chore: extract translations

- **fix: interpolate inviterEmail in invite email mailto link**
- **fix: add alt attributes to email template images**

.env.example

@@ -180,6 +180,20 @@ NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP=
 NEXT_PUBLIC_DISABLE_OIDC_SIGNUP=
 # OPTIONAL: Comma-separated list of email domains allowed to sign up (e.g., example.com,acme.org).
 NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS=
+# OPTIONAL: Set to "true" to disable all signin methods (email, Google, Microsoft, OIDC).
+NEXT_PUBLIC_DISABLE_SIGNIN=
+# OPTIONAL: Set to "true" to disable email/password signin only. Also closes /forgot-password and /reset-password.
+NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN=
+# OPTIONAL: Set to "true" to hide the Google signin button.
+NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN=
+# OPTIONAL: Set to "true" to hide the Microsoft signin button.
+NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN=
+# OPTIONAL: Set to "true" to hide the OIDC signin button.
+NEXT_PUBLIC_DISABLE_OIDC_SIGNIN=
+# OPTIONAL: When OIDC is the only enabled signin transport, /signin auto-redirects
+# to the OIDC provider (rendering only a spinner). Set to "true" to disable this
+# and keep showing the signin page.
+NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT=
 # OPTIONAL: Set to true to use internal webapp url in browserless requests.
 NEXT_PUBLIC_USE_INTERNAL_URL_BROWSERLESS=false
 

apps/docs/content/docs/self-hosting/configuration/environment.mdx

@@ -272,6 +272,12 @@ For detailed certificate setup, see [Signing Certificate](/docs/self-hosting/con
 | `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP`       | Block new accounts via Microsoft. Existing linked users can still sign in           | `false` |
 | `NEXT_PUBLIC_DISABLE_OIDC_SIGNUP`            | Block new accounts via OIDC, including the organisation portal                      | `false` |
 | `NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS`        | Comma-separated list of email domains allowed to sign up (e.g., `example.com,acme.org`) |         |
+| `NEXT_PUBLIC_DISABLE_SIGNIN`                 | Master switch. Disable all signin methods application-wide                          | `false` |
+| `NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN`  | Disable email/password signin. Also closes `/forgot-password` and `/reset-password` | `false` |
+| `NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN`          | Hide the Google signin button                                                       | `false` |
+| `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN`       | Hide the Microsoft signin button                                                    | `false` |
+| `NEXT_PUBLIC_DISABLE_OIDC_SIGNIN`            | Hide the OIDC signin button                                                         | `false` |
+| `NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT`     | Disable the automatic `/signin` redirect when OIDC is the only enabled transport    | `false` |
 | `NEXT_PUBLIC_POSTHOG_KEY`             | PostHog API key for analytics and feature flags                                     |         |
 | `NEXT_PUBLIC_FEATURE_BILLING_ENABLED` | Enable billing features                                                             | `false` |
 
@@ -303,6 +309,44 @@ NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP="true"
 NEXT_PUBLIC_DISABLE_SIGNUP="true"
 ```
 
+### Sign-in Restrictions
+
+You can control which methods are available for users to sign in with the following environment variables:
+
+- **`NEXT_PUBLIC_DISABLE_SIGNIN`** (master switch): Set to `true` to block all signin methods (email/password, Google, Microsoft, OIDC). Hides every signin entry point on `/signin` and rejects email/password signin server-side with a `SIGNIN_DISABLED` error.
+- **`NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN`**: Set to `true` to disable email/password signin only. The email/password form is hidden, the `/forgot-password` and `/reset-password` pages redirect to `/signin`, and the corresponding server endpoints reject requests. SSO signin is unaffected.
+- **`NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN`**, **`NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN`**, **`NEXT_PUBLIC_DISABLE_OIDC_SIGNIN`**: Set to `true` to hide the matching SSO button on the signin page. Useful when an SSO provider is kept configured for account linking but not advertised as a signin entry point.
+
+These flags are opt-in: when none are set, signin behaviour is unchanged from a stock Documenso instance.
+
+```bash
+# Allow only OIDC signin (e.g. enterprise SSO-only)
+NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN="true"
+NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN="true"
+NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN="true"
+
+# Or disable signin entirely
+NEXT_PUBLIC_DISABLE_SIGNIN="true"
+```
+
+### OIDC Auto-redirect
+
+When OIDC is the only enabled signin transport on your instance, `/signin` automatically redirects users straight to the OIDC provider instead of showing the signin form. The page renders a spinner while the redirect happens. No extra configuration is required — disabling every other signin method is enough to trigger it.
+
+- **`NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT`**: Set to `true` to opt out of the automatic redirect and keep rendering the signin page even when OIDC is the only enabled transport.
+
+The redirect only triggers when OIDC is configured and email/password, Google, and Microsoft signin are all disabled. If any other transport remains enabled, the signin form is shown as normal.
+
+```bash
+# OIDC-only signin: disabling all other methods auto-redirects to the provider
+NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN="true"
+NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN="true"
+NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN="true"
+
+# Opt out of the auto-redirect while still OIDC-only
+# NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT="true"
+```
+
 ---
 
 ## AI Features
@@ -446,6 +490,16 @@ NEXT_PRIVATE_SIGNING_PASSPHRASE="your-certificate-password"
 # NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP="true"
 # NEXT_PUBLIC_DISABLE_OIDC_SIGNUP="true"
 # NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS="example.com,acme.org"
+
+# Sign-in restrictions (optional)
+# NEXT_PUBLIC_DISABLE_SIGNIN="true"
+# NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN="true"
+# NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN="true"
+# NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN="true"
+# NEXT_PUBLIC_DISABLE_OIDC_SIGNIN="true"
+
+# Opt out of the automatic OIDC redirect when OIDC is the only enabled transport (optional)
+# NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT="true"
 ```
 
 ---

apps/docs/content/docs/self-hosting/deployment/docker-compose.mdx

@@ -163,6 +163,19 @@ NEXT_PUBLIC_DISABLE_SIGNUP=false
 # NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP=true
 # NEXT_PUBLIC_DISABLE_OIDC_SIGNUP=true
 # NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS=example.com,acme.org
+
+# Signin restrictions (optional)
+# Master switch — disables every signin method
+# NEXT_PUBLIC_DISABLE_SIGNIN=true
+# Per-method switches (optional). Each disables that signin path.
+# NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN=true
+# NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN=true
+# NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN=true
+# NEXT_PUBLIC_DISABLE_OIDC_SIGNIN=true
+
+# When OIDC is the only enabled transport, /signin auto-redirects to the provider.
+# Set this to opt out and keep showing the signin page (optional).
+# NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT=true
 ```
 
 <Callout type="info">Generate secure secrets using: `openssl rand -base64 32`</Callout>

apps/docs/content/docs/self-hosting/deployment/docker.mdx

@@ -112,6 +112,12 @@ See [Email Configuration](/docs/self-hosting/configuration/email) for other tran
 | `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP`      | Block new accounts via Microsoft OAuth                         | `false`                   |
 | `NEXT_PUBLIC_DISABLE_OIDC_SIGNUP`           | Block new accounts via OIDC (incl. organisation portal)        | `false`                   |
 | `NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS`       | Comma-separated list of allowed signup email domains           |                           |
+| `NEXT_PUBLIC_DISABLE_SIGNIN`                | Master switch — disable all signin methods                     | `false`                   |
+| `NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN` | Disable email/password signin only                             | `false`                   |
+| `NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN`         | Hide the Google signin button                                  | `false`                   |
+| `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN`      | Hide the Microsoft signin button                               | `false`                   |
+| `NEXT_PUBLIC_DISABLE_OIDC_SIGNIN`           | Hide the OIDC signin button                                    | `false`                   |
+| `NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT`    | Disable auto-redirect to OIDC when it is the only transport     | `false`                   |
 
 For the complete list, see [Environment Variables](/docs/self-hosting/configuration/environment).
 

apps/docs/content/docs/self-hosting/deployment/railway.mdx

@@ -159,6 +159,12 @@ NEXT_PRIVATE_SMTP_FROM_ADDRESS=noreply@yourdomain.com
 | `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP`| Block new accounts via Microsoft OAuth                 | `false` |
 | `NEXT_PUBLIC_DISABLE_OIDC_SIGNUP`     | Block new accounts via OIDC (incl. organisation portal)| `false` |
 | `NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS` | Comma-separated list of allowed signup email domains   |         |
+| `NEXT_PUBLIC_DISABLE_SIGNIN`          | Master switch — disable all signin methods             | `false` |
+| `NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN` | Disable email/password signin only                     | `false` |
+| `NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN`   | Hide the Google signin button                          | `false` |
+| `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN`| Hide the Microsoft signin button                       | `false` |
+| `NEXT_PUBLIC_DISABLE_OIDC_SIGNIN`     | Hide the OIDC signin button                            | `false` |
+| `NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT` | Disable auto-redirect to OIDC when it is the only transport | `false` |
 | `NEXT_PRIVATE_SIGNING_PASSPHRASE`     | Passphrase for signing certificate                     | -       |
 | `DOCUMENSO_DISABLE_TELEMETRY`     | Disable anonymous telemetry        | `false` |
 

apps/remix/app/components/forms/signin.tsx

@@ -58,6 +58,7 @@ export type TSignInFormSchema = z.infer<typeof ZSignInFormSchema>;
 export type SignInFormProps = {
   className?: string;
   initialEmail?: string;
+  isEmailPasswordSigninEnabled?: boolean;
   isGoogleSSOEnabled?: boolean;
   isMicrosoftSSOEnabled?: boolean;
   isOIDCSSOEnabled?: boolean;
@@ -68,6 +69,7 @@ export type SignInFormProps = {
 export const SignInForm = ({
   className,
   initialEmail,
+  isEmailPasswordSigninEnabled = true,
   isGoogleSSOEnabled,
   isMicrosoftSSOEnabled,
   isOIDCSSOEnabled,
@@ -324,66 +326,78 @@ export const SignInForm = ({
     <Form {...form}>
       <form className={cn('flex w-full flex-col gap-y-4', className)} onSubmit={form.handleSubmit(onFormSubmit)}>
         <fieldset className="flex w-full flex-col gap-y-4" disabled={isSubmitting || isPasskeyLoading}>
-          <FormField
-            control={form.control}
-            name="email"
-            render={({ field }) => (
-              <FormItem>
-                <FormLabel>
-                  <Trans>Email</Trans>
-                </FormLabel>
+          {isEmailPasswordSigninEnabled && (
+            <>
+              <FormField
+                control={form.control}
+                name="email"
+                render={({ field }) => (
+                  <FormItem>
+                    <FormLabel>
+                      <Trans>Email</Trans>
+                    </FormLabel>
 
-                <FormControl>
-                  <Input type="email" {...field} />
-                </FormControl>
+                    <FormControl>
+                      <Input type="email" {...field} />
+                    </FormControl>
 
-                <FormMessage />
-              </FormItem>
-            )}
-          />
+                    <FormMessage />
+                  </FormItem>
+                )}
+              />
 
-          <FormField
-            control={form.control}
-            name="password"
-            render={({ field }) => (
-              <FormItem>
-                <FormLabel>
-                  <Trans>Password</Trans>
-                </FormLabel>
+              <FormField
+                control={form.control}
+                name="password"
+                render={({ field }) => (
+                  <FormItem>
+                    <FormLabel>
+                      <Trans>Password</Trans>
+                    </FormLabel>
 
-                <FormControl>
-                  <PasswordInput {...field} />
-                </FormControl>
+                    <FormControl>
+                      <PasswordInput {...field} />
+                    </FormControl>
 
-                <FormMessage />
+                    <FormMessage />
 
-                <p className="mt-2 text-right">
-                  <Link to="/forgot-password" className="text-muted-foreground text-sm duration-200 hover:opacity-70">
-                    <Trans>Forgot your password?</Trans>
-                  </Link>
-                </p>
-              </FormItem>
-            )}
-          />
+                    <p className="mt-2 text-right">
+                      <Link
+                        to="/forgot-password"
+                        className="text-muted-foreground text-sm duration-200 hover:opacity-70"
+                      >
+                        <Trans>Forgot your password?</Trans>
+                      </Link>
+                    </p>
+                  </FormItem>
+                )}
+              />
 
-          {turnstileSiteKey && !isTwoFactorAuthenticationDialogOpen && (
-            <Turnstile
-              ref={turnstileRef}
-              siteKey={turnstileSiteKey}
-              options={{
-                size: 'flexible',
-                appearance: 'always',
-              }}
-            />
+              {turnstileSiteKey && !isTwoFactorAuthenticationDialogOpen && (
+                <Turnstile
+                  ref={turnstileRef}
+                  siteKey={turnstileSiteKey}
+                  options={{
+                    size: 'flexible',
+                    appearance: 'always',
+                  }}
+                />
+              )}
+
+              <Button
+                type="submit"
+                size="lg"
+                loading={isSubmitting}
+                className="dark:bg-documenso dark:hover:opacity-90"
+              >
+                {isSubmitting ? <Trans>Signing in...</Trans> : <Trans>Sign In</Trans>}
+              </Button>
+            </>
           )}
 
-          <Button type="submit" size="lg" loading={isSubmitting} className="dark:bg-documenso dark:hover:opacity-90">
-            {isSubmitting ? <Trans>Signing in...</Trans> : <Trans>Sign In</Trans>}
-          </Button>
-
           {!isEmbeddedRedirect && (
             <>
-              {hasSocialAuthEnabled && (
+              {isEmailPasswordSigninEnabled && hasSocialAuthEnabled && (
                 <div className="relative flex items-center justify-center gap-x-4 py-2 text-xs uppercase">
                   <div className="h-px flex-1 bg-border" />
                   <span className="bg-transparent text-muted-foreground">

apps/remix/app/components/general/document-signing/document-signing-attachments-popover.tsx

@@ -1,3 +1,4 @@
+import { toSafeHref } from '@documenso/lib/utils/is-http-url';
 import { trpc } from '@documenso/trpc/react';
 import { Button } from '@documenso/ui/primitives/button';
 import { Popover, PopoverContent, PopoverTrigger } from '@documenso/ui/primitives/popover';
@@ -53,7 +54,7 @@ export const DocumentSigningAttachmentsPopover = ({
             {attachments?.data.map((attachment) => (
               <a
                 key={attachment.id}
-                href={attachment.data}
+                href={toSafeHref(attachment.data)}
                 title={attachment.data}
                 target="_blank"
                 rel="noopener noreferrer"

apps/remix/app/components/general/document/document-attachments-popover.tsx

@@ -1,5 +1,6 @@
 import { DO_NOT_INVALIDATE_QUERY_ON_MUTATION } from '@documenso/lib/constants/trpc';
 import { AppError } from '@documenso/lib/errors/app-error';
+import { isHttpUrl, toSafeHref } from '@documenso/lib/utils/is-http-url';
 import { trpc } from '@documenso/trpc/react';
 import { cn } from '@documenso/ui/lib/utils';
 import { Button } from '@documenso/ui/primitives/button';
@@ -24,7 +25,7 @@ export type DocumentAttachmentsPopoverProps = {
 
 const ZAttachmentFormSchema = z.object({
   label: z.string().min(1, 'Label is required'),
-  url: z.string().url('Must be a valid URL'),
+  url: z.string().url('Must be a valid URL').refine(isHttpUrl, 'URL must use the http or https protocol'),
 });
 
 type TAttachmentFormSchema = z.infer<typeof ZAttachmentFormSchema>;
@@ -156,7 +157,7 @@ export const DocumentAttachmentsPopover = ({
                   <div className="min-w-0 flex-1">
                     <p className="truncate font-medium text-sm">{attachment.label}</p>
                     <a
-                      href={attachment.data}
+                      href={toSafeHref(attachment.data)}
                       target="_blank"
                       rel="noopener noreferrer"
                       className="truncate text-muted-foreground text-xs underline hover:text-foreground"

apps/remix/app/components/general/document/embedded-editor-attachment-popover.tsx

@@ -1,5 +1,6 @@
 import { useCurrentEnvelopeEditor } from '@documenso/lib/client-only/providers/envelope-editor-provider';
 import { nanoid } from '@documenso/lib/universal/id';
+import { isHttpUrl, toSafeHref } from '@documenso/lib/utils/is-http-url';
 import { cn } from '@documenso/ui/lib/utils';
 import { Button } from '@documenso/ui/primitives/button';
 import { Form, FormControl, FormField, FormItem, FormMessage } from '@documenso/ui/primitives/form/form';
@@ -22,7 +23,7 @@ export type EmbeddedEditorAttachmentPopoverProps = {
 
 const ZAttachmentFormSchema = z.object({
   label: z.string().min(1, 'Label is required'),
-  url: z.string().url('Must be a valid URL'),
+  url: z.string().url('Must be a valid URL').refine(isHttpUrl, 'URL must use the http or https protocol'),
 });
 
 type TAttachmentFormSchema = z.infer<typeof ZAttachmentFormSchema>;
@@ -117,7 +118,7 @@ export const EmbeddedEditorAttachmentPopover = ({
                   <div className="min-w-0 flex-1">
                     <p className="truncate font-medium text-sm">{attachment.label}</p>
                     <a
-                      href={attachment.data}
+                      href={toSafeHref(attachment.data)}
                       target="_blank"
                       rel="noopener noreferrer"
                       className="truncate text-muted-foreground text-xs underline hover:text-foreground"

apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page-renderer.tsx

@@ -49,6 +49,13 @@ export const EnvelopeEditorFieldsPageRenderer = ({ pageData }: { pageData: PageR
   const [isFieldChanging, setIsFieldChanging] = useState(false);
   const [pendingFieldCreation, setPendingFieldCreation] = useState<Konva.Rect | null>(null);
 
+  /**
+   * Whether the field was automatically selected on creation (drag-drop or marquee).
+   *
+   * We purposefully supress the floating toolbar for newly created fields.
+   */
+  const [isAutoSelectedField, setIsAutoSelectedField] = useState(false);
+
   const { stage, pageLayer, konvaContainer, scaledViewport, unscaledViewport } = usePageRenderer(
     ({ stage, pageLayer }) => createPageCanvas(stage, pageLayer),
     pageData,
@@ -237,10 +244,26 @@ export const EnvelopeEditorFieldsPageRenderer = ({ pageData }: { pageData: PageR
     fieldGroup.off('transformend');
     fieldGroup.off('dragend');
 
-    // Set up field selection.
-    fieldGroup.on('click', () => {
+    // Set up field selection. Shift + click toggles this field in/out of the current
+    // multi-selection, so fields can be added to a group by clicking them --
+    // complementing marquee drag-selection. A plain click (no modifier) selects just
+    // this field.
+    fieldGroup.on('click', (event) => {
       removePendingField();
-      setSelectedFields([fieldGroup]);
+
+      const isMultiSelectModifier = event.evt.shiftKey;
+
+      if (isMultiSelectModifier) {
+        const currentNodes = interactiveTransformer.current?.nodes() ?? [];
+        const isAlreadySelected = currentNodes.includes(fieldGroup);
+
+        setSelectedFields(
+          isAlreadySelected ? currentNodes.filter((node) => node !== fieldGroup) : [...currentNodes, fieldGroup],
+        );
+      } else {
+        setSelectedFields([fieldGroup]);
+      }
+
       pageLayer.current?.batchDraw();
     });
 
@@ -445,43 +468,18 @@ export const EnvelopeEditorFieldsPageRenderer = ({ pageData }: { pageData: PageR
       }
     });
 
-    // Clicks should select/deselect shapes
+    // Clicking empty stage area clears the selection. Field clicks -- including
+    // Shift+click multi-select -- are handled by each field group's own click
+    // handler in `unsafeRenderFieldOnLayer`.
     currentStage.on('click tap', (e) => {
-      // if we are selecting with rect, do nothing
+      // If we are selecting with the marquee rectangle, do nothing.
       if (selectionRectangle.visible() && selectionRectangle.width() > 0 && selectionRectangle.height() > 0) {
         return;
       }
 
-      // If empty area clicked, remove all selections
+      // If empty area clicked, remove all selections.
       if (e.target === stage.current) {
         setSelectedFields([]);
-        return;
-      }
-
-      // Do nothing if field not clicked, or if field is not editable
-      if (!e.target.hasName('field-group') || e.target.draggable() === false) {
-        return;
-      }
-
-      // do we pressed shift or ctrl?
-      const metaPressed = e.evt.shiftKey || e.evt.ctrlKey || e.evt.metaKey;
-      const isSelected = transformer.nodes().indexOf(e.target) >= 0;
-
-      if (!metaPressed && !isSelected) {
-        // if no key pressed and the node is not selected
-        // select just one
-        setSelectedFields([e.target]);
-      } else if (metaPressed && isSelected) {
-        // if we pressed keys and node was selected
-        // we need to remove it from selection:
-        const nodes = transformer.nodes().slice(); // use slice to have new copy of array
-        // remove node from array
-        nodes.splice(nodes.indexOf(e.target), 1);
-        setSelectedFields(nodes);
-      } else if (metaPressed && !isSelected) {
-        // add the node into selection
-        const nodes = transformer.nodes().concat([e.target]);
-        setSelectedFields(nodes);
       }
     });
 
@@ -521,13 +519,48 @@ export const EnvelopeEditorFieldsPageRenderer = ({ pageData }: { pageData: PageR
       setSelectedFields(liveSelectedFieldGroups);
     }
 
+    // Mirror the editor's single selected field onto the canvas (Konva) selection.
