ci: ignore CVE-2026-4878 and CVE-2026-33845 (no fix available)

Both CVEs affect Debian 13 base image packages with no fixed version: - CVE-2026-4878: libcap2 privilege escalation via TOCTOU race in cap_set_file() - CVE-2026-33845: libgnutls30t64 DoS via DTLS zero-length fragment
ci: suppress 3 unfixed Debian CVEs via .trivyignore
2026-06-28 18:59:05 -06:00 · 2026-05-03 16:21:24 -06:00 · 2026-05-03 09:35:38 -06:00 · 2026-04-27 08:53:02 -06:00 · 2026-04-27 08:45:17 -06:00 · 2026-04-27 08:45:09 -06:00
21 changed files with 1051 additions and 67 deletions
@@ -0,0 +1,35 @@
+---
+name: Bug Report
+about: Report a bug in the system
+title: "[Bug]: "
+labels: bug
+assignees: ''
+---
+
+### Description
+
+A clear and concise description of the bug.
+
+### Steps to Reproduce
+
+1. Go to '...'
+2. Click on '...'
+3. See the error.
+
+### Expected Behavior
+
+Explain what you expected to happen.
+
+### Screenshots
+
+Add screenshots if applicable.
+
+### Environment
+
+- OS: [e.g., Windows, macOS, Linux]
+- Browser: [e.g., Chrome, Firefox]
+- Version: [e.g., 1.0.0]
+
+### Additional Context
+
+Add any other context about the problem here.
@@ -0,0 +1,22 @@
+blank_issues_enabled: false
+issue_templates:
+  - name: "Bug Report"
+    description: "Report a bug in the system."
+    title: "[Bug]: "
+    labels: ["bug"]
+    body: "./ISSUE_TEMPLATE/bug_report.md"
+  - name: "Feature Request"
+    description: "Propose a new feature or improvement."
+    title: "[Feature]: "
+    labels: ["enhancement"]
+    body: "./ISSUE_TEMPLATE/feature_request.md"
+  - name: "Documentation"
+    description: "Suggest updates or additions to the documentation."
+    title: "[Docs]: "
+    labels: ["documentation"]
+    body: "./ISSUE_TEMPLATE/documentation.md"
+  - name: "General Report"
+    description: "Provide general feedback or inquiries."
+    title: "[General]: "
+    labels: ["general"]
+    body: "./ISSUE_TEMPLATE/general_report.md"
@@ -0,0 +1,23 @@
+--
+name: Documentation
+about: Suggest updates or additions to documentation
+title: "[Docs]: "
+labels: documentation
+assignees: ''
+---
+
+### Documentation Update
+
+What part of the documentation needs to be updated or added?
+
+### Why Is This Needed?
+
+Explain the importance of this update.
+
+### Suggested Changes
+
+Provide a detailed description of the changes.
+
+### Additional Context
+
+Include any related resources.
@@ -0,0 +1,23 @@
+---
+name: Feature Request
+about: Suggest a new feature or improvement
+title: "[Feature]: "
+labels: enhancement
+assignees: ''
+---
+
+### Feature Description
+
+What feature would you like to see?
+
+### Why Is This Needed?
+
+Explain the problem or need for this feature.
+
+### Suggested Solutions
+
+Describe how this feature could be implemented.
+
+### Additional Context
+
+Add any relevant screenshots, links, or resources.
@@ -0,0 +1,15 @@
+---
+name: General Report
+about: Provide general feedback or inquiries
+title: "[General]: "
+labels: general
+assignees: ''
+---
+
+### Feedback or Inquiry
+
+Provide your feedback or inquiry.
+
+### Additional Information
+
+Add any other relevant details here.
@@ -0,0 +1,33 @@
+# Dependabot version updates
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+
+  # Python dependencies — requirements.txt
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    labels:
+      - "dependencies"
+
+  # Docker base image — Dockerfile
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    labels:
+      - "dependencies"
+
+  # GitHub Actions workflow dependencies
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    labels:
+      - "dependencies"
+      - "ci"
@@ -9,12 +9,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v4
      - name: Log in to DockerHub
        if: github.event_name == 'push'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v4
        with:
          username: ${{ vars.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
@@ -25,6 +25,13 @@ jobs:
          docker build . --file Dockerfile --tag $IMAGE_TAG
          echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
 # Uncomment below to push the image to Docker Hub (or another registry)
+      - name: Scan image for vulnerabilities
+        uses: aquasecurity/trivy-action@v0.36.0
+        with:
+          image-ref: ${{ env.IMAGE_TAG }}
+          format: table
+          exit-code: '1'
+          severity: CRITICAL,HIGH
      - name: Push the Docker image
        if: github.event_name == 'push'
        run: |
@@ -8,7 +8,7 @@ jobs:
  todo:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
      - uses: alstr/todo-to-issue-action@v5
        with:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -0,0 +1,17 @@
+# Unfixed OS-level vulnerabilities in Debian 13 (trixie) base image.
+# No fix available upstream as of 2026-04-27; revisit when patches land.
+
+# ncurses: buffer overflow (libncursesw6, libtinfo6, ncurses-base, ncurses-bin)
+CVE-2025-69720
+
+# nghttp2: DoS via malformed HTTP/2 frames after session termination (libnghttp2-14)
+CVE-2026-27135
+
+# systemd: arbitrary code execution / DoS via spurious IPC (libsystemd0, libudev1)
+CVE-2026-29111
+
+# libcap: privilege escalation via TOCTOU race in cap_set_file() (libcap2)
+CVE-2026-4878
+
+# gnutls: DoS via DTLS zero-length fragment (libgnutls30t64)
+CVE-2026-33845
@@ -1,5 +1,5 @@
 # Use a lightweight Python image
-FROM python:3.9-slim
+FROM python:3.14-slim

 # Set the working directory
 WORKDIR /app
@@ -2,6 +2,9 @@ import logging
 import os
 import re
 import sqlite3
+import threading
+from datetime import datetime, timedelta, timezone
+from zoneinfo import ZoneInfo

 from email_validator import validate_email, EmailNotValidError
 from flask import Flask, render_template, request, redirect, url_for, jsonify, abort
@@ -10,6 +13,7 @@ from flask_limiter.util import get_remote_address
 from flask_login import (
    LoginManager, UserMixin, login_user, logout_user, login_required, current_user
 )
+from flask_wtf.csrf import CSRFProtect, generate_csrf
 from werkzeug.security import generate_password_hash, check_password_hash

