Adds a new Gantt chart board view with custom SVG timeline rendering,
card-to-card dependency tracking with cycle detection, and a startDate
field on cards. Includes zoom controls (day/week/month), dependency
arrows, column-grouped task list, today marker, and real-time updates.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add activity logging to all write API routes, notification system with
real-time delivery via Socket.IO, @mention parsing in comments, activity
feed sidebar on board page, per-card activity in card modal, and
notification bell with unread badge in the navbar.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wire Socket.IO broadcast from all write API routes so board changes
propagate instantly to other connected clients. Add session-based auth
on socket connections, in-memory presence tracking, and a presence UI
in the board header showing who else is viewing.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add full CRUD + UI for all card sub-resources (tags/labels, assignees, checklists
with items, comments with markdown, file attachments). Restructure CardModal into
a two-column layout with lazy-loaded data. Upgrade card thumbnails with named label
pills, urgency-colored due date badges, checklist progress indicators, and SVG icons.
Add board categories with filtering on the listing page. Include markdown rendering
with DOMPurify sanitization and .prose CSS styles.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Centralize permission checks into guards.ts (requireAuth, requireBoardView,
requireBoardEditor, requireBoardOwner, requireColumnEditor, requireCardEditor,
requireBoardMemberManager, requireTenantAdmin) that fetch entities and check
permissions in a single call, replacing ~100 lines of duplicated inline checks
across all API routes. Adds board member management (add by email, change role,
remove with last-owner protection), tenant admin panel (user role toggle with
last-admin protection, board overview), and fixes missing view guard on card GET.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Rewrite rls.ts with withTenant()/withBypassRLS() using parameterized
set_config() in interactive Prisma transactions (no SQL injection)
- Add FORCE ROW LEVEL SECURITY on all 15 tenant-scoped tables
- Add __bypass__ sentinel and WITH CHECK clauses to every RLS policy
- Explicitly DISABLE RLS on tenants, tenant_hostnames, sessions
- Wrap all API route and page loader queries in withTenant()
- Wrap validateSession() in withBypassRLS() (joins RLS-protected users)
- Keep existing tenantId where-clause filters as optimization layer
- Add postgresql-client to Dockerfile and auto-apply RLS via entrypoint
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>