Version History

feat(plugins): add custom plugin system with verification and execution (#104) @VectoDE

Version 2.3.3 (#110) @VectoDE

feat(control-panel): improve bot presence detection and plugin manage… (#105) @VectoDE

Version 2.3.3 (#110) @VectoDE

feat(control-panel): improve bot presence detection and plugin manage… (#105) @VectoDE

fix(latency): handle infinite latency values in monitor snapshot (#103) @VectoDE

v2.3.2...$CURRENT_TAG

chore: rename BUILD_STRIPE_KEY env variable reference to STRIPE_SECRE… (#100) @VectoDE

remerge (#90) @VectoDE

Development (#83) @VectoDE

chore(deps): Bump qs from 6.14.0 to 6.14.1 in /frontend (#82) @[dependabot[bot]](https://github.com/apps/dependabot)

chore(deps): Bump @radix-ui/react-label from 2.1.1 to 2.1.8 in /frontend (#81) @[dependabot[bot]](https://github.com/apps/dependabot)

chore(deps): Bump react-resizable-panels from 2.1.9 to 4.2.1 in /frontend (#80) @[dependabot[bot]](https://github.com/apps/dependabot)

chore(deps): Bump @radix-ui/react-tooltip from 1.1.6 to 1.2.8 in /frontend (#79) @[dependabot[bot]](https://github.com/apps/dependabot)

chore(deps): Bump sonner from 1.7.4 to 2.0.7 in /frontend (#78) @[dependabot[bot]](https://github.com/apps/dependabot)

chore(deps): Bump the nextjs-runtime group in /frontend with 10 updates (#77) @[dependabot[bot]](https://github.com/apps/dependabot)

chore(deps): Bump qs from 6.14.0 to 6.14.1 in /frontend (#76) @[dependabot[bot]](https://github.com/apps/dependabot)

chore(deps): Bump the nextjs-runtime group across 1 directory with 10 updates (#75) @[dependabot[bot]](https://github.com/apps/dependabot)

[Snyk] Upgrade @radix-ui/react-accordion from 1.2.2 to 1.2.12 (#71) @VectoDE

chore(deps): Bump @radix-ui/react-tooltip from 1.1.6 to 1.2.8 in /frontend (#69) @[dependabot[bot]](https://github.com/apps/dependabot)

chore(deps): Bump @radix-ui/react-dialog from 1.1.4 to 1.1.15 in /frontend (#68) @[dependabot[bot]](https://github.com/apps/dependabot)

chore(deps): Bump @radix-ui/react-collapsible from 1.1.2 to 1.1.12 in /frontend (#67) @[dependabot[bot]](https://github.com/apps/dependabot)

[Snyk] Upgrade @react-three/drei from 10.7.6 to 10.7.7 (#74) @VectoDE

[Snyk] Upgrade @radix-ui/react-separator from 1.1.1 to 1.1.8 (#73) @VectoDE

[Snyk] Upgrade @radix-ui/react-switch from 1.1.2 to 1.2.6 (#72) @VectoDE

[Snyk] Upgrade @radix-ui/react-toast from 1.2.4 to 1.2.15 (#70) @VectoDE

chore(deps-dev): Bump @tailwindcss/postcss from 4.1.17 to 4.1.18 in /frontend (#66) @[dependabot[bot]](https://github.com/apps/dependabot)

Enable Vercel Web Analytics setup guide (#63) @[vercel[bot]](https://github.com/apps/vercel)

chore(deps): Bump actions/upload-artifact from 4 to 6 (#58) @[dependabot[bot]](https://github.com/apps/dependabot)

Add Vercel Speed Insights to your project (#62) @[vercel[bot]](https://github.com/apps/vercel)

