PixlKey Changelog

📓 CHANGELOG

All notable changes to PixlKey will be documented in this file.

This project adheres to Semantic Versioning and follows a simplified Keep a Changelog format.


0.5.25-Alpha

Added

  • Added admin-only templates that mirror the public site layout with a red/gold theme.
  • Added admin navigation to dashboard and logs within the new template structure.

Changed

  • Admin pages now reuse the PixlKey site layout with a dedicated admin stylesheet.
  • Admin access enforcement now returns a minimal 403 page for non-admin users.
  • Root index shows the Admin link only for admin users and links to the dashboard.

0.5.24-Alpha

Added

  • Added public PixlKey Site scaffold under /public/site with reusable header/menu/footer templates.
  • Added PixlKey Site button to root index page.

0.5.22-Alpha

Added

  • Admin logs page: added per-log Copy View (clipboard) and manual rotation controls.
  • Admin logs page: show per-log file size in KB.
  • Core tools: added safe log rotation helper under /core/tools/.

0.5.20-Alpha

Changed

  • Admin dashboard: removed Recent Audit Log Entries panel.
  • Admin: added Logs page to view recent entries from php-error.log and pixlkey.log with safe truncation.
  • Admin: added dashboard link/button to Logs page.
  • Admin logs page: corrected log panel layout to vertical stacking.
  • Admin logs page: fixed log panel overflow escaping admin layout.

0.5.19-Alpha

Added

  • Admin dashboard: added system status panel (memory, swap, load averages, PixlKey disk usage).
  • No DB writes; Linux /proc parsing with graceful fallbacks.

0.5.18-Alpha

Added

  • Replaced the admin dashboard processing runs panel with a per-user data table including image totals and disk usage.

0.5.17-Alpha

Changed

  • Registration now requires acceptance of PixlKey user agreement; stored to users.accept_agreement.
  • Registration now blocks duplicate email signups with a user-friendly message.

0.5.16-Alpha

Added

  • Added an admin dashboard with system stats, charts, and recent activity lists.
  • Added a shared admin guard include for enforcing admin-only access across admin pages.

0.5.14-Alpha

Added

  • Added a protected admin landing page with a red-tinted high-security theme.
  • Added an admin-only navigation link to the main menu.

0.5.13-Alpha

Added

  • Added an Instagram padding tool that generates *_instagram.png from *_preview.png for portrait images.
  • Runs after watermarking so padded assets include all overlays.
  • Uses symmetric left/right padding to reach the 4:5 portrait aspect ratio.

Changed

  • Instagram padding now uses a blurred background derived from the artwork for portrait images.
  • Instagram padded output is now included in processed ZIP packages when present.

0.5.12-Alpha

Changed

  • Removed the user-selectable top-left and bottom-left custom watermark positions.
  • Added an Advanced Watermark setting to toggle QR code overlays on previews (default ON).
  • Clarified preview defaults: QR codes remain bottom-left and PixlKey watermark remains top-left.

0.5.11-Alpha

Added

  • Added PixlKey watermark overlay to all generated preview images (_preview.png), placed top-left and scaled to 5% of the smallest dimension.

0.5.10-Alpha

Changed

  • Profile page sections are now collapsible window-shade panels (except Account & System Information).
  • Improved usability and navigation on the profile page.

0.5.9-Alpha — My Artworks Download Packages

Added

  • Added a Download button on the My Artworks page so users can download their recent processed packages.

Changed

  • Enforced the “only most recent 10 packages available for download” rule.
  • Download button now appears only when a ZIP exists in the processed run directory.

0.5.8-Alpha-13 — My Artworks Layout Polish

Changed

  • UI polish: thumbnails positioned at the top of each artwork card; added spacing between artwork cards.

Notes

  • Recap of 0.5.8-Alpha-12 thumbnail fixes (since we started working on the artwork page): initial broken thumbnails, path resolution attempts, rejecting ../processed/..., overly strict realpath checks, aligning sanitiser logic with artwork.php, uncovering nested URL depth issues, then normalising to root-relative /processed/... paths for the final fix.

