Skip to content

Releases: netresearch/timetracker

v6.3.4

Choose a tag to compare

@CybotTM CybotTM released this 16 Jul 12:05
v6.3.4
8bee888

Highlights

Two follow-up fixes to the settings and status polish from v6.3.3.

Fixes

  • Searchable-select fields no longer draw a double border (#642). The inner input matched the shared field-box rule on top of its wrapper's own frame; it now shows a single clean border. Affects every form combobox — e.g. the ticket-system picker on the sync page.
  • The admin status page shows the running release version (#645). /ui/admin/status now reports the deployed release (e.g. 6.3.4) and its tag instead of 1.0.0+no-version-set / branch main. The profiling image used for the production deploy is now built only on tag pushes (or manual dispatch), so its baked build ref is deterministically the release tag.

Thanks @CybotTM.

Full changelog: v6.3.3...v6.3.4

v6.3.3

Choose a tag to compare

@CybotTM CybotTM released this 16 Jul 08:23
v6.3.3
6f0199e

Highlights

This release polishes the settings and admin UIs and makes the deployed version visible on the status page.

Settings forms

  • API-token form redesign — the create-token form now leads the section, with a segmented By resource / Full access mode toggle. The scope picker is a compact grid with per-column read / write select-all header checkboxes (three-state), and Full access spells out that the wildcard scope covers every current and future resource, not a snapshot of today's rights.
  • Single-select fields show the selected value in the input rather than as a removable chip, so they no longer behave like multi-selects.
  • Checkbox and date-field consistency — checkboxes are 24×24px (WCAG 2.2 target size 2.5.8), date fields no longer draw a double border, and the help-icon checkboxes on the sync page align to their labels.

Admin grid

  • Removing a chip with its × in an inline-edit cell drops just that chip and stays in edit mode, instead of discarding the whole edit (#637).

Operations

  • The profiling image used for the production hot-deploy now bakes in its build commit, ref, and date, so /ui/admin/status shows which version is actually running (#639).

Thanks @CybotTM.

Full changelog: v6.3.2...v6.3.3

v6.3.2

Choose a tag to compare

@CybotTM CybotTM released this 15 Jul 21:17
v6.3.2
4d456a3

Highlights

Fixes two form-layout regressions on the settings pages that shipped in v6.3.1.

Changes

  • Sync settings: a date field's "YYYY-MM-DD" hint no longer floats to the far right — it sits directly under the field.
  • Personio opt-in: the checkbox and its label share one row again, with the "available once a Personio connection is configured" note below the box (previously the box was stranded above its label).

Upgrading

No database migration and no config or environment changes — redeploy the image.

Full Changelog: v6.3.1...v6.3.2@CybotTM (#636)

v6.3.1

Choose a tag to compare

@CybotTM CybotTM released this 15 Jul 17:36
v6.3.1
8f83519

Highlights

The searchable form selects from v6.3.0 now read and behave the same whether single- or multi-select, and they work again inside the Monats-Abrechnung (Billing) modal.

Changes

  • Unified combobox — single- and multi-select share one layout: the input is the search field, the chosen value(s) show as chips, and opening always lists every option (the current selection is highlighted, not pre-filtered).
  • Selects open in the Billing modal again — the popup renders inline so a modal dialog's focus trap no longer disables it, a regression from the v6.3.0 combobox rollout.
  • Consistent controls — native selects carry the same arrow as the combobox; date fields sit in the row instead of standing out; in the settings and billing forms, labels are right-aligned and checkboxes/radios line up with the other inputs.

Upgrading

No database migration and no config or environment changes — redeploy the image.

Full Changelog: v6.3.0...v6.3.1@CybotTM (#635)

v6.3.0

Choose a tag to compare

@CybotTM CybotTM released this 15 Jul 13:41
v6.3.0
667937a

Highlights

Searchable dropdowns for data-heavy fields — the relation pickers that were long native dropdowns are now type-to-search comboboxes like the worklog grid's cell editor: the Auswertung filters (customer/project/team/user/activity), the Billing period filters, and the worklog-sync + import ticket-system/user/activity pickers. Multi-select fields show removable chips.

