Update version

- Signal: Use base64Attachments field in signal-cli-rest-api
- WhatsApp: Implement Baileys attachment sending for images, videos, audio, and documents
- Both channels retrieve attachments from Zammad Store model
- Support multiple attachments per message

.gitlab-ci.yml

@@ -20,13 +20,11 @@ build-all:
     - turbo build
 
 .docker-build:
-  image: registry.gitlab.com/digiresilience/link/link-stack/buildx:main
+  image: registry.gitlab.com/digiresilience/link/link-stack/buildx:${CI_COMMIT_REF_NAME}
   services:
     - docker:dind
   stage: docker-build
   variables:
-    DOCKER_HOST: tcp://docker:2375
-    DOCKER_TLS_CERTDIR: ""
     DOCKER_TAG: ${CI_COMMIT_SHORT_SHA}
     BUILD_CONTEXT: .
   only:
@@ -39,13 +37,11 @@ build-all:
     - docker push ${DOCKER_NS}:${DOCKER_TAG}
 
 .docker-release:
-  image: registry.gitlab.com/digiresilience/link/link-stack/buildx:main
+  image: registry.gitlab.com/digiresilience/link/link-stack/buildx:${CI_COMMIT_REF_NAME}
   services:
     - docker:dind
   stage: docker-release
   variables:
-    DOCKER_HOST: tcp://docker:2375
-    DOCKER_TLS_CERTDIR: ""
     DOCKER_TAG: ${CI_COMMIT_SHORT_SHA}
     DOCKER_TAG_NEW: ${CI_COMMIT_REF_NAME}
   only:
@@ -199,8 +195,8 @@ zammad-docker-build:
     PNPM_HOME: "/pnpm"
   before_script:
     - export PATH="$PNPM_HOME:$PATH"
-    - corepack enable && corepack prepare pnpm@9.15.4 --activate
   script:
+    - corepack enable && corepack prepare pnpm@9.15.4 --activate
     - pnpm add -g turbo
     - pnpm install --frozen-lockfile
     - turbo build --force --filter @link-stack/zammad-addon-*
@@ -222,8 +218,8 @@ zammad-standalone-docker-build:
     PNPM_HOME: "/pnpm"
   before_script:
     - export PATH="$PNPM_HOME:$PATH"
-    - corepack enable && corepack prepare pnpm@9.15.4 --activate
   script:
+    - corepack enable && corepack prepare pnpm@9.15.4 --activate
     - pnpm add -g turbo
     - pnpm install --frozen-lockfile
     - turbo build --force --filter @link-stack/zammad-addon-*

README.md

@@ -20,4 +20,3 @@ We use [Turborepo](https://turbo.build) to manage development and building of th
 To run a single package:
 
 - `turbo dev --filter @link-stack/link`
-

apps/bridge-frontend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/bridge-frontend",
-  "version": "3.3.5",
+  "version": "3.3.0-beta.4",
   "type": "module",
   "scripts": {
     "dev": "next dev",
@@ -20,7 +20,7 @@
     "@mui/x-license": "^7",
     "@link-stack/bridge-common": "workspace:*",
     "@link-stack/bridge-ui": "workspace:*",
-    "next": "15.5.9",
+    "next": "15.5.4",
     "next-auth": "^4.24.11",
     "react": "19.2.0",
     "react-dom": "19.2.0",

apps/bridge-migrations/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/bridge-migrations",
-  "version": "3.3.5",
+  "version": "3.3.0-beta.4",
   "type": "module",
   "scripts": {
     "migrate:up:all": "tsx migrate.ts up:all",

apps/bridge-whatsapp/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/bridge-whatsapp",
-  "version": "3.3.5",
+  "version": "3.3.0-beta.4",
   "main": "build/main/index.js",
   "author": "Darren Clarke <darren@redaranj.com>",
   "license": "AGPL-3.0-or-later",
@@ -11,7 +11,7 @@
     "@hapipal/toys": "^4.0.0",
     "@link-stack/bridge-common": "workspace:*",
     "@link-stack/logger": "workspace:*",
-    "@whiskeysockets/baileys": "6.7.21",
+    "@whiskeysockets/baileys": "^6.7.21",
     "hapi-pino": "^13.0.0",
     "link-preview-js": "^3.1.0"
   },

apps/bridge-whatsapp/src/service.ts

@@ -26,7 +26,11 @@ export default class WhatsappService extends Service {
   connections: { [key: string]: any } = {};
   loginConnections: { [key: string]: any } = {};
 
