ANetBBS Changelog

Versions are internal build numbers. Public releases are tagged
separately. Current release: v1.0b2.33 (July 2026). Full release: August 1 2026.

v1.0a2.214 — HACKERS theme: secret "Hack the Planet" easter egg modal (July 2026)

  • HACKERS (1995) theme: "HACK THE PLANET" in the navbar is now a clickable secret link.
    Opens a tribute modal with the full crew roster (Zero Cool, Acid Burn, Crash Override,
    Cereal Killer, Lord Nikon, Phantom Phreak, The Plague), iconic movie quotes, a heartfelt
    tribute paragraph, and a typewriter terminal that types "HACK THE PLANET / ACCESS GRANTED".
    Rainbow-animated title, lime-green crew handles, blinking cursor. Closes with [ LATER, HACKER ].

v1.0a2.213 — Two epic themes: VOID SIGNAL + HACKERS (1995) (July 2026)

  • New built-in theme: VOID SIGNAL ◈ — Triple neon (electric green + cyan + magenta) on
    pure black. Full-page CRT scanlines, moving phosphor beam sweep, animated brand glitch,
    cycling card border stripe, neon glow buttons, animated rainbow footer sweep line.
  • New built-in theme: HACKERS (1995) ◈ — Neon violet + lime + cyan on black. For those
    who ride the information superhighway. Rainbow cycling navbar border, full rainbow brand
    glitch animation, rainbow card top stripe, rotating footer sweep, "HACK THE PLANET"
    navbar watermark. Orbitron font, all-caps labels throughout.
  • Both themes seeded automatically on first run / upgrade — no manual step needed.
  • Base template now supports an extended stylesheet marker (--theme-stylesheet) in any
    theme's CSS variables, enabling full layout/animation overrides beyond color vars.

v1.0a2.212 — Fix casino wallet saves; fix stale door game sessions (July 2026)

  • Casino wallet saves now work: CSRF token was being read from a cookie that doesn't
    exist (token lives in <meta name="csrf-token">). Every POST was silently rejected with
  • All 4 casino templates fixed.
  • Door game WebSocket disconnect now calls terminate_session() so sessions end when
    the browser tab closes or disconnects.
  • On startup, any game sessions still marked active from before the previous restart are
    automatically marked stale (in-memory PTY state is gone after restart).
  • Admin → Game Sessions now has a "Terminate All" button for bulk cleanup.

v1.0a2.211 — Web casino games: persistent wallet + weekly reset + leaderboard (July 2026)

Blackjack, Slots, Video Poker, and Hold'em now have a persistent wallet. Balance
carries between sessions and resets every Monday. If you hit zero, play locks until
the next weekly reset. Peak balance posts to the leaderboard. Starting amounts are
configurable per-game in Admin → Settings (CASINO_BLACKJACK_START,
CASINO_SLOTS_START, CASINO_VIDEOPOKER_START, CASINO_HOLDEM_START).

v1.0a2.210 — Fix upgrade checker error when REGISTRY_URL is not configured (July 2026)

Admin → Upgrades no longer shows a MissingSchema error when REGISTRY_URL is not set. It now shows "upstream not configured" instead.

v1.0a2.209 — Menu admin: add imsg / imsg_send / rss to action-type dropdown (July 2026)

v1.0a2.207 — Terminal MRC fixes; QWK blank-body diagnostic (July 2026)

  • Terminal /afk [msg] now sends AFK (not STATUS AFK), so the away message is visible to other chatters
  • Terminal /back now sends BACK instead of STATUS AFK
  • Fixed rate-limit error when sending first message after returning from AFK
  • Tab-complete now tracks users who join after you (USERIN/USEROUT/USERLIST/USERNICK parsed); from_user field used for nick tracking on chat messages
  • /chatters now sends CHATTERS (all rooms); /who//whoon send WHOON (current room)
  • QWK inbound: warning log when body is blank (first 256 raw bytes logged for diagnosis)
  • Admin: autocomplete="new-password" on QWK password field

v1.0a2.206 — Fix dosemu2 conf written to /tmp (July 1 2026)

dosemu2 temp files (conf and COM1 PTS path) were hardcoded to /tmp/. On
servers with restricted /tmp/ permissions the door failed immediately with
"Permission denied" before dosemu2 even launched. Both paths now use
temp_root() (<DATA_DIR>/temp/) which the service user always owns.

v1.0a2.205 — Fix menu hotkey duplication on update (July 1 2026)

seed_default_menus() ran on every startup and backfilled any default hotkey
not present in the sysop's menu. When a sysop rebound a hotkey (e.g. changed
MA for Message Boards), the original M was seen as "missing" and a
second Message Boards entry was added — causing duplicates on every update.

