sofarr

Gandalf/sofarr

Fork 0

Commit Graph

Author	SHA1	Message	Date
Gronod	c0dd93a1ab	feat: production hardening v1.2.0 Some checks failed Build and Push Docker Image / build (push) Successful in 59s Details CI / Security audit (push) Successful in 1m5s Details CI / Tests & coverage (push) Successful in 1m24s Details Docs Check / Markdown lint (push) Failing after 45s Details Docs Check / Mermaid diagram parse check (push) Successful in 1m27s Details CI / Security audit (pull_request) Successful in 51s Details CI / Tests & coverage (pull_request) Successful in 1m1s Details Docs Check / Markdown lint (pull_request) Failing after 39s Details Docs Check / Mermaid diagram parse check (pull_request) Successful in 1m12s Details Phase 1 - Licensing & Compliance: - Add MIT LICENSE file - Add copyright headers to server/index.js, poller.js, config.js, sanitizeError.js, and new loadSecrets.js Phase 2 - Security Hardening: - Add server/utils/loadSecrets.js: Docker secrets support via _FILE env var pattern (COOKIE_SECRET_FILE, EMBY_API_KEY_FILE, etc.) - Add SSRF/URL validation in config.js: validates all configured service instance URLs for scheme and well-formedness at startup - Add SIGTERM/SIGINT graceful shutdown: stops poller, drains HTTP connections, 10s force-exit fallback - Warn at startup if COOKIE_SECRET is shorter than 32 characters - Validate EMBY_URL scheme at startup - Improve sanitizeError: redact host:port from axios error URLs while preserving path/query for other redaction patterns Phase 3 - Config Robustness: - Weak COOKIE_SECRET warning (< 32 chars) - EMBY_URL validated via validateInstanceUrl on startup Phase 4 - Docker & Deployment: - .dockerignore: add tests/, coverage/, vitest.config.js, CHANGELOG.md, SECURITY.md, LICENSE, .markdownlint.json - docker-compose.yaml: add commented Option B (Docker secrets _FILE pattern) alongside existing plain-env Option A Phase 5 - Docs & Release Readiness: - Add CHANGELOG.md with entries from v1.0.0 to v1.2.0 - Update SECURITY.md: supported versions table, fix Docker secrets note to reflect _FILE support now implemented - Add public/.well-known/security.txt for responsible disclosure - Bump version to 1.2.0	2026-05-17 19:40:07 +01:00
Gronod	f500f4db3b	feat: fix download-to-user matching, add cover art to downloads - Fix seriesMap key (use Sonarr internal id, not tvdbId) - Fix Sonarr tag resolution (use tag map like Radarr) - Use sourceTitle for history record matching - Fall back to embedded movie/series objects when API timeouts - Add includeMovie/includeSeries params to queue/history API calls - Add coverArt field to all download responses (TMDB poster URLs) - Add cover art display to frontend download cards - Fix user-summary route to use instance config and tag maps	2026-05-15 14:54:21 +01:00

Author

SHA1

Message

Date

Gronod

c0dd93a1ab

feat: production hardening v1.2.0

Build and Push Docker Image / build (push) Successful in 59s

Details

CI / Security audit (push) Successful in 1m5s

Details

CI / Tests & coverage (push) Successful in 1m24s

Details

Docs Check / Markdown lint (push) Failing after 45s

Details

Docs Check / Mermaid diagram parse check (push) Successful in 1m27s

Details

CI / Security audit (pull_request) Successful in 51s

Details

CI / Tests & coverage (pull_request) Successful in 1m1s

Details

Docs Check / Markdown lint (pull_request) Failing after 39s

Details

Docs Check / Mermaid diagram parse check (pull_request) Successful in 1m12s

Details

Phase 1 - Licensing & Compliance:
- Add MIT LICENSE file
- Add copyright headers to server/index.js, poller.js, config.js,
  sanitizeError.js, and new loadSecrets.js

Phase 2 - Security Hardening:
- Add server/utils/loadSecrets.js: Docker secrets support via _FILE
  env var pattern (COOKIE_SECRET_FILE, EMBY_API_KEY_FILE, etc.)
- Add SSRF/URL validation in config.js: validates all configured
  service instance URLs for scheme and well-formedness at startup
- Add SIGTERM/SIGINT graceful shutdown: stops poller, drains HTTP
  connections, 10s force-exit fallback
- Warn at startup if COOKIE_SECRET is shorter than 32 characters
- Validate EMBY_URL scheme at startup
- Improve sanitizeError: redact host:port from axios error URLs
  while preserving path/query for other redaction patterns

Phase 3 - Config Robustness:
- Weak COOKIE_SECRET warning (< 32 chars)
- EMBY_URL validated via validateInstanceUrl on startup

Phase 4 - Docker & Deployment:
- .dockerignore: add tests/, coverage/, vitest.config.js,
  CHANGELOG.md, SECURITY.md, LICENSE, .markdownlint.json
- docker-compose.yaml: add commented Option B (Docker secrets
  _FILE pattern) alongside existing plain-env Option A

Phase 5 - Docs & Release Readiness:
- Add CHANGELOG.md with entries from v1.0.0 to v1.2.0
- Update SECURITY.md: supported versions table, fix Docker secrets
  note to reflect _FILE support now implemented
- Add public/.well-known/security.txt for responsible disclosure
- Bump version to 1.2.0

2026-05-17 19:40:07 +01:00

Gronod

f500f4db3b

feat: fix download-to-user matching, add cover art to downloads

- Fix seriesMap key (use Sonarr internal id, not tvdbId)
- Fix Sonarr tag resolution (use tag map like Radarr)
- Use sourceTitle for history record matching
- Fall back to embedded movie/series objects when API timeouts
- Add includeMovie/includeSeries params to queue/history API calls
- Add coverArt field to all download responses (TMDB poster URLs)
- Add cover art display to frontend download cards
- Fix user-summary route to use instance config and tag maps

2026-05-15 14:54:21 +01:00

2 Commits