Adds a CANCELLED envelope status that privileged members (owner or team
admin/manager) can move a pending document into. Sending recipient
notifications via a background job while retaining the document in the
dashboard as proof of distribution.
Includes a dedicated Cancelled tab, single and bulk cancel actions,
the ENVELOPE_CANCELLED mutability guard, and e2e coverage for
permissions
and visibility.
Adds Cloud Signature Consortium (CSC) integration for AES/QES signing
against a configured TSP. v1 ships as instance-wide configuration via
environment variables, with per-envelope signature level selection,
license gating, and an OAuth-driven signing flow (capture + FIFO
signers, SAD session, blocking/in-progress recipient pages).
Includes signature level compatibility checks (role, signing order,
dictate next signer), envelope mutability assertions, Prisma migration
for signature level and CSC tables, and docs for the new signing
certificate options.
Replace per-event webhook handlers with a single sync function that
fetches the current state from Stripe and converges the local
subscription, claim, and organisation type.
- Create organisations upfront before checkout, restricted as
"pending payment" until the first payment syncs
- Add rate-limited subscription sync route, triggered on checkout
success so the UI doesn't wait on webhooks
- Surface pending payment state in banner, billing table, and limits
Add a Rejected tab and an Expired pseudo-status tab to the documents
list, and an orthogonal hasExpiredRecipients boolean to the public v2
document and envelope find APIs.
- Add shared hasExpiredRecipient EXISTS predicate (expiresAt in the
past, NOT_SIGNED, role != CC) to find-documents, get-stats and
find-envelopes
- Surface REJECTED in the documents tabs (backend already wired)
- Add EXPIRED extended status: where-clause branches, stats count
(excluded from ALL since it overlaps PENDING), status display
(TimerOff/orange), tabs, and empty-state copy
- Expose hasExpiredRecipients on GET /document and /envelope using an
enum-transform schema to avoid the coerce "false" -> true footgun
- Document that redistributing renews expired signing links
- Add e2e coverage for the expired filter on both endpoints
Reject disposable / throwaway email providers (mailinator, yopmail,
10minutemail, ...) across all signup paths: email/password, Google,
Microsoft, personal OIDC and organisation OIDC. Backed by the
mailchecker package (offline, ~55k domains, subdomain-aware).
Exposes a SIGNUP_DISPOSABLE_EMAIL error code so the signup form and
SSO redirect alert can show a dedicated message instead of the
generic 'signup disabled' one.