v95.0.1

95.0.1 (2026-03-14)

What's Changed

• fix(ai): applied AI suggestions from stage apps branch by @rahul-rocket in #9597
• Fix/desktop timer stopped offline by @syns2191 in #9608
• chore(deps): bump undici from 6.23.0 to 6.24.0 by @dependabot[bot] in #9599
• chore(deps): bump locutus from 3.0.10 to 3.0.14 by @dependabot[bot] in #9598
• Stage by @evereq in #9609
• Apps by @evereq in #9610

Full Changelog: v94.0.0...v95.0.1

v95.0.0

95.0.0 (2026-03-14)

⚠ BREAKING CHANGES

• JWT tokens now include organizationId field. Clients should handle the new token structure.

• fix(ui): restore CHANGE_SELECTED_ORGANIZATION permission check for organization selector

Re-add permission verification that was removed - users without
CHANGE_SELECTED_ORGANIZATION permission should not see the organization
selector in the header.

• fix(migration): remove UNIQUE constraint on userId in SQLite UP migration

Remove CONSTRAINT REL_f4b0d329c4a3cf79ffe9d56504 UNIQUE (userId) from all
CREATE TABLE temporary_employee statements in sqliteUpQueryRunner to allow
many-to-one relationship (multiple employees can reference the same user).

The DOWN migration retains the UNIQUE constraint to restore the original
one-to-one relationship when reverting.

• fix(context): merge duplicate currentOrganizationId methods with proper fallback

Consolidate two currentOrganizationId() methods into one with priority:

1. JWT token organizationId (most secure)
2. User's employee organizationId (fallback for old tokens)
3. Request header organization-id (legacy backward compatibility)

This ensures existing functionality continues to work while preferring
the secure JWT-based organization context when available.

• fix(auth): inject organizationId from JWT into user with fallback

Make organizationId follow the same pattern as employeeId:

• jwt.strategy.ts: inject organizationId from JWT into user.lastOrganizationId
• request-context.ts: currentOrganizationId() reads from user.lastOrganizationId
  with fallback to user.employee.organizationId and header for backward compatibility

This ensures consistency across all context methods while maintaining
backward compatibility with old tokens.

• fix(auth): validate organization access in JWT strategy

• Add UserOrganizationService to validate user has access to organization
• Remove unvalidated header fallback from currentOrganizationId()
• organizationId is now only accepted from validated JWT tokens

• fix(employee): catch specific NotFoundException and validate input

• Catch only NotFoundException instead of all errors
• Add validation for input.user.email before accessing it

• fix(ui): add await for async selectOrganization calls

• Make updateOrganization, deleteOrganization, selectOrganizationById async
• Properly await selectOrganization to prevent race conditions

• fix(ui): add @deprecated to initialize() method

• Mark initialize() as deprecated with JSDoc
• Clean up comments in applyOrganizationData()

• docs(auth): clarify refresh token organization behavior

• Add note explaining refresh token is organization-specific
• Document that /auth/switch-organization should be used to change org

• refactor(ui): use inject() function instead of constructor injection

• Replace constructor parameter injection with inject() function
• Follow Angular modern DI pattern

• fix(auth): include organizationId in refresh token

• Pass organizationId to getJwtRefreshToken in login, signinWorkspaceByToken, and switchWorkspace
• Ensures refresh token contains same organization context as access token

• fix(auth): add cross-validation between employeeId and organizationId in JWT

• Validate that employee.organizationId matches the claimed organizationId
• Prevents JWT token manipulation attacks

• fix(employee): use BadRequestException and check for existing employee

• Use BadRequestException instead of generic Error for proper HTTP 400
• Check if employee already exists for user+organization to prevent duplicates

• fix(ui): validate response fields before applying to store

• Check token and user exist before updating store
• Return false and show error if validation fails

• fix(auth): update user.lastOrganizationId in memory after DB update

• Ensures returned user object has fresh lastOrganizationId value

• fix(employee): load role relation when finding existing user

• Use findOneByOptions with relations: { role: true }
• Fixes 'Cannot read properties of undefined (reading name)' error
• addUserToOrganization requires user.role.name for SUPER_ADMIN check

• Stage (#9305) (59a9cc9), closes #9305 #9303 #9272 #8465 #8465 #8465 #8465 #8465 #8465 #8465 #8465

What's Changed

• fix(ai): applied AI suggestions from stage apps branch by @rahul-rocket in #9597
• Fix/desktop timer stopped offline by @syns2191 in #9608
• chore(deps): bump undici from 6.23.0 to 6.24.0 by @dependabot[bot] in #9599
• chore(deps): bump locutus from 3.0.10 to 3.0.14 by @dependabot[bot] in #9598
• Stage by @evereq in #9609

