2026-02-10T23:42:53Z - 2026-02-17T23:42:53Z
Overview
27 Pull requests merged by 1 user
Merged
#74 feat: add JSON API with token auth (closes #69)
Merged
#65 chore: remove TODO.md — all items tracked as Gitea issues
Merged
#77 feat: edit existing env vars, labels, and volume mounts (closes #67)
Merged
#55 Update TODO.md with current status (closes #54)
Merged
#75 feat: deployment rollback to previous image (closes #71)
Merged
#73 feat: add user-facing deployment cancel endpoint (closes #66)
Merged
#52 fix: cancel in-progress deploy when webhook triggers new deploy (closes #38)
Merged
#51 Fix all golangci-lint issues (closes #32)
Merged
#50 fix: set DestroySession MaxAge to -1 instead of -1*time.Second (closes #39)
Merged
#49 Add server-side app name validation (closes #37)
Merged
#48 fix: buffer template execution to prevent corrupt HTML responses (closes #42)
Merged
#46 perf: adaptive frontend polling intervals (closes #43)
Merged
#47 fix: only trust proxy headers from RFC1918/loopback sources (closes #44)
Merged
#34 Fix all golangci-lint issues (closes #32)
Merged
#33 fix: validate and clamp container log tail parameter (closes #24)
Merged
#31 fix: prevent setup endpoint race condition (closes #26)
Merged
#29 Fix command injection in git clone arguments (closes #18)
Merged
#30 fix: validate port range 1-65535 in parsePortValues (closes #25)
Merged
#9 Wait for final log flush before closing deploymentLogWriter (closes #4)
Merged
#14 Add rate limiting to login endpoint to prevent brute force (closes #12)
Merged
#28 Add ownership verification on resource deletion (closes #19)
Merged
#10 Set Secure flag on session cookie in production mode (closes #5)
Merged
#7 Clean up Docker container when deleting an app (closes #2)
Merged
#6 Limit webhook request body size to 1MB to prevent DoS (closes #1)
Merged
#15 Use hashed webhook secrets for constant-time comparison (closes #13)
Merged
#16 Add CSRF protection to state-changing POST endpoints (closes #11)
Merged
#27 rewrite log viewer panes (closes #17)
2 Pull requests proposed by 1 user
Proposed
#76 feat: add edit support for env vars, labels, and volumes (closes #67)
Proposed
#78 test: add deployment rollback tests (closes #71)
34 Issues closed from 2 users
Closed
#69 FEATURE: JSON API (/api/v1)
Closed
#67 FEATURE: Edit existing env vars, labels, and volume mounts
Closed
#54 update TODO.md
Closed
#71 FEATURE: Deployment rollback
Closed
#70 FEATURE: Real-time deployment log streaming (WebSocket/SSE)
Closed
#66 FEATURE: User-facing deployment cancellation endpoint
Closed
#38 BUG: Race condition between manual deploy and webhook deploy on same app
Closed
#39 BUG: DestroySession sets MaxAge to -1 second instead of -1
Closed
#35 SECURITY: No validation on volume host paths allows arbitrary filesystem access
Closed
#37 BUG: App name not validated server-side, only client-side HTML pattern
Closed
#42 BUG: Template execution errors result in corrupt HTML responses
Closed
#43 PERF: Frontend polls 4 endpoints every 1 second regardless of deployment state
Closed
#44 SECURITY: realIP trusts X-Forwarded-For/X-Real-IP headers unconditionally
Closed
#41 SECURITY: Error messages from Go errors displayed unescaped could leak internals
Closed
#36 SECURITY: Webhook secret exposed in plain text in app detail page and request logs
Closed
#32 Fix all golangci-lint issues
Closed
#24 LOW: Container log tail parameter not validated — passed directly to Docker API
Closed
#26 MEDIUM: Setup endpoint race condition — multiple admin users can be created
Closed
#18 CRITICAL: Command injection via branch/repoURL/commitSHA in git clone
Closed
#25 MEDIUM: Port validation allows ports above 65535
Closed
#22 MEDIUM: Session cookie missing Secure flag — transmitted over HTTP
Closed
#23 MEDIUM: deploymentLogWriter.Close() doesn't wait for flush goroutine — data loss
Closed
#21 MEDIUM: Unbounded request body read in webhook handler — denial of service
Closed
#4 Bug: deploymentLogWriter.Close() does not wait for final flush to complete
Closed
#3 Bug: EnvVar/Label/Volume/Port deletion does not verify resource belongs to the app in URL (IDOR)
Closed
#12 Bug: No rate limiting on login endpoint allows brute force
Closed
#19 HIGH: Missing ownership verification on env var, label, volume, and port deletion
Closed
#5 Bug: Session cookie missing Secure flag, sent over HTTP in production
Closed
#2 Bug: Deleting an app does not stop/remove its Docker container
Closed
#1 Bug: Webhook endpoint reads request body without size limit (DoS vector)
Closed
#13 Bug: Webhook secret lookup via SQL is not constant-time (timing side-channel)
Closed
#11 Bug: No CSRF protection on state-changing POST endpoints
Closed
#17 Log viewer panes are not scrollable and build log does not auto-scroll
Closed
#20 HIGH: Arbitrary host path mount via volume add — no path validation
21 Issues created by 1 user
Opened
#40 SECURITY: CORS allows all origins (*) — review for CSRF implications
Opened
#45 Code cleanup: minor best practice improvements for 1.0
Opened
#56 JSON API (Phase 4.1)
Opened
#57 Edit existing env vars, labels, and volumes (Phase 3.1)
Opened
#58 Deployment rollback (Phase 3.2)
Opened
#59 Resource limits - CPU/memory (Phase 4.2)
Opened
#60 Webhook event history UI
Opened
#61 GitHub/GitLab webhook support
Opened
#62 Real-time deployment log streaming (WebSocket/SSE)
Opened
#63 Multi-user support with roles
Opened
#64 Observability improvements (structured logging, metrics, audit log)
Opened
#68 FEATURE: GitHub and GitLab webhook support
Opened
#72 FEATURE: CPU/memory resource limits per app
Opened
#79 FEATURE: Backup/restore of app configurations
Opened
#80 FEATURE: Private Docker registry authentication
Opened
#81 FEATURE: Custom health check commands per app
Opened
#82 FEATURE: Multi-user support with roles
Opened
#83 FEATURE: Scheduled deployments
Opened
#84 FEATURE: Observability improvements (structured logging, metrics, audit log)
Opened
#85 FEATURE: Webhook event history UI
Opened
#86 FEATURE: Settings page (webhook secret, SSH public key)