Releases: ZingerLittleBee/ServerBee
Release list
v1.0.0-alpha.11
Security
-
Session and mobile access tokens are now stored hashed -- The
sessionstable held the plaintext web session and mobile access token and looked them up by plaintext, so anyone with a database snapshot (the backup export, adb-pull) could replay any active row as a cookie or Bearer token until it expired -- unlike API keys, agent tokens, and refresh tokens, which were already hashed. Tokens are now stored as a SHA-256 hash and hashed again on every lookup (login validation, logout, password-change revocation, and the mobile push endpoints); the plaintext lives only in the cookie/response. A migration drops existing plaintext sessions, so web clients re-log in and mobile clients transparently refresh -
Agent traceroute now enforces the SSRF guard -- Traceroute validated only a character whitelist and then traced whatever the target resolved to, unlike the ping/TCP/HTTP probes which all pass the shared SSRF guard. A server could push a traceroute to
169.254.169.254, loopback, or an internal address and turn the agent into an internal-network probe. The resolved address is now rejected with the same monitor-safe policy (private RFC1918 ranges remain allowed for legitimate internal monitoring; loopback, link-local, and the cloud-metadata endpoint are blocked) -
Agent firewall blocklist mutations require the firewall capability --
BlocklistSync,BlocklistAdd, andBlocklistRemovewere applied to the host firewall with no capability check, while every other high-risk agent command (exec, upgrade, file, traceroute, IP quality) is gated on the current capability bitmap. The agent now enforcesCAP_FIREWALL_BLOCKon these mutations so it is its own trust boundary;BlocklistResetstays ungated on purpose so a capability-revoked agent can still be cleaned up
Fixed
- Disconnected agents no longer generate phantom metrics -- The record writer flushed its entire report cache every minute and stamped each row with the current time, but the cache was never pruned when an agent disconnected. An agent that connected once and then dropped kept producing current-looking metric and traffic rows every minute -- fabricating history and writing to the database without bound. The writer now persists only currently-connected agents, while the cache is retained so offline servers still show their last-known metrics and is purged when a server is deleted
Performance
- Retention cleanup and hourly aggregation use dedicated time indexes -- The periodic cleanup and aggregation jobs filter the time-series tables by their time column alone, but the existing composite indexes lead with
server_id/task_id, so SQLite fell back to a full table scan of the largest tables every hour inside a write transaction. A migration adds a single-column index on every time column these jobs scan (records,records_hourly,gpu_records,ping_records,security_event,audit_logs,unlock_event,ip_risk_cache,traffic_hourly)
v1.0.0-alpha.10
Added
-
Manually correct a server's country / region flag -- GeoIP sometimes maps an agent's public IP to the wrong country, and the flag shown next to a server could not be fixed. The server edit dialog now has a searchable Country / Region picker that lists every ISO 3166-1 entry with its flag and localized name, with frequently-used VPS locations pinned to a "Common" group on top, so an admin can choose the right one without knowing the 2-letter code. A manual choice is pinned (
geo_manual) and is no longer overwritten by GeoIP on the next report; clearing it resumes automatic detection. The chosen value is validated and persisted server-side, and country flags across the app (server cards, list rows, detail headers, and public status pages) now reveal the localized country name on hover via a sharedCountryFlagcomponent -
Edit a server from its card -- The grid-view server card's overflow menu gained an Edit item that opens the full edit dialog directly (previously only the table view could), and the Recover Agent action is now hidden for online servers, mirroring the detail page's gating since recovery only applies to a disconnected agent
Changed
-
Objective cost advisories replace the value score -- The synthetic 0-100 "value score" (grade, confidence, and fleet-relative reasoning) was dropped in favor of objective, per-server cost advisories while keeping the concrete cost data (burn rate and per-resource unit costs). Advisories -- expired billing, sleeping money, idle burn, and low uptime -- are computed without any fleet comparison and surfaced in priority order, with idle/activity detection now gated on per-window network speed instead of cumulative transfer counters. Applied across the Rust cost service and OpenAPI schema, the web cost cell and insight bar, the iOS client, and the bilingual docs
-
Health-first network overview cards -- Server cards now lead with a health verdict pill (healthy / unstable / critical / offline) derived from the shared severity thresholds, with latency as a large colour-coded focal number. The opaque "availability %" was replaced with packet-loss %, the redundant anomaly banner was removed, and the anomaly figure is now a warning-styled stat card showing "N anomalies in last 24h" only for problem servers
-
Theme and language switchers moved into the sidebar user menu -- The theme toggle (Light / Dark / System) and language switcher (中文 / English) moved from the top header into nested submenus in the sidebar user dropdown. The public status page keeps its own header toggles since it has no sidebar
-
Three-tier capability risk model; firewall block is now medium risk -- Capability risk is no longer a binary high-vs-not split.
