tpi-flow: v3.1.0

3.1.0 — 2026-04-19

Features

• administration: panneau admin avec rôles RBAC — remplace l'ancien ADMIN_TOKEN.
• authentification: réinitialisation de mot de passe par email et vérification d'adresse à l'inscription.
• emails transactionnels: intégration Postmark + templates React Email pour les flux d'auth.
• digest hebdomadaire: récapitulatif TPI envoyé chaque dimanche par email.
• landing page: refonte complète avec effet glassmorphism.
• pages légales: CGU et confidentialité repassées au style glassmorphism, lisibles en dark mode.
• ui interne: effet glass-card sur les cartes principales, orbes d'arrière-plan ajustées.
• branding: image Open Graph glassmorph générée de façon reproductible.
• changelog in-app: parcourt les dernières releases GitHub pour toujours afficher des notes non vides.

Bug Fixes

• authentification: vérification d'email obligatoire, erreurs de login plus robustes, templates email harmonisés.
• reset password: token retiré de l'URL, timer de redirection fiabilisé, labels accessibles.
• digest hebdomadaire: fenêtre de semaine en timezone locale, claim atomique + heartbeat, interruption propre si le lock est perdu au shutdown.
• changelog in-app: timeout sur les fetch GitHub, clés React stables, fallback si la dernière release est vide, prise en compte des sections breaking et perf.
• emails: logos et liens épinglés à l'origine publique, EMAIL_PUBLIC_URL validée (http(s) uniquement).
• landing: focus trap sur le menu mobile, lisibilité du bouton « Se connecter » au survol, corrections a11y.
• sécurité: remédiation des findings de l'audit Snyk / Semgrep / CodeRabbit du 2026-04-19.
• arrêt gracieux: chaque ressource est fermée indépendamment, plus de double-close.
• accessibilité: fallback lisible pour les titres en dégradé (impression et forced-colors).
• ci: workflow CLA Assistant corrigé (branche non protégée, config remote-* retirée).
• lint: conformité avec les nouvelles règles d'eslint-plugin-react-hooks 7.1.

tpi-flow: v3.0.0

3.0.0 (2026-04-17)

⚠ BREAKING CHANGES

• license: project license changed from GNU GPL-3.0 to Elastic License 2.0. Source remains publicly available on GitHub and personal, academic and internal use stays free. Providing TPI Flow (or a modified version) to third parties as a hosted or managed service now requires a separate commercial license. Versions already tagged under GPL-3.0 keep their GPL-3.0 terms.
• license: project license changed from GNU GPL-3.0 to Elastic License 2.0. Source remains publicly available on GitHub and personal, academic and internal use stays free. Providing TPI Flow (or a modified version) to third parties as a hosted or managed service now requires a separate commercial license. Versions already tagged under GPL-3.0 keep their GPL-3.0 terms.

Miscellaneous Chores

• license: switch from GPL-3.0 to Elastic License 2.0 (93f76d6)
• license: switch from GPL-3.0 to Elastic License 2.0 (#219) (206daef)

tpi-flow: v2.12.4

2.12.4 (2026-04-16)

Bug Fixes

• admin-changelog: parse release-please scope format and more sections (#217) (53e02a4)

tpi-flow: v2.12.3

2.12.3 (2026-04-16)

Bug Fixes

• ci: use object-form signCommand with absolute signtool path (#215) (666f135)

tpi-flow: v2.12.2

2.12.2 (2026-04-16)

Bug Fixes

• ci: call signtool directly instead of wrapping it in PowerShell (#213) (5f25b5e)

tpi-flow: v2.12.1

2.12.1 (2026-04-16)

Bug Fixes

• ci: use powershell.exe for signCommand instead of pwsh (#211) (db7ff3a)

tpi-flow: v2.12.0

2.12.0 (2026-04-16)

Features

• migrate SSE to Socket.io WebSocket with Redis adapter (7b4c8da)
• migrate SSE to Socket.io WebSocket with Redis adapter (6ebadb9)
• overtime: extend day range visually instead of rolling task over (b1002db)
• tasks: detect apprentice overtime and reflect it in the XLSX export (71a6e78)

Bug Fixes

• admin-users: send FORCE_LOGOUT after user delete succeeds (a846ae7)
• apply CodeRabbit review recommendations (1801753)
• clean up partial Redis connections and fail fast in prod (570a72a)
• csp: align CORS_ORIGIN default with index.ts and app.ts (c89c52b)
• csp: restrict connect-src ws origins to CORS_ORIGIN (bad0f39)
• desktop: disable DMA-BUF renderer to prevent white screen on Linux (#200) (9b3d754)
• desktop: remove AppImage from release and re-enable GPU rendering (#207) (db3e664)
• gantt: clamp startTime to working day bounds in bar geometry (948a341)
• hide Redis password from healthcheck, guard attachSocketIO (25787b5)
• kanban: auto-set progress to 100% when moving task to done (#206) (f54730b), closes #205
• log auth errors in WS middleware, add maintenance cache fallback (c4aee06)
• overtime: align capacity messaging, export defaults, and break math (a1eaed3)
• prod guard checks raw REDIS_URL, void async signal handlers (526bdf9)
• read maintenance state from DB on each connection (07858b7)
• reduce PG work_mem to 4MB, bind Redis to localhost only (6bb476a)
• regenerate lockfile after deps move (e46b938)
• require payload on CLEAR_MAINTENANCE and FORCE_LOGOUT schemas (cd283dd)
• ws: reconnect socket when page restored from bfcache (57e97bc)
• ws: reconnect socket when page restored from bfcache (2faab8f)

