domnitor/CHANGELOG.md

# Changelog

All notable changes to Domain Monitor will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [1.1.5] - 2026-03-08

### Added
- **Twig Templating** - All PHP views migrated to Twig; `twig/twig` added as dependency
- **Twig-Only Rendering** - Removed legacy PHP view fallbacks; ErrorHandler renders via Twig with safe escaped HTML fallback on failure
- **DNS Monitoring** - Track DNS record changes with DnsService (lookup, crt.sh discovery, Cloudflare detection, IP enrichment), DnsRecord model for snapshots and diffs, per-domain `dns_monitoring_enabled` toggle, manual and scheduled refresh via `cron/check_dns.php`
- **SSL Certificate Monitoring** - Track TLS certificates with SslService and SslCertificate model; validity, expiry, issuer, SAN list; per-domain `ssl_monitoring_enabled`; add/refresh/delete endpoints for root and custom hostnames/ports; `cron/check_ssl.php` for scheduled checks
- **Domain View Tabs** - New tabbed domain view: Overview, DNS, Billing, Notifications, SSL, WHOIS
- **Domain View Template Setting** - Choose `detailed` (tabbed) or `legacy` view per installation
- **Cron Staleness Warnings** - Settings shows warnings when domain/DNS/SSL cron runs are overdue
- **Timezone on Installer Routes** - App timezone now applied even on `/install` and `/install/update` when installed, so upgrade notifications use correct timezone

### Changed
- **2FA Flows** - Twig templates for setup, verify, backup-codes; TwoFactorService silences deprecated QR code warnings
- **Settings Page** - Timezone lists, notification preset selection, cron path display, cached update state, rollback availability
- **Avatar and 2FA Data in Controllers** - ProfileController and UserController pass avatar and two-factor info to Twig views
- **EmailHelper** - Safer subject handling
- **TldRegistry** - Search improvements
- **Domain Sorting** - Uses effective status (e.g. `expiring_soon`) for ordering
- **Discord Channel** - Null-safe field handling

### Technical
- **Core** - `Core\TwigService` for Twig rendering; Controller and Router always use Twig
- **Models** - `DnsRecord`, `SslCertificate`
- **Services** - `DnsService` (DNS lookup, crt.sh, Cloudflare detection), `SslService` (certificate fetch and parsing)
- **DomainController** - `performWhoisRefresh`/`performDnsRefresh`, `refreshWhois`, `refreshDns`, `refreshAll`; SSL endpoints: `addSslHost`, `refreshAllSsl`, `bulkRefreshSsl`, `bulkDeleteSsl`, `refreshSsl`, `deleteSsl`
- **NotificationService** - Notifications when DNS or SSL monitoring is toggled
- **domains table** - `dns_last_checked`, `dns_monitoring_enabled`, `crtsh_last_fetched`, `ssl_last_checked`, `ssl_monitoring_enabled`
- **settings** - `domain_view_template`, `dns_check_interval_hours`, `last_dns_check_run`, `ssl_check_interval_hours`, `last_ssl_check_run`

### Migrations
- `027_add_dns_monitoring.sql` - dns_records table, domain columns, DNS cron settings
- `028_add_ssl_monitoring.sql` - ssl_certificates table, domain columns, SSL cron settings, app version 1.1.5

---

## [1.1.4] - 2026-03-02

### Added
- **CSV/JSON Import & Export for TLD Registry** - Export all TLDs with WHOIS servers, RDAP servers, registry URLs, and active status; import from CSV/JSON with create-or-update logic and duplicate detection
- **Manual TLD Creation** - Create button with popup modal to add custom TLD entries (supports multi-level TLDs like .co.uk, .co.za, .com.au)
- **IANA Dropdown Menu** - Consolidated "Import TLDs from IANA", "Check for Updates", and "IANA Import Logs" into a single indigo dropdown, reducing button clutter and separating IANA sync from file import/export
- **TldRegistry::findByTld()** - Lookup TLDs regardless of active status (used by import deduplication and create duplicate check)
- **TldRegistry::getAll()** - Retrieve all TLDs ordered by name for export

### Changed
- **Standardized Import Logging** - Added consistent `Logger('import')` calls across all four import functions (Tags, Domains, Notification Groups, TLD Registry) with start, file info, parse count, validation warnings, and completion stats
- **Standardized Export Logging** - TLD Registry export now uses local `Logger('export')` instances matching Tags, Domains, and Notification Groups pattern
- **TLD Registry Action Bar Redesigned** - Six separate buttons consolidated into four: IANA dropdown (indigo), Export dropdown (emerald), Import button, Create TLD button

