What's Changed

• Reply-To submitter on authenticated feedback + length UX in https://github.com/onetimesecret/onetimesecret/pull/3077
• Add TTL entitlement gate for extended secret expiration (#3074) in https://github.com/onetimesecret/onetimesecret/pull/3081
• Add domain verification requirement toggle for custom domains in https://github.com/onetimesecret/onetimesecret/pull/3082
• Fix domain permission validation to use Forbidden instead of FormError in https://github.com/onetimesecret/onetimesecret/pull/3078
• Fix account settings tabs missing until refresh after login in https://github.com/onetimesecret/onetimesecret/pull/3084
• Fix Colonel users list and normalize verified field in https://github.com/onetimesecret/onetimesecret/pull/3079
• Fix domain status staleness tracking with atomic persistence (issue #3080) in https://github.com/onetimesecret/onetimesecret/pull/3085

Dependencies

• Update dependency vite to ^8.0.6 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/3035
• Update dependency rubocop to v1.86.1 - autoclosed by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/3034
• Bump net-imap from 0.6.3 to 0.6.4 in the bundler group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/3071

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.25.1...v0.25.2

What's Changed

• Show progress for v0.24.5 migration loops by @delano in https://github.com/onetimesecret/onetimesecret/pull/3043
• v0.24.5 migration: background-job pipeline + transform hardening by @delano in https://github.com/onetimesecret/onetimesecret/pull/3047
• Increase Redis timeouts for load_keys by @delano in https://github.com/onetimesecret/onetimesecret/pull/3050
• Remove CustomerMigrationWorker and enqueue script (#3059) by @delano in https://github.com/onetimesecret/onetimesecret/pull/3060
• Add per-domain SSO enforcement, fix secret creation by @delano in https://github.com/onetimesecret/onetimesecret/pull/3061
• SSO settings alignment by @delano in https://github.com/onetimesecret/onetimesecret/pull/3066
• Refactor showSsoOnly logic into named intermediaries (#3064) by @delano in https://github.com/onetimesecret/onetimesecret/pull/3070
• Add NormalizeContentType middleware for malformed Content-Type headers by @delano in https://github.com/onetimesecret/onetimesecret/pull/3069
• Obscure recipient email in incoming secret receipts by @delano in https://github.com/onetimesecret/onetimesecret/pull/3068

Dependencies

• Bump erb from 6.0.2 to 6.0.4 in the bundler group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/3038
• Drop pretty-format-json from pre-push hooks by @delano in https://github.com/onetimesecret/onetimesecret/pull/3044

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.25.0...v0.25.1

What's Changed

• Add Axios error breadcrumbs for API debugging (#2965) in https://github.com/onetimesecret/onetimesecret/pull/2992
• Add backend CRUD for per-domain incoming secrets recipients in https://github.com/onetimesecret/onetimesecret/pull/2869
• Add beforeBreadcrumb to scrub URLs from Sentry breadcrumbs in https://github.com/onetimesecret/onetimesecret/pull/2982
• Add characterization specs for SetupConnectionPool initializer in https://github.com/onetimesecret/onetimesecret/pull/3031
• Add CustomDomain::MailerConfig model, navigation, and entitlement rename in https://github.com/onetimesecret/onetimesecret/pull/2813
• Add distributed tracing across Web → RabbitMQ → Workers in https://github.com/onetimesecret/onetimesecret/pull/2993
• Add doctor CLI commands for domains, memberships, and customers in https://github.com/onetimesecret/onetimesecret/pull/2935
• Add domain_scope_id for SSO-provisioned user isolation in https://github.com/onetimesecret/onetimesecret/pull/2917
• Add explicit enabled toggle for custom domain incoming secrets in https://github.com/onetimesecret/onetimesecret/pull/2876
• Add JSON serialization check to customer doctor command in https://github.com/onetimesecret/onetimesecret/pull/3017
• Add jurisdiction tag to frontend Sentry events (#2970) in https://github.com/onetimesecret/onetimesecret/pull/2987
• Add localStorage-based debug logging for features in https://github.com/onetimesecret/onetimesecret/pull/2778
• Add LOGO_SHOW_NAME toggle for icon-only masthead display in https://github.com/onetimesecret/onetimesecret/pull/2772
• Add logtide-ship log shipping tool and hivemind runner support in https://github.com/onetimesecret/onetimesecret/pull/2953
• Add per-domain incoming secrets configuration in https://github.com/onetimesecret/onetimesecret/pull/2631
• Add per-organization SSO configuration (#2730) in https://github.com/onetimesecret/onetimesecret/pull/2747
• Add request context to V1 API Sentry capture_error in https://github.com/onetimesecret/onetimesecret/pull/2998
• Add require_sudo guard to BillingDiagnoseCommand in https://github.com/onetimesecret/onetimesecret/pull/2861
• Add Sentry context improvements for debugging in https://github.com/onetimesecret/onetimesecret/pull/2994
• Add separate Sentry DSN for background workers in https://github.com/onetimesecret/onetimesecret/pull/2991
• Add single-auth-method overrides (password/email/webauthn/sso-only modes) in https://github.com/onetimesecret/onetimesecret/pull/2806
• Add SSO domain UI locale strings and debugLog cleanup in https://github.com/onetimesecret/onetimesecret/pull/2810
• Add standalone Ruby 4.0.2 preview CI workflow in https://github.com/onetimesecret/onetimesecret/pull/3006
• Add subscription reactivation for cancelled subscriptions in https://github.com/onetimesecret/onetimesecret/pull/2927
• Add test coverage for dev auth strategy authenticate methods in https://github.com/onetimesecret/onetimesecret/pull/2814
• Add URL scrubbing to Sentry before_send hook in https://github.com/onetimesecret/onetimesecret/pull/2975
• Address Dependabot security alerts and PR review feedback in https://github.com/onetimesecret/onetimesecret/pull/2784
• Address Sentry URL scrubbing security review feedback in https://github.com/onetimesecret/onetimesecret/pull/2977
• Apply gracefulParse consistently across all Pinia stores in https://github.com/onetimesecret/onetimesecret/pull/2771
• Associate git commits with Sentry releases in https://github.com/onetimesecret/onetimesecret/pull/2995
• Auto-verify and auto-login invite signups in https://github.com/onetimesecret/onetimesecret/pull/2920
• Bake Sentry release into frontend bundle at build time in https://github.com/onetimesecret/onetimesecret/pull/3000
• Cache recipient hash lookup for custom domains in https://github.com/onetimesecret/onetimesecret/pull/2872
• claude/review-pr-3006-XRLEU in https://github.com/onetimesecret/onetimesecret/pull/3009
• Clean up pending invitations when deleting organization in https://github.com/onetimesecret/onetimesecret/pull/2884
• CLI subcommands: billing diagnose improvements and tests in https://github.com/onetimesecret/onetimesecret/pull/2842
• Consolidate email normalization into OT::Utils.normalize_email in https://github.com/onetimesecret/onetimesecret/pull/2911
• Decouple billing module with convention-based plugin architecture in https://github.com/onetimesecret/onetimesecret/pull/2891
• Derive Sentry breadcrumb scrub patterns from API route metadata in https://github.com/onetimesecret/onetimesecret/pull/3002
• Diagnostics and logging improvements for Sentry capture path in https://github.com/onetimesecret/onetimesecret/pull/3012
• DNS resilience and observability improvements in https://github.com/onetimesecret/onetimesecret/pull/2841
• Document duplicate free plan cause and resolution in https://github.com/onetimesecret/onetimesecret/pull/3024
• Email sender configuration UI for custom domains in https://github.com/onetimesecret/onetimesecret/pull/2831
• Email sender UX: flexible from-domain and per-record verification in https://github.com/onetimesecret/onetimesecret/pull/2944
• Enable organization member management with branded invitations in https://github.com/onetimesecret/onetimesecret/pull/2893
• Extract homepage and API config from brand settings in https://github.com/onetimesecret/onetimesecret/pull/2948
• Extract useSsoConfig composable to match Email config pattern in https://github.com/onetimesecret/onetimesecret/pull/2870
• Frontend: Domain incoming secrets recipient management UI in https://github.com/onetimesecret/onetimesecret/pull/2873
• Gate domain config menu items behind server-side feature flags in https://github.com/onetimesecret/onetimesecret/pull/2933
• Generate owner memberships during v0.24.5 migration and harden pipeline in https://github.com/onetimesecret/onetimesecret/pull/3042
• Grant admin role full menu visibility on custom domains in https://github.com/onetimesecret/onetimesecret/pull/2914
• Handle missing checkout param in /welcome endpoint gracefully in https://github.com/onetimesecret/onetimesecret/pull/3003
• Handle org not found with proper error state in settings in https://github.com/onetimesecret/onetimesecret/pull/2811
• Harmonize i18n content hashes across locales in https://github.com/onetimesecret/onetimesecret/pull/2937
• Harmonize translations and standardize hash field names in https://github.com/onetimesecret/onetimesecret/pull/2896
• Homepage config backfill in https://github.com/onetimesecret/onetimesecret/pull/3029
• Implement atomic signup+accept invite flow in https://github.com/onetimesecret/onetimesecret/pull/2898
• Implement Domain Sender Config CRUD API (#2802) in https://github.com/onetimesecret/onetimesecret/pull/2827
• Improve organization management UI and invitation flow in https://github.com/onetimesecret/onetimesecret/pull/2890
• Improve Podman build documentation with proper metadata args in https://github.com/onetimesecret/onetimesecret/pull/2895
• Improve site_secret validation for recipient lookup in https://github.com/onetimesecret/onetimesecret/pull/2875
• Integrate tracking fields into ValidateSenderDomain in https://github.com/onetimesecret/onetimesecret/pull/2848
• Layout UI fixes for #2702 in https://github.com/onetimesecret/onetimesecret/pull/2796
• Mask API key display and add missing locale entries in https://github.com/onetimesecret/onetimesecret/pull/2785
• Move sender domain DNS validation to background job in https://github.com/onetimesecret/onetimesecret/pull/2838
• Normalize SSL config checks to use != false instead of raw truthiness in https://github.com/onetimesecret/onetimesecret/pull/2794
• OmniAuth callback integration tests and fixes in https://github.com/onetimesecret/onetimesecret/pull/2791
• Organization membership and custom domain management in https://github.com/onetimesecret/onetimesecret/pull/2894
• Per-domain SSO configuration for multi-IdP environments in https://github.com/onetimesecret/onetimesecret/pull/2789
• Platform-managed sender domain provisioning with strategy validation in https://github.com/onetimesecret/onetimesecret/pull/2839
• Propagate bypass_cache through DNS validation stack in https://github.com/onetimesecret/onetimesecret/pull/2847
• ProvisionSenderDomain operation for platform-managed DKIM provisioning in https://github.com/onetimesecret/onetimesecret/pull/2837
• Raise Sentry sampleRate from 0.001 to 1.0 for error capture in https://github.com/onetimesecret/onetimesecret/pull/2985
• Re-enable multi-arch builds for linux/arm64 in https://github.com/onetimesecret/onetimesecret/pull/2957
• Remove colonel auto-provisioning, restore CLI-only role management in https://github.com/onetimesecret/onetimesecret/pull/2901
• Remove unnecessary favicon and social preview image tags in https://github.com/onetimesecret/onetimesecret/pull/2773
• Remove vestigial ots:migration_needed:db_0 setnx flag in https://github.com/onetimesecret/onetimesecret/pull/3030
• Remove write operations from OrganizationLoader auth phase in https://github.com/onetimesecret/onetimesecret/pull/2886
• Rename DomainSsoConfig → CustomDomain::SsoConfig, remove manual index in https://github.com/onetimesecret/onetimesecret/pull/2812
• Rename org to auth_org for immutable session organization context in https://github.com/onetimesecret/onetimesecret/pull/2808
• Rename ssoOnlyDisabled → excludeSsoOnly, guard SSO-only account routes in https://github.com/onetimesecret/onetimesecret/pull/2769
• Replace commit_fields workaround with split-brain detection and rebuild tooling in https://github.com/onetimesecret/onetimesecret/pull/3021
• Responsive header collapse and mobile privacy options UX in https://github.com/onetimesecret/onetimesecret/pull/2930
• Ruby gem security updates in https://github.com/onetimesecret/onetimesecret/pull/2938
• Scrub routes with sensitive params by position, not value grammar in https://github.com/onetimesecret/onetimesecret/pull/3008
• Scrub sensitive route params from Sentry events in https://github.com/onetimesecret/onetimesecret/pull/2978
• Secure SSO fallback defaults and branded custom domain sign-in in https://github.com/onetimesecret/onetimesecret/pull/2923
• Sender config refactor in https://github.com/onetimesecret/onetimesecret/pull/2936
• Sender UX improvements and domain detail redesign in https://github.com/onetimesecret/onetimesecret/pull/2945
• Set 14-day Sentry event retention for compliance in https://github.com/onetimesecret/onetimesecret/pull/2983
• SSO domain coda: test coverage, UI gating, dev auth hardening in https://github.com/onetimesecret/onetimesecret/pull/2790
• Store domain_id on Receipt for custom domain incoming secrets in https://github.com/onetimesecret/onetimesecret/pull/2874
• Sync frontend org selection to backend via X-Organization-ID header in https://github.com/onetimesecret/onetimesecret/pull/2885
• Thread sender_config through Mailer and EmailWorker in https://github.com/onetimesecret/onetimesecret/pull/2832
• UI capabilities schema for form field visibility in https://github.com/onetimesecret/onetimesecret/pull/2797
• UI misc 2 in https://github.com/onetimesecret/onetimesecret/pull/2854
• UI misc in https://github.com/onetimesecret/onetimesecret/pull/2850
• Unify org membership lifecycle with Familia staged relationships in https://github.com/onetimesecret/onetimesecret/pull/2909
• Update to familia 2.3.3 for AAD fixes in https://github.com/onetimesecret/onetimesecret/pull/2828
• Upgrade sentry-ruby to 6.5.0 with strict trace continuation integration in https://github.com/onetimesecret/onetimesecret/pull/3007
• Upgrade Vite 7 → 8 (Rolldown bundler) in https://github.com/onetimesecret/onetimesecret/pull/2925
• Upload source maps to Sentry for readable stacktraces in https://github.com/onetimesecret/onetimesecret/pull/2974
• Use Familia staged relationships for invitation lifecycle in https://github.com/onetimesecret/onetimesecret/pull/2907
• Use setTag instead of setExtras for searchable Sentry fields (#2964) in https://github.com/onetimesecret/onetimesecret/pull/2990
• ValidateSenderDomain operation with provider strategies in https://github.com/onetimesecret/onetimesecret/pull/2830
• Wire Sneakers fork hooks into InitializerRegistry in https://github.com/onetimesecret/onetimesecret/pull/2767

