fix

* user session management

* WIP

* cleanup

* license

* cleanup

* don't cache index

* rename current device property

* fix

apps/client/package.json

@@ -10,76 +10,76 @@
     "format": "prettier --write \"src/**/*.tsx\" \"src/**/*.ts\""
   },
   "dependencies": {
-    "@casl/react": "^4.0.0",
+    "@casl/react": "^5.0.1",
     "@docmost/editor-ext": "workspace:*",
     "@emoji-mart/data": "^1.2.1",
     "@emoji-mart/react": "^1.1.1",
     "@excalidraw/excalidraw": "0.18.0-3a5ef40",
-    "@mantine/core": "^8.3.14",
-    "@mantine/dates": "^8.3.14",
-    "@mantine/form": "^8.3.14",
-    "@mantine/hooks": "^8.3.14",
-    "@mantine/modals": "^8.3.14",
-    "@mantine/notifications": "^8.3.14",
-    "@mantine/spotlight": "^8.3.14",
-    "@tabler/icons-react": "^3.36.1",
-    "@tanstack/react-query": "^5.90.17",
+    "@mantine/core": "^8.3.18",
+    "@mantine/dates": "^8.3.18",
+    "@mantine/form": "^8.3.18",
+    "@mantine/hooks": "^8.3.18",
+    "@mantine/modals": "^8.3.18",
+    "@mantine/notifications": "^8.3.18",
+    "@mantine/spotlight": "^8.3.18",
+    "@tabler/icons-react": "^3.40.0",
+    "@tanstack/react-query": "5.90.17",
     "alfaaz": "^1.1.0",
-    "axios": "^1.13.5",
+    "axios": "^1.13.6",
     "blueimp-load-image": "^5.16.0",
     "clsx": "^2.1.1",
     "emoji-mart": "^5.6.0",
     "file-saver": "^2.0.5",
     "highlightjs-sap-abap": "^0.3.0",
-    "i18next": "^23.16.8",
-    "i18next-http-backend": "^2.7.3",
-    "jotai": "^2.16.2",
+    "i18next": "^25.10.1",
+    "i18next-http-backend": "^3.0.2",
+    "jotai": "^2.18.1",
     "jotai-optics": "^0.4.0",
     "js-cookie": "^3.0.5",
     "jwt-decode": "^4.0.0",
-    "katex": "0.16.27",
+    "katex": "0.16.40",
     "lowlight": "^3.3.0",
     "mantine-form-zod-resolver": "^1.3.0",
-    "mermaid": "^11.12.2",
+    "mermaid": "^11.13.0",
     "mitt": "^3.0.1",
-    "posthog-js": "1.345.5",
+    "posthog-js": "1.363.1",
     "react": "^18.3.1",
     "react-arborist": "3.4.0",
-    "react-clear-modal": "^2.0.17",
+    "react-clear-modal": "^2.0.18",
     "react-dom": "^18.3.1",
     "react-drawio": "^1.0.7",
-    "react-error-boundary": "^4.1.2",
-    "react-helmet-async": "^2.0.5",
-    "react-i18next": "^15.0.1",
-    "react-router-dom": "^7.12.0",
-    "semver": "^7.7.3",
+    "react-error-boundary": "^6.1.1",
+    "react-helmet-async": "^3.0.0",
+    "react-i18next": "^16.5.8",
+    "react-router-dom": "^7.13.1",
+    "semver": "^7.7.4",
     "socket.io-client": "^4.8.3",
     "tiptap-extension-global-drag-handle": "^0.1.18",
     "zod": "^4.3.6"
   },
   "devDependencies": {
-    "@eslint/js": "^9.16.0",
-    "@tanstack/eslint-plugin-query": "^5.62.1",
-    "@types/blueimp-load-image": "^5.16.0",
+    "@eslint/js": "^9.28.0",
+    "@tanstack/eslint-plugin-query": "^5.94.4",
+    "@types/blueimp-load-image": "^5.16.6",
     "@types/file-saver": "^2.0.7",
     "@types/js-cookie": "^3.0.6",
-    "@types/katex": "^0.16.7",
+    "@types/katex": "^0.16.8",
     "@types/node": "22.19.1",
     "@types/react": "^18.3.12",
     "@types/react-dom": "^18.3.1",
-    "@vitejs/plugin-react": "^5.1.1",
-    "eslint": "^9.39.2",
-    "eslint-plugin-react": "^7.37.2",
-    "eslint-plugin-react-hooks": "^5.1.0",
-    "eslint-plugin-react-refresh": "^0.4.16",
+    "@vitejs/plugin-react": "^6.0.0",
+    "eslint": "^9.28.0",
+    "eslint-plugin-react": "^7.37.5",
+    "eslint-plugin-react-hooks": "^7.0.1",
+    "eslint-plugin-react-refresh": "^0.5.2",
     "globals": "^15.13.0",
     "optics-ts": "^2.4.1",
-    "postcss": "^8.4.49",
-    "postcss-preset-mantine": "^1.17.0",
+    "postcss": "^8.5.8",
+    "postcss-preset-mantine": "^1.18.0",
     "postcss-simple-vars": "^7.0.1",
-    "prettier": "^3.4.1",
-    "typescript": "^5.7.2",
-    "typescript-eslint": "^8.17.0",
-    "vite": "^7.2.4"
+    "prettier": "^3.8.1",
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.57.1",
+    "vite": "^8.0.1"
   }
 }

apps/client/public/locales/en-US/translation.json

@@ -442,6 +442,9 @@
   "Prevent members from sharing pages publicly.": "Prevent members from sharing pages publicly.",
   "Toggle public sharing": "Toggle public sharing",
   "Toggle space public sharing": "Toggle space public sharing",
+  "Allow viewers to comment": "Allow viewers to comment",
+  "Allow viewers to add comments on pages in this space.": "Allow viewers to add comments on pages in this space.",
+  "Toggle viewer comments": "Toggle viewer comments",
   "Public sharing is disabled at the workspace level": "Public sharing is disabled at the workspace level",
   "Prevent pages in this space from being shared publicly.": "Prevent pages in this space from being shared publicly.",
   "Page permissions": "Page permissions",
@@ -708,5 +711,20 @@
   "Resend verification email": "Resend verification email",
   "Verification email sent. Please check your inbox.": "Verification email sent. Please check your inbox.",
   "Failed to resend verification email. Please try again.": "Failed to resend verification email. Please try again.",
-  "We've sent you an email with your associated workspaces.": "We've sent you an email with your associated workspaces."
+  "We've sent you an email with your associated workspaces.": "We've sent you an email with your associated workspaces.",
+  "Load more": "Load more",
+  "Log out of all devices": "Log out of all devices",
+  "Log out of all sessions except this device": "Log out of all sessions except this device",
+  "This Device": "This Device",
+  "Unknown device": "Unknown device",
+  "No active sessions": "No active sessions",
+  "Session revoked": "Session revoked",
+  "All other sessions revoked": "All other sessions revoked",
+  "Last used": "Last used",
+  "Created": "Created",
+  "Rename": "Rename",
+  "Publish": "Publish",
+  "Security": "Security",
+  "Enforce SSO": "Enforce SSO",
+  "Once enforced, members will not be able to login with email and password.": "Once enforced, members will not be able to login with email and password."
 }

apps/client/src/ee/components/cloud-login-form.tsx

@@ -21,6 +21,7 @@ import { useTranslation } from "react-i18next";
 import JoinedWorkspaces from "@/ee/components/joined-workspaces.tsx";
 import { useJoinedWorkspacesQuery } from "@/ee/cloud/query/cloud-query.ts";
 import { findWorkspacesByEmail } from "@/ee/cloud/service/cloud-service.ts";
+import { AuthLayout } from "@/features/auth/components/auth-layout.tsx";
 
 const formSchema = z.object({
   hostname: z.string().min(1, { message: "subdomain is required" }),
@@ -82,7 +83,7 @@ export function CloudLoginForm() {
   }
 
   return (
-    <div>
+    <AuthLayout>
       <Container size={420} className={classes.container}>
         <Box p="xl" className={classes.containerBox}>
           <Title order={2} ta="center" fw={500} mb="md">
@@ -145,12 +146,12 @@ export function CloudLoginForm() {
         </Box>
       </Container>
 