-  static browserDescription: [string, string, string] = ["Bridge", "Chrome", "2.0"];
+  static browserDescription: [string, string, string] = [
+    "Bridge",
+    "Chrome",
+    "2.0",
+  ];
 
   constructor(server: Server, options: never) {
     super(server, options);
@@ -43,7 +47,7 @@ export default class WhatsappService extends Service {
     }
 
     // Prevent path traversal by checking for suspicious patterns
-    if (id.includes("..") || id.includes("/") || id.includes("\\")) {
+    if (id.includes('..') || id.includes('/') || id.includes('\\')) {
       throw new Error(`Path traversal detected in bot ID: ${id}`);
     }
 
@@ -98,14 +102,20 @@ export default class WhatsappService extends Service {
       auth: state,
       generateHighQualityLinkPreview: false,
       msgRetryCounterMap,
-      shouldIgnoreJid: (jid) => isJidBroadcast(jid) || isJidStatusBroadcast(jid),
+      shouldIgnoreJid: (jid) =>
+        isJidBroadcast(jid) || isJidStatusBroadcast(jid),
     });
     let pause = 5000;
 
     socket.ev.process(async (events) => {
       if (events["connection.update"]) {
         const update = events["connection.update"];
-        const { connection: connectionState, lastDisconnect, qr, isNewLogin } = update;
+        const {
+          connection: connectionState,
+          lastDisconnect,
+          qr,
+          isNewLogin,
+        } = update;
         if (qr) {
           logger.info("got qr code");
           const botDirectory = this.getBotDirectory(botID);
@@ -120,7 +130,8 @@ export default class WhatsappService extends Service {
           logger.info("opened connection");
         } else if (connectionState === "close") {
           logger.info({ lastDisconnect }, "connection closed");
-          const disconnectStatusCode = (lastDisconnect?.error as any)?.output?.statusCode;
+          const disconnectStatusCode = (lastDisconnect?.error as any)?.output
+            ?.statusCode;
           if (disconnectStatusCode === DisconnectReason.restartRequired) {
             logger.info("reconnecting after got new login");
             await this.createConnection(botID, server, options);
@@ -163,7 +174,10 @@ export default class WhatsappService extends Service {
       const verifiedFile = `${directory}/verified`;
       if (fs.existsSync(verifiedFile)) {
         const { version, isLatest } = await fetchLatestBaileysVersion();
-        logger.info({ version: version.join("."), isLatest }, "using WA version");
+        logger.info(
+          { version: version.join("."), isLatest },
+          "using WA version",
+        );
 
         await this.createConnection(botID, this.server, {
           browser: WhatsappService.browserDescription,
@@ -174,7 +188,10 @@ export default class WhatsappService extends Service {
     }
   }
 
-  private async queueMessage(botID: string, webMessageInfo: proto.IWebMessageInfo) {
+  private async queueMessage(
+    botID: string,
+    webMessageInfo: proto.IWebMessageInfo,
+  ) {
     const {
       key: { id, fromMe, remoteJid },
       message,
@@ -187,9 +204,11 @@ export default class WhatsappService extends Service {
         "Message field",
       );
     }
-    const isValidMessage = message && remoteJid !== "status@broadcast" && !fromMe;
+    const isValidMessage =
+      message && remoteJid !== "status@broadcast" && !fromMe;
     if (isValidMessage) {
-      const { audioMessage, documentMessage, imageMessage, videoMessage } = message;
+      const { audioMessage, documentMessage, imageMessage, videoMessage } =
+        message;
       const isMediaMessage =
         audioMessage || documentMessage || imageMessage || videoMessage;
 
@@ -269,7 +288,10 @@ export default class WhatsappService extends Service {
     }
   }
 
-  private async queueUnreadMessages(botID: string, messages: proto.IWebMessageInfo[]) {
+  private async queueUnreadMessages(
+    botID: string,
+    messages: proto.IWebMessageInfo[],
+  ) {
     for await (const message of messages) {
       await this.queueMessage(botID, message);
     }
@@ -312,7 +334,10 @@ export default class WhatsappService extends Service {
     }
   }
 
-  async register(botID: string, callback?: AuthCompleteCallback): Promise<void> {
+  async register(
+    botID: string,
+    callback?: AuthCompleteCallback,
+  ): Promise<void> {
     const { version } = await fetchLatestBaileysVersion();
     await this.createConnection(
       botID,
@@ -330,10 +355,7 @@ export default class WhatsappService extends Service {
     attachments?: Array<{ data: string; filename: string; mime_type: string }>,
   ): Promise<void> {
     const connection = this.connections[botID]?.socket;
-    const digits = phoneNumber.replace(/\D+/g, "");
-    // LIDs are 15+ digits, phone numbers with country code are typically 10-14 digits
-    const suffix = digits.length > 14 ? "@lid" : "@s.whatsapp.net";
-    const recipient = `${digits}${suffix}`;
+    const recipient = `${phoneNumber.replace(/\D+/g, "")}@s.whatsapp.net`;
 
