v0.20.3 — Settings & Config Fixes

Fixed

• Settings preserved on upgrade — web UI settings survive addon restarts and upgrades
• OpenRouter 401 Forbidden — addon config API key now properly synced to settings on first start
• Ingress double-slash — path rewrite fix for HA Supervisor proxy
• Changelog — now shows only latest version in HA addon panel

v0.20.0 — English GUI

• All UI strings translated from Polish to English
• Fully internationalized interface

v0.19.0 — CVE Watch

• Periodic CVE vulnerability monitoring for installed components
• Configurable check interval
• MQTT alerts on new vulnerabilities
• Lightweight — checks deps without full scan

v0.18.0 — SARIF Export

• SARIF export for CI/CD integration
• Standard format compatible with GitHub Code Scanning, GitLab SAST, and other tools
• Export scan results as SARIF JSON

v0.17.0 — Cross-Component Intelligence

• Cross-component intelligence (L.5)
• Detect shared suspicious patterns across multiple components
• Aggregate reputation data for related components

v0.16.0 — Fingerprint Diff/Delta API

• Diff/delta API for fingerprint comparison between scans
• Track changes across component versions
• API endpoint for fingerprint comparison

v0.15.0 — Scheduled Periodic Scans

• Scheduled periodic scans of installed HACS components
• Configurable scan interval
• Auto-scan all installed components on schedule

v0.14.0 — Hot Reload & Rate Limiting

• Hot reload in debug mode
• Configurable AI timeout
• Repo cache cleanup after scans
• API rate limiting

v0.13.0 — AI Review Rewrite + PDF Export

AI Review Rewrite

• Model: switched from gemma3:12b to qwen2.5-coder:14b (benchmarked 4 models)
  • Malicious code: 0/10 score, 100% confidence (gemma gave 2/10, 95%)
  • Safe code: 9/10 score, 95% confidence (gemma gave 5/10, 50%)
• Single-step prompt: was 2-step (analysis → JSON conversion) which lost file paths and context
• System prompt: now used for Ollama (was only used for public API)
• No duplicate findings: AI findings that repeat static analysis are filtered
• No fabricated findings: prompt explicitly forbids repeating/inventing issues

PDF Export

• New /api/report/{id}/pdf endpoint
• PDF button in report modal (next to CSV and HTML)
• DejaVu Unicode font on Alpine, Helvetica fallback elsewhere

Bug Fixes

• Findings display: HTML in code field (e.g. innerHTML = '<div...') was parsed as DOM, hiding subsequent findings — all fields now HTML-escaped
• HTML export: same escape fix applied
• XSS hardening: onclick handlers use JSON.stringify() instead of manual escaping

AI Benchmark Results

Model	Time	Score (malicious)	Coverage	Confidence
gemma3:12b	33.8s	2/10	3/4	95%
qwen2.5-coder:14b	188s	0/10	4/4	100%
qwen3:14b	48.7s	1/10	3/4	95%
deepseek-coder-v2:16b	77.8s	4/10	4/4	70%

v0.12.2 — Ingress + Startup Fixes

Fixed

• Ingress double-slash 404 — GET // from Supervisor proxy now redirects to /
• Startup race condition — retry loop waits for Supervisor API before reading config (fixes "Unable to access the API, forbidden")
• MQTT graceful fallback — no error when MQTT service not configured