
release 1.0.2 #260

Merged
Polliog merged 11 commits into main from develop
Jun 21, 2026

Conversation

@Polliog (Collaborator) commented Jun 21, 2026

Release 1.0.2 (target date 2026-06-22).

A frontend correctness and security release from a multi-agent frontend bug hunt, plus a hardening of how the browser authenticates the live-streaming endpoints. One additive migration (049_stream_tickets); otherwise drop-in.

Highlights

Security

  • Session token out of WebSocket/SSE URLs: log live-tail, SIEM events and trace live-tail now authenticate with a short-lived, single-use stream ticket (POST /api/v1/stream-tickets) instead of the session token in the query string. Tickets live in the relational DB (portable across BullMQ/graphile), expire in 30s, single-use. Legacy ?token= still accepted.
  • Webhook channel secrets no longer rehydrated into the DOM on edit.
  • OIDC callback strips the token from the URL after reading it.
  • Admin pages enforce a client-side admin guard (user detail, usage, organization detail, admin layout).
  • Removed a debug console.log leaking log content and api-key metadata.

Added

  • Global 401 handler: a fetch interceptor clears auth and redirects to login (preserving the path) on any authenticated /api/v1 401, instead of only detecting a dead session on full remount.
  • stream_tickets table + endpoint (migration 049).

Fixed

  • Stale-response races across search, traces, error groups, SIEM incidents, monitoring and custom-dashboard panels (local request-sequence guards).
  • API client error-body JSON parse guards (non-JSON 502/HTML/204 no longer mask the real error).
  • en-US locale formatting for user-facing dates/numbers; alert history no longer mislabels UTC as local.
  • Lifecycle/memory leaks (timers, store subscriptions, chart disposal).
  • Svelte 5 reactivity and assorted UI/validation fixes.
  • ClickHouse: materialized-view backfills run once instead of on every startup.

Notes

  • Session token in localStorage left as-is (disputed, low): an httpOnly-cookie move trades XSS token theft for CSRF surface and a full auth overhaul without a clear net win.

Full detail in CHANGELOG.md under [1.0.2]. Findings report (gitignored) in FRONTEND-BUGS.md.

codecov Bot commented Jun 21, 2026

@Polliog Polliog merged commit 45fee97 into main Jun 21, 2026
15 of 21 checks passed