Add V2 API routes to download an envelope's certificate and audit log
separately, and align the internal cert/audit log downloads to use
envelopeId.
Enforces document visibility via getEnvelopeWhereInput and loads field
signatures so certificates render correctly.
Adds a CANCELLED envelope status that privileged members (owner or team
admin/manager) can move a pending document into. Sending recipient
notifications via a background job while retaining the document in the
dashboard as proof of distribution.
Includes a dedicated Cancelled tab, single and bulk cancel actions,
the ENVELOPE_CANCELLED mutability guard, and e2e coverage for
permissions
and visibility.
Adds Cloud Signature Consortium (CSC) integration for AES/QES signing
against a configured TSP. v1 ships as instance-wide configuration via
environment variables, with per-envelope signature level selection,
license gating, and an OAuth-driven signing flow (capture + FIFO
signers, SAD session, blocking/in-progress recipient pages).
Includes signature level compatibility checks (role, signing order,
dictate next signer), envelope mutability assertions, Prisma migration
for signature level and CSC tables, and docs for the new signing
certificate options.
- backfill DocumentMeta.includeAuditLog from the effective team/org
setting so documents created before the column keep embedding audit
logs after deploy
- default includeAuditLog in the webhook payload schema so resending
historical WebhookCall payloads stays backward-compatible
- allow audit-log embedding to be changed after a document is sent
(drop the server guards and the editor checkbox lock)
- restore the commented change-detection block in updateEnvelope
Replace per-event webhook handlers with a single sync function that
fetches the current state from Stripe and converges the local
subscription, claim, and organisation type.
- Create organisations upfront before checkout, restricted as
"pending payment" until the first payment syncs
- Add rate-limited subscription sync route, triggered on checkout
success so the UI doesn't wait on webhooks
- Surface pending payment state in banner, billing table, and limits
Reject disposable / throwaway email providers (mailinator, yopmail,
10minutemail, ...) across all signup paths: email/password, Google,
Microsoft, personal OIDC and organisation OIDC. Backed by the
mailchecker package (offline, ~55k domains, subdomain-aware).
Exposes a SIGNUP_DISPOSABLE_EMAIL error code so the signup form and
SSO redirect alert can show a dedicated message instead of the
generic 'signup disabled' one.