Potential fix for code scanning alert no. 3: Client-side cross-site scripting (#61) @VectoDE

chore(deps): Bump next from 16.0.0 to 16.1.0 in /frontend (#59) @[dependabot[bot]](https://github.com/apps/dependabot)

ci: add traefik-public network to docker compose services (#99) @VectoDE

ci: connect services to traefik-public network (#97) @VectoDE

Version 2.3.2 (#96) @VectoDE

Version 2.3.2 (#64) @VectoDE

ci(deploy): exclude bot/data from rsync and fix permissions (#102) @VectoDE

ci: configure traefik routing and remove exposed ports (#101) @VectoDE

ci: connect services to traefik-public network (#97) @VectoDE

Version 2.3.2 (#96) @VectoDE

Version 2.3.2 (#64) @VectoDE

Potential fix for code scanning alert no. 3: Client-side cross-site scripting (#60) @VectoDE

chore: remove services from traefik-public network (#98) @VectoDE

Version 2.3.2 (#96) @VectoDE

Version 2.3.2 (#64) @VectoDE

v2.3.1...$CURRENT_TAG

Enhance Lavalink stability and node management (#50) @VectoDE

Remove Redis `depends_on` from bot service (#49) @VectoDE

Add Redis dependency to bot service (#48) @VectoDE

feat: Standardize and enhance bot command information display (#56) @VectoDE

Add Redis SSL/TLS support via CA path (#51) @VectoDE

feat: Standardize and enhance bot command information display (#56) @VectoDE

Add Redis SSL/TLS support via CA path (#51) @VectoDE

v2.3.0...$CURRENT_TAG

Normalised line endings across CI/workflow metadata (`.github/ISSUE_TEMPLATE/custom.md`, `.github/workflows/codeql.yml`), preventing spurious diffs on Windows checkouts.

Bot codebase (commands, lifecycle events, services) converted to CRLF line endings without altering logic or behaviour.

Frontend API routes, pages, shared components, and library helpers updated to CRLF line endings while keeping implementation identical.

Documentation and repository collateral (`README.md`, `docs/command_reference.md`, docker/compose configs) aligned to CRLF line endings for consistent formatting.

Frontend package metadata (`frontend/package.json`, `frontend/package-lock.json`) and Stripe app info (`frontend/lib/stripe.ts`, `frontend/app/api/stripe/webhook/route.ts`) now report version `2.3.0`.

v2.2.1...$CURRENT_TAG

Dynamic profile SEO with per-creator metadata, keywords, and Person JSON-LD; profile pages emit structured stats.

Forum structured data (collection, breadcrumb, discussion postings) and enriched keywords for category/thread pages.

New stats summary card for live voice connections and “Top Referrer Paths” (later removed) plus referrer host ingestion.

Blog landing copy fully translated to English; removed “SEO” wording from UI text.

Forum metadata/title/keywords rewritten for stronger search targeting; forum pages switched to English strings and telemetry feed widened.

`/stats` cards now share the same gradient/hover styling as top metrics.

Control Panel lists (servers installed/needed, subscriptions) and container scroll areas hide native scrollbars while retaining scroll.

Home metrics fetch retries multiple local origins to avoid ECONNREFUSED during startup.

Changelog summary grid fits five cards on one row.

Home page live metrics omit “Commands Executed”/“Streams Processed” while keeping them in the API.

Recent Forum Events now load reliably by fetching more history; location tracking prefers country codes to avoid “unknown.”

Playlist ordering for playlist links on `/play` preserves source order and surfaces playlist info in embeds.

Blog/profile metadata rendering errors resolved (duplicate exports, missing helper module).

Control Panel scrollbars removed/hidden in Overview and Settings while keeping scroll functionality.

Sitemap generation now pulls live blog posts and public profile slugs so new articles and creators appear in search indices automatically.

Public profile listing helper (`listPublicProfileSlugs`) respects `profilePublic` and `searchVisibility` flags when exposing profile URLs.

Robots.txt now explicitly allows the site root and `favicon.ico`, keeps sensitive paths disallowed, and provides dedicated Googlebot rules while pointing to the canonical host/sitemap.

Static sitemap routes extended to cover all visible marketing/support pages and favicon with consistent priorities and weekly crawl hints.