 # Set up logging
@@ -18,9 +22,42 @@ logger = logging.getLogger(__name__)

 app = Flask(__name__)
 DATABASE = os.environ.get('DATABASE_PATH', 'guestbook.db')
-app.secret_key = os.environ.get('SECRET_KEY', 'dev-secret-key-change-in-production')
+
+_secret_key = os.environ.get('SECRET_KEY')
+if not _secret_key:
+    raise RuntimeError("SECRET_KEY environment variable must be set")
+app.secret_key = _secret_key

 limiter = Limiter(get_remote_address, app=app, default_limits=[])
+csrf = CSRFProtect(app)
+
+app.config.update(
+    SESSION_COOKIE_HTTPONLY=True,
+    SESSION_COOKIE_SAMESITE='Lax',
+    PERMANENT_SESSION_LIFETIME=timedelta(hours=8),
+)
+
+@app.after_request
+def set_security_headers(response):
+    response.headers['X-Content-Type-Options'] = 'nosniff'
+    response.headers['X-Frame-Options'] = 'SAMEORIGIN'
+    response.headers['Referrer-Policy'] = 'strict-origin-when-cross-origin'
+    if request.path.startswith('/admin'):
+        response.headers['Cache-Control'] = 'no-store'
+    return response
+
+_DISPLAY_TZ = ZoneInfo('America/Denver')
+
+@app.template_filter('localtime')
+def localtime_filter(value):
+    if not value:
+        return value
+    try:
+        dt = datetime.strptime(str(value), '%Y-%m-%d %H:%M:%S')
+        dt = dt.replace(tzinfo=timezone.utc)
+        return dt.astimezone(_DISPLAY_TZ).strftime('%Y-%m-%d %H:%M')
+    except ValueError:
+        return value

 login_manager = LoginManager(app)
 login_manager.login_view = 'admin_login'
@@ -86,6 +123,14 @@ def load_banned_words():

 BANNED_WORDS = load_banned_words()

+FIELD_MAX = {
+    'first_name': 100,
+    'last_name':  100,
+    'email':      254,
+    'location':   100,
+    'comment':   2000,
+}
+
 def contains_banned_words(text):
    lower = text.lower()
    # Whole-word check (punctuation-stripped) — catches exact matches
@@ -173,6 +218,22 @@ def is_valid_email(email):
 with app.app_context():
    migrate_db()

+# ---------------------------------------------------------------------------
+# Webhook
+# ---------------------------------------------------------------------------
+
+def _fire_webhook(payload):
+    url = os.environ.get("WEBHOOK_URL", "")
+    if not url:
+        return
+    try:
+        import urllib.request, json as _json
+        data = _json.dumps(payload).encode()
+        req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
+        urllib.request.urlopen(req, timeout=5)
+    except Exception as e:
+        logger.warning("Webhook delivery failed: %s", e)
+
 # ---------------------------------------------------------------------------
 # Public routes
 # ---------------------------------------------------------------------------
@@ -193,6 +254,14 @@ def index():
        if not (first_name and last_name and location):
            error = "First name, last name, and location are required."
            logger.warning("Missing required fields.")
+        elif (len(first_name) > FIELD_MAX['first_name'] or
+              len(last_name)  > FIELD_MAX['last_name']  or
+              len(location)   > FIELD_MAX['location']):
+            error = "A required field exceeds the maximum allowed length."
+        elif email and len(email) > FIELD_MAX['email']:
+            error = "Email address is too long."
+        elif comment and len(comment) > FIELD_MAX['comment']:
+            error = f"Comment is too long (max {FIELD_MAX['comment']:,} characters)."
        elif email and not is_valid_email(email):
            error = "Invalid email address."
            logger.warning("Invalid email: %s", email)
@@ -230,7 +299,14 @@ def index():
                                   error="Unable to save your entry. Please try again.",
                                   guests=[])
        logger.info("Added guest: %s %s from %s", first_name, last_name, location)
-        return redirect(url_for('index'))
+        threading.Thread(target=_fire_webhook, args=({
+            "first_name": first_name,
+            "last_name": last_name,
+            "email": email,
+            "location": location,
+            "newsletter_opt_in": newsletter_opt_in,
+        },), daemon=True).start()
+        return redirect(url_for('thank_you', name=first_name))

    try:
        conn = sqlite3.connect(DATABASE)
@@ -244,6 +320,31 @@ def index():
    logger.info("Rendering index with %d guests.", len(guests))
    return render_template('index.html', error=error, guests=guests)

+# ---------------------------------------------------------------------------
+# Thank-you page
+# ---------------------------------------------------------------------------
+
+@app.route('/thank-you')
+def thank_you():
+    name = request.args.get('name', '').strip()
+    if not name:
+        return redirect(url_for('index'))
+    offline = request.args.get('offline') == '1'
+    site_title = os.environ.get('SITE_TITLE', 'Guestbook')
+    logo_url   = os.environ.get('LOGO_URL', '/static/images/logo.png')
+    try:
+        conn = sqlite3.connect(DATABASE)
+        c = conn.cursor()
+        c.execute('SELECT first_name, location FROM guests ORDER BY id DESC LIMIT 100')
+        guests = c.fetchall()
+        conn.close()
+    except sqlite3.Error as e:
+        logger.error("Database error loading guests for thank-you: %s", e)
+        guests = []
+    return render_template('thank_you.html', name=name, guests=guests,
+                           site_title=site_title, logo_url=logo_url,
+                           offline=offline)
+
 # ---------------------------------------------------------------------------
 # Admin auth routes
 # ---------------------------------------------------------------------------
@@ -252,6 +353,7 @@ def _admin_configured():
    return bool(os.environ.get('ADMIN_USER') and os.environ.get('ADMIN_PASSWORD'))

@app.route('/admin/login', methods=['GET', 'POST'])
+@limiter.limit("10 per minute", methods=["POST"])
 def admin_login():
    if not _admin_configured():
        abort(503)
@@ -303,10 +405,30 @@ def admin():
    page = request.args.get('page', 1, type=int)
    per_page = 25
    offset = (page - 1) * per_page
+
+    # Compute week/month boundaries in Mountain Time, convert to UTC for SQLite comparison
+    now_mt = datetime.now(_DISPLAY_TZ)
+    today_mt = now_mt.replace(hour=0, minute=0, second=0, microsecond=0)
+    week_start_utc  = (today_mt - timedelta(days=today_mt.weekday())).astimezone(timezone.utc).strftime('%Y-%m-%d %H:%M:%S')
+    month_start_utc = today_mt.replace(day=1).astimezone(timezone.utc).strftime('%Y-%m-%d %H:%M:%S')
+
    try:
        conn = sqlite3.connect(DATABASE)
        c = conn.cursor()
-        total = c.execute('SELECT COUNT(*) FROM guests').fetchone()[0]
+        row = c.execute('''
+            SELECT
+                COUNT(*) AS total,
+                SUM(CASE WHEN timestamp >= ? THEN 1 ELSE 0 END) AS this_week,
+                SUM(CASE WHEN timestamp >= ? THEN 1 ELSE 0 END) AS this_month,
+                SUM(CASE WHEN newsletter_opt_in THEN 1 ELSE 0 END) AS newsletter_count
+            FROM guests
+        ''', (week_start_utc, month_start_utc)).fetchone()
+        total, this_week, this_month, newsletter_count = row
+        total = total or 0
+        this_week = this_week or 0
+        this_month = this_month or 0
+        newsletter_count = newsletter_count or 0
+        newsletter_pct = round(newsletter_count / total * 100) if total > 0 else 0
        c.execute('''
            SELECT id, first_name, last_name, email, location, comment, newsletter_opt_in, timestamp
            FROM guests ORDER BY id DESC LIMIT ? OFFSET ?
@@ -316,10 +438,18 @@ def admin():
    except sqlite3.Error as e:
        logger.error("Database error in admin: %s", e)
        guests = []
-        total = 0
+        total = this_week = this_month = newsletter_count = newsletter_pct = 0
+
+    stats = {
+        'total': total,
+        'week': this_week,
+        'month': this_month,
+        'newsletter_count': newsletter_count,
+        'newsletter_pct': newsletter_pct,
+    }
    total_pages = (total + per_page - 1) // per_page
    return render_template('admin.html', guests=guests, page=page, total_pages=total_pages,
-                           total=total)
+                           total=total, stats=stats)