+    //
+    // `addField` already marks a newly created field as the selected field, so this
+    // makes a field placed via the palette (drag-drop) or marquee creation show its
+    // resize handles immediately -- no second click needed. It also clears the canvas
+    // selection when the selected field is cleared (e.g. when the author starts
+    // placing another field), so the floating action toolbar can't intercept the next
+    // placement click. Runs after the render loop above so the field's group exists.
+    const selectedFormId = editorFields.selectedField?.formId ?? null;
+    const isSingleCanvasSelection = selectedKonvaFieldGroups.length === 1;
+
+    if (selectedFormId && localPageFields.some((field) => field.formId === selectedFormId)) {
+      const isAlreadySelected = isSingleCanvasSelection && selectedKonvaFieldGroups[0].id() === selectedFormId;
+
+      if (!isAlreadySelected) {
+        const fieldGroupToSelect = pageLayer.current.findOne(`#${selectedFormId}`);
+
+        if (fieldGroupToSelect instanceof Konva.Group) {
+          setSelectedFields([fieldGroupToSelect], { isAutoSelect: true });
+        }
+      }
+    } else if (selectedFormId === null && isSingleCanvasSelection) {
+      setSelectedFields([]);
+    }
+
     // Rerender the transformer
     interactiveTransformer.current?.forceUpdate();
 
     pageLayer.current.batchDraw();
-  }, [localPageFields, selectedKonvaFieldGroups, overlappingFieldFormIds, isFieldChanging]);
+  }, [
+    localPageFields,
+    selectedKonvaFieldGroups,
+    overlappingFieldFormIds,
+    isFieldChanging,
+    editorFields.selectedField?.formId,
+  ]);
+
+  const setSelectedFields = (nodes: Konva.Node[], options?: { isAutoSelect?: boolean }) => {
+    // Any explicit (user-driven) selection shows the action toolbar; only auto-selection
+    // on field creation suppresses it.
+    setIsAutoSelectedField(Boolean(options?.isAutoSelect));
 
-  const setSelectedFields = (nodes: Konva.Node[]) => {
     // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
     const fieldGroups = nodes.filter(
       (node) => node.hasName('field-group') && Boolean(node.getStage()) && Boolean(node.getParent()),
@@ -663,25 +696,30 @@ export const EnvelopeEditorFieldsPageRenderer = ({ pageData }: { pageData: PageR
 
   return (
     <>
-      {selectedKonvaFieldGroups.length > 0 && interactiveTransformer.current && !isFieldChanging && (
-        <FieldActionButtons
-          handleDuplicateSelectedFields={duplicatedSelectedFields}
-          handleDuplicateSelectedFieldsOnAllPages={duplicatedSelectedFieldsOnAllPages}
-          handleDeleteSelectedFields={deletedSelectedFields}
-          handleChangeRecipient={changeSelectedFieldsRecipients}
-          handleChangeFieldType={changeSelectedFieldsType}
-          selectedFieldFormId={selectedKonvaFieldGroups.map((field) => field.id())}
-          style={{
-            position: 'absolute',
-            top: interactiveTransformer.current.y() + interactiveTransformer.current.getClientRect().height + 5 + 'px',
-            left: interactiveTransformer.current.x() + interactiveTransformer.current.getClientRect().width / 2 + 'px',
-            transform: 'translateX(-50%)',
-            gap: '8px',
-            pointerEvents: 'auto',
-            zIndex: 50,
-          }}
-        />
-      )}
+      {selectedKonvaFieldGroups.length > 0 &&
+        interactiveTransformer.current &&
+        !isFieldChanging &&
+        !isAutoSelectedField && (
+          <FieldActionButtons
+            handleDuplicateSelectedFields={duplicatedSelectedFields}
+            handleDuplicateSelectedFieldsOnAllPages={duplicatedSelectedFieldsOnAllPages}
+            handleDeleteSelectedFields={deletedSelectedFields}
+            handleChangeRecipient={changeSelectedFieldsRecipients}
+            handleChangeFieldType={changeSelectedFieldsType}
+            selectedFieldFormId={selectedKonvaFieldGroups.map((field) => field.id())}
+            style={{
+              position: 'absolute',
+              top:
+                interactiveTransformer.current.y() + interactiveTransformer.current.getClientRect().height + 5 + 'px',
+              left:
+                interactiveTransformer.current.x() + interactiveTransformer.current.getClientRect().width / 2 + 'px',
+              transform: 'translateX(-50%)',
+              gap: '8px',
+              pointerEvents: 'auto',
+              zIndex: 50,
+            }}
+          />
+        )}
 
       {pendingFieldCreation && (
         <div

apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx

@@ -1,14 +1,17 @@
 import { useCurrentOrganisation } from '@documenso/lib/client-only/providers/organisation';
 import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
 import { putFile } from '@documenso/lib/universal/upload/put-file';
+import { canExecuteOrganisationAction } from '@documenso/lib/utils/organisations';
 import type { SanitizeBrandingCssWarning } from '@documenso/lib/utils/sanitize-branding-css';
 import { trpc } from '@documenso/trpc/react';
 import { Alert, AlertDescription, AlertTitle } from '@documenso/ui/primitives/alert';
+import { Button } from '@documenso/ui/primitives/button';
 import { useToast } from '@documenso/ui/primitives/use-toast';
 import { plural } from '@lingui/core/macro';
 import { Trans, useLingui } from '@lingui/react/macro';
 import { Loader } from 'lucide-react';
 import { useState } from 'react';
+import { Link } from 'react-router';
 
 import {
   BrandingPreferencesForm,
@@ -36,6 +39,8 @@ export default function TeamsSettingsPage() {
 
   const { mutateAsync: updateTeamSettings } = trpc.team.settings.update.useMutation();
 
+  const canConfigureBranding = organisation.organisationClaim.flags.allowCustomBranding || !IS_BILLING_ENABLED();
+
   const canCustomBranding =
     organisation.organisationClaim.flags.embedSigningWhiteLabel === true || !IS_BILLING_ENABLED();
 
@@ -112,39 +117,61 @@ export default function TeamsSettingsPage() {
         subtitle={t`Here you can set preferences and defaults for branding.`}
       />
 
-      <section>
-        <BrandingPreferencesForm
-          canInherit={true}
-          hasAdvancedBranding={canCustomBranding}
-          context="Team"
-          settings={teamWithSettings.teamSettings}
-          onFormSubmit={onBrandingPreferencesFormSubmit}
-        />
+      {canConfigureBranding ? (
+        <section>
+          <BrandingPreferencesForm
+            canInherit={true}
+            hasAdvancedBranding={canCustomBranding}
+            context="Team"
+            settings={teamWithSettings.teamSettings}
+            onFormSubmit={onBrandingPreferencesFormSubmit}
+          />
 
-        {cssWarnings.length > 0 && (
-          <Alert variant="warning" className="mt-6">
+          {cssWarnings.length > 0 && (
+            <Alert variant="warning" className="mt-6">
+              <AlertTitle>
+                <Trans>CSS rules were dropped during sanitisation</Trans>
+              </AlertTitle>
+
+              <AlertDescription>
+                <ul className="list-disc pl-5">
+                  {cssWarnings.map((warning, index) => (
+                    <li key={index}>
+                      {warning.detail}
+                      {warning.line !== undefined && (
+                        <span className="text-muted-foreground">
+                          {' '}
+                          <Trans>(line {warning.line})</Trans>
+                        </span>
+                      )}
+                    </li>
+                  ))}
+                </ul>
+              </AlertDescription>
+            </Alert>
+          )}
+        </section>
+      ) : (
+        <Alert className="mt-8 flex flex-col justify-between p-6 sm:flex-row sm:items-center" variant="neutral">
+          <div className="mb-4 sm:mb-0">
             <AlertTitle>
-              <Trans>CSS rules were dropped during sanitisation</Trans>
+              <Trans>Branding Preferences</Trans>
             </AlertTitle>
 
-            <AlertDescription>
-              <ul className="list-disc pl-5">
-                {cssWarnings.map((warning, index) => (
-                  <li key={index}>
-                    {warning.detail}
-                    {warning.line !== undefined && (
-                      <span className="text-muted-foreground">
-                        {' '}
-                        <Trans>(line {warning.line})</Trans>
-                      </span>
-                    )}
-                  </li>
-                ))}
-              </ul>
+            <AlertDescription className="mr-2">
+              <Trans>Currently branding can only be configured for Teams and above plans.</Trans>
             </AlertDescription>
-          </Alert>
-        )}
-      </section>
+          </div>
+
+          {canExecuteOrganisationAction('MANAGE_BILLING', organisation.currentOrganisationRole) && (
+            <Button asChild variant="outline">
+              <Link to={`/o/${organisation.url}/settings/billing`}>
+                <Trans>Update Billing</Trans>
+              </Link>
+            </Button>
+          )}
+        </Alert>
+      )}
     </div>
   );
 }

apps/remix/app/routes/_unauthenticated+/forgot-password.tsx

@@ -1,6 +1,7 @@
+import { isSigninEnabledForProvider } from '@documenso/lib/constants/auth';
 import { msg } from '@lingui/core/macro';
 import { Trans } from '@lingui/react/macro';
-import { Link } from 'react-router';
+import { Link, redirect } from 'react-router';
 
 import { ForgotPasswordForm } from '~/components/forms/forgot-password';
 import { appMetaTags } from '~/utils/meta';
@@ -9,6 +10,14 @@ export function meta() {
   return appMetaTags(msg`Forgot Password`);
 }
 
+export async function loader() {
+  if (!isSigninEnabledForProvider('email')) {
+    throw redirect('/signin');
+  }
+
+  return null;
+}
+
 export default function ForgotPasswordPage() {
   return (
     <div className="w-screen max-w-lg px-4">

apps/remix/app/routes/_unauthenticated+/reset-password.$token.tsx

@@ -1,3 +1,4 @@
+import { isSigninEnabledForProvider } from '@documenso/lib/constants/auth';
 import { getResetTokenValidity } from '@documenso/lib/server-only/user/get-reset-token-validity';
 import { msg } from '@lingui/core/macro';
 import { Trans } from '@lingui/react/macro';
@@ -13,6 +14,10 @@ export function meta() {
 }
 
 export async function loader({ params }: Route.LoaderArgs) {
+  if (!isSigninEnabledForProvider('email')) {
+    throw redirect('/signin');
+  }
+
   const { token } = params;
 
   const isValid = await getResetTokenValidity({ token });

apps/remix/app/routes/_unauthenticated+/reset-password._index.tsx

@@ -1,7 +1,8 @@
+import { isSigninEnabledForProvider } from '@documenso/lib/constants/auth';
 import { Button } from '@documenso/ui/primitives/button';
 import { msg } from '@lingui/core/macro';
 import { Trans } from '@lingui/react/macro';
-import { Link } from 'react-router';
+import { Link, redirect } from 'react-router';
 
 import { appMetaTags } from '~/utils/meta';
 
@@ -9,6 +10,14 @@ export function meta() {
   return appMetaTags(msg`Reset Password`);
 }
 
+export async function loader() {
+  if (!isSigninEnabledForProvider('email')) {
+    throw redirect('/signin');
+  }
+
+  return null;
+}
+
 export default function ResetPasswordPage() {
   return (
     <div className="w-screen max-w-lg px-4">

apps/remix/app/routes/_unauthenticated+/signin.tsx

@@ -1,8 +1,11 @@
+import { authClient } from '@documenso/auth/client';
 import { getOptionalSession } from '@documenso/auth/server/lib/utils/get-session';
 import {
   IS_GOOGLE_SSO_ENABLED,
   IS_MICROSOFT_SSO_ENABLED,
+  IS_OIDC_AUTO_REDIRECT_DISABLED,
   IS_OIDC_SSO_ENABLED,
+  isSigninEnabledForProvider,
   isSignupEnabledForProvider,
   OIDC_PROVIDER_LABEL,
 } from '@documenso/lib/constants/auth';
@@ -11,6 +14,7 @@ import { Alert, AlertDescription } from '@documenso/ui/primitives/alert';
 import { msg } from '@lingui/core/macro';
 import { useLingui } from '@lingui/react';
 import { Trans } from '@lingui/react/macro';
+import { Loader2Icon } from 'lucide-react';
 import { useEffect, useState } from 'react';
 import { Link, redirect, useSearchParams } from 'react-router';
 
@@ -28,10 +32,20 @@ export async function loader({ request }: Route.LoaderArgs) {
   const { isAuthenticated } = await getOptionalSession(request);
 
   // SSR env variables.
-  const isGoogleSSOEnabled = IS_GOOGLE_SSO_ENABLED;
-  const isMicrosoftSSOEnabled = IS_MICROSOFT_SSO_ENABLED;
-  const isOIDCSSOEnabled = IS_OIDC_SSO_ENABLED;
+  const isEmailPasswordSigninEnabled = isSigninEnabledForProvider('email');
+  const isGoogleSSOEnabled = IS_GOOGLE_SSO_ENABLED && isSigninEnabledForProvider('google');
+  const isMicrosoftSSOEnabled = IS_MICROSOFT_SSO_ENABLED && isSigninEnabledForProvider('microsoft');
+  const isOIDCSSOEnabled = IS_OIDC_SSO_ENABLED && isSigninEnabledForProvider('oidc');
+
+  // Automatically redirect to OIDC when it is the only enabled signin transport,
+  // unless the redirect has been explicitly disabled via env.
+  const isOIDCOnlyTransport =
+    isOIDCSSOEnabled && !isEmailPasswordSigninEnabled && !isGoogleSSOEnabled && !isMicrosoftSSOEnabled;
+
+  const shouldAutoRedirectToOIDC = isOIDCOnlyTransport && !IS_OIDC_AUTO_REDIRECT_DISABLED;
+
   const oidcProviderLabel = OIDC_PROVIDER_LABEL;
+
   const isSignupEnabled =
     isSignupEnabledForProvider('email') ||
     (IS_GOOGLE_SSO_ENABLED && isSignupEnabledForProvider('google')) ||
@@ -47,18 +61,28 @@ export async function loader({ request }: Route.LoaderArgs) {
   }
 
   return {
+    isEmailPasswordSigninEnabled,
     isGoogleSSOEnabled,
     isMicrosoftSSOEnabled,
     isOIDCSSOEnabled,
     isSignupEnabled,
     oidcProviderLabel,
     returnTo,
+    shouldAutoRedirectToOIDC,
   };
 }
 
 export default function SignIn({ loaderData }: Route.ComponentProps) {
-  const { isGoogleSSOEnabled, isMicrosoftSSOEnabled, isOIDCSSOEnabled, isSignupEnabled, oidcProviderLabel, returnTo } =
-    loaderData;
+  const {
+    isEmailPasswordSigninEnabled,
+    isGoogleSSOEnabled,
+    isMicrosoftSSOEnabled,
+    isOIDCSSOEnabled,
+    isSignupEnabled,
+    oidcProviderLabel,
+    returnTo,
+    shouldAutoRedirectToOIDC,
+  } = loaderData;
 
   const { _ } = useLingui();
 
@@ -76,6 +100,27 @@ export default function SignIn({ loaderData }: Route.ComponentProps) {
     setIsEmbeddedRedirect(params.get('embedded') === 'true');
   }, []);
 
+  useEffect(() => {
+    if (!shouldAutoRedirectToOIDC) {
+      return;
+    }
+
+    void authClient.oidc.signIn({ redirectPath: returnTo ?? '/' });
+  }, [shouldAutoRedirectToOIDC, returnTo]);
+
+  if (shouldAutoRedirectToOIDC) {
+    return (
+      <div className="w-screen max-w-lg px-4">
+        <div className="flex flex-col items-center justify-center gap-y-4 py-12">
+          <Loader2Icon className="h-8 w-8 animate-spin text-muted-foreground" />
+          <p className="text-muted-foreground text-sm">
+            <Trans>Redirecting to {oidcProviderLabel || 'OIDC'}...</Trans>
+          </p>
+        </div>
+      </div>
+    );
+  }
+
   return (
     <div className="w-screen max-w-lg px-4">
       <div className="z-10 rounded-xl border border-border bg-neutral-100 p-6 dark:bg-background">
@@ -95,6 +140,7 @@ export default function SignIn({ loaderData }: Route.ComponentProps) {
         <hr className="-mx-6 my-4" />
 
         <SignInForm
+          isEmailPasswordSigninEnabled={isEmailPasswordSigninEnabled}
           isGoogleSSOEnabled={isGoogleSSOEnabled}
           isMicrosoftSSOEnabled={isMicrosoftSSOEnabled}
           isOIDCSSOEnabled={isOIDCSSOEnabled}

docker/production/compose.yml

@@ -64,6 +64,12 @@ services:
       - NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP=${NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP}
       - NEXT_PUBLIC_DISABLE_OIDC_SIGNUP=${NEXT_PUBLIC_DISABLE_OIDC_SIGNUP}
       - NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS=${NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS}
+      - NEXT_PUBLIC_DISABLE_SIGNIN=${NEXT_PUBLIC_DISABLE_SIGNIN}
+      - NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN=${NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN}
+      - NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN=${NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN}
+      - NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN=${NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN}
+      - NEXT_PUBLIC_DISABLE_OIDC_SIGNIN=${NEXT_PUBLIC_DISABLE_OIDC_SIGNIN}
+      - NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT=${NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT}
       - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH=${NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH:-/opt/documenso/cert.p12}
       - NEXT_PRIVATE_SIGNING_PASSPHRASE=${NEXT_PRIVATE_SIGNING_PASSPHRASE}
       - NEXT_PUBLIC_USE_INTERNAL_URL_BROWSERLESS=${NEXT_PUBLIC_USE_INTERNAL_URL_BROWSERLESS}

packages/app-tests/e2e/documents/document-visibility-access.spec.ts

@@ -0,0 +1,89 @@
+import { cancelDocument } from '@documenso/lib/server-only/document/cancel-document';
+import { deleteDocument } from '@documenso/lib/server-only/document/delete-document';
+import { getEnvelopeWhereInput } from '@documenso/lib/server-only/envelope/get-envelope-by-id';
+import { prisma } from '@documenso/prisma';
+import { DocumentStatus, DocumentVisibility, TeamMemberRole } from '@documenso/prisma/client';
+import { seedBlankDocument } from '@documenso/prisma/seed/documents';
+import { seedTeamMember } from '@documenso/prisma/seed/teams';
+import { seedUser } from '@documenso/prisma/seed/users';
+import { expect, test } from '@playwright/test';
+
+const requestMetadata = {
+  auth: null,
+  requestMetadata: {},
+  source: 'app' as const,
+};
+
+test.describe.configure({ mode: 'parallel' });
+
+const canReadEnvelope = async (envelopeId: string, userId: number, teamId: number) => {
+  try {
+    await getEnvelopeWhereInput({
+      id: { type: 'envelopeId', id: envelopeId },
+      userId,
+      teamId,
+      type: null,
+    }).then(({ envelopeWhereInput }) => prisma.envelope.findFirstOrThrow({ where: envelopeWhereInput }));
+
+    return true;
+  } catch {
+    return false;
+  }
+};
+
+test('[DOCUMENTS]: a member cannot delete a document with restricted visibility', async () => {
+  const { user: owner, team } = await seedUser();
+  const member = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MEMBER });
+
+  const envelope = await seedBlankDocument(owner, team.id, {
+    createDocumentOptions: {
+      visibility: DocumentVisibility.ADMIN,
+      status: DocumentStatus.DRAFT,
+    },
+  });
+
+  // The member cannot read an ADMIN-visibility document, so they must not be
+  // able to delete it either.
+  expect(await canReadEnvelope(envelope.id, member.id, team.id)).toBe(false);
+
+  await expect(
+    deleteDocument({
+      id: { type: 'envelopeId', id: envelope.id },
+      userId: member.id,
+      teamId: team.id,
+      requestMetadata,
+    }),
+  ).rejects.toThrow();
+
+  const stillExists = await prisma.envelope.findUnique({ where: { id: envelope.id } });
+  expect(stillExists).not.toBeNull();
+});
+
+test('[DOCUMENTS]: a manager cannot cancel a document with restricted visibility', async () => {
+  const { user: owner, team } = await seedUser();
+  const manager = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MANAGER });
+
+  const envelope = await seedBlankDocument(owner, team.id, {
+    createDocumentOptions: {
+      visibility: DocumentVisibility.ADMIN,
+      status: DocumentStatus.PENDING,
+    },
+  });
+
+  // A manager outranks a member but still cannot read an ADMIN-visibility
+  // document, so cancellation must be blocked despite the sufficient role.
