From 0ac7ef769d98ba194f2c8d7168ba89e67f102bb3 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 22 May 2025 09:53:09 +0100
Subject: [PATCH 001/106] fix: deprecation warning for web_console in
 development

---
 config/environments/development.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/environments/development.rb b/config/environments/development.rb
index 60a1ef6c3..9384f66f4 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -115,7 +115,7 @@
   }
 
   # Fixes error "Cannot render console from 172.22.0.1!" when in Docker
-  config.web_console.whitelisted_ips = [
+  config.web_console.allowed_ips = [
     '10.0.0.0/8',
     '172.16.0.0/12',
     '192.168.0.0/16'

From 3e75128ea741badce18ed43185ad79a227ec7b7e Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 22 May 2025 11:48:53 +0100
Subject: [PATCH 002/106] chore: fix a bug where db restores would sometimes
 fail due to failure to resolve public.squish function

---
 db/functions/squish_null/20250522113100.sql         | 12 ++++++++++++
 db/helpers/000_helpers.sql                          |  9 ---------
 .../20250522113100_update_squish_null_function.rb   | 13 +++++++++++++
 db/structure.sql                                    |  8 ++++++--
 4 files changed, 31 insertions(+), 11 deletions(-)
 create mode 100644 db/functions/squish_null/20250522113100.sql
 create mode 100644 db/migrate/20250522113100_update_squish_null_function.rb

diff --git a/db/functions/squish_null/20250522113100.sql b/db/functions/squish_null/20250522113100.sql
new file mode 100644
index 000000000..487632b46
--- /dev/null
+++ b/db/functions/squish_null/20250522113100.sql
@@ -0,0 +1,12 @@
+CREATE OR REPLACE FUNCTION public.squish_null(TEXT) RETURNS TEXT
+  LANGUAGE SQL IMMUTABLE
+AS $fn$
+  SELECT
+    CASE WHEN public.squish($1) = ''
+    THEN NULL
+    ELSE public.squish($1)
+  END;
+$fn$;
+
+COMMENT ON FUNCTION public.squish_null(TEXT) IS
+  'Squishes whitespace characters in a string and returns null for empty string';
diff --git a/db/helpers/000_helpers.sql b/db/helpers/000_helpers.sql
index 5393152a8..4d96c0ea3 100644
--- a/db/helpers/000_helpers.sql
+++ b/db/helpers/000_helpers.sql
@@ -9,15 +9,6 @@ AS $FUNCTION$
     );
 $FUNCTION$;
 
-CREATE OR REPLACE FUNCTION squish_null(TEXT) RETURNS TEXT
-  LANGUAGE SQL IMMUTABLE
-  AS $$
-    SELECT CASE WHEN SQUISH($1) = '' THEN NULL ELSE SQUISH($1) END;
-  $$;
-
-COMMENT ON FUNCTION squish_null(TEXT) IS
-  'Squishes whitespace characters in a string and returns null for empty string';
-
 -- This function previously had a different signature - ensure that the old version is gone
 DROP FUNCTION IF EXISTS full_name_with_spp(rank_name VARCHAR(255), full_name VARCHAR(255));
 
diff --git a/db/migrate/20250522113100_update_squish_null_function.rb b/db/migrate/20250522113100_update_squish_null_function.rb
new file mode 100644
index 000000000..ef6b7293f
--- /dev/null
+++ b/db/migrate/20250522113100_update_squish_null_function.rb
@@ -0,0 +1,13 @@
+class UpdateSquishNullFunction < ActiveRecord::Migration[7.1]
+  def up
+    safety_assured do
+      execute function_sql('20250522113100', 'squish_null')
+    end
+  end
+
+  def down
+    safety_assured do
+      execute function_sql('20150421071444', 'squish_null')
+    end
+  end
+end
diff --git a/db/structure.sql b/db/structure.sql
index 3c2ec3806..1849748f6 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -6775,8 +6775,12 @@ COMMENT ON FUNCTION public.squish(text) IS 'Squishes whitespace characters in a
 CREATE FUNCTION public.squish_null(text) RETURNS text
     LANGUAGE sql IMMUTABLE
     AS $_$
-    SELECT CASE WHEN SQUISH($1) = '' THEN NULL ELSE SQUISH($1) END;
-  $_$;
+  SELECT
+    CASE WHEN public.squish($1) = ''
+    THEN NULL
+    ELSE public.squish($1)
+  END;
+$_$;
 
 
 --

From 66c6a1dfc9ad8071d06ae9a1d53036108e326904 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Fri, 23 May 2025 10:04:41 +0100
Subject: [PATCH 003/106] chore: fix db_trim tasks

---
 lib/tasks/db_trim.rake | 241 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 215 insertions(+), 26 deletions(-)

diff --git a/lib/tasks/db_trim.rake b/lib/tasks/db_trim.rake
index c75375267..5393435cf 100644
--- a/lib/tasks/db_trim.rake
+++ b/lib/tasks/db_trim.rake
@@ -1,7 +1,25 @@
+##
+# In addition to deleting data, some consideration should be given to database
+# maintenance:
+#
+# ANALYSE calculates summary stats about a table and its columns. These stats
+# are used in query planning, so bad stats
+#
+# REINDEX is called because some large tables have gigabytes locked away in
+# indexes, and REINDEX is the quickest way to free up that space.
+#
+# VACUUM can only reclaim space from dead tuples so often is not worth it.
+# Furthermore space it reclaims is still reserved for the table, so is not
+# released by the file system - for that VACUUM FULL is required, which requires
+# a full table rewrite, which takes up additional disk space which may not be
+# free.
+
 namespace :db do
   desc 'Deletes historic and sensitive data, runs cleanup of temporary tables and rebuilds'
   task trim: [
     :environment,
+    'db:trim_ahoy',
+    'db:trim_api_requests',
     'db:common_names:cleanup',
     'db:taxon_names:cleanup',
     'db:trim_trade',
@@ -11,29 +29,99 @@ namespace :db do
     'db:trim_users',
     'import:drop_import_tables',
     'db:migrate:rebuild',
-    'db:drop_temporary_tables'
+    'db:drop_temporary_tables',
+    'db:vacuum_full'
   ]
 
+  ##
+  # Drop all tables of the form /^trade_sandbox_\d+$/
+  # and their associated views and indexes
+  task trim_trade_sandboxes: :environment do
+    sandbox_group_count = 50
+
+    sandbox_query =
+      <<-SQL.squish
+        SELECT count(*) FROM information_schema.tables
+        WHERE table_name LIKE 'trade_sandbox%'
+          AND table_name != 'trade_sandbox_template'
+          AND table_type != 'VIEW'
+      SQL
+
+    sandbox_count =
+      ApplicationRecord.connection.execute(
+        sandbox_query
+      )[0]['count'].to_i
+
+    (
+      sandbox_count.to_f / sandbox_group_count
+    ).ceil.times do
+      ApplicationRecord.connection.execute <<-SQL.squish
+        DO $do$
+          DECLARE
+            current_table_name TEXT;
+          BEGIN
+            FOR current_table_name
+            IN #{sandbox_query}
+            LIMIT #{sandbox_group_count}
+            LOOP
+              EXECUTE 'DROP TABLE ' || current_table_name || ' CASCADE';
+            END LOOP;
+            RETURN;
+          END;
+        $do$;
+      SQL
+    end
+  end
+
   task trim_trade: :environment do
-    puts 'Deleting old shipments'
     year = Date.today.year - 5
-    ApplicationRecord.connection.execute "DELETE FROM trade_shipments WHERE year <= #{year}"
-    puts 'Clearing permit and annual report data'
-    ApplicationRecord.connection.execute 'UPDATE trade_shipments SET
+
+    puts "Deleting shipments prior to #{year}"
+    ApplicationRecord.connection.execute <<-SQL.squish
+      DELETE FROM trade_shipments WHERE year <= #{year}
+    SQL
+
+    ApplicationRecord.connection.execute 'ANALYSE trade_shipments;'
+    ApplicationRecord.connection.execute 'REINDEX TABLE trade_shipments;'
+
+    puts 'Clearing permits'
+    # Note: where clause don't make unnecessary writes to rows
+    ApplicationRecord.connection.execute <<-SQL.squish
+      UPDATE trade_shipments SET
         import_permit_number = NULL,
         export_permit_number = NULL,
         origin_permit_number = NULL,
-        import_permits_ids = \'{}\'::INT[],
-        export_permits_ids = \'{}\'::INT[],
-        origin_permits_ids = \'{}\'::INT[],
+        import_permits_ids = '{}'::INT[],
+        export_permits_ids = '{}'::INT[],
+        origin_permits_ids = '{}'::INT[],
         trade_annual_report_upload_id = NULL,
-        sandbox_id = NULL'
-    puts 'Dropping sandboxes'
-    ApplicationRecord.connection.execute 'SELECT * FROM drop_trade_sandboxes()'
-    puts 'Truncating annual reports'
-    ApplicationRecord.connection.execute 'DELETE FROM trade_annual_report_uploads'
+        sandbox_id = NULL
+      WHERE origin_permit_number IS NOT NULL
+        OR export_permit_number IS NOT NULL
+        OR origin_permit_number IS NOT NULL
+        OR trade_annual_report_upload_id IS NOT NULL
+        OR sandbox_id IS NOT NULL
+      ;
+    SQL
+
     puts 'Truncating permits'
     ApplicationRecord.connection.execute 'TRUNCATE trade_permits'
+    ApplicationRecord.connection.execute 'REINDEX TABLE trade_permits'
+
+    ##
+    # drop_trade_sandboxes() does not work when there are many sandboxes
+    #
+    #   puts 'Dropping sandboxes'
+    #   ApplicationRecord.connection.execute 'SELECT * FROM drop_trade_sandboxes()'
+
+    puts "Deleting annual reports uploaded prior to #{year}"
+    ApplicationRecord.connection.execute <<-SQL.squish
+      DELETE FROM trade_annual_report_uploads
+      WHERE updated_at <= '#{year}-01-01';
+    SQL
+
+    ApplicationRecord.connection.execute 'ANALYSE trade_annual_report_uploads;'
+    ApplicationRecord.connection.execute 'REINDEX TABLE trade_annual_report_uploads;'
   end
 
   task trim_listing_changes: :environment do
@@ -47,28 +135,32 @@ namespace :db do
         ON lc.parent_id = nc_lc.id
       ), listing_changes_to_delete AS (
         SELECT * FROM non_current_listing_changes
-        UNION
+        EXCEPT
         SELECT * FROM exceptions
       ), deleted_listing_distributions AS (
         DELETE FROM listing_distributions
         USING listing_changes_to_delete lc
         WHERE lc.id = listing_distributions.listing_change_id
-      ), deleted_annotations AS (
-        DELETE FROM annotations
-        USING listing_changes_to_delete lc
-        WHERE annotations.id = lc.annotation_id
       ), updated_original_id AS (
         UPDATE listing_changes
         SET original_id = NULL
         FROM listing_changes_to_delete
         WHERE listing_changes.original_id = listing_changes_to_delete.id
+      ), updated_parent_id AS (
+        UPDATE listing_changes
+        SET parent_id = NULL
+        FROM listing_changes_to_delete
+        WHERE listing_changes.parent_id = listing_changes_to_delete.id
       )
       DELETE FROM listing_changes
       USING listing_changes_to_delete lc
-      WHERE lc.id = listing_changes.id
+      WHERE lc.id = listing_changes.id;
     SQL
+
     puts 'Deleting old listing changes'
     ApplicationRecord.connection.execute sql
+    ApplicationRecord.connection.execute 'ANALYSE listing_changes;'
+    ApplicationRecord.connection.execute 'REINDEX TABLE listing_changes;'
   end
 
   task trim_trade_restrictions: :environment do
@@ -76,6 +168,10 @@ namespace :db do
       WITH trade_restrictions_to_delete AS (
         SELECT * FROM trade_restrictions
         WHERE NOT is_current
+      ), deleted_cites_suspension_confirmations AS (
+        DELETE FROM cites_suspension_confirmations
+        USING trade_restrictions_to_delete
+        WHERE cites_suspension_confirmations.cites_suspension_id = trade_restrictions_to_delete.id
       ), deleted_restriction_purposes AS (
         DELETE FROM trade_restriction_purposes
         USING trade_restrictions_to_delete
@@ -96,29 +192,122 @@ namespace :db do
       )
       DELETE FROM trade_restrictions
       USING trade_restrictions_to_delete tr
-      WHERE tr.id = trade_restrictions.id
+      WHERE tr.id = trade_restrictions.id;
     SQL
+
     puts 'Deleting old trade restrictions'
     ApplicationRecord.connection.execute sql
+    ApplicationRecord.connection.execute 'ANALYSE trade_restrictions;'
+    ApplicationRecord.connection.execute 'REINDEX TABLE trade_restrictions;'
   end
 
   task trim_eu_decisions: :environment do
-    sql = 'DELETE FROM eu_decisions WHERE NOT is_current'
     puts 'Deleting old EU decisions'
-    ApplicationRecord.connection.execute sql
+    ApplicationRecord.connection.execute <<-SQL.squish
+      DELETE FROM eu_decisions
+      WHERE NOT eu_decisions.is_current AND NOT EXISTS (
+        SELECT TRUE
+        FROM eu_decision_confirmations
+        WHERE eu_decision_id = eu_decisions.id
+      );
+    SQL
+
+    ApplicationRecord.connection.execute 'ANALYSE eu_decisions;'
+    ApplicationRecord.connection.execute 'REINDEX TABLE eu_decisions;'
   end
 
   task trim_users: :environment do
-    puts 'Clearing user data'
+    puts 'Pseudonymising user data'
     ApplicationRecord.connection.execute <<-SQL.squish
-      UPDATE users SET
-        name = 'user ' || users.id,
-        email = 'user.' || users.id || '@test.org'
+      UPDATE "users" u SET
+        "name"               = 'User ' || u.id,
+        "email"              = 'user.' || u.id || '@test.local',
+        "current_sign_in_ip" = '192.168.1.' || (u.id % 256),
+        "last_sign_in_ip"    = '192.168.1.' || (u.id % 256)
+      WHERE "email" NOT LIKE '%@unep-wcmc.org'
+        AND "email" NOT LIKE '%@test.local'
     SQL
   end
 
+  task trim_ahoy: :environment do
+    puts 'Removing analytics data'
+
+    ApplicationRecord.connection.execute <<-SQL.squish
+      TRUNCATE TABLE ahoy_events;
+      REINDEX TABLE ahoy_events;
+      TRUNCATE TABLE ahoy_visits;
+      REINDEX TABLE ahoy_visits;
+    SQL
+  end
+
+  task trim_api_requests: :environment do
+    cutoff = 2.years.ago.to_date.to_s
+
+    puts "Removing records of API Request data prior to #{cutoff}"
+
+    ApplicationRecord.connection.execute <<-SQL.squish
+      DELETE FROM api_requests
+        WHERE updated_at <= '#{cutoff}'
+      ;
+    SQL
+
+    ApplicationRecord.connection.execute 'ANALYSE api_requests;'
+    ApplicationRecord.connection.execute 'REINDEX TABLE api_requests;'
+  end
+
   task drop_temporary_tables: :environment do
     puts 'Dropping temporary tables'
+
     ApplicationRecord.connection.execute 'SELECT * FROM drop_eu_lc_mviews()'
   end
+
+  ##
+  # Reclaims space from any table where the number of dead tuples (old versions
+  # of rows left over by postgres as a result of updates/deletes) is greater
+  # than the number of live tuples. In effect, this means that wherever the size
+  # on disk of a table can be reduced by about 50% or more, a full-table rewrite
+  # will be performed. This requires a exclusive lock on the entire table.
+  task vacuum_full: :environment do
+    puts 'Finding tables that need vacuuming'
+
+    vaccumable_sql = <<-SQL.squish
+      SELECT
+        st.schemaname,
+        st.relname,
+        n_live_tup,
+        n_dead_tup
+      FROM pg_catalog.pg_stat_all_tables st
+      JOIN pg_catalog.pg_class r
+        ON st.relid = r.oid
+        AND r.relkind = 't'
+      WHERE st.schemaname = 'public'
+      AND n_dead_tup > n_live_tup
+    SQL
+
+    vacuumables = ApplicationRecord.connection.execute vaccumable_sql
+
+    puts (
+      vacuumables.map do |row|
+        %Q("#{row['schemaname']}"."#{row['relname']}": #{row['n_dead_tup']} dead, #{row['n_live_tup']} live")
+      end.join("\n")
+    )
+
+    ApplicationRecord.connection.execute <<-SQL.squish
+      DO $do$
+        DECLARE
+          schemaname TEXT;
+          relname TEXT;
+        BEGIN
+          FOR schemaname, relname IN #{vaccumable_sql}
+          LOOP
+            EXECUTE format(
+              'VACUUM FULL ANALYSE %I$1.%I$2',
+              schemaname, relname
+            );
+          END LOOP;
+          RETURN;
+        END;
+      $do$;
+    SQL
+  end
 end

From b31edbf6bea62b9d1704eacf53adb3232370b34e Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Fri, 23 May 2025 10:15:13 +0100
Subject: [PATCH 004/106] chore: interim docker-compose for side-by-side work
 on pg10, pg17

---
 docker-compose.yml | 45 ++++++++++++++++++++++++++++++++++-----------
 1 file changed, 34 insertions(+), 11 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 95816b64e..649ef24b4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -45,8 +45,8 @@ services:
       MINIO_ROOT_USER: minioadmin
       MINIO_ROOT_PASSWORD: minioadmin
 
-  db:
-    container_name: sapi-db
+  db-pg10:
+    container_name: sapi-db-pg10
     image: postgres:10
     command: postgres -c max_wal_size=2GB
     healthcheck:
@@ -66,6 +66,27 @@ services:
       POSTGRES_HOST_AUTH_METHOD: "trust"
       POSTGRES_DB: "sapi_development"
 
+  db-pg17:
+    container_name: sapi-db-pg17
+    image: postgres:17
+    command: postgres -c max_wal_size=2GB
+    healthcheck:
+      test: ["CMD", "pg_isready", "-U", "postgres"]
+      timeout: 45s
+      interval: 10s
+      retries: 10
+    volumes:
+      - ./db_init:/docker-entrypoint-initdb.d
+      - ./db/structure.sql:/docker-entrypoint-initdb.d/sapi_schema.sql
+      - 'pg17data:/var/lib/postgresql/data'
+    ports:
+      - "${SAPI_CONTAINER_DB_PORT:-5417}:5432"
+    networks:
+      - sapi
+    environment:
+      POSTGRES_HOST_AUTH_METHOD: "trust"
+      POSTGRES_DB: "sapi_development"
+
   rails:
     container_name: sapi-rails
     build:
@@ -114,17 +135,18 @@ services:
     tty: true
     environment:
       MAILER_ADDRESS: sapi-mailcatcher
-      SAPI_DATABASE_HOST: sapi-db
+      SAPI_DATABASE_HOST: sapi-db-pg17
       SAPI_DATABASE_USERNAME: postgres
       SAPI_DATABASE_PORT: 5432
       SAPI_SIDEKIQ_REDIS_URL: redis://sapi-redis:6379/0
       SAPI_SIDEKIQ_REDIS_CACHE_URL: redis://sapi-redis-cache:6380/0
-      CAPTIVE_BREEDING_DATABASE_HOST: sapi-db
+      CAPTIVE_BREEDING_DATABASE_HOST: sapi-db-pg17
       SAPI_S3_PORT: '${SAPI_CONTAINER_S3_PORT:-9000}'
     depends_on:
       - redis
       - redis_cache
-      - db
+      - db-pg10
+      - db-pg17
       - mailcatcher
       - minio
   deploy:
@@ -138,7 +160,7 @@ services:
     stdin_open: true
     tty: true
     environment:
-      SAPI_DATABASE_HOST: sapi-db
+      SAPI_DATABASE_HOST: sapi-db-pg17
       SAPI_SIDEKIQ_REDIS_URL: redis://sapi-redis:6379/0
       # Defaults to blank; used by AppSignal:
       USER: "$USER"
@@ -176,7 +198,8 @@ services:
     networks:
       - sapi
     depends_on:
-      - db
+      - db-pg10
+      - db-pg17
       - redis
       - redis_cache
       - mailcatcher
@@ -185,14 +208,13 @@ services:
     volumes: *rails_volumes
     environment:
       MAILER_ADDRESS: sapi-mailcatcher
-      SAPI_DATABASE_HOST: sapi-db
+      SAPI_DATABASE_HOST: sapi-db-pg17
       SAPI_DATABASE_USERNAME: postgres
       SAPI_DATABASE_PORT: 5432
-      SAPI_SIDEKIQ_REDIS_URL: redis://sapi-redis:6379/0
       SAPI_S3_PORT: '${SAPI_CONTAINER_S3_PORT:-9000}'
+      SAPI_SIDEKIQ_REDIS_URL: redis://sapi-redis:6379/0
       SAPI_SIDEKIQ_REDIS_CACHE_URL: redis://sapi-redis-cache:6380/0
-      CAPTIVE_BREEDING_DATABASE_HOST: sapi-db
-
+      CAPTIVE_BREEDING_DATABASE_HOST: sapi-db-pg17
   mailcatcher:
     container_name: sapi-mailcatcher
     image: sj26/mailcatcher
@@ -203,6 +225,7 @@ services:
 
 volumes:
   pgdata:
+  pg17data:
   bundler_gems:
   redis_data:
   minio-data:

From c88a35fc9b167accb398e230a89f81184350aac7 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Mon, 9 Jun 2025 09:22:14 +0100
Subject: [PATCH 005/106] chore: install postgres 17 client in Dockerfile

---
 Dockerfile | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 5b18e7dcc..ee36821fd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,12 +11,15 @@ FROM ruby:3.2.5
 # socat is just for binding ports within docker, not needed for the application
 RUN apt-get update && apt-get install -y --force-yes \
   libsodium-dev libgmp3-dev libssl-dev \
-  libpq-dev postgresql-client \
+  postgresql-common \
   nodejs \
   socat \
   texlive-latex-base texlive-fonts-recommended texlive-fonts-extra texlive-latex-extra \
-  ;
-# NB: Postgres client from Debian is 9.4 - not sure if this is acceptable
+;
+
+# pg_dump requires that the client library >= the server (major) version
+RUN yes | /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh
+RUN apt-get install -y --force-yes libpq-dev postgresql-client-17
 
 RUN mkdir /SAPI
 WORKDIR /SAPI

From 5a7216233beaddf9b903f87b2896d88ee31e7cb3 Mon Sep 17 00:00:00 2001
From: Leonardo Wong <leonardo.wong@unep-wcmc.org>
Date: Fri, 25 Jul 2025 10:48:27 +0100
Subject: [PATCH 006/106] pin ruby/kamal version for kamal deploy

---
 deploy/.ruby-version |  1 +
 deploy/Gemfile       |  4 +++
 deploy/Gemfile.lock  | 72 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 77 insertions(+)
 create mode 100644 deploy/.ruby-version
 create mode 100644 deploy/Gemfile
 create mode 100644 deploy/Gemfile.lock

diff --git a/deploy/.ruby-version b/deploy/.ruby-version
new file mode 100644
index 000000000..f9892605c
--- /dev/null
+++ b/deploy/.ruby-version
@@ -0,0 +1 @@
+3.4.4
diff --git a/deploy/Gemfile b/deploy/Gemfile
new file mode 100644
index 000000000..aa43c464f
--- /dev/null
+++ b/deploy/Gemfile
@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+ruby '3.4.4'
+
+gem "kamal", "~> 2.7"
diff --git a/deploy/Gemfile.lock b/deploy/Gemfile.lock
new file mode 100644
index 000000000..5baa55c1c
--- /dev/null
+++ b/deploy/Gemfile.lock
@@ -0,0 +1,72 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (8.0.2)
+      base64
+      benchmark (>= 0.3)
+      bigdecimal
+      concurrent-ruby (~> 1.0, >= 1.3.1)
+      connection_pool (>= 2.2.5)
+      drb
+      i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
+      minitest (>= 5.1)
+      securerandom (>= 0.3)
+      tzinfo (~> 2.0, >= 2.0.5)
+      uri (>= 0.13.1)
+    base64 (0.3.0)
+    bcrypt_pbkdf (1.1.1)
+    benchmark (0.4.1)
+    bigdecimal (3.2.2)
+    concurrent-ruby (1.3.5)
+    connection_pool (2.5.3)
+    dotenv (3.1.8)
+    drb (2.2.3)
+    ed25519 (1.4.0)
+    i18n (1.14.7)
+      concurrent-ruby (~> 1.0)
+    kamal (2.7.0)
+      activesupport (>= 7.0)
+      base64 (~> 0.2)
+      bcrypt_pbkdf (~> 1.0)
+      concurrent-ruby (~> 1.2)
+      dotenv (~> 3.1)
+      ed25519 (~> 1.4)
+      net-ssh (~> 7.3)
+      sshkit (>= 1.23.0, < 2.0)
+      thor (~> 1.3)
+      zeitwerk (>= 2.6.18, < 3.0)
+    logger (1.7.0)
+    minitest (5.25.5)
+    net-scp (4.1.0)
+      net-ssh (>= 2.6.5, < 8.0.0)
+    net-sftp (4.0.0)
+      net-ssh (>= 5.0.0, < 8.0.0)
+    net-ssh (7.3.0)
+    ostruct (0.6.3)
+    securerandom (0.4.1)
+    sshkit (1.24.0)
+      base64
+      logger
+      net-scp (>= 1.1.2)
+      net-sftp (>= 2.1.2)
+      net-ssh (>= 2.8.0)
+      ostruct
+    thor (1.3.2)
+    tzinfo (2.0.6)
+      concurrent-ruby (~> 1.0)
+    uri (1.0.3)
+    zeitwerk (2.7.3)
+
+PLATFORMS
+  arm64-darwin-24
+  ruby
+
+DEPENDENCIES
+  kamal (~> 2.7)
+
+RUBY VERSION
+   ruby 3.4.4p34
+
+BUNDLED WITH
+   2.6.7

From 8f2eb4353b448fbc426b8fe3017026a623790aad Mon Sep 17 00:00:00 2001
From: Leonardo Wong <leonardo.wong@unep-wcmc.org>
Date: Fri, 25 Jul 2025 14:01:09 +0100
Subject: [PATCH 007/106] pin nodejs version, and optimise Dockefile, the image
 size down from 4GB to 2.4GB

---
 .node-version      |  1 +
 Dockerfile         | 27 ++++++++++++++++++++++-----
 docker-compose.yml |  8 ++------
 3 files changed, 25 insertions(+), 11 deletions(-)
 create mode 100644 .node-version

diff --git a/.node-version b/.node-version
new file mode 100644
index 000000000..08b7109d0
--- /dev/null
+++ b/.node-version
@@ -0,0 +1 @@
+18.20.8
diff --git a/Dockerfile b/Dockerfile
index 5b18e7dcc..08cedd4f1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,21 +4,38 @@
 # or SUS-ORS project.
 
 # Dockerfile
-FROM ruby:3.2.5
+FROM ruby:3.2.5-slim
 
 # Rails and SAPI has some additional dependencies, e.g. rake requires a JS
 # runtime, so attempt to get these from apt, where possible
 # socat is just for binding ports within docker, not needed for the application
-RUN apt-get update && apt-get install -y --force-yes \
+RUN apt-get update && apt-get install --no-install-recommends -y --force-yes \
+  # ?
   libsodium-dev libgmp3-dev libssl-dev \
+  # PSQL
   libpq-dev postgresql-client \
-  nodejs \
+  # node js
+  curl xz-utils \
+  # For minio, local s3, development only.
   socat \
+  # latex (huge file size)
   texlive-latex-base texlive-fonts-recommended texlive-fonts-extra texlive-latex-extra \
-  ;
+  # Clean up
+  && rm -rf /var/lib/apt/lists/*
 # NB: Postgres client from Debian is 9.4 - not sure if this is acceptable
 
-RUN mkdir /SAPI
+# Install Node.js 18.20.8 manually
+ARG NODE_VERSION=18.20.8
+ARG TARGETARCH
+# Map Docker TARGETARCH to Node.js archive name
+RUN case "$TARGETARCH" in \
+  amd64) NODE_ARCH=x64 ;; \
+  arm64) NODE_ARCH=arm64 ;; \
+  *) echo "Unsupported architecture: $TARGETARCH"; exit 1 ;; \
+  esac && \
+  curl -fsSL https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz \
+  | tar -xJ -C /usr/local --strip-components=1
+
 WORKDIR /SAPI
 
 #
diff --git a/docker-compose.yml b/docker-compose.yml
index 329955999..f54462985 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -68,9 +68,7 @@ services:
 
   rails:
     container_name: sapi-rails
-    build:
-      context: ./
-      dockerfile: Dockerfile
+    build: .
     command: bundle exec rails server -p 3000 -b '0.0.0.0'
     volumes: &rails_volumes
       # Used for both rails and sidekiq
@@ -175,9 +173,7 @@ services:
 
   sidekiq:
     container_name: sapi-sidekiq
-    build:
-      context: .
-      dockerfile: Dockerfile
+    build: .
     networks:
       - sapi
     depends_on:

From 162b1ac07114fbd46710a62d9d69bf89560a0bba Mon Sep 17 00:00:00 2001
From: Leonardo Wong <leonardo.wong@unep-wcmc.org>
Date: Fri, 25 Jul 2025 14:37:43 +0100
Subject: [PATCH 008/106] config.hosts and ALLOWED_HOSTS only use in local
 docker development.

---
 config/environments/production.rb | 1 -
 config/environments/staging.rb    | 2 --
 2 files changed, 3 deletions(-)

diff --git a/config/environments/production.rb b/config/environments/production.rb
index d93986aa5..c700c15a1 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -116,7 +116,6 @@
   # ]
   # Skip DNS rebinding protection for the default health check endpoint.
   # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
-  config.hosts += ENV['ALLOWED_HOSTS'].split(',') if ENV['ALLOWED_HOSTS'].present?
 
   ###
   # Everything below are WCMC custom settings.
diff --git a/config/environments/staging.rb b/config/environments/staging.rb
index 6b20dc228..85a35f2c9 100644
--- a/config/environments/staging.rb
+++ b/config/environments/staging.rb
@@ -108,8 +108,6 @@
   # ]
   # Skip DNS rebinding protection for the default health check endpoint.
   # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
-  config.hosts += ENV['ALLOWED_HOSTS'].split(',') if ENV['ALLOWED_HOSTS'].present?
-
 
   # Inserts middleware to perform automatic connection switching.
   # The `database_selector` hash is used to pass options to the DatabaseSelector

From 5d8da2218e8649cc01e8d7dabc7ca58b0b42b765 Mon Sep 17 00:00:00 2001
From: Leonardo Wong <leonardo.wong@unep-wcmc.org>
Date: Fri, 25 Jul 2025 14:43:57 +0100
Subject: [PATCH 009/106] mailer config can't use Rails credentials: 1) should
 migrate to ENV so DevOps can make changes without developers; 2)
 assets:precompile without RAILS_MASTER_KEY not able to run coz failed to load
 credentials.

---
 config/environments/production.rb | 24 ++++++++----------------
 config/environments/staging.rb    | 24 ++++++++----------------
 2 files changed, 16 insertions(+), 32 deletions(-)

diff --git a/config/environments/production.rb b/config/environments/production.rb
index c700c15a1..3c38ce0d0 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -124,31 +124,23 @@
   config.ember.variant = :production
 
   # Custom email settings
-  mailer_credentials = Rails.application.credentials[:mailer]
-
   config.action_mailer.delivery_method = :smtp
   config.action_mailer.smtp_settings = {
-    address: mailer_credentials[:address],
-    port: mailer_credentials[:port],
-    domain: mailer_credentials[:domain],
-    user_name: mailer_credentials[:username],
-    password: mailer_credentials[:password],
+    address: "smtp.sendgrid.net",
+    port: 587,
+    domain: "unep-wcmc.org",
+    user_name: ENV['MAIL_USERNAME'],
+    password: ENV['MAIL_PASSWORD'],
     authentication: :login,
     enable_starttls_auto: true
   }
 
   config.action_mailer.default_url_options = {
-    host: mailer_credentials[:host]
+    host: "www.speciesplus.net"
   }
 
-  # fix for current version of mail gem: https://github.com/mikel/mail/issues/1538
-  # config.action_mailer.delivery_method = :sendmail
-  # config.action_mailer.sendmail_settings = {
-  #   location: '/usr/sbin/sendmail', arguments: ['-i']
-  # }
-
   config.action_mailer.default_options = {
-    from: mailer_credentials[:from],
-    reply_to: mailer_credentials[:from]
+    from: "no-reply@unep-wcmc.org",
+    reply_to: "no-reply@unep-wcmc.org"
   }
 end
diff --git a/config/environments/staging.rb b/config/environments/staging.rb
index 85a35f2c9..ab9c3621e 100644
--- a/config/environments/staging.rb
+++ b/config/environments/staging.rb
@@ -134,31 +134,23 @@
   config.ember.variant = :production
 
   # Custom email settings
-  mailer_credentials = Rails.application.credentials[:mailer]
-
   config.action_mailer.delivery_method = :smtp
   config.action_mailer.smtp_settings = {
-    address: mailer_credentials[:address],
-    port: mailer_credentials[:port],
-    domain: mailer_credentials[:domain],
-    user_name: mailer_credentials[:username],
-    password: mailer_credentials[:password],
+    address: "smtp.sendgrid.net",
+    port: 587,
+    domain: "unep-wcmc.org",
+    user_name: ENV['MAIL_USERNAME'],
+    password: ENV['MAIL_PASSWORD'],
     authentication: :login,
     enable_starttls_auto: true
   }
 
   config.action_mailer.default_url_options = {
-    host: mailer_credentials[:host]
+    host: "sapi.sapi-staging.linode.unep-wcmc.org"
   }
 
-  # fix for current version of mail gem: https://github.com/mikel/mail/issues/1538
-  # config.action_mailer.delivery_method = :sendmail
-  # config.action_mailer.sendmail_settings = {
-  #   location: '/usr/sbin/sendmail', arguments: ['-i']
-  # }
-
   config.action_mailer.default_options = {
-    from: mailer_credentials[:from],
-    reply_to: mailer_credentials[:from]
+    from: "no-reply@unep-wcmc.org",
+    reply_to: "no-reply@unep-wcmc.org"
   }
 end

From a0fd60c975e01bbd2065e7a90c86171d5fb51458 Mon Sep 17 00:00:00 2001
From: Leonardo Wong <leonardo.wong@unep-wcmc.org>
Date: Fri, 25 Jul 2025 15:46:47 +0100
Subject: [PATCH 010/106] Things that can't raise error, when running
 assets:precompile without RAILS_MASTER_KEY.

---
 config/initializers/devise.rb              | 2 +-
 config/initializers/schema_dump_options.rb | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 66d3f7fe7..afd5a0394 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -4,7 +4,7 @@
   # The secret key used by Devise. Devise uses this key to generate
   # random tokens. Changing this key will render invalid all existing
   # confirmation, reset password and unlock tokens in the database.
-  config.secret_key = Rails.application.credentials.secret_key_base!
+  config.secret_key = Rails.application.credentials.secret_key_base
 
   # ==> Mailer Configuration
   # Configure the e-mail address which will be shown in Devise::Mailer,
diff --git a/config/initializers/schema_dump_options.rb b/config/initializers/schema_dump_options.rb
index 37c23a120..4a5323ef6 100644
--- a/config/initializers/schema_dump_options.rb
+++ b/config/initializers/schema_dump_options.rb
@@ -1,2 +1,4 @@
-ActiveRecord::SchemaDumper.ignore_tables <<
-  ActiveRecord::Base.connection.data_sources.grep(/^trade_sandbox_\d+/)
+if ENV['SECRET_KEY_BASE_DUMMY'].blank?
+  ActiveRecord::SchemaDumper.ignore_tables <<
+    ActiveRecord::Base.connection.data_sources.grep(/^trade_sandbox_\d+/)
+end

From c3d3be07acfc989bed42d1d4926fb47be019c590 Mon Sep 17 00:00:00 2001
From: Leonardo Wong <leonardo.wong@unep-wcmc.org>
Date: Fri, 25 Jul 2025 15:57:41 +0100
Subject: [PATCH 011/106] Production Dockerfile and .dockerignore

---
 .dockerignore     | 47 +++++++++++++++++++++++++
 Dockerfile.deploy | 90 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 137 insertions(+)
 create mode 100644 Dockerfile.deploy

diff --git a/.dockerignore b/.dockerignore
index e3cd043e9..541931e5d 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -45,3 +45,50 @@
 # Ignore Docker-related files
 /.dockerignore
 /Dockerfile*
+
+# SAPI
+/coverage
+/rdoc
+/private
+/public/system
+/public/downloads/*.pdf
+#LaTeX
+/public/latex/*.aux
+/public/latex/*.out
+/public/latex/*.log
+/public/latex/*.gz
+/public/latex/index.pdf
+/public/latex/history.pdf
+/public/sitemap*
+
+#checklist downloads
+/public/downloads/checklist/*.*
+
+#exports csvs
+/public/downloads/documents/*.csv
+/public/downloads/quotas/*.csv
+/public/downloads/cites_listings/*.csv
+/public/downloads/cites_suspensions/*.csv
+/public/downloads/eu_listings/*.csv
+/public/downloads/eu_decisions/*.csv
+/public/downloads/cms_listings/*.csv
+/public/downloads/checklist/*.pdf
+/public/downloads/checklist/*.csv
+/public/downloads/checklist/*.json
+/public/downloads/taxon_concepts_names/*.csv
+/public/downloads/synonyms_and_trade_names/*.csv
+/public/downloads/taxon_concepts_distributions/*.csv
+/public/downloads/shipments/*.csv
+/public/downloads/comptab/*.csv
+/public/downloads/gross_exports/*.csv
+/public/downloads/gross_imports/*.csv
+/public/downloads/net_exports/*.csv
+/public/downloads/net_imports/*.csv
+/public/downloads/trade_download_stats/*.csv
+/public/downloads/species_reference_output/*.csv
+/public/downloads/standard_reference_output/*.csv
+/public/downloads/common_names/*.csv
+/public/downloads/iucn_mappings/*.csv
+/public/downloads/cms_mappings/*.csv
+/public/downloads/orphaned_taxon_concepts/*.csv
+/public/uploads/*
diff --git a/Dockerfile.deploy b/Dockerfile.deploy
new file mode 100644
index 000000000..369f38c5a
--- /dev/null
+++ b/Dockerfile.deploy
@@ -0,0 +1,90 @@
+# syntax=docker/dockerfile:1
+# check=error=true
+
+# This Dockerfile is designed for production, not development. Use with Kamal or build'n'run by hand.
+
+# For a containerized dev environment, see Dev Containers: https://guides.rubyonrails.org/getting_started_with_devcontainer.html
+
+# Make sure RUBY_VERSION matches the Ruby version in .ruby-version
+ARG RUBY_VERSION=3.2.5
+FROM ruby:$RUBY_VERSION-slim AS base
+
+# Rails app lives here
+WORKDIR /rails
+
+# Install base packages
+RUN apt-get update -qq && \
+  apt-get install --no-install-recommends -y curl libjemalloc2 libpq-dev \
+  # ?
+  libsodium-dev libgmp3-dev libssl-dev \
+  # latex (huge file size)
+  texlive-latex-base texlive-fonts-recommended texlive-fonts-extra texlive-latex-extra \
+  && rm -rf /var/lib/apt/lists /var/cache/apt/archives
+
+# Set production environment
+ENV NODE_ENV="production" \
+  RAILS_ENV="production" \
+  BUNDLE_DEPLOYMENT="1" \
+  BUNDLE_PATH="/usr/local/bundle" \
+  BUNDLE_WITHOUT="development"
+
+# Throw-away build stage to reduce size of final image
+FROM base AS build
+
+# Install packages needed to build gems
+RUN apt-get update -qq && \
+  apt-get install --no-install-recommends -y build-essential git libyaml-dev pkg-config \
+  # install node js
+  curl xz-utils \
+  && rm -rf /var/lib/apt/lists /var/cache/apt/archives
+
+# Install Node.js 18.20.8 manually
+ARG NODE_VERSION=18.20.8
+ARG TARGETARCH
+# Map Docker TARGETARCH to Node.js archive name
+RUN case "$TARGETARCH" in \
+  amd64) NODE_ARCH=x64 ;; \
+  arm64) NODE_ARCH=arm64 ;; \
+  *) echo "Unsupported architecture: $TARGETARCH"; exit 1 ;; \
+  esac && \
+  curl -fsSL https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz \
+  | tar -xJ -C /usr/local --strip-components=1
+
+# Install application gems
+COPY Gemfile Gemfile.lock ./
+RUN bundle install && \
+  rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git && \
+  bundle exec bootsnap precompile --gemfile
+
+# Copy application code
+COPY . .
+
+# Precompile bootsnap code for faster boot times
+RUN bundle exec bootsnap precompile app/ lib/
+
+# Precompiling assets for production without requiring secret RAILS_MASTER_KEY
+RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails assets:precompile
+
+
+
+
+# Final stage for app image
+FROM base
+
+# Copy built artifacts: gems, application
+COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
+COPY --from=build /rails /rails
+
+# Run and own only the runtime files as a non-root user for security
+RUN groupadd --system --gid 1000 rails && \
+  useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
+  chown -R rails:rails db log tmp
+USER 1000:1000
+
+# Entrypoint prepares the database.
+ENTRYPOINT ["/rails/bin/docker-entrypoint"]
+
+# Start server
+EXPOSE 80
+# CMD ["./bin/rails", "server"]
+CMD ["tail", "-f", "/dev/null"]

From d353f2b61a0669a9d88f6bf2b17c5705c4e5d334 Mon Sep 17 00:00:00 2001
From: Leonardo Wong <leonardo.wong@unep-wcmc.org>
Date: Fri, 25 Jul 2025 17:08:28 +0100
Subject: [PATCH 012/106] Align ENV name with DevOps

---
 config/database.yml | 4 ++--
 config/storage.yml  | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/config/database.yml b/config/database.yml
index 3b51f642b..26026bfbb 100644
--- a/config/database.yml
+++ b/config/database.yml
@@ -6,7 +6,7 @@ default: &default
     host:     <%= ENV.fetch("SAPI_DATABASE_HOST",     Rails.application.credentials.dig(:db, :host)) %>
     username: <%= ENV.fetch("SAPI_DATABASE_USERNAME", Rails.application.credentials.dig(:db, :username)) %>
     password: <%= ENV.fetch("SAPI_DATABASE_PASSWORD", Rails.application.credentials.dig(:db, :password)) %>
-    port:     <%= ENV.fetch("SAPI_DATABASE_PORT",     Rails.application.credentials.dig(:db, :port)) %>
+    port:     <%= ENV.fetch("SAPI_DATABASE_PORT",     Rails.application.credentials.dig(:db, :port) || '5432') %>
     database: <%= ENV.fetch("SAPI_DATABASE_NAME",     "sapi_#{Rails.env}") %>
     variables:
       # It is important that ordinary queries do not hang while waiting for a
@@ -24,7 +24,7 @@ default: &default
     username: <%= ENV.fetch("CAPTIVE_BREEDING_DATABASE_USERNAME", Rails.application.credentials.dig(:captive_breeding_db, :username) || 'postgres') %>
     password: <%= ENV.fetch("CAPTIVE_BREEDING_DATABASE_PASSWORD", Rails.application.credentials.dig(:captive_breeding_db, :password)) %>
     port:     <%= ENV.fetch("CAPTIVE_BREEDING_DATABASE_PORT",     Rails.application.credentials.dig(:captive_breeding_db, :port) || '5432') %>
-    database: <%= ENV.fetch("CAPTIVE_BREEDING_DATABASE",          Rails.application.credentials.dig(:captive_breeding_db, :database) || "captive_breeding_database_#{Rails.env}") %>
+    database: <%= ENV.fetch("CAPTIVE_BREEDING_DATABASE_NAME",     Rails.application.credentials.dig(:captive_breeding_db, :database) || "captive_breeding_database_#{Rails.env}") %>
     database_tasks: false
 
 development:
diff --git a/config/storage.yml b/config/storage.yml
index 90da9d2bd..34b151869 100644
--- a/config/storage.yml
+++ b/config/storage.yml
@@ -14,9 +14,9 @@ local:
 #     secret_access_key: xXXxxXXXx0Xx/XXxx000xxXX0XxX/xxx00X0xx0X
 amazon: &amazon
   service: S3
-  access_key_id:     <%= ENV.fetch("AWS_S3_ACCESS_KEY_ID")     { Rails.application.credentials.dig(:storage, :aws, :access_key_id) } %>
-  secret_access_key: <%= ENV.fetch("AWS_S3_SECRET_ACCESS_KEY") { Rails.application.credentials.dig(:storage, :aws, :secret_access_key) } %>
-  region:            <%= ENV.fetch("AWS_S3_REGION")            { Rails.application.credentials.dig(:storage, :aws, :region) || 'eu-west-2' } %>
+  access_key_id:     <%= ENV.fetch("AWS_ACCESS_KEY_ID")     { Rails.application.credentials.dig(:storage, :aws, :access_key_id) } %>
+  secret_access_key: <%= ENV.fetch("AWS_SECRET_ACCESS_KEY") { Rails.application.credentials.dig(:storage, :aws, :secret_access_key) } %>
+  region:            <%= ENV.fetch("AWS_REGION")            { Rails.application.credentials.dig(:storage, :aws, :region) || 'eu-west-2' } %>
   bucket:            <%= ENV.fetch("AWS_S3_BUCKET")            { Rails.application.credentials.dig(:storage, :aws, :bucket) || "species-plus-#{Rails.env}" } %>
 
 local_s3:

From c950332a160cbc58e6ece81f51732b8252f6c49b Mon Sep 17 00:00:00 2001
From: Leonardo Wong <leonardo.wong@unep-wcmc.org>
Date: Fri, 25 Jul 2025 20:25:39 +0100
Subject: [PATCH 013/106] sidekiq admin username/password move to credentials.
 Was nginx .htpasswd.

---
 config/credentials/production.yml.enc |  2 +-
 config/credentials/staging.yml.enc    |  2 +-
 config/environments/development.rb    |  2 +-
 config/routes.rb                      | 16 ++++++++++++++++
 4 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/config/credentials/production.yml.enc b/config/credentials/production.yml.enc
index bd1ef26c3..ed1380f72 100644
--- a/config/credentials/production.yml.enc
+++ b/config/credentials/production.yml.enc
@@ -1 +1 @@
-EmP9XcW3ZHaYNRAHhMVJ62joCE3qCkq7U9nmYLgqlYhARoIiRq5Di5U60M37pRIFE4s1jk45FvQS6alf/N1qU3o9X3BRngvBjwXYR+4lNK4BuPQsEbdpQIjzByNDPk8m1mDsgshQJhsb4wZQkhNbYMlXgXAP81cCW26KHL74l9CoPG3p+1xraPTwI1jrWyRgwbK4vcb5yWdLOZ4CGKL29I/QdLc7VwW/MVfYm15mM/k55umGJweaNvAJvBTY3J3a09xoUy1FWsIqnlcf0uKswKrWNzK2cp0HtEVQTF9Xk/Pi3pB9AKZddMYYMAr79iI+qO/WxJk8qSNhAcaEv4K88vC2ZgJ6K3B++aH9vN9Z8fwIxgJ1lWbiraoeMBUsUAd5jLt3VO3vAK3SZvDUco5WDikA0ghuM4kRoO7IJCZYhWlsYrswzx4OpGTvOzp4MXydqOzblGspS9lSLOFuluvEaMCKagqwjol8ZTzw4T/mx1+sYEAXE1Ht9oP4nrbX8wtTh8tbuNsxhRyDcwqCT4S4SykHiy1T/1dyZo8n12YrNb6g0ENuADaXPFRpwd8h4BLVIFyz/TKeGogMmd9UNRPV/JUcNef5BgaTmXjNniQJtasTiqo3wjdb0CPz8oOBEjxXflU2heDlWg60Rr7ucK5AuYHcuHqfVNvET+vK0W3IPfSoEa0M+EUsI5YyBFGbsNNEpENUf6YXMDWxCfNax42g4qVTrUHJaY5qKy9mqM+lKzLec3UTlbN7Zf/JMtfQlhF5wixZpQerotLKng3K1nBGmzYPNdikxm7aA45KNXC5Fu28BqJtlrn3qEwUPfHvie5w8/kbdZL23XrsznIQjlvLxjZDqV30Nw88LbwkeOKbnms4JZONtj4U62QBr3N5LijZzptCGYaBeWdx2VMfxCCd/Ju30hNni/+WNe0tLoaS9+FQ01VcNbJMTkbAhANIs+V2zGyC3Ik+G79N05TcahFlwiuA2N5B40P7TBjEoOtuYfMf2wBaQkSCDDrrjHz1GCwrDuhHGXwYU4NGJjrmBuV2zOzF/KBMa454bfeReMkUG4PtGc9TxHCE7QnABYiou3Vxt2HTtJiRC8/syE2e53Oj4oAQRnkGlIClDrb0dQNVNEguvvoH0PZu8wIoVCT7fqXqMOZI4rciOifNS9CC2xw7P952fY0LhCQv+ZWjYzq9F4TT84kUArUobo3V0h9zoafazIcFFAq/6HaKgXmPrC/hJ5eEgCSuwN6LASkLEuTpJ4KvRem6wRZ7V35tcsgGSUl52gKuCdhEq/6PHis2B1/DkhcICj2iOU9yQWgHtOTeCPwzcDRDe9UKaQQGkER973S5drB3yBuCWHuPcV2J/61ffbHs3YP9E7mdzzUgI7p1P/zEqkPoix3lRltN7lW3mAPVQclF082RAb82WgqgV/TkcqSPFHbwV3vIaMVcMurd7OXmnvFOcBvDcuEn2g4XwepxeAq960cYk6CoU+e6xkQ2qRwyXMvxBsbcD+/59LVuU6Ml0xAzjhZFUfZyoP9tRG+qHE6xwSP7TMUxdvgIdTby09CbdHx4A/i8zgabXjK5asg+J7eE2mC1RFvHgZajdKosioWhTeQ8+vWAPTODtzSpDC1XkAZtPj5Nz8NRYYkL24Aj+CBG3Rkmi2Ng0ryqwb5UdOIVKX4zoaNM1A7v1mC8i9tXXYoRz9FDwbZc7mf8lAsoOx+uUAv2SevwjWTSHjSEcnB9+OsQhrq5j6tDcM3O6OspW0r8dK4I9FJ/cED56F5Oo2Lh0CvqlyOcQD06uv+ZRMQaxaIV4eQLMZTZKdhjNSLvMaGMTnoG3ncMoikhkcHWC7h/qevUC9BrIcwZS2lDI3La/nZroPwXqa5lTsiTzFa148Jr3zAT3fnlgDiABUYBJ4EyyrOEcJb1k11pXe063A7WKT47Z13pO2PZlhMnPz46XoZtUQzv4sQfXqXpZyqJSmgxp2D1BQkYBHnEleJo703ndvRCIJw45gkrZqGbZDCDsJUuvKcWe2hAtQq1KSL4HHY7r/Wd/Ak9KQPCjTxkgJFt775aeCNmkPpkNFdmmoOOC2PFylok21pJpoHOexBjwWQinlDhXzilrWP7CUThgJ3pCU+3qkt5gowjG9mLKV/bRgB1e9Zmva2sG60QHydknxG/xj3vnkeF3yJeUsOqy6QwAJt4id2giwyajhkGM5IdikYAUo98uewU97B5zuPm4sSwAXSJSBsPTuDCA6wSpqHotWNPv0fIv/OWC4MwgFOqrjksbIaV8Vzi6vgRbDRb+NXX8e3cZxAacp2Rq4aE0whzmkRdpY1rei8Wyx+KX02MgNTlPME7o0OAv2bARLEVtUILrbOMZSfuc7VxzgTECJhB4I2y6RH1JPwl1lXGNVjgfiUPKaUPJCmhiZ+nifhcZbADn33/lR2N0XR8vpHkJjUBSW12A7EW5eIFRWjZpyRFjhVBlhU7Ow3KfXTLayj1gTO0lj9fubDL4X3RwNjYoc/X2Cm1LIDwrK0HRZqZzaCzxGogSw4edx8msaC6Vx6Ip8wRmn0cAz72bmq+CAg/00IoBQX5toQ4a9BGimsvwqGT3jsiYFUjs6oAUBL5bzDpbYy5/BmYkN7PdITbxGQ9Kese+7Kxv3qjgzlSv9HeoP0TCfUioCzTulYezzICXFu6+aA9ortFgAhatu0PcDBEWIy1QUYHIcM6UvsvzmCj7LLgeCeIHUuBd7yF5gaNpXmSIpODrGQ6dpqKONUTQt568Wa6YEzmmTi7pN3xdhu3yZQ5k+BxDg0xyQyybeTIg0lnSBSMP7x3LMxkCSCzvIYjXsznZns91hjwuL8SpPqlYs3qGpWcusqGdso5JkddoECKCvdYu95Hbt3v7sIsjBHBzo5O+an6kXcbZgecBU2DbePrZA0seh79+N0/zpKfS2GgqPm1Hrg+8rrmZ7pV+uDJwYSN/Ic0krtUwHQxlzwbplEi0AkHFJNLh3jdQqxJfY9xNugHYMgAcxltHnpwBroH/PtZi6V6PU3O6h9mAxwsw/xcZbZnouF3/iJ58vFcTW/ucFy4e2jGNUlNdeauFW5wvJiz4txUerAQciph31OS+kBpQjyMePk24jx5WQvgaa7+Aa4YfcKO9YS98NjgD+q9ervWcogYdafsTd9bBKGMPWYo/GxyrF1MxWt0RFqWDPa+ViRo+v6KThk9k8USgYZtGyzdZFGxB50pVB1+pZdPE9Hy1y7vUVkOf34s7138+/m2pv6Veb2XsNlq7ekycRJ04KXLU0WCOMMlC/yGbbNydV5xbW/06Y3Dfs9WptKWosRv2FJ+chWMkdsJN4AfEJG8KddmMUN2x866/J6gtGncQAyhGG40VQ==--4qJJGNVpgQ3/1fEB--8mjgJXG+SInWCclUQkgTqA==
\ No newline at end of file
+15XdjowjG51zusY9MhBiAsQJWrckBz4g4co3LszHFC8dE8nFp1+MQMJXVz2GuGcI46LYiZ9fiekCRWOd6CjHeekYHX91VKd86dPIlrC2bYOrZfEUVMZiOHr+97PfoIOkznwIpTi8H01YuJ3EF68wxGDNoEuYwhTUhMcGpQu3HvzqZHDJSHKpX/22xqrWAV/C2tqOLKXZ7Z7WRLpzfUaOeaQlBRTvBDWj2aP/6tjPuL8kG885jsWMlg+DiBjD/9rNAB/tWpwHGkURS70DqFfgnIfuby5mTuLmbTFDDu3NB6mAbk6M3ZXlwhoJWX4Le+1WOcATdLUSQAuKukJ8lywQkEQdzpmzjAfHvREBH1IrxYQXGQs129857gLS8Q8kScT/wBDYMDKDNeRuGWRdEvDb2d8KsINaF0qqYYX+72kWgq3Mqr2mGTeU4ht6T+Yqdw68EF3xupPxkwr+zX7LG340NG3qIFXew2HTva7yBVtWVyut+7g2BBGL9GA+pJDEMPiArRFjEg+eNyeQwrQK1WPy0Pd2WT3A6ygNevUhvCW38zm1sOwPnBKmubRiPeOr4KH4cuVvgCUIKBC2Pw9BF1/NOd9hW9d1rd7sldquGcocXI/2wJzl6fG43NKk4nI2O50+67YhhUBDmYqEPRzTT1Ozuvklzo4gtAhGtPz8unXPzCopXQgFAuEVyM4d6x15OtfeOqEco+2t4PeDsi5HfXKKXq2Wl15ca6+qB6rL73tktb3pI4Iq1p/d2jS2xJCbQuCK0nV+ApnsXPJ7lEkmYl7e9qmAX79BJPK1VhJDWRIGvtmW4R4c6vmbUWmi9r38rTGPj4lVQd8aKERPaOaWkHPSh44xT5ZKXLAE3A1iQE93ERcQXueCBTKgpcKr7HjXOPk65IVP6F+lqE4QjHEopoQvlLFY78kAszbe/HF/QkDqjA7rhnF02B5GJ4TgoSl1O+0CvQuzt+nvZeqlVPkBJl0tAktXnxFz7pKEG0XkoIjfJcPTfsCBzOI6Inht0k+biAAw9907BlMTaev5Uhbk5j+l+Ea3lGiIBw0AWO2ETRrEBul9Er8rNR9uwStDd503kYUlJ79HvWys/kq9c8bPrLSh1ma+ooxfq2eQAT23iJJLgIGSaNg4TegJtWNh5EaKS3gcAzZjVtMBT1zZdDGKYHwFk325tkwTGVvE9mhknzYiUUzBNq3NGk8KvtptsMbxRkwTR/Tusb6O3rSYzPAnm65YwPx/DWsXzXwPI9O2iP5CpaiXAvQG8u/FlP/1Bvt5a6EACSPAEA3FS3X+uB8Is925ApKswCyPvQeWccpwoilxT7ZpAhnjdg2SCsKSDkQcLbkV7EJga1k1iEv9Lv8gCGaRF4QV1IWQMMe33QSoB1qQL+0pBbAZ1StyvjT3sG+I5xclaog6XwPxsEE6RHot6Jg1QHCzgRobPj8HXqdk8EuPgN5UUTF+zLLq6xCg/hOqgjc1O1AbWuyJT2sU0haqdJWacQywMGxygEEkI4wypjNDQRxnqtXL6mzPEGy8TzUarMrtjrPXc0H5qAr6OrQpysyIvZzcGWzgP4TCK6m30LyYiWvVw3L/y80omZzjfeOUtzhQzjGNbD6fqhPnKolU3Imoh3haaTaj0Rtf+XYjSUejj5roRIg/I8Dz1vYZTjZrNCrV0z79BBrOCQDHhDpsCQqnG4T4bFLiBGmMe5hz9af1I5TaBUpSEUPs7PGS4zYD1EQ6DXrIQQynTrBI4nJpgVSATvwGyNmzekswQ8D9Nhrh03C+Nnn5XzKzZ4ssV4ZuloK2TOfJ2RtbizAzm91KTMvkhRRTnmCNdllH460d2WP/r+M8M+/Rg3lXJS96Pv8HYeuzVKw3HG3kOMZMIlFm4FxxNMasf9hvK18ImEsN7NEZ9L2NOjtU8LPqxCkojupaT1l8HI2geQ1weuFgHk2MzVvk5G72TtYXwvHNjEMNS4jbQxl2Dc5RHGH6YAC40RqqgeddkMXIo12Z+CnEPGzcxg7X93l5+yVOkRtbxiju8QN6RBraVyH2n8y44aI6cRZbygpxUfdjaRIwMxLQlGPiDMW0G7twej02IiGO6zVDwTDXYJmk/8eXa2SL8jKeSvsWIYBa46OmEedNBrOj5fB++91n1mCmqczhNj43ts97nXEXL46SV9ky2ItcioMNsSEkMyS/XW5TPxoky4Q+r8wv8b/GteatVEoixGAX3McbcY54e8yD6A5T8x3IEoxNvIBTK9fbGqcLm0JZ4nKyhCCp+vl3rTY/dmt55MpqBYwwLffqQ0G5aFXCC69XMxb7dThVeh3KNQR8qnvFCwMZnat32b7n1G1l1wC7ZXJRkBp4FyTgqeVbQdcGgYtZhuQa6hGnBTSv44LjVgA/9wqcTUqoq+nRpTEbriQMuEJdHEQNhuDdOWGGOHvYz6lUcQ/QS9LEXu3wtBF7+/cit2FDCSR/+hjK9BbFUxFu1GO4hL0rc/5upIr1+wWMBDU3pXocJLwPsJieCUqqSJp5jOdxaXGEP+sDoLi60PWASpOouCCThJwVEXO2pG0FSXQtHC1T1k8RDJWQQPgRnC5pOkUAiJBuPlYk9YdfIFFA7Mfz5oHXyMq5h0x4ia5wOjpF/LIVwaCoIC03gX8d+VdGcvdYOe0o67u87nPiZpk6Lg9yofgJ1uOAGql+xZdSqO4GLhlBmhQD+HE15QC8bNwZTpcWk2Ec3KkzcDe7uCI7BsL/EYT5g3IRRmZTGGn11LAAJt9ee/p7/B7CAst0p41Ja8rqfxdNP59GGOo4fI9oMjUItnqsBuGev9Yhoq7HjujhUo2if8amqQ94ulJfX2TNpm7uoyrAsv+kJKalAdHfRmcoCk1JI1jL/8DdnG/AiHVpFYoKoHtluyiUZK74Zjz94xiQNjh524eLrzAAOzplPng60oG93lE6uSaeEBEdiVHJISsu+aQjNcnt02/o9cUF3stCa76TlvNTT+YRzkdNB2Hvbt0YX/IhfhdL7pTUnDNSQEA4IFMZZ6oWQguAX3uxfhH+72iPGj5eZsOyZG/PXwNYYDeCLOr+wVm/69Nd+hhtgydgsiZ/aEinzZarDb7EQm0lMD4TixkJqYGOVF3xXHVzzw6o0ePms1zSh8NgM8aeI4GaTs0eSAFh6r0HE9pFBmUk1wzZI3ex1AMTgtO0XTM3qoUjRDk5DzKsI1FSYjI4rM59QLtya+dpx6Jmp5c582FE2+gKXWPtdlBjgMmjlQHGeBwrWiJEBpRlCulEfQ3r6XBH8rjyx/6hOSxAtmVOEb82VAw53mV+Bp60XmjrpIIxoBlOezaxKmCfYLVWky+OEQvnTOV9QBovt+w4EhBy7a5dwnYO5P9d94seCE860NjPtrTGl8D4L/85ng0EU4HyjGLhXpIZI4nR+dGmnP4yVzcKBDEHU/kGUpichn0QElZsaoiW7SSX--3BxCon5UxLls1Gsi--aRhvTbWT82GnXRKdWvv4Cw==
\ No newline at end of file
diff --git a/config/credentials/staging.yml.enc b/config/credentials/staging.yml.enc
index 76ab6ed9a..a1a494783 100644
--- a/config/credentials/staging.yml.enc
+++ b/config/credentials/staging.yml.enc
@@ -1 +1 @@
-df+arMqTyLOBZFcuLABSJ3b2ZnwAnquwmFkbJgMONfqpRcYFybT3R6rkdV0rmDtaIJOoeRUGLflzqAiyy9YuDuPb0z9iy4GbqmuaCTaJq8nEmbfXzceyFePLg82L4u6qnEYh1Rh7FyXRB1kj1houEw2N+ZGHzJT4JJRJkv++LnVwItDn5HoelScK0iz9EunuMOf77MDBnV49MfGwIVT4F1gZi141T3Idg7P+v53fkA9mMYrAXouz3W8iLELn3aO9F+9bbbcC5SU5gJkzo+q0V3dal4RObT0rLRtuD41OuK70sVaz5pyqgykoT6HNkht4fnQEojTk9aA+5lsyjm17geZiIR6NIScMIPVDVCsbfJ8e7hi9ylTbwacQUMQHe/SenjTSlZbvwl9BjmJedB29wAmlA20HmCSRZZlh8XourkbTouRPwDPcmeAnsKDwHXtOUJXeugOer9UcG+52xvy0IEwWzMVqSCqWB0P0TsJ6vBL2vbrzP35nPczL2LyYzXlyVw2rj/HGIetfigTCJ/K0qlAMY/Pb114Pc92kwbn9O0H7a4MqlF3p3YRnjayKmpCLz7IRW91cfRL24M2XfjF59kBKnuGIhQdcjF/ErQCaEw9GkGMNeFBphUZs3s8E7WtyyAtyVU7FOqViaLVAgm/RtFZrlgnCdsYGlWoUJUYeeje9+KFfanNK8s9mlLFDyCpNNSDl4Mtk1watsA/uJqeuf+4E+aiQkk7P7+x9Oi2YeDbpS6rjJ6/ruS/t6qu2NiIP/Qhq7TXyJLIK8sFRW5n867y1HkOAs89sabRRmCj2/y8IQrHXAkXplrwCLfkK60WuNg7XZS13QkoitVmtyBB/nv9uDUu80KBFnDsuDBRnH23Z7STM+d7eFBqvVSLCrDj5rpwN4/Qk41+C/Sj86TKQgQsY5XMiX5TW5icTk1fP75norpZKdXvd5dYtNfHPF2yOD8W33RMb+f/DOtfLwmS7t/4QBW1RTqx3ZNb7MJfKIi8PImOiPpii0sGByObphydnTPrMgB64H1LVSHzKaqzqu4zyqG7qzzNCmjJJ1pUci2rOalM/v3+EJUfOaITGumNVZXc3uA/Xd9bzd0VqxklVFwJcjhGYZ9VQh+fPInU6wwI/m56pGESPaJ4ZalyZ3t3mMrAGBFt/8UIIZjZgb89vpvjC8D3XmSp425R2K2Nts8DSzDqccObhKYROFzVlb6EbcY/u8SUpFyTPBMBv1rXwEmzCfZyIfMcnP6AZhtl7zM7ehCi6oS3ZbYIES/ZE9mr+1fvzH3L5K6oO4FpzBe36BHYsbejf+tl9qGyYBWdQw13gLJbZcMEThqJGGNgwUGj+ZhE+F7AaieCRX4Zr6nMIqADje8GtNK4L3W6dGE9rpUmSO2GZlWXm8pq+pgSJ+6Bk4F3wrISLgBhIo2kG0+EfgS+LHDv1CCXgf9YrHP17ViA2Kn1HgNqGWVOQqPY6Po2P2zAcyRFZ/EFp9VG0e8rArP2AzqgkiVQ7T7rzszEN3Rm/YawK2EToRICPIQBovCdjoQjhQ8/KYQKoW9aO/KU6/aewlNDSbE56R5vdTzRKSfDeMjym7piAmlMMmfKZFmEo1GzlNm9iH38tzErYE2pDzZi8vIES6gJ9vbYjKyIz+ayACFjB4aa0g5vw7NAria+RusfmsDY6aYPSMDftsh1woPQl0jbNK3oM97L0S4aoi7xrFX7cd30ICbxad7tIUMHa+Upl/LwWA0mHbrUFA+1lcjeDxMGurb+GnHgbhBUZjrMhPJm9FzHg64TrvlQv4kRB+azcPq58fL8wJsh1N3VRgAFVRYAQLXBHIzifZ7VpDOE+GGgvh8gaDC/oyMQ0CYhBd98Xnk+A6dwRf6wHQHOub9SIJee9kOhIt92F/WAYYJPQpCt6gLWCghvZr+xy3ZuEvnglrGLOwjxru+A0FKVXObTUCcuzv3wq3DfuT2FBcoZeIHG0y22szqNLxiA774BpG/vzQEf8oprvyw5dKtQiHW9S0WgNJ9SReNXEobad0ONulu826aDZGkdSuD2SOwm8NVMzLGRYjBMAyFgHjnJKj/ENsJ8S13NWJU8I3lNjpL7fNTqUvM4iBxkeelcaVZIa258kMtBj0DP3z+1NBJxjkBi7jPeU411tB9vUI52bEcNR7DQPUQV9FQD9/8Y+S6TB1UVbHiN1Y13Kt0Kr7JoyVGMrLQRZr75NWhi844H4dE8lRNxMQ33bANUiNOfIRfmGoAr7bT2Phw7JM4y3JbpBUdnOzdVVQP8kz52hS8Wv3fuJpIQg3h+WX1MpgSPKYmB7MdHB/o1w+j9CgWa6y9Z8NkRiaNeMwwLMZly4InGX8mwEisWRfTE29e4RlOnHkdcbxpD/Ha2k++FpzutFaDRDfZeEnRmPsXUkOnACseov5CfK6FKhK2oJrhqnBGZXQlj+006euj7BwLS7kGp6bA2Bt2SgzzQPeyJ7XsgukIctsiwDMG24Bhbsx/SHX4PwQ6riYUNsI901tumKTRKi/9/kMoK3mHRmBOU0/7ak21goQbCPt9spzKMqb1ck1I7UYcUZqIN7XMdPOLlSs9Iriuu6wjRwwTujz0lx7QT9USui/TC0FsJr6rkpN3SmE+AZWSmdVAduglmkndmq1BYZd5JfBIY2Ln7YRwqha8/7YDInRYCz1ygsgRyKY7IuxPkiYROUJT1yYD9rIXilKwYDy3cuK/85hToqALfiO6asYokpFsY7muI+QlCs1SpULehV5QtnhB6Dpk+q9P8400qPdvaGIh6/F6bX0iWGbd7ist3fRleZzc3fRnc2UPf6hFzCox1ZOE3EqjzVmOQC812fOB0NCXTYcnppxBFWm+pwpdoec2AXGO5dH5n1RwjBlaMNA8mVgOhk6YuIifXrns9J+UteE0KHyCfFJFeD7joVKGXNu4VAhmobYsxYgBc59ZgLUA+Y0Y5OVCvoQoZsmmvj3mfmoF1c1pyGd5Q7K30Y/SlHfgkW+YmXSOSzYwXCiAbiBLd7KCdc5QGgli/CUBAkmxtZ/jbX/HpLdF90ucVBXMDSNJvO4wvcURNZdcIAec3VDNOkQh6CKcpcCHD1KZAlB7Cu+pKvXV9K0Uvow5UyK/SASqgdZyUpRPR7mA88j+K81sZZvHkVidZYeO2K2SUKnTrrjKPaiNJLDur8z2zGY2sMhAkqtihMoXH6C7Sx0VkCRbxuWCLbfFIUNZHC5bOvOokM17ojEg2f+tHtpkwGCJJXeujle3QOay7lk4a4ncNVKPXBCrAwSI4MfMAayHo=--m9FT/eiK2duMeoPd--TPeu8jM4DG29Rd1MfvgePw==
\ No newline at end of file
+ZMkejLl+WPee+fHeeSFBJL8b/GNc/S9FFzZB+0H2pwSILpGD4byPzxUKKl71US/86+Z3o/BPSvcbJWJY1nBxoz2dGZHJXr8jivvgSSEjobeNLXIJvY9RMdwrqLR3jxUcl5A5mBfhn9N+Y8WtLZpdb1ZxnWOUZEFfx4hh0GtyQgxQAUjxIZDsGEXsD/88JCmw02pmbtEwlhDM5//05fSDT/TG+i7tfTm1oIogEEVNxhTnidM9h6acMaMj13iyGcp7W+aAgm4hRiX66iZNMGOzF68KpkNxUNPmBXe/PWT0efdPAqTGSVffjwZpBqLhR2clbEqByrP+T0D8oF84jr320y76xq2GKplNTNnUlwFfYio35NoJz88WIOp9A4JDOs0+bosVwjlNrbX2C/zuFhouhFF6RoWdLa8IS5PCODhsNKG1eggJNDxkJLJVj+4typMuXfk9Bb6nRRhK4L1Q/as2KtSMLmcvqF5H1hNvq1GXu3D5d+G2RhatZ0rZ/fJctLWH1fgSwgBY8+DfCAS/g+b8gZPHXiW11BchS3OF0d+p1yHzix8EQOp0VK74EpW57r8xcgLfNpnLoZDcyh3SFCsl4zxobT/K5KCCn5NhAafFwMFZPXHq42D0380TKhiWDhkDc85cskCb6B09ws4Q0+4m6GNr6WN+UKCPAdn7o8Ds0k9FxhxXVuQbAfBqduALXfU55k1YNeGBMnhqW5Dkuxe3sGicovLdod0tfg8Jy1i9/ptXEzV8MFxULSfRP4x1vqFuh4ZyaU+h1ihdSjWMl7WPNnA36EwRvsQbFrU1B2ypOVlZdDFZaxQggKmSvQPUKaai/OfORZNCvx8rSYO6WKrjS4fq8M9hx2Ht3nD0UdNJcUFQTii3h/v2tCC5Cekah7tBrwQfXzKmnKBp0A69kxPFT9zBEST3eWZXJ+c/SeOpbArZPP3B72O5YaGFftq+BViaeAxE5VlWshg+WlIyCSLSmH9HguK83mQAaVj4SIVOExGnxjPWec42REZlJ7I6NDGLev9wkhpwz9jGp/nB3lQHYKrsozX8uiygU1f6s3guWl0vPerzqdbks9OWgfACfnlHuHcvxEo5Gd4Xd9s/psvsxHr2PwCVB1FvSL2cCNz+UUXNP693Hvm6z0sTD5mnYWuMvCHLGLekHp+aLLWzip1w0LCYhFPqokz2k6sujpYBEujnqAXNEbTTdjHJxqud8ff6on8VZ38xwcdoVjlK3looySmWmJQBP6+wWsRBKZJHaawe/EVFIHiZPufys3IsBXz5ipIo+pkri0UKwlskIpj71dYjIJoEIVpwewj/HzVQvPUwwEp1pZImpoTtZRCXWssrVeNrkWCYpd83I0Nu1zscTgog1n/oXOsJQQ2+n/qMIgpUCfhiy9DEoGR3b/HKwjn+fbwOS2qZ9TGiUnzoGWB+4Bg11gbRpYNsiRuySXNmDKIpi/STbCAdI5wcJgjg355IiImz65RBKsjJfbpQgdx198z8uEfrgx6U2emAfiygHco4LkuSvnmBrKD06sZ/o5+raB4Y46fhpvN20H8myr31+QevQTSvHUD0ZpFWSqk6vXj/DsBtJe9GPXA98JfelmB16JtheIg/6UszrgNFw2gMJBARMqtHDOWNPlVN3xChts3rOt1x8pGB9BR2kdE+mWRogqHlo13khfSpDErPMViahbKTJPsXdwLrxFYDrKXqYXy3nuqqwxCRO/JSK1SbBvvGgsPwQo43sXmf7xmDmG6nCqIDXciDSCk7MA5VvsAPBBrN9KseXST0k4LbsGHrJPmfA9uThgsKPXRMQdIA2g0E4youAexlmzUrim9luHbvO2RV+iT/VpMzWDbwrRq6OJ+WKwwDJQ3D9FeCTEv9soWnQhP/IEjQjK2CWsxFprOfQvopLHQNtoxdDOufzQonYDy4MH9zBVvtyBn0IdfPcWiyAVaJZVSxvpZqsDH4V2xH2mvUL9U2Xk5ruL0dH9U0vlGm8PSBZrjcoklF53smMcz/65+KChl/3emt5DwemK5ubV1fwQI7IXHWDhWvjL8vXWILb4WAfg4k7b6fscY/s+xxU+jDG2CnOjCgIdTa7PrbGMqjoeLVSmZGmjaAXCfU2GG2TUYse0aCWdtuiRnOMSewkZ6of6BLZFi6vGJ5280nYrDGpAoxkgygMorLy9Lqsur5W5Vez5FcqGy1bWCRorEESAT5MoUsSZ4zZBe5tVNSu7qemAljWht4t0WHRcWli+4WAz0PGmMMqAc9hsXoAROWSmfQtz6XKV8T4nV/mbcuJb5ypgV6NuXYBeG3OBOnVFO9lukZLBn5kbgww5sgBo4CsXjlY2oi+riPhcuVCMbvwQfjOhUNhRZx6KSOnhuFFFplXKE3pMCSeb1Cg2Ur2ciOjQs/t9QoL4iWha0ZvABUIMDmJoQR1zjRMX20ZqTaU7seym0olP2GGOW1VrLjA+arLU3yREckwc2sgS8FCd+UANgrJKxjowVo404FybNxuedkPxJPGg5+2cNdrOzwE6IaCKxcm1fKOCedpmMW/fYhn3IMj5Hse2huyJyGSUhXjrN21vVjp5SITqWQuU4DWbvgOR5Vbw+0PqzQyCOH9PJHkolcTbYS9t3h1FhKPP4pDXQbkMCAIJUuzugNRnyIjioxgGZEq24YXzfG9tkhGFco1/rDwaWweuDVNeFQxsh+NyyKCh3Q1+zeK5jVKesVGwEQf9M8Hu9F65E3pmPIc3LpCs2fOECPPQhSkEVn1AubSWI4SWW4PPNW50NoiqDH8ZrNYFp3SextdbSC2sKTIIoW16NgvLyckxJW9rnHgC/F4WI4hwhU9u7OtTvp4VA1XWdTnpD9FBOSbhW8fCtZRA/rnOCzaw6ewRdMdPFlrIdClKT6jGoNRfQE+buGB2asMaI49lXbXYYM8ax3YBy2+yH2WkesXj5NyDMRTyxhC6NGqjcvmGblBg9KveHaEorshc9lBOlF7RzN4nTMyWWCBykkU3PBRlOExhRgySLUFE8dkEgI9TZZvZGfRwBqFVoZsdfpSROG6llzquCHvW4FQKnyDZsqqAttUU/Ida/1sZnMDz+iqyyofbTzW7dZ62HNIPInAbpMW40wrH5IV/HDVPaIO5SRFUsx68NKI05dbSbOwPnDdRumKaEPb7qSpJyvGagjfXItDyb8eov1HJmi5/MbnV4s+0CBKZwmKoMsJoleBZh1k7CqiAyg6hiCUr+2IDC/GUdaakbhAJPUq8iXeHlsEbpnFBJZEgBmi4QbjNKvdINsDaILSIrWxY8bEFzZCDYpMei+NVcgj3bf/INti+G2dgIgC5muZ0eFa6CgS3MBvao3bmrYEeEW2VhZwMo7DPWRA8nzMA==--Y3cbBcS9LVL6HEYv--ydc+IIWgrsJdp3h/Two1PA==
\ No newline at end of file
diff --git a/config/environments/development.rb b/config/environments/development.rb
index f994d2d70..2e18abc54 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -24,7 +24,7 @@
     config.action_controller.enable_fragment_cache_logging = true
 
     # Use a redis instance as a cache store in local development.
-    config.cache_store = :redis_cache_store, { url: ENV.fetch('SAPI_SIDEKIQ_REDIS_CACHE_URL') }
+    config.cache_store = :redis_cache_store, { url: ENV.fetch('SAPI_SIDEKIQ_REDIS_CACHE_URL', '') }
     config.public_file_server.headers = {
       'Cache-Control' => "public, max-age=#{2.days.to_i}"
     }
diff --git a/config/routes.rb b/config/routes.rb
index ce44a452b..481f14a42 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,6 +1,22 @@
 require 'sidekiq/web'
 require 'sidekiq/cron/web'
 
+if %w[test development].exclude?(Rails.env)
+  Sidekiq::Web.use Rack::Auth::Basic do |username, password|
+    # Protect against timing attacks:
+    # - See https://codahale.com/a-lesson-in-timing-attacks/
+    # - See https://thisdata.com/blog/timing-attacks-against-string-comparison/
+    # - Use & (do not use &&) so that it doesn't short circuit.
+    # - Use digests to stop length information leaking (see also ActiveSupport::SecurityUtils.variable_size_secure_compare)
+    sidekiq_username = Rails.application.credentials.sidekiq.username!
+    sidekiq_password = Rails.application.credentials.sidekiq.password!
+    ActiveSupport::SecurityUtils.secure_compare(Digest::SHA256.hexdigest(username),
+      Digest::SHA256.hexdigest(sidekiq_username)) &
+      ActiveSupport::SecurityUtils.secure_compare(Digest::SHA256.hexdigest(password),
+        Digest::SHA256.hexdigest(sidekiq_password))
+  end
+end
+
 Rails.application.routes.draw do
   # Reveal health status on /up that returns 200 if the app boots with no exceptions, otherwise 500.
   # Can be used by load balancers and uptime monitors to verify that the app is live.

From 92d816a635d48ed0b6b021ed1e6418669e00e540 Mon Sep 17 00:00:00 2001
From: Leonardo Wong <leonardo.wong@unep-wcmc.org>
Date: Fri, 25 Jul 2025 20:48:22 +0100
Subject: [PATCH 014/106] =?UTF-8?q?Remove=20the=20bundle=20install=20comma?=
 =?UTF-8?q?nd=20from=20the=20entrypoint.=20In=20staging=20and=20production?=
 =?UTF-8?q?,=20it=E2=80=99s=20already=20run=20when=20the=20Docker=20image?=
 =?UTF-8?q?=20is=20built;=20Move=20it=20into=20the=20Docker=20Compose=20co?=
 =?UTF-8?q?nfiguration=20for=20development=20only.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 bin/docker-entrypoint | 2 --
 docker-compose.yml    | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/bin/docker-entrypoint b/bin/docker-entrypoint
index cd970544f..5c404a181 100755
--- a/bin/docker-entrypoint
+++ b/bin/docker-entrypoint
@@ -4,8 +4,6 @@ if [[ "${@}" =~ "rails server" ]]; then
   rm -f ./tmp/pids/server.pid;
 fi
 
-bundle install
-
 mkdir -p {./,spec/}public/downloads/checklist
 mkdir -p {./,spec/}public/downloads/cites_listings
 mkdir -p {./,spec/}public/downloads/cites_suspensions
diff --git a/docker-compose.yml b/docker-compose.yml
index f54462985..ca05afb0d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -69,7 +69,7 @@ services:
   rails:
     container_name: sapi-rails
     build: .
-    command: bundle exec rails server -p 3000 -b '0.0.0.0'
+    command: bundle install && bundle exec rails server -p 3000 -b '0.0.0.0'
     volumes: &rails_volumes
       # Used for both rails and sidekiq
 

From acb3d4d40c8d30fd7e5ea82fb9c6a6ff642db8e5 Mon Sep 17 00:00:00 2001
From: Leonardo Wong <leonardo.wong@unep-wcmc.org>
Date: Fri, 25 Jul 2025 20:49:42 +0100
Subject: [PATCH 015/106] kamal 2 config

---
 .kamal/hooks/docker-setup.sample      |   3 +
 .kamal/hooks/post-app-boot.sample     |   3 +
 .kamal/hooks/post-deploy.sample       |  14 +++
 .kamal/hooks/post-proxy-reboot.sample |   3 +
 .kamal/hooks/pre-app-boot.sample      |   3 +
 .kamal/hooks/pre-build                |  51 +++++++++++
 .kamal/hooks/pre-connect.sample       |  47 ++++++++++
 .kamal/hooks/pre-deploy.sample        | 122 ++++++++++++++++++++++++++
 .kamal/hooks/pre-proxy-reboot.sample  |   3 +
 .kamal/secrets-common                 |  39 ++++++++
 Dockerfile                            |   2 +
 config/database.yml.sample            |  29 ------
 config/deploy.production.yml          |  36 ++++++++
 config/deploy.staging.yml             |  35 ++++++++
 config/deploy.yml                     |  48 ++++++++++
 15 files changed, 409 insertions(+), 29 deletions(-)
 create mode 100755 .kamal/hooks/docker-setup.sample
 create mode 100755 .kamal/hooks/post-app-boot.sample
 create mode 100755 .kamal/hooks/post-deploy.sample
 create mode 100755 .kamal/hooks/post-proxy-reboot.sample
 create mode 100755 .kamal/hooks/pre-app-boot.sample
 create mode 100755 .kamal/hooks/pre-build
 create mode 100755 .kamal/hooks/pre-connect.sample
 create mode 100755 .kamal/hooks/pre-deploy.sample
 create mode 100755 .kamal/hooks/pre-proxy-reboot.sample
 create mode 100644 .kamal/secrets-common
 delete mode 100644 config/database.yml.sample
 create mode 100644 config/deploy.production.yml
 create mode 100644 config/deploy.staging.yml
 create mode 100644 config/deploy.yml

diff --git a/.kamal/hooks/docker-setup.sample b/.kamal/hooks/docker-setup.sample
new file mode 100755
index 000000000..2fb07d7d7
--- /dev/null
+++ b/.kamal/hooks/docker-setup.sample
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "Docker set up on $KAMAL_HOSTS..."
diff --git a/.kamal/hooks/post-app-boot.sample b/.kamal/hooks/post-app-boot.sample
new file mode 100755
index 000000000..70f9c4bc9
--- /dev/null
+++ b/.kamal/hooks/post-app-boot.sample
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "Booted app version $KAMAL_VERSION on $KAMAL_HOSTS..."
diff --git a/.kamal/hooks/post-deploy.sample b/.kamal/hooks/post-deploy.sample
new file mode 100755
index 000000000..fd364c2a7
--- /dev/null
+++ b/.kamal/hooks/post-deploy.sample
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# A sample post-deploy hook
+#
+# These environment variables are available:
+# KAMAL_RECORDED_AT
+# KAMAL_PERFORMER
+# KAMAL_VERSION
+# KAMAL_HOSTS
+# KAMAL_ROLES (if set)
+# KAMAL_DESTINATION (if set)
+# KAMAL_RUNTIME
+
+echo "$KAMAL_PERFORMER deployed $KAMAL_VERSION to $KAMAL_DESTINATION in $KAMAL_RUNTIME seconds"
diff --git a/.kamal/hooks/post-proxy-reboot.sample b/.kamal/hooks/post-proxy-reboot.sample
new file mode 100755
index 000000000..1435a677f
--- /dev/null
+++ b/.kamal/hooks/post-proxy-reboot.sample
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "Rebooted kamal-proxy on $KAMAL_HOSTS"
diff --git a/.kamal/hooks/pre-app-boot.sample b/.kamal/hooks/pre-app-boot.sample
new file mode 100755
index 000000000..45f735504
--- /dev/null
+++ b/.kamal/hooks/pre-app-boot.sample
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "Booting app version $KAMAL_VERSION on $KAMAL_HOSTS..."
diff --git a/.kamal/hooks/pre-build b/.kamal/hooks/pre-build
new file mode 100755
index 000000000..c5a55678b
--- /dev/null
+++ b/.kamal/hooks/pre-build
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# A sample pre-build hook
+#
+# Checks:
+# 1. We have a clean checkout
+# 2. A remote is configured
+# 3. The branch has been pushed to the remote
+# 4. The version we are deploying matches the remote
+#
+# These environment variables are available:
+# KAMAL_RECORDED_AT
+# KAMAL_PERFORMER
+# KAMAL_VERSION
+# KAMAL_HOSTS
+# KAMAL_ROLES (if set)
+# KAMAL_DESTINATION (if set)
+
+if [ -n "$(git status --porcelain)" ]; then
+  echo "Git checkout is not clean, aborting..." >&2
+  git status --porcelain >&2
+  exit 1
+fi
+
+first_remote=$(git remote)
+
+if [ -z "$first_remote" ]; then
+  echo "No git remote set, aborting..." >&2
+  exit 1
+fi
+
+current_branch=$(git branch --show-current)
+
+if [ -z "$current_branch" ]; then
+  echo "Not on a git branch, aborting..." >&2
+  exit 1
+fi
+
+remote_head=$(git ls-remote $first_remote --tags $current_branch | cut -f1)
+
+if [ -z "$remote_head" ]; then
+  echo "Branch not pushed to remote, aborting..." >&2
+  exit 1
+fi
+
+if [ "$KAMAL_VERSION" != "$remote_head" ]; then
+  echo "Version ($KAMAL_VERSION) does not match remote HEAD ($remote_head), aborting..." >&2
+  exit 1
+fi
+
+exit 0
diff --git a/.kamal/hooks/pre-connect.sample b/.kamal/hooks/pre-connect.sample
new file mode 100755
index 000000000..77744bdca
--- /dev/null
+++ b/.kamal/hooks/pre-connect.sample
@@ -0,0 +1,47 @@
+#!/usr/bin/env ruby
+
+# A sample pre-connect check
+#
+# Warms DNS before connecting to hosts in parallel
+#
+# These environment variables are available:
+# KAMAL_RECORDED_AT
+# KAMAL_PERFORMER
+# KAMAL_VERSION
+# KAMAL_HOSTS
+# KAMAL_ROLES (if set)
+# KAMAL_DESTINATION (if set)
+# KAMAL_RUNTIME
+
+hosts = ENV["KAMAL_HOSTS"].split(",")
+results = nil
+max = 3
+
+elapsed = Benchmark.realtime do
+  results = hosts.map do |host|
+    Thread.new do
+      tries = 1
+
+      begin
+        Socket.getaddrinfo(host, 0, Socket::AF_UNSPEC, Socket::SOCK_STREAM, nil, Socket::AI_CANONNAME)
+      rescue SocketError
+        if tries < max
+          puts "Retrying DNS warmup: #{host}"
+          tries += 1
+          sleep rand
+          retry
+        else
+          puts "DNS warmup failed: #{host}"
+          host
+        end
+      end
+
+      tries
+    end
+  end.map(&:value)
+end
+
+retries = results.sum - hosts.size
+nopes = results.count { |r| r == max }
+
+puts "Prewarmed %d DNS lookups in %.2f sec: %d retries, %d failures" % [ hosts.size, elapsed, retries, nopes ]
diff --git a/.kamal/hooks/pre-deploy.sample b/.kamal/hooks/pre-deploy.sample
new file mode 100755
index 000000000..05b3055b7
--- /dev/null
+++ b/.kamal/hooks/pre-deploy.sample
@@ -0,0 +1,122 @@
+#!/usr/bin/env ruby
+
+# A sample pre-deploy hook
+#
+# Checks the Github status of the build, waiting for a pending build to complete for up to 720 seconds.
+#
+# Fails unless the combined status is "success"
+#
+# These environment variables are available:
+# KAMAL_RECORDED_AT
+# KAMAL_PERFORMER
+# KAMAL_VERSION
+# KAMAL_HOSTS
+# KAMAL_COMMAND
+# KAMAL_SUBCOMMAND
+# KAMAL_ROLES (if set)
+# KAMAL_DESTINATION (if set)
+
+# Only check the build status for production deployments
+if ENV["KAMAL_COMMAND"] == "rollback" || ENV["KAMAL_DESTINATION"] != "production"
+  exit 0
+end
+
+require "bundler/inline"
+
+# true = install gems so this is fast on repeat invocations
+gemfile(true, quiet: true) do
+  source "https://rubygems.org"
+
+  gem "octokit"
+  gem "faraday-retry"
+end
+
+MAX_ATTEMPTS = 72
+ATTEMPTS_GAP = 10
+
+def exit_with_error(message)
+  $stderr.puts message
+  exit 1
+end
+
+class GithubStatusChecks
+  attr_reader :remote_url, :git_sha, :github_client, :combined_status
+
+  def initialize
+    @remote_url = github_repo_from_remote_url
+    @git_sha = `git rev-parse HEAD`.strip
+    @github_client = Octokit::Client.new(access_token: ENV["GITHUB_TOKEN"])
+    refresh!
+  end
+
+  def refresh!
+    @combined_status = github_client.combined_status(remote_url, git_sha)
+  end
+
+  def state
+    combined_status[:state]
+  end
+
+  def first_status_url
+    first_status = combined_status[:statuses].find { |status| status[:state] == state }
+    first_status && first_status[:target_url]
+  end
+
+  def complete_count
+    combined_status[:statuses].count { |status| status[:state] != "pending"}
+  end
+
+  def total_count
+    combined_status[:statuses].count
+  end
+
+  def current_status
+    if total_count > 0
+      "Completed #{complete_count}/#{total_count} checks, see #{first_status_url} ..."
+    else
+      "Build not started..."
+    end
+  end
+
+  private
+    def github_repo_from_remote_url
+      url = `git config --get remote.origin.url`.strip.delete_suffix(".git")
+      if url.start_with?("https://github.com/")
+        url.delete_prefix("https://github.com/")
+      elsif url.start_with?("git@github.com:")
+        url.delete_prefix("git@github.com:")
+      else
+        url
+      end
+    end
+end
+
+
+$stdout.sync = true
+
+begin
+  puts "Checking build status..."
+
+  attempts = 0
+  checks = GithubStatusChecks.new
+
+  loop do
+    case checks.state
+    when "success"
+      puts "Checks passed, see #{checks.first_status_url}"
+      exit 0
+    when "failure"
+      exit_with_error "Checks failed, see #{checks.first_status_url}"
+    when "pending"
+      attempts += 1
+    end
+
+    exit_with_error "Checks are still pending, gave up after #{MAX_ATTEMPTS * ATTEMPTS_GAP} seconds" if attempts == MAX_ATTEMPTS
+
+    puts checks.current_status
+    sleep(ATTEMPTS_GAP)
+    checks.refresh!
+  end
+rescue Octokit::NotFound
+  exit_with_error "Build status could not be found"
+end
diff --git a/.kamal/hooks/pre-proxy-reboot.sample b/.kamal/hooks/pre-proxy-reboot.sample
new file mode 100755
index 000000000..061f8059e
--- /dev/null
+++ b/.kamal/hooks/pre-proxy-reboot.sample
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "Rebooting kamal-proxy on $KAMAL_HOSTS..."
diff --git a/.kamal/secrets-common b/.kamal/secrets-common
new file mode 100644
index 000000000..d32adb401
--- /dev/null
+++ b/.kamal/secrets-common
@@ -0,0 +1,39 @@
+# Minimal Secrets Template - Backend Rails API Kamal Deployment
+# Secrets defined here are available for reference under registry/password, env/secret, builder/secrets,
+# and accessories/*/env/secret in config/deploy.yml. All secrets should be pulled from either
+# password manager, ENV, or a file. DO NOT ENTER RAW CREDENTIALS HERE! This file needs to be safe for git.
+
+# Registry Configuration (ALWAYS REQUIRED)
+KAMAL_REGISTRY_USERNAME=$KAMAL_REGISTRY_USERNAME
+KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
+
+# Rails Configuration (REQUIRED)
+RAILS_MASTER_KEY=$RAILS_MASTER_KEY
+
+# Database Configuration (special, 2 database)
+SAPI_DATABASE_HOST=$SAPI_DATABASE_HOST
+SAPI_DATABASE_NAME=$SAPI_DATABASE_NAME
+SAPI_DATABASE_USERNAME=$SAPI_DATABASE_USERNAME
+SAPI_DATABASE_PASSWORD=$SAPI_DATABASE_PASSWORD
+SAPI_DATABASE_PORT=$SAPI_DATABASE_PORT
+
+CAPTIVE_BREEDING_DATABASE_HOST=$CAPTIVE_BREEDING_DATABASE_HOST
+CAPTIVE_BREEDING_DATABASE_NAME=$CAPTIVE_BREEDING_DATABASE_NAME
+CAPTIVE_BREEDING_DATABASE_USERNAME=$CAPTIVE_BREEDING_DATABASE_USERNAME
+CAPTIVE_BREEDING_DATABASE_PASSWORD=$CAPTIVE_BREEDING_DATABASE_PASSWORD
+CAPTIVE_BREEDING_DATABASE_PORT=$CAPTIVE_BREEDING_DATABASE_PORT
+
+# Mail Configuration
+MAIL_USERNAME=$MAIL_USERNAME
+MAIL_PASSWORD=$MAIL_PASSWORD
+
+# AWS Configuration
+AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
+AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
+AWS_REGION=$AWS_REGION
+
+# Redis for Sidekiq
+SAPI_SIDEKIQ_REDIS_URL=$SAPI_SIDEKIQ_REDIS_URL
+
+# Redis for cache
+SAPI_SIDEKIQ_REDIS_CACHE_URL=$SAPI_SIDEKIQ_REDIS_CACHE_URL
diff --git a/Dockerfile b/Dockerfile
index 08cedd4f1..61ba877a1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,6 +12,8 @@ FROM ruby:3.2.5-slim
 RUN apt-get update && apt-get install --no-install-recommends -y --force-yes \
   # ?
   libsodium-dev libgmp3-dev libssl-dev \
+  # Editor
+  vim nano \
   # PSQL
   libpq-dev postgresql-client \
   # node js
diff --git a/config/database.yml.sample b/config/database.yml.sample
deleted file mode 100644
index 64521c841..000000000
--- a/config/database.yml.sample
+++ /dev/null
@@ -1,29 +0,0 @@
-
-default: &default
-  host: <%= ENV.fetch("SAPI_DATABASE_HOST", 'localhost') %>
-  adapter: postgresql
-  encoding: unicode
-  # For details on connection pooling, see Rails configuration guide
-  # https://guides.rubyonrails.org/configuring.html#database-pooling
-  pool: <%= ENV.fetch("SAPI_RAILS_MAX_THREADS") { 5 } %>
-  username: <%= ENV.fetch("SAPI_DATABASE_USERNAME", 'postgres') %>
-  port: <%= ENV.fetch("SAPI_DATABASE_PORT", 5432) %>
-
-development:
-  <<: *default
-  database: sapi_development
-  timeout: 5000
-
-test:
-  <<: *default
-  database: sapi_test
-  timeout: 5000
-
-staging:
-  <<: *default
-  database: sapi_development
-  port: 5432
-
-production:
-  <<: *default
-  database: sapi_development
diff --git a/config/deploy.production.yml b/config/deploy.production.yml
new file mode 100644
index 000000000..58bd56641
--- /dev/null
+++ b/config/deploy.production.yml
@@ -0,0 +1,36 @@
+# Name of the container image
+image: ghcr.io/unepwcmc/sapi/rails-production
+
+# Define services (servers for Kamal 2.5.2 compatibility)
+servers:
+  web:
+    hosts:
+      - example.com # TODO: Ruan
+    proxy:
+      hosts:
+        - www.speciesplus.net # Public-facing domain
+        # TODO: Ruan, do we need to add `speciesplus.net` (without www)?
+      ssl: true # Proxy terminates SSL
+      forward_headers: true # Forward headers like X-Forwarded-Proto
+      healthcheck:
+        path: /up
+      logging:
+        request_headers:
+          - Cache-Control
+          - User-Agent
+          - X-Forwarded-Proto # Critical for Rails to detect HTTPS
+        response_headers:
+          - X-Request-ID
+  job:
+    hosts:
+      - example.com # TODO: Ruan
+    options:
+      add-host: host.docker.internal:host-gateway
+    cmd: bundle exec sidekiq -C config/sidekiq.yml
+    healthcheck:
+      cmd: /rails/bin/docker-sidekiq-healthcheck
+
+# Environment variables
+env:
+  clear:
+    RAILS_ENV: production
diff --git a/config/deploy.staging.yml b/config/deploy.staging.yml
new file mode 100644
index 000000000..3b7cf46ef
--- /dev/null
+++ b/config/deploy.staging.yml
@@ -0,0 +1,35 @@
+# Name of the container image
+image: ghcr.io/unepwcmc/sapi/rails-staging
+
+# Define services (servers for Kamal 2.5.2 compatibility)
+servers:
+  web:
+    hosts:
+      - example.com # TODO: Ruan
+    proxy:
+      hosts:
+        - sapi.sapi-staging.linode.unep-wcmc.org # Public-facing domain
+      ssl: true # Proxy terminates SSL
+      forward_headers: true # Forward headers like X-Forwarded-Proto
+      healthcheck:
+        path: /up
+      logging:
+        request_headers:
+          - Cache-Control
+          - User-Agent
+          - X-Forwarded-Proto # Critical for Rails to detect HTTPS
+        response_headers:
+          - X-Request-ID
+  job:
+    hosts:
+      - example.com # TODO: Ruan
+    options:
+      add-host: host.docker.internal:host-gateway
+    cmd: bundle exec sidekiq -C config/sidekiq.yml
+    healthcheck:
+      cmd: /rails/bin/docker-sidekiq-healthcheck
+
+# Environment variables
+env:
+  clear:
+    RAILS_ENV: staging
diff --git a/config/deploy.yml b/config/deploy.yml
new file mode 100644
index 000000000..f67661cba
--- /dev/null
+++ b/config/deploy.yml
@@ -0,0 +1,48 @@
+# Name of your application. Used to uniquely configure containers.
+service: sapi
+
+# Credentials for your image host.
+registry:
+  server: ghcr.io
+  username:
+    - KAMAL_REGISTRY_USERNAME
+  password:
+    - KAMAL_REGISTRY_PASSWORD
+
+# Inject ENV variables into containers (secrets come from .kamal/secrets.{environment})
+env:
+  clear:
+    RAILS_LOG_LEVEL: warn # @see https://github.com/heartcombo/devise#password-reset-tokens-and-rails-logs
+    PORT: 80
+    RAILS_SERVE_STATIC_FILES: 1
+    RAILS_LOG_TO_STDOUT: 1 # Need this before upgrade to Rails 7.1, which then default is STDOUT.
+  secret:
+    - RAILS_MASTER_KEY
+    - SAPI_DATABASE_HOST
+    - SAPI_DATABASE_NAME
+    - SAPI_DATABASE_USERNAME
+    - SAPI_DATABASE_PASSWORD
+    - SAPI_DATABASE_PORT
+    - CAPTIVE_BREEDING_DATABASE_HOST
+    - CAPTIVE_BREEDING_DATABASE_NAME
+    - CAPTIVE_BREEDING_DATABASE_USERNAME
+    - CAPTIVE_BREEDING_DATABASE_PASSWORD
+    - CAPTIVE_BREEDING_DATABASE_PORT
+    - MAIL_USERNAME
+    - MAIL_PASSWORD
+    - AWS_ACCESS_KEY_ID
+    - AWS_SECRET_ACCESS_KEY
+    - AWS_REGION
+    - SAPI_SIDEKIQ_REDIS_URL
+    - SAPI_SIDEKIQ_REDIS_CACHE_URL
+
+# Use a different ssh user than root
+ssh:
+  user: wcmc
+
+# Configure builder setup
+builder:
+  arch: amd64
+  dockerfile: Dockerfile.deploy
+  args:
+    RUBY_VERSION: 3.2.5

From 19ba0c95a906cd770190639388fb20940c1c7ac0 Mon Sep 17 00:00:00 2001
From: Leonardo Wong <leonardo.wong@unep-wcmc.org>
Date: Fri, 25 Jul 2025 22:06:11 +0100
Subject: [PATCH 016/106] add sidekiq healthcheck script

---
 bin/docker-sidekiq-healthcheck | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100755 bin/docker-sidekiq-healthcheck

diff --git a/bin/docker-sidekiq-healthcheck b/bin/docker-sidekiq-healthcheck
new file mode 100755
index 000000000..975e7c159
--- /dev/null
+++ b/bin/docker-sidekiq-healthcheck
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Cannot use `sidekiqmon`, because it rely on REDIS_URL env.
+# We do not store redis_url in REDIS_URL:
+# - it has password, is serect, should be in rails credentials;
+# - there maybe more than one redis (e.g. One for sidekiq [maxmemory-policy=noeviction]; one for cache [maxmemory-policy=lfu])
+if [ $(ps aux | grep 'sidekiq ' | grep -v grep | wc -l) -gt 0 ]; then
+  exit 0
+else
+  exit 1
+fi

From ed76285662bc478328c0c4fed1a34e07b6833be7 Mon Sep 17 00:00:00 2001
From: Leonardo Wong <leonardo.wong@unep-wcmc.org>
Date: Fri, 25 Jul 2025 22:07:27 +0100
Subject: [PATCH 017/106] nodejs only use for assets:precompile, but somehow it
 broken if not available in runtime, maybe due to terser?

---
 Dockerfile.deploy | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/Dockerfile.deploy b/Dockerfile.deploy
index 369f38c5a..c678f6183 100644
--- a/Dockerfile.deploy
+++ b/Dockerfile.deploy
@@ -17,6 +17,8 @@ RUN apt-get update -qq && \
   apt-get install --no-install-recommends -y curl libjemalloc2 libpq-dev \
   # ?
   libsodium-dev libgmp3-dev libssl-dev \
+  # install node js
+  curl xz-utils \
   # latex (huge file size)
   texlive-latex-base texlive-fonts-recommended texlive-fonts-extra texlive-latex-extra \
   && rm -rf /var/lib/apt/lists /var/cache/apt/archives
@@ -28,16 +30,6 @@ ENV NODE_ENV="production" \
   BUNDLE_PATH="/usr/local/bundle" \
   BUNDLE_WITHOUT="development"
 
-# Throw-away build stage to reduce size of final image
-FROM base AS build
-
-# Install packages needed to build gems
-RUN apt-get update -qq && \
-  apt-get install --no-install-recommends -y build-essential git libyaml-dev pkg-config \
-  # install node js
-  curl xz-utils \
-  && rm -rf /var/lib/apt/lists /var/cache/apt/archives
-
 # Install Node.js 18.20.8 manually
 ARG NODE_VERSION=18.20.8
 ARG TARGETARCH
@@ -50,6 +42,15 @@ RUN case "$TARGETARCH" in \
   curl -fsSL https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz \
   | tar -xJ -C /usr/local --strip-components=1
 
+
+# Throw-away build stage to reduce size of final image
+FROM base AS build
+
+# Install packages needed to build gems
+RUN apt-get update -qq && \
+  apt-get install --no-install-recommends -y build-essential git libyaml-dev pkg-config \
+  && rm -rf /var/lib/apt/lists /var/cache/apt/archives
+
 # Install application gems
 COPY Gemfile Gemfile.lock ./
 RUN bundle install && \

From 60e88d392520b580f5d12fcd439cea370bb5caee Mon Sep 17 00:00:00 2001
From: Leonardo Wong <leonardo.wong@unep-wcmc.org>
Date: Fri, 25 Jul 2025 22:08:41 +0100
Subject: [PATCH 018/106] No longer need to remove the pid file in production
 mode, only need for development. Move to docker compose

---
 bin/docker-entrypoint |  6 +++--
 config/puma.rb        | 60 ++++++++++++++++++++++++-------------------
 2 files changed, 37 insertions(+), 29 deletions(-)

diff --git a/bin/docker-entrypoint b/bin/docker-entrypoint
index 5c404a181..3054757cc 100755
--- a/bin/docker-entrypoint
+++ b/bin/docker-entrypoint
@@ -1,7 +1,9 @@
 #!/bin/bash -e
 
-if [[ "${@}" =~ "rails server" ]]; then
-  rm -f ./tmp/pids/server.pid;
+# Enable jemalloc for reduced memory usage and latency.
+if [ -z "${LD_PRELOAD+x}" ]; then
+    LD_PRELOAD=$(find /usr/lib -name libjemalloc.so.2 -print -quit)
+    export LD_PRELOAD
 fi
 
 mkdir -p {./,spec/}public/downloads/checklist
diff --git a/config/puma.rb b/config/puma.rb
index 58e1c205b..a248513b2 100644
--- a/config/puma.rb
+++ b/config/puma.rb
@@ -1,35 +1,41 @@
 # This configuration file will be evaluated by Puma. The top-level methods that
 # are invoked here are part of Puma's configuration DSL. For more information
 # about methods provided by the DSL, see https://puma.io/puma/Puma/DSL.html.
-
-# Puma can serve each request in a thread from an internal thread pool.
-# The `threads` method setting takes two numbers: a minimum and maximum.
-# Any libraries that use thread pools should be configured to match
-# the maximum value specified for Puma. Default is set to 5 threads for minimum
-# and maximum; this matches the default thread size of Active Record.
-max_threads_count = ENV.fetch('RAILS_MAX_THREADS') { 5 }
-min_threads_count = ENV.fetch('RAILS_MIN_THREADS') { max_threads_count }
-threads min_threads_count, max_threads_count
-
-# Specifies that the worker count should equal the number of processors in production.
-if ENV['RAILS_ENV'] == 'production'
-  require 'concurrent-ruby'
-  worker_count = Integer(ENV.fetch('WEB_CONCURRENCY') { Concurrent.physical_processor_count })
-  workers worker_count if worker_count > 1
-end
-
-# Specifies the `worker_timeout` threshold that Puma will use to wait before
-# terminating a worker in development environments.
-worker_timeout 3600 if ENV.fetch('RAILS_ENV', 'development') == 'development'
+#
+# Puma starts a configurable number of processes (workers) and each process
+# serves each request in a thread from an internal thread pool.
+#
+# You can control the number of workers using ENV["WEB_CONCURRENCY"]. You
+# should only set this value when you want to run 2 or more workers. The
+# default is already 1.
+#
+# The ideal number of threads per worker depends both on how much time the
+# application spends waiting for IO operations and on how much you wish to
+# prioritize throughput over latency.
+#
+# As a rule of thumb, increasing the number of threads will increase how much
+# traffic a given process can handle (throughput), but due to CRuby's
+# Global VM Lock (GVL) it has diminishing returns and will degrade the
+# response time (latency) of the application.
+#
+# The default is set to 3 threads as it's deemed a decent compromise between
+# throughput and latency for the average Rails application.
+#
+# Any libraries that use a connection pool or another resource pool should
+# be configured to provide at least as many connections as the number of
+# threads. This includes Active Record's `pool` parameter in `database.yml`.
+threads_count = ENV.fetch("RAILS_MAX_THREADS", 3)
+threads threads_count, threads_count
 
 # Specifies the `port` that Puma will listen on to receive requests; default is 3000.
-port ENV.fetch('PORT') { 3000 }
+port ENV.fetch("PORT", 3000)
 
-# Specifies the `environment` that Puma will run in.
-environment ENV.fetch('RAILS_ENV') { 'development' }
+# Allow puma to be restarted by `bin/rails restart` command.
+plugin :tmp_restart
 
-# Specifies the `pidfile` that Puma will use.
-pidfile ENV.fetch('PIDFILE') { 'tmp/pids/server.pid' }
+# Run the Solid Queue supervisor inside of Puma for single-server deployments
+plugin :solid_queue if ENV["SOLID_QUEUE_IN_PUMA"]
 
-# Allow puma to be restarted by `rails restart` command.
-plugin :tmp_restart
+# Specify the PID file. Defaults to tmp/pids/server.pid in development.
+# In other environments, only set the PID file if requested.
+pidfile ENV["PIDFILE"] if ENV["PIDFILE"]

From 36d46f865c7b246d72cb99e4aac14ca7e9041616 Mon Sep 17 00:00:00 2001
From: Leonardo Wong <leonardo.wong@unep-wcmc.org>
Date: Fri, 25 Jul 2025 22:09:37 +0100
Subject: [PATCH 019/106] fix production config, to serve assets from puma

---
 config/environments/production.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/environments/production.rb b/config/environments/production.rb
index 3c38ce0d0..df9557e54 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -21,7 +21,7 @@
   # config.require_master_key = true
 
   # Disable serving static files from `public/`, relying on NGINX/Apache to do so instead.
-  config.public_file_server.enabled = false
+  config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?
 
   # Compress JavaScripts and CSS.
   config.assets.js_compressor = :terser

From 95ad590502545683ffcb8d4d553322ff643a234c Mon Sep 17 00:00:00 2001
From: Leonardo Wong <leonardo.wong@unep-wcmc.org>
Date: Fri, 1 Aug 2025 17:02:04 +0100
Subject: [PATCH 020/106] add remove puma pid file in docker compose for
 development only

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index ca05afb0d..26167db01 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -69,7 +69,7 @@ services:
   rails:
     container_name: sapi-rails
     build: .
-    command: bundle install && bundle exec rails server -p 3000 -b '0.0.0.0'
+    command: /bin/bash -l -c "bundle install && rm -rf /SAPI/tmp/pids/server.pid && bundle exec rails server -p 3000 -b '0.0.0.0'"
     volumes: &rails_volumes
       # Used for both rails and sidekiq
 

From c6d05d28c6c52bb8c3d8035b7b48c817e371c44b Mon Sep 17 00:00:00 2001
From: Leonardo Wong <leonardo.wong@unep-wcmc.org>
Date: Fri, 1 Aug 2025 17:08:02 +0100
Subject: [PATCH 021/106] add redis cache port in compose

---
 docker-compose.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index 26167db01..9dcc5f458 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -164,6 +164,8 @@ services:
   redis_cache:
     container_name: sapi-redis-cache
     image: redis:7.2.0
+    ports:
+      - "${SAPI_CONTAINER_REDIS_PORT:-6380}:6380"
     networks:
       - sapi
     command: redis-server /usr/local/etc/redis/redis.conf

From db16764c138efa604a64b2a718a7517e7a2f61d5 Mon Sep 17 00:00:00 2001
From: Leonardo Wong <leonardo.wong@unep-wcmc.org>
Date: Tue, 17 Mar 2026 17:11:54 +0000
Subject: [PATCH 022/106] Update Kamal deploy configuration

---
 .kamal/secrets-common        |  4 ----
 config/deploy.production.yml |  1 -
 config/deploy.staging.yml    |  1 -
 config/deploy.yml            |  6 +-----
 deploy/Gemfile               |  4 ++--
 deploy/Gemfile.lock          | 41 +++++++++++++++++++-----------------
 6 files changed, 25 insertions(+), 32 deletions(-)

diff --git a/.kamal/secrets-common b/.kamal/secrets-common
index d32adb401..4189767a8 100644
--- a/.kamal/secrets-common
+++ b/.kamal/secrets-common
@@ -3,10 +3,6 @@
 # and accessories/*/env/secret in config/deploy.yml. All secrets should be pulled from either
 # password manager, ENV, or a file. DO NOT ENTER RAW CREDENTIALS HERE! This file needs to be safe for git.
 