CAP_FIREWALL_BLOCKis reclassified from high to medium risk -- the agent can only add or remove IPs in its own dedicated nft blocklist set (with self-lockout guardrails) and cannot exec code, read files, or flush the host firewall, so its worst case is bounded availability impact rather than host compromise. The capabilities dialog and settings matrix now render high (red) / medium (amber) / low (muted) tiers and order columns by descending risk
Fixed
- Dashboard widgets no longer jitter after saving a layout -- The custom dashboard could enter an infinite re-render loop right after saving widget positions, jittering widgets that sit below a content-height or aspect-square widget and eventually crashing with React's "Maximum update depth exceeded". The coarse-row y-snap is now applied only where appropriate, so react-grid-layout and the layout normalizer no longer ping-pong
v1.0.0-alpha.9
Added
- Temporary, host-local capability grants -- A user with shell access on an agent host can temporarily enable an off-by-default capability for a bounded duration with the new
serverbee-agent grant <cap> --for <30m|2h|1d> [--reason "..."]CLI (plusserverbee-agent revoke <cap>andserverbee-agent grantsto inspect). Grants persist to<state_dir>/capability_grants.jsonwith an absoluteexpires_at, so they survive an agent restart and expire at their original deadline; a missing/corrupt store fails safe to no grants, and a duration overtemporary_max_duration(default24h) is refused. Consistent with the agent-owned trust model, the server and web/iOS UI cannot grant a capability -- the agent re-reports its effective set, so the server opens the gate live, mirrors the change with an amber "Temporary" badge and a live countdown in the capabilities dialog and the Settings capabilities matrix, audits each transition (capability_temporarily_granted/capability_grant_expired/capability_grant_revoked), and fires the new event-drivencapability_grant_detectedalert when a high-risk capability (terminal/exec/file/docker) is granted. Two agent config keys tune the feature:capabilities.temporary_max_durationandcapabilities.state_dir
Changed
- Capabilities are now agent-owned -- The trust model changed so the agent host is the sole authority over its capabilities. Each agent computes its capability bitmask from the new
[capabilities]config block (allow/denyoverCAP_DEFAULT) plus optional--allow-cap/--deny-capCLI flags and reports it inSystemInfo; the server now persists that value only as a display mirror (servers.capabilities) and gates control-plane requests on it. The server can no longer change an agent's capabilities:PUT /api/servers/{id}no longer accepts acapabilitiesfield, thePUT /api/servers/batch-capabilitiesendpoint and the server→agentCapabilitiesSyncmessage are removed, and the protocol version is bumped to 6 (a new agent→serverCapabilitiesChangedmessage carries live grant transitions). Effective capabilities equal the agent-reported set (no moreserver_caps & agent_local_capsintersection), so a compromised or misconfigured server cannot silently enable terminal, exec, file, or Docker access on a host. The web and iOS capability UIs (server detail dialog and Settings → Capabilities) are now read-only views, and capability denials always reportagent_capability_disabled
v1.0.0-alpha.8
Security
- SSRF guard on ping / network-probe targets -- Probe targets are free-form strings pushed from the server to every agent and were executed after only a capability check, with no target validation -- a vector for turning the agent fleet into a distributed internal-network / cloud-metadata scanner driven by a compromised server or rogue admin. The agent now runs the monitor-grade SSRF guard on every ICMP/TCP/HTTP probe: RFC1918 internal monitoring stays allowed, but loopback, link-local (incl. the
169.254.169.254cloud-metadata endpoint), NAT64, and broadcast are blocked. TCP probes connect to the validated address with no re-resolve, and HTTP probes disable redirect following (blocking a302bounce into metadata) and pin the host to the validated address. As defense-in-depth,PingServiceandNetworkProbeServicealso reject literal loopback/metadata targets at create/update time. Internal RFC1918 monitoring and domain-name targets are unaffected - Mobile refresh tokens are invalidated by a password change -- A new
password_changed_atuser timestamp lets the mobile refresh path reject any refresh token whose session was issued before the user's last password change. Both self-service changes and admin-driven resets stamp it, revoke the user's web sessions, and drop their mobile sessions in a single transaction -- closing a TOCTOU window where a concurrent refresh could "revive" a session and a foreign-key path could leave the revocation half-applied. The caller's own current mobile session is preserved, and existing sessions are unaffected until the next password change after upgrade (no forced mass re-login on deploy) - Capability revocation is an immediate kill-switch -- Revoking