+  expect(await canReadEnvelope(envelope.id, manager.id, team.id)).toBe(false);
+
+  await expect(
+    cancelDocument({
+      id: { type: 'envelopeId', id: envelope.id },
+      userId: manager.id,
+      teamId: team.id,
+      reason: 'test-cancel',
+      requestMetadata,
+    }),
+  ).rejects.toThrow();
+
+  const after = await prisma.envelope.findUnique({ where: { id: envelope.id } });
+  expect(after?.status).toBe(DocumentStatus.PENDING);
+});

packages/app-tests/e2e/envelope-editor-v2/attachment-url-validation.spec.ts

@@ -0,0 +1,70 @@
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { hashString } from '@documenso/lib/server-only/auth/hash';
+import { alphaid } from '@documenso/lib/universal/id';
+import { prisma } from '@documenso/prisma';
+import { seedBlankDocument } from '@documenso/prisma/seed/documents';
+import { seedTeam } from '@documenso/prisma/seed/teams';
+import { expect, test } from '@playwright/test';
+
+const WEBAPP_BASE_URL = NEXT_PUBLIC_WEBAPP_URL();
+const API_BASE_URL = `${WEBAPP_BASE_URL}/api/v2-beta`;
+
+test.describe.configure({ mode: 'parallel' });
+
+const seedApiTokenForUser = async ({ userId, teamId }: { userId: number; teamId: number }) => {
+  const token = `api_${alphaid(16)}`;
+
+  await prisma.apiToken.create({
+    data: { name: 'attachment-url-test', token: hashString(token), expires: null, userId, teamId },
+  });
+
+  return { token };
+};
+
+/**
+ * Attachment URLs are rendered as link hrefs, so they must be restricted to
+ * http(s). The API must reject any other scheme.
+ */
+const NON_HTTP_URLS = [
+  'javascript:alert(document.cookie)',
+  'data:text/html,<script>alert(1)</script>',
+  'vbscript:msgbox(1)',
+  'file:///etc/passwd',
+];
+
+test('[ATTACHMENTS]: rejects attachment URLs with a non-http(s) protocol', async ({ request }) => {
+  const { team, owner } = await seedTeam();
+  const { token } = await seedApiTokenForUser({ userId: owner.id, teamId: team.id });
+
+  const envelope = await seedBlankDocument(owner, team.id);
+
+  for (const url of NON_HTTP_URLS) {
+    const res = await request.post(`${API_BASE_URL}/envelope/attachment/create`, {
+      headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
+      data: { envelopeId: envelope.id, data: { label: 'attachment', data: url } },
+    });
+
+    expect(res.ok(), `expected ${url} to be rejected`).toBe(false);
+  }
+
+  const attachments = await prisma.envelopeAttachment.findMany({ where: { envelopeId: envelope.id } });
+  expect(attachments).toHaveLength(0);
+});
+
+test('[ATTACHMENTS]: accepts attachment URLs with an http(s) protocol', async ({ request }) => {
+  const { team, owner } = await seedTeam();
+  const { token } = await seedApiTokenForUser({ userId: owner.id, teamId: team.id });
+
+  const envelope = await seedBlankDocument(owner, team.id);
+
+  const res = await request.post(`${API_BASE_URL}/envelope/attachment/create`, {
+    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
+    data: { envelopeId: envelope.id, data: { label: 'safe', data: 'https://example.com/file.pdf' } },
+  });
+
+  expect(res.ok()).toBe(true);
+
+  const attachments = await prisma.envelopeAttachment.findMany({ where: { envelopeId: envelope.id } });
+  expect(attachments).toHaveLength(1);
+  expect(attachments[0].data).toBe('https://example.com/file.pdf');
+});

packages/app-tests/e2e/envelope-editor-v2/attachment-visibility-access.spec.ts

@@ -0,0 +1,121 @@
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { hashString } from '@documenso/lib/server-only/auth/hash';
+import { alphaid } from '@documenso/lib/universal/id';
+import { prisma } from '@documenso/prisma';
+import { DocumentVisibility, TeamMemberRole } from '@documenso/prisma/client';
+import { seedBlankDocument } from '@documenso/prisma/seed/documents';
+import { seedTeam, seedTeamMember } from '@documenso/prisma/seed/teams';
+import { type APIRequestContext, expect, test } from '@playwright/test';
+
+const WEBAPP_BASE_URL = NEXT_PUBLIC_WEBAPP_URL();
+const API_BASE_URL = `${WEBAPP_BASE_URL}/api/v2-beta`;
+
+test.describe.configure({ mode: 'parallel' });
+
+const seedApiTokenForUser = async ({ userId, teamId }: { userId: number; teamId: number }) => {
+  const token = `api_${alphaid(16)}`;
+
+  await prisma.apiToken.create({
+    data: { name: 'attachment-access-test', token: hashString(token), expires: null, userId, teamId },
+  });
+
+  return { token };
+};
+
+const canReadEnvelope = async (request: APIRequestContext, token: string, envelopeId: string) => {
+  const res = await request.get(`${API_BASE_URL}/envelope/${envelopeId}`, {
+    headers: { Authorization: `Bearer ${token}` },
+  });
+
+  return res.ok();
+};
+
+/**
+ * Attachment create/update/delete/list must enforce document visibility, not
+ * just team membership. A member whose visibility tier excludes a restricted
+ * envelope must not be able to read or mutate its attachments.
+ */
+test('[ATTACHMENTS]: a member cannot create or delete attachments on a restricted document', async ({ request }) => {
+  const { team, owner } = await seedTeam();
+  const member = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MEMBER });
+
+  const { token: memberToken } = await seedApiTokenForUser({ userId: member.id, teamId: team.id });
+
+  const envelope = await seedBlankDocument(owner, team.id, {
+    createDocumentOptions: { visibility: DocumentVisibility.ADMIN },
+  });
+
+  expect(await canReadEnvelope(request, memberToken, envelope.id)).toBe(false);
+
+  const createRes = await request.post(`${API_BASE_URL}/envelope/attachment/create`, {
+    headers: { Authorization: `Bearer ${memberToken}`, 'Content-Type': 'application/json' },
+    data: { envelopeId: envelope.id, data: { label: 'attachment', data: 'https://example.com' } },
+  });
+
+  expect(createRes.ok()).toBe(false);
+
+  // No attachment should have been created.
+  const attachments = await prisma.envelopeAttachment.findMany({ where: { envelopeId: envelope.id } });
+  expect(attachments).toHaveLength(0);
+});
+
+test('[ATTACHMENTS]: a member cannot update an attachment on a restricted document', async ({ request }) => {
+  const { team, owner } = await seedTeam();
+  const member = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MEMBER });
+
+  const { token: ownerToken } = await seedApiTokenForUser({ userId: owner.id, teamId: team.id });
+  const { token: memberToken } = await seedApiTokenForUser({ userId: member.id, teamId: team.id });
+
+  const envelope = await seedBlankDocument(owner, team.id, {
+    createDocumentOptions: { visibility: DocumentVisibility.ADMIN },
+  });
+
+  // The owner (who can see the document) creates the attachment.
+  const createRes = await request.post(`${API_BASE_URL}/envelope/attachment/create`, {
+    headers: { Authorization: `Bearer ${ownerToken}`, 'Content-Type': 'application/json' },
+    data: { envelopeId: envelope.id, data: { label: 'original', data: 'https://example.com/original' } },
+  });
+  expect(createRes.ok()).toBe(true);
+  const attachment = await createRes.json();
+
+  expect(await canReadEnvelope(request, memberToken, envelope.id)).toBe(false);
+
+  const updateRes = await request.post(`${API_BASE_URL}/envelope/attachment/update`, {
+    headers: { Authorization: `Bearer ${memberToken}`, 'Content-Type': 'application/json' },
+    data: { id: attachment.id, data: { label: 'tampered', data: 'https://example.com/tampered' } },
+  });
+
+  expect(updateRes.ok()).toBe(false);
+
+  const persisted = await prisma.envelopeAttachment.findUnique({ where: { id: attachment.id } });
+  expect(persisted?.label).toBe('original');
+});
+
+test('[ATTACHMENTS]: a member cannot list attachments on a restricted document', async ({ request }) => {
+  const { team, owner } = await seedTeam();
+  const member = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MEMBER });
+
+  const { token: ownerToken } = await seedApiTokenForUser({ userId: owner.id, teamId: team.id });
+  const { token: memberToken } = await seedApiTokenForUser({ userId: member.id, teamId: team.id });
+
+  const envelope = await seedBlankDocument(owner, team.id, {
+    createDocumentOptions: { visibility: DocumentVisibility.ADMIN },
+  });
+
+  await request.post(`${API_BASE_URL}/envelope/attachment/create`, {
+    headers: { Authorization: `Bearer ${ownerToken}`, 'Content-Type': 'application/json' },
+    data: { envelopeId: envelope.id, data: { label: 'restricted', data: 'https://example.com/restricted' } },
+  });
+
+  expect(await canReadEnvelope(request, memberToken, envelope.id)).toBe(false);
+
+  const findRes = await request.get(`${API_BASE_URL}/envelope/attachment?envelopeId=${envelope.id}`, {
+    headers: { Authorization: `Bearer ${memberToken}` },
+  });
+
+  expect(findRes.ok()).toBe(false);
+
+  const body = findRes.ok() ? await findRes.json() : null;
+  const attachments = body?.data ?? [];
+  expect(attachments).toHaveLength(0);
+});

packages/app-tests/e2e/envelope-editor-v2/envelope-fields.spec.ts

@@ -20,7 +20,7 @@ import {
   type TEnvelopeEditorSurface,
 } from '../fixtures/envelope-editor';
 import { expectToastTextToBeVisible } from '../fixtures/generic';
-import { getKonvaElementCountForPage } from '../fixtures/konva';
+import { getKonvaElementCountForPage, getKonvaTransformerNodeCountForPage } from '../fixtures/konva';
 
 type TFieldFlowResult = {
   externalId: string;
@@ -46,6 +46,7 @@ const updateExternalId = async (surface: TEnvelopeEditorSurface, externalId: str
 
   if (!surface.isEmbedded) {
     await expectToastTextToBeVisible(surface.root, 'Envelope updated');
+    await surface.root.getByTestId('toast-close').click();
   }
 };
 
@@ -98,6 +99,17 @@ const selectFieldOnCanvas = async (root: Page, position: { x: number; y: number
   await canvas.click({ position, force: true });
 };
 
+/**
+ * Shift+click a field on the canvas to toggle it in/out of the current multi-selection.
+ */
+const shiftClickFieldOnCanvas = async (root: Page, position: { x: number; y: number }) => {
+  const canvas = root.locator('.konva-container canvas').first();
+  await expect(canvas).toBeVisible();
+  await root.waitForTimeout(300);
+  // Use force:true to bypass any floating action toolbar buttons that may intercept clicks.
+  await canvas.click({ position, modifiers: ['Shift'], force: true });
+};
+
 const runAddAndPersistSignatureTextFields = async (surface: TEnvelopeEditorSurface): Promise<TFieldFlowResult> => {
   const externalId = `e2e-fields-${nanoid()}`;
 
@@ -760,9 +772,106 @@ const assertChangeFieldTypePersistedInDatabase = async ({
   expect(actualMetaTypes).toEqual(['date', 'date']);
 };
 
+// --- Shift+click multi-select flow ---
+
+type TShiftClickFlowResult = {
+  externalId: string;
+};
+
+const SHIFT_CLICK_FIELD_POSITIONS = {
+  signature: { x: 150, y: 120 },
+  text: { x: 150, y: 260 },
+  name: { x: 150, y: 400 },
+};
+
+const runShiftClickMultiSelectFlow = async (surface: TEnvelopeEditorSurface): Promise<TShiftClickFlowResult> => {
+  const externalId = `e2e-shift-click-${nanoid()}`;
+  const root = surface.root;
+
+  if (surface.isEmbedded && !surface.envelopeId) {
+    await addEnvelopeItemPdf(root, 'embedded-fields.pdf');
+  }
+
+  await updateExternalId(surface, externalId);
+  await setupRecipientsForFieldPlacement(surface);
+
+  await clickEnvelopeEditorStep(root, 'addFields');
+  await expect(root.locator('.konva-container canvas').first()).toBeVisible();
+
+  // Place three fields, spaced far enough apart that their action toolbars don't
+  // overlap a neighbouring field's click target.
+  await placeFieldOnPdf(root, 'Signature', SHIFT_CLICK_FIELD_POSITIONS.signature);
+  await placeFieldOnPdf(root, 'Text', SHIFT_CLICK_FIELD_POSITIONS.text);
+  await placeFieldOnPdf(root, 'Name', SHIFT_CLICK_FIELD_POSITIONS.name);
+  expect(await getKonvaElementCountForPage(root, 1, '.field-group')).toBe(3);
+
+  // A plain click selects exactly one field.
+  await selectFieldOnCanvas(root, SHIFT_CLICK_FIELD_POSITIONS.signature);
+  await expect.poll(() => getKonvaTransformerNodeCountForPage(root, 1)).toBe(1);
+
+  // Shift+click a second field ADDS it to the selection (the new behaviour).
+  await shiftClickFieldOnCanvas(root, SHIFT_CLICK_FIELD_POSITIONS.text);
+  await expect.poll(() => getKonvaTransformerNodeCountForPage(root, 1)).toBe(2);
+
+  // Shift+click an already-selected field REMOVES it from the selection.
+  await shiftClickFieldOnCanvas(root, SHIFT_CLICK_FIELD_POSITIONS.signature);
+  await expect.poll(() => getKonvaTransformerNodeCountForPage(root, 1)).toBe(1);
+
+  // Shift+click it again RE-ADDS it, leaving Signature + Text selected and Name excluded.
+  await shiftClickFieldOnCanvas(root, SHIFT_CLICK_FIELD_POSITIONS.signature);
+  await expect.poll(() => getKonvaTransformerNodeCountForPage(root, 1)).toBe(2);
+
+  // Delete the two selected fields via the floating action toolbar. Only the
+  // un-selected Name field should remain -- proving the multi-selection contained
+  // exactly the two Shift-clicked fields.
+  await expect(root.locator('button[title="Remove"]')).toBeVisible();
+  await root.locator('button[title="Remove"]').click();
+  expect(await getKonvaElementCountForPage(root, 1, '.field-group')).toBe(1);
+
+  // Navigate away and back to verify persistence.
+  await clickEnvelopeEditorStep(root, 'upload');
+  await clickEnvelopeEditorStep(root, 'addFields');
+  expect(await getKonvaElementCountForPage(root, 1, '.field-group')).toBe(1);
+
+  return { externalId };
+};
+
+const assertShiftClickMultiSelectPersistedInDatabase = async ({
+  surface,
+  externalId,
+}: {
+  surface: TEnvelopeEditorSurface;
+  externalId: string;
+}) => {
+  const envelope = await prisma.envelope.findFirstOrThrow({
+    where: {
+      externalId,
+      userId: surface.userId,
+      teamId: surface.teamId,
+      type: surface.envelopeType,
+    },
+    orderBy: { createdAt: 'desc' },
+    include: { fields: true },
+  });
+
+  // Signature + Text were multi-selected via Shift+click and deleted; only Name remains.
+  expect(envelope.fields).toHaveLength(1);
+  expect(envelope.fields[0].type).toBe(FieldType.NAME);
+};
+
 // --- Test describe blocks ---
 
 test.describe('document editor', () => {
+  test('shift+click adds and removes fields from the selection', async ({ page }) => {
+    const surface = await openDocumentEnvelopeEditor(page);
+    const result = await runShiftClickMultiSelectFlow(surface);
+
+    await assertShiftClickMultiSelectPersistedInDatabase({
+      surface,
+      ...result,
+    });
+  });
+
   test('add and persist signature/text fields', async ({ page }) => {
     const surface = await openDocumentEnvelopeEditor(page);
     const result = await runAddAndPersistSignatureTextFields(surface);
@@ -815,6 +924,16 @@ test.describe('document editor', () => {
 });
 
 test.describe('template editor', () => {
+  test('shift+click adds and removes fields from the selection', async ({ page }) => {
+    const surface = await openTemplateEnvelopeEditor(page);
+    const result = await runShiftClickMultiSelectFlow(surface);
+
+    await assertShiftClickMultiSelectPersistedInDatabase({
+      surface,
+      ...result,
+    });
+  });
+
   test('add and persist signature/text fields', async ({ page }) => {
     const surface = await openTemplateEnvelopeEditor(page);
     const result = await runAddAndPersistSignatureTextFields(surface);
@@ -867,6 +986,21 @@ test.describe('template editor', () => {
 });
 
 test.describe('embedded create', () => {
+  test('shift+click adds and removes fields from the selection', async ({ page }) => {
+    const surface = await openEmbeddedEnvelopeEditor(page, {
+      envelopeType: 'DOCUMENT',
+      tokenNamePrefix: 'e2e-embed-shift-click',
+    });
+    const result = await runShiftClickMultiSelectFlow(surface);
+
+    await persistEmbeddedEnvelope(surface);
+
+    await assertShiftClickMultiSelectPersistedInDatabase({
+      surface,
+      ...result,
+    });
+  });
+
   test('add and persist signature/text fields', async ({ page }) => {
     const surface = await openEmbeddedEnvelopeEditor(page, {
       envelopeType: 'DOCUMENT',
@@ -944,6 +1078,22 @@ test.describe('embedded create', () => {
 });
 
 test.describe('embedded edit', () => {
+  test('shift+click adds and removes fields from the selection', async ({ page }) => {
+    const surface = await openEmbeddedEnvelopeEditor(page, {
+      envelopeType: 'TEMPLATE',
+      mode: 'edit',
+      tokenNamePrefix: 'e2e-embed-shift-click',
+    });
+    const result = await runShiftClickMultiSelectFlow(surface);
+
+    await persistEmbeddedEnvelope(surface);
+
+    await assertShiftClickMultiSelectPersistedInDatabase({
+      surface,
+      ...result,
+    });
+  });
+
   test('add and persist signature/text fields', async ({ page }) => {
     const surface = await openEmbeddedEnvelopeEditor(page, {
       envelopeType: 'TEMPLATE',

packages/app-tests/e2e/fixtures/konva.ts

@@ -16,3 +16,35 @@ export const getKonvaElementCountForPage = async (page: Page, pageNumber: number
     { pageNumber, elementSelector },
   );
 };
+
+/**
+ * Returns how many field groups are currently attached to the page's Konva
+ * transformer, i.e. the size of the active canvas selection. Used to assert
+ * multi-select behaviour (marquee drag and Shift+click).
+ */
+export const getKonvaTransformerNodeCountForPage = async (page: Page, pageNumber: number) => {
+  await page.locator('.konva-container canvas').first().waitFor({ state: 'visible' });
+
+  return await page.evaluate(
+    ({ pageNumber }) => {
+      // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+      const konva: typeof Konva = (window as unknown as { Konva: typeof Konva }).Konva;
+
+      const stage = konva.stages.find((stage) => stage.attrs.id === `page-${pageNumber}`);
+
+      if (!stage) {
+        return 0;
+      }
+
+      const transformer = stage.find('Transformer')[0];
+
+      if (!transformer) {
+        return 0;
+      }
+
+      // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+      return (transformer as Konva.Transformer).nodes().length;
+    },
+    { pageNumber },
+  );
+};

packages/app-tests/e2e/organisations/organisation-permission-hierarchy.spec.ts

@@ -340,3 +340,67 @@ test.describe('[ORGANISATION_PERMISSION_HIERARCHY]: leaving an organisation', ()
     expect(deleted).toBeNull();
   });
 });
+
+test.describe('[ORGANISATION_PERMISSION_HIERARCHY]: group membership scoping', () => {
+  test('cannot add a member from another organisation to a group', async ({ page }) => {
+    // Organisation A, where the actor is the owner/admin.
+    const { user: actor, organisation: organisationA } = await seedUser({
+      isPersonalOrganisation: false,
+    });
+
+    // A separate organisation B with a member the actor has no authority over.
+    const { organisation: organisationB } = await seedUser({ isPersonalOrganisation: false });
+    const [foreignUser] = await seedOrganisationMembers({
+      members: [{ name: 'Foreign', organisationRole: 'MEMBER' }],
+      organisationId: organisationB.id,
+    });
+
+    const foreignMember = await getOrganisationMember(foreignUser.id, organisationB.id);
+
+    // A custom group the actor legitimately controls in organisation A.
