- New MEDIARIP__ADMIN__PASSWORD env var accepts plaintext password
- Hashed via bcrypt on startup, plaintext cleared from memory immediately
- PASSWORD_HASH still works for backward compatibility (takes precedence)
- Removes the 'docker run python bcrypt' ceremony from setup flow
- Updated README, docker-compose, .env.example to use plaintext
- Admin enabled by default (was opt-in via env var)
- New /admin/status (public) and /admin/setup (first-run only) endpoints
- Setup endpoint locked after first use (returns 403)
- Admin password persisted to SQLite config table (survives restarts)
- Change password now persists to DB (was in-memory only)
- Frontend router guard forces /admin redirect until setup is complete
- AdminSetup.vue wizard: username + password + confirm
- Public config exposes admin_enabled/admin_setup_complete for frontend
- TLS warning only fires when password is actually configured
Three bugs causing 100% CPU and container crash-looping in production:
1. sse-starlette ping=0 causes await anyio.sleep(0) busy loop in _ping task.
Each SSE connection spins a ping task at 100% CPU. Changed to ping=15
(built-in keepalive). Removed our manual ping yield in favor of continue.
2. Dockerfile purged curl after installing deno, but Docker healthcheck
(and compose override) uses curl. Healthcheck always failed -> autoheal
restarted the container every ~2 minutes. Keep curl in the image.
3. Downloads that fail during server shutdown leave zombie jobs stuck in
queued/downloading status (event loop closes before error handler can
update DB). Added startup recovery that marks these as failed.
Verified: no external URLs in frontend (no CDN fonts, no analytics,
no Google Fonts, no external scripts). All fonts use system fallback
chains (JetBrains Mono → Cascadia Code → Fira Code → monospace).
No outbound HTTP calls in backend code.
Added SecurityHeadersMiddleware enforcing:
- Content-Security-Policy: default-src 'self', script/font/connect
restricted to 'self', style allows 'unsafe-inline' for Vue scoped
styles, img allows data: URIs, object-src 'none', frame-ancestors
'none'
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Referrer-Policy: no-referrer
These headers prevent any accidental introduction of external
resources in future development — CSP violations will block them.
