Releases: RackulaLives/Rackula

v0.9.1

11 Mar 07:42

Added

  • Multi-rack share URL support with v2 schema (#1207, PR #1417)
  • Session save flush on pagehide/beforeunload to prevent data loss (#1404, PR #1413)
  • Reverse proxy, access control, and deployment scenario documentation (#1107, PR #1411)

Fixed

  • Cross-browser drag tooltip positioning for Safari 26 and Firefox 148 (#1443, #1444, PR #1446)
  • Circuit breaker reactivity and health-check reset for persistence auto-save (#1088, PR #1416, PR #1434)
  • Surface user-facing feedback for previously silent failures (#1389-#1392, PR #1407)
  • Keyboard viewport input type coverage using allowlist instead of exclusion list (#1115, PR #1408)
  • Pin Bun 1.3.10 in Dockerfile and regenerate lockfile

Technical

  • Migrate E2E selectors to data-testid (#1228, PR #1435)
  • Repair migration E2E tests and archive format detection (#1401, PR #1437)
  • Rewrite shelf-category E2E tests for accordion palette (#1400, PR #1406)
  • Unskip device-name undo/redo and cross-rack metadata E2E tests (#1405, PR #1436)
  • Eliminate waitForTimeout in E2E tests (#1224, PR #1414)
  • Update stale E2E selectors and save filename assertions (#1261, #1263, PR #1412, PR #1415)
  • Triage and fix disabled E2E tests (#1226, PR #1439)
  • E2E testing architecture research spike (#1393, PR #1424)
  • Trim SPEC.md from 2,482 to 184 lines (#1399)
  • Dependency updates: Svelte 5.53.9, Hono 4.12.7, DOMPurify 3.3.2, simple-icons 16.11.0

v0.9.0

05 Mar 12:20

Added

  • Local authentication mode with username/password login (#1117, PR #1356)
  • Move compatible-only toggle from device palette to Settings menu (#1361, PR #1379)

Fixed

  • Export dialog preview clipped for tall racks (#1350, PR #1380)
  • Defence-in-depth guards for duplicate device IDs preventing layout load (#1363, PR #1378)
  • Stale auth documentation referencing removed environment variables (#1102, PR #1373)
  • Restore Trivy scan gating in deploy-prod workflow (#1360, PR #1381)

Security

  • Reject control characters in to prevent CRLF injection (#1371, PR #1382)
  • Require OIDC issuer pinning when discovery URL is configured (#1372, PR #1382)

v0.8.4

20 Feb 10:09

[0.8.4] - 2026-02-20

Fixed

  • Prevented container startup crash in persist deployments caused by unresolved AUTH_MODE values rendering invalid nginx config (unknown "auth_mode" variable) (#1297) - thanks @P4r4n01dB34r for reporting!
  • Normalized auth mode at container entrypoint and restricted nginx auth-mode mapping to sanitized RACKULA_AUTH_MODE values (none|oidc|local) with safe fallback to none

Security

  • Remediated open Dependabot alerts by upgrading vulnerable dependencies: jspdf to 4.2.0, svelte to 5.53.0 (with patched devalue 5.6.3), and hono to 4.12.0

v0.8.3

20 Feb 09:16

Fixed

  • Production deploy workflow now keeps Trivy SARIF gating aligned with configured severity () via , preventing medium/low advisories from blocking deploy

v0.8.2

20 Feb 08:21

Technical

  • Recut release after the deploy workflow was cancelled during , to republish and container tags

v0.8.1

17 Feb 10:43

Bugfixes! Cheers to @marcuspee, @Mihai-B and @moviemakr1620 for the reports. Also added the underpinnings of a future Proxmox LXC distribution method 🤫

Added

  • Separate Save from Save As: dedicated Save action for backend persistence, Save As for ZIP export (#1219, PR #1247)
  • ProxmoxVE LXC distribution infrastructure (PR #1218)

