vazra · vazra · Apr 30, 2026 · Apr 30, 2026 · Apr 30, 2026 · Apr 30, 2026
diff --git a/docs-site/src/content/docs/blog/2026-04-06-v1-0-0.md b/docs-site/src/content/docs/blog/2026-04-06-v1-0-0.md
@@ -0,0 +1,50 @@
+---
+title: SimpleDeploy 1.0.0
+date: 2026-04-06
+authors:
+  - name: SimpleDeploy maintainers
+    title: Project team
+    picture: https://github.com/vazra.png
+    url: https://github.com/vazra/simpledeploy
+excerpt: First public release. One Go binary, Docker Compose apps on a VPS with HTTPS, metrics, backups, alerts, and a dashboard.
+tags:
+  - release
+---
+
+The 1.0.0 cut. Everything needed to run a small fleet of Compose apps on a single VPS, in one binary.
+
+## What's in the box
+
+- **CLI + API server.** `simpledeploy serve` runs the daemon; the CLI talks to it locally or remotely with context switching (`simpledeploy context`).
+- **Reconciler.** Drops a `compose.yml` in the apps directory and SimpleDeploy applies it. A directory watcher with debounce handles edits.
+- **Embedded Caddy.** Reverse proxy is built in, programmatic config (no Caddyfile), with custom modules for per-domain rate limiting and request metrics.
+- **SQLite + WAL store.** Apps, deploys, users, API keys, app access, metrics, request stats, alerts, webhooks, backups, all in one local file.
+- **Auth.** Passwords (bcrypt), JWT sessions, API keys with scopes, per-app access middleware, login rate limiting.
+- **Metrics.** System and container stats collector, buffered batch writer, tiered rollup and pruning, query API.
+- **Request stats.** Caddy module records every request; tiered rollup powers the dashboard charts.
+- **Backups.** Strategies and targets with a scheduler, configs and run history in the store, CLI commands.
+- **Alerts.** Rule evaluator, webhook dispatch with built-in templates, history.
+- **Svelte dashboard.** Embedded in the Go binary. Login, app list, app detail with charts and live logs, deploy/remove flows, backups page, alerts page, user management.
+- **Log streaming.** Process stdout/stderr through a ring buffer, exposed live over WebSocket and the CLI.
+
+## Install
+
+Homebrew tap:
+
+```bash
+brew install vazra/tap/simpledeploy
+```
+
+APT:
+
+```bash
+curl -fsSL https://vazra.github.io/apt-repo/key.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/simpledeploy.gpg
+echo "deb [signed-by=/etc/apt/keyrings/simpledeploy.gpg] https://vazra.github.io/apt-repo stable main" | sudo tee /etc/apt/sources.list.d/simpledeploy.list
+sudo apt update && sudo apt install simpledeploy
+```
+
+Or grab a tarball from [GitHub Releases](https://github.com/vazra/simpledeploy/releases/tag/v1.0.0).
+
+## Where to start
+
+`simpledeploy serve`, point a browser at the dashboard, complete first-time setup, and deploy your first compose app from the UI or via `simpledeploy apply`.
diff --git a/docs-site/src/content/docs/blog/2026-04-07-v1-1-0.md b/docs-site/src/content/docs/blog/2026-04-07-v1-1-0.md
@@ -0,0 +1,20 @@
+---
+title: SimpleDeploy 1.1.0
+date: 2026-04-07
+authors:
+  - name: SimpleDeploy maintainers
+    title: Project team
+    picture: https://github.com/vazra.png
+    url: https://github.com/vazra/simpledeploy
+excerpt: Patch release fixing the goreleaser pipeline so artifacts publish cleanly.
+tags:
+  - release
+---
+
+Quick follow-up to 1.0.0 to fix the release pipeline.
+
+### Bug fixes
+
+- Reset git state after the UI build so goreleaser doesn't see a dirty tree and skip publishing.
+
+No code or behavior changes for users. Upgrade only if you're scripting against the latest tag.
diff --git a/docs-site/src/content/docs/blog/2026-04-08-v1-2-0.md b/docs-site/src/content/docs/blog/2026-04-08-v1-2-0.md
@@ -0,0 +1,21 @@
+---
+title: SimpleDeploy 1.2.0
+date: 2026-04-08
+authors:
+  - name: SimpleDeploy maintainers
+    title: Project team
+    picture: https://github.com/vazra.png
+    url: https://github.com/vazra/simpledeploy
+excerpt: Patch release. CGO disabled for cross-compilation so Linux ARM64 and macOS builds publish.
+tags:
+  - release
+---
+
+Second follow-up to 1.0.0.
