Changelog

Casillero automático en registro web, numeración de pre-alertas, notificación al staff, seguridad completa: CORS activo, security headers endurecidos (COOP, CORP, preload HSTS, object-src none) y RLS completado en todos los modelos con organization_id.

v1.3.2 Highlights

• Registro en /register: clientes de la org principal reciben casillero único automático — el primer registrante crea la organización (instalación inicial)
• Pre-alertas: número legible generado al crear (PA-YYYY-NNNNN, usando el ID de BD — sin race conditions)
• Notificación al staff (admin/empleados) al recibir nueva pre-alerta via broadcast()
• CORS activado: config/cors.php creado + HandleCors registrado en stacks web y API
• Security headers endurecidos: COOP, CORP, X-Permitted-Cross-Domain-Policies, preload en HSTS, object-src 'none', worker-src
• RLS completado: BelongsToTenant añadido a CustomerContact y GeocodedAddress (únicos modelos con organization_id que faltaban)

Casillero & Registro Web

• RegisteredUserController — lógica bifurcada: si existe organización → cliente + casillero; si no existe → crea org + admin
• Casillero asignado via LockerCodeService::generate() — respeta formato configurado (secuencial o aleatorio) por organización
• Unicidad garantizada: verificación en servicio + constraint UNIQUE(organization_id, code) en DB
• Tras registro el cliente es redirigido a /my-locker
• NOTA: La ruta /register/customer/{slug} mantiene su comportamiento inalterado

Pre-Alertas

• Nueva columna pre_alerts.pre_alert_number (migración 2026_04_22_000001): VARCHAR(30) + índice compuesto
• Número generado en PreAlertController::store() formato PA-2026-00001 usando $preAlert->id
• Campo añadido a PreAlert::$fillable
• Nuevo listener NotifyStaffOnPreAlertCreated: notifica a todo el staff via InAppNotificationService::broadcast() cuando un cliente crea una pre-alerta
• Registrado en DomainEventServiceProvider como segundo listener de PreAlertCreated
• Claves de idioma añadidas en lang/es/pre_alerts.php y lang/en/pre_alerts.php: notification_staff_created_title y notification_staff_created_body

Seguridad — CORS, Headers & RLS

• CORS (config/cors.php): paths api/* + sanctum/csrf-cookie; allowed_origins desde CORS_ALLOWED_ORIGINS env o APP_URL; métodos: GET/POST/PUT/PATCH/DELETE/OPTIONS; credentials: true; max_age: 7200s
• HandleCors registrado en bootstrap/app.php: prepend en stack web y stack API
• Security Headers nuevos:
  • X-Permitted-Cross-Domain-Policies: none — bloquea crossdomain.xml de Flash/Adobe
  • Cross-Origin-Opener-Policy: same-origin — aísla el contexto de navegación (mitigación Spectre)
  • Cross-Origin-Resource-Policy: same-origin — impide que otros orígenes embebatan recursos
  • Strict-Transport-Security: añadido preload (elegible para lista HSTS preload de navegadores)
  • Permissions-Policy: añadidos usb=(), bluetooth=(), serial=(), hid=()
  • CSP: añadidos object-src 'none' (bloquea plugins), worker-src 'self' blob: y upgrade-insecure-requests
• RLS — Row Level Security completado: BelongsToTenant añadido a CustomerContact y GeocodedAddress. Total modelos con scope tenant: 34/34 (todos los que tienen organization_id). Modelos excluidos correctamente: Organization (es el tenant), User (gestión especial), PersonalAccessToken, SaasPlan, City, Country, State, Currency (datos globales sin tenant)

Archivos Modificados

• app/Http/Controllers/Auth/RegisteredUserController.php — bifurcación cliente/org-owner
• app/Http/Controllers/PreAlertController.php — genera pre_alert_number
• app/Models/PreAlert.php — pre_alert_number en fillable
• app/Models/CustomerContact.php — BelongsToTenant añadido
• app/Models/GeocodedAddress.php — BelongsToTenant añadido
• app/Listeners/NotifyStaffOnPreAlertCreated.php — nuevo archivo
• app/Providers/DomainEventServiceProvider.php — listener staff registrado
• app/Http/Middleware/SecurityHeaders.php — headers adicionales
• bootstrap/app.php — HandleCors en web y API
• config/cors.php — nuevo archivo
• lang/es/pre_alerts.php y lang/en/pre_alerts.php — claves staff
• database/migrations/2026_04_22_000001_add_pre_alert_number_to_pre_alerts_table.php

