Security
- Default scripts_management, callbacks_management, links_management, and
media_folders_management to False so a leaked token cannot escalate to RCE
through admin CRUD endpoints.
- TokenSpec + scope hierarchy (read | control | admin); legacy bare-string
api_tokens entries promote to admin for back-compat. Management endpoints
now require admin scope.
- WebSocket subprotocol auth (Sec-WebSocket-Protocol: media-server.token.<T>)
preferred over ?token= query so the token no longer lands in URL/history/
Referer; query fallback retained for HA integration back-compat.
- Origin allow-list check on the WS endpoint (CSWSH defence).
- In-process token-bucket rate limiter: 5/min for failed auths,
10/min for /api/scripts/execute and /api/callbacks/execute.
- shell=False subprocess path (shlex.split) + per-parameter regex `pattern`
in ScriptParameterConfig to harden shell=true scripts against parameter
injection (Windows cmd.exe env-var expansion).
- CSP gains form-action, worker-src, manifest-src directives.
- Refuse cors_origins=["*"] at startup; strip token=... from uvicorn access
logs; validate Gitea release tag against strict SemVer regex.
- noopener noreferrer + no-referrer referrerpolicy on every outbound link.
- icacls hardening of config.yaml on Windows (current user + SYSTEM +
Administrators only); 0600 still enforced on POSIX.
- WS volume handler clamps input and never drops the socket on bad messages.
Performance
- Album-art read in windows_media gated by track key — was decoding the
WinRT thumbnail twice per second regardless of track changes.
- /api/media/artwork returns content-derived ETag + Cache-Control so the
browser sends If-None-Match and gets 304s on track repeats.
- Foreground-service ctypes argtypes hoisted to one-time module init
(was re-declaring ~14 prototypes per probe).
- display_service _static_cache keyed by (edid_hash, ...) tuple with
eviction of disappeared monitors — fixes stale capabilities on hot-plug
swaps where the new topology has the same monitor count.
- Visualizer rAF loop paused on document.hidden, resumed on visible.
Reliability / bug fixes
- Lifespan rewritten as try/yield/finally so a partial-startup failure
cannot orphan background tasks or executors.
- _run_callback in routes/media.py keeps a strong task ref (GC-safe) and
uses the dedicated callback executor instead of the default pool.
- macos_media.set_volume() no longer always returns True.
- TrayManager._restart_requested initialised in __init__; set before
signalling exit so the main thread observes it correctly.
- Missing static_dir now logs a WARNING instead of silent UI disable.
UX / accessibility / PWA
- manifest.json theme_color and background_color match the Studio Reference
base (#0E0D0B); added id and scope for PWA installability.
- ARIA on mini-player icon buttons; inner SVGs marked aria-hidden.
- OS mediaSession API wired so headset / lockscreen / Bluetooth buttons
drive play/pause/next/prev/seek and show track metadata + artwork.
Observability
- X-Request-ID middleware (accept upstream id if it matches a safe regex,
otherwise UUID4); request_id_var added to ContextVars and included in
every log line alongside the token label.
- Audit log (append-only JSONL) for every script + callback execution,
including the on_play/on_pause/etc. event callbacks. Background-thread
writer; queue capped; flushed in lifespan teardown.
Deployment
- proxy_headers + forwarded_allow_ips plumbed through Settings →
uvicorn.Config for reverse-proxy installs.
- HTTPS support via ssl_certfile + ssl_keyfile (+ optional password);
startup refuses to launch with only one of the pair set.
- Thumbnail cache moved from project-root .cache to
%LOCALAPPDATA%/media-server/cache (Windows) and
$XDG_CACHE_HOME/media-server/thumbnails (POSIX).
Tests
- 35 new tests across auth scopes, rate limiter, browser path traversal
(../ NUL UNC absolute), script-param validation incl. regex, Gitea tag
whitelist, config atomic write + POSIX perms. 47 passed / 4 skipped.
DDC/CI writes are fire-and-forget at the protocol level: a successful send
does not mean the monitor honored the value. Many monitors (LG ultrawides
in particular) silently drop writes for VCP codes whose registers exist
but whose feature isn't really implemented in firmware.
- New _verify_after_set helper polls readback after every DDC/CI write and
reports {success: false} when the monitor didn't apply the value. Wired
into set_contrast, set_input_source, set_color_preset, set_picture_mode.
Input source uses a longer settle window since switching can briefly
disrupt the DDC/CI link.
- Picture mode (VCP 0xDC) now requires the capability string to declare
supported codes under cmds[0xDC]. Without that declaration we treat the
feature as unsupported even when reads succeed - the LG case where reads
return a stuck value and every write is silently ignored.
Backend (routes/display.py, services/display_service.py):
- Probe DDC/CI capabilities per monitor at enumeration time
- New endpoints POST /api/display/{contrast,input_source,color_preset,picture_mode}/{id}
- Picture mode goes through raw VCP 0xDC since monitorcontrol has no
high-level wrapper; labels follow MCCS spec with vendor-friendly fallbacks
- Each capability reports a *_supported flag so the UI can hide rows that
the hardware does not advertise
Frontend (links.js, app.js, styles.css, locales):
- Monitor cards grow a contrast slider (same editorial copper treatment
as brightness) and a "PICTURE TUNING" section beneath
- Picture tuning uses the IconSelect widget (matching the audio device
selector): per-port icons (HDMI, DisplayPort, DVI, VGA, USB-C),
thermometer for color temps, per-mode icons (movie reel, gamepad,
ball, etc.) for picture modes
- Humanizers turn SHOUT_CASE enum names into readable labels
(COLOR_TEMP_6500K -> "6500 K", HDMI1 -> "HDMI 1")
- 14 new i18n keys per locale (en/ru)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Detect primary monitor via Windows EnumDisplayMonitors API and show badge
- Expand accent color picker with 9 presets and custom color input
- Auto-generate hover color for custom accent colors
- Re-render accent swatches on locale change for proper i18n
- Replace restart-server.bat with PowerShell restart-server.ps1
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- New display service with DDC/CI brightness and power control via screen_brightness_control and monitorcontrol
- New /api/display/* endpoints (monitors, brightness, power)
- Display tab in WebUI with per-monitor brightness sliders and power toggle
- EDID resolution parsing to distinguish same-name monitors
- Throttled brightness slider (50ms) matching volume control pattern
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
alexei.dolgolyov