This release adds a PHD2 calibration star recommender to the graph view and hardens the journal rich-text editor against content loss and XSS. It also brings analytics to single-user deployments, polishes several graph-view interactions, and cleans up dead code across the codebase.
Security
- XSS in project edit form – Hidden inputs feeding the Trix rich-text editor were rendered with `| safe`, allowing injected HTML to break out of the input attribute. All four fields (Goals, Story, Framing, Processing) now use `| e` to properly escape values.
- Dependency CVEs – Bumped Mako, Pillow, pytest, and requests to versions that resolve open Dependabot advisories.
What’s New
PHD2 Calibration Star Recommender
A new widget on the Chart tab recommends the best guide calibration star near the meridian for your current location and time:
- Ranks a catalog of 87 named equatorial stars by proximity to the meridian (smallest hour-angle offset).
- Filters candidates by altitude (>30 degrees above the horizon) and respects your configured horizon mask.
- Shows the calibration window open/close times alongside the recommended star’s coordinates and hour angle.
- Fully translated into all 6 supported locales, with a help modal explaining the feature.
- Works in simulation mode – when viewing a non-today date on the graph, the widget computes the calibration window for that calendar day instead of “now.”
Analytics for Single-User Mode
Usage analytics were previously limited to multi-user deployments. Single-user instances now collect and report feature-usage telemetry so the project can better understand how Nova is used across all deployment types.
Graph View Polish
- Blend opacity auto-set – Selecting a “Blend with” overlay now automatically sets the blend opacity to a sensible default, so you see the result immediately without manually adjusting the slider.
- “Show Framing” button restyled – The framing toggle on the graph chart now uses the teal ghost variant to visually distinguish it from primary actions.
Help Modal Improvements
- Added a close (X) button to the universal help modal so it can be dismissed without scrolling to the bottom.
- Help modal now fully supports dark mode.
- Long help documents scroll correctly within the modal body.
Bug Fixes
- Rich-text editor destroying content on re-save – The HTML sanitizer was applied to hidden-input values fed into the Trix editor, stripping tables, headings, code blocks, and inline formatting (bold, italic, underline) every time the edit form loaded. The editor would then save the stripped version, permanently losing that content. Raw database values are now used for the editor inputs, and the display sanitizer allowlist has been expanded to cover tables, headings, blockquotes, and code blocks.
- Telemetry retry loop broken – A failed telemetry POST was incorrectly marked as “sent,” preventing retries on the next cycle. The throttle flag now only advances after a successful response.
- Observable objects cache collisions – The cache key included the location name, which could cause identical entries for the same coordinates under different display names. Location name has been removed from the key.
- Location comments lost on YAML import – The `comments` field on Location records was not included in YAML export/import, so any notes attached to a location would disappear during a config migration. The field is now preserved.
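
The hidden-input XSS fix under Security and the rich-text content-loss fix above rest on the same point: escaping at the attribute boundary blocks the breakout without altering the stored HTML the editor receives. The following is an added illustration, not Nova's code. It uses Python's standard library as a stand-in for the Jinja `| safe` and `| e` filters, and the field id and stored value are constructed samples.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample: stored rich text whose tail tries to close the attribute.
STORED = ('<h2>Goals</h2><table><tr><td>Ha 10h</td></tr></table>'
          '"><span id="injected">x</span>')

def render_raw(value):
    """Stand-in for `{{ value | safe }}` inside value="..." (the old behaviour)."""
    return f'<input type="hidden" id="goals" value="{value}">'

def render_escaped(value):
    """Stand-in for `{{ value | e }}`: &, <, > and quotes become entities."""
    return f'<input type="hidden" id="goals" value="{escape(value, quote=True)}">'

class Inspector(HTMLParser):
    """Records every start tag and the value the hidden input ends up with."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_value = dict(attrs).get("value")

def inspect(markup):
    """Return (start tags seen, value attribute of the hidden input)."""
    parser = Inspector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.input_value

if __name__ == "__main__":
    for name, render in (("raw", render_raw), ("escaped", render_escaped)):
        tags, value = inspect(render(STORED))
        print(f"{name:8} tags={tags} editor_gets_full_value={value == STORED}")
```

In the raw rendering the first `"` in the stored value ends the attribute, so the editor input is truncated and the trailing markup becomes a live element. In the escaped rendering the parser sees only the `input` tag and decodes its value back to the exact stored HTML, tables and headings included.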
Under the Hood
- AI prompt quality – Added anti-numbering instructions to the DSO notes, session summary, and best-objects prompts so the model no longer emits structural labels like “Paragraph 1” or “STEP 2” in its responses.
- Fragile `SINGLE_USER_MODE` lookups replaced – Several modules used `globals().get('SINGLE_USER_MODE')` to read the mode flag, which breaks if the import chain changes. These have been replaced with direct imports. The `.env.example` file has also been cleaned up to remove orphaned variables and document currently used ones.
- Dead code removed – Deleted unused ASIAIR coordinate formatting helpers, an orphaned debug test function in `graph_view_chart.js`, orphaned CSS tokens, and stale `END REFACTOR` comments.
- Narrative noise removed – Cleared `console.log` statements from JavaScript files and redundant restatement comments from Python and Jinja templates.
Upgrade Notes
- No database migration required – all changes are backwards-compatible.
- No new dependencies – dependency bumps are patch/minor version updates only.
- Docker – no changes to the Dockerfile or entry point. Pull the new image and restart as usual.
Thanks for using Nova DSO Tracker! As always, feedback is welcome – please report any issues on GitHub.