Releases: Will-Luck/Docker-Sentinel

v2.13.0: Security hardening and reliability fixes

10 Apr 00:27

Security

  • Bumped google.golang.org/grpc 1.79.1 -> 1.79.3 to close CVE-2026-33186 (gRPC-Go authorization bypass via missing leading slash in :path). Not exploitable on Sentinel (mTLS, no path-based authz) but bumped for supply-chain hygiene.
  • Bumped github.com/go-jose/go-jose/v4 4.1.3 -> 4.1.4 (indirect) to close CVE-2026-34986 (panic in JWE decryption). Not exploitable on Sentinel (uses JWS not JWE).
  • Webhook secret is now header-only. POST /api/webhook requires X-Webhook-Secret header. The query-string fallback (?secret=...) has been removed because proxies and access logs record URLs verbatim. Breaking change for webhook clients using query-string auth.
  • Atom feed accepts Authorization: Bearer. GET /api/history/feed now prefers the header for credentials. The legacy ?token= still works but the rendered feed's <link rel="self"> no longer echoes the token.
  • OIDC login uses nonce + PKCE. The authorization request now includes a 32-byte nonce and S256 PKCE challenge. The callback verifies the nonce (constant-time) and sends the code_verifier on exchange. Closes two OAuth 2.1 replay classes: ID token replay across sessions and authorization code interception.
  • Logout is POST-only and CSRF-protected. GET /logout removed. POST /logout now requires CSRF double-submit token (already present in HTML templates).
  • OIDC callback error redirect sanitised. Raw IdP error strings no longer reflected into /login?error=.... Uses a fixed /login?error=sso_failed slug; detail logged server-side.
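The nonce and S256 PKCE flow described in the OIDC bullet, as an added illustration in Go (not Sentinel's own code): a fresh 32-byte nonce and code_verifier per login, the code_challenge derived as BASE64URL(SHA256(code_verifier)), and the nonce claim checked in constant time on the callback. The AuthRequest type and function names are assumptions for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// AuthRequest is one login's state (assumed type): Nonce goes in the authorization
// request and comes back inside the ID token; Verifier stays server-side until the
// code exchange; Challenge is what the IdP sees up front.
type AuthRequest struct{ Nonce, Verifier, Challenge string }

// S256Challenge is BASE64URL(SHA256(code_verifier)) per RFC 7636 section 4.2.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// NewAuthRequest draws a fresh 32-byte nonce and 32-byte verifier for one
// login and encodes both as unpadded base64url (the RFC 7636 alphabet).
func NewAuthRequest() (AuthRequest, error) {
	raw := make([]byte, 64)
	if _, err := rand.Read(raw); err != nil {
		return AuthRequest{}, err
	}
	enc := base64.RawURLEncoding.EncodeToString
	nonce, verifier := enc(raw[:32]), enc(raw[32:])
	return AuthRequest{nonce, verifier, S256Challenge(verifier)}, nil
}

// NonceMatches compares the ID token's nonce claim with the stored one in
// constant time, so response timing reveals nothing about the expected value.
func NonceMatches(expected, got string) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(got)) == 1
}

func main() {
	r, err := NewAuthRequest()
	if err != nil {
		panic(err)
	}
	// What the authorization request carries vs what stays server-side.
	fmt.Printf("nonce=%s\ncode_challenge=%s&code_challenge_method=S256\n", r.Nonce, r.Challenge)
	fmt.Printf("held for code exchange: code_verifier=%s\n", r.Verifier)
	fmt.Println("nonce verifies:", NonceMatches(r.Nonce, r.Nonce))
}
```

A replayed ID token carries a nonce from a different session, so NonceMatches fails, and an intercepted code is useless without the verifier that never left the server.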

Fixed

  • Graceful shutdown bounded to 10 seconds. srv.Shutdown previously used context.Background() which could hang indefinitely if any SSE client was connected. Now bounded so SIGTERM always completes.
  • NPM client body close. The defer resp.Body.Close() inside the retry loop (a deferred close only runs when the function returns, so each retried attempt held its body open until then) has been replaced with an immediate close before return.
  • Frontend authFetchJSON helper. New wrapper checks r.ok before parsing JSON. SSE row updates (highest-frequency dashboard fetch) now reject on non-2xx instead of silently corrupting DOM state.

Documentation

  • CSP comment corrected. The securityHeaders middleware comment now accurately describes why unsafe-inline is required (~160 inline onclick handlers, ~180 inline style attributes) instead of incorrectly attributing it to htmx.

Breaking Changes

  • Webhook query-string auth removed. If your CI/CD pipeline calls POST /api/webhook?secret=..., you must switch to the X-Webhook-Secret header before upgrading.

Full Changelog: v2.12.0...v2.13.0

v2.12.0

13 Mar 20:47

What's Changed

Multi-Instance Portainer Support

  • Connect multiple Portainer instances simultaneously, each with independent endpoint toggles
  • Portainer-managed containers appear as host groups on the dashboard, alongside local and cluster containers
  • New portainer_instances BoltDB bucket with full CRUD and automatic migration from legacy single-instance settings
  • Smart local socket detection prevents scanning the host Docker daemon twice when a Portainer endpoint points at the same machine
  • Auto-blocking of overlapping endpoints when multiple Portainer instances monitor the same Docker Engine (detected via Engine ID fingerprinting)
  • Connector UI in settings for adding, testing, and managing Portainer instances

Portainer Self-Update

  • Update Portainer directly from the Sentinel UI via a portainer-updater helper container
  • Streaming pull progress with history recording

NPM Resolver Hardening

  • Auto-detects local IPs to prevent cross-host port shadowing (containers on different hosts no longer resolve to the wrong NPM URL)
  • Skips wildcard domains in port URL resolution
  • Excludes container-local IPs from host filtering

Cluster Improvements

  • Source deduplication via Docker Engine ID fingerprinting across agents and Portainer endpoints
  • Actionable CA mismatch guidance when cluster agents fail TLS enrollment
  • SENTINEL_CLUSTER_ADVERTISE environment variable for TLS cert SANs

Swarm Fixes

  • Swarm task rows cached so shutdown rows persist across page refresh (#65)
  • Correct colspan on scaled-to-0 placeholder rows (#64)
  • Swarm task row columns aligned with table header (#64)
  • Phantom 7th column removed from swarm service rows (#62)
  • Host-group dividers span full table width (#62)

Bug Fixes

  • Data race on portainerInstances in Scan() -- unprotected slice reads while HTTP handlers mutate concurrently; now snapshots under RLock
  • Store adapter silently dropped EngineID and ForceAllow fields -- manually force-allowed Portainer endpoints would get re-blocked on reconnect
  • Dashboard no longer stuck on "Updating" after queue approval
  • Container detail page works correctly for Portainer-managed containers
  • Pending updates stat card count mismatch resolved
  • Failed approval history records now include NewImage
  • History page scan summary rows display under correct column headers
  • Images page column alignment and red badge for unused images
  • Filter bar bottom border for visual consistency (#61)
  • Stopped containers shown by default on dashboard (#63)
  • Scoped key lookups for history/snapshot on remote containers
  • Portainer connector hot-reload, stale credential cleanup, and duplicate queue entry prevention
  • Docker Hub canonical prefix handling in IsPortainerImage
  • 2s timeout on DNS lookup in isLocalPortainerInstance

Full Changelog: v2.11.1...v2.12.0

v2.11.1

10 Mar 22:23

What's Changed

Other Changes

  • fix: agent network bugs + optional issue templates by @Will-Luck in #74

Full Changelog: v2.11.0...v2.11.1

v2.11.0

10 Mar 20:04

Full Changelog: v2.10.2...v2.11.0

v2.10.2

10 Mar 10:19

What's Changed

Other Changes

  • fix: repeated Image Identical results for multi-arch images by @Will-Luck in #69

Full Changelog: v2.10.1...v2.10.2

v2.10.1

09 Mar 16:33

What's Changed

Other Changes

  • docs: CHANGELOG for v2.10.0 by @Will-Luck in #65
  • chore: add community docs, templates, and repo config by @Will-Luck in #66
  • docs: add download count badges to README by @Will-Luck in #67
  • feat: clearer outcome labels, tooltips, and scan summary row by @Will-Luck in #68

Full Changelog: v2.10.0...v2.10.1

v2.10.0

09 Mar 15:31

Full Changelog: v2.9.1...v2.10.0

v2.9.1

06 Mar 17:28

What's Changed

  • fix: container detail shows wrong policy when no label set by @Will-Luck in #61

Full Changelog: v2.9.0...v2.9.1

v2.9.0

06 Mar 16:57

What's Changed

  • docs: update README with v2.8.0 screenshots by @Will-Luck in #56
  • v2.9.0: Log streaming, container controls, auto self-update, code review fixes by @Will-Luck in #60

Full Changelog: v2.8.0...v2.9.0

v2.8.0

03 Mar 18:18

Full Changelog: v2.6.0...v2.8.0