     // Send text message if provided
     if (message) {
@@ -346,9 +368,7 @@ export default class WhatsappService extends Service {
       const MAX_TOTAL_SIZE = getMaxTotalAttachmentSize();
 
       if (attachments.length > MAX_ATTACHMENTS) {
-        throw new Error(
-          `Too many attachments: ${attachments.length} (max ${MAX_ATTACHMENTS})`,
-        );
+        throw new Error(`Too many attachments: ${attachments.length} (max ${MAX_ATTACHMENTS})`);
       }
 
       let totalSize = 0;
@@ -358,26 +378,20 @@ export default class WhatsappService extends Service {
         const estimatedSize = (attachment.data.length * 3) / 4;
 
         if (estimatedSize > MAX_ATTACHMENT_SIZE) {
-          logger.warn(
-            {
+          logger.warn({
             filename: attachment.filename,
             size: estimatedSize,
-              maxSize: MAX_ATTACHMENT_SIZE,
-            },
-            "Attachment exceeds size limit, skipping",
-          );
+            maxSize: MAX_ATTACHMENT_SIZE
+          }, 'Attachment exceeds size limit, skipping');
           continue;
         }
 
         totalSize += estimatedSize;
         if (totalSize > MAX_TOTAL_SIZE) {
-          logger.warn(
-            {
+          logger.warn({
             totalSize,
-              maxTotalSize: MAX_TOTAL_SIZE,
-            },
-            "Total attachment size exceeds limit, skipping remaining",
-          );
+            maxTotalSize: MAX_TOTAL_SIZE
+          }, 'Total attachment size exceeds limit, skipping remaining');
           break;
         }
 

apps/bridge-worker/lib/zammad.ts

@@ -100,57 +100,19 @@ export const Zammad = (
   };
 };
 
-/**
- * Sanitizes phone number to E.164 format: +15554446666
- * Strips all non-digit characters except +, ensures + prefix
- * @param phoneNumber - Raw phone number (e.g., "(555) 444-6666", "5554446666", "+1 555 444 6666")
- * @returns E.164 formatted phone number (e.g., "+15554446666")
- * @throws Error if phone number is invalid
- */
-export const sanitizePhoneNumber = (phoneNumber: string): string => {
-  // Remove all characters except digits and +
-  let cleaned = phoneNumber.replace(/[^\d+]/g, "");
+export const getUser = async (zammad: ZammadClient, phoneNumber: string) => {
+  // Sanitize phone number: only allow digits and + symbol
+  const mungedNumber = phoneNumber.replace(/[^\d+]/g, "");
 
-  // Ensure it starts with +
-  if (!cleaned.startsWith("+")) {
-    // Assume US/Canada if no country code (11 digits starting with 1, or 10 digits)
-    if (cleaned.length === 10) {
-      cleaned = "+1" + cleaned;
-    } else if (cleaned.length === 11 && cleaned.startsWith("1")) {
-      cleaned = "+" + cleaned;
-    } else if (cleaned.length >= 10) {
-      // International number without +, add it
-      cleaned = "+" + cleaned;
-    }
-  }
-
-  // Validate E.164 format: + followed by 10-15 digits
-  if (!/^\+\d{10,15}$/.test(cleaned)) {
+  // Validate phone number format (10-15 digits, optional + prefix)
+  if (!/^\+?\d{10,15}$/.test(mungedNumber)) {
     throw new Error(`Invalid phone number format: ${phoneNumber}`);
   }
 
-  return cleaned;
-};
-
-export const getUser = async (zammad: ZammadClient, phoneNumber: string) => {
-  // Sanitize to E.164 format
-  const sanitized = sanitizePhoneNumber(phoneNumber);
-
-  // Remove + for Zammad search query
-  const searchNumber = sanitized.replace("+", "");
-
-  // Try sanitized format first (e.g., "6464229653" for "+16464229653")
-  let results = await zammad.user.search(`phone:${searchNumber}`);
+  // Remove + for search query
+  const searchNumber = mungedNumber.replace("+", "");
+  const results = await zammad.user.search(`phone:${searchNumber}`);
   if (results.length > 0) return results[0];
-
-  // Fall back to searching for original input (handles legacy formatted numbers)
-  // This ensures we can find users with "(646) 422-9653" format in database
-  const originalCleaned = phoneNumber.replace(/[^\d+]/g, "").replace("+", "");
-  if (originalCleaned !== searchNumber) {
-    results = await zammad.user.search(`phone:${originalCleaned}`);
-    if (results.length > 0) return results[0];
-  }
-
   return undefined;
 };
 
