Merge branch 'fix/docker-build-issues' into 'main'

Fix Docker-in-Docker connectivity for GitLab CI

See merge request digiresilience/link/link-stack!23

.gitignore

@@ -30,3 +30,4 @@ project.org
 **/.openapi-generator/
 apps/bridge-worker/scripts/*
 ENVIRONMENT_VARIABLES_MIGRATION.md
+local-scripts/*

.gitlab-ci.yml

@@ -20,11 +20,13 @@ build-all:
     - turbo build
 
 .docker-build:
-  image: registry.gitlab.com/digiresilience/link/link-stack/buildx:${CI_COMMIT_REF_NAME}
+  image: registry.gitlab.com/digiresilience/link/link-stack/buildx:main
   services:
     - docker:dind
   stage: docker-build
   variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ""
     DOCKER_TAG: ${CI_COMMIT_SHORT_SHA}
     BUILD_CONTEXT: .
   only:
@@ -37,11 +39,13 @@ build-all:
     - docker push ${DOCKER_NS}:${DOCKER_TAG}
 
 .docker-release:
-  image: registry.gitlab.com/digiresilience/link/link-stack/buildx:${CI_COMMIT_REF_NAME}
+  image: registry.gitlab.com/digiresilience/link/link-stack/buildx:main
   services:
     - docker:dind
   stage: docker-release
   variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ""
     DOCKER_TAG: ${CI_COMMIT_SHORT_SHA}
     DOCKER_TAG_NEW: ${CI_COMMIT_REF_NAME}
   only:
@@ -195,8 +199,8 @@ zammad-docker-build:
     PNPM_HOME: "/pnpm"
   before_script:
     - export PATH="$PNPM_HOME:$PATH"
-  script:
     - corepack enable && corepack prepare pnpm@9.15.4 --activate
+  script:
     - pnpm add -g turbo
     - pnpm install --frozen-lockfile
     - turbo build --force --filter @link-stack/zammad-addon-*
@@ -218,8 +222,8 @@ zammad-standalone-docker-build:
     PNPM_HOME: "/pnpm"
   before_script:
     - export PATH="$PNPM_HOME:$PATH"
-  script:
     - corepack enable && corepack prepare pnpm@9.15.4 --activate
+  script:
     - pnpm add -g turbo
     - pnpm install --frozen-lockfile
     - turbo build --force --filter @link-stack/zammad-addon-*

README.md

@@ -20,3 +20,4 @@ We use [Turborepo](https://turbo.build) to manage development and building of th
 To run a single package:
 
 - `turbo dev --filter @link-stack/link`
+

apps/bridge-frontend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/bridge-frontend",
-  "version": "3.3.0-beta.1",
+  "version": "3.3.5",
   "type": "module",
   "scripts": {
     "dev": "next dev",
@@ -20,7 +20,7 @@
     "@mui/x-license": "^7",
     "@link-stack/bridge-common": "workspace:*",
     "@link-stack/bridge-ui": "workspace:*",
-    "next": "15.5.4",
+    "next": "15.5.9",
     "next-auth": "^4.24.11",
     "react": "19.2.0",
     "react-dom": "19.2.0",

apps/bridge-migrations/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/bridge-migrations",
-  "version": "3.3.0-beta.1",
+  "version": "3.3.5",
   "type": "module",
   "scripts": {
     "migrate:up:all": "tsx migrate.ts up:all",

apps/bridge-whatsapp/Dockerfile

@@ -28,10 +28,13 @@ FROM base as runner
 ARG BUILD_DATE
 ARG VERSION
 ARG APP_DIR=/opt/bridge-whatsapp
+ENV PNPM_HOME="/pnpm"
+ENV PATH="$PNPM_HOME:$PATH"
 RUN mkdir -p ${APP_DIR}/
 RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
     apt-get install -y --no-install-recommends \
     dumb-init
+RUN corepack enable && corepack prepare pnpm@9.15.4 --activate
 WORKDIR ${APP_DIR}
 COPY --from=installer ${APP_DIR} ./
 RUN chown -R node:node ${APP_DIR}

apps/bridge-whatsapp/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/bridge-whatsapp",
-  "version": "3.3.0-beta.1",
+  "version": "3.3.5",
   "main": "build/main/index.js",
   "author": "Darren Clarke <darren@redaranj.com>",
   "license": "AGPL-3.0-or-later",
@@ -11,7 +11,7 @@
     "@hapipal/toys": "^4.0.0",
     "@link-stack/bridge-common": "workspace:*",
     "@link-stack/logger": "workspace:*",
-    "@whiskeysockets/baileys": "^6.7.20",
+    "@whiskeysockets/baileys": "6.7.21",
     "hapi-pino": "^13.0.0",
     "link-preview-js": "^3.1.0"
   },

apps/bridge-whatsapp/src/service.ts

@@ -26,11 +26,7 @@ export default class WhatsappService extends Service {
   connections: { [key: string]: any } = {};
   loginConnections: { [key: string]: any } = {};
 
-  static browserDescription: [string, string, string] = [
-    "Bridge",
-    "Chrome",
-    "2.0",
-  ];
+  static browserDescription: [string, string, string] = ["Bridge", "Chrome", "2.0"];
 
   constructor(server: Server, options: never) {
     super(server, options);
@@ -47,7 +43,7 @@ export default class WhatsappService extends Service {
     }
 
     // Prevent path traversal by checking for suspicious patterns
-    if (id.includes('..') || id.includes('/') || id.includes('\\')) {
+    if (id.includes("..") || id.includes("/") || id.includes("\\")) {
       throw new Error(`Path traversal detected in bot ID: ${id}`);
     }
 
@@ -102,20 +98,14 @@ export default class WhatsappService extends Service {
       auth: state,
       generateHighQualityLinkPreview: false,
       msgRetryCounterMap,
-      shouldIgnoreJid: (jid) =>
-        isJidBroadcast(jid) || isJidStatusBroadcast(jid),
+      shouldIgnoreJid: (jid) => isJidBroadcast(jid) || isJidStatusBroadcast(jid),
     });
     let pause = 5000;
 
     socket.ev.process(async (events) => {
       if (events["connection.update"]) {
         const update = events["connection.update"];
-        const {
-          connection: connectionState,
-          lastDisconnect,
-          qr,
-          isNewLogin,
-        } = update;
+        const { connection: connectionState, lastDisconnect, qr, isNewLogin } = update;
         if (qr) {
           logger.info("got qr code");
           const botDirectory = this.getBotDirectory(botID);
@@ -130,8 +120,7 @@ export default class WhatsappService extends Service {
           logger.info("opened connection");
         } else if (connectionState === "close") {
           logger.info({ lastDisconnect }, "connection closed");
-          const disconnectStatusCode = (lastDisconnect?.error as any)?.output
-            ?.statusCode;
+          const disconnectStatusCode = (lastDisconnect?.error as any)?.output?.statusCode;
           if (disconnectStatusCode === DisconnectReason.restartRequired) {
             logger.info("reconnecting after got new login");
             await this.createConnection(botID, server, options);
@@ -174,10 +163,7 @@ export default class WhatsappService extends Service {
       const verifiedFile = `${directory}/verified`;
       if (fs.existsSync(verifiedFile)) {
         const { version, isLatest } = await fetchLatestBaileysVersion();
-        logger.info(
-          { version: version.join("."), isLatest },
-          "using WA version",
-        );
+        logger.info({ version: version.join("."), isLatest }, "using WA version");
 
         await this.createConnection(botID, this.server, {
           browser: WhatsappService.browserDescription,
@@ -188,10 +174,7 @@ export default class WhatsappService extends Service {
     }
   }
 
-  private async queueMessage(
-    botID: string,
-    webMessageInfo: proto.IWebMessageInfo,
-  ) {
+  private async queueMessage(botID: string, webMessageInfo: proto.IWebMessageInfo) {
     const {
       key: { id, fromMe, remoteJid },
       message,
@@ -204,11 +187,9 @@ export default class WhatsappService extends Service {
         "Message field",
       );
     }
-    const isValidMessage =
-      message && remoteJid !== "status@broadcast" && !fromMe;
+    const isValidMessage = message && remoteJid !== "status@broadcast" && !fromMe;
     if (isValidMessage) {
-      const { audioMessage, documentMessage, imageMessage, videoMessage } =
-        message;
+      const { audioMessage, documentMessage, imageMessage, videoMessage } = message;
       const isMediaMessage =
         audioMessage || documentMessage || imageMessage || videoMessage;
 
@@ -288,10 +269,7 @@ export default class WhatsappService extends Service {
     }
   }
 
-  private async queueUnreadMessages(
-    botID: string,
-    messages: proto.IWebMessageInfo[],
-  ) {
+  private async queueUnreadMessages(botID: string, messages: proto.IWebMessageInfo[]) {
     for await (const message of messages) {
       await this.queueMessage(botID, message);
     }
@@ -334,10 +312,7 @@ export default class WhatsappService extends Service {
     }
   }
 
-  async register(
-    botID: string,
-    callback?: AuthCompleteCallback,
-  ): Promise<void> {
+  async register(botID: string, callback?: AuthCompleteCallback): Promise<void> {
     const { version } = await fetchLatestBaileysVersion();
     await this.createConnection(
       botID,
@@ -355,7 +330,10 @@ export default class WhatsappService extends Service {
     attachments?: Array<{ data: string; filename: string; mime_type: string }>,
   ): Promise<void> {
     const connection = this.connections[botID]?.socket;
-    const recipient = `${phoneNumber.replace(/\D+/g, "")}@s.whatsapp.net`;
+    const digits = phoneNumber.replace(/\D+/g, "");
+    // LIDs are 15+ digits, phone numbers with country code are typically 10-14 digits
+    const suffix = digits.length > 14 ? "@lid" : "@s.whatsapp.net";
+    const recipient = `${digits}${suffix}`;
 