-# Registry Configuration (ALWAYS REQUIRED)
-KAMAL_REGISTRY_USERNAME=$KAMAL_REGISTRY_USERNAME
-KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
-
 # Rails Configuration (REQUIRED)
 RAILS_MASTER_KEY=$RAILS_MASTER_KEY
 
diff --git a/config/deploy.production.yml b/config/deploy.production.yml
index 58bd56641..a687b2def 100644
--- a/config/deploy.production.yml
+++ b/config/deploy.production.yml
@@ -1,7 +1,6 @@
 # Name of the container image
 image: ghcr.io/unepwcmc/sapi/rails-production
 
-# Define services (servers for Kamal 2.5.2 compatibility)
 servers:
   web:
     hosts:
diff --git a/config/deploy.staging.yml b/config/deploy.staging.yml
index 3b7cf46ef..542072ad6 100644
--- a/config/deploy.staging.yml
+++ b/config/deploy.staging.yml
@@ -1,7 +1,6 @@
 # Name of the container image
 image: ghcr.io/unepwcmc/sapi/rails-staging
 
-# Define services (servers for Kamal 2.5.2 compatibility)
 servers:
   web:
     hosts:
diff --git a/config/deploy.yml b/config/deploy.yml
index f67661cba..77deb7521 100644
--- a/config/deploy.yml
+++ b/config/deploy.yml
@@ -3,11 +3,7 @@ service: sapi
 
 # Credentials for your image host.
 registry:
-  server: ghcr.io
-  username:
-    - KAMAL_REGISTRY_USERNAME
-  password:
-    - KAMAL_REGISTRY_PASSWORD
+  server: localhost:5555
 
 # Inject ENV variables into containers (secrets come from .kamal/secrets.{environment})
 env:
diff --git a/deploy/Gemfile b/deploy/Gemfile
index aa43c464f..091be5259 100644
--- a/deploy/Gemfile
+++ b/deploy/Gemfile
@@ -1,4 +1,4 @@
 source 'https://rubygems.org'
-ruby '3.4.4'
+ruby '3.4.9'
 
-gem "kamal", "~> 2.7"
+gem "kamal", "~> 2.10"
diff --git a/deploy/Gemfile.lock b/deploy/Gemfile.lock
index 5baa55c1c..e53430700 100644
--- a/deploy/Gemfile.lock
+++ b/deploy/Gemfile.lock
@@ -1,31 +1,31 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (8.0.2)
+    activesupport (8.1.2)
       base64
-      benchmark (>= 0.3)
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.3.1)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
+      json
       logger (>= 1.4.2)
       minitest (>= 5.1)
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
       uri (>= 0.13.1)
     base64 (0.3.0)
-    bcrypt_pbkdf (1.1.1)
-    benchmark (0.4.1)
-    bigdecimal (3.2.2)
-    concurrent-ruby (1.3.5)
-    connection_pool (2.5.3)
-    dotenv (3.1.8)
+    bcrypt_pbkdf (1.1.2)
+    bigdecimal (4.0.1)
+    concurrent-ruby (1.3.6)
+    connection_pool (3.0.2)
+    dotenv (3.2.0)
     drb (2.2.3)
     ed25519 (1.4.0)
-    i18n (1.14.7)
+    i18n (1.14.8)
       concurrent-ruby (~> 1.0)
-    kamal (2.7.0)
+    json (2.19.1)
+    kamal (2.10.1)
       activesupport (>= 7.0)
       base64 (~> 0.2)
       bcrypt_pbkdf (~> 1.0)
@@ -37,36 +37,39 @@ GEM
       thor (~> 1.3)
       zeitwerk (>= 2.6.18, < 3.0)
     logger (1.7.0)
-    minitest (5.25.5)
+    minitest (6.0.2)
+      drb (~> 2.0)
+      prism (~> 1.5)
     net-scp (4.1.0)
       net-ssh (>= 2.6.5, < 8.0.0)
     net-sftp (4.0.0)
       net-ssh (>= 5.0.0, < 8.0.0)
-    net-ssh (7.3.0)
+    net-ssh (7.3.1)
     ostruct (0.6.3)
+    prism (1.9.0)
     securerandom (0.4.1)
-    sshkit (1.24.0)
+    sshkit (1.25.0)
       base64
       logger
       net-scp (>= 1.1.2)
       net-sftp (>= 2.1.2)
       net-ssh (>= 2.8.0)
       ostruct
-    thor (1.3.2)
+    thor (1.5.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    uri (1.0.3)
-    zeitwerk (2.7.3)
+    uri (1.1.1)
+    zeitwerk (2.7.5)
 
 PLATFORMS
   arm64-darwin-24
   ruby
 
 DEPENDENCIES
-  kamal (~> 2.7)
+  kamal (~> 2.10)
 
 RUBY VERSION
-   ruby 3.4.4p34
+   ruby 3.4.9p82
 
 BUNDLED WITH
-   2.6.7
+   2.6.9

From 7092abd875fbcd2b269878d6a0a017bfa027e05b Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 11:26:23 +0000
Subject: [PATCH 023/106] Configure Kamal v2 staging deployment for proxmox

- Update config/deploy.staging.yml: set web/job hosts to 172.20.0.146,
  add host.docker.internal gateway for Redis, wire wildcard SSL certs,
  update proxy hostname to sapi-web-staging-01.internal.unep-wcmc.org
- Update config/deploy/staging.rb: point Capistrano at new internal hostname
- Add .github/workflows/deploy.yml: Kamal v2 deploy workflow for staging/production
- Add .github/workflows/kamal-setup.yml: one-time Kamal setup workflow
---
 .github/workflows/deploy.yml      | 196 ++++++++++++++++++++++++++++++
 .github/workflows/kamal-setup.yml | 174 ++++++++++++++++++++++++++
 config/deploy.staging.yml         |  14 ++-
 config/deploy/staging.rb          |   4 +-
 4 files changed, 381 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/deploy.yml
 create mode 100644 .github/workflows/kamal-setup.yml

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 000000000..1de82f8a5
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,196 @@
+name: Deploy SAPI Rails API
+on:
+  push:
+    branches:
+      - deploy/staging/rails-api
+      - deploy/production/rails-api
+  release:
+    types: [published]
+
+jobs:
+  determine-environment:
+    runs-on: self-hosted
+    outputs:
+      environment: ${{ steps.env.outputs.environment }}
+      deploy-type: ${{ steps.env.outputs.deploy-type }}
+      kamal-secrets-file: ${{ steps.env.outputs.kamal-secrets-file }}
+    steps:
+      - id: env
+        run: |
+          if [[ "${{ github.event_name }}" == "release" ]]; then
+            echo "environment=production" >> $GITHUB_OUTPUT
+            echo "deploy-type=release" >> $GITHUB_OUTPUT
+            echo "kamal-secrets-file=.kamal/secrets-common" >> $GITHUB_OUTPUT
+            echo "🚀 Production deployment triggered by release: ${{ github.event.release.tag_name }}"
+          elif [[ "${{ github.ref }}" == "refs/heads/deploy/production/rails-api" ]]; then
+            echo "environment=production" >> $GITHUB_OUTPUT
+            echo "deploy-type=branch" >> $GITHUB_OUTPUT
+            echo "kamal-secrets-file=.kamal/secrets-common" >> $GITHUB_OUTPUT
+            echo "🚀 Production deployment triggered by push to deploy/production/rails-api"
+          elif [[ "${{ github.ref }}" == "refs/heads/deploy/staging/rails-api" ]]; then
+            echo "environment=staging" >> $GITHUB_OUTPUT
+            echo "deploy-type=branch" >> $GITHUB_OUTPUT
+            echo "kamal-secrets-file=.kamal/secrets-common" >> $GITHUB_OUTPUT
+            echo "🔧 Staging deployment triggered by push to deploy/staging/rails-api"
+          else
+            echo "❌ No deployment configured for this trigger"
+            exit 1
+          fi
+
+  deploy:
+    needs: determine-environment
+    runs-on: self-hosted
+    environment: ${{ needs.determine-environment.outputs.environment }}
+    steps:
+      - name: Set workflow start time
+        run: |
+          echo "START_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_ENV
+          echo "ACTION_TYPE=Deploy" >> $GITHUB_ENV
+
+      - uses: actions/checkout@v4
+
+      - name: Notify deployment start
+        id: notify-start
+        uses: unepwcmc/devops-actions/.github/actions/slack-notify@v1
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+          notification-type: started
+          action-type: Deploy
+          environment: ${{ needs.determine-environment.outputs.environment }}
+          repository: ${{ github.repository }}
+          repository-url: ${{ github.server_url }}/${{ github.repository }}
+          action-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          actor: ${{ github.actor }}
+          actor-url: ${{ github.server_url }}/${{ github.actor }}
+          workflow-name: ${{ github.workflow }}
+          run-id: ${{ github.run_id }}
+          commit-message: ${{ github.event.head_commit.message || github.event.release.name || 'Manual workflow trigger' }}
+          runner-name: ${{ runner.name }}
+          start-time: ${{ env.START_TIME }}
+
+      - name: Export and validate kamal secrets
+        shell: bash
+        env:
+          SECRETS_JSON: ${{ toJSON(secrets) }}
+          KAMAL_SECRETS_FILE: ${{ needs.determine-environment.outputs.kamal-secrets-file }}
+        run: |
+          if [[ -z "$KAMAL_SECRETS_FILE" ]]; then
+            echo "Error: kamal secrets file path not provided."
+            exit 1
+          fi
+          if [[ ! -f "$KAMAL_SECRETS_FILE" ]]; then
+            echo "Error: $KAMAL_SECRETS_FILE file not found."
+            exit 1
+          fi
+
+          temp_secrets="$(mktemp)"
+          trap 'rm -f "$temp_secrets"' EXIT
+          printf '%s' "$SECRETS_JSON" > "$temp_secrets"
+
+          needed_vars=()
+          while IFS= read -r line; do
+            trimmed="$(echo "$line" | tr -d '\r' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')"
+            [[ -z "$trimmed" || "$trimmed" == \#* ]] && continue
+            [[ "$trimmed" != *=* ]] && continue
+
+            value="${trimmed#*=}"
+            value="${value#"${value%%[![:space:]]*}"}"
+            value="${value%"${value##*[![:space:]]}"}"
+
+            [[ "$value" != \$* ]] && continue
+            [[ "$value" == '$('* ]] && continue
+
+            if [[ "$value" == \$\{* ]]; then
+              if [[ "$value" =~ ^\$\{([A-Z0-9_]+) ]]; then
+                needed_vars+=("${BASH_REMATCH[1]}")
+              fi
+            elif [[ "$value" =~ ^\$([A-Z0-9_]+) ]]; then
+              needed_vars+=("${BASH_REMATCH[1]}")
+            fi
+          done < "$KAMAL_SECRETS_FILE"
+
+          IFS=$'\n' read -r -d '' -a unique_vars < <(printf '%s\n' "${needed_vars[@]}" | sort -u && printf '\0')
+
+          for var in "${unique_vars[@]}"; do
+            value=$(jq -r --arg key "$var" '.[$key] // empty' "$temp_secrets")
+            if [[ -z "$value" ]]; then
+              echo "Missing environment variable required in .kamal/secrets-common: ${var}" >&2
+              exit 1
+            fi
+
+            {
+              echo "${var}<<EOF"
+              echo "$value"
+              echo "EOF"
+            } >> "$GITHUB_ENV"
+          done
+
+          echo "✅ All required kamal secrets are validated and available as environment variables"
+
+      - name: Deploy with Kamal v2
+        uses: unepwcmc/devops-actions/.github/actions/kamal-v2.x-deploy@v1
+        with:
+          environment: ${{ needs.determine-environment.outputs.environment }}
+          working-directory: .
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+
+      - name: Set workflow end time and calculate duration
+        if: always()
+        run: |
+          echo "END_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_ENV
+          if [[ -n "$START_TIME" ]]; then
+            start_timestamp=$(date -d "$START_TIME" +%s)
+            end_timestamp=$(date -d "$(date -u +"%Y-%m-%dT%H:%M:%SZ")" +%s)
+            duration=$((end_timestamp - start_timestamp))
+            echo "DEPLOYMENT_DURATION=${duration}" >> $GITHUB_ENV
+          else
+            echo "DEPLOYMENT_DURATION=0" >> $GITHUB_ENV
+          fi
+
+      - name: Notify deployment success
+        if: success()
+        uses: unepwcmc/devops-actions/.github/actions/slack-notify@v1
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+          notification-type: success
+          action-type: Deploy
+          environment: ${{ needs.determine-environment.outputs.environment }}
+          repository: ${{ github.repository }}
+          repository-url: ${{ github.server_url }}/${{ github.repository }}
+          action-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          actor: ${{ github.actor }}
+          actor-url: ${{ github.server_url }}/${{ github.actor }}
+          workflow-name: ${{ github.workflow }}
+          run-id: ${{ github.run_id }}
+          commit-message: ${{ github.event.head_commit.message || github.event.release.name || 'Manual workflow trigger' }}
+          runner-name: ${{ runner.name }}
+          start-time: ${{ env.START_TIME }}
+          end-time: ${{ env.END_TIME }}
+          deployment-duration: ${{ env.DEPLOYMENT_DURATION }}
+          update-message-ts: ${{ steps.notify-start.outputs.message-ts }}
+
+      - name: Notify deployment failure
+        if: failure()
+        uses: unepwcmc/devops-actions/.github/actions/slack-notify@v1
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+          notification-type: failure
+          action-type: Deploy
+          environment: ${{ needs.determine-environment.outputs.environment }}
+          repository: ${{ github.repository }}
+          repository-url: ${{ github.server_url }}/${{ github.repository }}
+          action-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          actor: ${{ github.actor }}
+          actor-url: ${{ github.server_url }}/${{ github.actor }}
+          workflow-name: ${{ github.workflow }}
+          run-id: ${{ github.run_id }}
+          commit-message: ${{ github.event.head_commit.message || github.event.release.name || 'Manual workflow trigger' }}
+          runner-name: ${{ runner.name }}
+          start-time: ${{ env.START_TIME }}
+          end-time: ${{ env.END_TIME }}
+          deployment-duration: ${{ env.DEPLOYMENT_DURATION }}
+          update-message-ts: ${{ steps.notify-start.outputs.message-ts }}
diff --git a/.github/workflows/kamal-setup.yml b/.github/workflows/kamal-setup.yml
new file mode 100644
index 000000000..2eab50ae6
--- /dev/null
+++ b/.github/workflows/kamal-setup.yml
@@ -0,0 +1,174 @@
+name: Kamal v2 SAPI Setup (One-time per Environment)
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Environment to setup'
+        required: true
+        type: choice
+        options:
+          - staging
+          - production
+      confirm:
+        description: 'Type "CONFIRM" to proceed with setup'
+        required: true
+        type: string
+
+jobs:
+  validate-input:
+    runs-on: self-hosted
+    steps:
+      - name: Validate confirmation
+        run: |
+          if [[ "${{ github.event.inputs.confirm }}" != "CONFIRM" ]]; then
+            echo "❌ Setup cancelled. You must type 'CONFIRM' to proceed."
+            echo "⚠️  This is a one-time setup operation that will:"
+            echo "   • Initialize Kamal v2 configuration for ${{ github.event.inputs.environment }}"
+            echo "   • Set up Docker containers and services"
+            echo "   • Configure the deployment infrastructure"
+            exit 1
+          fi
+          echo "✅ Setup confirmed for ${{ github.event.inputs.environment }} environment"
+
+  setup:
+    needs: validate-input
+    runs-on: self-hosted
+    environment: ${{ github.event.inputs.environment }}
+    steps:
+      - name: Set workflow start time
+        run: |
+          echo "START_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_ENV
+          echo "ACTION_TYPE=Setup" >> $GITHUB_ENV
+
+      - uses: actions/checkout@v4
+
+      - name: Notify setup start
+        id: notify-start
+        uses: unepwcmc/devops-actions/.github/actions/slack-notify@v1
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+          notification-type: started
+          action-type: Setup
+          environment: ${{ github.event.inputs.environment }}
+          repository: ${{ github.repository }}
+          repository-url: ${{ github.server_url }}/${{ github.repository }}
+          action-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          actor: ${{ github.actor }}
+          actor-url: ${{ github.server_url }}/${{ github.actor }}
+          workflow-name: ${{ github.workflow }}
+          run-id: ${{ github.run_id }}
+          commit-message: ${{ github.event.head_commit.message || 'Manual workflow trigger' }}
+          runner-name: ${{ runner.name }}
+          start-time: ${{ env.START_TIME }}
+
+      - name: Validate and Populate Secrets
+        uses: unepwcmc/devops-actions/.github/actions/validate-secrets@v1
+        with:
+          secrets-file: '.kamal/secrets-common'
+          environment: ${{ github.event.inputs.environment }}
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
+          SAPI_DATABASE_HOST: ${{ secrets.SAPI_DATABASE_HOST }}
+          SAPI_DATABASE_NAME: ${{ secrets.SAPI_DATABASE_NAME }}
+          SAPI_DATABASE_USERNAME: ${{ secrets.SAPI_DATABASE_USERNAME }}
+          SAPI_DATABASE_PASSWORD: ${{ secrets.SAPI_DATABASE_PASSWORD }}
+          SAPI_DATABASE_PORT: ${{ secrets.SAPI_DATABASE_PORT }}
+          CAPTIVE_BREEDING_DATABASE_HOST: ${{ secrets.CAPTIVE_BREEDING_DATABASE_HOST }}
+          CAPTIVE_BREEDING_DATABASE_NAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_NAME }}
+          CAPTIVE_BREEDING_DATABASE_USERNAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_USERNAME }}
+          CAPTIVE_BREEDING_DATABASE_PASSWORD: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PASSWORD }}
+          CAPTIVE_BREEDING_DATABASE_PORT: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PORT }}
+          MAIL_USERNAME: ${{ secrets.MAIL_USERNAME }}
+          MAIL_PASSWORD: ${{ secrets.MAIL_PASSWORD }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          SAPI_SIDEKIQ_REDIS_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_URL }}
+          SAPI_SIDEKIQ_REDIS_CACHE_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_CACHE_URL }}
+
+      - name: Setup SAPI with Kamal v2
+        uses: unepwcmc/devops-actions/.github/actions/kamal-v2-setup@v1
+        with:
+          environment: ${{ github.event.inputs.environment }}
+          working-directory: '.'
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
+          SAPI_DATABASE_HOST: ${{ secrets.SAPI_DATABASE_HOST }}
+          SAPI_DATABASE_NAME: ${{ secrets.SAPI_DATABASE_NAME }}
+          SAPI_DATABASE_USERNAME: ${{ secrets.SAPI_DATABASE_USERNAME }}
+          SAPI_DATABASE_PASSWORD: ${{ secrets.SAPI_DATABASE_PASSWORD }}
+          SAPI_DATABASE_PORT: ${{ secrets.SAPI_DATABASE_PORT }}
+          CAPTIVE_BREEDING_DATABASE_HOST: ${{ secrets.CAPTIVE_BREEDING_DATABASE_HOST }}
+          CAPTIVE_BREEDING_DATABASE_NAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_NAME }}
+          CAPTIVE_BREEDING_DATABASE_USERNAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_USERNAME }}
+          CAPTIVE_BREEDING_DATABASE_PASSWORD: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PASSWORD }}
+          CAPTIVE_BREEDING_DATABASE_PORT: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PORT }}
+          MAIL_USERNAME: ${{ secrets.MAIL_USERNAME }}
+          MAIL_PASSWORD: ${{ secrets.MAIL_PASSWORD }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          SAPI_SIDEKIQ_REDIS_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_URL }}
+          SAPI_SIDEKIQ_REDIS_CACHE_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_CACHE_URL }}
+
+      - name: Set workflow end time and calculate duration
+        if: always()
+        run: |
+          echo "END_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_ENV
+          if [[ -n "$START_TIME" ]]; then
+            start_timestamp=$(date -d "$START_TIME" +%s)
+            end_timestamp=$(date -d "$(date -u +"%Y-%m-%dT%H:%M:%SZ")" +%s)
+            duration=$((end_timestamp - start_timestamp))
+            echo "DEPLOYMENT_DURATION=${duration}" >> $GITHUB_ENV
+          else
+            echo "DEPLOYMENT_DURATION=0" >> $GITHUB_ENV
+          fi
+
+      - name: Notify setup success
+        if: success()
+        uses: unepwcmc/devops-actions/.github/actions/slack-notify@v1
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+          notification-type: success
+          action-type: Setup
+          environment: ${{ github.event.inputs.environment }}
+          repository: ${{ github.repository }}
+          repository-url: ${{ github.server_url }}/${{ github.repository }}
+          action-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          actor: ${{ github.actor }}
+          actor-url: ${{ github.server_url }}/${{ github.actor }}
+          workflow-name: ${{ github.workflow }}
+          run-id: ${{ github.run_id }}
+          commit-message: ${{ github.event.head_commit.message || 'Manual workflow trigger' }}
+          runner-name: ${{ runner.name }}
+          start-time: ${{ env.START_TIME }}
+          end-time: ${{ env.END_TIME }}
+          deployment-duration: ${{ env.DEPLOYMENT_DURATION }}
+          update-message-ts: ${{ steps.notify-start.outputs.message-ts }}
+
+      - name: Notify setup failure
+        if: failure()
+        uses: unepwcmc/devops-actions/.github/actions/slack-notify@v1
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+          notification-type: failure
+          action-type: Setup
+          environment: ${{ github.event.inputs.environment }}
+          repository: ${{ github.repository }}
+          repository-url: ${{ github.server_url }}/${{ github.repository }}
+          action-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          actor: ${{ github.actor }}
+          actor-url: ${{ github.server_url }}/${{ github.actor }}
+          workflow-name: ${{ github.workflow }}
+          run-id: ${{ github.run_id }}
+          commit-message: ${{ github.event.head_commit.message || 'Manual workflow trigger' }}
+          runner-name: ${{ runner.name }}
+          start-time: ${{ env.START_TIME }}
+          end-time: ${{ env.END_TIME }}
+          deployment-duration: ${{ env.DEPLOYMENT_DURATION }}
+          update-message-ts: ${{ steps.notify-start.outputs.message-ts }}
diff --git a/config/deploy.staging.yml b/config/deploy.staging.yml
index 542072ad6..5ef9ea345 100644
--- a/config/deploy.staging.yml
+++ b/config/deploy.staging.yml
@@ -4,11 +4,15 @@ image: ghcr.io/unepwcmc/sapi/rails-staging
 servers:
   web:
     hosts:
-      - example.com # TODO: Ruan
+      - 172.20.0.146 # sapi-web-staging-01.internal.unep-wcmc.org
+    options:
+      add-host: host.docker.internal:host-gateway # Required to reach host-bound Redis
     proxy:
       hosts:
-        - sapi.sapi-staging.linode.unep-wcmc.org # Public-facing domain
-      ssl: true # Proxy terminates SSL
+        - sapi-web-staging-01.internal.unep-wcmc.org # Public-facing domain
+      ssl: true
+      tls_certificate_path: /etc/ssl/kamal/star.internal.unep-wcmc.org.crt
+      tls_private_key_path: /etc/ssl/kamal/star.internal.unep-wcmc.org.key
       forward_headers: true # Forward headers like X-Forwarded-Proto
       healthcheck:
         path: /up
@@ -21,9 +25,9 @@ servers:
           - X-Request-ID
   job:
     hosts:
-      - example.com # TODO: Ruan
+      - 172.20.0.146 # sapi-web-staging-01.internal.unep-wcmc.org
     options:
-      add-host: host.docker.internal:host-gateway
+      add-host: host.docker.internal:host-gateway # Required to reach host-bound Redis
     cmd: bundle exec sidekiq -C config/sidekiq.yml
     healthcheck:
       cmd: /rails/bin/docker-sidekiq-healthcheck
diff --git a/config/deploy/staging.rb b/config/deploy/staging.rb
index cbec89947..5e5dc6593 100644
--- a/config/deploy/staging.rb
+++ b/config/deploy/staging.rb
@@ -1,9 +1,9 @@
 set :stage, :staging
 set :branch, ENV['CAP_BRANCH'] || 'develop'
 
-server 'sapi-staging.linode.unep-wcmc.org', user: 'wcmc', roles: %w[app web db]
+server 'sapi-web-staging-01.internal.unep-wcmc.org', user: 'wcmc', roles: %w[app web db]
 
-set :domain, 'sapi-staging.linode.unep-wcmc.org'
+set :domain, 'sapi-web-staging-01.internal.unep-wcmc.org'
 
 set :application, 'sapi'
 

From 088a7622d63a6c33ebc8a4a0ffa00e42b77fd081 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 11:27:00 +0000
Subject: [PATCH 024/106] Add Kamal v2 GitHub Actions workflows

---
 .github/workflows/deploy.yml      | 196 ++++++++++++++++++++++++++++++
 .github/workflows/kamal-setup.yml | 174 ++++++++++++++++++++++++++
 2 files changed, 370 insertions(+)
 create mode 100644 .github/workflows/deploy.yml
 create mode 100644 .github/workflows/kamal-setup.yml

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 000000000..1de82f8a5
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,196 @@
+name: Deploy SAPI Rails API
+on:
+  push:
+    branches:
+      - deploy/staging/rails-api
+      - deploy/production/rails-api
+  release:
+    types: [published]
+
+jobs:
+  determine-environment:
+    runs-on: self-hosted
+    outputs:
+      environment: ${{ steps.env.outputs.environment }}
+      deploy-type: ${{ steps.env.outputs.deploy-type }}
+      kamal-secrets-file: ${{ steps.env.outputs.kamal-secrets-file }}
+    steps:
+      - id: env
+        run: |
+          if [[ "${{ github.event_name }}" == "release" ]]; then
+            echo "environment=production" >> $GITHUB_OUTPUT
+            echo "deploy-type=release" >> $GITHUB_OUTPUT
+            echo "kamal-secrets-file=.kamal/secrets-common" >> $GITHUB_OUTPUT
+            echo "🚀 Production deployment triggered by release: ${{ github.event.release.tag_name }}"
+          elif [[ "${{ github.ref }}" == "refs/heads/deploy/production/rails-api" ]]; then
+            echo "environment=production" >> $GITHUB_OUTPUT
+            echo "deploy-type=branch" >> $GITHUB_OUTPUT
+            echo "kamal-secrets-file=.kamal/secrets-common" >> $GITHUB_OUTPUT
+            echo "🚀 Production deployment triggered by push to deploy/production/rails-api"
+          elif [[ "${{ github.ref }}" == "refs/heads/deploy/staging/rails-api" ]]; then
+            echo "environment=staging" >> $GITHUB_OUTPUT
+            echo "deploy-type=branch" >> $GITHUB_OUTPUT
+            echo "kamal-secrets-file=.kamal/secrets-common" >> $GITHUB_OUTPUT
+            echo "🔧 Staging deployment triggered by push to deploy/staging/rails-api"
+          else
+            echo "❌ No deployment configured for this trigger"
+            exit 1
+          fi
+
+  deploy:
+    needs: determine-environment
+    runs-on: self-hosted
+    environment: ${{ needs.determine-environment.outputs.environment }}
+    steps:
+      - name: Set workflow start time
+        run: |
+          echo "START_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_ENV
+          echo "ACTION_TYPE=Deploy" >> $GITHUB_ENV
+
+      - uses: actions/checkout@v4
+
+      - name: Notify deployment start
+        id: notify-start
+        uses: unepwcmc/devops-actions/.github/actions/slack-notify@v1
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+          notification-type: started
+          action-type: Deploy
+          environment: ${{ needs.determine-environment.outputs.environment }}
+          repository: ${{ github.repository }}
+          repository-url: ${{ github.server_url }}/${{ github.repository }}
+          action-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          actor: ${{ github.actor }}
+          actor-url: ${{ github.server_url }}/${{ github.actor }}
+          workflow-name: ${{ github.workflow }}
+          run-id: ${{ github.run_id }}
+          commit-message: ${{ github.event.head_commit.message || github.event.release.name || 'Manual workflow trigger' }}
+          runner-name: ${{ runner.name }}
+          start-time: ${{ env.START_TIME }}
+
+      - name: Export and validate kamal secrets
+        shell: bash
+        env:
+          SECRETS_JSON: ${{ toJSON(secrets) }}
+          KAMAL_SECRETS_FILE: ${{ needs.determine-environment.outputs.kamal-secrets-file }}
+        run: |
+          if [[ -z "$KAMAL_SECRETS_FILE" ]]; then
+            echo "Error: kamal secrets file path not provided."
+            exit 1
+          fi
+          if [[ ! -f "$KAMAL_SECRETS_FILE" ]]; then
+            echo "Error: $KAMAL_SECRETS_FILE file not found."
+            exit 1
+          fi
+
+          temp_secrets="$(mktemp)"
+          trap 'rm -f "$temp_secrets"' EXIT
+          printf '%s' "$SECRETS_JSON" > "$temp_secrets"
+
+          needed_vars=()
+          while IFS= read -r line; do
+            trimmed="$(echo "$line" | tr -d '\r' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')"
+            [[ -z "$trimmed" || "$trimmed" == \#* ]] && continue
+            [[ "$trimmed" != *=* ]] && continue
+
+            value="${trimmed#*=}"
+            value="${value#"${value%%[![:space:]]*}"}"
+            value="${value%"${value##*[![:space:]]}"}"
+
+            [[ "$value" != \$* ]] && continue
+            [[ "$value" == '$('* ]] && continue
+
+            if [[ "$value" == \$\{* ]]; then
+              if [[ "$value" =~ ^\$\{([A-Z0-9_]+) ]]; then
+                needed_vars+=("${BASH_REMATCH[1]}")
+              fi
+            elif [[ "$value" =~ ^\$([A-Z0-9_]+) ]]; then
+              needed_vars+=("${BASH_REMATCH[1]}")
+            fi
+          done < "$KAMAL_SECRETS_FILE"
+
+          IFS=$'\n' read -r -d '' -a unique_vars < <(printf '%s\n' "${needed_vars[@]}" | sort -u && printf '\0')
+
+          for var in "${unique_vars[@]}"; do
+            value=$(jq -r --arg key "$var" '.[$key] // empty' "$temp_secrets")
+            if [[ -z "$value" ]]; then
+              echo "Missing environment variable required in .kamal/secrets-common: ${var}" >&2
+              exit 1
+            fi
+
+            {
+              echo "${var}<<EOF"
+              echo "$value"
+              echo "EOF"
+            } >> "$GITHUB_ENV"
+          done
+
+          echo "✅ All required kamal secrets are validated and available as environment variables"
+
+      - name: Deploy with Kamal v2
+        uses: unepwcmc/devops-actions/.github/actions/kamal-v2.x-deploy@v1
+        with:
+          environment: ${{ needs.determine-environment.outputs.environment }}
+          working-directory: .
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+
+      - name: Set workflow end time and calculate duration
+        if: always()
+        run: |
+          echo "END_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_ENV
+          if [[ -n "$START_TIME" ]]; then
+            start_timestamp=$(date -d "$START_TIME" +%s)
+            end_timestamp=$(date -d "$(date -u +"%Y-%m-%dT%H:%M:%SZ")" +%s)
+            duration=$((end_timestamp - start_timestamp))
+            echo "DEPLOYMENT_DURATION=${duration}" >> $GITHUB_ENV
+          else
+            echo "DEPLOYMENT_DURATION=0" >> $GITHUB_ENV
+          fi
+
+      - name: Notify deployment success
+        if: success()
+        uses: unepwcmc/devops-actions/.github/actions/slack-notify@v1
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+          notification-type: success
+          action-type: Deploy
+          environment: ${{ needs.determine-environment.outputs.environment }}
+          repository: ${{ github.repository }}
+          repository-url: ${{ github.server_url }}/${{ github.repository }}
+          action-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          actor: ${{ github.actor }}
+          actor-url: ${{ github.server_url }}/${{ github.actor }}
+          workflow-name: ${{ github.workflow }}
+          run-id: ${{ github.run_id }}
+          commit-message: ${{ github.event.head_commit.message || github.event.release.name || 'Manual workflow trigger' }}
+          runner-name: ${{ runner.name }}
+          start-time: ${{ env.START_TIME }}
+          end-time: ${{ env.END_TIME }}
+          deployment-duration: ${{ env.DEPLOYMENT_DURATION }}
+          update-message-ts: ${{ steps.notify-start.outputs.message-ts }}
+
+      - name: Notify deployment failure
+        if: failure()
+        uses: unepwcmc/devops-actions/.github/actions/slack-notify@v1
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+          notification-type: failure
+          action-type: Deploy
+          environment: ${{ needs.determine-environment.outputs.environment }}
+          repository: ${{ github.repository }}
+          repository-url: ${{ github.server_url }}/${{ github.repository }}
+          action-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          actor: ${{ github.actor }}
+          actor-url: ${{ github.server_url }}/${{ github.actor }}
+          workflow-name: ${{ github.workflow }}
+          run-id: ${{ github.run_id }}
+          commit-message: ${{ github.event.head_commit.message || github.event.release.name || 'Manual workflow trigger' }}
+          runner-name: ${{ runner.name }}
+          start-time: ${{ env.START_TIME }}
+          end-time: ${{ env.END_TIME }}
+          deployment-duration: ${{ env.DEPLOYMENT_DURATION }}
+          update-message-ts: ${{ steps.notify-start.outputs.message-ts }}
diff --git a/.github/workflows/kamal-setup.yml b/.github/workflows/kamal-setup.yml
new file mode 100644
index 000000000..2eab50ae6
--- /dev/null
+++ b/.github/workflows/kamal-setup.yml
@@ -0,0 +1,174 @@
+name: Kamal v2 SAPI Setup (One-time per Environment)
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Environment to setup'
+        required: true
+        type: choice
+        options:
+          - staging
+          - production
+      confirm:
+        description: 'Type "CONFIRM" to proceed with setup'
+        required: true
+        type: string
+
+jobs:
+  validate-input:
+    runs-on: self-hosted
+    steps:
+      - name: Validate confirmation
+        run: |
+          if [[ "${{ github.event.inputs.confirm }}" != "CONFIRM" ]]; then
+            echo "❌ Setup cancelled. You must type 'CONFIRM' to proceed."
+            echo "⚠️  This is a one-time setup operation that will:"
+            echo "   • Initialize Kamal v2 configuration for ${{ github.event.inputs.environment }}"
+            echo "   • Set up Docker containers and services"
+            echo "   • Configure the deployment infrastructure"
+            exit 1
+          fi
+          echo "✅ Setup confirmed for ${{ github.event.inputs.environment }} environment"
+
+  setup:
+    needs: validate-input
+    runs-on: self-hosted
+    environment: ${{ github.event.inputs.environment }}
+    steps:
+      - name: Set workflow start time
+        run: |
+          echo "START_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_ENV
+          echo "ACTION_TYPE=Setup" >> $GITHUB_ENV
+
+      - uses: actions/checkout@v4
+
+      - name: Notify setup start
+        id: notify-start
+        uses: unepwcmc/devops-actions/.github/actions/slack-notify@v1
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+          notification-type: started
+          action-type: Setup
+          environment: ${{ github.event.inputs.environment }}
+          repository: ${{ github.repository }}
+          repository-url: ${{ github.server_url }}/${{ github.repository }}
+          action-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          actor: ${{ github.actor }}
+          actor-url: ${{ github.server_url }}/${{ github.actor }}
+          workflow-name: ${{ github.workflow }}
+          run-id: ${{ github.run_id }}
+          commit-message: ${{ github.event.head_commit.message || 'Manual workflow trigger' }}
+          runner-name: ${{ runner.name }}
+          start-time: ${{ env.START_TIME }}
+
+      - name: Validate and Populate Secrets
+        uses: unepwcmc/devops-actions/.github/actions/validate-secrets@v1
+        with:
+          secrets-file: '.kamal/secrets-common'
+          environment: ${{ github.event.inputs.environment }}
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
+          SAPI_DATABASE_HOST: ${{ secrets.SAPI_DATABASE_HOST }}
+          SAPI_DATABASE_NAME: ${{ secrets.SAPI_DATABASE_NAME }}
+          SAPI_DATABASE_USERNAME: ${{ secrets.SAPI_DATABASE_USERNAME }}
+          SAPI_DATABASE_PASSWORD: ${{ secrets.SAPI_DATABASE_PASSWORD }}
+          SAPI_DATABASE_PORT: ${{ secrets.SAPI_DATABASE_PORT }}
+          CAPTIVE_BREEDING_DATABASE_HOST: ${{ secrets.CAPTIVE_BREEDING_DATABASE_HOST }}
+          CAPTIVE_BREEDING_DATABASE_NAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_NAME }}
+          CAPTIVE_BREEDING_DATABASE_USERNAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_USERNAME }}
+          CAPTIVE_BREEDING_DATABASE_PASSWORD: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PASSWORD }}
+          CAPTIVE_BREEDING_DATABASE_PORT: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PORT }}
+          MAIL_USERNAME: ${{ secrets.MAIL_USERNAME }}
+          MAIL_PASSWORD: ${{ secrets.MAIL_PASSWORD }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          SAPI_SIDEKIQ_REDIS_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_URL }}
+          SAPI_SIDEKIQ_REDIS_CACHE_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_CACHE_URL }}
+
+      - name: Setup SAPI with Kamal v2
+        uses: unepwcmc/devops-actions/.github/actions/kamal-v2-setup@v1
+        with:
+          environment: ${{ github.event.inputs.environment }}
+          working-directory: '.'
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
+          SAPI_DATABASE_HOST: ${{ secrets.SAPI_DATABASE_HOST }}
+          SAPI_DATABASE_NAME: ${{ secrets.SAPI_DATABASE_NAME }}
+          SAPI_DATABASE_USERNAME: ${{ secrets.SAPI_DATABASE_USERNAME }}
+          SAPI_DATABASE_PASSWORD: ${{ secrets.SAPI_DATABASE_PASSWORD }}
+          SAPI_DATABASE_PORT: ${{ secrets.SAPI_DATABASE_PORT }}
+          CAPTIVE_BREEDING_DATABASE_HOST: ${{ secrets.CAPTIVE_BREEDING_DATABASE_HOST }}
+          CAPTIVE_BREEDING_DATABASE_NAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_NAME }}
+          CAPTIVE_BREEDING_DATABASE_USERNAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_USERNAME }}
+          CAPTIVE_BREEDING_DATABASE_PASSWORD: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PASSWORD }}
+          CAPTIVE_BREEDING_DATABASE_PORT: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PORT }}
+          MAIL_USERNAME: ${{ secrets.MAIL_USERNAME }}
+          MAIL_PASSWORD: ${{ secrets.MAIL_PASSWORD }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          SAPI_SIDEKIQ_REDIS_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_URL }}
+          SAPI_SIDEKIQ_REDIS_CACHE_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_CACHE_URL }}
+
+      - name: Set workflow end time and calculate duration
+        if: always()
+        run: |
+          echo "END_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_ENV
+          if [[ -n "$START_TIME" ]]; then
+            start_timestamp=$(date -d "$START_TIME" +%s)
+            end_timestamp=$(date -d "$(date -u +"%Y-%m-%dT%H:%M:%SZ")" +%s)
+            duration=$((end_timestamp - start_timestamp))
+            echo "DEPLOYMENT_DURATION=${duration}" >> $GITHUB_ENV
+          else
+            echo "DEPLOYMENT_DURATION=0" >> $GITHUB_ENV
+          fi
+
+      - name: Notify setup success
+        if: success()
+        uses: unepwcmc/devops-actions/.github/actions/slack-notify@v1
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+          notification-type: success
+          action-type: Setup
+          environment: ${{ github.event.inputs.environment }}
+          repository: ${{ github.repository }}
+          repository-url: ${{ github.server_url }}/${{ github.repository }}
+          action-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          actor: ${{ github.actor }}
+          actor-url: ${{ github.server_url }}/${{ github.actor }}
+          workflow-name: ${{ github.workflow }}
+          run-id: ${{ github.run_id }}
+          commit-message: ${{ github.event.head_commit.message || 'Manual workflow trigger' }}
+          runner-name: ${{ runner.name }}
+          start-time: ${{ env.START_TIME }}
+          end-time: ${{ env.END_TIME }}
+          deployment-duration: ${{ env.DEPLOYMENT_DURATION }}
+          update-message-ts: ${{ steps.notify-start.outputs.message-ts }}
+
+      - name: Notify setup failure
+        if: failure()
+        uses: unepwcmc/devops-actions/.github/actions/slack-notify@v1
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+          notification-type: failure
+          action-type: Setup
+          environment: ${{ github.event.inputs.environment }}
+          repository: ${{ github.repository }}
+          repository-url: ${{ github.server_url }}/${{ github.repository }}
+          action-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          actor: ${{ github.actor }}
+          actor-url: ${{ github.server_url }}/${{ github.actor }}
+          workflow-name: ${{ github.workflow }}
+          run-id: ${{ github.run_id }}
+          commit-message: ${{ github.event.head_commit.message || 'Manual workflow trigger' }}
+          runner-name: ${{ runner.name }}
+          start-time: ${{ env.START_TIME }}
+          end-time: ${{ env.END_TIME }}
+          deployment-duration: ${{ env.DEPLOYMENT_DURATION }}
+          update-message-ts: ${{ steps.notify-start.outputs.message-ts }}

From 7662ecd5786c166feb82fcab9f2bd829f1c5655c Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 11:35:47 +0000
Subject: [PATCH 025/106] Fix workflows: staging-only, trigger on staging
 branch push

---
 .github/workflows/deploy.yml      | 65 +++++++------------------------
 .github/workflows/kamal-setup.yml |  1 -
 2 files changed, 13 insertions(+), 53 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 1de82f8a5..73bad07a6 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -2,50 +2,16 @@ name: Deploy SAPI Rails API
 on:
   push:
     branches:
-      - deploy/staging/rails-api
-      - deploy/production/rails-api
-  release:
-    types: [published]
+      - staging
 
 jobs:
-  determine-environment:
-    runs-on: self-hosted
-    outputs:
-      environment: ${{ steps.env.outputs.environment }}
-      deploy-type: ${{ steps.env.outputs.deploy-type }}
-      kamal-secrets-file: ${{ steps.env.outputs.kamal-secrets-file }}
-    steps:
-      - id: env
-        run: |
-          if [[ "${{ github.event_name }}" == "release" ]]; then
-            echo "environment=production" >> $GITHUB_OUTPUT
-            echo "deploy-type=release" >> $GITHUB_OUTPUT
-            echo "kamal-secrets-file=.kamal/secrets-common" >> $GITHUB_OUTPUT
-            echo "🚀 Production deployment triggered by release: ${{ github.event.release.tag_name }}"
-          elif [[ "${{ github.ref }}" == "refs/heads/deploy/production/rails-api" ]]; then
-            echo "environment=production" >> $GITHUB_OUTPUT
-            echo "deploy-type=branch" >> $GITHUB_OUTPUT
-            echo "kamal-secrets-file=.kamal/secrets-common" >> $GITHUB_OUTPUT
-            echo "🚀 Production deployment triggered by push to deploy/production/rails-api"
-          elif [[ "${{ github.ref }}" == "refs/heads/deploy/staging/rails-api" ]]; then
-            echo "environment=staging" >> $GITHUB_OUTPUT
-            echo "deploy-type=branch" >> $GITHUB_OUTPUT
-            echo "kamal-secrets-file=.kamal/secrets-common" >> $GITHUB_OUTPUT
-            echo "🔧 Staging deployment triggered by push to deploy/staging/rails-api"
-          else
-            echo "❌ No deployment configured for this trigger"
-            exit 1
-          fi
-
   deploy:
-    needs: determine-environment
     runs-on: self-hosted
-    environment: ${{ needs.determine-environment.outputs.environment }}
+    environment: staging
     steps:
       - name: Set workflow start time
         run: |
           echo "START_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_ENV
-          echo "ACTION_TYPE=Deploy" >> $GITHUB_ENV
 
       - uses: actions/checkout@v4
 
@@ -57,7 +23,7 @@ jobs:
           slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
           notification-type: started
           action-type: Deploy
-          environment: ${{ needs.determine-environment.outputs.environment }}
+          environment: staging
           repository: ${{ github.repository }}
           repository-url: ${{ github.server_url }}/${{ github.repository }}
           action-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
@@ -65,7 +31,7 @@ jobs:
           actor-url: ${{ github.server_url }}/${{ github.actor }}
           workflow-name: ${{ github.workflow }}
           run-id: ${{ github.run_id }}
-          commit-message: ${{ github.event.head_commit.message || github.event.release.name || 'Manual workflow trigger' }}
+          commit-message: ${{ github.event.head_commit.message || 'Manual workflow trigger' }}
           runner-name: ${{ runner.name }}
           start-time: ${{ env.START_TIME }}
 
@@ -73,14 +39,9 @@ jobs:
         shell: bash
         env:
           SECRETS_JSON: ${{ toJSON(secrets) }}
-          KAMAL_SECRETS_FILE: ${{ needs.determine-environment.outputs.kamal-secrets-file }}
         run: |
-          if [[ -z "$KAMAL_SECRETS_FILE" ]]; then
-            echo "Error: kamal secrets file path not provided."
-            exit 1
-          fi
-          if [[ ! -f "$KAMAL_SECRETS_FILE" ]]; then
-            echo "Error: $KAMAL_SECRETS_FILE file not found."
+          if [[ ! -f ".kamal/secrets-common" ]]; then
+            echo "Error: .kamal/secrets-common file not found."
             exit 1
           fi
 
@@ -108,7 +69,7 @@ jobs:
             elif [[ "$value" =~ ^\$([A-Z0-9_]+) ]]; then
               needed_vars+=("${BASH_REMATCH[1]}")
             fi
-          done < "$KAMAL_SECRETS_FILE"
+          done < ".kamal/secrets-common"
 
           IFS=$'\n' read -r -d '' -a unique_vars < <(printf '%s\n' "${needed_vars[@]}" | sort -u && printf '\0')
 
@@ -126,12 +87,12 @@ jobs:
             } >> "$GITHUB_ENV"
           done
 
-          echo "✅ All required kamal secrets are validated and available as environment variables"
+          echo "✅ All required kamal secrets validated"
 
       - name: Deploy with Kamal v2
         uses: unepwcmc/devops-actions/.github/actions/kamal-v2.x-deploy@v1
         with:
-          environment: ${{ needs.determine-environment.outputs.environment }}
+          environment: staging
           working-directory: .
         env:
           SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
@@ -157,7 +118,7 @@ jobs:
           slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
           notification-type: success
           action-type: Deploy
-          environment: ${{ needs.determine-environment.outputs.environment }}
+          environment: staging
           repository: ${{ github.repository }}
           repository-url: ${{ github.server_url }}/${{ github.repository }}
           action-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
@@ -165,7 +126,7 @@ jobs:
           actor-url: ${{ github.server_url }}/${{ github.actor }}
           workflow-name: ${{ github.workflow }}
           run-id: ${{ github.run_id }}
-          commit-message: ${{ github.event.head_commit.message || github.event.release.name || 'Manual workflow trigger' }}
+          commit-message: ${{ github.event.head_commit.message || 'Manual workflow trigger' }}
           runner-name: ${{ runner.name }}
           start-time: ${{ env.START_TIME }}
           end-time: ${{ env.END_TIME }}
@@ -180,7 +141,7 @@ jobs:
           slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
           notification-type: failure
           action-type: Deploy
-          environment: ${{ needs.determine-environment.outputs.environment }}
+          environment: staging
           repository: ${{ github.repository }}
           repository-url: ${{ github.server_url }}/${{ github.repository }}
           action-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
@@ -188,7 +149,7 @@ jobs:
           actor-url: ${{ github.server_url }}/${{ github.actor }}
           workflow-name: ${{ github.workflow }}
           run-id: ${{ github.run_id }}
-          commit-message: ${{ github.event.head_commit.message || github.event.release.name || 'Manual workflow trigger' }}
+          commit-message: ${{ github.event.head_commit.message || 'Manual workflow trigger' }}
           runner-name: ${{ runner.name }}
           start-time: ${{ env.START_TIME }}
           end-time: ${{ env.END_TIME }}
diff --git a/.github/workflows/kamal-setup.yml b/.github/workflows/kamal-setup.yml
index 2eab50ae6..2f8c0340f 100644
--- a/.github/workflows/kamal-setup.yml
+++ b/.github/workflows/kamal-setup.yml
@@ -8,7 +8,6 @@ on:
         type: choice
         options:
           - staging
-          - production
       confirm:
         description: 'Type "CONFIRM" to proceed with setup'
         required: true

From d8898855d06fc221f6038d1b3ac63774ca7d3505 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 11:35:55 +0000
Subject: [PATCH 026/106] Fix workflows: staging-only, trigger on staging
 branch push

---
 .github/workflows/deploy.yml      | 65 +++++++------------------------
 .github/workflows/kamal-setup.yml |  1 -
 2 files changed, 13 insertions(+), 53 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 1de82f8a5..73bad07a6 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -2,50 +2,16 @@ name: Deploy SAPI Rails API
 on:
   push:
     branches:
-      - deploy/staging/rails-api
-      - deploy/production/rails-api
-  release:
-    types: [published]
+      - staging
 
 jobs:
-  determine-environment:
-    runs-on: self-hosted
-    outputs:
-      environment: ${{ steps.env.outputs.environment }}
-      deploy-type: ${{ steps.env.outputs.deploy-type }}
-      kamal-secrets-file: ${{ steps.env.outputs.kamal-secrets-file }}
-    steps:
-      - id: env
-        run: |
-          if [[ "${{ github.event_name }}" == "release" ]]; then
-            echo "environment=production" >> $GITHUB_OUTPUT
-            echo "deploy-type=release" >> $GITHUB_OUTPUT
-            echo "kamal-secrets-file=.kamal/secrets-common" >> $GITHUB_OUTPUT
-            echo "🚀 Production deployment triggered by release: ${{ github.event.release.tag_name }}"
-          elif [[ "${{ github.ref }}" == "refs/heads/deploy/production/rails-api" ]]; then
-            echo "environment=production" >> $GITHUB_OUTPUT
-            echo "deploy-type=branch" >> $GITHUB_OUTPUT
-            echo "kamal-secrets-file=.kamal/secrets-common" >> $GITHUB_OUTPUT
-            echo "🚀 Production deployment triggered by push to deploy/production/rails-api"
-          elif [[ "${{ github.ref }}" == "refs/heads/deploy/staging/rails-api" ]]; then
-            echo "environment=staging" >> $GITHUB_OUTPUT
-            echo "deploy-type=branch" >> $GITHUB_OUTPUT
-            echo "kamal-secrets-file=.kamal/secrets-common" >> $GITHUB_OUTPUT
-            echo "🔧 Staging deployment triggered by push to deploy/staging/rails-api"
-          else
-            echo "❌ No deployment configured for this trigger"
-            exit 1
-          fi
-
   deploy:
-    needs: determine-environment
     runs-on: self-hosted
-    environment: ${{ needs.determine-environment.outputs.environment }}
+    environment: staging
     steps:
       - name: Set workflow start time
         run: |
           echo "START_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_ENV
-          echo "ACTION_TYPE=Deploy" >> $GITHUB_ENV
 
       - uses: actions/checkout@v4
 
@@ -57,7 +23,7 @@ jobs:
           slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
           notification-type: started
           action-type: Deploy
-          environment: ${{ needs.determine-environment.outputs.environment }}
+          environment: staging
           repository: ${{ github.repository }}
           repository-url: ${{ github.server_url }}/${{ github.repository }}
           action-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
@@ -65,7 +31,7 @@ jobs:
           actor-url: ${{ github.server_url }}/${{ github.actor }}
           workflow-name: ${{ github.workflow }}
           run-id: ${{ github.run_id }}
-          commit-message: ${{ github.event.head_commit.message || github.event.release.name || 'Manual workflow trigger' }}
+          commit-message: ${{ github.event.head_commit.message || 'Manual workflow trigger' }}
           runner-name: ${{ runner.name }}
           start-time: ${{ env.START_TIME }}
 
@@ -73,14 +39,9 @@ jobs:
         shell: bash
         env:
           SECRETS_JSON: ${{ toJSON(secrets) }}
-          KAMAL_SECRETS_FILE: ${{ needs.determine-environment.outputs.kamal-secrets-file }}
         run: |
-          if [[ -z "$KAMAL_SECRETS_FILE" ]]; then
-            echo "Error: kamal secrets file path not provided."
-            exit 1
-          fi
-          if [[ ! -f "$KAMAL_SECRETS_FILE" ]]; then
-            echo "Error: $KAMAL_SECRETS_FILE file not found."
+          if [[ ! -f ".kamal/secrets-common" ]]; then
+            echo "Error: .kamal/secrets-common file not found."
             exit 1
           fi
 
@@ -108,7 +69,7 @@ jobs:
             elif [[ "$value" =~ ^\$([A-Z0-9_]+) ]]; then
               needed_vars+=("${BASH_REMATCH[1]}")
             fi
-          done < "$KAMAL_SECRETS_FILE"
+          done < ".kamal/secrets-common"
 
           IFS=$'\n' read -r -d '' -a unique_vars < <(printf '%s\n' "${needed_vars[@]}" | sort -u && printf '\0')
 
@@ -126,12 +87,12 @@ jobs:
             } >> "$GITHUB_ENV"
           done
 
-          echo "✅ All required kamal secrets are validated and available as environment variables"
+          echo "✅ All required kamal secrets validated"
 
       - name: Deploy with Kamal v2
         uses: unepwcmc/devops-actions/.github/actions/kamal-v2.x-deploy@v1
         with:
-          environment: ${{ needs.determine-environment.outputs.environment }}
+          environment: staging
           working-directory: .
         env:
           SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
@@ -157,7 +118,7 @@ jobs:
           slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
           notification-type: success
           action-type: Deploy
-          environment: ${{ needs.determine-environment.outputs.environment }}
+          environment: staging
           repository: ${{ github.repository }}
           repository-url: ${{ github.server_url }}/${{ github.repository }}
           action-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
@@ -165,7 +126,7 @@ jobs:
           actor-url: ${{ github.server_url }}/${{ github.actor }}
           workflow-name: ${{ github.workflow }}
           run-id: ${{ github.run_id }}
-          commit-message: ${{ github.event.head_commit.message || github.event.release.name || 'Manual workflow trigger' }}
+          commit-message: ${{ github.event.head_commit.message || 'Manual workflow trigger' }}
           runner-name: ${{ runner.name }}
           start-time: ${{ env.START_TIME }}
           end-time: ${{ env.END_TIME }}
@@ -180,7 +141,7 @@ jobs:
           slack-channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
           notification-type: failure
           action-type: Deploy
-          environment: ${{ needs.determine-environment.outputs.environment }}
+          environment: staging
           repository: ${{ github.repository }}
           repository-url: ${{ github.server_url }}/${{ github.repository }}
           action-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
@@ -188,7 +149,7 @@ jobs:
           actor-url: ${{ github.server_url }}/${{ github.actor }}
           workflow-name: ${{ github.workflow }}
           run-id: ${{ github.run_id }}
-          commit-message: ${{ github.event.head_commit.message || github.event.release.name || 'Manual workflow trigger' }}
+          commit-message: ${{ github.event.head_commit.message || 'Manual workflow trigger' }}
           runner-name: ${{ runner.name }}
           start-time: ${{ env.START_TIME }}
           end-time: ${{ env.END_TIME }}
diff --git a/.github/workflows/kamal-setup.yml b/.github/workflows/kamal-setup.yml
index 2eab50ae6..2f8c0340f 100644
--- a/.github/workflows/kamal-setup.yml
+++ b/.github/workflows/kamal-setup.yml
@@ -8,7 +8,6 @@ on:
         type: choice
         options:
           - staging
-          - production
       confirm:
         description: 'Type "CONFIRM" to proceed with setup'
         required: true

From 33274529f21f2178b6b7758f5190a5f5fb128f7f Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 12:00:21 +0000
Subject: [PATCH 027/106] Pass dummy registry creds to satisfy kamal-v2-setup
 action check

---
 .github/workflows/kamal-setup.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/kamal-setup.yml b/.github/workflows/kamal-setup.yml
index 2f8c0340f..cdb39532d 100644
--- a/.github/workflows/kamal-setup.yml
+++ b/.github/workflows/kamal-setup.yml
@@ -94,6 +94,8 @@ jobs:
           working-directory: '.'
         env:
           SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          KAMAL_REGISTRY_USERNAME: local
+          KAMAL_REGISTRY_PASSWORD: local
           RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
           SAPI_DATABASE_HOST: ${{ secrets.SAPI_DATABASE_HOST }}
           SAPI_DATABASE_NAME: ${{ secrets.SAPI_DATABASE_NAME }}

From e128b75d79a4a57113cb23b29099f96db62b3442 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 12:00:24 +0000
Subject: [PATCH 028/106] Pass dummy registry creds to satisfy kamal-v2-setup
 action check

---
 .github/workflows/kamal-setup.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/kamal-setup.yml b/.github/workflows/kamal-setup.yml
index 2f8c0340f..cdb39532d 100644
--- a/.github/workflows/kamal-setup.yml
+++ b/.github/workflows/kamal-setup.yml
@@ -94,6 +94,8 @@ jobs:
           working-directory: '.'
         env:
           SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          KAMAL_REGISTRY_USERNAME: local
+          KAMAL_REGISTRY_PASSWORD: local
           RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
           SAPI_DATABASE_HOST: ${{ secrets.SAPI_DATABASE_HOST }}
           SAPI_DATABASE_NAME: ${{ secrets.SAPI_DATABASE_NAME }}

From 37dd6b4c2b1f7f4ec78d4cb1eed38b23ced7f848 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 12:02:15 +0000
Subject: [PATCH 029/106] Map SAPI_DATABASE_* to generic names required by
 kamal-v2-setup action

---
 .github/workflows/kamal-setup.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/kamal-setup.yml b/.github/workflows/kamal-setup.yml
index cdb39532d..0fc9a62bf 100644
--- a/.github/workflows/kamal-setup.yml
+++ b/.github/workflows/kamal-setup.yml
@@ -96,6 +96,11 @@ jobs:
           SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
           KAMAL_REGISTRY_USERNAME: local
           KAMAL_REGISTRY_PASSWORD: local
+          # The kamal-v2-setup action requires generic DATABASE_* names
+          DATABASE_HOST: ${{ secrets.SAPI_DATABASE_HOST }}
+          DATABASE_NAME: ${{ secrets.SAPI_DATABASE_NAME }}
+          DATABASE_USERNAME: ${{ secrets.SAPI_DATABASE_USERNAME }}
+          DATABASE_PASSWORD: ${{ secrets.SAPI_DATABASE_PASSWORD }}
           RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
           SAPI_DATABASE_HOST: ${{ secrets.SAPI_DATABASE_HOST }}
           SAPI_DATABASE_NAME: ${{ secrets.SAPI_DATABASE_NAME }}

From 53d2b7a638463aaaaadc12ce86938e60c9d27a17 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 12:02:17 +0000
Subject: [PATCH 030/106] Map SAPI_DATABASE_* to generic names required by
 kamal-v2-setup action

---
 .github/workflows/kamal-setup.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/kamal-setup.yml b/.github/workflows/kamal-setup.yml
index cdb39532d..0fc9a62bf 100644
--- a/.github/workflows/kamal-setup.yml
+++ b/.github/workflows/kamal-setup.yml
@@ -96,6 +96,11 @@ jobs:
           SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
           KAMAL_REGISTRY_USERNAME: local
           KAMAL_REGISTRY_PASSWORD: local
+          # The kamal-v2-setup action requires generic DATABASE_* names
+          DATABASE_HOST: ${{ secrets.SAPI_DATABASE_HOST }}
+          DATABASE_NAME: ${{ secrets.SAPI_DATABASE_NAME }}
+          DATABASE_USERNAME: ${{ secrets.SAPI_DATABASE_USERNAME }}
+          DATABASE_PASSWORD: ${{ secrets.SAPI_DATABASE_PASSWORD }}
           RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
           SAPI_DATABASE_HOST: ${{ secrets.SAPI_DATABASE_HOST }}
           SAPI_DATABASE_NAME: ${{ secrets.SAPI_DATABASE_NAME }}

From 5620b10217a080bd0c0c7edb6bc8dc453d92bfe2 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 13:34:22 +0000
Subject: [PATCH 031/106] Fix kamal setup: inline steps, prefixed secrets,
 corrected image and registry

- Replace broken kamal-v2-setup@v1 action with direct SSH + bundle exec kamal setup
- Revert secrets-common to use SAPI_ and CAPTIVE_BREEDING_ prefixed GitHub secret names
- Fix deploy.staging.yml image to remove ghcr.io prefix
- Fix deploy.yml registry to use dcr.internal.unep-wcmc.org
---
 .github/workflows/kamal-setup.yml | 88 +++++++++++--------------------
 .kamal/secrets-common             |  3 +-
 config/deploy.staging.yml         |  2 +-
 config/deploy.yml                 |  2 +-
 4 files changed, 35 insertions(+), 60 deletions(-)

diff --git a/.github/workflows/kamal-setup.yml b/.github/workflows/kamal-setup.yml
index 0fc9a62bf..01242c569 100644
--- a/.github/workflows/kamal-setup.yml
+++ b/.github/workflows/kamal-setup.yml
@@ -33,11 +33,29 @@ jobs:
     needs: validate-input
     runs-on: self-hosted
     environment: ${{ github.event.inputs.environment }}
+    env:
+      RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
+      SAPI_DATABASE_HOST: ${{ secrets.SAPI_DATABASE_HOST }}
+      SAPI_DATABASE_NAME: ${{ secrets.SAPI_DATABASE_NAME }}
+      SAPI_DATABASE_USERNAME: ${{ secrets.SAPI_DATABASE_USERNAME }}
+      SAPI_DATABASE_PASSWORD: ${{ secrets.SAPI_DATABASE_PASSWORD }}
+      SAPI_DATABASE_PORT: ${{ secrets.SAPI_DATABASE_PORT }}
+      CAPTIVE_BREEDING_DATABASE_HOST: ${{ secrets.CAPTIVE_BREEDING_DATABASE_HOST }}
+      CAPTIVE_BREEDING_DATABASE_NAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_NAME }}
+      CAPTIVE_BREEDING_DATABASE_USERNAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_USERNAME }}
+      CAPTIVE_BREEDING_DATABASE_PASSWORD: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PASSWORD }}
+      CAPTIVE_BREEDING_DATABASE_PORT: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PORT }}
+      MAIL_USERNAME: ${{ secrets.MAIL_USERNAME }}
+      MAIL_PASSWORD: ${{ secrets.MAIL_PASSWORD }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_REGION: ${{ secrets.AWS_REGION }}
+      SAPI_SIDEKIQ_REDIS_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_URL }}
+      SAPI_SIDEKIQ_REDIS_CACHE_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_CACHE_URL }}
     steps:
       - name: Set workflow start time
         run: |
           echo "START_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_ENV
-          echo "ACTION_TYPE=Setup" >> $GITHUB_ENV
 
       - uses: actions/checkout@v4
 
@@ -61,64 +79,20 @@ jobs:
           runner-name: ${{ runner.name }}
           start-time: ${{ env.START_TIME }}
 
-      - name: Validate and Populate Secrets
-        uses: unepwcmc/devops-actions/.github/actions/validate-secrets@v1
+      - name: Set up SSH agent
+        uses: webfactory/ssh-agent@v0.9.0
         with:
-          secrets-file: '.kamal/secrets-common'
-          environment: ${{ github.event.inputs.environment }}
-        env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-          RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
-          SAPI_DATABASE_HOST: ${{ secrets.SAPI_DATABASE_HOST }}
-          SAPI_DATABASE_NAME: ${{ secrets.SAPI_DATABASE_NAME }}
-          SAPI_DATABASE_USERNAME: ${{ secrets.SAPI_DATABASE_USERNAME }}
-          SAPI_DATABASE_PASSWORD: ${{ secrets.SAPI_DATABASE_PASSWORD }}
-          SAPI_DATABASE_PORT: ${{ secrets.SAPI_DATABASE_PORT }}
-          CAPTIVE_BREEDING_DATABASE_HOST: ${{ secrets.CAPTIVE_BREEDING_DATABASE_HOST }}
-          CAPTIVE_BREEDING_DATABASE_NAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_NAME }}
-          CAPTIVE_BREEDING_DATABASE_USERNAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_USERNAME }}
-          CAPTIVE_BREEDING_DATABASE_PASSWORD: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PASSWORD }}
-          CAPTIVE_BREEDING_DATABASE_PORT: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PORT }}
-          MAIL_USERNAME: ${{ secrets.MAIL_USERNAME }}
-          MAIL_PASSWORD: ${{ secrets.MAIL_PASSWORD }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_REGION: ${{ secrets.AWS_REGION }}
-          SAPI_SIDEKIQ_REDIS_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_URL }}
-          SAPI_SIDEKIQ_REDIS_CACHE_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_CACHE_URL }}
+          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
 
-      - name: Setup SAPI with Kamal v2
-        uses: unepwcmc/devops-actions/.github/actions/kamal-v2-setup@v1
-        with:
-          environment: ${{ github.event.inputs.environment }}
-          working-directory: '.'
-        env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-          KAMAL_REGISTRY_USERNAME: local
-          KAMAL_REGISTRY_PASSWORD: local
-          # The kamal-v2-setup action requires generic DATABASE_* names
-          DATABASE_HOST: ${{ secrets.SAPI_DATABASE_HOST }}
-          DATABASE_NAME: ${{ secrets.SAPI_DATABASE_NAME }}
-          DATABASE_USERNAME: ${{ secrets.SAPI_DATABASE_USERNAME }}
-          DATABASE_PASSWORD: ${{ secrets.SAPI_DATABASE_PASSWORD }}
-          RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
-          SAPI_DATABASE_HOST: ${{ secrets.SAPI_DATABASE_HOST }}
-          SAPI_DATABASE_NAME: ${{ secrets.SAPI_DATABASE_NAME }}
-          SAPI_DATABASE_USERNAME: ${{ secrets.SAPI_DATABASE_USERNAME }}
-          SAPI_DATABASE_PASSWORD: ${{ secrets.SAPI_DATABASE_PASSWORD }}
-          SAPI_DATABASE_PORT: ${{ secrets.SAPI_DATABASE_PORT }}
-          CAPTIVE_BREEDING_DATABASE_HOST: ${{ secrets.CAPTIVE_BREEDING_DATABASE_HOST }}
-          CAPTIVE_BREEDING_DATABASE_NAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_NAME }}
-          CAPTIVE_BREEDING_DATABASE_USERNAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_USERNAME }}
-          CAPTIVE_BREEDING_DATABASE_PASSWORD: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PASSWORD }}
-          CAPTIVE_BREEDING_DATABASE_PORT: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PORT }}
-          MAIL_USERNAME: ${{ secrets.MAIL_USERNAME }}
-          MAIL_PASSWORD: ${{ secrets.MAIL_PASSWORD }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_REGION: ${{ secrets.AWS_REGION }}
-          SAPI_SIDEKIQ_REDIS_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_URL }}
-          SAPI_SIDEKIQ_REDIS_CACHE_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_CACHE_URL }}
+      - name: Install Kamal
+        run: |
+          cd deploy
+          bundle install --quiet
+
+      - name: Run Kamal setup
+        run: |
+          cd deploy
+          bundle exec kamal setup -d ${{ github.event.inputs.environment }}
 
       - name: Set workflow end time and calculate duration
         if: always()
diff --git a/.kamal/secrets-common b/.kamal/secrets-common
index 4189767a8..a8be83b2a 100644
--- a/.kamal/secrets-common
+++ b/.kamal/secrets-common
@@ -6,13 +6,14 @@
 # Rails Configuration (REQUIRED)
 RAILS_MASTER_KEY=$RAILS_MASTER_KEY
 
-# Database Configuration (special, 2 database)
+# SAPI Database Configuration
 SAPI_DATABASE_HOST=$SAPI_DATABASE_HOST
 SAPI_DATABASE_NAME=$SAPI_DATABASE_NAME
 SAPI_DATABASE_USERNAME=$SAPI_DATABASE_USERNAME
 SAPI_DATABASE_PASSWORD=$SAPI_DATABASE_PASSWORD
 SAPI_DATABASE_PORT=$SAPI_DATABASE_PORT
 
+# Captive Breeding Database Configuration
 CAPTIVE_BREEDING_DATABASE_HOST=$CAPTIVE_BREEDING_DATABASE_HOST
 CAPTIVE_BREEDING_DATABASE_NAME=$CAPTIVE_BREEDING_DATABASE_NAME
 CAPTIVE_BREEDING_DATABASE_USERNAME=$CAPTIVE_BREEDING_DATABASE_USERNAME
diff --git a/config/deploy.staging.yml b/config/deploy.staging.yml
index 5ef9ea345..40c65ce0d 100644
--- a/config/deploy.staging.yml
+++ b/config/deploy.staging.yml
@@ -1,5 +1,5 @@
 # Name of the container image
-image: ghcr.io/unepwcmc/sapi/rails-staging
+image: unepwcmc/sapi/rails-staging
 
 servers:
   web:
diff --git a/config/deploy.yml b/config/deploy.yml
index 77deb7521..ae809e475 100644
--- a/config/deploy.yml
+++ b/config/deploy.yml
@@ -3,7 +3,7 @@ service: sapi
 
 # Credentials for your image host.
 registry:
-  server: localhost:5555
+  server: dcr.internal.unep-wcmc.org
 
 # Inject ENV variables into containers (secrets come from .kamal/secrets.{environment})
 env:

From e43fe3eec331e678118a7b31d022c7a1a8fe4ba8 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 13:34:40 +0000
Subject: [PATCH 032/106] Sync kamal workflow files from staging branch

---
 .github/workflows/kamal-setup.yml | 88 +++++++++++--------------------
 .kamal/secrets-common             | 36 +++++++++++++
 config/deploy.staging.yml         | 38 +++++++++++++
 config/deploy.yml                 | 44 ++++++++++++++++
 4 files changed, 149 insertions(+), 57 deletions(-)
 create mode 100644 .kamal/secrets-common
 create mode 100644 config/deploy.staging.yml
 create mode 100644 config/deploy.yml

diff --git a/.github/workflows/kamal-setup.yml b/.github/workflows/kamal-setup.yml
index 0fc9a62bf..01242c569 100644
--- a/.github/workflows/kamal-setup.yml
+++ b/.github/workflows/kamal-setup.yml
@@ -33,11 +33,29 @@ jobs:
     needs: validate-input
     runs-on: self-hosted
     environment: ${{ github.event.inputs.environment }}
+    env:
+      RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
+      SAPI_DATABASE_HOST: ${{ secrets.SAPI_DATABASE_HOST }}
+      SAPI_DATABASE_NAME: ${{ secrets.SAPI_DATABASE_NAME }}
+      SAPI_DATABASE_USERNAME: ${{ secrets.SAPI_DATABASE_USERNAME }}
+      SAPI_DATABASE_PASSWORD: ${{ secrets.SAPI_DATABASE_PASSWORD }}
+      SAPI_DATABASE_PORT: ${{ secrets.SAPI_DATABASE_PORT }}
+      CAPTIVE_BREEDING_DATABASE_HOST: ${{ secrets.CAPTIVE_BREEDING_DATABASE_HOST }}
+      CAPTIVE_BREEDING_DATABASE_NAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_NAME }}
+      CAPTIVE_BREEDING_DATABASE_USERNAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_USERNAME }}
+      CAPTIVE_BREEDING_DATABASE_PASSWORD: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PASSWORD }}
+      CAPTIVE_BREEDING_DATABASE_PORT: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PORT }}
+      MAIL_USERNAME: ${{ secrets.MAIL_USERNAME }}
+      MAIL_PASSWORD: ${{ secrets.MAIL_PASSWORD }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_REGION: ${{ secrets.AWS_REGION }}
+      SAPI_SIDEKIQ_REDIS_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_URL }}
+      SAPI_SIDEKIQ_REDIS_CACHE_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_CACHE_URL }}
     steps:
       - name: Set workflow start time
         run: |
           echo "START_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_ENV
-          echo "ACTION_TYPE=Setup" >> $GITHUB_ENV
 
       - uses: actions/checkout@v4
 
@@ -61,64 +79,20 @@ jobs:
           runner-name: ${{ runner.name }}
           start-time: ${{ env.START_TIME }}
 
-      - name: Validate and Populate Secrets
-        uses: unepwcmc/devops-actions/.github/actions/validate-secrets@v1
+      - name: Set up SSH agent
+        uses: webfactory/ssh-agent@v0.9.0
         with:
-          secrets-file: '.kamal/secrets-common'
-          environment: ${{ github.event.inputs.environment }}
-        env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-          RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
-          SAPI_DATABASE_HOST: ${{ secrets.SAPI_DATABASE_HOST }}
-          SAPI_DATABASE_NAME: ${{ secrets.SAPI_DATABASE_NAME }}
-          SAPI_DATABASE_USERNAME: ${{ secrets.SAPI_DATABASE_USERNAME }}
-          SAPI_DATABASE_PASSWORD: ${{ secrets.SAPI_DATABASE_PASSWORD }}
-          SAPI_DATABASE_PORT: ${{ secrets.SAPI_DATABASE_PORT }}
-          CAPTIVE_BREEDING_DATABASE_HOST: ${{ secrets.CAPTIVE_BREEDING_DATABASE_HOST }}
-          CAPTIVE_BREEDING_DATABASE_NAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_NAME }}
-          CAPTIVE_BREEDING_DATABASE_USERNAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_USERNAME }}
-          CAPTIVE_BREEDING_DATABASE_PASSWORD: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PASSWORD }}
-          CAPTIVE_BREEDING_DATABASE_PORT: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PORT }}
-          MAIL_USERNAME: ${{ secrets.MAIL_USERNAME }}
-          MAIL_PASSWORD: ${{ secrets.MAIL_PASSWORD }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_REGION: ${{ secrets.AWS_REGION }}
-          SAPI_SIDEKIQ_REDIS_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_URL }}
-          SAPI_SIDEKIQ_REDIS_CACHE_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_CACHE_URL }}
+          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
 
-      - name: Setup SAPI with Kamal v2
-        uses: unepwcmc/devops-actions/.github/actions/kamal-v2-setup@v1
-        with:
-          environment: ${{ github.event.inputs.environment }}
-          working-directory: '.'
-        env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-          KAMAL_REGISTRY_USERNAME: local
-          KAMAL_REGISTRY_PASSWORD: local
-          # The kamal-v2-setup action requires generic DATABASE_* names
-          DATABASE_HOST: ${{ secrets.SAPI_DATABASE_HOST }}
-          DATABASE_NAME: ${{ secrets.SAPI_DATABASE_NAME }}
-          DATABASE_USERNAME: ${{ secrets.SAPI_DATABASE_USERNAME }}
-          DATABASE_PASSWORD: ${{ secrets.SAPI_DATABASE_PASSWORD }}
-          RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
-          SAPI_DATABASE_HOST: ${{ secrets.SAPI_DATABASE_HOST }}
-          SAPI_DATABASE_NAME: ${{ secrets.SAPI_DATABASE_NAME }}
-          SAPI_DATABASE_USERNAME: ${{ secrets.SAPI_DATABASE_USERNAME }}
-          SAPI_DATABASE_PASSWORD: ${{ secrets.SAPI_DATABASE_PASSWORD }}
-          SAPI_DATABASE_PORT: ${{ secrets.SAPI_DATABASE_PORT }}
-          CAPTIVE_BREEDING_DATABASE_HOST: ${{ secrets.CAPTIVE_BREEDING_DATABASE_HOST }}
-          CAPTIVE_BREEDING_DATABASE_NAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_NAME }}
-          CAPTIVE_BREEDING_DATABASE_USERNAME: ${{ secrets.CAPTIVE_BREEDING_DATABASE_USERNAME }}
-          CAPTIVE_BREEDING_DATABASE_PASSWORD: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PASSWORD }}
-          CAPTIVE_BREEDING_DATABASE_PORT: ${{ secrets.CAPTIVE_BREEDING_DATABASE_PORT }}
-          MAIL_USERNAME: ${{ secrets.MAIL_USERNAME }}
-          MAIL_PASSWORD: ${{ secrets.MAIL_PASSWORD }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_REGION: ${{ secrets.AWS_REGION }}
-          SAPI_SIDEKIQ_REDIS_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_URL }}
-          SAPI_SIDEKIQ_REDIS_CACHE_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_CACHE_URL }}
+      - name: Install Kamal
+        run: |
+          cd deploy
+          bundle install --quiet
+
+      - name: Run Kamal setup
+        run: |
+          cd deploy
+          bundle exec kamal setup -d ${{ github.event.inputs.environment }}
 
       - name: Set workflow end time and calculate duration
         if: always()
diff --git a/.kamal/secrets-common b/.kamal/secrets-common
new file mode 100644
index 000000000..a8be83b2a
--- /dev/null
+++ b/.kamal/secrets-common
@@ -0,0 +1,36 @@
+# Minimal Secrets Template - Backend Rails API Kamal Deployment
+# Secrets defined here are available for reference under registry/password, env/secret, builder/secrets,
+# and accessories/*/env/secret in config/deploy.yml. All secrets should be pulled from either
+# password manager, ENV, or a file. DO NOT ENTER RAW CREDENTIALS HERE! This file needs to be safe for git.
+
+# Rails Configuration (REQUIRED)
+RAILS_MASTER_KEY=$RAILS_MASTER_KEY
+
+# SAPI Database Configuration
+SAPI_DATABASE_HOST=$SAPI_DATABASE_HOST
+SAPI_DATABASE_NAME=$SAPI_DATABASE_NAME
+SAPI_DATABASE_USERNAME=$SAPI_DATABASE_USERNAME
+SAPI_DATABASE_PASSWORD=$SAPI_DATABASE_PASSWORD
+SAPI_DATABASE_PORT=$SAPI_DATABASE_PORT
+
+# Captive Breeding Database Configuration
+CAPTIVE_BREEDING_DATABASE_HOST=$CAPTIVE_BREEDING_DATABASE_HOST
+CAPTIVE_BREEDING_DATABASE_NAME=$CAPTIVE_BREEDING_DATABASE_NAME
+CAPTIVE_BREEDING_DATABASE_USERNAME=$CAPTIVE_BREEDING_DATABASE_USERNAME
+CAPTIVE_BREEDING_DATABASE_PASSWORD=$CAPTIVE_BREEDING_DATABASE_PASSWORD
+CAPTIVE_BREEDING_DATABASE_PORT=$CAPTIVE_BREEDING_DATABASE_PORT
+
+# Mail Configuration
+MAIL_USERNAME=$MAIL_USERNAME
+MAIL_PASSWORD=$MAIL_PASSWORD
+
+# AWS Configuration
+AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
+AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
+AWS_REGION=$AWS_REGION
+
+# Redis for Sidekiq
+SAPI_SIDEKIQ_REDIS_URL=$SAPI_SIDEKIQ_REDIS_URL
+
+# Redis for cache
+SAPI_SIDEKIQ_REDIS_CACHE_URL=$SAPI_SIDEKIQ_REDIS_CACHE_URL
diff --git a/config/deploy.staging.yml b/config/deploy.staging.yml
new file mode 100644
index 000000000..40c65ce0d
--- /dev/null
+++ b/config/deploy.staging.yml
@@ -0,0 +1,38 @@
+# Name of the container image
+image: unepwcmc/sapi/rails-staging
+
+servers:
+  web:
+    hosts:
+      - 172.20.0.146 # sapi-web-staging-01.internal.unep-wcmc.org
+    options:
+      add-host: host.docker.internal:host-gateway # Required to reach host-bound Redis
+    proxy:
+      hosts:
+        - sapi-web-staging-01.internal.unep-wcmc.org # Public-facing domain
+      ssl: true
+      tls_certificate_path: /etc/ssl/kamal/star.internal.unep-wcmc.org.crt
+      tls_private_key_path: /etc/ssl/kamal/star.internal.unep-wcmc.org.key
+      forward_headers: true # Forward headers like X-Forwarded-Proto
+      healthcheck:
+        path: /up
+      logging:
+        request_headers:
+          - Cache-Control
+          - User-Agent
+          - X-Forwarded-Proto # Critical for Rails to detect HTTPS
+        response_headers:
+          - X-Request-ID
+  job:
+    hosts:
+      - 172.20.0.146 # sapi-web-staging-01.internal.unep-wcmc.org
+    options:
+      add-host: host.docker.internal:host-gateway # Required to reach host-bound Redis
+    cmd: bundle exec sidekiq -C config/sidekiq.yml
+    healthcheck:
+      cmd: /rails/bin/docker-sidekiq-healthcheck
+
+# Environment variables
+env:
+  clear:
+    RAILS_ENV: staging
diff --git a/config/deploy.yml b/config/deploy.yml
new file mode 100644
index 000000000..ae809e475
--- /dev/null
+++ b/config/deploy.yml
@@ -0,0 +1,44 @@
+# Name of your application. Used to uniquely configure containers.
+service: sapi
+
+# Credentials for your image host.
+registry:
+  server: dcr.internal.unep-wcmc.org
+
+# Inject ENV variables into containers (secrets come from .kamal/secrets.{environment})
+env:
+  clear:
+    RAILS_LOG_LEVEL: warn # @see https://github.com/heartcombo/devise#password-reset-tokens-and-rails-logs
+    PORT: 80
+    RAILS_SERVE_STATIC_FILES: 1
+    RAILS_LOG_TO_STDOUT: 1 # Need this before upgrade to Rails 7.1, which then default is STDOUT.
+  secret:
+    - RAILS_MASTER_KEY
+    - SAPI_DATABASE_HOST
+    - SAPI_DATABASE_NAME
+    - SAPI_DATABASE_USERNAME
+    - SAPI_DATABASE_PASSWORD
+    - SAPI_DATABASE_PORT
+    - CAPTIVE_BREEDING_DATABASE_HOST
+    - CAPTIVE_BREEDING_DATABASE_NAME
+    - CAPTIVE_BREEDING_DATABASE_USERNAME
+    - CAPTIVE_BREEDING_DATABASE_PASSWORD
+    - CAPTIVE_BREEDING_DATABASE_PORT
+    - MAIL_USERNAME
+    - MAIL_PASSWORD
+    - AWS_ACCESS_KEY_ID
+    - AWS_SECRET_ACCESS_KEY
+    - AWS_REGION
+    - SAPI_SIDEKIQ_REDIS_URL
+    - SAPI_SIDEKIQ_REDIS_CACHE_URL
+
+# Use a different ssh user than root
+ssh:
+  user: wcmc
+
+# Configure builder setup
+builder:
+  arch: amd64
+  dockerfile: Dockerfile.deploy
+  args:
+    RUBY_VERSION: 3.2.5

From a43d2f0a540ea7ea08e463fab31838fb8198c995 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 13:36:05 +0000
Subject: [PATCH 033/106] Fix deploy Ruby version to 3.4.9 to match Gemfile

---
 deploy/.ruby-version | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy/.ruby-version b/deploy/.ruby-version
index f9892605c..7bcbb3808 100644
--- a/deploy/.ruby-version
+++ b/deploy/.ruby-version
@@ -1 +1 @@
-3.4.4
+3.4.9

From c23a85c5254981265b2976fa6fde3e3ac87e19e3 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 13:36:07 +0000
Subject: [PATCH 034/106] Sync deploy Ruby version fix to master

---
 deploy/.ruby-version | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 deploy/.ruby-version

diff --git a/deploy/.ruby-version b/deploy/.ruby-version
new file mode 100644
index 000000000..7bcbb3808
--- /dev/null
+++ b/deploy/.ruby-version
@@ -0,0 +1 @@
+3.4.9

From 45a069dfeb7b10388ca2edefa0392193b82e10eb Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 13:38:32 +0000
Subject: [PATCH 035/106] Remove invalid healthcheck key from job role in
 deploy.staging.yml

---
 config/deploy.staging.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/config/deploy.staging.yml b/config/deploy.staging.yml
index 40c65ce0d..8546e064d 100644
--- a/config/deploy.staging.yml
+++ b/config/deploy.staging.yml
@@ -29,8 +29,6 @@ servers:
     options:
       add-host: host.docker.internal:host-gateway # Required to reach host-bound Redis
     cmd: bundle exec sidekiq -C config/sidekiq.yml
-    healthcheck:
-      cmd: /rails/bin/docker-sidekiq-healthcheck
 
 # Environment variables
 env:

From a4741ee49fe941eb20bd7af0a78a9537dab76e81 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 13:38:34 +0000
Subject: [PATCH 036/106] Sync deploy.staging.yml fix to master

---
 config/deploy.staging.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/config/deploy.staging.yml b/config/deploy.staging.yml
index 40c65ce0d..8546e064d 100644
--- a/config/deploy.staging.yml
+++ b/config/deploy.staging.yml
@@ -29,8 +29,6 @@ servers:
     options:
       add-host: host.docker.internal:host-gateway # Required to reach host-bound Redis
     cmd: bundle exec sidekiq -C config/sidekiq.yml
-    healthcheck:
-      cmd: /rails/bin/docker-sidekiq-healthcheck
 
 # Environment variables
 env:

From 9ded9626a164f88e4563ac2b54c79210af71f117 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 13:39:50 +0000
Subject: [PATCH 037/106] Add ruby/setup-ruby step to kamal-setup workflow

---
 .github/workflows/kamal-setup.yml | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/kamal-setup.yml b/.github/workflows/kamal-setup.yml
index 01242c569..316cf4547 100644
--- a/.github/workflows/kamal-setup.yml
+++ b/.github/workflows/kamal-setup.yml
@@ -84,15 +84,19 @@ jobs:
         with:
           ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
 
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          working-directory: deploy
+          bundler-cache: false
+
       - name: Install Kamal
-        run: |
-          cd deploy
-          bundle install --quiet
+        working-directory: deploy
+        run: bundle install --quiet
 
       - name: Run Kamal setup
-        run: |
-          cd deploy
-          bundle exec kamal setup -d ${{ github.event.inputs.environment }}
+        working-directory: deploy
+        run: bundle exec kamal setup -d ${{ github.event.inputs.environment }}
 
       - name: Set workflow end time and calculate duration
         if: always()

From 00012d0c55c9a21faaf5244940977ea21f5a36dd Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 13:39:52 +0000
Subject: [PATCH 038/106] Sync kamal-setup ruby fix to master

---
 .github/workflows/kamal-setup.yml | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/kamal-setup.yml b/.github/workflows/kamal-setup.yml
index 01242c569..316cf4547 100644
--- a/.github/workflows/kamal-setup.yml
+++ b/.github/workflows/kamal-setup.yml
@@ -84,15 +84,19 @@ jobs:
         with:
           ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
 
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          working-directory: deploy
+          bundler-cache: false
+
       - name: Install Kamal
-        run: |
-          cd deploy
-          bundle install --quiet
+        working-directory: deploy
+        run: bundle install --quiet
 
       - name: Run Kamal setup
-        run: |
-          cd deploy
-          bundle exec kamal setup -d ${{ github.event.inputs.environment }}
+        working-directory: deploy
+        run: bundle exec kamal setup -d ${{ github.event.inputs.environment }}
 
       - name: Set workflow end time and calculate duration
         if: always()

From e66992dcaf3c462319aa9aea606bae944d15c389 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 13:44:25 +0000
Subject: [PATCH 039/106] Fix kamal setup path and disable auto-deploy until
 setup complete

- Run kamal from repo root using BUNDLE_GEMFILE=deploy/Gemfile
- Switch deploy workflow to workflow_dispatch only
---
 .github/workflows/deploy.yml      | 4 +---
 .github/workflows/kamal-setup.yml | 3 +--
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 73bad07a6..dfa578b12 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,8 +1,6 @@
 name: Deploy SAPI Rails API
 on:
-  push:
-    branches:
-      - staging
+  workflow_dispatch:
 
 jobs:
   deploy:
diff --git a/.github/workflows/kamal-setup.yml b/.github/workflows/kamal-setup.yml
index 316cf4547..0ff35fcd8 100644
--- a/.github/workflows/kamal-setup.yml
+++ b/.github/workflows/kamal-setup.yml
@@ -95,8 +95,7 @@ jobs:
         run: bundle install --quiet
 
       - name: Run Kamal setup
-        working-directory: deploy
-        run: bundle exec kamal setup -d ${{ github.event.inputs.environment }}
+        run: BUNDLE_GEMFILE=deploy/Gemfile bundle exec kamal setup -d ${{ github.event.inputs.environment }}
 
       - name: Set workflow end time and calculate duration
         if: always()

From 73996a87e1d5edc94a7f3848028c7055c6830f92 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 13:44:27 +0000
Subject: [PATCH 040/106] Sync workflow fixes to master

---
 .github/workflows/deploy.yml      | 4 +---
 .github/workflows/kamal-setup.yml | 3 +--
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 73bad07a6..dfa578b12 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,8 +1,6 @@
 name: Deploy SAPI Rails API
 on:
-  push:
-    branches:
-      - staging
+  workflow_dispatch:
 
 jobs:
   deploy:
diff --git a/.github/workflows/kamal-setup.yml b/.github/workflows/kamal-setup.yml
index 316cf4547..0ff35fcd8 100644
--- a/.github/workflows/kamal-setup.yml
+++ b/.github/workflows/kamal-setup.yml
@@ -95,8 +95,7 @@ jobs:
         run: bundle install --quiet
 
       - name: Run Kamal setup
-        working-directory: deploy
-        run: bundle exec kamal setup -d ${{ github.event.inputs.environment }}
+        run: BUNDLE_GEMFILE=deploy/Gemfile bundle exec kamal setup -d ${{ github.event.inputs.environment }}
 
       - name: Set workflow end time and calculate duration
         if: always()

From e21a7381fbf1a54da030b72b9cfdbe05461d0d25 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 13:48:13 +0000
Subject: [PATCH 041/106] Fix SSL config to use kamal v2
 certificate_pem/private_key_pem secrets

---
 .kamal/secrets-common     | 4 ++++
 config/deploy.staging.yml | 6 +++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/.kamal/secrets-common b/.kamal/secrets-common
index a8be83b2a..70635feb0 100644
--- a/.kamal/secrets-common
+++ b/.kamal/secrets-common
@@ -34,3 +34,7 @@ SAPI_SIDEKIQ_REDIS_URL=$SAPI_SIDEKIQ_REDIS_URL
 
 # Redis for cache
 SAPI_SIDEKIQ_REDIS_CACHE_URL=$SAPI_SIDEKIQ_REDIS_CACHE_URL
+
+# SSL certificates
+CERTIFICATE_PEM=$CERTIFICATE_PEM
+PRIVATE_KEY_PEM=$PRIVATE_KEY_PEM
diff --git a/config/deploy.staging.yml b/config/deploy.staging.yml
index 8546e064d..b91fd1449 100644
--- a/config/deploy.staging.yml
+++ b/config/deploy.staging.yml
@@ -10,9 +10,9 @@ servers:
     proxy:
       hosts:
         - sapi-web-staging-01.internal.unep-wcmc.org # Public-facing domain
-      ssl: true
-      tls_certificate_path: /etc/ssl/kamal/star.internal.unep-wcmc.org.crt
-      tls_private_key_path: /etc/ssl/kamal/star.internal.unep-wcmc.org.key
+      ssl:
+        certificate_pem: CERTIFICATE_PEM
+        private_key_pem: PRIVATE_KEY_PEM
       forward_headers: true # Forward headers like X-Forwarded-Proto
       healthcheck:
         path: /up

From 1929e8881a0d4395173e23500f5abc37d774a223 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 13:48:15 +0000
Subject: [PATCH 042/106] Sync SSL config fix to master

---
 .kamal/secrets-common     | 4 ++++
 config/deploy.staging.yml | 6 +++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/.kamal/secrets-common b/.kamal/secrets-common
index a8be83b2a..70635feb0 100644
--- a/.kamal/secrets-common
+++ b/.kamal/secrets-common
@@ -34,3 +34,7 @@ SAPI_SIDEKIQ_REDIS_URL=$SAPI_SIDEKIQ_REDIS_URL
 
 # Redis for cache
 SAPI_SIDEKIQ_REDIS_CACHE_URL=$SAPI_SIDEKIQ_REDIS_CACHE_URL
+
+# SSL certificates
+CERTIFICATE_PEM=$CERTIFICATE_PEM
+PRIVATE_KEY_PEM=$PRIVATE_KEY_PEM
diff --git a/config/deploy.staging.yml b/config/deploy.staging.yml
index 8546e064d..b91fd1449 100644
--- a/config/deploy.staging.yml
+++ b/config/deploy.staging.yml
@@ -10,9 +10,9 @@ servers:
     proxy:
       hosts:
         - sapi-web-staging-01.internal.unep-wcmc.org # Public-facing domain
-      ssl: true
-      tls_certificate_path: /etc/ssl/kamal/star.internal.unep-wcmc.org.crt
-      tls_private_key_path: /etc/ssl/kamal/star.internal.unep-wcmc.org.key
+      ssl:
+        certificate_pem: CERTIFICATE_PEM
+        private_key_pem: PRIVATE_KEY_PEM
       forward_headers: true # Forward headers like X-Forwarded-Proto
       healthcheck:
         path: /up

From 786ab5e11f4ac7d0c369511becab95371e45db66 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 13:53:24 +0000
Subject: [PATCH 043/106] Use localhost:5555 local registry instead of Harbour
 (no auth needed)

---
 config/deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/deploy.yml b/config/deploy.yml
index ae809e475..77deb7521 100644
--- a/config/deploy.yml
+++ b/config/deploy.yml
@@ -3,7 +3,7 @@ service: sapi
 
 # Credentials for your image host.
 registry:
-  server: dcr.internal.unep-wcmc.org
+  server: localhost:5555
 
 # Inject ENV variables into containers (secrets come from .kamal/secrets.{environment})
 env:

From 6a4970bd5c32e21bc46407f46ad9f5c1d2e6cb1a Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 13:53:24 +0000
Subject: [PATCH 044/106] Use localhost:5555 local registry instead of Harbour
 (no auth needed)

---
 config/deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/deploy.yml b/config/deploy.yml
index ae809e475..77deb7521 100644
--- a/config/deploy.yml
+++ b/config/deploy.yml
@@ -3,7 +3,7 @@ service: sapi
 
 # Credentials for your image host.
 registry:
-  server: dcr.internal.unep-wcmc.org
+  server: localhost:5555
 
 # Inject ENV variables into containers (secrets come from .kamal/secrets.{environment})
 env:

From e4c211dabb00ad49c6e2790e014443354ff64c35 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 14:06:21 +0000
Subject: [PATCH 045/106] Add buildx setup and remote builder on server for
 localhost:5555 registry

---
 .github/workflows/kamal-setup.yml | 3 +++
 config/deploy.yml                 | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/kamal-setup.yml b/.github/workflows/kamal-setup.yml
index 0ff35fcd8..d4e71dd2a 100644
--- a/.github/workflows/kamal-setup.yml
+++ b/.github/workflows/kamal-setup.yml
@@ -84,6 +84,9 @@ jobs:
         with:
           ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:
diff --git a/config/deploy.yml b/config/deploy.yml
index 77deb7521..37ec91439 100644
--- a/config/deploy.yml
+++ b/config/deploy.yml
@@ -36,9 +36,10 @@ env:
 ssh:
   user: wcmc
 
-# Configure builder setup
+# Configure builder setup — builds remotely on the server so localhost:5555 registry works
 builder:
   arch: amd64
   dockerfile: Dockerfile.deploy
   args:
     RUBY_VERSION: 3.2.5
+  remote: ssh://wcmc@172.20.0.146

From cb3e94a9e87b357a68a6464c673e18c6a56449a4 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 14:06:21 +0000
Subject: [PATCH 046/106] Add buildx setup and remote builder on server for
 localhost:5555 registry

---
 .github/workflows/kamal-setup.yml | 3 +++
 config/deploy.yml                 | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/kamal-setup.yml b/.github/workflows/kamal-setup.yml
index 0ff35fcd8..d4e71dd2a 100644
--- a/.github/workflows/kamal-setup.yml
+++ b/.github/workflows/kamal-setup.yml
@@ -84,6 +84,9 @@ jobs:
         with:
           ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:
diff --git a/config/deploy.yml b/config/deploy.yml
index 77deb7521..37ec91439 100644
--- a/config/deploy.yml
+++ b/config/deploy.yml
@@ -36,9 +36,10 @@ env:
 ssh:
   user: wcmc
 
-# Configure builder setup
+# Configure builder setup — builds remotely on the server so localhost:5555 registry works
 builder:
   arch: amd64
   dockerfile: Dockerfile.deploy
   args:
     RUBY_VERSION: 3.2.5
+  remote: ssh://wcmc@172.20.0.146

From 33255ee266d21e0a088a0dd41ddd84849dec3b19 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 14:25:37 +0000
Subject: [PATCH 047/106] Add CERTIFICATE_PEM and PRIVATE_KEY_PEM to
 kamal-setup env

---
 .github/workflows/kamal-setup.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/kamal-setup.yml b/.github/workflows/kamal-setup.yml
index d4e71dd2a..ad607227a 100644
--- a/.github/workflows/kamal-setup.yml
+++ b/.github/workflows/kamal-setup.yml
@@ -52,6 +52,8 @@ jobs:
       AWS_REGION: ${{ secrets.AWS_REGION }}
       SAPI_SIDEKIQ_REDIS_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_URL }}
       SAPI_SIDEKIQ_REDIS_CACHE_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_CACHE_URL }}
+      CERTIFICATE_PEM: ${{ secrets.CERTIFICATE_PEM }}
+      PRIVATE_KEY_PEM: ${{ secrets.PRIVATE_KEY_PEM }}
     steps:
       - name: Set workflow start time
         run: |

From 96c2a78d3c2e12e5507e43e06658315c5bff0aa5 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 14:25:37 +0000
Subject: [PATCH 048/106] Add CERTIFICATE_PEM and PRIVATE_KEY_PEM to
 kamal-setup env

---
 .github/workflows/kamal-setup.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/kamal-setup.yml b/.github/workflows/kamal-setup.yml
index d4e71dd2a..ad607227a 100644
--- a/.github/workflows/kamal-setup.yml
+++ b/.github/workflows/kamal-setup.yml
@@ -52,6 +52,8 @@ jobs:
       AWS_REGION: ${{ secrets.AWS_REGION }}
       SAPI_SIDEKIQ_REDIS_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_URL }}
       SAPI_SIDEKIQ_REDIS_CACHE_URL: ${{ secrets.SAPI_SIDEKIQ_REDIS_CACHE_URL }}
+      CERTIFICATE_PEM: ${{ secrets.CERTIFICATE_PEM }}
+      PRIVATE_KEY_PEM: ${{ secrets.PRIVATE_KEY_PEM }}
     steps:
       - name: Set workflow start time
         run: |

From 9b2a6130818503ee2eddc102341c545a67d0e88f Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 15:50:38 +0000
Subject: [PATCH 049/106] Add Dockerfile.staging with puma CMD; wire into
 deploy.staging.yml

---
 Dockerfile.staging        | 68 +++++++++++++++++++++++++++++++++++++++
 config/deploy.staging.yml |  4 +++
 2 files changed, 72 insertions(+)
 create mode 100644 Dockerfile.staging

diff --git a/Dockerfile.staging b/Dockerfile.staging
new file mode 100644
index 000000000..243139f99
--- /dev/null
+++ b/Dockerfile.staging
@@ -0,0 +1,68 @@
+# syntax=docker/dockerfile:1
+# check=error=true
+
+# Staging Dockerfile — identical to Dockerfile.deploy but with puma as CMD.
+# Dockerfile.deploy uses `tail -f /dev/null` for production (Capistrano manages the process).
+# Kamal manages the process via Docker, so we start puma directly here.
+
+ARG RUBY_VERSION=3.2.5
+FROM ruby:$RUBY_VERSION-slim AS base
+
+WORKDIR /rails
+
+RUN apt-get update -qq && \
+  apt-get install --no-install-recommends -y curl libjemalloc2 libpq-dev \
+  libsodium-dev libgmp3-dev libssl-dev \
+  curl xz-utils \
+  texlive-latex-base texlive-fonts-recommended texlive-fonts-extra texlive-latex-extra \
+  && rm -rf /var/lib/apt/lists /var/cache/apt/archives
+
+ENV NODE_ENV="production" \
+  RAILS_ENV="production" \
+  BUNDLE_DEPLOYMENT="1" \
+  BUNDLE_PATH="/usr/local/bundle" \
+  BUNDLE_WITHOUT="development"
+
+ARG NODE_VERSION=18.20.8
+ARG TARGETARCH
+RUN case "$TARGETARCH" in \
+  amd64) NODE_ARCH=x64 ;; \
+  arm64) NODE_ARCH=arm64 ;; \
+  *) echo "Unsupported architecture: $TARGETARCH"; exit 1 ;; \
+  esac && \
+  curl -fsSL https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz \
+  | tar -xJ -C /usr/local --strip-components=1
+
+
+FROM base AS build
+
+RUN apt-get update -qq && \
+  apt-get install --no-install-recommends -y build-essential git libyaml-dev pkg-config \
+  && rm -rf /var/lib/apt/lists /var/cache/apt/archives
+
+COPY Gemfile Gemfile.lock ./
+RUN bundle install && \
+  rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git && \
+  bundle exec bootsnap precompile --gemfile
+
+COPY . .
+
+RUN bundle exec bootsnap precompile app/ lib/
+
+RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails assets:precompile
+
+
+FROM base
+
+COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
+COPY --from=build /rails /rails
+
+RUN groupadd --system --gid 1000 rails && \
+  useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
+  chown -R rails:rails db log tmp
+USER 1000:1000
+
+ENTRYPOINT ["/rails/bin/docker-entrypoint"]
+
+EXPOSE 80
+CMD ["./bin/rails", "server", "-b", "0.0.0.0"]
diff --git a/config/deploy.staging.yml b/config/deploy.staging.yml
index b91fd1449..61fdd0ea6 100644
--- a/config/deploy.staging.yml
+++ b/config/deploy.staging.yml
@@ -30,6 +30,10 @@ servers:
       add-host: host.docker.internal:host-gateway # Required to reach host-bound Redis
     cmd: bundle exec sidekiq -C config/sidekiq.yml
 
+# Use staging-specific Dockerfile that starts puma (Dockerfile.deploy uses tail -f /dev/null for Capistrano)
+builder:
+  dockerfile: Dockerfile.staging
+
 # Environment variables
 env:
   clear:

From 798a2671fcd2f8ac0577ab413b7b558d8b663dab Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Wed, 18 Mar 2026 15:50:38 +0000
Subject: [PATCH 050/106] Add Dockerfile.staging with puma CMD; wire into
 deploy.staging.yml

---
 Dockerfile.staging        | 68 +++++++++++++++++++++++++++++++++++++++
 config/deploy.staging.yml |  4 +++
 2 files changed, 72 insertions(+)
 create mode 100644 Dockerfile.staging

diff --git a/Dockerfile.staging b/Dockerfile.staging
new file mode 100644
index 000000000..243139f99
--- /dev/null
+++ b/Dockerfile.staging
@@ -0,0 +1,68 @@
+# syntax=docker/dockerfile:1
+# check=error=true
+
+# Staging Dockerfile — identical to Dockerfile.deploy but with puma as CMD.
+# Dockerfile.deploy uses `tail -f /dev/null` for production (Capistrano manages the process).
+# Kamal manages the process via Docker, so we start puma directly here.
+
+ARG RUBY_VERSION=3.2.5
+FROM ruby:$RUBY_VERSION-slim AS base
+
+WORKDIR /rails
+
+RUN apt-get update -qq && \
+  apt-get install --no-install-recommends -y curl libjemalloc2 libpq-dev \
+  libsodium-dev libgmp3-dev libssl-dev \
+  curl xz-utils \
+  texlive-latex-base texlive-fonts-recommended texlive-fonts-extra texlive-latex-extra \
+  && rm -rf /var/lib/apt/lists /var/cache/apt/archives
+
+ENV NODE_ENV="production" \
+  RAILS_ENV="production" \
+  BUNDLE_DEPLOYMENT="1" \
+  BUNDLE_PATH="/usr/local/bundle" \
+  BUNDLE_WITHOUT="development"
+
+ARG NODE_VERSION=18.20.8
+ARG TARGETARCH
+RUN case "$TARGETARCH" in \
+  amd64) NODE_ARCH=x64 ;; \
+  arm64) NODE_ARCH=arm64 ;; \
+  *) echo "Unsupported architecture: $TARGETARCH"; exit 1 ;; \
+  esac && \
+  curl -fsSL https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz \
+  | tar -xJ -C /usr/local --strip-components=1
+
+
+FROM base AS build
+
+RUN apt-get update -qq && \
+  apt-get install --no-install-recommends -y build-essential git libyaml-dev pkg-config \
+  && rm -rf /var/lib/apt/lists /var/cache/apt/archives
+
+COPY Gemfile Gemfile.lock ./
+RUN bundle install && \
+  rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git && \
+  bundle exec bootsnap precompile --gemfile
+
+COPY . .
+
+RUN bundle exec bootsnap precompile app/ lib/
+
+RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails assets:precompile
+
+
+FROM base
+
+COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
+COPY --from=build /rails /rails
+
+RUN groupadd --system --gid 1000 rails && \
+  useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
+  chown -R rails:rails db log tmp
+USER 1000:1000
+
+ENTRYPOINT ["/rails/bin/docker-entrypoint"]
+
+EXPOSE 80
+CMD ["./bin/rails", "server", "-b", "0.0.0.0"]
diff --git a/config/deploy.staging.yml b/config/deploy.staging.yml
index b91fd1449..61fdd0ea6 100644
--- a/config/deploy.staging.yml
+++ b/config/deploy.staging.yml
@@ -30,6 +30,10 @@ servers:
       add-host: host.docker.internal:host-gateway # Required to reach host-bound Redis
     cmd: bundle exec sidekiq -C config/sidekiq.yml
 
+# Use staging-specific Dockerfile that starts puma (Dockerfile.deploy uses tail -f /dev/null for Capistrano)
+builder:
+  dockerfile: Dockerfile.staging
+
 # Environment variables
 env:
   clear:

From e6813d3515ac4d9a0f80789ee558c5cb0788fc94 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Thu, 19 Mar 2026 07:15:26 +0000
Subject: [PATCH 051/106] Enable auto-deploy on staging branch push

---
 .github/workflows/deploy.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index dfa578b12..1a7a1d3ba 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,5 +1,8 @@
 name: Deploy SAPI Rails API
 on:
+  push:
+    branches:
+      - staging
   workflow_dispatch:
 
 jobs:

From 374864338a4ec1415887d029d734b2da90aba8f0 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Thu, 19 Mar 2026 07:15:26 +0000
Subject: [PATCH 052/106] Enable auto-deploy on staging branch push

---
 .github/workflows/deploy.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index dfa578b12..1a7a1d3ba 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,5 +1,8 @@
 name: Deploy SAPI Rails API
 on:
+  push:
+    branches:
+      - staging
   workflow_dispatch:
 
 jobs:

From 8da02eaa497c233f062b5f4123661666c4cc4387 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Thu, 19 Mar 2026 07:37:17 +0000
Subject: [PATCH 053/106] Add staging.speciesplus.net Cloudflare tunnel host to
 kamal-proxy

---
 config/deploy.staging.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/config/deploy.staging.yml b/config/deploy.staging.yml
index 61fdd0ea6..b8824d49f 100644
--- a/config/deploy.staging.yml
+++ b/config/deploy.staging.yml
@@ -9,7 +9,8 @@ servers:
       add-host: host.docker.internal:host-gateway # Required to reach host-bound Redis
     proxy:
       hosts:
-        - sapi-web-staging-01.internal.unep-wcmc.org # Public-facing domain
+        - sapi-web-staging-01.internal.unep-wcmc.org
+        - staging.speciesplus.net # Cloudflare tunnel endpoint
       ssl:
         certificate_pem: CERTIFICATE_PEM
         private_key_pem: PRIVATE_KEY_PEM

From 7bea977a476437dab955f27f8bf9e8bf0c5950d3 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Thu, 19 Mar 2026 07:54:57 +0000
Subject: [PATCH 054/106] =?UTF-8?q?Remove=20staging.speciesplus.net=20from?=
 =?UTF-8?q?=20kamal-proxy=20=E2=80=94=20Cloudflare=20routes=20to=20interna?=
 =?UTF-8?q?l=20hostname?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 config/deploy.staging.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/config/deploy.staging.yml b/config/deploy.staging.yml
index b8824d49f..05e4baa36 100644
--- a/config/deploy.staging.yml
+++ b/config/deploy.staging.yml
@@ -10,7 +10,6 @@ servers:
     proxy:
       hosts:
         - sapi-web-staging-01.internal.unep-wcmc.org
-        - staging.speciesplus.net # Cloudflare tunnel endpoint
       ssl:
         certificate_pem: CERTIFICATE_PEM
         private_key_pem: PRIVATE_KEY_PEM

From 04e0dc302f53e55dfbc0e4348b3446020e7501fa Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Thu, 19 Mar 2026 12:00:18 +0000
Subject: [PATCH 055/106] Remove stale server.pid in entrypoint to prevent
 crash-restart loop

---
 bin/docker-entrypoint | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/bin/docker-entrypoint b/bin/docker-entrypoint
index 3054757cc..ba34b5cb1 100755
--- a/bin/docker-entrypoint
+++ b/bin/docker-entrypoint
@@ -35,5 +35,9 @@ mkdir -p {./,spec/}public/downloads/taxon_concepts_names
 #   ./bin/rails db:prepare
 # fi
 
+# Remove stale PID file — survives Docker restarts on the same writable layer
+# and causes Rails to refuse to start (finds a PID it thinks is already running)
+rm -f /rails/tmp/pids/server.pid
+
 # This is the main rails/sidekiq command
 exec "${@}"

From 528d27ced36bb4d1105eff515e4958a51d967234 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Tue, 7 Apr 2026 11:52:15 +0100
Subject: [PATCH 056/106] chore: upgrade Rails from 7.1.3.4 to 7.2.3.1 (Gemfile
 only)

---
 Gemfile | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/Gemfile b/Gemfile
index 100a8b7da..cf512d207 100644
--- a/Gemfile
+++ b/Gemfile
@@ -3,7 +3,7 @@ source 'https://rubygems.org'
 ruby '3.2.5'
 
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rails', '7.1.3.4'
+gem 'rails', '7.2.3.1'
 
 # Configure Cross-Origin resource sharing
 gem 'rack-cors'
@@ -34,10 +34,10 @@ gem 'coffee-rails', '~> 5.0'
 # gem 'mini_racer', platforms: :ruby
 
 gem 'active_model_serializers', '0.8.4' # Deprecated
-gem "active_storage_validations", "~> 2.0"
+gem 'active_storage_validations', '~> 2.0'
 
 # Use redis for caching
-gem "redis", "~> 4.8"
+gem 'redis', '~> 4.8'
 
 # Use PostgreSQL database
 gem 'pg', '~> 1.5', '>= 1.5.4'
@@ -229,5 +229,3 @@ gem 'handlebars-source', '1.0.12' # TODO: just a wrapwrapper. Any update will ch
 # It might be possible to fix this if we had an nginx version which supported
 # the config: `passenger_preload_bundler on;`
 gem 'base64', '0.1.1'
-
-

From 8a4a4dc1fe0d5a7f7a455ecc9cf9977b580db5a4 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Wed, 8 Apr 2026 10:21:36 +0100
Subject: [PATCH 057/106] chore: bundle upgrade rails to 7.2 and
 acts-as-taggable-on

---
 Gemfile      |   2 +-
 Gemfile.lock | 487 ++++++++++++++++++++++++++++-----------------------
 2 files changed, 265 insertions(+), 224 deletions(-)

diff --git a/Gemfile b/Gemfile
index cf512d207..3c466031c 100644
--- a/Gemfile
+++ b/Gemfile
@@ -70,7 +70,7 @@ gem 'httparty', '~> 0.21.0'
 
 gem 'kaminari', '~> 1.2', '>= 1.2.2' # TODO: Suggest migrate to pagy gem.
 