Complete permission system overhaul — removed all premium/orphaned permissions, added all missing Plus module permissions (Pickups, Lockers, Pre-Alerts, Commissions, Contracts, Returns, COD, Locations, Import), hardened every module route with can: middleware, and corrected 9 nav visibility checks. Final state: 94 permissions, all belonging to Deprixa Plus (zero premium).

v1.3.1 Highlights

• 94 permissions in total — every permission belongs to Deprixa Plus; zero premium/SaaS permissions remain in the database
• 7 premium permissions removed from DB and routes reguarded: manage organizations, view saas billing, manage saas billing, recharge wallet, view organizations, manage settings, manage users — routes now use role:super-admin
• 5 settings API permissions removed: settings.api.view, settings.api.tokens.manage, settings.api.clients.manage, settings.api.webhooks.manage, settings.api.logs.view — routes now use role:admin|super-admin
• All module permissions properly added and gated: Pickups, Lockers, Pre-Alerts, Commissions, Contracts, Returns, COD, Locations, Import
• Roles matrix now shows all 94 permissions in 37 groups; Admin can toggle any permission for Employee, Driver, and Customer roles
• 9 nav config items corrected to use the right permission for sidebar visibility
• SQL dump (database/sql/deprixa_lite.sql) fully synchronized — migrations 114–117 added, role_has_permissions updated for all roles

Permission System Remediation

• Removed premium permissions: manage organizations, view saas billing, manage saas billing, recharge wallet, view organizations, manage settings, manage users — deleted from DB; routes changed to role:super-admin
• Removed settings API permissions: settings.api.view, settings.api.tokens.manage, settings.api.clients.manage, settings.api.webhooks.manage, settings.api.logs.view — deleted from DB; routes changed to role:admin|super-admin
• Added Pickups: pickups.view, pickups.create, pickups.manage
• Added Lockers (admin): lockers.view, lockers.manage
• Added Pre-Alerts: pre-alerts.view, pre-alerts.create, pre-alerts.manage
• Added Commissions: commissions.view, commissions.manage
• Added Contracts: contracts.view, contracts.create, contracts.manage
• Added Returns: returns.view, returns.create, returns.update
• Added COD: cod.view, cod.collect, cod.remit
• Added Locations: locations.view, locations.manage
• Added Import: shipments.import
• Migrations: 2026_04_19_000001_cleanup_orphaned_permissions, 2026_04_19_000002_add_missing_module_permissions

Routes & Middleware Hardening

• GET /pickups/* → can:pickups.view; mutating routes → can:pickups.manage
• GET /lockers/* → can:lockers.view; mutating routes → can:lockers.manage
• GET /pre-alerts/* → can:pre-alerts.view; create → can:pre-alerts.create; admin actions → can:pre-alerts.manage
• GET /commissions/* → can:commissions.view + edition:commissions; mutating → can:commissions.manage
• GET /contracts/* → can:contracts.view + edition:contracts; create → can:contracts.create; mutating → can:contracts.manage
• GET /returns/* → can:returns.view; create → can:returns.create; update → can:returns.update
• GET /cod/* → can:cod.view; collect → can:cod.collect; remit → can:cod.remit
• GET /locations/* → can:locations.view; mutating → can:locations.manage
• POST /shipments/import → can:shipments.import
• /settings/shipment-statuses → can:settings.shipment-statuses.view/manage
• /settings/services → can:settings.services.view/manage
• /settings/updates → can:settings.updates.view
• /settings/hs-codes → can:settings.hs-codes.view/manage
• /settings/integrations → can:settings.integrations.view/update
• /admin/* → role:super-admin (was can:manage organizations)
• /my-billing/* → role:super-admin (was can:view saas billing)
• /api-tokens + /settings/api/* → role:admin|super-admin

