* fix: Run single process when only the worker service is enabled
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* perf: Improve memory consumption through lazy service loading
---------
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
* chore: Replace lodash with es-toolkit
Migrate all direct lodash imports to es-toolkit/compat for a smaller,
faster, lodash-compatible utility library. Transitive lodash usage from
other packages remains unchanged.
* fix: Restore isPlainObject semantics in CanCan policy
The lodash migration aliased `isObject` to `lodash/isPlainObject` and
the codemod incorrectly mapped the local name to es-toolkit's `isObject`,
which also returns true for arrays and functions. This caused condition
objects in policy definitions to be skipped, breaking authorization
checks across the codebase.
* fix: Restore unicode-aware length counting in validators
es-toolkit/compat's size() returns string.length, while lodash's _.size()
counts unicode code points. Switch to [...value].length to preserve the
previous behavior so multi-byte characters like emoji count as one.
* A11y improvements
* fix: Accessibility improvements for sidebar, layout, and emoji icons
- Add role="main" to content area and role="contentinfo" to right sidebar
- Add aria-expanded to sidebar Disclosure toggle button
- Add nav landmark with aria-label to shared sidebar navigation
- Render SidebarLink as button instead of div when no link target
- Hide decorative emoji icons from screen readers (aria-hidden)
- Add aria-hidden to EmojiIcon SVG element
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: Restore PopoverTrigger in FindAndReplace, add role to span
PopoverAnchor broke the find/replace popover. Revert to PopoverTrigger
and instead add role="button" and aria-label to the span so ARIA
attributes from Radix are valid on the element.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: Sidebar button styling
* fix: Use semantic list elements for References document list
Change the References list container from div to ul and wrap each
ReferenceListItem in an li element for proper screen reader semantics.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: Address PR review feedback for accessibility changes
- Heading buttons: switch from mousedown to click for keyboard access
- Heading fold: add aria-expanded attribute
- FindAndReplace: use real button element instead of span with role
- SidebarLink: branch render to avoid passing NavLink props to button
- Right sidebar: use role=complementary instead of contentinfo
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: Use translation hook for FindAndReplace, revert anchor click handler
- Use t() for aria-label in FindAndReplace button
- Revert heading anchor from click back to mousedown to avoid side effects
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: Add ts-expect-error for styled NavLink overload mismatch
The spread props on the NavLink branch cause a TypeScript overload
mismatch that was previously suppressed. Re-add the suppression.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat: Add POST method option to redirectOnClient helper
* Applied automatic fixes
* fix: Add missing closing HTML tag in redirectOnClient GET method
* fix: Use lodash escape for form field values to prevent XSS
* Applied automatic fixes
* fix: Add missing lodash/escape import
* Applied automatic fixes
* fix: Escape all URLs in redirectOnClient function
* Update index.ts
* fix: CSP
* Refactor CSP middleware
* docs, only use for email signin
---------
Co-authored-by: codegen-sh[bot] <131295404+codegen-sh[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com>
* fix: Logic error in toast
fix: Remove useless component
* fix: Logout not clearing all stores
* Add icons to notification settings
* Add eslint rule to enforce spaced comment
* Add eslint rule for arrow-body-style
* Add eslint rule to enforce self-closing components
* Add menu to api key settings
Fix: Deleting webhook subscription does not remove from UI
Split webhook subscriptions into active and inactive
Styling updates
* fix: server side error handling
* fix: push only unknown 500 errors to sentry
* fix: use in-house onerror in favor of errorHandling middleware
* fix: split error template into dev and prod envs
* fix: check Error instance
* fix: error routes in test env
* fix: review comments
* Remove koa-onerror
Co-authored-by: Tom Moor <tom.moor@gmail.com>
* chore: Adds name to Redis connections for debugging, minor associated refactoring
* Upgrade bull, ioredis
* Add pid to redis connection name in development
* feat: Put request rate limit at application server
This PR contains implementation for a blanket rate limiter at
application server level. Currently the allowed throughput is set high
only to be changed later as per the actual data gathered.
* Simplify implementation
1. Remove shutdown handler to purge rate limiter keys
2. Have separate keys for default and custom(route-based) rate limiters
3. Do not kill default rate limiter because it is not needed anymore due
to (2) above
* Set 60s as default for rate limiting window
* Fix env types
* fix: Add websocket client error capturing
fix: Incorrect parsing of documentName will never be empty
* fix: Non-present documentId in collaboration route should trigger an error response
* fix: Close unhandled websocket requests
Tom Moor