What's New
Security Hardening
- Timing-safe authentication with
hmac.compare_digest - Login rate limiting (5 failed attempts / 5 min per IP, only counts failures)
- Content Security Policy headers
- Session invalidation via
CASHPILOT_SESSION_EPOCHenv var - Deploy spec validation blocks privileged containers, dangerous capabilities, and sensitive volume mounts (including subpaths)
- XSS fix in fleet template (HTML-escape error messages)
Collector Base Refactor
- Reusable
httpx.AsyncClientwith lifecycle management (_get_client()) - Exponential backoff retry (
_retry()) for all collectors - Instance caching with stale cleanup on config change
- All 14 collectors updated to use the new base
Async Orchestrator
- All blocking Docker SDK calls wrapped in
asyncio.to_thread() - Background task logging upgraded to WARNING level
API Conformance
- EarnApp API version updated to 1.627.783
- Traffmonetizer: Origin/Referer headers for CORS compliance
- IPRoyal: retry protection on post-refresh balance fetch
Database
- SQLite
busy_timeout=5000pragma for concurrent access password_changed_atcolumn migration
Tests
pytest.importorskip("docker")for CI environments without Docker SDK- Stronger assertion on delete_volumes parameter forwarding