6770 Commits

Author SHA1 Message Date
Mike Dalessio 466b215ef8 Add SearchReindexJob to repopulate the search index (#2850)
Rebuilds search records for every published Card and every Comment on a
published Card. Intended for manual invocation after a search-index loss
event — not a recurring job.

Uses ActiveJob::Continuable so the work survives worker restarts and
resumes from the last-processed id. The job is idempotent.

Removes script/maintenance/reindex_stale_search_records.rb, which was
written against a different hypothesis (a date-cutoff backfill) and is
superseded by this unconditional repair job.
2026-04-16 19:40:02 -04:00
Mike Dalessio 9a27ca8b42 Scope clear_search_records to the account being destroyed (#2847)
Account::Searchable#clear_search_records called
Search::Record.for(id).destroy_all which deleted every row in the
shard's table, wiping search records belonging to every other account
that happened to hash to the same shard.

ref: https://3.basecamp.com/2914079/buckets/27/card_tables/cards/9782824728
2026-04-16 15:43:55 -04:00
Stanko K.R. f66fa886bc Return apostrophes to our preferred style 2026-04-15 17:31:10 +02:00
Rob Zolkos abd59567e3 Add indexed_by=maybe to cards (#2827)
* Add indexed_by=maybe to cards
2026-04-14 17:35:41 -04:00
Rob Zolkos bb54b859dc Add workflow column filtering to cards (#2787) 2026-04-14 13:14:14 -04:00
Stanko Krtalić 127156e23a Merge pull request #2829 from basecamp/remove-tag-attachable
Remove dead Tag::Attachable code and tags prompt
2026-04-10 09:05:48 +02:00
Mike Dalessio f3f9aec547 Fix missing partial when editing comments with @mentions (#2828)
Edge Rails introduced ActionText::Attachable#to_editor_content_attachment_partial_path
which defaults to to_partial_path ("users/user"). Override it in User::Mentionable to
delegate to to_attachable_partial_path ("users/attachable"), matching the existing
display rendering path.
2026-04-09 17:29:30 -04:00
Mike Dalessio 975b8998ef Remove ActionText::Attachable from Tag
Tag was never actually embedded as an action-text-attachment in
persisted rich text. It was only used in the Fizzy Do command prompt
input which was not stored. The data transfer tests happened to use Tag
as a convenient fixture — switch them to User, which is genuinely
attachable via mentions.
2026-04-09 17:17:29 -04:00
Mike Dalessio 151787a864 Remove dead Tag::Attachable code and tags prompt
The tags prompt was added for the Fizzy Do command system, but became
dead code when commands were removed in 89af9066. The commands_prompt
was cleaned up but tags_prompt was missed.

Remove the Tag::Attachable concern, Prompts::TagsController, its views
and route, and the tags_prompt helper. Tag still includes
ActionText::Attachable directly, which is needed by the data transfer
system.
2026-04-09 17:13:41 -04:00
Rob Zolkos e422d5b37e Add a JSON cards endpoint for workflow columns (#2800)
* Add JSON endpoint for cards in workflow columns

* Add cards URL to column JSON responses

* Add coverage for column cards authorization
2026-04-09 13:17:02 -04:00
Jorge Manrubia 1c6141c131 Update lexxy to 0.9.5.beta (#2820)
* Update lexxy to 0.9.5.beta

* Fix syntax highlight controller for lexxy 0.9.5.beta

The highlightAll export was renamed to highlightCode.

---------

Co-authored-by: Mike Dalessio <mike@37signals.com>
2026-04-09 13:06:59 -04:00
Rob Zolkos 69daae79f1 Add board membership read endpoint (#2799)
* Add board membership read endpoint

* Paginate board membership read endpoint
2026-04-09 12:54:25 -04:00
Mike Dalessio 3a30d7796f style: formalize preference for if/unless in rubocop (#2816) 2026-04-09 11:14:52 -04:00
Rob Zolkos 5e154a767f Allow bearer auth on Active Storage downloads 2026-04-08 14:37:24 -04:00
Zoltán Hosszú 0ef9c56bf5 Merge pull request #2811 from basecamp/lexxy-toolbar-fixes
Fix icon color and chevron size
2026-04-08 15:13:15 +02:00
Rob Zolkos 1975a04f14 Add JSON API support for email address changes (#2807) 2026-04-08 09:09:36 -04:00
Zoltan Hosszu d7040388fa Fix icon color and chevron size 2026-04-08 15:09:29 +02:00
Rob Zolkos d08aa11bfb Add JSON API support for timezone update (#2806)
* Add JSON API support for timezone update

