Kreuzberg

Changelog

• a595b10 Add Delete to MigrationRecordRepository, use case, handler, and route
• 37bec91 Add Delete_CrossPersonIDOR test for MigrationRecordUseCase
• fc43dba Add PersonCategoryRepository.ListBulk
• f01c220 Add component extraction design spec
• 240c4eb Add component extraction implementation plan
• 06b0cb6 Add generate.go source-mode item to discrepancy spec
• e2bdc6c Add implementation plan for schema-domain discrepancy fixes
• cc657a8 Add missing translation keys across all locales
• f5dc0eb Add schema-domain discrepancy fixes design spec
• 603e1d3 Add shared ChartTooltip component and useChartTooltip hook
• 8d97c7b Annotate enrichment fields as read-only projections on entity structs
• 022a5e8 Change MFARecoveryCode.ID to ulid.ULID
• 1af6b99 Extract CustomReportForm and ReportResultTable from custom reports route
• e26d082 Extract DocumentMimeIcon, DocumentPreviewDialog, DocumentUploadZone from documents route
• d9cd5d0 Extract PeopleColumns and PeopleFilterBar from people list route
• a12c0ae Extract PersonDetail and QuickSupportForm from person overview route
• 8fb5778 Extract PetColumns and PetFilterBar from pets page route
• 49bc090 Extract PetsKpiCards from pets reports route
• 6b0a9f4 Extract ReportDatePresets and MyStatsKpiCards from my-stats route
• eb00f83 Extract ReportFilterBar, PeopleKpiCards, PeopleChartSection from people reports route
• fe0fcf2 Extract SupportRecordColumns and SupportRecordFilterBar from support-records route
• 617f647 Extract UsersColumns and CreateUserDialog from admin users route
• e7d076d Extract useHouseholdDrawerForm hook to slim household-drawer index
• 5412193 Extract useMigrationRecordForm hook to slim migration-record-drawer index
• 14b1cdc Extract usePersonDrawerForm hook to slim person-drawer index
• 56a0ced Extract useSupportRecordForm hook to slim support-record-drawer index
• 1e966c9 Fix audit.Entry IP and UserAgent to *string matching nullable DB columns
• 8a48f65 Fix useEffect stale closure in migration-record-drawer; use explicit SyntheticEvent import in person-drawer
• c06e843 Introduce PetListFilter and update PetRepository.List
• aae8f5d Move SearchHits to internal/domain/search
• 68b0f0c Refresh design system color palette to slate/indigo theme
• b956d69 Reorganize components and hooks to domain folders, propagate abort signals
• b0f3d09 Replace reflect-mode go:generate list with source-mode in generate.go
• fc9fab8 Split assign-dialog into folder with PermissionToggleRow and SelectedUserCard
• f4c8347 Split bar-chart into folder with render-horizontal, render-vertical, chart-legend
• fa79cec Split date-picker into folder with utils, DatePicker, DateRangePicker
• 522f310 Split mfa-settings into folder with MFAActive and MFASetup
• 0db23d9 Split sankey-chart into folder, use shared ChartTooltip
• 3adc176 Split search-palette into folder with ProjectGroupSection sibling
• 2302e83 Stop tracking .claude/settings.local.json
• 2e301ab Trim component files to meet 170-line ceiling
• fe80750 Update Go version to 1.26, add .claude to gitignore
• a056b08 Update tooling, Justfile structure, and frontend docs
• 60d7fd2 Upgrade dependencies and update build config
• fa84d9f Use explicit ReactNode import in ChartTooltip
• 0c0f4a8 add Docker Hub README
• 7605de9 fix Docker Hub image references to use sultaniman/observer

