Security
- Restrict the OpenAPI specification (`/openapi.json`, `/api/v1/openapi.json`) and the `/docs` documentation page to signed-in admins, based on a penetration-test scan (#228). `/docs` is now hidden entirely in production and returns `404` unless the new optional `ENABLE_API_DOCS=true` is set, in which case it is exposed to admins only. `GET /api/v1/version` now returns the exact application version only to authenticated callers (session or API token). Unauthenticated login and setup pages still receive `app_name` and `setup_required`, so version fingerprinting no longer works anonymously. `POST /api/v1/auth/setup` responds with `404` instead of `403` in production once initial setup is complete, so the first-run admin-creation flow is no longer confirmed to anonymous visitors.
- Remove the deployment host URL and SQLite implementation details (backup endpoint descriptions, version schema) from the generated OpenAPI spec.
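The disclosure rules above, written out as a framework-agnostic policy function so the three behaviours can be regression-tested together. This is an added illustration, not the project's own code: the `Settings`/`Principal` types, the `decide` signature, the `environment` string, the status chosen for a non-admin outside production, and the reduced `app_name`/`setup_required` body served anonymously are all assumptions.

```python
"""Model of the information-disclosure hardening described in the release note.
Added example; not the project's implementation. Names and shapes are assumed."""
from dataclasses import dataclass

DOC_PATHS = {"/docs", "/openapi.json", "/api/v1/openapi.json"}


@dataclass(frozen=True)
class Principal:
    authenticated: bool = False   # valid session or API token
    is_admin: bool = False


@dataclass(frozen=True)
class Settings:
    environment: str = "production"   # assumed values: "production" / "development"
    enable_api_docs: bool = False     # ENABLE_API_DOCS=true
    setup_required: bool = False      # no admin account has been created yet
    app_name: str = "example-app"     # constructed sample value
    version: str = "0.0.0-example"    # constructed sample value


def decide(method: str, path: str, s: Settings, p: Principal) -> tuple[int, dict]:
    """Return (status, body) for the endpoints the change hardens."""
    in_prod = s.environment == "production"
    # Outside production a denied caller gets 403; in production the
    # resource is hidden, so the answer is 404 and reveals nothing (assumption).
    hidden = 404 if in_prod else 403

    if path in DOC_PATHS:
        # Hidden entirely in production unless ENABLE_API_DOCS=true ...
        if in_prod and not s.enable_api_docs:
            return 404, {}
        # ... and even then only signed-in admins may read the spec or UI.
        if not p.is_admin:
            return hidden, {}
        return 200, {"docs": path}

    if method == "GET" and path == "/api/v1/version":
        # Login/setup pages only need app_name and setup_required; the exact
        # version is released only to authenticated callers (no anonymous fingerprinting).
        body = {"app_name": s.app_name, "setup_required": s.setup_required}
        if p.authenticated:
            body["version"] = s.version
        return 200, body

    if method == "POST" and path == "/api/v1/auth/setup":
        if s.setup_required:
            return 200, {"status": "setup allowed"}
        # Once setup is complete, production answers 404 rather than 403 so an
        # anonymous visitor cannot confirm that the first-run flow exists.
        return hidden, {}

    return 404, {}
```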