Release Notes:

--------------------
2.10 Release
--------------------
NEW FEATURES:
- Added Easy Installation System
  * Created easy-install.sh: One-command installer eliminating need for chmod
  * Installation reduced from 3 commands to 1 simple command:
    curl -sSL https://raw.githubusercontent.com/rcrum003/HiveControl/master/easy-install.sh | sudo bash
  * Added EASY_INSTALL_GUIDE.md: Complete beginner's guide from SD card imaging to running system
    - Step-by-step Raspberry Pi OS 5 installation instructions
    - How to use Raspberry Pi Imager with screenshots
    - WiFi and SSH configuration walkthrough
    - Sensor connection guide
    - Comprehensive troubleshooting section
  * Added DOWNLOAD_INSTRUCTIONS.md: All installation methods with comparisons
    - One-line installation (recommended for beginners)
    - Manual download and run (for code review)
    - Git clone method (for developers)
    - What happens during installation explained
  * Added QUICK_REFERENCE.md: Printable one-page reference card
    - Common commands and system control
    - Web interface quick links
    - Sensor testing commands
    - File locations and pin connections
    - Troubleshooting quick fixes
  * Created download.html: Beautiful web-based download page
    - Interactive installation method selector
    - Copy-to-clipboard buttons for commands
    - Visual step-by-step guides
    - Links to all documentation
  * Updated README.md with simplified installation instructions
    - Prominent easy installation section
    - Clear options for different features
    - Links to comprehensive guides
  * Added PACKAGING_IMPROVEMENTS.md: Complete documentation of all improvements
  * Addresses user feedback that "chmod u+x and multiple commands are too hard"
  * Makes HiveControl accessible to non-technical beekeepers

- Added Backup & Restore System (backup.php)
  * Create full database backups (60MB+ databases supported)
  * Create configuration-only backups for quick settings preservation
  * Restore from any backup with automatic safety backup before restore
  * Download backups to local computer
  * Delete old backups to manage storage
  * All operations logged with user IP tracking
  * Protected backup directory with .htaccess deny rules
  * Optimized for large databases using file copy instead of SQL export
  * Updated navigation menus to include "Backup & Restore" option

- Added Admin Password Management System (changepassword.php)
  * Change admin password through web interface
  * Current password verification required
  * Minimum 8 character password requirement
  * Password confirmation to prevent typos
  * Supports multiple Apache htpasswd hash formats (APR1, bcrypt, SHA1, crypt)
  * All password changes logged with IP tracking

- Added Comprehensive Help Documentation System
  * Created central help.php with topic-based navigation
  * Added 13 comprehensive help topics covering all system features
  * Topics include: Overview, Initial Setup, Basic Settings, Instruments & Sensors,
    Calibration, Weather Sources, Dashboard Guide, Hive Components, Site Preferences,
    System Commands, Backup & Restore, Change Password, and Troubleshooting
  * Professional styling with Font Awesome icons and Bootstrap UI
  * Step-by-step guides with visual indicators
  * Code examples and configuration instructions
  * Best practices and recommendations for each feature area
  * Added Help link to navigation menu (both wide and normal orientations)

WEB APPLICATION SECURITY FIXES:
- Fixed CRITICAL SQL injection vulnerabilities in admin interface
  * loglocal() function now uses parameterized queries instead of string interpolation
  * removezero command uses strict column name whitelisting (hivetempf, hiveHum, hiveweight, IN_COUNT)
  * Message queue operations converted to parameterized queries
  * All database operations now use PDO prepared statements with ? placeholders
  * Prevents database manipulation, data theft, and privilege escalation

- Fixed HIGH severity XSS (Cross-Site Scripting) vulnerabilities
  * All log output properly escaped with htmlspecialchars() in getlog() function
  * Error messages properly escaped in system.php command handling
  * Database content escaped before display to prevent script injection
  * Prevents session hijacking, credential theft, and malicious JavaScript execution

- Implemented CSRF (Cross-Site Request Forgery) protection
  * All POST forms now include cryptographically secure CSRF tokens
  * Token validation required before processing sensitive operations
  * Implemented in backup.php, changepassword.php, and other admin forms
  * Session-based token storage with automatic regeneration
  * Prevents unauthorized actions from malicious websites

