June 2026 — v1.1 Maintenance Release

v1.1.0 (2026-05-11) — audit + hardening pass

• Saved views for the helpdesk queue — admins manage org-wide views at /admin/helpdesk/views; operators manage personal views at /profile/settings/views. Both flavours show up in the helpdesk sidebar.
• Helpdesk URL filters — ?filter=mine, ?filter=sla, ?filter=awaiting, ?filter=closed now resolve to server-side WHERE clauses. (Previously silent no-ops.)
• /helpdesk/new — full DS-styled ticket-create form with title, description, type, priority pill-group, customer / project / assignee / contract selectors. The broken link in the helpdesk empty state is gone.
• /forgot-password — public landing page walking users through the two recovery routes (SSO or admin-issued invitation).
• /crm/contacts/[id]/edit — edit page is live. The contact detail Edit button no longer 404s.
• Topbar bell — /api/notifications/unread returns a derived count of open tickets assigned to the caller. The silent 404 is gone.
• License banner fix — the red "license expired" banner no longer flashes on every page load before /api/license resolves.
• KW Group license — all 29 features active, 1000 user seats, 100 tenants, never expires.

v1.1.1 (2026-06-03) — functional + security audit

• /admin/hrm and /admin/helpdesk landing pages — both top-level admin pages now render a card grid of their sub-pages. Were 404s before.
• TOCTOU race fix on crm-service.updateContact — switched the write to an atomic updateMany({ where: { id, orgId } }) (mirrors the pattern in deleteContact, updateDeal, deleteDeal, marketing-service.updateCampaign/deleteCampaign, and the customer PATCH/DELETE in 1.1.0). Multi-tenant mutations can no longer be raced between the org-scope check and the write.
• Three more dangerouslySetInnerHTML sites sanitised — TicketDetail.tsx:621 (ticket description), TicketDetail.tsx:813 (comment body), and app/(kb)/kb/[category]/[slug]/page.tsx:107 (public KB article body). All user-supplied HTML now routes through sanitizeHtml().
• E2E spec routes updated — the golden-path specs were hitting routes renamed during the portal re-skin; updated to the current paths.

v1.1.2 (2026-06-03) — schema reconciliation + seed fix

• 49 pending Prisma migrations reconciled — the live MariaDB was originally provisioned from a schema dump, not via the migration runner. The schema drift is now closed; prisma migrate status reports "Database schema is up to date!".
• pnpm seed:reset crash fixed — the reset was tripping an FK on org-delete because its hard-coded table list was missing every table added by 1.1.0. Rewrote the sweep to introspect INFORMATION_SCHEMA.COLUMNS for every org-scoped table.
• Stale DEFAULT_ORG_ID after seed:reset — resolveHost() now falls back to the kwg-demo org by slug when the configured UUID no longer resolves, so the public surfaces keep working across re-seeds without an operator edit.

New in this release — public Checkmk access

The Checkmk monitoring web UI is now reachable publicly at:

• URL: https://portal.kwgroup.org.uk/checkmk/
• Login: Checkmk's own cmkadmin user (not the portal login).

This is a Traefik path-rewrite proxy in front of the existing kwgroup-checkmk container. No portal auth wraps the URL — the Checkmk login page is the gate. See the Checkmk Monitoring Integration article for the full setup and the live cmkadmin credentials.

Where to get help

• For the operator manual: see the user guide under /opt/docs/user-guide/.
• For a new KB article topic, or to publish one of the in-repo articles, see the KB import guide.
• For support, contact noc@kwgroup.uk or open a ticket at support.kwgroup.uk.