sync main repo and fix checkout v2#3
Closed
kewcoder wants to merge 5800 commits into
Closed
Conversation
…#27802) * fix: hide feature opt-in banner and feedback forms during impersonation Co-Authored-By: sean@cal.com <Sean@brydon.io> * fix: keep opt-in banner visible during impersonation, only hide feedback forms Co-Authored-By: sean@cal.com <Sean@brydon.io> * fix: allow feedback form during impersonation in development mode Co-Authored-By: sean@cal.com <Sean@brydon.io> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* Add DB table for wrong assignment reports * When report is submitted write to the db * Prevent duplicate reportings * test: add migration and tests for WrongAssignmentReport table Co-Authored-By: joe@cal.com <j.auyeung419@gmail.com> * fix: add unique constraint on bookingUid and booking access check for hasWrongAssignmentReport - Add @unique constraint on bookingUid in WrongAssignmentReport model to prevent duplicate reports at DB level - Add booking ownership check using BookingAccessService in hasWrongAssignmentReport endpoint - Refactor hasWrongAssignmentReport into separate handler and schema files Addresses Cubic AI review feedback on PR calcom#27405 Co-Authored-By: unknown <> * feat: add routingFormId to WrongAssignmentReport and fix Select clearing - Add routingFormId field to WrongAssignmentReport model in schema.prisma - Add relation to App_RoutingForms_Form with SetNull on delete - Update WrongAssignmentReportRepository.createReport to accept routingFormId - Update BookingRepository.findByUidIncludeEventTypeAndTeamAndAssignmentReason to include routedFromRoutingFormReponse - Extract routingFormId from booking in reportWrongAssignment handler - Fix Select clearing issue: handle null case when user clears team member selection - Update tests to include routingFormId field Co-Authored-By: joe@cal.com <j.auyeung419@gmail.com> * chore: add migration for routingFormId in WrongAssignmentReport Co-Authored-By: joe@cal.com <j.auyeung419@gmail.com> * fix: address Udit's review comments - hasWrongAssignmentReport: throw UNAUTHORIZED error instead of returning false - reportWrongAssignment: add try-catch for Prisma P2002 unique constraint error - WrongAssignmentReport: add Team relation to teamId field - WrongAssignmentReportRepository: use findUnique instead of findFirst - reportWrongAssignment: use i18n for error messages Co-Authored-By: joe@cal.com <j.auyeung419@gmail.com> * fix: revert hasWrongAssignmentReport to return false when user lacks access Per PR checklist, hasWrongAssignmentReport should return { hasReport: false } when user lacks access to booking, not throw an error. This allows the UI to gracefully treat 'no access' as 'no report exists'. Co-Authored-By: joe@cal.com <j.auyeung419@gmail.com> * test: update mocks for findUnique and i18n in unit tests Co-Authored-By: joe@cal.com <j.auyeung419@gmail.com> * fix: throw UNAUTHORIZED in hasWrongAssignmentReport and squash migrations Co-Authored-By: joe@cal.com <j.auyeung419@gmail.com> * fix: change User relation onDelete from Cascade to SetNull in WrongAssignmentReport Address Hariom's review feedback: - Changed reportedById from Int to Int? (nullable) - Changed reportedBy relation from onDelete: Cascade to onDelete: SetNull - Updated migration SQL to reflect these changes This preserves wrong assignment reports even when the reporting user is deleted, as the data is still useful for analysis. Co-Authored-By: joe@cal.com <j.auyeung419@gmail.com> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
…27751) * make GetPublicEventInput * space * mv feature flags router to trpc * remove trpc imports * wip * mv OrgMembershipLookup to features * fix * fix * update * fix * revert formatting-only changes to improve PR reviewability Co-Authored-By: benny@cal.com <sldisek783@gmail.com> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
…com#27821) * inviteMemberUtils in featuers * update imports * wip * wip * fix: remove PII from log statements in inviteMemberUtils - Remove email (usernameOrEmail) from error log in sendSignupToOrganizationEmail - Replace full user object with userId in debug log in sendExistingUserTeamInviteEmails Co-Authored-By: unknown <> * revert: restore original code for pure relocation (no formatting/logic changes) Co-Authored-By: benny@cal.com <sldisek783@gmail.com> * fix * fix: update test mocks to use new import path for inviteMemberUtils Co-Authored-By: benny@cal.com <sldisek783@gmail.com> * revert: restore original formatting in proration test and handleGroupEvents Co-Authored-By: benny@cal.com <sldisek783@gmail.com> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
This reverts commit 2676867.