Navigation Config Fixes

• Warehouse nav item: dispatch.create → warehouse.access
• Pickups nav item: dispatch.create → pickups.view
• Lockers nav item: dispatch.create → lockers.view
• Pre-Alerts nav item: dispatch.create → pre-alerts.view
• Customers nav item: manage users → customers.access
• Contracts nav item: customers.access → contracts.view
• Commissions nav item: finance.view → commissions.view
• Rates nav item: settings.shipping-config.view → settings.pricing.view
• Locations nav item: settings.company.view → locations.view

Roles Matrix

• Settings → Roles matrix now shows all 94 permissions in 37 groups
• All new module groups visible: Pickups, Lockers, Pre-Alerts, Commissions, Contracts, Returns, COD, POD, Customs, Locations
• Super-admin: 94/94 permissions; Admin: 94/94; Employee: 40; Driver: 8; Customer: 5
• Admin can toggle any permission for Employee, Driver, and Customer roles from the matrix
• Customer role (5 perms): view dashboard, create shipments, tracking.view, pre-alerts.view, pre-alerts.create
• Driver role (8 perms): view dashboard, dashboard.kpi.view, dashboard.activity.view, dispatch.view, dispatch.update, dispatch.access, change status shipments, tracking.view
• Employee role (40 perms): all operational permissions — shipments, dispatch, warehouse, customers, pickups, pre-alerts, lockers.view, import, returns, COD, POD, customs.view, contracts.view/create, locations.view, finance, billing.view, pricing.view, settings.shipment-statuses.view, settings.services.view
• Admin role (94 perms): all 94 Plus permissions
• Super-admin: synced to Permission::all() — always 100%

Database & SQL Dump

• database/sql/deprixa_lite.sql fully synchronized with all permission changes
• Migrations table: entries 114–117 added
• role_has_permissions updated for all roles (super-admin, admin, employee, driver, customer)
• Zero premium permissions in the SQL dump
• Migration 2026_04_18_000002_add_module_permissions — adds pickups, lockers, pre-alerts, commissions permissions
• Migration 2026_04_19_000001_cleanup_orphaned_permissions — deletes all premium/orphaned permissions
• Migration 2026_04_19_000002_add_missing_module_permissions — adds contracts, locations, shipment-statuses, services, updates permissions

Introduces the Customer Self-Registration Portal, a complete invitation system for staff and customers, My Locker customer dashboard, and critical role security hardening for the customer role.

v1.3.0 Highlights

• Customer self-registration portal at /register/customer/{org-slug} — customers sign up independently with full org branding (logo, color)
• Staff invitation system — creating a user sends a secure email invitation; no password is set by the admin
• Customer portal invitation from the Customers module — invite customers directly from admin panel or resend from their profile
• My Locker — dedicated customer dashboard at /my-locker showing the customer's locker, pre-alerts, and shipment counters
• Customer Portal Link in Settings → Company — one-click copy and preview of the public registration URL
• Customer role security hardened: removed customers.access, dashboard.kpi.view, dashboard.activity.view — customers can no longer access the admin area
• All data scoped to the customer: pre-alerts and shipments filtered by customer_id / created_by when the logged-in user has the customer role
• Customers redirected to /my-locker on login and dashboard access — never land on the admin logistics dashboard
• SMTP fallback: if email is not configured, invitation URL displayed in the dashboard for manual sharing
• All new UI strings fully internationalized — English and Spanish (en.json, es.json, lang/en/, lang/es/)

Customer Portal

• Public self-registration page per organization at /register/customer/{slug}
• Registration page inherits organization branding — logo, name, and primary color
• Fields: name, email, phone (optional), password, confirm password
• Email uniqueness is scoped per organization — the same email can exist in different organizations
• After registration, customer is auto-logged-in and redirected to My Locker
• Rate-limited: max 10 registration attempts per minute per IP
• Inactive organizations return a 404 — registration link only works for active organizations
• Translation files: lang/en/customer_portal.php and lang/es/customer_portal.php
• Routes: GET|POST /register/customer/{slug} → customer.portal.register / customer.portal.register.store

