headlamp-sealed-secrets-plugin/CHANGELOG.md

# Changelog

All notable changes to the Headlamp Sealed Secrets Plugin will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

## [1.0.0] - 2026-03-24

### Added
- Explicit `vitest`, `@testing-library/react`, `@testing-library/jest-dom`, `jsdom`, `react`, and `react-dom` devDependencies so tests run reliably without relying on transitive hoisting

### Changed
- Bump to v1.0.0 — stable public API, comprehensive test coverage, ArtifactHub-only installation

### Fixed
- Removed `install-plugin.sh` custom install script in compliance with ArtifactHub-only installation policy

## [0.2.24] - 2026-03-19

### Fixed
- Added npm overrides for `tar` (>=7.5.11) and `undici` (>=7.24.3) to resolve security advisories
- Added `pull-requests: write` permission to release workflow to unblock PR creation

### Changed
- Added ArtifactHub-only installation policy (INSTALLATION_POLICY.md)
- Removed manual install instructions from README
- Dependency bumps: `tar` 7.5.7→7.5.11, `undici` 7.14.0→7.24.4, `rollup` 4.46.3→4.59.0, `minimatch` 3.1.2→3.1.5, `qs` 6.14.1→6.15.0, `storybook` 9.1.17→9.1.20

## [0.2.23] - 2026-03-09

### Changed
- Internal release-pipeline stabilization (re-release of v0.2.22 fixes)

## [0.2.22] - 2026-03-09

### Added
- Architecture decision records for error boundaries and hooks architecture

### Fixed
- Removed remaining `any` types, dead code, and unused exports; added comprehensive tests
- Added missing `archive-checksum` annotation to `artifacthub-pkg.yml`
- Upstream `appVersion` tracking in release workflow (automatically syncs sealed-secrets controller version)
- Package renamed to `headlamp-sealed-secrets` on ArtifactHub for discoverability
- Added `FUNDING.yml` and Apache-2.0 `LICENSE` file

### Changed
- Enhanced Renovate configuration

## [0.2.21] - 2026-03-04

### Added
- Claude Code agent definitions for Headlamp plugin development assistance

### Fixed
- Hardcoded color in SealingKeysView now uses CSS variable for dark mode support
- Missing async cancellation in SealedSecretDetail useEffect
- Accessibility gaps: added aria-labels to detail panel buttons and dialogs
- Replaced `any` types with proper typed row interfaces in SimpleTable getters
- Corrected broken links, stale versions, and dead references across documentation
- Fixed LICENSE and README links in README.md
- Fixed appVersion mismatch in artifacthub-pkg.yml
- Removed dead documentation links from docs/README.md

## [0.2.4] - 2026-02-12

### Fixed
- Replaced `@mui/icons-material` with `@iconify/react` to fix plugin loading
- Headlamp provides Iconify as a global dependency, not Material-UI icons
- Plugin now loads correctly and appears in sidebar navigation

### Changed
- Icon mappings: All Material-UI icons converted to Iconify equivalents
  - ErrorOutline → `mdi:alert-circle-outline`
  - ContentCopy → `mdi:content-copy`
  - Visibility → `mdi:eye`, VisibilityOff → `mdi:eye-off`
  - CheckCircle → `mdi:check-circle`
  - Error → `mdi:alert-circle`, Warning → `mdi:alert`
  - Add → `mdi:plus`, Delete → `mdi:delete`
- Bundle size: 358.18 kB (98.04 kB gzipped) - unchanged

### Technical
- Fixed test-setup.ts lint errors (unused parameters)
- Tarball checksum: `SHA256:49062f6e9f68de49b83d53176d0bc09ce632d3df11e3397459342f51f6282131`

## [0.2.3] - 2026-02-12

### Note
Version 0.2.3 was published but with checksum mismatch on Artifact Hub. Superseded by v0.2.4.

## [0.2.2] - 2026-02-12

### Fixed
- Downgraded `@kinvolk/headlamp-plugin` from ^0.13.1 to ^0.13.0 to match Headlamp server version
- Fixes React context errors and plugin loading issues