Fixes

• Fix V2 receipt list schema with stale field names in https://github.com/onetimesecret/onetimesecret/pull/2775
• Fix JSON encoding and case sensitivity in repair scripts in https://github.com/onetimesecret/onetimesecret/pull/2780
• Fix double-encoding in sanitize_plain_text in https://github.com/onetimesecret/onetimesecret/pull/2809
• Fix sender config verification reset and add email validation in https://github.com/onetimesecret/onetimesecret/pull/2829
• Fix CLI subcommands display in https://github.com/onetimesecret/onetimesecret/pull/2840
• Fix email case sensitivity mismatch between Rodauth and Redis in https://github.com/onetimesecret/onetimesecret/pull/2844
• Fix SSO config form UX: duplicate messages, locked provider, test cleanup in https://github.com/onetimesecret/onetimesecret/pull/2846
• Fix Lettermint domain provisioning to use Team API in https://github.com/onetimesecret/onetimesecret/pull/2853
• Fix domain SSO routes 404 when AUTH_SSO_ENABLED=false in https://github.com/onetimesecret/onetimesecret/pull/2855
• Fix Lettermint domain creation error handling in https://github.com/onetimesecret/onetimesecret/pull/2860
• Fix incoming secrets test coverage and remove Postman artifacts in https://github.com/onetimesecret/onetimesecret/pull/2871
• Fix OrganizationsSettings to use MANAGE_ORGS entitlement in https://github.com/onetimesecret/onetimesecret/pull/2882
• Fix: Clear member's org cache on removal (#2877) in https://github.com/onetimesecret/onetimesecret/pull/2883
• Fix cross-region federation plan resolution using metadata in https://github.com/onetimesecret/onetimesecret/pull/2900
• Fix member role update response + reorder org settings tabs in https://github.com/onetimesecret/onetimesecret/pull/2905
• Fix EmailHash normalization mismatch + add normalize_email unit tests in https://github.com/onetimesecret/onetimesecret/pull/2913
• Fix custom domain logos forced into square aspect ratio in https://github.com/onetimesecret/onetimesecret/pull/2924
• Fix bare-metal onboarding: defaults, validation, systemd templates in https://github.com/onetimesecret/onetimesecret/pull/2928
• Fix invite onboarding, domain header, mailer config, and homepage API in https://github.com/onetimesecret/onetimesecret/pull/2951
• Fix Sentry environment fragmentation by hostname in https://github.com/onetimesecret/onetimesecret/pull/2980
• Fix OpenAPI schema scanner gaps in https://github.com/onetimesecret/onetimesecret/pull/2989
• Fix Sentry startup error: use set_tags instead of config.tags in https://github.com/onetimesecret/onetimesecret/pull/2997
• Fix billing CLI ID truncation; add multi-currency probono migration in https://github.com/onetimesecret/onetimesecret/pull/3014
• Fix NOT email normalization (#3016) in https://github.com/onetimesecret/onetimesecret/pull/3018
• Fix blind unique-index guard in CustomDomain.claim_orphaned_domain in https://github.com/onetimesecret/onetimesecret/pull/3032
• Fix silent dry-run in v0.24.5 enrich migration pipeline in https://github.com/onetimesecret/onetimesecret/pull/3037

Dependencies

• Update Node.js to 7e791fc by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2782
• Update github/codeql-action digest to 5c8a8a6 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2781
• Update postgres:17 Docker digest to b994732 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2783
• Update dependency @types/node to v25.5.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2742
• Update dependency @babel/helpers to ^7.29.2 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2737
• Update docker/dockerfile Docker tag to v1.22 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2743
• Update docker/login-action action to v3.7.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2744
• Update docker/metadata-action action to v5.9.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2746
• Update dependency @codemirror/state to v6.6.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2738
• Update dependency @codemirror/view to v6.40.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2739
• Update rabbitmq Docker tag to v4.2 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2826
• Update pnpm to v10.33.0 - autoclosed by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2824
• Update golang Docker tag to v1.26 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2821
• Update docker/setup-qemu-action action to v3.7.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2820
• Update docker/setup-buildx-action action to v3.12.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2819
• Update docker/metadata-action action to v5.10.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2817
• Update dependency axios to ^1.14.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2815
• Update dependency rubocop to '~> 1.86.0' by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2816
• Secure renovate settings in https://github.com/onetimesecret/onetimesecret/pull/2858
• Update dependency vite to v7.3.2 [SECURITY] by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2902
• Update dependency @codemirror/lang-yaml to v6.1.3 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2939
• Update release-drafter/release-drafter action to v6.4.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2941
• Update valkey/valkey Docker tag to v8.1 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2942
• Update dependency axios to v1.15.0 [SECURITY] by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2949
• Update dependency dompurify to v3.4.0 [SECURITY] by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/3019
• Update dependency webmock to v3.26.2 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/3022
• Update dependency postcss to v8.5.10 [SECURITY] by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/3040
• Bump the bundler group across 1 directory with 2 updates by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/2749
• Bump picomatch from 2.3.1 to 2.3.2 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/2765
• Bump lodash from 4.17.23 to 4.18.1 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/2979
• Bump follow-redirects from 1.15.11 to 1.16.0 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/3010
• Bump yard from 0.9.38 to 0.9.42 in the bundler group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/3028

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.24.7...v0.25.0

What's Changed

• Fix nil domain_strategy causing custom domain permission check to always fail in https://github.com/onetimesecret/onetimesecret/pull/2764

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.24.6...v0.24.7

[!NOTE]
There are updates to the v0.24 upgrade migrations that fix some minor inconsistencies when run for the first time. It also includes repair scripts if they've already been run. All scripts are written to be idempotent so they can be run multiple times safely.

scripts/upgrades/v0.24.5/repair_display_domain_indexes.rb
scripts/upgrades/v0.24.5/repair_instance_index_scores.rb