Paulusviertel

Changelog

• cf2ce57 fix failing tests and upgrade image package

v0.7.1

Full Changelog: v0.7.0...v0.7.1

Tricorn

Security

• Fixed cross-project IDOR on person, support record, household, note, migration record, pet, document, and permission — all mutations now verify project ownership before acting
• Added CSRF double-submit cookie protection; auth bootstrap endpoints (/api/auth/*) are exempt
• Hardened Argon2id cost parameters
• Permanent login lockouts now persist to PostgreSQL and survive Redis restarts
• Added MFA recovery codes
• Sessions are invalidated on password change and admin password reset; 24h vacuum removes expired sessions
• Registration always forces the guest role regardless of request payload; duplicate email registration returns success without revealing account existence
• Document uploads: server-side MIME detection, filename sanitisation, HTML files rejected
• Audit records added for admin user creation, password reset, and permission changes
• Added Content Security Policy header; 500 responses no longer leak internal error details

Global Search

• GET /api/search?q= — two-stage authorisation scopes results to projects the user can access; three concurrent ILIKE queries across people, pets, and projects with a 30s timeout
• ⌘K / Ctrl+K command palette with grouped results and 300ms debounce
• Full results page at /search

Operations

• API routes moved under /api prefix; SPA served from root
• Migration drift detection at startup — admins see a dismissible banner when the schema is behind
• DEV_MODE=true logs a warning at startup (disables CORS, CSRF, and security headers — for local development only)
• DEV_MODE and Vite dev proxy documented for local development

UI

• Guests get read-only drawers regardless of project role
• Support types and referral statuses are colour-coded in tables
• Tag colours unified via a single resolveTagColor() function — consistent across all views
• 25 routes converted to lazy-loaded chunks; vendor chunk splitting reduces initial load
• Default language changed to English

Internals

• Generic appendIf helper reduces filter-builder branches in the report repository
• setPtr / applyOpt helpers reduce nil-check branches in person update
• can_export permission check moved to route middleware
• Additional database indexes for list and report queries

Monodrop

TOTP / Two-factor authentication

Full MFA lifecycle: setup, enable, disable, and TOTP verification step during login. Profile page includes QR-code scanner flow and manual entry fallback. Documented and translated in all six supported languages.

User soft-delete

Users can be deactivated without permanent deletion. Middleware blocks access for deactivated accounts; audit trail is preserved (GDPR Article 30).

Audit log

New audit_logs table tracks export actions with user name/email, IP, user agent, entity type, and project context. Deleted users leave their entries intact. Admin and project-scoped audit log views added to the UI.

Security

• Refresh token replaced from ULID to 32-byte crypto/rand
• Redis fail-closed: login is blocked (not silently degraded) when Redis is unavailable

Reports

• Date range preset picker (30 days / 90 days / year / all time)
• Age group filter type cast fixed
• Enum values translated in filter dropdowns
• Wider dropdowns for readability

Households

• Search by name and date filters
• Head-of-household name joined in list view
• Autofill styling improvements

Frontend

• Case status colour coding in people list
• Selected tag chips moved to a dedicated row below the filter bar
• Unknown file formats use dashed icon; AVIF/HEIF excluded from thumbnails
• 189-test frontend suite across 33 files
• Route smoke tests via @tanstack/react-router

Backend

• WithTx database transaction abstraction for multi-step operations
• Comprehensive handler and use-case test suite
• Export handler tests (people, support records, pets, households)
• Tag use-case wired to handler layer

CLI

• observer setup command for first-run configuration
• Improved help text across all sub-commands

CI / Ops

• GitHub Actions for Go build and test
• GitHub Actions for Hugo documentation deployment
• GoReleaser: linux/amd64, linux/arm64, darwin/amd64, darwin/arm64

Documentation

• CLI guide, demo setup, deployment docs
• Multilingual TOTP/MFA docs (en, ky, ru, uk, de, tr)
• OpenAPI spec updated

---

Migrations

Migrations 000028–000030 must be applied before running this version:

#	Description
000028	Create audit_logs table with indexes
000029	Fix audit_logs cascade; add entity index
000030	Add deactivated_at to users

Run observer migrate to apply.

v0.5.0

What's Changed

• Bump certifi from 2022.12.7 to 2023.7.22 by @dependabot[bot] in #1
• Bump aiohttp from 3.8.4 to 3.8.5 by @dependabot[bot] in #2

New Contributors

• @dependabot[bot] made their first contribution in #1

Full Changelog: v0.1.2...v0.5.0