What's new

v0.10.2 - 2026-05-28

Added

• Public documentation for core features: Getting Started, Projects, SBOM Generation, Vulnerability Monitoring, Git Integration
• /changelog page on website rendered from CHANGELOG.md
• /legal/privacy, /legal/terms, /legal/imprint pages
• Optional updatedAt frontmatter field on docs pages

Changed

• Replaced ExpandableScreen animation with a standard Dialog in the beta signup component — fixes broken button behaviour when multiple instances are on the same page
• Removed CLI documentation from public website (CLI not yet released)
• Removed breadcrumbs from all website page layouts
• Removed GitHub edit link and helpful voting widget from docs pages
• Updated introducing blog post with current feature details

v0.10.1 - 2026-05-28

Added

• gitBranch and gitCommitSha fields on the SBOM schema and API output
• Project version extraction from manifest files (package.json, pyproject.toml, Cargo.toml, etc.) during syft scans — detected version is stored on the SBOM record
• breadcrumbLoader helper in frontend (src/lib/breadcrumb.ts) for consistent dynamic breadcrumbs across all routes using the query cache

Changed

• SBOM breadcrumb in the header now shows the version instead of the name (falls back to name when no version is set)
• Breadcrumb system overhauled: now reads per-route __beforeLoadContext and loaderData so all levels of nested routes render correctly; dynamic routes (project, SBOM, note, agent, CVE, git integration) load real entity names via breadcrumbLoader
• SBOM generation prioritises the version detected from manifest files over the version field in the CycloneDX document

Fixed

• Global breadcrumbs only showing one level deep due to match.context accumulation overwriting the breadcrumb key from parent routes — fixed by reading __beforeLoadContext per match
• React key warnings in the breadcrumb list (key={undefined} when to was absent) — fixed with Fragment keyed on index
• Breadcrumb separator ordering (was rendered after the item instead of before the next item)
• Project name missing from breadcrumb trail when viewing a SBOM — moved breadcrumb to the $projectId/route.tsx layout route so it appears for all sub-routes

v0.10.0 - 2026-05-27

Added

• Automatic SBOM generation from linked Git repositories: worker polls every 30 minutes, compares latest commit SHA, and enqueues a sbom-generate job when new commits are detected
• syft integration in worker (v1.44.0 static binary, CycloneDX JSON output): downloads Forgejo repository archives, extracts them, and runs syft to produce SBOMs
• bun.lock → package-lock.json v3 conversion in worker so syft can catalogue JavaScript lockfiles in monorepos (upstream syft has no bun.lock support yet)
• Manual SBOM generation trigger: POST /:id/repos/:owner/:repo/generate-sbom API endpoint with optional branch body parameter
• Branch selection for SBOM generation: "Run now" dialog in the scan runs tab shows a branch dropdown populated from the Forgejo API
• Scan run history per repository: GET /:id/repos/:owner/:repo/scan-runs endpoint and "Scan Runs" tab on the integrations file browser page with status icons, trigger badges, duration, and vulnerability delta columns
• scan_branch column on git_repo_link (migration 0012): configurable primary branch per linked repo, defaults to default_branch
• PATCH /:id/repos/:owner/:repo/scan-branch API endpoint to update the scan branch
• Inline scan branch selector in the integrations repo list row — small branch dropdown that immediately PATCHes on change
• gitBranch, gitCommitSha, gitRepoLinkId, generatedBy columns on sbom table (migration 0011)

Changed

• SBOM list (GET /v1/sboms) and project vulnerability summary/trend endpoints now filter by the configured scan branch of the linked git repo; manually uploaded SBOMs (no gitBranch) are always included
• sbom.list() and sbom.listCompleted() domain functions accept an optional gitBranch filter
• isNull added to @pkg/database drizzle-orm exports
• pino logger now includes err and error standard serializers so Error objects log with message and stack instead of {}

