"Maybe later" previously only hid the modal for the current session,
causing it to reappear on every subsequent visit. Now it snoozes the
modal for 7 days before showing again.
The previous commit added FreeBSD binaries to the Docker build and
release directory but didn't update the manifest generator or validation
script. Without this, FreeBSD binaries would be built but not tracked
or validated, and release validation would fail on the new entries.
Related to #1051
Two fixes for FreeBSD agent support:
1. The Docker image never built or included FreeBSD agent binaries, causing
404 errors when FreeBSD clients requested the download. Added FreeBSD
amd64/arm64 cross-compilation for both host-agent and unified-agent,
plus COPY statements to include them in the image. Also added bare
FreeBSD binaries to GitHub release assets for the redirect fallback.
2. pfSense does not use the standard FreeBSD rc.d boot system — scripts
in /usr/local/etc/rc.d/ must end in .sh to run at boot. The installer
now detects pfSense and creates a .sh boot wrapper alongside the
standard rc.d script. Also added -r flag to daemon for auto-restart.
Related to #1051
The legacy cleanup section in TEMPERATURE_MONITORING.md only covered 1 of the
5 systemd units and referenced an outdated binary path. Users following these
docs still had the selfheal timer running, generating recurring TASK ERROR
entries in the Proxmox task log.
Updated with the complete set of units, correct file paths, and a note that
upgrading the Pulse container does not remove the sensor proxy from the host.
Added a sensor proxy removal section to UPGRADE_v5.md so users see the warning
during upgrade.
Related to #817
Replace manual resource ID entry with a searchable, filterable resource
picker that uses live WebSocket state. Support selecting multiple
resources (up to 50) for combined fleet reports.
Multi-resource PDFs include a cover page, fleet summary table with
aggregate health status, and condensed per-resource detail pages with
overlaid CPU/memory charts. Multi-resource CSVs include a summary
section followed by interleaved time-series data with resource columns.
New POST /api/admin/reports/generate-multi endpoint handles multi-resource
requests while the existing single-resource GET endpoint remains unchanged.
Also fixes resource ID validation regex to allow colons used in
VM/container IDs (e.g., "instance:node:vmid").
When namespace matching fails, the VMID-only fallback now checks whether
the VMID appears on multiple PVE instances. If ambiguous, the fallback
is skipped — preventing backups from being falsely attributed to the
wrong guest. Unique VMIDs still fall back as before.
Add three layers of secret leak prevention:
1. .gitleaks.toml — config extending the default ruleset (~150 rules for
AWS, GCP, Stripe, OpenAI, private keys, JWTs, etc.) with allowlists
tuned to suppress false positives from test fixtures and docs.
2. .husky/pre-commit — enhanced with gitleaks protect --staged (graceful
skip if not installed), sensitive file type blocking (.pem, .key, .enc,
id_rsa, etc.), and broadened fallback patterns covering AWS, OpenAI,
GCP, and private key headers alongside existing Stripe checks.
3. .github/workflows/build-and-test.yml — new secret-scan CI job using
gitleaks-action that runs in parallel with build on every push/PR,
serving as the last gate if someone bypasses local hooks.
API tokens passed via ?token= query parameter were accepted on all HTTP
requests. This is a security concern because tokens in URLs can leak via
server logs, browser history, referrer headers, and proxy logs.
The query-string token path exists solely for WebSocket connections which
cannot set custom headers during the upgrade handshake. This change adds
an isWebSocketUpgrade check to all three query-string extraction sites
in CheckAuth and extractAndStoreAuthContext, rejecting ?token= on regular
HTTP requests while preserving WebSocket functionality.
No frontend impact — the kiosk flow stores the token in sessionStorage
then uses X-API-Token headers for all API calls.
The previous fix (cf52b5f5) only updated NodeSummaryTable. Guest rows,
Docker hosts, storage, and backup views still used hardcoded 0 decimals,
showing "1 GB/2 GB" instead of "1.50 GB/2.00 GB" for small values.
Related to #1116
- KnowledgeStore: use atomic write (temp+rename) to prevent file
corruption from concurrent async saves
- Change password tests: add auth headers since endpoint now requires
authentication
- ClearSession test: expect 2 cookies (pulse_session + pulse_csrf)
matching updated clearSession behavior
- API token test: update to match current behavior where query-string
tokens are accepted (needed for WebSocket connections)
- Host agent config: allow ScopeHostManage to resolve any host, not
just token-bound hosts
ExportConfig held a read lock while calling LoadNodesConfig, which
could trigger a migration requiring a write lock - causing a deadlock.
Removed the redundant outer lock since each Load function manages its
own locking.
Also updated TestAppriseConfigPersistence to match the security fix
that hardcodes CLIPath to "apprise" to prevent RCE.
Backend:
- Add HostData field to ChartResponse struct in types.go
- Add host data processing in /api/charts endpoint using 'host:' prefix key
- Include hosts count in debug logging for chart responses
Frontend:
- Add 'host' to MetricResourceKind type in metricsKeys.ts
- Add hostData field to ChartsResponse interface in charts.ts
- Process hostData in seedFromBackend() in metricsHistory.ts
- Pass resourceId to EnhancedCPUBar and StackedMemoryBar in HostsOverview.tsx
- Add '7d' and '30d' to TIME_RANGE_OPTIONS in metricsViewMode.ts
This enables sparkline trend visualization for unified host agents,
consistent with Proxmox guests. Data accumulates over time at 30s intervals.
The DiscoveryTab component for Docker containers/services and Kubernetes pods
was not receiving the customUrl and onCustomUrlChange props, causing saved
URLs to be lost when the drawer was reopened.
Changes:
- Add guest metadata management to DockerUnifiedTable (fetches on mount,
caches, listens for external changes)
- Pass customUrl and onCustomUrlChange props to DiscoveryTab in
DockerContainerRow and DockerServiceRow
- Add guest metadata management to KubernetesClusters component
- Update PodRow to receive and pass metadata props to DiscoveryTab
The fix ensures that when users click 'Use this' on a suggested URL and save,
the URL persists correctly across Docker containers, Swarm services, and K8s pods.
