Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.

0.1.0 - 2026-03-29

Initial release of Oikos — a self-hosted family planner for 2–6 person households. Runs as a Docker container behind Nginx with SSL, no cloud dependency.

Added

• Dashboard with time-of-day greeting, urgent tasks, upcoming events, today's meals, pinned notes, and weather widget (OpenWeatherMap integration with 3–5 day forecast scaling by screen size)
• Task management with categories, priorities, due dates, subtasks (max 2 levels), list and Kanban views, swipe gestures on mobile (swipe left = toggle done, swipe right = edit), and recurring tasks via iCal RRULE
• Shopping lists with multiple named lists, supermarket-aisle sorting, autocomplete from history, optimistic checkbox toggle, and bulk-clear of checked items
• Weekly meal planner with breakfast/lunch/dinner/snack grid (Mon–Sun), ingredient tracking per meal, and one-click transfer of ingredients to shopping lists
• Calendar with month, week, day, and agenda views, multi-day event support, color-coded entries, and family member assignment
• Google Calendar sync via OAuth 2.0 with incremental sync tokens and Apple CalDAV sync via tsdav, both bidirectional
• Pinboard (notes) with color-coded sticky notes, pin-to-top, Markdown formatting toolbar (bold, italic, lists, headings, code, links), and automatic text contrast based on background color
• Contacts directory with category filtering (doctor, emergency, trades, etc.), full-text search, and direct tel:/mailto:/maps: links
• Budget tracker with income/expense logging, monthly navigation, category breakdown bar charts (pure CSS), and CSV export
• Settings page for password change, calendar sync status, and family member management
• Authentication with session-based login (bcrypt, httpOnly/secure/sameSite cookies, 7-day TTL), admin-only user creation, and rate-limited login (5 attempts/min with 15-min lockout)
• CSRF protection using Double Submit Cookie pattern with timing-safe comparison
• Progressive Web App with app-shell caching (service worker with stale-while-revalidate for static assets, network-first for navigation, network-only for API), custom install prompt for Android and iOS, dynamic theme-color per module, safe area inset handling, and offline fallback
• Responsive design with mobile bottom navigation (swipeable pages with dot indicator), collapsible sidebar on tablet, and full sidebar on desktop
• Dark mode with system preference detection and manual toggle, warm-tinted neutral color scale
• Design system with CSS custom properties (tokens for colors, spacing, typography, shadows, radii, z-indices), module-specific accent colors, and consistent component patterns
• Accessibility improvements: skip link, sr-only headings on all pages, aria-hidden decorative icons, aria-label on icon-only buttons, token-based touch targets (44–48px), 12px minimum font size, and prefers-reduced-motion support
• Docker deployment with docker-compose, optional SQLCipher encryption (AES-256), and nginx.conf example
• Setup script (node setup.js) for initial admin account creation with LAN-reachable URL display
• Input validation middleware with centralized rules (string length, date/time format, enum, color) across all API routes
• Content Security Policy via Helmet with strict CSP, self-hosted Lucide Icons (no CDN at runtime)
• Lazy loading with per-page ES module imports cached in memory, Cache-Control headers (immutable for assets, must-revalidate for code), and service worker update notification

Security

• Fail-fast on missing SESSION_SECRET in production
• Rate limiting on login endpoint and global API limiter (300 req/min/IP)
• No user data cached by service worker (API requests are network-only)
• Hardened .gitignore and .dockerignore to prevent accidental secret or binary leakage