174 tests covering URL normalization, FTS5 query sanitization, SSRF/CSRF
guards, sharing-mode logic, DB schema and upsert paths, handler
end-to-end flows, and gateway body-size / mesh-whitelist guards. Each
recent bug-fix commit (6ffd38d, 1bc695f, 8dffd8c) has an explicit
regression test in test_regressions.py. One xfail documents a minor
latent bug in clean_url where port 80 is not stripped from upgraded
https URLs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- Bulk delete now routes through a server-rendered confirmation page
listing the selected titles; a `confirmed=1` form field is required
before pages are actually deleted. Mirrors the single-delete flow.
- Reset-template button gains a JS confirm() so stray clicks don't wipe
the custom template.
- Homepage shows a short, neutral empty-state block when the index has
zero pages and no query — just names what tinyweb is and links to
/add, /style, and /subscriptions as equal options.
- /about gains a "your data" section explaining what lives in
~/.tinyweb/ (identity file, index.db), what losing each costs, and
how /export differs from a full backup.
- README gains a "Backups" subsection mirroring the /about copy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Security:
- Bind HTTP gateway to 127.0.0.1 by default; add --bind for LAN opt-in
- Restrict Reticulum mesh surface to GET /api/sites only (CSRF cannot
authenticate mesh callers, so gate by whitelist)
- Cap request body size at 16 MiB to prevent memory DoS
- Redact /bookmark query strings from request logs so the bookmark token
and URLs do not land in stdout / docker / journal logs
- Tighten FTS5 sanitizer: strip colon, drop AND/OR/NOT/NEAR operator words
- Expand .dockerignore; document trust model in README
Features:
- Add sharing mode toggle (share everything except private vs share only
public-tagged) with /share/preview so users can see what subscribers
would receive before enabling sharing
Bugs:
- handle_export() crashed on every call (missing query kwarg)
- Dead float16 decompression branch in embeddings.py silently corrupted
the HNSW index when compress_embeddings was on
- GATEWAY_PORT staleness: --port and find_available_port had no effect
on the actual bind
- semantic_search default mismatched between db.py ("1") and the rest of
the app ("0"), causing embeddings to be generated when the UI said off
- Connection pool returned connections with uncommitted transactions to
the next consumer
- Gateway POST body decode 502'd on non-UTF-8 input
- ensure_rns_config clobbered user-edited ~/.reticulum/config; now only
rewrites files it authored (sentinel-tagged)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
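
One way the FTS5 sanitizer change listed in the security commit above could look, as an added example (not tinyweb's own code): it strips the colon and the other FTS5 syntax characters and drops the AND/OR/NOT/NEAR operator words, then goes one step further than the commit message states by quoting each remaining term. The `pages` table, the function names and the term cap are assumptions.

```python
import re
import sqlite3

# FTS5 only treats these as operators when upper-case, so lower-case
# "and"/"or" typed by a user stay searchable.
FTS5_OPERATORS = {"AND", "OR", "NOT", "NEAR"}
MAX_TERMS = 16  # assumed cap, keeps pathological queries cheap


def sanitize_fts5_query(raw):
    """Reduce untrusted search text to a MATCH string of quoted bare terms."""
    terms = []
    # \w+ keeps letters, digits and underscore only, so ':' (column filter),
    # '"', '*', '^', '-', '+', '(' and ')' never reach the MATCH parser.
    for token in re.findall(r"\w+", raw):
        if token in FTS5_OPERATORS:
            continue
        terms.append('"' + token + '"')  # quoted: parsed as a string, not syntax
        if len(terms) == MAX_TERMS:
            break
    return " ".join(terms)


def search(conn, raw, limit=20):
    """Run a sanitized query against a hypothetical `pages` FTS5 table."""
    match = sanitize_fts5_query(raw)
    if not match:  # an empty MATCH string is an FTS5 syntax error
        return []
    rows = conn.execute(
        "SELECT title FROM pages WHERE pages MATCH ? ORDER BY rank LIMIT ?",
        (match, limit),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    # Constructed inputs, not taken from the project.
    for raw in ["title:secret", "cats AND dogs", 'NEAR(a b, 5) "x', ":::"]:
        print(repr(raw), "->", repr(sanitize_fts5_query(raw)))
```

The MATCH string is still passed as a bound parameter; sanitizing the query syntax and parameterizing the SQL address two different parsers.
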
- Progressive retry in rns_client.py: fast timeout (15s) then slow (60s+)
for LoRa/multi-hop links, with automatic fallback
- Background sync threads so subscriptions page returns immediately
with syncing/error status indicators per subscription
- LoRa RNode configuration in settings page with serial port and
expandable advanced radio settings (frequency, bandwidth, etc.)
- Internet transport now toggleable alongside LoRa — users can
enable one, the other, or both
- Reticulum config auto-generated from settings on startup

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Bulk delete and retag from browse page with checkboxes
- Select all / deselect all toggle
- Delete confirmation shows count of selected pages
- Auto-cleanup orphaned tags on delete, edit, and bulk actions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Replace Google Fonts with system font stacks across all themes
- Add Referrer-Policy, X-Content-Type-Options, X-Frame-Options, CSP headers
- Add rel="noreferrer noopener" on all outbound links
- Add no-referrer and dns-prefetch-control meta tags to all themes
- Clean tracking params on outbound links from trusted/remote sources
- Remove Google domains from CSP whitelists

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Set min-height: 100vh on html/body so the cursor-bearing elements
fill the viewport even when content is short.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Adds pagination, meta, and success message styles, plus input
selectors for new form fields (edit page, manual entry, transport node).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Add pyinstaller.spec and GitHub/Forgejo CI workflows for cross-platform builds
- Add AGPLv3 license
- Move data storage to ~/.tinyweb/
- Add --version and --port CLI flags
- Add transport node selection in /style (smart regeneration preserves Reticulum config)
- Add discover more nodes link to rmap.world