* main:
Update Rails
Ignore hotkeys with modifiers
Fix 1Password account ID (was user UUID) (#2278)
Switch 1Password account to 37signals.1password.com (#2276)
Remove CSS testing comments
Max card count equals geared pagination size
Block IPv4-compatible IPv6 addresses in SSRF protection (#2273)
Only enable transitions on user interaction
Don't update counter if value hasn't changed
* main: (63 commits)
Ignore hotkeys with modifiers
Fix 1Password account ID (was user UUID) (#2278)
Switch 1Password account to 37signals.1password.com (#2276)
Remove CSS testing comments
Max card count equals geared pagination size
Block IPv4-compatible IPv6 addresses in SSRF protection (#2273)
Only enable transitions on user interaction
Don't update counter if value hasn't changed
Add padding to upgrade message on larger screens
Add test coverage for autolinking multiple URLs
Add "noopener" to autolinks' rel attribute
Avoid string manipulation when autolinking.
Only bump z-index when nav is open
Move nav and related elements above footer
Delete Dockerfile.dev
fix: use the right gh-cli arch package (#2232)
Bump actions/attest-build-provenance from 3.0.0 to 3.1.0 (#2257)
Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 (#2256)
Consider user avatars always public
Implement authorization for Active Storage endpoints
...
* main: (55 commits)
Add padding to upgrade message on larger screens
Add test coverage for autolinking multiple URLs
Add "noopener" to autolinks' rel attribute
Avoid string manipulation when autolinking.
Only bump z-index when nav is open
Move nav and related elements above footer
Delete Dockerfile.dev
fix: use the right gh-cli arch package (#2232)
Bump actions/attest-build-provenance from 3.0.0 to 3.1.0 (#2257)
Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 (#2256)
Consider user avatars always public
Implement authorization for Active Storage endpoints
Update documentation
Expose the card ID and URL on comments
Don't run application recurring jobs in betas
This link is reduntant if you're over the limits
Add obvious upgrade button when you're out of storage
Internaly only view
Target comment elements more precisely
Better name for helper method
...
* main: (318 commits)
Document the new sign in method
Replace handle_ naming
Use same constant for fake magic links
Replace FakeMagicLink with a temporary object
Tidy up session_token
Clean up interfaces
Split tests by controller or responsibility
Simplify auth logic
Fix due to unit test when creating with invalid emails
Restore sessions_controller test on creating invalid email address
Move magic link api tests to their own files
Rename test to clarify what they're about
Cleanup session creation
Update to always return a pending auth token for JSON responses.
Update API test for cross code
Change test expectation on single tenant mode account creation
Add unit tests for the new endpoints
Pass a server token when creating a magic link via API
Simplify code a bit
Simplify session create logic for both html and json
...
* main: (107 commits)
Document the new sign in method
Replace handle_ naming
Use same constant for fake magic links
Replace FakeMagicLink with a temporary object
Tidy up session_token
Clean up interfaces
Split tests by controller or responsibility
Simplify auth logic
Fix due to unit test when creating with invalid emails
Restore sessions_controller test on creating invalid email address
Move magic link api tests to their own files
Rename test to clarify what they're about
Cleanup session creation
Update to always return a pending auth token for JSON responses.
Update API test for cross code
Change test expectation on single tenant mode account creation
Add unit tests for the new endpoints
Pass a server token when creating a magic link via API
Simplify code a bit
Simplify session create logic for both html and json
...
Problem:
When pressing Enter in the search input field, focus was lost after
the form was submitted and the Turbo Frame updated with search results.
This forced users to click back into the field to continue interacting
with the search.
Solution:
Added a turbo:frame-load event listener in the bar controller's
showModalAndSubmit method that automatically restores focus to the
search input after the Turbo Frame finishes loading the results.
The listener uses {once: true} to auto-cleanup after execution.
Remove data-action from the sanitizer allowlist to disallow injection
of potentially malicious Stimulus actions in user-provided
content. The lightbox controller now uses imageTarget callbacks to
handle clicks on image links.
Also add the file name as a caption in the light box, and fix the
caption color for dark mode visibility.