All header() redirects across index.php, logout.php, settings.php, ticket.php, and auth.php were using app_url() which produced broken paths on IIS when SCRIPT_NAME returned / or empty string. Replaced every redirect with config('site_url') directly — no more IIS path manipulation possible.

All three cron scripts were using !== for key comparison, vulnerable to timing attacks. Changed to hash_equals() on daily-report.php, monthly-report.php, and never-logged-in.php.

Viewers could PATCH any ticket by ID — the role check only stripped assigned_to but didn't prevent editing tickets they didn't submit. Now verifies the requester_email matches the viewer's session email before allowing any edits.

department_id and location_id were accepted on ticket creation without verifying they exist as active records. Invalid IDs are now silently nulled before insert.

Board now fills the full page height — no dead space below columns when tickets are few. All four columns stretch to equal height via flex chain from page-body down through kanbanView to the board.

Projects page now shows the OVERVIEW label above the stats pills to match the Tickets board layout.

New Ticket modal and Projects attachment drop zone were hardcoded to 10MB. Both now read from config('max_upload_mb'). Server-side MAX_FILE_MB constant in api/attachments.php also reads from config.

Uploads Backup button was btn-secondary while Database Backup was btn-primary. Both now btn-primary for consistency.

api/attachments.php added realpath() checks on both the file serve and delete endpoints to prevent path traversal. Flagged by Akido security scan.

app.py from the original Python/Flask prototype was still in the repository, triggering false positive security alerts. Removed.

Ticket list view now paginates. Page size configurable in Settings → General: 25 / 50 / 100 / All. Defaults to 25. Pagination bar shows current range and total count. Filters and search reset to page 1 automatically.

Project cards can now be dragged between Planning, Active, On Hold, and Complete columns — same as the ticket board. Status updates automatically on drop via PATCH.

External Ticket Submission settings moved out of General into a dedicated Submit Form tab. General tab is significantly less cluttered.

Tickets Per Page and Completed Projects Window cards now have explicit Save buttons. Audit log entries added for meaningful settings changes: company name, ticket format, notifications, email provider, and submit form enable/disable.

Kanban board Done column now has a fixed height with its own scroll, so a long completed list doesn't push the other columns off screen.

Clicking the backdrop or ✕ while title or description has content now shows a "Discard changes?" confirmation. Prevents accidentally losing a ticket mid-entry.

Projects page now shows the OVERVIEW label above the stats pills to match the Tickets board layout.

Removed the ▲ Hide button from the overview stats bar — not a commonly used feature and added visual noise.

api/notes.php was calling require_csrf_header() which doesn't exist — fixed to require_csrf(). Adding notes to projects was returning a 500.

updateBulkBar, toggleSelectAll, clearBulkSelection, bulkApply and handleRowClick functions were referenced but never inserted into dashboard.php. Checkboxes showed but nothing happened on click.

Bulk bar had display:none set twice in its inline style — JS was setting it to flex but the second declaration overrode it. Bar never appeared.

Tickets that haven't been updated in a while now show a colored age badge on both the kanban board and list view. Yellow ⚠ for warning threshold, red 🔴 for critical. Thresholds configurable in Settings → Notifications → Ticket Aging Alerts. Default: warning at 3 days, critical at 7 days.

Checkboxes in list view allow selecting multiple tickets. A bulk action bar appears with dropdowns to set status, priority, or assigned tech across all selected tickets at once. Select All in the header grabs everything. Hidden on mobile.

Single on/off toggle in Settings → Notifications. When enabled, emails the requester when their ticket status changes to In Progress, Waiting, Done, or Reopened. Requires a valid requester email on the ticket.

Ticket search now searches comment/note body text in addition to title, description, ticket number, and requester name.

Configurable dropdown (7 / 30 / 60 / 90 days / All time) controls how long completed projects appear in the Projects page, Projects report, and the projects section of Daily, Weekly, and Monthly reports. Previously completed projects showed indefinitely.

External Ticket Submission settings moved from Notifications tab to General tab where it makes more sense as a global configuration option.

