Hush Line in 2024
This article summarizes the Hush Line codebase history from January 7, 2024 through December 28, 2024, based on git log --all in the main repository.
By the Numbers
- 2,270 commits
- 13 authors
- 80,043 lines added
- 44,576 lines removed
2024 was the largest full year in the repository so far. It was also the year when Hush Line clearly shifted from installer-led work into a more complete application platform.
Q1: Hosted App Foundations
Early 2024 brought a visible product shift. The history shows work such as "hosted to main," admin page additions, support for admin users, Mailvelope integration, and substantial privacy, security, and threat-model documentation updates.
This quarter also introduced or reorganized major data-layer work, including migrations and installer changes, while removing MariaDB-related paths. The repo started to look less like a deployment bundle and more like a service with explicit application architecture.
Q2: CI, Migrations, Directory, And Auth Hardening
The second quarter focused on operational discipline and core flows. GitHub Actions CI landed, Docker and Postgres paths were tightened, the initial user directory work matured, and registration and login tests expanded.
Security work was substantial. The quarter added rate limiting and related tests, then later removed or simplified Redis and limiter dependencies as the implementation evolved. It also tightened two-factor authentication behavior, prevented token reuse, and narrowed CSP sources. By midyear, Hush Line had much stronger app-level security and much better test coverage around authentication.
Q3: Product Expansion At Full Speed
The third quarter was one of the most feature-dense in the entire history. The directory moved toward route-backed behavior, including a dedicated /directory/users.json path. The app added the Onion-Location header when configured, which reinforced the Tor access story.
This was also the period when settings routes were heavily refactored, replies and reply-status logic were built out, alias and paid-feature gating matured, and Stripe-backed subscription flows became a major focus. The repository shows deep work across routes, settings, forms, templates, migrations, and tests.
Q4: Product Polish And Security Headers
The final quarter of 2024 focused on making the expanded application feel more coherent. Responsive settings and replies work continued, modal and button behavior was refined, guidance settings improved, and admins gained the ability to control directory intro text.
Security and trust signals also strengthened. The quarter added CSP and HSTS response headers with tests, tied Vision access to Stripe state, added password-history protection, and tightened upgrade and premium behavior. The result was a more polished and better-defended product surface.