81 Commits

Author SHA1 Message Date
Mike Dalessio 466b215ef8 Add SearchReindexJob to repopulate the search index (#2850)
Rebuilds search records for every published Card and every Comment on a
published Card. Intended for manual invocation after a search-index loss
event — not a recurring job.

Uses ActiveJob::Continuable so the work survives worker restarts and
resumes from the last-processed id. The job is idempotent.

Removes script/maintenance/reindex_stale_search_records.rb, which was
written against a different hypothesis (a date-cutoff backfill) and is
superseded by this unconditional repair job.
2026-04-16 19:40:02 -04:00
Donal McBreen e51f0bfee7 Fix account destroy cascade gaps
Account incineration could leave orphaned records due to missing cascade
declarations and async jobs failing when the account was already gone.

Cascade fixes:
- Add Account::Searchable concern to clean up Search::Query (delete_all)
  and Search::Record (destroy_all, respects SQLite FTS dependent: :destroy)
- Add before_destroy in Account::Storage to delete storage entries
- Suppress storage entry recording during incineration so attachment
  purge callbacks don't create entries or enqueue materialize jobs
- Guard Access#clean_inaccessible_data_later with unless user.destroyed?
  to avoid enqueuing pointless jobs during user cascade

Job tenancy:
- Extract AccountTenanted concern from the global ActiveJob initializer
  into ApplicationJob (include) with targeted prepends for
  ActionMailer::MailDeliveryJob and Turbo broadcast jobs
- Defer account resolution from deserialize to perform so that missing
  accounts raise DeserializationError inside the execution path where
  discard_on can handle it

Tests:
- Comprehensive incineration test covering 35 model types with
  before/after assertions and full enqueued job processing
- Mailer deliver_later test verifying account context survives job
  serialization for multi-account users
- Turbo broadcast test verifying account-scoped URLs in rendered partials
2026-04-06 10:04:24 +01:00
Rosa Gutierrez dbfb141b6f Restore PushNotificationJob as shim for in-flight jobs during deploy
In-flight jobs queued before deploy would fail if the old class is
missing. This shim delegates to the new notification.push method.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-25 19:31:13 +01:00
Rosa Gutierrez 3621df8f0f Consolidate push jobs into single Notification::PushJob
Replace separate WebPushJob and NativePushJob with a single PushJob
that calls notification.push, which iterates over registered targets.
Each target handles its own delivery - Web pushes synchronously via
the pool, Native enqueues device-level jobs via deliver_later_to.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-25 19:31:13 +01:00
Rosa Gutierrez b5205ce6b2 Rename Push to PushTarget for better readability
PushTarget#push reads more naturally than Push#push. The push target
is the thing that pushes notifications to a specific destination.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-25 19:31:13 +01:00
Rosa Gutierrez 05819f84a2 Refactor notification push system with registry pattern
Replace NotificationPusher with a cleaner architecture:

- Add Notification::Pushable concern with push target registry
- Add Notification::Push base class with template methods
- Add Notification::Push::Web for web push (OSS)
- Add Notification::Push::Native for native push (SaaS)
- Add Notification::WebPushJob and Notification::NativePushJob

Key design:
- Registry pattern: Notification.register_push_target(:web)
- Template method: push calls should_push? then perform_push
- Subclasses override should_push? (with super) and perform_push
- Each target handles its own job enqueueing

Also:
- Add Notification#pushable? for checking push eligibility
- Add Notification#identity delegation to user
- Reorganize tests to match new class structure

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Tidy up saas engine a bit more
2026-02-25 19:31:13 +01:00
Stanko K.R. ffce51a42f Ignore faulty ZIP files 2026-02-03 14:04:54 +01:00
Stanko K.R. 5c929238b7 Rename jobs 2026-02-02 18:22:07 +01:00
Stanko K.R. 54a7ecea98 Fail the import if the check fails 2026-02-02 13:33:06 +01:00
Stanko K.R. a6609e1bbc Add test got the import job 2026-02-02 13:03:26 +01:00
Stanko K.R. 27c73ff42b Rename validate to check
Validate is an ActiveModel method, overriding it could have unintended side-effects so I opted to rename it
2026-02-02 12:36:48 +01:00
Stanko K.R. f50d6d093d Implement cursors for imports 2026-02-02 12:36:48 +01:00
Stanko K.R. 00c5f7feab Break import and export objects into record sets 2026-02-02 12:36:48 +01:00
Stanko K.R. 19ae555c2e Convert Account::SingleUserExport to User::DataExport 2026-02-02 12:36:48 +01:00
Stanko K.R. 161efb0b8e Implement basic imports 2026-02-02 12:36:48 +01:00
Stanko K.R. 8953920652 Implement full account exports 2026-02-02 12:36:48 +01:00
Rosa Gutierrez ee636f1994 Delete orphaned watches and pins when a card is moved to a private board
For watchers and users with pins that don't have access to the private
board where the card was moved to.
2026-01-14 19:38:15 +01:00
Stanko Krtalić eceb6c9b43 Add self-service account deletion (#2246)
* Add self-service account deletion

* Disable access to cancelled accounts & implement Stripe interactions

* Add tests

* Fix failing tests

* Remove cancelled accounts from lists

* Fix incorrect redirect

* Use _path instead of _url for consistency

* Don't track how far the inicieration job got

We still want the step tracking so that the job can be interrupted. But, since the scope is idempotent, we don't need to track how far it got.