-gem 'acts-as-taggable-on', '~> 10.0' # TODO: refuses to install against Rails 7.2
+gem 'acts-as-taggable-on', '~> 12.0'
 gem 'carrierwave', '~> 3.0', '>= 3.0.5'
 
 # PDF
diff --git a/Gemfile.lock b/Gemfile.lock
index d9acef088..b8ba233dd 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -2,52 +2,49 @@ GEM
   remote: https://rubygems.org/
   specs:
     Ascii85 (1.0.3)
-    actioncable (7.1.3.4)
-      actionpack (= 7.1.3.4)
-      activesupport (= 7.1.3.4)
+    actioncable (7.2.3.1)
+      actionpack (= 7.2.3.1)
+      activesupport (= 7.2.3.1)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
       zeitwerk (~> 2.6)
-    actionmailbox (7.1.3.4)
-      actionpack (= 7.1.3.4)
-      activejob (= 7.1.3.4)
-      activerecord (= 7.1.3.4)
-      activestorage (= 7.1.3.4)
-      activesupport (= 7.1.3.4)
-      mail (>= 2.7.1)
-      net-imap
-      net-pop
-      net-smtp
-    actionmailer (7.1.3.4)
-      actionpack (= 7.1.3.4)
-      actionview (= 7.1.3.4)
-      activejob (= 7.1.3.4)
-      activesupport (= 7.1.3.4)
-      mail (~> 2.5, >= 2.5.4)
-      net-imap
-      net-pop
-      net-smtp
+    actionmailbox (7.2.3.1)
+      actionpack (= 7.2.3.1)
+      activejob (= 7.2.3.1)
+      activerecord (= 7.2.3.1)
+      activestorage (= 7.2.3.1)
+      activesupport (= 7.2.3.1)
+      mail (>= 2.8.0)
+    actionmailer (7.2.3.1)
+      actionpack (= 7.2.3.1)
+      actionview (= 7.2.3.1)
+      activejob (= 7.2.3.1)
+      activesupport (= 7.2.3.1)
+      mail (>= 2.8.0)
       rails-dom-testing (~> 2.2)
-    actionpack (7.1.3.4)
-      actionview (= 7.1.3.4)
-      activesupport (= 7.1.3.4)
+    actionpack (7.2.3.1)
+      actionview (= 7.2.3.1)
+      activesupport (= 7.2.3.1)
+      cgi
       nokogiri (>= 1.8.5)
       racc
-      rack (>= 2.2.4)
+      rack (>= 2.2.4, < 3.3)
       rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    actiontext (7.1.3.4)
-      actionpack (= 7.1.3.4)
-      activerecord (= 7.1.3.4)
-      activestorage (= 7.1.3.4)
-      activesupport (= 7.1.3.4)
+      useragent (~> 0.16)
+    actiontext (7.2.3.1)
+      actionpack (= 7.2.3.1)
+      activerecord (= 7.2.3.1)
+      activestorage (= 7.2.3.1)
+      activesupport (= 7.2.3.1)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.1.3.4)
-      activesupport (= 7.1.3.4)
+    actionview (7.2.3.1)
+      activesupport (= 7.2.3.1)
       builder (~> 3.1)
+      cgi
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
@@ -55,67 +52,74 @@ GEM
       ember-data-source (>= 1.13, < 3.0)
     active_model_serializers (0.8.4)
       activemodel (>= 3.0)
-    active_storage_validations (2.0.3)
+    active_storage_validations (2.0.4)
       activejob (>= 6.1.4)
       activemodel (>= 6.1.4)
       activestorage (>= 6.1.4)
       activesupport (>= 6.1.4)
       marcel (>= 1.0.3)
-    activejob (7.1.3.4)
-      activesupport (= 7.1.3.4)
+    activejob (7.2.3.1)
+      activesupport (= 7.2.3.1)
       globalid (>= 0.3.6)
-    activemodel (7.1.3.4)
-      activesupport (= 7.1.3.4)
-    activerecord (7.1.3.4)
-      activemodel (= 7.1.3.4)
-      activesupport (= 7.1.3.4)
+    activemodel (7.2.3.1)
+      activesupport (= 7.2.3.1)
+    activerecord (7.2.3.1)
+      activemodel (= 7.2.3.1)
+      activesupport (= 7.2.3.1)
       timeout (>= 0.4.0)
-    activestorage (7.1.3.4)
-      actionpack (= 7.1.3.4)
-      activejob (= 7.1.3.4)
-      activerecord (= 7.1.3.4)
-      activesupport (= 7.1.3.4)
+    activestorage (7.2.3.1)
+      actionpack (= 7.2.3.1)
+      activejob (= 7.2.3.1)
+      activerecord (= 7.2.3.1)
+      activesupport (= 7.2.3.1)
       marcel (~> 1.0)
-    activesupport (7.1.3.4)
+    activesupport (7.2.3.1)
       base64
+      benchmark (>= 0.3)
       bigdecimal
-      concurrent-ruby (~> 1.0, >= 1.0.2)
+      concurrent-ruby (~> 1.0, >= 1.3.1)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
-      minitest (>= 5.1)
-      mutex_m
-      tzinfo (~> 2.0)
-    acts-as-taggable-on (10.0.0)
-      activerecord (>= 6.1, < 7.2)
-    addressable (2.8.7)
-      public_suffix (>= 2.0.2, < 7.0)
+      logger (>= 1.4.2)
+      minitest (>= 5.1, < 6)
+      securerandom (>= 0.3)
+      tzinfo (~> 2.0, >= 2.0.5)
+    acts-as-taggable-on (12.0.0)
+      activerecord (>= 7.1, < 8.1)
+      zeitwerk (>= 2.4, < 3.0)
+    addressable (2.9.0)
+      public_suffix (>= 2.0.2, < 8.0)
     afm (0.2.2)
-    ahoy_matey (5.1.0)
-      activesupport (>= 6.1)
+    ahoy_matey (5.4.2)
+      activesupport (>= 7.1)
+      cgi
       device_detector (>= 1)
       safely_block (>= 0.4)
-    airbrussh (1.5.2)
+    airbrussh (1.6.1)
       sshkit (>= 1.6.1, != 1.7.0)
     annotaterb (4.10.2)
     appsignal (3.13.1)
       rack
-    ast (2.4.2)
-    aws-eventstream (1.3.0)
-    aws-partitions (1.961.0)
-    aws-sdk-core (3.201.3)
+    ast (2.4.3)
+    aws-eventstream (1.4.0)
+    aws-partitions (1.1236.0)
+    aws-sdk-core (3.244.0)
       aws-eventstream (~> 1, >= 1.3.0)
-      aws-partitions (~> 1, >= 1.651.0)
-      aws-sigv4 (~> 1.8)
+      aws-partitions (~> 1, >= 1.992.0)
+      aws-sigv4 (~> 1.9)
+      base64
+      bigdecimal
       jmespath (~> 1, >= 1.6.1)
-    aws-sdk-kms (1.88.0)
-      aws-sdk-core (~> 3, >= 3.201.0)
+      logger
+    aws-sdk-kms (1.123.0)
+      aws-sdk-core (~> 3, >= 3.244.0)
       aws-sigv4 (~> 1.5)
-    aws-sdk-s3 (1.157.0)
-      aws-sdk-core (~> 3, >= 3.201.0)
+    aws-sdk-s3 (1.219.0)
+      aws-sdk-core (~> 3, >= 3.244.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.5)
-    aws-sigv4 (1.9.1)
+    aws-sigv4 (1.12.1)
       aws-eventstream (~> 1, >= 1.0.2)
     babel-source (5.8.35)
     babel-transpiler (0.7.0)
@@ -125,11 +129,12 @@ GEM
       ember-source (>= 1.0, < 3.1)
       execjs (>= 1.2, < 3)
     base64 (0.1.1)
-    bcrypt (3.1.20)
+    bcrypt (3.1.22)
     bcrypt_pbkdf (1.1.0)
-    bigdecimal (3.1.8)
+    benchmark (0.5.0)
+    bigdecimal (4.1.1)
     bindex (0.8.1)
-    bootsnap (1.18.3)
+    bootsnap (1.23.0)
       msgpack (~> 1.2)
     bootstrap-sass (2.3.2.2)
       sass (~> 3.2)
@@ -137,7 +142,8 @@ GEM
       concurrent-ruby (~> 1.0, >= 1.0.5)
       redis (>= 1.0, < 6)
     builder (3.3.0)
-    byebug (11.1.3)
+    byebug (13.0.0)
+      reline (>= 0.6.0)
     cancancan (3.6.1)
     capistrano (3.18.0)
       airbrussh (>= 1.0.0)
@@ -171,14 +177,15 @@ GEM
       rack-test (>= 0.6.3)
       regexp_parser (>= 1.5, < 3.0)
       xpath (~> 3.2)
-    carrierwave (3.0.7)
+    carrierwave (3.1.2)
       activemodel (>= 6.0.0)
       activesupport (>= 6.0.0)
       addressable (~> 2.6)
       image_processing (~> 1.1)
       marcel (~> 1.0.0)
       ssrf_filter (~> 1.0)
-    chartkick (5.0.7)
+    cgi (0.5.1)
+    chartkick (5.2.1)
     chronic_duration (0.10.6)
       numerizer (~> 0.1.1)
     coffee-rails (5.0.0)
@@ -188,21 +195,21 @@ GEM
       coffee-script-source
       execjs
     coffee-script-source (1.12.2)
-    concurrent-ruby (1.3.5)
-    connection_pool (2.5.0)
+    concurrent-ruby (1.3.6)
+    connection_pool (2.5.5)
     coveralls_reborn (0.28.0)
       simplecov (~> 0.22.0)
       term-ansicolor (~> 1.7)
       thor (~> 1.2)
       tins (~> 1.32)
     crass (1.0.6)
-    database_cleaner (2.0.2)
+    database_cleaner (2.1.0)
       database_cleaner-active_record (>= 2, < 3)
-    database_cleaner-active_record (2.2.0)
+    database_cleaner-active_record (2.2.2)
       activerecord (>= 5.a)
-      database_cleaner-core (~> 2.0.0)
+      database_cleaner-core (~> 2.0)
     database_cleaner-core (2.0.1)
-    date (3.4.1)
+    date (3.5.1)
     device_detector (1.1.3)
     devise (4.9.4)
       bcrypt (~> 3.0)
@@ -210,12 +217,12 @@ GEM
       railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
-    diff-lcs (1.5.1)
+    diff-lcs (1.6.2)
     docile (1.4.1)
     dotenv (2.0.1)
     dotenv-rails (2.0.1)
       dotenv (= 2.0.1)
-    drb (2.2.1)
+    drb (2.2.3)
     ed25519 (1.2.4)
     ember-cli-assets (0.0.37)
     ember-data-source (1.13.0)
@@ -238,59 +245,62 @@ GEM
       railties (>= 4.2)
     ember-source (1.8.0)
       handlebars-source (~> 1.0)
-    erubi (1.13.0)
-    et-orbi (1.2.11)
+    erb (6.0.2)
+    erubi (1.13.1)
+    et-orbi (1.4.0)
       tzinfo
-    execjs (2.9.1)
+    execjs (2.10.1)
     factory_bot (5.2.0)
       activesupport (>= 4.2.0)
     factory_bot_rails (5.2.0)
       factory_bot (~> 5.2.0)
       railties (>= 4.2.0)
-    ffi (1.17.0)
+    ffi (1.17.4)
     file_exists (0.2.0)
-    fugit (1.11.0)
-      et-orbi (~> 1, >= 1.2.11)
+    fugit (1.12.1)
+      et-orbi (~> 1.4)
       raabro (~> 1.4)
     geoip (1.3.5)
-    globalid (1.2.1)
+    globalid (1.3.0)
       activesupport (>= 6.1)
-    gon (6.4.0)
+    gon (6.6.0)
       actionpack (>= 3.0.20)
       i18n (>= 0.7)
       multi_json
       request_store (>= 1.0)
-    groupdate (6.4.0)
-      activesupport (>= 6.1)
+    groupdate (6.7.0)
+      activesupport (>= 7.1)
     handlebars-source (1.0.12)
-    has_scope (0.8.2)
-      actionpack (>= 5.2)
-      activesupport (>= 5.2)
+    has_scope (0.9.0)
+      actionpack (>= 7.0)
+      activesupport (>= 7.0)
     hashery (2.1.2)
     httparty (0.21.0)
       mini_mime (>= 1.0.0)
       multi_xml (>= 0.5.2)
-    i18n (1.14.5)
+    i18n (1.14.8)
       concurrent-ruby (~> 1.0)
-    image_processing (1.13.0)
-      mini_magick (>= 4.9.5, < 5)
+    image_processing (1.14.0)
+      mini_magick (>= 4.9.5, < 6)
       ruby-vips (>= 2.0.17, < 3)
     inherited_resources (1.14.0)
       actionpack (>= 6.0)
       has_scope (>= 0.6)
       railties (>= 6.0)
       responders (>= 2)
-    io-console (0.7.2)
-    irb (1.14.0)
+    io-console (0.8.2)
+    irb (1.17.0)
+      pp (>= 0.6.0)
+      prism (>= 1.3.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
     jmespath (1.6.2)
-    jquery-rails (4.6.0)
+    jquery-rails (4.6.1)
       rails-dom-testing (>= 1, < 3)
       railties (>= 4.2.0)
       thor (>= 0.14, < 2.0)
     jslint_on_rails (1.1.1)
-    json (2.7.2)
+    json (2.19.3)
     json_spec (1.1.5)
       multi_json (~> 1.0)
       rspec (>= 2.0, < 4.0)
@@ -306,65 +316,72 @@ GEM
       activerecord
       kaminari-core (= 1.2.2)
     kaminari-core (1.2.2)
-    language_server-protocol (3.17.0.3)
+    language_server-protocol (3.17.0.5)
     launchy (2.4.3)
       addressable (~> 2.3)
-    listen (3.9.0)
+    lint_roller (1.1.0)
+    listen (3.10.0)
+      logger
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
-    logger (1.6.0)
-    loofah (2.24.0)
+    logger (1.7.0)
+    loofah (2.25.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
-    mail (2.8.1)
+    mail (2.9.0)
+      logger
       mini_mime (>= 0.1.1)
       net-imap
       net-pop
       net-smtp
     marcel (1.0.4)
-    matrix (0.4.2)
-    mini_magick (4.13.2)
+    matrix (0.4.3)
+    mini_magick (5.3.1)
+      logger
     mini_mime (1.1.5)
-    mini_portile2 (2.8.8)
-    minitest (5.24.1)
-    mobility (1.2.9)
+    mini_portile2 (2.8.9)
+    minitest (5.27.0)
+    mize (0.6.1)
+    mobility (1.3.2)
       i18n (>= 0.6.10, < 2)
       request_store (~> 1.0)
-    msgpack (1.7.2)
-    multi_json (1.15.0)
-    multi_xml (0.6.0)
-    mutex_m (0.2.0)
+    msgpack (1.8.0)
+    multi_json (1.19.1)
+    multi_xml (0.8.1)
+      bigdecimal (>= 3.1, < 5)
     nested-hstore (0.1.2)
       activerecord
       activesupport
     nested_form (0.3.2)
-    net-imap (0.4.20)
+    net-imap (0.6.3)
       date
       net-protocol
     net-pop (0.1.2)
       net-protocol
     net-protocol (0.2.2)
       timeout
-    net-scp (4.0.0)
+    net-scp (4.1.0)
       net-ssh (>= 2.6.5, < 8.0.0)
     net-sftp (4.0.0)
       net-ssh (>= 5.0.0, < 8.0.0)
-    net-smtp (0.5.0)
+    net-smtp (0.5.1)
       net-protocol
-    net-ssh (7.2.3)
-    nio4r (2.7.3)
-    nokogiri (1.18.8)
+    net-ssh (7.3.2)
+    nio4r (2.7.5)
+    nokogiri (1.19.2)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     numerizer (0.1.1)
-    oj (3.16.4)
+    oj (3.16.16)
       bigdecimal (>= 3.0)
+      ostruct (>= 0.2)
     orm_adapter (0.5.0)
+    ostruct (0.6.3)
     paper_trail (15.1.0)
       activerecord (>= 6.1)
       request_store (~> 1.4)
-    parallel (1.25.1)
-    parser (3.3.4.0)
+    parallel (1.28.0)
+    parser (3.3.11.1)
       ast (~> 2.4.1)
       racc
     pdf-reader (1.4.1)
@@ -374,69 +391,76 @@ GEM
       ruby-rc4
       ttfunk
     pdfkit (0.8.7.3)
-    pg (1.5.7)
+    pg (1.6.3)
     pg_array_parser (0.0.9)
-    pg_search (2.3.6)
-      activerecord (>= 5.2)
-      activesupport (>= 5.2)
+    pg_search (2.3.7)
+      activerecord (>= 6.1)
+      activesupport (>= 6.1)
+    pp (0.6.3)
+      prettyprint
     prawn (0.13.2)
       pdf-reader (~> 1.2)
       ruby-rc4
       ttfunk (~> 1.0.3)
-    psych (5.1.2)
+    prettyprint (0.2.0)
+    prism (1.9.0)
+    psych (5.3.1)
+      date
       stringio
-    public_suffix (6.0.1)
-    puma (5.6.8)
+    public_suffix (7.0.5)
+    puma (5.6.9)
       nio4r (~> 2.0)
     raabro (1.4.0)
     racc (1.8.1)
-    rack (2.2.14)
+    rack (2.2.23)
     rack-cors (2.0.2)
       rack (>= 2.0.0)
     rack-mini-profiler (2.3.4)
       rack (>= 1.2.0)
     rack-session (1.0.2)
       rack (< 3)
-    rack-test (2.1.0)
+    rack-test (2.2.0)
       rack (>= 1.3)
-    rackup (1.0.0)
+    rackup (1.0.1)
       rack (< 3)
       webrick
-    rails (7.1.3.4)
-      actioncable (= 7.1.3.4)
-      actionmailbox (= 7.1.3.4)
-      actionmailer (= 7.1.3.4)
-      actionpack (= 7.1.3.4)
-      actiontext (= 7.1.3.4)
-      actionview (= 7.1.3.4)
-      activejob (= 7.1.3.4)
-      activemodel (= 7.1.3.4)
-      activerecord (= 7.1.3.4)
-      activestorage (= 7.1.3.4)
-      activesupport (= 7.1.3.4)
+    rails (7.2.3.1)
+      actioncable (= 7.2.3.1)
+      actionmailbox (= 7.2.3.1)
+      actionmailer (= 7.2.3.1)
+      actionpack (= 7.2.3.1)
+      actiontext (= 7.2.3.1)
+      actionview (= 7.2.3.1)
+      activejob (= 7.2.3.1)
+      activemodel (= 7.2.3.1)
+      activerecord (= 7.2.3.1)
+      activestorage (= 7.2.3.1)
+      activesupport (= 7.2.3.1)
       bundler (>= 1.15.0)
-      railties (= 7.1.3.4)
+      railties (= 7.2.3.1)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
       actionview (>= 5.0.1.rc1)
       activesupport (>= 5.0.1.rc1)
-    rails-dom-testing (2.2.0)
+    rails-dom-testing (2.3.0)
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.1)
-      loofah (~> 2.21)
+    rails-html-sanitizer (1.7.0)
+      loofah (~> 2.25)
       nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
-    railties (7.1.3.4)
-      actionpack (= 7.1.3.4)
-      activesupport (= 7.1.3.4)
-      irb
+    railties (7.2.3.1)
+      actionpack (= 7.2.3.1)
+      activesupport (= 7.2.3.1)
+      cgi
+      irb (~> 1.13)
       rackup (>= 1.0.0)
       rake (>= 12.2)
       thor (~> 1.0, >= 1.2.2)
+      tsort (>= 0.2)
       zeitwerk (~> 2.6)
     rainbow (3.1.1)
-    rake (13.2.1)
+    rake (13.3.1)
     rb-fsevent (0.11.2)
     rb-inotify (0.11.1)
       ffi (~> 1.0)
@@ -444,33 +468,37 @@ GEM
       ffi
     rbnacl-libsodium (1.0.16)
       rbnacl (>= 3.0.1)
-    rdoc (6.7.0)
+    rdoc (7.2.0)
+      erb
       psych (>= 4.0.0)
+      tsort
+    readline (0.0.4)
+      reline
     redis (4.8.1)
-    regexp_parser (2.9.2)
-    reline (0.5.9)
+    regexp_parser (2.12.0)
+    reline (0.6.3)
       io-console (~> 0.5)
     request_store (1.7.0)
       rack (>= 1.4)
-    responders (3.1.1)
-      actionpack (>= 5.2)
-      railties (>= 5.2)
-    rexml (3.3.9)
-    rspec (3.13.0)
+    responders (3.2.0)
+      actionpack (>= 7.0)
+      railties (>= 7.0)
+    rexml (3.4.4)
+    rspec (3.13.2)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
       rspec-mocks (~> 3.13.0)
     rspec-collection_matchers (1.2.1)
       rspec-expectations (>= 2.99.0.beta1)
-    rspec-core (3.13.0)
+    rspec-core (3.13.6)
       rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.1)
+    rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.1)
+    rspec-mocks (3.13.8)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-rails (6.1.3)
+    rspec-rails (6.1.5)
       actionpack (>= 6.1)
       activesupport (>= 6.1)
       railties (>= 6.1)
@@ -478,52 +506,55 @@ GEM
       rspec-expectations (~> 3.13)
       rspec-mocks (~> 3.13)
       rspec-support (~> 3.13)
-    rspec-support (3.13.1)
-    rubocop (1.65.1)
+    rspec-support (3.13.7)
+    rubocop (1.86.0)
       json (~> 2.3)
-      language_server-protocol (>= 3.17.0)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
       parallel (~> 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 2.4, < 3.0)
-      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.49.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.31.3)
-      parser (>= 3.3.1.0)
-    rubocop-capybara (2.21.0)
-      rubocop (~> 1.41)
-    rubocop-factory_bot (2.26.1)
-      rubocop (~> 1.61)
-    rubocop-minitest (0.35.1)
-      rubocop (>= 1.61, < 2.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-performance (1.21.1)
-      rubocop (>= 1.48.1, < 2.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-rails (2.25.1)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.49.1)
+      parser (>= 3.3.7.2)
+      prism (~> 1.7)
+    rubocop-capybara (2.22.1)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.72, >= 1.72.1)
+    rubocop-factory_bot (2.28.0)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.72, >= 1.72.1)
+    rubocop-performance (1.26.1)
+      lint_roller (~> 1.1)
+      rubocop (>= 1.75.0, < 2.0)
+      rubocop-ast (>= 1.47.1, < 2.0)
+    rubocop-rails (2.34.3)
       activesupport (>= 4.2.0)
+      lint_roller (~> 1.1)
       rack (>= 1.1)
-      rubocop (>= 1.33.0, < 2.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-rails-omakase (1.0.0)
-      rubocop
-      rubocop-minitest
-      rubocop-performance
-      rubocop-rails
-    rubocop-rspec (3.0.3)
-      rubocop (~> 1.61)
-    rubocop-rspec_rails (2.30.0)
-      rubocop (~> 1.61)
-      rubocop-rspec (~> 3, >= 3.0.1)
+      rubocop (>= 1.75.0, < 2.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
+    rubocop-rails-omakase (1.1.0)
+      rubocop (>= 1.72)
+      rubocop-performance (>= 1.24)
+      rubocop-rails (>= 2.30)
+    rubocop-rspec (3.9.0)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.81)
+    rubocop-rspec_rails (2.32.0)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.72, >= 1.72.1)
+      rubocop-rspec (~> 3.5)
     ruby-progressbar (1.13.0)
     ruby-rc4 (0.1.5)
-    ruby-vips (2.2.2)
+    ruby-vips (2.3.0)
       ffi (~> 1.12)
       logger
-    rubyzip (2.3.2)
-    safely_block (0.4.0)
+    rubyzip (2.4.1)
+    safely_block (0.5.0)
     sass (3.4.25)
     sass-rails (5.1.0)
       railties (>= 5.2.0)
@@ -531,6 +562,7 @@ GEM
       sprockets (>= 2.8, < 4.0)
       sprockets-rails (>= 2.0, < 4.0)
       tilt (>= 1.1, < 3)
+    securerandom (0.4.1)
     selenium-webdriver (4.16.0)
       rexml (~> 3.2, >= 3.2.5)
       rubyzip (>= 1.2.2, < 3.0)
@@ -556,14 +588,14 @@ GEM
       docile (~> 1.1)
       simplecov-html (~> 0.11)
       simplecov_json_formatter (~> 0.1)
-    simplecov-html (0.12.3)
+    simplecov-html (0.13.2)
     simplecov_json_formatter (0.1.4)
     sitemap_generator (6.3.0)
       builder (~> 3.0)
     slackistrano (0.1.9)
       capistrano (>= 3.0.1)
       json
-    spring (4.2.1)
+    spring (4.4.2)
     sprockets (3.7.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
@@ -571,32 +603,40 @@ GEM
       actionpack (>= 6.1)
       activesupport (>= 6.1)
       sprockets (>= 3.0.0)
-    sshkit (1.23.0)
+    sshkit (1.25.0)
       base64
+      logger
       net-scp (>= 1.1.2)
       net-sftp (>= 2.1.2)
       net-ssh (>= 2.8.0)
-    ssrf_filter (1.1.2)
-    stringio (3.1.1)
+      ostruct
+    ssrf_filter (1.5.0)
+    stringio (3.2.0)
     strong_migrations (1.8.0)
       activerecord (>= 5.2)
     susy (2.2.14)
       sass (>= 3.3.0, < 3.5)
     sync (0.5.0)
-    term-ansicolor (1.11.1)
-      tins (~> 1.0)
-    terser (1.2.3)
+    term-ansicolor (1.11.3)
+      tins (~> 1)
+    terser (1.2.7)
       execjs (>= 0.3.0, < 3)
-    thor (1.3.2)
-    tilt (2.4.0)
-    timeout (0.4.3)
-    tins (1.33.0)
+    thor (1.5.0)
+    tilt (2.7.0)
+    timeout (0.6.1)
+    tins (1.52.0)
       bigdecimal
+      mize (~> 0.6)
+      readline
       sync
+    tsort (0.2.0)
     ttfunk (1.0.3)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.5.0)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.2.0)
+    useragent (0.16.11)
     uuidtools (2.2.0)
     warden (1.2.9)
       rack (>= 2.0.9)
@@ -609,17 +649,18 @@ GEM
       nokogiri (~> 1.6)
       rubyzip (>= 1.3.0)
       selenium-webdriver (~> 4.0)
-    webrick (1.8.2)
+    webrick (1.9.2)
     websocket (1.2.11)
-    websocket-driver (0.7.6)
+    websocket-driver (0.8.0)
+      base64
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     wicked (2.0.0)
       railties (>= 3.0.7)
-    wkhtmltopdf-binary (0.12.6.7)
+    wkhtmltopdf-binary (0.12.6.10)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.6.17)
+    zeitwerk (2.7.5)
 
 PLATFORMS
   ruby
@@ -627,7 +668,7 @@ PLATFORMS
 DEPENDENCIES
   active_model_serializers (= 0.8.4)
   active_storage_validations (~> 2.0)
-  acts-as-taggable-on (~> 10.0)
+  acts-as-taggable-on (~> 12.0)
   ahoy_matey (~> 5.0, >= 5.0.2)
   annotaterb (~> 4.10.2)
   appsignal (~> 3.13.1)
@@ -685,7 +726,7 @@ DEPENDENCIES
   puma (~> 5.0)
   rack-cors
   rack-mini-profiler (~> 2.0)
-  rails (= 7.1.3.4)
+  rails (= 7.2.3.1)
   rails-controller-testing
   rbnacl (= 4.0.2)
   rbnacl-libsodium (= 1.0.16)

From b0ecec85e2aeb9a03d122df766c04782e1ec9e2b Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Wed, 8 Apr 2026 12:30:50 +0100
Subject: [PATCH 058/106] chore: bundle exec rails app:update (to Rails 7.2)

---
 bin/rubocop                                   |  8 ++
 bin/setup                                     |  5 ++
 config/environments/development.rb            |  6 +-
 config/environments/test.rb                   |  2 +
 .../0_new_framework_defaults_7_2.rb           | 70 +++++++++++++++
 .../initializers/filter_parameter_logging.rb  |  2 +-
 config/puma.rb                                | 53 ++++++-----
 public/404.html                               | 88 +++++++++----------
 public/422.html                               | 88 +++++++++----------
 public/500.html                               | 88 +++++++++----------
 10 files changed, 245 insertions(+), 165 deletions(-)
 create mode 100755 bin/rubocop
 create mode 100644 config/initializers/0_new_framework_defaults_7_2.rb

diff --git a/bin/rubocop b/bin/rubocop
new file mode 100755
index 000000000..40330c0ff
--- /dev/null
+++ b/bin/rubocop
@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+require "rubygems"
+require "bundler/setup"
+
+# explicit rubocop config increases performance slightly while avoiding config confusion.
+ARGV.unshift("--config", File.expand_path("../.rubocop.yml", __dir__))
+
+load Gem.bin_path("rubocop", "rubocop")
diff --git a/bin/setup b/bin/setup
index 3cd5a9d78..bb61d6ef0 100755
--- a/bin/setup
+++ b/bin/setup
@@ -3,6 +3,7 @@ require "fileutils"
 
 # path to your application root.
 APP_ROOT = File.expand_path("..", __dir__)
+APP_NAME = "sapi"
 
 def system!(*args)
   system(*args, exception: true)
@@ -30,4 +31,8 @@ FileUtils.chdir APP_ROOT do
 
   puts "\n== Restarting application server =="
   system! "bin/rails restart"
+
+  # puts "\n== Configuring puma-dev =="
+  # system "ln -nfs #{APP_ROOT} ~/.puma-dev/#{APP_NAME}"
+  # system "curl -Is https://#{APP_NAME}.test/up | head -n 1"
 end
diff --git a/config/environments/development.rb b/config/environments/development.rb
index f994d2d70..296375591 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -40,6 +40,8 @@
   # Don't care if the mailer can't send.
   config.action_mailer.raise_delivery_errors = false
 
+  # Disable caching for Action Mailer templates even if Action Controller
+  # caching is enabled.
   config.action_mailer.perform_caching = false
 
   # Print deprecation notices to the Rails logger.
@@ -80,12 +82,12 @@
   # config.i18n.raise_on_missing_translations = true
 
   # Annotate rendered view with file names.
-  # config.action_view.annotate_rendered_view_with_filenames = true
+  config.action_view.annotate_rendered_view_with_filenames = true
 
   # Uncomment if you wish to allow Action Cable access from any origin.
   # config.action_cable.disable_request_forgery_protection = true
 
-  # Raise error when a before_action's only/except options reference missing actions
+  # Raise error when a before_action's only/except options reference missing actions.
   config.action_controller.raise_on_missing_callback_actions = true
 
   ###
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 0ecd0a654..6d4d4e6f9 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -38,6 +38,8 @@
   # Store uploaded files on the local file system in a temporary directory.
   config.active_storage.service = :test
 
+  # Disable caching for Action Mailer templates even if Action Controller
+  # caching is enabled.
   config.action_mailer.perform_caching = false
 
   # Tell Action Mailer not to deliver emails to the real world.
diff --git a/config/initializers/0_new_framework_defaults_7_2.rb b/config/initializers/0_new_framework_defaults_7_2.rb
new file mode 100644
index 000000000..b549c4a25
--- /dev/null
+++ b/config/initializers/0_new_framework_defaults_7_2.rb
@@ -0,0 +1,70 @@
+# Be sure to restart your server when you modify this file.
+#
+# This file eases your Rails 7.2 framework defaults upgrade.
+#
+# Uncomment each configuration one by one to switch to the new default.
+# Once your application is ready to run with all new defaults, you can remove
+# this file and set the `config.load_defaults` to `7.2`.
+#
+# Read the Guide for Upgrading Ruby on Rails for more info on each option.
+# https://guides.rubyonrails.org/upgrading_ruby_on_rails.html
+
+###
+# Controls whether Active Job's `#perform_later` and similar methods automatically defer
+# the job queuing to after the current Active Record transaction is committed.
+#
+# Example:
+#   Topic.transaction do
+#     topic = Topic.create(...)
+#     NewTopicNotificationJob.perform_later(topic)
+#   end
+#
+# In this example, if the configuration is set to `:never`, the job will
+# be enqueued immediately, even though the `Topic` hasn't been committed yet.
+# Because of this, if the job is picked up almost immediately, or if the
+# transaction doesn't succeed for some reason, the job will fail to find this
+# topic in the database.
+#
+# If `enqueue_after_transaction_commit` is set to `:default`, the queue adapter
+# will define the behaviour.
+#
+# Note: Active Job backends can disable this feature. This is generally done by
+# backends that use the same database as Active Record as a queue, hence they
+# don't need this feature.
+#++
+# Rails.application.config.active_job.enqueue_after_transaction_commit = :default
+
+###
+# Adds image/webp to the list of content types Active Storage considers as an image
+# Prevents automatic conversion to a fallback PNG, and assumes clients support WebP, as they support gif, jpeg, and png.
+# This is possible due to broad browser support for WebP, but older browsers and email clients may still not support
+# WebP. Requires imagemagick/libvips built with WebP support.
+#++
+# Rails.application.config.active_storage.web_image_content_types = %w[image/png image/jpeg image/gif image/webp]
+
+###
+# Enable validation of migration timestamps. When set, an ActiveRecord::InvalidMigrationTimestampError
+# will be raised if the timestamp prefix for a migration is more than a day ahead of the timestamp
+# associated with the current time. This is done to prevent forward-dating of migration files, which can
+# impact migration generation and other migration commands.
+#
+# Applications with existing timestamped migrations that do not adhere to the
+# expected format can disable validation by setting this config to `false`.
+#++
+# Rails.application.config.active_record.validate_migration_timestamps = true
+
+###
+# Controls whether the PostgresqlAdapter should decode dates automatically with manual queries.
+#
+# Example:
+#   ActiveRecord::ConnectionAdapters::PostgreSQLAdapter.select_value("select '2024-01-01'::date") #=> Date
+#
+# This query used to return a `String`.
+#++
+# Rails.application.config.active_record.postgresql_adapter_decode_dates = true
+
+###
+# Enables YJIT as of Ruby 3.3, to bring sizeable performance improvements. If you are
+# deploying to a memory constrained environment you may want to set this to `false`.
+#++
+# Rails.application.config.yjit = true
diff --git a/config/initializers/filter_parameter_logging.rb b/config/initializers/filter_parameter_logging.rb
index c2d89e28a..c010b83dd 100644
--- a/config/initializers/filter_parameter_logging.rb
+++ b/config/initializers/filter_parameter_logging.rb
@@ -4,5 +4,5 @@
 # Use this to limit dissemination of sensitive information.
 # See the ActiveSupport::ParameterFilter documentation for supported notations and behaviors.
 Rails.application.config.filter_parameters += [
-  :passw, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn
+  :passw, :email, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn
 ]
diff --git a/config/puma.rb b/config/puma.rb
index 58e1c205b..03c166f4c 100644
--- a/config/puma.rb
+++ b/config/puma.rb
@@ -2,34 +2,33 @@
 # are invoked here are part of Puma's configuration DSL. For more information
 # about methods provided by the DSL, see https://puma.io/puma/Puma/DSL.html.
 
-# Puma can serve each request in a thread from an internal thread pool.
-# The `threads` method setting takes two numbers: a minimum and maximum.
-# Any libraries that use thread pools should be configured to match
-# the maximum value specified for Puma. Default is set to 5 threads for minimum
-# and maximum; this matches the default thread size of Active Record.
-max_threads_count = ENV.fetch('RAILS_MAX_THREADS') { 5 }
-min_threads_count = ENV.fetch('RAILS_MIN_THREADS') { max_threads_count }
-threads min_threads_count, max_threads_count
-
-# Specifies that the worker count should equal the number of processors in production.
-if ENV['RAILS_ENV'] == 'production'
-  require 'concurrent-ruby'
-  worker_count = Integer(ENV.fetch('WEB_CONCURRENCY') { Concurrent.physical_processor_count })
-  workers worker_count if worker_count > 1
-end
-
-# Specifies the `worker_timeout` threshold that Puma will use to wait before
-# terminating a worker in development environments.
-worker_timeout 3600 if ENV.fetch('RAILS_ENV', 'development') == 'development'
+# Puma starts a configurable number of processes (workers) and each process
+# serves each request in a thread from an internal thread pool.
+#
+# The ideal number of threads per worker depends both on how much time the
+# application spends waiting for IO operations and on how much you wish to
+# to prioritize throughput over latency.
+#
+# As a rule of thumb, increasing the number of threads will increase how much
+# traffic a given process can handle (throughput), but due to CRuby's
+# Global VM Lock (GVL) it has diminishing returns and will degrade the
+# response time (latency) of the application.
+#
+# The default is set to 3 threads as it's deemed a decent compromise between
+# throughput and latency for the average Rails application.
+#
+# Any libraries that use a connection pool or another resource pool should
+# be configured to provide at least as many connections as the number of
+# threads. This includes Active Record's `pool` parameter in `database.yml`.
+threads_count = ENV.fetch("RAILS_MAX_THREADS", 3)
+threads threads_count, threads_count
 
 # Specifies the `port` that Puma will listen on to receive requests; default is 3000.
-port ENV.fetch('PORT') { 3000 }
-
-# Specifies the `environment` that Puma will run in.
-environment ENV.fetch('RAILS_ENV') { 'development' }
+port ENV.fetch("PORT", 3000)
 
-# Specifies the `pidfile` that Puma will use.
-pidfile ENV.fetch('PIDFILE') { 'tmp/pids/server.pid' }
-
-# Allow puma to be restarted by `rails restart` command.
+# Allow puma to be restarted by `bin/rails restart` command.
 plugin :tmp_restart
+
+# Specify the PID file. Defaults to tmp/pids/server.pid in development.
+# In other environments, only set the PID file if requested.
+pidfile ENV["PIDFILE"] if ENV["PIDFILE"]
diff --git a/public/404.html b/public/404.html
index f028a6e83..2be3af26f 100644
--- a/public/404.html
+++ b/public/404.html
@@ -1,57 +1,56 @@
 <!DOCTYPE html>
 <html>
-
 <head>
   <title>The page you were looking for doesn't exist (404)</title>
   <meta name="viewport" content="width=device-width,initial-scale=1">
   <style>
-    .rails-default-error-page {
-      background-color: #EFEFEF;
-      color: #2E2F30;
-      text-align: center;
-      font-family: arial, sans-serif;
-      margin: 0;
-    }
+  .rails-default-error-page {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+    margin: 0;
+  }
 
-    .rails-default-error-page div.dialog {
-      width: 95%;
-      max-width: 33em;
-      margin: 4em auto 0;
-    }
+  .rails-default-error-page div.dialog {
+    width: 95%;
+    max-width: 33em;
+    margin: 4em auto 0;
+  }
 
-    .rails-default-error-page div.dialog>div {
-      border: 1px solid #CCC;
-      border-right-color: #999;
-      border-left-color: #999;
-      border-bottom-color: #BBB;
-      border-top: #B00100 solid 4px;
-      border-top-left-radius: 9px;
-      border-top-right-radius: 9px;
-      background-color: white;
-      padding: 7px 12% 0;
-      box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
-    }
+  .rails-default-error-page div.dialog > div {
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 12% 0;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
 
-    .rails-default-error-page h1 {
-      font-size: 100%;
-      color: #730E15;
-      line-height: 1.5em;
-    }
+  .rails-default-error-page h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
 
-    .rails-default-error-page div.dialog>p {
-      margin: 0 0 1em;
-      padding: 1em;
-      background-color: #F7F7F7;
-      border: 1px solid #CCC;
-      border-right-color: #999;
-      border-left-color: #999;
-      border-bottom-color: #999;
-      border-bottom-left-radius: 4px;
-      border-bottom-right-radius: 4px;
-      border-top-color: #DADADA;
-      color: #666;
-      box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
-    }
+  .rails-default-error-page div.dialog > p {
+    margin: 0 0 1em;
+    padding: 1em;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
   </style>
 </head>
 
@@ -65,5 +64,4 @@ <h1>The page you were looking for doesn't exist.</h1>
     <p>If you are the application owner check the logs for more information.</p>
   </div>
 </body>
-
 </html>
diff --git a/public/422.html b/public/422.html
index 33dda348e..c08eac0d1 100644
--- a/public/422.html
+++ b/public/422.html
@@ -1,57 +1,56 @@
 <!DOCTYPE html>
 <html>
-
 <head>
   <title>The change you wanted was rejected (422)</title>
   <meta name="viewport" content="width=device-width,initial-scale=1">
   <style>
-    .rails-default-error-page {
-      background-color: #EFEFEF;
-      color: #2E2F30;
-      text-align: center;
-      font-family: arial, sans-serif;
-      margin: 0;
-    }
+  .rails-default-error-page {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+    margin: 0;
+  }
 
-    .rails-default-error-page div.dialog {
-      width: 95%;
-      max-width: 33em;
-      margin: 4em auto 0;
-    }
+  .rails-default-error-page div.dialog {
+    width: 95%;
+    max-width: 33em;
+    margin: 4em auto 0;
+  }
 
-    .rails-default-error-page div.dialog>div {
-      border: 1px solid #CCC;
-      border-right-color: #999;
-      border-left-color: #999;
-      border-bottom-color: #BBB;
-      border-top: #B00100 solid 4px;
-      border-top-left-radius: 9px;
-      border-top-right-radius: 9px;
-      background-color: white;
-      padding: 7px 12% 0;
-      box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
-    }
+  .rails-default-error-page div.dialog > div {
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 12% 0;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
 
-    .rails-default-error-page h1 {
-      font-size: 100%;
-      color: #730E15;
-      line-height: 1.5em;
-    }
+  .rails-default-error-page h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
 
-    .rails-default-error-page div.dialog>p {
-      margin: 0 0 1em;
-      padding: 1em;
-      background-color: #F7F7F7;
-      border: 1px solid #CCC;
-      border-right-color: #999;
-      border-left-color: #999;
-      border-bottom-color: #999;
-      border-bottom-left-radius: 4px;
-      border-bottom-right-radius: 4px;
-      border-top-color: #DADADA;
-      color: #666;
-      box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
-    }
+  .rails-default-error-page div.dialog > p {
+    margin: 0 0 1em;
+    padding: 1em;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
   </style>
 </head>
 
@@ -65,5 +64,4 @@ <h1>The change you wanted was rejected.</h1>
     <p>If you are the application owner check the logs for more information.</p>
   </div>
 </body>
-
 </html>
diff --git a/public/500.html b/public/500.html
index 90beade75..78a030af2 100644
--- a/public/500.html
+++ b/public/500.html
@@ -1,57 +1,56 @@
 <!DOCTYPE html>
 <html>
-
 <head>
   <title>We're sorry, but something went wrong (500)</title>
   <meta name="viewport" content="width=device-width,initial-scale=1">
   <style>
-    .rails-default-error-page {
-      background-color: #EFEFEF;
-      color: #2E2F30;
-      text-align: center;
-      font-family: arial, sans-serif;
-      margin: 0;
-    }
+  .rails-default-error-page {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+    margin: 0;
+  }
 
-    .rails-default-error-page div.dialog {
-      width: 95%;
-      max-width: 33em;
-      margin: 4em auto 0;
-    }
+  .rails-default-error-page div.dialog {
+    width: 95%;
+    max-width: 33em;
+    margin: 4em auto 0;
+  }
 
-    .rails-default-error-page div.dialog>div {
-      border: 1px solid #CCC;
-      border-right-color: #999;
-      border-left-color: #999;
-      border-bottom-color: #BBB;
-      border-top: #B00100 solid 4px;
-      border-top-left-radius: 9px;
-      border-top-right-radius: 9px;
-      background-color: white;
-      padding: 7px 12% 0;
-      box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
-    }
+  .rails-default-error-page div.dialog > div {
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 12% 0;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
 
-    .rails-default-error-page h1 {
-      font-size: 100%;
-      color: #730E15;
-      line-height: 1.5em;
-    }
+  .rails-default-error-page h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
 
-    .rails-default-error-page div.dialog>p {
-      margin: 0 0 1em;
-      padding: 1em;
-      background-color: #F7F7F7;
-      border: 1px solid #CCC;
-      border-right-color: #999;
-      border-left-color: #999;
-      border-bottom-color: #999;
-      border-bottom-left-radius: 4px;
-      border-bottom-right-radius: 4px;
-      border-top-color: #DADADA;
-      color: #666;
-      box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
-    }
+  .rails-default-error-page div.dialog > p {
+    margin: 0 0 1em;
+    padding: 1em;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
   </style>
 </head>
 
@@ -64,5 +63,4 @@ <h1>We're sorry, but something went wrong.</h1>
     <p>If you are the application owner check the logs for more information.</p>
   </div>
 </body>
-
 </html>

From f4a4901eb3c1edd49ca4bec6eeb3f111b6a7d642 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Wed, 8 Apr 2026 14:17:37 +0100
Subject: [PATCH 059/106] chore: Rails 7.2 changes informed by railsdiff and
 FastRuby and official Rails upgrade guides

---
 Gemfile                                   |  6 ++-
 Gemfile.lock                              |  6 ++-
 app/controllers/application_controller.rb |  3 ++
 app/models/ahoy/visit.rb                  |  2 +
 bin/docker-entrypoint                     |  5 ++
 config/environments/test.rb               |  3 ++
 public/406-unsupported-browser.html       | 66 +++++++++++++++++++++++
 7 files changed, 89 insertions(+), 2 deletions(-)
 create mode 100644 public/406-unsupported-browser.html

diff --git a/Gemfile b/Gemfile
index 3c466031c..9e43c0d15 100644
--- a/Gemfile
+++ b/Gemfile
@@ -145,7 +145,11 @@ group :development do
   gem 'bcrypt_pbkdf', '1.1.0'
   gem 'ed25519', '1.2.4'
 
-  # @TODO: bring back when ruby updated to > 2.6 # gem 'net-ssh', '7.0.0.beta1' # openssl 3.0 compatibility @see https://stackoverflow.com/q/72068406/1090438
+  ##
+  # Static analysis for security vulnerabilities [https://brakemanscanner.org/]
+  gem 'brakeman', require: false
+
+  gem 'net-ssh', '7.0.0.beta1'
 end
 
 group :test, :development do
diff --git a/Gemfile.lock b/Gemfile.lock
index b8ba233dd..a401d600b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -138,6 +138,8 @@ GEM
       msgpack (~> 1.2)
     bootstrap-sass (2.3.2.2)
       sass (~> 3.2)
+    brakeman (8.0.4)
+      racc
     brpoplpush-redis_script (0.1.3)
       concurrent-ruby (~> 1.0, >= 1.0.5)
       redis (>= 1.0, < 6)
@@ -366,7 +368,7 @@ GEM
       net-ssh (>= 5.0.0, < 8.0.0)
     net-smtp (0.5.1)
       net-protocol
-    net-ssh (7.3.2)
+    net-ssh (7.0.0.beta1)
     nio4r (2.7.5)
     nokogiri (1.19.2)
       mini_portile2 (~> 2.8.2)
@@ -677,6 +679,7 @@ DEPENDENCIES
   bcrypt_pbkdf (= 1.1.0)
   bootsnap (>= 1.4.4)
   bootstrap-sass (= 2.3.2.2)
+  brakeman
   byebug
   cancancan (~> 3.5)
   capistrano (= 3.18.0)
@@ -715,6 +718,7 @@ DEPENDENCIES
   mobility (~> 1.2, >= 1.2.9)
   nested-hstore (~> 0.1.2)
   nested_form (~> 0.3.2)
+  net-ssh (= 7.0.0.beta1)
   nokogiri (~> 1.18)
   oj (~> 3.16, >= 3.16.3)
   paper_trail (= 15.1.0)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 815be2559..dbb08db6e 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,4 +1,7 @@
 class ApplicationController < ActionController::Base
+  # Only allow modern browsers supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has.
+  allow_browser versions: :modern
+
   before_action :track_who_does_it_current_user
   before_action :set_locale
   before_action :configure_permitted_parameters, if: :devise_controller?
diff --git a/app/models/ahoy/visit.rb b/app/models/ahoy/visit.rb
index 648a62e0e..fb3bfdeca 100644
--- a/app/models/ahoy/visit.rb
+++ b/app/models/ahoy/visit.rb
@@ -48,6 +48,8 @@ class Visit < ApplicationRecord
     # (https://github.com/ankane/ahoy/blob/v1.0.1/lib/generators/ahoy/stores/templates/active_record_visits_migration.rb)
     # However it has changed since version 1.4.0, from `id` to `visit_token`, and from `visitor_id` to `visitor_token`.
     # (https://github.com/ankane/ahoy/blob/v1.4.0/lib/generators/ahoy/stores/templates/active_record_visits_migration.rb)
+    # Note that this will bypass custom methods on the original attribute, which thankfully we don't have:
+    # (https://guides.rubyonrails.org/upgrading_ruby_on_rails.html#alias-attribute-now-bypasses-custom-methods-on-the-original-attribute)
     alias_attribute :visit_token, :id
     alias_attribute :visitor_token, :visitor_id
   end
diff --git a/bin/docker-entrypoint b/bin/docker-entrypoint
index cd970544f..0690f2576 100755
--- a/bin/docker-entrypoint
+++ b/bin/docker-entrypoint
@@ -4,6 +4,11 @@ if [[ "${@}" =~ "rails server" ]]; then
   rm -f ./tmp/pids/server.pid;
 fi
 
+# Enable jemalloc for reduced memory usage and latency.
+if [ -z "${LD_PRELOAD+x}" ] && [ -f /usr/lib/*/libjemalloc.so.2 ]; then
+  export LD_PRELOAD="$(echo /usr/lib/*/libjemalloc.so.2)"
+fi
+
 bundle install
 
 mkdir -p {./,spec/}public/downloads/checklist
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 6d4d4e6f9..67ea3090c 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -29,6 +29,9 @@
   config.action_controller.perform_caching = false
   config.cache_store = :null_store
 
+  # https://guides.rubyonrails.org/upgrading_ruby_on_rails.html#all-tests-now-respect-the-active-job-queue-adapter-config
+  config.active_job.queue_adapter = :test
+
   # Render exception templates for rescuable exceptions and raise for other exceptions.
   config.action_dispatch.show_exceptions = :rescuable
 
diff --git a/public/406-unsupported-browser.html b/public/406-unsupported-browser.html
new file mode 100644
index 000000000..7cf1e168e
--- /dev/null
+++ b/public/406-unsupported-browser.html
@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Your browser is not supported (406)</title>
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <style>
+  .rails-default-error-page {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+    margin: 0;
+  }
+
+  .rails-default-error-page div.dialog {
+    width: 95%;
+    max-width: 33em;
+    margin: 4em auto 0;
+  }
+
+  .rails-default-error-page div.dialog > div {
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 12% 0;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+
+  .rails-default-error-page h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  .rails-default-error-page div.dialog > p {
+    margin: 0 0 1em;
+    padding: 1em;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body class="rails-default-error-page">
+  <!-- This file lives in public/406-unsupported-browser.html -->
+  <div class="dialog">
+    <div>
+      <h1>Your browser is not supported.</h1>
+      <p>Please upgrade your browser to continue.</p>
+    </div>
+  </div>
+</body>
+</html>

From 8815168a7d16aa5058aebcf68fbc8ffb03aa1f11 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Wed, 8 Apr 2026 15:37:31 +0100
Subject: [PATCH 060/106] chore: more dependency upgrades, to fix a sprockets
 build issue

---
 Gemfile                            | 30 ++++++-------
 Gemfile.lock                       | 69 ++++++++++++++++--------------
 app/views/layouts/species.html.erb |  2 +-
 3 files changed, 54 insertions(+), 47 deletions(-)

diff --git a/Gemfile b/Gemfile
index 9e43c0d15..410277377 100644
--- a/Gemfile
+++ b/Gemfile
@@ -14,15 +14,10 @@ gem 'rack-cors'
 gem 'puma', '~> 5.0'
 
 # Use SCSS for stylesheets
-# TODO: Can't upgrade sass-rails to 6.0, it raise the following error when running `RAILS_ENV=staging rake assets:precompile`.
-# SassC::SyntaxError: Error: Invalid CSS after "...in-bottom:-3px;": expected "}", was ".margin-bottom:-3px"
-#         on line 3712:5063 of stdin
-# >> ction=135,Strength=3)";_margin-bottom:-3px;.margin-bottom:-3px;}/*!Add round
-# gem 'sass-rails', '>= 6'
-gem 'sass-rails', '~> 5.0'
+gem 'sass-rails', '~> 6'
 
 # https://stackoverflow.com/questions/55213868/rails-6-how-to-disable-webpack-and-use-sprockets-instead
-gem 'sprockets', '3.7.2'
+gem 'sprockets', '~> 4'
 gem 'sprockets-rails', require: 'sprockets/railtie'
 
 # Use Terser as compressor for JavaScript assets
@@ -98,17 +93,22 @@ gem 'bootsnap', '>= 1.4.4', require: false
 # To use Jbuilder templates for JSON
 # gem 'jbuilder', '~> 2.7'
 
+gem 'erb', '~> 6.0.2'
+
 group :development do
+  ##
   # Adds comments at the top of models describing table column
   # (replaces annotate)
-  gem 'annotaterb', '~> 4.10.2'
+  gem 'annotaterb', '~> 4.22.0'
 
+  ##
   # Access an interactive console on exception pages or by calling 'console' anywhere in the code.
-  gem 'web-console', '>= 4.1.0'
+  gem 'web-console'
+
   # Display performance information such as SQL time and flame graphs for each request in your browser.
   # Can be configured to work on production as well see: https://github.com/MiniProfiler/rack-mini-profiler/blob/master/README.md
-  gem 'rack-mini-profiler', '~> 2.0'
-  gem 'listen', '~> 3.3'
+  gem 'rack-mini-profiler', '~> 4.0.1'
+  gem 'listen', '~> 3.10.0'
   # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
   gem 'spring'
 
@@ -149,11 +149,11 @@ group :development do
   # Static analysis for security vulnerabilities [https://brakemanscanner.org/]
   gem 'brakeman', require: false
 
-  gem 'net-ssh', '7.0.0.beta1'
+  gem 'net-ssh', '7.3.2'
 end
 
 group :test, :development do
-  gem 'rspec-rails', '~> 6.1', '>= 6.1.1'
+  gem 'rspec-rails', '~> 7.1'
   gem 'rspec-collection_matchers', '~> 1.2', '>= 1.2.1'
   gem 'json_spec', '~> 1.1', '>= 1.1.5'
   gem 'database_cleaner', '~> 2.0', '>= 2.0.2'
@@ -170,7 +170,7 @@ group :test do
   gem 'webdrivers'
 
   gem 'rails-controller-testing'
-  gem 'factory_bot_rails', '5.2.0'
+  gem 'factory_bot_rails', '~> 6.5.1'
   gem 'simplecov', '~> 0.22.0', require: false
   gem 'coveralls_reborn', '~> 0.28.0', require: false
 end
@@ -178,7 +178,7 @@ end
 gem 'geoip', '1.3.5' # TODO: no change logs, no idea if safe to update. Latest version is 1.6.4 @ 2018
 
 gem 'request_store', '~> 1.5', '>= 1.5.1'
-gem 'paper_trail', '15.1.0'
+gem 'paper_trail', '~> 17.0.0'
 
 gem 'dotenv-rails', '2.0.1'
 
diff --git a/Gemfile.lock b/Gemfile.lock
index a401d600b..17e836f52 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -98,7 +98,9 @@ GEM
       safely_block (>= 0.4)
     airbrussh (1.6.1)
       sshkit (>= 1.6.1, != 1.7.0)
-    annotaterb (4.10.2)
+    annotaterb (4.22.0)
+      activerecord (>= 6.0.0)
+      activesupport (>= 6.0.0)
     appsignal (3.13.1)
       rack
     ast (2.4.3)
@@ -252,11 +254,11 @@ GEM
     et-orbi (1.4.0)
       tzinfo
     execjs (2.10.1)
-    factory_bot (5.2.0)
-      activesupport (>= 4.2.0)
-    factory_bot_rails (5.2.0)
-      factory_bot (~> 5.2.0)
-      railties (>= 4.2.0)
+    factory_bot (6.5.6)
+      activesupport (>= 6.1.0)
+    factory_bot_rails (6.5.1)
+      factory_bot (~> 6.5)
+      railties (>= 6.1.0)
     ffi (1.17.4)
     file_exists (0.2.0)
     fugit (1.12.1)
@@ -368,7 +370,7 @@ GEM
       net-ssh (>= 5.0.0, < 8.0.0)
     net-smtp (0.5.1)
       net-protocol
-    net-ssh (7.0.0.beta1)
+    net-ssh (7.3.2)
     nio4r (2.7.5)
     nokogiri (1.19.2)
       mini_portile2 (~> 2.8.2)
@@ -379,8 +381,8 @@ GEM
       ostruct (>= 0.2)
     orm_adapter (0.5.0)
     ostruct (0.6.3)
-    paper_trail (15.1.0)
-      activerecord (>= 6.1)
+    paper_trail (17.0.0)
+      activerecord (>= 7.1)
       request_store (~> 1.4)
     parallel (1.28.0)
     parser (3.3.11.1)
@@ -417,7 +419,7 @@ GEM
     rack (2.2.23)
     rack-cors (2.0.2)
       rack (>= 2.0.0)
-    rack-mini-profiler (2.3.4)
+    rack-mini-profiler (4.0.1)
       rack (>= 1.2.0)
     rack-session (1.0.2)
       rack (< 3)
@@ -500,10 +502,10 @@ GEM
     rspec-mocks (3.13.8)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-rails (6.1.5)
-      actionpack (>= 6.1)
-      activesupport (>= 6.1)
-      railties (>= 6.1)
+    rspec-rails (7.1.1)
+      actionpack (>= 7.0)
+      activesupport (>= 7.0)
+      railties (>= 7.0)
       rspec-core (~> 3.13)
       rspec-expectations (~> 3.13)
       rspec-mocks (~> 3.13)
@@ -558,12 +560,16 @@ GEM
     rubyzip (2.4.1)
     safely_block (0.5.0)
     sass (3.4.25)
-    sass-rails (5.1.0)
-      railties (>= 5.2.0)
-      sass (~> 3.1)
-      sprockets (>= 2.8, < 4.0)
-      sprockets-rails (>= 2.0, < 4.0)
-      tilt (>= 1.1, < 3)
+    sass-rails (6.0.0)
+      sassc-rails (~> 2.1, >= 2.1.1)
+    sassc (2.4.0)
+      ffi (~> 1.9)
+    sassc-rails (2.1.2)
+      railties (>= 4.0.0)
+      sassc (>= 2.0)
+      sprockets (> 3.0)
+      sprockets-rails
+      tilt
     securerandom (0.4.1)
     selenium-webdriver (4.16.0)
       rexml (~> 3.2, >= 3.2.5)
@@ -598,7 +604,7 @@ GEM
       capistrano (>= 3.0.1)
       json
     spring (4.4.2)
-    sprockets (3.7.2)
+    sprockets (4.0.3)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
     sprockets-rails (3.5.2)
@@ -672,7 +678,7 @@ DEPENDENCIES
   active_storage_validations (~> 2.0)
   acts-as-taggable-on (~> 12.0)
   ahoy_matey (~> 5.0, >= 5.0.2)
-  annotaterb (~> 4.10.2)
+  annotaterb (~> 4.22.0)
   appsignal (~> 3.13.1)
   aws-sdk-s3 (~> 1.143)
   base64 (= 0.1.1)
@@ -702,7 +708,8 @@ DEPENDENCIES
   ember-data-source (= 1.13.0)
   ember-rails (~> 0.21.0)
   ember-source (= 1.8.0)
-  factory_bot_rails (= 5.2.0)
+  erb (~> 6.0.2)
+  factory_bot_rails (~> 6.5.1)
   file_exists (~> 0.2.0)
   geoip (= 1.3.5)
   gon (~> 6.4)
@@ -714,14 +721,14 @@ DEPENDENCIES
   json_spec (~> 1.1, >= 1.1.5)
   kaminari (~> 1.2, >= 1.2.2)
   launchy (= 2.4.3)
-  listen (~> 3.3)
+  listen (~> 3.10.0)
   mobility (~> 1.2, >= 1.2.9)
   nested-hstore (~> 0.1.2)
   nested_form (~> 0.3.2)
-  net-ssh (= 7.0.0.beta1)
+  net-ssh (= 7.3.2)
   nokogiri (~> 1.18)
   oj (~> 3.16, >= 3.16.3)
-  paper_trail (= 15.1.0)
+  paper_trail (~> 17.0.0)
   pdfkit (~> 0.8.7.3)
   pg (~> 1.5, >= 1.5.4)
   pg_array_parser (~> 0.0.9)
@@ -729,7 +736,7 @@ DEPENDENCIES
   prawn (= 0.13.2)
   puma (~> 5.0)
   rack-cors
-  rack-mini-profiler (~> 2.0)
+  rack-mini-profiler (~> 4.0.1)
   rails (= 7.2.3.1)
   rails-controller-testing
   rbnacl (= 4.0.2)
@@ -738,7 +745,7 @@ DEPENDENCIES
   request_store (~> 1.5, >= 1.5.1)
   responders (~> 3.1, >= 3.1.1)
   rspec-collection_matchers (~> 1.2, >= 1.2.1)
-  rspec-rails (~> 6.1, >= 6.1.1)
+  rspec-rails (~> 7.1)
   rubocop
   rubocop-capybara
   rubocop-factory_bot
@@ -747,7 +754,7 @@ DEPENDENCIES
   rubocop-rspec
   rubocop-rspec_rails
   rubyzip (~> 2.3, >= 2.3.2)
-  sass-rails (~> 5.0)
+  sass-rails (~> 6)
   selenium-webdriver (>= 4.0.0.rc1)
   sidekiq (< 7)
   sidekiq-cron (~> 1.12)
@@ -757,13 +764,13 @@ DEPENDENCIES
   sitemap_generator (~> 6.3)
   slackistrano (= 0.1.9)
   spring
-  sprockets (= 3.7.2)
+  sprockets (~> 4)
   sprockets-rails
   strong_migrations (~> 1.7)
   susy (~> 2.2, >= 2.2.14)
   terser (~> 1.2.3)
   uuidtools (~> 2.2)
-  web-console (>= 4.1.0)
+  web-console
   webdrivers
   wicked (= 2.0.0)
   wkhtmltopdf-binary (~> 0.12.6.6)
diff --git a/app/views/layouts/species.html.erb b/app/views/layouts/species.html.erb
index 054f63979..eccb413dc 100644
--- a/app/views/layouts/species.html.erb
+++ b/app/views/layouts/species.html.erb
@@ -8,7 +8,7 @@
     <meta name="description" content="">
     <meta name="author" content="">
 
-    <%= stylesheet_link_tag    "species" %>
+    <%= stylesheet_link_tag "species" %>
     <script type="text/javascript">
       EmberENV = {FEATURES: {'query-params-new' : true}};
     </script>

From 5fdd94d373e1e2e08f31c22512562919f80068ce Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Wed, 8 Apr 2026 15:50:02 +0100
Subject: [PATCH 061/106] chore: upgrade target version in .rubocop.yml

---
 .rubocop.yml                                        |  4 ++--
 config/initializers/0_new_framework_defaults_7_2.rb | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.rubocop.yml b/.rubocop.yml
index 0d729d038..e0992f781 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -12,8 +12,8 @@ require:
 Rails:
   Enabled: true
 AllCops:
-  TargetRubyVersion: 3.2.5
-  TargetRailsVersion: 7.1
+  TargetRubyVersion: 3.2
+  TargetRailsVersion: 7.2
 
 Style/StringLiterals:
   EnforcedStyle: single_quotes
diff --git a/config/initializers/0_new_framework_defaults_7_2.rb b/config/initializers/0_new_framework_defaults_7_2.rb
index b549c4a25..683cc7b63 100644
--- a/config/initializers/0_new_framework_defaults_7_2.rb
+++ b/config/initializers/0_new_framework_defaults_7_2.rb
@@ -32,7 +32,7 @@
 # backends that use the same database as Active Record as a queue, hence they
 # don't need this feature.
 #++
-# Rails.application.config.active_job.enqueue_after_transaction_commit = :default
+Rails.application.config.active_job.enqueue_after_transaction_commit = :default
 
 ###
 # Adds image/webp to the list of content types Active Storage considers as an image
@@ -40,7 +40,7 @@
 # This is possible due to broad browser support for WebP, but older browsers and email clients may still not support
 # WebP. Requires imagemagick/libvips built with WebP support.
 #++
-# Rails.application.config.active_storage.web_image_content_types = %w[image/png image/jpeg image/gif image/webp]
+Rails.application.config.active_storage.web_image_content_types = %w[image/png image/jpeg image/gif image/webp]
 
 ###
 # Enable validation of migration timestamps. When set, an ActiveRecord::InvalidMigrationTimestampError
@@ -51,7 +51,7 @@
 # Applications with existing timestamped migrations that do not adhere to the
 # expected format can disable validation by setting this config to `false`.
 #++
-# Rails.application.config.active_record.validate_migration_timestamps = true
+Rails.application.config.active_record.validate_migration_timestamps = true
 
 ###
 # Controls whether the PostgresqlAdapter should decode dates automatically with manual queries.
@@ -61,10 +61,10 @@
 #
 # This query used to return a `String`.
 #++
-# Rails.application.config.active_record.postgresql_adapter_decode_dates = true
+Rails.application.config.active_record.postgresql_adapter_decode_dates = true
 
 ###
 # Enables YJIT as of Ruby 3.3, to bring sizeable performance improvements. If you are
 # deploying to a memory constrained environment you may want to set this to `false`.
 #++
-# Rails.application.config.yjit = true
+Rails.application.config.yjit = true

From 3dddf49a9ed57ed79baa15a57c20979e4c51cab0 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Wed, 8 Apr 2026 15:55:48 +0100
Subject: [PATCH 062/106] chore: add Rails 7.2 upgrade to changelog

---
 CHANGELOG.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0c88f2f20..9eff57692 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,15 @@
+### 1.22.0
+
+**Rails 7.2 Upgrade**
+The primary goal of this release is to upgrade the Rails version without causing
+any breaking changes to functionality.
+
+* Upgrades Rails 7.1.3.4 to 7.2.3.1
+* Some dependency updates/changes allowed or required by the above:
+  * Upgraded `sprockets` from 3.7.2 to 4.0.3
+  * Upgraded `papertrail` from 15.1.0 to 17.0.0
+  * Upgraded `acts-as-taggable-on` from 10.0.0 to 12.0.0
+
 ### 1.21.2
 
 **Species+**

From bad866e4c4ebb3180bfa338e140f80a5c60d798b Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 9 Apr 2026 11:32:25 +0100
Subject: [PATCH 063/106] fix: Open Sans is not loading after sprockets upgrade

https://github.com/rails/sprockets/issues/785
---
 app/assets/stylesheets/mobile/mobile.scss | 2 --
 app/assets/stylesheets/species/all.scss   | 1 -
 app/views/layouts/mobile.html.erb         | 4 ++++
 app/views/layouts/species.html.erb        | 4 ++++
 4 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/app/assets/stylesheets/mobile/mobile.scss b/app/assets/stylesheets/mobile/mobile.scss
index b4a7ddb10..efff1051d 100644
--- a/app/assets/stylesheets/mobile/mobile.scss
+++ b/app/assets/stylesheets/mobile/mobile.scss
@@ -1,6 +1,4 @@
 // Settings (mobile-first)
-@import url('https://fonts.googleapis.com/css2?family=Open+Sans:wght@400;600;700&display=swap');
-
 $navy: #253848;
 $black: #2D2D2D;
 $medium-grey: #dddddd;
diff --git a/app/assets/stylesheets/species/all.scss b/app/assets/stylesheets/species/all.scss
index b28ec7f5e..a18e844fb 100755
--- a/app/assets/stylesheets/species/all.scss
+++ b/app/assets/stylesheets/species/all.scss
@@ -3,7 +3,6 @@
    License: none (public domain)
 */
 
-@import url(https://fonts.googleapis.com/css?family=Open+Sans:400italic,700italic,400,600,700);
 @import './variables';
 
 html, body, div, span, applet, object, iframe, h1, h2, h3, h4, h5, h6, p, blockquote, pre, a, abbr, acronym, address, big, cite, code, del, dfn, em, img, ins, kbd, q, s, samp, small, strike, strong, sub, sup, tt, var, b, u, i, center, dl, dt, dd, ol, ul, li, fieldset, form, label, legend, table, caption, tbody, tfoot, thead, tr, th, td, article, aside, canvas, details, embed, figure, figcaption, footer, header, hgroup, menu, nav, output, ruby, section, summary, time, mark, audio, video {
diff --git a/app/views/layouts/mobile.html.erb b/app/views/layouts/mobile.html.erb
index f37c2e414..eef38bf48 100644
--- a/app/views/layouts/mobile.html.erb
+++ b/app/views/layouts/mobile.html.erb
@@ -7,6 +7,10 @@
   <meta name="description" content="">
   <meta name="author" content="">
 
+  <style lang="text/css">
+    @import url(//fonts.googleapis.com/css2?family=Open+Sans:wght@400;600;700&display=swap);
+  </style>
+
   <%= stylesheet_link_tag "mobile" %>
   <%= javascript_include_tag "application" %>
   <%= csrf_meta_tags %>
diff --git a/app/views/layouts/species.html.erb b/app/views/layouts/species.html.erb
index eccb413dc..10a4f6590 100644
--- a/app/views/layouts/species.html.erb
+++ b/app/views/layouts/species.html.erb
@@ -8,6 +8,10 @@
     <meta name="description" content="">
     <meta name="author" content="">
 
+    <style lang="text/css">
+      @import url(//fonts.googleapis.com/css?family=Open+Sans:400italic,700italic,400,600,700);
+    </style>
+
     <%= stylesheet_link_tag "species" %>
     <script type="text/javascript">
       EmberENV = {FEATURES: {'query-params-new' : true}};

From 0c6886d6a8aea63e3b2b769e3e381e82715620ac Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Wed, 8 Apr 2026 16:13:54 +0100
Subject: [PATCH 064/106] chore: Upgrade Ruby to 3.4.9

---
 .rubocop.yml          |  2 +-
 .ruby-version         |  2 +-
 CHANGELOG.md          |  1 +
 Dockerfile            |  4 ++--
 Dockerfile.cap-deploy |  6 +++---
 Gemfile               |  7 ++++---
 Gemfile.lock          | 22 +++++++++++++---------
 config/deploy.rb      |  2 +-
 8 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/.rubocop.yml b/.rubocop.yml
index e0992f781..fe16dfcf9 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -12,7 +12,7 @@ require:
 Rails:
   Enabled: true
 AllCops:
-  TargetRubyVersion: 3.2
+  TargetRubyVersion: 3.4
   TargetRailsVersion: 7.2
 
 Style/StringLiterals:
diff --git a/.ruby-version b/.ruby-version
index 5ae69bd5f..7bcbb3808 100644
--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-3.2.5
+3.4.9
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9eff57692..a283f2969 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ The primary goal of this release is to upgrade the Rails version without causing
 any breaking changes to functionality.
 
 * Upgrades Rails 7.1.3.4 to 7.2.3.1
+* Upgrades Ruby 3.2.5 to 3.4.9
 * Some dependency updates/changes allowed or required by the above:
   * Upgraded `sprockets` from 3.7.2 to 4.0.3
   * Upgraded `papertrail` from 15.1.0 to 17.0.0
diff --git a/Dockerfile b/Dockerfile
index 5b18e7dcc..05554313b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,7 @@
 # or SUS-ORS project.
 
 # Dockerfile
-FROM ruby:3.2.5
+FROM ruby:3.4.9
 
 # Rails and SAPI has some additional dependencies, e.g. rake requires a JS
 # runtime, so attempt to get these from apt, where possible
@@ -25,7 +25,7 @@ WORKDIR /SAPI
 # Don't need to do these, as we have done this with Docker bindings
 #   COPY Gemfile /SAPI/Gemfile
 #   COPY Gemfile.lock /SAPI/Gemfile.lock
-RUN gem install bundler -v 2.5.17
+RUN gem install bundler -v 4.0.10
 
 ##
 # This happens in the entrypoint
diff --git a/Dockerfile.cap-deploy b/Dockerfile.cap-deploy
index 377c091fc..f7845c6d5 100644
--- a/Dockerfile.cap-deploy
+++ b/Dockerfile.cap-deploy
@@ -1,5 +1,5 @@
 # Dockerfile
-FROM ruby:3.2.5
+FROM ruby:3.4.9
 
 ENV DEBIAN_FRONTEND=noninteractive
 # Rails and SAPI has some additional dependencies, e.g. rake requires a JS
@@ -20,7 +20,7 @@ WORKDIR /SAPI
 # https://stackoverflow.com/questions/43612927/how-to-correctly-install-rvm-in-docker
 RUN gpg --keyserver keyserver.ubuntu.com --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
 RUN curl -sSL https://get.rvm.io | bash -s
-RUN /bin/bash -l -c ". /etc/profile.d/rvm.sh && rvm install 3.2.5"
+RUN /bin/bash -l -c ". /etc/profile.d/rvm.sh && rvm install 3.4.9"
 # RVM installed in multi-user mode. However cap assume rvm is installed in single user mode.
 # Create a soft link to fake it.
 RUN mkdir -p ~/.rvm/bin && ln -s /usr/local/rvm/bin/rvm ~/.rvm/bin/rvm
@@ -30,7 +30,7 @@ COPY Gemfile.lock /SAPI/Gemfile.lock
 
 ENV BUNDLE_SILENCE_ROOT_WARNING=1
 RUN /bin/bash -c "source /etc/profile.d/rvm.sh \
-  && gem install bundler:2.5.17 \
+  && gem install bundler:4.0.10 \
   && bundle"
 
 ENTRYPOINT ["/bin/bash", "-l"]
diff --git a/Gemfile b/Gemfile
index 410277377..7f91875a6 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-ruby '3.2.5'
+ruby '3.4.9'
 
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
 gem 'rails', '7.2.3.1'
@@ -48,6 +48,7 @@ gem 'devise', '~> 4.9', '>= 4.9.3'
 gem 'cancancan', '~> 3.5'
 gem 'ahoy_matey', '~> 5.0', '>= 5.0.2'
 gem 'uuidtools', '~> 2.2' # For Ahoy. (https://github.com/ankane/ahoy/blob/v2.2.1/docs/Ahoy-2-Upgrade.md#activerecordstore)
+gem 'csv', '~> 3.3.5' # no longer a default gem from Ruby 3.4.0 onwards
 
 gem 'wicked', '2.0.0'
 
@@ -165,7 +166,7 @@ end
 group :test do
   # Adds support for Capybara system testing and selenium driver
   gem 'capybara', '>= 3.26'
-  gem 'selenium-webdriver', '>= 4.0.0.rc1'
+  gem 'selenium-webdriver', '~> 4.41'
   # Easy installation and use of web drivers to run system tests with browsers
   gem 'webdrivers'
 
@@ -232,4 +233,4 @@ gem 'handlebars-source', '1.0.12' # TODO: just a wrapwrapper. Any update will ch
 #
 # It might be possible to fix this if we had an nginx version which supported
 # the config: `passenger_preload_bundler on;`
-gem 'base64', '0.1.1'
+gem 'base64', '0.2.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index 17e836f52..eb3f1aa12 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -130,7 +130,7 @@ GEM
     barber (0.12.2)
       ember-source (>= 1.0, < 3.1)
       execjs (>= 1.2, < 3)
-    base64 (0.1.1)
+    base64 (0.2.0)
     bcrypt (3.1.22)
     bcrypt_pbkdf (1.1.0)
     benchmark (0.5.0)
@@ -207,6 +207,7 @@ GEM
       thor (~> 1.2)
       tins (~> 1.32)
     crass (1.0.6)
+    csv (3.3.5)
     database_cleaner (2.1.0)
       database_cleaner-active_record (>= 2, < 3)
     database_cleaner-active_record (2.2.2)
@@ -259,7 +260,7 @@ GEM
     factory_bot_rails (6.5.1)
       factory_bot (~> 6.5)
       railties (>= 6.1.0)
-    ffi (1.17.4)
+    ffi (1.17.4-x86_64-linux-gnu)
     file_exists (0.2.0)
     fugit (1.12.1)
       et-orbi (~> 1.4)
@@ -395,7 +396,7 @@ GEM
       ruby-rc4
       ttfunk
     pdfkit (0.8.7.3)
-    pg (1.6.3)
+    pg (1.6.3-x86_64-linux)
     pg_array_parser (0.0.9)
     pg_search (2.3.7)
       activerecord (>= 6.1)
@@ -571,9 +572,11 @@ GEM
       sprockets-rails
       tilt
     securerandom (0.4.1)
-    selenium-webdriver (4.16.0)
+    selenium-webdriver (4.41.0)
+      base64 (~> 0.2)
+      logger (~> 1.4)
       rexml (~> 3.2, >= 3.2.5)
-      rubyzip (>= 1.2.2, < 3.0)
+      rubyzip (>= 1.2.2, < 4.0)
       websocket (~> 1.0)
     sidekiq (6.5.12)
       connection_pool (>= 2.2.5, < 3)
@@ -671,7 +674,7 @@ GEM
     zeitwerk (2.7.5)
 
 PLATFORMS
-  ruby
+  x86_64-linux-gnu
 
 DEPENDENCIES
   active_model_serializers (= 0.8.4)
@@ -681,7 +684,7 @@ DEPENDENCIES
   annotaterb (~> 4.22.0)
   appsignal (~> 3.13.1)
   aws-sdk-s3 (~> 1.143)
-  base64 (= 0.1.1)
+  base64 (= 0.2.0)
   bcrypt_pbkdf (= 1.1.0)
   bootsnap (>= 1.4.4)
   bootstrap-sass (= 2.3.2.2)
@@ -701,6 +704,7 @@ DEPENDENCIES
   chartkick (~> 5.0, >= 5.0.5)
   coffee-rails (~> 5.0)
   coveralls_reborn (~> 0.28.0)
+  csv (~> 3.3.5)
   database_cleaner (~> 2.0, >= 2.0.2)
   devise (~> 4.9, >= 4.9.3)
   dotenv-rails (= 2.0.1)
@@ -755,7 +759,7 @@ DEPENDENCIES
   rubocop-rspec_rails
   rubyzip (~> 2.3, >= 2.3.2)
   sass-rails (~> 6)
-  selenium-webdriver (>= 4.0.0.rc1)
+  selenium-webdriver (~> 4.41)
   sidekiq (< 7)
   sidekiq-cron (~> 1.12)
   sidekiq-status (~> 3.0, >= 3.0.3)
@@ -776,7 +780,7 @@ DEPENDENCIES
   wkhtmltopdf-binary (~> 0.12.6.6)
 
 RUBY VERSION
-   ruby 3.2.5p208
+   ruby 3.4.9p82
 
 BUNDLED WITH
    2.5.17
diff --git a/config/deploy.rb b/config/deploy.rb
index ce0f0d011..f0a1295f9 100644
--- a/config/deploy.rb
+++ b/config/deploy.rb
@@ -20,7 +20,7 @@
 # set :format, :pretty
 
 set :rvm_type, :user
-set :rvm_ruby_version, '3.2.5'
+set :rvm_ruby_version, '3.4.9'
 
 # Sidekiq config
 set :sidekiq_service_unit_user, :system

From 95b496c78e26bb0fb2bf0ab678bc0b36258b8916 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 9 Apr 2026 12:17:16 +0100
Subject: [PATCH 065/106] chore: update bundler version

---
 Dockerfile            | 12 +++++++-----
 Dockerfile.cap-deploy |  6 ++++--
 Gemfile.lock          |  4 ++--
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 05554313b..5ce6e24a8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,11 +21,13 @@ RUN apt-get update && apt-get install -y --force-yes \
 RUN mkdir /SAPI
 WORKDIR /SAPI
 
-#
-# Don't need to do these, as we have done this with Docker bindings
-#   COPY Gemfile /SAPI/Gemfile
-#   COPY Gemfile.lock /SAPI/Gemfile.lock
-RUN gem install bundler -v 4.0.10
+COPY Gemfile.lock /SAPI/Gemfile.lock
+
+RUN grep -A1 '^BUNDLED WITH$' Gemfile.lock | tail -n1 | tr -d ' ' \
+  | xargs -I _BUNDLER_VERSION_ gem install bundler -v _BUNDLER_VERSION_
+
+# Don't this any more, as we get it with Docker bindings
+RUN rm /SAPI/Gemfile.lock
 
 ##
 # This happens in the entrypoint
diff --git a/Dockerfile.cap-deploy b/Dockerfile.cap-deploy
index f7845c6d5..dab0ef354 100644
--- a/Dockerfile.cap-deploy
+++ b/Dockerfile.cap-deploy
@@ -29,9 +29,11 @@ COPY Gemfile /SAPI/Gemfile
 COPY Gemfile.lock /SAPI/Gemfile.lock
 
 ENV BUNDLE_SILENCE_ROOT_WARNING=1
+
 RUN /bin/bash -c "source /etc/profile.d/rvm.sh \
-  && gem install bundler:4.0.10 \
-  && bundle"
+  && grep -A1 '^BUNDLED WITH$' Gemfile.lock | tail -n1 | tr -d ' ' \
+  | xargs -I _BUNDLER_VERSION_ gem install bundler -v _BUNDLER_VERSION_ \
+  && bundle install"
 
 ENTRYPOINT ["/bin/bash", "-l"]
 
diff --git a/Gemfile.lock b/Gemfile.lock
index eb3f1aa12..6e20c7836 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -780,7 +780,7 @@ DEPENDENCIES
   wkhtmltopdf-binary (~> 0.12.6.6)
 
 RUBY VERSION
-   ruby 3.4.9p82
+  ruby 3.4.9p82
 
 BUNDLED WITH
-   2.5.17
+  4.0.10

From fbd719f02d4f03ab07d4df19867006b5a1a128d7 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 9 Apr 2026 13:08:05 +0100
Subject: [PATCH 066/106] chore: upgrade rails to 8.0.5

---
 .rubocop.yml |   2 +-
 CHANGELOG.md |   2 +-
 Gemfile      |   2 +-
 Gemfile.lock | 149 +++++++++++++++++++++++++--------------------------
 4 files changed, 77 insertions(+), 78 deletions(-)

diff --git a/.rubocop.yml b/.rubocop.yml
index fe16dfcf9..dbcb46b2c 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -13,7 +13,7 @@ Rails:
   Enabled: true
 AllCops:
   TargetRubyVersion: 3.4
-  TargetRailsVersion: 7.2
+  TargetRailsVersion: 8.0
 
 Style/StringLiterals:
   EnforcedStyle: single_quotes
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a283f2969..ac7ab1bba 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,7 @@
 The primary goal of this release is to upgrade the Rails version without causing
 any breaking changes to functionality.
 
-* Upgrades Rails 7.1.3.4 to 7.2.3.1
+* Upgrades Rails 7.1.3.4 to 8.0.5
 * Upgrades Ruby 3.2.5 to 3.4.9
 * Some dependency updates/changes allowed or required by the above:
   * Upgraded `sprockets` from 3.7.2 to 4.0.3
diff --git a/Gemfile b/Gemfile
index 7f91875a6..38bdd2378 100644
--- a/Gemfile
+++ b/Gemfile
@@ -3,7 +3,7 @@ source 'https://rubygems.org'
 ruby '3.4.9'
 
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rails', '7.2.3.1'
+gem 'rails', '8.0.5'
 
 # Configure Cross-Origin resource sharing
 gem 'rack-cors'
diff --git a/Gemfile.lock b/Gemfile.lock
index 6e20c7836..d7ea6c3bc 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -2,49 +2,46 @@ GEM
   remote: https://rubygems.org/
   specs:
     Ascii85 (1.0.3)
-    actioncable (7.2.3.1)
-      actionpack (= 7.2.3.1)
-      activesupport (= 7.2.3.1)
+    actioncable (8.0.5)
+      actionpack (= 8.0.5)
+      activesupport (= 8.0.5)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
       zeitwerk (~> 2.6)
-    actionmailbox (7.2.3.1)
-      actionpack (= 7.2.3.1)
-      activejob (= 7.2.3.1)
-      activerecord (= 7.2.3.1)
-      activestorage (= 7.2.3.1)
-      activesupport (= 7.2.3.1)
+    actionmailbox (8.0.5)
+      actionpack (= 8.0.5)
+      activejob (= 8.0.5)
+      activerecord (= 8.0.5)
+      activestorage (= 8.0.5)
+      activesupport (= 8.0.5)
       mail (>= 2.8.0)
-    actionmailer (7.2.3.1)
-      actionpack (= 7.2.3.1)
-      actionview (= 7.2.3.1)
-      activejob (= 7.2.3.1)
-      activesupport (= 7.2.3.1)
+    actionmailer (8.0.5)
+      actionpack (= 8.0.5)
+      actionview (= 8.0.5)
+      activejob (= 8.0.5)
+      activesupport (= 8.0.5)
       mail (>= 2.8.0)
       rails-dom-testing (~> 2.2)
-    actionpack (7.2.3.1)
-      actionview (= 7.2.3.1)
-      activesupport (= 7.2.3.1)
-      cgi
+    actionpack (8.0.5)
+      actionview (= 8.0.5)
+      activesupport (= 8.0.5)
       nokogiri (>= 1.8.5)
-      racc
-      rack (>= 2.2.4, < 3.3)
+      rack (>= 2.2.4)
       rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
       useragent (~> 0.16)
-    actiontext (7.2.3.1)
-      actionpack (= 7.2.3.1)
-      activerecord (= 7.2.3.1)
-      activestorage (= 7.2.3.1)
-      activesupport (= 7.2.3.1)
+    actiontext (8.0.5)
+      actionpack (= 8.0.5)
+      activerecord (= 8.0.5)
+      activestorage (= 8.0.5)
+      activesupport (= 8.0.5)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.2.3.1)
-      activesupport (= 7.2.3.1)
+    actionview (8.0.5)
+      activesupport (= 8.0.5)
       builder (~> 3.1)
-      cgi
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
@@ -58,22 +55,22 @@ GEM
       activestorage (>= 6.1.4)
       activesupport (>= 6.1.4)
       marcel (>= 1.0.3)
-    activejob (7.2.3.1)
-      activesupport (= 7.2.3.1)
+    activejob (8.0.5)
+      activesupport (= 8.0.5)
       globalid (>= 0.3.6)
-    activemodel (7.2.3.1)
-      activesupport (= 7.2.3.1)
-    activerecord (7.2.3.1)
-      activemodel (= 7.2.3.1)
-      activesupport (= 7.2.3.1)
+    activemodel (8.0.5)
+      activesupport (= 8.0.5)
+    activerecord (8.0.5)
+      activemodel (= 8.0.5)
+      activesupport (= 8.0.5)
       timeout (>= 0.4.0)
-    activestorage (7.2.3.1)
-      actionpack (= 7.2.3.1)
-      activejob (= 7.2.3.1)
-      activerecord (= 7.2.3.1)
-      activesupport (= 7.2.3.1)
+    activestorage (8.0.5)
+      actionpack (= 8.0.5)
+      activejob (= 8.0.5)
+      activerecord (= 8.0.5)
+      activesupport (= 8.0.5)
       marcel (~> 1.0)
-    activesupport (7.2.3.1)
+    activesupport (8.0.5)
       base64
       benchmark (>= 0.3)
       bigdecimal
@@ -82,17 +79,18 @@ GEM
       drb
       i18n (>= 1.6, < 2)
       logger (>= 1.4.2)
-      minitest (>= 5.1, < 6)
+      minitest (>= 5.1)
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
+      uri (>= 0.13.1)
     acts-as-taggable-on (12.0.0)
       activerecord (>= 7.1, < 8.1)
       zeitwerk (>= 2.4, < 3.0)
     addressable (2.9.0)
       public_suffix (>= 2.0.2, < 8.0)
     afm (0.2.2)
-    ahoy_matey (5.4.2)
-      activesupport (>= 7.1)
+    ahoy_matey (5.5.0)
+      activesupport (>= 7.2)
       cgi
       device_detector (>= 1)
       safely_block (>= 0.4)
@@ -105,7 +103,7 @@ GEM
       rack
     ast (2.4.3)
     aws-eventstream (1.4.0)
-    aws-partitions (1.1236.0)
+    aws-partitions (1.1237.0)
     aws-sdk-core (3.244.0)
       aws-eventstream (~> 1, >= 1.3.0)
       aws-partitions (~> 1, >= 1.992.0)
@@ -273,8 +271,8 @@ GEM
       i18n (>= 0.7)
       multi_json
       request_store (>= 1.0)
-    groupdate (6.7.0)
-      activesupport (>= 7.1)
+    groupdate (6.8.0)
+      activesupport (>= 7.2)
     handlebars-source (1.0.12)
     has_scope (0.9.0)
       actionpack (>= 7.0)
@@ -345,7 +343,9 @@ GEM
       logger
     mini_mime (1.1.5)
     mini_portile2 (2.8.9)
-    minitest (5.27.0)
+    minitest (6.0.3)
+      drb (~> 2.0)
+      prism (~> 1.5)
     mize (0.6.1)
     mobility (1.3.2)
       i18n (>= 0.6.10, < 2)
@@ -385,7 +385,7 @@ GEM
     paper_trail (17.0.0)
       activerecord (>= 7.1)
       request_store (~> 1.4)
-    parallel (1.28.0)
+    parallel (2.0.0)
     parser (3.3.11.1)
       ast (~> 2.4.1)
       racc
@@ -429,20 +429,20 @@ GEM
     rackup (1.0.1)
       rack (< 3)
       webrick
-    rails (7.2.3.1)
-      actioncable (= 7.2.3.1)
-      actionmailbox (= 7.2.3.1)
-      actionmailer (= 7.2.3.1)
-      actionpack (= 7.2.3.1)
-      actiontext (= 7.2.3.1)
-      actionview (= 7.2.3.1)
-      activejob (= 7.2.3.1)
-      activemodel (= 7.2.3.1)
-      activerecord (= 7.2.3.1)
-      activestorage (= 7.2.3.1)
-      activesupport (= 7.2.3.1)
+    rails (8.0.5)
+      actioncable (= 8.0.5)
+      actionmailbox (= 8.0.5)
+      actionmailer (= 8.0.5)
+      actionpack (= 8.0.5)
+      actiontext (= 8.0.5)
+      actionview (= 8.0.5)
+      activejob (= 8.0.5)
+      activemodel (= 8.0.5)
+      activerecord (= 8.0.5)
+      activestorage (= 8.0.5)
+      activesupport (= 8.0.5)
       bundler (>= 1.15.0)
-      railties (= 7.2.3.1)
+      railties (= 8.0.5)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
       actionview (>= 5.0.1.rc1)
@@ -454,10 +454,9 @@ GEM
     rails-html-sanitizer (1.7.0)
       loofah (~> 2.25)
       nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
-    railties (7.2.3.1)
-      actionpack (= 7.2.3.1)
-      activesupport (= 7.2.3.1)
-      cgi
+    railties (8.0.5)
+      actionpack (= 8.0.5)
+      activesupport (= 8.0.5)
       irb (~> 1.13)
       rackup (>= 1.0.0)
       rake (>= 12.2)
@@ -512,11 +511,11 @@ GEM
       rspec-mocks (~> 3.13)
       rspec-support (~> 3.13)
     rspec-support (3.13.7)
-    rubocop (1.86.0)
+    rubocop (1.86.1)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
-      parallel (~> 1.10)
+      parallel (>= 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 2.9.3, < 3.0)
@@ -559,7 +558,7 @@ GEM
       ffi (~> 1.12)
       logger
     rubyzip (2.4.1)
-    safely_block (0.5.0)
+    safely_block (1.0.0)
     sass (3.4.25)
     sass-rails (6.0.0)
       sassc-rails (~> 2.1, >= 2.1.1)
@@ -572,7 +571,7 @@ GEM
       sprockets-rails
       tilt
     securerandom (0.4.1)
-    selenium-webdriver (4.41.0)
+    selenium-webdriver (4.42.0)
       base64 (~> 0.2)
       logger (~> 1.4)
       rexml (~> 3.2, >= 3.2.5)
@@ -647,15 +646,15 @@ GEM
     unicode-display_width (3.2.0)
       unicode-emoji (~> 4.1)
     unicode-emoji (4.2.0)
+    uri (1.1.1)
     useragent (0.16.11)
     uuidtools (2.2.0)
     warden (1.2.9)
       rack (>= 2.0.9)
-    web-console (4.2.1)
-      actionview (>= 6.0.0)
-      activemodel (>= 6.0.0)
+    web-console (4.3.0)
+      actionview (>= 8.0.0)
       bindex (>= 0.4.0)
-      railties (>= 6.0.0)
+      railties (>= 8.0.0)
     webdrivers (5.2.0)
       nokogiri (~> 1.6)
       rubyzip (>= 1.3.0)
@@ -741,7 +740,7 @@ DEPENDENCIES
   puma (~> 5.0)
   rack-cors
   rack-mini-profiler (~> 4.0.1)
-  rails (= 7.2.3.1)
+  rails (= 8.0.5)
   rails-controller-testing
   rbnacl (= 4.0.2)
   rbnacl-libsodium (= 1.0.16)

From b860fcb2124d041e926f04f371e28acf1add6e11 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 9 Apr 2026 13:11:45 +0100
Subject: [PATCH 067/106] chore: remove 0_new_framework_defaults_7_2.rb

---
 config/application.rb                         |  2 +-
 .../0_new_framework_defaults_7_2.rb           | 70 -------------------
 2 files changed, 1 insertion(+), 71 deletions(-)
 delete mode 100644 config/initializers/0_new_framework_defaults_7_2.rb

diff --git a/config/application.rb b/config/application.rb
index d08af56ef..4dcde7fec 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -11,7 +11,7 @@
 module SAPI
   class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
-    config.load_defaults 7.1
+    config.load_defaults 7.2
 
     # Since Rails 5, on submit, submission buttons in `form_for` are disabled.
     # However, if errors are thrown and the whole form is not rerendered, then
diff --git a/config/initializers/0_new_framework_defaults_7_2.rb b/config/initializers/0_new_framework_defaults_7_2.rb
deleted file mode 100644
index 683cc7b63..000000000
--- a/config/initializers/0_new_framework_defaults_7_2.rb
+++ /dev/null
@@ -1,70 +0,0 @@
-# Be sure to restart your server when you modify this file.
-#
-# This file eases your Rails 7.2 framework defaults upgrade.
-#
-# Uncomment each configuration one by one to switch to the new default.
-# Once your application is ready to run with all new defaults, you can remove
-# this file and set the `config.load_defaults` to `7.2`.
-#
-# Read the Guide for Upgrading Ruby on Rails for more info on each option.
-# https://guides.rubyonrails.org/upgrading_ruby_on_rails.html
-
-###
-# Controls whether Active Job's `#perform_later` and similar methods automatically defer
-# the job queuing to after the current Active Record transaction is committed.
-#
-# Example:
-#   Topic.transaction do
-#     topic = Topic.create(...)
-#     NewTopicNotificationJob.perform_later(topic)
-#   end
-#
-# In this example, if the configuration is set to `:never`, the job will
-# be enqueued immediately, even though the `Topic` hasn't been committed yet.
-# Because of this, if the job is picked up almost immediately, or if the
-# transaction doesn't succeed for some reason, the job will fail to find this
-# topic in the database.
-#
-# If `enqueue_after_transaction_commit` is set to `:default`, the queue adapter
-# will define the behaviour.
-#
-# Note: Active Job backends can disable this feature. This is generally done by
-# backends that use the same database as Active Record as a queue, hence they
-# don't need this feature.
-#++
-Rails.application.config.active_job.enqueue_after_transaction_commit = :default
-
-###
-# Adds image/webp to the list of content types Active Storage considers as an image
-# Prevents automatic conversion to a fallback PNG, and assumes clients support WebP, as they support gif, jpeg, and png.
-# This is possible due to broad browser support for WebP, but older browsers and email clients may still not support
-# WebP. Requires imagemagick/libvips built with WebP support.
-#++
-Rails.application.config.active_storage.web_image_content_types = %w[image/png image/jpeg image/gif image/webp]
-
-###
-# Enable validation of migration timestamps. When set, an ActiveRecord::InvalidMigrationTimestampError
-# will be raised if the timestamp prefix for a migration is more than a day ahead of the timestamp
-# associated with the current time. This is done to prevent forward-dating of migration files, which can
-# impact migration generation and other migration commands.
-#
-# Applications with existing timestamped migrations that do not adhere to the
-# expected format can disable validation by setting this config to `false`.
-#++
-Rails.application.config.active_record.validate_migration_timestamps = true
-
-###
-# Controls whether the PostgresqlAdapter should decode dates automatically with manual queries.
-#
-# Example:
-#   ActiveRecord::ConnectionAdapters::PostgreSQLAdapter.select_value("select '2024-01-01'::date") #=> Date
-#
-# This query used to return a `String`.
-#++
-Rails.application.config.active_record.postgresql_adapter_decode_dates = true
-
-###
-# Enables YJIT as of Ruby 3.3, to bring sizeable performance improvements. If you are
-# deploying to a memory constrained environment you may want to set this to `false`.
-#++
-Rails.application.config.yjit = true

From 530a03f7199c9b31ff97b6489f28bc8cbd1b9841 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 9 Apr 2026 13:23:58 +0100
Subject: [PATCH 068/106] chore: run rails app:update for rails 8.0

---
 bin/brakeman                                  |   7 +
 bin/dev                                       |   2 +
 bin/setup                                     |  12 +-
 config/environments/development.rb            |   4 +-
 config/environments/test.rb                   |   4 +-
 .../0_new_framework_defaults_8_0.rb           |  30 +++
 config/initializers/cors.rb                   |  26 +--
 .../initializers/filter_parameter_logging.rb  |   2 +-
 config/puma.rb                                |  11 +-
 ..._to_active_storage_blobs.active_storage.rb |  22 +++
 ..._storage_variant_records.active_storage.rb |  27 +++
 ...e_storage_blobs_checksum.active_storage.rb |   8 +
 public/400.html                               | 114 +++++++++++
 public/404.html                               | 179 +++++++++++-------
 public/406-unsupported-browser.html           | 178 ++++++++++-------
 public/422.html                               | 179 +++++++++++-------
 public/500.html                               | 178 ++++++++++-------
 17 files changed, 693 insertions(+), 290 deletions(-)
 create mode 100755 bin/brakeman
 create mode 100755 bin/dev
 create mode 100644 config/initializers/0_new_framework_defaults_8_0.rb
 create mode 100644 db/migrate/20260409121409_add_service_name_to_active_storage_blobs.active_storage.rb
 create mode 100644 db/migrate/20260409121410_create_active_storage_variant_records.active_storage.rb
 create mode 100644 db/migrate/20260409121411_remove_not_null_on_active_storage_blobs_checksum.active_storage.rb
 create mode 100644 public/400.html

diff --git a/bin/brakeman b/bin/brakeman
new file mode 100755
index 000000000..ace1c9ba0
--- /dev/null
+++ b/bin/brakeman
@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+require "rubygems"
+require "bundler/setup"
+
+ARGV.unshift("--ensure-latest")
+
+load Gem.bin_path("brakeman", "brakeman")
diff --git a/bin/dev b/bin/dev
new file mode 100755
index 000000000..5f91c2054
--- /dev/null
+++ b/bin/dev
@@ -0,0 +1,2 @@
+#!/usr/bin/env ruby
+exec "./bin/rails", "server", *ARGV
diff --git a/bin/setup b/bin/setup
index bb61d6ef0..2311239cd 100755
--- a/bin/setup
+++ b/bin/setup
@@ -15,7 +15,6 @@ FileUtils.chdir APP_ROOT do
   # Add necessary setup steps to this file.
 
   puts "== Installing dependencies =="
-  system! "gem install bundler --conservative"
   system("bundle check") || system!("bundle install")
 
   # puts "\n== Copying sample files =="
@@ -29,10 +28,9 @@ FileUtils.chdir APP_ROOT do
   puts "\n== Removing old logs and tempfiles =="
   system! "bin/rails log:clear tmp:clear"
 
-  puts "\n== Restarting application server =="
-  system! "bin/rails restart"
-
-  # puts "\n== Configuring puma-dev =="
-  # system "ln -nfs #{APP_ROOT} ~/.puma-dev/#{APP_NAME}"
-  # system "curl -Is https://#{APP_NAME}.test/up | head -n 1"
+  unless ARGV.include?("--skip-server")
+    puts "\n== Starting development server =="
+    STDOUT.flush # flush the output before exec(2) so that it displays
+    exec "bin/dev"
+  end
 end
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 296375591..623a6dfac 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -3,9 +3,7 @@
 Rails.application.configure do
   # Settings specified here will take precedence over those in config/application.rb.
 
-  # In the development environment your application's code is reloaded any time
-  # it changes. This slows down response time but is perfect for development
-  # since you don't have to restart the web server when you make code changes.
+  # Make code changes take effect immediately without server restart.
   config.enable_reloading = true
 
   # Do not eager load code on boot.
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 67ea3090c..3d9eb940e 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -1,5 +1,3 @@
-require 'active_support/core_ext/integer/time'
-
 # The test environment is used exclusively to run your application's
 # test suite. You never need to work with it otherwise. Remember that
 # your test database is "scratch space" for the test suite and is wiped
@@ -65,7 +63,7 @@
   # Annotate rendered view with file names.
   # config.action_view.annotate_rendered_view_with_filenames = true
 
-  # Raise error when a before_action's only/except options reference missing actions
+  # Raise error when a before_action's only/except options reference missing actions.
   config.action_controller.raise_on_missing_callback_actions = true
 
   ###
diff --git a/config/initializers/0_new_framework_defaults_8_0.rb b/config/initializers/0_new_framework_defaults_8_0.rb
new file mode 100644
index 000000000..92efa9515
--- /dev/null
+++ b/config/initializers/0_new_framework_defaults_8_0.rb
@@ -0,0 +1,30 @@
+# Be sure to restart your server when you modify this file.
+#
+# This file eases your Rails 8.0 framework defaults upgrade.
+#
+# Uncomment each configuration one by one to switch to the new default.
+# Once your application is ready to run with all new defaults, you can remove
+# this file and set the `config.load_defaults` to `8.0`.
+#
+# Read the Guide for Upgrading Ruby on Rails for more info on each option.
+# https://guides.rubyonrails.org/upgrading_ruby_on_rails.html
+
+###
+# Specifies whether `to_time` methods preserve the UTC offset of their receivers or preserves the timezone.
+# If set to `:zone`, `to_time` methods will use the timezone of their receivers.
+# If set to `:offset`, `to_time` methods will use the UTC offset.
+# If `false`, `to_time` methods will convert to the local system UTC offset instead.
+#++
+# Rails.application.config.active_support.to_time_preserves_timezone = :zone
+
+###
+# When both `If-Modified-Since` and `If-None-Match` are provided by the client
+# only consider `If-None-Match` as specified by RFC 7232 Section 6.
+# If set to `false` both conditions need to be satisfied.
+#++
+# Rails.application.config.action_dispatch.strict_freshness = true
+
+###
+# Set `Regexp.timeout` to `1`s by default to improve security over Regexp Denial-of-Service attacks.
+#++
+# Regexp.timeout = 1
diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb
index ab670b5e6..0c5dd99ac 100644
--- a/config/initializers/cors.rb
+++ b/config/initializers/cors.rb
@@ -1,14 +1,16 @@
-Rails.application.config.middleware.insert_before 0, Rack::Cors do
-  allow do
-    app_cors_origins =
-      Rails.application.credentials.dig(
-        :cors, :origins
-      ) || []
+# Be sure to restart your server when you modify this file.
 
-    origins app_cors_origins&.map(&:strip)
+# Avoid CORS issues when API is called from the frontend app.
+# Handle Cross-Origin Resource Sharing (CORS) in order to accept cross-origin Ajax requests.
 
-    resource '*', headers: :any, methods: [
-      :get, :post, :patch, :put, :delete
-    ]
-  end
-end
+# Read more: https://github.com/cyu/rack-cors
+
+# Rails.application.config.middleware.insert_before 0, Rack::Cors do
+#   allow do
+#     origins "example.com"
+#
+#     resource "*",
+#       headers: :any,
+#       methods: [:get, :post, :put, :patch, :delete, :options, :head]
+#   end
+# end
diff --git a/config/initializers/filter_parameter_logging.rb b/config/initializers/filter_parameter_logging.rb
index c010b83dd..c0b717f7e 100644
--- a/config/initializers/filter_parameter_logging.rb
+++ b/config/initializers/filter_parameter_logging.rb
@@ -4,5 +4,5 @@
 # Use this to limit dissemination of sensitive information.
 # See the ActiveSupport::ParameterFilter documentation for supported notations and behaviors.
 Rails.application.config.filter_parameters += [
-  :passw, :email, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn
+  :passw, :email, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :cvv, :cvc
 ]
diff --git a/config/puma.rb b/config/puma.rb
index 03c166f4c..a248513b2 100644
--- a/config/puma.rb
+++ b/config/puma.rb
@@ -1,13 +1,17 @@
 # This configuration file will be evaluated by Puma. The top-level methods that
 # are invoked here are part of Puma's configuration DSL. For more information
 # about methods provided by the DSL, see https://puma.io/puma/Puma/DSL.html.
-
+#
 # Puma starts a configurable number of processes (workers) and each process
 # serves each request in a thread from an internal thread pool.
 #
+# You can control the number of workers using ENV["WEB_CONCURRENCY"]. You
+# should only set this value when you want to run 2 or more workers. The
+# default is already 1.
+#
 # The ideal number of threads per worker depends both on how much time the
 # application spends waiting for IO operations and on how much you wish to
-# to prioritize throughput over latency.
+# prioritize throughput over latency.
 #
 # As a rule of thumb, increasing the number of threads will increase how much
 # traffic a given process can handle (throughput), but due to CRuby's
@@ -29,6 +33,9 @@
 # Allow puma to be restarted by `bin/rails restart` command.
 plugin :tmp_restart
 