Full Changelog: v93.0.0...v95.0.0

v94.0.4

94.0.4 (2026-03-14)

What's Changed

• chore(deps): bump undici from 6.23.0 to 6.24.0 by @dependabot[bot] in #9599

Full Changelog: v94.0.2...v94.0.4

v94.0.3

94.0.3 (2026-03-14)

What's Changed

• chore(deps): bump locutus from 3.0.10 to 3.0.14 by @dependabot[bot] in #9598

Full Changelog: v94.0.4...v94.0.3

v94.0.2

94.0.2 (2026-03-14)

What's Changed

• Fix/desktop timer stopped offline by @syns2191 in #9608

Full Changelog: v94.0.1...v94.0.2

v94.0.1

94.0.1 (2026-03-13)

Bug Fixes

• ai: applied AI suggestions from stage apps branch (#9597) (c0df495)

What's Changed

• fix(ai): applied AI suggestions from stage apps branch by @rahul-rocket in #9597

Full Changelog: v93.0.1...v94.0.1

v94.0.0

94.0.0 (2026-03-12)

⚠ BREAKING CHANGES

• JWT tokens now include organizationId field. Clients should handle the new token structure.

• fix(ui): restore CHANGE_SELECTED_ORGANIZATION permission check for organization selector

Re-add permission verification that was removed - users without
CHANGE_SELECTED_ORGANIZATION permission should not see the organization
selector in the header.

• fix(migration): remove UNIQUE constraint on userId in SQLite UP migration

Remove CONSTRAINT REL_f4b0d329c4a3cf79ffe9d56504 UNIQUE (userId) from all
CREATE TABLE temporary_employee statements in sqliteUpQueryRunner to allow
many-to-one relationship (multiple employees can reference the same user).

The DOWN migration retains the UNIQUE constraint to restore the original
one-to-one relationship when reverting.

• fix(context): merge duplicate currentOrganizationId methods with proper fallback

Consolidate two currentOrganizationId() methods into one with priority:

1. JWT token organizationId (most secure)
2. User's employee organizationId (fallback for old tokens)
3. Request header organization-id (legacy backward compatibility)

This ensures existing functionality continues to work while preferring
the secure JWT-based organization context when available.

• fix(auth): inject organizationId from JWT into user with fallback

Make organizationId follow the same pattern as employeeId:

• jwt.strategy.ts: inject organizationId from JWT into user.lastOrganizationId
• request-context.ts: currentOrganizationId() reads from user.lastOrganizationId
  with fallback to user.employee.organizationId and header for backward compatibility

This ensures consistency across all context methods while maintaining
backward compatibility with old tokens.

• fix(auth): validate organization access in JWT strategy

• Add UserOrganizationService to validate user has access to organization
• Remove unvalidated header fallback from currentOrganizationId()
• organizationId is now only accepted from validated JWT tokens

• fix(employee): catch specific NotFoundException and validate input

• Catch only NotFoundException instead of all errors
• Add validation for input.user.email before accessing it

• fix(ui): add await for async selectOrganization calls

• Make updateOrganization, deleteOrganization, selectOrganizationById async
• Properly await selectOrganization to prevent race conditions

• fix(ui): add @deprecated to initialize() method

• Mark initialize() as deprecated with JSDoc
• Clean up comments in applyOrganizationData()

• docs(auth): clarify refresh token organization behavior

• Add note explaining refresh token is organization-specific
• Document that /auth/switch-organization should be used to change org

• refactor(ui): use inject() function instead of constructor injection

• Replace constructor parameter injection with inject() function
• Follow Angular modern DI pattern

• fix(auth): include organizationId in refresh token

• Pass organizationId to getJwtRefreshToken in login, signinWorkspaceByToken, and switchWorkspace
• Ensures refresh token contains same organization context as access token

• fix(auth): add cross-validation between employeeId and organizationId in JWT

• Validate that employee.organizationId matches the claimed organizationId
• Prevents JWT token manipulation attacks

• fix(employee): use BadRequestException and check for existing employee

• Use BadRequestException instead of generic Error for proper HTTP 400
• Check if employee already exists for user+organization to prevent duplicates

• fix(ui): validate response fields before applying to store

• Check token and user exist before updating store
• Return false and show error if validation fails

• fix(auth): update user.lastOrganizationId in memory after DB update

• Ensures returned user object has fresh lastOrganizationId value

• fix(employee): load role relation when finding existing user

• Use findOneByOptions with relations: { role: true }
• Fixes 'Cannot read properties of undefined (reading name)' error
• addUserToOrganization requires user.role.name for SUPER_ADMIN check

• Stage (#9305) (59a9cc9), closes #9305 #9303 #9272 #8465 #8465 #8465 #8465 #8465 #8465 #8465 #8465

What's Changed

• chore: global editorconfig updates by @rahul-rocket in #9503
• fix(ui): daily timesheet layout selector & actions buttons UI by @rahul-rocket in #9593
• Stage by @evereq in #9594
• Apps by @evereq in #9596

Full Changelog: v92.0.1...v94.0.0

v93.0.1

93.0.1 (2026-03-12)

What's Changed

• fix(ui): daily timesheet layout selector & actions buttons UI by @rahul-rocket in #9593

Full Changelog: v92.0.3...v93.0.1

v93.0.0

93.0.0 (2026-03-12)

⚠ BREAKING CHANGES

• JWT tokens now include organizationId field. Clients should handle the new token structure.

