# Changelog
All notable changes to DevPulse will be documented in this file.
Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [1.0.0] - 2025-07-26
### Added
- **Shared utilities module** (`utils.rs`) — `format_size()` and `safe_truncate()` centralized
from duplicated implementations across modules
- **Parallel doctor checks** — All 7 health checks now run concurrently via `std::thread::scope`
for faster startup diagnostics
### Changed
- **Version bump** — `0.1.0` → `1.0.0` for first public release
- **serde_yaml → serde_yml** — Migrated from deprecated `serde_yaml 0.9` to `serde_yml 0.0.12`
- **Dynamic version strings** — All hardcoded `v0.1.0` references replaced with
`env!("CARGO_PKG_VERSION")` for automatic version tracking
- **TOML round-trip fidelity** — Convert now uses a `serde_json::to_value()` intermediate
to preserve key ordering and avoid double-serialization artifacts
- **Clone derives** — Added `Clone` to `ArtifactEntry` and `ScanResult` structs in sweep module
### Fixed
- **Eliminated `process::exit(1)`** — Doctor and ports modules now return proper
`Err(DevPulseError)` instead of hard-exiting, enabling clean error propagation
- **HTTP CRLF injection** — `build_request()` now validates all header values for
`\r` and `\n` characters, returning an `InvalidHeader` error on injection attempts
- **TCP timeout safety** — Added 30s read and 10s write timeouts to all TCP connections
to prevent indefinite hangs on unresponsive hosts
- **HTTP body size cap** — Response body reads capped at 10 MB (`MAX_BODY_SIZE`) to
prevent out-of-memory on large responses
- **UTF-8 safe truncation** — Replaced unsafe byte slicing in ports and TUI modules
with `safe_truncate()` that respects character boundaries
- **PATH duplicate detection** — On Windows, PATH entries are now compared
case-insensitively (`eq_ignore_ascii_case`) via `#[cfg(windows)]`
- **dotenv edge cases** — Single-character values no longer panic on quote detection
(added `val.len() >= 2` guard before quote stripping)
### Security
- Zero `unsafe` code throughout codebase
- All error paths use `thiserror` — no unwrap/panic in production paths
- CRLF injection prevention in HTTP headers
- TCP timeouts prevent resource exhaustion
- Body size limits prevent OOM attacks
---
## [0.1.0] - 2025-07-25
### Added
- **Config Format Converter** — New `convert` subcommand: converts between JSON, YAML,
TOML, and .env formats with auto-detection from file extension, `--from` override,
and optional `-o` file output
- **Dot-flattening** — Nested structures are dot-flattened for .env output
(`database.host=localhost` ↔ `{"database": {"host": "localhost"}}`) and
unflattened when reading .env files
- **TUI Convert screen** — Two-field input form (file path + target format) with
Tab switching between fields, integrated as tool #6 in the dashboard
- **Interactive TUI Dashboard** — ratatui-based terminal UI with branded header,
arrow-key menu, and live result rendering for all 5 diagnostic tools
- **Doctor** — Health checker for Git, Node.js, Rust, Python, Docker, disk space, SSH
- **Ports** — Cross-platform listening port inspector (Windows netstat, Linux ss, macOS lsof)
with 36+ service hints and PID/process name resolution
- **Parallel Network Scan** — rayon-powered parallel TCP connect scanner for 16 common
development ports on localhost with latency measurement
- **Banner Grabbing** — Protocol-specific probes for open ports: HTTP HEAD → Server header,
Redis PING → PONG, generic initial banner read
- **Port Range Scanning** — `--scan-range START-END` CLI flag for custom port range scanning
- **Env** — PATH analyzer with duplicate/missing detection, dev tool variables, proxy,
CI detection, and .env file scanner with sensitive key warnings
- **Git Config Audit** — Reads 7 global Git configuration keys (user.name, user.email,
commit.gpgsign, core.editor, core.autocrlf, credential.helper, init.defaultBranch)
with warnings for missing identity, unsigned commits, and no credential helper
- **SSH Key Audit** — Scans `~/.ssh/*.pub` for key type (RSA/ED25519/ECDSA/DSA), estimated
bit strength, age in days, and warnings on weak keys (RSA < 3072), old keys (> 2 years),
and deprecated algorithms (DSA)
- **Sweep** — Build artifact scanner for `node_modules`, `target`, `__pycache__`, `.next`, `dist`, etc.
with human-readable sizes and reclaimable space totals
- **HTTP** — Request timing with DNS, TCP, TLS, TTFB, and transfer breakdown plus
cumulative waterfall and response header display
- **Security Header Audit** — Checks 8 critical HTTP security headers (HSTS, CSP,
X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy,
X-XSS-Protection, COOP) with weighted A-F grading
- **TLS Certificate Inspection** — x509-parser powered certificate analysis showing subject,
issuer, validity dates, days until expiry, key algorithm & size, and SANs
- **Redirect Chain Tracing** — Follows HTTP redirects (301/302/303/307/308) up to 10 hops,
recording status code, URL, and timing for each hop
- **Help** — Full keyboard reference accessible via F1 or ? from any screen
- **TUI Navigation** — Tab/Shift+Tab to cycle tools, number keys 1-7 from any screen,
r to re-run current tool, scroll position indicator in status bar
- **CLI Mode** — All tools available as 6 subcommands with `--json` structured output
- **Shell Completions** — `devpulse completions bash|zsh|fish|powershell`
- **Cross-platform** — Windows, Linux, macOS with platform-specific adapters
- **CI/CD** — GitHub Actions workflow with lint, test, and release builds for all 3 platforms
- **Zero async** — Fully synchronous, single-binary, no runtime dependencies