+# Run the Solid Queue supervisor inside of Puma for single-server deployments
+plugin :solid_queue if ENV["SOLID_QUEUE_IN_PUMA"]
+
 # Specify the PID file. Defaults to tmp/pids/server.pid in development.
 # In other environments, only set the PID file if requested.
 pidfile ENV["PIDFILE"] if ENV["PIDFILE"]
diff --git a/db/migrate/20260409121409_add_service_name_to_active_storage_blobs.active_storage.rb b/db/migrate/20260409121409_add_service_name_to_active_storage_blobs.active_storage.rb
new file mode 100644
index 000000000..a15c6ce8e
--- /dev/null
+++ b/db/migrate/20260409121409_add_service_name_to_active_storage_blobs.active_storage.rb
@@ -0,0 +1,22 @@
+# This migration comes from active_storage (originally 20190112182829)
+class AddServiceNameToActiveStorageBlobs < ActiveRecord::Migration[6.0]
+  def up
+    return unless table_exists?(:active_storage_blobs)
+
+    unless column_exists?(:active_storage_blobs, :service_name)
+      add_column :active_storage_blobs, :service_name, :string
+
+      if configured_service = ActiveStorage::Blob.service.name
+        ActiveStorage::Blob.unscoped.update_all(service_name: configured_service)
+      end
+
+      change_column :active_storage_blobs, :service_name, :string, null: false
+    end
+  end
+
+  def down
+    return unless table_exists?(:active_storage_blobs)
+
+    remove_column :active_storage_blobs, :service_name
+  end
+end
diff --git a/db/migrate/20260409121410_create_active_storage_variant_records.active_storage.rb b/db/migrate/20260409121410_create_active_storage_variant_records.active_storage.rb
new file mode 100644
index 000000000..94ac83af0
--- /dev/null
+++ b/db/migrate/20260409121410_create_active_storage_variant_records.active_storage.rb
@@ -0,0 +1,27 @@
+# This migration comes from active_storage (originally 20191206030411)
+class CreateActiveStorageVariantRecords < ActiveRecord::Migration[6.0]
+  def change
+    return unless table_exists?(:active_storage_blobs)
+
+    # Use Active Record's configured type for primary key
+    create_table :active_storage_variant_records, id: primary_key_type, if_not_exists: true do |t|
+      t.belongs_to :blob, null: false, index: false, type: blobs_primary_key_type
+      t.string :variation_digest, null: false
+
+      t.index %i[ blob_id variation_digest ], name: "index_active_storage_variant_records_uniqueness", unique: true
+      t.foreign_key :active_storage_blobs, column: :blob_id
+    end
+  end
+
+  private
+    def primary_key_type
+      config = Rails.configuration.generators
+      config.options[config.orm][:primary_key_type] || :primary_key
+    end
+
+    def blobs_primary_key_type
+      pkey_name = connection.primary_key(:active_storage_blobs)
+      pkey_column = connection.columns(:active_storage_blobs).find { |c| c.name == pkey_name }
+      pkey_column.bigint? ? :bigint : pkey_column.type
+    end
+end
diff --git a/db/migrate/20260409121411_remove_not_null_on_active_storage_blobs_checksum.active_storage.rb b/db/migrate/20260409121411_remove_not_null_on_active_storage_blobs_checksum.active_storage.rb
new file mode 100644
index 000000000..93c8b85ad
--- /dev/null
+++ b/db/migrate/20260409121411_remove_not_null_on_active_storage_blobs_checksum.active_storage.rb
@@ -0,0 +1,8 @@
+# This migration comes from active_storage (originally 20211119233751)
+class RemoveNotNullOnActiveStorageBlobsChecksum < ActiveRecord::Migration[6.0]
+  def change
+    return unless table_exists?(:active_storage_blobs)
+
+    change_column_null(:active_storage_blobs, :checksum, true)
+  end
+end
diff --git a/public/400.html b/public/400.html
new file mode 100644
index 000000000..282dbc8cc
--- /dev/null
+++ b/public/400.html
@@ -0,0 +1,114 @@
+<!doctype html>
+
+<html lang="en">
+
+  <head>
+
+    <title>The server cannot process the request due to a client error (400 Bad Request)</title>
+
+    <meta charset="utf-8">
+    <meta name="viewport" content="initial-scale=1, width=device-width">
+    <meta name="robots" content="noindex, nofollow">
+
+    <style>
+
+      *, *::before, *::after {
+        box-sizing: border-box;
+      }
+
+      * {
+        margin: 0;
+      }
+
+      html {
+        font-size: 16px;
+      }
+
+      body {
+        background: #FFF;
+        color: #261B23;
+        display: grid;
+        font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, Aptos, Roboto, "Segoe UI", "Helvetica Neue", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
+        font-size: clamp(1rem, 2.5vw, 2rem);
+        -webkit-font-smoothing: antialiased;
+        font-style: normal;
+        font-weight: 400;
+        letter-spacing: -0.0025em;
+        line-height: 1.4;
+        min-height: 100vh;
+        place-items: center;
+        text-rendering: optimizeLegibility;
+        -webkit-text-size-adjust: 100%;
+      }
+
+      a {
+        color: inherit;
+        font-weight: 700;
+        text-decoration: underline;
+        text-underline-offset: 0.0925em;
+      }
+
+      b, strong {
+        font-weight: 700;
+      }
+
+      i, em {
+        font-style: italic;
+      }
+
+      main {
+        display: grid;
+        gap: 1em;
+        padding: 2em;
+        place-items: center;
+        text-align: center;
+      }
+
+      main header {
+        width: min(100%, 12em);
+      }
+
+      main header svg {
+        height: auto;
+        max-width: 100%;
+        width: 100%;
+      }
+
+      main article {
+        width: min(100%, 30em);
+      }
+
+      main article p {
+        font-size: 75%;
+      }
+
+      main article br {
+
+        display: none;
+
+        @media(min-width: 48em) {
+          display: inline;
+        }
+
+      }
+
+    </style>
+
+  </head>
+
+  <body>
+
+    <!-- This file lives in public/400.html -->
+
+    <main>
+      <header>
+        <svg height="172" viewBox="0 0 480 172" width="480" xmlns="http://www.w3.org/2000/svg"><path d="m124.48 3.00509-45.6889 100.02991h26.2239v-28.1168h38.119v28.1168h21.628v35.145h-21.628v30.82h-37.308v-30.82h-72.1833v-31.901l50.2851-103.27391zm115.583 168.69891c-40.822 0-64.884-35.146-64.884-85.7015 0-50.5554 24.062-85.700907 64.884-85.700907 40.823 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.061 85.7015-64.884 85.7015zm0-133.2831c-17.572 0-22.709 21.8984-22.709 47.5816 0 25.6835 5.137 47.5815 22.709 47.5815 17.303 0 22.71-21.898 22.71-47.5815 0-25.6832-5.407-47.5816-22.71-47.5816zm140.456 133.2831c-40.823 0-64.884-35.146-64.884-85.7015 0-50.5554 24.061-85.700907 64.884-85.700907 40.822 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.062 85.7015-64.884 85.7015zm0-133.2831c-17.573 0-22.71 21.8984-22.71 47.5816 0 25.6835 5.137 47.5815 22.71 47.5815 17.302 0 22.709-21.898 22.709-47.5815 0-25.6832-5.407-47.5816-22.709-47.5816z" fill="#f0eff0"/><path d="m123.606 85.4445c3.212 1.0523 5.538 4.2089 5.538 8.0301 0 6.1472-4.209 9.5254-11.298 9.5254h-15.617v-34.0033h14.565c7.089 0 11.353 3.1566 11.353 9.2484 0 3.6551-2.049 6.3134-4.541 7.1994zm-12.904-2.9905h5.095c2.603 0 3.988-.9968 3.988-3.1013 0-2.1044-1.385-3.0459-3.988-3.0459h-5.095zm0 6.6456v6.5902h5.981c2.492 0 3.877-1.3291 3.877-3.2674 0-2.049-1.385-3.3228-3.877-3.3228zm43.786 13.9004h-8.362v-1.274c-.831.831-3.323 1.717-5.981 1.717-4.929 0-9.083-2.769-9.083-8.0301 0-4.818 4.154-7.9193 9.581-7.9193 2.049 0 4.486.6646 5.483 1.3845v-1.606c0-1.606-.942-2.9905-3.046-2.9905-1.606 0-2.548.7199-2.935 1.8275h-8.197c.72-4.8181 4.985-8.6393 11.409-8.6393 7.088 0 11.131 3.7659 11.131 10.2453zm-8.362-6.9779v-1.4399c-.554-1.0522-2.049-1.7167-3.655-1.7167-1.717 0-3.434.7199-3.434 2.3813 0 1.7168 1.717 2.4367 3.434 2.4367 1.606 0 3.101-.6645 3.655-1.6614zm27.996 6.9779v-1.994c-1.163 1.329-3.599 2.548-6.147 2.548-7.199 0-11.131-5.8151-11.131-13.0145s3.932-13.0143 11.131-13.0143c2.548 0 4.984 1.2184 6.147 2.5475v-13.0697h8.695v35.997zm0-9.1931v-6.5902c-.664-1.3291-2.159-2.326-3.821-2.326-2.99 0-4.763 2.4368-4.763 5.6488s1.773 5.5934 4.763 5.5934c1.717 0 3.157-.9415 3.821-2.326zm35.471-2.049h-3.101v11.2421h-8.806v-34.0033h15.285c7.31 0 12.35 4.1535 12.35 11.5744 0 5.1503-2.603 8.6947-6.757 10.2453l7.975 12.1836h-9.858zm-3.101-15.2849v8.1962h5.538c3.156 0 4.596-1.606 4.596-4.0981s-1.44-4.0981-4.596-4.0981zm36.957 17.8323h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.643 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.515-13.0143 7.643 0 11.962 5.095 11.962 12.5159v2.1598h-16.115c.277 2.9905 1.827 4.5965 4.32 4.5965 1.772 0 3.156-.7753 3.655-2.4921zm-3.822-10.0237c-2.049 0-3.433 1.2737-3.987 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.545-3.5997zm30.98 27.5234v-10.799c-1.163 1.329-3.6 2.548-6.147 2.548-7.2 0-11.132-5.9259-11.132-13.0145 0-7.144 3.932-13.0143 11.132-13.0143 2.547 0 4.984 1.2184 6.147 2.5475v-1.9937h8.695v33.726zm0-17.9981v-6.5902c-.665-1.3291-2.105-2.326-3.821-2.326-2.991 0-4.763 2.4368-4.763 5.6488s1.772 5.5934 4.763 5.5934c1.661 0 3.156-.9415 3.821-2.326zm36.789-15.7279v24.921h-8.695v-2.16c-1.329 1.551-3.821 2.714-6.646 2.714-5.482 0-8.75-3.5999-8.75-9.1379v-16.3371h8.64v14.288c0 2.1045.996 3.5997 3.212 3.5997 1.606 0 3.101-1.0522 3.544-2.769v-15.1187zm19.084 16.2263h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.643 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.515-13.0143 7.643 0 11.963 5.095 11.963 12.5159v2.1598h-16.116c.277 2.9905 1.828 4.5965 4.32 4.5965 1.772 0 3.156-.7753 3.655-2.4921zm-3.822-10.0237c-2.049 0-3.433 1.2737-3.987 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.545-3.5997zm13.428 11.0206h8.474c.387 1.3845 1.606 2.1598 3.156 2.1598 1.44 0 2.548-.5538 2.548-1.7168 0-.9414-.72-1.2737-1.939-1.5506l-4.873-.9969c-4.154-.886-6.867-2.8797-6.867-7.2547 0-5.3165 4.762-8.4178 10.633-8.4178 6.812 0 10.522 3.1567 11.297 8.0855h-8.03c-.277-1.0522-1.052-1.9937-3.046-1.9937-1.273 0-2.326.5538-2.326 1.6614 0 .7753.554 1.163 1.717 1.3845l4.929 1.163c4.541 1.0522 6.978 3.4335 6.978 7.4763 0 5.3168-4.818 8.2518-10.91 8.2518-6.369 0-10.965-2.88-11.741-8.2518zm27.538-.8861v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.205v6.7564h-5.205v8.307c0 1.9383.941 2.769 2.658 2.769.941 0 1.993-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.871 0-9.193-2.769-9.193-9.0819z" fill="#d30001"/></svg>
+      </header>
+      <article>
+        <p><strong>The server cannot process the request due to a client error.</strong> Please check the request and try again. If you’re the application owner check the logs for more information.</p>
+      </article>
+    </main>
+
+  </body>
+
+</html>
diff --git a/public/404.html b/public/404.html
index 2be3af26f..c0670bc87 100644
--- a/public/404.html
+++ b/public/404.html
@@ -1,67 +1,114 @@
-<!DOCTYPE html>
-<html>
-<head>
-  <title>The page you were looking for doesn't exist (404)</title>
-  <meta name="viewport" content="width=device-width,initial-scale=1">
-  <style>
-  .rails-default-error-page {
-    background-color: #EFEFEF;
-    color: #2E2F30;
-    text-align: center;
-    font-family: arial, sans-serif;
-    margin: 0;
-  }
-
-  .rails-default-error-page div.dialog {
-    width: 95%;
-    max-width: 33em;
-    margin: 4em auto 0;
-  }
-
-  .rails-default-error-page div.dialog > div {
-    border: 1px solid #CCC;
-    border-right-color: #999;
-    border-left-color: #999;
-    border-bottom-color: #BBB;
-    border-top: #B00100 solid 4px;
-    border-top-left-radius: 9px;
-    border-top-right-radius: 9px;
-    background-color: white;
-    padding: 7px 12% 0;
-    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
-  }
-
-  .rails-default-error-page h1 {
-    font-size: 100%;
-    color: #730E15;
-    line-height: 1.5em;
-  }
-
-  .rails-default-error-page div.dialog > p {
-    margin: 0 0 1em;
-    padding: 1em;
-    background-color: #F7F7F7;
-    border: 1px solid #CCC;
-    border-right-color: #999;
-    border-left-color: #999;
-    border-bottom-color: #999;
-    border-bottom-left-radius: 4px;
-    border-bottom-right-radius: 4px;
-    border-top-color: #DADADA;
-    color: #666;
-    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
-  }
-  </style>
-</head>
-
-<body class="rails-default-error-page">
-  <!-- This file lives in public/404.html -->
-  <div class="dialog">
-    <div>
-      <h1>The page you were looking for doesn't exist.</h1>
-      <p>You may have mistyped the address or the page may have moved.</p>
-    </div>
-    <p>If you are the application owner check the logs for more information.</p>
-  </div>
-</body>
+<!doctype html>
+
+<html lang="en">
+
+  <head>
+
+    <title>The page you were looking for doesn’t exist (404 Not found)</title>
+
+    <meta charset="utf-8">
+    <meta name="viewport" content="initial-scale=1, width=device-width">
+    <meta name="robots" content="noindex, nofollow">
+
+    <style>
+
+      *, *::before, *::after {
+        box-sizing: border-box;
+      }
+
+      * {
+        margin: 0;
+      }
+
+      html {
+        font-size: 16px;
+      }
+
+      body {
+        background: #FFF;
+        color: #261B23;
+        display: grid;
+        font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, Aptos, Roboto, "Segoe UI", "Helvetica Neue", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
+        font-size: clamp(1rem, 2.5vw, 2rem);
+        -webkit-font-smoothing: antialiased;
+        font-style: normal;
+        font-weight: 400;
+        letter-spacing: -0.0025em;
+        line-height: 1.4;
+        min-height: 100vh;
+        place-items: center;
+        text-rendering: optimizeLegibility;
+        -webkit-text-size-adjust: 100%;
+      }
+
+      a {
+        color: inherit;
+        font-weight: 700;
+        text-decoration: underline;
+        text-underline-offset: 0.0925em;
+      }
+
+      b, strong {
+        font-weight: 700;
+      }
+
+      i, em {
+        font-style: italic;
+      }
+
+      main {
+        display: grid;
+        gap: 1em;
+        padding: 2em;
+        place-items: center;
+        text-align: center;
+      }
+
+      main header {
+        width: min(100%, 12em);
+      }
+
+      main header svg {
+        height: auto;
+        max-width: 100%;
+        width: 100%;
+      }
+
+      main article {
+        width: min(100%, 30em);
+      }
+
+      main article p {
+        font-size: 75%;
+      }
+
+      main article br {
+
+        display: none;
+
+        @media(min-width: 48em) {
+          display: inline;
+        }
+
+      }
+
+    </style>
+
+  </head>
+
+  <body>
+
+    <!-- This file lives in public/404.html -->
+
+    <main>
+      <header>
+        <svg height="172" viewBox="0 0 480 172" width="480" xmlns="http://www.w3.org/2000/svg"><path d="m124.48 3.00509-45.6889 100.02991h26.2239v-28.1168h38.119v28.1168h21.628v35.145h-21.628v30.82h-37.308v-30.82h-72.1833v-31.901l50.2851-103.27391zm115.583 168.69891c-40.822 0-64.884-35.146-64.884-85.7015 0-50.5554 24.062-85.700907 64.884-85.700907 40.823 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.061 85.7015-64.884 85.7015zm0-133.2831c-17.572 0-22.709 21.8984-22.709 47.5816 0 25.6835 5.137 47.5815 22.709 47.5815 17.303 0 22.71-21.898 22.71-47.5815 0-25.6832-5.407-47.5816-22.71-47.5816zm165.328-35.41581-45.689 100.02991h26.224v-28.1168h38.119v28.1168h21.628v35.145h-21.628v30.82h-37.308v-30.82h-72.184v-31.901l50.285-103.27391z" fill="#f0eff0"/><path d="m157.758 68.9967v34.0033h-7.199l-14.233-19.8814v19.8814h-8.584v-34.0033h8.307l13.125 18.7184v-18.7184zm28.454 21.5428c0 7.6978-5.15 13.0145-12.737 13.0145-7.532 0-12.738-5.3167-12.738-13.0145s5.206-13.0143 12.738-13.0143c7.587 0 12.737 5.3165 12.737 13.0143zm-8.528 0c0-3.4336-1.496-5.8703-4.209-5.8703-2.659 0-4.154 2.4367-4.154 5.8703s1.495 5.8149 4.154 5.8149c2.713 0 4.209-2.3813 4.209-5.8149zm13.184 3.8766v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.205v6.7564h-5.205v8.307c0 1.9383.941 2.769 2.658 2.769.941 0 1.994-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.87 0-9.193-2.769-9.193-9.0819zm37.027 8.5839h-8.806v-34.0033h23.924v7.6978h-15.118v6.7564h13.9v7.5316h-13.9zm41.876-12.4605c0 7.6978-5.15 13.0145-12.737 13.0145-7.532 0-12.738-5.3167-12.738-13.0145s5.206-13.0143 12.738-13.0143c7.587 0 12.737 5.3165 12.737 13.0143zm-8.529 0c0-3.4336-1.495-5.8703-4.208-5.8703-2.659 0-4.154 2.4367-4.154 5.8703s1.495 5.8149 4.154 5.8149c2.713 0 4.208-2.3813 4.208-5.8149zm35.337-12.4605v24.921h-8.695v-2.16c-1.329 1.551-3.821 2.714-6.646 2.714-5.482 0-8.75-3.5999-8.75-9.1379v-16.3371h8.64v14.288c0 2.1045.997 3.5997 3.212 3.5997 1.606 0 3.101-1.0522 3.544-2.769v-15.1187zm4.076 24.921v-24.921h8.694v2.1598c1.385-1.5506 3.822-2.7136 6.701-2.7136 5.538 0 8.806 3.5997 8.806 9.1377v16.3371h-8.639v-14.2327c0-2.049-1.053-3.5443-3.268-3.5443-1.717 0-3.156.9969-3.6 2.7136v15.0634zm44.113 0v-1.994c-1.163 1.329-3.6 2.548-6.147 2.548-7.2 0-11.132-5.8151-11.132-13.0145s3.932-13.0143 11.132-13.0143c2.547 0 4.984 1.2184 6.147 2.5475v-13.0697h8.695v35.997zm0-9.1931v-6.5902c-.665-1.3291-2.16-2.326-3.821-2.326-2.991 0-4.763 2.4368-4.763 5.6488s1.772 5.5934 4.763 5.5934c1.717 0 3.156-.9415 3.821-2.326z" fill="#d30001"/></svg>
+      </header>
+      <article>
+        <p><strong>The page you were looking for doesn’t exist.</strong> You may have mistyped the address or the page may have moved. If you’re the application owner check the logs for more information.</p>
+      </article>
+    </main>
+
+  </body>
+
 </html>
diff --git a/public/406-unsupported-browser.html b/public/406-unsupported-browser.html
index 7cf1e168e..9532a9ccd 100644
--- a/public/406-unsupported-browser.html
+++ b/public/406-unsupported-browser.html
@@ -1,66 +1,114 @@
-<!DOCTYPE html>
-<html>
-<head>
-  <title>Your browser is not supported (406)</title>
-  <meta name="viewport" content="width=device-width,initial-scale=1">
-  <style>
-  .rails-default-error-page {
-    background-color: #EFEFEF;
-    color: #2E2F30;
-    text-align: center;
-    font-family: arial, sans-serif;
-    margin: 0;
-  }
-
-  .rails-default-error-page div.dialog {
-    width: 95%;
-    max-width: 33em;
-    margin: 4em auto 0;
-  }
-
-  .rails-default-error-page div.dialog > div {
-    border: 1px solid #CCC;
-    border-right-color: #999;
-    border-left-color: #999;
-    border-bottom-color: #BBB;
-    border-top: #B00100 solid 4px;
-    border-top-left-radius: 9px;
-    border-top-right-radius: 9px;
-    background-color: white;
-    padding: 7px 12% 0;
-    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
-  }
-
-  .rails-default-error-page h1 {
-    font-size: 100%;
-    color: #730E15;
-    line-height: 1.5em;
-  }
-
-  .rails-default-error-page div.dialog > p {
-    margin: 0 0 1em;
-    padding: 1em;
-    background-color: #F7F7F7;
-    border: 1px solid #CCC;
-    border-right-color: #999;
-    border-left-color: #999;
-    border-bottom-color: #999;
-    border-bottom-left-radius: 4px;
-    border-bottom-right-radius: 4px;
-    border-top-color: #DADADA;
-    color: #666;
-    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
-  }
-  </style>
-</head>
-
-<body class="rails-default-error-page">
-  <!-- This file lives in public/406-unsupported-browser.html -->
-  <div class="dialog">
-    <div>
-      <h1>Your browser is not supported.</h1>
-      <p>Please upgrade your browser to continue.</p>
-    </div>
-  </div>
-</body>
+<!doctype html>
+
+<html lang="en">
+
+  <head>
+
+    <title>Your browser is not supported (406 Not Acceptable)</title>
+
+    <meta charset="utf-8">
+    <meta name="viewport" content="initial-scale=1, width=device-width">
+    <meta name="robots" content="noindex, nofollow">
+
+    <style>
+
+      *, *::before, *::after {
+        box-sizing: border-box;
+      }
+
+      * {
+        margin: 0;
+      }
+
+      html {
+        font-size: 16px;
+      }
+
+      body {
+        background: #FFF;
+        color: #261B23;
+        display: grid;
+        font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, Aptos, Roboto, "Segoe UI", "Helvetica Neue", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
+        font-size: clamp(1rem, 2.5vw, 2rem);
+        -webkit-font-smoothing: antialiased;
+        font-style: normal;
+        font-weight: 400;
+        letter-spacing: -0.0025em;
+        line-height: 1.4;
+        min-height: 100vh;
+        place-items: center;
+        text-rendering: optimizeLegibility;
+        -webkit-text-size-adjust: 100%;
+      }
+
+      a {
+        color: inherit;
+        font-weight: 700;
+        text-decoration: underline;
+        text-underline-offset: 0.0925em;
+      }
+
+      b, strong {
+        font-weight: 700;
+      }
+
+      i, em {
+        font-style: italic;
+      }
+
+      main {
+        display: grid;
+        gap: 1em;
+        padding: 2em;
+        place-items: center;
+        text-align: center;
+      }
+
+      main header {
+        width: min(100%, 12em);
+      }
+
+      main header svg {
+        height: auto;
+        max-width: 100%;
+        width: 100%;
+      }
+
+      main article {
+        width: min(100%, 30em);
+      }
+
+      main article p {
+        font-size: 75%;
+      }
+
+      main article br {
+
+        display: none;
+
+        @media(min-width: 48em) {
+          display: inline;
+        }
+
+      }
+
+    </style>
+
+  </head>
+
+  <body>
+
+    <!-- This file lives in public/406-unsupported-browser.html -->
+
+    <main>
+      <header>
+        <svg height="172" viewBox="0 0 480 172" width="480" xmlns="http://www.w3.org/2000/svg"><path d="m124.48 3.00509-45.6889 100.02991h26.2239v-28.1168h38.119v28.1168h21.628v35.145h-21.628v30.82h-37.308v-30.82h-72.1833v-31.901l50.2851-103.27391zm115.583 168.69891c-40.822 0-64.884-35.146-64.884-85.7015 0-50.5554 24.062-85.700907 64.884-85.700907 40.823 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.061 85.7015-64.884 85.7015zm0-133.2831c-17.572 0-22.709 21.8984-22.709 47.5816 0 25.6835 5.137 47.5815 22.709 47.5815 17.303 0 22.71-21.898 22.71-47.5815 0-25.6832-5.407-47.5816-22.71-47.5816zm202.906 9.7326h-41.093c-2.433-7.2994-7.84-12.4361-17.302-12.4361-16.221 0-25.413 17.5728-25.954 34.8752v1.3517c5.137-7.0291 16.221-12.4361 30.82-12.4361 33.524 0 54.881 24.0612 54.881 53.7998 0 33.253-23.791 58.396-61.64 58.396-21.628 0-39.741-10.003-50.825-27.576-9.733-14.599-13.788-32.442-13.788-54.3406 0-51.9072 24.331-89.485807 66.236-89.485807 32.712 0 53.258 18.654107 58.665 47.851907zm-82.727 66.2355c0 13.247 9.463 22.439 22.71 22.439 12.977 0 22.439-9.192 22.439-22.439 0-13.517-9.462-22.7091-22.439-22.7091-13.247 0-22.71 9.1921-22.71 22.7091z" fill="#f0eff0"/><path d="m100.761 68.9967v34.0033h-7.1991l-14.2326-19.8814v19.8814h-8.5839v-34.0033h8.307l13.125 18.7184v-18.7184zm28.454 21.5428c0 7.6978-5.15 13.0145-12.737 13.0145-7.532 0-12.738-5.3167-12.738-13.0145s5.206-13.0143 12.738-13.0143c7.587 0 12.737 5.3165 12.737 13.0143zm-8.529 0c0-3.4336-1.495-5.8703-4.208-5.8703-2.659 0-4.154 2.4367-4.154 5.8703s1.495 5.8149 4.154 5.8149c2.713 0 4.208-2.3813 4.208-5.8149zm13.185 3.8766v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.205v6.7564h-5.205v8.307c0 1.9383.941 2.769 2.658 2.769.941 0 1.994-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.87 0-9.193-2.769-9.193-9.0819zm39.02-25.4194h9.083l12.958 34.0033h-9.027l-2.436-6.5902h-12.35l-2.381 6.5902h-8.806zm4.431 10.5222-3.489 9.5807h6.978zm17.44 11.0206c0-7.6978 5.095-13.0143 12.572-13.0143 6.701 0 10.854 3.9874 11.574 9.8023h-8.418c-.221-1.4953-1.384-2.6029-3.156-2.6029-2.437 0-3.988 2.2706-3.988 5.8149s1.551 5.7595 3.988 5.7595c1.772 0 2.935-1.0522 3.156-2.5475h8.418c-.72 5.7596-4.873 9.8025-11.574 9.8025-7.477 0-12.572-5.3167-12.572-13.0145zm25.676 0c0-7.6978 5.095-13.0143 12.572-13.0143 6.701 0 10.854 3.9874 11.574 9.8023h-8.418c-.221-1.4953-1.384-2.6029-3.156-2.6029-2.437 0-3.988 2.2706-3.988 5.8149s1.551 5.7595 3.988 5.7595c1.772 0 2.935-1.0522 3.156-2.5475h8.418c-.72 5.7596-4.873 9.8025-11.574 9.8025-7.477 0-12.572-5.3167-12.572-13.0145zm42.013 3.7658h8.031c-.887 5.7597-5.206 9.2487-11.686 9.2487-7.642 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.317-13.0143 12.516-13.0143 7.643 0 11.962 5.095 11.962 12.5159v2.1598h-16.115c.277 2.9905 1.827 4.5965 4.319 4.5965 1.773 0 3.157-.7753 3.655-2.4921zm-3.821-10.0237c-2.049 0-3.433 1.2737-3.987 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.545-3.5997zm23.4 16.7244v10.799h-8.694v-33.726h8.694v1.9937c1.163-1.3291 3.6-2.5475 6.148-2.5475 7.199 0 11.131 5.8703 11.131 13.0143 0 7.0886-3.932 13.0145-11.131 13.0145-2.548 0-4.985-1.219-6.148-2.548zm0-13.7893v6.5902c.665 1.3845 2.16 2.326 3.822 2.326 2.99 0 4.762-2.3814 4.762-5.5934s-1.772-5.6488-4.762-5.6488c-1.717 0-3.157.9969-3.822 2.326zm21.892 7.1994v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.206v6.7564h-5.206v8.307c0 1.9383.941 2.769 2.658 2.769.942 0 1.994-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.87 0-9.193-2.769-9.193-9.0819zm39.458 8.5839h-8.363v-1.274c-.83.831-3.322 1.717-5.981 1.717-4.928 0-9.082-2.769-9.082-8.0301 0-4.818 4.154-7.9193 9.581-7.9193 2.049 0 4.486.6646 5.482 1.3845v-1.606c0-1.606-.941-2.9905-3.045-2.9905-1.606 0-2.548.7199-2.936 1.8275h-8.196c.72-4.8181 4.984-8.6393 11.408-8.6393 7.089 0 11.132 3.7659 11.132 10.2453zm-8.363-6.9779v-1.4399c-.553-1.0522-2.049-1.7167-3.655-1.7167-1.716 0-3.433.7199-3.433 2.3813 0 1.7168 1.717 2.4367 3.433 2.4367 1.606 0 3.102-.6645 3.655-1.6614zm20.742 4.9839v1.994h-8.694v-35.997h8.694v13.0697c1.163-1.3291 3.6-2.5475 6.148-2.5475 7.199 0 11.131 5.8149 11.131 13.0143s-3.932 13.0145-11.131 13.0145c-2.548 0-4.985-1.219-6.148-2.548zm0-13.7893v6.5902c.665 1.3845 2.105 2.326 3.822 2.326 2.99 0 4.762-2.3814 4.762-5.5934s-1.772-5.6488-4.762-5.6488c-1.662 0-3.157.9969-3.822 2.326zm28.759-20.2137v35.997h-8.695v-35.997zm19.172 27.3023h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.643 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.516-13.0143 7.642 0 11.962 5.095 11.962 12.5159v2.1598h-16.116c.277 2.9905 1.828 4.5965 4.32 4.5965 1.772 0 3.157-.7753 3.655-2.4921zm-3.821-10.0237c-2.049 0-3.434 1.2737-3.988 3.5997h7.532c-.111-2.0491-1.384-3.5997-3.544-3.5997z" fill="#d30001"/></svg>
+      </header>
+      <article>
+        <p><strong>Your browser is not supported.</strong><br> Please upgrade your browser to continue.</p>
+      </article>
+    </main>
+
+  </body>
+
 </html>
diff --git a/public/422.html b/public/422.html
index c08eac0d1..8bcf06014 100644
--- a/public/422.html
+++ b/public/422.html
@@ -1,67 +1,114 @@
-<!DOCTYPE html>
-<html>
-<head>
-  <title>The change you wanted was rejected (422)</title>
-  <meta name="viewport" content="width=device-width,initial-scale=1">
-  <style>
-  .rails-default-error-page {
-    background-color: #EFEFEF;
-    color: #2E2F30;
-    text-align: center;
-    font-family: arial, sans-serif;
-    margin: 0;
-  }
-
-  .rails-default-error-page div.dialog {
-    width: 95%;
-    max-width: 33em;
-    margin: 4em auto 0;
-  }
-
-  .rails-default-error-page div.dialog > div {
-    border: 1px solid #CCC;
-    border-right-color: #999;
-    border-left-color: #999;
-    border-bottom-color: #BBB;
-    border-top: #B00100 solid 4px;
-    border-top-left-radius: 9px;
-    border-top-right-radius: 9px;
-    background-color: white;
-    padding: 7px 12% 0;
-    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
-  }
-
-  .rails-default-error-page h1 {
-    font-size: 100%;
-    color: #730E15;
-    line-height: 1.5em;
-  }
-
-  .rails-default-error-page div.dialog > p {
-    margin: 0 0 1em;
-    padding: 1em;
-    background-color: #F7F7F7;
-    border: 1px solid #CCC;
-    border-right-color: #999;
-    border-left-color: #999;
-    border-bottom-color: #999;
-    border-bottom-left-radius: 4px;
-    border-bottom-right-radius: 4px;
-    border-top-color: #DADADA;
-    color: #666;
-    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
-  }
-  </style>
-</head>
-
-<body class="rails-default-error-page">
-  <!-- This file lives in public/422.html -->
-  <div class="dialog">
-    <div>
-      <h1>The change you wanted was rejected.</h1>
-      <p>Maybe you tried to change something you didn't have access to.</p>
-    </div>
-    <p>If you are the application owner check the logs for more information.</p>
-  </div>
-</body>
+<!doctype html>
+
+<html lang="en">
+
+  <head>
+
+    <title>The change you wanted was rejected (422 Unprocessable Entity)</title>
+
+    <meta charset="utf-8">
+    <meta name="viewport" content="initial-scale=1, width=device-width">
+    <meta name="robots" content="noindex, nofollow">
+
+    <style>
+
+      *, *::before, *::after {
+        box-sizing: border-box;
+      }
+
+      * {
+        margin: 0;
+      }
+
+      html {
+        font-size: 16px;
+      }
+
+      body {
+        background: #FFF;
+        color: #261B23;
+        display: grid;
+        font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, Aptos, Roboto, "Segoe UI", "Helvetica Neue", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
+        font-size: clamp(1rem, 2.5vw, 2rem);
+        -webkit-font-smoothing: antialiased;
+        font-style: normal;
+        font-weight: 400;
+        letter-spacing: -0.0025em;
+        line-height: 1.4;
+        min-height: 100vh;
+        place-items: center;
+        text-rendering: optimizeLegibility;
+        -webkit-text-size-adjust: 100%;
+      }
+
+      a {
+        color: inherit;
+        font-weight: 700;
+        text-decoration: underline;
+        text-underline-offset: 0.0925em;
+      }
+
+      b, strong {
+        font-weight: 700;
+      }
+
+      i, em {
+        font-style: italic;
+      }
+
+      main {
+        display: grid;
+        gap: 1em;
+        padding: 2em;
+        place-items: center;
+        text-align: center;
+      }
+
+      main header {
+        width: min(100%, 12em);
+      }
+
+      main header svg {
+        height: auto;
+        max-width: 100%;
+        width: 100%;
+      }
+
+      main article {
+        width: min(100%, 30em);
+      }
+
+      main article p {
+        font-size: 75%;
+      }
+
+      main article br {
+
+        display: none;
+
+        @media(min-width: 48em) {
+          display: inline;
+        }
+
+      }
+
+    </style>
+
+  </head>
+
+  <body>
+
+    <!-- This file lives in public/422.html -->
+
+    <main>
+      <header>
+        <svg height="172" viewBox="0 0 480 172" width="480" xmlns="http://www.w3.org/2000/svg"><path d="m124.48 3.00509-45.6889 100.02991h26.2239v-28.1168h38.119v28.1168h21.628v35.145h-21.628v30.82h-37.308v-30.82h-72.1833v-31.901l50.2851-103.27391zm130.453 51.63681c0-8.9215-6.218-15.4099-15.681-15.4099-10.273 0-15.95 7.5698-16.491 16.4913h-44.608c3.244-30.8199 25.683-55.421707 61.099-55.421707 36.498 0 59.477 20.816907 59.477 51.636807 0 21.3577-14.869 36.7676-31.901 52.7186l-27.305 27.035h59.747v37.308h-120.306v-27.846l57.044-56.7736c11.084-11.8954 18.925-20.0059 18.925-29.7385zm140.455 0c0-8.9215-6.218-15.4099-15.68-15.4099-10.274 0-15.951 7.5698-16.492 16.4913h-44.608c3.245-30.8199 25.684-55.421707 61.1-55.421707 36.497 0 59.477 20.816907 59.477 51.636807 0 21.3577-14.87 36.7676-31.902 52.7186l-27.305 27.035h59.747v37.308h-120.305v-27.846l57.043-56.7736c11.085-11.8954 18.925-20.0059 18.925-29.7385z" fill="#f0eff0"/><path d="m19.3936 103.554c-8.9715 0-14.84183-5.0952-14.84183-14.4544v-20.1029h8.86083v19.3276c0 4.8181 2.2706 7.3102 5.981 7.3102 3.6551 0 5.9257-2.4921 5.9257-7.3102v-19.3276h8.8608v20.1583c0 9.3038-5.8149 14.399-14.7865 14.399zm18.734-.554v-24.921h8.6947v2.1598c1.3845-1.5506 3.8212-2.7136 6.701-2.7136 5.538 0 8.8054 3.5997 8.8054 9.1377v16.3371h-8.6393v-14.2327c0-2.049-1.0522-3.5443-3.2674-3.5443-1.7168 0-3.1567.9969-3.5997 2.7136v15.0634zm36.8584-1.994v10.799h-8.6946v-33.726h8.6946v1.9937c1.163-1.3291 3.5997-2.5475 6.1472-2.5475 7.1994 0 11.1314 5.8703 11.1314 13.0143 0 7.0886-3.932 13.0145-11.1314 13.0145-2.5475 0-4.9842-1.219-6.1472-2.548zm0-13.7893v6.5902c.6646 1.3845 2.1599 2.326 3.8213 2.326 2.9905 0 4.7626-2.3814 4.7626-5.5934s-1.7721-5.6488-4.7626-5.6488c-1.7168 0-3.1567.9969-3.8213 2.326zm36.789-9.2485v8.3624c-1.052-.5538-2.215-.7753-3.6-.7753-2.381 0-3.987 1.0522-4.43 2.8244v14.6203h-8.6949v-24.921h8.6949v2.2152c1.218-1.6614 3.156-2.769 5.648-2.769 1.108 0 1.994.2215 2.382.443zm26.769 12.5713c0 7.6978-5.15 13.0145-12.737 13.0145-7.532 0-12.738-5.3167-12.738-13.0145s5.206-13.0143 12.738-13.0143c7.587 0 12.737 5.3165 12.737 13.0143zm-8.528 0c0-3.4336-1.496-5.8703-4.209-5.8703-2.659 0-4.154 2.4367-4.154 5.8703s1.495 5.8149 4.154 5.8149c2.713 0 4.209-2.3813 4.209-5.8149zm10.352 0c0-7.6978 5.095-13.0143 12.571-13.0143 6.701 0 10.855 3.9874 11.574 9.8023h-8.417c-.222-1.4953-1.385-2.6029-3.157-2.6029-2.437 0-3.987 2.2706-3.987 5.8149s1.55 5.7595 3.987 5.7595c1.772 0 2.935-1.0522 3.157-2.5475h8.417c-.719 5.7596-4.873 9.8025-11.574 9.8025-7.476 0-12.571-5.3167-12.571-13.0145zm42.013 3.7658h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.643 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.516-13.0143 7.642 0 11.962 5.095 11.962 12.5159v2.1598h-16.116c.277 2.9905 1.828 4.5965 4.32 4.5965 1.772 0 3.156-.7753 3.655-2.4921zm-3.821-10.0237c-2.049 0-3.434 1.2737-3.988 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.544-3.5997zm13.428 11.0206h8.473c.387 1.3845 1.606 2.1598 3.156 2.1598 1.44 0 2.548-.5538 2.548-1.7168 0-.9414-.72-1.2737-1.938-1.5506l-4.874-.9969c-4.153-.886-6.867-2.8797-6.867-7.2547 0-5.3165 4.763-8.4178 10.633-8.4178 6.812 0 10.522 3.1567 11.297 8.0855h-8.03c-.277-1.0522-1.052-1.9937-3.046-1.9937-1.273 0-2.326.5538-2.326 1.6614 0 .7753.554 1.163 1.717 1.3845l4.929 1.163c4.541 1.0522 6.978 3.4335 6.978 7.4763 0 5.3168-4.818 8.2518-10.91 8.2518-6.369 0-10.965-2.88-11.74-8.2518zm24.269 0h8.474c.387 1.3845 1.606 2.1598 3.156 2.1598 1.44 0 2.548-.5538 2.548-1.7168 0-.9414-.72-1.2737-1.939-1.5506l-4.873-.9969c-4.154-.886-6.867-2.8797-6.867-7.2547 0-5.3165 4.763-8.4178 10.633-8.4178 6.812 0 10.522 3.1567 11.297 8.0855h-8.03c-.277-1.0522-1.052-1.9937-3.046-1.9937-1.273 0-2.326.5538-2.326 1.6614 0 .7753.554 1.163 1.717 1.3845l4.929 1.163c4.541 1.0522 6.978 3.4335 6.978 7.4763 0 5.3168-4.818 8.2518-10.91 8.2518-6.369 0-10.965-2.88-11.741-8.2518zm47.918 7.6978h-8.363v-1.274c-.831.831-3.323 1.717-5.981 1.717-4.929 0-9.082-2.769-9.082-8.0301 0-4.818 4.153-7.9193 9.581-7.9193 2.049 0 4.485.6646 5.482 1.3845v-1.606c0-1.606-.941-2.9905-3.046-2.9905-1.606 0-2.547.7199-2.935 1.8275h-8.196c.72-4.8181 4.984-8.6393 11.408-8.6393 7.089 0 11.132 3.7659 11.132 10.2453zm-8.363-6.9779v-1.4399c-.554-1.0522-2.049-1.7167-3.655-1.7167-1.717 0-3.434.7199-3.434 2.3813 0 1.7168 1.717 2.4367 3.434 2.4367 1.606 0 3.101-.6645 3.655-1.6614zm20.742 4.9839v1.994h-8.695v-35.997h8.695v13.0697c1.163-1.3291 3.6-2.5475 6.147-2.5475 7.2 0 11.132 5.8149 11.132 13.0143s-3.932 13.0145-11.132 13.0145c-2.547 0-4.984-1.219-6.147-2.548zm0-13.7893v6.5902c.665 1.3845 2.105 2.326 3.821 2.326 2.991 0 4.763-2.3814 4.763-5.5934s-1.772-5.6488-4.763-5.6488c-1.661 0-3.156.9969-3.821 2.326zm28.759-20.2137v35.997h-8.695v-35.997zm19.172 27.3023h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.643 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.515-13.0143 7.643 0 11.962 5.095 11.962 12.5159v2.1598h-16.115c.277 2.9905 1.827 4.5965 4.32 4.5965 1.772 0 3.156-.7753 3.655-2.4921zm-3.822-10.0237c-2.049 0-3.433 1.2737-3.987 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.545-3.5997zm25.461-15.2849h24.311v7.6424h-15.561v5.3165h14.232v7.4763h-14.232v5.8703h15.561v7.6978h-24.311zm27.942 34.0033v-24.921h8.694v2.1598c1.385-1.5506 3.822-2.7136 6.701-2.7136 5.538 0 8.806 3.5997 8.806 9.1377v16.3371h-8.639v-14.2327c0-2.049-1.053-3.5443-3.268-3.5443-1.717 0-3.157.9969-3.6 2.7136v15.0634zm29.991-8.5839v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.206v6.7564h-5.206v8.307c0 1.9383.941 2.769 2.658 2.769.942 0 1.994-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.87 0-9.193-2.769-9.193-9.0819zm26.161-16.3371v24.921h-8.694v-24.921zm.61-6.7564c0 2.8244-2.271 4.652-4.929 4.652s-4.929-1.8276-4.929-4.652c0-2.8797 2.271-4.7073 4.929-4.7073s4.929 1.8276 4.929 4.7073zm5.382 23.0935v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.206v6.7564h-5.206v8.307c0 1.9383.941 2.769 2.658 2.769.941 0 1.994-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.87 0-9.193-2.769-9.193-9.0819zm29.22 17.3889h-8.584l3.655-9.414-9.303-24.312h9.026l4.763 14.1773 4.652-14.1773h8.639z" fill="#d30001"/></svg>
+      </header>
+      <article>
+        <p><strong>The change you wanted was rejected.</strong> Maybe you tried to change something you didn’t have access to. If you’re the application owner check the logs for more information.</p>
+      </article>
+    </main>
+
+  </body>
+
 </html>
diff --git a/public/500.html b/public/500.html
index 78a030af2..d77718c3a 100644
--- a/public/500.html
+++ b/public/500.html
@@ -1,66 +1,114 @@
-<!DOCTYPE html>
-<html>
-<head>
-  <title>We're sorry, but something went wrong (500)</title>
-  <meta name="viewport" content="width=device-width,initial-scale=1">
-  <style>
-  .rails-default-error-page {
-    background-color: #EFEFEF;
-    color: #2E2F30;
-    text-align: center;
-    font-family: arial, sans-serif;
-    margin: 0;
-  }
-
-  .rails-default-error-page div.dialog {
-    width: 95%;
-    max-width: 33em;
-    margin: 4em auto 0;
-  }
-
-  .rails-default-error-page div.dialog > div {
-    border: 1px solid #CCC;
-    border-right-color: #999;
-    border-left-color: #999;
-    border-bottom-color: #BBB;
-    border-top: #B00100 solid 4px;
-    border-top-left-radius: 9px;
-    border-top-right-radius: 9px;
-    background-color: white;
-    padding: 7px 12% 0;
-    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
-  }
-
-  .rails-default-error-page h1 {
-    font-size: 100%;
-    color: #730E15;
-    line-height: 1.5em;
-  }
-
-  .rails-default-error-page div.dialog > p {
-    margin: 0 0 1em;
-    padding: 1em;
-    background-color: #F7F7F7;
-    border: 1px solid #CCC;
-    border-right-color: #999;
-    border-left-color: #999;
-    border-bottom-color: #999;
-    border-bottom-left-radius: 4px;
-    border-bottom-right-radius: 4px;
-    border-top-color: #DADADA;
-    color: #666;
-    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
-  }
-  </style>
-</head>
-
-<body class="rails-default-error-page">
-  <!-- This file lives in public/500.html -->
-  <div class="dialog">
-    <div>
-      <h1>We're sorry, but something went wrong.</h1>
-    </div>
-    <p>If you are the application owner check the logs for more information.</p>
-  </div>
-</body>
+<!doctype html>
+
+<html lang="en">
+
+  <head>
+
+    <title>We’re sorry, but something went wrong (500 Internal Server Error)</title>
+
+    <meta charset="utf-8">
+    <meta name="viewport" content="initial-scale=1, width=device-width">
+    <meta name="robots" content="noindex, nofollow">
+
+    <style>
+
+      *, *::before, *::after {
+        box-sizing: border-box;
+      }
+
+      * {
+        margin: 0;
+      }
+
+      html {
+        font-size: 16px;
+      }
+
+      body {
+        background: #FFF;
+        color: #261B23;
+        display: grid;
+        font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, Aptos, Roboto, "Segoe UI", "Helvetica Neue", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
+        font-size: clamp(1rem, 2.5vw, 2rem);
+        -webkit-font-smoothing: antialiased;
+        font-style: normal;
+        font-weight: 400;
+        letter-spacing: -0.0025em;
+        line-height: 1.4;
+        min-height: 100vh;
+        place-items: center;
+        text-rendering: optimizeLegibility;
+        -webkit-text-size-adjust: 100%;
+      }
+
+      a {
+        color: inherit;
+        font-weight: 700;
+        text-decoration: underline;
+        text-underline-offset: 0.0925em;
+      }
+
+      b, strong {
+        font-weight: 700;
+      }
+
+      i, em {
+        font-style: italic;
+      }
+
+      main {
+        display: grid;
+        gap: 1em;
+        padding: 2em;
+        place-items: center;
+        text-align: center;
+      }
+
+      main header {
+        width: min(100%, 12em);
+      }
+
+      main header svg {
+        height: auto;
+        max-width: 100%;
+        width: 100%;
+      }
+
+      main article {
+        width: min(100%, 30em);
+      }
+
+      main article p {
+        font-size: 75%;
+      }
+
+      main article br {
+
+        display: none;
+
+        @media(min-width: 48em) {
+          display: inline;
+        }
+
+      }
+
+    </style>
+
+  </head>
+
+  <body>
+
+    <!-- This file lives in public/500.html -->
+
+    <main>
+      <header>
+        <svg height="172" viewBox="0 0 480 172" width="480" xmlns="http://www.w3.org/2000/svg"><path d="m101.23 93.8427c-8.1103 0-15.4098 3.7849-19.7354 8.3813h-36.2269v-99.21891h103.8143v37.03791h-68.3984v24.8722c5.1366-2.7035 15.1396-5.9477 24.6014-5.9477 35.146 0 56.233 22.7094 56.233 55.4215 0 34.605-23.791 57.315-60.558 57.315-37.8492 0-61.64-22.169-63.8028-55.963h42.9857c1.0814 10.814 9.1919 19.195 21.6281 19.195 11.355 0 19.465-8.381 19.465-20.547 0-11.625-7.299-20.5463-20.006-20.5463zm138.833 77.8613c-40.822 0-64.884-35.146-64.884-85.7015 0-50.5554 24.062-85.700907 64.884-85.700907 40.823 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.061 85.7015-64.884 85.7015zm0-133.2831c-17.572 0-22.709 21.8984-22.709 47.5816 0 25.6835 5.137 47.5815 22.709 47.5815 17.303 0 22.71-21.898 22.71-47.5815 0-25.6832-5.407-47.5816-22.71-47.5816zm140.456 133.2831c-40.823 0-64.884-35.146-64.884-85.7015 0-50.5554 24.061-85.700907 64.884-85.700907 40.822 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.062 85.7015-64.884 85.7015zm0-133.2831c-17.573 0-22.71 21.8984-22.71 47.5816 0 25.6835 5.137 47.5815 22.71 47.5815 17.302 0 22.709-21.898 22.709-47.5815 0-25.6832-5.407-47.5816-22.709-47.5816z" fill="#f0eff0"/><path d="m23.1377 68.9967v34.0033h-8.9162v-34.0033zm4.3157 34.0033v-24.921h8.6947v2.1598c1.3845-1.5506 3.8212-2.7136 6.701-2.7136 5.538 0 8.8054 3.5997 8.8054 9.1377v16.3371h-8.6393v-14.2327c0-2.049-1.0522-3.5443-3.2674-3.5443-1.7168 0-3.1567.9969-3.5997 2.7136v15.0634zm29.9913-8.5839v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.5839v6.8671h5.2058v6.7564h-5.2058v8.307c0 1.9383.9415 2.769 2.6583 2.769.9414 0 1.9937-.2216 2.769-.5538v7.3654c-.9969.443-2.8798.775-4.8181.775-5.8703 0-9.1931-2.769-9.1931-9.0819zm32.3666-.1108h8.0301c-.8861 5.7597-5.2057 9.2487-11.6852 9.2487-7.6424 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.3165-13.0143 12.5159-13.0143 7.6424 0 11.9621 5.095 11.9621 12.5159v2.1598h-16.1156c.2769 2.9905 1.8275 4.5965 4.3196 4.5965 1.7722 0 3.1567-.7753 3.6551-2.4921zm-3.8212-10.0237c-2.0491 0-3.4336 1.2737-3.9874 3.5997h7.5317c-.1107-2.0491-1.3845-3.5997-3.5443-3.5997zm31.4299-6.3134v8.3624c-1.052-.5538-2.215-.7753-3.599-.7753-2.382 0-3.988 1.0522-4.431 2.8244v14.6203h-8.694v-24.921h8.694v2.2152c1.219-1.6614 3.157-2.769 5.649-2.769 1.108 0 1.994.2215 2.381.443zm2.949 25.0318v-24.921h8.694v2.1598c1.385-1.5506 3.821-2.7136 6.701-2.7136 5.538 0 8.806 3.5997 8.806 9.1377v16.3371h-8.64v-14.2327c0-2.049-1.052-3.5443-3.267-3.5443-1.717 0-3.157.9969-3.6 2.7136v15.0634zm50.371 0h-8.363v-1.274c-.83.831-3.323 1.717-5.981 1.717-4.929 0-9.082-2.769-9.082-8.0301 0-4.818 4.153-7.9193 9.581-7.9193 2.049 0 4.485.6646 5.482 1.3845v-1.606c0-1.606-.941-2.9905-3.046-2.9905-1.606 0-2.547.7199-2.935 1.8275h-8.196c.72-4.8181 4.984-8.6393 11.408-8.6393 7.089 0 11.132 3.7659 11.132 10.2453zm-8.363-6.9779v-1.4399c-.554-1.0522-2.049-1.7167-3.655-1.7167-1.717 0-3.433.7199-3.433 2.3813 0 1.7168 1.716 2.4367 3.433 2.4367 1.606 0 3.101-.6645 3.655-1.6614zm20.742-29.0191v35.997h-8.694v-35.997zm13.036 25.9178h9.248c.72 2.326 2.714 3.489 5.483 3.489 2.713 0 4.596-1.163 4.596-3.2674 0-1.6061-1.052-2.326-3.212-2.8244l-6.534-1.3845c-4.985-1.1076-8.751-3.7105-8.751-9.47 0-6.6456 5.538-11.0206 13.07-11.0206 8.307 0 13.014 4.5411 13.956 10.4114h-8.695c-.72-1.8829-2.27-3.3228-5.205-3.3228-2.548 0-4.265 1.1076-4.265 2.9905 0 1.4953 1.052 2.326 2.825 2.7137l6.645 1.5506c5.815 1.3845 9.027 4.5412 9.027 9.8023 0 6.9778-5.87 10.9654-13.291 10.9654-8.141 0-13.679-3.9322-14.897-10.6332zm46.509 1.3845h8.031c-.887 5.7597-5.206 9.2487-11.686 9.2487-7.642 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.317-13.0143 12.516-13.0143 7.643 0 11.962 5.095 11.962 12.5159v2.1598h-16.115c.277 2.9905 1.827 4.5965 4.319 4.5965 1.773 0 3.157-.7753 3.655-2.4921zm-3.821-10.0237c-2.049 0-3.433 1.2737-3.987 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.545-3.5997zm31.431-6.3134v8.3624c-1.053-.5538-2.216-.7753-3.6-.7753-2.381 0-3.988 1.0522-4.431 2.8244v14.6203h-8.694v-24.921h8.694v2.2152c1.219-1.6614 3.157-2.769 5.649-2.769 1.108 0 1.994.2215 2.382.443zm18.288 25.0318h-7.809l-9.47-24.921h8.861l4.763 14.288 4.652-14.288h8.528zm25.614-8.6947h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.642 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.516-13.0143 7.642 0 11.962 5.095 11.962 12.5159v2.1598h-16.116c.277 2.9905 1.828 4.5965 4.32 4.5965 1.772 0 3.157-.7753 3.655-2.4921zm-3.821-10.0237c-2.049 0-3.434 1.2737-3.988 3.5997h7.532c-.111-2.0491-1.384-3.5997-3.544-3.5997zm31.43-6.3134v8.3624c-1.052-.5538-2.215-.7753-3.6-.7753-2.381 0-3.987 1.0522-4.43 2.8244v14.6203h-8.695v-24.921h8.695v2.2152c1.218-1.6614 3.157-2.769 5.649-2.769 1.107 0 1.993.2215 2.381.443zm13.703-8.9715h24.312v7.6424h-15.562v5.3165h14.232v7.4763h-14.232v5.8703h15.562v7.6978h-24.312zm44.667 8.9715v8.3624c-1.052-.5538-2.215-.7753-3.6-.7753-2.381 0-3.987 1.0522-4.43 2.8244v14.6203h-8.695v-24.921h8.695v2.2152c1.218-1.6614 3.156-2.769 5.648-2.769 1.108 0 1.994.2215 2.382.443zm19.673 0v8.3624c-1.053-.5538-2.216-.7753-3.6-.7753-2.381 0-3.987 1.0522-4.43 2.8244v14.6203h-8.695v-24.921h8.695v2.2152c1.218-1.6614 3.156-2.769 5.648-2.769 1.108 0 1.994.2215 2.382.443zm26.769 12.5713c0 7.6978-5.15 13.0145-12.737 13.0145-7.532 0-12.738-5.3167-12.738-13.0145s5.206-13.0143 12.738-13.0143c7.587 0 12.737 5.3165 12.737 13.0143zm-8.529 0c0-3.4336-1.495-5.8703-4.208-5.8703-2.659 0-4.154 2.4367-4.154 5.8703s1.495 5.8149 4.154 5.8149c2.713 0 4.208-2.3813 4.208-5.8149zm28.082-12.5713v8.3624c-1.052-.5538-2.215-.7753-3.6-.7753-2.381 0-3.987 1.0522-4.43 2.8244v14.6203h-8.695v-24.921h8.695v2.2152c1.218-1.6614 3.157-2.769 5.649-2.769 1.107 0 1.993.2215 2.381.443z" fill="#d30001"/></svg>
+      </header>
+      <article>
+        <p><strong>We’re sorry, but something went wrong.</strong><br> If you’re the application owner check the logs for more information.</p>
+      </article>
+    </main>
+
+  </body>
+
 </html>

From 4693456be17fd26baba7f13ead60259898a5515e Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 9 Apr 2026 13:58:29 +0100
Subject: [PATCH 069/106] chore: do not include active_storage migrations

---
 ..._to_active_storage_blobs.active_storage.rb | 22 ---------------
 ..._storage_variant_records.active_storage.rb | 27 -------------------
 ...e_storage_blobs_checksum.active_storage.rb |  8 ------
 3 files changed, 57 deletions(-)
 delete mode 100644 db/migrate/20260409121409_add_service_name_to_active_storage_blobs.active_storage.rb
 delete mode 100644 db/migrate/20260409121410_create_active_storage_variant_records.active_storage.rb
 delete mode 100644 db/migrate/20260409121411_remove_not_null_on_active_storage_blobs_checksum.active_storage.rb

diff --git a/db/migrate/20260409121409_add_service_name_to_active_storage_blobs.active_storage.rb b/db/migrate/20260409121409_add_service_name_to_active_storage_blobs.active_storage.rb
deleted file mode 100644
index a15c6ce8e..000000000
--- a/db/migrate/20260409121409_add_service_name_to_active_storage_blobs.active_storage.rb
+++ /dev/null
@@ -1,22 +0,0 @@
-# This migration comes from active_storage (originally 20190112182829)
-class AddServiceNameToActiveStorageBlobs < ActiveRecord::Migration[6.0]
-  def up
-    return unless table_exists?(:active_storage_blobs)
-
-    unless column_exists?(:active_storage_blobs, :service_name)
-      add_column :active_storage_blobs, :service_name, :string
-
-      if configured_service = ActiveStorage::Blob.service.name
-        ActiveStorage::Blob.unscoped.update_all(service_name: configured_service)
-      end
-
-      change_column :active_storage_blobs, :service_name, :string, null: false
-    end
-  end
-
-  def down
-    return unless table_exists?(:active_storage_blobs)
-
-    remove_column :active_storage_blobs, :service_name
-  end
-end
diff --git a/db/migrate/20260409121410_create_active_storage_variant_records.active_storage.rb b/db/migrate/20260409121410_create_active_storage_variant_records.active_storage.rb
deleted file mode 100644
index 94ac83af0..000000000
--- a/db/migrate/20260409121410_create_active_storage_variant_records.active_storage.rb
+++ /dev/null
@@ -1,27 +0,0 @@
-# This migration comes from active_storage (originally 20191206030411)
-class CreateActiveStorageVariantRecords < ActiveRecord::Migration[6.0]
-  def change
-    return unless table_exists?(:active_storage_blobs)
-
-    # Use Active Record's configured type for primary key
-    create_table :active_storage_variant_records, id: primary_key_type, if_not_exists: true do |t|
-      t.belongs_to :blob, null: false, index: false, type: blobs_primary_key_type
-      t.string :variation_digest, null: false
-
-      t.index %i[ blob_id variation_digest ], name: "index_active_storage_variant_records_uniqueness", unique: true
-      t.foreign_key :active_storage_blobs, column: :blob_id
-    end
-  end
-
-  private
-    def primary_key_type
-      config = Rails.configuration.generators
-      config.options[config.orm][:primary_key_type] || :primary_key
-    end
-
-    def blobs_primary_key_type
-      pkey_name = connection.primary_key(:active_storage_blobs)
-      pkey_column = connection.columns(:active_storage_blobs).find { |c| c.name == pkey_name }
-      pkey_column.bigint? ? :bigint : pkey_column.type
-    end
-end
diff --git a/db/migrate/20260409121411_remove_not_null_on_active_storage_blobs_checksum.active_storage.rb b/db/migrate/20260409121411_remove_not_null_on_active_storage_blobs_checksum.active_storage.rb
deleted file mode 100644
index 93c8b85ad..000000000
--- a/db/migrate/20260409121411_remove_not_null_on_active_storage_blobs_checksum.active_storage.rb
+++ /dev/null
@@ -1,8 +0,0 @@
-# This migration comes from active_storage (originally 20211119233751)
-class RemoveNotNullOnActiveStorageBlobsChecksum < ActiveRecord::Migration[6.0]
-  def change
-    return unless table_exists?(:active_storage_blobs)
-
-    change_column_null(:active_storage_blobs, :checksum, true)
-  end
-end

From 5f8ccf961b23e0a1b28f75b0f02debc87ab4bbd3 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 9 Apr 2026 16:53:05 +0100
Subject: [PATCH 070/106] chore: apply more changes from
 https://railsdiff.org/7.2.3.1/8.0.5

---
 .dockerignore                                |  7 +++--
 .gitignore                                   |  3 +-
 app/channels/application_cable/channel.rb    |  4 ---
 app/channels/application_cable/connection.rb |  4 ---
 bin/docker-entrypoint                        |  7 +++--
 config/environments/development.rb           |  6 ++--
 config/environments/production.rb            | 33 ++++++++++----------
 7 files changed, 29 insertions(+), 35 deletions(-)
 delete mode 100644 app/channels/application_cable/channel.rb
 delete mode 100644 app/channels/application_cable/connection.rb

diff --git a/.dockerignore b/.dockerignore
index e3cd043e9..fb4e9b361 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -6,9 +6,12 @@
 # Ignore bundler config.
 /.bundle
 
-# Ignore all environment files (except templates).
+# Ignore all environment files
 /.env*
-!/.env*.erb
+
+# Ignore Kamal files.
+/config/deploy*.yml
+/.kamal
 
 # Ignore all default key files.
 /config/master.key
diff --git a/.gitignore b/.gitignore
index f856c4e89..e7cd399ce 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,9 +7,8 @@
 # Ignore bundler config
 /.bundle
 
-# Ignore all environment files (except templates).
+# Ignore all environment files
 /.env*
-!/.env*.erb
 
 # Ignore all logfiles and tempfiles.
 /log/*
diff --git a/app/channels/application_cable/channel.rb b/app/channels/application_cable/channel.rb
deleted file mode 100644
index d67269728..000000000
--- a/app/channels/application_cable/channel.rb
+++ /dev/null
@@ -1,4 +0,0 @@
-module ApplicationCable
-  class Channel < ActionCable::Channel::Base
-  end
-end
diff --git a/app/channels/application_cable/connection.rb b/app/channels/application_cable/connection.rb
deleted file mode 100644
index 0ff5442f4..000000000
--- a/app/channels/application_cable/connection.rb
+++ /dev/null
@@ -1,4 +0,0 @@
-module ApplicationCable
-  class Connection < ActionCable::Connection::Base
-  end
-end
diff --git a/bin/docker-entrypoint b/bin/docker-entrypoint
index 0690f2576..af841e1eb 100755
--- a/bin/docker-entrypoint
+++ b/bin/docker-entrypoint
@@ -5,8 +5,9 @@ if [[ "${@}" =~ "rails server" ]]; then
 fi
 
 # Enable jemalloc for reduced memory usage and latency.
-if [ -z "${LD_PRELOAD+x}" ] && [ -f /usr/lib/*/libjemalloc.so.2 ]; then
-  export LD_PRELOAD="$(echo /usr/lib/*/libjemalloc.so.2)"
+if [ -z "${LD_PRELOAD+x}" ]; then
+  LD_PRELOAD=$(find /usr/lib -name libjemalloc.so.2 -print -quit)
+  export LD_PRELOAD
 fi
 
 bundle install
@@ -36,7 +37,7 @@ mkdir -p {./,spec/}public/downloads/taxon_concepts_distributions
 mkdir -p {./,spec/}public/downloads/taxon_concepts_names
 
 # If running the rails server then create or migrate existing database
-# if [ "${1}" == "./bin/rails" ] && [ "${2}" == "server" ]; then
+# if [ "${@: -2:1}" == "./bin/rails" ] && [ "${@: -1:1}" == "server" ]; then
 #   ./bin/rails db:prepare
 # fi
 
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 623a6dfac..df7e38c40 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -61,12 +61,12 @@
   # Lets keep this for now, its development mode only.
   config.assets.debug = true
 
+  # Append comments with runtime information tags to SQL queries in logs.
+  config.active_record.query_log_tags_enabled = true
+
   # Highlight code that enqueued background job in logs.
   config.active_job.verbose_enqueue_logs = true
 
-  # Suppress logger output for asset requests.
-  config.assets.quiet = true
-
   # Enable DNS rebinding protection and other `Host` header attacks.
   # config.hosts = [
   #   "example.com",     # Allow requests from example.com
diff --git a/config/environments/production.rb b/config/environments/production.rb
index d93986aa5..9c8d37da7 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -6,19 +6,14 @@
   # Code is not reloaded between requests.
   config.enable_reloading = false
 
-  # Eager load code on boot. This eager loads most of Rails and
-  # your application in memory, allowing both threaded web servers
-  # and those relying on copy on write to perform better.
-  # Rake tasks automatically ignore this option for performance.
+  # Eager load code on boot for better performance and memory savings (ignored by Rake tasks).
   config.eager_load = true
 
-  # Full error reports are disabled and caching is turned on.
+  # Full error reports are disabled.
   config.consider_all_requests_local = false
-  config.action_controller.perform_caching = true
 
-  # Ensures that a master key has been made available in ENV["RAILS_MASTER_KEY"], config/master.key, or an environment
-  # key such as config/credentials/production.key. This key is used to decrypt credentials (and other encrypted files).
-  # config.require_master_key = true
+  # Turn on fragment caching in view templates
+  config.action_controller.perform_caching = true
 
   # Disable serving static files from `public/`, relying on NGINX/Apache to do so instead.
   config.public_file_server.enabled = false
@@ -29,8 +24,10 @@
   # Compress CSS using a preprocessor.
   # config.assets.css_compressor = :sass
 
-  # Do not fall back to assets pipeline if a precompiled asset is missed.
-  config.assets.compile = false
+  # Cache assets for far-future expiry since they are all digest stamped.
+  config.public_file_server.headers = {
+    'cache-control' => "public, max-age=#{1.year.to_i}"
+  }
 
   # Enable serving of images, stylesheets, and JavaScripts from an asset server.
   # config.asset_host = "http://assets.example.com"
@@ -77,14 +74,18 @@
   # Prepend all log lines with the following tags.
   config.log_tags = [ :request_id ]
 
-  # "info" includes generic and useful information about system operation, but avoids logging too much
-  # information to avoid inadvertent exposure of personally identifiable information (PII). If you
-  # want to log everything, set the level to "debug".
+  # Change to "debug" to log everything (including potentially personally-identifiable information!)
   # config.log_level = ENV.fetch("RAILS_LOG_LEVEL", "info")
   # Leonardo: override default behaviour and hard-code warn.
   # @see https://github.com/heartcombo/devise#password-reset-tokens-and-rails-logs
   config.log_level = 'warn'
 
+  # Prevent health checks from clogging up the logs.
+  config.silence_healthcheck_path = '/up'
+
+  # Don't log any deprecations.
+  config.active_support.report_deprecations = false
+
   # Use a redis instance as a cache store on production.
   config.cache_store = :redis_cache_store, { url: ENV.fetch('SAPI_SIDEKIQ_REDIS_CACHE_URL', Rails.application.credentials.dig(:redis_cache, :url)) }
 
@@ -103,9 +104,6 @@
   # config.i18n.fallbacks = true
   config.i18n.fallbacks = false
 
-  # Don't log any deprecations.
-  config.active_support.report_deprecations = false
-
   # Do not dump schema after migrations.
   config.active_record.dump_schema_after_migration = false
 
@@ -114,6 +112,7 @@
   #   "example.com",     # Allow requests from example.com
   #   /.*\.example\.com/ # Allow requests from subdomains like `www.example.com`
   # ]
+  #
   # Skip DNS rebinding protection for the default health check endpoint.
   # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
   config.hosts += ENV['ALLOWED_HOSTS'].split(',') if ENV['ALLOWED_HOSTS'].present?

From 16f06c1523d321ae7b46b97335ce8a31e86e9a74 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 9 Apr 2026 17:54:10 +0100
Subject: [PATCH 071/106] chore: bump defaults to 8.0

---
 config/application.rb                         |  2 +-
 .../0_new_framework_defaults_8_0.rb           | 30 -------------------
 2 files changed, 1 insertion(+), 31 deletions(-)
 delete mode 100644 config/initializers/0_new_framework_defaults_8_0.rb

diff --git a/config/application.rb b/config/application.rb
index 4dcde7fec..852a14403 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -11,7 +11,7 @@
 module SAPI
   class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
-    config.load_defaults 7.2
+    config.load_defaults 8.0
 
     # Since Rails 5, on submit, submission buttons in `form_for` are disabled.
     # However, if errors are thrown and the whole form is not rerendered, then
diff --git a/config/initializers/0_new_framework_defaults_8_0.rb b/config/initializers/0_new_framework_defaults_8_0.rb
deleted file mode 100644
index 92efa9515..000000000
--- a/config/initializers/0_new_framework_defaults_8_0.rb
+++ /dev/null
@@ -1,30 +0,0 @@
-# Be sure to restart your server when you modify this file.
-#
-# This file eases your Rails 8.0 framework defaults upgrade.
-#
-# Uncomment each configuration one by one to switch to the new default.
-# Once your application is ready to run with all new defaults, you can remove
-# this file and set the `config.load_defaults` to `8.0`.
-#
-# Read the Guide for Upgrading Ruby on Rails for more info on each option.
-# https://guides.rubyonrails.org/upgrading_ruby_on_rails.html
-
-###
-# Specifies whether `to_time` methods preserve the UTC offset of their receivers or preserves the timezone.
-# If set to `:zone`, `to_time` methods will use the timezone of their receivers.
-# If set to `:offset`, `to_time` methods will use the UTC offset.
-# If `false`, `to_time` methods will convert to the local system UTC offset instead.
-#++
-# Rails.application.config.active_support.to_time_preserves_timezone = :zone
-
-###
-# When both `If-Modified-Since` and `If-None-Match` are provided by the client
-# only consider `If-None-Match` as specified by RFC 7232 Section 6.
-# If set to `false` both conditions need to be satisfied.
-#++
-# Rails.application.config.action_dispatch.strict_freshness = true
-
-###
-# Set `Regexp.timeout` to `1`s by default to improve security over Regexp Denial-of-Service attacks.
-#++
-# Regexp.timeout = 1

From 1efaf15cd0194360276e3714a8783723ade6e12a Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Fri, 10 Apr 2026 09:11:18 +0100
Subject: [PATCH 072/106] chore: upgrade Rails from 8.0.5 to 8.1.3,
 acts-as-taggable-on, bundle update

---
 Gemfile      |   4 +-
 Gemfile.lock | 126 ++++++++++++++++++++++++++-------------------------
 2 files changed, 66 insertions(+), 64 deletions(-)

diff --git a/Gemfile b/Gemfile
index 38bdd2378..fe385b3d5 100644
--- a/Gemfile
+++ b/Gemfile
@@ -3,7 +3,7 @@ source 'https://rubygems.org'
 ruby '3.4.9'
 
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rails', '8.0.5'
+gem 'rails', '8.1.3'
 
 # Configure Cross-Origin resource sharing
 gem 'rack-cors'
@@ -66,7 +66,7 @@ gem 'httparty', '~> 0.21.0'
 
 gem 'kaminari', '~> 1.2', '>= 1.2.2' # TODO: Suggest migrate to pagy gem.
 
-gem 'acts-as-taggable-on', '~> 12.0'
+gem 'acts-as-taggable-on', '~> 13.0'
 gem 'carrierwave', '~> 3.0', '>= 3.0.5'
 
 # PDF
diff --git a/Gemfile.lock b/Gemfile.lock
index d7ea6c3bc..cf9a538a3 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -2,29 +2,31 @@ GEM
   remote: https://rubygems.org/
   specs:
     Ascii85 (1.0.3)
-    actioncable (8.0.5)
-      actionpack (= 8.0.5)
-      activesupport (= 8.0.5)
+    action_text-trix (2.1.18)
+      railties
+    actioncable (8.1.3)
+      actionpack (= 8.1.3)
+      activesupport (= 8.1.3)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
       zeitwerk (~> 2.6)
-    actionmailbox (8.0.5)
-      actionpack (= 8.0.5)
-      activejob (= 8.0.5)
-      activerecord (= 8.0.5)
-      activestorage (= 8.0.5)
-      activesupport (= 8.0.5)
+    actionmailbox (8.1.3)
+      actionpack (= 8.1.3)
+      activejob (= 8.1.3)
+      activerecord (= 8.1.3)
+      activestorage (= 8.1.3)
+      activesupport (= 8.1.3)
       mail (>= 2.8.0)
-    actionmailer (8.0.5)
-      actionpack (= 8.0.5)
-      actionview (= 8.0.5)
-      activejob (= 8.0.5)
-      activesupport (= 8.0.5)
+    actionmailer (8.1.3)
+      actionpack (= 8.1.3)
+      actionview (= 8.1.3)
+      activejob (= 8.1.3)
+      activesupport (= 8.1.3)
       mail (>= 2.8.0)
       rails-dom-testing (~> 2.2)
-    actionpack (8.0.5)
-      actionview (= 8.0.5)
-      activesupport (= 8.0.5)
+    actionpack (8.1.3)
+      actionview (= 8.1.3)
+      activesupport (= 8.1.3)
       nokogiri (>= 1.8.5)
       rack (>= 2.2.4)
       rack-session (>= 1.0.1)
@@ -32,15 +34,16 @@ GEM
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
       useragent (~> 0.16)
-    actiontext (8.0.5)
-      actionpack (= 8.0.5)
-      activerecord (= 8.0.5)
-      activestorage (= 8.0.5)
-      activesupport (= 8.0.5)
+    actiontext (8.1.3)
+      action_text-trix (~> 2.1.15)
+      actionpack (= 8.1.3)
+      activerecord (= 8.1.3)
+      activestorage (= 8.1.3)
+      activesupport (= 8.1.3)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (8.0.5)
-      activesupport (= 8.0.5)
+    actionview (8.1.3)
+      activesupport (= 8.1.3)
       builder (~> 3.1)
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
@@ -55,36 +58,36 @@ GEM
       activestorage (>= 6.1.4)
       activesupport (>= 6.1.4)
       marcel (>= 1.0.3)
-    activejob (8.0.5)
-      activesupport (= 8.0.5)
+    activejob (8.1.3)
+      activesupport (= 8.1.3)
       globalid (>= 0.3.6)
-    activemodel (8.0.5)
-      activesupport (= 8.0.5)
-    activerecord (8.0.5)
-      activemodel (= 8.0.5)
-      activesupport (= 8.0.5)
+    activemodel (8.1.3)
+      activesupport (= 8.1.3)
+    activerecord (8.1.3)
+      activemodel (= 8.1.3)
+      activesupport (= 8.1.3)
       timeout (>= 0.4.0)
-    activestorage (8.0.5)
-      actionpack (= 8.0.5)
-      activejob (= 8.0.5)
-      activerecord (= 8.0.5)
-      activesupport (= 8.0.5)
+    activestorage (8.1.3)
+      actionpack (= 8.1.3)
+      activejob (= 8.1.3)
+      activerecord (= 8.1.3)
+      activesupport (= 8.1.3)
       marcel (~> 1.0)
-    activesupport (8.0.5)
+    activesupport (8.1.3)
       base64
-      benchmark (>= 0.3)
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.3.1)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
+      json
       logger (>= 1.4.2)
       minitest (>= 5.1)
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
       uri (>= 0.13.1)
-    acts-as-taggable-on (12.0.0)
-      activerecord (>= 7.1, < 8.1)
+    acts-as-taggable-on (13.0.0)
+      activerecord (>= 7.1, < 8.2)
       zeitwerk (>= 2.4, < 3.0)
     addressable (2.9.0)
       public_suffix (>= 2.0.2, < 8.0)
@@ -131,7 +134,6 @@ GEM
     base64 (0.2.0)
     bcrypt (3.1.22)
     bcrypt_pbkdf (1.1.0)
-    benchmark (0.5.0)
     bigdecimal (4.1.1)
     bindex (0.8.1)
     bootsnap (1.23.0)
@@ -351,7 +353,7 @@ GEM
       i18n (>= 0.6.10, < 2)
       request_store (~> 1.0)
     msgpack (1.8.0)
-    multi_json (1.19.1)
+    multi_json (1.20.0)
     multi_xml (0.8.1)
       bigdecimal (>= 3.1, < 5)
     nested-hstore (0.1.2)
@@ -385,7 +387,7 @@ GEM
     paper_trail (17.0.0)
       activerecord (>= 7.1)
       request_store (~> 1.4)
-    parallel (2.0.0)
+    parallel (2.0.1)
     parser (3.3.11.1)
       ast (~> 2.4.1)
       racc
@@ -429,20 +431,20 @@ GEM
     rackup (1.0.1)
       rack (< 3)
       webrick
-    rails (8.0.5)
-      actioncable (= 8.0.5)
-      actionmailbox (= 8.0.5)
-      actionmailer (= 8.0.5)
-      actionpack (= 8.0.5)
-      actiontext (= 8.0.5)
-      actionview (= 8.0.5)
-      activejob (= 8.0.5)
-      activemodel (= 8.0.5)
-      activerecord (= 8.0.5)
-      activestorage (= 8.0.5)
-      activesupport (= 8.0.5)
+    rails (8.1.3)
+      actioncable (= 8.1.3)
+      actionmailbox (= 8.1.3)
+      actionmailer (= 8.1.3)
+      actionpack (= 8.1.3)
+      actiontext (= 8.1.3)
+      actionview (= 8.1.3)
+      activejob (= 8.1.3)
+      activemodel (= 8.1.3)
+      activerecord (= 8.1.3)
+      activestorage (= 8.1.3)
+      activesupport (= 8.1.3)
       bundler (>= 1.15.0)
-      railties (= 8.0.5)
+      railties (= 8.1.3)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
       actionview (>= 5.0.1.rc1)
@@ -454,9 +456,9 @@ GEM
     rails-html-sanitizer (1.7.0)
       loofah (~> 2.25)
       nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
-    railties (8.0.5)
-      actionpack (= 8.0.5)
-      activesupport (= 8.0.5)
+    railties (8.1.3)
+      actionpack (= 8.1.3)
+      activesupport (= 8.1.3)
       irb (~> 1.13)
       rackup (>= 1.0.0)
       rake (>= 12.2)
@@ -571,7 +573,7 @@ GEM
       sprockets-rails
       tilt
     securerandom (0.4.1)
-    selenium-webdriver (4.42.0)
+    selenium-webdriver (4.43.0)
       base64 (~> 0.2)
       logger (~> 1.4)
       rexml (~> 3.2, >= 3.2.5)
@@ -678,7 +680,7 @@ PLATFORMS
 DEPENDENCIES
   active_model_serializers (= 0.8.4)
   active_storage_validations (~> 2.0)
-  acts-as-taggable-on (~> 12.0)
+  acts-as-taggable-on (~> 13.0)
   ahoy_matey (~> 5.0, >= 5.0.2)
   annotaterb (~> 4.22.0)
   appsignal (~> 3.13.1)
@@ -740,7 +742,7 @@ DEPENDENCIES
   puma (~> 5.0)
   rack-cors
   rack-mini-profiler (~> 4.0.1)
-  rails (= 8.0.5)
+  rails (= 8.1.3)
   rails-controller-testing
   rbnacl (= 4.0.2)
   rbnacl-libsodium (= 1.0.16)

From f0a0bc529aea1d0c6fedc024f9c2c607b3b1775b Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Fri, 10 Apr 2026 09:29:27 +0100
Subject: [PATCH 073/106] chore: for 8.1.3, run "bundle exec rails app:update"

---
 bin/rubocop                                   |  2 +-
 bin/setup                                     |  1 +
 config/environments/production.rb             |  7 +-
 .../0_new_framework_defaults_8_1.rb           | 74 +++++++++++++++++++
 .../initializers/content_security_policy.rb   |  4 +
 config/puma.rb                                |  5 +-
 public/400.html                               | 31 ++++++--
 public/404.html                               | 33 +++++++--
 public/406-unsupported-browser.html           | 29 +++++++-
 public/422.html                               | 31 ++++++--
 public/500.html                               | 33 +++++++--
 11 files changed, 217 insertions(+), 33 deletions(-)
 create mode 100644 config/initializers/0_new_framework_defaults_8_1.rb

diff --git a/bin/rubocop b/bin/rubocop
index 40330c0ff..5a2050471 100755
--- a/bin/rubocop
+++ b/bin/rubocop
@@ -2,7 +2,7 @@
 require "rubygems"
 require "bundler/setup"
 
-# explicit rubocop config increases performance slightly while avoiding config confusion.
+# Explicit RuboCop config increases performance slightly while avoiding config confusion.
 ARGV.unshift("--config", File.expand_path("../.rubocop.yml", __dir__))
 
 load Gem.bin_path("rubocop", "rubocop")
diff --git a/bin/setup b/bin/setup
index 2311239cd..d9b575d79 100755
--- a/bin/setup
+++ b/bin/setup
@@ -24,6 +24,7 @@ FileUtils.chdir APP_ROOT do
 
   puts "\n== Preparing database =="
   system! "bin/rails db:prepare"
+  system! "bin/rails db:reset" if ARGV.include?("--reset")
 
   puts "\n== Removing old logs and tempfiles =="
   system! "bin/rails log:clear tmp:clear"
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 9c8d37da7..fd5519fc0 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -12,7 +12,7 @@
   # Full error reports are disabled.
   config.consider_all_requests_local = false
 
-  # Turn on fragment caching in view templates
+  # Turn on fragment caching in view templates.
   config.action_controller.perform_caching = true
 
   # Disable serving static files from `public/`, relying on NGINX/Apache to do so instead.
@@ -45,11 +45,10 @@
   # config.action_cable.allowed_request_origins = [ "http://example.com", /http:\/\/example.*/ ]
 
   # Assume all access to the app is happening through a SSL-terminating reverse proxy.
-  # Can be used together with config.force_ssl for Strict-Transport-Security and secure cookies.
   # config.assume_ssl = true
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  # config.force_ssl = true # TODO: should we enable it? Rails enable it by default since 7.1
+  # config.force_ssl = true
 
   # TODO: Since Rails 7.1, the log no longer output to file, but STDOUT, which is the better approach, specially suitable
   # for docker. However this project still deploying use cap, we may need to change it back until we ready?
@@ -89,7 +88,7 @@
   # Use a redis instance as a cache store on production.
   config.cache_store = :redis_cache_store, { url: ENV.fetch('SAPI_SIDEKIQ_REDIS_CACHE_URL', Rails.application.credentials.dig(:redis_cache, :url)) }
 
-  # Use a real queuing backend for Active Job (and separate queues per environment).
+  # Replace the default in-process and non-durable queuing backend for Active Job.
   # config.active_job.queue_adapter = :resque
   # config.active_job.queue_name_prefix = "sapi_production"
 
diff --git a/config/initializers/0_new_framework_defaults_8_1.rb b/config/initializers/0_new_framework_defaults_8_1.rb
new file mode 100644
index 000000000..8569b5b1c
--- /dev/null
+++ b/config/initializers/0_new_framework_defaults_8_1.rb
@@ -0,0 +1,74 @@
+# Be sure to restart your server when you modify this file.
+#
+# This file eases your Rails 8.1 framework defaults upgrade.
+#
+# Uncomment each configuration one by one to switch to the new default.
+# Once your application is ready to run with all new defaults, you can remove
+# this file and set the `config.load_defaults` to `8.1`.
+#
+# Read the Guide for Upgrading Ruby on Rails for more info on each option.
+# https://guides.rubyonrails.org/upgrading_ruby_on_rails.html
+
+###
+# Skips escaping HTML entities and line separators. When set to `false`, the
+# JSON renderer no longer escapes these to improve performance.
+#
+# Example:
+#   class PostsController < ApplicationController
+#     def index
+#       render json: { key: "\u2028\u2029<>&" }
+#     end
+#   end
+#
+# Renders `{"key":"\u2028\u2029\u003c\u003e\u0026"}` with the previous default, but `{"key":"

<>&"}` with the config
+# set to `false`.
+#
+# Applications that want to keep the escaping behavior can set the config to `true`.
+#++
+# Rails.configuration.action_controller.escape_json_responses = false
+
+###
+# Skips escaping LINE SEPARATOR (U+2028) and PARAGRAPH SEPARATOR (U+2029) in JSON.
+#
+# Historically these characters were not valid inside JavaScript literal strings but that changed in ECMAScript 2019.
+# As such it's no longer a concern in modern browsers: https://caniuse.com/mdn-javascript_builtins_json_json_superset.
+#++
+# Rails.configuration.active_support.escape_js_separators_in_json = false
+
+###
+# Raises an error when order dependent finder methods (e.g. `#first`, `#second`) are called without `order` values
+# on the relation, and the model does not have any order columns (`implicit_order_column`, `query_constraints`, or
+# `primary_key`) to fall back on.
+#
+# The current behavior of not raising an error has been deprecated, and this configuration option will be removed in
+# Rails 8.2.
+#++
+# Rails.configuration.active_record.raise_on_missing_required_finder_order_columns = true
+
+###
+# Controls how Rails handles path relative URL redirects.
+# When set to `:raise`, Rails will raise an `ActionController::Redirecting::UnsafeRedirectError`
+# for relative URLs without a leading slash, which can help prevent open redirect vulnerabilities.
+#
+# Example:
+#   redirect_to "example.com"     # Raises UnsafeRedirectError
+#   redirect_to "@attacker.com"   # Raises UnsafeRedirectError
+#   redirect_to "/safe/path"      # Works correctly
+#
+# Applications that want to allow these redirects can set the config to `:log` (previous default)
+# to only log warnings, or `:notify` to send ActiveSupport notifications.
+#++
+# Rails.configuration.action_controller.action_on_path_relative_redirect = :raise
+
+###
+# Use a Ruby parser to track dependencies between Action View templates
+#++
+# Rails.configuration.action_view.render_tracker = :ruby
+
+###
+# When enabled, hidden inputs generated by `form_tag`, `token_tag`, `method_tag`, and the hidden parameter fields
+# included in `button_to` forms will omit the `autocomplete="off"` attribute.
+#
+# Applications that want to keep generating the `autocomplete` attribute for those tags can set it to `false`.
+#++
+# Rails.configuration.action_view.remove_hidden_field_autocomplete = true
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index b3076b38f..d51d71397 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -20,6 +20,10 @@
 #   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
 #   config.content_security_policy_nonce_directives = %w(script-src style-src)
 #
+#   # Automatically add `nonce` to `javascript_tag`, `javascript_include_tag`, and `stylesheet_link_tag`
+#   # if the corresponding directives are specified in `content_security_policy_nonce_directives`.
+#   # config.content_security_policy_nonce_auto = true
+#
 #   # Report violations without enforcing the policy.
 #   # config.content_security_policy_report_only = true
 # end
diff --git a/config/puma.rb b/config/puma.rb
index a248513b2..38c4b8659 100644
--- a/config/puma.rb
+++ b/config/puma.rb
@@ -7,7 +7,8 @@
 #
 # You can control the number of workers using ENV["WEB_CONCURRENCY"]. You
 # should only set this value when you want to run 2 or more workers. The
-# default is already 1.
+# default is already 1. You can set it to `auto` to automatically start a worker
+# for each available processor.
 #
 # The ideal number of threads per worker depends both on how much time the
 # application spends waiting for IO operations and on how much you wish to
@@ -33,7 +34,7 @@
 # Allow puma to be restarted by `bin/rails restart` command.
 plugin :tmp_restart
 
-# Run the Solid Queue supervisor inside of Puma for single-server deployments
+# Run the Solid Queue supervisor inside of Puma for single-server deployments.
 plugin :solid_queue if ENV["SOLID_QUEUE_IN_PUMA"]
 
 # Specify the PID file. Defaults to tmp/pids/server.pid in development.
diff --git a/public/400.html b/public/400.html
index 282dbc8cc..640de0339 100644
--- a/public/400.html
+++ b/public/400.html
@@ -35,12 +35,35 @@
         font-weight: 400;
         letter-spacing: -0.0025em;
         line-height: 1.4;
-        min-height: 100vh;
+        min-height: 100dvh;
         place-items: center;
         text-rendering: optimizeLegibility;
         -webkit-text-size-adjust: 100%;
       }
 
+      #error-description {
+        fill: #d30001;
+      }
+
+      #error-id {
+        fill: #f0eff0;
+      }
+
+      @media (prefers-color-scheme: dark) {
+        body {
+          background: #101010;
+          color: #e0e0e0;
+        }
+
+        #error-description {
+          fill: #FF6161;
+        }
+
+        #error-id {
+          fill: #2c2c2c;
+        }
+      }
+
       a {
         color: inherit;
         font-weight: 700;
@@ -83,13 +106,11 @@
       }
 
       main article br {
-
         display: none;
 
         @media(min-width: 48em) {
           display: inline;
         }
-
       }
 
     </style>
@@ -102,10 +123,10 @@
 
     <main>
       <header>
-        <svg height="172" viewBox="0 0 480 172" width="480" xmlns="http://www.w3.org/2000/svg"><path d="m124.48 3.00509-45.6889 100.02991h26.2239v-28.1168h38.119v28.1168h21.628v35.145h-21.628v30.82h-37.308v-30.82h-72.1833v-31.901l50.2851-103.27391zm115.583 168.69891c-40.822 0-64.884-35.146-64.884-85.7015 0-50.5554 24.062-85.700907 64.884-85.700907 40.823 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.061 85.7015-64.884 85.7015zm0-133.2831c-17.572 0-22.709 21.8984-22.709 47.5816 0 25.6835 5.137 47.5815 22.709 47.5815 17.303 0 22.71-21.898 22.71-47.5815 0-25.6832-5.407-47.5816-22.71-47.5816zm140.456 133.2831c-40.823 0-64.884-35.146-64.884-85.7015 0-50.5554 24.061-85.700907 64.884-85.700907 40.822 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.062 85.7015-64.884 85.7015zm0-133.2831c-17.573 0-22.71 21.8984-22.71 47.5816 0 25.6835 5.137 47.5815 22.71 47.5815 17.302 0 22.709-21.898 22.709-47.5815 0-25.6832-5.407-47.5816-22.709-47.5816z" fill="#f0eff0"/><path d="m123.606 85.4445c3.212 1.0523 5.538 4.2089 5.538 8.0301 0 6.1472-4.209 9.5254-11.298 9.5254h-15.617v-34.0033h14.565c7.089 0 11.353 3.1566 11.353 9.2484 0 3.6551-2.049 6.3134-4.541 7.1994zm-12.904-2.9905h5.095c2.603 0 3.988-.9968 3.988-3.1013 0-2.1044-1.385-3.0459-3.988-3.0459h-5.095zm0 6.6456v6.5902h5.981c2.492 0 3.877-1.3291 3.877-3.2674 0-2.049-1.385-3.3228-3.877-3.3228zm43.786 13.9004h-8.362v-1.274c-.831.831-3.323 1.717-5.981 1.717-4.929 0-9.083-2.769-9.083-8.0301 0-4.818 4.154-7.9193 9.581-7.9193 2.049 0 4.486.6646 5.483 1.3845v-1.606c0-1.606-.942-2.9905-3.046-2.9905-1.606 0-2.548.7199-2.935 1.8275h-8.197c.72-4.8181 4.985-8.6393 11.409-8.6393 7.088 0 11.131 3.7659 11.131 10.2453zm-8.362-6.9779v-1.4399c-.554-1.0522-2.049-1.7167-3.655-1.7167-1.717 0-3.434.7199-3.434 2.3813 0 1.7168 1.717 2.4367 3.434 2.4367 1.606 0 3.101-.6645 3.655-1.6614zm27.996 6.9779v-1.994c-1.163 1.329-3.599 2.548-6.147 2.548-7.199 0-11.131-5.8151-11.131-13.0145s3.932-13.0143 11.131-13.0143c2.548 0 4.984 1.2184 6.147 2.5475v-13.0697h8.695v35.997zm0-9.1931v-6.5902c-.664-1.3291-2.159-2.326-3.821-2.326-2.99 0-4.763 2.4368-4.763 5.6488s1.773 5.5934 4.763 5.5934c1.717 0 3.157-.9415 3.821-2.326zm35.471-2.049h-3.101v11.2421h-8.806v-34.0033h15.285c7.31 0 12.35 4.1535 12.35 11.5744 0 5.1503-2.603 8.6947-6.757 10.2453l7.975 12.1836h-9.858zm-3.101-15.2849v8.1962h5.538c3.156 0 4.596-1.606 4.596-4.0981s-1.44-4.0981-4.596-4.0981zm36.957 17.8323h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.643 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.515-13.0143 7.643 0 11.962 5.095 11.962 12.5159v2.1598h-16.115c.277 2.9905 1.827 4.5965 4.32 4.5965 1.772 0 3.156-.7753 3.655-2.4921zm-3.822-10.0237c-2.049 0-3.433 1.2737-3.987 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.545-3.5997zm30.98 27.5234v-10.799c-1.163 1.329-3.6 2.548-6.147 2.548-7.2 0-11.132-5.9259-11.132-13.0145 0-7.144 3.932-13.0143 11.132-13.0143 2.547 0 4.984 1.2184 6.147 2.5475v-1.9937h8.695v33.726zm0-17.9981v-6.5902c-.665-1.3291-2.105-2.326-3.821-2.326-2.991 0-4.763 2.4368-4.763 5.6488s1.772 5.5934 4.763 5.5934c1.661 0 3.156-.9415 3.821-2.326zm36.789-15.7279v24.921h-8.695v-2.16c-1.329 1.551-3.821 2.714-6.646 2.714-5.482 0-8.75-3.5999-8.75-9.1379v-16.3371h8.64v14.288c0 2.1045.996 3.5997 3.212 3.5997 1.606 0 3.101-1.0522 3.544-2.769v-15.1187zm19.084 16.2263h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.643 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.515-13.0143 7.643 0 11.963 5.095 11.963 12.5159v2.1598h-16.116c.277 2.9905 1.828 4.5965 4.32 4.5965 1.772 0 3.156-.7753 3.655-2.4921zm-3.822-10.0237c-2.049 0-3.433 1.2737-3.987 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.545-3.5997zm13.428 11.0206h8.474c.387 1.3845 1.606 2.1598 3.156 2.1598 1.44 0 2.548-.5538 2.548-1.7168 0-.9414-.72-1.2737-1.939-1.5506l-4.873-.9969c-4.154-.886-6.867-2.8797-6.867-7.2547 0-5.3165 4.762-8.4178 10.633-8.4178 6.812 0 10.522 3.1567 11.297 8.0855h-8.03c-.277-1.0522-1.052-1.9937-3.046-1.9937-1.273 0-2.326.5538-2.326 1.6614 0 .7753.554 1.163 1.717 1.3845l4.929 1.163c4.541 1.0522 6.978 3.4335 6.978 7.4763 0 5.3168-4.818 8.2518-10.91 8.2518-6.369 0-10.965-2.88-11.741-8.2518zm27.538-.8861v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.205v6.7564h-5.205v8.307c0 1.9383.941 2.769 2.658 2.769.941 0 1.993-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.871 0-9.193-2.769-9.193-9.0819z" fill="#d30001"/></svg>
+        <svg height="172" viewBox="0 0 480 172" width="480" xmlns="http://www.w3.org/2000/svg"><path d="m124.48 3.00509-45.6889 100.02991h26.2239v-28.1168h38.119v28.1168h21.628v35.145h-21.628v30.82h-37.308v-30.82h-72.1833v-31.901l50.2851-103.27391zm115.583 168.69891c-40.822 0-64.884-35.146-64.884-85.7015 0-50.5554 24.062-85.700907 64.884-85.700907 40.823 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.061 85.7015-64.884 85.7015zm0-133.2831c-17.572 0-22.709 21.8984-22.709 47.5816 0 25.6835 5.137 47.5815 22.709 47.5815 17.303 0 22.71-21.898 22.71-47.5815 0-25.6832-5.407-47.5816-22.71-47.5816zm140.456 133.2831c-40.823 0-64.884-35.146-64.884-85.7015 0-50.5554 24.061-85.700907 64.884-85.700907 40.822 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.062 85.7015-64.884 85.7015zm0-133.2831c-17.573 0-22.71 21.8984-22.71 47.5816 0 25.6835 5.137 47.5815 22.71 47.5815 17.302 0 22.709-21.898 22.709-47.5815 0-25.6832-5.407-47.5816-22.709-47.5816z" id="error-id"/><path d="m123.606 85.4445c3.212 1.0523 5.538 4.2089 5.538 8.0301 0 6.1472-4.209 9.5254-11.298 9.5254h-15.617v-34.0033h14.565c7.089 0 11.353 3.1566 11.353 9.2484 0 3.6551-2.049 6.3134-4.541 7.1994zm-12.904-2.9905h5.095c2.603 0 3.988-.9968 3.988-3.1013 0-2.1044-1.385-3.0459-3.988-3.0459h-5.095zm0 6.6456v6.5902h5.981c2.492 0 3.877-1.3291 3.877-3.2674 0-2.049-1.385-3.3228-3.877-3.3228zm43.786 13.9004h-8.362v-1.274c-.831.831-3.323 1.717-5.981 1.717-4.929 0-9.083-2.769-9.083-8.0301 0-4.818 4.154-7.9193 9.581-7.9193 2.049 0 4.486.6646 5.483 1.3845v-1.606c0-1.606-.942-2.9905-3.046-2.9905-1.606 0-2.548.7199-2.935 1.8275h-8.197c.72-4.8181 4.985-8.6393 11.409-8.6393 7.088 0 11.131 3.7659 11.131 10.2453zm-8.362-6.9779v-1.4399c-.554-1.0522-2.049-1.7167-3.655-1.7167-1.717 0-3.434.7199-3.434 2.3813 0 1.7168 1.717 2.4367 3.434 2.4367 1.606 0 3.101-.6645 3.655-1.6614zm27.996 6.9779v-1.994c-1.163 1.329-3.599 2.548-6.147 2.548-7.199 0-11.131-5.8151-11.131-13.0145s3.932-13.0143 11.131-13.0143c2.548 0 4.984 1.2184 6.147 2.5475v-13.0697h8.695v35.997zm0-9.1931v-6.5902c-.664-1.3291-2.159-2.326-3.821-2.326-2.99 0-4.763 2.4368-4.763 5.6488s1.773 5.5934 4.763 5.5934c1.717 0 3.157-.9415 3.821-2.326zm35.471-2.049h-3.101v11.2421h-8.806v-34.0033h15.285c7.31 0 12.35 4.1535 12.35 11.5744 0 5.1503-2.603 8.6947-6.757 10.2453l7.975 12.1836h-9.858zm-3.101-15.2849v8.1962h5.538c3.156 0 4.596-1.606 4.596-4.0981s-1.44-4.0981-4.596-4.0981zm36.957 17.8323h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.643 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.515-13.0143 7.643 0 11.962 5.095 11.962 12.5159v2.1598h-16.115c.277 2.9905 1.827 4.5965 4.32 4.5965 1.772 0 3.156-.7753 3.655-2.4921zm-3.822-10.0237c-2.049 0-3.433 1.2737-3.987 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.545-3.5997zm30.98 27.5234v-10.799c-1.163 1.329-3.6 2.548-6.147 2.548-7.2 0-11.132-5.9259-11.132-13.0145 0-7.144 3.932-13.0143 11.132-13.0143 2.547 0 4.984 1.2184 6.147 2.5475v-1.9937h8.695v33.726zm0-17.9981v-6.5902c-.665-1.3291-2.105-2.326-3.821-2.326-2.991 0-4.763 2.4368-4.763 5.6488s1.772 5.5934 4.763 5.5934c1.661 0 3.156-.9415 3.821-2.326zm36.789-15.7279v24.921h-8.695v-2.16c-1.329 1.551-3.821 2.714-6.646 2.714-5.482 0-8.75-3.5999-8.75-9.1379v-16.3371h8.64v14.288c0 2.1045.996 3.5997 3.212 3.5997 1.606 0 3.101-1.0522 3.544-2.769v-15.1187zm19.084 16.2263h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.643 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.515-13.0143 7.643 0 11.963 5.095 11.963 12.5159v2.1598h-16.116c.277 2.9905 1.828 4.5965 4.32 4.5965 1.772 0 3.156-.7753 3.655-2.4921zm-3.822-10.0237c-2.049 0-3.433 1.2737-3.987 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.545-3.5997zm13.428 11.0206h8.474c.387 1.3845 1.606 2.1598 3.156 2.1598 1.44 0 2.548-.5538 2.548-1.7168 0-.9414-.72-1.2737-1.939-1.5506l-4.873-.9969c-4.154-.886-6.867-2.8797-6.867-7.2547 0-5.3165 4.762-8.4178 10.633-8.4178 6.812 0 10.522 3.1567 11.297 8.0855h-8.03c-.277-1.0522-1.052-1.9937-3.046-1.9937-1.273 0-2.326.5538-2.326 1.6614 0 .7753.554 1.163 1.717 1.3845l4.929 1.163c4.541 1.0522 6.978 3.4335 6.978 7.4763 0 5.3168-4.818 8.2518-10.91 8.2518-6.369 0-10.965-2.88-11.741-8.2518zm27.538-.8861v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.205v6.7564h-5.205v8.307c0 1.9383.941 2.769 2.658 2.769.941 0 1.993-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.871 0-9.193-2.769-9.193-9.0819z" id="error-description"/></svg>
       </header>
       <article>
-        <p><strong>The server cannot process the request due to a client error.</strong> Please check the request and try again. If you’re the application owner check the logs for more information.</p>
+        <p><strong>The server cannot process the request due to a client error.</strong> Please check the request and try again. If you're the application owner check the logs for more information.</p>
       </article>
     </main>
 
diff --git a/public/404.html b/public/404.html
index c0670bc87..d7f0f1422 100644
--- a/public/404.html
+++ b/public/404.html
@@ -4,7 +4,7 @@
 
   <head>
 
-    <title>The page you were looking for doesn’t exist (404 Not found)</title>
+    <title>The page you were looking for doesn't exist (404 Not found)</title>
 
     <meta charset="utf-8">
     <meta name="viewport" content="initial-scale=1, width=device-width">
@@ -35,12 +35,35 @@
         font-weight: 400;
         letter-spacing: -0.0025em;
         line-height: 1.4;
-        min-height: 100vh;
+        min-height: 100dvh;
         place-items: center;
         text-rendering: optimizeLegibility;
         -webkit-text-size-adjust: 100%;
       }
 
+      #error-description {
+        fill: #d30001;
+      }
+
+      #error-id {
+        fill: #f0eff0;
+      }
+
+      @media (prefers-color-scheme: dark) {
+        body {
+          background: #101010;
+          color: #e0e0e0;
+        }
+
+        #error-description {
+          fill: #FF6161;
+        }
+
+        #error-id {
+          fill: #2c2c2c;
+        }
+      }
+
       a {
         color: inherit;
         font-weight: 700;
@@ -83,13 +106,11 @@
       }
 
       main article br {
-
         display: none;
 
         @media(min-width: 48em) {
           display: inline;
         }
-
       }
 
     </style>
@@ -102,10 +123,10 @@
 
     <main>
       <header>
-        <svg height="172" viewBox="0 0 480 172" width="480" xmlns="http://www.w3.org/2000/svg"><path d="m124.48 3.00509-45.6889 100.02991h26.2239v-28.1168h38.119v28.1168h21.628v35.145h-21.628v30.82h-37.308v-30.82h-72.1833v-31.901l50.2851-103.27391zm115.583 168.69891c-40.822 0-64.884-35.146-64.884-85.7015 0-50.5554 24.062-85.700907 64.884-85.700907 40.823 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.061 85.7015-64.884 85.7015zm0-133.2831c-17.572 0-22.709 21.8984-22.709 47.5816 0 25.6835 5.137 47.5815 22.709 47.5815 17.303 0 22.71-21.898 22.71-47.5815 0-25.6832-5.407-47.5816-22.71-47.5816zm165.328-35.41581-45.689 100.02991h26.224v-28.1168h38.119v28.1168h21.628v35.145h-21.628v30.82h-37.308v-30.82h-72.184v-31.901l50.285-103.27391z" fill="#f0eff0"/><path d="m157.758 68.9967v34.0033h-7.199l-14.233-19.8814v19.8814h-8.584v-34.0033h8.307l13.125 18.7184v-18.7184zm28.454 21.5428c0 7.6978-5.15 13.0145-12.737 13.0145-7.532 0-12.738-5.3167-12.738-13.0145s5.206-13.0143 12.738-13.0143c7.587 0 12.737 5.3165 12.737 13.0143zm-8.528 0c0-3.4336-1.496-5.8703-4.209-5.8703-2.659 0-4.154 2.4367-4.154 5.8703s1.495 5.8149 4.154 5.8149c2.713 0 4.209-2.3813 4.209-5.8149zm13.184 3.8766v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.205v6.7564h-5.205v8.307c0 1.9383.941 2.769 2.658 2.769.941 0 1.994-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.87 0-9.193-2.769-9.193-9.0819zm37.027 8.5839h-8.806v-34.0033h23.924v7.6978h-15.118v6.7564h13.9v7.5316h-13.9zm41.876-12.4605c0 7.6978-5.15 13.0145-12.737 13.0145-7.532 0-12.738-5.3167-12.738-13.0145s5.206-13.0143 12.738-13.0143c7.587 0 12.737 5.3165 12.737 13.0143zm-8.529 0c0-3.4336-1.495-5.8703-4.208-5.8703-2.659 0-4.154 2.4367-4.154 5.8703s1.495 5.8149 4.154 5.8149c2.713 0 4.208-2.3813 4.208-5.8149zm35.337-12.4605v24.921h-8.695v-2.16c-1.329 1.551-3.821 2.714-6.646 2.714-5.482 0-8.75-3.5999-8.75-9.1379v-16.3371h8.64v14.288c0 2.1045.997 3.5997 3.212 3.5997 1.606 0 3.101-1.0522 3.544-2.769v-15.1187zm4.076 24.921v-24.921h8.694v2.1598c1.385-1.5506 3.822-2.7136 6.701-2.7136 5.538 0 8.806 3.5997 8.806 9.1377v16.3371h-8.639v-14.2327c0-2.049-1.053-3.5443-3.268-3.5443-1.717 0-3.156.9969-3.6 2.7136v15.0634zm44.113 0v-1.994c-1.163 1.329-3.6 2.548-6.147 2.548-7.2 0-11.132-5.8151-11.132-13.0145s3.932-13.0143 11.132-13.0143c2.547 0 4.984 1.2184 6.147 2.5475v-13.0697h8.695v35.997zm0-9.1931v-6.5902c-.665-1.3291-2.16-2.326-3.821-2.326-2.991 0-4.763 2.4368-4.763 5.6488s1.772 5.5934 4.763 5.5934c1.717 0 3.156-.9415 3.821-2.326z" fill="#d30001"/></svg>
+        <svg height="172" viewBox="0 0 480 172" width="480" xmlns="http://www.w3.org/2000/svg"><path d="m124.48 3.00509-45.6889 100.02991h26.2239v-28.1168h38.119v28.1168h21.628v35.145h-21.628v30.82h-37.308v-30.82h-72.1833v-31.901l50.2851-103.27391zm115.583 168.69891c-40.822 0-64.884-35.146-64.884-85.7015 0-50.5554 24.062-85.700907 64.884-85.700907 40.823 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.061 85.7015-64.884 85.7015zm0-133.2831c-17.572 0-22.709 21.8984-22.709 47.5816 0 25.6835 5.137 47.5815 22.709 47.5815 17.303 0 22.71-21.898 22.71-47.5815 0-25.6832-5.407-47.5816-22.71-47.5816zm165.328-35.41581-45.689 100.02991h26.224v-28.1168h38.119v28.1168h21.628v35.145h-21.628v30.82h-37.308v-30.82h-72.184v-31.901l50.285-103.27391z" id="error-id"/><path d="m157.758 68.9967v34.0033h-7.199l-14.233-19.8814v19.8814h-8.584v-34.0033h8.307l13.125 18.7184v-18.7184zm28.454 21.5428c0 7.6978-5.15 13.0145-12.737 13.0145-7.532 0-12.738-5.3167-12.738-13.0145s5.206-13.0143 12.738-13.0143c7.587 0 12.737 5.3165 12.737 13.0143zm-8.528 0c0-3.4336-1.496-5.8703-4.209-5.8703-2.659 0-4.154 2.4367-4.154 5.8703s1.495 5.8149 4.154 5.8149c2.713 0 4.209-2.3813 4.209-5.8149zm13.184 3.8766v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.205v6.7564h-5.205v8.307c0 1.9383.941 2.769 2.658 2.769.941 0 1.994-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.87 0-9.193-2.769-9.193-9.0819zm37.027 8.5839h-8.806v-34.0033h23.924v7.6978h-15.118v6.7564h13.9v7.5316h-13.9zm41.876-12.4605c0 7.6978-5.15 13.0145-12.737 13.0145-7.532 0-12.738-5.3167-12.738-13.0145s5.206-13.0143 12.738-13.0143c7.587 0 12.737 5.3165 12.737 13.0143zm-8.529 0c0-3.4336-1.495-5.8703-4.208-5.8703-2.659 0-4.154 2.4367-4.154 5.8703s1.495 5.8149 4.154 5.8149c2.713 0 4.208-2.3813 4.208-5.8149zm35.337-12.4605v24.921h-8.695v-2.16c-1.329 1.551-3.821 2.714-6.646 2.714-5.482 0-8.75-3.5999-8.75-9.1379v-16.3371h8.64v14.288c0 2.1045.997 3.5997 3.212 3.5997 1.606 0 3.101-1.0522 3.544-2.769v-15.1187zm4.076 24.921v-24.921h8.694v2.1598c1.385-1.5506 3.822-2.7136 6.701-2.7136 5.538 0 8.806 3.5997 8.806 9.1377v16.3371h-8.639v-14.2327c0-2.049-1.053-3.5443-3.268-3.5443-1.717 0-3.156.9969-3.6 2.7136v15.0634zm44.113 0v-1.994c-1.163 1.329-3.6 2.548-6.147 2.548-7.2 0-11.132-5.8151-11.132-13.0145s3.932-13.0143 11.132-13.0143c2.547 0 4.984 1.2184 6.147 2.5475v-13.0697h8.695v35.997zm0-9.1931v-6.5902c-.665-1.3291-2.16-2.326-3.821-2.326-2.991 0-4.763 2.4368-4.763 5.6488s1.772 5.5934 4.763 5.5934c1.717 0 3.156-.9415 3.821-2.326z" id="error-description"/></svg>
       </header>
       <article>
-        <p><strong>The page you were looking for doesn’t exist.</strong> You may have mistyped the address or the page may have moved. If you’re the application owner check the logs for more information.</p>
+        <p><strong>The page you were looking for doesn't exist.</strong> You may have mistyped the address or the page may have moved. If you're the application owner check the logs for more information.</p>
       </article>
     </main>
 
diff --git a/public/406-unsupported-browser.html b/public/406-unsupported-browser.html
index 9532a9ccd..43d2811e8 100644
--- a/public/406-unsupported-browser.html
+++ b/public/406-unsupported-browser.html
@@ -35,12 +35,35 @@
         font-weight: 400;
         letter-spacing: -0.0025em;
         line-height: 1.4;
-        min-height: 100vh;
+        min-height: 100dvh;
         place-items: center;
         text-rendering: optimizeLegibility;
         -webkit-text-size-adjust: 100%;
       }
 
+      #error-description {
+        fill: #d30001;
+      }
+
+      #error-id {
+        fill: #f0eff0;
+      }
+
+      @media (prefers-color-scheme: dark) {
+        body {
+          background: #101010;
+          color: #e0e0e0;
+        }
+
+        #error-description {
+          fill: #FF6161;
+        }
+
+        #error-id {
+          fill: #2c2c2c;
+        }
+      }
+
       a {
         color: inherit;
         font-weight: 700;
@@ -83,13 +106,11 @@
       }
 
       main article br {
-
         display: none;
 
         @media(min-width: 48em) {
           display: inline;
         }
-
       }
 
     </style>
@@ -102,7 +123,7 @@
 
     <main>
       <header>
-        <svg height="172" viewBox="0 0 480 172" width="480" xmlns="http://www.w3.org/2000/svg"><path d="m124.48 3.00509-45.6889 100.02991h26.2239v-28.1168h38.119v28.1168h21.628v35.145h-21.628v30.82h-37.308v-30.82h-72.1833v-31.901l50.2851-103.27391zm115.583 168.69891c-40.822 0-64.884-35.146-64.884-85.7015 0-50.5554 24.062-85.700907 64.884-85.700907 40.823 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.061 85.7015-64.884 85.7015zm0-133.2831c-17.572 0-22.709 21.8984-22.709 47.5816 0 25.6835 5.137 47.5815 22.709 47.5815 17.303 0 22.71-21.898 22.71-47.5815 0-25.6832-5.407-47.5816-22.71-47.5816zm202.906 9.7326h-41.093c-2.433-7.2994-7.84-12.4361-17.302-12.4361-16.221 0-25.413 17.5728-25.954 34.8752v1.3517c5.137-7.0291 16.221-12.4361 30.82-12.4361 33.524 0 54.881 24.0612 54.881 53.7998 0 33.253-23.791 58.396-61.64 58.396-21.628 0-39.741-10.003-50.825-27.576-9.733-14.599-13.788-32.442-13.788-54.3406 0-51.9072 24.331-89.485807 66.236-89.485807 32.712 0 53.258 18.654107 58.665 47.851907zm-82.727 66.2355c0 13.247 9.463 22.439 22.71 22.439 12.977 0 22.439-9.192 22.439-22.439 0-13.517-9.462-22.7091-22.439-22.7091-13.247 0-22.71 9.1921-22.71 22.7091z" fill="#f0eff0"/><path d="m100.761 68.9967v34.0033h-7.1991l-14.2326-19.8814v19.8814h-8.5839v-34.0033h8.307l13.125 18.7184v-18.7184zm28.454 21.5428c0 7.6978-5.15 13.0145-12.737 13.0145-7.532 0-12.738-5.3167-12.738-13.0145s5.206-13.0143 12.738-13.0143c7.587 0 12.737 5.3165 12.737 13.0143zm-8.529 0c0-3.4336-1.495-5.8703-4.208-5.8703-2.659 0-4.154 2.4367-4.154 5.8703s1.495 5.8149 4.154 5.8149c2.713 0 4.208-2.3813 4.208-5.8149zm13.185 3.8766v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.205v6.7564h-5.205v8.307c0 1.9383.941 2.769 2.658 2.769.941 0 1.994-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.87 0-9.193-2.769-9.193-9.0819zm39.02-25.4194h9.083l12.958 34.0033h-9.027l-2.436-6.5902h-12.35l-2.381 6.5902h-8.806zm4.431 10.5222-3.489 9.5807h6.978zm17.44 11.0206c0-7.6978 5.095-13.0143 12.572-13.0143 6.701 0 10.854 3.9874 11.574 9.8023h-8.418c-.221-1.4953-1.384-2.6029-3.156-2.6029-2.437 0-3.988 2.2706-3.988 5.8149s1.551 5.7595 3.988 5.7595c1.772 0 2.935-1.0522 3.156-2.5475h8.418c-.72 5.7596-4.873 9.8025-11.574 9.8025-7.477 0-12.572-5.3167-12.572-13.0145zm25.676 0c0-7.6978 5.095-13.0143 12.572-13.0143 6.701 0 10.854 3.9874 11.574 9.8023h-8.418c-.221-1.4953-1.384-2.6029-3.156-2.6029-2.437 0-3.988 2.2706-3.988 5.8149s1.551 5.7595 3.988 5.7595c1.772 0 2.935-1.0522 3.156-2.5475h8.418c-.72 5.7596-4.873 9.8025-11.574 9.8025-7.477 0-12.572-5.3167-12.572-13.0145zm42.013 3.7658h8.031c-.887 5.7597-5.206 9.2487-11.686 9.2487-7.642 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.317-13.0143 12.516-13.0143 7.643 0 11.962 5.095 11.962 12.5159v2.1598h-16.115c.277 2.9905 1.827 4.5965 4.319 4.5965 1.773 0 3.157-.7753 3.655-2.4921zm-3.821-10.0237c-2.049 0-3.433 1.2737-3.987 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.545-3.5997zm23.4 16.7244v10.799h-8.694v-33.726h8.694v1.9937c1.163-1.3291 3.6-2.5475 6.148-2.5475 7.199 0 11.131 5.8703 11.131 13.0143 0 7.0886-3.932 13.0145-11.131 13.0145-2.548 0-4.985-1.219-6.148-2.548zm0-13.7893v6.5902c.665 1.3845 2.16 2.326 3.822 2.326 2.99 0 4.762-2.3814 4.762-5.5934s-1.772-5.6488-4.762-5.6488c-1.717 0-3.157.9969-3.822 2.326zm21.892 7.1994v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.206v6.7564h-5.206v8.307c0 1.9383.941 2.769 2.658 2.769.942 0 1.994-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.87 0-9.193-2.769-9.193-9.0819zm39.458 8.5839h-8.363v-1.274c-.83.831-3.322 1.717-5.981 1.717-4.928 0-9.082-2.769-9.082-8.0301 0-4.818 4.154-7.9193 9.581-7.9193 2.049 0 4.486.6646 5.482 1.3845v-1.606c0-1.606-.941-2.9905-3.045-2.9905-1.606 0-2.548.7199-2.936 1.8275h-8.196c.72-4.8181 4.984-8.6393 11.408-8.6393 7.089 0 11.132 3.7659 11.132 10.2453zm-8.363-6.9779v-1.4399c-.553-1.0522-2.049-1.7167-3.655-1.7167-1.716 0-3.433.7199-3.433 2.3813 0 1.7168 1.717 2.4367 3.433 2.4367 1.606 0 3.102-.6645 3.655-1.6614zm20.742 4.9839v1.994h-8.694v-35.997h8.694v13.0697c1.163-1.3291 3.6-2.5475 6.148-2.5475 7.199 0 11.131 5.8149 11.131 13.0143s-3.932 13.0145-11.131 13.0145c-2.548 0-4.985-1.219-6.148-2.548zm0-13.7893v6.5902c.665 1.3845 2.105 2.326 3.822 2.326 2.99 0 4.762-2.3814 4.762-5.5934s-1.772-5.6488-4.762-5.6488c-1.662 0-3.157.9969-3.822 2.326zm28.759-20.2137v35.997h-8.695v-35.997zm19.172 27.3023h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.643 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.516-13.0143 7.642 0 11.962 5.095 11.962 12.5159v2.1598h-16.116c.277 2.9905 1.828 4.5965 4.32 4.5965 1.772 0 3.157-.7753 3.655-2.4921zm-3.821-10.0237c-2.049 0-3.434 1.2737-3.988 3.5997h7.532c-.111-2.0491-1.384-3.5997-3.544-3.5997z" fill="#d30001"/></svg>
+        <svg height="172" viewBox="0 0 480 172" width="480" xmlns="http://www.w3.org/2000/svg"><path d="m124.48 3.00509-45.6889 100.02991h26.2239v-28.1168h38.119v28.1168h21.628v35.145h-21.628v30.82h-37.308v-30.82h-72.1833v-31.901l50.2851-103.27391zm115.583 168.69891c-40.822 0-64.884-35.146-64.884-85.7015 0-50.5554 24.062-85.700907 64.884-85.700907 40.823 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.061 85.7015-64.884 85.7015zm0-133.2831c-17.572 0-22.709 21.8984-22.709 47.5816 0 25.6835 5.137 47.5815 22.709 47.5815 17.303 0 22.71-21.898 22.71-47.5815 0-25.6832-5.407-47.5816-22.71-47.5816zm202.906 9.7326h-41.093c-2.433-7.2994-7.84-12.4361-17.302-12.4361-16.221 0-25.413 17.5728-25.954 34.8752v1.3517c5.137-7.0291 16.221-12.4361 30.82-12.4361 33.524 0 54.881 24.0612 54.881 53.7998 0 33.253-23.791 58.396-61.64 58.396-21.628 0-39.741-10.003-50.825-27.576-9.733-14.599-13.788-32.442-13.788-54.3406 0-51.9072 24.331-89.485807 66.236-89.485807 32.712 0 53.258 18.654107 58.665 47.851907zm-82.727 66.2355c0 13.247 9.463 22.439 22.71 22.439 12.977 0 22.439-9.192 22.439-22.439 0-13.517-9.462-22.7091-22.439-22.7091-13.247 0-22.71 9.1921-22.71 22.7091z" id="error-id"/><path d="m100.761 68.9967v34.0033h-7.1991l-14.2326-19.8814v19.8814h-8.5839v-34.0033h8.307l13.125 18.7184v-18.7184zm28.454 21.5428c0 7.6978-5.15 13.0145-12.737 13.0145-7.532 0-12.738-5.3167-12.738-13.0145s5.206-13.0143 12.738-13.0143c7.587 0 12.737 5.3165 12.737 13.0143zm-8.529 0c0-3.4336-1.495-5.8703-4.208-5.8703-2.659 0-4.154 2.4367-4.154 5.8703s1.495 5.8149 4.154 5.8149c2.713 0 4.208-2.3813 4.208-5.8149zm13.185 3.8766v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.205v6.7564h-5.205v8.307c0 1.9383.941 2.769 2.658 2.769.941 0 1.994-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.87 0-9.193-2.769-9.193-9.0819zm39.02-25.4194h9.083l12.958 34.0033h-9.027l-2.436-6.5902h-12.35l-2.381 6.5902h-8.806zm4.431 10.5222-3.489 9.5807h6.978zm17.44 11.0206c0-7.6978 5.095-13.0143 12.572-13.0143 6.701 0 10.854 3.9874 11.574 9.8023h-8.418c-.221-1.4953-1.384-2.6029-3.156-2.6029-2.437 0-3.988 2.2706-3.988 5.8149s1.551 5.7595 3.988 5.7595c1.772 0 2.935-1.0522 3.156-2.5475h8.418c-.72 5.7596-4.873 9.8025-11.574 9.8025-7.477 0-12.572-5.3167-12.572-13.0145zm25.676 0c0-7.6978 5.095-13.0143 12.572-13.0143 6.701 0 10.854 3.9874 11.574 9.8023h-8.418c-.221-1.4953-1.384-2.6029-3.156-2.6029-2.437 0-3.988 2.2706-3.988 5.8149s1.551 5.7595 3.988 5.7595c1.772 0 2.935-1.0522 3.156-2.5475h8.418c-.72 5.7596-4.873 9.8025-11.574 9.8025-7.477 0-12.572-5.3167-12.572-13.0145zm42.013 3.7658h8.031c-.887 5.7597-5.206 9.2487-11.686 9.2487-7.642 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.317-13.0143 12.516-13.0143 7.643 0 11.962 5.095 11.962 12.5159v2.1598h-16.115c.277 2.9905 1.827 4.5965 4.319 4.5965 1.773 0 3.157-.7753 3.655-2.4921zm-3.821-10.0237c-2.049 0-3.433 1.2737-3.987 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.545-3.5997zm23.4 16.7244v10.799h-8.694v-33.726h8.694v1.9937c1.163-1.3291 3.6-2.5475 6.148-2.5475 7.199 0 11.131 5.8703 11.131 13.0143 0 7.0886-3.932 13.0145-11.131 13.0145-2.548 0-4.985-1.219-6.148-2.548zm0-13.7893v6.5902c.665 1.3845 2.16 2.326 3.822 2.326 2.99 0 4.762-2.3814 4.762-5.5934s-1.772-5.6488-4.762-5.6488c-1.717 0-3.157.9969-3.822 2.326zm21.892 7.1994v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.206v6.7564h-5.206v8.307c0 1.9383.941 2.769 2.658 2.769.942 0 1.994-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.87 0-9.193-2.769-9.193-9.0819zm39.458 8.5839h-8.363v-1.274c-.83.831-3.322 1.717-5.981 1.717-4.928 0-9.082-2.769-9.082-8.0301 0-4.818 4.154-7.9193 9.581-7.9193 2.049 0 4.486.6646 5.482 1.3845v-1.606c0-1.606-.941-2.9905-3.045-2.9905-1.606 0-2.548.7199-2.936 1.8275h-8.196c.72-4.8181 4.984-8.6393 11.408-8.6393 7.089 0 11.132 3.7659 11.132 10.2453zm-8.363-6.9779v-1.4399c-.553-1.0522-2.049-1.7167-3.655-1.7167-1.716 0-3.433.7199-3.433 2.3813 0 1.7168 1.717 2.4367 3.433 2.4367 1.606 0 3.102-.6645 3.655-1.6614zm20.742 4.9839v1.994h-8.694v-35.997h8.694v13.0697c1.163-1.3291 3.6-2.5475 6.148-2.5475 7.199 0 11.131 5.8149 11.131 13.0143s-3.932 13.0145-11.131 13.0145c-2.548 0-4.985-1.219-6.148-2.548zm0-13.7893v6.5902c.665 1.3845 2.105 2.326 3.822 2.326 2.99 0 4.762-2.3814 4.762-5.5934s-1.772-5.6488-4.762-5.6488c-1.662 0-3.157.9969-3.822 2.326zm28.759-20.2137v35.997h-8.695v-35.997zm19.172 27.3023h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.643 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.516-13.0143 7.642 0 11.962 5.095 11.962 12.5159v2.1598h-16.116c.277 2.9905 1.828 4.5965 4.32 4.5965 1.772 0 3.157-.7753 3.655-2.4921zm-3.821-10.0237c-2.049 0-3.434 1.2737-3.988 3.5997h7.532c-.111-2.0491-1.384-3.5997-3.544-3.5997z" id="error-description"/></svg>
       </header>
       <article>
         <p><strong>Your browser is not supported.</strong><br> Please upgrade your browser to continue.</p>
diff --git a/public/422.html b/public/422.html
index 8bcf06014..f12fb4aa1 100644
--- a/public/422.html
+++ b/public/422.html
@@ -35,12 +35,35 @@
         font-weight: 400;
         letter-spacing: -0.0025em;
         line-height: 1.4;
-        min-height: 100vh;
+        min-height: 100dvh;
         place-items: center;
         text-rendering: optimizeLegibility;
         -webkit-text-size-adjust: 100%;
       }
 
+      #error-description {
+        fill: #d30001;
+      }
+
+      #error-id {
+        fill: #f0eff0;
+      }
+
+      @media (prefers-color-scheme: dark) {
+        body {
+          background: #101010;
+          color: #e0e0e0;
+        }
+
+        #error-description {
+          fill: #FF6161;
+        }
+
+        #error-id {
+          fill: #2c2c2c;
+        }
+      }
+
       a {
         color: inherit;
         font-weight: 700;
@@ -83,13 +106,11 @@
       }
 
       main article br {
-
         display: none;
 
         @media(min-width: 48em) {
           display: inline;
         }
-
       }
 
     </style>
@@ -102,10 +123,10 @@
 
     <main>
       <header>
-        <svg height="172" viewBox="0 0 480 172" width="480" xmlns="http://www.w3.org/2000/svg"><path d="m124.48 3.00509-45.6889 100.02991h26.2239v-28.1168h38.119v28.1168h21.628v35.145h-21.628v30.82h-37.308v-30.82h-72.1833v-31.901l50.2851-103.27391zm130.453 51.63681c0-8.9215-6.218-15.4099-15.681-15.4099-10.273 0-15.95 7.5698-16.491 16.4913h-44.608c3.244-30.8199 25.683-55.421707 61.099-55.421707 36.498 0 59.477 20.816907 59.477 51.636807 0 21.3577-14.869 36.7676-31.901 52.7186l-27.305 27.035h59.747v37.308h-120.306v-27.846l57.044-56.7736c11.084-11.8954 18.925-20.0059 18.925-29.7385zm140.455 0c0-8.9215-6.218-15.4099-15.68-15.4099-10.274 0-15.951 7.5698-16.492 16.4913h-44.608c3.245-30.8199 25.684-55.421707 61.1-55.421707 36.497 0 59.477 20.816907 59.477 51.636807 0 21.3577-14.87 36.7676-31.902 52.7186l-27.305 27.035h59.747v37.308h-120.305v-27.846l57.043-56.7736c11.085-11.8954 18.925-20.0059 18.925-29.7385z" fill="#f0eff0"/><path d="m19.3936 103.554c-8.9715 0-14.84183-5.0952-14.84183-14.4544v-20.1029h8.86083v19.3276c0 4.8181 2.2706 7.3102 5.981 7.3102 3.6551 0 5.9257-2.4921 5.9257-7.3102v-19.3276h8.8608v20.1583c0 9.3038-5.8149 14.399-14.7865 14.399zm18.734-.554v-24.921h8.6947v2.1598c1.3845-1.5506 3.8212-2.7136 6.701-2.7136 5.538 0 8.8054 3.5997 8.8054 9.1377v16.3371h-8.6393v-14.2327c0-2.049-1.0522-3.5443-3.2674-3.5443-1.7168 0-3.1567.9969-3.5997 2.7136v15.0634zm36.8584-1.994v10.799h-8.6946v-33.726h8.6946v1.9937c1.163-1.3291 3.5997-2.5475 6.1472-2.5475 7.1994 0 11.1314 5.8703 11.1314 13.0143 0 7.0886-3.932 13.0145-11.1314 13.0145-2.5475 0-4.9842-1.219-6.1472-2.548zm0-13.7893v6.5902c.6646 1.3845 2.1599 2.326 3.8213 2.326 2.9905 0 4.7626-2.3814 4.7626-5.5934s-1.7721-5.6488-4.7626-5.6488c-1.7168 0-3.1567.9969-3.8213 2.326zm36.789-9.2485v8.3624c-1.052-.5538-2.215-.7753-3.6-.7753-2.381 0-3.987 1.0522-4.43 2.8244v14.6203h-8.6949v-24.921h8.6949v2.2152c1.218-1.6614 3.156-2.769 5.648-2.769 1.108 0 1.994.2215 2.382.443zm26.769 12.5713c0 7.6978-5.15 13.0145-12.737 13.0145-7.532 0-12.738-5.3167-12.738-13.0145s5.206-13.0143 12.738-13.0143c7.587 0 12.737 5.3165 12.737 13.0143zm-8.528 0c0-3.4336-1.496-5.8703-4.209-5.8703-2.659 0-4.154 2.4367-4.154 5.8703s1.495 5.8149 4.154 5.8149c2.713 0 4.209-2.3813 4.209-5.8149zm10.352 0c0-7.6978 5.095-13.0143 12.571-13.0143 6.701 0 10.855 3.9874 11.574 9.8023h-8.417c-.222-1.4953-1.385-2.6029-3.157-2.6029-2.437 0-3.987 2.2706-3.987 5.8149s1.55 5.7595 3.987 5.7595c1.772 0 2.935-1.0522 3.157-2.5475h8.417c-.719 5.7596-4.873 9.8025-11.574 9.8025-7.476 0-12.571-5.3167-12.571-13.0145zm42.013 3.7658h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.643 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.516-13.0143 7.642 0 11.962 5.095 11.962 12.5159v2.1598h-16.116c.277 2.9905 1.828 4.5965 4.32 4.5965 1.772 0 3.156-.7753 3.655-2.4921zm-3.821-10.0237c-2.049 0-3.434 1.2737-3.988 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.544-3.5997zm13.428 11.0206h8.473c.387 1.3845 1.606 2.1598 3.156 2.1598 1.44 0 2.548-.5538 2.548-1.7168 0-.9414-.72-1.2737-1.938-1.5506l-4.874-.9969c-4.153-.886-6.867-2.8797-6.867-7.2547 0-5.3165 4.763-8.4178 10.633-8.4178 6.812 0 10.522 3.1567 11.297 8.0855h-8.03c-.277-1.0522-1.052-1.9937-3.046-1.9937-1.273 0-2.326.5538-2.326 1.6614 0 .7753.554 1.163 1.717 1.3845l4.929 1.163c4.541 1.0522 6.978 3.4335 6.978 7.4763 0 5.3168-4.818 8.2518-10.91 8.2518-6.369 0-10.965-2.88-11.74-8.2518zm24.269 0h8.474c.387 1.3845 1.606 2.1598 3.156 2.1598 1.44 0 2.548-.5538 2.548-1.7168 0-.9414-.72-1.2737-1.939-1.5506l-4.873-.9969c-4.154-.886-6.867-2.8797-6.867-7.2547 0-5.3165 4.763-8.4178 10.633-8.4178 6.812 0 10.522 3.1567 11.297 8.0855h-8.03c-.277-1.0522-1.052-1.9937-3.046-1.9937-1.273 0-2.326.5538-2.326 1.6614 0 .7753.554 1.163 1.717 1.3845l4.929 1.163c4.541 1.0522 6.978 3.4335 6.978 7.4763 0 5.3168-4.818 8.2518-10.91 8.2518-6.369 0-10.965-2.88-11.741-8.2518zm47.918 7.6978h-8.363v-1.274c-.831.831-3.323 1.717-5.981 1.717-4.929 0-9.082-2.769-9.082-8.0301 0-4.818 4.153-7.9193 9.581-7.9193 2.049 0 4.485.6646 5.482 1.3845v-1.606c0-1.606-.941-2.9905-3.046-2.9905-1.606 0-2.547.7199-2.935 1.8275h-8.196c.72-4.8181 4.984-8.6393 11.408-8.6393 7.089 0 11.132 3.7659 11.132 10.2453zm-8.363-6.9779v-1.4399c-.554-1.0522-2.049-1.7167-3.655-1.7167-1.717 0-3.434.7199-3.434 2.3813 0 1.7168 1.717 2.4367 3.434 2.4367 1.606 0 3.101-.6645 3.655-1.6614zm20.742 4.9839v1.994h-8.695v-35.997h8.695v13.0697c1.163-1.3291 3.6-2.5475 6.147-2.5475 7.2 0 11.132 5.8149 11.132 13.0143s-3.932 13.0145-11.132 13.0145c-2.547 0-4.984-1.219-6.147-2.548zm0-13.7893v6.5902c.665 1.3845 2.105 2.326 3.821 2.326 2.991 0 4.763-2.3814 4.763-5.5934s-1.772-5.6488-4.763-5.6488c-1.661 0-3.156.9969-3.821 2.326zm28.759-20.2137v35.997h-8.695v-35.997zm19.172 27.3023h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.643 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.515-13.0143 7.643 0 11.962 5.095 11.962 12.5159v2.1598h-16.115c.277 2.9905 1.827 4.5965 4.32 4.5965 1.772 0 3.156-.7753 3.655-2.4921zm-3.822-10.0237c-2.049 0-3.433 1.2737-3.987 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.545-3.5997zm25.461-15.2849h24.311v7.6424h-15.561v5.3165h14.232v7.4763h-14.232v5.8703h15.561v7.6978h-24.311zm27.942 34.0033v-24.921h8.694v2.1598c1.385-1.5506 3.822-2.7136 6.701-2.7136 5.538 0 8.806 3.5997 8.806 9.1377v16.3371h-8.639v-14.2327c0-2.049-1.053-3.5443-3.268-3.5443-1.717 0-3.157.9969-3.6 2.7136v15.0634zm29.991-8.5839v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.206v6.7564h-5.206v8.307c0 1.9383.941 2.769 2.658 2.769.942 0 1.994-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.87 0-9.193-2.769-9.193-9.0819zm26.161-16.3371v24.921h-8.694v-24.921zm.61-6.7564c0 2.8244-2.271 4.652-4.929 4.652s-4.929-1.8276-4.929-4.652c0-2.8797 2.271-4.7073 4.929-4.7073s4.929 1.8276 4.929 4.7073zm5.382 23.0935v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.206v6.7564h-5.206v8.307c0 1.9383.941 2.769 2.658 2.769.941 0 1.994-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.87 0-9.193-2.769-9.193-9.0819zm29.22 17.3889h-8.584l3.655-9.414-9.303-24.312h9.026l4.763 14.1773 4.652-14.1773h8.639z" fill="#d30001"/></svg>
+        <svg height="172" viewBox="0 0 480 172" width="480" xmlns="http://www.w3.org/2000/svg"><path d="m124.48 3.00509-45.6889 100.02991h26.2239v-28.1168h38.119v28.1168h21.628v35.145h-21.628v30.82h-37.308v-30.82h-72.1833v-31.901l50.2851-103.27391zm130.453 51.63681c0-8.9215-6.218-15.4099-15.681-15.4099-10.273 0-15.95 7.5698-16.491 16.4913h-44.608c3.244-30.8199 25.683-55.421707 61.099-55.421707 36.498 0 59.477 20.816907 59.477 51.636807 0 21.3577-14.869 36.7676-31.901 52.7186l-27.305 27.035h59.747v37.308h-120.306v-27.846l57.044-56.7736c11.084-11.8954 18.925-20.0059 18.925-29.7385zm140.455 0c0-8.9215-6.218-15.4099-15.68-15.4099-10.274 0-15.951 7.5698-16.492 16.4913h-44.608c3.245-30.8199 25.684-55.421707 61.1-55.421707 36.497 0 59.477 20.816907 59.477 51.636807 0 21.3577-14.87 36.7676-31.902 52.7186l-27.305 27.035h59.747v37.308h-120.305v-27.846l57.043-56.7736c11.085-11.8954 18.925-20.0059 18.925-29.7385z" id="error-id"/><path d="m19.3936 103.554c-8.9715 0-14.84183-5.0952-14.84183-14.4544v-20.1029h8.86083v19.3276c0 4.8181 2.2706 7.3102 5.981 7.3102 3.6551 0 5.9257-2.4921 5.9257-7.3102v-19.3276h8.8608v20.1583c0 9.3038-5.8149 14.399-14.7865 14.399zm18.734-.554v-24.921h8.6947v2.1598c1.3845-1.5506 3.8212-2.7136 6.701-2.7136 5.538 0 8.8054 3.5997 8.8054 9.1377v16.3371h-8.6393v-14.2327c0-2.049-1.0522-3.5443-3.2674-3.5443-1.7168 0-3.1567.9969-3.5997 2.7136v15.0634zm36.8584-1.994v10.799h-8.6946v-33.726h8.6946v1.9937c1.163-1.3291 3.5997-2.5475 6.1472-2.5475 7.1994 0 11.1314 5.8703 11.1314 13.0143 0 7.0886-3.932 13.0145-11.1314 13.0145-2.5475 0-4.9842-1.219-6.1472-2.548zm0-13.7893v6.5902c.6646 1.3845 2.1599 2.326 3.8213 2.326 2.9905 0 4.7626-2.3814 4.7626-5.5934s-1.7721-5.6488-4.7626-5.6488c-1.7168 0-3.1567.9969-3.8213 2.326zm36.789-9.2485v8.3624c-1.052-.5538-2.215-.7753-3.6-.7753-2.381 0-3.987 1.0522-4.43 2.8244v14.6203h-8.6949v-24.921h8.6949v2.2152c1.218-1.6614 3.156-2.769 5.648-2.769 1.108 0 1.994.2215 2.382.443zm26.769 12.5713c0 7.6978-5.15 13.0145-12.737 13.0145-7.532 0-12.738-5.3167-12.738-13.0145s5.206-13.0143 12.738-13.0143c7.587 0 12.737 5.3165 12.737 13.0143zm-8.528 0c0-3.4336-1.496-5.8703-4.209-5.8703-2.659 0-4.154 2.4367-4.154 5.8703s1.495 5.8149 4.154 5.8149c2.713 0 4.209-2.3813 4.209-5.8149zm10.352 0c0-7.6978 5.095-13.0143 12.571-13.0143 6.701 0 10.855 3.9874 11.574 9.8023h-8.417c-.222-1.4953-1.385-2.6029-3.157-2.6029-2.437 0-3.987 2.2706-3.987 5.8149s1.55 5.7595 3.987 5.7595c1.772 0 2.935-1.0522 3.157-2.5475h8.417c-.719 5.7596-4.873 9.8025-11.574 9.8025-7.476 0-12.571-5.3167-12.571-13.0145zm42.013 3.7658h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.643 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.516-13.0143 7.642 0 11.962 5.095 11.962 12.5159v2.1598h-16.116c.277 2.9905 1.828 4.5965 4.32 4.5965 1.772 0 3.156-.7753 3.655-2.4921zm-3.821-10.0237c-2.049 0-3.434 1.2737-3.988 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.544-3.5997zm13.428 11.0206h8.473c.387 1.3845 1.606 2.1598 3.156 2.1598 1.44 0 2.548-.5538 2.548-1.7168 0-.9414-.72-1.2737-1.938-1.5506l-4.874-.9969c-4.153-.886-6.867-2.8797-6.867-7.2547 0-5.3165 4.763-8.4178 10.633-8.4178 6.812 0 10.522 3.1567 11.297 8.0855h-8.03c-.277-1.0522-1.052-1.9937-3.046-1.9937-1.273 0-2.326.5538-2.326 1.6614 0 .7753.554 1.163 1.717 1.3845l4.929 1.163c4.541 1.0522 6.978 3.4335 6.978 7.4763 0 5.3168-4.818 8.2518-10.91 8.2518-6.369 0-10.965-2.88-11.74-8.2518zm24.269 0h8.474c.387 1.3845 1.606 2.1598 3.156 2.1598 1.44 0 2.548-.5538 2.548-1.7168 0-.9414-.72-1.2737-1.939-1.5506l-4.873-.9969c-4.154-.886-6.867-2.8797-6.867-7.2547 0-5.3165 4.763-8.4178 10.633-8.4178 6.812 0 10.522 3.1567 11.297 8.0855h-8.03c-.277-1.0522-1.052-1.9937-3.046-1.9937-1.273 0-2.326.5538-2.326 1.6614 0 .7753.554 1.163 1.717 1.3845l4.929 1.163c4.541 1.0522 6.978 3.4335 6.978 7.4763 0 5.3168-4.818 8.2518-10.91 8.2518-6.369 0-10.965-2.88-11.741-8.2518zm47.918 7.6978h-8.363v-1.274c-.831.831-3.323 1.717-5.981 1.717-4.929 0-9.082-2.769-9.082-8.0301 0-4.818 4.153-7.9193 9.581-7.9193 2.049 0 4.485.6646 5.482 1.3845v-1.606c0-1.606-.941-2.9905-3.046-2.9905-1.606 0-2.547.7199-2.935 1.8275h-8.196c.72-4.8181 4.984-8.6393 11.408-8.6393 7.089 0 11.132 3.7659 11.132 10.2453zm-8.363-6.9779v-1.4399c-.554-1.0522-2.049-1.7167-3.655-1.7167-1.717 0-3.434.7199-3.434 2.3813 0 1.7168 1.717 2.4367 3.434 2.4367 1.606 0 3.101-.6645 3.655-1.6614zm20.742 4.9839v1.994h-8.695v-35.997h8.695v13.0697c1.163-1.3291 3.6-2.5475 6.147-2.5475 7.2 0 11.132 5.8149 11.132 13.0143s-3.932 13.0145-11.132 13.0145c-2.547 0-4.984-1.219-6.147-2.548zm0-13.7893v6.5902c.665 1.3845 2.105 2.326 3.821 2.326 2.991 0 4.763-2.3814 4.763-5.5934s-1.772-5.6488-4.763-5.6488c-1.661 0-3.156.9969-3.821 2.326zm28.759-20.2137v35.997h-8.695v-35.997zm19.172 27.3023h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.643 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.515-13.0143 7.643 0 11.962 5.095 11.962 12.5159v2.1598h-16.115c.277 2.9905 1.827 4.5965 4.32 4.5965 1.772 0 3.156-.7753 3.655-2.4921zm-3.822-10.0237c-2.049 0-3.433 1.2737-3.987 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.545-3.5997zm25.461-15.2849h24.311v7.6424h-15.561v5.3165h14.232v7.4763h-14.232v5.8703h15.561v7.6978h-24.311zm27.942 34.0033v-24.921h8.694v2.1598c1.385-1.5506 3.822-2.7136 6.701-2.7136 5.538 0 8.806 3.5997 8.806 9.1377v16.3371h-8.639v-14.2327c0-2.049-1.053-3.5443-3.268-3.5443-1.717 0-3.157.9969-3.6 2.7136v15.0634zm29.991-8.5839v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.206v6.7564h-5.206v8.307c0 1.9383.941 2.769 2.658 2.769.942 0 1.994-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.87 0-9.193-2.769-9.193-9.0819zm26.161-16.3371v24.921h-8.694v-24.921zm.61-6.7564c0 2.8244-2.271 4.652-4.929 4.652s-4.929-1.8276-4.929-4.652c0-2.8797 2.271-4.7073 4.929-4.7073s4.929 1.8276 4.929 4.7073zm5.382 23.0935v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.206v6.7564h-5.206v8.307c0 1.9383.941 2.769 2.658 2.769.941 0 1.994-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.87 0-9.193-2.769-9.193-9.0819zm29.22 17.3889h-8.584l3.655-9.414-9.303-24.312h9.026l4.763 14.1773 4.652-14.1773h8.639z" id="error-description"/></svg>
       </header>
       <article>
-        <p><strong>The change you wanted was rejected.</strong> Maybe you tried to change something you didn’t have access to. If you’re the application owner check the logs for more information.</p>
+        <p><strong>The change you wanted was rejected.</strong> Maybe you tried to change something you didn't have access to. If you're the application owner check the logs for more information.</p>
       </article>
     </main>
 
diff --git a/public/500.html b/public/500.html
index d77718c3a..e4eb18a75 100644
--- a/public/500.html
+++ b/public/500.html
@@ -4,7 +4,7 @@
 
   <head>
 
-    <title>We’re sorry, but something went wrong (500 Internal Server Error)</title>
+    <title>We're sorry, but something went wrong (500 Internal Server Error)</title>
 
     <meta charset="utf-8">
     <meta name="viewport" content="initial-scale=1, width=device-width">
@@ -35,12 +35,35 @@
         font-weight: 400;
         letter-spacing: -0.0025em;
         line-height: 1.4;
-        min-height: 100vh;
+        min-height: 100dvh;
         place-items: center;
         text-rendering: optimizeLegibility;
         -webkit-text-size-adjust: 100%;
       }
 