+    const groupA = await createCustomGroup(organisationA.id, 'MEMBER');
+
+    await apiSignin({ page, email: actor.email });
+
+    const res = await trpcMutation(page, 'organisation.group.update', {
+      id: groupA.id,
+      memberIds: [foreignMember.id],
+    });
+
+    expect(res.ok()).toBeFalsy();
+
+    const injectedMembership = await prisma.organisationGroupMember.findFirst({
+      where: { groupId: groupA.id, organisationMemberId: foreignMember.id },
+    });
+
+    expect(injectedMembership).toBeNull();
+  });
+
+  test('can add a member from the same organisation to a group (positive control)', async ({ page }) => {
+    const { user: actor, organisation } = await seedUser({ isPersonalOrganisation: false });
+
+    const [memberUser] = await seedOrganisationMembers({
+      members: [{ name: 'Member', organisationRole: 'MEMBER' }],
+      organisationId: organisation.id,
+    });
+
+    const member = await getOrganisationMember(memberUser.id, organisation.id);
+
+    const group = await createCustomGroup(organisation.id, 'MEMBER');
+
+    await apiSignin({ page, email: actor.email });
+
+    const res = await trpcMutation(page, 'organisation.group.update', {
+      id: group.id,
+      memberIds: [member.id],
+    });
+
+    expect(res.ok()).toBeTruthy();
+
+    const membership = await prisma.organisationGroupMember.findFirst({
+      where: { groupId: group.id, organisationMemberId: member.id },
+    });
+
+    expect(membership).not.toBeNull();
+  });
+});

packages/app-tests/e2e/recipient/recipient-visibility-access.spec.ts

@@ -0,0 +1,72 @@
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { hashString } from '@documenso/lib/server-only/auth/hash';
+import { alphaid } from '@documenso/lib/universal/id';
+import { prisma } from '@documenso/prisma';
+import { DocumentVisibility, TeamMemberRole } from '@documenso/prisma/client';
+import { seedCompletedDocument } from '@documenso/prisma/seed/documents';
+import { seedTeam, seedTeamMember } from '@documenso/prisma/seed/teams';
+import { expect, test } from '@playwright/test';
+
+const WEBAPP_BASE_URL = NEXT_PUBLIC_WEBAPP_URL();
+const API_BASE_URL = `${WEBAPP_BASE_URL}/api/v2-beta`;
+
+test.describe.configure({ mode: 'parallel' });
+
+const seedApiTokenForUser = async ({ userId, teamId }: { userId: number; teamId: number }) => {
+  const token = `api_${alphaid(16)}`;
+
+  await prisma.apiToken.create({
+    data: { name: 'recipient-access-test', token: hashString(token), expires: null, userId, teamId },
+  });
+
+  return { token };
+};
+
+/**
+ * Reading a recipient exposes its signing token (a bearer credential), so the
+ * recipient read must enforce document visibility — a member who cannot read a
+ * restricted document must not be able to read its recipients either. This
+ * mirrors the field read, which is asserted as a control below.
+ */
+test('[RECIPIENT]: a member cannot read a recipient of a restricted document', async ({ request }) => {
+  const { team, owner } = await seedTeam();
+  const member = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MEMBER });
+
+  const { token: memberToken } = await seedApiTokenForUser({ userId: member.id, teamId: team.id });
+
+  const document = await seedCompletedDocument(owner, team.id, ['recipient@test.documenso.com'], {
+    createDocumentOptions: { visibility: DocumentVisibility.ADMIN },
+  });
+
+  const recipient = await prisma.recipient.findFirstOrThrow({ where: { envelopeId: document.id } });
+
+  const res = await request.get(`${API_BASE_URL}/envelope/recipient/${recipient.id}`, {
+    headers: { Authorization: `Bearer ${memberToken}` },
+  });
+
+  expect(res.status()).toBe(404);
+
+  const body = res.ok() ? await res.json() : null;
+  expect(body?.token).toBeUndefined();
+});
+
+test('[RECIPIENT]: a member cannot read a field of a restricted document', async ({ request }) => {
+  const { team, owner } = await seedTeam();
+  const member = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MEMBER });
+
+  const { token: memberToken } = await seedApiTokenForUser({ userId: member.id, teamId: team.id });
+
+  const document = await seedCompletedDocument(owner, team.id, ['recipient@test.documenso.com'], {
+    createDocumentOptions: { visibility: DocumentVisibility.ADMIN },
+  });
+
+  const field = await prisma.field.findFirst({ where: { envelopeId: document.id } });
+
+  test.skip(!field, 'No field seeded on completed document');
+
+  const res = await request.get(`${API_BASE_URL}/envelope/field/${field!.id}`, {
+    headers: { Authorization: `Bearer ${memberToken}` },
+  });
+
+  expect(res.status()).toBe(404);
+});

packages/app-tests/e2e/teams/team-groups.spec.ts

@@ -0,0 +1,163 @@
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { generateDatabaseId } from '@documenso/lib/universal/id';
+import { prisma } from '@documenso/prisma';
+import { seedTeamMember } from '@documenso/prisma/seed/teams';
+import { seedUser } from '@documenso/prisma/seed/users';
+import { expect, type Page, test } from '@playwright/test';
+import { OrganisationGroupType, OrganisationMemberRole, TeamMemberRole } from '@prisma/client';
+
+import { apiSignin } from '../fixtures/authentication';
+
+const WEBAPP_BASE_URL = NEXT_PUBLIC_WEBAPP_URL();
+
+test.describe.configure({ mode: 'parallel' });
+
+/**
+ * Calls a team-group tRPC mutation directly, bypassing the UI.
+ *
+ * The UI only ever surfaces CUSTOM / INTERNAL_ORGANISATION groups, so these
+ * authorisation rules must be enforced on the server - a crafted request can
+ * target any `teamGroupId`, including the system-managed INTERNAL_TEAM groups.
+ */
+const callTeamGroupMutation = (
+  page: Page,
+  procedure: 'team.group.delete' | 'team.group.update',
+  teamId: number,
+  input: Record<string, unknown>,
+) =>
+  page.context().request.post(`${WEBAPP_BASE_URL}/api/trpc/${procedure}`, {
+    headers: { 'content-type': 'application/json', 'x-team-id': teamId.toString() },
+    data: JSON.stringify({ json: input }),
+  });
+
+/**
+ * Every team is created with three system-managed INTERNAL_TEAM groups
+ * (admin/manager/member). They are the backbone of team-specific access and,
+ * like organisation internal groups, must not be deletable - deleting them
+ * silently strips team members of access while leaving the team row in place.
+ */
+test('[TEAMS]: internal team groups cannot be deleted via the API', async ({ page }) => {
+  // Member inheritance OFF: membership is granted exclusively through the team's
+  // INTERNAL_TEAM groups, so removing them is what causes the access loss.
+  const { user: owner, team } = await seedUser({ inheritMembers: false });
+
+  // A direct team member whose access depends on the INTERNAL_TEAM member group.
+  const directMember = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MEMBER });
+
+  await apiSignin({ page, email: owner.email });
+
+  const internalTeamGroups = await prisma.teamGroup.findMany({
+    where: {
+      teamId: team.id,
+      organisationGroup: { type: OrganisationGroupType.INTERNAL_TEAM },
+    },
+  });
+
+  // admin + manager + member.
+  expect(internalTeamGroups).toHaveLength(3);
+
+  for (const group of internalTeamGroups) {
+    const response = await callTeamGroupMutation(page, 'team.group.delete', team.id, {
+      teamId: team.id,
+      teamGroupId: group.id,
+    });
+
+    expect(response.status(), `INTERNAL_TEAM ${group.teamRole} group must not be deletable`).not.toBe(200);
+  }
+
+  // None of the internal groups were removed.
+  const remaining = await prisma.teamGroup.count({
+    where: {
+      teamId: team.id,
+      organisationGroup: { type: OrganisationGroupType.INTERNAL_TEAM },
+    },
+  });
+
+  expect(remaining).toBe(3);
+
+  // The direct member therefore keeps their team access.
+  const memberStillHasAccess = await prisma.teamGroup.findFirst({
+    where: {
+      teamId: team.id,
+      organisationGroup: {
+        type: OrganisationGroupType.INTERNAL_TEAM,
+        organisationGroupMembers: {
+          some: { organisationMember: { userId: directMember.id } },
+        },
+      },
+    },
+  });
+
+  expect(memberStillHasAccess).not.toBeNull();
+});
+
+/**
+ * Guards against over-blocking: user-created (CUSTOM) team groups are not
+ * internal and must remain removable by team managers/admins.
+ */
+test('[TEAMS]: custom team groups can still be deleted', async ({ page }) => {
+  const { user: owner, organisation, team } = await seedUser({ inheritMembers: false });
+
+  const customGroup = await prisma.organisationGroup.create({
+    data: {
+      id: generateDatabaseId('org_group'),
+      name: `custom-${team.url}`,
+      type: OrganisationGroupType.CUSTOM,
+      organisationRole: OrganisationMemberRole.MEMBER,
+      organisationId: organisation.id,
+      teamGroups: {
+        create: {
+          id: generateDatabaseId('team_group'),
+          teamId: team.id,
+          teamRole: TeamMemberRole.MEMBER,
+        },
+      },
+    },
+    include: { teamGroups: true },
+  });
+
+  const customTeamGroup = customGroup.teamGroups[0];
+
+  await apiSignin({ page, email: owner.email });
+
+  const response = await callTeamGroupMutation(page, 'team.group.delete', team.id, {
+    teamId: team.id,
+    teamGroupId: customTeamGroup.id,
+  });
+
+  expect(response.status()).toBe(200);
+
+  const deleted = await prisma.teamGroup.findUnique({ where: { id: customTeamGroup.id } });
+
+  expect(deleted).toBeNull();
+});
+
+/**
+ * The same root cause affects updates: an INTERNAL_TEAM group's role must not be
+ * editable either, otherwise a team admin could rewrite the backbone roles
+ * (e.g. promote the member group to admin).
+ */
+test('[TEAMS]: internal team groups cannot be updated via the API', async ({ page }) => {
+  const { user: owner, team } = await seedUser({ inheritMembers: false });
+
+  await apiSignin({ page, email: owner.email });
+
+  const internalMemberGroup = await prisma.teamGroup.findFirstOrThrow({
+    where: {
+      teamId: team.id,
+      teamRole: TeamMemberRole.MEMBER,
+      organisationGroup: { type: OrganisationGroupType.INTERNAL_TEAM },
+    },
+  });
+
+  const response = await callTeamGroupMutation(page, 'team.group.update', team.id, {
+    id: internalMemberGroup.id,
+    data: { teamRole: TeamMemberRole.ADMIN },
+  });
+
+  expect(response.status()).not.toBe(200);
+
+  const reloaded = await prisma.teamGroup.findUniqueOrThrow({ where: { id: internalMemberGroup.id } });
+
+  expect(reloaded.teamRole).toBe(TeamMemberRole.MEMBER);
+});

packages/app-tests/e2e/teams/team-profile-access.spec.ts

@@ -0,0 +1,53 @@
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { prisma } from '@documenso/prisma';
+import { TeamMemberRole } from '@documenso/prisma/client';
+import { seedTeam, seedTeamMember } from '@documenso/prisma/seed/teams';
+import { expect, test } from '@playwright/test';
+
+import { apiSignin } from '../fixtures/authentication';
+
+const WEBAPP_BASE_URL = NEXT_PUBLIC_WEBAPP_URL();
+
+test.describe.configure({ mode: 'parallel' });
+
+/**
+ * Editing the team public profile is a team-management action and must require
+ * MANAGE_TEAM, consistent with renaming the team or changing its URL.
+ */
+test('[TEAMS]: a member cannot edit the team public profile', async ({ page }) => {
+  const { team, owner } = await seedTeam();
+  const member = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MEMBER });
+
+  await apiSignin({ page, email: member.email });
+
+  const profileRes = await page.context().request.post(`${WEBAPP_BASE_URL}/api/trpc/team.update`, {
+    headers: { 'content-type': 'application/json', 'x-team-id': team.id.toString() },
+    data: JSON.stringify({
+      json: {
+        teamId: team.id,
+        data: { profileEnabled: true, profileBio: 'edited-by-member' },
+      },
+    }),
+  });
+
+  expect(profileRes.status()).not.toBe(200);
+
+  const profile = await prisma.teamProfile.findUnique({ where: { teamId: team.id } });
+  expect(profile?.enabled ?? false).toBe(false);
+  expect(profile?.bio ?? '').not.toBe('edited-by-member');
+
+  // The name/url path of the same route is also management-gated.
+  const nameRes = await page.context().request.post(`${WEBAPP_BASE_URL}/api/trpc/team.update`, {
+    headers: { 'content-type': 'application/json', 'x-team-id': team.id.toString() },
+    data: JSON.stringify({
+      json: { teamId: team.id, data: { name: 'renamed-by-member' } },
+    }),
+  });
+
+  expect(nameRes.status()).not.toBe(200);
+
+  const reloaded = await prisma.team.findUnique({ where: { id: team.id } });
+  expect(reloaded?.name).not.toBe('renamed-by-member');
+
+  expect(owner.id).toBeTruthy();
+});

packages/auth/server/lib/errors/error-codes.ts

@@ -17,6 +17,7 @@ export const AuthenticationErrorCode = {
   // TwoFactorMissingSecret: 'TWO_FACTOR_MISSING_SECRET',
   // TwoFactorMissingCredentials: 'TWO_FACTOR_MISSING_CREDENTIALS',
   InvalidTwoFactorCode: 'INVALID_TWO_FACTOR_CODE',
+  SigninDisabled: 'SIGNIN_DISABLED',
   SignupDisabled: 'SIGNUP_DISABLED',
   SignupDisposableEmail: 'SIGNUP_DISPOSABLE_EMAIL',
   // IncorrectTwoFactorBackupCode: 'INCORRECT_TWO_FACTOR_BACKUP_CODE',

packages/auth/server/routes/email-password.ts

@@ -1,6 +1,7 @@
 import {
   isDisposableEmail,
   isEmailDomainAllowedForSignup,
+  isSigninEnabledForProvider,
   isSignupEnabledForProvider,
 } from '@documenso/lib/constants/auth';
 import { EMAIL_VERIFICATION_STATE } from '@documenso/lib/constants/email';
@@ -64,6 +65,12 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
   .post('/authorize', sValidator('json', ZSignInSchema), async (c) => {
     const requestMetadata = c.get('requestMetadata');
 
+    if (!isSigninEnabledForProvider('email')) {
+      throw new AppError(AuthenticationErrorCode.SigninDisabled, {
+        statusCode: 400,
+      });
+    }
+
     const { email, password, totpCode, backupCode, csrfToken, captchaToken } = c.req.valid('json');
 
     const loginLimitResult = await loginRateLimit.check({
@@ -244,6 +251,12 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
     const { password, currentPassword } = c.req.valid('json');
     const requestMetadata = c.get('requestMetadata');
 
+    if (!isSigninEnabledForProvider('email')) {
+      throw new AppError(AuthenticationErrorCode.SigninDisabled, {
+        statusCode: 400,
+      });
+    }
+
     const { session, user } = await getSession(c);
 
     await updatePassword({
@@ -346,6 +359,12 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
   .post('/forgot-password', sValidator('json', ZForgotPasswordSchema), async (c) => {
     const requestMetadata = c.get('requestMetadata');
 
+    if (!isSigninEnabledForProvider('email')) {
+      throw new AppError(AuthenticationErrorCode.SigninDisabled, {
+        statusCode: 400,
+      });
+    }
+
     const { email } = c.req.valid('json');
 
     const forgotLimitResult = await forgotPasswordRateLimit.check({
@@ -377,6 +396,12 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
   .post('/reset-password', sValidator('json', ZResetPasswordSchema), async (c) => {
     const requestMetadata = c.get('requestMetadata');
 
+    if (!isSigninEnabledForProvider('email')) {
+      throw new AppError(AuthenticationErrorCode.SigninDisabled, {
+        statusCode: 400,
+      });
+    }
+
     const { token, password } = c.req.valid('json');
 
     const resetLimitResult = await resetPasswordRateLimit.check({

packages/email/template-components/template-document-completed.tsx

@@ -28,7 +28,11 @@ export const TemplateDocumentCompleted = ({
         <Section className="mb-4">
           <Column align="center">
             <Text className="font-semibold text-base text-foreground">
-              <Img src={getAssetUrl('/static/completed.png')} className="-mt-0.5 mr-2 inline h-7 w-7 align-middle" />
+              <Img
+                src={getAssetUrl('/static/completed.png')}
+                className="-mt-0.5 mr-2 inline h-7 w-7 align-middle"
+                alt=""
+              />
               <Trans>Completed</Trans>
             </Text>
           </Column>
@@ -47,7 +51,7 @@ export const TemplateDocumentCompleted = ({
             className="rounded-lg border border-border border-solid px-4 py-2 text-center font-medium text-foreground text-sm no-underline"
             href={downloadLink}
           >
-            <Img src={getAssetUrl('/static/download.png')} className="mr-2 mb-0.5 inline h-5 w-5 align-middle" />
+            <Img src={getAssetUrl('/static/download.png')} className="mr-2 mb-0.5 inline h-5 w-5 align-middle" alt="" />
             <Trans>Download</Trans>
           </Button>
         </Section>

packages/email/template-components/template-document-pending.tsx

@@ -21,7 +21,7 @@ export const TemplateDocumentPending = ({ documentName, assetBaseUrl }: Template
         <Section className="mb-4">
           <Column align="center">
             <Text className="font-semibold text-base text-foreground">
-              <Img src={getAssetUrl('/static/clock.png')} className="-mt-0.5 mr-2 inline h-7 w-7 align-middle" />
+              <Img src={getAssetUrl('/static/clock.png')} className="-mt-0.5 mr-2 inline h-7 w-7 align-middle" alt="" />
               <Trans>Waiting for others</Trans>
             </Text>
           </Column>

packages/email/template-components/template-document-recipient-signed.tsx

@@ -30,7 +30,11 @@ export const TemplateDocumentRecipientSigned = ({
         <Section className="mb-4">
           <Column align="center">
             <Text className="font-semibold text-base text-foreground">
-              <Img src={getAssetUrl('/static/completed.png')} className="-mt-0.5 mr-2 inline h-7 w-7 align-middle" />
+              <Img
+                src={getAssetUrl('/static/completed.png')}
+                className="-mt-0.5 mr-2 inline h-7 w-7 align-middle"
+                alt=""
+              />
               <Trans>Completed</Trans>
             </Text>
           </Column>

packages/email/template-components/template-document-self-signed.tsx

@@ -26,7 +26,11 @@ export const TemplateDocumentSelfSigned = ({ documentName, assetBaseUrl }: Templ
         <Section>
           <Column align="center">
             <Text className="font-semibold text-base text-foreground">
-              <Img src={getAssetUrl('/static/completed.png')} className="-mt-0.5 mr-2 inline h-7 w-7 align-middle" />
+              <Img
+                src={getAssetUrl('/static/completed.png')}
+                className="-mt-0.5 mr-2 inline h-7 w-7 align-middle"
+                alt=""
+              />
               <Trans>Completed</Trans>
             </Text>
           </Column>
@@ -51,7 +55,11 @@ export const TemplateDocumentSelfSigned = ({ documentName, assetBaseUrl }: Templ
             href={signUpUrl}
             className="mr-4 rounded-lg border border-border border-solid px-4 py-2 text-center font-medium text-foreground text-sm no-underline"
           >
-            <Img src={getAssetUrl('/static/user-plus.png')} className="mr-2 mb-0.5 inline h-5 w-5 align-middle" />
+            <Img
+              src={getAssetUrl('/static/user-plus.png')}
+              className="mr-2 mb-0.5 inline h-5 w-5 align-middle"
+              alt=""
+            />
             <Trans>Create account</Trans>
           </Button>
 
@@ -59,7 +67,7 @@ export const TemplateDocumentSelfSigned = ({ documentName, assetBaseUrl }: Templ
             className="rounded-lg border border-border border-solid px-4 py-2 text-center font-medium text-foreground text-sm no-underline"
             href="https://documenso.com/pricing"
           >
-            <Img src={getAssetUrl('/static/review.png')} className="mr-2 mb-0.5 inline h-5 w-5 align-middle" />
+            <Img src={getAssetUrl('/static/review.png')} className="mr-2 mb-0.5 inline h-5 w-5 align-middle" alt="" />
             <Trans>View plans</Trans>
           </Button>
         </Section>

packages/email/template-components/template-image.tsx

@@ -11,7 +11,7 @@ export const TemplateImage = ({ assetBaseUrl, className, staticAsset }: Template
     return new URL(path, assetBaseUrl).toString();
   };
 
-  return <Img className={className} src={getAssetUrl(`/static/${staticAsset}`)} />;
+  return <Img className={className} src={getAssetUrl(`/static/${staticAsset}`)} alt="" />;
 };
 
 export default TemplateImage;

packages/email/templates/access-auth-2fa.tsx

@@ -30,9 +30,10 @@ export const AccessAuth2FAEmailTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
 
       <Body className="mx-auto my-auto bg-background font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section>
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-4 backdrop-blur-sm">
             <Section>

packages/email/templates/admin-user-created.tsx

@@ -21,8 +21,9 @@ export const AdminUserCreatedTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
       <Body className="mx-auto my-auto bg-background font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section>
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-4 backdrop-blur-sm">
             <Section>

packages/email/templates/bulk-send-complete.tsx

@@ -24,11 +24,14 @@ export const BulkSendCompleteEmail = ({
 }: BulkSendCompleteEmailProps) => {
   const { _ } = useLingui();
 
+  const previewText = msg`Bulk send operation complete for template "${templateName}"`;
+
   return (
     <Html>
       <Head />
-      <Preview>{_(msg`Bulk send operation complete for template "${templateName}"`)}</Preview>
       <Body className="mx-auto my-auto bg-background font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section>
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-4 backdrop-blur-sm">
             <Section>

packages/email/templates/confirm-email.tsx

@@ -18,8 +18,9 @@ export const ConfirmEmailTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
       <Body className="mx-auto my-auto bg-background font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section>
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-4 backdrop-blur-sm">
             <Section>

packages/email/templates/confirm-team-email.tsx

@@ -30,9 +30,9 @@ export const ConfirmTeamEmailTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
-
       <Body className="mx-auto my-auto font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section className="bg-background">
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid px-2 pt-2 backdrop-blur-sm">
             <TemplateBrandingLogo assetBaseUrl={assetBaseUrl} className="mb-4 h-6 p-2" />

packages/email/templates/document-cancel.tsx

@@ -23,9 +23,10 @@ export const DocumentCancelTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
 
       <Body className="mx-auto my-auto bg-background font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section>
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-4 backdrop-blur-sm">
             <Section>

packages/email/templates/document-completed.tsx

@@ -26,9 +26,9 @@ export const DocumentCompletedEmailTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
-
       <Body className="mx-auto my-auto font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section className="bg-background">
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-2 backdrop-blur-sm">