### Technical
- **Drag-and-Drop File Upload for TLD Import** - Same dropzone pattern as Tags and Groups with file preview, remove, and submit spinner
- **TLD Validation** - Regex supports multi-level TLDs (`^\.[a-z0-9\-]+(\.[a-z0-9\-]+)*$`), auto-lowercasing, dot-prefix normalization
- **Import Create-or-Update** - File import creates new TLDs or updates existing ones; RDAP servers parsed from JSON arrays or comma/semicolon-separated strings
- **Routes** - Added `GET /tld-registry/export`, `POST /tld-registry/import`, `POST /tld-registry/create` before `{id}` catch-all

### Migrations
- `026_update_app_version_v1.1.4.sql` - Updates app version to 1.1.4

---

## [1.1.3] - 2026-02-11

### Added
- **CSV/JSON Import & Export for Domains** - Export all domains with tags, groups, and notes; import from file with WHOIS auto-lookup, group matching by name, and duplicate skip
- **CSV/JSON Import & Export for Tags** - Export/import user tags with human-readable color names and descriptions
- **CSV/JSON Import & Export for Notification Groups** - Export groups with channels (sensitive data masked); import with auto-disable for masked credentials
- **In-App Update System** - Check, download, and apply updates directly from Settings (GitHub Releases & hotfix tracking)
  - Two update channels: Stable (releases only) and Latest (releases + hotfixes)
  - Full file and database backup before every update, with one-click rollback
  - Automatic `composer install` when dependencies change (detects cPanel/shared hosting limitations)
  - Commit SHA integrity verification on downloaded archives
  - Update badge in top navigation bar (admin-only, configurable)
  - Cron-based background update checks with admin notifications
- **Update Available Notifications** - In-app alerts for admins when a new release or hotfix is detected
- **Tag Transfer** - Admin-only transfer of individual or bulk-selected tags to another user
- **Domain Bulk Transfer** - Admin-only bulk transfer of selected domains to another user
- **Drag-and-Drop File Upload** - File import zones on Domains (bulk-add), Tags, and Groups pages with format hints and size limits

### Changed
- **Bulk Action Bars Redesigned** - Consistent inline toolbar across Domains, Tags, Groups, Users, Errors, and TLD Registry
- **Notification Click Routing** - `update_available` notifications redirect to Settings → Updates tab
- **Domains Per-Page Preference** - Remembered via cookie (persists for 1 year)
- **Installer Route Protection** - Requires admin auth for post-install routes; blocks re-installation
- **Settings Page** - New Updates tab with status card, preferences, rollback, and release notes viewer (Markdown rendered via marked.js + DOMPurify)
- **Button Color Consistency** - TLD Registry and transfer modals use `bg-primary` branding instead of mixed indigo/green
- **ErrorHandler Hardened** - Recursion guard, `JSON_PARTIAL_OUTPUT_ON_ERROR` for stack traces, `\Throwable` catch, graceful fallback to `error_log()`

### Fixed
- **Tag Delete XSS** - Fixed escaping of tag names containing quotes in delete confirmation
- **Bulk Actions Bar Toggle Bug** - Removed flex class toggling that caused display issues

### Security
- **Sensitive Data Masking in Exports** - API tokens show `****` + last 4 chars; webhook URLs show scheme + host only; masked channels imported as disabled
- **Installer Access Control** - Post-install pages (update, migration runner) require admin authentication
- **Import Validation** - File size limits (5 MB domains, 2 MB groups, 1 MB tags), extension whitelist (`.csv`, `.json`), CSRF on all import forms

### Technical
- **UpdateController** - New admin-only controller with check, apply, rollback, and preference endpoints
- **UpdateService** - GitHub API integration with release/commit tracking, file + DB backup, staged extraction, and rollback
- **LayoutHelper::getUpdateBadgeInfo()** - Cached badge state for top-nav without API calls on page load
- **ViewHelper::getMaxUploadSize()** - Returns effective PHP upload limit as human-readable string
- **NotificationGroup::findByName()** - Lookup groups by name with optional user scope
- **Setting::getUpdateSettings()** - Returns all update-related settings in one call
- **In-memory CSV building** - Uses `php://temp` streams to avoid output buffer conflicts

