Three small fork tweaks bundled together; none touch upload flow:
* OIDC: pass `prompt=select_account` so Zitadel always shows its account
picker rather than silently passing through an existing session. Override
with OIDC_PROMPT env var.
* Branding: swap "with binarybeach.io" -> "with BinaryBeach.io" and replace
GitHub light/dark logo imports with our brand mark (works on both themes).
* Session: thread the binarybeachio session-lifecycle convention values
(SESSION_COOKIE_AGE, ADMIN_SESSION_COOKIE_AGE, SESSION_SAVE_EVERY_REQUEST)
through docker-compose.bb-local.yml app-env mixin and document the
cross-fork convention link in BINARYBEACHIO.md.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Patches the plane-backend GitHubOAuthProvider so the /auth/github/*
flow points at our self-hosted Zitadel instance when ZITADEL_DOMAIN
is set, and falls back to vanilla GitHub OAuth when unset (regression-
safe). Touch surface is one backend file plus a cosmetic frontend
label change. Full rationale, configuration steps, refresh procedure,
and AGPL compliance notes in BINARYBEACHIO.md at repo root.
* chore(deps): replace dotenvx with dotenv and update dependency overrides
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: sort devDependencies in package.json files
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: replace Discord references with Forum links
* chore: migrate help and community CTAs from Discord to Forum
* refactor: replace Discord icons with lucide MessageSquare
* chore: rename Discord labels and keys to Forum
* chore: remove obsolete Discord icon component
* chore: update Discord references to Forum in templates
* chore: code refactoring
Disable autocomplete on authentication and security-related forms to prevent
browsers from storing sensitive credentials. This affects sign-in, password
reset, account security, and onboarding forms across admin, web, and space apps.
Modified components:
- Auth forms (email, password, unique code, forgot/reset/set password)
- Account security pages
- Instance setup and profile onboarding
- Shared UI components (auth-input, password-input)
* chore(security): implement input validation across authentication and workspace forms
- Add OWASP-compliant autocomplete attributes to all auth input fields
- Create centralized validation utilities blocking injection-risk characters
- Apply validation to names, display names, workspace names, and slugs
- Block special characters: < > ' " % # { } [ ] * ^ !
- Secure sensitive input fields across admin, web, and space apps
* chore: add missing workspace name validation to settings and admin forms
* feat: enhance validation regex for international names and usernames
- Updated regex patterns to support Unicode characters for person names, display names, company names, and slugs.
- Improved validation functions to block injection-risk characters in names and slugs.
- Modified the invite link to include a token for enhanced security.
- Updated the WorkspaceJoinEndpoint to validate the token instead of the email.
- Adjusted the workspace invitation task to generate links with the token.
- Refactored the frontend to handle token in the invitation process.
Co-authored-by: sriram veeraghanta <veeraghanta.sriram@gmail.com>
