# Changelog All notable changes to this project will be documented in this file. ## [0.8.6] - Karm (2026-06-12) ### Added - `OBSIDIAN_PACKAGE` env var: unpack a pre-placed `.deb`, `.asar.gz`, or `.asar` on first run instead of downloading, for offline or restricted networks. - `PROXY_ALLOW_PRIVATE_HOSTS` env var: IPs or IPv4 CIDRs the cross-origin proxy may reach despite the private-address block. ### Changed - `fs.promises.realpath` is answered from the client-side cache; vault load no longer issues one realpath request per folder. ### Fixed - Sync file reads serve virtual plugin files the same as async reads. ### Security - Cross-origin proxy rewritten for better security - Filesystem and vault error responses no longer include absolute server paths. - Protocol-relative (`//host`) requests route through the proxy guard. - Vault names are validated on creation; `batch-read` caps the number of paths per request. - Demo mode: `/api/ext/*` blocked, and several security fixes - The `ob` CLI is spawned without a shell. - Dependency bumps clearing npm audit. ## [0.8.5] - Karm (2026-06-07) ### Added - Server settings panel in the Ignis settings tab. - `assert`, `constants`, and `stream` shims, plus callback-style `fs` methods and `realpath`. ### Changed - Write coalescing is now off by default (`WRITE_COALESCE_MS=0`). ### Fixed - Native menus now stay disabled on platforms where its default is true - `/app/data` is now created and owned by the runtime user. - Caddy reverse-proxy example uses the current `basic_auth` directive. ### Security - Cross-origin proxy rejects requests that resolve to private, loopback, or link-local addresses (SSRF guard). ## [0.8.4] - Karm (2026-06-03) ### Fixed - Codeblocks calling clipboard APIs no longer causes reccursion error. ### Security - Hardened same-origin checks, virtual-plugin URL validation, token file permissions, and log line bounds. ## [0.8.3] - Karm (2026-06-01) ### Added - `WS_ORIGINS` env var to restrict allowed `Origin` headers on WebSocket connections. ### Fixed - Ignis version is now rendered correctly. - Tables in editing mode now render correctly in Firefox. ## [0.8.2] - Karm (2026-05-23) ### Fixed - Various app menus crash when "Use native menus" enabled. Solved by forcing the setting off internally; the on-disk value is preserved across toggles. - `/api/fs/rename` and `/api/fs/copyFile` reject missing path fields with 400 instead of silently resolving to the vault root. ## [0.8.1] - Karm (2026-05-17) ### Added - "Available version" indicator in Ignis settings now links to the release page on GitHub. ### Fixed - Update check no longer reports a new version available when only the SemVer build metadata differs. ## [0.8.0] - Karm (2026-05-16) ### Added - Demo mode: per-session vaults, auto-cleanup, proxy allowlist, login blocking. See [examples/demo/](examples/demo/). - No-op guard in the bridge plugin and headless-sync plugin when loaded outside Ignis. - "Open workspace in new tab" command now loads the workspace preset rather than the per-tab live state. - Real digests for `crypto.createHash` (SHA-1/SHA-256/SHA-512/MD5) via `@noble/hashes`. - `LEGAL.md` with the full EU Software Directive rationale. ### Changed - Obsidian pinned at 1.12.7. - Entrypoint downloads `.asar.gz` instead of `.deb`. Smaller image, simpler extraction. - FS shim path translation moved from the transport layer up to the shim's public surface, so caches and metadata operate only on physical paths. - Readme cleanup. ### Fixed - `navigator.vibrate` made conditional. Firefox setups with `dom.vibrator.enabled` off no longer hit a `TypeError`. - Write coalescer no longer holds HTTP responses open for the full debounce window. Buffered writes return immediately with synthetic mtime/size; only the first/stale writes wait on disk. - Prefetch race in workspaces-per-tab resolved by the path-translation refactor. ## [0.7.6] - Orm (2026-04-05) ### Changed - file patching to in-flight injection ## [0.7.5] - Orm (2026-04-05) ### Added - per tab workspaces - self-host auth examples - better documentation ## [0.7.4] - Orm (2026-03-30) ### Added - guards against running Obsidian sync and headless sync simultaneously ### Changed - improved status indicator for headless sync ## [0.7.3] - Orm (2026-03-30) ### Added - status bar indicator for headless sync ## [0.7.2] - Orm (2026-03-29) ### Added - utils shim ### Fixed - right sidebar toggle with css overrides - clipboard functionality ## [0.7.1] - Orm (2026-03-29) ### Added - Server plugin system - obsidian-headless integration via server plugin ## [0.6.4] - Slifer (2026-03-24) ### Added - Context menu items for downloading files and folders ## [0.6.3] - Slifer (2026-03-24) ### Changed - Use stack fingerprinting to identify caller context for file staging registry ## [0.6.2] - Slifer (2026-03-24) ### Added - File watcher system with WebSocket-based live sync for external vault changes - Real-time detection of file create, modify, delete, and rename operations - Echo guard to suppress events from local operations (prevents feedback loops) - Automatic reconnection with exponential backoff for WebSocket client ## [0.6.1] - Slifer (2026-03-24) ### Added - `fetch()` shim that proxies cross-origin requests through `/api/proxy` to bypass CORS restrictions - Automatic `Origin: app://obsidian.md` header injection for cross-origin requests to match Obsidian desktop app - User-Agent forwarding from browser to proxy for cross-origin requests ### Fixed - Obsidian Sync API authentication now works in browser (was blocked by CORS) - Proxy response headers cleaned to exclude hop-by-hop headers (`content-encoding`, `transfer-encoding`, `content-length`, `connection`) ## [0.6.0] - Slifer (2026-03-23) ### Added - `zlib` shim using `pako` library for compression/decompression operations (deflate, inflate, gzip, gunzip, etc.) - File descriptor operations: `fs.open()`, `fs.read()`, `fs.close()`, `fs.fstat()` and sync variants - `fs.promises.open()` returning FileHandle objects with `stat()`, `read()`, `close()` methods - `showOpenDialog` electron dialog shim with browser file picker and vault upload - `showOpenDialogSync` hacky workaround using file staging registry and two-step upload flow - Enhanced `Buffer` shim with `alloc()`, `allocUnsafe()`, `byteLength()`, and `isEncoding()` methods ### Fixed - `MessageDialog` modal dismiss error when confirm button clicked - Dialog shim modal event ordering to prevent null reference errors ## [0.5.0] - Scatha (2026-03-22) ### Added - Compression middleware (gzip/brotli) for API responses to reduce bandwidth - Plugin installation prompt system with per-vault trust flags - Versioning system with cache-busting query parameters on script URLs - Option to install ignis-bridge plugin to vaults imported at runtime ### Changed - Auto-creation of default vault now requires `AUTO_CREATE_DEFAULT=true` environment variable - Script URLs (`ignis-ui.js`, `shim-loader.js`) now include version query params for automatic cache invalidation - Cache headers: versioned assets cached for 1 year, non-versioned for 5 minutes ### Fixed - Vault manager not displaying when no vaults exist - `window.close()` now shows vault manager when no vault is configured ### Removed - Unused `VAULT_PATH` environment variable fallback logic ## [0.4.0] - Gostir (2026-03-18) ### Added - Vault management: create, rename, delete vaults - Last active vault persistence: remembers which vault was open - Plugin trust preservation: keeps plugin trust status when renaming vaults ### Changed - Refactored vault operations into shared service ### Fixed - Issues with dialogs and vault rename operations --- _Changelog tracking started at version 0.4.0. For earlier versions, please refer to commit history._