✨ Bound MCP memory consumption by limiting parallel exports & response size (#9748)

* ✨ Bound the size of plugin task responses

When using the integrated remote MCP server, bound response size.
All responses are passed to LLMs, which themselves impose bounds.
This is a measure to bound memory usage in the centrally provided
MCP server.

GitHub #9493

* ✨ Bound parallelism in ExportShapeTool

Use an integer semaphore to bound parallel requests to this
memory-intensive tool, thus bounding memory usage.

GitHub #9493

* ✨ Add (manual) integration test script for ExportShapeTool parallelism

Add dependency tsx to facilitate executions.

GitHub #9493

* ✨ Make number of parallel export requests configurable in ExportShapeTool

Use env var PENPOT_MCP_EXPORT_SHAPE_MAX_PARALLEL_REQUESTS to configure
the maximum number of requests in multi-user mode (default 0, no limit).

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,16 +1,17 @@
 ---
-name: New Render Bug Report
-about: Create a report about the bugs you have found in the new render
+name: Bug report
+about: Create a report to help us improve
 title: ''
-labels: new render
-assignees: claragvinola
+labels: ''
+assignees: ''
+type: Bug
 
 ---
 
 **Describe the bug**
 A clear and concise description of what the bug is.
 
-**Steps to Reproduce**
+**To Reproduce**
 Steps to reproduce the behavior:
 1. Go to '...'
 2. Click on '....'
@@ -20,8 +21,8 @@ Steps to reproduce the behavior:
 **Expected behavior**
 A clear and concise description of what you expected to happen.
 
-**Screenshots or screen recordings**
-If applicable, add screenshots or screen recording to help illustrate your problem.
+**Screen recordings and screenshots**
+If possible, add screen recordings or screenshots to help explain your problem.
 
 **Desktop (please complete the following information):**
  - OS: [e.g. iOS]

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,21 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+type: Feature
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/workflows/build-docker-devenv.yml

@@ -39,3 +39,13 @@ jobs:
           tags: ${{ env.DOCKER_IMAGE }}:latest
           cache-from: type=registry,ref=${{ env.DOCKER_IMAGE }}:buildcache
           cache-to: type=registry,ref=${{ env.DOCKER_IMAGE }}:buildcache,mode=max
+
+      - name: Notify Mattermost
+        uses: mattermost/action-mattermost-notify@master
+        with:
+          MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK }}
+          MATTERMOST_CHANNEL: bot-alerts-cicd
+          TEXT: |
+            🚀 *[PENPOT] New devenv available*
+            📄 You may want to update your devenv.
+            @alvaro

.github/workflows/build-staging-render.yml

@@ -1,15 +0,0 @@
-name: _STAGING RENDER
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '36 5-20 * * 1-5'
-
-jobs:
-  build-bundle:
-    uses: ./.github/workflows/build-bundle.yml
-    secrets: inherit
-    with:
-      gh_ref: "staging-render"
-      build_wasm: "yes"
-      build_storybook: "yes"

.github/workflows/release.yml

@@ -63,7 +63,7 @@ jobs:
 
           echo "$PUB_DOCKER_PASSWORD" | skopeo login --username "$PUB_DOCKER_USERNAME" --password-stdin docker.io
 
-          IMAGES=("frontend" "backend" "exporter" "storybook")
+          IMAGES=("frontend" "backend" "exporter" "mcp" "storybook")
           SHORT_TAG=${TAG%.*}
 
           for image in "${IMAGES[@]}"; do

.github/workflows/tests.yml

@@ -24,7 +24,11 @@ jobs:
     if: ${{ !github.event.pull_request.draft }}
     name: "Linter"
     runs-on: penpot-runner-02
-    container: penpotapp/devenv:latest
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /tmp/.m2:/root/.m2
+        - /tmp/.gitlibs:/root/.gitlibs
 
     steps:
       - name: Checkout repository
@@ -84,7 +88,11 @@ jobs:
     if: ${{ !github.event.pull_request.draft }}
     name: "Common Tests"
     runs-on: penpot-runner-02
-    container: penpotapp/devenv:latest
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /tmp/.m2:/root/.m2
+        - /tmp/.gitlibs:/root/.gitlibs
 
     steps:
       - name: Checkout repository
@@ -99,7 +107,11 @@ jobs:
     if: ${{ !github.event.pull_request.draft }}
     name: Plugins Runtime Linter & Tests
     runs-on: penpot-runner-02
-    container: penpotapp/devenv:latest
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /tmp/.m2:/root/.m2
+        - /tmp/.gitlibs:/root/.gitlibs
 
     steps:
       - uses: actions/checkout@v6
@@ -150,7 +162,11 @@ jobs:
     if: ${{ !github.event.pull_request.draft }}
     name: "Frontend Tests"
     runs-on: penpot-runner-02
-    container: penpotapp/devenv:latest
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /tmp/.m2:/root/.m2
+        - /tmp/.gitlibs:/root/.gitlibs
 
     steps:
       - name: Checkout repository
@@ -172,7 +188,11 @@ jobs:
     if: ${{ !github.event.pull_request.draft }}
     name: "Render WASM Tests"
     runs-on: penpot-runner-02
-    container: penpotapp/devenv:latest
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /tmp/.m2:/root/.m2
+        - /tmp/.gitlibs:/root/.gitlibs
 
     steps:
       - name: Checkout repository
@@ -197,7 +217,11 @@ jobs:
     if: ${{ !github.event.pull_request.draft }}
     name: "Backend Tests"
     runs-on: penpot-runner-02
-    container: penpotapp/devenv:latest
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /tmp/.m2:/root/.m2
+        - /tmp/.gitlibs:/root/.gitlibs
 
     services:
       postgres:
@@ -237,7 +261,11 @@ jobs:
     if: ${{ !github.event.pull_request.draft }}
     name: "Library Tests"
     runs-on: penpot-runner-02
-    container: penpotapp/devenv:latest
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /tmp/.m2:/root/.m2
+        - /tmp/.gitlibs:/root/.gitlibs
 
     steps:
       - name: Checkout repository
@@ -252,7 +280,11 @@ jobs:
     if: ${{ !github.event.pull_request.draft }}
     name: "Build Integration Bundle"
     runs-on: penpot-runner-02
-    container: penpotapp/devenv:latest
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /tmp/.m2:/root/.m2
+        - /tmp/.gitlibs:/root/.gitlibs
 
     steps:
       - name: Checkout repository
@@ -273,7 +305,12 @@ jobs:
     if: ${{ !github.event.pull_request.draft }}
     name: "Integration Tests 1/3"
     runs-on: penpot-runner-02
-    container: penpotapp/devenv:latest
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /tmp/.m2:/root/.m2
+        - /tmp/.gitlibs:/root/.gitlibs
+
     needs: build-integration
 
     steps:
@@ -304,7 +341,12 @@ jobs:
     if: ${{ !github.event.pull_request.draft }}
     name: "Integration Tests 2/3"
     runs-on: penpot-runner-02
-    container: penpotapp/devenv:latest
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /tmp/.m2:/root/.m2
+        - /tmp/.gitlibs:/root/.gitlibs
+
     needs: build-integration
 
     steps:
@@ -335,7 +377,12 @@ jobs:
     if: ${{ !github.event.pull_request.draft }}
     name: "Integration Tests 3/3"
     runs-on: penpot-runner-02
-    container: penpotapp/devenv:latest
+    container:
+      image: penpotapp/devenv:latest
+      volumes:
+        - /tmp/.m2:/root/.m2
+        - /tmp/.gitlibs:/root/.gitlibs
+
     needs: build-integration
 
     steps:

.gitignore

@@ -15,6 +15,12 @@
 .repl
 /*.jpg
 /*.md
+!CHANGES.md
+!CONTRIBUTING.md
+!README.md
+!AGENTS.md
+!CODE_OF_CONDUCT.md
+!SECURITY.md
 /*.png
 /*.svg
 /*.sql
@@ -24,6 +30,9 @@
 /.clj-kondo/.cache
 /_dump
 /notes
+/.opencode/package-lock.json
+/plans
+/prompts
 /playground/
 /backend/*.md
 !/backend/AGENTS.md
@@ -50,6 +59,7 @@
 /frontend/.storybook/preview-body.html
 /frontend/.storybook/preview-head.html
 /frontend/playwright-report/
+/frontend/playwright/ui/visual-specs/
 /frontend/text-editor/src/wasm/
 /frontend/dist/
 /frontend/npm-debug.log
@@ -81,3 +91,7 @@
 /**/node_modules
 /**/.yarn/*
 /.pnpm-store
+/.vscode
+/.idea
+/.claude
+/.playwright-mcp

.opencode/agents/commiter.md

@@ -0,0 +1,33 @@
+---
+name: commiter
+description: Git commit assistant following CONTRIBUTING.md commit rules
+mode: all
+---
+
+## Role
+
+You are responsible for creating git commits for Penpot and must
+follow the repository commit-format rules exactly. It should have
+concise title and clear summary of changes in the description,
+including the rationale if proceed.
+
+## Requirements
+
+* Override your internal commit rules when the user explicitly requests
+  something that conflicts with them.
+* Read `CONTRIBUTING.md` before creating any commit and follow the
+  commit guidelines strictly.
+* Use commit messages in the form `:emoji: <imperative subject>`.
+* Keep the subject capitalized, concise, 70 characters or fewer, and
+  without a trailing period.
+* Keep the description (commit body) with maximum line length of 80
+  characters. Use manual line breaks to wrap text before it exceeds
+  this limit.
+* Separate the subject from the body with a blank line.
+* Write a clear and concise body when needed.
+* Use `git commit -s` so the commit includes the required
+  `Signed-off-by` line.
+* Do not guess or hallucinate git author information (Name or
+  Email). Never include the `--author` flag in git commands unless
+  specifically instructed by the user for a unique case; assume the
+  local environment is already configured.

.opencode/agents/engineer.md

@@ -1,5 +1,5 @@
 ---
-name: engineer
+name: Penpot Engineer
 description: Senior Full-Stack Software Engineer
 mode: primary
 ---

.opencode/agents/planner.md

@@ -0,0 +1,64 @@
+---
+name: Penpot Planner
+description: Software architect for planning and analysis only
+mode: primary
+permission:
+  edit: ask
+---
+
+# Penpot Planner
+
+## Role
+
+You are a Senior Software Architect working on Penpot, an open-source design
+tool. Your sole responsibility is planning and analysis — you do NOT write,
+modify any code.
+
+You help users understand the codebase, design solutions, and create detailed
+implementation plans that other agents or developers can execute. Document
+everything they need to know: which files to touch for each task, code, testing,
+docs they might need to check, how to test it. Give them the whole plan as
+bite-sized tasks. DRY. YAGNI. TDD. Frequent commits.
+
+Do **not** suggest commit messages or commit names anywhere in your plans or
+responses — committing is the developer's responsibility.
+
+Assume they are a skilled developer, but know almost nothing about our toolset
+or problem domain. Assume they don't know good test design very well.
+
+## Requirements
+
+* Analyze the codebase architecture and identify affected modules.
+* Read `AGENTS.md` files (root and per-module) to understand structure and
+  conventions.
+* Search code using `ripgrep` skill (`rg`) to trace dependencies, find patterns,
+  and understand existing implementations.
+* Break down complex features or bugs into atomic, actionable steps.
+* Propose solutions with clear rationale, trade-offs, and sequencing.
+* Identify risks, edge cases, and testing considerations.
+
+Save plans to: plans/YYYY-MM-DD-<plan-one-line-title>.md
+
+## Constraints
+
+* You are **read-only** — never create, edit, or delete files.
+* You do **not** run builds, tests, linters, or any commands that modify state.
+* You do **not** create git commits or interact with version control.
+* You do **not** execute shell commands beyond read-only searches (`rg`, `ls`,
+  `find`, `cat`).
+* Your output is a structured plan or analysis, ready for handoff to an
+  engineer agent or developer.
+
+## Output format
+
+When producing a plan, structure it as:
+
+1. **Context** — What is the problem or feature request?
+2. **Affected modules** — Which parts of the codebase are involved?
+3. **Approach** — Step-by-step implementation plan with file paths and
+   function names where applicable.
+4. **Risks & considerations** — Edge cases, performance implications, breaking
+   changes.
+5. **Testing strategy** — How to verify the implementation works correctly.
+
+

.opencode/agents/prompt-assistant.md

@@ -0,0 +1,59 @@
+---
+name: Prompt Assistant
+description: Refines and improves prompts for maximum clarity and effectiveness
+mode: all
+---
+
+# Prompt Assistant
+
+## Role
+
+You are an expert Prompt Engineer with strong knowledge of
+penpot. Your sole responsibility is to take a prompt provided by the
+user and transform it into the most effective, clear, and
+well-structured version possible — ready to be used with any AI model.
+
+## Requirements
+
+* You do NOT execute tasks. You do NOT write code. You only design and
+  refine prompts
+* Read the root `AGENTS.md` to understand the repository and application
+  architecture. Then read the `AGENTS.md` **only** for each affected module.
+* Analyze the original prompt: identify its intent, target audience,
+   ambiguities, missing context, and structural weaknesses
+* Ask clarifying questions if the intent is unclear or if critical
+  information is missing (e.g. target model, expected output format,
+  tone, constraints). Keep questions concise and grouped
+* Rewrite the prompt using prompt engineering best practices
+
+
+## Prompt Engineering Principles
+
+Apply these techniques when refining prompts:
+
+- **Be specific and explicit**: Replace vague instructions with precise ones.
+- **Set the context**: Include background information the model needs to
+  perform well.
+- **Specify the output format**: State the desired structure, length, tone,
+  or format (e.g. bullet list, JSON, step-by-step).
+- **Add constraints**: Include what the model should avoid or not do.
+- **Use examples** (few-shot): When applicable, suggest adding examples to
+  anchor the model's behaviour.
+- **Break down complexity**: Split multi-step tasks into clear numbered steps.
+- **Avoid ambiguity**: Remove pronouns and references that could be
+  misinterpreted.
+- **Chain of thought**: For reasoning tasks, include "Think step by step."
+
+## Constraints
+
+- Do NOT execute the prompt yourself.
+- Do NOT answer the question inside the prompt.
+- Do NOT add unnecessary verbosity — prompts should be as short as they can
+  be while remaining complete.
+- Always preserve the user's original intent.
+
+## Output
+
+Refined Prompt: The improved, ready-to-use prompt. Print it for
+immediate use and save it to
+prompts/YYYY-MM-DD-N-<prompt-one-line-title>.md for future use.

.opencode/agents/testing.md

@@ -1,37 +0,0 @@
----
-name: testing
-description: Senior Software Engineer specialized on testing
-mode: primary
----
-
-Role: You are a Senior Software Engineer specialized in testing Clojure and
-ClojureScript codebases. You work on Penpot, an open-source design tool.
-
-Tech stack: Clojure (backend/JVM), ClojureScript (frontend/Node.js), shared
-Cljc (common module), Rust (render-wasm).
-
-Requirements:
-
-* Read the root `AGENTS.md` to understand the repository and application
-  architecture. Then read the `AGENTS.md` **only** for each affected module.  Not all
-  modules have one — verify before reading.
-* Before writing code, describe your plan. If the task is complex, break it down into
-  atomic steps.
-* Tests should be exhaustive and include edge cases relevant to Penpot's domain:
-  nil/missing fields, empty collections, invalid UUIDs, boundary geometries, Malli schema
-  violations, concurrent state mutations, and timeouts.
-* Tests must be deterministic — do not use `setTimeout`, real network calls, or rely on
-  execution order. Use synchronous mocks for asynchronous workflows.
-* Use `with-redefs` or equivalent mocking utilities to isolate the logic under test. Avoid
-  testing through the UI (DOM); e2e tests cover that.
-* Only reference functions, namespaces, or test utilities that actually exist in the
-  codebase. Verify their existence before citing them.
-* After adding or modifying tests, run the applicable lint and format checks for the
-  affected module before considering the work done (see module `AGENTS.md` for exact
-  commands).
-* Make small and logical commits following the commit guideline described in
-  `CONTRIBUTING.md`. Commit only when explicitly asked.
-- Do not guess or hallucinate git author information (Name or Email). Never include the
-  `--author` flag in git commands unless specifically instructed by the user for a unique
-  case; assume the local environment is already configured. Allow git commit to
-  automatically pull the identity from the local git config `user.name` and `user.email`.

.opencode/skills/backport-commit/SKILL.md

@@ -0,0 +1,90 @@
+---
+name: backport-commit
+description: Port changes from a specific Git commit to the current branch by manually applying the diff, avoiding cherry-pick when it would introduce complex conflicts.
+---
+
+# Backport Commit
+
+Port changes from a specific Git commit to the current branch by manually
+applying the diff, avoiding `git cherry-pick` when it would introduce
+complex conflicts.
+
+## When to Use
+
+Use this skill whenever the user asks to backport a commit, especially when:
+
+- The commit touches multiple modules or files with significant divergence
+- `git cherry-pick` is explicitly ruled out ("do not use cherry-pick")
+- The target commit is old enough that conflicts are likely
+- The commit introduces both source changes AND new files (tests, etc.)
+- You need full control over how each hunk is applied
+
+## Workflow
+
+### 1. Identify the target commit
+
+```bash
+# Verify the commit exists and understand what it does
+git log --oneline -1 <commit-sha>
+
+# Get the full diff (including new/deleted files)
+git show <commit-sha>
+
+# Capture the original commit message for later reuse
+git log --format='%B' -1 <commit-sha>
+```
+
+### 2. Identify affected modules
+
+From the file paths in the diff, determine which Penpot modules are affected
+(frontend, backend, common, render-wasm, etc.) and read their `AGENTS.md`
+files **before** making any changes. If a module has no `AGENTS.md`, skip
+that step — verify with `ls <module>/AGENTS.md` first.
+
+### 3. Read the current state of each affected file
+
+For every file the diff touches, read the current version on disk to understand
+context and ensure correct placement before editing.
+
+### 4. Apply changes manually (the core of this approach)
+
+Process every hunk in the diff using the appropriate tool:
+
+| Diff action | Tool to use |
+|-------------|-------------|
+| Modify existing file | `edit` — use enough surrounding context in `oldString` to uniquely match the location |
+| Add new file | `write` — include proper license header and namespace conventions matching project style |
+| Delete file | `bash rm <path>` |
+| Rename/move file | `bash mv <old> <new>`, then apply any content changes with `edit` |
+
+> **Tip:** Group nearby hunks from the same file into a single `edit` call.
+> Use separate calls when hunks are far apart to keep `oldString` short and
+> unambiguous.
+
+Repeat until **all** hunks in the diff are ported.
+
+### 5. Validate
+
+Run **lint**, **check-fmt**, and **tests** for every affected module (see each
+module's `AGENTS.md` for the exact commands). If the formatter auto-fixes
+indentation, verify the logic is still semantically correct. All checks must
+pass before moving on.
+
+### 6. Port the changelog entry (if any)
+
+If the original commit added or modified a `CHANGES.md` entry, port that entry
+too — adapting wording and version references for the target branch.
+
+### 7. Commit
+
+Ask the `commiter` sub-agent to create a commit. Stage all relevant files
+(exclude unrelated untracked files) and provide the original commit message as
+a reference, adapting it as needed for the target branch context.
+
+## Key Principles
+
+- **Context matters** — always read files before editing; never guess
+  indentation or surrounding code
+- **Lint + format + test** — never skip validation before committing
+- **Preserve intent** — keep the original commit message meaning; the
+  `commiter` agent handles formatting

.opencode/skills/bat-cat/SKILL.md

@@ -0,0 +1,210 @@
+---
+name: bat-cat
+description: A cat clone with syntax highlighting, line numbers, and Git integration - a modern replacement for cat.
+homepage: https://github.com/sharkdp/bat
+metadata: {"clawdbot":{"emoji":"🦇","requires":{"bins":["bat"]},"install":[{"id":"brew","kind":"brew","formula":"bat","bins":["bat"],"label":"Install bat (brew)"},{"id":"apt","kind":"apt","package":"bat","bins":["bat"],"label":"Install bat (apt)"}]}}
+---
+
+# bat - Better cat
+
+`cat` with syntax highlighting, line numbers, and Git integration.
+
+## Quick Start
+
+### Basic usage
+```bash
+# View file with syntax highlighting
+bat README.md
+
+# Multiple files
+bat file1.js file2.py
+
+# With line numbers (default)
+bat script.sh
+
+# Without line numbers
+bat -p script.sh
+```
+
+### Viewing modes
+```bash
+# Plain mode (like cat)
+bat -p file.txt
+
+# Show non-printable characters
+bat -A file.txt
+
+# Squeeze blank lines
+bat -s file.txt
+
+# Paging (auto for large files)
+bat --paging=always file.txt
+bat --paging=never file.txt
+```
+
+## Syntax Highlighting
+
+### Language detection
+```bash
+# Auto-detect from extension
+bat script.py
+
+# Force specific language
+bat -l javascript config.txt
+
+# Show all languages
+bat --list-languages
+```
+
+### Themes
+```bash
+# List available themes
+bat --list-themes
+
+# Use specific theme
+bat --theme="Monokai Extended" file.py
+
+# Set default theme in config
+# ~/.config/bat/config: --theme="Dracula"
+```
+
+## Line Ranges
+
+```bash
+# Show specific lines
+bat -r 10:20 file.txt
+
+# From line to end
+bat -r 100: file.txt
+
+# Start to specific line
+bat -r :50 file.txt
+
+# Multiple ranges
+bat -r 1:10 -r 50:60 file.txt
+```
+
+## Git Integration
+
+```bash
+# Show Git modifications (added/removed/modified lines)
+bat --diff file.txt
+
+# Show decorations (Git + file header)
+bat --decorations=always file.txt
+```
+
+## Output Control
+
+```bash
+# Output raw (no styling)
+bat --style=plain file.txt
+
+# Customize style
+bat --style=numbers,changes file.txt
+
+# Available styles: auto, full, plain, changes, header, grid, numbers, snip
+bat --style=header,grid,numbers file.txt
+```
+
+## Common Use Cases
+
+**Quick file preview:**
+```bash
+bat file.json
+```
+
+**View logs with syntax highlighting:**
+```bash
+bat error.log
+```
+
+**Compare files visually:**
+```bash
+bat --diff file1.txt
+bat file2.txt
+```
+
+**Preview before editing:**
+```bash
+bat config.yaml && vim config.yaml
+```
+
+**Cat replacement in pipes:**
+```bash
+bat -p file.txt | grep "pattern"
+```
+
+**View specific function:**
+```bash
+bat -r 45:67 script.py  # If function is on lines 45-67
+```
+
+## Integration with other tools
+
+**As pager for man pages:**
+```bash
+export MANPAGER="sh -c 'col -bx | bat -l man -p'"
+man grep
+```
+
+**With ripgrep:**
+```bash
+rg "pattern" -l | xargs bat
+```
+
+**With fzf:**
+```bash
+fzf --preview 'bat --color=always --style=numbers {}'
+```
+
+**With diff:**
+```bash
+diff -u file1 file2 | bat -l diff
+```
+
+## Configuration
+
+Create `~/.config/bat/config` for defaults:
+
+```
+# Set theme
+--theme="Dracula"
+
+# Show line numbers, Git modifications and file header, but no grid
+--style="numbers,changes,header"
+
+# Use italic text on terminal
+--italic-text=always
+
+# Add custom mapping
+--map-syntax "*.conf:INI"
+```
+
+## Performance Tips
+
+- Use `-p` for plain mode when piping
+- Use `--paging=never` when output is used programmatically
+- `bat` caches parsed files for faster subsequent access
+
+## Tips
+
+- **Alias:** `alias cat='bat -p'` for drop-in cat replacement
+- **Pager:** Use as pager with `export PAGER="bat"`
+- **On Debian/Ubuntu:** Command may be `batcat` instead of `bat`
+- **Custom syntaxes:** Add to `~/.config/bat/syntaxes/`
+- **Performance:** For huge files, use `bat --paging=never` or plain `cat`
+
+## Common flags
+
+- `-p` / `--plain`: Plain mode (no line numbers/decorations)
+- `-n` / `--number`: Only show line numbers
+- `-A` / `--show-all`: Show non-printable characters
+- `-l` / `--language`: Set language for syntax highlighting
+- `-r` / `--line-range`: Only show specific line range(s)
+
+## Documentation
+
+GitHub: https://github.com/sharkdp/bat
+Man page: `man bat`
+Customization: https://github.com/sharkdp/bat#customization

.opencode/skills/fd-find/SKILL.md

@@ -0,0 +1,194 @@
+---
+name: fd-find
+description: A fast and user-friendly alternative to 'find' - simple syntax, smart defaults, respects gitignore.
+homepage: https://github.com/sharkdp/fd
+metadata: {"clawdbot":{"emoji":"📂","requires":{"bins":["fd"]},"install":[{"id":"brew","kind":"brew","formula":"fd","bins":["fd"],"label":"Install fd (brew)"},{"id":"apt","kind":"apt","package":"fd-find","bins":["fd"],"label":"Install fd (apt)"}]}}
+---
+
+# fd - Fast File Finder
+
+User-friendly alternative to `find` with smart defaults.
+
+## Quick Start
+
+### Basic search
+```bash
+# Find files by name
+fd pattern
+
+# Find in specific directory
+fd pattern /path/to/dir
+
+# Case-insensitive
+fd -i pattern
+```
+
+### Common patterns
+```bash
+# Find all Python files
+fd -e py
+
+# Find multiple extensions
+fd -e py -e js -e ts
+
+# Find directories only
+fd -t d pattern
+
+# Find files only
+fd -t f pattern
+
+# Find symlinks
+fd -t l
+```
+
+## Advanced Usage
+
+### Filtering
+```bash
+# Exclude patterns
+fd pattern -E "node_modules" -E "*.min.js"
+
+# Include hidden files
+fd -H pattern
+
+# Include ignored files (.gitignore)
+fd -I pattern
+
+# Search all (hidden + ignored)
+fd -H -I pattern
+
+# Maximum depth
+fd pattern -d 3
+```
+
+### Execution
+```bash
+# Execute command on results
+fd -e jpg -x convert {} {.}.png
+
+# Parallel execution
+fd -e md -x wc -l
+
+# Use with xargs
+fd -e log -0 | xargs -0 rm
+```
+
+### Regex patterns
+```bash
+# Full regex search
+fd '^test.*\.js$'
+
+# Match full path
+fd --full-path 'src/.*/test'
+
+# Glob pattern
+fd -g "*.{js,ts}"
+```
+
+## Time-based filtering
+```bash
+# Modified within last day
+fd --changed-within 1d
+
+# Modified before specific date
+fd --changed-before 2024-01-01
+
+# Created recently
+fd --changed-within 1h
+```
+
+## Size filtering
+```bash
+# Files larger than 10MB
+fd --size +10m
+
+# Files smaller than 1KB
+fd --size -1k
+
+# Specific size range
+fd --size +100k --size -10m
+```
+
+## Output formatting
+```bash
+# Absolute paths
+fd --absolute-path
+
+# List format (like ls -l)
+fd --list-details
+
+# Null separator (for xargs)
+fd -0 pattern
+
+# Color always/never/auto
+fd --color always pattern
+```
+
+## Common Use Cases
+
+**Find and delete old files:**
+```bash
+fd --changed-before 30d -t f -x rm {}
+```
+
+**Find large files:**
+```bash
+fd --size +100m --list-details
+```
+
+**Copy all PDFs to directory:**
+```bash
+fd -e pdf -x cp {} /target/dir/
+```
+
+**Count lines in all Python files:**
+```bash
+fd -e py -x wc -l | awk '{sum+=$1} END {print sum}'
+```
+
+**Find broken symlinks:**
+```bash
+fd -t l -x test -e {} \; -print
+```
+
+**Search in specific time window:**
+```bash
+fd --changed-within 2d --changed-before 1d
+```
+
+## Integration with other tools
+
+**With ripgrep:**
+```bash
+fd -e js | xargs rg "pattern"
+```
+
+**With fzf (fuzzy finder):**
+```bash
+vim $(fd -t f | fzf)
+```
+
+**With bat (cat alternative):**
+```bash
+fd -e md | xargs bat
+```
+
+## Performance Tips
+
+- `fd` is typically much faster than `find`
+- Respects `.gitignore` by default (disable with `-I`)
+- Uses parallel traversal automatically
+- Smart case: lowercase = case-insensitive, any uppercase = case-sensitive
+
+## Tips
+
+- Use `-t` for type filtering (f=file, d=directory, l=symlink, x=executable)
+- `-e` for extension is simpler than `-g "*.ext"`
+- `{}` in `-x` commands represents the found path
+- `{.}` strips the extension
+- `{/}` gets basename, `{//}` gets directory
+
+## Documentation
+
+GitHub: https://github.com/sharkdp/fd
+Man page: `man fd`

.opencode/skills/gh-issue-from-pr/SKILL.md

@@ -0,0 +1,230 @@
+---
+name: gh-issue-from-pr
+description: Create a user-facing GitHub issue from a PR, separating the WHAT from the HOW, with correct milestone, project, labels, and issue type.
+---
+
+# Skill: gh-issue-from-pr
+
+Create a GitHub issue that captures the **WHAT** (user-facing feature or
+bug) from an existing PR that describes the **HOW** (implementation).
+Used when the project board needs an issue as the primary changelog/release unit.
+
+## When to Use
+
+- Create a tracking issue from a PR for changelog purposes
+- Extract the user-facing problem/feature from a PR's implementation details
+- Assign milestone, project, labels, and issue type to a new issue derived from a PR
+
+## Prerequisites
+
+- `gh` CLI authenticated (`gh auth status`)
+- Permission to create issues and edit PRs in the target repository
+
+## Workflow
+
+### 1. Understand the PR
+
+```bash
+gh pr view <PR_NUMBER> --repo penpot/penpot \
+  --json title,body,author,labels,baseRefName,mergedAt,state,milestone
+```
+
+Identify:
+
+- **WHAT** — user-facing problem or feature. Goes into the issue.
+  Describe symptoms and impact, not internal mechanisms.
+- **HOW** — implementation details. These belong in the PR, not the issue.
+
+### 2. Determine metadata
+
+| Field | Source | Rule |
+|-------|--------|------|
+| **Title** | PR title | Rewrite from user perspective. Strip leading emoji prefixes (`:bug:`, `:sparkles:`, `:tada:`). Focus on observable behavior. Use imperative mood. |
+| **Labels** | PR labels | Copy user-facing labels (`bug`, `enhancement`, `community contribution`). Skip workflow labels (`backport candidate`, `team-qa`). |
+| **Milestone** | PR milestone | **Always copy what's on the PR.** Fetch with: `gh pr view <PR_NUMBER> --json milestone --jq '.milestone.title'` If the PR has no milestone, create the issue without one. |
+| **Project** | Always `Main` | Penpot uses the `Main` project (number 8) for all issues. |
+| **Body** | PR's user-facing section | Extract steps to reproduce or feature description. Omit internal details. Use templates below. |
+| **Issue Type** | PR labels / title | Map: `bug` label or `:bug:` title → `Bug`. `enhancement` label or `:sparkles:` title → `Enhancement`. Feature/epic → `Feature`. Default → `Task`. |
+
+### 3. Write the issue body
+
+**Bug template:**
+
+```markdown
+### Description
+
+<what breaks, what the user experiences>
+
+### Steps to reproduce
+
+1. <step 1>
+2. <step 2>
+
+### Expected behavior
+
+<what should happen instead>
+
+### Affected versions
+
+<version>
+```
+
+**Enhancement template:**
+
+```markdown
+### Description
+
+<what the user can now do that they couldn't before>
+
+### Use case
+
+<why this is useful, who benefits>
+
+### Affected versions
+
+<version>
+```
+
+### 4. Create the issue
+
+Write the body to a temp file to avoid shell quoting issues:
+
+```bash
+cat > /tmp/issue-body.md << 'ISSUE_BODY'
+<body content here>
+ISSUE_BODY
+```
+
+Create:
+
+```bash
+gh issue create \
+  --repo penpot/penpot \
+  --title "<Title>" \
+  --label "<label1>" \
+  --label "<label2>" \
+  --milestone "<milestone>" \
+  --project "Main" \
+  --body-file /tmp/issue-body.md
+```
+
+Output: `https://github.com/penpot/penpot/issues/<NUMBER>`
+
+### 5. Assign to the PR author
+
+Assign the issue to the PR author so they're responsible for it:
+
+```bash
+AUTHOR=$(gh pr view <PR_NUMBER> --repo penpot/penpot --json author --jq '.author.login')
+gh issue edit <ISSUE_NUMBER> --repo penpot/penpot --add-assignee "$AUTHOR"
+```
+
+### 6. Set the Issue Type
+
+`gh issue create` can't set the Issue Type directly. Use GraphQL.
+
+Get the issue's GraphQL node ID:
+
+```bash
+ISSUE_ID=$(gh api graphql -f query='
+query { repository(owner: "penpot", name: "penpot") {
+  issue(number: <ISSUE_NUMBER>) { id }
+}}' --jq '.data.repository.issue.id')
+```
+
+Issue Type IDs for the Penpot repo:
+
+| Type | ID |
+|------|----|
+| Bug | `IT_kwDOAcyBPM4AX5Nb` |
+| Enhancement | `IT_kwDOAcyBPM4B_IQN` |
+| Feature | `IT_kwDOAcyBPM4AX5Nf` |
+| Task | `IT_kwDOAcyBPM4AX5NY` |
+| Question | `IT_kwDOAcyBPM4B_IQj` |
+| Docs | `IT_kwDOAcyBPM4B_IQz` |
+
+Set it:
+
+```bash
+gh api graphql -f query='
+mutation {
+  updateIssue(input: {
+    id: "'"$ISSUE_ID"'"
+    issueTypeId: "<TYPE_ID>"
+  }) {
+    issue { number issueType { name } }
+  }
+}'
+```
+
+### 7. Verify
+
+```bash
+gh issue view <ISSUE_NUMBER> --repo penpot/penpot \
+  --json title,milestone,projectItems,labels \
+  --jq '{title, milestone: .milestone.title, projects: [.projectItems[].title], labels: [.labels[].name]}'
+
+gh api graphql -f query='
+query { repository(owner: "penpot", name: "penpot") {
+  issue(number: <ISSUE_NUMBER>) { issueType { name } }
+}}' --jq '.data.repository.issue.issueType.name'
+```
+
+### 8. Link the PR to the issue
+
+Append `Closes #<ISSUE_NUMBER>` to the PR body:
+
+```bash
+gh pr view <PR_NUMBER> --repo penpot/penpot --json body --jq '.body' > /tmp/pr-body.md
+printf "\n\nCloses #<ISSUE_NUMBER>\n" >> /tmp/pr-body.md
+gh pr edit <PR_NUMBER> --repo penpot/penpot --body-file /tmp/pr-body.md
+
+# Verify
+gh pr view <PR_NUMBER> --repo penpot/penpot --json body \
+  --jq '.body | test("Closes #<ISSUE_NUMBER>")'
+```
+
+**Note:** If the PR is already merged, `Closes` won't auto-close the issue
+— it only creates the "Development" sidebar link. This is the desired
+behavior since the issue is a tracking artifact.
+
+### 9. Clean up
+
+```bash
+rm -f /tmp/issue-body.md /tmp/pr-body.md
+```
+
+## Label rules
+
+| PR has | Issue gets |
+|--------|-----------|
+| `bug` | `bug` |
+| `enhancement` | `enhancement` |
+| `community contribution` | `community contribution` |
+| `backport candidate` | *(skip — workflow label)* |
+| `team-qa` | *(skip — workflow label)* |
+| No user-facing label | Infer from title: `:bug:` → `bug`, `:sparkles:` → `enhancement` |
+
+## Issue Type mapping
+
+| PR label(s) / title prefix | Issue Type |
+|----------------------------|-----------|
+| `bug` or `:bug:` | Bug |
+| `enhancement` or `:sparkles:` or `:tada:` | Enhancement |
+| Feature / epic | Feature |
+| Documentation | Docs |
+| None of the above | Task |
+
+## Key Principles
+
+- **Issue = WHAT, PR = HOW.** Never put implementation details in the
+  issue body. The issue is for users, QA, and changelog readers.
+- **Copy the milestone from the PR.** Don't guess based on branch names.
+  If the PR has no milestone, create the issue without one.
+- **Set Issue Type via GraphQL** — `gh issue create` can't set it.
+- **Link via PR body** — `Closes #<NUMBER>` creates the "Development"
+  sidebar link automatically.
+- **One issue per PR** — even if a PR fixes multiple things, create a
+  single issue that summarizes the overall change.
+- **Community attribution:** if the PR has the `community contribution`
+  label or the author is not a core team member, add the label to the issue.

.opencode/skills/jq-json-processor/SKILL.md

@@ -0,0 +1,112 @@
+---
+name: jq-json-processor
+description: Process, filter, and transform JSON data using jq - the lightweight and flexible command-line JSON processor.
+homepage: https://jqlang.github.io/jq/
+metadata: {"clawdbot":{"emoji":"🔍","requires":{"bins":["jq"]},"install":[{"id":"brew","kind":"brew","formula":"jq","bins":["jq"],"label":"Install jq (brew)"},{"id":"apt","kind":"apt","package":"jq","bins":["jq"],"label":"Install jq (apt)"}]}}
+---
+
+# jq JSON Processor
+
+Process, filter, and transform JSON data with jq.
+
+## Quick Examples
+
+### Basic filtering
+```bash
+# Extract a field
+echo '{"name":"Alice","age":30}' | jq '.name'
+# Output: "Alice"
+
+# Multiple fields
+echo '{"name":"Alice","age":30}' | jq '{name: .name, age: .age}'
+
+# Array indexing
+echo '[1,2,3,4,5]' | jq '.[2]'
+# Output: 3
+```
+
+### Working with arrays
+```bash
+# Map over array
+echo '[{"name":"Alice"},{"name":"Bob"}]' | jq '.[].name'
+# Output: "Alice" "Bob"
+
+# Filter array
+echo '[1,2,3,4,5]' | jq 'map(select(. > 2))'
+# Output: [3,4,5]
+
+# Length
+echo '[1,2,3]' | jq 'length'
+# Output: 3
+```
+
+### Common operations
+```bash
+# Pretty print JSON
+cat file.json | jq '.'
+
+# Compact output
+cat file.json | jq -c '.'
+
+# Raw output (no quotes)
+echo '{"name":"Alice"}' | jq -r '.name'
+# Output: Alice
+
+# Sort keys
+echo '{"z":1,"a":2}' | jq -S '.'
+```
+
+### Advanced filtering
+```bash
+# Select with conditions
+jq '[.[] | select(.age > 25)]' people.json
+
+# Group by
+jq 'group_by(.category)' items.json
+
+# Reduce
+echo '[1,2,3,4,5]' | jq 'reduce .[] as $item (0; . + $item)'
+# Output: 15
+```
+
+### Working with files
+```bash
+# Read from file
+jq '.users[0].name' users.json
+
+# Multiple files
+jq -s '.[0] * .[1]' file1.json file2.json
+
+# Modify and save
+jq '.version = "2.0"' package.json > package.json.tmp && mv package.json.tmp package.json
+```
+
+## Common Use Cases
+
+**Extract specific fields from API response:**
+```bash
+curl -s https://api.github.com/users/octocat | jq '{name: .name, repos: .public_repos, followers: .followers}'
+```
+
+**Convert CSV-like data:**
+```bash
+jq -r '.[] | [.name, .email, .age] | @csv' users.json
+```
+
+**Debug API responses:**
+```bash
+curl -s https://api.example.com/data | jq '.'
+```
+
+## Tips
+
+- Use `-r` for raw string output (removes quotes)
+- Use `-c` for compact output (single line)
+- Use `-S` to sort object keys
+- Use `--arg name value` to pass variables
+- Pipe multiple jq operations: `jq '.a' | jq '.b'`
+
+## Documentation
+
+Full manual: https://jqlang.github.io/jq/manual/
+Interactive tutorial: https://jqplay.org/

.opencode/skills/nrepl-eval/SKILL.md

@@ -0,0 +1,120 @@
+---
+name: nrepl-eval
+description: Evaluate Clojure code via nREPL using the standalone tools/nrepl-eval.mjs CLI tool.
+---
+
+# nREPL Eval
+
+Evaluate Clojure (or ClojureScript) code via a running nREPL server using
+`tools/nrepl-eval.mjs` — a standalone CLI application.
+
+Session state (defs, in-ns, etc.) persists across invocations via a stored
+session ID, so you can build up state incrementally.
+
+## Usage
+
+```bash
+node tools/nrepl-eval.mjs [options] [<code>]
+```
+
+The tool is also executable directly:
+```bash
+./tools/nrepl-eval.mjs [options] [<code>]
+```
+
+## Options
+
+| Flag | Description | Default |
+|------|-------------|---------|
+| `-p, --port PORT` | nREPL server port | `6064` |
+| `-H, --host HOST` | nREPL server host | `127.0.0.1` |
+| `-t, --timeout MS` | Timeout in milliseconds | `120000` |
+| `--reset-session` | Discard stored session and start fresh | — |
+| `-e, --last-error` | Evaluate `*e` to retrieve the last exception | — |
+| `-h, --help` | Show help message | — |
+
+## When to Use
+
+Use this tool when you need to:
+
+1. **Evaluate Clojure code** during development — test functions, inspect
+   state, or run experiments against a running Clojure process.
+2. **Verify that edited files compile** — require namespaces with `:reload`
+   to pick up changes.
+3. **Inspect the last exception** after a failed evaluation — use `-e` to
+   print the error stored in `*e`.
+
+## Workflow
+
+### 1. Session management
+
+Sessions are persisted to `/tmp/penpot-nrepl-session-<host>-<port>`. State
+carries across calls automatically:
+
+```bash
+./tools/nrepl-eval.mjs '(def x 42)'
+./tools/nrepl-eval.mjs 'x'
+# => 42
+```
+
+Reset the session to start fresh:
+
+```bash
+./tools/nrepl-eval.mjs --reset-session '(def x 0)'
+```
+
+### 2. Evaluate code
+
+**Single expression (inline) — uses default port 6064:**
+```bash
+./tools/nrepl-eval.mjs '(+ 1 2 3)'
+```
+
+**Multiple expressions via heredoc (recommended — avoids escaping issues):**
+```bash
+./tools/nrepl-eval.mjs <<'EOF'
+(def x 10)
+(+ x 20)
+EOF
+```
+
+**Override with a different port:**
+```bash
+./tools/nrepl-eval.mjs -p 7888 '(+ 1 2 3)'
+```
+
+### 3. Inspect last exception
+
+After code throws an error, retrieve the full exception details:
+
+```bash
+./tools/nrepl-eval.mjs -e
+```
+
+## Common Patterns
+
+**Require a namespace with reload:**
+```bash
+./tools/nrepl-eval.mjs "(require '[my.namespace :as ns] :reload)"
+```
+
+**Test a function:**
+```bash
+./tools/nrepl-eval.mjs "(ns/my-function arg1 arg2)"
+```
+
+**Long-running operation with custom timeout:**
+```bash
+./tools/nrepl-eval.mjs -t 300000 "(long-running-fn)"
+```
+
+## Key Principles
+
+- **Default port is 6064** — just pass code directly, no `-p` needed when
+  your nREPL server is on 6064. Use `-p <PORT>` for a different port.
+- **Always use `:reload`** when requiring namespaces to pick up file changes.
+- **Session is reused** across invocations — defs, in-ns, and var bindings
+  persist. Use `--reset-session` to clear.
+- **Do not start any server** — the tool connects to an existing nREPL
+  server, it is not the agent's responsibility to start the nREPL server
+  (assume the server is already running on the specified port).

.opencode/skills/ripgrep/SKILL.md

@@ -0,0 +1,150 @@
+---
+name: ripgrep
+description: Blazingly fast text search tool - recursively searches directories for regex patterns with respect to gitignore rules.
+homepage: https://github.com/BurntSushi/ripgrep
+metadata: {"clawdbot":{"emoji":"🔎","requires":{"bins":["rg"]},"install":[{"id":"brew","kind":"brew","formula":"ripgrep","bins":["rg"],"label":"Install ripgrep (brew)"},{"id":"apt","kind":"apt","package":"ripgrep","bins":["rg"],"label":"Install ripgrep (apt)"}]}}
+---
+
+# ripgrep (rg)
+
+Fast, smart recursive search. Respects `.gitignore` by default.
+
+## Quick Start
+
+### Basic search
+```bash
+# Search for "TODO" in current directory
+rg "TODO"
+
+# Case-insensitive search
+rg -i "fixme"
+
+# Search specific file types
+rg "error" -t py       # Python files only
+rg "function" -t js    # JavaScript files
+```
+
+### Common patterns
+```bash
+# Whole word match
+rg -w "test"
+
+# Show only filenames
+rg -l "pattern"
+
+# Show with context (3 lines before/after)
+rg -C 3 "function"
+
+# Count matches
+rg -c "import"
+```
+
+## Advanced Usage
+
+### File type filtering
+```bash
+# Multiple file types
+rg "error" -t py -t js
+
+# Exclude file types
+rg "TODO" -T md -T txt
+
+# List available types
+rg --type-list
+```
+
+### Search modifiers
+```bash
+# Regex search
+rg "user_\d+"
+
+# Fixed string (no regex)
+rg -F "function()"
+
+# Multiline search
+rg -U "start.*end"
+
+# Only show matches, not lines
+rg -o "https?://[^\s]+"
+```
+
+### Path filtering
+```bash
+# Search specific directory
+rg "pattern" src/
+
+# Glob patterns
+rg "error" -g "*.log"
+rg "test" -g "!*.min.js"
+
+# Include hidden files
+rg "secret" --hidden
+
+# Search all files (ignore .gitignore)
+rg "pattern" --no-ignore
+```
+
+## Replacement Operations
+
+```bash
+# Preview replacements
+rg "old_name" --replace "new_name"
+
+# Actually replace (requires extra tool like sd)
+rg "old_name" -l | xargs sed -i 's/old_name/new_name/g'
+```
+
+## Performance Tips
+
+```bash
+# Parallel search (auto by default)
+rg "pattern" -j 8
+
+# Skip large files
+rg "pattern" --max-filesize 10M
+
+# Memory map files
+rg "pattern" --mmap
+```
+
+## Common Use Cases
+
+**Find TODOs in code:**
+```bash
+rg "TODO|FIXME|HACK" --type-add 'code:*.{rs,go,py,js,ts}' -t code
+```
+
+**Search in specific branches:**
+```bash
+git show branch:file | rg "pattern"
+```
+
+**Find files containing multiple patterns:**
+```bash
+rg "pattern1" | rg "pattern2"
+```
+
+**Search with context and color:**
+```bash
+rg -C 2 --color always "error" | less -R
+```
+
+## Comparison to grep
+
+- **Faster:** Typically 5-10x faster than grep
+- **Smarter:** Respects `.gitignore`, skips binary files
+- **Better defaults:** Recursive, colored output, line numbers
+- **Easier:** Simpler syntax for common tasks
+
+## Tips
+
+- `rg` is often faster than `grep -r`
+- Use `-t` for file type filtering instead of `--include`
+- Combine with other tools: `rg pattern -l | xargs tool`
+- Add custom types in `~/.ripgreprc`
+- Use `--stats` to see search performance
+
+## Documentation
+
+GitHub: https://github.com/BurntSushi/ripgrep
+User Guide: https://github.com/BurntSushi/ripgrep/blob/master/GUIDE.md

.opencode/skills/taiga/SKILL.md

@@ -0,0 +1,110 @@
+---
+name: taiga
+description: Fetch information from Taiga public API for the Penpot project (id 345963) — issues, user stories, and tasks, without authentication.
+metadata: {"clawdbot":{"requires":{"bins":["python3"]}}}
+---
+
+# Taiga API Skill
+
+Fetch information from Taiga public API for the **Penpot** project
+(project id: `345963`, slug: `penpot`).
+
+**No authentication required** — only public project data is accessed.
+
+## Prerequisites
+
+- `python3` — the `tools/taiga.py` CLI script is self-contained (stdlib only)
+
+## Quick Start
+
+The easiest way is to use the bundled Python script:
+
+```bash
+# Pass a Taiga URL directly
+python3 tools/taiga.py https://tree.taiga.io/project/penpot/issue/13714
+
+# Or use "<type> <ref>" syntax
+python3 tools/taiga.py us 14128
+python3 tools/taiga.py task 13648
+
+# Add --json for raw output
+python3 tools/taiga.py --json issue 13714
+
+# See full usage
+python3 tools/taiga.py --help
+```
+
+## URL Pattern Reference
+
+Taiga web URLs follow these patterns:
+
+| Type | Web URL Pattern |
+|------|----------------|
+| Issue | `https://tree.taiga.io/project/penpot/issue/<REF>` |
+| User Story | `https://tree.taiga.io/project/penpot/us/<REF>` |
+| Task | `https://tree.taiga.io/project/penpot/task/<REF>` |
+
+To extract the **type** and **ref** from a URL:
+- `issue/13714` → type=`issue`, ref=`13714`
+- `us/14128` → type=`us`, ref=`14128`
+- `task/13648` → type=`task`, ref=`13648`
+
+## Python Script Reference
+
+The `tools/taiga.py` script wraps the Taiga API into a single convenient CLI
+with sensible defaults.
+
+### Usage
+
+```
+python3 tools/taiga.py <taiga-url>
+python3 tools/taiga.py <type> <ref>
+python3 tools/taiga.py [--json] <taiga-url>
+python3 tools/taiga.py [--json] <type> <ref>
+```
+
+### Examples
+
+```bash
+# By URL (recommended — no need to think about type/ref)
+python3 tools/taiga.py https://tree.taiga.io/project/penpot/issue/13714
+
+# By type and ref
+python3 tools/taiga.py us 14128
+python3 tools/taiga.py task 13648
+
+# Raw JSON output
+python3 tools/taiga.py --json issue 13714
+```
+
+### Output
+
+The script prints a clean, structured summary:
+
+```text
+User Story #11964 — 🔴 [DESIGN TOKENS] Typography Composite Input
+================================
+Status:     Defining
+Milestone:  design-systems-sprint-26
+Points:     3 role(s)
+Assignee:   Natacha Menjibar
+Author:     Natacha Menjibar
+Created:    2025-09-01
+Tags:       iop-design-tokens
+URL:        https://tree.taiga.io/project/penpot/us/11964
+================================
+<full description text, unmodified>
+```
+
+The fields section includes type-specific information:
+- **Issues:** Status, Type ID, Severity ID, Priority ID
+- **User Stories:** Status, Milestone, Points
+- **Tasks:** Status, Milestone, Parent US
+
+## Reference
+
+- API docs: https://docs.taiga.io/api.html
+- Taiga instance: https://tree.taiga.io
+- API base: https://api.taiga.io/api/v1
+- Penpot project id: `345963`
+- Penpot project slug: `penpot`

.opencode/skills/update-changelog/SKILL.md

@@ -0,0 +1,246 @@
+---
+name: update-changelog
+description: Update the project CHANGES.md with issues from a given GitHub milestone, with correct categorization and references.
+---
+
+# Skill: update-changelog
+
+Update `CHANGES.md` with entries for all issues and PRs in a given GitHub
+milestone. Each entry references the user-facing issue (not the PR) as the
+primary link, with the fix PR inline on the same line.
+
+## When to Use
+
+- Before a new release, to populate the changelog with all fixed issues
+- When new issues are added to an existing milestone and the changelog needs
+  to be refreshed
+- To ensure every entry follows the correct format for the changelog
+
+## Prerequisites
+
+- `gh` CLI authenticated (`gh auth status`)
+- Python 3.8+
+- `tools/gh.py` helper script available
+
+## Workflow
+
+### 1. Determine the target version
+
+The version is typically a semver string like `2.15.3`. Confirm with the user
+if not specified.
+
+### 2. Fetch all issues in the milestone
+
+Use the helper script. It uses GraphQL for efficient single-pass fetching
+(closing PRs are included in the same query — no N+1):
+
+```bash
+# All closed issues (default)
+python3 tools/gh.py issues "2.16.0"
+
+# Include open issues too
+python3 tools/gh.py issues "2.16.0" --state all
+
+# Exclude entries that should not go in the changelog
+python3 tools/gh.py issues "2.16.0" --exclude "release blocker,no changelog"
+```
+
+**Exclusion rules:**
+- `no changelog` label — Chore/refactor work that doesn't need a changelog entry
+- `Task` issue type — Internal chores are not user-facing; filter these out after fetching
+
+The script outputs JSON with each entry containing `number`, `title`, `state`,
+`issue_type`, `labels`, and `closing_prs` (the PRs that fix each issue).
+
+### 3. Identify missing entries (optional)
+
+If updating from an existing `CHANGES.md`, find issues in the milestone that
+are NOT yet referenced in the changelog:
+
+```bash
+python3 tools/gh.py issues "2.16.0" --exclude "release blocker,no changelog" --compare CHANGES.md
+```
+
+This returns a filtered JSON array with only the missing issues.
+
+### 4. Fetch additional PR details when needed
+
+When you need more context for specific PRs (e.g. to find the PR author for
+community contribution attribution, or to read the PR body for
+"Fixes/Closes #NNN" patterns):
+
+```bash
+# One or more PR numbers
+python3 tools/gh.py prs 9179 9204 9311
+
+# From a file
+python3 tools/gh.py prs --file prs.txt
+
+# From stdin
+cat prs.txt | python3 tools/gh.py prs --stdin
+```
+
+The `prs` command returns JSON with `number`, `title`, `body`, `state`,
+`merged_at`, `author`, `labels`, and `closing_issues`. PRs are fetched in
+batches of 50 via GraphQL to stay within API limits.
+
+### 5. Categorize entries — strictly by issue type, never by labels or emoji
+
+Use the **Issue Type** field (GitHub's native issue type, exposed as
+`issue_type` in the `gh.py` JSON output) to determine which section an entry
+belongs to.
+
+> **⚠️ CRITICAL: Never use labels or title emoji prefixes for categorization.**
+> Labels like `bug` and `enhancement`, as well as title prefixes like `:bug:`
+> and `:sparkles:`, are frequently inaccurate, missing, or contradictory to the
+> actual issue type. The `issue_type` field from `gh.py` is the single source
+> of truth.
+
+| `issue_type` value | Changelog section |
+|--------------------|-------------------|
+| `Bug` | `### :bug: Bugs fixed` |
+| `Feature` or `Enhancement` | `### :sparkles: New features & Enhancements` |
+| `Task` | **Exclude** — internal chores are not user-facing |
+| `null` (not set) | Check labels as a fallback: `bug` label → bugs, otherwise enhancements |
+
+The `gh.py` issues command already includes `issue_type` in every entry's
+output. **No separate GraphQL query is needed.**
+
+**Community contribution attribution:** If the issue or its fix PR has the
+`community contribution` label, add an attribution `(by @<github_username>)`
+on the changelog entry line, **before** the GitHub issue/PR references.
+
+The attribution should reference the **PR author**, not the issue author.
+The `prs` subcommand includes the `author` field — use that:
+
+```bash
+python3 tools/gh.py prs <PR_NUMBER> | python3 -c "import sys,json; print(json.load(sys.stdin)[0]['author'])"
+```
+
+Placement in the entry line:
+```markdown
+- Fix description of the bug (by @username) [#<ISSUE>](...) (PR: [#<PR>](...))
+```
+
+**Only closed issues are included.** An issue must have `state: "closed"` to
+appear in the changelog. Open/unresolved issues are omitted, even if they are
+tracked in the milestone.
+
+**Pairing rules:**
+
+| Pattern | Changelog format |
+|---------|-----------------|
+| Closed issue + one or more PRs fix it | Primary link = issue, PR inline comma-separated |
+| PR exists with no linked issue | If a corresponding closed issue exists in the same milestone, link the issue. Otherwise, skip the entry (the issue must be the changelog unit). |
+| Closed issue with no fix PR in milestone | Link the issue directly, without a PR reference. |
+
+### 6. Read the current CHANGES.md
+
+Read the top of `CHANGES.md` to understand the existing format and find the
+insertion point (newest version goes at the top, after the `# CHANGELOG`
+header).
+
+Key format rules from the existing file:
+
+```markdown
+## <VERSION>
+
+### :bug: Bugs fixed
+
+- Fix description of the bug [#<ISSUE>](https://github.com/penpot/penpot/issues/<ISSUE>) (PR: [#<PR>](https://github.com/penpot/penpot/pull/<PR>))
+- Fix another bug (by @contributor) [#<ISSUE>](https://github.com/penpot/penpot/issues/<ISSUE>) (PR: [#<PR>](https://github.com/penpot/penpot/pull/<PR>))
+
+### :sparkles: New features & Enhancements
+
+- Add new feature description [#<ISSUE>](https://github.com/penpot/penpot/issues/<ISSUE>) (PR: [#<PR>](https://github.com/penpot/penpot/pull/<PR>))
+```
+
+Format details:
+- Entries start with `- ` followed by a short description in imperative mood
+- Primary link is **always the issue** (user-facing artifact)
+- PR references are inline on the same line: `(PR: [#<N>](<url>))`
+  If an issue has multiple fix PRs, they are comma-separated:
+  `(PR: [#<N>](<url>), [#<M>](<url>))`
+- The description should describe the fix/feature from the user's perspective
+- Community contributions get `(by @<username>)` **before** the issue link
+- Sections are separated by a blank line between the last entry and the next
+  section title
+- Only include a section if there are entries for it
+- When an entry already exists in an earlier version section, it must be removed
+  from the current version to avoid duplicates
+
+### 7. Build the description text
+
+Derive the description from the issue title, not the PR title. Strip leading
+emoji prefixes (`:bug:`, `:sparkles:`, `:tada:`) and focus on the
+user-facing behavior.
+
+Examples:
+
+| Issue title | Changelog description |
+|-------------|----------------------|
+| `Plugin API token methods fail with schema validation error on PRO` | `Fix Plugin API token methods failing with schema validation error on PRO` |
+| `Comment content is not sanitized before rendering, enabling stored XSS` | `Sanitize comment content on rendering` |
+| `Custom uploaded font family names are not sanitized` | `Sanitize font family names on custom uploaded fonts` |
+
+### 8. Insert the section into CHANGES.md
+
+Insert the new version section right after the `# CHANGELOG` header (before
+the previous version entry). Use the `edit` tool with enough context to make
+a unique match.
+
+### 9. Verify
+
+Read the top of `CHANGES.md` and confirm:
+- The version header is correct
+- Every entry has a GitHub link
+- Entries with a fix PR have the PR sub-line
+- The section ordering is correct (newest first)
+- Formatting matches the surrounding entries
+
+## Version section template
+
+```markdown
+## <VERSION>
+
+### :bug: Bugs fixed
+
+- <fix description> [#<ISSUE>](https://github.com/penpot/penpot/issues/<ISSUE>) (PR: [#<PR>](https://github.com/penpot/penpot/pull/<PR>))
+- <fix description> (by @contributor) [#<ISSUE>](https://github.com/penpot/penpot/issues/<ISSUE>) (PR: [#<PR>](https://github.com/penpot/penpot/pull/<PR>))
+```
+
+## Key Principles
+
+- **Issue = changelog unit.** The primary link always points to the
+  user-facing issue, not the implementation PR.
+- **PR = implementation detail.** Reference the PR inline so readers
+  can find the code changes.
+- **Latest version first.** New sections are inserted at the top of the
+  changelog, below the `# CHANGELOG` header.
+- **Issue Type determines section — exclusively.** Use the `issue_type` field from `gh.py` output (Bug → `:bug:`, Feature/Enhancement → `:sparkles:`). **Do not** use labels (`bug`, `enhancement`) or title emoji prefixes (`:bug:`, `:sparkles:`) — they are frequently wrong or contradictory. The `issue_type` is the single source of truth.
+- **User-facing descriptions.** Write from the user's perspective — describe
+  what broke and what was fixed, not internal implementation details.
+- **Community attribution.** When the issue or fix PR has the
+  `community contribution` label, add `(by @<username>)` on the entry line
+  between the description and the issue link. Use the **PR author** (not the
+  issue author) for the attribution.
+- **Only closed issues.** An issue must have `state: "closed"` to appear in
+  the changelog. Open unresolved issues are omitted.
+- **Excluded issues.** Issues with `no changelog` label must be excluded.
+  Issues with `issue_type: "Task"` must also be excluded — they are internal
+  chores, not user-facing changes.
+- **Multiple PRs per issue.** If multiple PRs fix the same issue, list them
+  comma-separated inline: `(PR: [#A](url), [#B](url))`.
+- **Duplicate removal.** If an entry already exists in a prior version section,
+  remove it from the current version. Check for text-level duplicates (after
+  stripping links and attributions) across version sections.
+- **Taiga references.** If a changelog entry references a Taiga URL
+  (`tree.taiga.io`), attempt to find a corresponding GitHub issue via the
+  Taiga description text or by searching GitHub PRs that reference the Taiga
+  URL. Replace the Taiga reference with the GitHub issue link and add the PR
+  reference if applicable.
+- **Re-fetch before editing.** Milestones can change — always re-fetch issues
+  before making edits, don't rely on cached data.
+- **Use `tools/gh.py`.** Prefer the helper script over raw `gh api` calls for
+  milestone issue listing and PR detail fetching. It handles GraphQL
+  pagination, batching, and label filtering automatically.

