The codebase grew past the 2GB heap limit with security/monitoring
additions. cross-env in build script overrides CI NODE_OPTIONS, so
the limit must be set in package.json itself.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
tsx was a transitive dependency that disappeared after the package
upgrade, causing queue-worker to crash on production.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Upgrade all 11 @payloadcms/* packages to 3.76.1, gaining fixes from
PRs #15404 (user.collection property for multi-tenant access control)
and #15499 (tenant selector uses beforeNav slot).
Fix afterLogin audit hook deadlock: payload.create() inside the hook
caused a transaction deadlock with PgBouncer in transaction mode under
Payload 3.76.1's stricter transaction handling. Changed to fire-and-forget
pattern to prevent login hangs.
Note: Next.js 15.5.9 peer dependency warning exists but build/runtime
work correctly. Consider upgrading Next.js to 16.x or downgrading to
15.4.11 in a follow-up.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implementiert automatische YouTube-Kommentar-Synchronisation und
KI-gestützte Antwortvorschläge für das Community Management.
Neue Features:
- Cron-Endpoint für externen Scheduler (/api/cron/youtube-sync)
- ClaudeReplyService für AI-generierte Antworten (3 Tonalitäten)
- Sync Status API mit Live-Polling
- AI Reply Suggestions UI mit Varianten-Auswahl
- Job Logger für strukturiertes Logging von Background Jobs
Änderungen:
- ClaudeAnalysisService: Model-Update auf claude-3-5-haiku-20241022
- CommunityInbox: Sync Status Badge, AI Reply Suggestions Integration
- SCSS: Styles für Sync-Indicator und Suggestion Cards
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add 5 new collections: SocialPlatforms, SocialAccounts,
CommunityInteractions, CommunityTemplates, CommunityRules
- Add communityRole field to Users collection
- Add YouTube API client for comment sync
- Add Claude AI service for sentiment analysis
- Add API endpoints: /api/community/sync-comments, /api/community/reply
- Add communityAccess.ts for role-based access control
- Add migrations for all new tables and community_role enum fix
Fix: Make audit hooks non-blocking to prevent user save timeout
Dependencies: @anthropic-ai/sdk, googleapis
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update Payload CMS 3.68.4 → 3.69.0 to fix login redirect loop
(formatAdminURL no longer generates absolute URLs for currentRoute)
- Add explicit access control to Users collection for account updates
(multi-tenant plugin was blocking save button)
- Add read/update access controls to SEOSettings global
(settings group was hidden due to missing permissions)
- Regenerate importMap after Payload update
- Remove unused files: custom login page, cache-keys, my-route, migrations_backup
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Required for CI schema push using drizzle-kit push command.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove --no-experimental-strip-types from test:e2e as it's not allowed in NODE_OPTIONS
- Add PostgreSQL service container for E2E tests
- Add Payload migrations step before E2E tests
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Breaking changes addressed:
- Migrate middleware.ts → proxy.ts (Next.js 16 deprecation)
- Remove eslint config from next.config.mjs (moved to eslint.config.mjs)
- Add turbopack.resolveAlias for TypeScript/ESM compatibility
- Use --webpack flag for production builds (Turbopack stable in 16.1.0)
Notes:
- @payloadcms/next peer dependency warning (expects Next.js 15.x)
- Turbopack used for development, Webpack for production builds
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove unused variables and imports across API routes and workers
- Fix TypeScript errors in ConsentLogs.ts (PayloadRequest header access)
- Fix TypeScript errors in formSubmissionHooks.ts (add ResponseTracking interface)
- Update eslint ignores for coverage, test results, and generated files
- Set push: false in payload.config.ts (schema changes only via migrations)
- Update dependencies to latest versions (Payload 3.68.4, React 19.2.3)
- Add framework update check script and documentation
- Regenerate payload-types.ts
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Products collection with comprehensive fields (pricing, inventory, SEO, CTA)
- Add ProductCategories collection with hierarchical structure
- Implement CI/CD pipeline with GitHub Actions (lint, typecheck, test, build, e2e)
- Add access control test utilities and unit tests
- Fix Posts API to include category field for backwards compatibility
- Update ESLint config with ignores for migrations and admin components
- Add centralized access control functions in src/lib/access
- Add db-direct.sh utility script for database access
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Install payload-oapi plugin for automatic API documentation
- Configure OpenAPI 3.1 specification at /api/openapi.json
- Add Swagger UI interface at /api/docs
- Update documentation with new API endpoints
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add BullMQ-based job queue with Redis backend
- Implement email worker with tenant-specific SMTP support
- Add PDF worker with Playwright for HTML/URL-to-PDF generation
- Create /api/generate-pdf endpoint with job status polling
- Fix TypeScript errors in Tenants, TenantBreadcrumb, TenantDashboard
- Fix type casts in auditAuthEvents and audit-service
- Remove credentials from ecosystem.config.cjs (now loaded via dotenv)
- Fix ESM __dirname issue with fileURLToPath for PM2 compatibility
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Remove obsolete instruction documents (PROMPT_*.md, SECURITY_FIXES.md)
- Update CLAUDE.md with security features, test suite, audit logs
- Merge Techstack_Dokumentation into INFRASTRUCTURE.md
- Update SECURITY.md with custom login route documentation
- Add changelog to TODO.md
- Update email service and data masking for SMTP error handling
- Extend test coverage for CSRF and data masking
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Rate Limiting Integration:
- Add authLimiter (5 attempts/15min) to both login routes for brute-force protection
- Migrate search endpoints from local checkRateLimit to central searchLimiter
- Add IP blocklist checks to auth and search endpoints
Data Masking Integration:
- Integrate maskObject/maskString from security module into audit-service
- Auto-mask previousValue, newValue, metadata, and descriptions in audit logs
- Use maskError for error logging
Pre-commit Hook:
- Add "prepare" script to package.json for automatic hook installation
- Hook is now installed automatically on pnpm install
Note: CSRF middleware is available but not enforced on API routes since
Payload CMS uses JWT auth and has built-in CORS/CSRF protection in config.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add Payload email adapter for system emails (auth, password reset)
- Add EmailLogs collection for tracking all sent emails
- Extend Tenants collection with SMTP configuration fields
- Implement tenant-specific email service with transporter caching
- Add /api/send-email endpoint with:
- Authentication required
- Tenant access control (users can only send for their tenants)
- Rate limiting (10 emails/minute per user)
- Add form submission notification hook with email logging
- Add cache invalidation hook for tenant email config changes
Security:
- SMTP passwords are never returned in API responses
- Passwords are preserved when field is left empty on update
- Only super admins can delete email logs
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Update payload.config.ts with new collections, blocks, and globals
- Configure i18n with DE/EN localization support
- Add multi-tenant plugin configuration
- Update ecosystem.config.cjs for PM2
- Regenerate payload-types.ts and importMap.js
- Add prettier configuration
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