             <Section className="p-2">

packages/email/templates/document-created-from-direct-template.tsx

@@ -33,9 +33,9 @@ export const DocumentCreatedFromDirectTemplateEmailTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
-
       <Body className="mx-auto my-auto font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section className="bg-background">
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-2 backdrop-blur-sm">
             <Section className="p-2">

packages/email/templates/document-invite.tsx

@@ -56,9 +56,10 @@ export const DocumentInviteEmailTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
 
       <Body className="mx-auto my-auto bg-background font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section>
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-4 backdrop-blur-sm">
             <Section>
@@ -85,7 +86,7 @@ export const DocumentInviteEmailTemplate = ({
                 <Text className="my-4 font-semibold text-base">
                   <Trans>
                     {inviterName}{' '}
-                    <Link className="font-normal text-muted-foreground" href="mailto:{inviterEmail}">
+                    <Link className="font-normal text-muted-foreground" href={`mailto:${inviterEmail}`}>
                       ({inviterEmail})
                     </Link>
                   </Trans>

packages/email/templates/document-pending.tsx

@@ -20,9 +20,9 @@ export const DocumentPendingEmailTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
-
       <Body className="mx-auto my-auto font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section className="bg-background">
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-4 backdrop-blur-sm">
             <Section>

packages/email/templates/document-recipient-signed.tsx

@@ -28,9 +28,9 @@ export const DocumentRecipientSignedEmailTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
-
       <Body className="mx-auto my-auto font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section className="bg-background">
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-2 backdrop-blur-sm">
             <Section className="p-2">

packages/email/templates/document-rejected.tsx

@@ -28,9 +28,10 @@ export function DocumentRejectedEmail({
   return (
     <Html>
       <Head />
-      <Preview>{previewText}</Preview>
 
       <Body className="mx-auto my-auto bg-background font-sans">
+        <Preview>{previewText}</Preview>
+
         <Section>
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-4 backdrop-blur-sm">
             <Section>

packages/email/templates/document-rejection-confirmed.tsx

@@ -28,9 +28,10 @@ export function DocumentRejectionConfirmedEmail({
   return (
     <Html>
       <Head />
-      <Preview>{previewText}</Preview>
 
       <Body className="mx-auto my-auto bg-background font-sans">
+        <Preview>{previewText}</Preview>
+
         <Section>
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-4 backdrop-blur-sm">
             <Section>

packages/email/templates/document-reminder.tsx

@@ -37,9 +37,10 @@ export const DocumentReminderEmailTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
 
       <Body className="mx-auto my-auto bg-background font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section>
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-4 backdrop-blur-sm">
             <Section>

packages/email/templates/document-self-signed.tsx

@@ -20,9 +20,9 @@ export const DocumentSelfSignedEmailTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
-
       <Body className="mx-auto my-auto font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section className="bg-background">
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-2 backdrop-blur-sm">
             <Section className="p-2">

packages/email/templates/document-super-delete.tsx

@@ -23,9 +23,10 @@ export const DocumentSuperDeleteEmailTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
 
       <Body className="mx-auto my-auto bg-background font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section>
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-4 backdrop-blur-sm">
             <Section>

packages/email/templates/forgot-password.tsx

@@ -20,9 +20,10 @@ export const ForgotPasswordTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
 
       <Body className="mx-auto my-auto bg-background font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section>
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-4 backdrop-blur-sm">
             <Section>

packages/email/templates/organisation-account-link-confirmation.tsx

@@ -30,8 +30,9 @@ export const OrganisationAccountLinkConfirmationTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
       <Body className="mx-auto my-auto font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section className="bg-background">
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid px-2 pt-2 backdrop-blur-sm">
             <TemplateBrandingLogo assetBaseUrl={assetBaseUrl} className="mb-4 h-6 p-2" />

packages/email/templates/organisation-delete.tsx

@@ -34,9 +34,9 @@ export const OrganisationDeleteEmailTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
-
       <Body className="mx-auto my-auto font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section className="bg-background text-muted-foreground">
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-2 backdrop-blur-sm">
             <TemplateBrandingLogo assetBaseUrl={assetBaseUrl} className="mb-4 h-6 p-2" />

packages/email/templates/organisation-invite.tsx

@@ -29,9 +29,9 @@ export const OrganisationInviteEmailTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
-
       <Body className="mx-auto my-auto font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section className="bg-background text-muted-foreground">
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-2 backdrop-blur-sm">
             <TemplateBrandingLogo assetBaseUrl={assetBaseUrl} className="mb-4 h-6 p-2" />

packages/email/templates/organisation-join.tsx

@@ -31,9 +31,9 @@ export const OrganisationJoinEmailTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
-
       <Body className="mx-auto my-auto font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section className="bg-background text-muted-foreground">
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-2 backdrop-blur-sm">
             <TemplateBrandingLogo assetBaseUrl={assetBaseUrl} className="mb-4 h-6 p-2" />

packages/email/templates/organisation-leave.tsx

@@ -31,9 +31,9 @@ export const OrganisationLeaveEmailTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
-
       <Body className="mx-auto my-auto font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section className="bg-background text-muted-foreground">
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-2 backdrop-blur-sm">
             <TemplateBrandingLogo assetBaseUrl={assetBaseUrl} className="mb-4 h-6 p-2" />

packages/email/templates/organisation-limit-alert.tsx

@@ -29,9 +29,9 @@ export const OrganisationLimitAlertEmailTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
-
       <Body className="mx-auto my-auto font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section className="bg-background text-muted-foreground">
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-2 backdrop-blur-sm">
             <TemplateBrandingLogo assetBaseUrl={assetBaseUrl} className="mb-4 h-6 p-2" />

packages/email/templates/recipient-expired.tsx

@@ -23,9 +23,10 @@ export const RecipientExpiredTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
 
       <Body className="mx-auto my-auto bg-background font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section>
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-4 backdrop-blur-sm">
             <Section>

packages/email/templates/recipient-removed-from-document.tsx

@@ -22,9 +22,10 @@ export const RecipientRemovedFromDocumentTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
 
       <Body className="mx-auto my-auto bg-background font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section>
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-4 backdrop-blur-sm">
             <Section>

packages/email/templates/reset-password.tsx

@@ -22,9 +22,10 @@ export const ResetPasswordTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
 
       <Body className="mx-auto my-auto bg-background font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section>
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-4 backdrop-blur-sm">
             <Section>

packages/email/templates/team-delete.tsx

@@ -29,9 +29,9 @@ export const TeamDeleteEmailTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
-
       <Body className="mx-auto my-auto font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section className="bg-background text-muted-foreground">
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid p-2 backdrop-blur-sm">
             <TemplateBrandingLogo assetBaseUrl={assetBaseUrl} className="mb-4 h-6 p-2" />

packages/email/templates/team-email-removed.tsx

@@ -30,9 +30,9 @@ export const TeamEmailRemovedTemplate = ({
   return (
     <Html>
       <Head />
-      <Preview>{_(previewText)}</Preview>
-
       <Body className="mx-auto my-auto font-sans">
+        <Preview>{_(previewText)}</Preview>
+
         <Section className="bg-background text-muted-foreground">
           <Container className="mx-auto mt-8 mb-2 max-w-xl rounded-lg border border-border border-solid px-2 pt-2 backdrop-blur-sm">
             <TemplateBrandingLogo assetBaseUrl={assetBaseUrl} className="mb-4 h-6 p-2" />

packages/lib/constants/auth.ts

@@ -41,6 +41,14 @@ export const IS_OIDC_SSO_ENABLED = Boolean(
 
 export const OIDC_PROVIDER_LABEL = env('NEXT_PRIVATE_OIDC_PROVIDER_LABEL');
 
+/**
+ * Opt-out flag for the automatic OIDC redirect.
+ *
+ * When OIDC is the only enabled signin transport we redirect to the provider
+ * automatically. Set this to "true" to keep rendering the signin page instead.
+ */
+export const IS_OIDC_AUTO_REDIRECT_DISABLED = env('NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT') === 'true';
+
 export const USER_SECURITY_AUDIT_LOG_MAP: Record<string, string> = {
   ACCOUNT_SSO_LINK: 'Linked account to SSO',
   ACCOUNT_SSO_UNLINK: 'Unlinked account from SSO',
@@ -188,3 +196,22 @@ export const isSignupEnabledForProvider = (provider: 'email' | 'google' | 'micro
 
   return env(flagMap[provider]) !== 'true';
 };
+
+/**
+ * Check if signin is enabled for the given provider.
+ * The master switch takes precedence over the per-provider flags.
+ */
+export const isSigninEnabledForProvider = (provider: 'email' | 'google' | 'microsoft' | 'oidc'): boolean => {
+  if (env('NEXT_PUBLIC_DISABLE_SIGNIN') === 'true') {
+    return false;
+  }
+
+  const flagMap = {
+    email: 'NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN',
+    google: 'NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN',
+    microsoft: 'NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN',
+    oidc: 'NEXT_PUBLIC_DISABLE_OIDC_SIGNIN',
+  } as const;
+
+  return env(flagMap[provider]) !== 'true';
+};

packages/lib/server-only/document/cancel-document.ts

@@ -8,8 +8,9 @@ import { mapEnvelopeToWebhookDocumentPayload, ZWebhookDocumentSchema } from '../
 import type { ApiRequestMetadata } from '../../universal/extract-request-metadata';
 import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
 import type { EnvelopeIdOptions } from '../../utils/envelope';
-import { mapSecondaryIdToDocumentId, unsafeBuildEnvelopeIdQuery } from '../../utils/envelope';
+import { mapSecondaryIdToDocumentId } from '../../utils/envelope';
 import { isMemberManagerOrAbove } from '../../utils/teams';
+import { getEnvelopeWhereInput } from '../envelope/get-envelope-by-id';
 import { getMemberRoles } from '../team/get-member-roles';
 import { triggerWebhook } from '../webhooks/trigger/trigger-webhook';
 
@@ -22,9 +23,18 @@ export type CancelDocumentOptions = {
 };
 
 export const cancelDocument = async ({ id, userId, teamId, reason, requestMetadata }: CancelDocumentOptions) => {
-  // Note: This is an unsafe request, we validate the ownership/permission later in the function.
-  const envelope = await prisma.envelope.findUnique({
-    where: unsafeBuildEnvelopeIdQuery(id, EnvelopeType.DOCUMENT),
+  // Resolve the envelope through the visibility-aware helper so the caller must
+  // have read access (ownership OR team membership with sufficient visibility OR
+  // team-email). This prevents cancelling a document the caller cannot see.
+  const { envelopeWhereInput } = await getEnvelopeWhereInput({
+    id,
+    userId,
+    teamId,
+    type: EnvelopeType.DOCUMENT,
+  });
+
+  const envelope = await prisma.envelope.findFirst({
+    where: envelopeWhereInput,
     include: {
       recipients: true,
       documentMeta: true,
@@ -49,16 +59,6 @@ export const cancelDocument = async ({ id, userId, teamId, reason, requestMetada
     .then((roles) => roles.teamRole)
     .catch(() => null);
 
-  const isUserTeamMember = teamRole !== null;
-
-  // Callers with no relationship to the document must not be able to determine
-  // whether it exists, so respond as if it was not found.
-  if (!isUserOwner && !isUserTeamMember) {
-    throw new AppError(AppErrorCode.NOT_FOUND, {
-      message: 'Document not found',
-    });
-  }
-
   const isPrivilegedTeamMember = teamRole && isMemberManagerOrAbove(teamRole);
 
   // The document is visible to the caller, but cancelling requires elevated permissions.

packages/lib/server-only/document/delete-document.ts

@@ -13,7 +13,7 @@ import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
 import { type EnvelopeIdOptions, unsafeBuildEnvelopeIdQuery } from '../../utils/envelope';
 import { isRecipientEmailValidForSending } from '../../utils/recipients';
 import { getEmailContext } from '../email/get-email-context';
-import { getMemberRoles } from '../team/get-member-roles';
+import { getEnvelopeWhereInput } from '../envelope/get-envelope-by-id';
 import { triggerWebhook } from '../webhooks/trigger/trigger-webhook';
 
 export type DeleteDocumentOptions = {
@@ -36,7 +36,9 @@ export const deleteDocument = async ({ id, userId, teamId, requestMetadata }: De
     });
   }
 
-  // Note: This is an unsafe request, we validate the ownership later in the function.
+  // Note: This is an unsafe request. It is used purely to resolve the recipient
+  // self-hide path below. The authoritative delete authorization is performed
+  // via the visibility-aware `getEnvelopeWhereInput` helper.
   const envelope = await prisma.envelope.findUnique({
     where: unsafeBuildEnvelopeIdQuery(id, EnvelopeType.DOCUMENT),
     include: {
@@ -51,27 +53,36 @@ export const deleteDocument = async ({ id, userId, teamId, requestMetadata }: De
     });
   }
 
-  const isUserTeamMember = await getMemberRoles({
-    teamId: envelope.teamId,
-    reference: {
-      type: 'User',
-      id: userId,
-    },
+  // Determine whether the user has authorized delete access using the
+  // visibility-aware helper. This enforces ownership OR (team membership AND
+  // the document's visibility is permitted for the member's role) OR team-email
+  // access. A bare team member without sufficient visibility will resolve to
+  // null here and therefore must not be able to delete the document.
+  const hasDeleteAccess = await getEnvelopeWhereInput({
+    id,
+    userId,
+    teamId,
+    type: EnvelopeType.DOCUMENT,
   })
-    .then(() => true)
+    .then(({ envelopeWhereInput }) =>
+      prisma.envelope.findFirst({
+        where: envelopeWhereInput,
+        select: { id: true },
+      }),
+    )
+    .then((result) => Boolean(result))
     .catch(() => false);
 
-  const isUserOwner = envelope.userId === userId;
   const userRecipient = envelope.recipients.find((recipient) => recipient.email === user.email);
 
-  if (!isUserOwner && !isUserTeamMember && !userRecipient) {
+  if (!hasDeleteAccess && !userRecipient) {
     throw new AppError(AppErrorCode.UNAUTHORIZED, {
       message: 'Not allowed',
     });
   }
 
   // Handle hard or soft deleting the actual document if user has permission.
-  if (isUserOwner || isUserTeamMember) {
+  if (hasDeleteAccess) {
     await handleDocumentOwnerDelete({
       envelope,
       user,

packages/lib/server-only/envelope-attachment/create-attachment.ts

@@ -2,7 +2,7 @@ import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
 import { prisma } from '@documenso/prisma';
 import { DocumentStatus } from '@prisma/client';
 
-import { buildTeamWhereQuery } from '../../utils/teams';
+import { getEnvelopeWhereInput } from '../envelope/get-envelope-by-id';
 
 export type CreateAttachmentOptions = {
   envelopeId: string;
@@ -15,11 +15,15 @@ export type CreateAttachmentOptions = {
 };
 
 export const createAttachment = async ({ envelopeId, teamId, userId, data }: CreateAttachmentOptions) => {
+  const { envelopeWhereInput } = await getEnvelopeWhereInput({
+    id: { type: 'envelopeId', id: envelopeId },
+    userId,
+    teamId,
+    type: null,
+  });
+
   const envelope = await prisma.envelope.findFirst({
-    where: {
-      id: envelopeId,
-      team: buildTeamWhereQuery({ teamId, userId }),
-    },
+    where: envelopeWhereInput,
   });
 
   if (!envelope) {

packages/lib/server-only/envelope-attachment/delete-attachment.ts

@@ -2,7 +2,7 @@ import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
 import { prisma } from '@documenso/prisma';
 import { DocumentStatus } from '@prisma/client';
 
-import { buildTeamWhereQuery } from '../../utils/teams';
+import { getEnvelopeWhereInput } from '../envelope/get-envelope-by-id';
 
 export type DeleteAttachmentOptions = {
   id: string;
@@ -14,9 +14,6 @@ export const deleteAttachment = async ({ id, userId, teamId }: DeleteAttachmentO
   const attachment = await prisma.envelopeAttachment.findFirst({
     where: {
       id,
-      envelope: {
-        team: buildTeamWhereQuery({ teamId, userId }),
-      },
     },
     include: {
       envelope: true,
@@ -29,6 +26,24 @@ export const deleteAttachment = async ({ id, userId, teamId }: DeleteAttachmentO
     });
   }
 
+  const { envelopeWhereInput } = await getEnvelopeWhereInput({
+    id: { type: 'envelopeId', id: attachment.envelopeId },
+    userId,
+    teamId,
+    type: null,
+  });
+
+  // Additional validation to check the user has visibility-aware access to the envelope.
+  const envelope = await prisma.envelope.findFirst({
+    where: envelopeWhereInput,
+  });
+
+  if (!envelope) {
+    throw new AppError(AppErrorCode.NOT_FOUND, {
+      message: 'Attachment not found',
+    });
+  }
+
   if (
     attachment.envelope.status === DocumentStatus.COMPLETED ||
     attachment.envelope.status === DocumentStatus.REJECTED

packages/lib/server-only/envelope-attachment/find-attachments-by-envelope-id.ts

@@ -1,7 +1,7 @@
 import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
 import { prisma } from '@documenso/prisma';
 
-import { buildTeamWhereQuery } from '../../utils/teams';
+import { getEnvelopeWhereInput } from '../envelope/get-envelope-by-id';
 
 export type FindAttachmentsByEnvelopeIdOptions = {
   envelopeId: string;
@@ -14,11 +14,15 @@ export const findAttachmentsByEnvelopeId = async ({
   userId,
   teamId,
 }: FindAttachmentsByEnvelopeIdOptions) => {
+  const { envelopeWhereInput } = await getEnvelopeWhereInput({
+    id: { type: 'envelopeId', id: envelopeId },
+    userId,
+    teamId,
+    type: null,
+  });
+
   const envelope = await prisma.envelope.findFirst({
-    where: {
-      id: envelopeId,
-      team: buildTeamWhereQuery({ teamId, userId }),
-    },
+    where: envelopeWhereInput,
   });
 
   if (!envelope) {

packages/lib/server-only/envelope-attachment/update-attachment.ts

@@ -2,7 +2,7 @@ import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
 import { prisma } from '@documenso/prisma';
 import { DocumentStatus } from '@prisma/client';
 
-import { buildTeamWhereQuery } from '../../utils/teams';
+import { getEnvelopeWhereInput } from '../envelope/get-envelope-by-id';
 
 export type UpdateAttachmentOptions = {
   id: string;
@@ -15,9 +15,6 @@ export const updateAttachment = async ({ id, teamId, userId, data }: UpdateAttac
   const attachment = await prisma.envelopeAttachment.findFirst({
     where: {
       id,
-      envelope: {
-        team: buildTeamWhereQuery({ teamId, userId }),
-      },
     },
     include: {
       envelope: true,
@@ -30,6 +27,24 @@ export const updateAttachment = async ({ id, teamId, userId, data }: UpdateAttac
     });
   }
 
+  const { envelopeWhereInput } = await getEnvelopeWhereInput({
+    id: { type: 'envelopeId', id: attachment.envelopeId },
+    userId,
+    teamId,
+    type: null,
+  });
+
+  // Additional validation to check the user has visibility-aware access to the envelope.
+  const envelope = await prisma.envelope.findFirst({
+    where: envelopeWhereInput,
+  });
+
+  if (!envelope) {
+    throw new AppError(AppErrorCode.NOT_FOUND, {
+      message: 'Attachment not found',
+    });
+  }
+
   if (
     attachment.envelope.status === DocumentStatus.COMPLETED ||
     attachment.envelope.status === DocumentStatus.REJECTED

packages/lib/server-only/public-api/get-user-by-token.ts

@@ -1,44 +0,0 @@
-import { prisma } from '@documenso/prisma';
-
-import { AppError, AppErrorCode } from '../../errors/app-error';
-import { hashString } from '../auth/hash';
-
-export const getUserByApiToken = async ({ token }: { token: string }) => {
-  const hashedToken = hashString(token);
-
-  const user = await prisma.user.findFirst({
-    where: {
-      apiTokens: {
-        some: {
-          token: hashedToken,
-        },
-      },
-    },
-    include: {
-      apiTokens: true,
-    },
-  });
-
-  if (!user) {
-    throw new AppError(AppErrorCode.UNAUTHORIZED, {
-      message: 'Invalid token',
-      statusCode: 401,
-    });
-  }
-
-  const retrievedToken = user.apiTokens.find((apiToken) => apiToken.token === hashedToken);
-
-  // This should be impossible but we need to satisfy TypeScript
-  if (!retrievedToken) {
-    throw new AppError(AppErrorCode.UNAUTHORIZED, {
-      message: 'Invalid token',
-      statusCode: 401,
-    });
-  }
-
-  if (retrievedToken.expires && retrievedToken.expires < new Date()) {
-    throw new Error('Expired token');
-  }
-
-  return user;
-};

packages/lib/server-only/recipient/get-recipient-by-id.ts

@@ -4,6 +4,7 @@ import { EnvelopeType } from '@prisma/client';
 import { AppError, AppErrorCode } from '../../errors/app-error';
 import { mapSecondaryIdToDocumentId, mapSecondaryIdToTemplateId } from '../../utils/envelope';
 import { buildTeamWhereQuery } from '../../utils/teams';
+import { getEnvelopeWhereInput } from '../envelope/get-envelope-by-id';
 
 export type GetRecipientByIdOptions = {
   recipientId: number;
@@ -41,6 +42,27 @@ export const getRecipientById = async ({ recipientId, userId, teamId, type }: Ge
     });
   }
 
+  const { envelopeWhereInput } = await getEnvelopeWhereInput({
+    id: {
+      type: 'envelopeId',
+      id: recipient.envelopeId,
+    },
+    type,
+    userId,
+    teamId,
+  });
+
+  // Additional validation to check visibility.
