♻️ Refactor CI workflows

📎 Update SECURITY.md (#10082 )
Update SECURITY.md file to request that vulnerabilities be reported through the GitHub Security Advisories feature in the Penpot repository Signed-off-by: Madalena Melo <madalena.melo@kaleidos.net>
2026-06-09 17:02:05 +00:00 · 2026-06-09 18:57:44 +02:00 · 2026-06-09 18:48:03 +02:00 · 2026-06-09 14:39:07 +02:00 · 2026-06-09 14:38:48 +02:00 · 2026-06-09 14:37:59 +02:00
519 changed files with 70209 additions and 60709 deletions
--- a/.devenv/README.md
+++ b/.devenv/README.md
@ -0,0 +1,133 @@
 # `.devenv/` — Per-Workspace AI-Client MCP Configs
 This directory carries the pieces needed to point an AI coding agent
 (currently Claude Code, opencode, VS Code Copilot, and the OpenAI Codex CLI)
 at the MCP servers running inside the parallel devenv instance the developer
 is currently working in. Every parallel workspace (`ws0`, `ws1`, …) has its
 own copy because the Penpot MCP and Serena MCP host ports are
 workspace-specific.
 ## Layout
 ```
 .devenv/
  README.md
  scripts/
    merge-mcp-config.py    # generator helper invoked by manage.sh
  shared/                  # committed; workspace-independent entries
    claude-code.json       # Playwright — same for every workspace
    opencode.json
    vscode.json
    codex.toml
  templates/               # committed; entries with ${...} port placeholders
    claude-code.json       # Penpot MCP, Serena MCP — port is the only diff
    opencode.json
    vscode.json
    codex.toml
  mcp/                     # gitignored; written by manage.sh per workspace
    claude-code.json       # loaded via Claude Code's --mcp-config flag
    opencode.json          # loaded via OPENCODE_CONFIG env var
 ```
 One more file is generated outside `.devenv/`, in the directory VS Code itself
 auto-discovers (gitignored):
 ```
 .vscode/mcp.json           # auto-loaded by GitHub Copilot in VS Code
 ```
 Codex is the exception: it has no way to load an MCP config from an arbitrary
 path, and its only project-level config file (`.codex/config.toml`) is one a
 developer may already own. So we do **not** write a file for Codex at all —
 `start-coding-agent codex` injects our servers as `-c` command-line overrides
 built fresh from `shared/codex.toml` + `templates/codex.toml` at launch.
 * **`shared/`** holds MCP entries that don't depend on the workspace — the
  browser-driving Playwright server today, plus any other workspace-independent
  servers we add later. Same content in every workspace, so it's a static
  checked-in file.
 * **`templates/`** holds the workspace-specific entries (Penpot MCP, Serena
  MCP) with `${PENPOT_MCP_PORT}` and `${SERENA_MCP_PORT}` placeholders. The
  placeholders are resolved per-workspace from the port-base constants in
  `manage.sh`.
 * **`mcp/`** (Claude Code, opencode) is the result of merging `shared/` with
  the port-substituted `templates/`. `manage.sh` writes these on every
  `run-devenv-agentic` pass. Gitignored, dedicated paths with no developer
  content — never edit by hand, your edits will be overwritten on the next
  reconcile.
 * **`.vscode/mcp.json`** is the same merge, but written to the path VS Code
  auto-discovers. Because on `ws0` that path *is* the live repo's own file, the
  reconcile **deep-merges** into it: any servers you added yourself are kept,
  and only the entries we manage (`penpot`, `serena-devenv`, `playwright`) are
  (re)written to the current ports. On `ws1+` the file doesn't exist yet, so it
  is created from scratch.
 * **`scripts/merge-mcp-config.py`** is the generator. Its `json` mode does the
  JSON deep-merge (with `--merge-into-existing` for the VS Code path); its
  `codex-args` mode prints the `-c` assignments for Codex. `manage.sh`'s
  `_merge-mcp-config-json` helper is a thin shim over the former, and
  `start-coding-agent` calls the latter directly. Run
  `python3 .devenv/scripts/merge-mcp-config.py --help` for the CLI.
 ## Launching a coding agent
 The easiest path is the wrapper command, which knows the right flags per
 client, `cd`'s into the target workspace, and refuses to launch unless the
 target instance is running and its MCP config has been generated:
 ```bash
 # Default target is ws0 (the live repo).
 ./manage.sh start-coding-agent claude               [...args to forward]
 ./manage.sh start-coding-agent opencode             [...args to forward]
 ./manage.sh start-coding-agent vscode               [...args to forward to 'code']
 ./manage.sh start-coding-agent codex                [...args to forward]
 # Target a parallel workspace with --ws N. N is an integer (non-negative);
 # 'main', 'ws1' and similar spellings are rejected.
 ./manage.sh start-coding-agent claude --ws 1
 ./manage.sh start-coding-agent opencode --ws 2
 ```
 Equivalents by hand (run from inside the workspace directory):
 ```bash
 claude --mcp-config .devenv/mcp/claude-code.json
 OPENCODE_CONFIG=.devenv/mcp/opencode.json opencode
 code "$PWD"                  # VS Code auto-discovers .vscode/mcp.json
 # Codex: pass our servers as -c overrides (no config file is written).
 codex $(python3 .devenv/scripts/merge-mcp-config.py --format codex-args \
          .devenv/shared/codex.toml .devenv/templates/codex.toml \
          | sed 's/^/-c /')
 ```
 `start-coding-agent codex` does the `-c` wiring for you (and resolves the
 workspace's ports first). Because our servers arrive as command-line
 overrides, no "trusted project" prompt is involved for them — that prompt only
 gates Codex's own `.codex/config.toml`, which we never write.
 ## Overriding our entries
 Both the auto-discovered configs and the launcher-loaded configs sit *on top
 of* the developer's global config (with varying precedence rules). All four
 clients offer escape hatches for shadowing entries we ship:
 * **Claude Code** — `claude mcp add --scope local …` installs a private entry
  that overrides the one in `mcp/claude-code.json`. Local scope wins.
 * **opencode** — drop an `opencode.json` at the repo root with the override
  entries you need. opencode's precedence chain is *global → `OPENCODE_CONFIG`
  → project*, so the project file always wins. The root `opencode.json` is
  gitignored on purpose, since these overrides are personal.
 * **VS Code Copilot** — the reconcile deep-merges into `.vscode/mcp.json`, so
  any servers you add there yourself are preserved (only `penpot`,
  `serena-devenv` and `playwright` are rewritten). To shadow one of *ours*,
  put an entry under the same name in your VS Code user-profile MCP config —
  it is loaded alongside the workspace file and wins.
 * **Codex CLI** — our servers arrive as `-c` overrides, which are Codex's
  highest-precedence layer, so they win over a same-named `[mcp_servers.<name>]`
  in your `~/.codex/config.toml` or a project `.codex/config.toml`. To override
  one of ours, append your own `-c` after the client name — extra args are
  forwarded after ours and the later `-c` wins, e.g.
  `./manage.sh start-coding-agent codex -- -c 'mcp_servers.penpot.url="…"'`.
 See `docs/technical-guide/developer/agentic-devenv.md` for the broader
 client-configuration story (browser remote debugging, AI-client config
 schemas, manual setup for unsupported clients).
--- a/.devenv/scripts/merge-mcp-config.py
+++ b/.devenv/scripts/merge-mcp-config.py
@ -0,0 +1,204 @@
 #!/usr/bin/env python3
 """Combine a shared MCP-server config with a port-substituted template for one
 AI coding-agent client.
 Invoked per workspace by manage.sh's `write-instance-mcp-configs` (JSON
 clients) and by `start-coding-agent` (Codex). Each supported client ships a
 `.devenv/shared/<tool>.{json,toml}` (workspace-independent entries, e.g.
 Playwright) and a `.devenv/templates/<tool>.{json,toml}` (per-workspace entries
 with `${PENPOT_MCP_PORT}` / `${SERENA_MCP_PORT}` placeholders). This script
 combines the two for the target client.
 Two output modes are supported:
  json         Deep-merge two JSON documents under a configurable top-level key
               (`mcpServers` for Claude Code, `mcp` for opencode, `servers` for
               VS Code Copilot) and write the result to <out>. Same-name
               entries in the template override entries in shared. With
               --merge-into-existing, any pre-existing <out> file is loaded as
               the lowest-precedence layer first, so entries the developer
               already had are preserved (ours win on name collision). This is
               used for VS Code's auto-discovered `.vscode/mcp.json`, which on
               ws0 IS the live repo's file and may hold the developer's own
               servers; the Claude/opencode outputs live in a dedicated,
               gitignored `.devenv/mcp/` path and are written without the flag
               (a clean overwrite).
  codex-args   Deep-merge the two TOML chunks and print one
               `dotted.key=<toml-value>` assignment per line to stdout (no
               <out> file). The caller wraps each line in a `codex -c` flag.
               Codex has no way to load an MCP config from an arbitrary file
               path (CODEX_HOME would relocate auth/history too), so rather than
               writing the auto-discovered `.codex/config.toml` we inject our
               servers as ephemeral per-invocation overrides. This never
               touches the developer's project- or user-level Codex config.
 In both modes, `${VAR}` placeholders inside *either* chunk are resolved from
 the current environment (only template chunks carry placeholders in practice,
 but the substitution is uniform either way) using Python's
 `os.path.expandvars`. Undefined placeholders are left as `${VAR}` literal text
 -- callers (i.e. manage.sh) are responsible for exporting the variables before
 invoking the script.
 Usage:
  merge-mcp-config.py --format json --key <key> [--merge-into-existing] \
      <shared> <template> <out>
  merge-mcp-config.py --format codex-args <shared> <template>
 Exit codes:
  0  success
  2  argparse error (missing required option, bad value, unreadable input)
 """
 from __future__ import annotations
 import argparse
 import json
 import os
 import re
 import sys
 import tomllib
 from pathlib import Path
 def merge_json(
    shared_path: Path,
    tpl_path: Path,
    out_path: Path,
    key: str,
    merge_into_existing: bool,
 ) -> None:
    """Deep-merge JSON documents under a single top-level dict key into out.
    Precedence (lowest to highest): an existing <out> file (only when
    merge_into_existing is set), then shared, then the template. Entries under
    `key` are merged by name, so the template wins on a name collision while
    every other entry the lower layers contributed is kept. Top-level keys
    other than `key` come from the existing file and shared (shared wins).
    """
    shared = json.loads(shared_path.read_text())
    tpl = json.loads(os.path.expandvars(tpl_path.read_text()))
    base: dict = {}
    if merge_into_existing and out_path.exists():
        base = json.loads(out_path.read_text())
    merged: dict = {**base, **shared}
    merged[key] = {**base.get(key, {}), **shared.get(key, {}), **tpl.get(key, {})}
    out_path.write_text(json.dumps(merged, indent=2) + "\n")
 def _deep_merge(base: dict, overlay: dict) -> dict:
    """Recursively merge overlay into base; overlay wins on scalar/list keys."""
    out = dict(base)
    for k, v in overlay.items():
        if isinstance(out.get(k), dict) and isinstance(v, dict):
            out[k] = _deep_merge(out[k], v)
        else:
            out[k] = v
    return out
 def _toml_value(value: object) -> str:
    """Serialize a scalar/list as a TOML literal for a `codex -c` value.
    bool is checked before int because `isinstance(True, int)` is True. Strings
    are emitted as JSON strings, which are valid TOML basic strings for the
    ASCII values our configs carry (commands, args, URLs). Tables never reach
    here -- they are flattened into dotted keys by _flatten.
    """
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, str):
        return json.dumps(value)
    if isinstance(value, list):
        return "[" + ", ".join(_toml_value(v) for v in value) + "]"
    raise TypeError(f"unsupported TOML value type: {type(value).__name__}")
 _BARE_KEY = re.compile(r"^[A-Za-z0-9_-]+$")
 def _key_segment(seg: str) -> str:
    """A dotted-key segment: bare if TOML-safe, else a quoted key."""
    return seg if _BARE_KEY.match(seg) else json.dumps(seg)
 def _flatten(obj: dict, prefix: list[str]):
    """Yield (dotted-path-segments, leaf-value) for every non-table leaf.
    Lists are leaves (TOML arrays), so we do not recurse into them; nested
    tables (e.g. an `env` table) are flattened into further dotted keys.
    """
    for k, v in obj.items():
        path = prefix + [k]
        if isinstance(v, dict):
            yield from _flatten(v, path)
        else:
            yield path, v
 def emit_codex_args(shared_path: Path, tpl_path: Path) -> None:
    """Print `dotted.key=<toml-value>` lines from the merged TOML chunks."""
    shared = tomllib.loads(os.path.expandvars(shared_path.read_text()))
    tpl = tomllib.loads(os.path.expandvars(tpl_path.read_text()))
    merged = _deep_merge(shared, tpl)
    for path, value in _flatten(merged, []):
        dotted = ".".join(_key_segment(s) for s in path)
        sys.stdout.write(f"{dotted}={_toml_value(value)}\n")
 def main(argv: list[str]) -> int:
    parser = argparse.ArgumentParser(
        description=__doc__.split("\n\n", 1)[0],
        formatter_class=argparse.RawDescriptionHelpFormatter,
    )
    parser.add_argument(
        "--format",
        choices=("json", "codex-args"),
        required=True,
        help="Output mode: 'json' writes a merged file; 'codex-args' prints -c assignments.",
    )
    parser.add_argument(
        "--key",
        help="Top-level JSON key under which MCP entries live (required for --format json).",
    )
    parser.add_argument(
        "--merge-into-existing",
        action="store_true",
        help="json only: layer the merge on top of an existing <out> file, "
        "preserving entries already there (ours still win on name collision).",
    )
    parser.add_argument("shared", type=Path, help="Path to the shared chunk.")
    parser.add_argument("template", type=Path, help="Path to the port-placeholder template chunk.")
    parser.add_argument(
        "out",
        type=Path,
        nargs="?",
        help="Path the merged result is written to (json only; codex-args writes stdout).",
    )
    args = parser.parse_args(argv)
    if args.format == "json":
        if not args.key:
            parser.error("--key is required when --format json")
        if args.out is None:
            parser.error("out is required when --format json")
        merge_json(args.shared, args.template, args.out, args.key, args.merge_into_existing)
    else:  # codex-args
        if args.key:
            parser.error("--key is not accepted when --format codex-args")
        if args.merge_into_existing:
            parser.error("--merge-into-existing is not accepted when --format codex-args")
        if args.out is not None:
            parser.error("out path is not accepted when --format codex-args (result goes to stdout)")
        emit_codex_args(args.shared, args.template)
    return 0
 if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
--- a/.devenv/shared/claude-code.json
+++ b/.devenv/shared/claude-code.json
@ -0,0 +1,8 @@
 {
  "mcpServers": {
    "playwright": {
      "command": "npx",
      "args": ["@playwright/mcp@latest", "--cdp-endpoint=http://127.0.0.1:9222"]
    }
  }
 }
--- a/.devenv/shared/codex.toml
+++ b/.devenv/shared/codex.toml
@ -0,0 +1,8 @@
 # Workspace-independent MCP servers for the OpenAI Codex CLI.
 # This block is concatenated with the port-substituted templates/codex.toml
 # by manage.sh's write-instance-mcp-configs to produce .codex/config.toml at
 # the workspace root.
 [mcp_servers.playwright]
 command = "npx"
 args = ["@playwright/mcp@latest", "--cdp-endpoint=http://127.0.0.1:9222"]
--- a/.devenv/shared/opencode.json
+++ b/.devenv/shared/opencode.json
@ -0,0 +1,9 @@
 {
  "mcp": {
    "playwright": {
      "type": "local",
      "command": ["npx", "@playwright/mcp@latest", "--cdp-endpoint=http://127.0.0.1:9222"],
      "enabled": true
    }
  }
 }
--- a/.devenv/shared/vscode.json
+++ b/.devenv/shared/vscode.json
@ -0,0 +1,9 @@
 {
  "servers": {
    "playwright": {
      "type": "stdio",
      "command": "npx",
      "args": ["@playwright/mcp@latest", "--cdp-endpoint=http://127.0.0.1:9222"]
    }
  }
 }
--- a/.devenv/templates/claude-code.json
+++ b/.devenv/templates/claude-code.json
@ -0,0 +1,12 @@
 {
  "mcpServers": {
    "penpot": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "http://localhost:${PENPOT_MCP_PORT}/mcp", "--allow-http"]
    },
    "serena-devenv": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "http://localhost:${SERENA_MCP_PORT}/mcp", "--allow-http"]
    }
  }
 }
--- a/.devenv/templates/codex.toml
+++ b/.devenv/templates/codex.toml
@ -0,0 +1,10 @@
 # Workspace-specific MCP servers for the OpenAI Codex CLI. The PENPOT_MCP_PORT
 # and SERENA_MCP_PORT placeholders below are filled in per workspace by
 # manage.sh's write-instance-mcp-configs, then the result is concatenated
 # with shared/codex.toml to produce .codex/config.toml.
 [mcp_servers.penpot]
 url = "http://localhost:${PENPOT_MCP_PORT}/mcp"
 [mcp_servers.serena-devenv]
 url = "http://localhost:${SERENA_MCP_PORT}/mcp"
--- a/.devenv/templates/opencode.json
+++ b/.devenv/templates/opencode.json
@ -0,0 +1,14 @@
 {
  "mcp": {
    "penpot": {
      "type": "remote",
      "url": "http://localhost:${PENPOT_MCP_PORT}/mcp",
      "enabled": true
    },
    "serena-devenv": {
      "type": "remote",
      "url": "http://localhost:${SERENA_MCP_PORT}/mcp",
      "enabled": true
    }
  }
 }
--- a/.devenv/templates/vscode.json
+++ b/.devenv/templates/vscode.json
@ -0,0 +1,12 @@
 {
  "servers": {
    "penpot": {
      "type": "http",
      "url": "http://localhost:${PENPOT_MCP_PORT}/mcp"
    },
    "serena-devenv": {
      "type": "http",
      "url": "http://localhost:${SERENA_MCP_PORT}/mcp"
    }
  }
 }
--- a/.github/ISSUE_TEMPLATE/bug-report.yml
+++ b/.github/ISSUE_TEMPLATE/bug-report.yml
@ -1,7 +1,9 @@
 description: Create a report to help us improve
 labels: ["bug"]
 name: Bug report
-title: "bug: "
+title: ""
 type: Bug
 labels: ["needs triage"]
 body:
  - type: markdown
    attributes:
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -0,0 +1 @@
 blank_issues_enabled: true
--- a/.github/ISSUE_TEMPLATE/feature-request.yml
+++ b/.github/ISSUE_TEMPLATE/feature-request.yml
@ -1,7 +1,9 @@
 description: Suggest an idea for this project.
-labels: ["needs triage", "enhancement"]
+labels: ["needs triage"]
 name: "Feature request"
-title: "feature: "
+title: ""
 type: Enhancement
 body:
  - type: markdown
    attributes:
--- a/.github/ISSUE_TEMPLATE/new-render-bug-report.md
+++ b/.github/ISSUE_TEMPLATE/new-render-bug-report.md
@ -1,38 +0,0 @@
 ---
 name: New Render Bug Report
 about: Create a report about the bugs you have found in the new render
 title: ''
 labels: new render
 assignees: claragvinola
 ---
 **Describe the bug**
 A clear and concise description of what the bug is.
 **Steps to Reproduce**
 Steps to reproduce the behavior:
 1. Go to '...'
 2. Click on '....'
 3. Scroll down to '....'
 4. See error
 **Expected behavior**
 A clear and concise description of what you expected to happen.
 **Screenshots or screen recordings**
 If applicable, add screenshots or screen recording to help illustrate your problem.
 **Desktop (please complete the following information):**
 - OS: [e.g. iOS]
 - Browser [e.g. chrome, safari]
 - Version [e.g. 22]
 **Smartphone (please complete the following information):**
 - Device: [e.g. iPhone6]
 - OS: [e.g. iOS8.1]
 - Browser [e.g. stock browser, safari]
 - Version [e.g. 22]
 **Additional context**
 Add any other context about the problem here.
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@ -15,6 +15,5 @@
 - [ ] Add or modify existing integration tests in case of bugs or new features, if applicable.
 - [ ] Refactor any modified SCSS files following the refactor guide.
 - [ ] Check CI passes successfully.
 - [ ] Update the `CHANGES.md` file, referencing the related GitHub issue, if applicable.
 <!-- For more details, check the contribution guidelines: https://github.com/penpot/penpot/blob/develop/CONTRIBUTING.md -->
--- a/.github/workflows/build-docker-devenv.yml
+++ b/.github/workflows/build-docker-devenv.yml
@ -6,7 +6,6 @@ on:
 jobs:
  build-and-push:
    name: Build and push DevEnv Docker image
    environment: release-admins
    runs-on: penpot-runner-02
    steps:
@ -39,3 +38,13 @@ jobs:
          tags: ${{ env.DOCKER_IMAGE }}:latest
          cache-from: type=registry,ref=${{ env.DOCKER_IMAGE }}:buildcache
          cache-to: type=registry,ref=${{ env.DOCKER_IMAGE }}:buildcache,mode=max
      - name: Notify Mattermost
        uses: mattermost/action-mattermost-notify@master
        with:
          MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK }}
          MATTERMOST_CHANNEL: bot-alerts-cicd
          TEXT: |
            🚀 *[PENPOT] New devenv available*
            📄 You may want to update your devenv.
            @alvaro
--- a/.github/workflows/build-main-staging.yml
+++ b/.github/workflows/build-main-staging.yml
@ -1,22 +0,0 @@
 name: _MAIN-STAGING
 on:
  workflow_dispatch:
  schedule:
    - cron: '26 5-20 * * 1-5'
 jobs:
  build-bundle:
    uses: ./.github/workflows/build-bundle.yml
    secrets: inherit
    with:
      gh_ref: "main-staging"
      build_wasm: "yes"
      build_storybook: "yes"
  build-docker:
    needs: build-bundle
    uses: ./.github/workflows/build-docker.yml
    secrets: inherit
    with:
      gh_ref: "main-staging"
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -19,7 +19,6 @@ permissions:
 jobs:
  release:
    environment: release-admins
    runs-on: ubuntu-24.04
    outputs:
      version: ${{ steps.vars.outputs.gh_ref }}
--- a/.github/workflows/tests-backend.yml
+++ b/.github/workflows/tests-backend.yml
@ -0,0 +1,84 @@
 name: "CI: Backend"
 defaults:
  run:
    shell: bash
 on:
  pull_request:
    paths:
      - 'backend/**'
      - 'common/**'
    types:
      - opened
      - synchronize
      - ready_for_review
  push:
    branches:
      - develop
      - staging
    paths:
      - 'backend/**'
      - 'common/**'
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 jobs:
  test-backend:
    if: ${{ !github.event.pull_request.draft }}
    name: "Backend Tests"
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    services:
      postgres:
        image: postgres:17
        # Provide the password for postgres
        env:
          POSTGRES_USER: penpot_test
          POSTGRES_PASSWORD: penpot_test
          POSTGRES_DB: penpot_test
        # Set health checks to wait until postgres has started
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
      redis:
        image: valkey/valkey:9
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Lint
        working-directory: ./backend
        run: |
          corepack enable;
          corepack install;
          pnpm install;
          pnpm run check-fmt
          pnpm run lint
      - name: Tests
        working-directory: ./backend
        env:
          PENPOT_TEST_DATABASE_URI: "postgresql://postgres/penpot_test"
          PENPOT_TEST_DATABASE_USERNAME: penpot_test
          PENPOT_TEST_DATABASE_PASSWORD: penpot_test
          PENPOT_TEST_REDIS_URI: "redis://redis/1"
        run: |
          mkdir -p /tmp/penpot;
          clojure -M:dev:test --reporter kaocha.report/documentation
--- a/.github/workflows/tests-common.yml
+++ b/.github/workflows/tests-common.yml
@ -0,0 +1,57 @@
 name: "CI: Common"
 defaults:
  run:
    shell: bash
 on:
  pull_request:
    paths:
      - 'common/**'
    types:
      - opened
      - synchronize
      - ready_for_review
  push:
    branches:
      - develop
      - staging
    paths:
      - 'common/**'
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 jobs:
  test-common:
    if: ${{ !github.event.pull_request.draft }}
    name: "Common Tests"
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Lint
        working-directory: ./common
        run: |
          corepack enable;
          corepack install;
          pnpm install;
          pnpm run check-fmt:clj
          pnpm run check-fmt:js
          pnpm run lint:clj
      - name: Tests
        working-directory: ./common
        run: |
          ./scripts/test
--- a/.github/workflows/tests-frontend.yml
+++ b/.github/workflows/tests-frontend.yml
@ -0,0 +1,71 @@
 name: "CI: Frontend"
 defaults:
  run:
    shell: bash
 on:
  pull_request:
    paths:
      - 'frotend/**/*'
      - 'common/**/*'
      - 'render-wasm/**/*'
    types:
      - opened
      - synchronize
      - ready_for_review
  push:
    branches:
      - develop
      - staging
    paths:
      - 'frotend/**'
      - 'common/**'
      - 'render-wasm/**'
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 jobs:
  test-frontend:
    if: ${{ !github.event.pull_request.draft }}
    name: "Frontend Tests"
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Lint
        working-directory: ./frontend
        run: |
          corepack enable;
          corepack install;
          pnpm install;
          pnpm run check-fmt:js
          pnpm run check-fmt:clj
          pnpm run check-fmt:scss
          pnpm run lint:clj
          pnpm run lint:js
          pnpm run lint:scss
      - name: Unit Tests
        working-directory: ./frontend
        run: |
          ./scripts/test
      - name: Component Tests
        working-directory: ./frontend
        env:
          VITEST_BROWSER_TIMEOUT: 120000
        run: |
          ./scripts/test-components
--- a/.github/workflows/tests-integration.yml
+++ b/.github/workflows/tests-integration.yml
@ -0,0 +1,93 @@
 name: "CI: Integration"
 defaults:
  run:
    shell: bash
 on:
  pull_request:
    paths:
      - 'frotend/**'
      - 'common/**'
      - 'render-wasm/**'
    types:
      - opened
      - synchronize
      - ready_for_review
  push:
    branches:
      - develop
      - staging
    paths:
      - 'frotend/**'
      - 'common/**'
      - 'render-wasm/**'
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 jobs:
  build-integration:
    if: ${{ !github.event.pull_request.draft }}
    name: "Build Integration Bundle"
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Build Bundle
        working-directory: ./frontend
        run: |
          ./scripts/build
      - name: Store Bundle Cache
        uses: actions/cache@v5
        with:
          key: "integration-bundle-${{ github.sha }}"
          path: frontend/resources/public
  test-integration:
    if: ${{ !github.event.pull_request.draft }}
    name: "Integration Tests"
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    needs: build-integration
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v6
      - name: Restore Cache
        uses: actions/cache/restore@v5
        with:
          key: "integration-bundle-${{ github.sha }}"
          path: frontend/resources/public
      - name: Run Tests
        working-directory: ./frontend
        run: |
          ./scripts/test-e2e
      - name: Upload test result
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: integration-tests-result
          path: frontend/test-results/
          overwrite: true
          retention-days: 3
--- a/.github/workflows/tests-library.yml
+++ b/.github/workflows/tests-library.yml
@ -0,0 +1,58 @@
 name: "CI: Library"
 defaults:
  run:
    shell: bash
 on:
  pull_request:
    paths:
      - 'common/**'
      - 'library/**'
    types:
      - opened
      - synchronize
      - ready_for_review
  push:
    branches:
      - develop
      - staging
    paths:
      - 'common/**'
      - 'library/**'
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 jobs:
  test-library:
    if: ${{ !github.event.pull_request.draft }}
    name: "Library Tests"
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Lint
        working-directory: ./library
        run: |
          corepack enable;
          corepack install;
          pnpm install;
          pnpm run check-fmt
          pnpm run lint
      - name: Tests
        working-directory: ./library
        run: |
          ./scripts/test
--- a/.github/workflows/tests-plugins.yml
+++ b/.github/workflows/tests-plugins.yml
@ -0,0 +1,83 @@
 name: "CI: Plugins"
 defaults:
  run:
    shell: bash
 on:
  pull_request:
    paths:
      - 'plugins/**'
    types:
      - opened
      - synchronize
      - ready_for_review
  push:
    branches:
      - develop
      - staging
    paths:
      - 'plugins/**'
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 jobs:
  test-plugins:
    if: ${{ !github.event.pull_request.draft }}
    name: Plugins Runtime Linter & Tests
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    steps:
      - uses: actions/checkout@v6
      - name: Setup Node
        id: setup-node
        uses: actions/setup-node@v6
        with:
          node-version-file: .nvmrc
      - name: Install deps
        working-directory: ./plugins
        shell: bash
        run: |
          corepack enable;
          corepack install;
          pnpm install;
      - name: Run Lint
        working-directory: ./plugins
        run: pnpm run lint
      - name: Run Format Check
        working-directory: ./plugins
        run: pnpm run format:check
      - name: Run Test
        working-directory: ./plugins
        run: pnpm run test
      - name: Build runtime
        working-directory: ./plugins
        run: pnpm run build:runtime
      - name: Build doc
        working-directory: ./plugins
        run: pnpm run build:doc
      - name: Build plugins
        working-directory: ./plugins
        run: pnpm run build:plugins
      - name: Build styles
        working-directory: ./plugins
        run: pnpm run build:styles-example
--- a/.github/workflows/tests-wasm.yml
+++ b/.github/workflows/tests-wasm.yml
@ -0,0 +1,57 @@
 name: "CI: WASM"
 defaults:
  run:
    shell: bash
 on:
  pull_request:
    paths:
      - 'render-wasm/**'
    types:
      - opened
      - synchronize
      - ready_for_review
  push:
    branches:
      - develop
      - staging
    paths:
      - 'render-wasm/**'
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 jobs:
  test-render-wasm:
    if: ${{ !github.event.pull_request.draft }}
    name: "Render WASM Tests"
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Format
        working-directory: ./render-wasm
        run: |
          cargo fmt --check
      - name: Lint
        working-directory: ./render-wasm
        run: |
          ./lint
      - name: Test
        working-directory: ./render-wasm
        run: |
          ./test
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -1,411 +0,0 @@
 name: "CI"
 defaults:
  run:
    shell: bash
 on:
  pull_request:
    types:
      - opened
      - synchronize
      - ready_for_review
  push:
    branches:
      - develop
      - staging
 concurrency:
  group: ${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 jobs:
  lint:
    if: ${{ !github.event.pull_request.draft }}
    name: "Linter"
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Lint Common
        working-directory: ./common
        run: |
          corepack enable;
          corepack install;
          pnpm install;
          pnpm run check-fmt:clj
          pnpm run check-fmt:js
          pnpm run lint:clj
      - name: Lint Frontend
        working-directory: ./frontend
        run: |
          corepack enable;
          corepack install;
          pnpm install;
          pnpm run check-fmt:js
          pnpm run check-fmt:clj
          pnpm run check-fmt:scss
          pnpm run lint:clj
          pnpm run lint:js
          pnpm run lint:scss
      - name: Lint Backend
        working-directory: ./backend
        run: |
          corepack enable;
          corepack install;
          pnpm install;
          pnpm run check-fmt
          pnpm run lint
      - name: Lint Exporter
        working-directory: ./exporter
        run: |
          corepack enable;
          corepack install;
          pnpm install;
          pnpm run check-fmt
          pnpm run lint
      - name: Lint Library
        working-directory: ./library
        run: |
          corepack enable;
          corepack install;
          pnpm install;
          pnpm run check-fmt
          pnpm run lint
  test-common:
    if: ${{ !github.event.pull_request.draft }}
    name: "Common Tests"
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Run tests
        working-directory: ./common
        run: |
          ./scripts/test
  test-plugins:
    if: ${{ !github.event.pull_request.draft }}
    name: Plugins Runtime Linter & Tests
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    steps:
      - uses: actions/checkout@v6
      - name: Setup Node
        id: setup-node
        uses: actions/setup-node@v6
        with:
          node-version-file: .nvmrc
      - name: Install deps
        working-directory: ./plugins
        shell: bash
        run: |
          corepack enable;
          corepack install;
          pnpm install;
      - name: Run Lint
        working-directory: ./plugins
        run: pnpm run lint
      - name: Run Format Check
        working-directory: ./plugins
        run: pnpm run format:check
      - name: Run Test
        working-directory: ./plugins
        run: pnpm run test
      - name: Build runtime
        working-directory: ./plugins
        run: pnpm run build:runtime
      - name: Build doc
        working-directory: ./plugins
        run: pnpm run build:doc
      - name: Build plugins
        working-directory: ./plugins
        run: pnpm run build:plugins
      - name: Build styles
        working-directory: ./plugins
        run: pnpm run build:styles-example
  test-frontend:
    if: ${{ !github.event.pull_request.draft }}
    name: "Frontend Tests"
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Unit Tests
        working-directory: ./frontend
        run: |
          ./scripts/test
      - name: Component Tests
        working-directory: ./frontend
        env:
          VITEST_BROWSER_TIMEOUT: 120000
        run: |
          ./scripts/test-components
  test-render-wasm:
    if: ${{ !github.event.pull_request.draft }}
    name: "Render WASM Tests"
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Format
        working-directory: ./render-wasm
        run: |
          cargo fmt --check
      - name: Lint
        working-directory: ./render-wasm
        run: |
          ./lint
      - name: Test
        working-directory: ./render-wasm
        run: |
          ./test
  test-backend:
    if: ${{ !github.event.pull_request.draft }}
    name: "Backend Tests"
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    services:
      postgres:
        image: postgres:17
        # Provide the password for postgres
        env:
          POSTGRES_USER: penpot_test
          POSTGRES_PASSWORD: penpot_test
          POSTGRES_DB: penpot_test
        # Set health checks to wait until postgres has started
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
      redis:
        image: valkey/valkey:9
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Run tests
        working-directory: ./backend
        env:
          PENPOT_TEST_DATABASE_URI: "postgresql://postgres/penpot_test"
          PENPOT_TEST_DATABASE_USERNAME: penpot_test
          PENPOT_TEST_DATABASE_PASSWORD: penpot_test
          PENPOT_TEST_REDIS_URI: "redis://redis/1"
        run: |
          mkdir -p /tmp/penpot;
          clojure -M:dev:test --reporter kaocha.report/documentation
  test-library:
    if: ${{ !github.event.pull_request.draft }}
    name: "Library Tests"
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Run tests
        working-directory: ./library
        run: |
          ./scripts/test
  build-integration:
    if: ${{ !github.event.pull_request.draft }}
    name: "Build Integration Bundle"
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Build Bundle
        working-directory: ./frontend
        run: |
          ./scripts/build
      - name: Store Bundle Cache
        uses: actions/cache@v5
        with:
          key: "integration-bundle-${{ github.sha }}"
          path: frontend/resources/public
  test-integration-1:
    if: ${{ !github.event.pull_request.draft }}
    name: "Integration Tests 1/3"
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    needs: build-integration
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v6
      - name: Restore Cache
        uses: actions/cache/restore@v5
        with:
          key: "integration-bundle-${{ github.sha }}"
          path: frontend/resources/public
      - name: Run Tests
        working-directory: ./frontend
        run: |
          ./scripts/test-e2e --shard="1/3";
      - name: Upload test result
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: integration-tests-result-1
          path: frontend/test-results/
          overwrite: true
          retention-days: 3
  test-integration-2:
    if: ${{ !github.event.pull_request.draft }}
    name: "Integration Tests 2/3"
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    needs: build-integration
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v6
      - name: Restore Cache
        uses: actions/cache/restore@v5
        with:
          key: "integration-bundle-${{ github.sha }}"
          path: frontend/resources/public
      - name: Run Tests
        working-directory: ./frontend
        run: |
          ./scripts/test-e2e --shard="2/3";
      - name: Upload test result
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: integration-tests-result-2
          path: frontend/test-results/
          overwrite: true
          retention-days: 3
  test-integration-3:
    if: ${{ !github.event.pull_request.draft }}
    name: "Integration Tests 3/3"
    runs-on: penpot-runner-02
    container:
      image: penpotapp/devenv:latest
      volumes:
        - /var/cache/github-runner/m2:/root/.m2
        - /var/cache/github-runner/gitlib:/root/.gitlibs
    needs: build-integration
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v6
      - name: Restore Cache
        uses: actions/cache/restore@v5
        with:
          key: "integration-bundle-${{ github.sha }}"
          path: frontend/resources/public
      - name: Run Tests
        working-directory: ./frontend
        run: |
          ./scripts/test-e2e --shard="3/3";
      - name: Upload test result
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: integration-tests-result-3
          path: frontend/test-results/
          overwrite: true
          retention-days: 3
--- a/.gitignore
+++ b/.gitignore
@ -15,6 +15,12 @@
 .repl
 /*.jpg
 /*.md
 !CHANGES.md
 !CONTRIBUTING.md
 !README.md
 !AGENTS.md
 !CODE_OF_CONDUCT.md
 !SECURITY.md
 /*.png
 /*.svg
 /*.sql
@ -87,6 +93,10 @@
 /.pnpm-store
 /.vscode
 /.idea
 *.iml
 /.claude
 /.playwright-mcp
 /.devenv/mcp/
 /opencode.json
 /.codex/
 /tools/__pycache__
--- a/.opencode/skills/backport-commit/SKILL.md
+++ b/.opencode/skills/backport-commit/SKILL.md
@ -70,12 +70,7 @@ module's `AGENTS.md` for the exact commands). If the formatter auto-fixes
 indentation, verify the logic is still semantically correct. All checks must
 pass before moving on.
