What shipped
All reposKey FrontendKeystoneKey Service Sites (KSL/GHK)Training Centre (STC/CPD)Key ProtosKeyflowCompany Backend (Strapi)Key Docs
All authorsJoshYG-TheKeyOwenTourlamainRhadamanthus1TheTomWardalex-wilson-the-keycpoteylunky84robin-agentsarahcthekeysnyk-io-eu[bot]
28 PRs · 4 repos · 8 contributors · 6 Jun – 6 Jul
Monday, 6 July 2026
Key Frontend
- JJoshYG-TheKeyThe frontend now displays AI-generated answers with styled source links to knowledge documents, enabling users to see where KeyGPT found its information.#2109 — feat(sources): PENG-3401 apply keydoc-aware source styling to KeyGPT messages
Keystone
- Rrobin-agentKeystone's gRPC calls now have timeouts to prevent workers from hanging indefinitely on slow services, retries for transient failures, and the assignment cleanup moved off the blocking request path.#1497 — feat: PENG-3675 gRPC deadlines, retries & async assignment cleanup (supersedes #1496)
Thursday, 2 July 2026
Key Frontend
- CcpoteyRestored a missing academic year filter that wasn't appearing when viewing school organization pages in group workspaces.#2120 — fix(3674): add missing academic year picker
- Rrobin-agentEnabled administrators to assign coming-soon training items in advance and fixed the My Training notification badge to exclude those items that aren't yet available.#2108 — feat: PENG-3648 make coming-soon items selectable and fix badge count
- TTheTomWardUpdated user-facing text on training records pages to provide clearer information to end users.#2119 — fix(update-copy): PENG-3603 Update copy for better info on training records
Keystone
- Rrobin-agentAutomatically deleted orphaned training assignments when a user account is permanently removed from the system to prevent data inconsistencies.#1494 — feat(signals): PENG-3643 delete assignments when KeyUser is deleted
Wednesday, 1 July 2026
Key Frontend
- Llunky84The frontend now includes a record ID in API requests for certificate retrieval, enabling the system to fetch certificates based on specific record identifiers.#2116 — PENG-3540 certificates from record id
Keystone
- Llunky84User authentication now bypasses caching during password resets so that login immediately validates against the new password hash instead of stale cached credentials.#1493 — PENG-3667 fix reset password stop caching KeyUser
Tuesday, 30 June 2026
Key Frontend
- Aalex-wilson-the-keyRemoved a temporary restriction on training assignment creation that is no longer needed.#2115 — Revert " PENG-3663 assign training academic year date restriction"
- Llunky84Fixed certificate downloads to match what's actually displayed in the table by reusing existing download logic instead of re-querying the server with different filters, and cleaned up orphaned code.#2114 — 3540 certificates download refinements
- Llunky84Added a restriction to prevent training assignments from being created beyond the current academic year.#2113 — PENG-3663 assign training academic year date restriction
- Llunky84Unified certificate downloads across multiple apps by routing them through the orchestration service and consolidated duplicated code into shared utilities.#2107 — 3540 call orca service for certificates
Friday, 26 June 2026
Key Frontend
- CcpoteyFixed CSS cascade ordering issues in Next.js by adding !important declarations to ensure styles apply correctly.#2110 — fix(3653): fix css in wrong order
- CcpoteyRestored the ability for logged-out users to return to their original training link after login by preserving and passing through the return URL across the authentication flow.#2101 — fix(3642): add return url chaining to training app correctly
Keyflow
- CcpoteyEnsured the local development database doesn't restore a stale deprecated validation URL when reset, preventing authentication issues during testing.#68 — fix(db): PENG-3645 clear MYKEY authorisation_redirect_url in set-data…
Keystone
- CcpoteyRemoved a stale redirect URL from the MYKEY application record that was causing login flows to hit a deprecated endpoint instead of returning users to their intended destination.#1490 — fix(auth): PENG-3645 clear MYKEY authorisation_redirect_url via data …
Thursday, 25 June 2026
Key Frontend
- Rrobin-agentThe expired assignment feature is now enabled in production, allowing users to see assignments marked as expired at the end of the academic year instead of overdue.#2105 — feat: enable SHOW_EXPIRED_ASSIGNMENTS in production
- Llunky84Staff members with in-progress courses now appear in the course result table filter under their current academic year instead of being hidden when their completion date is missing.#2106 — PENG-3647 course result table date filter fix
- Rrobin-agentAdmins assigning training courses now receive warnings when selecting courses being replaced, the extend assignment feature has been removed from the UI, and expiry messaging has been updated to reflect the new academic year-end expiration model.#2104 — feat(training): course end date restrictions and expired assignment updates
- Llunky84An empty commit was created to resolve a technical pipeline issue unrelated to functionality.#2102 — chore: empty commit to trigger pipeline
- Aalex-wilson-the-keyThe training app was refactored to use a new orca service for handling certificates instead of the previous implementation.#2093 — PENG-3540 certificates via orca service
- CcpoteyA timing fix prevents training data from being incorrectly recorded under the wrong organization when workspace switches fail.#2100 — fix(3636): tiny tweak to switch and start ordering
Wednesday, 24 June 2026
Company Backend (Strapi)
- Rrobin-agentFixed security vulnerabilities in lodash-es and fast-xml-parser by adding dependency overrides and upgrading packages to safer versions.#68 — fix: PENG-3041 override lodash-es and upgrade fast-xml-parser to 5.x
Key Frontend
- SsarahcthekeyUpdated the protobufjs library to patch 7 high-severity security vulnerabilities that were affecting multiple parts of the application through its dependencies.#2099 — fix(deps): PLA-411 bump protobufjs to 7.6.4 to fix 7 high-severity CVEs
Tuesday, 23 June 2026
Company Backend (Strapi)
- Rrobin-agentAdditional vulnerable transitive dependencies in company-backend have been patched through pnpm overrides to address remaining security vulnerabilities like prototype pollution and HTTP response splitting issues.#67 — fix: PENG-3041 override additional vulnerable transitive dependencies
- Rrobin-agentSeventy-one vulnerable transitive dependencies introduced by Strapi have been mitigated by pinning safe patched versions through pnpm overrides, addressing critical security issues while maintaining API compatibility.#66 — fix: PENG-3041 override vulnerable transitive dependencies
Key Frontend
- OOwenTourlamainThe dashboard now groups overdue and expired assignments under a single 'Overdue' label while keeping separate visual indicators in tables, and fixes progress bars to show the combined proportion of overdue work in red and expired work in dark red.#2084 — feat: PENG-3480 expired assignment status
- Rrobin-agentSocket.IO WebSocket connections from the browser to the assistant tunnel on rentabot are now proxied through the frontend domain to avoid being blocked by Cloudflare Access restrictions.#2095 — fix: PENG-3498 proxy Socket.IO through frontend domain on rentabot