Skip to content

Commit 1e0ddaa

Browse files
release: v1.0.0-alpha.7 — bump version and update changelog
1 parent 4cd1478 commit 1e0ddaa

7 files changed

Lines changed: 28 additions & 14 deletions

File tree

CHANGELOG.md

Lines changed: 20 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -7,25 +7,39 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77

88
## [Unreleased]
99

10+
## [1.0.0-alpha.7] - 2026-06-14
11+
1012
### Added
1113

14+
- **POSIX install script with OpenRC support** -- `deploy/install.sh` was rewritten in portable POSIX sh and now manages services under both systemd and OpenRC, making Alpine and other non-systemd hosts first-class. Releases publish `sha256sums` and the installer verifies every download against them, and a CI job gates the script with shellcheck and dash
1215
- **Connection-lost banner** -- The layout shows a persistent banner when the browser loses its WebSocket link to the server (after a short grace period to ignore brief blips) and clears it automatically on reconnect, so a dropped connection no longer leaves the dashboard silently stale
13-
- **Shareable tab state in the URL** -- The server detail tabs (metrics / traffic / security / IP quality) and the status-page settings tabs (config / incidents / maintenance) are persisted in the URL, so reload, browser back/forward, and shared links keep the selected tab instead of resetting to the first one. An invalid tab value falls back to the default
16+
- **Shareable tab state in the URL** -- The server detail tabs (metrics / traffic / security / IP quality) and the status-page settings tabs (config / incidents / maintenance) are persisted in the URL, so reload, browser back/forward, and shared links keep the selected tab instead of resetting to the first one; an invalid tab value falls back to the default
1417

1518
### Changed
1619

1720
- **Capability-gated terminal and file routes** -- Opening the web terminal or file manager for a server whose `CAP_TERMINAL` / `CAP_FILE` bit is disabled now renders an explanatory notice instead of a dead shell, and skips the doomed WebSocket connect and file-list request
1821

1922
### Fixed
2023

21-
- **Silent data-load failures** -- Failed data queries and dashboard create/update errors now surface a toast instead of leaving an empty view with no explanation
22-
- **Unconfirmed destructive actions** -- Deleting an incident or a maintenance window, and unlinking an OAuth provider, now require confirmation
23-
- **Public server traffic bar** -- The public server-detail network bar uses cumulative transfer totals so the figures match the rest of the UI
24-
- **Untranslated table empty states** -- Data-table "no results" text is now localized
24+
- **Custom dashboard widgets** -- The backend accepts `metric-card` widgets, module widgets load reliably, the grid is more responsive, and the default layout no longer leaves an empty band
25+
- **Service monitors** -- HTTP-keyword checks accept custom ports, and the service-monitor detail page no longer crashes on SSL certificate dates
26+
- **Installer robustness** -- `purge` removes the base directory even with orphaned files and the snap Docker config directory; `toml_set` preserves the section separator when appending a key; `SERVERBEE_*` env is forwarded across `doas` elevation; `sha256sums` are matched on the exact filename; OpenRC agent respawn is bounded on permanent enrollment failure; and status/log commands print a clear message instead of nothing when there is no output
27+
- **Web reliability** -- Failed data queries and dashboard create/update errors surface a toast instead of an empty view; destructive actions (monitors, ping tasks, notifications, incidents, maintenance windows, OAuth unlink, password change) require confirmation; the terminal clears its stale WS error on reconnect; capability toggles reflect immediately; `localStorage` access is guarded against unavailable storage; realtime state is no longer mutated in place; numeric `&&` guards no longer render a literal `0`; and alert-rule and scheduled-task validation is surfaced
28+
- **Web layout & accessibility** -- Wide tables scroll instead of overflowing the viewport, modal dialogs stay centered on narrow screens, the main scroll area is constrained to the viewport width, the traffic table scrolls on narrow screens with a clamped usage label, latency chart series stay mounted when toggling targets, network overview cards deep-link to a valid time range, settings breadcrumbs are complete, terminal and file breadcrumb labels resolve, the security and IP-quality pages get a11y and narrow-screen fixes, data-table empty states are localized, the public traffic bar uses cumulative totals, and the API-key dialog gains a copy button
29+
- **Agent** -- SSH security events are detected on OpenSSH 9.8+, which logs authentication through the new `sshd-session` process
2530

2631
### Security
2732

28-
- **Fail-closed admin route gating** -- Every `/settings/*` route is admin-only by default; members can only reach the self-service mobile-devices, API-keys, and security pages and are redirected away from any other settings route, so a new settings page is admin-only unless explicitly allow-listed
33+
- **OAuth login hardening** -- The OAuth sign-in flow adopts PKCE (S256), binds the login state to the initiating browser via a pre-auth cookie (closing a CSRF / session-fixation gap), and redacts OAuth secrets from `Debug` output
34+
- **SSRF guards for service monitors** -- HTTP-keyword and other checkers route through a shared SSRF guard that rejects loopback, cloud-metadata, and private targets at create time and re-validates on every HTTP redirect hop
35+
- **Agent token transport** -- The agent WebSocket prefers the `Authorization` header over the query string when sending its token
36+
- **Expanded audit logging** -- Database backup/restore, user-management actions, and API-key creation/deletion now emit audit-log entries, and restore audit entries persist into the restored database
37+
- **Fail-closed admin route gating** -- Every `/settings/*` route is admin-only by default; members reach only the self-service mobile-devices, API-keys, and security pages and are redirected away from any other settings route, so a new settings page is admin-only unless explicitly allow-listed
38+
39+
### Performance
40+
41+
- **Smaller initial bundle** -- Routes and vendor libraries are code-split into separate chunks
42+
- **Hot-path cleanups** -- Linear scans were removed from the data-transform hot paths, and several components derive state during render instead of in effects
2943

3044
## [1.0.0-alpha.6] - 2026-05-31
3145

Cargo.lock

Lines changed: 3 additions & 3 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ members = [
77
]
88

99
[workspace.package]
10-
version = "1.0.0-alpha.6"
10+
version = "1.0.0-alpha.7"
1111
edition = "2024"
1212
license = "AGPL-3.0-or-later"
1313
repository = "https://github.com/ZingerLittleBee/ServerBee"

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ ServerBee watches all your servers from one place. A central **server** receives
2828
- 🔒 **Secure by default** — OAuth + 2FA, RBAC, audit logs, one-time agent enrollment, per-server capability gates.
2929

3030
> [!NOTE]
31-
> ServerBee is in active development (`v1.0.0-alpha.6`). Expect rapid iteration.
31+
> ServerBee is in active development (`v1.0.0-alpha.7`). Expect rapid iteration.
3232
3333
## Quick Start
3434

README.zh-CN.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ ServerBee 在一处统一监控你的所有服务器。中心 **Server** 通过
2828
- 🔒 **默认安全** —— OAuth + 2FA、RBAC、审计日志、一次性 Agent 注册、逐服务器能力门控。
2929

3030
> [!NOTE]
31-
> ServerBee 正在活跃开发中(`v1.0.0-alpha.6`),迭代频繁。
31+
> ServerBee 正在活跃开发中(`v1.0.0-alpha.7`),迭代频繁。
3232
3333
## 快速开始
3434

apps/web/package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"name": "@serverbee/web",
33
"private": true,
4-
"version": "1.0.0-alpha.6",
4+
"version": "1.0.0-alpha.7",
55
"type": "module",
66
"scripts": {
77
"dev": "vite",

bun.lock

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)