* Specify the exact time when the data will be deleted

* Fix crash due to unadvancable cursor

* Rename up_for_incineration to due_for_incineration

* Regenrate the schema

* Fix incorrect path check

* Migrate the SQLite schema

* Only show the cancel button on cancellable accounts

* Check that a subscirption method exists before calling it

* Ignore job failures due to missing records when an account gets deleted

* Skip sending notifications on cancelled accounts

* Use collbacks to integrate

* Add a blank line between queue_as and discard_on

* Break checks into methods

* Inline methods

* Rename Account::IncinerateJob

* Run migrations

* Migrate SQLite
2026-01-12 14:21:05 +01:00
Jeremy Daer bd6c1cf34f Storage: harden reconcile for concurrent writes and fix board transfer (#2096)
* Storage: harden reconcile for concurrent writes and fix board transfer

Reconcile now uses two-cursor approach: captures cursor before and after
the storage scan, aborting if they differ (entries added during scan).
Job retries 3x with 1-minute waits and limits concurrency to 1 per owner.

Board transfer now correctly moves storage for card description embeds
and comment embeds, not just direct attachments. Uses batched queries
to handle cards with thousands of comments efficiently.

Also fixes N+1 queries in attachment grouping via lookup maps.

* Storage: fix per-attachment reconcile and enforce no blob reuse

The storage ledger tracks per-attachment (not per-blob) as a business
abstraction for quotas. This fixes reconcile to match that model and
adds enforcement to prevent blob reuse in tracked contexts.

* Reconcile now uses joins(:blob).sum() for per-attachment counting
* New validation prevents reusing blobs across tracked attachments
* Race-safe storage_total creation with create_or_find_by
* Job efficiency: skip find_by when object already available
* Backfill script checks per-attachment, not just per-blob
2025-12-19 13:07:32 -08:00
Jeremy Daer 5d181af391 Storage: ignore jobs for now-deleted targets 2025-12-10 20:13:19 -08:00
Jeremy Daer 761d0b4a76 Speedy, auditable, deadlock-resistant storage tracking (#2026)
An append-only storage ledger replaces deadlock-prone synchronous
counter updates and drift-prone async updates.

All content storage (card images, card/comment/board description embeds)
is tracked. Account exports (which expire) and avatars are not tracked.

Storage is accounted for by Account and Board. Both consume the same
event stream independently: no bubble-up storage bumps triggering
deadlocks due to lock sequencing. Each calculates its own total from
the underlying ledger with independent cursors and materialization.

* Storage::Entry: Append-only ledger recording attach/detach/transfer
  events with delta bytes. Single event stream indexed for both
  Account and Board cursor queries.

* Storage::Total: Polymorphic snapshot cache with cursor (last_entry_id)
  tracking which entries have been materialized.

* Storage::Totaled concern: Provides bytes_used (fast snapshot) and
  bytes_used_exact (snapshot + pending) query modes, plus
  materialize_storage! to roll up pending entries.

* Storage::Tracked concern: For models owning attachments (Card,
  Comment, Board). Provides board_for_storage_tracking for models
  where board is determined differently (Board returns self).
  Handles board transfers by recording transfer_out/transfer_in entries.

* Storage::AttachmentTracking: Hooks ActiveStorage::Attachment lifecycle
  to record attach/detach entries. Handles ActionText::RichText embeds
  by traversing to the actual model. Snapshots context in before_destroy
  to handle cascading deletes where parent record may be gone by
  after_destroy_commit.

* MaterializeJob: Rolls up pending entries into snapshot. Concurrency
  limited per owner to prevent duplicate work.

* ReconcileJob: On-demand reconciliation against actual attachment
  storage for support/debugging. Compares ledger total to real bytes
  from card images, card embeds, comment embeds, and board embeds.