What's Changed

• Wire try/jobs/ into CI and add live-broker check_jobqueue test in https://github.com/onetimesecret/onetimesecret/pull/2695
• Fix login crash when MFA disabled but account has MFA data in https://github.com/onetimesecret/onetimesecret/pull/2698
• Update gem deps to latest within range in https://github.com/onetimesecret/onetimesecret/pull/2680
• Customer schema: coerce string-encoded counter fields in https://github.com/onetimesecret/onetimesecret/pull/2701
• Split OpenAPI generator into per-API-version specs with tracked output in https://github.com/onetimesecret/onetimesecret/pull/2704
• Bump API docs deployment via Bump.sh hub in https://github.com/onetimesecret/onetimesecret/pull/2705
• [#2703] OpenAPI spec improvements: descriptions, config, and deployment in https://github.com/onetimesecret/onetimesecret/pull/2708
• Bump CLI workflow in https://github.com/onetimesecret/onetimesecret/pull/2709
• Bump CLI workflow contd in https://github.com/onetimesecret/onetimesecret/pull/2710
• Consolidate API v2/v3 structure for schema refactor in https://github.com/onetimesecret/onetimesecret/pull/2712
• Reorganize schema directories to mirror API structure in https://github.com/onetimesecret/onetimesecret/pull/2721
• Fix LICENSE link in README in https://github.com/onetimesecret/onetimesecret/pull/2724
• Improve footer links handling and remove unused domain context in https://github.com/onetimesecret/onetimesecret/pull/2723
• Standardize date formatting with date-fns library in https://github.com/onetimesecret/onetimesecret/pull/2725
• Bootstrap schema single source of truth + Options API refactor in https://github.com/onetimesecret/onetimesecret/pull/2731
• Implement layered schema architecture with comprehensive entity testing in https://github.com/onetimesecret/onetimesecret/pull/2722
• Fix non-deterministic UUIDv7 in migration pipeline in https://github.com/onetimesecret/onetimesecret/pull/2750
• Consolidate brand UI helpers and migrate components to v3 schemas in https://github.com/onetimesecret/onetimesecret/pull/2751
• Add dev auth strategies and modularize auth architecture in https://github.com/onetimesecret/onetimesecret/pull/2753
• Remove Customer.anonymous singleton and sentinel-based detection in https://github.com/onetimesecret/onetimesecret/pull/2736
• [#QUEST1] Improve startup error handling DX for worker and backend in https://github.com/onetimesecret/onetimesecret/pull/2756
• Make passphrase minimum length config-driven in https://github.com/onetimesecret/onetimesecret/pull/2759
• Add comprehensive data-testid attributes across Vue components in https://github.com/onetimesecret/onetimesecret/pull/2760
• [#2761] Quality Quest in https://github.com/onetimesecret/onetimesecret/pull/2762

Dependencies

• Bump loofah from 2.25.0 to 2.25.1 in the bundler group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/2707
• Update docker.io/library/ruby:3.4-slim-bookworm Docker digest to 510c441 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2715
• Update ruby/setup-ruby digest to 97b3338 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2716
• Update dependency @codemirror/view to v6.39.17 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2717
• Update dependency ruby to v3.4.9 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2718
• Update dorny/paths-filter action to v3.0.3 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2719
• Bump json from 2.19.1 to 2.19.2 in the bundler group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/2713

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.24.5...v0.24.6

What's Changed

• Receipt list secret identifier in https://github.com/onetimesecret/onetimesecret/pull/2687
• fix: Improve install onboarding for non-Docker setups (#2628) in https://github.com/onetimesecret/onetimesecret/pull/2683
• Consolidate release infrastructure, CLI tooling, and OpenAPI fixes in https://github.com/onetimesecret/onetimesecret/pull/2684
• Fix anonymous owner matching in Secret and Receipt (#2682) in https://github.com/onetimesecret/onetimesecret/pull/2688
• Derive OpenAPI tags from route paths instead of handler namespaces in https://github.com/onetimesecret/onetimesecret/pull/2690
• Rename omniauth→sso, add SSO-only sign-in gating in https://github.com/onetimesecret/onetimesecret/pull/2694
• Fix Zod validation errors for null booleans in V3 schemas in https://github.com/onetimesecret/onetimesecret/pull/2693

Dependencies

• Update npm deps to latest within range in https://github.com/onetimesecret/onetimesecret/pull/2679

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.24.4...v0.24.5

What's Changed

• Fix: Add VERSION build arg fallback for OCI image builds in https://github.com/onetimesecret/onetimesecret/pull/2678
• Fix BasicAuth 500 by removing plain Hash session fallback in https://github.com/onetimesecret/onetimesecret/pull/2681

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.24.3...v0.24.4

What's Changed

• Fix API authentication to default to disabled when config missing in https://github.com/onetimesecret/onetimesecret/pull/2656
• V1 API: Enforce v0.23.4 validation boundaries and rate limiting in https://github.com/onetimesecret/onetimesecret/pull/2661
• Add metadata_url field to V1 API receipt response in https://github.com/onetimesecret/onetimesecret/pull/2659
• V1 API: Preserve v0.23.4 validation boundaries and add rate limiting (#2621) in https://github.com/onetimesecret/onetimesecret/pull/2667
• Enforce V1 API response type contracts with coerce_v1_types in https://github.com/onetimesecret/onetimesecret/pull/2660
• V1 API additive field mapping for all 7 renamed fields (#2617) in https://github.com/onetimesecret/onetimesecret/pull/2675
• refactor: distinguish V1 wire format from V3 internal schemas in https://github.com/onetimesecret/onetimesecret/pull/2662
• Add comprehensive tests for receipt/secret state machine lifecycle (#2619) in https://github.com/onetimesecret/onetimesecret/pull/2663
• Update Zod imports from v4 to default export in https://github.com/onetimesecret/onetimesecret/pull/2665
• Add globalSetup to generate locale files before i18n tests in https://github.com/onetimesecret/onetimesecret/pull/2666
• Fix Docker images reporting version 0.0.0 (#2651) in https://github.com/onetimesecret/onetimesecret/pull/2664
• Migrate legacy pro-bono accounts to $0 complimentary subscriptions in https://github.com/onetimesecret/onetimesecret/pull/2658
• Fix browser language detection for regional locale variants (#2668) in https://github.com/onetimesecret/onetimesecret/pull/2669
• SSO docs: multi-provider rewrite and inline comment cleanup in https://github.com/onetimesecret/onetimesecret/pull/2672
• i18n: Harmonize and translate all 29 locales in https://github.com/onetimesecret/onetimesecret/pull/2674
• Multi-provider SSO: Entra ID, Google, GitHub alongside existing OIDC in https://github.com/onetimesecret/onetimesecret/pull/2676

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.24.2...v0.24.3

What's Changed

• Update installation docs and scripts for Ruby 3.4.7, Puma, and Valkey support in https://github.com/onetimesecret/onetimesecret/pull/2632
• docs: add comprehensive v0.23 → v0.24 schema migration guide in https://github.com/onetimesecret/onetimesecret/pull/2630
• Fix V1 Otto route auth enforcement and related auth hardening in https://github.com/onetimesecret/onetimesecret/pull/2648
• Add customers dates and purge CLI subcommands in https://github.com/onetimesecret/onetimesecret/pull/2650
• Fix version metadata for non-tag CI builds in https://github.com/onetimesecret/onetimesecret/pull/2653
• Fix V1 API response contract and path handling in https://github.com/onetimesecret/onetimesecret/pull/2652

Dependencies

• Bump undici from 6.23.0 to 6.24.0 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/2654

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.24.1...v0.24.2

What's Changed

• Simplify dev environment setup and process management in https://github.com/onetimesecret/onetimesecret/pull/2612
• Fix V1 API backward compat: params key, field mapping, passphrase guard in https://github.com/onetimesecret/onetimesecret/pull/2613
• V1 API compat: match v0.23 contract; fix validation tooling in https://github.com/onetimesecret/onetimesecret/pull/2626
• [#2615] V1 API compat gap-analysis deliverables in https://github.com/onetimesecret/onetimesecret/pull/2627
• V1 API: plan-aware TTL enforcement and compat documentation in https://github.com/onetimesecret/onetimesecret/pull/2629
• Fix: Load date_arithmetic extension on runtime database connections in https://github.com/onetimesecret/onetimesecret/pull/2645
• Convention-based OpenAPI 3.1 generator with full schema pipeline in https://github.com/onetimesecret/onetimesecret/pull/2644
• Fix JSON BINARY encoding warning in v2 decrypt path in https://github.com/onetimesecret/onetimesecret/pull/2647

Dependencies

• Pin dependencies by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2633
• Update docker.io/library/ruby:3.4-slim-bookworm Docker digest to 1af9231 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2634
• Update github/codeql-action digest to 820e316 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2635
• Update Node.js to b501c08 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2636
• Update postgres:17 Docker digest to 2cd8273 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2637
• Update dependency @asteasolutions/zod-to-openapi to ^8.4.1 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2639
• Update ruby/setup-ruby digest to ea73ddb by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2638
• Update dependency @sentry/cli to ^3.2.2 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2640
• Update dependency axios to ^1.13.5 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2641
• Update dependency happy-dom to ^20.7.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2642
• Bump dompurify from 3.3.1 to 3.3.2 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/2624

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.24.0...v0.24.1

Release Notes

[!NOTE]
This release is much larger than typical sub 1.0 updates. There are known rough edges and the install process is a bit gnarly for existing installs due to the significant configuration and data migration involved. We recommend testing the upgrade process on a staging environment before applying to production.

For the full announcement, see this post. For step-by-step upgrade instructions, see Upgrading from v0.23 to v0.24.

Configuration Changes

v0.24 includes significant configuration restructuring. Review the changes below and update your config.yaml / .env accordingly before upgrading.

New settings

site.session -- Explicit session configuration (previously implicit):

site:
  session:
    secret: <%= ENV['SESSION_SECRET'] %>   # Falls back to site.secret if not set
    expire_after: 86400                     # 24 hours
    key: 'onetime.session'
    secure: <%= ENV['SSL'] == 'true' %>
    same_site: lax                          # Required for Stripe/OAuth redirects
    httponly: true

site.secret_options.generated_value_display_ttl -- Controls how long a generated password remains visible on the receipt page:

site:
  secret_options:
    generated_value_display_ttl: <%= ENV['GENERATED_VALUE_DISPLAY_TTL'] || 60 %>

jobs -- Background job processing via RabbitMQ (email, billing, scheduled maintenance):

jobs:
  enabled: <%= ENV['JOBS_ENABLED'] == 'true' || false %>
  rabbitmq_url: <%= ENV['RABBITMQ_URL'] || 'amqp://guest:guest@localhost:5672/dev' %>
  fallback_to_sync: true   # Synchronous email delivery when RabbitMQ unavailable
  scheduler:
    enabled: <%= ENV['JOBS_SCHEDULER_ENABLED'] == 'true' || false %>
  maintenance:
    enabled: <%= ENV['JOBS_MAINTENANCE_ENABLED'] == 'true' || false %>

features.domains.validation_strategy -- Domain validation and certificate management:

features:
  domains:
    validation_strategy: <%= ENV['DOMAINS_VALIDATION_STRATEGY'] || 'passthrough' %>
    # Options: passthrough | approximated | caddy_on_demand
    acme:
      enabled: <%= ENV['ACME_ENDPOINT_ENABLED'] == 'true' %>

site.security.csp -- Content Security Policy:

site:
  security:
    csp:
      enabled: <%= ENV['CSP_ENABLED'] == 'true' || false %>

