eros.sh

Changelog

UI and feature updates to eros.sh. New features are added here when released.

1.16.0
  • Self-hosted GitHub README stats API: GET /api/profile/stats (github-readme-stats equivalent -- total stars, commits, PRs, issues, contributed).
  • Self-hosted streak card: GET /api/profile/streak (github-readme-streak-stats equivalent -- total contributions, current streak, longest streak; DenverCoder1-style SVG with ring, fire, animations).
  • Self-hosted profile view counter: GET /api/profile/views -- badge SVG with label, color, base count, abbreviated; count stored in DB.
  • Self-hosted Top Languages: GET /api/profile/top-langs -- theme, locale, layout (normal/compact/donut/pie), langs_count, order (size/repos), exclude_repo, hide.
  • Self-hosted Pinned Repo: GET /api/profile/pin -- repo (required), theme, hide_border, show_owner, disable_animations.
  • Self-hosted Gist card: GET /api/profile/gist -- gist_id (required), theme, hide_border, border_radius.
  • Profile-stats-service: Stats card, Streak card (locale, date_format, exclude_days, mode daily/weekly, card_width/height), Top Languages (order, exclude_repo, hide, custom_title), Pin, Gist, Views badge, WakaTime; 12h cache.
  • GitHub utils: fetchUserReposForLanguages, fetchRepository, fetchGist added for profile stats cards.
1.15.0
  • Brute-force cooldown: Increasing wait time after failed admin login attempts.
  • JWT token family: Refresh token reuse detection; family revoked on token reuse.
  • Request ID tracing: X-Request-Id header on all API responses.
  • AI bot traffic detection: ChatGPT, Claude, GPTBot etc. flagged in visitor data.
  • Print-friendly view: Enhanced print styles for clean output.
  • Changelog RSS: /changelog.xml feed for release notes.
  • Google Search Console API: Admin Analytics GSC endpoint (placeholder for index status).
  • Availability status: Open/Busy badge in header (configurable via localStorage).
  • Response time indicator: X-Response-Time header on API responses.
  • Confetti on milestone: Celebration on 1000th visitor.
  • Secret level badge: Badge for discovering hidden content.
  • Easter eggs added (no hints documented).
  • 404 page mini-game.
  • Morse code console message.
  • Base64 console message.
  • URL parameter easter egg.
  • Window resize easter egg.
  • Hacker News referrer message.
  • localStorage easter egg.
  • Console unlock hint.
  • Meta tag easter egg.
  • ASCII art in console.
  • Robots.txt dynamic secret comment.
  • HTML comment in source.
  • JSON secret endpoint.
  • No-JavaScript message.
  • Ad blocker detection message.
  • DevTools detection.
  • View source easter egg.
  • Hidden network request.
  • Cookie name easter egg.
  • SessionStorage easter egg.
  • IndexedDB easter egg.
  • Performance mark easter egg.
  • Console group easter egg.
  • Cheat code easter eggs.
  • Cookie value unlock.
  • Battery level message.
  • Console command unlock.
  • Data attribute decode.
  • Online/offline welcome message.
  • Slow connection message.
  • Cipher decoder (ROT13, Base64).
  • 3D scene easter egg.
  • Physics engine easter egg.
1.14.0
  • Session anomaly detection: Refresh blocked when IP/User-Agent changes; admin notification created.
  • Audit log: Admin actions (password change, codes update, hire delete, revoke sessions) logged to database.
  • Login attempt logging: Success and failure attempts stored in login_attempts table.
  • Dashboard overview: New default tab with summary cards (visitors, messages, blogs, real-time count).
  • Activity feed: Recent admin actions from audit log on dashboard.
  • Notification center: Bell icon with session anomaly and system notifications; mark as read.
  • Draft preview: Blog editor shows live Markdown preview with Edit/Preview toggle.
  • Real-time visitor count: Visitors in last 15 minutes on dashboard.
  • Referrer tracking: Page events with referrer, device, path via visitor-page-event API.
  • Device breakdown: Mobile/desktop/tablet distribution in Analytics (from page events).
  • Country stats: Country-based statistics in Analytics.
  • Top exit pages: Most common exit pages in Analytics.
  • Bounce rate: Single-page visit rate in Analytics.
  • Visitor heatmap: Page-level interaction data via visitor_page_events.
  • Confirmation dialogs: Delete hire message and Revoke sessions require confirmation.
  • Cache versioning: Service Worker cache updated to v2 for clean invalidation.
1.13.0
  • Secure cookie rotation: New refresh token issued on each refresh; old token deleted, new cookie set.
  • Session timeout warning: Modal ~2 min before expiry; "Extend session" calls adminRefresh.
  • Password strength meter: Live strength indicator in password form (bar + Weak/Fair/Good/Strong).
  • Open Graph: og:image:alt, canonical URL normalization; improved Facebook and social media sharing.
  • Twitter Cards: twitter:image:alt added; share preview improved.
  • Structured data (JSON-LD): Person, Article/BlogPosting, WebSite schemas; canonical URL consistent.
  • Canonical URLs: Trailing slash redirect -- /path/ -> /path (client + server); canonical href always without slash.
  • Word count: Word counter for title and content in admin blog editor.
  • Focus trap: Tab/Shift+Tab keeps focus inside admin login modal.
1.12.0
  • CSRF token: Forms (Hire Me, Admin login) require X-CSRF-Token; GET /api/csrf-token.
  • Request signing: Admin change-password uses X-Request-Nonce + X-Request-Timestamp for replay protection.
  • Device/session list: Admin Sessions tab shows active refresh tokens with user-agent and IP.
  • Force logout all: Revoke all other sessions from Admin Sessions tab.
  • Password policy: Min 8 chars, uppercase, lowercase, number, special character.
  • Honeypot: Hire Me and Admin login forms have hidden fields to block bots.