Fixed

  • Half-width device slot_position not threaded through pointer-based move events (#1244, PR #1246)
  • Half-width device slot_position not threaded through keyboard/context-menu move events (PR #1242)
  • Safari drag-and-drop broken due to missing text/plain fallback (#1200, PR #1243)
  • Settings menu gear icon broken by incorrect GroupHeading usage (#1203, PR #1241)
  • Share link encoding failure on large layouts (#953, #1195, PR #1242)
  • Duplicating half-width device linked state with original (#1195, PR #1242)
  • Half-width device context menu opening at wrong position (#1193, PR #1242)
  • Half-width second-device placement inconsistency in same RU (#1191, PR #1242)

Technical

  • Harden Playwright config for CI stability (#1223, PR #1232)
  • Pin GitHub Actions to commit SHAs in build-lxc.yml (PR #1256)
  • Consolidate E2E test helpers and migrate specs to gotoWithRack (#1225, PR #1249)
  • Bump Svelte from 5.50.1 to 5.51.2 (PR #1204, #1252)
  • Bump ESLint group, @vitest/eslint-plugin, typescript-eslint (PR #1250, #1251, #1257)
  • Bump actions group with 4 updates (PR #1253)
  • Bump simple-icons, qs, and production dependencies (PR #1206, #1217, #1220, #1221)

v0.8.0

11 Feb 08:41

Woohoo! So this release was primarily focused on mobile. There is plenty more work to do, though it should be usable. We also sprinkled in tons of bug fixes and security-minded improvements around the API.

Next up on the path to v0.9 is authentication. See #1095
Cheers,
@ggfevans

Added

  • Mobile bottom navigation bar with Framework7-inspired design (#641, PR #1055, #1062, #1063)
  • Slim toolbar mode for mobile viewports (PR #1054)
  • Mobile file actions sheet (PR #1059)
  • Rack indicator strip with navigation dots (PR #1056)
  • Mobile view sheet controls (#643, PR #1058)
  • Compact mobile toolbar quick actions (PR #1060)
  • Mobile device library trigger in bottom nav (PR #1061)
  • Mobile rack swipe navigation (PR #1076)
  • Touch long-press context menus (PR #1086)
  • Mobile floating undo/redo controls (#1046, PR #1098)
  • Virtual keyboard viewport adaptation (#1049, PR #1097)
  • Phase 1 NetBox homelab device import: 40 image-priority devices (#1109, PR #1134)
  • Phase 2 NetBox homelab device expansion: 45 image-backed devices (#1111, PR #1188)
  • E2E test infrastructure and wizard keyboard shortcuts (#903, PR #1128)
  • Layout store contract safety net tests (#910, PR #1083)
  • BottomSheet interaction test coverage (PR #1072)

Changed

  • Mobile warning modal updated with positive messaging (PR #1053)
  • Mobile export/share dialogs made responsive (#1047, PR #1123, #1126)
  • BottomSheet refactored to one-way open prop (PR #1073)
  • Tokenized shared dialog mobile content padding (#1162, PR #1165)

Fixed

  • Start Screen startup path stabilized (#1122, PR #1168)
  • Svelte a11y build warnings resolved (#1028, PR #1172)
  • App.svelte state_referenced_locally warning resolved (#1171, PR #1179)
  • Stale canvas touch listener lifecycle hardened (#1089, PR #1099)
  • Swipe pan rejection aligned with dominance ratio (#1090, PR #1093)
  • Swipe listener lifecycle and logging tightened (PR #1082)
  • Swipe gesture review follow-ups addressed (PR #1081)
  • Two-way binding to derived sheet state avoided (PR #1064)
  • Selection store sync, a11y improvements, and Safari iOS dark rack colours (PR #1057)
  • Persistence Start Screen integration into app launch flow (PR #1065)
  • Firefox logo SVG decode errors and persistence health handling hardened (PR #1092)
  • Keyboard viewport scroll excluded from select elements (#1103)
  • Zip export folder names sanitized (PR #1074)
  • Review & Clean Up action routed through real cleanup workflow (#1125, PR #1138)
  • Dev deploy env persistence and checkout permissions fixed (#1147, PR #1148, #1149)
  • Persistence health validation hardened to prevent false-positive API status (#1087, PR #1197)
  • API typecheck errors in security and storage modules resolved (PR #1186, #1192)

Security

  • API CORS hardened and write-route auth defaults tightened (#1124, PR #1135)
  • CORS explicitly configured for dev domain