-### 6. Port the changelog entry (if any)
+### 6. Commit
 If the original commit added or modified a `CHANGES.md` entry, port that entry
 too — adapting wording and version references for the target branch.
 ### 7. Commit
 Ask the `commiter` sub-agent to create a commit. Stage all relevant files
 (exclude unrelated untracked files) and provide the original commit message as
--- a/.opencode/skills/issue-title/SKILL.md
+++ b/.opencode/skills/issue-title/SKILL.md
@ -0,0 +1,123 @@
 ---
 name: issue-title
 description: Derive a clear, well-formatted title for a GitHub issue from its description body, using descriptive present-tense for bugs and imperative mood for features, always including the "where" (location in the UI/module).
 ---
 # Skill: issue-title
 Derive a concise, descriptive title for a GitHub issue based on its body
 content. Use **descriptive present tense for bugs** (e.g. "Plugin API
 crashes when setting text fills") and **imperative mood for features** (e.g.
 "Add customizable dash and gap controls"). No emoji or type prefixes
 (`feat:`, `bug:`, `feature:`, etc.).
 Can be used both when **creating a new issue** and when **updating an
 existing one** that has a vague or outdated title.
 ## When to Use
 - Creating a new issue and need a well-formatted title from the draft body
 - An existing issue has a vague, outdated, or auto-generated title (e.g.
  `[PENPOT FEEDBACK]: ...`, `feature: ...`)
 - The current title doesn't reflect the actual content of the description
 - The title is missing the "where" (which part of the UI/module is affected)
 ## Prerequisites
 - `gh` CLI authenticated (`gh auth status`)
 ## Workflow
 ### 1. Get the issue body
 For an **existing issue**, fetch it:
 ```bash
 gh issue view <NUMBER> --repo penpot/penpot --json title,body
 ```
 For a **new issue**, read the draft body from wherever it was provided
 (Taiga link, user report, discussion, etc.).
 ### 2. Read the body and derive a title
 Extract the core problem or request from the description. Distinguish between
 bug reports and feature requests:
 **Bug titles (descriptive, present tense):**
 Describe the symptom as it appears to the user. Format:
 `[Where] [present-tense verb] when [condition]`
 - *"Plugin API crashes when setting text fills"*
 - *"Canvas renders glitches when zooming quickly"*
 - *"French Canada locale falls back to French (fr) translations"*
 - *"Text layer content is not deleted when WebGL render is enabled"*
 Do **not** start bug titles with "Fix" or any imperative verb. The title
 should state what's broken, not command a fix.
 **Feature / Enhancement titles (imperative mood):**
 Command what should be built. Format:
 `[Imperative verb] [what] in/on [where]`
 - *"Add customizable dash and gap length controls to dashed strokes in the sidebar"*
 - *"Show user, timestamp, and hash in the workspace history panel like git commits"*
 - *"Validate shape on add-object to catch malformed inputs early"*
 **Universal rules (both types):**
 - **Include the "where"** — specify the UI location or module (e.g.
  "in the sidebar", "in the workspace history panel", "on the stroke
  options")
 - **No prefixes** — strip `bug:`, `feature:`, `feat:`, `:bug:`, `:sparkles:`,
  `[PENPOT FEEDBACK]`, etc.
 - **No emoji** — plain text only
 - **Be specific** — prefer concrete detail over generality. If the
  description mentions two related problems, capture both.
 **Examples:**
 | Original / draft title | Type | New title |
 |---|---|---|
 | `[PENPOT FEEDBACK]: WebGL` | Bug | `Canvas renders glitches when zooming quickly — text appears distorted and nodes have background-colored rectangles` |
 | `bug: flatten-nested-tokens-json uses $type instead of $value as the DTCG token/group discriminator` | Bug | `Token import fails when group-level type inheritance is used — parser misidentifies groups as tokens` |
 | `feature: Dashed stroke customization` | Feature | `Add customizable dash and gap length controls to dashed strokes in the sidebar` |
 | `feature: Add more detail to history of actions` | Feature | `Show user, timestamp, and hash in the workspace history panel like git commits` |
 ### 3. Apply the title
 **If updating an existing issue:**
 ```bash
 gh issue edit <NUMBER> --repo penpot/penpot --title "<NEW TITLE>"
 ```
 **If creating a new issue:**
 ```bash
 gh issue create --repo penpot/penpot --title "<NEW TITLE>" --body "<BODY>"
 ```
 ### 4. Confirm
 For updates, the command returns the issue URL. Verify by optionally fetching
 again:
 ```bash
 gh issue view <NUMBER> --repo penpot/penpot --json title
 ```
 ## Key Principles
 - **Bug titles describe the symptom** — present tense, 3rd person:
  "crashes", "fails", "shows", "is cut off", "does not load". Do not
  start with "Fix" or "Bug:".
 - **Feature titles use imperative mood** — command form: "Add", "Show",
  "Use", "Validate", "Support", "Toggle".
 - **Always include the "where"** — a title like "Crashes when zooming"
  is too vague; "Canvas crashes when zooming quickly" is clear.
 - **No prefixes, no emoji** — strip all type labels and decorative
  characters from the title.
 - **Derive from the body, not the current title** — the body contains
  the real detail; the current title may be auto-generated or stale.
 - **Two problems → cover both** — if the description has two distinct
  but related issues, capture both in the title joined by "and".
--- a/.serena/memories/critical-info.md
+++ b/.serena/memories/critical-info.md
@ -9,7 +9,7 @@ You are working on the GitHub project `penpot/penpot`, a monorepo.
 # Development workflow
- Commit only when explicitly asked. Commit/PR format + changelog: `mem:workflow/creating-commits`, `mem:workflow/creating-prs`.
+- Commit only when explicitly asked. Commit/PR format + changelog: `mem:workflow/creating-commits`, `mem:workflow/creating-prs`. Issue creation (titles, labels, body templates, Issue Types): `mem:workflow/creating-issues`.
 - You have access to the GitHub CLI `gh` or corresponding MCP tools.
 - Issues are also managed on Taiga. Read issues using the `read_taiga_issue` tool.
 - Before writing code, analyze the task in depth and describe your plan. If the task is complex, break it down into atomic steps.
--- a/.serena/memories/workflow/creating-commits.md
+++ b/.serena/memories/workflow/creating-commits.md
@ -21,20 +21,3 @@ Co-authored-by: <You (the LLM)>
 ## Commit Type Emojis
 `:bug:` bug fix · `:sparkles:` enhancement · `:tada:` new feature · `:recycle:` refactor · `:lipstick:` cosmetic · `:ambulance:` critical fix · `:books:` docs · `:construction:` WIP · `:boom:` breaking · `:wrench:` config · `:zap:` perf · `:whale:` docker · `:paperclip:` other · `:arrow_up:` dep upgrade · `:arrow_down:` dep downgrade · `:fire:` removal · `:globe_with_meridians:` translations · `:rocket:` epic/highlight
 ## Changelogs
 **IMPORTANT:** do not modify the changelog unless it explicitly asked.
 For user-facing or notable changes, update the relevant changelog under the unreleased section:
 - Main app/modules (`backend`, `frontend`, `common`, `render-wasm`, `exporter`, `mcp`): root `CHANGES.md`.
 - Plugin subproject changes: `plugins/CHANGELOG.md`.
 Entry format uses the matching category (`:sparkles:`, `:bug:`, etc.) and references the GitHub issue:
 ```
 - Short description of change [#NNNN](https://github.com/penpot/penpot/issues/NNNN)
 ```
 Plugin API changelog prefixes: type/signature -> `**plugin-types:**`; runtime behavior -> `**plugin-runtime:**` in `plugins/CHANGELOG.md`.
--- a/.serena/memories/workflow/creating-issues.md
+++ b/.serena/memories/workflow/creating-issues.md
@ -0,0 +1,160 @@
 # Creating Issues
 Create GitHub issues only on explicit request. Use `gh` CLI authenticated to `penpot/penpot`.
 ## Title Derivation
 Derive the title from the source material (bug report, user feedback, feature request, etc.) — not from any pre-existing title which may be auto-generated or stale.
 ### Bug titles (descriptive present tense)
 Describe the symptom as it appears to the user. Format: `[Where] [present-tense verb] when [condition]`.
 - *"Plugin API crashes when setting text fills"*
 - *"Canvas renders glitches when zooming quickly"*
 - *"French Canada locale falls back to French (fr) translations"*
 Do **not** start bug titles with "Fix" or any imperative verb — state what's broken, not command a fix.
 ### Feature / Enhancement titles (imperative mood)
 Command what should be built. Format: `[Imperative verb] [what] in/on [where]`.
 - *"Add customizable dash and gap length controls to dashed strokes in the sidebar"*
 - *"Show user, timestamp, and hash in the workspace history panel like git commits"*
 ### Universal rules
 - **Include the "where"** — specify the UI location or module (e.g. "in the sidebar", "on the stroke options")
 - **No prefixes** — strip `bug:`, `feature:`, `feat:`, `:bug:`, `:sparkles:`, `[PENPOT FEEDBACK]`, etc.
 - **No emoji** — plain text only
 - **Be specific** — prefer concrete detail over generality
 - **Two problems → cover both** — if the description has two distinct but related issues, capture both joined by "and"
 ## Metadata
 | Field | Rule |
 |-------|------|
 | **Labels** | `bug` (crashes/regressions) · `enhancement` (new features) · `community contribution` (PRs from non-core) · skip workflow labels (`backport candidate`, `team-qa`) |
 | **Milestone** | Use the current or next planned milestone. Fetch available milestones: `gh api repos/penpot/penpot/milestones --jq '.[].title'`. If unsure, omit. |
 | **Project** | Always `Main` (project number 8). Use `--project "Main"` flag. |
 | **Issue Type** | See Issue Type section below. Cannot be set via `gh issue create` — use GraphQL after creation. |
 ## Issue Body Template
 Write the body to a temp file to avoid shell quoting issues:
 **Bug template:**
 ```markdown
 ### Description
 <what breaks, what the user experiences>
 ### Steps to reproduce
 1. <step 1>
 2. <step 2>
 ### Expected behavior
 <what should happen instead>
 ### Affected versions
 <version>
 ```
 **Enhancement template:**
 ```markdown
 ### Description
 <what the user can now do that they couldn't before>
 ### Use case
 <why this is useful, who benefits>
 ### Affected versions
 <version>
 ```
 ## Creating the Issue
 ```bash
 cat > /tmp/issue-body.md << 'ISSUE_BODY'
 <body content here>
 ISSUE_BODY
 gh issue create \
  --repo penpot/penpot \
  --title "<Derived title>" \
  --label "<label>" \
  --project "Main" \
  --body-file /tmp/issue-body.md
 ```
 Output: `https://github.com/penpot/penpot/issues/<NUMBER>`
 ## Setting the Issue Type
 `gh issue create` can't set Issue Type directly. Use GraphQL after creation.
 **Issue Type IDs for penpot/penpot:**
 | Type | ID |
 |------|----|
 | Bug | `IT_kwDOAcyBPM4AX5Nb` |
 | Enhancement | `IT_kwDOAcyBPM4B_IQN` |
 | Feature | `IT_kwDOAcyBPM4AX5Nf` |
 | Task | `IT_kwDOAcyBPM4AX5NY` |
 | Question | `IT_kwDOAcyBPM4B_IQj` |
 | Docs | `IT_kwDOAcyBPM4B_IQz` |
 **Map:**
 - `bug` label → Bug
 - `enhancement` label → Enhancement
 - Feature/epic → Feature
 - Docs → Docs
 - None of the above → Task
 **Set it:**
 ```bash
 ISSUE_ID=$(gh api graphql -f query='
 query { repository(owner: "penpot", name: "penpot") {
  issue(number: <NUMBER>) { id }
 }}' --jq '.data.repository.issue.id')
 gh api graphql -f query='
 mutation {
  updateIssue(input: {
    id: "'"$ISSUE_ID"'"
    issueTypeId: "<TYPE_ID>"
  }) {
    issue { number issueType { name } }
  }
 }'
 ```
 ## Verification
 ```bash
 gh issue view <NUMBER> --repo penpot/penpot \
  --json title,labels,milestone,projectItems \
  --jq '{title, milestone: .milestone.title, labels: [.labels[].name], projects: [.projectItems[].title]}'
 gh api graphql -f query='
 query { repository(owner: "penpot", name: "penpot") {
  issue(number: <NUMBER>) { issueType { name } }
 }}' --jq '.data.repository.issue.issueType.name'
 ```
 ## Cleanup
 ```bash
 rm -f /tmp/issue-body.md
 ```
 ## See Also
 - Creating issues **from PRs** (separating WHAT from HOW): `mem:workflow/creating-prs`
--- a/AGENTS.md
+++ b/AGENTS.md
@ -1,104 +1,79 @@
-# AI Agent Guide
+# AI AGENT GUIDE
-This document provides the core context and operating guidelines for AI agents
+## CRITICAL: Read module memories BEFORE writing any code
 working in this repository.
-## Before You Start
+Do this **before planning, before coding, before touching any file**:
-Before responding to any user request, you must:
+1. Read `critical-info` (use `serena_read_memory critical-info` or read `.serena/memories/critical-info.md`).
   It describes the project structure and tells you which modules exist.
 2. From `critical-info`, identify which modules your task affects.
 3. Read each affected module's **core memory** — the name is `<module>/core`
   (e.g. `frontend/core`, `backend/core`, `common/core`).
 4. If the core memory references deeper `mem:` memories relevant to your task, read those too.
-1. Read this file completely.
+**STOP: Do not proceed until you have read the core memory of every affected module.**
-2. Identify which modules are affected by the task.
+Skipping this step is the #1 cause of incorrect or incomplete work.
 3. Load the `AGENTS.md` file **only** for each affected module (see the
   architecture table below). Not all modules have an `AGENTS.md` — verify the
   file exists before attempting to read it.
 4. Do **not** load `AGENTS.md` files for unrelated modules.
-## Role: Senior Software Engineer
+---
 # Memory system
 Memories are the **primary project guidance** — not docs or readme files.
 They are dense, agent-oriented notes: terse bullets, invariants, no prose.
 ## Entry point
 Start at `critical-info` (the graph root). It describes the project structure,
 module dependency graph, and references section-level core memories.
 ## Progressive discovery model
 Memories form a **reference graph**, not a flat list:
 ```
 critical-info          ← read first (graph root)
  └─ <section>/core    ← top-level memory per section (e.g. frontend/core, backend/core)
       └─ <topic>      ← focused memories (e.g. frontend/handling-errors-and-debugging)
            └─ ...     ← deeper memories as needed
 ```
 When working on a task:
 1. Read `critical-info` to identify which sections are affected.
 2. Read the affected section's `core` memory for an overview.
 3. Follow `mem:` references in the core memory to focused memories relevant to your task.
 4. Continue following references deeper as needed.
 ## Accessing memories
 - **If `serena_read_memory` / `serena_list_memories` tools are available**: use them.
  `serena_read_memory` takes a memory name (e.g. `critical-info`, `frontend/core`).
 - **If tools are NOT available**: read the filesystem directly.
  Memory name `mem:foo/bar` maps to file `.serena/memories/foo/bar.md`.
 ## Cross-reference convention
 Memories reference other memories with `mem:<section>/<name>` inside backticks.
 Example: `mem:common/changes-architecture`.
 When you encounter a `mem:` reference relevant to your task, read that memory next.
 ## Topic/folder organization
 Memories are grouped into folders that mirror project modules or topics:
 `backend/`, `common/`, `frontend/`, `render-wasm/`, `exporter/`, `workflow/`, etc.
 Each folder's top-level memory is `<folder>/core`.
 ---
 # Role: Senior Software Engineer
 You are a high-autonomy Senior Full-Stack Software Engineer. You have full
 permission to navigate the codebase, modify files, and execute commands to
 fulfill your tasks. Your goal is to solve complex technical tasks with high
 precision while maintaining a strong focus on maintainability and performance.
-### Operational Guidelines
+## Operational Guidelines
 1. Before writing code, describe your plan. If the task is complex, break it
   down into atomic steps.
 2. Be concise and autonomous.
 3. Do **not** touch unrelated modules unless the task explicitly requires it.
 4. Commit only when explicitly asked. Follow the commit format rules in
   `CONTRIBUTING.md`.
 5. When searching code, prefer `ripgrep` (`rg`) over `grep` — it respects
   `.gitignore` by default.
 ## Changelogs
 The project has two changelogs:
 - **Main project changelog**: `CHANGES.md` (root of the repository). Tracks changes for the core Penpot application (backend, frontend, common, render-wasm, exporter, mcp).
 - **Plugins changelog**: `plugins/CHANGELOG.md`. Tracks changes for the plugins subproject only.
 When making changes, add a changelog entry to the appropriate file under the
 `## <version> (Unreleased)` section in the correct category
 (`:sparkles: New features & Enhancements` or `:bug: Bugs fixed`).
 ## GitHub Operations
 To obtain the list of repository members/collaborators:
 ```bash
 gh api repos/:owner/:repo/collaborators --paginate --jq '.[].login'
 ```
 To obtain the list of open PRs authored by members:
 ```bash
 MEMBERS=$(gh api repos/:owner/:repo/collaborators --paginate --jq '.[].login' | tr '\n' '|' | sed 's/|$//')
 gh pr list --state open --limit 200 --json author,title,number | jq -r --arg members "$MEMBERS" '
  ($members | split("|")) as $m |
  .[] | select(.author.login as $a | $m | index($a)) |
  "\(.number)\t\(.author.login)\t\(.title)"
 '
 ```
 To obtain the list of open PRs from external contributors (non-members):
 ```bash
 MEMBERS=$(gh api repos/:owner/:repo/collaborators --paginate --jq '.[].login' | tr '\n' '|' | sed 's/|$//')
 gh pr list --state open --limit 200 --json author,title,number | jq -r --arg members "$MEMBERS" '
  ($members | split("|")) as $m |
  .[] | select(.author.login as $a | $m | index($a) | not) |
  "\(.number)\t\(.author.login)\t\(.title)"
 '
 ```
 ## Architecture Overview
 Penpot is an open-source design tool composed of several modules:
 | Directory | Language | Purpose | Has `AGENTS.md` |
 |-----------|----------|---------|:----------------:|
 | `frontend/` | ClojureScript + SCSS | Single-page React app (design editor) | Yes |
 | `backend/` | Clojure (JVM) | HTTP/RPC server, PostgreSQL, Redis | Yes |
 | `common/` | Cljc (shared Clojure/ClojureScript) | Data types, geometry, schemas, utilities | Yes |
 | `render-wasm/` | Rust -> WebAssembly | High-performance canvas renderer (Skia) | Yes |
 | `exporter/` | ClojureScript (Node.js) | Headless Playwright-based export (SVG/PDF) | No |
 | `mcp/` | TypeScript | Model Context Protocol integration | No |
 | `plugins/` | TypeScript | Plugin runtime and example plugins | No |
 Some submodules use `pnpm` workspaces. The root `package.json` and
 `pnpm-lock.yaml` manage shared dependencies. Helper scripts live in `scripts/`.
 ### Module Dependency Graph
 ```
 frontend ──> common
 backend  ──> common
 exporter ──> common
 frontend ──> render-wasm  (loads compiled WASM)
 ```
 `common` is referenced as a local dependency (`{:local/root "../common"}`) by
 both `frontend` and `backend`. Changes to `common` can therefore affect multiple
 modules — test across consumers when modifying shared code.