@app.route('/admin/delete/<int:entry_id>', methods=['POST'])
@login_required
@@ -339,6 +469,46 @@ def admin_delete(entry_id):
        logger.error("Database error deleting guest %d: %s", entry_id, e)
    return redirect(url_for('admin', page=request.args.get('page', 1)))

+@app.route('/admin/export.csv')
+@login_required
+@csrf.exempt
+def admin_export_csv():
+    if not _admin_configured():
+        abort(503)
+    if current_user.role == 'viewer':
+        abort(403)
+    import csv, io
+    try:
+        conn = sqlite3.connect(DATABASE)
+        c = conn.cursor()
+        c.execute('''
+            SELECT id, first_name, last_name, email, location, comment, newsletter_opt_in, timestamp
+            FROM guests ORDER BY id ASC
+        ''')
+        rows = c.fetchall()
+        conn.close()
+    except sqlite3.Error as e:
+        logger.error("Database error in admin_export_csv: %s", e)
+        abort(503)
+    buf = io.StringIO()
+    writer = csv.writer(buf)
+    writer.writerow(['id', 'first_name', 'last_name', 'email', 'location',
+                     'comment', 'newsletter_opt_in', 'timestamp_mountain'])
+    for row in rows:
+        ts = row[7]
+        try:
+            dt = datetime.strptime(str(ts), '%Y-%m-%d %H:%M:%S').replace(tzinfo=timezone.utc)
+            ts = dt.astimezone(_DISPLAY_TZ).strftime('%Y-%m-%d %H:%M')
+        except (ValueError, TypeError):
+            pass
+        writer.writerow([row[0], row[1], row[2], row[3], row[4], row[5], int(row[6] or 0), ts])
+    from flask import Response
+    return Response(
+        buf.getvalue(),
+        mimetype='text/csv',
+        headers={'Content-Disposition': 'attachment; filename="guestbook_export.csv"'}
+    )
+
@app.route('/admin/users')
@login_required
 def admin_users():
@@ -407,6 +577,8 @@ def admin_users_delete(user_id):
 # ---------------------------------------------------------------------------

@app.route('/api/guests', methods=['GET'])
+@limiter.limit("100 per hour")
+@csrf.exempt
 def api_guests():
    api_key = request.headers.get('X-API-Key')
    if api_key != os.environ.get("API_KEY"):
@@ -441,6 +613,50 @@ def api_guests():
    ]
    return jsonify(guests)

+@app.route('/api/csrf', methods=['GET'])
+@csrf.exempt
+@limiter.limit("30 per minute")
+def api_csrf():
+    return jsonify({"csrf_token": generate_csrf()})
+
+# ---------------------------------------------------------------------------
+# PWA
+# ---------------------------------------------------------------------------
+
+@app.route('/manifest.webmanifest')
+@csrf.exempt
+def pwa_manifest():
+    import json as _json
+    site_title = os.environ.get('SITE_TITLE', 'Guestbook')
+    logo_url   = os.environ.get('LOGO_URL', '/static/images/logo.png')
+    manifest = {
+        "name": site_title,
+        "short_name": site_title,
+        "start_url": "/",
+        "display": "standalone",
+        "background_color": "#ffffff",
+        "theme_color": "#3a9cb8",
+        "orientation": "any",
+        "icons": [
+            {
+                "src": logo_url,
+                "sizes": "500x500",
+                "type": "image/png",
+                "purpose": "any maskable"
+            }
+        ]
+    }
+    from flask import Response
+    return Response(_json.dumps(manifest), mimetype='application/manifest+json')
+
+@app.route('/sw.js')
+@csrf.exempt
+def service_worker():
+    response = app.send_static_file('sw.js')
+    response.headers['Service-Worker-Allowed'] = '/'
+    response.headers['Cache-Control'] = 'no-cache'
+    return response
+
 if __name__ == '__main__':
    migrate_db()
    logger.info("Starting development server at http://0.0.0.0:8000")
@@ -1,4 +1,6 @@
 #!/bin/sh
+set -e
+
 # Fix ownership of the data directory so appuser can write the database.
 # This runs as root (no USER directive in Dockerfile) and is safe because
 # we immediately drop privileges via gosu before starting the app.
@@ -9,4 +11,8 @@ chown -R appuser:appuser "$DATA_DIR"
 envsubst < /app/templates/index.html.template > /app/templates/index.html

