| Name | Modified | Size | Downloads / Week |
| --- | --- | --- | --- |
| opensparrow-2.1.0.zip | 2026-05-18 | 2.6 MB | |
| 2.1.0 - security, sessions and Admin panel source code.tar.gz | 2026-05-17 | 2.6 MB | |
| 2.1.0 - security, sessions and Admin panel source code.zip | 2026-05-17 | 2.7 MB | |
| README.md | 2026-05-17 | 2.1 kB | |
| Totals: 4 items | | 7.9 MB | 0 |

What's new:

### Security & sessions

  • Reverse-proxy aware: auto-detect HTTPS via X-Forwarded-Proto, CF-Visitor, X-Forwarded-SSL.
  • Real client IP resolved via CF-Connecting-IP / X-Real-IP (fixes rate-limit collapse behind CloudFlare).
  • Fixed admin login redirect loop (ERR_TOO_MANY_REDIRECTS) caused by relative session.save_path under PHP-FPM.
  • session.gc_maxlifetime synced with SESSION_MAX_LIFETIME to prevent premature logout.
  • IP_HASH_SALT auto-generated on first request and persisted to includes/.secret_salt (chmod 0600, gitignored).
  • New tmp/.htaccess denies HTTP access to session files.
  • Hardened session_regenerate_id() flow in login.php.

### Admin panel

  • Improved 403 page on admin/ — shows current user, role, and required role for faster debugging.

### CI / release

  • Fixed Docker Hub build tag pattern (now matches both v1.2.3 and bare 1.2.3 semver tags).
  • Release ZIP excludes hardened: tmp/, cypress/, node_modules/, package*.json, .claude/, includes/.secret_salt.
  • Removed dead e2e-tests.yml workflow (Cypress not in repo).
  • CodeQL no longer references non-existent classic branch.
  • PHP lint now runs matrix across PHP 8.1, 8.2, 8.3.
  • vanilla-check.yml extended with chart.js, swiper, htmx, gsap, three, stimulus, d3.

### Docs

  • README updated: badges refreshed, IP_HASH_SALT behaviour documented, reverse-proxy notes added, tag examples corrected (X.Y.Z not vX.Y.Z).

### Upgrade notes

  • No breaking changes. Existing database.json and configuration are preserved.
  • Behind reverse proxy: no action required — detection is automatic.
  • Multi-server deployments should set IP_HASH_SALT explicitly so all nodes share the same salt.

Source: README.md, updated 2026-05-17