-**0.0.9** - Security hardening and quote-workflow refactor release
15
16
16
17
---
17
18
19
+
## [0.0.9] - 2026-03-26
20
+
21
+
### Added
22
+
-**Quote workflow service modules** - Added `server/lib/quoteActivity.js`, `server/services/itemStatsService.js`, and `server/services/quoteService.js` so activity logging, item analytics bookkeeping, quote send, duplication, and status transitions are reusable outside the route layer.
-**Release notes for 0.0.9** - Added a dedicated `RELEASE_NOTES_0.0.9.md` summary for packaging/tagging and downstream release publishing.
25
+
26
+
### Changed
27
+
-**Quote detail architecture** - `QuoteDetailPage.jsx` has been reduced substantially by moving shared state and modal/file-picker concerns into dedicated modules.
28
+
-**Quote builder architecture** - `QuoteBuilder.jsx` now delegates line-item editing, adjustment management, and inventory browsing to smaller focused panels.
29
+
-**Shared pricing logic** - Public and operator quote totals now derive from the same shared helper instead of duplicating pricing/adjustment math in two pages.
30
+
-**Backend route structure** - `server/routes/quotes.js` now routes through extracted quote services/helpers instead of hosting the core orchestration inline.
31
+
32
+
### Fixed
33
+
-**JWT and extension-auth fallback behavior** - Auth middleware no longer leaves broad route access coupled to a generic extension token path.
34
+
-**Public file and quote exposure** - File serving and public quote payloads now use tighter access checks and smaller response surfaces.
35
+
-**Upload and attachment safety** - File uploads are validated from actual file signatures, and outbound quote mail only attaches files already linked to the quote.
36
+
-**Public quote state mutation guardrails** - Public approval/signing-related flows now have stronger state checks and safer backend handling.
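Review bot: The four entries under `### Fixed` are security fixes (JWT/extension-token fallback, public file and quote exposure, upload validation, public quote state changes), but they are worded as outcomes and filed with ordinary bug fixes, so an operator reading the changelog cannot tell what was exposed before 0.0.9 or how urgent the upgrade is. Suggest moving them under a `### Security` heading, which fits the Added/Changed/Fixed layout already used here, and stating for each one the affected surface (for example which routes accepted the generic extension token) and whether any action is needed after upgrading.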
@@ -21,18 +21,16 @@ BadShuffle is a self-hosted event rental software platform for project-centric q
21
21
-**Domain complexity** — Availability conflicts, per-line pricing overrides, reusable rental/payment policies, and public quote signing target actual event-rental workflows.
22
22
-**Deployment pragmatism** — Run it locally, on a LAN, in Docker, or as packaged Windows executables.
23
23
24
-
## What’s New In v0.0.8
24
+
## What’s New In v0.0.9
25
25
26
-
`v0.0.8` is the navigation, admin continuity, UX polish, and Windows host packaging release, now followed by a hotfix pass that focuses on performance, mobile behavior, editing safety, and import resilience. It reorganizes the operator experience around workflow-based navigation, adds in-app database backup/restore, ships packaged Windows `.exe` artifacts for self-hosted deployments, and tightens daily operator workflows with better loading, error handling, and guardrails.
26
+
`v0.0.9` is the security hardening and quote-workflow refactor release. It tightens public/auth/file handling on the backend, breaks the largest quote surfaces into smaller maintainable modules, and standardizes shared pricing logic so the operator and public quote experiences stay in sync as the product grows.
27
27
28
-
-**Navigation architecture refresh** — The sidebar is now grouped around workflows (Projects, Inventory, Messages, Directory, Settings), supports collapse + flyout behavior, and surfaces unread-message plus pending-admin counts alongside live team presence.
29
-
-**Admin continuity tooling** — Admin now includes SQLite backup export/import so operators can migrate or restore data without leaving the app.
30
-
-**New workspace surfaces** — Added a Directory hub for Leads/Vendors plus dedicated Inventory Settings and Message Settings screens for operational preferences.
31
-
-**Windows host packaging** — The project is packaged for Windows hosts with separate server, client, and updater `.exe` artifacts so operators can run BadShuffle without a manual Node deployment.
32
-
-**Performance hotfixes** — Heavy operator and public routes now lazy-load on first navigation, reducing the initial client bundle cost for day-to-day use.
33
-
-**Workflow safety hotfixes** — Quote detail editing now warns before reload or navigation when there are unsaved changes, making large project edits harder to lose accidentally.
34
-
-**Responsive messaging polish** — Messages now behaves as a focused single-pane experience on smaller screens, with cleaner thread/detail transitions during mobile use.
35
-
-**Debugging and import hardening** — Settings can enable verbose error output for debugging, quote creation failures now return cleaner API errors, and sheet/item imports reject numeric-only titles that commonly come from spreadsheet date serials or malformed source data.
28
+
-**Security hardening pass** — JWT and extension-token handling is narrowed, file-serving auth is stricter, public quote payloads are least-privilege, upload MIME detection is content-based, and quote email attachments are scoped to the active project.
29
+
-**Backend quote-service extraction** — Quote send, duplicate, activity logging, status transitions, and item stats bookkeeping now live in dedicated service/lib modules instead of a single oversized route file.
30
+
-**Quote detail decomposition** — QuoteDetailPage now relies on extracted helpers/components and a shared controller hook so editing, files, sending, and totals logic are easier to evolve independently.
31
+
-**Quote builder decomposition** — QuoteBuilder has been split into focused line-items, adjustments, and inventory-picker panels, reducing rerender pressure and making future UI changes less risky.
32
+
-**Shared totals utility** — Quote total/adjustment logic now comes from one shared utility instead of drifting between QuoteDetail and PublicQuote.
33
+
-**Release documentation refresh** — README, changelog, status notes, package versions, and release notes have all been aligned to `0.0.9`.
36
34
37
35
## Core Features
38
36
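Review bot: In the added "Security hardening pass" bullet, "quote email attachments are scoped to the active project" does not match the CHANGELOG entry in this same commit, which says outbound quote mail "only attaches files already linked to the quote". Project-level and quote-level scoping are different access boundaries, so the README should use the quote-level wording if that is what the check enforces. "public quote payloads are least-privilege" is also loose; the changelog's "smaller response surfaces" says the same thing more concretely.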
@@ -54,10 +52,10 @@ BadShuffle is a self-hosted event rental software platform for project-centric q
54
52
55
53
## Near-Term Roadmap
56
54
57
-
-**Cross-theme QA + responsive pass** — Finish theme verification and close the remaining mobile layout gaps across quote editing, messages, and modal-heavy views.
58
-
-**Performance follow-up** — Finish image lazy loading on the remaining public/files surfaces and review post-split route chunk sizes.
59
-
-**Workflow safety** — Extend unsaved-change protection to other high-risk forms and replace destructive browser confirms with better inline confirmation patterns.
-**Frontend refactor completion** — Finish landing the QuoteDetail/QuoteBuilder extraction work and smoke-test the refactored flows across desktop and mobile.
56
+
-**Cross-theme QA + responsive pass** — Close the remaining theme/mobile gaps across quote editing, messages, and modal-heavy views.
57
+
-**Workflow safety** — Extend unsaved-change protection and better destructive-action confirmation patterns to other high-risk forms.
58
+
-**Operations depth** — Send preview, pull sheets, richer warehouse workflows, and migration/versioning cleanup for the database bootstrap.
61
59
62
60
More context lives in [ai/KNOWN_GAPS.md](ai/KNOWN_GAPS.md) and [ai/TODO.md](ai/TODO.md).
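Review bot: The "Performance follow-up" roadmap item (image lazy loading on the remaining public/files surfaces, post-split chunk size review) is deleted rather than reworded, and nothing in the 0.0.9 changelog or release notes in this commit records it as done. If it is finished, say so in the changelog; if it is deferred, keep it here or confirm it is tracked in ai/TODO.md. The new roadmap also lists no follow-up for the security hardening (for example regression coverage for the auth and file-serving checks), which is worth a line given that hardening is the headline of this release.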
`0.0.9` is the security hardening and quote-workflow refactor release. It tightens auth/public/file behavior on the backend, extracts the largest quote flows into reusable services and helpers, and continues the QuoteDetail/QuoteBuilder decomposition so future work can land with less coupling and less drift.
8
+
9
+
## Highlights
10
+
11
+
- Stricter auth and public-surface handling around JWT, extension-token access, file serving, and public quote payloads
12
+
- Upload validation now uses detected file signatures instead of trusting browser MIME values
13
+
- Quote email attachments are restricted to files already linked to the active quote
14
+
-`server/routes/quotes.js` now delegates orchestration to:
15
+
-`server/lib/quoteActivity.js`
16
+
-`server/services/itemStatsService.js`
17
+
-`server/services/quoteService.js`
18
+
- Shared quote pricing/totals logic moved to `client/src/lib/quoteTotals.js`
19
+
- QuoteDetail and QuoteBuilder have been broken into smaller modules, hooks, and focused panels for easier iteration
20
+
21
+
## Notes
22
+
23
+
- This remains a `0.x` pre-release line
24
+
- The backend extraction work is complete in this release
25
+
- Frontend refactor follow-through and broader responsive/theme QA remain active follow-up work
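Review bot: The first three Highlights describe behaviour that gets stricter (JWT and extension-token access, file serving, signature-based upload validation, attachment restriction), but the Notes section says nothing about upgrade impact. Requests and uploads that 0.0.8 accepted may now be rejected, so the notes should state whether extension clients or existing integrations need changes and how a rejected upload or attachment is reported to the operator. Since the changelog describes this file as the summary for downstream release publishing, a short list of upgrade notes under `## Notes` would cover it.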