     // Send text message if provided
     if (message) {
@@ -368,7 +346,9 @@ export default class WhatsappService extends Service {
       const MAX_TOTAL_SIZE = getMaxTotalAttachmentSize();
 
       if (attachments.length > MAX_ATTACHMENTS) {
-        throw new Error(`Too many attachments: ${attachments.length} (max ${MAX_ATTACHMENTS})`);
+        throw new Error(
+          `Too many attachments: ${attachments.length} (max ${MAX_ATTACHMENTS})`,
+        );
       }
 
       let totalSize = 0;
@@ -378,20 +358,26 @@ export default class WhatsappService extends Service {
         const estimatedSize = (attachment.data.length * 3) / 4;
 
         if (estimatedSize > MAX_ATTACHMENT_SIZE) {
-          logger.warn({
-            filename: attachment.filename,
-            size: estimatedSize,
-            maxSize: MAX_ATTACHMENT_SIZE
-          }, 'Attachment exceeds size limit, skipping');
+          logger.warn(
+            {
+              filename: attachment.filename,
+              size: estimatedSize,
+              maxSize: MAX_ATTACHMENT_SIZE,
+            },
+            "Attachment exceeds size limit, skipping",
+          );
           continue;
         }
 
         totalSize += estimatedSize;
         if (totalSize > MAX_TOTAL_SIZE) {
-          logger.warn({
-            totalSize,
-            maxTotalSize: MAX_TOTAL_SIZE
-          }, 'Total attachment size exceeds limit, skipping remaining');
+          logger.warn(
+            {
+              totalSize,
+              maxTotalSize: MAX_TOTAL_SIZE,
+            },
+            "Total attachment size exceeds limit, skipping remaining",
+          );
           break;
         }
 

apps/bridge-worker/crontab

@@ -1 +1,2 @@
 */1 * * * * fetch-signal-messages ?max=1&id=fetchSignalMessagesCron {"scheduleTasks": "true"}
+*/2 * * * * check-group-membership ?max=1&id=checkGroupMembershipCron {}

apps/bridge-worker/index.ts

@@ -3,7 +3,7 @@ import { createLogger } from "@link-stack/logger";
 import * as path from "path";
 import { fileURLToPath } from "url";
 
-const logger = createLogger('bridge-worker');
+const logger = createLogger("bridge-worker");
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
@@ -32,6 +32,15 @@ const main = async () => {
 };
 
 main().catch((err) => {
-  logger.error({ error: err }, 'Worker failed to start');
+  logger.error(
+    {
+      error: err,
+      message: err.message,
+      stack: err.stack,
+      name: err.name,
+    },
+    "Worker failed to start",
+  );
+  console.error("Full error:", err);
   process.exit(1);
 });

apps/bridge-worker/lib/zammad.ts

@@ -100,19 +100,57 @@ export const Zammad = (
   };
 };
 
-export const getUser = async (zammad: ZammadClient, phoneNumber: string) => {
-  // Sanitize phone number: only allow digits and + symbol
-  const mungedNumber = phoneNumber.replace(/[^\d+]/g, "");
+/**
+ * Sanitizes phone number to E.164 format: +15554446666
+ * Strips all non-digit characters except +, ensures + prefix
+ * @param phoneNumber - Raw phone number (e.g., "(555) 444-6666", "5554446666", "+1 555 444 6666")
+ * @returns E.164 formatted phone number (e.g., "+15554446666")
+ * @throws Error if phone number is invalid
+ */
+export const sanitizePhoneNumber = (phoneNumber: string): string => {
+  // Remove all characters except digits and +
+  let cleaned = phoneNumber.replace(/[^\d+]/g, "");
 
-  // Validate phone number format (10-15 digits, optional + prefix)
-  if (!/^\+?\d{10,15}$/.test(mungedNumber)) {
+  // Ensure it starts with +
+  if (!cleaned.startsWith("+")) {
+    // Assume US/Canada if no country code (11 digits starting with 1, or 10 digits)
+    if (cleaned.length === 10) {
+      cleaned = "+1" + cleaned;
+    } else if (cleaned.length === 11 && cleaned.startsWith("1")) {
+      cleaned = "+" + cleaned;
+    } else if (cleaned.length >= 10) {
+      // International number without +, add it
+      cleaned = "+" + cleaned;
+    }
+  }
+
+  // Validate E.164 format: + followed by 10-15 digits
+  if (!/^\+\d{10,15}$/.test(cleaned)) {
     throw new Error(`Invalid phone number format: ${phoneNumber}`);
   }
 
-  // Remove + for search query
-  const searchNumber = mungedNumber.replace("+", "");
-  const results = await zammad.user.search(`phone:${searchNumber}`);
+  return cleaned;
+};
+
+export const getUser = async (zammad: ZammadClient, phoneNumber: string) => {
+  // Sanitize to E.164 format
+  const sanitized = sanitizePhoneNumber(phoneNumber);
+
+  // Remove + for Zammad search query
+  const searchNumber = sanitized.replace("+", "");
+
+  // Try sanitized format first (e.g., "6464229653" for "+16464229653")
+  let results = await zammad.user.search(`phone:${searchNumber}`);
   if (results.length > 0) return results[0];
+
+  // Fall back to searching for original input (handles legacy formatted numbers)
+  // This ensures we can find users with "(646) 422-9653" format in database
+  const originalCleaned = phoneNumber.replace(/[^\d+]/g, "").replace("+", "");
+  if (originalCleaned !== searchNumber) {
+    results = await zammad.user.search(`phone:${originalCleaned}`);
+    if (results.length > 0) return results[0];
+  }
+
   return undefined;
 };
 
@@ -123,8 +161,11 @@ export const getOrCreateUser = async (
   const customer = await getUser(zammad, phoneNumber);
   if (customer) return customer;
 
+  // Sanitize phone number to E.164 format before storing
+  const sanitized = sanitizePhoneNumber(phoneNumber);
+
   return zammad.user.create({
-    phone: phoneNumber,
+    phone: sanitized,
     note: "User created from incoming voice call",
   });
 };

apps/bridge-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/bridge-worker",
-  "version": "3.3.0-beta.1",
+  "version": "3.3.5",
   "type": "module",
   "main": "build/main/index.js",
   "author": "Darren Clarke <darren@redaranj.com>",

apps/bridge-worker/tasks/check-group-membership.ts

@@ -0,0 +1,121 @@
+#!/usr/bin/env node
+/**
+ * Check Signal group membership status and update Zammad tickets
+ *
+ * This task queries the Signal CLI API to check if users have joined
+ * their assigned groups. When a user joins (moves from pendingInvites to members),
+ * it updates the ticket's group_joined flag in Zammad.
+ *
+ * Note: This task sends webhooks for all group members every time it runs.
+ * The Zammad webhook handler is idempotent and will ignore duplicate notifications
+ * if group_joined is already true.
+ */
+
+import { db, getWorkerUtils } from "@link-stack/bridge-common";
+import { createLogger } from "@link-stack/logger";
+import * as signalApi from "@link-stack/signal-api";
+
+const logger = createLogger("check-group-membership");
+
+const { Configuration, GroupsApi } = signalApi;
+
+interface CheckGroupMembershipTaskOptions {
+  // Optional: Check specific group. If not provided, checks all groups with group_joined=false
+  groupId?: string;
+  botToken?: string;
+}
+
+const checkGroupMembershipTask = async (
+  options: CheckGroupMembershipTaskOptions = {},
+): Promise<void> => {
+  const config = new Configuration({
+    basePath: process.env.BRIDGE_SIGNAL_URL,
+  });
+  const groupsClient = new GroupsApi(config);
+  const worker = await getWorkerUtils();
+
+  // Get all Signal bots
+  const bots = await db.selectFrom("SignalBot").selectAll().execute();
+
+  for (const bot of bots) {
+    try {
+      logger.debug(
+        { botId: bot.id, phoneNumber: bot.phoneNumber },
+        "Checking groups for bot",
+      );
+
+      // Get all groups for this bot
+      const groups = await groupsClient.v1GroupsNumberGet({
+        number: bot.phoneNumber,
+      });
+
+      logger.debug(
+        { botId: bot.id, groupCount: groups.length },
+        "Retrieved groups from Signal CLI",
+      );
+
+      // For each group, check if we have tickets waiting for members to join
+      for (const group of groups) {
+        if (!group.id || !group.internalId) {
+          logger.debug({ groupName: group.name }, "Skipping group without ID");
+          continue;
+        }
+
+        // Log info about each group temporarily for debugging
+        logger.info(
+          {
+            groupId: group.id,
+            groupName: group.name,
+            membersCount: group.members?.length || 0,
+            members: group.members,
+            pendingInvitesCount: group.pendingInvites?.length || 0,
+            pendingInvites: group.pendingInvites,
+            pendingRequestsCount: group.pendingRequests?.length || 0,
+          },
+          "Checking group membership",
+        );
+
+        // Notify Zammad about each member who has joined
+        // This handles both cases:
+        // 1. New contacts who must accept invite (they move from pendingInvites to members)
+        // 2. Existing contacts who are auto-added (they appear directly in members)
+        if (group.members && group.members.length > 0) {
+          for (const memberPhone of group.members) {
+            // Check if this member was previously pending
+            // We'll send the webhook and let Zammad decide if it needs to update
+            await worker.addJob("common/notify-webhooks", {
+              backendId: bot.id,
+              payload: {
+                event: "group_member_joined",
+                group_id: group.id,
+                member_phone: memberPhone,
+                timestamp: new Date().toISOString(),
+              },
+            });
+
+            logger.info(
+              {
+                groupId: group.id,
+                memberPhone,
+              },
+              "Notified Zammad about group member",
+            );
+          }
+        }
+      }
+    } catch (error: any) {
+      logger.error(
+        {
+          botId: bot.id,
+          error: error.message,
+          stack: error.stack,
+        },
+        "Error checking group membership for bot",
+      );
+    }
+  }
+
+  logger.info("Completed group membership check");
+};
+
+export default checkGroupMembershipTask;

apps/bridge-worker/tasks/fetch-signal-messages.ts

@@ -2,7 +2,7 @@ import { db, getWorkerUtils } from "@link-stack/bridge-common";
 import { createLogger } from "@link-stack/logger";
 import * as signalApi from "@link-stack/signal-api";
 