 # Drop to appuser and start Gunicorn
-exec gosu appuser gunicorn --bind 0.0.0.0:8000 app:app --workers ${GUNICORN_WORKERS:-3}
+exec gosu appuser gunicorn \
+    --bind 0.0.0.0:8000 \
+    --workers ${GUNICORN_WORKERS:-3} \
+    --timeout 30 \
+    app:app
@@ -13,3 +13,5 @@ LOGO_URL="/static/images/logo.png"
 ADMIN_USER=admin
 ADMIN_PASSWORD=changeme
 SECRET_KEY=change-this-to-a-random-secret-key
+# Optional: POST new signups as JSON to this URL (e.g. an n8n Webhook node)
+WEBHOOK_URL=
@@ -1,6 +1,8 @@
 Flask>=3.1.3
-Werkzeug>=3.0.6
-Flask-Limiter>=3.0
-Flask-Login>=0.6
-email-validator>=2.0
+Flask-WTF>=1.3.0
+Werkzeug>=3.1.8
+Flask-Limiter>=4.1.1
+Flask-Login>=0.6.3
+email-validator>=2.3.0
 gunicorn
+tzdata
@@ -0,0 +1,223 @@
+/**
+ * Offline queue for kiosk-guestbook.
+ *
+ * Intercepts the guestbook form submit via fetch. On network failure,
+ * stores the submission in IndexedDB and shows an offline thank-you.
+ * Replays queued entries on the `online` event and on each page load.
+ *
+ * Works on both the form page (/) and the thank-you page (/thank-you).
+ * Background Sync is not used — it is unsupported in iOS Safari.
+ */
+
+const OQ_DB_NAME  = 'guestbook-offline-queue';
+const OQ_STORE    = 'entries';
+const OQ_VERSION  = 1;
+
+// ---------------------------------------------------------------------------
+// IndexedDB helpers
+// ---------------------------------------------------------------------------
+
+function oqOpenDb() {
+    return new Promise(function (resolve, reject) {
+        var req = indexedDB.open(OQ_DB_NAME, OQ_VERSION);
+        req.onupgradeneeded = function (e) {
+            e.target.result.createObjectStore(OQ_STORE, { keyPath: 'id', autoIncrement: true });
+        };
+        req.onsuccess = function (e) { resolve(e.target.result); };
+        req.onerror   = function (e) { reject(e.target.error); };
+    });
+}
+
+function oqEnqueue(fields) {
+    return oqOpenDb().then(function (db) {
+        return new Promise(function (resolve, reject) {
+            var tx    = db.transaction(OQ_STORE, 'readwrite');
+            var store = tx.objectStore(OQ_STORE);
+            store.add({ fields: fields, queued_at: new Date().toISOString() });
+            tx.oncomplete = resolve;
+            tx.onerror    = function (e) { reject(e.target.error); };
+        });
+    });
+}
+
+function oqDequeue(id) {
+    return oqOpenDb().then(function (db) {
+        return new Promise(function (resolve, reject) {
+            var tx = db.transaction(OQ_STORE, 'readwrite');
+            tx.objectStore(OQ_STORE).delete(id);
+            tx.oncomplete = resolve;
+            tx.onerror    = function (e) { reject(e.target.error); };
+        });
+    });
+}
+
+function oqGetAll() {
+    return oqOpenDb().then(function (db) {
+        return new Promise(function (resolve, reject) {
+            var tx  = db.transaction(OQ_STORE, 'readonly');
+            var req = tx.objectStore(OQ_STORE).getAll();
+            req.onsuccess = function (e) { resolve(e.target.result); };
+            req.onerror   = function (e) { reject(e.target.error); };
+        });
+    });
+}
+
+// ---------------------------------------------------------------------------
+// Collect form fields into a plain object (excludes csrf_token)
+// ---------------------------------------------------------------------------
+
+function oqCollectFields(form) {
+    var fields = {};
+    var fd = new FormData(form);
+    fd.forEach(function (value, key) {
+        if (key !== 'csrf_token') fields[key] = value;
+    });
+    // Explicitly record the newsletter checkbox so a missing key means opt-out
+    var checkbox = form.querySelector('[name="newsletter_opt_in"]');
+    if (checkbox && !checkbox.checked) {
+        delete fields['newsletter_opt_in'];
+    }
+    return fields;
+}
+
+// ---------------------------------------------------------------------------
+// Queue replay
+// ---------------------------------------------------------------------------
+
+var oqReplaying = false;
+
+async function oqReplayQueue() {
+    if (oqReplaying) return;
+    oqReplaying = true;
+
+    var items;
+    try {
+        items = await oqGetAll();
+    } catch (e) {
+        oqReplaying = false;
+        return;
+    }
+    if (!items.length) {
+        oqReplaying = false;
+        return;
+    }
+
+    // Fetch a fresh CSRF token once for the whole batch
+    var token;
+    try {
+        var csrfRes = await fetch('/api/csrf');
+        var csrfJson = await csrfRes.json();
+        token = csrfJson.csrf_token;
+    } catch (e) {
+        // Still offline
+        oqReplaying = false;
+        return;
+    }
+
+    for (var i = 0; i < items.length; i++) {
+        var item = items[i];
+        try {
+            var fd = new FormData();
+            fd.append('csrf_token', token);
+            Object.keys(item.fields).forEach(function (k) {
+                fd.append(k, item.fields[k]);
+            });
+
+            var res = await fetch('/', { method: 'POST', body: fd });
+
+            if (res.ok) {
+                await oqDequeue(item.id);
+            } else if (res.status === 429) {
+                // Rate-limited — leave remaining entries, try again later
+                break;
+            } else {
+                // Server rejected (validation error etc.) — discard to unblock queue
+                console.warn('oq: discarding entry', item.id, 'server returned', res.status);
+                await oqDequeue(item.id);
+            }
+        } catch (e) {
+            // Network error again — stop, leave entries for next online event
+            break;
+        }
+    }
+
+    oqReplaying = false;
+
+    // Update offline indicator if we're now fully synced
+    var remaining;
+    try { remaining = await oqGetAll(); } catch (e) { remaining = []; }
+    if (!remaining.length) {
+        oqSetIndicator(false);
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Offline indicator (form page only)
+// ---------------------------------------------------------------------------
+
+function oqSetIndicator(offline) {
+    var el = document.getElementById('offline-indicator');
+    if (!el) return;
+    if (offline) {
+        el.classList.remove('d-none');
+    } else {
+        el.classList.add('d-none');
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Form submit intercept (form page only)
+// ---------------------------------------------------------------------------
+
+async function oqHandleSubmit(e) {
+    e.preventDefault();
+    var form = e.target;
+    var fields = oqCollectFields(form);
+
+    try {
+        var res = await fetch('/', { method: 'POST', body: new FormData(form) });
+        // fetch follows redirects; res.url is the final URL (thank-you page on success)
+        window.location.href = res.url;
+    } catch (err) {
+        // Network failure — queue and show offline thank-you
+        try {
+            await oqEnqueue(fields);
+        } catch (dbErr) {
+            console.error('oq: failed to enqueue', dbErr);
+        }
+        var name = fields['first_name'] || '';
+        window.location.href = '/thank-you?name=' + encodeURIComponent(name) + '&offline=1';
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Bootstrap on DOMContentLoaded
+// ---------------------------------------------------------------------------
+
+document.addEventListener('DOMContentLoaded', function () {
+    // Intercept form submit (form page only)
+    var form = document.querySelector('form[action="/"]');
+    if (form) {
+        form.addEventListener('submit', oqHandleSubmit);
+    }
+
+    // Sync indicator with current state
+    if (!navigator.onLine) {
+        oqSetIndicator(true);
+    }
+
+    // Replay queue on reconnect
+    window.addEventListener('online', function () {
+        oqSetIndicator(false);
+        oqReplayQueue();
+    });
+
+    window.addEventListener('offline', function () {
+        oqSetIndicator(true);
+    });
+
+    // Replay any previously queued items on page load
+    if (navigator.onLine) {
+        oqReplayQueue();
+    }
+});
@@ -0,0 +1,50 @@
+const CACHE_NAME = 'guestbook-v2';
+const STATIC_ASSETS = [
+    'https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css',
+    'https://cdn.jsdelivr.net/npm/@popperjs/core@2.10.2/dist/umd/popper.min.js',
+    'https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.min.js',
+    'https://fonts.googleapis.com/css2?family=Vollkorn:wght@700&family=Open+Sans&display=swap',
+    '/static/images/logo.png',
+    '/static/offline-queue.js',
+];
+
+self.addEventListener('install', event => {
+    event.waitUntil(
+        caches.open(CACHE_NAME)
+            .then(cache => cache.addAll(STATIC_ASSETS))
+            .then(() => self.skipWaiting())
+    );
+});
+
+self.addEventListener('activate', event => {
+    event.waitUntil(
+        caches.keys().then(keys =>
+            Promise.all(keys.filter(k => k !== CACHE_NAME).map(k => caches.delete(k)))
+        ).then(() => self.clients.claim())
+    );
+});
+
+self.addEventListener('fetch', event => {
+    const url = new URL(event.request.url);
+
+    // Cache-first for CDN and local static assets
+    const isStatic = STATIC_ASSETS.includes(event.request.url) ||
+                     (url.origin === self.location.origin && url.pathname.startsWith('/static/'));
+
+    if (isStatic) {
+        event.respondWith(
+            caches.match(event.request).then(cached => {
+                if (cached) return cached;
+                return fetch(event.request).then(response => {
+                    const clone = response.clone();
+                    caches.open(CACHE_NAME).then(cache => cache.put(event.request, clone));
+                    return response;
+                });
+            })
+        );
+        return;
+    }
+
+    // Network-only for all app routes (/, /admin/*, /api/*, /manifest.webmanifest)
+    // No caching of authenticated or dynamic content
+});
@@ -2,16 +2,32 @@
 <html lang="en">
 <head>
    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
    <title>Guestbook Admin</title>
+
+    <!-- PWA -->
+    <link rel="manifest" href="/manifest.webmanifest" />
+    <link rel="apple-touch-icon" href="/static/images/logo.png" />
+    <meta name="theme-color" content="#3a9cb8" />
+    <meta name="apple-mobile-web-app-capable" content="yes" />
+    <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent" />
+
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet" />
+    <style>
+        html, body { overscroll-behavior: none; }
+        body { padding-bottom: env(safe-area-inset-bottom); }
+        input, select, textarea { font-size: 16px !important; }
+    </style>
 </head>
 <body class="bg-light">
    <div class="container py-4">
-        <div class="d-flex justify-content-between align-items-center mb-4">
+        <div class="d-flex justify-content-between align-items-center mb-3">
            <h1 class="h3 mb-0">Guestbook Admin</h1>
            <div class="d-flex align-items-center gap-3">
-                <span class="text-muted">{{ current_user.username }} &middot; {{ total }} entries</span>
+                <span class="text-muted">{{ current_user.username }}</span>
+                {% if current_user.role != 'viewer' %}
+                <a href="{{ url_for('admin_export_csv') }}" class="btn btn-outline-success btn-sm">Export CSV</a>
+                {% endif %}
                {% if current_user.role == 'superadmin' %}
                <a href="{{ url_for('admin_users') }}" class="btn btn-outline-secondary btn-sm">Manage Users</a>
                {% endif %}
@@ -19,6 +35,47 @@
            </div>
        </div>