HKDF-derived secrets in .env -- Cryptographic material is now derived from a single root SECRET via HKDF (RFC 5869). Run ./install.sh init for new installs or ./install.sh reconcile for existing installs:

SECRET=                     # Root secret (back this up)
#-----BEGIN DERIVED SECRETS (from SECRET via HKDF)-----
#SESSION_SECRET=
#IDENTIFIER_SECRET=
#-----END DERIVED SECRETS-----
#-----BEGIN INDEPENDENT SECRETS-----
#AUTH_SECRET=
#ARGON2_SECRET=
#-----END INDEPENDENT SECRETS-----
#-----BEGIN FEDERATION-----
#FEDERATION_SECRET=
#-----END FEDERATION-----

Moved / renamed settings

| v0.23 location | v0.24 location |
|---|---|
| site.regions | features.regions |
| site.domains | features.domains |
| site.domains.cluster.* | features.domains.approximated.* |
| experimental.middleware.* | site.middleware.* (with env var overrides) |
| experimental.allow_nil_global_secret | development.allow_nil_global_secret |
| emailer.fromname | emailer.from_name |

Removed settings

| Setting | Notes |
|---|---|
| site.plans | Replaced by entitlement enforcement system with Stripe integration |
| site.authenticity | Altcha captcha config removed |
| site.authentication.colonels | Use COLONEL env var only |
| experimental (entire section) | Options moved to development or site.middleware; freeze_app and rotated_secrets removed |
| limits (entire section) | Rate limiting replaced by middleware-based approach |
| logging (top-level section) | Logging now handled internally |
| redis.dbs.* | Removed |

Redis database consolidation

All Redis databases now default to 0 (previously spread across databases 0-15). Existing installs with data in multiple databases should use the migration tooling. VALKEY_* env vars now take precedence over REDIS_* equivalents.

Authentication & Session Management

• Introduce new app: Auth service in https://github.com/onetimesecret/onetimesecret/pull/1663
• Frontend Auth Integration in https://github.com/onetimesecret/onetimesecret/pull/1672
• Complete V2::Session removal and migrate to unified Rack::Session architecture in https://github.com/onetimesecret/onetimesecret/pull/1675
• Complete Otto authentication integration for API v2 in https://github.com/onetimesecret/onetimesecret/pull/1680
• Complete Otto authentication integration phases 2-5 in https://github.com/onetimesecret/onetimesecret/pull/1681
• Configuration and Session Standardization in https://github.com/onetimesecret/onetimesecret/pull/1682
• Simplify Onetime Session Integration in https://github.com/onetimesecret/onetimesecret/pull/1683
• Auth API standardization and session management improvements in https://github.com/onetimesecret/onetimesecret/pull/1684
• Dual authentication mode architecture in https://github.com/onetimesecret/onetimesecret/pull/1798
• Organize authentication tests by mode for better CI efficiency in https://github.com/onetimesecret/onetimesecret/pull/1804
• Add authentication-required mode with dedicated route guards in https://github.com/onetimesecret/onetimesecret/pull/1694
• Handle orphaned sessions gracefully in auth endpoints in https://github.com/onetimesecret/onetimesecret/pull/2220
• Add feature flags for signin and signup routes in https://github.com/onetimesecret/onetimesecret/pull/2481
• Fix CSRF token generation against detached session on anonymous routes in https://github.com/onetimesecret/onetimesecret/pull/2502
• Simplify CSRF: Remove shrimp code, use Rack::Protection only in https://github.com/onetimesecret/onetimesecret/pull/2428
• Fix CSRF token refresh on form submission errors in https://github.com/onetimesecret/onetimesecret/pull/2531
• Consolidate CSRF handling for OmniAuth SSO routes in https://github.com/onetimesecret/onetimesecret/pull/2416
• Add OmniAuth SSO integration for OIDC identity providers in https://github.com/onetimesecret/onetimesecret/pull/2417
• Rename auth env vars to AUTH_*_ENABLED pattern in https://github.com/onetimesecret/onetimesecret/pull/2420
• Add transparent password migration from Redis to Rodauth in https://github.com/onetimesecret/onetimesecret/pull/2452
• Enforce auth strategy session contracts in https://github.com/onetimesecret/onetimesecret/pull/2551
• Polish MFA recovery codes UI in https://github.com/onetimesecret/onetimesecret/pull/2221
• Add email change UI with verification flow in https://github.com/onetimesecret/onetimesecret/pull/2526

Organizations & Teams

• Add OrganizationMembership through model for rich Customer/Organization relationships in https://github.com/onetimesecret/onetimesecret/pull/2239
• Organization invitation system in https://github.com/onetimesecret/onetimesecret/pull/2241
• Consolidate Teams into Organizations in https://github.com/onetimesecret/onetimesecret/pull/2242
• Phase 6: Cleanup and final verification in https://github.com/onetimesecret/onetimesecret/pull/2245
• Add organization member management with role-based permissions in https://github.com/onetimesecret/onetimesecret/pull/2287
• Organization navigation and workspace layout refactoring in https://github.com/onetimesecret/onetimesecret/pull/2306
• Fix extid-based API calls and organization settings navigation in https://github.com/onetimesecret/onetimesecret/pull/2311
• Implement Opaque Identifier Pattern (ExtId/ObjId Branded Types) in https://github.com/onetimesecret/onetimesecret/pull/2317
• Elevate domain context to workspace-level scope (Variation D) in https://github.com/onetimesecret/onetimesecret/pull/2274
• Add route-based scope switcher visibility control in https://github.com/onetimesecret/onetimesecret/pull/2324
• Sync domain context switcher with route navigation in https://github.com/onetimesecret/onetimesecret/pull/2509

API & Routes

• Add public /share API endpoints for guest (anonymous) users (#2190) in https://github.com/onetimesecret/onetimesecret/pull/2199
• Add comprehensive test coverage and documentation for guest routes (#2190) in https://github.com/onetimesecret/onetimesecret/pull/2284
• Add guest routes for anonymous API access (#2190) in https://github.com/onetimesecret/onetimesecret/pull/2191
• Fix(api): Use string keys for HTTP params across API boundaries in https://github.com/onetimesecret/onetimesecret/pull/2329
• Replace blocking Redis KEYS with non-blocking SCAN in Colonel API in https://github.com/onetimesecret/onetimesecret/pull/2280
• Fix link recipient UI and API auth in https://github.com/onetimesecret/onetimesecret/pull/2548
• Fix #2500: Allow null values in incoming secret API response fields in https://github.com/onetimesecret/onetimesecret/pull/2505

Data Migration & Redis

• Prevent loss of access to data with auto-configuration for legacy Redis databases in https://github.com/onetimesecret/onetimesecret/pull/1731
• Enhance Redis data consolidation command with comprehensive migration tools in https://github.com/onetimesecret/onetimesecret/pull/1735
• Auto-configure Redis database indexes from legacy data in https://github.com/onetimesecret/onetimesecret/pull/1737
• Complete Familia v1→v2 data migration pipeline in https://github.com/onetimesecret/onetimesecret/pull/2436
• Add Kiba ETL migration pipeline spike for customer transform in https://github.com/onetimesecret/onetimesecret/pull/2448
• Add migration pipeline library infrastructure in https://github.com/onetimesecret/onetimesecret/pull/2447
• Data migration framework: three implementation approaches in https://github.com/onetimesecret/onetimesecret/pull/2449
• Data migration framework and schema-derived types in https://github.com/onetimesecret/onetimesecret/pull/2453
• Fix migration bugs, add billing_email support, legacy plan handling in https://github.com/onetimesecret/onetimesecret/pull/2470
• Reorganize migration infrastructure and upgrade scripts in https://github.com/onetimesecret/onetimesecret/pull/2476
• Harden v0.24 migration: fix index bugs, add validators, improve test coverage in https://github.com/onetimesecret/onetimesecret/pull/2506
• Handle valkey errors gracefully when checking legacy data in https://github.com/onetimesecret/onetimesecret/pull/2504
• Fix backfill progress and add Redis deduplication commands in https://github.com/onetimesecret/onetimesecret/pull/2572
• Normalize orphaned JSON-quoted instance members in https://github.com/onetimesecret/onetimesecret/pull/2592
• Add scheduled maintenance jobs for Redis data consistency in https://github.com/onetimesecret/onetimesecret/pull/2584
• Address PR #2550 review feedback: load_multi optimization and whitespace fix in https://github.com/onetimesecret/onetimesecret/pull/2595
• Database configuration improvements and test fixes in https://github.com/onetimesecret/onetimesecret/pull/1730
• ACME app hardening, non-fatal migration validators, infra fixes in https://github.com/onetimesecret/onetimesecret/pull/2603
• Harden ACME localhost detection, redact PII in migration scripts, normalize boot logging in https://github.com/onetimesecret/onetimesecret/pull/2602

Architecture & Core

• Upgrade to Rack 3 & Otto 1.4: Modernization, Security, and Performance in https://github.com/onetimesecret/onetimesecret/pull/1592
• Familia 2 upgrade with custom domain disclaimer in https://github.com/onetimesecret/onetimesecret/pull/1618
• Migrate to Familia v2-pre15 and consolidate model architecture in https://github.com/onetimesecret/onetimesecret/pull/1657
• Complete Otto 2 migration and reorganize application structure in https://github.com/onetimesecret/onetimesecret/pull/1786
• Replace Chimera with Rhales in https://github.com/onetimesecret/onetimesecret/pull/1805
• Refactor Customer model and upgrade to Familia 2.0.0.pre17 in https://github.com/onetimesecret/onetimesecret/pull/1770
• Clean codebase consolidation and V2→Onetime namespace migration in https://github.com/onetimesecret/onetimesecret/pull/1774
• Remove core extensions and cleanup utility methods in https://github.com/onetimesecret/onetimesecret/pull/1659
• Standardize on string keys for configuration and view variables in https://github.com/onetimesecret/onetimesecret/pull/1581
• Replace JSON with OJ across codebase in https://github.com/onetimesecret/onetimesecret/pull/1740
• Replace custom rate limiting logic in https://github.com/onetimesecret/onetimesecret/pull/1577
• Replace custom Ruby i18n with ruby-i18n gem in https://github.com/onetimesecret/onetimesecret/pull/2259
• Add @phase infrastructure to initializer system (PR 1/2) in https://github.com/onetimesecret/onetimesecret/pull/2204
• Convert fork-sensitive initializers to phase-aware pattern (PR 2/2) in https://github.com/onetimesecret/onetimesecret/pull/2206
• Implement Kubernetes-style boot state model for test isolation in https://github.com/onetimesecret/onetimesecret/pull/2264
• ADR-001: Rack application naming and separation in https://github.com/onetimesecret/onetimesecret/pull/1796
• ADR-002: Custom session handler rationale in https://github.com/onetimesecret/onetimesecret/pull/1802
• Fix Receipt.spawn_pair double-save that caused missing secret_ttl in https://github.com/onetimesecret/onetimesecret/pull/2604
• Add domain strategy response headers and remove systemd files in https://github.com/onetimesecret/onetimesecret/pull/2601

