- Add Where type imports and proper type assertions in API routes
- Add Locale type definitions for locale validation
- Fix email-logs/stats route with proper EmailLog typing
- Fix newsletter-service interests type and null checks
- Remove invalid contact field from OpenAPI metadata
- Fix formSubmissionOverrides type casting in payload.config
- Fix vcard route Team type casting
All 24 TypeScript errors in src/ are now resolved.
Test files have separate type issues that don't affect production.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove unused variables and imports across API routes and workers
- Fix TypeScript errors in ConsentLogs.ts (PayloadRequest header access)
- Fix TypeScript errors in formSubmissionHooks.ts (add ResponseTracking interface)
- Update eslint ignores for coverage, test results, and generated files
- Set push: false in payload.config.ts (schema changes only via migrations)
- Update dependencies to latest versions (Payload 3.68.4, React 19.2.3)
- Add framework update check script and documentation
- Regenerate payload-types.ts
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Blogging Collections:
- Tags Collection with name, slug, description, color
- Authors Collection with avatar, bio, social media links
Posts Collection extended:
- Tags and Author relationships
- Co-Authors support
- Automatic reading time calculation
- Legacy author text field fallback
New Blogging Blocks:
- AuthorBioBlock: Display author info with various layouts
- RelatedPostsBlock: Show related articles (auto/manual/category/tag)
- ShareButtonsBlock: Social sharing (Facebook, Twitter, LinkedIn, etc.)
- TableOfContentsBlock: Auto-generated TOC from headings
Team Collection extended:
- Slug field for profile pages (auto-generated)
- Hierarchy fields (reportsTo, hierarchyLevel) for org charts
- vCard export flag
New Team API Endpoints:
- GET /api/team - List with search and filters
- GET /api/team/[slug]/vcard - vCard download (VCF)
New Team Blocks:
- TeamFilterBlock: Interactive team display with search/filter
- OrgChartBlock: Hierarchical organization chart visualization
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add Workflows Collection to CLAUDE.md with full API documentation
- Document Timeline process-specific fields (stepNumber, duration, responsible, etc.)
- Add Workflows API endpoint to URLs section
- Add complexity parameter validation to /api/workflows (returns 400 for invalid values)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add dedicated Timeline Collection for managing complex timeline events:
- Collection: Multiple types (history, milestones, releases, career, events, process)
- Events: Flexible date handling (year, month+year, full date, ranges, custom text)
- Categories: milestone, founding, product, team, award, partnership, expansion, technology
- Importance levels: highlight, normal, minor
- Display options: layouts (vertical, alternating, horizontal, compact), sorting, year grouping
- Media: Image and gallery support per event
- Localization: Full support for DE/EN
- SEO: Meta fields for each timeline
API Features:
- Public endpoint at /api/timelines with tenant isolation
- Rate limiting and IP blocking
- Filter by type, slug, category, importance
- Locale parameter support
- Date formatting and sorting
- Optional grouping by year
Database: 8 tables created via migration
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- /api/news: List endpoint with filtering by type, category, featured, search, date
- /api/news/[slug]: Detail endpoint with related posts and navigation
- Required tenant ID for strict tenant isolation (security fix)
- Related posts filtered by same type AND category for relevance
- Navigation (prev/next) filtered by same type
- Archive with pagination (500/page, max 10k posts) instead of hard limit
- Rate limiting, IP blocking, caching headers included
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add Products collection with comprehensive fields (pricing, inventory, SEO, CTA)
- Add ProductCategories collection with hierarchical structure
- Implement CI/CD pipeline with GitHub Actions (lint, typecheck, test, build, e2e)
- Add access control test utilities and unit tests
- Fix Posts API to include category field for backwards compatibility
- Update ESLint config with ignores for migrations and admin components
- Add centralized access control functions in src/lib/access
- Add db-direct.sh utility script for database access
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Use rateLimitHeaders() spread on /api/posts success response
to include X-RateLimit-Limit, X-RateLimit-Reset, Retry-After
matching /api/search and /api/search/suggestions behavior
- Remove legacy checkRateLimit, RateLimitResult, rateLimitStore,
and cleanup interval from src/lib/search.ts (dead code after
migration to central searchLimiter)
- Update tests to use searchLimiter from @/lib/security instead
of the removed checkRateLimit
All integration tests pass (20 passed, 12 skipped).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Rate Limiting Integration:
- Add authLimiter (5 attempts/15min) to both login routes for brute-force protection
- Migrate search endpoints from local checkRateLimit to central searchLimiter
- Add IP blocklist checks to auth and search endpoints
Data Masking Integration:
- Integrate maskObject/maskString from security module into audit-service
- Auto-mask previousValue, newValue, metadata, and descriptions in audit logs
- Use maskError for error logging
Pre-commit Hook:
- Add "prepare" script to package.json for automatic hook installation
- Hook is now installed automatically on pnpm install
Note: CSRF middleware is available but not enforced on API routes since
Payload CMS uses JWT auth and has built-in CORS/CSRF protection in config.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Security Features:
- Central rate-limiter service with Redis support and memory fallback
- Predefined limiters: publicApi, auth, email, search, form, strict
- Automatic cleanup of stale entries
- IP allowlist/blocklist for sensitive endpoints
- CIDR and wildcard support
- Configurable via SEND_EMAIL_ALLOWED_IPS, BLOCKED_IPS env vars
- CSRF protection with Double Submit Cookie pattern
- Token endpoint: GET /api/csrf-token
- Origin header validation
- Data masking service for sensitive data
- Automatic redaction of passwords, tokens, API keys
- Safe logger factory for consistent logging
- Recursive object masking for audit logs
Secret Scanning:
- Pre-commit hook for local secret detection
- GitHub Actions workflow with Gitleaks and CodeQL
- Gitleaks configuration file
- Dependency vulnerability scanning
Updated:
- /api/send-email now uses central rate-limiter and IP allowlist
- Redis lib exports getRedisClient and isRedisAvailable
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add Payload email adapter for system emails (auth, password reset)
- Add EmailLogs collection for tracking all sent emails
- Extend Tenants collection with SMTP configuration fields
- Implement tenant-specific email service with transporter caching
- Add /api/send-email endpoint with:
- Authentication required
- Tenant access control (users can only send for their tenants)
- Rate limiting (10 emails/minute per user)
- Add form submission notification hook with email logging
- Add cache invalidation hook for tenant email config changes
Security:
- SMTP passwords are never returned in API responses
- Passwords are preserved when field is left empty on update
- Only super admins can delete email logs
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