- Improved session security configuration
  * HTTPOnly cookies prevent JavaScript access to session IDs
  * SameSite=Strict prevents cross-site request attacks
  * Strict session mode rejects uninitialized session IDs
  * Session ID regenerated every 5 minutes to prevent session fixation
  * 1-hour session timeout (configurable in security-init.php)
  * Note: session.cookie_secure disabled by default (enable if using HTTPS)

- Fixed HIGH severity IP spoofing vulnerability
  * getUserIP() now only trusts REMOTE_ADDR for accurate logging
  * Removed trust of HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP headers
  * Prevents attackers from forging IP addresses in logs
  * Command injection via IP spoofing no longer possible

- Removed plaintext password exposure in hiveconfig.php
  * Hivetool.org password field no longer pre-filled in forms
  * Password not visible in HTML source code or browser memory
  * Update logic preserves existing password if field left empty
  * Prevents password theft via shoulder surfing or page source inspection

- Fixed information disclosure vulnerabilities
  * Database connection errors now logged instead of displayed to users
  * Error messages sanitized to prevent information leakage
  * Prevents attackers from learning database structure or credentials

- Added comprehensive security headers
  * X-Frame-Options: DENY (prevents clickjacking attacks)
  * X-Content-Type-Options: nosniff (prevents MIME type sniffing)
  * Referrer-Policy: strict-origin-when-cross-origin (limits referrer information)
  * Content-Security-Policy with restrictions on script/style sources

- Created centralized security initialization system
  * New /include/security-init.php file for all security configuration
  * Reusable CSRF protection functions: csrf_field(), verify_csrf_token(), require_csrf_token()
  * Automatic session management with secure defaults
  * Easy to maintain and extend security features

Files Modified for Security:
  * /admin/system.php - SQL injection, XSS, IP spoofing, CSRF protection
  * /admin/changepassword.php - SQL injection, IP spoofing, CSRF protection
  * /admin/backup.php - SQL injection, IP spoofing, CSRF protection
  * /admin/hiveconfig.php - Plaintext password removal
  * /include/db-connect.php - Error disclosure prevention
  * /include/security-init.php - NEW FILE with session and CSRF configuration

Security Documentation:
  * SECURITY_AUDIT_2026-01-17.md - Complete vulnerability assessment
  * SECURITY_FIXES_APPLIED_2026-01-17.md - Detailed fix documentation with testing procedures

BUG FIXES:
- Fixed temperature validation to allow valid 0-degree readings
  * Updated all_chart.php to remove != 0 check from temperature validation
  * Temperature values of exactly 0 degrees now display correctly on charts
  * Applies to both hive temperature and weather temperature readings

- Fixed instrumentconfig.php blank screen issue on form submission
  * Added hidden input fields for all 39 required form validation fields
  * Ensures all fields are present in POST data even when conditionally hidden
  * Form now properly validates and reloads instead of showing blank screen

- Fixed siteconfig.php blank screen issue with checkbox validation
  * Added PHP preprocessing to set unchecked checkboxes to empty string
  * Handles 18 checkbox fields: trend lines, chart options, and SHOW_METRIC
  * Unchecked checkboxes now properly pass validation

- Fixed hiveconfig.inc generation failures on fresh installations
  * Removed stub file from git tracking and added to .gitignore
  * Added file size validation (<100 bytes triggers regeneration)
  * Changed INNER JOIN to LEFT JOIN for defensive database queries
  * Added source command to load config variables into shell environment
  * Fixes hive registration failures due to undefined variables (POWER, INTERNET, STATUS, COMPUTER)

- Fixed footer display issues in web interface
  * Corrected malformed HTML structure in footer.php (changed from <nav> to <footer>)
  * Repositioned footer include in index.php for proper rendering
  * Footer now displays correctly with version information

- Fixed FATAL PHP error in weight gauge display
  * Added type checking in weightguage-hc.php before arithmetic operations
  * Implemented is_numeric() validation and floatval() type conversion
  * Prevents "Unsupported operand types: string - string" error in PHP 8+
  * Weight gauges now handle null/non-numeric values gracefully