Internationalization (i18n)

• I18n/nl in https://github.com/onetimesecret/onetimesecret/pull/1543
• Autoload all available languages in https://github.com/onetimesecret/onetimesecret/pull/1928
• Add Russian language translates by @kh0mka in https://github.com/onetimesecret/onetimesecret/pull/2130
• Reorganize uncategorized locale keys into proper category structure in https://github.com/onetimesecret/onetimesecret/pull/2277
• Expand i18n prototype pollution test coverage in https://github.com/onetimesecret/onetimesecret/pull/2279
• Update code references after i18n key reorganization in https://github.com/onetimesecret/onetimesecret/pull/2285
• Restructure i18n locale files: kebab-case to snake_case migration in https://github.com/onetimesecret/onetimesecret/pull/2290
• Complete locale translations and cleanup related scripts in https://github.com/onetimesecret/onetimesecret/pull/2320
• Implement i18n for Email Templates in https://github.com/onetimesecret/onetimesecret/pull/2331
• Add email template internationalization for 27 languages in https://github.com/onetimesecret/onetimesecret/pull/2333
• i18n support for auth emails + CI workflow modernization in https://github.com/onetimesecret/onetimesecret/pull/2335
• Persist translation metadata across database rebuilds in https://github.com/onetimesecret/onetimesecret/pull/2414
• Fix translation script paths and i18n backend initialization in https://github.com/onetimesecret/onetimesecret/pull/2413
• Mass translation update with SHA256 change tracking in https://github.com/onetimesecret/onetimesecret/pull/2415
• Add Git JSON merge driver for locale files in https://github.com/onetimesecret/onetimesecret/pull/2080

Background Jobs & Email

• Use RabbitMQ policies for DLQ TTL instead of queue arguments in https://github.com/onetimesecret/onetimesecret/pull/2539
• Add DlqEmailConsumerJob: scheduled auth email replay from DLQ in https://github.com/onetimesecret/onetimesecret/pull/2544
• Email change hardening: rate limiting, Stripe field fix, retry counter scoping in https://github.com/onetimesecret/onetimesecret/pull/2545
• Unify email delivery error handling and add Lettermint backend in https://github.com/onetimesecret/onetimesecret/pull/2534
• Add email send and templates CLI commands in https://github.com/onetimesecret/onetimesecret/pull/2533
• Refactor email masking with Mail gem and improved TLD handling in https://github.com/onetimesecret/onetimesecret/pull/2469
• Add health check endpoints with RabbitMQ monitoring in https://github.com/onetimesecret/onetimesecret/pull/2418
• Enable test suites, fix RabbitMQ race condition, add boot diagnostics in https://github.com/onetimesecret/onetimesecret/pull/2334
• Fix scheduler crash on abstract job classes and add role-aware healthchecks in https://github.com/onetimesecret/onetimesecret/pull/2600

Secrets & Custom Domains

• Fix v1/v2 decrypt passphrase handling and restrict receipt value display in https://github.com/onetimesecret/onetimesecret/pull/2513
• Improve passphrase validation and UI layout in https://github.com/onetimesecret/onetimesecret/pull/1697
• Fix branded homepage links and custom domain branding in https://github.com/onetimesecret/onetimesecret/pull/2519
• Remove social metadata for custom domains in https://github.com/onetimesecret/onetimesecret/pull/1927
• Add backend verification trigger from DNS widget in https://github.com/onetimesecret/onetimesecret/pull/2435
• Add domain verification CLI commands with shared operations layer in https://github.com/onetimesecret/onetimesecret/pull/2472
• Incoming secrets v0.24 hardening in https://github.com/onetimesecret/onetimesecret/pull/2541
• Re-add Incoming Secrets feature in https://github.com/onetimesecret/onetimesecret/pull/2016
• Remove the incomplete incoming secrets feature in https://github.com/onetimesecret/onetimesecret/pull/2017
• Fix for TTL above 7 days in https://github.com/onetimesecret/onetimesecret/pull/2393
• New configuration item allowed_signup_domains by @david-garcia-garcia in https://github.com/onetimesecret/onetimesecret/pull/1936
• Migrate rel/0.22 features to develop: password generation & configuration in https://github.com/onetimesecret/onetimesecret/pull/1705
• Fix password generation config key handling in https://github.com/onetimesecret/onetimesecret/pull/1772
• Retire experimental config section in https://github.com/onetimesecret/onetimesecret/pull/2532

UI & Frontend

• Fix MastHead css class typo by @aprivette in https://github.com/onetimesecret/onetimesecret/pull/1620
• Fix class attribute formatting in MastHead.vue by @jhob101 in https://github.com/onetimesecret/onetimesecret/pull/1840
• Update custom logo MastHead styles for site name by @jhob101 in https://github.com/onetimesecret/onetimesecret/pull/1849
• Fix tooltip text for logout and settings icons in https://github.com/onetimesecret/onetimesecret/pull/1736
• Clean up dashboard UX: remove stay-on-page toggle, gate dismiss button on auth in https://github.com/onetimesecret/onetimesecret/pull/2514
• Show disabled homepage when UI explicitly disabled in https://github.com/onetimesecret/onetimesecret/pull/1692
• Make settings view in colonel clearly read-only in https://github.com/onetimesecret/onetimesecret/pull/1704
• Remove unused useDashboardMode composable in https://github.com/onetimesecret/onetimesecret/pull/2271
• Fix validation ordering, add PII masking in https://github.com/onetimesecret/onetimesecret/pull/2272
• Upgrade to Vite 6 in https://github.com/onetimesecret/onetimesecret/pull/1739
• Upgrade to zod 4 in https://github.com/onetimesecret/onetimesecret/pull/1575
• Add explicit @codemirror/state dep (reprise) in https://github.com/onetimesecret/onetimesecret/pull/1711
• Fix build issues and ESLint configuration in https://github.com/onetimesecret/onetimesecret/pull/1708
• Remove external dependency from vite build in https://github.com/onetimesecret/onetimesecret/pull/1715
• Backport homepage mode functionality in https://github.com/onetimesecret/onetimesecret/pull/2010
• Fix CIDR privacy blocking logic in homepage mode in https://github.com/onetimesecret/onetimesecret/pull/2011
• Add default homepage mode in https://github.com/onetimesecret/onetimesecret/pull/2012
• Include mail validation config in boot log banner in https://github.com/onetimesecret/onetimesecret/pull/1941
• Regenerate pnpm lockfile in https://github.com/onetimesecret/onetimesecret/pull/2591

Docker, CI & Infrastructure

• Overhaul Docker/OCI build system and workflow automation in https://github.com/onetimesecret/onetimesecret/pull/1576
• Add Docker integration testing with E2E validation in https://github.com/onetimesecret/onetimesecret/pull/1716
• Refactor Docker Compose into modular simple and full stack configs in https://github.com/onetimesecret/onetimesecret/pull/2528
• Add Docker Bake build orchestration and Podman support in https://github.com/onetimesecret/onetimesecret/pull/2560
• Streamline Docker setup with install.sh and mailpit service in https://github.com/onetimesecret/onetimesecret/pull/2549
• Add unified install.sh entrypoint and split rake ots:init in https://github.com/onetimesecret/onetimesecret/pull/2543
• Fix OCI image version tracking: separate IMAGE_TAG from VERSION in https://github.com/onetimesecret/onetimesecret/pull/2585
• Fix container E2E boot failure - add Familia dependency in https://github.com/onetimesecret/onetimesecret/pull/2268
• Fix OCI workflow and add tmate debugging support in https://github.com/onetimesecret/onetimesecret/pull/2078
• Re-add manual workflow dispatch with debug and platform options in https://github.com/onetimesecret/onetimesecret/pull/1709
• Use Valkey in CI in https://github.com/onetimesecret/onetimesecret/pull/1587
• Configure workflows to run on specific branches in https://github.com/onetimesecret/onetimesecret/pull/1567
• Update workflow triggers to include 'main' branch in https://github.com/onetimesecret/onetimesecret/pull/2076
• Enhance GitHub issue housekeeping with auto-labeling and lock threads in https://github.com/onetimesecret/onetimesecret/pull/2269
• Add Release Drafter workflow for automated release notes in https://github.com/onetimesecret/onetimesecret/pull/2451
• Configure Qodo Merge compliance checks and best practices by @Copilot in https://github.com/onetimesecret/onetimesecret/pull/1778
• Set up Ruby 3.4.7 SessionStart hook in https://github.com/onetimesecret/onetimesecret/pull/1938
• Settings migration infrastructure for v0.23 in https://github.com/onetimesecret/onetimesecret/pull/2075
• Add development process manager and setup tooling in https://github.com/onetimesecret/onetimesecret/pull/2275

Testing

• Vue test suite improvements in https://github.com/onetimesecret/onetimesecret/pull/1571
• Separate amalgamated tests dir in https://github.com/onetimesecret/onetimesecret/pull/1573
• Review and update languageStore and domainStore tests in https://github.com/onetimesecret/onetimesecret/pull/1574
• Merge recovered authentication test coverage into auth-integration in https://github.com/onetimesecret/onetimesecret/pull/1677
• Add comprehensive RSpec coverage for @phase infrastructure in https://github.com/onetimesecret/onetimesecret/pull/2214
• Add comprehensive database trigger test coverage in https://github.com/onetimesecret/onetimesecret/pull/2210
• Fix RSpec state isolation and authentication mode filtering in https://github.com/onetimesecret/onetimesecret/pull/2260
• Fix billing CLI VCR specs and Stripe API compatibility in https://github.com/onetimesecret/onetimesecret/pull/2261
• Fix RSpec WrongScopeError in billing_spec_helper.rb in https://github.com/onetimesecret/onetimesecret/pull/2262
• Simplify billing test helper architecture (3 layers → 2) in https://github.com/onetimesecret/onetimesecret/pull/2266
• Fix test isolation: Redis cleanup hooks in https://github.com/onetimesecret/onetimesecret/pull/2270
• Update VCR cassettes for billing controller specs in https://github.com/onetimesecret/onetimesecret/pull/2273
• Reorganize tryouts test suite for improved discoverability in https://github.com/onetimesecret/onetimesecret/pull/1773
• Test suite fixes in https://github.com/onetimesecret/onetimesecret/pull/1777
• Fix billing tryouts test failures in https://github.com/onetimesecret/onetimesecret/pull/2203
• Fix banner display suppression in test mode in https://github.com/onetimesecret/onetimesecret/pull/1738
• Add test coverage for chain_length == trusted_proxy_depth scenario in https://github.com/onetimesecret/onetimesecret/pull/2040

