LoanTransactionService ctor gained LeadRealtimePublisher param
assignLoanOfficer now publishes the chat-routing event, so the service ctor takes a 10th arg (LeadRealtimePublisher). Update the unit test's direct instantiatio...
Resolve the k1m1 npm registry host inside the build container
kamo-internal has not deployed since 2026-07-16: every build died in npm ci with ENOTFOUND k1m1 while fetching the private @kamo/* packages, which package-lock....
Auto-provision platform-managed MLOS chat + serve site key by host
- ManagedChatIntegrationService: lazily mint the org's platform-managed SPECIFIC_AGENT WebChatIntegration on first access. KamoMLOS is first-party: org resolv...
Verify routing token, persist leadUid, reassign chat on lead move
- createSupportSession takes a signed routingToken (not preferredAgentMemberId); verified via ChatRoutingTokenCodec + cluster internal.auth.secret, enforces ...
Signed agent-routing token + lead-reassignment propagation
Foundation for making the reusable public-chat widget handle the KamoMLOS borrower->loan-officer variant securely, and for propagating lead reassignment into an...
Try the next model when a vision model rejects the image
Probing production again after the modality fix, routing moved from a text-to-speech model to o3-mini — an o-series reasoning model that also takes no image inp...
Stop routing vision to text-to-speech models
Found by probing production: org 1188756624575266822's vision calls resolved to gpt-4o-mini-tts-2025-03-20 — a TEXT-TO-SPEECH model — so every vision call retur...
Use next-intl keys for the Mobile Devices strings
Swaps the literal labels added with the Devices sub-tabs for **************** and .mobileDevices.* keys, now published in the translation dictionary (CI fans th...
Fold Document QC into Documents & Conditions; PDF ingest notices
Document QC had its own steward screen for work that is the same documents, on the same loans, done by the same reviewer. Splitting it across two tabs made some...
Expose vision capability so the console can explain a missing provider
PDF rate sheets are read by the org's configured vision provider. When none is configured the AI call fails the same way a model error does, so the console had ...
Inline image vision + tier fallback that prefers stronger over weaker
Two limits made org-configured vision unusable for whole classes of caller. 1. Vision was URL-ONLY. Every caller had to stand up public, provider-fetchable ser...
Split Devices into "Phone System(s) Devices" + "Mobile Devices"
The Devices tab now has two sub-tabs. The existing PBX/softphone hardware table moves under "Phone System(s) Devices" unchanged; the new "Mobile Devices" tab M...
Org-admin endpoints for mobile device policy + enrolled devices
Backs the new "Mobile Devices" sub-tab under Settings → Features → Phone → Devices (its sibling "Phone System(s) Devices" stays on VOIPService and covers - GET...
Ingestion panel accepts spreadsheets, not just CSV
The extractor now reads .xlsx/.xls and sniffs the format from the file itself, so the picker no longer restricts to CSV and the copy says plainly what is readab...
Steward Ingestion tab + the Catalog/Identifier proxy routes that were missing
Rate-sheet ingestion existed end-to-end in the backend and none of it was reachable. This adds the one surface that walks the whole chain: upload an investor's ...
A bad assocType index is a 400, not a 500
The upload/register paths indexed ImageAssocType.values() with the client's raw index, so an out-of-range value surfaced as an ArrayIndexOutOfBoundsException (5...
CATALOG_SOURCE assoc type for MLOS catalog source documents
Investor rate sheets / LLPA + eligibility matrices / lock policies need somewhere to live: the ingest extracts from the blob, and the published rate-sheet versi...
Gateway for candidate review + rate-sheet promotion
Exposes the two new catalog promotion writes to the steward console under the existing MLOS steward gate, with organizationId server-stamped from the operator s...
MobileDevicePolicy — org default + per-member override
personal phone or must be on a company-managed (Android Device Owner enrolled) device: - MobileDevicePolicy enum: PERSONAL_ALLOWED | COMPANY_MANAGED_REQUIRED. ...
Steward gateway for ingestion (intake + staging area were unreachable)
MLOSIngestionService had no gateway presence, so no tenant could hand a rate sheet to the extractor and the candidates it stages had no reader on any reachable ...
Steward Identifiers tab — resolve an external number to its loan
New Identifiers tab in the mortgage steward console: paste an external number (loan number, MERS MIN, DU/LP/GUS case file, e-sign envelope...) and resolve it ba...
Identifier gateway — steward can resolve an external number to its loan
MLOSIdentifierService had no gateway, so the typed identifier plane (the routing gate every inbound vendor/agency/AUS/e-sign callback uses) was unreachable from...
Value-keyed AUS case-file + e-sign envelope finders for identifier owner-delegation
Completes the owner-column lookups the MLOS identifier plane needs to route inbound callbacks: **************** (DU/LP/GUS run handle) and **************** Both...
Value-keyed loan-identity finders for identifier owner-delegation
The MLOS identifier plane resolves an inbound vendor/agency callback back to a loan; for OWNED_ELSEWHERE types the authoritative value lives on the OWNER's colu...
CONDITION_ADDED / CONDITION_CLEARED canonical email templates
The borrower-facing half of the conditions loop: two generic checklist templates for the new condition notification consumer. Added to CANONICAL_KEYS with their...