+
+### Bug fixes
+
+- Disable CGO for cross-compilation. Linux ARM64 and macOS arm64/amd64 binaries now build cleanly under goreleaser.
+- Reset git state after UI build (carried over from 1.1.0).
+
+This is the recommended 1.x baseline until [1.3.0](/blog/2026-04-30-v1-3-0/).
diff --git a/docs-site/src/content/docs/blog/2026-04-30-v1-3-0.md b/docs-site/src/content/docs/blog/2026-04-30-v1-3-0.md
@@ -0,0 +1,82 @@
+---
+title: SimpleDeploy 1.3.0
+date: 2026-04-30
+authors:
+  - name: SimpleDeploy maintainers
+    title: Project team
+    picture: https://github.com/vazra.png
+    url: https://github.com/vazra/simpledeploy
+excerpt: Big release. Backups v2, multi-endpoint routing, local TLS, realtime UI, and a sweeping security pass.
+tags:
+  - release
+---
+
+1.3.0 is the first release since 1.2.0 and it's a large one. Hundreds of commits, much of it focused on making SimpleDeploy safer to put on a public IP, plus three feature areas worth calling out.
+
+Full notes: [CHANGELOG](https://github.com/vazra/simpledeploy/blob/main/CHANGELOG.md).
+
+## Backups v2
+
+The backup subsystem was rewritten end to end.
+
+- Six built-in strategies (sqlite, postgres, mysql, files, docker volumes, custom command), each behind the same interface.
+- New scheduler with hot-reload, retention rules, pre/post lifecycle hooks, and a pipeline processor.
+- Target detection so the dashboard can suggest the right strategy for each app.
+- Per-backup checksum verification.
+- A `BackupWizard` in the UI walks non-technical users through configuration in four steps.
+- Per-app `Backups` tab and a `BackupHealthCard` on the dashboard.
+- Backup events flow through the alert system, so a failed nightly snapshot can page you the same way a downed app does.
+
+Existing backups are migrated automatically.
+
+## Multi-endpoint routing and local TLS
+
+The reverse proxy gained two long-requested capabilities.
+
+- **Multi-endpoint apps.** A single app can publish more than one domain, each routed to a different service. No more splitting an app across compose stacks just to expose two hostnames.
+- **Local TLS mode.** Caddy's internal issuer can now sign certs for local development or air-gapped installs. The dashboard exposes a trust page with a one-click CA download so a fresh laptop trusts the install in under a minute.
+- **Shared `simpledeploy-public` network** with container-IP upstreams, removing the host-port hop for proxied traffic.
+
+## Realtime UI
+
+The dashboard is now event-driven.
+
+- A notify-only WebSocket bus (`GET /api/events`) streams state changes; REST stays the source of truth.
+- Live terminal output for deploys, restores, and other long-running actions through a new `ActionModal`.
+- Inline scale controls, activity feed, alert history with active-only toggle, deploy-version delete, and a degraded-app status badge.
+
+## Security hardening
+
+A coordinated pass closed a long list of issues found during a security review. Highlights:
+
+- JWT signing key derived per install via HKDF from `master_secret`, plus server-side invalidation via token version.
+- Login lockout rekeyed to `(user, ip)` and CIDR-aware trusted-proxy handling.
+- Management dashboard binds to `127.0.0.1` by default; published app ports pin to `127.0.0.1` unless explicitly public.
+- WebSocket Origin checks, periodic re-auth on long-lived streams, capped frame sizes on log/deploy streams.
+- Per-handler request body limits, panic-recovery middleware, slowloris defenses (`ReadHeaderTimeout`, `IdleTimeout`).
+- CSP on the SPA, default security headers injected by Caddy.
+- Backup restore validates the tar stream and caps gzip decompression to block compression bombs.
+- Compose validation expanded to cover container-escape vectors, applied in both deploy and reconciler scan paths.
+- Webhook SSRF DNS-rebinding window closed; reserved-IP filter expanded.
+- Audit rows recorded for rollback, profile self-update, and gitsync config changes; preserved across app purge.
+- Tighter file modes for secrets and app config; hardened `simpledeploy.service` systemd unit.
+
+A full security architecture and threat model now live in [`SECURITY.md`](https://github.com/vazra/simpledeploy/blob/main/SECURITY.md) and the contributor docs.
+
+## Upgrade
+
+Homebrew:
+
+```bash
+brew update && brew upgrade simpledeploy
+```
+
+APT:
+
+```bash
+sudo apt update && sudo apt install --only-upgrade simpledeploy
+```
+
+Binary tarball: [GitHub Releases](https://github.com/vazra/simpledeploy/releases/tag/v1.3.0).
+
+No manual migration steps. Backup v2 migrates on first start; existing schedules keep running.