-const logger = createLogger('fetch-signal-messages');
+const logger = createLogger("fetch-signal-messages");
 
 const { Configuration, MessagesApi, AttachmentsApi } = signalApi;
 const config = new Configuration({
@@ -28,13 +28,13 @@ const fetchAttachments = async (attachments: any[] | undefined) => {
       let defaultFilename = name;
       if (!defaultFilename) {
         // Check if id already has an extension
-        const hasExtension = id.includes('.');
+        const hasExtension = id.includes(".");
         if (hasExtension) {
           // ID already includes extension
           defaultFilename = id;
         } else {
           // Add extension based on content type
-          const extension = contentType?.split('/')[1] || 'bin';
+          const extension = contentType?.split("/")[1] || "bin";
           defaultFilename = `${id}.${extension}`;
         }
       }
@@ -64,7 +64,22 @@ const processMessage = async ({
   message: msg,
 }: ProcessMessageArgs): Promise<Record<string, any>[]> => {
   const { envelope } = msg;
-  const { source, sourceUuid, dataMessage } = envelope;
+  const { source, sourceUuid, dataMessage, syncMessage, receiptMessage, typingMessage } =
+    envelope;
+
+  // Log all envelope types to understand what events we're receiving
+  logger.info(
+    {
+      source,
+      sourceUuid,
+      hasDataMessage: !!dataMessage,
+      hasSyncMessage: !!syncMessage,
+      hasReceiptMessage: !!receiptMessage,
+      hasTypingMessage: !!typingMessage,
+      envelopeKeys: Object.keys(envelope),
+    },
+    "Received Signal envelope",
+  );
 
   const isGroup = !!(
     dataMessage?.groupV2 ||
@@ -72,23 +87,69 @@ const processMessage = async ({
     dataMessage?.groupInfo
   );
 
+  // Check if this is a group membership change event
+  const groupInfo = dataMessage?.groupInfo;
+  if (groupInfo) {
+    logger.info(
+      {
+        type: groupInfo.type,
+        groupId: groupInfo.groupId,
+        source,
+        groupInfoKeys: Object.keys(groupInfo),
+        fullGroupInfo: groupInfo,
+      },
+      "Received group info event",
+    );
+
+    // If user joined the group, notify Zammad
+    if (groupInfo.type === "JOIN" || groupInfo.type === "JOINED") {
+      const worker = await getWorkerUtils();
+      const groupId = groupInfo.groupId
+        ? `group.${Buffer.from(groupInfo.groupId).toString("base64")}`
+        : null;
+
+      if (groupId) {
+        await worker.addJob("common/notify-webhooks", {
+          backendId: id,
+          payload: {
+            event: "group_member_joined",
+            group_id: groupId,
+            member_phone: source,
+            timestamp: new Date().toISOString(),
+          },
+        });
+
+        logger.info(
+          {
+            groupId,
+            memberPhone: source,
+          },
+          "User joined Signal group, notifying Zammad",
+        );
+      }
+    }
+  }
+
   if (!dataMessage) return [];
 
   const { attachments } = dataMessage;
   const rawTimestamp = dataMessage?.timestamp;
 
-  logger.debug({
-    sourceUuid,
-    source,
-    rawTimestamp,
-    hasGroupV2: !!dataMessage?.groupV2,
-    hasGroupContext: !!dataMessage?.groupContext,
-    hasGroupInfo: !!dataMessage?.groupInfo,
-    isGroup,
-    groupV2Id: dataMessage?.groupV2?.id,
-    groupContextType: dataMessage?.groupContext?.type,
-    groupInfoType: dataMessage?.groupInfo?.type,
-   }, 'Processing message');
+  logger.debug(
+    {
+      sourceUuid,
+      source,
+      rawTimestamp,
+      hasGroupV2: !!dataMessage?.groupV2,
+      hasGroupContext: !!dataMessage?.groupContext,
+      hasGroupInfo: !!dataMessage?.groupInfo,
+      isGroup,
+      groupV2Id: dataMessage?.groupV2?.id,
+      groupContextType: dataMessage?.groupContext?.type,
+      groupInfoType: dataMessage?.groupInfo?.type,
+    },
+    "Processing message",
+  );
   const timestamp = new Date(rawTimestamp);
 
   const formattedAttachments = await fetchAttachments(attachments);
@@ -165,7 +226,7 @@ const fetchSignalMessagesTask = async ({
       number: phoneNumber,
     });
 
-    logger.debug({  botId: id, phoneNumber  }, 'Fetching messages for bot');
+    logger.debug({ botId: id, phoneNumber }, "Fetching messages for bot");
 
     for (const message of messages) {
       const formattedMessages = await processMessage({
@@ -175,19 +236,19 @@ const fetchSignalMessagesTask = async ({
       });
       for (const formattedMessage of formattedMessages) {
         if (formattedMessage.to !== formattedMessage.from) {
-          logger.debug({
-            messageId: formattedMessage.messageId,
-            from: formattedMessage.from,
-            to: formattedMessage.to,
-            isGroup: formattedMessage.isGroup,
-            hasMessage: !!formattedMessage.message,
-            hasAttachment: !!formattedMessage.attachment,
-           }, 'Creating job for message');
-
-          await worker.addJob(
-            "signal/receive-signal-message",
-            formattedMessage,
+          logger.debug(
+            {
+              messageId: formattedMessage.messageId,
+              from: formattedMessage.from,
+              to: formattedMessage.to,
+              isGroup: formattedMessage.isGroup,
+              hasMessage: !!formattedMessage.message,
+              hasAttachment: !!formattedMessage.attachment,
+            },
+            "Creating job for message",
           );
+
+          await worker.addJob("signal/receive-signal-message", formattedMessage);
         }
       }
     }

apps/bridge-worker/tasks/formstack/create-ticket-from-form.ts

@@ -1,5 +1,6 @@
 import { createLogger } from "@link-stack/logger";
-import { Zammad, getUser } from "../../lib/zammad.js";
+import { db } from "@link-stack/bridge-common";
+import { Zammad, getUser, sanitizePhoneNumber } from "../../lib/zammad.js";
 import {
   loadFieldMapping,
   getFieldValue,
@@ -10,7 +11,7 @@ import {
   type FieldMappingConfig,
 } from "../../lib/formstack-field-mapping.js";
 
-const logger = createLogger('create-ticket-from-form');
+const logger = createLogger("create-ticket-from-form");
 
 export interface CreateTicketFromFormOptions {
   formData: any;
@@ -26,40 +27,72 @@ const createTicketFromFormTask = async (
   const mapping = loadFieldMapping();
 
   // Log only non-PII metadata using configured field names
-  const formId = getFieldValue(formData, 'formId', mapping);
-  const uniqueId = getFieldValue(formData, 'uniqueId', mapping);
+  const formId = getFieldValue(formData, "formId", mapping);
+  const uniqueId = getFieldValue(formData, "uniqueId", mapping);
 
-  logger.info({
-    formId,
-    uniqueId,
-    receivedAt,
-    fieldCount: Object.keys(formData).length
-  }, 'Processing Formstack form submission');
+  logger.info(
+    {
+      formId,
+      uniqueId,
+      receivedAt,
+      fieldCount: Object.keys(formData).length,
+    },
+    "Processing Formstack form submission",
+  );
 
   // Extract fields using dynamic mapping
-  const nameField = getFieldValue(formData, 'name', mapping);
+  const nameField = getFieldValue(formData, "name", mapping);
   const firstName = mapping.nestedFields?.name?.firstNamePath
-    ? getNestedFieldValue(nameField, mapping.nestedFields.name.firstNamePath) || ''
-    : '';
+    ? getNestedFieldValue(nameField, mapping.nestedFields.name.firstNamePath) || ""
+    : "";
   const lastName = mapping.nestedFields?.name?.lastNamePath
-    ? getNestedFieldValue(nameField, mapping.nestedFields.name.lastNamePath) || ''
-    : '';
-  const fullName = (firstName && lastName)
-    ? `${firstName} ${lastName}`.trim()
-    : firstName || lastName || 'Unknown';
+    ? getNestedFieldValue(nameField, mapping.nestedFields.name.lastNamePath) || ""
+    : "";
+  const fullName =
+    firstName && lastName
+      ? `${firstName} ${lastName}`.trim()
+      : firstName || lastName || "Unknown";
 
   // Extract well-known fields used for special logic (all optional)
-  const email = getFieldValue(formData, 'email', mapping);
-  const phone = getFieldValue(formData, 'phone', mapping);
-  const signalAccount = getFieldValue(formData, 'signalAccount', mapping);
-  const organization = getFieldValue(formData, 'organization', mapping);
-  const typeOfSupport = getFieldValue(formData, 'typeOfSupport', mapping);
-  const descriptionOfIssue = getFieldValue(formData, 'descriptionOfIssue', mapping);
+  const email = getFieldValue(formData, "email", mapping);
+  const rawPhone = getFieldValue(formData, "phone", mapping);
+  const rawSignalAccount = getFieldValue(formData, "signalAccount", mapping);
+  const organization = getFieldValue(formData, "organization", mapping);
+  const typeOfSupport = getFieldValue(formData, "typeOfSupport", mapping);
+  const descriptionOfIssue = getFieldValue(formData, "descriptionOfIssue", mapping);
+
+  // Sanitize phone numbers to E.164 format (+15554446666)
+  let phone: string | undefined;
+  if (rawPhone) {
+    try {
+      phone = sanitizePhoneNumber(rawPhone);
+      logger.info({ rawPhone, sanitized: phone }, "Sanitized phone number");
+    } catch (error: any) {
+      logger.warn({ rawPhone, error: error.message }, "Invalid phone number format, ignoring");
+      phone = undefined;
+    }
+  }
+
+  let signalAccount: string | undefined;
+  if (rawSignalAccount) {
+    try {
+      signalAccount = sanitizePhoneNumber(rawSignalAccount);
+      logger.info({ rawSignalAccount, sanitized: signalAccount }, "Sanitized signal account");
+    } catch (error: any) {
+      logger.warn({ rawSignalAccount, error: error.message }, "Invalid signal account format, ignoring");
+      signalAccount = undefined;
+    }
+  }
 