Fixed

• Delete SBOM AlertDialog was missing the open prop — clicking the trash icon had no visible effect

v0.9.0 - 2026-05-27

Added

• Forgejo Git integration: per-org OAuth2 connections with AES-256-GCM encrypted token storage (@pkg/crypto, git_provider_connection table)
• Git file browser: navigate repositories, directories and file contents via click-through UI with breadcrumb navigation
• Repository-to-project linking: git_repo_link table, domain CRUD (link, unlink, listByProject, listByConnection), API endpoints (PUT/DELETE /:id/repos/:owner/:repo/link, GET /:id/links, GET /v1/projects/:id/repos)
• Link dialog in file browser with project dropdown, loading states, unlink support, and error feedback
• "Linked Repositories" section on project detail page with empty-state CTA linking to Integrations
• Worker job to sweep expired OAuth state rows every 5 minutes
• Integrations nav item in sidebar (config.features.integrations = true)
• DB migration 0009_unusual_daredevil.sql for git_repo_link table

Changed

• File browser repo list polished: two-line layout (name + description), prefetched project list for instant dialog open, improved empty and error states
• Website: premium landing page redesign with shared site chrome

v0.8.1 - 2026-05-27

Added

• Premium design system foundation: PageHero, SeverityRing, StatTile, ProjectCard, gradient meshes, dot-grid and sheen utilities
• Premium UI overhaul for Dashboard, Projects, Sidebar, CVE list, CVE detail and SBOM detail with severity-token theming
• Nested SBOM routing under /projects/$projectId/sboms/{$sbomId,upload} and new UploadSbomDialog with project picker on Dashboard
• Bidirectional CVE ↔ SBOM cross-linking: new GET /v1/me/cves/{vulnerabilityId}/affected endpoint and AffectedSbomsCard on CVE detail; SBOM detail rows link back to CVE detail
• CVE detail details field now renders as GitHub-flavored markdown via react-markdown + remark-gfm with @tailwindcss/typography styling

Changed

• Sidebar: flat Projects link (no sub-dropdown), removed top-level SBOMs entry
• Invalidate /v1/projects queries on project create/delete for sidebar sync
• Split $projectId route into route.tsx layout + index.tsx detail page
• Replaced hardcoded severity colors with --color-sev-* CSS variable tokens across CVE and SBOM views

v0.8.0 - 2026-05-27

Added

• Local OSV.dev mirror in the database with automatic worker sync (@domain/osv package, vulnerability matching)
• New API endpoints: /v1/osv search, get-by-id, and get-by-alias
• Frontend /cves page replaced with OSV mirror search and detail views
• Worker scans SBOMs against the local OSV mirror instead of the remote API

Changed

• Worker uses OSV querybatch endpoint for CVE scanning
• Worker logs registry enrichment duration
• Various WIP improvements to scan_logs, api_keys, frontend and website (blog structure and content)

Removed

• Legacy api.osv.dev client from the worker

v0.7.17 - 2026-05-26

Changed

• Replaced React Email / JSX-based email rendering with plain HTML templates rendered via Mustache (packages/email/src/templates/*.html)
• @pkg/email exports are now synchronous string functions — no React, no JSX, no async
• Worker send_email.ts updated accordingly (removed await on template calls)
• Worker Dockerfile reverted to clean bun build --compile --minify single binary

Removed

• Removed @react-email/components, @react-email/render, react, react-dom from @pkg/email

v0.7.16 - 2026-05-26

Changed

• Worker no longer compiles to a standalone binary; Bun runs apps/worker/src/index.ts directly in the Docker image, eliminating all JSX runtime issues with bun build --compile
• Reverted email pre-compilation build step; @pkg/email is back to React/JSX templates rendered at runtime

v0.7.15 - 2026-05-26

Changed

• Email templates are now pre-compiled to plain HTML strings at build time via packages/email/scripts/build.tsx; the worker binary no longer contains any React/JSX code, eliminating the $jsxDEV is not a function crash
• Worker Dockerfile reverts to --minify now that no JSX runtime is needed in the compiled binary
• packages/email exports synchronous string functions from src/generated/index.ts instead of async React render functions

