ANetBBS Changelog
Versions are internal build numbers. Public releases are tagged
separately. Current release: v1.0b2.33 (July 2026). Full release: August 1 2026.
v1.0a2.214 — HACKERS theme: secret "Hack the Planet" easter egg modal (July 2026)
- HACKERS (1995) theme: "HACK THE PLANET" in the navbar is now a clickable secret link.
Opens a tribute modal with the full crew roster (Zero Cool, Acid Burn, Crash Override,
Cereal Killer, Lord Nikon, Phantom Phreak, The Plague), iconic movie quotes, a heartfelt
tribute paragraph, and a typewriter terminal that types "HACK THE PLANET / ACCESS GRANTED".
Rainbow-animated title, lime-green crew handles, blinking cursor. Closes with [ LATER, HACKER ].
v1.0a2.213 — Two epic themes: VOID SIGNAL + HACKERS (1995) (July 2026)
- New built-in theme: VOID SIGNAL ◈ — Triple neon (electric green + cyan + magenta) on
pure black. Full-page CRT scanlines, moving phosphor beam sweep, animated brand glitch,
cycling card border stripe, neon glow buttons, animated rainbow footer sweep line. - New built-in theme: HACKERS (1995) ◈ — Neon violet + lime + cyan on black. For those
who ride the information superhighway. Rainbow cycling navbar border, full rainbow brand
glitch animation, rainbow card top stripe, rotating footer sweep, "HACK THE PLANET"
navbar watermark. Orbitron font, all-caps labels throughout. - Both themes seeded automatically on first run / upgrade — no manual step needed.
- Base template now supports an extended stylesheet marker (
--theme-stylesheet) in any
theme's CSS variables, enabling full layout/animation overrides beyond color vars.
v1.0a2.212 — Fix casino wallet saves; fix stale door game sessions (July 2026)
- Casino wallet saves now work: CSRF token was being read from a cookie that doesn't
exist (token lives in<meta name="csrf-token">). Every POST was silently rejected with - All 4 casino templates fixed.
- Door game WebSocket disconnect now calls
terminate_session()so sessions end when
the browser tab closes or disconnects. - On startup, any game sessions still marked
activefrom before the previous restart are
automatically markedstale(in-memory PTY state is gone after restart). - Admin → Game Sessions now has a "Terminate All" button for bulk cleanup.
v1.0a2.211 — Web casino games: persistent wallet + weekly reset + leaderboard (July 2026)
Blackjack, Slots, Video Poker, and Hold'em now have a persistent wallet. Balance
carries between sessions and resets every Monday. If you hit zero, play locks until
the next weekly reset. Peak balance posts to the leaderboard. Starting amounts are
configurable per-game in Admin → Settings (CASINO_BLACKJACK_START,
CASINO_SLOTS_START, CASINO_VIDEOPOKER_START, CASINO_HOLDEM_START).
v1.0a2.210 — Fix upgrade checker error when REGISTRY_URL is not configured (July 2026)
Admin → Upgrades no longer shows a MissingSchema error when REGISTRY_URL is not set. It now shows "upstream not configured" instead.
v1.0a2.209 — Menu admin: add imsg / imsg_send / rss to action-type dropdown (July 2026)
v1.0a2.207 — Terminal MRC fixes; QWK blank-body diagnostic (July 2026)
- Terminal
/afk [msg]now sendsAFK(notSTATUS AFK), so the away message is visible to other chatters - Terminal
/backnow sendsBACKinstead ofSTATUS AFK - Fixed rate-limit error when sending first message after returning from AFK
- Tab-complete now tracks users who join after you (
USERIN/USEROUT/USERLIST/USERNICKparsed);from_userfield used for nick tracking on chat messages /chattersnow sendsCHATTERS(all rooms);/who//whoonsendWHOON(current room)- QWK inbound: warning log when body is blank (first 256 raw bytes logged for diagnosis)
- Admin:
autocomplete="new-password"on QWK password field
v1.0a2.206 — Fix dosemu2 conf written to /tmp (July 1 2026)
dosemu2 temp files (conf and COM1 PTS path) were hardcoded to /tmp/. On
servers with restricted /tmp/ permissions the door failed immediately with
"Permission denied" before dosemu2 even launched. Both paths now use
temp_root() (<DATA_DIR>/temp/) which the service user always owns.
v1.0a2.205 — Fix menu hotkey duplication on update (July 1 2026)
seed_default_menus() ran on every startup and backfilled any default hotkey
not present in the sysop's menu. When a sysop rebound a hotkey (e.g. changed
M → A for Message Boards), the original M was seen as "missing" and a
second Message Boards entry was added — causing duplicates on every update.
Fix: backfill now checks by (action_type, action_args) instead of hotkey.
