Changelog | Larkum

2026-03-04 - MFA Rollout, Invitation Flow, and Account Recovery Controls

Introduced full MFA onboarding and verification improvements, role-aware invitation prompts, and admin recovery/reset controls.

Updated MFA verification page UX to default to authenticator app when configured, with quick switch to email or recovery code methods.
Added post-login MFA invitation screen in login-page style with role-aware messaging (recommended for members, mandatory wording for admin/mod roles).
Added decline tracking so dismissed MFA invitations are recorded and not repeatedly shown unless manually reset.
Added admin-side user MFA reset action to clear authenticator/email MFA and recovery codes when a user loses access.
Added superadmin-only action to reset a user's declined MFA invitation state so prompt flow can be re-issued.
Added account-level MFA decision visibility by showing invitation decline timestamps/notes and moderation notes in account/admin user views.
Updated MFA setup flow to include scannable QR code, manual secret display, and one-click copy button for easier mobile authenticator setup.

Added a new admin area to disable and enable major site features without editing environment files.

Added an Admin > Features page where blog and automation can be toggled on or off.
Added database-backed feature flags with admin change tracking for runtime feature state.
Updated route protection to use feature middleware so disabled features return 404 immediately.
Updated admin navigation and dashboard logic to respect current feature toggle state.

Hardened uptime detection to reduce false alerts and added one-click admin maintenance tooling.

Adjusted scheduler strategy for uptime checks to improve compatibility on shared hosting environments.
Added manual 'Run Manual Check' action on the uptime dashboard for sanity checks.
Implemented staged outage confirmation logic with repeated probes and delayed reconfirmation before marking down.
Set configurable uptime target threshold to 95% and updated graph/legend status logic.
Added admin dashboard one-click maintenance action for migrate, cache clear, and cache rebuild commands.

Expanded uptime access controls, added role-based admin invites, and updated Plex monitor target reachability.

Changed Plex uptime target to plex.harrisonlink.uk on port 443 for reliable remote-server connectivity.
Added admin invite flow with email + role selection (Member, View Access, Admin).
Updated invite acceptance flow to create account with real name, locked email display, and password setup.
Added per-user toggle for View Access accounts to disable or enable uptime alert emails.
Updated uptime alert recipients to include admins and View Access users with notifications enabled.

Added backend Plex uptime monitoring with transition alerts, a 90-day graph dashboard, and a view-only observer role.

Added scheduled uptime checks for harrisonlink.uk:32400 with one alert on offline transition and one alert on recovery.
Added persistent uptime samples and outage events for historical analysis.
Added private uptime dashboard with 90-day daily graph and uptime/downtime percentage stats.
Added Uptime Observer role with read-only access to uptime pages.
Added admin user tools to create/assign/remove Uptime Observer access via invite-capable flow.

Added a public changelog page and footer link so updates are visible on the site.

All site requests and generated URLs are now forced to HTTPS.

Introduced invite-based user accounts, separated admin vs user areas, and added user lifecycle automation.

Added admin-only and non-admin middleware for access control.
Added user invite flow with emailed invite links and acceptance pages.
Added user portal routes for ticket history, ticket details, and account password updates.
Added admin user management and inactivity jobs for warning and pruning inactive users.
Updated navigation/login flow to route admins and users to their respective dashboards.

Expanded ticketing to support robust email workflows, lifecycle automation, and admin tooling.

Enabled IMAP ingestion from support inbox and scheduled polling via Laravel scheduler.
Added 6-digit random unique ticket number allocation with reuse policy tracking.
Added lifecycle jobs: 24-hour expiry warning, 15-day inactive close, 90-day archive, and 2-year prune.
Added admin ticket merge flow for duplicate issues from the same requester.
Updated ticket email behavior to use support@larkum.uk with ticket number-based subject matching.

Delivered end-to-end ticket updates with link-only access, notifications, and inbound reply support.

Added tokenized ticket access links and reply tokens on tickets.
Added public ticket portal for viewing, replying, and closing tickets via secure links.
Added themed HTML ticket update emails with user/admin links and close-ticket action.
Added inbound email webhook endpoint with sender checks to append replies to tickets.
Wired notifications for new tickets, replies, status changes, and ticket closure.

Migrated from static starter files to a Laravel application with initial ticketing, blog, and admin controls.

Scaffolded Laravel app structure in repository root with routes, controllers, and Blade views.
Added initial ticket, ticket reply, and blog post models/migrations.
Added contact ticket submission flow and public blog pages.
Added admin login flow, dashboard, admin blog management, and admin ticket management routes.
Prepared deployment workflow for shared hosting and Laravel public/ serving.