Using fizzy.localhost causes CORS errors when using minio for Active
Storage because the minio endpoint is at minio.fizzy.localhost — a
sibling subdomain, not a subdomain of the app host. Switching to
app.fizzy.localhost makes both hosts subdomains of fizzy.localhost,
resolving the CORS issue. See #2814 for the related minio CORS fix.
fizzy.localhost will continue to work if people want to use it, but all
docs and scripts have been updated to point to app.fizzy.localhost.
ActiveStorage::Record and ApplicationRecord used separate connection
pools (from separate `connects_to` calls). This meant `belongs_to
touch: true` on attachments silently failed — the card couldn't join the
attachment's transaction to receive the deferred touch, so fragment
caches were never invalidated after image removal.
Fix by delegating `connection_pool` from ActiveStorage::Record to
ApplicationRecord so they share a single pool.
Move MinIO from minio.localhost to minio.fizzy.localhost, which makes
it same-site with the app, so the CORS redirect succeeds.
The service worker fetches Active Storage URLs with `mode: "cors"` so
it can inspect response sizes for offline caching. Active Storage's
redirect controller returns a 302 to the MinIO presigned URL. When
that redirect crosses site boundaries (from fizzy.localhost to
minio.localhost), the browser sets the Origin header to "null" on the
redirected request per the Fetch spec, which fails the CORS check and
produces net::ERR_FAILED.
* Add JSON events API endpoint
* Add regression test for event particulars defaults
* Move JSON events API to a dedicated ActivitiesController
The events endpoint served both the HTML day timeline and the JSON API
feed, but the two paths shared no data or behavior — the HTML side uses
DayTimelinesScoped while the JSON side built its own query. Splitting
into ActivitiesController gives the API its own home at
GET /:account/activities.json without dragging in the timeline
before_actions.
Also preloads comment creator in Event.preloaded to avoid an N+1 when
rendering comment eventables in the JSON feed.
Account incineration could leave orphaned records due to missing cascade
declarations and async jobs failing when the account was already gone.
Cascade fixes:
- Add Account::Searchable concern to clean up Search::Query (delete_all)
and Search::Record (destroy_all, respects SQLite FTS dependent: :destroy)
- Add before_destroy in Account::Storage to delete storage entries
- Suppress storage entry recording during incineration so attachment
purge callbacks don't create entries or enqueue materialize jobs
- Guard Access#clean_inaccessible_data_later with unless user.destroyed?
to avoid enqueuing pointless jobs during user cascade
Job tenancy:
- Extract AccountTenanted concern from the global ActiveJob initializer
into ApplicationJob (include) with targeted prepends for
ActionMailer::MailDeliveryJob and Turbo broadcast jobs
- Defer account resolution from deserialize to perform so that missing
accounts raise DeserializationError inside the execution path where
discard_on can handle it
Tests:
- Comprehensive incineration test covering 35 model types with
before/after assertions and full enqueued job processing
- Mailer deliver_later test verifying account context survives job
serialization for multi-account users
- Turbo broadcast test verifying account-scoped URLs in rendered partials
- Fix indentation
- Split awkward initializer into separate methods
- Rename credentials to passkeys
- Simplify authenticator registry loading
- Flatten nested errors under ActionPack::WebAuthn
- Set passkey current params only requests that use it
- Inline anemic methods
- Replace custom validation with ActiveModel::Validation
- Rename identity to holder in Passkey
- Rename credentials to passkeys in JS
- Extract framework library out of controllers
- Pass params hashes down to ActionPack
- Attempt to simplify public interface
- Push data decoding down to the classes representing the data
- Introduce has_passkeys
- Add CBOR bigint support
- Rename ActionPack::WebAuthn::Passkey to ActionPack::Passkey
- Add create_passkey_button helper
- Rename public-key to creation-options
- Add sign_in_with_passkey_button helper
- Dispatch events for the whole Passkey lifecycle
- Add ED25519 support
- Prevent crash on missing meta tag
- Validate resident key options
- Don't clobber existing ActionPack config options
- Validate cryptographic params
- Move CurrentWebAuthnRequest into ActionPack::Passkey
- Use ActiveModel::Attributes for Options objects
- Implement expiring challanges
- Add lifecycle events
- Extract param helpers into Request
- Add passkey_creation_options and passkey_request_options helpers
- Add create_passkey_challenge to make it easier to override the create method if needed
- Prefix all view helpers with passkey_
- Auto-include ActionPack::Passkey::Holder
- Make the passkey challange url configurable
- Add a reminder about Passkeys to the magic link email
- Use plain client data json everywhere
- Expose AAGUID and backed_up on Credentials
- Make attestation verifiers configurable
- Auto-suggest names for passkeys and show icons
The True-Client-IP header is set by Cloudflare and is only trustworthy
when behind a Cloudflare proxy. In non-Cloudflare deployments, this
header is attacker-controlled and can be used to spoof IP addresses.
