// changelog
Every public-surface change, in plain language. Subscribe via the OpenAPI spec for the canonical API contract, or follow this page for the human summary. PRD §4.1 — public changelog is part of the Open wedge.
Two official client libraries: @openshft/sdk on npm (ESM + CJS, Node ≥18, Bun, Deno, Edge runtimes) and openshft-sdk on PyPI (sync + async clients on httpx, Pydantic v2 models, Python ≥3.10). Both expose full CRUD on the 8 v1 resources, OAuth client_credentials with auto token caching, cursor pagination iterators (.iterate() / iterate()), and a typed OpenShftError class. Source lives in packages/sdk-ts/ and packages/sdk-py/ in the monorepo.
Reference: PRD §18
Three new tabs above the agenda on /shifts. Calendar is a 7-day × 16-hour grid with drag-drop reschedule (powered by @dnd-kit) and live same-worker conflict highlighting; the existing rescheduleShift action emits shift.updated webhooks and writes audit_logs. Gantt is a read-only worker × time strip — workers without shifts this week sink to the bottom so coverage gaps pop out. Map renders sites with lat/lng on OpenStreetMap via react-leaflet (sites without coords get a sidebar with a 'fill in coordinates' CTA). PRD §M3 closed end-to-end.
Reference: PRD §M3
Migrations: 20260507200000_site_geocoding.sql
/api/v1/oauth/token implements the RFC 6749 §4.4 client_credentials grant. Register clients at /settings/oauth; secret shown once at creation; tokens are short-lived osk_live_… keys with operator-set TTL (60s–24h cap). The api_resolve_key RPC was patched to honour expires_at so revoked + expired tokens both fail closed.
Reference: PRD §18
Migrations: 20260507180000_oauth_clients_and_api_key_expiry.sql
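The fail-closed behaviour described in this entry, sketched as an added TypeScript example; it is not OpenShft's code and not the api_resolve_key RPC itself. Assumptions: the row shape, the in-memory Map standing in for the key table, SHA-256 digest storage, rejecting (rather than clamping) out-of-range TTLs, and a null expiresAt meaning a static key with no expiry.

```typescript
import { createHash } from "node:crypto";

// Hypothetical row shape (assumption): the real key schema is not shown on this page.
interface ApiKeyRow {
  scopes: string[];
  revokedAt: Date | null;   // set when the operator revokes the key
  expiresAt: string | null; // ISO timestamp; null = static key with no expiry (assumption)
}

const MIN_TTL_S = 60;           // 60s floor from the changelog entry
const MAX_TTL_S = 24 * 60 * 60; // 24h cap from the changelog entry

// Only a digest of the token is stored, so a leaked table does not leak usable keys.
function digest(token: string): string {
  return createHash("sha256").update(token, "utf8").digest("hex");
}

// Reject out-of-range TTLs instead of silently clamping them (assumption).
function issueKey(store: Map<string, ApiKeyRow>, token: string, scopes: string[],
                  ttlSeconds: number, now: Date): ApiKeyRow {
  if (!Number.isInteger(ttlSeconds) || ttlSeconds < MIN_TTL_S || ttlSeconds > MAX_TTL_S) {
    throw new RangeError("ttl must be a whole number of seconds between 60 and 86400");
  }
  const row: ApiKeyRow = {
    scopes,
    revokedAt: null,
    expiresAt: new Date(now.getTime() + ttlSeconds * 1000).toISOString(),
  };
  store.set(digest(token), row);
  return row;
}

// Returns the key's scopes, or null for every failure mode:
// unknown token, revoked key, expired key, or an expiry that cannot be parsed.
function resolveKey(store: Map<string, ApiKeyRow>, presented: string, now: Date): string[] | null {
  const row = store.get(digest(presented));
  if (!row || row.revokedAt !== null) return null;
  if (row.expiresAt !== null) {
    const expiry = Date.parse(row.expiresAt);
    // NaN fails closed; a token is dead at its expiry instant, not one tick after it.
    if (Number.isNaN(expiry) || now.getTime() >= expiry) return null;
  }
  return row.scopes;
}
```

Callers get a single null for every rejection, so an API response cannot reveal whether a presented token was unknown, revoked, or expired.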
GraphQL endpoint /api/graphql gained createParticipant / updateParticipant / deleteParticipant, createWorker / updateWorker / deleteWorker, createShift / cancelShift, createIncident, createProgressNote. Mutations require a key with the 'write' scope and emit the same audit_logs + webhook events as the REST counterparts.
Reference: PRD §18
src/lib/rate-limit.ts now picks a backend at runtime: Upstash Redis when UPSTASH_REDIS_REST_URL + UPSTASH_REDIS_REST_TOKEN are set, Postgres-backed (public.ratelimit_state) when only Supabase service-role is available, in-memory only as a last-resort dev fallback. checkRateLimit became async; all three call sites (chat route, support action, middleware) now await it. C-12 from the 2026-04-17 audit is closed once Upstash is provisioned.
Reference: Audit follow-up — 2026-04-17 C-12
Read-only GraphQL endpoint at /api/graphql covering the same eight resources as REST v1 (participants, workers, shifts, incidents, claim lines, progress notes, form templates, form submissions). Same Bearer API key as REST; cursor pagination; per-resource filters (reportable=, status=, from=, to=). GraphiQL playground available in browsers.
Reference: PRD §18 day-90 commitment
Weekly Inngest cron walks 14 retention-tracked tables (participants, incidents, complaints, etc.), counts rows past 7-year retention vs rows on legal hold, logs to retention_sweep_log, and emails workspace owners with eligible-archive counts. Log-only; hard archival follows in v1.1 with an explicit operator action.
Reference: PRD §11.3
Migrations: 20260507170000_retention_and_ai_labels.sql
New participant_messages table + RPCs power a privacy-protective chat between participants (or family members with messaging permission) and the workspace office. Surfaced in the participant mobile app via /messages and on the web admin via /messages/participants alongside the worker chat.
Reference: PRD §17
Migrations: 20260507160000_participant_chat.sql
Worker app gains hazard one-tap, money & property dual-sign log, travel & expenses (km + receipts), and a read-only document vault (policies + credentials + training). Participant app gains live spend bars on the plan screen, replacing the previous hardcoded zero.
Reference: PRD §16 + §17
Audit triggers extended to shifts, workers, participants, worker_credentials, training_records, plan_budget_categories, service_bookings and staff_participant_matches. Auto-incident on use of an unauthorised restrictive practice. Legal-hold framework that blocks DELETE on retention-tracked tables. Per-tenant AI kill switch on workspaces.
Reference: PRD §11 + §13.6 + §21.1
Migrations: 20260507110000_audit_triggers_master_data.sql, 20260507120000_restrictive_practice_auto_incident.sql, 20260507130000_legal_hold.sql, 20260507140000_workspace_ai_kill_switch.sql
/settings/webhooks lets owners and admins create, pause, revoke, and test webhook subscriptions without SQL. Test ping fires a real signed POST and records the attempt in webhook_deliveries. HMAC secrets are shown once at creation, never again.
Reference: PRD §18
/messages/broadcasts lets owners and admins fan out a single message to all active workers (or a specific selection) over in-app chat, SMS, and email. Preview-and-confirm flow with cost estimate; SMS spend tracked through the chassis usage table.
Reference: PRD §M11
Migrations: 20260507150000_broadcasts.sql
/reports gains a no-shows / cancellation-rate / AR-outstanding / AR-over-60-days card row plus a 5-bucket AR ageing strip. Closes the M10 'Operations' gap; Finance / Clinical / Workforce dashboards arrive in v1.1.
Reference: PRD §M10
checkLimit() is now wired into participant / worker / shift create paths so the Free tier hard-caps at 3 / 2 / 50 — including a re-activation guard so archive-then-restore can't bypass the cap. ABN became a required field on the workspace step of onboarding (11-digit, validated against the existing CHECK constraint).
Reference: PRD §20.2
Statutory-timer cron now fans out to verified phone numbers at the highest-stakes tiers — incident_24h_t2, every *_overdue, and breach_30day_overdue. Email is still the baseline; SMS is reserved for catastrophic risk per PRD §11.2.
Reference: PRD §11.2
Migrations: 20260507100000_timer_reminder_log_target_types.sql
ADR-008 generic Form / Register / Document-Control engine — five tables, seven RPCs, twelve UI components, six v1 endpoints, twenty-seven pgTAP assertions. Easy-Read sibling validator enforces that participant-facing templates have a sibling before publish.
Reference: ADR-008 + PRD §9
Migrations: 20260506230000_form_engine.sql, 20260506240000_form_engine_seed.sql