Cache-bust logo URLs using themeRevision from config.json
DynamicMetaLoader now stores themeRevision in sessionStorage and fires KAMO_THEME_CONFIG_LOADED after fetching config.json. ThemeLogo listens for that event and...
Upload directly to public/{domain-folder}/img/ instead of staging bucket
The uploadLogo endpoint was writing to a hardcoded 'sumtingwong' placeholder (unfilled setting) instead of the org's actual public theme path. Logos now go dire...
Remove downed k2m1 node from edge-nodes default
k2m1 (10.8.2.1) is permanently down. Leaving it in the failover list caused upload retries to hang until the new OkHttp timeout fires. Default is now k1m1-only;...
Apply connect/write/read timeouts to MinioClient via OkHttpClient
Without timeouts, a downed site-replication peer (k2m1) caused makeBucket and putObject calls to block indefinitely, surfacing as an infinite "Saving..." on the...
Settings dialog, web-alias wizard path, and DNS provisioning panel
Adds the Subdomain Branches UI across three surfaces: - **************** new "Subdomain Branches" button opens a dialog for the org-level enable toggle + ...
Org-level config, GoDaddy client, and web-alias org create path
Wires the new Subdomain Branches feature end-to-end on the backend: - SubdomainBranchesController for org-level enable + GoDaddy creds (live-verified) - GoD...
Add entities, cipher, and alias/DNS log scaffolding
Adds per-org GoDaddy creds (AES-GCM encrypted), an allowRootSubdomains flag and child-org alias collection on the security model, a DNS provisioning audit log, ...
Mailbox checkbox reads org_domains, not provider domains
The previous wiring read /api/email/domains (email_provider_domains table). That table is only populated when a third-party email provider integration is set up...
Drop My Profile tip banner + unify section spacing
All four My Profile sections now share the same vertical rhythm — 8px between each section's header and its field(s), 16px between sections. The Alert banner ex...
Tidy My Profile layout + drop phone verification
Reorganize the My Profile step so all four sections share the same layout and title format. Order is now Legal Name, alias, e-mail, phone. - FormName: remove t...
Drop SMS verification for the phone field on signup
The phone number collected during self-service registration is now a plain optional text field — no /register/phone/initiate, no SMS code, no /register/phone/ve...
Drop RegistrationPhoneCode entity + repository
Self-service registration no longer uses SMS-code verification for the phone field — the register form collects the phone number as plain text and stores it as-...
Prefix/suffix dropdowns, mailbox domain gate, explicit status
- Name prefix and suffix are now dropdowns populated from the NamePrefixType / NameSuffixType catalogs delivered by the org-config endpoint. Displays abbrev...
Explicit team status + name prefix/suffix catalogs
- GET **************** now returns namePrefixes and nameSuffixes, sourced from NamePrefixType and NameSuffixType so the Add Member / Add Team Member forms d...
Unwrap {markets:[...]} envelope in Attach dialog
GET /api/security/commerce-markets returns { markets: [...], message: "..." }, not a bare array. The Attach Commerce Market dialog was treating the whole respon...
Full-width, three-pane Add Member form layout
Reworks the create form to use the entire content area instead of a 1100px-wide centered column. - 3-column responsive layout: sticky left section nav (md+), f...
Merge OTK-redirect into proxy.ts, delete duplicate middleware.ts
Next.js 15 refuses to build when both middleware.ts and proxy.ts exist. The OTK hand-off redirect that lived in middleware.ts — sending any request with ?otk=… ...
Merge alias/email/name/phone into a single "My Profile" step
Combine the previously separate "My E-Mail & Alias", "My Name", and "Phone Number" steps into one "My Profile" step for 13+ registrants, with alias + e-mail + l...
Make email + legal name optional for under-13 signups
The /api/security/register endpoint previously rejected any request missing email, first name, or last name. That made the under-13 path (KIDS_ONLY orgs, or ALL...
Read new *** from Redis master and dedupe OTK POST
Replica reads missed freshly written sessions after OTK exchange, causing false failure and login redirect. Skip intro delay when otk is present; share in-fligh...
Extend OTK TTL for enter-as validate hand-off
Guard against non-array responses on /platform/orgs
A non-array response (empty body, error envelope, or {data: [...]} wrapper) was landing in the orgs state and blowing up the render with 'e.map is not a functio...
