Commit Graph

7427 Commits

Author SHA1 Message Date
Mike Dalessio 09366fc949 style: rubocop fix 2025-11-27 12:34:31 -05:00
Mike Dalessio 198e404eb0 Avoid N+1 on account and board settings pages 2025-11-27 11:44:16 -05:00
Mike Dalessio 50fe973105 Remove N+1 on the cards board. 2025-11-27 11:30:54 -05:00
Mike Dalessio 0ab3aaca72 Preload Event to avoid N+1s on the timeline 2025-11-27 11:27:10 -05:00
Mike Dalessio 79c9ea2ce1 Remove a bunch of N+1s
related to notification and comment rendering
2025-11-27 11:08:45 -05:00
Mike Dalessio b78977f563 Make db/seeds.rb rerunnable when I want to add more cards. 2025-11-27 10:46:48 -05:00
Mike Dalessio afcd2a6132 Merge pull request #1736 from basecamp/flavorjones/improve-agents.md
Improve AGENTS.md with some loki suggestions
2025-11-27 08:47:42 -05:00
Jorge Manrubia 30ad851a77 Merge pull request #1743 from basecamp/refreshes
Prevent Fizzy menu from closing on page refreshes
2025-11-27 07:13:06 +01:00
Jorge Manrubia 5e23e6c3d3 Prevent Fizzy menu from closing on page refreshes
https://app.fizzy.do/5986089/cards/3190
2025-11-27 07:07:27 +01:00
Mike Dalessio a556fe9f8c Merge pull request #1741 from basecamp/flavorjones/fix-gitleaks-recursion
Rename bin/gitleaks to gitleaks-audit
2025-11-26 21:37:46 -05:00
Mike Dalessio f0b2603ba4 Rename bin/gitleaks to gitleaks-audit
to prevent script recursion if bin is in user's $PATH
2025-11-26 21:36:01 -05:00
Mike Dalessio e8671d11fa Improve AGENTS.md with some loki suggestions
Suggested by Claude after I yelled at it when it was using string
matching instead of the structured fields.
2025-11-26 17:48:37 -05:00
Mike Dalessio a83735d434 Merge pull request #1737 from basecamp/flavorjones/gitleaks
Introduce gitleaks to the codebase
2025-11-26 15:55:34 -05:00
Mike Dalessio 7f46063c25 Introduce gitleaks to the codebase
- `bin/setup` installs gitleaks
- add `gitleaks dir` command to CI
- configure gitleaks to ignore tmp, log, and encrypted files
- tag existing false positives with `gitleaks:allow`
- add historical false positives to the ignore list
2025-11-26 15:46:47 -05:00
Mike Dalessio 1534485477 Merge pull request #1735 from basecamp/flavorjones/simplify-current-with-account
Simplify Current.with_account and .without_account
2025-11-26 12:32:23 -05:00
Mike Dalessio 9446bc18d2 Simplify Current.with_account and .without_account
Co-authored-by: Jeffrey Hardy <jeff@37signals.com>
2025-11-26 12:31:49 -05:00
Jason Zimdars a9bb534d86 Merge pull request #1734 from basecamp/reactions-polish
Reactions polish
2025-11-26 11:31:37 -06:00
Jason Zimdars e26845709a Disable focus ring 2025-11-26 11:24:13 -06:00
Jason Zimdars 9ca4cda5e4 Larger emojis in picker, fit on narrow viewports 2025-11-26 11:13:18 -06:00
Rosa Gutierrez 3e716bfa26 Fix a couple of typos 2025-11-26 13:16:44 +01:00
Donal McBreen 9c08f68884 Merge pull request #1669 from basecamp/sqlite
Sqlite
2025-11-26 10:32:09 +00:00
Donal McBreen 761f86d78d Revert unnecessary fixture change 2025-11-26 10:30:02 +00:00
Donal McBreen 18fa877882 Switch to a pool size of 5 2025-11-26 10:27:06 +00:00
Donal McBreen a5fc6eeaec Update SQLite schema 2025-11-26 10:18:55 +00:00
Donal McBreen c4498212dc Merge branch 'main' into sqlite
* main: (116 commits)
  Ensure avatar thumbnails are square
  Update useragent to recognize twitterbot/facebot
  Add defensive styles for non-square avatar images
  Update test for copy changes
  Missed commit
  AI: standardize on https://agents.md
  Make it clear this is just notifications, not comprehensive activity
  AI: configure MCP servers for Chrome, Grafana, and Sentry (#1727)
  Allow requests from Google Image Proxy
  Update to basecamp's useragent fork
  Clean up a little bit the CSRF reporting code
  Claude: production observability guidance (#1725)
  Prevent autoscroll to the root columns container to prevent jump on page load
  Include full name string so you can type your name to filter
  Prioritize current user and assigned users in assignment dropdown
  Check and report on Sec-Fetch-Site header for forgery protection
  bundle update
  Bump bootsnap from 1.18.6 to 1.19.0
  Bump rails from `077c3ad` to `17f6e00`
  Fix cards getting stuck in edit mode
  ...
2025-11-26 10:07:41 +00:00
Donal McBreen b839340cf2 Tidy up modules and on_load points 2025-11-26 10:02:32 +00:00
Donal McBreen 9c86205510 Enforce SQLite column limits via CHECK constraints
Patch the sqlite adapter to add CHECK constraints for string and text
column limits. We'll do them inline, so that any column changes
automatically update the constraints.
2025-11-26 09:50:29 +00:00
Kevin McConnell e7d716c0f1 Merge pull request #1731 from basecamp/avatar-thumb-aspect-ratio
Ensure avatar thumbnails are square
2025-11-26 09:30:33 +00:00
Kevin McConnell ca5065a378 Ensure avatar thumbnails are square
Previously we were fitting the image inside a 256x256 box while keeping
it's original aspect ratio. But this can lead to images that are
squished and/or pixelated when we try to show them inside a square
container in the app.