- Added input validation for Hive Name field
  * Implemented regex validation in setup-wizard.php and hiveconfig.php
  * Pattern /^[a-zA-Z0-9_-]+$/ ensures only letters, numbers, dashes, and underscores
  * Prevents special characters that could cause system issues
  * Validation applied consistently across initial setup and configuration updates

Major Security and Performance Refactoring of currconditions.sh

CRITICAL SECURITY FIXES:
- Fixed SQL injection vulnerability in database operations
  * All variables now properly escaped before insertion into SQLite database
  * Added sql_escape() function to prevent database corruption or manipulation
- Fixed XML injection vulnerability in hivetool.org data sharing
  * All XML output now properly escaped to prevent structure corruption
  * Added xml_escape() function for special character handling
- Improved credential security
  * Documented password exposure issue with recommendation for .netrc file
  * Properly quoted all sensitive variables

ROBUSTNESS IMPROVEMENTS:
- Added set -euo pipefail for fail-fast behavior
  * Script now exits immediately on errors instead of continuing with bad data
  * Undefined variables now cause script to fail rather than silently continue
  * Pipeline failures properly detected and handled
- Comprehensive error handling throughout script
  * All sensor script executions now check for failures
  * Database operations validate success before continuing
  * File existence verified before operations
  * Clear error messages with context for troubleshooting
- Fixed all hardcoded /home/HiveControl paths to use $HOMEDIR variable
  * Script now portable to different installation directories

PERFORMANCE OPTIMIZATIONS:
- Dramatically improved parsing efficiency
  * Reduced 23+ awk calls in weather parsing to single read operation
  * Weight data parsing: 2 awk calls → 1 read operation
  * Temperature data parsing: 4 awk calls → 1 read operation
  * Bee count parsing: 2 awk calls → 1 read operation
  * Air quality parsing: 6 awk calls → 1 read operation
  * Overall ~30-50% performance improvement expected
- Optimized database operations
  * Now uses last_insert_rowid() instead of querying by date
  * More efficient and reliable record ID retrieval

CODE QUALITY IMPROVEMENTS:
- Complete refactoring into modular functions
  * get_hive_weight() - Collect weight data with error handling
  * get_hive_temp() - Collect temperature data with error handling
  * get_bee_count() - Collect bee flight data with error handling
  * get_weather() - Collect weather data with error handling
  * get_lux() - Collect light level data with error handling
  * get_air_quality() - Collect air quality data with error handling
  * Easier to test, maintain, and extend individual components
- Fixed typo: print_seperator → print_separator
- Removed unnecessary clear command
  * Better for cron job execution and log file preservation
- Quoted all variable expansions throughout script
  * Prevents word splitting and globbing issues
  * Handles paths with spaces or special characters correctly
- Safer file operations
  * Changed rm -rf to rm -f for single file deletion
  * Prevents accidental directory deletion if variables are misconfigured
- Fixed uninitialized variable bug in lux collection
- Better exit codes (exit 0 vs exit 1) for proper error signaling

DOCUMENTATION:
- Added comprehensive REFACTOR_NOTES.md with:
  * Detailed explanation of all changes
  * Security vulnerability descriptions and fixes
  * Testing recommendations and edge cases
  * Migration notes for existing installations
  * Performance benchmarking guidance
  * Future enhancement recommendations

BACKWARD COMPATIBILITY:
- ALL original functionality preserved
- No breaking changes to configuration files
- Database schema unchanged
- Output format maintained (except enhanced error messages)
- Integration with external scripts fully compatible

Version updated: 2025042101 → 2026011704
Script size: 287 lines → 470 lines (due to proper error handling and functions)

