Release v0.4.1 #28

Merged
Mike Bros merged 17 commits from release/v0.4.1 into main 2026-02-19 02:03:36 +00:00
Contributor

Release v0.4.1 — Deferred Polish

Features

  • Mobile responsiveness: Responsive sidebars (admin/settings drawers), mobile navbar with hamburger collapse, responsive grid layouts for all form sections (OP#1059)
  • Keyboard shortcuts: Global keyboard shortcuts (? help overlay, / search focus, n new dashboard) (OP#1064)
  • Browser favicon support: Per-dashboard and server-default favicon URLs with DB migration, admin settings UI, and fallback resolution chain (OP#334)

Security Fixes

  • Require POST for logout to prevent CSRF forced-logout (OP#1073)
  • Use constant-time comparison for CSRF and OAuth state tokens (OP#1074)
  • Add Secure flag to all cookies missing it (OP#1075)
  • Add PATCH to CSRF method check (OP#1076)

Tests

  • Unit tests for mobile responsiveness across admin, settings, and header layouts
  • Unit tests for favicon resolution fallback chain
  • Unit tests for base.templ faviconOrDefault helper
Add mobile drawer pattern with Alpine.js toggle, backdrop overlay, and
slide-in animation to both admin and settings sidebar layouts. Sidebars
collapse to off-canvas drawers on screens < 768px with a floating
hamburger button. Desktop layout unchanged.

Closes GP#1060

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add responsive hamburger menu to the header component. On mobile (<md):
- Search, user dropdown, and admin links collapse into a slide-down panel
- Hamburger button toggles the mobile menu via Alpine.js
- Notification bell stays always visible
- Dashboard name truncates with max-width
- Search panel uses full-width input instead of dropdown popover
- Header padding reduced (px-4 on mobile, px-6 on desktop)

Desktop behavior is unchanged - search popover, user dropdown, and all
nav items remain in the top bar.

Closes GP#1061

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Change all grid-cols-3 grids to grid-cols-1 sm:grid-cols-3 so form
fields stack vertically on mobile. Affects section form (name/icon/
icon-type) and item form (icon/icon-type/target) in both modal and
standalone variants.

Closes GP#1062

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Change all bare grid-cols-2 to grid-cols-1 sm:grid-cols-2 across all
form templates so paired fields stack vertically on mobile (<640px).

Files updated:
- admin/smtp.templ (4 instances: server, security, credentials, sender)
- admin/auth.templ (1 instance: admin group/role)
- admin/themes.templ (1 instance: name/display name)
- partials/edit_forms.templ (9 instances: page, item, status display)
- partials/setup.templ (1 instance: admin group/role)
- partials/user_settings.templ (3 instances: theme grid, toast, comparison)
- partials/user_dashboards.templ (1 instance: diff current/new values)

Closes GP#1063

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Change px-6 to px-4 sm:px-6 on main content containers:
  dashboard_page.templ, user_dashboards.templ (7 instances),
  edit_forms.templ FormPage wrapper
- Reduce toast min-width from 280px to 240px on mobile to prevent
  overflow on 320px screens (min-w-[240px] sm:min-w-[280px])

Closes GP#1064

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add 13 template render tests verifying responsive CSS classes:

Header (7 tests):
- Mobile hamburger renders for logged-in users with md:hidden
- Mobile menu panel contains user links and sign-out
- Desktop dropdown uses hidden md:block
- Header has responsive padding (px-4 md:px-6)
- Dashboard name truncates on mobile (max-w-[150px])
- No mobile menu panel for unauthenticated users
- Mobile search panel renders in hamburger menu

Edit forms (4 tests):
- Section form uses grid-cols-1 sm:grid-cols-3
- Item form uses grid-cols-1 sm:grid-cols-3 and sm:grid-cols-2
- Standalone section form responsive grid

Layout drawers (2 tests):
- Admin layout has responsive drawer (sidebarOpen, FAB, overlay)
- Settings layout has responsive drawer

Also fix mobile menu panel to respect NavbarConfig.HasElement("user_menu")
so the panel doesn't render when user_menu is hidden.

Closes GP#1072

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds `/` (search focus), `?` (help overlay), `Esc` (close), and chord
navigation `g h`/`g a`/`g s`. Replaces the inline `/` handler with a
dedicated JS module and an Alpine.js help overlay modal.

Closes GP#149

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Migration 00018 adds default_favicon_url to app_settings and
favicon_url to dashboards. Updates all SELECT/Scan sites, model
structs, UpdateSettings, and test mocks for the new columns.

Closes GP#1068

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds favicon URL input to admin General Settings form. Updates BaseData
with FaviconURL field and renders it in the <link rel="icon"> tag with
fallback to /static/favicon.svg. Populates favicon in all baseData()
helpers with resolution: dashboard-specific → server default → built-in.

Closes GP#1069

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add per-dashboard favicon_url to the create form and update the
CreateDashboard service/interface to accept and persist the value.

Closes GP#1070

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Table-driven tests for faviconOrDefault helper and handler-level tests
verifying the three-tier resolution: dashboard → server default → built-in.

Closes GP#1071

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Change /auth/logout from GET to POST-only across OIDC provider, manager,
and dev auth. Update header template to use form+button instead of links.

Closes GP#1073

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace == with subtle.ConstantTimeCompare for CSRF token validation
and OAuth state cookie verification to prevent timing side-channels.

Closes GP#1074

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add Secure: true to impersonate_admin, dev_user, flash_toast cookies
and the OAuth state cookie clearing. Mirror HttpOnly/SameSite flags
on deletion cookies for consistency.

Closes GP#1075

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
CSRF middleware now validates tokens on PATCH requests in addition to
POST, PUT, and DELETE.

Closes GP#1076

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
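
The four security commits above (GP#1073 to GP#1076), sketched as one Go handler chain. This is an added example, not code from this repository: the cookie and header names, the `session` cookie and the `try` helper are assumptions, and the request it sends is constructed.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Cookie and header names are assumptions made for this example.
const csrfCookie, csrfHeader = "csrf_token", "X-CSRF-Token"

// csrfProtect checks state-changing methods (PATCH included) in constant time.
func csrfProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodPost, http.MethodPut, http.MethodPatch, http.MethodDelete:
			c, err := r.Cookie(csrfCookie)
			if err != nil || c.Value == "" || subtle.ConstantTimeCompare(
				[]byte(c.Value), []byte(r.Header.Get(csrfHeader))) != 1 {
				http.Error(w, "invalid CSRF token", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// logout is POST-only; the deletion cookie mirrors Secure/HttpOnly/SameSite.
func logout(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	http.SetCookie(w, &http.Cookie{Name: "session", Path: "/", MaxAge: -1,
		Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode})
	w.WriteHeader(http.StatusNoContent)
}

// try sends one constructed request through the chain and returns the result.
func try(method, token string) *http.Response {
	r := httptest.NewRequest(method, "/auth/logout", nil)
	r.AddCookie(&http.Cookie{Name: csrfCookie, Value: "constructed-token"})
	r.Header.Set(csrfHeader, token)
	w := httptest.NewRecorder()
	csrfProtect(http.HandlerFunc(logout)).ServeHTTP(w, r)
	return w.Result()
}

func main() { fmt.Println(try("GET", "").StatusCode, try("POST", "constructed-token").StatusCode) }
```

A GET to the logout route is refused with 405, so a cross-site link or image tag can no longer end the session, and a PATCH without a token is stopped by the middleware before it reaches any handler.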
chore(release): bump version to 0.4.1
Some checks failed
CI / test (pull_request) Blocked by required conditions
CI / validate-branch (pull_request) Successful in 1s
CI / validate-release-pr (pull_request) Failing after 6s
CI / build (pull_request) Successful in 2m17s
CI / security (pull_request) Successful in 53s
CI / lint (pull_request) Has been cancelled
8a759faac9
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ci: retrigger CI after creating draft release
All checks were successful
CI / validate-branch (pull_request) Successful in 6s
CI / validate-release-pr (pull_request) Successful in 9s
CI / lint (pull_request) Successful in 1m16s
CI / security (pull_request) Successful in 2m8s
CI / test (pull_request) Successful in 2m25s
CI / build (pull_request) Successful in 2m12s
86ecf63ae5
Refs GP#1067

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Mike Bros approved these changes 2026-02-19 01:59:34 +00:00
Mike Bros deleted branch release/v0.4.1 2026-02-19 02:03:36 +00:00
Reference
mike/gashy!28