+        <div class="d-flex flex-wrap gap-2 mb-3 align-items-center">
+            <span class="badge bg-primary" style="font-size:0.9rem;">{{ stats.total }} total</span>
+            <span class="badge bg-secondary">{{ stats.week }} this week</span>
+            <span class="badge bg-secondary">{{ stats.month }} this month</span>
+            <span class="badge bg-success">{{ stats.newsletter_count }} newsletter ({{ stats.newsletter_pct }}%)</span>
+        </div>
+
+        <!-- Mobile card list (phones) -->
+        <div class="d-md-none">
+            {% for g in guests %}
+            <div class="card mb-2 shadow-sm">
+                <div class="card-body py-2 px-3">
+                    <div class="d-flex justify-content-between align-items-start">
+                        <div>
+                            <strong>{{ g[1] }} {{ g[2] }}</strong>
+                            <div class="text-muted small">{{ g[4] }} &middot; {{ g[7] | localtime }}</div>
+                            <div class="small mt-1">Newsletter: {{ 'Yes' if g[6] else 'No' }}</div>
+                            {% if g[3] %}
+                            <div class="text-muted small">{{ g[3] }}</div>
+                            {% endif %}
+                            {% if g[5] %}
+                            <div class="text-muted small fst-italic">{{ g[5] }}</div>
+                            {% endif %}
+                        </div>
+                        {% if current_user.role != 'viewer' %}
+                        <form method="POST" action="{{ url_for('admin_delete', entry_id=g[0]) }}?page={{ page }}"
+                              onsubmit="return confirm('Delete entry for {{ g[1] }} {{ g[2] }}?')">
+                            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                            <button type="submit" class="btn btn-danger btn-sm ms-2">Delete</button>
+                        </form>
+                        {% endif %}
+                    </div>
+                </div>
+            </div>
+            {% else %}
+            <p class="text-muted text-center">No entries found.</p>
+            {% endfor %}
+        </div>
+
+        <!-- Desktop table (hidden on phones) -->
+        <div class="d-none d-md-block">
            <div class="table-responsive">
                <table class="table table-bordered table-hover bg-white">
                    <thead class="table-dark">
@@ -42,11 +99,12 @@
                            <td>{{ g[4] }}</td>
                            <td>{{ g[5] or '—' }}</td>
                            <td>{{ 'Yes' if g[6] else 'No' }}</td>
-                        <td class="text-nowrap">{{ g[7] }}</td>
+                            <td class="text-nowrap">{{ g[7] | localtime }}</td>
                            <td>
                                {% if current_user.role != 'viewer' %}
                                <form method="POST" action="{{ url_for('admin_delete', entry_id=g[0]) }}?page={{ page }}"
                                      onsubmit="return confirm('Delete entry for {{ g[1] }} {{ g[2] }}?')">
+                                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
                                    <button type="submit" class="btn btn-danger btn-sm">Delete</button>
                                </form>
                                {% endif %}
@@ -60,6 +118,7 @@
                    </tbody>
                </table>
            </div>
+        </div>

        {% if total_pages > 1 %}
        <nav>
@@ -79,5 +138,13 @@
        </nav>
        {% endif %}
    </div>
+
+    <script>
+        if ('serviceWorker' in navigator) {
+            window.addEventListener('load', function () {
+                navigator.serviceWorker.register('/sw.js', { scope: '/' });
+            });
+        }
+    </script>
 </body>
 </html>
@@ -2,9 +2,22 @@
 <html lang="en">
 <head>
    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
    <title>Guestbook Admin — Login</title>
+
+    <!-- PWA -->
+    <link rel="manifest" href="/manifest.webmanifest" />
+    <link rel="apple-touch-icon" href="/static/images/logo.png" />
+    <meta name="theme-color" content="#3a9cb8" />
+    <meta name="apple-mobile-web-app-capable" content="yes" />
+    <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent" />
+
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet" />
+    <style>
+        html, body { overscroll-behavior: none; }
+        body { padding-bottom: env(safe-area-inset-bottom); }
+        input.form-control { font-size: 16px !important; }
+    </style>
 </head>
 <body class="bg-light">
    <div class="container py-5" style="max-width: 400px;">
@@ -15,6 +28,7 @@
                <div class="alert alert-danger py-2">{{ error }}</div>
                {% endif %}
                <form method="POST" action="{{ url_for('admin_login', next=request.args.get('next', '')) }}">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
                    <div class="mb-3">
                        <label for="username" class="form-label">Username</label>
                        <input type="text" id="username" name="username" class="form-control"
@@ -30,5 +44,13 @@
            </div>
        </div>
    </div>
+
+    <script>
+        if ('serviceWorker' in navigator) {
+            window.addEventListener('load', function () {
+                navigator.serviceWorker.register('/sw.js', { scope: '/' });
+            });
+        }
+    </script>
 </body>
 </html>
@@ -2,9 +2,22 @@
 <html lang="en">
 <head>
    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
    <title>Guestbook Admin — Users</title>
+
+    <!-- PWA -->
+    <link rel="manifest" href="/manifest.webmanifest" />
+    <link rel="apple-touch-icon" href="/static/images/logo.png" />
+    <meta name="theme-color" content="#3a9cb8" />
+    <meta name="apple-mobile-web-app-capable" content="yes" />
+    <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent" />
+
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet" />
+    <style>
+        html, body { overscroll-behavior: none; }
+        body { padding-bottom: env(safe-area-inset-bottom); }
+        input.form-control, select.form-select { font-size: 16px !important; }
+    </style>
 </head>
 <body class="bg-light">
    <div class="container py-4" style="max-width: 700px;">
@@ -20,6 +33,7 @@
            <div class="card-header">Add User</div>
            <div class="card-body">
                <form method="POST" action="{{ url_for('admin_users_add') }}">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
                    <div class="row g-2">
                        <div class="col-sm-4">
                            <input type="text" name="username" class="form-control" placeholder="Username" required />
@@ -57,6 +71,7 @@
                    <td>
                        <form method="POST" action="{{ url_for('admin_users_delete', user_id=u[0]) }}"
                              onsubmit="return confirm('Remove user {{ u[1] }}?')">
+                            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
                            <button type="submit" class="btn btn-danger btn-sm">Remove</button>
                        </form>
                    </td>
@@ -74,5 +89,13 @@
            Admins can view and delete entries. Viewers can only view.
        </p>
    </div>
+
+    <script>
+        if ('serviceWorker' in navigator) {
+            window.addEventListener('load', function () {
+                navigator.serviceWorker.register('/sw.js', { scope: '/' });
+            });
+        }
+    </script>
 </body>
 </html>
@@ -3,12 +3,48 @@

