- modal.js: add onClose callback to openModal(), fix _initialFormTimeout
cleanup, deduplicate escape/overlay-click handlers in confirmModal,
promptModal, selectModal using the new callback
- calendar.js: replace popup.innerHTML with insertAdjacentHTML (constraint),
add truncateDescription() to cap long event descriptions at 500 chars
- validate.js: extend DATETIME_RE to cover ISO 8601 with ms/timezone,
normalise datetime values to YYYY-MM-DDTHH:MM on input
- index.js: include app version in startup log message
- docker-compose.yml / .env.example: switch from named volume to
host-mounted DATA_DIR/BACKUP_DIR with sane defaults
- docs/installation.md: document host-mount data paths
Co-Authored-By: Rafael Foster <rafaelfoster@users.noreply.github.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
With the previous default of 'loopback', Express ignored X-Forwarded-Proto
headers from Caddy/nginx when running in Docker (bridge IP, not loopback).
This caused req.secure=false, which made express-session silently drop the
session cookie on login - resulting in a 401 on every subsequent request.
Changing the default to 1 (trust one proxy hop) fixes this for all standard
Docker+reverse-proxy deployments without requiring manual configuration.
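
The failure described above, modelled as an added example (not code from this repository or from Express itself): a simplified version of how Express derives `req.secure` from the `trust proxy` setting. It assumes express-session runs with `cookie.secure` enabled; the helper names and IP addresses are constructed for illustration.

```javascript
// Simplified model of Express 'trust proxy' handling; covers only the
// 'loopback' and hop-count forms mentioned in the commit message.
const isLoopback = (addr) =>
  addr === '::1' || addr.startsWith('127.') || addr.startsWith('::ffff:127.');

// Returns a predicate: is the directly connected peer (hop 0) trusted?
function compileTrust(setting) {
  if (setting === 'loopback') return (addr) => isLoopback(addr);
  if (Number.isInteger(setting)) return () => setting > 0; // n >= 1 trusts hop 0
  return () => false;
}

// Mirrors req.secure for a request arriving on a plain-HTTP socket.
function isSecure(setting, peerAddr, headers, socketEncrypted = false) {
  if (socketEncrypted) return true;
  if (!compileTrust(setting)(peerAddr)) return false; // X-Forwarded-Proto ignored
  const proto = (headers['x-forwarded-proto'] || 'http').split(',')[0].trim();
  return proto === 'https';
}

// Assumption: cookie.secure=true, so Set-Cookie is only sent on secure requests.
function sessionCookieIsSet(setting, peerAddr, headers) {
  return isSecure(setting, peerAddr, headers);
}

// Constructed sample requests (peer = address of the TCP connection).
const samples = {
  viaDockerProxy: { peer: '172.18.0.2', headers: { 'x-forwarded-proto': 'https' } },
  viaLocalProxy: { peer: '127.0.0.1', headers: { 'x-forwarded-proto': 'https' } },
  directClient: { peer: '192.168.1.50', headers: { 'x-forwarded-proto': 'https' } },
};

function outcomes(setting) {
  const result = {};
  for (const [name, r] of Object.entries(samples)) {
    result[name] = sessionCookieIsSet(setting, r.peer, r.headers);
  }
  return result;
}

console.log("trust proxy = 'loopback':", outcomes('loopback'));
console.log('trust proxy = 1:', outcomes(1));
```

With a hop count, the forwarded header is honored from whichever peer connects at hop 0 (the `directClient` case), so the app port should be reachable only through the reverse proxy.
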
docker-compose.yml now references ghcr.io/ulsklyc/oikos:latest so users
can start the app with a single 'docker compose up' without cloning or
building locally. The build: . entry is retained for contributors who
want to build from source with --build.
README Quick Start updated to document both the no-clone path (curl
docker-compose + .env.example) and the build-from-source path.
- CSP: added SHA-256 hash for the theme-detection inline script
- docker-compose: SESSION_SECURE=false, so that HSTS and
upgrade-insecure-requests are disabled for direct HTTP access
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add .dockerignore to prevent host node_modules (GLIBC 2.38) from
overwriting container-built binaries (GLIBC 2.36), fixing
better-sqlite3 ERR_DLOPEN_FAILED crash
- Bind port to 0.0.0.0 for LAN access
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>