Settings, Reports, and Audit Log links hidden from the mobile sidebar. These pages aren't optimised for mobile and the links were taking up space that's better used for tickets and projects.

Projects page now defaults to list view on mobile screens. Kanban columns are too cramped on small screens — list view is much more usable. Board view still available via the toggle button.

Tapping ticket cards was occasionally triggering the New Ticket modal on mobile. Root cause: modal overlays were using opacity:0 + pointer-events:none when closed, which some mobile browsers still treated as tappable. Changed to display:none so closed modals are completely removed from hit-testing.

The 30-day remember me cookie was being set with Secure flag hardcoded to true, causing browsers to silently drop it on HTTP connections. Now detects HTTPS properly and sets the flag accordingly. Also added the cookie check to index.php on page load.

Moving the External Ticket Submission card introduced a missing closing div that caused all Settings panels after General to be nested inside the General panel — appearing as blank tabs. Fixed div structure and added missing backup tab to can_see_settings_tab() auth check.

New Backup tab in Settings. One-click download of a full SQL dump — all tickets, users, settings, comments, attachment metadata. Second button downloads a zip of the uploads/ folder. Requires ZipArchive PHP extension for uploads backup.

Settings was saving the API key as email_api_key but mailer.php looked for postmark_api_key (and sendgrid_api_key etc). API email worked on initial setup but broke after re-saving settings. Now saves under the correct provider-specific key.

send_via_phpmailer() was catching the base Exception class instead of PHPMailer\PHPMailer\Exception. On some servers the catch never fired, the exception bubbled up uncaught, and the API returned a 500. Fixed to catch the correct namespaced exception plus a Throwable fallback.

SMTP/API failures now return the actual error message in the toast — authentication failure, connection refused, bad API key etc — instead of a generic "Request Failed".

Sidebar logo section and topbar were different heights causing the horizontal divider lines to not align. Both set to a fixed 64px height with flex centering.

Default theme picker in Settings was taking up excessive space. Swatches reduced in height and reorganised into a compact 2-column grid with max-width constraint.

Every page was throwing a 404 for /assets/css/app-mobile.css — the file was referenced in layout_header.php but never existed. Mobile styles extracted from inline style block into a proper app-mobile.css file.

Version number and build date now shown at the bottom of Settings → General with a link to the changelog.

New Backup tab in Settings. One-click download of a full SQL dump of the database — all tickets, users, settings, comments, attachment metadata. Second button downloads a zip of the uploads/ folder. Requires ZipArchive PHP extension for uploads backup. CSRF-protected GET download endpoint.

send_via_phpmailer() was catching the base Exception class instead of PHPMailer\PHPMailer\Exception. On some servers (notably IIS) the catch block never fired, the exception bubbled up uncaught, and the API returned a 500 with no error detail. Fixed to catch the correct namespaced exception plus a Throwable fallback.

SMTP failures now return the actual PHPMailer error message (authentication failure, connection refused, etc.) instead of a generic "Request Failed". Decrypt failures return a specific message. Empty password after decryption returns a specific message.

First production-ready release. Packaged as ticket-foundry-v1.0.zip — clean install, no setup artifacts, LICENSE.txt included, install guide redirects to ticketfoundry.net for always-current docs.

tf_tickets has a foreign key to tf_locations, and tf_attachments has a foreign key to tf_projects — but both referenced tables were defined later in schema.sql. MySQL silently failed to create tf_tickets, tf_comments, and tf_attachments on fresh installs. Fixed table creation order so all foreign key dependencies are satisfied.

Schema was missing used and ip_address columns on tf_password_resets. Forgot Password page threw a 500 on any fresh install. Both columns added to schema.

mailer.php was requiring /includes/phpmailer/ (lowercase) but the folder is /includes/PHPMailer/ (uppercase). On Linux filesystems this is case-sensitive — PHPMailer was never found, silently fell back to PHP mail(), which failed. All four require_once paths corrected to match actual folder name.

7-Day Report → Weekly Report, 30-Day Report → Monthly Report. Clearer labelling throughout the Reports page.