+  const envelope = await prisma.envelope.findUnique({
+    where: envelopeWhereInput,
+  });
+
+  if (!envelope) {
+    throw new AppError(AppErrorCode.NOT_FOUND, {
+      message: 'Recipient not found',
+    });
+  }
+
   const legacyId = {
     documentId: type === EnvelopeType.DOCUMENT ? mapSecondaryIdToDocumentId(recipient.envelope.secondaryId) : null,
     templateId: type === EnvelopeType.TEMPLATE ? mapSecondaryIdToTemplateId(recipient.envelope.secondaryId) : null,

packages/lib/server-only/share/create-or-get-share-link.ts

@@ -5,6 +5,7 @@ import { match, P } from 'ts-pattern';
 import { AppError, AppErrorCode } from '../../errors/app-error';
 import { alphaid } from '../../universal/id';
 import { unsafeBuildEnvelopeIdQuery } from '../../utils/envelope';
+import { getEnvelopeWhereInput } from '../envelope/get-envelope-by-id';
 
 export type CreateSharingIdOptions =
   | {
@@ -27,6 +28,7 @@ export const createOrGetShareLink = async ({ documentId, ...options }: CreateSha
     ),
     select: {
       id: true,
+      teamId: true,
     },
   });
 
@@ -46,6 +48,31 @@ export const createOrGetShareLink = async ({ documentId, ...options }: CreateSha
         .then((recipient) => recipient?.email);
     })
     .with({ userId: P.number }, async ({ userId }) => {
+      // Ensure the authenticated user actually has visibility-aware access to the
+      // envelope before allowing them to create a share link. The share route does
+      // not carry a teamId, so we derive it from the envelope and reuse the canonical
+      // visibility check (owner OR team member with sufficient visibility).
+      const { envelopeWhereInput } = await getEnvelopeWhereInput({
+        id: {
+          type: 'documentId',
+          id: documentId,
+        },
+        userId,
+        teamId: envelope.teamId,
+        type: EnvelopeType.DOCUMENT,
+      });
+
+      const accessibleEnvelope = await prisma.envelope.findFirst({
+        where: envelopeWhereInput,
+        select: {
+          id: true,
+        },
+      });
+
+      if (!accessibleEnvelope) {
+        throw new AppError(AppErrorCode.NOT_FOUND);
+      }
+
       return await prisma.user
         .findFirst({
           where: {

packages/lib/server-only/team/delete-team.ts

@@ -85,6 +85,7 @@ export const deleteTeam = async ({ userId, teamId }: DeleteTeamOptions) => {
     // Purge all internal organisation groups that have no teams.
     await tx.organisationGroup.deleteMany({
       where: {
+        organisationId: team.organisationId,
         type: OrganisationGroupType.INTERNAL_TEAM,
         teamGroups: {
           none: {},

packages/lib/server-only/team/get-team-public-profile.ts

@@ -3,7 +3,6 @@ import type { TeamProfile } from '@prisma/client';
 
 import { AppError, AppErrorCode } from '../../errors/app-error';
 import { buildTeamWhereQuery } from '../../utils/teams';
-import { updateTeamPublicProfile } from './update-team-public-profile';
 
 export type GetTeamPublicProfileOptions = {
   userId: number;
@@ -32,25 +31,24 @@ export const getTeamPublicProfile = async ({
     });
   }
 
-  // Create and return the public profile.
+  // Lazily initialize a disabled public profile on first access. Membership is
+  // already verified by the query above, so this system initialization does not
+  // impose the MANAGE_TEAM gate that updateTeamPublicProfile enforces for writes.
   if (!team.profile) {
-    const { url, profile } = await updateTeamPublicProfile({
-      userId: userId,
-      teamId,
-      data: {
+    const profile = await prisma.teamProfile.upsert({
+      where: {
+        teamId,
+      },
+      create: {
+        teamId,
         enabled: false,
       },
+      update: {},
     });
 
-    if (!profile) {
-      throw new AppError(AppErrorCode.NOT_FOUND, {
-        message: 'Failed to create public profile',
-      });
-    }
-
     return {
       profile,
-      url,
+      url: team.url,
     };
   }
 

packages/lib/server-only/team/update-team-public-profile.ts

@@ -1,3 +1,4 @@
+import { TEAM_MEMBER_ROLE_PERMISSIONS_MAP } from '@documenso/lib/constants/teams';
 import { prisma } from '@documenso/prisma';
 
 import { buildTeamWhereQuery } from '../../utils/teams';
@@ -13,7 +14,11 @@ export type UpdatePublicProfileOptions = {
 
 export const updateTeamPublicProfile = async ({ userId, teamId, data }: UpdatePublicProfileOptions) => {
   return await prisma.team.update({
-    where: buildTeamWhereQuery({ teamId, userId }),
+    where: buildTeamWhereQuery({
+      teamId,
+      userId,
+      roles: TEAM_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_TEAM'],
+    }),
     data: {
       profile: {
         upsert: {

packages/lib/server-only/user/forgot-password.ts

@@ -18,31 +18,26 @@ export const forgotPassword = async ({ email }: { email: string }) => {
     return;
   }
 
-  // Find a token that was created in the last hour and hasn't expired
-  // const existingToken = await prisma.passwordResetToken.findFirst({
-  //   where: {
-  //     userId: user.id,
-  //     expiry: {
-  //       gt: new Date(),
-  //     },
-  //     createdAt: {
-  //       gt: new Date(Date.now() - ONE_HOUR),
-  //     },
-  //   },
-  // });
-
-  // if (existingToken) {
-  //   return;
-  // }
-
   const token = crypto.randomBytes(18).toString('hex');
 
-  await prisma.passwordResetToken.create({
-    data: {
-      token,
-      expiry: new Date(Date.now() + ONE_HOUR),
-      userId: user.id,
-    },
+  // Invalidate any prior reset tokens for this user before issuing a new one, so
+  // only a single token is ever live at a time. We still always issue a fresh
+  // token (and email) so the user can request a new link if a prior email never
+  // arrived, while bounding the number of usable tokens to one.
+  await prisma.$transaction(async (tx) => {
+    await tx.passwordResetToken.deleteMany({
+      where: {
+        userId: user.id,
+      },
+    });
+
+    await tx.passwordResetToken.create({
+      data: {
+        token,
+        expiry: new Date(Date.now() + ONE_HOUR),
+        userId: user.id,
+      },
+    });
   });
 
   await sendForgotPassword({

packages/lib/server-only/webhooks/zapier/subscribe.ts

@@ -1,4 +1,6 @@
-import { AppError } from '@documenso/lib/errors/app-error';
+import { TEAM_MEMBER_ROLE_PERMISSIONS_MAP } from '@documenso/lib/constants/teams';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { buildTeamWhereQuery } from '@documenso/lib/utils/teams';
 import { prisma } from '@documenso/prisma';
 
 import { assertNotPrivateUrl } from '../assert-webhook-url';
@@ -9,14 +11,36 @@ export const subscribeHandler = async (req: Request) => {
     const authorization = req.headers.get('authorization');
 
     if (!authorization) {
-      return new Response('Unauthorized', { status: 401 });
+      throw new AppError(AppErrorCode.UNAUTHORIZED, { message: 'Unauthorized' });
     }
 
     const { webhookUrl, eventTrigger } = await req.json();
 
     await assertNotPrivateUrl(webhookUrl);
 
-    const result = await validateApiToken({ authorization });
+    const result = await validateApiToken({ authorization }).catch(() => {
+      throw new AppError(AppErrorCode.UNAUTHORIZED, { message: 'Unauthorized' });
+    });
+
+    const userId = result.userId ?? result.user.id;
+    const teamId = result.teamId ?? undefined;
+
+    // Re-verify the token holder still has MANAGE_TEAM on the team, mirroring the
+    // tRPC webhook mutations (create-webhook.ts). Guards against stale-privilege
+    // use of a token minted while the holder was privileged.
+    const team = await prisma.team.findFirst({
+      where: buildTeamWhereQuery({
+        teamId,
+        userId,
+        roles: TEAM_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_TEAM'],
+      }),
+    });
+
+    if (!team) {
+      throw new AppError(AppErrorCode.UNAUTHORIZED, {
+        message: 'You do not have permission to manage webhooks for this team',
+      });
+    }
 
     const createdWebhook = await prisma.webhook.create({
       data: {
@@ -24,15 +48,19 @@ export const subscribeHandler = async (req: Request) => {
         eventTriggers: [eventTrigger],
         secret: null,
         enabled: true,
-        userId: result.userId ?? result.user.id,
-        teamId: result.teamId ?? undefined,
+        userId,
+        teamId,
       },
     });
 
     return Response.json(createdWebhook);
   } catch (err) {
     if (err instanceof AppError) {
-      return Response.json({ message: err.message }, { status: 400 });
+      // Map authorization failures to 401, keep other AppErrors as 400 to
+      // preserve the existing Zapier contract (e.g. invalid webhook URL).
+      const status = err.code === AppErrorCode.UNAUTHORIZED ? 401 : 400;
+
+      return Response.json({ message: err.message }, { status });
     }
 
     console.error(err);

packages/lib/server-only/webhooks/zapier/unsubscribe.ts

@@ -1,3 +1,6 @@
+import { TEAM_MEMBER_ROLE_PERMISSIONS_MAP } from '@documenso/lib/constants/teams';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { buildTeamWhereQuery } from '@documenso/lib/utils/teams';
 import { prisma } from '@documenso/prisma';
 
 import { validateApiToken } from './validateApiToken';
@@ -7,23 +10,42 @@ export const unsubscribeHandler = async (req: Request) => {
     const authorization = req.headers.get('authorization');
 
     if (!authorization) {
-      return new Response('Unauthorized', { status: 401 });
+      throw new AppError(AppErrorCode.UNAUTHORIZED, { message: 'Unauthorized' });
     }
 
     const { webhookId } = await req.json();
 
-    const result = await validateApiToken({ authorization });
+    const result = await validateApiToken({ authorization }).catch(() => {
+      throw new AppError(AppErrorCode.UNAUTHORIZED, { message: 'Unauthorized' });
+    });
 
+    const userId = result.userId ?? result.user.id;
+    const teamId = result.teamId ?? undefined;
+
+    // Re-verify the token holder still has MANAGE_TEAM on the team, mirroring the
+    // tRPC delete-webhook-by-id mutation. Guards against stale-privilege use of a
+    // token minted while the holder was privileged.
     const deletedWebhook = await prisma.webhook.delete({
       where: {
         id: webhookId,
-        userId: result.userId ?? result.user.id,
-        teamId: result.teamId ?? undefined,
+        team: buildTeamWhereQuery({
+          teamId,
+          userId,
+          roles: TEAM_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_TEAM'],
+        }),
       },
     });
 
     return Response.json(deletedWebhook);
   } catch (err) {
+    if (err instanceof AppError) {
+      // Map authorization failures to 401, keep other AppErrors as 400 to
+      // preserve the existing Zapier contract.
+      const status = err.code === AppErrorCode.UNAUTHORIZED ? 401 : 400;
+
+      return Response.json({ message: err.message }, { status });
+    }
+
     console.error(err);
 
     return Response.json(

packages/lib/translations/de/web.po

@@ -2441,6 +2441,7 @@ msgstr "Branding-Logo"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Branding Preferences"
 msgstr "Markenpräferenzen"
 
@@ -3572,6 +3573,7 @@ msgid "Currently all organisation members can access this team"
 msgstr "Derzeit können alle Organisationsmitglieder auf dieses Team zugreifen"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Currently branding can only be configured for Teams and above plans."
 msgstr "Zurzeit kann das Branding nur für Teams und darüber konfiguriert werden."
 
@@ -4214,8 +4216,8 @@ msgstr "Dokument storniert"
 
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
+#: packages/lib/jobs/definitions/emails/send-document-deleted-emails.handler.ts
 #: packages/lib/server-only/admin/admin-super-delete-document.ts
-#: packages/lib/server-only/document/delete-document.ts
 msgid "Document Cancelled"
 msgstr "Dokument storniert"
 
@@ -7942,6 +7944,11 @@ msgstr "Original"
 msgid "Otherwise, the document will be created as a draft."
 msgstr "Andernfalls wird das Dokument als Entwurf erstellt."
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Overlapping fields detected"
+msgstr ""
+
 #: apps/remix/app/components/forms/document-preferences-form.tsx
 #: apps/remix/app/components/forms/email-preferences-form.tsx
 msgid "Override organisation settings"
@@ -8917,6 +8924,11 @@ msgstr "Weiterleitungs-URL"
 msgid "Redirecting"
 msgstr "Weiterleitung"
 
+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -10219,6 +10231,11 @@ msgstr "Website Einstellungen"
 msgid "Skip"
 msgstr "Überspringen"
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Some fields are placed on top of each other. This may complicate the signing process or cause fields to not work as expected."
+msgstr ""
+
 #: packages/ui/primitives/document-flow/missing-signature-field-dialog.tsx
 msgid "Some signers have not been assigned a signature field. Please assign at least 1 signature field to each signer before proceeding."
 msgstr "Einige Unterzeichner haben noch kein Unterschriftsfeld zugewiesen bekommen. Bitte weisen Sie jedem Unterzeichner mindestens ein Unterschriftsfeld zu, bevor Sie fortfahren."
@@ -12342,6 +12359,7 @@ msgstr "Banner aktualisieren"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.email-domains._index.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Update Billing"
 msgstr "Rechnungsdaten aktualisieren"
 
@@ -12942,7 +12960,7 @@ msgstr "Warten"
 msgid "Waiting for others"
 msgstr "Warten auf andere"
 
-#: packages/lib/server-only/document/send-pending-email.ts
+#: packages/lib/jobs/definitions/emails/send-document-pending-email.handler.ts
 msgid "Waiting for others to complete signing."
 msgstr "Warten auf andere, um die Unterzeichnung abzuschließen."
 
@@ -13916,8 +13934,7 @@ msgstr "Du wurdest eingeladen, {0} auf Documenso beizutreten"
 msgid "You have been invited to join the following organisation"
 msgstr "Sie wurden eingeladen, der folgenden Organisation beizutreten"
 
-#: packages/lib/server-only/recipient/delete-envelope-recipient.ts
-#: packages/lib/server-only/recipient/set-document-recipients.ts
+#: packages/lib/jobs/definitions/emails/send-recipient-removed-email.handler.ts
 msgid "You have been removed from a document"
 msgstr "Du wurdest von einem Dokument entfernt"
 
@@ -14716,4 +14733,3 @@ msgstr "Ihr Verifizierungscode:"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.sso.tsx
 msgid "your-domain.com another-domain.com"
 msgstr "your-domain.com another-domain.com"
-

packages/lib/translations/en/web.po

@@ -2436,6 +2436,7 @@ msgstr "Branding Logo"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Branding Preferences"
 msgstr "Branding Preferences"
 
@@ -3567,6 +3568,7 @@ msgid "Currently all organisation members can access this team"
 msgstr "Currently all organisation members can access this team"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Currently branding can only be configured for Teams and above plans."
 msgstr "Currently branding can only be configured for Teams and above plans."
 
@@ -4209,8 +4211,8 @@ msgstr "Document cancelled"
 
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
+#: packages/lib/jobs/definitions/emails/send-document-deleted-emails.handler.ts
 #: packages/lib/server-only/admin/admin-super-delete-document.ts
-#: packages/lib/server-only/document/delete-document.ts
 msgid "Document Cancelled"
 msgstr "Document Cancelled"
 
@@ -7937,6 +7939,11 @@ msgstr "Original"
 msgid "Otherwise, the document will be created as a draft."
 msgstr "Otherwise, the document will be created as a draft."
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Overlapping fields detected"
+msgstr "Overlapping fields detected"
+
 #: apps/remix/app/components/forms/document-preferences-form.tsx
 #: apps/remix/app/components/forms/email-preferences-form.tsx
 msgid "Override organisation settings"
@@ -8772,6 +8779,10 @@ msgstr "Recipient ID:"
 msgid "Recipient rejected the document"
 msgstr "Recipient rejected the document"
 
+#: packages/lib/utils/document-audit-logs.ts
+msgid "Recipient rejected the document externally"
+msgstr "Recipient rejected the document externally"
+
 #: apps/remix/app/components/general/admin-global-settings-section.tsx
 msgid "Recipient removed"
 msgstr "Recipient removed"
@@ -8908,6 +8919,11 @@ msgstr "Redirect URL"
 msgid "Redirecting"
 msgstr "Redirecting"
 
+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr "Redirecting to {0}..."
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -10210,6 +10226,11 @@ msgstr "Site Settings"
 msgid "Skip"
 msgstr "Skip"
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Some fields are placed on top of each other. This may complicate the signing process or cause fields to not work as expected."
+msgstr "Some fields are placed on top of each other. This may complicate the signing process or cause fields to not work as expected."
+
 #: packages/ui/primitives/document-flow/missing-signature-field-dialog.tsx
 msgid "Some signers have not been assigned a signature field. Please assign at least 1 signature field to each signer before proceeding."
 msgstr "Some signers have not been assigned a signature field. Please assign at least 1 signature field to each signer before proceeding."
@@ -11088,6 +11109,23 @@ msgstr "The document signing process will be stopped"
 msgid "The document was created but could not be sent to recipients."
 msgstr "The document was created but could not be sent to recipients."
 
+#: packages/lib/utils/document-audit-logs.ts
+msgid "The document was rejected externally by {onBehalfOf} on behalf of {user}"
+msgstr "The document was rejected externally by {onBehalfOf} on behalf of {user}"
+
+#: packages/lib/utils/document-audit-logs.ts
+#: packages/lib/utils/document-audit-logs.ts
+msgid "The document was rejected externally by {onBehalfOf} on behalf of the recipient"
+msgstr "The document was rejected externally by {onBehalfOf} on behalf of the recipient"
+
+#: packages/lib/utils/document-audit-logs.ts
+msgid "The document was rejected externally on behalf of {user}"
+msgstr "The document was rejected externally on behalf of {user}"
+
+#: packages/lib/utils/document-audit-logs.ts
+msgid "The document was rejected externally on behalf of the recipient"
+msgstr "The document was rejected externally on behalf of the recipient"
+
 #: apps/remix/app/components/dialogs/envelope-delete-dialog.tsx
 msgid "The document will be hidden from your account"
 msgstr "The document will be hidden from your account"
@@ -12316,6 +12354,7 @@ msgstr "Update Banner"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.email-domains._index.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Update Billing"
 msgstr "Update Billing"
 
@@ -12916,7 +12955,7 @@ msgstr "Waiting"
 msgid "Waiting for others"
 msgstr "Waiting for others"
 
-#: packages/lib/server-only/document/send-pending-email.ts
+#: packages/lib/jobs/definitions/emails/send-document-pending-email.handler.ts
 msgid "Waiting for others to complete signing."
 msgstr "Waiting for others to complete signing."
 
@@ -13890,8 +13929,7 @@ msgstr "You have been invited to join {0} on Documenso"
 msgid "You have been invited to join the following organisation"
 msgstr "You have been invited to join the following organisation"
 
-#: packages/lib/server-only/recipient/delete-envelope-recipient.ts
-#: packages/lib/server-only/recipient/set-document-recipients.ts
+#: packages/lib/jobs/definitions/emails/send-recipient-removed-email.handler.ts
 msgid "You have been removed from a document"
 msgstr "You have been removed from a document"
 

packages/lib/translations/es/web.po

@@ -2441,6 +2441,7 @@ msgstr "Logotipo de Marca"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Branding Preferences"
 msgstr "Preferencias de marca"
 
@@ -3572,6 +3573,7 @@ msgid "Currently all organisation members can access this team"
 msgstr "Actualmente, todos los miembros de la organización pueden acceder a este equipo"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Currently branding can only be configured for Teams and above plans."
 msgstr "Actualmente la marca solo se puede configurar para Equipos y planes superiores."