   // Validate that at least one contact method is provided
   if (!email && !phone && !signalAccount) {
-    logger.error({ formId, uniqueId }, 'No contact information provided - at least one of email, phone, or signalAccount is required');
-    throw new Error('At least one contact method (email, phone, or signalAccount) is required for ticket creation');
+    logger.error(
+      { formId, uniqueId },
+      "No contact information provided - at least one of email, phone, or signalAccount is required",
+    );
+    throw new Error(
+      "At least one contact method (email, phone, or signalAccount) is required for ticket creation",
+    );
   }
 
   // Build ticket title using configured template
@@ -72,10 +105,10 @@ const createTicketFromFormTask = async (
 
   // Build article body - format all fields as HTML
   const formatAllFields = (data: any): string => {
-    let html = '';
+    let html = "";
 
     // Add formatted name field first if we have it
-    if (fullName && fullName !== 'Unknown') {
+    if (fullName && fullName !== "Unknown") {
       html += `<strong>Name:</strong><br>${fullName}<br>`;
     }
 
@@ -84,15 +117,18 @@ const createTicketFromFormTask = async (
       const skipFields = [
         mapping.sourceFields.formId,
         mapping.sourceFields.uniqueId,
-        mapping.sourceFields.name,  // Skip raw name field
-        'HandshakeKey',
+        mapping.sourceFields.name, // Skip raw name field
+        "HandshakeKey",
       ].filter(Boolean);
 
       if (skipFields.includes(key)) continue;
-      if (value === null || value === undefined || value === '') continue;
+      if (value === null || value === undefined || value === "") continue;
 
-      const displayValue = Array.isArray(value) ? value.join(', ') :
-                          typeof value === 'object' ? JSON.stringify(value) : value;
+      const displayValue = Array.isArray(value)
+        ? value.join(", ")
+        : typeof value === "object"
+          ? JSON.stringify(value)
+          : value;
       html += `<strong>${key}:</strong><br>${displayValue}<br>`;
     }
     return html;
@@ -101,12 +137,12 @@ const createTicketFromFormTask = async (
   const body = formatAllFields(formData);
 
   // Get Zammad configuration from environment
-  const zammadUrl = process.env.ZAMMAD_URL || 'http://zammad-nginx:8080';
+  const zammadUrl = process.env.ZAMMAD_URL || "http://zammad-nginx:8080";
   const zammadToken = process.env.ZAMMAD_API_TOKEN;
 
   if (!zammadToken) {
-    logger.error('ZAMMAD_API_TOKEN environment variable is not configured');
-    throw new Error('ZAMMAD_API_TOKEN is required');
+    logger.error("ZAMMAD_API_TOKEN environment variable is not configured");
+    throw new Error("ZAMMAD_API_TOKEN is required");
   }
 
   const zammad = Zammad({ token: zammadToken }, zammadUrl);
@@ -115,35 +151,39 @@ const createTicketFromFormTask = async (
     // Look up the configured article type
     let articleTypeId: number | undefined;
     try {
-      const articleTypes = await zammad.get('ticket_article_types');
-      const configuredType = articleTypes.find((t: any) => t.name === mapping.ticket.defaultArticleType);
+      const articleTypes = await zammad.get("ticket_article_types");
+      const configuredType = articleTypes.find(
+        (t: any) => t.name === mapping.ticket.defaultArticleType,
+      );
       articleTypeId = configuredType?.id;
       if (articleTypeId) {
-        logger.info({ articleTypeId, typeName: mapping.ticket.defaultArticleType }, 'Found configured article type');
+        logger.info(
+          { articleTypeId, typeName: mapping.ticket.defaultArticleType },
+          "Found configured article type",
+        );
       } else {
-        logger.warn({ typeName: mapping.ticket.defaultArticleType }, 'Configured article type not found, ticket will use default type');
+        logger.warn(
+          { typeName: mapping.ticket.defaultArticleType },
+          "Configured article type not found, ticket will use default type",
+        );
       }
     } catch (error: any) {
-      logger.warn({ error: error.message }, 'Failed to look up article type');
+      logger.warn({ error: error.message }, "Failed to look up article type");
     }
 
     // Get or create user
-    // Try to find existing user by: signalAccount -> phone -> email
+    // Try to find existing user by: phone -> email
+    // Note: We can't search by Signal account since Signal group IDs aren't phone numbers
     let customer;
 
-    // Try Signal account first if provided
-    if (signalAccount) {
-      customer = await getUser(zammad, signalAccount);
-      if (customer) {
-        logger.info({ customerId: customer.id, method: 'signal' }, 'Found existing user by Signal account');
-      }
-    }
-
-    // Fall back to phone if no customer found yet
-    if (!customer && phone) {
+    // Try phone if provided
+    if (phone) {
       customer = await getUser(zammad, phone);
       if (customer) {
-        logger.info({ customerId: customer.id, method: 'phone' }, 'Found existing user by phone');
+        logger.info(
+          { customerId: customer.id, method: "phone" },
+          "Found existing user by phone",
+        );
       }
     }
 
@@ -155,22 +195,25 @@ const createTicketFromFormTask = async (
         const emailResults = await zammad.user.search(`email:${email}`);
         if (emailResults.length > 0) {
           customer = emailResults[0];
-          logger.info({ customerId: customer.id, method: 'email' }, 'Found existing user by email');
+          logger.info(
+            { customerId: customer.id, method: "email" },
+            "Found existing user by email",
+          );
         }
       } else {
-        logger.warn({ email }, 'Invalid email format provided, skipping email search');
+        logger.warn({ email }, "Invalid email format provided, skipping email search");
       }
     }
 
     if (!customer) {
       // Create new user
-      logger.info('Creating new user from form submission');
+      logger.info("Creating new user from form submission");
 
       // Build user data with whatever contact info we have
       const userData: any = {
         firstname: firstName,
         lastname: lastName,
-        roles: ['Customer'],
+        roles: ["Customer"],
       };
 
       // Add contact info only if provided
@@ -178,47 +221,129 @@ const createTicketFromFormTask = async (
         userData.email = email;
       }
 
-      const userPhone = signalAccount || phone;
-      if (userPhone) {
-        userData.phone = userPhone;
+      // Use phone number if provided (don't use Signal group ID as phone)
+      if (phone) {
+        userData.phone = phone;
       }
 
       customer = await zammad.user.create(userData);
     }
 
-    logger.info({
-      customerId: customer.id,
-      email: customer.email,
-    }, 'Using customer for ticket');
+    logger.info(
+      {
+        customerId: customer.id,
+        email: customer.email,
+      },
+      "Using customer for ticket",
+    );
 
     // Look up the configured group
-    const groups = await zammad.get('groups');
+    const groups = await zammad.get("groups");
     const targetGroup = groups.find((g: any) => g.name === mapping.ticket.group);
 
     if (!targetGroup) {
-      logger.error({ groupName: mapping.ticket.group }, 'Configured group not found');
+      logger.error({ groupName: mapping.ticket.group }, "Configured group not found");
       throw new Error(`Zammad group "${mapping.ticket.group}" not found`);
     }
 
-    logger.info({ groupId: targetGroup.id, groupName: targetGroup.name }, 'Using configured group');
+    logger.info(
+      { groupId: targetGroup.id, groupName: targetGroup.name },
+      "Using configured group",
+    );
 
     // Build custom fields using Zammad field mapping
     // This dynamically maps all configured fields without hardcoding
     const customFields = getZammadFieldValues(formData, mapping);
 
+    // Check if this is a Signal ticket
+    let signalArticleType = null;
+    let signalChannelId = null;
+    let signalBotToken = null;
+
+    if (signalAccount) {
+      try {
+        logger.info({ signalAccount }, "Looking up Signal channel and article type");
+
+        // Look up Signal channels from Zammad (admin-only endpoint)
+        // Note: bot_token is NOT included in this response for security reasons
+        const channels = await zammad.get("cdr_signal_channels");
+        if (channels.length > 0) {
+          const zammadChannel = channels[0]; // Use first active Signal channel
+          signalChannelId = zammadChannel.id;
+
+          logger.info(
+            {
+              channelId: zammadChannel.id,
+              phoneNumber: zammadChannel.phone_number,
+            },
+            "Found active Signal channel from Zammad",
+          );
+
+          // Look up the bot_token from our own cdr database using the phone number
+          const signalBot = await db
+            .selectFrom("SignalBot")
+            .selectAll()
+            .where("phoneNumber", "=", zammadChannel.phone_number)
+            .executeTakeFirst();
+
+          if (signalBot) {
+            signalBotToken = signalBot.token;
+            logger.info(
+              { botId: signalBot.id, phoneNumber: signalBot.phoneNumber },
+              "Found Signal bot token from cdr database",
+            );
+          } else {
+            logger.warn(
+              { phoneNumber: zammadChannel.phone_number },
+              "Signal bot not found in cdr database",
+            );
+          }
+        } else {
+          logger.warn("No active Signal channels found");
+        }
+
+        // Look up cdr_signal article type
+        const articleTypes = await zammad.get("ticket_article_types");
+        signalArticleType = articleTypes.find((t: any) => t.name === "cdr_signal");
+
+        if (!signalArticleType) {
+          logger.warn("Signal article type (cdr_signal) not found, using default type");
+        } else {
+          logger.info(
+            { articleTypeId: signalArticleType.id },
+            "Found Signal article type",
+          );
+        }
+      } catch (error: any) {
+        logger.warn(
+          { error: error.message },
+          "Failed to look up Signal article type, creating regular ticket",
+        );
+      }
+    }
+
     // Create the ticket
     const articleData: any = {
-      subject: descriptionOfIssue || 'Support Request',
+      subject: descriptionOfIssue || "Support Request",
       body,
-      content_type: 'text/html',
+      content_type: "text/html",
       internal: false,
     };
 