  • Connection pooling: DB_PERSISTENT env for persistent PDO connections.
  • Prefetch: Footer and nav Links preload route chunks on hover.
  • Resource hints: Added dns-prefetch for challenges.cloudflare.com, cdn.tailwindcss.com.
  • Analytics dashboard: Admin Analytics tab -- visitors, blog views, top blogs chart.
1.11.0
  • Auth: Refresh token rotation -- access token 15 min, refresh token 7 days in HttpOnly cookie.
  • Auth: JWT blacklist (file-based) -- logout blacklists token, no Redis needed.
  • Auth: MFA/2FA TOTP -- admin can enable Google Authenticator from Password tab.
  • Auth: Session fingerprinting -- token bound to IP + User-Agent hash.
  • Auth: Admin login requires Turnstile (brute-force protection).
  • Auth: Secure cookie prefix __Secure- for refresh token over HTTPS.
  • Security: Path traversal prevention on repo contents path parameter.
  • Security: Clickjacking -- CSP frame-ancestors none, X-Frame-Options DENY.
  • Security: Referrer-Policy, Permissions-Policy headers.
  • Security: MySQL TLS -- set MYSQL_SSL_CA env for encrypted connections.
  • Security: Output encoding (h), DOMPurify for user HTML.
  • Security: Prepared statements verified; no unsafe unserialize.
1.10.0
  • Build security: JavaScript obfuscation (javascript-obfuscator) applied to chunks >15KB -- string array encoding, control flow flattening, self-defending.
  • Build security: Source maps disabled in production (no .map files).
  • Build security: Dead code elimination via terser (unused, dead_code) and tree-shaking.
  • Build security: SRI (Subresource Integrity) hashes added to built scripts and assets in index.html.
  • Build security: API keys and proxy credentials removed from client bundle; only VITE_* env vars exposed.
  • Build security: Env validation warns if secrets exist; proxy config loaded from env (PROXY_HOST, etc.) for dev server only.
1.9.0
  • Blog generate / regenerate: Admin AI model selection now tracks which API each model comes from (Anthropic, OpenAI, OpenAI-Compatible). Generate and Regenerate use the correct API base and endpoints for the selected model.
  • New OpenAI-compatible client for blog generation when an OpenAI or OpenAI-Compatible model is selected; Anthropic models still use the existing Anthropic /messages API.
  • Admin AI Models tab: models and saved settings load independently (Promise.allSettled). If settings fail, models still show; clearer error messages for each case.
  • Admin Sync tab: manually trigger GitHub profile, repositories, and blog generation sync from admin panel. Shows last sync time, status, and item count for each task. "Sync All" button runs all three at once.
  • Admin panel responsive: tabs now show icons only on mobile with horizontal scroll; full labels on desktop. Less cramped layout with proper spacing.
  • Visitor data pagination: reduced from 20 to 10 items per page for better readability.
1.8.0
  • Hire Me form: phone field replaced with optional contact method -- choose None, Telegram, WhatsApp, Signal, or Phone and enter handle/number.
  • Contact data is stored as contact_type + contact_value in the database; Telegram notifications and Admin Hire Messages list show the selected method and value.
1.7.0
  • Security: API errors return generic "Internal server error"; details only in server log.
  • Security: getBlogs limit 1-100, offset >= 0; visitor-report max body 128 KB (413 if exceeded).
  • Security: Admin login rate limit -- 5 failed attempts per IP per minute (429).
  • Security: instant-index optional auth -- if INSTANT_INDEX_API_KEY (env) is set, Bearer or X-API-Key required.
1.6.0
  • Visitor reports: GeoIP data (location/service by IP) is now fetched and stored in report payload.
  • Admin Blogs tab: list blogs, edit, and "Regenerate with AI" with live streaming output.
  • Admin settings: panel and operation codes are stored encrypted in the database and editable from the Codes tab.
  • Proxy API integration: Anthropic and OpenAI-Compatible (o7.team) model lists are fetched; Admin "AI Models" tab shows all in one grouped list for blog generation model selection.
1.5.0
  • Security improvements: XSS protection for README content, open redirect prevention, input validation for URLs and parameters.
  • Enhanced security: All user inputs are now validated and sanitized to prevent injection attacks.
1.4.0
  • 404 page: simplified layout (Go Home, Go Back, Browse Blog).
  • Changelog page: site UI changelog at /changelog.
  • Easter eggs: Konami code and console Easter egg added.
1.3.0
  • Footer: Privacy Policy and Terms of Use on the left; improved mobile layout.
  • Status page: RSS check now uses same-origin /rss.xml to avoid CORS.
  • Skeleton loaders for all new pages (403, 429, 503, Maintenance, Search, Privacy, Terms, Sitemap, Status, Redirect, Broken link, Unsupported browser).
1.2.0
  • New pages: 403 Forbidden, 429 Too Many Requests, 503 Service Unavailable, Maintenance, Search (invalid/empty), Privacy Policy, Terms of Use, Sitemap, Status, Redirect (page moved), Broken link, No-JS (noscript in index.html), Unsupported browser.
  • All new pages in English with SEO and consistent layout.
1.1.0
  • Theme toggle: dark/light with persistence and light mode contrast fixes.
  • RSS full content; Copy button on code blocks (blog + README); Copy link button icon-only.
  • Blog: view count, font size selector, reading mode, print preview.
  • Shortcut help modal (?), repo "Last updated", Prism syntax highlighting and line numbers.
  • Offline page improvements; Error 404/500 and Offline pages in English.
1.0.0
  • Initial release: Showcase, Repositories, Blog list and detail, Layout with header and footer.
  • API integration for profile, repos, and blog; theme script in index.html.