Fix: backfill now checks by (action_type, action_args) instead of hotkey.
If a menu already has a boards action (regardless of what key it's bound to),
no new boards item is added. Truly new features added in new releases still
backfill automatically, as long as their hotkey doesn't conflict.

v1.0a2.204 — Remove ANetCRAFT Enhanced and RDQ3 from release (July 1 2026)

  • Removed ANetCRAFT Enhanced web game: WEB_GAMES entry deleted from games/web_games.py,
    templates/games/web/anetcraft_enhanced.html deleted.
  • Removed Red Dragon Quest 3 door (doors/mystic/rdq3/) from the release package.

v1.0a2.203 — Beta release: package cleanup, REGISTRY_URL fix, docs update (July 1 2026)

  • REGISTRY_URL default changed from hardcoded hub URL to empty string. Sysops opt in to
    federation by setting REGISTRY_URL in Admin → Settings or .env. Preflight check now
    reports "not configured" instead of silently contacting an external host.
  • mrc/bridge/config.example.json: bridge_bbs changed to generic placeholder.
  • CHANGELOG v1.0a2.200 entry: removed internal tooling note.
  • README: status updated from alpha 2 to beta; removed broken doc link.

v1.0a2.202 — Auto-ban; IP whitelist; GeoIP country blocking; wiki edit gate (June 25 2026)

Security hardening and anti-spam protections.

  • Auto-ban: When the login rate limiter trips (10 attempts in 5 min), the source IP is
    permanently written to the IpBan table automatically — no sysop action needed. Visible and
    removable from Admin → IP Bans like any manual ban. Auto-bans have no expiry by default.
  • IP whitelist (Admin → IP Whitelist): New table ip_whitelist. Entries bypass all
    ban checks AND GeoIP country blocks. Use for sysop home IPs, trusted peers, and VPN exit
    nodes. Supports single IPs and CIDR ranges.
  • Country blocking: Set BLOCKED_COUNTRIES=CN,RU,KP (comma-separated ISO codes) in
    Admin → Settings. Blocks login and registration from listed countries. Uses
    ip-api.com — free, no registration, no download, no API key. Results
    cached in-memory for 1 hour so repeated login attempts don't add latency. Fails open
    (lookup error = allow) so a network hiccup never locks out users. Whitelisted IPs are exempt.
  • fail2ban configs (deploy/fail2ban/): Filter (filter.d/anetbbs-web.conf) matches
    nginx 429 responses on /auth/login. Jail (jail.d/anetbbs-web.conf) bans after 3 hits
    in 10 min for 24 h, covering ports 80, 443, 2233, 2234. Belt-and-suspenders on top of the
    in-process auto-ban above.
  • Wiki edit gate: New users must have at least 5 posts and a 3-day-old account before
    editing any wiki page. Configurable via WIKI_MIN_POSTS and WIKI_MIN_DAYS in Admin →
    Settings (set to 0 to disable). Admins are always exempt. Message tells the user exactly
    what requirement they don't yet meet.
  • New settings in Admin → Settings: BLOCKED_COUNTRIES, WIKI_MIN_POSTS, WIKI_MIN_DAYS.

v1.0a2.201 — Theme edit/delete; MSP toggle in Admin Settings (June 25 2026)

Theme management is now fully self-service from the admin UI.

  • Admin → Themes: Delete button added for each theme. The default theme's delete button is
    disabled (can't remove the fallback). A browser confirm dialog guards against accidents.
    Any users who had the deleted theme selected are automatically migrated to the system default.
  • Theme Builder: existing-themes table now has Edit and Delete action buttons alongside each
    row — no need to navigate away to Admin → Themes just to fix a name or remove a test theme.
  • Admin → Settings: MSP_ENABLED and MSP_PORT are now listed under Editable Settings.
    Sysops can toggle MSP (inter-BBS instant messaging, RFC 1312) on or off and change the port
    without editing .env manually. Flagged as requires-restart so the UI reminds you.

v1.0a2.200 — File areas manage page; echomail admin polish (June 25 2026)

  • File areas: new manage.html template for per-area file management.
  • Echomail admin network_form.html: UI improvements.
  • ANetCRAFT web game: anetcraft_enhanced.html template added.
  • QWK outbound diagnostics removed (verbose body hex dump + /tmp REP copy introduced in
    v1.0a2.198 no longer needed after confirmed fix).

v1.0a2.199 — QWK outbound: fix \r in body + MSGID space truncation (June 2026)

Two bugs in _build_rep_packet confirmed by hex-dumping the REP file:

  1. \r bytes left in body — body encoding converted \n\xe3 but left \r from
    Windows \r\n line endings, producing \r\xe3 instead of bare \xe3 throughout.
    Fix: replace \r\n first, then lone \r, then \n.

  2. MSGID space → Synchronet dupe truncation — auto-generated MSGID was
    ANETBBS_<hash> <timestamp>. Synchronet's qwk_import_msg calls truncstr(p, " ")
    on the MSGID, storing only ANETBBS_<hash>. That truncated stub is identical on every
    re-upload of the same message → dupe detection silently drops it.
    Fix: use underscore separator → ANETBBS_<hash>_<timestamp>.

Outbound messages to Dove-Net/vert.synchro.net confirmed working after this fix.