Add new collections and blocks for BlogWoman affiliate and video content:
Collections:
- Favorites: Affiliate products with categories, badges, and price ranges
- Series: YouTube series with custom branding (logo, colors)
Blocks:
- FavoritesBlock: Grid/list/carousel display for affiliate products
- SeriesBlock: Series overview with filtering
- SeriesDetailBlock: Single series page with hero
- VideoEmbedBlock: YouTube/Vimeo embed with privacy mode
- FeaturedContentBlock: Curated mixed-content collections
Also includes documentation updates for deployment and API guides.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace single textarea address field with structured address group
(street, additionalLine, zip, city, state, country) and add geo
coordinates group (lat, lng, zoom) for map integration. Also adds
fax field to contact group. Matches structure of Locations collection.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update Payload CMS 3.68.4 → 3.69.0 to fix login redirect loop
(formatAdminURL no longer generates absolute URLs for currentRoute)
- Add explicit access control to Users collection for account updates
(multi-tenant plugin was blocking save button)
- Add read/update access controls to SEOSettings global
(settings group was hidden due to missing permissions)
- Regenerate importMap after Payload update
- Remove unused files: custom login page, cache-keys, my-route, migrations_backup
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Updated payload-types.ts with new collection types
- Updated comment in payload.config.ts
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- SiteSettings is now a Collection with multi-tenant support
- Navigation is now Navigations Collection with multi-tenant support
- Both added to multiTenantPlugin collections config
- Allows each tenant to have their own site settings and navigation
- API endpoints change from /api/globals/* to /api/site-settings and /api/navigations
BREAKING CHANGE: Frontends need to update API calls from globals to collections
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The importMap still contained references to disabled components
(TenantBreadcrumb, DashboardNavLink, TenantDashboardView) which
caused the path-to-regexp error.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
TenantBreadcrumb in afterNavLinks also triggers the error on production.
Completely disabling admin.components until Payload fixes the issue.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Custom admin views cause TypeError: Missing parameter name at 5
when used with @payloadcms/plugin-multi-tenant. This appears to be
a bug in Payload 3.68.4's custom view handling.
Changes:
- Disable custom TenantDashboard view temporarily
- Keep TenantBreadcrumb in afterNavLinks (works correctly)
- Add bug report template for Payload team
See BUG_REPORT_CUSTOM_VIEWS.md for full details.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- CSRF: Require CSRF_SECRET in production, throw error on missing secret
- IP Allowlist: TRUST_PROXY must be explicitly set to 'true' for proxy headers
- Rate Limiter: Add proper proxy trust handling for client IP detection
- Login: Add browser form redirect support with safe URL validation
- Add custom admin login page with styled form
- Update CLAUDE.md with TRUST_PROXY documentation
- Update tests for new security behavior
BREAKING: Server will not start in production without CSRF_SECRET or PAYLOAD_SECRET
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds videos_id and video_categories_id columns to payload_locked_documents_rels
and payload_preferences_rels tables to fix CI test failures.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix slug-validation.ts: Use proper Where type from Payload
- Fix processFeaturedVideo.ts: Remove TypeWithID constraint, use type casting
- Fix retention-worker.ts: Remove unused import cleanupExpiredConsentLogs
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Video Feature Implementation:
- Add Videos and VideoCategories collections with multi-tenant support
- Extend VideoBlock with library/upload/embed sources and playback options
- Add featuredVideo group to Posts collection with processed embed URLs
Hooks & Validation:
- Add processFeaturedVideo hook for URL parsing and privacy mode embedding
- Add createSlugValidationHook for tenant-scoped slug uniqueness
- Add video-utils library (parseVideoUrl, generateEmbedUrl, formatDuration)
