## [1.3.0] - 2025-09-26
### Security / Hardening
- Removed all reflective private field access (`getDeclaredField` / `setAccessible`). Added explicit getters and helper methods.
- Migrated web session auth to `Authorization: Bearer <session>` header after initial load; SPA auto-migrates and strips `?session=` from URL history.
- Added hashed API token support via `web.api.token-hashes` (SHA-256 lowercase hex). Legacy plain `web.api.tokens` still accepted but deprecated (one-time warning when both present).
- Updated `SECURITY.md` to reflect mitigations.
### Developer / Internal
- Added utility methods in `WebServer` for token validation and constant-time hash comparison.
### Upgrade Notes
1. After updating, players' existing web links still work. On first load the UI migrates the token to a header and removes it from the address bar.
2. For API integrations using read-only tokens, you may begin migrating to hashed tokens:
   - Generate hash: `echo -n "YourTokenValue" | sha256sum` (Linux/macOS) or use PowerShell `"YourTokenValue" | Out-File -NoNewline -Encoding ascii t.txt; certutil -hashfile t.txt SHA256 | Select-String -NotMatch "hash"; Remove-Item t.txt`.
   - Place the resulting 64-char hex in the `web.api.token-hashes` list.
   - Remove the clear token from `web.api.tokens` after deployment to drop the deprecation warning.
3. No config keys were removed; all changes are backward compatible.
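
Added example (not the plugin's `WebServer` code): a Python helper that produces a `web.api.token-hashes` entry and checks a presented token against the list with a constant-time comparison. The function names, the sample token and the strict rejection of non-lowercase entries are assumptions of this example.

```python
import hashlib
import hmac
import re

# Format stated in the changelog: SHA-256 as 64 lowercase hex characters.
HEX64 = re.compile(r"[0-9a-f]{64}")


def hash_token(token: str) -> str:
    """Hash the exact UTF-8 bytes of the token (same result as `echo -n`)."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def split_entries(entries):
    """Separate well-formed hash entries from malformed ones.

    Assumption of this example: uppercase or truncated entries are rejected
    rather than normalized, so a copy/paste mistake is reported, not hidden.
    """
    good = [e for e in entries if HEX64.fullmatch(e)]
    bad = [e for e in entries if not HEX64.fullmatch(e)]
    return good, bad


def token_allowed(presented: str, hashes) -> bool:
    """Check a presented token against every configured hash.

    hmac.compare_digest runs in constant time, and the loop never exits
    early, so timing does not reveal which entry (if any) matched.
    """
    digest = hash_token(presented)
    matched = False
    for h in hashes:
        matched |= hmac.compare_digest(digest, h)
    return matched


if __name__ == "__main__":
    token = "example-token-123"  # constructed sample value
    entries = [
        hash_token(token),          # correct entry
        hash_token(token).upper(),  # malformed: uppercase hex
        hash_token(token + "\n"),   # what `echo` without -n would produce
    ]
    good, bad = split_entries(entries)
    print("rejected entries:", len(bad))
    print("token accepted:", token_allowed(token, good))
    print("wrong token accepted:", token_allowed("nope", good))
```

The third sample entry is well-formed but never matches the real token, which is why the hash commands above suppress the trailing newline.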
### Changed
- Removed legacy Addons tab and `/api/addons` usage; addons now integrate as items or custom routes.
- Simplified live update flow (single item stream via WS/SSE/polling).
- Refactored layout (two-row search + filters) for clarity and responsiveness.
- Copy tasks marked untracked to prevent Gradle state errors with transient DB journal files.
### Fixed
- UI tab reversion issue resolved by removing tab abstraction.
- Async misuse (`await` in sync render) eliminated; stabilized frontend rendering.
- Ensured Vault economy deductions occur on main thread; corrected SELL handling logic.
### Removed
- Addons navigation UI and related frontend logic.
### Documentation
- Added `docs/CUSTOM_WEBUI.md` and updated config with `web.custom.*` keys.
### Compatibility
- Built against Paper API 1.20.1; expected to operate on 1.21.x.
### Upgrade Notes
- If you relied on Addons tab navigation, migrate to item-based representation or custom web routes.
- Enable `web.custom.enabled` to customize UI; restart to export default scaffold.
## [1.1.0] - 2025-08-29
### Added
- Web UI item icons served from resource packs with `/icon/{material}` endpoint (public, ETag caching)
- Resource pack extraction/usage via `web.icons.*` with support for both `item/items` and `block/blocks` folders
- Aliases for tricky materials (e.g., PUMPKIN, CACTUS) to reduce 404s across pack variations
- Addons tab in the UI and `/api/addons` endpoint (auth required)
- Developer HTTP API documentation (`docs/API.md`) and reverse proxy guide (`docs/REVERSE_PROXY.md`)
### Changed
- Improved client error fallback for missing icons (initials badge)
- More informative server logs (actual paths tried for missing icons when `logging.verbose=true`)
### Fixed
- Kotlin string interpolation in logs and headers (no longer prints `$vars` literally)
- Javalin route syntax for path params (now uses `/icon/{material}`)
### Compatibility
- Built against Paper API 1.20.1; expected to work on newer Paper versions
### Highlights
- HTTP API reference: see `docs/API.md`
- Reverse proxy examples (HTTPS): `docs/REVERSE_PROXY.md`
- Config keys for icons and addons: `docs/CONFIG.md`