# Changelog All notable changes to this project will be documented in this file. Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). --- ## [1.2.2] - 2026-05-17 ### Changed - **Header logo** — uses the higher-resolution 192px favicon source rendered at 56px for better visual balance alongside the title text. --- ## [1.2.1] - 2026-05-17 ### Added - **Version footer** — the dashboard footer now displays the running app version (e.g. `sofarr v1.2.1`), fetched from the `/health` endpoint on page load. --- ## [1.2.0] - 2025-05-17 ### Security - **Docker secrets support** — all sensitive environment variables (`COOKIE_SECRET`, `EMBY_API_KEY`, `SABNZBD_API_KEY`, `SONARR_API_KEY`, `RADARR_API_KEY`, `QBITTORRENT_PASSWORD`) now support the standard `_FILE` variant for loading values from mounted secret files (e.g. `COOKIE_SECRET_FILE=/run/secrets/cookie_secret`). - **Weak secret warning** — server now warns at startup if `COOKIE_SECRET` is shorter than 32 characters. - **EMBY_URL validation** — validates the Emby URL scheme at startup and warns on misconfiguration. - **Improved error sanitization** — `sanitizeError()` now also redacts hostnames from full request URLs that may appear in axios error messages. - **Graceful shutdown** — `SIGTERM` and `SIGINT` handlers now stop the background poller and drain open HTTP connections before exiting. Prevents data loss and zombie processes on `docker stop`. ### Compliance - **MIT LICENSE file** added to project root. - **Copyright headers** added to key server source files (`index.js`, `poller.js`, `config.js`, `sanitizeError.js`, `loadSecrets.js`). - **`security.txt`** (`/.well-known/security.txt`) added for responsible disclosure. ### Configuration - **URL validation** added to `config.js` — all configured service instance URLs are validated for scheme (`http`/`https`) and well-formedness at startup; malformed URLs emit a warning instead of crashing. ### Docker / Deployment - **`docker-compose.yaml`** updated with commented Option B (Docker secrets `_FILE` pattern) alongside the existing plain-env Option A. - **`.dockerignore`** updated — `tests/`, `coverage/`, `vitest.config.js`, `CHANGELOG.md`, `SECURITY.md`, `LICENSE`, `.markdownlint.json` excluded from the production image. ### CI - **`docs-check` workflow** added — separate Gitea Actions workflow that lints all Markdown files and validates Mermaid diagram syntax on every push that touches `.md` files. Both jobs use `continue-on-error: true` so documentation issues never block a release. - **Mermaid diagrams** in `docs/ARCHITECTURE.md` fixed — replaced invalid `\n` in stateDiagram transition labels, Unicode arrows/dashes, and double-spaces in flowchart edge definitions. --- ## [1.1.2] - 2025-05-15 ### Changed - Server startup message now includes the current version (`sofarr v1.1.2`). --- ## [1.1.1] - 2025-05-14 ### Fixed - Docker/TrueNAS SCALE healthcheck: dynamic HTTP/HTTPS selection based on `TLS_ENABLED` environment variable. Prevents containers from being stuck in "starting" state when `TLS_ENABLED=false`. --- ## [1.1.0] - 2025-05-13 ### Added - **Episode display** — TV show download cards now show episode information (S01E01 format with title). Multi-episode packs show a "Multiple episodes" badge with a tooltip listing all episodes. - **Episode tooltip** — solid background colour (theme-dependent) for readability. - Sonarr queue and history API requests now include `includeEpisode=true`. --- ## [1.0.0] - 2025-05-01 ### Added - Initial release. - SABnzbd queue and history integration. - qBittorrent torrent integration. - Sonarr and Radarr queue/history matching with user tag filtering. - Emby/Jellyfin authentication. - Server-Sent Events (SSE) real-time dashboard. - Per-request CSP nonce, CSRF double-submit, HSTS, Permissions-Policy. - Background polling with configurable interval and on-demand fallback. - Docker multi-stage build, non-root user, read-only filesystem. - TLS support with bundled snakeoil certificate.