Cleanup & Removals

• Remove sysinfo dependency in https://github.com/onetimesecret/onetimesecret/pull/1580
• Remove stathat in https://github.com/onetimesecret/onetimesecret/pull/1582
• Pare Dependencies in https://github.com/onetimesecret/onetimesecret/pull/1583
• Remove unused models and clean up codebase in https://github.com/onetimesecret/onetimesecret/pull/1585
• Remove Gibbler Dependency in https://github.com/onetimesecret/onetimesecret/pull/1586
• Remove unused support_host configuration in https://github.com/onetimesecret/onetimesecret/pull/1578
• Overhaul RuboCop configuration and apply in https://github.com/onetimesecret/onetimesecret/pull/1591
• Fix code quality issues: regex anchors, destroy! cleanup, and i18n prototype pollution in https://github.com/onetimesecret/onetimesecret/pull/2217
• Fix event limit lookup in https://github.com/onetimesecret/onetimesecret/pull/2112
• Fix case collision for docs/development.md in https://github.com/onetimesecret/onetimesecret/pull/1779

Documentation

• Improve README UX and create detailed INSTALL guide in https://github.com/onetimesecret/onetimesecret/pull/1696
• Add branch information note to readme in https://github.com/onetimesecret/onetimesecret/pull/1824
• Update renovate config w/ better docs in https://github.com/onetimesecret/onetimesecret/pull/1830
• ADR/006 in https://github.com/onetimesecret/onetimesecret/pull/1805

New Contributors

• @aprivette made their first contribution in https://github.com/onetimesecret/onetimesecret/pull/1620
• @jhob101 made their first contribution in https://github.com/onetimesecret/onetimesecret/pull/1840
• @david-garcia-garcia made their first contribution in https://github.com/onetimesecret/onetimesecret/pull/1936
• @kh0mka made their first contribution in https://github.com/onetimesecret/onetimesecret/pull/2130
• @Copilot made their first contribution in https://github.com/onetimesecret/onetimesecret/pull/1778

• Bump @intlify/core from 11.1.5 to 11.1.10 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/1558
• Bump form-data from 4.0.2 to 4.0.4 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/1570
• Bump vite from 5.4.19 to 5.4.20 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/1662
• Bump axios from 1.9.0 to 1.12.0 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/1674
• Pin dependencies by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1749
• Update dependency @types/node to v22.19.9 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2482
• Update dependency @types/node to v22.19.11 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2507
• Bump @isaacs/brace-expansion from 5.0.0 to 5.0.1 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/2468
• Update dependency axios to v1.13.5 [SECURITY] by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2493
• Update docker.io/library/ruby:3.4-slim-bookworm Docker digest to bbc4917 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2494
• Update github/codeql-action digest to b5ebac6 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2495
• Update github/codeql-action digest to 4558047 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2556
• Update Node.js to 379c51a by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2496
• Update postgres:17 Docker digest to 2006493 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2497
• Update postgres:17 Docker digest to 1eada89 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2557
• Bump faraday from 2.14.0 to 2.14.1 in the bundler group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/2490
• Update ruby/setup-ruby digest to 7f562e2 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2498
• Update ruby/setup-ruby digest to 0fa9651 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2590
• Update dependency @codemirror/view to v6.39.13 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2499
• Update dependency @codemirror/view to v6.39.15 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2558
• Update dependency @sentry/vite-plugin to ^4.9.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2559
• Bump qs from 6.14.1 to 6.14.2 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/2508
• Update dependency focus-trap to ^7.8.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2460
• Update dependency stripe to ^20.3.1 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2516
• Update docker/build-push-action action to v6.19.2 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2522
• Update docker/dockerfile Docker tag to v1.16 - autoclosed by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2523
• Update docker/dockerfile Docker tag to v1.21 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2568
• Update docker/login-action action to v3.7.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2571
• Update docker/login-action action to v3.6.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2570
• Bump markdown-it from 14.1.0 to 14.1.1 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/2510
• Bump rack from 3.2.4 to 3.2.5 in the bundler group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/2527
• Update dependency prettier to ^3.8.1 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2461
• Update dependency rollup to v4.56.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2486
• Update dependency rollup to ^4.59.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2563
• Update dependency python to 3.14 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2485
• Bump ajv from 6.12.6 to 6.14.0 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/2553
• Bump minimatch from 3.1.2 to 3.1.3 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/2574
• Bump minimatch from 3.1.3 to 3.1.5 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/2587
• Bump nokogiri from 1.19.0 to 1.19.1 in the bundler group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/2552
• Update dependency rubocop to '~> 1.85.0' by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2599

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.23.6...v0.24.0

What's Changed

• Backport Docker Bake build infrastructure from v0.24 by @delano in https://github.com/onetimesecret/onetimesecret/pull/2561
• Fix Truemail config, add health check and less by @delano in https://github.com/onetimesecret/onetimesecret/pull/2573
• Harden Docker build for Podman compat and reproducibility by @delano in https://github.com/onetimesecret/onetimesecret/pull/2575
• Design improvements: brand colors, popup modal, Docker hardening by @delano in https://github.com/onetimesecret/onetimesecret/pull/2576
• v0.23: Fix missing translations in footer components (#2582) by @delano in https://github.com/onetimesecret/onetimesecret/pull/2607

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.23.5...v0.23.6

What's Changed

• [#2500] Fix incoming secrets: validation, email delivery, passphrase notice by @delano in https://github.com/onetimesecret/onetimesecret/pull/2538

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.23.4...v0.23.5

What's Changed

• Fix incoming secret response schema nullability by @delano in https://github.com/onetimesecret/onetimesecret/pull/2512

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.23.3...v0.23.4

What's Changed

• Fix for TTL above 7 days by @delano in https://github.com/onetimesecret/onetimesecret/pull/2393 (via #2390)
• chore: bump version to 0.23.3 by @delano in https://github.com/onetimesecret/onetimesecret/pull/2399

Dependencies

• chore(deps): update redis:7.4-bookworm docker digest to f6f58ac by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2346
• chore(deps): update ruby:3.4-slim-bookworm docker digest to fdadeae by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2347
• chore(deps): update docker.io/library/ruby:3.4-slim-bookworm docker digest to fdadeae by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2344
• chore(deps): update node.js to 8739e53 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2345
• chore(deps): update dependency @intlify/devtools-types to v11.2.8 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2348
• chore(deps): update dependency @types/node to v22.19.6 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2391

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.23.2...v0.23.3

What's Changed

• feat(api): add guest routes for anonymous API access (#2190) by @delano in https://github.com/onetimesecret/onetimesecret/pull/2191
• feat(locales): add Russian language translates by @kh0mka in https://github.com/onetimesecret/onetimesecret/pull/2130
• Bump version to 0.23.2 by @delano in https://github.com/onetimesecret/onetimesecret/pull/2327

Dependencies (49)

• Update dependency rollup to v4.40.2 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2103
• chore(deps): update actions/checkout digest to 34e1148 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2102
• chore(deps): update dependency tailwindcss to v3.4.18 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2104
• chore(deps): update dependency vite-plugin-checker to v0.9.3 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2105
• chore(deps): update dependency vue-tsc to v2.2.12 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2108
• fix(deps): update dependency vue-codemirror6 to v1.3.22 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2106
• fix(deps): update dependency vue-i18n to v11.1.12 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2107
• chore(deps): update github/codeql-action digest to bffd034 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2139
• chore(deps): update pnpm/action-setup digest to e94b270 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2140
• chore(deps): update dependency @pinia/testing to v1.0.3 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2141
• chore(deps): update dependency @types/node to v22.15.35 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2142
• chore(deps): update dependency faker to v3.5.3 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2143
• chore(deps): update dependency happy-dom to v20.0.11 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2122
• chore(deps): update dependency puma to v6.6.1 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2123
• chore(deps): update dependency rack to v2.2.21 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2124
• chore(deps): update dependency rubocop-thread_safety to v0.7.3 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2125
• chore(deps): update dependency stringio to v3.1.9 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2144
• fix(deps): update dependency zod to v3.24.4 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2126
• fix(deps): update dependency zod-validation-error to v3.4.1 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2109
• fix(deps): update vue monorepo to v3.5.25 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2127
• fix(deps): update dependency @babel/helpers to v7.28.4 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2110
• chore(deps): update dependency @eslint/js to v9.27.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2137
• chore(deps): update github/codeql-action digest to 45c3735 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2193
• chore(deps): update docker.io/library/ruby:3.4-slim-bookworm docker digest to 3a51cff by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2192
• chore(deps): update node.js to c8abd8d by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2194
• chore(deps): update redis:7.4-bookworm docker digest to d665ad9 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2195
• chore(deps): update dependency autoprefixer to v10.4.23 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2197
• chore(deps): update ruby:3.4-slim-bookworm docker digest to 9eb304d by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2196
• chore(deps): update dependency tailwindcss to v3.4.19 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2198
• chore(deps): update dependency @eslint/js to v9.34.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2186
• chore(deps): update pnpm/action-setup digest to 1e1c8ea by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2200
• chore(deps): update dependency @eslint/js to v9.35.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2231
• chore(deps): update dependency @types/node to v22.16.5 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2238
• chore(deps): update docker.io/library/ruby:3.4-slim-bookworm docker digest to 9eb304d by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2250
• chore(deps): update dependency debug to v1.11.1 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2252
• chore(deps): update dependency net-imap to v0.5.13 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2253
• chore(deps): update dependency @intlify/devtools-types to v11.2.7 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2232
• chore(deps): update dependency @playwright/test to v1.53.2 - autoclosed by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2233
• fix(deps): update vue monorepo to v3.5.26 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2254
• chore(deps): replace dependency @tsconfig/node22 with @tsconfig/node24 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2249
• chore(deps): update dependency @tailwindcss/forms to v0.5.11 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2251
• chore(deps): update dependency @playwright/test to v1.55.1 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2235
• chore(deps): update dependency @sentry/vite-plugin to v3.6.1 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2237
• chore(deps): update dependency @types/node to v22.19.3 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2294
• chore(deps): update dependency esbuild to v0.27.2 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2296
• chore(deps): update dependency eslint-plugin-vue to v10.6.2 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2300
• chore(deps): update dependency eslint-import-resolver-typescript to v4.4.4 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2297
• chore(deps): update dependency @tsconfig/node24 to v24.0.3 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2315
• fix(deps): update dependency @codemirror/state to v6.5.3 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2316

New Contributors

• @kh0mka made their first contribution in https://github.com/onetimesecret/onetimesecret/pull/2130

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.23.1...v0.23.2

This is a release of v0.21.1 where all plans have 30 day max TTL for new secrets.