Invitation System

• Creating a staff user (Settings → Users) now sends a UserInvitationMail — no password set by admin
• Invitation token: Str::random(64), stored in users.invitation_token, valid 7 days
• Resend Invitation action in user dropdown menu (visible for users with pending invitations)
• Creating a customer from the admin panel also sends a portal invitation email
• Customer Detail page shows portal status badge: Active / Pending / No Access
• Resend invitation button on Customer Detail page
• If SMTP not configured: invitation URL exposed in amber banner — admin can copy and share manually
• Translation files: lang/en/invitation.php and lang/es/invitation.php
• DB columns added to users: invitation_token (varchar 100, unique), invitation_sent_at (timestamp), invitation_accepted_at (timestamp)
• Routes: GET /invitation/{token} → invitation.show | POST /invitation/{token}/accept → invitation.accept
• Routes: POST /settings/users/{user}/resend-invitation → settings.users.resend-invitation
• Routes: POST /customers/{customer}/resend-portal-invitation → customers.resend-invitation

My Locker (Customer Dashboard)

• Dedicated customer dashboard at /my-locker
• Displays the customer's assigned locker: code, address, warehouse
• Pre-alert list scoped to the logged-in customer with status counters (pending, received, converted, cancelled)
• All data is strictly scoped to customer_id = Auth::id() — no cross-customer data exposure
• Navigation item visible to all authenticated users without additional permission

Security — Customer Role Hardening

• Removed customers.access from customer role — customers could previously access the customer management admin area
• Removed dashboard.kpi.view and dashboard.activity.view from customer role
• Customer role now holds exactly: view dashboard, create shipments, tracking.view
• LoginController: customers redirected to /my-locker after login (all other roles → /dashboard)
• DashboardController::index(): redirects customers to /my-locker as a secondary guard
• PreAlertController::index(): scopes results to customer_id = Auth::id() for customer role
• ShipmentController::index(): scopes results to created_by = Auth::id() for customer role; stats follow same scoping
• All role name references normalized to lowercase 'customer' throughout codebase (CustomerController, CustomersExport, CustomersImport, DeprixaProImporter, ContractController)
• Migration: 2026_04_18_000001_fix_customer_role_permissions

Settings — Customer Portal Link

• Settings → Company now shows a Customer Portal Registration Link section
• Displays the full public URL for customer self-registration under this organization
• One-click Copy button with visual feedback (icon changes to checkmark after copy)
• Preview button opens the registration page in a new tab for testing

Database & Demo SQL

• users: added invitation_token (varchar 100, unique), invitation_sent_at, invitation_accepted_at (timestamps)
• Migration 2026_04_17_600001_add_invitation_fields_to_users_table
• Migration 2026_04_18_000001_fix_customer_role_permissions — revokes excess permissions from customer role
• database/sql/deprixa_lite.sql updated: role_has_permissions and migrations table aligned with all of the above

First public release of Deprixa Plus on Envato CodeCanyon — a complete courier and logistics management platform built with Laravel 12, React 18, and Inertia.js.

v1.2.0 Highlights

• Invoice number permanently stored in database at shipment creation — guarantees audit trail and financial traceability across all time
• Invoice search now covers both tracking number and invoice number simultaneously
• COD (Cash on Delivery) module: full field set on shipments — is_cod, cod_amount, cod_currency, cod_status, cod_collected_at, cod_collected_by
• Proof of Delivery module: capture signatures, photos, and recipient confirmation linked to each shipment
• Return Shipments module: manage reverse logistics with full status lifecycle
• HS Codes & Customs Declarations: international shipment compliance fields
• Import Jobs: bulk shipment import tracking with validation and error reporting
• Install wizard fully automated — imports database, runs pending migrations, and creates storage symlink in a single flow with zero manual steps
• Production-hardened CSP — all dev-server origins removed from security middleware
• Sequential numbering system: configurable prefix, padding, and periodic reset rules for both invoice numbers and tracking numbers

