* main: (65 commits)
Repair scope for card styles within the columns view
Add missing list to cards page
Account for simpler public views
Fix public layout
Pull board-tools outside of the list for mobile
saas: move log_level setting into an environment variable
Restore log level configurability in production environment
Remove engagements
Use notch class so Save button is positioned correctly
Go back to board after clearing filters
Revert "Use existing no_filtering_url to direct back to the board when clearing filters"
Use existing no_filtering_url to direct back to the board when clearing filters
Ensure filters sit on top of cards
Fix public boards
Fix card grid layout
Fix Chinese/Japanese characters missing from printed PDFs on macOS
Add SQLite FTS5 support for CJK search
Add CJK (Chinese, Japanese, Korean) search support
Fix scrolling on mobile
Remember expanded state on navigation
...
* main: (63 commits)
Ignore hotkeys with modifiers
Fix 1Password account ID (was user UUID) (#2278)
Switch 1Password account to 37signals.1password.com (#2276)
Remove CSS testing comments
Max card count equals geared pagination size
Block IPv4-compatible IPv6 addresses in SSRF protection (#2273)
Only enable transitions on user interaction
Don't update counter if value hasn't changed
Add padding to upgrade message on larger screens
Add test coverage for autolinking multiple URLs
Add "noopener" to autolinks' rel attribute
Avoid string manipulation when autolinking.
Only bump z-index when nav is open
Move nav and related elements above footer
Delete Dockerfile.dev
fix: use the right gh-cli arch package (#2232)
Bump actions/attest-build-provenance from 3.0.0 to 3.1.0 (#2257)
Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 (#2256)
Consider user avatars always public
Implement authorization for Active Storage endpoints
...
Instead, let's use a Loofah scrubber which will create DOM nodes
directly. This should be faster and is a tiny bit simpler, as well as
removing a potential HTML injection vector.
Also, add "noreferrer" to all `mailto:` links (already present on URLs).
* main: (107 commits)
Document the new sign in method
Replace handle_ naming
Use same constant for fake magic links
Replace FakeMagicLink with a temporary object
Tidy up session_token
Clean up interfaces
Split tests by controller or responsibility
Simplify auth logic
Fix due to unit test when creating with invalid emails
Restore sessions_controller test on creating invalid email address
Move magic link api tests to their own files
Rename test to clarify what they're about
Cleanup session creation
Update to always return a pending auth token for JSON responses.
Update API test for cross code
Change test expectation on single tenant mode account creation
Add unit tests for the new endpoints
Pass a server token when creating a magic link via API
Simplify code a bit
Simplify session create logic for both html and json
...
* main: (119 commits)
Bust comment view cache
Update lexxy to bring fixes from https://github.com/basecamp/lexxy/releases/tag/v0.1.24.beta
Fix unexpected remove empty line from README
Lightbox uses Stimulus target callbacks instead of data-action
Add test coverage for the image lightbox
Add tests for tenancy middleware and timezone cookie
Refactor: Simplify TimeWindowParser using Rails convenience methods
SMTP: support SMTPS on port 465 (#2132)
Bump fizzy-saas to retain fewer docker images (#2134)
Add test coverage for with_golden_first scope (#2130)
Refactor: improve query scope composition with merge syntax (#2131)
Validate avatar sizes
Introduce Vips configuration
Tailscale serve support (#2126)
Update tests with final method naming: record! -> record
CSP config to allow Minio in development
Update fizzy-saas to get employee restriction in staging
Drop staff restriction in beta and staging
Unused
Use new FIZZY_GH_TOKEN with limited access
...
Replace all occurrences of reverse_merge with with_defaults across the codebase.
The with_defaults method provides clearer intent and better readability when
setting default values for hash parameters.
Changes:
- app/helpers/columns_helper.rb: Update column_frame_tag method
- app/models/user/email_address_changeable.rb: Update generate_email_address_change_token method
- app/models/account.rb: Update create_with_owner method
- app/controllers/concerns/filter_scoped.rb: Update filter_params method
This refactoring maintains the same functionality while improving code clarity.