README hero now includes a website badge plus status badges for Quality Gate, Build Container, Release Drafter, Deploy VectoBeat, Dependency Audit, CodeQL Advanced, and Dependabot Updates.

Build workflow exports `DATABASE_URL`/`BUILD_STRIPE_KEY` to Docker build args and enforces a pre-build check so Prisma steps succeed consistently in CI.

Badge labels and links refreshed to match the current workflow names and coverage.

Safety CSS for the changelog page to suppress all animations/transforms that could hide content.

Changelog fetch now prioritizes live GitHub releases with a local fallback; page set to force dynamic rendering for fresh data.

Production auth bypass enforced across bot/control-panel APIs to prevent 401s on operational endpoints.

Status/event push URLs redirected from `/status/*` to `/api/bot/metrics` and `/api/bot/events`; status URL derived from `BOT_API_BASE_URL` with no localhost fallback.

Frontend package version bumped to `2.0.1`; Stripe/Discord User-Agent identifiers updated accordingly.

Resolved disappearing changelog entries after load by disabling fade/scroll animations and forcing opacity to stay at 1.

Eliminated bot status 502/ECONNREFUSED and `/status/push` 404s in production by correcting endpoints and removing local fallbacks.

Prevented production APIs from returning 401 when keys are absent by honoring the auth bypass across routes.

Global `authBypassEnabled()` helper to short-circuit all frontend API auth in production (and via existing env toggles), ensuring dashboards and bot control remain reachable.

Frontend/bot status client now derives the status URL from `BOT_API_BASE_URL` with no localhost fallback; preferred endpoint caching remains but only against live targets.

Status push/event URLs in production now point to the frontend APIs (`/api/bot/metrics` and `/api/bot/events`) instead of the bot’s `/status/*` paths.

Status API defaults allow unauthenticated access; ENV defaults (`STATUS_API_ALLOW_UNAUTHENTICATED=true`) applied across prod/dev/example.

Manual auth gates across bot-defaults broadcast and external queue endpoints honor the production bypass to keep requests flowing.

Resolved `[VectoBeat] Bot status API error` 502/ECONNREFUSED by removing localhost status fallbacks and always calling the live bot endpoint.

Fixed `/status/push` 404s by directing bot pushes/events to the frontend API, restoring metrics/event ingestion.

Prevented frontend APIs from returning 401s in production by bypassing session/API-key checks and tolerating missing tokens.

Env templates updated to align push/event endpoints and auth defaults across production, development, and example configs.

**Auth & Security**

`verifyRequestForUser` returns the authenticated profile and is enforced across account settings, dashboard, concierge, control-panel APIs.

API tokens include actor metadata in creation/rotation/leak notifications; emails/logs no longer show `unknown`.

Enterprise hardening items planned: SSO/SAML, SCIM lifecycle, signed audit/event payloads.

**Concierge**

Secret-protected `/api/bot/concierge` (GET usage; POST create/resolve) with subscription gating and request ID propagation.

Concierge model extended to return IDs and store resolution metadata/notes; bot/UI consume IDs.

**Queue Sync & Analytics**

Durable queue-sync store replaces in-memory Map with plan-tier TTL/eviction.

`/api/queue-sync` and `/api/dashboard/analytics` read/write through the durable store to stay fresh after redeploys.

Queue-sync concurrency tests simulate multiple Next.js workers and socket broadcasts.

**Bot Contracts & Load Testing**

Contract tests for `/api/bot/*` (queue sync, automation audit, success pod, scale contact, concierge) to detect payload drift.

Load/failover simulations: multiple queue-sync writers, concurrent concierge requests, rapid API token churn.

**Docs & Ops**

Centralized docs index (deployment, ops, troubleshooting) and updated architecture diagram; added queue health Grafana dashboard.

Ports standardized: frontend 3050, bot status 3051, bot metrics 3052; `.env.example`/compose aligned.

Roadmap and `FURTHER_DEVELOPMENT.md` synced for 2026 (forum telemetry, zero-downtime security patching, enterprise hardening).