--- a/CHANGES.md
+++ b/CHANGES.md
@ -1,10 +1,123 @@
 # CHANGELOG
 ## 2.17.0 (Unreleased)
 ### :boom: Breaking changes & Deprecations
 ### :rocket: Epics and highlights
 ### :sparkles: New features & Enhancements
 - Show a read-only W × H size badge below the bounding box of the current selection (by @bittoby) [#9205](https://github.com/penpot/penpot/issues/9205)
 - Expose `variants` retrieval on `LibraryComponent` via `isVariant()` type guard in plugin API (by @opcode81) [#9185](https://github.com/penpot/penpot/issues/9185) (PR: [#9302](https://github.com/penpot/penpot/pull/9302))
 - Add search bar to prototype interaction destination dropdown (by @EvaMarco) [#8618](https://github.com/penpot/penpot/issues/8618) (PR: [#9769](https://github.com/penpot/penpot/pull/9769))
 - Apply styles to selection (by @AzazelN28) [#9661](https://github.com/penpot/penpot/issues/9661) (PR: [#8625](https://github.com/penpot/penpot/pull/8625))
 - Add dashed stroke customization with dash and gap inputs (by @EvaMarco) [#3881](https://github.com/penpot/penpot/issues/3881) (PR: [#9765](https://github.com/penpot/penpot/pull/9765))
 - Add author, relative timestamp and short identifier to history entries (by @FairyPigDev) [#7660](https://github.com/penpot/penpot/issues/7660) (PR: [#9132](https://github.com/penpot/penpot/pull/9132))
 - Add typography token row to multiselected texts [#9336](https://github.com/penpot/penpot/issues/9336) (PR: [#9128](https://github.com/penpot/penpot/pull/9128))
 - Optimize propagation of tokens [#9261](https://github.com/penpot/penpot/issues/9261) (PR: [#9144](https://github.com/penpot/penpot/pull/9144))
 - Add typography information to token dropdown option [#9377](https://github.com/penpot/penpot/issues/9377) (PR: [#9375](https://github.com/penpot/penpot/pull/9375))
 - Cache OIDC provider records to skip per-login discovery (by @Dexterity104) [#9294](https://github.com/penpot/penpot/issues/9294) (PR: [#9295](https://github.com/penpot/penpot/pull/9295))
 - Validate shape on add-object to catch malformed inputs early (by @Dexterity104) [#9507](https://github.com/penpot/penpot/issues/9507) (PR: [#9291](https://github.com/penpot/penpot/pull/9291))
 - Remove unreachable try/catch in hex->hsl (by @Dexterity104) [#9244](https://github.com/penpot/penpot/issues/9244) (PR: [#9245](https://github.com/penpot/penpot/pull/9245))
 - Remove stray debug log in exporter upload-resource (by @iot2edge) [#9270](https://github.com/penpot/penpot/issues/9270) (PR: [#9272](https://github.com/penpot/penpot/pull/9272))
 - Release pool connection during font variant creation (by @Dexterity104) [#9286](https://github.com/penpot/penpot/issues/9286) (PR: [#9287](https://github.com/penpot/penpot/pull/9287))
 - Add autocomplete combobox to token creation and edition forms [#9899](https://github.com/penpot/penpot/issues/9899) (PR: [#9109](https://github.com/penpot/penpot/pull/9109))
 - Add list view mode to color picker UI [#4420](https://github.com/penpot/penpot/issues/4420) (PR: [#9953](https://github.com/penpot/penpot/pull/9953))
 - Use Clipboard API consistently across the application (by @MilosM348) [#6514](https://github.com/penpot/penpot/issues/6514) (PR: [#9188](https://github.com/penpot/penpot/pull/9188))
 - Use `$` as DTCG token/group discriminator and make `$description` optional [#8342](https://github.com/penpot/penpot/issues/8342) (PR: [#9912](https://github.com/penpot/penpot/pull/9912))
 - Match version preview banner text to History sidebar labels (by @MilosM348) [#9503](https://github.com/penpot/penpot/issues/9503) (PR: [#9697](https://github.com/penpot/penpot/pull/9697))
 - Use "copia" as duplicate suffix for Spanish (by @Rene0422) [#9623](https://github.com/penpot/penpot/issues/9623) (PR: [#9671](https://github.com/penpot/penpot/pull/9671))
 - Harden CORS middleware to not reflect Origin with credentials enabled [#9659](https://github.com/penpot/penpot/issues/9659) (PR: [#9675](https://github.com/penpot/penpot/pull/9675))
 - Revert token migrations on clashing names to prevent data loss [#9816](https://github.com/penpot/penpot/issues/9816) (PR: [#9950](https://github.com/penpot/penpot/pull/9950))
 - Update contributing guidelines with current issue tags and CSS linting rules [#9900](https://github.com/penpot/penpot/issues/9900) (PR: [#9418](https://github.com/penpot/penpot/pull/9418))
 - Add composite typography token input to the Design sidebar [#9932](https://github.com/penpot/penpot/issues/9932) (PR: [#9128](https://github.com/penpot/penpot/pull/9128), [#9375](https://github.com/penpot/penpot/pull/9375), [#8749](https://github.com/penpot/penpot/pull/8749))
 - Avoid deduplicating temporary export files to prevent stale content (by @yong2bba) [#9970](https://github.com/penpot/penpot/issues/9970) (PR: [#9959](https://github.com/penpot/penpot/pull/9959))
 ### :bug: Bugs fixed
 - Fix plugin API `fileVersion.restore()` promise hanging indefinitely on restore failure [Github #9092](https://github.com/penpot/penpot/issues/9092)
 - Fix LDAP provider params schema typo (`bind-passwor` → `bind-password`) introduced during the `clojure.spec` → `malli` migration; the schema slot now matches the runtime key actually read by `prepare-params` (`:password (:bind-password cfg)`) and `try-connectivity` (`(:bind-password cfg)`), so a wrong type for the password no longer slips through unvalidated
 - Fix `login-with-ldap` silently dropping its error message on the `ldap-not-initialized` restriction (typo `:hide` → `:hint`); the message `"ldap auth provider is not initialized"` now actually surfaces in logs and error responses instead of being discarded into an unread key
 - Fix `PENPOT_OIDC_USER_INFO_SOURCE` flag being silently ignored (`userinfo` / `token`) in the OIDC callback, causing "incomplete user info" failures during registration [Github #9108](https://github.com/penpot/penpot/issues/9108)
 - Fix `get-view-only-bundle` crashing when a share-link viewer encounters a team member whose email lacks `@` (NullPointerException in `obfuscate-email`) or whose domain has no `.` (previously produced a dangling-dot `****@****.`); now the viewer-side obfuscation is nil-safe and omits the trailing dot when the domain has no TLD
 - Remove `corepack` from the MCP local launcher so it runs on Node.js 25+, where corepack is no longer bundled [Github #8877](https://github.com/penpot/penpot/issues/8877)
 - Fix Copy as SVG: emit a single valid SVG document when multiple shapes are selected, and publish `image/svg+xml` to the clipboard so the paste target works in Inkscape and other SVG-native tools [Github #838](https://github.com/penpot/penpot/issues/838)
 - Reset profile submenu state when the account menu closes (by @eureka0928) [Github #8947](https://github.com/penpot/penpot/issues/8947)
 - Add export panel to inspect styles tab [Taiga #13582](https://tree.taiga.io/project/penpot/issue/13582)
 - Fix styles between grid layout inputs [Taiga #13526](https://tree.taiga.io/project/penpot/issue/13526)
 - Fix id prop on switch component [Taiga #13534](https://tree.taiga.io/project/penpot/issue/13534)
 - Update copy on penpot update message [Taiga #12924](https://tree.taiga.io/project/penpot/issue/12924)
 - Fix scroll on library modal [Taiga #13639](https://tree.taiga.io/project/penpot/issue/13639)
 - Fix dates to avoid show them in english when browser is in auto [Taiga #13786](https://tree.taiga.io/project/penpot/issue/13786)
 - Fix focus radio button [Taiga #13841](https://tree.taiga.io/project/penpot/issue/13841)
 - Token tree should be expanded by default [Taiga #13631](https://tree.taiga.io/project/penpot/issue/13631)
 - Fix opacity incorrectly disabled for visible shapes [Taiga #13906](https://tree.taiga.io/project/penpot/issue/13906)
 - Update onboarding image [Taiga #13864](https://tree.taiga.io/project/penpot/issue/13864)
 - Fix plugin modal drag interactions over iframe and close-button behavior (by @marekhrabe) [Github #8871](https://github.com/penpot/penpot/pull/8871)
 - Fix hot update on color-row on texts [Taiga #13923](https://tree.taiga.io/project/penpot/issue/13923)
 - Fix selected color tokens [Taiga #13930](https://tree.taiga.io/project/penpot/issue/13930)
 - Fix dashboard Recent/Deleted titles overlapped by scrolling content (by @rockchris099) [Github #8577](https://github.com/penpot/penpot/issues/8577)
 - Display resolved values of inactive tokens [Taiga #13628](https://tree.taiga.io/project/penpot/issue/13628)
 - Fix hyphens stripped from export filenames (by @jamesrayammons) [Github #8901](https://github.com/penpot/penpot/issues/8901)
 - Fix app crash when selecting shapes with one hidden [Taiga #13959](https://tree.taiga.io/project/penpot/issue/13959)
 - Fix opacity mixed value [Taiga #13960](https://tree.taiga.io/project/penpot/issue/13960)
 - Fix gap input throwing an error [Github #8984](https://github.com/penpot/penpot/pull/8984)
 - Fix non-functional clear icon in change email modal inputs (by @Dexterity104) [Github #8977](https://github.com/penpot/penpot/issues/8977)
 - Disable save button after saving account profile settings (by @Dexterity104) [Github #8979](https://github.com/penpot/penpot/issues/8979)
 - Fix copy to be more specific [Taiga #13990](https://tree.taiga.io/project/penpot/issue/13990)
 - Allow deleting the profile avatar after uploading [Github #9067](https://github.com/penpot/penpot/issues/9067)
 - Fix incorrect rendering when exporting text as SVG, PNG and JPG (by @edwin-rivera-dev) [Github #8516](https://github.com/penpot/penpot/issues/8516)
 - Fix Settings and Notifications "Update Settings" button enabled state when form has no changes (by @moorsecopers99) [Github #9090](https://github.com/penpot/penpot/issues/9090)
 - Fix "Help & Learning" submenu vertical alignment in account menu (by @juan-flores077) [Github #9137](https://github.com/penpot/penpot/issues/9137)
 - Fix plugin `addInteraction` silently rejecting `open-overlay` actions with `manualPositionLocation` [Github #8409](https://github.com/penpot/penpot/issues/8409)
 - Fix typography style creation with tokenized line-height (by @juan-flores077) [Github #8479](https://github.com/penpot/penpot/issues/8479)
 - Fix colorpicker layout so the eyedropper button is visible again [Taiga #14057](https://tree.taiga.io/project/penpot/issue/14057)
 - Fix SVG stroke line join not applied when pasting strokes [#4836](https://github.com/penpot/penpot/issues/4836) (PR: [#9982](https://github.com/penpot/penpot/pull/9982), [#10019](https://github.com/penpot/penpot/pull/10019))
 - Fix blend-mode hover preview on canvas not reverted when dismissing dropdown (by @jack-stormentswe) [#9235](https://github.com/penpot/penpot/issues/9235) (PR: [#9237](https://github.com/penpot/penpot/pull/9237))
 - Fix View Mode mouse-leave and click in combination not working [#4855](https://github.com/penpot/penpot/issues/4855) (PR: [#9991](https://github.com/penpot/penpot/pull/9991))
 - Fix Storybook UI missing scrollbar (by @MilosM348) [#6049](https://github.com/penpot/penpot/issues/6049) (PR: [#9319](https://github.com/penpot/penpot/pull/9319))
 - Fix font selector missing intermediate font weights for Source Sans Pro and similar fonts (by @dhgoal) [#7378](https://github.com/penpot/penpot/issues/7378) (PR: [#9247](https://github.com/penpot/penpot/pull/9247))
 - Fix plugin API `typography.remove()` passing wrong parameter format (by @leonaIee) [#8223](https://github.com/penpot/penpot/issues/8223) (PR: [#9279](https://github.com/penpot/penpot/pull/9279))
 - Fix plugin API fills and strokes array elements being read-only (by @RenzoMXD) [#8357](https://github.com/penpot/penpot/issues/8357) (PR: [#9161](https://github.com/penpot/penpot/pull/9161))
 - Fix "Show Guides" shortcut not working on German keyboards (by @RenzoMXD) [#8423](https://github.com/penpot/penpot/issues/8423) (PR: [#9209](https://github.com/penpot/penpot/pull/9209))
 - Fix token validation failing when a malformed token exists in the Component category [#9010](https://github.com/penpot/penpot/issues/9010) (PR: [#9025](https://github.com/penpot/penpot/pull/9025), [#9825](https://github.com/penpot/penpot/pull/9825))
 - Fix prototype interaction targets appearing in View Mode automatically when library component changes (by @jeffrey701) [#9049](https://github.com/penpot/penpot/issues/9049) (PR: [#9695](https://github.com/penpot/penpot/pull/9695))
 - Fix Docker frontend image missing CSS reference (by @NativeTeachingAidsB) [#9135](https://github.com/penpot/penpot/issues/9135) (PR: [#9840](https://github.com/penpot/penpot/pull/9840))
 - Fix MCP media upload error and SVG data URI image parsing (by @claytonlin1110) [#9164](https://github.com/penpot/penpot/issues/9164) (PR: [#9201](https://github.com/penpot/penpot/pull/9201))
 - Fix lost-update race on team features during concurrent file creation (by @JPette1783) [#9197](https://github.com/penpot/penpot/issues/9197) (PR: [#9198](https://github.com/penpot/penpot/pull/9198))
 - Fix get-profile RPC method silently masking DB errors as "Anonymous User" (by @jack-stormentswe) [#9253](https://github.com/penpot/penpot/issues/9253) (PR: [#9254](https://github.com/penpot/penpot/pull/9254))
 - Fix crash when creating or editing tokens named "white" or "black" [#9256](https://github.com/penpot/penpot/issues/9256) (PR: [#9034](https://github.com/penpot/penpot/pull/9034))
 - Fix conditional use-ctx hook violation in shape-wrapper (by @Dexterity104) [#9280](https://github.com/penpot/penpot/issues/9280) (PR: [#9281](https://github.com/penpot/penpot/pull/9281))
 - Make ShapeImageIds byte conversion fallible to prevent panics (by @Dexterity104) [#9282](https://github.com/penpot/penpot/issues/9282) (PR: [#9283](https://github.com/penpot/penpot/pull/9283))
 - Prevent viewers from overwriting file thumbnails (by @jony376) [#9284](https://github.com/penpot/penpot/issues/9284) (PR: [#9285](https://github.com/penpot/penpot/pull/9285))
 - Fix plugin API showing incorrect error messages for invalid operations (by @bitcompass) [#9417](https://github.com/penpot/penpot/issues/9417) (PR: [#9486](https://github.com/penpot/penpot/pull/9486))
 - Add inactivity timeout to SSE sessions to match Streamable HTTP sessions [#9432](https://github.com/penpot/penpot/issues/9432) (PR: [#9464](https://github.com/penpot/penpot/pull/9464))
 - Fix component variant switching behaving differently on two identical copies (by @MischaPanch) [#9498](https://github.com/penpot/penpot/issues/9498) (PR: [#9434](https://github.com/penpot/penpot/pull/9434))
 - Populate is-indirect flag on file libraries from relation graph (by @Dexterity104) [#9506](https://github.com/penpot/penpot/issues/9506) (PR: [#9289](https://github.com/penpot/penpot/pull/9289))
 - Add missing error message for invalid shadow token [#9583](https://github.com/penpot/penpot/issues/9583) (PR: [#9809](https://github.com/penpot/penpot/pull/9809))
 - Fix moving a component in a library triggering stale update notification in dependent files [#9629](https://github.com/penpot/penpot/issues/9629) (PR: [#9616](https://github.com/penpot/penpot/pull/9616))
 - Fix newly created token not visible when placed above existing tokens in the tree [#9711](https://github.com/penpot/penpot/issues/9711) (PR: [#9803](https://github.com/penpot/penpot/pull/9803))
 - Fix B(V) input label misalignment in HSB color picker [#9731](https://github.com/penpot/penpot/issues/9731) (PR: [#9793](https://github.com/penpot/penpot/pull/9793))
 - Fix text style name input appending font name instead of replacing it when edited [#9785](https://github.com/penpot/penpot/issues/9785) (PR: [#9784](https://github.com/penpot/penpot/pull/9784))
 - Fix shadow token creation not allowing empty blur or spread value [#9808](https://github.com/penpot/penpot/issues/9808) (PR: [#9809](https://github.com/penpot/penpot/pull/9809))
 - Fix thinner line in path when its stroke is deleted and added again [#9823](https://github.com/penpot/penpot/issues/9823) (PR: [#9836](https://github.com/penpot/penpot/pull/9836))
 - Fix layers panel perceivable lag when displaying changes [#9834](https://github.com/penpot/penpot/issues/9834)
 - Fix settings form visual layout broken after recent contribution [#9882](https://github.com/penpot/penpot/issues/9882) (PR: [#9883](https://github.com/penpot/penpot/pull/9883))
 - Fix crash when duplicating shapes with fill/stroke properties [#9893](https://github.com/penpot/penpot/issues/9893) (PR: [#9647](https://github.com/penpot/penpot/pull/9647))
 - Fix S3 storage failing with IRSA/Web Identity Token credentials (by @jpc2350) [#9927](https://github.com/penpot/penpot/issues/9927) (PR: [#9928](https://github.com/penpot/penpot/pull/9928))
 - Fix onboarding template spinner stuck after failed template download (by @jeffrey701) [#9931](https://github.com/penpot/penpot/issues/9931) (PR: [#9504](https://github.com/penpot/penpot/pull/9504))
 - Fix stroke caps not working correctly when there are other nodes in the middle of a path [#9987](https://github.com/penpot/penpot/issues/9987) (PR: [#9989](https://github.com/penpot/penpot/pull/9989))
 - Fix missing three dots button for column and row edit menu in WebKit/Safari [#9993](https://github.com/penpot/penpot/issues/9993) (PR: [#9994](https://github.com/penpot/penpot/pull/9994))
 - Fix exported path with strokes being cut off in SVG file [#9995](https://github.com/penpot/penpot/issues/9995) (PR: [#9996](https://github.com/penpot/penpot/pull/9996))
 - Fix French Canada locale falling back to French translations instead of French Canadian (by @alexismo) [#10017](https://github.com/penpot/penpot/issues/10017) (PR: [#10027](https://github.com/penpot/penpot/pull/10027))
 ## 2.16.0 (Unreleased)
 ### :boom: Breaking changes & Deprecations
 ### :rocket: Epics and highlights
 - WebGL rendering (beta) user preference [#9683](https://github.com/penpot/penpot/issues/9683) (PR:[9113](https://github.com/penpot/penpot/pull/9113))
 - Design Tokens at the design tab: numeric fields with token selection in place [#9358](https://github.com/penpot/penpot/issues/9358)
@ -62,6 +175,8 @@
 - Add v2.16 release notes (What's new modal) [#9945](https://github.com/penpot/penpot/issues/9945) (PR: [#9940](https://github.com/penpot/penpot/pull/9940))
 ### :bug: Bugs fixed
 - Fix plugin API `Board.addRulerGuide` attaching guides to the page instead of the board due to a shadowed `id` binding; also correct the `'content:write'` permission error message and the `RulerGuideProxy` name (by @girafic) [#8225](https://github.com/penpot/penpot/issues/8225) (PR: [#8632](https://github.com/penpot/penpot/pull/8632))
 - Add Shift+Numpad aliases for zoom shortcuts (by @RenzoMXD) [#2457](https://github.com/penpot/penpot/issues/2457) (PR: [#9063](https://github.com/penpot/penpot/pull/9063))
 - Save and restore selection state in undo/redo (by @eureka0928) [#6007](https://github.com/penpot/penpot/issues/6007) (PR: [#8652](https://github.com/penpot/penpot/pull/8652))
 - Add guide locking and fix locked element selection in viewer (by @Dexterity104) [#8358](https://github.com/penpot/penpot/issues/8358) (PR: [#8949](https://github.com/penpot/penpot/pull/8949))
@ -175,7 +290,6 @@
 - Fix mcp related internal config for docker images [GH #9565](https://github.com/penpot/penpot/pull/9565)
 ## 2.15.1
 ### :sparkles: New features & Enhancements
@ -186,7 +300,6 @@
 - Fix "Help & Learning" submenu vertical alignment in account menu (by @juan-flores077) [#9137](https://github.com/penpot/penpot/issues/9137) (PR: [#9138](https://github.com/penpot/penpot/pull/9138))
 ## 2.15.0
 ### :sparkles: New features & Enhancements
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -159,7 +159,7 @@ To save time on both sides, please avoid submitting PRs that:
 ### Good first issues
-We use the `easy fix` label to mark issues appropriate for newcomers.
+We use the `good first issue` label to mark issues appropriate for newcomers.
 ## Commit Guidelines
@ -175,26 +175,26 @@ Commit messages must follow this format:
 ### Commit types
-| Emoji | Description |
+| Emoji                  | Description                |
-|-------|-------------|
+| ---------------------- | -------------------------- |
-| :bug: | Bug fix |
+| :bug:                  | Bug fix                    |
-| :sparkles: | Improvement or enhancement |
+| :sparkles:             | Improvement or enhancement |
-| :tada: | New feature |
+| :tada:                 | New feature                |
-| :recycle: | Refactor |
+| :recycle:              | Refactor                   |
-| :lipstick: | Cosmetic changes |
+| :lipstick:             | Cosmetic changes           |
-| :ambulance: | Critical bug fix |
+| :ambulance:            | Critical bug fix           |
-| :books: | Documentation |
+| :books:                | Documentation              |
-| :construction: | Work in progress |
+| :construction:         | Work in progress           |
-| :boom: | Breaking change |
+| :boom:                 | Breaking change            |
-| :wrench: | Configuration update |
+| :wrench:               | Configuration update       |
-| :zap: | Performance improvement |
+| :zap:                  | Performance improvement    |
-| :whale: | Docker-related change |
+| :whale:                | Docker-related change      |
-| :paperclip: | Other non-relevant changes |
+| :paperclip:            | Other non-relevant changes |
-| :arrow_up: | Dependency update |
+| :arrow_up:             | Dependency update          |
-| :arrow_down: | Dependency downgrade |
+| :arrow_down:           | Dependency downgrade       |
-| :fire: | Removal of code or files |
+| :fire:                 | Removal of code or files   |
 | :globe_with_meridians: | Add or update translations |
-| :rocket: | Epic or highlight |
+| :rocket:               | Epic or highlight          |
 ### Rules
@ -231,15 +231,27 @@ We use [cljfmt](https://github.com/weavejester/cljfmt) for formatting and
 ./scripts/lint
 ```
 For frontend SCSS, we use `stylelint` for linting and
 `Prettier` for formatting:
 ```bash
 cd frontend
 # Lint SCSS
 pnpm run lint:scss (does not modify files)
 # Fix SCSS formatting (modifies files in place)
 pnpm run fmt:scss
 ```
 Ideally, run these as git pre-commit hooks.
 [Husky](https://typicode.github.io/husky/#/) is a convenient option for
 setting this up.
 ## Changelog
-When your change is user-facing or otherwise notable, add an entry to
+The changelog is updated automatically as part of the release process. Contributors
-[CHANGES.md](CHANGES.md) following the same commit-type conventions. Reference
+should **not** modify `CHANGES.md` manually in their pull requests.
 the relevant GitHub issue or Taiga user story.
 ## Code of Conduct
@ -260,23 +272,23 @@ By submitting code you agree to and can certify the following:
 > By making a contribution to this project, I certify that:
 >
 > (a) The contribution was created in whole or in part by me and I have the
->     right to submit it under the open source license indicated in the file; or
+> right to submit it under the open source license indicated in the file; or
 >
 > (b) The contribution is based upon previous work that, to the best of my
->     knowledge, is covered under an appropriate open source license and I have
+> knowledge, is covered under an appropriate open source license and I have
->     the right under that license to submit that work with modifications,
+> the right under that license to submit that work with modifications,
->     whether created in whole or in part by me, under the same open source
+> whether created in whole or in part by me, under the same open source
->     license (unless I am permitted to submit under a different license), as
+> license (unless I am permitted to submit under a different license), as
->     indicated in the file; or
+> indicated in the file; or
 >
 > (c) The contribution was provided directly to me by some other person who
->     certified (a), (b) or (c) and I have not modified it.
+> certified (a), (b) or (c) and I have not modified it.
 >
 > (d) I understand and agree that this project and the contribution are public
->     and that a record of the contribution (including all personal information
+> and that a record of the contribution (including all personal information
->     I submit with it, including my sign-off) is maintained indefinitely and
+> I submit with it, including my sign-off) is maintained indefinitely and
->     may be redistributed consistent with this project or the open source
+> may be redistributed consistent with this project or the open source
->     license(s) involved.
+> license(s) involved.
 ### Signed-off-by
--- a/README.md
+++ b/README.md
@ -5,7 +5,7 @@
 <p align="center">
  <a href="https://www.digitalpublicgoods.net/r/penpot" rel="nofollow">
-    <img alt="Verified DPG" src="https://img.shields.io/badge/Verified-DPG-blue.svg">
+    <img alt="Verified DPG" src="https://img.shields.io/badge/Verified-DPG-3333AB?logo=data:image/svg%2bxml;base64,PHN2ZyB3aWR0aD0iMzEiIGhlaWdodD0iMzMiIHZpZXdCb3g9IjAgMCAzMSAzMyIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZD0iTTE0LjIwMDggMjEuMzY3OEwxMC4xNzM2IDE4LjAxMjRMMTEuNTIxOSAxNi40MDAzTDEzLjk5MjggMTguNDU5TDE5LjYyNjkgMTIuMjExMUwyMS4xOTA5IDEzLjYxNkwxNC4yMDA4IDIxLjM2NzhaTTI0LjYyNDEgOS4zNTEyN0wyNC44MDcxIDMuMDcyOTdMMTguODgxIDUuMTg2NjJMMTUuMzMxNCAtMi4zMzA4MmUtMDVMMTEuNzgyMSA1LjE4NjYyTDUuODU2MDEgMy4wNzI5N0w2LjAzOTA2IDkuMzUxMjdMMCAxMS4xMTc3TDMuODQ1MjEgMTYuMDg5NUwwIDIxLjA2MTJMNi4wMzkwNiAyMi44Mjc3TDUuODU2MDEgMjkuMTA2TDExLjc4MjEgMjYuOTkyM0wxNS4zMzE0IDMyLjE3OUwxOC44ODEgMjYuOTkyM0wyNC44MDcxIDI5LjEwNkwyNC42MjQxIDIyLjgyNzdMMzAuNjYzMSAyMS4wNjEyTDI2LjgxNzYgMTYuMDg5NUwzMC42NjMxIDExLjExNzdMMjQuNjI0MSA5LjM1MTI3WiIgZmlsbD0id2hpdGUiLz4KPC9zdmc+Cg==">
  </a>
  <a href="https://community.penpot.app" rel="nofollow">
    <img alt="Penpot Community" src="https://img.shields.io/discourse/posts?server=https%3A%2F%2Fcommunity.penpot.app">
--- a/SECURITY.md
+++ b/SECURITY.md
@ -5,8 +5,8 @@
 We take the security of this project seriously. If you have discovered
 a security vulnerability, please do **not** open a public issue.
-Please report vulnerabilities via email to: **[support@penpot.app]**
+Please report vulnerabilities through the [GitHub Security Advisories](https://github.com/penpot/penpot/security/advisories
-
+) feature in the Penpot repository.
 ### What to include:
--- a/THANKYOU.md
+++ b/THANKYOU.md
@ -7,6 +7,7 @@ list.
 ## Security
 * Alisher (@7megaumka7)
 * Husnain Iqbal (CEO OF ALPHA INFERNO PVT LTD)
 * [Shiraz Ali Khan](https://www.linkedin.com/in/shiraz-ali-khan-1ba508180/)
 * Vaibhav Shukla
--- a/backend/AGENTS.md
+++ b/backend/AGENTS.md
@ -1,262 +0,0 @@
 # Penpot Backend – Agent Instructions
 Clojure backend (RPC) service running on the JVM.
 Uses Integrant for dependency injection, PostgreSQL for storage, and
 Redis for messaging/caching.
 ## General Guidelines
 To ensure consistency across the Penpot JVM stack, all contributions must adhere
 to these criteria.
 IMPORTANT: all CLI commands should be executed under backend/
 subdirectory for make them work correctly.
 ### 1. Testing & Validation
 * **Coverage:** If code is added or modified in `src/`, corresponding
  tests in `test/backend_tests/` must be added or updated.
 * **Execution:**
  * **Isolated:** Run `clojure -M:dev:test --focus backend-tests.my-ns-test` for the specific test namespace.
  * **Regression:** Run `clojure -M:dev:test` to ensure the suite passes without regressions in related functional areas.
 ### 2. Code Quality & Formatting
 * **Linting:** All code must pass linter checks (run `pnpm run lint:clj` or `pnpm run lint` on the repository root)
 * **Formatting:** All the code must pass the formatting check (run `pnpm run
  check-fmt`). Use `pnpm run fmt` to fix formatting issues. Avoid "dirty"
  diffs caused by unrelated whitespace changes.
 * **Type Hinting:** Use explicit JVM type hints (e.g., `^String`, `^long`) in
  performance-critical paths to avoid reflection overhead.
 ## Code Conventions
 ### Namespace Overview
 The source is located under `src` directory and this is a general overview of
 namespaces structure:
 - `app.rpc.commands.*` – RPC command implementations (`auth`, `files`, `teams`, etc.)
 - `app.http.*` – HTTP routes and middleware
 - `app.db.*` – Database layer
 - `app.tasks.*` – Background job tasks
 - `app.main` – Integrant system setup and entrypoint
 - `app.loggers` – Internal loggers (auditlog, mattermost, etc.) (not to be confused with `app.common.logging`)
 ### RPC
 The RPC methods are implemented using a multimethod-like structure via the
 `app.util.services` namespace. The main RPC methods are collected under
 `app.rpc.commands` namespace and exposed under `/api/rpc/command/<cmd-name>`.
 The RPC method accepts POST and GET requests indistinctly and uses the `Accept`
 header to negotiate the response encoding (which can be Transit — the default —
 or plain JSON). It also accepts Transit (default) or JSON as input, which should
 be indicated using the `Content-Type` header.
 The main convention is: use `get-` prefix on RPC name when we want READ
 operation.
 Example of RPC method definition:
 ```clojure
 (sv/defmethod ::my-command
  {::rpc/auth true            ;; requires auth
   ::doc/added "1.18"
   ::sm/params [:map ...]     ;; malli input schema
   ::sm/result [:map ...]}    ;; malli output schema
  [{:keys [::db/pool] :as cfg} {:keys [::rpc/profile-id] :as params}]
  ;; return a plain map or throw
  {:id (uuid/next)})
 ```
 Look under `src/app/rpc/commands/*.clj` to see more examples.
 ### Tests
 Test namespaces match `.*-test$` under `test/`. Config is in `tests.edn`.
 ### Integrant System
 The `src/app/main.clj` declares the system map. Each key is a component; values
 are config maps with `::ig/ref` for dependencies. Components implement
 `ig/init-key` / `ig/halt-key!`.
 ### Connecting to the Database
 Two PostgreSQL databases are used in this environment:
 | Database      | Purpose            | Connection string                                  |
 |---------------|--------------------|----------------------------------------------------|
 | `penpot`      | Development / app  | `postgresql://penpot:penpot@postgres/penpot`       |
 | `penpot_test` | Test suite         | `postgresql://penpot:penpot@postgres/penpot_test`  |
 **Interactive psql session:**
 ```bash
 # development DB
 psql "postgresql://penpot:penpot@postgres/penpot"
 # test DB
 psql "postgresql://penpot:penpot@postgres/penpot_test"
 ```
 **One-shot query (non-interactive):**
 ```bash
 psql "postgresql://penpot:penpot@postgres/penpot" -c "SELECT id, name FROM team LIMIT 5;"
 ```
 **Useful psql meta-commands:**
 ```
 \dt              -- list all tables
 \d <table>       -- describe a table (columns, types, constraints)
 \di              -- list indexes
 \q               -- quit
 ```
 > **Migrations table:** Applied migrations are tracked in the `migrations` table
 > with columns `module`, `step`, and `created_at`. When renaming a migration
 > logical name, update this table in both databases to match the new name;
 > otherwise the runner will attempt to re-apply the migration on next startup.
 ```bash
 # Example: fix a renamed migration entry in the test DB
 psql "postgresql://penpot:penpot@postgres/penpot_test" \
  -c "UPDATE migrations SET step = 'new-name' WHERE step = 'old-name';"
 ```
 ### Database Access (Clojure)
 `app.db` wraps next.jdbc. Queries use a SQL builder that auto-converts kebab-case ↔ snake_case.
 ```clojure
 ;; Query helpers
 (db/get cfg-or-pool :table {:id id})                    ; fetch one row (throws if missing)
 (db/get* cfg-or-pool :table {:id id})                   ; fetch one row (returns nil)
 (db/query cfg-or-pool :table {:team-id team-id})        ; fetch multiple rows
 (db/insert! cfg-or-pool :table {:name "x" :team-id id}) ; insert
 (db/update! cfg-or-pool :table {:name "y"} {:id id})    ; update
 (db/delete! cfg-or-pool :table {:id id})                ; delete
 ;; Run multiple statements/queries on single connection
 (db/run! cfg (fn [{:keys [::db/conn]}]
               (db/insert! conn :table row1)
               (db/insert! conn :table row2))
 ;; Transactions
 (db/tx-run! cfg (fn [{:keys [::db/conn]}]
                  (db/insert! conn :table row)))
 ```
 Almost all methods in the `app.db` namespace accept `pool`, `conn`, or
 `cfg` as params.
 Migrations live in `src/app/migrations/` as numbered SQL files. They run automatically on startup.
 ### Error Handling
 The exception helpers are defined on Common module, and are available under
 `app.common.exceptions` namespace.
 Example of raising an exception:
 ```clojure
 (ex/raise :type :not-found
          :code :object-not-found
          :hint "File does not exist"
          :file-id id)
 ```
 Common types: `:not-found`, `:validation`, `:authorization`, `:conflict`, `:internal`.
 ### Performance Macros (`app.common.data.macros`)
 Always prefer these macros over their `clojure.core` equivalents — they provide
 optimized implementations:
 ```clojure
 (dm/select-keys m [:a :b])     ;; faster than core/select-keys
 (dm/get-in obj [:a :b :c])     ;; faster than core/get-in
 (dm/str "a" "b" "c")           ;; string concatenation
 ```
 ### Configuration
 `src/app/config.clj` reads `PENPOT_*` environment variables, validated with
 Malli. Access anywhere via `(cf/get :smtp-host)`. Feature flags: `(cf/flags
 :enable-smtp)`.