### Migrations
- `025_add_update_system_v1.1.3.sql` - Adds `update_channel` and `update_badge_enabled` settings, updates app version to 1.1.3

---

## [1.1.2] - 2026-02-09

### Added
- **Google Chat Webhook Support** - Selectable payload formats: Generic (n8n/Zapier/Make), Google Chat (rich card), and Simple Text
- **Domain Status Change Notifications** - Configurable alerts for domain lifecycle events: available, registered, expired, redemption_period, pending_delete
- **Failed Login Notifications** - In-app alerts for failed login attempts with geolocation, device info, and reason
- **Domain Expiration Bell Notifications** - In-app notifications for expiring domains, respects user isolation mode
- **Admin User Profile Page** (`/users/{id}`) - Detailed view with Overview, Domains, Tags, and Notification Groups tabs
- **Dashboard Insights Widgets** - Registrar distribution, tag usage, and notification coverage for logged-in users
- **Quick Actions Dropdown** - Top-nav `+` button with Add Domain, Create Group, Create Tag, and WHOIS Lookup
- **WHOIS Rate Limit Handling** - Exponential backoff with retry logic, grouped by TLD to avoid repeated throttling
- **Admin TLD Registry Editing** - Edit WHOIS and RDAP servers directly from the TLD registry UI
- **Redemption Period & Pending Delete Detection** - New domain statuses parsed from EPP status codes (`redemptionPeriod`, `pendingDelete`)
- **Configurable Status Triggers** - Settings UI to choose which domain status changes trigger notifications
- **Sidebar Branding** - SVG logo with clickable "Domain Monitor" title and "Track your domains" subtitle
- **404 Error Logging** - Router logs 404 errors with request method, IP, user-agent, and referer details
- **Copy Error Report** - Clipboard copy with toast feedback in admin error detail view

### Changed
- **Dashboard Redesigned** - Compact admin system status bar, balanced widget grid, removed Quick Actions widget
- **Mobile UI Overhauled** - Sidebar overlay with swipe-to-close, body scroll lock, responsive layout tweaks
- **Error Log Deduplication Improved** - Matches on type + file + line + message; resolution operates on all matching errors
- **Webhook Logging Enhanced** - Masked URLs, response body truncation, payload previews, structured error handling
- **Notification Dropdown Enriched** - Country flags, device icons for login alerts, clickable domain links
- **User Create Form Redesigned** - Centered card layout, responsive grid, password show/hide toggles, live validation
- **WHOIS Date Parsing** - Added DD/MM/YYYY format support for European registries (.pt, .es, .fr)
- **Domain Status ENUM Expanded** - Added `redemption_period` and `pending_delete` values
- **Status Detection Improved** - Better handling for .nl and .eu domains missing expiration dates
- **Login Success Messages** - Now include the user's full name
- **Centralized Logging** - Logger service replaces all remaining `error_log()` calls

### Fixed
- **Notification Group Delete** - Changed from GET to POST with CSRF token (was vulnerable to CSRF)
- **Bulk Domain Create** - Wrapped in try/catch to handle duplicate domain conflicts gracefully
- **User Edit Form Action** - Fixed route mismatch (`/users/update` → `/users/{id}/update`)
- **Tag Isolation Access** - Enforced permission checks in TagController for isolated mode
- **RDAP Server Route** - Fixed route name mismatch between definition and controller method
- **Top-Nav Dropdowns** - Fixed broken dropdown toggle logic after Quick Actions addition
- **PHP 8.x Compatibility** - Fixed null parameter warnings in date functions
- **Sidebar Quick Stats** - Fixed variable collision when viewing user profiles

### Security
- **CSRF Protection** - Added to profile delete, notification delete/clear-all, user delete, user toggle-status
- **POST Method Enforced** - All destructive actions changed from GET to POST (profile, notifications, users, groups)
- **Failed Login Alerts** - Target user notified with IP address and user-agent details
- **Tag Access Control** - Isolated mode users blocked from viewing other users' tags via direct URL

### Migrations
- `024_add_status_notifications_v1.1.2.sql` - Expands domain status ENUM, adds notification status triggers setting, updates app version

