Commit Graph

9911 Commits

Author SHA1 Message Date
Rob Zolkos 21981898d2 Add JSON API for webhook deliveries (#2785)
* Add JSON API for webhook deliveries

* Extract sanitized_request method on Webhook::Delivery

* Extract response_summary method on Webhook::Delivery
2026-04-07 15:08:27 -04:00
dependabot[bot] f3bacffe2b Bump lexxy from 0.9.0.beta to 0.9.1.beta (#2796)
* Bump lexxy from 0.9.0.beta to 0.9.1.beta

Bumps [lexxy](https://github.com/basecamp/lexxy) from 0.9.0.beta to 0.9.1.beta.
- [Release notes](https://github.com/basecamp/lexxy/releases)
- [Commits](https://github.com/basecamp/lexxy/compare/v0.9.0.beta...v0.9.1.beta)

---
updated-dependencies:
- dependency-name: lexxy
  dependency-version: 0.9.1.beta
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Sync Gemfile.saas.lock

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-04-07 11:36:12 -07:00
dependabot[bot] b2021e1e74 Bump trilogy from 2.10.0 to 2.11.1 (#2794)
* Bump trilogy from 2.10.0 to 2.11.1

Bumps [trilogy](https://github.com/trilogy-libraries/trilogy) from 2.10.0 to 2.11.1.
- [Release notes](https://github.com/trilogy-libraries/trilogy/releases)
- [Changelog](https://github.com/trilogy-libraries/trilogy/blob/main/CHANGELOG.md)
- [Commits](https://github.com/trilogy-libraries/trilogy/compare/v2.10.0...v2.11.1)

---
updated-dependencies:
- dependency-name: trilogy
  dependency-version: 2.11.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Sync Gemfile.saas.lock

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-04-07 10:09:41 -07:00
dependabot[bot] dc6139a75e Bump sigstore/cosign-installer in the github-actions group (#2795)
Bumps the github-actions group with 1 update: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer).


Updates `sigstore/cosign-installer` from 4.1.0 to 4.1.1
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/ba7bc0a3fef59531c69a25acd34668d6d3fe6f22...cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-07 10:09:30 -07:00
dependabot[bot] adc1b02d7a Bump thruster from 0.1.19 to 0.1.20 (#2797)
* Bump thruster from 0.1.19 to 0.1.20

Bumps [thruster](https://github.com/basecamp/thruster) from 0.1.19 to 0.1.20.
- [Changelog](https://github.com/basecamp/thruster/blob/v0.1.20/CHANGELOG.md)
- [Commits](https://github.com/basecamp/thruster/compare/v0.1.19...v0.1.20)

---
updated-dependencies:
- dependency-name: thruster
  dependency-version: 0.1.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Sync Gemfile.saas.lock

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-04-07 10:08:59 -07:00
Rob Zolkos cdd13c1a61 Split API docs into per-resource sections under docs/api/ (#2793)
* Split docs/API.md into per-resource sections under docs/api/

* Move API endpoints index above authentication in docs/api/README.md

* Fix trailing comma in boards.md JSON example

* Fix trailing comma in cards.md, add Response label to identity.md, add Rich Text to endpoint index
2026-04-06 14:00:17 -04:00
Donal McBreen 00a5c6ef14 Merge pull request #2804 from basecamp/fix-account-destroy-cascade-gaps
Fix account destroy cascade gaps
2026-04-06 10:15:31 +01:00
Donal McBreen e51f0bfee7 Fix account destroy cascade gaps
Account incineration could leave orphaned records due to missing cascade
declarations and async jobs failing when the account was already gone.

Cascade fixes:
- Add Account::Searchable concern to clean up Search::Query (delete_all)
  and Search::Record (destroy_all, respects SQLite FTS dependent: :destroy)
- Add before_destroy in Account::Storage to delete storage entries
- Suppress storage entry recording during incineration so attachment
  purge callbacks don't create entries or enqueue materialize jobs
- Guard Access#clean_inaccessible_data_later with unless user.destroyed?
  to avoid enqueuing pointless jobs during user cascade

Job tenancy:
- Extract AccountTenanted concern from the global ActiveJob initializer
  into ApplicationJob (include) with targeted prepends for
  ActionMailer::MailDeliveryJob and Turbo broadcast jobs
- Defer account resolution from deserialize to perform so that missing
  accounts raise DeserializationError inside the execution path where
  discard_on can handle it

Tests:
- Comprehensive incineration test covering 35 model types with
  before/after assertions and full enqueued job processing
- Mailer deliver_later test verifying account context survives job
  serialization for multi-account users
- Turbo broadcast test verifying account-scoped URLs in rendered partials
2026-04-06 10:04:24 +01:00
Donal McBreen d9f176aeb0 Merge pull request #2803 from basecamp/fix-timezone-date-display
Fix timezone handling for day timeline and card dates
2026-04-06 09:27:49 +01:00
Donal McBreen 6d71385846 Fix timezone handling for day timeline and card dates
Revert beginningOfDay() to use local timezone methods — the UTC change
from #2790 caused cards created earlier the same day to show "yesterday"
for users in UTC-negative timezones after their local 7 PM.