 ### Background Tasks
 Background tasks live in `src/app/tasks/`. Each task is an Integrant component
 that exposes a `::handler` key and follows this three-method pattern:
 ```clojure
 (defmethod ig/assert-key ::handler   ;; validate config at startup
  [_ params]
  (assert (db/pool? (::db/pool params)) "expected a valid database pool"))
 (defmethod ig/expand-key ::handler   ;; inject defaults before init
  [k v]
  {k (assoc v ::my-option default-value)})
 (defmethod ig/init-key ::handler     ;; return the task fn
  [_ cfg]
  (fn [_task]                        ;; receives the task row from the worker
    (db/tx-run! cfg (fn [{:keys [::db/conn]}]
                      ;; … do work …
                      ))))
 ```
 **Wiring a new task** requires two changes in `src/app/main.clj`:
 1. **Handler config** – add an entry in `system-config` with the dependencies:
 ```clojure
 :app.tasks.my-task/handler
 {::db/pool (ig/ref ::db/pool)}
 ```
 2. **Registry + cron** – register the handler name and schedule it:
 ```clojure
 ;; in ::wrk/registry ::wrk/tasks map:
 :my-task (ig/ref :app.tasks.my-task/handler)
 ;; in worker-config ::wrk/cron ::wrk/entries vector:
 {:cron #penpot/cron "0 0 0 * * ?"   ;; daily at midnight
 :task :my-task}
 ```
 **Useful cron patterns** (Quartz format — six fields: s m h dom mon dow):
 | Expression                   | Meaning            |
 |------------------------------|--------------------|
 | `"0 0 0 * * ?"`              | Daily at midnight  |
 | `"0 0 */6 * * ?"`            | Every 6 hours      |
 | `"0 */5 * * * ?"`            | Every 5 minutes    |
 **Time helpers** (`app.common.time`):
 ```clojure
 (ct/now)                          ;; current instant
 (ct/duration {:hours 1})          ;; java.time.Duration
 (ct/minus (ct/now) some-duration) ;; subtract duration from instant
 ```
 `db/interval` converts a `Duration` (or millis / string) to a PostgreSQL
 interval object suitable for use in SQL queries:
 ```clojure
 (db/interval (ct/duration {:hours 1}))  ;; → PGInterval "3600.0 seconds"
 ```
--- a/backend/deps.edn
+++ b/backend/deps.edn
@ -67,7 +67,8 @@
  ;; Pretty Print specs
  pretty-spec/pretty-spec {:mvn/version "0.1.4"}
-  software.amazon.awssdk/s3 {:mvn/version "2.44.4"}}
+  software.amazon.awssdk/s3 {:mvn/version "2.44.4"}
  software.amazon.awssdk/sts {:mvn/version "2.44.4"}}
 :paths ["src" "resources" "target/classes"]
 :aliases
--- a/backend/resources/app/email/invite-to-org/en.html
+++ b/backend/resources/app/email/invite-to-org/en.html
@ -198,14 +198,14 @@
                        <table role="presentation" cellpadding="0" cellspacing="0" border="0" width="20" height="20" style="display:inline-block;vertical-align:middle;">
                          <tr>
                            <td width="20" height="20" align="center" valign="middle"
-                                background="{{organization-logo}}"
+                                background="{% if organization.logo %}{{organization.logo}}{% else %}{{organization.avatar-bg-url}}{% endif %}"
                                style="width:20px;height:20px;text-align:center;font-weight:bold;font-size:9px;line-height:20px;color:#ffffff;background-size:cover;background-position:center;background-repeat:no-repeat;border-radius: 50%;color:black">
-                              {% if organization-initials %}{{organization-initials}}{% endif %}
+                              {% if organization.initials %}{{organization.initials}}{% endif %}
                            </td>
                          </tr>
                        </table>
                        <span style="display:inline-block; vertical-align: middle;padding-left:5px;height:20px;line-height: 20px;">
-                        “{{ organization-name|abbreviate:25 }}”
+                        {{ organization.name|abbreviate:50 }}
                        </span>
                      </div>
                    </td>
--- a/backend/resources/app/email/invite-to-org/en.subj
+++ b/backend/resources/app/email/invite-to-org/en.subj
@ -1 +1 @@
-{{invited-by|abbreviate:25}} has invited you to join the organization “{{ organization-name|abbreviate:25 }}”
+{{invited-by|abbreviate:25}} has invited you to join the organization “{{ organization.name|abbreviate:25 }}”
--- a/backend/resources/app/email/invite-to-org/en.txt
+++ b/backend/resources/app/email/invite-to-org/en.txt
@ -1,6 +1,6 @@
 Hello!
-{{invited-by|abbreviate:25}} has invited you to join the organization “{{ organization-name|abbreviate:25 }}”.
+{{invited-by|abbreviate:25}} has invited you to join the organization “{{ organization.name|abbreviate:25 }}”.
 Accept invitation using this link:
--- a/backend/resources/app/email/renewal-notice/en.html
+++ b/backend/resources/app/email/renewal-notice/en.html
@ -0,0 +1,270 @@
 <!doctype html>
 <html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com:vml"
  xmlns:o="urn:schemas-microsoft-com:office:office">
 <head>
  <title>
  </title>
  <!--[if !mso]><!-- -->
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <!--<![endif]-->
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <style type="text/css">
    #outlook a {
      padding: 0;
    }
    body {
      margin: 0;
      padding: 0;
      -webkit-text-size-adjust: 100%;
      -ms-text-size-adjust: 100%;
    }
    table,
    td {
      border-collapse: collapse;
      mso-table-lspace: 0pt;
      mso-table-rspace: 0pt;
    }
    img {
      border: 0;
      height: auto;
      line-height: 100%;
      outline: none;
      text-decoration: none;
      -ms-interpolation-mode: bicubic;
    }
    p {
      display: block;
      margin: 13px 0;
    }
  </style>
  <!--[if mso]>
        <xml>
        <o:OfficeDocumentSettings>
          <o:AllowPNG/>
          <o:PixelsPerInch>96</o:PixelsPerInch>
        </o:OfficeDocumentSettings>
        </xml>
        <![endif]-->
  <!--[if lte mso 11]>
        <style type="text/css">
          .mj-outlook-group-fix { width:100% !important; }
        </style>
        <![endif]-->
  <!--[if !mso]><!-->
  <link href="https://fonts.googleapis.com/css?family=Source%20Sans%20Pro" rel="stylesheet" type="text/css">
  <style type="text/css">
    @import url(https://fonts.googleapis.com/css?family=Source%20Sans%20Pro);
  </style>
  <!--<![endif]-->
  <style type="text/css">
    @media only screen and (min-width:480px) {
      .mj-column-per-100 {
        width: 100% !important;
        max-width: 100%;
      }
      .mj-column-px-425 {
        width: 425px !important;
        max-width: 425px;
      }
    }
  </style>
  <style type="text/css">
    @media only screen and (max-width:480px) {
      table.mj-full-width-mobile {
        width: 100% !important;
      }
      td.mj-full-width-mobile {
        width: auto !important;
      }
    }
  </style>
 </head>
 <body style="background-color:#E5E5E5;">
  <div style="background-color:#E5E5E5;">
    <!--[if mso | IE]>
      <table
         align="center" border="0" cellpadding="0" cellspacing="0" class="" style="width:600px;" width="600"
      >
        <tr>
          <td style="line-height:0px;font-size:0px;mso-line-height-rule:exactly;">
      <![endif]-->
    <div style="margin:0px auto;max-width:600px;">
      <table align="center" border="0" cellpadding="0" cellspacing="0" role="presentation" style="width:100%;">
        <tbody>
          <tr>
            <td style="direction:ltr;font-size:0px;padding:0;text-align:center;">
              <!--[if mso | IE]>
                  <table role="presentation" border="0" cellpadding="0" cellspacing="0">
        <tr>
            <td
               class="" style="vertical-align:top;width:600px;"
            >
          <![endif]-->
              <div class="mj-column-per-100 mj-outlook-group-fix"
                style="font-size:0px;text-align:left;direction:ltr;display:inline-block;vertical-align:top;width:100%;">
                <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="vertical-align:top;"
                  width="100%">
                  <tr>
                    <td align="left" style="font-size:0px;padding:16px;word-break:break-word;">
                      <table border="0" cellpadding="0" cellspacing="0" role="presentation"
                        style="border-collapse:collapse;border-spacing:0px;">
                        <tbody>
                          <tr>
                            <td style="width:97px;">
                              <img height="32" src="{{ public-uri }}/images/email/uxbox-title.png"
                                style="border:0;display:block;outline:none;text-decoration:none;height:32px;width:100%;font-size:13px;"
                                width="97" />
                            </td>
                          </tr>
                        </tbody>
                      </table>
                    </td>
                  </tr>
                </table>
              </div>
              <!--[if mso | IE]>
            </td>
        </tr>
                  </table>
                <![endif]-->
            </td>
          </tr>
        </tbody>
      </table>
    </div>
    <!--[if mso | IE]>
          </td>
        </tr>
      </table>
      <table
         align="center" border="0" cellpadding="0" cellspacing="0" class="" style="width:600px;" width="600"
      >
        <tr>
          <td style="line-height:0px;font-size:0px;mso-line-height-rule:exactly;">
      <![endif]-->
    <div style="background:#FFFFFF;background-color:#FFFFFF;margin:0px auto;max-width:600px;">
      <table align="center" border="0" cellpadding="0" cellspacing="0" role="presentation"
        style="background:#FFFFFF;background-color:#FFFFFF;width:100%;">
        <tbody>
          <tr>
            <td style="direction:ltr;font-size:0px;padding:20px 0;text-align:center;">
              <!--[if mso | IE]>
                  <table role="presentation" border="0" cellpadding="0" cellspacing="0">
        <tr>
            <td
               class="" style="vertical-align:top;width:600px;"
            >
          <![endif]-->
              <div class="mj-column-per-100 mj-outlook-group-fix"
                style="font-size:0px;text-align:left;direction:ltr;display:inline-block;vertical-align:top;width:100%;">
                <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="vertical-align:top;"
                  width="100%">
                  <tr>
                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
                      <div
                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
                        Hi{% if user-name %} {{ user-name|abbreviate:25 }}{% endif %},
                      </div>
                    </td>
                  </tr>
                  <tr>
                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
                      <div
                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
                        Your Enterprise subscription is coming up for renewal. Here's a summary of what's included.
                      </div>
                      <div style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;margin-top:20px">
                        <b>Renewal date:</b> {{ renewal-date }}
                      </div>
                      <div style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;margin-top:10px">
                        <b>Estimated amount:</b> {{ estimated-amount }}
                      </div>
                      <div style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;margin:10px 0">
                        <b>Organizations covered:</b> {% if organizations|empty? %}No organizations yet.{% endif %}
                      </div>
                      {% for org in organizations %}
                      <div
                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;margin-bottom:5px">
                        <table role="presentation" cellpadding="0" cellspacing="0" border="0" width="20" height="20" style="display:inline-block;vertical-align:middle;">
                          <tr>
                            <td width="20" height="20" align="center" valign="middle"
                                background="{% if org.logo %}{{org.logo}}{% else %}{{org.avatar-bg-url}}{% endif %}"
                                style="width:20px;height:20px;text-align:center;font-weight:bold;font-size:9px;line-height:20px;color:#ffffff;background-size:cover;background-position:center;background-repeat:no-repeat;border-radius: 50%;color:black">
                              {% if org.initials %}{{org.initials}}{% endif %}
                            </td>
                          </tr>
                        </table>
                        <span style="display:inline-block; vertical-align: middle;padding-left:5px;height:20px;line-height: 20px;">
                        {{ org.name|abbreviate:50 }}
                        </span>
                      </div>
                      {% endfor %}
                    </td>
                  </tr>
                  <tr>
                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
                      <div
                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
                        This amount is based on current member counts across your organizations. You can adjust members from the <a href="{{ public-uri }}/admin-console/" target="_blank">Admin Console</a>.</div>
                    </td>
                  </tr>
                  <tr>
                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
                      <div
                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
                        Check our <a href="https://penpot.app/terms" target="_blank">Terms and Conditions</a> and <a href="https://penpot.app/privacy" target="_blank">Privacy Policy.</a></div>
                    </td>
                  </tr>
                  <tr>
                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
                      <div
                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
                        Enjoy!</div>
                    </td>
                  </tr>
                  <tr>
                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
                      <div
                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
                        The Penpot team.</div>
                    </td>
                  </tr>
                </table>
              </div>
              <!--[if mso | IE]>
            </td>
        </tr>
                  </table>
                <![endif]-->
            </td>
          </tr>
        </tbody>
      </table>
    </div>
    {% include "app/email/includes/footer.html" %}
  </div>
 </body>
 </html>
--- a/backend/resources/app/email/renewal-notice/en.subj
+++ b/backend/resources/app/email/renewal-notice/en.subj
@ -0,0 +1 @@
 Your Enterprise subscription renews on {{ renewal-date }}
--- a/backend/resources/app/email/renewal-notice/en.txt
+++ b/backend/resources/app/email/renewal-notice/en.txt
@ -0,0 +1,17 @@
 Hi {% if user-name %}{{ user-name }}{% endif %},
 Your Enterprise subscription is coming up for renewal. Here's a summary of what's included.
 Renewal date: {{ renewal-date }}
 Estimated amount: {{ estimated-amount }}
 Organizations covered: {% if organizations|empty? %}No organizations yet.{% endif %}
 {% for org in organizations %}
 - {{ org.name }}
 {% endfor %}
 This amount is based on current member counts across your organizations. You can adjust members from the Admin Console.
 Check our Terms and Conditions and Privacy Policy.
 Enjoy!
 The Penpot team.
--- a/backend/src/app/auth/oidc.clj
+++ b/backend/src/app/auth/oidc.clj
@ -27,6 +27,7 @@
   [app.rpc.commands.profile :as profile]
   [app.setup :as-alias setup]
   [app.tokens :as tokens]
   [app.util.cache :as cache]
   [app.util.inet :as inet]
   [app.util.json :as json]
   [buddy.sign.jwk :as jwk]
@ -694,15 +695,24 @@
    (db/pgarray? roles)
    (assoc :roles (db/decode-pgarray roles #{}))))
-;; TODO: add cache layer for avoid build an discover each time
+;; A short TTL avoids paying the OIDC discovery + JWKS fetch on every
 ;; login; Caffeine will not store the entry when the load fn throws,
 ;; so a transient failure at the provider's discovery endpoint does
 ;; not poison the cache.
 (defonce ^:private provider-cache
  (cache/create :expire "10m" :max-size 64))
 (defn- load-provider
  [cfg id]
  (when-let [params (some->> (db/get* cfg :sso-provider {:id id :is-enabled true})
                             (decode-row))]
    (case (:type params)
      "oidc" (prepare-oidc-provider cfg params))))
 (defn get-provider
  [cfg id]
  (try
-    (when-let [params (some->> (db/get* cfg :sso-provider {:id id :is-enabled true})
+    (cache/get provider-cache id (partial load-provider cfg))
                               (decode-row))]
      (case (:type params)
        "oidc" (prepare-oidc-provider cfg params)))
    (catch Throwable cause
      (l/err :hint "unable to configure custom SSO provider"
             :provider (str id)
--- a/backend/src/app/binfile/common.clj
+++ b/backend/src/app/binfile/common.clj
@ -315,8 +315,8 @@
 (defn get-file
  "Get file, resolve all features and apply migrations.
-  Usefull when you have plan to apply massive or not cirurgical
+  Useful when you have plan to apply massive or not surgical
-  operations on file, because it removes the ovehead of lazy fetching
+  operations on file, because it removes the overhead of lazy fetching
  and decoding."
  [cfg file-id & {:as opts}]
  (db/run! cfg get-file* file-id opts))
@ -843,7 +843,12 @@
 		   l.vern,
 		   l.is_shared,
 		   l.version,
-		   fls.synced_at
+		   fls.synced_at,
 		   NOT EXISTS (
 		     SELECT 1 FROM file_library_rel AS direct
 		      WHERE direct.file_id = ?::uuid
 		        AND direct.library_file_id = l.id
 		   ) AS is_indirect
 	FROM libs AS l
 	JOIN project AS p
 	  ON p.id = l.project_id
@ -855,12 +860,8 @@
 (defn get-file-libraries
  [conn file-id]
  (into []
-        (comp
+        (map decode-row-features)
-         ;; FIXME: :is-indirect set to false to all rows looks
+        (db/exec! conn [sql:get-file-libraries file-id file-id file-id])))
         ;; completly useless
         (map #(assoc % :is-indirect false))
         (map decode-row-features))
        (db/exec! conn [sql:get-file-libraries file-id file-id])))
 (defn get-resolved-file-libraries
  "Get all file libraries including itself. Returns an instance of
--- a/backend/src/app/config.clj
+++ b/backend/src/app/config.clj
@ -109,6 +109,11 @@
    [:http-server-io-threads {:optional true} ::sm/int]
    [:http-server-max-worker-threads {:optional true} ::sm/int]
    ;; Explicit CORS allowlist used when the :cors flag is enabled.
    ;; Configured via PENPOT_ALLOWED_ORIGINS as a comma/whitespace
    ;; separated list of origins (e.g. "https://plugins.example.com").
    [:allowed-origins {:optional true} [::sm/set :string]]
    [:exporter-shared-key {:optional true} :string]
    [:nitrate-shared-key {:optional true} :string]
    [:nexus-shared-key {:optional true} :string]
@ -295,7 +300,7 @@
  (sm/explainer schema:config))
 (defn read-config
-  "Reads the configuration from enviroment variables and decodes all
+  "Reads the configuration from environment variables and decodes all
  known values."
  [& {:keys [prefix default] :or {prefix "penpot"}}]
  (->> (read-env prefix)
--- a/backend/src/app/email.clj
+++ b/backend/src/app/email.clj
@ -431,14 +431,19 @@
   :id ::invite-to-team
   :schema schema:invite-to-team))
 (def ^:private schema:organization-data
  [:map
   [:name ::sm/text]
   [:initials [:maybe :string]]
   [:logo [:maybe ::sm/uri]]
   [:avatar-bg-url [:maybe ::sm/uri]]])
 (def ^:private schema:invite-to-org
  [:map
   [:invited-by ::sm/text]
   [:organization-name ::sm/text]
   [:organization-initials [:maybe :string]]
   [:organization-logo ::sm/uri]
   [:user-name [:maybe ::sm/text]]
-   [:token ::sm/text]])
+   [:token ::sm/text]
   [:organization schema:organization-data]])
 (def invite-to-org
  "Org member invitation email."
@ -446,6 +451,21 @@
   :id ::invite-to-org
   :schema schema:invite-to-org))
 (def ^:private schema:renewal-notice
  [:map
   [:user-name [:maybe ::sm/text]]
   [:renewal-date ::sm/text]
   [:estimated-amount ::sm/text]
   [:organizations [:vector schema:organization-data]]])
 (def renewal-notice
  "Enterprise subscription renewal notice email."
  (template-factory
   :id ::renewal-notice
   :schema schema:renewal-notice))
 (def ^:private schema:join-team
  [:map
   [:invited-by ::sm/text]
--- a/backend/src/app/features/logical_deletion.clj
+++ b/backend/src/app/features/logical_deletion.clj
@ -22,7 +22,8 @@
      (and (= "unlimited" type) (not (contains? canceled-status status)))
      (ct/duration {:days 30})
-      (and (= "enterprise" type) (not (contains? canceled-status status)))
+      (and (contains? #{"enterprise" "nitrate"} type)
           (not (contains? canceled-status status)))
      (ct/duration {:days 90})
      :else
--- a/backend/src/app/http/errors.clj
+++ b/backend/src/app/http/errors.clj
@ -144,6 +144,15 @@
  {::yres/status 404
   ::yres/body (ex-data err)})
 (defmethod handle-error :nitrate-unavailable
  [err request _]
  (binding [l/*context* (request->context request)]
    (l/warn :hint "nitrate is unreachable; blocking request" :cause err)
    ;; Do not leak Nitrate's internal URL/status to the client; the
    ;; full context is already logged above for operators.
    {::yres/status 503
     ::yres/body {:type :nitrate-unavailable}}))
 (defmethod handle-error :internal
  [error request parent-cause]
  (binding [l/*context* (request->context request)]
--- a/backend/src/app/http/middleware.clj
+++ b/backend/src/app/http/middleware.clj
@ -208,28 +208,40 @@
   :compile (constantly wrap-errors)})
 (defn- with-cors-headers
-  [headers origin]
+  "Build CORS response headers. Only emits permissive headers when the
-  (-> headers
+  request `origin` is present on the configured `allowed` allowlist;
-      (assoc "access-control-allow-origin" origin)
+  otherwise returns the headers unchanged except for `Vary: Origin` so
-      (assoc "access-control-allow-methods" "GET,POST,DELETE,OPTIONS,PUT,HEAD,PATCH")
+  shared caches don't leak per-origin responses."
-      (assoc "access-control-allow-credentials" "true")
+  [headers origin allowed]
-      (assoc "access-control-expose-headers" "content-type, set-cookie")
+  (cond-> (assoc headers "vary" "Origin")
-      (assoc "access-control-allow-headers" "x-frontend-version, x-client, x-requested-width, content-type, accept, cookie")))
+    (and (some? origin) (contains? allowed origin))
    (-> (assoc "access-control-allow-origin" origin)
        (assoc "access-control-allow-credentials" "true")
        (assoc "access-control-allow-methods" "GET,POST,DELETE,OPTIONS,PUT,HEAD,PATCH")
        (assoc "access-control-expose-headers" "content-type")
        (assoc "access-control-allow-headers" "x-frontend-version, x-client, content-type, accept"))))
 (defn wrap-cors
-  [handler]
+  [handler allowed]
  (fn [request]
    (let [response (if (= (yreq/method request) :options)
                     {::yres/status 204}
                     (handler request))
          origin   (yreq/get-header request "origin")]
-      (update response ::yres/headers with-cors-headers origin))))
+      (update response ::yres/headers with-cors-headers origin allowed))))
 (def cors
  {:name ::cors
   :compile (fn [& _]
              (when (contains? cf/flags :cors)
-                wrap-cors))})
+                (let [allowed (not-empty (cf/get :allowed-origins))]
                  (if allowed
                    (fn [handler] (wrap-cors handler allowed))
                    (do
                      (l/wrn :hint (str "cors flag is enabled but :allowed-origins is empty; "
                                        "CORS middleware disabled (fail-closed). "
                                        "Configure PENPOT_ALLOWED_ORIGINS with a comma-separated list of trusted origins."))
                      nil)))))})
 (def restrict-methods
  {:name ::restrict-methods
--- a/backend/src/app/http/sse.clj
+++ b/backend/src/app/http/sse.clj
@ -21,7 +21,7 @@
 (defn- write!
  [^OutputStream output ^bytes data]
-  (l/trc :hint "writting data" :data data :length (alength data))
+  (l/trc :hint "writing data" :data data :length (alength data))
  (.write output data)
  (.flush output))
--- a/backend/src/app/nitrate.clj
+++ b/backend/src/app/nitrate.clj
@ -7,6 +7,7 @@
 (ns app.nitrate
  "Module that make calls to the external nitrate aplication"
  (:require
   [app.common.data.macros :as dm]
   [app.common.exceptions :as ex]
   [app.common.json :as json]
   [app.common.logging :as l]
@ -28,14 +29,16 @@
 (defn- request-builder
  [cfg method uri shared-key profile-id request-params]
  (fn []
-    (http/req cfg (cond-> {:method method
+    (http/req cfg
-                           :headers {"content-type" "application/json"
+              (cond-> {:method method
-                                     "accept" "application/json"
+                       :headers {"content-type" "application/json"
-                                     "x-shared-key" shared-key
+                                 "accept" "application/json"
-                                     "x-profile-id" (str profile-id)}
+                                 "x-shared-key" shared-key
-                           :uri uri
+                                 "x-profile-id" (str profile-id)}
-                           :version :http1.1}
+                       :uri uri
-                    (= method :post) (assoc :body (json/encode request-params :key-fn json/write-camel-key))))))
+                       :version :http1.1}
                (= method :post) (assoc :body (json/encode request-params :key-fn json/write-camel-key)))
              {:skip-ssrf-check? true})))
 (defn- with-retries
  [handler max-retries]
@ -59,14 +62,29 @@
  (fn []
    (let [response (handler)
          status (:status response)]
      (when-not status
        (l/error :hint "could't do the nitrate request, it is probably down"
                 :uri uri)
        ;; TODO decide what to do when Nitrate is inaccesible
        nil)
      (cond
        (nil? status)
        (do
          (l/error :hint "couldn't do the nitrate request, it is probably down"
                   :uri uri)
          (ex/raise :type :nitrate-unavailable
                    :hint (str "nitrate is unreachable at " uri)))
        (>= status 500)
        ;; Nitrate is up enough to answer (or the proxy is) but the
        ;; service itself is failing; treat as unavailable so callers
        ;; surface the static error page.
        (do
          (l/error :hint "nitrate request failed with server error status"
                   :uri uri
                   :status status
                   :body (:body response))
          (ex/raise :type :nitrate-unavailable
                    :status status
                    :hint (str "nitrate is unavailable, HTTP " status " at " uri)))
        (>= status 400)
-        ;; For error status codes (4xx, 5xx), fail immediately without validation
+        ;; For client error status codes (4xx), fail immediately without validation
        (do
          (when (not= status 404) ;; Don't need to log 404
            (l/error :hint "nitrate request failed with error status"
@ -171,6 +189,7 @@
                     "day"
                     "week"
                     "year"]]
   [:manual :boolean]
   [:quantity :int]
   [:description [:maybe ::sm/text]]
   [:created-at schema:timestamp]
@ -256,6 +275,42 @@
                        [:vector schema:org-summary]
                        params)))
 (def ^:private schema:org-summary-counts
  [:map
   [:id ::sm/uuid]
   [:name ::sm/text]
   [:slug ::sm/text]
   [:team-count ::sm/int]
   [:member-count ::sm/int]
   [:avatar-bg-url {:optional true} [:maybe ::sm/uri]]
   [:logo-id {:optional true} [:maybe ::sm/uuid]]])
 (defn- get-owned-orgs-summary-api
  [cfg {:keys [profile-id] :as params}]
  (let [baseuri (cf/get :nitrate-backend-uri)
        orgs    (request-to-nitrate cfg :get
                                    (str baseuri
                                         "/api/users/"
                                         profile-id
                                         "/owned-organizations-summary")
                                    [:vector schema:org-summary-counts]
                                    params)]
    (mapv (fn [org]
            (if-let [logo-id (:logo-id org)]
              (assoc org :custom-photo (str (cf/get :public-uri) "/assets/by-id/" logo-id))
              org))
          orgs)))
 (defn- delete-owned-orgs-api
  [cfg {:keys [profile-id] :as params}]
  (let [baseuri (cf/get :nitrate-backend-uri)]
    (request-to-nitrate cfg :post
                        (str baseuri
                             "/api/users/"
                             profile-id
                             "/delete-owned-organizations")
                        nil params)))
 (defn- set-team-org-api
  [cfg {:keys [organization-id team-id is-default] :as params}]
  (let [baseuri (cf/get :nitrate-backend-uri)
@ -267,7 +322,7 @@
                                      organization-id
                                      "/add-team")
                                 cto/schema:team-with-organization params)
-        custom-photo (when-let [logo-id (get-in team [:organization :logo-id])]
+        custom-photo (when-let [logo-id (dm/get-in team [:organization :logo-id])]
                       (str (cf/get :public-uri) "/assets/by-id/" logo-id))]
    (cond-> team
      custom-photo
@ -336,6 +391,24 @@
                             profile-id)
                        schema:subscription params)))
 (def ^:private schema:subscription-warning
  [:maybe
   [:map {:title "SubscriptionWarning"}
    [:type {:optional true} ::sm/text]
    [:days-from-expiry {:optional true} ::sm/int]
    [:days-until-expiry {:optional true} ::sm/int]
    [:expiration-date {:optional true} schema:timestamp]]])
 (defn- get-subscription-warning-api
  [cfg {:keys [penpot-id profile-id] :as params}]
  (let [baseuri   (cf/get :nitrate-backend-uri)
        penpot-id (or penpot-id profile-id)]
    (request-to-nitrate cfg :get
                        (str baseuri
                             "/api/subscription-warning/"
                             penpot-id)
                        schema:subscription-warning params)))
 (defn- get-connectivity-api
  [cfg params]
  (let [baseuri (cf/get :nitrate-backend-uri)]
@ -348,6 +421,31 @@
  [:map
   [:cancel-at [:maybe schema:timestamp]]])
 (defn- get-org-permissions-api
  [cfg {:keys [organization-id] :as params}]
  (let [baseuri (cf/get :nitrate-backend-uri)]
    (request-to-nitrate cfg :get
                        (str baseuri
                             "/api/organizations/"
                             organization-id
                             "/permissions")
                        [:map
                         [:organization-id ::sm/uuid]
                         [:owner-id ::sm/uuid]
                         [:permissions [:map-of :keyword :string]]]
                        params)))
 (defn- get-org-members-api
  [cfg {:keys [organization-id] :as params}]
  (let [baseuri (cf/get :nitrate-backend-uri)]
    (request-to-nitrate cfg :get
                        (str baseuri
                             "/api/organizations/"
                             organization-id
                             "/members-list")
                        [:vector ::sm/uuid]
                        params)))
 (defn- redeem-activation-code-api
  [cfg params]
  (let [baseuri (cf/get :nitrate-backend-uri)]
@ -369,12 +467,17 @@
     :get-org-membership-by-team   (partial get-org-membership-by-team-api cfg)
     :get-org-summary              (partial get-org-summary-api cfg)
     :get-owned-orgs               (partial get-owned-orgs-api cfg)
     :get-owned-orgs-summary       (partial get-owned-orgs-summary-api cfg)
     :get-org-members              (partial get-org-members-api cfg)
     :delete-owned-orgs            (partial delete-owned-orgs-api cfg)
     :add-profile-to-org           (partial add-profile-to-org-api cfg)
     :remove-profile-from-org      (partial remove-profile-from-org-api cfg)
     :remove-profile-from-all-orgs (partial remove-profile-from-all-orgs-api cfg)
     :get-org-permissions          (partial get-org-permissions-api cfg)
     :delete-team                  (partial delete-team-api cfg)
     :remove-team-from-org         (partial remove-team-from-org-api cfg)
     :get-subscription             (partial get-subscription-api cfg)
     :get-subscription-warning     (partial get-subscription-warning-api cfg)
     :connectivity                 (partial get-connectivity-api cfg)
     :redeem-activation-code       (partial redeem-activation-code-api cfg)}))
@ -386,21 +489,27 @@
 (defn add-nitrate-licence-to-profile
  "Enriches a profile map with subscription information from Nitrate.
  Adds a :subscription field containing the user's license details.
-  Returns the original profile unchanged if the request fails."
+  Returns the original profile unchanged if the request fails for a reason
  other than Nitrate being unreachable. When Nitrate is unreachable the
  `:nitrate-unavailable` exception propagates so the request is rejected."
