From f89093212f236003a8b0d3b6e7e47c156fa3ce0d Mon Sep 17 00:00:00 2001
From: X9 Dev
Date: Tue, 2 Jun 2026 14:07:27 +0200
Subject: [PATCH] docs: version changelog as 0.7 + add web changelog page

- CHANGELOG.md: switch to Keep a Changelog versioning ([Unreleased], [0.7], [0.6]).
- web/changelog/: new page that fetches CHANGELOG.md from Forgejo (raw API via the /forgejo-api proxy) and renders it - single source of truth.
- Add Changelog to the nav on landing, navod and spec pages.

Co-Authored-By: Claude Opus 4.8
---
 CHANGELOG.md             | 134 ++++++++++++++++-----------------
 web/changelog/index.html | 155 +++++++++++++++++++++++++++++++++++++++
 web/index.html           |   1 +
 web/navod/index.html     |   1 +
 web/spec/index.html      |   1 +
 5 files changed, 222 insertions(+), 70 deletions(-)
 create mode 100644 web/changelog/index.html

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 765e123..1d47997 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,85 +1,79 @@ # Changelog -All notable changes to xetup. Dates are when the change landed on `main`. +All notable changes to xetup. Format based on [Keep a Changelog](https://keepachangelog.com). +No diacritics anywhere (project rule). -Builds are continuous: every push to `main` produces a signed `xetup.exe` -published as the `latest` release. No diacritics anywhere (project rule). +Builds are continuous: every push to `main` produces a signed `xetup.exe` published as the +`latest` release. Version tags (e.g. `v0.7`) mark notable milestones. -## 2026-06-02 +## [Unreleased] -### Fixed -- **Accent color now reliable in all profiles** (`04-default-profile.ps1`): - write `AccentPalette` (REG_BINARY, 8 shades from #223B47) alongside - `AccentColor`/`AccentColorMenu`. Without `AccentPalette`, Win11 ignores the - custom accent on Start/taskbar and falls back to the default - the cause of - "colors not applied everywhere". The full theme (Custom mode: dark system + - light apps, accent on Start/taskbar and title bars/borders) is written to the - Default hive (new users), the current user (HKCU) and `HKU\.DEFAULT` - (lock/welcome screen) so all profiles match. (`4d08d0c`) -- **BackInfo background color** (`assets/Backinfo/BackInfo.ini`): - `BackgroundColor 4668194 -> 2243399`. BackInfo reads the value as 0xRRGGBB - (RGB), not COLORREF/BGR, so #223B47 = 0x223B47 = 2243399; the BGR value - rendered with red/blue swapped. (`4d08d0c`) +_Nothing yet._ -### Docs -- Web (spec, descriptions.json) updated for AccentPalette / all-profile theme - and the BackInfo background fix. (`917fc89`) -- `SPEC.md` + `CLAUDE.md` synced with all changes from this period. (`41f6d27`) - -## 2026-06-01 - -### Fixed -- **Taskbar File Explorer pin** (`04-default-profile.ps1`): pin Explorer via its - AppUserModelID (`DesktopApplicationID="Microsoft.Windows.Explorer"`) instead of - a hand-made `File Explorer.lnk`. 
The custom shortcut pinned as a separate app - - clicking it launched a second Explorer that did not group with the running - window, and the icon could not be unpinned normally. (`451b9e2`) -- **Atera installed under SYSTEM** (`02-software.ps1`): install the Atera MSI via - a one-shot scheduled task running as `NT AUTHORITY\SYSTEM` (`msiexec /qn`), then - remove the task. Under SYSTEM the agent registers silently with no interactive - MFA window, so no technician input is needed. MSI staged in `C:\Windows\Temp`. (`451b9e2`) - -### Docs -- Web (spec, descriptions.json, navod) updated for the Explorer AUMID pin and - Atera-under-SYSTEM. (`603fba5`) - -## 2026-05-29 +## [0.7] - 2026-06-02 ### Added -- **Code signing in CI**: the release workflow now signs `xetup.exe` on every push - (and via `workflow_dispatch`) using Azure Trusted Signing (certificate - "X9.cz s.r.o.") through jsign, plus an RFC3161 timestamp - (`timestamp.acs.microsoft.com`). jsign is pinned by version + sha256. Trusted - Signing certs are short-lived (~3 days); the timestamp keeps the signature valid - past expiry. Only `AZURE_CLIENT_SECRET` is a Forgejo Actions secret. (`853908b`) +- **Code signing in CI**: the release workflow signs `xetup.exe` on every push (and via + `workflow_dispatch`) using Azure Trusted Signing (certificate "X9.cz s.r.o.") through jsign, + plus an RFC3161 timestamp (`timestamp.acs.microsoft.com`). jsign is pinned by version + sha256. + Trusted Signing certs are short-lived (~3 days); the timestamp keeps the signature valid past + expiry. Only `AZURE_CLIENT_SECRET` is a Forgejo Actions secret. (`853908b`) - `workflow_dispatch` trigger for manual release runs. (`cdad15a`) +- **Keyboard layout**: CZ primary + US secondary, applied to all profiles via + `Set-WinUserLanguageList` (current user) and the `Preload` key in the Default hive and + `HKU\.DEFAULT`. 
(`94b7786`) ### Fixed -Field fixes from the first fresh Win11 deployment (Dell Latitude 5521 / GLBNTB63) (`94b7786`): -- **winget**: pass `--source winget` to every install (02, 11). Fresh Win11 ISOs - ship an App Installer with a stale pinned cert, so the msstore source fails with - `0x8a15005e` and aborts the install; forcing the winget source bypasses it. -- **Network Discovery** (10): enable by resource-string group - `-Group "@FirewallAPI.dll,-32752"` instead of `-DisplayGroup "Network Discovery"`, - which is localized and failed on Czech Windows. -- **Keyboard** (04): set CZ primary + US secondary via `Set-WinUserLanguageList` - (current user) and the `Preload` key in the Default hive and `HKU\.DEFAULT`. -- **Atera detection** (02): verify via the `AteraAgent` service (`Get-Service`) - with a path-check fallback incl. `C:\ProgramData`, since Atera no longer installs - to a fixed location. -- **Windows Update log** (12): format installed updates via `$_.Result`/`$_.Title` - instead of logging the raw objects (which printed "System.__ComObject"). -- **UCPD** (02): the UCPD stop failure on Win11 24H2 (protected service) is logged - WARN, not ERROR; the system-wide HKCR write succeeds regardless. +- **winget** (02, 11): pass `--source winget` to every install. Fresh Win11 ISOs ship an App + Installer with a stale pinned cert, so the msstore source fails with `0x8a15005e` and aborts + the install; forcing the winget source bypasses it. (`94b7786`) +- **Network Discovery** (10): enable by resource-string group `-Group "@FirewallAPI.dll,-32752"` + instead of `-DisplayGroup "Network Discovery"`, which is localized and failed on Czech Windows. (`94b7786`) +- **Atera detection** (02): verify via the `AteraAgent` service (`Get-Service`) with a path-check + fallback incl. `C:\ProgramData`, since Atera no longer installs to a fixed location. 
(`94b7786`) +- **Windows Update log** (12): format installed updates via `$_.Result`/`$_.Title` instead of + logging the raw objects (which printed "System.__ComObject"). (`94b7786`) +- **UCPD** (02): the UCPD stop failure on Win11 24H2 (protected service) is logged WARN, not + ERROR; the system-wide HKCR write succeeds regardless. (`94b7786`) +- **Atera under SYSTEM** (02): install the MSI via a one-shot scheduled task running as + `NT AUTHORITY\SYSTEM` (`msiexec /qn`). Under SYSTEM the agent registers silently with no + interactive MFA window. (`451b9e2`) +- **Taskbar File Explorer pin** (04): pin Explorer via its AppUserModelID + (`DesktopApplicationID="Microsoft.Windows.Explorer"`) instead of a hand-made `.lnk`. The custom + shortcut launched a second Explorer that did not group with the running window and could not be + unpinned. (`451b9e2`) +- **Accent color in all profiles** (04): write `AccentPalette` (REG_BINARY, 8 shades from #223B47) + alongside `AccentColor`. Without it Win11 drops the custom accent on Start/taskbar and falls back + to the default. The full theme (Custom mode: dark system + light apps; accent on Start/taskbar and + title bars/borders) is written to the Default hive, the current user (HKCU) and `HKU\.DEFAULT` so + all profiles match. (`4d08d0c`) +- **BackInfo background color**: `BackgroundColor 4668194 -> 2243399`. BackInfo reads the value as + 0xRRGGBB (RGB), not COLORREF/BGR, so #223B47 = 2243399; the BGR value swapped red/blue. (`4d08d0c`) ### CI / Infra -- deploy.json update step made non-fatal (cosmetic, runs after the release is - published). (`8a7fc10`) -- Forgejo runner: bind-mount the docker socket into job containers so the - deploy.json step's `docker exec` works. (`c8c8523`, `beceeb4`) -- docker-compose: mount `web/data` read-write so CI can refresh `deploy.json` - (rest of the web docroot stays read-only). (`7becac7`) +- deploy.json update step made non-fatal (cosmetic, runs after the release is published). 
(`8a7fc10`) +- Forgejo runner: bind-mount the docker socket into job containers so the deploy.json step's + `docker exec` works. (`c8c8523`, `beceeb4`) +- docker-compose: mount `web/data` read-write so CI can refresh `deploy.json` (rest of the web + docroot stays read-only). (`7becac7`) ### Docs -- Web (spec, descriptions.json, navod, landing) updated for the field fixes and - code signing. (`133fc1e`) +- Web (spec, descriptions.json, navod, landing) updated for all of the above. +- `SPEC.md` + `CLAUDE.md` synced. Added this `CHANGELOG.md`. + +## [0.6] - 2026-04-28 + +### Added +- Step 03: disable hibernation and Smart App Control; reworked Edge configuration + (mandatory policies + initial_preferences). (`0cfe751`) + +### Fixed +- Reliability and robustness pass: watchdog kills a stalled script after 30 min of silence; + reboot-loop protection caps each step at 5 restarts; atomic `state.json` writes (tmp+rename); + email report retried 3x with a local HTML fallback; Default-hive unload retried; resume mode + fixed to actually run pending steps. (`d30767e`) + +--- + +Earlier history (pre-0.6): see the git log - initial Go launcher, embedded PowerShell steps, +reboot-resume cycle, Forgejo CI build, and the static site at xetup.x9.cz. diff --git a/web/changelog/index.html b/web/changelog/index.html new file mode 100644 index 0000000..a0dd88d --- /dev/null +++ b/web/changelog/index.html @@ -0,0 +1,155 @@ + + + + + +Changelog – xetup + + + + + +
+ + X9.cz + xetupby X9.cz + + +
+ +
+

Changelog

+

Historie zmen – nacitano z CHANGELOG.md v repozitari

+

Nacitam changelog...

+
+ + + + + + + diff --git a/web/index.html b/web/index.html index 7f2fcf1..836f5ea 100644 --- a/web/index.html +++ b/web/index.html @@ -158,6 +158,7 @@ diff --git a/web/navod/index.html b/web/navod/index.html index 27d8e0d..ed7b8ca 100644 --- a/web/navod/index.html +++ b/web/navod/index.html @@ -123,6 +123,7 @@ diff --git a/web/spec/index.html b/web/spec/index.html index 0d58f7c..8aa2411 100644 --- a/web/spec/index.html +++ b/web/spec/index.html @@ -486,6 +486,7 @@
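Review bot: The [0.7] "Atera under SYSTEM" entry in CHANGELOG.md loses two details that the removed 2026-06-01 entry recorded: that the one-shot scheduled task is removed after the install ("then remove the task") and that the MSI is staged in `C:\Windows\Temp`. For a task that runs `msiexec /qn` as `NT AUTHORITY\SYSTEM`, those are the facts an auditor looks for, so I would carry both into the new entry. Separately, the two new Docs bullets have no commit hash, while the entries they replace cited `917fc89`, `41f6d27`, `603fba5` and `133fc1e`; either keep the hashes or state that Docs entries are intentionally unreferenced. The bracketed headings (`[Unreleased]`, `[0.7]`, `[0.6]`) also have no link reference definitions at the end of the file, so they will render with literal brackets.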
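Review bot: The renderer in web/changelog/index.html should HTML-escape the fetched Markdown before applying any formatting, or build nodes with textContent instead of assigning a string to innerHTML, because the commit message says the page fetches CHANGELOG.md at runtime and renders it. The script body is not visible in this extract, so please confirm which path it takes; anyone who can push to the repository controls what this page displays on the site's origin. The only state visible in the markup is the loading text "Nacitam changelog...", so also confirm that a failed or non-200 response from the /forgejo-api proxy replaces it with an error message instead of leaving it on screen.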