+      #error-description {
+        fill: #d30001;
+      }
+
+      #error-id {
+        fill: #f0eff0;
+      }
+
+      @media (prefers-color-scheme: dark) {
+        body {
+          background: #101010;
+          color: #e0e0e0;
+        }
+
+        #error-description {
+          fill: #FF6161;
+        }
+
+        #error-id {
+          fill: #2c2c2c;
+        }
+      }
+
       a {
         color: inherit;
         font-weight: 700;
@@ -83,13 +106,11 @@
       }
 
       main article br {
-
         display: none;
 
         @media(min-width: 48em) {
           display: inline;
         }
-
       }
 
     </style>
@@ -102,10 +123,10 @@
 
     <main>
       <header>
-        <svg height="172" viewBox="0 0 480 172" width="480" xmlns="http://www.w3.org/2000/svg"><path d="m101.23 93.8427c-8.1103 0-15.4098 3.7849-19.7354 8.3813h-36.2269v-99.21891h103.8143v37.03791h-68.3984v24.8722c5.1366-2.7035 15.1396-5.9477 24.6014-5.9477 35.146 0 56.233 22.7094 56.233 55.4215 0 34.605-23.791 57.315-60.558 57.315-37.8492 0-61.64-22.169-63.8028-55.963h42.9857c1.0814 10.814 9.1919 19.195 21.6281 19.195 11.355 0 19.465-8.381 19.465-20.547 0-11.625-7.299-20.5463-20.006-20.5463zm138.833 77.8613c-40.822 0-64.884-35.146-64.884-85.7015 0-50.5554 24.062-85.700907 64.884-85.700907 40.823 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.061 85.7015-64.884 85.7015zm0-133.2831c-17.572 0-22.709 21.8984-22.709 47.5816 0 25.6835 5.137 47.5815 22.709 47.5815 17.303 0 22.71-21.898 22.71-47.5815 0-25.6832-5.407-47.5816-22.71-47.5816zm140.456 133.2831c-40.823 0-64.884-35.146-64.884-85.7015 0-50.5554 24.061-85.700907 64.884-85.700907 40.822 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.062 85.7015-64.884 85.7015zm0-133.2831c-17.573 0-22.71 21.8984-22.71 47.5816 0 25.6835 5.137 47.5815 22.71 47.5815 17.302 0 22.709-21.898 22.709-47.5815 0-25.6832-5.407-47.5816-22.709-47.5816z" fill="#f0eff0"/><path d="m23.1377 68.9967v34.0033h-8.9162v-34.0033zm4.3157 34.0033v-24.921h8.6947v2.1598c1.3845-1.5506 3.8212-2.7136 6.701-2.7136 5.538 0 8.8054 3.5997 8.8054 9.1377v16.3371h-8.6393v-14.2327c0-2.049-1.0522-3.5443-3.2674-3.5443-1.7168 0-3.1567.9969-3.5997 2.7136v15.0634zm29.9913-8.5839v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.5839v6.8671h5.2058v6.7564h-5.2058v8.307c0 1.9383.9415 2.769 2.6583 2.769.9414 0 1.9937-.2216 2.769-.5538v7.3654c-.9969.443-2.8798.775-4.8181.775-5.8703 0-9.1931-2.769-9.1931-9.0819zm32.3666-.1108h8.0301c-.8861 5.7597-5.2057 9.2487-11.6852 9.2487-7.6424 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.3165-13.0143 12.5159-13.0143 7.6424 0 11.9621 5.095 11.9621 12.5159v2.1598h-16.1156c.2769 2.9905 1.8275 4.5965 4.3196 4.5965 1.7722 0 3.1567-.7753 3.6551-2.4921zm-3.8212-10.0237c-2.0491 0-3.4336 1.2737-3.9874 3.5997h7.5317c-.1107-2.0491-1.3845-3.5997-3.5443-3.5997zm31.4299-6.3134v8.3624c-1.052-.5538-2.215-.7753-3.599-.7753-2.382 0-3.988 1.0522-4.431 2.8244v14.6203h-8.694v-24.921h8.694v2.2152c1.219-1.6614 3.157-2.769 5.649-2.769 1.108 0 1.994.2215 2.381.443zm2.949 25.0318v-24.921h8.694v2.1598c1.385-1.5506 3.821-2.7136 6.701-2.7136 5.538 0 8.806 3.5997 8.806 9.1377v16.3371h-8.64v-14.2327c0-2.049-1.052-3.5443-3.267-3.5443-1.717 0-3.157.9969-3.6 2.7136v15.0634zm50.371 0h-8.363v-1.274c-.83.831-3.323 1.717-5.981 1.717-4.929 0-9.082-2.769-9.082-8.0301 0-4.818 4.153-7.9193 9.581-7.9193 2.049 0 4.485.6646 5.482 1.3845v-1.606c0-1.606-.941-2.9905-3.046-2.9905-1.606 0-2.547.7199-2.935 1.8275h-8.196c.72-4.8181 4.984-8.6393 11.408-8.6393 7.089 0 11.132 3.7659 11.132 10.2453zm-8.363-6.9779v-1.4399c-.554-1.0522-2.049-1.7167-3.655-1.7167-1.717 0-3.433.7199-3.433 2.3813 0 1.7168 1.716 2.4367 3.433 2.4367 1.606 0 3.101-.6645 3.655-1.6614zm20.742-29.0191v35.997h-8.694v-35.997zm13.036 25.9178h9.248c.72 2.326 2.714 3.489 5.483 3.489 2.713 0 4.596-1.163 4.596-3.2674 0-1.6061-1.052-2.326-3.212-2.8244l-6.534-1.3845c-4.985-1.1076-8.751-3.7105-8.751-9.47 0-6.6456 5.538-11.0206 13.07-11.0206 8.307 0 13.014 4.5411 13.956 10.4114h-8.695c-.72-1.8829-2.27-3.3228-5.205-3.3228-2.548 0-4.265 1.1076-4.265 2.9905 0 1.4953 1.052 2.326 2.825 2.7137l6.645 1.5506c5.815 1.3845 9.027 4.5412 9.027 9.8023 0 6.9778-5.87 10.9654-13.291 10.9654-8.141 0-13.679-3.9322-14.897-10.6332zm46.509 1.3845h8.031c-.887 5.7597-5.206 9.2487-11.686 9.2487-7.642 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.317-13.0143 12.516-13.0143 7.643 0 11.962 5.095 11.962 12.5159v2.1598h-16.115c.277 2.9905 1.827 4.5965 4.319 4.5965 1.773 0 3.157-.7753 3.655-2.4921zm-3.821-10.0237c-2.049 0-3.433 1.2737-3.987 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.545-3.5997zm31.431-6.3134v8.3624c-1.053-.5538-2.216-.7753-3.6-.7753-2.381 0-3.988 1.0522-4.431 2.8244v14.6203h-8.694v-24.921h8.694v2.2152c1.219-1.6614 3.157-2.769 5.649-2.769 1.108 0 1.994.2215 2.382.443zm18.288 25.0318h-7.809l-9.47-24.921h8.861l4.763 14.288 4.652-14.288h8.528zm25.614-8.6947h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.642 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.516-13.0143 7.642 0 11.962 5.095 11.962 12.5159v2.1598h-16.116c.277 2.9905 1.828 4.5965 4.32 4.5965 1.772 0 3.157-.7753 3.655-2.4921zm-3.821-10.0237c-2.049 0-3.434 1.2737-3.988 3.5997h7.532c-.111-2.0491-1.384-3.5997-3.544-3.5997zm31.43-6.3134v8.3624c-1.052-.5538-2.215-.7753-3.6-.7753-2.381 0-3.987 1.0522-4.43 2.8244v14.6203h-8.695v-24.921h8.695v2.2152c1.218-1.6614 3.157-2.769 5.649-2.769 1.107 0 1.993.2215 2.381.443zm13.703-8.9715h24.312v7.6424h-15.562v5.3165h14.232v7.4763h-14.232v5.8703h15.562v7.6978h-24.312zm44.667 8.9715v8.3624c-1.052-.5538-2.215-.7753-3.6-.7753-2.381 0-3.987 1.0522-4.43 2.8244v14.6203h-8.695v-24.921h8.695v2.2152c1.218-1.6614 3.156-2.769 5.648-2.769 1.108 0 1.994.2215 2.382.443zm19.673 0v8.3624c-1.053-.5538-2.216-.7753-3.6-.7753-2.381 0-3.987 1.0522-4.43 2.8244v14.6203h-8.695v-24.921h8.695v2.2152c1.218-1.6614 3.156-2.769 5.648-2.769 1.108 0 1.994.2215 2.382.443zm26.769 12.5713c0 7.6978-5.15 13.0145-12.737 13.0145-7.532 0-12.738-5.3167-12.738-13.0145s5.206-13.0143 12.738-13.0143c7.587 0 12.737 5.3165 12.737 13.0143zm-8.529 0c0-3.4336-1.495-5.8703-4.208-5.8703-2.659 0-4.154 2.4367-4.154 5.8703s1.495 5.8149 4.154 5.8149c2.713 0 4.208-2.3813 4.208-5.8149zm28.082-12.5713v8.3624c-1.052-.5538-2.215-.7753-3.6-.7753-2.381 0-3.987 1.0522-4.43 2.8244v14.6203h-8.695v-24.921h8.695v2.2152c1.218-1.6614 3.157-2.769 5.649-2.769 1.107 0 1.993.2215 2.381.443z" fill="#d30001"/></svg>
+        <svg height="172" viewBox="0 0 480 172" width="480" xmlns="http://www.w3.org/2000/svg"><path d="m101.23 93.8427c-8.1103 0-15.4098 3.7849-19.7354 8.3813h-36.2269v-99.21891h103.8143v37.03791h-68.3984v24.8722c5.1366-2.7035 15.1396-5.9477 24.6014-5.9477 35.146 0 56.233 22.7094 56.233 55.4215 0 34.605-23.791 57.315-60.558 57.315-37.8492 0-61.64-22.169-63.8028-55.963h42.9857c1.0814 10.814 9.1919 19.195 21.6281 19.195 11.355 0 19.465-8.381 19.465-20.547 0-11.625-7.299-20.5463-20.006-20.5463zm138.833 77.8613c-40.822 0-64.884-35.146-64.884-85.7015 0-50.5554 24.062-85.700907 64.884-85.700907 40.823 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.061 85.7015-64.884 85.7015zm0-133.2831c-17.572 0-22.709 21.8984-22.709 47.5816 0 25.6835 5.137 47.5815 22.709 47.5815 17.303 0 22.71-21.898 22.71-47.5815 0-25.6832-5.407-47.5816-22.71-47.5816zm140.456 133.2831c-40.823 0-64.884-35.146-64.884-85.7015 0-50.5554 24.061-85.700907 64.884-85.700907 40.822 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.062 85.7015-64.884 85.7015zm0-133.2831c-17.573 0-22.71 21.8984-22.71 47.5816 0 25.6835 5.137 47.5815 22.71 47.5815 17.302 0 22.709-21.898 22.709-47.5815 0-25.6832-5.407-47.5816-22.709-47.5816z" id="error-id"/><path d="m23.1377 68.9967v34.0033h-8.9162v-34.0033zm4.3157 34.0033v-24.921h8.6947v2.1598c1.3845-1.5506 3.8212-2.7136 6.701-2.7136 5.538 0 8.8054 3.5997 8.8054 9.1377v16.3371h-8.6393v-14.2327c0-2.049-1.0522-3.5443-3.2674-3.5443-1.7168 0-3.1567.9969-3.5997 2.7136v15.0634zm29.9913-8.5839v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.5839v6.8671h5.2058v6.7564h-5.2058v8.307c0 1.9383.9415 2.769 2.6583 2.769.9414 0 1.9937-.2216 2.769-.5538v7.3654c-.9969.443-2.8798.775-4.8181.775-5.8703 0-9.1931-2.769-9.1931-9.0819zm32.3666-.1108h8.0301c-.8861 5.7597-5.2057 9.2487-11.6852 9.2487-7.6424 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.3165-13.0143 12.5159-13.0143 7.6424 0 11.9621 5.095 11.9621 12.5159v2.1598h-16.1156c.2769 2.9905 1.8275 4.5965 4.3196 4.5965 1.7722 0 3.1567-.7753 3.6551-2.4921zm-3.8212-10.0237c-2.0491 0-3.4336 1.2737-3.9874 3.5997h7.5317c-.1107-2.0491-1.3845-3.5997-3.5443-3.5997zm31.4299-6.3134v8.3624c-1.052-.5538-2.215-.7753-3.599-.7753-2.382 0-3.988 1.0522-4.431 2.8244v14.6203h-8.694v-24.921h8.694v2.2152c1.219-1.6614 3.157-2.769 5.649-2.769 1.108 0 1.994.2215 2.381.443zm2.949 25.0318v-24.921h8.694v2.1598c1.385-1.5506 3.821-2.7136 6.701-2.7136 5.538 0 8.806 3.5997 8.806 9.1377v16.3371h-8.64v-14.2327c0-2.049-1.052-3.5443-3.267-3.5443-1.717 0-3.157.9969-3.6 2.7136v15.0634zm50.371 0h-8.363v-1.274c-.83.831-3.323 1.717-5.981 1.717-4.929 0-9.082-2.769-9.082-8.0301 0-4.818 4.153-7.9193 9.581-7.9193 2.049 0 4.485.6646 5.482 1.3845v-1.606c0-1.606-.941-2.9905-3.046-2.9905-1.606 0-2.547.7199-2.935 1.8275h-8.196c.72-4.8181 4.984-8.6393 11.408-8.6393 7.089 0 11.132 3.7659 11.132 10.2453zm-8.363-6.9779v-1.4399c-.554-1.0522-2.049-1.7167-3.655-1.7167-1.717 0-3.433.7199-3.433 2.3813 0 1.7168 1.716 2.4367 3.433 2.4367 1.606 0 3.101-.6645 3.655-1.6614zm20.742-29.0191v35.997h-8.694v-35.997zm13.036 25.9178h9.248c.72 2.326 2.714 3.489 5.483 3.489 2.713 0 4.596-1.163 4.596-3.2674 0-1.6061-1.052-2.326-3.212-2.8244l-6.534-1.3845c-4.985-1.1076-8.751-3.7105-8.751-9.47 0-6.6456 5.538-11.0206 13.07-11.0206 8.307 0 13.014 4.5411 13.956 10.4114h-8.695c-.72-1.8829-2.27-3.3228-5.205-3.3228-2.548 0-4.265 1.1076-4.265 2.9905 0 1.4953 1.052 2.326 2.825 2.7137l6.645 1.5506c5.815 1.3845 9.027 4.5412 9.027 9.8023 0 6.9778-5.87 10.9654-13.291 10.9654-8.141 0-13.679-3.9322-14.897-10.6332zm46.509 1.3845h8.031c-.887 5.7597-5.206 9.2487-11.686 9.2487-7.642 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.317-13.0143 12.516-13.0143 7.643 0 11.962 5.095 11.962 12.5159v2.1598h-16.115c.277 2.9905 1.827 4.5965 4.319 4.5965 1.773 0 3.157-.7753 3.655-2.4921zm-3.821-10.0237c-2.049 0-3.433 1.2737-3.987 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.545-3.5997zm31.431-6.3134v8.3624c-1.053-.5538-2.216-.7753-3.6-.7753-2.381 0-3.988 1.0522-4.431 2.8244v14.6203h-8.694v-24.921h8.694v2.2152c1.219-1.6614 3.157-2.769 5.649-2.769 1.108 0 1.994.2215 2.382.443zm18.288 25.0318h-7.809l-9.47-24.921h8.861l4.763 14.288 4.652-14.288h8.528zm25.614-8.6947h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.642 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.516-13.0143 7.642 0 11.962 5.095 11.962 12.5159v2.1598h-16.116c.277 2.9905 1.828 4.5965 4.32 4.5965 1.772 0 3.157-.7753 3.655-2.4921zm-3.821-10.0237c-2.049 0-3.434 1.2737-3.988 3.5997h7.532c-.111-2.0491-1.384-3.5997-3.544-3.5997zm31.43-6.3134v8.3624c-1.052-.5538-2.215-.7753-3.6-.7753-2.381 0-3.987 1.0522-4.43 2.8244v14.6203h-8.695v-24.921h8.695v2.2152c1.218-1.6614 3.157-2.769 5.649-2.769 1.107 0 1.993.2215 2.381.443zm13.703-8.9715h24.312v7.6424h-15.562v5.3165h14.232v7.4763h-14.232v5.8703h15.562v7.6978h-24.312zm44.667 8.9715v8.3624c-1.052-.5538-2.215-.7753-3.6-.7753-2.381 0-3.987 1.0522-4.43 2.8244v14.6203h-8.695v-24.921h8.695v2.2152c1.218-1.6614 3.156-2.769 5.648-2.769 1.108 0 1.994.2215 2.382.443zm19.673 0v8.3624c-1.053-.5538-2.216-.7753-3.6-.7753-2.381 0-3.987 1.0522-4.43 2.8244v14.6203h-8.695v-24.921h8.695v2.2152c1.218-1.6614 3.156-2.769 5.648-2.769 1.108 0 1.994.2215 2.382.443zm26.769 12.5713c0 7.6978-5.15 13.0145-12.737 13.0145-7.532 0-12.738-5.3167-12.738-13.0145s5.206-13.0143 12.738-13.0143c7.587 0 12.737 5.3165 12.737 13.0143zm-8.529 0c0-3.4336-1.495-5.8703-4.208-5.8703-2.659 0-4.154 2.4367-4.154 5.8703s1.495 5.8149 4.154 5.8149c2.713 0 4.208-2.3813 4.208-5.8149zm28.082-12.5713v8.3624c-1.052-.5538-2.215-.7753-3.6-.7753-2.381 0-3.987 1.0522-4.43 2.8244v14.6203h-8.695v-24.921h8.695v2.2152c1.218-1.6614 3.157-2.769 5.649-2.769 1.107 0 1.993.2215 2.381.443z" id="error-description"/></svg>
       </header>
       <article>
-        <p><strong>We’re sorry, but something went wrong.</strong><br> If you’re the application owner check the logs for more information.</p>
+        <p><strong>We're sorry, but something went wrong.</strong><br> If you're the application owner check the logs for more information.</p>
       </article>
     </main>
 

From 64fcdd318941cf26483c05a759b9b9cb4d320df7 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Fri, 10 Apr 2026 10:23:37 +0100
Subject: [PATCH 074/106] chore: changes per https://railsdiff.org/8.0.5/8.1.3

---
 .gitignore                         | 4 ++--
 bin/docker-entrypoint              | 9 +++++----
 config/environments/development.rb | 6 ++++++
 config/environments/production.rb  | 3 +++
 4 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/.gitignore b/.gitignore
index e7cd399ce..bf1f2d413 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,8 +29,8 @@
 !/public/assets/.keep
 .byebug_history
 
-# Ignore master key for decrypting credentials and more.
-/config/master.key
+# Ignore key files for decrypting credentials and more.
+/config/*.key
 /config/credentials/*.key
 
 /coverage
diff --git a/bin/docker-entrypoint b/bin/docker-entrypoint
index af841e1eb..66c698432 100755
--- a/bin/docker-entrypoint
+++ b/bin/docker-entrypoint
@@ -4,11 +4,12 @@ if [[ "${@}" =~ "rails server" ]]; then
   rm -f ./tmp/pids/server.pid;
 fi
 
+# Removed per https://railsdiff.org/8.0.5/8.1.3
 # Enable jemalloc for reduced memory usage and latency.
-if [ -z "${LD_PRELOAD+x}" ]; then
-  LD_PRELOAD=$(find /usr/lib -name libjemalloc.so.2 -print -quit)
-  export LD_PRELOAD
-fi
+# if [ -z "${LD_PRELOAD+x}" ]; then
+#   LD_PRELOAD=$(find /usr/lib -name libjemalloc.so.2 -print -quit)
+#   export LD_PRELOAD
+# fi
 
 bundle install
 
diff --git a/config/environments/development.rb b/config/environments/development.rb
index df7e38c40..311a5bd08 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -67,6 +67,12 @@
   # Highlight code that enqueued background job in logs.
   config.active_job.verbose_enqueue_logs = true
 
+  # Highlight code that triggered redirect in logs.
+  config.action_dispatch.verbose_redirect_logs = true
+
+  # Suppress logger output for asset requests.
+  config.assets.quiet = true
+
   # Enable DNS rebinding protection and other `Host` header attacks.
   # config.hosts = [
   #   "example.com",     # Allow requests from example.com
diff --git a/config/environments/production.rb b/config/environments/production.rb
index fd5519fc0..5cb80ab25 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -50,6 +50,9 @@
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
   # config.force_ssl = true
 
+  # Skip http-to-https redirect for the default health check endpoint.
+  # config.ssl_options = { redirect: { exclude: ->(request) { request.path == "/up" } } }
+
   # TODO: Since Rails 7.1, the log no longer output to file, but STDOUT, which is the better approach, specially suitable
   # for docker. However this project still deploying use cap, we may need to change it back until we ready?
   # Log to STDOUT by default

From 5e7ca78832398933e923e83a74ee179553983a65 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Fri, 10 Apr 2026 10:25:57 +0100
Subject: [PATCH 075/106] chore: remove unusual character

---
 config/initializers/0_new_framework_defaults_8_1.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/initializers/0_new_framework_defaults_8_1.rb b/config/initializers/0_new_framework_defaults_8_1.rb
index 8569b5b1c..2dcf3ca7b 100644
--- a/config/initializers/0_new_framework_defaults_8_1.rb
+++ b/config/initializers/0_new_framework_defaults_8_1.rb
@@ -20,7 +20,7 @@
 #     end
 #   end
 #
-# Renders `{"key":"\u2028\u2029\u003c\u003e\u0026"}` with the previous default, but `{"key":"

<>&"}` with the config
+# Renders `{"key":"\u2028\u2029\u003c\u003e\u0026"}` with the previous default, but `{"key":"<>&"}` with the config
 # set to `false`.
 #
 # Applications that want to keep the escaping behavior can set the config to `true`.

From e2e276c4b98d47200aed1347e446888d1e07726c Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Fri, 10 Apr 2026 10:47:25 +0100
Subject: [PATCH 076/106] chore: set config.load_defaults to 8.1

---
 config/application.rb                         |  2 +-
 .../0_new_framework_defaults_8_1.rb           | 74 -------------------
 2 files changed, 1 insertion(+), 75 deletions(-)
 delete mode 100644 config/initializers/0_new_framework_defaults_8_1.rb

diff --git a/config/application.rb b/config/application.rb
index 852a14403..1d5184a55 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -11,7 +11,7 @@
 module SAPI
   class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
-    config.load_defaults 8.0
+    config.load_defaults 8.1
 
     # Since Rails 5, on submit, submission buttons in `form_for` are disabled.
     # However, if errors are thrown and the whole form is not rerendered, then
diff --git a/config/initializers/0_new_framework_defaults_8_1.rb b/config/initializers/0_new_framework_defaults_8_1.rb
deleted file mode 100644
index 2dcf3ca7b..000000000
--- a/config/initializers/0_new_framework_defaults_8_1.rb
+++ /dev/null
@@ -1,74 +0,0 @@
-# Be sure to restart your server when you modify this file.
-#
-# This file eases your Rails 8.1 framework defaults upgrade.
-#
-# Uncomment each configuration one by one to switch to the new default.
-# Once your application is ready to run with all new defaults, you can remove
-# this file and set the `config.load_defaults` to `8.1`.
-#
-# Read the Guide for Upgrading Ruby on Rails for more info on each option.
-# https://guides.rubyonrails.org/upgrading_ruby_on_rails.html
-
-###
-# Skips escaping HTML entities and line separators. When set to `false`, the
-# JSON renderer no longer escapes these to improve performance.
-#
-# Example:
-#   class PostsController < ApplicationController
-#     def index
-#       render json: { key: "\u2028\u2029<>&" }
-#     end
-#   end
-#
-# Renders `{"key":"\u2028\u2029\u003c\u003e\u0026"}` with the previous default, but `{"key":"<>&"}` with the config
-# set to `false`.
-#
-# Applications that want to keep the escaping behavior can set the config to `true`.
-#++
-# Rails.configuration.action_controller.escape_json_responses = false
-
-###
-# Skips escaping LINE SEPARATOR (U+2028) and PARAGRAPH SEPARATOR (U+2029) in JSON.
-#
-# Historically these characters were not valid inside JavaScript literal strings but that changed in ECMAScript 2019.
-# As such it's no longer a concern in modern browsers: https://caniuse.com/mdn-javascript_builtins_json_json_superset.
-#++
-# Rails.configuration.active_support.escape_js_separators_in_json = false
-
-###
-# Raises an error when order dependent finder methods (e.g. `#first`, `#second`) are called without `order` values
-# on the relation, and the model does not have any order columns (`implicit_order_column`, `query_constraints`, or
-# `primary_key`) to fall back on.
-#
-# The current behavior of not raising an error has been deprecated, and this configuration option will be removed in
-# Rails 8.2.
-#++
-# Rails.configuration.active_record.raise_on_missing_required_finder_order_columns = true
-
-###
-# Controls how Rails handles path relative URL redirects.
-# When set to `:raise`, Rails will raise an `ActionController::Redirecting::UnsafeRedirectError`
-# for relative URLs without a leading slash, which can help prevent open redirect vulnerabilities.
-#
-# Example:
-#   redirect_to "example.com"     # Raises UnsafeRedirectError
-#   redirect_to "@attacker.com"   # Raises UnsafeRedirectError
-#   redirect_to "/safe/path"      # Works correctly
-#
-# Applications that want to allow these redirects can set the config to `:log` (previous default)
-# to only log warnings, or `:notify` to send ActiveSupport notifications.
-#++
-# Rails.configuration.action_controller.action_on_path_relative_redirect = :raise
-
-###
-# Use a Ruby parser to track dependencies between Action View templates
-#++
-# Rails.configuration.action_view.render_tracker = :ruby
-
-###
-# When enabled, hidden inputs generated by `form_tag`, `token_tag`, `method_tag`, and the hidden parameter fields
-# included in `button_to` forms will omit the `autocomplete="off"` attribute.
-#
-# Applications that want to keep generating the `autocomplete` attribute for those tags can set it to `false`.
-#++
-# Rails.configuration.action_view.remove_hidden_field_autocomplete = true

From 6b7b629f6600e9e10d1cf362b000d936146bd690 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Fri, 10 Apr 2026 10:50:05 +0100
Subject: [PATCH 077/106] chore: set RuboCop TargetRailsVersion to 8.1

---
 .rubocop.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.rubocop.yml b/.rubocop.yml
index dbcb46b2c..9d04a4079 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -13,7 +13,7 @@ Rails:
   Enabled: true
 AllCops:
   TargetRubyVersion: 3.4
-  TargetRailsVersion: 8.0
+  TargetRailsVersion: 8.1
 
 Style/StringLiterals:
   EnforcedStyle: single_quotes

From 9f93102fa37d923c8efc06b79aca5bab9d97b735 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Fri, 10 Apr 2026 11:14:58 +0100
Subject: [PATCH 078/106] chore: upgrade sidekiq to 7.3.10

---
 Gemfile      |  8 ++++----
 Gemfile.lock | 48 +++++++++++++++++++++++++++---------------------
 2 files changed, 31 insertions(+), 25 deletions(-)

diff --git a/Gemfile b/Gemfile
index fe385b3d5..2f9e53fb5 100644
--- a/Gemfile
+++ b/Gemfile
@@ -57,10 +57,10 @@ gem 'groupdate', '~> 6.4'
 gem 'rubyzip', '~> 2.3', '>= 2.3.2'
 gem 'responders', '~> 3.1', '>= 3.1.1' # https://guides.rubyonrails.org/v4.2/upgrading_ruby_on_rails.html#responders
 
-gem 'sidekiq', '< 7' # TODO, latest is 7, which required Redis 6.2+, but our servers running Redis 4.0.9.
-gem 'sidekiq-status', '~> 3.0', '>= 3.0.3'
-gem 'sidekiq-unique-jobs', '7.1.33' # TODO: can upgrade to latest when sidekiq upgrade to 7
-gem 'sidekiq-cron', '~> 1.12'
+gem 'sidekiq', '>= 7.3.10', '< 8'
+gem 'sidekiq-status', '~> 4.0'
+gem 'sidekiq-unique-jobs', '~> 8', '>= 8.1.0'
+gem 'sidekiq-cron', '~> 2.3.1'
 
 gem 'httparty', '~> 0.21.0'
 
diff --git a/Gemfile.lock b/Gemfile.lock
index cf9a538a3..1431d3c5d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -142,9 +142,6 @@ GEM
       sass (~> 3.2)
     brakeman (8.0.4)
       racc
-    brpoplpush-redis_script (0.1.3)
-      concurrent-ruby (~> 1.0, >= 1.0.5)
-      redis (>= 1.0, < 6)
     builder (3.3.0)
     byebug (13.0.0)
       reline (>= 0.6.0)
@@ -207,6 +204,9 @@ GEM
       thor (~> 1.2)
       tins (~> 1.32)
     crass (1.0.6)
+    cronex (0.15.0)
+      tzinfo
+      unicode (>= 0.4.4.5)
     csv (3.3.5)
     database_cleaner (2.1.0)
       database_cleaner-active_record (>= 2, < 3)
@@ -481,6 +481,8 @@ GEM
     readline (0.0.4)
       reline
     redis (4.8.1)
+    redis-client (0.28.0)
+      connection_pool
     regexp_parser (2.12.0)
     reline (0.6.3)
       io-console (~> 0.5)
@@ -579,23 +581,26 @@ GEM
       rexml (~> 3.2, >= 3.2.5)
       rubyzip (>= 1.2.2, < 4.0)
       websocket (~> 1.0)
-    sidekiq (6.5.12)
-      connection_pool (>= 2.2.5, < 3)
-      rack (~> 2.0)
-      redis (>= 4.5.0, < 5)
-    sidekiq-cron (1.12.0)
-      fugit (~> 1.8)
+    sidekiq (7.3.10)
+      base64
+      connection_pool (>= 2.3.0, < 3)
+      logger
+      rack (>= 2.2.4, < 3.3)
+      redis-client (>= 0.23.0, < 1)
+    sidekiq-cron (2.3.1)
+      cronex (>= 0.13.0)
+      fugit (~> 1.8, >= 1.11.1)
       globalid (>= 1.0.1)
-      sidekiq (>= 6)
-    sidekiq-status (3.0.3)
+      sidekiq (>= 6.5.0)
+    sidekiq-status (4.0.0)
+      base64
       chronic_duration
-      sidekiq (>= 6.0, < 8)
-    sidekiq-unique-jobs (7.1.33)
-      brpoplpush-redis_script (> 0.1.1, <= 2.0.0)
+      logger
+      sidekiq (>= 7, < 9)
+    sidekiq-unique-jobs (8.1.0)
       concurrent-ruby (~> 1.0, >= 1.0.5)
-      redis (< 5.0)
-      sidekiq (>= 5.0, < 7.0)
-      thor (>= 0.20, < 3.0)
+      sidekiq (>= 7.0.0, < 9.0.0)
+      thor (>= 1.0, < 3.0)
     simplecov (0.22.0)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
@@ -645,6 +650,7 @@ GEM
     ttfunk (1.0.3)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
+    unicode (0.4.4.5)
     unicode-display_width (3.2.0)
       unicode-emoji (~> 4.1)
     unicode-emoji (4.2.0)
@@ -761,10 +767,10 @@ DEPENDENCIES
   rubyzip (~> 2.3, >= 2.3.2)
   sass-rails (~> 6)
   selenium-webdriver (~> 4.41)
-  sidekiq (< 7)
-  sidekiq-cron (~> 1.12)
-  sidekiq-status (~> 3.0, >= 3.0.3)
-  sidekiq-unique-jobs (= 7.1.33)
+  sidekiq (>= 7.3.10, < 8)
+  sidekiq-cron (~> 2.3.1)
+  sidekiq-status (~> 4.0)
+  sidekiq-unique-jobs (~> 8, >= 8.1.0)
   simplecov (~> 0.22.0)
   sitemap_generator (~> 6.3)
   slackistrano (= 0.1.9)

From b87475c6a1347e8a8439ae7767b4d3b8c9a6fc44 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Fri, 10 Apr 2026 11:48:48 +0100
Subject: [PATCH 079/106] chore: upgrade sidekiq to 8.1.2

---
 Gemfile      | 2 +-
 Gemfile.lock | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Gemfile b/Gemfile
index 2f9e53fb5..b8dc13eff 100644
--- a/Gemfile
+++ b/Gemfile
@@ -57,7 +57,7 @@ gem 'groupdate', '~> 6.4'
 gem 'rubyzip', '~> 2.3', '>= 2.3.2'
 gem 'responders', '~> 3.1', '>= 3.1.1' # https://guides.rubyonrails.org/v4.2/upgrading_ruby_on_rails.html#responders
 
-gem 'sidekiq', '>= 7.3.10', '< 8'
+gem 'sidekiq', '< 9'
 gem 'sidekiq-status', '~> 4.0'
 gem 'sidekiq-unique-jobs', '~> 8', '>= 8.1.0'
 gem 'sidekiq-cron', '~> 2.3.1'
diff --git a/Gemfile.lock b/Gemfile.lock
index 1431d3c5d..29cebf139 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -767,7 +767,7 @@ DEPENDENCIES
   rubyzip (~> 2.3, >= 2.3.2)
   sass-rails (~> 6)
   selenium-webdriver (~> 4.41)
-  sidekiq (>= 7.3.10, < 8)
+  sidekiq (< 9)
   sidekiq-cron (~> 2.3.1)
   sidekiq-status (~> 4.0)
   sidekiq-unique-jobs (~> 8, >= 8.1.0)

From 1756ab301dfe33c7c392ec05b8b63169527dc7c4 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Fri, 10 Apr 2026 12:10:51 +0100
Subject: [PATCH 080/106] chore: various other dependency upgrades

---
 Gemfile      | 22 ++++++++++----------
 Gemfile.lock | 57 +++++++++++++++++++++++++++-------------------------
 2 files changed, 41 insertions(+), 38 deletions(-)

diff --git a/Gemfile b/Gemfile
index b8dc13eff..fc32f8db9 100644
--- a/Gemfile
+++ b/Gemfile
@@ -42,9 +42,9 @@ gem 'pg_search', '~> 2.3', '>= 2.3.6'
 
 gem 'oj', '~> 3.16', '>= 3.16.3' # optimised JSON (picked by multi_json)
 gem 'inherited_resources', '~> 1.14' # Deprecated (https://github.com/activeadmin/inherited_resources#notice)
-gem 'nokogiri', '~> 1.18', force_ruby_platform: true
+gem 'nokogiri', '~> 1.19.2', force_ruby_platform: true
 gem 'mobility', '~> 1.2', '>= 1.2.9'
-gem 'devise', '~> 4.9', '>= 4.9.3'
+gem 'devise', '~> 5', '>= 5.0.3'
 gem 'cancancan', '~> 3.5'
 gem 'ahoy_matey', '~> 5.0', '>= 5.0.2'
 gem 'uuidtools', '~> 2.2' # For Ahoy. (https://github.com/ankane/ahoy/blob/v2.2.1/docs/Ahoy-2-Upgrade.md#activerecordstore)
@@ -52,17 +52,17 @@ gem 'csv', '~> 3.3.5' # no longer a default gem from Ruby 3.4.0 onwards
 
 gem 'wicked', '2.0.0'
 
-gem 'groupdate', '~> 6.4'
+gem 'groupdate', '~> 6.8.0'
 
-gem 'rubyzip', '~> 2.3', '>= 2.3.2'
-gem 'responders', '~> 3.1', '>= 3.1.1' # https://guides.rubyonrails.org/v4.2/upgrading_ruby_on_rails.html#responders
+gem 'rubyzip', '~> 3.2.2'
+gem 'responders', '~> 3.2.0' # https://guides.rubyonrails.org/v4.2/upgrading_ruby_on_rails.html#responders
 
 gem 'sidekiq', '< 9'
 gem 'sidekiq-status', '~> 4.0'
 gem 'sidekiq-unique-jobs', '~> 8', '>= 8.1.0'
 gem 'sidekiq-cron', '~> 2.3.1'
 
-gem 'httparty', '~> 0.21.0'
+gem 'httparty', '~> 0.24.2'
 
 gem 'kaminari', '~> 1.2', '>= 1.2.2' # TODO: Suggest migrate to pagy gem.
 
@@ -80,7 +80,7 @@ gem 'aws-sdk-s3', '~> 1.143', require: false
 # See https://github.com/sstephenson/execjs#readme for more supported runtimes
 # gem 'therubyracer', :platforms => :ruby
 
-gem 'strong_migrations', '~> 1.7'
+gem 'strong_migrations', '~> 1.7' # v2 drops support for pg<12
 
 # Use Active Model has_secure_password
 # gem 'bcrypt', '~> 3.1.7'
@@ -154,7 +154,7 @@ group :development do
 end
 
 group :test, :development do
-  gem 'rspec-rails', '~> 7.1'
+  gem 'rspec-rails', '~> 8.0'
   gem 'rspec-collection_matchers', '~> 1.2', '>= 1.2.1'
   gem 'json_spec', '~> 1.1', '>= 1.1.5'
   gem 'database_cleaner', '~> 2.0', '>= 2.0.2'
@@ -178,14 +178,14 @@ end
 
 gem 'geoip', '1.3.5' # TODO: no change logs, no idea if safe to update. Latest version is 1.6.4 @ 2018
 
-gem 'request_store', '~> 1.5', '>= 1.5.1'
+gem 'request_store', '~> 1.7', '>= 1.7.0'
 gem 'paper_trail', '~> 17.0.0'
 
-gem 'dotenv-rails', '2.0.1'
+gem 'dotenv-rails', '3.2.0'
 
 gem 'sitemap_generator', '~> 6.3'
 
-gem 'appsignal', '~> 3.13.1'
+gem 'appsignal', '~> 4'
 
 ### GEM for frontend ###
 # Remove the `jquery-rails` gem to eliminate any dependency issues that may block the upgrade process.
diff --git a/Gemfile.lock b/Gemfile.lock
index 29cebf139..dc73f70b5 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -102,8 +102,9 @@ GEM
     annotaterb (4.22.0)
       activerecord (>= 6.0.0)
       activesupport (>= 6.0.0)
-    appsignal (3.13.1)
-      rack
+    appsignal (4.8.4)
+      logger
+      rack (>= 2.0.0)
     ast (2.4.3)
     aws-eventstream (1.4.0)
     aws-partitions (1.1237.0)
@@ -216,17 +217,18 @@ GEM
     database_cleaner-core (2.0.1)
     date (3.5.1)
     device_detector (1.1.3)
-    devise (4.9.4)
+    devise (5.0.3)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0)
+      railties (>= 7.0)
       responders
       warden (~> 1.2.3)
     diff-lcs (1.6.2)
     docile (1.4.1)
-    dotenv (2.0.1)
-    dotenv-rails (2.0.1)
-      dotenv (= 2.0.1)
+    dotenv (3.2.0)
+    dotenv-rails (3.2.0)
+      dotenv (= 3.2.0)
+      railties (>= 6.1)
     drb (2.2.3)
     ed25519 (1.2.4)
     ember-cli-assets (0.0.37)
@@ -280,7 +282,8 @@ GEM
       actionpack (>= 7.0)
       activesupport (>= 7.0)
     hashery (2.1.2)
-    httparty (0.21.0)
+    httparty (0.24.2)
+      csv
       mini_mime (>= 1.0.0)
       multi_xml (>= 0.5.2)
     i18n (1.14.8)
@@ -506,14 +509,14 @@ GEM
     rspec-mocks (3.13.8)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-rails (7.1.1)
-      actionpack (>= 7.0)
-      activesupport (>= 7.0)
-      railties (>= 7.0)
-      rspec-core (~> 3.13)
-      rspec-expectations (~> 3.13)
-      rspec-mocks (~> 3.13)
-      rspec-support (~> 3.13)
+    rspec-rails (8.0.4)
+      actionpack (>= 7.2)
+      activesupport (>= 7.2)
+      railties (>= 7.2)
+      rspec-core (>= 3.13.0, < 5.0.0)
+      rspec-expectations (>= 3.13.0, < 5.0.0)
+      rspec-mocks (>= 3.13.0, < 5.0.0)
+      rspec-support (>= 3.13.0, < 5.0.0)
     rspec-support (3.13.7)
     rubocop (1.86.1)
       json (~> 2.3)
@@ -561,7 +564,7 @@ GEM
     ruby-vips (2.3.0)
       ffi (~> 1.12)
       logger
-    rubyzip (2.4.1)
+    rubyzip (3.2.2)
     safely_block (1.0.0)
     sass (3.4.25)
     sass-rails (6.0.0)
@@ -689,7 +692,7 @@ DEPENDENCIES
   acts-as-taggable-on (~> 13.0)
   ahoy_matey (~> 5.0, >= 5.0.2)
   annotaterb (~> 4.22.0)
-  appsignal (~> 3.13.1)
+  appsignal (~> 4)
   aws-sdk-s3 (~> 1.143)
   base64 (= 0.2.0)
   bcrypt_pbkdf (= 1.1.0)
@@ -713,8 +716,8 @@ DEPENDENCIES
   coveralls_reborn (~> 0.28.0)
   csv (~> 3.3.5)
   database_cleaner (~> 2.0, >= 2.0.2)
-  devise (~> 4.9, >= 4.9.3)
-  dotenv-rails (= 2.0.1)
+  devise (~> 5, >= 5.0.3)
+  dotenv-rails (= 3.2.0)
   ed25519 (= 1.2.4)
   ember-data-source (= 1.13.0)
   ember-rails (~> 0.21.0)
@@ -724,9 +727,9 @@ DEPENDENCIES
   file_exists (~> 0.2.0)
   geoip (= 1.3.5)
   gon (~> 6.4)
-  groupdate (~> 6.4)
+  groupdate (~> 6.8.0)
   handlebars-source (= 1.0.12)
-  httparty (~> 0.21.0)
+  httparty (~> 0.24.2)
   inherited_resources (~> 1.14)
   jslint_on_rails (= 1.1.1)
   json_spec (~> 1.1, >= 1.1.5)
@@ -737,7 +740,7 @@ DEPENDENCIES
   nested-hstore (~> 0.1.2)
   nested_form (~> 0.3.2)
   net-ssh (= 7.3.2)
-  nokogiri (~> 1.18)
+  nokogiri (~> 1.19.2)
   oj (~> 3.16, >= 3.16.3)
   paper_trail (~> 17.0.0)
   pdfkit (~> 0.8.7.3)
@@ -753,10 +756,10 @@ DEPENDENCIES
   rbnacl (= 4.0.2)
   rbnacl-libsodium (= 1.0.16)
   redis (~> 4.8)
-  request_store (~> 1.5, >= 1.5.1)
-  responders (~> 3.1, >= 3.1.1)
+  request_store (~> 1.7, >= 1.7.0)
+  responders (~> 3.2.0)
   rspec-collection_matchers (~> 1.2, >= 1.2.1)
-  rspec-rails (~> 7.1)
+  rspec-rails (~> 8.0)
   rubocop
   rubocop-capybara
   rubocop-factory_bot
@@ -764,7 +767,7 @@ DEPENDENCIES
   rubocop-rails-omakase
   rubocop-rspec
   rubocop-rspec_rails
-  rubyzip (~> 2.3, >= 2.3.2)
+  rubyzip (~> 3.2.2)
   sass-rails (~> 6)
   selenium-webdriver (~> 4.41)
   sidekiq (< 9)

From 13bf5d8162c5cd3c4f84795b403e608163a22c46 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Fri, 10 Apr 2026 16:59:07 +0100
Subject: [PATCH 081/106] refactor: prefer params.expect(...) over
 params.require(...).permit(...)

---
 .../admin/change_types_controller.rb          |   8 +-
 app/controllers/admin/cites_acs_controller.rb |  13 +-
 .../cites_captivity_processes_controller.rb   |  12 +-
 .../admin/cites_cops_controller.rb            |  13 +-
 ...cites_extraordinary_meetings_controller.rb |  13 +-
 .../cites_hash_annotations_controller.rb      |  13 +-
 app/controllers/admin/cites_pcs_controller.rb |  13 +-
 ...tes_suspension_notifications_controller.rb |  13 +-
 .../admin/cites_suspensions_controller.rb     |  31 +-
 app/controllers/admin/cites_tcs_controller.rb |  13 +-
 .../admin/designations_controller.rb          |   5 +-
 .../admin/distributions_controller.rb         |  14 +-
 .../admin/document_batches_controller.rb      |  16 +-
 app/controllers/admin/documents_controller.rb |  44 +--
 app/controllers/admin/ec_srgs_controller.rb   |  13 +-
 .../eu_council_regulations_controller.rb      |  12 +-
 .../admin/eu_decision_types_controller.rb     |   7 +-
 .../admin/eu_hash_annotations_controller.rb   |  11 +-
 .../eu_implementing_regulations_controller.rb |  12 +-
 .../admin/eu_opinions_controller.rb           |  15 +-
 .../admin/eu_regulations_controller.rb        |  13 +-
 .../eu_suspension_regulations_controller.rb   |  13 +-
 app/controllers/admin/events_controller.rb    |  12 +-
 .../admin/geo_entities_controller.rb          |  11 +-
 .../admin/geo_relationships_controller.rb     |   7 +-
 .../admin/hybrid_relationships_controller.rb  |   9 +-
 .../admin/instruments_controller.rb           |   5 +-
 app/controllers/admin/languages_controller.rb |   5 +-
 .../nomenclature_changes/build_controller.rb  |  61 +++-
 .../nomenclature_changes/lump_controller.rb   |  89 ++----
 .../nomenclature_changes/split_controller.rb  |  89 ++----
 .../status_swap_controller.rb                 | 104 ++-----
 .../status_to_accepted_controller.rb          | 105 ++-----
 .../status_to_synonym_controller.rb           | 107 +++----
 app/controllers/admin/purposes_controller.rb  |   5 +-
 app/controllers/admin/ranks_controller.rb     |   8 +-
 .../admin/references_controller.rb            |   5 +-
 app/controllers/admin/sources_controller.rb   |   5 +-
 .../admin/species_listings_controller.rb      |   5 +-
 .../admin/srg_histories_controller.rb         |   5 +-
 .../admin/synonym_relationships_controller.rb |   9 +-
 app/controllers/admin/tags_controller.rb      |   5 +-
 .../taxon_cites_suspensions_controller.rb     |  31 +-
 .../admin/taxon_commons_controller.rb         |  10 +-
 .../taxon_concept_comments_controller.rb      |   9 +-
 .../taxon_concept_references_controller.rb    |  16 +-
 .../taxon_concept_term_pairs_controller.rb    |   5 +-
 .../admin/taxon_concepts_controller.rb        |  25 +-
 .../admin/taxon_eu_suspensions_controller.rb  |  15 +-
 .../admin/taxon_instruments_controller.rb     |   7 +-
 .../admin/taxon_listing_changes_controller.rb |  38 +--
 .../admin/taxon_quotas_controller.rb          |  22 +-
 .../admin/taxon_relationships_controller.rb   |   8 +-
 .../admin/taxonomies_controller.rb            |   2 +-
 .../term_trade_codes_pairs_controller.rb      |   4 +-
 app/controllers/admin/terms_controller.rb     |   2 +-
 .../trade_name_relationships_controller.rb    |   8 +-
 app/controllers/admin/units_controller.rb     |   4 +-
 app/controllers/admin/users_controller.rb     |  10 +-
 .../api/v1/eu_decisions_controller.rb         |   1 +
 .../api/v1/shipments_controller.rb            |  36 +--
 .../checklist/downloads_controller.rb         |  11 +-
 app/controllers/registrations_controller.rb   |  13 +-
 app/controllers/sessions_controller.rb        |   2 +-
 .../trade/annual_report_uploads_controller.rb |  44 +--
 .../trade/sandbox_shipments_controller.rb     |  17 +-
 app/controllers/trade/shipments_controller.rb |   6 +-
 .../trade/validation_errors_controller.rb     |   4 +-
 app/models/analytics_event.rb                 |   1 -
 app/models/annotation.rb                      |   5 -
 app/models/change_type.rb                     |   3 -
 app/models/cites_process.rb                   |   4 -
 .../cites_processes/cites_rst_process.rb      |   1 -
 app/models/cites_suspension_confirmation.rb   |   2 -
 app/models/cms_mapping.rb                     |   3 -
 app/models/comment.rb                         |   3 -
 app/models/common_name.rb                     |   3 -
 app/models/designation.rb                     |   3 +-
 app/models/designation_geo_entity.rb          |   1 -
 app/models/distribution.rb                    |   3 -
 app/models/distribution_reference.rb          |   2 -
 app/models/document.rb                        |  48 ++-
 app/models/document/proposal.rb               |   1 -
 .../document/review_of_significant_trade.rb   |   1 -
 app/models/document_citation.rb               |   2 -
 app/models/document_citation_geo_entity.rb    |   1 -
 app/models/document_citation_taxon_concept.rb |   2 -
 app/models/document_tag.rb                    |   1 -
 app/models/download.rb                        |   3 -
 app/models/eu_country_date.rb                 |   1 -
 app/models/eu_decision.rb                     |   6 -
 app/models/eu_decision_confirmation.rb        |   1 -
 app/models/eu_decision_type.rb                |   4 +-
 app/models/eu_decisions/eu_opinion.rb         |   3 -
 app/models/event.rb                           |   5 -
 app/models/events/cites_ac.rb                 |   3 -
 app/models/events/cites_cop.rb                |   3 -
 .../events/cites_extraordinary_meeting.rb     |   3 -
 app/models/events/cites_pc.rb                 |   3 -
 .../events/cites_suspension_notification.rb   |   4 +-
 app/models/events/cites_tc.rb                 |   3 -
 app/models/events/ec_srg.rb                   |   3 -
 app/models/events/eu_regulation.rb            |   2 -
 app/models/events/eu_suspension_regulation.rb |   2 -
 app/models/geo_entity.rb                      |   4 -
 app/models/geo_entity_type.rb                 |   1 -
 app/models/geo_relationship.rb                |   2 -
 app/models/geo_relationship_type.rb           |   1 -
 app/models/instrument.rb                      |   2 -
 app/models/iucn_mapping.rb                    |   2 -
 app/models/language.rb                        |   3 +-
 app/models/listing_change.rb                  |   8 -
 app/models/listing_distribution.rb            |   2 -
 app/models/nomenclature_change.rb             |  13 +-
 app/models/nomenclature_change/input.rb       |   7 -
 app/models/nomenclature_change/lump.rb        |   3 +-
 app/models/nomenclature_change/output.rb      |  15 +-
 .../parent_reassignment.rb                    |   2 -
 .../reassignment_helpers.rb                   |   5 -
 .../reassignment_target.rb                    |   4 +-
 app/models/nomenclature_change/split.rb       |   3 +-
 .../status_change_helpers.rb                  |   3 -
 .../nomenclature_change/status_to_accepted.rb |  10 +-
 app/models/preset_tag.rb                      |   2 -
 app/models/proposal_details.rb                |   3 +-
 app/models/rank.rb                            |   3 -
 app/models/reference.rb                       |   2 -
 app/models/review_details.rb                  |   1 -
 app/models/species_listing.rb                 |   2 -
 app/models/srg_history.rb                     |   3 -
 app/models/taxon_common.rb                    |   3 -
 app/models/taxon_concept.rb                   |   9 -
 app/models/taxon_concept_reference.rb         |   4 -
 app/models/taxon_concept_version.rb           |   7 -
 app/models/taxon_instrument.rb                |   2 -
 app/models/taxon_name.rb                      |   1 -
 app/models/taxon_relationship.rb              |   3 -
 app/models/taxon_relationship_type.rb         |   1 -
 app/models/taxonomy.rb                        |   3 +-
 app/models/term_trade_codes_pair.rb           |   3 -
 app/models/trade/annual_report_upload.rb      |   3 -
 app/models/trade/format_validation_rule.rb    |   1 -
 app/models/trade/inclusion_validation_rule.rb |   1 -
 app/models/trade/permit.rb                    |   1 -
 app/models/trade/sandbox_template.rb          |   4 +-
 app/models/trade/shipment.rb                  |   9 -
 app/models/trade/taxon_concept_term_pair.rb   |   2 -
 app/models/trade/trade_data_download.rb       |   3 -
 app/models/trade/validation_error.rb          |  11 +-
 app/models/trade/validation_rule.rb           |   1 -
 app/models/trade_code.rb                      |   3 +-
 app/models/trade_restriction.rb               |   7 -
 app/models/trade_restriction_purpose.rb       |   1 -
 app/models/trade_restriction_source.rb        |   1 -
 app/models/trade_restriction_term.rb          |   1 -
 .../trade_restrictions/cites_suspension.rb    |   5 +-
 app/models/trade_restrictions/quota.rb        |   8 +-
 app/models/user.rb                            |   4 -
 app/models/year_annual_reports_by_country.rb  |   1 -
 app/services/document_batch.rb                |   8 +-
 lib/modules/trade/grouping/base.rb            |   2 +-
 .../admin/change_types_controller_spec.rb     |  15 +-
 .../admin/cites_cops_controller_spec.rb       |   3 +
 .../cites_suspensions_controller_spec.rb      |   3 +-
 .../admin/designations_controller_spec.rb     |  15 +-
 .../admin/document_batches_controller_spec.rb |  93 ++++--
 .../admin/documents_controller_spec.rb        | 171 +++++++----
 .../admin/eu_opinions_controller_spec.rb      | 284 +++++++++++-------
 .../admin/instruments_controller_spec.rb      |  18 +-
 .../admin/languages_controller_spec.rb        |  37 ++-
 .../split_controller_spec.rb                  | 144 +++++++--
 .../status_swap_controller_spec.rb            |  51 +++-
 .../status_to_accepted_controller_spec.rb     |  82 +++--
 .../status_to_synonym_controller_spec.rb      |  47 ++-
 .../admin/ranks_controller_spec.rb            |  15 +-
 .../admin/species_listings_controller_spec.rb |  25 +-
 .../admin/srg_histories_controller_spec.rb    |   9 +-
 .../controllers/admin/tags_controller_spec.rb |  24 +-
 ...taxon_cites_suspensions_controller_spec.rb |  56 +++-
 .../admin/taxon_commons_controller_spec.rb    |  37 ++-
 ...axon_concept_references_controller_spec.rb |  51 +++-
 .../admin/taxon_concepts_controller_spec.rb   |  61 +++-
 .../taxon_eu_suspensions_controller_spec.rb   | 141 ++++++---
 .../taxon_listing_changes_controller_spec.rb  | 129 ++++++--
 .../admin/taxon_quotas_controller_spec.rb     |  69 +++--
 .../sandbox_shipments_controller_spec.rb      |  10 +
 186 files changed, 1870 insertions(+), 1396 deletions(-)

diff --git a/app/controllers/admin/change_types_controller.rb b/app/controllers/admin/change_types_controller.rb
index 908262b51..41312061b 100644
--- a/app/controllers/admin/change_types_controller.rb
+++ b/app/controllers/admin/change_types_controller.rb
@@ -20,9 +20,11 @@ def load_associations
 private
 
   def change_type_params
-    params.require(:change_type).permit(
-      # attributes were in model `attr_accessible`.
-      :name, :display_name_en, :display_name_es, :display_name_fr, :designation_id
+    params.expect(
+      change_type: [
+        :name, :designation_id,
+        :display_name_en, :display_name_es, :display_name_fr
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/cites_acs_controller.rb b/app/controllers/admin/cites_acs_controller.rb
index 7a12267be..8051bf366 100644
--- a/app/controllers/admin/cites_acs_controller.rb
+++ b/app/controllers/admin/cites_acs_controller.rb
@@ -21,11 +21,14 @@ def collection
 private
 
   def cites_ac_params
-    params.require(:cites_ac).permit(
-      # attributes were in model `attr_accessible`.
-      :is_current, :name, :designation_id, :description, :extended_description,
-      :url, :private_url, :multilingual_url, :published_at, :effective_at, :is_current, :end_date,
-      :created_by_id, :updated_by_id
+    params.expect(
+      cites_ac: [
+        :is_current, :name, :designation_id,
+        :description, :extended_description,
+        :url, :private_url, :multilingual_url,
+        :published_at, :effective_at, :is_current, :end_date,
+        :created_by_id, :updated_by_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/cites_captivity_processes_controller.rb b/app/controllers/admin/cites_captivity_processes_controller.rb
index 512650bb2..37d237884 100644
--- a/app/controllers/admin/cites_captivity_processes_controller.rb
+++ b/app/controllers/admin/cites_captivity_processes_controller.rb
@@ -62,11 +62,13 @@ def collection
 private
 
   def cites_captivity_process_params
-    params.require(:cites_captivity_process).permit(
-      # attributes were in model `attr_accessible`.
-      :start_event_id, :geo_entity_id, :resolution, :start_date,
-      :taxon_concept_id, :notes, :status, :document, :document_title,
-      :created_by_id, :updated_by_id
+    params.expect(
+      cites_captivity_process: [
+        :start_event_id, :geo_entity_id, :resolution, :start_date,
+        :taxon_concept_id, :notes, :status,
+        :document, :document_title,
+        :created_by_id, :updated_by_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/cites_cops_controller.rb b/app/controllers/admin/cites_cops_controller.rb
index af100aec7..c011a1a51 100644
--- a/app/controllers/admin/cites_cops_controller.rb
+++ b/app/controllers/admin/cites_cops_controller.rb
@@ -20,11 +20,14 @@ def collection
 private
 
   def cites_cop_params
-    params.require(:cites_cop).permit(
-      # attributes were in model `attr_accessible`.
-      :is_current, :name, :designation_id, :description, :extended_description,
-      :url, :private_url, :multilingual_url, :published_at, :effective_at, :is_current, :end_date,
-      :created_by_id, :updated_by_id
+    params.expect(
+      cites_cop: [
+        :is_current, :name, :designation_id,
+        :description, :extended_description,
+        :url, :private_url, :multilingual_url, :published_at,
+        :effective_at, :is_current, :end_date,
+        :created_by_id, :updated_by_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/cites_extraordinary_meetings_controller.rb b/app/controllers/admin/cites_extraordinary_meetings_controller.rb
index a9145e9f1..5e1318740 100644
--- a/app/controllers/admin/cites_extraordinary_meetings_controller.rb
+++ b/app/controllers/admin/cites_extraordinary_meetings_controller.rb
@@ -21,11 +21,14 @@ def collection
 private
 
   def cites_extraordinary_meeting_params
-    params.require(:cites_extraordinary_meeting).permit(
-      # attributes were in model `attr_accessible`.
-      :is_current, :name, :designation_id, :description, :extended_description,
-      :url, :private_url, :multilingual_url, :published_at, :effective_at, :is_current, :end_date,
-      :created_by_id, :updated_by_id
+    params.expect(
+      cites_extraordinary_meeting: [
+        :is_current, :name, :designation_id,
+        :description, :extended_description,
+        :url, :private_url, :multilingual_url,
+        :published_at, :effective_at, :is_current, :end_date,
+        :created_by_id, :updated_by_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/cites_hash_annotations_controller.rb b/app/controllers/admin/cites_hash_annotations_controller.rb
index 01e3b0863..967019d6b 100644
--- a/app/controllers/admin/cites_hash_annotations_controller.rb
+++ b/app/controllers/admin/cites_hash_annotations_controller.rb
@@ -12,11 +12,14 @@ def load_associations
 private
 
   def cites_hash_annotation_params
-    params.require(:annotation).permit(
-      # attributes were in model `attr_accessible`.
-      :listing_change_id, :symbol, :parent_symbol, :short_note_en,
-      :full_note_en, :short_note_fr, :full_note_fr, :short_note_es, :full_note_es,
-      :display_in_index, :display_in_footnote, :event_id
+    params.expect(
+      annotation: [
+        :listing_change_id, :symbol, :parent_symbol,
+        :short_note_en, :full_note_en,
+        :short_note_fr, :full_note_fr,
+        :short_note_es, :full_note_es,
+        :display_in_index, :display_in_footnote, :event_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/cites_pcs_controller.rb b/app/controllers/admin/cites_pcs_controller.rb
index 9cd047f88..4f39e2cec 100644
--- a/app/controllers/admin/cites_pcs_controller.rb
+++ b/app/controllers/admin/cites_pcs_controller.rb
@@ -21,11 +21,14 @@ def collection
 private
 
   def cites_pc_params
-    params.require(:cites_pc).permit(
-      # attributes were in model `attr_accessible`.
-      :is_current, :name, :designation_id, :description, :extended_description,
-      :url, :private_url, :multilingual_url, :published_at, :effective_at, :is_current, :end_date,
-      :created_by_id, :updated_by_id
+    params.expect(
+      cites_pc: [
+        :is_current, :name, :designation_id,
+        :description, :extended_description,
+        :url, :private_url, :multilingual_url,
+        :published_at, :effective_at, :is_current, :end_date,
+        :created_by_id, :updated_by_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/cites_suspension_notifications_controller.rb b/app/controllers/admin/cites_suspension_notifications_controller.rb
index 45b7d570b..50d12ff63 100644
--- a/app/controllers/admin/cites_suspension_notifications_controller.rb
+++ b/app/controllers/admin/cites_suspension_notifications_controller.rb
@@ -20,11 +20,14 @@ def collection
 private
 
   def cites_suspension_notification_params
-    params.require(:cites_suspension_notification).permit(
-      # attributes were in model `attr_accessible`.
-      :subtype, :new_subtype, :end_date, :name, :designation_id, :description, :extended_description,
-      :url, :private_url, :multilingual_url, :published_at, :effective_at, :is_current, :end_date,
-      :created_by_id, :updated_by_id
+    params.expect(
+      cites_suspension_notification: [
+        :subtype, :new_subtype, :end_date, :name, :designation_id,
+        :description, :extended_description,
+        :url, :private_url, :multilingual_url,
+        :published_at, :effective_at, :is_current, :end_date,
+        :created_by_id, :updated_by_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/cites_suspensions_controller.rb b/app/controllers/admin/cites_suspensions_controller.rb
index 31fad98a3..514c86517 100644
--- a/app/controllers/admin/cites_suspensions_controller.rb
+++ b/app/controllers/admin/cites_suspensions_controller.rb
@@ -67,21 +67,22 @@ def collection
 private
 
   def cites_suspension_params
-    params.require(:cites_suspension).permit(
-      # attributes were in model `attr_accessible`.
-      :start_notification_id, :end_notification_id,
-      :applies_to_import, :end_date, :geo_entity_id, :is_current,
-      :notes, :publication_date, :quota, :type,
-      :start_date, :unit_id, :internal_notes,
-      :nomenclature_note_en, :nomenclature_note_es, :nomenclature_note_fr,
-      :created_by_id, :updated_by_id, :url,
-      :taxon_concept_id,
-      cites_suspension_confirmations_attributes: [
-        :id, :cites_suspension_notification_id, :_destroy
-      ],
-      purpose_ids: [],
-      term_ids: [],
-      source_ids: []
+    params.expect(
+      cites_suspension: [
+        :start_notification_id, :end_notification_id,
+        :applies_to_import, :end_date, :geo_entity_id, :is_current,
+        :notes, :publication_date, :quota, :type,
+        :start_date, :unit_id, :internal_notes,
+        :nomenclature_note_en, :nomenclature_note_es, :nomenclature_note_fr,
+        :created_by_id, :updated_by_id, :url,
+        :taxon_concept_id,
+        cites_suspension_confirmations_attributes: [
+          [ :id, :_destroy, :cites_suspension_notification_id ]
+        ],
+        purpose_ids: [],
+        term_ids: [],
+        source_ids: []
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/cites_tcs_controller.rb b/app/controllers/admin/cites_tcs_controller.rb
index f15f37e2c..334c16a4f 100644
--- a/app/controllers/admin/cites_tcs_controller.rb
+++ b/app/controllers/admin/cites_tcs_controller.rb
@@ -21,11 +21,14 @@ def collection
 private
 
   def cites_tc_params
-    params.require(:cites_tc).permit(
-      # attributes were in model `attr_accessible`.
-      :is_current, :name, :designation_id, :description, :extended_description,
-      :url, :private_url, :multilingual_url, :published_at, :effective_at, :is_current, :end_date,
-      :created_by_id, :updated_by_id
+    params.expect(
+      cites_tc: [
+        :is_current, :name, :designation_id,
+        :description, :extended_description,
+        :url, :private_url, :multilingual_url,
+        :published_at, :effective_at, :is_current, :end_date,
+        :created_by_id, :updated_by_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/designations_controller.rb b/app/controllers/admin/designations_controller.rb
index f978c4e1f..fdad4aa55 100644
--- a/app/controllers/admin/designations_controller.rb
+++ b/app/controllers/admin/designations_controller.rb
@@ -31,9 +31,6 @@ def load_associations
 private
 
   def designation_params
-    params.require(:designation).permit(
-      # attributes were in model `attr_accessible`.
-      :name, :taxonomy_id
-    )
+    params.expect(designation: [ :name, :taxonomy_id ])
   end
 end
diff --git a/app/controllers/admin/distributions_controller.rb b/app/controllers/admin/distributions_controller.rb
index fead5828b..0248e51d6 100644
--- a/app/controllers/admin/distributions_controller.rb
+++ b/app/controllers/admin/distributions_controller.rb
@@ -80,11 +80,15 @@ def load_distributions
 private
 
   def distribution_params
-    params.require(:distribution).permit(
-      # attributes were in model `attr_accessible`.
-      :geo_entity_id, :taxon_concept_id, :internal_notes, :created_by_id, :updated_by_id,
-      references_attributes: [ :citation, :created_by_id, :updated_by_id, :id, :_destroy ],
-      tag_list: []
+    params.expect(
+      distribution: [
+        :geo_entity_id, :taxon_concept_id, :internal_notes,
+        :created_by_id, :updated_by_id,
+        references_attributes: [
+          [ :id, :_destroy, :citation, :created_by_id, :updated_by_id ]
+        ],
+        tag_list: []
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/document_batches_controller.rb b/app/controllers/admin/document_batches_controller.rb
index f8af456a2..77722e5c4 100644
--- a/app/controllers/admin/document_batches_controller.rb
+++ b/app/controllers/admin/document_batches_controller.rb
@@ -15,6 +15,7 @@ def new
   def create
     @event = Event.find(params[:event_id]) if params[:event_id]
     @document_batch = DocumentBatch.new(document_batch_params)
+
     if @document_batch.save
       if @event
         redirect_to admin_event_documents_url(@event)
@@ -44,9 +45,18 @@ def load_associations
   def document_batch_params
     params.require(:document_batch).permit(
       :event_id, :date, :language_id, :is_public,
-      documents_attributes: [
-        :type
-      ], files: []
+      documents_attributes: [ :type ],
+      files: []
     )
+
+    # TODO: for some reason the following won't work
+    # params.expect(
+    #   document_batch: [
+    #     :event_id, :date, :language_id, :is_public,
+    #     files: [ [] ],
+    #     documents_attributes: [ [ :type ] ],
+    #   ]
+    # )
+
   end
 end
diff --git a/app/controllers/admin/documents_controller.rb b/app/controllers/admin/documents_controller.rb
index 639ecb04d..b34aabf3b 100644
--- a/app/controllers/admin/documents_controller.rb
+++ b/app/controllers/admin/documents_controller.rb
@@ -163,23 +163,33 @@ def redirect_url
 private
 
   def document_params
-    params.require(:document).permit(
-      # attributes were in model `attr_accessible`.
-      :event_id, :file, :date, :type, :title, :is_public,
-      :language_id,
-      :sort_index, :discussion_id, :discussion_sort_index,
-      :primary_language_document_id,
-      :designation_id,
-      citations_attributes: [
-        :id, :_destroy, :document_id, :stringy_taxon_concept_ids,
-        geo_entity_ids: []
-      ],
-      proposal_details_attributes: [
-        :id, :_destroy, :document_id, :proposal_nature, :proposal_outcome_id,
-        :representation, :proposal_number
-      ],
-      review_details_attributes: [
-        :id, :_destroy, :document_id, :review_phase_id, :process_stage_id, :recommended_category
+    params.expect(
+      document: [
+        :event_id, :file, :date, :type, :title, :is_public,
+        :language_id,
+        :sort_index, :discussion_id, :discussion_sort_index,
+        :primary_language_document_id,
+        :designation_id,
+        citations_attributes: [
+          [
+            :id, :_destroy, :document_id,
+            :stringy_taxon_concept_ids,
+            geo_entity_ids: []
+          ]
+        ],
+        proposal_details_attributes: [
+          [
+            :id, :_destroy, :document_id,
+            :proposal_nature, :proposal_outcome_id,
+            :representation, :proposal_number
+          ]
+        ],
+        review_details_attributes: [
+          [
+            :id, :_destroy, :document_id,
+            :review_phase_id, :process_stage_id, :recommended_category
+          ]
+        ]
       ]
     )
   end
diff --git a/app/controllers/admin/ec_srgs_controller.rb b/app/controllers/admin/ec_srgs_controller.rb
index c37d005f4..e2490110f 100644
--- a/app/controllers/admin/ec_srgs_controller.rb
+++ b/app/controllers/admin/ec_srgs_controller.rb
@@ -19,11 +19,14 @@ def collection
 private
 
   def ec_srg_params
-    params.require(:ec_srg).permit(
-      # attributes were in model `attr_accessible`.
-      :is_current, :name, :designation_id, :description, :extended_description,
-      :url, :private_url, :multilingual_url, :published_at, :effective_at, :is_current, :end_date,
-      :created_by_id, :updated_by_id
+    params.expect(
+      ec_srg: [
+        :is_current, :name, :designation_id,
+        :description, :extended_description,
+        :url, :private_url, :multilingual_url,
+        :published_at, :effective_at, :is_current, :end_date,
+        :created_by_id, :updated_by_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/eu_council_regulations_controller.rb b/app/controllers/admin/eu_council_regulations_controller.rb
index d20f5e25c..3500210a1 100644
--- a/app/controllers/admin/eu_council_regulations_controller.rb
+++ b/app/controllers/admin/eu_council_regulations_controller.rb
@@ -22,11 +22,13 @@ def list_template
 private
 
   def eu_council_regulation_params
-    params.require(:eu_council_regulation).permit(
-      # attributes were in model `attr_accessible`.
-      :name, :designation_id, :description, :extended_description,
-      :url, :private_url, :multilingual_url, :published_at, :effective_at, :is_current, :end_date,
-      :created_by_id, :updated_by_id
+    params.expect(
+      eu_council_regulation: [
+        :name, :designation_id, :description, :extended_description,
+        :url, :private_url, :multilingual_url,
+        :published_at, :effective_at, :is_current, :end_date,
+        :created_by_id, :updated_by_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/eu_decision_types_controller.rb b/app/controllers/admin/eu_decision_types_controller.rb
index 7d9d60754..564801aca 100644
--- a/app/controllers/admin/eu_decision_types_controller.rb
+++ b/app/controllers/admin/eu_decision_types_controller.rb
@@ -22,9 +22,10 @@ def collection
 private
 
   def eu_decision_type_params
-    params.require(:eu_decision_type).permit(
-      # attributes were in model `attr_accessible`.
-      :name, :tooltip, :decision_type
+    params.expect(
+      eu_decision_type: [
+        :name, :tooltip, :decision_type
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/eu_hash_annotations_controller.rb b/app/controllers/admin/eu_hash_annotations_controller.rb
index bd763c8dd..f9a06e797 100644
--- a/app/controllers/admin/eu_hash_annotations_controller.rb
+++ b/app/controllers/admin/eu_hash_annotations_controller.rb
@@ -12,11 +12,12 @@ def load_associations
 private
 
   def eu_hash_annotation_params
-    params.require(:annotation).permit(
-      # attributes were in model `attr_accessible`.
-      :listing_change_id, :symbol, :parent_symbol, :short_note_en,
-      :full_note_en, :short_note_fr, :full_note_fr, :short_note_es, :full_note_es,
-      :display_in_index, :display_in_footnote, :event_id
+    params.expect(
+      annotation: [
+        :listing_change_id, :symbol, :parent_symbol, :short_note_en,
+        :full_note_en, :short_note_fr, :full_note_fr, :short_note_es, :full_note_es,
+        :display_in_index, :display_in_footnote, :event_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/eu_implementing_regulations_controller.rb b/app/controllers/admin/eu_implementing_regulations_controller.rb
index 0adad6b9f..cd458e24e 100644
--- a/app/controllers/admin/eu_implementing_regulations_controller.rb
+++ b/app/controllers/admin/eu_implementing_regulations_controller.rb
@@ -22,11 +22,13 @@ def list_template
 private
 
   def eu_implementing_regulation_params
-    params.require(:eu_implementing_regulation).permit(
-      # attributes were in model `attr_accessible`.
-      :name, :designation_id, :description, :extended_description,
-      :url, :private_url, :multilingual_url, :published_at, :effective_at, :is_current, :end_date,
-      :created_by_id, :updated_by_id
+    params.expect(
+      eu_implementing_regulation: [
+        :name, :designation_id, :description, :extended_description,
+        :url, :private_url, :multilingual_url, :published_at,
+        :effective_at, :is_current, :end_date,
+        :created_by_id, :updated_by_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/eu_opinions_controller.rb b/app/controllers/admin/eu_opinions_controller.rb
index 589283fc6..380112ab1 100644
--- a/app/controllers/admin/eu_opinions_controller.rb
+++ b/app/controllers/admin/eu_opinions_controller.rb
@@ -73,13 +73,14 @@ def collection
 private
 
   def eu_opinion_params
-    params.require(:eu_opinion).permit(
-      # attributes were in model `attr_accessible`.
-      :document_id, :end_date, :end_event_id, :geo_entity_id, :internal_notes,
-      :is_current, :notes, :start_date, :start_event_id, :eu_decision_type_id,
-      :taxon_concept_id, :type, :conditions_apply, :term_id, :source_id,
-      :nomenclature_note_en, :nomenclature_note_es, :nomenclature_note_fr,
-      :created_by_id, :updated_by_id, :srg_history_id
+    params.expect(
+      eu_opinion: [
+        :document_id, :end_date, :end_event_id, :geo_entity_id, :internal_notes,
+        :is_current, :notes, :start_date, :start_event_id, :eu_decision_type_id,
+        :taxon_concept_id, :type, :conditions_apply, :term_id, :source_id,
+        :nomenclature_note_en, :nomenclature_note_es, :nomenclature_note_fr,
+        :created_by_id, :updated_by_id, :srg_history_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/eu_regulations_controller.rb b/app/controllers/admin/eu_regulations_controller.rb
index fc59951dc..8d9869d85 100644
--- a/app/controllers/admin/eu_regulations_controller.rb
+++ b/app/controllers/admin/eu_regulations_controller.rb
@@ -35,11 +35,14 @@ def load_associations
 private
 
   def eu_regulation_params
-    params.require(:eu_regulation).permit(
-      # attributes were in model `attr_accessible`.
-      :listing_changes_event_id, :name, :designation_id, :description, :extended_description,
-      :url, :private_url, :multilingual_url, :published_at, :effective_at, :is_current, :end_date,
-      :created_by_id, :updated_by_id
+    params.expect(
+      eu_regulation: [
+        :listing_changes_event_id, :name, :designation_id,
+        :description, :extended_description,
+        :url, :private_url, :multilingual_url, :published_at,
+        :effective_at, :is_current, :end_date,
+        :created_by_id, :updated_by_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/eu_suspension_regulations_controller.rb b/app/controllers/admin/eu_suspension_regulations_controller.rb
index 329687a3d..5f9cc3a78 100644
--- a/app/controllers/admin/eu_suspension_regulations_controller.rb
+++ b/app/controllers/admin/eu_suspension_regulations_controller.rb
@@ -42,11 +42,14 @@ def load_associations
 private
 
   def eu_suspension_regulation_params
-    params.require(:eu_suspension_regulation).permit(
-      # attributes were in model `attr_accessible`.
-      :eu_suspensions_event_id, :name, :designation_id, :description, :extended_description,
-      :url, :private_url, :multilingual_url, :published_at, :effective_at, :is_current, :end_date,
-      :created_by_id, :updated_by_id
+    params.expect(
+      eu_suspension_regulation: [
+        :eu_suspensions_event_id, :name, :designation_id,
+        :description, :extended_description,
+        :url, :private_url, :multilingual_url,
+        :published_at, :effective_at, :is_current, :end_date,
+        :created_by_id, :updated_by_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/events_controller.rb b/app/controllers/admin/events_controller.rb
index c71853f82..6d6ddd5f4 100644
--- a/app/controllers/admin/events_controller.rb
+++ b/app/controllers/admin/events_controller.rb
@@ -54,11 +54,13 @@ def load_associations
 private
 
   def event_params
-    params.require(:event).permit(
-      # attributes were in model `attr_accessible`.
-      :name, :designation_id, :description, :extended_description,
-      :url, :private_url, :multilingual_url, :published_at, :effective_at, :is_current, :end_date,
-      :created_by_id, :updated_by_id
+    params.expect(
+      event: [
+        :name, :designation_id, :description, :extended_description,
+        :url, :private_url, :multilingual_url,
+        :published_at, :effective_at, :is_current, :end_date,
+        :created_by_id, :updated_by_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/geo_entities_controller.rb b/app/controllers/admin/geo_entities_controller.rb
index 8bbe75d7e..2abced7e8 100644
--- a/app/controllers/admin/geo_entities_controller.rb
+++ b/app/controllers/admin/geo_entities_controller.rb
@@ -37,11 +37,12 @@ def collection
 private
 
   def geo_entity_params
-    params.require(:geo_entity).permit(
-      # attributes were in model `attr_accessible`.
-      :geo_entity_type_id, :iso_code2, :iso_code3,
-      :legacy_id, :legacy_type, :long_name, :name_en, :name_es, :name_fr,
-      :is_current
+    params.expect(
+      geo_entity: [
+        :geo_entity_type_id, :iso_code2, :iso_code3,
+        :legacy_id, :legacy_type, :long_name, :name_en, :name_es, :name_fr,
+        :is_current
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/geo_relationships_controller.rb b/app/controllers/admin/geo_relationships_controller.rb
index 8b7b50954..9383a3559 100644
--- a/app/controllers/admin/geo_relationships_controller.rb
+++ b/app/controllers/admin/geo_relationships_controller.rb
@@ -47,9 +47,10 @@ def collection
 private
 
   def geo_relationship_params
-    params.require(:geo_relationship).permit(
-      # attributes were in model `attr_accessible`.
-      :geo_entity_id, :geo_relationship_type_id, :other_geo_entity_id
+    params.expect(
+      geo_relationship: [
+        :geo_entity_id, :geo_relationship_type_id, :other_geo_entity_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/hybrid_relationships_controller.rb b/app/controllers/admin/hybrid_relationships_controller.rb
index 6dfec3073..ed8f75697 100644
--- a/app/controllers/admin/hybrid_relationships_controller.rb
+++ b/app/controllers/admin/hybrid_relationships_controller.rb
@@ -66,10 +66,11 @@ def load_hybrid_relationship_type
 private
 
   def hybrid_relationship_params
-    params.require(:taxon_relationship).permit(
-      # attributes were in model `attr_accessible`.
-      :taxon_concept_id, :other_taxon_concept_id, :taxon_relationship_type_id,
-      :created_by_id, :updated_by_id
+    params.expect(
+      taxon_relationship: [
+        :taxon_concept_id, :other_taxon_concept_id, :taxon_relationship_type_id,
+        :created_by_id, :updated_by_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/instruments_controller.rb b/app/controllers/admin/instruments_controller.rb
index cb19f5fc8..3eb36c278 100644
--- a/app/controllers/admin/instruments_controller.rb
+++ b/app/controllers/admin/instruments_controller.rb
@@ -30,9 +30,6 @@ def load_associations
 private
 
   def instrument_params
-    params.require(:instrument).permit(
-      # attributes were in model `attr_accessible`.
-      :designation_id, :name
-    )
+    params.expect(instrument: [ :designation_id, :name ])
   end
 end
diff --git a/app/controllers/admin/languages_controller.rb b/app/controllers/admin/languages_controller.rb
index f7a26fe4f..0308e857a 100644
--- a/app/controllers/admin/languages_controller.rb
+++ b/app/controllers/admin/languages_controller.rb
@@ -14,9 +14,8 @@ def collection
 private
 
   def language_params
-    params.require(:language).permit(
-      # attributes were in model `attr_accessible`.
-      :iso_code1, :iso_code3, :name_en, :name_fr, :name_es
+    params.expect(
+      language: [ :iso_code1, :iso_code3, :name_en, :name_fr, :name_es ]
     )
   end
 end
diff --git a/app/controllers/admin/nomenclature_changes/build_controller.rb b/app/controllers/admin/nomenclature_changes/build_controller.rb
index 95941c87a..7cfb85ec4 100644
--- a/app/controllers/admin/nomenclature_changes/build_controller.rb
+++ b/app/controllers/admin/nomenclature_changes/build_controller.rb
@@ -12,6 +12,7 @@ def finish_wizard_path
   def show
     raise NoMethodError
   end
+
   def create
     @nomenclature_change = klass.new()
     @nomenclature_change.status = NomenclatureChange::NEW
@@ -31,6 +32,64 @@ def destroy
     raise NoMethodError
   end
 
+protected
+  def common_nomenclature_change_attribute_names
+    input_attribute_names = [
+      :id, :_destroy,
+      :nomenclature_change_id, :taxon_concept_id,
+      :note_en, :note_es, :note_fr, :internal_note
+    ]
+
+    output_attribute_names = [
+      :id, :_destroy,
+      :nomenclature_change_id, :taxon_concept_id,
+      :new_taxon_concept_id, :rank_id, :new_scientific_name, :new_author_year,
+      :new_name_status, :new_parent_id, :new_rank_id, :taxonomy_id,
+      :note_en, :note_es, :note_fr, :internal_note, :is_primary_output,
+      :output_type, :created_by_id, :updated_by_id,
+      tag_list: []
+    ]
+
+    reassignment_attribute_names = [
+      :id, :_destroy,
+      :type, :reassignable_id, :reassignable_type,
+      :nomenclature_change_input_id, :nomenclature_change_output_id,
+      :note_en, :note_es, :note_fr, :internal_note
+    ]
+
+    reassignment_target_attribute_names = [
+      :id, :_destroy,
+      :nomenclature_change_output_id,
+      :nomenclature_change_reassignment_id,
+      :note
+    ]
+
+    parent_reassignments_attribute_names = [
+      *reassignment_attribute_names,
+      reassignment_target_attributes: [ reassignment_target_attribute_names ]
+    ]
+
+    output_parent_reassignment_attribute_names = [
+      *parent_reassignments_attribute_names,
+      output_ids: []
+    ]
+
+    output_reassignment_attribute_names = [
+      *reassignment_attribute_names,
+      output_ids: []
+    ]
+
+    {
+      input_attribute_names:,
+      output_attribute_names:,
+      output_parent_reassignment_attribute_names:,
+      output_reassignment_attribute_names:,
+      parent_reassignments_attribute_names:,
+      reassignment_attribute_names:,
+      reassignment_target_attribute_names:
+    }
+  end
+
 private
 
   def set_nomenclature_change
@@ -64,8 +123,6 @@ def authorise_finish
     end
   end
 
-private
-
   def klass
     NomenclatureChange
   end
diff --git a/app/controllers/admin/nomenclature_changes/lump_controller.rb b/app/controllers/admin/nomenclature_changes/lump_controller.rb
index 5a88fef91..5a0d52935 100644
--- a/app/controllers/admin/nomenclature_changes/lump_controller.rb
+++ b/app/controllers/admin/nomenclature_changes/lump_controller.rb
@@ -30,13 +30,20 @@ def show
 
   def update
     @nomenclature_change.assign_attributes(
-      (nomenclature_change_lump_params || {}).merge(
+      begin
+        nomenclature_change_lump_params
+      rescue ActionController::ParameterMissing
+        # TODO: explain why we allow this to fail silently
+        {}
+      end.merge(
         {
           status: (step == steps.last ? NomenclatureChange::SUBMITTED : step.to_s)
         }
       )
     )
+
     success = @nomenclature_change.valid?
+
     case step
     when :inputs, :outputs
       unless success
@@ -50,6 +57,7 @@ def update
         set_ranks
       end
     end
+
     render_wizard @nomenclature_change
   end
 
@@ -60,63 +68,32 @@ def klass
   end
 
   def nomenclature_change_lump_params
-    params.require(:nomenclature_change_lump).permit(
-      :event_id, :status,
-      inputs_attributes: [
-        :id, :_destroy,
-        :nomenclature_change_id, :taxon_concept_id,
-        :note_en, :note_es, :note_fr, :internal_note,
-        parent_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          reassignment_target_attributes: [
-            :id, :_destroy,
-            :nomenclature_change_output_id,
-            :nomenclature_change_reassignment_id, :note
-          ],
-          output_ids: []
-        ],
-        name_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          output_ids: []
-        ],
-        distribution_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          output_ids: []
+    (
+      input_attribute_names,
+      output_attribute_names,
+      output_parent_reassignment_attribute_names,
+      output_reassignment_attribute_names,
+    ) = common_nomenclature_change_attribute_names.values_at(
+      :input_attribute_names,
+      :output_attribute_names,
+      :output_parent_reassignment_attribute_names,
+      :output_reassignment_attribute_names,
+    )
+
+    params.expect(
+      nomenclature_change_lump: [
+        :event_id, :status,
+        inputs_attributes: [
+          [
+            *input_attribute_names,
+            parent_reassignments_attributes: [ output_parent_reassignment_attribute_names ],
+            name_reassignments_attributes: [ output_reassignment_attribute_names ],
+            distribution_reassignments_attributes: [ output_reassignment_attribute_names ],
+            legislation_reassignments_attributes: [ output_reassignment_attribute_names ]
+          ]
         ],
-        legislation_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          output_ids: []
-        ]
-      ],
-      output_attributes: [
-        :id, :_destroy,
-        :nomenclature_change_id, :taxon_concept_id,
-        :new_taxon_concept_id, :rank_id, :new_scientific_name, :new_author_year,
-        :new_name_status, :new_parent_id, :new_rank_id, :taxonomy_id,
-        :note_en, :note_es, :note_fr, :internal_note, :is_primary_output,
-        :output_type, :created_by_id, :updated_by_id,
-        tag_list: []
-        # app/models/nomenclature_change/output.rb does not have `accepts_nested_attributes_for`, so
-        # xxx_attributes suppose not in-use.
-        # :parent_reassignments_attributes,
-        # :name_reassignments_attributes,
-        # :distribution_reassignments_attributes,
-        # :legislation_reassignments_attributes,
+        output_attributes: output_attribute_names
       ]
     )
-  rescue ActionController::ParameterMissing
-    nil
   end
 end
diff --git a/app/controllers/admin/nomenclature_changes/split_controller.rb b/app/controllers/admin/nomenclature_changes/split_controller.rb
index d16f82b3c..f29e89d39 100644
--- a/app/controllers/admin/nomenclature_changes/split_controller.rb
+++ b/app/controllers/admin/nomenclature_changes/split_controller.rb
@@ -38,12 +38,18 @@ def show
 
   def update
     @nomenclature_change.assign_attributes(
-      (nomenclature_change_split_params || {}).merge(
+      begin
+        nomenclature_change_split_params
+      rescue ActionController::ParameterMissing
+        # TODO: explain why we allow this to fail silently
+        {}
+      end.merge(
         {
           status: (step == steps.last ? NomenclatureChange::SUBMITTED : step.to_s)
         }
       )
     )
+
     success = @nomenclature_change.valid?
 
     case step
@@ -65,67 +71,32 @@ def klass
   end
 
   def nomenclature_change_split_params
-    params.require(:nomenclature_change_split).permit(
-      :event_id, :status,
-      input_attributes: [
-        :id, :_destroy,
-        :nomenclature_change_id, :taxon_concept_id,
-        :note_en, :note_es, :note_fr, :internal_note,
-        parent_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          :output_ids,
-          output_ids: [],
-          reassignment_target_attributes: [
-            :id, :_destroy,
-            :nomenclature_change_output_id,
-            :nomenclature_change_reassignment_id, :note
+    (
+      input_attribute_names,
+      output_attribute_names,
+      output_parent_reassignment_attribute_names,
+      output_reassignment_attribute_names,
+    ) = common_nomenclature_change_attribute_names.values_at(
+      :input_attribute_names,
+      :output_attribute_names,
+      :output_parent_reassignment_attribute_names,
+      :output_reassignment_attribute_names,
+    )
+
+    params.expect(
+      nomenclature_change_split: [
+        :event_id, :status,
+        inputs_attributes: [
+          [
+            *input_attribute_names,
+            parent_reassignments_attributes: [ output_parent_reassignment_attribute_names ],
+            name_reassignments_attributes: [ output_reassignment_attribute_names ],
+            distribution_reassignments_attributes: [ output_reassignment_attribute_names ],
+            legislation_reassignments_attributes: [ output_reassignment_attribute_names ]
           ]
         ],
-        name_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          :output_ids,
-          output_ids: []
-        ],
-        distribution_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          :output_ids,
-          output_ids: []
-        ],
-        legislation_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          :output_ids,
-          output_ids: []
-        ]
-      ],
-      outputs_attributes: [
-        :id, :_destroy,
-        :nomenclature_change_id, :taxon_concept_id,
-        :new_taxon_concept_id, :rank_id, :new_scientific_name, :new_author_year,
-        :new_name_status, :new_parent_id, :new_rank_id, :taxonomy_id,
-        :note_en, :note_es, :note_fr, :internal_note, :is_primary_output,
-        :output_type, :created_by_id, :updated_by_id,
-        tag_list: []
-        # app/models/nomenclature_change/output.rb does not have `accepts_nested_attributes_for`, so
-        # xxx_attributes suppose not in-use.
-        # :parent_reassignments_attributes,
-        # :name_reassignments_attributes,
-        # :distribution_reassignments_attributes,
-        # :legislation_reassignments_attributes,
+        output_attributes: output_attribute_names
       ]
     )
-  rescue ActionController::ParameterMissing
-    nil
   end
 end
diff --git a/app/controllers/admin/nomenclature_changes/status_swap_controller.rb b/app/controllers/admin/nomenclature_changes/status_swap_controller.rb
index 59c104112..ed0fd0832 100644
--- a/app/controllers/admin/nomenclature_changes/status_swap_controller.rb
+++ b/app/controllers/admin/nomenclature_changes/status_swap_controller.rb
@@ -26,14 +26,22 @@ def show
 
   def update
     @nomenclature_change.assign_attributes(
-      (nomenclature_change_status_swap_params || {}).merge(
+      begin
+        nomenclature_change_status_swap_params
+      rescue ActionController::ParameterMissing
+        # TODO: explain why we allow this to fail silently
+        {}
+      end.merge(
         {
           status: (step == steps.last ? NomenclatureChange::SUBMITTED : step.to_s)
         }
       )
     )
+
     success = @nomenclature_change.valid?
+
     case step
+
     when :primary_output
       unless success
         set_events
@@ -45,6 +53,7 @@ def update
         set_ranks
       end
     end
+
     render_wizard @nomenclature_change
   end
 
@@ -55,78 +64,31 @@ def klass
   end
 
   def nomenclature_change_status_swap_params
-    params.require(:nomenclature_change_status_swap).permit(
-      :event_id, :status,
-      primary_output_attributes: [
-        :id, :_destroy,
-        :nomenclature_change_id, :taxon_concept_id,
-        :new_taxon_concept_id, :rank_id, :new_scientific_name, :new_author_year,
-        :new_name_status, :new_parent_id, :new_rank_id, :taxonomy_id,
-        :note_en, :note_es, :note_fr, :internal_note, :is_primary_output,
-        :output_type, :created_by_id, :updated_by_id,
-        tag_list: []
-        # app/models/nomenclature_change/output.rb does not have `accepts_nested_attributes_for`, so
-        # xxx_attributes suppose not in-use.
-        # :parent_reassignments_attributes,
-        # :name_reassignments_attributes,
-        # :distribution_reassignments_attributes,
-        # :legislation_reassignments_attributes,
-      ],
-      secondary_output_attributes: [
-        :id, :_destroy,
-        :nomenclature_change_id, :taxon_concept_id,
-        :new_taxon_concept_id, :rank_id, :new_scientific_name, :new_author_year,
-        :new_name_status, :new_parent_id, :new_rank_id, :taxonomy_id,
-        :note_en, :note_es, :note_fr, :internal_note, :is_primary_output,
-        :output_type, :created_by_id, :updated_by_id,
-        tag_list: []
-        # app/models/nomenclature_change/output.rb does not have `accepts_nested_attributes_for`, so
-        # xxx_attributes suppose not in-use.
-        # :parent_reassignments_attributes,
-        # :name_reassignments_attributes,
-        # :distribution_reassignments_attributes,
-        # :legislation_reassignments_attributes,
-      ],
-      input_attributes: [
-        :id, :_destroy,
-        :nomenclature_change_id, :taxon_concept_id,
-        :note_en, :note_es, :note_fr, :internal_note,
-        parent_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          output_ids: [],
-          reassignment_target_attributes: [
-            :id, :_destroy,
-            :nomenclature_change_output_id,
-            :nomenclature_change_reassignment_id, :note
-          ]
-        ],
-        name_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          output_ids: []
-        ],
-        distribution_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          output_ids: []
+    (
+      input_attribute_names,
+      output_attribute_names,
+      output_reassignment_attribute_names,
+      parent_reassignments_attribute_names,
+    ) = common_nomenclature_change_attribute_names.values_at(
+      :input_attribute_names,
+      :output_attribute_names,
+      :output_reassignment_attribute_names,
+      :parent_reassignments_attribute_names,
+    )
+
+    params.expect(
+      nomenclature_change_status_swap: [
+        :event_id, :status,
+        primary_output_attributes: [ output_attribute_names ],
+        secondary_output_attributes: [ output_attribute_names ],
+        input_attributes: [
+          *input_attribute_names,
+          parent_reassignments_attributes: [ parent_reassignments_attribute_names ]
         ],
-        legislation_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          output_ids: []
-        ]
+        name_reassignments_attributes: [ output_reassignment_attribute_names ],
+        distribution_reassignments_attributes: [ output_reassignment_attribute_names ],
+        legislation_reassignments_attributes: [ output_reassignment_attribute_names ]
       ]
     )
-  rescue ActionController::ParameterMissing
-    nil
   end
 end
diff --git a/app/controllers/admin/nomenclature_changes/status_to_accepted_controller.rb b/app/controllers/admin/nomenclature_changes/status_to_accepted_controller.rb
index 212a9ee32..e7f3d535c 100644
--- a/app/controllers/admin/nomenclature_changes/status_to_accepted_controller.rb
+++ b/app/controllers/admin/nomenclature_changes/status_to_accepted_controller.rb
@@ -1,5 +1,5 @@
 class Admin::NomenclatureChanges::StatusToAcceptedController < Admin::NomenclatureChanges::BuildController
-  steps *NomenclatureChange::StatusToAccepted::STEPS
+  steps(*NomenclatureChange::StatusToAccepted::STEPS)
 
   def show
     builder = klass::Constructor.new(@nomenclature_change)
@@ -18,13 +18,20 @@ def show
 
   def update
     @nomenclature_change.assign_attributes(
-      (nomenclature_change_status_to_accepted_params || {}).merge(
+      begin
+        nomenclature_change_status_to_accepted_params
+      rescue ActionController::ParameterMissing
+        # TODO: explain why we allow this to fail silently
+        {}
+      end.merge(
         {
           status: (step == steps.last ? NomenclatureChange::SUBMITTED : step.to_s)
         }
       )
     )
+
     success = @nomenclature_change.valid?
+
     case step
     when :primary_output
       unless success
@@ -33,6 +40,7 @@ def update
         set_ranks
       end
     end
+
     render_wizard @nomenclature_change
   end
 
@@ -43,78 +51,31 @@ def klass
   end
 
   def nomenclature_change_status_to_accepted_params
-    params.require(:nomenclature_change_status_to_accepted).permit(
-      :created_by_id, :updated_by_id, :event_id, :status,
-      primary_output_attributes: [
-        :id, :_destroy,
-        :nomenclature_change_id, :taxon_concept_id,
-        :new_taxon_concept_id, :rank_id, :new_scientific_name, :new_author_year,
-        :new_name_status, :new_parent_id, :new_rank_id, :taxonomy_id,
-        :note_en, :note_es, :note_fr, :internal_note, :is_primary_output,
-        :output_type, :created_by_id, :updated_by_id,
-        tag_list: []
-        # app/models/nomenclature_change/output.rb does not have `accepts_nested_attributes_for`, so
-        # xxx_attributes suppose not in-use.
-        # :parent_reassignments_attributes,
-        # :name_reassignments_attributes,
-        # :distribution_reassignments_attributes,
-        # :legislation_reassignments_attributes,
-      ],
-      secondary_output_attributes: [
-        :id, :_destroy,
-        :nomenclature_change_id, :taxon_concept_id,
-        :new_taxon_concept_id, :rank_id, :new_scientific_name, :new_author_year,
-        :new_name_status, :new_parent_id, :new_rank_id, :taxonomy_id,
-        :note_en, :note_es, :note_fr, :internal_note, :is_primary_output,
-        :output_type, :created_by_id, :updated_by_id,
-        tag_list: []
-        # app/models/nomenclature_change/output.rb does not have `accepts_nested_attributes_for`, so
-        # xxx_attributes suppose not in-use.
-        # :parent_reassignments_attributes,
-        # :name_reassignments_attributes,
-        # :distribution_reassignments_attributes,
-        # :legislation_reassignments_attributes,
-      ],
-      input_attributes: [
-        :id, :_destroy,
-        :nomenclature_change_id, :taxon_concept_id,
-        :note_en, :note_es, :note_fr, :internal_note,
-        parent_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          output_ids: [],
-          reassignment_target_attributes: [
-            :id, :_destroy,
-            :nomenclature_change_output_id,
-            :nomenclature_change_reassignment_id, :note
-          ]
-        ],
-        name_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          output_ids: []
-        ],
-        distribution_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          output_ids: []
+    (
+      input_attribute_names,
+      output_attribute_names,
+      output_reassignment_attribute_names,
+      parent_reassignments_attribute_names,
+    ) = common_nomenclature_change_attribute_names.values_at(
+      :input_attribute_names,
+      :output_attribute_names,
+      :output_reassignment_attribute_names,
+      :parent_reassignments_attribute_names,
+    )
+
+    params.expect(
+      nomenclature_change_status_to_accepted: [
+        :created_by_id, :updated_by_id, :event_id, :status,
+        primary_output_attributes: output_attribute_names,
+        secondary_output_attributes: output_attribute_names,
+        input_attributes: [
+          *input_attribute_names,
+          parent_reassignments_attributes: [ parent_reassignments_attribute_names ]
         ],
-        legislation_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          output_ids: []
-        ]
+        name_reassignments_attributes: [ output_reassignment_attribute_names ],
+        distribution_reassignments_attributes: [ output_reassignment_attribute_names ],
+        legislation_reassignments_attributes: [ output_reassignment_attribute_names ]
       ]
     )
-  rescue ActionController::ParameterMissing
-    nil
   end
 end
diff --git a/app/controllers/admin/nomenclature_changes/status_to_synonym_controller.rb b/app/controllers/admin/nomenclature_changes/status_to_synonym_controller.rb
index aeee04fea..4ecae38ea 100644
--- a/app/controllers/admin/nomenclature_changes/status_to_synonym_controller.rb
+++ b/app/controllers/admin/nomenclature_changes/status_to_synonym_controller.rb
@@ -1,8 +1,9 @@
 class Admin::NomenclatureChanges::StatusToSynonymController < Admin::NomenclatureChanges::BuildController
-  steps *NomenclatureChange::StatusToSynonym::STEPS
+  steps(*NomenclatureChange::StatusToSynonym::STEPS)
 
   def show
     builder = klass::Constructor.new(@nomenclature_change)
+
     case step
     when :primary_output
       set_events
@@ -23,18 +24,26 @@ def show
       processor = klass::Processor.new(@nomenclature_change)
       @summary = processor.summary
     end
+
     render_wizard
   end
 
   def update
     @nomenclature_change.assign_attributes(
-      (nomenclature_change_status_to_synonym_params || {}).merge(
+      begin
+        nomenclature_change_status_to_synonym_params
+      rescue ActionController::ParameterMissing
+        # TODO: explain why we allow this to fail silently
+        {}
+      end.merge(
         {
           status: (step == steps.last ? NomenclatureChange::SUBMITTED : step.to_s)
         }
       )
     )
+
     success = @nomenclature_change.valid?
+
     case step
     when :primary_output
       unless success
@@ -44,6 +53,7 @@ def update
     when :relay, :accepted_name
       set_taxonomy unless success
     end
+
     render_wizard @nomenclature_change
   end
 
@@ -54,78 +64,31 @@ def klass
   end
 
   def nomenclature_change_status_to_synonym_params
-    params.require(:nomenclature_change_status_to_synonym).permit(
-      :event_id, :status,
-      primary_output_attributes: [
-        :id, :_destroy,
-        :nomenclature_change_id, :taxon_concept_id,
-        :new_taxon_concept_id, :rank_id, :new_scientific_name, :new_author_year,
-        :new_name_status, :new_parent_id, :new_rank_id, :taxonomy_id,
-        :note_en, :note_es, :note_fr, :internal_note, :is_primary_output,
-        :output_type, :created_by_id, :updated_by_id,
-        tag_list: []
-        # app/models/nomenclature_change/output.rb does not have `accepts_nested_attributes_for`, so
-        # xxx_attributes suppose not in-use.
-        # :parent_reassignments_attributes,
-        # :name_reassignments_attributes,
-        # :distribution_reassignments_attributes,
-        # :legislation_reassignments_attributes,
-      ],
-      secondary_output_attributes: [
-        :id, :_destroy,
-        :nomenclature_change_id, :taxon_concept_id,
-        :new_taxon_concept_id, :rank_id, :new_scientific_name, :new_author_year,
-        :new_name_status, :new_parent_id, :new_rank_id, :taxonomy_id,
-        :note_en, :note_es, :note_fr, :internal_note, :is_primary_output,
-        :output_type, :created_by_id, :updated_by_id,
-        tag_list: []
-        # app/models/nomenclature_change/output.rb does not have `accepts_nested_attributes_for`, so
-        # xxx_attributes suppose not in-use.
-        # :parent_reassignments_attributes,
-        # :name_reassignments_attributes,
-        # :distribution_reassignments_attributes,
-        # :legislation_reassignments_attributes,
-      ],
-      input_attributes: [
-        :id, :_destroy,
-        :nomenclature_change_id, :taxon_concept_id,
-        :note_en, :note_es, :note_fr, :internal_note,
-        parent_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          output_ids: [],
-          reassignment_target_attributes: [
-            :id, :_destroy,
-            :nomenclature_change_output_id,
-            :nomenclature_change_reassignment_id, :note
-          ]
-        ],
-        name_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          output_ids: []
-        ],
-        distribution_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          output_ids: []
+    (
+      input_attribute_names,
+      output_attribute_names,
+      output_reassignment_attribute_names,
+      parent_reassignments_attribute_names,
+    ) = common_nomenclature_change_attribute_names.values_at(
+      :input_attribute_names,
+      :output_attribute_names,
+      :output_reassignment_attribute_names,
+      :parent_reassignments_attribute_names,
+    )
+
+    params.expect(
+      nomenclature_change_status_to_synonym: [
+        :event_id, :status,
+        primary_output_attributes: output_attribute_names,
+        secondary_output_attributes: output_attribute_names,
+        input_attributes: [
+          *input_attribute_names,
+          parent_reassignments_attributes: [ parent_reassignments_attribute_names ]
         ],
-        legislation_reassignments_attributes: [
-          :id, :_destroy,
-          :type, :reassignable_id, :reassignable_type,
-          :nomenclature_change_input_id, :nomenclature_change_output_id,
-          :note_en, :note_es, :note_fr, :internal_note,
-          output_ids: []
-        ]
+        name_reassignments_attributes: [ output_reassignment_attribute_names ],
+        distribution_reassignments_attributes: [ output_reassignment_attribute_names ],
+        legislation_reassignments_attributes: [ output_reassignment_attribute_names ]
       ]
     )
-  rescue ActionController::ParameterMissing
-    nil
   end
 end
diff --git a/app/controllers/admin/purposes_controller.rb b/app/controllers/admin/purposes_controller.rb
index 14f9fa392..0ca268dd7 100644
--- a/app/controllers/admin/purposes_controller.rb
+++ b/app/controllers/admin/purposes_controller.rb
@@ -29,9 +29,6 @@ def collection
 private
 
   def purpose_params
-    params.require(:purpose).permit(
-      # attributes were in model `attr_accessible`.
-      :code, :type, :name_en, :name_es, :name_fr
-    )
+    params.expect(purpose: [ :code, :type, :name_en, :name_es, :name_fr ])
   end
 end
diff --git a/app/controllers/admin/ranks_controller.rb b/app/controllers/admin/ranks_controller.rb
index 9099880fc..2e075f472 100644
--- a/app/controllers/admin/ranks_controller.rb
+++ b/app/controllers/admin/ranks_controller.rb
@@ -14,9 +14,11 @@ def collection
 private
 
   def rank_params
-    params.require(:rank).permit(
-      # attributes were in model `attr_accessible`.
-      :name, :display_name_en, :display_name_es, :display_name_fr, :taxonomic_position, :fixed_order
+    params.expect(
+      rank: [
+        :name, :display_name_en, :display_name_es, :display_name_fr,
+        :taxonomic_position, :fixed_order
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/references_controller.rb b/app/controllers/admin/references_controller.rb
index 2e92b6ca2..40f707e23 100644
--- a/app/controllers/admin/references_controller.rb
+++ b/app/controllers/admin/references_controller.rb
@@ -46,9 +46,6 @@ def collection
 private
 
   def reference_params
-    params.require(:reference).permit(
-      # attributes were in model `attr_accessible`.
-      :citation, :created_by_id, :updated_by_id
-    )
+    params.expect(reference: [ :citation, :created_by_id, :updated_by_id ])
   end
 end
diff --git a/app/controllers/admin/sources_controller.rb b/app/controllers/admin/sources_controller.rb
index a46f423b2..e4c2e56f8 100644
--- a/app/controllers/admin/sources_controller.rb
+++ b/app/controllers/admin/sources_controller.rb
@@ -29,9 +29,6 @@ def collection
 private
 
   def source_params
-    params.require(:source).permit(
-      # attributes were in model `attr_accessible`.
-      :code, :type, :name_en, :name_es, :name_fr
-    )
+    params.expect(source: [ :code, :type, :name_en, :name_es, :name_fr ])
   end
 end
diff --git a/app/controllers/admin/species_listings_controller.rb b/app/controllers/admin/species_listings_controller.rb
index 1649206b7..d50e4e48d 100644
--- a/app/controllers/admin/species_listings_controller.rb
+++ b/app/controllers/admin/species_listings_controller.rb
@@ -20,9 +20,6 @@ def load_associations
 private
 
   def species_listing_params
-    params.require(:species_listing).permit(
-      # attributes were in model `attr_accessible`.
-      :designation_id, :name, :abbreviation
-    )
+    params.expect(species_listing: [ :designation_id, :name, :abbreviation ])
   end
 end
diff --git a/app/controllers/admin/srg_histories_controller.rb b/app/controllers/admin/srg_histories_controller.rb
index 93e7ce5f3..344eaa12f 100644
--- a/app/controllers/admin/srg_histories_controller.rb
+++ b/app/controllers/admin/srg_histories_controller.rb
@@ -14,9 +14,6 @@ def collection
 private
 
   def srg_history_params
-    params.require(:srg_history).permit(
-      # attributes were in model `attr_accessible`.
-      :name, :tooltip
-    )
+    params.expect(srg_history: [ :name, :tooltip ])
   end
 end
diff --git a/app/controllers/admin/synonym_relationships_controller.rb b/app/controllers/admin/synonym_relationships_controller.rb
index a067137e9..2e1bfb3c1 100644
--- a/app/controllers/admin/synonym_relationships_controller.rb
+++ b/app/controllers/admin/synonym_relationships_controller.rb
@@ -66,10 +66,11 @@ def load_synonym_relationship_type
 private
 
   def synonym_relationship_params
-    params.require(:taxon_relationship).permit(
-      # attributes were in model `attr_accessible`.
-      :taxon_concept_id, :other_taxon_concept_id, :taxon_relationship_type_id,
-      :created_by_id, :updated_by_id
+    params.expect(
+      taxon_relationship: [
+        :taxon_concept_id, :other_taxon_concept_id, :taxon_relationship_type_id,
+        :created_by_id, :updated_by_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/tags_controller.rb b/app/controllers/admin/tags_controller.rb
index a20589052..d869410d3 100644
--- a/app/controllers/admin/tags_controller.rb
+++ b/app/controllers/admin/tags_controller.rb
@@ -18,9 +18,6 @@ def collection
 private
 
   def tag_params
-    params.require(:tag).permit(
-      # attributes were in model `attr_accessible`.
-      :model, :name
-    )
+    params.expect(tag: [ :model, :name ])
   end
 end
diff --git a/app/controllers/admin/taxon_cites_suspensions_controller.rb b/app/controllers/admin/taxon_cites_suspensions_controller.rb
index 01804f30d..1870fb243 100644
--- a/app/controllers/admin/taxon_cites_suspensions_controller.rb
+++ b/app/controllers/admin/taxon_cites_suspensions_controller.rb
@@ -72,21 +72,22 @@ def collection
 private
 
   def cites_suspension_params
-    params.require(:cites_suspension).permit(
-      # attributes were in model `attr_accessible`.
-      :start_notification_id, :end_notification_id,
-      :applies_to_import, :end_date, :geo_entity_id, :is_current,
-      :notes, :publication_date, :quota, :type,
-      :start_date, :unit_id, :internal_notes,
-      :nomenclature_note_en, :nomenclature_note_es, :nomenclature_note_fr,
-      :created_by_id, :updated_by_id, :url,
-      :taxon_concept_id,
-      cites_suspension_confirmations_attributes: [
-        :cites_suspension_notification_id, :id, :_destroy
-      ],
-      purpose_ids: [],
-      term_ids: [],
-      source_ids: []
+    params.expect(
+      cites_suspension: [
+        :start_notification_id, :end_notification_id,
+        :applies_to_import, :end_date, :geo_entity_id, :is_current,
+        :notes, :publication_date, :quota, :type,
+        :start_date, :unit_id, :internal_notes,
+        :nomenclature_note_en, :nomenclature_note_es, :nomenclature_note_fr,
+        :created_by_id, :updated_by_id, :url,
+        :taxon_concept_id,
+        cites_suspension_confirmations_attributes: [
+          [ :cites_suspension_notification_id, :id, :_destroy ]
+        ],
+        purpose_ids: [],
+        term_ids: [],
+        source_ids: []
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/taxon_commons_controller.rb b/app/controllers/admin/taxon_commons_controller.rb
index 62e7f739d..ab3591040 100644
--- a/app/controllers/admin/taxon_commons_controller.rb
+++ b/app/controllers/admin/taxon_commons_controller.rb
@@ -17,6 +17,7 @@ def edit
       format.js { render 'new' }
     end
   end
+
   def create
     create! do |success, failure|
       success.js do
@@ -65,10 +66,11 @@ def load_associations
 private
 
   def taxon_common_params
-    params.require(:taxon_common).permit(
-      # attributes were in model `attr_accessible`.
-      :common_name_id, :taxon_concept_id, :created_by_id,
-      :updated_by_id, :name, :language_id
+    params.expect(
+      taxon_common: [
+        :common_name_id, :taxon_concept_id, :created_by_id,
+        :updated_by_id, :name, :language_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/taxon_concept_comments_controller.rb b/app/controllers/admin/taxon_concept_comments_controller.rb
index 0c30925a0..2af3b9f96 100644
--- a/app/controllers/admin/taxon_concept_comments_controller.rb
+++ b/app/controllers/admin/taxon_concept_comments_controller.rb
@@ -31,10 +31,11 @@ def update
 private
 
   def comment_params
-    params.require(:comment).permit(
-      # attributes were in model `attr_accessible`.
-      :comment_type, :commentable_id, :commentable_type, :note,
-      :created_by_id, :updated_by_id
+    params.expect(
+      comment: [
+        :comment_type, :commentable_id, :commentable_type, :note,
+        :created_by_id, :updated_by_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/taxon_concept_references_controller.rb b/app/controllers/admin/taxon_concept_references_controller.rb
index 6540e6f42..1a98de50b 100644
--- a/app/controllers/admin/taxon_concept_references_controller.rb
+++ b/app/controllers/admin/taxon_concept_references_controller.rb
@@ -74,12 +74,16 @@ def destroy
 private
 
   def taxon_concept_reference_params
-    params.require(:taxon_concept_reference).permit(
-      # attributes were in model `attr_accessible`.
-      :reference_id, :taxon_concept_id, :is_standard, :is_cascaded,
-      :created_by_id, :updated_by_id,
-      :excluded_taxon_concepts_ids, # String
-      reference_attributes: [ :citation, :created_by_id, :updated_by_id, :id, :_destroy ]
+    params.expect(
+      taxon_concept_reference: [
+        :reference_id, :taxon_concept_id, :is_standard, :is_cascaded,
+        :created_by_id, :updated_by_id,
+        :excluded_taxon_concepts_ids, # String
+        reference_attributes: [
+          # Expect a single object, not an array
+          :citation, :created_by_id, :updated_by_id, :id, :_destroy
+        ]
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/taxon_concept_term_pairs_controller.rb b/app/controllers/admin/taxon_concept_term_pairs_controller.rb
index c15066107..c6a9e451e 100644
--- a/app/controllers/admin/taxon_concept_term_pairs_controller.rb
+++ b/app/controllers/admin/taxon_concept_term_pairs_controller.rb
@@ -25,9 +25,6 @@ def collection
 private
 
   def taxon_concept_term_pair_params
-    params.require(:taxon_concept_term_pair).permit(
-      # attributes were in model `attr_accessible`.
-      :taxon_concept_id, :term_id
-    )
+    params.expect(taxon_concept_term_pair: [ :taxon_concept_id, :term_id ])
   end
 end
diff --git a/app/controllers/admin/taxon_concepts_controller.rb b/app/controllers/admin/taxon_concepts_controller.rb
index 423f6d856..3f6884fe6 100644
--- a/app/controllers/admin/taxon_concepts_controller.rb
+++ b/app/controllers/admin/taxon_concepts_controller.rb
@@ -154,18 +154,19 @@ def render_new_by_name_status
 private
 
   def taxon_concept_params
-    params.require(:taxon_concept).permit(
-      # attributes were in model `attr_accessible`.
-      :parent_id, :taxonomy_id, :rank_id,
-      :parent_id, :author_year, :taxon_name_id, :taxonomic_position,
-      :legacy_id, :legacy_type, :scientific_name, :name_status,
-      :legacy_trade_code,
-      :nomenclature_note_en, :nomenclature_note_es, :nomenclature_note_fr,
-      :created_by_id, :updated_by_id, :dependents_updated_at, :kew_id,
-      hybrid_parents_ids: [], # Coerced to int array by split_stringified_ids_lists
-      accepted_names_ids: [], # Coerced to int array by split_stringified_ids_lists
-      accepted_names_for_trade_name_ids: [], # Coerced to int array by split_stringified_ids_lists
-      tag_list: []
+    params.expect(
+      taxon_concept: [
+        :parent_id, :taxonomy_id, :rank_id,
+        :parent_id, :author_year, :taxon_name_id, :taxonomic_position,
+        :legacy_id, :legacy_type, :scientific_name, :name_status,
+        :legacy_trade_code,
+        :nomenclature_note_en, :nomenclature_note_es, :nomenclature_note_fr,
+        :created_by_id, :updated_by_id, :dependents_updated_at, :kew_id,
+        hybrid_parents_ids: [], # Coerced to int array by split_stringified_ids_lists
+        accepted_names_ids: [], # Coerced to int array by split_stringified_ids_lists
+        accepted_names_for_trade_name_ids: [], # Coerced to int array by split_stringified_ids_lists
+        tag_list: []
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/taxon_eu_suspensions_controller.rb b/app/controllers/admin/taxon_eu_suspensions_controller.rb
index be81bacb1..e75dd7f85 100644
--- a/app/controllers/admin/taxon_eu_suspensions_controller.rb
+++ b/app/controllers/admin/taxon_eu_suspensions_controller.rb
@@ -92,13 +92,14 @@ def collection
 private
 
   def eu_suspension_params
-    params.require(:eu_suspension).permit(
-      # attributes were in model `attr_accessible`.
-      :end_date, :end_event_id, :geo_entity_id, :internal_notes,
-      :is_current, :notes, :start_date, :start_event_id, :eu_decision_type_id,
-      :taxon_concept_id, :type, :conditions_apply, :term_id, :source_id,
-      :nomenclature_note_en, :nomenclature_note_es, :nomenclature_note_fr,
-      :created_by_id, :updated_by_id, :srg_history_id
+    params.expect(
+      eu_suspension: [
+        :end_date, :end_event_id, :geo_entity_id, :internal_notes,
+        :is_current, :notes, :start_date, :start_event_id, :eu_decision_type_id,
+        :taxon_concept_id, :type, :conditions_apply, :term_id, :source_id,
+        :nomenclature_note_en, :nomenclature_note_es, :nomenclature_note_fr,
+        :created_by_id, :updated_by_id, :srg_history_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/taxon_instruments_controller.rb b/app/controllers/admin/taxon_instruments_controller.rb
index 5a57d0b3d..5b307af53 100644
--- a/app/controllers/admin/taxon_instruments_controller.rb
+++ b/app/controllers/admin/taxon_instruments_controller.rb
@@ -67,9 +67,10 @@ def load_taxon_instruments
 private
 
   def taxon_instrument_params
-    params.require(:taxon_instrument).permit(
-      # attributes were in model `attr_accessible`.
-      :effective_from, :instrument_id, :taxon_concept_id
+    params.expect(
+      taxon_instrument: [
+        :effective_from, :instrument_id, :taxon_concept_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/taxon_listing_changes_controller.rb b/app/controllers/admin/taxon_listing_changes_controller.rb
index 2d21b9eee..7fcfe020f 100644
--- a/app/controllers/admin/taxon_listing_changes_controller.rb
+++ b/app/controllers/admin/taxon_listing_changes_controller.rb
@@ -136,24 +136,26 @@ def load_listing_changes
 private
 
   def listing_change_params
-    params.require(:listing_change).permit(
-      :taxon_concept_id, :species_listing_id, :change_type_id,
-      :effective_at, :is_current, :parent_id,
-      :inclusion_taxon_concept_id, :hash_annotation_id, :event_id,
-      :internal_notes,
-      :excluded_taxon_concepts_ids, # String
-      :nomenclature_note_en, :nomenclature_note_es, :nomenclature_note_fr,
-      :created_by_id, :updated_by_id,
-      annotation_attributes: [
-        :listing_change_id, :symbol, :parent_symbol, :short_note_en,
-        :full_note_en, :short_note_fr, :full_note_fr, :short_note_es, :full_note_es,
-        :display_in_index, :display_in_footnote, :event_id, :id, :_destroy
-      ],
-      party_listing_distribution_attributes: [
-        :id, :_destroy, :geo_entity_id, :listing_change_id, :is_party
-      ],
-      geo_entity_ids: [],
-      excluded_geo_entities_ids: []
+    params.expect(
+      listing_change: [
+        :taxon_concept_id, :species_listing_id, :change_type_id,
+        :effective_at, :is_current, :parent_id,
+        :inclusion_taxon_concept_id, :hash_annotation_id, :event_id,
+        :internal_notes,
+        :excluded_taxon_concepts_ids, # String
+        :nomenclature_note_en, :nomenclature_note_es, :nomenclature_note_fr,
+        :created_by_id, :updated_by_id,
+        annotation_attributes: [
+          :listing_change_id, :symbol, :parent_symbol, :short_note_en,
+          :full_note_en, :short_note_fr, :full_note_fr, :short_note_es, :full_note_es,
+          :display_in_index, :display_in_footnote, :event_id, :id, :_destroy
+        ],
+        party_listing_distribution_attributes: [
+          :id, :_destroy, :geo_entity_id, :listing_change_id, :is_party
+        ],
+        geo_entity_ids: [ [] ],
+        excluded_geo_entities_ids: [ [] ]
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/taxon_quotas_controller.rb b/app/controllers/admin/taxon_quotas_controller.rb
index 8e0c3d738..2902559f5 100644
--- a/app/controllers/admin/taxon_quotas_controller.rb
+++ b/app/controllers/admin/taxon_quotas_controller.rb
@@ -79,16 +79,18 @@ def collection
 private
 
   def quota_params
-    params.require(:quota).permit(
-      :public_display, :end_date, :geo_entity_id, :is_current,
-      :notes, :publication_date, :quota, :type,
-      :start_date, :unit_id, :internal_notes,
-      :nomenclature_note_en, :nomenclature_note_es, :nomenclature_note_fr,
-      :created_by_id, :updated_by_id, :url,
-      :taxon_concept_id,
-      term_ids: [],
-      source_ids: [],
-      purpose_ids: []
+    params.expect(
+      quota: [
+        :public_display, :end_date, :geo_entity_id, :is_current,
+        :notes, :publication_date, :quota, :type,
+        :start_date, :unit_id, :internal_notes,
+        :nomenclature_note_en, :nomenclature_note_es, :nomenclature_note_fr,
+        :created_by_id, :updated_by_id, :url,
+        :taxon_concept_id,
+        term_ids: [ [] ],
+        source_ids: [ [] ],
+        purpose_ids: [ [] ]
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/taxon_relationships_controller.rb b/app/controllers/admin/taxon_relationships_controller.rb
index a554f72f3..e66211690 100644
--- a/app/controllers/admin/taxon_relationships_controller.rb
+++ b/app/controllers/admin/taxon_relationships_controller.rb
@@ -89,9 +89,11 @@ def collection
 private
 
   def taxon_relationship_params
-    params.require(:taxon_relationship).permit(
-      :taxon_concept_id, :other_taxon_concept_id, :taxon_relationship_type_id,
-      :created_by_id, :updated_by_id
+    params.expect(
+      taxon_relationship: [
+        :taxon_concept_id, :other_taxon_concept_id, :taxon_relationship_type_id,
+        :created_by_id, :updated_by_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/taxonomies_controller.rb b/app/controllers/admin/taxonomies_controller.rb
index beffda5d6..25264f34e 100644
--- a/app/controllers/admin/taxonomies_controller.rb
+++ b/app/controllers/admin/taxonomies_controller.rb
@@ -25,6 +25,6 @@ def collection
 private
 
   def taxonomy_params
-    params.require(:taxonomy).permit(:name)
+    params.expect(taxonomy: [ :name ])
   end
 end
diff --git a/app/controllers/admin/term_trade_codes_pairs_controller.rb b/app/controllers/admin/term_trade_codes_pairs_controller.rb
index 8da60e1c9..9758b327e 100644
--- a/app/controllers/admin/term_trade_codes_pairs_controller.rb
+++ b/app/controllers/admin/term_trade_codes_pairs_controller.rb
@@ -57,8 +57,8 @@ def collection
 private
 
   def term_trade_codes_pair_params
-    params.require(:term_trade_codes_pair).permit(
-      :trade_code_id, :trade_code_type, :term_id
+    params.expect(
+      term_trade_codes_pair: [ :trade_code_id, :trade_code_type, :term_id ]
     )
   end
 end
diff --git a/app/controllers/admin/terms_controller.rb b/app/controllers/admin/terms_controller.rb
index 7fd3883ce..e98ccefff 100644
--- a/app/controllers/admin/terms_controller.rb
+++ b/app/controllers/admin/terms_controller.rb
@@ -29,6 +29,6 @@ def collection
 private
 
   def term_params
-    params.require(:term).permit(:code, :type, :name_en, :name_es, :name_fr)
+    params.expect(term: [ :code, :type, :name_en, :name_es, :name_fr ])
   end
 end
diff --git a/app/controllers/admin/trade_name_relationships_controller.rb b/app/controllers/admin/trade_name_relationships_controller.rb
index 36574eea8..8858cdc7c 100644
--- a/app/controllers/admin/trade_name_relationships_controller.rb
+++ b/app/controllers/admin/trade_name_relationships_controller.rb
@@ -66,9 +66,11 @@ def load_trade_name_relationship_type
 private
 
   def trade_name_relationship_params
-    params.require(:taxon_relationship).permit(
-      :taxon_concept_id, :other_taxon_concept_id, :taxon_relationship_type_id,
-      :created_by_id, :updated_by_id
+    params.expect(
+      taxon_relationship: [
+        :taxon_concept_id, :other_taxon_concept_id, :taxon_relationship_type_id,
+        :created_by_id, :updated_by_id
+      ]
     )
   end
 end
diff --git a/app/controllers/admin/units_controller.rb b/app/controllers/admin/units_controller.rb
index d7ae131a3..677e91c93 100644
--- a/app/controllers/admin/units_controller.rb
+++ b/app/controllers/admin/units_controller.rb
@@ -29,8 +29,6 @@ def collection
 private
 
   def unit_params
-    params.require(:unit).permit(
-      :code, :type, :name_en, :name_es, :name_fr
-    )
+    params.expect(unit: [ :code, :type, :name_en, :name_es, :name_fr ])
   end
 end
diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index cc355af3b..0d310040f 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -59,10 +59,12 @@ def load_associations
 private
 
   def user_params
-    params.require(:user).permit(
-      :email, :name, :password, :password_confirmation,
-      :remember_me, :role, :terms_and_conditions, :is_cites_authority,
-      :organisation, :geo_entity_id, :is_active
+    params.expect(
+      user: [
+        :email, :name, :password, :password_confirmation,
+        :remember_me, :role, :terms_and_conditions, :is_cites_authority,
+        :organisation, :geo_entity_id, :is_active
+      ]
     )
   end
 end
diff --git a/app/controllers/api/v1/eu_decisions_controller.rb b/app/controllers/api/v1/eu_decisions_controller.rb
index 153fb126b..8bebd348a 100644
--- a/app/controllers/api/v1/eu_decisions_controller.rb
+++ b/app/controllers/api/v1/eu_decisions_controller.rb
@@ -4,6 +4,7 @@ class Api::V1::EuDecisionsController < ApplicationController
 
   def index
     @eu_decisions = eu_decision_search(sanitized_params)
+
     render json: @eu_decisions,
       each_serializer: CaptiveBreeding::EuDecisionSerializer
   end
diff --git a/app/controllers/api/v1/shipments_controller.rb b/app/controllers/api/v1/shipments_controller.rb
index f03beab1d..77aadc0d6 100644
--- a/app/controllers/api/v1/shipments_controller.rb
+++ b/app/controllers/api/v1/shipments_controller.rb
@@ -10,7 +10,7 @@ class Api::V1::ShipmentsController < ApplicationController
   def chart_query
     @chart_data =
       Rails.cache.fetch(
-        [ 'chart_data', permit_params ],
+        [ 'chart_data', params_unsafely_permitted ],
         expires_in: 1.week
       ) do
         @grouping_class.new([ 'issue_type', 'year' ]).
@@ -77,29 +77,29 @@ def country_query
 
