Performance
- Reuse the already-loaded settings across the certificate-listing and renewal/zombie-scan loops, and scope cert-info cache invalidation per-domain (
clear_prefix) so a single-domain write no longer evicts every other domain's cached info. Thanks @rocogamer. (#270) - Debounce API-key
last_used_atpersistence (CERTMATE_LAST_USED_PERSIST_SECONDS, default 60s) so an authenticated API request no longer rewritessettings.jsonunder the global lock on every call. (#281)
Security hardening
- Rate-limit
/api/*per API key (SHA-256 of the bearer token, never the raw token), falling back to the source IP — clients behind one NAT/proxy no longer share a bucket, and an abusive key is throttled independently. Login keeps its own ip+username limiter. (#281) - SECURITY.md: documented that deploy hooks are an admin-controlled execution surface by design; dropped the inaccurate "tamper-evident" wording from the audit-log docstring. (#281)
Docker: linux/amd64 + linux/arm64 images published as certmate:2.11.1 (latest).