v0.13.1 — Security, Stability & UX
New Features
- URL Hash Routing — Active tab and settings sub-page now persist in the URL hash (
#settings/normalization,#m3u-manager, etc.). Supports page refresh, bookmarks, and browser back/forward navigation. - Renumber All Groups Enhancement — Per-group starting number overrides in the Renumber All Groups modal, letting you customize where each group's numbering begins.
Security
- ~22 CodeQL Alerts Resolved — Unused variables/imports, overly permissive file permissions, stack trace exposure, SSRF hardening, command injection taint flow, clear-text logging separation.
- TLS Certificate Permissions — All cert/chain files tightened from 0o640 to 0o600 (owner-only access).
- Cloudflare SSRF Hardening — Regex-validated API paths, httpx
base_urlpattern to keep host fixed and untainted. - Stack Trace Exposure — Probe error messages, EPG refresh errors, and CSV import errors no longer leak exception details to HTTP responses.
- Information Exposure — Internal error details removed from HTTP responses across channels, TLS routes.
- Password Validation — Restructured to prevent sensitive data flowing to printed output.
Bug Fixes
- Auto-Creation: set_channel_number — Fixed backend validation failure caused by frontend sending value in wrong field.
- Auto-Creation: Rule Save Errors — Save failures now show a toast notification instead of crashing the entire tab.
- Sort Field/Regex Reset — sort_field and sort_regex can now be properly cleared back to default values.
Internal
- 1002 frontend unit tests, 1826 backend tests — all passing
- 14 new E2E tests for hash routing