@@ -161,11 +123,8 @@ export const getOrCreateUser = async (
   const customer = await getUser(zammad, phoneNumber);
   if (customer) return customer;
 
-  // Sanitize phone number to E.164 format before storing
-  const sanitized = sanitizePhoneNumber(phoneNumber);
-
   return zammad.user.create({
-    phone: sanitized,
+    phone: phoneNumber,
     note: "User created from incoming voice call",
   });
 };

apps/bridge-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/bridge-worker",
-  "version": "3.3.5",
+  "version": "3.3.0-beta.4",
   "type": "module",
   "main": "build/main/index.js",
   "author": "Darren Clarke <darren@redaranj.com>",

apps/bridge-worker/tasks/formstack/create-ticket-from-form.ts

@@ -1,6 +1,6 @@
 import { createLogger } from "@link-stack/logger";
 import { db } from "@link-stack/bridge-common";
-import { Zammad, getUser, sanitizePhoneNumber } from "../../lib/zammad.js";
+import { Zammad, getUser } from "../../lib/zammad.js";
 import {
   loadFieldMapping,
   getFieldValue,
@@ -55,35 +55,12 @@ const createTicketFromFormTask = async (
 
   // Extract well-known fields used for special logic (all optional)
   const email = getFieldValue(formData, "email", mapping);
-  const rawPhone = getFieldValue(formData, "phone", mapping);
-  const rawSignalAccount = getFieldValue(formData, "signalAccount", mapping);
+  const phone = getFieldValue(formData, "phone", mapping);
+  const signalAccount = getFieldValue(formData, "signalAccount", mapping);
   const organization = getFieldValue(formData, "organization", mapping);
   const typeOfSupport = getFieldValue(formData, "typeOfSupport", mapping);
   const descriptionOfIssue = getFieldValue(formData, "descriptionOfIssue", mapping);
 
-  // Sanitize phone numbers to E.164 format (+15554446666)
-  let phone: string | undefined;
-  if (rawPhone) {
-    try {
-      phone = sanitizePhoneNumber(rawPhone);
-      logger.info({ rawPhone, sanitized: phone }, "Sanitized phone number");
-    } catch (error: any) {
-      logger.warn({ rawPhone, error: error.message }, "Invalid phone number format, ignoring");
-      phone = undefined;
-    }
-  }
-
-  let signalAccount: string | undefined;
-  if (rawSignalAccount) {
-    try {
-      signalAccount = sanitizePhoneNumber(rawSignalAccount);
-      logger.info({ rawSignalAccount, sanitized: signalAccount }, "Sanitized signal account");
-    } catch (error: any) {
-      logger.warn({ rawSignalAccount, error: error.message }, "Invalid signal account format, ignoring");
-      signalAccount = undefined;
-    }
-  }
-
   // Validate that at least one contact method is provided
   if (!email && !phone && !signalAccount) {
     logger.error(

apps/link/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/link",
-  "version": "3.3.5",
+  "version": "3.3.0-beta.4",
   "type": "module",
   "scripts": {
     "dev": "next dev -H 0.0.0.0",
@@ -31,7 +31,7 @@
     "graphql-request": "^7.2.0",
     "ioredis": "^5.8.1",
     "mui-chips-input": "^6.0.0",
-    "next": "15.5.9",
+    "next": "15.5.4",
     "next-auth": "^4.24.11",
     "react": "19.2.0",
     "react-cookie": "^8.0.1",

