Releases: beastyrabbit/moddrop
v0.3.0 - Stream Canvas Security Hardening
Highlights
- Hardened stream-canvas WebSocket access with short-lived signed room tickets instead of raw Clerk session tokens in query strings.
- Added hashed-at-rest OBS secrets with one-time regeneration reveal, legacy backfill, stricter token exchange, and no-referrer OBS headers.
- Locked down uploads with request size caps, magic-byte MIME sniffing, sanitized filenames, signed media access URLs, and refresh-aware canvas media loading.
- Added server-side validation and rate limits for room settings, OBS access, upload flows, WebSocket auth, and repeated auth failures.
- Reduced user/profile data exposure in Convex user queries and added bounded username resolution/search behavior.
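The first highlight, sketched as an added example (not moddrop's own code): an HMAC-signed ticket bound to one room and a short expiry, so the WebSocket URL carries the ticket instead of a Clerk session token. The ticket layout, TICKET_TTL_MS, the claim names, and the function names are assumptions for illustration.

```javascript
// Added example, not taken from the moddrop repository.
const { createHmac, randomUUID, timingSafeEqual } = require("node:crypto");

const TICKET_TTL_MS = 60_000; // assumed lifetime; keep it just long enough to open the socket

function hmac(secret, payload) {
  return createHmac("sha256", secret).update(payload).digest();
}

// Called from an authenticated HTTPS endpoint after the session token has been
// checked server-side. Only the returned ticket is placed in the WebSocket URL.
function issueRoomTicket(secret, { userId, roomId }, now = Date.now()) {
  const claims = { sub: userId, room: roomId, exp: now + TICKET_TTL_MS, jti: randomUUID() };
  const payload = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return `${payload}.${hmac(secret, payload).toString("base64url")}`;
}

// Called in the WebSocket upgrade handler. The signature is checked before the
// payload is parsed, and the ticket is rejected for any room but the one requested.
function verifyRoomTicket(secret, ticket, roomId, now = Date.now()) {
  const parts = String(ticket).split(".");
  if (parts.length !== 2) return { ok: false, reason: "malformed" };
  const [payload, mac] = parts;

  const expected = hmac(secret, payload);
  const given = Buffer.from(mac, "base64url");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }

  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  if (typeof claims.exp !== "number" || now >= claims.exp) {
    return { ok: false, reason: "expired" };
  }
  if (claims.room !== roomId) return { ok: false, reason: "wrong-room" };
  return { ok: true, userId: claims.sub };
}
```

A ticket that leaks through a proxy log or Referer header is only useful for one room and only until it expires; the jti claim gives the server a handle for single-use tracking if it keeps a short-lived seen-set.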
Fixes
- Split owner/settings room response data from collaborator/public room data.
- Added DB-level filtering for accessible room lookup and consolidated upload access checks.
- Improved WebM audio/video detection by inspecting EBML track metadata.
- Kept auth-failure limiter state across successful requests and cleaned expired limiter entries from read checks.
- Fixed the OBS missing-secret fallback so it remains readable despite the transparent OBS overlay layout.
Notes
- Existing rooms with legacy plaintext OBS secrets are migrated to hashed secrets at startup. Users who need to copy a secret again should regenerate the OBS URL from settings.
- External media URLs remain allowed; this release focuses on token, upload, room, and referrer hardening.
Verification
pnpm --dir backend/stream-canvas run typecheck
pnpm --dir backend/stream-canvas run test
pnpm run lint
pnpm run typecheck
pnpm run test
pnpm run build
v0.2.1
What's New
Landing Page
- Updated the platform strip so Works with highlights Twitch only.
- Added a Coming soon logo row for YouTube Live, Kick, TikTok Live, and Rumble.
- Removed outbound platform links and removed Discord from the landing page platform presentation.
Assets
- Added local brand SVG assets for Kick, TikTok, and Rumble.
- Attached a fresh landing page screenshot for the release.
v0.2.0
What's New
Landing Page
- Rebuilt the Moddrop landing page around the new brand direction with a tighter hero, product mockup, feature grid, setup flow, creator CTA, and platform brand row.
- Added the new Moddrop logo and icon asset pack, including favicon, lockups, monochrome variants, app icon, and partner brand marks.
- Swapped the mockup's blue highlight direction into Moddrop's green accent system.
- Tightened the mobile header so the logo and primary CTA stay clean on small screens.
v0.1.1
Fixes
- fix the stream-canvas production image so better-sqlite3 builds correctly in the container
- keep workspace lifecycle scripts disabled during image install while rebuilding the native SQLite binding explicitly
Impact
- restores the production /canvas-api backend so control room requests and room access stop returning 503
v0.1.0
What's New
Auth and Production Readiness
- Switched Moddrop to the new Clerk setup across frontend, Convex, and stream-canvas.
- Updated production secret wiring so the live app, Convex, and canvas backend all point at the same Clerk issuer.
- Improved token handling for stream-canvas requests to better recover from Clerk token refreshes.
Control Room and Sign-In
- Fixed the top-right login flow and removed blocked interactions caused by decorative overlays.
- Improved the Clerk sign-in modal styling for Moddrop's dark theme so the auth flow is readable and consistent with the app.
- Kept the landing and control room experience focused by removing extra CTA clutter under the title.
Dev and Deployment Workflow
- pnpm dev now starts frontend, Convex, and stream-canvas together from the repo root.
- Fixed the missing tracked landing footer component that was breaking frontend image builds in CI.
- Cleaned up the canvas dev hostname path so local auth no longer collides with other projects using stream-canvas.
Important
This release is intended to be deployed together with the updated kub-homelab Moddrop secrets and image tags so production uses the new Clerk configuration end to end.
v0.0.2
What's New
Release Fix
- Supersedes v0.0.1, which still referenced the wrong ARC runner label in the image workflow.
- Updated all build-images.yml jobs from arc-beastypage to arc-moddrop so container builds can run in the correct repo runner pool.
Release Metadata
- Bumped the project version to 0.0.2 so the published release matches the buildable main branch state.
v0.0.1
What's New
Launch
- First public Moddrop release: a shared live canvas for stream overlays and OBS browser-source control.
- Streamers can own rooms, invite mods, and manage live media from one collaborative board.
- Landing page copy and branding were tightened for the initial launch pass.
Tooling
- Switched the workspace, CI, and Docker builds from Bun to pnpm.
- Added a pnpm workspace, refreshed lockfiles, and aligned docs/scripts around the new toolchain.
Project Setup
- Added license files and published the repository baseline for future releases.