Instead we can resize them to be square.
2025-11-26 09:21:46 +00:00
Mike Dalessio e1d356d063 Merge pull request #1730 from basecamp/flavorjones/twitterbot-facebot
Update useragent to recognize twitterbot/facebot
2025-11-25 18:09:56 -05:00
Mike Dalessio 60e1751cac Update useragent to recognize twitterbot/facebot
This UA was pulled from our logs.

ref: https://app.fizzy.do/5986089/cards/1775
2025-11-25 18:05:21 -05:00
Jason Zimdars abbf226c3a Merge pull request #1729 from basecamp/avatar-bulletproofing
Add defensive styles for non-square avatar images
2025-11-25 16:56:02 -06:00
Jason Zimdars d825447e6b Add defensive styles for non-square avatar images 2025-11-25 16:51:07 -06:00
Mike Dalessio 64a39b3139 Merge pull request #1726 from basecamp/flavorjones/better-useragent-behavior
Allow requests from Google Image Proxy
2025-11-25 17:15:38 -05:00
Jason Zimdars 9a8905dbc1 Merge pull request #1728 from basecamp/update-bundle-mailer
Make it clear this is just notifications, not comprehensive activity
2025-11-25 16:12:13 -06:00
Jason Zimdars 88765f5244 Update test for copy changes 2025-11-25 16:10:34 -06:00
Jeremy Daer 426420a406 Missed commit 2025-11-25 14:10:26 -08:00
Jeremy Daer 62fb1a46af AI: standardize on https://agents.md 2025-11-25 14:09:53 -08:00
Jason Zimdars 154cbf0cde Make it clear this is just notifications, not comprehensive activity 2025-11-25 16:08:11 -06:00
Jeremy Daer 92199c4ae7 AI: configure MCP servers for Chrome, Grafana, and Sentry (#1727) 2025-11-25 13:33:07 -08:00
Jason Zimdars 14650df246 Merge pull request #1723 from basecamp/fix-scroll-jump
Prevent autoscroll to the columns container to remove jump on page load
2025-11-25 15:31:26 -06:00
Mike Dalessio b767d6edcb Allow requests from Google Image Proxy
which should fix email notifications' avatars rendering as broken
images in GMail.

ref: https://app.fizzy.do/5986089/cards/1740
2025-11-25 16:26:15 -05:00
Mike Dalessio 0bf62ba4cf Update to basecamp's useragent fork
and assert it's working by testing for Baidu
2025-11-25 16:18:23 -05:00
Rosa Gutierrez fac9f3c369 Clean up a little bit the CSRF reporting code
Small follow-up to https://github.com/basecamp/fizzy/pull/1721
2025-11-25 21:28:50 +01:00
Jeremy Daer 525efb2de8 Claude: production observability guidance (#1725) 2025-11-25 12:23:01 -08:00
Jorge Manrubia ca10e4ba4e Prevent autoscroll to the root columns container to prevent jump on page load
https://app.fizzy.do/5986089/cards/3160
2025-11-25 21:01:18 +01:00
Mike Dalessio 396c1ffdcf Merge pull request #1722 from basecamp/fwt-user-list-improvement
Prioritize current user and assigned users in assignment dropdown
2025-11-25 14:36:14 -05:00
Jason Zimdars 3d429c1dea Include full name string so you can type your name to filter 2025-11-25 13:19:33 -06:00
Mike Dalessio 3811088db3 Prioritize current user and assigned users in assignment dropdown
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-25 13:46:14 -05:00
Rosa Gutierrez d88949288c Check and report on Sec-Fetch-Site header for forgery protection
This is a great, solid alternative to CSRF tokens for CSRF protection
when we aren't worried about older browsers or other kind of actors
doing modifying requests in our app, and could be a good test for future
upstreaming to Rails (although there we'd need to continue using CSRF
tokens or at least letting people opt out manually).

Let's start checking the header and reporting on it when CSRF fails or
when it doesn't match the other checks Rails does, and then promote this
to be the only way to defend from CSRF.
2025-11-25 19:19:50 +01:00