TOTP-based 2FA endpoints (`/api/account/security/*`), challenge handler, backup code support, and a guided setup UI with QR/secret display.

SEO utility (`lib/seo`) powering per-page metadata, `robots.ts`/`sitemap.ts`, and richer OpenGraph/Twitter cards across about, pricing, features, roadmap, blog, and profile pages.

New contact client flow with validated form handling, plus refreshed support-desk metadata and changelog/blog sharing widgets.

Stripe customer helper and admin subscription/log endpoints expanded to improve invoice/portal handling and audit coverage.

Documentation additions for queue sync and updated architecture/operations guidance.

Frontend Docker build uses root context, includes Prisma/plan capabilities, builds via npm; compose healthchecks point to new ports.

Bot config/schema defaults updated to status port 3051 and metrics port 3052; control panel base URL defaults to 3050.

README refreshed with translucent banners, consolidated commands table, and updated setup/service port guidance.

`.gitignore` tightened to block stray envs and editor/OS cruft; only root `.env`/.env.example allowed.

Control-panel, concierge, automation, analytics, and bot routes now reuse stricter auth/actor helpers and more consistent error payloads; server settings/status APIs gained robustness.

Marketing surface tightened: navigation/footer/hero content tuned, contact page rebuilt as a client flow, and page-level metadata normalized.

Issue templates converted to structured Markdown prompts for bugs/features/custom requests.

Workflows (build, deploy, security, test) adjusted for the multi-service layout and stronger cache/keying; Docker builds pull the correct contexts.

Session enforcement prevents cross-tenant access on account settings, dashboard overview, subscriptions, concierge endpoints.

Queue-sync analytics remain live after restarts; stale in-memory snapshots eliminated.

CI now checks docs links and env drift to prevent broken references or missing vars.

Account export, billing (invoice/portal), and bot metric/event handlers now return consistent responses and validation failures instead of silent fallbacks.

Resolved React 19 peer conflict by upgrading `vaul` to 1.1.2 so `npm ci --include=dev` succeeds in CI and container builds.

Docker-compose healthchecks and bot status fallbacks updated to new ports.

Added Grafana queue health dashboard and scrape hints for updated metrics endpoints.

Roadmap/frontend data updated to include forum telemetry, security patching cadence, enterprise hardening milestones.

Dependency refreshes (vaul 1.1.2 and related lockfile updates), plus minor UI kit tidy-ups.

README/command reference and queue-sync docs updated to reflect the post-alpha architecture and operational paths.

Scripts and workflows realigned to the new repo structure; TODO/CONTRIBUTING/CODEOWNERS refreshed.

**Quality & Documentation**

Test workflow matrix runs linting, bytecode compilation, and `pytest` for Python 3.10/3.11 while auto-seeding a minimal `.env` (`tests/conftest.py`, `9780464↗`, `d889f41↗`).

Documentation guard regenerates the architecture diagram with pinned Mermaid CLI and fails if `assets/images/architecture.png` drifts (`57d137a↗`).

README plus `docs/command_reference.md` gained badges, rich tables, and an auto-generated slash-command overview (`287d047↗`).

**Observability & Automation**

Diagnostics suite with `/status`, `/ping`, `/permissions`, `/lavalink`, `/guildinfo`, and `/botinfo` exposes latency distributions, resource metrics, and Lavalink node stats (`src/commands/info_commands.py`, `efedc0f↗`, `92efaa6↗`).

`/voiceinfo` and refreshed permission audits surface channel rights, latency, and player status live (`src/commands/connection_commands.py`, `e2a49d4↗`).

Auto-scaling service plus `/scaling status|evaluate` compares shard/node demand to targets and signals Nomad/custom orchestrators (`src/services/scaling_service.py`, `src/commands/scaling_commands.py`, `efedc0f↗`).