Add Time.zone.name to day timeline fragment cache keys so
timezone-different renders don't collide.
2026-04-06 09:21:03 +01:00
Donal McBreen e1426af06c Merge pull request #2791 from basecamp/fix-export-column-colors
Fix export/import losing custom column colors
2026-04-03 10:08:37 +01:00
Donal McBreen b79c7897e6 Fix export/import losing custom column colors
record.to_json serializes through model accessors. Column::Colored
overrides the color accessor to return a Color struct, which serializes
as {"name":"Blue","value":"var(--color-card-default)"} instead of the
raw CSS string.

Two fixes:
- Export raw DB values via record.attributes.slice(*attributes).to_json
- Color.for_value parses legacy JSON format so columns imported from
  old exports self-heal when read
2026-04-03 10:05:11 +01:00
Donal McBreen 752237abab Merge pull request #2790 from basecamp/fix-utc-date-off-by-one
Fix off-by-one date display for UTC-negative timezone users
2026-04-03 09:06:46 +01:00
Donal McBreen c2d693fc9a Fix off-by-one date display for UTC-negative timezone users
beginningOfDay() used local timezone methods (getFullYear, getMonth,
getDate) to snap timestamps to midnight. Since the server sends UTC
timestamps, this caused day boundary calculations to be off by one
for users in UTC-negative timezones — cards created after UTC midnight
but before local midnight showed as "yesterday" instead of "today".

Switch to UTC methods (getUTCFullYear, getUTCMonth, getUTCDate) so day
boundaries are calculated consistently with the server's UTC timestamps.

Affects DaysAgoFormatter, DaysAgoOrWeekdayFormatter, TimeOrDateFormatter,
InDaysFormatter, and bubble controller stalled/entropy calculations.
2026-04-03 08:50:25 +01:00
Donal McBreen 7ab6b43e04 Merge pull request #2776 from basecamp/bearer-token-json-only
Restrict bearer token authentication to JSON requests
2026-04-01 09:14:05 +01:00
Donal McBreen b4c4a32205 Return 401 for bearer tokens on non-JSON requests
Rather than silently ignoring bearer tokens on HTML requests
(which breaks the audit console's error handling), explicitly
reject them with 401. Bearer tokens on JSON requests continue
to authenticate normally.
2026-04-01 09:09:00 +01:00
Donal McBreen 13e2c74929 Restrict bearer token authentication to JSON requests
Bearer tokens are for API/SDK/CLI access — they should only
authenticate JSON requests.
2026-04-01 08:55:04 +01:00
Donal McBreen d63801eae3 Merge pull request #2775 from basecamp/queenbee-account-callbacks
Implement Queenbee account callbacks
2026-04-01 08:09:25 +01:00
Donal McBreen 98d06947cb Implement Queenbee account callbacks
Add Account::QueenbeeIntegration concern (SaaS-only) that bridges
Fizzy's external_account_id to Queenbee's find_by_queenbee_id lookup,
and adapts the bang lifecycle methods to Fizzy's Cancellable module.

Remove dead billing conditional from cancellation mailer — Fizzy is
free-only, there's no charge to stop.
2026-03-31 15:14:49 +01:00
Jay Ohms e04182786c Merge pull request #2762 from basecamp/mobile/hide-profile-links
Mobile: hide profile links in native apps
2026-03-31 09:42:55 -04:00
Adrien Maston 7c3682ec93 Merge pull request #2773 from basecamp/mobile/fix-missing-golden-effect
Mobile / Fix missing golden effect
2026-03-30 16:44:46 +02:00
Adrien Maston a5cc2e8ab5 Change CSS selector 2026-03-30 16:38:32 +02:00
Adrien Maston f11bb18d93 Tweak alignments 2026-03-30 13:53:14 +02:00
Donal McBreen fed2996b7c Merge pull request #2772 from basecamp/provision-queenbee-secret
Provision QUEENBEE_SECRET env var
2026-03-30 11:25:20 +01:00
Donal McBreen 6a27853a58 Provision QUEENBEE_SECRET env var 2026-03-30 11:17:38 +01:00
dependabot[bot] 08faa17584 Bump action_text-trix from 2.1.17 to 2.1.18 (#2771)
* Bump action_text-trix from 2.1.17 to 2.1.18

Bumps [action_text-trix](https://github.com/basecamp/trix) from 2.1.17 to 2.1.18.
- [Release notes](https://github.com/basecamp/trix/releases)
- [Commits](https://github.com/basecamp/trix/compare/v2.1.17...v2.1.18)

---
updated-dependencies:
- dependency-name: action_text-trix
  dependency-version: 2.1.18
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Sync Gemfile.saas.lock

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-03-29 14:43:08 -07:00
dependabot[bot] 509d8d158f Bump the development-dependencies group with 2 updates (#2765)
* Bump the development-dependencies group with 2 updates

Bumps the development-dependencies group with 2 updates: [webmock](https://github.com/bblimke/webmock) and [mocha](https://github.com/freerange/mocha).