v0.7.14 - 2026-05-26

Fixed

• Worker Docker build now passes --define 'process.env.NODE_ENV="production"' to bun build so the production JSX runtime (jsx) is used instead of the dev runtime ($jsxDEV is not a function)

v0.7.13 - 2026-05-26

Fixed

• Worker Docker build now uses --minify-syntax --minify-whitespace instead of --minify to prevent identifier minification from breaking the React JSX runtime (Uu is not a function)

v0.7.12 - 2026-05-22

Fixed

• Add explicit React import in @pkg/email index to fix Uu is not a function JSX crash in minified worker Docker build

v0.7.11 - 2026-05-22

Fixed

• Email render calls extracted into variables with fallback strings to prevent null HTML being sent
• Email rendering errors in magic_link and organization_invitation are now caught and logged
• CI release workflow no longer includes gateway and agent services in the build matrix

v0.7.10 - 2026-05-22

Fixed

• Worker email error log now includes job context for better debugging

v0.7.9 - 2026-05-22

Added

• CLI output format aligned with website demo
• Website intro animation and updated beta signup copy

Fixed

• Worker email handler now wrapped in try-catch to prevent unhandled errors when sending emails

Changed

• Website content and navigation updates

v0.7.8 - 2026-05-18

Added

• CVSS v4.0 scoring support for OSV vulnerability data — CVEs that only provide a CVSS_V4 vector now return a score instead of null
• pnpm-lock.yaml scanner support in the boto CLI

Changed

• CVSS score calculation now uses @pandatix/js-cvss library for both v3.x and v4.0 vectors; CVSS v3 is preferred, v4 used as fallback

v0.7.7 - 2026-05-18

Added

• boto CLI for generating CycloneDX SBOMs from a project directory

Fixed

• SBOM upload from the frontend now correctly passes projectId in the request body instead of as a query parameter, resolving a validation error when assigning an SBOM to a project

v0.7.6 - 2026-05-18

Fixed

• Auth service no longer fails with null value in column "id" on verification table — removed generateId: "uuid" so better-auth generates IDs in the application layer instead of delegating to the database

v0.7.5 - 2026-05-18

Fixed

• Auth cookie domain fix now correctly applied on staging

v0.7.4 - 2026-05-18

Fixed

• Session cookies now shared across subdomains — add AUTH_COOKIE_DOMAIN=your.root.domain on the auth container to enable cross-subdomain cookie sharing (e.g. staging.boring.tools for auth.staging.boring.tools + my.staging.boring.tools)

v0.7.3 - 2026-05-18

Added

• Frontend runtime configuration via /config.json served by nginx at container start — self-hosters can now configure BACKEND_URL, AUTH_URL, and FRONTEND_URL as Docker environment variables without rebuilding the image
• runtimeConfig and loadRuntimeConfig exported from @pkg/config for use across packages

Changed

• Frontend Dockerfile no longer requires VITE_BACKEND_URL, VITE_AUTH_URL, or VITE_FRONTEND_URL build args — a single image works for all environments
• Orval-generated API client uses relative /v1 paths instead of hardcoded http://localhost:4000/v1
• auth_client in @pkg/auth lazily initialized to read AUTH_URL from runtime config
• CI release workflow no longer passes VITE_* build args to Docker builds

v0.7.2 - 2026-05-18

Added

• Staging CI pipeline with VITE_AUTH_URL build arg for correct auth service URL in staging environments

Fixed

• Auth migrations not applied correctly in production/staging Docker image — Dockerfile now copies migrations from packages/auth/src/migrations (the canonical, generated set) instead of the stale apps/auth/src/migrations copy, which was missing username, displayUsername, and apikey table

