Release v3.12.0

Author: eldinmiller

CHANGELOG.md

@@ -2,10 +2,14 @@
 
 All notable changes to BluePLM will be documented in this file.
 
-## [3.11.1] - 2026-01-23
+## [3.12.0] - 2026-01-23
 
 ### Added
 - **Type generation script**: New `npm run gen:types` command that loads `SUPABASE_ACCESS_TOKEN` from `.env` file and regenerates TypeScript types from the live database
+- **SolidWorks service versioning**: The SolidWorks service now reports its version, and the app checks for compatibility. Version mismatch warnings appear in the Service tab when the service is outdated or incompatible, with clear instructions to rebuild
+- **Metadata preservation when copying**: Copying files now preserves part number, description, and revision from the source file. Metadata is copied from pending local edits if present, otherwise from synced server data
+- **Checkout protection for destructive operations**: Files checked out by other users are now protected from delete, move, and rename operations. Commands show clear error messages indicating which files are locked and by whom. Context menu items appear disabled with "(locked)" indicator when selection includes files checked out by others. Drag-and-drop moves show "not allowed" cursor for locked files
+- **Document Manager-only mode**: The SolidWorks service can now run without a full SolidWorks installation. Users with just the Document Manager API license key can read/write file properties, extract BOMs, get configurations, read references, and extract previews. A new "Feature Availability" collapsible section in the Service tab shows which features work in each mode. Operations requiring full SolidWorks (exports, mass properties, Pack and Go, etc.) now return clear error messages with `SW_NOT_INSTALLED` error code instead of failing silently
 
 ### Fixed
 - **Delete from server keeps file read-only**: Fixed issue where deleting a checked-in file from the server while keeping the local copy would leave the file read-only. Local-only files are now correctly made writable after the server deletion
@@ -16,6 +20,11 @@ All notable changes to BluePLM will be documented in this file.
 
 ### Changed
 - **Removed type workarounds**: Cleaned up `as any` type casts for `folders` table, `move_file` RPC, and `create_default_workflow` RPC now that types are regenerated
+- **Bulk delete performance overhaul**: Large file deletions no longer use optimistic UI updates. Files now remain visible with spinners during the deletion process, and both the file tree and main browser update together when the operation completes. This prevents visual inconsistencies where files would disappear then reappear if deletion failed
+- **Folder move reliability**: Moving folders now releases Document Manager file handles before the operation, cancels any queued thumbnail extractions, and checks for ongoing file operations (downloads, syncs) before proceeding. Previously, moves could fail with EPERM errors when files inside the folder were being processed
+- **Rename/move error handling**: Rename and move operations now detect locked files and identify the blocking process (e.g., "Cannot rename: file is in use by SLDWORKS.exe"). Operations retry up to 3 times with backoff before failing
+- **Folder copy accuracy**: Copying folders now accurately reports the total number of files copied (not just the folder count) and shows proper progress. Nested files inside copied folders are immediately visible in the UI without requiring a refresh
+- **Multi-machine folder sync**: When another user moves a folder, the app now batches all file location updates into a single render instead of processing each file individually. This prevents UI freezes when large folders are moved by teammates
 
 ### Removed
 - **Speculative parent assembly warning**: Removed the warning toast "Some files may have parent assemblies still checked out" that appeared when checking in parts or assemblies. This warning was overly aggressive and triggered false positives - it would warn even when the checked-out assemblies had nothing to do with the files being checked in

api/middleware/auth.ts

@@ -2,13 +2,23 @@
  * BluePLM API Authentication Middleware
  * 
  * Fastify plugin that validates JWT tokens and attaches user profile to requests.
+ * 
+ * Security note: Verbose logging is disabled by default. Do not log tokens,
+ * full user IDs, or email addresses in production.
  */
 
 import { FastifyPluginAsync, FastifyRequest, FastifyReply } from 'fastify'
 import fp from 'fastify-plugin'
 import { createSupabaseClient } from '../src/infrastructure/supabase.js'
 import type { UserProfile } from '../types.js'
 
