Changelog

All notable changes are documented here. This page is maintained during development and will be trimmed to recent releases once v1.0 ships.

---

Unreleased

Security

• Socket CLI moved to Docker build stage only — no longer present in the runtime image
• Security response headers added (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy)
• HSTS header added when running in direct TLS mode

Added

• Direct TLS support — Kestrel can now terminate TLS directly using a PEM or PFX certificate (TLS_ENABLED, TLS_CERT_PATH, TLS_KEY_PATH, TLS_PORT env vars)
• PROXY_ENABLED env var — explicit flag for reverse-proxy deployments; enables forwarded headers middleware
• Documentation site — VitePress docs deployed to Cloudflare Workers via Gitea Actions on every push
• Network Share data source — SMB/CIFS file share connections with list, read, write, move, delete, and CSV/Excel parsing
• SFTP data source — SSH file transfer with key-based auth, host fingerprint verification, and the same file operations as network shares
• Native CSV/Excel parsing — ReadCsv / ReadExcel available in all script languages via network share and SFTP data sources
• Notification system — send results to Slack, Microsoft Teams, or email from within scripts; per-channel enable/disable and role controls
• CompletedWithWarnings status — tasks that emit logger.Warn or logger.Error but do not throw are marked with a distinct warning status
• MQTT triggers — tasks can be triggered by messages on a configured MQTT broker topic
• Webhook triggers — tasks can be triggered via HTTP POST to a unique URL; optional shared secret for HMAC-style verification
• TypeScript support — scripts can be written in TypeScript; transpiled via tsc before execution
• Data Sources — named, encrypted connections to PostgreSQL, SQL Server, MySQL/MariaDB, Oracle, and REST APIs injected into scripts at runtime
• OpenAPI spec import — paste an OpenAPI/Swagger spec on a REST API data source for endpoint auto-discovery and Monaco IntelliSense
• Task sharing — share tasks with other users at View or Edit permission level
• OIDC / SSO — single sign-on via any OpenID Connect provider (Entra ID, Google, Keycloak, etc.) with optional role mapping
• Invite-only registration — admin can disable open registration and send email invites instead
• Admin Settings — database-backed configuration for general settings, auth, email/SMTP, notifications, MQTT, storage limits, and sandbox mode
• Unrestricted mode — per-role flag to remove language-level sandbox restrictions for fully trusted teams (OS-level isolation always active)
• Run history — full execution log with live SSE streaming during runs and stored log drill-down afterward
• Log retention — nightly job purges run history older than a configurable number of days
• Soft delete — tasks, users, shares, and invites are soft-deleted; admin history shows [DELETED] badges
• Setup wizard — first-run wizard creates the initial admin account and configures the database; env-var mode skips the wizard for Docker deployments
• Sandbox script execution — PowerShell runs in ConstrainedLanguage with a cmdlet whitelist; JavaScript runs in a vm.runInContext sandbox; both execute as a locked-down script-runner OS user
• Monaco Editor — full code editor with syntax highlighting and IntelliSense for all supported languages
• Cron scheduling — Quartz.NET-backed scheduler with a visual cron picker; tasks can have both a schedule and a webhook/MQTT trigger simultaneously
• JWT authentication — 15-minute access tokens in memory, 7-day refresh tokens in HttpOnly cookies; silent refresh on page load
• Python and Bash support — scripts can be written in Python 3 or Bash in addition to PowerShell, JavaScript, and TypeScript