Skip to content

Releases: ZingerLittleBee/ServerBee

v1.0.0-alpha.11

Choose a tag to compare

@github-actions github-actions released this 02 Jul 17:00
32eba8e

Security

  • Session and mobile access tokens are now stored hashed -- The sessions table held the plaintext web session and mobile access token and looked them up by plaintext, so anyone with a database snapshot (the backup export, a db-pull) could replay any active row as a cookie or Bearer token until it expired -- unlike API keys, agent tokens, and refresh tokens, which were already hashed. Tokens are now stored as a SHA-256 hash and hashed again on every lookup (login validation, logout, password-change revocation, and the mobile push endpoints); the plaintext lives only in the cookie/response. A migration drops existing plaintext sessions, so web clients re-log in and mobile clients transparently refresh

  • Agent traceroute now enforces the SSRF guard -- Traceroute validated only a character whitelist and then traced whatever the target resolved to, unlike the ping/TCP/HTTP probes which all pass the shared SSRF guard. A server could push a traceroute to 169.254.169.254, loopback, or an internal address and turn the agent into an internal-network probe. The resolved address is now rejected with the same monitor-safe policy (private RFC1918 ranges remain allowed for legitimate internal monitoring; loopback, link-local, and the cloud-metadata endpoint are blocked)

  • Agent firewall blocklist mutations require the firewall capability -- BlocklistSync, BlocklistAdd, and BlocklistRemove were applied to the host firewall with no capability check, while every other high-risk agent command (exec, upgrade, file, traceroute, IP quality) is gated on the current capability bitmap. The agent now enforces CAP_FIREWALL_BLOCK on these mutations so it is its own trust boundary; BlocklistReset stays ungated on purpose so a capability-revoked agent can still be cleaned up

Fixed

  • Disconnected agents no longer generate phantom metrics -- The record writer flushed its entire report cache every minute and stamped each row with the current time, but the cache was never pruned when an agent disconnected. An agent that connected once and then dropped kept producing current-looking metric and traffic rows every minute -- fabricating history and writing to the database without bound. The writer now persists only currently-connected agents, while the cache is retained so offline servers still show their last-known metrics and is purged when a server is deleted

Performance

  • Retention cleanup and hourly aggregation use dedicated time indexes -- The periodic cleanup and aggregation jobs filter the time-series tables by their time column alone, but the existing composite indexes lead with server_id/task_id, so SQLite fell back to a full table scan of the largest tables every hour inside a write transaction. A migration adds a single-column index on every time column these jobs scan (records, records_hourly, gpu_records, ping_records, security_event, audit_logs, unlock_event, ip_risk_cache, traffic_hourly)

v1.0.0-alpha.10

Choose a tag to compare

@github-actions github-actions released this 21 Jun 17:16
ee145e5

Added

  • Manually correct a server's country / region flag -- GeoIP sometimes maps an agent's public IP to the wrong country, and the flag shown next to a server could not be fixed. The server edit dialog now has a searchable Country / Region picker that lists every ISO 3166-1 entry with its flag and localized name, with frequently-used VPS locations pinned to a "Common" group on top, so an admin can choose the right one without knowing the 2-letter code. A manual choice is pinned (geo_manual) and is no longer overwritten by GeoIP on the next report; clearing it resumes automatic detection. The chosen value is validated and persisted server-side, and country flags across the app (server cards, list rows, detail headers, and public status pages) now reveal the localized country name on hover via a shared CountryFlag component

  • Edit a server from its card -- The grid-view server card's overflow menu gained an Edit item that opens the full edit dialog directly (previously only the table view could), and the Recover Agent action is now hidden for online servers, mirroring the detail page's gating since recovery only applies to a disconnected agent

Changed

  • Objective cost advisories replace the value score -- The synthetic 0-100 "value score" (grade, confidence, and fleet-relative reasoning) was dropped in favor of objective, per-server cost advisories while keeping the concrete cost data (burn rate and per-resource unit costs). Advisories -- expired billing, sleeping money, idle burn, and low uptime -- are computed without any fleet comparison and surfaced in priority order, with idle/activity detection now gated on per-window network speed instead of cumulative transfer counters. Applied across the Rust cost service and OpenAPI schema, the web cost cell and insight bar, the iOS client, and the bilingual docs

