- Wrap save-bar + popover in .save-bar-wrap (position:relative) so the
absolute-positioned popover anchors correctly below the Load button
(previously popovers were outside the save-bar, so had no positioned
ancestor and appeared at the wrong place on screen)
- Remove confirm() dialog from deleteEncounter — encounter disappears
immediately from the popover list after deletion
- ICD-10 diagnoses: replace static-only lookup with live NLM Clinical
Tables API search (clinicaltables.nlm.nih.gov) with 280ms debounce;
results appear in a dropdown below the search input; Enter/click selects
- Add clinicaltables.nlm.nih.gov to CSP connect-src
- Drop unused position:relative from .save-bar (now on .save-bar-wrap)
Helmet 8 adds script-src-attr: 'none' by default which blocks ALL
inline event attribute handlers (onclick, onchange, etc.) regardless
of script-src unsafe-inline. This silently broke every onclick button:
copy, read aloud, nextcloud upload, generate, record, etc.
- CSP connectSrc was blocking service worker re-fetches to cdnjs.cloudflare.com
causing Font Awesome icons to go blank (settings, logout, nextcloud buttons)
- Add cdnjs, googleapis, gstatic, google to connectSrc to fix icon rendering
and Chrome Web Speech API (which connects to Google servers for TTS voices)
- Add vendor model Opus 4.6 and vendor model Sonnet 4.6 to all three provider lists
(OpenRouter, Bedrock, Azure-compatible); Sonnet 4.6 now default for Bedrock
- Enable Helmet CSP (scripts/styles/fonts/connect restricted to self + CDNs)
- Lock CORS to APP_URL origin in production (open in dev)
- Reduce JSON body limit from 50mb to 1mb
- Add per-route rate limits: login 10/15min, register 5/hr, forgot-pw 5/hr
- Add README with full setup, Docker Hub, provider switching, env reference
- Bump version to 3.0.0