Performance Improvements

• db: optimize PostgreSQL for 100 concurrent users (8a965aa)
• db: optimize PostgreSQL for 100 concurrent users (#202) (6fda30b)

tpi-flow: v2.11.0

2.11.0 (2026-04-15)

Features

• admin: expand dashboard with users, messaging, and changelog editor (6893746)
• admin: expand dashboard with users, messaging, and changelog editor (12a8275)
• gantt: mark days as sick to shift planning by one working day (3dc54d1)

Bug Fixes

• admin: a11y focus management for user-tab modals (77c4469)
• admin: address review findings (8556e78)
• admin: mask reset-password input, clamp page after delete, ignore stale fetches (899d7f9)
• admin: stop modal focus thrash on parent re-render (2182433)
• gantt: properly cascade tasks around a sick day (65df442)
• recurring task occurrence no longer resets startTime to day start (bc21e51)
• sick-days: harden concurrency, validation, a11y and export duration (95981e0)
• sick-days: lock projectSettings/tasks rows on PG to prevent lost updates (ceb6910)
• web: disable view transitions in Tauri to prevent WebKitGTK crash (251d463)
• web: disable view transitions in Tauri to prevent WebKitGTK crash (2afd525)

tpi-flow: v2.10.0

2.10.0 (2026-04-14)

Features

• api: persist maintenance state across API restarts (5e38a60)
• api: persist maintenance state to survive API restarts (efaa3d9)
• auth: enable better-auth cookieCache and re-enable rate limit on /get-session (fe41c46)
• feedback: add in-app bug report and feature request flow (877c473)
• feedback: in-app bug report and feature request (0b9e9e5)
• real-time SSE notifications + admin broadcast dashboard (08b72c5)
• real-time SSE notifications with admin broadcast dashboard (85ae1f0), closes #177
• web: add FAQ page covering common user questions (2811b3a)
• web: add FAQ page covering common user questions (5a98a65)
• web: add work-in-progress banner on FAQ page (8b8b534)

Bug Fixes

• address CodeRabbit SSE PR feedback (5b89adc)
• api: add CSP hash for theme bootstrap script (48c60cc)
• api: add CSP hash for theme bootstrap script (73561ed)
• api: only count failed auth attempts toward admin rate limit (27cb4e1)
• api: scope clearPersistedMaintenance delete to the singleton row (fa72469)
• api: validate persisted maintenance payload on hydration (94c853d)
• auth: give /get-session a dedicated rate limit budget (db268b6)
• desktop: blank window on Linux + updater ACL denial (c4b51c0)
• desktop: blank window on Linux + updater ACL denial (#186) (45cd6d4)
• desktop: drop unused localhost scope from updater capability (ac6844b)
• feedback: address PR review (round 2) (807c413)
• feedback: address review feedback (4274def)
• feedback: copy issue body to clipboard instead of URL params (968eb7a)
• feedback: remove hidden Select that broke radio toggling (553b92c)
• feedback: trim pageUrl and userAgent before submission (1d4ec21)
• onboarding: correct HERMES/IPERKA explanations and add Clôture phase (5c8a20c)
• web: don't leak admin token length requirement in login form (9bcb071)
• web: harden adminFetch headers and drop env-var leak on 503 (366fc84)
• web: keep admin token in memory only (42d9586)

Performance Improvements

• web: minimize render-blocking theme script and fix dark variant selector (7d24014)
• web: minimize render-blocking theme script and fix dark variant selector (55bfd3f)

tpi-flow: v2.9.0

2.9.0 (2026-04-13)

Features

• web: add global dark mode (7741e7b)
• web: drag-n-drop reorder for sections (ffb9e98)
• web: drag-n-drop reorder for sections in section manager (9d2b368)

Bug Fixes

• web: add aria-label to risk-table save/cancel/edit/delete buttons (9e59418)
• web: add dark variants to remaining colored surfaces (91f3adf)
• web: constrain theme switcher layout (e8d5b9f)
• web: give icon-only controls accessible names (f32ddf1)
• web: honor IPERKA methodology in dashboard and kanban phase filters (68587de)
• web: honor IPERKA methodology in phase filters (926bc13)
• web: only mark tasks overdue when endDate is before today (42023f7)
• web: restore vivid tints in dark mode (84f33a4)
• web: serialize section reorder PUTs and sync optimistic cache (93346b0)
• web: tâches du jour plus marquées "en retard" dès minuit (f15c815)

Performance Improvements

• web: use View Transitions API for theme switch (05cf371)