- Embed widget: standalone iframe player with dark/light/transparent themes, copy-paste embed code admin page
- Real-time SSE: streaming now-playing/listeners/dj events, replaces polling in radio-player and embed
- Song history: auto-records song changes to radio_song_plays table, Filament resource to view
- DJ moderation: unified panel for shouts approval, song request queue, DJ applications
- Auto DJ: playlist management with round-robin playback when no DJ is live
- Refactored radio-player Alpine component to use EventSource API with auto-reconnect
- New 5-step RadioWizardController with session-based wizard flow
- Enhanced RadioStreamService with Shoutcast/Icecast/ AzureCast auto-detection
- Connection test functionality for stream, now-playing, and listeners
- Wizard views for all 5 steps with step indicator navigation
- All 21 language files updated with wizard translation keys (NL/EN + placeholders)
- Wizard link added to existing radio setup page
- Routes registered under /admin/radio/wizard/*
- Replace closures in web.php and auth.php with dedicated controllers
(LoginRedirectController, LogoutController, TwoFactorChallengeController,
EmailVerificationController) to fix route caching issues
- Add migration to increase password column to VARCHAR(255) for Argon2id support
- Fix 500 error caused by route cache incompatibility with closures
- SystemFixService: removed ALL shell_exec/sudo calls (30+ instances), replaced with
safe PHP alternatives (mkdir, chmod, disk_total_space, Artisan calls)
- InstallationController: added ALLOWED_SETTINGS whitelist to prevent arbitrary
settings manipulation via request data
- ExceptionHandler: removed dangerous npm run build execution and hardcoded
chown/chmod paths from auto-recovery
- AuthController: fixed user enumeration timing attack by running Hash::make()
even when user doesn't exist (constant-time comparison)
- DDoSDetectionCommand: added IP validation (FILTER_VALIDATE_IP) before blocking
to prevent iptables manipulation with spoofed/malicious IPs
- trackRequest: now validates IP before storing in cache
Added proper return types (View, RedirectResponse, JsonResponse, Collection)
to 40+ controller methods across 16 controllers. Also added missing
imports for Illuminate response types and tightened parameter types
(e.g. InstallationController::showStep now uses int instead of mixed).
root