   # Compliance tool search & full list action
   def search_query
-    query = @grouping_class.new(sanitized_attributes, permit_params)
+    query = @grouping_class.new(sanitized_attributes, params_unsafely_permitted)
     data = query.run
     @search_data =
       Rails.cache.fetch(
-        [ 'search_data', permit_params ],
+        [ 'search_data', params_unsafely_permitted ],
         expires_in: 1.week
       ) do
-        query.build_hash(data, permit_params)
+        query.build_hash(data, params_unsafely_permitted)
       end
 
-    @filtered_data = query.filter(@search_data, permit_params)
+    @filtered_data = query.filter(@search_data, params_unsafely_permitted)
 
     render json: Kaminari.paginate_array(@filtered_data).page(params[:page]).per(params[:per_page]),
-      meta: metadata(@filtered_data, permit_params)
+      meta: metadata(@filtered_data, params_unsafely_permitted)
   end
 
   def over_time_query
     # TODO Remember to implement permitted parameters here
-    query = @grouping_class.new(sanitized_attributes, permit_params)
+    query = @grouping_class.new(sanitized_attributes, params_unsafely_permitted)
 
     @over_time_data =
       Rails.cache.fetch(
-        [ 'over_time_data', permit_params ], expires_in: 1.week
+        [ 'over_time_data', params_unsafely_permitted ], expires_in: 1.week
       ) do
         query.over_time_data
       end
@@ -110,11 +110,11 @@ def over_time_query
   # TODO refactor to merge this method and the over_time one above together
   def aggregated_over_time_query
     # TODO Remember to implement permitted parameters here
-    query = @grouping_class.new(sanitized_attributes, permit_params)
+    query = @grouping_class.new(sanitized_attributes, params_unsafely_permitted)
 
     @aggregated_over_time_data =
       Rails.cache.fetch(
-        [ 'aggregated_over_time_data', permit_params ],
+        [ 'aggregated_over_time_data', params_unsafely_permitted ],
         expires_in: 1.week
       ) do
         query.aggregated_over_time_data
@@ -126,7 +126,7 @@ def aggregated_over_time_query
   def download_data
     @download_data =
       Rails.cache.fetch(
-        [ 'download_data', permit_params ], expires_in: 1.week
+        [ 'download_data', params_unsafely_permitted ], expires_in: 1.week
       ) do
         Trade::DownloadDataRetriever.dashboard_download(download_params).to_a
       end
@@ -136,7 +136,7 @@ def download_data
   def search_download_data
     @download_data =
       Rails.cache.fetch(
-        [ 'search_download_data', permit_params ], expires_in: 1.week
+        [ 'search_download_data', params_unsafely_permitted ], expires_in: 1.week
       ) do
         Trade::DownloadDataRetriever.search_download(download_params).to_a
       end
@@ -145,15 +145,15 @@ def search_download_data
   end
 
   def search_download_all_data
-    query = @grouping_class.new(sanitized_attributes, permit_params)
+    query = @grouping_class.new(sanitized_attributes, params_unsafely_permitted)
     data = query.run
     @search_download_all_data =
       Rails.cache.fetch(
-        [ 'search_download_all_data', permit_params ], expires_in: 1.week
+        [ 'search_download_all_data', params_unsafely_permitted ], expires_in: 1.week
       ) do
-        search_data = query.build_hash(data, permit_params)
-        filtered_data = query.filter(search_data, permit_params)
-        data_ids = query.filter_download_data(filtered_data, permit_params)
+        search_data = query.build_hash(data, params_unsafely_permitted)
+        filtered_data = query.filter(search_data, params_unsafely_permitted)
+        data_ids = query.filter_download_data(filtered_data, params_unsafely_permitted)
         hash_params = params_hash_builder(data_ids, download_params)
 
         Trade::DownloadDataRetriever.search_download(hash_params).to_a
@@ -164,7 +164,7 @@ def search_download_all_data
 
 private
 
-  def permit_params
+  def params_unsafely_permitted
     params.permit!
   end
 
diff --git a/app/controllers/checklist/downloads_controller.rb b/app/controllers/checklist/downloads_controller.rb
index ebcea1317..ab6e5be77 100644
--- a/app/controllers/checklist/downloads_controller.rb
+++ b/app/controllers/checklist/downloads_controller.rb
@@ -103,11 +103,12 @@ def not_found
   end
 
   def download_params
-    params.require(:download).permit(
-      # attributes used in this controller.
-      :doc_type,
-      # other attributes were in model `attr_accessible`.
-      :format
+    params.expect(
+      download: [
+        # attributes used in this controller.
+        :doc_type,
+        :format
+      ]
     )
   end
 
diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb
index 1ffd40f89..5bcf961c1 100644
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -37,12 +37,13 @@ def needs_password?
   end
 
   def user_params
-    params.require(:user).permit(
-      # attributes needed by Devise and/or used in this controller.
-      :name, :email, :password, :password_confirmation, :current_password,
-      # other attributes were in model `attr_accessible`.
-      :remember_me, :role, :terms_and_conditions, :is_cites_authority,
-      :organisation, :geo_entity_id, :is_active
+    params.expect(
+      user: [
+        # attributes needed by Devise and/or used in this controller.
+        :name, :email, :password, :password_confirmation, :current_password,
+        :remember_me, :role, :terms_and_conditions, :is_cites_authority,
+        :organisation, :geo_entity_id, :is_active
+      ]
     )
   end
 end
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 488e67417..7609d2a8d 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -38,6 +38,6 @@ def invalid_login_attempt
 private
 
   def user_params
-    params.require(:user).permit(:email, :password)
+    params.expect(user: [ :email, :password ])
   end
 end
diff --git a/app/controllers/trade/annual_report_uploads_controller.rb b/app/controllers/trade/annual_report_uploads_controller.rb
index 56b93ff5a..4e160ed7f 100644
--- a/app/controllers/trade/annual_report_uploads_controller.rb
+++ b/app/controllers/trade/annual_report_uploads_controller.rb
@@ -55,25 +55,31 @@ def destroy
 private
 
   def annual_report_upload_params
-    params.require(:annual_report_upload).permit(
-      :csv_source_file, :trading_country_id, :point_of_view,
-      sandbox_shipments: [
-        :id,
-        :appendix,
-        :taxon_name,
-        :term_code,
-        :quantity,
-        :unit_code,
-        :trading_partner,
-        :country_of_origin,
-        :import_permit,
-        :export_permit,
-        :origin_permit,
-        :ifs_permit,
-        :purpose_code,
-        :source_code,
-        :year,
-        :_destroyed
+    params.expect(
+      annual_report_upload: [
+        :csv_source_file,
+        :trading_country_id,
+        :point_of_view,
+        sandbox_shipments: [
+          [
+            :id,
+            :appendix,
+            :taxon_name,
+            :term_code,
+            :quantity,
+            :unit_code,
+            :trading_partner,
+            :country_of_origin,
+            :import_permit,
+            :export_permit,
+            :origin_permit,
+            :ifs_permit,
+            :purpose_code,
+            :source_code,
+            :year,
+            :_destroyed
+          ]
+        ]
       ]
     )
   end
diff --git a/app/controllers/trade/sandbox_shipments_controller.rb b/app/controllers/trade/sandbox_shipments_controller.rb
index 739212c4c..856ee2e2f 100644
--- a/app/controllers/trade/sandbox_shipments_controller.rb
+++ b/app/controllers/trade/sandbox_shipments_controller.rb
@@ -46,8 +46,8 @@ def update_batch
   end
 
   def destroy_batch
-    aru = Trade::AnnualReportUpload.find(params[:annual_report_upload_id])
-    ve = Trade::ValidationError.find(params[:validation_error_id])
+    aru = Trade::AnnualReportUpload.find(destroy_batch_params[:annual_report_upload_id])
+    ve = Trade::ValidationError.find(destroy_batch_params[:validation_error_id])
     sandbox_klass = Trade::SandboxTemplate.ar_klass(aru.sandbox.table_name)
     sandbox_klass.destroy_batch(ve, aru)
 
@@ -59,22 +59,25 @@ def destroy_batch
 private
 
   def sandbox_shipment_params
-    params.require(:sandbox_shipment).permit(*sandbox_shipment_attributes)
+    params.expect(sandbox_shipment: sandbox_shipment_attribute_names)
   end
 
   def destroy_batch_params
-    params.permit(:annual_report_upload_id, :validation_error_id)
+    params.permit(
+      :annual_report_upload_id,
+      :validation_error_id
+    )
   end
 
   def update_batch_params
-    params.permit(
+    params.expect(
       :annual_report_upload_id,
       :validation_error_id,
-      updates: sandbox_shipment_attributes
+      updates: sandbox_shipment_attribute_names
     )
   end
 
-  def sandbox_shipment_attributes
+  def sandbox_shipment_attribute_names
     [
       :appendix,
       :taxon_concept_id,
diff --git a/app/controllers/trade/shipments_controller.rb b/app/controllers/trade/shipments_controller.rb
index 9759c68bd..ecfef1832 100644
--- a/app/controllers/trade/shipments_controller.rb
+++ b/app/controllers/trade/shipments_controller.rb
@@ -84,11 +84,7 @@ def shipment_attributes
   end
 
   def shipment_params
-    params.require(:shipment).permit(
-      *(shipment_attributes + [
-        :ignore_warnings
-      ])
-    )
+    params.expect(shipment: shipment_attributes + [ :ignore_warnings ])
   end
 
   def batch_update_params
diff --git a/app/controllers/trade/validation_errors_controller.rb b/app/controllers/trade/validation_errors_controller.rb
index 7c3dee610..ac773ceb2 100644
--- a/app/controllers/trade/validation_errors_controller.rb
+++ b/app/controllers/trade/validation_errors_controller.rb
@@ -19,8 +19,6 @@ def update
 private
 
   def validation_error_params
-    params.require(:validation_error).permit(
-      :is_ignored
-    )
+    params.expect(validation_error: [ :is_ignored ])
   end
 end
diff --git a/app/models/analytics_event.rb b/app/models/analytics_event.rb
index b4439e36e..09482aa58 100644
--- a/app/models/analytics_event.rb
+++ b/app/models/analytics_event.rb
@@ -17,5 +17,4 @@ class AnalyticsEvent < ApplicationRecord
   validates :event_type, inclusion: { in: EVENT_TYPES }, presence: true
 
   # Used by `download_db` in app/controllers/cites_trade/home_controller.rb
-  # attr_accessible :event_name, :event_type
 end
diff --git a/app/models/annotation.rb b/app/models/annotation.rb
index 6eb7885b9..e1c257e93 100644
--- a/app/models/annotation.rb
+++ b/app/models/annotation.rb
@@ -41,11 +41,6 @@ class Annotation < ApplicationRecord
   extend Mobility
   include TrackWhoDoesIt
 
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :listing_change_id, :symbol, :parent_symbol, :short_note_en,
-  #   :full_note_en, :short_note_fr, :full_note_fr, :short_note_es, :full_note_es,
-  #   :display_in_index, :display_in_footnote, :event_id
-
   has_many :listing_changes,
     dependent: :nullify
 
diff --git a/app/models/change_type.rb b/app/models/change_type.rb
index 16a8b3083..6ec612b94 100644
--- a/app/models/change_type.rb
+++ b/app/models/change_type.rb
@@ -27,9 +27,6 @@
 class ChangeType < ApplicationRecord
   include Deletable
   extend Mobility
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :name, :display_name_en, :display_name_es, :display_name_fr,
-  #   :designation_id
   include Dictionary
   build_dictionary :addition, :deletion, :reservation, :reservation_withdrawal, :exception
 
diff --git a/app/models/cites_process.rb b/app/models/cites_process.rb
index 1c722081a..b2f0f7a32 100644
--- a/app/models/cites_process.rb
+++ b/app/models/cites_process.rb
@@ -25,10 +25,6 @@
 #
 class CitesProcess < ApplicationRecord
   include TrackWhoDoesIt
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :start_event_id, :geo_entity_id, :resolution, :start_date,
-  #                 :taxon_concept_id, :notes, :status, :document, :document_title,
-  #                 :created_by_id, :updated_by_id
 
   belongs_to :taxon_concept
   belongs_to :geo_entity
diff --git a/app/models/cites_processes/cites_rst_process.rb b/app/models/cites_processes/cites_rst_process.rb
index df47db665..53de70db4 100644
--- a/app/models/cites_processes/cites_rst_process.rb
+++ b/app/models/cites_processes/cites_rst_process.rb
@@ -25,7 +25,6 @@
 #
 class CitesRstProcess < CitesProcess
   # Used by lib/modules/import/rst/importer.rb
-  # attr_accessible :case_id
 
   STATUS = [ 'Initiated', 'Ongoing', 'Retained', 'Trade Suspension', 'Closed' ]
 
diff --git a/app/models/cites_suspension_confirmation.rb b/app/models/cites_suspension_confirmation.rb
index ec7722c4e..df7be0c3f 100644
--- a/app/models/cites_suspension_confirmation.rb
+++ b/app/models/cites_suspension_confirmation.rb
@@ -20,8 +20,6 @@
 #
 
 class CitesSuspensionConfirmation < ApplicationRecord
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :cites_suspension_notification_id
   belongs_to :confirmation_notification, class_name: 'CitesSuspensionNotification',
     foreign_key: :cites_suspension_notification_id
   belongs_to :confirmed_suspension, class_name: 'CitesSuspension',
diff --git a/app/models/cms_mapping.rb b/app/models/cms_mapping.rb
index 7e9af5305..cddd9bef8 100644
--- a/app/models/cms_mapping.rb
+++ b/app/models/cms_mapping.rb
@@ -14,9 +14,6 @@
 #
 
 class CmsMapping < ApplicationRecord
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :accepted_name_id, :cms_author, :cms_taxon_name, :cms_uuid, :details, :taxon_concept_id
-
   # serialize :details, coder: ActiveRecord::Coders::Hstore
   belongs_to :taxon_concept, optional: true
   belongs_to :accepted_name, class_name: 'TaxonConcept', optional: true
diff --git a/app/models/comment.rb b/app/models/comment.rb
index 22e649e71..01c993c49 100644
--- a/app/models/comment.rb
+++ b/app/models/comment.rb
@@ -26,9 +26,6 @@
 
 class Comment < ApplicationRecord
   include TrackWhoDoesIt
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :comment_type, :commentable_id, :commentable_type, :note,
-  #   :created_by_id, :updated_by_id
 
   belongs_to :commentable, polymorphic: true
 end
diff --git a/app/models/common_name.rb b/app/models/common_name.rb
index de9c33908..e6d3ec38a 100644
--- a/app/models/common_name.rb
+++ b/app/models/common_name.rb
@@ -26,9 +26,6 @@
 
 class CommonName < ApplicationRecord
   include TrackWhoDoesIt
-  # Used by app/models/taxon_common.rb
-  # attr_accessible :language_id, :name,
-  #   :created_by_id, :updated_by_id
 
   belongs_to :language
 
diff --git a/app/models/designation.rb b/app/models/designation.rb
index 0b176c263..e82e12d30 100644
--- a/app/models/designation.rb
+++ b/app/models/designation.rb
@@ -19,10 +19,9 @@
 #
 
 class Designation < ApplicationRecord
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :name, :taxonomy_id
   include Deletable
   include Dictionary
+
   build_dictionary :cites, :eu, :cms
 
   validates :name, presence: true, uniqueness: true
diff --git a/app/models/designation_geo_entity.rb b/app/models/designation_geo_entity.rb
index c95dd43c4..e02fe2186 100644
--- a/app/models/designation_geo_entity.rb
+++ b/app/models/designation_geo_entity.rb
@@ -21,7 +21,6 @@
 
 class DesignationGeoEntity < ApplicationRecord
   # Relationship table between Designation and GeoEntity.
-  # attr_accessible :designation_id, :geo_entity_id
   belongs_to :designation
   belongs_to :geo_entity
 end
diff --git a/app/models/distribution.rb b/app/models/distribution.rb
index 20c0ccb36..180a9fbf3 100644
--- a/app/models/distribution.rb
+++ b/app/models/distribution.rb
@@ -31,9 +31,6 @@
 class Distribution < ApplicationRecord
   include Changeable
   include TrackWhoDoesIt
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :geo_entity_id, :taxon_concept_id, :tag_list,
-  #   :references_attributes, :internal_notes, :created_by_id, :updated_by_id
 
   acts_as_taggable
 
diff --git a/app/models/distribution_reference.rb b/app/models/distribution_reference.rb
index 2a422699f..3fce8efbe 100644
--- a/app/models/distribution_reference.rb
+++ b/app/models/distribution_reference.rb
@@ -29,8 +29,6 @@
 class DistributionReference < ApplicationRecord
   include TrackWhoDoesIt
   # Used by app/models/cms_mapping_manager.rb
-  # attr_accessible :reference_id, :distribution_id, :created_by_id,
-  #   :updated_by_id
 
   belongs_to :reference
   belongs_to :distribution, touch: true
diff --git a/app/models/document.rb b/app/models/document.rb
index 5ef7d16cc..90158b3a5 100644
--- a/app/models/document.rb
+++ b/app/models/document.rb
@@ -56,27 +56,27 @@ class Document < ApplicationRecord
   include PgSearch::Model
 
   ACCEPTED_CONTENT_TYPES = [
-    "image/jpeg",                                           # jpg
-    "image/jpeg",                                           # jpeg
-    "image/gif",                                            # gif
-    "image/png",                                            # png
-    "image/bmp",                                            # bmp
-    "image/tiff",                                           # tif
-    "image/tiff",                                           # tiff
-    "application/vnd.ms-powerpoint",                        # ppt
-    "application/vnd.openxmlformats-officedocument.presentationml.presentation",  # pptx
-    "application/vnd.ms-excel",                             # xls
-    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",          # xlsx
-    "application/rtf",                                      # rtf
-    "text/plain",                                           # txt
-    "application/msword",                                   # doc
-    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",    # docx
-    "application/pdf",                                      # pdf
-    "text/csv",                                             # csv
-    "text/tab-separated-values",                            # tsv
-    "application/vnd.oasis.opendocument.text",              # odt
-    "application/vnd.oasis.opendocument.spreadsheet",       # ods
-    "application/vnd.oasis.opendocument.presentation"       # odp
+    'image/jpeg',                                           # jpg
+    'image/jpeg',                                           # jpeg
+    'image/gif',                                            # gif
+    'image/png',                                            # png
+    'image/bmp',                                            # bmp
+    'image/tiff',                                           # tif
+    'image/tiff',                                           # tiff
+    'application/vnd.ms-powerpoint',                        # ppt
+    'application/vnd.openxmlformats-officedocument.presentationml.presentation',  # pptx
+    'application/vnd.ms-excel',                             # xls
+    'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',          # xlsx
+    'application/rtf',                                      # rtf
+    'text/plain',                                           # txt
+    'application/msword',                                   # doc
+    'application/vnd.openxmlformats-officedocument.wordprocessingml.document',    # docx
+    'application/pdf',                                      # pdf
+    'text/csv',                                             # csv
+    'text/tab-separated-values',                            # tsv
+    'application/vnd.oasis.opendocument.text',              # odt
+    'application/vnd.oasis.opendocument.spreadsheet',       # ods
+    'application/vnd.oasis.opendocument.presentation'       # odp
   ].freeze
 
   pg_search_scope :search_by_title, against: :title,
@@ -85,12 +85,6 @@ class Document < ApplicationRecord
 
   include TrackWhoDoesIt
 
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :event_id, :file, :date, :type, :title, :is_public,
-  #   :language_id, :citations_attributes,
-  #   :sort_index, :discussion_id, :discussion_sort_index,
-  #   :primary_language_document_id,
-  #   :designation_id
   belongs_to :designation, optional: true
   belongs_to :event, optional: true
   belongs_to :language, optional: true
diff --git a/app/models/document/proposal.rb b/app/models/document/proposal.rb
index 4c73ad029..55c58560d 100644
--- a/app/models/document/proposal.rb
+++ b/app/models/document/proposal.rb
@@ -55,7 +55,6 @@ def self.display_name
   end
 
   # Used in Document Controller
-  # attr_accessible :proposal_details_attributes
 
   has_one :proposal_details,
     class_name: 'ProposalDetails',
diff --git a/app/models/document/review_of_significant_trade.rb b/app/models/document/review_of_significant_trade.rb
index c4123133b..52055b64b 100644
--- a/app/models/document/review_of_significant_trade.rb
+++ b/app/models/document/review_of_significant_trade.rb
@@ -55,7 +55,6 @@ def self.display_name
   end
 
   # Used by DocumentsController.
-  # attr_accessible :review_details_attributes
 
   has_one :review_details,
     class_name: 'ReviewDetails',
diff --git a/app/models/document_citation.rb b/app/models/document_citation.rb
index e5b3d478f..5ad812cd9 100644
--- a/app/models/document_citation.rb
+++ b/app/models/document_citation.rb
@@ -25,8 +25,6 @@
 
 class DocumentCitation < ApplicationRecord
   include TrackWhoDoesIt
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :document_id, :stringy_taxon_concept_ids, :geo_entity_ids
 
   has_many :document_citation_taxon_concepts, dependent: :destroy, autosave: true
   has_many :taxon_concepts, through: :document_citation_taxon_concepts
diff --git a/app/models/document_citation_geo_entity.rb b/app/models/document_citation_geo_entity.rb
index db6e832a3..f50ec852f 100644
--- a/app/models/document_citation_geo_entity.rb
+++ b/app/models/document_citation_geo_entity.rb
@@ -29,7 +29,6 @@
 class DocumentCitationGeoEntity < ApplicationRecord
   include TrackWhoDoesIt
   # Used by app/models/nomenclature_change/reassignment_copy_processor.rb and lib/tasks/elibrary/identification_docs_distributions_importer.rb
-  # attr_accessible :created_by_id, :document_citation_id, :geo_entity_id, :updated_by_id
 
   belongs_to :geo_entity
   belongs_to :document_citation, touch: true
diff --git a/app/models/document_citation_taxon_concept.rb b/app/models/document_citation_taxon_concept.rb
index e81729703..868573fc3 100644
--- a/app/models/document_citation_taxon_concept.rb
+++ b/app/models/document_citation_taxon_concept.rb
@@ -29,8 +29,6 @@
 class DocumentCitationTaxonConcept < ApplicationRecord
   include TrackWhoDoesIt
   # Used by other models, not controllers.
-  # attr_accessible :created_by_id, :document_citation_id, :taxon_concept_id, :updated_by_id,
-  #   :updated_at
 
   belongs_to :taxon_concept
   belongs_to :document_citation, touch: true
diff --git a/app/models/document_tag.rb b/app/models/document_tag.rb
index 3d7d74b89..82edd8dc6 100644
--- a/app/models/document_tag.rb
+++ b/app/models/document_tag.rb
@@ -11,7 +11,6 @@
 
 class DocumentTag < ApplicationRecord
   # Only created by seed and rake task.
-  # attr_accessible :name
 
   has_and_belongs_to_many :documents
 
diff --git a/app/models/download.rb b/app/models/download.rb
index a979889a9..27a617d76 100644
--- a/app/models/download.rb
+++ b/app/models/download.rb
@@ -14,9 +14,6 @@
 #
 
 class Download < ApplicationRecord
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :format, :doc_type
-
   validates :format, presence: true, inclusion: { in: %w[pdf csv json zip] }
   validates :doc_type, presence: true, inclusion: { in: %w[history index citesidmanual] }
 
diff --git a/app/models/eu_country_date.rb b/app/models/eu_country_date.rb
index ddb7ab293..b21bf7844 100644
--- a/app/models/eu_country_date.rb
+++ b/app/models/eu_country_date.rb
@@ -11,7 +11,6 @@
 #
 class EuCountryDate < ApplicationRecord
   # Used by rake task.
-  # attr_accessible :eu_accession_year, :eu_exit_year, :geo_entity
 
   belongs_to :geo_entity
   validates :eu_accession_year, presence: true
diff --git a/app/models/eu_decision.rb b/app/models/eu_decision.rb
index 75a02317e..885ccabef 100644
--- a/app/models/eu_decision.rb
+++ b/app/models/eu_decision.rb
@@ -61,12 +61,6 @@ class EuDecision < ApplicationRecord
   include Changeable
   extend Mobility
   include TrackWhoDoesIt
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :end_date, :end_event_id, :geo_entity_id, :internal_notes,
-  #   :is_current, :notes, :start_date, :start_event_id, :eu_decision_type_id,
-  #   :taxon_concept_id, :type, :conditions_apply, :term_id, :source_id,
-  #   :nomenclature_note_en, :nomenclature_note_es, :nomenclature_note_fr,
-  #   :created_by_id, :updated_by_id, :srg_history_id
 
   belongs_to :taxon_concept
   belongs_to :m_taxon_concept, foreign_key: :taxon_concept_id, optional: true
diff --git a/app/models/eu_decision_confirmation.rb b/app/models/eu_decision_confirmation.rb
index 935d96213..d4e1577bf 100644
--- a/app/models/eu_decision_confirmation.rb
+++ b/app/models/eu_decision_confirmation.rb
@@ -21,7 +21,6 @@
 
 class EuDecisionConfirmation < ApplicationRecord
   # Relationship table between Event and EuDecision
-  # attr_accessible :eu_decision_id, :event_id
 
   belongs_to :eu_decision
   belongs_to :event
diff --git a/app/models/eu_decision_type.rb b/app/models/eu_decision_type.rb
index 7e15fa08a..db1bbc0e9 100644
--- a/app/models/eu_decision_type.rb
+++ b/app/models/eu_decision_type.rb
@@ -16,10 +16,8 @@
 
 class EuDecisionType < ApplicationRecord
   include Deletable
-
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :name, :tooltip, :decision_type
   include Dictionary
+
   build_dictionary :negative_opinion, :positive_opinion, :no_opinion,
     :suspension, :srg_referral
 
diff --git a/app/models/eu_decisions/eu_opinion.rb b/app/models/eu_decisions/eu_opinion.rb
index da567d566..c4a1fabb1 100644
--- a/app/models/eu_decisions/eu_opinion.rb
+++ b/app/models/eu_decisions/eu_opinion.rb
@@ -56,9 +56,6 @@
 #
 
 class EuOpinion < EuDecision
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :document_id
-
   belongs_to :document, optional: true
 
   validates :start_date, presence: true
diff --git a/app/models/event.rb b/app/models/event.rb
index 2c086ae72..4c8014e8c 100644
--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -42,11 +42,6 @@
 class Event < ApplicationRecord
   include TrackWhoDoesIt
 
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :name, :designation_id, :description, :extended_description,
-  #   :url, :private_url, :multilingual_url, :published_at, :effective_at, :is_current, :end_date,
-  #   :created_by_id, :updated_by_id
-
   attr_reader :effective_at_formatted
 
   belongs_to :designation, optional: true
diff --git a/app/models/events/cites_ac.rb b/app/models/events/cites_ac.rb
index 566db8ff9..200c1a887 100644
--- a/app/models/events/cites_ac.rb
+++ b/app/models/events/cites_ac.rb
@@ -42,9 +42,6 @@
 # Cites Animal Committee
 
 class CitesAc < Event
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :is_current
-
   validates :effective_at, presence: true
 
   def self.elibrary_document_types
diff --git a/app/models/events/cites_cop.rb b/app/models/events/cites_cop.rb
index 736cc32df..c510c8c19 100644
--- a/app/models/events/cites_cop.rb
+++ b/app/models/events/cites_cop.rb
@@ -42,9 +42,6 @@
 class CitesCop < Event
   include Deletable
 
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :is_current
-
   ##
   # The only time we would delete a CoP/EU regulation is just after we've
   # created it by mistake, but we don't want to be able to delete the CoP
diff --git a/app/models/events/cites_extraordinary_meeting.rb b/app/models/events/cites_extraordinary_meeting.rb
index 35be0fe72..a743c1f76 100644
--- a/app/models/events/cites_extraordinary_meeting.rb
+++ b/app/models/events/cites_extraordinary_meeting.rb
@@ -40,9 +40,6 @@
 #
 
 class CitesExtraordinaryMeeting < Event
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :is_current
-
   validates :effective_at, presence: true
 
   def self.elibrary_document_types
diff --git a/app/models/events/cites_pc.rb b/app/models/events/cites_pc.rb
index 036a098b5..9133902e1 100644
--- a/app/models/events/cites_pc.rb
+++ b/app/models/events/cites_pc.rb
@@ -42,9 +42,6 @@
 # Cites Plant Committee
 
 class CitesPc < Event
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :is_current
-
   validates :effective_at, presence: true
 
   def self.elibrary_document_types
diff --git a/app/models/events/cites_suspension_notification.rb b/app/models/events/cites_suspension_notification.rb
index f92099122..f8aaf0376 100644
--- a/app/models/events/cites_suspension_notification.rb
+++ b/app/models/events/cites_suspension_notification.rb
@@ -41,9 +41,9 @@
 
 class CitesSuspensionNotification < Event
   include Deletable
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :subtype, :new_subtype, :end_date
+
   attr_accessor :new_subtype
+
   has_many :started_suspensions, foreign_key: :start_notification_id, class_name: 'CitesSuspension'
   has_many :ended_suspensions, foreign_key: :end_notification_id, class_name: 'CitesSuspension'
   has_many :cites_suspension_confirmations, dependent: :destroy
diff --git a/app/models/events/cites_tc.rb b/app/models/events/cites_tc.rb
index dc234d293..c2c9cc62f 100644
--- a/app/models/events/cites_tc.rb
+++ b/app/models/events/cites_tc.rb
@@ -42,9 +42,6 @@
 # Cites Tech Committee
 
 class CitesTc < Event
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :is_current
-
   validates :effective_at, presence: true
 
   before_destroy :check_for_documents
diff --git a/app/models/events/ec_srg.rb b/app/models/events/ec_srg.rb
index b713eceef..e148f668f 100644
--- a/app/models/events/ec_srg.rb
+++ b/app/models/events/ec_srg.rb
@@ -42,9 +42,6 @@
 # European Commission Scientific Review Group
 
 class EcSrg < Event
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :is_current
-
   has_many :eu_opinions, foreign_key: :start_event_id,
     dependent: :nullify
 
diff --git a/app/models/events/eu_regulation.rb b/app/models/events/eu_regulation.rb
index d99c6a744..aa4e2a28b 100644
--- a/app/models/events/eu_regulation.rb
+++ b/app/models/events/eu_regulation.rb
@@ -42,8 +42,6 @@
 class EuRegulation < EuEvent
   include Deletable
 
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :listing_changes_event_id, :end_date
   attr_accessor :listing_changes_event_id
 
   ##
diff --git a/app/models/events/eu_suspension_regulation.rb b/app/models/events/eu_suspension_regulation.rb
index 4c2dd1ab2..6c821ae62 100644
--- a/app/models/events/eu_suspension_regulation.rb
+++ b/app/models/events/eu_suspension_regulation.rb
@@ -42,8 +42,6 @@
 class EuSuspensionRegulation < EuEvent
   include Deletable
 
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :eu_suspensions_event_id
   attr_accessor :eu_suspensions_event_id
 
   # Because EuSuspensionRegulation events are created with many suspensions
diff --git a/app/models/geo_entity.rb b/app/models/geo_entity.rb
index 5578895e0..11cd63e47 100644
--- a/app/models/geo_entity.rb
+++ b/app/models/geo_entity.rb
@@ -31,10 +31,6 @@ class GeoEntity < ApplicationRecord
   include Changeable
   include Deletable
   extend Mobility
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :geo_entity_type_id, :iso_code2, :iso_code3,
-  #   :legacy_id, :legacy_type, :long_name, :name_en, :name_es, :name_fr,
-  #   :is_current
   translates :name
   belongs_to :geo_entity_type
   has_many :geo_relationships
diff --git a/app/models/geo_entity_type.rb b/app/models/geo_entity_type.rb
index 7f4a186d6..81c98452a 100644
--- a/app/models/geo_entity_type.rb
+++ b/app/models/geo_entity_type.rb
@@ -10,7 +10,6 @@
 
 class GeoEntityType < ApplicationRecord
   # Look like the only place create GeoEntityType is lib/tasks/import_trade_shipments.rake
-  # attr_accessible :name
 
   include Dictionary
   build_dictionary :country, :cites_region, :region, :territory,
diff --git a/app/models/geo_relationship.rb b/app/models/geo_relationship.rb
index 28a141902..60594bf60 100644
--- a/app/models/geo_relationship.rb
+++ b/app/models/geo_relationship.rb
@@ -23,8 +23,6 @@
 #
 
 class GeoRelationship < ApplicationRecord
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :geo_entity_id, :geo_relationship_type_id, :other_geo_entity_id
   belongs_to :geo_relationship_type
   belongs_to :geo_entity
   belongs_to :related_geo_entity, class_name: 'GeoEntity', foreign_key: :other_geo_entity_id
diff --git a/app/models/geo_relationship_type.rb b/app/models/geo_relationship_type.rb
index 6a78f96a4..eadb44e74 100644
--- a/app/models/geo_relationship_type.rb
+++ b/app/models/geo_relationship_type.rb
@@ -10,7 +10,6 @@
 
 class GeoRelationshipType < ApplicationRecord
   # Used by seed only.
-  # attr_accessible :name
 
   include Dictionary
   build_dictionary :contains, :intersects
diff --git a/app/models/instrument.rb b/app/models/instrument.rb
index 8e5053c56..4dcd41a4a 100644
--- a/app/models/instrument.rb
+++ b/app/models/instrument.rb
@@ -21,8 +21,6 @@
 
 class Instrument < ApplicationRecord
   include Deletable
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :designation_id, :name
 
   validates :name, presence: true, uniqueness: { scope: :designation_id }
 
diff --git a/app/models/iucn_mapping.rb b/app/models/iucn_mapping.rb
index 4df57339d..e8cc3e13a 100644
--- a/app/models/iucn_mapping.rb
+++ b/app/models/iucn_mapping.rb
@@ -16,8 +16,6 @@
 
 class IucnMapping < ApplicationRecord
   # Used by IucnMappingManager
-  # attr_accessible :iucn_author, :iucn_category, :iucn_taxon_id,
-  #   :iucn_taxon_name, :taxon_concept_id, :details, :accepted_name_id
 
   # serialize :details, coder: ActiveRecord::Coders::Hstore
   belongs_to :taxon_concept
diff --git a/app/models/language.rb b/app/models/language.rb
index 87f48a102..d0c0c08e2 100644
--- a/app/models/language.rb
+++ b/app/models/language.rb
@@ -21,8 +21,7 @@ class Language < ApplicationRecord
   include Changeable
   include Deletable
   extend Mobility
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :iso_code1, :iso_code3, :name_en, :name_fr, :name_es
+
   translates :name
 
   has_many :common_names
diff --git a/app/models/listing_change.rb b/app/models/listing_change.rb
index 8bc47e2c2..70bb9d0ce 100644
--- a/app/models/listing_change.rb
+++ b/app/models/listing_change.rb
@@ -61,14 +61,6 @@ class ListingChange < ApplicationRecord
   include Changeable
   extend Mobility
   include TrackWhoDoesIt
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :taxon_concept_id, :species_listing_id, :change_type_id,
-  #   :effective_at, :is_current, :parent_id, :geo_entity_ids,
-  #   :party_listing_distribution_attributes, :inclusion_taxon_concept_id,
-  #   :annotation_attributes, :hash_annotation_id, :event_id,
-  #   :excluded_geo_entities_ids, :excluded_taxon_concepts_ids, :internal_notes,
-  #   :nomenclature_note_en, :nomenclature_note_es, :nomenclature_note_fr,
-  #   :created_by_id, :updated_by_id
 
   attr_accessor :excluded_geo_entities_ids, # Array
     :excluded_taxon_concepts_ids # String
diff --git a/app/models/listing_distribution.rb b/app/models/listing_distribution.rb
index 05a466d53..baa585d19 100644
--- a/app/models/listing_distribution.rb
+++ b/app/models/listing_distribution.rb
@@ -32,8 +32,6 @@
 
 class ListingDistribution < ApplicationRecord
   include TrackWhoDoesIt
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :geo_entity_id, :listing_change_id, :is_party
 
   belongs_to :geo_entity
   belongs_to :listing_change, inverse_of: :listing_distributions
diff --git a/app/models/nomenclature_change.rb b/app/models/nomenclature_change.rb
index 3045e7e54..a54fc7525 100644
--- a/app/models/nomenclature_change.rb
+++ b/app/models/nomenclature_change.rb
@@ -32,9 +32,6 @@ class NomenclatureChange < ApplicationRecord
 
   include TrackWhoDoesIt
 
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :event_id, :status
-
   belongs_to :event, optional: true
 
   validates :status, presence: true
@@ -69,16 +66,20 @@ def submit
   end
 
   def cannot_update_when_locked
-    if status_was == NomenclatureChange::CLOSED ||
-      (status_was == NomenclatureChange::SUBMITTED &&
-      status != NomenclatureChange::CLOSED)
+    if status_was == NomenclatureChange::CLOSED || (
+        status_was == NomenclatureChange::SUBMITTED &&
+        status != NomenclatureChange::CLOSED
+      )
+
       errors.add(:base, 'Nomenclature change is locked for updates')
+
       false
     end
   end
 
   def next_step
     steps = self.class::STEPS
+
     return nil if steps.empty?
 
     if status == NomenclatureChange::NEW
diff --git a/app/models/nomenclature_change/input.rb b/app/models/nomenclature_change/input.rb
index d8a216a5f..f15d55a9e 100644
--- a/app/models/nomenclature_change/input.rb
+++ b/app/models/nomenclature_change/input.rb
@@ -33,13 +33,6 @@
 # Inputs are required to be existing taxon concepts.
 class NomenclatureChange::Input < ApplicationRecord
   include TrackWhoDoesIt
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :nomenclature_change_id, :taxon_concept_id,
-  #   :note_en, :note_es, :note_fr, :internal_note,
-  #   :parent_reassignments_attributes,
-  #   :name_reassignments_attributes,
-  #   :distribution_reassignments_attributes,
-  #   :legislation_reassignments_attributes
 
   belongs_to :nomenclature_change
   belongs_to :taxon_concept
diff --git a/app/models/nomenclature_change/lump.rb b/app/models/nomenclature_change/lump.rb
index e83e56529..24a178486 100644
--- a/app/models/nomenclature_change/lump.rb
+++ b/app/models/nomenclature_change/lump.rb
@@ -26,8 +26,7 @@
 
 class NomenclatureChange::Lump < NomenclatureChange
   build_steps(:inputs, :outputs, :notes, :legislation, :summary)
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :inputs_attributes, :output_attributes
+
   has_many :inputs, inverse_of: :nomenclature_change,
     class_name: 'NomenclatureChange::Input',
     foreign_key: :nomenclature_change_id,
diff --git a/app/models/nomenclature_change/output.rb b/app/models/nomenclature_change/output.rb
index 0a7648e5e..58ed4f14f 100644
--- a/app/models/nomenclature_change/output.rb
+++ b/app/models/nomenclature_change/output.rb
@@ -55,14 +55,6 @@
 class NomenclatureChange::Output < ApplicationRecord
   include TrackWhoDoesIt
   attr_accessor :output_type # New taxon, Existing subspecies, Existing taxon
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :nomenclature_change_id, :taxon_concept_id,
-  #   :new_taxon_concept_id, :rank_id, :new_scientific_name, :new_author_year,
-  #   :new_name_status, :new_parent_id, :new_rank_id, :taxonomy_id,
-  #   :note_en, :note_es, :note_fr, :internal_note, :is_primary_output,
-  #   :parent_reassignments_attributes, :name_reassignments_attributes,
-  #   :distribution_reassignments_attributes, :legislation_reassignments_attributes,
-  #   :output_type, :tag_list, :created_by_id, :updated_by_id
 
   belongs_to :nomenclature_change
   belongs_to :taxon_concept, optional: true
@@ -171,6 +163,7 @@ def tmp_taxon_concept
       else
         display_full_name
       end
+
     taxon_concept_attrs = {
       parent_id: new_parent_id || parent_id,
       rank_id: new_rank_id || rank_id,
@@ -186,10 +179,11 @@ def tmp_taxon_concept
         else
           Taxonomy.find_by(name: Taxonomy::CITES_EU)
         end
+
       TaxonConcept.new(
         taxon_concept_attrs.merge(
           {
-            taxonomy_id: taxonomy.id,
+            taxonomy_id: taxonomy&.id,
             tag_list: tag_list
           }
         )
@@ -204,14 +198,17 @@ def tmp_taxon_concept
 
   def validate_tmp_taxon_concept
     @tmp_taxon_concept = tmp_taxon_concept
+
     unless @tmp_taxon_concept
       errors.add(:new_taxon_concept, "can't be blank")
     end
+
     return true if @tmp_taxon_concept.valid?
 
     @tmp_taxon_concept.errors.each do |error|
       attribute = error.attribute
       message = error.message
+
       if [ :parent_id, :rank, :name_status, :author_year, :full_name ].
           include?(attribute)
         errors.add(:"new_#{attribute}", message)
diff --git a/app/models/nomenclature_change/parent_reassignment.rb b/app/models/nomenclature_change/parent_reassignment.rb
index 1db897110..e01d26b77 100644
--- a/app/models/nomenclature_change/parent_reassignment.rb
+++ b/app/models/nomenclature_change/parent_reassignment.rb
@@ -31,8 +31,6 @@
 
 # Reassignable is a taxon concept that is reassigned to a new parent
 class NomenclatureChange::ParentReassignment < NomenclatureChange::Reassignment
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :reassignment_target_attributes
   has_one :reassignment_target, inverse_of: :reassignment,
     class_name: 'NomenclatureChange::ReassignmentTarget',
     foreign_key: :nomenclature_change_reassignment_id
diff --git a/app/models/nomenclature_change/reassignment_helpers.rb b/app/models/nomenclature_change/reassignment_helpers.rb
index 900e5b6af..ba56f76f9 100644
--- a/app/models/nomenclature_change/reassignment_helpers.rb
+++ b/app/models/nomenclature_change/reassignment_helpers.rb
@@ -2,11 +2,6 @@ module NomenclatureChange::ReassignmentHelpers
   def self.included(base)
     base.class_eval do
       include TrackWhoDoesIt
-
-      # Migrated to controller (Strong Parameters)
-      # attr_accessible :type, :reassignable_id, :reassignable_type,
-      #   :nomenclature_change_input_id, :nomenclature_change_output_id,
-      #   :note_en, :note_es, :note_fr, :internal_note, :output_ids
       belongs_to :reassignable, polymorphic: true, optional: true
       has_many :reassignment_targets,
         inverse_of: :reassignment,
diff --git a/app/models/nomenclature_change/reassignment_target.rb b/app/models/nomenclature_change/reassignment_target.rb
index 2bd31148a..3836609a1 100644
--- a/app/models/nomenclature_change/reassignment_target.rb
+++ b/app/models/nomenclature_change/reassignment_target.rb
@@ -27,9 +27,9 @@
 
 class NomenclatureChange::ReassignmentTarget < ApplicationRecord
   include TrackWhoDoesIt
+
   # Relationship table
-  # attr_accessible :nomenclature_change_output_id,
-  #   :nomenclature_change_reassignment_id, :note
+
   belongs_to :output, class_name: 'NomenclatureChange::Output',
     foreign_key: :nomenclature_change_output_id
   belongs_to :reassignment,
diff --git a/app/models/nomenclature_change/split.rb b/app/models/nomenclature_change/split.rb
index e54b48f64..1a1639ff8 100644
--- a/app/models/nomenclature_change/split.rb
+++ b/app/models/nomenclature_change/split.rb
@@ -29,8 +29,7 @@ class NomenclatureChange::Split < NomenclatureChange
     :inputs, :outputs, :notes, :children, :names, :distribution,
     :legislation, :summary
   )
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :input_attributes, :outputs_attributes
+
   has_one :input, inverse_of: :nomenclature_change,
     class_name: 'NomenclatureChange::Input',
     foreign_key: :nomenclature_change_id,
diff --git a/app/models/nomenclature_change/status_change_helpers.rb b/app/models/nomenclature_change/status_change_helpers.rb
index a6291a95e..c35573b05 100644
--- a/app/models/nomenclature_change/status_change_helpers.rb
+++ b/app/models/nomenclature_change/status_change_helpers.rb
@@ -1,9 +1,6 @@
 module NomenclatureChange::StatusChangeHelpers
   def self.included(base)
     base.class_eval do
-      # Migrated to controller (Strong Parameters)
-      # attr_accessible :primary_output_attributes, :secondary_output_attributes,
-      #   :input_attributes
       has_one :input, inverse_of: :nomenclature_change,
         class_name: 'NomenclatureChange::Input',
         foreign_key: :nomenclature_change_id,
diff --git a/app/models/nomenclature_change/status_to_accepted.rb b/app/models/nomenclature_change/status_to_accepted.rb
index 1b4ed779d..2c9afd955 100644
--- a/app/models/nomenclature_change/status_to_accepted.rb
+++ b/app/models/nomenclature_change/status_to_accepted.rb
@@ -27,15 +27,14 @@
 # A status change to A needs to have one output.
 class NomenclatureChange::StatusToAccepted < NomenclatureChange
   include NomenclatureChange::StatusChangeHelpers
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :created_by_id, :updated_by_id
-  build_steps(
-    :primary_output, :summary
-  )
+
+  build_steps :primary_output, :summary
+
   validates :status, inclusion: {
     in: self.status_dict,
     message: '%{value} is not a valid status'
   }
+
   validate :required_primary_output_name_status, if: :primary_output_or_submitting?
   before_validation :set_output_name_status, if: :primary_output_or_submitting?
   before_validation :set_output_rank_id, if: :primary_output_or_submitting?
@@ -46,6 +45,7 @@ def required_primary_output_name_status
       errors.add(:primary_output, 'Must be N or T taxon')
       return false
     end
+
     true
   end
 
diff --git a/app/models/preset_tag.rb b/app/models/preset_tag.rb
index 64a67b084..5a558b6c6 100644
--- a/app/models/preset_tag.rb
+++ b/app/models/preset_tag.rb
@@ -15,8 +15,6 @@
 
 class PresetTag < ApplicationRecord
   include Deletable
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :model, :name
 
   TYPES = {
     Distribution: 'Distribution',
diff --git a/app/models/proposal_details.rb b/app/models/proposal_details.rb
index 876944df3..a2f6a413b 100644
--- a/app/models/proposal_details.rb
+++ b/app/models/proposal_details.rb
@@ -24,8 +24,7 @@
 
 class ProposalDetails < ApplicationRecord
   # Used in DocumentsController
-  # attr_accessible :document_id, :proposal_nature, :proposal_outcome_id,
-  #   :representation, :proposal_number
+
   self.table_name = 'proposal_details'
   belongs_to :document, touch: true
 end
diff --git a/app/models/rank.rb b/app/models/rank.rb
index 4089c3532..afcadefac 100644
--- a/app/models/rank.rb
+++ b/app/models/rank.rb
@@ -23,9 +23,6 @@
 class Rank < ApplicationRecord
   include Deletable
   extend Mobility
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :name, :display_name_en, :display_name_es, :display_name_fr,
-  #   :taxonomic_position, :fixed_order
   include Dictionary
   build_dictionary :kingdom, :phylum, :class, :order, :family, :subfamily, :genus, :species, :subspecies, :variety
 
diff --git a/app/models/reference.rb b/app/models/reference.rb
index c2f2e2aea..7472198be 100644
--- a/app/models/reference.rb
+++ b/app/models/reference.rb
@@ -30,8 +30,6 @@
 class Reference < ApplicationRecord
   include Deletable
   include TrackWhoDoesIt
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :citation, :created_by_id, :updated_by_id
 
   validates :citation, presence: true, uniqueness: true
   has_many :taxon_concept_references
diff --git a/app/models/review_details.rb b/app/models/review_details.rb
index 1c7561781..66a21cab1 100644
--- a/app/models/review_details.rb
+++ b/app/models/review_details.rb
@@ -25,7 +25,6 @@
 
 class ReviewDetails < ApplicationRecord
   # Used by DocumentController.
-  # attr_accessible :document_id, :review_phase_id, :process_stage_id, :recommended_category
   self.table_name = 'review_details'
   belongs_to :document, touch: true
 
diff --git a/app/models/species_listing.rb b/app/models/species_listing.rb
index 87677b9e3..6f3be9a9a 100644
--- a/app/models/species_listing.rb
+++ b/app/models/species_listing.rb
@@ -24,8 +24,6 @@
 
 class SpeciesListing < ApplicationRecord
   include Deletable
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :designation_id, :name, :abbreviation
 
   belongs_to :designation
   has_many :listing_changes
diff --git a/app/models/srg_history.rb b/app/models/srg_history.rb
index b2eb72889..6dd244307 100644
--- a/app/models/srg_history.rb
+++ b/app/models/srg_history.rb
@@ -13,9 +13,6 @@
 #  index_srg_histories_on_name  (name) UNIQUE
 #
 class SrgHistory < ApplicationRecord
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :name, :tooltip
-
   has_many :eu_decisions
 
   validates :name, presence: true, uniqueness: true
diff --git a/app/models/taxon_common.rb b/app/models/taxon_common.rb
index 0bb4a7fc6..37d6f4e1c 100644
--- a/app/models/taxon_common.rb
+++ b/app/models/taxon_common.rb
@@ -28,9 +28,6 @@
 class TaxonCommon < ApplicationRecord
   include Changeable
   include TrackWhoDoesIt
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :common_name_id, :taxon_concept_id, :created_by_id,
-  #   :updated_by_id, :name, :language_id
 
   attr_accessor :name, :language_id
 
diff --git a/app/models/taxon_concept.rb b/app/models/taxon_concept.rb
index 4b53f0296..61a51521d 100644
--- a/app/models/taxon_concept.rb
+++ b/app/models/taxon_concept.rb
@@ -84,15 +84,6 @@ class TaxonConcept < ApplicationRecord
       rank_name: :rank_name
     }
 
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :parent_id, :taxonomy_id, :rank_id,
-  #   :parent_id, :author_year, :taxon_name_id, :taxonomic_position,
-  #   :legacy_id, :legacy_type, :scientific_name, :name_status,
-  #   :tag_list, :legacy_trade_code, :hybrid_parents_ids,
-  #   :accepted_names_ids, :accepted_names_for_trade_name_ids,
-  #   :nomenclature_note_en, :nomenclature_note_es, :nomenclature_note_fr,
-  #   :created_by_id, :updated_by_id, :dependents_updated_at, :kew_id
-
   attr_writer :accepted_names_ids,
     :accepted_names_for_trade_name_ids,
     :hybrid_parents_ids
diff --git a/app/models/taxon_concept_reference.rb b/app/models/taxon_concept_reference.rb
index 3a0e5fe76..02716c9ee 100644
--- a/app/models/taxon_concept_reference.rb
+++ b/app/models/taxon_concept_reference.rb
@@ -34,10 +34,6 @@
 class TaxonConceptReference < ApplicationRecord
   include Changeable
   include TrackWhoDoesIt
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :reference_id, :taxon_concept_id, :is_standard, :is_cascaded,
-  #   :excluded_taxon_concepts_ids, :reference_attributes,
-  #   :created_by_id, :updated_by_id
 
   belongs_to :reference
   belongs_to :taxon_concept
diff --git a/app/models/taxon_concept_version.rb b/app/models/taxon_concept_version.rb
index 143db29f4..1155fa61e 100644
--- a/app/models/taxon_concept_version.rb
+++ b/app/models/taxon_concept_version.rb
@@ -24,13 +24,6 @@
 #  index_taxon_concept_versions_on_taxonomy_name_and_created_at  (taxonomy_name,created_at)
 #
 class TaxonConceptVersion < PaperTrail::Version
-  # Migrated to Strong Parameters
-  # attr_accessible :taxon_concept_id,
-  #   :taxonomy_name,
-  #   :full_name,
-  #   :author_year,
-  #   :name_status,
-  #   :rank_name
   self.table_name = :taxon_concept_versions
   self.sequence_name = :taxon_concept_versions_id_seq
 end
diff --git a/app/models/taxon_instrument.rb b/app/models/taxon_instrument.rb
index 8f1f10f42..5da70d940 100644
--- a/app/models/taxon_instrument.rb
+++ b/app/models/taxon_instrument.rb
@@ -29,8 +29,6 @@
 class TaxonInstrument < ApplicationRecord
   include Changeable
   include TrackWhoDoesIt
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :effective_from, :instrument_id, :taxon_concept_id
 
   belongs_to :instrument
   belongs_to :taxon_concept
diff --git a/app/models/taxon_name.rb b/app/models/taxon_name.rb
index 612878521..06a547f03 100644
--- a/app/models/taxon_name.rb
+++ b/app/models/taxon_name.rb
@@ -10,7 +10,6 @@
 
 class TaxonName < ApplicationRecord
   # Used by seed and rake task.
-  # attr_accessible :basionym_id, :scientific_name
 
   has_many :taxon_concepts, dependent: :destroy
 
diff --git a/app/models/taxon_relationship.rb b/app/models/taxon_relationship.rb
index ce55bb3df..48d060d93 100644
--- a/app/models/taxon_relationship.rb
+++ b/app/models/taxon_relationship.rb
@@ -31,9 +31,6 @@
 class TaxonRelationship < ApplicationRecord
   include Changeable
   include TrackWhoDoesIt
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :taxon_concept_id, :other_taxon_concept_id, :taxon_relationship_type_id,
-  #   :created_by_id, :updated_by_id
 
   belongs_to :taxon_relationship_type
   belongs_to :taxon_concept
diff --git a/app/models/taxon_relationship_type.rb b/app/models/taxon_relationship_type.rb
index c9e61c6d5..9c785bf37 100644
--- a/app/models/taxon_relationship_type.rb
+++ b/app/models/taxon_relationship_type.rb
@@ -12,7 +12,6 @@
 
 class TaxonRelationshipType < ApplicationRecord
   # Used by seed and rake task.
-  # attr_accessible :name, :is_intertaxonomic, :is_bidirectional
 
   include Dictionary
   build_dictionary :equal_to, :includes, :overlaps, :disjunct, :has_synonym,
diff --git a/app/models/taxonomy.rb b/app/models/taxonomy.rb
index 531806138..6a9f3e6f5 100644
--- a/app/models/taxonomy.rb
+++ b/app/models/taxonomy.rb
@@ -15,10 +15,9 @@
 class Taxonomy < ApplicationRecord
   include Deletable
   include Dictionary
+
   build_dictionary :cites_eu, :cms
 
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :name
   has_many :designations
   has_many :taxon_concepts
 
diff --git a/app/models/term_trade_codes_pair.rb b/app/models/term_trade_codes_pair.rb
index fdcfbce51..fa51a9223 100644
--- a/app/models/term_trade_codes_pair.rb
+++ b/app/models/term_trade_codes_pair.rb
@@ -24,9 +24,6 @@
 #
 
 class TermTradeCodesPair < ApplicationRecord
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :trade_code_id, :trade_code_type, :term_id
-
   belongs_to :term, class_name: 'TradeCode'
   belongs_to :trade_code, optional: true
 
diff --git a/app/models/trade/annual_report_upload.rb b/app/models/trade/annual_report_upload.rb
index 8ed02bd4f..e5aafc408 100644
--- a/app/models/trade/annual_report_upload.rb
+++ b/app/models/trade/annual_report_upload.rb
@@ -56,9 +56,6 @@ class Trade::AnnualReportUpload < ApplicationRecord
   include TrackWhoDoesIt
 
   # Suppose use in controller, but controller using strong parameters...
-  # attr_accessible :csv_source_file, :trading_country_id, :point_of_view,
-  #                 :submitted_at, :submitted_by_id, :number_of_rows,
-  #                 :number_of_records_submitted, :aws_storage_path
 
   mount_uploader :csv_source_file, Trade::CsvSourceFileUploader
   belongs_to :trading_country, class_name: 'GeoEntity'
diff --git a/app/models/trade/format_validation_rule.rb b/app/models/trade/format_validation_rule.rb
index 59a95efed..b2f778f0b 100644
--- a/app/models/trade/format_validation_rule.rb
+++ b/app/models/trade/format_validation_rule.rb
@@ -17,7 +17,6 @@
 
 class Trade::FormatValidationRule < Trade::ValidationRule
   # Only created by seed.
-  # attr_accessible :format_re
 
   def error_message
     column_names.join(', ') + ' must be formatted as ' + format_re
diff --git a/app/models/trade/inclusion_validation_rule.rb b/app/models/trade/inclusion_validation_rule.rb
index 346193fb2..a204e97ea 100644
--- a/app/models/trade/inclusion_validation_rule.rb
+++ b/app/models/trade/inclusion_validation_rule.rb
@@ -17,7 +17,6 @@
 
 class Trade::InclusionValidationRule < Trade::ValidationRule
   # Only created by seed.
-  # attr_accessible :valid_values_view
 
   def matching_records_for_aru_and_error(annual_report_upload, validation_error)
     # The format of validation_error.matching_criteria seems to vary - sometimes
diff --git a/app/models/trade/permit.rb b/app/models/trade/permit.rb
index 66c8eb760..a409db913 100644
--- a/app/models/trade/permit.rb
+++ b/app/models/trade/permit.rb
@@ -15,5 +15,4 @@
 
 class Trade::Permit < ApplicationRecord
   # app/models/trade/shipment.rb is the only place create this record.
-  # attr_accessible :number
 end
diff --git a/app/models/trade/sandbox_template.rb b/app/models/trade/sandbox_template.rb
index 573e23c15..2a61b6111 100644
--- a/app/models/trade/sandbox_template.rb
+++ b/app/models/trade/sandbox_template.rb
@@ -60,8 +60,8 @@ def self.ar_klass(table_name)
           has_paper_trail
 
           include ActiveModel::ForbiddenAttributesProtection
-          # Too dynamic, hard to trace where using it.
-          # attr_accessible :appendix,
+          # Previously, `attr_accesssible` was used here for:
+          #   :appendix,
           #   :taxon_name,
           #   :term_code,
           #   :quantity,
diff --git a/app/models/trade/shipment.rb b/app/models/trade/shipment.rb
index 081475049..325b54d4a 100644
--- a/app/models/trade/shipment.rb
+++ b/app/models/trade/shipment.rb
@@ -80,15 +80,6 @@
 
 class Trade::Shipment < ApplicationRecord
   include TrackWhoDoesIt
-  # Not sure where using this.
-  # attr_accessible :annual_report_upload_id, :appendix,
-  #   :country_of_origin_id, :origin_permit_id,
-  #   :exporter_id, :import_permit_id, :importer_id, :purpose_id,
-  #   :quantity, :reporter_type, :reported_by_exporter,
-  #   :source_id, :taxon_concept_id, :reported_taxon_concept_id,
-  #   :term_id, :unit_id, :year,
-  #   :import_permit_number, :export_permit_number, :origin_permit_number,
-  #   :ignore_warnings, :created_by_id, :updated_by_id
 
   attr_accessor :reporter_type, :warnings, :ignore_warnings
 
diff --git a/app/models/trade/taxon_concept_term_pair.rb b/app/models/trade/taxon_concept_term_pair.rb
index e923ed29e..dfda331d0 100644
--- a/app/models/trade/taxon_concept_term_pair.rb
+++ b/app/models/trade/taxon_concept_term_pair.rb
@@ -20,8 +20,6 @@
 #
 
 class Trade::TaxonConceptTermPair < ApplicationRecord
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :taxon_concept_id, :term_id
   validates :taxon_concept_id, uniqueness: { scope: :term_id }
 
   belongs_to :taxon_concept
diff --git a/app/models/trade/trade_data_download.rb b/app/models/trade/trade_data_download.rb
index 3a9ca7695..e6d90defa 100644
--- a/app/models/trade/trade_data_download.rb
+++ b/app/models/trade/trade_data_download.rb
@@ -26,9 +26,6 @@
 
 class Trade::TradeDataDownload < ApplicationRecord
   # Used by app/models/trade/trade_data_download_logger.rb
-  # attr_accessible :user_ip, :report_type, :year_from, :year_to, :taxon,
-  #  :appendix, :importer, :exporter, :origin, :term, :unit, :source, :purpose,
-  #  :number_of_rows, :city, :country, :organization
 
   after_commit :async_downloads_cache_cleanup, on: [ :create, :update ]
 
diff --git a/app/models/trade/validation_error.rb b/app/models/trade/validation_error.rb
index 7f45f3561..0f52424a2 100644
--- a/app/models/trade/validation_error.rb
+++ b/app/models/trade/validation_error.rb
@@ -28,6 +28,8 @@
 class Trade::ValidationError < ApplicationRecord
   include ActiveModel::Validations
 
+  # Used by app/models/trade/validation_rule.rb
+
   validates_each :matching_criteria, allow_blank: true do |record, attr, value|
     record.errors.add attr, "must be a Hash, got a #{value.class.name}" if !value.is_a? Hash
 
@@ -42,13 +44,4 @@ class Trade::ValidationError < ApplicationRecord
 
   belongs_to :annual_report_upload, class_name: 'Trade::AnnualReportUpload'
   belongs_to :validation_rule, class_name: 'Trade::ValidationRule'
-
-  # Used by app/models/trade/validation_rule.rb
-  # attr_accessible :annual_report_upload_id,
-  #   :validation_rule_id,
-  #   :matching_criteria,
-  #   :is_ignored,
-  #   :is_primary,
-  #   :error_message,
-  #   :error_count
 end
diff --git a/app/models/trade/validation_rule.rb b/app/models/trade/validation_rule.rb
index 8e7f86178..edeb0ec18 100644
--- a/app/models/trade/validation_rule.rb
+++ b/app/models/trade/validation_rule.rb
@@ -17,7 +17,6 @@
 
 class Trade::ValidationRule < ApplicationRecord
   # Used by seed.
-  # attr_accessible :column_names, :run_order, :is_primary, :scope, :is_strict
   serialize :scope, coder: ActiveRecord::Coders::NestedHstore
   has_many :validation_errors, class_name: 'Trade::ValidationError'
 
diff --git a/app/models/trade_code.rb b/app/models/trade_code.rb
index bb0ec878a..a956d9247 100644
--- a/app/models/trade_code.rb
+++ b/app/models/trade_code.rb
@@ -18,8 +18,7 @@
 
 class TradeCode < ApplicationRecord
   extend Mobility
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :code, :type, :name_en, :name_es, :name_fr
+
   translates :name
 
   has_many :taxon_concept_term_pairs,
diff --git a/app/models/trade_restriction.rb b/app/models/trade_restriction.rb
index 2c0af552a..dff1495ba 100644
--- a/app/models/trade_restriction.rb
+++ b/app/models/trade_restriction.rb
@@ -58,13 +58,6 @@
 class TradeRestriction < ApplicationRecord
   extend Mobility
   include TrackWhoDoesIt
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :end_date, :geo_entity_id, :is_current,
-  #   :notes, :publication_date, :purpose_ids, :quota, :type,
-  #   :source_ids, :start_date, :term_ids, :unit_id, :internal_notes,
-  #   :nomenclature_note_en, :nomenclature_note_es, :nomenclature_note_fr,
-  #   :created_by_id, :updated_by_id, :url,
-  #   :taxon_concept_id
 
   belongs_to :taxon_concept, optional: true
   belongs_to :m_taxon_concept, foreign_key: :taxon_concept_id, optional: true
diff --git a/app/models/trade_restriction_purpose.rb b/app/models/trade_restriction_purpose.rb
index a8e40fcf7..3b4604a32 100644
--- a/app/models/trade_restriction_purpose.rb
+++ b/app/models/trade_restriction_purpose.rb
@@ -28,7 +28,6 @@
 class TradeRestrictionPurpose < ApplicationRecord
   include TrackWhoDoesIt
   # Relationship model between TradeCode(purpose) and TradeRestriction
-  # attr_accessible :purpose_id, :trade_restriction_id
 
   belongs_to :trade_restriction
   belongs_to :purpose, class_name: 'TradeCode'
diff --git a/app/models/trade_restriction_source.rb b/app/models/trade_restriction_source.rb
index eaf84468f..3c28f876d 100644
--- a/app/models/trade_restriction_source.rb
+++ b/app/models/trade_restriction_source.rb
@@ -28,7 +28,6 @@
 class TradeRestrictionSource < ApplicationRecord
   include TrackWhoDoesIt
   # Relationship model between TradeCode(source) and TradeRestriction
-  # attr_accessible :source_id, :trade_restriction_id
 
   belongs_to :trade_restriction
   belongs_to :source, class_name: 'TradeCode'
diff --git a/app/models/trade_restriction_term.rb b/app/models/trade_restriction_term.rb
index 26e982e2c..7cfcbbbcb 100644
--- a/app/models/trade_restriction_term.rb
+++ b/app/models/trade_restriction_term.rb
@@ -28,7 +28,6 @@
 class TradeRestrictionTerm < ApplicationRecord
   include TrackWhoDoesIt
   # Relationship model between TradeCode(term) and TradeRestriction
-  # attr_accessible :term_id, :trade_restriction_id
   belongs_to :trade_restriction
   belongs_to :term, class_name: 'TradeCode'
 end
diff --git a/app/models/trade_restrictions/cites_suspension.rb b/app/models/trade_restrictions/cites_suspension.rb
index 3df4f0691..76e4df775 100644
--- a/app/models/trade_restrictions/cites_suspension.rb
+++ b/app/models/trade_restrictions/cites_suspension.rb
@@ -54,10 +54,7 @@
 
 class CitesSuspension < TradeRestriction
   include Changeable
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :start_notification_id, :end_notification_id,
-  #   :cites_suspension_confirmations_attributes,
-  #   :applies_to_import
+
   belongs_to :taxon_concept, optional: true
   belongs_to :start_notification, class_name: 'CitesSuspensionNotification'
   belongs_to :end_notification, class_name: 'CitesSuspensionNotification', optional: true
diff --git a/app/models/trade_restrictions/quota.rb b/app/models/trade_restrictions/quota.rb
index d51750deb..8346bf489 100644
--- a/app/models/trade_restrictions/quota.rb
+++ b/app/models/trade_restrictions/quota.rb
@@ -54,8 +54,6 @@
 
 class Quota < TradeRestriction
   include Changeable
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :public_display
 
   validates :quota, presence: true
   validates :quota, numericality: { greater_than_or_equal_to: -1.0 }
@@ -98,10 +96,8 @@ def self.count_matching(params)
           SQL
         ),
         year: params[:year].to_i,
-        excluded_geo_entities: params[:excluded_geo_entities_ids].present? ?
-          params[:excluded_geo_entities_ids].map(&:to_i) : nil,
-        included_geo_entities: params[:included_geo_entities_ids].present? ?
-          params[:included_geo_entities_ids].map(&:to_i) : nil,
+        excluded_geo_entities: (params[:excluded_geo_entities_ids].presence&.map(&:to_i)),
+        included_geo_entities: (params[:included_geo_entities_ids].presence&.map(&:to_i)),
         excluded_taxon_concepts: params[:excluded_taxon_concepts_ids].present? ?
           params[:excluded_taxon_concepts_ids].split(',').map(&:to_i) : nil,
         included_taxon_concepts: params[:included_taxon_concepts_ids].present? ?
diff --git a/app/models/user.rb b/app/models/user.rb
index 66fcf5e2c..bd3469f0f 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -35,10 +35,6 @@ class User < ApplicationRecord
 
   devise :database_authenticatable, :registerable, :recoverable, :rememberable,
     :trackable, :validatable
-  # Migrated to controller (Strong Parameters)
-  # attr_accessible :email, :name, :password, :password_confirmation,
-  #   :remember_me, :role, :terms_and_conditions, :is_cites_authority,
-  #   :organisation, :geo_entity_id, :is_active
 
   MANAGER = 'admin'
   CONTRIBUTOR = 'default' # nonsense
diff --git a/app/models/year_annual_reports_by_country.rb b/app/models/year_annual_reports_by_country.rb
index 0467974f1..c4b6f3c69 100644
--- a/app/models/year_annual_reports_by_country.rb
+++ b/app/models/year_annual_reports_by_country.rb
@@ -11,5 +11,4 @@
 
 class YearAnnualReportsByCountry < ApplicationRecord
   # No idea where using this.
-  # attr_accessible :no, :name_en, :year, :reporter_type, :year_created
 end
diff --git a/app/services/document_batch.rb b/app/services/document_batch.rb
index 03bc24734..6664a9eeb 100644
--- a/app/services/document_batch.rb
+++ b/app/services/document_batch.rb
@@ -18,6 +18,7 @@ def save
     return false unless valid?
 
     success = true
+
     Document.transaction do
       @documents.each do |d|
         unless d.save
@@ -26,6 +27,7 @@ def save
       end
       raise ActiveRecord::Rollback unless success
     end
+
     success
   end
 
@@ -37,18 +39,19 @@ def persisted?
 
   def initialize_documents(documents_attributes, files)
     @documents = []
+
     if documents_attributes && files
       for idx in 0..(files.length - 1) do
         document_params =
           if files[idx].respond_to?(:read) # Filter out invalid params for ActiveStorage.
             {
-              type: documents_attributes[idx.to_s][:type],
+              type: documents_attributes[idx][:type],
               file: files[idx],
               title: document_title(files[idx])
             }
           else
             {
-              type: documents_attributes[idx.to_s][:type],
+              type: documents_attributes[idx][:type]
             }
           end
         @documents.push(Document.new(common_attributes.merge(document_params)))
@@ -71,6 +74,7 @@ def common_attributes
 
   def document_title(file)
     original_filename = file.is_a?(Hash) ? file[:filename].original_filename : file.original_filename
+
     File.basename(original_filename, File.extname(original_filename))
   end
 end
diff --git a/lib/modules/trade/grouping/base.rb b/lib/modules/trade/grouping/base.rb
index 13751bc46..1107286c6 100644
--- a/lib/modules/trade/grouping/base.rb
+++ b/lib/modules/trade/grouping/base.rb
@@ -3,7 +3,7 @@ class Trade::Grouping::Base
 
   TAXONOMIC_GROUPING = 'lib/data/group_conversions.csv'.freeze
 
-  YEARS = (2012..Date.today.year - 1).to_a
+  YEARS = (2012..(Date.today.year - 1)).to_a
 
   # Example usage
   # Group by year considering compliance types:
diff --git a/spec/controllers/admin/change_types_controller_spec.rb b/spec/controllers/admin/change_types_controller_spec.rb
index 775a0f8b4..c4910d326 100644
--- a/spec/controllers/admin/change_types_controller_spec.rb
+++ b/spec/controllers/admin/change_types_controller_spec.rb
@@ -10,11 +10,15 @@
       change_type2_1 = create(:change_type, designation: designation2, name: 'ADD')
       change_type2_2 = create(:change_type, designation: designation2, name: 'DEL')
       change_type1 = create(:change_type, designation: designation1, name: 'ADD')
+
       get :index
+
       expect(assigns(:change_types)).to eq([ change_type1, change_type2_1, change_type2_2 ])
     end
+
     it 'renders the index template' do
       get :index
+
       expect(response).to render_template('index')
     end
   end
@@ -22,30 +26,39 @@
   describe 'XHR POST create' do
     it 'renders create when successful' do
       post :create, params: { change_type: build_attributes(:change_type) }, xhr: true
+
       expect(response).to render_template('create')
     end
+
     it 'renders new when not successful' do
-      post :create, params: { change_type: { dummy: 'test' } }, xhr: true
+      post :create, params: { change_type: { designation_id: 0 } }, xhr: true
+
       expect(response).to render_template('new')
     end
   end
 
   describe 'XHR PUT update' do
     let(:change_type) { create(:change_type) }
+
     it 'responds with 200 when successful' do
       put :update, format: 'json', params: { id: change_type.id, change_type: { name: 'ZZ' } }, xhr: true
+
       expect(response).to be_successful
     end
+
     it 'responds with json when not successful' do
       put :update, format: 'json', params: { id: change_type.id, change_type: { name: nil } }, xhr: true
+
       expect(response.parsed_body).to include('errors')
     end
   end
 
   describe 'DELETE destroy' do
     let(:change_type) { create(:change_type) }
+
     it 'redirects after delete' do
       delete :destroy, params: { id: change_type.id }
+
       expect(response).to redirect_to(admin_change_types_url)
     end
   end
diff --git a/spec/controllers/admin/cites_cops_controller_spec.rb b/spec/controllers/admin/cites_cops_controller_spec.rb
index 5c59dcd27..e98266aba 100644
--- a/spec/controllers/admin/cites_cops_controller_spec.rb
+++ b/spec/controllers/admin/cites_cops_controller_spec.rb
@@ -12,10 +12,13 @@
     describe 'GET index' do
       it 'assigns @cites_cops sorted by name' do
         get :index
+
         expect(assigns(:cites_cops)).to eq([ @cites_cop2, @cites_cop1 ])
       end
+
       it 'renders the index template' do
         get :index
+
         expect(response).to render_template('index')
       end
     end
diff --git a/spec/controllers/admin/cites_suspensions_controller_spec.rb b/spec/controllers/admin/cites_suspensions_controller_spec.rb
index 7cf7cf317..d3c6da2df 100644
--- a/spec/controllers/admin/cites_suspensions_controller_spec.rb
+++ b/spec/controllers/admin/cites_suspensions_controller_spec.rb
@@ -46,7 +46,8 @@
       end
     end
     it 'renders new when not successful' do
-      post :create, params: { cites_suspension: { dummy: 'test' } }
+      post :create, params: { cites_suspension: { notes: 'DUMMY' } }
+
       expect(response).to render_template('new')
     end
   end
diff --git a/spec/controllers/admin/designations_controller_spec.rb b/spec/controllers/admin/designations_controller_spec.rb
index 4322d8584..16db14429 100644
--- a/spec/controllers/admin/designations_controller_spec.rb
+++ b/spec/controllers/admin/designations_controller_spec.rb
@@ -8,19 +8,23 @@
       @designation1 = create(:designation, name: 'BB', taxonomy: create(:taxonomy))
       @designation2 = create(:designation, name: 'AA', taxonomy: create(:taxonomy))
     end
+
     describe 'GET index' do
       it 'assigns @designations sorted by name' do
         get :index
         expect(assigns(:designations)).to eq([ @designation2, @designation1 ])
       end
+
       it 'renders the index template' do
         get :index
         expect(response).to render_template('index')
       end
     end
+
     describe 'XHR GET index JSON' do
       it 'renders json for dropdown' do
         get :index, format: 'json', xhr: true
+
         expect(response.body).to have_json_size(2)
         expect(parse_json(response.body, '0/text')).to eq('AA')
       end
@@ -30,30 +34,39 @@
   describe 'XHR POST create' do
     it 'renders create when successful' do
       post :create, params: { designation: build_attributes(:designation) }, xhr: true
+
       expect(response).to render_template('create')
     end
+
     it 'renders new when not successful' do
-      post :create, params: { designation: { dummy: 'test' } }, xhr: true
+      post :create, params: { designation: { name: nil } }, xhr: true
+
       expect(response).to render_template('new')
     end
   end
 
   describe 'XHR PUT update' do
     let(:designation) { create(:designation) }
+
     it 'responds with 200 when successful' do
       put :update, format: 'json', params: { id: designation.id, designation: { name: 'ZZ' } }, xhr: true
+
       expect(response).to be_successful
     end
+
     it 'responds with json when not successful' do
       put :update, format: 'json', params: { id: designation.id, designation: { name: nil } }, xhr: true
+
       expect(response.parsed_body).to include('errors')
     end
   end
 
   describe 'DELETE destroy' do
     let(:designation) { create(:designation) }
+
     it 'redirects after delete' do
       delete :destroy, params: { id: designation.id }
+
       expect(response).to redirect_to(admin_designations_url)
     end
   end
diff --git a/spec/controllers/admin/document_batches_controller_spec.rb b/spec/controllers/admin/document_batches_controller_spec.rb
index a24db8b0e..b23517c82 100644
--- a/spec/controllers/admin/document_batches_controller_spec.rb
+++ b/spec/controllers/admin/document_batches_controller_spec.rb
@@ -3,20 +3,26 @@
 describe Admin::DocumentBatchesController, sidekiq: :inline do
   login_admin
   let(:event) { create(:event) }
-  before(:each) { create(:language, iso_code1: 'EN') }
+
+  before { create(:language, iso_code1: 'EN') }
 
   describe 'GET new' do
     context 'when no event' do
       let(:document) { create(:document) }
+
       it 'renders the new template' do
         get :new
+
         expect(response).to render_template('new')
       end
     end
+
     context 'when event' do
       let(:document) { create(:document, event_id: event.id) }
+
       it 'renders the new template' do
         get :new
+
         expect(response).to render_template('new')
       end
     end
@@ -24,10 +30,17 @@
 
   describe 'POST create' do
     let(:document_attrs) do
-      { 'type' => 'Document::Proposal' }
+      { type: 'Document::Proposal' }
     end
+
     let(:files) do
-      [ Rack::Test::UploadedFile.new(Rails.root.join('spec/support/annual_report_upload_exporter.csv').to_s) ]
+      [
+        Rack::Test::UploadedFile.new(
+          Rails.root.join(
+            'spec/support/annual_report_upload_exporter.csv'
+          ).to_s
+        )
+      ]
     end
 
     context 'when no event' do
@@ -35,39 +48,53 @@
 
       it 'creates a new Document' do
         expect do
-          post :create, params: {
-            document_batch: {
-              date: Date.today, documents_attributes: { '0' => document_attrs }, files: files
+          post :create,
+            params: {
+              document_batch: {
+                date: Date.today,
+                documents_attributes: [ document_attrs ],
+                files: files
+              }
             }
-          }
         end.to change(Document, :count).by(1)
       end
 
       it 'redirects to index when successful' do
-        post :create, params: {
-          document_batch: {
-            date: Date.today, documents_attributes: { '0' => document_attrs }, files: files
+        post :create,
+          params: {
+            document_batch: {
+              date: Date.today,
+              documents_attributes: [ document_attrs ],
+              files: files
+            }
           }
-        }
+
         expect(response).to redirect_to(admin_documents_url)
       end
 
-      it 'does not create a new Document' do
+      it 'does not create a new Document without a date' do
         expect do
-          post :create, params: {
-            document_batch: {
-              date: nil, documents_attributes: { '0' => document_attrs }, files: files
+          post :create,
+            params: {
+              document_batch: {
+                date: nil,
+                documents_attributes: [ document_attrs ],
+                files: files
+              }
             }
-          }
-        end.to change(Document, :count).by(0)
+        end.not_to change(Document, :count)
       end
 
       it 'renders new when not successful' do
-        post :create, params: {
-          document_batch: {
-            date: nil, documents_attributes: { '0' => document_attrs }, files: files
+        post :create,
+          params: {
+            document_batch: {
+              date: nil,
+              documents_attributes: [ document_attrs ],
+              files: files
+            }
           }
-        }
+
         expect(response).to render_template('new')
       end
     end
@@ -76,20 +103,28 @@
       let(:document) { create(:document, event_id: event.id) }
 
       it 'redirects to index when successful' do
-        post :create, params: {
-          event_id: event.id, document_batch: {
-            date: Date.today, documents_attributes: { '0' => document_attrs }, files: files
+        post :create,
+          params: {
+            event_id: event.id, document_batch: {
+              date: Date.today,
+              documents_attributes: [ document_attrs ],
+              files: files
+            }
           }
-        }
+
         expect(response).to redirect_to(admin_event_documents_url(event))
       end
 
       it 'renders new when not successful' do
-        post :create, params: {
-          event_id: event.id, document_batch: {
-            date: nil, documents_attributes: { '0' => document_attrs }, files: files
+        post :create,
+          params: {
+            event_id: event.id, document_batch: {
+              date: nil,
+              documents_attributes: [ document_attrs ],
+              files: files
+            }
           }
-        }
+
         expect(response).to render_template('new')
       end
     end
diff --git a/spec/controllers/admin/documents_controller_spec.rb b/spec/controllers/admin/documents_controller_spec.rb
index 454369c35..7f90d2778 100644
--- a/spec/controllers/admin/documents_controller_spec.rb
+++ b/spec/controllers/admin/documents_controller_spec.rb
@@ -11,9 +11,10 @@
   let(:process_stage) { create(:process_stage) }
 
   describe 'index' do
-    before(:each) do
+    before do
       @document1 = create(:document, title: 'BB hello world', event: event)
       @document2 = create(:document, title: 'AA goodbye world', event: event)
+
       @public_document = create(:document, title: 'DD public document', event: event, is_public: true)
       create(:document_citation, document_id: @document1.id, taxon_concepts: [ taxon_concept ])
       create(:document_citation, document_id: @document2.id, geo_entities: [ geo_entity ])
@@ -22,8 +23,10 @@
 
     describe 'GET index' do
       login_admin
-      before(:each) do
+
+      before do
         @document3 = create(:document, title: 'CC no event!', date: DateTime.new(2014, 01, 01))
+
         DocumentSearch.refresh_citations_and_documents
       end
 
@@ -37,59 +40,86 @@
       context 'search' do
         it 'runs a full text search on title' do
           get :index, params: { 'title_query' => 'good' }
+
           expect(assigns(:documents).map(&:id)).to eq([ @document2 ].map(&:id))
         end
+
         it 'retrieves documents inclusive of the given start date' do
           get :index, params: { 'document_date_start' => '25/12/2014' }
+
           expect(assigns(:documents).map(&:id)).to eq([ @public_document, @document2, @document1 ].map(&:id))
         end
+
         it 'retrieves documents inclusive of the given end date' do
           get :index, params: { 'document_date_end' => '01/01/2014' }
+
           expect(assigns(:documents).map(&:id)).to eq([ @document3 ].map(&:id))
         end
+
         it 'retrieves documents after the given date' do
           get :index, params: { 'document_date_start' => '10/01/2014' }
+
           expect(assigns(:documents).map(&:id)).to eq([ @public_document, @document2, @document1 ].map(&:id))
         end
+
         it 'retrieves documents before the given date' do
           get :index, params: { 'document_date_end' => '10/01/2014' }
+
           expect(assigns(:documents).map(&:id)).to eq([ @document3 ].map(&:id))
         end
+
         it 'ignores invalid dates' do
           get :index, params: { 'document_date_start' => '34/24/12', 'document_date_end' => '34/24/12' }
+
           expect(assigns(:documents).map(&:id)).to eq([ @document3, @public_document, @document2, @document1 ].map(&:id))
         end
+
         it 'retrieves documents for taxon concept' do
           get :index, params: { 'taxon_concepts_ids' => taxon_concept.id }
+
           expect(assigns(:documents).map(&:id)).to eq([ @public_document, @document1 ].map(&:id))
         end
+
         it 'retrieves documents for geo entity' do
           get :index, params: { 'geo_entities_ids' => [ geo_entity.id ] }
+
           expect(assigns(:documents).map(&:id)).to eq([ @document2 ].map(&:id))
         end
+
         context 'by proposal outcome' do
-          before(:each) do
+          before do
             @document3 = create(:proposal, event: create_cites_cop(published_at: DateTime.new(2014, 01, 01)))
+
             create(:proposal_details, document_id: @document3.id, proposal_outcome_id: proposal_outcome.id)
+
             DocumentSearch.refresh_citations_and_documents
           end
+
           it 'retrieves documents for tag' do
             get :index, params: { 'document_tags_ids' => [ proposal_outcome.id ] }
+
             expect(assigns(:documents).map(&:id)).to eq([ @document3 ].map(&:id))
           end
         end
+
         context 'by document tags' do
-          before(:each) do
+          before do
             @document3 = create(:review_of_significant_trade, event: create_ec_srg(published_at: DateTime.new(2014, 01, 01)))
+
             create(:review_details, document_id: @document3.id, review_phase_id: review_phase.id, process_stage_id: process_stage.id)
+
             DocumentSearch.refresh_citations_and_documents
           end
+
           it 'retrieves documents for review_phase tag' do
             get :index, params: { 'document_tags_ids' => [ review_phase.id ] }
+
             expect(assigns(:documents).map(&:id)).to eq([ @document3 ].map(&:id))
           end
+
           it 'retrieves documents for process_stage tag' do
             get :index, params: { 'document_tags_ids' => [ process_stage.id ] }
+
             expect(assigns(:documents).map(&:id)).to eq([ @document3 ].map(&:id))
           end
         end
@@ -98,6 +128,7 @@
       context 'when no event' do
         it 'renders the index template' do
           get :index
+
           expect(response).to render_template('index')
         end
       end
@@ -105,17 +136,24 @@
       context 'when event' do
         it 'renders the event/documents/index template' do
           get :index, params: { events_ids: [ event.id ] }
+
           expect(response).to render_template('admin/event_documents/index')
         end
+
         it 'assigns @documents for event, sorted by title' do
           @document3 = create(:document, title: 'CC hello world', event: event2)
+
           DocumentSearch.refresh_citations_and_documents
+
           get :index, params: { events_ids: [ event.id, event2.id ] }
+
           expect(assigns(:documents).map(&:id)).to eq([ @document3, @document2, @document1, @public_document ].map(&:id))
         end
       end
+
       context 'when secretariat is logged in' do
         login_secretariat_user
+
         it 'returns only public documents' do
           get :index
           expect(assigns(:documents).map(&:id)).to eq([ @public_document ].map(&:id))
@@ -126,6 +164,7 @@
 
   describe 'GET edit' do
     login_admin
+
     let(:document_tags) { [ create(:document_tag) ] }
     let(:document) { create(:document, tags: document_tags) }
 
@@ -137,28 +176,37 @@
 
   describe 'PUT update' do
     login_admin
+
     context 'when no event' do
       let(:document) { create(:document) }
+
       it 'redirects to index when successful' do
         put :update, params: { id: document.id, document: { date: Date.today } }
+
         expect(response).to redirect_to(admin_documents_url)
         expect(flash[:notice]).not_to be_nil
       end
+
       it 'renders new when not successful' do
-        put :update, params: { id: document.id, document: { date: nil } }
+        put :update, params: { id: document.id, document: { date: 'Not a valid date' } }
+
         expect(response).to render_template('new')
       end
     end
 
     context 'when event' do
       let(:document) { create(:document, event_id: event.id) }
+
       it 'redirects to index when successful' do
         put :update, params: { id: document.id, event_id: event.id, document: { date: Date.today } }
+
         expect(response).to redirect_to(admin_event_documents_url(event))
         expect(flash[:notice]).not_to be_nil
       end
+
       it 'renders new when not successful' do
-        put :update, params: { id: document.id, event_id: event.id, document: { date: nil } }
+        put :update, params: { id: document.id, event_id: event.id, document: { date: 'Not a valid date' } }
+
         expect(response).to render_template('new')
       end
     end
@@ -170,35 +218,41 @@
       let(:recommended_category) { 'A wonderful category' }
 
       it 'assign review phase to Review' do
-        put :update, params: {
-          id: document.id, document: {
-            date: Date.today, review_details_attributes: { review_phase_id: review_phase.id }
+        put :update,
+          params: {
+            id: document.id, document: {
+              date: Date.today,
+              review_details_attributes: { review_phase_id: review_phase.id }
+            }
           }
-        }
-        expect(response).to redirect_to(admin_documents_url)
 
+        expect(response).to redirect_to(admin_documents_url)
         expect(document.reload.review_details.review_phase_id).to eq(review_phase.id)
       end
 
       it 'assign process stage to Review' do
-        put :update, params: {
-          id: document.id, document: {
-            date: Date.today, review_details_attributes: { process_stage_id: process_stage.id }
+        put :update,
+          params: {
+            id: document.id,
+            document: {
+              date: Date.today,
+              review_details_attributes: { process_stage_id: process_stage.id }
+            }
           }
-        }
-        expect(response).to redirect_to(admin_documents_url)
 
+        expect(response).to redirect_to(admin_documents_url)
         expect(document.reload.review_details.process_stage_id).to eq(process_stage.id)
       end
 
       it 'assign recommended category to Review' do
         put :update, params: {
           id: document.id, document: {
-            date: Date.today, review_details_attributes: { recommended_category: recommended_category }
+            date: Date.today,
+            review_details_attributes: { recommended_category: recommended_category }
           }
         }
-        expect(response).to redirect_to(admin_documents_url)
 
+        expect(response).to redirect_to(admin_documents_url)
         expect(document.reload.review_details.recommended_category).to eq(recommended_category)
       end
     end
@@ -208,13 +262,15 @@
       let(:proposal_outcome) { create(:document_tag, type: 'DocumentTag::ProposalOutcome') }
 
       it 'assign outcome to Proposal' do
-        put :update, params: {
-          id: document.id, document: {
-            date: Date.today, proposal_details_attributes: { proposal_outcome_id: proposal_outcome.id }
+        put :update,
+          params: {
+            id: document.id, document: {
+              date: Date.today,
+              proposal_details_attributes: { proposal_outcome_id: proposal_outcome.id }
+            }
           }
-        }
-        expect(response).to redirect_to(admin_documents_url)
 
+        expect(response).to redirect_to(admin_documents_url)
         expect(document.reload.proposal_details.proposal_outcome_id).to eq(proposal_outcome.id)
       end
     end
@@ -224,17 +280,18 @@
       let(:proposal_outcome) { create(:document_tag, type: 'DocumentTag::ProposalOutcome') }
 
       it 'assigns a taxon' do
-        put :update, params: {
-          id: document.id,
-          document: {
-            date: Date.today,
-            citations_attributes: [
-              {
-                stringy_taxon_concept_ids: taxon_concept.id
-              }
-            ]
+        put :update,
+          params: {
+            id: document.id,
+            document: {
+              date: Date.today,
+              citations_attributes: [
+                {
+                  stringy_taxon_concept_ids: taxon_concept.id
+                }
+              ]
+            }
           }
-        }
 
         expect(document.reload.citations.length).to eq(1)
         expect(document.reload.citations[0].taxon_concepts.length).to eq(1)
@@ -242,17 +299,18 @@
       end
 
       it 'assigns multiple taxa' do
-        put :update, params: {
-          id: document.id,
-          document: {
-            date: Date.today,
-            citations_attributes: [
-              {
-                stringy_taxon_concept_ids: "#{taxon_concept.id},#{taxon_concept2.id}"
-              }
-            ]
+        put :update,
+          params: {
+            id: document.id,
+            document: {
+              date: Date.today,
+              citations_attributes: [
+                {
+                  stringy_taxon_concept_ids: "#{taxon_concept.id},#{taxon_concept2.id}"
+                }
+              ]
+            }
           }
-        }
 
         expect(document.reload.citations.length).to eq(1)
         expect(document.reload.citations[0].taxon_concepts.length).to eq(2)
@@ -270,17 +328,18 @@
       end
 
       it 'assigns a geo_entity_id' do
-        put :update, params: {
-          id: document.id,
-          document: {
-            date: Date.today,
-            citations_attributes: [
-              {
-                geo_entity_ids: [ geo_entity.id ]
-              }
-            ]
+        put :update,
+          params: {
+            id: document.id,
+            document: {
+              date: Date.today,
+              citations_attributes: [
+                {
+                  geo_entity_ids: [ geo_entity.id ]
+                }
+              ]
+            }
           }
-        }
 
         expect(document.reload.citations.length).to eq(1)
         expect(document.reload.citations[0].geo_entities.length).to eq(1)
@@ -298,11 +357,13 @@
         geo_entity_type: country_geo_entity_type
       )
     end
+
     let(:document) do
       document = create(:document)
       document.citations << DocumentCitation.new(geo_entity_ids: [ poland.id ])
       document
     end
+
     it 'redirects after delete' do
       delete :destroy, params: { id: document.id }
       expect(response).to redirect_to(admin_documents_url)
@@ -311,6 +372,7 @@
 
   describe 'XHR GET JSON autocomplete' do
     login_admin
+
     let!(:document) do
       create(
         :document,
@@ -318,11 +380,13 @@
         event_id: event.id
       )
     end
+
     let!(:document2) { create(:document, title: 'Title2') }
 
     context 'When no event specified' do
       it 'returns properly formatted json' do
         get :autocomplete, format: 'json', params: { title: 'tit' }, xhr: true
+
         expect(response.body).to have_json_size(2)
         expect(parse_json(response.body, '0/title')).to eq('Title')
         expect(parse_json(response.body, '1/title')).to eq('Title2')
@@ -332,6 +396,7 @@
     context 'When an event is specified' do
       it 'returns properly formatted json' do
         get :autocomplete, format: 'json', params: { title: 'tit', event_id: event.id }, xhr: true
+
         expect(response.body).to have_json_size(1)
         expect(parse_json(response.body, '0/title')).to eq('Title')
       end
diff --git a/spec/controllers/admin/eu_opinions_controller_spec.rb b/spec/controllers/admin/eu_opinions_controller_spec.rb
index 313d8e189..5abd2395c 100644
--- a/spec/controllers/admin/eu_opinions_controller_spec.rb
+++ b/spec/controllers/admin/eu_opinions_controller_spec.rb
@@ -11,10 +11,13 @@
   describe 'GET index' do
     it 'renders the index template' do
       get :index, params: { taxon_concept_id: @taxon_concept.id }
+
       expect(response).to render_template('index')
     end
+
     it 'renders the taxon_concepts_layout' do
       get :index, params: { taxon_concept_id: @taxon_concept.id }
+
       expect(response).to render_template('layouts/taxon_concepts')
     end
   end
@@ -22,12 +25,16 @@
   describe 'GET new' do
     it 'renders the new template' do
       get :new, params: { taxon_concept_id: @taxon_concept.id }
+
       expect(response).to render_template('new')
     end
+
     it 'assigns @geo_entities (country and territory) with two objects' do
       create(:geo_entity, geo_entity_type_id: territory_geo_entity_type.id)
       create(:geo_entity)
+
       get :new, params: { taxon_concept_id: @taxon_concept.id }
+
       expect(assigns(:geo_entities).size).to eq(2)
     end
   end
@@ -38,39 +45,50 @@
         @eu_decision_type = create(:eu_decision_type)
         @srg_history = create(:srg_history)
       end
+
       context 'when intersessional document is present' do
         before do
           @document = create(:commission_note)
         end
+
         it 'redirects to the EU Opinions index' do
-          post :create, params: {
-            eu_opinion: {
-              eu_decision_type_id: @eu_decision_type.id,
-              srg_history_id: @srg_history.id,
-              start_date: Date.today,
-              document_id: @document.id,
-              geo_entity_id: create(
-                :geo_entity, geo_entity_type_id: country_geo_entity_type.id
-              )
-            }, taxon_concept_id: @taxon_concept.id
-          }
-          expect(response).to redirect_to(admin_taxon_concept_eu_opinions_url(@taxon_concept))
+          post :create,
+            params: {
+              eu_opinion: {
+                eu_decision_type_id: @eu_decision_type.id,
+                srg_history_id: @srg_history.id,
+                start_date: Date.today,
+                document_id: @document.id,
+                geo_entity_id: create(
+                  :geo_entity, geo_entity_type_id: country_geo_entity_type.id
+                )
+              }, taxon_concept_id: @taxon_concept.id
+            }
+
+          expect(response).to redirect_to(
+            admin_taxon_concept_eu_opinions_url(@taxon_concept)
+          )
         end
       end
+
       context 'when event is present' do
         it 'redirects to the EU Opinions index' do
-          post :create, params: {
-            eu_opinion: {
-              eu_decision_type_id: @eu_decision_type.id,
-              srg_history_id: @srg_history.id,
-              start_date: Date.today,
-              start_event_id: @eu_regulation.id,
-              geo_entity_id: create(
-                :geo_entity, geo_entity_type_id: country_geo_entity_type.id
-              )
-            }, taxon_concept_id: @taxon_concept.id
-          }
-          expect(response).to redirect_to(admin_taxon_concept_eu_opinions_url(@taxon_concept))
+          post :create,
+            params: {
+              eu_opinion: {
+                eu_decision_type_id: @eu_decision_type.id,
+                srg_history_id: @srg_history.id,
+                start_date: Date.today,
+                start_event_id: @eu_regulation.id,
+                geo_entity_id: create(
+                  :geo_entity, geo_entity_type_id: country_geo_entity_type.id
+                )
+              }, taxon_concept_id: @taxon_concept.id
+            }
+
+          expect(response).to redirect_to(
+            admin_taxon_concept_eu_opinions_url(@taxon_concept)
+          )
         end
       end
     end
@@ -78,32 +96,38 @@
     context 'when not successful' do
       it 'renders new' do
         post :create, params: { eu_opinion: { dummy: 'test' }, taxon_concept_id: @taxon_concept.id }
+
         expect(response).to render_template('new')
       end
     end
   end
 
   describe 'GET edit' do
-    before(:each) do
+    before do
       @eu_opinion = create(
         :eu_opinion,
         taxon_concept_id: @taxon_concept.id,
         start_event_id: @eu_regulation.id
       )
     end
+
     it 'renders the edit template' do
       get :edit, params: { id: @eu_opinion.id, taxon_concept_id: @taxon_concept.id, start_event_id: @eu_regulation.id }
+
       expect(response).to render_template('edit')
     end
+
     it 'assigns @geo_entities' do
       territory = create(:geo_entity, geo_entity_type_id: territory_geo_entity_type.id)
+
       get :edit, params: { id: @eu_opinion.id, taxon_concept_id: @taxon_concept.id, start_event_id: @eu_regulation.id }
+
       expect(assigns(:geo_entities)).to include(territory)
     end
   end
 
   describe 'PUT update' do
-    before(:each) do
+    before do
       @eu_opinion = create(
         :eu_opinion,
         taxon_concept_id: @taxon_concept.id,
@@ -117,12 +141,14 @@
     context 'when successful' do
       context 'when eu decision type is present' do
         it 'renders taxon_concepts EU Opinions page' do
-          put :update, params: {
-            eu_opinion: {
-              eu_decision_type_id: @eu_decision_type.id,
-              start_event_id: @eu_regulation.id
-            }, id: @eu_opinion.id, taxon_concept_id: @taxon_concept.id
-          }
+          put :update,
+            params: {
+              eu_opinion: {
+                eu_decision_type_id: @eu_decision_type.id,
+                start_event_id: @eu_regulation.id
+              }, id: @eu_opinion.id, taxon_concept_id: @taxon_concept.id
+            }
+
           expect(response).to redirect_to(
             admin_taxon_concept_eu_opinions_url(@taxon_concept)
           )
@@ -131,13 +157,17 @@
 
       context 'when eu decision type is not present' do
         it 'renders taxon_concepts EU Opinions page' do
-          put :update, params: {
-            eu_opinion: {
-              eu_decision_type_id: nil,
-              srg_history_id: @srg_history.id,
-              start_event_id: @eu_regulation.id
-            }, id: @eu_opinion.id, taxon_concept_id: @taxon_concept.id
-          }
+          put :update,
+            params: {
+              eu_opinion: {
+                eu_decision_type_id: nil,
+                srg_history_id: @srg_history.id,
+                start_event_id: @eu_regulation.id
+              },
+              id: @eu_opinion.id,
+              taxon_concept_id: @taxon_concept.id
+            }
+
           expect(response).to redirect_to(
             admin_taxon_concept_eu_opinions_url(@taxon_concept)
           )
@@ -146,12 +176,14 @@
 
       context 'when event is present' do
         it 'renders taxon_concepts EU Opinions page' do
-          put :update, params: {
-            eu_opinion: {
-              eu_decision_type_id: @eu_decision_type.id,
-              start_event_id: @eu_regulation.id
-            }, id: @eu_opinion.id, taxon_concept_id: @taxon_concept.id
-          }
+          put :update,
+            params: {
+              eu_opinion: {
+                eu_decision_type_id: @eu_decision_type.id,
+                start_event_id: @eu_regulation.id
+              }, id: @eu_opinion.id, taxon_concept_id: @taxon_concept.id
+            }
+
           expect(response).to redirect_to(
             admin_taxon_concept_eu_opinions_url(@taxon_concept)
           )
@@ -160,13 +192,17 @@
 
       context 'when event is not present' do
         it 'renders taxon_concepts EU Opinions page' do
-          put :update, params: {
-            eu_opinion: {
-              eu_decision_type_id: @eu_decision_type.id,
-              start_event_id: nil,
-              document_id: @document.id
-            }, id: @eu_opinion.id, taxon_concept_id: @taxon_concept.id
-          }
+          put :update,
+            params: {
+              eu_opinion: {
+                eu_decision_type_id: @eu_decision_type.id,
+                start_event_id: nil,
+                document_id: @document.id
+              },
+              id: @eu_opinion.id,
+              taxon_concept_id: @taxon_concept.id
+            }
+
           expect(response).to redirect_to(
             admin_taxon_concept_eu_opinions_url(@taxon_concept)
           )
@@ -177,27 +213,35 @@
     context 'when not successful' do
       context 'when eu decision type is present' do
         it 'renders new' do
-          put :update, params: {
-            eu_opinion: {
-              eu_decision_type_id: @eu_decision_type.id,
-              start_event_id: @eu_regulation.id,
-              start_date: nil
-            }, id: @eu_opinion.id, taxon_concept_id: @taxon_concept.id
-          }
+          put :update,
+            params: {
+              eu_opinion: {
+                eu_decision_type_id: @eu_decision_type.id,
+                start_event_id: @eu_regulation.id,
+                start_date: nil
+              },
+              id: @eu_opinion.id,
+              taxon_concept_id: @taxon_concept.id
+            }
+
           expect(response).to render_template('new')
         end
       end
 
       context 'when eu decision type is not present' do
         it 'renders new' do
-          put :update, params: {
-            eu_opinion: {
-              eu_decision_type_id: nil,
-              srg_history_id: @srg_history.id,
-              start_event_id: @eu_regulation.id,
-              start_date: nil
-            }, id: @eu_opinion.id, taxon_concept_id: @taxon_concept.id
-          }
+          put :update,
+            params: {
+              eu_opinion: {
+                eu_decision_type_id: nil,
+                srg_history_id: @srg_history.id,
+                start_event_id: @eu_regulation.id,
+                start_date: nil
+              },
+              id: @eu_opinion.id,
+              taxon_concept_id: @taxon_concept.id
+            }
+
           expect(response).to render_template('new')
         end
       end
@@ -205,83 +249,109 @@
 
     context 'when both eu_decision_type and srg_history are empty' do
       it 'renders new' do
-        put :update, params: {
-          eu_opinion: {
-            eu_decision_type_id: nil,
-            srg_history_id: nil,
-            start_date: nil
-          }, id: @eu_opinion.id, taxon_concept_id: @taxon_concept.id
-        }
+        put :update,
+          params: {
+            eu_opinion: {
+              eu_decision_type_id: nil,
+              srg_history_id: nil,
+              start_date: nil
+            },
+            id: @eu_opinion.id,
+            taxon_concept_id: @taxon_concept.id
+          }
+
         expect(response).to render_template('new')
       end
     end
 
     context 'when event is present' do
       it 'renders new' do
-        put :update, params: {
-          eu_opinion: {
-            eu_decision_type_id: @eu_decision_type.id,
-            start_event_id: @eu_regulation.id,
-            start_date: nil
-          }, id: @eu_opinion.id, taxon_concept_id: @taxon_concept.id
-        }
+        put :update,
+          params: {
+            eu_opinion: {
+              eu_decision_type_id: @eu_decision_type.id,
+              start_event_id: @eu_regulation.id,
+              start_date: nil
+            }, id: @eu_opinion.id,
+            taxon_concept_id: @taxon_concept.id
+          }
+
         expect(response).to render_template('new')
       end
     end
 
     context 'when event is not present' do
       it 'renders new' do
-        put :update, params: {
-          eu_opinion: {
-            eu_decision_type_id: @eu_decision_type.id,
-            start_event_id: nil,
-            document_id: @document.id,
-            start_date: nil
-          }, id: @eu_opinion.id, taxon_concept_id: @taxon_concept.id
-        }
+        put :update,
+          params: {
+            eu_opinion: {
+              eu_decision_type_id: @eu_decision_type.id,
+              start_event_id: nil,
+              document_id: @document.id,
+              start_date: nil
+            },
+            id: @eu_opinion.id,
+            taxon_concept_id: @taxon_concept.id
+          }
+
         expect(response).to render_template('new')
       end
     end
 
     context 'when both event and intersessional doc are empty' do
       it 'renders new' do
-        put :update, params: {
-          eu_opinion: {
-            eu_decision_type_id: @eu_decision_type.id,
-            start_event_id: nil,
-            document_id: nil,
-            start_date: nil
-          }, id: @eu_opinion.id, taxon_concept_id: @taxon_concept.id
-        }
+        put :update,
+          params: {
+            eu_opinion: {
+              eu_decision_type_id: @eu_decision_type.id,
+              start_event_id: nil,
+              document_id: nil,
+              start_date: nil
+            },
+            id: @eu_opinion.id,
+            taxon_concept_id: @taxon_concept.id
+          }
+
         expect(response).to render_template('new')
       end
     end
 
     context 'when both event and intersessional doc are present' do
       it 'renders new' do
-        put :update, params: {
-          eu_opinion: {
-            eu_decision_type_id: @eu_decision_type.id,
-            start_event_id: @eu_regulation.id,
-            document_id: @document.id,
-            start_date: nil
-          }, id: @eu_opinion.id, taxon_concept_id: @taxon_concept.id
-        }
+        put :update,
+          params: {
+            eu_opinion: {
+              eu_decision_type_id: @eu_decision_type.id,
+              start_event_id: @eu_regulation.id,
+              document_id: @document.id,
+              start_date: nil
+            },
+            id: @eu_opinion.id,
+            taxon_concept_id: @taxon_concept.id
+          }
+
         expect(response).to render_template('new')
       end
     end
   end
 
   describe 'DELETE destroy' do
-    before(:each) do
+    before do
       @eu_opinion = create(
         :eu_opinion,
         taxon_concept_id: @taxon_concept.id,
         start_event_id: @eu_regulation.id
       )
     end
+
     it 'redirects after delete' do
-      delete :destroy, params: { id: @eu_opinion.id, taxon_concept_id: @taxon_concept.id, start_event_id: @eu_regulation.id }
+      delete :destroy,
+        params: {
+          id: @eu_opinion.id,
+          taxon_concept_id: @taxon_concept.id,
+          start_event_id: @eu_regulation.id
+        }
+
       expect(response).to redirect_to(
         admin_taxon_concept_eu_opinions_url(@taxon_concept)
       )
diff --git a/spec/controllers/admin/instruments_controller_spec.rb b/spec/controllers/admin/instruments_controller_spec.rb
index 08c160dfe..d1c38fa7f 100644
--- a/spec/controllers/admin/instruments_controller_spec.rb
+++ b/spec/controllers/admin/instruments_controller_spec.rb
@@ -8,19 +8,25 @@
       @instrument1 = create(:instrument, name: 'BB', designation: create(:designation))
       @instrument2 = create(:instrument, name: 'AA', designation: create(:designation))
     end
+
     describe 'GET index' do
       it 'assigns @instruments sorted by name' do
         get :index
+
         expect(assigns(:instruments)).to eq([ @instrument2, @instrument1 ])
       end
+
       it 'renders the index template' do
         get :index
+
         expect(response).to render_template('index')
       end
     end
+
     describe 'XHR GET index JSON' do
       it 'renders json for dropdown' do
         get :index, format: 'json', xhr: true
+
         expect(response.body).to have_json_size(2)
         expect(parse_json(response.body, '0/text')).to eq('AA')
       end
@@ -30,38 +36,48 @@
   describe 'XHR POST create' do
     it 'renders create when successful' do
       post :create, params: { instrument: build_attributes(:instrument) }, xhr: true
+
       expect(response).to render_template('create')
     end
     it 'renders new when not successful' do
-      post :create, params: { instrument: { dummy: 'test' } }, xhr: true
+      post :create, params: { instrument: { name: nil } }, xhr: true
+
       expect(response).to render_template('new')
     end
   end
 
   describe 'XHR PUT update' do
     let(:instrument) { create(:instrument) }
+
     it 'responds with 200 when successful' do
       put :update, format: 'json', params: { id: instrument.id, instrument: { name: 'ZZ' } }, xhr: true
       expect(response).to be_successful
     end
+
     it 'responds with json when not successful' do
       put :update, format: 'json', params: { id: instrument.id, instrument: { name: nil } }, xhr: true
+
       expect(response.parsed_body).to include('errors')
     end
   end
 
   describe 'DELETE destroy' do
     let(:instrument) { create(:instrument) }
+
     it 'redirects after delete' do
       delete :destroy, params: { id: instrument.id }
+
       expect(flash[:notice]).not_to be_nil
       expect(flash[:alert]).to be_nil
       expect(response).to redirect_to(admin_instruments_url)
     end
+
     let(:instrument2) { create(:instrument) }
     let!(:taxon_instrument) { create(:taxon_instrument, instrument_id: instrument2.id) }
+
     it 'fails to delete instrument because there are dependent objects' do
       delete :destroy, params: { id: instrument2.id }
+
       expect(flash[:notice]).to be_nil
       expect(flash[:alert]).not_to be_nil
       expect(instrument2.reload).not_to be_nil
diff --git a/spec/controllers/admin/languages_controller_spec.rb b/spec/controllers/admin/languages_controller_spec.rb
index 2bd6ba74b..ea2f5dee3 100644
--- a/spec/controllers/admin/languages_controller_spec.rb
+++ b/spec/controllers/admin/languages_controller_spec.rb
@@ -7,42 +7,71 @@
     it 'assigns @languages sorted by iso_code1' do
       language1 = create(:language, iso_code1: 'BB', iso_code3: 'BBB')
       language2 = create(:language, iso_code1: 'AA', iso_code3: 'AAA')
+
       get :index
+
       expect(assigns(:languages)).to eq([ language2, language1 ])
     end
+
     it 'renders the index template' do
       get :index
+
       expect(response).to render_template('index')
     end
   end
 
   describe 'XHR POST create' do
     it 'renders create when successful' do
-      post :create, params: { language: attributes_for(:language) }, xhr: true
+      post :create,
+        params: { language: attributes_for(:language) },
+        xhr: true
+
       expect(response).to render_template('create')
     end
+
     it 'renders new when not successful' do
-      post :create, params: { language: { dummy: 'test' } }, xhr: true
+      post :create,
+        params: { language: { iso_code1: '' } },
+        xhr: true
+
       expect(response).to render_template('new')
     end
   end
 
   describe 'XHR PUT update' do
     let(:language) { create(:language) }
+
     it 'responds with 200 when successful' do
-      put :update, format: 'json', params: { id: language.id, language: { iso_code1: 'ZZ' } }, xhr: true
+      put :update,
+        format: 'json',
+        params: {
+          id: language.id,
+          language: { iso_code1: 'ZZ' }
+        },
+        xhr: true
+
       expect(response).to be_successful
     end
+
     it 'responds with json when not successful' do
-      put :update, format: 'json', params: { id: language.id, language: { iso_code1: 'zzz' } }, xhr: true
+      put :update,
+        format: 'json',
+        params: {
+          id: language.id,
+          language: { iso_code1: 'zzz' }
+        },
+        xhr: true
+
       expect(response.parsed_body).to include('errors')
     end
   end
 
   describe 'DELETE destroy' do
     let(:language) { create(:language) }
+
     it 'redirects after delete' do
       delete :destroy, params: { id: language.id }
+
       expect(response).to redirect_to(admin_languages_url)
     end
   end
diff --git a/spec/controllers/admin/nomenclature_changes/split_controller_spec.rb b/spec/controllers/admin/nomenclature_changes/split_controller_spec.rb
index abfd0254f..42ab617d6 100644
--- a/spec/controllers/admin/nomenclature_changes/split_controller_spec.rb
+++ b/spec/controllers/admin/nomenclature_changes/split_controller_spec.rb
@@ -6,43 +6,56 @@
 