  • Health-first network overview cards -- Server cards now lead with a health verdict pill (healthy / unstable / critical / offline) derived from the shared severity thresholds, with latency as a large colour-coded focal number. The opaque "availability %" was replaced with packet-loss %, the redundant anomaly banner was removed, and the anomaly figure is now a warning-styled stat card showing "N anomalies in last 24h" only for problem servers

  • Theme and language switchers moved into the sidebar user menu -- The theme toggle (Light / Dark / System) and language switcher (中文 / English) moved from the top header into nested submenus in the sidebar user dropdown. The public status page keeps its own header toggles since it has no sidebar

  • Three-tier capability risk model; firewall block is now medium risk -- Capability risk is no longer a binary high-vs-not split. CAP_FIREWALL_BLOCK is reclassified from high to medium risk -- the agent can only add or remove IPs in its own dedicated nft blocklist set (with self-lockout guardrails) and cannot exec code, read files, or flush the host firewall, so its worst case is bounded availability impact rather than host compromise. The capabilities dialog and settings matrix now render high (red) / medium (amber) / low (muted) tiers and order columns by descending risk

Fixed

  • Dashboard widgets no longer jitter after saving a layout -- The custom dashboard could enter an infinite re-render loop right after saving widget positions, jittering widgets that sit below a content-height or aspect-square widget and eventually crashing with React's "Maximum update depth exceeded". The coarse-row y-snap is now applied only where appropriate, so react-grid-layout and the layout normalizer no longer ping-pong

v1.0.0-alpha.9

Choose a tag to compare

@github-actions github-actions released this 20 Jun 10:12
57a9967

Added

  • Temporary, host-local capability grants -- A user with shell access on an agent host can temporarily enable an off-by-default capability for a bounded duration with the new serverbee-agent grant <cap> --for <30m|2h|1d> [--reason "..."] CLI (plus serverbee-agent revoke <cap> and serverbee-agent grants to inspect). Grants persist to <state_dir>/capability_grants.json with an absolute expires_at, so they survive an agent restart and expire at their original deadline; a missing/corrupt store fails safe to no grants, and a duration over temporary_max_duration (default 24h) is refused. Consistent with the agent-owned trust model, the server and web/iOS UI cannot grant a capability -- the agent re-reports its effective set, so the server opens the gate live, mirrors the change with an amber "Temporary" badge and a live countdown in the capabilities dialog and the Settings capabilities matrix, audits each transition (capability_temporarily_granted / capability_grant_expired / capability_grant_revoked), and fires the new event-driven capability_grant_detected alert when a high-risk capability (terminal/exec/file/docker) is granted. Two agent config keys tune the feature: capabilities.temporary_max_duration and capabilities.state_dir

Changed

  • Capabilities are now agent-owned -- The trust model changed so the agent host is the sole authority over its capabilities. Each agent computes its capability bitmask from the new [capabilities] config block (allow/deny over CAP_DEFAULT) plus optional --allow-cap/--deny-cap CLI flags and reports it in SystemInfo; the server now persists that value only as a display mirror (servers.capabilities) and gates control-plane requests on it. The server can no longer change an agent's capabilities: PUT /api/servers/{id} no longer accepts a capabilities field, the PUT /api/servers/batch-capabilities endpoint and the server→agent CapabilitiesSync message are removed, and the protocol version is bumped to 6 (a new agent→server CapabilitiesChanged message carries live grant transitions). Effective capabilities equal the agent-reported set (no more server_caps & agent_local_caps intersection), so a compromised or misconfigured server cannot silently enable terminal, exec, file, or Docker access on a host. The web and iOS capability UIs (server detail dialog and Settings → Capabilities) are now read-only views, and capability denials always report agent_capability_disabled

