- Replace postMessage wildcard ('*') with explicit parent origin passed
via ?origin= parameter to prevent auth state disclosure to arbitrary
embedders
- Tighten frame-ancestors CSP: production restricts to self + DOMAIN,
dev restricts to localhost origins (was frame-ancestors *)
- Remove deprecated X-Frame-Options ALLOW-FROM header (CSP
frame-ancestors is the modern replacement)
- Validate targetOrigin with URL constructor before use
Bunker Admin
ScheduleOutlined was missing from the ANT_ICON_TO_MATERIAL mapping in
header-builder.service.ts, causing Material Icons to render raw text
characters ("S", "O") instead of a clock icon for the Shifts nav item.
Added the missing mapping and a toMaterialIcon() fallback that converts
any unmapped Ant Design icon name to snake_case Material Icons format.
Bunker Admin
Replaced multi-step manual instructions (heredocs, printf, individual echo
commands) with a single convenience script. Users now just clone the repo
and run: bash setup.sh YOUR_API_KEY
The script handles package install, key config, permissions, Termux:Boot,
and starting the server. Updated both the admin wizard and MkDocs docs.
Bunker Admin
printf \n escapes also get mangled by Android clipboard (expanded to real
newlines). Individual echo >> commands are the only reliable approach for
copy-pasting multi-line scripts to a mobile terminal.
Bunker Admin
Heredocs fail silently on Android Termux when copy-pasting from the admin GUI
(trailing whitespace from clipboard prevents EOF recognition). Switched to
printf commands in both the setup wizard and MkDocs docs. Also added
source ~/.bashrc and boot script steps directly in the wizard Step 4.
Bunker Admin