If a menu already has a boards action (regardless of what key it's bound to),
no new boards item is added. Truly new features added in new releases still
backfill automatically, as long as their hotkey doesn't conflict.
v1.0a2.204 — Remove ANetCRAFT Enhanced and RDQ3 from release (July 1 2026)
- Removed ANetCRAFT Enhanced web game: WEB_GAMES entry deleted from
games/web_games.py,
templates/games/web/anetcraft_enhanced.htmldeleted. - Removed Red Dragon Quest 3 door (
doors/mystic/rdq3/) from the release package.
v1.0a2.203 — Beta release: package cleanup, REGISTRY_URL fix, docs update (July 1 2026)
REGISTRY_URLdefault changed from hardcoded hub URL to empty string. Sysops opt in to
federation by settingREGISTRY_URLin Admin → Settings or.env. Preflight check now
reports "not configured" instead of silently contacting an external host.mrc/bridge/config.example.json:bridge_bbschanged to generic placeholder.- CHANGELOG v1.0a2.200 entry: removed internal tooling note.
- README: status updated from alpha 2 to beta; removed broken doc link.
v1.0a2.202 — Auto-ban; IP whitelist; GeoIP country blocking; wiki edit gate (June 25 2026)
Security hardening and anti-spam protections.
- Auto-ban: When the login rate limiter trips (10 attempts in 5 min), the source IP is
permanently written to the IpBan table automatically — no sysop action needed. Visible and
removable from Admin → IP Bans like any manual ban. Auto-bans have no expiry by default. - IP whitelist (
Admin → IP Whitelist): New tableip_whitelist. Entries bypass all
ban checks AND GeoIP country blocks. Use for sysop home IPs, trusted peers, and VPN exit
nodes. Supports single IPs and CIDR ranges. - Country blocking: Set
BLOCKED_COUNTRIES=CN,RU,KP(comma-separated ISO codes) in
Admin → Settings. Blocks login and registration from listed countries. Uses
ip-api.com — free, no registration, no download, no API key. Results
cached in-memory for 1 hour so repeated login attempts don't add latency. Fails open
(lookup error = allow) so a network hiccup never locks out users. Whitelisted IPs are exempt. - fail2ban configs (
deploy/fail2ban/): Filter (filter.d/anetbbs-web.conf) matches
nginx 429 responses on/auth/login. Jail (jail.d/anetbbs-web.conf) bans after 3 hits
in 10 min for 24 h, covering ports 80, 443, 2233, 2234. Belt-and-suspenders on top of the
in-process auto-ban above. - Wiki edit gate: New users must have at least 5 posts and a 3-day-old account before
editing any wiki page. Configurable viaWIKI_MIN_POSTSandWIKI_MIN_DAYSin Admin →
Settings (set to 0 to disable). Admins are always exempt. Message tells the user exactly
what requirement they don't yet meet. - New settings in Admin → Settings:
BLOCKED_COUNTRIES,WIKI_MIN_POSTS,WIKI_MIN_DAYS.
v1.0a2.201 — Theme edit/delete; MSP toggle in Admin Settings (June 25 2026)
Theme management is now fully self-service from the admin UI.
- Admin → Themes: Delete button added for each theme. The default theme's delete button is
disabled (can't remove the fallback). A browser confirm dialog guards against accidents.
Any users who had the deleted theme selected are automatically migrated to the system default. - Theme Builder: existing-themes table now has Edit and Delete action buttons alongside each
row — no need to navigate away to Admin → Themes just to fix a name or remove a test theme. - Admin → Settings:
MSP_ENABLEDandMSP_PORTare now listed under Editable Settings.
Sysops can toggle MSP (inter-BBS instant messaging, RFC 1312) on or off and change the port
without editing.envmanually. Flagged as requires-restart so the UI reminds you.
v1.0a2.200 — File areas manage page; echomail admin polish (June 25 2026)
- File areas: new
manage.htmltemplate for per-area file management. - Echomail admin
network_form.html: UI improvements. - ANetCRAFT web game:
anetcraft_enhanced.htmltemplate added. - QWK outbound diagnostics removed (verbose body hex dump +
/tmpREP copy introduced in
v1.0a2.198 no longer needed after confirmed fix).
v1.0a2.199 — QWK outbound: fix \r in body + MSGID space truncation (June 2026)
Two bugs in _build_rep_packet confirmed by hex-dumping the REP file:
-
\rbytes left in body — body encoding converted\n→\xe3but left\rfrom
Windows\r\nline endings, producing\r\xe3instead of bare\xe3throughout.
Fix: replace\r\nfirst, then lone\r, then\n. -
MSGID space → Synchronet dupe truncation — auto-generated MSGID was
ANETBBS_<hash> <timestamp>. Synchronet'sqwk_import_msgcallstruncstr(p, " ")
on the MSGID, storing onlyANETBBS_<hash>. That truncated stub is identical on every
re-upload of the same message → dupe detection silently drops it.
Fix: use underscore separator →ANETBBS_<hash>_<timestamp>.
Outbound messages to Dove-Net/vert.synchro.net confirmed working after this fix.