CAP_TERMINAL/CAP_FILE/CAP_DOCKERnow tears down in-flight operations on the agent (open PTYs, in-flight file transfers, Docker stats) instead of only gating future ones; a locally torn-down terminal notifies the server so the browser bridge closes at once rather than hanging until idle timeout. The server also re-checksCAP_IP_QUALITYbefore persisting/broadcasting unlock results and re-checksCAP_FILEon upload chunks, so a capability revoked mid-run cannot let a trailing batch through - Expanded audit logging -- Failed and rate-limited logins (web and mobile), server delete / batch-delete / upgrade triggers, Docker container actions, scheduled-task create/update/delete, and capability-denied events now emit audit-log entries. A first-factor login that still needs a 2FA code is no longer recorded as a failed login, and attacker-controlled usernames in audit detail are length-capped
v1.0.0-alpha.7
Added
- POSIX install script with OpenRC support --
deploy/install.shwas rewritten in portable POSIX sh and now manages services under both systemd and OpenRC, making Alpine and other non-systemd hosts first-class. Releases publishsha256sumsand the installer verifies every download against them, and a CI job gates the script with shellcheck and dash - Connection-lost banner -- The layout shows a persistent banner when the browser loses its WebSocket link to the server (after a short grace period to ignore brief blips) and clears it automatically on reconnect, so a dropped connection no longer leaves the dashboard silently stale
- Shareable tab state in the URL -- The server detail tabs (metrics / traffic / security / IP quality) and the status-page settings tabs (config / incidents / maintenance) are persisted in the URL, so reload, browser back/forward, and shared links keep the selected tab instead of resetting to the first one; an invalid tab value falls back to the default
Changed
- Capability-gated terminal and file routes -- Opening the web terminal or file manager for a server whose
CAP_TERMINAL/CAP_FILEbit is disabled now renders an explanatory notice instead of a dead shell, and skips the doomed WebSocket connect and file-list request
Fixed
- Custom dashboard widgets -- The backend accepts
metric-cardwidgets, module widgets load reliably, the grid is more responsive, and the default layout no longer leaves an empty band - Service monitors -- HTTP-keyword checks accept custom ports, and the service-monitor detail page no longer crashes on SSL certificate dates
- Installer robustness --
purgeremoves the base directory even with orphaned files and the snap Docker config directory;toml_setpreserves the section separator when appending a key;SERVERBEE_*env is forwarded acrossdoaselevation;sha256sumsare matched on the exact filename; OpenRC agent respawn is bounded on permanent enrollment failure; and status/log commands print a clear message instead of nothing when there is no output - Web reliability -- Failed data queries and dashboard create/update errors surface a toast instead of an empty view; destructive actions (monitors, ping tasks, notifications, incidents, maintenance windows, OAuth unlink, password change) require confirmation; the terminal clears its stale WS error on reconnect; capability toggles reflect immediately;
localStorageaccess is guarded against unavailable storage; realtime state is no longer mutated in place; numeric&&guards no longer render a literal0; and alert-rule and scheduled-task validation is surfaced - Web layout & accessibility -- Wide tables scroll instead of overflowing the viewport, modal dialogs stay centered on narrow screens, the main scroll area is constrained to the viewport width, the traffic table scrolls on narrow screens with a clamped usage label, latency chart series stay mounted when toggling targets, network overview cards deep-link to a valid time range, settings breadcrumbs are complete, terminal and file breadcrumb labels resolve, the security and IP-quality pages get a11y and narrow-screen fixes, data-table empty states are localized, the public traffic bar uses cumulative totals, and the API-key dialog gains a copy button
- Agent -- SSH security events are detected on OpenSSH 9.8+, which logs authentication through the new
sshd-sessionprocess
Security
- OAuth login hardening -- The OAuth sign-in flow adopts PKCE (S256), binds the login state to the initiating browser via a pre-auth cookie (closing a CSRF / session-fixation gap), and redacts OAuth secrets from