-      <Text ta="center">
+      <Text ta="center" mb="xl">
         {t("Don't have a workspace?")}{" "}
         <Anchor component={Link} to={APP_ROUTE.AUTH.CREATE_WORKSPACE} fw={500}>
           {t("Create new workspace")}
         </Anchor>
       </Text>
-    </div>
+    </AuthLayout>
   );
 }

apps/client/src/ee/features.ts

@@ -16,4 +16,5 @@ export const Feature = {
   AUDIT_LOGS: 'audit:logs',
   RETENTION: 'retention',
   SHARING_CONTROLS: 'sharing:controls',
+  VIEWER_COMMENTS: 'comment:viewer',
 } as const;

apps/client/src/ee/licence/components/activate-license-modal.tsx

@@ -1,6 +1,6 @@
 import { z } from "zod/v4";
-import React from "react";
-import { Button, Group, Modal, Textarea } from "@mantine/core";
+import React, { useRef } from "react";
+import { Button, Divider, Group, Modal, Stack, Textarea } from "@mantine/core";
 import { useForm } from "@mantine/form";
 import { zod4Resolver } from "mantine-form-zod-resolver";
 import { useTranslation } from "react-i18next";
@@ -49,6 +49,7 @@ interface ActivateLicenseFormProps {
 export function ActivateLicenseForm({ onClose }: ActivateLicenseFormProps) {
   const { t } = useTranslation();
   const activateLicenseMutation = useActivateMutation();
+  const fileInputRef = useRef<HTMLInputElement>(null);
 
   const form = useForm<FormValues>({
     validate: zod4Resolver(formSchema),
@@ -63,29 +64,68 @@ export function ActivateLicenseForm({ onClose }: ActivateLicenseFormProps) {
     onClose?.();
   }
 
+  function handleFileUpload(event: React.ChangeEvent<HTMLInputElement>) {
+    const file = event.target.files?.[0];
+    if (!file) return;
+
+    const reader = new FileReader();
+    reader.onload = (e) => {
+      const content = (e.target?.result as string)?.trim();
+      if (content) {
+        form.setFieldValue("licenseKey", content);
+        handleSubmit({ licenseKey: content });
+      }
+    };
+    reader.readAsText(file);
+
+    if (fileInputRef.current) {
+      fileInputRef.current.value = "";
+    }
+  }
+
   return (
     <form onSubmit={form.onSubmit(handleSubmit)}>
-      <Textarea
-        label={t("License key")}
-        description="Enter a valid enterprise license key. Contact sales@docmost.com to purchase one."
-        placeholder={t("e.g eyJhb.....")}
-        variant="filled"
-        autosize
-        minRows={3}
-        maxRows={5}
-        data-autofocus
-        {...form.getInputProps("licenseKey")}
+      <input
+        type="file"
+        accept=".txt"
+        ref={fileInputRef}
+        onChange={handleFileUpload}
+        hidden
       />
 
-      <Group justify="flex-end" mt="md">
-        <Button
-          type="submit"
-          disabled={activateLicenseMutation.isPending}
-          loading={activateLicenseMutation.isPending}
-        >
-          {t("Save")}
-        </Button>
-      </Group>
+      <Stack gap="xs">
+        <Textarea
+          label={t("License key")}
+          placeholder={t("e.g eyJhb.....")}
+          variant="filled"
+          autosize
+          minRows={3}
+          maxRows={5}
+          data-autofocus
+          {...form.getInputProps("licenseKey")}
+        />
+
+        <Group justify="flex-end">
+          <Button
+            type="submit"
+            disabled={activateLicenseMutation.isPending}
+            loading={activateLicenseMutation.isPending}
+          >
+            {t("Save")}
+          </Button>
+        </Group>
+
+        <Divider label={t("Or")} labelPosition="center" />
+
+        <Group justify="center">
+          <Button
+            variant="light"
+            onClick={() => fileInputRef.current?.click()}
+          >
+            {t("Upload license file")}
+          </Button>
+        </Group>
+      </Stack>
     </form>
   );
 }

apps/client/src/ee/licence/components/oss-details.tsx

@@ -68,7 +68,11 @@ export default function OssDetails() {
         </List>
 
         <Text size="sm" c="dimmed">
-          Contact <a href="mailto:sales@docmost.com?subject=Enterprise%20License%20Inquiry">sales@docmost.com </a> to purchase an enterprise license.
+          Get an enterprise trial key at <a href="https://customers.docmost.com/" target="_blank" rel="noopener noreferrer">customers.docmost.com</a>.
+        </Text>
+
+        <Text size="sm" c="dimmed">
+          Visit <a href="https://docmost.com/pricing" target="_blank" rel="noopener noreferrer">docmost.com/pricing</a> to purchase an enterprise license.
         </Text>
       </Stack>
     </Stack>

apps/client/src/ee/mfa/components/mfa-challenge.tsx

@@ -22,6 +22,7 @@ import APP_ROUTE, { getPostLoginRedirect } from "@/lib/app-route";
 import { useTranslation } from "react-i18next";
 import { z } from "zod/v4";
 import { MfaBackupCodeInput } from "./mfa-backup-code-input";
+import { AuthLayout } from "@/features/auth/components/auth-layout.tsx";
 
 const formSchema = z.object({
   code: z
@@ -66,6 +67,7 @@ export function MfaChallenge() {
   };
 
   return (
+    <AuthLayout>
     <Container size={420} className={classes.container}>
       <Paper radius="lg" p={40} className={classes.paper}>
         <Stack align="center" gap="xl">
@@ -157,5 +159,6 @@ export function MfaChallenge() {
         </Stack>
       </Paper>
     </Container>
+    </AuthLayout>
   );
 }

apps/client/src/ee/mfa/components/mfa-setup-required.tsx

@@ -5,6 +5,7 @@ import { useTranslation } from "react-i18next";
 import { MfaSetupModal } from "@/ee/mfa";
 import APP_ROUTE, { getPostLoginRedirect } from "@/lib/app-route.ts";
 import { useNavigate } from "react-router-dom";
+import { AuthLayout } from "@/features/auth/components/auth-layout.tsx";
 
 export default function MfaSetupRequired() {
   const { t } = useTranslation();
@@ -15,6 +16,7 @@ export default function MfaSetupRequired() {
   };
 
   return (
+    <AuthLayout>
     <Container size="sm" py="xl">
       <Paper shadow="sm" p="xl" radius="md" withBorder>
         <Stack>
@@ -44,5 +46,6 @@ export default function MfaSetupRequired() {
         </Stack>
       </Paper>
     </Container>
+    </AuthLayout>
   );
 }

