# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

### Added

- GoTestWAF native report (`report_{token}.html`) now gets a QR code injected for booth scanning
- SMTP configuration via environment variables (SMTP_HOST, SMTP_PORT, SMTP_USERNAME, SMTP_PASSWORD, SMTP_FROM)
- Public base URL configuration via the AASD_BASE_URL env var for QR codes and email links
- QR code injected into the consultant-facing GoTestWAF report (non-clickable, no link)

### Changed

- QR code on the user-facing report now points to the consultant report (`report_{token}.html`) instead of itself
- Report link in the simulation page no longer opens in a new tab (removed `target="_blank"`)
- Booth CTA text: "Bring this code to BU 4" → "Show this code to Sechpoint Africa Team"
- SMTP username corrected from `postpost@sechpoint.app` → `post@sechpoint.app`
- Email report link uses the configurable base URL instead of hardcoded `http://localhost:8080`

### Fixed

- **Critical**: SMTP authentication failure — corrected typo in username (`postpost` → `post`)
- QR code encoding relative paths — now uses the full public URL from AASD_BASE_URL
- Email report links hardcoded to localhost — now use the configured base URL

### Removed

- "Email Report to Me" button and sendEmail JavaScript from the user-facing report (prevented auto-email/spam concern)
- Hardcoded report link target in the simulation page

## [0.3.0] - 2026-04-22

### Added

- Comprehensive email validation with regex pattern
- Domain security validation (path traversal prevention, length limits)
- Graceful shutdown with OS signal handling (SIGINT, SIGTERM)
- Context propagation for GoTestWAF scan cancellation
- Reports static file serving endpoint (`/reports/*`)
- Go 1.25.0 compiler support
- Scan status polling endpoint (`/scan-status/:domain`) for real-time updates

### Changed

- GoTestWAF command flags updated for compatibility:
  - Removed invalid `--testCase "all"` flag
  - Added `--reportFormat html` flag for HTML report generation
- Fixed report file naming consistency
- Improved error handling throughout the application
- Enhanced code quality with Go idiomatic patterns
- Updated main.go with proper context management

### Fixed

- **Critical**: GoTestWAF integration bugs causing scan failures
- **Critical**: Missing `--reportFormat` flag preventing HTML report generation
- **Critical**: Report file mismatch between stored results and generated files
- **Security**: Weak email validation allowing malformed input
- **Security**: Path traversal vulnerability in domain handling
- **Code Quality**: Monolithic function structure violating the 50-line limit
- **Concurrency**: Potential race conditions in map access
- **Resource Leaks**: Goroutines not properly cancelled on shutdown
- **Missing Feature**: Reports not served via web endpoint

### Removed

- Invalid GoTestWAF flag `--testCase "all"` (not supported in current version)

## [0.2.0] - 2026-04-21

### Added

- Gin web framework dependency installed
- POST `/start` endpoint with email domain extraction and validation
- Static file serving (`/static`, `/`, `/simulation`)
- In-memory storage for scan results with thread-safe mutex
- Basic HTML frontend: capture page (`index.html`) with QR placeholder
- Simulation page (`simulation.html`) with JavaScript step sequencer
- Consultant dashboard (`/admin-dashboard`) with results table
- GoTestWAF binary integration (background execution with flags)
- Reports directory auto-creation
- Server listens on `0.0.0.0:8080` for booth Wi-Fi access

### Changed

- Project structure refined: `AttackSurface/{bin,src,docs}`
- Git repository initialized with `main` branch
- Go 1.24.4 installed via official binary

### Fixed

- N/A

## [0.1.0] - 2026-04-21

### Added

- Project initialization based on PROJECT_PLAN.md
- Basic directory structure for Go web application
- GoTestWAF binary integration (planned)
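The 0.3.0 entries above list stricter email validation and domain validation with path traversal prevention and length limits, but the changelog does not show what those checks look like. The following is an added example written for this changelog, not the project's own code: the function names `domainFromEmail`, `validateDomain` and `reportPathFor`, the per-domain report file name and the `reports` directory are assumptions chosen for illustration. It validates the domain extracted from a submitted email against RFC 1035 length limits and a hostname-label pattern, rejects any path or URL metacharacters, and, as defence in depth, confirms the resulting report path still resolves inside the reports directory before it is used.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed limits from RFC 1035: whole hostname and individual label.
const (
	maxDomainLen = 253
	maxLabelLen  = 63
)

// labelRe matches one lower-cased hostname label: letters, digits and hyphens,
// with no leading or trailing hyphen.
var labelRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]*[a-z0-9])?$`)

// emailRe only checks the overall local@domain shape; the domain part is then
// validated separately and more strictly by validateDomain.
var emailRe = regexp.MustCompile(`^[A-Za-z0-9._%+-]+@[^@\s]+$`)

// domainFromEmail extracts and validates the domain of a submitted address
// (hypothetical helper name; not from the project).
func domainFromEmail(email string) (string, error) {
	email = strings.TrimSpace(email)
	if !emailRe.MatchString(email) {
		return "", errors.New("malformed email address")
	}
	at := strings.LastIndex(email, "@")
	return validateDomain(email[at+1:])
}

// validateDomain normalises a domain and rejects anything that could not be a
// plain hostname, including characters a path or URL parser would treat
// structurally (hypothetical helper name; not from the project).
func validateDomain(raw string) (string, error) {
	d := strings.ToLower(strings.TrimSpace(raw))
	d = strings.TrimSuffix(d, ".") // tolerate a trailing root dot
	if d == "" || len(d) > maxDomainLen {
		return "", fmt.Errorf("domain length out of range (%d)", len(d))
	}
	if strings.ContainsAny(d, "/\\:?#%") || strings.Contains(d, "..") {
		return "", errors.New("domain contains path or URL metacharacters")
	}
	labels := strings.Split(d, ".")
	if len(labels) < 2 {
		return "", errors.New("domain must have at least two labels")
	}
	for _, l := range labels {
		if len(l) > maxLabelLen || !labelRe.MatchString(l) {
			return "", fmt.Errorf("invalid hostname label %q", l)
		}
	}
	return d, nil
}

// reportPathFor builds the per-domain report path and verifies it stays inside
// reportsDir even after validation (assumed file naming; the changelog's reports
// are named by token, not domain).
func reportPathFor(reportsDir, domain string) (string, error) {
	d, err := validateDomain(domain)
	if err != nil {
		return "", err
	}
	base, err := filepath.Abs(reportsDir)
	if err != nil {
		return "", err
	}
	p := filepath.Join(base, "report_"+d+".html")
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == "." || strings.HasPrefix(rel, "..") {
		return "", errors.New("report path escapes reports directory")
	}
	return p, nil
}

func main() {
	// Constructed sample inputs: one well-formed address and two hostile domains.
	for _, in := range []string{"Alice@Example.COM", "x@../../etc/passwd", "y@a.example.com/.."} {
		d, err := domainFromEmail(in)
		fmt.Printf("%-28s -> domain=%q err=%v\n", in, d, err)
	}
	if p, err := reportPathFor("reports", "example.com"); err == nil {
		fmt.Println("report path:", p)
	}
}
```

The `..` and separator checks in `validateDomain` are what make the `filepath.Rel` check in `reportPathFor` redundant in practice; keeping both means a later change to the domain rules cannot silently reopen the traversal issue the 0.3.0 fix closed.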