This reverts commit 6f6c27b.
This reverts commit 38492d5.
Co-authored-by: Hariom Balhara <1780212+hariombalhara@users.noreply.github.com>
…alcom#27834) * fix: update booking page terms text to use APP_NAME instead of 'our' Co-Authored-By: carina@cal.com <c.wollendorfer@me.com> * remove changes for platform booker --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Co-authored-by: CarinaWolli <wollencarina@gmail.com>
…alcom#27612) * fix: openapi spec for GetWebhook decorator * fix: openapi spec
…es (calcom#27399) * perf: optimize getBusyTimesForLimitChecks with batched parallel queries and raw SQL Co-Authored-By: udit@cal.com <udit222001@gmail.com> * test: add unit tests for getBusyTimesForLimitChecks batched query optimization Co-Authored-By: udit@cal.com <udit222001@gmail.com> * refactor: use Prisma findMany instead of raw SQL for better testability The batching (50 user chunks) and parallel execution (Promise.all) provide the main performance optimization. Using findMany instead of $queryRaw maintains the same performance characteristics while being compatible with prismock for testing. Co-Authored-By: udit@cal.com <udit222001@gmail.com> * fix: type error * refactor: add integration test * chore: remove log * chore: remove log * fix: avoid logging PII (userId) in busyTimes debug log Replace JSON.stringify(busyTimes) with count to avoid exposing userId in logs. Addresses Cubic AI review feedback (confidence 9/10). Co-Authored-By: unknown <> * chore: undo --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* factory and statergie * chore: use correct method of DI * feat: add onchagne * add logic to HWM stat * add webhook resolver methods to each statergy * move seat tracking + webhooks over to own statergy * Move to factory base approach * move logic to correct class * rename create -> createByTeamId * fix: remove debug `true ||` overrides from IS_STRIPE_ENABLED and IS_TEAM_BILLING_ENABLED Remove accidentally committed debug overrides that short-circuited IS_STRIPE_ENABLED and IS_TEAM_BILLING_ENABLED to always be true, bypassing Stripe credential checks. This would break self-hosted instances without Stripe configured. Identified by cubic (https://cubic.dev) Co-Authored-By: unknown <> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* refactor: apply biome formatting to apps/web (batch 1) Formats apps/web non-modules directories: - apps/web/app - apps/web/lib - apps/web/pages - apps/web/styles - apps/web/server - apps/web/test - Root-level .ts and .mjs files Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor: apply biome formatting to apps/web/modules (batch 2) Formats smaller apps/web/modules directories: - onboarding, data-table, users, apps, auth - integration-attribute-sync, shell, availability - feature-flags, team, webhooks, getting-started - feature-opt-in, troubleshooter, schedules, notifications - signup-view.tsx Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor: apply biome formatting to apps/web/modules (batch 3) Formats medium apps/web/modules directories: - bookings - event-types - insights - embed Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor: apply biome formatting to apps/web/modules/ee (batch 4) Formats apps/web/modules/ee directory. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor: apply biome formatting to apps/web (batch 5) Formats remaining apps/web directories: - apps/web/modules/settings - apps/web/modules/booking-audit - apps/web/playwright Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor: apply biome formatting to apps/web/components (batch 6) Formats remaining apps/web/components files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor: apply biome formatting to new apps/web files from main Formats newly added/modified files from main merge: - WorkflowStepContainer.tsx (resolved merge conflicts) - Newly moved files (blocklist, form-builder, schedules, etc.) - Other files modified in main Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor: apply biome formatting to new apps/web files from main Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* feat: claude templates * refactor: new file * feat: symlink
When disableCancelling or disableRescheduling is enabled on an event type, the confirmation email still showed non-functional cancel/reschedule links. The ManageLink email component already had correct conditional logic to hide these links, but two flows constructed the CalendarEvent manually without including the flags: the booking confirmation handler and the payment booking flow. This caused the flags to be undefined, which ManageLink interpreted as enabled. Added disableCancelling and disableRescheduling to the Prisma select and CalendarEvent object in both confirm.handler.ts and getBooking.ts. Closes calcom#22906
Co-authored-by: Volnei Munhoz <volnei@cal.com>
…ollisions (calcom#27847) Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
… payload (calcom#27300) Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Co-authored-by: ali@cal.com <ali@cal.com> Co-authored-by: Morgan <33722304+ThyMinimalDev@users.noreply.github.com>
* new caretta.so app * added logo and screenshots * nit
…m#27854) * feat: add UTM parameter data to insights bookings CSV download Co-Authored-By: carina@cal.com <c.wollendorfer@me.com> * test: add UTM data tests and update snapshots for csvDataTransformer Co-Authored-By: carina@cal.com <c.wollendorfer@me.com> * fix: use Tracking relation for UTM data instead of flat fields on Booking Co-Authored-By: carina@cal.com <c.wollendorfer@me.com> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Romit <85230081+romitg2@users.noreply.github.com>
The Date.now() method returns time in epoch miliseconds, adding 60 * 60 = 3.6seconds leads to a bug that results in expiring the access token in 3.6 seconds, although it been valid. It creates unnecessary api calls to the zoho servers before most the api calls.