0.5.8-Alpha-12 — My Artworks Details & Thumbnails

Added

  • My Artworks page now displays thumbnails sourced from Images.thumbnail_path.
  • Added artwork details: description, creation_date, keywords, and genre.
  • Added hash identifiers: sha256 (Hash Value) and hvf_sha256 (HVF Key).

0.5.8-Alpha-11 — My Artworks Dashboard

Added

  • Added authenticated “My Artworks” page listing a user’s processed artworks with pagination.
  • Added a profile navigation link to the new My Artworks page.

0.5.8-Alpha-10 — Changelog Page

Added

  • Added public changelog page that renders the project CHANGELOG.md.
  • Added a discreet footer link from the landing page to the changelog.

0.5.8-Alpha-9 — Public Artwork Display Enhancements

Changed

  • Artwork public lookup now prefers seo_headline for the page title with fallback to the artwork title.
  • Added license display with on-demand modal fetch for full license text.
  • Included optional public contact display with email obfuscation when enabled by the creator.

0.5.8-Alpha-8 — Logging Consistency Updates

Changed

  • Consolidated log payload creation with shared request ID handling.
  • Improved request ID fallback generation and JSON encoding safety.
  • Nested user-supplied log context under ctx to avoid collisions.
  • Routed database connection logging through structured log helpers.
  • Ensured PHP logging ini defaults are set in logging bootstrap.

0.5.8-Alpha-7 — Logging Bootstrap Refactor

Changed

  • Moved logging bootstrap into /core/logging/bootstrap.php.
  • Added pk_log and pk_debug helpers with APP_DEBUG toggle for debug output.
  • Standardized JSON-line log output to var/log/pixlkey.log.

0.5.8-Alpha-6 — Ownership History Initialization

Added

  • Initial ownership event persistence during artwork registration.
  • New ArtworkOwnershipHistory record created when an artwork is first registered.
  • Captures:
      • artwork ID
      • from/to user
      • acting user
      • actor IP address
      • event type (initial_registration)
      • timestamped audit trail

Notes

  • No schema changes.
  • Ownership history is immutable and append-only.
  • Backward compatible with existing artworks.

[0.5.8-Alpha-5] — Artwork Public Lookup Compatibility & Safety

Changed

  • Updated artwork public lookup version header and public messaging to emphasise controlled, read-only access.
  • Hardened token lookup ordering with schema-aware fallback and prevented thumbnail fetches from failing when ordering columns are absent.
  • Clarified logging while maintaining privacy and ensured empty artwork titles default cleanly to “Untitled.”

[0.5.8-Alpha-4] — Artwork Public Lookup Hardening

Changed

  • Updated public artwork lookup page title and messaging to reinforce public, rights-respecting access.
  • Enforced processed-state gating for artworks resolved via lookup tokens and hardened thumbnail path sanitisation.
  • Improved thumbnail selection robustness with graceful fallback when created_at is unavailable and ensured newest lookup token rows are preferred.

[0.5.8-Alpha-3] — Public Artwork Lookup Fixes

Fixed

  • Corrected /public/artwork.php to validate lookup tokens, return appropriate HTTP status codes, and render public artwork details with thumbnails when available.

[0.5.8-Alpha-2] — Profile Management UI

Added

  • Added authenticated User Profile Management UI:
      • New page: /public/user/profile.php
      • Allows users to manage public identity, contact information, social/portfolio links, regional visibility, and public notes.
      • System fields (registered email, last login, account creation date) are visible to the account holder only and read-only.
      • Visibility of contact and regional data governed by explicit privacy toggles.

[0.5.7-Alpha-2] — Redirect Sanitisation Consolidation

Security / Hardening

  • Consolidated redirect sanitisation logic into a single shared security helper to prevent drift.
  • Ensured all login and access-guard redirects use the same validated code path.

Maintainability

  • Removed duplicate redirect validation logic from controllers and services.
  • Removed CLI-only sanity-test code from public login controller.
  • Centralised redirect rules in /core/security/Redirect.php for auditability.

Notes

  • No database interactions added or modified.
  • Behaviour unchanged for valid internal redirects.
  • Bug-squash and defensive hardening only.

