Bug Fixes

• (db) Create favourite index in migrate() not schema
• (ui) Eliminate stored XSS in feed onclick handlers
• (security) Reject javascript: links from RSS feeds
• (chart) Use Chart.AppVersion as image tag so CI version flows through
• (chart) Add imagePullSecrets for private registry
• (chart) Add ingressClassName to ingress
• (fetcher) Recover from parser panics and limit response body to 10 MB
• (fetcher) Increase response body limit to 100 MB
• (fetcher) Run initial fetch in background so HTTP server starts immediately
• (chart) Use contains to prevent duplicate chart name in fullname
• (chart) Single tnyrss name via fullnameOverride, version in deployment name
• (reader) Detect Cloudflare challenge and show open-in-browser fallback
• (auth) Increase minimum password length to 12 characters
• (ui) Restore desktop layout after pane-wrapper refactor
• (security) Fix XSS in admin confirm dialog and SSRF in reader client
• (ui) Fix FAB z-index and auto-advance to article pane on mobile
• (docker) Copy static/ directory before build to satisfy go:embed
• (ui) Navigate to article list pane when selecting a feed on mobile
• (ui) Move toolbar to bottom, full width, centered
• (ui) Move feed title back to top of articles pane
• (security) Enforce item access control on state mutations
• (landing) Reword hero copy for end users, not self-hosters
• (ui) Prevent bottom toolbar from obscuring add-feed form and sidebar footer
• (ui) Replace settings icon with text label in sidebar footer
• (ui) Improve keyboard shortcut labels in toolbar
• (deps) Upgrade golang.org/x/crypto to v0.52.0 to fix 7 CVEs (GO-2026-5013/5015/5017/5018/5019/5020/5021)
• (settings) Harden OPML import against malicious files
• (ci) Use github.repository context and FORGEJO_HOST for release API URL
• Versioning for non release versions
• (server) Add /healthz probe endpoint; point k8s probes at it
• (server) Healthz uses PingContext for honest DB liveness check
• (server) Split liveness from readiness probe to stop spurious restarts
• (ci) Use step output for dev version, restore Helm tgz filename
• (ci) Decouple image/API path from Forgejo repo name
• (ui) Render markdown preview in write modal as HTML
• (security) Escape double quotes in renderMarkdown to prevent XSS
• (ui) Prevent ‘a’ keystroke from being typed into write modal title
• (security) Build markdown links via DOM API to avoid string concatenation
• (security) IDOR in tag assignment + iframe sandbox bypass
• (security) Build search result DOM nodes via createElement to prevent XSS
• (ui) Enable j/k scrolling in reader pane via postMessage
• (ui) Auto-focus reader pane when article opens
• (admin) Keep last_seen_version current on page load

Features

• Initial project scaffold
• (ui) Auto-mark items as read on selection
• (items) Add favourites with f keybinding and sidebar category
• (ui) Add loading bar for article pane
• (readlater) Save article images alongside markdown
• (config) Add TNYRSS_* environment variable overrides
• (ui) Show unread count badges on feeds in sidebar
• (ui) Add keybind help overlay toggled with ?
• (ui) Rebind save-for-later from r to s
• (auth) Add multi-user support with session-based authentication
• (admin) Add user management panel and feed preloading for new users
• (deploy) Add Helm chart and CI publish pipeline
• (ui) Add y keybind to copy current item link to clipboard
• (ui) Show version next to title, injected via TNYRSS_VERSION env var
• (auth) Add sign-up page with username/password validation
• (auth) Invite tokens, per-IP rate limiting, and configurable open signup
• (auth) Add Sign out button and signup/invite tests
• (ui) Mobile-friendly three-pane swipe layout
• (admin) Add copy button for invite tokens
• (admin) Split invite copy into ‘copy invite’ and ‘copy token’ buttons
• (ui) Reflect item state on mobile FAB buttons
• (db) Persist saved-for-later state in user_item_state
• (pwa) Add iOS home screen / PWA support
• (community) Add community recommendations feed
• (settings) Add user settings page
• (admin) Add email, unread count, and user management actions
• (settings) Allow user to change their own email address
• (settings) Add OPML feed export
• (landing) Replace login page with full landing page
• (ui) Move user actions to bottom of sidebar
• (ui) Add arrow key navigation alongside hjkl
• (sync) Add WebDAV and Git sync for saved articles
• (articles) Add write-article modal with live markdown preview
• (news) Add what’s new modal and feature announcement RSS feed
• (help) Add user manual at /help with full feature documentation
• (settings) Add OPML import
• (ui) Replace add-feed form with a discovery modal
• (clip) Add personal clippings feed with bookmarklet
• (onboarding) Show first-login modal with feature overview and OPML import
• Add articles and notes sections with shared label system
• Phases 3+6+7 — bookmarklet→articles, feed labels, global search
• (js) Add CodeMirror vim editor module and bundle
• (db) Add per-user vim_mode preference
• (server) Add vim mode handler and route
• (ui) Add vim mode toggle to write editor
• (fetcher) Implement error backoff and defunct feed detection
• (ui) Derive friendly name from URL for untitled feeds
• (items) Toggle read/unread with m shortcut
• (feeds) Per-user feed categories with OPML support

Performance

• (db) Add composite indexes on user_item_state for read and favourite queries
• (db) Eliminate correlated subqueries and reduce per-request query count

Refactoring

• (server) Split server.go into handler files with embedded templates
• (ui) Extract shared CSS to static/style.css