* Simplify timezone controller to just head :no_content

* Use PUT instead of PATCH in timezone tests to match docs

* Use PATCH instead of PUT for timezone endpoint

Reverts tests to use patch and updates docs heading to PATCH
for consistency.
2026-04-08 08:41:34 -04:00
Rob Zolkos 6a71856b3d Add JSON activities API endpoint (#2783)
* Add JSON events API endpoint

* Add regression test for event particulars defaults

* Move JSON events API to a dedicated ActivitiesController

The events endpoint served both the HTML day timeline and the JSON API
feed, but the two paths shared no data or behavior — the HTML side uses
DayTimelinesScoped while the JSON side built its own query. Splitting
into ActivitiesController gives the API its own home at
GET /:account/activities.json without dragging in the timeline
before_actions.

Also preloads comment creator in Event.preloaded to avoid an N+1 when
rendering comment eventables in the JSON feed.
2026-04-08 08:39:36 -04:00
Rob Zolkos 2a4adf3a2b Add board settings fields to board JSON responses (#2788)
* Add board settings fields to board JSON responses

* Move public_description fields to board partial, gate on published

* Add index test for public_description fields on published boards

* Update app/views/boards/show.json.jbuilder

Prefer `unless` to `if !`

---------

Co-authored-by: Mike Dalessio <mike.dalessio@gmail.com>
2026-04-08 08:31:52 -04:00
Rob Zolkos 8201c2a4bd Add JSON API support for user data exports (#2786) 2026-04-08 08:17:24 -04:00
Rob Zolkos 21981898d2 Add JSON API for webhook deliveries (#2785)
* Add JSON API for webhook deliveries

* Extract sanitized_request method on Webhook::Delivery

* Extract response_summary method on Webhook::Delivery
2026-04-07 15:08:27 -04:00
Donal McBreen e51f0bfee7 Fix account destroy cascade gaps
Account incineration could leave orphaned records due to missing cascade
declarations and async jobs failing when the account was already gone.

Cascade fixes:
- Add Account::Searchable concern to clean up Search::Query (delete_all)
  and Search::Record (destroy_all, respects SQLite FTS dependent: :destroy)
- Add before_destroy in Account::Storage to delete storage entries
- Suppress storage entry recording during incineration so attachment
  purge callbacks don't create entries or enqueue materialize jobs
- Guard Access#clean_inaccessible_data_later with unless user.destroyed?
  to avoid enqueuing pointless jobs during user cascade

Job tenancy:
- Extract AccountTenanted concern from the global ActiveJob initializer
  into ApplicationJob (include) with targeted prepends for
  ActionMailer::MailDeliveryJob and Turbo broadcast jobs
- Defer account resolution from deserialize to perform so that missing
  accounts raise DeserializationError inside the execution path where
  discard_on can handle it

Tests:
- Comprehensive incineration test covering 35 model types with
  before/after assertions and full enqueued job processing
- Mailer deliver_later test verifying account context survives job
  serialization for multi-account users
- Turbo broadcast test verifying account-scoped URLs in rendered partials
2026-04-06 10:04:24 +01:00
Donal McBreen 6d71385846 Fix timezone handling for day timeline and card dates
Revert beginningOfDay() to use local timezone methods — the UTC change
from #2790 caused cards created earlier the same day to show "yesterday"
for users in UTC-negative timezones after their local 7 PM.

Add Time.zone.name to day timeline fragment cache keys so
timezone-different renders don't collide.
2026-04-06 09:21:03 +01:00
Donal McBreen b79c7897e6 Fix export/import losing custom column colors
record.to_json serializes through model accessors. Column::Colored
overrides the color accessor to return a Color struct, which serializes
as {"name":"Blue","value":"var(--color-card-default)"} instead of the
raw CSS string.

Two fixes:
- Export raw DB values via record.attributes.slice(*attributes).to_json
- Color.for_value parses legacy JSON format so columns imported from
  old exports self-heal when read
2026-04-03 10:05:11 +01:00
Donal McBreen c2d693fc9a Fix off-by-one date display for UTC-negative timezone users
beginningOfDay() used local timezone methods (getFullYear, getMonth,
getDate) to snap timestamps to midnight. Since the server sends UTC
timestamps, this caused day boundary calculations to be off by one
for users in UTC-negative timezones — cards created after UTC midnight
but before local midnight showed as "yesterday" instead of "today".