---

## [1.1.1] - 2025-11-18

### Added
- **Pushover Notification Channel** - Send domain expiration alerts via Pushover (iOS, Android, Desktop)
  - Priority-based notifications (Emergency, High, Normal, Low) based on days until expiration
  - Emergency alerts (expired or expiring in ≤1 day) with auto-retry every 5 minutes for 1 hour
  - 23 custom notification sounds to choose from
  - Device targeting - send to specific devices or all devices
  - Rich notifications with title, message, and clickable URL to domain details
  - Optional custom sound and device configuration
  - Database migration `022_add_pushover_channel_type.sql` to add Pushover support

### Fixed
- **Security: PHP 8.x URI Injection Vulnerability** - Fixed deprecated `strpos()` null parameter warning
  - Added early request validation in `public/index.php` to block malformed URIs
  - Enhanced `core/Auth.php` to handle null values from `parse_url()` gracefully
  - Malformed requests are now logged and return 400 Bad Request
  - Prevents attackers from causing PHP warnings via malformed URI probes
- **PHP 8.x Compatibility: strtotime() Null Parameter** - Fixed deprecated warnings for null expiration dates
  - Added null checks before calling `strtotime()` in all domain view templates
  - Displays "Unknown" for domains without expiration dates (e.g., .nl domains)
  - Updated 9 view files: groups/edit, domains/index, domains/view, domains/edit, dashboard/index, tags/view, search/results
  - Also fixed `NotificationService::formatExpirationMessage()` to handle null dates
- **Domain Status Detection for .nl Domains** - Fixed incorrect "available" status for registered .nl domains
  - `.nl` WHOIS/RDAP doesn't always provide expiration dates or explicit status flags
  - Improved `WhoisService::getDomainStatus()` to detect registered domains via nameservers and valid registrar
  - Cron job now preserves existing expiration dates when WHOIS doesn't return one
  - Prevents false positives for domain availability
- **Domain Status Detection for .eu Domains** - Fixed incorrect status and registrar parsing for .eu domains
  - Added specific `.eu` registrar format parsing (`Name: Registrar Name`)
  - Fixed RDAP vCard parsing to strip "Name:" prefix from registrar field  
  - Fixed WHOIS parsing to handle "Name: Company" format in registrar sections
  - Enhanced status detection logic to recognize registered domains without explicit status flags
  - Consistent behavior between manual refresh and automated cron checks
- **Logging Consistency** - Replaced all remaining `error_log()` calls with custom Logger service
  - Updated `WhoisService.php`, `NotificationService.php`, `AuthController.php`, `UserController.php`
  - Centralized structured logging throughout the application
  - Better debugging and audit trail capabilities

### Changed
- **Status Detection** - Unified `DomainHelper::determineStatus()` to use `WhoisService::getDomainStatus()` for consistency
- **Documentation** - Updated README.md to reflect all available notification channels including Pushover