v1.0.0-alpha.8

Choose a tag to compare

@github-actions github-actions released this 19 Jun 13:27
be9d27f

Security

  • SSRF guard on ping / network-probe targets -- Probe targets are free-form strings pushed from the server to every agent and were executed after only a capability check, with no target validation -- a vector for turning the agent fleet into a distributed internal-network / cloud-metadata scanner driven by a compromised server or rogue admin. The agent now runs the monitor-grade SSRF guard on every ICMP/TCP/HTTP probe: RFC1918 internal monitoring stays allowed, but loopback, link-local (incl. the 169.254.169.254 cloud-metadata endpoint), NAT64, and broadcast are blocked. TCP probes connect to the validated address with no re-resolve, and HTTP probes disable redirect following (blocking a 302 bounce into metadata) and pin the host to the validated address. As defense-in-depth, PingService and NetworkProbeService also reject literal loopback/metadata targets at create/update time. Internal RFC1918 monitoring and domain-name targets are unaffected
  • Mobile refresh tokens are invalidated by a password change -- A new password_changed_at user timestamp lets the mobile refresh path reject any refresh token whose session was issued before the user's last password change. Both self-service changes and admin-driven resets stamp it, revoke the user's web sessions, and drop their mobile sessions in a single transaction -- closing a TOCTOU window where a concurrent refresh could "revive" a session and a foreign-key path could leave the revocation half-applied. The caller's own current mobile session is preserved, and existing sessions are unaffected until the next password change after upgrade (no forced mass re-login on deploy)
  • Capability revocation is an immediate kill-switch -- Revoking CAP_TERMINAL / CAP_FILE / CAP_DOCKER now tears down in-flight operations on the agent (open PTYs, in-flight file transfers, Docker stats) instead of only gating future ones; a locally torn-down terminal notifies the server so the browser bridge closes at once rather than hanging until idle timeout. The server also re-checks CAP_IP_QUALITY before persisting/broadcasting unlock results and re-checks CAP_FILE on upload chunks, so a capability revoked mid-run cannot let a trailing batch through
  • Expanded audit logging -- Failed and rate-limited logins (web and mobile), server delete / batch-delete / upgrade triggers, Docker container actions, scheduled-task create/update/delete, and capability-denied events now emit audit-log entries. A first-factor login that still needs a 2FA code is no longer recorded as a failed login, and attacker-controlled usernames in audit detail are length-capped

v1.0.0-alpha.7

Choose a tag to compare

@github-actions github-actions released this 14 Jun 11:50

Added

  • POSIX install script with OpenRC support -- deploy/install.sh was rewritten in portable POSIX sh and now manages services under both systemd and OpenRC, making Alpine and other non-systemd hosts first-class. Releases publish sha256sums and the installer verifies every download against them, and a CI job gates the script with shellcheck and dash
  • Connection-lost banner -- The layout shows a persistent banner when the browser loses its WebSocket link to the server (after a short grace period to ignore brief blips) and clears it automatically on reconnect, so a dropped connection no longer leaves the dashboard silently stale
  • Shareable tab state in the URL -- The server detail tabs (metrics / traffic / security / IP quality) and the status-page settings tabs (config / incidents / maintenance) are persisted in the URL, so reload, browser back/forward, and shared links keep the selected tab instead of resetting to the first one; an invalid tab value falls back to the default

Changed

  • Capability-gated terminal and file routes -- Opening the web terminal or file manager for a server whose CAP_TERMINAL / CAP_FILE bit is disabled now renders an explanatory notice instead of a dead shell, and skips the doomed WebSocket connect and file-list request

Fixed

  • Custom dashboard widgets -- The backend accepts metric-card widgets, module widgets load reliably, the grid is more responsive, and the default layout no longer leaves an empty band
  • Service monitors -- HTTP-keyword checks accept custom ports, and the service-monitor detail page no longer crashes on SSL certificate dates
  • Installer robustness -- purge removes the base directory even with orphaned files and the snap Docker config directory; toml_set preserves the section separator when appending a key; SERVERBEE_* env is forwarded across doas elevation; sha256sums are matched on the exact filename; OpenRC agent respawn is bounded on permanent enrollment failure; and status/log commands print a clear message instead of nothing when there is no output
  • Web reliability -- Failed data queries and dashboard create/update errors surface a toast instead of an empty view; destructive actions (monitors, ping tasks, notifications, incidents, maintenance windows, OAuth unlink, password change) require confirmation; the terminal clears its stale WS error on reconnect; capability toggles reflect immediately; localStorage access is guarded against unavailable storage; realtime state is no longer mutated in place; numeric && guards no longer render a literal 0; and alert-rule and scheduled-task validation is surfaced
  • Web layout & accessibility -- Wide tables scroll instead of overflowing the viewport, modal dialogs stay centered on narrow screens, the main scroll area is constrained to the viewport width, the traffic table scrolls on narrow screens with a clamped usage label, latency chart series stay mounted when toggling targets, network overview cards deep-link to a valid time range, settings breadcrumbs are complete, terminal and file breadcrumb labels resolve, the security and IP-quality pages get a11y and narrow-screen fixes, data-table empty states are localized, the public traffic bar uses cumulative totals, and the API-key dialog gains a copy button
  • Agent -- SSH security events are detected on OpenSSH 9.8+, which logs authentication through the new sshd-session process

