Admin Dashboard — Nexus

**Fixed:** Security page mobile overflow issue (#63). Resolved layout constraints that caused horizontal scroll on smaller viewports, improving the mobile experience for admin dashboard users reviewing security settings.

**Fixed:** Development database now guards against incorrect template schema application (#61). This prevents silent schema mismatches when switching between template variants or running multiple instances locally. No action required for production deployments.

**Fixed:** API key validation now executes before browser session fallback (#60). This prevents edge cases where an invalid API key could be bypassed if a valid browser session existed. The fix strengthens the authentication chain without changing the public API or requiring migration steps.

Fixed API key session boundary enforcement (#59). The authentication layer now properly isolates API key sessions, preventing cross-session token reuse and strengthening the security boundary between concurrent requests. This fix hardens the auth model without requiring code changes on your end. Recommended for all deployments handling sensitive API operations.

Documentation: cleaned up buyer-facing docs branding for consistency and clarity. No functional changes.

**Upload downloads hardening**: Improved security and resilience of file upload and download handling to prevent edge-case failures and potential vulnerabilities. This fix strengthens the dashboard's file operations without requiring any changes to your implementation.

Removed stale billing public route that was no longer in use. This cleanup reduces surface area and prevents accidental exposure of deprecated endpoints. No action required on upgrade.

Documentation: clarified production Docker Compose environment variable requirements for deployment workflows. No functional changes.

Internal quality improvements from phase 7 review cycle. No breaking changes or new features — safe to update.

Fixed console logging in the DSAR (Data Subject Access Request) compliance script that was inadvertently left in production code. This cleanup ensures compliance tooling runs silently in production environments without polluting browser or server logs.

**Fixed:** Compliance scaffold surfaces now propagate correctly through component hierarchy (#51). This resolves an issue where nested compliance-related components would not inherit surface styling and layout properties as expected. If you've noticed inconsistent rendering in compliance audit sections, this update restores the intended behavior.

Propagate phase 4 inherited safety fixes from upstream. Internal stability improvements with no breaking changes or new features.

Security: Fixed propagation of inherited phase 4 hardening configurations. This ensures security policies are correctly applied across component hierarchies without requiring manual intervention.

Fixed smooth scroll behavior declaration for Next.js environments. This ensures scroll-behavior CSS is properly applied across the dashboard layout without conflicts or resets.

**Fixed:** Browser-based Server-Sent Events (SSE) streams now correctly handle refresh cookie propagation. Previously, SSE connections would fail to maintain authentication when refresh tokens were involved. This fix ensures seamless real-time event streaming in authenticated dashboard contexts without manual cookie management workarounds.

Documentation: clarified default access control behaviour in activity module. No code changes.

**Data Table Primitives**: Expanded primitive components for data tables give you finer control over column rendering, sorting, and filtering. Build custom table layouts without fighting the component API. **Full-Width Dashboard Shell**: The dashboard container now respects full-width layouts, eliminating padding constraints for edge-to-edge content. Useful for immersive data visualizations and full-bleed sections. **Dependencies**: Updated Next.js to 16.2.6 for stability and performance improvements. No breaking changes. Existing dashboards continue to work; new primitives are opt-in.

- fix(deps): override vulnerable fast-xml-builder (#48)

- fix(auth): propagate account deletion hardening

- fix: align commerce surfaces with feature matrix (#46)

- fix(tl02): align showcase visuals with Nexus spec (#45)

- fix(mech-review): clear release findings

- fix(health): create local uploads dir before probe (#42)

- fix(marketing): gate demo copy for buyer builds (#40)

- fix(a11y): propagate base skip links and focus rings (#38)

- fix(ui): replace hardcoded colour classes with semantic tokens

- feat(demo): add Template Empire live demo banner (#35)

- fix(package): slim buyer zip contents

- test: allow db-backed vitest hooks to complete

- fix(ui): use buyer brand placeholder in inherited chrome

- fix(db): wait for demo postgres before migrations

- fix(dev): fail fast when demo database is unavailable

- fix(ui): preserve outline button contrast

- fix(theme): align accent token with catalogue

- fix(deps): satisfy full dependency audit

- fix(tl02): remove hardcoded api docs styling - fix(tl02): stabilise api docs lighthouse - test(tl02): use pnpm for e2e dev server - fix(tl02): stabilise buyer e2e checks - docs(readme): align TL02 release version - fix(theme): enforce globals-driven styling - fix(landing): align TL02 with command-centre research layout - fix(api): stabilise timing-safe response delay - fix(theme): make TL02 palette globally customisable

_(no release notes provided)_

_(no release notes provided)_

- fix(tl02): stabilise tests and showcase landing - fix(email): escape CTA href attributes - feat(landing): TL02-specific hero + features — trust-first §14.2 redesign

- feat(tl02): phase 4 b8 — backend differentiators (demo seed, email templates, breadcrumbs)

- feat(tl02): phase 4 b7 — admin utilities (settings store + cmd+k palette)

- feat(tl02): phase 4 b6 — dashboard command-center widgets

- feat(tl02): phase 4 b5 — audit log viewer with diff view

- feat(tl02): phase 4 b4 — import/export with validation preview

- feat(tl02): phase 4 b3 — bulk ops + URL filters + inline edit + date range

- fix(tl02): block login() for suspended users (Phase 4 B2 follow-up)

- feat(tl02): phase 4 b2 — user & role management UI

- feat(tl02): phase 4 b1 — relational RBAC schema + service helpers

- feat(tl02): phase 4 b0 — admin paradigm foundation reset (§14.2)

- feat(activity): backport activity-timeline helper (Phase 3.7)

- feat(uploads): backport file-upload abstraction (Phase 3.6)

- feat(events): backport in-memory event bus + SSE primitive (Phase 3.5)

- feat(data-table): backport generic DataTable primitive (Phase 3.4)

- feat(commerce): backport Stripe Connect marketplace primitive shim (Phase 3.3)

- feat(commerce): backport commerce.mode + commerce.requireAccount flags

- feat(marketing): adopt per-family content override slots from TL00-BASE v1.6.0

- ci: pass catalogue-canonical theme tokens to mech-review

- fix(copy): secondary marketing sweep + TL02 dark-mode default

- fix(copy): replace false hero/marketing claims with truthful foundation framing

- feat(config): backport SITE_CONFIG.auth + SITE_CONFIG.commerce flags

- fix(base): propagate TL00-BASE v1.4.0 universal deltas

- fix(licence): commit licence.json placeholder so CI prebuild can run

- fix(package): exclude .npmrc from buyer ZIP

- fix(ci): mech-review now runs on GH Release ZIP regardless of Supabase upload

- fix(toolchain): pin packageManager: pnpm@10.33.0 + tighten engines.pnpm

- fix(ci): chain release → publish → mechanical-review in single workflow - chore(ci): inherit canonical workflows from TemplateEmpire/.github

v1.3.1 — backport user.login_failed + sweep from TL00-BASE v1.3.1 Verified 11/11 PASS by te-verify-fullstack v0.2.1. Backport from TL00-BASE v1.3.1 (commit 5926a75).