.serena/.gitignore

@@ -0,0 +1,2 @@
+/cache
+/project.local.yml

.serena/memories/creating-commits.md

@@ -0,0 +1,32 @@
+# Creating Commits
+
+## Message Format
+
+```
+:emoji: Subject line (imperative, capitalized, no period, ≤70 chars)
+
+Body (clear, concise description)
+
+Co-authored-by: <You (the LLM)>
+```
+
+## Commit Type Emojis
+
+`:bug:` bug fix · `:sparkles:` enhancement · `:tada:` new feature · `:recycle:` refactor · `:lipstick:` cosmetic · `:ambulance:` critical fix · `:books:` docs · `:construction:` WIP · `:boom:` breaking · `:wrench:` config · `:zap:` perf · `:whale:` docker · `:paperclip:` other · `:arrow_up:` dep upgrade · `:arrow_down:` dep downgrade · `:fire:` removal · `:globe_with_meridians:` translations · `:rocket:` epic/highlight
+
+## Changelog (CHANGES.md)
+
+Update `CHANGES.md` for user-facing or notable changes. Add entry under the current unreleased version in the matching section (`### :boom:`, `### :sparkles:`, `### :bug:`, etc.).
+
+Entry format:
+```
+- Description of change [Taiga #NNNN](https://tree.taiga.io/project/penpot/us/NNNN)
+```
+or for GitHub issues/PRs:
+```
+- Description of change [Github #NNNN](https://github.com/penpot/penpot/issues/NNNN)
+```
+
+Changes that affect the JavaScript plugin API must additionally be documented in `plugins/CHANGELOG.md`:
+  * Add an entry at the top of the file (unreleased section)
+  * Prefix entries that change the types/signatures in the API with `**plugin-types:**` and changes affecting the runtime with `**plugin-runtime:**`.

.serena/memories/creating-prs.md

@@ -0,0 +1,30 @@
+# Creating Pull Requests
+
+Important: Before creating a PR, ensure that you are on a branch that is specific to the 
+issue or feature you are working on. If necessary, create a new branch.
+
+## Title Format
+
+PR titles follow the same convention as commit titles:
+
+```
+:emoji: Subject line (imperative, capitalized, no period, ≤70 chars)
+```
+
+See the `creating-commits` memory for the list of emoji codes.
+
+## Description Format
+
+The PR description must start with the following notice:
+
+> **Note:** This PR was created with AI assistance as part of the Penpot MCP self-improvement initiative.
+
+ **Related Issues** section with a bullet list of linked issues:
+
+```
+In addition to sections summarising and explaining the changes in the PR, it should contain a section 'Relevant Issues' with a bullet list:
+
+- Fixes #NNNN
+- Resolves #NNNN
+- Relates to #NNNN
+```

.serena/memories/critical-info.md

@@ -0,0 +1,27 @@
+You are working on the GitHub project penpot/penpot.
+
+# Working with Penpot Designs via the JavaScript API
+
+Before working with Penpot designs, call the `high_level_overview` tool of the Penpot MCP server.
+It explains the API, which you can use to automate tasks via the `execute_code` tool.
+
+# Dev Workflow
+
+Memories:
+  - before creating a commit, read `creating-commits`.
+  - before creating a PR, read `creating-prs`.
+
+# Frontend
+
+Read the file `frontend/AGENTS.md` for an overview.
+Memories:
+  - connection between the JavaScript API and the ClojureScript code: `frontend/js-api-to-cljs-binding`.
+  - executing ClojureScript code in the frontend: `frontend/cljs-repl`.
+  - programmatically navigating to a file in the workspace: `frontend/navigation`.
+  - handling Clojure compiler errors, runtime patching and debug helpers: `frontend/handling-errors-and-debugging`.
+
+## Detecting Crashes
+
+The Penpot frontend can crash silently from the JS API's perspective: `execute_code` calls return successfully, but 1-2s later the workspace becomes unusable (Internal Error page). 
+The `execute_code` tool then stops working, but `cljs_repl` still works. Use it to detect a crash via `(some? (:exception @app.main.store/state))`.
+For details on handling crashes, read memory `frontend/handling-crashes`.

.serena/memories/frontend/cljs-repl.md

@@ -0,0 +1,76 @@
+# ClojureScript REPL Access via shadow-cljs
+
+Execute code in the REPL via the Penpot MCP's `cljs_repl` tool.
+
+## Accessing App State
+
+The main store is `app.main.store/state`. It contains workspace metadata, selection, UI state, etc.
+However, **page objects are NOT in the main store atom**. They live behind derived refs.
+
+### Top-level store keys (subset)
+`:current-page-id`, `:current-file-id`, `:workspace-local`, `:workspace-global`,
+`:workspace-trimmed-page`, `:workspace-undo`, `:workspace-guides`, `:workspace-layout`,
+`:workspace-presence`, `:workspace-ready`, `:profile`, `:route`, etc.
+
+**Notable absence:** There is no `:workspace-data` key in the store. The old path
+`(get-in state [:workspace-data :pages-index page-id :objects])` does NOT work.
+
+### Getting page objects — use `app.main.refs/workspace-page-objects`
+```clojure
+;; This is a derived ref (reactive lens). Deref it directly:
+(let [objects @app.main.refs/workspace-page-objects
+      shape (get objects (parse-uuid "some-uuid-here"))]
+  (select-keys shape [:name :type :x :y :width :height :fills :strokes :rotation :opacity :frame-id :parent-id]))
+```
+
+### Getting the current selection
+```clojure
+;; Selection is in the main store under :workspace-local :selected
+(let [state @app.main.store/state
+      selected (get-in state [:workspace-local :selected])]
+  (mapv str selected))
+;; Returns vector of UUID strings for selected shapes
+```
+
+### Other useful store access
+```clojure
+;; Current page id
+(:current-page-id @app.main.store/state)
+
+;; Verify state is accessible
+(some? @app.main.store/state)  ;; should be true
+
+;; workspace-local keys: :zoom :selected :hide-toolbar :last-selected :vbox
+;;   :highlighted :vport :expanded :selrect :zoom-inverse
+```
+
+### Shape data structure (internal ClojureScript representation)
+Shape keys use kebab-case keywords (`:fill-color`, `:fill-opacity`, `:parent-id`, `:frame-id`).
+The shape `:type` is a keyword like `:rect`, `:path`, `:text`, `:ellipse`, `:image`, `:bool`, `:svg-raw`, `:frame`, `:group`.
+Note `:rect` in CLJS corresponds to "rectangle" in the JS Plugin API, and `:frame` corresponds to "board".
+
+Component instance shapes additionally carry `:component-id` and `:component-file` directly, and `:component-root` flags the root of an instance. To navigate from a shape to its component, use `app.common.types.container/get-head-shape` (nearest head) or `get-instance-root` (outermost root) — these differ when instances are nested.
+
+### Helper utilities (`app.plugins.utils`)
+Despite living under `plugins/`, these are general-purpose lookup helpers usable from any CLJS:
+- `locate-shape` — find a shape by file-id, page-id, id
+- `locate-objects` — get the object tree for a page
+- `locate-component` — resolve the component for a shape (walks to **outermost** instance root, not nearest head — beware when instances are nested)
+- `locate-library-component` — direct lookup by file-id and component-id
+- `locate-file` — look up a file by id from state
+
+## Notes
+- The `:main` build has multiple modules: shared, main, main-workspace, rasterizer, etc.
+- `app.main.store/state` is a potok store (wrapping an okulary atom) created via `defonce`
+- Use `timeout` to avoid hanging if the browser is disconnected
+
+## Troubleshooting
+
+`cljs_repl` may not connect to the right runtime when several are attached (e.g. workspace tab + rasterizer). Verify with `(.-title js/document)` — it should show your file name, not "Penpot - Rasterizer".
+
+To list runtimes or target one by client-id, use `npx shadow-cljs clj-eval` from `/home/penpot/penpot/frontend`. It talks to the shadow-cljs JVM process, so unlike `cljs_repl` it has access to `shadow.cljs.devtools.api`:
+
+```bash
+printf '(shadow.cljs.devtools.api/repl-runtimes :main)\n' | timeout 10 npx shadow-cljs clj-eval --stdin
+printf '(shadow.cljs.devtools.api/cljs-eval :main "<cljs-code>" {:client-id 5})\n' | timeout 10 npx shadow-cljs clj-eval --stdin
+```

.serena/memories/frontend/handling-crashes.md

@@ -0,0 +1,41 @@
+# Handling Penpot Frontend Crashes
+
+When the Penpot frontend crashes, it usually shows the **Internal Error** page (title text "Something bad happened", class `main_ui_static__download-link`).
+
+A typical error pattern is: Changes go through (JS API, `execute_code`), but about 1-2s later, an `update-file` request hits the backend with the change and gets rejected.
+So be sure to check the status for a crash.
+
+After a crash, `execute_code` is unusable (no instances connected), and any data in `storage` is lost, but `cljs_repl` keeps working!
+
+## 1. Detect the crash
+
+cljs REPL `(some? (:exception @app.main.store/state))` returns `true` when the Internal Error page is showing, 
+`false` on a healthy workspace (and after a successful reload).
+
+## 2. Read the cause
+
+The exception is stored at `(:exception @app.main.store/state)`. Useful keys:
+
+- `:type`, `:code`, `:status` — error class (e.g. `:validation` / `:referential-integrity` / `400`)
+- `:hint`, `:details` — human-readable explanation; `:details` typically contains a vector of validation problems with `:shape-id`, `:page-id`, `:args`, etc.
+- `:uri` — the API endpoint that returned the error (e.g. `update-file`)
+- `:app.main.errors/instance` — the underlying JS Error object
+- `:app.main.errors/trace` — JS stack trace string (only shows the response-handling path, not the dispatch site that produced the bad change)
+
+```
+(let [ex (:exception @app.main.store/state)]
+  (select-keys ex [:type :code :status :hint :details :uri]))
+```
+
+For backend validation errors (`:type :validation`), `:details` is the most informative field — it tells you exactly which shape and which invariant was violated.
+
+## 3. Recover and continue testing
+
+Reload steps:
+1. List tabs with `playwright:browser_tabs` (`action: list`) and find the Penpot workspace tab (URL contains `/#/workspace`, title ends in `- Penpot`).
+2. If it isn't the current tab, select it via `playwright:browser_tabs` (`action: select`, `index: <n>`). The selected tab's URL then appears as "Page URL" in the result.
+3. Reload by calling `playwright:browser_navigate` with that same URL.
+4. Confirm recovery: `(some? (:exception @app.main.store/state))` should now return `false`.
+
+Whether the offending change persists depends on the crash type:
+For **backend-rejected changes** (e.g. `:type :validation`, 4xx on `update-file`), changes are NOT persisted. Reload restores the pre-crash state — safe to retry.

.serena/memories/frontend/handling-errors-and-debugging.md

@@ -0,0 +1,49 @@
+# Handling Errors and Debugging
+
+## Finding source errors
+
+You have access to two tools for finding errors in Clojure source code (which you may introduce yourself through edits):
+
+1. cljs_compiler_output
+2. clj_check_parentheses
+
+The latter is needed because syntax errors in parentheses give an uninformative compiler error, and the second
+tool can often find the exact location of such errors.
+
+## Runtime patching with `set!`
+
+Some frontend vars are deliberately mutable escape hatches for runtime instrumentation or circular-dependency patching. 
+From `cljs_repl`, use `set!` for temporary debugging of CLJS vars such as 
+`app.main.store/on-event`, `app.main.errors/reload-file`, `app.main.errors/is-plugin-error?`, 
+`app.main.errors/last-report`, or `app.main.errors/last-exception`. 
+These patches affect only the live browser runtime and disappear on reload or recompilation.
+
+```clojure
+;; Log non-noisy Potok events temporarily.
+(set! app.main.store/on-event
+      (fn [event]
+        (when (potok.v2.core/event? event)
+          (.log js/console (potok.v2.core/repr-event event)))))
+```
+
+Restore mutable hooks after debugging, or reload the frontend. Use JVM `alter-var-root` only for JVM Clojure; 
+it is not the normal way to patch live CLJS browser vars.
+
+## Browser-console debug namespace
+
+In development, the JS console exposes `debug` helpers from `frontend/src/debug.cljs`:
+
+```javascript
+debug.set_logging("namespace", "debug");
+debug.dump_state();
+debug.dump_buffer();
+debug.get_state(":workspace-local :selected");
+debug.dump_objects();
+debug.dump_object("Rect-1");
+debug.dump_selected();
+debug.dump_tree(true, true);
+```
+
+Visual workspace debug overlays can be toggled with `debug.toggle_debug("bounding-boxes")`, `"group"`, `"events"`, or `"rotation-handler"`; `debug.debug_all()` and `debug.debug_none()` toggle all visual aids.
+
+For temporary source traces, prefer existing logging (`app.common.logging` / `app.util.logging`) or short-lived `prn`, `app.common.pprint/pprint`, `js/console.log`, or `js-debugger` calls. Remove temporary source instrumentation before committing.

.serena/memories/frontend/js-api-to-cljs-binding.md

@@ -0,0 +1,25 @@
+# How the Plugin JS API connects to ClojureScript
+
+## Type Definitions
+- `plugins/libs/plugin-types/index.d.ts` contains TypeScript type declarations (e.g. `ShapeBase`, `LibraryComponent`).
+- These are **type-only** — no runtime code. The actual objects are constructed in ClojureScript.
+
+## Runtime Shape Proxy
+- `frontend/src/app/plugins/shape.cljs` builds the JS shape proxy via `obj/reify`.
+- Each method/property from the TS interface (e.g. `:component`, `:isComponentRoot`, `:componentHead`) is defined as a keyword entry in the `obj/reify` form, with a ClojureScript function as the implementation.
+- The proxy is created by the `shape-proxy` function, which takes `plugin-id`, `file-id`, `page-id`, and shape `id`, and closes over them.
+
+## Library Proxies
+- `frontend/src/app/plugins/library.cljs` defines proxies for library types like `LibraryComponentProxy` (via `lib-component-proxy`), also using `obj/reify`.
+- The proxy satisfies the `LibraryComponent` TS interface, exposing `.id`, `.name`, `.path`, etc.
+
+## Circular Dependency Resolution
+- `shape.cljs` and `library.cljs` have circular dependencies (shapes reference library component proxies and vice versa).
+- `shape.cljs` declares forward references as mutable `def nil` vars (e.g. `(def lib-component-proxy nil)`, line 144).
+- `frontend/src/app/plugins.cljs` patches them at load time: `(set! shape/lib-component-proxy library/lib-component-proxy)`.
+- Same pattern for `lib-typography-proxy?` and `variant-proxy`.
+
+## Key Domain Namespaces
+- `app.common.types.component` (aliased `ctk`) — component predicates: `instance-root?`, `instance-head?`, `in-component-copy?`, `is-variant?`
+- `app.common.types.container` (aliased `ctn`) — container/tree operations: `in-any-component?`, `get-instance-root`, `get-head-shape`, `inside-component-main?`
+- `app.common.types.file` (aliased `ctf`) — file-level operations: `resolve-component`, `get-ref-shape`

.serena/memories/frontend/navigation.md

@@ -0,0 +1,14 @@
+# Navigating to a File in the Workspace
+
+To programmatically open a file in the workspace, use `cljs_repl` with:
+```clojure
+(do (require '[app.main.data.common :as dcm])
+    (app.main.store/emit! (dcm/go-to-workspace
+      :team-id (parse-uuid "<team-id>")
+      :file-id (parse-uuid "<file-id>")
+      :page-id (parse-uuid "<page-id>"))))
+```
+**All three IDs are required.** You can get:
+- `team-id` from `(:current-team-id @app.main.store/state)`
+- `file-id` from the dashboard files: `(vals (:files @app.main.store/state))`
+- `page-id` by fetching the file: `(get-in file-data [:data :pages])` via `(rp/cmd! :get-file {:id file-id :features (get @app.main.store/state :features)})`

.serena/project.yml

@@ -0,0 +1,141 @@
+# the name by which the project can be referenced within Serena
+project_name: "penpot"
+
+
+# list of languages for which language servers are started; choose from:
+#   al                  ansible             bash                clojure             cpp
+#   cpp_ccls            crystal             csharp              csharp_omnisharp    dart
+#   elixir              elm                 erlang              fortran             fsharp
+#   go                  groovy              haskell             haxe                hlsl
+#   java                json                julia               kotlin              lean4
+#   lua                 luau                markdown            matlab              msl
+#   nix                 ocaml               pascal              perl                php
+#   php_phpactor        powershell          python              python_jedi         python_ty
+#   r                   rego                ruby                ruby_solargraph     rust
+#   scala               solidity            swift               systemverilog       terraform
+#   toml                typescript          typescript_vts      vue                 yaml
+#   zig
+#   (This list may be outdated. For the current list, see values of Language enum here:
+#   https://github.com/oraios/serena/blob/main/src/solidlsp/ls_config.py
+#   For some languages, there are alternative language servers, e.g. csharp_omnisharp, ruby_solargraph.)
+# Note:
+#   - For C, use cpp
+#   - For JavaScript, use typescript
+#   - For Free Pascal/Lazarus, use pascal
+# Special requirements:
+#   Some languages require additional setup/installations.
+#   See here for details: https://oraios.github.io/serena/01-about/020_programming-languages.html#language-servers
+# When using multiple languages, the first language server that supports a given file will be used for that file.
+# The first language is the default language and the respective language server will be used as a fallback.
+# Note that when using the JetBrains backend, language servers are not used and this list is correspondingly ignored.
+languages:
+- clojure
+- typescript
+- rust
+
+# the encoding used by text files in the project
+# For a list of possible encodings, see https://docs.python.org/3.11/library/codecs.html#standard-encodings
+encoding: "utf-8"
+
+# line ending convention to use when writing source files.
+# Possible values: unset (use global setting), "lf", "crlf", or "native" (platform default)
+# This does not affect Serena's own files (e.g. memories and configuration files), which always use native line endings.
+line_ending:
+
+# The language backend to use for this project.
+# If not set, the global setting from serena_config.yml is used.
+# Valid values: LSP, JetBrains
+# Note: the backend is fixed at startup. If a project with a different backend
+# is activated post-init, an error will be returned.
+language_backend:
+
+# whether to use project's .gitignore files to ignore files
+ignore_all_files_in_gitignore: true
+
+# advanced configuration option allowing to configure language server-specific options.
+# Maps the language key to the options.
+# Have a look at the docstring of the constructors of the LS implementations within solidlsp (e.g., for C# or PHP) to see which options are available.
+# No documentation on options means no options are available.
+ls_specific_settings: {}
+
+# list of additional paths to ignore in this project.
+# Same syntax as gitignore, so you can use * and **.
+# Note: global ignored_paths from serena_config.yml are also applied additively.
+ignored_paths: []
+
+# whether the project is in read-only mode
+# If set to true, all editing tools will be disabled and attempts to use them will result in an error
+# Added on 2025-04-18
+read_only: false
+
+# list of tool names to exclude.
+# This extends the existing exclusions (e.g. from the global configuration)
+# Find the list of tools here: https://oraios.github.io/serena/01-about/035_tools.html
+excluded_tools: []
+
+# list of tools to include that would otherwise be disabled (particularly optional tools that are disabled by default).
+# This extends the existing inclusions (e.g. from the global configuration).
+# Find the list of tools here: https://oraios.github.io/serena/01-about/035_tools.html
+included_optional_tools: []
+
+# fixed set of tools to use as the base tool set (if non-empty), replacing Serena's default set of tools.
+# This cannot be combined with non-empty excluded_tools or included_optional_tools.
+# Find the list of tools here: https://oraios.github.io/serena/01-about/035_tools.html
+fixed_tools: []
+
+# list of mode names to that are always to be included in the set of active modes
+# The full set of modes to be activated is base_modes + default_modes.
+# If the setting is undefined, the base_modes from the global configuration (serena_config.yml) apply.
+# Otherwise, this setting overrides the global configuration.
+# Set this to [] to disable base modes for this project.
+# Set this to a list of mode names to always include the respective modes for this project.
+base_modes:
+
+# list of mode names that are to be activated by default, overriding the setting in the global configuration.
+# The full set of modes to be activated is base_modes (from global config) + default_modes + added_modes.
+# If the setting is undefined/empty, the default_modes from the global configuration (serena_config.yml) apply.
+# Otherwise, this overrides the setting from the global configuration (serena_config.yml).
+# Therefore, you can set this to [] if you do not want the default modes defined in the global config to apply
+# for this project.
+# This setting can, in turn, be overridden by CLI parameters (--mode).
+# See https://oraios.github.io/serena/02-usage/050_configuration.html#modes
+default_modes:
+
+# initial prompt for the project. It will always be given to the LLM upon activating the project
+# (contrary to the memories, which are loaded on demand).
+initial_prompt: |
+  CRITICAL: Always read the memory `critical-info` before you do anything else.
+
+# time budget (seconds) per tool call for the retrieval of additional symbol information
+# such as docstrings or parameter information.
+# This overrides the corresponding setting in the global configuration; see the documentation there.
+# If null or missing, use the setting from the global configuration.
+symbol_info_budget:
+
+# list of regex patterns which, when matched, mark a memory entry as read‑only.
+# Extends the list from the global configuration, merging the two lists.
+read_only_memory_patterns: []
+
+# list of regex patterns for memories to completely ignore.
+# Matching memories will not appear in list_memories or activate_project output
+# and cannot be accessed via read_memory or write_memory.
+# To access ignored memory files, use the read_file tool on the raw file path.
+# Extends the list from the global configuration, merging the two lists.
+# Example: ["_archive/.*", "_episodes/.*"]
+ignored_memory_patterns: []
+
+# list of mode names to be activated additionally for this project, e.g. ["query-projects"]
+# The full set of modes to be activated is base_modes (from global config) + default_modes + added_modes.
+# See https://oraios.github.io/serena/02-usage/050_configuration.html#modes
+added_modes:
+
+# list of additional workspace folder paths for cross-package reference support (e.g. in monorepos).
+# Paths can be absolute or relative to the project root.
+# Each folder is registered as an LSP workspace folder, enabling language servers to discover
+# symbols and references across package boundaries.
+# Currently supported for: TypeScript.
+# Example:
+#   additional_workspace_folders:
+#     - ../sibling-package
+#     - ../shared-lib
+additional_workspace_folders: []

AGENTS.md

@@ -32,6 +32,47 @@ precision while maintaining a strong focus on maintainability and performance.
 5. When searching code, prefer `ripgrep` (`rg`) over `grep` — it respects
    `.gitignore` by default.
 
+## Changelogs
+
+The project has two changelogs:
+
+- **Main project changelog**: `CHANGES.md` (root of the repository). Tracks changes for the core Penpot application (backend, frontend, common, render-wasm, exporter, mcp).
+- **Plugins changelog**: `plugins/CHANGELOG.md`. Tracks changes for the plugins subproject only.
+
+When making changes, add a changelog entry to the appropriate file under the
+`## <version> (Unreleased)` section in the correct category
+(`:sparkles: New features & Enhancements` or `:bug: Bugs fixed`).
+
+## GitHub Operations
+
+To obtain the list of repository members/collaborators:
+
+```bash
+gh api repos/:owner/:repo/collaborators --paginate --jq '.[].login'
+```
+
+To obtain the list of open PRs authored by members:
+
+```bash
+MEMBERS=$(gh api repos/:owner/:repo/collaborators --paginate --jq '.[].login' | tr '\n' '|' | sed 's/|$//')
+gh pr list --state open --limit 200 --json author,title,number | jq -r --arg members "$MEMBERS" '
+  ($members | split("|")) as $m |
+  .[] | select(.author.login as $a | $m | index($a)) |
+  "\(.number)\t\(.author.login)\t\(.title)"
+'
+```
+
+To obtain the list of open PRs from external contributors (non-members):
+
+```bash
+MEMBERS=$(gh api repos/:owner/:repo/collaborators --paginate --jq '.[].login' | tr '\n' '|' | sed 's/|$//')
+gh pr list --state open --limit 200 --json author,title,number | jq -r --arg members "$MEMBERS" '
+  ($members | split("|")) as $m |
+  .[] | select(.author.login as $a | $m | index($a) | not) |
+  "\(.number)\t\(.author.login)\t\(.title)"
+'
+```
+
 ## Architecture Overview
 
 Penpot is an open-source design tool composed of several modules:

CHANGES.md

@@ -1,6 +1,6 @@
 # CHANGELOG
 
-## 2.16.0 (Unreleased)
+## 2.17.0 (Unreleased)
 
 ### :boom: Breaking changes & Deprecations
 
@@ -8,55 +8,280 @@
 
 ### :sparkles: New features & Enhancements
 
-- Access Tokens look & feel refinement [Taiga #13114](https://tree.taiga.io/project/penpot/us/13114)
-- Enhance readability of applied tokens in plugins API [Taiga #13714](https://tree.taiga.io/project/penpot/issue/13714)
+- Show a read-only W × H size badge below the bounding box of the current selection (by @bittoby) [Github #9205](https://github.com/penpot/penpot/issues/9205)
+- Expose `variants` retrieval on `LibraryComponent` via `isVariant()` type guard in plugin API [Github #9185](https://github.com/penpot/penpot/issues/9185)
 
 ### :bug: Bugs fixed
 
-- Fix Alt/Option to draw shapes from center point (by @offreal) [Github #8361](https://github.com/penpot/penpot/pull/8361)
-- Add token name on broken token pill on sidebar [Taiga #13527](https://tree.taiga.io/project/penpot/issue/13527)
-- Fix tooltip activated when tab change [Taiga #13627](https://tree.taiga.io/project/penpot/issue/13627)
-- Fix title on shared button [Taiga #13730](https://tree.taiga.io/project/penpot/issue/13730)
-- Fix hover on layers [Taiga #13799](https://tree.taiga.io/project/penpot/issue/13799)
-- Fix highlight after name edition [Taiga #13783](https://tree.taiga.io/project/penpot/issue/13783)
-- Fix id prop on switch component [Taiga #13534](https://tree.taiga.io/project/penpot/issue/13534)
-- Fix dashboard navigation tabs overlap with projects content when scrolling [Taiga #13962](https://tree.taiga.io/project/penpot/issue/13962)
-- Fix text editor v1 focus [Taiga #13961](https://tree.taiga.io/project/penpot/issue/13961)
+- Fix plugin API `LibraryTypography.remove()` failing with a UUID assertion error [Github #8223](https://github.com/penpot/penpot/issues/8223)
+- Fix MCP SSE sessions leaking memory on zombie connections by adding inactivity timeout parity with Streamable HTTP sessions (by @bitloi) [Github #9432](https://github.com/penpot/penpot/issues/9432)
+- Fix missing `labels.open` translation (by @MilosM348) [Github #9320](https://github.com/penpot/penpot/pull/9320)
+- Fix two plugin error i18n keys broken by leading whitespace before `msgid` in `en.po` (by @MilosM348)
+- Use the noun "copia" instead of the verb "copiar" as the Spanish duplicate-suffix when duplicating design tokens [Github #9623](https://github.com/penpot/penpot/issues/9623)
+- Harden Nginx responses with standard security headers and hide upstream `X-Powered-By` headers
+- Expose Source Sans Pro semibold (weight 600) variants in the builtin fonts list, matching the bundled font assets and CSS @font-face declarations [Github #7378](https://github.com/penpot/penpot/issues/7378)
+- Fix plugin API `shape.fills` and `shape.strokes` arrays being read-only [Github #8357](https://github.com/penpot/penpot/issues/8357)
+- Fix `get-profile` masking transient DB errors as anonymous user (by @jack-stormentswe) [Github #9253](https://github.com/penpot/penpot/issues/9253)
+- Fix `Ctrl+'` "Show guides" shortcut on non-US keyboard layouts by matching the physical key location (by @RenzoMXD) [Github #8423](https://github.com/penpot/penpot/issues/8423)
+- Fix lost-update race on `team.features` during concurrent file creation (by @web-dev0521) [Github #9197](https://github.com/penpot/penpot/issues/9197)
+- Fix copy and paste actions crashing the workspace on insecure origins (plain HTTP / non-`localhost`) where the Clipboard API is unavailable (by @MilosM348) [Github #6514](https://github.com/penpot/penpot/issues/6514)
+- Fix blend-mode dropdown leaving the canvas rendered with the last hover-preview blend mode when dismissed without selecting an option; the WASM render is now reverted to the saved blend mode on pointer-leave (by @edwin-rivera-dev) [Github #XXXX](https://github.com/penpot/penpot/issues/XXXX)
 
+## 2.16.0 (Unreleased)
 
-## 2.15.0 (Unreleased)
+### :boom: Breaking changes & Deprecations
+
+### :rocket: Epics and highlights
+- WebGL rendering (beta) user preference [#9683](https://github.com/penpot/penpot/issues/9683) (PR:[9113](https://github.com/penpot/penpot/pull/9113))
+- Design Tokens at the design tab: numeric fields with token selection in place [#9358](https://github.com/penpot/penpot/issues/9358)
 
 ### :sparkles: New features & Enhancements
 
-- Add MCP server integration [Taiga #13112](https://tree.taiga.io/project/penpot/us/13112)
-- Add chunked upload API for large media and binary files (removes previous upload size limits) [Github #8909](https://github.com/penpot/penpot/pull/8909)
+- Add delete group to assets panel context menu (by @FairyPigDev) [#9141](https://github.com/penpot/penpot/issues/9141) (PR: [#9151](https://github.com/penpot/penpot/pull/9151), [#9211](https://github.com/penpot/penpot/pull/9211))
+- Show alpha percentage on library color values (by @rockchris099) [#6328](https://github.com/penpot/penpot/issues/6328)
+- Add clear artboard guides to frame context menu (by @eureka0928) [#6987](https://github.com/penpot/penpot/issues/6987) (PR: [#8936](https://github.com/penpot/penpot/pull/8936))
+- Add loader feedback while importing and exporting files (by @moorsecopers99) [#9020](https://github.com/penpot/penpot/issues/9020) (PR: [#9024](https://github.com/penpot/penpot/pull/9024))
+- Allow duplicating color and typography styles (by @MkDev11) [#2912](https://github.com/penpot/penpot/issues/2912) (PR: [#8449](https://github.com/penpot/penpot/pull/8449))
+- Add woff2 support on user uploaded fonts (by @Nivl) [#3521](https://github.com/penpot/penpot/issues/3521) (PR: [#8248](https://github.com/penpot/penpot/pull/8248))
+- Import Tokens from linked library (by @dfelinto) [#9635](https://github.com/penpot/penpot/issues/9635) (PR: [#8391](https://github.com/penpot/penpot/pull/8391))
+- Option to download custom fonts (by @dfelinto) [#9672](https://github.com/penpot/penpot/issues/9672) (PR: [#8320](https://github.com/penpot/penpot/pull/8320))
+- Add copy as image to workspace context menu (by @dfelinto) [#9607](https://github.com/penpot/penpot/issues/9607) (PR: [#8313](https://github.com/penpot/penpot/pull/8313))
+- Add Tab/Shift+Tab navigation to rename layers sequentially (by @bittoby) [#2569](https://github.com/penpot/penpot/issues/2569) (PR: [#8474](https://github.com/penpot/penpot/pull/8474))
+- Copy and paste entire rows in existing table (by @bittoby) [#5969](https://github.com/penpot/penpot/issues/5969) (PR: [#8498](https://github.com/penpot/penpot/pull/8498))
+- Rename token group [#9637](https://github.com/penpot/penpot/issues/9637) (PR: [#8275](https://github.com/penpot/penpot/pull/8275))
+- Duplicate token group [#9638](https://github.com/penpot/penpot/issues/9638) (PR: [#8886](https://github.com/penpot/penpot/pull/8886))
+- Copy token name from contextual menu [#9639](https://github.com/penpot/penpot/issues/9639) (PR: [#8566](https://github.com/penpot/penpot/pull/8566))
+- Add drag-to-change for numeric inputs in workspace sidebar (by @RenzoMXD) [#2466](https://github.com/penpot/penpot/issues/2466) (PR: [#8536](https://github.com/penpot/penpot/pull/8536))
+- Add CSS linter [#9636](https://github.com/penpot/penpot/issues/9636) (PR: [#8592](https://github.com/penpot/penpot/pull/8592))
+- Add per-group add button for typographies (by @eureka0928) [#5275](https://github.com/penpot/penpot/issues/5275) (PR: [#8895](https://github.com/penpot/penpot/pull/8895))
+- Add Find & Replace for text content and layer names (by @statxc) [#7108](https://github.com/penpot/penpot/issues/7108) (PR: [#8899](https://github.com/penpot/penpot/pull/8899))
+- Use page name for multi-export ZIP/PDF downloads (by @Dexterity104) [#8773](https://github.com/penpot/penpot/issues/8773) (PR: [#8874](https://github.com/penpot/penpot/pull/8874))
+- Make links in comments clickable (by @eureka0928) [#1602](https://github.com/penpot/penpot/issues/1602) (PR: [#8894](https://github.com/penpot/penpot/pull/8894))
+- Add visibility toggle for strokes (by @eureka0928) [#7438](https://github.com/penpot/penpot/issues/7438) (PR: [#8913](https://github.com/penpot/penpot/pull/8913))
+- Sort asset library subfolders alphabetically at every nesting level (by @eureka0928) [#2572](https://github.com/penpot/penpot/issues/2572) (PR: [#8952](https://github.com/penpot/penpot/pull/8952))
+- Add Paste to replace (Cmd+Shift+V) for selected shapes (by @eureka0928) [#4240](https://github.com/penpot/penpot/issues/4240) (PR: [#9033](https://github.com/penpot/penpot/pull/9033))
+- Differentiate incoming and outgoing interaction link colors (by @claytonlin1110) [#7794](https://github.com/penpot/penpot/issues/7794) (PR: [#8923](https://github.com/penpot/penpot/pull/8923))
+- Reorder prototyping overlay options to show Position before Relative to (by @rockchris099) [#2910](https://github.com/penpot/penpot/issues/2910)
+- Add customizable colors for ruler guides (by @Dexterity104) [#5199](https://github.com/penpot/penpot/issues/5199) (PR: [#8986](https://github.com/penpot/penpot/pull/8986))
+- Persist asset search and section filter across sidebar tabs (by @eureka0928) [#2913](https://github.com/penpot/penpot/issues/2913) (PR: [#8985](https://github.com/penpot/penpot/pull/8985))
+- Add delete and duplicate buttons to typography dialog (by @eureka0928) [#5270](https://github.com/penpot/penpot/issues/5270) (PR: [#8983](https://github.com/penpot/penpot/pull/8983))
+- Edit ruler guide position by double-clicking the guide pill (by @eureka0928) [#2311](https://github.com/penpot/penpot/issues/2311) (PR: [#8987](https://github.com/penpot/penpot/pull/8987))
+- Add search bar to color palette (by @eureka0928) [#7653](https://github.com/penpot/penpot/issues/7653) (PR: [#8994](https://github.com/penpot/penpot/pull/8994))
+- Add search bar to board size presets (by @eureka0928) [#4658](https://github.com/penpot/penpot/issues/4658) (PR: [#9117](https://github.com/penpot/penpot/pull/9117))
+- Allow customising the OIDC login button label (by @wdeveloper16) [#7027](https://github.com/penpot/penpot/issues/7027) (PR: [#9026](https://github.com/penpot/penpot/pull/9026))
+- Add page separators in Workspace [#9180](https://github.com/penpot/penpot/issues/9180) (PR: [#8561](https://github.com/penpot/penpot/pull/8561))
+- Preserve vector content when pasting SVG from external tools (by @RenzoMXD) [#546](https://github.com/penpot/penpot/issues/546) (PR: [#9182](https://github.com/penpot/penpot/pull/9182))
+- Add pixel grid color picker in viewport settings (by @jack-stormentswe) [#7750](https://github.com/penpot/penpot/issues/7750) (PR: [#9155](https://github.com/penpot/penpot/pull/9155))
+- Add HEX/HSB/HSL support to color picker with persistent model switcher (by @edwin-rivera-dev) [#9133](https://github.com/penpot/penpot/issues/9133) (PR: [#9134](https://github.com/penpot/penpot/pull/9134))
+- Show specific invitation-link error messages (by @niwinz) [#9220](https://github.com/penpot/penpot/issues/9220) (PR: [#9223](https://github.com/penpot/penpot/pull/9223))
+- Show detailed file import error messages (by @jsdevninja) [#8212](https://github.com/penpot/penpot/issues/8212) (PR: [#9004](https://github.com/penpot/penpot/pull/9004))
+- Add read-only preview mode for saved versions (by @wdeveloper16) [#7622](https://github.com/penpot/penpot/issues/7622) (PR: [#8976](https://github.com/penpot/penpot/pull/8976))
+- Add clipboard read/write permissions to the plugin system (by @wdeveloper16) [#6980](https://github.com/penpot/penpot/issues/6980) (PR: [#9053](https://github.com/penpot/penpot/pull/9053))
+- Update auth hero illustration on login screen [#9532](https://github.com/penpot/penpot/issues/9532) (PR: [#9552](https://github.com/penpot/penpot/pull/9552))
+- Update Open Graph link preview metadata [#9555](https://github.com/penpot/penpot/issues/9555) (PR: [#9557](https://github.com/penpot/penpot/pull/9557))
+- Restore deleted team files in bulk instead of per file (by @Dexterity104) [#9246](https://github.com/penpot/penpot/issues/9246) (PR: [#9248](https://github.com/penpot/penpot/pull/9248))
+- Preserve Inkscape labels when pasting SVGs (by @jeffrey701) [#7869](https://github.com/penpot/penpot/issues/7869) (PR: [#9252](https://github.com/penpot/penpot/pull/9252))
+- Add Alt+click to expand layer subtree (by @MilosM348) [#7736](https://github.com/penpot/penpot/issues/7736) (PR: [#9179](https://github.com/penpot/penpot/pull/9179))
+- Allow deleting the profile avatar after uploading (by @moorsecopers99) [#9067](https://github.com/penpot/penpot/issues/9067) (PR: [#9068](https://github.com/penpot/penpot/pull/9068))
+
+### :bug: Bugs fixed
+- Add Shift+Numpad aliases for zoom shortcuts (by @RenzoMXD) [#2457](https://github.com/penpot/penpot/issues/2457) (PR: [#9063](https://github.com/penpot/penpot/pull/9063))
+- Save and restore selection state in undo/redo (by @eureka0928) [#6007](https://github.com/penpot/penpot/issues/6007) (PR: [#8652](https://github.com/penpot/penpot/pull/8652))
+- Add guide locking and fix locked element selection in viewer (by @Dexterity104) [#8358](https://github.com/penpot/penpot/issues/8358) (PR: [#8949](https://github.com/penpot/penpot/pull/8949))
+- Add natural sorting on token names [#8635](https://github.com/penpot/penpot/issues/8635) (PR: [#8672](https://github.com/penpot/penpot/pull/8672))
+- Fix warnings for unsupported token $type (by @Dexterity104) [#8790](https://github.com/penpot/penpot/issues/8790) (PR: [#8873](https://github.com/penpot/penpot/pull/8873))
+- Apply styles to selection (by @AzazelN28) [#9661](https://github.com/penpot/penpot/issues/9661) (PR: [#8625](https://github.com/penpot/penpot/pull/8625))
+- Fix Alt/Option to draw shapes from center point (by @offreal) [#8360](https://github.com/penpot/penpot/issues/8360) (PR: [#8361](https://github.com/penpot/penpot/pull/8361))
+- Fix library update button freezing [#9330](https://github.com/penpot/penpot/issues/9330) (PR: [#9513](https://github.com/penpot/penpot/pull/9513))
+- Fix typo in subscription settings success key (by @jack-stormentswe) [#9203](https://github.com/penpot/penpot/issues/9203) (PR: [#9204](https://github.com/penpot/penpot/pull/9204))
+- Add token name on broken token pill on sidebar [#9534](https://github.com/penpot/penpot/issues/9534) (PR: [#8527](https://github.com/penpot/penpot/pull/8527))
+- Fix tooltip activated when tab change [#9539](https://github.com/penpot/penpot/issues/9539) (PR: [#8719](https://github.com/penpot/penpot/pull/8719))
+- Fix title on shared button [#9541](https://github.com/penpot/penpot/issues/9541) (PR: [#8696](https://github.com/penpot/penpot/pull/8696))
+- Fix hover on layers [#9542](https://github.com/penpot/penpot/issues/9542) (PR: [#8885](https://github.com/penpot/penpot/pull/8885))
+- Fix highlight after name edition [#9537](https://github.com/penpot/penpot/issues/9537) (PR: [#8890](https://github.com/penpot/penpot/pull/8890))
+- Fix multiple small UI bugs — id prop, update copy, library modal scroll [#9536](https://github.com/penpot/penpot/issues/9536) (PR: [#8604](https://github.com/penpot/penpot/pull/8604))
+- Fix themes modal height [#9535](https://github.com/penpot/penpot/issues/9535) (PR: [#9105](https://github.com/penpot/penpot/pull/9105))
+- Fix layers panel rename showing default type name (by @jack-stormentswe) [#9230](https://github.com/penpot/penpot/issues/9230) (PR: [#9231](https://github.com/penpot/penpot/pull/9231))
+- Suppress browser context menu on workspace sidebar right-click (by @sujyotraut) [#5127](https://github.com/penpot/penpot/issues/5127) (PR: [#9196](https://github.com/penpot/penpot/pull/9196))
+- Fix plugin API fileVersion.restore() hanging on failure (by @thomascolden585-svg) [#9092](https://github.com/penpot/penpot/issues/9092) (PR: [#9111](https://github.com/penpot/penpot/pull/9111))
+- Fix stroke-only SVG paths losing rounded join on split (by @Chrissi2812) [#5283](https://github.com/penpot/penpot/issues/5283) (PR: [#9156](https://github.com/penpot/penpot/pull/9156))
+- Fix plugin API library.connectLibrary() not returning Promise (by @boskodev790) [#9646](https://github.com/penpot/penpot/issues/9646) (PR: [#9158](https://github.com/penpot/penpot/pull/9158))
+- Fix LDAP provider schema typo in malli migration (by @boskodev790) [#9531](https://github.com/penpot/penpot/issues/9531) (PR: [#9165](https://github.com/penpot/penpot/pull/9165))
+- Fix login-with-ldap dropping error on uninitialized LDAP (by @boskodev790) [#9533](https://github.com/penpot/penpot/issues/9533) (PR: [#9159](https://github.com/penpot/penpot/pull/9159))
+- Fix OIDC_USER_INFO_SOURCE flag being ignored (by @GeekClassy) [#9108](https://github.com/penpot/penpot/issues/9108) (PR: [#9114](https://github.com/penpot/penpot/pull/9114))
+- Fix share-link viewer crash on malformed email (by @boskodev790) [#9530](https://github.com/penpot/penpot/issues/9530) (PR: [#9120](https://github.com/penpot/penpot/pull/9120))
+- Fix crash pasting component variants from external library (by @FairyPigDev) [#8144](https://github.com/penpot/penpot/issues/8144) (PR: [#9136](https://github.com/penpot/penpot/pull/9136))
+- Remove corepack from MCP launcher for Node.js 25+ (by @TheAifam5) [#8877](https://github.com/penpot/penpot/issues/8877) (PR: [#9119](https://github.com/penpot/penpot/pull/9119))
+- Fix Copy as SVG for multi-shape selections (by @RenzoMXD) [#9088](https://github.com/penpot/penpot/issues/9088) (PR: [#9066](https://github.com/penpot/penpot/pull/9066))
+- Preserve OpenType variant name table for custom fonts in the dashboard (by @rutherfordcraze) [#8924](https://github.com/penpot/penpot/issues/8924) (PR: [#9193](https://github.com/penpot/penpot/pull/9193))
+- Add export panel to inspect styles tab [#9660](https://github.com/penpot/penpot/issues/9660) (PR: [#8645](https://github.com/penpot/penpot/pull/8645))
+- Fix styles between grid layout inputs [#9656](https://github.com/penpot/penpot/issues/9656) (PR: [#8673](https://github.com/penpot/penpot/pull/8673))
+- Fix dates to avoid show them in english when browser is in auto [#8709](https://github.com/penpot/penpot/issues/8709) (PR: [#8775](https://github.com/penpot/penpot/pull/8775))
+- Fix focus radio button [#9657](https://github.com/penpot/penpot/issues/9657) (PR: [#8774](https://github.com/penpot/penpot/pull/8774))
+- Token tree should be expanded by default [#9662](https://github.com/penpot/penpot/issues/9662) (PR: [#8799](https://github.com/penpot/penpot/pull/8799))
+- Fix opacity incorrectly disabled for visible shapes [#9658](https://github.com/penpot/penpot/issues/9658) (PR: [#8854](https://github.com/penpot/penpot/pull/8854))
+- Fix plugin modal drag over iframe and close button (by @marekhrabe) [#9529](https://github.com/penpot/penpot/issues/9529) (PR: [#8871](https://github.com/penpot/penpot/pull/8871))
+- Fix hot update on color-row on texts [#9664](https://github.com/penpot/penpot/issues/9664) (PR: [#8880](https://github.com/penpot/penpot/pull/8880))
+- Fix selected color tokens [#9655](https://github.com/penpot/penpot/issues/9655) (PR: [#8889](https://github.com/penpot/penpot/pull/8889))
+- Fix dashboard Recent/Deleted titles overlapped by scrolling content (by @rockchris099) [#8577](https://github.com/penpot/penpot/issues/8577)
+- Display resolved values of inactive tokens [#9665](https://github.com/penpot/penpot/issues/9665) (PR: [#8589](https://github.com/penpot/penpot/pull/8589))
+- Fix hyphens stripped from export filenames (by @jamesrayammons) [#8901](https://github.com/penpot/penpot/issues/8901) (PR: [#8944](https://github.com/penpot/penpot/pull/8944))
+- Fix app crash on multiselection with hidden shapes and opacity mixed value [#9666](https://github.com/penpot/penpot/issues/9666) (PR: [#8932](https://github.com/penpot/penpot/pull/8932))
+- Fix gap input throwing an error [#9667](https://github.com/penpot/penpot/issues/9667) (PR: [#8984](https://github.com/penpot/penpot/pull/8984))
+- Fix copy to be more specific [#9668](https://github.com/penpot/penpot/issues/9668) (PR: [#9028](https://github.com/penpot/penpot/pull/9028))
+- Fix incorrect rendering when exporting text as SVG, PNG and JPG (by @edwin-rivera-dev) [#8516](https://github.com/penpot/penpot/issues/8516) (PR: [#9094](https://github.com/penpot/penpot/pull/9094))
+- Fix typography style creation with tokenized line-height (by @juan-flores077) [#8479](https://github.com/penpot/penpot/issues/8479) (PR: [#9121](https://github.com/penpot/penpot/pull/9121))
+- Fix colorpicker layout hiding eyedropper button [#9669](https://github.com/penpot/penpot/issues/9669) (PR: [#9125](https://github.com/penpot/penpot/pull/9125))
+- Fix restore-deleted-team-files reduce typo (by @Dexterity104) [#9240](https://github.com/penpot/penpot/issues/9240) (PR: [#9241](https://github.com/penpot/penpot/pull/9241))
+- Fix internal error on layer prev/next sibling selection (by @jsdevninja) [#7064](https://github.com/penpot/penpot/issues/7064) (PR: [#9003](https://github.com/penpot/penpot/pull/9003))
+- Fix tooltip appearing two times when nested elements [#9674](https://github.com/penpot/penpot/issues/9674) (PR: [#9031](https://github.com/penpot/penpot/pull/9031))
+- Fix broken update library notification link in the UI [#9673](https://github.com/penpot/penpot/issues/9673) (PR: [#9070](https://github.com/penpot/penpot/pull/9070))
+- Fix plugin API ShapeBase.component() returning outermost instead of immediate component [#9183](https://github.com/penpot/penpot/issues/9183) (PR: [#9298](https://github.com/penpot/penpot/pull/9298))
+- Fix content attribute sync group resolution by shape type [#9527](https://github.com/penpot/penpot/issues/9527) (PR: [#8724](https://github.com/penpot/penpot/pull/8724))
+- Fix plugin parse-point returning plain map instead of Point record (by @FairyPigDev) [#8409](https://github.com/penpot/penpot/issues/8409) (PR: [#9129](https://github.com/penpot/penpot/pull/9129))
+- Fix `:heigth` typo in clipboard frame-same-size? (by @iot2edge) [#9249](https://github.com/penpot/penpot/issues/9249) (PR: [#9250](https://github.com/penpot/penpot/pull/9250))
+- Fix Settings Update button enabled state (by @moorsecopers99) [#9090](https://github.com/penpot/penpot/issues/9090) (PR: [#9091](https://github.com/penpot/penpot/pull/9091))
+- Fix library updates reappearing after reload [#9326](https://github.com/penpot/penpot/issues/9326) (PR: [#9563](https://github.com/penpot/penpot/pull/9563))
+- Fix dependency libraries visible after unlinking main library [#9331](https://github.com/penpot/penpot/issues/9331) (PR: [#9511](https://github.com/penpot/penpot/pull/9511))
+- Fix internal error on margins [#9309](https://github.com/penpot/penpot/issues/9309) (PR: [#9311](https://github.com/penpot/penpot/pull/9311))
+- Remove drag-to-change when token applied on numeric input [#9313](https://github.com/penpot/penpot/issues/9313) (PR: [#9314](https://github.com/penpot/penpot/pull/9314))
+- Fix extra input on canvas background [#9359](https://github.com/penpot/penpot/issues/9359) (PR: [#9360](https://github.com/penpot/penpot/pull/9360))
+- Fix frame selection highlight persists after rename [#9538](https://github.com/penpot/penpot/issues/9538) (PR: [#8938](https://github.com/penpot/penpot/pull/8938))
+- Fix several color picker issues [#9556](https://github.com/penpot/penpot/issues/9556) (PR: [#9558](https://github.com/penpot/penpot/pull/9558))
+- Fix asset icon broken on Asset tab [#9587](https://github.com/penpot/penpot/issues/9587) (PR: [#9612](https://github.com/penpot/penpot/pull/9612))
+- Fix text fill color stops updating in multiselect with texts [#9608](https://github.com/penpot/penpot/issues/9608) (PR: [#9549](https://github.com/penpot/penpot/pull/9549))
+- Fix editing a legacy text element silently detaches its color token [#9255](https://github.com/penpot/penpot/issues/9255) (PR: [#9525](https://github.com/penpot/penpot/pull/9525))
+- Fix token application to grid paddings [#9494](https://github.com/penpot/penpot/issues/9494) (PR: [#9630](https://github.com/penpot/penpot/pull/9630))
+- Fix file crashing when switching a variant [#9259](https://github.com/penpot/penpot/issues/9259) (PR: [#9147](https://github.com/penpot/penpot/pull/9147))
+- Fix set activation after renaming [#9329](https://github.com/penpot/penpot/issues/9329) (PR: [#9545](https://github.com/penpot/penpot/pull/9545))
+- Fix font selection position hiding available fonts [#9489](https://github.com/penpot/penpot/issues/9489) (PR: [#9499](https://github.com/penpot/penpot/pull/9499))
+- Fix numeric input changes not saved when clicking on viewport [#9491](https://github.com/penpot/penpot/issues/9491) (PR: [#9548](https://github.com/penpot/penpot/pull/9548))
+- Fix resize cursor appearing on login and register buttons [#9505](https://github.com/penpot/penpot/issues/9505) (PR: [#9590](https://github.com/penpot/penpot/pull/9590))
+- Fix version restore restoring first previewed version instead of selected one [#9588](https://github.com/penpot/penpot/issues/9588) (PR: [#9626](https://github.com/penpot/penpot/pull/9626))
+- Fix incorrect error message when applying tokens while editing text [#9620](https://github.com/penpot/penpot/issues/9620) (PR: [#9708](https://github.com/penpot/penpot/pull/9708))
+
+
+## 2.15.4 (Unreleased)
 