Debugoutput - SSRF guards for service monitors -- HTTP-keyword and other checkers route through a shared SSRF guard that rejects loopback, cloud-metadata, and private targets at create time and re-validates on every HTTP redirect hop
- Agent token transport -- The agent WebSocket prefers the
Authorizationheader over the query string when sending its token - Expanded audit logging -- Database backup/restore, user-management actions, and API-key creation/deletion now emit audit-log entries, and restore audit entries persist into the restored database
- Fail-closed admin route gating -- Every
/settings/*route is admin-only by default; members reach only the self-service mobile-devices, API-keys, and security pages and are redirected away from any other settings route, so a new settings page is admin-only unless explicitly allow-listed
Performance
- Smaller initial bundle -- Routes and vendor libraries are code-split into separate chunks
- Hot-path cleanups -- Linear scans were removed from the data-transform hot paths, and several components derive state during render instead of in effects
v1.0.0-alpha.6
Added
- Network quality dashboard widgets -- New network overview, network latency chart, and network quality summary widgets, complete with per-widget config forms, i18n strings, picker icons, and registered widget types. Detail-page and widget chart records now share a single pure merge function and records hook. The dashboard save path whitelists the new network quality widget types on the backend
- Server-cards widget layout controls -- The dashboard server-cards widget gains a grid/list layout toggle, sizes itself to its content height (applied instantly to avoid overlap), and reveals additional rows on scroll instead of paginating, with a load-more spinner while fetching
Changed
- Documentation overhaul -- The Chinese docs locale was renamed from
cntozhand README links now point to the docs site. The configuration reference was restructured into tables, and the agent, deployment, monitoring, terminal, ping, alerts, architecture, and index guides were expanded and corrected (JSON terminal transport with base64 data field, single status page, retention tiers, reverse proxy and OAuth/mobile coverage).ENV.mdand the config docs were synced with the code
Security
- RBAC hardening -- The Docker container logs WebSocket and the file read/download endpoints are now restricted to admins. The password policy is unified across change flows, and all active sessions are revoked when a user changes their password
v1.0.0-alpha.5
Added
- Custom widget system (B/C method) -- New
@serverbee/widget-sdkworkspace package exposesdefineWidget, a bundledzschema validator, and a typed hook surface (live:useServers/useServer/useMetric/useCapabilityviauseSyncExternalStore; domain:useHistory/useTraffic/useAlerts/useServiceMonitors/useUptime/useGeoIp; host:useTheme/useConfigUpdate; escape hatches:useApiQuery/useApiMutation). Widgets are authored as a single ESM file with a top-of-file@serverbee-widgetJSDoc manifest, statically extractable, noeval. Admins install viaPOST /api/widget-modules(URL or multipart upload) for single.js/.mjsfiles or.zipcollection bundles with acollection.jsonindex. Built-in widgets are emitted by a new Vite nested-build plugin toapps/web/dist/builtin-widgets/, embedded into the server binary via rust-embed, and registered at boot - Dashboard module rendering --
dashboard_widgetgained amodule_idcolumn;widget_type='module'widgets dispatch through the widget registry and render via the SDK component contract. The picker surfaces installed modules under a "Custom Widgets" section; the config dialog renders the module'sconfigSchemavia the SDK form renderer (real renderers forz.metricPath/z.color/z.duration) with friendly placeholders for missing modules or empty schemas.ActionButtonfrom the SDK ships with confirm dialog, pending state, and success/error toast wiring - Bilingual widget docs --
apps/docs/content/docs/{en,cn}/custom-widgets.mdxcovers method B (single file) and method C (zip bundle) end-to-end: manifest fields, build pipeline with React/SDK externals, install flows, asset resolution rules, SDK surface summary, and the full safety/limits table
Changed
- Widget install hardening -- SSRF guard now resolves DNS and rejects any host whose IP falls in a reserved/private range (loopback, RFC 1918, CGNAT, link-local incl. cloud metadata, IPv6 ULA/link-local, benchmarking, documentation, multicast, reserved); HTTP redirects are disabled; uploads enforce a per-route 1 MiB body limit with streaming size accounting; zip extraction caps total uncompressed size at 32 MiB across at most 64 entries; manifest extractor rejects sources > 1 MiB up front; id conflicts across