docker-compose.bridge-dev.yml

@@ -0,0 +1,67 @@
+version: '3.8'
+
+services:
+  zammad-railsserver:
+    volumes:
+      # Controllers
+      - ${PWD}/packages/zammad-addon-bridge/src/app/controllers/channels_cdr_signal_controller.rb:/opt/zammad/app/controllers/channels_cdr_signal_controller.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/controllers/channels_cdr_voice_controller.rb:/opt/zammad/app/controllers/channels_cdr_voice_controller.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/controllers/channels_cdr_whatsapp_controller.rb:/opt/zammad/app/controllers/channels_cdr_whatsapp_controller.rb:ro
+      
+      # Models
+      - ${PWD}/packages/zammad-addon-bridge/src/app/models/channel/driver/cdr_signal.rb:/opt/zammad/app/models/channel/driver/cdr_signal.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/models/channel/driver/cdr_whatsapp.rb:/opt/zammad/app/models/channel/driver/cdr_whatsapp.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/models/ticket/article/enqueue_communicate_cdr_signal_job.rb:/opt/zammad/app/models/ticket/article/enqueue_communicate_cdr_signal_job.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/models/ticket/article/enqueue_communicate_cdr_whatsapp_job.rb:/opt/zammad/app/models/ticket/article/enqueue_communicate_cdr_whatsapp_job.rb:ro
+      
+      # Jobs
+      - ${PWD}/packages/zammad-addon-bridge/src/app/jobs/communicate_cdr_signal_job.rb:/opt/zammad/app/jobs/communicate_cdr_signal_job.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/jobs/communicate_cdr_whatsapp_job.rb:/opt/zammad/app/jobs/communicate_cdr_whatsapp_job.rb:ro
+      
+      # Policies
+      - ${PWD}/packages/zammad-addon-bridge/src/app/policies/controllers/channels_cdr_signal_controller_policy.rb:/opt/zammad/app/policies/controllers/channels_cdr_signal_controller_policy.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/policies/controllers/channels_cdr_voice_controller_policy.rb:/opt/zammad/app/policies/controllers/channels_cdr_voice_controller_policy.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/policies/controllers/channels_cdr_whatsapp_controller_policy.rb:/opt/zammad/app/policies/controllers/channels_cdr_whatsapp_controller_policy.rb:ro
+      
+      # Config - initializers
+      - ${PWD}/packages/zammad-addon-bridge/src/config/initializers/cdr_signal.rb:/opt/zammad/config/initializers/cdr_signal.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/config/initializers/cdr_whatsapp.rb:/opt/zammad/config/initializers/cdr_whatsapp.rb:ro
+      
+      # Config - routes
+      - ${PWD}/packages/zammad-addon-bridge/src/config/routes/channel_cdr_signal.rb:/opt/zammad/config/routes/channel_cdr_signal.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/config/routes/channel_cdr_voice.rb:/opt/zammad/config/routes/channel_cdr_voice.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/config/routes/channel_cdr_whatsapp.rb:/opt/zammad/config/routes/channel_cdr_whatsapp.rb:ro
+      
+      # Database migrations
+      - ${PWD}/packages/zammad-addon-bridge/src/db/addon/bridge/20210525091356_cdr_signal_channel.rb:/opt/zammad/db/addon/bridge/20210525091356_cdr_signal_channel.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/db/addon/bridge/20210525091357_cdr_voice_channel.rb:/opt/zammad/db/addon/bridge/20210525091357_cdr_voice_channel.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/db/addon/bridge/20210525091358_cdr_whatsapp_channel.rb:/opt/zammad/db/addon/bridge/20210525091358_cdr_whatsapp_channel.rb:ro
+      
+      # Lib files
+      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_signal.rb:/opt/zammad/lib/cdr_signal.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_signal_api.rb:/opt/zammad/lib/cdr_signal_api.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_whatsapp.rb:/opt/zammad/lib/cdr_whatsapp.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_whatsapp_api.rb:/opt/zammad/lib/cdr_whatsapp_api.rb:ro
+
+  # Also map to scheduler for background jobs
+  zammad-scheduler:
+    volumes:
+      # Models
+      - ${PWD}/packages/zammad-addon-bridge/src/app/models/channel/driver/cdr_signal.rb:/opt/zammad/app/models/channel/driver/cdr_signal.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/models/channel/driver/cdr_whatsapp.rb:/opt/zammad/app/models/channel/driver/cdr_whatsapp.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/models/ticket/article/enqueue_communicate_cdr_signal_job.rb:/opt/zammad/app/models/ticket/article/enqueue_communicate_cdr_signal_job.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/models/ticket/article/enqueue_communicate_cdr_whatsapp_job.rb:/opt/zammad/app/models/ticket/article/enqueue_communicate_cdr_whatsapp_job.rb:ro
+      
+      # Jobs
+      - ${PWD}/packages/zammad-addon-bridge/src/app/jobs/communicate_cdr_signal_job.rb:/opt/zammad/app/jobs/communicate_cdr_signal_job.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/jobs/communicate_cdr_whatsapp_job.rb:/opt/zammad/app/jobs/communicate_cdr_whatsapp_job.rb:ro
+      
+      # Config - initializers
+      - ${PWD}/packages/zammad-addon-bridge/src/config/initializers/cdr_signal.rb:/opt/zammad/config/initializers/cdr_signal.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/config/initializers/cdr_whatsapp.rb:/opt/zammad/config/initializers/cdr_whatsapp.rb:ro
+      
+      # Lib files
+      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_signal.rb:/opt/zammad/lib/cdr_signal.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_signal_api.rb:/opt/zammad/lib/cdr_signal_api.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_whatsapp.rb:/opt/zammad/lib/cdr_whatsapp.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_whatsapp_api.rb:/opt/zammad/lib/cdr_whatsapp_api.rb:ro

