# Changelog

## [0.1.1] - 2026-04-09

### Changed

- Reorganized project structure: moved all modules to `src/` folder
- Refactored endpoints into separate router modules:
  - `src/routers/init.py` - System initialization endpoint
  - `src/routers/login.py` - Authentication endpoint
  - `src/routers/status.py` - Status check endpoint
- Reduced `main.py` from 100+ lines to 35 lines (only app configuration)
- Updated all internal imports to use relative imports within `src/`

### Project Structure

```
archivium-backend/
├── main.py              # Entry point (35 lines)
├── src/
│   ├── __init__.py
│   ├── config.py        # Configuration
│   ├── models.py        # Database models
│   ├── schemas.py       # Request/response schemas
│   ├── database.py      # Database setup
│   ├── security.py      # Password hashing
│   └── routers/
│       ├── __init__.py
│       ├── init.py      # POST /api/init
│       ├── login.py     # POST /api/login
│       └── status.py    # GET /api/status
├── pyproject.toml
├── requirements.txt
└── README.md
```

---

## [0.1.0] - 2026-04-09

### Changed

- Removed excessive Polish comments and restructured code for readability
- Refactored monolithic `main.py` into modular structure:
  - `config.py` - Environment configuration and CORS settings
  - `models.py` - SQLAlchemy ORM models
  - `schemas.py` - Pydantic request/response schemas with validation
  - `database.py` - Database initialization and session management
  - `security.py` - Password hashing and recovery key generation
  - `main.py` - FastAPI application and endpoint handlers
- Added official Python docstrings for public functions and classes only
- Improved project metadata with description and version in FastAPI app

### Security Improvements

- Restricted CORS to explicit allowed origins instead of wildcard ("*")
- Limited allowed HTTP methods to POST and GET only
- Restricted allowed headers to Content-Type only
- Added password validation (minimum 8 characters, maximum 128)
- Improved error handling with try-except for password verification
- Database operations now properly managed with dependency injection

### Added

- `pyproject.toml` for modern Python package management (compatible with uv)
- `requirements.txt` for traditional pip/env management
- Proper dependency pinning with specific versions
- Database initialization on startup event
- Dependency injection for database sessions via `Depends(get_db)`
- Recovery key generation moved to dedicated security module
- Startup lifecycle event to ensure schema creation

### Dependencies

- fastapi>=0.104.0
- uvicorn[standard]>=0.24.0
- pydantic>=2.5.0
- sqlalchemy>=2.0.0
- passlib[argon2]>=1.7.4

### Notes

- SQLite remains in use for development (no encryption at rest)
- For production deployment, consider:
  - Using PostgreSQL or equivalent encrypted database
  - Setting ENVIRONMENT=production env var
  - Configuring CORS_ORIGINS for specific domains
  - Enabling HTTPS/SSL
  - Implementing rate limiting
  - Adding request logging and monitoring