  [cfg profile]
  (try
    (let [subscription (call cfg :get-subscription {:profile-id (:id profile)})]
      (assoc profile :subscription subscription))
    (catch Throwable cause
-      (l/error :hint "failed to get nitrate licence"
+      (if (= :nitrate-unavailable (-> cause ex-data :type))
-               :profile-id (:id profile)
+        (throw cause)
-               :cause cause)
+        (do
-      profile)))
+          (l/error :hint "failed to get nitrate licence"
                   :profile-id (:id profile)
                   :cause cause)
          profile)))))
 (defn add-org-info-to-team
  "Enriches a team map with organization information from Nitrate.
  Adds organization-id, organization-name, organization-slug, organization-owner-id, and your-penpot fields.
-  Returns the original team unchanged if the request fails or org data is nil."
+  Returns the original team unchanged if the request fails or org data is nil.
  Propagates `:nitrate-unavailable` so the request is rejected when Nitrate is unreachable."
  [cfg team params]
  (try
    (let [params        (assoc (or params {}) :team-id (:id team))
@ -413,10 +522,13 @@
            (assoc :is-default (or (:is-default team) (true? (:is-your-penpot team-with-org)))))
        team))
    (catch Throwable cause
-      (l/error :hint "failed to get team organization info"
+      (if (= :nitrate-unavailable (-> cause ex-data :type))
-               :team-id (:id team)
+        (throw cause)
-               :cause cause)
+        (do
-      team)))
+          (l/error :hint "failed to get team organization info"
                   :team-id (:id team)
                   :cause cause)
          team)))))
 (defn set-team-organization
  "Associates a team with an organization in Nitrate.
@ -434,7 +546,3 @@
                :context {:team-id (:id team)
                          :organization-id (:organization-id params)}))
    team))
--- a/backend/src/app/rpc/commands/files_create.clj
+++ b/backend/src/app/rpc/commands/files_create.clj
@ -112,22 +112,30 @@
                        ::quotes/profile-id profile-id
                        ::quotes/project-id project-id})
-    ;; FIXME: IMPORTANT: this code can have race conditions, because
+    ;; Acquire a row-level lock on the team and re-read its features
-    ;; we have no locks for updating team so, creating two files
+    ;; inside the same transaction before the read-modify-write below.
-    ;; concurrently can lead to lost team features updating
+    ;; Without the lock, two concurrent create-file calls on the same
-    (when-let [features (-> features
+    ;; team can both observe the same team.features value, each
-                            (set/difference (:features team))
+    ;; compute a different union, and the second UPDATE silently
-                            (set/difference cfeat/no-team-inheritable-features)
+    ;; overwrites the first (lost update under READ COMMITTED).
-                            (not-empty))]
+    (let [team-features (-> (db/exec-one! conn
-      (let [features (-> features
+                                          ["SELECT features FROM team WHERE id = ? FOR UPDATE"
-                         (set/union (:features team))
+                                           team-id])
-                         (set/difference cfeat/no-team-inheritable-features)
+                            :features
-                         (into-array))]
+                            (db/decode-pgarray #{}))]
      (when-let [new-features (-> features
                                  (set/difference team-features)
                                  (set/difference cfeat/no-team-inheritable-features)
                                  (not-empty))]
        (let [features (-> new-features
                           (set/union team-features)
                           (set/difference cfeat/no-team-inheritable-features)
                           (into-array))]
-        (db/update! conn :team
+          (db/update! conn :team
-                    {:features features}
+                      {:features features}
-                    {:id (:id team)}
+                      {:id team-id}
-                    {::db/return-keys false})))
+                      {::db/return-keys false}))))
    (-> (create-file cfg params)
        (vary-meta assoc ::audit/props {:team-id team-id}))))
--- a/backend/src/app/rpc/commands/files_thumbnails.clj
+++ b/backend/src/app/rpc/commands/files_thumbnails.clj
@ -409,10 +409,7 @@
  [cfg {:keys [::rpc/profile-id file-id] :as params}]
  (db/tx-run! cfg (fn [{:keys [::db/conn] :as cfg}]
-                    ;; TODO For now we check read permissions instead of write,
+                    (files/check-edition-permissions! conn profile-id file-id)
                    ;; to allow viewer users to update thumbnails. We might
                    ;; review this approach on the future.
                    (files/check-read-permissions! conn profile-id file-id)
                    (when-not (db/read-only? conn)
                      (let [media (create-file-thumbnail cfg params)]
                        {:uri (files/resolve-public-uri (:id media))
--- a/backend/src/app/rpc/commands/fonts.clj
+++ b/backend/src/app/rpc/commands/fonts.clj
@ -109,9 +109,6 @@
    (fn [{:keys [data uploads]}]
      (or (seq data) (seq uploads)))]])
 ;; FIXME: IMPORTANT: refactor this, we should not hold a whole db
 ;; connection around the font creation
 (defn- prepare-font-data-from-uploads
  "Assembles each chunked-upload session in `uploads` (a `{mtype →
  session-id}` map) into a temp file, validates the media type and
@ -171,20 +168,18 @@
                [:process-font/global]]
   ::webhooks/event? true
   ::sm/params schema:create-font-variant}
-  [cfg {:keys [::rpc/profile-id team-id uploads] :as params}]
+  [{:keys [::db/pool] :as cfg} {:keys [::rpc/profile-id team-id uploads] :as params}]
-  (db/tx-run! cfg
+  (teams/check-edition-permissions! pool profile-id team-id)
-              (fn [{:keys [::db/conn] :as cfg}]
+  (quotes/check! cfg {::quotes/id ::quotes/font-variants-per-team
-                (teams/check-edition-permissions! conn profile-id team-id)
+                      ::quotes/profile-id profile-id
-                (quotes/check! cfg {::quotes/id ::quotes/font-variants-per-team
+                      ::quotes/team-id team-id})
-                                    ::quotes/profile-id profile-id
+  (let [params (if (some? uploads)
-                                    ::quotes/team-id team-id})
+                 (db/tx-run! cfg prepare-font-data-from-uploads params)
-                (let [params (if (some? uploads)
+                 (prepare-font-data-from-legacy params))]
-                               (prepare-font-data-from-uploads cfg params)
+    (create-font-variant cfg (assoc params :profile-id profile-id))))
                               (prepare-font-data-from-legacy params))]
                  (create-font-variant cfg (assoc params :profile-id profile-id))))))
 (defn create-font-variant
-  [{:keys [::sto/storage ::db/conn]} {:keys [data] :as params}]
+  [{:keys [::sto/storage] :as cfg} {:keys [data] :as params}]
  (letfn [(generate-missing [data]
            (let [data (media/run {:cmd :generate-fonts :input data})]
              (when (and (not (contains? data "font/otf"))
@ -209,22 +204,15 @@
                 :bucket "team-font-variant"})))
          (persist-fonts-files! [data]
-            (let [otf-params (prepare-font data "font/otf")
+            (into {} (keep (fn [[kind mtype]]
-                  ttf-params (prepare-font data "font/ttf")
+                             (when-let [params (prepare-font data mtype)]
-                  wf1-params (prepare-font data "font/woff")
+                               [kind (sto/put-object! storage params)])))
-                  wf2-params (prepare-font data "font/woff2")]
+                  [[:otf "font/otf"]
                   [:ttf "font/ttf"]
                   [:woff1 "font/woff"]
                   [:woff2 "font/woff2"]]))
-              (cond-> {}
+          (insert-font-variant! [conn {:keys [woff1 woff2 otf ttf]}]
                (some? otf-params)
                (assoc :otf (sto/put-object! storage otf-params))
                (some? ttf-params)
                (assoc :ttf (sto/put-object! storage ttf-params))
                (some? wf1-params)
                (assoc :woff1 (sto/put-object! storage wf1-params))
                (some? wf2-params)
                (assoc :woff2 (sto/put-object! storage wf2-params)))))
          (insert-font-variant! [{:keys [woff1 woff2 otf ttf]}]
            (db/insert! conn :team-font-variant
                        {:id (uuid/next)
                         :team-id (:team-id params)
@ -238,14 +226,14 @@
                         :otf-file-id (:id otf)
                         :ttf-file-id (:id ttf)}))]
-    (let [tpoint      (ct/tpoint)
+    (let [tpoint     (ct/tpoint)
-          mtypes      (vec (keys data))
+          mtypes     (vec (keys data))
-          total-size  (reduce-kv (fn [acc _ content]
+          total-size (reduce-kv (fn [acc _ content]
-                                   (+ acc (if (bytes? content)
+                                  (+ acc (if (bytes? content)
-                                            (alength ^bytes content)
+                                           (alength ^bytes content)
-                                            (fs/size content))))
+                                           (fs/size content))))
-                                 0
+                                0
-                                 data)]
+                                data)]
      (l/dbg :hint "create-font-variant"
             :step "init"
@ -257,7 +245,7 @@
      (let [data    (generate-missing data)
            assets  (persist-fonts-files! data)
-            result  (insert-font-variant! assets)
+            result  (db/tx-run! cfg #(insert-font-variant! (::db/conn %) assets))
            elapsed (tpoint)]
        (l/dbg :hint "create-font-variant"
--- a/backend/src/app/rpc/commands/nitrate.clj
+++ b/backend/src/app/rpc/commands/nitrate.clj
@ -12,6 +12,8 @@
   [app.common.exceptions :as ex]
   [app.common.schema :as sm]
   [app.common.time :as ct]
   [app.common.types.nitrate-permissions :as nitrate-perms]
   [app.config :as cf]
   [app.db :as db]
   [app.nitrate :as nitrate]
   [app.rpc :as-alias rpc]
@ -57,6 +59,22 @@
  [cfg _params]
  (nitrate/call cfg :connectivity {}))
 (def ^:private schema:subscription-warning
  [:maybe
   [:map {:title "SubscriptionWarning"}
    [:type {:optional true} ::sm/text]
    [:days-from-expiry {:optional true} ::sm/int]
    [:days-until-expiry {:optional true} ::sm/int]
    [:expiration-date {:optional true} ct/schema:inst]]])
 (sv/defmethod ::get-subscription-warning
  {::rpc/auth true
   ::doc/added "2.14"
   ::sm/params [:map]
   ::sm/result schema:subscription-warning}
  [cfg {:keys [::rpc/profile-id]}]
  (nitrate/call cfg :get-subscription-warning {:profile-id profile-id}))
 (def ^:private schema:redeem-activation-code-params
  [:map {:title "RedeemActivationCodeParams"}
   [:activation-code ::sm/text]])
@ -110,12 +128,47 @@
      AND t.id = ANY(?)
      AND t.deleted_at IS NULL")
-(def sql:get-team-files-count
+(def ^:private sql:get-teams-files-counts
-  "SELECT count(*) AS total
+  "SELECT p.team_id, count(*) AS total
     FROM file AS f
     JOIN project AS p ON (p.id = f.project_id)
-    WHERE p.team_id = ?
+    WHERE p.team_id = ANY(?)
-      AND f.deleted_at IS NULL")
+      AND f.deleted_at IS NULL
 GROUP BY p.team_id")
 (defn- get-team-files-counts
  [conn team-ids]
  (if (seq team-ids)
    (let [ids-array (db/create-array conn "uuid" team-ids)]
      (->> (db/exec! conn [sql:get-teams-files-counts ids-array])
           (reduce (fn [acc {:keys [team-id total]}]
                     (assoc acc team-id (long total)))
                   {})))
    {}))
 (defn- build-leave-org-plan
  [{:keys [::db/conn]} default-team-id teams-to-delete keep-default-team-requested?]
  (let [all-teams     (cond-> (set teams-to-delete) default-team-id (conj default-team-id))
        files-counts  (get-team-files-counts conn all-teams)
        has-files?    (fn [id] (pos? (long (get files-counts id 0))))
        deletable     (remove has-files? teams-to-delete)
        keep-default? (or keep-default-team-requested?
                          (and default-team-id (has-files? default-team-id)))
        to-detach     (cond-> (into [] (remove (set deletable) teams-to-delete))
                        (and default-team-id keep-default?) (conj default-team-id))]
    {:deletable-team-ids       deletable
     :keep-default-team?       keep-default?
     :delete-default-team?     (boolean (and default-team-id (not keep-default?)))
     :detach-from-org-team-ids to-detach}))
 (defn get-leave-org-summary
  [cfg default-team-id teams-to-delete teams-to-transfer-count teams-to-exit-count]
  (let [{:keys [deletable-team-ids detach-from-org-team-ids]}
        (build-leave-org-plan cfg default-team-id teams-to-delete nil)]
    {:teams-to-delete   (count deletable-team-ids)
     :teams-to-transfer teams-to-transfer-count
     :teams-to-exit     teams-to-exit-count
     :teams-to-detach   (count detach-from-org-team-ids)}))
 (def ^:private schema:leave-org
  [:map
@ -130,6 +183,18 @@
      [:id ::sm/uuid]
      [:reassign-to {:optional true} ::sm/uuid]]]]])
 (def ^:private schema:get-leave-org-summary-result
  [:map
   [:teams-to-delete ::sm/int]
   [:teams-to-transfer ::sm/int]
   [:teams-to-exit ::sm/int]
   [:teams-to-detach ::sm/int]])
 (def ^:private schema:get-leave-org-summary
  [:map
   [:id ::sm/uuid]
   [:default-team-id ::sm/uuid]])
 (defn- get-organization-teams-for-user
  [{:keys [::db/conn] :as cfg} org-summary profile-id]
@ -219,16 +284,14 @@
                :code :not-valid-teams))))
 (defn leave-org
-  [{:keys [::db/conn] :as cfg} {:keys [profile-id id name default-team-id teams-to-delete teams-to-leave skip-validation] :as params}]
+  [{:keys [::db/conn] :as cfg}
-  (let [org-prefix                 (str "[" (d/sanitize-string name) "] ")
+   {:keys [profile-id id name default-team-id teams-to-delete teams-to-leave skip-validation keep-default-team-requested?]}]
-
+  (let [org-prefix (str "[" (d/sanitize-string name) "] ")
-        default-team-files-count    (-> (db/exec-one! conn [sql:get-team-files-count default-team-id])
+        {:keys [deletable-team-ids
-                                        :total)
+                keep-default-team?
-        delete-default-team?        (= default-team-files-count 0)]
+                detach-from-org-team-ids]} (build-leave-org-plan cfg default-team-id teams-to-delete keep-default-team-requested?)]
    ;; assert that the received teams are valid, checking the different constraints
    (when-not skip-validation
@ -236,20 +299,27 @@
    (assert-membership cfg profile-id id)
-    ;; delete the teams-to-delete
+    ;; delete only eligible teams (non-protected and without files)
-    (doseq [id teams-to-delete]
+    (doseq [id deletable-team-ids]
-      (teams/delete-team cfg {:profile-id profile-id :team-id id}))
+      (teams/delete-team cfg {:profile-id profile-id
                              :team-id id}))
    ;; leave the teams-to-leave
    (doseq [{:keys [id reassign-to]} teams-to-leave]
      (teams/leave-team cfg {:profile-id profile-id :id id :reassign-to reassign-to}))
-    ;; Delete default-team-id if empty; otherwise keep it and prefix the name.
+    ;; Process org "Your Penpot" team: keep with prefix if needed, otherwise delete.
-    (if delete-default-team?
+    (when default-team-id
-      (do
+      (if keep-default-team?
-        (db/update! conn :team {:is-default false} {:id default-team-id})
+        (db/exec! conn [sql:prefix-team-name-and-unset-default org-prefix default-team-id])
-        (teams/delete-team cfg {:profile-id profile-id :team-id default-team-id}))
+        (teams/delete-team cfg {:profile-id profile-id
-      (db/exec! conn [sql:prefix-team-name-and-unset-default org-prefix default-team-id]))
+                                :team-id default-team-id})))
    ;; Detach retained owned teams from the organization in Nitrate.
    ;; Nitrate will rehome them to its fallback/default org.
    (doseq [team-id detach-from-org-team-ids]
      (nitrate/call cfg :remove-team-from-org {:team-id team-id
                                               :organization-id id}))
    ;; Api call to nitrate
    (nitrate/call cfg :remove-profile-from-org {:profile-id profile-id :organization-id id})
@ -266,6 +336,25 @@
  (leave-org cfg (assoc params :profile-id profile-id)))
 (sv/defmethod ::get-leave-org-summary
  {::rpc/auth true
   ::doc/added "2.18"
   ::sm/params schema:get-leave-org-summary
   ::sm/result schema:get-leave-org-summary-result
   ::db/transaction true}
  [cfg {:keys [::rpc/profile-id id default-team-id]}]
  (let [{:keys [valid-teams-to-delete-ids
                valid-teams-to-transfer
                valid-teams-to-exit
                valid-default-team]} (get-valid-teams cfg id profile-id default-team-id)
        teams-to-transfer-count (count valid-teams-to-transfer)
        teams-to-exit-count     (count valid-teams-to-exit)]
    (when-not valid-default-team
      (ex/raise :type :validation
                :code :not-valid-teams))
    (get-leave-org-summary cfg default-team-id valid-teams-to-delete-ids teams-to-transfer-count teams-to-exit-count)))
 (def ^:private schema:remove-team-from-org
  [:map
   [:team-id ::sm/uuid]
@ -280,6 +369,20 @@
  (assert-is-owner cfg profile-id team-id)
  (assert-not-default-team cfg team-id)
  (assert-membership cfg profile-id organization-id)
  ;; Check moveTeams permission on the source organization
  (when (contains? cf/flags :nitrate)
    (let [org-perms (nitrate/call cfg :get-org-permissions
                                  {:organization-id organization-id})]
      (if (nil? org-perms)
        (ex/raise :type :validation
                  :code :not-allowed
                  :hint "Unable to verify organization permissions")
        (when-not (nitrate-perms/allowed? :move-team
                                          {:org-perms org-perms
                                           :profile-id profile-id})
          (ex/raise :type :validation
                    :code :not-allowed
                    :hint "You are not allowed to move teams that are part of this organization. If you need more information, contact the owner.")))))
  ;; Api call to nitrate
  (nitrate/call cfg :remove-team-from-org {:team-id team-id :organization-id organization-id})
@ -288,6 +391,45 @@
  (notifications/notify-team-change cfg {:id team-id :organization {:name organization-name}} "dashboard.team-no-longer-belong-org")
  nil)
 (def ^:private sql:get-team-invitation-emails
  "SELECT email_to
     FROM team_invitation
    WHERE team_id = ?
      AND valid_until > now()")
 (def ^:private sql:delete-team-external-invitations
  "DELETE FROM team_invitation
    WHERE team_id = ?
      AND email_to = ANY(?)
      AND valid_until > now()")
 (def ^:private sql:get-profiles-by-emails
  "SELECT id, email
     FROM profile
    WHERE email = ANY(?)
      AND deleted_at IS NULL")
 (defn- get-external-invitation-info
  "Returns info about external (non-org-member) invitations pending for a team.
   External invitations are those sent to users who are not members of the given org.
   Returns {:allows-anybody bool :external-emails [...]}"
  [{:keys [::db/conn] :as cfg} team-id organization-id]
  (let [org-perms      (nitrate/call cfg :get-org-permissions {:organization-id organization-id})
        allows-anybody (nitrate-perms/allowed? :add-anybody-to-team {:org-perms org-perms})]
    (if allows-anybody
      {:allows-anybody true :external-emails []}
      (let [invitation-emails (db/exec! conn [sql:get-team-invitation-emails team-id])
            emails            (map :email-to invitation-emails)]
        (if (empty? emails)
          {:allows-anybody false :external-emails []}
          (let [emails-array    (db/create-array conn "text" (vec emails))
                profiles        (db/exec! conn [sql:get-profiles-by-emails emails-array])
                org-member-ids  (into #{} (nitrate/call cfg :get-org-members {:organization-id organization-id}))
                external-emails (->> profiles
                                     (remove #(contains? org-member-ids (:id %)))
                                     (map :email)
                                     (vec))]
            {:allows-anybody false :external-emails external-emails}))))))
 (def ^:private schema:add-team-to-organization
  [:map
@ -305,15 +447,173 @@
  (assert-not-default-team cfg team-id)
  (assert-membership cfg profile-id organization-id)
-  (let [team-members (db/query cfg :team-profile-rel {:team-id team-id})]
+  (when (contains? cf/flags :nitrate)
-    ;; Add teammates to the org if needed
+    (let [team-with-org         (nitrate/call cfg :get-team-org {:team-id team-id})
-    (doseq [{member-id :profile-id} team-members
+          source-org-id         (get-in team-with-org [:organization :id])
-            :when (not= member-id profile-id)]
+          source-org-perms      (when source-org-id
-      (teams/initialize-user-in-nitrate-org cfg member-id organization-id)))
+                                  (nitrate/call cfg :get-org-permissions
                                                {:organization-id source-org-id}))
          target-org-perms      (nitrate/call cfg :get-org-permissions
                                              {:organization-id organization-id})
          target-org-same-owner? (and (some? source-org-perms)
                                      (some? target-org-perms)
                                      (= (:owner-id source-org-perms)
                                         (:owner-id target-org-perms)))]
      (when (nil? target-org-perms)
        (ex/raise :type :validation
                  :code :not-allowed
                  :hint "Unable to verify organization permissions"))
-  ;; Api call to nitrate
+      ;; Team already belongs to an organization: check move-teams on source org.
-  (let [team (nitrate/call cfg :set-team-org {:team-id team-id :organization-id organization-id :is-default false})]
+      (when (some? source-org-id)
        (when (nil? source-org-perms)
          (ex/raise :type :validation
                    :code :not-allowed
                    :hint "Unable to verify organization permissions"))
        (when-not (nitrate-perms/allowed? :move-team
                                          {:org-perms source-org-perms
                                           :profile-id profile-id
                                           :target-org-same-owner? target-org-same-owner?})
          (ex/raise :type :validation
                    :code :not-allowed
                    :hint "You are not allowed to move teams that are part of this organization. If you need more information, contact the owner.")))
      ;; Always check target create-teams permission (new/add and move flows).
      (when-not (nitrate-perms/allowed? :create-team
                                        {:org-perms target-org-perms
                                         :profile-id profile-id})
        (ex/raise :type :validation
                  :code :not-allowed
                  :hint "You are not allowed to add teams in this organization")))
    (let [team-members (db/query cfg :team-profile-rel {:team-id team-id})]
      ;; Add teammates to the org if needed
      (doseq [{member-id :profile-id} team-members
              :when (not= member-id profile-id)]
        (teams/initialize-user-in-nitrate-org cfg member-id organization-id)))
    ;; Api call to nitrate
    (let [team (nitrate/call cfg :set-team-org {:team-id team-id :organization-id organization-id :is-default false})]
      ;; Notify connected users
      (notifications/notify-team-change cfg team "dashboard.team-belong-org"))
    ;; Delete pending invitations for users who are not members of the target organization
    (let [{:keys [allows-anybody external-emails]} (get-external-invitation-info cfg team-id organization-id)]
      (when (and (not allows-anybody) (seq external-emails))
        (let [conn         (::db/conn cfg)
              emails-array (db/create-array conn "text" external-emails)]
          (db/exec! conn [sql:delete-team-external-invitations team-id emails-array])))))
    ;; Notify connected users
    (notifications/notify-team-change cfg team "dashboard.team-belong-org"))
  nil)
 (def ^:private schema:check-org-members-params
  [:map {:title "CheckOrgMembersParams"}
   [:organization-id ::sm/uuid]
   [:emails [:vector ::sm/email]]])
 (sv/defmethod ::check-org-members
  {::rpc/auth true
   ::doc/added "2.17"
   ::sm/params schema:check-org-members-params
   ::sm/result [:map-of :string :boolean]
   ::db/transaction true}
  [{:keys [::db/conn] :as cfg} {:keys [::rpc/profile-id organization-id emails]}]
  (or (when (contains? cf/flags :nitrate)
        (assert-membership cfg profile-id organization-id)
        (let [emails-array   (db/create-array conn "text" emails)
              profiles       (db/exec! conn [sql:get-profiles-by-emails emails-array])
              email->id      (into {} (map (fn [p] [(:email p) (:id p)])) profiles)
              org-member-ids (into #{} (nitrate/call cfg :get-org-members {:organization-id organization-id}))]
          (into {}
                (map (fn [email]
                       (let [pid (get email->id email)]
                         [email (boolean (and pid (contains? org-member-ids pid)))])))
                emails)))
      {}))
 (def ^:private schema:all-org-members-in-team-params
  [:map {:title "CheckOrgMembersInTeamParams"}
   [:team-id ::sm/uuid]
   [:organization-id ::sm/uuid]])
 (sv/defmethod ::all-org-members-in-team
  {::rpc/auth true
   ::doc/added "2.17"
   ::sm/params schema:all-org-members-in-team-params
   ::sm/result ::sm/boolean}
  [cfg {:keys [::rpc/profile-id team-id organization-id]}]
  (if (contains? cf/flags :nitrate)
    (let [perms (teams/get-permissions cfg profile-id team-id)]
      (when-not (or (:is-admin perms) (:is-owner perms))
        (ex/raise :type :validation
                  :code :insufficient-permissions))
      (assert-membership cfg profile-id organization-id)
      (let [org-members     (nitrate/call cfg :get-org-members {:organization-id organization-id})
            org-member-ids  (into #{} org-members)
            team-members    (db/query cfg :team-profile-rel {:team-id team-id})
            team-member-ids (into #{} (map :profile-id team-members))]
        (every? #(contains? team-member-ids %) org-member-ids)))
    false))
 (def ^:private schema:all-team-members-in-orgs-params
  [:map {:title "CheckTeamMembersInOrgsParams"}
   [:team-id ::sm/uuid]
   [:organization-ids [:vector ::sm/uuid]]])
 (sv/defmethod ::all-team-members-in-orgs
  {::rpc/auth true
   ::doc/added "2.17"
   ::sm/params schema:all-team-members-in-orgs-params
   ::sm/result [:map-of ::sm/uuid ::sm/boolean]}
  [cfg {:keys [::rpc/profile-id team-id organization-ids]}]
  (if (contains? cf/flags :nitrate)
    (let [perms (teams/get-permissions cfg profile-id team-id)]
      (when-not (or (:is-admin perms) (:is-owner perms))
        (ex/raise :type :validation
                  :code :insufficient-permissions))
      (let [team-members    (db/query cfg :team-profile-rel {:team-id team-id})
            team-member-ids (into #{} (map :profile-id team-members))]
        ;; Validate requester membership in all orgs before fetching members.
        (run! #(assert-membership cfg profile-id %) organization-ids)
        (into {}
              (map (fn [organization-id]
                     (let [org-members    (nitrate/call cfg :get-org-members {:organization-id organization-id})
                           org-member-ids (into #{} org-members)]
                       [organization-id
                        (every? #(contains? org-member-ids %) team-member-ids)])))
              organization-ids)))
    {}))
 (def ^:private schema:check-team-external-invitations-params
  [:map {:title "CheckTeamExternalInvitationsParams"}
   [:team-id ::sm/uuid]
   [:organization-id ::sm/uuid]])
 (def ^:private schema:check-team-external-invitations-result
  [:map {:title "CheckTeamExternalInvitationsResult"}
   [:has-external-invitations ::sm/boolean]
   [:allows-anybody ::sm/boolean]])
 (sv/defmethod ::check-team-external-invitations
  {::rpc/auth true
   ::doc/added "2.17"
   ::sm/params schema:check-team-external-invitations-params
   ::sm/result schema:check-team-external-invitations-result
   ::db/transaction true}
  [cfg {:keys [::rpc/profile-id team-id organization-id]}]
  (if (contains? cf/flags :nitrate)
    (let [perms (teams/get-permissions cfg profile-id team-id)]
      (when-not (or (:is-admin perms) (:is-owner perms))
        (ex/raise :type :validation
                  :code :insufficient-permissions))
      (assert-membership cfg profile-id organization-id)
      (let [{:keys [allows-anybody external-emails]} (get-external-invitation-info cfg team-id organization-id)]
        {:has-external-invitations (boolean (seq external-emails))
         :allows-anybody allows-anybody}))
    {:has-external-invitations false
     :allows-anybody false}))
--- a/backend/src/app/rpc/commands/profile.clj
+++ b/backend/src/app/rpc/commands/profile.clj
@ -110,8 +110,10 @@
        (nitrate/add-nitrate-licence-to-profile cfg profile)
        profile))
-    (catch Throwable _
+    (catch Throwable cause
-      {:id uuid/zero :fullname "Anonymous User"})))
+      (if (= :not-found (-> cause ex-data :type))
        {:id uuid/zero :fullname "Anonymous User"}
        (throw cause)))))
 (defn get-profile
  "Get profile by id. Throws not-found exception if no profile found."
@ -483,8 +485,16 @@
                {:deleted-at deleted-at}
                {:id profile-id})
-    ;; Api call to nitrate
+    ;; Delete owned organizations on the fly (no grace period).
-    (nitrate/call cfg :remove-profile-from-all-orgs {:profile-id profile-id})
+    ;; Nitrate iterates the user's owned orgs and, per org, calls
    ;; Penpot back through two paths: ::notify-user-organizations-deletion
    ;; (during delete-owned-orgs) and ::notify-organization-deletion.
    ;; Both preserve org teams unchanged and only prefix or delete
    ;; imported "Your Penpot" teams according to whether they still have files.
    (when (contains? cf/flags :nitrate)
      (nitrate/call cfg :delete-owned-orgs {:profile-id profile-id})
      ;; Remove the user from any remaining org memberships.
      (nitrate/call cfg :remove-profile-from-all-orgs {:profile-id profile-id}))
    ;; Schedule cascade deletion to a worker
    (wrk/submit! {::db/conn conn
@ -493,7 +503,6 @@
                                :deleted-at deleted-at
                                :id profile-id}})
    (-> (rph/wrap nil)
        (rph/with-transform (session/delete-fn cfg)))))
@ -520,6 +529,32 @@
  (let [editors (db/exec! cfg [sql:get-subscription-editors profile-id])]
    {:editors editors}))
 ;; --- QUERY: Owned Organizations Summary (for delete-account modal)
 (def ^:private schema:owned-organization-summary
  [:map
   [:id ::sm/uuid]
   [:name ::sm/text]
   [:slug ::sm/text]
   [:team-count ::sm/int]
   [:member-count ::sm/int]
   [:avatar-bg-url {:optional true} [:maybe ::sm/uri]]
   [:logo-id {:optional true} [:maybe ::sm/uuid]]
   [:custom-photo {:optional true} [:maybe ::sm/text]]])
 (def ^:private schema:get-owned-organizations-summary-result
  [:vector schema:owned-organization-summary])
 (sv/defmethod ::get-owned-organizations-summary
  "List organizations owned by the current profile with team and member counts.
   Used by the delete-account modal to warn the user about cascading deletion."