Security

  • OAuth login hardening -- The OAuth sign-in flow adopts PKCE (S256), binds the login state to the initiating browser via a pre-auth cookie (closing a CSRF / session-fixation gap), and redacts OAuth secrets from Debug output
  • SSRF guards for service monitors -- HTTP-keyword and other checkers route through a shared SSRF guard that rejects loopback, cloud-metadata, and private targets at create time and re-validates on every HTTP redirect hop
  • Agent token transport -- The agent WebSocket prefers the Authorization header over the query string when sending its token
  • Expanded audit logging -- Database backup/restore, user-management actions, and API-key creation/deletion now emit audit-log entries, and restore audit entries persist into the restored database
  • Fail-closed admin route gating -- Every /settings/* route is admin-only by default; members reach only the self-service mobile-devices, API-keys, and security pages and are redirected away from any other settings route, so a new settings page is admin-only unless explicitly allow-listed

Performance

  • Smaller initial bundle -- Routes and vendor libraries are code-split into separate chunks
  • Hot-path cleanups -- Linear scans were removed from the data-transform hot paths, and several components derive state during render instead of in effects

v1.0.0-alpha.6

Choose a tag to compare

@github-actions github-actions released this 31 May 11:19

Added

  • Network quality dashboard widgets -- New network overview, network latency chart, and network quality summary widgets, complete with per-widget config forms, i18n strings, picker icons, and registered widget types. Detail-page and widget chart records now share a single pure merge function and records hook. The dashboard save path whitelists the new network quality widget types on the backend
  • Server-cards widget layout controls -- The dashboard server-cards widget gains a grid/list layout toggle, sizes itself to its content height (applied instantly to avoid overlap), and reveals additional rows on scroll instead of paginating, with a load-more spinner while fetching

Changed

  • Documentation overhaul -- The Chinese docs locale was renamed from cn to zh and README links now point to the docs site. The configuration reference was restructured into tables, and the agent, deployment, monitoring, terminal, ping, alerts, architecture, and index guides were expanded and corrected (JSON terminal transport with base64 data field, single status page, retention tiers, reverse proxy and OAuth/mobile coverage). ENV.md and the config docs were synced with the code

Security

  • RBAC hardening -- The Docker container logs WebSocket and the file read/download endpoints are now restricted to admins. The password policy is unified across change flows, and all active sessions are revoked when a user changes their password

v1.0.0-alpha.5

Choose a tag to compare

@github-actions github-actions released this 28 May 17:44
059d4c3

Added

  • Custom widget system (B/C method) -- New @serverbee/widget-sdk workspace package exposes defineWidget, a bundled z schema validator, and a typed hook surface (live: useServers/useServer/useMetric/useCapability via useSyncExternalStore; domain: useHistory/useTraffic/useAlerts/useServiceMonitors/useUptime/useGeoIp; host: useTheme/useConfigUpdate; escape hatches: useApiQuery/useApiMutation). Widgets are authored as a single ESM file with a top-of-file @serverbee-widget JSDoc manifest, statically extractable, no eval. Admins install via POST /api/widget-modules (URL or multipart upload) for single .js/.mjs files or .zip collection bundles with a collection.json index. Built-in widgets are emitted by a new Vite nested-build plugin to apps/web/dist/builtin-widgets/, embedded into the server binary via rust-embed, and registered at boot
  • Dashboard module rendering -- dashboard_widget gained a module_id column; widget_type='module' widgets dispatch through the widget registry and render via the SDK component contract. The picker surfaces installed modules under a "Custom Widgets" section; the config dialog renders the module's configSchema via the SDK form renderer (real renderers for z.metricPath/z.color/z.duration) with friendly placeholders for missing modules or empty schemas. ActionButton from the SDK ships with confirm dialog, pending state, and success/error toast wiring
  • Bilingual widget docs -- apps/docs/content/docs/{en,cn}/custom-widgets.mdx covers method B (single file) and method C (zip bundle) end-to-end: manifest fields, build pipeline with React/SDK externals, install flows, asset resolution rules, SDK surface summary, and the full safety/limits table