Changed

• Removed stale duplicate migration set from apps/auth/src/migrations to prevent future drift

v0.7.1 - 2026-05-13

Added

• Auth client baseURL is now configurable via VITE_AUTH_URL environment variable, enabling correct auth service URLs for staging and production

Changed

• Fixed staging frontend port mapping from 4000:4000 to 3000:80

v0.7.0 - 2026-05-13

Added

• Project and SBOM domain with upload/scan pipeline, API routes, object storage helpers, and frontend views
• Global vulnerability summary on dashboard with severity breakdown and trend chart
• Project list rebuilt as data table with vulnerability severity badges
• Project vulnerability dashboard with summary bar and trend chart
• Bulk SBOM analyses endpoint with suppressed vulnerability filtering
• Severity color variants for card and SBOM vulnerability list components
• Feature flags for agents, containers, and notes in centralized config — UI sections are now conditionally rendered
• Fuzzy search using fuse.js across list views with data tables and pagination
• Project and SBOM tables exported from database package index

Fixed

• CVSS score parsing and MODERATE severity mapping from OSV in worker
• Trend chart tooltip background color and x-axis unique key
• Chart tooltip passed as component reference instead of JSX instance
• Chart tooltip entries sorted by severity order
• Low severity color changed from blue to emerald for visual consistency
• Summary and trend data refetched after SBOM deletion on project page

v0.6.2 - 2026-04-17

Fixed

• Read release version from package.json instead of computing from commit history to prevent wrong version tags

v0.6.1 - 2026-04-16

Fixed

• Replace artifact-based Docker pipeline with direct build and push to fix CI failures

v0.6.0 - 2026-04-16

Added

• Automatic database migrations on production startup for API and auth services
• Staging environment configuration files
• Split CI pipelines into separate quality gate and release workflows

v0.5.0 - 2026-04-16

Added

• CI workflow dependency: build jobs now require quality gate to pass first
• Staging environment configuration files
• Infisical secrets integration for deployment

Fixed

• Corrected bun.lock file
• Critical CVE in axios dependency
• Settings environment variables configuration
• Infisical agent configuration
• Removed empty environments from config
• Simplified PR workflow

v0.4.1 - 2026-04-09

Added

• CI build and Docker workflows for Go services (gateway, agent)

Fixed

• CI build pipeline now correctly handles Go services separately from Bun/Turbo workspace builds

v0.4.0 - 2026-04-09

Added

• ClickHouse @pkg/clickhouse package with schema, insert helpers, and query functions for container stats, events, and logs
• Postgres state tables for containers, networks, volumes, and images with Zod validation schemas
• Worker NATS subscribers for container stats, events, state sync, and log ingestion with batching
• API endpoints for querying stats, stats history, events, and logs from ClickHouse
• API endpoints for listing agent networks, volumes, and images from Postgres
• Agent support for listing Docker networks, volumes, and images
• Agent container log streaming with stdcopy demuxing and periodic refresh loop
• Agent periodic state report (containers, networks, volumes, images) every 30 seconds
• Gateway forwarding for agent state reports and container logs via NATS
• Protobuf definitions for networks, volumes, images, agent state report, and container logs
• Frontend log viewer component with search, time range, and limit filters
• Frontend REST-based container stats polling from ClickHouse API

Changed

• Container list API reads from Postgres state table instead of live NATS request
• Frontend replaced WebSocket connections with REST polling for container stats and events
• Removed WebSocket handler and useAgentWebSocket hook in favor of useContainerStats polling

Removed

• WebSocket-based real-time container monitoring (ws.ts, use_agent_websocket.ts)

v0.3.2 - 2026-04-09

Changed

• Introduce service-scoped child loggers for api, worker, nats, and queue packages
• Rename agentService to agent for naming consistency
• Move agent status tracker from API to worker as NATS subscriber
• Extract worker email queue handler into dedicated module
• Simplify agent router by removing redundant sub-router
• Add missing tsconfig path mappings for @pkg/nats, @domain/agent, and @domain/pki
• Add WebSocket onClose/onError handlers before onOpen for correct lifecycle ordering

v0.3.1 - 2026-04-04

Added

• Shared @pkg/theme package with design tokens (colors, border radius) and cn() utility
• Tailwind CSS support for react-email templates using shared theme tokens
• Docker agent service configuration

