Releases: wrobeltomasz/OpenSparrow
Release list
2.9 - GDPR Anonymization, Automation Emails, and a PHP 8.4 Refactor
New
- Data Anonymization module (GDPR/EDPB) — configurable per-column rules, scheduled runs, dry-run preview, and structured compliance reports (System → Anonymization)
- Automations: email action with templated recipients/subject/body, plus new comparison (>, <, >=, <=) and change-detection (changed, changed_from, changed_to) operators
- Dashboard: global period filter with prev-period deltas and CSV export
- Calendar: per-source filter bar
Changed
- Modernized backend for PHP 8.4 (enums, readonly classes, #[\Override], json_validate()); minimum PHP raised to 8.4
- Consolidated page bootstrap logic (os_page_bootstrap() / os_boot_app()) — removes duplicated session/CSRF/CSP boilerplate across pages
- Normalized i18n JSON files (consistent formatting, no translation changes)
Fixed
Anonymization rules losing date_column/days on save
2.8 - Kanban Board, MySQL Gateway, Security Hardening
New Features
- Board (Kanban) view — draggable cards in status lanes with instant updates and audit trail
- MySQL Gateway — auto-discover columns, handle non-standard PKs, External Tables tab, re-sync API
- Linked record count badges on grid expand buttons
- Calendar API optimized (query visible month only)
Security
- Ownership guards on mass operations and calendar drag-and-drop
- Random setup password (no more hardcoded admin/admin)
- Session file protection (.htaccess on storage/sessions/)
- File uploads stored outside web docroot
- Config import validation (size limits, empty archive rejection)
- Error messages hardened (no database leak)
Infrastructure
- Web-root restructure: public/ is docroot, backend outside
- Cypress suite overhauled (18 specs, seed endpoint, admin tests active)
- CI: source integrity checks, version tag validation, PHP 8.1–8.3
- Docs updated (6 languages, MySQL Gateway section)
2.7 - RAG Enhancements, Admin Redesign, Automations (Beta)
What's new:
- RAG: Improved parsing, Ollama SSL support
- Admin UI: Card editors, inline panels, refactored styles
- Automations (beta): If-then rules, OR logic, run logs, user picker
- Security: CSP nonces, XSS fixes, session hardening
- Tests: Cypress suite expanded to ~300 tests
- Deploy: One-click configs for Render & Railway
- Other: Server search, row caps, better CSV import
2.6.0 - RAG, Multilingual Support & Mass Edit
What's new:
RAG Enhancements
RAG Statistics tab in admin: 4 summary cards tracking query tokens, response times, and document matches; recent queries table (50 rows, formatted units)
Multilingual RAG: User queries auto-respond in their UI language via language hints (no schema changes required)
Localized "Ask AI" sliding panel fully translated to 20 languages
Language dropdown in test tab; optional language tagging in upload form
Grid & Bulk Operations
Mass Edit module: select rows via checkboxes → bulk edit fields, export CSV, assign owner, duplicate, or delete with confirmation
Grid keyboard shortcuts (arrow keys, Tab, Ctrl+C copy, Ctrl+F search, Help modal via Ctrl-hold) across all 20 languages
Quick Data Cleanup toolbar button (editors only): find & replace text with live preview, case sensitivity, accent-ignore options
Admin
Renamed "RAG Knowledge Base" → "Centrum AI" heading
Release Migration Manager: pending file/config cleanup tasks after version upgrades, with audit trail and automatic backups
Fixes
Fixed api_rag.php regression: restored page_context support and query logging
Fixed rag_call_ollama() return type annotation (now array instead of string)
CSV Import: fixed duplicate "Step 1" UI race condition; conflict column no longer defaults to id
Pinned qs and uuid dependencies (Dependabot security alerts)
What's Inside
All operations (mass edit, cleanup, bulk delete) are editor-role gated, CSRF-protected, and audit-logged. FK columns render as dropdowns in forms. Full i18n support (20 languages) across all new modules.
2.3.0 - Multilingual Module
2.2.0 - centralize session/CSP headers, extract CSS, add PHPUnit suite
What's new in 2.2.0
Refactoring: all pages now use start_session() and send_security_headers() from a single includes/session.php, eliminating ~18 duplicated session and header blocks across the codebase. Inline style blocks removed from all PHP pages and moved to external CSS files.
Testing: PHPUnit unit test suite added — 87 tests, 129 assertions covering the src/ OOP layer (Form, Domain, Csrf, Support). Dev-only, not required in production. New CI workflow runs the suite on PHP 8.1, 8.2, and 8.3 on every push and pull request.
2.1.0 - security, sessions and Admin panel
What's new:
Security & sessions - Reverse-proxy aware: auto-detect HTTPS via X-Forwarded-Proto, CF-Visitor, X-Forwarded-SSL.
- Real client IP resolved via
CF-Connecting-IP/X-Real-IP(fixes rate-limit collapse behind CloudFlare). - Fixed admin login redirect loop (ERR_TOO_MANY_REDIRECTS) caused by relativesession.save_pathunder PHP-FPM. session.gc_maxlifetimesynced withSESSION_MAX_LIFETIMEto prevent premature logout.IP_HASH_SALTauto-generated on first request and persisted toincludes/.secret_salt(chmod 0600, gitignored).- New
tmp/.htaccessdenies HTTP access to session files. - Hardened
session_regenerate_id()flow inlogin.php.
