Track every update, improvement, and fix to the PerfexCRM API & Webhooks Module.
Fix Auth_api.php: 17 broken response calls causing 500 errors on all auth endpoints (login, refresh, verify). Fix CI3 Session driver 503 error on Linux servers (defensive constructor workaround). Remove legacy Api.php catch-all router (root cause of Session 503 bug). Extract duplicate JWT generation into reusable buildJwt() method. Refactor routes from catch-all pattern to explicit per-endpoint routing. Remove duplicate lowercase auth_api.php file (Linux case-sensitivity fix).
Fix API response time always showing 0.000ms (protected → public $start_time). Server-side DataTables pagination for API and webhook logs. Add Clear All Logs buttons (admin-only) for API and webhook logs. Remove "All" option from log table length menu (memory safety). Display log retention info on logs page. Fix Auth_api.php case sensitivity for Linux server compatibility. Fix CSRF token missing on Regenerate Routes button (419 error).
Fixed ticket replies list still causing memory exhaustion. Root cause: SELECT * was loading full HTML email bodies with base64-encoded inline images. List replies now returns metadata only (id, date, sender). Full message content available via individual reply endpoint GET /tickets/{id}/replies/{replyId}.
Fixed ticket replies endpoint causing PHP memory exhaustion (512MB) on tickets with many or large replies. Added pagination support (page, per_page) to GET /tickets/{id}/replies. Embedded replies via ?include=replies now capped at 25 with reply_count metadata.
Fixed "Save Changes" button not working on Settings page. Root cause: nested HTML form for "Regenerate Routes" inside the main settings form (invalid HTML). Browser closed the outer form at the inner closing tag, leaving the Save button outside any form. Replaced nested form with JavaScript-based POST submission.
API completeness: Added POST /invoices (create invoice with full line items support) and POST /contracts (create contract). Added invoice.deleted and staff.login webhook events (100 total). Fixed ticket assign/status endpoints to accept both PUT and POST methods. n8n node aligned with API changes.
Fixed "Download Postman Collection" button returning 404 on production installations. Postman collection (193 requests, 21 resource folders) now included in distribution ZIP. Collection version bumped to v2.5.4.
Standardized pagination across all 19 controllers: migrated Invoices, Leads, Projects, Contracts to getPaginationParams() helper. Added limit as backwards-compatible alias for per_page. Webhook docs enhanced with click-to-expand descriptions and payload field tags for all 98 events. 518 E2E tests passing (301 API + 217 webhook)
Documentation audit (21 fixes): Removed 4 ghost KB endpoints from admin docs, added JWT auth endpoint docs, added Resource Details for 12 API resources, added pagination/sorting docs. Postman collection updated to v2.5.1 with broken webhook test removed and 5 task operations added. README/COMPETITIVE-ANALYSIS updated with current numbers. Added 11 missing webhook event category language strings. 526 E2E tests passing (306 API + 220 webhook)
Auto-update security hardening: OPcache bypass for reliable file reads, concurrent update lock protection, download URL SSRF prevention, Throwable catch blocks for broader error handling. 301 E2E tests passing
Activation page security hardening: POST-only guards with CSRF tokens, XSS prevention on all dynamic outputs, download URL domain validation (MITM protection), double-submit prevention with loading spinners. License model instance-level caching. Removed dead KB routes. Restored contract.renewed webhook event. Expanded Postman collection. Critical routing and security fixes across all 5 new resources from v2.4.0. 526 E2E tests passing (306 API + 220 webhook)
Activation page security hardening: POST-only guards with CSRF tokens, XSS prevention on all dynamic outputs, download URL domain validation (MITM protection), double-submit prevention with loading spinners. License model instance-level caching (7 DB queries reduced to 1). Removed 4 dead KB routes. Restored contract.renewed webhook event (98 total). Postman collection expanded with Auth section and Invoice/Contract CRUD. 526 E2E tests passing (306 API + 220 webhook)
Removed OAuth 2.0 skeleton code (DB tables, model methods, auth chain, routes; never implemented). Settings page redesigned with 3-tab layout and conditional field visibility. Added Response Options (include_meta, include_timestamps) to settings UI. Fixed cache options not seeded in install. Fixed 12 input fields missing id attributes for label association. Fixed max_request_size input missing max attribute. Code cleanup across 29 files. 477 E2E tests passing (287 API + 190 webhook)
Dashboard & logs audit: Fixed XSS in all log views and dashboard, SQL performance optimization with 3 compound indexes, ISO week format fix, N+1 query elimination, MVC compliance (views no longer query DB directly), removed dead code, fixed exception message leak in Admin controller, fixed migration DB access pattern. 25 new localization keys. 477 E2E tests passing (287 API + 190 webhook)
Security & reliability fixes: API key management (expires_at saving, edit page display, per-key rate limiting, permissions list), webhook management (URL/event validation, retry enforcement, XSS prevention, secret standardization, header safety), ZIP build fix for views/logs/ directory. 469 E2E tests passing
Critical routing fix for v2.4.0 resources. Security fixes: notes permission bypass, items auth checks. Quality fixes: invoice status sync on payments, cascade deletes, input validation, cache wildcard support, lead.status_changed accuracy. 469 E2E tests passing (282 API + 187 webhook)
5 new standalone API resources: Payments, Items (full CRUD upgrade), Contacts, Timesheets, Notes. 15 new webhook events (3 per resource). Notes support polymorphic relations across 10 entity types. Timesheets support running timer concept. Updated Postman collection with 26 new requests. 282 E2E API tests passing + webhook tests. Total: 19 resources, 170+ endpoints, 98+ webhook events
Test update workflow
Auto-update download workflow verification
Update workflow verification release
Fix install update "Invalid request" error
Update verification release
Fix changelog display, file size extraction, version downgrade guard
Updated README with full feature overview
Release pipeline skill validation
Clear PHP opcache after auto-update for shared hosting
One-click auto-update feature
Security hardening, dead code cleanup
Security improvements
Initial public release