Releases: mlotocki2k/KSeF_Monitor
KSeF Monitor v0.5.3
v0.5.3 — post-0.5.2 hotfix bundle
First production-ready release of the v0.5 line. Closes the v0.5.0 → v0.5.2 audit cycle (UI auth, V5-13 user accounts, U-01..U-17 hardening) and the seven post-merge defects surfaced during pre-prod testing.
Showstoppers fixed
- Fresh-install lockout — `auth_token` auto-gen + bootstrap admin used the unknowable random token as the password. `/ui/setup` now stays accessible on auto-gen so the operator picks their own credentials.
- Initial load: every invoice rejected — `_map_export_invoice` was on pre-v2.x KSeF field names (`ksefReferenceNumber`, `grossValue`, `subjectBy.…`). Re-mapped against the v2.4 `InvoiceMetadata` spec example, legacy keys kept as fallback.
- Initial load: KSeF 21405 on every other window — 91-day window off-by-one. Fixed: 89-day exact span (start .. start+89 is 90 inclusive days), instant-overlap cursor advance, `end_date` treated inclusive.
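The 90-day windowing fix above, as an added example that is not the project's code: an inclusive date range is tiled into windows of at most 90 calendar days, the cursor advances to the day after the previous window's end, and a checker reports over-cap windows, gaps and overlaps. A deliberately off-by-one variant is included to show the 91-day, boundary-overlapping windows that the 21405 rejections in the note point at. Function names are assumptions.

```python
from __future__ import annotations

from datetime import date, timedelta

MAX_SPAN_DAYS = 90                                # KSeF dateRange cap, inclusive on both ends
WINDOW_DELTA = timedelta(days=MAX_SPAN_DAYS - 1)  # start .. start+89 covers exactly 90 days


def window_days(start: date, end: date) -> int:
    """Inclusive length of a window (start == end is one day)."""
    return (end - start).days + 1


def split_windows(start: date, end: date) -> list[tuple[date, date]]:
    """Tile the inclusive range [start, end] with non-overlapping windows <= 90 days."""
    if end < start:
        raise ValueError("end_date precedes start_date")
    windows: list[tuple[date, date]] = []
    cursor = start
    while cursor <= end:
        win_end = min(cursor + WINDOW_DELTA, end)
        windows.append((cursor, win_end))
        cursor = win_end + timedelta(days=1)      # next window starts the following day
    return windows


def split_windows_buggy(start: date, end: date) -> list[tuple[date, date]]:
    """The off-by-one: end treated as exclusive while adding a full 90 days."""
    windows: list[tuple[date, date]] = []
    cursor = start
    while cursor < end:
        win_end = min(cursor + timedelta(days=MAX_SPAN_DAYS), end)  # 91 inclusive days
        windows.append((cursor, win_end))
        cursor = win_end                          # re-queries the boundary day
    return windows


def split_iso(start_iso: str, end_iso: str, buggy: bool = False) -> list[tuple[str, str]]:
    """Convenience wrapper working on ISO-8601 strings."""
    fn = split_windows_buggy if buggy else split_windows
    pairs = fn(date.fromisoformat(start_iso), date.fromisoformat(end_iso))
    return [(a.isoformat(), b.isoformat()) for a, b in pairs]


def tiling_report(windows_iso: list[tuple[str, str]]) -> dict[str, object]:
    """What a client must check before sending: no window over the cap, no gaps, no overlaps."""
    ws = [(date.fromisoformat(a), date.fromisoformat(b)) for a, b in windows_iso]
    longest = max(window_days(a, b) for a, b in ws)
    adjacent = list(zip(ws, ws[1:]))
    gaps = sum(1 for (_, b), (a2, _) in adjacent if a2 > b + timedelta(days=1))
    overlaps = sum(1 for (_, b), (a2, _) in adjacent if a2 <= b)
    return {"windows": len(ws), "longest_days": longest, "gaps": gaps,
            "overlaps": overlaps, "within_cap": longest <= MAX_SPAN_DAYS}


if __name__ == "__main__":
    print(tiling_report(split_iso("2025-01-01", "2025-12-31")))
    print(tiling_report(split_iso("2025-01-01", "2025-12-31", buggy=True)))
```

A single-day range must still yield one window (start == end), which is the case the `<=` loop condition and the inclusive `end_date` semantics exist for.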
Logging
- U-12 audit log silently dropped — `alembic.ini` `fileConfig()` clobbered the root logger to WARNING on every boot. Five of seven U-12 events (session create/revoke, password change, user create, absolute-cap eviction) were invisible in prod. Bumped root to INFO.
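The `alembic.ini` logging clobber described above, reproduced and fixed as an added example that is not the project's code. It assumes the project's `alembic.ini` carries alembic's stock logging section with `[logger_root] level = WARN`, which is what the note describes; the logger names and the two audit events are constructed. The fix is the one the note states (root back to INFO after the migration step), plus `disable_existing_loggers=False` so loggers created before the migration runs are not switched off outright.

```python
from __future__ import annotations

import logging
import logging.config
import os
import tempfile

# Trimmed copy of alembic's default logging section (assumption about the project's file).
ALEMBIC_INI_LOGGING = """\
[loggers]
keys = root

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = WARN
handlers = console

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(levelname)-5.5s [%(name)s] %(message)s
"""


class ListHandler(logging.Handler):
    """Collects emitted messages so the effect can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.messages: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.messages.append(record.getMessage())


def apply_alembic_logging(fixed: bool) -> None:
    """Simulate the migration step at boot: alembic's env.py calls fileConfig(alembic.ini)."""
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as fh:
        fh.write(ALEMBIC_INI_LOGGING)
        path = fh.name
    try:
        if fixed:
            logging.config.fileConfig(path, disable_existing_loggers=False)
            logging.getLogger().setLevel(logging.INFO)   # restore what the app intends
        else:
            logging.config.fileConfig(path)              # root -> WARN, pre-existing loggers disabled
    finally:
        os.unlink(path)


def boot_and_emit_audit_events(fixed: bool) -> list[str]:
    """Boot, then emit one INFO and one WARNING audit event; return what got through."""
    logging.getLogger().setLevel(logging.INFO)           # the app's own intent
    apply_alembic_logging(fixed)
    audit = logging.getLogger(f"ksef.audit.{'fixed' if fixed else 'broken'}")
    sink = ListHandler()
    audit.addHandler(sink)
    # audit loggers usually carry no level of their own, so root's level decides
    audit.info("session_create user=admin")              # constructed U-12 style event
    audit.warning("login_failed user=admin")             # constructed
    return sink.messages


if __name__ == "__main__":
    print("broken:", boot_and_emit_audit_events(fixed=False))
    print("fixed: ", boot_and_emit_audit_events(fixed=True))
```

The INFO event disappears in the broken run because the audit logger has no level of its own and inherits WARNING from root; nothing errors, which is why the loss was only noticed in prod.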
GUI
- Per-window history view (phase 8 migration `h3c4d5e67890`) — every window logged: type, range, status, imported/skipped, error, duration. Toggle in status card.
- Failed windows surfaced — new `completed_with_errors` job status + amber "Ukończony z błędami" ("Completed with errors") badge + "Niepowodzenia okien" ("Window failures") callout.
- On-demand artifact caching — `/api/v1/invoices/{ksef}/{xml,pdf}` now writes XML+PDF to disk and registers them in `invoice_artifacts`, so subsequent calls hit the cache (saves the 64/h KSeF rate budget).
- Tailwind subset gaps — restored `.hidden`, `.sr-only`, `whitespace-pre-line`, amber palette (used by the `/ui/push` notice + initial-load history). The QR-pairing reveal block was rendering before the auth click; "Pobierz PDF (0)" ("Download PDF (0)") was always visible. All fixed.
- Table separators — first row now matches divide-y color; logo↔menu gap widened.
Security
- CodeQL clean — closed alerts #5/#6/#7/#8/#9/#12/#13 (URL redirect sanitization, HTML regexp, URL substring). #10/#11 dismissed as false positives (cleartext-logging on `validate_password` error strings; SHA-256 pre-hash for bcrypt 72B limit per U-02 control).
- cryptography 46.0.7 → 47.0.0 — major bump audited per breaking-changes list (no SECT*, OpenSSL 3.x in Docker base, broad excepts catch new exception types).
Docs
- iOS App Store status notice — App Store v1.0.2 predates push pairing. `/ui/push` shows an amber callout pointing at kontakt@krzewilabs.pl for the TestFlight v1.1.x build; same blockquote in the README iOS Push section.
Migrations
- `h3c4d5e67890` — phase 8 `initial_load_windows`, idempotent against `Base.metadata.create_all`.
Tests
- 744 passed, 2 skipped (was 739 in v0.5.2).
- New: `TestAuthTokenAutoGeneration` (2 cases), `TestInitialLoadWindowLog` (2 cases). Updated: `test_exceeds_range` (90→89 inclusive semantic).
- CI matrix Python 3.10 / 3.11 / 3.12 + bandit + pip-audit green.
Upgrade path
- v0.5.0/v0.5.1/v0.5.2 → v0.5.3: `alembic upgrade head` brings phases 5–8 (`ui_users`, `ui_login_attempts`, `ui_sessions.ua_hash`, `initial_load_windows`).
- Operator-supplied `auth_token` → bootstrap admin still runs (`admin` = your token).
- Auto-generated `auth_token` → `/ui/setup` wizard required on first launch.
Full diff vs v0.4.0: see CHANGELOG.md — sections [0.5.0], [0.5.1], [0.5.2], [0.5.3].
KSeF Monitor v0.4
What's New in v0.4
REST API (FastAPI)
- 8 endpoints: invoices (list, detail), stats (summary, API), monitor (health, state, trigger), artifacts (pending)
- Bearer token auth with `hmac.compare_digest` (timing-safe)
- Swagger UI at `/docs`, pagination, filtering, sorting
- Security headers, rate limiting (slowapi), CORS control
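Added example, not the project's code, of the timing-safe bearer check the list mentions: parse the `Authorization` header, then hand `hmac.compare_digest` SHA-256 digests of both tokens so the inputs are always equal-length and neither the token length nor the position of the first mismatch leaks through timing. Function names, the token generator and the header edge cases handled are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def generate_auth_token() -> str:
    """256-bit URL-safe random token, the kind an auto-generated auth_token should be."""
    return secrets.token_urlsafe(32)


def _fingerprint(value: str) -> bytes:
    # Hashing both sides gives compare_digest equal-length inputs; compare_digest is
    # only constant-time when the lengths match, otherwise it returns early.
    return hashlib.sha256(value.encode("utf-8")).digest()


def bearer_token_valid(authorization: str | None, expected_token: str) -> bool:
    """Validate `Authorization: Bearer <token>` in constant time.

    False for a missing header, a non-Bearer scheme or an empty token. The scheme
    name is matched case-insensitively (RFC 7235); the token itself is not.
    """
    if not authorization:
        return False
    scheme, _, presented = authorization.strip().partition(" ")
    presented = presented.strip()
    if scheme.lower() != "bearer" or not presented:
        return False
    # never `presented == expected_token`: str equality stops at the first differing byte
    return hmac.compare_digest(_fingerprint(presented), _fingerprint(expected_token))


if __name__ == "__main__":
    token = generate_auth_token()
    print(bearer_token_valid(f"Bearer {token}", token), bearer_token_valid("Bearer nope", token))
```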
Rate Limiter
- Sliding window with 3 windows (10/s, 30/min, 120/h)
- Thread-safe, fail-closed, integrated with KSeF API client
- Automatic `429 Retry-After` handling
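Added example, not the project's limiter, of a thread-safe, fail-closed sliding-window limiter with the three tiers listed above (10/s, 30/min, 120/h) together with a `Retry-After` parser for the 429 responses the client must honour. It takes an injectable clock so the behaviour can be checked deterministically; class and function names are assumptions, and the three tier values are taken from this release note.

```python
from __future__ import annotations

import threading
import time
from collections import deque
from dataclasses import dataclass
from datetime import timezone
from email.utils import parsedate_to_datetime


@dataclass(frozen=True)
class Window:
    seconds: float  # length of the sliding window
    limit: int      # calls allowed inside any span of that length


# The three tiers from the v0.4 notes: 10/s, 30/min, 120/h.
KSEF_WINDOWS = (Window(1, 10), Window(60, 30), Window(3600, 120))


class SlidingWindowLimiter:
    """A call is admitted only if it fits every window; otherwise (False, retry_after)."""

    def __init__(self, windows=KSEF_WINDOWS, clock=time.monotonic):
        self._windows = tuple(windows)
        self._horizon = max(w.seconds for w in self._windows)
        self._clock = clock
        self._lock = threading.Lock()
        self._calls: deque[float] = deque()  # timestamps of admitted calls, ascending

    def try_acquire(self) -> tuple[bool, float]:
        try:
            with self._lock:
                now = self._clock()
                # forget calls older than the longest window; they matter to no tier
                while self._calls and self._calls[0] <= now - self._horizon:
                    self._calls.popleft()
                retry_after = 0.0
                for w in self._windows:
                    in_window = [t for t in self._calls if t > now - w.seconds]
                    if len(in_window) >= w.limit:
                        # this tier frees when its oldest in-window call ages out
                        retry_after = max(retry_after, in_window[0] + w.seconds - now)
                if retry_after > 0.0:
                    return False, retry_after
                self._calls.append(now)
                return True, 0.0
        except Exception:
            # fail closed: a broken clock or corrupted state must never admit a call
            return False, float(self._horizon)


def parse_retry_after(header: str | None, now: float | None = None) -> float | None:
    """Seconds to wait from a 429's Retry-After: delta-seconds or an HTTP-date.

    `now` is epoch seconds (defaults to time.time()); None means the header was unusable.
    """
    if header is None:
        return None
    value = header.strip()
    if value.isdigit():
        return float(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:                      # "-0000" dates come back naive
        when = when.replace(tzinfo=timezone.utc)
    now = time.time() if now is None else now
    return max(0.0, when.timestamp() - now)


if __name__ == "__main__":
    limiter = SlidingWindowLimiter()
    print([limiter.try_acquire() for _ in range(12)])
    print(parse_retry_after("120"), parse_retry_after("Wed, 21 Oct 2015 07:28:00 GMT"))
```

Checking every tier on each call, rather than the per-second one alone, is what makes the hourly budget hold: a burst that is legal per second can still be refused with a retry time of hundreds of seconds once the hour is spent.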
Database Phase 2
- `api_request_log` — KSeF API call tracking (endpoint, status, timing)
- `invoice_artifacts` — resumable artifact download tracking (status, retry count, SHA-256)
- `invoices.source` field
Refactoring
- Split `invoice_pdf_generator.py` (1792 lines) into 3 modules
- Unified 401-retry pattern in `ksef_client.py`
- Data-driven config validation
- QR code / font deduplication
Security Audit
- 10 security controls: SSTI sandbox, auth enforcement, rate limiting, CORS, CRLF, info disclosure
- Re-audit with Docker hardening
- Prometheus bind address restricted to `127.0.0.1` by default
Prometheus Metrics
- 10 metrics total (7 new in v0.4): API requests, response time, rate limiter, artifacts, REST API
Tests
- 423 tests, 0 failures
- New: rate limiter, DB phase 2, API auth, invoices, stats, monitor, security controls
Documentation
- New: `docs/REST_API.md` — full API reference
- Updated: DATABASE.md, ROADMAP.md, INDEX.md, PROJECT_STRUCTURE.md, README.md
- KSeF API version updated to v2.2/v2.3
Full Changelog: v0.3...v0.4.0
KSeF Monitor v0.3
KSeF Monitor v0.3 — Foundation: templating + DB
New features
- Jinja2 notifications — 5 templates per channel (Pushover, Discord, Slack, Email, Webhook) with custom filters (`money`, `date`, `json_escape`)
- Invoice PDF templates — HTML/CSS → PDF via xhtml2pdf with ReportLab fallback; dynamic columns, QR code, Polish formatting
- Configurable folder structure — placeholders `{year}`, `{month}`, `{day}`, `{type}` + file names (`{invoice_number}`, `{ksef}`, `{seller_nip}`, etc.)
- Overwrite safecheck — `skip`/`rename`/`overwrite` strategy when writing XML/PDF/UPO
- SQLite + SQLAlchemy 2.0 — `invoices`, `monitor_state`, `notification_log` tables with Alembic migrations
- On-demand trigger — `docker kill -s SIGUSR1 <container>` checks for invoices immediately, outside the schedule
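Added example, not the project's code, that puts three items from the list above together: the folder/filename placeholders, the overwrite strategy, and the path-traversal guard the Security section below mentions. Placeholder values come from invoice metadata that a counterparty controls (an invoice number is free text), so each value is reduced to a single safe path component, the assembled path must resolve inside `output_dir` even if the template itself is bad, and `skip`/`rename`/`overwrite` decides what happens when the file already exists. The templates, the sample KSeF number and all helper names are constructed assumptions.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# A single path component may only contain this charset; everything else becomes "_".
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")


def sanitize_component(value: str, max_len: int = 120) -> str:
    """Make an attacker-influenced value safe as one path component.

    Separators vanish, leading/trailing dots go (so no '.', '..' or hidden files),
    and the result is never empty.
    """
    cleaned = _UNSAFE.sub("_", value.strip())[:max_len].strip(".")
    return cleaned or "_"


def build_invoice_path(output_dir: Path, dir_template: str, name_template: str,
                       ext: str, fields: dict[str, object]) -> Path:
    """Expand placeholder templates and refuse anything that escapes output_dir."""
    safe = {k: sanitize_component(str(v)) for k, v in fields.items()}
    try:
        rel = Path(dir_template.format(**safe)) / f"{name_template.format(**safe)}.{ext}"
    except KeyError as exc:
        raise ValueError(f"template uses unknown placeholder {exc}") from None
    root = output_dir.resolve()
    candidate = (root / rel).resolve()
    try:
        candidate.relative_to(root)   # defence in depth: a '..' or absolute template still cannot escape
    except ValueError:
        raise ValueError(f"refusing to write outside output_dir: {candidate}") from None
    return candidate


def resolve_overwrite(target: Path, strategy: str) -> Path | None:
    """Apply the skip / rename / overwrite strategy; None means 'do not write'."""
    if not target.exists():
        return target
    if strategy == "skip":
        return None
    if strategy == "overwrite":
        return target
    if strategy == "rename":
        for n in range(1, 10_000):
            candidate = target.with_name(f"{target.stem}_{n}{target.suffix}")
            if not candidate.exists():
                return candidate
        raise FileExistsError(f"too many copies of {target.name}")
    raise ValueError(f"unknown overwrite strategy {strategy!r}")


def write_artifact(target: Path, data: bytes, strategy: str) -> Path | None:
    dest = resolve_overwrite(target, strategy)
    if dest is not None:
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
    return dest


def demo_overwrite_strategies() -> dict[str, object]:
    """Write one constructed invoice three times into a temp dir; report where each landed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        fields = {  # constructed sample metadata; the invoice number carries separators
            "year": 2025, "month": "03", "type": "sales",
            "invoice_number": "FV/2025/03/0012",
            "ksef": "1234567890-20250301-ABCDEF012345-67",
        }
        target = build_invoice_path(root, "{year}/{month}/{type}",
                                    "{invoice_number}_{ksef}", "pdf", fields)
        first = write_artifact(target, b"%PDF-1.4 first", "overwrite")
        skipped = write_artifact(target, b"%PDF-1.4 second", "skip")
        renamed = write_artifact(target, b"%PDF-1.4 third", "rename")
        return {
            "first": str(first.relative_to(root)),
            "skip": None if skipped is None else str(skipped.relative_to(root)),
            "rename": str(renamed.relative_to(root)),
            "first_intact": target.read_bytes() == b"%PDF-1.4 first",
        }


if __name__ == "__main__":
    print(demo_overwrite_strategies())
```

Sanitizing the values and guarding the resolved path are two separate controls on purpose: the first keeps invoice data from ever becoming a separator, the second catches an operator-supplied template such as `../{year}` that the first control does not touch.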
Security
- Security audit: 22 findings (C1-C2, H1-H5, M1-M8, L1-L3) — fixed
- Re-audit: Docker hardening, ReportLab XML escaping, auth failure callback coverage
- SHA-256 deduplication, atomic state write, path traversal guards, input sanitization
KSeF API
- Full pagination (`hasMore`/`isTruncated`, max 250/page, safety limit 10 000)
- `dateRange` capped at 90 days, 429 retry with backoff + `Retry-After`
- Updated to KSeF API v2.2.0
Infrastructure
- Docker entrypoint with `gosu`, named volumes, OCI image labels
- CI: Docker build & push, outdated packages check, OpenAPI/XSD spec monitoring
- Community: CONTRIBUTING.md, CODE_OF_CONDUCT.md, issue/PR templates
291 tests passing | Full documentation in docs/
KSeF Monitor v0.2
Multi-channel Notifications
- 5 notification channels: Pushover, Discord, Slack, Email, Webhook
- Concurrent multi-channel delivery (one failure doesn't block others)
- Strategy Pattern with NotificationManager facade
PDF & XML Invoice Storage
- Configurable file storage via the `storage` config section (`save_xml`, `save_pdf`, `output_dir`)
- PDF generation based on the official KSeF XSD/XSL schema
- QR Code Type I (invoice verification & download)
- Polish diacritical marks support (cross-platform fonts)
- Generation timestamp footer on every page
Monitoring & Scheduling
- Prometheus metrics endpoint (`/metrics`)
- Flexible scheduling: 5 modes (simple, minutes, hourly, daily, weekly)
- Timezone support for all date operations (IANA timezones, default: Europe/Warsaw)
Security & Auth
- KSeF API v2 authentication (RSA-OAEP encrypted token)
- Secrets from environment variables, Docker secrets, or config file
Documentation
- Comprehensive guides: QUICKSTART, NOTIFICATIONS, KSEF_TOKEN, SECURITY, TESTING, PDF_GENERATION
- Detailed Discord/Slack webhook creation steps
- KSeF token creation guide with read-only permissions
Full Changelog: v0.1...v0.2
v0.1
Full Changelog: https://github.com/mlotocki2k/KSeF_Monitor/commits/v0.1