.gitlab-ci.yml

@@ -20,13 +20,11 @@ build-all:
     - turbo build
 
 .docker-build:
-  image: registry.gitlab.com/digiresilience/link/link-stack/buildx:main
+  image: registry.gitlab.com/digiresilience/link/link-stack/buildx:${CI_COMMIT_REF_NAME}
   services:
     - docker:dind
   stage: docker-build
   variables:
-    DOCKER_HOST: tcp://docker:2375
-    DOCKER_TLS_CERTDIR: ""
     DOCKER_TAG: ${CI_COMMIT_SHORT_SHA}
     BUILD_CONTEXT: .
   only:
@@ -39,13 +37,11 @@ build-all:
     - docker push ${DOCKER_NS}:${DOCKER_TAG}
 
 .docker-release:
-  image: registry.gitlab.com/digiresilience/link/link-stack/buildx:main
+  image: registry.gitlab.com/digiresilience/link/link-stack/buildx:${CI_COMMIT_REF_NAME}
   services:
     - docker:dind
   stage: docker-release
   variables:
-    DOCKER_HOST: tcp://docker:2375
-    DOCKER_TLS_CERTDIR: ""
     DOCKER_TAG: ${CI_COMMIT_SHORT_SHA}
     DOCKER_TAG_NEW: ${CI_COMMIT_REF_NAME}
   only:
@@ -199,8 +195,8 @@ zammad-docker-build:
     PNPM_HOME: "/pnpm"
   before_script:
     - export PATH="$PNPM_HOME:$PATH"
-    - corepack enable && corepack prepare pnpm@9.15.4 --activate
   script:
+    - corepack enable && corepack prepare pnpm@9.15.4 --activate
     - pnpm add -g turbo
     - pnpm install --frozen-lockfile
     - turbo build --force --filter @link-stack/zammad-addon-*
@@ -222,8 +218,8 @@ zammad-standalone-docker-build:
     PNPM_HOME: "/pnpm"
   before_script:
     - export PATH="$PNPM_HOME:$PATH"
-    - corepack enable && corepack prepare pnpm@9.15.4 --activate
   script:
+    - corepack enable && corepack prepare pnpm@9.15.4 --activate
     - pnpm add -g turbo
     - pnpm install --frozen-lockfile
     - turbo build --force --filter @link-stack/zammad-addon-*

README.md

@@ -20,4 +20,3 @@ We use [Turborepo](https://turbo.build) to manage development and building of th
 To run a single package:
 
 - `turbo dev --filter @link-stack/link`
-

apps/bridge-frontend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/bridge-frontend",
-  "version": "3.3.5",
+  "version": "3.3.0",
   "type": "module",
   "scripts": {
     "dev": "next dev",
@@ -20,7 +20,7 @@
     "@mui/x-license": "^7",
     "@link-stack/bridge-common": "workspace:*",
     "@link-stack/bridge-ui": "workspace:*",
-    "next": "15.5.9",
+    "next": "15.5.4",
     "next-auth": "^4.24.11",
     "react": "19.2.0",
     "react-dom": "19.2.0",

apps/bridge-migrations/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/bridge-migrations",
-  "version": "3.3.5",
+  "version": "3.3.0",
   "type": "module",
   "scripts": {
     "migrate:up:all": "tsx migrate.ts up:all",

apps/bridge-whatsapp/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/bridge-whatsapp",
-  "version": "3.3.5",
+  "version": "3.3.0",
   "main": "build/main/index.js",
   "author": "Darren Clarke <darren@redaranj.com>",
   "license": "AGPL-3.0-or-later",
@@ -11,7 +11,7 @@
     "@hapipal/toys": "^4.0.0",
     "@link-stack/bridge-common": "workspace:*",
     "@link-stack/logger": "workspace:*",
-    "@whiskeysockets/baileys": "6.7.21",
+    "@whiskeysockets/baileys": "^6.7.21",
     "hapi-pino": "^13.0.0",
     "link-preview-js": "^3.1.0"
   },

apps/bridge-whatsapp/src/service.ts

@@ -26,7 +26,11 @@ export default class WhatsappService extends Service {
   connections: { [key: string]: any } = {};
   loginConnections: { [key: string]: any } = {};
 