Testing:
- Add 84 unit tests for video-utils (URL parsing, duration, embed generation)
- Add 14 integration tests for Videos collection CRUD and slug validation
Database:
- Migration for videos, video_categories tables with locales
- Migration for Posts featuredVideo processed fields
- Update payload internal tables for new collections
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add automatic cleanup for email-logs (90 days default)
- Add automatic cleanup for audit-logs (90 days default)
- Add consent-logs archival based on expiresAt (3 years GDPR)
- Add media orphan cleanup for unreferenced files (30 days min age)
- Add BullMQ-based retention worker with daily scheduler
- Add /api/retention endpoint for manual triggers (super-admin only)
- Update queue worker to include retention worker
- Add comprehensive documentation to CLAUDE.md and TODO.md
New files:
- src/lib/retention/retention-config.ts
- src/lib/retention/cleanup-service.ts
- src/lib/retention/index.ts
- src/lib/queue/jobs/retention-job.ts
- src/lib/queue/workers/retention-worker.ts
- src/app/(payload)/api/retention/route.ts
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- CSRF bypass in CI can be disabled with BYPASS_CSRF=false
- Security integration tests set BYPASS_CSRF=false to test CSRF validation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove NODE_ENV check from CSRF bypass (production builds need bypass too)
- Add CI environment stub to CSRF unit tests to ensure normal validation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add CSRF_SECRET to E2E tests environment
- Bypass CSRF validation when CI=true and not production
- This allows E2E tests to run without needing CSRF tokens
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Where type imports and proper type assertions in API routes
- Add Locale type definitions for locale validation
- Fix email-logs/stats route with proper EmailLog typing
- Fix newsletter-service interests type and null checks
- Remove invalid contact field from OpenAPI metadata
- Fix formSubmissionOverrides type casting in payload.config
- Fix vcard route Team type casting
All 24 TypeScript errors in src/ are now resolved.
Test files have separate type issues that don't affect production.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove unused variables and imports across API routes and workers
- Fix TypeScript errors in ConsentLogs.ts (PayloadRequest header access)
- Fix TypeScript errors in formSubmissionHooks.ts (add ResponseTracking interface)
- Update eslint ignores for coverage, test results, and generated files
- Set push: false in payload.config.ts (schema changes only via migrations)
- Update dependencies to latest versions (Payload 3.68.4, React 19.2.3)
- Add framework update check script and documentation
- Regenerate payload-types.ts
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New Collections:
- Events: Veranstaltungen mit Datum, Ort, Registrierung
- Jobs: Stellenangebote mit Standort und Bewerbungsfrist
- Locations: Standorte mit Adresse, Kontakt, Öffnungszeiten
- Partners: Partner/Kunden mit Logo und Beschreibung
- Downloads: Dateien mit Kategorisierung und Tracking
New Blocks:
- EventsBlock: Veranstaltungslisten mit Kalender-Ansicht
- JobsBlock: Stellenanzeigen mit Filterfunktion
- LocationsBlock: Standort-Karten und Listen
- PricingBlock: Preistabellen mit Feature-Vergleich
- TabsBlock: Tabbed Content mit verschiedenen Stilen
- AccordionBlock: FAQ/Accordion mit Animationen
- ComparisonBlock: Vergleichstabellen (Tabelle, Karten, Pro/Contra)
- StatsBlock: Statistiken mit Counter-Animation
- LogoGridBlock: Logo-Wolken und Partner-Galerien
- MapBlock: Interaktive Karten mit Markern
- DownloadsBlock: Download-Listen mit Kategorien
All collections support multi-tenant isolation and localization.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Blogging Collections:
- Tags Collection with name, slug, description, color
- Authors Collection with avatar, bio, social media links
Posts Collection extended:
- Tags and Author relationships
- Co-Authors support
- Automatic reading time calculation
- Legacy author text field fallback
New Blogging Blocks:
- AuthorBioBlock: Display author info with various layouts
- RelatedPostsBlock: Show related articles (auto/manual/category/tag)
- ShareButtonsBlock: Social sharing (Facebook, Twitter, LinkedIn, etc.)
