- Added [migration] logging for each migration step (applying, completed, timing)
- Added [migration-error] logging with elapsed time on failures
- Added [migration] All migrations completed in Xms total timing
- Added lazy getLogAudit() for audit logging of migration failures (avoids circular dep)
- Changed DB path log to basename only (Hudson rec: reduce info disclosure)
- Version bumped to 0.23.0
- Reset default admin password when INIT_ADMIN_PASS is set on legacy DBs
- Added run() functions to all legacy migration entries (reconcileLegacyMigrations)
- Migrations that aren't present in legacy DB now actually execute
- v0.40 ownership migration assigns to first admin (not first user)
- Removed username from password reset log (info disclosure fix)
- must_change_password enforced after legacy password reset
Added ErrorBoundary component wrapping all routes in App.jsx.
Shows friendly fallback UI with Try Again and Reload buttons
instead of white screen crash. Logs component stack to console.
CRITICAL fix: Users upgrading from pre-migration-tracking databases
(now get 'invalid username/password' because schema_migrations table
doesn't exist. Added handleLegacyDatabase() and
reconcileLegacyMigrations() to detect and reconcile legacy DBs.
Security fixes:
- Path traversal: replaced sanitizePath() with ALLOWED_FILES allowlist
- Public /about bypass: added admin route guard in App.jsx
- Sensitive info exposure: expanded redactSensitiveContent() patterns
- Error message path leaks: generic error messages only
- Race condition: wrapped in db.transaction() in server.js
- Password validation: INIT_REGULAR_PASS min 8 chars with process.exit(1)
All verified by Bishop (build + runtime) and Private_Hudson (security).
- Added schema_migrations table for explicit version tracking (CRITICAL fix)
- Refactored runMigrations() to use versioned migration objects
- Added hasMigrationBeenApplied() and recordMigration() helpers
- Migrations now skip already-applied versions and log progress
- Updated FUTURE.md with migration system issues and criticality ratings
- Updated Engineering_Reference_Manual.md with migration system docs
- Added DEVELOPMENT_LOG.md for agent work tracking
null