source_type(e.g. upload trying to overwrite a builtin) return409 Conflict;dashboard_widget.module_idis validated against installed modules; SDK declarations carry asdkVersionsemver range checked at load time. Install and uninstall events emit audit log entries - Runtime bridge --
mountRuntimeBridgenow wires the SDK runtime to the live React Query servers cache and the host theme provider viauseSyncExternalStore, surfaces sonner toasts, and exposes a confirm-dialog request channel./runtime/*import-map shims are served withCache-Control: no-cacheto avoid stale shim drift across SPA upgrades.defineWidgetrejects duplicate action ids
Removed
- Legacy SPA theme + custom CSS theme system -- The
spa_themepackage upload feature,custom_themeCSS variable system, and seven preset themes are deleted in their entirety (backend service/router/entity, migrations droppingspa_themesandcustom_theme, the appearance settings UI, preset CSS files,theme_reffrom public status pages, and theSERVERBEE_FEATURE__CUSTOM_THEMESconfig field). The theme provider is collapsed to light/dark/system. The oldcustom-themes.mdxandcustom-frontend.mdxdoc pages are replaced bycustom-widgets.mdx
v1.0.0-alpha.4
Added
- Public status page -- New
/api/status/*public surface with field redaction and a singletonis_publictoggle exposes a curated public dashboard; the web app gained public variants of the server list, server detail, network overview, network detail, and IP quality cards with grid/list toggles and i18n coverage - Custom SPA themes -- Operators can upload zip-packaged frontend themes from Settings → Appearance. The server validates the manifest, runs zip-bomb and symlink security checks, supports preview/activate flows with cookie-based theme selection, exposes
/__system/clear-recoveryand/__system/clear-previewrecovery endpoints, and ships a starter template undertemplates/with apack.tshelper - Agent registration redesign -- "Add Server" now creates a pending server with full metadata up front; admins can recover offline agents via a dedicated dialog, regenerate enrollment codes with optimistic CAS, and bound enrollments tie tokens to specific servers. The UI surfaces pending status indicators and disables rotate-token on pending rows
- Rate limit management page -- New admin page and API to inspect and reset per-IP rate limits, with separate scopes for login, registration, and the public status surface; admin rate_limit endpoint reports the public scope alongside the existing ones
- Network anomaly KPI card -- The anomaly count is surfaced as a clickable KPI tile with a dialog containing the table, count, and window selector; latency anomaly detection thresholds are now configurable via env vars
- ipapi.is IP quality provider -- Default IP risk provider switched to ipapi.is with ip-api as automatic fallback orchestrated by
IpRiskService; the snapshot entity and DTOs gained the new abuser_score and related fields, and the IP quality card renders them
Changed
- Settings forms moved into dialogs -- Notification channels and groups, user creation, and ping task creation were converted to dialogs; outer card wrappers were dropped on alerts, notifications, and api-keys pages in favour of inline layouts, and redundant page titles were removed from settings routes
- Service monitors and notifications polished -- Service monitors gained a header description and an inline add button within the table column; notification sections wrap in cards for clearer grouping
- Latency charts use 24-hour time -- Avoids am/pm ambiguity on dense timelines
- Agent registration error handling -- Agent categorizes registration errors and backs off in-process instead of looping fast on permanent failures; registration is transactional with no implicit server creation
- Default register rate-limit raised -- From 3 to 10 attempts per 15-minute window so legitimate batch installs do not lock themselves out
- Status page collapsed to singleton -- Admin status-page router and service collapsed to
GET/PUTon a single row, with newis_publiccolumns and DTO/field cleanup - Canonical 429 error -- OpenAPI rate-limit responses standardised and the in-band sweep tightened
Fixed
- IP quality provider edge cases --
abuser_scoreclamps to0..=100;risk_provider=nonesuppresses fallback; misconfigured provider names warn at startup; new ipapi.is fields persist correctly insave_ip_quality_snapshot - Status page migration safety -- Dropped a broken manual transaction from
simplify_status_pageand parameterised migrationLIKEclauses inside a transaction; servers migration now uses explicit column names to avoid positional drift - SPA theme handler -- Tightened the serve handler for spec compliance with cookie precedence, preview banner, and review fixes; the theme extractor was hardened with additional zip-bomb and symlink coverage