-  static browserDescription: [string, string, string] = ["Bridge", "Chrome", "2.0"];
+  static browserDescription: [string, string, string] = [
+    "Bridge",
+    "Chrome",
+    "2.0",
+  ];
 
   constructor(server: Server, options: never) {
     super(server, options);
@@ -43,7 +47,7 @@ export default class WhatsappService extends Service {
     }
 
     // Prevent path traversal by checking for suspicious patterns
-    if (id.includes("..") || id.includes("/") || id.includes("\\")) {
+    if (id.includes('..') || id.includes('/') || id.includes('\\')) {
       throw new Error(`Path traversal detected in bot ID: ${id}`);
     }
 
@@ -98,14 +102,20 @@ export default class WhatsappService extends Service {
       auth: state,
       generateHighQualityLinkPreview: false,
       msgRetryCounterMap,
-      shouldIgnoreJid: (jid) => isJidBroadcast(jid) || isJidStatusBroadcast(jid),
+      shouldIgnoreJid: (jid) =>
+        isJidBroadcast(jid) || isJidStatusBroadcast(jid),
     });
     let pause = 5000;
 
     socket.ev.process(async (events) => {
       if (events["connection.update"]) {
         const update = events["connection.update"];
-        const { connection: connectionState, lastDisconnect, qr, isNewLogin } = update;
+        const {
+          connection: connectionState,
+          lastDisconnect,
+          qr,
+          isNewLogin,
+        } = update;
         if (qr) {
           logger.info("got qr code");
           const botDirectory = this.getBotDirectory(botID);
@@ -120,7 +130,8 @@ export default class WhatsappService extends Service {
           logger.info("opened connection");
         } else if (connectionState === "close") {
           logger.info({ lastDisconnect }, "connection closed");
-          const disconnectStatusCode = (lastDisconnect?.error as any)?.output?.statusCode;
+          const disconnectStatusCode = (lastDisconnect?.error as any)?.output
+            ?.statusCode;
           if (disconnectStatusCode === DisconnectReason.restartRequired) {
             logger.info("reconnecting after got new login");
             await this.createConnection(botID, server, options);
@@ -163,7 +174,10 @@ export default class WhatsappService extends Service {
       const verifiedFile = `${directory}/verified`;
       if (fs.existsSync(verifiedFile)) {
         const { version, isLatest } = await fetchLatestBaileysVersion();
-        logger.info({ version: version.join("."), isLatest }, "using WA version");
+        logger.info(
+          { version: version.join("."), isLatest },
+          "using WA version",
+        );
 
         await this.createConnection(botID, this.server, {
           browser: WhatsappService.browserDescription,
@@ -174,7 +188,10 @@ export default class WhatsappService extends Service {
     }
   }
 
-  private async queueMessage(botID: string, webMessageInfo: proto.IWebMessageInfo) {
+  private async queueMessage(
+    botID: string,
+    webMessageInfo: proto.IWebMessageInfo,
+  ) {
     const {
       key: { id, fromMe, remoteJid },
       message,
@@ -187,9 +204,11 @@ export default class WhatsappService extends Service {
         "Message field",
       );
     }
-    const isValidMessage = message && remoteJid !== "status@broadcast" && !fromMe;
+    const isValidMessage =
+      message && remoteJid !== "status@broadcast" && !fromMe;
     if (isValidMessage) {
-      const { audioMessage, documentMessage, imageMessage, videoMessage } = message;
+      const { audioMessage, documentMessage, imageMessage, videoMessage } =
+        message;
       const isMediaMessage =
         audioMessage || documentMessage || imageMessage || videoMessage;
 
@@ -269,7 +288,10 @@ export default class WhatsappService extends Service {
     }
   }
 
-  private async queueUnreadMessages(botID: string, messages: proto.IWebMessageInfo[]) {
+  private async queueUnreadMessages(
+    botID: string,
+    messages: proto.IWebMessageInfo[],
+  ) {
     for await (const message of messages) {
       await this.queueMessage(botID, message);
     }
@@ -312,7 +334,10 @@ export default class WhatsappService extends Service {
     }
   }
 
