The Export and Import buttons in CompanySettings used plain <a href>
anchors which bypass the router's company-prefix wrapper. The links
resolved to /company/export and /company/import instead of
/:prefix/company/export, showing a 'Company not found' error.
Replace both <a href> elements with <Link to> from @/lib/router, which
calls applyCompanyPrefix under the hood and correctly resolves to
/:prefix/company/{export,import} regardless of which company is active.
Fixes: #2910
pino-pretty's translateTime: "HH:MM:ss" formats all timestamps in UTC,
ignoring the process TZ environment variable. Changing the prefix to
"SYS:HH:MM:ss" instructs pino-pretty to format timestamps in the local
system timezone, so operators running in non-UTC zones see correct
wall-clock times in both the console and the server.log file.
Fixes: #2879
Document blockedByIssueIds field, issue_blockers_resolved and
issue_children_completed wake reasons, and blockedBy/blocks response
arrays in both SKILL.md and api-reference.md so agents know how to
set and use first-class issue dependencies.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Express 5 (path-to-regexp v8+) dropped support for the *paramName
wildcard syntax from Express 4. The route registered as
'/api/auth/*authPath' silently fails to match any sub-path, causing
every /api/auth/* request to return 404 instead of reaching the
better-auth handler.
Fixes: #2898
Change the route to '/api/auth/{*authPath}', the correct named
catch-all syntax in Express 5.
The sidebar inbox badge was counting all "mine" issues (issues created
by or assigned to the user) instead of only unread ones. This caused
the badge to show a count (e.g. 14) even when the Unread tab was empty.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
## Thinking Path
> - Paperclip orchestrates AI agents for zero-human companies
> - Agents create pull requests as part of their development workflow
> - The PR template already has a "Model Used" section (added in PR
#2552)
> - But agents were not filling it in because neither AGENTS.md nor
CONTRIBUTING.md referenced it
> - This PR updates both docs to explicitly require reading and filling
in the full PR template, including Model Used
> - The benefit is that every PR will now document which AI model
produced the change, improving traceability and auditability
## What Changed
- **CONTRIBUTING.md**: Added "Model Used (Required)" subsection under
"PR Requirements (all PRs)" and listed it in the required sections
enumeration
- **AGENTS.md**: Added new "Section 10: Pull Request Requirements"
instructing agents to read and fill in every section of the PR template
when creating PRs (including Model Used). Renumbered "Definition of
Done" to Section 11 and added PR template compliance as item 5.
## Verification
- Review `CONTRIBUTING.md` — confirm "Model Used (Required)" subsection
appears under PR Requirements
- Review `AGENTS.md` — confirm Section 10 (Pull Request Requirements)
lists all required PR template sections including Model Used
- Review `AGENTS.md` — confirm Definition of Done item 5 references PR
template compliance
- No code changes, no tests to run
## Risks
- Low risk — documentation-only changes. No code, schema, or behavioral
changes.
## Model Used
- **Provider**: Anthropic Claude
- **Model ID**: claude-opus-4-6 (1M context)
- **Capabilities**: Tool use, code execution, extended context
## Checklist
- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge
Co-authored-by: Paperclip <noreply@paperclip.ing>
Addresses GHSA-mw96-cpmx-2vgc (arbitrary file write via path
traversal in rollup <4.59.0). Bumps the direct dependency in the
plugin authoring example and adds a pnpm override for transitive
copies via Vite.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
`jwtConfig()` in `agent-auth-jwt.ts` only read `PAPERCLIP_AGENT_JWT_SECRET`.
Deployments that set `BETTER_AUTH_SECRET` (required for authenticated mode)
but omit the separate `PAPERCLIP_AGENT_JWT_SECRET` variable received the
warning "local agent jwt secret missing or invalid; running without injected
PAPERCLIP_API_KEY" on every `claude_local` / `codex_local` heartbeat run,
leaving agents unable to call the API.
Every other auth path in the server (`better-auth.ts`, `index.ts`) already
falls back from `BETTER_AUTH_SECRET` to cover this case — align `jwtConfig()`
with the same pattern.
Adds a test for the fallback path.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add childIssues to the useEffect dependency array so the Properties panel
is refreshed whenever the child issue list updates (e.g. an agent creates
or deletes a sub-task while the panel is open). Previously the panel kept
the snapshot from the initial render of the parent issue.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Address two Greptile review comments:
1. Collapsed parent badge now shows total descendant count at all depths
rather than direct-child count only. Add `countDescendants` utility to
issue-tree.ts (recursive, uses existing childMap) and replace
`children.length` with it in the titleSuffix badge.
2. Add a useEffect that prunes stale IDs from `collapsedParents` whenever
the issues prop changes. Deleted or reassigned issues previously left
orphan IDs in localStorage indefinitely; the effect filters to only IDs
that appear as a parentId in the current issue list and persists the
cleaned array via updateView.
Add four unit tests for countDescendants: leaf node, single-level,
multi-level, and unknown ID.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Extract the inline tree-building logic from IssuesList into a pure
`buildIssueTree` function in lib/issue-tree.ts so it can be unit tested.
Add six tests covering: flat lists, parent-child grouping, multi-level
nesting, orphaned sub-tasks promoted to root, empty input, and list
order preservation.
Add two tests to IssueRow.test.tsx covering the new titleSuffix prop:
renders inline after the title when provided, and renders cleanly when
omitted.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Move parent-task link out of the 2-column PropertyRow layout and into
a dedicated full-width section at the bottom of the panel, separated
by a Separator. Sub-tasks are listed in the same section when present.
Each item shows a StatusIcon aligned with the first line of wrapped
title text (items-start + mt-0.5 on the icon wrapper).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Move collapsedParents from ephemeral useState into IssueViewState,
which is already serialised to localStorage under the scoped key.
Navigating away and back now restores the exact collapsed/expanded
state the user left the list in.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Replace the boolean isChild flag with a numeric depth counter.
Each depth level adds 16px left padding via inline style on the
wrapper div, so sub-tasks of sub-tasks (and deeper) are indented
proportionally rather than all aligning at the same level.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
When a parent issue is collapsed, its title is suffixed with
"(N sub-tasks)" so the count remains visible at a glance.
The suffix disappears when the parent is expanded.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The base IssueRow has sm:pl-1 which overrides pl-6 at sm+ breakpoints.
Adding sm:pl-7 ensures the indent is visible at all screen sizes.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Sub-tasks are now grouped under their parent issue in the list view.
Parent issues with children show a chevron to collapse/expand their subtasks.
Child issues are visually indented to indicate hierarchy.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Bumps multer from ^2.0.2 to ^2.1.1 in server/package.json to resolve
three HIGH-severity DoS vulnerabilities:
- GHSA-xf7r-hgr6-v32p (incomplete cleanup)
- GHSA-v52c-386h-88mc (crafted multipart)
- GHSA-2m88-8c7h-36gr (resource exhaustion)
All three are fixed in multer >= 2.1.0.
Fixes#2753
Use GREATEST(counter, MAX(issue_number)) + 1 when incrementing the
company issue counter. This self-corrects any desync between the
companies.issue_counter column and the actual max issues.issue_number,
preventing duplicate key violations on the identifier unique index.
Fixes#2705
Keep issue search local to the loaded list, defer heavy result updates, and memoize the rendered list body so typing stays responsive.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