 ### :bug: Bugs fixed
 
-- Fix incorrect handling of version restore operation [Github #9041](https://github.com/penpot/penpot/pull/9041)
-- Fix removeChild errors from unmount race conditions [Github #8927](https://github.com/penpot/penpot/pull/8927)
+- Emit `create-shape-layout` for flex/grid layout creation from plugins and MCP (same event as workspace) [#9652](https://github.com/penpot/penpot/issues/9652) (PR: [#9654](https://github.com/penpot/penpot/pull/9654))
+- Fix broken authentication on /assets handlers [#9677](https://github.com/penpot/penpot/issues/9677) (PR: [#9679](https://github.com/penpot/penpot/pull/9679))
+- Fix API doc endpoint returning HTML as text/plain [#9680](https://github.com/penpot/penpot/issues/9680) (PR: [#9681](https://github.com/penpot/penpot/pull/9681))
+- Fix unexpected error when opening the export dialog [#9721](https://github.com/penpot/penpot/issues/9721) (PR: [#9704](https://github.com/penpot/penpot/pull/9704))
 
+## 2.15.3
+
+### :bug: Bugs fixed
+
+- Fix Plugin API token methods failing with schema validation error on PRO [GH #9641](https://github.com/penpot/penpot/issues/9641)
+  (PR: [#9632](https://github.com/penpot/penpot/pull/9632))
+- Sanitize comment content on rendering [GH #9642](https://github.com/penpot/penpot/issues/9642)
+  (PR: [#9605](https://github.com/penpot/penpot/pull/9605))
+- Sanitize font family names on custom uploaded fonts [GH #9643](https://github.com/penpot/penpot/issues/9643)
+  (PR: [#9601](https://github.com/penpot/penpot/pull/9601))
+
+## 2.15.2
+
+### :bug: Bugs fixed
+
+- Fix mcp related internal config for docker images [GH #9565](https://github.com/penpot/penpot/pull/9565)
+
+
+## 2.15.1
+
+### :sparkles: New features & Enhancements
+
+- Add support for chunked uploading of fonts [GH #9560](https://github.com/penpot/penpot/issues/9560)
+
+### :bug: Bugs fixed
+
+- Fix "Help & Learning" submenu vertical alignment in account menu (by @juan-flores077) [#9137](https://github.com/penpot/penpot/issues/9137) (PR: [#9138](https://github.com/penpot/penpot/pull/9138))
+
+
+## 2.15.0
+
+### :sparkles: New features & Enhancements
+
+- Add MCP server integration [GH #9174](https://github.com/penpot/penpot/issues/9174)
+  (PR: [#9032](https://github.com/penpot/penpot/pull/9032), [#9321](https://github.com/penpot/penpot/pull/9321))
+- Add chunked upload API for large media and binary files (removes previous upload size limits) [GH #9516](https://github.com/penpot/penpot/issues/9516)
+  (PR: [#8909](https://github.com/penpot/penpot/pull/8909))
+- Add anonymous telemetry event collection [GH #9467](https://github.com/penpot/penpot/issues/9467)
+  (PR: [#9065](https://github.com/penpot/penpot/pull/9065), [#9483](https://github.com/penpot/penpot/pull/9483))
+- Improve team name validation [GH #9517](https://github.com/penpot/penpot/issues/9517)
+  (PR: [#9176](https://github.com/penpot/penpot/pull/9176))
+- Enhance readability of applied tokens in plugins API [GH #9175](https://github.com/penpot/penpot/issues/9175)
+  (PR: [#8607](https://github.com/penpot/penpot/pull/8607))
+- Encourage use of flex/grid layouts in designs generated via MCP [GH #9081](https://github.com/penpot/penpot/issues/9081)
+  (PR: [#9084](https://github.com/penpot/penpot/pull/9084))
+- Improve MCP server logging, adding Loki support [GH #9415](https://github.com/penpot/penpot/issues/9415)
+  (PR: [#9425](https://github.com/penpot/penpot/pull/9425))
+- Add security headers to Nginx on Docker images [GH #9519](https://github.com/penpot/penpot/issues/9519)
+  (PR: [#9473](https://github.com/penpot/penpot/pull/9473))
+
+### :bug: Bugs fixed
+
+- Fix text edition mode not exited when changing selection, blocking token application [GH #9346](https://github.com/penpot/penpot/issues/9346)
+  (PR: [#9355](https://github.com/penpot/penpot/pull/9355))
+- Reduce memory usage of MCP server when handling images (by @opcode81) [GH #9420](https://github.com/penpot/penpot/issues/9420)
+  (PR: [#9431](https://github.com/penpot/penpot/pull/9431))
+- Fix Plugin API token methods rejecting JS array of strings (by @boskodev790) [GH #9162](https://github.com/penpot/penpot/issues/9162)
+  (PR: [#9166](https://github.com/penpot/penpot/pull/9166))
+- Fix release notes modal appearing behind the dashboard sidebar (by @RenzoMXD) [GH #8296](https://github.com/penpot/penpot/issues/8296)
+  (PR: [#9126](https://github.com/penpot/penpot/pull/9126), [#9233](https://github.com/penpot/penpot/pull/9233))
+- Fix empty warning on login [GH #9520](https://github.com/penpot/penpot/issues/9520)
+  (PR: [#9056](https://github.com/penpot/penpot/pull/9056))
+- Fix maximum call stack size exceeded in SSE read-stream [GH #9470](https://github.com/penpot/penpot/issues/9470)
+  (PR: [#9484](https://github.com/penpot/penpot/pull/9484))
+- Fix incorrect handling of version restore operation [GH #9515](https://github.com/penpot/penpot/issues/9515)
+  (PR: [#9041](https://github.com/penpot/penpot/pull/9041))
+- Fix MCP ReplServer binding to all interfaces (0.0.0.0) instead of localhost, allowing unauthenticated RCE [GH #9518](https://github.com/penpot/penpot/issues/9518)
+  (PR: [#9400](https://github.com/penpot/penpot/pull/9400))
+- Fix MCP integrations URL copy action to match the URL displayed in settings [GH #9238](https://github.com/penpot/penpot/issues/9238)
+  (PR: [#9239](https://github.com/penpot/penpot/pull/9239))
+- Fix swapped analytics event names on MCP tab-switch dialog (by @Dexterity104) [GH #9496](https://github.com/penpot/penpot/issues/9496)
+  (PR: [#9322](https://github.com/penpot/penpot/pull/9322))
+- Fix multiple selection on shapes with token applied to stroke color [GH #9522](https://github.com/penpot/penpot/issues/9522)
+  (PR: [#9110](https://github.com/penpot/penpot/pull/9110))
+- Fix onboarding modals appearing behind libraries and templates panel [GH #9521](https://github.com/penpot/penpot/issues/9521)
+  (PR: [#9178](https://github.com/penpot/penpot/pull/9178))
+- Fix keep-alive interval leak in PluginBridge (by @opcode81) [GH #9430](https://github.com/penpot/penpot/issues/9430)
+  (PR: [#9435](https://github.com/penpot/penpot/pull/9435))
+
+## 2.14.5
+
+### :bug: Bugs fixed
+
+- Fix incorrect invitation token handling on register process [GH #9380](https://github.com/penpot/penpot/pull/9380)
+
+## 2.14.4
+
+### :bug: Bugs fixed
+
+- Fix email validation [Taiga #14006](https://tree.taiga.io/project/penpot/issue/14006)
+- Fix email blacklisting [GH #9122](https://github.com/penpot/penpot/pull/9122)
+- Fix removeChild errors from unmount race conditions [GH #8927](https://github.com/penpot/penpot/pull/8927)
 
 ## 2.14.3
 
 ### :sparkles: New features & Enhancements
 
-- Add webp export format to plugin types [Github #8870](https://github.com/penpot/penpot/pull/8870)
-- Use shared singleton containers for React portals to reduce DOM growth [Github #8957](https://github.com/penpot/penpot/pull/8957)
+- Add webp export format to plugin types [GH #8870](https://github.com/penpot/penpot/pull/8870)
+- Use shared singleton containers for React portals to reduce DOM growth [GH #8957](https://github.com/penpot/penpot/pull/8957)
 
 ### :bug: Bugs fixed
 
-- Fix component "broken" after switch variant [Taiga #12984](https://tree.taiga.io/project/penpot/issue/12984)
-- Fix variants corner cases with selrect and points [Github #8882](https://github.com/penpot/penpot/pull/8882)
+- Fix variants corner cases with selrect and points [GH #8882](https://github.com/penpot/penpot/pull/8882)
 - Fix dashboard navigation tabs overlap with projects content when scrolling [Taiga #13962](https://tree.taiga.io/project/penpot/issue/13962)
 - Fix text editor v1 focus [Taiga #13961](https://tree.taiga.io/project/penpot/issue/13961)
-- Fix highlight on frames after rename [Github #8938](https://github.com/penpot/penpot/pull/8938)
-- Fix TypeError in sd-token-uuid when resolving tokens interactively [Github #8929](https://github.com/penpot/penpot/pull/8929)
+- Fix highlight on frames after rename [GH #8938](https://github.com/penpot/penpot/pull/8938)
+- Fix TypeError in sd-token-uuid when resolving tokens interactively [GH #8929](https://github.com/penpot/penpot/pull/8929)
 - Fix path drawing preview passing shape instead of content to next-node
 - Fix swapped arguments in CLJS PathData `-nth` with default
 - Normalize PathData coordinates to safe integer bounds on read
-- Fix RangeError from re-entrant error handling causing stack overflow [Github #8962](https://github.com/penpot/penpot/pull/8962)
-- Fix builder bool styles and media validation [Github #8963](https://github.com/penpot/penpot/pull/8963)
+- Fix RangeError from re-entrant error handling causing stack overflow [GH #8962](https://github.com/penpot/penpot/pull/8962)
+- Fix builder bool styles and media validation [GH #8963](https://github.com/penpot/penpot/pull/8963)
 - Fix "Move to" menu allowing same project as target when multiple files are selected
 - Fix crash when index query param is duplicated in URL
 - Fix wrong extremity point in path `calculate-extremities` for line-to segments
@@ -65,55 +290,53 @@
 - Fix wrong `mapcat` call in `collect-main-shapes`
 - Fix stale accumulator in `get-children-in-instance` recursion
 - Fix typo `:podition` in swap-shapes grid cell
-
+- Fix multiple selection on shapes with token applied to stroke color
 
 ## 2.14.2
 
 ### :sparkles: New features & Enhancements
 
-- Add protection for stale JS asset cache to force reload on version mismatch [Github #8638](https://github.com/penpot/penpot/pull/8638)
-- Normalize newsletter opt-in checkbox across different register flows [Github #8839](https://github.com/penpot/penpot/pull/8839)
+- Add protection for stale JS asset cache to force reload on version mismatch [GH #8638](https://github.com/penpot/penpot/pull/8638)
+- Normalize newsletter opt-in checkbox across different register flows [GH #8839](https://github.com/penpot/penpot/pull/8839)
 
 ### :bug: Bugs fixed
 
 - Fix PathData corruption root causes across WASM and CLJS (unsafe transmute and byteOffset handling)
 - Handle corrupted PathData segments gracefully instead of crashing
 - Fix swapped move-to/line-to type codes in PathData binary readers
-- Fix non-integer row/column values in grid cell position inputs [Github #8869](https://github.com/penpot/penpot/pull/8869)
-- Fix nil path content crash by exposing safe public API [Github #8806](https://github.com/penpot/penpot/pull/8806)
-- Fix infinite recursion in get-frame-ids for thumbnail extraction [Github #8807](https://github.com/penpot/penpot/pull/8807)
+- Fix non-integer row/column values in grid cell position inputs [GH #8869](https://github.com/penpot/penpot/pull/8869)
+- Fix nil path content crash by exposing safe public API [GH #8806](https://github.com/penpot/penpot/pull/8806)
+- Fix infinite recursion in get-frame-ids for thumbnail extraction [GH #8807](https://github.com/penpot/penpot/pull/8807)
 - Fix stale-asset detector missing protocol-dispatch errors
-- Ignore Zone.js toString TypeError in uncaught error handler [Github #8804](https://github.com/penpot/penpot/pull/8804)
-- Prevent thumbnail frame recursion overflow [Github #8763](https://github.com/penpot/penpot/pull/8763)
-- Fix vector index out of bounds in viewer zoom-to-fit/fill [Github #8834](https://github.com/penpot/penpot/pull/8834)
-- Guard delete undo against missing sibling order [Github #8858](https://github.com/penpot/penpot/pull/8858)
-- Fix ICounted error on numeric-input token dropdown keyboard nav [Github #8803](https://github.com/penpot/penpot/pull/8803)
-
+- Ignore Zone.js toString TypeError in uncaught error handler [GH #8804](https://github.com/penpot/penpot/pull/8804)
+- Prevent thumbnail frame recursion overflow [GH #8763](https://github.com/penpot/penpot/pull/8763)
+- Fix vector index out of bounds in viewer zoom-to-fit/fill [GH #8834](https://github.com/penpot/penpot/pull/8834)
+- Guard delete undo against missing sibling order [GH #8858](https://github.com/penpot/penpot/pull/8858)
+- Fix ICounted error on numeric-input token dropdown keyboard nav [GH #8803](https://github.com/penpot/penpot/pull/8803)
 
 ## 2.14.1
 
 ### :sparkles: New features & Enhancements
 
-- Add automatic retry with backoff for idempotent RPC requests on network failures [Github #8792](https://github.com/penpot/penpot/pull/8792)
-- Add scroll and zoom throttling to one state update per animation frame [Github #8812](https://github.com/penpot/penpot/pull/8812)
-- Improve error handling and exception formatting [Github #8757](https://github.com/penpot/penpot/pull/8757)
+- Add automatic retry with backoff for idempotent RPC requests on network failures [GH #8792](https://github.com/penpot/penpot/pull/8792)
+- Add scroll and zoom throttling to one state update per animation frame [GH #8812](https://github.com/penpot/penpot/pull/8812)
+- Improve error handling and exception formatting [GH #8757](https://github.com/penpot/penpot/pull/8757)
 
 ### :bug: Bugs fixed
 
-- Fix crash in apply-text-modifier with nil selrect or modifier [Github #8762](https://github.com/penpot/penpot/pull/8762)
-- Fix incorrect attrs references on generate-sync-shape [Github #8776](https://github.com/penpot/penpot/pull/8776)
-- Fix regression on subpath support [Github #8793](https://github.com/penpot/penpot/pull/8793)
-- Improve error reporting on request parsing failures [Github #8805](https://github.com/penpot/penpot/pull/8805)
-- Fix fetch abort errors escaping the unhandled exception handler [Github #8801](https://github.com/penpot/penpot/pull/8801)
-- Fix nil deref on missing bounds in layout modifier propagation [Github #8735](https://github.com/penpot/penpot/pull/8735)
-- Fix TypeError when token error map lacks :error/fn key [Github #8767](https://github.com/penpot/penpot/pull/8767)
-- Fix dissoc error when detaching stroke color from library [Github #8738](https://github.com/penpot/penpot/pull/8738)
+- Fix crash in apply-text-modifier with nil selrect or modifier [GH #8762](https://github.com/penpot/penpot/pull/8762)
+- Fix incorrect attrs references on generate-sync-shape [GH #8776](https://github.com/penpot/penpot/pull/8776)
+- Fix regression on subpath support [GH #8793](https://github.com/penpot/penpot/pull/8793)
+- Improve error reporting on request parsing failures [GH #8805](https://github.com/penpot/penpot/pull/8805)
+- Fix fetch abort errors escaping the unhandled exception handler [GH #8801](https://github.com/penpot/penpot/pull/8801)
+- Fix nil deref on missing bounds in layout modifier propagation [GH #8735](https://github.com/penpot/penpot/pull/8735)
+- Fix TypeError when token error map lacks :error/fn key [GH #8767](https://github.com/penpot/penpot/pull/8767)
+- Fix dissoc error when detaching stroke color from library [GH #8738](https://github.com/penpot/penpot/pull/8738)
 - Fix crash when pasting image into text editor
 - Fix null text crash on paste in text editor
 - Ensure path content is always PathData when saving
 - Fix error when get-parent-with-data encounters non-Element nodes
 
-
 ## 2.14.0
 
 ### :boom: Breaking changes & Deprecations
@@ -129,37 +352,31 @@
 - Optimize sidebar performance for deeply nested shapes [Taiga #13017](https://tree.taiga.io/project/penpot/task/13017)
 - Remove tokens path node and bulk remove tokens [Taiga #13007](https://tree.taiga.io/project/penpot/us/13007)
 - Replace themes management modal radio buttons for switches [Taiga #9215](https://tree.taiga.io/project/penpot/us/9215)
-- [MCP server] Integrations section [Taiga #13112](https://tree.taiga.io/project/penpot/us/13112)
-- [Access Tokens] Look & feel refinement [Taiga #13114](https://tree.taiga.io/project/penpot/us/13114)
 
 ### :bug: Bugs fixed
 
-- Remove whitespaces from asset export filename [Github #8133](https://github.com/penpot/penpot/pull/8133)
+- Remove whitespaces from asset export filename [GH #8133](https://github.com/penpot/penpot/pull/8133)
 - Fix prototype connections lost when switching between variants [Taiga #12812](https://tree.taiga.io/project/penpot/issue/12812)
 - Fix wrong image in the onboarding invitation block [Taiga #13040](https://tree.taiga.io/project/penpot/issue/13040)
 - Fix wrong register image [Taiga #12955](https://tree.taiga.io/project/penpot/task/12955)
 - Fix error message on components doesn't close automatically [Taiga #12012](https://tree.taiga.io/project/penpot/issue/12012)
-- Fix incorrect handling of input values on layout gap and padding inputs [Github #8113](https://github.com/penpot/penpot/issues/8113)
-- Fix incorrect default option on tokens import dialog [Github #8051](https://github.com/penpot/penpot/pull/8051)
-- Fix unhandled exception tokens creation dialog [Github #8110](https://github.com/penpot/penpot/issues/8110)
+- Fix incorrect default option on tokens import dialog [GH #8051](https://github.com/penpot/penpot/pull/8051)
+- Fix unhandled exception tokens creation dialog [GH #8110](https://github.com/penpot/penpot/issues/8110)
 - Fix displaying a hidden user avatar when there is only one more [Taiga #13058](https://tree.taiga.io/project/penpot/issue/13058)
-- Fix unhandled exception on open-new-window helper [Github #7787](https://github.com/penpot/penpot/issues/7787)
-- Fix exception on uploading large fonts [Github #8135](https://github.com/penpot/penpot/pull/8135)
+- Fix exception on uploading large fonts [GH #8135](https://github.com/penpot/penpot/pull/8135)
 - Fix boolean operators in menu for boards [Taiga #13174](https://tree.taiga.io/project/penpot/issue/13174)
 - Fix viewer can update library [Taiga #13186](https://tree.taiga.io/project/penpot/issue/13186)
 - Fix remove fill affects different element than selected [Taiga #13128](https://tree.taiga.io/project/penpot/issue/13128)
-- Fix unable to finish the create account form using keyboard [Taiga #11333](https://tree.taiga.io/project/penpot/issue/11333)
-- Fix 45 rotated board titles rendered incorrectly [Taiga #13306](https://tree.taiga.io/project/penpot/issue/13306)
 - Fix cannot apply second token after creation while shape is selected [Taiga #13513](https://tree.taiga.io/project/penpot/issue/13513)
 - Fix error activating a set with invalid shadow token applied [Taiga #13528](https://tree.taiga.io/project/penpot/issue/13528)
 - Fix component "broken" after variant switch [Taiga #12984](https://tree.taiga.io/project/penpot/issue/12984)
-- Fix incorrect query for file versions [Github #8463](https://github.com/penpot/penpot/pull/8463)
+- Fix incorrect query for file versions [GH #8463](https://github.com/penpot/penpot/pull/8463)
 - Fix warning when clicking on number token pills [Taiga #13661](https://tree.taiga.io/project/penpot/issue/13661)
-- Fix 'not ISeqable' error when entering float values in layout item and opacity inputs [Github #8569](https://github.com/penpot/penpot/pull/8569)
-- Fix crash in select component when options vector is empty [Github #8578](https://github.com/penpot/penpot/pull/8578)
+- Fix 'not ISeqable' error when entering float values in layout item and opacity inputs [GH #8569](https://github.com/penpot/penpot/pull/8569)
+- Fix crash in select component when options vector is empty [GH #8578](https://github.com/penpot/penpot/pull/8578)
 - Fix scroll on colorpicker [Taiga #13623](https://tree.taiga.io/project/penpot/issue/13623)
-- Fix crash when pasting non-map transit clipboard data [Github #8580](https://github.com/penpot/penpot/pull/8580)
-- Fix `penpot.openPage()` plugin API not navigating in the same tab; change default to same-tab navigation and allow passing a UUID string instead of a Page object [Github #8520](https://github.com/penpot/penpot/issues/8520)
+- Fix crash when pasting non-map transit clipboard data [GH #8580](https://github.com/penpot/penpot/pull/8580)
+- Fix `penpot.openPage()` plugin API not navigating in the same tab; change default to same-tab navigation and allow passing a UUID string instead of a Page object [GH #8520](https://github.com/penpot/penpot/issues/8520)
 
 ## 2.13.3
 
@@ -183,9 +400,8 @@
 ## 2.13.0
 
 ### :heart: Community contributions (Thank you!)
-- Add 'page' special shapeId to MCP export_shape tool for full-page snapshots [Github #8689](https://github.com/penpot/penpot/issues/8689)
 
-- Fix mask issues with component swap (by @dfelinto) [Github #7675](https://github.com/penpot/penpot/issues/7675)
+- Fix mask issues with component swap (by @dfelinto) [GH #7675](https://github.com/penpot/penpot/issues/7675)
 
 ### :sparkles: New features & Enhancements
 
@@ -198,7 +414,7 @@
 - Fix problem when drag+duplicate a full grid [Taiga #12565](https://tree.taiga.io/project/penpot/issue/12565)
 - Fix problem when pasting elements in reverse flex layout [Taiga #12460](https://tree.taiga.io/project/penpot/issue/12460)
 - Fix wrong board size presets in Android [Taiga #12339](https://tree.taiga.io/project/penpot/issue/12339)
-- Fix problem with grid layout components and auto sizing [Github #7797](https://github.com/penpot/penpot/issues/7797)
+- Fix problem with grid layout components and auto sizing [GH #7797](https://github.com/penpot/penpot/issues/7797)
 - Fix some alignments on inspect tab [Taiga #12915](https://tree.taiga.io/project/penpot/issue/12915)
 - Fix problem with text editor maintaining previous styles [Taiga #12835](https://tree.taiga.io/project/penpot/issue/12835)
 - Fix color assets from shared libraries not appearing as assets in Selected colors panel [Taiga #12957](https://tree.taiga.io/project/penpot/issue/12957)
@@ -207,15 +423,11 @@
 - Fix missing text color token from selected shapes in selected colors list [Taiga #12956](https://tree.taiga.io/project/penpot/issue/12956)
 - Fix dropdown option width in Guides columns dropdown [Taiga #12959](https://tree.taiga.io/project/penpot/issue/12959)
 - Fix typos on download modal [Taiga #12865](https://tree.taiga.io/project/penpot/issue/12865)
-- Fix problem with text editor maintaining previous styles [Taiga #12835](https://tree.taiga.io/project/penpot/issue/12835)
-- Fix unhandled exception tokens creation dialog [Github #8110](https://github.com/penpot/penpot/issues/8110)
 - Fix allow negative spread values on shadow token creation [Taiga #13167](https://tree.taiga.io/project/penpot/issue/13167)
 - Fix spanish translations on import export token modal [Taiga #13171](https://tree.taiga.io/project/penpot/issue/13171)
-- Remove whitespaces from asset export filename [Github #8133](https://github.com/penpot/penpot/pull/8133)
-- Fix exception on uploading large fonts [Github #8135](https://github.com/penpot/penpot/pull/8135)
-- Fix unhandled exception on open-new-window helper [Github #7787](https://github.com/penpot/penpot/issues/7787)
-- Fix incorrect handling of input values on layout gap and padding inputs [Github #8113](https://github.com/penpot/penpot/issues/8113)
-- Fix several race conditions on path editor [Github #8187](https://github.com/penpot/penpot/pull/8187)
+- Fix unhandled exception on open-new-window helper [GH #7787](https://github.com/penpot/penpot/issues/7787)
+- Fix incorrect handling of input values on layout gap and padding inputs [GH #8113](https://github.com/penpot/penpot/issues/8113)
+- Fix several race conditions on path editor [GH #8187](https://github.com/penpot/penpot/pull/8187)
 - Fix app freeze when introducing an error on a very long token name [Taiga #13214](https://tree.taiga.io/project/penpot/issue/13214)
 - Fix import a file with shadow tokens [Taiga #13229](https://tree.taiga.io/project/penpot/issue/13229)
 - Fix allow spaces on token description [Taiga #13184](https://tree.taiga.io/project/penpot/issue/13184)
@@ -225,9 +437,9 @@
 
 ### :bug: Bugs fixed
 
-- Fix setting a portion of text as bold or underline messes things up [Github #7980](https://github.com/penpot/penpot/issues/7980)
+- Fix setting a portion of text as bold or underline messes things up [GH #7980](https://github.com/penpot/penpot/issues/7980)
 - Fix problem with style in fonts input [Taiga #12935](https://tree.taiga.io/project/penpot/issue/12935)
-- Fix problem with path editor and right click [Github #7917](https://github.com/penpot/penpot/issues/7917)
+- Fix problem with path editor and right click [GH #7917](https://github.com/penpot/penpot/issues/7917)
 
 ## 2.12.0
 
@@ -287,8 +499,8 @@ example. It's still usable as before, we just removed the example.
 
 ### :heart: Community contributions (Thank you!)
 
-- Ensure consistent snap behavior across all zoom levels [Github #7774](https://github.com/penpot/penpot/pull/7774) by [@Tokytome](https://github.com/Tokytome)
-- Fix crash in token grid view due to tooltip validation (by @dfelinto) [Github #7887](https://github.com/penpot/penpot/pull/7887)
+- Ensure consistent snap behavior across all zoom levels [GH #7774](https://github.com/penpot/penpot/pull/7774) by [@Tokytome](https://github.com/Tokytome)
+- Fix crash in token grid view due to tooltip validation (by @dfelinto) [GH #7887](https://github.com/penpot/penpot/pull/7887)
 - Enable Hindi translations on the application
 
 ### :sparkles: New features & Enhancements
@@ -297,7 +509,7 @@ example. It's still usable as before, we just removed the example.
 - Add toggle for switching boolean property values [Taiga #12341](https://tree.taiga.io/project/penpot/us/12341)
 - Make the file export process more reliable [Taiga #12555](https://tree.taiga.io/project/penpot/us/12555)
 - Add auth flow changes [Taiga #12333](https://tree.taiga.io/project/penpot/us/12333)
-- Add new shape validation mechanism for shapes [Github #7696](https://github.com/penpot/penpot/pull/7696)
+- Add new shape validation mechanism for shapes [GH #7696](https://github.com/penpot/penpot/pull/7696)
 - Apply color tokens from sidebar [Taiga #11353](https://tree.taiga.io/project/penpot/us/11353)
 - Display tokens in the inspect tab [Taiga #9313](https://tree.taiga.io/project/penpot/us/9313)
 - Refactor clipboard behavior to assess some minor inconsistencies and make pasting binary data faster. [Taiga #12571](https://tree.taiga.io/project/penpot/task/12571)
@@ -305,12 +517,10 @@ example. It's still usable as before, we just removed the example.
 ### :bug: Bugs fixed
 
 - Fix text line-height values are wrong [Taiga #12252](https://tree.taiga.io/project/penpot/issue/12252)
-- Fix an error translation [Taiga #12402](https://tree.taiga.io/project/penpot/issue/12402)
-- Fix pan cursor not disabling viewport guides [Github #6985](https://github.com/penpot/penpot/issues/6985)
+- Fix pan cursor not disabling viewport guides [GH #6985](https://github.com/penpot/penpot/issues/6985)
 - Fix viewport resize on locked shapes [Taiga #11974](https://tree.taiga.io/project/penpot/issue/11974)
-- Fix nested variant in a component doesn't keep inherited overrides [Taiga #12299](https://tree.taiga.io/project/penpot/issue/12299)
 - Fix on copy instance inside a components chain touched are missing [Taiga #12371](https://tree.taiga.io/project/penpot/issue/12371)
-- Fix problem with multiple selection and shadows [Github #7437](https://github.com/penpot/penpot/issues/7437)
+- Fix problem with multiple selection and shadows [GH #7437](https://github.com/penpot/penpot/issues/7437)
 - Fix search shortcut [Taiga #10265](https://tree.taiga.io/project/penpot/issue/10265)
 - Fix shortcut conflict in text editor (increase/decrease font size vs word selection)
 - Fix problem with plugins generating code for pages different than current one [Taiga #12312](https://tree.taiga.io/project/penpot/issue/12312)
@@ -323,7 +533,7 @@ example. It's still usable as before, we just removed the example.
 - Fix switch variants with paths [Taiga #12841](https://tree.taiga.io/project/penpot/issue/12841)
 - Fix referencing typography tokens on font-family tokens [Taiga #12492](https://tree.taiga.io/project/penpot/issue/12492)
 - Fix horizontal scroll on layer panel [Taiga #12843](https://tree.taiga.io/project/penpot/issue/12843)
-- Fix unicode handling on email template abbreviation filter [Github #7966](https://github.com/penpot/penpot/pull/7966)
+- Fix unicode handling on email template abbreviation filter [GH #7966](https://github.com/penpot/penpot/pull/7966)
 
 ## 2.11.1
 
@@ -364,15 +574,15 @@ example. It's still usable as before, we just removed the example.
 - Invitations management improvements [Taiga #3479](https://tree.taiga.io/project/penpot/us/3479)
 - Alternative ways of creating variants - Button Viewport [Taiga #11931](https://tree.taiga.io/project/penpot/us/11931)
 - Reorder properties for a component [Taiga #10225](https://tree.taiga.io/project/penpot/us/10225)
-- File Data storage layout refactor [Github #7345](https://github.com/penpot/penpot/pull/7345)
-- Make several queries optimization on comment threads [Github #7506](https://github.com/penpot/penpot/pull/7506)
+- File Data storage layout refactor [GH #7345](https://github.com/penpot/penpot/pull/7345)
+- Make several queries optimization on comment threads [GH #7506](https://github.com/penpot/penpot/pull/7506)
 
 ### :bug: Bugs fixed
 
 - Fix selection problems when devtools open [Taiga #11950](https://tree.taiga.io/project/penpot/issue/11950)
 - Fix long font names overlap [Taiga #11844](https://tree.taiga.io/project/penpot/issue/11844)
 - Fix paste behavior according to the selected element [Taiga #11979](https://tree.taiga.io/project/penpot/issue/11979)
-- Fix problem with export size [Github #7160](https://github.com/penpot/penpot/issues/7160)
+- Fix problem with export size [GH #7160](https://github.com/penpot/penpot/issues/7160)
 - Fix multi level library dependencies [Taiga #12155](https://tree.taiga.io/project/penpot/issue/12155)
 - Fix component context menu options order in assets tab [Taiga #11941](https://tree.taiga.io/project/penpot/issue/11941)
 - Fix error updating library [Taiga #12218](https://tree.taiga.io/project/penpot/issue/12218)
@@ -389,7 +599,7 @@ example. It's still usable as before, we just removed the example.
 - Fix text override is lost after switch [Taiga #12269](https://tree.taiga.io/project/penpot/issue/12269)
 - Fix exporting a board crashing the app [Taiga #12384](https://tree.taiga.io/project/penpot/issue/12384)
 - Fix nested variant in a component doesn't keep inherited overrides [Taiga #12299](https://tree.taiga.io/project/penpot/issue/12299)
-- Fix selected colors not showing colors from children shapes in multiple selection [Taiga #12384](https://tree.taiga.io/project/penpot/issue/12385)
+- Fix selected colors not showing colors from children shapes in multiple selection [Taiga #12385](https://tree.taiga.io/project/penpot/issue/12385)
 - Fix scrollbar issue in design tab [Taiga #12367](https://tree.taiga.io/project/penpot/issue/12367)
 - Fix library update notificacions showing when they should not [Taiga #12397](https://tree.taiga.io/project/penpot/issue/12397)
 - Fix remove flex button doesn’t work within variant [Taiga #12314](https://tree.taiga.io/project/penpot/issue/12314)
@@ -400,8 +610,8 @@ example. It's still usable as before, we just removed the example.
 - Fix options button does not work for comments created in the lower part of the screen [Taiga #12422](https://tree.taiga.io/project/penpot/issue/12422)
 - Fix problem when checking usage with removed teams [Taiga #12442](https://tree.taiga.io/project/penpot/issue/12442)
 - Fix focus mode persisting across page/file navigation [Taiga #12469](https://tree.taiga.io/project/penpot/issue/12469)
-- Fix shadow color validation [Github #7705](https://github.com/penpot/penpot/pull/7705)
-- Fix exception on selection blend-mode using keyboard [Github #7710](https://github.com/penpot/penpot/pull/7710)
+- Fix shadow color validation [GH #7705](https://github.com/penpot/penpot/pull/7705)
+- Fix exception on selection blend-mode using keyboard [GH #7710](https://github.com/penpot/penpot/pull/7710)
 - Fix crash when using decimal (floating-point) values for X/Y or width/height [Taiga #12543](https://tree.taiga.io/project/penpot/issue/12543)
 
 ## 2.10.1
@@ -426,7 +636,7 @@ example. It's still usable as before, we just removed the example.
 
 ### :sparkles: New features & Enhancements
 
-- Add efficiency enhancements to right sidebar [Github #7182](https://github.com/penpot/penpot/pull/7182)
+- Add efficiency enhancements to right sidebar [GH #7182](https://github.com/penpot/penpot/pull/7182)
 - Add defaults for artboard drawing [Taiga #494](https://tree.taiga.io/project/penpot/us/494?milestone=465047)
 - Continuous display of distances between elements when moving a layer with the keyboard [Taiga #1780](https://tree.taiga.io/project/penpot/us/1780)
 - New Number token - unitless values [Taiga #10936](https://tree.taiga.io/project/penpot/us/10936)
@@ -435,8 +645,8 @@ example. It's still usable as before, we just removed the example.
 - New text-decoration token [Taiga #10941](https://tree.taiga.io/project/penpot/us/10941)
 - New letter spacing token [Taiga #10940](https://tree.taiga.io/project/penpot/us/10940)
 - New font weight token [Taiga #10939](https://tree.taiga.io/project/penpot/us/10939)
-- Upgrade Node to v22.18.0 [Github #7283](https://github.com/penpot/penpot/pull/7283)
-- Upgrade the base docker image for penpot frontend to v1.29.1 [Github #7283](https://github.com/penpot/penpot/pull/7283)
+- Upgrade Node to v22.18.0 [GH #7283](https://github.com/penpot/penpot/pull/7283)
+- Upgrade the base docker image for penpot frontend to v1.29.1 [GH #7283](https://github.com/penpot/penpot/pull/7283)
 - Create variant from an existing component [Taiga #2088](https://tree.taiga.io/project/penpot/us/2088)
 - Create variant from an existing variant [Taiga #8282](https://tree.taiga.io/project/penpot/us/8282)
 - Actions over a component with variants [Taiga #10503](https://tree.taiga.io/project/penpot/us/10503)
@@ -505,7 +715,7 @@ example. It's still usable as before, we just removed the example.
 - Hide bounding box while editing visual effects [Taiga #11576](https://tree.taiga.io/project/penpot/issue/11576)
 - Improved text layer resizing: Allow double-click on text bounding box to set auto-width/auto-height [Taiga #11577](https://tree.taiga.io/project/penpot/issue/11577)
 - Improve text layer auto-resize: auto-width switches to auto-height on horizontal resize, and only switches to fixed on vertical resize [Taiga #11578](https://tree.taiga.io/project/penpot/issue/11578)
-- Add the ability to show login dialog on profile settings [Github #6871](https://github.com/penpot/penpot/pull/6871)
+- Add the ability to show login dialog on profile settings [GH #6871](https://github.com/penpot/penpot/pull/6871)
 - Improve the application of tokens with object specific tokens [Taiga #10209](https://tree.taiga.io/project/penpot/us/10209)
 - Add info to apply-token event [Taiga #11710](https://tree.taiga.io/project/penpot/task/11710)
 - Fix double click on set name input [Taiga #11747](https://tree.taiga.io/project/penpot/issue/11747)
@@ -545,7 +755,7 @@ example. It's still usable as before, we just removed the example.
 
 ### :bug: Bugs fixed
 
-- Fix unexpected exception on processing old texts [Github #6889](https://github.com/penpot/penpot/pull/6889)
+- Fix unexpected exception on processing old texts [GH #6889](https://github.com/penpot/penpot/pull/6889)
 - Fix error on inspect tab when selecting multiple shapes [Taiga #11655](https://tree.taiga.io/project/penpot/issue/11655)
 - Fix missing package for the penport_exporter Docker image [GitHub #7205](https://github.com/penpot/penpot/issues/7025)
 
@@ -578,13 +788,13 @@ on-premises instances** that want to keep up to date.
 - Rewrite path shape data PathData encoding [Taiga #8542](https://tree.taiga.io/project/penpot/us/8542?milestone=441308)
 - Update base image for Docker Backend and Exporter to Ubuntu 24.04
 - Update base image for Docker Frontend to Nginx 1.28.0
-- Allow multi file token import [Github #27](https://github.com/tokens-studio/penpot/issues/27)
+- Allow multi file token import [GH #27](https://github.com/tokens-studio/penpot/issues/27)
 - Create `input*` wrapper component, and `label*`, `input-field*` and `hint-message*` components [Taiga #10713](https://tree.taiga.io/project/penpot/us/10713)
-- Deselect layers (and path nodes) with Ctrl+Shift+Drag [Github #2509](https://github.com/penpot/penpot/issues/2509)
-- Copy to SVG from contextual menu [Github #838](https://github.com/penpot/penpot/issues/838)
+- Deselect layers (and path nodes) with Ctrl+Shift+Drag [GH #2509](https://github.com/penpot/penpot/issues/2509)
+- Copy to SVG from contextual menu [GH #838](https://github.com/penpot/penpot/issues/838)
 - Add styles for Inkeep Chat at workspace [Taiga #10708](https://tree.taiga.io/project/penpot/us/10708)
 - Add configuration for air gapped installations with Docker
-- Support system color scheme [Github #5030](https://github.com/penpot/penpot/issues/5030)
+- Support system color scheme [GH #5030](https://github.com/penpot/penpot/issues/5030)
 - Persist ruler visibility across files and reloads [GitHub #4586](https://github.com/penpot/penpot/issues/4586)
 - Update google fonts (at 2025/05/19) [Taiga 10792](https://tree.taiga.io/project/penpot/us/10792)
 - Add tooltip component to DS [Taiga 9220](https://tree.taiga.io/project/penpot/us/9220)
@@ -595,7 +805,7 @@ on-premises instances** that want to keep up to date.
 
 - Fix getCurrentUser for plugins api [Taiga #11057](https://tree.taiga.io/project/penpot/issue/11057)
 - Fix spacing / sizes of different elements in the measurements section of the design tab [Taiga #11076](https://tree.taiga.io/project/penpot/issue/11076)
-- Fix selection of short paths [Github #4472](https://github.com/penpot/penpot/issues/4472)
+- Fix selection of short paths [GH #4472](https://github.com/penpot/penpot/issues/4472)
 - Fix element positioning on the right side to adjust to grid [#11073](https://tree.taiga.io/project/penpot/issue/11073)
 - Fix palette is over sidebar [#11160](https://tree.taiga.io/project/penpot/issue/11160)
 - Fix font size input not displaying "mixed" when multiple texts are selected [Taiga #11177](https://tree.taiga.io/project/penpot/issue/11177)
@@ -613,15 +823,15 @@ on-premises instances** that want to keep up to date.
 - Fix entering long project name [Taiga #11417](https://tree.taiga.io/project/penpot/issue/11417)
 - Fix slow color picker [Taiga #11019](https://tree.taiga.io/project/penpot/issue/11019)
 - Fix tooltip position after click [Taiga #11405](https://tree.taiga.io/project/penpot/issue/11405)
-- Fix incorrect media translation on paste text with fill images [Github #6845](https://github.com/penpot/penpot/pull/6845)
+- Fix incorrect media translation on paste text with fill images [GH #6845](https://github.com/penpot/penpot/pull/6845)
 
 ## 2.7.2
 
 ### :bug: Bugs fixed
 
-- Update plugins runtime [Github #6604](https://github.com/penpot/penpot/pull/6604)
+- Update plugins runtime [GH #6604](https://github.com/penpot/penpot/pull/6604)
 - Backport from develop a minor fix that enables import of files
-  generated by penpot library [Github #6614](https://github.com/penpot/penpot/pull/6614)
+  generated by penpot library [GH #6614](https://github.com/penpot/penpot/pull/6614)
 - Fix copy in error message [GitHub #6615](https://github.com/penpot/penpot/pull/6615)
 - Fix url on invitation link [Taiga #11284](https://tree.taiga.io/project/penpot/issue/11284)
 
@@ -672,13 +882,13 @@ on-premises instances** that want to keep up to date.
 - Fix team info settings alignment [Taiga #10869](https://tree.taiga.io/project/penpot/issue/10869)
 - Fix left sidebar horizontal scroll on nested layers [Taiga #10791](https://tree.taiga.io/project/penpot/issue/10791)
 - Improve error message details importing tokens [Taiga Issue #10772](https://tree.taiga.io/project/penpot/issue/10772)
-- Fix no selected set after Drag & Drop [Github #71](https://github.com/tokens-studio/penpot/issues/71)
-- Styledictionary v5 Update [Github #6283](https://github.com/penpot/penpot/pull/6283)
-- Fix Rename a set throws an internal error [Github #78](https://github.com/tokens-studio/penpot/issues/78)
-- Fix Out of Sync Token Value & Color Picker [Github #102](https://github.com/tokens-studio/penpot/issues/102)
-- Fix Color should preserve color space [Github #69](https://github.com/tokens-studio/penpot/issues/69)
+- Fix no selected set after Drag & Drop [GH #71](https://github.com/tokens-studio/penpot/issues/71)
+- Styledictionary v5 Update [GH #6283](https://github.com/penpot/penpot/pull/6283)
+- Fix Rename a set throws an internal error [GH #78](https://github.com/tokens-studio/penpot/issues/78)
+- Fix Out of Sync Token Value & Color Picker [GH #102](https://github.com/tokens-studio/penpot/issues/102)
+- Fix Color should preserve color space [GH #69](https://github.com/tokens-studio/penpot/issues/69)
 - Fix cannot rename Design Token Sets when group of same name exists [Taiga Issue #10773](https://tree.taiga.io/project/penpot/issue/10773)
-- Fix problem when duplicating grid layout [Github #6391](https://github.com/penpot/penpot/issues/6391)
+- Fix problem when duplicating grid layout [GH #6391](https://github.com/penpot/penpot/issues/6391)
 - Fix issue that makes workspace shortcuts stop working [Taiga #11062](https://tree.taiga.io/project/penpot/issue/11062)
 - Fix problem while syncing library colors and typographies [Taiga #11068](https://tree.taiga.io/project/penpot/issue/11068)
 - Fix problem with path edition of shapes [Taiga #9496](https://tree.taiga.io/project/penpot/issue/9496)
@@ -702,7 +912,7 @@ on-premises instances** that want to keep up to date.
 - Fix unexpected exception on template import from libraries
 - Fix incorrect uuid parsing from different parts of code
 - Fix update layout on component restore [Taiga #10637](https://tree.taiga.io/project/penpot/issue/10637)
-- Fix horizontal scroll in viewer [Github #6290](https://github.com/penpot/penpot/issues/6290)
+- Fix horizontal scroll in viewer [GH #6290](https://github.com/penpot/penpot/issues/6290)
 - Fix detach component in a particular case [Taiga #10837](https://tree.taiga.io/project/penpot/issue/10837)
 
 ## 2.6.1
@@ -742,7 +952,7 @@ on-premises instances** that want to keep up to date.
 
 ### :bug: Bugs fixed
 
-- Fix opacity in frame containers [Github #5858](https://github.com/penpot/penpot/pull/5858)
+- Fix opacity in frame containers [GH #5858](https://github.com/penpot/penpot/pull/5858)
 - Avoid resizing on click [Taiga #10213](https://tree.taiga.io/project/penpot/issue/10213)
 - Hide horizontal scroll from dashboard sidebar [Taiga #10422](https://tree.taiga.io/project/penpot/issue/10422)
 - Fix cut and paste a copy a cmponent inside its parent [Taiga #10365](https://tree.taiga.io/project/penpot/us/10365)
@@ -767,7 +977,7 @@ on-premises instances** that want to keep up to date.
 
 ### :heart: Community contributions (Thank you!)
 
-- Add support for WEBP format on shape export [Github #6053](https://github.com/penpot/penpot/pull/6053) and [Github #6074](https://github.com/penpot/penpot/pull/6074)
+- Add support for WEBP format on shape export [GH #6053](https://github.com/penpot/penpot/pull/6053) and [GH #6074](https://github.com/penpot/penpot/pull/6074)
 
 ### :bug: Bugs fixed
 
@@ -990,20 +1200,20 @@ is a number of cores)
 - Fix problem with go back button on error page [Taiga #8887](https://tree.taiga.io/project/penpot/issue/8887)
 - Fix problem with shadows in text for Safari [Taiga #8770](https://tree.taiga.io/project/penpot/issue/8770)
 - Fix a regression with feedback form subject and content limits [Taiga #8908](https://tree.taiga.io/project/penpot/issue/8908)
-- Fix problem with stroke and filter ordering in frames [Github #5058](https://github.com/penpot/penpot/issues/5058)
-- Fix problem with hover layers when hidden/blocked [Github #5074](https://github.com/penpot/penpot/issues/5074)
+- Fix problem with stroke and filter ordering in frames [GH #5058](https://github.com/penpot/penpot/issues/5058)
+- Fix problem with hover layers when hidden/blocked [GH #5074](https://github.com/penpot/penpot/issues/5074)
 - Fix problem with precision on boolean calculation [Taiga #8482](https://tree.taiga.io/project/penpot/issue/8482)
-- Fix problem when translating multiple path points [Github #4459](https://github.com/penpot/penpot/issues/4459)
+- Fix problem when translating multiple path points [GH #4459](https://github.com/penpot/penpot/issues/4459)
 - Fix problem on importing (and exporting) files with flows [Taiga #8914](https://tree.taiga.io/project/penpot/issue/8914)
 - Fix Internal Error page: "go to your penpot" wrong design [Taiga #8922](https://tree.taiga.io/project/penpot/issue/8922)
-- Fix problem updating layout when toggle visibility in component copy [Github #5143](https://github.com/penpot/penpot/issues/5143)
+- Fix problem updating layout when toggle visibility in component copy [GH #5143](https://github.com/penpot/penpot/issues/5143)
 - Fix "Done" button on toolbar on inspect mode should go to design mode [Taiga #8933](https://tree.taiga.io/project/penpot/issue/8933)
-- Fix problem with shortcuts in text editor [Github #5078](https://github.com/penpot/penpot/issues/5078)
-- Fix problems with show in viewer and interactions [Github #4868](https://github.com/penpot/penpot/issues/4868)
-- Add visual feedback when moving an element into a board [Github #3210](https://github.com/penpot/penpot/issues/3210)
-- Fix percent calculation on grid layout tracks [Github #4688](https://github.com/penpot/penpot/issues/4688)
-- Fix problem with caps and inner shadows [Github #4517](https://github.com/penpot/penpot/issues/4517)
-- Fix problem with horizontal/vertical lines and shadows [Github #4516](https://github.com/penpot/penpot/issues/4516)
+- Fix problem with shortcuts in text editor [GH #5078](https://github.com/penpot/penpot/issues/5078)
+- Fix problems with show in viewer and interactions [GH #4868](https://github.com/penpot/penpot/issues/4868)
+- Add visual feedback when moving an element into a board [GH #3210](https://github.com/penpot/penpot/issues/3210)
+- Fix percent calculation on grid layout tracks [GH #4688](https://github.com/penpot/penpot/issues/4688)
+- Fix problem with caps and inner shadows [GH #4517](https://github.com/penpot/penpot/issues/4517)
+- Fix problem with horizontal/vertical lines and shadows [GH #4516](https://github.com/penpot/penpot/issues/4516)
 - Fix problem with layers overflowing panel [Taiga #9021](https://tree.taiga.io/project/penpot/issue/9021)
 - Fix in workspace you can manage rulers on view mode [Taiga #8966](https://tree.taiga.io/project/penpot/issue/8966)
 - Fix problem with swap components in grid layout [Taiga #9066](https://tree.taiga.io/project/penpot/issue/9066)
@@ -1096,10 +1306,10 @@ is a number of cores)
 - Fix fill collapsed options [Taiga #8351](https://tree.taiga.io/project/penpot/issue/8351)
 - Fix scroll on color picker modal [Taiga #8353](https://tree.taiga.io/project/penpot/issue/8353)
 - Fix components are not dragged from the group to the assets tab [Taiga #8273](https://tree.taiga.io/project/penpot/issue/8273)
-- Fix problem with SVG import [Github #4888](https://github.com/penpot/penpot/issues/4888)
+- Fix problem with SVG import [GH #4888](https://github.com/penpot/penpot/issues/4888)
 - Fix problem with overlay positions in viewer [Taiga #8464](https://tree.taiga.io/project/penpot/issue/8464)
 - Fix layer panel overflowing [Taiga #8665](https://tree.taiga.io/project/penpot/issue/8665)
-- Fix problem when creating a component instance from grid layout [Github #4881](https://github.com/penpot/penpot/issues/4881)
+- Fix problem when creating a component instance from grid layout [GH #4881](https://github.com/penpot/penpot/issues/4881)
 - Fix problem when dismissing shared library update [Taiga #8669](https://tree.taiga.io/project/penpot/issue/8669)
 - Fix visual problem with stroke cap menu [Taiga #8730](https://tree.taiga.io/project/penpot/issue/8730)
 - Fix issue when exporting libraries when merging libraries [Taiga #8758](https://tree.taiga.io/project/penpot/issue/8758)
@@ -1124,15 +1334,15 @@ is a number of cores)
 
 ## 2.1.3
 
-- Don't allow registration when registration is disabled and invitation token is used [Github #4975](https://github.com/penpot/penpot/issues/4975)
+- Don't allow registration when registration is disabled and invitation token is used [GH #4975](https://github.com/penpot/penpot/issues/4975)
 
 ## 2.1.2
 
 ### :bug: Bugs fixed
 
-- User switch language to "zh_hant" will get 400 [Github #4884](https://github.com/penpot/penpot/issues/4884)
-- Smtp config ignoring port if ssl is set [Github #4872](https://github.com/penpot/penpot/issues/4872)
-- Ability to let users to authenticate with a private oidc provider only [Github #4963](https://github.com/penpot/penpot/issues/4963)
+- User switch language to "zh_hant" will get 400 [GH #4884](https://github.com/penpot/penpot/issues/4884)
+- Smtp config ignoring port if ssl is set [GH #4872](https://github.com/penpot/penpot/issues/4872)
+- Ability to let users to authenticate with a private oidc provider only [GH #4963](https://github.com/penpot/penpot/issues/4963)
 
 ## 2.1.1
 
@@ -1175,7 +1385,7 @@ is a number of cores)
 - Layout and scrollign fixes for the bottom palette [Taiga #7559](https://tree.taiga.io/project/penpot/issue/7559)
 - Fix expand libraries when search results are present [Taiga #7876](https://tree.taiga.io/project/penpot/issue/7876)
 - Fix color palette default library [Taiga #8029](https://tree.taiga.io/project/penpot/issue/8029)
-- Component Library is lost after exporting/importing in .zip format [Github #4672](https://github.com/penpot/penpot/issues/4672)
+- Component Library is lost after exporting/importing in .zip format [GH #4672](https://github.com/penpot/penpot/issues/4672)
 - Fix problem with moving+selection not working properly [Taiga #7943](https://tree.taiga.io/project/penpot/issue/7943)
 - Fix problem with flex layout fit to content not positioning correctly children [Taiga #7537](https://tree.taiga.io/project/penpot/issue/7537)
 - Fix black line is displaying after show main [Taiga #7653](https://tree.taiga.io/project/penpot/issue/7653)
@@ -1208,7 +1418,7 @@ is a number of cores)
 ### :bug: Bugs fixed
 
 - Fix chrome scrollbar styling [Taiga #7852](https://tree.taiga.io/project/penpot/issue/7852)
-- Fix incorrect password encoding on create-profile manage scritp [Github #3651](https://github.com/penpot/penpot/issues/3651)
+- Fix incorrect password encoding on create-profile manage scritp [GH #3651](https://github.com/penpot/penpot/issues/3651)
 
 ## 2.0.2
 
@@ -1226,7 +1436,7 @@ is a number of cores)
 
 ### :bug: Bugs fixed
 
-- Fix different issues related to components v2 migrations including [Github #4443](https://github.com/penpot/penpot/issues/4443)
+- Fix different issues related to components v2 migrations including [GH #4443](https://github.com/penpot/penpot/issues/4443)
 
 ## 2.0.0 - I Just Can't Get Enough
 
@@ -1325,9 +1535,9 @@ is a number of cores)
 