 <head>
    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
    <title>${SITE_TITLE}</title>

+    <!-- PWA -->
+    <link rel="manifest" href="/manifest.webmanifest" />
+    <link rel="apple-touch-icon" href="/static/images/logo.png" />
+    <meta name="theme-color" content="#3a9cb8" />
+    <meta name="apple-mobile-web-app-capable" content="yes" />
+    <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent" />
+    <meta name="apple-mobile-web-app-title" content="${SITE_TITLE}" />
+
    <!-- Bootstrap CSS -->
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet" />
+    <!-- Fonts -->
+    <link href="https://fonts.googleapis.com/css2?family=Vollkorn:wght@700&family=Open+Sans&display=swap" rel="stylesheet" />
    <style>
+        body {
+            font-family: 'Open Sans', sans-serif;
+        }
+
+        h1, h2, h3, h4, h5, h6 {
+            font-family: 'Vollkorn', serif;
+            font-weight: 700;
+        }
+
+        /* PWA / iOS kiosk */
+        html, body {
+            height: 100%;
+            overscroll-behavior: none;
+        }
+
+        body {
+            padding-bottom: env(safe-area-inset-bottom);
+        }
+
+        /* Prevent iOS auto-zoom on input focus (requires >= 16px) */
+        input.form-control,
+        textarea.form-control,
+        select.form-select {
+            font-size: 16px !important;
+        }
+
        /* Scrolling marquee styles */
        .scrolling-wrapper {
            overflow: hidden;
@@ -18,6 +54,7 @@
            width: 100%;
            background-color: #f8f9fa;
            border-top: 1px solid #dee2e6;
+            padding-bottom: env(safe-area-inset-bottom);
        }

        .scrolling-content {
@@ -52,6 +89,10 @@
            Providing your email is optional, but it helps us follow up if needed.
        </div>

+        <div id="offline-indicator" class="alert alert-warning d-none" role="status">
+            No internet connection &mdash; your entry will be saved and submitted automatically when reconnected.
+        </div>
+
        {% if error %}
        <div class="alert alert-danger" role="alert">
            {{ error }}
@@ -59,19 +100,20 @@
        {% endif %}

        <form method="post" action="/" class="mb-4">
+            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
            <div class="mb-3">
                <label for="first_name" class="form-label">First Name(s):</label>
-                <input type="text" class="form-control" id="first_name" name="first_name" required />
+                <input type="text" class="form-control" id="first_name" name="first_name" maxlength="100" required />
            </div>
            <div class="mb-3">
                <label for="last_name" class="form-label">Last Name:</label>
-                <input type="text" class="form-control" id="last_name" name="last_name" required />
+                <input type="text" class="form-control" id="last_name" name="last_name" maxlength="100" required />
            </div>

            <!-- Email + Newsletter Block (fully fixed) -->
            <div class="mb-3">
                <label for="email" class="form-label">Email (Optional):</label>
-                <input type="email" class="form-control" id="email" name="email" />
+                <input type="email" class="form-control" id="email" name="email" maxlength="254" />

                <div class="form-check mt-2">
                    <input class="form-check-input" type="checkbox" name="newsletter_opt_in" id="newsletter_opt_in"
@@ -84,13 +126,13 @@

            <div class="mb-3">
                <label for="location" class="form-label">Location:</label>
-                <input type="text" class="form-control" id="location" name="location" required />
+                <input type="text" class="form-control" id="location" name="location" maxlength="100" required />
            </div>

            <!-- Comment field hidden by default -->
            <div class="mb-3" id="comment-field" style="display: none;">
                <label for="comment" class="form-label">Comment (Optional):</label>
-                <textarea class="form-control" id="comment" name="comment" rows="3"></textarea>
+                <textarea class="form-control" id="comment" name="comment" rows="3" maxlength="2000"></textarea>
            </div>

            <button type="submit" class="btn btn-primary">Submit</button>
@@ -160,6 +202,17 @@
    <!-- Bootstrap JS (optional) -->
    <script src="https://cdn.jsdelivr.net/npm/@popperjs/core@2.10.2/dist/umd/popper.min.js"></script>
    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.min.js"></script>
+
+    <script src="/static/offline-queue.js"></script>
+
+    <!-- Service worker registration -->
+    <script>
+        if ('serviceWorker' in navigator) {
+            window.addEventListener('load', function () {
+                navigator.serviceWorker.register('/sw.js', { scope: '/' });
+            });
+        }
+    </script>
 </body>