   describe 'GET show' do
     context 'inputs' do
-      before(:each) do
+      before do
         @split = create(:nomenclature_change_split)
       end
+
       it 'renders the inputs template' do
         get :show, params: { id: :inputs, nomenclature_change_id: @split.id }
+
         expect(response).to render_template('inputs')
       end
     end
+
     context 'outputs' do
-      before(:each) do
+      before do
         @split = split_with_input
       end
+
       it 'renders the outputs template' do
         get :show, params: { id: :outputs, nomenclature_change_id: @split.id }
+
         expect(response).to render_template('outputs')
       end
     end
+
     context 'reassignments' do
-      before(:each) do
+      before do
         @split = split_with_input_and_output
       end
+
       it 'renders the notes template' do
         get :show, params: { id: :notes, nomenclature_change_id: @split.id }
+
         expect(response).to render_template('notes')
       end
+
       context 'when children present' do
-        before(:each) do
+        before do
           create_cites_eu_subspecies(parent: input_species)
         end
+
         it 'renders the children template' do
           get :show, params: { id: :children, nomenclature_change_id: @split.id }
+
           expect(response).to render_template('children')
         end
       end
+
       context 'when no children' do
         it 'redirects to next step' do
           get :show, params: { id: :children, nomenclature_change_id: @split.id }
+
           expect(response).to redirect_to(
             admin_nomenclature_change_split_url(
               nomenclature_change_id: assigns(:nomenclature_change).id, id: 'names'
@@ -50,8 +63,9 @@
           )
         end
       end
+
       context 'when names present' do
-        before(:each) do
+        before do
           create(
             :taxon_relationship,
             taxon_concept: input_species,
@@ -59,33 +73,43 @@
             taxon_relationship_type: synonym_relationship_type
           )
         end
+
         it 'renders the names template' do
           get :show, params: { id: :names, nomenclature_change_id: @split.id }
+
           expect(response).to render_template('names')
         end
       end
+
       context 'when no names' do
         it 'redirects to next step' do
           get :show, params: { id: :names, nomenclature_change_id: @split.id }
+
           expect(response).to redirect_to(
             admin_nomenclature_change_split_url(
-              nomenclature_change_id: assigns(:nomenclature_change).id, id: 'distribution'
+              nomenclature_change_id: assigns(:nomenclature_change).id,
+              id: 'distribution'
             )
           )
         end
       end
+
       context 'when distribution present' do
-        before(:each) do
+        before do
           create(:distribution, taxon_concept: input_species)
         end
+
         it 'renders the distribution template' do
           get :show, params: { id: :distribution, nomenclature_change_id: @split.id }
+
           expect(response).to render_template('distribution')
         end
       end
+
       context 'when no distribution' do
         it 'redirects to next step' do
           get :show, params: { id: :distribution, nomenclature_change_id: @split.id }
+
           expect(response).to redirect_to(
             admin_nomenclature_change_split_url(
               nomenclature_change_id: assigns(:nomenclature_change).id, id: 'legislation'
@@ -93,27 +117,42 @@
           )
         end
       end
+
       context 'when legislation present' do
-        before(:each) do
+        before do
           create_cites_I_addition(taxon_concept: input_species)
         end
+
         it 'renders the legislation template' do
-          get :show, params: { id: :legislation, nomenclature_change_id: @split.id }
+          get :show, params: {
+            id: :legislation,
+            nomenclature_change_id: @split.id
+          }
+
           expect(response).to render_template('legislation')
         end
       end
+
       context 'when no legislation' do
         it 'redirects to next step' do
           get :show, params: { id: :legislation, nomenclature_change_id: @split.id }
+
           expect(response).to redirect_to(
             admin_nomenclature_change_split_url(
-              nomenclature_change_id: assigns(:nomenclature_change).id, id: 'summary'
+              nomenclature_change_id: assigns(:nomenclature_change).id,
+              id: 'summary'
             )
           )
         end
       end
+
       it 'renders the summary template' do
-        get :show, params: { id: :summary, nomenclature_change_id: @split.id }
+        get :show,
+          params: {
+            id: :summary,
+            nomenclature_change_id: @split.id
+          }
+
         expect(response).to render_template('summary')
       end
     end
@@ -122,25 +161,30 @@
   describe 'POST create' do
     it 'redirects to split wizard' do
       post :create, params: { nomenclature_change_id: 'new' }
+
       expect(response).to redirect_to(
         admin_nomenclature_change_split_url(
-          nomenclature_change_id: assigns(:nomenclature_change).id, id: 'inputs'
+          nomenclature_change_id: assigns(:nomenclature_change).id,
+          id: 'inputs'
         )
       )
     end
   end
 
   describe 'PUT update' do
-    before(:each) do
+    before do
       @split = create(:nomenclature_change_split)
     end
+
     context 'when successful' do
       it 'redirects to next step' do
-        put :update, params: {
-          nomenclature_change_split: {
-            input_attributes: { taxon_concept_id: create_cites_eu_species.id }
-          }, nomenclature_change_id: @split.id, id: 'inputs'
-        }
+        put :update,
+          params: {
+            nomenclature_change_split: {
+              input_attributes: { taxon_concept_id: create_cites_eu_species.id }
+            }, nomenclature_change_id: @split.id, id: 'inputs'
+          }
+
         expect(response).to redirect_to(
           admin_nomenclature_change_split_url(
             nomenclature_change_id: assigns(:nomenclature_change).id, id: 'outputs'
@@ -148,28 +192,42 @@
         )
       end
     end
+
     context 'when unsuccessful' do
       it 're-renders step' do
-        put :update, params: {
-          nomenclature_change_split: {
-            input_attributes: { taxon_concept_id: nil }
-          }, nomenclature_change_id: @split.id, id: 'inputs'
-        }
+        put :update,
+          params: {
+            nomenclature_change_split: {
+              input_attributes: { taxon_concept_id: nil }
+            },
+            nomenclature_change_id: @split.id,
+            id: 'inputs'
+          }
+
         expect(response).to render_template('inputs')
       end
     end
+
     context 'when last step' do
       context 'when user is secretariat' do
         login_secretariat_user
         it 'redirects to admin root path' do
           put :update, params: { nomenclature_change_id: @split.id, id: 'summary' }
+
           expect(response).to redirect_to admin_root_path
         end
       end
+
       context 'when user is manager' do
         it 'redirects to nomenclature changes path' do
           pending('Strange render mismatch after upgrading to Rails 4')
-          put :update, params: { nomenclature_change_id: @split.id, id: 'summary', nomenclature_change_split: { dummy: 'test' } }
+
+          put :update, params: {
+            nomenclature_change_id: @split.id,
+            id: 'summary',
+            nomenclature_change_split: { dummy: 'test' }
+          }
+
           expect(response).to be_successful
           expect(response).to render_template('nomenclature_changes')
         end
@@ -178,31 +236,39 @@
   end
 
   describe 'Previous button' do
-    before(:each) do
+    before do
       @split = split_with_input_and_output
     end
+
     context 'when step is names' do
       context 'when children' do
-        before(:each) do
+        before do
           create_cites_eu_subspecies(parent: input_species)
         end
+
         it 'renders children template' do
           get :show, params: { id: :children, nomenclature_change_id: @split.id, back: true }
+
           expect(response).to render_template('children')
         end
       end
+
       context 'when no children' do
         it 'redirects to notes step' do
           get :show, params: { id: :children, nomenclature_change_id: @split.id, back: true }
+
           expect(response).to redirect_to action: :show, id: :notes
+
           get :show, params: { id: :notes, nomenclature_change_id: @split.id }
+
           expect(response).to render_template('notes')
         end
       end
     end
+
     context 'when step is distribution' do
       context 'when names' do
-        before(:each) do
+        before do
           create(
             :taxon_relationship,
             taxon_concept: input_species,
@@ -210,54 +276,74 @@
             taxon_relationship_type: synonym_relationship_type
           )
         end
+
         it 'renders names template' do
           get :show, params: { id: :names, nomenclature_change_id: @split.id, back: :true }
+
           expect(response).to render_template('names')
         end
       end
+
       context 'when no names and no children' do
         it 'redirects to notes step' do
           get :show, params: { id: :names, nomenclature_change_id: @split.id, back: true }
+
           expect(response).to redirect_to action: :show, id: :children
+
           get :show, params: { id: :children, nomenclature_change_id: @split.id }
+
           expect(response).to redirect_to action: :show, id: :notes
         end
       end
     end
+
     context 'when step is legislation' do
       context 'when distribution' do
-        before(:each) do
+        before do
           create(:distribution, taxon_concept: input_species)
         end
+
         it 'renders distribution template' do
           get :show, params: { id: :distribution, nomenclature_change_id: @split.id, back: true }
+
           expect(response).to render_template('distribution')
         end
       end
+
       context 'when no distribution and no names' do
         it 'redirects to children step' do
           get :show, params: { id: :distribution, nomenclature_change_id: @split.id, back: true }
+
           expect(response).to redirect_to action: :show, id: :names
+
           get :show, params: { id: :names, nomenclature_change_id: @split.id }
+
           expect(response).to redirect_to action: :show, id: :children
         end
       end
     end
+
     context 'when step is summary' do
       context 'when legislation' do
-        before(:each) do
+        before do
           create_cites_I_addition(taxon_concept: input_species)
         end
+
         it 'renders legislation template' do
           get :show, params: { id: :legislation, nomenclature_change_id: @split.id, back: true }
+
           expect(response).to render_template('legislation')
         end
       end
+
       context 'when no legislation and no distribution' do
         it 'redirects to names step' do
           get :show, params: { id: :legislation, nomenclature_change_id: @split.id, back: true }
+
           expect(response).to redirect_to action: :show, id: :distribution
+
           get :show, params: { id: :distribution, nomenclature_change_id: @split.id }
+
           expect(response).to redirect_to action: :show, id: :names
         end
       end
diff --git a/spec/controllers/admin/nomenclature_changes/status_swap_controller_spec.rb b/spec/controllers/admin/nomenclature_changes/status_swap_controller_spec.rb
index 1b271ac15..0e4cf0df4 100644
--- a/spec/controllers/admin/nomenclature_changes/status_swap_controller_spec.rb
+++ b/spec/controllers/admin/nomenclature_changes/status_swap_controller_spec.rb
@@ -9,36 +9,44 @@
       before(:each) do
         @status_change = create(:nomenclature_change_status_swap)
       end
+
       it 'renders the primary_output template' do
         get :show, params: { id: :primary_output, nomenclature_change_id: @status_change.id }
         expect(response).to render_template('primary_output')
       end
     end
+
     context 'swap' do
       before(:each) do
         @status_change = a_to_s_with_swap
       end
+
       it 'renders the swap template' do
         get :show, params: { id: :secondary_output, nomenclature_change_id: @status_change.id }
         expect(response).to render_template('secondary_output')
       end
     end
+
     context 'reassignments' do
       before(:each) do
         @status_change = a_to_s_with_swap
       end
+
       context 'when legislation present' do
         before(:each) do
           create_cites_I_addition(taxon_concept: input_species)
         end
+
         it 'renders the legislation template' do
           get :show, params: { id: :legislation, nomenclature_change_id: @status_change.id }
           expect(response).to render_template('legislation')
         end
       end
+
       context 'when no legislation' do
         it 'redirects to next step' do
           get :show, params: { id: :legislation, nomenclature_change_id: @status_change.id }
+
           expect(response).to redirect_to(
             admin_nomenclature_change_status_swap_url(
               nomenclature_change_id: assigns(:nomenclature_change).id, id: 'summary'
@@ -51,6 +59,7 @@
       before(:each) do
         @status_change = a_to_s_with_swap
       end
+
       it 'renders the summary template' do
         get :show, params: { id: :summary, nomenclature_change_id: @status_change.id }
         expect(response).to render_template('summary')
@@ -61,6 +70,7 @@
   describe 'POST create' do
     it 'redirects to status_change wizard' do
       post :create, params: { nomenclature_change_id: 'new' }
+
       expect(response).to redirect_to(
         admin_nomenclature_change_status_swap_url(
           nomenclature_change_id: assigns(:nomenclature_change).id, id: 'primary_output'
@@ -73,41 +83,60 @@
     before(:each) do
       @status_change = create(:nomenclature_change_status_swap)
     end
+
     context 'when successful' do
       it 'redirects to next step' do
-        put :update, params: {
-          nomenclature_change_status_swap: {
-            primary_output_attributes: {
-              taxon_concept_id: create_cites_eu_species.id,
-              new_name_status: 'S'
-            }
-          }, nomenclature_change_id: @status_change.id, id: 'primary_output'
-        }
+        put :update,
+          params: {
+            nomenclature_change_status_swap: {
+              primary_output_attributes: {
+                taxon_concept_id: create_cites_eu_species.id,
+                new_name_status: 'S'
+              }
+            }, nomenclature_change_id: @status_change.id,
+            id: 'primary_output'
+          }
+
         expect(response).to redirect_to(
           admin_nomenclature_change_status_swap_url(
-            nomenclature_change_id: assigns(:nomenclature_change).id, id: 'secondary_output'
+            nomenclature_change_id: assigns(:nomenclature_change).id,
+            id: 'secondary_output'
           )
         )
       end
     end
     context 'when unsuccessful' do
       it 're-renders step' do
-        put :update, params: { nomenclature_change_status_swap: { dummy: 'test' }, nomenclature_change_id: @status_change.id, id: 'primary_output' }
+        put :update,
+          params: {
+            nomenclature_change_status_swap: { dummy: 'test' },
+            nomenclature_change_id: @status_change.id, id: 'primary_output'
+          }
+
         expect(response).to render_template('primary_output')
       end
     end
+
     context 'when last step' do
       context 'when user is secretariat' do
         login_secretariat_user
         it 'redirects to admin root path' do
           put :update, params: { nomenclature_change_id: @status_change.id, id: 'summary' }
+
           expect(response).to redirect_to admin_root_path
         end
       end
+
       context 'when user is manager' do
         it 'redirects to nomenclature changes path' do
           pending('Strange render mismatch after upgrading to Rails 4')
-          put :update, params: { nomenclature_change_id: @status_change.id, id: 'summary', nomenclature_change_status_swap: { dummy: 'test' } }
+          put :update,
+            params: {
+              nomenclature_change_id: @status_change.id,
+              id: 'summary',
+              nomenclature_change_status_swap: { dummy: 'test' }
+            }
+
           expect(response).to be_successful
           expect(response).to render_template('nomenclature_changes')
         end
diff --git a/spec/controllers/admin/nomenclature_changes/status_to_accepted_controller_spec.rb b/spec/controllers/admin/nomenclature_changes/status_to_accepted_controller_spec.rb
index fdcfeb2d3..16add018e 100644
--- a/spec/controllers/admin/nomenclature_changes/status_to_accepted_controller_spec.rb
+++ b/spec/controllers/admin/nomenclature_changes/status_to_accepted_controller_spec.rb
@@ -6,20 +6,25 @@
 
   describe 'GET show' do
     context 'primary_output' do
-      before(:each) do
+      before do
         @status_change = create(:nomenclature_change_status_to_accepted)
       end
+
       it 'renders the primary_output template' do
         get :show, params: { id: :primary_output, nomenclature_change_id: @status_change.id }
+
         expect(response).to render_template('primary_output')
       end
     end
+
     context 'summary' do
-      before(:each) do
+      before do
         @status_change = t_to_a_with_input
       end
+
       it 'renders the summary template' do
         get :show, params: { id: :summary, nomenclature_change_id: @status_change.id }
+
         expect(response).to render_template('summary')
       end
     end
@@ -28,59 +33,92 @@
   describe 'POST create' do
     it 'redirects to status_change wizard' do
       post :create, params: { nomenclature_change_id: 'new' }
+
       expect(response).to redirect_to(
         admin_nomenclature_change_status_to_accepted_url(
-          nomenclature_change_id: assigns(:nomenclature_change).id, id: 'primary_output'
+          nomenclature_change_id: assigns(:nomenclature_change).id,
+          id: 'primary_output'
         )
       )
     end
   end
 
   describe 'PUT update' do
-    before(:each) do
+    before do
       @status_change = create(:nomenclature_change_status_to_accepted)
     end
+
     context 'when successful' do
       it 'redirects to next step' do
-        put :update, params: {
-          nomenclature_change_status_to_accepted: {
-            primary_output_attributes: {
-              taxon_concept_id: create_cites_eu_species(
-                name_status: 'T',
-                taxon_name: create(:taxon_name, scientific_name: 'Patagonus miserabilis')
-              ).id,
-              new_parent_id: create_cites_eu_genus(
-                taxon_name: create(:taxon_name, scientific_name: 'Patagonus')
-              ).id,
-              new_name_status: 'A'
-            }
-          }, nomenclature_change_id: @status_change.id, id: 'primary_output'
-        }
+        put :update,
+          params: {
+            nomenclature_change_status_to_accepted: {
+              primary_output_attributes: {
+                taxon_concept_id: create_cites_eu_species(
+                  name_status: 'T',
+                  taxon_name: create(:taxon_name, scientific_name: 'Patagonus miserabilis')
+                ).id,
+                new_parent_id: create_cites_eu_genus(
+                  taxon_name: create(:taxon_name, scientific_name: 'Patagonus')
+                ).id,
+                new_name_status: 'A'
+              }
+            },
+            nomenclature_change_id: @status_change.id,
+            id: 'primary_output'
+          }
+
         expect(response).to redirect_to(
           admin_nomenclature_change_status_to_accepted_url(
-            nomenclature_change_id: assigns(:nomenclature_change).id, id: 'summary'
+            nomenclature_change_id: assigns(:nomenclature_change).id,
+            id: 'summary'
           )
         )
       end
     end
+
     context 'when unsuccessful' do
       it 're-renders step' do
-        put :update, params: { nomenclature_change_status_to_accepted: { dummy: 'test' }, nomenclature_change_id: @status_change.id, id: 'primary_output' }
+        put :update,
+          params: {
+            nomenclature_change_status_to_accepted: {
+              primary_output_attributes: {
+                new_name_status: '£'
+              }
+            },
+            nomenclature_change_id: @status_change.id,
+            id: 'primary_output'
+          }
+
         expect(response).to render_template('primary_output')
       end
     end
+
     context 'when last step' do
       context 'when user is secretariat' do
         login_secretariat_user
+
         it 'redirects to admin root path' do
-          put :update, params: { nomenclature_change_id: @status_change.id, id: 'summary' }
+          put :update,
+            params: {
+              nomenclature_change_id: @status_change.id,
+              id: 'summary'
+            }
+
           expect(response).to redirect_to admin_root_path
         end
       end
+
       context 'when user is manager' do
         it 'redirects to nomenclature changes path' do
           pending('Strange render mismatch after upgrading to Rails 4')
-          put :update, params: { nomenclature_change_id: @status_change.id, id: 'summary', nomenclature_change_status_to_accepted: { dummy: 'test' } }
+
+          put :update,
+            params: {
+              nomenclature_change_id: @status_change.id,
+              id: 'summary'
+            }
+
           expect(response).to be_successful
           expect(response).to render_template('nomenclature_changes')
         end
diff --git a/spec/controllers/admin/nomenclature_changes/status_to_synonym_controller_spec.rb b/spec/controllers/admin/nomenclature_changes/status_to_synonym_controller_spec.rb
index 2f5688d2f..ff37fce39 100644
--- a/spec/controllers/admin/nomenclature_changes/status_to_synonym_controller_spec.rb
+++ b/spec/controllers/admin/nomenclature_changes/status_to_synonym_controller_spec.rb
@@ -2,23 +2,28 @@
 
 describe Admin::NomenclatureChanges::StatusToSynonymController do
   login_admin
+
   include_context 'status_change_definitions'
+
   let(:input_species) { create_cites_eu_species(name_status: 'N') }
 
   describe 'GET show' do
     context 'primary_output' do
-      before(:each) do
+      before do
         @status_change = create(:nomenclature_change_status_to_synonym)
       end
+
       it 'renders the primary_output template' do
         get :show, params: { id: :primary_output, nomenclature_change_id: @status_change.id }
         expect(response).to render_template('primary_output')
       end
     end
+
     context 'relay' do
-      before(:each) do
+      before do
         @status_change = n_to_s_with_primary_output
       end
+
       it 'renders the relay template' do
         get :show, params: { id: :relay, nomenclature_change_id: @status_change.id }
         expect(response).to render_template('relay')
@@ -26,9 +31,10 @@
     end
 
     context 'summary' do
-      before(:each) do
+      before do
         @status_change = n_to_s_with_input_and_secondary_output
       end
+
       it 'renders the summary template' do
         get :show, params: { id: :summary, nomenclature_change_id: @status_change.id }
         expect(response).to render_template('summary')
@@ -39,6 +45,7 @@
   describe 'POST create' do
     it 'redirects to status_change wizard' do
       post :create, params: { nomenclature_change_id: 'new' }
+
       expect(response).to redirect_to(
         admin_nomenclature_change_status_to_synonym_url(
           nomenclature_change_id: assigns(:nomenclature_change).id, id: 'primary_output'
@@ -48,19 +55,22 @@
   end
 
   describe 'PUT update' do
-    before(:each) do
+    before do
       @status_change = create(:nomenclature_change_status_to_synonym)
     end
+
     context 'when successful' do
       it 'redirects to next step' do
         put :update, params: {
           nomenclature_change_status_to_synonym: {
             primary_output_attributes: {
-              taxon_concept_id: create_cites_eu_species(name_status: 'N').id,
               new_name_status: 'S'
             }
-          }, nomenclature_change_id: @status_change.id, id: 'primary_output'
+          },
+          nomenclature_change_id: @status_change.id,
+          id: 'primary_output'
         }
+
         expect(response).to redirect_to(
           admin_nomenclature_change_status_to_synonym_url(
             nomenclature_change_id: assigns(:nomenclature_change).id, id: 'relay'
@@ -68,24 +78,43 @@
         )
       end
     end
+
     context 'when unsuccessful' do
       it 're-renders step' do
-        put :update, params: { nomenclature_change_status_to_synonym: { dummy: 'test' }, nomenclature_change_id: @status_change.id, id: 'primary_output' }
+        put :update,
+          params: {
+            nomenclature_change_status_to_synonym: {
+              primary_output_attributes: {
+                new_name_status: '£'
+              }
+            },
+            nomenclature_change_id: @status_change.id,
+            id: 'primary_output'
+          }
+
         expect(response).to render_template('primary_output')
       end
     end
+
     context 'when last step' do
       context 'when user is secretariat' do
         login_secretariat_user
+
         it 'redirects to admin root path' do
           put :update, params: { nomenclature_change_id: @status_change.id, id: 'summary' }
+
           expect(response).to redirect_to admin_root_path
         end
       end
+
       context 'when user is manager' do
         it 'redirects to nomenclature changes path' do
-          pending('Strange render mismatch after upgrading to Rails 4')
-          put :update, params: { nomenclature_change_id: @status_change.id, id: 'summary', nomenclature_change_status_to_synonym: { dummy: 'test' } }
+          put :update,
+            params: {
+              nomenclature_change_id: @status_change.id,
+              id: 'summary'
+            }
+
           expect(response).to be_successful
           expect(response).to render_template('nomenclature_changes')
         end
diff --git a/spec/controllers/admin/ranks_controller_spec.rb b/spec/controllers/admin/ranks_controller_spec.rb
index c0835221e..dfb309faa 100644
--- a/spec/controllers/admin/ranks_controller_spec.rb
+++ b/spec/controllers/admin/ranks_controller_spec.rb
@@ -7,11 +7,15 @@
     it 'assigns @ranks sorted by taxonomic position' do
       rank2 = create(:rank, name: Rank::PHYLUM, taxonomic_position: '2')
       rank1 = create(:rank, name: Rank::KINGDOM, taxonomic_position: '1')
+
       get :index
+
       expect(assigns(:ranks)).to eq([ rank1, rank2 ])
     end
+
     it 'renders the index template' do
       get :index
+
       expect(response).to render_template('index')
     end
   end
@@ -19,30 +23,39 @@
   describe 'XHR POST create' do
     it 'renders create when successful' do
       post :create, params: { rank: build_attributes(:rank) }, xhr: true
+
       expect(response).to render_template('create')
     end
+
     it 'renders new when not successful' do
-      post :create, params: { rank: { dummy: 'test' } }, xhr: true
+      post :create, params: { rank: { taxonomic_position: '0' } }, xhr: true
+
       expect(response).to render_template('new')
     end
   end
 
   describe 'XHR PUT update' do
     let(:rank) { create(:rank) }
+
     it 'responds with 200 when successful' do
       put :update, format: 'json', params: { id: rank.id, rank: { name: 'ZZ' } }, xhr: true
+
       expect(response).to be_successful
     end
+
     it 'responds with json when not successful' do
       put :update, format: 'json', params: { id: rank.id, rank: { name: nil } }, xhr: true
+
       expect(response.parsed_body).to include('errors')
     end
   end
 
   describe 'DELETE destroy' do
     let(:rank) { create(:rank) }
+
     it 'redirects after delete' do
       delete :destroy, params: { id: rank.id }
+
       expect(response).to redirect_to(admin_ranks_url)
     end
   end
diff --git a/spec/controllers/admin/species_listings_controller_spec.rb b/spec/controllers/admin/species_listings_controller_spec.rb
index cb8150581..a1589385d 100644
--- a/spec/controllers/admin/species_listings_controller_spec.rb
+++ b/spec/controllers/admin/species_listings_controller_spec.rb
@@ -10,11 +10,15 @@
       species_listing2_1 = create(:species_listing, designation: designation2, name: 'I')
       species_listing2_2 = create(:species_listing, designation: designation2, name: 'II')
       species_listing1 = create(:species_listing, designation: designation1, name: 'I')
+
       get :index
+
       expect(assigns(:species_listings)).to eq([ species_listing1, species_listing2_1, species_listing2_2 ])
     end
+
     it 'renders the index template' do
       get :index
+
       expect(response).to render_template('index')
     end
   end
@@ -22,30 +26,45 @@
   describe 'XHR POST create' do
     it 'renders create when successful' do
       post :create, params: { species_listing: build_attributes(:species_listing) }, xhr: true
+
       expect(response).to render_template('create')
     end
+
     it 'renders new when not successful' do
-      post :create, params: { species_listing: { dummy: 'test' } }, xhr: true
+      post :create, params: { species_listing: { name: 'NOT ENOUGH' } }, xhr: true
+
       expect(response).to render_template('new')
     end
   end
 
   describe 'XHR PUT update' do
     let(:species_listing) { create(:species_listing) }
+
     it 'responds with 200 when successful' do
-      put :update, format: 'json', params: { id: species_listing.id, species_listing: { name: 'ZZ' } }, xhr: true
+      put :update,
+        format: 'json',
+        params: { id: species_listing.id, species_listing: { name: 'ZZ' } },
+        xhr: true
+
       expect(response).to be_successful
     end
+
     it 'responds with json when not successful' do
-      put :update, format: 'json', params: { id: species_listing.id, species_listing: { name: nil } }, xhr: true
+      put :update,
+        format: 'json',
+        params: { id: species_listing.id, species_listing: { name: '' } },
+        xhr: true
+
       expect(response.parsed_body).to include('errors')
     end
   end
 
   describe 'DELETE destroy' do
     let(:species_listing) { create(:species_listing) }
+
     it 'redirects after delete' do
       delete :destroy, params: { id: species_listing.id }
+
       expect(response).to redirect_to(admin_species_listings_url)
     end
   end
diff --git a/spec/controllers/admin/srg_histories_controller_spec.rb b/spec/controllers/admin/srg_histories_controller_spec.rb
index 9c9e62cc3..76effe86a 100644
--- a/spec/controllers/admin/srg_histories_controller_spec.rb
+++ b/spec/controllers/admin/srg_histories_controller_spec.rb
@@ -6,6 +6,7 @@
   describe 'GET index' do
     it 'renders the index template' do
       get :index
+
       expect(response).to render_template('index')
     end
   end
@@ -25,7 +26,7 @@
 
     context 'when not successful' do
       it 'renders new' do
-        post :create, params: { srg_history: { dummy: 'test' }, format: :js }
+        post :create, params: { srg_history: { name: '' }, format: :js }
 
         expect(response).to render_template('new')
       end
@@ -33,13 +34,13 @@
   end
 
   describe 'PUT update' do
-    before(:each) do
+    before do
       @srg_history = create(:srg_history)
     end
 
     context 'when successful' do
       it 'renders the create js template' do
-        put :update, params: { id: @srg_history.id, srg_history: { dummy: 'test' }, format: :js }
+        put :update, params: { id: @srg_history.id, srg_history: { name: 'Test SRG' }, format: :js }
 
         expect(response).to render_template('create')
       end
@@ -55,7 +56,7 @@
   end
 
   describe 'DELETE destroy' do
-    before(:each) do
+    before do
       @srg_history = create(:srg_history)
     end
 
diff --git a/spec/controllers/admin/tags_controller_spec.rb b/spec/controllers/admin/tags_controller_spec.rb
index 3d9491e5e..fe56b3b10 100644
--- a/spec/controllers/admin/tags_controller_spec.rb
+++ b/spec/controllers/admin/tags_controller_spec.rb
@@ -13,11 +13,16 @@
 
   describe 'XHR POST create' do
     it 'renders create when successful' do
-      post :create, params: { tag: { name: 'Test Tag', model: 'TaxonConcept' } }, xhr: true
+      post :create,
+        params: { tag: { name: 'Test Tag', model: 'TaxonConcept' } },
+        xhr: true
+
       expect(response).to render_template('create')
     end
+
     it 'renders new when not successful' do
-      post :create, params: { tag: { dummy: 'test' } }, xhr: true
+      post :create, params: { tag: { name: nil } }, xhr: true
+
       expect(response).to render_template('new')
     end
   end
@@ -26,11 +31,20 @@
     let(:preset_tag) { create(:preset_tag) }
     context 'when JSON' do
       it 'responds with 200 when successful' do
-        put :update, format: 'json', params: { id: preset_tag.id, tag: { dummy: 'test' } }, xhr: true
+        put :update,
+          format: 'json',
+          params: { id: preset_tag.id, tag: { name: nil } },
+          xhr: true
+
         expect(response).to be_successful
       end
+
       it 'responds with json error when not successful' do
-        put :update, format: 'json', params: { id: preset_tag.id, tag: { model: 'FakeCategory' } }, xhr: true
+        put :update,
+          format: 'json',
+          params: { id: preset_tag.id, tag: { model: 'FakeCategory' } },
+          xhr: true
+
         expect(response.parsed_body).to include('errors')
       end
     end
@@ -38,8 +52,10 @@
 
   describe 'DELETE destroy' do
     let(:preset_tag) { create(:preset_tag) }
+
     it 'redirects after delete' do
       delete :destroy, params: { id: preset_tag.id }
+
       expect(response).to redirect_to(admin_tags_url)
     end
   end
diff --git a/spec/controllers/admin/taxon_cites_suspensions_controller_spec.rb b/spec/controllers/admin/taxon_cites_suspensions_controller_spec.rb
index 35eac94d5..54a128bcb 100644
--- a/spec/controllers/admin/taxon_cites_suspensions_controller_spec.rb
+++ b/spec/controllers/admin/taxon_cites_suspensions_controller_spec.rb
@@ -15,10 +15,13 @@
   describe 'GET index' do
     it 'renders the index template' do
       get :index, params: { taxon_concept_id: @taxon_concept.id }
+
       expect(response).to render_template('index')
     end
+
     it 'renders the taxon_concepts_layout' do
       get :index, params: { taxon_concept_id: @taxon_concept.id }
+
       expect(response).to render_template('layouts/taxon_concepts')
     end
   end
@@ -26,6 +29,7 @@
   describe 'GET new' do
     it 'renders the new template' do
       get :new, params: { taxon_concept_id: @taxon_concept.id }
+
       expect(response).to render_template('new')
     end
   end
@@ -33,18 +37,26 @@
   describe 'POST create' do
     context 'when successful' do
       it 'renders index' do
-        post :create, params: {
-          cites_suspension: {
-            start_notification_id: create_cites_suspension_notification.id
-          }, taxon_concept_id: @taxon_concept.id
-        }
+        post :create,
+          params: {
+            cites_suspension: {
+              start_notification_id: create_cites_suspension_notification.id
+            }, taxon_concept_id: @taxon_concept.id
+          }
+
         expect(response).to redirect_to(
           admin_taxon_concept_cites_suspensions_url(@taxon_concept)
         )
       end
     end
+
     it 'renders new when not successful' do
-      post :create, params: { cites_suspension: { dummy: 'test' }, taxon_concept_id: @taxon_concept.id }
+      post :create,
+        params: {
+          cites_suspension: { start_notification_id: 0 },
+          taxon_concept_id: @taxon_concept.id
+        }
+
       expect(response).to render_template('new')
     end
   end
@@ -52,6 +64,7 @@
   describe 'GET edit' do
     it 'renders the edit template' do
       get :edit, params: { id: @cites_suspension.id, taxon_concept_id: @taxon_concept.id }
+
       expect(response).to render_template('edit')
     end
   end
@@ -59,11 +72,13 @@
   describe 'PUT update' do
     context 'when successful' do
       it 'renders taxon_concepts cites suspensions page' do
-        put :update, params: {
-          cites_suspension: {
-            publication_date: 1.week.ago
-          }, id: @cites_suspension.id, taxon_concept_id: @taxon_concept.id
-        }
+        put :update,
+          params: {
+            cites_suspension: {
+              publication_date: 1.week.ago
+            }, id: @cites_suspension.id, taxon_concept_id: @taxon_concept.id
+          }
+
         expect(response).to redirect_to(
           admin_taxon_concept_cites_suspensions_url(@taxon_concept)
         )
@@ -71,11 +86,13 @@
     end
 
     it 'renders edit when not successful' do
-      put :update, params: {
-        cites_suspension: {
-          start_notification_id: nil
-        }, id: @cites_suspension.id, taxon_concept_id: @taxon_concept.id
-      }
+      put :update,
+        params: {
+          cites_suspension: {
+            start_notification_id: nil
+          }, id: @cites_suspension.id, taxon_concept_id: @taxon_concept.id
+        }
+
       expect(response).to render_template('edit')
     end
   end
@@ -83,6 +100,7 @@
   describe 'DELETE destroy' do
     it 'redirects after delete' do
       delete :destroy, params: { id: @cites_suspension.id, taxon_concept_id: @taxon_concept.id }
+
       expect(response).to redirect_to(
         admin_taxon_concept_cites_suspensions_url(@taxon_concept)
       )
@@ -95,17 +113,23 @@
     describe 'GET index' do
       it 'renders the index template' do
         get :index, params: { taxon_concept_id: @taxon_concept.id }
+
         expect(response).to render_template('index')
       end
+
       it 'renders the taxon_concepts_layout' do
         get :index, params: { taxon_concept_id: @taxon_concept.id }
+
         expect(response).to render_template('layouts/taxon_concepts')
       end
     end
+
     describe 'DELETE destroy' do
       it 'fails to delete and redirects' do
         @request.env['HTTP_REFERER'] = admin_taxon_concept_cites_suspensions_url(@taxon_concept)
+
         delete :destroy, params: { id: @cites_suspension.id, taxon_concept_id: @taxon_concept.id }
+
         expect(response).to redirect_to(
           admin_taxon_concept_cites_suspensions_url(@taxon_concept)
         )
diff --git a/spec/controllers/admin/taxon_commons_controller_spec.rb b/spec/controllers/admin/taxon_commons_controller_spec.rb
index de6f53993..29c4cd8bf 100644
--- a/spec/controllers/admin/taxon_commons_controller_spec.rb
+++ b/spec/controllers/admin/taxon_commons_controller_spec.rb
@@ -11,6 +11,7 @@
   describe "XHR GET 'new'" do
     it 'returns http success and renders the new template' do
       get :new, params: { taxon_concept_id: @taxon_concept.id, format: 'js' }, xhr: true
+
       expect(response).to be_successful
       expect(response).to render_template('new')
     end
@@ -18,7 +19,8 @@
 
   describe 'XHR POST create' do
     it 'renders create when successful' do
-      post :create, xhr: true,
+      post :create,
+        xhr: true,
         params: {
           taxon_concept_id: @taxon_concept.id,
           taxon_common: {
@@ -26,14 +28,18 @@
             language_id: @common_name.language_id
           }
         }
+
       expect(response).to render_template('create')
     end
+
     it 'renders new when not successful' do
-      post :create, xhr: true,
+      post :create,
+        xhr: true,
         params: {
           taxon_concept_id: @taxon_concept.id,
-          taxon_common: { dummy: 'test' }
+          taxon_common: { name: nil }
         }
+
       expect(response).to render_template('new')
     end
   end
@@ -46,12 +52,16 @@
         taxon_concept_id: @taxon_concept.id
       )
     end
+
     it 'renders the edit template' do
       get :edit, params: { taxon_concept_id: @taxon_concept.id, id: @taxon_common.id }, xhr: true
+
       expect(response).to render_template('new')
     end
+
     it 'assigns the  taxon common variable' do
       get :edit, params: { taxon_concept_id: @taxon_concept.id, id: @taxon_common.id }, xhr: true
+
       expect(assigns(:taxon_common)).not_to be_nil
     end
   end
@@ -64,8 +74,11 @@
         taxon_concept_id: @taxon_concept.id
       )
     end
+
     it 'renders create when successful' do
-      put :update, format: 'js', xhr: true,
+      put :update,
+        format: 'js',
+        xhr: true,
         params: {
           taxon_concept_id: @taxon_concept.id,
           id: @taxon_common.id,
@@ -74,10 +87,13 @@
             language_id: @common_name.language_id
           }
         }
+
       expect(response).to render_template('create')
     end
     it 'renders new when not successful' do
-      put :update, format: 'js', xhr: true,
+      put :update,
+        format: 'js',
+        xhr: true,
         params: {
           taxon_concept_id: @taxon_concept.id,
           id: @taxon_common.id,
@@ -85,6 +101,7 @@
             common_name_id: nil
           }
         }
+
       expect(response).to render_template('new')
     end
   end
@@ -97,8 +114,10 @@
         common_name: @common_name
       )
     end
+
     it 'redirects after delete' do
       delete :destroy, params: { taxon_concept_id: @taxon_concept.id, id: taxon_common.id }
+
       expect(response).to redirect_to(
         admin_taxon_concept_names_url(@taxon_concept)
       )
@@ -124,7 +143,9 @@
       expect(@taxon_concept.reload.dependents_updated_at).not_to be_nil
       old_date = @taxon_concept.dependents_updated_at
 
-      put :update, format: 'js', xhr: true,
+      put :update,
+        format: 'js',
+        xhr: true,
         params: {
           taxon_concept_id: @taxon_concept.id,
           id: @taxon_common.id,
@@ -155,6 +176,7 @@
 
   describe 'Authorization for contributors' do
     login_contributor
+
     let(:taxon_common) do
       create(
         :taxon_common,
@@ -162,10 +184,13 @@
         common_name: @common_name
       )
     end
+
     describe 'DELETE destroy' do
       it 'fails to delete and redirects' do
         @request.env['HTTP_REFERER'] = admin_taxon_concept_names_url(@taxon_concept)
+
         delete :destroy, params: { id: taxon_common.id, taxon_concept_id: @taxon_concept.id }
+
         expect(response).to redirect_to(
           admin_taxon_concept_names_url(@taxon_concept)
         )
diff --git a/spec/controllers/admin/taxon_concept_references_controller_spec.rb b/spec/controllers/admin/taxon_concept_references_controller_spec.rb
index a39f169b0..4f57323a9 100644
--- a/spec/controllers/admin/taxon_concept_references_controller_spec.rb
+++ b/spec/controllers/admin/taxon_concept_references_controller_spec.rb
@@ -10,23 +10,30 @@
 
   describe 'XHR POST create' do
     it 'renders create when successful' do
-      post :create, xhr: true, params: {
-        taxon_concept_id: @taxon_concept.id,
-        taxon_concept_reference: {
-          reference_attributes: { citation: 'My nice literature' }
+      post :create,
+        xhr: true,
+        params: {
+          taxon_concept_id: @taxon_concept.id,
+          taxon_concept_reference: {
+            reference_attributes: { citation: 'My nice literature' }
+          }
         }
-      }
+
       expect(response).to render_template('create')
     end
+
     it 'renders new when not successful' do
-      post :create, xhr: true, params: {
-        taxon_concept_id: @taxon_concept.id,
-        taxon_concept_reference: {
-          reference_attributes: {
-            dummy: 'test'
+      post :create,
+        xhr: true,
+        params: {
+          taxon_concept_id: @taxon_concept.id,
+          taxon_concept_reference: {
+            reference_attributes: {
+              dummy: 'test'
+            }
           }
         }
-      }
+
       expect(response).to render_template('new')
     end
   end
@@ -39,12 +46,16 @@
         taxon_concept_id: @taxon_concept.id
       )
     end
+
     it 'renders the edit template' do
       get :edit, params: { taxon_concept_id: @taxon_concept.id, id: @taxon_concept_reference.id }, xhr: true
+
       expect(response).to render_template('new')
     end
+
     it 'assigns the  taxon concept reference variable' do
       get :edit, params: { taxon_concept_id: @taxon_concept.id, id: @taxon_concept_reference.id }, xhr: true
+
       expect(assigns(:taxon_concept_reference)).not_to be_nil
     end
   end
@@ -57,8 +68,11 @@
         taxon_concept_id: @taxon_concept.id
       )
     end
+
     it 'renders create when successful' do
-      put :update, format: 'js', xhr: true,
+      put :update,
+        format: 'js',
+        xhr: true,
         params: {
           taxon_concept_id: @taxon_concept.id,
           id: @taxon_concept_reference.id,
@@ -66,19 +80,25 @@
             reference_attributes: { citation: 'My nice literature' }
           }
         }
+
       expect(response).to render_template('create')
     end
+
     it 'renders new when not successful' do
-      put :update, format: 'js', xhr: true,
+      put :update,
+        format: 'js',
+        xhr: true,
         params: {
           taxon_concept_id: @taxon_concept.id,
           id: @taxon_concept_reference.id,
           taxon_concept_reference: {
+            reference_id: 'not a valid integer',
             reference_attributes: {
-              dummy: 'test'
+              citation: nil
             }
           }
         }
+
       expect(response).to render_template('new')
     end
   end
@@ -86,6 +106,7 @@
   describe "XHR GET 'new'" do
     it 'returns http success and renders the new template' do
       get :new, params: { taxon_concept_id: @taxon_concept.id }, xhr: true, format: 'js'
+
       expect(response).to be_successful
       expect(response).to render_template('new')
     end
@@ -93,8 +114,10 @@
 
   describe 'DELETE destroy' do
     let(:taxon_concept_reference) { create(:taxon_concept_reference, taxon_concept_id: @taxon_concept.id, reference_id: @reference.id) }
+
     it 'redirects after delete' do
       delete :destroy, params: { taxon_concept_id: @taxon_concept.id, id: taxon_concept_reference.id }
+
       expect(response).to redirect_to(
         admin_taxon_concept_taxon_concept_references_url(taxon_concept_reference.taxon_concept)
       )
diff --git a/spec/controllers/admin/taxon_concepts_controller_spec.rb b/spec/controllers/admin/taxon_concepts_controller_spec.rb
index a4dcf51c1..c58a4602c 100644
--- a/spec/controllers/admin/taxon_concepts_controller_spec.rb
+++ b/spec/controllers/admin/taxon_concepts_controller_spec.rb
@@ -14,32 +14,40 @@
         )
       )
     end
+
     it 'renders the index template' do
       get :index
       expect(response).to render_template('index')
       expect(response).to render_template('layouts/admin')
     end
+
     it 'redirects if 1 result' do
-      get :index, params: {
-        search_params: {
-          taxonomy: { id: cites_eu.id }, scientific_name: 'Foobarus i'
+      get :index,
+        params: {
+          search_params: {
+            taxonomy: { id: cites_eu.id }, scientific_name: 'Foobarus i'
+          }
         }
-      }
+
       expect(response).to redirect_to(admin_taxon_concept_names_path(@taxon))
     end
+
     it 'assigns taxa in taxonomic order' do
-      get :index, params: {
-        search_params: {
-          taxonomy: { id: cites_eu.id }, scientific_name: 'Foobarus'
+      get :index,
+        params: {
+          search_params: {
+            taxonomy: { id: cites_eu.id }, scientific_name: 'Foobarus'
+          }
         }
-      }
+
       expect(assigns(:taxon_concepts)).to eq([ @taxon.parent, @taxon ])
     end
   end
 
   describe 'XHR POST create' do
     it 'renders create when successful' do
-      post :create, xhr: true,
+      post :create,
+        xhr: true,
         params: {
           taxon_concept: {
             name_status: 'A',
@@ -49,37 +57,47 @@
             parent_id: create_cites_eu_family
           }
         }
+
       expect(response).to render_template('create')
     end
+
     it 'renders new when not successful' do
       post :create, params: { taxon_concept: { dummy: 'test' } }, xhr: true
+
       expect(response).to render_template('new')
     end
+
     it 'renders new_synonym when not successful S' do
       post :create, params: { taxon_concept: { name_status: 'S' } }, xhr: true
+
       expect(response).to render_template('new_synonym')
     end
+
     it 'renders new_hybrid when not successful H' do
       post :create, params: { taxon_concept: { name_status: 'H' } }, xhr: true
       expect(response).to render_template('new_hybrid')
     end
+
     it 'renders new_synonym when not successful N' do
       post :create, params: { taxon_concept: { name_status: 'N' } }, xhr: true
+
       expect(response).to render_template('new_n_name')
     end
   end
 
   describe 'XHR PUT update' do
     let(:taxon_concept) { create(:taxon_concept) }
+
     context 'when JSON' do
       it 'responds with 200 when successful' do
         put :update, format: 'json', params: {
           id: taxon_concept.id,
-          taxon_concept: { dummy: 'test' }
+          taxon_concept: { taxonomic_position: '1.1.3' }
         }, xhr: true
 
         expect(response).to be_successful
       end
+
       it 'responds with json error when not successful' do
         put :update, format: 'json', params: {
           id: taxon_concept.id,
@@ -91,11 +109,18 @@
     end
     context 'when HTML' do
       it 'redirects to edit when successful' do
-        put :update, params: { id: taxon_concept.id, taxon_concept: { dummy: 'test' } }
+        put :update,
+          params: {
+            id: taxon_concept.id,
+            taxon_concept: { taxonomic_position: '1.1.3' }
+          }
+
         expect(response).to redirect_to(edit_admin_taxon_concept_url(taxon_concept))
       end
+
       it 'renders edit when not successful' do
         put :update, params: { id: taxon_concept.id, taxon_concept: { taxonomy_id: nil } }
+
         expect(response).to render_template('edit')
       end
     end
@@ -103,8 +128,10 @@
 
   describe 'DELETE destroy' do
     let(:taxon_concept) { create(:taxon_concept) }
+
     it 'redirects after delete' do
       delete :destroy, params: { id: taxon_concept.id }
+
       expect(response).to redirect_to(admin_taxon_concepts_url)
     end
   end
@@ -115,6 +142,7 @@
 
     it "redirects to admin root path and doesn't delete" do
       delete :destroy, params: { id: taxon_concept.id }
+
       expect(response).to redirect_to(admin_root_path)
       expect(TaxonConcept.where(id: taxon_concept.id).size).to eq(1)
     end
@@ -126,11 +154,13 @@
 
     it 'redirects to root path' do
       get :index
+
       expect(response).to redirect_to(root_path)
     end
 
     it "redirects to root path and doesn't delete" do
       delete :destroy, params: { id: taxon_concept.id }
+
       expect(response).to redirect_to(root_path)
       expect(TaxonConcept.where(id: taxon_concept.id).size).to eq(1)
     end
@@ -142,9 +172,14 @@
         taxon_name: create(:taxon_name, scientific_name: 'AAA')
       )
     end
+
     it 'returns properly formatted json' do
-      get :autocomplete, format: 'json',
-        params: { search_params: { scientific_name: 'AAA' } }, xhr: true
+      get :autocomplete,
+        format: 'json',
+        params: {
+          search_params: { scientific_name: 'AAA' }
+        }, xhr: true
+
       expect(response.body).to have_json_size(1)
       expect(parse_json(response.body, '0/full_name')).to eq('Aaa')
     end
diff --git a/spec/controllers/admin/taxon_eu_suspensions_controller_spec.rb b/spec/controllers/admin/taxon_eu_suspensions_controller_spec.rb
index c2d6ec5f4..3a7e185fb 100644
--- a/spec/controllers/admin/taxon_eu_suspensions_controller_spec.rb
+++ b/spec/controllers/admin/taxon_eu_suspensions_controller_spec.rb
@@ -10,10 +10,13 @@
   describe 'GET index' do
     it 'renders the index template' do
       get :index, params: { taxon_concept_id: @taxon_concept.id }
+
       expect(response).to render_template('index')
     end
+
     it 'renders the taxon_concepts_layout' do
       get :index, params: { taxon_concept_id: @taxon_concept.id }
+
       expect(response).to render_template('layouts/taxon_concepts')
     end
   end
@@ -21,12 +24,16 @@
   describe 'GET new' do
     it 'renders the new template' do
       get :new, params: { taxon_concept_id: @taxon_concept.id }
+
       expect(response).to render_template('new')
     end
+
     it 'assigns @geo_entities (country and territory) with two objects' do
       territory = create(:geo_entity, geo_entity_type_id: territory_geo_entity_type.id)
       country = create(:geo_entity)
+
       get :new, params: { taxon_concept_id: @taxon_concept.id }
+
       expect(assigns(:geo_entities).size).to eq(2)
     end
   end
@@ -36,82 +43,101 @@
       before do
         @eu_decision_type = create(:eu_decision_type)
       end
+
       it 'redirects to the EU suspensions index' do
-        post :create, params: {
-          eu_suspension: {
-            eu_decision_type_id: @eu_decision_type.id,
-            start_date: Date.new(2013, 1, 1),
-            geo_entity_id: create(
-              :geo_entity, geo_entity_type_id: country_geo_entity_type.id
-            )
-          }, taxon_concept_id: @taxon_concept.id
-        }
+        post :create,
+          params: {
+            eu_suspension: {
+              eu_decision_type_id: @eu_decision_type.id,
+              start_date: Date.new(2013, 1, 1),
+              geo_entity_id: create(
+                :geo_entity, geo_entity_type_id: country_geo_entity_type.id
+              )
+            }, taxon_concept_id: @taxon_concept.id
+          }
+
         expect(response).to redirect_to(admin_taxon_concept_eu_suspensions_url(@taxon_concept.id))
       end
     end
 
     context 'when not successful' do
       it 'renders new' do
-        post :create, params: { eu_suspension: { dummy: 'test' }, taxon_concept_id: @taxon_concept.id }
+        post :create,
+          params: {
+            eu_suspension: { start_date: nil },
+            taxon_concept_id: @taxon_concept.id
+          }
+
         expect(response).to render_template('new')
       end
     end
   end
 
   describe 'GET edit' do
-    before(:each) do
+    before do
       @eu_suspension = create(
         :eu_suspension,
         taxon_concept_id: @taxon_concept.id
       )
     end
+
     it 'renders the edit template' do
       get :edit, params: { id: @eu_suspension.id, taxon_concept_id: @taxon_concept.id }
+
       expect(response).to render_template('edit')
     end
+
     it 'assigns @geo_entities' do
       territory = create(:geo_entity, geo_entity_type_id: territory_geo_entity_type.id)
+
       get :edit, params: { id: @eu_suspension.id, taxon_concept_id: @taxon_concept.id }
+
       expect(assigns(:geo_entities)).to include(territory)
     end
   end
 
   describe 'PUT update' do
-    before(:each) do
+    before do
       @eu_suspension = create(
         :eu_suspension,
         taxon_concept_id: @taxon_concept.id
       )
+
       @srg_history = create(:srg_history)
     end
 
     context 'when successful' do
       context 'when eu_decision_type is present' do
         it 'renders taxon_concepts EU suspensions page' do
-          put :update, params: {
-            eu_suspension: {
-              eu_decision_type_id: create(:eu_decision_type),
-              geo_entity_id: create(
-                :geo_entity, geo_entity_type_id: country_geo_entity_type.id
-              )
-            }, id: @eu_suspension.id, taxon_concept_id: @taxon_concept.id
-          }
+          put :update,
+            params: {
+              eu_suspension: {
+                eu_decision_type_id: create(:eu_decision_type),
+                geo_entity_id: create(
+                  :geo_entity, geo_entity_type_id: country_geo_entity_type.id
+                )
+              }, id: @eu_suspension.id, taxon_concept_id: @taxon_concept.id
+            }
+
           expect(response).to redirect_to(
             admin_taxon_concept_eu_suspensions_url(@taxon_concept)
           )
         end
       end
+
       context 'when eu_decision_type is not present' do
         it 'renders taxon_concepts EU suspensions page' do
-          put :update, params: {
-            eu_suspension: {
-              eu_decision_type_id: nil,
-              srg_history_id: @srg_history.id,
-              geo_entity_id: create(
-                :geo_entity, geo_entity_type_id: country_geo_entity_type.id
-              )
-            }, id: @eu_suspension.id, taxon_concept_id: @taxon_concept.id
-          }
+          put :update,
+            params: {
+              eu_suspension: {
+                eu_decision_type_id: nil,
+                srg_history_id: @srg_history.id,
+                geo_entity_id: create(
+                  :geo_entity, geo_entity_type_id: country_geo_entity_type.id
+                )
+              }, id: @eu_suspension.id, taxon_concept_id: @taxon_concept.id
+            }
+
           expect(response).to redirect_to(
             admin_taxon_concept_eu_suspensions_url(@taxon_concept)
           )
@@ -122,24 +148,31 @@
     context 'when not successful' do
       context 'when eu_decision_type is present' do
         it 'renders new' do
-          put :update, params: {
-            eu_suspension: {
-              eu_decision_type_id: create(:eu_decision_type),
-              geo_entity_id: nil
-            }, id: @eu_suspension.id, taxon_concept_id: @taxon_concept.id
-          }
+          put :update,
+            params: {
+              eu_suspension: {
+                eu_decision_type_id: create(:eu_decision_type),
+                geo_entity_id: nil
+              }, id: @eu_suspension.id, taxon_concept_id: @taxon_concept.id
+            }
+
           expect(response).to render_template('new')
         end
       end
+
       context 'when eu_decision_type is not present' do
         it 'renders new' do
-          put :update, params: {
-            eu_suspension: {
-              eu_decision_type_id: nil,
-              srg_history_id: @srg_history.id,
-              geo_entity_id: nil
-            }, id: @eu_suspension.id, taxon_concept_id: @taxon_concept.id
-          }
+          put :update,
+            params: {
+              eu_suspension: {
+                eu_decision_type_id: nil,
+                srg_history_id: @srg_history.id,
+                geo_entity_id: nil
+              },
+              id: @eu_suspension.id,
+              taxon_concept_id: @taxon_concept.id
+            }
+
           expect(response).to render_template('new')
         end
       end
@@ -147,25 +180,30 @@
 
     context 'when both eu_decision_type and srg_history are empty' do
       it 'renders new' do
-        put :update, params: {
-          eu_suspension: {
-            eu_decision_type_id: nil,
-            srg_history_id: nil,
-            start_date: nil
-          }, id: @eu_suspension.id, taxon_concept_id: @taxon_concept.id
-        }
+        put :update,
+          params: {
+            eu_suspension: {
+              eu_decision_type_id: nil,
+              srg_history_id: nil,
+              start_date: nil
+            },
+            id: @eu_suspension.id,
+            taxon_concept_id: @taxon_concept.id
+          }
+
         expect(response).to render_template('new')
       end
     end
   end
 
   describe 'DELETE destroy' do
-    before(:each) do
+    before do
       @eu_suspension = create(
         :eu_suspension,
         taxon_concept_id: @taxon_concept.id
       )
     end
+
     it 'redirects after delete' do
       delete :destroy, params: { id: @eu_suspension.id, taxon_concept_id: @taxon_concept.id }
       expect(response).to redirect_to(
@@ -182,16 +220,19 @@
         taxon_concept_id: @taxon_concept.id
       )
     end
+
     describe 'GET index' do
       it 'renders the index template' do
         get :index, params: { taxon_concept_id: @taxon_concept.id }
         expect(response).to render_template('index')
       end
+
       it 'renders the taxon_concepts_layout' do
         get :index, params: { taxon_concept_id: @taxon_concept.id }
         expect(response).to render_template('layouts/taxon_concepts')
       end
     end
+
     describe 'DELETE destroy' do
       it 'fails to delete and redirects' do
         @request.env['HTTP_REFERER'] = admin_taxon_concept_eu_suspensions_url(@taxon_concept)
diff --git a/spec/controllers/admin/taxon_listing_changes_controller_spec.rb b/spec/controllers/admin/taxon_listing_changes_controller_spec.rb
index d33d1f623..c747d02a8 100644
--- a/spec/controllers/admin/taxon_listing_changes_controller_spec.rb
+++ b/spec/controllers/admin/taxon_listing_changes_controller_spec.rb
@@ -33,6 +33,7 @@
         change_type_id: @addition.id,
         effective_at: 2.weeks.ago
       )
+
       listing_change2 = create(
         :listing_change,
         species_listing: @appendix,
@@ -40,16 +41,23 @@
         change_type_id: @addition.id,
         effective_at: 1.week.ago
       )
+
       get :index, params: { taxon_concept_id: @taxon_concept.id, designation_id: @designation.id }
+
       expect(assigns(:listing_changes)).to eq([ listing_change2, listing_change1 ])
+
       expect(assigns(:taxon_concept)).to eq @taxon_concept
     end
+
     it 'renders the index template' do
       get :index, params: { taxon_concept_id: @taxon_concept.id, designation_id: @designation.id }
+
       expect(response).to render_template('index')
     end
+
     it 'renders the taxon_concepts_layout' do
       get :index, params: { taxon_concept_id: @taxon_concept.id, designation_id: @designation.id }
+
       expect(response).to render_template('layouts/taxon_concepts')
     end
   end
@@ -57,10 +65,13 @@
   describe 'GET new' do
     it 'renders the new template' do
       get :new, params: { taxon_concept_id: @taxon_concept.id, designation_id: @designation.id }
+
       expect(response).to render_template('new')
     end
+
     it 'assigns @listing_change' do
       get :new, params: { taxon_concept_id: @taxon_concept.id, designation_id: @designation.id }
+
       expect(assigns(:listing_change)).not_to be_nil
     end
   end
@@ -68,21 +79,33 @@
   describe 'POST create' do
     context 'when successful' do
       it 'redirects to taxon_concept listing_changes page' do
-        post :create, params: {
-          listing_change: {
-            change_type_id: @addition.id,
-            species_listing_id: @appendix.id,
-            effective_at: 1.week.ago
-          }, taxon_concept_id: @taxon_concept.id, designation_id: @designation.id
-        }
+        post :create,
+          params: {
+            listing_change: {
+              change_type_id: @addition.id,
+              species_listing_id: @appendix.id,
+              effective_at: 1.week.ago
+            },
+            taxon_concept_id: @taxon_concept.id,
+            designation_id: @designation.id
+          }
+
         expect(response).to redirect_to(
           admin_taxon_concept_designation_listing_changes_url(@taxon_concept, @designation)
         )
       end
     end
+
     it 'renders new when not successful' do
       taxon_concept = create(:taxon_concept)
-      post :create, params: { listing_change: { dummy: 'test' }, taxon_concept_id: @taxon_concept.id, designation_id: @designation.id }
+
+      post :create,
+        params: {
+         listing_change: { change_type_id: 0 },
+         taxon_concept_id: @taxon_concept.id,
+         designation_id: @designation.id
+        }
+
       expect(response).to render_template('new')
     end
   end
@@ -97,12 +120,16 @@
         effective_at: 1.week.ago
       )
     end
+
     it 'renders the edit template' do
       get :edit, params: { id: @listing_change.id, taxon_concept_id: @taxon_concept.id, designation_id: @designation.id }
+
       expect(response).to render_template('edit')
     end
+
     it 'assigns the listing_change variable' do
       get :edit, params: { id: @listing_change.id, taxon_concept_id: @taxon_concept.id, designation_id: @designation.id }
+
       expect(assigns(:listing_change)).not_to be_nil
     end
   end
@@ -119,19 +146,26 @@
         annotation_id: @annotation.id
       )
     end
+
     context 'when successful' do
       it 'redirects to taxon_concept listing_changes page' do
-        put :update, params: {
-          listing_change: {
-            change_type_id: @addition.id,
-            species_listing_id: @appendix.id,
-            effective_at: 1.week.ago
-          }, id: @listing_change.id, taxon_concept_id: @taxon_concept.id, designation_id: @designation.id
-        }
+        put :update,
+          params: {
+            listing_change: {
+              change_type_id: @addition.id,
+              species_listing_id: @appendix.id,
+              effective_at: 1.week.ago
+            },
+            id: @listing_change.id,
+            taxon_concept_id: @taxon_concept.id,
+            designation_id: @designation.id
+          }
+
         expect(response).to redirect_to(
           admin_taxon_concept_designation_listing_changes_url(@taxon_concept, @designation)
         )
       end
+
       it 'redirects to eu regulation listing changes page when param is set' do
         taxon_concept = create(:taxon_concept)
         eu_designation = create(
@@ -158,26 +192,44 @@
           effective_at: 1.week.ago,
           event_id: eu_regulation.id
         )
-        put :update, params: {
-          listing_change: {
-            change_type_id: addition.id,
-            species_listing_id: annex.id,
-            effective_at: 1.week.ago
-          }, id: listing_change2.id, taxon_concept_id: taxon_concept.id, designation_id: eu_designation.id, redirect_to_eu_reg: '1'
-        }
+
+        put :update,
+          params: {
+            listing_change: {
+              change_type_id: addition.id,
+              species_listing_id: annex.id,
+              effective_at: 1.week.ago
+            },
+            id: listing_change2.id,
+            taxon_concept_id: taxon_concept.id,
+            designation_id: eu_designation.id,
+            redirect_to_eu_reg: '1'
+          }
+
         expect(response).to redirect_to(
           admin_eu_regulation_listing_changes_url(eu_regulation)
         )
       end
     end
+
     it 'renders edit when not successful' do
-      put :update, params: { listing_change: { effective_at: nil }, id: @listing_change.id, taxon_concept_id: @taxon_concept.id, designation_id: @designation.id }
+      put :update,
+        params: {
+          listing_change: { effective_at: nil },
+          id: @listing_change.id,
+          taxon_concept_id: @taxon_concept.id,
+          designation_id: @designation.id
+        }
+
       expect(response).to render_template('edit')
     end
 
     it 'redirects to index page and removes annotation when fields cleared' do
       put :update, params: {
-        id: @listing_change.id, taxon_concept_id: @taxon_concept.id, designation_id: @designation.id, listing_change: {
+        id: @listing_change.id,
+        taxon_concept_id: @taxon_concept.id,
+        designation_id: @designation.id,
+        listing_change: {
           annotation_attributes: {
             'short_note_en' => '', 'short_note_es' => '',
             'short_note_fr' => '', 'full_note_en' => '',
@@ -186,11 +238,13 @@
           }
         }
       }
+
       expect(response).to redirect_to(
         admin_taxon_concept_designation_listing_changes_url(
           @taxon_concept, @designation
         )
       )
+
       expect(@listing_change.reload.annotation).to be_nil
     end
   end
@@ -205,8 +259,15 @@
         effective_at: 1.week.ago
       )
     end
+
     it 'redirects after delete' do
-      delete :destroy, params: { id: @listing_change.id, taxon_concept_id: @taxon_concept.id, designation_id: @designation.id }
+      delete :destroy,
+        params: {
+          id: @listing_change.id,
+          taxon_concept_id: @taxon_concept.id,
+          designation_id: @designation.id
+        }
+
       expect(response).to redirect_to(
         admin_taxon_concept_designation_listing_changes_url(@taxon_concept, @designation)
       )
@@ -214,6 +275,7 @@
   end
   describe 'Authorization for contributors' do
     login_contributor
+
     let!(:listing_change) do
       create(
         :listing_change,
@@ -223,23 +285,36 @@
         effective_at: 1.week.ago
       )
     end
+
     describe 'GET index' do
       it 'renders the index template' do
         get :index, params: { taxon_concept_id: @taxon_concept.id, designation_id: @designation.id }
+
         expect(response).to render_template('index')
       end
+
       it 'renders the taxon_concepts_layout' do
         get :index, params: { taxon_concept_id: @taxon_concept.id, designation_id: @designation.id }
+
         expect(response).to render_template('layouts/taxon_concepts')
       end
     end
     describe 'DELETE destroy' do
       it 'fails to delete and redirects' do
-        @request.env['HTTP_REFERER'] = admin_taxon_concept_designation_listing_changes_url(@taxon_concept, @designation)
-        delete :destroy, params: { id: listing_change.id, taxon_concept_id: @taxon_concept.id, designation_id: @designation.id }
+        @request.env['HTTP_REFERER'] =
+          admin_taxon_concept_designation_listing_changes_url(@taxon_concept, @designation)
+
+        delete :destroy,
+          params: {
+            id: listing_change.id,
+            taxon_concept_id: @taxon_concept.id,
+            designation_id: @designation.id
+          }
+
         expect(response).to redirect_to(
           admin_taxon_concept_designation_listing_changes_url(@taxon_concept, @designation)
         )
+
         expect(ListingChange.find(listing_change.id)).not_to be_nil
       end
     end
diff --git a/spec/controllers/admin/taxon_quotas_controller_spec.rb b/spec/controllers/admin/taxon_quotas_controller_spec.rb
index 7259a4f0a..6add6dba7 100644
--- a/spec/controllers/admin/taxon_quotas_controller_spec.rb
+++ b/spec/controllers/admin/taxon_quotas_controller_spec.rb
@@ -12,10 +12,13 @@
   describe 'GET index' do
     it 'renders the index template' do
       get :index, params: { taxon_concept_id: @taxon_concept.id }
+
       expect(response).to render_template('index')
     end
+
     it 'renders the taxon_concepts_layout' do
       get :index, params: { taxon_concept_id: @taxon_concept.id }
+
       expect(response).to render_template('layouts/taxon_concepts')
     end
   end
@@ -23,12 +26,16 @@
   describe 'GET new' do
     it 'renders the new template' do
       get :new, params: { taxon_concept_id: @taxon_concept.id }
+
       expect(response).to render_template('new')
     end
+
     it 'assigns @geo_entities (country and territory) with two objects' do
       geo_entity_type_t = create(:geo_entity_type, name: 'TERRITORY')
       territory = create(:geo_entity, geo_entity_type_id: geo_entity_type_t.id)
+
       get :new, params: { taxon_concept_id: @taxon_concept.id }
+
       expect(assigns(:geo_entities).size).to eq(2)
     end
   end
@@ -36,21 +43,26 @@
   describe 'POST create' do
     context 'when successful' do
       it 'renders index' do
-        post :create, params: {
-          quota: {
-            quota: 1,
-            unit_id: @unit.id,
-            publication_date: 1.week.ago,
-            geo_entity_id: @geo_entity.id
-          }, taxon_concept_id: @taxon_concept.id
-        }
+        post :create,
+          params: {
+            quota: {
+              quota: 1,
+              unit_id: @unit.id,
+              publication_date: 1.week.ago,
+              geo_entity_id: @geo_entity.id
+            }, taxon_concept_id: @taxon_concept.id
+          }
+
         expect(response).to redirect_to(
           admin_taxon_concept_quotas_url(@taxon_concept)
         )
       end
     end
+
     it 'renders new when not successful' do
-      post :create, params: { quota: { dummy: 'test' }, taxon_concept_id: @taxon_concept.id }
+      post :create,
+        params: { quota: { year: 0 }, taxon_concept_id: @taxon_concept.id }
+
       expect(response).to render_template('new')
     end
   end
@@ -64,14 +76,18 @@
         geo_entity_id: @geo_entity.id
       )
     end
+
     it 'renders the edit template' do
       get :edit, params: { id: @quota.id, taxon_concept_id: @taxon_concept.id }
       expect(response).to render_template('edit')
     end
+
     it 'assigns @geo_entities (country and territory) with two objects' do
       geo_entity_type_t = create(:geo_entity_type, name: 'TERRITORY')
       territory = create(:geo_entity, geo_entity_type_id: geo_entity_type_t.id)
+
       get :edit, params: { id: @quota.id, taxon_concept_id: @taxon_concept.id }
+
       expect(assigns(:geo_entities).size).to eq(2)
     end
   end
@@ -88,11 +104,13 @@
 
     context 'when successful' do
       it 'renders taxon_concepts quotas page' do
-        put :update, params: {
-          quota: {
-            publication_date: 1.week.ago
-          }, id: @quota.id, taxon_concept_id: @taxon_concept.id
-        }
+        put :update,
+          params: {
+            quota: { publication_date: 1.week.ago },
+            id: @quota.id,
+            taxon_concept_id: @taxon_concept.id
+          }
+
         expect(response).to redirect_to(
           admin_taxon_concept_quotas_url(@taxon_concept)
         )
@@ -100,11 +118,13 @@
     end
 
     it 'renders new when not successful' do
-      put :update, params: {
-        quota: {
-          publication_date: nil
-        }, id: @quota.id, taxon_concept_id: @taxon_concept.id
-      }
+      put :update,
+        params: {
+          quota: { publication_date: 'not a date' },
+          id: @quota.id,
+          taxon_concept_id: @taxon_concept.id
+        }
+
       expect(response).to render_template('new')
     end
   end
@@ -118,8 +138,10 @@
         geo_entity_id: @geo_entity.id
       )
     end
+
     it 'redirects after delete' do
       delete :destroy, params: { id: @quota.id, taxon_concept_id: @taxon_concept.id }
+
       expect(response).to redirect_to(
         admin_taxon_concept_quotas_url(@taxon_concept)
       )
@@ -128,6 +150,7 @@
 
   describe 'Authorization for contributors' do
     login_contributor
+
     let!(:quota) do
       create(
         :quota,
@@ -136,23 +159,31 @@
         geo_entity_id: @geo_entity.id
       )
     end
+
     describe 'GET index' do
       it 'renders the index template' do
         get :index, params: { taxon_concept_id: @taxon_concept.id }
+
         expect(response).to render_template('index')
       end
+
       it 'renders the taxon_concepts_layout' do
         get :index, params: { taxon_concept_id: @taxon_concept.id }
+
         expect(response).to render_template('layouts/taxon_concepts')
       end
     end
+
     describe 'DELETE destroy' do
       it 'fails to delete and redirects' do
         @request.env['HTTP_REFERER'] = admin_taxon_concept_quotas_url(@taxon_concept)
+
         delete :destroy, params: { id: quota.id, taxon_concept_id: @taxon_concept.id }
+
         expect(response).to redirect_to(
           admin_taxon_concept_quotas_url(@taxon_concept)
         )
+
         expect(Quota.find(quota.id)).not_to be_nil
       end
     end
diff --git a/spec/controllers/trade/sandbox_shipments_controller_spec.rb b/spec/controllers/trade/sandbox_shipments_controller_spec.rb
index fe1c9fd06..08acfed5c 100644
--- a/spec/controllers/trade/sandbox_shipments_controller_spec.rb
+++ b/spec/controllers/trade/sandbox_shipments_controller_spec.rb
@@ -6,20 +6,25 @@
   let(:annual_report_upload) do
     aru = build(:annual_report_upload)
     aru.save(validate: false)
+
     aru
   end
+
   let(:sandbox_klass) do
     Trade::SandboxTemplate.ar_klass(annual_report_upload.sandbox.table_name)
   end
+
   before(:each) do
     @genus = create_cites_eu_genus(
       taxon_name: create(:taxon_name, scientific_name: 'Acipenser')
     )
+
     @species = create_cites_eu_species(
       taxon_name: create(:taxon_name, scientific_name: 'baerii'),
       parent_id: @genus.id
     )
     @shipment = sandbox_klass.create(taxon_name: 'Acipenser baerii', appendix: 'I', year: 2016)
+
     @validation_error = create(
       :validation_error,
       annual_report_upload_id: annual_report_upload.id,
@@ -31,13 +36,16 @@
       error_count: 1
     )
   end
+
   describe 'PUT update' do
     it 'should return success when taxon_name not set' do
       put :update, params: { annual_report_upload_id: annual_report_upload.id, id: @shipment.id, sandbox_shipment: { taxon_name: nil, accepted_taxon_name: nil }, format: :json }
+
       expect(response.body).to be_blank
     end
     it 'should return success when taxon_name does not exist' do
       put :update, params: { annual_report_upload_id: annual_report_upload.id, id: @shipment.id, sandbox_shipment: { taxon_name: 'Acipenser foobarus' }, format: :json }
+
       expect(response.body).to be_blank
     end
   end
@@ -52,6 +60,7 @@
   describe 'POST update_batch' do
     it 'should return success' do
       post :update_batch, params: { annual_report_upload_id: annual_report_upload.id, validation_error_id: @validation_error.id, updates: { appendix: 'II' }, format: :json }
+
       expect(response.body).to be_blank
       expect(sandbox_klass.where(taxon_name: @species.full_name, appendix: 'I').count(true)).to eq(0)
       expect(sandbox_klass.where(taxon_name: @species.full_name, appendix: 'II').count(true)).to eq(1)
@@ -61,6 +70,7 @@
   describe 'POST destroy_batch' do
     it 'should return success' do
       post :destroy_batch, params: { annual_report_upload_id: annual_report_upload.id, validation_error_id: @validation_error.id, format: :json }
+
       expect(response.body).to be_blank
       expect(sandbox_klass.where(taxon_concept_id: @species.id).count(true)).to eq(0)
     end

From 51eb160396ef8246fa4c76c9a95457aa8fd66ed1 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Mon, 13 Apr 2026 16:36:00 +0100
Subject: [PATCH 082/106] chore: rubocop

---
 .rubocop.yml                                       | 14 ++++++++++++++
 .../admin/nomenclature_changes/lump_controller.rb  |  3 ++-
 .../admin/nomenclature_changes/split_controller.rb |  1 +
 .../nomenclature_changes/status_swap_controller.rb |  4 +++-
 .../admin/taxon_eu_suspensions_controller_spec.rb  |  4 ++--
 5 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/.rubocop.yml b/.rubocop.yml
index 9d04a4079..04854f23f 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -175,6 +175,11 @@ Layout/AssignmentIndentation:
 
 Metrics/MethodLength:
   Enabled: false
+  CountAsOne:
+    - array
+    - hash
+    - heredoc
+    - method_call
 
 Naming/VariableNumber:
   Enabled: false
@@ -186,6 +191,15 @@ Layout/HashAlignment:
 Rails/NotNullColumn:
   Enabled: false
 
+Rails/ExampleLength:
+  Enabled: true
+  Max: 10
+  CountAsOne:
+    - array
+    - hash
+    - heredoc
+    - method_call
+
 Rails/UnknownEnv:
   Enabled: true
   Environments:
diff --git a/app/controllers/admin/nomenclature_changes/lump_controller.rb b/app/controllers/admin/nomenclature_changes/lump_controller.rb
index 5a0d52935..3bbc446ba 100644
--- a/app/controllers/admin/nomenclature_changes/lump_controller.rb
+++ b/app/controllers/admin/nomenclature_changes/lump_controller.rb
@@ -1,5 +1,5 @@
 class Admin::NomenclatureChanges::LumpController < Admin::NomenclatureChanges::BuildController
-  steps *NomenclatureChange::Lump::STEPS
+  steps(*NomenclatureChange::Lump::STEPS)
 
   def show
     builder = NomenclatureChange::Lump::Constructor.new(@nomenclature_change)
@@ -22,6 +22,7 @@ def show
       skip_or_previous_step if @nomenclature_change.inputs.map(&:legislation_reassignments).flatten.empty?
     when :summary
       builder.build_document_reassignments
+
       processor = NomenclatureChange::Lump::Processor.new(@nomenclature_change)
       @summary = processor.summary
     end
diff --git a/app/controllers/admin/nomenclature_changes/split_controller.rb b/app/controllers/admin/nomenclature_changes/split_controller.rb
index f29e89d39..ac5afbfe3 100644
--- a/app/controllers/admin/nomenclature_changes/split_controller.rb
+++ b/app/controllers/admin/nomenclature_changes/split_controller.rb
@@ -29,6 +29,7 @@ def show
       skip_or_previous_step if @nomenclature_change.input.legislation_reassignments.empty?
     when :summary
       builder.build_document_reassignments
+
       processor = NomenclatureChange::Split::Processor.new(@nomenclature_change)
       @summary = processor.summary
     end
diff --git a/app/controllers/admin/nomenclature_changes/status_swap_controller.rb b/app/controllers/admin/nomenclature_changes/status_swap_controller.rb
index ed0fd0832..6161f4236 100644
--- a/app/controllers/admin/nomenclature_changes/status_swap_controller.rb
+++ b/app/controllers/admin/nomenclature_changes/status_swap_controller.rb
@@ -1,8 +1,9 @@
 class Admin::NomenclatureChanges::StatusSwapController < Admin::NomenclatureChanges::BuildController
-  steps *NomenclatureChange::StatusSwap::STEPS
+  steps(*NomenclatureChange::StatusSwap::STEPS)
 
   def show
     builder = klass::Constructor.new(@nomenclature_change)
+
     case step
     when :primary_output
       set_events
@@ -21,6 +22,7 @@ def show
       processor = klass::Processor.new(@nomenclature_change)
       @summary = processor.summary
     end
+
     render_wizard
   end
 
diff --git a/spec/controllers/admin/taxon_eu_suspensions_controller_spec.rb b/spec/controllers/admin/taxon_eu_suspensions_controller_spec.rb
index 3a7e185fb..6c38809c9 100644
--- a/spec/controllers/admin/taxon_eu_suspensions_controller_spec.rb
+++ b/spec/controllers/admin/taxon_eu_suspensions_controller_spec.rb
@@ -29,8 +29,8 @@
     end
 
     it 'assigns @geo_entities (country and territory) with two objects' do
-      territory = create(:geo_entity, geo_entity_type_id: territory_geo_entity_type.id)
-      country = create(:geo_entity)
+      create(:geo_entity, geo_entity_type_id: territory_geo_entity_type.id)
+      create(:geo_entity)
 
       get :new, params: { taxon_concept_id: @taxon_concept.id }
 

From 89efdf010df37a0bd5469a4770c6c18b31186c06 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Wed, 15 Apr 2026 16:15:46 +0100
Subject: [PATCH 083/106] chore: merge into single Dockerfile

---
 Dockerfile                     | 245 ++++++++++++++++++++++++++++-----
 Dockerfile.cap-deploy          |  52 -------
 Dockerfile.staging             |  68 ---------
 bin/docker-entrypoint          |   4 +-
 config/deploy.staging.yml      |   3 +-
 config/environments/staging.rb |   3 +-
 config/initializers/devise.rb  |   2 +
 docker-compose.yml             |  87 ++++++------
 8 files changed, 263 insertions(+), 201 deletions(-)
 delete mode 100644 Dockerfile.cap-deploy
 delete mode 100644 Dockerfile.staging

diff --git a/Dockerfile b/Dockerfile
index 120752e97..b35ca58b4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,44 +1,219 @@
-# WARNING:
-# This file is for development, not for production.
-# For production, please refer to https://railsdiff.org/7.0.8.4/7.1.3.4#diff-466a28a0e93935ce250159682062e5a94698a3d8
-# or SUS-ORS project.
+# Staging Dockerfile — identical to Dockerfile.deploy but with puma as CMD.
+# Dockerfile.deploy uses `tail -f /dev/null` for production (Capistrano manages the process).
+# Kamal manages the process via Docker, so we start puma directly here.
 
-# Dockerfile
-FROM ruby:3.4.9
+ARG RUBY_VERSION=3.4.9
 
-# Rails and SAPI has some additional dependencies, e.g. rake requires a JS
-# runtime, so attempt to get these from apt, where possible
-# socat is just for binding ports within docker, not needed for the application
-RUN apt-get update && apt-get install -y --force-yes \
-  libsodium-dev libgmp3-dev libssl-dev \
-  postgresql-common \
-  nodejs \
-  socat \
-  texlive-latex-base texlive-fonts-recommended texlive-fonts-extra texlive-latex-extra \
-;
+FROM ruby:$RUBY_VERSION-slim AS base
+  ARG NODE_VERSION=18.20.8
+  ARG POSTGRES_CLIENT_MAJOR=17
+  ARG TARGETARCH=amd64
+  ARG DEBIAN_FRONTEND=noninteractive
 
-# pg_dump requires that the client library >= the server (major) version
-RUN yes | /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh
-RUN apt-get install -y --force-yes libpq-dev postgresql-client-17
+  WORKDIR /rails
 
-RUN mkdir /SAPI
-WORKDIR /SAPI
+  ##
+  # Rails and SAPI has some additional dependencies, e.g. rake requires a JS
+  # runtime, so attempt to get these from apt, where possible
+  RUN apt-get update -qq \
+    && apt-get install --no-install-recommends -y \
+      # Needed to install Node.js from official distribution archives.
+      curl ca-certificates xz-utils gnupg \
+      \
+      # Needed by psych native extension (`yaml.h`) when bundling on slim images.
+      libyaml-dev \
+      \
+      # Use jemalloc for long-running Rails/Sidekiq processes to reduce allocator fragmentation and lower RSS during
+      # memory-heavy jobs such as questionnaire publish loop expansion.
+      libjemalloc2 \
+      \
+      # Needed for variout library building activities
+      build-essential pkg-config \
+      \
+      # Do not install Postgres libraries from Debian; needs a specific version:
+      #   postgresql-client libpq
+      # Do not install Node.js from Debian; needs a specific version:
+      #   nodejs
+    \
+    ##
+    # Keep PostgreSQL client major version aligned with DB server major version
+    # to avoid the generation of SQL which is inconsistent with the DB server, e.g.
+    # unpinned `postgresql-client` can upgrade to 17 and generate `structure.sql`
+    # that includes `transaction_timeout`, which fails to load on PostgreSQL 15.
+    # pg_dump requires that the client library >= the server (major) version
+    # `postgresql-client-${POSTGRES_CLIENT_MAJOR}` requires PostgreSQL `apt`
+    # repository.
+    && install -d /usr/share/postgresql-common/pgdg \
+    && curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc \
+      | gpg --dearmor -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg \
+    && . /etc/os-release \
+    && echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg] http://apt.postgresql.org/pub/repos/apt ${VERSION_CODENAME}-pgdg main" \
+      > /etc/apt/sources.list.d/pgdg.list \
+    \
+    && apt-get install --no-install-recommends -y --force-yes \
+      # Install libvips for Active Storage preview support
+      libvips \
+      \
+      # Zip for exports
+      zip \
+      #
+      libsodium-dev libgmp3-dev libssl-dev \
+      \
+      # socat is just for binding ports within docker, not needed for the application
+      socat \
+      \
+      # TeX is used for the generation of CITES Checklist PDFs.
+      texlive-latex-base texlive-fonts-recommended texlive-fonts-extra texlive-latex-extra \
+    && rm -rf /var/lib/apt/lists /var/cache/apt/archives \
+  ;
 
-COPY Gemfile.lock /SAPI/Gemfile.lock
+  RUN case $TARGETARCH \
+      in \
+        amd64) NODE_ARCH=x64 ;; \
+        arm64) NODE_ARCH=arm64 ;; \
+        *) echo "Unsupported architecture: '$TARGETARCH'"; exit 1 ;; \
+      esac \
+    && echo https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$NODE_ARCH.tar.xz \
+    && curl -fsSL https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$NODE_ARCH.tar.xz \
+      | tar -xJ -C /usr/local --strip-components=1 \
+  ;
 
-RUN grep -A1 '^BUNDLED WITH$' Gemfile.lock | tail -n1 | tr -d ' ' \
-  | xargs -I _BUNDLER_VERSION_ gem install bundler -v _BUNDLER_VERSION_
+  # Debian installs jemalloc in an architecture-specific library directory. Resolve the actual path at build time and
+  # expose one stable preload path so both the Rails web process and Sidekiq use the same allocator automatically.
+  RUN jemalloc_path="$(find /usr/lib -name 'libjemalloc.so.2' | head -n 1)" \
+    && test -n "${jemalloc_path}" \
+    && ln -sf "${jemalloc_path}" /usr/local/lib/libjemalloc.so.2 \
+  ;
 
-# Don't this any more, as we get it with Docker bindings
-RUN rm /SAPI/Gemfile.lock
+  ENV LD_PRELOAD=/usr/local/lib/libjemalloc.so.2
+
+FROM base AS build
+  ARG DEBIAN_FRONTEND=noninteractive
+  RUN apt-get update -qq \
+    && apt-get install --no-install-recommends -y \
+      build-essential git libyaml-dev pkg-config \
+    && rm -rf /var/lib/apt/lists /var/cache/apt/archives \
+  ;
 
 ##
-# This happens in the entrypoint
-#   RUN bundle install
-#
-# This is done via docker bindings
-#   COPY . /SAPI
-
-ENTRYPOINT ["/SAPI/bin/docker-entrypoint-develop"]
-EXPOSE 3000
-CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0"]
+# For local development, we run `bundler` during the entrypoint
+FROM build AS build-develop
+  ##
+  # BUNDLE_DEPLOYMENT prevents changes to Gemfile.lock
+  ENV RAILS_ENV="development" \
+    NODE_ENV="production" \
+    BUNDLE_DEPLOYMENT="1" \
+    BUNDLE_PATH="/usr/local/bundle"
+
+  ##
+  # Install the same version of bundler as the one used to create the lockfile
+  RUN --mount=type=bind,source=Gemfile.lock,target=Gemfile.lock \
+    grep -A1 '^BUNDLED WITH$' Gemfile.lock | tail -n1 | tr -d ' ' \
+    | xargs -I _BUNDLER_VERSION_ gem install bundler -v _BUNDLER_VERSION_ \
+  ;
+
+FROM build-develop AS exec-develop
+  ##
+  # You may wish to do the following:
+  #
+  #   export LOCAL_UID=$(id -u)
+  #   export LOCAL_GID=$(id -g)
+  ARG LOCAL_UID=1000
+  ARG LOCAL_GID=1000
+  ARG DEFAULT_GROUPNAME=railsgroup
+  ARG DEFAULT_USERNAME=railsuser
+
+  ##
+  # Docker UID/GID Mapping to Host: reuse or create group, then reuse or create
+  # user, and give them passwordless sudo.
+  RUN if getent group $LOCAL_GID > /dev/null; then \
+        grp=$(getent group $LOCAL_GID | cut -d: -f1); \
+      else \
+        groupadd -g $LOCAL_GID $DEFAULT_GROUPNAME; \
+        grp=$DEFAULT_GROUPNAME; \
+      fi \
+    && if getent passwd $LOCAL_UID > /dev/null; then \
+        user=$(getent passwd $LOCAL_UID | cut -d: -f1); \
+      else \
+        useradd -m -u $LOCAL_UID -g "$grp" $DEFAULT_USERNAME; \
+        user=$DEFAULT_USERNAME; \
+      fi \
+    && mkdir -p /etc/sudoers.d/ \
+    && echo "${user} ALL=(ALL) NOPASSWD:ALL" > "/etc/sudoers.d/${user}"\
+    && chmod 0440 "/etc/sudoers.d/${user}" \
+  ;
+
+  ##
+  # Ensure writable dirs for the non-root user
+  RUN mkdir -p /usr/local/bundle \
+      ./ ./db ./log ./storage ./tmp \
+    && chown -R "${LOCAL_UID}:${LOCAL_GID}" \
+      /usr/local/bundle \
+      ./ ./db ./log ./storage ./tmp \
+  ;
+
+  ##
+  # Run as the numeric UID:GID so it works regardless of whether we created
+  # a user
+  USER ${LOCAL_UID}:${LOCAL_GID}
+
+  ENTRYPOINT ["/rails/bin/docker-entrypoint"]
+
+  EXPOSE 80
+
+  CMD ["./bin/rails", "server", "-b", "0.0.0.0"]
+
+##
+# The build step for staging
+FROM build AS build-staging
+  ENV NODE_ENV="production" \
+    RAILS_ENV="staging" \
+    BUNDLE_DEPLOYMENT="1" \
+    BUNDLE_PATH="/usr/local/bundle" \
+    BUNDLE_WITHOUT="development"
+
+  COPY Gemfile Gemfile.lock ./
+
+  RUN grep -A1 '^BUNDLED WITH$' Gemfile.lock | tail -n1 | tr -d ' ' \
+    | xargs -I _BUNDLER_VERSION_ \
+      gem install bundler -v _BUNDLER_VERSION_ \
+  ;
+
+  RUN bundle install \
+    && rm -rf \
+      ~/.bundle/ \
+      "${BUNDLE_PATH}"/ruby/*/cache \
+      "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git \
+    && bundle exec bootsnap precompile --gemfile \
+  ;
+
+  COPY . .
+
+  RUN bundle exec bootsnap precompile app/ lib/
+
+  # RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails assets:precompile
+
+FROM base AS exec-staging
+  ARG DEFAULT_GROUPNAME=railsgroup
+  ARG DEFAULT_USERNAME=railsuser
+  ENV BUNDLE_PATH="/usr/local/bundle"
+
+  # Run and own only the runtime files as a non-root user for security
+  RUN groupadd $DEFAULT_GROUPNAME \
+      --gid 1000 --system \
+    && useradd $DEFAULT_USERNAME \
+      --uid 1000 --gid 1000 --create-home --shell /bin/bash \
+  ;
+
+  USER 1000:1000
+
+  COPY --from="build-staging" --chown=1000:1000 $BUNDLE_PATH $BUNDLE_PATH
+  COPY --from="build-staging" --chown=1000:1000 /rails/ /rails/
+
+  ENTRYPOINT ["/rails/bin/docker-entrypoint"]
+
+  EXPOSE 80
+
+  CMD ["./bin/rails", "server", "-b", "0.0.0.0"]
+
+FROM exec-develop AS default
diff --git a/Dockerfile.cap-deploy b/Dockerfile.cap-deploy
deleted file mode 100644
index dab0ef354..000000000
--- a/Dockerfile.cap-deploy
+++ /dev/null
@@ -1,52 +0,0 @@
-# Dockerfile
-FROM ruby:3.4.9
-
-ENV DEBIAN_FRONTEND=noninteractive
-# Rails and SAPI has some additional dependencies, e.g. rake requires a JS
-# runtime, so attempt to get these from apt, where possible
-RUN apt-get update && apt-get install -y --force-yes \
-  # For ruby?
-  libsodium-dev libgmp3-dev \
-  # For RVM
-  gnupg procps curl libssl-dev \
-  # For assets local_precompile (cap deploy)
-  rsync nodejs \
-  # gems
-  libpq-dev postgresql-client
-
-RUN mkdir /SAPI
-WORKDIR /SAPI
-
-# https://stackoverflow.com/questions/43612927/how-to-correctly-install-rvm-in-docker
-RUN gpg --keyserver keyserver.ubuntu.com --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
-RUN curl -sSL https://get.rvm.io | bash -s
-RUN /bin/bash -l -c ". /etc/profile.d/rvm.sh && rvm install 3.4.9"
-# RVM installed in multi-user mode. However cap assume rvm is installed in single user mode.
-# Create a soft link to fake it.
-RUN mkdir -p ~/.rvm/bin && ln -s /usr/local/rvm/bin/rvm ~/.rvm/bin/rvm
-
-COPY Gemfile /SAPI/Gemfile
-COPY Gemfile.lock /SAPI/Gemfile.lock
-
-ENV BUNDLE_SILENCE_ROOT_WARNING=1
-
-RUN /bin/bash -c "source /etc/profile.d/rvm.sh \
-  && grep -A1 '^BUNDLED WITH$' Gemfile.lock | tail -n1 | tr -d ' ' \
-  | xargs -I _BUNDLER_VERSION_ gem install bundler -v _BUNDLER_VERSION_ \
-  && bundle install"
-
-ENTRYPOINT ["/bin/bash", "-l"]
-
-##########################################
-## Run the following in container
-##########################################
-# /bin/bash --rcfile cap-deploy-shell.sh
-# [Enter your passphrase]
-# root@commit:/SAPI$ CAP_BRANCH=<branch> bundle exec cap staging deploy
-#
-##########################################
-# Alternatively, from outside docker
-##########################################
-# docker exec -it sapi-cap-deploy /bin/bash --rcfile cap-deploy-shell.sh
-# [Enter your passphrase]
-# root@commit:/SAPI# CAP_BRANCH=<branch> bundle exec cap staging deploy
diff --git a/Dockerfile.staging b/Dockerfile.staging
deleted file mode 100644
index 243139f99..000000000
--- a/Dockerfile.staging
+++ /dev/null
@@ -1,68 +0,0 @@
-# syntax=docker/dockerfile:1
-# check=error=true
-
-# Staging Dockerfile — identical to Dockerfile.deploy but with puma as CMD.
-# Dockerfile.deploy uses `tail -f /dev/null` for production (Capistrano manages the process).
-# Kamal manages the process via Docker, so we start puma directly here.
-
-ARG RUBY_VERSION=3.2.5
-FROM ruby:$RUBY_VERSION-slim AS base
-
-WORKDIR /rails
-
-RUN apt-get update -qq && \
-  apt-get install --no-install-recommends -y curl libjemalloc2 libpq-dev \
-  libsodium-dev libgmp3-dev libssl-dev \
-  curl xz-utils \
-  texlive-latex-base texlive-fonts-recommended texlive-fonts-extra texlive-latex-extra \
-  && rm -rf /var/lib/apt/lists /var/cache/apt/archives
-
-ENV NODE_ENV="production" \
-  RAILS_ENV="production" \
-  BUNDLE_DEPLOYMENT="1" \
-  BUNDLE_PATH="/usr/local/bundle" \
-  BUNDLE_WITHOUT="development"
-
-ARG NODE_VERSION=18.20.8
-ARG TARGETARCH
-RUN case "$TARGETARCH" in \
-  amd64) NODE_ARCH=x64 ;; \
-  arm64) NODE_ARCH=arm64 ;; \
-  *) echo "Unsupported architecture: $TARGETARCH"; exit 1 ;; \
-  esac && \
-  curl -fsSL https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz \
-  | tar -xJ -C /usr/local --strip-components=1
-
-
-FROM base AS build
-
-RUN apt-get update -qq && \
-  apt-get install --no-install-recommends -y build-essential git libyaml-dev pkg-config \
-  && rm -rf /var/lib/apt/lists /var/cache/apt/archives
-
-COPY Gemfile Gemfile.lock ./
-RUN bundle install && \
-  rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git && \
-  bundle exec bootsnap precompile --gemfile
-
-COPY . .
-
-RUN bundle exec bootsnap precompile app/ lib/
-
-RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails assets:precompile
-
-
-FROM base
-
-COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
-COPY --from=build /rails /rails
-
-RUN groupadd --system --gid 1000 rails && \
-  useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
-  chown -R rails:rails db log tmp
-USER 1000:1000
-
-ENTRYPOINT ["/rails/bin/docker-entrypoint"]
-
-EXPOSE 80
-CMD ["./bin/rails", "server", "-b", "0.0.0.0"]
diff --git a/bin/docker-entrypoint b/bin/docker-entrypoint
index 66c698432..cf04702c2 100755
--- a/bin/docker-entrypoint
+++ b/bin/docker-entrypoint
@@ -11,7 +11,9 @@ fi
 #   export LD_PRELOAD
 # fi
 
-bundle install
+if [[ "$RAILS_ENV" =~ "develop" ]]; then
+  bundle install
+fi
 
 mkdir -p {./,spec/}public/downloads/checklist
 mkdir -p {./,spec/}public/downloads/cites_listings
diff --git a/config/deploy.staging.yml b/config/deploy.staging.yml
index 61fdd0ea6..38a92c6e4 100644
--- a/config/deploy.staging.yml
+++ b/config/deploy.staging.yml
@@ -32,7 +32,8 @@ servers:
 
 # Use staging-specific Dockerfile that starts puma (Dockerfile.deploy uses tail -f /dev/null for Capistrano)
 builder:
-  dockerfile: Dockerfile.staging
+  dockerfile: Dockerfile
+  target: exec-staging
 
 # Environment variables
 env:
diff --git a/config/environments/staging.rb b/config/environments/staging.rb
index 6b20dc228..f682a997b 100644
--- a/config/environments/staging.rb
+++ b/config/environments/staging.rb
@@ -136,7 +136,8 @@
   config.ember.variant = :production
 
   # Custom email settings
-  mailer_credentials = Rails.application.credentials[:mailer]
+  # Can be nil when doing asset compilation
+  mailer_credentials = Rails.application.credentials[:mailer] || {}
 
   config.action_mailer.delivery_method = :smtp
   config.action_mailer.smtp_settings = {
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 66d3f7fe7..0e52cc114 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -1,6 +1,8 @@
 # Use this hook to configure devise mailer, warden hooks and so forth.
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
+  return if ENV['SECRET_KEY_BASE_DUMMY'].present?
+
   # The secret key used by Devise. Devise uses this key to generate
   # random tokens. Changing this key will render invalid all existing
   # confirmation, reset password and unlock tokens in the database.
diff --git a/docker-compose.yml b/docker-compose.yml
index 5c16e44a6..4dc7d588c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -92,38 +92,39 @@ services:
     build:
       context: ./
       dockerfile: Dockerfile
+      target: exec-develop
     command: bundle exec rails server -p 3000 -b '0.0.0.0'
     volumes: &rails_volumes
       # Used for both rails and sidekiq
 
       # The following paths are commonly written by the application at runtime
-      - 'app_tmp:/SAPI/tmp'
-      - 'app_log:/SAPI/log'
-      - 'app_storage:/SAPI/storage'
-      - 'app_public_uploads:/SAPI/public/uploads'
-      - 'app_public_downloads:/SAPI/public/downloads'
-      - 'app_private_elibrary:/SAPI/private/elibrary'
-      - 'app_spec_public:/SAPI/spec/public/'
+      # - 'app_tmp:/rails/tmp'
+      # - 'app_log:/rails/log'
+      # - 'app_storage:/rails/storage'
+      # - 'app_public_uploads:/rails/public/uploads'
+      # - 'app_public_downloads:/rails/public/downloads'
+      # - 'app_private_elibrary:/rails/private/elibrary'
+      # - 'app_spec_public:/rails/spec/public/'
 
       # The following paths are writable during build/development
-      - './Gemfile.lock:/SAPI/Gemfile.lock'
+      - './Gemfile.lock:/rails/Gemfile.lock'
 
       # Most rest of the application should not be writable, except to run
       # specific tasks like db migrations
-      - './app:/SAPI/app:${SAPI_CONTAINER_FS_MODE:-ro}'
-      - './bin:/SAPI/bin:${SAPI_CONTAINER_FS_MODE:-ro}'
-      - './config:/SAPI/config:${SAPI_CONTAINER_FS_MODE:-ro}'
-      - './db:/SAPI/db:${SAPI_CONTAINER_FS_MODE:-ro}'
-      - './db_init:/SAPI/db_init:${SAPI_CONTAINER_FS_MODE:-ro}'
-      - './doc:/SAPI/doc:${SAPI_CONTAINER_FS_MODE:-ro}'
-      - './lib:/SAPI/lib:${SAPI_CONTAINER_FS_MODE:-ro}'
-      - './script:/SAPI/script:${SAPI_CONTAINER_FS_MODE:-ro}'
-      - './spec:/SAPI/spec:${SAPI_CONTAINER_FS_MODE:-ro}'
-      - './vendor:/SAPI/vendor:${SAPI_CONTAINER_FS_MODE:-ro}'
+      - './app:/rails/app:${SAPI_CONTAINER_FS_MODE:-ro}'
+      - './bin:/rails/bin:${SAPI_CONTAINER_FS_MODE:-ro}'
+      - './config:/rails/config:${SAPI_CONTAINER_FS_MODE:-ro}'
+      - './db:/rails/db:${SAPI_CONTAINER_FS_MODE:-ro}'
+      - './db_init:/rails/db_init:${SAPI_CONTAINER_FS_MODE:-ro}'
+      - './doc:/rails/doc:${SAPI_CONTAINER_FS_MODE:-ro}'
+      - './lib:/rails/lib:${SAPI_CONTAINER_FS_MODE:-ro}'
+      - './script:/rails/script:${SAPI_CONTAINER_FS_MODE:-ro}'
+      - './spec:/rails/spec:${SAPI_CONTAINER_FS_MODE:-ro}'
+      - './vendor:/rails/vendor:${SAPI_CONTAINER_FS_MODE:-ro}'
 
       # During deploy public/assets is removed and re-added
-      - './public:/SAPI/public'
-      - '.:/SAPI'
+      - './public:/rails/public'
+      - '.:/rails'
 
       # Keep the cache of bundler gems for sharing across install commands
       - bundler_gems:/usr/local/bundle
@@ -153,29 +154,29 @@ services:
     # Sometimes the db is not ready when we attempt to start
     restart: on-failure:10
 
-  deploy:
-    container_name: sapi-cap-deploy
-    build:
-      context: ./
-      dockerfile: Dockerfile.cap-deploy
-    volumes: *rails_volumes
-    networks:
-      - sapi
-    stdin_open: true
-    tty: true
-    environment:
-      SAPI_DATABASE_HOST: sapi-db-pg17
-      SAPI_DATABASE_USERNAME: postgres
-      SAPI_DATABASE_NAME: sapi_development
-      SAPI_DATABASE_PORT: 5432
-      SAPI_SIDEKIQ_REDIS_URL: redis://sapi-redis:6379/0
-      SAPI_SIDEKIQ_REDIS_CACHE_URL: redis://sapi-redis-cache:6380/0
-      # Defaults to blank; used by AppSignal:
-      USER: "$USER"
-      USERNAME: "$USERNAME"
-    secrets:
-      - host_ssh_key
-      - host_ssh_config
+  # deploy:
+  #   container_name: sapi-cap-deploy
+  #   build:
+  #     context: ./
+  #     dockerfile: Dockerfile.cap-deploy
+  #   volumes: *rails_volumes
+  #   networks:
+  #     - sapi
+  #   stdin_open: true
+  #   tty: true
+  #   environment:
+  #     SAPI_DATABASE_HOST: sapi-db-pg17
+  #     SAPI_DATABASE_USERNAME: postgres
+  #     SAPI_DATABASE_NAME: sapi_development
+  #     SAPI_DATABASE_PORT: 5432
+  #     SAPI_SIDEKIQ_REDIS_URL: redis://sapi-redis:6379/0
+  #     SAPI_SIDEKIQ_REDIS_CACHE_URL: redis://sapi-redis-cache:6380/0
+  #     # Defaults to blank; used by AppSignal:
+  #     USER: "$USER"
+  #     USERNAME: "$USERNAME"
+  #   secrets:
+  #     - host_ssh_key
+  #     - host_ssh_config
 
   redis:
     container_name: sapi-redis

From 4b115f2ee437b100c81ff5f4e8e456cfb3b8b8c9 Mon Sep 17 00:00:00 2001
From: Ruan du Toit <ruan.dutoit@unep-wcmc.org>
Date: Thu, 16 Apr 2026 15:25:57 +0100
Subject: [PATCH 084/106] Fix RUBY_VERSION build arg to 3.4.9; remove
 Dockerfile.deploy from base builder config

---
 config/deploy.staging.yml | 1 -
 config/deploy.yml         | 3 +--
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/config/deploy.staging.yml b/config/deploy.staging.yml
index 470ed4e32..9ff32c501 100644
--- a/config/deploy.staging.yml
+++ b/config/deploy.staging.yml
@@ -9,7 +9,6 @@ servers:
       add-host: host.docker.internal:host-gateway # Required to reach host-bound Redis
     proxy:
       hosts:
-        - staging.speciesplus.net # Public-facing domain
         - sapi-web-staging-01.internal.unep-wcmc.org
       ssl:
         certificate_pem: CERTIFICATE_PEM
diff --git a/config/deploy.yml b/config/deploy.yml
index 37ec91439..ac950b430 100644
--- a/config/deploy.yml
+++ b/config/deploy.yml
@@ -39,7 +39,6 @@ ssh:
 # Configure builder setup — builds remotely on the server so localhost:5555 registry works
 builder:
   arch: amd64
-  dockerfile: Dockerfile.deploy
   args:
-    RUBY_VERSION: 3.2.5
+    RUBY_VERSION: 3.4.9
   remote: ssh://wcmc@172.20.0.146

From 2fe120e960dce0cdaf73d716ff6cbde8458be5fe Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 16 Apr 2026 09:22:27 +0100
Subject: [PATCH 085/106] fix: use consistent ruby version, and target the
 right docker branch

---
 Dockerfile                | 30 +++++++------
 Dockerfile.deploy         | 91 ---------------------------------------
 Dockerfile.staging        | 68 -----------------------------
 config/deploy.staging.yml |  3 +-
 config/deploy.yml         |  5 +++
 5 files changed, 25 insertions(+), 172 deletions(-)
 delete mode 100644 Dockerfile.deploy
 delete mode 100644 Dockerfile.staging

diff --git a/Dockerfile b/Dockerfile
index 79d5e1c34..efd5815b6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -108,7 +108,7 @@ FROM build AS build-develop
     | xargs -I _BUNDLER_VERSION_ gem install bundler -v _BUNDLER_VERSION_ \
   ;
 
-FROM build-develop AS exec-develop
+FROM build-develop AS built-develop
   ##
   # You may wish to do the following:
   #
@@ -143,7 +143,7 @@ FROM build-develop AS exec-develop
   # Ensure writable dirs for the non-root user
   RUN mkdir -p /usr/local/bundle \
       ./ ./db ./log ./storage ./tmp \
-    && chown -R "${LOCAL_UID}:${LOCAL_GID}" \
+    && chown -R $LOCAL_UID:$LOCAL_GID \
       /usr/local/bundle \
       ./ ./db ./log ./storage ./tmp \
   ;
@@ -153,15 +153,9 @@ FROM build-develop AS exec-develop
   # a user
   USER ${LOCAL_UID}:${LOCAL_GID}
 
-  ENTRYPOINT ["/rails/bin/docker-entrypoint"]
-
-  EXPOSE 80
-
-  CMD ["./bin/rails", "server", "-b", "0.0.0.0"]
-
 ##
 # The build step for staging
-FROM build AS build-staging
+FROM build AS built-staging
   ENV NODE_ENV="production" \
     RAILS_ENV="staging" \
     BUNDLE_DEPLOYMENT="1" \
@@ -187,9 +181,9 @@ FROM build AS build-staging
 
   RUN bundle exec bootsnap precompile app/ lib/
 
-  # RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails assets:precompile
+  RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails assets:precompile
 
-FROM base AS exec-staging
+FROM base AS base-staging
   ARG DEFAULT_GROUPNAME=railsgroup
   ARG DEFAULT_USERNAME=railsuser
   ENV BUNDLE_PATH="/usr/local/bundle"
@@ -206,10 +200,22 @@ FROM base AS exec-staging
   COPY --from="build-staging" --chown=1000:1000 $BUNDLE_PATH $BUNDLE_PATH
   COPY --from="build-staging" --chown=1000:1000 /rails/ /rails/
 
+FROM built-staging AS deploy-staging
+  CMD ["tail", "-f", "/dev/null"]
+
+FROM built-staging AS exec-staging
   ENTRYPOINT ["/rails/bin/docker-entrypoint"]
 
   EXPOSE 80
 
   CMD ["./bin/rails", "server", "-b", "0.0.0.0"]
 
-FROM exec-develop AS default
+FROM built-develop AS deploy-develop
+  CMD ["tail", "-f", "/dev/null"]
+
+FROM built-develop AS exec-develop
+  ENTRYPOINT ["/rails/bin/docker-entrypoint"]
+
+  EXPOSE 80
+
+  CMD ["./bin/rails", "server", "-b", "0.0.0.0"]
diff --git a/Dockerfile.deploy b/Dockerfile.deploy
deleted file mode 100644
index c678f6183..000000000
--- a/Dockerfile.deploy
+++ /dev/null
@@ -1,91 +0,0 @@
-# syntax=docker/dockerfile:1
-# check=error=true
-
-# This Dockerfile is designed for production, not development. Use with Kamal or build'n'run by hand.
-
-# For a containerized dev environment, see Dev Containers: https://guides.rubyonrails.org/getting_started_with_devcontainer.html
-
-# Make sure RUBY_VERSION matches the Ruby version in .ruby-version
-ARG RUBY_VERSION=3.2.5
-FROM ruby:$RUBY_VERSION-slim AS base
-
-# Rails app lives here
-WORKDIR /rails
-
-# Install base packages
-RUN apt-get update -qq && \
-  apt-get install --no-install-recommends -y curl libjemalloc2 libpq-dev \
-  # ?
-  libsodium-dev libgmp3-dev libssl-dev \
-  # install node js
-  curl xz-utils \
-  # latex (huge file size)
-  texlive-latex-base texlive-fonts-recommended texlive-fonts-extra texlive-latex-extra \
-  && rm -rf /var/lib/apt/lists /var/cache/apt/archives
-
-# Set production environment
-ENV NODE_ENV="production" \
-  RAILS_ENV="production" \
-  BUNDLE_DEPLOYMENT="1" \
-  BUNDLE_PATH="/usr/local/bundle" \
-  BUNDLE_WITHOUT="development"
-
-# Install Node.js 18.20.8 manually
-ARG NODE_VERSION=18.20.8
-ARG TARGETARCH
-# Map Docker TARGETARCH to Node.js archive name
-RUN case "$TARGETARCH" in \
-  amd64) NODE_ARCH=x64 ;; \
-  arm64) NODE_ARCH=arm64 ;; \
-  *) echo "Unsupported architecture: $TARGETARCH"; exit 1 ;; \
-  esac && \
-  curl -fsSL https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz \
-  | tar -xJ -C /usr/local --strip-components=1
-
-
-# Throw-away build stage to reduce size of final image
-FROM base AS build
-
-# Install packages needed to build gems
-RUN apt-get update -qq && \
-  apt-get install --no-install-recommends -y build-essential git libyaml-dev pkg-config \
-  && rm -rf /var/lib/apt/lists /var/cache/apt/archives
-
-# Install application gems
-COPY Gemfile Gemfile.lock ./
-RUN bundle install && \
-  rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git && \
-  bundle exec bootsnap precompile --gemfile
-
-# Copy application code
-COPY . .
-
-# Precompile bootsnap code for faster boot times
-RUN bundle exec bootsnap precompile app/ lib/
-
-# Precompiling assets for production without requiring secret RAILS_MASTER_KEY
-RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails assets:precompile
-
-
-
-
-# Final stage for app image
-FROM base
-
-# Copy built artifacts: gems, application
-COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
-COPY --from=build /rails /rails
-
-# Run and own only the runtime files as a non-root user for security
-RUN groupadd --system --gid 1000 rails && \
-  useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
-  chown -R rails:rails db log tmp
-USER 1000:1000
-
-# Entrypoint prepares the database.
-ENTRYPOINT ["/rails/bin/docker-entrypoint"]
-
-# Start server
-EXPOSE 80
-# CMD ["./bin/rails", "server"]
-CMD ["tail", "-f", "/dev/null"]
diff --git a/Dockerfile.staging b/Dockerfile.staging
deleted file mode 100644
index 243139f99..000000000
--- a/Dockerfile.staging
+++ /dev/null
@@ -1,68 +0,0 @@
-# syntax=docker/dockerfile:1
-# check=error=true
-
-# Staging Dockerfile — identical to Dockerfile.deploy but with puma as CMD.
-# Dockerfile.deploy uses `tail -f /dev/null` for production (Capistrano manages the process).
-# Kamal manages the process via Docker, so we start puma directly here.
-
-ARG RUBY_VERSION=3.2.5
-FROM ruby:$RUBY_VERSION-slim AS base
-
-WORKDIR /rails
-
-RUN apt-get update -qq && \
-  apt-get install --no-install-recommends -y curl libjemalloc2 libpq-dev \
-  libsodium-dev libgmp3-dev libssl-dev \
-  curl xz-utils \
-  texlive-latex-base texlive-fonts-recommended texlive-fonts-extra texlive-latex-extra \
-  && rm -rf /var/lib/apt/lists /var/cache/apt/archives
-
-ENV NODE_ENV="production" \
-  RAILS_ENV="production" \
-  BUNDLE_DEPLOYMENT="1" \
-  BUNDLE_PATH="/usr/local/bundle" \
-  BUNDLE_WITHOUT="development"
-
-ARG NODE_VERSION=18.20.8
-ARG TARGETARCH
-RUN case "$TARGETARCH" in \
-  amd64) NODE_ARCH=x64 ;; \
-  arm64) NODE_ARCH=arm64 ;; \
-  *) echo "Unsupported architecture: $TARGETARCH"; exit 1 ;; \
-  esac && \
-  curl -fsSL https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz \
-  | tar -xJ -C /usr/local --strip-components=1
-
-
-FROM base AS build
-
-RUN apt-get update -qq && \
-  apt-get install --no-install-recommends -y build-essential git libyaml-dev pkg-config \
-  && rm -rf /var/lib/apt/lists /var/cache/apt/archives
-
-COPY Gemfile Gemfile.lock ./
-RUN bundle install && \
-  rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git && \
-  bundle exec bootsnap precompile --gemfile
-
-COPY . .
-
-RUN bundle exec bootsnap precompile app/ lib/
-
-RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails assets:precompile
-
-
-FROM base
-
-COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
-COPY --from=build /rails /rails
-
-RUN groupadd --system --gid 1000 rails && \
-  useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
-  chown -R rails:rails db log tmp
-USER 1000:1000
-
-ENTRYPOINT ["/rails/bin/docker-entrypoint"]
-
-EXPOSE 80
-CMD ["./bin/rails", "server", "-b", "0.0.0.0"]
diff --git a/config/deploy.staging.yml b/config/deploy.staging.yml
index 9ff32c501..3009feb1d 100644
--- a/config/deploy.staging.yml
+++ b/config/deploy.staging.yml
@@ -30,7 +30,8 @@ servers:
       add-host: host.docker.internal:host-gateway # Required to reach host-bound Redis
     cmd: bundle exec sidekiq -C config/sidekiq.yml
 
-# Use staging-specific Dockerfile that starts puma (Dockerfile.deploy uses tail -f /dev/null for Capistrano)
+# Use staging-specific Dockerfile that starts puma
+# (uses tail -f /dev/null)
 builder:
   dockerfile: Dockerfile
   target: exec-staging
diff --git a/config/deploy.yml b/config/deploy.yml
index ac950b430..c212863a4 100644
--- a/config/deploy.yml
+++ b/config/deploy.yml
@@ -41,4 +41,9 @@ builder:
   arch: amd64
   args:
     RUBY_VERSION: 3.4.9
+  dockerfile: Dockerfile
+  target: exec-staging
+  # Use the version in the dockerfile
+  # args:
+  #  RUBY_VERSION: 3.4.9
   remote: ssh://wcmc@172.20.0.146

From 998f6516447ae7402891b9b52e0afb39d85962f7 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 16 Apr 2026 10:58:28 +0100
Subject: [PATCH 086/106] Some fixes for tests

---
 .../admin/document_batches_controller.rb      |  3 +-
 app/controllers/admin/documents_controller.rb | 14 ++--
 .../nomenclature_changes/lump_controller.rb   |  4 ++
 .../nomenclature_changes/split_controller.rb  | 20 +++---
 .../status_swap_controller.rb                 | 18 ++---
 .../status_to_accepted_controller.rb          | 10 +--
 .../status_to_synonym_controller.rb           |  8 +--
 .../trade/sandbox_shipments_controller.rb     |  4 +-
 .../document/review_of_significant_trade.rb   |  1 +
 app/services/document_batch.rb                | 13 +++-
 .../admin/ahoy_events_controller_spec.rb      | 12 ++--
 .../admin/document_batches_controller_spec.rb | 10 +--
 .../admin/documents_controller_spec.rb        |  3 +-
 .../admin/eu_opinions_controller_spec.rb      | 17 ++++-
 .../lump_controller_spec.rb                   | 57 +++++++++++++---
 .../split_controller_spec.rb                  | 15 +++--
 .../status_swap_controller_spec.rb            | 67 ++++++++++++++-----
 .../status_to_synonym_controller_spec.rb      | 10 ++-
 .../controllers/admin/tags_controller_spec.rb | 23 +++++--
 .../admin/taxon_concepts_controller_spec.rb   | 36 +++++++---
 .../admin/taxon_quotas_controller_spec.rb     | 15 +++--
 .../sandbox_shipments_controller_spec.rb      | 58 +++++++++++++---
 spec/services/document_batch_spec.rb          | 31 ++++++---
 23 files changed, 321 insertions(+), 128 deletions(-)

diff --git a/app/controllers/admin/document_batches_controller.rb b/app/controllers/admin/document_batches_controller.rb
index 77722e5c4..6270deea2 100644
--- a/app/controllers/admin/document_batches_controller.rb
+++ b/app/controllers/admin/document_batches_controller.rb
@@ -46,7 +46,7 @@ def document_batch_params
     params.require(:document_batch).permit(
       :event_id, :date, :language_id, :is_public,
       documents_attributes: [ :type ],
-      files: []
+      files: [ {} ]
     )
 