• fix(ui): restore CHANGE_SELECTED_ORGANIZATION permission check for organization selector

Re-add permission verification that was removed - users without
CHANGE_SELECTED_ORGANIZATION permission should not see the organization
selector in the header.

• fix(migration): remove UNIQUE constraint on userId in SQLite UP migration

Remove CONSTRAINT REL_f4b0d329c4a3cf79ffe9d56504 UNIQUE (userId) from all
CREATE TABLE temporary_employee statements in sqliteUpQueryRunner to allow
many-to-one relationship (multiple employees can reference the same user).

The DOWN migration retains the UNIQUE constraint to restore the original
one-to-one relationship when reverting.

• fix(context): merge duplicate currentOrganizationId methods with proper fallback

Consolidate two currentOrganizationId() methods into one with priority:

1. JWT token organizationId (most secure)
2. User's employee organizationId (fallback for old tokens)
3. Request header organization-id (legacy backward compatibility)

This ensures existing functionality continues to work while preferring
the secure JWT-based organization context when available.

• fix(auth): inject organizationId from JWT into user with fallback

Make organizationId follow the same pattern as employeeId:

• jwt.strategy.ts: inject organizationId from JWT into user.lastOrganizationId
• request-context.ts: currentOrganizationId() reads from user.lastOrganizationId
  with fallback to user.employee.organizationId and header for backward compatibility

This ensures consistency across all context methods while maintaining
backward compatibility with old tokens.

• fix(auth): validate organization access in JWT strategy

• Add UserOrganizationService to validate user has access to organization
• Remove unvalidated header fallback from currentOrganizationId()
• organizationId is now only accepted from validated JWT tokens

• fix(employee): catch specific NotFoundException and validate input

• Catch only NotFoundException instead of all errors
• Add validation for input.user.email before accessing it

• fix(ui): add await for async selectOrganization calls

• Make updateOrganization, deleteOrganization, selectOrganizationById async
• Properly await selectOrganization to prevent race conditions

• fix(ui): add @deprecated to initialize() method

• Mark initialize() as deprecated with JSDoc
• Clean up comments in applyOrganizationData()

• docs(auth): clarify refresh token organization behavior

• Add note explaining refresh token is organization-specific
• Document that /auth/switch-organization should be used to change org

• refactor(ui): use inject() function instead of constructor injection

• Replace constructor parameter injection with inject() function
• Follow Angular modern DI pattern

• fix(auth): include organizationId in refresh token

• Pass organizationId to getJwtRefreshToken in login, signinWorkspaceByToken, and switchWorkspace
• Ensures refresh token contains same organization context as access token

• fix(auth): add cross-validation between employeeId and organizationId in JWT

• Validate that employee.organizationId matches the claimed organizationId
• Prevents JWT token manipulation attacks

• fix(employee): use BadRequestException and check for existing employee

• Use BadRequestException instead of generic Error for proper HTTP 400
• Check if employee already exists for user+organization to prevent duplicates

• fix(ui): validate response fields before applying to store

• Check token and user exist before updating store
• Return false and show error if validation fails

• fix(auth): update user.lastOrganizationId in memory after DB update

• Ensures returned user object has fresh lastOrganizationId value

• fix(employee): load role relation when finding existing user

• Use findOneByOptions with relations: { role: true }
• Fixes 'Cannot read properties of undefined (reading name)' error
• addUserToOrganization requires user.role.name for SUPER_ADMIN check

Bug Fixes

• ui: daily timesheet layout selector & actions buttons UI (#9593) (99c86c9)

• Stage (#9305) (59a9cc9), closes #9305 #9303 #9272 #8465 #8465 #8465 #8465 #8465 #8465 #8465 #8465

What's Changed

• chore: global editorconfig updates by @rahul-rocket in #9503
• fix(ui): daily timesheet layout selector & actions buttons UI by @rahul-rocket in #9593
• Stage by @evereq in #9594

Full Changelog: v92.0.0...v93.0.0

v92.0.3

92.0.3 (2026-03-12)

What's Changed

• chore: global editorconfig updates by @rahul-rocket in #9503

Full Changelog: v92.0.2...v92.0.3