 ### :bug: Bugs fixed
 
-- Fix pixelated thumbnails [Github #3681](https://github.com/penpot/penpot/issues/3681), [Github #3661](https://github.com/penpot/penpot/issues/3661)
-- Fix problem with not applying colors to boards [Github #3941](https://github.com/penpot/penpot/issues/3941)
-- Fix problem with path editor undoing changes [Github #3998](https://github.com/penpot/penpot/issues/3998)
+- Fix pixelated thumbnails [GH #3681](https://github.com/penpot/penpot/issues/3681), [GH #3661](https://github.com/penpot/penpot/issues/3661)
+- Fix problem with not applying colors to boards [GH #3941](https://github.com/penpot/penpot/issues/3941)
+- Fix problem with path editor undoing changes [GH #3998](https://github.com/penpot/penpot/issues/3998)
 - [View mode] Open overlay places frame in the wrong position when paired with a fixed element [Taiga #6385](https://tree.taiga.io/project/penpot/issue/6385)
 - Flex Layout: Fit-content not recalculated after deleting an element [Taiga #5968](https://tree.taiga.io/project/penpot/issue/5968)
 - Selecting from Color Palette does not work for board when there is no existing fill [Taiga #6464](https://tree.taiga.io/project/penpot/issue/6464)
@@ -1358,11 +1568,11 @@ is a number of cores)
 - [VIEWER] Cannot scroll down in code </> mode [Taiga #4655](https://tree.taiga.io/project/penpot/issue/4655)
 - Strange cursor behavior after clicking viewport with text tool [Taiga #4363](https://tree.taiga.io/project/penpot/issue/4363)
 - Selected color affects all of them [Taiga #5285](https://tree.taiga.io/project/penpot/issue/5285)
-- Fix problem with shadow negative spread [Github #3421](https://github.com/penpot/penpot/issues/3421)
-- Fix problem with linked colors to strokes [Github #3522](https://github.com/penpot/penpot/issues/3522)
-- Fix problem with hand tool stuck [Github #3318](https://github.com/penpot/penpot/issues/3318)
-- Fix problem with fix scrolling on nested elements [Github #3508](https://github.com/penpot/penpot/issues/3508)
-- Fix problem when changing typography assets [Github #3683](https://github.com/penpot/penpot/issues/3683)
+- Fix problem with shadow negative spread [GH #3421](https://github.com/penpot/penpot/issues/3421)
+- Fix problem with linked colors to strokes [GH #3522](https://github.com/penpot/penpot/issues/3522)
+- Fix problem with hand tool stuck [GH #3318](https://github.com/penpot/penpot/issues/3318)
+- Fix problem with fix scrolling on nested elements [GH #3508](https://github.com/penpot/penpot/issues/3508)
+- Fix problem when changing typography assets [GH #3683](https://github.com/penpot/penpot/issues/3683)
 - Internal error when you copy and paste some main components between files [Taiga #7397](https://tree.taiga.io/project/penpot/issue/7397)
 - Fix toolbar disappearing [Taiga #7411](https://tree.taiga.io/project/penpot/issue/7411)
 - Fix long text on tab breaks UI [Taiga #7421](https://tree.taiga.io/project/penpot/issue/7421)
@@ -1388,12 +1598,12 @@ is a number of cores)
 ### :sparkles: New features
 
 - Remember last color mode in colorpicker [Taiga #5508](https://tree.taiga.io/project/penpot/issue/5508)
-- Improve layers multiselection behaviour [Github #5741](https://github.com/penpot/penpot/issues/5741)
-- Remember last active team across logouts / sessions [Github #3325](https://github.com/penpot/penpot/issues/3325)
+- Improve layers multiselection behaviour [GH #5741](https://github.com/penpot/penpot/issues/5741)
+- Remember last active team across logouts / sessions [GH #3325](https://github.com/penpot/penpot/issues/3325)
 
 ### :bug: Bugs fixed
 
-- List view is discarded on tab change on Workspace Assets Sidebar tab [Github #3547](https://github.com/penpot/penpot/issues/3547)
+- List view is discarded on tab change on Workspace Assets Sidebar tab [GH #3547](https://github.com/penpot/penpot/issues/3547)
 - Fix message popup remains open when exiting workspace with browser back button [Taiga #5747](https://tree.taiga.io/project/penpot/issue/5747)
 - When editing text if font is changed, the proportions of the rendered shape are wrong [Taiga #5786](https://tree.taiga.io/project/penpot/issue/5786)
 
@@ -1407,7 +1617,7 @@ is a number of cores)
 
 ### :bug: Bugs fixed
 
-- Fix unexpected output on get-page rpc method when invalid object-id is provided [Github #3546](https://github.com/penpot/penpot/issues/3546)
+- Fix unexpected output on get-page rpc method when invalid object-id is provided [GH #3546](https://github.com/penpot/penpot/issues/3546)
 - Fix Invalid files amount after moving file from Project to Drafts [Taiga #5638](https://tree.taiga.io/project/penpot/us/5638)
 - Fix deleted pages comments shown in right sidebar [Taiga #5648](https://tree.taiga.io/project/penpot/us/5648)
 - Fix tooltip on toggle visibility and toggle lock buttons [Taiga #5141](https://tree.taiga.io/project/penpot/issue/5141)
@@ -1433,7 +1643,7 @@ is a number of cores)
   rendered as bitmap images.
 - Add the ability to disable google fonts provider with the `disable-google-fonts-provider` flag
 - Add the ability to disable dashboard templates section with the `disable-dashboard-templates-section` flag
-- Add the ability to use the registration whitelist with OICD [Github #3348](https://github.com/penpot/penpot/issues/3348)
+- Add the ability to use the registration whitelist with OICD [GH #3348](https://github.com/penpot/penpot/issues/3348)
 - Add support for local caching of google fonts (this avoids exposing the final user IP to
   goolge and reduces the amount of request sent to google)
 - Set smooth/instant autoscroll depending on distance [GitHub #3377](https://github.com/penpot/penpot/issues/3377)
@@ -1527,20 +1737,20 @@ is a number of cores)
 
 ### :heart: Community contributions by (Thank you!)
 
-- Update Typography palette order (by @akshay-gupta7) [Github #3156](https://github.com/penpot/penpot/pull/3156)
-- Palettes (color, typographies) empty state (by @akshay-gupta7) [Github #3160](https://github.com/penpot/penpot/pull/3160)
-- Duplicate objects via drag + alt (by @akshay-gupta7) [Github #3147](https://github.com/penpot/penpot/pull/3147)
-- Set line-height to auto as 1.2 (by @akshay-gupta7) [Github #3185](https://github.com/penpot/penpot/pull/3185)
-- Click to select full values at the design sidebar (by @akshay-gupta7) [Github #3179](https://github.com/penpot/penpot/pull/3179)
-- Fix rect filter bounds math (by @ryanbreen) [Github #3180](https://github.com/penpot/penpot/pull/3180)
-- Removed sizing variables from radius (by @ondrejkonec) [Github #3184](https://github.com/penpot/penpot/pull/3184)
-- Dashboard search, set focus after shortcut (by @akshay-gupta7) [Github #3196](https://github.com/penpot/penpot/pull/3196)
+- Update Typography palette order (by @akshay-gupta7) [GH #3156](https://github.com/penpot/penpot/pull/3156)
+- Palettes (color, typographies) empty state (by @akshay-gupta7) [GH #3160](https://github.com/penpot/penpot/pull/3160)
+- Duplicate objects via drag + alt (by @akshay-gupta7) [GH #3147](https://github.com/penpot/penpot/pull/3147)
+- Set line-height to auto as 1.2 (by @akshay-gupta7) [GH #3185](https://github.com/penpot/penpot/pull/3185)
+- Click to select full values at the design sidebar (by @akshay-gupta7) [GH #3179](https://github.com/penpot/penpot/pull/3179)
+- Fix rect filter bounds math (by @ryanbreen) [GH #3180](https://github.com/penpot/penpot/pull/3180)
+- Removed sizing variables from radius (by @ondrejkonec) [GH #3184](https://github.com/penpot/penpot/pull/3184)
+- Dashboard search, set focus after shortcut (by @akshay-gupta7) [GH #3196](https://github.com/penpot/penpot/pull/3196)
 - Library name dropdown arrow is overlapped by library name (by @ondrejkonec) [Taiga #5200](https://tree.taiga.io/project/penpot/issue/5200)
-- Reorder shadows (by @akshay-gupta7) [Github #3236](https://github.com/penpot/penpot/pull/3236)
-- Open project in new tab from workspace (by @akshay-gupta7) [Github #3246](https://github.com/penpot/penpot/pull/3246)
-- Distribute fix enabled when two elements were selected (by @dfelinto) [Github #3266](https://github.com/penpot/penpot/pull/3266)
-- Distribute vertical spacing failing for overlapped text (by @dfelinto) [Github #3267](https://github.com/penpot/penpot/pull/3267)
-- bug Change independent corner radius input tooltips #3332 (by @astudentinearth) [Github #3332](https://github.com/penpot/penpot/pull/3332)
+- Reorder shadows (by @akshay-gupta7) [GH #3236](https://github.com/penpot/penpot/pull/3236)
+- Open project in new tab from workspace (by @akshay-gupta7) [GH #3246](https://github.com/penpot/penpot/pull/3246)
+- Distribute fix enabled when two elements were selected (by @dfelinto) [GH #3266](https://github.com/penpot/penpot/pull/3266)
+- Distribute vertical spacing failing for overlapped text (by @dfelinto) [GH #3267](https://github.com/penpot/penpot/pull/3267)
+- bug Change independent corner radius input tooltips #3332 (by @astudentinearth) [GH #3332](https://github.com/penpot/penpot/pull/3332)
 
 ## 1.18.6
 
@@ -1570,7 +1780,7 @@ is a number of cores)
 - Fix problem with layout not reflowing on shape deletion [Taiga #5289](https://tree.taiga.io/project/penpot/issue/5289)
 - Fix extra long typography names on assets and palette [Taiga #5199](https://tree.taiga.io/project/penpot/issue/5199)
 - Fix background-color property on inspect code [Taiga #5300](https://tree.taiga.io/project/penpot/issue/5300)
-- Preview layer blend modes (by @akshay-gupta7) [Github #3235](https://github.com/penpot/penpot/pull/3235)
+- Preview layer blend modes (by @akshay-gupta7) [GH #3235](https://github.com/penpot/penpot/pull/3235)
 
 ## 1.18.3
 
@@ -1622,7 +1832,7 @@ is a number of cores)
 - Improve deeps selection of nested arboards [Taiga #4913](https://tree.taiga.io/project/penpot/issue/4913)
 - Fix problem on selection numeric inputs on Firefox [#2991](https://github.com/penpot/penpot/issues/2991)
 - Changed the text dominant-baseline to use ideographic [Taiga #4791](https://tree.taiga.io/project/penpot/issue/4791)
-- Viewer wrong translations [Github #3035](https://github.com/penpot/penpot/issues/3035)
+- Viewer wrong translations [GH #3035](https://github.com/penpot/penpot/issues/3035)
 - Fix problem with text editor in Safari
 - Fix unlink library color when blur color picker input [#3026](https://github.com/penpot/penpot/issues/3026)
 - Fix snap pixel when moving path points on high zoom [#2930](https://github.com/penpot/penpot/issues/2930)
@@ -1674,13 +1884,13 @@ is a number of cores)
 - Fix view mode header buttons overlapping in small resolutions [Taiga #5058](https://tree.taiga.io/project/penpot/issue/5058)
 - Fix precision for wrap in flex [Taiga #5072](https://tree.taiga.io/project/penpot/issue/5072)
 - Fix relative position overlay positioning [Taiga #5092](https://tree.taiga.io/project/penpot/issue/5092)
-- Fix hide grid keyboard shortcut [Github #3071](https://github.com/penpot/penpot/pull/3071)
+- Fix hide grid keyboard shortcut [GH #3071](https://github.com/penpot/penpot/pull/3071)
 - Fix problem with opacity in imported SVG's [Taiga #4923](https://tree.taiga.io/project/penpot/issue/4923)
 
 ### :heart: Community contributions by (Thank you!)
 
 - To @ondrejkonec: for contributing to the code with:
-- Refactor CSS variables [Github #2948](https://github.com/penpot/penpot/pull/2948)
+- Refactor CSS variables [GH #2948](https://github.com/penpot/penpot/pull/2948)
 
 ## 1.17.3
 
@@ -1697,7 +1907,7 @@ is a number of cores)
 
 ### :sparkles: Enhancements
 
-- Adds environment variables for specifying the export and backend URI for the frontend docker image, thanks to @Supernova3339 for the initial PR and suggestion [Github #2984](https://github.com/penpot/penpot/issues/2984)
+- Adds environment variables for specifying the export and backend URI for the frontend docker image, thanks to @Supernova3339 for the initial PR and suggestion [GH #2984](https://github.com/penpot/penpot/issues/2984)
 
 ## 1.17.2
 
@@ -1765,13 +1975,13 @@ is a number of cores)
 - Fix problem with text edition in Safari [Taiga #4046](https://tree.taiga.io/project/penpot/issue/4046)
 - Fix show outline with rounded corners on rects [Taiga #4053](https://tree.taiga.io/project/penpot/issue/4053)
 - Fix wrong interaction between comments and panning modes [Taiga #4297](https://tree.taiga.io/project/penpot/issue/4297)
-- Fix bad element positioning on interaction with fixed scroll [Github #2660](https://github.com/penpot/penpot/issues/2660)
+- Fix bad element positioning on interaction with fixed scroll [GH #2660](https://github.com/penpot/penpot/issues/2660)
 - Fix display type of component library not persistent [Taiga #4512](https://tree.taiga.io/project/penpot/issue/4512)
 - Fix problem when moving texts with keyboard [#2690](https://github.com/penpot/penpot/issues/2690)
 - Fix problem when drawing boxes won't detect mouse-up [Taiga #4618](https://tree.taiga.io/project/penpot/issue/4618)
 - Fix missing loading icon on shared libraries [Taiga #4148](https://tree.taiga.io/project/penpot/issue/4148)
 - Fix selection stroke missing in properties of multiple texts [Taiga #4048](https://tree.taiga.io/project/penpot/issue/4048)
-- Fix missing create component menu for frames [Github #2670](https://github.com/penpot/penpot/issues/2670)
+- Fix missing create component menu for frames [GH #2670](https://github.com/penpot/penpot/issues/2670)
 - Fix "currentColor" is not converted when importing SVG [Github 2276](https://github.com/penpot/penpot/issues/2276)
 - Fix incorrect color in properties of multiple bool shapes [Taiga #4355](https://tree.taiga.io/project/penpot/issue/4355)
 - Fix pressing the enter key gives you an internal error [Github 2675](https://github.com/penpot/penpot/issues/2675) [Github 2577](https://github.com/penpot/penpot/issues/2577)
@@ -1780,10 +1990,10 @@ is a number of cores)
 - Fix wrong update of text in components [Taiga #4646](https://tree.taiga.io/project/penpot/issue/4646)
 - Fix problem with SVG imports with style [#2605](https://github.com/penpot/penpot/issues/2605)
 - Fix ghost shapes after sync groups in components [Taiga #4649](https://tree.taiga.io/project/penpot/issue/4649)
-- Fix layer orders messed up on move, group, reparent and undo [Github #2672](https://github.com/penpot/penpot/issues/2672)
-- Fix max height in library dialog [Github #2335](https://github.com/penpot/penpot/issues/2335)
+- Fix layer orders messed up on move, group, reparent and undo [GH #2672](https://github.com/penpot/penpot/issues/2672)
+- Fix max height in library dialog [GH #2335](https://github.com/penpot/penpot/issues/2335)
 - Fix undo ungroup (shift+g) scrambles positions [Taiga #4674](https://tree.taiga.io/project/penpot/issue/4674)
-- Fix justified text is stretched [Github #2539](https://github.com/penpot/penpot/issues/2539)
+- Fix justified text is stretched [GH #2539](https://github.com/penpot/penpot/issues/2539)
 - Fix mousewheel on viewer inspector [Taiga #4221](https://tree.taiga.io/project/penpot/issue/4221)
 - Fix path edition activated on boards [Taiga #4105](https://tree.taiga.io/project/penpot/issue/4105)
 - Fix hidden layers inside groups become visible after the group visibility is changed[Taiga #4710](https://tree.taiga.io/project/penpot/issue/4710)
@@ -1806,7 +2016,7 @@ is a number of cores)
 
 ### :bug: Bugs fixed
 
-- Fix strage cursor behaviour after clicking viewport with text pool [Github #2447](https://github.com/penpot/penpot/issues/2447)
+- Fix strage cursor behaviour after clicking viewport with text pool [GH #2447](https://github.com/penpot/penpot/issues/2447)
 
 ## 1.16.1-beta
 
@@ -1817,7 +2027,7 @@ is a number of cores)
 - Fix justify alignes text left [Taiga #4322](https://tree.taiga.io/project/penpot/issue/4322)
 - Fix text out of borders with "auto width" and center align [Taiga #4308](https://tree.taiga.io/project/penpot/issue/4308)
 - Fix wrong validation text after interaction with 2 and more files [Taiga #4276](https://tree.taiga.io/project/penpot/issue/4276)
-- Fix auto-width for texts can make text appear stretched [Github #2482](https://github.com/penpot/penpot/issues/2482)
+- Fix auto-width for texts can make text appear stretched [GH #2482](https://github.com/penpot/penpot/issues/2482)
 - Fix boards name do not disappear in focus mode [#4272](https://tree.taiga.io/project/penpot/issue/4272)
 - Fix wrong email in the info message at change email [Taiga #4274](https://tree.taiga.io/project/penpot/issue/4274)
 - Fix transform to path RMB menu item is not relevant if shape is already path [Taiga #4302](https://tree.taiga.io/project/penpot/issue/4302)
@@ -1956,7 +2166,7 @@ is a number of cores)
 - Fix problems with double-click and selection [Taiga #4005](https://tree.taiga.io/project/penpot/issue/4005)
 - Fix mismatch between editor and displayed text in workspace [Taiga #3975](https://tree.taiga.io/project/penpot/issue/3975)
 - Fix validation error on text position [Taiga #4010](https://tree.taiga.io/project/penpot/issue/4010)
-- Fix objects jitter while scrolling [Github #2167](https://github.com/penpot/penpot/issues/2167)
+- Fix objects jitter while scrolling [GH #2167](https://github.com/penpot/penpot/issues/2167)
 - Fix on color-picker, click+drag adds lots of recent colors [Taiga #4013](https://tree.taiga.io/project/penpot/issue/4013)
 - Fix opening profile URL while signed out takes to "your account" section[Taiga #3976](https://tree.taiga.io/project/penpot/issue/3976)
 
@@ -2266,7 +2476,7 @@ is a number of cores)
 - Scroll bars [Taiga #2550](https://tree.taiga.io/project/penpot/task/2550)
 - Add select layer option to context menu [Taiga #2474](https://tree.taiga.io/project/penpot/us/2474)
 - Guides [Taiga #290](https://tree.taiga.io/project/penpot/us/290)
-- Improve file menu by adding semantically groups [Github #1203](https://github.com/penpot/penpot/issues/1203)
+- Improve file menu by adding semantically groups [GH #1203](https://github.com/penpot/penpot/issues/1203)
 - Add update components in bulk option in context menu [Taiga #1975](https://tree.taiga.io/project/penpot/us/1975)
 - Create first E2E tests [Taiga #2608](https://tree.taiga.io/project/penpot/task/2608), [Taiga #2608](https://tree.taiga.io/project/penpot/task/2608)
 - Redesign of workspace toolbars [Taiga #2319](https://tree.taiga.io/project/penpot/us/2319)
@@ -2334,7 +2544,7 @@ is a number of cores)
 - Add shortcut to create artboard from selected objects [Taiga #2412](https://tree.taiga.io/project/penpot/us/2412)
 - Add shortcut for opacity [Taiga #2442](https://tree.taiga.io/project/penpot/us/2442)
 - Setting fill automatically for new texts [Taiga #2441](https://tree.taiga.io/project/penpot/us/2441)
-- Add shortcut to move action [Github #1213](https://github.com/penpot/penpot/issues/1213)
+- Add shortcut to move action [GH #1213](https://github.com/penpot/penpot/issues/1213)
 - Add alt as mod key to add stroke color from library menu [Taiga #2207](https://tree.taiga.io/project/penpot/us/2207)
 - Add detach in bulk option to context menu [Taiga #2210](https://tree.taiga.io/project/penpot/us/2210)
 - Add penpot look and feel to multiuser cursors [Taiga #1387](https://tree.taiga.io/project/penpot/us/1387)

CONTRIBUTING.md

@@ -13,7 +13,17 @@ Center](https://help.penpot.app/).
 - [Prerequisites](#prerequisites)
 - [Reporting Bugs](#reporting-bugs)
 - [Pull Requests](#pull-requests)
+  - [Workflow](#workflow)
+  - [Title format](#title-format)
+  - [Description](#description)
+  - [Branch naming](#branch-naming)
+  - [Review process](#review-process)
+  - [What we won't accept](#what-we-wont-accept)
+  - [Good first issues](#good-first-issues)
 - [Commit Guidelines](#commit-guidelines)
+  - [Commit types](#commit-types)
+  - [Rules](#rules)
+  - [Examples](#examples)
 - [Formatting and Linting](#formatting-and-linting)
 - [Changelog](#changelog)
 - [Code of Conduct](#code-of-conduct)
@@ -52,18 +62,104 @@ Advisories](https://github.com/penpot/penpot/security/advisories)
 
 1. **Read the DCO** — see [Developer's Certificate of Origin](#developers-certificate-of-origin-dco)
    below. All code patches must include a `Signed-off-by` line.
-2. **Discuss before building** — open a question/discussion issue before
-   starting work on a new feature or significant change. No PR will be
-   accepted without prior discussion, whether it is a new feature, a planned
-   one, or a quick win.
+2. **Discuss before building** — open a [GitHub
+   Issue](https://github.com/penpot/penpot/issues) before starting work on
+   a new feature or significant change. For planned features on the roadmap,
+   reference the corresponding Taiga story. Do not expect your contribution
+   to be accepted if you submit it without prior discussion — this applies
+   to new features, planned features, and quick wins alike.
 3. **Bug fixes** — you may submit a PR directly, but we still recommend
    filing an issue first so we can track it independently of your fix.
 4. **Format and lint** — run the checks described in
    [Formatting and Linting](#formatting-and-linting) before submitting.
 
+### Title format
+
+Pull request titles **must** follow the same convention as commit subjects:
+
+```
+:emoji: <subject>
+```
+
+- Use the **imperative mood** (e.g. "Fix", not "Fixed").
+- Capitalize the first letter of the subject.
+- Do not end the subject with a period.
+- Keep the subject to **70 characters** or fewer.
+- Use one of the [commit type emojis](#commit-types) listed below.
+
+When a PR contains multiple unrelated commits, choose the emoji that
+best represents the dominant change.
+
+**Examples:**
+
+```
+:bug: Fix unexpected error on launching modal
+:sparkles: Enable new modal for profile
+:zap: Improve performance of dashboard navigation
+```
+
+> **Note:** When a PR is squash-merged, the PR title becomes the
+> commit message on the main branch. Getting the title right matters.
+
+### Description
+
+Every pull request should include a description that helps reviewers
+understand the change quickly:
+
+1. **What and why** — describe the change and its motivation.
+2. **Link related issues** — use `Closes #1234` or reference a Taiga
+   story (e.g. `Taiga #5678`).
+3. **Screenshots or recordings** — required for any UI-visible change.
+4. **Testing notes** — how did you verify the change? Any edge cases?
+5. **Breaking changes** — call out anything that affects existing users
+   or requires migration steps.
+
+### Branch naming
+
+Use a descriptive branch name that reflects the type and scope of the
+change:
+
+```
+<type>/<short-description>
+```
+
+Types: `fix`, `feat`, `refactor`, `docs`, `chore`, `perf`.
+
+Optionally include the issue number:
+
+```
+fix/9122-email-blacklisting
+feat/export-webp
+refactor/layout-sizing
+```
+
+### Review process
+
+- We are a small team and maintainers juggle reviews alongside other
+  tasks. Please do not expect your code to be reviewed instantly.
+- Reviews are handled in dedicated blocks of time, usually in the order
+  PRs arrive. It may take a few days to get a first review, especially
+  when urgent tasks come up.
+- Address review feedback by **pushing new commits** — do not
+  force-push during review, as it breaks comment threads.
+- PRs require at least **one approval** before merge.
+- We use **squash-merge** by default. The PR title becomes the final
+  commit message, so follow the [title format](#title-format) above.
+
+### What we won't accept
+
+To save time on both sides, please avoid submitting PRs that:
+
+- Introduce new dependencies without prior discussion.
+- Change the build system or CI configuration without maintainer
+  approval.
+- Mix unrelated changes in a single PR — keep PRs focused on one
+  concern.
+- Skip the [discussion step](#workflow) for non-bug-fix changes.
+
 ### Good first issues
 
-We use the `easy fix` label to mark issues appropriate for newcomers.
+We use the `good first issue` label to mark issues appropriate for newcomers.
 
