github accius/openhamclock v26.3.1

5 hours ago

Server-side security and resource hardening from the May audit — Cloud Relay credential overhaul, presence-spoof protection, /api/health lockdown, Dial-A-Moon SSRF guard, and four cache memory leaks closed. Plus extended grid-locator utilities and a quieter browser console.

🔒 Rig Bridge Cloud Relay — Credential Overhaul

Cloud Relay credentials are no longer the raw RIG_BRIDGE_RELAY_KEY — each rig-bridge instance now gets a 256-bit per-session token persisted to data/relay-tokens.json so it survives server restarts and deploys without re-pairing. The /api/rig-bridge/status endpoint now validates the host (preventing SSRF) and connects to the resolved IP to defeat DNS-rebinding. Long-poll connections capped at 10 per IP. Installer-script URL injection closed with new URL() validation. Cloud-relay plugin bumped to v2.1.3 with TLS-aware loopback and proper error handlers so a TLS-enabled rig-bridge no longer crashes when commands arrive.

Heads-up: existing Cloud Relay users will need to re-run Connect Cloud Relay in Settings → Rig Bridge once after this update to generate fresh credentials.

🔒 API Surface Hardening

/api/presence now binds each callsign to its source IP and rate-limits to 1 update per minute — anyone spoofing a POST with someone else's callsign now gets locked out and the prior pin is removed. /api/health stops leaking endpoint counts, byte totals, MQTT broker state, in-flight upstream counters, and visitor history to unauthenticated requests; only basic status, version, and uptime remain visible without auth. The Dial-A-Moon image fetch now validates that the upstream-supplied URL parses as https://*.nasa.gov before following it, closing the SSRF vector noted in the audit.
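As an added example (not OpenHamClock's own code) of the parse-then-allowlist check the Dial-A-Moon guard describes, assuming the rule is exactly `https://*.nasa.gov` on the default port and with no embedded credentials:

```javascript
// Added example, not from the OpenHamClock repository: validate an
// upstream-supplied image URL before the server follows it, so a compromised
// or spoofed upstream response cannot steer the fetch at internal hosts.
// Assumption: only https://<label>.nasa.gov on the default port is acceptable.

const ALLOWED_SUFFIX = '.nasa.gov';

function isAllowedUpstreamUrl(candidate) {
  let url;
  try {
    url = new URL(candidate);        // rejects malformed and relative strings
  } catch {
    return false;
  }
  if (url.protocol !== 'https:') return false;     // no http:, file:, data:, ...
  if (url.username || url.password) return false;  // https://x.nasa.gov@evil/ style
  if (url.port !== '') return false;               // default port only
  // Suffix match on a label boundary: "evilnasa.gov" and "nasa.gov.evil" fail,
  // and a trailing-dot host ("moon.nasa.gov.") fails too.
  return url.hostname.toLowerCase().endsWith(ALLOWED_SUFFIX);
}

// Pick the image URL out of a constructed upstream payload; null means "do not fetch".
function selectImageUrl(upstreamPayload) {
  const candidate = upstreamPayload && upstreamPayload.image && upstreamPayload.image.url;
  if (typeof candidate !== 'string') return null;
  return isAllowedUpstreamUrl(candidate) ? candidate : null;
}

// Constructed sample payloads, shaped like a JSON document an upstream API might return.
const SAMPLE_GOOD = { image: { url: 'https://svs.gsfc.nasa.gov/vis/moon.jpg' } };
const SAMPLE_BAD = { image: { url: 'https://127.0.0.1/admin?host=moon.nasa.gov' } };
```

On the server, a `null` from `selectImageUrl` should be logged as a rejected upstream URL and answered with a cached image or an error, never with a fallback fetch of the raw value.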

♻️ Server Cache Memory Leaks Closed

The error-deduplication map (errorLogState), the EmComm caches (NWS alerts, FEMA open shelters, disaster declarations), and the MUF map cache all now have periodic purges and hard size caps (200 entries each, with TTL-based eviction). Previous behavior left them growing unbounded over weeks of uptime — invisible on small self-hosted instances, but a real slow bleed on the public site over time.

📐 Extended Maidenhead Grid Utilities

src/utils/geo.js now fully supports the Maidenhead standard at all four sizes — field (DM), square (DM12), subsquare (DM12kv), and extended-square (DM12kv99) — plus a new maidenheadToBoundingBox() helper for plugin authors who want to draw grid overlays at any precision. Backed by a new geo.test.js with 169 cases covering both hemispheres. The legacy parseGridSquare and calculateGridSquare entry points still work as thin wrappers, so existing plugins keep working unchanged.

🧹 Cleaner Browser Console

Routine per-event log lines across the client (lightning, WSPR, RBN, weather, wake-lock, version-check, POTA/SOTA/WWFF/WWBOTA spots, earthquake markers, plugin loader, layer states, etc.) moved from console.log to console.debug, with one-shot lifecycle messages going to console.info. Open DevTools at the default level and you now see signal instead of noise — verbose tracing is still available by toggling the Debug filter, or by appending ?log=debug to the URL.

🐛 Same-day hotfix included

After this release first hit production, users with an empty/missing config.timezone in localStorage hit RangeError: invalid time zone specified in the Propagation panel on first load (previously masked behind a "clear cache and reload"). Fixed in 68ebe67: PropagationPanel now applies the same safeTimezone validation pattern already used by useTimeState, so an empty timezone falls back to the browser default instead of throwing. No version bump needed; the fix is included in this tag.


Full Changelog: v26.1.3...v26.3.1

Note: this is the first GitHub release since v26.1.3; the v26.2.x and v26.3.0 development cycles shipped to users via Staging deploys but were not tagged. The compare link above therefore covers a large diff.


Docker image: ghcr.io/accius/openhamclock:26.3.1

docker pull ghcr.io/accius/openhamclock:26.3.1