## [1.1.0] - 2025-10-09

### Added
- **User Notifications System** - In-app notification center with filtering and pagination
- **Welcome Notifications** - Automatically sent to new users on registration or fresh install
- **System Upgrade Notifications** - Admins notified when system is upgraded with migration details
- **Notification Types**:
  - System: Welcome, Upgrade notifications
  - Domain: Expiring, Expired, Updated
  - Security: New login detection
  - WHOIS: Lookup failures
- **Notification Features**:
  - Unread notification count in top navigation
  - Dropdown preview of recent notifications
  - Full notification page with filtering (status, type, date range)
  - Pagination and sorting
  - Mark as read / Mark all as read
  - Delete individual / Clear all notifications
- **Database-Backed Sessions** - Full session management stored in database
- **Active Session Management** - View, monitor, and control all logged-in devices
- **Geolocation Tracking** - IP-based location detection (country, city, region, ISP)
- **Session Details Display**:
  - Country flags with flag-icons library
  - City and country name
  - ISP/Network provider
  - Device type detection (Desktop/Mobile/Tablet)
  - Browser detection (Chrome/Firefox/Safari/Edge/Opera)
  - Session age and last activity timestamps
  - Remember me indicator (cookie badge)
- **Remote Session Control**:
  - Terminate individual sessions with delete button
  - Logout all other sessions with one click
  - Immediate logout validation (deleted sessions can't access anything)
- **Enhanced Profile Page**:
  - Sidebar navigation layout
  - Four sections: Profile Information, Security, Active Sessions, Danger Zone
  - URL hash navigation (#profile, #security, #sessions, #danger)
  - Clean design matching application theme
- **Remember Token Security**:
  - Remember tokens linked to specific sessions
  - Deleting session also invalidates remember token
  - Prevents auto-login after remote logout
- **Session Validator Middleware** - Validates sessions on every request
- **Auto-Detected Cron Paths** - Settings page shows actual installation paths (thanks @jadeops)
- **Automatic Session Cleanup** - Multiple cleanup triggers (no cron job needed)
- User registration with email verification
- Password reset via email
- Remember me functionality (30-day cookies)
- User profile management
- Change password
- Email verification with token expiry (24h)
- Password reset tokens (1h expiry)
- Registration enable/disable toggle
- User CRUD management (admin-only)
- Role-based access control (admin/user)
- Centralized app version in database
- Web-based installer (replaces CLI migrate.php)
- Web-based updater for new migrations
- Auto-detection of installation status
- Migration tracking system
- Consolidated database schema for v1.1.0 fresh installs
- Smart migration system (consolidated for new, incremental for upgrades)
- **Two-Factor Authentication (2FA) System**:
  - TOTP (Time-based One-Time Password) implementation
  - Email backup codes for 2FA recovery
  - 2FA verification attempts tracking with rate limiting
  - 2FA policy settings (optional/required/disabled)
  - Complete 2FA setup, verification, and management flow
  - Backup codes generation and verification system
- **CAPTCHA Security System**:
  - Support for reCAPTCHA v2, reCAPTCHA v3, and Cloudflare Turnstile
  - Configurable CAPTCHA settings in admin panel
  - Score-based verification for reCAPTCHA v3
  - Integration with login and registration forms
  - CAPTCHA provider selection and configuration
- **Domain Tags System**:
  - Domain tagging for organization and categorization
  - Comma-separated tags field in domains table
  - Tag-based domain filtering and organization
  - Indexed tag searches for performance
- **Advanced Error Logging System**:
  - Database-backed error logging and tracking
  - Error deduplication and occurrence counting
  - Request context capture (method, URI, data)
  - User context (IP, user agent, session data)
  - System context (PHP version, memory usage)
  - Error resolution tracking and management
  - Admin error log interface for debugging
- **Enhanced Logger Service**:
  - Structured logging with context arrays
  - Multiple log levels (debug, info, warning, error, critical)
  - Date-based log file rotation
  - Context-aware logging throughout the application
  - JSON-formatted log entries with timestamps
- **User Avatar System**:
  - Avatar upload and deletion functionality
  - Gravatar integration with fallback to user initials
  - Dynamic web root detection for file uploads
  - Avatar display in profile, navigation, and user listings
  - File validation and security measures
- **WHOIS Parsing Improvements**:
  - Enhanced WHOIS data parsing and processing
  - Better referral server handling and following
  - Improved domain availability detection
  - Status parsing cleanup and consistency
  - WHOIS server display improvements

### Changed
- Profile page completely redesigned with sidebar layout
- Session system migrated from file-based to database-backed
- Top navigation dropdown links updated with hash navigation
- Settings → System tab now shows auto-detected cron paths
- Help & Support menu links to GitHub repository
- Auth views refactored with base layout
- System section (Settings/Users) restricted to admins
- TLD Registry read-only for regular users
- Sidebar shows role-based links
- Profile integrated with dashboard layout
- Installation now via web UI instead of CLI
- Auto-redirect to installer on first run
- Domain management enhanced with tagging system
- Error handling improved with comprehensive logging
- WHOIS parsing enhanced with better data extraction
- User interface updated with avatar display throughout

### Security
- **Database Session Storage** - True session control with remote termination
- **Session Validation** - Every request validates session exists in database
- **Geolocation Logging** - Track suspicious login locations
- **Remember Token Linking** - Tokens tied to sessions, deleted together
- **Immediate Logout** - Deleted sessions invalidated within seconds
- Bcrypt password hashing
- Secure 32-byte tokens
- Time-limited tokens
- One-time use reset tokens
- HttpOnly secure cookies
- Email enumeration protection
- Session-based verification resend
- Admin-only route protection
- **Two-Factor Authentication** - TOTP and email backup codes for enhanced security
- **CAPTCHA Protection** - Anti-bot protection for login and registration
- **Advanced Error Logging** - Comprehensive error tracking and debugging
- **File Upload Security** - Avatar upload validation and secure file handling