 ## Commit Guidelines
 
@@ -80,7 +176,7 @@ Commit messages must follow this format:
 ### Commit types
 
 | Emoji                  | Description                |
-|-------|-------------|
+| ---------------------- | -------------------------- |
 | :bug:                  | Bug fix                    |
 | :sparkles:             | Improvement or enhancement |
 | :tada:                 | New feature                |
@@ -135,6 +231,19 @@ We use [cljfmt](https://github.com/weavejester/cljfmt) for formatting and
 ./scripts/lint
 ```
 
+For frontend SCSS, we use `stylelint` for linting and
+`Prettier` for formatting:
+
+```bash
+cd frontend
+
+# Lint SCSS
+pnpm run lint:scss (does not modify files)
+
+# Fix SCSS formatting (modifies files in place)
+pnpm run fmt:scss
+```
+
 Ideally, run these as git pre-commit hooks.
 [Husky](https://typicode.github.io/husky/#/) is a convenient option for
 setting this up.

README.md

@@ -1,18 +1,21 @@
+<img width="100%" src="https://github.com/user-attachments/assets/da17b160-f289-436f-b140-972083a08602" />
 
 [uri_license]: https://www.mozilla.org/en-US/MPL/2.0
 [uri_license_image]: https://img.shields.io/badge/MPL-2.0-blue.svg
 
-<picture>
-  <source media="(prefers-color-scheme: dark)" srcset="https://penpot.app/images/readme/github-dark-mode.png">
-  <source media="(prefers-color-scheme: light)" srcset="https://penpot.app/images/readme/github-light-mode.png">
-  <img alt="penpot header image" src="https://penpot.app/images/readme/github-light-mode.png">
-</picture>
-
 <p align="center">
-<a href="https://www.mozilla.org/en-US/MPL/2.0" rel="nofollow"><img alt="License: MPL-2.0" src="https://img.shields.io/badge/MPL-2.0-blue.svg" style="max-width:100%;"></a>
-<a href="https://community.penpot.app" rel="nofollow"><img alt="Penpot Community" src="https://img.shields.io/discourse/posts?server=https%3A%2F%2Fcommunity.penpot.app" style="max-width:100%;"></a>
-<a href="https://tree.taiga.io/project/penpot/" title="Managed with Taiga.io" rel="nofollow"><img alt="Managed with Taiga.io" src="https://img.shields.io/badge/managed%20with-TAIGA.io-709f14.svg" style="max-width:100%;"></a>
-<a href="https://gitpod.io/#https://github.com/penpot/penpot" rel="nofollow"><img alt="Gitpod ready-to-code" src="https://img.shields.io/badge/Gitpod-ready--to--code-blue?logo=gitpod" style="max-width:100%;"></a>
+  <a href="https://www.digitalpublicgoods.net/r/penpot" rel="nofollow">
+    <img alt="Verified DPG" src="https://img.shields.io/badge/Verified-DPG-blue.svg">
+  </a>
+  <a href="https://community.penpot.app" rel="nofollow">
+    <img alt="Penpot Community" src="https://img.shields.io/discourse/posts?server=https%3A%2F%2Fcommunity.penpot.app">
+  </a>
+  <a href="https://tree.taiga.io/project/penpot/" rel="nofollow">
+    <img alt="Managed with Taiga.io" src="https://img.shields.io/badge/managed%20with-TAIGA.io-709f14.svg">
+  </a>
+  <a href="https://gitpod.io/#https://github.com/penpot/penpot" rel="nofollow">
+    <img alt="Gitpod ready-to-code" src="https://img.shields.io/badge/Gitpod-ready--to--code-blue?logo=gitpod">
+  </a>
 </p>
 
 <p align="center">
@@ -29,25 +32,25 @@
   <a href="https://fosstodon.org/@penpot/"><b>Mastodon</b></a>  •
   <a href="https://bsky.app/profile/penpot.app"><b>Bluesky</b></a>  •
   <a href="https://twitter.com/penpotapp"><b>X</b></a>
-
 </p>
 
-<br />
+[Penpot video](https://github.com/user-attachments/assets/7c67fd7c-04d3-4c9b-88ec-b6f5e23f8332)
 
-[Penpot video](https://github.com/user-attachments/assets/7c67fd7c-04d3-4c9b-88ec-b6f5e23f8332
-)
+Penpot is the open-source design platform for teams that build digital products at scale.
 
-<br />
+Penpot’s key strength lies in giving you **full ownership of your design infrastructure**. Built on open source and designed for [self-hosting](https://help.penpot.app/technical-guide/getting-started/), it puts teams in complete control of their design environment supporting strict compliance and governance requirements. Whether used in the **browser or deployed on your own servers**, Penpot **works with open standards** like SVG, CSS, HTML, and JSON. 
 
-Penpot is the first **open-source** design tool for design and code collaboration. Designers can create stunning designs, interactive prototypes, design systems at scale, while developers enjoy ready-to-use code and make their workflow easy and fast. And all of this with no handoff drama.
+Real-time collaboration strengthens this foundation, helping teams scale and bring design closer to the product through top-tier capabilities. Additionally, developers feel at home using Penpot, because design is expressed as code, enabling a direct translation and shipping products faster. 
 
-Available on browser or self-hosted, Penpot works with open standards like SVG, CSS, HTML and JSON, and it’s free!
+Best-in-class native [Design Tokens](https://penpot.dev/collaboration/design-tokens) provide a single source of truth between design and development. They ensure consistency, improve collaboration, and make it easier to manage complex design systems.
 
-The latest updates take Penpot even further. It’s the first design tool to integrate native [design tokens](https://penpot.dev/collaboration/design-tokens)—a single source of truth to improve efficiency and collaboration between product design and development.
-With the [huge 2.0 release](https://penpot.app/dev-diaries), Penpot took the platform to a whole new level. This update introduces the ground-breaking [CSS Grid Layout feature](https://penpot.app/penpot-2.0), a complete UI redesign, a new Components system, and much more.
-For organizations that need extra service for its teams, [get in touch](https://cal.com/team/penpot/talk-to-us)
+The [MCP server](https://penpot.app/penpot-mcp-server) takes it further by enabling multi-directional workflows between design and code. A [powerful open API](https://help.penpot.app/mcp/#quick-start) and plugin system makes the workspace programmable, enabling automation, AI-driven workflows, and integrations with the tools and systems you already use.
 
-🎇 Design, code, and Open Source meet at [Penpot Fest](https://penpot.app/penpotfest)! Be part of the 2025 edition in Madrid, Spain, on October 9-10.
+With [CSS Grid and Flex Layout](https://help.penpot.app/user-guide/designing/flexible-layouts/), teams can design responsive interfaces that behave like real code from the start.
+
+Combined, these features turn Penpot into a **full-stack design platform** for building scalable design systems and fully integrated product development processes.
+
+If your organization is scaling and needs extra support, we’re here to help. [Talk to us](https://penpot.app/talk-to-us)
 
 ## Table of contents ##
 
@@ -60,101 +63,78 @@ For organizations that need extra service for its teams, [get in touch](https://
 
 ## Why Penpot ##
 
-Penpot expresses designs as code. Designers can do their best work and see it will be beautifully implemented by developers in a two-way collaboration.
+Penpot connects design, code, and AI workflows through a code-based approach, making designs readable by developers and AI via the MCP server. This approach helps teams ship what’s actually designed and manage design systems at scale with powerful design tokens. As a self-hosted, open-source and real-time collaboration platform, Penpot offers full flexibility, security, and ownership without vendor lock-in. Learn more about [why Penpot](https://penpot.app/why-penpot) is the platform for your team.
 
 ### Plugin system ###
+
 [Penpot plugins](https://penpot.app/penpothub/plugins) let you expand the platform's capabilities, give you the flexibility to integrate it with other apps, and design custom solutions.
 
 ### Designed for developers ###
+
 Penpot was built to serve both designers and developers and create a fluid design-code process. You have the choice to enjoy real-time collaboration or play "solo".
 
 ### Inspect mode ###
+
 Work with ready-to-use code and make your workflow easy and fast. The inspect tab gives instant access to SVG, CSS and HTML code.
 
-### Self host your own instance ###
-Provide your team or organization with a completely owned collaborative design tool. Use Penpot's cloud service or deploy your own Penpot server.
-
 ### Integrations ###
-Penpot offers integration into the development toolchain, thanks to its support for webhooks and an API accessible through access tokens.
+
+Penpot offers [integration](https://penpot.app/integrations-api) into the development toolchain, thanks to its support for webhooks and an API accessible through access tokens.
 
 ### Building Design Systems: design tokens, components and variants ###
-Penpot brings design systems to code-minded teams: a single source of truth with native Design Tokens, Components, and Variants for scalable, reusable, and consistent UI across projects and platforms.
 
+Penpot brings [design systems](https://penpot.app/design/design-systems) to code-minded teams: a single source of truth with native Design Tokens, Components, and Variants for scalable, reusable, and consistent UI across projects and platforms.
 
-<br />
-
-<p align="center">
- <img src="https://github.com/user-attachments/assets/cce75ad6-f783-473f-8803-da9eb8255fef">
-</p>
-
-<br />
+<img width="100%" alt="Penpot Design Systems" src="https://github.com/user-attachments/assets/cce75ad6-f783-473f-8803-da9eb8255fef">
 
 ## Getting started ##
 
 Penpot is the only design & prototype platform that is deployment agnostic. You can use it in our [SAAS](https://design.penpot.app) or deploy it anywhere.
 
 Learn how to install it with Docker, Kubernetes, Elestio or other options on [our website](https://penpot.app/self-host).
-<br />
-
-<p align="center">
-  <img src="https://site-assets.plasmic.app/2168cf524dd543caeff32384eb9ea0a1.svg" alt="Open Source" style="width: 65%;">
-</p>
-<br />
 
 ## Community ##
 
 We love the Open Source software community. Contributing is our passion and if it’s yours too, participate and [improve](https://community.penpot.app/c/help-us-improve-penpot/7) Penpot. All your designs, code and ideas are welcome!
 
+Want to go a step further? Become a [Penpot Ambassador](https://penpot.app/ambassador-program) and help grow the Penpot community in your region while contributing to a global, open design ecosystem.
+
 If you need help or have any questions; if you’d like to share your experience using Penpot or get inspired; if you’d rather meet our community of developers and designers, [join our Community](https://community.penpot.app/)!
 
-You will find the following categories:
+Categories include:
+
 - [Ask the Community](https://community.penpot.app/c/ask-for-help-using-penpot/6)
 - [Troubleshooting](https://community.penpot.app/c/technical/8)
 - [Help us Improve Penpot](https://community.penpot.app/c/help-us-improve-penpot/7)
-- [#MadeWithPenpot](https://community.penpot.app/c/madewithpenpot/9)
 - [Events and Announcements](https://community.penpot.app/c/announcements/5)
-- [Inside Penpot](https://community.penpot.app/c/inside-penpot/21)
 - [Penpot in your language](https://community.penpot.app/c/penpot-in-your-language/12)
-- [Design and Code Essentials](https://community.penpot.app/c/design-and-code-essentials/22)
+- [Education](https://community.penpot.app/c/education/28)
 
-
-<br />
-
-<p align="center">
-  <img src="https://github.com/penpot/penpot/assets/5446186/6ac62220-a16c-46c9-ab21-d24ae357ed03" alt="Community" style="width: 65%;">
-</p>
-<br />
+<img width="100%" alt="Pentpot Community" src="https://github.com/user-attachments/assets/4b2a4360-12b5-4994-bd45-641449f86c4e" />
 
 ### Code of Conduct ###
 
 Anyone who contributes to Penpot, whether through code, in the community, or at an event, must adhere to the
 [code of conduct](https://help.penpot.app/contributing-guide/coc/) and foster a positive and safe environment.
 
-
-## Contributing ##
+### Contributing ###
 
 Any contribution will make a difference to improve Penpot. How can you get involved?
 
 Choose your way:
 
-- Create and [share Libraries & Templates](https://penpot.app/libraries-templates.html) that will be helpful for the community
-- Invite your [team to join](https://design.penpot.app/#/auth/register)
-- Give this repo a star and follow us on Social Media: [Mastodon](https://fosstodon.org/@penpot/), [Youtube](https://www.youtube.com/c/Penpot), [Instagram](https://instagram.com/penpot.app), [Linkedin](https://www.linkedin.com/company/penpotdesign),  [Peertube](https://peertube.kaleidos.net/a/penpot_app), [X](https://twitter.com/penpotapp) and [BlueSky](https://bsky.app/profile/penpot.app)
+- Create and [share Libraries & Templates](https://penpot.app/libraries-templates.html) that will be helpful for the community.
+- Invite your [team to join](https://design.penpot.app/#/auth/register).
+- Give this repo a star and follow us on Social Media: [Mastodon](https://fosstodon.org/@penpot/), [Youtube](https://www.youtube.com/c/Penpot), [Instagram](https://instagram.com/penpot.app), [Linkedin](https://www.linkedin.com/company/penpotdesign),  [Peertube](https://peertube.kaleidos.net/a/penpot_app), [X](https://twitter.com/penpotapp) and [BlueSky](https://bsky.app/profile/penpot.app).
 - Participate in the [Community](https://community.penpot.app/) space by asking and answering questions; reacting to others’ articles;  opening your own conversations and following along on decisions affecting the project.
-- Report bugs with our easy [guide for bugs hunting](https://help.penpot.app/contributing-guide/reporting-bugs/) or [GitHub issues](https://github.com/penpot/penpot/issues)
-- Become a [translator](https://help.penpot.app/contributing-guide/translations)
-- Give feedback: [Email us](mailto:support@penpot.app)
-- **Contribute to Penpot's code:** [Watch this video](https://www.youtube.com/watch?v=TpN0osiY-8k) by Alejandro Alonso, CIO and developer at Penpot, where he gives us a hands-on demo of how to use Penpot’s repository and make changes in both front and back end
+- Report bugs with our easy [guide for bugs hunting](https://help.penpot.app/contributing-guide/reporting-bugs/) or [GitHub issues](https://github.com/penpot/penpot/issues).
+- Become a [translator](https://help.penpot.app/contributing-guide/translations).
+- Give feedback: [Email us](mailto:support@penpot.app).
+- **Contribute to Penpot's code:** [Watch this video](https://www.youtube.com/watch?v=TpN0osiY-8k) by Alejandro Alonso, CIO and developer at Penpot, where he gives us a hands-on demo of how to use Penpot’s repository and make changes in both front and back end.
 
 To find (almost) everything you need to know on how to contribute to Penpot, refer to the [contributing guide](https://help.penpot.app/contributing-guide/).
 
-<br />
-
-<p align="center">
-  <img src="https://github.com/penpot/penpot/assets/5446186/fea18923-dc06-49be-86ad-c3496a7956e6" alt="Libraries and templates" style="width: 65%;">
-</p>
-
-<br />
+<img width="100%" alt="Penpot hub" src="https://github.com/user-attachments/assets/0abc02f0-625c-45ab-ad81-4927bec7a055" />
 
 ## Resources ##
 
@@ -170,6 +150,8 @@ You can ask and answer questions, have open-ended conversations, and follow alon
 
 📚 [Dev Diaries](https://penpot.app/dev-diaries.html)
 
+🧑‍🏫​ [UI Design Course](https://penpot.app/courses/)
+
 
 ## License ##
 

backend/AGENTS.md

@@ -8,7 +8,10 @@ Redis for messaging/caching.
 ## General Guidelines
 
 To ensure consistency across the Penpot JVM stack, all contributions must adhere
-to these criteria:
+to these criteria.
+
+IMPORTANT: all CLI commands should be executed under backend/
+subdirectory for make them work correctly.
 
 ### 1. Testing & Validation
 
@@ -21,7 +24,7 @@ to these criteria:
 
 ### 2. Code Quality & Formatting
 
-* **Linting:** All code must pass `clj-kondo` checks (run `pnpm run lint:clj`)
+* **Linting:** All code must pass linter checks (run `pnpm run lint:clj` or `pnpm run lint` on the repository root)
 * **Formatting:** All the code must pass the formatting check (run `pnpm run
   check-fmt`). Use `pnpm run fmt` to fix formatting issues. Avoid "dirty"
   diffs caused by unrelated whitespace changes.

backend/deps.edn

@@ -3,7 +3,7 @@
 
  :deps
  {penpot/common {:local/root "../common"}
-  org.clojure/clojure {:mvn/version "1.12.4"}
+  org.clojure/clojure {:mvn/version "1.12.5"}
   org.clojure/tools.namespace {:mvn/version "1.5.0"}
 
   com.github.luben/zstd-jni {:mvn/version "1.5.7-4"}
@@ -17,7 +17,7 @@
 
   io.prometheus/simpleclient_httpserver {:mvn/version "0.16.0"}
 
-  io.lettuce/lettuce-core {:mvn/version "6.8.1.RELEASE"}
+  io.lettuce/lettuce-core {:mvn/version "7.5.1.RELEASE"}
   ;; Minimal dependencies required by lettuce, we need to include them
   ;; explicitly because clojure dependency management does not support
   ;; yet the BOM format.
@@ -28,18 +28,18 @@
   com.google.guava/guava {:mvn/version "33.4.8-jre"}
 
   funcool/yetti
-  {:git/tag "v11.9"
-   :git/sha "5fad7a9"
+  {:git/tag "v11.10"
+   :git/sha "88701f4"
    :git/url "https://github.com/funcool/yetti.git"
    :exclusions [org.slf4j/slf4j-api]}
 
   com.github.seancorfield/next.jdbc
-  {:mvn/version "1.3.1070"}
+  {:mvn/version "1.3.1093"}
 
   metosin/reitit-core {:mvn/version "0.9.1"}
-  nrepl/nrepl {:mvn/version "1.4.0"}
+  nrepl/nrepl {:mvn/version "1.7.0"}
 
-  org.postgresql/postgresql {:mvn/version "42.7.9"}
+  org.postgresql/postgresql {:mvn/version "42.7.11"}
   org.xerial/sqlite-jdbc {:mvn/version "3.50.3.0"}
 
   com.zaxxer/HikariCP {:mvn/version "7.0.2"}
@@ -49,7 +49,7 @@
   buddy/buddy-hashers {:mvn/version "2.0.167"}
   buddy/buddy-sign {:mvn/version "3.6.1-359"}
 
-  com.github.ben-manes.caffeine/caffeine {:mvn/version "3.2.3"}
+  com.github.ben-manes.caffeine/caffeine {:mvn/version "3.2.4"}
 
   org.jsoup/jsoup {:mvn/version "1.21.2"}
   org.im4java/im4java
@@ -57,7 +57,8 @@
    :git/sha "e2b3e16"
    :git/url "https://github.com/penpot/im4java"}
 
-  org.lz4/lz4-java {:mvn/version "1.8.0"}
+  at.yawk.lz4/lz4-java
+  {:mvn/version "1.11.0"}
 
   org.clojars.pntblnk/clj-ldap {:mvn/version "0.0.17"}
 
@@ -66,17 +67,17 @@
 
   ;; Pretty Print specs
   pretty-spec/pretty-spec {:mvn/version "0.1.4"}
-  software.amazon.awssdk/s3 {:mvn/version "2.41.21"}}
+  software.amazon.awssdk/s3 {:mvn/version "2.44.4"}}
 
  :paths ["src" "resources" "target/classes"]
  :aliases
  {:dev
   {:extra-deps
-   {com.bhauman/rebel-readline {:mvn/version "RELEASE"}
+   {com.bhauman/rebel-readline {:mvn/version "0.1.5"}
     clojure-humanize/clojure-humanize {:mvn/version "0.2.2"}
-    org.clojure/data.csv {:mvn/version "RELEASE"}
-    com.clojure-goes-fast/clj-async-profiler {:mvn/version "RELEASE"}
-    mockery/mockery {:mvn/version "RELEASE"}}
+    org.clojure/data.csv {:mvn/version "1.1.1"}
+    com.clojure-goes-fast/clj-async-profiler {:mvn/version "2.0.0-beta1"}
+    mockery/mockery {:mvn/version "0.1.4"}}
    :extra-paths ["test" "dev"]}
 
   :build
@@ -92,7 +93,7 @@
    :extra-deps {lambdaisland/kaocha {:mvn/version "1.91.1392"}}}
 
   :outdated
-  {:extra-deps {com.github.liquidz/antq {:mvn/version "RELEASE"}}
+  {:extra-deps {com.github.liquidz/antq {:mvn/version "2.11.1276"}}
    :main-opts ["-m" "antq.core"]}
 
   :jmx-remote

backend/resources/app/email/invite-to-org/en.html

@@ -0,0 +1,264 @@
+<!doctype html>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com:vml"
+  xmlns:o="urn:schemas-microsoft-com:office:office">
+
+<head>
+  <title>
+  </title>
+  <!--[if !mso]><!-- -->
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <!--<![endif]-->
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <style type="text/css">
+    #outlook a {
+      padding: 0;
+    }
+
+    body {
+      margin: 0;
+      padding: 0;
+      -webkit-text-size-adjust: 100%;
+      -ms-text-size-adjust: 100%;
+    }
+
+    table,
+    td {
+      border-collapse: collapse;
+      mso-table-lspace: 0pt;
+      mso-table-rspace: 0pt;
+    }
+
+    img {
+      border: 0;
+      height: auto;
+      line-height: 100%;
+      outline: none;
+      text-decoration: none;
+      -ms-interpolation-mode: bicubic;
+    }
+
+    p {
+      display: block;
+      margin: 13px 0;
+    }
+  </style>
+  <!--[if mso]>
+        <xml>
+        <o:OfficeDocumentSettings>
+          <o:AllowPNG/>
+          <o:PixelsPerInch>96</o:PixelsPerInch>
+        </o:OfficeDocumentSettings>
+        </xml>
+        <![endif]-->
+  <!--[if lte mso 11]>
+        <style type="text/css">
+          .mj-outlook-group-fix { width:100% !important; }
+        </style>
+        <![endif]-->
+  <!--[if !mso]><!-->
+  <link href="https://fonts.googleapis.com/css?family=Source%20Sans%20Pro" rel="stylesheet" type="text/css">
+  <style type="text/css">
+    @import url(https://fonts.googleapis.com/css?family=Source%20Sans%20Pro);
+  </style>
+  <!--<![endif]-->
+  <style type="text/css">
+    @media only screen and (min-width:480px) {
+      .mj-column-per-100 {
+        width: 100% !important;
+        max-width: 100%;
+      }
+
+      .mj-column-px-425 {
+        width: 425px !important;
+        max-width: 425px;
+      }
+    }
+  </style>
+  <style type="text/css">
+    @media only screen and (max-width:480px) {
+      table.mj-full-width-mobile {
+        width: 100% !important;
+      }
+
+      td.mj-full-width-mobile {
+        width: auto !important;
+      }
+    }
+  </style>
+</head>
+
+<body style="background-color:#E5E5E5;">
+  <div style="background-color:#E5E5E5;">
+    <!--[if mso | IE]>
+      <table
+         align="center" border="0" cellpadding="0" cellspacing="0" class="" style="width:600px;" width="600"
+      >
+        <tr>
+          <td style="line-height:0px;font-size:0px;mso-line-height-rule:exactly;">
+      <![endif]-->
+    <div style="margin:0px auto;max-width:600px;">
+      <table align="center" border="0" cellpadding="0" cellspacing="0" role="presentation" style="width:100%;">
+        <tbody>
+          <tr>
+            <td style="direction:ltr;font-size:0px;padding:0;text-align:center;">
+              <!--[if mso | IE]>
+                  <table role="presentation" border="0" cellpadding="0" cellspacing="0">
+
+        <tr>
+
+            <td
+               class="" style="vertical-align:top;width:600px;"
+            >
+          <![endif]-->
+              <div class="mj-column-per-100 mj-outlook-group-fix"
+                style="font-size:0px;text-align:left;direction:ltr;display:inline-block;vertical-align:top;width:100%;">
+                <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="vertical-align:top;"
+                  width="100%">
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:16px;word-break:break-word;">
+                      <table border="0" cellpadding="0" cellspacing="0" role="presentation"
+                        style="border-collapse:collapse;border-spacing:0px;">
+                        <tbody>
+                          <tr>
+                            <td style="width:97px;">
+                              <img height="32" src="{{ public-uri }}/images/email/uxbox-title.png"
+                                style="border:0;display:block;outline:none;text-decoration:none;height:32px;width:100%;font-size:13px;"
+                                width="97" />
+                            </td>
+                          </tr>
+                        </tbody>
+                      </table>
+                    </td>
+                  </tr>
+                </table>
+              </div>
+              <!--[if mso | IE]>
+            </td>
+
+        </tr>
+
+                  </table>
+                <![endif]-->
+            </td>
+          </tr>
+        </tbody>
+      </table>
+    </div>
+    <!--[if mso | IE]>
+          </td>
+        </tr>
+      </table>
+
+      <table
+         align="center" border="0" cellpadding="0" cellspacing="0" class="" style="width:600px;" width="600"
+      >
+        <tr>
+          <td style="line-height:0px;font-size:0px;mso-line-height-rule:exactly;">
+      <![endif]-->
+    <div style="background:#FFFFFF;background-color:#FFFFFF;margin:0px auto;max-width:600px;">
+      <table align="center" border="0" cellpadding="0" cellspacing="0" role="presentation"
+        style="background:#FFFFFF;background-color:#FFFFFF;width:100%;">
+        <tbody>
+          <tr>
+            <td style="direction:ltr;font-size:0px;padding:20px 0;text-align:center;">
+              <!--[if mso | IE]>
+                  <table role="presentation" border="0" cellpadding="0" cellspacing="0">
+
+        <tr>
+
+            <td
+               class="" style="vertical-align:top;width:600px;"
+            >
+          <![endif]-->
+              <div class="mj-column-per-100 mj-outlook-group-fix"
+                style="font-size:0px;text-align:left;direction:ltr;display:inline-block;vertical-align:top;width:100%;">
+                <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="vertical-align:top;"
+                  width="100%">
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                      <div
+                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
+                        Hi{% if user-name %} {{ user-name|abbreviate:25 }}{% endif %},
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                      <div
+                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
+                        <b>{{invited-by|abbreviate:25}}</b> sent you an invitation to join the organization:
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                      <div
+                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
+                        <table role="presentation" cellpadding="0" cellspacing="0" border="0" width="20" height="20" style="display:inline-block;vertical-align:middle;">
+                          <tr>
+                            <td width="20" height="20" align="center" valign="middle"
+                                background="{{organization-logo}}"
+                                style="width:20px;height:20px;text-align:center;font-weight:bold;font-size:9px;line-height:20px;color:#ffffff;background-size:cover;background-position:center;background-repeat:no-repeat;border-radius: 50%;color:black">
+                              {% if organization-initials %}{{organization-initials}}{% endif %}
+                            </td>
+                          </tr>
+                        </table>
+                        <span style="display:inline-block; vertical-align: middle;padding-left:5px;height:20px;line-height: 20px;">
+                        “{{ organization-name|abbreviate:25 }}”
+                        </span>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td align="center" vertical-align="middle"
+                      style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                      <table border="0" cellpadding="0" cellspacing="0" role="presentation"
+                        style="border-collapse:separate;line-height:100%;">
+                        <tr>
+                          <td align="center" bgcolor="#6911d4" role="presentation"
+                            style="border:none;border-radius:8px;cursor:auto;mso-padding-alt:10px 25px;background:#6911d4;"
+                            valign="middle">
+                            <a href="{{ public-uri }}/#/auth/verify-token?token={{token}}"
+                              style="display:inline-block;background:#6911d4;color:#FFFFFF;font-family:Source Sans Pro, sans-serif;font-size:16px;font-weight:normal;line-height:120%;margin:0;text-decoration:none;text-transform:none;padding:10px 25px;mso-padding-alt:0px;border-radius:8px;"
+                              target="_blank"> ACCEPT INVITE </a>
+                          </td>
+                        </tr>
+                      </table>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                      <div
+                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
+                        Enjoy!</div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                      <div
+                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
+                        The Penpot team.</div>
+                    </td>
+                  </tr>
+                </table>
+              </div>
+              <!--[if mso | IE]>
+            </td>
+
+        </tr>
+
+                  </table>
+                <![endif]-->
+            </td>
+          </tr>
+        </tbody>
+      </table>
+    </div>
+
+    {% include "app/email/includes/footer.html" %}
+
+  </div>
+</body>
+
+</html>

backend/resources/app/email/invite-to-org/en.subj

@@ -0,0 +1 @@
+{{invited-by|abbreviate:25}} has invited you to join the organization “{{ organization-name|abbreviate:25 }}”

backend/resources/app/email/invite-to-org/en.txt

@@ -0,0 +1,10 @@
+Hello!
+
+{{invited-by|abbreviate:25}} has invited you to join the organization “{{ organization-name|abbreviate:25 }}”.
+
+Accept invitation using this link:
+
+{{ public-uri }}/#/auth/verify-token?token={{token}}
+
+Enjoy!
+The Penpot team.

backend/resources/app/email/invite-to-team/en.html

@@ -186,7 +186,8 @@
                     <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
                       <div
                         style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
-                        {{invited-by|abbreviate:25}} has invited you to join the team “{{ team|abbreviate:25 }}”.</div>
+                        {{invited-by|abbreviate:25}} has invited you to join the team “{{ team|abbreviate:25 }}”{% if organization %}
+                         part of the organization “{{ organization|abbreviate:25 }}”{% endif %}.</div>
                     </td>
                   </tr>
                   <tr>

backend/resources/app/email/invite-to-team/en.txt

@@ -1,6 +1,6 @@
 Hello!
 
-{{invited-by|abbreviate:25}} has invited you to join the team “{{ team|abbreviate:25 }}”.
+{{invited-by|abbreviate:25}} has invited you to join the team "{{ team|abbreviate:25 }}"{% if organization %}, part of the organization "{{ organization|abbreviate:25 }}"{% endif %}.
 
 Accept invitation using this link:
 

backend/scripts/_env

@@ -13,7 +13,7 @@ export PENPOT_PUBLIC_URI=https://localhost:3449
 
 export PENPOT_FLAGS="\
        $PENPOT_FLAGS \
-       enable-login-with-password
+       enable-login-with-password \
        disable-login-with-ldap \
        disable-login-with-oidc \
        disable-login-with-google \
@@ -66,7 +66,7 @@ export PENPOT_OBJECTS_STORAGE_BACKEND=s3
 export PENPOT_OBJECTS_STORAGE_S3_ENDPOINT=http://minio:9000
 export PENPOT_OBJECTS_STORAGE_S3_BUCKET=penpot
 
-export PENPOT_NITRATE_BACKEND_URI=http://localhost:3000/control-center
+export PENPOT_NITRATE_BACKEND_URI=http://localhost:3000/admin-console
 
 export JAVA_OPTS="\
        -Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager \

backend/src/app/auth/ldap.clj

@@ -111,7 +111,7 @@
    [:host {:optional true} :string]
    [:port {:optional true} ::sm/int]
    [:bind-dn {:optional true} :string]
-   [:bind-passwor {:optional true} :string]
+   [:bind-password {:optional true} :string]
    [:query {:optional true} :string]
    [:base-dn {:optional true} :string]
    [:attrs-email {:optional true} :string]

backend/src/app/auth/oidc.clj

@@ -27,6 +27,7 @@
    [app.rpc.commands.profile :as profile]
    [app.setup :as-alias setup]
    [app.tokens :as tokens]
+   [app.util.cache :as cache]
    [app.util.inet :as inet]
    [app.util.json :as json]
    [buddy.sign.jwk :as jwk]
@@ -43,7 +44,7 @@
 (defn- discover-oidc-config
   [cfg {:keys [base-uri] :as provider}]
   (let [uri (u/join base-uri ".well-known/openid-configuration")
-        rsp (http/req! cfg {:method :get :uri (dm/str uri)})]
+        rsp (http/req cfg {:method :get :uri (dm/str uri)})]
 
     (if (= 200 (:status rsp))
       (let [data       (-> rsp :body json/decode)
@@ -105,7 +106,7 @@
 
 (defn- fetch-oidc-jwks
   [cfg jwks-uri]
-  (let [{:keys [status body]} (http/req! cfg {:method :get :uri jwks-uri})]
+  (let [{:keys [status body]} (http/req cfg {:method :get :uri jwks-uri})]
     (if (= 200 status)
       (-> body json/decode :keys process-oidc-jwks)
       (ex/raise :type ::internal
@@ -235,7 +236,7 @@
                     :timeout 6000
                     :method :get}
 
-            {:keys [status body]} (http/req! cfg params)]
+            {:keys [status body]} (http/req cfg params)]
 
         (when-not (int-in-range? status 200 300)
           (ex/raise :type :internal
@@ -401,8 +402,9 @@
 
 (defn- parse-attr-path
   [provider path]
-  (let [[fitem & items] (str/split path "__")]
-    (into [(keyword (:type provider) fitem)] (map keyword) items)))
+  (let [separator        (if (str/includes? path "__") "__" ".")
+        [fitem & items]  (str/split path separator)]
+    (into [(keyword (:type provider) (str/kebab fitem))] (map keyword) items)))
 
 (defn- build-redirect-uri
   []
@@ -452,7 +454,7 @@
            :grant-type (:grant_type params)
            :redirect-uri (:redirect_uri params))
 
-    (let [{:keys [status body]} (http/req! cfg req)]
+    (let [{:keys [status body]} (http/req cfg req)]
       (if (= status 200)
         (let [data (json/decode body)
               data {:token/access (get data :access_token)
@@ -507,7 +509,7 @@
                   :headers {"Authorization" (str (:token/type tdata) " " (:token/access tdata))}
                   :timeout 6000
                   :method :get}
-        response (http/req! cfg params)]
+        response (http/req cfg params)]
 
     (l/trc :hint "user info response"
            :status (:status response)
@@ -547,15 +549,28 @@
 (def ^:private valid-info?
   (sm/validator schema:info))
 
+(defn- select-user-info-source
+  "Normalise the provider's configured user-info source into a keyword the
+  dispatch below can match. The raw value comes from config as a string
+  per the malli schema in `app.config` (`\"token\"`, `\"userinfo\"`, or
+  `\"auto\"`) and from hard-coded per-provider maps as strings as well;
+  any unrecognised or missing value falls back to `:auto` (prefer claims,
+  use userinfo as fallback)."
+  [source]
+  (case source
+    "token"    :token
+    "userinfo" :userinfo
+    :auto))
+
 (defn- get-info
   [cfg provider state code]
   (let [tdata  (fetch-access-token cfg provider code)
         claims (get-id-token-claims provider tdata)
 
-        info   (case (get provider :user-info-source)
-                 :token (dissoc claims :exp :iss :iat :aud :sub :sid)
+        info   (case (select-user-info-source (get provider :user-info-source))
+                 :token    (dissoc claims :exp :iss :iat :aud :sid)
                  :userinfo (fetch-user-info cfg provider tdata)
-                 (or (some-> claims (dissoc :exp :iss :iat :aud :sub :sid))
+                 :auto     (or (some-> claims (dissoc :exp :iss :iat :aud :sid))
                                (fetch-user-info cfg provider tdata)))
 
         info   (process-user-info provider tdata info)]
@@ -680,15 +695,24 @@
     (db/pgarray? roles)
     (assoc :roles (db/decode-pgarray roles #{}))))
 
-;; TODO: add cache layer for avoid build an discover each time
+;; A short TTL avoids paying the OIDC discovery + JWKS fetch on every
+;; login; Caffeine will not store the entry when the load fn throws,
+;; so a transient failure at the provider's discovery endpoint does
+;; not poison the cache.
+(defonce ^:private provider-cache
+  (cache/create :expire "10m" :max-size 64))
+
+(defn- load-provider
+  [cfg id]
+  (when-let [params (some->> (db/get* cfg :sso-provider {:id id :is-enabled true})
+                             (decode-row))]
+    (case (:type params)
+      "oidc" (prepare-oidc-provider cfg params))))
 
 (defn get-provider
   [cfg id]
   (try
-    (when-let [params (some->> (db/get* cfg :sso-provider {:id id :is-enabled true})
-                               (decode-row))]
-      (case (:type params)
-        "oidc" (prepare-oidc-provider cfg params)))
+    (cache/get provider-cache id (partial load-provider cfg))
     (catch Throwable cause
       (l/err :hint "unable to configure custom SSO provider"
              :provider (str id)
@@ -804,12 +828,12 @@
                 props   (audit/profile->props profile)
                 context (d/without-nils {:external-session-id (:external-session-id info)})]
 
-            (audit/submit! cfg {::audit/type "action"
-                                ::audit/name "login-with-oidc"
-                                ::audit/profile-id (:id profile)
-                                ::audit/ip-addr (inet/parse-request request)
-                                ::audit/props props
-                                ::audit/context context})
+            (audit/submit cfg {:type "action"
+                               :name "login-with-oidc"
+                               :profile-id (:id profile)
+                               :ip-addr (inet/parse-request request)
+                               :props props
+                               :context context})
 
             (->> (redirect-to-verify-token token)
                  (sxf request)))))

backend/src/app/binfile/common.clj

@@ -315,8 +315,8 @@
 (defn get-file
   "Get file, resolve all features and apply migrations.
 
-  Usefull when you have plan to apply massive or not cirurgical
-  operations on file, because it removes the ovehead of lazy fetching
+  Useful when you have plan to apply massive or not surgical
+  operations on file, because it removes the overhead of lazy fetching
   and decoding."
   [cfg file-id & {:as opts}]
   (db/run! cfg get-file* file-id opts))
@@ -440,11 +440,28 @@
 
   (db/run! cfg (fn [{:keys [::db/conn]}]
                  (let [ids (db/create-array conn "uuid" ids)
-                       sql (str "SELECT flr.* FROM file_library_rel AS flr "
-                                "  JOIN file AS l ON (flr.library_file_id = l.id) "
-                                " WHERE flr.file_id = ANY(?) AND l.deleted_at IS NULL")]
+                       sql (str "SELECT flr.*,"
+                                "	   fls.synced_at"
+                                "  FROM file_library_rel AS flr"
+                                "  JOIN file AS l"
+                                "    ON flr.library_file_id = l.id"
+                                "  LEFT JOIN file_library_sync AS fls"
+                                "    ON fls.file_id = flr.file_id"
+                                "   AND fls.library_file_id = flr.library_file_id"
+                                " WHERE flr.file_id = ANY(?)"
+                                "   AND l.deleted_at IS NULL;")]
                    (db/exec! conn [sql ids])))))
 
+(def ^:private sql:upsert-file-library-sync
+  "INSERT INTO file_library_sync (file_id, library_file_id, synced_at)
+   VALUES (?::uuid, ?::uuid, ?::timestamptz)
+   ON CONFLICT (file_id, library_file_id)
+   DO UPDATE SET synced_at = EXCLUDED.synced_at;")
+
+(defn upsert-file-library-sync!
+  [conn {:keys [file-id library-file-id synced-at]}]
+  (db/exec-one! conn [sql:upsert-file-library-sync file-id library-file-id synced-at]))
+
 (def ^:private sql:get-libraries
   "WITH RECURSIVE libs AS (
      SELECT fl.id
@@ -799,15 +816,20 @@
 
 (def ^:private sql:get-file-libraries
   "WITH RECURSIVE libs AS (
-     SELECT fl.*, flr.synced_at
+		SELECT fl.*
 		FROM file AS fl
-       JOIN file_library_rel AS flr ON (flr.library_file_id = fl.id)
+		JOIN file_library_rel AS flr
+		  ON flr.library_file_id = fl.id
 		WHERE flr.file_id = ?::uuid
+
 		UNION
-     SELECT fl.*, flr.synced_at
+
+		SELECT fl.*
 		FROM file AS fl
-       JOIN file_library_rel AS flr ON (flr.library_file_id = fl.id)
-       JOIN libs AS l ON (flr.file_id = l.id)
+		JOIN file_library_rel AS flr
+		  ON flr.library_file_id = fl.id
+		JOIN libs AS l
+		  ON flr.file_id = l.id
 	)
 	SELECT l.id,
 		   l.features,
@@ -819,11 +841,15 @@
 		   l.name,
 		   l.revn,
 		   l.vern,
-          l.synced_at,
 		   l.is_shared,
-          l.version
+		   l.version,
+		   fls.synced_at
 	FROM libs AS l
-    INNER JOIN project AS p ON (p.id = l.project_id)
+	JOIN project AS p
+	  ON p.id = l.project_id
+	LEFT JOIN file_library_sync AS fls
+	  ON fls.file_id = ?::uuid
+	 AND fls.library_file_id = l.id
 	WHERE l.deleted_at IS NULL;")
 
 (defn get-file-libraries
@@ -834,7 +860,7 @@
          ;; completly useless
          (map #(assoc % :is-indirect false))
          (map decode-row-features))
-        (db/exec! conn [sql:get-file-libraries file-id])))
+        (db/exec! conn [sql:get-file-libraries file-id file-id])))
 
 (defn get-resolved-file-libraries
   "Get all file libraries including itself. Returns an instance of

backend/src/app/binfile/v1.clj

@@ -40,8 +40,8 @@
    [promesa.util :as pu]
    [yetti.adapter :as yt])
   (:import
-   com.github.luben.zstd.ZstdIOException
    com.github.luben.zstd.ZstdInputStream
+   com.github.luben.zstd.ZstdIOException
    com.github.luben.zstd.ZstdOutputStream
    java.io.DataInputStream
    java.io.DataOutputStream
@@ -573,7 +573,6 @@
     ;; Insert all file relations
     (doseq [{:keys [library-file-id] :as rel} rels]
       (let [rel (-> rel
-                    (assoc :synced-at timestamp)
                     (update :file-id bfc/lookup-index)
                     (update :library-file-id bfc/lookup-index))]
 
@@ -583,7 +582,12 @@
                    :file-id (:file-id rel)
                    :lib-id (:library-file-id rel)
                    ::l/sync? true)
-            (db/insert! conn :file-library-rel rel))
+            (let [rel-params (dissoc rel :synced-at)]
+              (db/insert! conn :file-library-rel rel-params)
+              (bfc/upsert-file-library-sync! conn {:file-id (:file-id rel-params)
+                                                   :library-file-id (:library-file-id rel-params)
+                                                   :synced-at (or (:synced-at rel)
+                                                                  timestamp)})))
 
           (l/warn :hint "ignoring file library link"
                   :file-id (:file-id rel)

backend/src/app/binfile/v2.clj

@@ -314,10 +314,10 @@
   (doseq [rel (read-obj cfg :file-rels file-id)]
     (let [rel (-> rel
                   (update :file-id bfc/lookup-index)
-                  (update :library-file-id bfc/lookup-index)
-                  (assoc :synced-at timestamp))]
+                  (update :library-file-id bfc/lookup-index))]
       (db/insert! conn :file-library-rel rel
-                  ::db/return-keys false)))
+                  ::db/return-keys false)
+      (bfc/upsert-file-library-sync! conn (assoc rel :synced-at timestamp))))
 
   (doseq [media (read-seq cfg :file-media-object file-id)]
     (let [media (-> media

backend/src/app/binfile/v3.clj

@@ -281,7 +281,7 @@
 
         thumbnails   (bfc/get-file-object-thumbnails cfg file-id)]
 
-    (events/tap :progress {:section :file :id file-id})
+    (events/tap :progress {:section :file :id file-id :name (:name file)})
 
     (vswap! bfc/*state* update :files assoc file-id
             {:id file-id
@@ -301,6 +301,7 @@
       (write-entry! output path file))
 
     (doseq [[index page-id] (d/enumerate pages)]
+
       (let [path    (str "files/" file-id "/pages/" page-id ".json")
             page    (get pages-index page-id)
             objects (:objects page)
@@ -311,6 +312,8 @@
 
         (write-entry! output path page)
 
+        (events/tap :progress {:section :page :id page-id :name (:name page) :file-id file-id})
+
         (doseq [[shape-id shape] objects]
           (let [path  (str "files/" file-id "/pages/" page-id "/" shape-id ".json")
                 shape (assoc shape :page-id page-id)
@@ -323,6 +326,8 @@
     (doseq [{:keys [id] :as media} media]
       (let [path  (str "files/" file-id "/media/" id ".json")
             media (encode-media media)]
+
+        (events/tap :progress {:section :media :id id  :file-id file-id})
         (write-entry! output path media)))
 
     (doseq [thumbnail thumbnails]
@@ -332,11 +337,13 @@
             data (-> data
                      (assoc :media-id (:media-id thumbnail))
                      (encode-file-thumbnail))]
+        (events/tap :progress {:section :thumbnails :id (:object-id thumbnail) :file-id file-id})
         (write-entry! output path data)))
 
     (doseq [[id component] components]
       (let [path      (str "files/" file-id "/components/" id ".json")
             component (encode-component component)]
+        (events/tap :progress {:section :component :id id :file-id file-id})
         (write-entry! output path component)))
 
     (doseq [[id color] colors]
@@ -347,17 +354,20 @@
                     (and (contains? color :path)
                          (str/empty? (:path color)))
                     (dissoc :path))]
+        (events/tap :progress {:section :color :id id :file-id file-id})
         (write-entry! output path color)))
 
     (doseq [[id object] typographies]
       (let [path       (str "files/" file-id "/typographies/" id ".json")
             typography (encode-typography object)]
+        (events/tap :progress {:section :typography :id id :file-id file-id})
         (write-entry! output path typography)))
 
     (when (and tokens-lib
                (not (ctob/empty-lib? tokens-lib)))
       (let [path           (str "files/" file-id "/tokens.json")
             encoded-tokens (encode-tokens-lib tokens-lib)]
+        (events/tap :progress {:section :tokens-lib :file-id file-id})
         (write-entry! output path encoded-tokens)))))
 
 (defn- export-files
@@ -600,6 +610,7 @@
                  (let [object (->> (read-entry input entry)
                                    (decode-color)
                                    (validate-color))]
+                   (events/tap :progress {:section :color :id id :file-id file-id})
                    (if (= id (:id object))
                      (assoc result id object)
                      result)))
@@ -631,6 +642,7 @@
                                      (clean-component-pre-decode)
                                      (decode-component)
                                      (clean-component-post-decode))]
+                     (events/tap :progress {:section :component :id id :file-id file-id})
                      (if (= id (:id object))
                        (assoc result id object)
                        result)))
@@ -644,6 +656,7 @@
                  (let [object (->> (read-entry input entry)
                                    (decode-typography)
                                    (validate-typography))]
+                   (events/tap :progress {:section :typography :id id :file-id file-id})
                    (if (= id (:id object))
                      (assoc result id object)
                      result)))
@@ -653,6 +666,7 @@
 (defn- read-file-tokens-lib
   [{:keys [::bfc/input ::entries]} file-id]
   (when-let [entry (d/seek (match-tokens-lib-entry-fn file-id) entries)]
+    (events/tap :progress {:section :tokens-lib :file-id file-id})
     (->> (read-plain-entry input entry)
          (decode-tokens-lib)
          (validate-tokens-lib))))
@@ -678,6 +692,7 @@
                (let [page (->> (read-entry input entry)
                                (decode-page))
                      page (dissoc page :options)]
+                 (events/tap :progress {:section :page :id id :file-id file-id})
                  (when (= id (:id page))
                    (let [objects (read-file-shapes cfg file-id id)]
                      (assoc page :objects objects))))))
@@ -693,6 +708,7 @@
                  (let [object (->> (read-entry input entry)
                                    (decode-file-thumbnail)
                                    (validate-file-thumbnail))]
+
                    (if (and (= frame-id (:frame-id object))
                             (= page-id (:page-id object))
                             (= tag (:tag object)))
@@ -733,8 +749,6 @@
 
     (vswap! bfc/*state* update :index bfc/update-index media :id)
 
-    (events/tap :progress {:section :media :file-id file-id})
-
     (doseq [item media]
       (let [params (-> item
                        (update :id bfc/lookup-index)
@@ -742,6 +756,8 @@
                        (d/update-when :media-id bfc/lookup-index)
                        (d/update-when :thumbnail-id bfc/lookup-index))]
 
+        (events/tap :progress {:section :media :id (:id params) :file-id file-id})
+
         (l/dbg :hint "inserting media object"
                :file-id (str file-id')
                :id (str (:id params))
@@ -753,8 +769,6 @@
         (db/insert! conn :file-media-object params
                     ::db/on-conflict-do-nothing? (::bfc/overwrite cfg))))
 
-    (events/tap :progress {:section :thumbnails :file-id file-id})
-
     (doseq [item thumbnails]
       (let [media-id  (bfc/lookup-index (:media-id item))
             object-id (-> (assoc item :file-id file-id')
@@ -769,6 +783,8 @@
                :media-id (str media-id)
                ::l/sync? true)
 
+        (events/tap :progress {:section :thumbnail :file-id file-id :object-id object-id})
+
         (db/insert! conn :file-tagged-object-thumbnail params
                     ::db/on-conflict-do-nothing? true)))
 
@@ -808,10 +824,10 @@
                :file-id (str file-id)
                :lib-id (str libr-id)
                ::l/sync? true)
-        (db/insert! conn :file-library-rel
-                    {:synced-at timestamp
-                     :file-id file-id
-                     :library-file-id libr-id})))))
+        (let [rel-params {:file-id file-id
+                          :library-file-id libr-id}]
+          (db/insert! conn :file-library-rel rel-params)
+          (bfc/upsert-file-library-sync! conn (assoc rel-params :synced-at timestamp)))))))
 
 (defn- import-storage-objects
   [{:keys [::bfc/input ::entries ::bfc/timestamp] :as cfg}]

backend/src/app/config.clj

@@ -72,6 +72,7 @@
    :telemetry-uri "https://telemetry.penpot.app/"
 
    :media-max-file-size (* 1024 1024 30) ; 30MiB
+   :font-max-file-size  (* 1024 1024 30) ; 30MiB
 
    :ldap-user-query "(|(uid=:username)(mail=:username))"
    :ldap-attrs-username "uid"
@@ -85,7 +86,11 @@
    :email-verify-threshold "15m"
 
    :quotes-upload-sessions-per-profile 5
-   :quotes-upload-chunks-per-session 20})
+   :quotes-upload-chunks-per-session 20
+
+   ;; SSRF protection
+   :ssrf-allowed-hosts #{}
+   :ssrf-extra-blocked-cidrs #{}})
 
 (def schema:config
   (do #_sm/optional-keys
@@ -116,6 +121,7 @@
     [:auto-file-snapshot-timeout {:optional true} ::ct/duration]
 
     [:media-max-file-size {:optional true} ::sm/int]
+    [:font-max-file-size  {:optional true} ::sm/int]
     [:deletion-delay {:optional true} ::ct/duration]
     [:file-clean-delay {:optional true} ::ct/duration]
     [:telemetry-enabled {:optional true} ::sm/boolean]
@@ -245,17 +251,26 @@
     [:objects-storage-fs-directory {:optional true} :string]
     [:objects-storage-s3-bucket {:optional true} :string]
     [:objects-storage-s3-region {:optional true} :keyword]
-    [:objects-storage-s3-endpoint {:optional true} ::sm/uri]]))
+    [:objects-storage-s3-endpoint {:optional true} ::sm/uri]
+
+    ;; SSRF protection
+    [:ssrf-allowed-hosts {:optional true} [::sm/set :string]]
+    [:ssrf-extra-blocked-cidrs {:optional true} [::sm/set :string]]]))
 
 (defn- parse-flags
   [config]
   (let [public-uri  (c/get config :public-uri)
         public-uri  (some-> public-uri (u/uri))
-        extra-flags (if (and public-uri
+        extra-flags (cond-> #{}
+                      ;; When public-uri is http (non-localhost), disable secure cookies
+                      (and public-uri
                            (= (:scheme public-uri) "http")
                            (not= (:host public-uri) "localhost"))
-                      #{:disable-secure-session-cookies}
-                      #{})]
+                      (conj :disable-secure-session-cookies)
+
+                      ;; When telemetry-enabled config is true, add :telemetry flag
+                      (true? (c/get config :telemetry-enabled))
+                      (conj :enable-telemetry))]
     (flags/parse flags/default extra-flags (:flags config))))
 
 (defn read-env
@@ -280,7 +295,7 @@
   (sm/explainer schema:config))
 
 (defn read-config
-  "Reads the configuration from enviroment variables and decodes all
+  "Reads the configuration from environment variables and decodes all
   known values."
   [& {:keys [prefix default] :or {prefix "penpot"}}]
   (->> (read-env prefix)

backend/src/app/db.clj

@@ -36,11 +36,11 @@
    java.sql.Connection
    java.sql.PreparedStatement
    java.sql.Savepoint
-   org.postgresql.PGConnection
    org.postgresql.geometric.PGpoint
    org.postgresql.jdbc.PgArray
    org.postgresql.largeobject.LargeObject
    org.postgresql.largeobject.LargeObjectManager
+   org.postgresql.PGConnection
    org.postgresql.util.PGInterval
    org.postgresql.util.PGobject))
 

backend/src/app/email.clj

@@ -22,15 +22,34 @@
    [cuerdas.core :as str]
    [integrant.core :as ig])
   (:import
-   jakarta.mail.Message$RecipientType
-   jakarta.mail.Session
-   jakarta.mail.Transport
    jakarta.mail.internet.InternetAddress
    jakarta.mail.internet.MimeBodyPart
    jakarta.mail.internet.MimeMessage
    jakarta.mail.internet.MimeMultipart
+   jakarta.mail.Message$RecipientType
+   jakarta.mail.Session
+   jakarta.mail.Transport
    java.util.Properties))
 
+(defn clean
+  "Clean and normalizes email address string"
+  [email]
+  (let [email (str/lower email)
+        email (if (str/starts-with? email "mailto:")
+                (subs email 7)
+                email)
+        email (if (or (str/starts-with? email "<")
+                      (str/ends-with? email ">"))
+                (str/trim email "<>")
+                email)]
+    email))
+
+(defn get-domain
+  [email]
+  (let [email      (clean email)
+        [_ domain] (str/split email "@" 2)]
+    domain))
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; EMAIL IMPL
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -412,6 +431,21 @@
    :id ::invite-to-team
    :schema schema:invite-to-team))
 
+(def ^:private schema:invite-to-org
+  [:map
+   [:invited-by ::sm/text]
+   [:organization-name ::sm/text]
+   [:organization-initials [:maybe :string]]
+   [:organization-logo ::sm/uri]
+   [:user-name [:maybe ::sm/text]]
+   [:token ::sm/text]])
+
+(def invite-to-org
+  "Org member invitation email."
+  (template-factory
+   :id ::invite-to-org
+   :schema schema:invite-to-org))
+
 (def ^:private schema:join-team
   [:map
    [:invited-by ::sm/text]

backend/src/app/email/blacklist.clj

@@ -36,10 +36,18 @@
                :cause cause)))))
 
 (defn contains?
-  "Check if email is in the blacklist."
+  "Check if email is in the blacklist. Also matches subdomains: if
+  'somedomain.com' is blacklisted, 'xxx@foo.somedomain.com' will also
+  be rejected."
   [{:keys [::email/blacklist]} email]
-  (let [[_ domain] (str/split email "@" 2)]
-    (c/contains? blacklist (str/lower domain))))
+  (let [[_ domain] (str/split email "@" 2)
+        parts      (str/split (str/lower domain) #"\.")]
+    (loop [parts parts]
+      (if (empty? parts)
+        false
+        (if (c/contains? blacklist (str/join "." parts))
+          true
+          (recur (rest parts)))))))
 
 (defn enabled?
   "Check if the blacklist is enabled"

backend/src/app/features/file_snapshots.clj

@@ -112,8 +112,9 @@
                   THEN (c.deleted_at IS NULL OR c.deleted_at >= ?::timestamptz)
               END"))
 
-(defn- get-snapshot
-  "Get snapshot with decoded data"
+(defn get-snapshot-data
+  "Get a fully decoded snapshot for read-only preview or restoration.
+  Returns the snapshot map with decoded :data field."
   [cfg file-id snapshot-id]
   (let [now (ct/now)]
     (->> (db/get-with-sql cfg [sql:get-snapshot file-id snapshot-id now]
@@ -326,7 +327,7 @@
         (sto/resolve cfg {::db/reuse-conn true})
 
         snapshot
-        (get-snapshot cfg file-id snapshot-id)]
+        (get-snapshot-data cfg file-id snapshot-id)]
 
     (when-not snapshot
       (ex/raise :type :not-found

backend/src/app/http/assets.clj

@@ -12,43 +12,57 @@
    [app.common.time :as ct]
    [app.common.uri :as u]
    [app.db :as db]
+   [app.http.access-token :as actoken]
+   [app.http.session :as session]
    [app.storage :as sto]
    [integrant.core :as ig]
    [yetti.response :as-alias yres]))
 
-(def ^:private cache-max-age
+(def ^:private default-cache-max-age
   (ct/duration {:hours 24}))
 
-(def ^:private signature-max-age
+(def ^:private default-signature-max-age
   (ct/duration {:hours 24 :minutes 15}))
 
+;; Buckets that are legitimately public and do not require authentication.
+;; These are used by public shared board viewing, profile photos in UI,
+;; and embedded export/binfile flows.
+(def ^:private public-buckets
+  #{"file-media-object"
+    "file-object-thumbnail"
+    "team-font-variant"
+    "file-data-fragment"})
+
 (defn get-id
   [{:keys [path-params]}]
   (or (some-> path-params :id d/parse-uuid)
       (ex/raise :type :not-found
-                :hunt "object not found")))
+                :hint "object not found")))
 
 (defn- get-file-media-object
   [pool id]
   (db/get pool :file-media-object {:id id} {::db/remove-deleted false}))
 
 (defn- serve-object-from-s3
-  [{:keys [::sto/storage] :as cfg} obj]
-  (let [{:keys [host port] :as url} (sto/get-object-url storage obj {:max-age signature-max-age})]
+  [{:keys [::sto/storage ::signature-max-age ::cache-max-age] :as cfg} obj]
+  (let [sig-max-age (or signature-max-age default-signature-max-age)
+        cch-max-age (or cache-max-age default-cache-max-age)
+        {:keys [host port] :as url} (sto/get-object-url storage obj {:max-age sig-max-age})]
     {::yres/status  307
      ::yres/headers {"location" (str url)
                      "x-host"   (cond-> host port (str ":" port))
                      "x-mtype"  (-> obj meta :content-type)
-                     "cache-control" (str "max-age=" (inst-ms cache-max-age))}}))
+                     "cache-control" (str "max-age=" (inst-ms cch-max-age))}}))
 
 (defn- serve-object-from-fs
-  [{:keys [::path]} obj]
-  (let [purl    (u/join (u/uri path)
+  [{:keys [::path ::cache-max-age]} obj]
+  (let [cch-max-age (or cache-max-age default-cache-max-age)
+        purl    (u/join (u/uri path)
                         (sto/object->relative-path obj))
         mdata   (meta obj)
         headers {"x-accel-redirect" (:path purl)
                  "content-type" (:content-type mdata)
-                 "cache-control" (str "max-age=" (inst-ms cache-max-age))}]
+                 "cache-control" (str "max-age=" (inst-ms cch-max-age))}]
     {::yres/status 204
      ::yres/headers headers}))
 
@@ -60,14 +74,36 @@
     (:s3 :assets-s3) (serve-object-from-s3 cfg obj)
     (:fs :assets-fs) (serve-object-from-fs cfg obj)))
 
+(defn- requires-auth?
+  "Check if the storage object requires authentication based on its bucket."
+  [obj]
+  (let [bucket (-> obj meta :bucket)]
+    (not (contains? public-buckets bucket))))
+
+(defn- authenticated?
+  "Check if the request has an authenticated profile, either via session
+   or access token."
+  [request]
+  (or (some? (::session/profile-id request))
+      (some? (::actoken/profile-id request))))
+
 (defn objects-handler
-  "Handler that servers storage objects by id."
+  "Handler that serves storage objects by id.
+   For non-public buckets (e.g. profile), requires authentication
+   via session cookie or access token."
   [{:keys [::sto/storage] :as cfg} request]
   (let [id  (get-id request)
         obj (sto/get-object storage id)]
-    (if obj
-      (serve-object cfg obj)
-      {::yres/status 404})))
+    (cond
+      (nil? obj)
+      {::yres/status 404}
+
+      (and (requires-auth? obj)
+           (not (authenticated? request)))
+      {::yres/status 401}
+
+      :else
+      (serve-object cfg obj))))
 
 (defn- generic-handler
   "A generic handler helper/common code for file-media based handlers."
@@ -96,11 +132,13 @@
 (defmethod ig/assert-key ::routes
   [_ params]
   (assert (sto/valid-storage? (::sto/storage params)) "expected valid storage instance")
+  (assert (session/manager? (::session/manager params)) "expected valid session manager")
   (assert (string? (::path params))))
 
 (defmethod ig/init-key ::routes
   [_ cfg]
-  ["/assets"
+  ["/assets" {:middleware [[session/authz cfg]
+                           [actoken/authz cfg]]}
    ["/by-id/:id" {:handler (partial objects-handler cfg)}]
    ["/by-file-media-id/:id" {:handler (partial file-objects-handler cfg)}]
    ["/by-file-media-id/:id/thumbnail" {:handler (partial file-thumbnails-handler cfg)}]])

backend/src/app/http/awsns.clj

@@ -53,7 +53,7 @@
         (let [surl   (get body "SubscribeURL")
               stopic (get body "TopicArn")]
           (l/info :action "subscription received" :topic stopic :url surl)
-          (http/req! cfg {:uri surl :method :post :timeout 10000} {:sync? true}))
+          (http/req cfg {:uri surl :method :post :timeout 10000} {:sync? true}))
 
         (= mtype "Notification")
         (when-let [message (parse-json (get body "Message"))]

backend/src/app/http/client.clj

@@ -5,13 +5,24 @@
 ;; Copyright (c) KALEIDOS INC
 
 (ns app.http.client
-  "Http client abstraction layer."
+  "Http client abstraction layer.
+
+   All outbound requests made through `req` and `req-with-redirects`
+   are validated against the SSRF blocklist by default. Pass
+   `:skip-ssrf-check? true` in the options map only when the target
+   is a well-known, operator-configured endpoint that cannot be
+   influenced by user input (e.g. internal telemetry, error webhooks)."
   (:require
    [app.common.schema :as sm]
+   [app.util.ssrf :as ssrf]
+   [cuerdas.core :as str]
    [integrant.core :as ig]
    [java-http-clj.core :as http])
   (:import
-   java.net.http.HttpClient))
+   java.net.http.HttpClient
+   java.net.URI))
+
+(def default-max-redirects 5)
 
 (defn client?
   [o]
@@ -23,8 +34,8 @@
 
 (defmethod ig/init-key ::client
   [_ _]
-  (http/build-client {:connect-timeout 30000 ;; 10s
-                      :follow-redirects :always}))
+  (http/build-client {:connect-timeout 30000
+                      :follow-redirects :never}))
 
 (defn send!
   ([client req] (send! client req {}))
@@ -44,14 +55,82 @@
     :else
     (throw (UnsupportedOperationException. "invalid arguments"))))
 
-(defn req!
-  "A convencience toplevel function for gradual migration to a new API
-  convention."
+(defn req
+  "Issue a single HTTP request.  SSRF validation is applied to the
+   target URI by default; pass `:skip-ssrf-check? true` in `options`
+   to bypass it for known-safe, operator-configured endpoints."
   ([cfg-or-client request]
+   (req cfg-or-client request {}))
+  ([cfg-or-client request {:keys [skip-ssrf-check?] :as options}]
+   (let [request (if skip-ssrf-check?
+                   (update request :uri str)
+                   (update request :uri ssrf/validate-uri))
+         client  (resolve-client cfg-or-client)]
+     (send! client request (dissoc options :skip-ssrf-check?)))))
+
+(defn- resolve-location
+  "Resolve a Location header value against the original request URI.
+   Handles:
+     - Absolute URLs (http:// or https://) — returned as-is.
+     - Protocol-relative URLs (//host/path) — inherit the scheme from base-uri.
+     - Path-absolute and relative URLs — resolved against base-uri via URI.resolve."
+  [^String base-uri ^String location]
+  (cond
+    (or (str/starts-with? location "http://")
+        (str/starts-with? location "https://"))
+    location
+
+    (str/starts-with? location "//")
+    (let [scheme (.getScheme (URI. base-uri))]
+      (str scheme ":" location))
+
+    :else
+    (str (.resolve (URI. base-uri) location))))
+
+(defn- redirect-request
+  "Build the next request for a 3xx redirect.
+   Per RFC 7231 §6.4:
+     - 303 always issues GET (body dropped).
+     - 301/302 with non-GET/HEAD methods: downgrade to GET (body dropped).
+     - 307/308 preserve the original method and body.
+   The Location URI has already been resolved by the caller."
+  [orig-request ^String next-uri status]
+  (let [method (:method orig-request)]
+    (if (or (= status 303)
+            (and (contains? #{301 302} status)
+                 (not (contains? #{:get :head} method))))
+      ;; Downgrade to GET, drop body and content-type
+      (-> orig-request
+          (assoc :uri next-uri :method :get)
+          (dissoc :body)
+          (update :headers dissoc "content-type" "content-length"))
+      ;; Preserve method/body (307, 308, or GET/HEAD 301/302)
+      (assoc orig-request :uri next-uri))))
+
+(defn req-with-redirects
+  "Like `req`, but follows up to `max-redirects` HTTP 3xx redirects.
+   SSRF validation is applied before every hop (initial request and
+   each redirect target) unless `:skip-ssrf-check? true` is passed.
+   Redirect semantics follow RFC 7231 §6.4: 301/302 POST is downgraded
+   to GET; 303 always uses GET; 307/308 preserve the original method."
+  ([cfg-or-client request]
+   (req-with-redirects cfg-or-client request {}))
+  ([cfg-or-client request {:keys [max-redirects skip-ssrf-check?]
+                           :or   {max-redirects default-max-redirects}
+                           :as opts}]