docker/zammad/Dockerfile

@@ -56,6 +56,9 @@ RUN sed -i "s/'flattened'/'flat_object'/g" /opt/zammad/lib/search_index_backend.
 RUN touch db/schema.rb && \
     ZAMMAD_SAFE_MODE=1 DATABASE_URL=postgresql://zammad:/zammad bundle exec rake assets:precompile
 
+# Run additional setup for addons
+RUN bundle exec rails runner /opt/zammad/contrib/link/setup.rb || true
+
 # Clean up build artifacts
 RUN rm -rf tmp/cache node_modules/.cache
 ARG EMBEDDED=false
@@ -75,14 +78,6 @@ RUN if [ "$EMBEDDED" = "true" ] ; then \
     echo "}" >> /opt/zammad/contrib/nginx/zammad.conf; \
 fi
 
-
-# Modify entrypoint to install packages and run migrations at runtime
-RUN sed -i '/^[[:space:]]*# es config/a\
-  echo "Installing addon packages..."\n\
-  bundle exec rails runner /opt/zammad/contrib/link/setup.rb\n\
-  bundle exec rake zammad:package:migrate\n\
-  ' /docker-entrypoint.sh
-
 FROM zammad/zammad-docker-compose:${ZAMMAD_VERSION} AS runner
 USER root
 
@@ -93,7 +88,37 @@ RUN apt-get update && \
     rm -rf /var/lib/apt/lists/* && \
     npm install -g pnpm
 
-USER zammad
-COPY --from=builder --chown=zammad:zammad ${ZAMMAD_DIR} ${ZAMMAD_DIR}
-COPY --from=builder /usr/local/bundle /usr/local/bundle
+# Copy only the modified/added files from builder
+# Copy addon files that were installed
+COPY --from=builder --chown=zammad:zammad /opt/zammad/app/frontend/apps/desktop/pages/ticket/components/TicketDetailView/ /opt/zammad/app/frontend/apps/desktop/pages/ticket/components/TicketDetailView/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/app/frontend/shared/entities/ticket-article/action/plugins/ /opt/zammad/app/frontend/shared/entities/ticket-article/action/plugins/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/db/addon/ /opt/zammad/db/addon/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/app/assets/ /opt/zammad/app/assets/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/app/controllers/*cdr* /opt/zammad/app/controllers/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/app/jobs/*cdr* /opt/zammad/app/jobs/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/app/models/channel/driver/*cdr* /opt/zammad/app/models/channel/driver/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/app/models/ticket/article/*cdr* /opt/zammad/app/models/ticket/article/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/app/policies/controllers/*cdr* /opt/zammad/app/policies/controllers/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/config/initializers/*cdr* /opt/zammad/config/initializers/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/config/routes/*cdr* /opt/zammad/config/routes/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/lib/cdr* /opt/zammad/lib/
+# CRITICAL: Copy modified search_index_backend.rb with OpenSearch fix
+COPY --from=builder --chown=zammad:zammad /opt/zammad/lib/search_index_backend.rb /opt/zammad/lib/search_index_backend.rb
+COPY --from=builder --chown=zammad:zammad /opt/zammad/public/assets/images/icons/*cdr* /opt/zammad/public/assets/images/icons/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/app/views/mailer/ticket_create/ /opt/zammad/app/views/mailer/ticket_create/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/public/assets/images/logo* /opt/zammad/public/assets/images/
+
+# Copy the nginx config if embedded mode was used
+COPY --from=builder --chown=zammad:zammad /opt/zammad/contrib/nginx/zammad.conf /opt/zammad/contrib/nginx/zammad.conf
+
+# Copy the link setup scripts and addons
+COPY --from=builder --chown=zammad:zammad /opt/zammad/contrib/link/ /opt/zammad/contrib/link/
+
+# CRITICAL: Copy compiled assets that include our CoffeeScript changes
+# The builder stage compiles assets at line 47, we must copy them to runner
+COPY --from=builder --chown=zammad:zammad /opt/zammad/public/assets/ /opt/zammad/public/assets/
+
+# Copy the modified entrypoint script
 COPY --from=builder /docker-entrypoint.sh /docker-entrypoint.sh
+
+USER zammad