Shipments Module

• Full shipment lifecycle management: Created → Assigned → Picked Up → In Transit → Out for Delivery → Delivered
• Exception recording with reason codes and reattempt scheduling
• On Hold and Returned status branches with appropriate next-action flows
• Auto-generated tracking numbers in TRK######## format (8-digit zero-padded sequential)
• Shipment creation wizard: Sender/Receiver → Package Details → Service Selection → Review & Confirm
• Bulk status updates with branch-level permission controls
• Shipment label PDF generation in four formats: A4 Full Page, A4 Half Page, Thermal 4×6, Thermal 4×4
• Clone shipment functionality for recurring senders and receivers
• Archive shipments to keep the active list clean without deleting records
• Full activity log per shipment capturing every status change, user action, and timestamp
• Multi-dimensional search and filter: status, date range, courier, branch, service type, zone, COD, exception flag, client, tracking number
• COD (Cash on Delivery) tracking with reconciliation flags
• Parcel dimensions and weight capture with volumetric weight calculation
• Fragile goods and declared value fields
• Internal reference number field for e-commerce order correlation
• File attachments per shipment (photos, documents, proof of delivery)
• Export shipment list to CSV

Dispatch Module

• Dispatch board showing unassigned and in-progress shipments for the current branch
• Individual and bulk assignment of shipments to couriers
• Auto-optimize route engine (POST /dispatch/auto-optimize) — groups shipments by zone and assigns to optimal couriers
• In-app courier notification on assignment
• Re-assignment and unassignment from the dispatch board
• Real-time driver locations map showing courier GPS positions, last update time, and assigned shipment count
• Driver location history playback for any courier and any date (retained 30 days)
• Dispatch board filters: branch, courier, zone, status, date, service type

Customers Module

• Individual and company client profiles with full field sets (name, type, ID/tax number, email, phone, address, tags, notes)
• Customer list with search by name, phone, email, or ID
• Filter by customer type, city, and tags
• Shipment history tab per customer showing all linked shipments with status and date
• Customer summary stats: total shipments, total billed, outstanding balance
• CSV import with downloadable template and import preview
• CSV export respecting active filters
• Quick-create modal from within the shipment wizard — create a customer without leaving the form
• Search-as-you-type customer lookup in shipment forms with address auto-fill
• Soft delete (archive) for customers with linked shipments

Rates & Pricing Module

• Geographic zone management — name, code, description, city assignments
• Rate card creation per origin zone → destination zone → service type combination
• Weight-tier rate rules with base price, per-kg surcharge, and dimensional weight factor
• Automatic price calculation at shipment creation based on zones, weight, and service type
• Price override capability for operators with appropriate permission
• Internal rate calculator (staff): enter origin, destination, weight, dimensions → get full price breakdown
• Public rate calculator at /rate — no login required, for customer self-service quotes
• Rate card active/inactive toggle for managing pricing changes without deleting history

Billing Module

• One invoice per shipment — auto-generated at shipment creation
• Billing list with filters by date range, payment status, and branch
• Invoice detail page with full company branding, line items, tax breakdown, and payment history
• Payment recording: date, method (cash, bank transfer, card, check), reference number, amount, notes
• Partial payment support — invoice status updates to Partially Paid with remaining balance tracked
• Invoice send via Email (PDF attachment), WhatsApp (link), and SMS (link)
• Single invoice PDF download from detail page
• Bulk PDF export with ZIP packaging from the billing list
• Invoice void capability
• Online payment endpoint (/shipments/{shipment}/payment/success) for gateway integrations
• Tax configuration per organization applied automatically to all invoices

Reports Module

• Financial Report at /reports/financial — revenue by period, paid vs. unpaid, top clients, total shipments, delivered %, exception %
• Revenue bar chart showing billed amounts over time (daily/weekly/monthly granularity)
• Payment status donut chart showing Paid / Partially Paid / Unpaid distribution with collection rate %
• Top 5 clients by revenue table with billed, collected, and outstanding columns
• Filters: date range (7 presets + custom) and branch
• PDF export of the full financial report with charts
• Access restricted to roles with settings.billing.view permission

Dashboard

• KPI cards: Total Shipments, Pending Shipments, Delivered Today, Revenue (MTD), Exceptions (Open), Overdue Invoices
• Recharts-powered charts: daily shipment volume line chart, status distribution donut, revenue by period bar chart
• Logistics sub-dashboard at /dashboard/logistics for operational metrics
• Exception Alert Panel: live list of open exceptions with direct links to affected shipments
• Date range presets plus custom range picker
• Branch filter: Admins and Managers can switch between branches or view company-wide data
• Role-adapted dashboard views: Couriers see only their own assigned shipments; Accountants see financial KPIs