apps/client/src/ee/pages/verify-email.tsx

@@ -9,6 +9,7 @@ import {
 import { notifications } from "@mantine/notifications";
 import APP_ROUTE from "@/lib/app-route.ts";
 import { useTranslation } from "react-i18next";
+import { AuthLayout } from "@/features/auth/components/auth-layout.tsx";
 
 export default function VerifyEmail() {
   const { t } = useTranslation();
@@ -59,20 +60,23 @@ export default function VerifyEmail() {
 
   if (token) {
     return (
-      <Container size={420} className={classes.container}>
-        <Box p="xl" className={classes.containerBox}>
-          <Title order={2} ta="center" fw={500} mb="md">
-            {t("Verifying your email")}
-          </Title>
-          <Text ta="center" c="dimmed">
-            {t("Please wait...")}
-          </Text>
-        </Box>
-      </Container>
+      <AuthLayout>
+        <Container size={420} className={classes.container}>
+          <Box p="xl" className={classes.containerBox}>
+            <Title order={2} ta="center" fw={500} mb="md">
+              {t("Verifying your email")}
+            </Title>
+            <Text ta="center" c="dimmed">
+              {t("Please wait...")}
+            </Text>
+          </Box>
+        </Container>
+      </AuthLayout>
     );
   }
 
   return (
+    <AuthLayout>
     <Container size={420} className={classes.container}>
       <Box p="xl" className={classes.containerBox}>
         <Title order={2} ta="center" fw={500} mb="md">
@@ -103,5 +107,6 @@ export default function VerifyEmail() {
         )}
       </Box>
     </Container>
+    </AuthLayout>
   );
 }

apps/client/src/ee/security/components/space-viewer-comments-toggle.tsx

@@ -0,0 +1,61 @@
+import { Group, Text, Switch, Tooltip } from "@mantine/core";
+import React, { useState } from "react";
+import { useTranslation } from "react-i18next";
+import { ISpace } from "@/features/space/types/space.types.ts";
+import { useUpdateSpaceMutation } from "@/features/space/queries/space-query.ts";
+import { useHasFeature } from "@/ee/hooks/use-feature.ts";
+import { Feature } from "@/ee/features.ts";
+import { useUpgradeLabel } from "@/ee/hooks/use-upgrade-label.ts";
+
+type SpaceViewerCommentsToggleProps = {
+  space: ISpace;
+};
+
+export default function SpaceViewerCommentsToggle({
+  space,
+}: SpaceViewerCommentsToggleProps) {
+  const { t } = useTranslation();
+  const hasViewerComments = useHasFeature(Feature.VIEWER_COMMENTS);
+  const upgradeLabel = useUpgradeLabel();
+  const isDisabled = !hasViewerComments;
+  const [checked, setChecked] = useState(
+    space.settings?.comments?.allowViewerComments === true,
+  );
+  const updateSpaceMutation = useUpdateSpaceMutation();
+
+  const handleChange = async (event: React.ChangeEvent<HTMLInputElement>) => {
+    const value = event.currentTarget.checked;
+    try {
+      await updateSpaceMutation.mutateAsync({
+        spaceId: space.id,
+        allowViewerComments: value,
+      });
+      setChecked(value);
+    } catch {
+      // error handled by mutation
+    }
+  };
+
+  return (
+    <Group justify="space-between" wrap="nowrap" gap="xl">
+      <div>
+        <Text size="md">{t("Allow viewers to comment")}</Text>
+        <Text size="sm" c="dimmed">
+          {t("Allow viewers to add comments on pages in this space.")}
+        </Text>
+      </div>
+      <Tooltip
+        label={upgradeLabel}
+        disabled={!isDisabled}
+        refProp="rootRef"
+      >
+        <Switch
+          checked={checked}
+          onChange={handleChange}
+          disabled={isDisabled}
+          aria-label={t("Toggle viewer comments")}
+        />
+      </Tooltip>
+    </Group>
+  );
+}

apps/client/src/features/auth/components/auth-layout.tsx

@@ -0,0 +1,26 @@
+import React from "react";
+import { Group, Text } from "@mantine/core";
+import classes from "./auth.module.css";
+
+type AuthLayoutProps = {
+  children: React.ReactNode;
+};
+
+export function AuthLayout({ children }: AuthLayoutProps) {
+  return (
+    <>
+      <Group justify="center" gap={8} className={classes.logo}>
+        <img
+          src="/icons/favicon-32x32.png"
+          alt="Docmost"
+          width={22}
+          height={22}
+        />
+        <Text size="28px" fw={700} style={{ userSelect: "none" }}>
+          Docmost
+        </Text>
+      </Group>
+      {children}
+    </>
+  );
+}

apps/client/src/features/auth/components/auth.module.css

@@ -1,12 +1,20 @@
+.logo {
+    margin-top: 80px;
+
+    @media (max-width: $mantine-breakpoint-sm) {
+        margin-top: 30px;
+    }
+}
+
 .container {
     box-shadow: rgba(0, 0, 0, 0.07) 0px 2px 45px 4px;
     border-radius: 4px;
     background: light-dark(var(--mantine-color-body), rgba(0, 0, 0, 0.1));
-    margin-top: 150px;
+    margin-top: 40px;
     margin-bottom: 20px;
 
     @media (max-width: $mantine-breakpoint-sm) {
-        margin-top: 50px;
+        margin-top: 20px;
         margin-bottom: 20px;
     }
 }

apps/client/src/features/auth/components/forgot-password-form.tsx

@@ -7,6 +7,7 @@ import { Box, Button, Container, Text, TextInput, Title } from "@mantine/core";
 import classes from "./auth.module.css";
 import { useRedirectIfAuthenticated } from "@/features/auth/hooks/use-redirect-if-authenticated.ts";
 import { useTranslation } from "react-i18next";
+import { AuthLayout } from "./auth-layout.tsx";
 
 const formSchema = z.object({
   email: z
@@ -35,6 +36,7 @@ export function ForgotPasswordForm() {
   }
 
   return (
+    <AuthLayout>
     <Container size={420} className={classes.container}>
       <Box p="xl" className={classes.containerBox}>
         <Title order={2} ta="center" fw={500} mb="md">
@@ -69,5 +71,6 @@ export function ForgotPasswordForm() {
         </form>
       </Box>
     </Container>
+    </AuthLayout>
   );
 }

apps/client/src/features/auth/components/invite-sign-up-form.tsx

@@ -19,6 +19,7 @@ import { useGetInvitationQuery } from "@/features/workspace/queries/workspace-qu
 import { useRedirectIfAuthenticated } from "@/features/auth/hooks/use-redirect-if-authenticated.ts";
 import { useTranslation } from "react-i18next";
 import SsoLogin from "@/ee/components/sso-login.tsx";
+import { AuthLayout } from "./auth-layout.tsx";
 
 const formSchema = z.object({
   name: z.string().trim().min(1),
@@ -66,6 +67,7 @@ export function InviteSignUpForm() {
   }
 
   return (
+    <AuthLayout>
     <Container size={420} className={classes.container}>
       <Box p="xl" className={classes.containerBox}>
         <Title order={2} ta="center" fw={500} mb="md">
@@ -111,5 +113,6 @@ export function InviteSignUpForm() {
         )}
       </Box>
     </Container>
+    </AuthLayout>
   );
 }

apps/client/src/features/auth/components/login-form.tsx

@@ -21,6 +21,7 @@ import SsoLogin from "@/ee/components/sso-login.tsx";
 import { useWorkspacePublicDataQuery } from "@/features/workspace/queries/workspace-query.ts";
 import { Error404 } from "@/components/ui/error-404.tsx";
 import React from "react";
+import { AuthLayout } from "./auth-layout.tsx";
 
 const formSchema = z.object({
   email: z
@@ -62,52 +63,54 @@ export function LoginForm() {
   }
 
   return (
-    <Container size={420} className={classes.container}>
-      <Box p="xl" className={classes.containerBox}>
-        <Title order={2} ta="center" fw={500} mb="md">
-          {t("Login")}
-        </Title>
+    <AuthLayout>
+      <Container size={420} className={classes.container}>
+        <Box p="xl" className={classes.containerBox}>
+          <Title order={2} ta="center" fw={500} mb="md">
+            {t("Login")}
+          </Title>
 