-  async register(botID: string, callback?: AuthCompleteCallback): Promise<void> {
+  async register(
+    botID: string,
+    callback?: AuthCompleteCallback,
+  ): Promise<void> {
     const { version } = await fetchLatestBaileysVersion();
     await this.createConnection(
       botID,
@@ -330,10 +355,7 @@ export default class WhatsappService extends Service {
     attachments?: Array<{ data: string; filename: string; mime_type: string }>,
   ): Promise<void> {
     const connection = this.connections[botID]?.socket;
-    const digits = phoneNumber.replace(/\D+/g, "");
-    // LIDs are 15+ digits, phone numbers with country code are typically 10-14 digits
-    const suffix = digits.length > 14 ? "@lid" : "@s.whatsapp.net";
-    const recipient = `${digits}${suffix}`;
+    const recipient = `${phoneNumber.replace(/\D+/g, "")}@s.whatsapp.net`;
 
     // Send text message if provided
     if (message) {
@@ -346,9 +368,7 @@ export default class WhatsappService extends Service {
       const MAX_TOTAL_SIZE = getMaxTotalAttachmentSize();
 
       if (attachments.length > MAX_ATTACHMENTS) {
-        throw new Error(
-          `Too many attachments: ${attachments.length} (max ${MAX_ATTACHMENTS})`,
-        );
+        throw new Error(`Too many attachments: ${attachments.length} (max ${MAX_ATTACHMENTS})`);
       }
 
       let totalSize = 0;
@@ -358,26 +378,20 @@ export default class WhatsappService extends Service {
         const estimatedSize = (attachment.data.length * 3) / 4;
 
         if (estimatedSize > MAX_ATTACHMENT_SIZE) {
-          logger.warn(
-            {
+          logger.warn({
             filename: attachment.filename,
             size: estimatedSize,
-              maxSize: MAX_ATTACHMENT_SIZE,
-            },
-            "Attachment exceeds size limit, skipping",
-          );
+            maxSize: MAX_ATTACHMENT_SIZE
+          }, 'Attachment exceeds size limit, skipping');
           continue;
         }
 
         totalSize += estimatedSize;
         if (totalSize > MAX_TOTAL_SIZE) {
-          logger.warn(
-            {
+          logger.warn({
             totalSize,
-              maxTotalSize: MAX_TOTAL_SIZE,
-            },
-            "Total attachment size exceeds limit, skipping remaining",
-          );
+            maxTotalSize: MAX_TOTAL_SIZE
+          }, 'Total attachment size exceeds limit, skipping remaining');
           break;
         }
 

apps/bridge-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/bridge-worker",
-  "version": "3.3.5",
+  "version": "3.3.0",
   "type": "module",
   "main": "build/main/index.js",
   "author": "Darren Clarke <darren@redaranj.com>",

apps/link/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/link",
-  "version": "3.3.5",
+  "version": "3.3.0",
   "type": "module",
   "scripts": {
     "dev": "next dev -H 0.0.0.0",
@@ -31,7 +31,7 @@
     "graphql-request": "^7.2.0",
     "ioredis": "^5.8.1",
     "mui-chips-input": "^6.0.0",
-    "next": "15.5.9",
+    "next": "15.5.4",
     "next-auth": "^4.24.11",
     "react": "19.2.0",
     "react-cookie": "^8.0.1",