  {::doc/added "2.18"
   ::sm/result schema:get-owned-organizations-summary-result}
  [cfg {:keys [::rpc/profile-id]}]
  (if (contains? cf/flags :nitrate)
    (or (nitrate/call cfg :get-owned-orgs-summary {:profile-id profile-id}) [])
    []))
 ;; --- HELPERS
 (def sql:owned-teams
--- a/backend/src/app/rpc/commands/teams.clj
+++ b/backend/src/app/rpc/commands/teams.clj
@ -12,6 +12,7 @@
   [app.common.features :as cfeat]
   [app.common.schema :as sm]
   [app.common.time :as ct]
   [app.common.types.nitrate-permissions :as nitrate-perms]
   [app.common.types.team :as types.team]
   [app.common.uuid :as uuid]
   [app.config :as cf]
@ -193,7 +194,9 @@
  (dm/with-open [conn (db/open pool)]
    (cond->> (get-teams conn profile-id)
      (contains? cf/flags :nitrate)
-      (map #(nitrate/add-org-info-to-team cfg % params)))))
+      (map #(nitrate/add-org-info-to-team cfg % params))
      (contains? cf/flags :nitrate)
      (remove #(get-in % [:organization :expired-license])))))
 (def ^:private sql:get-owned-teams
  "SELECT t.id, t.name,
@ -506,11 +509,27 @@
 (sv/defmethod ::create-team
  {::doc/added "1.17"
   ::sm/params schema:create-team}
-  [cfg {:keys [::rpc/profile-id] :as params}]
+  [cfg {:keys [::rpc/profile-id organization-id] :as params}]
  (quotes/check! cfg {::quotes/id ::quotes/teams-per-profile
                      ::quotes/profile-id profile-id})
  ;; When creating inside an org, verify the user has permission to do so.
  ;; Fail closed: if org permissions cannot be fetched, deny the operation.
  (when (and organization-id (contains? cf/flags :nitrate))
    (let [org-perms (nitrate/call cfg :get-org-permissions
                                  {:organization-id organization-id})]
      (if (nil? org-perms)
        (ex/raise :type :validation
                  :code :not-allowed
                  :hint "Unable to verify organization permissions")
        (when-not (nitrate-perms/allowed? :create-team
                                          {:org-perms org-perms
                                           :profile-id profile-id})
          (ex/raise :type :validation
                    :code :not-allowed
                    :hint "You are not allowed to create teams in this organization")))))
  (let [features (-> (cfeat/get-enabled-features cf/flags)
                     (set/difference cfeat/frontend-only-features)
                     (set/difference cfeat/no-team-inheritable-features))
@ -757,16 +776,31 @@
 (defn delete-team
  "Mark a team for deletion"
-  [{:keys [::db/conn] :as cfg} {:keys [profile-id team-id]}]
+  [{:keys [::db/conn] :as cfg} {:keys [profile-id team-id] :as params}]
  (let [team  (get-team conn :profile-id profile-id :team-id team-id)
-        perms (get team :permissions)]
+        team  (if (contains? cf/flags :nitrate)
                (nitrate/add-org-info-to-team cfg team params)
                team)
        perms (get team :permissions)
        org   (:organization team)
        in-org? (and (contains? cf/flags :nitrate) org)
        can-delete?
        (if in-org?
          (nitrate-perms/allowed? :delete-team
                                  {:org-perms {:owner-id    (dm/get-in team [:organization :owner-id])
                                               :permissions (dm/get-in team [:organization :permissions])}
                                   :profile-id profile-id
                                   :team-perms perms})
          (boolean (:is-owner perms)))]
-    (when-not (:is-owner perms)
+    (when-not can-delete?
      (ex/raise :type :validation
                :code :only-owner-can-delete-team))
-    (when (:is-default team)
+    ;; Protect the user's personal default team from deletion.
    ;; Org-scoped default teams ("Your Penpot") are allowed to be deleted when they have no files.
    (when (and (:is-default team) (not in-org?))
      (ex/raise :type :validation
                :code :non-deletable-team
                :hint "impossible to delete default team"))
--- a/backend/src/app/rpc/commands/teams_invitations.clj
+++ b/backend/src/app/rpc/commands/teams_invitations.clj
@ -14,6 +14,7 @@
   [app.common.logging :as l]
   [app.common.schema :as sm]
   [app.common.time :as ct]
   [app.common.types.nitrate-permissions :as nitrate-perms]
   [app.common.types.team :as types.team]
   [app.common.uuid :as uuid]
   [app.config :as cf]
@ -112,8 +113,19 @@
  (let [notifications (dm/get-in member [:props :notifications])]
    (not= :none (:email-invites notifications))))
 (defn- assert-email-can-be-invited
  "Asserts that member is an org member when the org
  restricts who can be added to teams."
  [member org-member-ids]
  (when (some? org-member-ids)
    (let [is-member? (and (some? member) (contains? org-member-ids (:id member)))]
      (when-not is-member?
        (ex/raise :type :validation
                  :code :email-not-org-member
                  :hint "The invited email is not a member of the organization")))))
 (defn- create-invitation
-  [{:keys [::db/conn] :as cfg} {:keys [team organization profile role email] :as params}]
+  [{:keys [::db/conn] :as cfg} {:keys [team organization profile role email org-member-ids] :as params}]
  (assert (db/connection-map? cfg)
          "expected cfg with valid connection")
@ -130,6 +142,13 @@
                :code :email-domain-is-not-allowed
                :hint "email domain is in the blacklist"))
    ;; When nitrate is active and the team belongs to an org, check that
    ;; the email is already an org member unless the org explicitly allows adding anybody.
    (when (and (contains? cf/flags :nitrate)
               (:organization team))
      (assert-email-can-be-invited member org-member-ids))
    ;; When we have email verification disabled and invitation user is
    ;; already present in the database, we proceed to add it to the
    ;; team as-is, without email roundtrip.
@ -218,32 +237,26 @@
                            :to email
                            :invited-by (:fullname profile)
                            :user-name (:fullname member)
-                            :organization-name (:name organization)
+                            :organization organization
                            :organization-logo (:logo organization)
                            :organization-initials (:initials organization)
                            :token itoken
                            :extra-data ptoken}))
-              (let [team (if (contains? cf/flags :nitrate)
+              (eml/send! {::eml/conn conn
-                           (nitrate/add-org-info-to-team cfg team {})
+                          ::eml/factory eml/invite-to-team
-                           team)]
+                          :public-uri (cf/get :public-uri)
-                (eml/send! {::eml/conn conn
+                          :to email
-                            ::eml/factory eml/invite-to-team
+                          :invited-by (:fullname profile)
-                            :public-uri (cf/get :public-uri)
+                          :team (:name team)
-                            :to email
+                          :organization (dm/get-in team [:organization :name])
-                            :invited-by (:fullname profile)
+                          :token itoken
-                            :team (:name team)
+                          :extra-data ptoken})))
                            :organization (:organization-name team)
                            :token itoken
                            :extra-data ptoken}))))
          itoken)))))
 (defn create-org-invitation
-  [cfg {:keys [::rpc/profile-id id name initials logo] :as params}]
+  [cfg {:keys [::rpc/profile-id] :as params}]
  (let [profile  (db/get-by-id cfg :profile profile-id)]
    (create-invitation cfg
                       (assoc params
                              :organization {:id id :name name :initials initials :logo logo}
                              :profile profile
                              :role :editor))))
@ -309,7 +322,18 @@
  - emails (set) + role (single role for all emails)
  - invitations (vector of {:email :role} maps)"
  [{:keys [::db/conn] :as cfg} {:keys [profile team role emails invitations] :as params}]
-  (let [;; Normalize input to a consistent format: [{:email :role}]
+  (let [;; Enrich team with org info once for all invitations when nitrate is active
        team             (if (contains? cf/flags :nitrate)
                           (nitrate/add-org-info-to-team cfg team {})
                           team)
        org              (:organization team)
        org-id           (:id org)
        restricted?      (and org-id (not (nitrate-perms/allowed? :add-anybody-to-team {:org-perms org})))
        org-member-ids   (when restricted?
                           (into #{} (nitrate/call cfg :get-org-members {:organization-id org-id})))
        params           (assoc params :team team :org-member-ids org-member-ids)
        ;; Normalize input to a consistent format: [{:email :role}]
        invitation-data  (cond
                           ;; Case 1: emails + single role (create invitations style)
                           (and emails role)
--- a/backend/src/app/rpc/cond.clj
+++ b/backend/src/app/rpc/cond.clj
@ -19,7 +19,7 @@
    of the object. This function can be applied to the object returned by the
    `get-object` but also to the RPC return value (in case you don't provide
    the return value calculated key under `::key` metadata prop.
-  - `::reuse-key?` enables reusing the key calculated on first time; usefull
+  - `::reuse-key?` enables reusing the key calculated on first time; useful
    when the target object is not retrieved on the RPC (typical on retrieving
    dependent objects).
  "
--- a/backend/src/app/rpc/management/exporter.clj
+++ b/backend/src/app/rpc/management/exporter.clj
@ -37,7 +37,7 @@
        data    (-> (sto/content (:path content))
                    (sto/wrap-with-hash hash))
        content {::sto/content data
-                 ::sto/deduplicate? true
+                 ::sto/deduplicate? false
                 ::sto/touched-at (ct/in-future {:minutes 10})
                 :profile-id profile-id
                 :content-type (:mtype content)
--- a/backend/src/app/rpc/management/nitrate.clj
+++ b/backend/src/app/rpc/management/nitrate.clj
@ -12,11 +12,13 @@
   [app.common.exceptions :as ex]
   [app.common.schema :as sm]
   [app.common.time :as ct]
-   [app.common.types.organization :refer [schema:team-with-organization]]
+   [app.common.types.organization :refer [schema:team-with-organization schema:organization-with-avatar]]
   [app.common.types.profile :refer [schema:profile, schema:basic-profile]]
   [app.common.types.team :refer [schema:team]]
   [app.config :as cf]
   [app.db :as db]
   [app.email :as eml]
   [app.loggers.audit :as audit]
   [app.media :as media]
   [app.nitrate :as nitrate]
   [app.rpc :as-alias rpc]
@ -29,7 +31,8 @@
   [app.rpc.notifications :as notifications]
   [app.storage :as sto]
   [app.util.services :as sv]
-   [app.worker :as wrk]))
+   [app.worker :as wrk]
   [cuerdas.core :as str]))
 (defn- profile-to-map [profile]
@ -48,7 +51,8 @@
  [cfg {:keys [::rpc/profile-id] :as params}]
  (let [profile            (profile/get-profile cfg profile-id)]
    (-> (profile-to-map profile)
-        (assoc :theme (:theme profile)))))
+        (assoc :theme (:theme profile))
        (assoc :lang (:lang profile)))))
 ;; ---- API: get-teams
@ -296,46 +300,61 @@ RETURNING id, deleted_at;")
  nil)
 (defn manage-deleted-organization-teams
-  "For a list of teams, rename those with files and delete those without, then notify users."
+  "For a deleted organization, preserve org teams unchanged and only prefix or
-  [cfg {:keys [teams organization-name]}]
+  delete member Your Penpot teams depending on whether they still contain files."
-  (let [teams (->> teams (filter uuid?) distinct (into []))]
+  [cfg {:keys [organization-id organization-name teams]}]
-    (when (seq teams)
+  (let [all-team-ids (->> teams
                          (map :id)
                          (filter uuid?)
                          distinct
                          (into []))
        your-penpot-team-ids (->> teams
                                  (filter :is-your-penpot)
                                  (map :id)
                                  (filter uuid?)
                                  distinct
                                  (into []))]
    (when (seq all-team-ids)
      (let [org-prefix (str "[" (d/sanitize-string organization-name) "] ")]
        (db/tx-run!
         cfg
         (fn [{:keys [::db/conn] :as cfg}]
-           (let [teams-array      (db/create-array conn "uuid" teams)
+           (let [teams-with-files (if (seq your-penpot-team-ids)
-                 teams-with-files (->> (db/exec! conn [sql:get-teams-files-counts teams-array])
+                                    (->> (db/exec! conn [sql:get-teams-files-counts
-                                       (filter (fn [{:keys [total]}] (pos? total)))
+                                                         (db/create-array conn "uuid" your-penpot-team-ids)])
-                                       (map :team-id)
+                                         (filter (fn [{:keys [total]}] (pos? total)))
-                                       (into #{}))
+                                         (map :team-id)
-                 teams-to-keep    (->> teams (filter teams-with-files) (into []))
+                                         (into #{}))
-                 teams-to-delete  (->> teams (remove teams-with-files) (into []))]
+                                    #{})
                 teams-to-prefix  (->> your-penpot-team-ids (filter teams-with-files) (into []))
                 teams-to-delete  (->> your-penpot-team-ids (remove teams-with-files) (into []))]
-             ;; Rename teams that have files in one go
+             ;; Org teams move to the fallback org unchanged. Only imported
-             (when (seq teams-to-keep)
+             ;; Your Penpot teams keep the org prefix when they still have files.
             (when (seq teams-to-prefix)
               (db/exec! conn [sql:prefix-teams-name-and-unset-default
                               org-prefix
-                               (db/create-array conn "uuid" teams-to-keep)]))
+                               (db/create-array conn "uuid" teams-to-prefix)]))
-             ;; Soft-delete empty teams in one go
+             ;; Empty imported Your Penpot teams disappear entirely.
             (soft-delete-teams! cfg teams-to-delete)
-             (notifications/notify-organization-deletion cfg organization-name teams teams-to-delete)
+             (notifications/notify-organization-deletion cfg organization-id organization-name all-team-ids teams-to-delete)
             nil)))))))
 (sv/defmethod ::notify-organization-deletion
-  "For a list of teams, rename them with the name of the deleted org, and notify
+  "For a deleted organization, preserve org teams and only prefix or delete
-   of the deletion to the connected users"
+   imported Your Penpot teams before notifying connected users."
  {::doc/added "2.15"
   ::sm/params schema:notify-organization-deletion
   ::rpc/auth false}
  [cfg {:keys [organization-id]}]
  (let [org-summary (nitrate/call cfg :get-org-summary {:organization-id organization-id})
-        teams       (->> (:teams org-summary)
+        teams       (:teams org-summary)]
-                         (map :id))]
+    (manage-deleted-organization-teams cfg {:organization-name (:name org-summary)
-    (manage-deleted-organization-teams cfg {:teams teams :organization-name (:name org-summary)})
+                                            :organization-id (:id org-summary)
                                            :teams teams})
    nil))
 ;; ---- API: notify-user-organizations-deletion
@ -345,15 +364,18 @@ RETURNING id, deleted_at;")
   [:profile-id ::sm/uuid]])
 (sv/defmethod ::notify-user-organizations-deletion
-  "For a given user, find all owned organizations and rename or delete their teams."
+  "For a given user, find all owned organizations and apply the deleted-org
   transfer rules to their imported Your Penpot teams."
  {::doc/added "2.18"
   ::sm/params schema:notify-user-organizations-deletion}
  [cfg {:keys [profile-id]}]
  (let [owned-orgs (nitrate/call cfg :get-owned-orgs {:profile-id profile-id})]
    (doseq [org owned-orgs]
      (let [organization-name (:name org)
-            teams (map :id (:teams org))]
+            teams             (:teams org)]
-        (manage-deleted-organization-teams cfg {:teams teams :organization-name organization-name}))))
+        (manage-deleted-organization-teams cfg {:organization-name organization-name
                                                :organization-id (:id org)
                                                :teams teams}))))
  nil)
@ -454,10 +476,7 @@ RETURNING id, deleted_at;")
  {::doc/added "2.15"
   ::sm/params [:map
                [:email ::sm/email]
-                [:id ::sm/uuid]
+                [:organization schema:organization-with-avatar]]}
                [:name ::sm/text]
                [:initials [:maybe :string]]
                [:logo ::sm/uri]]}
  [cfg params]
  (db/tx-run! cfg ti/create-org-invitation params)
  nil)
@ -472,6 +491,7 @@ RETURNING id, deleted_at;")
          ti.email_to AS email,
          ti.created_at AS sent_at,
          p.fullname AS name,
          p.id AS profile_id,
          p.photo_id
     FROM team_invitation AS ti
 LEFT JOIN profile AS p
@ -493,6 +513,7 @@ LEFT JOIN profile AS p
    [:email ::sm/email]
    [:sent-at ::sm/inst]
    [:name {:optional true} [:maybe ::sm/text]]
    [:profile-id {:optional true} [:maybe ::sm/uuid]]
    [:photo-url {:optional true} ::sm/uri]]])
 (sv/defmethod ::get-org-invitations
@ -544,6 +565,33 @@ LEFT JOIN profile AS p
    nil))
 ;; API: delete-all-org-invitations
 (def ^:private sql:delete-all-org-invitations
  "DELETE FROM team_invitation AS ti
    WHERE ti.org_id = ?
       OR ti.team_id = ANY(?);")
 (def ^:private schema:delete-all-org-invitations-params
  [:map
   [:organization-id ::sm/uuid]])
 (sv/defmethod ::delete-all-org-invitations
  "Delete every pending invitation associated with an organization (org-level + team-level).
   Called from Nitrate when an organization is about to be deleted, so users that click
   their invitation token hit the existing invalid-token landing page."
  {::doc/added "2.18"
   ::sm/params schema:delete-all-org-invitations-params
   ::rpc/auth false}
  [cfg {:keys [organization-id]}]
  (let [org-summary (nitrate/call cfg :get-org-summary {:organization-id organization-id})
        team-ids    (->> (:teams org-summary)
                         (map :id))]
    (db/run! cfg (fn [{:keys [::db/conn]}]
                   (let [ids-array (db/create-array conn "uuid" team-ids)]
                     (db/exec! conn [sql:delete-all-org-invitations organization-id ids-array]))))
    nil))
 ;; API: remove-from-org
@ -603,7 +651,8 @@ LEFT JOIN profile AS p
  [:map
   [:teams-to-delete ::sm/int]
   [:teams-to-transfer ::sm/int]
-   [:teams-to-exit ::sm/int]])
+   [:teams-to-exit ::sm/int]
   [:teams-to-detach ::sm/int]])
 (sv/defmethod ::get-remove-from-org-summary
  "Get a summary of the teams that would be deleted, transferred, or exited
@ -623,7 +672,154 @@ LEFT JOIN profile AS p
    (when-not valid-default-team
      (ex/raise :type :validation
                :code :not-valid-teams))
-    {:teams-to-delete   (count valid-teams-to-delete-ids)
+    (cnit/get-leave-org-summary cfg
-     :teams-to-transfer (count valid-teams-to-transfer)
+                                default-team-id
-     :teams-to-exit     (count valid-teams-to-exit)}))
+                                valid-teams-to-delete-ids
                                (count valid-teams-to-transfer)
                                (count valid-teams-to-exit))))
 ;; API: send-renewal-email
 (def ^:private schema:send-renewal-email-params
  [:map
   [:profile-id ::sm/uuid]
   [:user-email ::sm/email]
   [:user-name [:maybe ::sm/text]]
   [:renewal-date :string]
   [:estimated-amount :double]
   [:organizations [:vector schema:organization-with-avatar]]])
 (sv/defmethod ::send-renewal-email
  "Send an Enterprise subscription renewal notice email to a user."
  {::doc/added "2.17"
   ::sm/params schema:send-renewal-email-params
   ::rpc/auth false}
  [cfg {:keys [profile-id user-email user-name renewal-date estimated-amount organizations]}]
  (let [amount-str (format "$%.2f" estimated-amount)
        user-name  (if (str/empty? user-name)
                     (:fullname (profile/get-profile cfg profile-id))
                     user-name)]
    (db/tx-run! cfg (fn [{:keys [::db/conn]}]
                      (eml/send! {::eml/conn    conn
                                  ::eml/factory eml/renewal-notice
                                  :public-uri   (cf/get :public-uri)
                                  :to           user-email
                                  :user-name    user-name
                                  :renewal-date renewal-date
                                  :estimated-amount amount-str
                                  :organizations organizations}))))
  nil)
 ;; API: exists-org-team-invitations-for-non-members /
 ;;      delete-org-team-invitations-for-non-members
 (def ^:private sql:get-profile-emails-by-ids
  "SELECT email
     FROM profile
    WHERE id = ANY(?)
      AND deleted_at IS NULL")
 (def ^:private sql:exists-non-member-org-team-invitations
  "SELECT EXISTS (
            SELECT 1
              FROM team_invitation
             WHERE team_id = ANY(?)
               AND email_to <> ALL(?)
         ) AS non_member")
 (def ^:private sql:delete-non-member-org-team-invitations
  "DELETE FROM team_invitation
    WHERE team_id = ANY(?)
      AND email_to <> ALL(?)
   RETURNING email_to")
 (def ^:private schema:org-team-invitations-for-non-members-params
  [:map
   [:team-ids [:vector ::sm/uuid]]
   [:member-ids [:vector ::sm/uuid]]])
 (def ^:private schema:exists-org-team-invitations-for-non-members-result
  [:map [:exists ::sm/boolean]])
 (defn- org-team-invitations-for-non-members-arrays
  "Member emails and PG arrays used by exists/delete org team invitation endpoints."
  [conn {:keys [team-ids member-ids]}]
  (let [member-ids-array (db/create-array conn "uuid" member-ids)
        member-emails    (->> (db/exec! conn [sql:get-profile-emails-by-ids member-ids-array])
                              (map :email)
                              (into #{}))]
    {:emails-array (db/create-array conn "text" (vec member-emails))
     :teams-array  (db/create-array conn "uuid" team-ids)}))
 (defn- non-member-org-team-invitations-exist?
  [conn params]
  (let [{:keys [emails-array teams-array]}
        (org-team-invitations-for-non-members-arrays conn params)]
    (-> (db/exec-one! conn [sql:exists-non-member-org-team-invitations
                            teams-array
                            emails-array])
        :non-member)))
 (sv/defmethod ::exists-org-team-invitations-for-non-members
  "Return if there are any team invitations for emails that are not organization members."
  {::doc/added "2.18"
   ::sm/params schema:org-team-invitations-for-non-members-params
   ::sm/result schema:exists-org-team-invitations-for-non-members-result}
  [cfg params]
  (db/run! cfg (fn [{:keys [::db/conn]}]
                 {:exists (boolean (non-member-org-team-invitations-exist? conn params))})))
 (sv/defmethod ::delete-org-team-invitations-for-non-members
  "Delete team invitations for emails that are not organization members."
  {::doc/added "2.18"
   ::sm/params schema:org-team-invitations-for-non-members-params
   ::db/transaction true}
  [cfg params]
  (db/run! cfg (fn [{:keys [::db/conn]}]
                 (let [{:keys [emails-array teams-array]}
                       (org-team-invitations-for-non-members-arrays conn params)]
                   (db/exec! conn [sql:delete-non-member-org-team-invitations
                                   teams-array
                                   emails-array])
                   nil))))
 ;; ---- API: push-audit-events
 (def ^:private schema:nitrate-audit-event
  [:map {:title "NitrateAuditEvent"}
   [:name [:and [:string {:max 250}]
           [:re #"[\d\w-]{1,50}"]]]
   [:profile-id ::sm/uuid]
   [:props {:optional true} [:map-of :keyword :any]]])
 (def ^:private schema:push-audit-events-params
  [:map {:title "PushAuditEventsParams"}
   [:events [:vector schema:nitrate-audit-event]]])
 (defn- submit-nitrate-audit-event
  [cfg {:keys [name profile-id props]}]
  (let [now (ct/now)]
    (audit/submit* cfg {:type "action"
                        :name name
                        :profile-id profile-id
                        :props (or props {})
                        :context {}
                        :tracked-at now
                        :created-at now
                        :source "nitrate"
                        :ip-addr "0.0.0.0"})))
 (sv/defmethod ::push-audit-events
  "Push audit events from Nitrate to Penpot audit log"
  {::doc/added "2.19"
   ::sm/params schema:push-audit-events-params
   ::rpc/auth false}
  [{:keys [::db/pool] :as cfg} {:keys [events]}]
  (let [telemetry? (contains? cf/flags :telemetry)
        audit-log? (contains? cf/flags :audit-log)
        enabled?   (and (not (db/read-only? pool))
                        (or audit-log? telemetry?))]
    (when (and enabled? (seq events))
      (run! (partial submit-nitrate-audit-event cfg) events))
    nil))
--- a/backend/src/app/rpc/notifications.clj
+++ b/backend/src/app/rpc/notifications.clj
@ -34,11 +34,12 @@
 (defn notify-organization-deletion
-  [cfg organization-name teams deleted-teams]
+  [cfg organization-id organization-name teams deleted-teams]
  (let [msgbus (::mbus/msgbus cfg)]
    (mbus/pub! msgbus
               :topic uuid/zero
               :message {:type :organization-deleted
                         :organization-id organization-id
                         :organization-name organization-name
                         :teams teams
                         :deleted-teams deleted-teams})))
--- a/backend/src/app/storage.clj
+++ b/backend/src/app/storage.clj
@ -135,7 +135,8 @@
        ;; still not deleted.
        result (when (and (::deduplicate? params)
                          (:hash mdata)
-                          (:bucket mdata))
+                          (:bucket mdata)
                          (not= "tempfile" (:bucket mdata)))
                 (let [result (get-database-object-by-hash connectable backend
                                                           (:bucket mdata)
                                                           (:hash mdata))]
--- a/backend/src/app/util/cache.clj
+++ b/backend/src/app/util/cache.clj
@ -12,7 +12,6 @@
   [app.common.time :as ct]
   [promesa.exec :as px])
  (:import
   com.github.benmanes.caffeine.cache.AsyncCache
   com.github.benmanes.caffeine.cache.Cache
   com.github.benmanes.caffeine.cache.Caffeine
   com.github.benmanes.caffeine.cache.RemovalListener
@ -47,15 +46,18 @@
     :miss-rate  (.missRate stats)}))
 (defn create
-  [& {:keys [executor on-remove max-size keepalive]}]
+  "Build an in-memory cache. Loads run synchronously on the calling
  thread, so when a load fn throws or returns nil the entry is not
  stored — concurrent loads for the same key still deduplicate."
  [& {:keys [executor on-remove max-size keepalive expire]}]
  (let [cache (as-> (Caffeine/newBuilder) builder
                (if (fn? on-remove) (.removalListener builder (create-listener on-remove)) builder)
                (if executor  (.executor builder ^Executor (px/resolve-executor executor)) builder)
                (if keepalive (.expireAfterAccess builder ^Duration (ct/duration keepalive)) builder)
                (if expire    (.expireAfterWrite  builder ^Duration (ct/duration expire)) builder)
                (if (int? max-size) (.maximumSize builder (long max-size)) builder)
                (.recordStats builder)
-                (.buildAsync builder))
+                (.build builder))]
        cache (.synchronous ^AsyncCache cache)]
    (reify
      ICache
      (get [_ k]
@ -69,7 +71,7 @@
      (invalidate! [_]
        (.invalidateAll ^Cache cache))
      (invalidate! [_ k]
-        (.invalidateAll ^Cache cache ^Object k))
+        (.invalidate ^Cache cache ^Object k))
      ICacheStats
      (stats [_]
--- a/backend/test/backend_tests/http_middleware_test.clj
+++ b/backend/test/backend_tests/http_middleware_test.clj
@ -17,6 +17,7 @@
   [app.rpc.commands.access-token]
   [app.tokens :as tokens]
   [backend-tests.helpers :as th]
   [clojure.string :as str]
   [clojure.test :as t]
   [mockery.core :refer [with-mocks]]
   [yetti.request :as yreq]
@ -112,6 +113,74 @@
      (t/is (= #{} (:app.http.access-token/perms response)))
      (t/is (= (:id profile) (:app.http.access-token/profile-id response))))))
 (defrecord MethodAwareDummyRequest [req-method headers]
  yreq/IRequest
  (method [_] req-method)
  (get-header [_ name] (get headers name)))
 (t/deftest cors-middleware-allowlisted-origin
  (let [handler (#'app.http.middleware/wrap-cors
                 (fn [_] {::yres/status 200 ::yres/headers {}})
                 #{"https://trusted.example"})
        resp    (handler (->MethodAwareDummyRequest :get {"origin" "https://trusted.example"}))
        headers (::yres/headers resp)]
    (t/is (= 200 (::yres/status resp)))
    (t/is (= "https://trusted.example" (get headers "access-control-allow-origin")))
    (t/is (= "true" (get headers "access-control-allow-credentials")))
    (t/is (= "Origin" (get headers "vary")))
    (t/is (= "content-type" (get headers "access-control-expose-headers")))
    (t/is (not (str/includes?
                (get headers "access-control-allow-headers" "")
                "cookie")))))
 (t/deftest cors-middleware-non-allowlisted-origin
  (let [handler (#'app.http.middleware/wrap-cors
                 (fn [_] {::yres/status 200 ::yres/headers {}})
                 #{"https://trusted.example"})
        resp    (handler (->MethodAwareDummyRequest :get {"origin" "https://attacker.example"}))
        headers (::yres/headers resp)]
    (t/is (= 200 (::yres/status resp)))
    (t/is (nil? (get headers "access-control-allow-origin")))
    (t/is (nil? (get headers "access-control-allow-credentials")))
    (t/is (nil? (get headers "access-control-allow-headers")))
    (t/is (nil? (get headers "access-control-expose-headers")))
    (t/is (= "Origin" (get headers "vary")))))
 (t/deftest cors-middleware-preflight-allowlisted
  (let [handler (#'app.http.middleware/wrap-cors
                 (fn [_] {::yres/status 200 ::yres/headers {}})
                 #{"https://trusted.example"})
        resp    (handler (->MethodAwareDummyRequest :options {"origin" "https://trusted.example"}))
        headers (::yres/headers resp)]
    (t/is (= 204 (::yres/status resp)))
    (t/is (= "https://trusted.example" (get headers "access-control-allow-origin")))
    (t/is (= "true" (get headers "access-control-allow-credentials")))))
 (t/deftest cors-middleware-preflight-non-allowlisted
  (let [handler (#'app.http.middleware/wrap-cors
                 (fn [_] {::yres/status 200 ::yres/headers {}})
                 #{"https://trusted.example"})
        resp    (handler (->MethodAwareDummyRequest :options {"origin" "https://attacker.example"}))
        headers (::yres/headers resp)]
    (t/is (= 204 (::yres/status resp)))
    (t/is (nil? (get headers "access-control-allow-origin")))
    (t/is (nil? (get headers "access-control-allow-credentials")))))
 (t/deftest cors-middleware-missing-origin
  (let [handler (#'app.http.middleware/wrap-cors
                 (fn [_] {::yres/status 200 ::yres/headers {}})
                 #{"https://trusted.example"})
        resp    (handler (->MethodAwareDummyRequest :get {}))
        headers (::yres/headers resp)]
    (t/is (= 200 (::yres/status resp)))
    (t/is (nil? (get headers "access-control-allow-origin")))
    (t/is (nil? (get headers "access-control-allow-credentials")))))
 (t/deftest session-authz
  (let [cfg      th/*system*
        manager  (session/inmemory-manager)
--- a/backend/test/backend_tests/logical_deletion_test.clj
+++ b/backend/test/backend_tests/logical_deletion_test.clj
@ -0,0 +1,36 @@
 ;; This Source Code Form is subject to the terms of the Mozilla Public
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
 ;; Copyright (c) KALEIDOS INC
 (ns backend-tests.logical-deletion-test
  (:require
   [app.common.time :as ct]
   [app.config :as cf]
   [app.features.logical-deletion :as ldel]
   [clojure.test :as t]))
 (t/deftest get-deletion-delay-for-active-subscriptions
  (t/is (= (ct/duration {:days 30})
           (ldel/get-deletion-delay {:subscription {:type "unlimited"
                                                    :status "active"}})))
  (t/is (= (ct/duration {:days 90})
           (ldel/get-deletion-delay {:subscription {:type "enterprise"
                                                    :status "active"}})))
  (t/is (= (ct/duration {:days 90})
           (ldel/get-deletion-delay {:subscription {:type "nitrate"
                                                    :status "active"}}))))
 (t/deftest get-deletion-delay-for-canceled-subscriptions
  (let [fallback (ct/duration {:days 5})]
    (with-redefs [cf/get-deletion-delay (fn [] fallback)]
      (t/is (= fallback
               (ldel/get-deletion-delay {:subscription {:type "nitrate"
                                                        :status "canceled"}})))
      (t/is (= fallback
               (ldel/get-deletion-delay {:subscription {:type "enterprise"
                                                        :status "unpaid"}}))))))
--- a/backend/test/backend_tests/rpc_file_thumbnails_test.clj
+++ b/backend/test/backend_tests/rpc_file_thumbnails_test.clj
@ -154,7 +154,7 @@
      (t/is (nil? (sto/get-object storage (:media-id row1))))
      (t/is (some? (sto/get-object storage (:media-id row2))))
-      ;; check that storage object is still exists but is marked as deleted
+      ;; check that storage object is still exists but is marked as deleted.