### Technical
- **MVC Architecture Refactoring** - Complete separation of concerns
  - `LayoutHelper` - Global layout data (notifications, stats, settings)
  - `DomainHelper` - Domain formatting and business logic
  - `SessionHelper` - Session display formatting
  - `NotificationService` - Notification creation and management
  - All business logic removed from views (~265 lines cleaned)
- Database session handler implementing SessionHandlerInterface
- IP geolocation via ip-api.com (free, 45 req/min)
- Session validator middleware for real-time validation
- Automatic session cleanup (no cron needed for sessions)
- Flag-icons library integration for country flags
- User-agent parsing for device and browser detection
- Remember token cascade deletion on session termination
- Notification system with 7 notification types
- Welcome notifications on user creation and fresh install
- Upgrade notifications for admins with version tracking
- **TwoFactorService** - Complete 2FA implementation with TOTP and backup codes
- **CaptchaService** - Multi-provider CAPTCHA verification system
- **ErrorHandler** - Centralized error handling with database logging
- **Logger** - Enhanced logging service with structured context
- **AvatarHelper** - User avatar management with Gravatar integration
- **Tag Model** - Domain tagging system with user isolation
- **ErrorLog Model** - Error tracking and deduplication system

### Contributors
- Special thanks to @jadeops for auto-detected cron path improvement & XSS protection enhancement (PR #1)

## [1.0.0] - 2024-10-08

### Added
- Initial release of Domain Monitor
- Modern PHP 8.1+ MVC architecture
- Domain management system with CRUD operations
- Automatic WHOIS lookup for domain information
- Multi-channel notification system:
  - Email notifications via PHPMailer
  - Telegram bot integration
  - Discord webhook support
  - Slack webhook support
- Notification groups feature
- Assign domains to notification groups
- Dashboard with real-time statistics
- Domain status tracking (active, expiring_soon, expired, error)
- Notification logging system
- Customizable notification intervals
- Cron job for automated domain checks
- Test notification script
- Responsive, modern UI design
- Database migration system
- Comprehensive documentation
- Installation guide
- Basic login/logout authentication
- Security features (prepared statements, session management)
- **TLD Registry System with IANA integration**
  - Import and manage TLD data (RDAP servers, WHOIS servers, registry URLs)
  - Progressive import workflow with real-time progress tracking
  - Support for 1,400+ TLDs with automatic updates
  - Import logs and history tracking
- Advanced domain verification using TLD registry data
- RDAP protocol support for modern domain queries
- Automatic WHOIS server discovery per TLD
- Monitoring status change notifications (activated/deactivated alerts)
- Notification group assignment change alerts
- Enhanced domain detail view with channel status indicators
- Comprehensive notification threshold configuration
- Debug logging for notification thresholds

### Changed
- Unified design system across all views
  - Consistent header styles (bordered instead of gradients)
  - Standardized button sizes and padding
  - Consistent form input styling
  - Unified empty state designs
  - Removed emojis from UI elements
- Improved navigation flow (edit page returns to detail view)
- Enhanced cron job logging with threshold display
- Streamlined installation process
  - Encryption key auto-generation during migration
  - No separate script needed for encryption key setup

### Fixed
- Notification channel type display error in domain view
- Navigation redirect after domain update
- Cancel button redirect in domain edit page
- Design inconsistencies in notification group views

### Security
- Random secure password generation on installation
- One-time password display during migration
- Removed hardcoded default credentials
- 16-character cryptographically secure admin passwords

### Features
- ✅ Add, edit, delete, and view domains
- ✅ Automatic expiration date detection via WHOIS
- ✅ Support for multiple notification channels per group
- ✅ Flexible notification scheduling (60, 30, 21, 14, 7, 5, 3, 2, 1 days before)
- ✅ Email notifications with HTML templates
- ✅ Rich Discord embeds with color coding
- ✅ Telegram messages with formatting
- ✅ Slack blocks for structured messages
- ✅ Notification deduplication (prevent spam)
- ✅ Manual domain refresh
- ✅ Active/inactive domain toggle
- ✅ Comprehensive logging
- ✅ Statistics dashboard
- ✅ Recent notifications view
- ✅ Domain details with WHOIS data
- ✅ Nameserver display
- ✅ Notification history per domain

### Technical
- PHP 8.1+ with modern features (match expressions, typed properties)
- MySQL/MariaDB database
- PSR-4 autoloading
- Environment-based configuration
- MVC pattern implementation
- Service layer architecture
- Repository pattern for data access
- Interface-based notification channels
- JSON configuration storage
- Prepared statements for SQL injection prevention
- CSRF token support ready
- Responsive CSS with CSS variables
- No JavaScript framework dependencies (vanilla JS where needed)