-        <SsoLogin />
+          <SsoLogin />
 
-        {!data?.enforceSso && (
-          <>
-            <form onSubmit={form.onSubmit(onSubmit)}>
-              <TextInput
-                id="email"
-                type="email"
-                label={t("Email")}
-                placeholder="email@example.com"
-                variant="filled"
-                {...form.getInputProps("email")}
-              />
+          {!data?.enforceSso && (
+            <>
+              <form onSubmit={form.onSubmit(onSubmit)}>
+                <TextInput
+                  id="email"
+                  type="email"
+                  label={t("Email")}
+                  placeholder="email@example.com"
+                  variant="filled"
+                  {...form.getInputProps("email")}
+                />
 
-              <PasswordInput
-                label={t("Password")}
-                placeholder={t("Your password")}
-                variant="filled"
-                mt="md"
-                {...form.getInputProps("password")}
-              />
+                <PasswordInput
+                  label={t("Password")}
+                  placeholder={t("Your password")}
+                  variant="filled"
+                  mt="md"
+                  {...form.getInputProps("password")}
+                />
 
-              <Group justify="flex-end" mt="sm">
-                <Anchor
-                  to={APP_ROUTE.AUTH.FORGOT_PASSWORD}
-                  component={Link}
-                  underline="never"
-                  size="sm"
-                >
-                  {t("Forgot your password?")}
-                </Anchor>
-              </Group>
+                <Group justify="flex-end" mt="sm">
+                  <Anchor
+                    to={APP_ROUTE.AUTH.FORGOT_PASSWORD}
+                    component={Link}
+                    underline="never"
+                    size="sm"
+                  >
+                    {t("Forgot your password?")}
+                  </Anchor>
+                </Group>
 
-              <Button type="submit" fullWidth mt="md" loading={isLoading}>
-                {t("Sign In")}
-              </Button>
-            </form>
-          </>
-        )}
-      </Box>
-    </Container>
+                <Button type="submit" fullWidth mt="md" loading={isLoading}>
+                  {t("Sign In")}
+                </Button>
+              </form>
+            </>
+          )}
+        </Box>
+      </Container>
+    </AuthLayout>
   );
 }

apps/client/src/features/auth/components/password-reset-form.tsx

@@ -6,6 +6,7 @@ import { Box, Button, Container, PasswordInput, Title } from "@mantine/core";
 import classes from "./auth.module.css";
 import { useRedirectIfAuthenticated } from "@/features/auth/hooks/use-redirect-if-authenticated.ts";
 import { useTranslation } from "react-i18next";
+import { AuthLayout } from "./auth-layout.tsx";
 
 const formSchema = z.object({
   newPassword: z
@@ -38,6 +39,7 @@ export function PasswordResetForm({ resetToken }: PasswordResetFormProps) {
   }
 
   return (
+    <AuthLayout>
     <Container size={420} className={classes.container}>
       <Box p="xl" className={classes.containerBox}>
         <Title order={2} ta="center" fw={500} mb="md">
@@ -59,5 +61,6 @@ export function PasswordResetForm({ resetToken }: PasswordResetFormProps) {
         </form>
       </Box>
     </Container>
+    </AuthLayout>
   );
 }

apps/client/src/features/auth/components/setup-workspace-form.tsx

@@ -19,6 +19,7 @@ import SsoCloudSignup from "@/ee/components/sso-cloud-signup.tsx";
 import { isCloud } from "@/lib/config.ts";
 import { Link } from "react-router-dom";
 import APP_ROUTE from "@/lib/app-route.ts";
+import { AuthLayout } from "./auth-layout.tsx";
 
 const formSchema = z.object({
   workspaceName: z.string().trim().max(50).optional(),
@@ -50,7 +51,7 @@ export function SetupWorkspaceForm() {
   }
 
   return (
-    <div>
+    <AuthLayout>
       <Container size={420} className={classes.container}>
         <Box p="xl" className={classes.containerBox}>
           <Title order={2} ta="center" fw={500} mb="md">
@@ -117,6 +118,6 @@ export function SetupWorkspaceForm() {
           </Anchor>
         </Text>
       )}
-    </div>
+    </AuthLayout>
   );
 }

apps/client/src/features/comment/atoms/comment-atom.ts

@@ -3,3 +3,15 @@ import { atom } from 'jotai';
 export const showCommentPopupAtom = atom<boolean>(false);
 export const activeCommentIdAtom = atom<string>('');
 export const draftCommentIdAtom = atom<string>('');
+
+// Read-only comment state
+export const showReadOnlyCommentPopupAtom = atom<boolean>(false);
+export type YjsSelection = {
+  anchor: any;
+  head: any;
+};
+export type ReadOnlyCommentData = {
+  yjsSelection: YjsSelection;
+  selectedText: string;
+};
+export const readOnlyCommentDataAtom = atom<ReadOnlyCommentData | null>(null);

apps/client/src/features/comment/components/comment-dialog.tsx

@@ -6,6 +6,8 @@ import {
   activeCommentIdAtom,
   draftCommentIdAtom,
   showCommentPopupAtom,
+  showReadOnlyCommentPopupAtom,
+  readOnlyCommentDataAtom,
 } from "@/features/comment/atoms/comment-atom";
 import CommentEditor from "@/features/comment/components/comment-editor";
 import CommentActions from "@/features/comment/components/comment-actions";
@@ -19,12 +21,15 @@ import { useTranslation } from "react-i18next";
 interface CommentDialogProps {
   editor: ReturnType<typeof useEditor>;
   pageId: string;
+  readOnly?: boolean;
 }
 
-function CommentDialog({ editor, pageId }: CommentDialogProps) {
+function CommentDialog({ editor, pageId, readOnly }: CommentDialogProps) {
   const { t } = useTranslation();
   const [comment, setComment] = useState("");
   const [, setShowCommentPopup] = useAtom(showCommentPopupAtom);
+  const [, setShowReadOnlyCommentPopup] = useAtom(showReadOnlyCommentPopupAtom);
+  const [readOnlyCommentData, setReadOnlyCommentData] = useAtom(readOnlyCommentDataAtom);
   const [, setActiveCommentId] = useAtom(activeCommentIdAtom);
   const [draftCommentId, setDraftCommentId] = useAtom(draftCommentIdAtom);
   const [currentUser] = useAtom(currentUserAtom);
@@ -34,11 +39,17 @@ function CommentDialog({ editor, pageId }: CommentDialogProps) {
     handleDialogClose();
   });
   const createCommentMutation = useCreateCommentMutation();
-  const { isPending } = createCommentMutation;
+  const isPending = createCommentMutation.isPending;
 
   const handleDialogClose = () => {
-    setShowCommentPopup(false);
-    editor.chain().focus().unsetCommentDecoration().run();
+    if (readOnly) {
+      setShowReadOnlyCommentPopup(false);
+      // @ts-ignore
+      setReadOnlyCommentData(null);
+    } else {
+      setShowCommentPopup(false);
+      editor.chain().focus().unsetCommentDecoration().run();
+    }
   };
 
   const getSelectedText = () => {
@@ -47,6 +58,11 @@ function CommentDialog({ editor, pageId }: CommentDialogProps) {
   };
 
   const handleAddComment = async () => {
+    if (readOnly) {
+      await handleAddReadOnlyComment();
+      return;
+    }
+
     try {
       const selectedText = getSelectedText();
       const commentData = {
@@ -65,7 +81,6 @@ function CommentDialog({ editor, pageId }: CommentDialogProps) {
         .run();
       setActiveCommentId(createdComment.id);
 
