Changelog

All notable changes to Project Syrup, newest first.

v0.1.17

v0.1.17 2026-05-31
Added
  • Progress Bars — DaisyUI fill progress bars on waffle cards (public list, admin dashboard, waffle detail) showing claimed vs total spots at a glance.
  • Image Thumbnails — Waffle list cards now render an image_url thumbnail when set, with an onerror handler to gracefully hide broken images.
  • Open Graph Meta Tags — OG tags added to waffle detail and home pages for richer link previews when shared on Instagram or other platforms.
  • Configurable Trusted Proxies — New TRUSTED_PROXIES environment variable accepts comma-separated CIDRs. Defaults to RFC 1918 ranges if unset or invalid. Ensures real client IPs are captured correctly behind Cloudflare, nginx, or cloud load balancers.
  • Extended Private IP Detection — WHOIS skip logic now covers IPv6 loopback (::1), link-local (fe80::/10), ULA (fc00::/7), and CGNAT (100.64.0.0/10) in addition to the existing RFC 1918 ranges.
  • Template Functions — Added mul and div template helper functions used by the new progress bar calculations.

v0.1.18

v0.1.18 2026-05-31
Added
  • Users Registry — New users table with GetOrCreateUser, ListUsers, and BackfillUsers service functions, admin users list page and JSON API endpoint.
  • User Backfill — Automatic backfill of existing claimed_by_handle values from spots table into users table on application startup.
Fixed
  • Duplicate Lockout Removal — Resolved duplicate Instagram handle lockout preventing claim submissions for handles with existing pending/paid spots.

v0.1.16

v0.1.16 2026-05-31
Changed
  • Dev/Stable Release Channels — Docker workflow dev branch trigger, version bump, CHANGELOG backfill, README channels section.

v0.1.15

v0.1.15 2026-05-30
Added
  • Admin Profile Expansion — First name, last name, email, and social links fields on admin profile.

v0.1.14

v0.1.14 2026-05-30
Changed
  • Admin UI Polish — Password change UI, tooltips, responsive layout fix.

v0.1.13

v0.1.13 2026-05-29
Changed
  • Admin Nav Grouping — Grouped admin navigation under Admin Tools dropdown.

v0.1.12

v0.1.12 2026-05-29
Added
  • Audit Log Nav Prominence — Moved audit log to top nav, added admin filter, and added server settings tab.
  • Role-Permissions Guide — Inline role-permissions guide on admin users page.

v0.1.11

v0.1.11 2026-05-29
Fixed
  • Archived Waffle Filter — Admin active and archived waffle lists now show the correct records.
  • Buyer Stats Recalculation — Clear/change winner actions now refresh buyer win/loss stats.
  • Password Reset API — Forgot-password JSON response no longer exposes reset tokens.
  • Drought Report Dates — Missing last-entry dates now render cleanly instead of showing Invalid Date.
Changed
  • Admin Code Cleanup — Removed unused spot/winner handlers and consolidated shared audit/password confirmation helpers.
  • Accessibility Polish — Claim success/error feedback now announces via aria-live.
  • Audit Export Link — CSV export filters are URL-encoded.

v0.1.10

v0.1.10 2026-05-29
Fixed
  • Admin Login Redirect — Already-authenticated admins are redirected from login to the dashboard.
  • Public Header/Footer Spacing — Public header and footer vertical spacing now better matches admin layout density.

v0.1.9

v0.1.9 2026-05-29
Added
  • CI Pipelinedev branch added to GitHub Actions trigger.
  • Audit Export UI — CSV export button on admin audit log page with date filter support.
  • WebSocket Heartbeat — Server-side ping/pong with per-connection mutex, client-side stale detection.
  • Smoke Tests — Shell script for end-to-end Docker Compose validation.
  • Data Retention — Configurable audit_log and login_history retention (default 90 days).
  • Release Automation — GitHub Release auto-created on tag push with CHANGELOG excerpt.

v0.1.8

v0.1.8 2026-05-28
Added
  • CI Pipeline — GitHub Actions workflow with go test, vet, govulncheck, and Docker build checks.
  • Audit Log CSV Export — New API endpoint to export audit log entries as CSV.
  • WebSocket Reconnect Logic — Exponential backoff jitter and max retry cap for resilient client reconnection.
  • gosec G104 Triage — All unhandled error returns reviewed and explicitly handled across the codebase.

v0.1.7

v0.1.7 2026-05-27
Added
  • Admin Audit Log — Full audit trail with audit_log table, service layer, JSON API, and admin UI at /admin/audit.
  • Last Login IP Tracking — Login history records and displays the IP address of each admin session.
  • Brute-Force Lockout — Rate-limited login endpoints with configurable failed attempt threshold and lockout duration.
  • Configurable JWT Expiration — System setting to control JWT token lifetime.
  • Password Policy Enforcement — Server-side validation enforcing minimum length and rejecting common/weak passwords.
  • Destructive Action Confirmation — Delete, deactivate, and role-demotion operations require current password confirmation.

v0.1.5

v0.1.5 2026-05-27
Added
  • Login History — Audit trail tracking admin logins with IP, browser, OS, and device type.
  • WHOIS Enrichment — Async WHOIS lookups on login to capture org, country, city, and ASN.
  • System Settings — Configurable WHOIS server, super_admin only.
  • Winner Management — Admin-only endpoints to clear winner and change winner with buyer stats recalculation.
  • Settings Dropdown — Consolidated admin nav menu under username.
  • About Page — Public about page with admin-only system extras section.
  • Login History Pages — My Login History tab on settings page + full admin login history page with role-based filtering.

v0.1.0

v0.1.0 2026-05-26
Added
  • Multi-Admin Auth — Role-based access control with super_admin, admin, and waffle_manager roles.
  • Admin Management — Create admins, change roles, deactivate accounts, reset passwords (super_admin only).
  • waffle_manager Role — Create and manage waffles + view reports, without archive/delete/user-management access.
  • Timezone Settings — Per-admin timezone preference with IANA timezone dropdown.
  • Password Reset — Self-service reset tokens plus authenticated password changes.
  • Instagram Media Links — Link to posts showing what's being waffled (supports multiple items).
  • Archive + Delete Controls — Hide completed waffles by default, or type DELETE for permanent removal.
Changed
  • Migrated all UI to DaisyUI with syrup theme and amber primary colors.
  • Redesigned navigation with Inter font and unified brand colors.

v0.0.9

v0.0.9 2026-05-26
Added
  • DaisyUI Migration — Complete UI overhaul with DaisyUI component library and syrup color theme.
  • Production Deployment — docker-compose.prod.yml, .env.example, and GHCR image workflow.
  • PWA Service Worker — Offline caching with service worker registration.
  • Rate Limiting — Request rate limiting for public endpoints.

v0.0.8

v0.0.8 2026-05-25
Added
  • Seed Data — Demo waffle and admin data for fresh installs.
  • Navigation Redesign — Cleaner admin nav with role-based visibility.
  • Inter Font — Modern typography across all pages.
  • Brand Color Unification — Consistent amber/brown color scheme.

v0.0.5

v0.0.5 2026-05-24
Added
  • PWA Support — Web App Manifest, app icons, standalone display metadata.
  • Offline Page — Cached offline.html for when the network is unavailable.

v0.0.1

v0.0.1 2026-05-20
Added
  • Initial Public Release — Project Syrup foundation.
  • Docker Compose setup with PostgreSQL 16.
  • Go backend with Gin framework and server-rendered Tailwind CSS templates.
  • WebSocket hub for real-time spot updates.
  • Basic waffle CRUD operations.
  • Spot claim and payment tracking.
  • Admin authentication system.