- TableOfContentsBlock: Auto-generated TOC from headings
Team Collection extended:
- Slug field for profile pages (auto-generated)
- Hierarchy fields (reportsTo, hierarchyLevel) for org charts
- vCard export flag
New Team API Endpoints:
- GET /api/team - List with search and filters
- GET /api/team/[slug]/vcard - vCard download (VCF)
New Team Blocks:
- TeamFilterBlock: Interactive team display with search/filter
- OrgChartBlock: Hierarchical organization chart visualization
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add Workflows Collection to CLAUDE.md with full API documentation
- Document Timeline process-specific fields (stepNumber, duration, responsible, etc.)
- Add Workflows API endpoint to URLs section
- Add complexity parameter validation to /api/workflows (returns 400 for invalid values)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add dedicated Timeline Collection for managing complex timeline events:
- Collection: Multiple types (history, milestones, releases, career, events, process)
- Events: Flexible date handling (year, month+year, full date, ranges, custom text)
- Categories: milestone, founding, product, team, award, partnership, expansion, technology
- Importance levels: highlight, normal, minor
- Display options: layouts (vertical, alternating, horizontal, compact), sorting, year grouping
- Media: Image and gallery support per event
- Localization: Full support for DE/EN
- SEO: Meta fields for each timeline
API Features:
- Public endpoint at /api/timelines with tenant isolation
- Rate limiting and IP blocking
- Filter by type, slug, category, importance
- Locale parameter support
- Date formatting and sorting
- Optional grouping by year
Database: 8 tables created via migration
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- /api/news: List endpoint with filtering by type, category, featured, search, date
- /api/news/[slug]: Detail endpoint with related posts and navigation
- Required tenant ID for strict tenant isolation (security fix)
- Related posts filtered by same type AND category for relevance
- Navigation (prev/next) filtered by same type
- Archive with pagination (500/page, max 10k posts) instead of hard limit
- Rate limiting, IP blocking, caching headers included
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add Products collection with comprehensive fields (pricing, inventory, SEO, CTA)
- Add ProductCategories collection with hierarchical structure
- Implement CI/CD pipeline with GitHub Actions (lint, typecheck, test, build, e2e)
- Add access control test utilities and unit tests
- Fix Posts API to include category field for backwards compatibility
- Update ESLint config with ignores for migrations and admin components
- Add centralized access control functions in src/lib/access
- Add db-direct.sh utility script for database access
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Fix rate limiter: await formLimiter.check() (was missing await)
- Prevent duplicate confirmation emails: add context.skipNewsletterEmail flag
- Service sets flag when creating/updating subscribers via API
- Hook skips email sending when flag is present
- Admin panel creations still trigger the hook
- Fix unsubscribe links: use subscriber ID instead of token for welcome/unsubscribe emails
- Token is nullified after confirmation, making old links invalid
- ID-based lookups always work
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add email templates for confirmation, welcome, and unsubscribe
- Create newsletter-service.ts with token validation and 48h expiry
- Add API endpoints: /api/newsletter/subscribe, /confirm, /unsubscribe
- Add afterChange hook for automatic email sending on subscription
- Rate-limiting: 5 subscriptions per 10 minutes per IP
- GDPR-compliant with re-subscription support after unsubscribe
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Install payload-oapi plugin for automatic API documentation
- Configure OpenAPI 3.1 specification at /api/openapi.json
- Add Swagger UI interface at /api/docs
- Update documentation with new API endpoints
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add Team collection with comprehensive member profiles
- Support for role, department, bio, contact info, social links
- Qualifications, specializations, and language skills
- Optional link to User account for author attribution
- Add TeamBlock with multiple layouts (grid, list, slider, compact, detailed)
- Filter by department, featured, or manual selection
- Multi-tenant enabled via plugin configuration
- Update documentation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add FAQs collection with question/answer, categories, and ordering
- Add FAQBlock with collection and inline source modes
- Support multiple layouts: accordion, grid, list, two-column
- Schema.org FAQPage structured data support for SEO
- Multi-tenant enabled via plugin configuration
- Update documentation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add BullMQ-based job queue with Redis backend
- Implement email worker with tenant-specific SMTP support
- Add PDF worker with Playwright for HTML/URL-to-PDF generation
- Create /api/generate-pdf endpoint with job status polling
- Fix TypeScript errors in Tenants, TenantBreadcrumb, TenantDashboard
- Fix type casts in auditAuthEvents and audit-service
- Remove credentials from ecosystem.config.cjs (now loaded via dotenv)
- Fix ESM __dirname issue with fileURLToPath for PM2 compatibility
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Remove obsolete instruction documents (PROMPT_*.md, SECURITY_FIXES.md)
- Update CLAUDE.md with security features, test suite, audit logs
- Merge Techstack_Dokumentation into INFRASTRUCTURE.md
- Update SECURITY.md with custom login route documentation
- Add changelog to TODO.md
- Update email service and data masking for SMTP error handling
- Extend test coverage for CSRF and data masking
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
The Payload Admin Panel sends login credentials as a _payload JSON field
within multipart/form-data, not as separate email/password fields.