Updates `webmock` from 3.26.1 to 3.26.2
- [Release notes](https://github.com/bblimke/webmock/releases)
- [Changelog](https://github.com/bblimke/webmock/blob/master/CHANGELOG.md)
- [Commits](https://github.com/bblimke/webmock/compare/v3.26.1...v3.26.2)

Updates `mocha` from 3.0.2 to 3.1.0
- [Changelog](https://github.com/freerange/mocha/blob/main/RELEASE.md)
- [Commits](https://github.com/freerange/mocha/compare/v3.0.2...v3.1.0)

---
updated-dependencies:
- dependency-name: webmock
  dependency-version: 3.26.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: development-dependencies
- dependency-name: mocha
  dependency-version: 3.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

* Sync Gemfile.saas.lock

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-03-29 12:54:45 -07:00
Stanko Krtalić 0a96799fc7 Merge pull request #2758 from basecamp/fix-yubikeys-getting-stuck-on-sign-in
Fix yubikeys getting stuck on sign in
2026-03-27 10:17:09 +01:00
Stanko K.R. c2fe41d376 Fix sign in flow 2026-03-27 10:13:57 +01:00
Jay Ohms 3ccfb864db Hide the links to manage passkeys and sign out from the webview in the native apps 2026-03-27 04:41:43 -04:00
Mike Dalessio 6778f9e47d Merge pull request #2760 from basecamp/cache-control-bypass
Don't set public Cache-Control on proxied non-public blobs
2026-03-26 15:56:49 -04:00
Mike Dalessio 7446eed4e1 Add representation proxy public Cache-Control test 2026-03-26 15:38:27 -04:00
Mike Dalessio e12f3e3917 Add representation proxy Cache-Control test 2026-03-26 15:34:54 -04:00
Mike Dalessio 14e6832507 Add regression test for public blob Cache-Control 2026-03-26 15:22:21 -04:00
Mike Dalessio 628571fc79 Don't set public Cache-Control on proxied non-public blobs
Rails' ActiveStorage proxy controllers hardcode `http_cache_forever public: true`,
which sets `Cache-Control: public, immutable`. For non-public blobs behind auth,
this allows CDN caching that serves responses without authorization checks.

Override `http_cache_forever` in the Authorize concern to downgrade `public` to
`false` for non-public blobs.

See https://github.com/basecamp/fizzy/pull/2251 for context
2026-03-26 14:58:40 -04:00
Stanko K.R. 76d00d17c8 Abort conditional mediation when the button disconnects 2026-03-26 16:49:59 +01:00
Stanko K.R. 7ae219ab23 Make the duplicate key error message friendly 2026-03-26 16:00:02 +01:00
Stanko K.R. 9614c1ecfb Add a button to sign in with a passkey 2026-03-26 15:59:09 +01:00
Stanko Krtalić 09d5b8c92f Merge pull request #2756 from basecamp/friendly-error-message-on-duplicate-passkey
Show separate error message when adding a Passkey twice
2026-03-26 14:19:35 +01:00
Stanko Krtalić 527f2e07ff Merge pull request #2754 from basecamp/update-aws-gem
Update AWS SDK
2026-03-25 18:36:29 +01:00
Stanko K.R. 61580ec58f Update AWS SDK 2026-03-25 18:30:01 +01:00
Stanko Krtalić 01b4698e13 Merge pull request #2751 from basecamp/passkey-improvements
Passkey improvements
2026-03-25 18:19:09 +01:00
Stanko K.R. 6107d3cee1 Add margin ot error messages 2026-03-25 18:16:11 +01:00
Stanko K.R. 5820480c0c Update SAAS gemfile 2026-03-25 18:10:11 +01:00
Stanko K.R. 54cb1a140f Add a purpose to challanges 2026-03-25 17:57:37 +01:00
Stanko K.R. 37ff66d552 Fix gemfile drift 2026-03-25 17:42:27 +01:00
Stanko K.R. 01d66a9463 Change challange expiration based on purpose 2026-03-25 17:31:42 +01:00
Stanko K.R. 6ba1814f26 Update bcrypt and loofah 2026-03-25 17:30:39 +01:00
Stanko Krtalić dac4d9233c Merge pull request #2741 from basecamp/dependabot/bundler/aws-sdk-s3-1.216.0
Bump aws-sdk-s3 from 1.215.0 to 1.216.0
2026-03-25 17:28:50 +01:00
Stanko K.R. 5d0f52b57c Update as_json to return string keys 2026-03-25 17:26:50 +01:00