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack",
-  "version": "3.3.5",
+  "version": "3.3.0-beta.4",
   "description": "Link from the Center for Digital Resilience",
   "scripts": {
     "dev": "dotenv -- turbo dev",

packages/bridge-common/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/bridge-common",
-  "version": "3.3.5",
+  "version": "3.3.0-beta.4",
   "main": "build/main/index.js",
   "type": "module",
   "author": "Darren Clarke <darren@redaranj.com>",

packages/bridge-ui/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/bridge-ui",
-  "version": "3.3.5",
+  "version": "3.3.0-beta.4",
   "scripts": {
     "build": "tsc -p tsconfig.json"
   },
@@ -11,7 +11,7 @@
     "@mui/material": "^6",
     "@mui/x-data-grid-pro": "^7",
     "kysely": "0.27.5",
-    "next": "15.5.9",
+    "next": "15.5.4",
     "react": "19.2.0",
     "react-dom": "19.2.0",
     "react-qr-code": "^2.0.18"

packages/eslint-config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/eslint-config",
-  "version": "3.3.5",
+  "version": "3.3.0-beta.4",
   "description": "amigo's eslint config",
   "main": "index.js",
   "author": "Abel Luck <abel@guardianproject.info>",

packages/jest-config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/jest-config",
-  "version": "3.3.5",
+  "version": "3.3.0-beta.4",
   "description": "",
   "main": "index.js",
   "author": "Abel Luck <abel@guardianproject.info>",

packages/logger/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/logger",
-  "version": "3.3.5",
+  "version": "3.3.0-beta.4",
   "description": "Shared logging utility for Link Stack monorepo",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",

packages/signal-api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/signal-api",
-  "version": "3.3.5",
+  "version": "3.3.0-beta.4",
   "type": "module",
   "main": "build/index.js",
   "exports": {

packages/typescript-config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/typescript-config",
-  "version": "3.3.5",
+  "version": "3.3.0-beta.4",
   "description": "Shared TypeScript config",
   "license": "AGPL-3.0-or-later",
   "author": "Abel Luck <abel@guardianproject.info>",

packages/ui/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/ui",
-  "version": "3.3.5",
+  "version": "3.3.0-beta.4",
   "description": "",
   "scripts": {
     "build": "tsc -p tsconfig.json"
@@ -11,7 +11,7 @@
     "@mui/material": "^6",
     "@mui/x-data-grid-pro": "^7",
     "@mui/x-license": "^7",
-    "next": "15.5.9",
+    "next": "15.5.4",
     "react": "19.2.0",
     "react-dom": "19.2.0"
   },

packages/zammad-addon-bridge/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@link-stack/zammad-addon-bridge",
   "displayName": "Bridge",
-  "version": "3.3.5",
+  "version": "3.3.0-beta.4",
   "description": "An addon that adds CDR Bridge channels to Zammad.",
   "scripts": {
     "build": "node '../zammad-addon-common/dist/build.js'",

packages/zammad-addon-bridge/src/app/controllers/channels_cdr_signal_controller.rb

@@ -222,11 +222,11 @@ class ChannelsCdrSignalController < ApplicationController
       Rails.logger.info "Channel ID: #{channel.id}"
 
       begin
-        # Use text search on preferences YAML to efficiently find tickets without loading all into memory
+        # Use PostgreSQL JSONB queries to efficiently search preferences without loading all tickets into memory
         # This prevents DoS attacks from memory exhaustion
         ticket = Ticket.where.not(state_id: state_ids)
-                      .where("preferences LIKE ?", "%channel_id: #{channel.id}%")
-                      .where("preferences LIKE ?", "%chat_id: #{receiver_phone_number}%")
+                      .where("preferences->>'channel_id' = ?", channel.id.to_s)
+                      .where("preferences->'cdr_signal'->>'chat_id' = ?", receiver_phone_number)
                       .order(updated_at: :desc)
                       .first
 
@@ -420,11 +420,11 @@ class ChannelsCdrSignalController < ApplicationController
     end
 
