
From “Ice Flame” to “Berry Cloud”: Security, Stability, and a Bit of Spark

Posted: Sun Oct 12, 2025 11:14 am
by daniel
Friends,

Since the Ice Flame era, we’ve been heads‑down turning QhtLink Firewall into a fortress with a friendly face. Today, I’m thrilled to introduce Berry Cloud (v0.2.1) as a clean, independent release line that takes everything we learned—and hardened—into a tight, secure, and polished experience across cPanel/WHM, DirectAdmin, CWP, InterWorx, Webmin, and more.

If Ice Flame was our rigorous refactor and stabilization epoch, Berry Cloud is the auditable, CSP‑clean, UX‑refined baseline you’ll want to run everywhere. It’s faster to read, safer to run, and designed to keep attackers guessing and admins grinning.

Let’s talk about what changed, why it matters, and how it makes your environment safer without making your day harder.

Security first: CSP, no‑inline, and a padlock on the front door

We’ve placed security on the front line—not as an afterthought, but as the default posture.

Content Security Policy (CSP), end‑to‑end:
No inline script handlers. No inline styles. Everything goes through nonce‑aware asset endpoints.
Scripts and styles are loaded with strict MIME and nosniff rules to cut off “it looked like a script” shenanigans.
We removed brittle inline heredocs and replaced them with safe emission paths that survive quotes, newlines, and browser quirks.

Sanitized base URLs in every environment:
window.QHTL_SCRIPT and QHTL_BASE are sanitized so even stray line breaks won’t trigger a SyntaxError at the worst possible moment.
Regex gremlins? Evicted. We replaced HTML/regex extraction with DOM parsing and simple character scans. It’s not glamorous—it’s robust.

SRI manifest for UI assets:
Every CSS/JS asset gets a SHA‑256 fingerprint (asset_sri.json). If someone swaps a file behind your back, you’ll know, and a browser handed the matching integrity attribute will refuse to run it.

Deterministic packaging and checksums:
Tarballs are reproducible with SHA256 recorded in latest.json and inside premium 0.2.1. No “mystery bytes,” just consistent bits you can verify.

Security should be uncompromising and invisible. Here, it is.

Inline, not in your way: editors that feel modern

We turned “click-edit-save” into “press, edit, done”—with zero page reloads and no double‑posts:

Allow, Deny, Redirect, Config all save in place via AJAX.
Real submit buttons are back (no UI gaslighting): Save Allow / Save Deny / Save Redirect / Save Config.
We added submit guards to prevent double writes, with clear success fragments replacing the editor.
The backend save pipeline got industrial‑grade resilience:
Syswrite loops (no short writes), atomic temp‑file fallback, readback verification (digest + stat), and rich diagnostics when something is off.

Short version: you click Save. It actually saves. And if the filesystem throws a tantrum, we tell you exactly why and what happened.

Waterfall, re-plumbed: no more 404/undefined, no more gotchas

Waterfall used to occasionally launch you into /cgi/qhtlink/undefined. Not anymore.

We normalized form actions and methods across all inline editors.
Submit interception is scoped to inline containers (not global), so the main tabs/popups keep working.
After any Waterfall save, we auto‑arm the On bubble’s restart. If the widget isn’t mounted, we mount it. The UI is in charge, not the race condition.

Also: yes, we kept the blue water sheen and yes, the seasonal pumpkin returns in October (because admins deserve a smile).

The Firewall tab: counters that don’t blink “?” at you

We rebuilt counter logic to be predictable and resilient:

Allow/Deny counts and Temporary counts now handle HTML or empty responses gracefully.
If a response is malformed, we retry intelligently and preserve the last known good values.
Values are clamped, synchronized with server data attributes, and reflected consistently.
The “Tmp Allow” button got smart—long‑press gets you “Spec Deny” (SIPs), while single click does the expected thing. No surprises.

Translation: if your deny list has 9, the badge won’t suddenly display 93749273 because a parser stub tripped on a newline. We removed that entire class of error.

