Releases: karl-cta/onyka
Releases · karl-cta/onyka
Release list
v1.0.4
What's New
Page Lock
- New per-page read-only mode. Toggle from the tab context menu or the options menu.
- Lock icon in the tab and "Page is read-only" banner above the editor.
- Server-enforced (HTTP 423 on locked writes), survives reload and applies to all collaborators.
Page Tabs
- Reliable drag and drop reordering on desktop and mobile (migrated from framer-motion to
dnd-kit, long-press on touch). - Optimistic order update, tabs snap into place instantly with no more reverting to old positions.
- Auto-select the page title text when renaming.
- Fix double-tab flash when switching between notes that both have pages.
Editor UX
- Single click on a link opens the URL in a new tab (was a no-op before).
- Tighter font-size scale: XS=12, S=14 (default), M=16, L=18, XL=22, XXL=28.
- "Modified X ago" refreshes within 500 ms, checkbox toggles and atomic edits feel instant.
- Note info chips hidden on mobile, only the "modified" timestamp remains.
Collaboration
- Collaborator avatars in the presence pill now show uploaded profile pictures (was always falling back to the initial).
- Presence indicator clears properly when switching from a shared note to a personal one.
Sidebar
- Larger text in the shared-with-me section (notes 12 to 13 px, owner 11 to 12 px, badge 9 to 10 px).
- Bigger owner avatars (4×4 to 5×5).
Security
Shannon agentic pentest, 8 vulnerabilities patched:
- IDOR on uploads:
note_uploadspivot table synced on every note/page write, authorization scoped to the referenced note. - 2FA bypass: signed
pending-2fatoken (5 min TTL) now required on/2fa/send-login-codeand/2fa/verify. - OTP hashing: HMAC-SHA256 with
JWT_SECRETinstead of raw SHA-256 (blocks local crack of 6-digit code if DB leaks). - Access token revocation:
jtiplusrevoked_access_tokenstable, logout invalidates immediately with no more 15-minute replay window. - Rate limit on
/password-reset/request(5 per 15 min per IP). - Cache-Control: no-store on all
/auth/*routes. - XSS in search preview: decode HTML entities before strip-tags (double-encoding bypass).
- TOCTOU on first admin creation: atomic SQLite transaction.
v1.0.3
What's New
Glass Design System
- Floating panel tokens on all 10 themes (per-theme opacity, blur, shadow)
- Semi-transparent glass effect on all menus, dropdowns, toolbars, modals, context menus
- New
.floating-paneland.floating-panel-interactiveCSS utilities
Editor UX
- Note Info inline: metadata chips expand next to "Modified X ago" instead of remote popup
- Bubble Menu lighter: pill shape, transparency, more spacing from text
- Code block copy button: one-click copy via ProseMirror widget decorations
- Markdown table shortcut: type
|Col1|Col2|Col3|to create a table (2-6 columns)
Sparks Rework
- Zero-friction capture, cleaner library drawer
- Spark button split separator in sidebar
- Glass effect on spark panels and cards
- Fix QuickAdd showing "Captured" on dismiss without submission
Sidebar
- Folder button on same row as Note and Sparks (icon-only)
- Search bar and folder button use glass interactive style
- Inline search replaces search modal
Other
- Focus mode: resizable editor width + keyboard shortcuts
- Structured server logs for auth events (register, login, 2FA, password change)
Security
- multer 2.0.2 → 2.1.1 (fixes 3 HIGH DoS vulnerabilities)
v1.0.2
v1.0.2
Bug Fixes
Editor
- Fix content loss when switching notes or renaming in sidebar (Closes #1, #2)
- Fix bubble menu flying off-screen on long documents when using Ctrl+A
- Fix bubble menu z-index overlapping with header on scroll
- Fix slash menu staying open when pressing space
- Fix slash menu filter not resetting between openings
- Fix slash menu positioning when triggered near bottom of editor
Columns
- Show toolbar on desktop by hovering the column border (±24px zone) instead of requiring cursor inside
- Fix column removal losing content, now extracts text inline
- Auto-focus first paragraph after inserting columns
- Remove faulty Enter key handler causing premature column exit
Rate Limiting
- Translate rate limit errors on registration page (was raw English)
- Extract Retry-After headers for real-time countdown timer
- Detect rate limit by error code instead of parsing message text
- Reduce registration rate limit window from 1h to 30min
PWA / Mobile
- Fix homepage scroll on mobile PWA
- Fix header height mismatch on mobile
- Regenerate apple-touch-icon with padding (no more iOS clipping)
- Add maskable icons for Android adaptive icon safe zone
- Validate folder creation on blur (mobile keyboard dismiss)
Docker / Self-hosting
- Fix blank page on HTTP-only Docker deployments, Helmet v8 defaults (COEP, HSTS, upgrade-insecure-requests) blocked page rendering (Closes #4)
- Scope CORS to /api routes only, static assets no longer require CORS headers
- Simplify docker-compose port mapping with clear documentation
Features
- Last activity tracking -
lastActivityAtupdated on each authenticated request (5min throttle), displayed in admin panel - Weekly recap - Focus time promoted to permanent stat card, streak displayed full-width
v1.0.1
Initial Release
Full Changelog: https://github.com/karl-cta/onyka/commits/v1.0.0