- Agent token validation --
validate_agent_tokenfiltersNULL token_hashat the query layer with a half-bound row regression test - Latency chart and UI polish -- Anomaly count card gained
cursor-pointer; tag chips test alignment with placeholder behaviour - Web bun.lock -- Synced with the v1.0.0-alpha.3 web version bump that landed without lockfile refresh
Removed
- Recovery-merge subsystem -- Replaced by the new agent recovery flow; the legacy server and web code, including orphaned type re-exports, were removed
- Legacy paid IP risk providers -- Removed in favour of the ipapi.is + ip-api stack
- RebindIdentity protocol -- Handler and protocol removed as part of the registration redesign
- Dead
ServerMessageOutcomeenum -- Removed along with legacy test helpers - Legacy slug-based status page surface -- The
/status/$slugroute was dropped after the singleton refactor
Documentation
- Custom frontend theme guide -- New EN/CN docs cover
pack.ts, manifest fields, and the upload flow; the SPA theme manual E2E checklist was added undertests/ - Network probe anomaly thresholds -- Configurable latency anomaly env vars are documented in ENV.md and the bilingual configuration pages
- Design specs and plans -- Added specs and plans for the public status page refactor, custom SPA themes, agent registration redesign, and ipapi.is provider refactor, with multiple review-driven revisions
- IP quality docs replaced -- The IP quality provider docs were rewritten around ipapi.is with the ip-api fallback story
- Removed fabricated env vars -- Stripped references to
SERVERBEE_FEATURE__SPA_THEMESthat never existed in the codebase
v1.0.0-alpha.3
Added
- ASN database for traceroute enrichment -- A new ASN MMDB service labels every traceroute hop with its autonomous system number; the settings page exposes a download/update card mirroring the existing GeoIP control, and
SERVERBEE_ASN__MMDB_PATH/ the[asn]config section let operators bring a custom file - Server version on the settings page -- A public
/api/aboutendpoint reports the running build'sCARGO_PKG_VERSIONand the settings page renders it in an About row so operators can confirm the version at a glance - Manual audit log clear -- Admins can wipe the audit log table from the audit logs page via a destructive button with a confirmation dialog; the clear itself is recorded as an
audit_log_clearentry afterward so the operator who triggered it remains auditable
Changed
- Settings page redesigned -- The standalone GeoIP/ASN/About cards were replaced with a unified
SettingsSection/SettingsRowprimitive grouped into "Data sources" and "About" panels in a macOS System Settings style; the DB-IP attribution moved into the section footer - Traceroute dialog UX -- The dialog was rebuilt around a quick-pick "Recent" chips row backed by a full-history popover, grew to 92vh, pins the all-history button to the right of the chips, renders the protocol select's uppercase label, and shows a loading spinner while a selected history snapshot is being fetched
- ScrollArea adoption on network surfaces -- The traceroute result table, traceroute history list, and manage-targets dialog list all migrated from native
overflow-autoto shadcn'sScrollArea; the manage-targets list also grew to 70vh so far fewer targets sit below the fold
Fixed
- Agent file receive flush --
receive_chunknow flushes the file handle before returning so the last chunk reliably lands on disk - Select trigger label vs. value -- Several admin selects (users page role picker, traceroute protocol picker) were rendering the raw value instead of the label; the
itemsprop is now passed through so the trigger shows the display string - Self-delete button on users page -- The current user's own row no longer shows a delete button that would have failed server-side
Documentation
- ASN configuration documented --
SERVERBEE_ASN__MMDB_PATHand the[asn]config section are documented in ENV.md and the bilingual configuration MDX pages, and the GeoIP/ASN endpoints are now annotated withutoipa::pathso they appear in/swagger-ui/
v1.0.0-alpha.2
Added
- Embedded traceroute with history and protocol selection -- The shell
tracerouteinvocation is replaced by an embeddedtrippy-coreengine that runs per-hop probes over ICMP, UDP, or TCP and streams round updates back to the browser. Results are persisted to a newtraceroute_recordtable with admin delete and clear controls, hops are enriched with PTR (reverse DNS) data via a server-side LRU cache, and the network detail page renders a 10-column streaming hop table inside a header dialog backed by a history list. New protocol enums (TraceProtocol,RecordedProtocol),TracerouteRoundUpdateagent messages, and aTracerouteEnricheronAppStatemake round-by-round streaming defense-in-depth safe -- updates from a mismatchedserver_idare rejected and each traceroute is bounded by a 60s wall-clock timeout - Capability picker during agent install -- When adding a server from the web UI, admins can now pick exactly which agent capabilities to enable instead of accepting the default set, and the install script (