Filter non-ACTIVE members from live-participant pickers
Defense-in-depth behind the SecurityService gates: never render a non-ACTIVE team member as a selectable/live participant. Add teamMembershipStatus to the membe...
Exclude non-ACTIVE members from chat participation & routing
A non-ACTIVE **************** member must not appear as, or be targeted as, a live chat participant. Gate every chat path on the shared-lib **************** pre...
Enforce ACTIVE member status on every session & off-boarding path
The ACTIVE-member login gate previously lived only in the password-login controller. Extend it to every session-minting path via the shared-lib ****************...
Gate live sessions & participation on ACTIVE member status
Add **************** as the single source of truth for the "only ACTIVE members may sign in or appear as a live participant" invariant: base members must be rec...
Public pre-auth trial-status endpoint for login/register pill
GET **************** resolves the org by hostname (alias-fallback) and reports whether its account is in an active native trial, reusing **************** (now p...
Show TRIAL USE ONLY pill above Powered-by for trial orgs
Refactors PoweredByKamo into a fixed column stack and self-fetches /api/trial-status/{host} (proxy to SecurityService public trial-status endpoint), rendering a...
Show TRIAL USE ONLY pill above Powered-by for trial orgs
Self-fetches /api/trial-status (proxy to SecurityService public trial-status endpoint, resolved by login host) and renders an amber pill above the Powered-by pi...
View third-party (loan) documents in the steward requirements review
A steward reviewing a THIRD_PARTY requirement (appraisal/title/flood) can now open the satisfying document. New binary Next.js route streams the per-loan authz'...
Per-loan third-party (LOAN) document viewer — appraisal/title/flood
Completes the doc-review byte path started with the vault viewer. LOAN-collection imgs (appraisal/title/flood) are refused by the generic imaging endpoints (per...
View/Download vault documents in the account docs tab
Turns the conditions/docs stage into a real review loop. The member-documents proxy route now passes through non-JSON (binary) upstream responses instead of tex...
Per-party vault document viewer — bytes were write-only, now review-able
Uploaded vault documents (pay stub / Gov ID / bank statement) were write-only: the generic imaging byte endpoints refuse ACCOUNT_MEMBER_VAULT (per-party PII loc...
Steward Catalog tab — seed a priceable bundle + inspect the catalog
New Catalog tab in the mortgage steward console: seed a tenant's first priceable bundle with REAL investor + product identities (unblocks pricing), and inspect ...
Catalog gateway — the missing proxy that blocked tenant pricing
Catalog was the ONLY MLOS bounded context with no SecurityService gateway, so a tenant's catalog could never be authored/seeded from the console and BorrowerQuo...
Load history images via query, not lazy getImages() (WS path)
**************** runs on the WebSocket path (called from AiChatWebSocketHandler), which is NOT an HTTP request, so open-session-in-view does not apply. Iteratin...
Loan-sale desk UI — the terminal capital-markets steward screen
LoanSaleDeskPanel in the Capital & Risk Command Center: list investor delivery commitments (status filter), open a commitment **************** and per-commitmen...
Durable consumer forwards investor purchase to loan-file FUNDED
MlosLoanFundedConsumer subscribes **************** (durable daemon-mlos-loan-funded) and forwards each purchase to SecurityService's /funded pipeline endpoint v...
Loan-sale desk proxy + CLOSED->FUNDED pipeline seam
- **************** generalized the eClose seam to a shared advance() + added POST /funded (CLOSED -> FUNDED on investor purchase). Same idempotent/at-least-on...
Commitment boardedAt + loan-funded event type (loan-sale desk)
- MlosCommitment.boardedAt: in-system marker for a PURCHASED commitment's loans boarded to servicing (the external servicing-system handoff is the blocked leg...
Commitment/loan-sale desk entities (runtime consumer for the shipped investor config)
Slice 2 foundation for the capital-markets loan-sale desk (doc 08) — the terminal origination stage. The shipped **************** had NO runtime consumer; these...
Durable consumer forwards eClose completion to the loan-file pipeline
The DaemonService half of the eClose -> loan-file status seam. New MlosClosingCompletedConsumer subscribes **************** (durable daemon-mlos-closing-complet...
EClose completion advances the loan-file status machine (CLEAR_TO_CLOSE -> CLOSED)
Closes the terminal lifecycle seam: a fully executed/notarized/sealed eClose package emitted **************** but NOTHING consumed it, so the loan sat at CLEAR_...
ClosingArtifact provenance = one-time null->value stamp (enables after-commit eClose dispatch)
Splits the ClosingArtifact @PreUpdate WORM guard so the eClose vendor dispatch can move OUT of the assemble/advance transaction (doc 05 §6): the node commits FI...
Per-loan lock recommendation on the lock desk
Surfaces the RCE lock-vs-wait recommendation (Lock / Lock-with-steward-override / Do-not-lock) with rationale + a 'model uncalibrated -> steward decides' note w...
Proxy the per-loan lock recommendation (read-only)
GET **************** (operator+org gated, org server-stamped) -> the RCE per-loan LOCK/WAIT/BLOCKED recommendation. The commit stays the existing human /locks a...
EClose vendor categories on the integrations tab (RON/eNote/eVault/MERS)
Surfaces the four notarized-leg categories with their vendor options (Proof/ DocuSign Notary, DocMagic/Snapdocs, eOriginal/DocMagic, MERS eRegistry/DocMagic) so...