Changed

  • Widget install hardening -- SSRF guard now resolves DNS and rejects any host whose IP falls in a reserved/private range (loopback, RFC 1918, CGNAT, link-local incl. cloud metadata, IPv6 ULA/link-local, benchmarking, documentation, multicast, reserved); HTTP redirects are disabled; uploads enforce a per-route 1 MiB body limit with streaming size accounting; zip extraction caps total uncompressed size at 32 MiB across at most 64 entries; manifest extractor rejects sources > 1 MiB up front; id conflicts across source_type (e.g. upload trying to overwrite a builtin) return 409 Conflict; dashboard_widget.module_id is validated against installed modules; SDK declarations carry a sdkVersion semver range checked at load time. Install and uninstall events emit audit log entries
  • Runtime bridge -- mountRuntimeBridge now wires the SDK runtime to the live React Query servers cache and the host theme provider via useSyncExternalStore, surfaces sonner toasts, and exposes a confirm-dialog request channel. /runtime/* import-map shims are served with Cache-Control: no-cache to avoid stale shim drift across SPA upgrades. defineWidget rejects duplicate action ids

Removed

  • Legacy SPA theme + custom CSS theme system -- The spa_theme package upload feature, custom_theme CSS variable system, and seven preset themes are deleted in their entirety (backend service/router/entity, migrations dropping spa_themes and custom_theme, the appearance settings UI, preset CSS files, theme_ref from public status pages, and the SERVERBEE_FEATURE__CUSTOM_THEMES config field). The theme provider is collapsed to light/dark/system. The old custom-themes.mdx and custom-frontend.mdx doc pages are replaced by custom-widgets.mdx

v1.0.0-alpha.4

Choose a tag to compare

@github-actions github-actions released this 26 May 16:41

Added

  • Public status page -- New /api/status/* public surface with field redaction and a singleton is_public toggle exposes a curated public dashboard; the web app gained public variants of the server list, server detail, network overview, network detail, and IP quality cards with grid/list toggles and i18n coverage
  • Custom SPA themes -- Operators can upload zip-packaged frontend themes from Settings → Appearance. The server validates the manifest, runs zip-bomb and symlink security checks, supports preview/activate flows with cookie-based theme selection, exposes /__system/clear-recovery and /__system/clear-preview recovery endpoints, and ships a starter template under templates/ with a pack.ts helper
  • Agent registration redesign -- "Add Server" now creates a pending server with full metadata up front; admins can recover offline agents via a dedicated dialog, regenerate enrollment codes with optimistic CAS, and bound enrollments tie tokens to specific servers. The UI surfaces pending status indicators and disables rotate-token on pending rows
  • Rate limit management page -- New admin page and API to inspect and reset per-IP rate limits, with separate scopes for login, registration, and the public status surface; admin rate_limit endpoint reports the public scope alongside the existing ones
  • Network anomaly KPI card -- The anomaly count is surfaced as a clickable KPI tile with a dialog containing the table, count, and window selector; latency anomaly detection thresholds are now configurable via env vars
  • ipapi.is IP quality provider -- Default IP risk provider switched to ipapi.is with ip-api as automatic fallback orchestrated by IpRiskService; the snapshot entity and DTOs gained the new abuser_score and related fields, and the IP quality card renders them

Changed

  • Settings forms moved into dialogs -- Notification channels and groups, user creation, and ping task creation were converted to dialogs; outer card wrappers were dropped on alerts, notifications, and api-keys pages in favour of inline layouts, and redundant page titles were removed from settings routes
  • Service monitors and notifications polished -- Service monitors gained a header description and an inline add button within the table column; notification sections wrap in cards for clearer grouping
  • Latency charts use 24-hour time -- Avoids am/pm ambiguity on dense timelines
  • Agent registration error handling -- Agent categorizes registration errors and backs off in-process instead of looping fast on permanent failures; registration is transactional with no implicit server creation
  • Default register rate-limit raised -- From 3 to 10 attempts per 15-minute window so legitimate batch installs do not lock themselves out
  • Status page collapsed to singleton -- Admin status-page router and service collapsed to GET/PUT on a single row, with new is_public columns and DTO/field cleanup
  • Canonical 429 error -- OpenAPI rate-limit responses standardised and the in-band sweep tightened