* fix: use i18n for apps count with proper pluralization
Replace hardcoded "${installedAppsNumber} apps" with
t("number_apps", { count: installedAppsNumber }) for proper
i18n pluralization support. Removes the TODO comment that
flagged this issue.
Closes calcom#28407
* fix: update e2e test to match i18n singular/plural apps count
---------
Co-authored-by: Sahitya Chandra <sahityajb@gmail.com>
Co-authored-by: Romit <85230081+romitg2@users.noreply.github.com>
…ookings (calcom#28333) * fix(api-v2): correctly parse ISO timezone offsets when rescheduling bookings closes: calcom#28310 * fix: clarify reschedule endpoint requires UTC timezone Signed-off-by: Hemant M Mehta <hemant29mehta@gmail.com> --------- Signed-off-by: Hemant M Mehta <hemant29mehta@gmail.com> Co-authored-by: Rajiv Sahal <sahalrajiv-extc@atharvacoe.ac.in> Co-authored-by: Peer Richelsen <peeroke@gmail.com> Co-authored-by: Sahitya Chandra <sahityajb@gmail.com> Co-authored-by: Romit <85230081+romitg2@users.noreply.github.com>
Added a badge for DeepWiki to the README.
* Add Famulor app integration to app store Introduces the Famulor app as a new automation integration in the app store, including configuration, API handler, assets, and documentation. Updates redirectApps utility to include 'famulor' for redirection support. * fixed - famulor * Update packages/app-store/famulor/api/add.ts Co-authored-by: devin-ai-integration[bot] <158243242+devin-ai-integration[bot]@users.noreply.github.com> * Update packages/app-store/famulor/config.json Co-authored-by: devin-ai-integration[bot] <158243242+devin-ai-integration[bot]@users.noreply.github.com> * yarn app-store:build --------- Co-authored-by: Sahitya Chandra <sahityajb@gmail.com> Co-authored-by: devin-ai-integration[bot] <158243242+devin-ai-integration[bot]@users.noreply.github.com> Co-authored-by: Dhairyashil Shinde <93669429+dhairyashiil@users.noreply.github.com>
In column view, time slots are always visible. selectFirstAvailableTimeSlotNextMonth could click stale time slots from the current month before the schedule data refreshed for the new month. Since isQuickAvailabilityCheckFeatureEnabled is always true in E2E, isTimeSlotAvailable would check the stale slot against the new month's schedule data, find no match, and permanently disable the confirm button. Fix: wait for initial schedule data to load before setting up a waitForResponse listener for getSchedule, then click incrementMonth and await the response before selecting slots. Ported from calcom/cal#1107.