+/**
+ * Truncate a UUID for safe logging (shows first 8 characters)
+ */
+function truncateId(id: string): string {
+  return id.length > 8 ? `${id.substring(0, 8)}...` : id
+}
+
 const authPluginImpl: FastifyPluginAsync = async (fastify) => {
   // Decorate request with user, supabase client, and access token
   fastify.decorateRequest('user', null)
@@ -20,14 +30,11 @@ const authPluginImpl: FastifyPluginAsync = async (fastify) => {
     request: FastifyRequest, 
     reply: FastifyReply
   ): Promise<void> {
-    console.log('>>> [Auth] authenticate() ENTRY')
-    
     try {
       const authHeader = request.headers.authorization
-      console.log('>>> [Auth] Header:', authHeader ? authHeader.substring(0, 30) + '...' : 'NONE')
 
       if (!authHeader || !authHeader.startsWith('Bearer ')) {
-        console.log('>>> [Auth] FAIL: Missing or invalid auth header')
+        fastify.log.warn('[Auth] Missing or invalid auth header')
         reply.code(401).send({ 
           error: 'Unauthorized',
           message: 'Missing or invalid Authorization header'
@@ -38,20 +45,19 @@ const authPluginImpl: FastifyPluginAsync = async (fastify) => {
       const token = authHeader.substring(7)
 
       if (!token || token === 'undefined' || token === 'null') {
-        console.log('>>> [Auth] FAIL: Empty or invalid token string')
+        fastify.log.warn('[Auth] Empty or invalid token string')
         reply.code(401).send({ 
           error: 'Unauthorized',
           message: 'Invalid or missing access token'
         })
         throw new Error('Auth: Invalid token string')
       }
 
-      console.log('>>> [Auth] Verifying token with Supabase...')
       const supabase = createSupabaseClient(token)
       const { data: { user }, error } = await supabase.auth.getUser(token)
 
       if (error || !user) {
-        console.log('>>> [Auth] FAIL: Token verification failed:', error?.message)
+        fastify.log.warn('[Auth] Token verification failed')
         reply.code(401).send({ 
           error: 'Invalid token',
           message: error?.message || 'Token verification failed',
@@ -60,15 +66,14 @@ const authPluginImpl: FastifyPluginAsync = async (fastify) => {
         throw new Error('Auth: Token verification failed')
       }
 
-      console.log('>>> [Auth] Token valid, looking up profile for user:', user.id)
       const { data: profile, error: profileError } = await supabase
         .from('users')
         .select('id, email, role, org_id, full_name')
         .eq('id', user.id)
         .single()
 
       if (profileError || !profile) {
-        console.log('>>> [Auth] FAIL: Profile lookup failed:', profileError?.message)
+        fastify.log.warn({ msg: '[Auth] Profile lookup failed', userId: truncateId(user.id) })
         reply.code(401).send({ 
           error: 'Profile not found',
           message: 'User profile does not exist'
@@ -77,7 +82,7 @@ const authPluginImpl: FastifyPluginAsync = async (fastify) => {
       }
 
       if (!profile.org_id) {
-        console.log('>>> [Auth] FAIL: User has no organization:', profile.email)
+        fastify.log.warn({ msg: '[Auth] User has no organization', userId: truncateId(user.id) })
         reply.code(403).send({ 
           error: 'No organization',
           message: 'User is not a member of any organization'
@@ -89,11 +94,11 @@ const authPluginImpl: FastifyPluginAsync = async (fastify) => {
       request.user = profile as UserProfile
       request.supabase = supabase
       request.accessToken = token
-      console.log('>>> [Auth] SUCCESS: Authenticated', profile.email)
-      fastify.log.info({ msg: '>>> [Auth] Authenticated', email: profile.email })
+      
+      // Log success with minimal info (no email, truncated ID)
+      fastify.log.debug({ msg: '[Auth] Authenticated', userId: truncateId(profile.id) })
     } catch (err) {
-      // Re-throw to stop the request lifecycle
-      console.log('>>> [Auth] Exception caught:', err instanceof Error ? err.message : err)
+      // Re-throw to stop the request lifecycle (error already logged above)
       throw err
     }
   })

electron/handlers/extensionHost.ts

@@ -113,9 +113,6 @@ function getExtensionsPath(): string {
 function loadExtensionsFromDisk(): void {
   const extensionsPath = getExtensionsPath()
 