-      //unselect text to close bubble menu
       editor.commands.setTextSelection({ from: editor.view.state.selection.from, to: editor.view.state.selection.from });
 
       setAsideState({ tab: "comments", isAsideOpen: true });
@@ -85,6 +100,33 @@ function CommentDialog({ editor, pageId }: CommentDialogProps) {
     }
   };
 
+  const handleAddReadOnlyComment = async () => {
+    if (!readOnlyCommentData) return;
+
+    try {
+      const createdComment = await createCommentMutation.mutateAsync({
+        pageId,
+        content: JSON.stringify(comment),
+        selection: readOnlyCommentData.selectedText,
+        type: "inline",
+        yjsSelection: readOnlyCommentData.yjsSelection,
+      });
+
+      setActiveCommentId(createdComment.id);
+      setAsideState({ tab: "comments", isAsideOpen: true });
+
+      setTimeout(() => {
+        const selector = `div[data-comment-id="${createdComment.id}"]`;
+        const commentElement = document.querySelector(selector);
+        commentElement?.scrollIntoView({ behavior: "smooth", block: "center" });
+      }, 400);
+    } finally {
+      setShowReadOnlyCommentPopup(false);
+      // @ts-ignore
+      setReadOnlyCommentData(null);
+    }
+  };
+
   const handleCommentEditorChange = (newContent: any) => {
     setComment(newContent);
   };

apps/client/src/features/comment/components/comment-list-with-tabs.tsx

@@ -44,7 +44,9 @@ function CommentListWithTabs() {
   const [isLoading, setIsLoading] = useState(false);
   const { data: space } = useGetSpaceBySlugQuery(page?.space?.slug);
 
-  const canComment = page?.permissions?.canEdit ?? false;
+  const canComment =
+    (page?.permissions?.canEdit ?? false) ||
+    (space?.settings?.comments?.allowViewerComments === true);
 
   // Separate active and resolved comments
   const { activeComments, resolvedComments } = useMemo(() => {
@@ -153,7 +155,7 @@ function CommentListWithTabs() {
         )}
       </Paper>
     ),
-    [comments, handleAddReply, isLoading, space?.membership?.role],
+    [comments, handleAddReply, isLoading, space?.membership?.role, canComment],
   );
 
   if (isCommentsLoading) {

apps/client/src/features/comment/components/comment-menu.tsx

@@ -75,7 +75,7 @@ function CommentMenu({
               {isResolved ? t("Re-open comment") : t("Resolve comment")}
             </Menu.Item>
           ) : (
-            <Tooltip label={upgradeLabel} position="left">
+            <Tooltip label={upgradeLabel} position="left" withPortal={false}>
               <Menu.Item disabled leftSection={<IconCircleCheck size={14} />}>
                 {t("Resolve comment")}
               </Menu.Item>

apps/client/src/features/comment/types/comment.types.ts

@@ -17,6 +17,10 @@ export interface IComment {
   deletedAt?: Date;
   creator: IUser;
   resolvedBy?: IUser;
+  yjsSelection?: {
+    anchor: any;
+    head: any;
+  };
 }
 
 export interface ICommentData {

apps/client/src/features/editor/components/bubble-menu/readonly-bubble-menu.tsx

@@ -0,0 +1,159 @@
+import type { Editor } from "@tiptap/react";
+import { TextSelection } from "@tiptap/pm/state";
+import { FC, useCallback, useEffect, useRef, useState } from "react";
+import { IconMessage } from "@tabler/icons-react";
+import classes from "./bubble-menu.module.css";
+import { ActionIcon, Tooltip } from "@mantine/core";
+import { useAtom } from "jotai";
+import {
+  showReadOnlyCommentPopupAtom,
+  readOnlyCommentDataAtom,
+} from "@/features/comment/atoms/comment-atom";
+import { useTranslation } from "react-i18next";
+import { getRelativeSelection, ySyncPluginKey } from "@tiptap/y-tiptap";
+
+type ReadonlyBubbleMenuProps = {
+  editor: Editor;
+};
+
+export const ReadonlyBubbleMenu: FC<ReadonlyBubbleMenuProps> = ({ editor }) => {
+  const { t } = useTranslation();
+  const [showReadOnlyCommentPopup, setShowReadOnlyCommentPopup] = useAtom(
+    showReadOnlyCommentPopupAtom,
+  );
+  const [, setReadOnlyCommentData] = useAtom(readOnlyCommentDataAtom);
+  const menuRef = useRef<HTMLDivElement>(null);
+  const [visible, setVisible] = useState(false);
+  const [position, setPosition] = useState({ top: 0, left: 0 });
+  const isInteractingRef = useRef(false);
+
+  const updateMenuPosition = useCallback(() => {
+    if (isInteractingRef.current) return;
+
+    const pmSelection = editor.state.selection;
+    if (!(pmSelection instanceof TextSelection) || pmSelection.empty) {
+      setVisible(false);
+      return;
+    }
+
+    const selection = window.getSelection();
+    if (
+      !selection ||
+      selection.isCollapsed ||
+      selection.rangeCount === 0 ||
+      showReadOnlyCommentPopup
+    ) {
+      setVisible(false);
+      return;
+    }
+
+    const editorDom = editor.view.dom;
+    if (
+      !editorDom.contains(selection.anchorNode) ||
+      !editorDom.contains(selection.focusNode)
+    ) {
+      setVisible(false);
+      return;
+    }
+
+    const range = selection.getRangeAt(0);
+    const rect = range.getBoundingClientRect();
+
+    if (rect.width === 0) {
+      setVisible(false);
+      return;
+    }
+
+    const editorRect = editorDom
+      .closest(".editor-container")
+      ?.getBoundingClientRect();
+    if (!editorRect) {
+      setVisible(false);
+      return;
+    }
+
+    setPosition({
+      top: rect.top - editorRect.top - 44,
+      left: rect.left - editorRect.left + rect.width / 2,
+    });
+    setVisible(true);
+  }, [editor, showReadOnlyCommentPopup]);
+
+  useEffect(() => {
+    const handleSelectionChange = () => {
+      updateMenuPosition();
+    };
+
+    document.addEventListener("selectionchange", handleSelectionChange);
+    return () => {
+      document.removeEventListener("selectionchange", handleSelectionChange);
+    };
+  }, [updateMenuPosition]);
+
+  useEffect(() => {
+    if (showReadOnlyCommentPopup) {
+      setVisible(false);
+    }
+  }, [showReadOnlyCommentPopup]);
+
+  const handleCommentClick = () => {
+    if (!editor) return;
+
+    const view = editor.view;
+    const ystate = ySyncPluginKey.getState(view.state);
+
+    if (ystate?.binding) {
+      const selection = getRelativeSelection(ystate.binding, view.state);
+      const { from, to } = editor.state.selection;
+      const selectedText = editor.state.doc.textBetween(from, to);
+
+      // @ts-ignore
+      setReadOnlyCommentData({
+        yjsSelection: {
+          anchor: selection.anchor,
+          head: selection.head,
+        },
+        selectedText,
+      });
+
+      setShowReadOnlyCommentPopup(true);
+      setVisible(false);
+    }
+  };
+
+  if (!visible) return null;
+
+  return (
+    <div
+      ref={menuRef}
+      style={{
+        position: "absolute",
+        top: position.top,
+        left: position.left,
+        transform: "translateX(-50%)",
+        zIndex: 199,
+      }}
+    >
+      <div className={classes.bubbleMenu}>
+        <Tooltip label={t("Comment")} withArrow withinPortal={false}>
+          <ActionIcon
+            variant="default"
+            size="lg"
+            radius="6px"
+            aria-label={t("Comment")}
+            style={{ border: "none" }}
+            onMouseDown={(e) => {
+              e.preventDefault();
+              e.stopPropagation();
+              isInteractingRef.current = true;
+              handleCommentClick();
+              isInteractingRef.current = false;
+            }}
+          >
+            <IconMessage size={16} stroke={2} />
+          </ActionIcon>
+        </Tooltip>
+      </div>
+    </div>
+  );
+};

