Sync/1.7.1#28
Merged
Merged
Conversation
…11851) * feat: Support simplified mention syntax in markdown for MCP clients Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Restore translations * PR feedback --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…outline#11856) * Initial plan * Fix passkey login 400 error when authenticatorAttachment is undefined Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com> Agent-Logs-Url: https://github.com/outline/outline/sessions/b7ea5777-cd06-41e7-a796-70ea083dfc34 --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com>
* feat: Strip comment marks from documents in presentation mode Move removeMarks to shared ProsemirrorHelper and use it to strip comment marks before rendering slides. Make server ProsemirrorHelper extend the shared class to eliminate duplication and remove SharedProsemirrorHelper imports from server code. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: Use Set for mark lookup and cloneDeep for browser compat Use a Set for O(1) mark lookups in removeMarks traversal. Replace structuredClone with lodash/cloneDeep to support older browsers that lack the native API. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * test: Add tests for ProsemirrorHelper.removeMarks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…utline#11870) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* fix: Upgrade mermaid to 11.13.0 Includes a fix for incorrect viewBox casing in Radar and Packet diagram renderers (mermaid-js/mermaid#7076) and other improvements. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: Use visibility:hidden for mermaid rendering element Instead of positioning the temporary render element offscreen at -9999px, use visibility:hidden with position:fixed so the browser computes correct bounding boxes for SVG elements. Offscreen elements can produce incorrect getBBox() results, leading to wrong viewBox dimensions and diagrams rendering too big or too small. Fixes outline#11782 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add session storage for generated diagrams to reduce relayout * fix: Use LRU eviction for mermaid sessionStorage cache Track access order via a dedicated LRU index key so the cache evicts least-recently-used entries rather than arbitrary ones. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat: Extract search into pluggable provider system Refactors the monolithic SearchHelper into a pluggable search provider architecture, enabling alternative search backends (Elasticsearch, Turbopuffer, etc.) while preserving PostgreSQL full-text search as the default. The SEARCH_PROVIDER env var selects the active provider. - Add BaseSearchProvider abstract class and SearchProviderManager - Add Hook.SearchProvider to the plugin system - Move PostgreSQL search logic into plugins/postgres-search/ - Add SearchIndexProcessor for event-driven index sync - Update all callers to use the provider manager directly - Keep SearchHelper as a deprecated thin wrapper for backwards compat Closes outline#11347 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor: Remove deprecated SearchHelper wrapper All callers now use SearchProviderManager directly, so the thin delegation wrapper is no longer needed. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor: Rename postgres-search plugin to search-postgres Renames the plugin folder and id so that future search provider plugins (e.g. search-elasticsearch, search-turbopuffer) will be colocated alphabetically. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor: Remove special-case plugin import from SearchProviderManager Make PluginManager.loadPlugins resilient to individual plugin load failures so SearchProviderManager can use the standard getHooks path without needing to directly import the search-postgres plugin. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * test: Add missing search provider tests for full coverage parity Adds all tests that existed in the old SearchHelper.test.ts but were missing from PostgresSearchProvider.test.ts, including searchTitlesForUser status filters, collection filtering, group memberships, and sorting tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * feedback --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* fix: Mammoth converts docx images to <img> tags with base64 data URIs but no width/height attributes * fix: Bound memory usage and prevent infinite loop in image dimension parsing Decode only a 64 KB prefix of base64 data URIs instead of the full payload, cap the JPEG marker scan at 64 KB, and bail on malformed segment lengths (< 2 or overflowing the buffer) to prevent an infinite loop on truncated data. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ine#11879) * feat: Map creator/updater IDs to existing users during JSON import When importing documents from JSON, resolve the original document author to an internal user by matching on user ID first, then email, falling back to the importing user. Results are cached to avoid redundant queries. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: Add negative caching for user resolution during import Cache misses (not just hits) in resolveUserId so that repeated lookups for users that don't exist in the target team are served from cache instead of hitting the database for every document. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * docs: Fix resolveUserId JSDoc to match actual behavior Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…rgets (outline#11885) * Initial plan * fix: show siblings and descendants in DocumentMove dialog The filterSourceDocument function was incorrectly removing the document's parent node from the navigation tree, which also hid all siblings (children of the same parent) and their descendants. Instead, only the document itself and its own descendants are now excluded (to prevent circular references). The parent is kept in the tree so siblings remain visible as valid move targets. Agent-Logs-Url: https://github.com/outline/outline/sessions/12574f1c-7a7c-45a0-8444-19e24aa10782 Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com>
…outline#11872) * Initial plan * fix: resolve team avatar to signed URL for public share link previews Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com> Agent-Logs-Url: https://github.com/outline/outline/sessions/3632734e-1bb5-4705-bdcd-a2ccbb211af8 * refactor: move avatar URL resolution to Team.publicAvatarUrl() Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com> Agent-Logs-Url: https://github.com/outline/outline/sessions/a2191be3-0533-459a-8366-602bb798a60e * test: add Team.publicAvatarUrl model tests; update JSDoc Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com> Agent-Logs-Url: https://github.com/outline/outline/sessions/7609501c-a4d1-44ea-a7bf-fa6fd8e7c999 * test: fix Team.publicAvatarUrl tests to use actual attachment URLs Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com> Agent-Logs-Url: https://github.com/outline/outline/sessions/0a768f8b-0dd8-4e7a-a50d-873af58aab28 --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com>
* Initial plan * Add comment anchor text to MCP comment tool responses Agent-Logs-Url: https://github.com/outline/outline/sessions/294b6510-996f-4a86-a7d6-7ed1c336fc19 Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com> * Address PR review: fix auth gap, cache marks, add anchorText tests - Always authorize read access in update_comment before exposing anchor text - Cache comment marks per document in list_comments to avoid O(n * docSize) - Add 4 MCP tests verifying anchorText presence/absence in responses Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com> Co-authored-by: Tom Moor <tom@getoutline.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…#11889) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
dquote> fix: Existing drafts should not focus the editor
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* fix: Present mode slide content not vertically centered
…11908) The group filter on the Integrations settings page compared against the hardcoded string "Integrations" instead of the translated value from t("Integrations"), causing no integrations to appear in non-English locales. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat: Add support for Docker Swarm style secrets * fix: Handle empty-string env values and bare _FILE key in resolveFileSecrets Use undefined check instead of truthiness so empty-string values are treated as "already set" and not overridden by _FILE variants. Skip processing when the key is exactly "_FILE" to avoid creating an empty-key entry. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Preload share popover data on hover with useShareDataLoader hook Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: Route programmatic closes through handleOpenChange and fix race conditions - closePopover now calls handleOpenChange(false) so reset() fires on all close paths, including programmatic closes via onRequestClose - Reset requestedRef when entity id changes so preload fires for new targets - Use request counter to prevent stale loading state when reset() is called during an in-flight request Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Wrap collection and document names in the header breadcrumb with ContextMenu components, enabling right-click menus with relevant actions. Each breadcrumb item type has its own component to scope hooks. Breadcrumb links prevent navigation when a context menu is open. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…11913) * fix: Integrations list missing when language is not English The group filter on the Integrations settings page compared against the hardcoded string "Integrations" instead of the translated value from t("Integrations"), causing no integrations to appear in non-English locales. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: Sidebar shows unconnected integrations in non-English locales Same hardcoded "Integrations" string comparison issue as the main integrations page — the sidebar filter skipped the connected-check when the translated group name didn't match the English literal. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* Initial plan * chore: upgrade Node.js base image from 22.21.0 to 24.14.1 (LTS) * chore: include node version in node_modules cache keys * Add canary build for docker changes * fix: Try docker driver --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com> Co-authored-by: Tom Moor <tom@getoutline.