### Documentation
- README.md with comprehensive guide
- Inline code documentation
- Configuration examples
- Troubleshooting guide

---

## Roadmap - Future Enhancements

- [x] User authentication system (completed - v1.1.0)
- [x] Session management with geolocation (completed - v1.1.0)
- [x] TLD Registry System (completed - v1.0.0)
- [x] Remote session termination (completed - v1.1.0)
- [x] In-app user notifications (completed - v1.1.0)
- [ ] Multi-user support with advanced permissions and roles
- [ ] API for external integrations
- [x] Domain grouping/tagging (completed - v1.1.0)
- [ ] Custom notification templates
- [ ] SMS notifications (Twilio)
- [x] Google Chat notifications (completed - v1.1.2)
- [ ] WhatsApp notifications
- [x] Export functionality (CSV, JSON) (completed - v1.1.3, TLD Registry - v1.1.4)
- [x] Import domains from CSV/JSON (completed - v1.1.3, TLD Registry - v1.1.4)
- [ ] Domain transfer tracking
- [x] DNS record monitoring (completed - v1.1.5)
- [x] SSL certificate monitoring (completed - v1.1.5)
- [ ] Downtime monitoring
- [x] 2FA for login (completed - v1.1.0)
- [ ] Mobile app
- [ ] Docker support
- [ ] Redis caching
- [ ] Rate limiting
- [ ] Webhook support for third-party integrations
- [ ] Dark mode UI toggle
- [ ] Multi-language support
- [x] Advanced filtering and search (completed - v1.1.0)
- [x] Bulk operations (completed - v1.1.0)
- [ ] Scheduled reports
- [ ] Integration with domain registrars

---

## Version History

### 1.1.5 (2026-03-08)
- **Twig Templating** - All PHP views migrated to Twig; Twig-only rendering with safe error fallback
- **DNS Monitoring** - DnsService, DnsRecord model, crt.sh discovery, Cloudflare detection, per-domain toggle, `cron/check_dns.php`
- **SSL Certificate Monitoring** - SslService, SslCertificate model, add/refresh/delete endpoints, `cron/check_ssl.php`
- **Domain View Tabs** - Overview, DNS, Billing, Notifications, SSL, WHOIS; `domain_view_template` setting (detailed/legacy)
- **Cron Staleness Warnings** - Settings shows overdue warnings for domain/DNS/SSL cron runs
- **Timezone on Installer** - App timezone applied on `/install` and `/install/update` when installed
- **2FA/Settings** - Twig templates for 2FA, timezone lists, notification presets, cron path in Settings
- Migrations: `027_add_dns_monitoring.sql`, `028_add_ssl_monitoring.sql`

### 1.1.4 (2026-03-02)
- **TLD Registry Import & Export** - CSV/JSON export/import for TLD entries with WHOIS, RDAP, registry URL data
- **Manual TLD Creation** - Modal form to add custom TLDs with multi-level support (.co.uk, .co.za, .com.au)
- **IANA Dropdown** - Consolidated IANA operations (Import TLDs, Check Updates, Import Logs) into a single dropdown
- **Standardized Import/Export Logging** - Consistent `Logger` usage across Tags, Domains, Notification Groups, and TLD Registry
- **TLD Registry Action Bar Redesigned** - Cleaner layout: IANA (indigo), Export (emerald), Import, Create TLD
- Migration: `026_update_app_version_v1.1.4.sql`

### 1.1.3 (2026-02-11)
- **CSV/JSON Import & Export** - Domains, Tags, and Notification Groups with drag-and-drop file upload
- **Sensitive Data Masking** - API tokens and webhook URLs masked in group exports; masked channels imported as disabled
- **In-App Update System** - Check, apply, and rollback updates from Settings (GitHub Releases + hotfix tracking)
- **Update Channels** - Stable (releases only) or Latest (releases + hotfixes) with configurable badge
- **File & Database Backup** - Automatic backup before every update, one-click rollback
- **Update Notifications** - In-app alerts for admins when new releases or hotfixes are detected
- **Tag Transfer** - Admin-only individual and bulk transfer of tags between users
- **Domain Bulk Transfer** - Admin-only bulk transfer of domains to another user
- **Bulk Action Bars Redesigned** - Consistent inline toolbar styling across all list pages
- **Installer Hardened** - Admin auth required post-install; re-installation blocked
- **ErrorHandler Improvements** - Recursion guard, graceful fallback logging, `\Throwable` catch
- Migration: `025_add_update_system_v1.1.3.sql`