BUG FIXES (Post-Release):
- Version 2026011702: Fixed unbound variable errors with TIMEZONE and UTC
  * Moved set -eo pipefail after config file loading
  * Added default values for TIMEZONE and UTC variables
  * Changed from -euo to -eo pipefail for compatibility with check.inc
- Version 2026011703: Fixed script termination on sensor failures
  * Added || true to all sensor collection function calls
  * Allows script to continue even when individual sensors fail
  * Ensures data from working sensors is still collected and stored
- Version 2026011704: Fixed WeatherFlow error handling
  * Fixed getWeatherFlowLocal.sh to handle missing data gracefully
  * Added 2>/dev/null to all bc and jq commands to suppress error messages
  * Returns null CSV format when no weather data available
  * Added default values for all numeric variables before calculations
  * Prevents bc "syntax error" when variables are empty

WEATHER STATION FIX:
- Updated getWeatherFlowLocal.sh (Version 6 → 7)
  * Fixed error cascade when WeatherFlow Tempest station not broadcasting
  * Suppressed "syntax error" messages from bc calculator
  * Added early exit with null values when no data received
  * Added validation checks before mathematical operations
  * Improved error logging specificity (WeatherFlow vs AmbientWeather)

This release represents a major upgrade in security, reliability, and maintainability while
maintaining full backward compatibility with existing HiveControl installations.

--------------------
2.09 Release
--------------------
- Fixed legacy OS issues with Expired LetsEncrypt CA Root Cert
- Fixed hx711calibrate.sh script to only collect valid entries when trying to help you calculate zerp/slope values

--------------------
2.08 Release
--------------------
- Added a retry function to GetWeight to reduce the random zero values when trying to get weight

--------------------
2.07 Release
--------------------
- Added support for OurWeather station for jhalt/Duncan

--------------------
2.05 - 2.06 Release
--------------------
- Added support for WeatherFlow Tempest Weather Station, if the station is on same network as your hives. We use the UDP broadcast here. Future will support their API.
- Fixed AmbientWeather.net script that was causing errors, sorry about that.

--------------------
2.00 Release
--------------------
- Added support for BroodMinder BLE Temp/Humidity sensor (Wireless) 

--------------------
1.99 Release
--------------------
- Added support for BME280 Temp/Humidity/Pressure sensor (if using HiveTool Sensore board, use the LUX TS2591 I2C jack, or attach to PINs on side of board)
	- Thank you to Davey Rance for the sensor donation

--------------------
1.98 Release
--------------------
- Added support for Raspberry PI 4 hardware

--------------------
1.97 Release
--------------------
- Added a way to configure the air monitors - sorry, you'll have to go purpleair.com and find the id at the moment

--------------------
1.96 Release
--------------------
- Slight fixes to the last release, mostly update scripts and some getair error checking.

--------------------
1.95 Release
--------------------
- Hiveconfig.sh now makes sure that code version number is correct in the database
- Added Support for Air Quality Monitors, specifcally PurpleAir. You can select the closet PurpleAir Station.
	Your hive must be able to reach the Internet to config AND to pull the data. (Note, not configuratble via the UI until the next version)
- If the LocalHive Updates Hivecontrol.org, we no longer clear the values in hivecontrol.org for things the local hive doesn't configure.
- Certain Hive Config items are ONLY configurable now at HiveControl.org. This makes our development efforts easier, so we aren't coding in two languages in two places. 
	- bee_race
	- bee_source
	- hive_type
	- hive_status
	- queen_start
	- queen_color
- Aligned Timezone fields between LocalHive and Hivecontrol.org - stops the overwriting with invalid options


--------------------
1.94 Release
--------------------
HiveControl - Local Hive
- Fixed cloud.inc send file to stop converting all weather station dates, and moved that into AmbientWeather.sh
- Fixed Icon Size for Weight icon, thanks ptegler for the report

--------------------
1.93 Release
--------------------
HiveControl - Local Hive
- Removed the API calls to WXunderground, because IBM are jerks and no longer provide community weather data
- Reverted WXUnderground to pull XML since they still allow that, based on request from ptegler

--------------------
1.92 Release
--------------------

HiveControl.org
- Ability to filter hives and yards based on status
- Fixed the charts for hives that send data - now shows on individual hive pages
- Fixed the ability for hives to send proper data


HiveControl - Local Hive
- Added Version Footer, so you can easily see what version each hive is running.