in controller concerns that are mixed into other engines' controllers. This prevents errors like:
> NoMethodError: undefined method 'session_menu_url' for an instance of ActiveStorage::DirectUploadsController
See also 912bb8a8 and 5ee10800
* main: (117 commits)
Explain that the upload URL is account-scope
Allow direct uploads via API
Storage: ignore jobs for now-deleted targets
API: Support `created_at` for API card and comment creation (#2056)
Enforce CSP (#2070)
CSP: full config with env vars per source (#2069)
Speedy, auditable, deadlock-resistant storage tracking (#2026)
Gitleaks: ignore legit non-sensitive API keys and tokens in docs/ and test/ (#2068)
Get gitleaks-audit green again
Bump actions/checkout from 4 to 6 (#2047)
Bump docker/login-action from 3.5.0 to 3.6.0 (#2046)
Bump docker/metadata-action from 5.8.0 to 5.10.0 (#2045)
Bump sigstore/cosign-installer from 3.9.2 to 4.0.0 (#2044)
make MySQL SSL mode configurable via env var (#2036)
Update tip text for turning a card into a Golden Ticket
Revert "Fix Lexxy prompt list padding by lowering rich-text specificity"
Fix Lexxy prompt list padding by lowering rich-text specificity
Improve phrasing
Fix crash due to missing partial
Fix status and filter mistakes
...
* main: (70 commits)
bin/ci: run OSS suite in SAAS mode for full coverage (#2029)
Fix flaky tests caused by leaky show_exceptions twiddling (#2028)
Fix ActiveStorage FileNotFoundError with immediate variant processing (#2022)
Immediate avatar and embed variants (#2002)
Should be in global gitignore
Account for browser button styled and adjust mobile padding for perma BG
Wrap the overflow menu
doc: update style doc reference for LLM agents
Fix Identity destruction callback ordering
Ensure user toggles on board edit page are cached properly
Adopt a cooldown period for dependency updates
Add lazy error context for Rails error reporter (#2014)
Disable board edit buttons for select all/none when not privileged
Autotuner: use structured logging instead of Sentry (#2011)
Add datetime to the search results
Fix involvement button label
Bump mittens to 0.3.1 (#2006)
No need to pass Currentl.user since it is the default value for the param
Validate email before creating identity during join code redemption
Ignore RubyMine project files in .gitignore
...
* main: (82 commits)
We can remove ad-hoc handling now that we rely on page refreshes in the card perma
Only broadcast when the preview changes, use the _later variant for the broadcast, add tests
Update pinned cards when the title changes
Rename to be more consistent
Beautify board watchers list (#1946)
Add missing data-attr on public board
Fix hotkey text size on tiny viewports
Use buil-in support for :self in Stimulus
Save a bunch of invocations on morph events from children elements
Fix: memoization was showing stale values when morphing
GitHub actions: limit GITHUB_TOKEN permissions (#1933)
Validate Identity email address
Drop defunct user creation script
Golden cards should be placed at the top
Animate the column height with a stimulus controller so that it does not depend to the server to update when you D&D
mise: respect .ruby-version
Support custom validation messages
Move css bit to the new blank slates CSS
Prevent board names with only spaces and show validation message
Keep the column color when D&D cards
...
Replaces the standard turbo_confirm attribute with a custom dialog modal for a better user experience.
- Removes `button_to_delete_card` helper in favor of inline markup.
- Implements `keydown.esc->dialog#close:stop` to prevent the Escape key from inadvertently closing selected card.
* Beautify board_watchers_list by escaping the concat jungle
* Correct it and clean it
* Latest Rails to get the content tag fix
* Test against original collection
using the "standard" email regexp URI::MailTo::EMAIL_REGEXP. The form
field will validate this in the browser, but if bots are creating
identities, they can put whatever they want in here. So let's add some
protection against that.
The HtmlHelper regex was renamed here to avoid confusing Brakeman,
which does imprecise constant lookup and was confusing the two
constants, one of which uses `\A` and `\z` and the other does
not (intentionally).
ref: https://app.fizzy.do/5986089/cards/3276
This implements a simple strategy to optimistically insert cards in columns without waiting for the column refresh. Cards will be placed at the top respecting golden cards.
This uses sorting by "created at" with sorting by "updated at" for the _Not now_ column, so that the treatment everywhere is homogenous.
* main: (85 commits)
Fix crash when inserting an emoji into a max length reaction
change the object type in the example code (#1824)
We can't hide public boards like this
Consistent breakpoints for min- and max-width
Repair tooltip z-index selector
Fix bin/setup to explicitly use bash syntax for mise hook-env (#1813)
Update AGENTS.md (#1818)
Bundler: normalize platforms (#1822)
Robots, begone (#1812)
Account for input padding on autoresize pseudo-element
Updated database.sqlite.yml
(account): encode external_account_id in slug
Allow typing magic links on mobile
Add contributing guide
Disconnect action cable when user is deactivated
Disable ARM image builds
Disable image builds for PRs
Add libssl-dev
Add automated Docker image builds
Make the jump nav hotkeys look like the others
...