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.22.1...v0.22.1b

What's Changed

• Fix event limit lookup by @delano in https://github.com/onetimesecret/onetimesecret/pull/2112
• Bump version to v0.23.1 by @delano in https://github.com/onetimesecret/onetimesecret/pull/2113

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.23.0...v0.23.1

[!NOTE]
This release converts the main config file (etc/config.yaml) from symbol keys to string keys. Part of a series preparing to merge develop into main.

Deployment notes

[!WARNING]
Migration required before starting. The app will halt on boot with instructions, or set CONFIG_MIGRATE=auto to run automatically.

If mounting your own config file (e.g. -v $(pwd)/etc/config.yaml:/app/etc/config.yaml), ensure it's not mounted read-only (ro) or auto-migration will fail.

Migration Prompt

podman run -p 3000:3000 --name onetime-app \
    -e SECRET=$SECRET \
    -e REDIS_URL=redis://onetime-maindb:6379/0 \
    -v $(pwd)/etc/config.yaml:/app/etc/config.yaml \
    --rm \
    onetime.dev

INFO: Running entrypoint.sh...

ERROR: Migrations needed before startup

Pending migrations:
  bundle exec ruby migrations/20250727-1523_01_convert_symbol_keys.rb --dry-run

Options:
  1. Auto-migrate: Restart with CONFIG_MIGRATE=auto
  2. Manual: Run each migration with --run flag
  3. Skip: Set CONFIG_MIGRATE=skip (not recommended)

What's Changed

• Add test coverage for chain_length == trusted_proxy_depth scenario by @delano in https://github.com/onetimesecret/onetimesecret/pull/2040
• Sync Claude workflow files from practical-gagarin branch by @delano in https://github.com/onetimesecret/onetimesecret/pull/2058
• Update github/codeql-action digest to d3ced5c by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2065
• Update workflow triggers to include 'main' branch by @delano in https://github.com/onetimesecret/onetimesecret/pull/2076
• fix/rubocop by @delano in https://github.com/onetimesecret/onetimesecret/pull/2077
• Settings migration infrastructure for v0.23 by @delano in https://github.com/onetimesecret/onetimesecret/pull/2075
• feat(dx): Add Git JSON merge driver for locale files by @delano in https://github.com/onetimesecret/onetimesecret/pull/2080
• Fix OCI workflow and add tmate debugging support by @delano in https://github.com/onetimesecret/onetimesecret/pull/2078

Dependencies

• Update dependency axios to v1.12.2 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2041
• Update dependency nanoid to v5.1.6 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2042
• Update dependency postcss to v8.5.6 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2043
• Update dependency prettier-plugin-tailwindcss to v0.6.14 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2044
• Update github/codeql-action digest to d3ced5c by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2065
• Update dependency marked to v15.0.12 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2066
• Update dependency marked-highlight to v2.2.3 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2067
• Update dependency net-imap to v0.5.12 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2068
• Update dependency ostruct to v0.6.3 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2069
• Update dependency pinia to v3.0.4 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2070
• Update actions/checkout digest to 34e1148 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2048
• Update docker.io/library/ruby:3.4-slim-bookworm Docker digest to 1ca19bf by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2049
• Update redis:7.4-bookworm Docker digest to 483eaf6 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2051
• Update ruby:3.4-slim-bookworm Docker digest to 1ca19bf by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2052
• Update Node.js to 4ad2c2b by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/2050

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.22.11...v0.23.0-rc0

[!NOTE]
This is the final feature release for v0.22 (currently on main). Bug fixes and maintenance will continue, but no new features.

Starting with v0.23.0, there will be a series of maintenance releases to incrementally introduce automigrations and plumbing updates. This staged approach will help isolate and identify issues from individual changes.

This will be the long march to v1.0 from what is now the develop branch.

What's Changed

• New configuration item allowed_signup_domains by @david-garcia-garcia in https://github.com/onetimesecret/onetimesecret/pull/1936
• Include mail validation config in boot log banner by @delano in https://github.com/onetimesecret/onetimesecret/pull/1941
• Set up Ruby 3.4.7 SessionStart hook by @delano in https://github.com/onetimesecret/onetimesecret/pull/1938
• Update github/codeql-action digest to f94c9be by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1980
• Copy gitgnores from develop for max copaceticity by @delano in https://github.com/onetimesecret/onetimesecret/pull/1996
• Backport homepage mode functionality by @delano in https://github.com/onetimesecret/onetimesecret/pull/2010
• Fix CIDR privacy blocking logic in homepage mode by @delano in https://github.com/onetimesecret/onetimesecret/pull/2011
• Add default homepage mode by @delano in https://github.com/onetimesecret/onetimesecret/pull/2012
• Remove the incomplete incoming secrets feature by @delano in https://github.com/onetimesecret/onetimesecret/pull/2017
• Re-add Incoming Secrets feature by @delano in https://github.com/onetimesecret/onetimesecret/pull/2016
• Version bump to v0.22.11 by @delano in https://github.com/onetimesecret/onetimesecret/pull/2022

New Contributors

• @david-garcia-garcia made their first contribution in https://github.com/onetimesecret/onetimesecret/pull/1936

Dependencies

• Update dependency familia to v1.2.3 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1932
• Update dependency focus-trap to v7.6.6 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1933
• Update dependency happy-dom to v20.0.10 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1934
• Update dependency eslint-import-resolver-typescript to v4.3.5 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1917
• Update dependency @intlify/devtools-types to v11.1.12 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1909
• Update dependency dompurify to v3.2.7 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1915
• Update dependency @tailwindcss/typography to v0.5.19 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1911
• Update dependency eslint-plugin-tailwindcss to v3.18.2 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1918
• Update dependency autoprefixer to v10.4.22 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1981
• Update dependency httparty to v0.23.2 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1982
• Update dependency irb to v1.15.3 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1983
• Update dependency @tsconfig/node22 to v22.0.5 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1995
• Update dependency benchmark to v0.4.1 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1913
• Update dependency codemirror to v6.0.2 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1914
• Update dependency eslint-config-prettier to v10.1.8 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1916
• Bump the npm_and_yarn group across 1 directory with 4 updates by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/1854
• Bump rexml from 3.3.9 to 3.4.2 in the bundler group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/1827
• Bump js-yaml from 3.14.1 to 3.14.2 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/1966

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.22.10...v0.22.11

What's Changed

• Update custom logo MastHead styles for site name by @jhob101 in https://github.com/onetimesecret/onetimesecret/pull/1849
• Direct copy of claude workflows from develop by @delano in https://github.com/onetimesecret/onetimesecret/pull/1853
• Remove social metadata for custom domains by @delano in https://github.com/onetimesecret/onetimesecret/pull/1927
• Autoload all available languages by @delano in https://github.com/onetimesecret/onetimesecret/pull/1928
• Bump version to v0.22.10 by @delano in https://github.com/onetimesecret/onetimesecret/pull/1929

Dependencies

• Update dependency vite to v5.4.21 [SECURITY] by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1832
• Update mxschmitt/action-tmate digest to c0afd6f by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1841
• Update actions/checkout digest to 08eba0b by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1838
• Update github/codeql-action digest to 5d5cd55 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1858
• Update pnpm/action-setup digest to 41ff726 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1859
• Update CodeMirror by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1860
• Update redis:7.4-bookworm Docker digest to f3cd89d by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1870
• Update ruby:3.4-slim-bookworm Docker digest to f7e6d4d by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1871
• Update docker.io/library/ruby:3.4-slim-bookworm Docker digest to f7e6d4d by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1788
• Update dependency @babel/helpers to v7.27.6 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1855
• Update dependency @intlify/core to v11.1.12 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1856
• Update Node.js to dcf0610 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1920
• Update dependency esbuild to v0.25.12 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1921

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.22.9...v0.22.10

[!NOTE]
This release corrects an issue with the past few releases where the version patch was not incremented correctly. Thanks to @mezzomix for reporting it #1842

What's Changed

• Fix class attribute formatting in MastHead.vue by @jhob101 in https://github.com/onetimesecret/onetimesecret/pull/1840
• Add branch information note to readme in https://github.com/onetimesecret/onetimesecret/pull/1824
• Version bump to v0.22.9 in https://github.com/onetimesecret/onetimesecret/pull/1846

Dependencies

• Merge dependency updates to main in https://github.com/onetimesecret/onetimesecret/pull/1826
• Bump rack from 3.2.1 to 3.2.2 in the bundler group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/1794
• Bump happy-dom from 17.4.9 to 20.0.0 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/1799
• Update dependency vue-i18n to v11.1.10 [SECURITY] by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/1823
• Update gitignore files from develop in https://github.com/onetimesecret/onetimesecret/pull/1829
• Update renovate config w/ better docs in https://github.com/onetimesecret/onetimesecret/pull/1830

New Contributors

• @jhob101 made their first contribution in https://github.com/onetimesecret/onetimesecret/pull/1840

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.22.8...v0.22.9

What's Changed

• [#1748] Fix password generation config key handling by @delano in https://github.com/onetimesecret/onetimesecret/pull/1771

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.22.7...v0.22.8

What's Changed

• Remove external dependency from vite build by @delano in https://github.com/onetimesecret/onetimesecret/pull/1715

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.22.6...v0.22.7

What's Changed

• Backport latest OCI build workflows to rel/0.22 by @delano in https://github.com/onetimesecret/onetimesecret/pull/1710

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.22.5...v0.22.6

What's Changed

• Fix build issues and ESLint configuration by @delano in https://github.com/onetimesecret/onetimesecret/pull/1708

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.22.4...v0.22.5

Deployment Notes

[!IMPORTANT]
There are new features in the Colonel that are not fully functional in this release. For now we have limited the settings viewer to read-only.

New Configuration

[!TIP]
There are new UI configuration options for customizing passphrase, password generator, and whether the main homepage requires authentication. An issue with site.interface.ui.enabled (UI_ENABLED) has been fixed so the site can properly be disabled if only the API is being used. Alternately if you just want to disable the homepage and require an account to create secrets, set site.authentication.required (AUTH_REQUIRED) to true.

