OrbitalReg 2026.1.1
✨ Highlights
Outbound calls are now off by default on a fresh install: the update-check opts in via the First-Run wizard rather than phoning home out of the box. Admin gets a leaner sidebar with Trust and Compliance each consolidated into a single tabbed shell, and the new orbital migrate CLI suite (plan / apply / verify / finalize / fill) covers the end-to-end JFrog → Nexus → cloud-registry migration loop with a published reference under /reference/cli/migrate.
🔒 Security
- Update-check default-OFF. update_check_settings.manifest_url ships empty on every fresh install, so the worker short-circuits before any network call. Operators opt in actively via the new wizard step (Off / Daily / Weekly, no pre-selection) or Admin → Version status → Settings. Existing installs that already wrote a manifest URL or completed the prior wizard are preserved verbatim.
- CSP + strict security headers for the customer portal and marketing surfaces — HSTS preload-eligible, frame-ancestors deny, Referrer-Policy strict-origin-when-cross-origin, and a hardened Permissions-Policy. The portal vhost relaxes script-src minimally for Astro's hydration; static sites stay strict.
- DPA template published at /legal/dpa for Auftragsverarbeitungsvertrag-required customers.
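Operators who want to confirm the header set from the CSP bullet above on their own vhosts can audit a response with a check like the following. It is an added example, not OrbitalReg code. It assumes "frame-ancestors deny" means the CSP value frame-ancestors 'none'; the function names, finding strings and sample headers are constructed, and the 'unsafe-inline' in the portal sample is only an illustration of a relaxation, since the notes do not say which source the portal adds.

```python
import re

HSTS_PRELOAD_MIN_AGE = 31536000  # one year: minimum for the browser preload list
LOOSE_SCRIPT_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; the first occurrence wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = [t.strip().lower() for t in h.get("strict-transport-security", "").split(";")]
    ages = [int(m.group(1)) for t in hsts if (m := re.fullmatch(r"max-age=(\d+)", t))]
    if not (ages and ages[0] >= HSTS_PRELOAD_MIN_AGE
            and "includesubdomains" in hsts and "preload" in hsts):
        findings.append("hsts-not-preload-eligible")
    csp = parse_csp(h.get("content-security-policy", ""))
    if csp.get("frame-ancestors") != ["'none'"]:
        findings.append("frame-ancestors-not-none")
    # script-src falls back to default-src; no policy at all allows everything.
    script_src = csp.get("script-src", csp.get("default-src", ["*"]))
    for src in script_src:
        if src.lower() in LOOSE_SCRIPT_SOURCES:
            findings.append("script-src-allows " + src.lower())
    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("referrer-policy-mismatch")
    if not h.get("permissions-policy"):
        findings.append("permissions-policy-missing")
    return findings


# Constructed sample responses (not captured from a real deployment).
STATIC_SITE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
# Assumed relaxation for illustration only: the page does not name the portal's source.
PORTAL = dict(STATIC_SITE, **{"Content-Security-Policy":
              "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'"})
WEAK = {"Strict-Transport-Security": "max-age=86400", "X-Frame-Options": "DENY"}
```

A strict static site should return no findings, while the portal should list exactly the script-src sources that were relaxed, which makes any later widening of the policy visible in review.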
🚀 New features
- orbital migrate CLI suite. Plan / Apply / Verify / Finalize / Fill subcommands cover migrations from JFrog Artifactory, Sonatype Nexus, GitHub Packages, GitLab Package Registry, and the three major cloud registries. Reference docs land at /reference/cli/migrate with one playbook per source under /migration/.
- Admin sidebar consolidation. Trust mechanics (X.509 / OpenPGP, Sigstore, OIDC) fold into /admin/trust with WAI-ARIA-compliant tabs, fragment-driven deep-links, and back-compat redirects from the legacy URLs. Compliance follows the same shape at /admin/compliance with ISO 27001 and SOC 2 tabs. Sidebar drops from 23 to 19 entries; Setup, Seed, API playground, and Slug-audit move to Overview tiles.
- First-Run setup wizard (/setup) walks operators through branding, admin-promotion, an explicit update-check choice, and a first project. The redirect runs ahead of every authenticated page while setup_required is true; the wizard is also re-runnable from /admin/system/setup.
- Demo seeder Phase B. New full-plus and stress sets layer per-format and per-project repo fan-out on top of the default set so the format-adapter dashboard lights up every tile rather than leaving 35 of 41 grey-empty.
- Portal: resend magic-link + login-activity column on the customer-portal admin tables, plus relative-time tooltips on every datetime cell.
- Migration playbook: GitHub Packages. Step-by-step PAT and GitHub-App auth setup, multi-format coverage (npm, Maven, Docker, NuGet, RubyGems), and a worked end-to-end example.
🐛 Bug fixes
- Lint-logs guard. Editorial reword on the CI message and a string-literal exclusion so the lint walks the api/ tree without flagging legitimate "log"-as-data string occurrences.
- Integration-test harness. Renamed scope publish → artifacts:write to match the canonical scope vocabulary on service-account tokens.
- Migration docs. Inline GitHub Actions $ syntax inside fenced code blocks now wraps in <v-pre> so VitePress doesn't try to interpolate the Actions expression at build time.
📦 Upgrade notes
- Existing installs are unaffected by the update-check default flip. The migration only resets manifest_url to empty when it still carries the original upstream default and the first-run wizard has not been completed; operators with a mirror URL or who walked the wizard under the prior default are preserved verbatim.
- Legacy admin URLs (/admin/sigstore, /admin/oidc/policies, /admin/iso27001, /admin/soc2) <Navigate replace /> to the consolidated tabs (/admin/trust#sigstore, /admin/trust#oidc, /admin/compliance#iso27001, /admin/compliance#soc2) — bookmarks keep working without page reloads.
- New migrations: 102 (update_check_settings.manifest_url default flip) and 103 (system_setup.step_update_check_at). Both run forward via the standard make migrate target; no operator action required.