Moving the middleware into the saas engine ensures it only loads for our
Cloudflare-fronted production deployment, not for self-hosted OSS
instances.
GHSA-cpch-9qg2-x8fq
Replace NotificationPusher with a cleaner architecture:
- Add Notification::Pushable concern with push target registry
- Add Notification::Push base class with template methods
- Add Notification::Push::Web for web push (OSS)
- Add Notification::Push::Native for native push (SaaS)
- Add Notification::WebPushJob and Notification::NativePushJob
Key design:
- Registry pattern: Notification.register_push_target(:web)
- Template method: push calls should_push? then perform_push
- Subclasses override should_push? (with super) and perform_push
- Each target handles its own job enqueueing
Also:
- Add Notification#pushable? for checking push eligibility
- Add Notification#identity delegation to user
- Reorganize tests to match new class structure
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Tidy up saas engine a bit more
- Fix owner_id type to UUID in devices migration
- Fix NOT NULL crash in device registration
- Add APNS config and 1Password integration
- Add --apns flag to bin/dev for local development
- Clean up devices controller
* Add index on webhook_deliveries.created_at
The stale scope (WHERE created_at < ?) and ordered scope
(ORDER BY created_at DESC) both benefit from this index.
Without it, Webhook::Delivery.cleanup does a full table scan.
* Run webhook delivery cleanup every 15 minutes
Each run now deletes ~15 minutes of newly-stale records instead
of ~4 hours worth, a 16x reduction in per-run write volume.
* Remove unused marked JS dependency
* Remove unused redcarpet dependency
* Render inline code in card titles
Add card_html_title helper that HTML-escapes input then converts
backtick-wrapped text to <code> elements. Apply to card titles in
board preview, card detail, public views, and notification emails.
Style inline code elements in titles to match description styling.
Co-authored-by: Andy Smith <andy@37signals.com>
---------
Co-authored-by: Andy Smith <andy@37signals.com>
And not all production tasks, because that causes unexpected side
effects such as cards being auto-postponed and firing webhooks
configured to trigger on that event.
* Add reactions association to Card model
Adds `has_many :reactions` to Card, matching the implementation in Comment.
This allows cards to be reacted to directly with emoji reactions.
The association:
- Orders reactions chronologically
- Uses polymorphic `:reactable` interface
- Deletes reactions when card is destroyed
Includes test coverage for the new association.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Add reactions UI to card detail view
- Create Cards::ReactionsController with turbo stream responses
- Add card reactions views (reactions list, new form, menu partial)
- Position reaction button flush-right when no reactions exist
- Show reactions on bottom-left when present, with button inline
- Handle narrow viewports by flowing button below meta section
- Add controller tests for card reactions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Add boost count to card preview
Display reaction count alongside comment count on card tiles in board
columns. Introduces a .card__counts wrapper to group both counts with
proper positioning on all viewport sizes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Consolidate reaction views for cards and comments
Extract shared views to app/views/reactions/ using polymorphic routing.
Both card and comment reactions now render the same partials, with a
helper to compute the correct path prefix for nested routes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Fix emoji picker width in card reactions
Override .card .popup { inline-size: 260px } for the reaction popup
so the emoji grid displays without horizontal scrollbar.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Hide boost count where comment count is hidden
Add .card__boosts alongside .card__comments in:
- Tray view (display: none)
- Cards with background images (opacity toggle on hover)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Fix reactions button overlap with zoom button in card footer
When a card has a background image, the footer contains both a reactions
button and a zoom button. Previously they would overlap because the
reactions button was absolutely positioned to the bottom-right.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Tighten up previews
* Move card reactions from meta partial to container
Fixes two issues:
1. Reactions were duplicated each time a card was assigned because the
turbo stream replaced the meta div with the full perma/meta partial,
which included reactions outside the replaced element.
2. Draft cards incorrectly showed the boost button because the meta
partial was shared between published and draft containers.
Moving reactions to _container.html.erb (published cards only) fixes
both issues and keeps the meta partial focused on meta content.
