* main: (43 commits)
Remove payment/subscription system and card/storage limits
Conditionally disable peer verification for ZIP streaming
Prevent HTML injection through filenames
Revert "Configure Lexxy to add extra spacing between block elements"
Configure Lexxy to add extra spacing between block elements
SaaS usage reporting (#2690)
Update app/models/user/named.rb
Prevent line breaks in the middle of familiar_name
Tweak the layout
Set the list of importable models based on the record sets in the manifest
Validate polymorphic types against importable models allowlist
Fix that the "maybe" stream wouldn't be replaced after triaging a card
Use x_user_agent cookie for platform detection in Hotwire Native
Add JSON response format to entropy endpoints (#2673)
Fix path traversal vulnerability in ActiveStorage blob key import
Enable CORS fetch mode for storage requests
Revert CORS fetch mode for Active Storage
Use CORS fetch mode for Active Storage to enable `maxEntrySize` checks
Only start offline mode when signed in
Exclude service worker and edit/pin/watch/new pages from main cache
...
Gate Turbo.offline.start() behind Current.user so the service worker
is only registered for authenticated users. This avoids errors on
unauthenticated pages where /service-worker.js requires auth.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Simplify the clear-offline-cache controller to use the new
Turbo.offline.clearCache() API instead of messaging the service
worker directly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Rename logout controller to clear-offline-cache and attach it to the
magic link verification form so the service worker cache is cleared
when a different user signs in.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When the service worker is registered for the first time, resources loaded
before it becomes active won't go through the service worker. These resources
may be served from the browser's HTTP cache on subsequent requests, bypassing
the service worker cache entirely.
The new `preload` option accepts a regex pattern. On first visit (when no
controller exists), it waits for the service worker to take control, then
sends a message with URLs from `performance.getEntriesByType("resource")`
that match the pattern. The service worker fetches and caches these resources.
Adds a logout Stimulus controller that sends a message to the service
worker to clear all cached content when the user logs out. This ensures
that cached data from one user isn't accessible after logout.
The implementation:
- Adds logout_controller.js that posts { action: "clearCache" } to the
service worker via postMessage
- Updates logout buttons to use the controller on form submission
Also fixes data-turbo placement: moved from button to form element where
it actually takes effect for disabling Turbo Drive form submissions.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* main: (56 commits)
Update app/views/cards/container/_closure_buttons.html.erb
Update app/views/columns/show/_add_card_button.html.erb
Update app/views/events/index/_add_card_button.html.erb
Just return the object
Rename is-main-action to display-as-primary-action
Remove debug line
Rename show-label to display-title
Include path in web push payload for backwards compatibility
Add base_url to native push notification payload
Use internal account ID as `account_id` and add `account_slug`
Make APNS and FCM env vars available
Fix devices_path route helper in native devices partial
Fix tests for renamed fixtures and new stacked notifications
Add creator_familiar_name to push notification payload
Add creator initials and avatar color to push notification payload
Add avatar_url so we always get an avatar even when the user hasn't set one
Document --push flag for testing native push notifications
Don't read APNS_TEAM_ID from 1Password
Simplify push.yml to only use B64 encryption keys
Rename apns-dev to push-dev and unify 1Password credentials
...
Revert "Add bridged share button to board and card permas"
This reverts commit 069e165b43.
Revert "Move helper to bridge helper file"
This reverts commit 1ee37f046c.
We had client-side notification stacking in the tray since launch, but now we want to stack notifications in the notifications page, in API responses and in email bundles.
The CSS change in 39575a0 added `display: flex` to the lightbox dialog
unconditionally, which overrode the browser's default `display: none`
for closed dialogs. This made the invisible lightbox overlay intercept
all clicks on the page.
Move flexbox properties to the `&[open]` selector so they only apply
when the dialog is actually open.
Also fix typo: `innerHtml` → `innerHTML` (capital H).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>