      (let [row (th/db-get :storage-object {:id (:media-id row1)} {::db/remove-deleted false})]
        (t/is (nil? row))))))
@ -254,6 +254,32 @@
      (t/is (some? (sto/get-object storage (:media-id row2)))))))
 (t/deftest create-file-thumbnail-requires-edit-permissions
  (let [owner  (th/create-profile* 1)
        viewer (th/create-profile* 2)
        file   (th/create-file* 1 {:profile-id (:id owner)
                                   :project-id (:default-project-id owner)
                                   :is-shared false
                                   :revn 1})
        _      (th/create-file-role* {:file-id (:id file)
                                      :profile-id (:id viewer)
                                      :role :viewer})
        data   {::th/type :create-file-thumbnail
                ::rpc/profile-id (:id viewer)
                :file-id (:id file)
                :revn 1
                :media {:filename "sample.jpg"
                        :size 7923
                        :path (th/tempfile "backend_tests/test_files/sample2.jpg")
                        :mtype "image/jpeg"}}
        out    (th/command! data)
        error  (:error out)]
    (t/is (nil? (:result out)))
    (t/is (th/ex-info? error))
    (t/is (th/ex-of-type? error :not-found))
    (t/is (= 0 (count (th/db-query :file-thumbnail {:file-id (:id file)}))))))
 (t/deftest error-on-direct-storage-obj-deletion
  (let [storage (::sto/storage th/*system*)
        profile (th/create-profile* 1)
--- a/backend/test/backend_tests/rpc_management_nitrate_test.clj
+++ b/backend/test/backend_tests/rpc_management_nitrate_test.clj
@ -186,8 +186,10 @@
        expected-start    (str "[" (d/sanitize-string organization-name) "] ")
        org-summary       {:id organization-id
                           :name organization-name
-                           :teams [{:id (:id team-with-files)}
+                           :teams [{:id (:id team-with-files)
-                                   {:id (:id empty-team)}]}
+                                    :is-your-penpot true}
                                   {:id (:id empty-team)
                                    :is-your-penpot true}]}
        calls             (atom [])
        submitted         (atom [])
        out               (with-redefs [nitrate/call (fn [_cfg method params]
@ -222,6 +224,7 @@
    (let [{:keys [topic message]} (first @calls)]
      (t/is (= uuid/zero topic))
      (t/is (= :organization-deleted (:type message)))
      (t/is (= organization-id (:organization-id message)))
      (t/is (= organization-name (:organization-name message)))
      (t/is (= #{(:id team-with-files) (:id empty-team)}
               (set (:teams message))))
@ -254,12 +257,16 @@
        org-2-prefix       (str "[" (d/sanitize-string org-2-name) "] ")
        owned-orgs         [{:id org-1-id
                             :name org-1-name
-                             :teams [{:id (:id org-1-team-files)}
+                             :teams [{:id (:id org-1-team-files)
-                                     {:id (:id org-1-team-empty)}]}
+                                      :is-your-penpot true}
                                     {:id (:id org-1-team-empty)
                                      :is-your-penpot true}]}
                            {:id org-2-id
                             :name org-2-name
-                             :teams [{:id (:id org-2-team-files)}
+                             :teams [{:id (:id org-2-team-files)
-                                     {:id (:id org-2-team-empty)}]}]
+                                      :is-your-penpot true}
                                     {:id (:id org-2-team-empty)
                                      :is-your-penpot true}]}]
        calls              (atom [])
        submitted          (atom [])
        out                (with-redefs [nitrate/call (fn [_cfg method params]
@ -313,6 +320,8 @@
          m2 (org-msg org-2-name)]
      (t/is (some? m1))
      (t/is (some? m2))
      (t/is (= org-1-id (:organization-id m1)))
      (t/is (= org-2-id (:organization-id m2)))
      (t/is (= #{(:id org-1-team-files) (:id org-1-team-empty)}
               (set (:teams m1))))
      (t/is (= #{(:id org-1-team-empty)}
@ -561,6 +570,263 @@
      (t/is (= (:id outside-team) (:team-id (first remaining-target))))
      (t/is (= 1 (count remaining-other))))))
 (t/deftest delete-all-org-invitations-removes-org-and-org-team-invitations
  (let [profile      (th/create-profile* 1 {:is-active true})
        team-1       (th/create-team* 1 {:profile-id (:id profile)})
        team-2       (th/create-team* 2 {:profile-id (:id profile)})
        outside-team (th/create-team* 3 {:profile-id (:id profile)})
        org-id       (uuid/random)
        org-summary  {:id org-id
                      :teams [{:id (:id team-1)}
                              {:id (:id team-2)}]}
        params       {::th/type :delete-all-org-invitations
                      :organization-id org-id}]
    ;; Should be deleted: org-level invitation.
    (th/db-insert! :team-invitation
                   {:id (uuid/random)
                    :org-id org-id
                    :team-id nil
                    :email-to "alice@example.com"
                    :created-by (:id profile)
                    :role "editor"
                    :valid-until (ct/in-future "24h")})
    ;; Should be deleted: team-level invitation in team-1 (belongs to org).
    (th/db-insert! :team-invitation
                   {:id (uuid/random)
                    :team-id (:id team-1)
                    :org-id nil
                    :email-to "bob@example.com"
                    :created-by (:id profile)
                    :role "admin"
                    :valid-until (ct/in-future "48h")})
    ;; Should be deleted: team-level invitation in team-2 (belongs to org),
    ;; even if expired.
    (th/db-insert! :team-invitation
                   {:id (uuid/random)
                    :team-id (:id team-2)
                    :org-id nil
                    :email-to "carol@example.com"
                    :created-by (:id profile)
                    :role "editor"
                    :valid-until (ct/in-past "1h")})
    ;; Should remain: invitation to a team outside the org.
    (th/db-insert! :team-invitation
                   {:id (uuid/random)
                    :team-id (:id outside-team)
                    :org-id nil
                    :email-to "dan@example.com"
                    :created-by (:id profile)
                    :role "editor"
                    :valid-until (ct/in-future "24h")})
    ;; Should remain: invitation to a different organization.
    (th/db-insert! :team-invitation
                   {:id (uuid/random)
                    :org-id (uuid/random)
                    :team-id nil
                    :email-to "erin@example.com"
                    :created-by (:id profile)
                    :role "editor"
                    :valid-until (ct/in-future "24h")})
    (let [calls    (atom [])
          out      (with-redefs [nitrate/call (fn [_cfg method params]
                                                (swap! calls conj {:method method :params params})
                                                (case method
                                                  :get-org-summary org-summary
                                                  nil))]
                     (management-command-with-nitrate! params))
          present? (fn [email] (seq (th/db-query :team-invitation {:email-to email})))]
      (t/is (th/success? out))
      (t/is (nil? (:result out)))
      ;; get-org-summary was called with the right organization-id.
      (t/is (= 1 (count @calls)))
      (t/is (= :get-org-summary (-> @calls first :method)))
      (t/is (= {:organization-id org-id} (-> @calls first :params)))
      ;; Org-level + team-in-org invitations are deleted.
      (t/is (not (present? "alice@example.com")))
      (t/is (not (present? "bob@example.com")))
      (t/is (not (present? "carol@example.com")))
      ;; Invitations outside the org survive.
      (t/is (present? "dan@example.com"))
      (t/is (present? "erin@example.com")))))
 (t/deftest delete-all-org-invitations-handles-org-with-no-teams
  (let [profile (th/create-profile* 1 {:is-active true})
        org-id  (uuid/random)
        params  {::th/type :delete-all-org-invitations
                 :organization-id org-id}]
    ;; Org-level invitation should still be deleted.
    (th/db-insert! :team-invitation
                   {:id (uuid/random)
                    :org-id org-id
                    :team-id nil
                    :email-to "alice@example.com"
                    :created-by (:id profile)
                    :role "editor"
                    :valid-until (ct/in-future "24h")})
    (let [out (with-redefs [nitrate/call (fn [_cfg method _params]
                                           (case method
                                             :get-org-summary {:id org-id :teams []}
                                             nil))]
                (management-command-with-nitrate! params))
          remaining (th/db-query :team-invitation {:org-id org-id})]
      (t/is (th/success? out))
      (t/is (nil? (:result out)))
      (t/is (empty? remaining)))))
 (t/deftest exists-org-team-invitations-for-non-members-reports-invitations-to-delete
  (let [member1      (th/create-profile* 1 {:is-active true :email "member1@example.com"})
        profile      (th/create-profile* 4 {:is-active true})
        team-1       (th/create-team* 1 {:profile-id (:id profile)})
        team-2       (th/create-team* 2 {:profile-id (:id profile)})
        outside-team (th/create-team* 3 {:profile-id (:id profile)})
        org-id       (uuid/random)
        base-params  {::th/type :exists-org-team-invitations-for-non-members
                      ::rpc/profile-id (:id profile)
                      :organization-id org-id
                      :team-ids [(:id team-1) (:id team-2)]
                      :member-ids [(:id member1)]}
        exist!       (fn [] (-> (management-command-with-nitrate! base-params)
                                :result
                                :exists))]
    (t/is (false? (exist!)))
    (th/db-insert! :team-invitation
                   {:id (uuid/random)
                    :team-id (:id team-1)
                    :org-id nil
                    :email-to "member1@example.com"
                    :created-by (:id profile)
                    :role "editor"
                    :valid-until (ct/in-future "24h")})
    (t/is (false? (exist!)))
    (th/db-insert! :team-invitation
                   {:id (uuid/random)
                    :org-id org-id
                    :team-id nil
                    :email-to "pending@example.com"
                    :created-by (:id profile)
                    :role "editor"
                    :valid-until (ct/in-future "24h")})
    (t/is (false? (exist!)))
    (th/db-insert! :team-invitation
                   {:id (uuid/random)
                    :team-id (:id outside-team)
                    :org-id nil
                    :email-to "outsider@example.com"
                    :created-by (:id profile)
                    :role "editor"
                    :valid-until (ct/in-future "24h")})
    (t/is (false? (exist!)))
    (th/db-insert! :team-invitation
                   {:id (uuid/random)
                    :team-id (:id team-2)
                    :org-id nil
                    :email-to "orphan@example.com"
                    :created-by (:id profile)
                    :role "editor"
                    :valid-until (ct/in-future "24h")})
    (t/is (true? (exist!)))))
 (t/deftest delete-org-team-invitations-for-non-members-removes-non-member-invitations
  (let [member1     (th/create-profile* 1 {:is-active true :email "member1@example.com"})
        profile     (th/create-profile* 4 {:is-active true})
        team-1      (th/create-team* 1 {:profile-id (:id profile)})
        team-2      (th/create-team* 2 {:profile-id (:id profile)})
        outside-team (th/create-team* 3 {:profile-id (:id profile)})
        org-id      (uuid/random)
        params      {::th/type :delete-org-team-invitations-for-non-members
                     ::rpc/profile-id (:id profile)
                     :organization-id org-id
                     :team-ids [(:id team-1) (:id team-2)]
                     :member-ids [(:id member1)]}]
    ;; Should remain: member1 is an org member.
    (th/db-insert! :team-invitation
                   {:id (uuid/random)
                    :team-id (:id team-1)
                    :org-id nil
                    :email-to "member1@example.com"
                    :created-by (:id profile)
                    :role "editor"
                    :valid-until (ct/in-future "24h")})
    ;; Org-level invitation remains (out of team cleanup scope).
    (th/db-insert! :team-invitation
                   {:id (uuid/random)
                    :org-id org-id
                    :team-id nil
                    :email-to "pending@example.com"
                    :created-by (:id profile)
                    :role "editor"
                    :valid-until (ct/in-future "24h")})
    ;; Should be deleted: team invitation for non-member
    (th/db-insert! :team-invitation
                   {:id (uuid/random)
                    :team-id (:id team-2)
                    :org-id nil
                    :email-to "pending@example.com"
                    :created-by (:id profile)
                    :role "editor"
                    :valid-until (ct/in-future "24h")})
    ;; Should be deleted: orphaned invitation
    (th/db-insert! :team-invitation
                   {:id (uuid/random)
                    :team-id (:id team-2)
                    :org-id nil
                    :email-to "orphan@example.com"
                    :created-by (:id profile)
                    :role "editor"
                    :valid-until (ct/in-future "24h")})
    ;; Should be deleted: expired invitation.
    (th/db-insert! :team-invitation
                   {:id (uuid/random)
                    :team-id (:id team-1)
                    :org-id nil
                    :email-to "expired@example.com"
                    :created-by (:id profile)
                    :role "editor"
                    :valid-until (ct/in-past "1h")})
    ;; Should remain: outside org scope.
    (th/db-insert! :team-invitation
                   {:id (uuid/random)
                    :team-id (:id outside-team)
                    :org-id nil
                    :email-to "outsider@example.com"
                    :created-by (:id profile)
                    :role "editor"
                    :valid-until (ct/in-future "24h")})
    (let [out     (management-command-with-nitrate! params)]
      (t/is (th/success? out))
      (t/is (nil? (:result out)))
      ;; Verify remaining invitations.
      (t/is (= 1 (count (th/db-query :team-invitation {:email-to "member1@example.com"}))))
      (t/is (= 1 (count (th/db-query :team-invitation {:email-to "pending@example.com"}))))
      (t/is (= 0 (count (th/db-query :team-invitation {:email-to "orphan@example.com"}))))
      (t/is (= 0 (count (th/db-query :team-invitation {:email-to "expired@example.com"}))))
      (t/is (= 1 (count (th/db-query :team-invitation {:email-to "outsider@example.com"})))))))
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Tests: remove-from-org
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -808,7 +1074,8 @@
    (t/is (th/success? out))
    (t/is (= {:teams-to-delete   0
              :teams-to-transfer 0
-              :teams-to-exit     0}
+              :teams-to-exit     0
              :teams-to-detach   0}
             (:result out)))))
 (t/deftest get-remove-from-org-summary-with-teams-to-delete
@ -834,7 +1101,8 @@
    (t/is (th/success? out))
    (t/is (= {:teams-to-delete   1
              :teams-to-transfer 0
-              :teams-to-exit     0}
+              :teams-to-exit     0
              :teams-to-detach   0}
             (:result out)))))
 (t/deftest get-remove-from-org-summary-with-teams-to-transfer
@ -864,7 +1132,8 @@
    (t/is (th/success? out))
    (t/is (= {:teams-to-delete   0
              :teams-to-transfer 1
-              :teams-to-exit     0}
+              :teams-to-exit     0
              :teams-to-detach   0}
             (:result out)))))
 (t/deftest get-remove-from-org-summary-with-teams-to-exit
@ -893,7 +1162,8 @@
    (t/is (th/success? out))
    (t/is (= {:teams-to-delete   0
              :teams-to-transfer 0
-              :teams-to-exit     1}
+              :teams-to-exit     1
              :teams-to-detach   0}
             (:result out)))))
 (t/deftest get-remove-from-org-summary-does-not-mutate
--- a/backend/test/backend_tests/rpc_management_test.clj
+++ b/backend/test/backend_tests/rpc_management_test.clj
@ -19,7 +19,8 @@
   [backend-tests.storage-test :refer [configure-storage-backend]]
   [buddy.core.bytes :as b]
   [clojure.test :as t]
-   [datoteka.fs :as fs]))
+   [datoteka.fs :as fs]
   [datoteka.io :as io]))
 (t/use-fixtures :once th/state-init)
 (t/use-fixtures :each th/database-reset)
@ -39,6 +40,23 @@
    (t/is (nil? (:error out)))
    (:result out)))
 (t/deftest upload-tempfile-returns-fresh-object-for-same-content
  (let [profile (th/create-profile* 1 {:is-active true})
        path    (fs/create-tempfile :dir "/tmp/penpot" :prefix "test-upload-tempfile-")
        _       (io/write* path "content")
        params  {::th/type :upload-tempfile
                 ::rpc/profile-id (:id profile)
                 :content {:filename "export.png"
                           :path path
                           :mtype "image/png"
                           :size 7}}
        out1    (th/management-command! params)
        out2    (th/management-command! params)]
    (t/is (nil? (:error out1)))
    (t/is (nil? (:error out2)))
    (t/is (not= (get-in out1 [:result :id])
                (get-in out2 [:result :id])))))
 (t/deftest duplicate-file
  (let [storage (-> (:app.storage/storage th/*system*)
                    (configure-storage-backend))
--- a/backend/test/backend_tests/rpc_nitrate_test.clj
+++ b/backend/test/backend_tests/rpc_nitrate_test.clj
@ -7,6 +7,7 @@
 (ns backend-tests.rpc-nitrate-test
  (:require
   [app.common.uuid :as uuid]
   [app.config :as cf]
   [app.db :as-alias db]
   [app.nitrate :as nitrate]
   [app.rpc :as-alias rpc]
@ -44,6 +45,13 @@
                           :organization-id (:id org-summary)}
      nil)))
 (defn- nitrate-org-summary-only-mock
  [org-summary]
  (fn [_cfg method _params]
    (case method
      :get-org-summary org-summary
      nil)))
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Tests
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -279,6 +287,64 @@
        (let [team (th/db-get :team {:id (:id team1)})]
          (t/is (nil? (:deleted-at team))))))))
 (t/deftest get-leave-org-summary-counts-default-team-as-delete-when-empty
  (let [profile-owner    (th/create-profile* 1 {:is-active true})
        profile-user     (th/create-profile* 2 {:is-active true})
        org-default-team (th/create-team* 97 {:profile-id (:id profile-user)})
        organization-id  (uuid/random)
        your-penpot-id   (:id org-default-team)
        org-summary      (make-org-summary
                          :organization-id organization-id
                          :organization-name "Test Org"
                          :owner-id (:id profile-owner)
                          :your-penpot-teams [your-penpot-id]
                          :org-teams [])]
    (with-redefs [nitrate/call (nitrate-org-summary-only-mock org-summary)]
      (let [out (th/command! {::th/type :get-leave-org-summary
                              ::rpc/profile-id (:id profile-user)
                              :id organization-id
                              :default-team-id your-penpot-id})]
        (t/is (th/success? out))
        (t/is (= {:teams-to-delete 0
                  :teams-to-transfer 0
                  :teams-to-exit 0
                  :teams-to-detach 0}
                 (:result out)))))))
 (t/deftest get-leave-org-summary-counts-default-team-as-keep-when-has-files
  (let [profile-owner    (th/create-profile* 1 {:is-active true})
        profile-user     (th/create-profile* 2 {:is-active true})
        org-default-team (th/create-team* 96 {:profile-id (:id profile-user)})
        project          (th/create-project* 96 {:profile-id (:id profile-user)
                                                 :team-id (:id org-default-team)})
        _                (th/create-file* 96 {:profile-id (:id profile-user)
                                              :project-id (:id project)})
        extra-team       (th/create-team* 95 {:profile-id (:id profile-user)})
        organization-id  (uuid/random)
        your-penpot-id   (:id org-default-team)
        org-summary      (make-org-summary
                          :organization-id organization-id
                          :organization-name "Test Org"
                          :owner-id (:id profile-owner)
                          :your-penpot-teams [your-penpot-id]
                          :org-teams [(:id extra-team)])]
    (with-redefs [nitrate/call (nitrate-org-summary-only-mock org-summary)]
      (let [out (th/command! {::th/type :get-leave-org-summary
                              ::rpc/profile-id (:id profile-user)
                              :id organization-id
                              :default-team-id your-penpot-id})]
        (t/is (th/success? out))
        ;; extra-team is deletable, default team has files and is preserved.
        (t/is (= {:teams-to-delete 1
                  :teams-to-transfer 0
                  :teams-to-exit 0
                  :teams-to-detach 1}
                 (:result out)))))))
 (t/deftest leave-org-error-org-owner-cannot-leave
  (let [profile-owner  (th/create-profile* 1 {:is-active true})
        org-default-team (th/create-team* 99 {:profile-id (:id profile-owner)})
@ -650,6 +716,71 @@
        (t/is (= :validation (th/ex-type (:error out))))
        (t/is (= :not-valid-teams (th/ex-code (:error out))))))))
 (t/deftest all-team-members-in-orgs-returns-org-id->boolean-map
  (let [profile-user  (th/create-profile* 201 {:is-active true})
        profile-other (th/create-profile* 202 {:is-active true})
        team          (th/create-team* 201 {:profile-id (:id profile-user)})
        _             (th/create-team-role* {:team-id (:id team)
                                             :profile-id (:id profile-other)
                                             :role :editor})
        team-member-ids (->> (th/db-query :team-profile-rel {:team-id (:id team)})
                             (map :profile-id)
                             (into #{}))
        org-id-1      (uuid/random)
        org-id-2      (uuid/random)
        calls         (atom [])]
    (with-redefs [cf/flags (conj cf/flags :nitrate)
                  nitrate/call (fn [_cfg method params]
                                 (swap! calls conj [method params])
                                 (case method
                                   :get-org-membership {:is-member true
                                                        :organization-id (:organization-id params)}
                                   :get-org-members (get {org-id-1 (vec team-member-ids)
                                                          org-id-2 [(:id profile-user)]}
                                                         (:organization-id params)
                                                         [])
                                   nil))]
      (let [out (th/command! {::th/type :all-team-members-in-orgs
                              ::rpc/profile-id (:id profile-user)
                              :team-id (:id team)
                              :organization-ids [org-id-1 org-id-2]})
            methods (map first @calls)
            membership-calls (count (filter #(= :get-org-membership %) methods))
            get-members-calls (count (filter #(= :get-org-members %) methods))]
        (t/is (th/success? out))
        (t/is (= {org-id-1 true
                  org-id-2 false}
                 (:result out)))
        (t/is (= 2 membership-calls))
        (t/is (= 2 get-members-calls))))))
 (t/deftest all-team-members-in-orgs-fails-before-fetching-org-members
  (let [profile-user  (th/create-profile* 203 {:is-active true})
        team          (th/create-team* 203 {:profile-id (:id profile-user)})
        org-id-1      (uuid/random)
        org-id-2      (uuid/random)
        calls         (atom [])]
    (with-redefs [cf/flags (conj cf/flags :nitrate)
                  nitrate/call (fn [_cfg method params]
                                 (swap! calls conj [method params])
                                 (case method
                                   :get-org-membership (if (= (:organization-id params) org-id-2)
                                                         {:is-member false
                                                          :organization-id (:organization-id params)}
                                                         {:is-member true
                                                          :organization-id (:organization-id params)})
                                   :get-org-members []
                                   nil))]
      (let [out (th/command! {::th/type :all-team-members-in-orgs
                              ::rpc/profile-id (:id profile-user)
                              :team-id (:id team)
                              :organization-ids [org-id-1 org-id-2]})
            methods (map first @calls)]
        (t/is (not (th/success? out)))
        (t/is (= :validation (th/ex-type (:error out))))
        (t/is (= :user-doesnt-belong-organization (th/ex-code (:error out))))
        (t/is (= 0 (count (filter #(= :get-org-members %) methods))))))))
 (t/deftest leave-org-error-reassign-on-non-owned-team
  (let [profile-owner  (th/create-profile* 1 {:is-active true})
        profile-user   (th/create-profile* 2 {:is-active true})
--- a/backend/test/backend_tests/storage_test.clj
+++ b/backend/test/backend_tests/storage_test.clj
@ -48,6 +48,23 @@
    (t/is (= "content" (slurp (sto/get-object-data storage object))))
    (t/is (= "content" (slurp (sto/get-object-path storage object))))))
 (t/deftest tempfile-objects-are-not-deduplicated
  (let [storage (-> (:app.storage/storage th/*system*)
                    (configure-storage-backend))
        content (-> (sto/content "content")
                    (sto/wrap-with-hash "same-hash"))
        object1 (sto/put-object! storage {::sto/content content
                                          ::sto/deduplicate? true
                                          ::sto/touched-at (ct/in-future {:minutes 10})
                                          :bucket "tempfile"
                                          :content-type "text/plain"})
        object2 (sto/put-object! storage {::sto/content content
                                          ::sto/deduplicate? true
                                          ::sto/touched-at (ct/in-future {:minutes 10})
                                          :bucket "tempfile"
                                          :content-type "text/plain"})]
    (t/is (not= (:id object1) (:id object2)))))
 (t/deftest put-and-retrieve-expired-object
  (let [storage (-> (:app.storage/storage th/*system*)
                    (configure-storage-backend))
--- a/common/AGENTS.md
+++ b/common/AGENTS.md
@ -1,70 +0,0 @@
 # Penpot Common – Agent Instructions
 A shared module with code written in Clojure, ClojureScript, and
 JavaScript. Contains multiplatform code that can be used and executed
 from the frontend, backend, or exporter modules. It uses Clojure reader
 conditionals to specify platform-specific implementations.
 ## General Guidelines
 To ensure consistency across the Penpot stack, all contributions must adhere to
 these criteria:
 ### 1. Testing & Validation
 If code is added or modified in `src/`, corresponding tests in
 `test/common_tests/` must be added or updated.
  * **Environment:** Tests should run in both JS (Node.js) and JVM environments.
 * **Location:** Place tests in the `test/common_tests/` directory, following the
  namespace structure of the source code (e.g., `app.common.colors` ->
  `common-tests.colors-test`).
 * **Execution:** Tests should be executed on both JS (Node.js) and JVM environments:
  * **Isolated:**
    * JS: To run a focused ClojureScript unit test: edit the
    `test/common_tests/runner.cljs` to narrow the test suite, then
    `pnpm run test:js`.
    * JVM: `pnpm run test:jvm --focus common-tests.my-ns-test`
  * **Regression:**
    * JS: Run `pnpm run test:js` without modifications on the runner (preferred)
    * JVM: Run `pnpm run test:jvm`
 ### 2. Code Quality & Formatting
 * **Linting:** All code changes must pass linter checks:
  * Run `pnpm run lint:clj` for CLJ/CLJS/CLJC
 * **Formatting:** All code changes must pass the formatting check
  * Run `pnpm run check-fmt:clj` for CLJ/CLJS/CLJC
  * Run `pnpm run check-fmt:js` for JS
  * Use `pnpm run fmt` to fix all formatting issues (`pnpm run
    fmt:clj` or `pnpm run fmt:js` for isolated formatting fix).
 ## Code Conventions
 ### Namespace Overview
 The source is located under `src` directory and this is a general overview of
 namespaces structure:
 - `app.common.types.*` – Shared data types for shapes, files, pages using Malli schemas
 - `app.common.schema` – Malli abstraction layer, exposes the most used functions from malli
 - `app.common.geom.*` – Geometry and shape transformation helpers
 - `app.common.data` – Generic helpers used across the entire application
 - `app.common.math` – Generic math helpers used across the entire application
 - `app.common.json` – Generic JSON encoding/decoding helpers
 - `app.common.data.macros` – Performance macros used everywhere
 ### Reader Conditionals
 We use reader conditionals to differentiate implementations depending on the
 target platform where the code runs:
 ```clojure
 #?(:clj  (import java.util.UUID)
   :cljs (:require [cljs.core :as core]))
 ```
 Both frontend and backend depend on `common` as a local library (`penpot/common
 {:local/root "../common"}`).
--- a/common/package.json
+++ b/common/package.json
@ -30,6 +30,7 @@
    "watch:test": "concurrently \"clojure -M:dev:shadow-cljs watch test\" \"nodemon -C -d 2 -w target/tests/ --exec 'node target/tests/test.js'\"",
    "build:test": "clojure -M:dev:shadow-cljs compile test",
    "test:js": "pnpm run build:test && node target/tests/test.js",
    "test:quiet": "node ./scripts/test-quiet.js",
    "test:jvm": "clojure -M:dev:test"
  }
 }
--- a/common/scripts/test-quiet.js
+++ b/common/scripts/test-quiet.js
@ -0,0 +1,25 @@
 import { spawnSync } from "node:child_process";
 const progress = (msg) => process.stderr.write(`${msg}\n`);
 progress("Building test bundle...");
 const build = spawnSync("pnpm", ["run", "build:test"], {
  stdio: ["ignore", "pipe", "pipe"],
  maxBuffer: 64 * 1024 * 1024,
 });
 if (build.status !== 0) {
  progress("Building test bundle failed");
  if (build.stdout?.length) process.stdout.write(build.stdout);
  if (build.stderr?.length) process.stderr.write(build.stderr);
  process.exit(build.status ?? 1);
 }
 progress("Running tests...");
 const result = spawnSync(
  "node",
  ["target/tests/test.js", ...process.argv.slice(2)],
  { stdio: "inherit" },
 );
 process.exit(result.status ?? 1);
--- a/common/src/app/common/colors.cljc
+++ b/common/src/app/common/colors.cljc
@ -332,10 +332,7 @@
      (conj opacity)))
 (defn hex->hsl [hex]
-  (try
+  (-> hex hex->rgb rgb->hsl))
    (-> hex hex->rgb rgb->hsl)
    (catch #?(:clj Throwable :cljs :default) _e
      [0 0 0])))
 (defn hex->hsla
  [data opacity]
--- a/common/src/app/common/data/macros.cljc
+++ b/common/src/app/common/data/macros.cljc
@ -17,7 +17,7 @@
 (defmacro select-keys
  "A macro version of `select-keys`. Useful when keys vector is known
-  at compile time (aprox 600% performance boost).
