🚀 Features
DEV-16051 – Delivered a new Menu Management screen in the new Web UI, allowing administrators to configure and manage navigation menus directly within the platform.
DEV-16042 – Implemented the Org Structure view in the new Web UI, bringing organizational hierarchy management to parity with the legacy interface.
ZEN-47805 – Introduced Automatic Expense Approval Rules, allowing tenants to define conditions for auto-clearing expenses upon settlement. Rules are evaluated in order with first-match-wins logic, with both a master switch and per-rule toggles.
ZEN-48296 – Added Budget Allocation Reclaim, enabling finance and admin users to recover unused budget from allocations by percentage or absolute amount, with full audit trail via auto-approved change request records.
INF-1588 – Added backend support for Card Terms & Conditions Consent acceptance flow.
INF-1600 – Added ICC Clearing File Exchange Rate support in the ledger, with a new preview API for inspecting clearing files before processing and an optional feature flag to derive conversion rates from clearing data.
INF-1596 – Added DiPocket transaction list, company account endpoints, and improved error handling.
🛠 Improvements
DEV-16045 – Added navigation linkage between the legacy Angular UI and the new React UI, enabling users to transition between interfaces seamlessly.
DEV-16004 – Moved the "Jobs Report" access to a top-right icon for improved discoverability and consistency with the overall UI layout.
INF-1568 – Added user avatar photos in the new Web UI and sourced the build version from GitHub tags.
DEV-16089 – Reworked page metadata for browser tab titles into a reusable utility hook for consistency across all pages.
ZEN-47407 – Made merchant budget restrictions editable, allowing budget owners and admins to remove and modify merchant restrictions. Also fixed a "Categorys" → "Categories" typo.
ZEN-48294 – Granted read access to OrgTeam.findWithHierarchyMapping for all authenticated users, fixing permission issues for roles like team-manager that need to view team hierarchy data.
DEV-16040 – Added a front-end security review agent to the development toolchain for automated security assessments of UI code changes.
🐛 Bug Fixes
ZEN-47962 – Fixed an issue where the hideLimits flag was overwritten to null when admin users created business trip activities, and ensured budget allocations correctly inherit limit-visibility flags from the parent allocatable.
ZEN-48142 – Fixed a critical issue where future-dated settlement timestamps from card-network clearing files caused budget utilization to freeze, allowing spend beyond the allocated budget. Timestamps are now capped at server time and stale events trigger a fresh recalculation.
ZEN-48084 – Resolved an issue where merchants with explicitly excluded expense types still appeared in cost-type filtered search results due to missing scope-priority deduplication.
ZEN-48488 – Fixed a bug where keywords passed in the createActivity payload were silently ignored because hasOwnProperty fails on LoopBack model instances. The payload is now converted to a plain object before processing.
ZEN-48225 – Fixed the recurring bulk activity dialog (Employee Helpdesk) not displaying the recurring type and end date by reading from the correct data source with appropriate fallback.
INF-1598 – Added a null guard for invalid companyId in /Features/getFeaturesPerCompany to prevent uncaught errors.
🔧 Infrastructure & Maintenance
INF-1592 – Upgraded the legacy Angular UI from Angular 18 (end-of-life) to Angular 20, along with all peer dependencies.
INF-1603 – Fixed Angular Material UI regressions after the Angular 18→20 upgrade: removed hidden checkboxes in button toggles that shifted text, and added spacing between chip groups on the employee helpdesk screen.
INF-1591 – Updated dependencies across multiple services for security and compatibility.
INF-1595 – Replaced node-canvas with @napi-rs/canvas in custodia-cdr for improved compatibility and reduced native build requirements.
INF-1601 – Improved S3 client resilience: filtered noisy NoSuchKey errors, added proxy timeouts, hardened rename operations, and fixed async/cleanup issues in bucket file processing.
INF-1602 – Improved the compress mixin to recover from corrupted or uncompressed data in compressed database columns, with automatic re-compression on next persist.
DEV-16077 – Merged the custodia-ui-2 branch into main and resolved build errors.
⚠️ Important Notice: Node.js 20 End-of-Life
Node.js 20 reaches end-of-life on April 30, 2026. After this date, Node.js 20 will no longer receive security patches, critical bug fixes, or any upstream support. Partners and customers still running Custodia services on Node.js 20 should plan their upgrade to Node.js 22 LTS (supported until April 2027) before the deadline. Running end-of-life runtimes may also impact compliance posture for SOC 2, PCI DSS, and ISO 27001 audits. We strongly recommend completing the migration by the end of March 2026.