Admin panel
- Improved 403 page on
admin/— shows current user, role, and required role for faster debugging.
CI / release
- Fixed Docker Hub build tag pattern (now matches both
v1.2.3and bare1.2.3semver tags). - Release ZIP excludes hardened:
tmp/,cypress/,node_modules/,package*.json,.claude/,includes/.secret_salt. - Removed dead
e2e-tests.ymlworkflow (Cypress not in repo). - CodeQL no longer references non-existent
classicbranch. - PHP lint now runs matrix across PHP 8.1, 8.2, 8.3.
vanilla-check.ymlextended withchart.js,swiper,htmx,gsap,three,stimulus,d3.
Docs
- README updated: badges refreshed,
IP_HASH_SALTbehaviour documented, reverse-proxy notes added, tag examples corrected (X.Y.Znot
vX.Y.Z).
Upgrade notes
- No breaking changes. Existing
database.jsonand configuration are preserved. - Behind reverse proxy: no action required — detection is automatic.
- Multi-server deployments should set
IP_HASH_SALTexplicitly so all nodes share the same salt.
2.0.0 - admin UX overhaul, advanced data modeling, security hardening, and mobile responsiveness
What's new:
A comprehensive release focused on admin UX overhaul, advanced data modeling, security hardening, and mobile responsiveness.
Major Features
Admin Interface Redesign
- Collapsible side panel layout for improved information architecture and navigation
- Responsive mobile UI with off-canvas navigation for touch devices
- Icon buttons for grid edit/delete actions replacing text-based controls
Data Modeling Enhancements
- Virtual computed columns with f(x) badge indicator for formula-based calculated fields
- Many-to-Many (M2M) grid column support with chip renderer and dedicated Builder tab
- Schema Map ERD (Entity-Relationship Diagram) tab with search functionality and PNG export
New Administrative Modules
- Custom Views module for creating and managing personalized data perspectives
- Database Migrations system (System → Migrations) for tracking and applying schema changes
- Record Ownership tracking with full assignment history (System → Record Owner)
- Comprehensive Performance diagnostics tab (System → Performance) with index advisor, slow query analyzer, bloat detection
- Dedicated Cron Notifications management interface with run history, stats, and log cleanup
Grid & UX Improvements
- Comment indicators in grid rows highlighting records with discussions
- Duplicate record button for quick data duplication
- Grid default sort order and initial load limit configuration per table
- Grid drilldown quick-add for related records with pre-filled foreign keys
- Tooltip pattern for grid headers and date columns
Documentation & Configuration
- Expanded admin documentation (9 new comprehensive reference sections covering Migrations, Ownership, Grid Configuration, Performance, Cron, and more)
- Dynamic table of contents in documentation sidebar with smooth scroll navigation
- Demo column descriptions integrated into schema
- Updated dashboard module documentation
Security
- 5 security audit priority fixes addressing identified vulnerabilities
- Enhanced session security and input validation across admin panel
Technical Improvements
- Refactored HTML rendering with improved DOM structure
- Anchor IDs on all documentation headings for deep linking support
- HTML/CSS/JS optimization for better performance
- Bug fixes for tbody rendering and styling inconsistencies
System Requirements
- PostgreSQL with mandatory primary key column named
id - PHP 8.1+ with argon2id password hashing
- Modern browser with ES6 support (Chrome, Firefox, Safari, Edge)
Installation & Upgrades
Fresh Install: Run System → Migrations → Apply Pending Migrations to initialize all system tables and default admin account.
Upgrading from 1.9:
- Back up your database and config
- Deploy the new version
- Run System → Migrations → Apply Pending Migrations
- Review new System tabs (Migrations, Performance) to optimize your setup
1.9.0 - first-run setup wizard
What's new:
Introduce setup.php and setup_api.php — a four-step guided wizard that activates automatically when includes/database.json is absent. Covers database connection testing, schema selection, and system table initialization with admin seed. Security: SSRF guard on host param, size-limited JSON input, sanitized error messages, CSP headers.
index.php, login.php, and admin/index.php all redirect to the wizard until configuration is complete.
1.8.0 - record snapshot module, admin ux and centralise configuration in config.php
What's new:
Centralise configuration in config.php and fix admin login redirect loop
- Move all hardcoded values (session lifetime, rate-limit thresholds,
IP hash salt, file limits, cache ages, HSTS, demo mode, timezone,
DB connect timeout) to includes/config.php as env-overridable constants - Fix ERR_TOO_MANY_REDIRECTS: replace SameSite=Strict with SESSION_SAMESITE
constant (default Lax) across all 9 session controllers - Fix admin panel blank screen: add require config.php to admin/api.php
before DEMO_MODE constant is referenced - Update docs.js (section 12) and README with full env variable reference
Add record snapshot module with admin toggle
Add spw_record_snapshots table storing JSONB post-write state for every
INSERT and UPDATE, linked via FK to spw_users_log. Toggle controlled at
runtime via System → Audit & Snapshots (writes includes/settings.json)
or RECORD_SNAPSHOTS_ENABLED env var. Covers both api.php inline edits
and edit.php / create.php OOP path. Fix duplicate const declarations in
users.js that blocked the admin panel from loading.
Add Table builder: column options (NOT NULL, default, index, comment, FK),
timestamps preset, schema.json auto-registration, admin nav redesign