 </html>
@@ -0,0 +1,145 @@
+<!doctype html>
+<html lang="en">
+<head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
+    <meta http-equiv="refresh" content="4;url=/" />
+    <title>{{ site_title }}</title>
+
+    <!-- PWA -->
+    <link rel="manifest" href="/manifest.webmanifest" />
+    <link rel="apple-touch-icon" href="/static/images/logo.png" />
+    <meta name="theme-color" content="#3a9cb8" />
+    <meta name="apple-mobile-web-app-capable" content="yes" />
+    <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent" />
+    <meta name="apple-mobile-web-app-title" content="{{ site_title }}" />
+
+    <!-- Bootstrap CSS -->
+    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet" />
+    <!-- Fonts -->
+    <link href="https://fonts.googleapis.com/css2?family=Vollkorn:wght@700&family=Open+Sans&display=swap" rel="stylesheet" />
+    <style>
+        body {
+            font-family: 'Open Sans', sans-serif;
+        }
+
+        h1, h2, h3, h4, h5, h6 {
+            font-family: 'Vollkorn', serif;
+            font-weight: 700;
+        }
+
+        html, body {
+            height: 100%;
+            overscroll-behavior: none;
+        }
+
+        body {
+            padding-bottom: env(safe-area-inset-bottom);
+        }
+
+        .scrolling-wrapper {
+            overflow: hidden;
+            white-space: nowrap;
+            position: fixed;
+            bottom: 0;
+            width: 100%;
+            background-color: #f8f9fa;
+            border-top: 1px solid #dee2e6;
+            padding-bottom: env(safe-area-inset-bottom);
+        }
+
+        .scrolling-content {
+            display: inline-block;
+            padding: 10px;
+            font-size: 1.25rem;
+            animation: scroll-left linear infinite;
+        }
+
+        @keyframes scroll-left {
+            0%   { transform: translateX(0); }
+            100% { transform: translateX(-50%); }
+        }
+
+        .thank-you-message {
+            font-size: 2rem;
+        }
+    </style>
+</head>
+
+<body>
+    <div class="container mt-5 mb-5">
+        <header class="d-flex align-items-center mb-4">
+            <img src="{{ logo_url }}" alt="Logo" class="me-3" style="height: 50px;" />
+            <h1 class="h3 mb-0">{{ site_title }}</h1>
+        </header>
+
+        <div class="text-center mt-5">
+            <div class="alert alert-success py-4" role="alert">
+                <p class="thank-you-message mb-1">Thanks, {{ name }}!</p>
+                {% if offline %}
+                <p class="mb-0">You&rsquo;re currently offline &mdash; your entry has been saved and will sync automatically when reconnected.</p>
+                {% else %}
+                <p class="mb-0">Your visit has been recorded.</p>
+                {% endif %}
+            </div>
+            <p class="text-muted mt-3">
+                Returning to the form in <span id="countdown">4</span>...
+            </p>
+        </div>
+    </div>
+
+    <!-- Scrolling Guest Entries at the Bottom -->
+    <div class="scrolling-wrapper">
+        <div class="scrolling-content">
+            {% for guest in guests %}
+            <span class="me-5">
+                <strong>{{ guest[0] }}</strong> from {{ guest[1] }}
+            </span>
+            {% endfor %}
+            {% for guest in guests %}
+            <span class="me-5">
+                <strong>{{ guest[0] }}</strong> from {{ guest[1] }}
+            </span>
+            {% endfor %}
+        </div>
+    </div>
+
+    <script>
+        (function () {
+            const pixelsPerSecond = 80;
+            const content = document.querySelector(".scrolling-content");
+            function updateScrollSpeed() {
+                const oneCopyWidth = content.offsetWidth / 2;
+                content.style.animationDuration = (oneCopyWidth / pixelsPerSecond) + "s";
+            }
+            updateScrollSpeed();
+            window.addEventListener("resize", updateScrollSpeed);
+        })();
+    </script>
+
+    <script>
+        (function () {
+            var n = 4;
+            var el = document.getElementById('countdown');
+            var timer = setInterval(function () {
+                n--;
+                if (el) el.textContent = n;
+                if (n <= 0) {
+                    clearInterval(timer);
+                    window.location.href = '/';
+                }
+            }, 1000);
+        })();
+    </script>
+
+    <script src="/static/offline-queue.js"></script>
+
+    <script>
+        if ('serviceWorker' in navigator) {
+            window.addEventListener('load', function () {
+                navigator.serviceWorker.register('/sw.js', { scope: '/' });
+            });
+        }
+    </script>
+</body>
+</html>
Author	SHA1	Message	Date
steve	613a9dc590	ci: ignore CVE-2026-4878 and CVE-2026-33845 (no fix available) Both CVEs affect Debian 13 base image packages with no fixed version: - CVE-2026-4878: libcap2 privilege escalation via TOCTOU race in cap_set_file() - CVE-2026-33845: libgnutls30t64 DoS via DTLS zero-length fragment	2026-05-03 16:21:24 -06:00
steve	c371b9a04f	ci: suppress 3 unfixed Debian CVEs via .trivyignore CVE-2025-69720 (ncurses), CVE-2026-27135 (nghttp2), and CVE-2026-29111 (systemd) have no upstream fix available. .trivyignore suppresses them so Trivy can still gate on all other CRITICAL/HIGH findings without relying on the coarser ignore-unfixed flag in the workflow.	2026-05-03 09:35:38 -06:00
steve	d57ba928c4	chore(deps): bump Werkzeug to >=3.1.8 and Flask-Login to >=0.6.3 Resolves dependabot PRs #30 and #31 which had merge conflicts after the Flask-Limiter v4 and email-validator bumps landed. Flask-Login 0.6.3 adds Flask 3 / Werkzeug 3 compatibility.	2026-04-27 08:53:02 -06:00
steve	c1db6ee692	Merge pull request #29 from tmdinosaurcenter/dependabot/pip/flask-limiter-gte-4.1.1 chore(deps): update flask-limiter requirement from >=3.0 to >=4.1.1	2026-04-27 08:45:17 -06:00
steve	523a9e22c2	Merge pull request #28 from tmdinosaurcenter/dependabot/pip/email-validator-gte-2.3.0 chore(deps): update email-validator requirement from >=2.0 to >=2.3.0	2026-04-27 08:45:09 -06:00
steve	f5af8b556f	Merge pull request #27 from tmdinosaurcenter/dependabot/pip/flask-wtf-gte-1.3.0 chore(deps): update flask-wtf requirement from >=1.2 to >=1.3.0	2026-04-27 08:45:05 -06:00
steve	211c94b8c8	Merge pull request #26 from tmdinosaurcenter/dependabot/github_actions/aquasecurity/trivy-action-0.36.0 chore(deps): bump aquasecurity/trivy-action from 0.35.0 to 0.36.0	2026-04-27 08:45:01 -06:00
dependabot[bot]	a7350bc3d5	chore(deps): update flask-limiter requirement from >=3.0 to >=4.1.1 Updates the requirements on [flask-limiter](https://github.com/alisaifee/flask-limiter) to permit the latest version. - [Release notes](https://github.com/alisaifee/flask-limiter/releases) - [Changelog](https://github.com/alisaifee/flask-limiter/blob/master/HISTORY.rst) - [Commits](https://github.com/alisaifee/flask-limiter/compare/3.0.0...4.1.1) --- updated-dependencies: - dependency-name: flask-limiter dependency-version: 4.1.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-27 11:57:46 +00:00
dependabot[bot]	e3ed22a201	chore(deps): update email-validator requirement from >=2.0 to >=2.3.0 Updates the requirements on [email-validator](https://github.com/JoshData/python-email-validator) to permit the latest version. - [Release notes](https://github.com/JoshData/python-email-validator/releases) - [Changelog](https://github.com/JoshData/python-email-validator/blob/main/CHANGELOG.md) - [Commits](https://github.com/JoshData/python-email-validator/compare/v2.0.0...v2.3.0) --- updated-dependencies: - dependency-name: email-validator dependency-version: 2.3.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-27 11:57:43 +00:00
