v0.1.7 — Security Hardening (OWASP Top 10)

🔒 Security Release

This release addresses 6 Critical and 5 High severity findings from a comprehensive OWASP Top 10 audit.

Security Fixes

• No default credentials — login disabled until STATUS_PANEL_USERNAME/PASSWORD are configured
• Container & SSL routes require authentication — /restart, /stop, /pause, /enable_ssl, /disable_ssl
• AGENT_ID enforced — API endpoints reject requests when AGENT_ID is unset
• Secure session cookies — HttpOnly; Secure; SameSite=Strict
• Certbot injection prevented — email/domain values validated against shell metacharacters
• Daemon command validation — shell fallback now passes through CommandValidator
• Session TTL — cleanup_expired() removes stale sessions
• Localhost by default — server binds 127.0.0.1 instead of 0.0.0.0
• Logout invalidates session — server-side deletion + cookie cleared
• HTTPS-only self-update — HTTP URLs rejected; SHA256 always computed
• 12 automated OWASP security tests added

Added

• status init — generates default config.json and .env template on first run
• Friendly error message when config is missing (replaces stack trace)

Fixed

• RUSTSEC-2026-0049 — upgraded rustls-webpki 0.103.8 → 0.103.10

Upgrade Guide

After upgrading, ensure these environment variables are set:

STATUS_PANEL_USERNAME=your-username
STATUS_PANEL_PASSWORD=your-password
AGENT_ID=your-agent-id

Or run status init to generate a .env template.

Full changelog: https://github.com/trydirect/status/blob/master/CHANGELOG.md

What's Changed

• feat: add 'status init' command for first-run config generation by @vsilent in #85
• OWASP-10 security fixes by @vsilent in #86
• release: v0.1.7 — security hardening (OWASP Top 10) by @vsilent in #87

Full Changelog: v0.1.6...v0.1.7

v0.1.6

v0.1.6 — Kata Containers Runtime Support

New Features

• Kata Containers runtime support: Deploy containers with hardware-level isolation via lightweight microVMs
• ContainerRuntime enum (Runc / Kata) with serde and Display support
• detect_kata_runtime(): Auto-detect Kata availability via docker info, cached with OnceLock
• inject_runtime_into_compose(): Inject runtime: io.containerd.kata.v2 per-service in compose YAML
• Runtime field on DeployAppCommand and DeployWithConfigsCommand
• Graceful fallback: If Kata is requested but unavailable, deploys with runc + warning
• Capabilities endpoint reports kata feature when runtime is detected

Improvements

• Async file operations in deploy handler (tokio::fs::try_exists instead of blocking Path::exists)
• Improved error logging in unlink_handler
• 14 new tests for Kata runtime functionality

Full Changelog

v0.1.5...v0.1.6

What's Changed

• Improved readme by @vsilent in #70
• Bump time from 0.3.44 to 0.3.47 by @dependabot[bot] in #56
• Bump quinn-proto from 0.11.13 to 0.11.14 by @dependabot[bot] in #61
• Fix env var state leakage in tests via Drop-based EnvGuard by @Copilot in #80
• Copilot/analyze test coverage by @vsilent in #79
• Remove hardcoded urls by @vsilent in #82
• Support kata container runtime by @vsilent in #84

New Contributors

• @Copilot made their first contribution in #80

Full Changelog: v0.1.4...v0.1.6

v0.1.5

v0.1.5

• Improved UI with marketplace integration
• Self-registration via command
• User authentication for linking status panel with Stacker
• Probe endpoint
• Dependency updates (quinn-proto, time)
• Fix: restore correct determine_status return values

What's Changed

• Improved readme by @vsilent in #70
• Bump time from 0.3.44 to 0.3.47 by @dependabot[bot] in #56
• Bump quinn-proto from 0.11.13 to 0.11.14 by @dependabot[bot] in #61

Full Changelog: v0.1.4...v0.1.5

v0.1.4

What's Changed

• firewall manager, fix parameters by @vsilent in #60
• Firewall feature testing merge by @vsilent in #62
• Merge pull request #62 from trydirect/testing by @vsilent in #63
• Testing by @vsilent in #65
• Merge pull request #63 from trydirect/master by @vsilent in #64

Full Changelog: v0.1.3...v0.1.4

What's Changed

• firewall manager, fix parameters by @vsilent in #60
• Firewall feature testing merge by @vsilent in #62
• Merge pull request #62 from trydirect/testing by @vsilent in #63
• Testing by @vsilent in #65
• Merge pull request #63 from trydirect/master by @vsilent in #64
• correctly interpret 'all' and return health status for all containers by @vsilent in #66
• v0.1.4, install with curl, new health/status,update commands, build r… by @vsilent in #67
• fix: apply rustfmt to stacker.rs by @vsilent in #69
• Merge testing into master (v0.1.4) by @vsilent in #68

Full Changelog: v0.1.3...v0.1.4

v0.1.3

What's Changed

• Issue 38 by @vsilent in #40
• Issue 39 by @vsilent in #42
• SSL, reqwest default-features=false by @vsilent in #43
• Keep port 5000 for the app instead of 8080 by @vsilent in #44
• static musl build by @vsilent in #45
• Feature agent compose sidecar by @vsilent in #46
• Update README.md by @vsilent in #47
• Update README to improve clarity and remove header by @vsilent in #48
• Feature agent compose sidecar by @vsilent in #49
• container name match, should be rethinked, must match app_code by @vsilent in #50
• Deploy app and configs by @vsilent in #51
• Deploy app and configs by @vsilent in #52
• fmt all and clippy fixes by @vsilent in #54
• Bump bytes from 1.11.0 to 1.11.1 by @dependabot[bot] in #53
• Deploy app and configs by @vsilent in #55
• Deploy app and configs by @vsilent in #57

New Contributors

• @dependabot[bot] made their first contribution in #53

Full Changelog: v0.1.1...v0.1.3

v0.1.0

• Python version upgrade 3.9
• Docker image size reduced
• Deploy python app as a binary file using nuitka lib