A correctness release for the reverse proxy, with documentation and tooling
fixes surfaced by an internal audit. Upgrading is a drop-in: no config changes.
Fixed
- Streaming responses (Server-Sent Events, live logs, slow downloads) were
severed onceproxy_timeoutelapsed, even while data was still flowing. The
proxy write deadline now resets on every write, so it bounds idle time
between writes rather than total response duration -- a backend that keeps
streaming within the timeout is no longer cut off. - Apps served from a subpath (an app whose URL ends in e.g.
/admin) had their
/apirequests routed to the backend root instead of under the mount prefix,
returning 404./apipaths are now prefixed with the app's path like every
other request. Root-mounted apps are unaffected. - The runtime interceptor's injected
<base>tag was anchored at the proxy
root on every page, so relative asset paths (e.g.img.png) on a non-root
page resolved against the wrong directory. The base is now anchored at the
document's own directory. - The config import/preview validator rejected
session_max_ageand
proxy_timeoutvalues using the documented day suffix (e.g.7d), even
though the running server accepts them. Both paths now share one duration
parser, so an exported config round-trips through import.
Changed
- Removed the
icons.dashboard_icons.enabledandmode
(on_demand/prefetch/offline) keys from the configuration reference and
the icons page. They were never read by the code; onlycache_dirand
cache_ttltake effect. - The frontend coverage figure is now explicitly scoped to the unit-tested
src/libandsrc/componentssurface, with the app shell (App.svelte,
main.ts,src/routes) excluded and documented as such in
web/vitest.config.ts. README and CONTRIBUTING wording updated to match, and
CONTRIBUTING now notes the one-timegit config core.hooksPath .githooksstep. - Bumped the Go and npm dependency groups, the frontend build image to
node:26-alpine, and several GitHub Actions to current versions.