-    if (articleTypeId) {
+    // Use Signal article type if available, otherwise use configured default
+    if (signalArticleType) {
+      articleData.type_id = signalArticleType.id;
+      logger.info({ typeId: signalArticleType.id }, "Using Signal article type");
+
+      // IMPORTANT: Set sender to "Customer" for Signal tickets created from Formstack
+      // This prevents the article from being echoed back to the user via Signal
+      // (enqueue_communicate_cdr_signal_job only sends if sender != 'Customer')
+      articleData.sender = "Customer";
+    } else if (articleTypeId) {
       articleData.type_id = articleTypeId;
     }
 
-    const ticketData = {
+    const ticketData: any = {
       title,
       group_id: targetGroup.id,
       customer_id: customer.id,
@@ -226,29 +351,84 @@ const createTicketFromFormTask = async (
       ...customFields,
     };
 
-    logger.info({
-      title,
-      groupId: targetGroup.id,
-      customerId: customer.id,
-      hasArticleType: !!articleTypeId,
-      customFieldCount: Object.keys(customFields).length,
-    }, 'Creating ticket');
+    // Add Signal preferences if we have Signal channel and article type
+    // Note: signalAccount from Formstack is the phone number the user typed in
+    // Groups are added later via update_group webhook from bridge-worker
+    if (signalChannelId && signalBotToken && signalArticleType && signalAccount) {
+      ticketData.preferences = {
+        channel_id: signalChannelId,
+        cdr_signal: {
+          bot_token: signalBotToken,
+          chat_id: signalAccount, // Use Signal phone number as chat_id
+        },
+      };
+
+      logger.info(
+        {
+          channelId: signalChannelId,
+          chatId: signalAccount,
+        },
+        "Adding Signal preferences to ticket",
+      );
+    }
+
+    logger.info(
+      {
+        title,
+        groupId: targetGroup.id,
+        customerId: customer.id,
+        hasArticleType: !!articleTypeId || !!signalArticleType,
+        isSignalTicket: !!signalArticleType && !!signalAccount,
+        customFieldCount: Object.keys(customFields).length,
+      },
+      "Creating ticket",
+    );
 
     const ticket = await zammad.ticket.create(ticketData);
 
-    logger.info({
-      ticketId: ticket.id,
-      ticketNumber: ticket.id,
-      title,
-    }, 'Successfully created ticket from Formstack submission');
+    // Set create_article_type_id for Signal tickets to enable proper replies
+    if (signalArticleType && signalChannelId) {
+      try {
+        await zammad.ticket.update(ticket.id, {
+          create_article_type_id: signalArticleType.id,
+        });
+        logger.info(
+          {
+            ticketId: ticket.id,
+            articleTypeId: signalArticleType.id,
+          },
+          "Set create_article_type_id for Signal ticket",
+        );
+      } catch (error: any) {
+        logger.warn(
+          {
+            error: error.message,
+            ticketId: ticket.id,
+          },
+          "Failed to set create_article_type_id, ticket may not support Signal replies",
+        );
+      }
+    }
 
+    logger.info(
+      {
+        ticketId: ticket.id,
+        ticketNumber: ticket.id,
+        title,
+        isSignalTicket: !!signalChannelId,
+      },
+      "Successfully created ticket from Formstack submission",
+    );
   } catch (error: any) {
-    logger.error({
-      error: error.message,
-      stack: error.stack,
-      formId,
-      uniqueId,
-    }, 'Failed to create ticket from Formstack submission');
+    logger.error(
+      {
+        error: error.message,
+        stack: error.stack,
+        formId,
+        uniqueId,
+      },
+      "Failed to create ticket from Formstack submission",
+    );
     throw error;
   }
 };

apps/bridge-worker/tasks/signal/send-signal-message.ts

@@ -65,10 +65,9 @@ const sendSignalMessageTask = async ({
 
   try {
     // Check if 'to' is a group ID (UUID format, group.base64 format, or base64) vs phone number
-    const isUUID =
-      /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(
-        to,
-      );
+    const isUUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(
+      to,
+    );
     const isGroupPrefix = to.startsWith("group.");
     const isBase64 = /^[A-Za-z0-9+/]+=*$/.test(to) && to.length > 20; // Base64 internal_id
     const isGroupId = isUUID || isGroupPrefix || isBase64;
@@ -79,8 +78,7 @@ const sendSignalMessageTask = async ({
         to,
         isGroupId,
         enableAutoGroups,
-        shouldCreateGroup:
-          enableAutoGroups && !isGroupId && to && conversationId,
+        shouldCreateGroup: enableAutoGroups && !isGroupId && to && conversationId,
       },
       "Recipient analysis",
     );
@@ -140,6 +138,7 @@ const sendSignalMessageTask = async ({
           );
 
           // Notify Zammad about the new group ID via webhook
+          // Set group_joined: false initially - will be updated when user accepts invitation
           await worker.addJob("common/notify-webhooks", {
             backendId: bot.id,
             payload: {
@@ -148,6 +147,7 @@ const sendSignalMessageTask = async ({
               original_recipient: to,
               group_id: finalTo,
               internal_group_id: internalId,
+              group_joined: false,
               timestamp: new Date().toISOString(),
             },
           });
@@ -155,8 +155,7 @@ const sendSignalMessageTask = async ({
       } catch (groupError) {
         logger.error(
           {
-            error:
-              groupError instanceof Error ? groupError.message : groupError,
+            error: groupError instanceof Error ? groupError.message : groupError,
             to,
             conversationId,
           },
@@ -217,7 +216,9 @@ const sendSignalMessageTask = async ({
       const MAX_TOTAL_SIZE = getMaxTotalAttachmentSize();
 
       if (attachments.length > MAX_ATTACHMENTS) {
-        throw new Error(`Too many attachments: ${attachments.length} (max ${MAX_ATTACHMENTS})`);
+        throw new Error(
+          `Too many attachments: ${attachments.length} (max ${MAX_ATTACHMENTS})`,
+        );
       }
 
       let totalSize = 0;
@@ -228,20 +229,26 @@ const sendSignalMessageTask = async ({
         const estimatedSize = (attachment.data.length * 3) / 4;
 
         if (estimatedSize > MAX_ATTACHMENT_SIZE) {
-          logger.warn({
-            filename: attachment.filename,
-            size: estimatedSize,
-            maxSize: MAX_ATTACHMENT_SIZE
-          }, 'Attachment exceeds size limit, skipping');
+          logger.warn(
+            {
+              filename: attachment.filename,
+              size: estimatedSize,
+              maxSize: MAX_ATTACHMENT_SIZE,
+            },
+            "Attachment exceeds size limit, skipping",
+          );
           continue;
         }
 
         totalSize += estimatedSize;
         if (totalSize > MAX_TOTAL_SIZE) {
-          logger.warn({
-            totalSize,
-            maxTotalSize: MAX_TOTAL_SIZE
-          }, 'Total attachment size exceeds limit, skipping remaining');
+          logger.warn(
+            {
+              totalSize,
+              maxTotalSize: MAX_TOTAL_SIZE,
+            },
+            "Total attachment size exceeds limit, skipping remaining",
+          );
           break;
         }
 
@@ -253,8 +260,10 @@ const sendSignalMessageTask = async ({
         logger.debug(
           {
             attachmentCount: validatedAttachments.length,
-            attachmentNames: attachments.slice(0, validatedAttachments.length).map((att) => att.filename),
-            totalSizeBytes: totalSize
+            attachmentNames: attachments
+              .slice(0, validatedAttachments.length)
+              .map((att) => att.filename),
+            totalSizeBytes: totalSize,
           },
           "Including attachments in message",
         );

apps/link/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/link",
-  "version": "3.3.0-beta.1",
+  "version": "3.3.5",
   "type": "module",
   "scripts": {
     "dev": "next dev -H 0.0.0.0",
@@ -31,7 +31,7 @@
     "graphql-request": "^7.2.0",
     "ioredis": "^5.8.1",
     "mui-chips-input": "^6.0.0",
-    "next": "15.5.4",
+    "next": "15.5.9",
     "next-auth": "^4.24.11",
     "react": "19.2.0",
     "react-cookie": "^8.0.1",