apps/client/src/features/editor/components/drawio/drawio-menu.tsx

@@ -8,6 +8,7 @@ import {
 } from "@/features/editor/components/table/types/types.ts";
 import {
   ActionIcon,
+  LoadingOverlay,
   Modal,
   Text,
   Tooltip,
@@ -46,6 +47,8 @@ export function DrawioMenu({ editor }: EditorMenuProps) {
   const computedColorScheme = useComputedColorScheme();
   const isDirtyRef = useRef(false);
   const isSavingRef = useRef(false);
+  const [isSaving, setIsSaving] = useState(false);
+  const [isLoading, setIsLoading] = useState(false);
 
   const editorState = useEditorState({
     editor,
@@ -140,6 +143,7 @@ export function DrawioMenu({ editor }: EditorMenuProps) {
     if (isSavingRef.current) return;
 
     isSavingRef.current = true;
+    setIsSaving(true);
 
     try {
       const svgString = decodeBase64ToSvgString(svgXml);
@@ -167,6 +171,7 @@ export function DrawioMenu({ editor }: EditorMenuProps) {
       isDirtyRef.current = false;
     } finally {
       isSavingRef.current = false;
+      setIsSaving(false);
     }
   }, [editor, editorState?.attachmentId]);
 
@@ -196,6 +201,7 @@ export function DrawioMenu({ editor }: EditorMenuProps) {
   const handleOpen = useCallback(async () => {
     if (!editorState?.src) return;
 
+    setIsLoading(true);
     try {
       const url = getFileUrl(editorState.src);
       const request = await fetch(url, {
@@ -213,6 +219,7 @@ export function DrawioMenu({ editor }: EditorMenuProps) {
     } catch (err) {
       console.error(err);
     } finally {
+      setIsLoading(false);
       isDirtyRef.current = false;
       open();
     }
@@ -307,6 +314,7 @@ export function DrawioMenu({ editor }: EditorMenuProps) {
               size="lg"
               aria-label={t("Edit")}
               variant="subtle"
+              loading={isLoading}
             >
               <IconEdit size={18} />
             </ActionIcon>
@@ -339,7 +347,8 @@ export function DrawioMenu({ editor }: EditorMenuProps) {
       <Modal.Root opened={opened} onClose={handleClose} fullScreen closeOnEscape={false}>
         <Modal.Overlay />
         <Modal.Content style={{ overflow: "hidden" }}>
-          <Modal.Body>
+          <Modal.Body pos="relative">
+            <LoadingOverlay visible={isSaving} />
             <div style={{ height: "100vh" }}>
               <DrawIoEmbed
                 ref={drawioRef}

apps/client/src/features/editor/components/drawio/drawio-view.tsx

@@ -2,6 +2,7 @@ import { NodeViewProps, NodeViewWrapper } from "@tiptap/react";
 import {
   ActionIcon,
   Card,
+  LoadingOverlay,
   Modal,
   Text,
   useComputedColorScheme,
@@ -34,6 +35,7 @@ export default function DrawioView(props: NodeViewProps) {
   const computedColorScheme = useComputedColorScheme();
   const isDirtyRef = useRef(false);
   const isSavingRef = useRef(false);
+  const [isSaving, setIsSaving] = useState(false);
 
   const handleOpen = async () => {
     if (!editor.isEditable) {
@@ -47,6 +49,7 @@ export default function DrawioView(props: NodeViewProps) {
     if (isSavingRef.current) return;
 
     isSavingRef.current = true;
+    setIsSaving(true);
 
     try {
       const svgString = decodeBase64ToSvgString(svgXml);
@@ -79,6 +82,7 @@ export default function DrawioView(props: NodeViewProps) {
       isDirtyRef.current = false;
     } finally {
       isSavingRef.current = false;
+      setIsSaving(false);
     }
   };
 
@@ -136,7 +140,8 @@ export default function DrawioView(props: NodeViewProps) {
       <Modal.Root opened={opened} onClose={handleClose} fullScreen closeOnEscape={false}>
         <Modal.Overlay />
         <Modal.Content style={{ overflow: "hidden" }}>
-          <Modal.Body>
+          <Modal.Body pos="relative">
+            <LoadingOverlay visible={isSaving} />
             <div style={{ height: "100vh" }}>
               <DrawIoEmbed
                 ref={drawioRef}

apps/client/src/features/editor/components/excalidraw/excalidraw-menu.tsx

@@ -56,6 +56,8 @@ export function ExcalidrawMenu({ editor }: EditorMenuProps) {
   const computedColorScheme = useComputedColorScheme();
   const isDirtyRef = useRef(false);
   const isSavingRef = useRef(false);
+  const [isSaving, setIsSaving] = useState(false);
+  const [isLoading, setIsLoading] = useState(false);
   const isInitialLoadRef = useRef(true);
   const lastFingerprintRef = useRef("");
 
@@ -153,6 +155,7 @@ export function ExcalidrawMenu({ editor }: EditorMenuProps) {
   const handleOpen = useCallback(async () => {
     if (!editorState?.src) return;
 
+    setIsLoading(true);
     try {
       const url = getFileUrl(editorState.src);
       const request = await fetch(url, {
@@ -166,6 +169,7 @@ export function ExcalidrawMenu({ editor }: EditorMenuProps) {
     } catch (err) {
       console.error(err);
     } finally {
+      setIsLoading(false);
       isDirtyRef.current = false;
       isInitialLoadRef.current = true;
       open();
@@ -178,6 +182,7 @@ export function ExcalidrawMenu({ editor }: EditorMenuProps) {
     }
 
     isSavingRef.current = true;
+    setIsSaving(true);
 
     try {
       const { exportToSvg } = await import("@excalidraw/excalidraw");
@@ -223,6 +228,7 @@ export function ExcalidrawMenu({ editor }: EditorMenuProps) {
       isDirtyRef.current = false;
     } finally {
       isSavingRef.current = false;
+      setIsSaving(false);
     }
   }, [editor, excalidrawAPI, editorState?.attachmentId]);
 
