Highlights
- argon2id password hashing — replaces scrypt→SHA-1 chain with modern argon2id; existing SHA-1 hashes auto-upgrade on next login with deprecation banner
- Login brute-force lockout — configurable lockout after failed attempts with concurrent session limits
- OpenAPI 3.1.0 spec — versioned /api/v1 path, standardized collection envelopes, pagination links, machine-readable error contract
- Mobile scroll fix — dashboard and all views now scroll correctly on mobile browsers (Android Chrome, mobile Safari)
- Behavior load test — correctness check made advisory (intermittent vuser failures in CI are not indicative of real bugs)
- Node.js 24 — required across all workspaces
Security
- Full credential redaction (no more partial masking)
- Destructive action confirmation headers
- Per-endpoint webhook token scoping
- OIDC redirect URL validation and whitelist
- Command trigger stderr warning in logs
UI
- Update/rollback confirmation dialogs
- SHA-1 hash deprecation banner
- Font size & appearance customization
- Theme palette refresh
- Announcement banner component
Stability
- EBUSY compose trigger retry with direct-write fallback
- cron-parser v2 → v5
See full CHANGELOG for details.