- Add Neon as the recommended production Postgres provider in
self-hosting docs, with a non-affiliate note.
- Link database recommendations to `https://typebot.com/neon`.
- Ignore `.context` files from Biome checks.
- Update the manual self-hosting deploy guide for the current Nx/Bun
workflow.
- Replace stale PM2 commands with repo-root Nx start commands for
builder and viewer.
- Expand the Nginx sample to cover separate builder and viewer domains
and streaming support.
- Replace direct browser presigned PUT uploads with signed Typebot
upload proxy URLs.
- Generate or validate upload object keys server-side while preserving
legacy v1/v2/v3 file-input upload contracts.
- Keep builder slot uploads stable for replaceable assets and use
generated names for runtime file uploads.
- Store active file-input MIME types as safe attachment downloads while
keeping safe image uploads inline.
- Update upload clients and docs to support both raw PUT proxy uploads
and form-data uploads.
- Verify Meta WhatsApp webhooks with optional app secrets while
preserving soft compatibility for existing credentials.
- Add optional 360Dialog webhook secret validation and update flows for
existing WhatsApp credentials.
- Validate Meta WABA and phone number access, then auto-subscribe the
Meta app to the WABA during setup.
- Clear and disable WhatsApp integration when the active credentials are
removed, including published bot state.
- Preserve raw webhook request bodies, document preview app secret
configuration, and add focused webhook verification tests.
- Update related tooling, Biome ignore rules, opensrc guidance, and
small formatting/type-safety cleanup.
- Added an "Authentication fails or users are randomly logged out"
section to `apps/docs/self-hosting/troubleshoot.mdx` covering the common
causes (rotated `NEXTAUTH_SECRET` / `ENCRYPTION_SECRET`, builder/viewer
secret mismatch, mismatched `NEXTAUTH_URL`, unreachable or reset
database).
- Pointed users to tail the builder logs to surface the actual NextAuth
/ Prisma error behind the generic "Check server logs" message.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Revert #2487 (trigger_onepick OAuth param) and #2486 (setAppId +
NEXT_PUBLIC_GOOGLE_SHEETS_APP_ID env var) which broke the Google Sheets
picker in production.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
- Call `PickerBuilder.setAppId()` with the Cloud Project number when
building the Google Sheets picker (required by Google when the OAuth
flow uses the `drive.file` scope, otherwise the picker iframe returns
401).
- Add new optional client env var `NEXT_PUBLIC_GOOGLE_SHEETS_APP_ID` in
`packages/env`.
- Document the new variable and setup step in
`apps/docs/self-hosting/configuration.mdx`.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Added a new "Is there a status page?" entry to the FAQ pointing to
status.typebot.io.
- Added a "Definitions" section to the analytics doc explaining Views,
Starts, Completions (no input remaining + at least one answer + no
pending client-side action expecting a dedicated reply) and the
per-block drop-off rate.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Add a new "Add a VAT ID for B2B reverse charge" section to
`apps/docs/workspace/subscription.mdx`
- Document the steps to add a VAT ID through the Stripe billing portal
- Clarify that the reverse charge only applies to future invoices, not
retroactively
- Note that without a VAT ID, destination VAT is charged as for a
standard B2C customer
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Add a "Common pitfalls" section to `apps/docs/editor/graph.mdx`
warning that a block without an outgoing edge stops the flow.
- Add a note in `apps/docs/theme/overview.mdx` clarifying that toggling
Typebot branding (or any theme change) requires a republish to go live.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Add a Pro-only `<Note>` callout at the top of
`deploy/web/custom-domain.mdx`
- Add a "Switch workspace" section in `workspace.mdx` covering the
workspace dropdown
- Add a FAQ entry "I don't see my bots after login" pointing to the
workspace switcher
- Add new guide `guides/external-messaging-apps.mdx` on integrating
Typebot with external messaging apps (KakaoTalk, LINE, Telegram, etc.)
via the HTTP API
- Register the new guide in `mint.json`
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Clarify that logs are per-result and not a global activity feed in
`results/overview.mdx`
- Add `guides/user-commands.mdx` with a concrete Reply event + Jump +
Return recipe for `restart` / `help` commands
- Cross-link Reply event vs Command event in `editor/events/reply.mdx`
and `editor/events/command.mdx`
- Add FAQ entry explaining that a persistent text input is not native,
with keyword and custom-UI workarounds
- Restructure `workspace/subscription.mdx` with a Steps-based
cancel/downgrade flow and explicit Free plan limits (200 chats, 1 seat)
- Register the new user-commands guide in `mint.json` navigation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Remove the "If this is urgent" section and link to
`typebot.co/urgent-support` from the how-to-get-help docs page
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
## Summary
- **New "Ask Model" action** in the OpenAI block using the Responses API
(`openai.responses.stream()`), supporting multi-turn conversations via
`previous_response_id`, built-in tools (file search with vector store
IDs, web search, code interpreter), custom function calling, and
streaming.
- **Deprecated "Ask Assistant"** action: hidden from the action dropdown
(still functional for existing typebots), with Sentry tracking for
production usage monitoring.
- **Updated template** (`openai-assistant-chat.json`) to use the new Ask
Model action with `gpt-5.4`.
- **Merged `chatModels` + `reasoningModels`** into a single `models`
list in constants.
- **Updated docs** replacing Ask Assistant documentation with Ask Model.
## Test plan
- [ ] Create a typebot with OpenAI → "Ask Model", configure model +
message + instructions, verify streaming works
- [ ] Test multi-turn: verify Response ID variable persists across
exchanges
- [ ] Test built-in tools: web search toggle, vector store IDs tag
input, code interpreter toggle
- [ ] Test custom function calling loop
- [ ] Verify "Ask Assistant" still works for existing typebots but is
hidden from the dropdown for new ones
- [ ] Verify the template loads correctly in the builder
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
## Changes
- **Presigned POST → PUT**: Replace `generatePresignedPostPolicy` with
`generatePresignedPutUrl` across all upload endpoints (builder + viewer
v1/v2/v3). This makes uploads compatible with Cloudflare R2 which
doesn't support the S3 POST Object API. Frontend consumers now use `PUT`
with raw file body + `Content-Type`/`Cache-Control` headers instead of
`POST` with FormData.
- **XSS mitigation**: Block dangerous content types (SVG, HTML, XML, JS)
in the builder `generateUploadUrl` endpoint. Restrict frontend `accept`
attributes from `image/*` to an explicit list of safe raster types
(`png, jpeg, gif, webp, avif, bmp, tiff`). Addresses
GHSA-jj87-c343-26vp.
- **Fix file upload URL validation**: `isURL` with `require_tld: true`
rejected `localhost` and `NEXTAUTH_URL` proxy URLs for private files.
Now uses a trusted host allowlist (`localhost`, `NEXTAUTH_URL`,
`S3_PUBLIC_CUSTOM_DOMAIN`) to skip TLD requirement.
- **Docs**: Update S3 CORS policy from `POST` to `PUT`, add Cloudflare
R2 to supported providers list.
- **Bump**: `@typebot.io/js` and `@typebot.io/react` → `0.10.0`
## Verification
- Tested avatar upload on builder with R2 bucket (PUT succeeds, image
displays)
- Verified CORS preflight passes after R2 bucket config
- Confirmed `generateUploadUrl` rejects `image/svg+xml` with 400
- All unit tests pass (`nx affected -t test`)
- Typecheck passes on all affected packages
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move builder, viewer, and workflows onto shared telemetry helpers so request logging, OTLP config, and workflow failures are reported consistently across runtimes.