docker-compose.bridge-dev.yml

@@ -1,67 +0,0 @@
-version: '3.8'
-
-services:
-  zammad-railsserver:
-    volumes:
-      # Controllers
-      - ${PWD}/packages/zammad-addon-bridge/src/app/controllers/channels_cdr_signal_controller.rb:/opt/zammad/app/controllers/channels_cdr_signal_controller.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/app/controllers/channels_cdr_voice_controller.rb:/opt/zammad/app/controllers/channels_cdr_voice_controller.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/app/controllers/channels_cdr_whatsapp_controller.rb:/opt/zammad/app/controllers/channels_cdr_whatsapp_controller.rb:ro
-      
-      # Models
-      - ${PWD}/packages/zammad-addon-bridge/src/app/models/channel/driver/cdr_signal.rb:/opt/zammad/app/models/channel/driver/cdr_signal.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/app/models/channel/driver/cdr_whatsapp.rb:/opt/zammad/app/models/channel/driver/cdr_whatsapp.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/app/models/ticket/article/enqueue_communicate_cdr_signal_job.rb:/opt/zammad/app/models/ticket/article/enqueue_communicate_cdr_signal_job.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/app/models/ticket/article/enqueue_communicate_cdr_whatsapp_job.rb:/opt/zammad/app/models/ticket/article/enqueue_communicate_cdr_whatsapp_job.rb:ro
-      
-      # Jobs
-      - ${PWD}/packages/zammad-addon-bridge/src/app/jobs/communicate_cdr_signal_job.rb:/opt/zammad/app/jobs/communicate_cdr_signal_job.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/app/jobs/communicate_cdr_whatsapp_job.rb:/opt/zammad/app/jobs/communicate_cdr_whatsapp_job.rb:ro
-      
-      # Policies
-      - ${PWD}/packages/zammad-addon-bridge/src/app/policies/controllers/channels_cdr_signal_controller_policy.rb:/opt/zammad/app/policies/controllers/channels_cdr_signal_controller_policy.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/app/policies/controllers/channels_cdr_voice_controller_policy.rb:/opt/zammad/app/policies/controllers/channels_cdr_voice_controller_policy.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/app/policies/controllers/channels_cdr_whatsapp_controller_policy.rb:/opt/zammad/app/policies/controllers/channels_cdr_whatsapp_controller_policy.rb:ro
-      
-      # Config - initializers
-      - ${PWD}/packages/zammad-addon-bridge/src/config/initializers/cdr_signal.rb:/opt/zammad/config/initializers/cdr_signal.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/config/initializers/cdr_whatsapp.rb:/opt/zammad/config/initializers/cdr_whatsapp.rb:ro
-      
-      # Config - routes
-      - ${PWD}/packages/zammad-addon-bridge/src/config/routes/channel_cdr_signal.rb:/opt/zammad/config/routes/channel_cdr_signal.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/config/routes/channel_cdr_voice.rb:/opt/zammad/config/routes/channel_cdr_voice.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/config/routes/channel_cdr_whatsapp.rb:/opt/zammad/config/routes/channel_cdr_whatsapp.rb:ro
-      
-      # Database migrations
-      - ${PWD}/packages/zammad-addon-bridge/src/db/addon/bridge/20210525091356_cdr_signal_channel.rb:/opt/zammad/db/addon/bridge/20210525091356_cdr_signal_channel.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/db/addon/bridge/20210525091357_cdr_voice_channel.rb:/opt/zammad/db/addon/bridge/20210525091357_cdr_voice_channel.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/db/addon/bridge/20210525091358_cdr_whatsapp_channel.rb:/opt/zammad/db/addon/bridge/20210525091358_cdr_whatsapp_channel.rb:ro
-      
-      # Lib files
-      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_signal.rb:/opt/zammad/lib/cdr_signal.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_signal_api.rb:/opt/zammad/lib/cdr_signal_api.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_whatsapp.rb:/opt/zammad/lib/cdr_whatsapp.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_whatsapp_api.rb:/opt/zammad/lib/cdr_whatsapp_api.rb:ro
-
-  # Also map to scheduler for background jobs
-  zammad-scheduler:
-    volumes:
-      # Models
-      - ${PWD}/packages/zammad-addon-bridge/src/app/models/channel/driver/cdr_signal.rb:/opt/zammad/app/models/channel/driver/cdr_signal.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/app/models/channel/driver/cdr_whatsapp.rb:/opt/zammad/app/models/channel/driver/cdr_whatsapp.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/app/models/ticket/article/enqueue_communicate_cdr_signal_job.rb:/opt/zammad/app/models/ticket/article/enqueue_communicate_cdr_signal_job.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/app/models/ticket/article/enqueue_communicate_cdr_whatsapp_job.rb:/opt/zammad/app/models/ticket/article/enqueue_communicate_cdr_whatsapp_job.rb:ro
-      
-      # Jobs
-      - ${PWD}/packages/zammad-addon-bridge/src/app/jobs/communicate_cdr_signal_job.rb:/opt/zammad/app/jobs/communicate_cdr_signal_job.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/app/jobs/communicate_cdr_whatsapp_job.rb:/opt/zammad/app/jobs/communicate_cdr_whatsapp_job.rb:ro
-      
-      # Config - initializers
-      - ${PWD}/packages/zammad-addon-bridge/src/config/initializers/cdr_signal.rb:/opt/zammad/config/initializers/cdr_signal.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/config/initializers/cdr_whatsapp.rb:/opt/zammad/config/initializers/cdr_whatsapp.rb:ro
-      
-      # Lib files
-      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_signal.rb:/opt/zammad/lib/cdr_signal.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_signal_api.rb:/opt/zammad/lib/cdr_signal_api.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_whatsapp.rb:/opt/zammad/lib/cdr_whatsapp.rb:ro
-      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_whatsapp_api.rb:/opt/zammad/lib/cdr_whatsapp_api.rb:ro

docker/compose/bridge-whatsapp.yml

@@ -0,0 +1,20 @@
+services:
+  bridge-whatsapp:
+    container_name: bridge-whatsapp
+    build:
+      context: ../../
+      dockerfile: ./apps/bridge-whatsapp/Dockerfile
+    image: registry.gitlab.com/digiresilience/link/link-stack/bridge-whatsapp:${LINK_STACK_VERSION}
+    restart: ${RESTART}
+    environment:
+      PORT: 5000
+      NODE_ENV: production
+      BRIDGE_FRONTEND_URL: http://link:3000/link
+    volumes:
+      - bridge-whatsapp-data:/home/node/baileys
+    ports:
+      - 5000:5000
+
+volumes:
+  bridge-whatsapp-data:
+    driver: local

docker/compose/bridge.yml

@@ -22,6 +22,7 @@ x-bridge-vars: &common-bridge-variables
   NEXTAUTH_SECRET: ${NEXTAUTH_SECRET}
   BRIDGE_SIGNAL_URL: ${BRIDGE_SIGNAL_URL}
   BRIDGE_SIGNAL_AUTO_GROUPS: ${BRIDGE_SIGNAL_AUTO_GROUPS}
+  BRIDGE_WHATSAPP_URL: "http://bridge-whatsapp:5000"
   LOG_LEVEL: "debug"
   ZAMMAD_API_TOKEN: ${ZAMMAD_API_TOKEN}
   ZAMMAD_URL: ${ZAMMAD_URL}

docker/compose/link.yml

@@ -16,7 +16,7 @@ services:
       LINK_URL: ${LINK_URL}
       BRIDGE_URL: http://bridge-frontend:3000
       BRIDGE_SIGNAL_URL: http://signal-cli-rest-api:8080
-      BRIDGE_WHATSAPP_URL: http://bridge-whatsapp:3000
+      BRIDGE_WHATSAPP_URL: http://bridge-whatsapp:5000
       ZAMMAD_URL: http://zammad-nginx:8080
       REDIS_URL: "redis://zammad-redis:6379"
       NEXTAUTH_URL: ${LINK_URL}/api/auth

docker/zammad/Dockerfile

@@ -56,9 +56,6 @@ RUN sed -i "s/'flattened'/'flat_object'/g" /opt/zammad/lib/search_index_backend.
 RUN touch db/schema.rb && \
     ZAMMAD_SAFE_MODE=1 DATABASE_URL=postgresql://zammad:/zammad bundle exec rake assets:precompile
 
-# Run additional setup for addons
-RUN bundle exec rails runner /opt/zammad/contrib/link/setup.rb || true
-
 # Clean up build artifacts
 RUN rm -rf tmp/cache node_modules/.cache
 ARG EMBEDDED=false
@@ -78,6 +75,14 @@ RUN if [ "$EMBEDDED" = "true" ] ; then \
     echo "}" >> /opt/zammad/contrib/nginx/zammad.conf; \
 fi
 
+
+# Modify entrypoint to install packages and run migrations at runtime
+RUN sed -i '/^[[:space:]]*# es config/a\
+  echo "Installing addon packages..."\n\
+  bundle exec rails runner /opt/zammad/contrib/link/setup.rb\n\
+  bundle exec rake zammad:package:migrate\n\
+  ' /docker-entrypoint.sh
+
 FROM zammad/zammad-docker-compose:${ZAMMAD_VERSION} AS runner
 USER root
 
@@ -88,37 +93,7 @@ RUN apt-get update && \
     rm -rf /var/lib/apt/lists/* && \
     npm install -g pnpm
 
-# Copy only the modified/added files from builder
-# Copy addon files that were installed
-COPY --from=builder --chown=zammad:zammad /opt/zammad/app/frontend/apps/desktop/pages/ticket/components/TicketDetailView/ /opt/zammad/app/frontend/apps/desktop/pages/ticket/components/TicketDetailView/
-COPY --from=builder --chown=zammad:zammad /opt/zammad/app/frontend/shared/entities/ticket-article/action/plugins/ /opt/zammad/app/frontend/shared/entities/ticket-article/action/plugins/
-COPY --from=builder --chown=zammad:zammad /opt/zammad/db/addon/ /opt/zammad/db/addon/
-COPY --from=builder --chown=zammad:zammad /opt/zammad/app/assets/ /opt/zammad/app/assets/
-COPY --from=builder --chown=zammad:zammad /opt/zammad/app/controllers/*cdr* /opt/zammad/app/controllers/
-COPY --from=builder --chown=zammad:zammad /opt/zammad/app/jobs/*cdr* /opt/zammad/app/jobs/
-COPY --from=builder --chown=zammad:zammad /opt/zammad/app/models/channel/driver/*cdr* /opt/zammad/app/models/channel/driver/
-COPY --from=builder --chown=zammad:zammad /opt/zammad/app/models/ticket/article/*cdr* /opt/zammad/app/models/ticket/article/
-COPY --from=builder --chown=zammad:zammad /opt/zammad/app/policies/controllers/*cdr* /opt/zammad/app/policies/controllers/
-COPY --from=builder --chown=zammad:zammad /opt/zammad/config/initializers/*cdr* /opt/zammad/config/initializers/
-COPY --from=builder --chown=zammad:zammad /opt/zammad/config/routes/*cdr* /opt/zammad/config/routes/
-COPY --from=builder --chown=zammad:zammad /opt/zammad/lib/cdr* /opt/zammad/lib/
-# CRITICAL: Copy modified search_index_backend.rb with OpenSearch fix
-COPY --from=builder --chown=zammad:zammad /opt/zammad/lib/search_index_backend.rb /opt/zammad/lib/search_index_backend.rb
-COPY --from=builder --chown=zammad:zammad /opt/zammad/public/assets/images/icons/*cdr* /opt/zammad/public/assets/images/icons/
-COPY --from=builder --chown=zammad:zammad /opt/zammad/app/views/mailer/ticket_create/ /opt/zammad/app/views/mailer/ticket_create/
-COPY --from=builder --chown=zammad:zammad /opt/zammad/public/assets/images/logo* /opt/zammad/public/assets/images/
-
-# Copy the nginx config if embedded mode was used
-COPY --from=builder --chown=zammad:zammad /opt/zammad/contrib/nginx/zammad.conf /opt/zammad/contrib/nginx/zammad.conf
-
-# Copy the link setup scripts and addons
-COPY --from=builder --chown=zammad:zammad /opt/zammad/contrib/link/ /opt/zammad/contrib/link/
-
-# CRITICAL: Copy compiled assets that include our CoffeeScript changes
-# The builder stage compiles assets at line 47, we must copy them to runner
-COPY --from=builder --chown=zammad:zammad /opt/zammad/public/assets/ /opt/zammad/public/assets/
-
-# Copy the modified entrypoint script
-COPY --from=builder /docker-entrypoint.sh /docker-entrypoint.sh
-
 USER zammad
+COPY --from=builder --chown=zammad:zammad ${ZAMMAD_DIR} ${ZAMMAD_DIR}
+COPY --from=builder /usr/local/bundle /usr/local/bundle
+COPY --from=builder /docker-entrypoint.sh /docker-entrypoint.sh