docker-compose.bridge-dev.yml

@@ -0,0 +1,67 @@
+version: '3.8'
+
+services:
+  zammad-railsserver:
+    volumes:
+      # Controllers
+      - ${PWD}/packages/zammad-addon-bridge/src/app/controllers/channels_cdr_signal_controller.rb:/opt/zammad/app/controllers/channels_cdr_signal_controller.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/controllers/channels_cdr_voice_controller.rb:/opt/zammad/app/controllers/channels_cdr_voice_controller.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/controllers/channels_cdr_whatsapp_controller.rb:/opt/zammad/app/controllers/channels_cdr_whatsapp_controller.rb:ro
+      
+      # Models
+      - ${PWD}/packages/zammad-addon-bridge/src/app/models/channel/driver/cdr_signal.rb:/opt/zammad/app/models/channel/driver/cdr_signal.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/models/channel/driver/cdr_whatsapp.rb:/opt/zammad/app/models/channel/driver/cdr_whatsapp.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/models/ticket/article/enqueue_communicate_cdr_signal_job.rb:/opt/zammad/app/models/ticket/article/enqueue_communicate_cdr_signal_job.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/models/ticket/article/enqueue_communicate_cdr_whatsapp_job.rb:/opt/zammad/app/models/ticket/article/enqueue_communicate_cdr_whatsapp_job.rb:ro
+      
+      # Jobs
+      - ${PWD}/packages/zammad-addon-bridge/src/app/jobs/communicate_cdr_signal_job.rb:/opt/zammad/app/jobs/communicate_cdr_signal_job.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/jobs/communicate_cdr_whatsapp_job.rb:/opt/zammad/app/jobs/communicate_cdr_whatsapp_job.rb:ro
+      
+      # Policies
+      - ${PWD}/packages/zammad-addon-bridge/src/app/policies/controllers/channels_cdr_signal_controller_policy.rb:/opt/zammad/app/policies/controllers/channels_cdr_signal_controller_policy.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/policies/controllers/channels_cdr_voice_controller_policy.rb:/opt/zammad/app/policies/controllers/channels_cdr_voice_controller_policy.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/policies/controllers/channels_cdr_whatsapp_controller_policy.rb:/opt/zammad/app/policies/controllers/channels_cdr_whatsapp_controller_policy.rb:ro
+      
+      # Config - initializers
+      - ${PWD}/packages/zammad-addon-bridge/src/config/initializers/cdr_signal.rb:/opt/zammad/config/initializers/cdr_signal.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/config/initializers/cdr_whatsapp.rb:/opt/zammad/config/initializers/cdr_whatsapp.rb:ro
+      
+      # Config - routes
+      - ${PWD}/packages/zammad-addon-bridge/src/config/routes/channel_cdr_signal.rb:/opt/zammad/config/routes/channel_cdr_signal.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/config/routes/channel_cdr_voice.rb:/opt/zammad/config/routes/channel_cdr_voice.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/config/routes/channel_cdr_whatsapp.rb:/opt/zammad/config/routes/channel_cdr_whatsapp.rb:ro
+      
+      # Database migrations
+      - ${PWD}/packages/zammad-addon-bridge/src/db/addon/bridge/20210525091356_cdr_signal_channel.rb:/opt/zammad/db/addon/bridge/20210525091356_cdr_signal_channel.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/db/addon/bridge/20210525091357_cdr_voice_channel.rb:/opt/zammad/db/addon/bridge/20210525091357_cdr_voice_channel.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/db/addon/bridge/20210525091358_cdr_whatsapp_channel.rb:/opt/zammad/db/addon/bridge/20210525091358_cdr_whatsapp_channel.rb:ro
+      
+      # Lib files
+      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_signal.rb:/opt/zammad/lib/cdr_signal.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_signal_api.rb:/opt/zammad/lib/cdr_signal_api.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_whatsapp.rb:/opt/zammad/lib/cdr_whatsapp.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_whatsapp_api.rb:/opt/zammad/lib/cdr_whatsapp_api.rb:ro
+
+  # Also map to scheduler for background jobs
+  zammad-scheduler:
+    volumes:
+      # Models
+      - ${PWD}/packages/zammad-addon-bridge/src/app/models/channel/driver/cdr_signal.rb:/opt/zammad/app/models/channel/driver/cdr_signal.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/models/channel/driver/cdr_whatsapp.rb:/opt/zammad/app/models/channel/driver/cdr_whatsapp.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/models/ticket/article/enqueue_communicate_cdr_signal_job.rb:/opt/zammad/app/models/ticket/article/enqueue_communicate_cdr_signal_job.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/models/ticket/article/enqueue_communicate_cdr_whatsapp_job.rb:/opt/zammad/app/models/ticket/article/enqueue_communicate_cdr_whatsapp_job.rb:ro
+      
+      # Jobs
+      - ${PWD}/packages/zammad-addon-bridge/src/app/jobs/communicate_cdr_signal_job.rb:/opt/zammad/app/jobs/communicate_cdr_signal_job.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/app/jobs/communicate_cdr_whatsapp_job.rb:/opt/zammad/app/jobs/communicate_cdr_whatsapp_job.rb:ro
+      
+      # Config - initializers
+      - ${PWD}/packages/zammad-addon-bridge/src/config/initializers/cdr_signal.rb:/opt/zammad/config/initializers/cdr_signal.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/config/initializers/cdr_whatsapp.rb:/opt/zammad/config/initializers/cdr_whatsapp.rb:ro
+      
+      # Lib files
+      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_signal.rb:/opt/zammad/lib/cdr_signal.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_signal_api.rb:/opt/zammad/lib/cdr_signal_api.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_whatsapp.rb:/opt/zammad/lib/cdr_whatsapp.rb:ro
+      - ${PWD}/packages/zammad-addon-bridge/src/lib/cdr_whatsapp_api.rb:/opt/zammad/lib/cdr_whatsapp_api.rb:ro