- Weather (Outside Temp/Humidity/Solar/Wind, etc)
	1. WeatherUnderground was bought by IBM, so no longer allows API access to the data YOU give them! - Currently leaving option to select
	2. Added Support for AmbientWeather.net (since they discontinued local access for their weather stations)
- HiveTemp/Humidity Sensors
	1. Added support for SHT31-D (if using HiveTool Dev board, use the LUX TS2591 I2C jack, or attach to PINs on side of board)
		See HiveControl wiki for instructions
	2. Added support for BME680 (if using HiveTool Dev board, use the LUX TS2591 I2C jack, or attach to PINs on side of board)
		See HiveControl wiki for instructions
- OS Updates
	1. Forced all hives to upgrade/update packages

-  Added/Fixed script to connect and register with hivecontrol.org
-  Added functions to sync hivecontrol.net and the local hive configuration files, this will help if you need to rebuild a hive



--------------------
1.91 Release
--------------------

- HiveControl.net
	1. Added/Fixed script to connect and register with hivecontrol.org
	2. Added functions to sync hivecontrol.net and the local hive configuration files, this will help if you need to rebuild a hive

- Added Version Footer, so you can easily see what version each hive is running.

--------------------
1.90 Release
--------------------
- Weather (Outside Temp/Humidity/Solar/Wind, etc)
	1. WeatherUnderground was bought by IBM, so no longer allows API access to the data YOU give them! - Currently leaving option to select
	2. Added Support for AmbientWeather.net (since they discontinued local access for their weather stations)
- HiveTemp/Humidity Sensors
	1. Added support for SHT31-D (if using HiveTool Dev board, use the LUX TS2591 I2C jack, or attach to PINs on side of board)
		See HiveControl wiki for instructions
	2. Added support for BME680 (if using HiveTool Dev board, use the LUX TS2591 I2C jack, or attach to PINs on side of board)
		See HiveControl wiki for instructions
- OS Updates
	1. Forced all hives to upgrade/update packages


--------------------
1.84-89 Release
--------------------
1. Focused on minor fixes and supporting Debian OS upgrades


--------------------
1.83 Release
--------------------
1. Added support for the temper, minus the hum sensors.


--------------------
1.81 Release
--------------------
1. Changed diskspace output in systemstatus to show human readable format
2. Fixed an issue with Crontab not installing during install
3. Created an install image, since unix noobs couldn't figure out how to install without it.
	- Resizes hard disk on first install
	- Doesn't include automatic hive registration or default sharing with hivetool, since if you share with hivetool without them expecting, you'll be locked out.
4. Added support for TSL2561 for David


--------------------
1.80 Release
--------------------
Wow, we did a lot of rework and found a few bugs in the process
1. You can now read the sensors on demand from the Instrument Config Admin
2. Fixed the Weight trend for the "Today" time period
3. Fixed when the WS1400 timed out
4. Fixed Ambient Temp Scripts to deal with errors when collecting data (such as WX offline, or the local sensor not working)
5. Fixed Currentconditions to show NA when it can't get a good reading
6. Changed the charts to end the line connecting points when mising data
7. Overhauled the scripts to output "null" instead of zero, showing better accuracy when we actually have a zero 
8. Simplified the currconditions.sh script by moving each set of sensor code into their own scripts, called by currconditions
9. Fixed the problem that if you disabled a sensor, it cleared all configuration entries (really sucked for the weight sensors, as it was hard to recalibrate a live hive)
10. Changed the upload to hivetool.org for the Ambient Weather - now uses XML instead of the key (key still needed) - but will reduce the amount of overages you get. Still best to get a key per hive.


--------------------
1.72 Release
--------------------
1. Changed Database table allhive to default to 0 if we don't get a value.
2. Fixed Tick Marks on main chart
3. Changed the way we start pigpiod - init.d wasn't working for us, for some reason and the author suggested adding to cron @reboot
4. Fixed systemadmin page "RemoveZero" humidity actually removed ALL data.


--------------------
1.70 Release Hotfix
--------------------
1. Added a service called pigpiod (needed so when reboots happen)

--------------------
1.69 Release Hotfix
--------------------
2. Fixed pressure_in check - we referenced the wrong value, thus invalidating the check itself, allowing "----" to be inserted into our DBs.