…eferences (calcom#28703) Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
…8704) Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
- Fix typo in 'what_is_this_meeting_about' translation - Change 'посвязена' to 'посвящена' (correct Russian spelling) - Verified with type-check:ci --force
Co-authored-by: Sahitya Chandra <sahityajb@gmail.com>
Co-authored-by: Romit <85230081+romitg2@users.noreply.github.com>
…#28176) * feat(bookings): add booking audit logging to instant bookings wire up BookingEventHandlerService.onBookingCreated in InstantBookingCreateService to emit audit events, matching the pattern already used in RegularBookingService and RecurringBookingService. * refactor: extract fireBookingEvents and reuse existing orgId * refactor: derive orgId once and pass to both webhook trigger and audit event * fix: add missing return in webhook map callback * refactor: make creationSource required for instant bookings Both callers (WEBAPP and API_V2) always set creationSource, so validate it upfront and use CreationSource enum type instead of string | null. * fix: use ErrorWithCode instead of Error, pass userUuid to audit events * fix: pass null for hostUserUuid in instant booking audit data Instant bookings have status AWAITING_HOST with no assigned host, so the booker's UUID should not be recorded as hostUserUuid. * fix: address devin review - hostUserUuid and creationSource validation * fix: address review - bookingMeta, getOrgIdFromMemberOrTeamId, required creationSource - pass userUuid via bookingMeta instead of separate param (matches RegularBookingService pattern) - restore getOrgIdFromMemberOrTeamId for proper org resolution instead of eventType.team.parentId - make creationSource required with runtime validation instead of defaulting to WEBAPP * fix: enforce creationSource at compile time instead of runtime use Required<Pick<>> to make creationSource required in the type signature. removes the runtime check since TypeScript catches missing creationSource at build time. * fix: simplify type signature and derive hostUserUuid from booking relation - Replace Required<Pick<CreateInstantBookingData, 'creationSource'>> with inline { creationSource: CreationSource } - Include user relation in booking create query to derive hostUserUuid - Pass newBooking.user?.uuid instead of hardcoding null for userUuid in audit data Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com> * chore: trigger CI * fix: add missing impersonatedByUserUuid to instant booking meta The CreateBookingMeta type requires impersonatedByUserUuid. Set it to null for non-impersonated instant bookings. * fix: show 'awaiting host' in audit log for instant bookings Use booking status AWAITING_HOST to display "Booked (awaiting host)" instead of "Booked with Unknown" when no host has accepted yet. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: add booking audit for instant meeting accept via connect-and-join Extract fireInstantBookingAcceptedAuditEvent to InstantBookingCreateService and fire it right after the DB update, before side-effect notifications. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * test: add audit logging tests for instant booking creation * fix: simulate audit failure in resilience test (identified by cubic) The test 'should not throw when booking audit event fails' was not actually simulating an audit failure. Added vi.spyOn on BookingEventHandlerService.prototype.onBookingCreated to reject with an error, and assert the spy was called, proving the try/catch in fireBookingEvents properly catches the error without breaking the booking flow. Co-Authored-By: bot_apk <apk@cognition.ai> * test: add audit event tests for connectAndJoin and fix InstantBooking audit test * test --------- Co-authored-by: Hariom Balhara <1780212+hariombalhara@users.noreply.github.com> Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Co-authored-by: hariom@cal.com <hariombalhara@gmail.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: bot_apk <apk@cognition.ai>
…se verification (calcom#28756) * docs: add self-hosting troubleshooting guide Add a dedicated troubleshooting page (docs/self-hosting/troubleshooting.mdx) covering the most common self-hosting issues: - 500 error during onboarding caused by missing STRIPE_PRIVATE_KEY (calcom#25993) - Redirect to localhost after deployment (NEXTAUTH_URL / NEXT_PUBLIC_WEBAPP_URL) (calcom#21921) - API v2 service not starting in Docker (missing REDIS_URL, JWT_SECRET, WEB_APP_URL) - CLIENT_FETCH_ERROR in Docker logs - SSL issues behind a reverse proxy - Prisma user creation failure on first setup Also adds the new page to the "Getting Started" navigation group in docs/docs.json. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(docs): provide safer SSL troubleshooting alternatives Replace the blanket NODE_TLS_REJECT_UNAUTHORIZED=0 recommendation with three options in order of preference: 1. Use HTTP internally with proper header forwarding 2. Add internal CA to NODE_EXTRA_CA_CERTS 3. Disable TLS verification (last resort with security warning) The previous guidance could expose users to MITM attacks on all external API calls (Stripe, Google, etc.). * fix(docs): correct NEXTAUTH_URL guidance to prevent OAuth breakage The previous guidance recommended setting NEXTAUTH_URL to localhost for SSL/DNS issues, which breaks OAuth callbacks since external providers would redirect to localhost instead of the public domain. - Replace localhost workaround with extra_hosts in docker-compose - Add nginx proxy header configuration example - Add warnings explaining why localhost breaks OAuth Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(docs): correct troubleshooting guide based on codebase verification - Stripe section: Rewrite to accurately reflect current behavior (app gracefully handles missing keys by marking Stripe as 'not installed' rather than crashing). Clarify that NEXT_PUBLIC_STRIPE_PUBLIC_KEY belongs in .env.appStore. - API v2 section: Add missing required vars (STRIPE_API_KEY, STRIPE_WEBHOOK_SECRET, NEXTAUTH_SECRET) that crash the service if absent. Move WEB_APP_URL to optional (it has a fallback default). - CLIENT_FETCH_ERROR section: Add caveat about HTTPS URLs failing with the extra_hosts approach when app listens on port 3000. - Vercel note: Clarify that NEXTAUTH_URL is auto-inferred via VERCEL_URL, not just 'left empty'. - Database section: Replace unverifiable metadata/id advice with actionable migration and setup guidance matching actual code in apps/web/app/api/auth/setup/route.ts. Co-Authored-By: romitgabani1 <romitgabani1.work@gmail.com> * docs: fix inaccuracies in self-hosting troubleshooting guide - Add missing CALENDSO_ENCRYPTION_KEY to API v2 required variables - Fix setup endpoint path from /api/auth/setup to /auth/setup - Add note about NEXTAUTH_URL auto-derivation from NEXT_PUBLIC_WEBAPP_URL * fix(docs): correct NEXTAUTH_URL derivation mechanism description NextAuth infers the base URL from the request's Host header when NEXTAUTH_URL is not set, not from NEXT_PUBLIC_WEBAPP_URL directly. Co-Authored-By: romitgabani1 <romitgabani1.work@gmail.com> --------- Co-authored-by: shockzM1 <shockz@dsn.so> Co-authored-by: Paperclip <noreply@paperclip.ing> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
…lake in InstantBookingCreateService (calcom#28773) Signed-off-by: Mendral Agent <support@mendral.com> Co-authored-by: Mendral Agent <support@mendral.com>
…8765) Co-authored-by: Romit <85230081+romitg2@users.noreply.github.com>
…ain risk (calcom#28774) Signed-off-by: Mendral Agent <support@mendral.com> Co-authored-by: Mendral Agent <support@mendral.com>
…alcom#28787) * fix: add vi.mock calls to prevent InstantBookingCreateService test flake Add two vi.mock() calls ported from cal repo to prevent 'Closing rpc while fetch was pending' errors: 1. Mock @calcom/app-store/calendar.services.generated with a Proxy to prevent real calendar modules (feishu, lark) from triggering async getAppAccessToken fetch calls during test worker shutdown. 2. Mock @calcom/features/ee/organizations/di/OrganizationRepository.container to prevent deep transitive import chain from triggering a Vitest module-resolution RPC still in flight at shutdown. Also removes the narrow feishucalendar mock which is now covered by the broader calendar.services.generated Proxy mock. * fix: update bookingScenario to use Proxy-based CalendarServiceMap Replace the plain-object CalendarServiceMap mock with a Proxy-based implementation that catches ALL calendar service accesses. This prevents real calendar modules (feishu, lark, etc.) from being imported during tests, which was causing 'Closing rpc while fetch was pending' errors when the Vitest worker shut down. Also update mockCalendar to use a shared mock map directly instead of dynamically importing calendar.services.generated, avoiding loading real calendar service modules during test execution.
…g invite link (calcom#28753) * chore(member-invite): early return for pending mutations while copying invite link * typo fix * make rabbit happy --------- Co-authored-by: Romit <85230081+romitg2@users.noreply.github.com>
…8850) Upgrades axios from 1.13.5 to 1.15.0 in apps/api/v2 and the root resolutions field to resolve two critical vulnerabilities: - GHSA-3p68-rc4w-qgx5: NO_PROXY hostname normalization bypass leading to SSRF - GHSA-fvcv-3m26-pcqx: Unrestricted cloud metadata exfiltration via header injection Both CVEs are fixed in axios >=1.15.0.
|
Hey there and thank you for opening this pull request! 👋🏼 We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted. Details: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Mandatory Tasks (DO NOT REMOVE)
How should this be tested?
Checklist