This release includes 1 security fix for security teams reviewing exposed deployments.

Published 10d Deployment Automation
✓ No known CVEs patched
This release patches 1 known CVE

Topics

bullmq ci-cd deployment deployment-automation devops express mariadb mysql nodejs pipeline react redis self-hosted sequelize socket-io typescript webhook

Affected surfaces

breaking_upgrade

ReleasePort's take

Light signal
editorial:auto 5d

Version v3.0.0 introduces multiple new features—including a persistent deployment queue, encrypted environment variables, log downloads, caching improvements, multi‑channel notifications, rollback UI, project templates, workspaces with drag‑and‑drop, CI workflow automation, and schema adjustments—and fixes truncation bugs.

Why it matters: The release adds performance gains (≈85 % deploy time reduction, ≈70 % disk usage cut) and security hardening via AES-256-GCM at rest; it also resolves the Deployments table truncation bug that affected error‑message storage.

Summary

AI summary

Broad release touches Database, Compatibility, Operator notes, and /migration-v2-to-v3.md.

Changes in this release

Feature Medium

Adds persistent deployment queue using BullMQ/Redis.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Medium

Adds encrypted environment variables stored with AES-256-GCM at rest.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Medium

Adds log download endpoint `GET /api/deployments/:id/log/download` returning attachment.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Medium

Adds local Git bare cache to reduce deploy time ~85 % and disk usage ~70 %.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Medium

Adds multi‑channel notifications (Discord, Slack, Email) via strategy pattern.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Medium

Adds rollback UI with `POST /api/deployments/:id/rollback` endpoint and socket event.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Medium

Adds project templates (5 built‑ins) and wizard step in Create‑Project flow.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Medium

Adds workspaces with drag‑and‑drop reassignment and RBAC for mutation.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Medium

Adds GitHub Actions CI workflow running server and client tests with coverage gates.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Low

Introduces testing foundation with Jest (server) and Vitest (client), coverage gates, and extensive unit/integration tests for core services.

Source: granite4.1:30b@2026-05-29-audit

Confidence: low

Deprecation Medium

Deprecates `DISCORD_WEBHOOK_URL` env var; will be removed in v3.1.

Source: granite4.1:30b@2026-05-29-audit

Confidence: low

Deprecation Medium

Deprecates legacy `Project.Config.envVars` JSON field; will be removed in v3.1.

Source: granite4.1:30b@2026-05-29-audit

Confidence: low

Bugfix Medium

Widens `Deployments.ErrorMessage` and `CommitMessage` columns to LONGTEXT fixing truncation bug.

Source: llm_adapter@2026-05-29

Confidence: high

Full changelog

[3.0.0] — 2026-05-24

Status: 🟢 Released
Theme: Foundation — wipe out the five critical v2.1 debts + add five high-value UX wins.

Added

  • F-001 — Persistent deployment queue. Replaced the in-memory
    Map<projectId, Item[]> with a BullMQ/Redis-backed queue. Deployments
    now survive server restart. Retry policy: 3 attempts, exponential
    backoff (1s → 5s → 25s). New Deployment.QueueJobId column for
    job↔row correlation. Bull Board admin UI mounted at
    /admin/queues (Admin only). 503 short-circuit via
    QueueReadyMiddleware when Redis is unreachable.
  • F-002 — Testing foundation. Jest + ts-jest scaffold under
    server/__tests__/ mirroring src/. Coverage gate ratcheted from
    0 % → 40 % across 4 weeks (GA gate). Vitest gate for client at 30 %.
    Unit + integration tests for Encryption, Password, SSH key gen, log
    formatter, AutoRecovery, QueueService, NotificationService dispatchers,
    AuditLogService, plus integration tests for Auth, Projects, Users,
    Deployments, EnvVars, Notifications, Rollback.
  • F-003 — Encrypted environment variables. New
    EnvironmentVariables table with AES-256-GCM at rest, unique IV per
    row. API: GET/POST/PUT/DELETE /api/projects/:id/env-vars
    (Admin/Manager). Injected into process.env during pipeline
    spawn(); secret values redacted from logs (FR-013).
  • F-004 — Log download. GET /api/deployments/:id/log/download
    returns the deployment log as a text/plain attachment. Frontend
    "Download Log" + "Copy to Clipboard" buttons; auto-scroll toggle for
    live logs.
  • F-005 — Local Git bare cache. First deploy creates
    server/deployments/cache/project-{id}.git/; subsequent deploys
    --reference it for ~85 % deploy-time / ~70 % disk savings.
  • F-006 — Multi-channel notifications. Strategy-pattern refactor
    with three new dispatchers (Discord, Slack, Email). Three new tables:
    NotificationProviders (credentials, encrypted), NotificationChannels
    (delivery targets, encrypted), ProjectNotificationSubscriptions
    (M:N + event filter). Fan-out via Promise.allSettled — one channel
    failing does not block the others (FR-025b). Test endpoint per channel
    + per provider. Settings UI tab + per-project subscription card.
  • F-007 — Rollback UI. New EAuditAction.DeploymentRolledBack and
    ETriggerType.Rollback. POST /api/deployments/:id/rollback creates a
    new deployment with the project's last successful commit, queued via
    BullMQ. New deployment:rollback-queued socket event. UI button
    auto-hides on non-failed deployments and disables with tooltip when there's
    no prior success or commits already match.
  • F-008 — Project templates. Migration 017 seeds 5 built-ins
    (Node.js Backend, React SPA (Vite), Next.js, Static HTML, Astro). New
    ProjectTemplateWizard runs as Step 0 of Create-Project. Built-ins
    are immutable (422 on Update/Delete). Custom templates editable by
    Admin/Manager.
  • F-009 — Workspaces. Migration 016 adds Workspaces table +
    nullable Project.WorkspaceId. ProjectsPage rewritten as a
    workspace-first grid with drag-and-drop project reassignment
    (@dnd-kit). "Unassigned" group always present. Owner-or-admin
    RBAC for workspace mutation; open to all for viewing.
  • F-010 — GitHub Actions CI. .github/workflows/ci.yml runs server
    typecheck + lint + jest --coverage AND client typecheck + lint +
    vitest + build. Coverage gates wired to the jest/vitest configs.
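
The F-003 behaviour listed above (AES-256-GCM with a unique IV per row, decryption only when the pipeline environment is built for spawn(), secret values redacted from logs) sketched as an added example; it is not Deploy-Center-Server's own code. The function names, the row shape, the demo key and the use of the row identity as AAD are assumptions of this example.

```javascript
const crypto = require('node:crypto');

// Constructed demo key (32 bytes for AES-256); a real deployment loads it from
// configuration or a secret store and never generates it per process.
const KEY = crypto.randomBytes(32);

// Assumption of this example: the row identity is bound in as AAD, so a
// ciphertext copied onto another project or variable name fails to decrypt.
const aad = (row) => Buffer.from(`${row.projectId}:${row.name}`);

// Encrypt one variable into a row-shaped record with its own random 96-bit IV.
function encryptRow(projectId, name, value, key = KEY) {
  const row = { projectId, name };
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad(row));
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  return { ...row, iv: iv.toString('base64'), ct: ct.toString('base64'),
           tag: cipher.getAuthTag().toString('base64') };
}

// Decrypt a row; final() throws if the ciphertext, IV, tag or AAD was altered.
function decryptRow(row, key = KEY) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(row.iv, 'base64'));
  decipher.setAAD(aad(row));
  decipher.setAuthTag(Buffer.from(row.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(row.ct, 'base64')), decipher.final()]);
  return pt.toString('utf8');
}

// Decrypt only when building the child environment, and return the plaintext
// values so the log writer knows what to mask.
function buildSpawnEnv(rows, baseEnv = {}, key = KEY) {
  const env = { ...baseEnv };
  for (const row of rows) env[row.name] = decryptRow(row, key);
  return { env, secrets: rows.map((row) => env[row.name]) };
}

// Mask every secret value in a log line, longest first so a secret that
// contains a shorter one is replaced whole.
function redact(line, secrets) {
  return [...secrets].filter((s) => s.length > 0)
    .sort((a, b) => b.length - a.length)
    .reduce((out, s) => out.split(s).join('[REDACTED]'), line);
}
```

Because the IV is random per row, two rows holding the same value store different ciphertexts, and any edit to a stored row surfaces as a decryption error rather than as a silently wrong value in the deploy environment.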

Changed

  • EAuditAction extended with DeploymentRolledBack.
  • ETriggerType extended with Rollback.
  • ResponseHelper gains Conflict (409) and UnprocessableEntity (422)
    helpers used by F-007 + F-008.
  • NotificationService refactored to fan out via the new
    Provider/Channel/Subscription model while preserving the legacy
    Project.Config.Notifications path for v2.1 backward compat.

Database

  • Migrations applied (in actual MigrationRunner order): 009, 012, 013, 016,
    017, 018, 019, 020, 021, 999.
  • Migration 020 drops 7 legacy UserSettings.Notify* columns that were
    never wired to deployment fan-out.
  • Migration 021 widens Deployments.{ErrorMessage,CommitMessage} from
    TEXT (64 KB) to LONGTEXT (4 GB) — fixes a pre-existing v2.1 bug
    where the original 007 file body was an accidental copy of 008, so the
    intended widening never ran on any upgrade.
  • Migration 999 is one-shot data: re-enqueues v2.1 pending/queued
    deployments into BullMQ with an audit row. Idempotent via
    QueueJobId IS NULL guard.
  • Migration numbers 010, 011, 014, 015 are reserved for v3.1.

Compatibility

  • No breaking changes for v2.1 API clients. All new columns are
    nullable; all new endpoints are additive (NFR-001).
  • DISCORD_WEBHOOK_URL env var still honored as the legacy
    notification path — deprecated in v3.0, will be removed in v3.1.
  • Project.Config.envVars JSON still honored alongside the new
    encrypted EnvironmentVariables table — deprecated in v3.0, will be
    removed in v3.1.

Operator notes

  • Redis 7+ required. See migration-v2-to-v3.md
    §1 for the docker-compose recipe.
  • Bull Board lives at /admin/queues and is admin-only.
  • See server/docs/migration-v2-to-v3.md for full upgrade steps,
    including the F-003 envVars migration helper SQL.

📄 Full feature spec: versions/v3.0-foundation.md
📄 Migration guide: migration-v2-to-v3.md


Security Fixes

  • Encrypted environment variables table uses AES-256-GCM at rest


About FutureSolutionDev/Deploy-Center-Server