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack",
-  "version": "3.3.0-beta.1",
+  "version": "3.3.5",
   "description": "Link from the Center for Digital Resilience",
   "scripts": {
     "dev": "dotenv -- turbo dev",

packages/bridge-common/lib/database.ts

@@ -1,19 +1,12 @@
 import { PostgresDialect, CamelCasePlugin } from "kysely";
-import type {
-  GeneratedAlways,
-  Generated,
-  ColumnType,
-  Selectable,
-} from "kysely";
+import type { GeneratedAlways, Generated, ColumnType, Selectable } from "kysely";
 import pg from "pg";
 import { KyselyAuth } from "@auth/kysely-adapter";
 const { Pool, types } = pg;
 
 type Timestamp = ColumnType<Date, Date | string>;
 
-types.setTypeParser(types.builtins.TIMESTAMPTZ, (val) =>
-  new Date(val).toISOString(),
-);
+types.setTypeParser(types.builtins.TIMESTAMPTZ, (val) => new Date(val).toISOString());
 
 type GraphileJob = {
   taskIdentifier: string;
@@ -153,13 +146,23 @@ function getDb(): KyselyAuth<Database> {
   const DATABASE_USER = process.env.DATABASE_USER;
   const DATABASE_PASSWORD = process.env.DATABASE_PASSWORD;
 
-  if (!DATABASE_HOST || !DATABASE_NAME || !DATABASE_PORT || !DATABASE_USER || !DATABASE_PASSWORD) {
-    throw new Error('Missing required database environment variables: DATABASE_HOST, DATABASE_NAME, DATABASE_PORT, DATABASE_USER, DATABASE_PASSWORD');
+  if (
+    !DATABASE_HOST ||
+    !DATABASE_NAME ||
+    !DATABASE_PORT ||
+    !DATABASE_USER ||
+    !DATABASE_PASSWORD
+  ) {
+    throw new Error(
+      "Missing required database environment variables: DATABASE_HOST, DATABASE_NAME, DATABASE_PORT, DATABASE_USER, DATABASE_PASSWORD",
+    );
   }
 
   const port = parseInt(DATABASE_PORT, 10);
   if (isNaN(port) || port < 1 || port > 65535) {
-    throw new Error(`Invalid DATABASE_PORT: ${DATABASE_PORT}. Must be a number between 1 and 65535.`);
+    throw new Error(
+      `Invalid DATABASE_PORT: ${DATABASE_PORT}. Must be a number between 1 and 65535.`,
+    );
   }
 
   _db = new KyselyAuth<Database>({
@@ -185,7 +188,7 @@ export const db = new Proxy({} as KyselyAuth<Database>, {
     const value = (instance as any)[prop];
 
     // If it's a function, bind it to the actual instance to preserve 'this' context
-    if (typeof value === 'function') {
+    if (typeof value === "function") {
       return value.bind(instance);
     }
 

packages/bridge-common/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/bridge-common",
-  "version": "3.3.0-beta.1",
+  "version": "3.3.5",
   "main": "build/main/index.js",
   "type": "module",
   "author": "Darren Clarke <darren@redaranj.com>",

packages/bridge-ui/components/QRCode.tsx

@@ -29,21 +29,30 @@ export const QRCode: FC<QRCodeProps> = ({
 
   useEffect(() => {
     if (!verified && getValue && refreshInterval) {
-      const interval = setInterval(async () => {
+      // Fetch immediately on mount
+      const fetchQR = async () => {
         const { qr, kind } = await getValue(token);
         setValue(qr);
         setKind(kind);
-      }, refreshInterval * 1000);
+      };
+      fetchQR();
+
+      // Then set up interval for refreshes
+      const interval = setInterval(fetchQR, refreshInterval * 1000);
       return () => clearInterval(interval);
     }
-  }, [getValue, refreshInterval]);
+  }, [getValue, refreshInterval, token, verified]);
 
   return !verified ? (
     <Box sx={{ backgroundColor: white, m: 2 }}>
-      {kind === "data" ? (
-        <QRCodeInternal value={value} />
+      {value ? (
+        kind === "data" ? (
+          <QRCodeInternal value={value} />
+        ) : (
+          <img src={value} alt={name} />
+        )
       ) : (
-        <img src={value} alt={name} />
+        <Box>Loading QR code...</Box>
       )}
       <Box>{helperText}</Box>
     </Box>

packages/bridge-ui/config/whatsapp.ts

@@ -2,11 +2,28 @@ import { ServiceConfig } from "../lib/service";
 // import { generateSelectOneAction } from "../lib/actions";
 
 const getQRCode = async (token: string) => {
-  const url = `/link/api/whatsapp/bots/${token}`;
-  const result = await fetch(url, { cache: "no-store" });
-  const { qr } = await result.json();
+  try {
+    const url = `/link/api/whatsapp/bots/${token}`;
+    const result = await fetch(url, { cache: "no-store" });
 
-  return { qr, kind: "data" };
+    if (!result.ok) {
+      console.error(`Failed to fetch QR code: ${result.status} ${result.statusText}`);
+      return { qr: "", kind: "data" };
+    }
+
+    const data = await result.json();
+    const { qr } = data;
+
+    if (!qr) {
+      console.error("No QR code in response");
+      return { qr: "", kind: "data" };
+    }
+
+    return { qr, kind: "data" };
+  } catch (error) {
+    console.error("Error fetching QR code:", error);
+    return { qr: "", kind: "data" };
+  }
 };
 
 export const whatsappConfig: ServiceConfig = {

packages/bridge-ui/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/bridge-ui",
-  "version": "3.3.0-beta.1",
+  "version": "3.3.5",
   "scripts": {
     "build": "tsc -p tsconfig.json"
   },
@@ -11,7 +11,7 @@
     "@mui/material": "^6",
     "@mui/x-data-grid-pro": "^7",
     "kysely": "0.27.5",
-    "next": "15.5.4",
+    "next": "15.5.9",
     "react": "19.2.0",
     "react-dom": "19.2.0",
     "react-qr-code": "^2.0.18"

packages/eslint-config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/eslint-config",
-  "version": "3.3.0-beta.1",
+  "version": "3.3.5",
   "description": "amigo's eslint config",
   "main": "index.js",
   "author": "Abel Luck <abel@guardianproject.info>",

packages/jest-config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/jest-config",
-  "version": "3.3.0-beta.1",
+  "version": "3.3.5",
   "description": "",
   "main": "index.js",
   "author": "Abel Luck <abel@guardianproject.info>",

packages/logger/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/logger",
-  "version": "3.3.0-beta.1",
+  "version": "3.3.5",
   "description": "Shared logging utility for Link Stack monorepo",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",

packages/signal-api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/signal-api",
-  "version": "3.3.0-beta.1",
+  "version": "3.3.5",
   "type": "module",
   "main": "build/index.js",
   "exports": {

packages/typescript-config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/typescript-config",
-  "version": "3.3.0-beta.1",
+  "version": "3.3.5",
   "description": "Shared TypeScript config",
   "license": "AGPL-3.0-or-later",
   "author": "Abel Luck <abel@guardianproject.info>",

packages/ui/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/ui",
-  "version": "3.3.0-beta.1",
+  "version": "3.3.5",
   "description": "",
   "scripts": {
     "build": "tsc -p tsconfig.json"
@@ -11,7 +11,7 @@
     "@mui/material": "^6",
     "@mui/x-data-grid-pro": "^7",
     "@mui/x-license": "^7",
-    "next": "15.5.4",
+    "next": "15.5.9",
     "react": "19.2.0",
     "react-dom": "19.2.0"
   },

packages/zammad-addon-bridge/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@link-stack/zammad-addon-bridge",
   "displayName": "Bridge",
-  "version": "3.3.0-beta.1",
+  "version": "3.3.5",
   "description": "An addon that adds CDR Bridge channels to Zammad.",
   "scripts": {
     "build": "node '../zammad-addon-common/dist/build.js'",

packages/zammad-addon-bridge/src/app/assets/javascripts/app/controllers/ticket_zoom/article_action/cdr_whatsapp.coffee

@@ -45,13 +45,6 @@ class CdrWhatsappReply
   @articleTypes: (articleTypes, ticket, ui) ->
     return articleTypes if !ui.permissionCheck('ticket.agent')
 