docker/zammad/Dockerfile

@@ -56,6 +56,9 @@ RUN sed -i "s/'flattened'/'flat_object'/g" /opt/zammad/lib/search_index_backend.
 RUN touch db/schema.rb && \
     ZAMMAD_SAFE_MODE=1 DATABASE_URL=postgresql://zammad:/zammad bundle exec rake assets:precompile
 
+# Run additional setup for addons
+RUN bundle exec rails runner /opt/zammad/contrib/link/setup.rb || true
+
 # Clean up build artifacts
 RUN rm -rf tmp/cache node_modules/.cache
 ARG EMBEDDED=false
@@ -75,14 +78,6 @@ RUN if [ "$EMBEDDED" = "true" ] ; then \
     echo "}" >> /opt/zammad/contrib/nginx/zammad.conf; \
 fi
 
-
-# Modify entrypoint to install packages and run migrations at runtime
-RUN sed -i '/^[[:space:]]*# es config/a\
-  echo "Installing addon packages..."\n\
-  bundle exec rails runner /opt/zammad/contrib/link/setup.rb\n\
-  bundle exec rake zammad:package:migrate\n\
-  ' /docker-entrypoint.sh
-
 FROM zammad/zammad-docker-compose:${ZAMMAD_VERSION} AS runner
 USER root
 
@@ -93,7 +88,37 @@ RUN apt-get update && \
     rm -rf /var/lib/apt/lists/* && \
     npm install -g pnpm
 
-USER zammad
-COPY --from=builder --chown=zammad:zammad ${ZAMMAD_DIR} ${ZAMMAD_DIR}
-COPY --from=builder /usr/local/bundle /usr/local/bundle
+# Copy only the modified/added files from builder
+# Copy addon files that were installed
+COPY --from=builder --chown=zammad:zammad /opt/zammad/app/frontend/apps/desktop/pages/ticket/components/TicketDetailView/ /opt/zammad/app/frontend/apps/desktop/pages/ticket/components/TicketDetailView/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/app/frontend/shared/entities/ticket-article/action/plugins/ /opt/zammad/app/frontend/shared/entities/ticket-article/action/plugins/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/db/addon/ /opt/zammad/db/addon/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/app/assets/ /opt/zammad/app/assets/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/app/controllers/*cdr* /opt/zammad/app/controllers/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/app/jobs/*cdr* /opt/zammad/app/jobs/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/app/models/channel/driver/*cdr* /opt/zammad/app/models/channel/driver/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/app/models/ticket/article/*cdr* /opt/zammad/app/models/ticket/article/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/app/policies/controllers/*cdr* /opt/zammad/app/policies/controllers/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/config/initializers/*cdr* /opt/zammad/config/initializers/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/config/routes/*cdr* /opt/zammad/config/routes/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/lib/cdr* /opt/zammad/lib/
+# CRITICAL: Copy modified search_index_backend.rb with OpenSearch fix
+COPY --from=builder --chown=zammad:zammad /opt/zammad/lib/search_index_backend.rb /opt/zammad/lib/search_index_backend.rb
+COPY --from=builder --chown=zammad:zammad /opt/zammad/public/assets/images/icons/*cdr* /opt/zammad/public/assets/images/icons/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/app/views/mailer/ticket_create/ /opt/zammad/app/views/mailer/ticket_create/
+COPY --from=builder --chown=zammad:zammad /opt/zammad/public/assets/images/logo* /opt/zammad/public/assets/images/
+
+# Copy the nginx config if embedded mode was used
+COPY --from=builder --chown=zammad:zammad /opt/zammad/contrib/nginx/zammad.conf /opt/zammad/contrib/nginx/zammad.conf
+
+# Copy the link setup scripts and addons
+COPY --from=builder --chown=zammad:zammad /opt/zammad/contrib/link/ /opt/zammad/contrib/link/
+
+# CRITICAL: Copy compiled assets that include our CoffeeScript changes
+# The builder stage compiles assets at line 47, we must copy them to runner
+COPY --from=builder --chown=zammad:zammad /opt/zammad/public/assets/ /opt/zammad/public/assets/
+
+# Copy the modified entrypoint script
 COPY --from=builder /docker-entrypoint.sh /docker-entrypoint.sh
+
+USER zammad