Usage:
* account.bytes_used / board.bytes_used: fast, slightly stale bytesize
* account.bytes_used_exact / board.bytes_used_exact: real-time bytesize
* Storage::Entry: audit trail for debugging and point-in-time queries
2025-12-10 16:04:30 -08:00
Mike Dalessio c4a8996562 Retry mailer jobs on common networking and SMTP errors
This concern is lifted nearly verbatim from Basecamp.

ref: https://app.fizzy.do/5986089/cards/3300
2025-12-04 10:26:24 -05:00
Kevin McConnell e16cc21b0a Add "data export" feature
- Adds a button in Account Settings where you can request a ZIP export of your
  Fizzy data
- Export files are created in the background. When ready, a link to
  download them is sent to the requester.
- Exports expire after 24 hours. And are limited to 10 per day.
2025-12-01 15:23:26 +00:00
Stanko K.R. e0693de7c3 Scope jobs and controllers by account 2025-11-17 09:12:41 -05:00
Mike Dalessio 4d3c265042 Rip out activerecord-tenanting
Co-authored-by: Stanko K.R. <stanko@stanko.io>
2025-11-17 09:11:35 -05:00
Jorge Manrubia 39ec6cf062 Replace collection with board in the code, tests green 2025-11-05 13:41:12 +01:00
Jorge Manrubia 03a345609e Baseline replacing collection with board across code 2025-11-05 13:31:54 +01:00
Jorge Manrubia 9d4dd3b00e Remove "save as draft"
Removes the creating status completely as well as the abandoned cards system. It will
always resume drafts if they exist, for a given collection and user.

https://app.box-car.com/5986089/cards/2489
2025-11-03 09:32:29 +01:00
David Heinemeier Hansson 966aa51a37 Get rid of unnecessary touch jobs
touch_all on 10K cards took 6ms in testing
2025-11-02 14:15:53 +01:00
Jorge Manrubia 6cfc0978a4 Columns touch the cards when the name/color changes 2025-10-31 10:40:45 +01:00
Jorge Manrubia aa1ffb3357 Remove AI summaries and semantic searches
We were not using either. We can restore if we revisit.
2025-10-29 11:55:32 +01:00
Mike Dalessio 57ec1d1d99 Retry RubyLLM jobs on RubyLLM::ForbiddenError
ref: https://fizzy.37signals.com/5986089/cards/2574
2025-10-28 09:44:03 -04:00
Jorge Manrubia 9317a82570 Remove Fizzy Ask
Since we are not going to ship it
2025-10-27 14:45:30 +01:00
Jorge Manrubia 392bdae316 Rename highlights -> summary 2025-10-25 20:06:57 +02:00
Jason Zimdars f5384baf63 Boxcar -> BOXCAR 2025-10-23 15:05:36 -07:00
Jason Zimdars 49e87310d7 Rename Fizzy, Boxcar 2025-10-22 13:42:41 -07:00
Mike Dalessio 3e54b7e655 backups: sweep them into "/backups" if it exists
and delete any backups older than our data retention policy

ref: https://3.basecamp.com/2914079/buckets/37331921/todos/9175385847
2025-10-14 16:07:49 -04:00
Mike Dalessio 63458ceb87 Fix SQLiteBackupsJob to work with AR::Tenanted v0.5.0
ref: https://github.com/basecamp/activerecord-tenanted/pull/215
2025-10-13 08:47:16 -04:00
Jorge Manrubia a629418eed Discard when the record was deleted
https://fizzy.37signals.com/5986089/cards/2068
2025-09-30 08:27:18 +02:00
Jorge Manrubia ea03116ad0 Remove unused job 2025-09-29 18:53:01 +02:00
Jorge Manrubia 2f6a639682 Prepare entropy code for the new auto postpone approach 2025-09-24 16:22:42 +02:00
Stanko K.R. fee25a49ea Periodically cleanup deliveries 2025-09-16 20:04:20 +02:00
Stanko K.R. 5e4d15d802 Remove concurrency limit
It won't be useful in practice for now, and we can always put it back in if the need arises
2025-09-16 20:04:20 +02:00
Stanko K.R. 5c6cad057f Extract triggering logic into a concern 2025-09-16 20:03:57 +02:00
Stanko K.R. 9d717239e7 Dispatch Webhooks on event creation 2025-09-16 20:03:57 +02:00
Stanko K.R. a515ea3b1f Create webhooks 2025-09-16 20:03:55 +02:00
Jorge Manrubia 7f7ecf0346 Delete notifications when the user loses access to the collection 2025-09-10 10:24:20 +02:00
Jorge Manrubia b8630bdb24 Cron jobs must process all the tenants 2025-09-02 11:35:53 +02:00
Jorge Manrubia 5b68750713 Generate weekly highlights instead of daily ones
https://3.basecamp.com/2914079/buckets/37331921/todos/9010176047
2025-09-01 16:01:19 +02:00
Jorge Manrubia a9444caf1f Add a "backend" queue with less priorities for deliveries 2025-08-29 09:39:48 +02:00