@@ -339,6 +345,7 @@ export function ExcalidrawMenu({ editor }: EditorMenuProps) {
               size="lg"
               aria-label={t("Edit")}
               variant="subtle"
+              loading={isLoading}
             >
               <IconEdit size={18} />
             </ActionIcon>
@@ -390,7 +397,7 @@ export function ExcalidrawMenu({ editor }: EditorMenuProps) {
           bg="var(--mantine-color-body)"
           p="xs"
         >
-          <Button onClick={handleSaveAndExit} size={"compact-sm"}>
+          <Button onClick={handleSaveAndExit} size={"compact-sm"} loading={isSaving}>
             {t("Save & Exit")}
           </Button>
           <Button onClick={handleClose} color="red" size={"compact-sm"}>

apps/client/src/features/editor/components/excalidraw/excalidraw-view.tsx

@@ -52,6 +52,7 @@ export default function ExcalidrawView(props: NodeViewProps) {
 
   const isDirtyRef = useRef(false);
   const isSavingRef = useRef(false);
+  const [isSaving, setIsSaving] = useState(false);
   const isInitialLoadRef = useRef(true);
   const lastFingerprintRef = useRef("");
 
@@ -70,6 +71,7 @@ export default function ExcalidrawView(props: NodeViewProps) {
     }
 
     isSavingRef.current = true;
+    setIsSaving(true);
 
     try {
       const { exportToSvg } = await import("@excalidraw/excalidraw");
@@ -120,6 +122,7 @@ export default function ExcalidrawView(props: NodeViewProps) {
       isDirtyRef.current = false;
     } finally {
       isSavingRef.current = false;
+      setIsSaving(false);
     }
   }, [excalidrawAPI, editor, attachmentId, updateAttributes]);
 
@@ -191,7 +194,7 @@ export default function ExcalidrawView(props: NodeViewProps) {
           bg="var(--mantine-color-body)"
           p="xs"
         >
-          <Button onClick={handleSaveAndExit} size={"compact-sm"}>
+          <Button onClick={handleSaveAndExit} size={"compact-sm"} loading={isSaving}>
             {t("Save & Exit")}
           </Button>
           <Button onClick={handleClose} color="red" size={"compact-sm"}>

apps/client/src/features/editor/components/link/link-menu.tsx

@@ -5,7 +5,7 @@ import { useAtom } from "jotai";
 import { isTextSelected } from "@docmost/editor-ext";
 import { showLinkMenuAtom } from "@/features/editor/atoms/editor-atoms";
 import { LinkEditorPanel } from "@/features/editor/components/link/link-editor-panel";
-import { normalizeUrl } from "@/features/editor/components/link/link-view";
+import { normalizeUrl } from "@/lib/utils";
 import { TextSelection } from "@tiptap/pm/state";
 import { Paper } from "@mantine/core";
 

apps/client/src/features/editor/components/link/link-view.tsx

@@ -29,12 +29,7 @@ import { useSharePageQuery } from "@/features/share/queries/share-query.ts";
 import { buildSharedPageUrl } from "@/features/page/page.utils.ts";
 import { extractPageSlugId } from "@/lib";
 import { sanitizeUrl, copyToClipboard } from "@docmost/editor-ext";
-
-export const normalizeUrl = (url: string): string => {
-  if (!url) return url;
-  if (url.startsWith("/") || /^(\S+):(\/\/)?\S+$/.test(url)) return url;
-  return `https://${url}`;
-};
+import { normalizeUrl } from "@/lib/utils";
 
 const parseInternalLink = (
   href: string,

apps/client/src/features/editor/full-editor.tsx

@@ -16,6 +16,7 @@ export interface FullEditorProps {
   content: string;
   spaceSlug: string;
   editable: boolean;
+  canComment?: boolean;
 }
 
 export function FullEditor({
@@ -25,6 +26,7 @@ export function FullEditor({
   content,
   spaceSlug,
   editable,
+  canComment,
 }: FullEditorProps) {
   const [user] = useAtom(userAtom);
   const fullPageWidth = user.settings?.preferences?.fullPageWidth;
@@ -46,6 +48,7 @@ export function FullEditor({
         pageId={pageId}
         editable={editable}
         content={content}
+        canComment={canComment}
       />
     </Container>
   );

apps/client/src/features/editor/page-editor.tsx

@@ -37,9 +37,11 @@ import { asideStateAtom } from "@/components/layouts/global/hooks/atoms/sidebar-
 import {
   activeCommentIdAtom,
   showCommentPopupAtom,
+  showReadOnlyCommentPopupAtom,
 } from "@/features/comment/atoms/comment-atom";
 import CommentDialog from "@/features/comment/components/comment-dialog";
 import { EditorBubbleMenu } from "@/features/editor/components/bubble-menu/bubble-menu";
+import { ReadonlyBubbleMenu } from "@/features/editor/components/bubble-menu/readonly-bubble-menu";
 import TableCellMenu from "@/features/editor/components/table/table-cell-menu.tsx";
 import TableMenu from "@/features/editor/components/table/table-menu.tsx";
 import ImageMenu from "@/features/editor/components/image/image-menu.tsx";
@@ -73,12 +75,14 @@ interface PageEditorProps {
   pageId: string;
   editable: boolean;
   content: any;
+  canComment?: boolean;
 }
 
 export default function PageEditor({
   pageId,
   editable,
   content,
+  canComment,
 }: PageEditorProps) {
   const collaborationURL = useCollaborationUrl();
   const isComponentMounted = useRef(false);
@@ -93,6 +97,7 @@ export default function PageEditor({
   const [, setAsideState] = useAtom(asideStateAtom);
   const [, setActiveCommentId] = useAtom(activeCommentIdAtom);
   const [showCommentPopup, setShowCommentPopup] = useAtom(showCommentPopupAtom);
+  const [showReadOnlyCommentPopup] = useAtom(showReadOnlyCommentPopupAtom);
   const [isLocalSynced, setIsLocalSynced] = useState(false);
   const [isRemoteSynced, setIsRemoteSynced] = useState(false);
   const [yjsConnectionStatus, setYjsConnectionStatus] = useAtom(
@@ -421,7 +426,13 @@ export default function PageEditor({
             <ColumnsMenu editor={editor} />
           </div>
         )}
+        {editor && !editorIsEditable && (editable || canComment) && providersRef.current && (
+          <ReadonlyBubbleMenu editor={editor} />
+        )}
         {showCommentPopup && <CommentDialog editor={editor} pageId={pageId} />}
+        {showReadOnlyCommentPopup && (
+          <CommentDialog editor={editor} pageId={pageId} readOnly />
+        )}
       </div>
       <div
         onClick={() => editor.commands.focus("end")}

apps/client/src/features/page/queries/page-query.ts

@@ -110,15 +110,7 @@ export function useUpdatePageMutation() {
   return useMutation<IPage, Error, Partial<IPageInput>>({
     mutationFn: (data) => updatePage(data),
     onSuccess: (data) => {
-      updatePage(data);
-
-      invalidateOnUpdatePage(
-        data.spaceId,
-        data.parentPageId,
-        data.id,
-        data.title,
-        data.icon,
-      );
+      updatePageData(data);
     },
   });
 }

