alexei.dolgolyov/notify-bridge
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 31 Wiki Activity
Files
9aada7538198de7975654e32760e522f97e77638
notify-bridge/RELEASE_NOTES.md
T
alexei.dolgolyov 85a8f1e71c
Release / test-backend (push) Successful in 2m20s
Details
Release / release (push) Successful in 1m40s
Details
chore: release v0.8.2
2026-05-22 22:54:00 +03:00

4.5 KiB
Raw Blame History

v0.8.2 (2026-05-22)

A production-readiness hardening release that follows up on v0.8.1 with six isolated, low-risk fixes surfaced by a parallel full-codebase review (backend, frontend, security, performance, UI/UX, bugs+features). No breaking changes; no migrations required.

User-facing changes

Security

  • Provider access_token masked in API responses. The provider GET endpoints were leaking plaintext credentials — most importantly Home Assistant long-lived tokens — in their JSON payloads. The field is now masked on read and dropped on edit when the *** placeholder is sent back, so the UI can show "set" / "unset" without ever round-tripping the secret. Centralized through PROVIDER_SECRET_FIELDS so every call site stays in sync (2d59a5b)
  • Pre-auth resource-exhaustion amplifier closed on webhook ingest. The Gitea provider used to read the 1 MiB request body before checking whether a secret was even configured or whether the request had a signature header — an unauthenticated client could force a body read on every hit. The generic-webhook bearer-token path had the same shape: body read before Authorization check. Both now bail out before consuming the body when the auth precondition fails (2d59a5b)

Bug Fixes

  • Home Assistant status-change events no longer silently lost. ha_status_changed rows are written from asyncio.create_task(...), but create_task only keeps a weak reference — the task was being garbage-collected before the row landed, so connection-flap events disappeared. The task handles are now held in a module-level set with a done_callback to release them on completion (2d59a5b)
  • Telegram-webhook handler exceptions can no longer leak writes. The catch-all error path in the Telegram inbound endpoint now rolls back the request's SQLAlchemy session before returning, so a handler crash mid-transaction cannot bleed uncommitted state into the next request on the same connection (2d59a5b)

Accessibility

  • Toast notifications now announced by screen readers. Added role="region" on the snackbar container plus per-toast role / aria-live / aria-atomic attributes, with a localized region name (snackbar.region) in both en and ru (2d59a5b)
  • Active sidebar link now has an accessible state. aria-current="page" is now set on the matching nav item, so assistive tech can announce the active route (2d59a5b)

Development / Internal

Refactoring

  • Last provider.type === 'immich' check removed from components. The action-rule editor's "Auto-organize" affordance now consumes a supportsAutoOrganize capability on ProviderDescriptor instead of branching on the provider type — bringing the rule editor under CLAUDE.md rule 8 (no provider-specific hardcoding in components) (2d59a5b)

Chores

  • Synced .facts-sync.json with claude-code-facts@cfdafa9. Both previously pending suggestions (venv install for monorepos + hatchling METADATA workaround) were applied upstream; the local queue is empty (a20635a)

Known gaps (tracked for follow-up)

The full-codebase review surfaced more ship-blockers than this release fixes. Each of the items below needs more than a mechanical edit and is tracked in .claude/reviews/README.md:

  • Secret encryption at rest
  • JWT moved into an HTTP-only cookie
  • Alembic adoption (currently create_all)
  • Webhook delivery idempotency
  • Deferred-dispatch crash window
  • Persisted Telegram update watermark
  • bridge_self counter lock
All Commits
  • 2d59a5bfix: production-readiness hardening from full-codebase review (alexei.dolgolyov)
  • a20635achore: sync .facts-sync.json with claude-code-facts@cfdafa9 (alexei.dolgolyov)
Reference in New Issue View Git Blame Copy Permalink