YAML

:site:
  :interface:
    :ui:
      # Controls whether the web interface is enabled
      # When false, only a basic explanation page is shown
      :enabled: <%= ENV['UI_ENABLED'] != 'false' %>
  # Configuration options for secret management
  :secret_options:
    # Settings for the passphrase field that protects access to secrets
    :passphrase:
      # Require users to enter a passphrase when creating secrets
      :required: <%= ENV['PASSPHRASE_REQUIRED'] == 'true' || false %>
      # Minimum number of characters required for passphrases
      :minimum_length: <%= ENV['PASSPHRASE_MIN_LENGTH'] || 8 %>
      # Maximum number of characters allowed for passphrases
      :maximum_length: <%= ENV['PASSPHRASE_MAX_LENGTH'] || 128 %>
      # Enforce complexity requirements (uppercase, lowercase, numbers, symbols)
      :enforce_complexity: <%= ENV['PASSPHRASE_ENFORCE_COMPLEXITY'] == 'true' || false %>
    # Settings for password generation (when users click "Generate Password")
    :password_generation:
      # Default length for generated passwords
      :default_length: <%= ENV['PASSWORD_GEN_LENGTH'] || 12 %>
      # Character sets to include in generated passwords
      :character_sets:
        # Include uppercase letters (A-Z)
        :uppercase: <%= ENV['PASSWORD_GEN_UPPERCASE'] != 'false' %>
        # Include lowercase letters (a-z)
        :lowercase: <%= ENV['PASSWORD_GEN_LOWERCASE'] != 'false' %>
        # Include numbers (0-9)
        :numbers: <%= ENV['PASSWORD_GEN_NUMBERS'] != 'false' %>
        # Include symbols (!@#$%^&*()_+-=[]{}|;:,.<>?)
        :symbols: <%= ENV['PASSWORD_GEN_SYMBOLS'] == 'true' || false %>
        # Exclude ambiguous characters (0, O, l, 1, I) to prevent confusion
        :exclude_ambiguous: <%= ENV['PASSWORD_GEN_EXCLUDE_AMBIGUOUS'] != 'false' %>
  :authentication:
    # When enabled, the homepage secret form is not available unless
    # the user is logged in. Similar to a disabled homepage, but still
    # shows the header with logo and navigation links. This allows for
    # a more restrictive mode where only authenticated users can create
    # secrets while maintaining site navigation and branding.
    :required: <%= ENV['AUTH_REQUIRED'] == 'true' %>

Environment variables

PASSPHRASE_REQUIRED=false
PASSPHRASE_MIN_LENGTH=0
PASSPHRASE_MAX_LENGTH=128
PASSPHRASE_ENFORCE_COMPLEXITY=false
PASSWORD_GEN_LENGTH=12
PASSWORD_GEN_UPPERCASE=true
PASSWORD_GEN_LOWERCASE=true
PASSWORD_GEN_NUMBERS=true
PASSWORD_GEN_SYMBOLS=true
PASSWORD_GEN_EXCLUDE_AMBIGUOUS=true
AUTH_REQUIRED=false

What's Changed

• Show disabled homepage when UI explicitly disabled by @delano in https://github.com/onetimesecret/onetimesecret/pull/1692
• Add authentication-required mode with dedicated route guards by @delano in https://github.com/onetimesecret/onetimesecret/pull/1694
• Improve README UX and create detailed INSTALL guide by @delano in https://github.com/onetimesecret/onetimesecret/pull/1696
• Improve passphrase validation and UI layout by @delano in https://github.com/onetimesecret/onetimesecret/pull/1697
• Make settings view in colonel clearly read-only by @delano in https://github.com/onetimesecret/onetimesecret/pull/1704

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.22.3...v0.22.4

Deployment Notes

[!CAUTION]
There are new features in the Colonel that are not fully functional in this release. They are intended for the next major-minor release v0.23.0 and are included in this release candidate as a preview.

New Configuration

[!IMPORTANT]
There are a bunch of new UI configuration options for customizing the header and footer. This configuration will be moving in the v0.23.0 release but fret not because there will be a migration script to convert to the new format. (In a nutshell, we're splitting the huge, single YAML file into two: a much smaller YAML file that will continue to work the same way; and a new dynamic config hash stored in Redis that can be updated without needing to restart.)

YAML

:site:
  # API and UI Configuration
  :interface:
    # Controls whether the web user interface is available. When disabled, the
    # homepage becomes a basic, readonly page with the logo and a brief
    # explanation of the site and how it works. This is helpful for link
    # recipients who may do some light investigation to see if the site is
    # legit as opposed a blank page or 404.
    :ui:
      # Header configuration
      # Controls branding and navigation in the site header
      :header:
        # Control switch to enable/disable header customization
        :enabled: <%= ENV['HEADER_ENABLED'] != 'false' %>
        # Branding configuration for logo and company name
        :branding:
          # Logo configuration
          :logo:
            # URL to logo image file (see src/components/logos)
            :url: <%= ENV['LOGO_URL'] || 'LegacyLogo.vue' %>
            # Alt text for logo image
            :alt: <%= ENV['LOGO_ALT'] || 'Share a Secret One-Time' %>
            # Where the logo links to when clicked
            :href: <%= ENV['LOGO_LINK'] || '/' %>
          # Company name override (falls back to i18n if not set)
          :site_name: <%= ENV['site_name'] || 'One-Time Secret' %>
        # Navigation configuration
        :navigation:
          # Enable/disable header navigation entirely
          :enabled: <%= ENV['HEADER_NAV_ENABLED'] != 'false' %>
      # Footer link configuration
      # These links appear in the footer of each page
      :footer_links:
        :enabled: <%= ENV['FOOTER_LINKS'] == 'true' || false %>
        :groups:
          - :name: legal
            :i18n_key: web.footer.legals
            :links:
              - :text: Terms of Service
                :i18n_key: terms-of-service
                # Replace with your own terms URL or use relative path like /terms
                :url: <%= ENV['TERMS_URL']  %>
                :external: <%= ENV['TERMS_EXTERNAL'] || false %>
              - :text: Privacy Policy
                :i18n_key: privacy-policy
                # Replace with your own privacy URL or use relative path like /privacy
                :url: <%= ENV['PRIVACY_URL']  %>
                :external: <%= ENV['PRIVACY_EXTERNAL'] || false %>
          - :name: resources
            :i18n_key: web.footer.resources
            :links:
              - :text: Status
                :i18n_key: status
                # Replace with your status page URL if you have one
                :url: <%= ENV['STATUS_URL'] %>
                :external: <%= ENV['STATUS_EXTERNAL'] || true %>
                :icon: signal
              - :text: About
                :i18n_key: web.COMMON.header_about
                # Replace with your about page URL
                :url: <%= ENV['ABOUT_URL'] %>
                :external: <%= ENV['ABOUT_EXTERNAL'] || false %>
          - :name: support
            :i18n_key: web.footer.support
            :links:
              - :text: Contact
                :i18n_key: web.footer.contact
                :url: <%= ENV['CONTACT_URL'] %>
                :external: false
    

Environment variables

# Header Customizations
HEADER_ENABLED=[true/false]
HEADER_NAV_ENABLED=[true/false]
LOGO_ALT=
LOGO_LINK=
# One of: DefaultLogo.vue, LegacyLogo.vue, OnetimeSecretLogo.vue
LOGO_URL=DefaultLogo.vue
site_name=

# Footer Links
FOOTER_LINKS=[true/false]
TERMS_URL=
TERMS_EXTERNAL=
PRIVACY_URL=
PRIVACY_EXTERNAL=
STATUS_URL=
STATUS_EXTERNAL=
ABOUT_URL=
ABOUT_EXTERNAL=
CONTACT_URL=

What's Changed

• Add GitHub Action for locale files harmonization by @delano in https://github.com/onetimesecret/onetimesecret/pull/1424
• Refactor layout and enhance footer links functionality by @delano in https://github.com/onetimesecret/onetimesecret/pull/1425
• Pin dependencies by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1432
• Improve startup banner formatting and organization by @delano in https://github.com/onetimesecret/onetimesecret/pull/1439
• Reorder sections in log banner by @delano in https://github.com/onetimesecret/onetimesecret/pull/1440
• Restructure architecture documentation for clarity and maintainability by @delano in https://github.com/onetimesecret/onetimesecret/pull/1447
• Add dynamic system settings and colonel settings admin by @delano in https://github.com/onetimesecret/onetimesecret/pull/1444
• Optimize harmonize locales workflow with intelligent trigger conditions by @delano in https://github.com/onetimesecret/onetimesecret/pull/1455
• Add legacy logo to let the good times roll by @delano in https://github.com/onetimesecret/onetimesecret/pull/1471
• Fix: Regenerate pnpm-lock.yaml by @delano in https://github.com/onetimesecret/onetimesecret/pull/1472
• Add missing codemirror dep by @delano in https://github.com/onetimesecret/onetimesecret/pull/1473
• Add Claude Code GitHub Workflow 🌊 by @delano in https://github.com/onetimesecret/onetimesecret/pull/1534
• Update UI defaults by @delano in https://github.com/onetimesecret/onetimesecret/pull/1539

Known Issues

• ~There is no configuration option to disabled the "Powered By Onetime Secret" text and link in the footer. This is a bug and not intentional.~ This is fixed.
• The Colonel is very buggy. YMMV.

Dependencies

• Update github/codeql-action digest to ff0a06e by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1417
• Update sentry-javascript monorepo to v9.17.0 by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1394
• Update docker.io/library/ruby:3.4-slim-bookworm Docker digest to 5d7149e by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1416
• Update Node.js to 74066d0 by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1418
• Update redis:bookworm Docker digest to b3ad798 by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1419
• Update ruby:3.4-slim-bookworm Docker digest to 9366423 by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1420
• Update docker.io/library/ruby:3.4-slim-bookworm Docker digest to 9366423 by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1433
• Update Node.js to 0b5b940 by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1434
• Update dependency @types/node to v22.15.21 by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1421
• Update dependency @vitejs/plugin-vue to v5.2.4 by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1422
• Update dependency @tsconfig/node22 to v22.0.2 by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1435
• Update dependency altcha to v1.4.4 by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1436
• Update dependency dompurify to v3.2.6 by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1437
• Update dependency eslint-config-prettier to v10.1.5 by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1438
• Update dependency @intlify/core to v11.1.5 by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1441
• Update dependency @intlify/devtools-types to v11.1.5 by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1442
• Update github/codeql-action digest to 181d5ee by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1484
• Bump brace-expansion from 1.1.11 to 1.1.12 in the npm_and_yarn group across 1 directory by @dependabot in https://github.com/onetimesecret/onetimesecret/pull/1490
• Pin dependencies by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1482
• Pin dependencies by @renovate in https://github.com/onetimesecret/onetimesecret/pull/1483

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.22.2...v0.22.3-rc1