Technical

  • Restored svelte-check/typecheck baseline (#1121, PR #1136)
  • NetBox homelab device curation spike delivered (#1096, PR #1118)
  • Authentication v1 architecture spike and ADR (#1100, PR #1167)
  • Security threat model research document added (#1069, PR #1070)
  • Nginx auth hardening section added to self-hosting guide (#1112, PR #1127)
  • Self-hosting docs: storage paths, persistence setup, and audit checklist updated (PR #1156, #1157, #1159, #1163)
  • Container/self-hosting runtime and CI guardrails tightened (#1155, PR #1161, #1169)
  • .env.example expanded for persistence and API security vars (#1153, PR #1159)
  • Deploy dev workflow and docker-compose updated
  • Hoisted mock resets in cleanup prompt spec (#1150, PR #1158)
  • Star history chart added to README (PR #1071, #1075)
  • Bumped dependencies: svelte 5.49.1→5.50.0, simple-icons, @types/node, eslint, Playwright, and others (PR #1139, #1140, #1141, #1142, #1143, #1146)
  • Updated copyright year and owner in LICENSE (PR #1166)
  • YAML viewer/editor spike recommendations (#573, PR #1173)
  • ESLint v10 peer dependency conflict reverted pending ecosystem support (#1198, PR #1199)

v0.7.9

04 Feb 04:52
add8477

Security

  • Fix ReDoS vulnerability in @isaacs/brace-expansion (5.0.0 to 5.0.1, CVSS 9.2) (PR #1038)
  • Fix nginx security header inheritance bug: /assets/ location was silently dropping all security headers (#1037, PR #1038)
  • Add HSTS, Referrer-Policy, and Permissions-Policy headers to all responses (PR #1038)
  • Add 1MB request body size limit on layout PUT endpoints to prevent memory exhaustion (PR #1038)
  • Centralize security headers into shared nginx include snippet to prevent header drift (#1039, PR #1040)
  • Add startup warning when CORS_ORIGIN is unset in production (PR #1040)
  • Update jsPDF 4.0.0 to 4.1.0, resolving 4 CVEs: race condition, XMP injection, PDF injection, BMP DoS (PR #1033)

Technical

  • Bump GitHub Actions: claude-code-action, codeql-action, docker/login-action (PR #1034)
  • Bump development dependencies: Stryker, jsdom, happy-dom, svelte-check, @types/node, globals (PR #1035, #1032, #1031)
  • Remove deprecated X-XSS-Protection header (CSP replaces it) (PR #1038) @ggfevans

<3 @claude @coderabbitai

v0.7.8

02 Feb 09:50
4004144

Fixed

  • Persistence API 404 errors on /layouts endpoints - routes now mount at root (#1007, PR #1008)
  • Stale localStorage overwriting newer server data during session storage race conditions (#1012, PR #1014)
  • Thanks to @Mihai-B for reporting this issue!
  • Auto-save creating empty layout on every visit to root URL (#1003, PR #1013)
  • Nginx /api and /api/ edge case request handling (#1010, PR #1015)
  • CSP script hashes updated to match current build output (PR #1021)

Also thanks to @timothystewart6 for encouraging me to look around and take care of the bugs & technical debt accrued.

Added

  • Compatibility aliases for /api/* routes for direct API access (#1009, PR #1019)

Technical

  • Migrated Vitest config to v4 poolOptions format (#1017, PR #1018)
  • Addressed CodeRabbit feedback on session-storage tests (PR #1016)

by @ggfevans

v0.7.7

01 Feb 03:34
8f564fd

Fixed

  • Persistence mode now actually persists data with proper YAML serialization (PR #1001)
  • Auto-save now works correctly with cloud status indicators
  • Start screen displays appropriately when persistence is enabled
  • Layout auto-loads on startup if a saved layout exists
  • Metadata and UUID handling for persisted layouts
  • Thanks to @timothystewart6 for the comprehensive persistence fix!

Technical

  • Production deployment now syncs docker-compose.yml from repo to prevent config drift
  • Added --remove-orphans flag to clean up stale containers during deployment
  • Fixed inch mark character escaping in changelog for GitHub Actions