Tabs, popups, and navigation: scoped, safe, and stable

We caged global interceptors to inline containers only. That means:
Tabs and popups behave naturally again.
Hash‑only links are allowed to do their job (classic tabs and modal toggles work).
Options tab got alignment polish; the orange grid is centered and stays put even when inline content loads.

Small things? Sure. But small things add up when your hand is on the wheel all day.

Advanced: “Choose Version” where it belongs

We moved version selection into the Advanced section as an inline “Choose Version” control. No promotional popups, no cognitive overhead. It’s where admins expect it and behaves like the rest of the UI.

Platform integrations: WHM, TUI, and friends

WHM:
Banner and status surfaces are nonce‑safe and nosniff‑clean.
Lightweight APIs exist for start/stop/restart—UI smoothness backed by real endpoints.
TUI:
Dialog‑based terminal UI for edits, status, temp rules, and logs.
Respectful of screen size; feels like a modern CLI companion without the bloat.
Installers:
Idempotent setups, guarded service sequencing, and per‑platform paths covered.
Version is written to /etc/qhtlfirewall/version.txt, and we read it back everywhere consistently.

We kept compatibility paths—then smoothed the edges.

Packaging, artifacts, and auditability

Rebuilt artifacts for v0.2.1:
qhtlfirewall-0.2.1.tgz and canonical qhtlfirewall.tgz
SHA256 manifest and latest.json metadata with builtEpoch and commit SHA
Premium 0.2.1 directory includes the tgz, checksum, version.txt, and a clean changelog
“Deterministic” isn’t marketing here—run the build again, get the same thing (within timestamp tolerances). That’s how you maintain trust.

The Ice Flame arc: what we learned and shipped in 0.1.x

Between Ice Flame’s first spark and today, we shipped a lot of ground‑level hardening. Highlights:

Replaced inline handlers/styles with delegated bindings and proper CSS utilities.
Burned down fragile heredocs that could produce unescaped line breaks in JS.
Moved risky regex parsing to DOM or character scanning to prevent “unterminated literal” edge cases.
Built layered fallbacks:
If an inline fragment doesn’t show up, we parse body. If body fails, we show a compact, scrollable raw dump with explicit diagnostics. Silence is not acceptable.
Inline spacer/loader:
Stable height, no jitter, gradual fade-out, and a graceful fallback animation (the sword made it into the credits).
A lot of UI fit and finish:
Count badges with real numeric separation, hex buttons without glow overload, sane spacing, and predictable flows.

The point of Ice Flame wasn’t just features—it was laying down a hardened street for Berry Cloud to race on.

Backward compatibility and upgrades

No breaking changes in CLI or file formats.
Inline flows are sturdier, not different—and legacy flows remain accessible.
Upgrading is simple:
Replace the artifacts and verify their SHA256 against the value recorded in latest.json.
Ensure CSP allows nonced assets (no inline exceptions needed).
Validate Waterfall and Firewall behaviors—inline saves stay in place, counters remain sane.

You get safer defaults with no migration scavenger hunt.

A small chuckle for the admins-in-arms

Yes, we removed the regex gremlins, but we left the seasonal pumpkin. Yes, we clamped counters, but your Deny button still feels satisfyingly stern. And yes—when something goes off, we actually tell you what, where, and why. Because sometimes the best security improvement is simply knowing what just happened.

What’s next

Continued CSP tightening: SRI enforcement options and HTTP response hardening toggles.
More direct integrations for hosted environments.
Optional telemetry (opt‑in and anonymized) to proactively detect flaky environments or file persistence issues.

If there’s a specific platform or flow you want first-class treatment for, tell us. We’ve shown we’ll do the heavy lifting and make it feel native.

Thank you

To everyone who rode through Ice Flame’s refactors and trusted us to deliver: thank you. Berry Cloud is the clean slate we wanted—secure by default, calm under pressure, and properly documented. It’s the release you install when your future self has to audit the past.

Now go upgrade, enjoy the smooth inline saves, watch those counters behave, and maybe—just maybe—smile when October drops a tiny pumpkin on your On bubble.

Stay safe, stay curious, and keep the ports where you want them.