dependabot[bot]	d37887fb93	chore(deps): update flask-wtf requirement from >=1.2 to >=1.3.0 Updates the requirements on [flask-wtf](https://github.com/pallets-eco/flask-wtf) to permit the latest version. - [Release notes](https://github.com/pallets-eco/flask-wtf/releases) - [Changelog](https://github.com/pallets-eco/flask-wtf/blob/main/docs/changes.rst) - [Commits](https://github.com/pallets-eco/flask-wtf/compare/v1.2.0...v1.3.0) --- updated-dependencies: - dependency-name: flask-wtf dependency-version: 1.3.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-27 11:57:40 +00:00
dependabot[bot]	519911c8f5	chore(deps): bump aquasecurity/trivy-action from 0.35.0 to 0.36.0 Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.35.0 to 0.36.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/v0.35.0...v0.36.0) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-27 11:57:26 +00:00
steve	b20e118def	feat: add offline queue for kiosk form submissions Intercepts form submit via fetch and stores failed submissions in IndexedDB when offline. Replays queued entries on the online event and on each page load. Shows an offline banner on the form page and a sync-pending message on the thank-you page. Service worker bumped to guestbook-v2 to pre-cache offline-queue.js so the script is available when the kiosk has no network.	2026-03-29 20:22:25 -06:00
steve	6577a733c6	feat: add /api/csrf endpoint for offline queue token refresh Returns the current session CSRF token as JSON so the offline queue replay can obtain a fresh token without parsing HTML. Rate-limited to 30 requests/minute. Passes offline flag through to the thank-you template.	2026-03-29 20:22:07 -06:00
steve	7914ac1ed7	feat: add summary stats bar to admin page Displays total entries, this week, this month, and newsletter opt-in count and percentage at the top of the admin view. Week/month boundaries are computed in America/Denver time and converted to UTC for SQLite comparison, handling DST correctly.	2026-03-29 19:48:24 -06:00
steve	d1d2065da2	feat: add thank-you confirmation screen after form submission Redirects to /thank-you?name=<first_name> on successful submission instead of back to the blank form. Shows a 4-second countdown with meta-refresh fallback before returning to the form. Includes the scrolling guest marquee so the page feels consistent with the kiosk.	2026-03-29 19:48:15 -06:00
steve	047f57513d	feat: add PWA support and mobile admin card layout All pages: manifest link, apple-mobile-web-app meta tags, theme-color, viewport-fit=cover, overscroll-behavior:none, safe-area padding, 16px input font-size to prevent iOS zoom, SW registration. admin.html: card-per-entry layout on small screens (d-md-none) with name, location, timestamp, newsletter status, email, comment, and delete button. Desktop table unchanged (d-none d-md-block).	2026-03-29 19:20:29 -06:00
steve	3057201102	feat: add PWA manifest and service worker routes Serves /manifest.webmanifest dynamically from Flask so SITE_TITLE and LOGO_URL env vars flow into the manifest at runtime. Serves /sw.js from /static/sw.js with Service-Worker-Allowed: / header to allow root scope. Service worker caches static assets and passes all app routes to network.	2026-03-29 19:20:06 -06:00
steve	12bc0cd4a1	fix(ci): update trivy-action to v0.35.0 Version 0.30.0 does not exist; latest release is v0.35.0.	2026-03-29 07:30:35 -06:00
steve	bc8d4f9fe5	fix(github) bumped trivy to latest version	2026-03-28 23:29:00 -06:00
steve	aa7fefe497	ci: scan Docker image for CRITICAL/HIGH CVEs with Trivy Runs aquasecurity/trivy-action after the build step and fails the workflow if any CRITICAL or HIGH severity vulnerabilities are found, blocking the push to Docker Hub.	2026-03-28 23:23:54 -06:00
steve	898441af0c	fix: add set -e and gunicorn worker timeout to entrypoint set -e ensures the script aborts on any error (e.g. failed chown) rather than silently continuing. --timeout 30 kills hung workers to prevent slow-client attacks from exhausting the worker pool.	2026-03-28 23:23:53 -06:00
steve	617aa5f028	fix: enforce max input lengths on guestbook form Adds FIELD_MAX constants and server-side length checks in the index route. Adds matching maxlength attributes on all form inputs so the browser enforces limits before submission.	2026-03-28 23:23:53 -06:00
steve	ecdcc044b7	feat: add CSRF protection to all POST forms Installs Flask-WTF and enables CSRFProtect globally. Adds csrf_token hidden fields to all four POST forms (login, delete entry, add user, delete user, and the public guestbook form). Exempts the API endpoint which uses header-based key auth instead.	2026-03-28 23:23:53 -06:00
steve	9ad7128619	feat: add security headers, session hardening, and admin cache control Sets X-Content-Type-Options, X-Frame-Options, and Referrer-Policy on all responses. Prevents browsers from caching admin pages. Configures session cookies as HttpOnly and SameSite=Lax with an 8-hour lifetime.	2026-03-28 23:23:53 -06:00
steve	61a298a735	fix: rate-limit admin login and API endpoint Limits POST to /admin/login to 10 requests/minute to block brute-force attacks. Limits GET /api/guests to 100 requests/hour to prevent bulk data exfiltration.	2026-03-28 23:23:52 -06:00
steve	4d58e0f0a1	fix: abort startup if SECRET_KEY is not set Raises RuntimeError at startup instead of silently falling back to a hardcoded default, preventing misconfigured deployments from running with a publicly-known session key.	2026-03-28 23:23:52 -06:00
steve	53741a4cbf	Merge pull request #25 from tmdinosaurcenter/dependabot/docker/python-3.14-slim Bump python from 3.9-slim to 3.14-slim	2026-03-28 23:09:34 -06:00
steve	4c691ab31a	Merge pull request #24 from tmdinosaurcenter/dependabot/github_actions/docker/setup-buildx-action-4 Bump docker/setup-buildx-action from 2 to 4	2026-03-28 23:09:32 -06:00
steve	77c377ab51	Merge pull request #23 from tmdinosaurcenter/dependabot/github_actions/actions/checkout-6 Bump actions/checkout from 4 to 6	2026-03-28 23:09:24 -06:00
steve	ae5002d407	Merge pull request #22 from tmdinosaurcenter/dependabot/github_actions/docker/login-action-4 Bump docker/login-action from 2 to 4	2026-03-28 23:09:21 -06:00
dependabot[bot]	5f71641cf0	Bump python from 3.9-slim to 3.14-slim Bumps python from 3.9-slim to 3.14-slim. --- updated-dependencies: - dependency-name: python dependency-version: 3.14-slim dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-29 05:05:28 +00:00
dependabot[bot]	c1206a244c	Bump docker/setup-buildx-action from 2 to 4 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2 to 4. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/v2...v4) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-29 05:04:59 +00:00
dependabot[bot]	8230ae1c1c	Bump actions/checkout from 4 to 6 Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-29 05:04:55 +00:00
dependabot[bot]	c55037b37b	Bump docker/login-action from 2 to 4 Bumps [docker/login-action](https://github.com/docker/login-action) from 2 to 4. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/v2...v4) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-29 05:04:51 +00:00
steve	36f8a01999	ci: add Dependabot config and issue templates Add weekly Dependabot updates for pip, Docker, and GitHub Actions. Add issue templates for bug reports, feature requests, documentation, and general feedback.	2026-03-28 23:04:13 -06:00
steve	4f675fe74c	feat: display admin timestamps in America/Denver time Convert UTC timestamps from SQLite to Mountain Time (America/Denver) using a Jinja2 template filter backed by zoneinfo; add tzdata dependency for IANA timezone data in the slim Docker image.	2026-03-28 22:58:37 -06:00
steve	d5eac47ceb	feat: apply TMDC brand fonts to guestbook page Use Vollkorn 700 for headings and Open Sans for body text, in line with The Montana Dinosaur Center style guide.	2026-03-11 18:05:08 -06:00
steve	9ebac80f35	feat: add webhook integration for new guestbook submissions Posts signup data as JSON to WEBHOOK_URL (e.g. an n8n Webhook node) in a daemon thread so it never blocks the visitor-facing response.	2026-03-11 15:30:31 -06:00