- nginx: add HSTS (max-age=31536000) and gzip for text/css/js/json
- entries: add limit/offset query params (default 200, max 1000)
- Ntfy: wire NTFY_URL/NTFY_TOKEN through env; notify on startup, new
registration, admin login, user disable, and user delete
- httpx==0.28.1 added for async Ntfy HTTP calls
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Block disabled accounts at login and unimpersonate (C4, C2)
- Catch IntegrityError on register commit to return 409 instead of 500 (C5)
- Stop _seed_admin from overwriting existing admin password on restart (C8)
- Cap public/stats query at 500 users to bound memory usage (C3)
- Rate-limit PUT /me/password at 5/minute (C6)
- Bump SQLAlchemy to 2.0.50 and aiomysql to 0.3.2; re-enable pool_pre_ping (C7)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove pool_pre_ping=True to fix startup crash caused by aiomysql 0.2.0
async adapter requiring a reconnect argument SQLAlchemy does not pass.
Add slowapi rate limiting, structured logging, CORS config, backend
health check, and nginx security headers.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>