Changed

• Frontend and website now import shared theme from @pkg/theme instead of duplicating styles
• Email templates use semantic color tokens (bg-primary, text-foreground) and theme border radius instead of hardcoded values
• Email button styling aligned with frontend button component (same radius, padding, font weight)

v0.3.0 - 2026-03-30

Added

• Go agent service with mTLS registration and Docker container management
• Go gRPC gateway service with mTLS support
• Protobuf definitions and generated Go code for agent service
• Agent CRUD and registration API routes with domain and database schema
• PKI domain package for certificate management
• NATS TypeScript package with connection management
• Container management endpoints, WebSocket handler, and agent status tracker
• Container management views with real-time WebSocket updates
• Live container stats collection and streaming via gRPC, NATS, and WebSocket
• Dashboard with agent and container summary cards
• Container detail page with live CPU, memory, network, and disk stats
• Container table with status indicators and progress bars
• Agent management pages and sidebar navigation
• Beta signup with Listmonk integration on website
• Container event proto message and Docker Events API watcher

Changed

• Replaced HTTP API with NATS messaging for agent communication
• CI pipeline versions updated for new workflow labels
• Redesigned container table UI

Fixed

• Use fully qualified URLs for reusable workflows in Forgejo
• Container index page rendering
• Container query cache shape to prevent 'not iterable' error
• Undefined/NaN in formatBytes for missing stats fields
• NATS config to use CLI flags instead of file bind-mount

v0.2.0 - 2026-03-26

Added

• Turborepo integration for incremental builds in monorepo
• Docker workflow for building and pushing container images to Gitea registry
• Website with Astro, ShadcnUI, and theme support
• Website Dockerfile and CI build integration
• Chatwoot integration for website

Changed

• Build pipeline uses Turborepo with per-service caching instead of full rebuilds
• Updated dependencies: lucide-react, oxfmt, oven/bun, react-email, @react-email/components, @react-email/preview-server

v0.1.0 - 2026-03-20

Added

• Simple logger, environment package, and Hono API framework
• Docker Compose setup for local development (PostgreSQL, Redis, NATS, ClickHouse, MinIO)
• Database health check and migration functions
• S3-compatible object storage package with health check
• Health check endpoint for API
• Authentication module with better-auth (organization and team management)
• Dark mode theme support with toggle
• Account settings with profile and password management
• TanStack Router and frontend routing
• Breadcrumbs navigation
• Organization creation flow for new users
• Organization invitations and email verification
• Profile completion screen for magic link users
• Notes routes with CRUD operations
• Organization chooser when no active organization is available
• Active states for sidebar navigation and dashboard link
• Orval integration for frontend API client generation
• Email queue with pg-boss and magic link email
• Centralized config package
• Auth middleware with public endpoint exceptions
• /v1/me endpoint
• Organization-required middleware with type-safe context
• AI skills for development workflow
• ShadcnUI alert dialog for removing notes
• CI/CD build pipeline with matrix strategy
• Quality gate workflow (SonarQube + Trivy/Dependency-Track)
• Version tracking in quality gate pipeline
• Renovate configuration for dependency updates
• Commitlint with conventional commit validation
• oxc (oxlint + oxfmt) for linting and formatting

Changed

• Restructured queue package
• Improved queue creation
• Improved logging configuration for production environment
• Refactored frontend to Vite
• Refactored API error handling and code style

Fixed

• TypeScript config for workspace packages
• Frontend dev mode
• Different React versions in frontend
• Frontend orval type issues
• Dashboard sub items toggle
• Render loop in organization invitations table
• Members list data fetching with listMembers API
• Worker environment variables
• API Dockerfile configuration
• Frontend build in CI