v4.0.0-beta.436

[andrasbacsai]

This release brings essential fixes and improvements that build on the foundation laid in v4.0.0-beta.435, focusing on security patches, Livewire modernization, API enhancements, and service template additions.

---

🚀 Major Features

Complete Livewire Legacy Model Binding Migration (#6862)

Modernized 25+ Livewire components from legacy binding to explicit properties, enabling future-proof architecture.

Migration Scope:

• ✅ 25+ components migrated
• ✅ 150+ explicit properties added
• ✅ 0 legacy bindings remaining
• ✅ legacy_model_binding flag disabled

Major Components:

• Application/General.php (53 fields) - Largest migration
• Security/PrivateKey/Show.php (4 fields)
• Storage/Form.php (8 fields)
• Source/Github/Change.php (16 fields)
• Project/Shared/* (ResourceLimits, HealthChecks, Storages)
• Service/* (StackForm, EditDomain, EditCompose, Database)
• All Database General components (8 database types)

Critical Fixes:

• 🐛 Collection/string confusion in EditDomain
• 🐛 Parent component sync after save
• 🐛 Empty FQDN field on load
• 🐛 Lifecycle hooks not firing
• 🐛 Duplicate HTML IDs with auto-generated unique IDs
• 🐛 Fixed Monaco editor @entangle errors

Statistics: 1,715 additions, 532 deletions, 46 files changed

---

Authentication Pages Redesign (#6906)

Aligned all auth pages with new onboarding design for consistent user experience.

Pages Updated:

• login, register, forgot-password, reset-password
• two-factor-challenge, confirm-password

Design Changes:

• Removed white/gray card backgrounds
• Consistent centered layout with large Coolify heading
• Color-coded alerts with icons
• Segmented auto-advancing 2FA input
• Paste-compatible 2FA code entry
• Updated email error messages for security (prevents enumeration)
• Applied border styling to match onboarding

---

Admin User Deletion Command (#6907)

New comprehensive command for deleting users with full resource cleanup.

Features:

• Full resource cleanup (applications, databases, services)
• Team ownership transfers and management
• Server deletion for user-owned teams
• Stripe integration (cloud instances)
• Safety features: dry-run mode, phase confirmations, state tracking
• Instance agnostic (works on self-hosted and cloud)

Replaces:

• admin:remove-user (deleted)
• cloud:delete-user (now deprecated alias)

Bug Fixes:

• Correct resource filtering by team ownership
• Fixed relationship access (using method calls)
• Proper lock management with Ctrl+C handling
• Stripe cancellation after DB commit
• Self-hosted support (skips Stripe operations)

---

✨ Core Features

API Enhancements (#6899)

Added three new API endpoints with comprehensive documentation.

Cancel Deployment API

• POST /api/v1/deployments/{uuid}/cancel
• Cancel queued/in_progress deployments
• Docker container cleanup with docker rm -f
• Process termination by PID
• Detailed cancellation logging

Database Backup Creation API

• POST /api/v1/databases/{uuid}/backups
• Cron expressions and predefined frequencies
• S3 storage integration with validation
• Retention policy configuration (local and S3)
• Optional immediate backup trigger
• Authorization via manageBackups gate

List GitHub Apps API

• GET /api/v1/github-apps
• Team-owned and system-wide apps
• Sensitive data filtering (client_secret, webhook_secret)
• Team isolation enforced

Test Coverage: 30+ tests across 3 comprehensive suites

---

Service Templates

New Templates:

• SigNoz (feat(service): add signoz template #5386) - Observability platform with:

  • Telemetry configuration
  • SMTP and Alert Manager setup
  • OTEL collector with healthcheck
  • Latest tags for all services
  • JWT secret auto-generation

• Cap (feat(service): add cap service #6011) - Open-source Loom alternative

  • S3 storage support (local/remote)
  • Environment variable documentation
  • Co-authored by @ShadowArcanist

Template Updates:

• Ente Photos (feat(templates): add SMTP configuration to ente-photos compose templates #6883) - Added SMTP configuration
• n8n (Update n8n template #6835) - Updated to v1.114.4 with deprecation env vars
• Plausible (Update plausible.yaml and shlink.yaml - clickhouse config contents were swapped; fixing double https:// issue in shlink web app #6475) - Fixed swapped clickhouse configs
• Shlink (Update plausible.yaml and shlink.yaml - clickhouse config contents were swapped; fixing double https:// issue in shlink web app #6475) - Fixed double https:// issue

---

🔒 Critical Security Fixes

Session Management (#6893)

CRITICAL: Fixed password changes not invalidating user sessions.

• Changed isDirty() to wasChanged() in updated() hooks
• Sessions now properly invalidated on password change
• Prevents session hijacking after password reset
• Fixed in 3 locations:
  • DeletesUserSessions trait (password changes)
  • InstanceSettings (helper_version changes)
  • ServerSetting (sentinel service restart)

Test Coverage: 15 tests across 3 suites

---

Privilege Escalation (#6884)

Fixed critical privilege escalation vulnerability in team invitation system.

---

Command Injection Prevention (#6887)

Secured git ls-remote operations against command injection attacks.

---

TrustHosts Middleware (#6889)

Implemented middleware to handle FQDN and IP address trust logic for improved security.

---

🐛 Bug Fixes

Deployment & Build

• Null Environment Variables (fix: handle null environment variable values in bash escaping #6886)

  • Handle null values in bash escaping functions
  • Prevents deployment failures
  • 29 tests passing

• Docker Compose Parsing (fix: docker compose parsing #6891, Fix preg_match error with array labels #6895)

  • Fixed array labels in preg_match
  • Added type checks before processing labels
  • Handles array label values by converting to strings
  • Unit tests added

UI/UX

• Service Textarea Focus (Fix: Domains input dirty state reset on blur #6897)

  • Removed wire:model.blur causing form dirty state reset
  • Fixed jarring UI flicker on domains input
  • Changed to deferred synchronization

• Input Focus Styling (Update input focus styling to border-left #6900)

  • Updated to border-left focus instead of ring-based
  • Consistent styling with input-sticky utility

• Hetzner Cloud Rendering (Fix Hetzner Cloud rendering in onboarding #6902)

  • Fixed onboarding back button navigation
  • Proper state restoration with $currentState

• Ports Exposes Null (Seed Docker Compose Example with ports_exposes #6901)

  • Added default value for Docker Compose Example
  • Fixes NOT NULL constraint violation

---

📝 Documentation & Infrastructure

GHCR Cleanup Workflow (#6903)

Automated cleanup of untagged container images from GitHub Container Registry.

Features:

• Deletes only untagged versions (keeps all tagged images)
• Runs every 6 hours + manual trigger
• Up to 100 versions per run
• Testing phase on coolify-testing-host image

Expected Impact:

• Current: 16,000+ untagged versions
• Reduces storage bloat
• Faster registry operations

---

Service Updates

• Preview Deployment Updates (feat: include service name in preview deployment updates #6876)

  • Added service name in update job for better tracking

• API Enabled in Dev (Enable API by default in development mode #6890)

  • API enabled by default in development mode
  • Production remains secure (disabled by default)

---

📊 Statistics

• 25 merged PRs since v4.0.0-beta.435
• ~3,000+ lines added
• ~700+ lines removed
• 80+ files changed
• 60+ new tests
• 2 new service templates
• 3 major template updates
• 4 critical security fixes

---

🙏 Credits

Thank you to all contributors since v435:

@andrasbacsai, @GauthierPLM, @titouv, @ariqpradipa, @xwxfox, @yipfram, @stylefieber, @ShadowArcanist, @thereis

And thanks to everyone who reported issues and helped test!

---

Generated by Andras & Jean-Claude, hand-in-hand.