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack",
-  "version": "3.3.5",
+  "version": "3.3.0",
   "description": "Link from the Center for Digital Resilience",
   "scripts": {
     "dev": "dotenv -- turbo dev",

packages/bridge-common/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/bridge-common",
-  "version": "3.3.5",
+  "version": "3.3.0",
   "main": "build/main/index.js",
   "type": "module",
   "author": "Darren Clarke <darren@redaranj.com>",

packages/bridge-ui/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/bridge-ui",
-  "version": "3.3.5",
+  "version": "3.3.0",
   "scripts": {
     "build": "tsc -p tsconfig.json"
   },
@@ -11,7 +11,7 @@
     "@mui/material": "^6",
     "@mui/x-data-grid-pro": "^7",
     "kysely": "0.27.5",
-    "next": "15.5.9",
+    "next": "15.5.4",
     "react": "19.2.0",
     "react-dom": "19.2.0",
     "react-qr-code": "^2.0.18"

packages/eslint-config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/eslint-config",
-  "version": "3.3.5",
+  "version": "3.3.0",
   "description": "amigo's eslint config",
   "main": "index.js",
   "author": "Abel Luck <abel@guardianproject.info>",

packages/jest-config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/jest-config",
-  "version": "3.3.5",
+  "version": "3.3.0",
   "description": "",
   "main": "index.js",
   "author": "Abel Luck <abel@guardianproject.info>",

packages/logger/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/logger",
-  "version": "3.3.5",
+  "version": "3.3.0",
   "description": "Shared logging utility for Link Stack monorepo",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",

packages/signal-api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/signal-api",
-  "version": "3.3.5",
+  "version": "3.3.0",
   "type": "module",
   "main": "build/index.js",
   "exports": {

packages/typescript-config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/typescript-config",
-  "version": "3.3.5",
+  "version": "3.3.0",
   "description": "Shared TypeScript config",
   "license": "AGPL-3.0-or-later",
   "author": "Abel Luck <abel@guardianproject.info>",

packages/ui/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/ui",
-  "version": "3.3.5",
+  "version": "3.3.0",
   "description": "",
   "scripts": {
     "build": "tsc -p tsconfig.json"
@@ -11,7 +11,7 @@
     "@mui/material": "^6",
     "@mui/x-data-grid-pro": "^7",
     "@mui/x-license": "^7",
-    "next": "15.5.9",
+    "next": "15.5.4",
     "react": "19.2.0",
     "react-dom": "19.2.0"
   },

packages/zammad-addon-bridge/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@link-stack/zammad-addon-bridge",
   "displayName": "Bridge",
-  "version": "3.3.5",
+  "version": "3.3.0",
   "description": "An addon that adds CDR Bridge channels to Zammad.",
   "scripts": {
     "build": "node '../zammad-addon-common/dist/build.js'",