Queue telemetry webhooks and docs forward play/skip/finish events; opt-in command analytics adds hashed user telemetry with batch flush/local log fallback (`docs/queue_telemetry.md`, `src/services/queue_telemetry_service.py`, `docs/analytics.md`, `src/services/analytics_service.py`).

Chaos engineering commands enable guided resilience drills directly from Discord (`src/commands/chaos_commands.py`, `docs/command_reference.md`).

**Playback & Queueing**

Per-guild playback profiles (`/profile show|set-volume|set-autoplay|set-announcement`) persist JSON-backed defaults and push them live to Lavalink players (`src/commands/profile_commands.py`, `src/services/profile_service.py`, `52cbbd9↗`).

Redis-backed playlists and autoplay history (`/playlist save|load|list|delete`) prevent repeats through history-aware autoplay and artist rotation (`src/services/playlist_service.py`, `src/services/autoplay_service.py`, `queue_commands.py`, `52cbbd9↗`).

Crossfade and gapless playback ship with tunable fade steps and base volume controls in `config.yml` (`crossfade.*`, `52cbbd9↗`).

Rich now-playing embeds add requester metadata, progress bars, and permission audits; Lavalink integration records requester IDs for telemetry (`src/commands/music_controls.py`, `4f95ad2↗`).

DJ permissions (`/dj add-role|remove-role|show|clear`) protect critical queue operations (`src/commands/dj_commands.py`).

Core playback/voice commands from the prototype (`/play`, `/pause`, `/resume`, `/seek`, `/skip`, `/queue`, `/nowplaying`, `/volume`, `/connect`, `/disconnect`, `/voiceinfo`) anchor the UX (`src/commands/music_controls.py`, `src/commands/connection_commands.py`, `36e3c3e↗`).

**Infrastructure & Onboarding**

Production-grade Docker setup (multi-stage `Dockerfile`, `docker-compose.yml`, `docker-compose.local.yml`) plus Lavalink installation guide streamline deployments (`INSTALL_LAVALINK.md`, `3b48611↗`).

GitHub Actions for build, deploy, docs, security, and releases create a complete automation pipeline (`.github/workflows/*.yml`, `3b48611↗`).

Operational scripts (profiling harness, scenario runner, command reference generator, `typecheck.sh`) improve local QA (`scripts/*.py`, `scripts/typecheck.sh`).

Repository onboarding delivers README, Apache 2.0 license, sample `.env`, branding assets, typed config, and health/telemetry services (`README.md`, `assets/images/logo.png`, `src/configs/schema.py`, `src/services/*`, `13c6bf0↗`).

Docs builds skip the npm cache so runners never reuse stale assets (`d1ac8b6↗`).

Source modules were cleaned of dead imports and unused helpers, speeding up type checks and SAST scans (`src/commands/*`, `5f65f20↗`).

Logging and error surfacing were standardised; queue/DJ actions now enter the telemetry stream with actor metadata (`src/commands/music_controls.py`, `src/commands/queue_commands.py`, `9b824c3↗`).

Project governance (CODEOWNERS, Security Policy, Support Guide, PR template) now lives centrally under `.github/` (`55877b8↗`).

`/about` and status embeds reliably send ephemeral responses and gracefully handle missing permissions (`src/commands/info_commands.py`, `14a3274↗`).

Components that disable Discord views no longer fire multiple buttons at once (`src/commands/music_controls.py::disable_all_items`, `d4019dc↗`).

Deploy workflow now loads secrets via the proper environment variables and no longer blocks on the SCP step (`.github/workflows/deploy.yml`, `c2c2d95↗`).

Base container image moved to `python:3.14-slim`, aligning local dev, Docker, and CI (`Dockerfile`, `08ef302↗`).

GitHub Actions upgraded to the latest majors (build-push-action v6, setup-node v6, upload-artifact v5, appleboy ssh/scp 1.x) to clear security advisories (`b80b1e1↗`-`529202a↗`).

Multiple workflow runners now share unified dependency caches, reducing release lead time (`d559121↗`, `5e74330↗`, `f52830e↗`, `1733c56↗`).