-  // #region agent log
-  fetch('http://127.0.0.1:7242/ingest/54b4ff62-a662-4a7e-94d3-5e04211d678b',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({location:'extensionHost.ts:loadExtensionsFromDisk',message:'Scanning extensions directory',data:{extensionsPath},timestamp:Date.now(),sessionId:'debug-session',hypothesisId:'H1'})}).catch(()=>{});
-  // #endregion
 
   try {
     // Get all directories in the extensions folder
@@ -177,9 +174,6 @@ function loadExtensionsFromDisk(): void {
           installedAt,
         })
 
-        // #region agent log
-        fetch('http://127.0.0.1:7242/ingest/54b4ff62-a662-4a7e-94d3-5e04211d678b',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({location:'extensionHost.ts:loadExtensionsFromDisk:registered',message:'Registered extension from disk',data:{dirName:dir.name,manifestId:manifest.id,version:manifest.version,name:manifest.name},timestamp:Date.now(),sessionId:'debug-session',hypothesisId:'H1'})}).catch(()=>{});
-        // #endregion
 
         deps?.log(`Loaded extension from disk: ${manifest.id} v${manifest.version}`)
 
@@ -801,9 +795,6 @@ export function registerExtensionHostHandlers(
         throw new Error('Store API returned unsuccessful response')
       }
 
-      // #region agent log
-      fetch('http://127.0.0.1:7242/ingest/54b4ff62-a662-4a7e-94d3-5e04211d678b',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({location:'extensionHost.ts:fetch-store:raw',message:'Raw store API response',data:{count:result.data.length,firstExt:result.data[0]},timestamp:Date.now(),sessionId:'debug-session',hypothesisId:'H2'})}).catch(()=>{});
-      // #endregion
 
       // Transform to StoreExtensionInfo format
       const extensions = result.data.map(ext => ({
@@ -1005,9 +996,6 @@ export function registerExtensionHostHandlers(
   // downloadId: database UUID for download URL
   // manifestId: optional expected manifest ID (publisher.slug + name) for validation
   ipcMain.handle('extensions:install', async (_event, downloadId: string, version?: string, manifestId?: string) => {
-    // #region agent log
-    fetch('http://127.0.0.1:7242/ingest/54b4ff62-a662-4a7e-94d3-5e04211d678b',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({location:'extensionHost.ts:install:entry',message:'Install request received',data:{downloadId,manifestId,version},timestamp:Date.now(),sessionId:'debug-session',hypothesisId:'H3'})}).catch(()=>{});
-    // #endregion
     deps?.log(`Installing extension: ${downloadId}${version ? `@${version}` : ''}`)
 
     try {
@@ -1016,9 +1004,6 @@ export function registerExtensionHostHandlers(
         ? `${STORE_API_URL}/store/extensions/${encodeURIComponent(downloadId)}/download/${encodeURIComponent(version)}`
         : `${STORE_API_URL}/store/extensions/${encodeURIComponent(downloadId)}/download`
 
-      // #region agent log
-      fetch('http://127.0.0.1:7242/ingest/54b4ff62-a662-4a7e-94d3-5e04211d678b',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({location:'extensionHost.ts:install:downloadUrl',message:'Download URL constructed',data:{downloadUrl,downloadId,manifestId},timestamp:Date.now(),sessionId:'debug-session',hypothesisId:'H2'})}).catch(()=>{});
-      // #endregion
       deps?.log(`Downloading from: ${downloadUrl}`)
 
       const response = await fetch(downloadUrl, { redirect: 'follow' })