v0.5.0

New Features

Webhooks

• HTTP POST webhook delivery as a notification channel alongside email
• HMAC-SHA256 request signing with configurable header (default X-Signature-256)
• Outbox-based delivery with exponential backoff retry (up to 5 attempts: 30 s → 2 min → 10 min → 1 h → failed)
• 30-day delivery history retained per webhook
• Per-webhook respect_quiet_hours flag (default: false)
• Test endpoint (POST /api/v2/alerts/{id}/notify-webhooks/{wid}/test) sends a ping event immediately
• Delivery history API (GET /api/v2/alerts/{id}/notify-webhooks/{wid}/deliveries)
• HMAC secret stored write-only; never returned in any GET response

CORS Proxy Endpoints

• GET /api/probe/client-api — proxies a client API path server-side and returns status code + CORS origin header
• GET /api/probe/well-known — same for well-known endpoints (support, etc.)
• Enables the frontend to detect CORS misconfigurations without browser interference

Additional Alert Types

• tls_expiry_warning — fires when a TLS certificate expires within 14 days
• tls_cert_changed — fires when the TLS fingerprint changes
• version_changed — fires when the server software version changes
• server_name_changed — fires when delegation or server name changes

Daily Statistics

• New daily aggregation endpoint for finer-grained graphs in the frontend

Quiet Hours

• Quiet hours properly wired into alert dispatch; delivery deferred until the window ends

Configurable Sponsor URLs

• Sponsor URLs now configurable via config.yaml; passed through to all email templates

Authentication & Accounts

• Replaced magic-link login with full password-based authentication
• Password reset, password set, and password change flows with email confirmation
• Primary email promotion and verification-resend endpoints
• Timezone stored per account; exposed in account API
• Tightened password entropy requirements
• Fixed account deletion to cascade-delete all associated data (alerts, emails, outbox entries)
• Fixed server_name leaking into the database in alert-related paths

API

• New /api/v2/alerts endpoints required for the v3 frontend redesign
• Alert notification emails now scoped to specific addresses per alert (not just the account email)
• Fixed permissions and response payload in the alerts v2 API
• Fixed double-send race condition in the email outbox
• Added detail fields to federation check responses for improved frontend readability
• Fixed DateTime serialisation for time-zoned values

Email

• Email dispatch is now non-blocking (no longer stalls the alert check loop)
• Fixed outbox double-send race condition under concurrent pod execution
• Correct retention policy enforced for delivered/failed outbox entries
• SMTP can be disabled entirely via config (previously required)
• All email templates updated to the new v3 design
• OAuth2 consent template updated to new design

Performance & Reliability

• HTTP federation check path refactored for lower allocations
• TLS handling improvements (certificate parsing and fingerprint extraction)
• Small database query optimisations
• Improved Redis distributed locking (lock renewal via Lua script to prevent expiry races)

Observability & Tooling

• CodSpeed benchmark integration: full_check and validation_only benchmark suites
• Clippy cognitive_complexity lint enforced globally via [lints.clippy] in Cargo.toml
• cargo nextest adopted as the test runner
• Pre-commit hook runs Clippy automatically
• HEALTHCHECK instruction added to the Dockerfile
• Cargo.lock no longer excluded from Docker image builds
• Credential leak protection in structured logs

Dependency Updates

• hickory-resolver 0.25 → 0.26.1 — security update (CVE affecting >= 0.25.0-alpha.3, <= 0.25.2)
• redis 0.27 → 1.2.1
• deadpool-redis 0.18 → 0.23
• css-inline 0.19 → 0.20
• axum-tracing-opentelemetry 0.32 → 0.33.1
• askama 0.15 → 0.16
• axum-test (dev) 18 → 20
• Removed unused rustls-pemfile dependency (RUSTSEC-2025-0134)
• Removed direct ed25519 dependency (now sourced transitively through ed25519-dalek)

---

Full Changelog: v0.4.2...v0.5.0

v0.4.2

Changes

• Fixed login via magic link in the oauth2 code... it now works across tabs properly
• The mail queue doesn't block UI anymore
• Allow disabling smtp as a feature in your instance!
• Some boilerplate and complexity cleanup
• Fixed upgrading from magic link to oauth2 not working properly
• Password reset and Password update functionality added on the oauth2 UI.
• N:N relations on email<>alerts

Full Changelog: v0.4.1...v0.4.2

v0.4.1

Fixes an issue where oauth2 users were unable to create alerts using the new oauth2 alert api.

Full Changelog: v0.4.0...v0.4.1

v0.4.0

What's Changed

• Split brain resolution detection and warning
• OAuth2 backend for the alerts
  • Multiple email addresses possible
  • Less need for the magic links
  • Magic Links still available if preferred

• Redis locking and synchronizing of the email detection to ensure it is possible to run multiple instances at the same time
• Various bugfixes and refactoring and improvements.
  • Fix #19
  • Fixed the connection limiting to actually work correctly, which does ~half the median response time on requests from ~811ms to ~471ms
  • We now internally have k6 benchmarks to monitor changes in performance better
    • Bump quinn-proto from 0.11.13 to 0.11.14 in the cargo group across 1 directory by @dependabot[bot] in #23

Full Changelog: v0.3.4...v0.4.0

v0.3.4

Fix the email tests running into the DDOS protection

Full Changelog: v0.3.3...v0.3.4

v0.3.3

This adds some extra logging to verify it is actually working as wanted

Full Changelog: v0.3.2...v0.3.3

v0.3.2

This update reworks the email checks which hopefully fix the spurious emails

Full Changelog: v0.3.1...v0.3.2

v0.3.1

This adds the error reason to the email and some more logging to hopefully debug email issues better.

Full Changelog: v0.3.0...v0.3.1

v0.3.0

This release adds and fixes:

• Fixing the spurious email errors happening
• Using OAuth 2.0 instead of magic emails for alerts (yes it has a migration path and yes that's optional for now. This will require UI changes first to be usable)
• Improved API docs at /api-docs
• Improved logging capabilities
• Improved email layout

Full Changelog: v0.2.6...v0.3.0

v0.2.6

Full Changelog: v0.2.5...v0.2.6

This release overhauls the alerts. They now get checked in 5m intervals, send reminders in 12h intervals and send a resolved email when it works again.

Additionally there is now html content in the email using the uk gov theme.