Each report schedule (Daily, Weekly, Monthly) now has a customisable Email Subject field. Supports {company} and {date} placeholders. Defaults to sensible values, saves to config, substituted at send time in cron scripts.

Weekly and Monthly report schedules previously only had a day picker with no time. Time picker added to both, defaulting to 08:00. Cron scripts read the configured time and exit silently if it's not the right hour.

Category was read-only in the ticket modal — no way to change it after creation. Now a dropdown matching the status and priority selectors. Changes save instantly via updateTicketField(). Viewers still see it as read-only text.

Notes on the direct ticket page (ticket.php) were displaying raw HTML tags instead of rendered content. Quill stores notes as HTML — the template was using htmlspecialchars() which escaped the tags. Fixed to output raw HTML.

Comments query on ticket.php was selecting u.username instead of COALESCE(u.full_name, u.username). Fixed to show display name consistently.

profile.php was only listing 6 themes — missing Midnight, Light, Warm, and High Contrast. All 10 themes now available in the profile theme picker.

Added try/catch with verbose output to never-logged-in.php. Previously silent failures showed Done. Sent: 0 with no indication of what went wrong. Now prints per-user status and any exception messages directly in the response.

Commercial use license included in the package. One purchase = one install. No redistribution, reselling, or sublicensing. PHPMailer LGPL license also included in includes/PHPMailer/LICENSE.

All Beta wording removed. Before You Begin section rebuilt with separate dependency tables for PHP extensions, Apache, IIS, and Nginx. Step 3 (Schema Import) updated to reflect automatic import via setup wizard — manual phpMyAdmin fallback moved to a collapsible details block.

The reformat query was triggering MySQL's ON UPDATE CURRENT_TIMESTAMP on the updated_at column, stamping every ticket with the exact moment the reformat ran. This skewed Average Resolve Time in reports to show absurd numbers (20+ days) for old tickets. Fixed by explicitly setting updated_at = updated_at in the UPDATE statement to bypass the auto-update trigger.

Added "Reformat All Ticket Numbers" button in Settings → General → Ticket Number Format. Rewrites all existing ticket numbers to match the current prefix/date/padding configuration using each ticket's original created_at date. Useful when migrating from an old format (e.g. TF-0001) to the new format (EPI-20260520-00085). Logs to audit log. Cannot be undone.

Removed the "Newest First / Oldest First / By Priority" dropdown from the list view filter bar. Column headers already handle sorting by clicking — the dropdown was redundant and added clutter.

Category column in tf_tickets was defined as ENUM, silently rejecting any new categories added after install and falling back to 'Other'. Altered to VARCHAR(100). Category dropdown added to ticket modal so category can be changed inline like status and priority. catIcon() function was undefined — now built from a live CAT_MAP loaded from tf_categories at page load so new categories show their icons automatically.

Completely rewritten setup.php — zero dependencies on auth.php or db.php. Reads DB credentials via regex, handles schema import, admin account creation, site settings, ticket number format, email config, and generates encryption key on finish. Works on Apache, IIS, and Nginx.

Added web.config as full IIS equivalent of .htaccess — URL rewriting, security headers, blocked paths. Also added nginx.conf.example for Nginx installs. Ticket Foundry now officially supports Apache, IIS, and Nginx on any OS.

install-guide.html — single HTML file covering prerequisites, step-by-step setup, all email providers, cron job setup, server types (Apache/IIS/Nginx/Raspberry Pi), internal DNS, troubleshooting, and security recommendations.

Added missing tables: tf_locations (with address/city/state/zip), tf_categories, tf_directory, tf_password_resets, tf_remember_tokens, tf_templates, tf_project_checklist, tf_project_attachments. Fixed tf_tickets: added location_id, source, VARCHAR category. ticket_number expanded to VARCHAR(40).

Notes can now be marked Internal Only — skips email notification to requester and is hidden from viewer accounts. Displayed with purple indicator in the note thread. is_internal column added to tf_comments.

Urgent, New, In Progress, Waiting, Total Open, and Completed 7-Day pills are now clickable filters. Click to filter the board, click again to clear. Active pill highlights with acid green label.

