The compositing quality story hit its capstone: smart auto-stretch with histogram analysis and per-channel controls (#688/#1206) is finally merged. Same day shipped the production Docker service-name defaults, hardened mosaic generation against enumeration, migrated to photutils 3.0, and cleared a 17-PR Dependabot backlog in one sitting.
Thirteen-PR security and correctness blitz — auth rate limiting, account lockout, user enumeration prevention, data enumeration prevention across analysis and composite endpoints, NaN and empty-input guards across the processing pipeline, and a handful of race-condition and validation bugs.
Landed the security quick-wins bundle (password complexity, private-by-default for targets, proxy trust config), hardened the Dependabot pipeline, and merged the React 19.2.5 bump along with a clutch of smaller dep bumps.
Ripping out the last of the hardcoded dev credentials, wiring the JWT secret through docker-compose, gating auth debug logs behind a development flag, and sanitizing the remaining places that were returning raw ex.Message to clients.
Three small security-adjacent bug fixes — the FITS validator was loading the whole file before checking the size, the JWT middleware was swallowing validation failures silently, and a region endpoint was using assert for user input validation. Plus TypeScript 6 and a pile of feature ideas from the MAST Users Group winter report.
Heavy security-infrastructure day — added the .NET exception hierarchy with centralized error middleware, security headers middleware on the gateway, gitleaks secret scanning in pre-commit and CI, plus the Claude Code GitHub workflow, a narrowed exception swallow in FITS save, and a full dependabot drop.
Massive infrastructure day. The composite pipeline got streaming reprojection to stop loading entire FITS files into memory, auto-stretch parameters learned to compute themselves from channel statistics, and a security audit scrubbed hardcoded paths and AWS IDs from the codebase.