Fixed

  • IP quality provider edge cases -- abuser_score clamps to 0..=100; risk_provider=none suppresses fallback; misconfigured provider names warn at startup; new ipapi.is fields persist correctly in save_ip_quality_snapshot
  • Status page migration safety -- Dropped a broken manual transaction from simplify_status_page and parameterised migration LIKE clauses inside a transaction; servers migration now uses explicit column names to avoid positional drift
  • SPA theme handler -- Tightened the serve handler for spec compliance with cookie precedence, preview banner, and review fixes; the theme extractor was hardened with additional zip-bomb and symlink coverage
  • Agent token validation -- validate_agent_token filters NULL token_hash at the query layer with a half-bound row regression test
  • Latency chart and UI polish -- Anomaly count card gained cursor-pointer; tag chips test alignment with placeholder behaviour
  • Web bun.lock -- Synced with the v1.0.0-alpha.3 web version bump that landed without lockfile refresh

Removed

  • Recovery-merge subsystem -- Replaced by the new agent recovery flow; the legacy server and web code, including orphaned type re-exports, were removed
  • Legacy paid IP risk providers -- Removed in favour of the ipapi.is + ip-api stack
  • RebindIdentity protocol -- Handler and protocol removed as part of the registration redesign
  • Dead ServerMessageOutcome enum -- Removed along with legacy test helpers
  • Legacy slug-based status page surface -- The /status/$slug route was dropped after the singleton refactor

Documentation

  • Custom frontend theme guide -- New EN/CN docs cover pack.ts, manifest fields, and the upload flow; the SPA theme manual E2E checklist was added under tests/
  • Network probe anomaly thresholds -- Configurable latency anomaly env vars are documented in ENV.md and the bilingual configuration pages
  • Design specs and plans -- Added specs and plans for the public status page refactor, custom SPA themes, agent registration redesign, and ipapi.is provider refactor, with multiple review-driven revisions
  • IP quality docs replaced -- The IP quality provider docs were rewritten around ipapi.is with the ip-api fallback story
  • Removed fabricated env vars -- Stripped references to SERVERBEE_FEATURE__SPA_THEMES that never existed in the codebase

v1.0.0-alpha.3

Choose a tag to compare

@github-actions github-actions released this 24 May 17:21
29199c2

Added

  • ASN database for traceroute enrichment -- A new ASN MMDB service labels every traceroute hop with its autonomous system number; the settings page exposes a download/update card mirroring the existing GeoIP control, and SERVERBEE_ASN__MMDB_PATH / the [asn] config section let operators bring a custom file
  • Server version on the settings page -- A public /api/about endpoint reports the running build's CARGO_PKG_VERSION and the settings page renders it in an About row so operators can confirm the version at a glance
  • Manual audit log clear -- Admins can wipe the audit log table from the audit logs page via a destructive button with a confirmation dialog; the clear itself is recorded as an audit_log_clear entry afterward so the operator who triggered it remains auditable

Changed

  • Settings page redesigned -- The standalone GeoIP/ASN/About cards were replaced with a unified SettingsSection/SettingsRow primitive grouped into "Data sources" and "About" panels in a macOS System Settings style; the DB-IP attribution moved into the section footer
  • Traceroute dialog UX -- The dialog was rebuilt around a quick-pick "Recent" chips row backed by a full-history popover, grew to 92vh, pins the all-history button to the right of the chips, renders the protocol select's uppercase label, and shows a loading spinner while a selected history snapshot is being fetched
  • ScrollArea adoption on network surfaces -- The traceroute result table, traceroute history list, and manage-targets dialog list all migrated from native overflow-auto to shadcn's ScrollArea; the manage-targets list also grew to 70vh so far fewer targets sit below the fold

Fixed

  • Agent file receive flush -- receive_chunk now flushes the file handle before returning so the last chunk reliably lands on disk
  • Select trigger label vs. value -- Several admin selects (users page role picker, traceroute protocol picker) were rendering the raw value instead of the label; the items prop is now passed through so the trigger shows the display string
  • Self-delete button on users page -- The current user's own row no longer shows a delete button that would have failed server-side

