Changelog 10.4.0

MINOR 2026-03-25

LUMA Nova 10.4.0 — Security Hardening, Elyn Intelligence, Nino TV Controls & Codex

Security hardening

  • Authentication API now enforces JSON content-type and strict input caps on login/register.
  • Login now rotates active sessions and hardens ws_session cookie with httpOnly.
  • Registration adds a honeypot anti-bot field and stricter email/password validation.
  • CSRF origin checks now leverage Sec-Fetch-Site first and reject explicit null origin.
  • Dangerous dev API route was removed from the public API registry.
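The Sec-Fetch-Site-first origin check described above, written out as an added example (this is illustrative code, not LUMA's own `login.js` or CSRF middleware). It assumes Express-style lowercase `req.headers`, an allowlist of trusted origins supplied by the caller, and the policy that only `same-origin` and `none` fetch sites may perform state-changing requests:

```javascript
// Added example: CSRF provenance check that trusts Sec-Fetch-Site first,
// falls back to Origin/Referer for clients that do not send it, and never
// accepts the literal "null" origin. Allowlist and policy are assumptions.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// scheme://host[:port] of a URL, or null when it does not parse.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// headers: plain object with lowercase keys (as Express exposes req.headers).
// Returns { allowed, reason } so the caller can log why a request was refused.
function checkRequestOrigin(method, headers, allowedOrigins) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allowed: true, reason: 'safe-method' };
  }

  const site = (headers['sec-fetch-site'] || '').toLowerCase();
  if (site) {
    // Browsers set this header themselves; a page cannot forge it, so it
    // takes precedence over Origin/Referer.
    if (site === 'same-origin' || site === 'none') {
      return { allowed: true, reason: `sec-fetch-site=${site}` };
    }
    return { allowed: false, reason: `sec-fetch-site=${site}` };
  }

  const origin = headers['origin'];
  if (origin !== undefined) {
    // "null" is sent for sandboxed iframes, data: URLs and some redirects;
    // it carries no provenance and is rejected explicitly.
    if (origin === 'null') return { allowed: false, reason: 'null-origin' };
    return allowedOrigins.has(origin)
      ? { allowed: true, reason: 'origin-allowlisted' }
      : { allowed: false, reason: 'origin-not-allowlisted' };
  }

  // Older clients: accept a Referer whose origin is allowlisted.
  const refOrigin = headers['referer'] ? originOf(headers['referer']) : null;
  if (refOrigin && allowedOrigins.has(refOrigin)) {
    return { allowed: true, reason: 'referer-allowlisted' };
  }

  // No usable provenance on a state-changing request: fail closed.
  return { allowed: false, reason: 'no-origin-information' };
}

// Express-style middleware factory built on the check above (assumed shape).
function csrfOriginGuard(allowedOrigins) {
  const allow = new Set(allowedOrigins);
  return function (req, res, next) {
    const verdict = checkRequestOrigin(req.method, req.headers, allow);
    if (!verdict.allowed) {
      return res.status(403).json({ error: 'csrf_origin_rejected', reason: verdict.reason });
    }
    next();
  };
}

// Constructed sample requests for a stand-alone run (not captured traffic).
const DEMO_ALLOW = new Set(['https://luma.example']);
const SAMPLES = [
  ['POST', { 'sec-fetch-site': 'same-origin' }],
  ['POST', { 'sec-fetch-site': 'cross-site', origin: 'https://luma.example' }],
  ['POST', { origin: 'null' }],
  ['POST', { origin: 'https://evil.example' }],
  ['POST', { referer: 'https://luma.example/watch/42' }],
  ['POST', {}],
];
for (const [method, headers] of SAMPLES) {
  console.log(method, JSON.stringify(headers), '->', checkRequestOrigin(method, headers, DEMO_ALLOW));
}
```

Note the second sample: an allowlisted Origin does not rescue a request the browser itself labels `cross-site`, which is the point of consulting Sec-Fetch-Site first.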

Elyn and Shield improvements

  • Elyn decision engine now scores geo-risk countries and request velocity (single, burst, flood).
  • Rate limiting now adapts dynamically from Elyn IP policy (observe, throttled, blocked).
  • Bruteforce shield now emits Elyn events for attempt and escalation signals.
  • Shield dashboard now exposes velocity tags, geo indicators, and brute-force activity tables.
  • Elyn chat now supports short-lived context cache, multi-turn history, and better Ollama fallback behavior.

API and platform safety

  • CORS now warns explicitly when CORS_ORIGIN is missing (fail-closed cross-origin).
  • Environment bootstrap now requires explicit database configuration (no unsafe fallback DSN).
  • DropIt API now requires auth for file/config routes and applies per-user upload quotas.
  • QRYPT APIs and websocket handlers now validate message payload types and apply socket rate limits.
  • Users search endpoint no longer searches by email field.

Nino updates

  • Nino upload path now enforces extension/mimetype allowlist and validates video magic bytes.
  • Nino upload adds per-user quota check before multer writes to disk.
  • Nino API now returns explicit errors for invalid type and oversized file uploads.
  • Nino TV mode adds remote control key normalization, back-key handling, and focus navigation polish.
  • Watch shortcuts were refactored to support TV remotes and avoid editable-field interception.
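The upload validation the Nino items describe, as an added example (illustrative code, not Nino's own upload path): an extension/MIME allowlist, a size cap, and a magic-byte sniff of the file head so a renamed non-video is refused with an explicit error. The allowlist entries, the error codes and the size limit are assumptions for the demo; the container signatures (`ftyp` at offset 4 for MP4, the EBML header `1A 45 DF A3` for WebM/Matroska, `OggS` for Ogg) are the standard ones.

```javascript
// Added example: validate a video upload by extension, declared MIME type,
// size and leading bytes. Allowlist and error codes are assumptions.

const ALLOWED = {
  '.mp4': new Set(['video/mp4']),
  '.webm': new Set(['video/webm']),
  '.mkv': new Set(['video/x-matroska']),
  '.ogv': new Set(['video/ogg']),
};

// Container each extension must actually contain.
const CONTAINER_FOR_EXT = { '.mp4': 'mp4', '.webm': 'matroska', '.mkv': 'matroska', '.ogv': 'ogg' };

function extOf(filename) {
  const i = filename.lastIndexOf('.');
  return i <= 0 ? '' : filename.slice(i).toLowerCase();
}

// Identify a video container from the first bytes of the file, or null.
function sniffVideoContainer(buf) {
  if (buf.length >= 12 && buf.toString('latin1', 4, 8) === 'ftyp') return 'mp4';
  if (buf.length >= 4 && buf[0] === 0x1a && buf[1] === 0x45 && buf[2] === 0xdf && buf[3] === 0xa3) return 'matroska';
  if (buf.length >= 4 && buf.toString('latin1', 0, 4) === 'OggS') return 'ogg';
  return null;
}

// upload: { filename, mimetype, head (Buffer of leading bytes), size }.
// Returns { ok: true, container } or { ok: false, error, detail }.
function validateVideoUpload({ filename, mimetype, head, size }, maxBytes) {
  const ext = extOf(filename);
  if (!ALLOWED[ext]) {
    return { ok: false, error: 'invalid_type', detail: `extension ${ext || '(none)'} not allowed` };
  }
  if (!ALLOWED[ext].has(mimetype)) {
    return { ok: false, error: 'invalid_type', detail: `mimetype ${mimetype} not allowed for ${ext}` };
  }
  if (size > maxBytes) {
    return { ok: false, error: 'file_too_large', detail: `${size} bytes exceeds ${maxBytes}` };
  }
  const container = sniffVideoContainer(head);
  if (container !== CONTAINER_FOR_EXT[ext]) {
    return { ok: false, error: 'invalid_type', detail: `content is ${container || 'unrecognised'}, expected ${CONTAINER_FOR_EXT[ext]}` };
  }
  return { ok: true, container };
}

// Constructed file heads for a stand-alone run (not real uploads).
const MP4_HEAD = Buffer.concat([Buffer.from([0x00, 0x00, 0x00, 0x18]), Buffer.from('ftypmp42', 'latin1'), Buffer.alloc(8)]);
const WEBM_HEAD = Buffer.from([0x1a, 0x45, 0xdf, 0xa3, 0x9f, 0x42, 0x86, 0x81, 0x01]);
const PNG_HEAD = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

const MAX_DEMO_BYTES = 10000;
for (const upload of [
  { filename: 'clip.mp4', mimetype: 'video/mp4', head: MP4_HEAD, size: 1000 },
  { filename: 'clip.mp4', mimetype: 'video/mp4', head: PNG_HEAD, size: 1000 }, // renamed image
  { filename: 'clip.webm', mimetype: 'video/webm', head: WEBM_HEAD, size: 20000 }, // too big
  { filename: 'tool.exe', mimetype: 'video/mp4', head: MP4_HEAD, size: 10 },
]) {
  console.log(upload.filename, '->', validateVideoUpload(upload, MAX_DEMO_BYTES));
}
```

With Multer, the extension/MIME part fits its `fileFilter` callback, which only sees the declared `originalname` and `mimetype`; the magic-byte sniff needs real bytes, so it has to run once the head of the file is available (for example by reading the first bytes of the temporary file before accepting it). Sniffing first also keeps the quota check honest: a file is only counted against the user once it is known to be a video.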

Nest public API

  • Added new public /api/nest endpoints for Nino feed, Orion agents, and Orion alerts with cache and fallback modes.

Codex — New narrative reading module

  • Launch of the Codex module: a platform for reading interactive stories in the .cdx format
  • Two reading modes: click (advance on click, visual-novel style) and scroll (reveal on scroll)
  • Visual-novel-style portrait system: characters positioned left/right with pose variants
  • Illustrated background per scene via the @bg directive, with a fade transition
  • Automatic saving of progress per work (reading mode + position)
  • Dismissable 'New' badge, 'Restart' button when saved progress exists
  • Back-to-LUMA link in the reader header and on the index page

Codex Admin — Complete administration interface

  • New /admin/codex section reachable via the 'Codex' card on the admin dashboard
  • Work editor with 3 tabs: Information, Characters, Chapters
  • Full-height CDX editor with Ctrl+S, save indicator and .cdx file import
  • Character management: name, colour, portrait, position (left/right), CSS class
  • Sonora Studio and Codex cards added to the admin dashboard in a new Content section

Auth and session security

  • app/controllers/auth/login.js: removed trust in client-forged x-forwarded-proto for secure-request checks.
  • app/controllers/auth/login.js: revoke old sessions on successful login before issuing a new one.
  • app/routes/api/auth/login.js: enforce application/json and strict credential typing/length limits.
  • app/controllers/auth/register.js + app/routes/api/auth/register.js: honeypot support and stronger pre-validation guards.
  • app/core/views/luma/auth/register.ejs: hidden honeypot field wiring for bot filtering.

Shield runtime and scoring

  • app/shield/services/elynDecisionEngine.js: geo score via ELYN_HIGH_RISK_COUNTRIES and velocity-based attack typing.
  • app/middleware/rateLimit.js: dynamic quota multiplier from getIpPolicy() with hard block behavior.
  • app/shield/middleware/trafficGuard.js: split strong probe patterns from noisy patterns to reduce false auto-bans.
  • app/shield/middleware/banCheck.js: soft-ban delay before 403 response to slow probing feedback loops.
  • app/shield/middleware/rateShield.js: bounded in-memory IP map with oldest-entry eviction.
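The bounded IP map with oldest-entry eviction from the `rateShield.js` item, shown as an added example (illustrative code, not the project's `rateShield.js`): a `Map` keeps insertion order, so the first key is always the oldest entry and can be dropped when the cap is reached, which keeps memory bounded no matter how many distinct source addresses are seen. The window/threshold numbers and the `hit()` return shape are assumptions for the demo.

```javascript
// Added example: fixed-capacity per-IP counter table with FIFO eviction,
// and a small fixed-window rate shield built on top of it. Parameters are
// assumptions, not the project's configuration.

class BoundedIpMap {
  constructor(maxEntries) {
    this.max = maxEntries;
    this.map = new Map();
  }

  get(ip) {
    return this.map.get(ip);
  }

  set(ip, value) {
    if (!this.map.has(ip) && this.map.size >= this.max) {
      // Map iterates in insertion order; the first key is the oldest entry.
      // Updating an existing key does not move it, so eviction stays FIFO.
      const oldest = this.map.keys().next().value;
      this.map.delete(oldest);
    }
    this.map.set(ip, value);
    return this;
  }

  delete(ip) {
    return this.map.delete(ip);
  }

  get size() {
    return this.map.size;
  }
}

// Fixed-window counter: more than maxHits requests from one IP inside
// windowMs are reported as blocked. `now` is injectable for testing.
function makeRateShield({ maxIps, windowMs, maxHits }) {
  const table = new BoundedIpMap(maxIps);

  function hit(ip, now = Date.now()) {
    let entry = table.get(ip);
    if (!entry || now - entry.windowStart >= windowMs) {
      entry = { windowStart: now, count: 0 };
    }
    entry.count += 1;
    table.set(ip, entry);
    return { blocked: entry.count > maxHits, count: entry.count, tracked: table.size };
  }

  return { hit, table };
}

// Constructed traffic for a stand-alone run: three addresses against a
// table that holds only two, then a burst from the newest one.
const demo = makeRateShield({ maxIps: 2, windowMs: 1000, maxHits: 3 });
for (const ip of ['10.0.0.1', '10.0.0.2', '10.0.0.3']) {
  console.log(ip, demo.hit(ip, 0));
}
for (let i = 0; i < 4; i++) {
  console.log('10.0.0.3 burst', demo.hit('10.0.0.3', 10));
}
```

The trade-off to keep in mind: once the table is full, a flood of fresh addresses pushes out the counters of the addresses that were actually being throttled, so the cap should be sized above the number of distinct IPs the node sees per window, and the hard-block decision for persistent offenders belongs in the ban layer rather than in this table.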

Elyn memory and chat runtime

  • app/services/vectorIndexingService.js: added auth_events and luma_bans as indexable sources.
  • app/shield/routes/api.js: added manual job trigger elynVectorIndexing and chat history passthrough.
  • app/shield/services/elynChatService.js: context TTL cache, expanded prompt contract, and history-aware Ollama calls.
  • app/services/lumaAssistantService.js: improved intent handling for short starts, repetition control, and recommendation quality.
  • app/shield/controllers/shieldAdminController.js + dashboard.ejs: new datasets and visual diagnostics for geo/velocity/bruteforce.

Codex — Frontend architecture

  • app/modules/codex/assets/js/codex/parser.js: parses .cdx into an array of typed actions
  • app/modules/codex/assets/js/codex/engine.js: renderClick / renderScroll engine + IntersectionObserver scroll reveal + onPortrait callback
  • app/modules/codex/assets/js/codex/reader.js: bootstrap, makePortraitHandler (URL cache, active/dim/hidden), makeBgHandler (fade), applyMode
  • app/modules/codex/assets/js/codex/index.js: badge dismiss (POST progress), updateCards (Continue / Restart)
  • app/modules/codex/views/codex/reader.ejs: #portrait-left / #portrait-right slots, LUMA/Codex nav in the topbar
  • app/modules/codex/assets/css/codex/reader.css: z-index layering bg(0)/portraits(1)/stage(2), portrait active/dim/hidden transitions

Codex — Backend architecture

  • app/routes/web/codex.js: complete async sqlV3 rewrite: listWorks (chapter_stats + first_chapters CTEs), loadWorkBySlug, renderReader
  • app/routes/api/codex.js: fixed the sqlV3 call signature (a {text, values} object instead of 3 arguments)
  • app/routes/api/admin/codex.js: full CRUD for works / characters / chapters behind the admin.codex.manage ACL
  • app/routes/admin/codex.js: admin web routes (list, work editor, chapter editor)
  • app/modules/api.registry.js: admin-codex registered on /admin/codex
  • app/routes/admin/index.js: r.use('/codex', requireACL('admin.codex.manage'), codexRoutes)

Codex — Admin UI

  • app/modules/admin/views/admin/codex/index.ejs: works table + 'New work' modal
  • app/modules/admin/views/admin/codex/work.ejs: 3 tabs (meta, characters, chapters) + danger zone
  • app/modules/admin/views/admin/codex/chapter.ejs: full-height CDX editor + format help
  • app/modules/admin/assets/css/admin/codex.css: cdx-* classes (table, tabs, form, editor, modal, danger zone)
  • app/modules/admin/assets/js/admin/codex/index.js, work.js, chapter.js: CRUD and save logic
  • app/modules/admin/views/admin/index.ejs: Content section with Sonora Studio and Codex cards

Codex — Database

  • Migration 179_codex_db.sql: tables codex_works, codex_chapters (content TEXT), codex_characters (portrait, position CHECK left/right)
  • Migration 180_codex_portraits.sql: idempotent ALTER TABLE for portrait/position when 179 has already been applied
  • app/scripts/codex-import.js: UPSERT script importing .cdx files from disk into the DB

Data and migration

  • app/database/migrations/174_audit_log_indexes.sql: added covering indexes for audit_log, auth_events, and luma_bans read paths.
  • Note: migration filename number 174 is already used by an existing migration (174_aether_feature_pack.sql); verify the ordering policy before release.

Release notes

  • LUMA version bumped to 10.4.0 (Nova-10.4.0 - Build 10400).
  • New CODEX module 1.0.0.
  • Admin bumped to 1.2.0.
  • Core ELYN version bumped to 1.2.0.
  • Core NINO version bumped to 5.1.0.
  • New ACL required: admin.codex.manage (to be granted to the admin/luma roles via migration).