     # Find ticket(s) with this group_id in preferences
-    # Use text search on preferences YAML for efficient lookup (prevents DoS from loading all tickets)
+    # Use PostgreSQL JSONB queries for efficient lookup (prevents DoS from loading all tickets)
     state_ids = Ticket::State.where(name: %w[closed merged removed]).pluck(:id)
 
     ticket = Ticket.where.not(state_id: state_ids)
-                  .where("preferences LIKE ?", "%chat_id: #{params[:group_id]}%")
+                  .where("preferences->'cdr_signal'->>'chat_id' = ?", params[:group_id])
                   .order(updated_at: :desc)
                   .first
 

packages/zammad-addon-common/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/zammad-addon-common",
-  "version": "3.3.5",
+  "version": "3.3.0-beta.4",
   "description": "",
   "bin": {
     "zpm-build": "./dist/build.js",

packages/zammad-addon-hardening/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@link-stack/zammad-addon-hardening",
   "displayName": "Hardening",
-  "version": "3.3.5",
+  "version": "3.3.0-beta.4",
   "description": "A Zammad addon that hardens a Zammad instance according to CDR's needs.",
   "scripts": {
     "build": "node '../zammad-addon-common/dist/build.js'",

packages/zammad-addon-hardening/src/config/initializers/transaction_notification_no_attachments.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+# Monkey patch Transaction::Notification to prevent attachments from being
+# included in ticket notification emails for security/privacy reasons.
+#
+# This overrides the send_notification_email method to always pass an empty
+# attachments array instead of article.attachments_inline.
+
+module TransactionNotificationNoAttachments
+  def send_notification_email(user:, ticket:, article:, changes:, current_user:, recipients_reason:)
+    template = case @item[:type]
+               when 'create'
+                 'ticket_create'
+               when 'update'
+                 'ticket_update'
+               when 'reminder_reached'
+                 'ticket_reminder_reached'
+               when 'escalation'
+                 'ticket_escalation'
+               when 'escalation_warning'
+                 'ticket_escalation_warning'
+               when 'update.merged_into', 'update.received_merge'
+                 'ticket_update_merged'
+               when 'update.reaction'
+                 'ticket_article_update_reaction'
+               else
+                 raise "unknown type for notification #{@item[:type]}"
+               end
+
+    # HARDENING: Always use empty attachments array to prevent leaking sensitive files
+    original_attachment_count = article&.attachments_inline&.count || 0
+    attachments = []
+
+    if original_attachment_count > 0
+      Rails.logger.info "[HARDENING] Stripped #{original_attachment_count} attachment(s) from notification email for ticket ##{ticket.id}"
+    end
+
+    NotificationFactory::Mailer.notification(
+      template:    template,
+      user:        user,
+      objects:     {
+        ticket:       ticket,
+        article:      article,
+        recipient:    user,
+        current_user: current_user,
+        changes:      changes,
+        reason:       recipients_reason[user.id],
+      },
+      message_id:  "<notification.#{DateTime.current.to_fs(:number)}.#{ticket.id}.#{user.id}.#{SecureRandom.uuid}@#{Setting.get('fqdn')}>",
+      references:  ticket.get_references,
+      main_object: ticket,
+      attachments: attachments,
+    )
+    Rails.logger.debug { "sent ticket email notification to agent (#{@item[:type]}/#{ticket.id}/#{user.email})" }
+  rescue Channel::DeliveryError => e
+    status_code = begin
+      e.original_error.response.status.to_i
+    rescue
+      raise e
+    end
+
+    if Transaction::Notification::SILENCABLE_SMTP_ERROR_CODES.any? { |elem| elem.include? status_code }
+      Rails.logger.info do
+        "could not send ticket email notification to agent (#{@item[:type]}/#{ticket.id}/#{user.email}) #{e.original_error}"
+      end
+
+      return
+    end
+
+    raise e
+  end
+end
+
+# Apply the monkey patch after Rails initialization when all classes are loaded
+Rails.application.config.after_initialize do
+  Rails.logger.info '[HARDENING] Loading TransactionNotificationNoAttachments monkey patch...'
+  Transaction::Notification.prepend(TransactionNotificationNoAttachments)
+  Rails.logger.info '[HARDENING] TransactionNotificationNoAttachments monkey patch successfully applied - email attachments will be stripped from notifications'
+end

set_channel_setting.rb

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+require '/opt/zammad/config/boot'
+require '/opt/zammad/config/application'
+
+Rails.application.initialize!
+
+# Reset to default (empty = allow all channels)
+Setting.set('cdr_link_allowed_channels', '')
+puts "Setting 'cdr_link_allowed_channels' has been reset to default (empty = allow all channels)"