Release Notes — March 19, 2026
This release adds a Contact page in three languages, completes the centralized log aggregation infrastructure with Grafana Cloud Loki, introduces MongoDB backup monitoring, ingress rate limiting, structured JSON logging, and a GDPR audit log transport.
Contact Page
Contact Page — EN / HU / DE
CADENSA now has a dedicated Contact page available at cadensa.io/contact in all three supported languages (English, Hungarian, German).
What's on the page:
| Channel | Purpose | Response time |
|---|---|---|
| Support | Technical issues, usage questions | 24h |
| Billing | Subscriptions, invoices, payments | 48h |
| Privacy | GDPR, data requests (Art. 15–22) | 72h |
| Legal | Legal inquiries, DPA signing | 5 business days |
Company information:
- Axeri Labs Bt. — 2120 Dunakeszi, Brassói utca 7.
- Registration: 13-06-060656 · Tax: 22531300-2-13 · EU VAT: HU22531300
Technical details:
- Email addresses are JavaScript-rendered and Unicode-obfuscated — not present in plain HTML or i18n JSON (spam protection)
- Footer
Contactlink updated from Coming Soon to the live page
Backend: GDPR Audit Log Transport
GDPR Audit Log — 365-day Retention (Art. 5(2))
All GDPR-relevant events are now persisted to a dedicated audit log database with a 365-day retention policy.
Logged events include:
- User registration, login, password changes
- Personal data access and exports (Art. 15)
- Data deletion and cancellation requests (Art. 17)
- Consent updates
- Admin actions on user accounts
Compliance basis: GDPR Art. 5(2) — accountability obligation.
Tier: All plans (automatic, no user action required)
Backend: Structured JSON Logging
JSON Log Format + RequestLogger Middleware
All backend log output is now structured JSON (production mode), enabling full-text and structured queries in Grafana Loki.
Log fields in every request:
{
"timestamp": "2026-03-19T10:00:00.000Z",
"level": "info",
"method": "POST",
"path": "/api/time-entries",
"statusCode": 201,
"durationMs": 34,
"userId": "...",
"workspaceId": "...",
"ip": "x.x.x.x"
}
Additional changes:
- All
console.*calls replaced withlogger.*across controllers, services, models, and config - Kubernetes
/healthliveness probe requests are silently filtered — not logged (reduces noise)
Infrastructure: Ingress Rate Limiting
IP-Level Rate Limiting on All API Endpoints
The Nginx Ingress Controller now enforces IP-level rate limits on all /api/* routes.
Limits:
| Setting | Value |
|---|---|
| Request rate | 50 req/s per IP |
| Concurrent connections | 30 per IP |
| Burst | 5× (250 req burst / 150 conn burst) |
Behaviour:
- Requests exceeding the limit receive
429 Too Many Requests - Burst window allows short traffic spikes without immediate rejection
- All 429 responses are visible in Grafana (Rate Limit Spike alert)
Infrastructure: Centralized Log Aggregation
Promtail → Grafana Cloud Loki (Fázis 3 + 5)
All Kubernetes pod logs are now aggregated to Grafana Cloud Loki via a Promtail DaemonSet.
Pipeline overview:
- cadensa-pods job: reads JSON logs → parses
level,message,path,method,statusCode,durationMs,userId,workspaceIdas labels - cadensa-backup job: reads plain-text backup logs (no CRI timestamp stripping — Loki ingestion time used)
- monitoring-pods job: Promtail + Grafana Agent self-logs
5 Grafana alert rules deployed:
| Alert | Condition | Severity |
|---|---|---|
| High Error Rate | >10 errors/5min | critical |
| Brute Force Detected | >20 failed logins/5min | critical |
| Rate Limit Spike | >50 429s/5min | warning |
| MongoDB Unreachable | no heartbeat 5min | critical |
| Backup Missing | no backup log in 25h | warning |
Infrastructure: MongoDB Backup Monitoring
Backup Missing Alert + Admin Backup UI
Grafana alert:
Backup Missingfires when no backup success log appears within 25 hours- Alert query targets plain-text backup logs directly (no JSON parse)
- Resolves automatically when next backup runs
Admin panel (/admin/backup):
- Tree-view browser: type → snapshot date → individual files
isStaleindicator — visual warning if last snapshot is >25h old- Monitoring widget on Admin dashboard showing backup status at a glance
- Backup source: Wasabi S3 (eu-central-2) — legal notices updated
Bug Fixes
- SMTP relay: Internal relay address corrected to
smtp-relay.cadensa.svc.cluster.local:25(no-auth, no TLS) - Backup log ingestion: Removed CRI timestamp parsing stage for backup logs — ingestion time used instead, resolving Loki rejection errors
- Admin users list:
403 Forbiddenon/reports/invoicesfixed - Workspace archive: GDPR notice added to ArchiveWorkspaceDialog
Summary
| Area | Change |
|---|---|
| Landing | Contact page EN/HU/DE, footer link, spam-protected emails |
| Backend | GDPR audit log transport (365d, Art. 5(2)) |
| Backend | Structured JSON logging, RequestLogger, /health filter |
| Infra | Ingress rate limiting: 50 rps / 30 conn / burst ×5 |
| Infra | Promtail DaemonSet → Grafana Cloud Loki (3 jobs) |
| Infra | 5 Grafana alert rules (error rate, brute-force, rate-limit, MongoDB, backup) |
| Infra | MongoDB backup monitoring + Admin backup UI (tree-view, isStale) |
| Fix | SMTP relay, backup log ingestion, admin 403, workspace archive GDPR |