Releases: ZingerLittleBee/ServerBee

v1.0.0-alpha.6

31 May 11:19

Added

  • Network quality dashboard widgets -- New network overview, network latency chart, and network quality summary widgets, complete with per-widget config forms, i18n strings, picker icons, and registered widget types. Detail-page and widget chart records now share a single pure merge function and records hook. The dashboard save path whitelists the new network quality widget types on the backend
  • Server-cards widget layout controls -- The dashboard server-cards widget gains a grid/list layout toggle, sizes itself to its content height (applied instantly to avoid overlap), and reveals additional rows on scroll instead of paginating, with a load-more spinner while fetching

Changed

  • Documentation overhaul -- The Chinese docs locale was renamed from cn to zh and README links now point to the docs site. The configuration reference was restructured into tables, and the agent, deployment, monitoring, terminal, ping, alerts, architecture, and index guides were expanded and corrected (JSON terminal transport with base64 data field, single status page, retention tiers, reverse proxy and OAuth/mobile coverage). ENV.md and the config docs were synced with the code

Security

  • RBAC hardening -- The Docker container logs WebSocket and the file read/download endpoints are now restricted to admins. The password policy is unified across change flows, and all active sessions are revoked when a user changes their password

v1.0.0-alpha.5

28 May 17:44
059d4c3

Added

  • Custom widget system (B/C method) -- New @serverbee/widget-sdk workspace package exposes defineWidget, a bundled z schema validator, and a typed hook surface (live: useServers/useServer/useMetric/useCapability via useSyncExternalStore; domain: useHistory/useTraffic/useAlerts/useServiceMonitors/useUptime/useGeoIp; host: useTheme/useConfigUpdate; escape hatches: useApiQuery/useApiMutation). Widgets are authored as a single ESM file with a top-of-file @serverbee-widget JSDoc manifest, statically extractable, no eval. Admins install via POST /api/widget-modules (URL or multipart upload) for single .js/.mjs files or .zip collection bundles with a collection.json index. Built-in widgets are emitted by a new Vite nested-build plugin to apps/web/dist/builtin-widgets/, embedded into the server binary via rust-embed, and registered at boot
  • Dashboard module rendering -- dashboard_widget gained a module_id column; widget_type='module' widgets dispatch through the widget registry and render via the SDK component contract. The picker surfaces installed modules under a "Custom Widgets" section; the config dialog renders the module's configSchema via the SDK form renderer (real renderers for z.metricPath/z.color/z.duration) with friendly placeholders for missing modules or empty schemas. ActionButton from the SDK ships with confirm dialog, pending state, and success/error toast wiring
  • Bilingual widget docs -- apps/docs/content/docs/{en,cn}/custom-widgets.mdx covers method B (single file) and method C (zip bundle) end-to-end: manifest fields, build pipeline with React/SDK externals, install flows, asset resolution rules, SDK surface summary, and the full safety/limits table

Changed

  • Widget install hardening -- SSRF guard now resolves DNS and rejects any host whose IP falls in a reserved/private range (loopback, RFC 1918, CGNAT, link-local incl. cloud metadata, IPv6 ULA/link-local, benchmarking, documentation, multicast, reserved); HTTP redirects are disabled; uploads enforce a per-route 1 MiB body limit with streaming size accounting; zip extraction caps total uncompressed size at 32 MiB across at most 64 entries; manifest extractor rejects sources > 1 MiB up front; id conflicts across source_type (e.g. upload trying to overwrite a builtin) return 409 Conflict; dashboard_widget.module_id is validated against installed modules; SDK declarations carry a sdkVersion semver range checked at load time. Install and uninstall events emit audit log entries
  • Runtime bridge -- mountRuntimeBridge now wires the SDK runtime to the live React Query servers cache and the host theme provider via useSyncExternalStore, surfaces sonner toasts, and exposes a confirm-dialog request channel. /runtime/* import-map shims are served with Cache-Control: no-cache to avoid stale shim drift across SPA upgrades. defineWidget rejects duplicate action ids

Removed

  • Legacy SPA theme + custom CSS theme system -- The spa_theme package upload feature, custom_theme CSS variable system, and seven preset themes are deleted in their entirety (backend service/router/entity, migrations dropping spa_themes and custom_theme, the appearance settings UI, preset CSS files, theme_ref from public status pages, and the SERVERBEE_FEATURE__CUSTOM_THEMES config field). The theme provider is collapsed to light/dark/system. The old custom-themes.mdx and custom-frontend.mdx doc pages are replaced by custom-widgets.mdx

v1.0.0-alpha.4

26 May 16:41

Added

  • Public status page -- New /api/status/* public surface with field redaction and a singleton is_public toggle exposes a curated public dashboard; the web app gained public variants of the server list, server detail, network overview, network detail, and IP quality cards with grid/list toggles and i18n coverage
  • Custom SPA themes -- Operators can upload zip-packaged frontend themes from Settings → Appearance. The server validates the manifest, runs zip-bomb and symlink security checks, supports preview/activate flows with cookie-based theme selection, exposes /__system/clear-recovery and /__system/clear-preview recovery endpoints, and ships a starter template under templates/ with a pack.ts helper
  • Agent registration redesign -- "Add Server" now creates a pending server with full metadata up front; admins can recover offline agents via a dedicated dialog, regenerate enrollment codes with optimistic CAS, and bound enrollments tie tokens to specific servers. The UI surfaces pending status indicators and disables rotate-token on pending rows
  • Rate limit management page -- New admin page and API to inspect and reset per-IP rate limits, with separate scopes for login, registration, and the public status surface; admin rate_limit endpoint reports the public scope alongside the existing ones
  • Network anomaly KPI card -- The anomaly count is surfaced as a clickable KPI tile with a dialog containing the table, count, and window selector; latency anomaly detection thresholds are now configurable via env vars
  • ipapi.is IP quality provider -- Default IP risk provider switched to ipapi.is with ip-api as automatic fallback orchestrated by IpRiskService; the snapshot entity and DTOs gained the new abuser_score and related fields, and the IP quality card renders them

Changed

  • Settings forms moved into dialogs -- Notification channels and groups, user creation, and ping task creation were converted to dialogs; outer card wrappers were dropped on alerts, notifications, and api-keys pages in favour of inline layouts, and redundant page titles were removed from settings routes
  • Service monitors and notifications polished -- Service monitors gained a header description and an inline add button within the table column; notification sections wrap in cards for clearer grouping
  • Latency charts use 24-hour time -- Avoids am/pm ambiguity on dense timelines
  • Agent registration error handling -- Agent categorizes registration errors and backs off in-process instead of looping fast on permanent failures; registration is transactional with no implicit server creation
  • Default register rate-limit raised -- From 3 to 10 attempts per 15-minute window so legitimate batch installs do not lock themselves out
  • Status page collapsed to singleton -- Admin status-page router and service collapsed to GET/PUT on a single row, with new is_public columns and DTO/field cleanup
  • Canonical 429 error -- OpenAPI rate-limit responses standardised and the in-band sweep tightened

Fixed

  • IP quality provider edge cases -- abuser_score clamps to 0..=100; risk_provider=none suppresses fallback; misconfigured provider names warn at startup; new ipapi.is fields persist correctly in save_ip_quality_snapshot
  • Status page migration safety -- Dropped a broken manual transaction from simplify_status_page and parameterised migration LIKE clauses inside a transaction; servers migration now uses explicit column names to avoid positional drift
  • SPA theme handler -- Tightened the serve handler for spec compliance with cookie precedence, preview banner, and review fixes; the theme extractor was hardened with additional zip-bomb and symlink coverage
  • Agent token validation -- validate_agent_token filters NULL token_hash at the query layer with a half-bound row regression test
  • Latency chart and UI polish -- Anomaly count card gained cursor-pointer; tag chips test alignment with placeholder behaviour
  • Web bun.lock -- Synced with the v1.0.0-alpha.3 web version bump that landed without lockfile refresh

Removed

  • Recovery-merge subsystem -- Replaced by the new agent recovery flow; the legacy server and web code, including orphaned type re-exports, were removed
  • Legacy paid IP risk providers -- Removed in favour of the ipapi.is + ip-api stack
  • RebindIdentity protocol -- Handler and protocol removed as part of the registration redesign
  • Dead ServerMessageOutcome enum -- Removed along with legacy test helpers
  • Legacy slug-based status page surface -- The /status/$slug route was dropped after the singleton refactor

Documentation

  • Custom frontend theme guide -- New EN/CN docs cover pack.ts, manifest fields, and the upload flow; the SPA theme manual E2E checklist was added under tests/
  • Network probe anomaly thresholds -- Configurable latency anomaly env vars are documented in ENV.md and the bilingual configuration pages
  • Design specs and plans -- Added specs and plans for the public status page refactor, custom SPA themes, agent registration redesign, and ipapi.is provider refactor, with multiple review-driven revisions
  • IP quality docs replaced -- The IP quality provider docs were rewritten around ipapi.is with the ip-api fallback story
  • Removed fabricated env vars -- Stripped references to SERVERBEE_FEATURE__SPA_THEMES that never existed in the codebase

v1.0.0-alpha.3

24 May 17:21
29199c2

Added

  • ASN database for traceroute enrichment -- A new ASN MMDB service labels every traceroute hop with its autonomous system number; the settings page exposes a download/update card mirroring the existing GeoIP control, and SERVERBEE_ASN__MMDB_PATH / the [asn] config section let operators bring a custom file
  • Server version on the settings page -- A public /api/about endpoint reports the running build's CARGO_PKG_VERSION and the settings page renders it in an About row so operators can confirm the version at a glance
  • Manual audit log clear -- Admins can wipe the audit log table from the audit logs page via a destructive button with a confirmation dialog; the clear itself is recorded as an audit_log_clear entry afterward so the operator who triggered it remains auditable

Changed

  • Settings page redesigned -- The standalone GeoIP/ASN/About cards were replaced with a unified SettingsSection/SettingsRow primitive grouped into "Data sources" and "About" panels in a macOS System Settings style; the DB-IP attribution moved into the section footer
  • Traceroute dialog UX -- The dialog was rebuilt around a quick-pick "Recent" chips row backed by a full-history popover, grew to 92vh, pins the all-history button to the right of the chips, renders the protocol select's uppercase label, and shows a loading spinner while a selected history snapshot is being fetched
  • ScrollArea adoption on network surfaces -- The traceroute result table, traceroute history list, and manage-targets dialog list all migrated from native overflow-auto to shadcn's ScrollArea; the manage-targets list also grew to 70vh so far fewer targets sit below the fold

Fixed

  • Agent file receive flush -- receive_chunk now flushes the file handle before returning so the last chunk reliably lands on disk
  • Select trigger label vs. value -- Several admin selects (users page role picker, traceroute protocol picker) were rendering the raw value instead of the label; the items prop is now passed through so the trigger shows the display string
  • Self-delete button on users page -- The current user's own row no longer shows a delete button that would have failed server-side

Documentation

  • ASN configuration documented -- SERVERBEE_ASN__MMDB_PATH and the [asn] config section are documented in ENV.md and the bilingual configuration MDX pages, and the GeoIP/ASN endpoints are now annotated with utoipa::path so they appear in /swagger-ui/

v1.0.0-alpha.2

24 May 12:27

Added

  • Embedded traceroute with history and protocol selection -- The shell traceroute invocation is replaced by an embedded trippy-core engine that runs per-hop probes over ICMP, UDP, or TCP and streams round updates back to the browser. Results are persisted to a new traceroute_record table with admin delete and clear controls, hops are enriched with PTR (reverse DNS) data via a server-side LRU cache, and the network detail page renders a 10-column streaming hop table inside a header dialog backed by a history list. New protocol enums (TraceProtocol, RecordedProtocol), TracerouteRoundUpdate agent messages, and a TracerouteEnricher on AppState support round-by-round streaming with defense-in-depth checks -- updates from a mismatched server_id are rejected and each traceroute is bounded by a 60s wall-clock timeout
  • Capability picker during agent install -- When adding a server from the web UI, admins can now pick exactly which agent capabilities to enable instead of accepting the default set, and the install script (deploy/install.sh) gained a matching interactive capability picker so the choice flows through to the new agent on first run. Capability toggles are also disabled for offline servers in the capabilities settings to avoid silent drift
  • Audit log filtering -- The audit log page renders full-width and supports filtering by action and by user, so security reviews on long histories no longer require scrolling through every entry
  • Railway pre-release pinning -- The Railway deployment template now accepts a SERVERBEE_IMAGE_TAG build argument so operators can pin a specific pre-release image (e.g. 1.0.0-alpha.2) without forking the template, and the deployment docs describe the override

Changed

  • Default capabilities include firewall and IP quality -- CAP_DEFAULT now grants CAP_FIREWALL_BLOCK and CAP_IP_QUALITY out of the box so new agents get the full operational toolkit without manual toggling
  • IP quality blocked-state explanation -- When an IP quality check is denied, the server reports which side blocked the request and the web UI surfaces the explanation inline on the server detail tab instead of showing an opaque failure
  • Network anomaly window alignment -- The network detail anomaly window now matches the overview badge, and recent anomalies are surfaced regardless of the active window size so a short window no longer hides events the overview is highlighting
  • Capabilities page toolbar -- The capabilities settings page was streamlined with a tighter toolbar and batch actions, and security preset cards now have consistent button alignment with reserved space for two-line descriptions
  • i18n coverage -- The server detail tab labels are now translated, a dedicated i18n namespace was added for the IP Quality feature, and the security page filter dropdowns show their localized labels instead of raw keys

Performance

  • Server detail CLS reduction -- Cumulative Layout Shift on the server detail page dropped from 0.48 to 0.04 by deferring offscreen content, reserving space for late-loading widgets, and disabling Recharts animations on every chart in the route
  • Uptime timeline rewrite -- The 90-day uptime timeline now paints as a single pixel-snapped CSS gradient on its own compositor layer with one shared tooltip popup across all segments, eliminating per-segment React nodes and the gradient seams that appeared on subpixel widths
  • Dashboard widget lazy loading -- Dashboard widgets are now viewport-gated and chart animations are disabled by default, so a dashboard with many widgets no longer stalls the initial paint; a new docs page records the recommended widget capacity limits
  • Route-level code splitting -- The server detail and terminal routes are now lazy-loaded, and the route generator ignores -page.tsx lazy modules so the /servers list page ships a noticeably smaller initial bundle

Fixed

  • Traceroute correctness -- Traceroute updates from a mismatched server_id are rejected at the server, the agent bounds each traceroute with a 60s wall-clock timeout, the PTR cache evicts by inserted_at instead of by IP ordering, and the traceroute_record foreign key was corrected to reference the servers table
  • Server card layout stability -- Server card height now stays consistent whether the card has tags or not, and the route generator no longer treats -page.tsx lazy modules as routable, preventing accidental layout shifts on first paint
  • DataTable width blowup -- Removed table-fixed from the shared DataTable so wide cells no longer force the whole grid to overflow horizontally
  • Add-server install command host -- The install command shown in the add-server dialog now points at raw.githubusercontent.com so the copy-pasted one-liner actually fetches the script

Documentation

  • Traceroute design and operations -- New design spec (with four review passes), a matching implementation plan, and a manual E2E checklist describe how the embedded trippy-core flow replaced the prior shell-based path
  • Cost insights reference -- A new dedicated docs page covers the cost insights and value-score feature so the configuration is no longer buried inside the alerts docs
  • Dashboard widget capacity limits -- A new docs page records the recommended upper bound on widgets per dashboard, derived from the viewport-gating performance work in this release

v1.0.0-alpha.1

22 May 18:07

Added

  • IP quality & streaming unlock checks -- Agents probe a configurable catalog of streaming and AI services (Netflix, ChatGPT, Spotify, and more) and score their public IP for risk. Results appear on a dedicated overview page, a server-detail tab, and optionally on public status pages. Gated behind the new CAP_IP_QUALITY capability and protected by an SSRF guard that blocks internal ranges, IPv4-mapped IPv6 bypasses, and embedded credentials
  • Firewall blocklist management -- Servers can block abusive IPs through an nftables-backed firewall manager, with a one-click block action, an auto-block toggle that reacts to security events, and a three-tier guardrail that protects the operator's own IPs from accidental lockout. Gated behind the new CAP_FIREWALL_BLOCK capability
  • Security event detection -- Agents detect SSH logins, SSH brute-force attempts, and port scans via journal, conntrack, and kernel-firewall watchers, reporting them as security events with severity escalation. A new Security overview page and per-server Security tab visualize events, and alert rules can match on them. Gated behind the new CAP_SECURITY_EVENTS capability
  • Hardened Agent self-upgrade -- A new [upgrade] config section pins release download and checksum URLs, supports a --release-repo CLI override, and verifies the release-signing certificate via SPKI SHA-256 pinning
  • iOS mobile client -- The iOS app gains push-notification deep linking, an actor-based WebSocket layer with heartbeat and exponential-backoff reconnect, full VoiceOver and Dynamic Type accessibility, an editable device name, insecure-URL banners, and SwiftLint/swift-format tooling

Changed

  • Dashboard rendering -- The service-status widget was redesigned with a summary and richer rows, the gauge widget locks to a square aspect on resize, and dashboard WebSocket re-renders were reduced
  • Release CI -- The cross-platform release build matrix no longer runs on pull requests; pre-release tags are flagged as pre-releases and no longer move the Docker :latest tag

Fixed

  • NAT and Docker country detection -- country_code is now populated for agents behind Docker bridges and NAT
  • Uptime timeline -- Fixed tooltip clipping and a stray horizontal scrollbar
  • IP quality robustness -- Response body streaming is capped, 0.0.0.0/8 is blocked, ambiguous unlock probes report as Failed rather than Blocked, and stale foreign keys and missing capabilities are guarded
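
The SSRF guards described in the v1.0.0-alpha.5 widget install hardening and the v1.0.0-alpha.1 IP quality notes both come down to classifying every resolved address before connecting. The sketch below is an added example using only the Rust standard library, not ServerBee's own code; the function names are hypothetical, and it covers the address check only (redirect handling and embedded-credential rejection are out of scope).

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, ToSocketAddrs};

/// Reason an IPv4 address is refused, or None if it is publicly routable.
fn blocked_v4(ip: Ipv4Addr) -> Option<&'static str> {
    let [a, b, c, _] = ip.octets();
    match (a, b, c) {
        (0, _, _) => Some("0.0.0.0/8"),
        (127, _, _) => Some("loopback"),
        (10, _, _) | (172, 16..=31, _) | (192, 168, _) => Some("RFC 1918"),
        (100, 64..=127, _) => Some("CGNAT"),
        (169, 254, _) => Some("link-local"), // includes 169.254.169.254 (cloud metadata)
        (198, 18..=19, _) => Some("benchmarking"),
        (192, 0, 2) | (198, 51, 100) | (203, 0, 113) => Some("documentation"),
        (224..=239, _, _) => Some("multicast"),
        (240..=255, _, _) => Some("reserved"),
        _ => None,
    }
}

/// Same decision for IPv6. IPv4-mapped addresses are unwrapped first so that
/// ::ffff:10.0.0.1 cannot bypass the IPv4 rules.
fn blocked_v6(ip: Ipv6Addr) -> Option<&'static str> {
    if let Some(v4) = ip.to_ipv4_mapped() {
        return blocked_v4(v4);
    }
    match ip.segments() {
        [0, 0, 0, 0, 0, 0, 0, 0 | 1] => Some("unspecified or loopback"),
        [0xfc00..=0xfdff, ..] => Some("IPv6 ULA"),
        [0xfe80..=0xfebf, ..] => Some("IPv6 link-local"),
        [0xff00..=0xffff, ..] => Some("multicast"),
        [0x2001, 0x0db8, ..] => Some("documentation"),
        _ => None,
    }
}

fn blocked(ip: IpAddr) -> Option<&'static str> {
    match ip {
        IpAddr::V4(v4) => blocked_v4(v4),
        IpAddr::V6(v6) => blocked_v6(v6),
    }
}

/// Accept a host only if every resolved address is public. Returns the address
/// to connect to, so the check and the connection use the same IP.
fn vet_addresses(addrs: &[IpAddr]) -> Result<IpAddr, String> {
    if let Some((ip, why)) = addrs.iter().find_map(|ip| blocked(*ip).map(|w| (ip, w))) {
        return Err(format!("{ip} refused: {why}"));
    }
    addrs.first().copied().ok_or_else(|| "host did not resolve".to_string())
}

/// Resolve through the system resolver, then vet every answer.
fn resolve_and_vet(host: &str, port: u16) -> Result<IpAddr, String> {
    let addrs = (host, port).to_socket_addrs().map_err(|e| e.to_string())?;
    vet_addresses(&addrs.map(|sa| sa.ip()).collect::<Vec<_>>())
}

fn main() {
    // Constructed sample addresses, not taken from the project.
    for s in ["169.254.169.254", "::ffff:10.0.0.1", "100.64.0.1", "93.184.216.34"] {
        println!("{s:>18} -> {:?}", blocked(s.parse().unwrap()));
    }
    println!("localhost -> {:?}", resolve_and_vet("localhost", 443));
}
```

Rejecting the host when any one answer is non-public, and connecting to the vetted address rather than resolving a second time, keeps a later DNS answer from differing from the one that was checked.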