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* Initial plan * Fix mention trigger to work after CJK characters without preceding space Agent-Logs-Url: https://github.com/outline/outline/sessions/b34bba3f-fe94-408c-bf09-794f8e3d05ff Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com> * Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com> Co-authored-by: Tom Moor <tom@getoutline.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Re-highlight result context client-side using the current search query instead of relying on server-generated <b> tags. This prevents stale highlights when results from a previous query are still displayed while a newer search is in-flight. Also guards against setting stale results by checking the query ref before updating state. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
) * Initial plan * fix: allow Tab to indent list items inside toggle blocks When the cursor is inside a list within a toggle block, the indentBlock command was consuming the Tab key event before the list's sinkListItem handler could run. This happened because indentBlock found a previous container_toggle sibling at the ancestor level and returned true. Fix: return false early in indentBlock when the cursor is inside a list, allowing the list's Tab handler to handle indentation correctly. Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com>
* Add Node LTS auto-update script * fix: Validate LTS version and update CI step name in Node update workflow Add semver validation for the fetched LTS version to prevent creating PRs with invalid node versions (e.g. null) if the upstream API changes. Also update the human-readable step name in ci.yml during major bumps. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…ine#11929) * Use CSS highlights instead of editor decorations when available * Fix scroll target for non-HTML elements and refresh highlights on toggle fold - Use `Element` instead of `HTMLElement` for scroll target so SVG/MathML elements are handled correctly - Bump highlight generation on toggle fold/unfold transactions so newly visible matches get proper highlight ranges - Cache decoration getter result to avoid redundant mapping Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ne#12225) * fix: Api keys with global read scope not being saved correctly * refactor: Hoist global scopes Set to module level --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
…outline#12226) * Add RATE_LIMIT_MULTIPLIER configuration for self-hosted instances * PR feedback
…12227) * fix: should change lastModifiedById when republishing an already published document * test: Use same-team creator in republish attribution test Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix: Autofocus inside lazy-loaded modal/popover * use wrapperRef * remove unused import
* chore: resolve no-explicit-any lint warnings in plugins Replaces uses of `any` in the plugins directory with concrete types, `unknown`, or structured type assertions, addressing the remaining typescript-eslint(no-explicit-any) warnings flagged by oxlint. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * chore: address review feedback in GitLabIssueProvider Drop trailing semicolon from log string and add early return in `destroyNamespace` when neither `user_id` nor `full_path` is present to avoid an unnecessary full-scan transaction. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* feat: Add breadcrumb to MCP responses
* test: Update MCP test expectations for new response envelope
Tests were reading the old flat document shape; update them to read
through the new { document, breadcrumb } envelope.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* perf: Batch collection lookups when building breadcrumbs
Add getBreadcrumbsForDocuments helper that loads all referenced
collections in one query (with the user's memberships) and resolves
breadcrumbs from the per-collection cached documentStructure. Use it
in list_documents and move_document, replacing the per-document
Collection.findByPk that produced an N+1 query pattern.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* test: Add coverage for getBreadcrumbsForDocuments and parallelize doc + breadcrumb loads
Run presentDocument and getDocumentBreadcrumb concurrently in fetch,
create_document, and update_document so the breadcrumb lookup no
longer adds latency on top of the presenter.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
…#12243) Replaces `as any` casts when constructing OAuth2Server Request/Response with explicit objects containing the fields the library actually consumes, and switches BaseStorage's manual header spread to a node-fetch `Headers` instance to avoid the no-misused-spread warning. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* Add title guidance for MCP * Scope H1 guidance to documents only