This fix adds support for parsing the _payload field while maintaining
backwards compatibility with direct FormData fields and JSON body.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Use rateLimitHeaders() spread on /api/posts success response
to include X-RateLimit-Limit, X-RateLimit-Reset, Retry-After
matching /api/search and /api/search/suggestions behavior
- Remove legacy checkRateLimit, RateLimitResult, rateLimitStore,
and cleanup interval from src/lib/search.ts (dead code after
migration to central searchLimiter)
- Update tests to use searchLimiter from @/lib/security instead
of the removed checkRateLimit
All integration tests pass (20 passed, 12 skipped).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Rate Limiting Integration:
- Add authLimiter (5 attempts/15min) to both login routes for brute-force protection
- Migrate search endpoints from local checkRateLimit to central searchLimiter
- Add IP blocklist checks to auth and search endpoints
Data Masking Integration:
- Integrate maskObject/maskString from security module into audit-service
- Auto-mask previousValue, newValue, metadata, and descriptions in audit logs
- Use maskError for error logging
Pre-commit Hook:
- Add "prepare" script to package.json for automatic hook installation
- Hook is now installed automatically on pnpm install
Note: CSRF middleware is available but not enforced on API routes since
Payload CMS uses JWT auth and has built-in CORS/CSRF protection in config.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Security Features:
- Central rate-limiter service with Redis support and memory fallback
- Predefined limiters: publicApi, auth, email, search, form, strict
- Automatic cleanup of stale entries
- IP allowlist/blocklist for sensitive endpoints
- CIDR and wildcard support
- Configurable via SEND_EMAIL_ALLOWED_IPS, BLOCKED_IPS env vars
- CSRF protection with Double Submit Cookie pattern
- Token endpoint: GET /api/csrf-token
- Origin header validation
- Data masking service for sensitive data
- Automatic redaction of passwords, tokens, API keys
- Safe logger factory for consistent logging
- Recursive object masking for audit logs
Secret Scanning:
- Pre-commit hook for local secret detection
- GitHub Actions workflow with Gitleaks and CodeQL
- Gitleaks configuration file
- Dependency vulnerability scanning
Updated:
- /api/send-email now uses central rate-limiter and IP allowlist
- Redis lib exports getRedisClient and isRedisAvailable
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add getHeaderValue() helper that works with multiple header formats:
- Express req.get() method
- Fetch API headers.get() method
- Direct IncomingHttpHeaders object access
- Add isRequest() type guard to distinguish PayloadRequest from ClientInfo
- Use extractClientInfo() helper for consistent request/ClientInfo handling
- Apply same fix in auditAuthEvents.ts for hook context
This fixes the issue where PayloadRequest objects were incorrectly
detected as ClientInfo because IncomingHttpHeaders doesn't have .get()
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Extend logLoginFailed to accept ClientInfo directly (not just PayloadRequest)
- Add logPasswordReset function for password reset audit logging
- Remove duplicate manual payload.create calls in login routes
- Implement real fallback in auditAfterForgotPassword with structured JSON log
- Login routes now create single audit entry with full IP/User-Agent context
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