### 1.1.2 (2026-02-09)
- **Google Chat Webhook Support** - Selectable payload formats (Generic, Google Chat, Simple Text)
- **Domain Status Change Notifications** - Configurable alerts for available, registered, expired, redemption_period, pending_delete
- **Failed Login Notifications** - In-app alerts with geolocation, device info, and failure reason
- **Domain Expiration Bell Notifications** - In-app alerts respecting user isolation mode
- **Admin User Profile Page** - `/users/{id}` with Overview, Domains, Tags, Notification Groups tabs
- **Dashboard Insights** - Registrar distribution, tag usage, notification coverage widgets
- **Quick Actions Dropdown** - Top-nav shortcut for Add Domain, Create Group, Create Tag, WHOIS Lookup
- **WHOIS Rate Limit Handling** - Exponential backoff with TLD-grouped retry logic
- **Admin TLD Registry Editing** - Edit WHOIS/RDAP servers from UI
- **Redemption Period & Pending Delete** - New domain lifecycle statuses from EPP codes
- **Sidebar Branding** - Logo, title, and subtitle in sidebar navigation
- **Mobile UI Overhaul** - Sidebar overlay, swipe-to-close, responsive layout improvements
- **CSRF Protection** - POST method enforced on all destructive actions
- **Error Log Deduplication** - Improved matching on type + file + line + message
- **WHOIS Date Parsing** - DD/MM/YYYY format support for European registries
- **404 Error Logging** - Router logs with full request context
- Migration: `024_add_status_notifications_v1.1.2.sql`

### 1.1.0 (2025-10-09)
- **User Notifications System** - In-app notification center with 7 notification types, filtering, pagination
- **Advanced Session Management** - Database-backed sessions with geolocation (country, city, ISP)
- **Remote Session Control** - Terminate any device instantly with immediate logout validation
- **Enhanced Profile Page** - Sidebar navigation with 4 tabs, hash-based routing (#profile, #security, #sessions)
- **Two-Factor Authentication** - Complete TOTP implementation with email backup codes and rate limiting
- **CAPTCHA Security System** - Support for reCAPTCHA v2/v3 and Cloudflare Turnstile with admin configuration
- **Domain Tags System** - Organize domains with custom tags for better categorization and filtering
- **Advanced Error Logging** - Database-backed error tracking with deduplication, context capture, and admin interface
- **User Avatar System** - Avatar upload with Gravatar integration and fallback to user initials
- **Enhanced Logger Service** - Structured logging with context arrays and multiple log levels
- **WHOIS Parsing Improvements** - Enhanced domain data parsing, referral handling, and availability detection
- **MVC Architecture Refactoring** - 3 new Helpers (Layout, Domain, Session), ~265 lines cleaned from views
- **Geolocation Tracking** - IP-based location detection using ip-api.com, country flags with flag-icons
- **Device Detection** - Browser & device type parsing (Chrome/Firefox/Safari, Desktop/Mobile/Tablet)
- **Auto-Detected Cron Paths** - Settings show actual installation paths (thanks @jadeops)
- **Welcome Notifications** - Sent to new users on registration or fresh install
- **Upgrade Notifications** - Admins notified on system updates with version & migration count
- **Web-Based Installer** - Replaces CLI, auto-generates encryption key, one-time password display
- **Web-Based Updater** - `/install/update` for running new migrations with smart detection
- **User Registration** - Full signup flow with email verification, password reset, resend verification
- **User Management** - CRUD for users with filtering, sorting, pagination (admin-only)
- **Remember Me** - 30-day secure tokens linked to sessions, cascade deletion on logout
- **Session Validator** - Middleware validates sessions on every request for instant remote logout
- **Consistent UI/UX** - Unified filtering, sorting, pagination across Domains, Users, Notifications, TLD Registry
- **Smart Migrations** - Consolidated schema for fresh installs, incremental for upgrades
- **XSS Protection** - htmlspecialchars() applied across all user-facing data (thanks @jadeops)

### 1.0.0 (2024-10-08)
- Initial public release
- Created by [Hosteroid](https://www.hosteroid.uk) - Premium Hosting Solutions

---

## 🙏 Special Thanks

### Contributors
- **@jadeops** - Auto-detected cron path improvement & XSS protection enhancement (PR #1)