* chore: promote no-explicit-any from warn to error and resolve violations Upgrades the oxlint rule severity and removes all 40 existing `no-explicit-any` warnings across the codebase. Most call sites gained proper types (SharedEditor refs, JSONNode/JSONMark for ProseMirror JSON walking, DocumentsStore, dd-trace `Span` parameter inference, prosemirror Fragment public API in place of internal `(fragment as any).content`). A few load-bearing `any` uses were preserved with scoped disable comments where changing the type would cascade widely (Sequelize JSONB columns on `Event`, the `withTracing` higher-order function generic, `Extension.options` consumed by many subclasses, dd-trace's `req` patching). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…e#12245) * feat: Add delete_document and delete_collection MCP tools Adds MCP tools for deleting (or archiving) documents and collections. Refactors Document#delete into destroyWithCtx and extracts collection archive logic into Collection#archiveWithCtx so the same code paths can be shared between the REST API and MCP entry points. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix: Wrap MCP delete tools in DB transaction Ensures delete/archive of documents and collections via MCP is atomic and that row locks (transaction.LOCK.UPDATE) inside *WithCtx methods actually apply, matching the pattern used by move_document. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * docs: Clarify delete_collection MCP tool description Reflects that collection deletion only soft-deletes non-archived documents via the BeforeDestroy hook. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* chore: Update editor generics * fix: Address PR review on editor generics - Restore null-guard on Link click handler so anchors aren't inert when no onClickLink is provided - Mark onClickLink optional in LinkOptions and openLink command to match runtime - Remove dead `collapsed` option from HeadingOptions - Make ToggleBlock dictionary optional and restore optional-chained access for server-side schema instantiation Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* Refactor of OAuth account linking flows * PR feedback
Resolved conflict in server/routes/auth/index.ts: - Adopted upstream's AuthenticationType.APP middleware type - Retained foss-main's JWT_COOKIE_TTL_DAYS 7-day TTL for token/cookie binding Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Lint: authentication.test.ts used `any` in several places (createCtx overrides, error catch variables, ctx type annotations). Added CtxOverrides and MiddlewareError interfaces; replaced all explicit `any` with proper types so oxlint no-explicit-any passes. Audit: three new high-severity advisories flagged by yarn npm audit: - @babel/plugin-transform-modules-systemjs <=7.29.3 (GHSA-fv7c-fp4j-7gwp): arbitrary code generation. Fixed by bumping @babel/preset-env to ^7.29.5 (matching upstream) so the transitive dep resolves to 7.29.4, then deduping the ^7.11.0 range into the same entry. - axios <1.15.2 (GHSA-pmwg-cvhr-8vh7, GHSA-pf86-5x62-jrwf, GHSA-6chq-wfr3-2hj9, GHSA-q8qp-cvcw-x6jj): NO_PROXY bypass and prototype pollution via aws-crt. Forced to ^1.15.2 via resolution. - fast-uri <=3.1.1 (GHSA-v39h-62p7-jpjc, GHSA-q3j6-qgpj-74h6) and fast-xml-builder <=1.1.6 (GHSA-5wm8-gmm8-39j9) via ajv/fast-xml-parser. Forced to patched versions via resolutions. All resolution ranges are scoped to the exact descriptors present in yarn.lock, matching upstream's approach for the same advisories. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
UsamaSadiq
approved these changes
May 20, 2026
hunzlahmalik
approved these changes
May 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Merges upstream v1.7.1 into foss-main, plus CI fixes required to make the branch mergeable.
Old diff w main
New diff w main
Tests run
Clean everything related to outline (containers, db)
Build, provision, run on
foss-mainCheckout this branch
Build and restart
New migrations run and everything working
Clean everything
Build, run, provision on 1.7.1
Everything working
CI fixes (added post-merge)
Lint —
no-explicit-anyinauthentication.test.tsThe ForwardAuth tests introduced in this branch used
anyfor context objects and error catch variables, which oxlint flags as an error. Two interfaces were added (CtxOverrides,MiddlewareError) and all explicitanyannotations were replaced with proper types. Without this the lint job exits non-zero and blocks merge.Lint —
no-floating-promisesinapp/utils/userContinuity.tsTwo
Promise.all([...]).finally(...)calls were left unawaited. The navigation to/homeinside.finally()makes awaiting semantically wrong (the function returns before the redirect fires), sovoidis the correct suppression. Without this oxlint exits non-zero.Audit — four high-severity advisories newly flagged by
yarn npm auditThese CVEs were not present when the branch was cut but appeared in the advisory database before merge:
@babel/plugin-transform-modules-systemjs≤7.29.3axios<1.15.2 (viaaws-crt)fast-uri≤3.1.1 (viaajv)fast-xml-builder≤1.1.6 (viafast-xml-parser)Fixes applied (matching upstream's approach):
@babel/preset-envbumped to^7.29.5so the transitive systemjs plugin resolves to the patched 7.29.4 — identical to how upstream resolved this.resolutionsentries added foraxios,fast-uri, andfast-xml-builderto force their locked versions to the patched releases.All resolution descriptors are scoped to the exact ranges present in
yarn.lock, per the project's resolution policy.