packages/zammad-addon-common/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/zammad-addon-common",
-  "version": "3.3.5",
+  "version": "3.3.0",
   "description": "",
   "bin": {
     "zpm-build": "./dist/build.js",

packages/zammad-addon-hardening/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@link-stack/zammad-addon-hardening",
   "displayName": "Hardening",
-  "version": "3.3.5",
+  "version": "3.3.0",
   "description": "A Zammad addon that hardens a Zammad instance according to CDR's needs.",
   "scripts": {
     "build": "node '../zammad-addon-common/dist/build.js'",

packages/zammad-addon-hardening/src/config/initializers/transaction_notification_no_attachments.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+# Monkey patch Transaction::Notification to prevent attachments from being
+# included in ticket notification emails for security/privacy reasons.
+#
+# This overrides the send_notification_email method to always pass an empty
+# attachments array instead of article.attachments_inline.
+
+module TransactionNotificationNoAttachments
+  def send_notification_email(user:, ticket:, article:, changes:, current_user:, recipients_reason:)
+    template = case @item[:type]
+               when 'create'
+                 'ticket_create'
+               when 'update'
+                 'ticket_update'
+               when 'reminder_reached'
+                 'ticket_reminder_reached'
+               when 'escalation'
+                 'ticket_escalation'
+               when 'escalation_warning'
+                 'ticket_escalation_warning'
+               when 'update.merged_into', 'update.received_merge'
+                 'ticket_update_merged'
+               when 'update.reaction'
+                 'ticket_article_update_reaction'
+               else
+                 raise "unknown type for notification #{@item[:type]}"
+               end
+
+    # HARDENING: Always use empty attachments array to prevent leaking sensitive files
+    original_attachment_count = article&.attachments_inline&.count || 0
+    attachments = []
+
+    if original_attachment_count > 0
+      Rails.logger.info "[HARDENING] Stripped #{original_attachment_count} attachment(s) from notification email for ticket ##{ticket.id}"
+    end
+
+    NotificationFactory::Mailer.notification(
+      template:    template,
+      user:        user,
+      objects:     {
+        ticket:       ticket,
+        article:      article,
+        recipient:    user,
+        current_user: current_user,
+        changes:      changes,
+        reason:       recipients_reason[user.id],
+      },
+      message_id:  "<notification.#{DateTime.current.to_fs(:number)}.#{ticket.id}.#{user.id}.#{SecureRandom.uuid}@#{Setting.get('fqdn')}>",
+      references:  ticket.get_references,
+      main_object: ticket,
+      attachments: attachments,
+    )
+    Rails.logger.debug { "sent ticket email notification to agent (#{@item[:type]}/#{ticket.id}/#{user.email})" }
+  rescue Channel::DeliveryError => e
+    status_code = begin
+      e.original_error.response.status.to_i
+    rescue
+      raise e
+    end
+
+    if Transaction::Notification::SILENCABLE_SMTP_ERROR_CODES.any? { |elem| elem.include? status_code }
+      Rails.logger.info do
+        "could not send ticket email notification to agent (#{@item[:type]}/#{ticket.id}/#{user.email}) #{e.original_error}"
+      end
+
+      return
+    end
+
+    raise e
+  end
+end
+
+# Apply the monkey patch after Rails initialization when all classes are loaded
+Rails.application.config.after_initialize do
+  Rails.logger.info '[HARDENING] Loading TransactionNotificationNoAttachments monkey patch...'
+  Transaction::Notification.prepend(TransactionNotificationNoAttachments)
+  Rails.logger.info '[HARDENING] TransactionNotificationNoAttachments monkey patch successfully applied - email attachments will be stripped from notifications'
+end

set_channel_setting.rb

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+require '/opt/zammad/config/boot'
+require '/opt/zammad/config/application'
+
+Rails.application.initialize!
+
+# Reset to default (empty = allow all channels)
+Setting.set('cdr_link_allowed_channels', '')
+puts "Setting 'cdr_link_allowed_channels' has been reset to default (empty = allow all channels)"