Skip to content

v1.1.0 — The module platform

Choose a tag to compare

@noschmarrn noschmarrn released this 30 May 13:50
Immutable release. Only release title and notes can be modified.

Schneespur v1.1.0 — The module platform

Five extensibility waves (M013–M017) turn Schneespur from a closed system into an open module platform: modules can now transform core values, react to lifecycle events, bring their own roles & permissions, fill UI areas, swap backup/storage/cron/PDF backends — and be distributed through a third-party catalog.

Fully backward-compatible. Existing installations keep running unchanged after the update — no manual migration steps needed.

ℹ️ Historical note (added later): this release introduced Ed25519 module signing and Official/Verified/Community trust badges (Wave 5 below). Those were removed in v1.1.5 because the catalog never actually sent signatures — SHA256 integrity checking plus virus scanning is the real guard. The text below is kept verbatim as an accurate historical record.


🪝 Wave 1 — Hook foundation (M013)

  • FilterRegistry — typed filters with priority ordering and error isolation. Three core hooks: schneespur.navigation.items, schneespur.dashboard.kpis, schneespur.job.notification.recipients.
  • Domain events — 13 lifecycle events (Shift, Customer, User, Module) with 15 dispatch points, consumable per listener.
  • NotificationChannelRegistry — pluggable notification channels with per-channel error isolation.
  • Module migrations & settings — automatic migrate on enable, rollback on remove; namespaced settings with auto-cleanup.
  • Dependency validationrequires/conflicts in module.json with semver constraints (>=, ^, ~, *).

🔐 Wave 2 — Identity & permissions (M014)

  • Flexible RBAC — the rigid admin/driver enum replaced by many-to-many roles & permissions (pivot tables). Users can hold several roles at once.
  • Gates everywhereGate::authorize() at 87 points across all 32 admin controllers; navigation & dashboard widgets filter by permission.
  • Admin user management — CRUD at /admin/users with role assignment and last-admin protection (the last admin can't be deleted/demoted).
  • TwoFactorMethodRegistry — extension point for 2FA methods (login flow follows in a later milestone).
  • Auto-sync bridge keeps the legacy role column in sync → zero breaking changes.

🧩 Wave 3 — UI extensibility (M015)

  • Slot system — 15 named slots across admin, driver, and portal layouts via the @extensionSlot directive, with append and replace semantics plus conflict warnings.
  • DispatchStrategyRegistry — swappable job-assignment strategies with an admin settings UI at /admin/settings/dispatch.

⚙️ Wave 4 — Ops & compliance (M016)

  • 5 new registries — BackupTarget, StorageBackend, ScheduledTask, PdfRenderer, ReportFormat.
  • Swappable photo storage — with a fallback read chain: local photos stay readable after a backend switch.
  • Cron overview/admin/crontasks with last-run status, source badges, and enable/disable; error-isolated (one broken task doesn't crash the scheduler).
  • PDF renderers & report formats — modularly swappable (PDF/CSV as defaults, e.g. for US/Canada compliance).

🚀 Wave 5 — Market opening (M017)

  • Ed25519 signature verification — trust chain (root key → valid_keys → manifest signature → ZIP integrity) on install/update. Tampered/revoked/expired modules are blocked, unsigned ones warned. (Removed in v1.1.5 — see note above.)
  • Trust levels — catalog-supplied classification (Official / Verified / Community / Unknown) with colored badges and a filter. (Removed in v1.1.5.)
  • Versioned module REST APIapi/mod/{slug}/v{n}/* with bearer-token auth (slug-scoped) and admin token management (token shown once with a copy button).
  • Per-module loggingmod_logs table (insert-only) + an admin log viewer with level filter and pagination.
  • Module assets & i18n — modules bring their own CSS/JS (@moduleAssets directive, symlink lifecycle) and DE/EN translations.

🔬 Engineering

  • Test suite: 366 tests, 0 failures — grown from 88 to 366, regression-free throughout.
  • ExtensionRegistry pattern proven across 13+ domains (UI, Weather, Notifications, Auth, Backup, Storage, Scheduler, PDF, Report, Dispatch …).
  • No external package dependencies for RBAC, signing, or the API — deliberately lean for shared hosting.

📦 Installation

Download the ZIP → extract → upload via FTP → open in the browser → the installer starts automatically. Existing installations update conveniently via the built-in self-updater.