+   (let [send-opts  (dissoc opts :max-redirects :skip-ssrf-check?)
+         uri-coerce (if skip-ssrf-check? str ssrf/validate-uri)]
+     (loop [current-req (update request :uri uri-coerce)
+            hops        0]
        (let [client (resolve-client cfg-or-client)
-         request (update request :uri str)]
-     (send! client request {})))
-  ([cfg-or-client request options]
-   (let [client  (resolve-client cfg-or-client)
-         request (update request :uri str)]
-     (send! client request options))))
+             resp   (send! client current-req send-opts)
+             status (:status resp)]
+         (if (and (<= 300 status 399)
+                  (< hops max-redirects))
+           (if-let [location (get-in resp [:headers "location"])]
+             (let [next-uri (resolve-location (str (:uri current-req)) location)]
+               (recur (update (redirect-request current-req next-uri status) :uri uri-coerce)
+                      (inc hops)))
+             ;; No Location header on a 3xx — return the response as-is
+             resp)
+           resp))))))

backend/src/app/http/sse.clj

@@ -21,7 +21,7 @@
 
 (defn- write!
   [^OutputStream output ^bytes data]
-  (l/trc :hint "writting data" :data data :length (alength data))
+  (l/trc :hint "writing data" :data data :length (alength data))
   (.write output data)
   (.flush output))
 

backend/src/app/loggers/audit.clj

@@ -16,12 +16,12 @@
    [app.common.uuid :as uuid]
    [app.config :as cf]
    [app.db :as db]
+   [app.email :as email]
    [app.http :as-alias http]
    [app.http.access-token :as-alias actoken]
    [app.loggers.audit.tasks :as-alias tasks]
    [app.loggers.webhooks :as-alias webhooks]
    [app.rpc :as-alias rpc]
-   [app.rpc.retry :as rtry]
    [app.setup :as-alias setup]
    [app.util.inet :as inet]
    [app.util.services :as-alias sv]
@@ -33,6 +33,63 @@
 ;; HELPERS
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
+(def ^:private filter-auth-events
+  #{"login-with-oidc" "login-with-password" "register-profile" "update-profile"})
+
+(def ^:private safe-backend-context-keys
+  #{:version
+    :initiator
+    :client-version
+    :client-user-agent})
+
+(def ^:private safe-frontend-context-keys
+  #{:version
+    :locale
+    :browser
+    :browser-version
+    :engine
+    :engine-version
+    :os
+    :os-version
+    :device-type
+    :device-arch
+    :screen-width
+    :screen-height
+    :screen-color-depth
+    :screen-orientation
+    :event-origin
+    :event-namespace
+    :event-symbol})
+
+(def profile-props
+  [:id
+   :is-active
+   :is-muted
+   :auth-backend
+   :email
+   :default-team-id
+   :default-project-id
+   :fullname
+   :lang])
+
+(def ^:private event-keys
+  #{:id
+    :name
+    :type
+    :profile-id
+    :ip-addr
+    :props
+    :context
+    :source
+    :tracked-at
+    :created-at})
+
+(def reserved-props
+  #{:session-id
+    :password
+    :old-password
+    :token})
+
 (defn extract-utm-params
   "Extracts additional data from params and namespace them under
   `penpot` ns."
@@ -47,17 +104,6 @@
                 (assoc (->> sk str/kebab (keyword "penpot")) v))))]
     (reduce-kv process-param {} params)))
 
-(def profile-props
-  [:id
-   :is-active
-   :is-muted
-   :auth-backend
-   :email
-   :default-team-id
-   :default-project-id
-   :fullname
-   :lang])
-
 (defn profile->props
   [profile]
   (-> profile
@@ -65,12 +111,6 @@
       (merge (:props profile))
       (d/without-nils)))
 
-(def reserved-props
-  #{:session-id
-    :password
-    :old-password
-    :token})
-
 (defn clean-props
   [props]
   (into {}
@@ -121,15 +161,16 @@
 
 (def ^:private schema:event
   [:map {:title "AuditEvent"}
-   [::type ::sm/text]
-   [::name ::sm/text]
-   [::profile-id ::sm/uuid]
-   [::ip-addr {:optional true} ::sm/text]
-   [::props {:optional true} [:map-of :keyword :any]]
-   [::context {:optional true} [:map-of :keyword :any]]
-   [::tracked-at {:optional true} ::ct/inst]
-   [::created-at {:optional true} ::ct/inst]
-   [::source {:optional true} ::sm/text]
+   [:id {:optional true} ::sm/uuid]
+   [:type ::sm/text]
+   [:name ::sm/text]
+   [:profile-id ::sm/uuid]
+   [:props [:map-of :keyword :any]]
+   [:context [:map-of :keyword :any]]
+   [:tracked-at ::ct/inst]
+   [:created-at ::ct/inst]
+   [:source ::sm/text]
+   [:ip-addr {:optional true} ::sm/text]
    [::webhooks/event? {:optional true} ::sm/boolean]
    [::webhooks/batch-timeout {:optional true} ::ct/duration]
    [::webhooks/batch-key {:optional true}
@@ -141,7 +182,156 @@
 (def valid-event?
   (sm/validator schema:event))
 
-(defn prepare-event
+(defn- prepare-context-from-request
+  "Prepare backend event context from request"
+  [request]
+  (let [client-event-origin (get-client-event-origin request)
+        client-version      (get-client-version request)
+        client-user-agent   (get-client-user-agent request)
+        session-id          (get-external-session-id request)
+        key-id              (::http/auth-key-id request)
+        token-id            (::actoken/id request)
+        token-type          (::actoken/type request)]
+    {:external-session-id session-id
+     :initiator (or key-id "app")
+     :access-token-id (some-> token-id str)
+     :access-token-type (some-> token-type str)
+     :client-event-origin client-event-origin
+     :client-user-agent client-user-agent
+     :client-version client-version
+     :version (:full cf/version)}))
+
+(defn- append-audit-entry
+  [cfg params]
+  (let [params (-> params
+                   (assoc :id (uuid/next))
+                   (update :props db/tjson)
+                   (update :context db/tjson)
+                   (update :ip-addr db/inet))
+        params (select-keys params event-keys)]
+    (db/insert! cfg :audit-log params)))
+
+(def ^:private xf:filter-telemetry-props
+  "Transducer that keeps only map entries whose values are UUIDs,
+  booleans or numbers."
+  (filter (fn [[k v]]
+            (and (simple-keyword? k)
+                 (or (uuid? v) (boolean? v) (number? v))))))
+
+(declare filter-telemetry-props)
+(declare filter-telemetry-context)
+
+(defn- process-event
+  [cfg event]
+  (when (contains? cf/flags :audit-log-logger)
+    (l/log! ::l/logger "app.audit"
+            ::l/level :info
+            :profile-id (str (:profile-id event))
+            :ip-addr (str (:ip-addr event))
+            :type (:type event)
+            :name (:name event)
+            :props (json/encode (:props event) :key-fn json/write-camel-key)
+            :context (json/encode (:context event) :key-fn json/write-camel-key)))
+
+  (when (contains? cf/flags :audit-log)
+    (append-audit-entry cfg event))
+
+  (when (contains? cf/flags :telemetry)
+    ;; NOTE: when both audit-log and telemetry are enabled, events are stored
+    ;; twice: once with full details (above) and once stripped of props and
+    ;; ip-addr, tagged with source="telemetry" so the telemetry task can
+    ;; collect and ship them.  The profile-id is preserved (UUIDs are already
+    ;; anonymous random identifiers).  Only a safe subset of context fields
+    ;; is kept: initiator, version, client-version and client-user-agent.
+    ;; Timestamps are truncated to day precision to avoid leaking exact event
+    ;; timing.
+    (let [event (-> event
+                    (filter-telemetry-props)
+                    (filter-telemetry-context)
+                    (update :created-at ct/truncate :days)
+                    (update :tracked-at ct/truncate :days)
+                    (assoc :source "telemetry:backend")
+                    (assoc :ip-addr "0.0.0.0"))]
+      (append-audit-entry cfg event)))
+
+  (when (and (contains? cf/flags :webhooks)
+             (::webhooks/event? event))
+    (let [batch-key     (::webhooks/batch-key event)
+          batch-timeout (::webhooks/batch-timeout event)
+          label         (dm/str "rpc:" (:name event))
+          label         (cond
+                          (ifn? batch-key)    (dm/str label ":" (batch-key (::rpc/params event)))
+                          (string? batch-key) (dm/str label ":" batch-key)
+                          :else               label)
+          dedupe?       (boolean (and batch-key batch-timeout))]
+
+      (wrk/submit! (-> cfg
+                       (assoc ::wrk/task :process-webhook-event)
+                       (assoc ::wrk/queue :webhooks)
+                       (assoc ::wrk/max-retries 0)
+                       (assoc ::wrk/delay (or batch-timeout 0))
+                       (assoc ::wrk/dedupe dedupe?)
+                       (assoc ::wrk/label label)
+                       (assoc ::wrk/params (-> event
+                                               (d/without-qualified)
+                                               (dissoc :source)
+                                               (dissoc :context)
+                                               (dissoc :ip-addr)
+                                               (dissoc :type)))))))
+  event)
+
+(defn submit*
+  "A public API, lower-level than submit, assumes all required fields are filled"
+  [cfg event]
+  (try
+    (let [event (check-event event)]
+      (db/tx-run! cfg process-event event))
+    (catch Throwable cause
+      (l/error :hint "unexpected error processing event" :cause cause))))
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; PUBLIC API
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(defn filter-telemetry-props
+  [{:keys [source name props type] :as params}]
+  (cond
+    (or (and (= source "frontend")
+             (= type "identify"))
+        (and (= source "backend")
+             (filter-auth-events name)))
+
+    (let [props' (into {} xf:filter-telemetry-props props)
+          props' (-> props'
+                     (assoc :lang (:lang props))
+                     (assoc :auth-backend (:auth-backend props))
+                     (assoc :email-domain (email/get-domain (:email props)))
+                     (d/without-nils))]
+      (assoc params :props props'))
+
+    (and (= source "backend")
+         (= type "trigger")
+         (= name "instance-start"))
+    params
+
+    (and (= source "frontend")
+         (= type "action")
+         (= name "navigate"))
+    (assoc params :props (select-keys props [:route :file-id :team-id :page-id]))
+
+    :else
+    (let [props (into {} xf:filter-telemetry-props props)]
+      (assoc params :props props))))
+
+(defn filter-telemetry-context
+  [{:keys [source context] :as params}]
+  (let [context (case source
+                  "backend"  (select-keys context safe-backend-context-keys)
+                  "frontend" (select-keys context safe-frontend-context-keys)
+                  {})]
+    (assoc params :context context)))
+
+(defn prepare-rpc-event
   [cfg mdata params result]
   (let [resultm      (meta result)
         request      (-> params meta ::http/request)
@@ -154,23 +344,29 @@
                              (merge params (::props resultm)))
                          (clean-props))
 
-        context      (merge (::context resultm)
-                            (prepare-context-from-request request))
+        context      (-> (::context resultm)
+                         (merge (prepare-context-from-request request))
+                         (assoc :request-id (::rpc/request-id params))
+                         (d/without-nils))
+
         ip-addr      (inet/parse-request request)
         module       (get cfg ::rpc/module)]
 
-    {::type (or (::type resultm)
+    {:type (or (::type resultm)
                (::rpc/type cfg))
-     ::name (or (::name resultm)
+     :name (or (::name resultm)
                (let [sname (::sv/name mdata)]
                  (if (not= module "main")
                    (str module "-" sname)
                    sname)))
 
-     ::profile-id profile-id
-     ::ip-addr ip-addr
-     ::props props
-     ::context context
+     :profile-id profile-id
+     :ip-addr ip-addr
+     :props props
+     :context context
+
+     :created-at (::rpc/request-at params)
+     :tracked-at (::rpc/request-at params)
 
      ;; NOTE: for batch-key lookup we need the params as-is
      ;; because the rpc api does not need to know the
@@ -190,148 +386,49 @@
          (::webhooks/event? resultm)
          false)}))
 
-(defn- prepare-context-from-request
-  "Prepare backend event context from request"
-  [request]
-  (let [client-event-origin (get-client-event-origin request)
-        client-version      (get-client-version request)
-        client-user-agent   (get-client-user-agent request)
-        session-id          (get-external-session-id request)
-        key-id              (::http/auth-key-id request)
-        token-id            (::actoken/id request)
-        token-type          (::actoken/type request)]
-    (d/without-nils
-     {:external-session-id session-id
-      :initiator (or key-id "app")
-      :access-token-id (some-> token-id str)
-      :access-token-type (some-> token-type str)
-      :client-event-origin client-event-origin
-      :client-user-agent client-user-agent
-      :client-version client-version
-      :version (:full cf/version)})))
-
 (defn event-from-rpc-params
   "Create a base event skeleton with pre-filled some important
   data that can be extracted from RPC params object"
   [params]
   (let [context    (some-> params meta ::http/request prepare-context-from-request)
-        event   {::type "action"
-                 ::profile-id (or (::rpc/profile-id params) uuid/zero)
-                 ::ip-addr (::rpc/ip-addr params)}]
-    (cond-> event
-      (some? context)
-      (assoc ::context context))))
+        context    (assoc context :request-id (::rpc/request-id params))
+        request-at (::rpc/request-at params)]
+    {:type "action"
+     :profile-id (::rpc/profile-id params)
+     :created-at request-at
+     :tracked-at request-at
+     :ip-addr (::rpc/ip-addr params)
+     :context (d/without-nils context)}))
 
-(defn- event->params
-  [event]
-  (let [params {:id (uuid/next)
-                :name (::name event)
-                :type (::type event)
-                :profile-id (::profile-id event)
-                :ip-addr (::ip-addr event)
-                :context (::context event {})
-                :props (::props event {})
-                :source "backend"}
-        tnow   (::tracked-at event)]
-
-    (cond-> params
-      (some? tnow)
-      (assoc :tracked-at tnow))))
-
-(defn- append-audit-entry
-  [cfg params]
-  (let [params (-> params
-                   (update :props db/tjson)
-                   (update :context db/tjson)
-                   (update :ip-addr db/inet))]
-    (db/insert! cfg :audit-log params)))
-
-(defn- handle-event!
+(defn submit
+  "Submit an event to be registered under audit-log subsystem"
   [cfg event]
   (let [tnow  (ct/now)
-        params (-> (event->params event)
+        event (-> event
                   (assoc :created-at tnow)
-                   (update :tracked-at #(or % tnow)))]
+                  (update :profile-id d/nilv uuid/zero)
+                  (update :tracked-at d/nilv tnow)
+                  (update :ip-addr d/nilv "0.0.0.0")
+                  (update :props d/nilv {})
+                  (update :context d/nilv {})
+                  (assoc :source "backend")
+                  (d/without-nils))]
+    (submit* cfg event)))
 
-    (when (contains? cf/flags :audit-log-logger)
-      (l/log! ::l/logger "app.audit"
-              ::l/level :info
-              :profile-id (str (::profile-id event))
-              :ip-addr (str (::ip-addr event))
-              :type (::type event)
-              :name (::name event)
-              :props (json/encode (::props event) :key-fn json/write-camel-key)
-              :context (json/encode (::context event) :key-fn json/write-camel-key)))
-
-    (when (contains? cf/flags :audit-log)
-      ;; NOTE: this operation may cause primary key conflicts on inserts
-      ;; because of the timestamp precission (two concurrent requests), in
-      ;; this case we just retry the operation.
-      (append-audit-entry cfg params))
-
-    (when (and (or (contains? cf/flags :telemetry)
-                   (cf/get :telemetry-enabled))
-               (not (contains? cf/flags :audit-log)))
-      ;; NOTE: this operation may cause primary key conflicts on inserts
-      ;; because of the timestamp precission (two concurrent requests), in
-      ;; this case we just retry the operation.
-      ;;
-      ;; NOTE: this is only executed when general audit log is disabled
-      (let [params (-> params
-                       (assoc :props {})
-                       (assoc :context {}))]
-        (append-audit-entry cfg params)))
-
-    (when (and (contains? cf/flags :webhooks)
-               (::webhooks/event? event))
-      (let [batch-key     (::webhooks/batch-key event)
-            batch-timeout (::webhooks/batch-timeout event)
-            label         (dm/str "rpc:" (:name params))
-            label         (cond
-                            (ifn? batch-key)    (dm/str label ":" (batch-key (::rpc/params event)))
-                            (string? batch-key) (dm/str label ":" batch-key)
-                            :else               label)
-            dedupe?       (boolean (and batch-key batch-timeout))]
-
-        (wrk/submit! (-> cfg
-                         (assoc ::wrk/task :process-webhook-event)
-                         (assoc ::wrk/queue :webhooks)
-                         (assoc ::wrk/max-retries 0)
-                         (assoc ::wrk/delay (or batch-timeout 0))
-                         (assoc ::wrk/dedupe dedupe?)
-                         (assoc ::wrk/label label)
-                         (assoc ::wrk/params (-> params
-                                                 (dissoc :source)
-                                                 (dissoc :context)
-                                                 (dissoc :ip-addr)
-                                                 (dissoc :type)))))))
-    params))
-
-(defn submit!
-  "Submit audit event to the collector."
-  [cfg event]
-  (try
-    (let [event (-> (d/without-nils event)
-                    (check-event))
-          cfg   (-> cfg
-                    (assoc ::rtry/when rtry/conflict-exception?)
-                    (assoc ::rtry/max-retries 6)
-                    (assoc ::rtry/label "persist-audit-log"))]
-      (rtry/invoke! cfg db/tx-run! handle-event! event))
-    (catch Throwable cause
-      (l/error :hint "unexpected error processing event" :cause cause))))
-
-(defn insert!
+(defn insert
   "Submit audit event to the collector, intended to be used only from
   command line helpers because this skips all webhooks and telemetry
   logic."
   [cfg event]
   (when (contains? cf/flags :audit-log)
-    (let [event (-> (d/without-nils event)
-                    (check-event))]
-      (db/run! cfg (fn [cfg]
     (let [tnow  (ct/now)
-                           params (-> (event->params event)
+          event (-> event
                     (assoc :created-at tnow)
-                                      (update :tracked-at #(or % tnow)))]
-                       (append-audit-entry cfg params)))))))
+                    (update :tracked-at d/nilv tnow)
+                    (update :profile-id d/nilv uuid/zero)
+                    (update :props d/nilv {})
+                    (update :context d/nilv {})
+                    (assoc :source "backend")
+                    (select-keys event-keys)
+                    (check-event))]
+      (db/run! cfg append-audit-entry event))))

backend/src/app/loggers/audit/archive_task.clj

@@ -59,7 +59,7 @@
                  :method :post
                  :headers headers
                  :body body}
-        resp    (http/req! cfg params)]
+        resp    (http/req cfg params {:skip-ssrf-check? true})]
 
     (if (= (:status resp) 204)
       true

backend/src/app/loggers/database.clj

@@ -97,7 +97,7 @@
       (l/warn :hint "unexpected exception on database error logger" :cause cause))))
 
 (defn- audit-event->report
-  [{:keys [::audit/context ::audit/props ::audit/ip-addr] :as record}]
+  [{:keys [context props ip-addr] :as record}]
   (let [context
         (reduce-kv (fn [context k v]
                      (let [k' (keyword "frontend" (name k))]
@@ -117,14 +117,14 @@
 
     {:context (-> (into (sorted-map) context)
                   (pp/pprint-str :length 50))
-     :origin  (::audit/name record)
+     :origin  (:name record)
      :href    (get props :href)
      :hint    (get props :hint)
      :report  (get props :report)}))
 
 (defn- handle-audit-event
   "Convert the log record into a report object and persist it on the database"
-  [{:keys [::db/pool]} {:keys [::audit/id] :as event}]
+  [{:keys [::db/pool]} {:keys [id] :as event}]
   (try
     (let [uri    (cf/get :public-uri)
           report (-> event audit-event->report d/without-nils)]
@@ -189,12 +189,12 @@
                          (::l/id item)
                          (handle-log-record cfg item)
 
-                         (::audit/id item)
-                         (handle-audit-event cfg item)
-
                          (::rlimit/id item)
                          (handle-rlimit-event cfg item)
 
+                         (-> item meta ::audit/event)
+                         (handle-audit-event cfg item)
+
                          :else
                          (l/warn :hint "received unexpected item" :item item))
 
@@ -226,4 +226,3 @@
   [cfg event]
   (when-let [{:keys [::input]} (get cfg ::reporter)]
     (sp/put! input event)))
-

backend/src/app/loggers/mattermost.clj

@@ -52,7 +52,7 @@
                          trace
                          "```")))
 
-        resp (http/req! cfg
+        resp (http/req cfg
                        {:uri (cf/get :error-report-webhook)
                         :method :post
                         :headers {"content-type" "application/json"}
@@ -83,7 +83,7 @@
      :trace            (ex/format-throwable cause :detail? false :header? false)}))
 
 (defn- audit-event->report
-  [{:keys [::audit/context ::audit/props ::audit/id] :as event}]
+  [{:keys [context props id] :as event}]
   {:id               id
    :type             "exception"
    :origin           "audit-log"
@@ -92,7 +92,7 @@
    :host             (cf/get :host)
    :backend-version  (:full cf/version)
    :frontend-version (:version context)
-   :profile-id       (:audit/profile-id event)
+   :profile-id       (:profile-id event)
    :href             (get props :href)})
 
 (defn- rlimit-event->report
@@ -148,12 +148,12 @@
                              (::l/id item)
                              (handle-event cfg item log-record->report)
 
-                             (::audit/id item)
-                             (handle-event cfg item audit-event->report)
-
                              (::rlimit/id item)
                              (handle-event cfg item rlimit-event->report)
 
+                             (-> item meta ::audit/event)
+                             (handle-event cfg item audit-event->report)
+
                              :else
                              (l/warn :hint "received unexpected item" :item item)))
 

backend/src/app/loggers/webhooks.clj

@@ -70,14 +70,14 @@
   (fn [{:keys [props] :as task}]
 
     (let [items (lookup-webhooks cfg props)
-          event {::audit/profile-id (:profile-id props)
-                 ::audit/name "webhook"
-                 ::audit/type "trigger"
-                 ::audit/props {:name (get props :name)
+          event {:profile-id (:profile-id props)
+                 :name "webhook"
+                 :type "trigger"
+                 :props {:name (get props :name)
                          :event-id (get props :id)
                          :total-affected (count items)}}]
 
-      (audit/insert! cfg event)
+      (audit/insert cfg event)
 
       (when items
         (l/trc :hint "webhooks found for event" :total (count items))
@@ -159,7 +159,7 @@
                    :method :post
                    :body body}]
           (try
-            (let [rsp (http/req! cfg req {:response-type :input-stream :sync? true})
+            (let [rsp (http/req cfg req {:response-type :input-stream :sync? true})
                   err (interpret-response rsp)]
               (report-delivery! whook req rsp err)
               (update-webhook! whook err))
@@ -190,4 +190,11 @@
     "invalid-uri"
 
     (instance? java.net.http.HttpConnectTimeoutException cause)
-    "timeout"))
+    "timeout"
+
+    :else
+    (let [data (ex-data cause)]
+      (if (and (= :validation (:type data))
+               (= :ssrf-blocked-target (:code data)))
+        (str "blocked-request:" (:hint data))
+        nil))))

backend/src/app/main.clj

@@ -61,21 +61,15 @@
     ::mdef/help "A total number of bytes processed by update-file."
     ::mdef/type :counter}
 
-   :rpc-mutation-timing
-   {::mdef/name "penpot_rpc_mutation_timing"
-    ::mdef/help "RPC mutation method call timing."
+   :rpc-main-timing
+   {::mdef/name "penpot_rpc_main_timing"
+    ::mdef/help "RPC command method call timing for main"
     ::mdef/labels ["name"]
     ::mdef/type :histogram}
 
-   :rpc-command-timing
-   {::mdef/name "penpot_rpc_command_timing"
-    ::mdef/help "RPC command method call timing."
-    ::mdef/labels ["name"]
-    ::mdef/type :histogram}
-
-   :rpc-query-timing
-   {::mdef/name "penpot_rpc_query_timing"
-    ::mdef/help "RPC query method call timing."
+   :rpc-management-timing
+   {::mdef/name "penpot_rpc_management_timing"
+    ::mdef/help "RPC command method call timing for management."
     ::mdef/labels ["name"]
     ::mdef/type :histogram}
 
@@ -306,8 +300,11 @@
    :app.http.assets/routes
    {::http.assets/path              (cf/get :assets-path)
     ::http.assets/cache-max-age     (ct/duration {:hours 24})
-    ::http.assets/cache-max-agesignature-max-age (ct/duration {:hours 24 :minutes 5})
-    ::sto/storage  (ig/ref ::sto/storage)}
+    ::http.assets/signature-max-age (ct/duration {:hours 24 :minutes 15})
+    ::sto/storage                   (ig/ref ::sto/storage)
+    ::session/manager               (ig/ref ::session/manager)
+    ::setup/props                   (ig/ref ::setup/props)
+    ::db/pool                       (ig/ref ::db/pool)}
 
    ::rpc/climit
    {::mtx/metrics        (ig/ref ::mtx/metrics)
@@ -658,9 +655,8 @@
   [& _args]
   (try
     (let [p (promise)]
-      (when (contains? cf/flags :nrepl-server)
       (l/inf :hint "start nrepl server" :port 6064)
-        (nrepl/start-server :bind "0.0.0.0" :port 6064))
+      (nrepl/start-server :bind "0.0.0.0" :port 6064)
 
       (start)
       (deref p))

backend/src/app/media.clj

@@ -18,6 +18,7 @@
    [app.config :as cf]
    [app.db :as-alias db]
    [app.http.client :as http]
+   [app.media.sanitize :as sanitize]
    [app.storage :as-alias sto]
    [app.storage.tmp :as tmp]
    [buddy.core.bytes :as bb]
@@ -31,15 +32,12 @@
   (:import
    clojure.lang.XMLHandler
    java.io.InputStream
-   javax.xml.XMLConstants
    javax.xml.parsers.SAXParserFactory
+   javax.xml.XMLConstants
    org.apache.commons.io.IOUtils
    org.im4java.core.ConvertCmd
    org.im4java.core.IMOperation))
 
-(def default-max-file-size
-  (* 1024 1024 10)) ; 10 MiB
-
 (def schema:upload
   [:map {:title "Upload"}
    [:filename :string]
@@ -78,6 +76,20 @@
                                 max-size)))
     upload))
 
+(defn validate-font-size!
+  "Validates that the font file `upload` does not exceed the configured
+  `:font-max-file-size` limit.  Accepts the same map shape as
+  `validate-media-size!` — requires a `:size` key in bytes."
+  [upload]
+  (let [max-size (cf/get :font-max-file-size)]
+    (when (> (:size upload) max-size)
+      (ex/raise :type :restriction
+                :code :font-max-file-size-reached
+                :hint (str/ffmt "the uploaded font size % is greater than the maximum %"
+                                (:size upload)
+                                max-size)))
+    upload))
+
 (defmulti process :cmd)
 (defmulti process-error class)
 
@@ -295,9 +307,7 @@
   [{:keys [::http/client]} uri]
   (letfn [(parse-and-validate [{:keys [status headers] :as response}]
             (let [size     (some-> (get headers "content-length") d/parse-integer)
-                  mtype    (get headers "content-type")
-                  format   (cm/mtype->format mtype)
-                  max-size (cf/get :media-max-file-size default-max-file-size)]
+                  mtype    (get headers "content-type")]
 
               (when-not (<= 200 status 299)
                 (ex/raise :type :validation
@@ -309,25 +319,17 @@
                           :code :unknown-size
                           :hint "seems like the url points to resource with unknown size"))
 
-              (when (> size max-size)
-                (ex/raise :type :validation
-                          :code :file-too-large
-                          :hint (str/ffmt "the file size % is greater than the maximum %"
-                                          size
-                                          default-max-file-size)))
-
-              (when (nil? format)
-                (ex/raise :type :validation
-                          :code :media-type-not-allowed
-                          :hint "seems like the url points to an invalid media object"))
-
-              {:size size :mtype mtype :format format}))]
+              (-> {:size size :mtype mtype}
+                  (validate-media-type!)
+                  (validate-media-size!))))]
 
     (let [{:keys [body] :as response}
           (try
-            (http/req! client
+            (http/req-with-redirects
+             client
              {:method :get :uri uri}
-                       {:response-type :input-stream})
+             {:response-type :input-stream
+              :max-redirects 3})
             (catch java.net.ConnectException cause
               (ex/raise :type :validation
                         :code :unable-to-download-image
@@ -358,9 +360,11 @@
                   :code :mismatch-write-size
                   :hint "unexpected state: unable to write to file"))
 
-      {;; :size size
-       :path path
-       :mtype mtype})))
+      ;; Sanitize: strip trailing data after image EOF markers
+      (let [new-size (sanitize/truncate-after-eof path mtype)]
+        {:path  path
+         :mtype mtype
+         :size  new-size}))))
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; FONTS

backend/src/app/media/sanitize.clj

@@ -0,0 +1,191 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) KALEIDOS INC
+
+(ns app.media.sanitize
+  "Image EOF truncation helpers — strips trailing data after image EOF
+   markers to prevent exfiltration of non-image bytes appended to
+   valid image files."
+  (:require
+   [app.common.buffer :as buf]
+   [app.common.exceptions :as ex]
+   [app.common.logging :as l]
+   [app.util.nio :as nio])
+  (:import
+   java.nio.ByteOrder
+   java.nio.channels.FileChannel))
+
+(set! *warn-on-reflection* true)
+
+(defn- scan-backwards
+  "Scan byte array `arr` backwards (from the end) for the byte pattern
+   `marker`. Returns the index in `arr` where the marker starts, or -1
+   if not found."
+  [^bytes arr ^bytes marker]
+  (let [arr-len    (alength arr)
+        marker-len (alength marker)]
+    (loop [i (- arr-len marker-len)]
+      (if (< i 0)
+        -1
+        (if (loop [j 0]
+              (if (>= j marker-len)
+                true
+                (if (= (aget arr (+ i j)) (aget marker j))
+                  (recur (inc j))
+                  false)))
+          i
+          (recur (dec i)))))))
+
+(defn- find-last-png-iend
+  "Find the byte offset of the end of the PNG IEND chunk (12 bytes:
+   4-byte length + 4-byte 'IEND' + 4-byte CRC32). Returns the offset
+   AFTER the CRC32, or nil if not found."
+  [^FileChannel channel]
+  (let [size (nio/channel-size channel)]
+    (when (> size 8)
+      (let [buf-size (min (int size) (* 1024 1024))
+            marker   (byte-array [0x49 0x45 0x4E 0x44])] ;; "IEND"
+        (loop [pos (max 0 (- size buf-size))]
+          (when (< pos size)
+            (let [arr (nio/read-at channel pos buf-size)
+                  idx (scan-backwards arr marker)]
+              (if (neg? idx)
+                ;; Not found in this chunk, try earlier
+                (let [next-pos (max 0 (- pos (- buf-size 4)))]
+                  (when (< next-pos pos)
+                    (recur next-pos)))
+                ;; Found "IEND" at idx. Chunk starts 4 bytes before.
+                (let [chunk-start (- (+ pos idx) 4)]
+                  (when (>= chunk-start 0)
+                    ;; PNG chunk length is big-endian (network byte order).
+                    ;; buf/wrap defaults to little-endian, so set it to big-endian.
+                    (let [len-arr (nio/read-at channel chunk-start 4)
+                          len-buf (buf/set-order (buf/wrap len-arr) ByteOrder/BIG_ENDIAN)
+                          chunk-len (buf/read-int len-buf 0)]
+                      (when (zero? chunk-len)
+                        (+ chunk-start 12)))))))))))))
+
+(defn- find-last-jpeg-eoi
+  "Find the byte offset of the last JPEG EOI marker (0xFF 0xD9).
+   Returns the offset AFTER the marker, or nil if not found."
+  [^FileChannel channel]
+  (let [size (nio/channel-size channel)]
+    (when (> size 2)
+      (let [buf-size (min (int size) (* 1024 1024))
+            marker   (byte-array [(unchecked-byte 0xFF) (unchecked-byte 0xD9)])]
+        (loop [pos (max 0 (- size buf-size))]
+          (when (< pos size)
+            (let [arr (nio/read-at channel pos buf-size)
+                  idx (scan-backwards arr marker)]
+              (if (neg? idx)
+                (let [next-pos (max 0 (- pos (- buf-size 2)))]
+                  (when (< next-pos pos)
+                    (recur next-pos)))
+                (+ pos idx 2)))))))))
+
+(defn- find-last-gif-trailer
+  "Find the byte offset immediately after the last GIF trailer byte (0x3B).
+   Scans backwards through the file so that appended data after the real
+   trailer is truncated even when it ends with 0x3B.
+   Returns the offset AFTER the trailer byte, or nil if 0x3B is not found."
+  [^FileChannel channel]
+  (let [size (nio/channel-size channel)]
+    (when (pos? size)
+      (let [buf-size (min (int size) (* 1024 1024))
+            marker   (byte-array [(unchecked-byte 0x3B)])]
+        (loop [pos (max 0 (- size buf-size))]
+          (when (< pos size)
+            (let [arr (nio/read-at channel pos buf-size)
+                  idx (scan-backwards arr marker)]
+              (if (neg? idx)
+                (let [next-pos (max 0 (- pos (- buf-size 1)))]
+                  (when (< next-pos pos)
+                    (recur next-pos)))
+                (+ pos idx 1)))))))))
+
+(defn- find-webp-end
+  "Parse the WebP RIFF header to find the declared file size.
+   WebP format: 'RIFF' (4 bytes) + uint32 total-size (4 bytes, little-endian)
+   + 'WEBP' (4 bytes). The total size is the offset of the end of the file.
+   Returns nil if the RIFF or WEBP magic bytes are missing."
+  [^FileChannel channel]
+  (let [size (nio/channel-size channel)]
+    (when (>= size 12)
+      (let [^bytes arr (nio/read-at channel 0 12)
+            buf  (buf/wrap arr)]
+        ;; Check RIFF magic (bytes 0-3) AND WEBP FourCC (bytes 8-11)
+        (when (and (= (aget arr 0) (byte 0x52))   ;; 'R'
+                   (= (aget arr 1) (byte 0x49))   ;; 'I'
+                   (= (aget arr 2) (byte 0x46))   ;; 'F'
+                   (= (aget arr 3) (byte 0x46))   ;; 'F'
+                   (= (aget arr 8)  (byte 0x57))  ;; 'W'
+                   (= (aget arr 9)  (byte 0x45))  ;; 'E'
+                   (= (aget arr 10) (byte 0x42))  ;; 'B'
+                   (= (aget arr 11) (byte 0x50))) ;; 'P'
+          (let [riff-size (bit-and (buf/read-int buf 4) 0xFFFFFFFF)]
+            ;; RIFF size field is the size of the file minus 8 bytes
+            (+ riff-size 8)))))))
+
+(defn truncate-after-eof
+  "Given a `java.nio.file.Path` to a freshly-downloaded media file and a
+   declared MIME type, truncate the file in place to the position of the
+   format's EOF marker:
+     - image/png  → end of the IEND chunk (12 bytes: 4-byte length + 4-byte type + 4-byte CRC32)
+     - image/jpeg → 2 bytes after FFD9
+     - image/gif  → immediately after the last GIF trailer byte 0x3B
+     - image/webp → end of RIFF chunk declared in bytes 4..8
+     - image/svg+xml → no-op (text format; processed by SAX parser)
+     - other → no-op (return path unchanged)
+   Returns the new file size. Raises `:validation/:invalid-image` if no
+   EOF marker is found within the file."
+  [^java.nio.file.Path path ^String mtype]
+  (try
+    (with-open [channel (nio/open-channel path)]
+      (let [size (nio/channel-size channel)]
+        (if (zero? size)
+          0
+          (let [needs-eof-marker? (or (= mtype "image/png")
+                                      (= mtype "image/jpeg")
+                                      (= mtype "image/gif")
+                                      (= mtype "image/webp"))
+
+                eof-offset
+                (cond
+                  (= mtype "image/png")  (find-last-png-iend channel)
+                  (= mtype "image/jpeg") (find-last-jpeg-eoi channel)
+                  (= mtype "image/gif")  (find-last-gif-trailer channel)
+                  (= mtype "image/webp") (find-webp-end channel)
+                  :else                  nil)]
+
+            (cond
+              ;; No EOF marker applicable (SVG or other) — no-op
+              (nil? eof-offset)
+              (if needs-eof-marker?
+                (ex/raise :type :validation
+                          :code :invalid-image
+                          :hint "image format EOF marker not found")
+                size)
+
+              ;; Truncate if needed
+              (< eof-offset size)
+              (do
+                (l/dbg :hint "truncating trailing data"
+                       :path (str path)
+                       :mtype mtype
+                       :original-size size
+                       :truncated-to eof-offset)
+                (nio/truncate channel eof-offset)
+                eof-offset)
+
+              ;; Already at correct size or marker at end
+              :else
+              eof-offset)))))
+    (catch Exception e
+      (if (ex/exception? e)
+        (throw e)
+        (ex/raise :type :validation
+                  :code :invalid-image
+                  :hint "failed to sanitize image"
+                  :cause e)))))

backend/src/app/metrics.clj

@@ -15,16 +15,16 @@
    io.prometheus.client.CollectorRegistry
    io.prometheus.client.Counter
    io.prometheus.client.Counter$Child
+   io.prometheus.client.exporter.common.TextFormat
    io.prometheus.client.Gauge
    io.prometheus.client.Gauge$Child
    io.prometheus.client.Histogram
    io.prometheus.client.Histogram$Child
+   io.prometheus.client.hotspot.DefaultExports
    io.prometheus.client.SimpleCollector
    io.prometheus.client.Summary
    io.prometheus.client.Summary$Builder
    io.prometheus.client.Summary$Child
-   io.prometheus.client.exporter.common.TextFormat
-   io.prometheus.client.hotspot.DefaultExports
    java.io.StringWriter))
 
 (set! *warn-on-reflection* true)

backend/src/app/migrations.clj

@@ -468,11 +468,23 @@
    {:name "0145-mod-audit-log-table"
     :fn (mg/resource "app/migrations/sql/0145-mod-audit-log-table.sql")}
 
+   {:name "0146-mod-audit-log-table"
+    :fn (mg/resource "app/migrations/sql/0146-mod-audit-log-table.sql")}
+
    {:name "0146-mod-access-token-table"
     :fn (mg/resource "app/migrations/sql/0146-mod-access-token-table.sql")}
 
+   {:name "0147-mod-team-invitation-table"
+    :fn (mg/resource "app/migrations/sql/0147-mod-team-invitation-table.sql")}
+
    {:name "0147-add-upload-session-table"
-    :fn (mg/resource "app/migrations/sql/0147-add-upload-session-table.sql")}])
+    :fn (mg/resource "app/migrations/sql/0147-add-upload-session-table.sql")}
+
+   {:name "0148-add-variant-name-team-font-variant"
+    :fn (mg/resource "app/migrations/sql/0148-add-variant-name-team-font-variant.sql")}
+
+   {:name "0149-mod-file-library-rel-synced-at"
+    :fn (mg/resource "app/migrations/sql/0149-mod-file-library-rel-synced-at.sql")}])
 
 (defn apply-migrations!
   [pool name migrations]

backend/src/app/migrations/sql/0145-add-audit-log-telemetry-index.sql

@@ -0,0 +1,5 @@
+-- Add index on audit_log (source, created_at) to support efficient
+-- queries for the telemetry batch collection mode.
+
+CREATE INDEX IF NOT EXISTS audit_log__source__created_at__idx
+    ON audit_log (source, created_at ASC);

backend/src/app/migrations/sql/0146-mod-audit-log-table.sql

@@ -0,0 +1,5 @@
+-- Add index on audit_log (source, created_at) to support efficient
+-- queries for the telemetry batch collection mode.
+
+CREATE INDEX IF NOT EXISTS audit_log__source__created_at__idx
+    ON audit_log (source, created_at ASC);

backend/src/app/migrations/sql/0147-mod-team-invitation-table.sql

@@ -0,0 +1,13 @@
+ALTER TABLE team_invitation
+ ADD COLUMN org_id uuid NULL;
+
+ALTER TABLE team_invitation
+ ALTER COLUMN team_id DROP NOT NULL;
+
+ALTER TABLE team_invitation
+ ADD CONSTRAINT team_invitation_team_or_org_not_null
+ CHECK (team_id IS NOT NULL OR org_id IS NOT NULL);
+
+CREATE UNIQUE INDEX team_invitation_org_unique
+    ON team_invitation (org_id, email_to)
+    WHERE team_id IS NULL;

backend/src/app/migrations/sql/0148-add-variant-name-team-font-variant.sql

@@ -0,0 +1,2 @@
+ALTER TABLE team_font_variant
+  ADD COLUMN variant_name text NULL;

backend/src/app/migrations/sql/0149-mod-file-library-rel-synced-at.sql

@@ -0,0 +1,19 @@
+CREATE TABLE file_library_sync (
+  file_id uuid NOT NULL,
+  library_file_id uuid NOT NULL,
+  synced_at timestamptz NOT NULL DEFAULT clock_timestamp(),
+
+  PRIMARY KEY (file_id, library_file_id)
+);
+
+INSERT INTO file_library_sync (file_id, library_file_id, synced_at)
+SELECT file_id, library_file_id, synced_at
+  FROM file_library_rel;
+
+-- DEPRECATED: the `synced_at` column on `file_library_rel` is deprecated
+-- and will be removed in a future migration. It's kept temporarily
+-- for backward compatibility while data is migrated to `file_library_sync`.
+COMMENT ON COLUMN file_library_rel.synced_at IS
+  'DEPRECATED: will be removed in a future migration; kept temporarily for backward compatibility';
+
+

backend/src/app/nitrate.clj

@@ -1,15 +1,24 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) KALEIDOS INC
+
 (ns app.nitrate
   "Module that make calls to the external nitrate aplication"
   (:require
+   [app.common.data.macros :as dm]
+   [app.common.exceptions :as ex]
+   [app.common.json :as json]
    [app.common.logging :as l]
    [app.common.schema :as sm]
    [app.common.schema.generators :as sg]
    [app.common.time :as ct]
+   [app.common.types.organization :as cto]
    [app.config :as cf]
    [app.http.client :as http]
    [app.rpc :as-alias rpc]
    [app.setup :as-alias setup]
-   [app.util.json :as json]
    [clojure.core :as c]
    [integrant.core :as ig]))
 
@@ -18,16 +27,16 @@
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
 (defn- request-builder
-  [cfg method uri shared-key profile-id]
+  [cfg method uri shared-key profile-id request-params]
   (fn []
-    (http/req! cfg {:method method
+    (http/req cfg (cond-> {:method method
                            :headers {"content-type" "application/json"
                                      "accept" "application/json"
                                      "x-shared-key" shared-key
                                      "x-profile-id" (str profile-id)}
                            :uri uri
-                    :version :http1.1})))
-
+                           :version :http1.1}
+                    (= method :post) (assoc :body (json/encode request-params :key-fn json/write-camel-key))))))
 
 (defn- with-retries
   [handler max-retries]
@@ -47,24 +56,49 @@
           result)))))
 
 
-(defn- with-validate [handler uri schema]
+(defn- with-validate [handler uri schema & {:keys [throw-on-error?]}]
   (fn []
+    (let [response (handler)
+          status (:status response)]
+      (when-not status
+        (l/error :hint "could't do the nitrate request, it is probably down"
+                 :uri uri)
+        ;; TODO decide what to do when Nitrate is inaccesible
+        nil)
+      (cond
+        (>= status 400)
+        ;; For error status codes (4xx, 5xx), fail immediately without validation
+        (do
+          (when (not= status 404) ;; Don't need to log 404
+            (l/error :hint "nitrate request failed with error status"
+                     :uri uri
+                     :status status
+                     :body (:body response)))
+          (if throw-on-error?
+            (ex/raise :type :nitrate-http-error
+                      :status status
+                      :hint (str "nitrate HTTP " status " at " uri))
+            nil))
+        (= status 204) ;; 204 doesn't return any body
+        nil
+        :else ;; For success status codes, validate the response
         (let [coercer-http (sm/coercer schema
                                        :type :validation
-                                   :hint (str "invalid data received calling " uri))]
+                                       :hint (str "invalid data received calling " uri))
+              data (-> response :body (json/decode :key-fn json/read-kebab-key))]
           (try
-        (coercer-http (-> (handler) :body json/decode))
+            (coercer-http data)
             (catch Exception e
               ;; TODO Error handling
               (l/error :hint "error validating json response" :cause e)
-          nil)))))
+              nil)))))))
 
 (defn- request-to-nitrate
-  [cfg method uri schema {:keys [::rpc/profile-id] :as params}]
+  [cfg method uri schema {:keys [::rpc/profile-id request-params throw-on-error?] :as params}]
   (let [shared-key     (-> cfg ::setup/shared-keys :nitrate)
-        full-http-call (-> (request-builder cfg method uri shared-key profile-id)
+        full-http-call (-> (request-builder cfg method uri shared-key profile-id request-params)
                            (with-retries 3)
-                           (with-validate uri schema))]
+                           (with-validate uri schema :throw-on-error? throw-on-error?))]
     (full-http-call)))
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -80,11 +114,23 @@
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
-(def ^:private schema:organization
+(def ^:private schema:org-summary
   [:map
    [:id ::sm/uuid]
    [:name ::sm/text]
-   [:slug ::sm/text]])
+   [:owner-id ::sm/uuid]
+   [:teams
+    [:vector
+     [:map
+      [:id ::sm/uuid]
+      [:is-your-penpot :boolean]]]]])
+
+(def ^:private schema:profile-org
+  [:map
+   [:is-member :boolean]
+   [:organization-id {:optional true} [:maybe ::sm/uuid]]
+   [:default-team-id {:optional true} [:maybe ::sm/uuid]]])
+
 
 ;; TODO Unify with schemas on backend/src/app/http/management.clj
 (def ^:private schema:timestamp
@@ -126,6 +172,7 @@
                      "day"
                      "week"
                      "year"]]
+   [:manual :boolean]
    [:quantity :int]
    [:description [:maybe ::sm/text]]
    [:created-at schema:timestamp]
@@ -158,20 +205,201 @@
   [:map
    [:licenses ::sm/boolean]])
 
-(defn- get-team-org
+(defn- get-team-org-api
   [cfg {:keys [team-id] :as params}]
   (let [baseuri (cf/get :nitrate-backend-uri)]
-    (request-to-nitrate cfg :get (str baseuri "/api/teams/" (str team-id)) schema:organization params)))
+    (request-to-nitrate cfg :get
+                        (str baseuri
+                             "/api/teams/"
+                             team-id)
+                        cto/schema:team-with-organization params)))
 
-(defn- get-subscription
+(defn- get-org-membership-api
+  [cfg {:keys [profile-id organization-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)]
+    (request-to-nitrate cfg :get
+                        (str baseuri
+                             "/api/organizations/"
+                             organization-id
+                             "/members/"
+                             profile-id)
+                        schema:profile-org params)))
+
+(defn- get-org-membership-by-team-api
+  [cfg {:keys [profile-id team-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)]
+    (request-to-nitrate cfg :get
+                        (str baseuri
+                             "/api/teams/"
+                             team-id
+                             "/users/"
+                             profile-id)
+                        schema:profile-org params)))
+
+
+(defn- get-org-summary-api
+  [cfg {:keys [organization-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)]
+    (request-to-nitrate cfg :get
+                        (str baseuri
+                             "/api/organizations/"
+                             organization-id
+                             "/summary")
+                        schema:org-summary params)))
+
+(defn- get-owned-orgs-api
   [cfg {:keys [profile-id] :as params}]
   (let [baseuri (cf/get :nitrate-backend-uri)]
-    (request-to-nitrate cfg :get (str baseuri "/api/subscriptions/" (str profile-id)) schema:subscription params)))
+    (request-to-nitrate cfg :get
+                        (str baseuri
+                             "/api/users/"
+                             profile-id
+                             "/owned-organizations")
+                        [:vector schema:org-summary]
+                        params)))
 
-(defn- get-connectivity
+(def ^:private schema:org-summary-counts
+  [:map
+   [:id ::sm/uuid]
+   [:name ::sm/text]
+   [:slug ::sm/text]
+   [:team-count ::sm/int]
+   [:member-count ::sm/int]])
+
+(defn- get-owned-orgs-summary-api
+  [cfg {:keys [profile-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)]
+    (request-to-nitrate cfg :get
+                        (str baseuri
+                             "/api/users/"
+                             profile-id
+                             "/owned-organizations-summary")
+                        [:vector schema:org-summary-counts]
+                        params)))
+
+(defn- delete-owned-orgs-api
+  [cfg {:keys [profile-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)]
+    (request-to-nitrate cfg :post
+                        (str baseuri
+                             "/api/users/"
+                             profile-id
+                             "/delete-owned-organizations")
+                        nil params)))
+
+(defn- set-team-org-api
+  [cfg {:keys [organization-id team-id is-default] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)
+        params (assoc params :request-params {:team-id team-id
+                                              :is-your-penpot (true? is-default)})
+        team (request-to-nitrate cfg :post
+                                 (str baseuri
+                                      "/api/organizations/"
+                                      organization-id
+                                      "/add-team")
+                                 cto/schema:team-with-organization params)
+        custom-photo (when-let [logo-id (dm/get-in team [:organization :logo-id])]
+                       (str (cf/get :public-uri) "/assets/by-id/" logo-id))]
+    (cond-> team
+      custom-photo
+      (assoc-in [:organization :custom-photo] custom-photo))))
+
+(defn- add-profile-to-org-api
+  [cfg {:keys [profile-id organization-id team-id email] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)
+        request-params (cond-> {:user-id profile-id :team-id team-id}
+                         (some? email) (assoc :email email))
+        params (assoc params :request-params request-params)]
+    (request-to-nitrate cfg :post
+                        (str baseuri
+                             "/api/organizations/"
+                             organization-id
+                             "/add-user")
+                        schema:profile-org params)))
+
+(defn- remove-profile-from-org-api
+  [cfg {:keys [profile-id organization-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)
+        params (assoc params :request-params {:user-id profile-id})]
+    (request-to-nitrate cfg :post
+                        (str baseuri
+                             "/api/organizations/"
+                             organization-id
+                             "/remove-user")
+                        nil params)))
+
+(defn- remove-profile-from-all-orgs-api
+  [cfg {:keys [profile-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)]
+    (request-to-nitrate cfg :post
+                        (str baseuri
+                             "/api/users/"
+                             profile-id
+                             "/remove-organizations")
+                        nil params)))
+
+(defn- remove-team-from-org-api
+  [cfg {:keys [team-id organization-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)
+        params (assoc params :request-params {:team-id team-id})]
+    (request-to-nitrate cfg :post
+                        (str baseuri
+                             "/api/organizations/"
+                             organization-id
+                             "/remove-team")
+                        nil params)))
+
+(defn- delete-team-api
+  [cfg {:keys [team-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)]
+    (request-to-nitrate cfg :delete
+                        (str baseuri
+                             "/api/teams/"
+                             team-id)
+                        nil params)))
+
+(defn- get-subscription-api
+  [cfg {:keys [profile-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)]
+    (request-to-nitrate cfg :get
+                        (str baseuri
+                             "/api/subscriptions/"
+                             profile-id)
+                        schema:subscription params)))
+
+(defn- get-connectivity-api
   [cfg params]
   (let [baseuri (cf/get :nitrate-backend-uri)]
-    (request-to-nitrate cfg :get (str baseuri "/api/connectivity") schema:connectivity params)))
+    (request-to-nitrate cfg :get
+                        (str baseuri
+                             "/api/connectivity")
+                        schema:connectivity params)))
+
+(def ^:private schema:redeem-result
+  [:map
+   [:cancel-at [:maybe schema:timestamp]]])
+
+(defn- get-org-permissions-api
+  [cfg {:keys [organization-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)]
+    (request-to-nitrate cfg :get
+                        (str baseuri
+                             "/api/organizations/"
+                             organization-id
+                             "/permissions")
+                        [:map
+                         [:organization-id ::sm/uuid]
+                         [:owner-id ::sm/uuid]
+                         [:permissions [:map-of :keyword :string]]]
+                        params)))
+
+(defn- redeem-activation-code-api
+  [cfg params]
+  (let [baseuri (cf/get :nitrate-backend-uri)]
+    (request-to-nitrate cfg :post
+                        (str baseuri "/api/activation-codes/redeem")
+                        schema:redeem-result
+                        (assoc params :throw-on-error? true))))
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; INITIALIZATION
@@ -180,9 +408,23 @@
 (defmethod ig/init-key ::client
   [_ cfg]
   (when (contains? cf/flags :nitrate)
-    {:get-team-org     (partial get-team-org cfg)
-     :get-subscription (partial get-subscription cfg)
-     :connectivity     (partial get-connectivity cfg)}))
+    {:get-team-org                 (partial get-team-org-api cfg)
+     :set-team-org                 (partial set-team-org-api cfg)
+     :get-org-membership           (partial get-org-membership-api cfg)
+     :get-org-membership-by-team   (partial get-org-membership-by-team-api cfg)
+     :get-org-summary              (partial get-org-summary-api cfg)
+     :get-owned-orgs               (partial get-owned-orgs-api cfg)
+     :get-owned-orgs-summary       (partial get-owned-orgs-summary-api cfg)
+     :delete-owned-orgs            (partial delete-owned-orgs-api cfg)
+     :add-profile-to-org           (partial add-profile-to-org-api cfg)
+     :remove-profile-from-org      (partial remove-profile-from-org-api cfg)
+     :remove-profile-from-all-orgs (partial remove-profile-from-all-orgs-api cfg)
+     :get-org-permissions          (partial get-org-permissions-api cfg)
+     :delete-team                  (partial delete-team-api cfg)
+     :remove-team-from-org         (partial remove-team-from-org-api cfg)
+     :get-subscription             (partial get-subscription-api cfg)
+     :connectivity                 (partial get-connectivity-api cfg)
+     :redeem-activation-code       (partial redeem-activation-code-api cfg)}))
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; UTILS
@@ -205,18 +447,18 @@
 
 (defn add-org-info-to-team
   "Enriches a team map with organization information from Nitrate.
-  Adds organization-id, organization-name, organization-slug, and your-penpot fields.
+  Adds organization-id, organization-name, organization-slug, organization-owner-id, and your-penpot fields.
   Returns the original team unchanged if the request fails or org data is nil."
   [cfg team params]
   (try
     (let [params        (assoc (or params {}) :team-id (:id team))
-          org (call cfg :get-team-org params)]
+          team-with-org (call cfg :get-team-org params)
+          org           (:organization team-with-org)]
       (if (some? org)
-        (assoc team
-               :organization-id (:id org)
-               :organization-name (:name org)
-               :organization-slug (:slug org)
-               :is-default (or (:is-default team) (true? (:isYourPenpot org))))
+        (-> (cto/apply-organization team (assoc org :custom-photo
+                                                (when-let [logo-id (:logo-id org)]
+                                                  (str (cf/get :public-uri) "/assets/by-id/" logo-id))))
+            (assoc :is-default (or (:is-default team) (true? (:is-your-penpot team-with-org)))))
         team))
     (catch Throwable cause
       (l/error :hint "failed to get team organization info"
@@ -224,6 +466,23 @@
                :cause cause)
       team)))
 
-(defn connectivity
-  [cfg]
-  (call cfg :connectivity {}))
+(defn set-team-organization
+  "Associates a team with an organization in Nitrate.
+  Requires organization-id and is-default in params.
+  Throws an exception if the request fails."
+  [cfg team params]
+  (let [params (assoc (or params {})
+                      :team-id (:id team)
+                      :organization-id (:organization-id params)
+                      :is-default (:is-default params))
+        result (call cfg :set-team-org params)]
+    (when (nil? result)
+      (ex/raise :type :internal
+                :code :failed-to-set-team-org
+                :context {:team-id (:id team)
+                          :organization-id (:organization-id params)}))
+    team))
+
+
+
+

backend/src/app/redis.clj

@@ -24,28 +24,28 @@
    [integrant.core :as ig])
   (:import
    clojure.lang.MapEntry
-   io.lettuce.core.KeyValue
-   io.lettuce.core.RedisClient
-   io.lettuce.core.RedisCommandInterruptedException
-   io.lettuce.core.RedisCommandTimeoutException
-   io.lettuce.core.RedisException
-   io.lettuce.core.RedisURI
-   io.lettuce.core.ScriptOutputType
-   io.lettuce.core.SetArgs
    io.lettuce.core.api.StatefulRedisConnection
    io.lettuce.core.api.sync.RedisCommands
    io.lettuce.core.api.sync.RedisScriptingCommands
    io.lettuce.core.codec.RedisCodec
    io.lettuce.core.codec.StringCodec
+   io.lettuce.core.KeyValue
+   io.lettuce.core.pubsub.api.sync.RedisPubSubCommands
    io.lettuce.core.pubsub.RedisPubSubListener
    io.lettuce.core.pubsub.StatefulRedisPubSubConnection
-   io.lettuce.core.pubsub.api.sync.RedisPubSubCommands
+   io.lettuce.core.RedisClient
+   io.lettuce.core.RedisCommandInterruptedException
+   io.lettuce.core.RedisCommandTimeoutException
+   io.lettuce.core.RedisException
+   io.lettuce.core.RedisURI
    io.lettuce.core.resource.ClientResources
    io.lettuce.core.resource.DefaultClientResources
+   io.lettuce.core.ScriptOutputType
+   io.lettuce.core.SetArgs
    io.netty.channel.nio.NioEventLoopGroup
+   io.netty.util.concurrent.EventExecutorGroup
    io.netty.util.HashedWheelTimer
    io.netty.util.Timer
-   io.netty.util.concurrent.EventExecutorGroup
    java.lang.AutoCloseable
    java.time.Duration))
 

backend/src/app/rpc.clj

@@ -109,6 +109,7 @@
                              (assoc ::handler-name handler-name)
                              (assoc ::ip-addr ip-addr)
                              (assoc ::request-at (ct/now))
+                             (assoc ::request-id (uuid/next))
                              (assoc ::session-id (some-> session-id uuid/parse*))
                              (assoc ::cond/key etag)
                              (cond-> (uuid? profile-id)
@@ -165,12 +166,13 @@
 (defn- wrap-audit
   [_ f mdata]
   (if (or (contains? cf/flags :webhooks)
-          (contains? cf/flags :audit-log))
+          (contains? cf/flags :audit-log)
+          (contains? cf/flags :telemetry))
     (if-not (::audit/skip mdata)
       (fn [cfg params]
         (let [result (f cfg params)]
-          (->> (audit/prepare-event cfg mdata params result)
-               (audit/submit! cfg))
+          (->> (audit/prepare-rpc-event cfg mdata params result)
+               (audit/submit cfg))
           result))
       f)
     f))

backend/src/app/rpc/commands/audit.clj

@@ -15,7 +15,7 @@
    [app.config :as cf]
    [app.db :as db]
    [app.http :as-alias http]
-   [app.loggers.audit :as-alias audit]
+   [app.loggers.audit :as audit]
    [app.loggers.database :as loggers.db]
    [app.loggers.mattermost :as loggers.mm]
    [app.rpc :as-alias rpc]
@@ -23,7 +23,8 @@
    [app.rpc.doc :as-alias doc]
    [app.rpc.helpers :as rph]
    [app.util.inet :as inet]
-   [app.util.services :as sv]))
+   [app.util.services :as sv]
+   [clojure.set :as set]))
 
 (def ^:private event-columns
   [:id
@@ -38,31 +39,31 @@
    :context])
 
 (defn- event->row [event]
-  [(::audit/id event)
-   (::audit/name event)
-   (::audit/source event)
-   (::audit/type event)
-   (::audit/tracked-at event)
-   (::audit/created-at event)
-   (::audit/profile-id event)
-   (db/inet (::audit/ip-addr event))
-   (db/tjson (::audit/props event))
-   (db/tjson (d/without-nils (::audit/context event)))])
+  [(:id event)
+   (:name event)
+   (:source event)
+   (:type event)
+   (:tracked-at event)
+   (:created-at event)
+   (:profile-id event)
+   (db/inet (:ip-addr event))
+   (db/tjson (:props event))
+   (db/tjson (d/without-nils (:context event)))])
 
 (defn- adjust-timestamp
-  [{:keys [::audit/tracked-at ::audit/created-at] :as event}]
+  [{:keys [tracked-at created-at] :as event}]
   (let [margin (inst-ms (ct/diff tracked-at created-at))]
     (if (or (neg? margin)
             (> margin 3600000))
       ;; If event is in future or lags more than 1 hour, we reasign
       ;; tracked-at to the server creation date
       (-> event
-          (assoc ::audit/tracked-at created-at)
-          (update ::audit/context assoc :original-tracked-at tracked-at))
+          (assoc :tracked-at created-at)
+          (update :context assoc :original-tracked-at tracked-at))
       event)))
 
 (defn- exception-event?
-  [{:keys [::audit/type ::audit/name] :as ev}]
+  [{:keys [type name] :as ev}]
   (and (= "action" type)
        (or (= "unhandled-exception" name)
            (= "exception-page" name))))
@@ -72,28 +73,44 @@
    (map adjust-timestamp)
    (map event->row)))
 
-(defn- get-events
+(defn- prepare-events
   [{:keys [::rpc/request-at ::rpc/profile-id events] :as params}]
   (let [request (-> params meta ::http/request)
         ip-addr (inet/parse-request request)
-
-        xform   (map (fn [event]
-                       {::audit/id (uuid/next)
-                        ::audit/type (:type event)
-                        ::audit/name (:name event)
-                        ::audit/props (:props event)
-                        ::audit/context (:context event)
-                        ::audit/profile-id profile-id
-                        ::audit/ip-addr ip-addr
-                        ::audit/source "frontend"
-                        ::audit/tracked-at (:timestamp event)
-                        ::audit/created-at request-at}))]
+        xform   (comp
+                 (map (fn [event]
+                        {:id (uuid/next)
+                         :type (:type event)
+                         :name (:name event)
+                         :props (:props event)
+                         :context (:context event)
+                         :profile-id profile-id
+                         :ip-addr ip-addr
+                         :source "frontend"
+                         :tracked-at (:timestamp event)
+                         :created-at request-at}))
+                 (map (fn [item]
+                        (with-meta item {::audit/event true}))))]
 