Users & Roles

• Seven roles: Super Admin, Admin, Manager, Dispatcher, Courier, Accountant, Customer
• Spatie Laravel Permission for fine-grained RBAC — permissions covering Shipments, Dispatch, Customers, Billing, Reports, Settings, Rates/Pricing
• Full permission matrix with role-to-permission mapping, customizable per role in Settings → Roles
• Two-factor authentication (TOTP): optional per user or enforced by admin for specific roles
• Recovery codes for 2FA lockout scenarios
• Admin 2FA override for locked-out users (logged in audit trail)
• Password policies: minimum length, complexity requirements, history, expiry, lockout thresholds — configured in Settings → Security
• User deactivation (preserves history) vs. permanent deletion
• User invitation via email with 24-hour expiring activation link
• Role-adapted UI: navigation and features shown/hidden based on the logged-in user's role

Settings

• Company Profile: name, tax ID, address, phone, email, website, logo variants (main, dark, light, invoice, favicon)
• Branding: primary/secondary/accent color configuration, theme selection, font selection
• Locale: language (EN/ES), timezone, date/time format, weight/dimension units, currency with symbol configuration
• Branch management: multi-branch support with individual address, phone, and operational hours per branch
• Shipment status configuration: rename status labels, change indicator colors
• Service type configuration: add, rename, and set expected transit time for each service type
• Notifications: email event triggers with template preview and per-event enable/disable
• Security settings: password policy and session controls including login attempt limits and session timeout
• Tracking page: public tracking toggle, page headline, branded cover image, show/hide courier name
• Shipping config: COD settings, label formats, tracking number prefix
• Audit log: full user action log filterable by user, action type, and date
• Maintenance tools: clear cache, clear sessions, run database backup, enable maintenance mode
• Updates: License activation and OTA update management with version history

Public Tracking

• Public tracking page at /tracking — no login required
• Enter tracking number or scan QR code to view shipment status
• Full status timeline with timestamps, courier notes, and delivery confirmation
• Branded tracking page — shows company logo, colors, and custom headline from Settings → Tracking
• Optional show/hide of courier name on the public tracking page

Public Rate Calculator

• Public rate calculator at /rate — no login required
• Customer selects origin city, destination city, weight, and service type to get a price estimate
• Uses the same rate cards and rules configured in the Rates & Pricing module
• No account or purchase commitment required — purely informational quoting tool

REST API

• Laravel Sanctum token authentication with fine-grained ability scoping
• Base URL: /api/v1 — versioned for forward compatibility
• Shipments endpoints: list, create, get by tracking number, update status, record exception, download label, cancel
• Public tracking endpoint: no authentication required, returns status history
• Customers endpoints: list, create, get, update
• Billing endpoints: list invoices, get invoice (with PDF option), record payment
• Reports endpoint: financial report summary
• Webhook support: shipment status events with HMAC-SHA256 signature verification and retry logic
• Rate limiting per token with differentiated limits for read/write/report endpoints
• Standardized pagination envelope with meta and links objects
• Standardized error responses with code, message, errors, and request_id

Platform & Infrastructure

• Laravel 12 (PHP 8.2+), React 18, Inertia.js 2 — full-stack SPA without a separate API layer for the web UI
• Tailwind CSS 4 + Vite 5 for asset compilation
• Spatie Laravel Permission for RBAC
• Spatie Laravel Activity Log for full audit trails across all models
• DomPDF for server-side PDF generation (invoices, labels, reports)
• Recharts for interactive dashboard analytics
• React i18next for EN/ES internationalization — UI strings, email templates, and PDF content
• Ziggy for exporting named Laravel routes to JavaScript
• Redis support for cache, sessions, and job queues
• Laravel Horizon for queue monitoring
• License activation and over-the-air update delivery integration
• S3-compatible object storage support for document uploads, invoice PDFs, and export files
• Multi-branch architecture: data scoped by branch with cross-branch views for Admin+
• Full dark mode UI with responsive layout (mobile-adaptive sidebar, touch-friendly shipment list)
• Distributed as a ZIP download via Envato/CodeCanyon — no GitHub repository