 
@@ -4214,8 +4216,8 @@ msgstr "Documento cancelado"
 
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
+#: packages/lib/jobs/definitions/emails/send-document-deleted-emails.handler.ts
 #: packages/lib/server-only/admin/admin-super-delete-document.ts
-#: packages/lib/server-only/document/delete-document.ts
 msgid "Document Cancelled"
 msgstr "Documento cancelado"
 
@@ -7942,6 +7944,11 @@ msgstr "Original"
 msgid "Otherwise, the document will be created as a draft."
 msgstr "De lo contrario, el documento se creará como un borrador."
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Overlapping fields detected"
+msgstr ""
+
 #: apps/remix/app/components/forms/document-preferences-form.tsx
 #: apps/remix/app/components/forms/email-preferences-form.tsx
 msgid "Override organisation settings"
@@ -8917,6 +8924,11 @@ msgstr "URL de redirección"
 msgid "Redirecting"
 msgstr "Redireccionando"
 
+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -10219,6 +10231,11 @@ msgstr "Configuraciones del sitio"
 msgid "Skip"
 msgstr "Omitir"
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Some fields are placed on top of each other. This may complicate the signing process or cause fields to not work as expected."
+msgstr ""
+
 #: packages/ui/primitives/document-flow/missing-signature-field-dialog.tsx
 msgid "Some signers have not been assigned a signature field. Please assign at least 1 signature field to each signer before proceeding."
 msgstr "Algunos firmantes no han sido asignados a un campo de firma. Asigne al menos 1 campo de firma a cada firmante antes de continuar."
@@ -12342,6 +12359,7 @@ msgstr "Actualizar banner"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.email-domains._index.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Update Billing"
 msgstr "Actualizar facturación"
 
@@ -12942,7 +12960,7 @@ msgstr "Esperando"
 msgid "Waiting for others"
 msgstr "Esperando a otros"
 
-#: packages/lib/server-only/document/send-pending-email.ts
+#: packages/lib/jobs/definitions/emails/send-document-pending-email.handler.ts
 msgid "Waiting for others to complete signing."
 msgstr "Esperando a que otros completen la firma."
 
@@ -13916,8 +13934,7 @@ msgstr "Te han invitado a unirte a {0} en Documenso"
 msgid "You have been invited to join the following organisation"
 msgstr "Has sido invitado a unirte a la siguiente organización"
 
-#: packages/lib/server-only/recipient/delete-envelope-recipient.ts
-#: packages/lib/server-only/recipient/set-document-recipients.ts
+#: packages/lib/jobs/definitions/emails/send-recipient-removed-email.handler.ts
 msgid "You have been removed from a document"
 msgstr "Te han eliminado de un documento"
 
@@ -14716,4 +14733,3 @@ msgstr "Su código de verificación:"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.sso.tsx
 msgid "your-domain.com another-domain.com"
 msgstr "su-dominio.com otro-dominio.com"
-

packages/lib/translations/fr/web.po

@@ -2441,6 +2441,7 @@ msgstr "Logo de la marque"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Branding Preferences"
 msgstr "Préférences de branding"
 
@@ -3572,6 +3573,7 @@ msgid "Currently all organisation members can access this team"
 msgstr "Actuellement, tous les membres de l'organisation peuvent accéder à cette équipe"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Currently branding can only be configured for Teams and above plans."
 msgstr "Actuellement, la personnalisation de la marque ne peut être configurée que pour les plans Équipe et plus."
 
@@ -4214,8 +4216,8 @@ msgstr "Document annulé"
 
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
+#: packages/lib/jobs/definitions/emails/send-document-deleted-emails.handler.ts
 #: packages/lib/server-only/admin/admin-super-delete-document.ts
-#: packages/lib/server-only/document/delete-document.ts
 msgid "Document Cancelled"
 msgstr "Document Annulé"
 
@@ -7942,6 +7944,11 @@ msgstr "Original"
 msgid "Otherwise, the document will be created as a draft."
 msgstr "Sinon, le document sera créé sous forme de brouillon."
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Overlapping fields detected"
+msgstr ""
+
 #: apps/remix/app/components/forms/document-preferences-form.tsx
 #: apps/remix/app/components/forms/email-preferences-form.tsx
 msgid "Override organisation settings"
@@ -8424,7 +8431,7 @@ msgstr "Veuillez réessayer ou contacter notre support."
 #. placeholder {0}: `'${t(deleteMessage)}'`
 #: apps/remix/app/components/dialogs/envelope-delete-dialog.tsx
 msgid "Please type {0} to confirm"
-msgstr "Veuiillez taper {0} pour confirmer"
+msgstr "Veuillez taper {0} pour confirmer"
 
 #. placeholder {0}: user.email
 #: apps/remix/app/components/dialogs/account-delete-dialog.tsx
@@ -8917,6 +8924,11 @@ msgstr "URL de redirection"
 msgid "Redirecting"
 msgstr "Redirection"
 
+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -10219,6 +10231,11 @@ msgstr "Paramètres du site"
 msgid "Skip"
 msgstr "Ignorer"
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Some fields are placed on top of each other. This may complicate the signing process or cause fields to not work as expected."
+msgstr ""
+
 #: packages/ui/primitives/document-flow/missing-signature-field-dialog.tsx
 msgid "Some signers have not been assigned a signature field. Please assign at least 1 signature field to each signer before proceeding."
 msgstr "Certains signataires n'ont pas été assignés à un champ de signature. Veuillez assigner au moins 1 champ de signature à chaque signataire avant de continuer."
@@ -12342,6 +12359,7 @@ msgstr "Mettre à jour la bannière"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.email-domains._index.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Update Billing"
 msgstr "Mettre à jour la facturation"
 
@@ -12942,7 +12960,7 @@ msgstr "En attente"
 msgid "Waiting for others"
 msgstr "En attente des autres"
 
-#: packages/lib/server-only/document/send-pending-email.ts
+#: packages/lib/jobs/definitions/emails/send-document-pending-email.handler.ts
 msgid "Waiting for others to complete signing."
 msgstr "En attente que d'autres terminent la signature."
 
@@ -13916,8 +13934,7 @@ msgstr "Vous avez été invité à rejoindre {0} sur Documenso"
 msgid "You have been invited to join the following organisation"
 msgstr "Vous avez été invité à rejoindre l'organisation suivante"
 
-#: packages/lib/server-only/recipient/delete-envelope-recipient.ts
-#: packages/lib/server-only/recipient/set-document-recipients.ts
+#: packages/lib/jobs/definitions/emails/send-recipient-removed-email.handler.ts
 msgid "You have been removed from a document"
 msgstr "Vous avez été supprimé d'un document"
 
@@ -14716,4 +14733,3 @@ msgstr "Votre code de vérification :"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.sso.tsx
 msgid "your-domain.com another-domain.com"
 msgstr "your-domain.com another-domain.com"
-

packages/lib/translations/it/web.po

@@ -2441,6 +2441,7 @@ msgstr "Logo del Marchio"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Branding Preferences"
 msgstr "Preferenze per il branding"
 
@@ -3572,6 +3573,7 @@ msgid "Currently all organisation members can access this team"
 msgstr "Attualmente tutti i membri dell'organizzazione possono accedere a questo team"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Currently branding can only be configured for Teams and above plans."
 msgstr "Attualmente il marchio può essere configurato solo per i piani Team e superiori."
 
@@ -4214,8 +4216,8 @@ msgstr "Documento annullato"
 
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
+#: packages/lib/jobs/definitions/emails/send-document-deleted-emails.handler.ts
 #: packages/lib/server-only/admin/admin-super-delete-document.ts
-#: packages/lib/server-only/document/delete-document.ts
 msgid "Document Cancelled"
 msgstr "Documento Annullato"
 
@@ -7942,6 +7944,11 @@ msgstr "Originale"
 msgid "Otherwise, the document will be created as a draft."
 msgstr "Altrimenti, il documento sarà creato come bozza."
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Overlapping fields detected"
+msgstr ""
+
 #: apps/remix/app/components/forms/document-preferences-form.tsx
 #: apps/remix/app/components/forms/email-preferences-form.tsx
 msgid "Override organisation settings"
@@ -8917,6 +8924,11 @@ msgstr "URL di reindirizzamento"
 msgid "Redirecting"
 msgstr "Reindirizzamento"
 
+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -10219,6 +10231,11 @@ msgstr "Impostazioni del sito"
 msgid "Skip"
 msgstr "Salta"
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Some fields are placed on top of each other. This may complicate the signing process or cause fields to not work as expected."
+msgstr ""
+
 #: packages/ui/primitives/document-flow/missing-signature-field-dialog.tsx
 msgid "Some signers have not been assigned a signature field. Please assign at least 1 signature field to each signer before proceeding."
 msgstr "Alcuni firmatari non hanno un campo firma assegnato. Assegna almeno 1 campo di firma a ciascun firmatario prima di procedere."
@@ -12342,6 +12359,7 @@ msgstr "Aggiorna banner"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.email-domains._index.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Update Billing"
 msgstr "Aggiorna fatturazione"
 
@@ -12942,7 +12960,7 @@ msgstr "In attesa"
 msgid "Waiting for others"
 msgstr "In attesa di altri"
 
-#: packages/lib/server-only/document/send-pending-email.ts
+#: packages/lib/jobs/definitions/emails/send-document-pending-email.handler.ts
 msgid "Waiting for others to complete signing."
 msgstr "In attesa che altri completino la firma."
 
@@ -13916,8 +13934,7 @@ msgstr "Sei stato invitato a unirti a {0} su Documenso"
 msgid "You have been invited to join the following organisation"
 msgstr "Sei stato invitato a unirti alla seguente organizzazione"
 
-#: packages/lib/server-only/recipient/delete-envelope-recipient.ts
-#: packages/lib/server-only/recipient/set-document-recipients.ts
+#: packages/lib/jobs/definitions/emails/send-recipient-removed-email.handler.ts
 msgid "You have been removed from a document"
 msgstr "Sei stato rimosso da un documento"
 
@@ -14716,4 +14733,3 @@ msgstr "Il tuo codice di verifica:"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.sso.tsx
 msgid "your-domain.com another-domain.com"
 msgstr "tuo-dominio.com altro-dominio.com"
-

packages/lib/translations/ja/web.po

@@ -2441,6 +2441,7 @@ msgstr "ブランディングロゴ"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Branding Preferences"
 msgstr "ブランディング設定"
 
@@ -3572,6 +3573,7 @@ msgid "Currently all organisation members can access this team"
 msgstr "現在、すべての組織メンバーがこのチームにアクセスできます"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Currently branding can only be configured for Teams and above plans."
 msgstr "現在、ブランディングは Teams プラン以上のみ設定できます。"
 
@@ -4214,8 +4216,8 @@ msgstr "文書は取り消されました"
 
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
+#: packages/lib/jobs/definitions/emails/send-document-deleted-emails.handler.ts
 #: packages/lib/server-only/admin/admin-super-delete-document.ts
-#: packages/lib/server-only/document/delete-document.ts
 msgid "Document Cancelled"
 msgstr "文書はキャンセルされました"
 
@@ -7942,6 +7944,11 @@ msgstr "オリジナル"
 msgid "Otherwise, the document will be created as a draft."
 msgstr "チェックを入れない場合、文書は下書きとして作成されます。"
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Overlapping fields detected"
+msgstr ""
+
 #: apps/remix/app/components/forms/document-preferences-form.tsx
 #: apps/remix/app/components/forms/email-preferences-form.tsx
 msgid "Override organisation settings"
@@ -8917,6 +8924,11 @@ msgstr "リダイレクト URL"
 msgid "Redirecting"
 msgstr "リダイレクト中"
 
+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -10219,6 +10231,11 @@ msgstr "サイト設定"
 msgid "Skip"
 msgstr "スキップ"
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Some fields are placed on top of each other. This may complicate the signing process or cause fields to not work as expected."
+msgstr ""
+
 #: packages/ui/primitives/document-flow/missing-signature-field-dialog.tsx
 msgid "Some signers have not been assigned a signature field. Please assign at least 1 signature field to each signer before proceeding."
 msgstr "一部の署名者に署名フィールドが割り当てられていません。続行する前に、各署名者に少なくとも 1 つの署名フィールドを割り当ててください。"
@@ -12342,6 +12359,7 @@ msgstr "バナーを更新"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.email-domains._index.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Update Billing"
 msgstr "請求情報を更新"
 
@@ -12942,7 +12960,7 @@ msgstr "保留中"
 msgid "Waiting for others"
 msgstr "他の人の完了待ち"
 
-#: packages/lib/server-only/document/send-pending-email.ts
+#: packages/lib/jobs/definitions/emails/send-document-pending-email.handler.ts
 msgid "Waiting for others to complete signing."
 msgstr "他の署名者による署名完了を待っています。"
 
@@ -13916,8 +13934,7 @@ msgstr "Documenso で {0} に参加するよう招待されています"
 msgid "You have been invited to join the following organisation"
 msgstr "次の組織に参加するよう招待されています。"
 
-#: packages/lib/server-only/recipient/delete-envelope-recipient.ts
-#: packages/lib/server-only/recipient/set-document-recipients.ts
+#: packages/lib/jobs/definitions/emails/send-recipient-removed-email.handler.ts
 msgid "You have been removed from a document"
 msgstr "ドキュメントから削除されました"
 
@@ -14716,4 +14733,3 @@ msgstr "認証コード:"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.sso.tsx
 msgid "your-domain.com another-domain.com"
 msgstr "your-domain.com another-domain.com"
-

packages/lib/translations/ko/web.po

@@ -2441,6 +2441,7 @@ msgstr "브랜딩 로고"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Branding Preferences"
 msgstr "브랜딩 환경설정"
 
@@ -3572,6 +3573,7 @@ msgid "Currently all organisation members can access this team"
 msgstr "현재 모든 조직 구성원이 이 팀에 접근할 수 있습니다."
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Currently branding can only be configured for Teams and above plans."
 msgstr "브랜딩은 현재 Teams 요금제 이상에서만 구성할 수 있습니다."
 
@@ -4214,8 +4216,8 @@ msgstr "문서가 취소되었습니다"
 
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
+#: packages/lib/jobs/definitions/emails/send-document-deleted-emails.handler.ts
 #: packages/lib/server-only/admin/admin-super-delete-document.ts
-#: packages/lib/server-only/document/delete-document.ts
 msgid "Document Cancelled"
 msgstr "문서가 취소됨"
 
@@ -7942,6 +7944,11 @@ msgstr "원본"
 msgid "Otherwise, the document will be created as a draft."
 msgstr "그렇지 않으면 문서는 초안으로 생성됩니다."
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Overlapping fields detected"
+msgstr ""
+
 #: apps/remix/app/components/forms/document-preferences-form.tsx
 #: apps/remix/app/components/forms/email-preferences-form.tsx
 msgid "Override organisation settings"
@@ -8917,6 +8924,11 @@ msgstr "리디렉션 URL"
 msgid "Redirecting"
 msgstr "리디렉션 중"
 
+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -10219,6 +10231,11 @@ msgstr "사이트 설정"
 msgid "Skip"
 msgstr "건너뛰기"
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Some fields are placed on top of each other. This may complicate the signing process or cause fields to not work as expected."
+msgstr ""
+
 #: packages/ui/primitives/document-flow/missing-signature-field-dialog.tsx
 msgid "Some signers have not been assigned a signature field. Please assign at least 1 signature field to each signer before proceeding."
 msgstr "일부 서명자에게 서명 필드가 할당되지 않았습니다. 진행하기 전에 각 서명자에게 최소 1개 이상의 서명 필드를 할당해 주세요."
@@ -12342,6 +12359,7 @@ msgstr "배너 업데이트"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.email-domains._index.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Update Billing"
 msgstr "결제 정보 업데이트"
 
@@ -12942,7 +12960,7 @@ msgstr "대기 중"
 msgid "Waiting for others"
 msgstr "다른 사람을 기다리는 중"
 
-#: packages/lib/server-only/document/send-pending-email.ts
+#: packages/lib/jobs/definitions/emails/send-document-pending-email.handler.ts
 msgid "Waiting for others to complete signing."
 msgstr "다른 서명자들이 이 문서에 서명 완료하기를 기다리는 중입니다."
 
@@ -13916,8 +13934,7 @@ msgstr "Documenso에서 {0} 조직에 초대되었습니다."
 msgid "You have been invited to join the following organisation"
 msgstr "다음 조직에 참여하라는 초대를 받았습니다."
 
-#: packages/lib/server-only/recipient/delete-envelope-recipient.ts
-#: packages/lib/server-only/recipient/set-document-recipients.ts
+#: packages/lib/jobs/definitions/emails/send-recipient-removed-email.handler.ts
 msgid "You have been removed from a document"
 msgstr "문서에서 제거되었습니다."
 
@@ -14716,4 +14733,3 @@ msgstr "인증 코드:"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.sso.tsx
 msgid "your-domain.com another-domain.com"
 msgstr "your-domain.com another-domain.com"
-

packages/lib/translations/nl/web.po

@@ -2441,6 +2441,7 @@ msgstr "Branding-logo"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Branding Preferences"
 msgstr "Brandingvoorkeuren"
 
@@ -3572,6 +3573,7 @@ msgid "Currently all organisation members can access this team"
 msgstr "Momenteel hebben alle organisatieleden toegang tot dit team"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Currently branding can only be configured for Teams and above plans."
 msgstr "Branding kan momenteel alleen worden geconfigureerd voor Teams- en hogere abonnementen."
 
@@ -4214,8 +4216,8 @@ msgstr "Document geannuleerd"
 
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
+#: packages/lib/jobs/definitions/emails/send-document-deleted-emails.handler.ts
 #: packages/lib/server-only/admin/admin-super-delete-document.ts
-#: packages/lib/server-only/document/delete-document.ts
 msgid "Document Cancelled"
 msgstr "Document geannuleerd"
 
@@ -7942,6 +7944,11 @@ msgstr "Origineel"
 msgid "Otherwise, the document will be created as a draft."
 msgstr "Anders wordt het document als concept aangemaakt."
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Overlapping fields detected"
+msgstr ""
+
 #: apps/remix/app/components/forms/document-preferences-form.tsx
 #: apps/remix/app/components/forms/email-preferences-form.tsx
 msgid "Override organisation settings"
@@ -8917,6 +8924,11 @@ msgstr "Redirect-URL"
 msgid "Redirecting"
 msgstr "Doorsturen"
 
+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -10219,6 +10231,11 @@ msgstr "Site‑instellingen"
 msgid "Skip"
 msgstr "Overslaan"
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Some fields are placed on top of each other. This may complicate the signing process or cause fields to not work as expected."
+msgstr ""
+
 #: packages/ui/primitives/document-flow/missing-signature-field-dialog.tsx
 msgid "Some signers have not been assigned a signature field. Please assign at least 1 signature field to each signer before proceeding."
 msgstr "Sommige ondertekenaars hebben geen handtekeningveld toegewezen gekregen. Wijs ten minste 1 handtekeningveld toe aan elke ondertekenaar voordat je doorgaat."
@@ -12342,6 +12359,7 @@ msgstr "Banner bijwerken"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.email-domains._index.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Update Billing"
 msgstr "Facturering bijwerken"
 
@@ -12942,7 +12960,7 @@ msgstr "Wachten"
 msgid "Waiting for others"
 msgstr "Wachten op anderen"
 
-#: packages/lib/server-only/document/send-pending-email.ts
+#: packages/lib/jobs/definitions/emails/send-document-pending-email.handler.ts
 msgid "Waiting for others to complete signing."
 msgstr "Wachten tot anderen het ondertekenen hebben voltooid."
 
@@ -13916,8 +13934,7 @@ msgstr "Je bent uitgenodigd om {0} op Documenso te joinen"
 msgid "You have been invited to join the following organisation"
 msgstr "Je bent uitgenodigd om lid te worden van de volgende organisatie"
 
-#: packages/lib/server-only/recipient/delete-envelope-recipient.ts
-#: packages/lib/server-only/recipient/set-document-recipients.ts
+#: packages/lib/jobs/definitions/emails/send-recipient-removed-email.handler.ts
 msgid "You have been removed from a document"
 msgstr "Je bent verwijderd uit een document"
 
@@ -14716,4 +14733,3 @@ msgstr "Uw verificatiecode:"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.sso.tsx
 msgid "your-domain.com another-domain.com"
 msgstr "your-domain.com another-domain.com"
-

packages/lib/translations/pl/web.po

@@ -2441,6 +2441,7 @@ msgstr "Logo marki"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Branding Preferences"
 msgstr "Ustawienia brandingu"
 
@@ -2501,7 +2502,6 @@ msgstr "Akceptując prośbę, przyznasz zespołowi {0} następujące uprawnienia
 
 #: packages/email/templates/confirm-team-email.tsx
 msgid "By accepting this request, you will be granting <0>{teamName}</0> access to:"
-msgstr "Akceptując prośbę, umożliwisz zespołowi <0>{teamName}</0> na:"
 msgstr "Akceptując prośbę, umożliwisz zespołowi <0>{teamName}</0>:"
 
 #: apps/remix/app/components/dialogs/envelope-delete-dialog.tsx
@@ -3573,6 +3573,7 @@ msgid "Currently all organisation members can access this team"
 msgstr "Obecnie wszyscy użytkownicy organizacji mogą uzyskać dostęp tego zespołu"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Currently branding can only be configured for Teams and above plans."
 msgstr "Branding możesz skonfigurować tylko w planie Teams i wyższym."