     # TODO: for some reason the following won't work
@@ -57,6 +57,5 @@ def document_batch_params
     #     documents_attributes: [ [ :type ] ],
     #   ]
     # )
-
   end
 end
diff --git a/app/controllers/admin/documents_controller.rb b/app/controllers/admin/documents_controller.rb
index b34aabf3b..e9b996cf8 100644
--- a/app/controllers/admin/documents_controller.rb
+++ b/app/controllers/admin/documents_controller.rb
@@ -178,17 +178,13 @@ def document_params
           ]
         ],
         proposal_details_attributes: [
-          [
-            :id, :_destroy, :document_id,
-            :proposal_nature, :proposal_outcome_id,
-            :representation, :proposal_number
-          ]
+          :id, :_destroy, :document_id,
+          :proposal_nature, :proposal_outcome_id,
+          :representation, :proposal_number
         ],
         review_details_attributes: [
-          [
-            :id, :_destroy, :document_id,
-            :review_phase_id, :process_stage_id, :recommended_category
-          ]
+          :id, :_destroy, :document_id,
+          :review_phase_id, :process_stage_id, :recommended_category
         ]
       ]
     )
diff --git a/app/controllers/admin/nomenclature_changes/lump_controller.rb b/app/controllers/admin/nomenclature_changes/lump_controller.rb
index 3bbc446ba..a922da79e 100644
--- a/app/controllers/admin/nomenclature_changes/lump_controller.rb
+++ b/app/controllers/admin/nomenclature_changes/lump_controller.rb
@@ -84,6 +84,8 @@ def nomenclature_change_lump_params
     params.expect(
       nomenclature_change_lump: [
         :event_id, :status,
+        ##
+        # Note: `inputs` is plural, because lump is many -> one
         inputs_attributes: [
           [
             *input_attribute_names,
@@ -93,6 +95,8 @@ def nomenclature_change_lump_params
             legislation_reassignments_attributes: [ output_reassignment_attribute_names ]
           ]
         ],
+        ##
+        # Note: `outputs` is singular, because lump is many -> one
         output_attributes: output_attribute_names
       ]
     )
diff --git a/app/controllers/admin/nomenclature_changes/split_controller.rb b/app/controllers/admin/nomenclature_changes/split_controller.rb
index ac5afbfe3..907f67bb7 100644
--- a/app/controllers/admin/nomenclature_changes/split_controller.rb
+++ b/app/controllers/admin/nomenclature_changes/split_controller.rb
@@ -87,16 +87,18 @@ def nomenclature_change_split_params
     params.expect(
       nomenclature_change_split: [
         :event_id, :status,
-        inputs_attributes: [
-          [
-            *input_attribute_names,
-            parent_reassignments_attributes: [ output_parent_reassignment_attribute_names ],
-            name_reassignments_attributes: [ output_reassignment_attribute_names ],
-            distribution_reassignments_attributes: [ output_reassignment_attribute_names ],
-            legislation_reassignments_attributes: [ output_reassignment_attribute_names ]
-          ]
+        ##
+        # Note: `input` is singular, because split is one -> many
+        input_attributes: [
+          *input_attribute_names,
+          parent_reassignments_attributes: [ output_parent_reassignment_attribute_names ],
+          name_reassignments_attributes: [ output_reassignment_attribute_names ],
+          distribution_reassignments_attributes: [ output_reassignment_attribute_names ],
+          legislation_reassignments_attributes: [ output_reassignment_attribute_names ]
         ],
-        output_attributes: output_attribute_names
+        ##
+        # Note: `outputs` is plural, because split is one -> many
+        outputs_attributes: [ output_attribute_names ]
       ]
     )
   end
diff --git a/app/controllers/admin/nomenclature_changes/status_swap_controller.rb b/app/controllers/admin/nomenclature_changes/status_swap_controller.rb
index 6161f4236..63ddb81c8 100644
--- a/app/controllers/admin/nomenclature_changes/status_swap_controller.rb
+++ b/app/controllers/admin/nomenclature_changes/status_swap_controller.rb
@@ -70,26 +70,26 @@ def nomenclature_change_status_swap_params
       input_attribute_names,
       output_attribute_names,
       output_reassignment_attribute_names,
-      parent_reassignments_attribute_names,
+      output_parent_reassignments_attribute_names,
     ) = common_nomenclature_change_attribute_names.values_at(
       :input_attribute_names,
       :output_attribute_names,
       :output_reassignment_attribute_names,
-      :parent_reassignments_attribute_names,
+      :output_parent_reassignments_attribute_names,
     )
 
     params.expect(
       nomenclature_change_status_swap: [
         :event_id, :status,
-        primary_output_attributes: [ output_attribute_names ],
-        secondary_output_attributes: [ output_attribute_names ],
+        primary_output_attributes: output_attribute_names,
+        secondary_output_attributes: output_attribute_names,
         input_attributes: [
           *input_attribute_names,
-          parent_reassignments_attributes: [ parent_reassignments_attribute_names ]
-        ],
-        name_reassignments_attributes: [ output_reassignment_attribute_names ],
-        distribution_reassignments_attributes: [ output_reassignment_attribute_names ],
-        legislation_reassignments_attributes: [ output_reassignment_attribute_names ]
+          parent_reassignments_attributes: [ output_parent_reassignments_attribute_names ],
+          name_reassignments_attributes: [ output_reassignment_attribute_names ],
+          distribution_reassignments_attributes: [ output_reassignment_attribute_names ],
+          legislation_reassignments_attributes: [ output_reassignment_attribute_names ]
+        ]
       ]
     )
   end
diff --git a/app/controllers/admin/nomenclature_changes/status_to_accepted_controller.rb b/app/controllers/admin/nomenclature_changes/status_to_accepted_controller.rb
index e7f3d535c..460b52d65 100644
--- a/app/controllers/admin/nomenclature_changes/status_to_accepted_controller.rb
+++ b/app/controllers/admin/nomenclature_changes/status_to_accepted_controller.rb
@@ -70,11 +70,11 @@ def nomenclature_change_status_to_accepted_params
         secondary_output_attributes: output_attribute_names,
         input_attributes: [
           *input_attribute_names,
-          parent_reassignments_attributes: [ parent_reassignments_attribute_names ]
-        ],
-        name_reassignments_attributes: [ output_reassignment_attribute_names ],
-        distribution_reassignments_attributes: [ output_reassignment_attribute_names ],
-        legislation_reassignments_attributes: [ output_reassignment_attribute_names ]
+          parent_reassignments_attributes: [ parent_reassignments_attribute_names ],
+          name_reassignments_attributes: [ output_reassignment_attribute_names ],
+          distribution_reassignments_attributes: [ output_reassignment_attribute_names ],
+          legislation_reassignments_attributes: [ output_reassignment_attribute_names ]
+        ]
       ]
     )
   end
diff --git a/app/controllers/admin/nomenclature_changes/status_to_synonym_controller.rb b/app/controllers/admin/nomenclature_changes/status_to_synonym_controller.rb
index 4ecae38ea..c683d36ca 100644
--- a/app/controllers/admin/nomenclature_changes/status_to_synonym_controller.rb
+++ b/app/controllers/admin/nomenclature_changes/status_to_synonym_controller.rb
@@ -83,11 +83,11 @@ def nomenclature_change_status_to_synonym_params
         secondary_output_attributes: output_attribute_names,
         input_attributes: [
           *input_attribute_names,
-          parent_reassignments_attributes: [ parent_reassignments_attribute_names ]
+          parent_reassignments_attributes: [ parent_reassignments_attribute_names ],
+          name_reassignments_attributes: [ output_reassignment_attribute_names ],
+          distribution_reassignments_attributes: [ output_reassignment_attribute_names ],
+          legislation_reassignments_attributes: [ output_reassignment_attribute_names ]
         ],
-        name_reassignments_attributes: [ output_reassignment_attribute_names ],
-        distribution_reassignments_attributes: [ output_reassignment_attribute_names ],
-        legislation_reassignments_attributes: [ output_reassignment_attribute_names ]
       ]
     )
   end
diff --git a/app/controllers/trade/sandbox_shipments_controller.rb b/app/controllers/trade/sandbox_shipments_controller.rb
index 856ee2e2f..ca12cbc75 100644
--- a/app/controllers/trade/sandbox_shipments_controller.rb
+++ b/app/controllers/trade/sandbox_shipments_controller.rb
@@ -39,7 +39,7 @@ def update_batch
     sandbox_klass = Trade::SandboxTemplate.ar_klass(aru.sandbox.table_name)
 
     sandbox_klass.update_batch(
-      update_batch_params[:updates], ve, aru
+      update_batch_params, ve, aru
     )
 
     head :no_content
@@ -71,8 +71,6 @@ def destroy_batch_params
 
   def update_batch_params
     params.expect(
-      :annual_report_upload_id,
-      :validation_error_id,
       updates: sandbox_shipment_attribute_names
     )
   end
diff --git a/app/models/document/review_of_significant_trade.rb b/app/models/document/review_of_significant_trade.rb
index 52055b64b..879a6cf89 100644
--- a/app/models/document/review_of_significant_trade.rb
+++ b/app/models/document/review_of_significant_trade.rb
@@ -60,5 +60,6 @@ def self.display_name
     class_name: 'ReviewDetails',
     foreign_key: 'document_id',
     dependent: :destroy
+
   accepts_nested_attributes_for :review_details, allow_destroy: true
 end
diff --git a/app/services/document_batch.rb b/app/services/document_batch.rb
index 6664a9eeb..700d15135 100644
--- a/app/services/document_batch.rb
+++ b/app/services/document_batch.rb
@@ -1,8 +1,11 @@
 class DocumentBatch
   extend ActiveModel::Naming
+
   include ActiveModel::Conversion
   include ActiveModel::Validations
+
   attr_reader :event_id, :language_id, :date, :is_public, :documents
+
   validates :date, presence: true
   validates :documents, presence: true, allow_blank: false
 
@@ -11,6 +14,7 @@ def initialize(attributes = {})
     @language_id = attributes[:language_id]
     @date = attributes[:date]
     @is_public = attributes[:is_public]
+
     initialize_documents(attributes[:documents_attributes], attributes[:files])
   end
 
@@ -25,6 +29,7 @@ def save
           success = false
         end
       end
+
       raise ActiveRecord::Rollback unless success
     end
 
@@ -40,7 +45,12 @@ def persisted?
   def initialize_documents(documents_attributes, files)
     @documents = []
 
-    if documents_attributes && files
+    if (
+      documents_attributes &&
+      files &&
+      documents_attributes.try(:length) == files.try(:length)
+    )
+
       for idx in 0..(files.length - 1) do
         document_params =
           if files[idx].respond_to?(:read) # Filter out invalid params for ActiveStorage.
@@ -54,6 +64,7 @@ def initialize_documents(documents_attributes, files)
               type: documents_attributes[idx][:type]
             }
           end
+
         @documents.push(Document.new(common_attributes.merge(document_params)))
       end
     end
diff --git a/spec/controllers/admin/ahoy_events_controller_spec.rb b/spec/controllers/admin/ahoy_events_controller_spec.rb
index 6da244541..0f1499b79 100644
--- a/spec/controllers/admin/ahoy_events_controller_spec.rb
+++ b/spec/controllers/admin/ahoy_events_controller_spec.rb
@@ -5,16 +5,18 @@
   login_admin
 
   describe 'index' do
-    let!(:ahoy_event1) do
-      create(:ahoy_event, name: 'Search')
+    let!(:ahoy_event_older) do
+      create(:ahoy_event, name: 'Search', time: 3.days.ago)
     end
-    let!(:ahoy_event2) do
-      create(:ahoy_event, name: 'Taxon Concept')
+
+    let!(:ahoy_event_newer) do
+      create(:ahoy_event, name: 'Taxon Concept', time: 2.days.ago)
     end
 
     describe 'GET index' do
       it 'assigns to @ahoy_events sorted by time DESC' do
-        events = [ ahoy_event1, ahoy_event2 ]
+        events = [ ahoy_event_newer, ahoy_event_older ]
+
         get :index
         expect(assigns(:ahoy_events)).to eq(events)
       end
diff --git a/spec/controllers/admin/document_batches_controller_spec.rb b/spec/controllers/admin/document_batches_controller_spec.rb
index b23517c82..a5858a36e 100644
--- a/spec/controllers/admin/document_batches_controller_spec.rb
+++ b/spec/controllers/admin/document_batches_controller_spec.rb
@@ -52,7 +52,7 @@
             params: {
               document_batch: {
                 date: Date.today,
-                documents_attributes: [ document_attrs ],
+                documents_attributes: { '0': document_attrs },
                 files: files
               }
             }
@@ -78,7 +78,7 @@
             params: {
               document_batch: {
                 date: nil,
-                documents_attributes: [ document_attrs ],
+                documents_attributes: { '0': document_attrs },
                 files: files
               }
             }
@@ -90,7 +90,7 @@
           params: {
             document_batch: {
               date: nil,
-              documents_attributes: [ document_attrs ],
+              documents_attributes: { '0': document_attrs },
               files: files
             }
           }
@@ -107,7 +107,7 @@
           params: {
             event_id: event.id, document_batch: {
               date: Date.today,
-              documents_attributes: [ document_attrs ],
+              documents_attributes: { '0': document_attrs },
               files: files
             }
           }
@@ -120,7 +120,7 @@
           params: {
             event_id: event.id, document_batch: {
               date: nil,
-              documents_attributes: [ document_attrs ],
+              documents_attributes: { '0': document_attrs },
               files: files
             }
           }
diff --git a/spec/controllers/admin/documents_controller_spec.rb b/spec/controllers/admin/documents_controller_spec.rb
index 7f90d2778..ed8676c02 100644
--- a/spec/controllers/admin/documents_controller_spec.rb
+++ b/spec/controllers/admin/documents_controller_spec.rb
@@ -220,7 +220,8 @@
       it 'assign review phase to Review' do
         put :update,
           params: {
-            id: document.id, document: {
+            id: document.id,
+            document: {
               date: Date.today,
               review_details_attributes: { review_phase_id: review_phase.id }
             }
diff --git a/spec/controllers/admin/eu_opinions_controller_spec.rb b/spec/controllers/admin/eu_opinions_controller_spec.rb
index 5abd2395c..7799eb543 100644
--- a/spec/controllers/admin/eu_opinions_controller_spec.rb
+++ b/spec/controllers/admin/eu_opinions_controller_spec.rb
@@ -95,7 +95,10 @@
 
     context 'when not successful' do
       it 'renders new' do
-        post :create, params: { eu_opinion: { dummy: 'test' }, taxon_concept_id: @taxon_concept.id }
+        post :create, params: {
+          eu_opinion: { geo_entity_id: 0 },
+          taxon_concept_id: @taxon_concept.id
+        }
 
         expect(response).to render_template('new')
       end
@@ -112,7 +115,11 @@
     end
 
     it 'renders the edit template' do
-      get :edit, params: { id: @eu_opinion.id, taxon_concept_id: @taxon_concept.id, start_event_id: @eu_regulation.id }
+      get :edit, params: {
+        id: @eu_opinion.id,
+        taxon_concept_id: @taxon_concept.id,
+        start_event_id: @eu_regulation.id
+      }
 
       expect(response).to render_template('edit')
     end
@@ -120,7 +127,11 @@
     it 'assigns @geo_entities' do
       territory = create(:geo_entity, geo_entity_type_id: territory_geo_entity_type.id)
 
-      get :edit, params: { id: @eu_opinion.id, taxon_concept_id: @taxon_concept.id, start_event_id: @eu_regulation.id }
+      get :edit, params: {
+        id: @eu_opinion.id,
+        taxon_concept_id: @taxon_concept.id,
+        start_event_id: @eu_regulation.id
+      }
 
       expect(assigns(:geo_entities)).to include(territory)
     end
diff --git a/spec/controllers/admin/nomenclature_changes/lump_controller_spec.rb b/spec/controllers/admin/nomenclature_changes/lump_controller_spec.rb
index 8fb8783ff..aaffb334e 100644
--- a/spec/controllers/admin/nomenclature_changes/lump_controller_spec.rb
+++ b/spec/controllers/admin/nomenclature_changes/lump_controller_spec.rb
@@ -5,47 +5,62 @@
 
   describe 'GET show' do
     context 'inputs' do
-      before(:each) do
+      before do
         @lump = create(:nomenclature_change_lump)
       end
+
       it 'renders the inputs template' do
         get :show, params: { id: :inputs, nomenclature_change_id: @lump.id }
+
         expect(response).to render_template('inputs')
       end
     end
+
     context 'outputs' do
-      before(:each) do
+      before do
         @lump = create(:nomenclature_change_lump)
+
         create(:nomenclature_change_input, nomenclature_change: @lump)
       end
+
       it 'renders the outputs template' do
         get :show, params: { id: :outputs, nomenclature_change_id: @lump.id }
+
         expect(response).to render_template('outputs')
       end
     end
+
     context 'reassignments' do
-      before(:each) do
+      before do
         @input_species = create_cites_eu_species
         @lump = create(:nomenclature_change_lump)
+
         create(:nomenclature_change_input, nomenclature_change: @lump, taxon_concept: @input_species)
         create(:nomenclature_change_output, nomenclature_change: @lump)
       end
+
       it 'renders the notes template' do
         get :show, params: { id: :notes, nomenclature_change_id: @lump.id }
+
         expect(response).to render_template('notes')
       end
+
       context 'when legislation present' do
-        before(:each) do
+        before do
           create_cites_I_addition(taxon_concept: @input_species)
         end
+
         it 'renders the legislation template' do
           get :show, params: { id: :legislation, nomenclature_change_id: @lump.id }
+
           expect(response).to render_template('legislation')
         end
       end
+
       context 'when no legislation' do
         it 'redirects to next step' do
           get :show, params: { id: :legislation, nomenclature_change_id: @lump.id }
+
           expect(response).to redirect_to(
             admin_nomenclature_change_lump_url(
               nomenclature_change_id: assigns(:nomenclature_change).id, id: 'summary'
@@ -53,8 +68,10 @@
           )
         end
       end
+
       it 'renders the summary template' do
         get :show, params: { id: :summary, nomenclature_change_id: @lump.id }
+
         expect(response).to render_template('summary')
       end
     end
@@ -63,6 +80,7 @@
   describe 'POST create' do
     it 'redirects to lump wizard' do
       post :create, params: { nomenclature_change_id: 'new' }
+
       expect(response).to redirect_to(
         admin_nomenclature_change_lump_url(
           nomenclature_change_id: assigns(:nomenclature_change).id, id: 'inputs'
@@ -72,9 +90,10 @@
   end
 
   describe 'PUT update' do
-    before(:each) do
+    before do
       @lump = create(:nomenclature_change_lump)
     end
+
     context 'when successful' do
       it 'redirects to next step' do
         put :update, params: {
@@ -85,6 +104,7 @@
             }
           }, nomenclature_change_id: @lump.id, id: 'inputs'
         }
+
         expect(response).to redirect_to(
           admin_nomenclature_change_lump_url(
             nomenclature_change_id: assigns(:nomenclature_change).id, id: 'outputs'
@@ -92,6 +112,7 @@
         )
       end
     end
+
     context 'when unsuccessful' do
       it 're-renders step' do
         put :update, params: {
@@ -101,21 +122,31 @@
             }
           }, nomenclature_change_id: @lump.id, id: 'inputs'
         }
+
         expect(response).to render_template('inputs')
       end
     end
+
     context 'when last step' do
       context 'when user is secretariat' do
         login_secretariat_user
         it 'redirects to admin root path' do
           put :update, params: { nomenclature_change_id: @lump.id, id: 'summary' }
+
           expect(response).to redirect_to admin_root_path
         end
       end
+
       context 'when user is manager' do
         it 'redirects to nomenclature changes path' do
           pending('Strange render mismatch after upgrading to Rails 4')
-          put :update, params: { nomenclature_change_id: @lump.id, id: 'summary', nomenclature_change_lump: { dummy: 'test' } }
+          put :update,
+            params: {
+              nomenclature_change_id: @lump.id,
+              id: 'summary',
+              nomenclature_change_lump: { event_id: 0 }
+            }
+
           expect(response).to be_successful
           expect(response).to render_template('nomenclature_changes')
         end
@@ -124,33 +155,43 @@
   end
 
   describe 'Previous button' do
-    before(:each) do
+    before do
       @input_species = create_cites_eu_species
       @lump = create(:nomenclature_change_lump)
+
       create(:nomenclature_change_input, nomenclature_change: @lump, taxon_concept: @input_species)
       create(:nomenclature_change_output, nomenclature_change: @lump)
     end
+
     context 'when step is legislation' do
       it 'renders notes step' do
         get :show, params: { id: :notes, nomenclature_change_id: @lump.id, back: true }
+
         expect(response).to render_template('notes')
       end
     end
+
     context 'when step is summary' do
       context 'when legislation' do
-        before(:each) do
+        before do
           create_cites_I_addition(taxon_concept: @input_species)
         end
+
         it 'renders legislation step' do
           get :show, params: { id: :legislation, nomenclature_change_id: @lump.id, back: true }
+
           expect(response).to render_template('legislation')
         end
       end
+
       context 'when no legislation' do
         it 'redirects to notes step' do
           get :show, params: { id: :legislation, nomenclature_change_id: @lump.id, back: true }
+
           expect(response).to redirect_to action: :show, id: :notes
+
           get :show, params: { id: :notes, nomenclature_change_id: @lump.id }
+
           expect(response).to render_template('notes')
         end
       end
diff --git a/spec/controllers/admin/nomenclature_changes/split_controller_spec.rb b/spec/controllers/admin/nomenclature_changes/split_controller_spec.rb
index 42ab617d6..cd62f35ca 100644
--- a/spec/controllers/admin/nomenclature_changes/split_controller_spec.rb
+++ b/spec/controllers/admin/nomenclature_changes/split_controller_spec.rb
@@ -182,7 +182,9 @@
           params: {
             nomenclature_change_split: {
               input_attributes: { taxon_concept_id: create_cites_eu_species.id }
-            }, nomenclature_change_id: @split.id, id: 'inputs'
+            },
+            nomenclature_change_id: @split.id,
+            id: 'inputs'
           }
 
         expect(response).to redirect_to(
@@ -222,11 +224,12 @@
         it 'redirects to nomenclature changes path' do
           pending('Strange render mismatch after upgrading to Rails 4')
 
-          put :update, params: {
-            nomenclature_change_id: @split.id,
-            id: 'summary',
-            nomenclature_change_split: { dummy: 'test' }
-          }
+          put :update,
+            params: {
+              nomenclature_change_id: @split.id,
+              id: 'summary',
+              nomenclature_change_split: { event_id: 0 }
+            }
 
           expect(response).to be_successful
           expect(response).to render_template('nomenclature_changes')
diff --git a/spec/controllers/admin/nomenclature_changes/status_swap_controller_spec.rb b/spec/controllers/admin/nomenclature_changes/status_swap_controller_spec.rb
index 0e4cf0df4..a61328437 100644
--- a/spec/controllers/admin/nomenclature_changes/status_swap_controller_spec.rb
+++ b/spec/controllers/admin/nomenclature_changes/status_swap_controller_spec.rb
@@ -6,62 +6,88 @@
 
   describe 'GET show' do
     context 'primary_output' do
-      before(:each) do
+      before do
         @status_change = create(:nomenclature_change_status_swap)
       end
 
       it 'renders the primary_output template' do
-        get :show, params: { id: :primary_output, nomenclature_change_id: @status_change.id }
+        get :show,
+          params: {
+            id: :primary_output,
+            nomenclature_change_id: @status_change.id
+          }
+
         expect(response).to render_template('primary_output')
       end
     end
 
     context 'swap' do
-      before(:each) do
+      before do
         @status_change = a_to_s_with_swap
       end
 
       it 'renders the swap template' do
-        get :show, params: { id: :secondary_output, nomenclature_change_id: @status_change.id }
+        get :show,
+          params: {
+            id: :secondary_output,
+            nomenclature_change_id: @status_change.id
+          }
+
         expect(response).to render_template('secondary_output')
       end
     end
 
     context 'reassignments' do
-      before(:each) do
+      before do
         @status_change = a_to_s_with_swap
       end
 
       context 'when legislation present' do
-        before(:each) do
+        before do
           create_cites_I_addition(taxon_concept: input_species)
         end
 
         it 'renders the legislation template' do
-          get :show, params: { id: :legislation, nomenclature_change_id: @status_change.id }
+          get :show,
+            params: {
+              id: :legislation,
+              nomenclature_change_id: @status_change.id
+            }
+
           expect(response).to render_template('legislation')
         end
       end
 
       context 'when no legislation' do
         it 'redirects to next step' do
-          get :show, params: { id: :legislation, nomenclature_change_id: @status_change.id }
+          get :show,
+            params: {
+              id: :legislation,
+              nomenclature_change_id: @status_change.id
+            }
 
           expect(response).to redirect_to(
             admin_nomenclature_change_status_swap_url(
-              nomenclature_change_id: assigns(:nomenclature_change).id, id: 'summary'
+              id: 'summary',
+              nomenclature_change_id: assigns(:nomenclature_change).id
             )
           )
         end
       end
     end
+
     context 'summary' do
-      before(:each) do
+      before do
         @status_change = a_to_s_with_swap
       end
 
       it 'renders the summary template' do
-        get :show, params: { id: :summary, nomenclature_change_id: @status_change.id }
+        get :show,
+          params: {
+            id: :summary,
+            nomenclature_change_id: @status_change.id
+          }
+
         expect(response).to render_template('summary')
       end
     end
@@ -73,14 +99,15 @@
 
       expect(response).to redirect_to(
         admin_nomenclature_change_status_swap_url(
-          nomenclature_change_id: assigns(:nomenclature_change).id, id: 'primary_output'
+          id: 'primary_output',
+          nomenclature_change_id: assigns(:nomenclature_change).id
         )
       )
     end
   end
 
   describe 'PUT update' do
-    before(:each) do
+    before do
       @status_change = create(:nomenclature_change_status_swap)
     end
 
@@ -93,7 +120,8 @@
                 taxon_concept_id: create_cites_eu_species.id,
                 new_name_status: 'S'
               }
-            }, nomenclature_change_id: @status_change.id,
+            },
+            nomenclature_change_id: @status_change.id,
             id: 'primary_output'
           }
 
@@ -105,11 +133,12 @@
         )
       end
     end
+
     context 'when unsuccessful' do
       it 're-renders step' do
         put :update,
           params: {
-            nomenclature_change_status_swap: { dummy: 'test' },
+            nomenclature_change_status_swap: { event_id: 0 },
             nomenclature_change_id: @status_change.id, id: 'primary_output'
           }
 
@@ -121,7 +150,11 @@
       context 'when user is secretariat' do
         login_secretariat_user
         it 'redirects to admin root path' do
-          put :update, params: { nomenclature_change_id: @status_change.id, id: 'summary' }
+          put :update,
+            params: {
+              nomenclature_change_id: @status_change.id,
+              id: 'summary'
+            }
 
           expect(response).to redirect_to admin_root_path
         end
@@ -134,7 +167,7 @@
             params: {
               nomenclature_change_id: @status_change.id,
               id: 'summary',
-              nomenclature_change_status_swap: { dummy: 'test' }
+              nomenclature_change_status_swap: {}
             }
 
           expect(response).to be_successful
diff --git a/spec/controllers/admin/nomenclature_changes/status_to_synonym_controller_spec.rb b/spec/controllers/admin/nomenclature_changes/status_to_synonym_controller_spec.rb
index ff37fce39..4c8f8e73a 100644
--- a/spec/controllers/admin/nomenclature_changes/status_to_synonym_controller_spec.rb
+++ b/spec/controllers/admin/nomenclature_changes/status_to_synonym_controller_spec.rb
@@ -64,6 +64,7 @@
         put :update, params: {
           nomenclature_change_status_to_synonym: {
             primary_output_attributes: {
+              taxon_concept_id: create_cites_eu_species(name_status: 'N').id,
               new_name_status: 'S'
             }
           },
@@ -101,7 +102,12 @@
         login_secretariat_user
 
         it 'redirects to admin root path' do
-          put :update, params: { nomenclature_change_id: @status_change.id, id: 'summary' }
+          put :update,
+            params: {
+              nomenclature_change_id: @status_change.id,
+              nomenclature_change: {},
+              id: 'summary'
+            }
 
           expect(response).to redirect_to admin_root_path
         end
@@ -109,9 +115,11 @@
 
       context 'when user is manager' do
         it 'redirects to nomenclature changes path' do
+          pending('Strange render mismatch after upgrading to Rails 4')
           put :update,
             params: {
               nomenclature_change_id: @status_change.id,
+              nomenclature_change: {},
               id: 'summary'
             }
 
diff --git a/spec/controllers/admin/tags_controller_spec.rb b/spec/controllers/admin/tags_controller_spec.rb
index fe56b3b10..ea9aba8ef 100644
--- a/spec/controllers/admin/tags_controller_spec.rb
+++ b/spec/controllers/admin/tags_controller_spec.rb
@@ -6,6 +6,7 @@
   describe 'GET index' do
     it 'renders the index template' do
       get :index
+
       expect(response).to render_template('index')
       expect(response).to render_template('layouts/admin')
     end
@@ -14,14 +15,21 @@
   describe 'XHR POST create' do
     it 'renders create when successful' do
       post :create,
-        params: { tag: { name: 'Test Tag', model: 'TaxonConcept' } },
+        params: {
+          tag: {
+            name: 'Test Tag',
+            model: 'TaxonConcept'
+          }
+        },
         xhr: true
 
       expect(response).to render_template('create')
     end
 
     it 'renders new when not successful' do
-      post :create, params: { tag: { name: nil } }, xhr: true
+      post :create,
+        params: { tag: { name: nil } },
+        xhr: true
 
       expect(response).to render_template('new')
     end
@@ -29,11 +37,15 @@
 
   describe 'XHR PUT update' do
     let(:preset_tag) { create(:preset_tag) }
+
     context 'when JSON' do
       it 'responds with 200 when successful' do
         put :update,
           format: 'json',
-          params: { id: preset_tag.id, tag: { name: nil } },
+          params: {
+            id: preset_tag.id,
+            tag: { name: 'Tag for testing' }
+          },
           xhr: true
 
         expect(response).to be_successful
@@ -42,7 +54,10 @@
       it 'responds with json error when not successful' do
         put :update,
           format: 'json',
-          params: { id: preset_tag.id, tag: { model: 'FakeCategory' } },
+          params: {
+            id: preset_tag.id,
+            tag: { model: 'FakeCategory' }
+          },
           xhr: true
 
         expect(response.parsed_body).to include('errors')
diff --git a/spec/controllers/admin/taxon_concepts_controller_spec.rb b/spec/controllers/admin/taxon_concepts_controller_spec.rb
index c58a4602c..eaadc24f7 100644
--- a/spec/controllers/admin/taxon_concepts_controller_spec.rb
+++ b/spec/controllers/admin/taxon_concepts_controller_spec.rb
@@ -4,7 +4,7 @@
   login_admin
 
   describe 'GET index' do
-    before(:each) do
+    before do
       @taxon = create_cites_eu_species(
         taxon_name: create(:taxon_name, scientific_name: 'indefinitus'),
         taxonomic_position: '1.1.2',
@@ -17,6 +17,7 @@
 
     it 'renders the index template' do
       get :index
+
       expect(response).to render_template('index')
       expect(response).to render_template('layouts/admin')
     end
@@ -62,7 +63,7 @@
     end
 
     it 'renders new when not successful' do
-      post :create, params: { taxon_concept: { dummy: 'test' } }, xhr: true
+      post :create, params: { taxon_concept: { name_status: '' } }, xhr: true
 
       expect(response).to render_template('new')
     end
@@ -75,6 +76,7 @@
 
     it 'renders new_hybrid when not successful H' do
       post :create, params: { taxon_concept: { name_status: 'H' } }, xhr: true
+
       expect(response).to render_template('new_hybrid')
     end
 
@@ -90,23 +92,30 @@
 
     context 'when JSON' do
       it 'responds with 200 when successful' do
-        put :update, format: 'json', params: {
-          id: taxon_concept.id,
-          taxon_concept: { taxonomic_position: '1.1.3' }
-        }, xhr: true
+        put :update,
+          format: 'json',
+          params: {
+            id: taxon_concept.id,
+            taxon_concept: { taxonomic_position: '1.1.3' }
+          },
+          xhr: true
 
         expect(response).to be_successful
       end
 
       it 'responds with json error when not successful' do
-        put :update, format: 'json', params: {
-          id: taxon_concept.id,
-          taxon_concept: { taxonomy_id: nil }
-        }, xhr: true
+        put :update,
+          format: 'json',
+          params: {
+            id: taxon_concept.id,
+            taxon_concept: { taxonomy_id: nil }
+          },
+          xhr: true
 
         expect(response.parsed_body).to include('errors')
       end
     end
+
     context 'when HTML' do
       it 'redirects to edit when successful' do
         put :update,
@@ -119,7 +128,11 @@
       end
 
       it 'renders edit when not successful' do
-        put :update, params: { id: taxon_concept.id, taxon_concept: { taxonomy_id: nil } }
+        put :update,
+          params: {
+            id: taxon_concept.id,
+            taxon_concept: { taxonomy_id: nil }
+          }
 
         expect(response).to render_template('edit')
       end
@@ -138,6 +151,7 @@
 
   describe "DELETE destroy doesn't work for non managers" do
     login_contributor
+
     let(:taxon_concept) { create(:taxon_concept) }
 
     it "redirects to admin root path and doesn't delete" do
diff --git a/spec/controllers/admin/taxon_quotas_controller_spec.rb b/spec/controllers/admin/taxon_quotas_controller_spec.rb
index 6add6dba7..5390877bd 100644
--- a/spec/controllers/admin/taxon_quotas_controller_spec.rb
+++ b/spec/controllers/admin/taxon_quotas_controller_spec.rb
@@ -61,14 +61,21 @@
 
     it 'renders new when not successful' do
       post :create,
-        params: { quota: { year: 0 }, taxon_concept_id: @taxon_concept.id }
+        params: {
+          quota: {
+            unit_id: 0,
+            publication_date: 1.week.ago,
+            geo_entity_id: @geo_entity.id
+          },
+          taxon_concept_id: @taxon_concept.id
+        }
 
       expect(response).to render_template('new')
     end
   end
 
   describe 'GET edit' do
-    before(:each) do
+    before do
       @quota = create(
         :quota,
         unit_id: @unit.id,
@@ -93,7 +100,7 @@
   end
 
   describe 'PUT update' do
-    before(:each) do
+    before do
       @quota = create(
         :quota,
         unit_id: @unit.id,
@@ -130,7 +137,7 @@
   end
 
   describe 'DELETE destroy' do
-    before(:each) do
+    before do
       @quota = create(
         :quota,
         unit_id: @unit.id,
diff --git a/spec/controllers/trade/sandbox_shipments_controller_spec.rb b/spec/controllers/trade/sandbox_shipments_controller_spec.rb
index 08acfed5c..25ad9e22b 100644
--- a/spec/controllers/trade/sandbox_shipments_controller_spec.rb
+++ b/spec/controllers/trade/sandbox_shipments_controller_spec.rb
@@ -14,7 +14,7 @@
     Trade::SandboxTemplate.ar_klass(annual_report_upload.sandbox.table_name)
   end
 
-  before(:each) do
+  before do
     @genus = create_cites_eu_genus(
       taxon_name: create(:taxon_name, scientific_name: 'Acipenser')
     )
@@ -23,6 +23,7 @@
       taxon_name: create(:taxon_name, scientific_name: 'baerii'),
       parent_id: @genus.id
     )
+
     @shipment = sandbox_klass.create(taxon_name: 'Acipenser baerii', appendix: 'I', year: 2016)
 
     @validation_error = create(
@@ -38,29 +39,59 @@
   end
 
   describe 'PUT update' do
-    it 'should return success when taxon_name not set' do
-      put :update, params: { annual_report_upload_id: annual_report_upload.id, id: @shipment.id, sandbox_shipment: { taxon_name: nil, accepted_taxon_name: nil }, format: :json }
+    it 'returns success when taxon_name not set' do
+      put :update,
+        params: {
+          annual_report_upload_id: annual_report_upload.id,
+          id: @shipment.id,
+          sandbox_shipment: { taxon_name: nil, accepted_taxon_name: nil },
+          format: :json
+        }
 
+      expect(response).to be_successful
       expect(response.body).to be_blank
     end
-    it 'should return success when taxon_name does not exist' do
-      put :update, params: { annual_report_upload_id: annual_report_upload.id, id: @shipment.id, sandbox_shipment: { taxon_name: 'Acipenser foobarus' }, format: :json }
 
+    it 'returns success when taxon_name does not exist' do
+      put :update,
+        params: {
+          annual_report_upload_id:
+          annual_report_upload.id,
+          id: @shipment.id,
+          sandbox_shipment: { taxon_name: 'Acipenser foobarus' },
+          format: :json
+        }
+
+      expect(response).to be_successful
       expect(response.body).to be_blank
     end
   end
 
   describe 'DELETE destroy' do
-    it 'should return success' do
-      delete :destroy, params: { annual_report_upload_id: annual_report_upload.id, id: @shipment.id, format: :json }
+    it 'returns success' do
+      delete :destroy,
+        params: {
+          annual_report_upload_id: annual_report_upload.id,
+          id: @shipment.id,
+          format: :json
+        }
+
+      expect(response).to be_successful
       expect(response.body).to be_blank
     end
   end
 
   describe 'POST update_batch' do
-    it 'should return success' do
-      post :update_batch, params: { annual_report_upload_id: annual_report_upload.id, validation_error_id: @validation_error.id, updates: { appendix: 'II' }, format: :json }
+    it 'returns success' do
+      post :update_batch,
+        params: {
+          annual_report_upload_id: annual_report_upload.id,
+          validation_error_id: @validation_error.id,
+          updates: { appendix: 'II' },
+          format: :json
+        }
 
+      expect(response).to be_successful
       expect(response.body).to be_blank
       expect(sandbox_klass.where(taxon_name: @species.full_name, appendix: 'I').count(true)).to eq(0)
       expect(sandbox_klass.where(taxon_name: @species.full_name, appendix: 'II').count(true)).to eq(1)
@@ -68,8 +99,13 @@
   end
 
   describe 'POST destroy_batch' do
-    it 'should return success' do
-      post :destroy_batch, params: { annual_report_upload_id: annual_report_upload.id, validation_error_id: @validation_error.id, format: :json }
+    it 'returns success' do
+      post :destroy_batch,
+        params: {
+          annual_report_upload_id: annual_report_upload.id,
+          validation_error_id: @validation_error.id,
+          format: :json
+        }
 
       expect(response.body).to be_blank
       expect(sandbox_klass.where(taxon_concept_id: @species.id).count(true)).to eq(0)
diff --git a/spec/services/document_batch_spec.rb b/spec/services/document_batch_spec.rb
index f5de0e267..30127253f 100644
--- a/spec/services/document_batch_spec.rb
+++ b/spec/services/document_batch_spec.rb
@@ -5,31 +5,42 @@
     context 'when invalid' do
       subject do
         DocumentBatch.new(
-          documents_attributes: {
-            '0' => { type: 'Document' }
-          },
+          documents_attributes: [
+            { type: 'Document' }
+          ],
           files: [
-            filename: Rack::Test::UploadedFile.new(Rails.root.join('spec/support/annual_report_upload_exporter.csv').to_s)
+            filename: Rack::Test::UploadedFile.new(
+              Rails.root.join(
+                'spec/support/annual_report_upload_exporter.csv'
+              ).to_s
+            )
           ]
         )
       end
+
       specify { expect(subject.save).to be_falsey }
-      specify { expect { subject.save }.not_to change { Document.count } }
+      specify { expect { subject.save }.not_to change(Document, :count) }
     end
+
     context 'when valid' do
       subject do
         DocumentBatch.new(
           date: Date.today,
-          documents_attributes: {
-            '0' => { type: 'Document' }
-          },
+          documents_attributes: [
+            { type: 'Document' }
+          ],
           files: [
-            Rack::Test::UploadedFile.new(Rails.root.join('spec/support/annual_report_upload_exporter.csv').to_s)
+            Rack::Test::UploadedFile.new(
+              Rails.root.join(
+                'spec/support/annual_report_upload_exporter.csv'
+              ).to_s
+            )
           ]
         )
       end
+
       specify { expect(subject.save).to be_truthy }
-      specify { expect { subject.save }.to change { Document.count }.by(1) }
+      specify { expect { subject.save }.to change(Document, :count).by(1) }
     end
   end
 end

From ef49619742e73b28ffb05672cc6d0e043dde2acf Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 16 Apr 2026 10:22:05 +0100
Subject: [PATCH 087/106] fix: force test env in rspec

---
 spec/spec_helper.rb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 7c3aa80af..3565585a4 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,3 +1,5 @@
+# This file is copied to spec/ when you run 'rails generate rspec:install'
+
 require 'simplecov'
 require 'coveralls'
 
@@ -14,8 +16,9 @@
   add_group 'Serializers', 'app/serializers'
 end
 
-# This file is copied to spec/ when you run 'rails generate rspec:install'
-ENV['RAILS_ENV'] ||= 'test'
+# CHANGED
+ENV['RAILS_ENV'] = 'test'
+
 require File.expand_path('../../config/environment', __FILE__)
 require 'rspec/rails'
 require 'sidekiq/testing'

From 1f6be2ddd2afe0a63ac08e8fc8011897d446ea40 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Fri, 17 Apr 2026 17:24:43 +0100
Subject: [PATCH 088/106] fix: document batches tests

---
 .../admin/document_batches_controller.rb            | 13 +++++++++----
 app/services/document_batch.rb                      | 11 +++++++++--
 .../admin/document_batches_controller_spec.rb       | 10 +++++-----
 3 files changed, 23 insertions(+), 11 deletions(-)

diff --git a/app/controllers/admin/document_batches_controller.rb b/app/controllers/admin/document_batches_controller.rb
index 6270deea2..e87759ac4 100644
--- a/app/controllers/admin/document_batches_controller.rb
+++ b/app/controllers/admin/document_batches_controller.rb
@@ -43,10 +43,15 @@ def load_associations
   end
 
   def document_batch_params
-    params.require(:document_batch).permit(
-      :event_id, :date, :language_id, :is_public,
-      documents_attributes: [ :type ],
-      files: [ {} ]
+    params.expect(
+      document_batch: [
+        :event_id,
+        :date,
+        :language_id,
+        :is_public,
+        documents_attributes: [ [ :type ] ],
+        files: []
+      ]
     )
 
     # TODO: for some reason the following won't work
diff --git a/app/services/document_batch.rb b/app/services/document_batch.rb
index 700d15135..131f8b365 100644
--- a/app/services/document_batch.rb
+++ b/app/services/document_batch.rb
@@ -45,12 +45,19 @@ def persisted?
   def initialize_documents(documents_attributes, files)
     @documents = []
 
+    debugger
+
     if (
       documents_attributes &&
-      files &&
-      documents_attributes.try(:length) == files.try(:length)
+      files
     )
 
+      unless documents_attributes.try(:length) == files.try(:length)
+        raise StandardError(
+          'documents_attributes and files should have the same number of elements'
+        )
+      end
+
       for idx in 0..(files.length - 1) do
         document_params =
           if files[idx].respond_to?(:read) # Filter out invalid params for ActiveStorage.
diff --git a/spec/controllers/admin/document_batches_controller_spec.rb b/spec/controllers/admin/document_batches_controller_spec.rb
index a5858a36e..b23517c82 100644
--- a/spec/controllers/admin/document_batches_controller_spec.rb
+++ b/spec/controllers/admin/document_batches_controller_spec.rb
@@ -52,7 +52,7 @@
             params: {
               document_batch: {
                 date: Date.today,
-                documents_attributes: { '0': document_attrs },
+                documents_attributes: [ document_attrs ],
                 files: files
               }
             }
@@ -78,7 +78,7 @@
             params: {
               document_batch: {
                 date: nil,
-                documents_attributes: { '0': document_attrs },
+                documents_attributes: [ document_attrs ],
                 files: files
               }
             }
@@ -90,7 +90,7 @@
           params: {
             document_batch: {
               date: nil,
-              documents_attributes: { '0': document_attrs },
+              documents_attributes: [ document_attrs ],
               files: files
             }
           }
@@ -107,7 +107,7 @@
           params: {
             event_id: event.id, document_batch: {
               date: Date.today,
-              documents_attributes: { '0': document_attrs },
+              documents_attributes: [ document_attrs ],
               files: files
             }
           }
@@ -120,7 +120,7 @@
           params: {
             event_id: event.id, document_batch: {
               date: nil,
-              documents_attributes: { '0': document_attrs },
+              documents_attributes: [ document_attrs ],
               files: files
             }
           }

From 2ff1f5b3eba06d260497500f86b6d104c9add78e Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Mon, 20 Apr 2026 09:38:11 +0100
Subject: [PATCH 089/106] fix: remove debugger statement

---
 app/services/document_batch.rb | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/app/services/document_batch.rb b/app/services/document_batch.rb
index 131f8b365..8b00d4bf2 100644
--- a/app/services/document_batch.rb
+++ b/app/services/document_batch.rb
@@ -45,13 +45,7 @@ def persisted?
   def initialize_documents(documents_attributes, files)
     @documents = []
 
-    debugger
-
-    if (
-      documents_attributes &&
-      files
-    )
-
+    if documents_attributes && files
       unless documents_attributes.try(:length) == files.try(:length)
         raise StandardError(
           'documents_attributes and files should have the same number of elements'

From 54972aa035e695681b90c3c76446c4d5ce52a39c Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 16 Apr 2026 10:23:14 +0100
Subject: [PATCH 090/106] fix: deprecation of ActiveSupport::Multibyte::Chars
 (mb_chars no longer needed)

---
 ..._taxon_concept_filter_by_scientific_name_with_descendants.rb | 2 +-
 lib/modules/search_param_sanitiser.rb                           | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/services/m_taxon_concept_filter_by_scientific_name_with_descendants.rb b/app/services/m_taxon_concept_filter_by_scientific_name_with_descendants.rb
index b05cdb790..624fafedf 100644
--- a/app/services/m_taxon_concept_filter_by_scientific_name_with_descendants.rb
+++ b/app/services/m_taxon_concept_filter_by_scientific_name_with_descendants.rb
@@ -1,7 +1,7 @@
 class MTaxonConceptFilterByScientificNameWithDescendants
   def initialize(relation, scientific_name, match_options = {})
     @relation = relation || MTaxonConcept.all
-    @scientific_name = scientific_name.mb_chars.upcase.strip
+    @scientific_name = scientific_name.upcase.strip
     @match_synonyms = match_options[:synonyms] || true
     @match_common_names = match_options[:common_names] || false
     @match_subspecies = match_options[:subspecies] || false
diff --git a/lib/modules/search_param_sanitiser.rb b/lib/modules/search_param_sanitiser.rb
index eb24c7a69..58f3ad6f1 100644
--- a/lib/modules/search_param_sanitiser.rb
+++ b/lib/modules/search_param_sanitiser.rb
@@ -5,7 +5,7 @@ def sanitise_string(s)
   end
 
   def sanitise_upcase_string(s)
-    s && s.strip.mb_chars.upcase
+    s && s.strip.upcase
   end
 
   def sanitise_symbol(s, default = nil)

From 53b7bdc3d7d6c47f0dc62649bd41e6b4464fc0c3 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 16 Apr 2026 09:49:25 +0100
Subject: [PATCH 091/106] chore: upgrade non-rails dependencies

---
 Gemfile      | 14 +++++++-------
 Gemfile.lock | 18 +++++++++---------
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/Gemfile b/Gemfile
index fc32f8db9..f6d4060a6 100644
--- a/Gemfile
+++ b/Gemfile
@@ -11,7 +11,7 @@ gem 'rack-cors'
 # Use sqlite3 as the database for Active Record
 # gem 'sqlite3'
 # Use Puma as the app server
-gem 'puma', '~> 5.0'
+gem 'puma', '~> 8.0'
 
 # Use SCSS for stylesheets
 gem 'sass-rails', '~> 6'
@@ -21,7 +21,7 @@ gem 'sprockets', '~> 4'
 gem 'sprockets-rails', require: 'sprockets/railtie'
 
 # Use Terser as compressor for JavaScript assets
-gem 'terser', '~> 1.2.3'
+gem 'terser', '~> 1.2.7'
 
 # Use CoffeeScript for .coffee assets and views
 gem 'coffee-rails', '~> 5.0'
@@ -35,15 +35,15 @@ gem 'active_storage_validations', '~> 2.0'
 gem 'redis', '~> 4.8'
 
 # Use PostgreSQL database
-gem 'pg', '~> 1.5', '>= 1.5.4'
+gem 'pg', '~> 1.6', '>= 1.6.3'
 gem 'pg_array_parser', '~> 0.0.9'
 gem 'nested-hstore', '~> 0.1.2'
-gem 'pg_search', '~> 2.3', '>= 2.3.6'
+gem 'pg_search', '~> 2.3', '>= 2.3.7'
 
-gem 'oj', '~> 3.16', '>= 3.16.3' # optimised JSON (picked by multi_json)
+gem 'oj', '~> 3.16', '>= 3.16.17' # optimised JSON (picked by multi_json)
 gem 'inherited_resources', '~> 1.14' # Deprecated (https://github.com/activeadmin/inherited_resources#notice)
 gem 'nokogiri', '~> 1.19.2', force_ruby_platform: true
-gem 'mobility', '~> 1.2', '>= 1.2.9'
+gem 'mobility', '~> 1.3', '>= 1.3.2'
 gem 'devise', '~> 5', '>= 5.0.3'
 gem 'cancancan', '~> 3.5'
 gem 'ahoy_matey', '~> 5.0', '>= 5.0.2'
@@ -89,7 +89,7 @@ gem 'strong_migrations', '~> 1.7' # v2 drops support for pg<12
 # gem 'mini_magick', '~> 4.8'
 
 # Reduces boot times through caching; required in config/boot.rb
-gem 'bootsnap', '>= 1.4.4', require: false
+gem 'bootsnap', '>= 1.23.0', require: false
 
 # To use Jbuilder templates for JSON
 # gem 'jbuilder', '~> 2.7'
diff --git a/Gemfile.lock b/Gemfile.lock
index dc73f70b5..5943daa91 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -382,7 +382,7 @@ GEM
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     numerizer (0.1.1)
-    oj (3.16.16)
+    oj (3.16.17)
       bigdecimal (>= 3.0)
       ostruct (>= 0.2)
     orm_adapter (0.5.0)
@@ -418,7 +418,7 @@ GEM
       date
       stringio
     public_suffix (7.0.5)
-    puma (5.6.9)
+    puma (8.0.0)
       nio4r (~> 2.0)
     raabro (1.4.0)
     racc (1.8.1)
@@ -696,7 +696,7 @@ DEPENDENCIES
   aws-sdk-s3 (~> 1.143)
   base64 (= 0.2.0)
   bcrypt_pbkdf (= 1.1.0)
-  bootsnap (>= 1.4.4)
+  bootsnap (>= 1.23.0)
   bootstrap-sass (= 2.3.2.2)
   brakeman
   byebug
@@ -736,19 +736,19 @@ DEPENDENCIES
   kaminari (~> 1.2, >= 1.2.2)
   launchy (= 2.4.3)
   listen (~> 3.10.0)
-  mobility (~> 1.2, >= 1.2.9)
+  mobility (~> 1.3, >= 1.3.2)
   nested-hstore (~> 0.1.2)
   nested_form (~> 0.3.2)
   net-ssh (= 7.3.2)
   nokogiri (~> 1.19.2)
-  oj (~> 3.16, >= 3.16.3)
+  oj (~> 3.16, >= 3.16.17)
   paper_trail (~> 17.0.0)
   pdfkit (~> 0.8.7.3)
-  pg (~> 1.5, >= 1.5.4)
+  pg (~> 1.6, >= 1.6.3)
   pg_array_parser (~> 0.0.9)
-  pg_search (~> 2.3, >= 2.3.6)
+  pg_search (~> 2.3, >= 2.3.7)
   prawn (= 0.13.2)
-  puma (~> 5.0)
+  puma (~> 8.0)
   rack-cors
   rack-mini-profiler (~> 4.0.1)
   rails (= 8.1.3)
@@ -782,7 +782,7 @@ DEPENDENCIES
   sprockets-rails
   strong_migrations (~> 1.7)
   susy (~> 2.2, >= 2.2.14)
-  terser (~> 1.2.3)
+  terser (~> 1.2.7)
   uuidtools (~> 2.2)
   web-console
   webdrivers

From adea7866e216c774617bf8105d1e04dcb78314e5 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 16 Apr 2026 09:58:09 +0100
Subject: [PATCH 092/106] chore: updated CHANGELOG

---
 CHANGELOG.md | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ac7ab1bba..1fb1ee0ed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,15 +1,24 @@
 ### 1.22.0
 
 **Rails 7.2 Upgrade**
+
 The primary goal of this release is to upgrade the Rails version without causing
 any breaking changes to functionality.
 
-* Upgrades Rails 7.1.3.4 to 8.0.5
-* Upgrades Ruby 3.2.5 to 3.4.9
-* Some dependency updates/changes allowed or required by the above:
-  * Upgraded `sprockets` from 3.7.2 to 4.0.3
+* Upgrades Rails from 7.1.3.4 to 8.0.5
+* Upgrades Ruby from 3.2.5 to 3.4.9
+* Some dependency updates/changes consequently allowed or required, in particular:
+  * Upgraded `acts-as-taggable-on` from 10.0.0 to 13.0.0
+  * Upgraded `devise` from 4.9.3 to 5.0.3
   * Upgraded `papertrail` from 15.1.0 to 17.0.0
-  * Upgraded `acts-as-taggable-on` from 10.0.0 to 12.0.0
+  * Upgraded `pg` from 1.5.4 to 1.6.3
+  * Upgraded `puma` from 5.6.8 to 8.0.0
+  * Upgraded `rubyzip` from 2.3.3 to 3.2.2
+  * Upgraded `sidekiq` from 6.5.12 to 7.3.10
+  * Upgraded `sprockets` from 3.7.2 to 4.0.3
+* We now target Postgres 17 (was 10) and Redis 7 (was 4.2).
+* Moving to `params.expect` over `require`/`permit` pattern.
+
 
 ### 1.21.2
 

From 4d486336e6ab34901c8ce72d2bea0a58fda6d2ae Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 16 Apr 2026 10:58:47 +0100
Subject: [PATCH 093/106] remove gitkeep files

---
 spec/public/downloads/cites_listings/.gitkeep            | 0
 spec/public/downloads/common_names/.gitkeep              | 0
 spec/public/downloads/documents/.gitkeep                 | 0
 spec/public/downloads/orphaned_taxon_concepts/.gitkeep   | 0
 spec/public/downloads/species_reference_output/.gitkeep  | 0
 spec/public/downloads/standard_reference_output/.gitkeep | 0
 spec/public/downloads/synonyms_and_trade_names/.gitkeep  | 0
 spec/public/downloads/taxon_concepts_names/.gitkeep      | 0
 8 files changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 spec/public/downloads/cites_listings/.gitkeep
 delete mode 100644 spec/public/downloads/common_names/.gitkeep
 delete mode 100644 spec/public/downloads/documents/.gitkeep
 delete mode 100644 spec/public/downloads/orphaned_taxon_concepts/.gitkeep
 delete mode 100644 spec/public/downloads/species_reference_output/.gitkeep
 delete mode 100644 spec/public/downloads/standard_reference_output/.gitkeep
 delete mode 100644 spec/public/downloads/synonyms_and_trade_names/.gitkeep
 delete mode 100644 spec/public/downloads/taxon_concepts_names/.gitkeep

diff --git a/spec/public/downloads/cites_listings/.gitkeep b/spec/public/downloads/cites_listings/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
diff --git a/spec/public/downloads/common_names/.gitkeep b/spec/public/downloads/common_names/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
diff --git a/spec/public/downloads/documents/.gitkeep b/spec/public/downloads/documents/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
diff --git a/spec/public/downloads/orphaned_taxon_concepts/.gitkeep b/spec/public/downloads/orphaned_taxon_concepts/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
diff --git a/spec/public/downloads/species_reference_output/.gitkeep b/spec/public/downloads/species_reference_output/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
diff --git a/spec/public/downloads/standard_reference_output/.gitkeep b/spec/public/downloads/standard_reference_output/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
diff --git a/spec/public/downloads/synonyms_and_trade_names/.gitkeep b/spec/public/downloads/synonyms_and_trade_names/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
diff --git a/spec/public/downloads/taxon_concepts_names/.gitkeep b/spec/public/downloads/taxon_concepts_names/.gitkeep
deleted file mode 100644
index e69de29bb..000000000

From 6189e480f9586ad627309f866698fb158c09e53a Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 16 Apr 2026 16:19:36 +0100
Subject: [PATCH 094/106] chore: attempting to get staging deploy working again

---
 Dockerfile                    | 4 ++--
 config/initializers/devise.rb | 2 --
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index efd5815b6..84299468e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -155,7 +155,7 @@ FROM build-develop AS built-develop
 
 ##
 # The build step for staging
-FROM build AS built-staging
+FROM build AS build-staging
   ENV NODE_ENV="production" \
     RAILS_ENV="staging" \
     BUNDLE_DEPLOYMENT="1" \
@@ -183,7 +183,7 @@ FROM build AS built-staging
 
   RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails assets:precompile
 
-FROM base AS base-staging
+FROM base AS built-staging
   ARG DEFAULT_GROUPNAME=railsgroup
   ARG DEFAULT_USERNAME=railsuser
   ENV BUNDLE_PATH="/usr/local/bundle"
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 93fe6f275..afd5a0394 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -1,8 +1,6 @@
 # Use this hook to configure devise mailer, warden hooks and so forth.
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
-  return if ENV['SECRET_KEY_BASE_DUMMY'].present?
-
   # The secret key used by Devise. Devise uses this key to generate
   # random tokens. Changing this key will render invalid all existing
   # confirmation, reset password and unlock tokens in the database.

From d7fbba05091f348bd5db2082fefdb6a9b5188da6 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 16 Apr 2026 16:46:16 +0100
Subject: [PATCH 095/106] fix: staging runtime

---
 Dockerfile | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 84299468e..68c0781a2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -204,6 +204,12 @@ FROM built-staging AS deploy-staging
   CMD ["tail", "-f", "/dev/null"]
 
 FROM built-staging AS exec-staging
+  ENV NODE_ENV="production" \
+    RAILS_ENV="staging" \
+    BUNDLE_DEPLOYMENT="1" \
+    BUNDLE_PATH="/usr/local/bundle" \
+    BUNDLE_WITHOUT="development"
+
   ENTRYPOINT ["/rails/bin/docker-entrypoint"]
 
   EXPOSE 80

From ce9023faba77a2d791e0a5b51961bbba919ff7ef Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 16 Apr 2026 16:47:31 +0100
Subject: [PATCH 096/106] chore: more startup tweaks to get staging working

---
 Dockerfile            | 8 ++------
 bin/docker-entrypoint | 4 ----
 2 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 68c0781a2..f4703a8fb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -204,11 +204,7 @@ FROM built-staging AS deploy-staging
   CMD ["tail", "-f", "/dev/null"]
 
 FROM built-staging AS exec-staging
-  ENV NODE_ENV="production" \
-    RAILS_ENV="staging" \
-    BUNDLE_DEPLOYMENT="1" \
-    BUNDLE_PATH="/usr/local/bundle" \
-    BUNDLE_WITHOUT="development"
+  ENV RAILS_ENV="staging"
 
   ENTRYPOINT ["/rails/bin/docker-entrypoint"]
 
@@ -220,7 +216,7 @@ FROM built-develop AS deploy-develop
   CMD ["tail", "-f", "/dev/null"]
 
 FROM built-develop AS exec-develop
-  ENTRYPOINT ["/rails/bin/docker-entrypoint"]
+  ENTRYPOINT ["/rails/bin/docker-entrypoint-develop"]
 
   EXPOSE 80
 
diff --git a/bin/docker-entrypoint b/bin/docker-entrypoint
index ba5f91f5c..8e1b5440c 100755
--- a/bin/docker-entrypoint
+++ b/bin/docker-entrypoint
@@ -7,10 +7,6 @@
 #   export LD_PRELOAD
 # fi
 
-if [[ "$RAILS_ENV" =~ "develop" ]]; then
-  bundle install
-fi
-
 mkdir -p {./,spec/}public/downloads/checklist
 mkdir -p {./,spec/}public/downloads/cites_listings
 mkdir -p {./,spec/}public/downloads/cites_suspensions

From ee27b3fe57dbd36a96c00ac7f426df179f44666d Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 16 Apr 2026 17:44:25 +0100
Subject: [PATCH 097/106] fix: hopefully adding BUNDLE_WITHOUT=development will
 do it

---
 Dockerfile | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index f4703a8fb..0ca4e9c24 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -201,10 +201,14 @@ FROM base AS built-staging
   COPY --from="build-staging" --chown=1000:1000 /rails/ /rails/
 
 FROM built-staging AS deploy-staging
+  ENV RAILS_ENV="staging" \
+    BUNDLE_WITHOUT="development"
+
   CMD ["tail", "-f", "/dev/null"]
 
 FROM built-staging AS exec-staging
-  ENV RAILS_ENV="staging"
+  ENV RAILS_ENV="staging" \
+    BUNDLE_WITHOUT="development"
 
   ENTRYPOINT ["/rails/bin/docker-entrypoint"]
 

From 7dba8e70f1f6b7b0dd6da42269d11771b2c87456 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Wed, 22 Apr 2026 18:09:37 +0100
Subject: [PATCH 098/106] fix: Benchmark gem is no longer provided by Rails

---
 Gemfile      | 2 ++
 Gemfile.lock | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/Gemfile b/Gemfile
index f6d4060a6..c2959a7e6 100644
--- a/Gemfile
+++ b/Gemfile
@@ -234,3 +234,5 @@ gem 'handlebars-source', '1.0.12' # TODO: just a wrapwrapper. Any update will ch
 # It might be possible to fix this if we had an nginx version which supported
 # the config: `passenger_preload_bundler on;`
 gem 'base64', '0.2.0'
+
+gem "benchmark", "~> 0.5.0"
diff --git a/Gemfile.lock b/Gemfile.lock
index 5943daa91..9e2b96299 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -135,6 +135,7 @@ GEM
     base64 (0.2.0)
     bcrypt (3.1.22)
     bcrypt_pbkdf (1.1.0)
+    benchmark (0.5.0)
     bigdecimal (4.1.1)
     bindex (0.8.1)
     bootsnap (1.23.0)
@@ -696,6 +697,7 @@ DEPENDENCIES
   aws-sdk-s3 (~> 1.143)
   base64 (= 0.2.0)
   bcrypt_pbkdf (= 1.1.0)
+  benchmark (~> 0.5.0)
   bootsnap (>= 1.23.0)
   bootstrap-sass (= 2.3.2.2)
   brakeman

From 8bf7a9ac969cf875a918c2c823a4760f7ef85219 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Thu, 23 Apr 2026 09:54:12 +0100
Subject: [PATCH 099/106] chore: lmodern no longer available on Ubuntu 22, use
 mlmodern

---
 public/latex/history.tex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/latex/history.tex b/public/latex/history.tex
index 1303156ba..b4bab6cbe 100644
--- a/public/latex/history.tex
+++ b/public/latex/history.tex
@@ -8,7 +8,7 @@
 \usepackage{attachfile}
 \usepackage[T1]{fontenc}
 \usepackage[utf8]{inputenc}
-\usepackage{lmodern}
+\usepackage{mlmodern}
 \usepackage{longtable}
 \usepackage{hyperref}
 \usepackage{fancyhdr}

From e3c1c35c50a0b9cc1ad3c1fd911b7e73f18bbcde Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Fri, 24 Apr 2026 09:40:32 +0100
Subject: [PATCH 100/106] fix: revert unintended changes to CORS initialiser

---
 config/initializers/cors.rb | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb
index 0c5dd99ac..ab670b5e6 100644
--- a/config/initializers/cors.rb
+++ b/config/initializers/cors.rb
@@ -1,16 +1,14 @@
-# Be sure to restart your server when you modify this file.
+Rails.application.config.middleware.insert_before 0, Rack::Cors do
+  allow do
+    app_cors_origins =
+      Rails.application.credentials.dig(
+        :cors, :origins
+      ) || []
 
-# Avoid CORS issues when API is called from the frontend app.
-# Handle Cross-Origin Resource Sharing (CORS) in order to accept cross-origin Ajax requests.
+    origins app_cors_origins&.map(&:strip)
 
-# Read more: https://github.com/cyu/rack-cors
-
-# Rails.application.config.middleware.insert_before 0, Rack::Cors do
-#   allow do
-#     origins "example.com"
-#
-#     resource "*",
-#       headers: :any,
-#       methods: [:get, :post, :put, :patch, :delete, :options, :head]
-#   end
-# end
+    resource '*', headers: :any, methods: [
+      :get, :post, :patch, :put, :delete
+    ]
+  end
+end

From 83e7a7ff12f910c3b8dc172fb40d087487c4caa0 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Mon, 27 Apr 2026 13:45:03 +0100
Subject: [PATCH 101/106] chore: use new staging url in mailer credentials

---
 config/credentials/staging.yml.enc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/credentials/staging.yml.enc b/config/credentials/staging.yml.enc
index a1a494783..fd86d3ed2 100644
--- a/config/credentials/staging.yml.enc
+++ b/config/credentials/staging.yml.enc
@@ -1 +1 @@
-ZMkejLl+WPee+fHeeSFBJL8b/GNc/S9FFzZB+0H2pwSILpGD4byPzxUKKl71US/86+Z3o/BPSvcbJWJY1nBxoz2dGZHJXr8jivvgSSEjobeNLXIJvY9RMdwrqLR3jxUcl5A5mBfhn9N+Y8WtLZpdb1ZxnWOUZEFfx4hh0GtyQgxQAUjxIZDsGEXsD/88JCmw02pmbtEwlhDM5//05fSDT/TG+i7tfTm1oIogEEVNxhTnidM9h6acMaMj13iyGcp7W+aAgm4hRiX66iZNMGOzF68KpkNxUNPmBXe/PWT0efdPAqTGSVffjwZpBqLhR2clbEqByrP+T0D8oF84jr320y76xq2GKplNTNnUlwFfYio35NoJz88WIOp9A4JDOs0+bosVwjlNrbX2C/zuFhouhFF6RoWdLa8IS5PCODhsNKG1eggJNDxkJLJVj+4typMuXfk9Bb6nRRhK4L1Q/as2KtSMLmcvqF5H1hNvq1GXu3D5d+G2RhatZ0rZ/fJctLWH1fgSwgBY8+DfCAS/g+b8gZPHXiW11BchS3OF0d+p1yHzix8EQOp0VK74EpW57r8xcgLfNpnLoZDcyh3SFCsl4zxobT/K5KCCn5NhAafFwMFZPXHq42D0380TKhiWDhkDc85cskCb6B09ws4Q0+4m6GNr6WN+UKCPAdn7o8Ds0k9FxhxXVuQbAfBqduALXfU55k1YNeGBMnhqW5Dkuxe3sGicovLdod0tfg8Jy1i9/ptXEzV8MFxULSfRP4x1vqFuh4ZyaU+h1ihdSjWMl7WPNnA36EwRvsQbFrU1B2ypOVlZdDFZaxQggKmSvQPUKaai/OfORZNCvx8rSYO6WKrjS4fq8M9hx2Ht3nD0UdNJcUFQTii3h/v2tCC5Cekah7tBrwQfXzKmnKBp0A69kxPFT9zBEST3eWZXJ+c/SeOpbArZPP3B72O5YaGFftq+BViaeAxE5VlWshg+WlIyCSLSmH9HguK83mQAaVj4SIVOExGnxjPWec42REZlJ7I6NDGLev9wkhpwz9jGp/nB3lQHYKrsozX8uiygU1f6s3guWl0vPerzqdbks9OWgfACfnlHuHcvxEo5Gd4Xd9s/psvsxHr2PwCVB1FvSL2cCNz+UUXNP693Hvm6z0sTD5mnYWuMvCHLGLekHp+aLLWzip1w0LCYhFPqokz2k6sujpYBEujnqAXNEbTTdjHJxqud8ff6on8VZ38xwcdoVjlK3looySmWmJQBP6+wWsRBKZJHaawe/EVFIHiZPufys3IsBXz5ipIo+pkri0UKwlskIpj71dYjIJoEIVpwewj/HzVQvPUwwEp1pZImpoTtZRCXWssrVeNrkWCYpd83I0Nu1zscTgog1n/oXOsJQQ2+n/qMIgpUCfhiy9DEoGR3b/HKwjn+fbwOS2qZ9TGiUnzoGWB+4Bg11gbRpYNsiRuySXNmDKIpi/STbCAdI5wcJgjg355IiImz65RBKsjJfbpQgdx198z8uEfrgx6U2emAfiygHco4LkuSvnmBrKD06sZ/o5+raB4Y46fhpvN20H8myr31+QevQTSvHUD0ZpFWSqk6vXj/DsBtJe9GPXA98JfelmB16JtheIg/6UszrgNFw2gMJBARMqtHDOWNPlVN3xChts3rOt1x8pGB9BR2kdE+mWRogqHlo13khfSpDErPMViahbKTJPsXdwLrxFYDrKXqYXy3nuqqwxCRO/JSK1SbBvvGgsPwQo43sXmf7xmDmG6nCqIDXciDSCk7MA5VvsAPBBrN9KseXST0k4LbsGHrJPmfA9uThgsKPXRMQdIA2g0E4youAexlmzUrim9luHbvO2RV+iT/VpMzWDbwrRq6OJ+WKwwDJQ3D9FeCTEv9soWnQhP/IEjQjK2CWsxFprOfQvopLHQNtoxdDOufzQonYDy4MH9zBVvtyBn0IdfPcWiyAVaJZVSxvpZqsDH4V2xH2mvUL9U2Xk5ruL0dH9U0vlGm8PSBZrjcoklF53smMcz/65+KChl/3emt5DwemK5ubV1fwQI7IXHWDhWvjL8vXWILb4WAfg4k7b6fscY/s+xxU+jDG2CnOjCgIdTa7PrbGMqjoeLVSmZGmjaAXCfU2GG2TUYse0aCWdtuiRnOMSewkZ6of6BLZFi6vGJ5280nYrDGpAoxkgygMorLy9Lqsur5W5Vez5FcqGy1bWCRorEESAT5MoUsSZ4zZBe5tVNSu7qemAljWht4t0WHRcWli+4WAz0PGmMMqAc9hsXoAROWSmfQtz6XKV8T4nV/mbcuJb5ypgV6NuXYBeG3OBOnVFO9lukZLBn5kbgww5sgBo4CsXjlY2oi+riPhcuVCMbvwQfjOhUNhRZx6KSOnhuFFFplXKE3pMCSeb1Cg2Ur2ciOjQs/t9QoL4iWha0ZvABUIMDmJoQR1zjRMX20ZqTaU7seym0olP2GGOW1VrLjA+arLU3yREckwc2sgS8FCd+UANgrJKxjowVo404FybNxuedkPxJPGg5+2cNdrOzwE6IaCKxcm1fKOCedpmMW/fYhn3IMj5Hse2huyJyGSUhXjrN21vVjp5SITqWQuU4DWbvgOR5Vbw+0PqzQyCOH9PJHkolcTbYS9t3h1FhKPP4pDXQbkMCAIJUuzugNRnyIjioxgGZEq24YXzfG9tkhGFco1/rDwaWweuDVNeFQxsh+NyyKCh3Q1+zeK5jVKesVGwEQf9M8Hu9F65E3pmPIc3LpCs2fOECPPQhSkEVn1AubSWI4SWW4PPNW50NoiqDH8ZrNYFp3SextdbSC2sKTIIoW16NgvLyckxJW9rnHgC/F4WI4hwhU9u7OtTvp4VA1XWdTnpD9FBOSbhW8fCtZRA/rnOCzaw6ewRdMdPFlrIdClKT6jGoNRfQE+buGB2asMaI49lXbXYYM8ax3YBy2+yH2WkesXj5NyDMRTyxhC6NGqjcvmGblBg9KveHaEorshc9lBOlF7RzN4nTMyWWCBykkU3PBRlOExhRgySLUFE8dkEgI9TZZvZGfRwBqFVoZsdfpSROG6llzquCHvW4FQKnyDZsqqAttUU/Ida/1sZnMDz+iqyyofbTzW7dZ62HNIPInAbpMW40wrH5IV/HDVPaIO5SRFUsx68NKI05dbSbOwPnDdRumKaEPb7qSpJyvGagjfXItDyb8eov1HJmi5/MbnV4s+0CBKZwmKoMsJoleBZh1k7CqiAyg6hiCUr+2IDC/GUdaakbhAJPUq8iXeHlsEbpnFBJZEgBmi4QbjNKvdINsDaILSIrWxY8bEFzZCDYpMei+NVcgj3bf/INti+G2dgIgC5muZ0eFa6CgS3MBvao3bmrYEeEW2VhZwMo7DPWRA8nzMA==--Y3cbBcS9LVL6HEYv--ydc+IIWgrsJdp3h/Two1PA==
\ No newline at end of file
+8pdKwWt6lRShsXwJ/xsjA87OXZc8nEzUKNHo/i27D/cIvBXCGWKJ4m6j3IBjIIxMKnCth/7ZaY04QfA3/NaWZj5DX1ie1l40WVPQGGrtp5bp/bH11BrzELt7ODaK6g/M/wBLFpIDRZ5/UH//rcBxMu+wKoDT+hH/EfSOrcuF6jnMQFcf+/kdnoK5LK83hfH71RrBNJPDvHHAcFqREPGYbs7qmNJVfhTvdJE9HecxSUoNdq0mjRnOcZ87+5bNf241TxgRvVN9f2HIHC9wXiGaI8QIR/Jm0BV+NLQtR4079XIEwlpnxcHH74i7HZl77noQlh/oKnN41PVMaX6zAzPncsMCLHYLuglWqij9qDH0GpFu4L8fl3u1BgIz8POeuNLcShVj1sNPWXImLqcwotBidDSgrdIeW5JVX5WBn33zXXoRCqdXxUz6I/Of1ej9feDJa8I2qt9kDLZvzFptVTDZFy/ff27xePxeH/ERbngsNC7IH1rHSjcnSp8Q1jLr88KnNPCOi5AvAk9JzcFfkwkH4N6vVovv1oSQY0cRbxUeLJmoQIz2q2rgg2YzP4X0pLIIk1LXwx7wePoslFjTDFMSEX6vmKfCAOmGcEi+XVkpzRY9c/HZtE73u6u7Txaq3+QIUlGeIszz+wrr4TSXaD3OVohBUlvlt6rowPVwQK3aW/sJoCUhfK+UQGm+ut2CXknlfjJBArUPFAvb/TNuJ1Bt5LIVoldP6qZF4UYVHbIifu9YNmo1Ylr/ukQQaMWOcx+2C5lsBIghLqGUZEV1XzXrS0ip8CclW+lLzqPSfBw/HeFX7HeYl08ZlH+5RbmaHOST1BLsCroORVWhrtqfcr6lqXFH4X0WtR6isFkgxOEhxJJSZ3VXo9Pjs3x81kGRTRqbB5VPiAsOa5XXfP0ArKoU8QL2Yoya4O+pRcW/rBTcqCkjslu53Zmh2DDYhzb/rXIxSkpL4noFxKcgWWuQA6GzVOE8+/LJQLxac9SkP9brHVqTxigqMgO9rB789vHCHhO2q4j1cfOgVDYLkHBO0DDLo8nrWGBLfAhvQdLIN3fHail7Y2bICL0GxLWfKd5RxjIlOXx+qDk7+CvfHJaqaVU2kaFLTf5wC2ojf/GLq36+YrIHczGfCYD0pGIt4NXsbQrVhL8Gnl4ZwZiBz/wfY6exhuzxWB/lwxuxCelZ7ewx7NOEFRgQ9kLRQkf9cIppc+495qChgpl3RPshkJoio+TfNT9W31NGCrux/zY42sDYr2PgDVss/+0g4oI8k6/uHDQK3FcfCkSWtQOHaUa5EdK+s2gVYav/Aj2BQo/i8rTmhHpqDL0mtyquaT7HFjQ087C52gd0+QWtdN3KQb3Wh7weHUgafElZEmKNhFKqPWK1xLT20PDheUMGxCSGupoY1Afal48eaKugEm3n+lTazNMoODHGQCooPXgN9NHOcze6Ino6+vSLofZ/97VWJs1u1cpLErvUGZxw3fOjfLw8bnfaRiG1DCwJOeZhgZPOZ6xGBB5tAgEJS+YCSSy26YM9ik3CPyNJzesETvijRPO9a62tCHs1ptmf0rIOA7no6RoWk2c9WX8dPsmwpTcwg0DtpokQGJQ8ImrcefGR1c4qkXisQ4IVr92G8xi5MkBt4YG/nWi9VZ1IyghS20n2nFm9/Uq/XZ92C+ZGU+rpOSJ63U6vMByPar+RBqUh5Q9g90ZYREtiRwU63YpBS9B+XTWfWnjQmOpTzBlUSfXhFMJBj2PZgZn7ky1fxqqlkuOEnSR1ZEuyVqK9QAZCE5EAfQppu2B0ctbavXlmOPVHiQt440yeXFywmsI29HZ3yGcMFCLlgd+JW4c607T777SlwL0OmJDAG4R5sXsMFuKGgkHEweVfoed1XxZ2/1tzVq6PjO8zdiAiOCGv+KdqR/WQ+mfvu0rr85M12v9DMyBQ7HKfNgFuZE6jZ73DxJYUYyyjnEEJrOOo77kga53HWfMBw1dCImjH3iBokF+8OsAvjGZ1HJS82Fj3w3LPWTvQfT3AABf2mWNFS+KdaOh8oRMIZjkbHwtyKm+VDi8Oy03g51pfpN6g6w5Q9l5P8XpG4cGJPa4mFLBl3KZGD5ptV8EYGBVMTkmfI6KurVdhDzsbOE8TUB+ezfso3tVGO5xxvGcf4I1kTM7wHIhPxhnKwg+PF1mj9ZEjDGVNffaS/WErqfbnHFFWBNe1dgWeafHa0l08BMw8wYZLGb3nVPo24MirYL5lZ6frAaxdXYC5DzdQMW//0f4NzERW2gLdBtm+M5LyLuaCE3LE32geopcytyfNmk+eoljCrMLw6g8VzEyxSvdxKPB5DSe8/ehxd7eHASUCuGP9zf3qusZscoM8FTlS9gzKaHWFTrK1gVscJj4ibMqitP6qvbWvwrMHl90cac4e/0x/UuI0Fv5UG72SocB5oGdSn3I/bse9bvbCVLE4ubclOU9SclMjoFveTiaqypQqIuK144GOkJOaHDshFmN99nqUUYmbMcUMHOxvi2cvjIpncY234W0wd2jSmPOeihTYscVNlKQGxsSsJ08IUe4oMJai2XKXFMiisunpmjJbDFRwa4ja8F3iyvFq0wxgoclIQj4ownX0YbAkpCGm/3PkfyN0iteBiutR0/2VeXsEaoNyQS18xRcuGKI/irkxdcgQmlA4iLk0G30aE7l75dBDoHVsG0GiuAGx/sf9eRPh7f+nzfsl4wtVDUIfO182hhD01ObBfM/JQllMOhoEmNMumVxruJB04RkS+4cBuWqH4dpQ6qYzo2Z+wN3xCHOOmNwI3lfiiW4yfduhTQf1cRZ6x3lT8zIl104sMOU1Na7aZA9yjxsg3gG38uVXbQq129/d9IA29vjBHdeSoRZvVYZJGR8YAgKbkMPQr2uBRN6bNQEmEOgYS8eqNus36OEZmRPBI0/1g/HsNmh2vzbAPhzfh1UGEtM0DPlzUBHJ+9Btp2q4SmquCVEc0FgiPO4ZoEOy/45zwVv0RzHBE8oWDs1DRzROogVvy4IJs5xGA53E/vz/WeQdiAJ5xT0N8b5O9sqeVqt5EvHDbe+j5sOQjb3SDYoJYWaYlLGdBaL1stNUpBA4ph5zMrgTT8PaiUhm+Zl3PnhBgVpX/oiS5+6I9ito32p8XgzYblVeKWHTBvsDgfifWroRPJw7YWGv1Ctb8jBXjcMmawWx6iJS+sn7WOjLGtU2EUDwS66W7/ZPREPCMyr13+/n4r2dxQwZUYOp5XMvRd2pQsUqEKO6+gd7Lk+slfaWZSDtLNEXuUt/yslHPjLVxdlZWjNpzTUkIwT0il7QZfFbPdULSYGaJQ==--0dMPjkllo7a92Kqr--QhwXbBX53PXaKAOy23L9wA==
\ No newline at end of file

From 6abb1ebda1c33ae1400c75241d4ef4d5f9cdc752 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Fri, 17 Apr 2026 14:23:42 +0100
Subject: [PATCH 102/106] fix: eu_country_date_query

---
 app/services/trade/filter.rb           | 28 +++++++++++++++++---------
 app/services/trade/shipments_export.rb |  7 +++++++
 2 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/app/services/trade/filter.rb b/app/services/trade/filter.rb
index 74f3a5d46..fa43ad1b5 100644
--- a/app/services/trade/filter.rb
+++ b/app/services/trade/filter.rb
@@ -87,15 +87,15 @@ def initialize_query
       draft_query = draft_query.where(term_id: @terms_ids)
     end
 
-    unless @importers_ids.empty?
+    unless importers_ids.empty?
       draft_query = draft_query.where(
-        importer_id: resolve_eu(@importers_ids)
+        importer_id: resolve_eu(importers_ids)
       )
     end
 
-    unless @exporters_ids.empty?
+    unless exporters_ids.empty?
       draft_query = draft_query.where(
-        exporter_id: resolve_eu(@exporters_ids)
+        exporter_id: resolve_eu(exporters_ids)
       )
     end
 
@@ -144,11 +144,13 @@ def initialize_query
 
     if importer_eu_country_ids.present?
       sub_query = eu_country_date_query(@time_range_start, @time_range_end, 'importer', importer_eu_country_ids)
-      draft_query = draft_query.where.not(sub_query) if date_query.present?
+
+      draft_query = draft_query.where.not(sub_query) if sub_query.present?
     end
 
     if exporter_eu_country_ids.present?
       sub_query = eu_country_date_query(@time_range_start, @time_range_end, 'exporter', exporter_eu_country_ids)
+
       draft_query = draft_query.where.not(sub_query) if sub_query.present?
     end
 
@@ -167,12 +169,20 @@ def eu_country_ids
     EuCountryDate.pluck(:geo_entity_id)
   end
 
+  def importers_ids
+    @importers_ids&.presence&.map(&:to_i) || []
+  end
+
+  def exporters_ids
+    @exporters_ids&.presence&.map(&:to_i) || []
+  end
+
   # this is to collect only eu country IDs to apply EU rules query to
   # e.g. EU + Austria we don't have to apply EU rules to Austria
   def importer_eu_country_ids
     @importer_eu_country_ids ||=
-      if @importer_ids&.presence&.include?(eu_id)
-        eu_country_ids - @importer_ids
+      if importers_ids.include?(eu_id)
+        eu_country_ids - exporters_ids
       else
         []
       end
@@ -180,8 +190,8 @@ def importer_eu_country_ids
 
   def exporter_eu_country_ids
     @exporter_eu_country_ids ||=
-      if @exporter_ids&.presence&.include?(eu_id)
-        eu_country_ids - @exporter_ids
+      if exporters_ids.include?(eu_id)
+        eu_country_ids - exporters_ids
       else
         []
       end
diff --git a/app/services/trade/shipments_export.rb b/app/services/trade/shipments_export.rb
index 326b59744..9cafe287c 100644
--- a/app/services/trade/shipments_export.rb
+++ b/app/services/trade/shipments_export.rb
@@ -1,9 +1,12 @@
 # Implements "raw" shipments export
 class Trade::ShipmentsExport < Species::CsvCopyExport
   include Trade::ShipmentReportQueries
+
   PUBLIC_CSV_LIMIT = 1000000
   PUBLIC_WEB_LIMIT = 50000
+
   include ActiveModel::SerializerSupport
+
   delegate :report_type, to: :@search
   delegate :page, to: :@search
   delegate :per_page, to: :@search
@@ -11,6 +14,7 @@ class Trade::ShipmentsExport < Species::CsvCopyExport
   def initialize(filters)
     @search = Trade::Filter.new(filters)
     @filters = @search.options.merge(csv_separator: filters['csv_separator'])
+
     initialize_csv_separator(filters[:csv_separator])
     initialize_file_name
   end
@@ -19,12 +23,15 @@ def export
     unless csv_cached?
       to_csv
     end
+
     unless csv_created?
       Rails.logger.error('Unable to generate output')
       return false
     end
+
     ctime = File.ctime(@file_name).strftime('%Y-%m-%d %H:%M')
     @public_file_name = "#{resource_name}_#{ctime}_#{@csv_separator}_separated.csv"
+
     [
       @file_name,
       { filename: public_file_name, type: 'text/csv' }

From 6ecc3388fbcaa607a182a7a5d5c2f741c6306e4c Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Mon, 27 Apr 2026 14:26:02 +0100
Subject: [PATCH 103/106] chore: permit CITES checklist url to be used for CORS
 requests

---
 config/credentials/production.yml.enc | 2 +-
 config/credentials/staging.yml.enc    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/credentials/production.yml.enc b/config/credentials/production.yml.enc
index ed1380f72..0f3b56fc5 100644
--- a/config/credentials/production.yml.enc
+++ b/config/credentials/production.yml.enc
@@ -1 +1 @@
-15XdjowjG51zusY9MhBiAsQJWrckBz4g4co3LszHFC8dE8nFp1+MQMJXVz2GuGcI46LYiZ9fiekCRWOd6CjHeekYHX91VKd86dPIlrC2bYOrZfEUVMZiOHr+97PfoIOkznwIpTi8H01YuJ3EF68wxGDNoEuYwhTUhMcGpQu3HvzqZHDJSHKpX/22xqrWAV/C2tqOLKXZ7Z7WRLpzfUaOeaQlBRTvBDWj2aP/6tjPuL8kG885jsWMlg+DiBjD/9rNAB/tWpwHGkURS70DqFfgnIfuby5mTuLmbTFDDu3NB6mAbk6M3ZXlwhoJWX4Le+1WOcATdLUSQAuKukJ8lywQkEQdzpmzjAfHvREBH1IrxYQXGQs129857gLS8Q8kScT/wBDYMDKDNeRuGWRdEvDb2d8KsINaF0qqYYX+72kWgq3Mqr2mGTeU4ht6T+Yqdw68EF3xupPxkwr+zX7LG340NG3qIFXew2HTva7yBVtWVyut+7g2BBGL9GA+pJDEMPiArRFjEg+eNyeQwrQK1WPy0Pd2WT3A6ygNevUhvCW38zm1sOwPnBKmubRiPeOr4KH4cuVvgCUIKBC2Pw9BF1/NOd9hW9d1rd7sldquGcocXI/2wJzl6fG43NKk4nI2O50+67YhhUBDmYqEPRzTT1Ozuvklzo4gtAhGtPz8unXPzCopXQgFAuEVyM4d6x15OtfeOqEco+2t4PeDsi5HfXKKXq2Wl15ca6+qB6rL73tktb3pI4Iq1p/d2jS2xJCbQuCK0nV+ApnsXPJ7lEkmYl7e9qmAX79BJPK1VhJDWRIGvtmW4R4c6vmbUWmi9r38rTGPj4lVQd8aKERPaOaWkHPSh44xT5ZKXLAE3A1iQE93ERcQXueCBTKgpcKr7HjXOPk65IVP6F+lqE4QjHEopoQvlLFY78kAszbe/HF/QkDqjA7rhnF02B5GJ4TgoSl1O+0CvQuzt+nvZeqlVPkBJl0tAktXnxFz7pKEG0XkoIjfJcPTfsCBzOI6Inht0k+biAAw9907BlMTaev5Uhbk5j+l+Ea3lGiIBw0AWO2ETRrEBul9Er8rNR9uwStDd503kYUlJ79HvWys/kq9c8bPrLSh1ma+ooxfq2eQAT23iJJLgIGSaNg4TegJtWNh5EaKS3gcAzZjVtMBT1zZdDGKYHwFk325tkwTGVvE9mhknzYiUUzBNq3NGk8KvtptsMbxRkwTR/Tusb6O3rSYzPAnm65YwPx/DWsXzXwPI9O2iP5CpaiXAvQG8u/FlP/1Bvt5a6EACSPAEA3FS3X+uB8Is925ApKswCyPvQeWccpwoilxT7ZpAhnjdg2SCsKSDkQcLbkV7EJga1k1iEv9Lv8gCGaRF4QV1IWQMMe33QSoB1qQL+0pBbAZ1StyvjT3sG+I5xclaog6XwPxsEE6RHot6Jg1QHCzgRobPj8HXqdk8EuPgN5UUTF+zLLq6xCg/hOqgjc1O1AbWuyJT2sU0haqdJWacQywMGxygEEkI4wypjNDQRxnqtXL6mzPEGy8TzUarMrtjrPXc0H5qAr6OrQpysyIvZzcGWzgP4TCK6m30LyYiWvVw3L/y80omZzjfeOUtzhQzjGNbD6fqhPnKolU3Imoh3haaTaj0Rtf+XYjSUejj5roRIg/I8Dz1vYZTjZrNCrV0z79BBrOCQDHhDpsCQqnG4T4bFLiBGmMe5hz9af1I5TaBUpSEUPs7PGS4zYD1EQ6DXrIQQynTrBI4nJpgVSATvwGyNmzekswQ8D9Nhrh03C+Nnn5XzKzZ4ssV4ZuloK2TOfJ2RtbizAzm91KTMvkhRRTnmCNdllH460d2WP/r+M8M+/Rg3lXJS96Pv8HYeuzVKw3HG3kOMZMIlFm4FxxNMasf9hvK18ImEsN7NEZ9L2NOjtU8LPqxCkojupaT1l8HI2geQ1weuFgHk2MzVvk5G72TtYXwvHNjEMNS4jbQxl2Dc5RHGH6YAC40RqqgeddkMXIo12Z+CnEPGzcxg7X93l5+yVOkRtbxiju8QN6RBraVyH2n8y44aI6cRZbygpxUfdjaRIwMxLQlGPiDMW0G7twej02IiGO6zVDwTDXYJmk/8eXa2SL8jKeSvsWIYBa46OmEedNBrOj5fB++91n1mCmqczhNj43ts97nXEXL46SV9ky2ItcioMNsSEkMyS/XW5TPxoky4Q+r8wv8b/GteatVEoixGAX3McbcY54e8yD6A5T8x3IEoxNvIBTK9fbGqcLm0JZ4nKyhCCp+vl3rTY/dmt55MpqBYwwLffqQ0G5aFXCC69XMxb7dThVeh3KNQR8qnvFCwMZnat32b7n1G1l1wC7ZXJRkBp4FyTgqeVbQdcGgYtZhuQa6hGnBTSv44LjVgA/9wqcTUqoq+nRpTEbriQMuEJdHEQNhuDdOWGGOHvYz6lUcQ/QS9LEXu3wtBF7+/cit2FDCSR/+hjK9BbFUxFu1GO4hL0rc/5upIr1+wWMBDU3pXocJLwPsJieCUqqSJp5jOdxaXGEP+sDoLi60PWASpOouCCThJwVEXO2pG0FSXQtHC1T1k8RDJWQQPgRnC5pOkUAiJBuPlYk9YdfIFFA7Mfz5oHXyMq5h0x4ia5wOjpF/LIVwaCoIC03gX8d+VdGcvdYOe0o67u87nPiZpk6Lg9yofgJ1uOAGql+xZdSqO4GLhlBmhQD+HE15QC8bNwZTpcWk2Ec3KkzcDe7uCI7BsL/EYT5g3IRRmZTGGn11LAAJt9ee/p7/B7CAst0p41Ja8rqfxdNP59GGOo4fI9oMjUItnqsBuGev9Yhoq7HjujhUo2if8amqQ94ulJfX2TNpm7uoyrAsv+kJKalAdHfRmcoCk1JI1jL/8DdnG/AiHVpFYoKoHtluyiUZK74Zjz94xiQNjh524eLrzAAOzplPng60oG93lE6uSaeEBEdiVHJISsu+aQjNcnt02/o9cUF3stCa76TlvNTT+YRzkdNB2Hvbt0YX/IhfhdL7pTUnDNSQEA4IFMZZ6oWQguAX3uxfhH+72iPGj5eZsOyZG/PXwNYYDeCLOr+wVm/69Nd+hhtgydgsiZ/aEinzZarDb7EQm0lMD4TixkJqYGOVF3xXHVzzw6o0ePms1zSh8NgM8aeI4GaTs0eSAFh6r0HE9pFBmUk1wzZI3ex1AMTgtO0XTM3qoUjRDk5DzKsI1FSYjI4rM59QLtya+dpx6Jmp5c582FE2+gKXWPtdlBjgMmjlQHGeBwrWiJEBpRlCulEfQ3r6XBH8rjyx/6hOSxAtmVOEb82VAw53mV+Bp60XmjrpIIxoBlOezaxKmCfYLVWky+OEQvnTOV9QBovt+w4EhBy7a5dwnYO5P9d94seCE860NjPtrTGl8D4L/85ng0EU4HyjGLhXpIZI4nR+dGmnP4yVzcKBDEHU/kGUpichn0QElZsaoiW7SSX--3BxCon5UxLls1Gsi--aRhvTbWT82GnXRKdWvv4Cw==
\ No newline at end of file
+eyhl7vURXPhdpXsR910hbXELz258rNgpMSpfDA2QJZLo3PKQbXVJJffzTMQFq92RPbZgPR1/6k9F6JIeM3Z6wYtw+T5j2dI2W/zFPTe/a9sFXGcgh12G877qGX+Cv0EcK3Nfsuwbbs7+bVgSKDM72gs2HNEsmtH2BPWPQCeDhW0yv0CQT8ORvFSpijzd9FIKQKSNrYXeJjxfCX1YcymmXvTmuuqPjK+Mho4xcHNj1SQ2o9eQZKaz7ff7CrSNDJFJH23WBq92M+rQdRN/nJJoLyUhm+hupDyyeQZSaU2b/uBY7adhPQVNz+TS9CFL4YZ8IHG7yZXLRe1Jn2G+XBLXJGQs9V8cUx3gttR2EM9+hadpVpdsUeqrNWQNpqfdppRqsezilzYPxF6duQIWGAb0JJa4lUr72rWwTVfgngK9nRoQ1gFR84gSpOmgvxIeXy6q27kdckFySbktQOnRWCLs0V+U6Kp2Pvn4/dhp795DulfkOgZ8d5yjTsH0m3a3JySOYBhKuQ089GzutK9xgLIvrN3AgVsg1PjJgnIPvwUtfOQu8MFKvdfzNFyD5mJqXVneNoSxWnCP2+LY5eORa+HWLPZ6iiDrJjX9fXG1ISRgs4ZJP/+C9TrVTJ4RA8lZjZAbdfIrXs119IIY8Bpw99p3Fo8fymvCPIjjkkHYtTSs+NlfgsRxHTJLgmReuAoBZ+3sVXMD+6m/Qb+VVQ6ANkx9iBP0IPR827gzRQo8MclCO7DwKZZnZu5WIFqrV1W1tIdMQnAnVK5GuUynzPRzoUU7XsbblFOqp02b92aD7c2D/3MeHsCG4OQMdjGWpQgltVekW+PAkmre69OYxmra7ATLxPPGwrlSB9c5+PTZQZPalfxfBIRVH49kzEPAAORIb/MgmvC29zibPlvQ5DacvHxiydG9v3h8i5p7vYEaPihjnQTVz5IGTX6j0TI8ugI/7KKg7r0UohoSqKcvsZK5ko1mEDqhH2t19ZWpxNDPeckMW6kfC7ahbDm1wUceb13CbbIrHQzSqtfrWdNbAvwYDyVNmzUzdqnbtlSAcK1Rv8ip9pu+OXRWV9qjt7ZT2HNnfysnnXoZBXTzLy8bZScVCs4KrrHTihOk8D19iHBo1CPbxKyHmxOW1yfWaSexKqKFLtj6u4i31Qoo0uAMAGccFY0ejpXWSBkoGCnG+qSKv3ymK9quWObBVIVfMf5c87Pjdz4XTOLL0KnuQvaF0OGq8TsiDCwhSrmHfxqHhMWwU4B3RWb8E2dqHUP39EO/Ry0XtqWkUJU1A+jFdmtVimpQJwUOJzurBQBDZHE64VfcN3i9zthRWCZri9g2le22Tfkgur+Ty8eLnR55R/eXLq+hmeevr//OqXHvLfct16w3qJNEJztJ3EILHpJ2EJ9ULiPmn8IduTIKND9UO14tYJZ5YSMJ6UM6HkztNpRbIQEqmkqKkdl4wDNTuzTQeP7fMcXN+/yS7sQEKTf0fzjOHLzEml0M8gVRsoOW0yKzYHz8FmYqpZ1Me5wM0BOuNPdlxTNM7WyZG8KwCQusGMB8tU+FtM9AS/gDX8eL3ESAPRQBOg/SUkKSLSLrk7w/tGGM22FDv0fCquO+3j7jPHJIcx1x5DABl0TF7G+Vy1RpfOzsd/7FnhDX1+QCOGcXUMcpOJRpD4tn3xF759EWgfqtSXczbDVnHH0thEEBX0QOLwZu25NsKDdDQxeDZW/iF71jkrKhJYtfoUJKMpAuar32TRNM7vdipH5V17b1b0yRVSgr1H1XROI7kzib2kE3tLGK+yVMtQWADBq+pFutbuhC46sNZX7eXxJeEVpypQz8g0QGZsdY7h6viMp5YBflPoTkHqOvHEydUTYjPzr29cSXC7qXgbJxUNBK4NpjCJ9SbQoK2euQXAHsQlRH5SmRopHXdNcwPamV1BBuGfrRQdF/W8yI3S2zAZEI83dOxo2IqKlMbYjQQiGoqQl273sPE3cL5unhecd+m8ZWG5ekqiZXVrvJW1mEe/Mf41EOHPTW8d7te4KySp1c/c/Hz292EU5HvQ+cflozACS30fp5OIWrlEDr6+RpwQp38LsNWk9SLs9iXJl9boT1aZeHjNQr8cN6Y+oBYdlgYF3Avyb/Rw/YWKeQ8+FWNtdNLrRRUslhVB0EK34OQEWE6B/gFojAcM7qmmng5AtDZ+JQyz84Iik6mXsvHuRG4Ue9e5e3a6Pla/9lTOy1aFd4rcbYbSIbMoq3afu7uMJaHzcH7E1FWqfsTO9PhU4L61t16+028FWDfLsnjrBwmz1cNdr0B3/zMtKMAlfUwN7eWUM6Ty8VpfxyB5mxu/crfL1zO1AQs+oHoGk1qlLzdWSK0H/Kt1S/GSBhbezNtAVdmQVZo0uRjuJB6lDdox/RpjZzpx3tRxOwHO1pJBo9NU77WEGty0CNEUDZXS1iBHjEhixjyTEo85j6YTRsIyI1NGAQZKqv0rLzET212p/WAE53ph+4VelJXBLE2Zz7fMPYzUFqkd18HSdReeHI6GZMnyZFFQCR0xcDCZgb15N10+A6FgLmij60Mk/74HXKNmqzE8rGaznojv5uppRBoOkZHaaFu1q04J6TdE9IGkO3XRtwsDFcWb0XY0fpB8ujudKikdjcsf3vk4HYtpQXGlI3sPwP9LtEWNKgBONeDn4hR/ERPVJ6bUR5+cVcYmNdgPFygi6S0vhWBUqWLW4s5uxm+7QW2al3dLV+oaRTqFaDAW2XBDflEKqXr3+z7LiKDKMGy9WM59kvcKivYm6J84b56jYqeQmABUmMtIII1AsM7l6lF0nO/lZnqmoS9Rn1swbSyhNr0i/we1lOQLfuH/S5xVtjm9Cqc3uqgcERGCAuawvDfJ/KIC5l2TP7AJaL81+z/xFLz6X/CFYLoZMZ/eXrCGTgUwWGzAiB7PqNOkMlvYVcWSlCYkU3EwztgN3WmwgYYIJn/ubdqGyF3ITn4Ku8MxnhDlM3zqxNTbCe0Y2+7UoMwDXYXsemA6Sm4gjiS4Hm2SEBJTDwPEKt+OIhQDGFH5EwGgva6usnvL377qyom1D+z/9qAR/jczLVsb4TQMNCIhNKJXA1hmxAdxLvkkaeEfb6IPdkCuMxhU67KJ1H67MvFygMd7TKCH/mhk92nKyJJGtTWtvx2a8F6KQWusgxpr2PkM5AuMqoWr8OaEBb4Qd9r9BRyhTPtNURrW89slO9apw9SGQlNrF7I4GeAlnUi5YVW6VbfoDucc8+4YnDLhxDzjDFs0IdcgdQOaDzm55EPIEJaz8rdemLp/qRJvPwGbYYy+xmm+2lYv7zhiEOQBYTEvYdE8uyViaQP0bg7mEYP/SpMcHK97cKVVYbijvlvDXlJe5hIky4ga+x209EIMc1XksfRypNNhAX55d2/0LHKQkiY964mlqTdlK2iYho+5mUq0g6taCZzqBtgAF8xdKmk34XT9jOf7an+3ozkPibXBvaYJtZlVmWcd77XFlqtwRIXibERaxhN/qQLGVKZ5i5dGSpdDTvuWo4z0bSjhFsnD3dGK5M4WZgPBBj7UO44dfYQN9hPKklgqxJH18rJMnI7L+xWY07ez/T3SzoXl6uNyhxF3rBOOAiMzttMW45WLE=--fG9jdDXr7yO2OUx1--oDin1EisdWlIhUFEcduqNA==
\ No newline at end of file
diff --git a/config/credentials/staging.yml.enc b/config/credentials/staging.yml.enc
index fd86d3ed2..4d3a37c71 100644
--- a/config/credentials/staging.yml.enc
+++ b/config/credentials/staging.yml.enc
@@ -1 +1 @@
-8pdKwWt6lRShsXwJ/xsjA87OXZc8nEzUKNHo/i27D/cIvBXCGWKJ4m6j3IBjIIxMKnCth/7ZaY04QfA3/NaWZj5DX1ie1l40WVPQGGrtp5bp/bH11BrzELt7ODaK6g/M/wBLFpIDRZ5/UH//rcBxMu+wKoDT+hH/EfSOrcuF6jnMQFcf+/kdnoK5LK83hfH71RrBNJPDvHHAcFqREPGYbs7qmNJVfhTvdJE9HecxSUoNdq0mjRnOcZ87+5bNf241TxgRvVN9f2HIHC9wXiGaI8QIR/Jm0BV+NLQtR4079XIEwlpnxcHH74i7HZl77noQlh/oKnN41PVMaX6zAzPncsMCLHYLuglWqij9qDH0GpFu4L8fl3u1BgIz8POeuNLcShVj1sNPWXImLqcwotBidDSgrdIeW5JVX5WBn33zXXoRCqdXxUz6I/Of1ej9feDJa8I2qt9kDLZvzFptVTDZFy/ff27xePxeH/ERbngsNC7IH1rHSjcnSp8Q1jLr88KnNPCOi5AvAk9JzcFfkwkH4N6vVovv1oSQY0cRbxUeLJmoQIz2q2rgg2YzP4X0pLIIk1LXwx7wePoslFjTDFMSEX6vmKfCAOmGcEi+XVkpzRY9c/HZtE73u6u7Txaq3+QIUlGeIszz+wrr4TSXaD3OVohBUlvlt6rowPVwQK3aW/sJoCUhfK+UQGm+ut2CXknlfjJBArUPFAvb/TNuJ1Bt5LIVoldP6qZF4UYVHbIifu9YNmo1Ylr/ukQQaMWOcx+2C5lsBIghLqGUZEV1XzXrS0ip8CclW+lLzqPSfBw/HeFX7HeYl08ZlH+5RbmaHOST1BLsCroORVWhrtqfcr6lqXFH4X0WtR6isFkgxOEhxJJSZ3VXo9Pjs3x81kGRTRqbB5VPiAsOa5XXfP0ArKoU8QL2Yoya4O+pRcW/rBTcqCkjslu53Zmh2DDYhzb/rXIxSkpL4noFxKcgWWuQA6GzVOE8+/LJQLxac9SkP9brHVqTxigqMgO9rB789vHCHhO2q4j1cfOgVDYLkHBO0DDLo8nrWGBLfAhvQdLIN3fHail7Y2bICL0GxLWfKd5RxjIlOXx+qDk7+CvfHJaqaVU2kaFLTf5wC2ojf/GLq36+YrIHczGfCYD0pGIt4NXsbQrVhL8Gnl4ZwZiBz/wfY6exhuzxWB/lwxuxCelZ7ewx7NOEFRgQ9kLRQkf9cIppc+495qChgpl3RPshkJoio+TfNT9W31NGCrux/zY42sDYr2PgDVss/+0g4oI8k6/uHDQK3FcfCkSWtQOHaUa5EdK+s2gVYav/Aj2BQo/i8rTmhHpqDL0mtyquaT7HFjQ087C52gd0+QWtdN3KQb3Wh7weHUgafElZEmKNhFKqPWK1xLT20PDheUMGxCSGupoY1Afal48eaKugEm3n+lTazNMoODHGQCooPXgN9NHOcze6Ino6+vSLofZ/97VWJs1u1cpLErvUGZxw3fOjfLw8bnfaRiG1DCwJOeZhgZPOZ6xGBB5tAgEJS+YCSSy26YM9ik3CPyNJzesETvijRPO9a62tCHs1ptmf0rIOA7no6RoWk2c9WX8dPsmwpTcwg0DtpokQGJQ8ImrcefGR1c4qkXisQ4IVr92G8xi5MkBt4YG/nWi9VZ1IyghS20n2nFm9/Uq/XZ92C+ZGU+rpOSJ63U6vMByPar+RBqUh5Q9g90ZYREtiRwU63YpBS9B+XTWfWnjQmOpTzBlUSfXhFMJBj2PZgZn7ky1fxqqlkuOEnSR1ZEuyVqK9QAZCE5EAfQppu2B0ctbavXlmOPVHiQt440yeXFywmsI29HZ3yGcMFCLlgd+JW4c607T777SlwL0OmJDAG4R5sXsMFuKGgkHEweVfoed1XxZ2/1tzVq6PjO8zdiAiOCGv+KdqR/WQ+mfvu0rr85M12v9DMyBQ7HKfNgFuZE6jZ73DxJYUYyyjnEEJrOOo77kga53HWfMBw1dCImjH3iBokF+8OsAvjGZ1HJS82Fj3w3LPWTvQfT3AABf2mWNFS+KdaOh8oRMIZjkbHwtyKm+VDi8Oy03g51pfpN6g6w5Q9l5P8XpG4cGJPa4mFLBl3KZGD5ptV8EYGBVMTkmfI6KurVdhDzsbOE8TUB+ezfso3tVGO5xxvGcf4I1kTM7wHIhPxhnKwg+PF1mj9ZEjDGVNffaS/WErqfbnHFFWBNe1dgWeafHa0l08BMw8wYZLGb3nVPo24MirYL5lZ6frAaxdXYC5DzdQMW//0f4NzERW2gLdBtm+M5LyLuaCE3LE32geopcytyfNmk+eoljCrMLw6g8VzEyxSvdxKPB5DSe8/ehxd7eHASUCuGP9zf3qusZscoM8FTlS9gzKaHWFTrK1gVscJj4ibMqitP6qvbWvwrMHl90cac4e/0x/UuI0Fv5UG72SocB5oGdSn3I/bse9bvbCVLE4ubclOU9SclMjoFveTiaqypQqIuK144GOkJOaHDshFmN99nqUUYmbMcUMHOxvi2cvjIpncY234W0wd2jSmPOeihTYscVNlKQGxsSsJ08IUe4oMJai2XKXFMiisunpmjJbDFRwa4ja8F3iyvFq0wxgoclIQj4ownX0YbAkpCGm/3PkfyN0iteBiutR0/2VeXsEaoNyQS18xRcuGKI/irkxdcgQmlA4iLk0G30aE7l75dBDoHVsG0GiuAGx/sf9eRPh7f+nzfsl4wtVDUIfO182hhD01ObBfM/JQllMOhoEmNMumVxruJB04RkS+4cBuWqH4dpQ6qYzo2Z+wN3xCHOOmNwI3lfiiW4yfduhTQf1cRZ6x3lT8zIl104sMOU1Na7aZA9yjxsg3gG38uVXbQq129/d9IA29vjBHdeSoRZvVYZJGR8YAgKbkMPQr2uBRN6bNQEmEOgYS8eqNus36OEZmRPBI0/1g/HsNmh2vzbAPhzfh1UGEtM0DPlzUBHJ+9Btp2q4SmquCVEc0FgiPO4ZoEOy/45zwVv0RzHBE8oWDs1DRzROogVvy4IJs5xGA53E/vz/WeQdiAJ5xT0N8b5O9sqeVqt5EvHDbe+j5sOQjb3SDYoJYWaYlLGdBaL1stNUpBA4ph5zMrgTT8PaiUhm+Zl3PnhBgVpX/oiS5+6I9ito32p8XgzYblVeKWHTBvsDgfifWroRPJw7YWGv1Ctb8jBXjcMmawWx6iJS+sn7WOjLGtU2EUDwS66W7/ZPREPCMyr13+/n4r2dxQwZUYOp5XMvRd2pQsUqEKO6+gd7Lk+slfaWZSDtLNEXuUt/yslHPjLVxdlZWjNpzTUkIwT0il7QZfFbPdULSYGaJQ==--0dMPjkllo7a92Kqr--QhwXbBX53PXaKAOy23L9wA==
\ No newline at end of file
+rihx2kxKh5UVI9e9H3Jyw2FmZAHnmZfSgMkBxAlYWkA7nSrBJSZmWUa8Pq9iHydgXf1Laj8PQw5vQtqVNseD8FJ1ini29Gq6fJVAYKbuwXmWlIFPI8AdIfT9HeTwVzmCz1wMlczJILX3Xh/2sr7qfSbw4YTH2/KFt8rcebEkx9ZvgNnc7xZ3VtaPbeIJ25RLyLHFo/l3h7efIR3S+X4zbg3IltPkKESH4z5uAksTGYZ8YwcuF0RJbYKnnTgPfEsu6qLw3VJmCknAsUYS8FILRCpM8aihtS0ktcEYgDJAe4QFPq1z7D0sVZWdzbRdHcSJp4iktOnhKJl3tCrtZTOS4p5tNTWZqt7wYIgrHf/TUz2aVVIcLyJVNiTsT9Y4KHbfq0eIDpdbRF7quWfhTV+2mEneCViORp6bVn7X8tkvFT1w2aj5Ka3kVA7pfZxLgwMvgeGPJdlAbrdjPMp1Q4cK5KG2fBQJFRIbKB1Y8AjatJyqIqSGHDQ61CcC5qwSRwmbPfquDxGKZPcMuPGR5cUX5ccDGF+BAqqZ3RnukKm0G4m06Bb6NMd6scfb/w+t1kg+2VHbWLnKsyfvx1F0YXv7ACVTOztAcDPuFKg+gnJIIUOVU0xDQEIVH7PfHhHrjDXE/t/+aPsctsSzB3xqfy+k9IFiksL8JjoDhbAgE2mbuLChuslPAnRHP92JqTQ6vx0IQqJmmmWmBSc0iZLGd5Kmsi+gZifH2Y9OZ0Dz4KW4SLKeM53V2nW7mPvpaHaE8ijOWmzgHGyhTCARvcctCk+6McpN63z7zwL2mPbiUJCwMtJptFHaXOLnZ8DudLzqaPChBJy1tXm8lxJrSKZAbC+YspWe4Y16HJn6XARpy5/ta4eXnQoJJ3N9JdOm5NJFXQ6jaOodIGV+7RHNPcV4mDHpZJPBsvB9lm3NEPBHAU41Huc3NHCKCf9OaE1nsKJSvoA6Ei1HQTCzdMfnLY/PWixCEIGMVyh7At5ADGn47WD7YkU9sbOiyAfcUgJ96tE51APzj79slrDtYNJfI2UwF0WY44OKifgXnr8sH4DLlWz+FfpZxYFLx2ab0cbgmTBrS2JV6xYPZXTFjNo5m8zIETUHOb8ty5jUCBR6X+t34iJcEzYH5fveT/2KF2LcnkXIRUFY3pPJA4YWl/kNPhc7FOe3ELzrW/X3F2ef4yD2Nq/ZN4Bk3L6DreltVMA9AKVUt951JhF957Np6pndu85zxHDzvzG6xLd1D2XhVKfoUewY8i2PdicHG6eb10twKj4GpoJYQFxQ1ITfZ4fD/dIs3MnUMiyzIR0o2PDtrZ7hoHMuPRCzH61TGuxo92w2KJSMRQHSSyNW69Du3Hob/i4gbSTmfrI322N5BzYx4FCO2nZ0rJpeNEa/Qt7fKmqNWw8MQeIITu2+5RYRA8VbuTtj0E5a7WhlHV75KgaU+GnfDRD1xDpjO9VvWvaA5CRB5q2Ab/GsG207ywKunPDJ8B0bkeQAq2QoRP4HBVndroli0Q2dJWcQj++sH9nR1DO3l/CVT3CFkGjYYd2LtlfWgafyZhSB+1F/FCjvomj9VZJwen2TCFw3XlvbM0JQxv4GsdBANLJaOa+vROY4l2pIZVo/w2Mnr+qZ4dh0GlV0MT1tMjUpqQN8/SyFO7fiGmTLgR8e0xuzEuxlIkiRZK068PBe8IZZrPTgwqJYqn55nbTq0vJLcTu81DgPwlnKCnP0IOgWp9IrDN/LkzJqh3lBM1Fqh29o/dkfbmpPb1aujoBo3/cIcGVT1GhQouKGStrhtCleuRuzLzZfS9GhKl4I9jH+NqeN3qblm1+AMEuELDUWNLXBQ42A7SjQ4UEOI5EbvOwsSHMfYUV0xA7uMKfLX/yc7VdGKQ0C/PIAyDoWfsNC/CNaSHRVUsu10h5EtaXMC42r0ovaGhJgUZZIgnk80mu0MpyE2N5i2zmQpx1iH4JzeOzgyIGjPCpxSHjTJSUuS5E8177vC1zOohsGEts1diE27WfyUM88VQ45lfFmVPwzWmdxLebzQN+Q1XfIswE47VAuB20zOhBCajayA+gd4/WUpUyNzdRp6AkcZgF9g6mH6p0ulzABMR1Kt0J6wmFNuR2rx3WfXW9+TSQ36OzESkQ2WzLM6LFLXUz0NbP4cY1K/0lWMUrq/RBBFFY6dke2v8L4zZcX0klfvjssV9c2UnSzgzvWpG6vUXMHR6bVr+TUwMSp3Qjame5vAd7QFVv8yuOPllo+QQZyRS1LeQnvRma5B7B/da8sdAZCPioKLdVjATKD9vm52y6vSXjmHmvIr7c1usLJylI4JcKDSnCjShgxrobF6pel+uTIHpzcGyGnGEKl/q7RVaZmC2/d+RKxU7WbKbykVBMEFTLCNhk5qXWY61TmYfL/q2g2z6VM/8iAi/5Xw8Nt3yaq1pvgz7OplAkf9LattQZEMHbiIOm8EbseHi27Vr9hOJmwhU1NGM/qawF+N13omsRbirimN5bTuXQveLMRZdeBeiic6fUzeuqBMDJaDp1NfoLopm0MS/BqvWC9+940xIwWzWFVT3QJhfxWMrSqD7Ri2bRCWELGBw4UQwMTxKmwtLX3m5u8HcWi0AtsStNB5Eqeg8GgxLuUJ6K0lUVK9x27zY/yX4j886u0iQd8oeqVgv+P/ln0HYQq1rkfnRNTbHWIYKe0vEZkExAq3QUoFmS7e+IvmjBJfTGfE0SlPc0prwZq98oPWQAtqCQfhbaS11CaHuW4XvMJSus7IXcTHCwY4oWlP60zdTA35LH/VIGWI99xOUXyM12354goElC0m8wzissQdCkbFTY6MdqhRT0k0bnbRDV0RdG5uF8x6ZFLlD1iCETKMO6Zeucu82OisVBwBq0Do4BgsfexGujfVStbf55c0p+8FwnHzOHfgYLHuV2HPdlrPTSDbe2Y1I3e+qIN5wtJj5YbZ1v485ZN6mPZXysVSjevf3z4A0laCmx06Be4r9APkWrUQRx0cNsvBcC6BsEEcP1Bj4o7LO7+L59GJMR4hQgjzaQEoMTu0rBDbQeQJCei2xxNY6p986Y9PWJnzISa13JsxZmmiMukISADGv4jf9Cglqqqpq0dGzwKR26tzFFthUc+1xtXMLAEUpM6bN2Iy13T7Y7o80gw1hK5G9BQV82n+h7FbHcy0B5oKO0/aeCGv+pTdYGu83NuBsFhsGiVKiN4aTRLAnfwAxavwh3/EFP4Pdfs8AMAC706NXRUglFB4iOARZ3xaHERlfmnNMpFZBdMyBelmzCHXLB5qE1z+KfleBP2on6l/AKkX0KKgdngzvJtiIvPytJMz882CmTJp29k1KEnR2nRWAisU0TDhkr1j1cGsoFe791catt5n+ckOvresRZwd1t5aTOBzCX+SIrNVx2jOREiS2LdmkmhUUFMOW/GJMzItIj11bDDjqROA1sFH0UOxxle7D6RrzV5hutHxiJSHW4aIy66Npqa4ict/Dxb7Mmy9BCEEcMsBudh--a32vZ5YpTU0ayqVe--nJ3rwMYkjBcDjZKdW3wyew==
\ No newline at end of file

From a37abd646632f19267853f4ef4ea1ffb05b8fe39 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Mon, 27 Apr 2026 15:12:01 +0100
Subject: [PATCH 104/106] fix: Job arguments to DownloadWorker must be native
 JSON types (not ActiveSupport::HashWithIndifferentAccess)

---
 app/controllers/checklist/downloads_controller.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/controllers/checklist/downloads_controller.rb b/app/controllers/checklist/downloads_controller.rb
index ab6e5be77..dec9a6bff 100644
--- a/app/controllers/checklist/downloads_controller.rb
+++ b/app/controllers/checklist/downloads_controller.rb
@@ -31,9 +31,9 @@ def show
   def create
     @download = Download.create(download_params)
     if download_params[:doc_type] == 'citesidmanual'
-      ManualDownloadWorker.perform_async(@download.id, params.dup.permit!.to_h)
+      ManualDownloadWorker.perform_async(@download.id, params.dup.permit!.to_hash)
     else
-      DownloadWorker.perform_async(@download.id, params.dup.permit!.to_h)
+      DownloadWorker.perform_async(@download.id, params.dup.permit!.to_hash)
     end
 
     @download = @download.attributes.except('filename', 'path')

From cc4ddb4fb6d0609ad5c65f962623097fece2fb40 Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Fri, 1 May 2026 13:57:54 +0100
Subject: [PATCH 105/106] fix: use as_json instead of to_h, to avoid errors
 during serialisation for jobs

---
 app/controllers/admin/quotas_controller.rb        | 2 +-
 app/controllers/checklist/downloads_controller.rb | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/app/controllers/admin/quotas_controller.rb b/app/controllers/admin/quotas_controller.rb
index 5c1e003b5..e8375e4e8 100644
--- a/app/controllers/admin/quotas_controller.rb
+++ b/app/controllers/admin/quotas_controller.rb
@@ -18,7 +18,7 @@ def duplication
   def duplicate
     quota_params = params[:quotas].merge(current_user_id: current_user.id)
 
-    QuotasCopyWorker.perform_async(quota_params.permit!.to_hash)
+    QuotasCopyWorker.perform_async(quota_params.permit!.as_json)
 
     redirect_to admin_quotas_path({ year: params[:quotas][:start_date].split('/')[2] }),
       notice: "Your quotas are being duplicated in the background.
diff --git a/app/controllers/checklist/downloads_controller.rb b/app/controllers/checklist/downloads_controller.rb
index dec9a6bff..6b790a06f 100644
--- a/app/controllers/checklist/downloads_controller.rb
+++ b/app/controllers/checklist/downloads_controller.rb
@@ -30,10 +30,11 @@ def show
   # POST downloads/
   def create
     @download = Download.create(download_params)
+
     if download_params[:doc_type] == 'citesidmanual'
-      ManualDownloadWorker.perform_async(@download.id, params.dup.permit!.to_hash)
+      ManualDownloadWorker.perform_async(@download.id, params.dup.permit!.as_json)
     else
-      DownloadWorker.perform_async(@download.id, params.dup.permit!.to_hash)
+      DownloadWorker.perform_async(@download.id, params.dup.permit!.as_json)
     end
 
     @download = @download.attributes.except('filename', 'path')

From e219183bb4b652a53768f7164639f4893dc979ab Mon Sep 17 00:00:00 2001
From: Daniel Perrett <daniel.perrett@unep-wcmc.org>
Date: Fri, 1 May 2026 16:35:23 +0100
Subject: [PATCH 106/106] fix: another attempt to squash
 ActiveSupport::Duration bug

https://github.com/kenaniah/sidekiq-status/issues/27
---
 config/initializers/sidekiq.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/config/initializers/sidekiq.rb b/config/initializers/sidekiq.rb
index 9fce3c14b..7add07486 100644
--- a/config/initializers/sidekiq.rb
+++ b/config/initializers/sidekiq.rb
@@ -17,13 +17,15 @@
 
 Sidekiq.configure_server do |config|
   config.server_middleware do |chain|
-    chain.add Sidekiq::Status::ServerMiddleware, expiration: 30.minutes
+    chain.add Sidekiq::Status::ServerMiddleware, expiration: 30.minutes.to_i
     chain.add SidekiqUniqueJobs::Middleware::Server
   end
+
   config.client_middleware do |chain|
     chain.add Sidekiq::Status::ClientMiddleware unless Rails.env.test?
     chain.add SidekiqUniqueJobs::Middleware::Client
   end
+
   config.redis = {
     url: ENV.fetch(
       'SAPI_SIDEKIQ_REDIS_URL',