← All docs changelog/2026-05-28.md

May 28, 2026

Commits

90bc03e — deploy-dashboard: pipeline redesign + local mock-preview

Major UI redesign of the deploy dashboard: env cards are connected by pipeline connectors showing the promotion flow (jh→dev→beta→main). Adds a local mock-preview script (preview_dashboard.py) that serves the dashboard with fake data for rapid UI iteration.

Added:

  • dev/static_site/preview_dashboard.py — local mock data server (+142)

Changed:

  • dev/static_site/templates/deploy-dashboard/index.html — full pipeline redesign (+1037/-284)

5459ffd — ci/_git_in_modal: route AppList through the synchronicity loop

Routes the Modal AppList RPC through the existing synchronicity event loop helper, fixing potential deadlocks when the dashboard backend mixes sync and async calls.

Changed:

  • ci/_git_in_modal.py — synchronicity loop routing (+43/-25)

2db12a6 — deploy-dashboard: 3 recent commits + DOWN label for absent envs

Each env card now shows the 3 most recent commits on its branch. Environments without a running Modal app get a "DOWN" label instead of "idle."

Changed:

  • dev/static_site/templates/deploy-dashboard/index.html — commits + DOWN label (+4/-3)

ae3b2f7 — ci/_git_in_modal: return last 3 commits per branch from get_branch_tips

Extends get_branch_tips to return the last 3 commit subjects alongside the tip SHA, providing the data for the dashboard's commit display.

Changed:

  • ci/_git_in_modal.py — commit history in branch tips (+23/-7)

bfb4f5b — deploy-dashboard: solid in-flight connector + source recent commits from branch tips

Pipeline connectors now show a solid animated style when a promotion is in flight between two environments. Recent commits are sourced from the branch tips API instead of a separate endpoint.

Changed:

  • dev/static_site/templates/deploy-dashboard/index.html — animated connectors + commits source (+41/-44)

a741bf3 — deploy-dashboard: shift connector overlap off the commits area

Adjusts connector positioning so the pipeline arrows don't overlap with the recent commits display on narrow viewports.

Changed:

  • dev/static_site/templates/deploy-dashboard/index.html — connector positioning (+8/-3)

0dbf94f — ci/_git_in_modal: return 4 commits per branch (was 3)

Bumps the per-branch commit count from 3 to 4 to give more context on each env card.

Changed:

  • ci/_git_in_modal.py — 4 commits per branch (+5/-4)

971b6ca — deploy-dashboard: 4 commits with truncated subjects on narrow cards

Updates the dashboard to show 4 commits per card and truncates long commit subjects with ellipsis on narrow viewports.

Changed:

  • dev/static_site/templates/deploy-dashboard/index.html — 4 commits + truncation (+14/-10)

835108a — security: route invite/Resend secrets via Modal, fix JWT validator, escape static_site titles

Security fixes: (1) invite emails now use Resend API key from Modal Secrets instead of environment variables, closing a secret-in-env-var gap; (2) the JWT validator now properly checks exp and iss claims; (3) static site page titles are HTML-escaped to prevent XSS via crafted blog/doc titles.

Changed:

  • IMPROVE.md — close resolved findings (+131/-?)
  • dev/core/core.py — add Resend secret to Modal secrets list (+23/-1)
  • dev/core/notifier.py — source Resend key from Modal Secret (+15/-2)
  • dev/static_site/endpoint.py — HTML-escape page titles (+28/-4)
  • dev/users/auth.py — stricter JWT validation (+17/-2)

ca76051 — security: fix SessionState cross-session leak + input-validate rpc/websocket/gemini surfaces

Security fixes: (1) SessionState was being shared across LiveKit sessions due to a class-level dict — switched to per-instance state; (2) added input validation (type checks, length limits) on RPC handler arguments, WebSocket message payloads, and Gemini streaming inputs.

Changed:

  • IMPROVE.md — close resolved findings (+73/-?)
  • dev/livekit_ts/agent/rpc_handler.py — input validation (+29/-3)
  • dev/livekit_ts/agent/session_state.py — per-instance state (+7/-1)
  • dev/websocket/gemini.py — input validation (+27/-?)
  • dev/websocket/websocket.py — input validation (+21/-?)

d13fe51 — Justfile: add optional verbose arg to deploy recipe for tailed output

The just deploy <env> recipe now accepts an optional verbose argument that tails the Modal deploy output instead of running silently.

Changed:

  • Justfile — verbose deploy option (+14/-2)

6c66c41 — cleanup: drop dead imports, unused packages, == True/False comparisons

Codebase hygiene pass: removes unused imports across 12 files, drops 2 unused packages from requirements.txt, and replaces == True/== False comparisons with idiomatic boolean checks.

Changed:

  • IMPROVE.md — close resolved findings (+61/-?)
  • dev/core/core.py — remove unused import (-1)
  • dev/core/decorators.py — idiomatic bool checks (+6/-2)
  • dev/livekit_ts/agents/ — remove unused imports (5 files)
  • dev/livekit_ts/livekit_dashboard.py — remove unused imports (-3)
  • dev/livekit_ts/livekit_helpers.py — remove unused function (-33)
  • dev/requirements.txt — drop unused packages (-2)
  • dev/users/auth.py — idiomatic bool checks (+6/-2)
  • dev/websocket/gemini.py — remove unused imports (-9)
  • dev/websocket/websocket.py — remove unused import (-1)