Documentation

  • ASN configuration documented -- SERVERBEE_ASN__MMDB_PATH and the [asn] config section are documented in ENV.md and the bilingual configuration MDX pages, and the GeoIP/ASN endpoints are now annotated with utoipa::path so they appear in /swagger-ui/

v1.0.0-alpha.2

Choose a tag to compare

@github-actions github-actions released this 24 May 12:27

Added

  • Embedded traceroute with history and protocol selection -- The shell traceroute invocation is replaced by an embedded trippy-core engine that runs per-hop probes over ICMP, UDP, or TCP and streams round updates back to the browser. Results are persisted to a new traceroute_record table with admin delete and clear controls, hops are enriched with PTR (reverse DNS) data via a server-side LRU cache, and the network detail page renders a 10-column streaming hop table inside a header dialog backed by a history list. New protocol enums (TraceProtocol, RecordedProtocol), TracerouteRoundUpdate agent messages, and a TracerouteEnricher on AppState make round-by-round streaming defense-in-depth safe -- updates from a mismatched server_id are rejected and each traceroute is bounded by a 60s wall-clock timeout
  • Capability picker during agent install -- When adding a server from the web UI, admins can now pick exactly which agent capabilities to enable instead of accepting the default set, and the install script (deploy/install.sh) gained a matching interactive capability picker so the choice flows through to the new agent on first run. Capability toggles are also disabled for offline servers in the capabilities settings to avoid silent drift
  • Audit log filtering -- The audit log page renders full-width and supports filtering by action and by user, so security reviews on long histories no longer require scrolling through every entry
  • Railway pre-release pinning -- The Railway deployment template now accepts a SERVERBEE_IMAGE_TAG build argument so operators can pin a specific pre-release image (e.g. 1.0.0-alpha.2) without forking the template, and the deployment docs describe the override

Changed

  • Default capabilities include firewall and IP quality -- CAP_DEFAULT now grants CAP_FIREWALL_BLOCK and CAP_IP_QUALITY out of the box so new agents get the full operational toolkit without manual toggling
  • IP quality blocked-state explanation -- When an IP quality check is denied, the server reports which side blocked the request and the web UI surfaces the explanation inline on the server detail tab instead of showing an opaque failure
  • Network anomaly window alignment -- The network detail anomaly window now matches the overview badge, and recent anomalies are surfaced regardless of the active window size so a short window no longer hides events the overview is highlighting
  • Capabilities page toolbar -- The capabilities settings page was streamlined with a tighter toolbar and batch actions, and security preset cards now have consistent button alignment with reserved space for two-line descriptions
  • i18n coverage -- The server detail tab labels are now translated, a dedicated i18n namespace was added for the IP Quality feature, and the security page filter dropdowns show their localized labels instead of raw keys

Performance

  • Server detail CLS reduction -- Cumulative Layout Shift on the server detail page dropped from 0.48 to 0.04 by deferring offscreen content, reserving space for late-loading widgets, and disabling Recharts animations on every chart in the route
  • Uptime timeline rewrite -- The 90-day uptime timeline now paints as a single pixel-snapped CSS gradient on its own compositor layer with one shared tooltip popup across all segments, eliminating per-segment React nodes and the gradient seams that appeared on subpixel widths
  • Dashboard widget lazy loading -- Dashboard widgets are now viewport-gated and chart animations are disabled by default, so a dashboard with many widgets no longer stalls the initial paint; a new docs page records the recommended widget capacity limits
  • Route-level code splitting -- The server detail and terminal routes are now lazy-loaded, and the route generator ignores -page.tsx lazy modules so the /servers list page ships a noticeably smaller initial bundle

Fixed

  • Traceroute correctness -- Traceroute updates from a mismatched server_id are rejected at the server, the agent bounds each traceroute with a 60s wall-clock timeout, the PTR cache evicts by inserted_at instead of by IP ordering, and the traceroute_record foreign key was corrected to reference the servers table
  • Server card layout stability -- Server card height now stays consistent whether the card has tags or not, and the route generator no longer treats -page.tsx lazy modules as routable, preventing accidental layout shifts on first paint
  • DataTable width blowup -- Removed table-fixed from the shared DataTable so wide cells no longer force the whole grid to overflow horizontally
  • Add-server install command host -- The install command shown in the add-server dialog now points at raw.githubusercontent.com so the copy-pasted one-liner actually fetches the script

Documentation

  • Traceroute design and operations -- New design spec (with four review passes), a matching implementation plan, and a manual E2E checklist describe how the embedded trippy-core flow replaced the prior shell-based path
  • Cost insights reference -- A new dedicated docs page covers the cost insights and value-score feature so the configuration is no longer buried inside the alerts docs
  • Dashboard widget capacity limits -- A new docs page records the recommended upper bound on widgets per dashboard, derived from the viewport-gating performance work in this release