New dropdown in the filter bar lets admins and techs filter tickets by assigned tech, including an Unassigned option. Auto-populated from active staff accounts.

Location dropdown added to ticket detail modal. Techs/admins can change it inline. Viewers see it as read-only text.

Categories in Settings → Organization can be reordered by dragging. Order persists to DB and reflects immediately in all dropdowns.

Category icon field replaced with a click-to-open emoji grid — 64 IT-relevant emojis across 8 categories. Click the icon preview to open, click any emoji to select.

Template category dropdown was hardcoded. Now loads live from tf_categories so new categories appear automatically.

Settings → General now includes a Max Attachment Size dropdown (2/5/10/20/50MB). Shows server PHP limits inline so admins know the ceiling. All attachment upload areas read from config.

Added Light, Midnight, Warm, and High Contrast themes. All 10 themes available in both Settings → General and My Profile. Theme switcher whitelist updated to include all options.

Setup wizard generates a unique AES-256 encryption key on finish and writes it to tf_config.php. SMTP passwords and all API keys (Mailgun, Postmark, SendGrid, Brevo) are encrypted before being stored in tf_config table.

User email now stored in session on login, enabling viewer ticket filtering by requester_email.

Viewers were previously filtered by assigned_to which showed nothing since tickets aren't assigned to requesters. Now filters by requester_email so viewers see all tickets they submitted.

mailer.php was only routing to API when email_method === 'api'. Named providers (mailgun, postmark, sendgrid, brevo) now correctly route to send_via_api(). Provider-specific API key lookup fixed.

All notify calls wrapped in try/catch. Email failures logged to PHP error_log and audit_log (action: email.error) but don't prevent ticket/comment creation.

REGEXP_REPLACE used for ticket number generation is MySQL 8.0+ only. Replaced with COUNT(*) + preg_match on last ticket number — works on all MySQL/MariaDB versions. Fixed in both api/tickets.php and submit.php.

Added source column to tickets (web_form vs internal). Fixed duplicate ticket number bug. Try/catch on insert returns friendly error instead of fatal. Ticket number VARCHAR expanded to 40 chars.

user-guide.html — complete user documentation with light/dark toggle, role-based content filtering (Admin/Tech/Viewer), live demo widgets for the ticket board, new ticket form, status updates, and theme picker. Searchable, collapsible FAQ.

Standalone PHP/MySQL sandbox app hosted at sandbox.ticketfoundry.net. Separate DB instance (tf_sandbox), no login required, built as a live interactive demo of the full product. Multiple sessions across two weeks to get it production-ready.

Sidebar role switcher lets visitors flip between Admin, Tech, Manager, and End User views without creating an account. Each role shows exactly what a real user in that role would see — different nav, different permissions, different ticket visibility.

Cron job wipes and re-seeds the sandbox DB every 7 days automatically. Manual reset.php available — upload it, hit the URL with the secret key, everything resets, delete the file. Prevents the sandbox from accumulating garbage indefinitely.

All user-submitted content passes through filter.php before hitting the DB. Catches slurs, profanity, and other obvious abuse. Because that's how people on the internet are.

Sandbox launches with realistic seed tickets, projects, and users. Includes the classics: "Printer has chosen violence again", "It worked yesterday", and "Replace the spreadsheet pretending to be a system". Restores to this state on every reset.

Full settings panel is visible so visitors can explore every configuration option — but nothing persists. Company name locked to "Ticket Foundry Sandbox". All 10 themes available and switchable per-session.

Audit log page shows realistic fake entries rather than real activity. Demonstrates the feature without exposing actual sandbox usage data or building up a real log that gets wiped on reset.

Reports generate and download as PDF normally. All email send buttons replaced with "Emails disabled for sandbox" message. No outbound email from the sandbox environment.

Attachment drag-drop area visible but non-functional. Upload endpoint returns a polite rejection. The placeholder UI is there so visitors can see the feature exists without opening a file upload endpoint to the public internet.

.htaccess blocks direct access to /includes, .sql files, and reset.php by default. TF_SANDBOX constant guards all include files — direct HTTP requests to includes/ return 403. Relative path includes throughout for portability.