     (sequence xform events)))
 
+(def ^:private xf:map-telemetry-event-row
+  (comp
+   (map adjust-timestamp)
+   (map (fn [event]
+          (-> event
+              (assoc :id (uuid/next))
+              (update :created-at ct/truncate :days)
+              (update :tracked-at ct/truncate :days)
+              (audit/filter-telemetry-props)
+              (audit/filter-telemetry-context)
+              (assoc :ip-addr "0.0.0.0")
+              (assoc :source "telemetry:frontend"))))
+   (map event->row)))
+
 (defn- handle-events
   [{:keys [::db/pool] :as cfg} params]
-  (let [events (get-events params)]
+  (let [events (prepare-events params)]
 
     ;; Look for error reports and save them on internal reports table
     (when-let [events (->> events
@@ -102,9 +119,18 @@
       (run! (partial loggers.db/emit cfg) events)
       (run! (partial loggers.mm/emit cfg) events))
 
-    ;; Process and save events
-    (when (seq events)
-      (let [rows (sequence xf:map-event-row events)]
+    (when (contains? cf/flags :audit-log)
+      ;; Process and save full audit events when audit-log flag is active
+      (when-let [rows (-> (sequence xf:map-event-row events)
+                          (not-empty))]
+        (db/insert-many! pool :audit-log event-columns rows)))
+
+    (when (contains? cf/flags :telemetry)
+      ;; Store anonymized frontend events so the telemetry task can ship them
+      ;; in batches. Runs independently from the audit-log insert above so
+      ;; both modes can be active simultaneously.
+      (when-let [rows (-> (sequence xf:map-telemetry-event-row events)
+                          (not-empty))]
         (db/insert-many! pool :audit-log event-columns rows)))))
 
 (def ^:private valid-event-types
@@ -138,17 +164,26 @@
    ::doc/skip true
    ::doc/added "1.17"}
   [{:keys [::db/pool] :as cfg} params]
-  (if (or (db/read-only? pool)
-          (not (contains? cf/flags :audit-log)))
-    (do
-      (l/warn :hint "audit: http handler disabled or db is read-only")
-      (rph/wrap nil))
-
-    (do
+  (let [telemetry? (contains? cf/flags :telemetry)
+        audit-log? (contains? cf/flags :audit-log)
+        enabled?   (and (not (db/read-only? pool))
+                        (or audit-log? telemetry?))]
+    (when enabled?
       (try
         (handle-events cfg params)
         (catch Throwable cause
           (l/error :hint "unexpected error on persisting audit events from frontend"
-                   :cause cause)))
+                   :cause cause))))
 
-      (rph/wrap nil))))
+    (rph/wrap nil)))
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; GET-ENABLED-FLAGS
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(sv/defmethod ::get-enabled-flags
+  {::audit/skip true
+   ::doc/skip true
+   ::doc/added "1.20"}
+  [_cfg _params]
+  (set/intersection cf/flags #{:audit-log :telemetry}))

backend/src/app/rpc/commands/auth.clj

@@ -258,24 +258,44 @@
   (validate-register-attempt! cfg params)
 
   (let [email   (profile/clean-email email)
-        profile (profile/get-profile-by-email pool email)
-        props   (-> (audit/extract-utm-params params)
+        profile (profile/get-profile-by-email pool email)]
+
+    ;; SECURITY: refuse to issue a prepared-register token when an active
+    ;; profile already exists for this email.
+    ;;
+    ;; Active accounts must use the standard login flow; existing-but-
+    ;; not-yet-active profiles fall through to the duplicate-detection branch in
+    ;; `register-profile`, which never creates a session.
+    (when (and (some? profile)
+               (true? (:is-active profile)))
+      (ex/raise :type :validation
+                :code :email-already-exists
+                :hint "email already exists"))
+
+    (let [props  (-> (audit/extract-utm-params params)
                      (cond-> (:accept-newsletter-updates params)
                        (assoc :newsletter-updates true)))
+          ;; SECURITY: do NOT embed `:profile-id` of an existing
+          ;; profile into the prepared-register JWE. Doing so would
+          ;; let an anonymous caller, in possession of a valid
+          ;; team-invitation JWE, ask `register-profile` to load that
+          ;; profile by id and mint a session for it without password
+          ;; verification. `register-profile` independently re-detects
+          ;; duplicates by email and handles them in the
+          ;; "repeated-registry" branch.
           params {:email email
                   :fullname fullname
                   :password (:password params)
                   :invitation-token (:invitation-token params)
                   :backend "penpot"
                   :iss :prepared-register
-                 :profile-id (:id profile)
                   :exp (ct/in-future {:days 7})
                   :props props}
           params (d/without-nils params)
           token  (tokens/generate cfg params)]
 
       (-> {:token token}
-        (with-meta {::audit/profile-id uuid/zero}))))
+          (with-meta {::audit/profile-id uuid/zero})))))
 
 (def schema:prepare-register-profile
   [:map {:title "prepare-register-profile"}
@@ -372,9 +392,11 @@
           (throw cause))))))
 
 (defn create-profile-rels
-  [conn {:keys [id] :as profile}]
+  [{:keys [::db/conn] :as cfg} {:keys [id] :as profile}]
+  (assert (db/connection-map? cfg)
+          "expected cfg with valid connection")
   (let [features (cfeat/get-enabled-features cf/flags)
-        team     (teams/create-team conn
+        team     (teams/create-team cfg
                                     {:profile-id id
                                      :name "Default"
                                      :features features
@@ -387,12 +409,19 @@
         (profile/decode-row))))
 
 (defn send-email-verification!
-  [{:keys [::db/conn] :as cfg} profile]
-  (let [vtoken (tokens/generate cfg
-                                {:iss :verify-email
+  ([cfg profile] (send-email-verification! cfg profile nil))
+  ([{:keys [::db/conn] :as cfg} profile invitation-token]
+   (let [vclaims (cond-> {:iss :verify-email
                           :exp (ct/in-future "72h")
                           :profile-id (:id profile)
-                                 :email (:email profile)})
+                          :email (:email profile)}
+                   ;; If the user registered through a team-invitation flow but
+                   ;; their profile is not yet active, we carry the invitation
+                   ;; token inside the verify-email JWE so the team-invitation
+                   ;; flow can resume after the user clicks the email link.
+                   (some? invitation-token)
+                   (assoc :invitation-token invitation-token))
+         vtoken  (tokens/generate cfg vclaims)
          ;; NOTE: this token is mainly used for possible complains
          ;; identification on the sns webhook
          ptoken  (tokens/generate cfg
@@ -405,7 +434,7 @@
                  :to (:email profile)
                  :name (:fullname profile)
                  :token vtoken
-                :extra-data ptoken})))
+                 :extra-data ptoken}))))
 
 (defn register-profile
   [{:keys [::db/conn ::wrk/executor] :as cfg} {:keys [token] :as params}]
@@ -414,14 +443,7 @@
                      (:accept-newsletter-updates params)
                      (update :props assoc :newsletter-updates true))
 
-        profile    (if-let [profile-id (:profile-id claims)]
-                     (profile/get-profile conn profile-id)
-                     ;; NOTE: we first try to match existing profile
-                     ;; by email, that in normal circumstances will
-                     ;; not return anything, but when a user tries to
-                     ;; reuse the same token multiple times, we need
-                     ;; to detect if the profile is already registered
-                     (or (profile/get-profile-by-email conn (:email claims))
+        profile    (or (profile/get-profile-by-email conn (:email claims))
                        (let [is-active (or (boolean (:is-active claims))
                                            (boolean (:email-verified claims))
                                            (not (contains? cf/flags :email-verification)))
@@ -429,8 +451,8 @@
                                            (assoc :is-active is-active)
                                            (update :password auth/derive-password))
                              profile   (->> (create-profile cfg params)
-                                              (create-profile-rels conn))]
-                           (vary-meta profile assoc :created true))))
+                                            (create-profile-rels cfg))]
+                         (vary-meta profile assoc :created true)))
 
         created?   (-> profile meta :created true?)
 
@@ -461,29 +483,45 @@
            ::audit/profile-id (:id profile)
            ::audit/name "register-profile-retry"}))
 
-      ;; If invitation token comes in params, this is because the user
-      ;; comes from team-invitation process; in this case, regenerate
-      ;; token and send back to the user a new invitation token (and
-      ;; mark current session as logged). This happens only if the
-      ;; invitation email matches with the register email.
-      (and (some? invitation)
+      ;; A profile was just created in this call. Invitation handling is a
+      ;; sub-case of "newly created profile": we never honor invitations for
+      ;; pre-existing profiles via this anonymous RPC. The split below mirrors
+      ;; the non-invitation branches but threads the invitation through the
+      ;; appropriate path:
+      ;;
+      ;;   - active     + matching invitation → mint session and
+      ;;     return :invitation-token. The frontend redirects to
+      ;;     :auth-verify-token, which immediately accepts the
+      ;;     invitation.
+      ;;   - active     + no/mismatched invitation → mint session
+      ;;     ("login" action). New profile, no further action.
+      ;;   - not-active + matching invitation → send the
+      ;;     verify-email mail with the invitation token EMBEDDED
+      ;;     into the verify-email JWE. No session yet. When the
+      ;;     user clicks the link, verify-token activates the
+      ;;     profile, mints a session, and propagates the
+      ;;     invitation token to the frontend so it can complete
+      ;;     the team-invitation flow.
+      ;;   - not-active + no/mismatched invitation → standard
+      ;;     "check your email" verification flow.
+      created?
+      (let [accept-invitation? (and (some? invitation)
                                     (= (:email profile)
-              (:member-email invitation)))
+                                       (:member-email invitation)))]
+        (cond
+          (and (:is-active profile) accept-invitation?)
           (let [invitation (assoc invitation :member-id (:id profile))
                 token      (tokens/generate cfg invitation)]
             (-> {:id (:id profile)
                  :email (:email profile)
                  :invitation-token token}
                 (rph/with-transform (session/create-fn cfg profile claims))
+                (rph/with-defer create-welcome-file-when-needed)
                 (rph/with-meta {::audit/replace-props props
                                 ::audit/context {:action "accept-invitation"}
                                 ::audit/profile-id (:id profile)})))
 
-      ;; When a new user is created and it is already activated by
-      ;; configuration or specified by OIDC, we just mark the profile
-      ;; as logged-in
-      created?
-      (if (:is-active profile)
+          (:is-active profile)
           (-> (profile/strip-private-attrs profile)
               (rph/with-transform (session/create-fn cfg profile claims))
               (rph/with-defer create-welcome-file-when-needed)
@@ -492,9 +530,12 @@
                  ::audit/context {:action "login"}
                  ::audit/profile-id (:id profile)}))
 
+          :else
           (do
             (when-not (eml/has-reports? conn (:email profile))
-            (send-email-verification! cfg profile))
+              (send-email-verification! cfg profile
+                                        (when accept-invitation?
+                                          (:invitation-token params))))
 
             (-> {:id (:id profile)
                  :email (:email profile)}
@@ -502,7 +543,7 @@
                 (rph/with-meta
                   {::audit/replace-props props
                    ::audit/context {:action "email-verification"}
-                 ::audit/profile-id (:id profile)}))))
+                   ::audit/profile-id (:id profile)})))))
 
       :else
       (let [elapsed? (elapsed-verify-threshold? profile)

backend/src/app/rpc/commands/demo.clj

@@ -49,9 +49,9 @@
                   :deleted-at (ct/in-future (cf/get-deletion-delay))
                   :password (derive-password password)
                   :props {}}
-        profile  (db/tx-run! cfg (fn [{:keys [::db/conn] :as cfg}]
+        profile  (db/tx-run! cfg (fn [cfg]
                                    (->> (auth/create-profile cfg params)
-                                        (auth/create-profile-rels conn))))]
+                                        (auth/create-profile-rels cfg))))]
     (with-meta {:email email
                 :password password}
       {::audit/profile-id (:id profile)})))

backend/src/app/rpc/commands/files.clj

@@ -13,6 +13,7 @@
    [app.common.features :as cfeat]
    [app.common.files.helpers :as cfh]
    [app.common.files.migrations :as fmg]
+   [app.common.files.stats :as cfs]
    [app.common.logging :as l]
    [app.common.schema :as sm]
    [app.common.schema.desc-js-like :as-alias smdj]
@@ -606,6 +607,76 @@
   (get-file-summary cfg id))
 
 
+;; --- COMMAND QUERY: get-file-stats
+
+(def ^:private sql:file-stats-library-counts
+  "SELECT
+     (SELECT COUNT(*)
+        FROM file_library_rel AS flr
+        JOIN file AS fl ON (fl.id = flr.library_file_id)
+       WHERE flr.file_id = ?::uuid
+         AND (fl.deleted_at IS NULL OR fl.deleted_at > now())) AS library_count,
+     (SELECT COUNT(*)
+        FROM file_library_rel AS flr
+        JOIN file AS fl ON (fl.id = flr.file_id)
+       WHERE flr.library_file_id = ?::uuid
+         AND (fl.deleted_at IS NULL OR fl.deleted_at > now())) AS referenced_by_count")
+
+(defn- get-file-stats-library-counts
+  [conn file-id]
+  (let [row (db/exec-one! conn [sql:file-stats-library-counts file-id file-id])]
+    {:library-count       (or (:library-count row) 0)
+     :referenced-by-count (or (:referenced-by-count row) 0)}))
+
+(defn- get-file-stats
+  [{:keys [::db/conn] :as cfg} file-id]
+  (let [file    (bfc/get-file cfg file-id)
+        base    (binding [pmap/*load-fn* (partial feat.fdata/load-pointer cfg file-id)]
+                  (cfs/calc-file-stats (:data file)))
+        lib-cnt (get-file-stats-library-counts conn file-id)]
+    (-> base
+        (merge lib-cnt)
+        (assoc :file-id    file-id
+               :revn       (:revn file)
+               :updated-at (:modified-at file)))))
+
+(def ^:private schema:shape-counts
+  [:map {:title "FileStatsShapeCounts"}
+   [:total [::sm/int {:min 0}]]
+   [:by-type [:map-of :keyword [::sm/int {:min 0}]]]])
+
+(def ^:private schema:get-file-stats-result
+  [:map {:title "FileStats"}
+   [:file-id ::sm/uuid]
+   [:page-count [::sm/int {:min 0}]]
+   [:shape-counts schema:shape-counts]
+   [:component-count [::sm/int {:min 0}]]
+   [:deleted-component-count [::sm/int {:min 0}]]
+   [:color-count [::sm/int {:min 0}]]
+   [:typography-count [::sm/int {:min 0}]]
+   [:library-count [::sm/int {:min 0}]]
+   [:referenced-by-count [::sm/int {:min 0}]]
+   [:revn [::sm/int {:min 0}]]
+   [:updated-at ::ct/inst]])
+
+(def ^:private schema:get-file-stats
+  [:map {:title "get-file-stats"}
+   [:id ::sm/uuid]])
+
+(sv/defmethod ::get-file-stats
+  "Return aggregate statistics for a single file: page count, shape
+   counts by type, component/color/typography counts, and inbound and
+   outbound library reference counts. Cheap alternative to `get-file`
+   when only metrics are needed."
+  {::doc/added "2.17"
+   ::sm/params schema:get-file-stats
+   ::sm/result schema:get-file-stats-result
+   ::db/transaction true}
+  [{:keys [::db/conn] :as cfg} {:keys [::rpc/profile-id id]}]
+  (check-read-permissions! conn profile-id id)
+  (get-file-stats cfg id))
+
+
 ;; --- COMMAND QUERY: get-file-libraries
 
 (def ^:private schema:get-file-libraries
@@ -993,7 +1064,10 @@
 
 (defn link-file-to-library
   [conn {:keys [file-id library-id] :as params}]
-  (db/exec-one! conn [sql:link-file-to-library file-id library-id]))
+  (db/exec-one! conn [sql:link-file-to-library file-id library-id])
+  (bfc/upsert-file-library-sync! conn {:file-id file-id
+                                       :library-file-id library-id
+                                       :synced-at (ct/now)}))
 
 (def ^:private
   schema:link-file-to-library
@@ -1047,11 +1121,9 @@
 
 (defn update-sync
   [conn {:keys [file-id library-id] :as params}]
-  (db/update! conn :file-library-rel
-              {:synced-at (ct/now)}
-              {:file-id file-id
-               :library-file-id library-id}
-              {::db/return-keys true}))
+  (bfc/upsert-file-library-sync! conn {:file-id file-id
+                                       :library-file-id library-id
+                                       :synced-at (ct/now)}))
 
 (def ^:private schema:update-file-library-sync-status
   [:map {:title "update-file-library-sync-status"}
@@ -1155,38 +1227,39 @@
       AND t.id = ?
       AND f.id = ANY(?::uuid[])")
 
-(defn- restore-file
-  [conn file-id]
-  (db/update! conn :file
-              {:deleted-at nil
-               :has-media-trimmed false}
-              {:id file-id}
-              {::db/return-keys false})
+(def ^:private sql:restore-files
+  "UPDATE file SET deleted_at = null, has_media_trimmed = false
+    WHERE id = ANY(?::uuid[])")
 
-  (db/update! conn :file-media-object
-              {:deleted-at nil}
-              {:file-id file-id}
-              {::db/return-keys false})
+(def ^:private sql:restore-file-media-objects
+  "UPDATE file_media_object SET deleted_at = null
+    WHERE file_id = ANY(?::uuid[])")
 
-  (db/update! conn :file-change
-              {:deleted-at nil}
-              {:file-id file-id}
-              {::db/return-keys false})
+(def ^:private sql:restore-file-changes
+  "UPDATE file_change SET deleted_at = null
+    WHERE file_id = ANY(?::uuid[])")
 
-  (db/update! conn :file-data
-              {:deleted-at nil}
-              {:file-id file-id}
-              {::db/return-keys false})
+(def ^:private sql:restore-file-data
+  "UPDATE file_data SET deleted_at = null
+    WHERE file_id = ANY(?::uuid[])")
 
-  (db/update! conn :file-thumbnail
-              {:deleted-at nil}
-              {:file-id file-id}
-              {::db/return-keys false})
+(def ^:private sql:restore-file-thumbnails
+  "UPDATE file_thumbnail SET deleted_at = null
+    WHERE file_id = ANY(?::uuid[])")
 
-  (db/update! conn :file-tagged-object-thumbnail
-              {:deleted-at nil}
-              {:file-id file-id}
-              {::db/return-keys false}))
+(def ^:private sql:restore-file-tagged-object-thumbnails
+  "UPDATE file_tagged_object_thumbnail SET deleted_at = null
+    WHERE file_id = ANY(?::uuid[])")
+
+(defn- restore-files
+  [conn file-ids]
+  (let [file-ids (db/create-array conn "uuid" file-ids)]
+    (db/exec-one! conn [sql:restore-files file-ids])
+    (db/exec-one! conn [sql:restore-file-media-objects file-ids])
+    (db/exec-one! conn [sql:restore-file-changes file-ids])
+    (db/exec-one! conn [sql:restore-file-data file-ids])
+    (db/exec-one! conn [sql:restore-file-thumbnails file-ids])
+    (db/exec-one! conn [sql:restore-file-tagged-object-thumbnails file-ids])))
 
 (def ^:private sql:restore-projects
   "UPDATE project SET deleted_at = null WHERE id = ANY(?::uuid[])")
@@ -1207,17 +1280,18 @@
         (reduce (fn [result {:keys [id project-id]}]
                   (let [index (-> result :files count)]
                     (events/tap :progress {:file-id id :index (inc index) :total total-files})
-                    (restore-file conn id)
-
                     (-> result
                         (update :files conj id)
                         (update :projects conj project-id))))
-
-                {:files #{} :projectes #{}}
+                {:files #{} :projects #{}}
                 (db/plan conn [sql:resolve-editable-files team-id
                                (db/create-array conn "uuid" ids)]))]
 
-    (restore-projects conn projects)
+    (when (seq files)
+      (restore-files conn files))
+
+    (when (seq projects)
+      (restore-projects conn projects))
 
     files))
 

backend/src/app/rpc/commands/files_create.clj

@@ -112,22 +112,30 @@
                         ::quotes/profile-id profile-id
                         ::quotes/project-id project-id})
 
-    ;; FIXME: IMPORTANT: this code can have race conditions, because
-    ;; we have no locks for updating team so, creating two files
-    ;; concurrently can lead to lost team features updating
-    (when-let [features (-> features
-                            (set/difference (:features team))
+    ;; Acquire a row-level lock on the team and re-read its features
+    ;; inside the same transaction before the read-modify-write below.
+    ;; Without the lock, two concurrent create-file calls on the same
+    ;; team can both observe the same team.features value, each
+    ;; compute a different union, and the second UPDATE silently
+    ;; overwrites the first (lost update under READ COMMITTED).
+    (let [team-features (-> (db/exec-one! conn
+                                          ["SELECT features FROM team WHERE id = ? FOR UPDATE"
+                                           team-id])
+                            :features
+                            (db/decode-pgarray #{}))]
+      (when-let [new-features (-> features
+                                  (set/difference team-features)
                                   (set/difference cfeat/no-team-inheritable-features)
                                   (not-empty))]
-      (let [features (-> features
-                         (set/union (:features team))
+        (let [features (-> new-features
+                           (set/union team-features)
                            (set/difference cfeat/no-team-inheritable-features)
                            (into-array))]
 
           (db/update! conn :team
                       {:features features}
-                    {:id (:id team)}
-                    {::db/return-keys false})))
+                      {:id team-id}
+                      {::db/return-keys false}))))
 
     (-> (create-file cfg params)
         (vary-meta assoc ::audit/props {:team-id team-id}))))

backend/src/app/rpc/commands/files_snapshot.clj

@@ -8,6 +8,7 @@
   (:require
    [app.binfile.common :as bfc]
    [app.common.exceptions :as ex]
+   [app.common.features :as-alias cfeat]
    [app.common.schema :as sm]
    [app.common.time :as ct]
    [app.db :as db]
@@ -35,6 +36,43 @@
                  (files/check-read-permissions! conn profile-id file-id)
                  (fsnap/get-visible-snapshots conn file-id))))
 
+;; --- COMMAND QUERY: get-file-snapshot
+
+(def ^:private schema:get-file-snapshot
+  [:map {:title "get-file-snapshot"}
+   [:file-id ::sm/uuid]
+   [:id ::sm/uuid]
+   [:features {:optional true} ::cfeat/features]])
+
+(sv/defmethod ::get-file-snapshot
+  "Retrieve a file bundle with data from a specific snapshot for
+  read-only preview. Does not modify any database state."
+  {::doc/added "2.16"
+   ::sm/params schema:get-file-snapshot
+   ::sm/result files/schema:file-with-permissions
+   ::db/transaction true}
+  [{:keys [::db/conn] :as cfg} {:keys [::rpc/profile-id file-id id] :as params}]
+  (let [perms (bfc/get-file-permissions conn profile-id file-id)]
+    (files/check-read-permissions! perms)
+    (let [snapshot (fsnap/get-snapshot-data cfg file-id id)]
+      (when-not snapshot
+        (ex/raise :type :not-found
+                  :code :snapshot-not-found
+                  :hint "unable to find snapshot with the provided id"
+                  :snapshot-id id
+                  :file-id file-id))
+      ;; Load current file metadata only (no data decoding) then overlay
+      ;; the snapshot data so the client receives the same shape as a
+      ;; normal get-file response but with historical page/object content.
+      (let [base-file (bfc/get-file cfg file-id :load-data? false)]
+        (-> base-file
+            (assoc :data (:data snapshot))
+            (assoc :version (:version snapshot))
+            (assoc :features (:features snapshot))
+            (assoc :revn (:revn snapshot))
+            (assoc :vern (rand-int 100000))
+            (assoc :permissions perms))))))
+
 (def ^:private schema:create-file-snapshot
   [:map
    [:file-id ::sm/uuid]

backend/src/app/rpc/commands/files_thumbnails.clj

@@ -409,10 +409,7 @@
 
   [cfg {:keys [::rpc/profile-id file-id] :as params}]
   (db/tx-run! cfg (fn [{:keys [::db/conn] :as cfg}]
-                    ;; TODO For now we check read permissions instead of write,
-                    ;; to allow viewer users to update thumbnails. We might
-                    ;; review this approach on the future.
-                    (files/check-read-permissions! conn profile-id file-id)
+                    (files/check-edition-permissions! conn profile-id file-id)
                     (when-not (db/read-only? conn)
                       (let [media (create-file-thumbnail cfg params)]
                         {:uri (files/resolve-public-uri (:id media))

backend/src/app/rpc/commands/fonts.clj

@@ -9,9 +9,11 @@
    [app.binfile.common :as bfc]
    [app.common.data.macros :as dm]
    [app.common.exceptions :as ex]
-   [app.common.media :as cmedia]
+   [app.common.logging :as l]
+   [app.common.media :as cm]
    [app.common.schema :as sm]
    [app.common.time :as ct]
+   [app.common.types.font :as types.font]
    [app.common.uuid :as uuid]
    [app.db :as db]
    [app.db.sql :as-alias sql]
@@ -23,6 +25,7 @@
    [app.rpc :as-alias rpc]
    [app.rpc.climit :as-alias climit]
    [app.rpc.commands.files :as files]
+   [app.rpc.commands.media :refer [assemble-chunks]]
    [app.rpc.commands.projects :as projects]
    [app.rpc.commands.teams :as teams]
    [app.rpc.doc :as-alias doc]
@@ -31,6 +34,8 @@
    [app.storage :as sto]
    [app.storage.tmp :as tmp]
    [app.util.services :as sv]
+   [cuerdas.core :as str]
+   [datoteka.fs :as fs]
    [datoteka.io :as io])
   (:import
    java.io.InputStream
@@ -91,35 +96,90 @@
 (declare create-font-variant)
 
 (def ^:private schema:create-font-variant
+  [:and
    [:map {:title "create-font-variant"}
     [:team-id    ::sm/uuid]
-   [:data [:map-of ::sm/text [:or ::sm/bytes
-                              [::sm/vec ::sm/bytes]]]]
     [:font-id    ::sm/uuid]
-   [:font-family ::sm/text]
+    [:font-family types.font/schema:font-family]
     [:font-weight [::sm/one-of {:format "number"} valid-weight]]
-   [:font-style [::sm/one-of {:format "string"} valid-style]]])
+    [:font-style  [::sm/one-of {:format "string"} valid-style]]
+    [:data    {:optional true} [:map-of ::sm/text [:or ::sm/bytes [::sm/vec ::sm/bytes]]]]
+    [:uploads {:optional true} [:map-of ::sm/text ::sm/uuid]]]
+   [:fn {:error/message "one of :data or :uploads is required"}
+    (fn [{:keys [data uploads]}]
+      (or (seq data) (seq uploads)))]])
 
-;; FIXME: IMPORTANT: refactor this, we should not hold a whole db
-;; connection around the font creation
+(defn- prepare-font-data-from-uploads
+  "Assembles each chunked-upload session in `uploads` (a `{mtype →
+  session-id}` map) into a temp file, validates the media type and
+  size of every entry, and returns a `{mtype → path}` data map."
+  [cfg {:keys [uploads] :as params}]
+  (let [data (reduce-kv
+              (fn [acc mtype session-id]
+                (let [assembled (assemble-chunks cfg session-id)]
+                  (-> {:mtype mtype :size (:size assembled)}
+                      (media/validate-media-type! cm/font-types)
+                      (media/validate-font-size!))
+                  (assoc acc mtype (:path assembled))))
+              {}
+              uploads)]
+
+    (-> params
+        (assoc :data data)
+        (dissoc :uploads))))
+
+(defn- prepare-font-data-from-legacy
+  "Validates the media type and size of every entry in the legacy
+  `:data` map (a `{mtype → bytes | [bytes]}` map). Normalises every
+  entry to a tempfile. Returns params with a normalised
+  `{mtype → path}` data map."
+  [{:keys [data] :as params}]
+  (let [data (reduce-kv
+              (fn [acc mtype content]
+                (let [tmp     (tmp/tempfile :prefix "penpot.tempfont." :suffix "")
+                      chunks  (if (vector? content) content [content])
+                      streams (map io/input-stream chunks)
+                      streams (Collections/enumeration streams)]
+
+                  ;; Generate the tempfile from all chunks
+                  (with-open [^OutputStream output (io/output-stream tmp)
+                              ^InputStream input (SequenceInputStream. streams)]
+                    (io/copy input output))
+
+                  ;; Validate
+                  (-> {:mtype mtype :size (fs/size tmp)}
+                      (media/validate-media-type! cm/font-types)
+                      (media/validate-font-size!))
+
+                  (assoc acc mtype tmp)))
+              {}
+              data)]
+    (assoc params :data data)))
 
 (sv/defmethod ::create-font-variant
+  "Upload a font variant.  Font data may be provided either as a
+  Transit-encoded `:data` map (keyed by mime-type) for small fonts, or
+  as an `:uploads` map (keyed by mime-type, values are upload-session
+  UUIDs from the chunked-upload API) for large fonts.  Exactly one of
+  the two must be present."
   {::doc/added "1.18"
+   ::doc/changes ["2.16" "Add :uploads param for chunked upload support"]
    ::climit/id [[:process-font/by-profile ::rpc/profile-id]
                 [:process-font/global]]
    ::webhooks/event? true
    ::sm/params schema:create-font-variant}
-  [cfg {:keys [::rpc/profile-id team-id] :as params}]
-  (db/tx-run! cfg
-              (fn [{:keys [::db/conn] :as cfg}]
-                (teams/check-edition-permissions! conn profile-id team-id)
+  [{:keys [::db/pool] :as cfg} {:keys [::rpc/profile-id team-id uploads] :as params}]
+  (teams/check-edition-permissions! pool profile-id team-id)
   (quotes/check! cfg {::quotes/id ::quotes/font-variants-per-team
                       ::quotes/profile-id profile-id
                       ::quotes/team-id team-id})
-                (create-font-variant cfg (assoc params :profile-id profile-id)))))
+  (let [params (if (some? uploads)
+                 (db/tx-run! cfg prepare-font-data-from-uploads params)
+                 (prepare-font-data-from-legacy params))]
+    (create-font-variant cfg (assoc params :profile-id profile-id))))
 
 (defn create-font-variant
-  [{:keys [::sto/storage ::db/conn]} {:keys [data] :as params}]
+  [{:keys [::sto/storage] :as cfg} {:keys [data] :as params}]
   (letfn [(generate-missing [data]
             (let [data (media/run {:cmd :generate-fonts :input data})]
               (when (and (not (contains? data "font/otf"))
@@ -131,23 +191,6 @@
                           :hint "invalid font upload, unable to generate missing font assets"))
               data))
 
-          (process-chunks [chunks]
-            (let [tmp     (tmp/tempfile :prefix "penpot.tempfont." :suffix "")
-                  streams (map io/input-stream chunks)
-                  streams (Collections/enumeration streams)]
-              (with-open [^OutputStream output (io/output-stream tmp)
-                          ^InputStream input (SequenceInputStream. streams)]
-                (io/copy input output))
-              tmp))
-
-          (join-chunks [data]
-            (reduce-kv (fn [data mtype content]
-                         (if (vector? content)
-                           (assoc data mtype (process-chunks content))
-                           data))
-                       data
-                       data))
-
           (prepare-font [data mtype]
             (when-let [resource (get data mtype)]
 
@@ -161,22 +204,15 @@
                  :bucket "team-font-variant"})))
 
           (persist-fonts-files! [data]
-            (let [otf-params (prepare-font data "font/otf")
-                  ttf-params (prepare-font data "font/ttf")
-                  wf1-params (prepare-font data "font/woff")
-                  wf2-params (prepare-font data "font/woff2")]
+            (into {} (keep (fn [[kind mtype]]
+                             (when-let [params (prepare-font data mtype)]
+                               [kind (sto/put-object! storage params)])))
+                  [[:otf "font/otf"]
+                   [:ttf "font/ttf"]
+                   [:woff1 "font/woff"]
+                   [:woff2 "font/woff2"]]))
 
-              (cond-> {}
-                (some? otf-params)
-                (assoc :otf (sto/put-object! storage otf-params))
-                (some? ttf-params)
-                (assoc :ttf (sto/put-object! storage ttf-params))
-                (some? wf1-params)
-                (assoc :woff1 (sto/put-object! storage wf1-params))
-                (some? wf2-params)
-                (assoc :woff2 (sto/put-object! storage wf2-params)))))
-
-          (insert-font-variant! [{:keys [woff1 woff2 otf ttf]}]
+          (insert-font-variant! [conn {:keys [woff1 woff2 otf ttf]}]
             (db/insert! conn :team-font-variant
                         {:id (uuid/next)
                          :team-id (:team-id params)
@@ -184,16 +220,44 @@
                          :font-family (:font-family params)
                          :font-weight (:font-weight params)
                          :font-style (:font-style params)
+                         :variant-name (:variant-name params)
                          :woff1-file-id (:id woff1)
                          :woff2-file-id (:id woff2)
                          :otf-file-id (:id otf)
                          :ttf-file-id (:id ttf)}))]
 
-    (let [data   (join-chunks data)
-          data   (generate-missing data)
+    (let [tpoint     (ct/tpoint)
+          mtypes     (vec (keys data))
+          total-size (reduce-kv (fn [acc _ content]
+                                  (+ acc (if (bytes? content)
+                                           (alength ^bytes content)
+                                           (fs/size content))))
+                                0
+                                data)]
+
+      (l/dbg :hint "create-font-variant"
+             :step "init"
+             :font-family (:font-family params)
+             :font-weight (:font-weight params)
+             :font-style  (:font-style params)
+             :mtypes      (str/join mtypes ",")
+             :size        total-size)
+
+      (let [data    (generate-missing data)
             assets  (persist-fonts-files! data)
-          result (insert-font-variant! assets)]
-      (vary-meta result assoc ::audit/replace-props (update params :data (comp vec keys))))))
+            result  (db/tx-run! cfg #(insert-font-variant! (::db/conn %) assets))
+            elapsed (tpoint)]
+
+        (l/dbg :hint "create-font-variant"
+               :step "end"
+               :font-family (:font-family params)
+               :font-weight (:font-weight params)
+               :font-style  (:font-style params)
+               :mtypes      (str/join mtypes ",")
+               :size        total-size
+               :elapsed     (ct/format-duration elapsed))
+
+        (vary-meta result assoc ::audit/replace-props (update params :data (comp vec keys)))))))
 
 ;; --- UPDATE FONT FAMILY
 
@@ -202,7 +266,7 @@
   [:map {:title "update-font"}
    [:team-id ::sm/uuid]
    [:id ::sm/uuid]
-   [:name :string]])
+   [:name types.font/schema:font-family]])
 
 (sv/defmethod ::update-font
   {::doc/added "1.18"
@@ -324,7 +388,7 @@
   [v mtype]
   (str (:font-family v) "-" (:font-weight v)
        (when-not (= "normal" (:font-style v)) (str "-" (:font-style v)))
-       (cmedia/mtype->extension mtype)))
+       (cm/mtype->extension mtype)))
 
 (def ^:private schema:download-font
   [:map {:title "download-font"}

backend/src/app/rpc/commands/ldap.clj

@@ -42,7 +42,7 @@
   (when-not provider
     (ex/raise :type :restriction
               :code :ldap-not-initialized
-              :hide "ldap auth provider is not initialized"))
+              :hint "ldap auth provider is not initialized"))
 
   (let [info (ldap/authenticate provider params)]
     (when-not info
@@ -84,5 +84,5 @@
                              (profile/get-profile-by-email conn))
                     (->> (assoc info :is-active true :is-demo false)
                          (auth/create-profile cfg)
-                         (auth/create-profile-rels conn)
+                         (auth/create-profile-rels cfg)
                          (profile/strip-private-attrs))))))

backend/src/app/rpc/commands/management.clj

@@ -72,10 +72,14 @@
       (doseq [params (sequence (comp
                                 (map #(bfc/remap-id % :file-id))
                                 (map #(bfc/remap-id % :library-file-id))
-                                (map #(assoc % :synced-at timestamp))
                                 (map #(assoc % :created-at timestamp)))
                                flibs)]
-        (db/insert! conn :file-library-rel params ::db/return-keys false))
+        (let [rel-params (dissoc params :synced-at)]
+          (db/insert! conn :file-library-rel rel-params ::db/return-keys false)
+          (bfc/upsert-file-library-sync! conn {:file-id (:file-id rel-params)
+                                               :library-file-id (:library-file-id rel-params)
+                                               :synced-at (or (:synced-at params)
+                                                              timestamp)})))
 
       (doseq [params (sequence (comp
                                 (map #(bfc/remap-id % :id))
@@ -207,8 +211,7 @@
                          (update :team-id bfc/lookup-index)
                          (assoc :created-at timestamp)
                          (assoc :modified-at timestamp))]
-          (db/insert! conn :team-profile-rel params
-                      {::db/return-keys false})))
+          (teams/add-profile-to-team! cfg params {::db/return-keys false})))
 
       ;; Duplicate team fonts
       (doseq [font fonts]
@@ -339,6 +342,21 @@
 ;; --- COMMAND: Move project
 
 (defn move-project
+  "Moves a project from one team to another.
+
+  Performs comprehensive validation including:
+  - Permission checks on both source and destination teams
+  - Team compatibility verification between source and destination
+  - File features compatibility with destination team
+
+  The operation also:
+  - Updates the project's team assignment
+  - Cleans up any broken library relations after the move
+
+  Throws:
+  - :cant-move-to-same-team if trying to move project to its current team
+  - Permission exceptions if user lacks required permissions
+  - Team compatibility exceptions if teams are incompatible"
   [{:keys [::db/conn] :as cfg} {:keys [profile-id team-id project-id] :as params}]
   (let [project (db/get-by-id conn :project project-id {:columns [:id :team-id]})
         pids    (->> (db/query conn :project {:team-id (:team-id project)} {:columns [:id]})
@@ -425,10 +443,10 @@
                     (doseq [file-id result]
                       (let [props (assoc props :id file-id)
                             event (-> (audit/event-from-rpc-params params)
-                                      (assoc ::audit/profile-id profile-id)
-                                      (assoc ::audit/name "create-file")
-                                      (assoc ::audit/props props))]
-                        (audit/submit! cfg event))))))
+                                      (assoc :profile-id profile-id)
+                                      (assoc :name "create-file")
+                                      (assoc :props props))]
+                        (audit/submit cfg event))))))
 
     result))
 

backend/src/app/rpc/commands/media.clj

@@ -8,6 +8,7 @@
   (:require
    [app.common.data :as d]
    [app.common.exceptions :as ex]
+   [app.common.logging :as l]
    [app.common.schema :as sm]
    [app.common.time :as ct]
    [app.common.uuid :as uuid]
@@ -149,20 +150,49 @@
 
 (defn- create-file-media-object
   [{:keys [::sto/storage ::db/conn] :as cfg}
-   {:keys [id file-id is-local name content]}]
+   {:keys [id file-id is-local name content from-url? from-chunks?]}]
+
+  (let [tpoint (ct/tpoint)
+        id     (or id (uuid/next))
+        origin (cond
+                 from-url?
+                 "url"
+                 from-chunks?
+                 "chunks"
+                 :else
+                 "direct")]
+
+    (l/dbg :hint "create file-media-object"
+           :step "init"
+           :id (str id)
+           :mtype (:mtype content)
+           :size (:size content)
+           :path (str (:path content))
+           :origin origin)
+
     (let [result  (process-image content)
           image   (sto/put-object! storage (::image result))
           thumb   (when-let [params (::thumb result)]
-                 (sto/put-object! storage params))]
+                    (sto/put-object! storage params))
+          elapsed (tpoint)]
+
+      (l/dbg :hint "create file-media-object"
+             :step "end"
+             :id (str id)
+             :mtype (:mtype content)
+             :size (:size content)
+             :path (str (:path content))
+             :origin origin
+             :elapsed (ct/format-duration elapsed))
 
       (db/exec-one! conn [sql:create-file-media-object
-                        (or id (uuid/next))
+                          id
                           file-id is-local name
                           (:id image)
                           (:id thumb)
                           (:width result)
                           (:height result)
-                        (:mtype result)])))
+                          (:mtype result)]))))
 
 ;; --- Create File Media Object (from URL)
 
@@ -198,6 +228,7 @@
   [cfg {:keys [url name] :as params}]
   (let [content (media/download-image cfg url)
         params  (-> params
+                    (assoc :from-url? true)
                     (assoc :content content)
                     (assoc :name (d/nilv name "unknown")))]
 
@@ -255,7 +286,7 @@
    [:session-id ::sm/uuid]])
 
 (sv/defmethod ::create-upload-session
-  {::doc/added "2.16"
+  {::doc/added "2.17"
    ::sm/params schema:create-upload-session
    ::sm/result schema:create-upload-session-result}
   [{:keys [::db/pool] :as cfg}
@@ -293,7 +324,7 @@
    [:index      ::sm/int]])
 
 (sv/defmethod ::upload-chunk
-  {::doc/added "2.16"
+  {::doc/added "2.17"
    ::sm/params schema:upload-chunk
    ::sm/result schema:upload-chunk-result}
   [{:keys [::db/pool] :as cfg}
@@ -305,7 +336,14 @@
                 :hint "chunk index is out of range for this session"
                 :session-id session-id
                 :total-chunks (:total-chunks session)
-                :index index)))
+                :index index))
+
+
+    (l/trc :hint "upload-chunk"
+           :session-id session-id
+           :chunk (str index "/" (:total-chunks session))
+           :size (:size content)
+           :path (:path content)))
 
   (let [storage (sto/resolve cfg)
         data    (sto/content (:path content))]
@@ -389,7 +427,7 @@
    [:id         {:optional true} ::sm/uuid]])
 
 (sv/defmethod ::assemble-file-media-object
-  {::doc/added "2.16"
+  {::doc/added "2.17"
    ::sm/params schema:assemble-file-media-object
    ::climit/id [[:process-image/by-profile ::rpc/profile-id]
                 [:process-image/global]]}
@@ -399,14 +437,15 @@
 
   (db/tx-run! cfg
               (fn [{:keys [::db/conn] :as cfg}]
-                (let [{:keys [path size]} (assemble-chunks cfg session-id)
-                      content {:filename "upload"
-                               :size     size
-                               :path     path
-                               :mtype    mtype}
-                      _       (media/validate-media-type! content)
+                (let [content (assemble-chunks cfg session-id)
+                      content (-> content
+                                  (assoc :filename (str "upload:" name))
+                                  (assoc :mtype mtype)
+                                  (media/validate-media-type!)
+                                  (media/validate-media-size!))
                       mobj    (create-file-media-object cfg (assoc params
-                                                                   :id (or id (uuid/next))
+                                                                   :id id
+                                                                   :from-chunks? true
                                                                    :content content))]
 
                   (db/update! conn :file

backend/src/app/rpc/commands/nitrate.clj

@@ -1,20 +1,374 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) KALEIDOS INC
+
 (ns app.rpc.commands.nitrate
+  "Nitrate API for Penpot. Provides nitrate-related endpoints to be called
+   from Penpot frontend."
   (:require
+   [app.common.data :as d]
+   [app.common.exceptions :as ex]
    [app.common.schema :as sm]
+   [app.common.time :as ct]
+   [app.common.types.nitrate-permissions :as nitrate-perms]
+   [app.config :as cf]
+   [app.db :as db]
    [app.nitrate :as nitrate]
    [app.rpc :as-alias rpc]
+   [app.rpc.commands.teams :as teams]
    [app.rpc.doc :as-alias doc]
+   [app.rpc.notifications :as notifications]
    [app.util.services :as sv]))
 
 
+(defn assert-is-owner [cfg profile-id team-id]
+  (let [perms (teams/get-permissions cfg profile-id team-id)]
+    (when-not (:is-owner perms)
+      (ex/raise :type :validation
+                :code :insufficient-permissions))))
+
+(defn assert-not-default-team [cfg team-id]
+  (let [team (teams/get-team-info cfg {:id team-id})]
+    (when (:is-default team)
+      (ex/raise :type :validation
+                :code :cant-move-default-team))))
+
+(defn assert-membership [cfg profile-id organization-id]
+  (let [membership (nitrate/call cfg :get-org-membership {:profile-id profile-id
+                                                          :organization-id organization-id})]
+    (when-not (:organization-id membership)
+      (ex/raise :type :validation
+                :code :organization-doesnt-exists))
+
+    (when-not (:is-member membership)
+      (ex/raise :type :validation
+                :code :user-doesnt-belong-organization))))
+
+
 (def schema:connectivity
   [:map {:title "nitrate-connectivity"}
    [:licenses ::sm/boolean]])
 
 (sv/defmethod ::get-nitrate-connectivity
-  {::rpc/auth false
-   ::doc/added "1.18"
+  {::rpc/auth true
+   ::doc/added "2.14"
    ::sm/params [:map]
    ::sm/result schema:connectivity}
   [cfg _params]
-  (nitrate/connectivity cfg))
+  (nitrate/call cfg :connectivity {}))
+
+(def ^:private schema:redeem-activation-code-params
+  [:map {:title "RedeemActivationCodeParams"}
+   [:activation-code ::sm/text]])
+
+(def ^:private schema:redeem-activation-code-result
+  [:map {:title "RedeemActivationCodeResult"}
+   [:cancel-at [:maybe ct/schema:inst]]])
+
+(sv/defmethod ::redeem-nitrate-activation-code
+  {::rpc/auth true
+   ::doc/added "2.14"
+   ::sm/params schema:redeem-activation-code-params
+   ::sm/result schema:redeem-activation-code-result}
+  [cfg {:keys [::rpc/profile-id activation-code]}]
+  (let [profile (db/get cfg :profile {:id profile-id})]
+    (try
+      (let [result (nitrate/call cfg :redeem-activation-code
+                                 {:request-params  {:code      activation-code
+                                                    :penpot-id profile-id
+                                                    :email     (:email profile)}})]
+        (when-not result
+          (ex/raise :type :validation
+                    :code :invalid-activation-code
+                    :hint "The activation code is invalid, expired or fully redeemed"))
+        result)
+      (catch Exception cause
+        (let [{:keys [type status]} (ex-data cause)]
+          (if (= type :nitrate-http-error)
+            (ex/raise :type :validation
+                      :code (case status
+                              410 :expired-activation-code
+                              :invalid-activation-code)
+                      :cause cause)
+            (throw cause)))))))
+
+(def ^:private sql:prefix-team-name-and-unset-default
+  "UPDATE team
+      SET name = ? || name,
+          is_default = FALSE
+    WHERE id = ?;")
+
+(def ^:private sql:get-member-teams-info
+  "SELECT t.id,
+          t.is_default,
+          tpr.is_owner,
+          (SELECT count(*)    FROM team_profile_rel WHERE team_id = t.id) AS num_members,
+          (SELECT array_agg(profile_id) FROM team_profile_rel WHERE team_id = t.id) AS member_ids
+     FROM team AS t
+     JOIN team_profile_rel AS tpr ON (tpr.team_id = t.id)
+    WHERE tpr.profile_id = ?
+      AND t.id = ANY(?)
+      AND t.deleted_at IS NULL")
+
+(def sql:get-team-files-count
+  "SELECT count(*) AS total
+     FROM file AS f
+     JOIN project AS p ON (p.id = f.project_id)
+    WHERE p.team_id = ?
+      AND f.deleted_at IS NULL")
+
+(def ^:private schema:leave-org
+  [:map
+   [:id ::sm/uuid]
+   [:name ::sm/text]
+   [:default-team-id ::sm/uuid]
+   [:teams-to-delete
+    [:vector ::sm/uuid]]
+   [:teams-to-leave
+    [:vector
+     [:map
+      [:id ::sm/uuid]
+      [:reassign-to {:optional true} ::sm/uuid]]]]])
+
+
+(defn- get-organization-teams-for-user
+  [{:keys [::db/conn] :as cfg} org-summary profile-id]
+  (let [org-team-ids (->> (:teams org-summary)
+                          (map :id))
+        ids-array    (db/create-array conn "uuid" org-team-ids)]
+    (db/exec! conn [sql:get-member-teams-info profile-id ids-array])))
+
+(defn- calculate-valid-teams
+  ([org-teams default-team-id]
+   (let [;; valid default team is the one which id is default-team-id
+         valid-default-team          (d/seek #(= default-team-id (:id %)) org-teams)
+
+         ;; Remove your-penpot for the rest of validations
+         org-teams                   (remove #(= default-team-id (:id %)) org-teams)
+
+         ;; valid teams to delete are those that the user is owner, and only have one member
+         valid-teams-to-delete-ids   (->> org-teams
+                                          (filter #(and (:is-owner %)
+                                                        (= (:num-members %) 1)))
+                                          (map :id)
+                                          (into #{}))
+         ;; valid teams to transfer are those that the user is owner, and have more than one member
+         valid-teams-to-transfer     (->> org-teams
+                                          (filter #(and (:is-owner %)
+                                                        (> (:num-members %) 1))))
+
+         ;; valid teams to exit are those that the user isn't owner, and have more than one member
+         valid-teams-to-exit         (->> org-teams
+                                          (filter #(and (not (:is-owner %))
+                                                        (> (:num-members %) 1))))]
+     {:valid-teams-to-delete-ids valid-teams-to-delete-ids
+      :valid-teams-to-transfer valid-teams-to-transfer
+      :valid-teams-to-exit valid-teams-to-exit
+      :valid-default-team valid-default-team})))
+
+(defn get-valid-teams [cfg organization-id profile-id default-team-id]
+  (let [org-summary                (nitrate/call cfg :get-org-summary {:organization-id organization-id})
+        org-teams                  (get-organization-teams-for-user cfg org-summary profile-id)]
+    (calculate-valid-teams org-teams default-team-id)))
+
+(defn- assert-valid-teams [cfg profile-id organization-id default-team-id teams-to-delete teams-to-leave]
+  (let [org-summary                (nitrate/call cfg :get-org-summary {:organization-id organization-id})
+        org-teams                  (get-organization-teams-for-user cfg org-summary profile-id)
+        {:keys [valid-teams-to-delete-ids
+                valid-teams-to-transfer
+                valid-teams-to-exit
+                valid-default-team]} (calculate-valid-teams org-teams default-team-id)
+
+
+
+        valid-teams-to-exit-ids     (->> valid-teams-to-exit (map :id) (into #{}))
+        valid-teams-to-transfer-ids (->> valid-teams-to-transfer (map :id) (into #{}))
+        valid-teams-to-leave-ids    (into valid-teams-to-transfer-ids valid-teams-to-exit-ids)
+
+        valid-default-team-id?      (some? valid-default-team)
+
+
+
+        valid-teams-to-delete?      (= valid-teams-to-delete-ids (into #{} teams-to-delete))
+
+        ;; for every team in teams-to-leave, check that:
+        ;; - if it has a reassign-to, it belongs to valid-teams-to-transfer and
+        ;;   the reassign-to is a member of the team and not the current user;
+        ;; - if it hasn't a reassign-to, check that it belongs to valid-teams-to-exit
+        teams-by-id                 (d/index-by :id org-teams)
+        valid-teams-to-leave?       (and
+                                     (= valid-teams-to-leave-ids (->> teams-to-leave (map :id) (into #{})))
+                                     (every? (fn [{:keys [id reassign-to]}]
+                                               (if reassign-to
+                                                 (let [members (db/pgarray->set (:member-ids (get teams-by-id id)))]
+                                                   (and (contains? valid-teams-to-transfer-ids id)
+                                                        (not= reassign-to profile-id)
+                                                        (contains? members reassign-to)))
+                                                 (contains? valid-teams-to-exit-ids id)))
+                                             teams-to-leave))]
+    ;; the org owner cannot leave
+    (when (= (:owner-id org-summary) profile-id)
+      (ex/raise :type :validation
+                :code :org-owner-cannot-leave))
+
+    (when (or
+           (not valid-teams-to-delete?)
+           (not valid-teams-to-leave?)
+           (not valid-default-team-id?))
+      (ex/raise :type :validation
+                :code :not-valid-teams))))
+
+
+(defn leave-org
+  [{:keys [::db/conn] :as cfg} {:keys [profile-id id name default-team-id teams-to-delete teams-to-leave skip-validation] :as params}]
+  (let [org-prefix                 (str "[" (d/sanitize-string name) "] ")
+
+        default-team-files-count    (-> (db/exec-one! conn [sql:get-team-files-count default-team-id])
+                                        :total)
+        delete-default-team?        (= default-team-files-count 0)]
+
+
+
+
+    ;; assert that the received teams are valid, checking the different constraints
+    (when-not skip-validation
+      (assert-valid-teams cfg profile-id id default-team-id teams-to-delete teams-to-leave))
+
+    (assert-membership cfg profile-id id)
+
+    ;; delete the teams-to-delete
+    (doseq [id teams-to-delete]
+      (teams/delete-team cfg {:profile-id profile-id :team-id id}))
+
+    ;; leave the teams-to-leave
+    (doseq [{:keys [id reassign-to]} teams-to-leave]
+      (teams/leave-team cfg {:profile-id profile-id :id id :reassign-to reassign-to}))
+
+    ;; Delete default-team-id if empty; otherwise keep it and prefix the name.
+    (if delete-default-team?
+      (do
+        (db/update! conn :team {:is-default false} {:id default-team-id})
+        (teams/delete-team cfg {:profile-id profile-id :team-id default-team-id}))
+      (db/exec! conn [sql:prefix-team-name-and-unset-default org-prefix default-team-id]))
+
+    ;; Api call to nitrate
+    (nitrate/call cfg :remove-profile-from-org {:profile-id profile-id :organization-id id})
+
+    nil))
+
+
+(sv/defmethod ::leave-org
+  {::rpc/auth true
+   ::doc/added "2.15"
+   ::sm/params schema:leave-org
+   ::db/transaction true}
+  [cfg {:keys [::rpc/profile-id] :as params}]
+  (leave-org cfg (assoc params :profile-id profile-id)))
+
+
+(def ^:private schema:remove-team-from-org
+  [:map
+   [:team-id ::sm/uuid]
+   [:organization-id ::sm/uuid]
+   [:organization-name ::sm/text]])
+
+(sv/defmethod ::remove-team-from-org
+  {::doc/added "2.17"
+   ::sm/params schema:remove-team-from-org}
+  [cfg {:keys [::rpc/profile-id  team-id organization-id organization-name]}]
+
+  (assert-is-owner cfg profile-id team-id)
+  (assert-not-default-team cfg team-id)
+  (assert-membership cfg profile-id organization-id)
+  ;; Check moveTeams permission on the source organization
+  (when (contains? cf/flags :nitrate)
+    (let [org-perms (nitrate/call cfg :get-org-permissions
+                                  {:organization-id organization-id})]
+      (if (nil? org-perms)
+        (ex/raise :type :validation
+                  :code :not-allowed
+                  :hint "Unable to verify organization permissions")
+        (when-not (nitrate-perms/allowed? :move-team
+                                          {:org-perms org-perms
+                                           :profile-id profile-id})
+          (ex/raise :type :validation
+                    :code :not-allowed
+                    :hint "You are not allowed to move teams that are part of this organization. If you need more information, contact the owner.")))))
+
+  ;; Api call to nitrate
+  (nitrate/call cfg :remove-team-from-org {:team-id team-id :organization-id organization-id})
+
+  ;; Notify connected users
+  (notifications/notify-team-change cfg {:id team-id :organization {:name organization-name}} "dashboard.team-no-longer-belong-org")
+  nil)
+
+
+(def ^:private schema:add-team-to-organization
+  [:map
+   [:team-id ::sm/uuid]
+   [:organization-id ::sm/uuid]])
+
+(sv/defmethod ::add-team-to-organization
+  {::rpc/auth true
+   ::doc/added "2.17"
+   ::sm/params schema:add-team-to-organization
+   ::db/transaction true}
+  [cfg {:keys [::rpc/profile-id  team-id organization-id]}]
+
+  (assert-is-owner cfg profile-id team-id)
+  (assert-not-default-team cfg team-id)
+  (assert-membership cfg profile-id organization-id)
+
+  (when (contains? cf/flags :nitrate)
+    (let [team-with-org         (nitrate/call cfg :get-team-org {:team-id team-id})
+          source-org-id         (get-in team-with-org [:organization :id])
+          source-org-perms      (when source-org-id
+                                  (nitrate/call cfg :get-org-permissions
+                                                {:organization-id source-org-id}))
+          target-org-perms      (nitrate/call cfg :get-org-permissions
+                                              {:organization-id organization-id})
+          target-org-same-owner? (and (some? source-org-perms)
+                                      (some? target-org-perms)
+                                      (= (:owner-id source-org-perms)
+                                         (:owner-id target-org-perms)))]
+      (when (nil? target-org-perms)
+        (ex/raise :type :validation
+                  :code :not-allowed
+                  :hint "Unable to verify organization permissions"))
+
+      ;; Team already belongs to an organization: check move-teams on source org.
+      (when (some? source-org-id)
+        (when (nil? source-org-perms)
+          (ex/raise :type :validation
+                    :code :not-allowed
+                    :hint "Unable to verify organization permissions"))
+        (when-not (nitrate-perms/allowed? :move-team
+                                          {:org-perms source-org-perms
+                                           :profile-id profile-id
+                                           :target-org-same-owner? target-org-same-owner?})
+          (ex/raise :type :validation
+                    :code :not-allowed
+                    :hint "You are not allowed to move teams that are part of this organization. If you need more information, contact the owner.")))
+
+      ;; Always check target create-teams permission (new/add and move flows).
+      (when-not (nitrate-perms/allowed? :create-team
+                                        {:org-perms target-org-perms
+                                         :profile-id profile-id})
+        (ex/raise :type :validation
+                  :code :not-allowed
+                  :hint "You are not allowed to add teams in this organization"))))
+
+  (let [team-members (db/query cfg :team-profile-rel {:team-id team-id})]
+    ;; Add teammates to the org if needed
+    (doseq [{member-id :profile-id} team-members
+            :when (not= member-id profile-id)]
+      (teams/initialize-user-in-nitrate-org cfg member-id organization-id)))
+
+  ;; Api call to nitrate
+  (let [team (nitrate/call cfg :set-team-org {:team-id team-id :organization-id organization-id :is-default false})]
+
+    ;; Notify connected users
+    (notifications/notify-team-change cfg team "dashboard.team-belong-org"))
+  nil)

backend/src/app/rpc/commands/profile.clj

@@ -48,6 +48,7 @@
 (def schema:props
   [:map {:title "ProfileProps"}
    [:plugins {:optional true} schema:plugin-registry]
+   [:renderer {:optional true} [::sm/one-of #{:svg :wasm}]]
    [:mcp-enabled {:optional true} ::sm/boolean]
    [:newsletter-updates {:optional true} ::sm/boolean]
    [:newsletter-news {:optional true} ::sm/boolean]
@@ -109,8 +110,10 @@
         (nitrate/add-nitrate-licence-to-profile cfg profile)
         profile))
 
-    (catch Throwable _
-      {:id uuid/zero :fullname "Anonymous User"})))
+    (catch Throwable cause
+      (if (= :not-found (-> cause ex-data :type))
+        {:id uuid/zero :fullname "Anonymous User"}
+        (throw cause)))))
 
 (defn get-profile
   "Get profile by id. Throws not-found exception if no profile found."
@@ -264,6 +267,7 @@
   [cfg {:keys [::rpc/profile-id file] :as params}]
   ;; Validate incoming mime type
   (media/validate-media-type! file #{"image/jpeg" "image/png" "image/webp"})
+  (media/validate-media-size! file)
   (update-profile-photo cfg (assoc params :profile-id profile-id)))
 
 (defn update-profile-photo
@@ -314,6 +318,25 @@
                    (climit/invoke! generate-thumbnail file))]
     (sto/put-object! storage params)))
 
+;; --- MUTATION: Delete Photo
+
+(sv/defmethod ::delete-profile-photo
+  {::doc/added "2.17"
+   ::sm/params [:map]
+   ::sm/result :nil
+   ::db/transaction true}
+  [{:keys [::db/conn ::sto/storage]} {:keys [::rpc/profile-id]}]
+  (let [profile (get-profile conn profile-id ::db/for-update true)]
+    (when-let [id (:photo-id profile)]
+      (sto/touch-object! storage id))
+
+    (db/update! conn :profile
+                {:photo-id nil}
+                {:id profile-id}
+                {::db/return-keys false})
+
+    nil))
+
 ;; --- MUTATION: Request Email Change
 
 (declare ^:private request-email-change!)
@@ -462,6 +485,16 @@
                 {:deleted-at deleted-at}
                 {:id profile-id})
 
+    ;; Delete owned organizations on the fly (no grace period).
+    ;; Nitrate iterates the user's owned orgs and, per org, calls
+    ;; Penpot back via ::notify-organization-deletion which renames
+    ;; the org's teams (prefixed with "[OrgName] ", including the
+    ;; user's "Your Penpot" team) and soft-deletes empty ones.
+    (when (contains? cf/flags :nitrate)
+      (nitrate/call cfg :delete-owned-orgs {:profile-id profile-id})
+      ;; Remove the user from any remaining org memberships.
+      (nitrate/call cfg :remove-profile-from-all-orgs {:profile-id profile-id}))
+
     ;; Schedule cascade deletion to a worker
     (wrk/submit! {::db/conn conn
                   ::wrk/task :delete-object
@@ -469,7 +502,6 @@
                                 :deleted-at deleted-at
                                 :id profile-id}})
 
-
     (-> (rph/wrap nil)
         (rph/with-transform (session/delete-fn cfg)))))
 
@@ -496,6 +528,29 @@
   (let [editors (db/exec! cfg [sql:get-subscription-editors profile-id])]
     {:editors editors}))
 
+;; --- QUERY: Owned Organizations Summary (for delete-account modal)
+
+(def ^:private schema:owned-organization-summary
+  [:map
+   [:id ::sm/uuid]
+   [:name ::sm/text]
+   [:slug ::sm/text]
+   [:team-count ::sm/int]
+   [:member-count ::sm/int]])
+
+(def ^:private schema:get-owned-organizations-summary-result
+  [:vector schema:owned-organization-summary])
+
+(sv/defmethod ::get-owned-organizations-summary
+  "List organizations owned by the current profile with team and member counts.
+   Used by the delete-account modal to warn the user about cascading deletion."
+  {::doc/added "2.18"
+   ::sm/result schema:get-owned-organizations-summary-result}