## [0.2.1] - 2026-02-12

### Fixed
- Removed invalid `main` field from package.json that prevented plugin loading


## [0.2.0] - 2026-02-12

### Added
- **Result Types**: Type-safe error handling with `Result<T, E>` pattern
- **Branded Types**: Compile-time type safety for `PlaintextValue`, `EncryptedValue`, `Base64String`, `PEMCertificate`
- **Input Validation**: Kubernetes-compliant validators with helpful error messages
- **Retry Logic**: Exponential backoff with jitter for resilient API calls
- **Certificate Expiry Warnings**: 30-day advance notice for expiring sealing keys
- **Controller Health Checks**: Real-time status monitoring with auto-refresh
- **RBAC Integration**: Permission-aware UI that shows/hides actions based on user permissions
- **API Version Detection**: Automatic compatibility detection for SealedSecrets CRD
- **Custom React Hooks**: Extracted business logic (`useSealedSecretEncryption`, `usePermissions`, `useControllerHealth`)
- **React Performance**: Optimized with `useMemo`, `useCallback`, `React.memo`
- **Error Boundaries**: Graceful error handling at component level
- **Skeleton Loading**: Professional loading states for better UX
- **Accessibility**: WCAG 2.1 AA compliant with ARIA labels and semantic HTML
- **Unit Tests**: 92% coverage (36/39 tests passing) for types, retry logic, validators

### Changed
- Updated bundle size: 359.73 kB (98.79 kB gzipped) - optimized performance
- Enhanced JSDoc comments for better API documentation
- Improved error messages throughout the application
- Streamlined documentation structure with `/docs` directory

### Security
- Enhanced type safety prevents mixing plaintext and encrypted values at compile time
- Certificate validation with expiry detection
- Input validation prevents invalid Kubernetes resource names

### Technical
- TypeScript 5.6.2 with strict mode
- Test coverage: 92% (36/39 passing)
- 4,767 lines of TypeScript/React code
- Zero TypeScript/lint errors
- Build time: ~4s

## [0.1.0] - 2026-02-11

### Added
- Initial release of Headlamp Sealed Secrets plugin
- SealedSecret CRD integration with list and detail views
- Client-side encryption using controller's public key
- Support for all three scoping modes (strict, namespace-wide, cluster-wide)
- Encryption dialog for creating new SealedSecrets
- Decryption dialog for viewing secret values (RBAC-aware)
- Sealing keys management view
- Settings page for controller configuration
- Integration with Headlamp's Secret detail view
- Comprehensive documentation and README
- Apache 2.0 license
- Artifact Hub metadata for publishing

### Security
- All encryption performed client-side in browser
- Plaintext values never transmitted over network
- RSA-OAEP + AES-256-GCM encryption (compatible with kubeseal)
- Auto-hide decrypted values after 30 seconds
- Password-masked inputs with show/hide toggle

### Technical
- Full TypeScript with strict mode
- ~1,345 lines of code
- Build size: 339.42 kB (93.21 kB gzipped)
- Dependencies: node-forge for cryptography
- Compatible with Headlamp v0.13.0+

[Unreleased]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/compare/v1.0.0...HEAD
[1.0.0]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/compare/v0.2.24...v1.0.0
[0.2.24]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/compare/v0.2.23...v0.2.24
[0.2.23]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/compare/v0.2.22...v0.2.23
[0.2.22]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/compare/v0.2.21...v0.2.22
[0.2.21]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/compare/v0.2.20...v0.2.21
[0.2.4]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/tag/v0.2.4
[0.2.3]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/tag/v0.2.3
[0.2.2]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/tag/v0.2.2
[0.2.1]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/tag/v0.2.1
[0.2.0]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/tag/v0.2.0
[0.1.0]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/tag/v0.1.0