 
@@ -4215,8 +4216,8 @@ msgstr "Anulowano dokument"
 
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
+#: packages/lib/jobs/definitions/emails/send-document-deleted-emails.handler.ts
 #: packages/lib/server-only/admin/admin-super-delete-document.ts
-#: packages/lib/server-only/document/delete-document.ts
 msgid "Document Cancelled"
 msgstr "Dokument został anulowany"
 
@@ -7943,6 +7944,11 @@ msgstr "Oryginalny"
 msgid "Otherwise, the document will be created as a draft."
 msgstr "W przeciwnym razie dokument zostanie utworzony jako wersja robocza."
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Overlapping fields detected"
+msgstr ""
+
 #: apps/remix/app/components/forms/document-preferences-form.tsx
 #: apps/remix/app/components/forms/email-preferences-form.tsx
 msgid "Override organisation settings"
@@ -8918,6 +8924,11 @@ msgstr "Adres URL przekierowania"
 msgid "Redirecting"
 msgstr "Przekierowywanie"
 
+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -10220,6 +10231,11 @@ msgstr "Ustawienia strony"
 msgid "Skip"
 msgstr "Pomiń"
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Some fields are placed on top of each other. This may complicate the signing process or cause fields to not work as expected."
+msgstr ""
+
 #: packages/ui/primitives/document-flow/missing-signature-field-dialog.tsx
 msgid "Some signers have not been assigned a signature field. Please assign at least 1 signature field to each signer before proceeding."
 msgstr "Niektórym podpisującym nie przypisano pola podpisu. Przypisz co najmniej jedno pole podpisu do każdego podpisującego."
@@ -12343,6 +12359,7 @@ msgstr "Zaktualizuj baner"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.email-domains._index.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Update Billing"
 msgstr "Zaktualizuj płatności"
 
@@ -12943,7 +12960,7 @@ msgstr "Oczekiwanie"
 msgid "Waiting for others"
 msgstr "Oczekiwanie na innych"
 
-#: packages/lib/server-only/document/send-pending-email.ts
+#: packages/lib/jobs/definitions/emails/send-document-pending-email.handler.ts
 msgid "Waiting for others to complete signing."
 msgstr "Oczekiwanie na zakończenie podpisywania przez innych."
 
@@ -13917,8 +13934,7 @@ msgstr "Dołącz do organizacji {0} w Documenso"
 msgid "You have been invited to join the following organisation"
 msgstr "Masz zaproszenie do dołączenia do następującej organizacji"
 
-#: packages/lib/server-only/recipient/delete-envelope-recipient.ts
-#: packages/lib/server-only/recipient/set-document-recipients.ts
+#: packages/lib/jobs/definitions/emails/send-recipient-removed-email.handler.ts
 msgid "You have been removed from a document"
 msgstr "Usunięto Cię z dokumentu"
 
@@ -14717,4 +14733,3 @@ msgstr "Twój kod weryfikacyjny:"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.sso.tsx
 msgid "your-domain.com another-domain.com"
 msgstr "twoja-domena.pl inna-domena.pl"
-

packages/lib/translations/pt-BR/web.po

@@ -2436,6 +2436,7 @@ msgstr "Logo da Marca"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Branding Preferences"
 msgstr "Preferências da Marca"
 
@@ -3567,6 +3568,7 @@ msgid "Currently all organisation members can access this team"
 msgstr "Atualmente, todos os membros da organização podem acessar esta equipe"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Currently branding can only be configured for Teams and above plans."
 msgstr "Atualmente, a marca só pode ser configurada para planos Teams e superiores."
 
@@ -4209,8 +4211,8 @@ msgstr ""
 
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
+#: packages/lib/jobs/definitions/emails/send-document-deleted-emails.handler.ts
 #: packages/lib/server-only/admin/admin-super-delete-document.ts
-#: packages/lib/server-only/document/delete-document.ts
 msgid "Document Cancelled"
 msgstr "Documento Cancelado"
 
@@ -7937,6 +7939,11 @@ msgstr "Original"
 msgid "Otherwise, the document will be created as a draft."
 msgstr "Caso contrário, o documento será criado como um rascunho."
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Overlapping fields detected"
+msgstr ""
+
 #: apps/remix/app/components/forms/document-preferences-form.tsx
 #: apps/remix/app/components/forms/email-preferences-form.tsx
 msgid "Override organisation settings"
@@ -8772,6 +8779,10 @@ msgstr ""
 msgid "Recipient rejected the document"
 msgstr ""
 
+#: packages/lib/utils/document-audit-logs.ts
+msgid "Recipient rejected the document externally"
+msgstr ""
+
 #: apps/remix/app/components/general/admin-global-settings-section.tsx
 msgid "Recipient removed"
 msgstr ""
@@ -8908,6 +8919,11 @@ msgstr "URL de Redirecionamento"
 msgid "Redirecting"
 msgstr "Redirecionando"
 
+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -10210,6 +10226,11 @@ msgstr "Configurações do Site"
 msgid "Skip"
 msgstr "Pular"
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Some fields are placed on top of each other. This may complicate the signing process or cause fields to not work as expected."
+msgstr ""
+
 #: packages/ui/primitives/document-flow/missing-signature-field-dialog.tsx
 msgid "Some signers have not been assigned a signature field. Please assign at least 1 signature field to each signer before proceeding."
 msgstr "Alguns signatários não receberam um campo de assinatura. Por favor, atribua pelo menos 1 campo de assinatura a cada signatário antes de prosseguir."
@@ -11088,6 +11109,23 @@ msgstr ""
 msgid "The document was created but could not be sent to recipients."
 msgstr "O documento foi criado, mas não pôde ser enviado aos destinatários."
 
+#: packages/lib/utils/document-audit-logs.ts
+msgid "The document was rejected externally by {onBehalfOf} on behalf of {user}"
+msgstr ""
+
+#: packages/lib/utils/document-audit-logs.ts
+#: packages/lib/utils/document-audit-logs.ts
+msgid "The document was rejected externally by {onBehalfOf} on behalf of the recipient"
+msgstr ""
+
+#: packages/lib/utils/document-audit-logs.ts
+msgid "The document was rejected externally on behalf of {user}"
+msgstr ""
+
+#: packages/lib/utils/document-audit-logs.ts
+msgid "The document was rejected externally on behalf of the recipient"
+msgstr ""
+
 #: apps/remix/app/components/dialogs/envelope-delete-dialog.tsx
 msgid "The document will be hidden from your account"
 msgstr "O documento será ocultado da sua conta"
@@ -12316,6 +12354,7 @@ msgstr "Atualizar Banner"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.email-domains._index.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Update Billing"
 msgstr "Atualizar Faturamento"
 
@@ -12916,7 +12955,7 @@ msgstr "Aguardando"
 msgid "Waiting for others"
 msgstr "Aguardando outros"
 
-#: packages/lib/server-only/document/send-pending-email.ts
+#: packages/lib/jobs/definitions/emails/send-document-pending-email.handler.ts
 msgid "Waiting for others to complete signing."
 msgstr "Aguardando outros completarem a assinatura."
 
@@ -13890,8 +13929,7 @@ msgstr "Você foi convidado para participar de {0} no Documenso"
 msgid "You have been invited to join the following organisation"
 msgstr "Você foi convidado para participar da seguinte organização"
 
-#: packages/lib/server-only/recipient/delete-envelope-recipient.ts
-#: packages/lib/server-only/recipient/set-document-recipients.ts
+#: packages/lib/jobs/definitions/emails/send-recipient-removed-email.handler.ts
 msgid "You have been removed from a document"
 msgstr "Você foi removido de um documento"
 

packages/lib/translations/zh/web.po

@@ -2441,6 +2441,7 @@ msgstr "品牌 Logo"
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Branding Preferences"
 msgstr "品牌偏好设置"
 
@@ -3572,6 +3573,7 @@ msgid "Currently all organisation members can access this team"
 msgstr "目前所有组织成员都可以访问此团队"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Currently branding can only be configured for Teams and above plans."
 msgstr "目前仅 Teams 及以上套餐可以配置品牌。"
 
@@ -4214,8 +4216,8 @@ msgstr "文档已被取消"
 
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
 #: apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
+#: packages/lib/jobs/definitions/emails/send-document-deleted-emails.handler.ts
 #: packages/lib/server-only/admin/admin-super-delete-document.ts
-#: packages/lib/server-only/document/delete-document.ts
 msgid "Document Cancelled"
 msgstr "文档已取消"
 
@@ -7942,6 +7944,11 @@ msgstr "原始"
 msgid "Otherwise, the document will be created as a draft."
 msgstr "否则将把文档创建为草稿。"
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Overlapping fields detected"
+msgstr ""
+
 #: apps/remix/app/components/forms/document-preferences-form.tsx
 #: apps/remix/app/components/forms/email-preferences-form.tsx
 msgid "Override organisation settings"
@@ -8917,6 +8924,11 @@ msgstr "重定向 URL"
 msgid "Redirecting"
 msgstr "正在重定向"
 
+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -10219,6 +10231,11 @@ msgstr "站点设置"
 msgid "Skip"
 msgstr "跳过"
 
+#: apps/remix/app/components/dialogs/envelope-distribute-dialog.tsx
+#: apps/remix/app/components/general/envelope-editor/envelope-editor-fields-page.tsx
+msgid "Some fields are placed on top of each other. This may complicate the signing process or cause fields to not work as expected."
+msgstr ""
+
 #: packages/ui/primitives/document-flow/missing-signature-field-dialog.tsx
 msgid "Some signers have not been assigned a signature field. Please assign at least 1 signature field to each signer before proceeding."
 msgstr "部分签署人尚未被分配签名字段。请在继续前为每位签署人至少分配 1 个签名字段。"
@@ -12342,6 +12359,7 @@ msgstr "更新横幅"
 
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.email-domains._index.tsx
+#: apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx
 msgid "Update Billing"
 msgstr "更新计费"
 
@@ -12942,7 +12960,7 @@ msgstr "等待中"
 msgid "Waiting for others"
 msgstr "等待其他人"
 
-#: packages/lib/server-only/document/send-pending-email.ts
+#: packages/lib/jobs/definitions/emails/send-document-pending-email.handler.ts
 msgid "Waiting for others to complete signing."
 msgstr "正在等待其他人完成签署。"
 
@@ -13916,8 +13934,7 @@ msgstr "您已被邀请加入 Documenso 上的 {0}"
 msgid "You have been invited to join the following organisation"
 msgstr "您已被邀请加入以下组织"
 
-#: packages/lib/server-only/recipient/delete-envelope-recipient.ts
-#: packages/lib/server-only/recipient/set-document-recipients.ts
+#: packages/lib/jobs/definitions/emails/send-recipient-removed-email.handler.ts
 msgid "You have been removed from a document"
 msgstr "您已被从某个文档中移除"
 
@@ -14716,4 +14733,3 @@ msgstr "您的验证码："
 #: apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.sso.tsx
 msgid "your-domain.com another-domain.com"
 msgstr "your-domain.com another-domain.com"
-

packages/lib/utils/is-http-url.test.ts

@@ -0,0 +1,45 @@
+import { describe, expect, it } from 'vitest';
+
+import { isHttpUrl, toSafeHref } from './is-http-url';
+
+describe('isHttpUrl', () => {
+  it('accepts http and https URLs', () => {
+    expect(isHttpUrl('http://example.com')).toBe(true);
+    expect(isHttpUrl('https://example.com/path?q=1#hash')).toBe(true);
+    expect(isHttpUrl('HTTPS://EXAMPLE.COM')).toBe(true);
+  });
+
+  it('rejects non-http(s) schemes', () => {
+    expect(isHttpUrl('javascript:alert(1)')).toBe(false);
+    expect(isHttpUrl('JavaScript:alert(1)')).toBe(false);
+    expect(isHttpUrl('data:text/html,<script>alert(1)</script>')).toBe(false);
+    expect(isHttpUrl('vbscript:msgbox(1)')).toBe(false);
+    expect(isHttpUrl('file:///etc/passwd')).toBe(false);
+  });
+
+  it('rejects non-absolute or unparseable values', () => {
+    expect(isHttpUrl('not a url')).toBe(false);
+    expect(isHttpUrl('/relative/path')).toBe(false);
+    expect(isHttpUrl('')).toBe(false);
+  });
+
+  it('does not treat leading whitespace tricks as safe', () => {
+    // `new URL` trims leading control chars; ensure a smuggled scheme is rejected.
+    expect(isHttpUrl(' javascript:alert(1)')).toBe(false);
+    expect(isHttpUrl('java\tscript:alert(1)')).toBe(false);
+  });
+});
+
+describe('toSafeHref', () => {
+  it('returns the URL when it is http(s)', () => {
+    expect(toSafeHref('https://example.com')).toBe('https://example.com');
+  });
+
+  it('returns undefined for dangerous or empty values', () => {
+    expect(toSafeHref('javascript:alert(1)')).toBeUndefined();
+    expect(toSafeHref('data:text/html,x')).toBeUndefined();
+    expect(toSafeHref('')).toBeUndefined();
+    expect(toSafeHref(null)).toBeUndefined();
+    expect(toSafeHref(undefined)).toBeUndefined();
+  });
+});

packages/lib/utils/is-http-url.ts

@@ -0,0 +1,32 @@
+const ALLOWED_PROTOCOLS = ['http', 'https'];
+
+/**
+ * Returns true only when `value` parses as an absolute URL using the http or
+ * https protocol.
+ *
+ * Zod's `.url()` accepts any parseable URL, including non-web schemes. Use this
+ * to restrict user-supplied URLs to http(s) before they are stored or rendered
+ * as a link.
+ */
+export const isHttpUrl = (value: string) => {
+  try {
+    const url = new URL(value);
+
+    return ALLOWED_PROTOCOLS.includes(url.protocol.slice(0, -1).toLowerCase());
+  } catch {
+    return false;
+  }
+};
+
+/**
+ * Returns the value to use for a link `href` only when it is an http(s) URL,
+ * otherwise `undefined`. Use this when rendering user-supplied URLs as anchors,
+ * including for older rows stored before URL validation was in place.
+ */
+export const toSafeHref = (value: string | null | undefined): string | undefined => {
+  if (!value || !isHttpUrl(value)) {
+    return undefined;
+  }
+
+  return value;
+};

packages/trpc/server/envelope-router/attachment/create-attachment.types.ts

@@ -1,3 +1,4 @@
+import { isHttpUrl } from '@documenso/lib/utils/is-http-url';
 import { z } from 'zod';
 
 import type { TrpcRouteMeta } from '../../trpc';
@@ -16,7 +17,7 @@ export const ZCreateAttachmentRequestSchema = z.object({
   envelopeId: z.string(),
   data: z.object({
     label: z.string().min(1, 'Label is required'),
-    data: z.string().url('Must be a valid URL'),
+    data: z.string().url('Must be a valid URL').refine(isHttpUrl, 'URL must use the http or https protocol'),
   }),
 });
 

packages/trpc/server/envelope-router/attachment/update-attachment.types.ts

@@ -1,3 +1,4 @@
+import { isHttpUrl } from '@documenso/lib/utils/is-http-url';
 import { z } from 'zod';
 
 import { ZSuccessResponseSchema } from '../../schema';
@@ -17,7 +18,7 @@ export const ZUpdateAttachmentRequestSchema = z.object({
   id: z.string(),
   data: z.object({
     label: z.string().min(1, 'Label is required'),
-    data: z.string().url('Must be a valid URL'),
+    data: z.string().url('Must be a valid URL').refine(isHttpUrl, 'URL must use the http or https protocol'),
   }),
 });
 

packages/trpc/server/envelope-router/envelope-recipients/get-envelope-recipient.ts

@@ -1,4 +1,5 @@
 import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { getEnvelopeWhereInput } from '@documenso/lib/server-only/envelope/get-envelope-by-id';
 import { buildTeamWhereQuery } from '@documenso/lib/utils/teams';
 import { prisma } from '@documenso/prisma';
 
@@ -41,5 +42,26 @@ export const getEnvelopeRecipientRoute = authenticatedProcedure
       });
     }
 
+    const { envelopeWhereInput } = await getEnvelopeWhereInput({
+      id: {
+        type: 'envelopeId',
+        id: recipient.envelopeId,
+      },
+      type: null,
+      userId: user.id,
+      teamId,
+    });
+
+    // Additional validation to check visibility.
+    const envelope = await prisma.envelope.findUnique({
+      where: envelopeWhereInput,
+    });
+
+    if (!envelope) {
+      throw new AppError(AppErrorCode.NOT_FOUND, {
+        message: 'Recipient not found',
+      });
+    }
+
     return recipient;
   });

packages/trpc/server/organisation-router/update-organisation-group.ts

@@ -38,6 +38,15 @@ export const updateOrganisationGroupRoute = authenticatedProcedure
       },
       include: {
         organisationGroupMembers: true,
+        organisation: {
+          include: {
+            members: {
+              select: {
+                id: true,
+              },
+            },
+          },
+        },
       },
     });
 
@@ -78,6 +87,15 @@ export const updateOrganisationGroupRoute = authenticatedProcedure
 
     const groupMemberIds = unique(data.memberIds || []);
 
+    // Validate that members belong to the same organisation as the group.
+    groupMemberIds.forEach((memberId) => {
+      const member = organisationGroup.organisation.members.find(({ id }) => id === memberId);
+
+      if (!member) {
+        throw new AppError(AppErrorCode.NOT_FOUND);
+      }
+    });
+
     const membersToDelete = organisationGroup.organisationGroupMembers.filter(
       (member) => !groupMemberIds.includes(member.organisationMemberId),
     );

packages/trpc/server/team-router/delete-team-group.ts

@@ -53,6 +53,15 @@ export const deleteTeamGroupRoute = authenticatedProcedure
       });
     }
 
+    // You cannot delete internal team groups. These are the system-managed
+    // admin/manager/member groups that back the team's role-based access, and
+    // deleting them would silently strip team members of their access.
+    if (group.organisationGroup.type === OrganisationGroupType.INTERNAL_TEAM) {
+      throw new AppError(AppErrorCode.UNAUTHORIZED, {
+        message: 'You are not allowed to delete internal team groups',
+      });
+    }
+
     // You cannot delete internal organisation groups.
     // The only exception is deleting the "member" organisation group which is used to allow
     // all organisation members to access a team.

packages/trpc/server/team-router/update-team-group.ts

@@ -45,9 +45,12 @@ export const updateTeamGroupRoute = authenticatedProcedure
       });
     }
 
-    if (teamGroup.organisationGroup.type === OrganisationGroupType.INTERNAL_ORGANISATION) {
+    if (
+      teamGroup.organisationGroup.type === OrganisationGroupType.INTERNAL_ORGANISATION ||
+      teamGroup.organisationGroup.type === OrganisationGroupType.INTERNAL_TEAM
+    ) {
       throw new AppError(AppErrorCode.UNAUTHORIZED, {
-        message: 'You are not allowed to update internal organisation groups',
+        message: 'You are not allowed to update internal groups',
       });
     }
 

packages/tsconfig/process-env.d.ts

@@ -93,6 +93,13 @@ declare namespace NodeJS {
     NEXT_PUBLIC_DISABLE_OIDC_SIGNUP?: string;
     NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS?: string;
 
+    NEXT_PUBLIC_DISABLE_SIGNIN?: string;
+    NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN?: string;
+    NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN?: string;
+    NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN?: string;
+    NEXT_PUBLIC_DISABLE_OIDC_SIGNIN?: string;
+    NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT?: string;
+
     NEXT_PRIVATE_BROWSERLESS_URL?: string;
 
     NEXT_PRIVATE_JOBS_PROVIDER?: 'inngest' | 'local' | 'bullmq';

render.yaml

@@ -163,6 +163,18 @@ services:
         sync: false
       - key: NEXT_PUBLIC_DISABLE_OIDC_SIGNUP
         sync: false
+      - key: NEXT_PUBLIC_DISABLE_SIGNIN
+        sync: false
+      - key: NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN
+        sync: false
+      - key: NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN
+        sync: false
+      - key: NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN
+        sync: false
+      - key: NEXT_PUBLIC_DISABLE_OIDC_SIGNIN
+        sync: false
+      - key: NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT
+        sync: false
       - key: NEXT_PUBLIC_USE_INTERNAL_URL_BROWSERLESS
         sync: false
 

turbo.json

@@ -53,6 +53,12 @@
     "NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP",
     "NEXT_PUBLIC_DISABLE_OIDC_SIGNUP",
     "NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS",
+    "NEXT_PUBLIC_DISABLE_SIGNIN",
+    "NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN",
+    "NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN",
+    "NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN",
+    "NEXT_PUBLIC_DISABLE_OIDC_SIGNIN",
+    "NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT",
     "NEXT_PRIVATE_PLAIN_API_KEY",
     "NEXT_PUBLIC_DOCUMENT_SIZE_UPLOAD_LIMIT",
     "NEXT_PRIVATE_DOCUMENSO_LICENSE_KEY",