Consistent date fields — Auswertung's start/end date filters use the enhanced date field (calendar + the user's date format) like the rest of the app.

Internal: CI pipeline speed work (#624) — flattened job graph, per-job dependency install, Docker layer + PHP static-analysis caching, and coverage moved to a nightly run with branch coverage.

Full changelog: v6.2.2...v6.3.0

v6.2.2

Choose a tag to compare

@CybotTM CybotTM released this 15 Jul 00:48
v6.2.2
ceaaa09

Highlights

Three layout fixes for the month overview and the worklog-sync admin page.

  • Month overview — the weekday header (Mo–So) now sits correctly over its columns instead of bunching up in the corner, and the calendar and summary cards keep a comfortable side margin at the compact and ultra-compact density settings instead of touching the window edge.
  • Worklog synchronization (admin) — the "trigger a run", "run history" and "conflicts" cards are now spaced apart instead of sitting flush against each other.

Upgrading

No database migration and no configuration changes. Deploy replaces the frontend assets only.

Full Changelog: v6.2.1...v6.2.2

v6.2.1

Choose a tag to compare

@CybotTM CybotTM released this 14 Jul 23:04
v6.2.1
8795a87

Highlights

A settings polish release: the redesigned settings screen from 6.2.0 gets a round of usability fixes across every section, and the density switch is reined in to where it belongs.

Settings usability

  • Density switch now affects only the tables and the main menu, as intended. Settings and dialogs keep their comfortable controls, and their help texts no longer disappear on the compact setting.
  • Wider forms — settings inputs and selects now use the available width instead of being squeezed next to the section navigation; field hints span the full width.
  • Personio opt-in sits in its own card, matching the other synchronization blocks.
  • Jira import date fields use the calendar date picker (with your configured date format) instead of a plain input.
  • API token scopes are easier to grant: preset buttons (Time tracking, MCP agent, Jira sync, Read-only) select a sensible scope set in one click, and every scope carries a plain-language description. The token expiry field uses the same calendar picker and your date format.
  • Shorter, clearer label for the grid Enter-key behavior setting.

Under the hood

  • Faster CI pipeline (concurrency groups, leaner E2E sharding) — no runtime effect.

Upgrading

No database migration and no configuration changes. Deploy replaces the frontend assets only.

Full Changelog: v6.2.0...v6.2.1

v6.2.0

Choose a tag to compare

@CybotTM CybotTM released this 14 Jul 17:26
v6.2.0
0367cdb

Highlights

TimeTracker 6.2.0 closes the loop with the systems around it: worklogs sync both ways with Jira, attendance and absences flow to and from Personio, and the settings screen grew into a full page that explains itself. On the way there, "Stay logged in" finally does what it says, the header speaks your language, and booking time is back to the keyboard-first flow v4 users remember.

This release requires action on upgrade. It ships nine database migrations and — for deployments that mount their own .envthree environment variables that newer images resolve at runtime. See Upgrading.

Jira worklog sync, both directions

Connected Jira ticket systems can now mirror your booked time as worklogs — under your own token once you opt in under Settings → Synchronization, or under a project lead's token for teams that opt into sync-all. A self-service import brings existing Jira worklogs into TimeTracker, always with a dry-run preview before anything is written, and a conflict review resolves entries that changed on both sides.

Personio attendance and absences

Once an administrator connects a Personio account, opted-in users get their working hours exported as Personio attendances on a nightly schedule, and approved absences flow back. An employee auto-match with a review screen takes the tedium out of mapping accounts.

Settings, redesigned

Settings moved out of its cramped modal onto a full page with five deep-linkable sections — account & tracking, appearance, security, API tokens, and synchronization. Every section states how it saves, and the new "?" help popovers explain passkeys, token scopes, sync semantics and more, in all five languages. Programmatically, user settings are now a proper API: GET/PATCH /api/v2/settings with partial-update semantics (the legacy internal POST /settings/save is gone; scripts need the settings:write scope).

