Hardened, Cleaner, and More Capable — Security, Code Quality, and New Workflow Features
New Features
- Work Item Cancelled Status: Added a Cancelled status to Work Items with a dedicated lane on the scrum board and backlog views (styled in red), a cancel button on applicable items, a cancelled indicator on cards and table rows, and a Show Cancelled toggle (default off, persisted per user) on the board view. Cancelled status is also supported in the Linked Work Items actions column.
- Quill Table Support: Native table editing is now available across all Quill rich text editors including ticket detail, resource pages, and project comments, with table HTML properly sanitized and styled across all rendering contexts.
- Markdown + Mermaid Editor: An optional Markdown editor (EasyMDE) toggle is now available on every Quill toolbar, with live Mermaid diagram preview and rendering in read-only content. The editor automatically switches to Markdown mode when existing Markdown source is detected. All new dependencies are lazy-loaded on demand.
Feature Updates
- Stakeholder MrSignIn SSO Invite Flow: Stakeholder invitations now use MrSignIn SSO for registration instead of a local password-based flow. After SSO callback, Stakeholder and CompanyAccess records are created automatically. Stakeholders can log back in via SSO after signing out.
- Company Phone Log — Unified Call Sources: The company dashboard phone log now pulls from both Call Tracker entries and time card entries matched by service, with a Source column distinguishing the two. The phone-call flag is set automatically when a matching service is used in a time card entry.
- Stakeholder UI Lockdown: Stakeholder views now hide the scrums dropdown, call button, Actions card, AI Task Suggestions, Create/Link Task buttons, staff-only detail fields, Escalation Notes, and modal dialogs. The New Project button is also hidden for stakeholders on the Projects list.
Feature Enhancements
- Security Hardening — Django 5.2 LTS Upgrade: Upgraded to Django 5.2 LTS and cleared every CVE that pip-audit reported across dependencies. SECRET_KEY and DEBUG now come from environment variables, with secret-key fallbacks so the key can be rotated without invalidating existing SSO sessions. Added production-gated transport security (SSL redirect, HSTS, secure cookies), django-axes login lockout, explicit JWT lifetimes, Cognito IdToken verification against the user pool's JWKS, and supply-chain guardrails: hash-pinned requirements and Subresource Integrity (SRI) on CDN-loaded assets.
- Codebase Decomposition: The core views, API, and models modules have been decomposed from large single files into organized domain-scoped packages — all files now under ~2,000 lines. The split is behavior-preserving with full namespace parity verified, migrations clean, and the full test suite passing.
- Standardized API Error Envelope: All API errors now return a consistent {"error": "..."} envelope via a custom DRF exception handler. The detail is safe to expose: a generic message in production, and the exception detail only under DEBUG. Unhandled exceptions are logged with structured context.
- Work Item Comment Avatars: Work item comments now display a full name and avatar instead of a raw username. Staff message bubbles are styled with white text on a teal background.
- Active Tickets Panel on Company Dashboard: Added an Active Tickets panel to the company dashboard between the Projects and Active Work Items sections.
- Stakeholder Invite Email Reliability: Stakeholder invite emails now use tenant SMTP settings consistent with all other email senders in the platform. A copy-link button is available on the Contacts table as a fallback when email delivery fails, with automatic clipboard copy and a clear fallback alert.
- Sticky Footer: Applied sticky footer layout across the application using flexbox min-height so the footer always anchors to the bottom of the viewport.
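The environment-driven settings pattern behind the hardening entry above, shown as an added example. This is not the project's settings module: the setting names are Django's own (SECRET_KEY_FALLBACKS, SECURE_SSL_REDIRECT, SECURE_HSTS_*, SESSION_COOKIE_SECURE, CSRF_COOKIE_SECURE), while the environment variable names DJANGO_SECRET_KEY, DJANGO_SECRET_KEY_FALLBACKS and DJANGO_DEBUG are assumptions. The weak "before" state is shown in a comment beside the hardened form.

```python
"""Environment-driven Django security settings.

Added illustration for this release note; it is not the project's settings
module. Setting names are Django's own; the environment variable names
(DJANGO_SECRET_KEY, DJANGO_SECRET_KEY_FALLBACKS, DJANGO_DEBUG) are assumed.
"""
import os

# Before: SECRET_KEY = "hard-coded-in-settings.py"; DEBUG = True
# Both end up in source control, and the key can never be rotated without
# invalidating every session signed with it.


def env_bool(name, default, env=os.environ):
    """Parse a boolean flag from the environment.

    Only an explicit truthy literal enables the flag, so a typo such as
    DJANGO_DEBUG=fals can never switch DEBUG on in production.
    """
    raw = env.get(name)
    if raw is None:
        return default
    return raw.strip().lower() in {"1", "true", "yes", "on"}


def secret_keys(env=os.environ):
    """Return (current key, list of previous keys).

    Django signs sessions, CSRF tokens and signed cookies with SECRET_KEY and
    verifies them with SECRET_KEY and then each entry of SECRET_KEY_FALLBACKS,
    so rotating the key keeps existing SSO sessions valid until they expire.
    """
    key = env.get("DJANGO_SECRET_KEY")
    if not key:
        raise RuntimeError("DJANGO_SECRET_KEY must be set; refusing to start with a default")
    raw_fallbacks = env.get("DJANGO_SECRET_KEY_FALLBACKS", "")
    fallbacks = [k.strip() for k in raw_fallbacks.split(",") if k.strip()]
    return key, fallbacks


def security_settings(env=os.environ):
    """Build the security-relevant settings; transport hardening is gated on DEBUG."""
    key, fallbacks = secret_keys(env)
    debug = env_bool("DJANGO_DEBUG", default=False, env=env)
    settings = {
        "SECRET_KEY": key,
        "SECRET_KEY_FALLBACKS": fallbacks,
        "DEBUG": debug,
        "SESSION_COOKIE_HTTPONLY": True,
    }
    if not debug:
        settings.update({
            "SECURE_SSL_REDIRECT": True,
            # One year, subdomains, preload: enable only once every host is on TLS,
            # because browsers will refuse plain HTTP for the whole domain afterwards.
            "SECURE_HSTS_SECONDS": 31536000,
            "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
            "SECURE_HSTS_PRELOAD": True,
            "SESSION_COOKIE_SECURE": True,
            "CSRF_COOKIE_SECURE": True,
            # Trust the proxy's scheme header only if the proxy overwrites it on
            # every request; otherwise a client can send "https" itself and skip
            # the redirect.
            "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
        })
    return settings


# In settings.py the result would be unpacked into module globals:
# globals().update(security_settings())
```

With DJANGO_DEBUG unset the process refuses to start without a key and applies every transport setting; a developer exporting DJANGO_DEBUG=true gets plain HTTP locally. To rotate the key, move the current value into DJANGO_SECRET_KEY_FALLBACKS, set a new DJANGO_SECRET_KEY, and drop the fallback once the old sessions have aged out.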
Bug Fixes
- Fixed NoReverseMatch error on perpetual task template detail page.
- Fixed the perpetual task title link so that it is clickable only when the link status is active.
- Fixed the stakeholder invite OAuth flow when the state token is lost during the redirect round-trip: the token is now backed up in the session and recovered from there when the original is missing.
- Fixed a privilege-escalation vulnerability in which non-superuser tenant admins could call the toggle-superuser endpoint. The endpoint is no longer reachable by non-superusers, and user management views are scoped to the actor's active tenant for non-superusers.
- Fixed RunSQL migration operations crashing the SQLite CI test runner by replacing PostgreSQL-specific ALTER TABLE ... ALTER COLUMN syntax with RunPython migrations that branch on the database vendor.
- Fixed six undefined-name bugs, removed debug print statements, replaced raw exception strings in HTTP responses with safe error-detail helpers, and dropped unused dependencies.
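The safe error-detail helper referenced in the last bug fix, and the {"error": "..."} envelope from the Feature Enhancements section, shown together as an added example. This is not the project's exception handler; it is written framework-agnostic so it runs without DRF, and the ClientError class, the logger name and the generic message text are assumptions.

```python
"""Safe error envelope for API responses.

Added illustration, not the project's handler. Returns (status, body) so it
can be wrapped by a DRF exception handler or any other framework.
"""
import logging

log = logging.getLogger("api.errors")


class ClientError(Exception):
    """An error whose message is meant for the caller (validation, not found).

    Anything that is not a ClientError is treated as unexpected: its message
    may contain paths, SQL, secrets or stack details and is withheld unless
    DEBUG is on.
    """

    def __init__(self, message, status=400):
        super().__init__(message)
        self.status = status


# Before the fix (leaky): return Response({"error": str(exc)}, status=500)
# Every KeyError("db_password") or OperationalError reached the client verbatim.


def safe_error_detail(exc, debug):
    """Return (detail string, HTTP status) that is safe to send to the client."""
    if isinstance(exc, ClientError):
        return str(exc), exc.status
    if debug:
        return f"{type(exc).__name__}: {exc}", 500
    return "An internal error occurred.", 500


def error_envelope(exc, debug=False):
    """Build the consistent envelope and log unhandled exceptions with context.

    exc_info=exc attaches the traceback even though we are not inside an
    except block; extra= carries structured fields for the log pipeline.
    """
    detail, status = safe_error_detail(exc, debug)
    if status >= 500:
        log.error(
            "unhandled API exception",
            exc_info=exc,
            extra={"exc_type": type(exc).__name__, "status": status},
        )
    return status, {"error": detail}
```

Inside a DRF project the EXCEPTION_HANDLER setting would point at a function that first calls rest_framework.views.exception_handler (so APIException subclasses keep their own status codes) and hands everything it returns None for to error_envelope, with debug=settings.DEBUG.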
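An added example of the authorization fix for the toggle-superuser endpoint and the tenant-scoped user listing. It is not the project's view code: the User dataclass, its field names, the PermissionDenied exception and the guard against toggling one's own flag are assumptions made for the illustration.

```python
"""Superuser toggle and tenant-scoped user management.

Added illustration of the privilege-escalation fix; not the project's views.
User fields, PermissionDenied and the self-toggle guard are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


class PermissionDenied(Exception):
    pass


@dataclass
class User:
    username: str
    tenant_ids: Set[str] = field(default_factory=set)  # tenants the user belongs to
    active_tenant: Optional[str] = None
    is_superuser: bool = False
    is_tenant_admin: bool = False


# Before the fix (vulnerable): the endpoint only checked for tenant admin, so a
# tenant admin could flip their own flag and step outside tenant scope entirely.
def toggle_superuser_vulnerable(actor, target):
    if not actor.is_tenant_admin:
        raise PermissionDenied("tenant admin required")
    target.is_superuser = not target.is_superuser
    return target.is_superuser


# After the fix: only an existing superuser may change the flag. The self-check
# is an extra guard so the last superuser cannot lock everyone out by accident.
def toggle_superuser(actor, target):
    if not actor.is_superuser:
        raise PermissionDenied("superuser required")
    if actor.username == target.username:
        raise PermissionDenied("cannot change your own superuser flag")
    target.is_superuser = not target.is_superuser
    return target.is_superuser


def visible_users(actor, users):
    """Queryset-style scoping for user management views.

    Superusers see everyone; a tenant admin sees only members of the tenant
    they are currently acting in; everyone else sees nobody.
    """
    if actor.is_superuser:
        return list(users)
    if actor.is_tenant_admin and actor.active_tenant:
        return [u for u in users if actor.active_tenant in u.tenant_ids]
    return []
```

Scoping on the actor's active tenant rather than on all tenants they belong to matters in a multi-tenant admin: a user who is admin in tenant A and a plain member in tenant B must not manage tenant B's users while switched into A.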
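The vendor-guarded RunPython pattern from the migration fix, as an added example rather than the project's migration. The table and column names, the dry-run schema editor used to exercise it, and the choice to make the SQLite branch a no-op (leaving the type change to an ORM-level AlterField operation) are assumptions; Django itself is not imported so the dispatch logic can be run on its own.

```python
"""Vendor-guarded column alteration for a RunPython migration.

Added illustration of the SQLite CI fix; not the project's migration file.
Table/column names and DryRunSchemaEditor are assumptions. In a real
migration the two callables are wired as:
    operations = [migrations.RunPython(forwards, backwards)]
"""


def alter_column_statements(vendor, table, column, new_type):
    """Return the raw SQL to run for this database vendor.

    PostgreSQL changes a column type in place. SQLite has no ALTER COLUMN at
    all, which is exactly what crashed the CI runner; there the type change is
    left to Django's AlterField (which rebuilds the table), so this step emits
    nothing. Any other vendor fails loudly instead of silently skipping DDL.
    """
    if vendor == "postgresql":
        return [f'ALTER TABLE "{table}" ALTER COLUMN "{column}" TYPE {new_type}']
    if vendor == "sqlite":
        return []
    raise NotImplementedError(f"no migration path for database vendor {vendor!r}")


def forwards(apps, schema_editor):
    """RunPython forward callable: branch on the live connection's vendor."""
    vendor = schema_editor.connection.vendor
    for sql in alter_column_statements(vendor, "core_workitem", "priority", "varchar(8)"):
        schema_editor.execute(sql)


def backwards(apps, schema_editor):
    """Reverse step so the migration stays reversible on both vendors."""
    vendor = schema_editor.connection.vendor
    for sql in alter_column_statements(vendor, "core_workitem", "priority", "integer"):
        schema_editor.execute(sql)


class DryRunSchemaEditor:
    """Minimal stand-in for Django's schema editor: records SQL instead of running it."""

    class _Connection:
        def __init__(self, vendor):
            self.vendor = vendor

    def __init__(self, vendor):
        self.connection = self._Connection(vendor)
        self.executed = []

    def execute(self, sql, params=None):
        self.executed.append(sql)
```

Running forwards against DryRunSchemaEditor("postgresql") records one ALTER TABLE statement, against DryRunSchemaEditor("sqlite") records none, and an unknown vendor raises before any DDL is attempted, which is the behaviour a CI matrix covering both databases should assert.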
Release List
- Read First, Edit When Ready — Smarter Markdown Preview Behavior
- More Power in Every View — Dataset Interactivity and Scrum Role Overrides
- No More Ghost Tasks — Orphaned Work Items Are Now Manageable
- Always in the Know — Live Alert Polling and Project Short Descriptions
- Tidying Up — Code Cleanup
- Messages, Front and Center — Smarter Notification Routing in the Alerts Panel
- Quiet but Critical — Targeted Stability Fixes
- Velocity, Visibility, and Smarter Linking — A Power Release for Teams
- Keeping the Lights On — AC2 Callback Fix
- Smarter AI, Richer Projects, and a Fully Redesigned Alert Experience
- Priority Clarity — Industry-Standard P1 Convention, Smarter Projects, and Cross-Context Work Items
- Icons Rendered, Cache Cleared — FontAwesome Kit Cache Busting
- Locked Down and Leveled Up — Billing Security, Tenant Isolation, and Pro/Basic Classification
- See the Whole Picture — Kanban Views, Stakeholders, and Billing Telemetry
- No More Accidental Saves — Smarter Button State in Work Item Modals
- Deeper Knowledge — Glossary Domains, Footnotes, and Markdown Resources
- Knowledge at Your Fingertips — Introducing the Resources Section
- Approval First — Client Prerequisites, Priority Accountability, and Webhook Reliability
- Smarter Badges, Scoped Keys — Source Tracking and API Permissions Get an Upgrade
- Clean Queue, Clear Controls — Ticket Archiving, Deletion, and Integration Fixes
- Know Your Customer — Intelligent Company Resolution and CSM Auto-Assignment
- No More Timeouts — Background Webhooks and Smarter Integration Controls
- Attach More, Organize Better — Expanded Attachments and Support Form Categories
- Precision Under the Hood — Metrics Accuracy and Sprint Board Performance
- Deliver Faster, Adapt Smarter, Grow with Impact — Welcome to scrumRithm™ 2.0