--------------------
1.68 Release Notes
--------------------
Major changes here. We were having stability problems with the wiringPI DHT code. We've switched to pigpio. 
1. New pigpio DHT based code, seems more stable and reliable that lol_dht/wiringPI based code. It was also causing a conflict when we were running our beecounter service.
2. New HX711 Python code, to leverage pigpio code base
3. Fixed page refresh after running calibration wizard to show new value on intstrument page 


--------------------
1.67 Release Notes
--------------------
1. Fixed today option to show full day and use local timezone.


--------------------
1.66 Release Notes
--------------------
1. Added Today Option to all charts that show's all data since 12midnight local time.


--------------------
1.65 Release Notes
--------------------
1. Fixed Weather Pages to Show Metric (since we did it other places)


--------------------
1.64 Release Notes
--------------------
1. Fixed problem with ClearLogs in System Commands page (it wouldn't clear the logs)
2. Added ceiling and floor to humidity charts.
3. Fixed hidden error when default theme was set (no one noticed, but it was there)
4. Fixed background highcharts error where it was complaining about the data not being in order. 
5. Added an option to Pause Data Collection
6. Moved Logs menu item to default system.php page, to consolidate.
7. Fixed 401 error page not displaying


--------------------
1.63 Release Notes
--------------------
1. Fixed erorr where daily pollen count wouldn't run from cron because of a relative path defined.
2. Added a check for Locked file when running the DHT22 code
3. Removed the option to change running directory. (not needed)
4. Removed NASA ID, as that project seems dead.
5. Moved Weeather Instrument config to the Instruments page (for Nate)
6. Added option to specify IP address of your WS1400ip, if you are using (cuz Nate bought one)
7. Added SystemStatus option, because people liked that feature on Hivetool v1 code.

--------------------
1.62 Release Notes
--------------------
1. Implemented first version of Beecounter code, it's a large install.
	Going forward, it'll be an option included in the install.sh script
	The upgrade.sh won't install it automatically, you'll have to follow the instructions to get it setup.

--------------------
1.61 Release Notes
--------------------
1. Fixed unexpected error in currconditions.sh


--------------------
1.60 Release Notes
--------------------
1. Fixed a rare condition in that if you entered a decimal without a leading 0, HX711 would error out. We now check for that.
2. Added duplicate checking to database to disallow two hiveconfig rows with an ID of zero, just an added error check.
3. Added XRDP support during the install (you have to specify it though with -x if you want it) - Added for the folks who don't know how to enable it on their own.
4. Added TouchScreen Support for those that run the GUI Desktop, and can't install matchbox by themselves, use -k when installing to enable - example ./install.sh -k
5. Added the ability to "save on click" for all the forms, eliminating the save button. Fixes the problem of having to hit save to get the second set of options.
6. Changed Rain Trend to a Area Chart, instead of a bar.
7. Add rain to hive activity detail chart
8. Changed GDD Chart to be Area in Detail views
9. Added Pollen values to the GDD Detail chart
10. Fixed Current Conditions Metric Trend Calc error
11. Added field validation to hivebodyconfig.php


--------------------
1.59 Release Notes
--------------------

1. Disallow negative numbers in the check function in the main shell scripts. This protects if a instrument gives us a negative value.
2. Added check for negative in IN_COUNT/OUT_COUNT for future support of beecounter code.
3. Actually commited the check.inc file.


--------------------
1.58 Release Notes
--------------------
1. Added index.html to /admin page.
2. Fixed All_charts flight color misspelling of variable.
3. Finished Weight Calibration Wizard feature for HX711 (the majority of our users)
4. Fixed a bug in DHT22.sh
5. Fixed getpollen script to use pollen.com, instead of Claritin
6. Fixed issue with Install script, it wasn't inserting the default values after install, causing improper startup.
7. Added "date/time to currentconditions.php so we know how current the data is (even though we have the option to show red, when the data is older than 5 minutes)."
8. Added 5 minute refresh of index.php, so we can watch our charts all day long!
9. Added check.inc function to check if we get an invalid figure for an expected value. Mainly for when the weather script returns pressure of ----