"Stay logged in" works now

The remember-me cookie used to be issued and then rejected on the very first request after a browser restart — a force-logout even deleted it. Sessions resumed from the cookie are now accepted for day-to-day work, while sensitive operations (password, passkeys, API tokens, 2FA, admin changes) still demand a fresh login. Passkey sign-ins honor the checkbox too.

Keyboard-first time booking, v4 style

A new entry starts right after your previous one and runs until now (never shorter than your configured minimum), so on a normal day you only type the ticket — which sits under the cursor immediately, with customer and project derived from it. Continuing an entry jumps straight to the description. Saving no longer throws you out of the row: after Enter confirms the activity, you keep typing in the description. Shift+Tab walks backwards through editable cells instead of escaping to the column headers, and Tab accepts a highlighted dropdown option just like Enter.

Smaller, but visible

  • The server-rendered page header now renders in your saved language instead of always English.
  • The TODAY/WEEK/MONTH totals in the header update live — after your own edits, and shortly after out-of-band bookings (e.g. via MCP agents) thanks to refresh-on-focus and the status poll.
  • MCP list tools declare proper output schemas, and the whole MCP test suite now runs in CI.
  • log_time and entry saves reject over-long descriptions and tickets with a clear message instead of a generic "could not save".

Upgrading

  1. Run the database migrations (php bin/console doctrine:migrations:migrate). Nine migrations since 6.1.0, including additions to the entries table — allow for a short maintenance window on large installations.
  2. If your deployment mounts a custom .env (which shadows the image's file entirely), add the keys newer images resolve at runtime, with values for your public domain: WEBAUTHN_RP_ID, WEBAUTHN_ALLOWED_ORIGINS, and REQUIRE_TWO_FACTOR (false keeps 2FA per-user opt-in). Missing keys surface as HTTP 500 on the next container start.
  3. If any external script still posts to /settings/save, switch it to PATCH /api/v2/settings with a token carrying the settings:write scope.

Full Changelog: v6.1.0...v6.2.0

v6.1.0

Choose a tag to compare

@CybotTM CybotTM released this 09 Jul 05:59
v6.1.0
28989d1

Highlights

TimeTracker 6.1.0 turns the application into a first-class platform for coding agents and scripts: personal access tokens with fine-grained scopes, a native MCP server with 24 tools, and a new typed /api/v2 REST layer — while humans get a calendar date picker and a worklog table that finally uses the whole screen.

This release requires action on upgrade. It ships one database migration (the API-token table) and one new environment variable (MCP_ALLOWED_HOSTS). See Upgrading.

API tokens with fine-grained scopes

Programmatic access no longer needs a browser session (ADR-021). Personal access tokens (tt_pat_…) act on behalf of their owner, are hashed at rest, revocable, and can be narrowed to resource:action scopes (e.g. entries:write, reporting:read) — scopes only ever restrict what the user could already do (#551, #553). Tokens are managed self-service in Settings, including one-time plaintext display and revocation (#554), or via the app:api-token:create CLI. The OpenAPI spec documents the Bearer scheme and per-endpoint scopes (#559), and agents can discover the API through RFC-9727 well-known URIs and llms.txt (#549).

MCP server — 24 tools for coding agents

A native Model Context Protocol server at /mcp (Streamable HTTP, Bearer-PAT authenticated) lets agents work the tracker directly (#567, #569; ADR-021 Phase 5):

  • Booking: log_time resolves projects/activities by name, and answers with the same context a person sees in the UI — the ticket's per-scope totals, the booked day so far, and the running IST/SOLL balance with warnings (#570, #580, #584). update_entry edits single fields of an existing entry (partial merge), bulk_log_time fills a date range from a preset like the UI's Massen-Eintragung, and delete_entry completes the cycle (#584).
  • Context & discovery: get_day, get_ticket_info, get_time_balance, list_recent_entries, plus list tools for projects, activities, customers, teams, presets — and admin-gated ones for users, ticket systems (credentials are never returned) and contracts (#570, #580, #584). A protocol-conformance bug that made the list tools unusable for strict clients was fixed (#578, reported in #573 by @CybotTM).
  • Administration: onboard projects, customers and users, activate/deactivate them for offboarding, and create/update teams, contracts and ticket systems — every admin tool requires both the admin role and the matching write scope; deletion is deliberately not exposed (#581, #584).