+  at compile time (approx 600% performance boost).
  It is not 100% equivalent, this macro does not removes not existing
  keys in contrast to clojure.core/select-keys"
--- a/common/src/app/common/files/changes.cljc
+++ b/common/src/app/common/files/changes.cljc
@ -1194,7 +1194,7 @@
 ;; frames. Return the ids of the frames affected
 (defn- parents-frames
-  "Go trough the parents and get all of them that are a frame."
+  "Go through the parents and get all of them that are a frame."
  [id objects]
  (->> (cfh/get-parents-with-self objects id)
       (filter cfh/frame-shape?)))
--- a/common/src/app/common/files/changes_builder.cljc
+++ b/common/src/app/common/files/changes_builder.cljc
@ -19,6 +19,7 @@
   [app.common.types.component :as ctk]
   [app.common.types.file :as ctf]
   [app.common.types.path :as path]
   [app.common.types.shape :as cts]
   [app.common.types.shape.layout :as ctl]
   [app.common.types.tokens-lib :as ctob]
   [app.common.uuid :as uuid]
@ -412,12 +413,9 @@
   (add-object changes obj nil))
  ([changes obj {:keys [index ignore-touched] :or {index ::undefined ignore-touched false}}]
   ;; FIXME: add shape validation
   (assert-page-id! changes)
   (assert-objects! changes)
-   (let [obj (cond-> obj
+   (let [obj (cond-> (cts/check-shape obj)
               (not= index ::undefined)
               (assoc ::index index))
--- a/common/src/app/common/files/indices.cljc
+++ b/common/src/app/common/files/indices.cljc
@ -13,7 +13,7 @@
 (defn- generate-index
  "An optimized algorithm for calculate parents index that walk from top
-  to down starting from a provided shape-id. Usefull when you want to
+  to down starting from a provided shape-id. Useful when you want to
  create an index for the whole objects or subpart of the tree."
  [index objects shape-id parents]
  (let [shape   (get objects shape-id)
--- a/common/src/app/common/files/migrations.cljc
+++ b/common/src/app/common/files/migrations.cljc
@ -34,7 +34,7 @@
   [app.common.types.shape.shadow :as ctss]
   [app.common.types.shape.text :as ctst]
   [app.common.types.text :as types.text]
-   [app.common.types.tokens-lib :as types.tokens-lib]
+   [app.common.types.tokens-lib :as ctob]
   [app.common.uuid :as uuid]
   [clojure.set :as set]
   [cuerdas.core :as str]))
@ -1599,7 +1599,7 @@
 (defmethod migrate-data "0014-fix-tokens-lib-duplicate-ids"
  [data _]
-  (d/update-when data :tokens-lib types.tokens-lib/fix-duplicate-token-set-ids))
+  (d/update-when data :tokens-lib ctob/fix-duplicate-token-set-ids))
 (defmethod migrate-data "0014-clear-components-nil-objects"
  [data _]
@ -1833,6 +1833,47 @@
        (cfcp/fix-missing-swap-slots libraries)
        (cfcp/sync-component-id-with-ref-shape libraries))))
 (defmethod migrate-data "0023-repair-token-themes-with-inexistent-sets"
  [data _]
  (d/update-when data :tokens-lib ctob/fix-missing-sets-in-themes))
 ;; This will fix incorrectly created strokes from SVG imports
 ;; that have the stroke-cap at the shape level instead of at the stroke level
 (defmethod migrate-data "0024b-fix-stroke-cap-placement"
  [data _]
  (letfn [(check-strokes [strokes]
            (->> strokes
                 (mapv (fn [stroke]
                         (cond-> stroke
                           (string? (:stroke-cap-start stroke))
                           (update :stroke-cap-start keyword)
                           (string? (:stroke-cap-end stroke))
                           (update :stroke-cap-end keyword))))))
          (fix-shape [shape]
            (let [cap-start (keyword (get shape :stroke-cap-start))
                  cap-end   (keyword (get shape :stroke-cap-end))]
              (if (or (some? cap-start) (some? cap-end))
                (-> shape
                    (dissoc :stroke-cap-start :stroke-cap-end)
                    (cond-> (seq (:strokes shape))
                      (update :strokes check-strokes)
                      (and (some? cap-start) (seq (:strokes shape)))
                      (assoc-in [:strokes 0 :stroke-cap-start] cap-start)
                      (and (some? cap-end) (seq (:strokes shape)))
                      (assoc-in [:strokes 0 :stroke-cap-end] cap-end)))
                shape)))
          (update-container [container]
            (d/update-when container :objects d/update-vals fix-shape))]
    (-> data
        (update :pages-index d/update-vals update-container)
        (d/update-when :components d/update-vals update-container))))
 (def available-migrations
  (into (d/ordered-set)
        ["legacy-2"
@ -1912,4 +1953,6 @@
         "0019-fix-missing-swap-slots"
         "0020-sync-component-id-with-near-main"
         "0021-fix-shape-svg-attrs"
-         "0022-normalize-component-root-and-resync"]))
+         "0022-normalize-component-root-and-resync"
         "0023-repair-token-themes-with-inexistent-sets"
         "0024b-fix-stroke-cap-placement"]))
--- a/common/src/app/common/files/shapes_builder.cljc
+++ b/common/src/app/common/files/shapes_builder.cljc
@ -543,7 +543,7 @@
          (update :svg-attrs dissoc :fill)
          (assoc-in [:fills 0 :fill-color] (clr/parse color-style)))
-      ;; Only create an opacity if the color is setted. Othewise can create problems down the line
+      ;; Only create an opacity if the color is set. Otherwise can create problems down the line
      (and (or (clr/color-string? color-attr) (clr/color-string? color-style))
           (dm/get-in shape [:svg-attrs :fillOpacity]))
      (-> (update :svg-attrs dissoc :fillOpacity)
@ -609,17 +609,13 @@
      (and (some? color) (some? width))
      (assoc-in [:strokes 0 :stroke-width] width)
-      (and (some? linecap) (cfh/path-shape? shape)
+      (and (some? color) (some? linecap) (cfh/path-shape? shape)
           (or (= linecap :round) (= linecap :square)))
      (assoc-in [:strokes 0 :stroke-cap-start] linecap)
-      (assoc :stroke-cap-start linecap
+      (and (some? color) (some? linecap) (cfh/path-shape? shape)
-             :stroke-cap-end linecap
+           (or (= linecap :round) (= linecap :square)))
-             :stroke-linecap linecap)
+      (assoc-in [:strokes 0 :stroke-cap-end] linecap))))
      (d/any-key? (dm/get-in shape [:strokes 0])
                  :strokeColor :strokeOpacity :strokeWidth
                  :strokeLinecap :strokeCapStart :strokeCapEnd)
      (assoc-in [:strokes 0 :stroke-style] :svg))))
 (defn setup-opacity [shape]
  (cond-> shape
--- a/common/src/app/common/files/tokens.cljc
+++ b/common/src/app/common/files/tokens.cljc
@ -148,11 +148,9 @@
          (not (ctob/token-name-path-exists? % tokens-tree)))]])
 (defn make-node-token-name-schema
-  "Dynamically generates a schema to check a token node name, adding translated error messages
+  "Dynamically generates a schema to check the name of a token node, that may be a final token or a group.
-   and two additional validations:
+   This runs same checks as make-token-name-schema, but for all tokens that will be renamed by this change,
-    - Min and max length.
+   if the group already contains tokens."
    - Checks if other token with a path derived from the name already exists at `tokens-tree`.
      e.g. it's not allowed to create a token `foo.bar` if a token `foo` already exists."
  [active-tokens tokens-tree node]
  [:and
   [:string {:min 1 :max 255 :error/fn #(str (:value %) (tr "workspace.tokens.token-name-length-validation-error"))}]
@ -287,12 +285,18 @@
 (defn make-token-theme-schema
  [tokens-lib group name theme-id]
-  (sm/merge
+  [:and
-   ctob/schema:token-theme-attrs
+   (sm/merge
-   [:map
+    ctob/schema:token-theme-attrs
-    [:group (make-token-theme-group-schema tokens-lib name theme-id)] ;; TODO how to keep error-fn from here?
+    [:map
-    [:name (make-token-theme-name-schema tokens-lib group theme-id)]
+     [:group (make-token-theme-group-schema tokens-lib name theme-id)] ;; TODO how to keep error-fn from here?
-    [:description {:optional true} schema:token-theme-description]]))
+     [:name (make-token-theme-name-schema tokens-lib group theme-id)]
     [:description {:optional true} schema:token-theme-description]])
   [:fn {:error/field :sets
         :error/fn #(tr "errors.token-theme-not-existing-sets" (str/join ", " (:sets (:value %))))}
    (fn [{:keys [sets]}]
      (or (nil? tokens-lib)
          (every? #(ctob/get-set-by-name tokens-lib %) sets)))]])
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; HELPERS
--- a/common/src/app/common/files/validate.cljc
+++ b/common/src/app/common/files/validate.cljc
@ -591,7 +591,7 @@
     -it should be a main component
     -its parent should be a variant-container
     -its variant-name is derived from the properties
-     -its name should be tha same as its parent's
+     -its name should be the same as its parent's
   "
  [shape file page]
  (let [parent    (ctst/get-shape page (:parent-id shape))
@ -707,7 +707,7 @@
              (if (#{:main-top :main-nested :main-any} context)
                (report-error :not-component-not-allowed
-                              "Not compoments are not allowed inside a main"
+                              "Not components are not allowed inside a main"
                              shape file page)
                (check-shape-not-component shape file page libraries)))))))))
--- a/common/src/app/common/files/variant.cljc
+++ b/common/src/app/common/files/variant.cljc
@ -11,7 +11,7 @@
   [app.common.types.variant :as ctv]))
 (defn find-variant-components
-  "Find a list of the components thet belongs to this variant-id"
+  "Find a list of the components that belongs to this variant-id"
  ([data variant-id]
   (let [page-id (->> data
                      :components
--- a/common/src/app/common/flags.cljc
+++ b/common/src/app/common/flags.cljc
@ -72,7 +72,11 @@
    :backend-worker
    ;; Only for development
    :component-thumbnails
-    ;; enables the default cors configuration that allows all domains (currently this configuration is only used for development).
+    ;; Enables CORS support for the RPC API. Requires an explicit
    ;; allowlist of origins via PENPOT_ALLOWED_ORIGINS; if no allowlist
    ;; is configured the middleware fails closed (a warning is logged
    ;; and CORS headers are not emitted) to avoid CSRF / data
    ;; exfiltration via origin reflection.
    :cors
    ;; Enables the templates dialog on Penpot dashboard.
    :dashboard-templates-section
@ -165,6 +169,7 @@
    :mcp
    :background-blur
    :available-viewer-wasm
    :stroke-path})
 (def all-flags
--- a/common/src/app/common/geom/modifiers.cljc
+++ b/common/src/app/common/geom/modifiers.cljc
@ -34,7 +34,7 @@
 ;;                    modif-tree))))
 (defn- set-children-modifiers
-  "Propagates the modifiers from a parent too its children applying constraints if necesary"
+  "Propagates the modifiers from a parent too its children applying constraints if necessary"
  [modif-tree children objects bounds parent transformed-parent-bounds ignore-constraints]
  (let [modifiers (dm/get-in modif-tree [(:id parent) :modifiers])]
    ;; Move modifiers don't need to calculate constraints
--- a/common/src/app/common/geom/shapes/bounds.cljc
+++ b/common/src/app/common/geom/shapes/bounds.cljc
@ -11,7 +11,8 @@
   [app.common.files.helpers :as cfh]
   [app.common.geom.rect :as grc]
   [app.common.math :as mth]
-   [app.common.types.path :as path]))
+   [app.common.types.path :as path]
   [app.common.types.stroke :as cts]))
 (defn shape-stroke-margin
  [shape stroke-width]
@ -88,14 +89,23 @@
  ([shape]
   (get-shape-filter-bounds shape false))
  ([shape ignore-shadow-margin?]
-   (if (or (and (cfh/svg-raw-shape? shape)
+   (cond
-                (not= :svg (dm/get-in shape [:content :tag])))
+     ;; SVG raw elements (non-root) don't have proper rotated points; use selrect
-           ;; If no shadows or blur, we return the selrect as is
+     (and (cfh/svg-raw-shape? shape)
-           (and (empty? (-> shape :shadow))
+          (not= :svg (dm/get-in shape [:content :tag])))
                (or (nil? (:blur shape))
                    (not= :layer-blur (-> shape :blur :type))
                    (zero? (-> shape :blur :value (or 0))))))
     (dm/get-prop shape :selrect)
     ;; No shadows or blur: use the axis-aligned bounding box from the actual
     ;; (possibly rotated) points. Using selrect here would be wrong for rotated
     ;; shapes because selrect stores the unrotated rectangle, not the screen-space bbox.
     (and (empty? (-> shape :shadow))
          (or (nil? (:blur shape))
              (not= :layer-blur (-> shape :blur :type))
              (zero? (-> shape :blur :value (or 0)))))
     (-> (dm/get-prop shape :points)
         (grc/points->rect))
     :else
     (let [filters    (shape->filters shape)
           blur-value (case (-> shape :blur :type)
                        :layer-blur (or (-> shape :blur :value) 0)
@ -105,6 +115,19 @@
                          (grc/points->rect))]
       (get-rect-filter-bounds srect filters blur-value ignore-shadow-margin?)))))
 (def ^:private stroke-margin-multiplier 4.25)
 (defn- stroke-cap-marker-margin
  [strokes open-path?]
  (if open-path?
    (->> strokes
         (filter (fn [s]
                   (or (cts/stroke-caps-marker (:stroke-cap-start s))
                       (cts/stroke-caps-marker (:stroke-cap-end s)))))
         (map #(* stroke-margin-multiplier (:stroke-width % 0)))
         (reduce d/max 0))
    0))
 (defn calculate-padding
  ([shape]
   (calculate-padding shape false false))
@ -127,6 +150,11 @@
           0
           (shape-stroke-margin shape stroke-width))
         stroke-cap-margin
         (if ignore-margin?
           0
           (stroke-cap-marker-margin strokes open-path?))
         shadow-width
         (->> (:shadow shape)
              (remove :hidden)
@ -149,8 +177,8 @@
         shadow-width
         (if ignore-shadow-margin? 0 shadow-width)]
-     {:horizontal (mth/ceil (+ stroke-margin shadow-width))
+     {:horizontal (mth/ceil (+ stroke-margin stroke-cap-margin shadow-width))
-      :vertical (mth/ceil (+ stroke-margin shadow-height))})))
+      :vertical (mth/ceil (+ stroke-margin stroke-cap-margin shadow-height))})))
 (defn- add-padding
  [bounds padding]
--- a/common/src/app/common/geom/shapes/constraints.cljc
+++ b/common/src/app/common/geom/shapes/constraints.cljc
@ -264,7 +264,7 @@
      :scale)))
 (defn normalize-modifiers
-  "Before aplying constraints we need to remove the deformation caused by the resizing of the parent"
+  "Before applying constraints we need to remove the deformation caused by the resizing of the parent"
  [constraints-h constraints-v modifiers
   child-bounds transformed-child-bounds parent-bounds transformed-parent-bounds]
--- a/common/src/app/common/geom/shapes/flex_layout/bounds.cljc
+++ b/common/src/app/common/geom/shapes/flex_layout/bounds.cljc
@ -12,7 +12,7 @@
   [app.common.geom.shapes.points :as gpo]
   [app.common.types.shape.layout :as ctl]))
-;; Setted in app.common.geom.shapes.common-layout
+;; Set in app.common.geom.shapes.common-layout
 ;; We do it this way because circular dependencies
 (def -child-min-width nil)
--- a/common/src/app/common/geom/shapes/flex_layout/layout_data.cljc
+++ b/common/src/app/common/geom/shapes/flex_layout/layout_data.cljc
@ -14,7 +14,7 @@
 (def conjv (fnil conj []))
-;; Setted in app.common.geom.shapes.min-size-layout
+;; Set in app.common.geom.shapes.min-size-layout
 ;; We do it this way because circular dependencies
 (def -child-min-width nil)
--- a/common/src/app/common/geom/shapes/grid_layout/layout_data.cljc
+++ b/common/src/app/common/geom/shapes/grid_layout/layout_data.cljc
@ -39,7 +39,7 @@
 ;;
 ;;   5. If any track still has an infinite growth limit set its growth limit to its base size.
-;; - Distribute extra space accross spaned tracks
+;; - Distribute extra space across spanned tracks
 ;; - Maximize tracks
 ;;
 ;; - Expand flexible tracks
@ -55,7 +55,7 @@
   [app.common.math :as mth]
   [app.common.types.shape.layout :as ctl]))
-;; Setted in app.common.geom.shapes.common-layout
+;; Set in app.common.geom.shapes.common-layout
 ;; We do it this way because circular dependencies
 (def -child-min-width nil)
@ -449,7 +449,7 @@
         column-tracks (set-auto-base-size column-tracks children shape-cells bounds objects :column)
         row-tracks    (set-auto-base-size row-tracks children shape-cells bounds objects :row)
-         ;; Adjust multi-spaned cells with no flex columns
+         ;; Adjust multi-spanned cells with no flex columns
         column-tracks (set-auto-multi-span parent column-tracks children-map shape-cells bounds objects :column)
         row-tracks (set-auto-multi-span parent row-tracks children-map shape-cells bounds objects :row)
--- a/common/src/app/common/geom/shapes/intersect.cljc
+++ b/common/src/app/common/geom/shapes/intersect.cljc
@ -369,7 +369,7 @@
 (defn line-line-intersect
-  "Calculates the interesection point for two lines given by the points a-b and b-c"
+  "Calculates the intersection point for two lines given by the points a-b and b-c"
  [a b c d]
  (let [;; Line equation representation: ax + by + c = 0
--- a/common/src/app/common/geom/shapes/points.cljc
+++ b/common/src/app/common/geom/shapes/points.cljc
@ -31,21 +31,21 @@
      (gpt/scale val)))
 (defn end-hv
-  "Horizontal vector from the oposite to the origin in the x axis with a magnitude `val`"
+  "Horizontal vector from the opposite to the origin in the x axis with a magnitude `val`"
  [[p0 p1 _ _] val]
  (-> (gpt/to-vec p1 p0)
      (gpt/unit)
      (gpt/scale val)))
 (defn start-vv
-  "Vertical vector from the oposite to the origin in the x axis with a magnitude `val`"
+  "Vertical vector from the opposite to the origin in the x axis with a magnitude `val`"
  [[p0 _ _ p3] val]
  (-> (gpt/to-vec p0 p3)
      (gpt/unit)
      (gpt/scale val)))
 (defn end-vv
-  "Vertical vector from the oposite to the origin in the x axis with a magnitude `val`"
+  "Vertical vector from the opposite to the origin in the x axis with a magnitude `val`"
  [[p0 _ _ p3] val]
  (-> (gpt/to-vec p3 p0)
      (gpt/unit)
--- a/common/src/app/common/geom/shapes/transforms.cljc
+++ b/common/src/app/common/geom/shapes/transforms.cljc
@ -283,7 +283,7 @@
    [selrect transform (when (some? transform) (gmt/inverse transform))]))
 (defn- adjust-shape-flips
-  "After some tranformations the flip-x/flip-y flags can change we need
+  "After some transformations the flip-x/flip-y flags can change we need
  to check this before adjusting the selrect"
  [shape points]
  (let [points' (dm/get-prop shape :points)
--- a/common/src/app/common/geom/shapes/tree_seq.cljc
+++ b/common/src/app/common/geom/shapes/tree_seq.cljc
@ -90,7 +90,7 @@
      child-seq)))
 (defn resolve-subtree
-  "Resolves the subtree but only partialy from-to the parameters"
+  "Resolves the subtree but only partially from-to the parameters"
  [from-id to-id objects]
  (concat
   (->> (get-children-seq from-id objects)
--- a/common/src/app/common/logic/libraries.cljc
+++ b/common/src/app/common/logic/libraries.cljc
@ -486,36 +486,41 @@
  that use assets of the given type in the given library.
  If an asset id is given, only shapes linked to this particular asset will
-  be synchronized."
+  be synchronized.
  [changes file-id asset-type asset-id library-id libraries current-file-id]
  (assert (contains? #{:colors :components :typographies} asset-type))
  (assert (or (nil? asset-id) (uuid? asset-id)))
  (assert (uuid? file-id))
  (assert (uuid? library-id))
-  (container-log :info asset-id
+  If early-return? is true, stops as soon as the first change is generated."
-                 :msg "Sync file with library"
+  ([changes file-id asset-type asset-id library-id libraries current-file-id]
-                 :asset-type asset-type
+   (generate-sync-file changes file-id asset-type asset-id library-id libraries current-file-id false))
-                 :asset-id asset-id
+  ([changes file-id asset-type asset-id library-id libraries current-file-id early-return?]
-                 :file (pretty-file file-id libraries current-file-id)
+   (assert (contains? #{:colors :components :typographies} asset-type))
-                 :library (pretty-file library-id libraries current-file-id))
+   (assert (or (nil? asset-id) (uuid? asset-id)))
   (assert (uuid? file-id))
   (assert (uuid? library-id))
-  (let [file          (get-in libraries [file-id :data])]
+   (container-log :info asset-id
-    (loop [containers (ctf/object-containers-seq file)
+                  :msg "Sync file with library"
-           changes    changes]
+                  :asset-type asset-type
-      (if-let [container (first containers)]
+                  :asset-id asset-id
-        (do
+                  :file (pretty-file file-id libraries current-file-id)
-          (recur (next containers)
+                  :library (pretty-file library-id libraries current-file-id))
-                 (pcb/concat-changes ;;TODO Remove concat changes
+
-                  changes
+   (let [file (get-in libraries [file-id :data])]
-                  (generate-sync-container (pcb/empty-changes nil)
+     (loop [containers (ctf/object-containers-seq file)
-                                           asset-type
+            changes    changes]
-                                           asset-id
+       (let [container (first containers)]
-                                           library-id
+         (if (or (nil? container)
-                                           container
+                 (and early-return? (seq (:redo-changes changes))))
-                                           libraries
+           changes
-                                           current-file-id))))
+           (recur (next containers)
-        changes))))
+                  (pcb/concat-changes ;;TODO Remove concat changes
                   changes
                   (generate-sync-container (pcb/empty-changes nil)
                                            asset-type
                                            asset-id
                                            library-id
                                            container
                                            libraries
                                            current-file-id)))))))))
 (defn generate-sync-library
  "Generate changes to synchronize all shapes in all components of the
@ -523,35 +528,41 @@
  the given library.
  If an asset id is given, only shapes linked to this particular asset will
-  be synchronized."
+  be synchronized.
  [changes file-id asset-type asset-id library-id libraries current-file-id]
  (assert (contains? #{:colors :components :typographies} asset-type))
  (assert (or (nil? asset-id) (uuid? asset-id)))
  (assert (uuid? file-id))
  (assert (uuid? library-id))
-  (container-log :info asset-id
+  If early-return? is true, stops as soon as the first change is generated."
-                 :msg "Sync local components with library"
+  ([changes file-id asset-type asset-id library-id libraries current-file-id]
-                 :asset-type asset-type
+   (generate-sync-library changes file-id asset-type asset-id library-id libraries current-file-id false))
-                 :asset-id asset-id
+  ([changes file-id asset-type asset-id library-id libraries current-file-id early-return?]
-                 :file (pretty-file file-id libraries current-file-id)
+   (assert (contains? #{:colors :components :typographies} asset-type))
-                 :library (pretty-file library-id libraries current-file-id))
+   (assert (or (nil? asset-id) (uuid? asset-id)))
   (assert (uuid? file-id))
   (assert (uuid? library-id))
-  (let [file          (get-in libraries [file-id :data])]
+   (container-log :info asset-id
-    (loop [local-components (ctkl/components-seq file)
+                  :msg "Sync local components with library"
-           changes changes]
+                  :asset-type asset-type
-      (if-let [local-component (first local-components)]
+                  :asset-id asset-id
-        (recur (next local-components)
+                  :file (pretty-file file-id libraries current-file-id)
-               (pcb/concat-changes ;;TODO Remove concat changes
+                  :library (pretty-file library-id libraries current-file-id))
-                changes
+
-                (generate-sync-container  (pcb/empty-changes nil)
+   (let [file (get-in libraries [file-id :data])]
-                                          asset-type
+     (loop [local-components (ctkl/components-seq file)
-                                          asset-id
+            changes          changes]
-                                          library-id
+       (let [local-component (first local-components)]
-                                          (cfh/make-container local-component :component)
+         (if (or (nil? local-component)
-                                          libraries
+                 (and early-return? (seq (:redo-changes changes))))
-                                          current-file-id)))
+           changes
-        changes))))
+           (recur (next local-components)
                  (pcb/concat-changes ;;TODO Remove concat changes
                   changes
                   (generate-sync-container (pcb/empty-changes nil)
                                            asset-type
                                            asset-id
                                            library-id
                                            (cfh/make-container local-component :component)
                                            libraries
                                            current-file-id)))))))))
 (defn- generate-sync-container
  "Generate changes to synchronize all shapes in a particular container (a page
@ -1851,7 +1862,7 @@
                ;; On texts, when we want to omit the touched attrs, both text (the actual letters)
                ;; and attrs (bold, font, etc) are in the same attr :content.
-                ;; If only one of them is touched, we want to adress this case and
+                ;; If only one of them is touched, we want to address this case and
                ;; only update the untouched one
                text-content-change?
                (and omit-touched?
@ -2091,6 +2102,38 @@
           (or (:transform current-shape) (gmt/matrix)))))))
 (defn- switch-geom-change-value
  [prev-shape current-shape attr]
  ;; Composite geometry stores absolute coordinates. When preserving a size
  ;; override across variants, keep the target variant's position and only carry
  ;; the previous dimensions; otherwise :x/:y can disagree with :selrect/:points.
  (let [prev-selrect (:selrect prev-shape)
        current-selrect (:selrect current-shape)
        final-width (:width prev-selrect)
        final-height (:height prev-selrect)
        x (:x current-selrect)
        y (:y current-selrect)
        selrect (assoc current-selrect
                       :width final-width
                       :height final-height
                       :x x
                       :y y
                       :x1 x
                       :y1 y
                       :x2 (+ x final-width)
                       :y2 (+ y final-height))]
    (case attr
      :selrect
      selrect
      :points
      (-> selrect
          (grc/rect->points)
          (gsh/transform-points
           (grc/rect->center selrect)
           (or (:transform current-shape) (gmt/matrix)))))))
 (defn- equal-geometry?
  "Returns true when the value of `attr` in `shape` is considered equal
   to the corresponding value in `origin-shape`, ignoring positional
@ -2195,7 +2238,7 @@
              ;; On texts, both text (the actual letters)
              ;; and attrs (bold, font, etc) are in the same attr :content.
-              ;; If only one of them is touched, we want to adress this case and
+              ;; If only one of them is touched, we want to address this case and
              ;; only update the untouched one
              text-change?
              (and (not skip-operations?)
@ -2260,6 +2303,10 @@
                       (contains? #{:points :selrect :width :height} attr))
                  (switch-fixed-layout-geom-change-value previous-shape current-shape origin-ref-shape attr)
                  (and (contains? #{:points :selrect} attr)
                       (not path-change?))
                  (switch-geom-change-value previous-shape current-shape attr)
                  :else
                  (get previous-shape attr)))
@ -2667,29 +2714,30 @@
            (generate-new-shape-for-swap shape file page libraries id-new-component index target-cell keep-props-values))]
    [new-shape all-parents changes]))
-(defn generate-sync-file-changes
+(defn- maybe-sync
-  [changes undo-group asset-type file-id asset-id library-id libraries current-file-id]
+  [c enabled? done? f]
-  (let [sync-components?   (or (nil? asset-type) (= asset-type :components))
+  (if (and enabled? (not (done? c)))
-        sync-colors?       (or (nil? asset-type) (= asset-type :colors))
+    (f c)
-        sync-typographies? (or (nil? asset-type) (= asset-type :typographies))]
+    c))
-    (cond-> changes
+
-      :always
+(defn generate-sync-file-changes
-      (pcb/set-undo-group undo-group)
+  ([changes undo-group asset-type file-id asset-id library-id libraries current-file-id]
-      ;; library-changes
+   (generate-sync-file-changes changes undo-group asset-type file-id asset-id library-id libraries current-file-id false))
-      sync-components?
+  ([changes undo-group asset-type file-id asset-id library-id libraries current-file-id early-return?]
-      (generate-sync-library file-id :components asset-id library-id libraries current-file-id)
+   (let [sync-components?   (or (nil? asset-type) (= asset-type :components))
-      sync-colors?
+         sync-colors?       (or (nil? asset-type) (= asset-type :colors))
-      (generate-sync-library file-id :colors asset-id library-id libraries current-file-id)
+         sync-typographies? (or (nil? asset-type) (= asset-type :typographies))
-      sync-typographies?
+         done?              (fn [c] (and early-return? (seq (:redo-changes c))))]
-      (generate-sync-library file-id :typographies asset-id library-id libraries current-file-id)
+     (-> (pcb/set-undo-group changes undo-group)
         ;; library-changes
         (maybe-sync sync-components? done? #(generate-sync-library % file-id :components asset-id library-id libraries current-file-id early-return?))
         (maybe-sync sync-colors? done? #(generate-sync-library % file-id :colors asset-id library-id libraries current-file-id early-return?))
         (maybe-sync sync-typographies? done? #(generate-sync-library % file-id :typographies asset-id library-id libraries current-file-id early-return?))
         ;; file-changes
         (maybe-sync sync-components? done? #(generate-sync-file % file-id :components asset-id library-id libraries current-file-id early-return?))
         (maybe-sync sync-colors? done? #(generate-sync-file % file-id :colors asset-id library-id libraries current-file-id early-return?))
         (maybe-sync sync-typographies? done? #(generate-sync-file % file-id :typographies asset-id library-id libraries current-file-id early-return?))))))
      ;; file-changes
      sync-components?
      (generate-sync-file file-id :components asset-id library-id libraries current-file-id)
      sync-colors?
      (generate-sync-file file-id :colors asset-id library-id libraries current-file-id)
      sync-typographies?
      (generate-sync-file file-id :typographies asset-id library-id libraries current-file-id))))
 (defn generate-sync-head
  [changes file-full libraries container id reset?]
--- a/Show More
+++ b/Show More
`@ -1 +1 @@`
	`{{invited-by\|abbreviate:25}} has invited you to join the organization “{{ organization-name\|abbreviate:25 }}”`	`{{invited-by\|abbreviate:25}} has invited you to join the organization “{{ organization.name\|abbreviate:25 }}”`
		`@ -0,0 +1 @@`
							`Your Enterprise subscription renews on {{ renewal-date }}`