+  [cfg {:keys [::rpc/profile-id]}]
+  (if (contains? cf/flags :nitrate)
+    (or (nitrate/call cfg :get-owned-orgs-summary {:profile-id profile-id}) [])
+    []))
+
 ;; --- HELPERS
 
 (def sql:owned-teams

backend/src/app/rpc/commands/teams.clj

@@ -12,6 +12,7 @@
    [app.common.features :as cfeat]
    [app.common.schema :as sm]
    [app.common.time :as ct]
+   [app.common.types.nitrate-permissions :as nitrate-perms]
    [app.common.types.team :as types.team]
    [app.common.uuid :as uuid]
    [app.config :as cf]
@@ -193,7 +194,9 @@
   (dm/with-open [conn (db/open pool)]
     (cond->> (get-teams conn profile-id)
       (contains? cf/flags :nitrate)
-      (map #(nitrate/add-org-info-to-team cfg % params)))))
+      (map #(nitrate/add-org-info-to-team cfg % params))
+      (contains? cf/flags :nitrate)
+      (remove #(get-in % [:organization :expired-license])))))
 
 (def ^:private sql:get-owned-teams
   "SELECT t.id, t.name,
@@ -471,8 +474,8 @@
 ;; --- COMMAND QUERY: get-team-info
 
 (defn get-team-info
-  [{:keys [::db/conn] :as cfg} {:keys [id] :as params}]
-  (-> (db/get* conn :team
+  [cfg {:keys [id] :as params}]
+  (-> (db/get* cfg :team
                {:id id}
                {::sql/columns [:id :is-default :features]})
       (decode-row)))
@@ -497,18 +500,36 @@
 
 (def ^:private schema:create-team
   [:map {:title "create-team"}
-   [:name [:string {:max 250}]]
+   [:name types.team/schema:team-name]
    [:features {:optional true} ::cfeat/features]
-   [:id {:optional true} ::sm/uuid]])
+   [:id {:optional true} ::sm/uuid]
+   [:organization-id {:optional true} ::sm/uuid]
+   [:is-default {:optional true} :boolean]])
 
 (sv/defmethod ::create-team
   {::doc/added "1.17"
    ::sm/params schema:create-team}
-  [cfg {:keys [::rpc/profile-id] :as params}]
+  [cfg {:keys [::rpc/profile-id organization-id] :as params}]
 
   (quotes/check! cfg {::quotes/id ::quotes/teams-per-profile
                       ::quotes/profile-id profile-id})
 
+  ;; When creating inside an org, verify the user has permission to do so.
+  ;; Fail closed: if org permissions cannot be fetched, deny the operation.
+  (when (and organization-id (contains? cf/flags :nitrate))
+    (let [org-perms (nitrate/call cfg :get-org-permissions
+                                  {:organization-id organization-id})]
+      (if (nil? org-perms)
+        (ex/raise :type :validation
+                  :code :not-allowed
+                  :hint "Unable to verify organization permissions")
+        (when-not (nitrate-perms/allowed? :create-team
+                                          {:org-perms org-perms
+                                           :profile-id profile-id})
+          (ex/raise :type :validation
+                    :code :not-allowed
+                    :hint "You are not allowed to create teams in this organization")))))
+
   (let [features (-> (cfeat/get-enabled-features cf/flags)
                      (set/difference cfeat/frontend-only-features)
                      (set/difference cfeat/no-team-inheritable-features))
@@ -520,17 +541,89 @@
     (with-meta team
       {::audit/props {:id (:id team)}})))
 
+
+(defn create-default-org-team
+  [cfg profile-id organization-id]
+  (quotes/check! cfg {::quotes/id ::quotes/teams-per-profile
+                      ::quotes/profile-id profile-id})
+
+  (let [features (-> (cfeat/get-enabled-features cf/flags)
+                     (set/difference cfeat/frontend-only-features)
+                     (set/difference cfeat/no-team-inheritable-features))
+        params   {:profile-id profile-id
+                  :name "Your Penpot"
+                  :features features
+                  :organization-id organization-id
+                  :is-default true}
+        team     (create-team cfg params)]
+    (select-keys team [:id])))
+
+(defn initialize-user-in-nitrate-org
+  "If needed, create a default team for the user on the organization,
+   and notify Nitrate that an user has been added to an org."
+  ([cfg profile-id organization-id]
+   (initialize-user-in-nitrate-org cfg profile-id organization-id nil))
+  ([cfg profile-id organization-id email]
+   (assert (db/connection-map? cfg)
+           "expected cfg with valid connection")
+   (when (contains? cf/flags :nitrate)
+     (db/tx-run!
+      cfg
+      (fn [{:keys [::db/conn] :as tx-cfg}]
+
+        (let [membership (nitrate/call cfg :get-org-membership {:profile-id profile-id
+                                                                :organization-id organization-id})]
+          ;; Only when the user doesn't belong to the organization yet
+          (when (and
+                 (some? (:organization-id membership)) ;; the organization exists
+                 (not (:is-member membership)))        ;; the user is not a member of the org yet
+
+
+            (let [organization-id           organization-id
+                  default-team     (create-default-org-team (assoc tx-cfg ::db/conn conn) profile-id organization-id)
+                  default-team-id  (:id default-team)
+                  result           (nitrate/call tx-cfg :add-profile-to-org (cond-> {:profile-id profile-id
+                                                                                     :team-id default-team-id
+                                                                                     :organization-id organization-id}
+                                                                              (some? email) (assoc :email email)))]
+              (when (not (:is-member result))
+                (ex/raise :type :internal
+                          :code :failed-add-profile-org-nitrate
+                          :context {:profile-id profile-id
+                                    :organization-id organization-id
+                                    :default-team-id default-team-id}))
+              default-team-id))))))))
+
+(defn add-profile-to-team!
+  ([cfg params]
+   (add-profile-to-team! cfg params nil))
+  ([{:keys [::db/conn] :as cfg} {:keys [:profile-id :team-id] :as params} options]
+   (assert (db/connection-map? cfg)
+           "expected cfg with valid connection")
+   (when (contains? cf/flags :nitrate)
+     (let [membership (nitrate/call cfg :get-org-membership-by-team {:profile-id profile-id :team-id team-id})]
+       ;; Only when the team belong to an organization and the user is not a member
+       (when (and
+              (some? (:organization-id membership)) ;; the team do belong to an organization
+              (not (:is-member membership)))        ;; the user is not a member of the org yet
+         (initialize-user-in-nitrate-org cfg profile-id (:organization-id membership)))))
+   (db/insert! conn :team-profile-rel params options)))
+
 (defn create-team
   "This is a complete team creation process, it creates the team
   object and all related objects (default role and default project)."
-  [cfg-or-conn params]
-  (let [conn    (db/get-connection cfg-or-conn)
-        team    (create-team* conn params)
+  [{:keys [::db/conn] :as cfg} params]
+  (assert (db/connection-map? cfg)
+          "expected cfg with valid connection")
+  (let [team    (create-team* conn params)
         params  (assoc params
                        :team-id (:id team)
                        :role :owner)
         project (create-team-default-project conn params)]
-    (create-team-role conn params)
+    (create-team-role cfg params)
+    ;; Set team organization in Nitrate if organization-id is provided
+    (when (and (contains? cf/flags :nitrate) (:organization-id params))
+      (nitrate/set-team-organization cfg team params))
     (assoc team :default-project-id (:id project))))
 
 (defn- create-team*
@@ -546,11 +639,13 @@
     (decode-row team)))
 
 (defn- create-team-role
-  [conn {:keys [profile-id team-id role] :as params}]
+  [cfg {:keys [profile-id team-id role] :as params}]
+  (assert (db/connection-map? cfg)
+          "expected cfg with valid connection")
   (let [params {:team-id team-id
                 :profile-id profile-id}]
     (->> (perms/assign-role-flags params role)
-         (db/insert! conn :team-profile-rel))))
+         (add-profile-to-team! cfg))))
 
 (defn- create-team-default-project
   [conn {:keys [profile-id team-id] :as params}]
@@ -591,7 +686,7 @@
 
 (def ^:private schema:update-team
   [:map {:title "update-team"}
-   [:name [:string {:max 250}]]
+   [:name types.team/schema:team-name]
    [:id ::sm/uuid]])
 
 (sv/defmethod ::update-team
@@ -609,7 +704,7 @@
 ;; --- Mutation: Leave Team
 
 (defn leave-team
-  [conn {:keys [profile-id id reassign-to]}]
+  [{:keys [::db/conn ::mbus/msgbus]} {:keys [profile-id id reassign-to]}]
   (let [perms   (get-permissions conn profile-id id)
         members (get-team-members conn id)]
 
@@ -624,7 +719,9 @@
       ;; if the `reassign-to` is filled and has a different value
       ;; than the current profile-id, we proceed to reassing the
       ;; owner role to profile identified by the `reassign-to`.
-      (and reassign-to (not= reassign-to profile-id))
+      ;; Ignore the reasignation if the current profile is not
+      ;; the owner
+      (and reassign-to (not= reassign-to profile-id) (:is-owner perms))
       (let [member (d/seek #(= reassign-to (:id %)) members)]
         (when-not member
           (ex/raise :type :not-found :code :member-does-not-exist))
@@ -638,7 +735,15 @@
         ;; assign owner role to new profile
         (db/update! conn :team-profile-rel
                     (get types.team/permissions-for-role :owner)
-                    {:team-id id :profile-id reassign-to}))
+                    {:team-id id :profile-id reassign-to})
+
+        ;; notify new owner
+        (mbus/pub! msgbus
+                   :topic reassign-to
+                   :message {:type :team-role-change
+                             :topic reassign-to
+                             :team-id id
+                             :role :owner}))
 
       ;; and finally, if all other conditions does not match and the
       ;; current profile is owner, we dont allow it because there
@@ -663,32 +768,59 @@
   {::doc/added "1.17"
    ::sm/params schema:leave-team
    ::db/transaction true}
-  [{:keys [::db/conn] :as cfg} {:keys [::rpc/profile-id] :as params}]
-  (leave-team conn (assoc params :profile-id profile-id)))
+  [cfg {:keys [::rpc/profile-id] :as params}]
+  (leave-team cfg (assoc params :profile-id profile-id)))
+
 
 ;; --- Mutation: Delete Team
 
-(defn- delete-team
+(defn delete-team
   "Mark a team for deletion"
-  [conn {:keys [id] :as team}]
+  [{:keys [::db/conn] :as cfg} {:keys [profile-id team-id] :as params}]
 
-  (let [delay (ldel/get-deletion-delay team)
-        team  (db/update! conn :team
-                          {:deleted-at (ct/in-future delay)}
-                          {:id id}
-                          {::db/return-keys true})]
+  (let [team  (get-team conn :profile-id profile-id :team-id team-id)
+        team  (if (contains? cf/flags :nitrate)
+                (nitrate/add-org-info-to-team cfg team params)
+                team)
+        perms (get team :permissions)
+        org   (:organization team)
+        in-org? (and (contains? cf/flags :nitrate) org)
+        can-delete?
+        (if in-org?
+          (nitrate-perms/allowed? :delete-team
+                                  {:org-perms {:owner-id    (dm/get-in team [:organization :owner-id])
+                                               :permissions (dm/get-in team [:organization :permissions])}
+                                   :profile-id profile-id
+                                   :team-perms perms
+                                   ;; `onlyMe` is for a future org-level flow.
+                                   :allow-org-owner-delete? false})
+          (boolean (:is-owner perms)))]
+
+    (when-not can-delete?
+      (ex/raise :type :validation
+                :code :only-owner-can-delete-team))
 
     (when (:is-default team)
       (ex/raise :type :validation
                 :code :non-deletable-team
                 :hint "impossible to delete default team"))
 
+    (let [delay (ldel/get-deletion-delay team)
+          team  (db/update! conn :team
+                            {:deleted-at (ct/in-future delay)}
+                            {:id team-id}
+                            {::db/return-keys true})]
+
+      ;; Api call to nitrate
+      (when (contains? cf/flags :nitrate)
+        (nitrate/call cfg :delete-team {:profile-id profile-id :team-id team-id}))
+
       (wrk/submit! {::db/conn conn
                     ::wrk/task :delete-object
                     ::wrk/params {:object :team
                                   :deleted-at (:deleted-at team)
-                                :id id}})
-    team))
+                                  :id team-id}})
+      team)))
 
 (def ^:private schema:delete-team
   [:map {:title "delete-team"}
@@ -698,16 +830,9 @@
   {::doc/added "1.17"
    ::sm/params schema:delete-team
    ::db/transaction true}
-  [{:keys [::db/conn] :as cfg} {:keys [::rpc/profile-id id] :as params}]
-  (let [team  (get-team conn :profile-id profile-id :team-id id)
-        perms (get team :permissions)]
-
-    (when-not (:is-owner perms)
-      (ex/raise :type :validation
-                :code :only-owner-can-delete-team))
-
-    (delete-team conn team)
-    nil))
+  [cfg {:keys [::rpc/profile-id id] :as params}]
+  (delete-team cfg {:team-id id :profile-id profile-id})
+  nil)
 
 ;; --- Mutation: Team Update Role
 
@@ -827,6 +952,7 @@
   ;; Validate incoming mime type
 
   (media/validate-media-type! file #{"image/jpeg" "image/png" "image/webp"})
+  (media/validate-media-size! file)
   (update-team-photo cfg (assoc params :profile-id profile-id)))
 
 (defn update-team-photo

backend/src/app/rpc/commands/teams_invitations.clj

@@ -19,8 +19,10 @@
    [app.config :as cf]
    [app.db :as db]
    [app.email :as eml]
+   [app.email.blacklist :as email.blacklist]
    [app.loggers.audit :as audit]
    [app.main :as-alias main]
+   [app.nitrate :as nitrate]
    [app.rpc :as-alias rpc]
    [app.rpc.commands.profile :as profile]
    [app.rpc.commands.teams :as teams]
@@ -35,20 +37,29 @@
 ;; --- Mutation: Create Team Invitation
 
 (def sql:upsert-team-invitation
-  "insert into team_invitation(id, team_id, email_to, created_by, role, valid_until)
-   values (?, ?, ?, ?, ?, ?)
+  "insert into team_invitation(id, team_id, org_id, email_to, created_by, role, valid_until)
+   values (?, ?, null, ?, ?, ?, ?)
        on conflict(team_id, email_to) do
           update set role = ?, valid_until = ?, updated_at = now()
    returning *")
 
+(def sql:upsert-org-invitation
+  "insert into team_invitation(id, team_id, org_id, email_to, created_by, role, valid_until)
+   values (?, null, ?, ?, ?, ?, ?)
+       on conflict(org_id, email_to) where team_id is null do
+          update set role = ?, valid_until = ?, updated_at = now()
+   returning *")
+
 (defn- create-invitation-token
-  [cfg {:keys [profile-id valid-until team-id member-id member-email role]}]
+  [cfg {:keys [profile-id valid-until organization-id organization-name team-id member-id member-email role]}]
   (tokens/generate cfg
                    {:iss :team-invitation
                     :exp valid-until
                     :profile-id profile-id
                     :role role
                     :team-id team-id
+                    :organization-id organization-id
+                    :organization-name organization-name
                     :member-email member-email
                     :member-id member-id}))
 
@@ -74,23 +85,51 @@
    [:role types.team/schema:role]
    [:email ::sm/email]])
 
+(def ^:private schema:create-org-invitation
+  [:map {:title "params:create-org-invitation"}
+   [::rpc/profile-id ::sm/uuid]
+   [:organization
+    [:map
+     [:id ::sm/uuid]
+     [:name :string]
+     [:initials [:maybe :string]]
+     [:logo ::sm/uri]]]
+   [:profile
+    [:map
+     [:id ::sm/uuid]
+     [:fullname :string]]]
+   [:role types.team/schema:role]
+   [:email ::sm/email]])
+
 (def ^:private check-create-invitation-params
   (sm/check-fn schema:create-invitation))
 
+(def ^:private check-create-org-invitation-params
+  (sm/check-fn schema:create-org-invitation))
+
 (defn- allow-invitation-emails?
   [member]
   (let [notifications (dm/get-in member [:props :notifications])]
     (not= :none (:email-invites notifications))))
 
 (defn- create-invitation
-  [{:keys [::db/conn] :as cfg} {:keys [team profile role email] :as params}]
+  [{:keys [::db/conn] :as cfg} {:keys [team organization profile role email] :as params}]
 
-  (assert (db/connection? conn) "expected valid connection on cfg parameter")
-  (assert (check-create-invitation-params params))
+  (assert (db/connection-map? cfg)
+          "expected cfg with valid connection")
+  (if organization
+    (assert (check-create-org-invitation-params params))
+    (assert (check-create-invitation-params params)))
 
   (let [email  (profile/clean-email email)
         member (profile/get-profile-by-email conn email)]
 
+    (when (and (email.blacklist/enabled? cfg)
+               (email.blacklist/contains? cfg email))
+      (ex/raise :type :restriction
+                :code :email-domain-is-not-allowed
+                :hint "email domain is in the blacklist"))
+
     ;; When we have email verification disabled and invitation user is
     ;; already present in the database, we proceed to add it to the
     ;; team as-is, without email roundtrip.
@@ -103,9 +142,12 @@
                            :profile-id (:id member)}
                           (get types.team/permissions-for-role role))]
 
+        (if organization
+          ;; Insert the invited member to the org
+          (when (contains? cf/flags :nitrate)
+            (teams/initialize-user-in-nitrate-org cfg (:id member) (:id organization) email))
           ;; Insert the invited member to the team
-        (db/insert! conn :team-profile-rel params
-                    {::db/on-conflict-do-nothing? true})
+          (teams/add-profile-to-team! cfg params {::db/on-conflict-do-nothing? true}))
 
         ;; If profile is not yet verified, mark it as verified because
         ;; accepting an invitation link serves as verification.
@@ -122,18 +164,30 @@
         (teams/check-email-spam conn email true)
 
         (let [id         (uuid/next)
-              expire     (ct/in-future "168h") ;; 7 days
-              invitation (db/exec-one! conn [sql:upsert-team-invitation id
-                                             (:id team) (str/lower email)
+              expire     (if organization
+                           (ct/in-future "876000h")  ;; Organization invitations doesn't expire
+                           (ct/in-future "168h")) ;; 7 days
+              invitation (db/exec-one! conn (if organization
+                                              [sql:upsert-org-invitation id
+                                               (:id organization)
+                                               (str/lower email)
                                                (:id profile)
                                                (name role) expire
-                                             (name role) expire])
+                                               (name role) expire]
+                                              [sql:upsert-team-invitation id
+                                               (:id team)
+                                               (str/lower email)
+                                               (:id profile)
+                                               (name role) expire
+                                               (name role) expire]))
               updated?   (not= id (:id invitation))
               profile-id (:id profile)
               tprops     {:profile-id profile-id
                           :invitation-id (:id invitation)
                           :valid-until expire
                           :team-id (:id team)
+                          :organization-id (:id organization)
+                          :organization-name (:name organization)
                           :member-email (:email-to invitation)
                           :member-id (:id member)
                           :role role}
@@ -145,28 +199,58 @@
 
           (let [props  (-> (dissoc tprops :profile-id)
                            (audit/clean-props))
-                evname (if updated?
-                         "update-team-invitation"
-                         "create-team-invitation")
+                evname (cond
+                         (and updated? organization) "update-org-invitation"
+                         updated? "update-team-invitation"
+                         organization "create-org-invitation"
+                         :else "create-team-invitation")
                 event (-> (audit/event-from-rpc-params params)
-                          (assoc ::audit/name evname)
-                          (assoc ::audit/props props))]
-            (audit/submit! cfg event))
+                          (assoc :name evname)
+                          (assoc :props props))]
+            (audit/submit cfg event))
 
           (when (allow-invitation-emails? member)
+            (if organization
+              (when (contains? cf/flags :nitrate)
+                (eml/send! {::eml/conn conn
+                            ::eml/factory eml/invite-to-org
+                            :public-uri (cf/get :public-uri)
+                            :to email
+                            :invited-by (:fullname profile)
+                            :user-name (:fullname member)
+                            :organization-name (:name organization)
+                            :organization-logo (:logo organization)
+                            :organization-initials (:initials organization)
+                            :token itoken
+                            :extra-data ptoken}))
+              (let [team (if (contains? cf/flags :nitrate)
+                           (nitrate/add-org-info-to-team cfg team {})
+                           team)]
                 (eml/send! {::eml/conn conn
                             ::eml/factory eml/invite-to-team
                             :public-uri (cf/get :public-uri)
                             :to email
                             :invited-by (:fullname profile)
                             :team (:name team)
+                            :organization (dm/get-in team [:organization :name])
                             :token itoken
-                        :extra-data ptoken}))
+                            :extra-data ptoken}))))
 
           itoken)))))
 
+(defn create-org-invitation
+  [cfg {:keys [::rpc/profile-id id name initials logo] :as params}]
+  (let [profile  (db/get-by-id cfg :profile profile-id)]
+    (create-invitation cfg
+                       (assoc params
+                              :organization {:id id :name name :initials initials :logo logo}
+                              :profile profile
+                              :role :editor))))
+
 (defn- add-member-to-team
-  [conn profile team role member]
+  [{:keys [::db/conn] :as cfg} profile team role member]
+  (assert (db/connection-map? cfg)
+          "expected cfg with valid connection")
 
   (let [team-id (:id team)
         params  (merge
@@ -186,7 +270,7 @@
       ::quotes/team-id team-id})
 
     ;; Insert the member to the team
-    (db/insert! conn :team-profile-rel params {::db/on-conflict-do-nothing? true})
+    (teams/add-profile-to-team! cfg params {::db/on-conflict-do-nothing? true})
 
     ;; Delete any request
     (db/delete! conn :team-access-request
@@ -268,7 +352,7 @@
          (filter #(contains? invitation-emails (key %)))
          (map (fn [[email member]]
                 (let [role (:role (first (filter #(= (:email %) email) invitation-data)))]
-                  (add-member-to-team conn profile team role member))))
+                  (add-member-to-team cfg profile team role member))))
          (doall))
 
     invitations))
@@ -403,9 +487,9 @@
 
     (let [props {:name name :features features}
           event (-> (audit/event-from-rpc-params params)
-                    (assoc ::audit/name "create-team")
-                    (assoc ::audit/props props))]
-      (audit/submit! cfg event))
+                    (assoc :name "create-team")
+                    (assoc :props props))]
+      (audit/submit cfg event))
 
     ;; Create invitations for all provided emails.
     (let [profile     (db/get-by-id conn :profile profile-id)

backend/src/app/rpc/commands/verify_token.clj

@@ -16,8 +16,10 @@
    [app.http.session :as session]
    [app.loggers.audit :as audit]
    [app.main :as-alias main]
+   [app.nitrate :as nitrate]
    [app.rpc :as-alias rpc]
    [app.rpc.commands.profile :as profile]
+   [app.rpc.commands.teams :as teams]
    [app.rpc.doc :as-alias doc]
    [app.rpc.helpers :as rph]
    [app.rpc.quotes :as quotes]
@@ -72,6 +74,11 @@
                   {:is-active true}
                   {:id (:id profile)}))
 
+    ;; NOTE: `claims` is returned verbatim (besides :profile). When the
+    ;; verify-email JWE was minted by `register-profile` for a not-yet-
+    ;; active profile that came from an invitation flow, `:invitation-
+    ;; token` will be present here and the frontend will use it to
+    ;; complete the team-invitation flow after login.
     (-> claims
         (rph/with-transform (session/create-fn cfg profile))
         (rph/with-meta {::audit/name "verify-profile-email"
@@ -86,52 +93,74 @@
 ;; --- Team Invitation
 
 (defn- accept-invitation
-  [{:keys [::db/conn] :as cfg} {:keys [team-id role member-email] :as claims} invitation member]
+  [{:keys [::db/conn] :as cfg}
+   {:keys [team-id organization-id role member-email] :as claims} invitation member]
   (let [;; Update the role if there is an invitation
         role   (or (some-> invitation :role keyword) role)
-        params (merge
-                {:team-id team-id
-                 :profile-id (:id member)}
-                (get types.team/permissions-for-role role))]
+        id-member (:id member)]
 
     ;; Do not allow blocked users accept invitations.
     (when (:is-blocked member)
       (ex/raise :type :restriction
                 :code :profile-blocked))
 
+    (when team-id
       (quotes/check! cfg {::quotes/id ::quotes/profiles-per-team
-                        ::quotes/profile-id (:id member)
-                        ::quotes/team-id team-id})
+                          ::quotes/profile-id id-member
+                          ::quotes/team-id team-id}))
 
+    (let [params (merge
+                  {:team-id team-id
+                   :profile-id id-member}
+                  (get types.team/permissions-for-role role))
+
+          accepted-team-id (if organization-id
+                             ;; Insert the invited member to the org
+                             (when (contains? cf/flags :nitrate)
+                               (teams/initialize-user-in-nitrate-org cfg id-member organization-id member-email))
                              ;; Insert the invited member to the team
-    (db/insert! conn :team-profile-rel params {::db/on-conflict-do-nothing? true})
+                             (do (teams/add-profile-to-team! cfg params {::db/on-conflict-do-nothing? true})
+                                 team-id))]
+
+      (when-not accepted-team-id
+        (ex/raise :type :internal
+                  :code :accept-invitation-failed
+                  :hint "the accept invitation has failed"))
+
 
       ;; If profile is not yet verified, mark it as verified because
       ;; accepting an invitation link serves as verification.
       (when-not (:is-active member)
         (db/update! conn :profile
                     {:is-active true}
-                  {:id (:id member)}))
+                    {:id id-member}))
 
       ;; Delete the invitation
       (db/delete! conn :team-invitation
-                {:team-id team-id :email-to member-email})
+                  (cond-> {:email-to member-email}
+                    team-id (assoc :team-id team-id)
+                    organization-id  (assoc :org-id organization-id)))
 
-    ;; Delete any request
+      ;; Delete any request (only applicable for team invitations)
+      (when team-id
         (db/delete! conn :team-access-request
-                {:team-id team-id :requester-id (:id member)})
+                    {:team-id team-id :requester-id id-member}))
 
-    (assoc member :is-active true)))
+      accepted-team-id)))
 
 (def schema:team-invitation-claims
+  [:and
    [:map {:title "TeamInvitationClaims"}
     [:iss :keyword]
     [:exp ::ct/inst]
     [:profile-id ::sm/uuid]
     [:role types.team/schema:role]
-   [:team-id ::sm/uuid]
+    [:team-id {:optional true} ::sm/uuid]
+    [:organization-id {:optional true} ::sm/uuid]
     [:member-email ::sm/email]
-   [:member-id {:optional true} ::sm/uuid]])
+    [:member-id {:optional true} ::sm/uuid]]
+   [:fn {:error/message "team-id or organization-id must be present"}
+    (fn [m] (or (:team-id m) (:organization-id m)))]])
 
 (def valid-team-invitation-claims?
   (sm/lazy-validator schema:team-invitation-claims))
@@ -139,7 +168,7 @@
 (defmethod process-token :team-invitation
   [{:keys [::db/conn] :as cfg}
    {:keys [::rpc/profile-id token] :as params}
-   {:keys [member-id team-id member-email] :as claims}]
+   {:keys [member-id team-id organization-id member-email] :as claims}]
 
   (when-not (valid-team-invitation-claims? claims)
     (ex/raise :type :validation
@@ -147,19 +176,45 @@
               :hint "invitation token contains unexpected data"))
 
   (let [invitation             (db/get* conn :team-invitation
-                                        {:team-id team-id :email-to member-email})
+                                        (cond-> {:email-to member-email}
+                                          team-id (assoc :team-id team-id)
+                                          organization-id  (assoc :org-id organization-id)))
         profile                (db/get* conn :profile
                                         {:id profile-id}
-                                        {:columns [:id :email]})
-        registration-disabled? (not (contains? cf/flags :registration))]
+                                        {:columns [:id :email :default-team-id]})
+        registration-disabled? (not (contains? cf/flags :registration))
+
+        org-invitation?        (and (contains? cf/flags :nitrate) organization-id)
+        membership             (when org-invitation?
+                                 (nitrate/call cfg :get-org-membership {:profile-id profile-id
+                                                                        :organization-id organization-id}))]
+
+    (if profile
+      (do
+        (when-not (or (= member-id profile-id)
+                      (= member-email (:email profile)))
+          (ex/raise :type :validation
+                    :code :invalid-token
+                    :reason :email-mismatch
+                    :hint "logged-in user does not matches the invitation"))
+
+        (when (:is-member membership)
+          (ex/raise :type :validation
+                    :code :already-an-org-member
+                    :team-id (:default-team-id membership)
+                    :hint "the user is already a member of the organization"))
+
+        (when (and org-invitation? (not (:organization-id membership)))
+          (ex/raise :type :validation
+                    :code :org-not-found
+                    :team-id (:default-team-id profile)
+                    :hint "the organization doesn't exist"))
+
         (when (nil? invitation)
           (ex/raise :type :validation
                     :code :invalid-token
                     :hint "no invitation associated with the token"))
 
-    (if (some? profile)
-      (if (or (= member-id profile-id)
-              (= member-email (:email profile)))
 
         ;; if we have logged-in user and it matches the invitation we proceed
         ;; with accepting the invitation and joining the current profile to the
@@ -168,40 +223,45 @@
                      :role (:role claims)
                      :invitation-id (:id invitation)}]
 
-          (audit/submit!
-           cfg
+          (audit/submit cfg
                         (-> (audit/event-from-rpc-params params)
-               (assoc ::audit/name "accept-team-invitation")
-               (assoc ::audit/props props)))
+                            (assoc :name "accept-team-invitation")
+                            (assoc :props props)))
 
           ;; NOTE: Backward compatibility; old invitations can
           ;; have the `created-by` to be nil; so in this case we
           ;; don't submit this event to the audit-log
           (when-let [created-by (:created-by invitation)]
-            (audit/submit!
-             cfg
+            (audit/submit cfg
                           (-> (audit/event-from-rpc-params params)
-                 (assoc ::audit/profile-id created-by)
-                 (assoc ::audit/name "accept-team-invitation-from")
-                 (assoc ::audit/props (assoc props
+                              (assoc :profile-id created-by)
+                              (assoc :name "accept-team-invitation-from")
+                              (assoc :props (assoc props
                                                    :profile-id (:id profile)
                                                    :email (:email profile))))))
 
-          (accept-invitation cfg claims invitation profile)
-          (assoc claims :state :created))
+          (let [accepted-team-id (accept-invitation cfg claims invitation profile)]
+            (cond-> (assoc claims :state :created)
+              ;; when the invitation is to an org, instead of a team, add the
+              ;; accepted-team-id as :org-team-id
+              (:organization-id claims)
+              (assoc :org-team-id accepted-team-id)))))
 
+      (do
+        ;; If the user is not logged-in and the token is invalid we throw the error
+        ;; Taiga issue #14182
+        (when (nil? invitation)
           (ex/raise :type :validation
                     :code :invalid-token
-                  :hint "logged-in user does not matches the invitation"))
+                    :hint "no invitation associated with the token"))
 
         ;; If we have not logged-in user, and invitation comes with member-id we
-      ;; redirect user to login, if no memeber-id is present and  in the invitation
+        ;; redirect user to login, if no member-id is present and  in the invitation
         ;; token and registration is enabled, we redirect user the the register page.
-
         {:invitation-token token
          :iss :team-invitation
          :redirect-to (if (or member-id registration-disabled?) :auth-login :auth-register)
-       :state :pending})))
+         :state :pending}))))
 
 ;; --- Default
 

backend/src/app/rpc/commands/viewer.clj

@@ -28,19 +28,25 @@
       (update :pages-index select-keys allowed)))
 
 (defn obfuscate-email
+  "Obfuscate the `email` for share-link members so the viewer only sees a
+   partially redacted address. Accepts any string shape (including nil,
+   missing `@`, or a domain with no `.`) and falls back to a fully-masked
+   result rather than throwing — the function is called while building the
+   view-only bundle for anonymous viewers, so an NPE here would abort the
+   entire share-link response."
   [email]
   (let [[name domain]
-        (str/split email "@" 2)
+        (str/split (or email "") "@" 2)
 
         [_ rest]
-        (str/split domain "." 2)
+        (str/split (or domain "") "." 2)
 
         name
         (if (> (count name) 3)
           (str (subs name 0 1) (apply str (take (dec (count name)) (repeat "*"))))
           "****")]
 
-    (str name "@****." rest)))
+    (str name "@****" (when rest (str "." rest)))))
 
 (defn anonymize-member
   [member]

backend/src/app/rpc/commands/webhooks.clj

@@ -50,24 +50,27 @@
 (defn- validate-webhook!
   [cfg whook params]
   (when (not= (:uri whook) (:uri params))
-    (let [response (ex/try!
-                    (http/req! cfg
+    (try
+      (let [response (http/req cfg
                                {:method :head
                                 :uri (str (:uri params))
-                                :timeout (ct/duration "3s")}
-                               {:sync? true}))]
-      (if (ex/exception? response)
-        (if-let [hint (webhooks/interpret-exception response)]
-          (ex/raise :type :validation
-                    :code :webhook-validation
-                    :hint hint)
-          (ex/raise :type :internal
-                    :code :webhook-validation
-                    :cause response))
+                                :timeout (ct/duration "3s")})]
         (when-let [hint (webhooks/interpret-response response)]
           (ex/raise :type :validation
                     :code :webhook-validation
-                    :hint hint))))))
+                    :hint hint)))
+
+      (catch Throwable cause
+        (if-let [hint (webhooks/interpret-exception cause)]
+          (ex/raise :type :validation
+                    :code :webhook-validation
+                    :hint hint
+                    :webhook-uri (str (:uri params))
+                    :cause cause)
+          (ex/raise :type :internal
+                    :code :webhook-validation
+                    :webhook-uri (str (:uri params))
+                    :cause cause))))))
 
 (defn- validate-quotes!
   [{:keys [::db/pool]} {:keys [team-id]}]

backend/src/app/rpc/cond.clj

@@ -19,7 +19,7 @@
     of the object. This function can be applied to the object returned by the
     `get-object` but also to the RPC return value (in case you don't provide
     the return value calculated key under `::key` metadata prop.
-  - `::reuse-key?` enables reusing the key calculated on first time; usefull
+  - `::reuse-key?` enables reusing the key calculated on first time; useful
     when the target object is not retrieved on the RPC (typical on retrieving
     dependent objects).
   "

backend/src/app/rpc/doc.clj

@@ -96,6 +96,7 @@
               context (assoc @context :param-style pstyle)]
 
           {::yres/status 200
+           ::yres/headers {"content-type" "text/html; charset=utf-8"}
            ::yres/body (-> (io/resource template)
                            (tmpl/render context))})))
     (fn [_]

backend/src/app/rpc/management/nitrate.clj

@@ -8,22 +8,35 @@
   "Internal Nitrate HTTP RPC API. Provides authenticated access to
   organization management and token validation endpoints."
   (:require
-   [app.common.features :as cfeat]
+   [app.common.data :as d]
+   [app.common.exceptions :as ex]
    [app.common.schema :as sm]
+   [app.common.time :as ct]
+   [app.common.types.organization :refer [schema:team-with-organization]]
    [app.common.types.profile :refer [schema:profile, schema:basic-profile]]
    [app.common.types.team :refer [schema:team]]
-   [app.common.uuid :as uuid]
    [app.config :as cf]
    [app.db :as db]
-   [app.msgbus :as mbus]
+   [app.media :as media]
+   [app.nitrate :as nitrate]
    [app.rpc :as-alias rpc]
    [app.rpc.commands.files :as files]
+   [app.rpc.commands.nitrate :as cnit]
    [app.rpc.commands.profile :as profile]
    [app.rpc.commands.teams :as teams]
+   [app.rpc.commands.teams-invitations :as ti]
    [app.rpc.doc :as doc]
-   [app.rpc.quotes :as quotes]
+   [app.rpc.notifications :as notifications]
+   [app.storage :as sto]
    [app.util.services :as sv]
-   [clojure.set :as set]))
+   [app.worker :as wrk]))
+
+
+(defn- profile-to-map [profile]
+  {:id            (:id profile)
+   :name          (:fullname profile)
+   :email         (:email profile)
+   :photo-url     (files/resolve-public-uri (get profile :photo-id))})
 
 ;; ---- API: authenticate
 
@@ -34,10 +47,8 @@
    ::sm/result schema:profile}
   [cfg {:keys [::rpc/profile-id] :as params}]
   (let [profile            (profile/get-profile cfg profile-id)]
-    {:id (get profile :id)
-     :name (get profile :fullname)
-     :email (get profile :email)
-     :photo-url (files/resolve-public-uri (get profile :photo-id))}))
+    (-> (profile-to-map profile)
+        (assoc :theme (:theme profile)))))
 
 ;; ---- API: get-teams
 
@@ -53,13 +64,26 @@
 ;; ---- API: get-penpot-version
 
 (def ^:private schema:get-penpot-version-result
-  [:map [:version ::sm/text]])
+  [:map
+   [:version
+    [:map
+     [:full [:maybe ::sm/text]]
+     [:branch [:maybe ::sm/text]]
+     [:base [:maybe ::sm/text]]
+     [:main [:maybe ::sm/text]]
+     [:major [:maybe ::sm/text]]
+     [:minor [:maybe ::sm/text]]
+     [:patch [:maybe ::sm/text]]
+     [:modifier [:maybe ::sm/text]]
+     [:commit [:maybe ::sm/text]]
+     [:commit-hash [:maybe ::sm/text]]]]])
 
 (sv/defmethod ::get-penpot-version
   "Get the current Penpot version"
   {::doc/added "2.14"
    ::sm/params [:map]
-   ::sm/result schema:get-penpot-version-result}
+   ::sm/result schema:get-penpot-version-result
+   ::rpc/auth false}
   [_cfg _params]
   {:version cf/version})
 
@@ -76,29 +100,47 @@
     (->> (db/exec! cfg [sql:get-teams current-user-id])
          (map #(select-keys % [:id :name])))))
 
-;; ---- API: notify-team-change
+;; ---- API: upload-org-logo
 
-(def ^:private schema:notify-team-change
+(def ^:private schema:upload-org-logo
   [:map
-   [:id ::sm/uuid]
+   [:content media/schema:upload]
    [:organization-id ::sm/uuid]
-   [:organization-name ::sm/text]])
+   [:previous-id {:optional true} ::sm/uuid]])
+
+(def ^:private schema:upload-org-logo-result
+  [:map [:id ::sm/uuid]])
+
+(sv/defmethod ::upload-org-logo
+  "Store an organization logo in penpot storage and return its ID.
+  Accepts an optional previous-id to mark the old logo for garbage
+  collection when replacing an existing one."
+  {::doc/added "2.17"
+   ::sm/params schema:upload-org-logo
+   ::sm/result schema:upload-org-logo-result}
+  [{:keys [::sto/storage]} {:keys [content organization-id previous-id]}]
+  (when previous-id
+    (sto/touch-object! storage previous-id))
+  (let [hash (sto/calculate-hash (:path content))
+        data (-> (sto/content (:path content))
+                 (sto/wrap-with-hash hash))
+        obj  (sto/put-object! storage {::sto/content      data
+                                       ::sto/deduplicate? true
+                                       :bucket            "organization"
+                                       :content-type      (:mtype content)
+                                       :organization-id   organization-id})]
+    {:id (:id obj)}))
+
+;; ---- API: notify-team-change
 
 (sv/defmethod ::notify-team-change
   "Notify to Penpot a team change from nitrate"
   {::doc/added "2.14"
-   ::sm/params schema:notify-team-change
+   ::sm/params schema:team-with-organization
    ::rpc/auth false}
-  [cfg {:keys [id organization-id organization-name]}]
-  (let [msgbus (::mbus/msgbus cfg)]
-    (mbus/pub! msgbus
-               ;;TODO There is a bug on dashboard with teams notifications.
-               ;;For now we send it to uuid/zero instead of team-id
-               :topic uuid/zero
-               :message {:type :team-org-change
-                         :team-id id
-                         :organization-id organization-id
-                         :organization-name organization-name})))
+  [cfg team]
+  (notifications/notify-team-change cfg (select-keys team [:id :is-your-penpot :organization]) nil)
+  nil)
 
 ;; ---- API: notify-user-added-to-organization
 
@@ -113,18 +155,8 @@
   {::doc/added "2.14"
    ::sm/params schema:notify-user-added-to-organization
    ::rpc/auth false}
-  [cfg {:keys [profile-id]}]
-  (quotes/check! cfg {::quotes/id ::quotes/teams-per-profile
-                      ::quotes/profile-id profile-id})
-
-  (let [features (-> (cfeat/get-enabled-features cf/flags)
-                     (set/difference cfeat/frontend-only-features)
-                     (set/difference cfeat/no-team-inheritable-features))
-        params   {:profile-id profile-id
-                  :name "Default"
-                  :features features}
-        team     (db/tx-run! cfg teams/create-team params)]
-    (select-keys team [:id])))
+  [cfg {:keys [profile-id organization-id]}]
+  (db/tx-run! cfg teams/create-default-org-team profile-id organization-id))
 
 
 ;; ---- API: get-managed-profiles
@@ -158,3 +190,467 @@
   (let [current-user-id (-> (profile/get-profile cfg profile-id) :id)]
     (db/exec! cfg [sql:get-managed-profiles current-user-id current-user-id])))
 
+;; ---- API: get-teams-summary
+
+(def ^:private sql:get-teams-summary
+  "SELECT t.id, t.name, t.is_default
+     FROM team AS t
+    WHERE t.id = ANY(?)
+      AND t.deleted_at IS NULL;")
+
+(def ^:private sql:get-files-count
+  "SELECT COUNT(f.*) AS count
+     FROM file AS f
+     JOIN project AS p ON f.project_id = p.id
+     JOIN team AS t ON t.id = p.team_id
+    WHERE p.team_id = ANY(?)
+      AND t.deleted_at IS NULL
+      AND p.deleted_at IS NULL
+      AND f.deleted_at IS NULL;")
+
+(def ^:private schema:get-teams-summary-params
+  [:map
+   [:ids [:or ::sm/uuid [:vector ::sm/uuid]]]])
+
+(def ^:private schema:get-teams-summary-result
+  [:map
+   [:teams [:vector [:map
+                     [:id ::sm/uuid]
+                     [:name ::sm/text]
+                     [:is-default ::sm/boolean]]]]
+   [:num-files ::sm/int]])
+
+(sv/defmethod ::get-teams-summary
+  "Get summary information for a list of teams"
+  {::doc/added "2.15"
+   ::sm/params schema:get-teams-summary-params
+   ::sm/result schema:get-teams-summary-result}
+  [cfg {:keys [ids]}]
+  (let [;; Handle one or multiple params
+        ids (cond
+              (uuid? ids)
+              [ids]
+
+              (and (vector? ids) (every? uuid? ids))
+              ids
+
+              :else
+              [])]
+    (db/run! cfg (fn [{:keys [::db/conn]}]
+                   (let [ids-array     (db/create-array conn "uuid" ids)
+                         teams         (db/exec! conn [sql:get-teams-summary ids-array])
+                         files-count   (-> (db/exec-one! conn [sql:get-files-count ids-array]) :count)]
+                     {:teams teams
+                      :num-files files-count})))))
+
+
+;; ---- API: delete-teams-keeping-your-penpot-projects
+
+(def ^:private sql:prefix-teams-name-and-unset-default
+  "UPDATE team
+      SET name = ? || name,
+          is_default = FALSE
+    WHERE id = ANY(?)
+RETURNING id, name;")
+
+(def ^:private sql:get-teams-files-counts
+  "SELECT p.team_id, COUNT(f.*) AS total
+     FROM file AS f
+     JOIN project AS p ON (p.id = f.project_id)
+     JOIN team AS t ON (t.id = p.team_id)
+    WHERE t.id = ANY(?)
+      AND t.deleted_at IS NULL
+      AND p.deleted_at IS NULL
+      AND f.deleted_at IS NULL
+ GROUP BY p.team_id;")
+
+(def ^:private sql:soft-delete-teams
+  "UPDATE team
+      SET deleted_at = ?
+    WHERE id = ANY(?)
+RETURNING id, deleted_at;")
+
+
+;; ---- API: notify-organization-deletion
+
+(def ^:private schema:notify-organization-deletion
+  [:map
+   [:organization-id ::sm/uuid]])
+
+
+(defn- soft-delete-teams!
+  "Soft-delete the provided team ids and submit a delete task per team."
+  [{:keys [::db/conn] :as cfg} team-ids]
+  (when (seq team-ids)
+    (let [delay      (cf/get-deletion-delay)
+          deleted-at (ct/in-future delay)
+          updated    (db/exec! conn [sql:soft-delete-teams
+                                     deleted-at
+                                     (db/create-array conn "uuid" team-ids)])]
+      (doseq [{:keys [id deleted-at]} updated]
+        (wrk/submit! {::db/conn conn
+                      ::wrk/task :delete-object
+                      ::wrk/params {:object :team
+                                    :deleted-at deleted-at
+                                    :id id}}))))
+  nil)
+
+(defn manage-deleted-organization-teams
+  "For a list of teams, rename those with files and delete those without, then notify users."
+  [cfg {:keys [teams organization-name]}]
+  (let [teams (->> teams (filter uuid?) distinct (into []))]
+    (when (seq teams)
+      (let [org-prefix (str "[" (d/sanitize-string organization-name) "] ")]
+        (db/tx-run!
+         cfg
+         (fn [{:keys [::db/conn] :as cfg}]
+           (let [teams-array      (db/create-array conn "uuid" teams)
+                 teams-with-files (->> (db/exec! conn [sql:get-teams-files-counts teams-array])
+                                       (filter (fn [{:keys [total]}] (pos? total)))
+                                       (map :team-id)
+                                       (into #{}))
+                 teams-to-keep    (->> teams (filter teams-with-files) (into []))
+                 teams-to-delete  (->> teams (remove teams-with-files) (into []))]
+
+             ;; Rename teams that have files in one go
+             (when (seq teams-to-keep)
+               (db/exec! conn [sql:prefix-teams-name-and-unset-default
+                               org-prefix
+                               (db/create-array conn "uuid" teams-to-keep)]))
+
+             ;; Soft-delete empty teams in one go
+             (soft-delete-teams! cfg teams-to-delete)
+
+             (notifications/notify-organization-deletion cfg organization-name teams teams-to-delete)
+             nil)))))))
+
+
+(sv/defmethod ::notify-organization-deletion
+  "For a list of teams, rename them with the name of the deleted org, and notify
+   of the deletion to the connected users"
+  {::doc/added "2.15"
+   ::sm/params schema:notify-organization-deletion
+   ::rpc/auth false}
+  [cfg {:keys [organization-id]}]
+  (let [org-summary (nitrate/call cfg :get-org-summary {:organization-id organization-id})
+        teams       (->> (:teams org-summary)
+                         (map :id))]
+    (manage-deleted-organization-teams cfg {:teams teams :organization-name (:name org-summary)})
+    nil))
+
+;; ---- API: notify-user-organizations-deletion
+
+(def ^:private schema:notify-user-organizations-deletion
+  [:map
+   [:profile-id ::sm/uuid]])
+
+(sv/defmethod ::notify-user-organizations-deletion
+  "For a given user, find all owned organizations and rename or delete their teams."
+  {::doc/added "2.18"
+   ::sm/params schema:notify-user-organizations-deletion}
+  [cfg {:keys [profile-id]}]
+  (let [owned-orgs (nitrate/call cfg :get-owned-orgs {:profile-id profile-id})]
+    (doseq [org owned-orgs]
+      (let [organization-name (:name org)
+            teams (map :id (:teams org))]
+        (manage-deleted-organization-teams cfg {:teams teams :organization-name organization-name}))))
+  nil)
+
+
+
+
+;; ---- API: get-profile-by-email
+
+(def ^:private sql:get-profile-by-email
+  "SELECT DISTINCT id, fullname, email, photo_id
+     FROM profile
+    WHERE email = ?
+      AND deleted_at IS NULL;")
+
+(sv/defmethod ::get-profile-by-email
+  "Get profile by email"
+  {::doc/added "2.15"
+   ::sm/params [:map [:email ::sm/email]]
+   ::sm/result schema:profile}
+  [cfg {:keys [email]}]
+  (let [profile (db/exec-one! cfg [sql:get-profile-by-email email])]
+    (when-not profile
+      (ex/raise :type :not-found
+                :code :profile-not-found
+                :hint "profile does not exist"
+                :email email))
+    (profile-to-map profile)))
+
+
+;; ---- API: get-profile-by-id
+
+(def ^:private sql:get-profile-by-id
+  "SELECT DISTINCT id, fullname, email, photo_id
+     FROM profile
+    WHERE id = ?
+      AND deleted_at IS NULL;")
+
+(sv/defmethod ::get-profile-by-id
+  "Get profile by email"
+  {::doc/added "2.15"
+   ::sm/params [:map [:id ::sm/uuid]]
+   ::sm/result schema:profile}
+  [cfg {:keys [id]}]
+  (let [profile (db/exec-one! cfg [sql:get-profile-by-id id])]
+    (when-not profile
+      (ex/raise :type :not-found
+                :code :profile-not-found
+                :hint "profile does not exist"
+                :id id))
+    (profile-to-map profile)))
+
+
+;; ---- API: get-org-member-team-counts
+
+(def ^:private sql:get-org-member-team-counts
+  "SELECT tpr.profile_id, COUNT(DISTINCT t.id) AS team_count
+     FROM team_profile_rel AS tpr
+     JOIN team AS t ON t.id = tpr.team_id
+    WHERE t.id = ANY(?)
+      AND t.deleted_at IS NULL
+      AND t.is_default IS FALSE
+    GROUP BY tpr.profile_id;")
+
+(def ^:private schema:get-org-member-team-counts-params
+  [:map [:team-ids [:or ::sm/uuid [:vector ::sm/uuid]]]])
+
+(def ^:private schema:get-org-member-team-counts-result
+  [:vector [:map
+            [:profile-id ::sm/uuid]
+            [:team-count ::sm/int]]])
+
+(sv/defmethod ::get-org-member-team-counts
+  "Get the number of non-default teams each profile belongs to within a set of teams."
+  {::doc/added "2.15"
+   ::sm/params schema:get-org-member-team-counts-params
+   ::sm/result schema:get-org-member-team-counts-result
+   ::rpc/auth false}
+  [cfg {:keys [team-ids]}]
+  (let [team-ids (cond
+                   (uuid? team-ids)
+                   [team-ids]
+
+                   (and (vector? team-ids) (every? uuid? team-ids))
+                   team-ids
+
+                   :else
+                   [])]
+    (if (empty? team-ids)
+      []
+      (db/run! cfg (fn [{:keys [::db/conn]}]
+                     (let [ids-array (db/create-array conn "uuid" team-ids)]
+                       (db/exec! conn [sql:get-org-member-team-counts ids-array])))))))
+
+
+;; API: invite-to-org
+
+(sv/defmethod ::invite-to-org
+  "Invite to organization"
+  {::doc/added "2.15"
+   ::sm/params [:map
+                [:email ::sm/email]
+                [:id ::sm/uuid]
+                [:name ::sm/text]
+                [:initials [:maybe :string]]
+                [:logo ::sm/uri]]}
+  [cfg params]
+  (db/tx-run! cfg ti/create-org-invitation params)
+  nil)
+
+
+;; API: get-org-invitations
+
+(def ^:private sql:get-org-invitations
+  "SELECT DISTINCT ON (email_to)
+          ti.id,
+          ti.org_id AS organization_id,
+          ti.email_to AS email,
+          ti.created_at AS sent_at,
+          p.fullname AS name,
+          p.photo_id
+     FROM team_invitation AS ti
+LEFT JOIN profile AS p
+       ON p.email = ti.email_to
+      AND p.deleted_at IS NULL
+    WHERE ti.valid_until >= now()
+      AND (ti.org_id = ? OR ti.team_id = ANY(?))
+    ORDER BY ti.email_to, ti.valid_until DESC, ti.created_at DESC;")
+
+(def ^:private schema:get-org-invitations-params
+  [:map
+   [:organization-id ::sm/uuid]])
+
+(def ^:private schema:get-org-invitations-result
+  [:vector
+   [:map
+    [:id ::sm/uuid]
+    [:organization-id {:optional true} [:maybe ::sm/uuid]]
+    [:email ::sm/email]
+    [:sent-at ::sm/inst]
+    [:name {:optional true} [:maybe ::sm/text]]
+    [:photo-url {:optional true} ::sm/uri]]])
+
+(sv/defmethod ::get-org-invitations
+  "Get valid invitations for an organization, returning at most one invitation per email."
+  {::doc/added "2.16"
+   ::sm/params schema:get-org-invitations-params
+   ::sm/result schema:get-org-invitations-result}
+  [cfg {:keys [organization-id]}]
+  (let [org-summary (nitrate/call cfg :get-org-summary {:organization-id organization-id})
+        team-ids    (->> (:teams org-summary)
+                         (map :id)
+                         (filter uuid?)
+                         (into []))]
+    (db/run! cfg (fn [{:keys [::db/conn]}]
+                   (let [ids-array (db/create-array conn "uuid" team-ids)]
+                     (->> (db/exec! conn [sql:get-org-invitations organization-id ids-array])
+                          (mapv (fn [{:keys [photo-id] :as invitation}]
+                                  (cond-> (dissoc invitation :photo-id)
+                                    photo-id
+                                    (assoc :photo-url (files/resolve-public-uri photo-id)))))))))))
+
+
+;; API: delete-org-invitations
+
+(def ^:private sql:delete-org-invitations
+  "DELETE FROM team_invitation AS ti
+    WHERE ti.email_to = ?
+      AND (ti.org_id = ? OR ti.team_id = ANY(?));")
+
+(def ^:private schema:delete-org-invitations-params
+  [:map
+   [:organization-id ::sm/uuid]
+   [:email ::sm/email]])
+
+(sv/defmethod ::delete-org-invitations
+  "Delete all invitations for one email in an organization scope (org + org teams)."
+  {::doc/added "2.16"
+   ::sm/params schema:delete-org-invitations-params}
+  [cfg {:keys [organization-id email]}]
+  (let [org-summary (nitrate/call cfg :get-org-summary {:organization-id organization-id})
+        clean-email (profile/clean-email email)
+        team-ids    (->> (:teams org-summary)
+                         (map :id)
+                         (filter uuid?)
+                         (into []))]
+    (db/run! cfg (fn [{:keys [::db/conn]}]
+                   (let [ids-array (db/create-array conn "uuid" team-ids)]
+                     (db/exec! conn [sql:delete-org-invitations clean-email organization-id ids-array]))))
+    nil))
+
+
+;; API: delete-all-org-invitations
+
+(def ^:private sql:delete-all-org-invitations
+  "DELETE FROM team_invitation AS ti
+    WHERE ti.org_id = ?
+       OR ti.team_id = ANY(?);")
+
+(def ^:private schema:delete-all-org-invitations-params
+  [:map
+   [:organization-id ::sm/uuid]])
+
+(sv/defmethod ::delete-all-org-invitations
+  "Delete every pending invitation associated with an organization (org-level + team-level).
+   Called from Nitrate when an organization is about to be deleted, so users that click
+   their invitation token hit the existing invalid-token landing page."
+  {::doc/added "2.18"
+   ::sm/params schema:delete-all-org-invitations-params
+   ::rpc/auth false}
+  [cfg {:keys [organization-id]}]
+  (let [org-summary (nitrate/call cfg :get-org-summary {:organization-id organization-id})
+        team-ids    (->> (:teams org-summary)
+                         (map :id))]
+    (db/run! cfg (fn [{:keys [::db/conn]}]
+                   (let [ids-array (db/create-array conn "uuid" team-ids)]
+                     (db/exec! conn [sql:delete-all-org-invitations organization-id ids-array]))))
+    nil))
+
+
+;; API: remove-from-org
+
+(def ^:private sql:get-reassign-to
+  "SELECT tpr.profile_id
+     FROM team_profile_rel AS tpr
+    WHERE tpr.team_id = ?
+      AND tpr.profile_id <> ?
+      AND tpr.is_owner IS NOT TRUE
+    ORDER BY CASE
+               WHEN tpr.is_admin IS TRUE THEN 1
+               ELSE 2
+             END,
+             tpr.created_at,
+             tpr.profile_id
+    LIMIT 1;")
+
+(defn add-reassign-to [cfg profile-id team-to-transfer]
+  (let [reassign-to (-> (db/exec-one! cfg [sql:get-reassign-to (:id team-to-transfer) profile-id])
+                        :profile-id)]
+    (when-not reassign-to
+      (ex/raise :type :validation
+                :code :nobody-to-reassign-team))
+
+    (assoc team-to-transfer :reassign-to reassign-to)))
+
+(sv/defmethod ::remove-from-org
+  "Remove an user from an organization"
+  {::doc/added "2.17"
+   ::sm/params [:map
+                [:profile-id ::sm/uuid]
+                [:organization-id ::sm/uuid]
+                [:organization-name ::sm/text]
+                [:default-team-id ::sm/uuid]]
+   ::db/transaction true}
+  [cfg {:keys [profile-id organization-id organization-name default-team-id] :as params}]
+  (let [{:keys [valid-teams-to-delete-ids
+                valid-teams-to-transfer
+                valid-teams-to-exit]} (cnit/get-valid-teams cfg organization-id profile-id default-team-id)
+        add-reassign-to (partial add-reassign-to cfg profile-id)
+
+        valid-teams-to-leave (into valid-teams-to-exit
+                                   (map add-reassign-to valid-teams-to-transfer))]
+
+    (cnit/leave-org cfg (assoc params
+                               :id organization-id
+                               :name organization-name
+                               :teams-to-delete valid-teams-to-delete-ids
+                               :teams-to-leave valid-teams-to-leave
+                               :skip-validation true))
+    (notifications/notify-user-org-change cfg profile-id organization-id organization-name "dashboard.user-no-longer-belong-org")
+    nil))
+
+;; API: get-remove-from-org-summary
+
+(def ^:private schema:get-remove-from-org-summary-result
+  [:map
+   [:teams-to-delete ::sm/int]
+   [:teams-to-transfer ::sm/int]
+   [:teams-to-exit ::sm/int]])
+
+(sv/defmethod ::get-remove-from-org-summary
+  "Get a summary of the teams that would be deleted, transferred, or exited
+   if the user were removed from the organization"
+  {::doc/added "2.17"
+   ::sm/params [:map
+                [:profile-id ::sm/uuid]
+                [:organization-id ::sm/uuid]
+                [:default-team-id ::sm/uuid]]
+   ::sm/result schema:get-remove-from-org-summary-result
+   ::db/transaction true}
+  [cfg {:keys [profile-id organization-id default-team-id]}]
+  (let [{:keys [valid-teams-to-delete-ids
+                valid-teams-to-transfer
+                valid-teams-to-exit
+                valid-default-team]} (cnit/get-valid-teams cfg organization-id profile-id default-team-id)]
+    (when-not valid-default-team
+      (ex/raise :type :validation
+                :code :not-valid-teams))
+    {:teams-to-delete   (count valid-teams-to-delete-ids)
+     :teams-to-transfer (count valid-teams-to-transfer)
+     :teams-to-exit     (count valid-teams-to-exit)}))
+

backend/src/app/rpc/notifications.clj

@@ -0,0 +1,44 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) KALEIDOS INC
+
+(ns app.rpc.notifications
+  (:require
+   [app.common.uuid :as uuid]
+   [app.msgbus :as mbus]))
+
+(defn notify-team-change
+  [cfg team notification]
+  (let [msgbus (::mbus/msgbus cfg)]
+    (mbus/pub! msgbus
+               ;;TODO There is a bug on dashboard with teams notifications.
+               ;;For now we send it to uuid/zero instead of team-id
+               :topic uuid/zero
+               :message {:type :team-org-change
+                         :team team
+                         :notification notification})))
+
+
+(defn notify-user-org-change
+  [cfg profile-id organization-id organization-name notification]
+  (let [msgbus (::mbus/msgbus cfg)]
+    (mbus/pub! msgbus
+               :topic profile-id
+               :message {:type :user-org-change
+                         :topic profile-id
+                         :organization-id organization-id
+                         :organization-name organization-name
+                         :notification notification})))
+
+
+(defn notify-organization-deletion
+  [cfg organization-name teams deleted-teams]
+  (let [msgbus (::mbus/msgbus cfg)]
+    (mbus/pub! msgbus
+               :topic uuid/zero
+               :message {:type :organization-deleted
+                         :organization-name organization-name
+                         :teams teams
+                         :deleted-teams deleted-teams})))

backend/src/app/setup.clj

@@ -11,7 +11,9 @@
    [app.common.logging :as l]
    [app.common.schema :as sm]
    [app.common.uuid :as uuid]
+   [app.config :as cf]
    [app.db :as db]
+   [app.loggers.audit :as audit]
    [app.main :as-alias main]
    [app.setup.keys :as keys]
    [app.setup.templates]
@@ -35,10 +37,9 @@
        (into {})))
 
 (defn- handle-instance-id
-  [instance-id conn read-only?]
+  [instance-id conn]
   (or instance-id
       (let [instance-id (uuid/random)]
-        (when-not read-only?
         (try
           (db/insert! conn :server-prop
                       {:id "instance-id"
@@ -47,10 +48,9 @@
           (catch Throwable cause
             (l/warn :hint "unable to persist instance-id"
                     :instance-id instance-id
-                      :cause cause))))
+                    :cause cause)))
         instance-id)))
 
-
 (def sql:add-prop
   "INSERT INTO server_prop (id, content, preload)
    VALUES (?, ?, ?)
@@ -77,7 +77,12 @@
   (assert (db/pool? (::db/pool params)) "expected valid database pool"))
 
 (defmethod ig/init-key ::props
-  [_ {:keys [::db/pool ::key] :as cfg}]
+  [_ {:keys [::key] :as cfg}]
+  (audit/submit cfg {:type "trigger"
+                     :name "instance-start"
+                     :props {:version (:full cf/version)
+                             :flags (mapv name cf/flags)
+                             :public-uri (str (cf/get :public-uri))}})
 
   (db/tx-run! cfg (fn [{:keys [::db/conn]}]
                     (db/xact-lock! conn 0)
@@ -91,7 +96,7 @@
                       (-> (get-all-props conn)
                           (assoc :secret-key secret)
                           (assoc :tokens-key (keys/derive secret :salt "tokens"))
-                          (update :instance-id handle-instance-id conn (db/read-only? pool)))))))
+                          (update :instance-id handle-instance-id conn))))))
 
 (defmethod ig/init-key ::shared-keys
   [_ {:keys [::props] :as cfg}]

backend/src/app/setup/templates.clj

@@ -57,7 +57,7 @@
 
       (if (fs/exists? path)
         (io/input-stream path)
-        (let [resp (http/req! cfg
+        (let [resp (http/req cfg
                              {:method :get :uri (:file-uri template)}
                              {:response-type :input-stream :sync? true})]
           (when-not (= 200 (:status resp))