The admin status page gained an MCP card showing endpoint, transport and tool count (#569), next to new storage and subsystem cards (#556).

v2 REST API with typed responses

New /api/v2/* endpoints back the same features for plain HTTP clients, with stable snake_case JSON contracts, top-level objects, and {message} errors (ADR-022): time balance, entry summary, day view, entry PATCH, bulk entries, and the admin on/offboarding writes (#579, #580, #581, #584). The superseded v1 endpoints /getSummary and /getTimeSummary keep working but are deprecated (Deprecation header; removal in v7) — and /getSummary received a security backport: it is now scoped to the caller's own entries, closing a cross-user data disclosure (#579).

Worklog usability

  • Calendar date picker with type-the-day completion — date cells and form date fields open a calendar popover, and typing a partial date ("7") previews and completes to the full date; requested in #572 by @CybotTM (#577, #582).
  • The table uses the whole screen: the worklog is no longer capped at reading width, and the description column now takes exactly the leftover space and truncates only at the real column edge — no more ellipsis next to empty space (#574, #582, #583).
  • Row state cues (day break, pause, overlap) are derived on the client and future entries are visually distinguished (#576).

Fixes

  • Deleting an entry no longer orphans its synced Jira worklog (#555), and deletion validates payload, ownership and no-ops harder (#557).
  • Two intermittent accessibility test failures were fixed at their root instead of retried (#552, #558).

Upgrading

  1. Apply the database migration (adds the api_tokens table): php bin/console doctrine:migrations:migrate
  2. Set the new environment variable MCP_ALLOWED_HOSTS to the public hostname(s) the MCP endpoint is served under (e.g. MCP_ALLOWED_HOSTS=tt.example.com); it defaults to localhost-only, which blocks remote MCP clients.
  3. No breaking API changes: the deprecated v1 endpoints keep working until v7.

Full Changelog: v6.0.0...v6.1.0

v4.5.0

Choose a tag to compare

@CybotTM CybotTM released this 05 Jul 17:25
v4.5.0
37fa15a

End of life

v4.5.0 is the final release of the v4 line. v4 is no longer maintained — all further fixes, features, and support move to the current stable line, main / v6. New installations should start on v6; existing v4 installs should upgrade to v6.

This release exists to ship one good-will security fix (below) to v4 users who cannot upgrade immediately, plus the maintenance and feature work that had accumulated on the branch since v4.4.2.

Security

  • Entry deletion now enforces ownership (IDOR). Previously any authenticated user could delete another user's time entry by id. Deletion is now allowed only for the entry's owner, or a project leader / admin — mirroring the read-access rule. — @CybotTM (#560)

Features

  • Configurable Jira API version per ticket system. Jira Server/Data Center 9.x (REST v2, search) and Jira Cloud (REST v3, search/jql) use different search endpoints; the ticket system now carries the API version and picks the correct path. — @CybotTM, building on @cweiske's groundwork in TIM-130 (#225)
  • New route GET /tracking/entry/{id} to fetch a single entry by id, with owner/PL access control and translated 404/403 responses. — @tivvie (TIM-123)
  • Customer lists are sorted by name.@bergo (TIM-126)

Fixes

  • Reject entry creation when the activity parameter is missing or invalid. — @tivvie (TIM-132, #240)
  • Check authentication before resolving the user in the group-by-user interpretation. — @tivvie (TIM-136, #234)

Maintenance

  • Pin all CI actions to commit SHAs and bump them to current majors (the docker-publish workflow builds green again). — @CybotTM (#561, #562)
  • Refresh composer.lock within the existing PHP 7.4 constraints. — @CybotTM (#565)

Full Changelog: v4.4.2...v4.5.0