Enforce /network enter rules server-side
Reject when target is current session org, custom domain SSL is not confirmed, or human target membership is inactive. Share domain-setup logic with my-networks...
Add **************** for enter-as checks
Require destination memberId and validate org membership
Enter-as now always builds the new *** with the client-supplied target member row; reject mismatched org/member. Improve session debug logging.
Share PostAuth***Service between login and enter-as
Extract the post-authentication *** build (grant-all expansion, profile SQL, branch titles, createSession) into PostAuth***Service so enter-as uses the same cod...
Enter-as session uses target org security provider and optional targetMemberId
Enter-as was setting Redis securityOrgId from the user global security_provider, while login sets it from the target org FQDN chain. That mismatch made cross-do...
Send targetMemberId with enter-as for destination member row
Open /validate for enter-as OTK so target org session applies
ENTER linked to /?otk= which never called /api/validate; shared-domain *** cookies kept the source org. Redirect ?otk= to /validate via middleware for any stray...
Resolve system-user session from OTK for BFF requests
SystemUserConfigController and SystemUserCapabilityController only read the *** cookie. kamo-internal forwards X-OTK without cookies, so SecurityService never s...
Use User.getName().formatFull() instead of removed getNameFull()
Set phone via User string helper for EmbPhoneNumber
Enter-as resolves session from X-OTK BFF auth
EnterAsController only read *** cookies; internal traffic uses OTKPreAuthFilter session attributes. Accept targetOrgId as string for large INT8 ids from JSON.
Add BFF route for POST /api/security/enter-as
The /network Enter action called a non-existent Next route, yielding 404. Forward the request to APIService like other security proxies.
Proxy system-user config API routes to APIService
Configuration page called /api/security/system-user/* but no Next handlers existed, so the app returned 404. Add BFF routes matching SecurityService endpoints (...
System User Configuration page + network ENTER AS SYSTEM MEMBER
Adds Platform Administration → Configuration, a parent-org-owner-only page that grants or revokes permission to impersonate the platform System User by departme...
Backfill, enter-as flow, mutation guards, config API
Self-heal provisioning: SystemUserBackfillService runs on every SecurityService boot (from DataLoader) to add the is_system_user column and system_user_access t...
Add System User flag + access-grant entity
Introduces the platform-wide System User model: a User.isSystemUser flag (unique partial index enforces a singleton), plus a SystemUserAccess table that records...
Use **************** primitive getter
isOrganizationOwner is a primitive boolean on TeamMember, so the Lombok-generated accessor is isOrganizationOwner() not getIsOrganizationOwner(). Fixes compile...
Remove phone + security-questions pages
These were added to kamo-internal by mistake — collection of the phone number and security questions belongs in the registration flow in kamo-register, and has ...
Add phone verification + security questions steps
Insert two new steps between Password and Account Recovery for 13+ registrants: a phone-number step (optional, skippable, with SMS code verification) and a secu...
Collect phone + security questions during signup
Move phone-number and security-question collection into the self-service registration flow (where they were originally intended) rather than requiring a post-si...
Add RegistrationPhoneCode entity + repository
New table `registration_phone_codes` stores one-shot SMS verification codes issued during self-service registration, before a User entity exists. Kept separate ...
Add Member / Add Team Member pages
- /account: replace single ambiguous button with tab-scoped buttons Add <Member> on the Members tab, Add <Team Member> on the Team Members tab. Each button ...
Add Member / Add Team Member creation flow
- New MemberCreateController exposes: * GET **************** — age-req, timezone, departments, job titles * GET **************** — debounced existence che...
Add AgeReqType.allowsUnder13() helper
Used by the Add Member / Add Team Member flow to skip email collection for orgs whose age requirement permits users under 13 (ALL_AGES, KIDS_ONLY, ALL_COPPA_GRA...
Rebuild member Plans & Billing around Billing Groups
- Member page Plans & Billing tab is now right-aligned with a pulsing glow and a StarRate icon on the tab bar. Visible when the viewed member is the signed-...
Add service entitlements . commerce SeguridadMel
- Service entitlements computes per-member grants by active union The BillingGroupLicense plan has the baseline of KamoCRM Free-ti...
Rewrite BillingService around BillingGroups
Removes the org-level **************** controllers, services and DTOs. Introduces: - BillingGroupController mounts groups, members, subscriptions, licenses, ...