Switch to UTC methods (getUTCFullYear, getUTCMonth, getUTCDate) so day
boundaries are calculated consistently with the server's UTC timestamps.

Affects DaysAgoFormatter, DaysAgoOrWeekdayFormatter, TimeOrDateFormatter,
InDaysFormatter, and bubble controller stalled/entropy calculations.
2026-04-03 08:50:25 +01:00
Donal McBreen b4c4a32205 Return 401 for bearer tokens on non-JSON requests
Rather than silently ignoring bearer tokens on HTML requests
(which breaks the audit console's error handling), explicitly
reject them with 401. Bearer tokens on JSON requests continue
to authenticate normally.
2026-04-01 09:09:00 +01:00
Donal McBreen 13e2c74929 Restrict bearer token authentication to JSON requests
Bearer tokens are for API/SDK/CLI access — they should only
authenticate JSON requests.
2026-04-01 08:55:04 +01:00
Donal McBreen d63801eae3 Merge pull request #2775 from basecamp/queenbee-account-callbacks
Implement Queenbee account callbacks
2026-04-01 08:09:25 +01:00
Donal McBreen 98d06947cb Implement Queenbee account callbacks
Add Account::QueenbeeIntegration concern (SaaS-only) that bridges
Fizzy's external_account_id to Queenbee's find_by_queenbee_id lookup,
and adapts the bang lifecycle methods to Fizzy's Cancellable module.

Remove dead billing conditional from cancellation mailer — Fizzy is
free-only, there's no charge to stop.
2026-03-31 15:14:49 +01:00
Jay Ohms e04182786c Merge pull request #2762 from basecamp/mobile/hide-profile-links
Mobile: hide profile links in native apps
2026-03-31 09:42:55 -04:00
Adrien Maston a5cc2e8ab5 Change CSS selector 2026-03-30 16:38:32 +02:00
Adrien Maston f11bb18d93 Tweak alignments 2026-03-30 13:53:14 +02:00
Stanko K.R. c2fe41d376 Fix sign in flow 2026-03-27 10:13:57 +01:00
Jay Ohms 3ccfb864db Hide the links to manage passkeys and sign out from the webview in the native apps 2026-03-27 04:41:43 -04:00
Stanko K.R. 76d00d17c8 Abort conditional mediation when the button disconnects 2026-03-26 16:49:59 +01:00
Stanko K.R. 9614c1ecfb Add a button to sign in with a passkey 2026-03-26 15:59:09 +01:00
Stanko Krtalić 09d5b8c92f Merge pull request #2756 from basecamp/friendly-error-message-on-duplicate-passkey
Show separate error message when adding a Passkey twice
2026-03-26 14:19:35 +01:00
Stanko K.R. 6107d3cee1 Add margin ot error messages 2026-03-25 18:16:11 +01:00
Stanko K.R. 01d66a9463 Change challange expiration based on purpose 2026-03-25 17:31:42 +01:00
Stanko K.R. 693415bc71 Rename request options to authentication options 2026-03-25 17:26:49 +01:00
Stanko K.R. df7c2678f3 Rename create_options to registration_options 2026-03-25 17:26:49 +01:00
Stanko K.R. 8e4f9ce5e7 Cleanup form helpers 2026-03-25 17:26:49 +01:00
Stanko K.R. 4fb1cddb4c Use WebComponents for buttons
This simplifies the loading and cleanup logic, while providing ubiquitous support across JS frameworks. Buttons can now be added in any way imaginable and still work without requiring additional initialization. The upside of this aproach is that it doesn't require a mutation observer nor a global click listener, and is supported by all browsers that also support passkeys.
2026-03-25 17:26:49 +01:00
Sean Mitchell 4b4454de89 Update colophon icons 2026-03-24 13:32:39 -07:00
Jason Fried 2c60ddb7c7 Added Basecamp + HEY icons/links 2026-03-24 12:12:33 -07:00
Stanko K.R. 134a533e28 Fix Passkey buttons not triggering sometimes 2026-03-24 14:36:52 +01:00
Andy Smith 7632802f18 Merge pull request #2682 from nqst/delete-account-improvements
Delete account: design improvements
2026-03-23 09:38:23 -05:00
Stanko K.R. 49fbb82676 Permit variant records in imports 2026-03-23 12:30:40 +01:00
Zacharias Knudsen 6808250c8f Merge pull request #2745 from basecamp/excert-truncation
Pre-truncate excerpt before running replacement regexes
2026-03-23 10:24:58 +01:00