deploy/install.sh) gained a matching interactive capability picker so the choice flows through to the new agent on first run. Capability toggles are also disabled for offline servers in the capabilities settings to avoid silent drift - Audit log filtering -- The audit log page renders full-width and supports filtering by action and by user, so security reviews on long histories no longer require scrolling through every entry
- Railway pre-release pinning -- The Railway deployment template now accepts a
SERVERBEE_IMAGE_TAGbuild argument so operators can pin a specific pre-release image (e.g.1.0.0-alpha.2) without forking the template, and the deployment docs describe the override
Changed
- Default capabilities include firewall and IP quality --
CAP_DEFAULTnow grantsCAP_FIREWALL_BLOCKandCAP_IP_QUALITYout of the box so new agents get the full operational toolkit without manual toggling - IP quality blocked-state explanation -- When an IP quality check is denied, the server reports which side blocked the request and the web UI surfaces the explanation inline on the server detail tab instead of showing an opaque failure
- Network anomaly window alignment -- The network detail anomaly window now matches the overview badge, and recent anomalies are surfaced regardless of the active window size so a short window no longer hides events the overview is highlighting
- Capabilities page toolbar -- The capabilities settings page was streamlined with a tighter toolbar and batch actions, and security preset cards now have consistent button alignment with reserved space for two-line descriptions
- i18n coverage -- The server detail tab labels are now translated, a dedicated i18n namespace was added for the IP Quality feature, and the security page filter dropdowns show their localized labels instead of raw keys
Performance
- Server detail CLS reduction -- Cumulative Layout Shift on the server detail page dropped from 0.48 to 0.04 by deferring offscreen content, reserving space for late-loading widgets, and disabling Recharts animations on every chart in the route
- Uptime timeline rewrite -- The 90-day uptime timeline now paints as a single pixel-snapped CSS gradient on its own compositor layer with one shared tooltip popup across all segments, eliminating per-segment React nodes and the gradient seams that appeared on subpixel widths
- Dashboard widget lazy loading -- Dashboard widgets are now viewport-gated and chart animations are disabled by default, so a dashboard with many widgets no longer stalls the initial paint; a new docs page records the recommended widget capacity limits
- Route-level code splitting -- The server detail and terminal routes are now lazy-loaded, and the route generator ignores
-page.tsxlazy modules so the/serverslist page ships a noticeably smaller initial bundle
Fixed
- Traceroute correctness -- Traceroute updates from a mismatched
server_idare rejected at the server, the agent bounds each traceroute with a 60s wall-clock timeout, the PTR cache evicts byinserted_atinstead of by IP ordering, and thetraceroute_recordforeign key was corrected to reference theserverstable - Server card layout stability -- Server card height now stays consistent whether the card has tags or not, and the route generator no longer treats
-page.tsxlazy modules as routable, preventing accidental layout shifts on first paint - DataTable width blowup -- Removed
table-fixedfrom the sharedDataTableso wide cells no longer force the whole grid to overflow horizontally - Add-server install command host -- The install command shown in the add-server dialog now points at
raw.githubusercontent.comso the copy-pasted one-liner actually fetches the script
Documentation
- Traceroute design and operations -- New design spec (with four review passes), a matching implementation plan, and a manual E2E checklist describe how the embedded trippy-core flow replaced the prior shell-based path
- Cost insights reference -- A new dedicated docs page covers the cost insights and value-score feature so the configuration is no longer buried inside the alerts docs
- Dashboard widget capacity limits -- A new docs page records the recommended upper bound on widgets per dashboard, derived from the viewport-gating performance work in this release