[0.5.7-Alpha-1] — Redirect Hardening

Security

  • Fixed a potential open redirect vulnerability during authentication flows.
  • Constrained post-login redirects (next parameter) to validated local paths only.
  • Rejected external URLs, protocol-relative paths, malformed input, and control characters.
  • Ensured unauthenticated access guards preserve intent safely without external redirection.

Stability

  • Redirect behaviour consistently falls back to /index.php when invalid or missing.

Notes

  • No database schema changes.
  • No new database reads or writes.
  • Fully backward-compatible for valid internal navigation.

[0.5.1.2-alpha] — 2025-07-26

Refactor — Modular CSRF Token Management

  • Introduced core/security/CsrfToken.php:
      • Centralised CSRF token generation, validation, and rotation.
      • Supports form-based (csrf_token) and header-based (X-CSRFTOKEN) validation.
      • Explicit token rotation after privilege transitions (login, logout, registration).
  • Updated core/auth/auth.php to consume the new CSRF module.

Security Benefits

  • Single point of truth for CSRF handling.
  • Reduced replay risk.
  • Foundation for future per-route nonce strategies.

[0.5.1.1-alpha] — 2025-07-26

Refactor — Modular Session Bootstrapping

  • Introduced core/session/SessionBootstrap.php.
  • Centralised session initialisation and cookie flags.
  • Eliminated duplicated session_start() and cookie boilerplate.
  • Improved auditability and extensibility of session handling.

[0.4.9-beta] — 2025-07-17

Critical Security Enhancements

  • Global rate limiting for authentication and downloads.
  • New rate_limiter.php middleware with configurable thresholds.
  • Centralised toggles and environment overrides.
  • Graceful 429 responses with retry headers.

[0.4.8-beta] — 2025-07-16

Security Enhancements

  • Enforced modern password hashing (PASSWORD_DEFAULT, Argon2id).
  • Automatic hash re-upgrade via password_needs_rehash().

[0.4.7-beta] — 2025-07-14

Security Enhancements

  • Enforced TLS across all entry points.
  • Added strict security headers.
  • Hardened cookie flags globally.

[0.4.6-beta] — 2025-07-14

Security Enhancements

  • CSRF token rotation at login, logout, registration, and ingestion boundaries.
  • Improved session isolation.

[0.4.5-beta] — 2025-07-12

Internal Improvements

  • Dynamic branding support via APP_TITLE and APP_HEADER.
  • Updated index.php to consume branding constants.

[0.4.4-beta] — 2025-07-12

Security Enhancements

  • Hardened session fixation protections across auth lifecycle.
  • Ensured session ID regeneration at all critical transitions.

[0.4.3-beta] — 2025-07-11

Security Enhancements

  • Rate limiting added to login and registration.
  • Introduced reusable rate-limiter utilities.

[0.4.2-beta] — 2025-07-11

Added

  • Placeholder frames for watermark and image previews.
  • Branding polish (drop shadows, Orbitron-styled headers).

Fixed

  • Gallery thumbnail layout and width issues.
  • Removed stray rendering logic tokens.

[0.4.1-beta] — 2025-07-11

Security

  • Enforced ownership verification for downloads and data ingestion.
  • Hardened runId validation.
  • Prevented unauthorised ZIP and metadata access.

[0.4.0-beta] — 2025-07-10

Added

  • Roadmap reset.
  • CSRF and session hardening groundwork.
  • Core audit and agent refactor started.

[0.3.0-alpha] — 2024-06-29

Added

  • Initial functional Alpha release.
  • Core image processing, watermarking, metadata embedding, fingerprinting, certificates, licensing, and authentication.

Known Issues

  • No rate limiting (addressed later).
  • Limited error handling.
  • No API or test coverage.

[main reset] — 2025-07-10

Changed

  • Repository reverted to 0.3.0-alpha to restore stability.
  • Removed experimental branches.
  • Set main to known-good baseline.

[Unreleased]

Planned

  • Further modularisation of processing pipeline.
  • REST API.
  • Audit logs and analytics.
  • Docker and deployment tooling.

© 2025 PixlKey by Infinite Muse Arts