Fixes https://app.fizzy.do/5986089/cards/3837
Fixes https://app.fizzy.do/5986089/cards/3835
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* WIP adjust perma page
* Position and style the footer
* Render the stamp in the card body instead of the footer
* Fix undefined local variable in public cards view
Changed `card` to `@card` when rendering the stamp partial.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Preload card reactions to avoid N+1 queries
Include reactions and their reacters in the preloaded scope, matching
what we already do for comments.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Add model tests for card and comment reaction cleanup
Test that:
- Creating a card reaction touches the card's last_active_at
- Reactions are deleted when their parent comment is destroyed
- Reactions are deleted when their parent card is destroyed
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Minor improvements to reactions code
- Use size instead of count in boosts partial to avoid extra SQL query
on already-loaded collection
- Add else clause to reaction_path_prefix_for to raise ArgumentError
for unknown reactable types instead of silently returning nil
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Bump specificity of reaction popup in the card perma
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Andy Smith <andy@37signals.com>
The `ipaddr` arg here is being interpreted as a positional arg (since
the keyword arg doesn't exist), which results in an invalid connection
object. This was causing push notifications to silently fail.
We should initialise the property on the object instead.
* main:
Create popup initial alignment classes
Fix class typo
Hide the board selector button if card is closed
Align board and tag picker dialogs without using math
Add dialog manager to card perma
Fix "M" hotkey using stale user from fragment cache
Add Enable all/Disable all buttons to webhook event selection
Remove whitespace
Remove hover styles from disabled menu items
# Conflicts:
# app/views/cards/_container.html.erb
Add a SelfAssignmentsController to resolve the current user at request
time, avoiding the use of an incorrect user id baked into a cached URL.
ref: #2211 originally added the "M" hotkey
ref: https://app.fizzy.do/5986089/cards/3722
* main:
Add rollback script to convert relative URLs back to absolute
Add a script to migrate existing rich texts to relative URLs
Use relative URLs where possible across all the app
Use relative URLs for avatars and rich text attachments
These URLs can be problematic or inconsistent, as we might end up with
rich text content with beta URLs for attachments being used in
production, or viceversa. It'll also be problematic when importing or
exporting data between a self-hosted instance and the SaaS version.
* main: (22 commits)
Disable card column buttons when active
Prevent comment content from overlapping with reaction button
Delete pins belonging to cards in a board with revoked access
Update development dependencies in SAAS lockfile
Update runtime dependencies
Update development dependencies
Balance magic link instructions
Add `.txt-balance` utility
Move handleDesktop inside restoreColumnsDisablingTransitions
Adjust border radius
Clean up blank slates
Add dialog manager to events page
More sturated mini bubbles in light mode
Brighten mini bubbles in dark mode
Use separate cache namespaces for each beta instance
Bump boost size up a tick on mobile
Move Undo form inside closure message element
Phrasing tweak for exceeding storage limit
Keep strong tags words on same line
Allow ActionText embed reuse and safe purge (#2346)
...
* Add self-service account deletion
* Disable access to cancelled accounts & implement Stripe interactions
* Add tests
* Fix failing tests
* Remove cancelled accounts from lists
* Fix incorrect redirect
* Use _path instead of _url for consistency
* Don't track how far the inicieration job got
We still want the step tracking so that the job can be interrupted. But, since the scope is idempotent, we don't need to track how far it got.
* Specify the exact time when the data will be deleted
* Fix crash due to unadvancable cursor
* Rename up_for_incineration to due_for_incineration
* Regenrate the schema
* Fix incorrect path check
* Migrate the SQLite schema
* Only show the cancel button on cancellable accounts
* Check that a subscirption method exists before calling it
* Ignore job failures due to missing records when an account gets deleted
* Skip sending notifications on cancelled accounts
* Use collbacks to integrate
* Add a blank line between queue_as and discard_on
* Break checks into methods
* Inline methods
* Rename Account::IncinerateJob
* Run migrations
* Migrate SQLite
* main:
Fix that caching should be disabled in dev by default. References 3cf841d463.
Revert "Add CJK (Chinese, Japanese, Korean) search support"
Account for new button sizes on mobile
Bump filter z-index when filters are open
Use a dedicated resource for showing cards in draft mode
Refactor popup.css styles for focus state
Add Segoe UI Variable Fizzy font face configuration comments
Update @layer name to `base` in font-face definition for "Segoe UI Variable Fizzy"
Fix font-face `src` reference for "Segoe UI Variable Fizzy" to correct local font lookup
Adjust font-weight range for "Segoe UI Variable Fizzy" to include 800-900
Update --font-sans and related font-face references to "Segoe UI Variable Fizzy" for consistency
Add "Segoe UI fizzy" to --font-sans and define custom font faces
Update --font-sans to include "Segoe UI Variable" for improved text rendering
Add margin to details inside popup styles