-    # Check CDR Link allowed channels setting
-    allowedChannels = ui.Config.get('cdr_link_allowed_channels')
-    if allowedChannels && allowedChannels.trim()
-      whitelist = (channel.trim() for channel in allowedChannels.split(','))
-      # Return early if 'cdr_whatsapp' or 'whatsapp message' not in whitelist
-      return articleTypes if 'cdr_whatsapp' not in whitelist && 'whatsapp message' not in whitelist
-
     return articleTypes if !ticket || !ticket.create_article_type_id
 
     articleTypeCreate = App.TicketArticleType.find(ticket.create_article_type_id).name

packages/zammad-addon-bridge/src/app/controllers/cdr_signal_channels_controller.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class CdrSignalChannelsController < ApplicationController
+  prepend_before_action -> { authentication_check && authorize! }
+
+  def index
+    channels = Channel.where(area: 'Signal::Number', active: true).map do |channel|
+      {
+        id: channel.id,
+        phone_number: channel.options['phone_number'],
+        bot_endpoint: channel.options['bot_endpoint']
+        # bot_token intentionally excluded - bridge-worker should look it up from cdr database
+      }
+    end
+
+    render json: channels
+  end
+end

packages/zammad-addon-bridge/src/app/controllers/channels_cdr_signal_controller.rb

@@ -115,13 +115,22 @@ class ChannelsCdrSignalController < ApplicationController
 
     channel = channel_for_token(token)
     return render json: {}, status: 401 if !channel || !channel.active
-    return render json: {}, status: 401 if channel.options[:token] != token
+    # Use constant-time comparison to prevent timing attacks
+    return render json: {}, status: 401 unless ActiveSupport::SecurityUtils.secure_compare(
+      channel.options[:token].to_s,
+      token.to_s
+    )
 
     # Handle group creation events
     if params[:event] == 'group_created'
       return update_group
     end
 
+    # Handle group member joined events
+    if params[:event] == 'group_member_joined'
+      return handle_group_member_joined
+    end
+
     channel_id = channel.id
 
     # validate input
@@ -213,38 +222,13 @@ class ChannelsCdrSignalController < ApplicationController
       Rails.logger.info "Channel ID: #{channel.id}"
 
       begin
-        # For group messages, search all tickets regardless of customer
-        # since users may have duplicate phone numbers
-        all_tickets = Ticket.where.not(state_id: state_ids)
-                           .order(updated_at: :desc)
-
-        Rails.logger.info "Found #{all_tickets.count} active tickets (searching all customers for group match)"
-
-        ticket = all_tickets.find do |t|
-          begin
-            has_preferences = t.preferences.is_a?(Hash)
-            has_cdr_signal = has_preferences && t.preferences['cdr_signal'].is_a?(Hash)
-            has_channel_id = has_preferences && t.preferences['channel_id'] == channel.id
-
-            if has_cdr_signal && has_channel_id
-              stored_chat_id = t.preferences['cdr_signal']['chat_id']
-
-              Rails.logger.info "  - stored_chat_id: #{stored_chat_id}"
-              Rails.logger.info "  - incoming_group_id: #{receiver_phone_number}"
-
-              matches = receiver_phone_number == stored_chat_id
-              Rails.logger.info "  - MATCH: #{matches}"
-
-              matches
-            else
-              Rails.logger.info "Ticket ##{t.number} has no cdr_signal preferences or wrong channel"
-              false
-            end
-          rescue => e
-            Rails.logger.error "Error checking ticket #{t.id}: #{e.message}"
-            false
-          end
-        end
+        # Use text search on preferences YAML to efficiently find tickets without loading all into memory
+        # This prevents DoS attacks from memory exhaustion
+        ticket = Ticket.where.not(state_id: state_ids)
+                      .where("preferences LIKE ?", "%channel_id: #{channel.id}%")
+                      .where("preferences LIKE ?", "%chat_id: #{receiver_phone_number}%")
+                      .order(updated_at: :desc)
+                      .first
 
         if ticket
           Rails.logger.info "=== FOUND MATCHING TICKET BY GROUP ID: ##{ticket.number} ==="
@@ -397,6 +381,10 @@ class ChannelsCdrSignalController < ApplicationController
     ticket.preferences[:cdr_signal][:original_recipient] = params[:original_recipient] if params[:original_recipient].present?
     ticket.preferences[:cdr_signal][:group_created_at] = params[:timestamp] if params[:timestamp].present?
 
+    # Track whether user has joined the group (initially false)
+    # This will be updated to true when we receive a group join event from Signal
+    ticket.preferences[:cdr_signal][:group_joined] = params[:group_joined] if params.key?(:group_joined)
+
     ticket.save!
 
     Rails.logger.info "Signal group #{params[:group_id]} associated with ticket #{ticket.id}"
@@ -407,4 +395,74 @@ class ChannelsCdrSignalController < ApplicationController
       ticket_number: ticket.number
     }, status: :ok
   end
+
+  # Webhook endpoint for receiving group member joined notifications from bridge-worker
+  # This is called when a user accepts the Signal group invitation
+  # Expected payload:
+  # {
+  #   "event": "group_member_joined",
+  #   "group_id": "group.base64encodedid",
+  #   "member_phone": "+1234567890",
+  #   "timestamp": "ISO8601 timestamp"
+  # }
+  def handle_group_member_joined
+    # Validate required parameters
+    errors = {}
+    errors['event'] = 'required' unless params[:event].present?
+    errors['group_id'] = 'required' unless params[:group_id].present?
+    errors['member_phone'] = 'required' unless params[:member_phone].present?
+
+    if errors.present?
+      render json: {
+        errors: errors
+      }, status: :bad_request
+      return
+    end
+
+    # Find ticket(s) with this group_id in preferences
+    # Use text search on preferences YAML for efficient lookup (prevents DoS from loading all tickets)
+    state_ids = Ticket::State.where(name: %w[closed merged removed]).pluck(:id)
+
+    ticket = Ticket.where.not(state_id: state_ids)
+                  .where("preferences LIKE ?", "%chat_id: #{params[:group_id]}%")
+                  .order(updated_at: :desc)
+                  .first
+
+    unless ticket
+      Rails.logger.warn "Signal group member joined: Ticket not found for group_id #{params[:group_id]}"
+      render json: { error: 'Ticket not found for this group' }, status: :not_found
+      return
+    end
+
+    # Idempotency check: if already marked as joined, skip update and return success
+    # This prevents unnecessary database writes when the cron job sends duplicate notifications
+    if ticket.preferences.dig('cdr_signal', 'group_joined') == true
+      Rails.logger.debug "Signal group member #{params[:member_phone]} already marked as joined for group #{params[:group_id]} ticket #{ticket.id}, skipping update"
+      render json: {
+        success: true,
+        ticket_id: ticket.id,
+        ticket_number: ticket.number,
+        group_joined: true,
+        already_joined: true
+      }, status: :ok
+      return
+    end
+
+    # Update group_joined flag
+    member_phone = params[:member_phone]
+    ticket.preferences[:cdr_signal][:group_joined] = true
+    ticket.preferences[:cdr_signal][:group_joined_at] = params[:timestamp] if params[:timestamp].present?
+    ticket.preferences[:cdr_signal][:group_joined_by] = member_phone
+
+    ticket.save!
+
+    Rails.logger.info "Signal group member #{member_phone} joined group #{params[:group_id]} for ticket #{ticket.id}"
+
+    render json: {
+      success: true,
+      ticket_id: ticket.id,
+      ticket_number: ticket.number,
+      group_joined: true
+    }, status: :ok
+  end
 end

packages/zammad-addon-bridge/src/app/jobs/communicate_cdr_signal_job.rb

@@ -30,6 +30,25 @@ class CommunicateCdrSignalJob < ApplicationJob
       log_error(article,
                 "Can't find ticket.preferences['cdr_signal']['chat_id'] for Ticket.find(#{article.ticket_id})")
     end
+
+    # Check if this is a group chat and if the user has joined
+    chat_id = ticket.preferences['cdr_signal']['chat_id']
+    is_group_chat = chat_id&.start_with?('group.')
+    group_joined = ticket.preferences.dig('cdr_signal', 'group_joined')
+
+    # If this is a group chat and user hasn't joined yet, don't send the message
+    if is_group_chat && group_joined == false
+      Rails.logger.info "Ticket ##{ticket.number}: User hasn't joined Signal group yet, skipping message delivery"
+
+      # Mark article as pending delivery
+      article.preferences['delivery_status'] = 'pending'
+      article.preferences['delivery_status_message'] = 'Waiting for user to join Signal group'
+      article.preferences['delivery_status_date'] = Time.zone.now
+      article.save!
+
+      # Retry later when user might have joined
+      raise 'User has not joined Signal group yet'
+    end
     channel = ::CdrSignal.bot_by_bot_token(ticket.preferences['cdr_signal']['bot_token'])
     channel ||= ::Channel.lookup(id: ticket.preferences['channel_id'])
     unless channel

packages/zammad-addon-bridge/src/app/policies/controllers/cdr_signal_channels_controller_policy.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Controllers
+  class CdrSignalChannelsControllerPolicy < Controllers::ApplicationControllerPolicy
+    def index?
+      user.permissions?('admin.channel')
+    end
+  end
+end

packages/zammad-addon-bridge/src/config/routes/cdr_signal_channels.rb

@@ -0,0 +1,5 @@
+Zammad::Application.routes.draw do
+  api_path = Rails.configuration.api_path
+
+  match api_path + '/cdr_signal_channels', to: 'cdr_signal_channels#index', via: :get
+end

packages/zammad-addon-common/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/zammad-addon-common",
-  "version": "3.3.0-beta.1",
+  "version": "3.3.5",
   "description": "",
   "bin": {
     "zpm-build": "./dist/build.js",

packages/zammad-addon-hardening/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@link-stack/zammad-addon-hardening",
   "displayName": "Hardening",
-  "version": "3.3.0-beta.1",
+  "version": "3.3.5",
   "description": "A Zammad addon that hardens a Zammad instance according to CDR's needs.",
   "scripts": {
     "build": "node '../zammad-addon-common/dist/build.js'",

set_channel_setting.rb

@@ -1,9 +0,0 @@
-#!/usr/bin/env ruby
-
-require '/opt/zammad/config/boot'
-require '/opt/zammad/config/application'
-
-Rails.application.initialize!
-
-Setting.set('cdr_link_allowed_channels', 'note,cdr_signal,email')
-puts "Setting 'cdr_link_allowed_channels' has been set to: 'note,cdr_signal,email'"