apps/client/src/features/session/components/session-list.tsx

@@ -0,0 +1,165 @@
+import { useState } from "react";
+import {
+  Button,
+  Divider,
+  Group,
+  Skeleton,
+  Stack,
+  Table,
+  Text,
+} from "@mantine/core";
+import { IconDevices } from "@tabler/icons-react";
+import { useTranslation } from "react-i18next";
+import {
+  useGetSessionsQuery,
+  useRevokeSessionMutation,
+  useRevokeAllSessionsMutation,
+} from "@/features/session/queries/session-query";
+import { formattedDate } from "@/lib/time";
+
+const PAGE_SIZE = 5;
+
+export default function SessionList() {
+  const { t } = useTranslation();
+  const { data: sessions, isLoading } = useGetSessionsQuery();
+  const revokeSessionMutation = useRevokeSessionMutation();
+  const revokeAllSessionsMutation = useRevokeAllSessionsMutation();
+  const [visibleCount, setVisibleCount] = useState(PAGE_SIZE);
+
+  const otherSessions = sessions?.filter((s) => !s?.isCurrentDevice) ?? [];
+  const visibleSessions = sessions?.slice(0, visibleCount) ?? [];
+  const hasMore = sessions && visibleCount < sessions.length;
+
+  if (isLoading) {
+    return (
+      <Table verticalSpacing="md">
+        <Table.Thead>
+          <Table.Tr>
+            <Table.Th>{t("Device Name")}</Table.Th>
+            <Table.Th>{t("Last Active")}</Table.Th>
+            <Table.Th />
+          </Table.Tr>
+        </Table.Thead>
+        <Table.Tbody>
+          {[1, 2, 3].map((i) => (
+            <Table.Tr key={i}>
+              <Table.Td>
+                <Group gap="xs">
+                  <Skeleton height={18} width={18} radius="sm" />
+                  <Skeleton height={14} width={140} radius="xs" />
+                </Group>
+              </Table.Td>
+              <Table.Td>
+                <Skeleton height={14} width={120} radius="xs" />
+              </Table.Td>
+              <Table.Td>
+                <Skeleton height={30} width={70} radius="sm" />
+              </Table.Td>
+            </Table.Tr>
+          ))}
+        </Table.Tbody>
+      </Table>
+    );
+  }
+
+  return (
+    <Stack>
+      {otherSessions.length > 0 && (
+        <>
+          <div>
+            <Text fw={500}>{t("Log out of all devices")}</Text>
+            <Group justify="space-between" align="center" mt={4}>
+              <Text size="sm" c="dimmed">
+                {t(
+                  "Log out of all sessions except this device",
+                )}
+              </Text>
+              <Button
+                variant="outline"
+                color="red"
+                size="xs"
+                loading={revokeAllSessionsMutation.isPending}
+                onClick={() => revokeAllSessionsMutation.mutate()}
+              >
+                {t("Log out of all devices")}
+              </Button>
+            </Group>
+          </div>
+          <Divider />
+        </>
+      )}
+
+      <Table verticalSpacing="md">
+        <Table.Thead>
+          <Table.Tr>
+            <Table.Th>{t("Device Name")}</Table.Th>
+            <Table.Th>{t("Last Active")}</Table.Th>
+            {otherSessions.length > 0 && <Table.Th />}
+          </Table.Tr>
+        </Table.Thead>
+        <Table.Tbody>
+          {visibleSessions.map((session) => (
+            <Table.Tr key={session.id}>
+              <Table.Td>
+                <Group gap="xs">
+                  <IconDevices size={18} stroke={1.5} />
+                  <div>
+                    <Text size="sm">
+                      {session.deviceName || t("Unknown device")}
+                    </Text>
+                    {session?.isCurrentDevice && (
+                      <Text size="xs" c="blue">
+                        {t("This Device")}
+                      </Text>
+                    )}
+                  </div>
+                </Group>
+              </Table.Td>
+              <Table.Td>
+                <Text size="sm">
+                  {session?.isCurrentDevice
+                    ? t("Now")
+                    : formattedDate(new Date(session.lastActiveAt))}
+                </Text>
+              </Table.Td>
+              {otherSessions.length > 0 && (
+                <Table.Td>
+                  {!session?.isCurrentDevice && (
+                    <Button
+                      variant="outline"
+                      size="xs"
+                      loading={revokeSessionMutation.isPending}
+                      onClick={() =>
+                        revokeSessionMutation.mutate({
+                          sessionId: session.id,
+                        })
+                      }
+                    >
+                      {t("Log out")}
+                    </Button>
+                  )}
+                </Table.Td>
+              )}
+            </Table.Tr>
+          ))}
+        </Table.Tbody>
+      </Table>
+
+      {hasMore && (
+        <Button
+          variant="subtle"
+          size="xs"
+          onClick={() => setVisibleCount((c) => c + PAGE_SIZE)}
+        >
+          {t("Load more")}
+        </Button>
+      )}
+
+      {(!sessions || sessions.length === 0) && (
+        <Text size="sm" c="dimmed" ta="center">
+          {t("No active sessions")}
+        </Text>
+      )}
+    </Stack>
+  );
+}

apps/client/src/features/session/queries/session-query.ts

@@ -0,0 +1,55 @@
+import {
+  useMutation,
+  useQuery,
+  useQueryClient,
+  UseQueryResult,
+} from "@tanstack/react-query";
+import {
+  getSessions,
+  revokeSession,
+  revokeAllSessions,
+} from "@/features/session/services/session-service";
+import { ISession } from "@/features/session/types/session.types";
+import { notifications } from "@mantine/notifications";
+import { useTranslation } from "react-i18next";
+
+export function useGetSessionsQuery(): UseQueryResult<ISession[], Error> {
+  return useQuery({
+    queryKey: ["session-list"],
+    queryFn: () => getSessions(),
+  });
+}
+
+export function useRevokeSessionMutation() {
+  const queryClient = useQueryClient();
+  const { t } = useTranslation();
+
+  return useMutation<void, Error, { sessionId: string }>({
+    mutationFn: (data) => revokeSession(data),
+    onSuccess: () => {
+      notifications.show({ message: t("Session revoked") });
+      queryClient.invalidateQueries({ queryKey: ["session-list"] });
+    },
+    onError: (error) => {
+      const errorMessage = error["response"]?.data?.message;
+      notifications.show({ message: errorMessage, color: "red" });
+    },
+  });
+}
+
+export function useRevokeAllSessionsMutation() {
+  const queryClient = useQueryClient();
+  const { t } = useTranslation();
+
+  return useMutation<void, Error, void>({
+    mutationFn: () => revokeAllSessions(),
+    onSuccess: () => {
+      notifications.show({ message: t("All other sessions revoked") });
+      queryClient.invalidateQueries({ queryKey: ["session-list"] });
+    },
+    onError: (error) => {
+      const errorMessage = error["response"]?.data?.message;
+      notifications.show({ message: errorMessage, color: "red" });
+    },
+  });
+}

apps/client/src/features/session/services/session-service.ts

@@ -0,0 +1,17 @@
+import api from "@/lib/api-client";
+import { ISession } from "@/features/session/types/session.types";
+
+export async function getSessions(): Promise<ISession[]> {
+  const req = await api.post<{ sessions: ISession[] }>("/sessions");
+  return req.data.sessions;
+}
+
+export async function revokeSession(data: {
+  sessionId: string;
+}): Promise<void> {
+  await api.post("/sessions/revoke", data);
+}
+
+export async function revokeAllSessions(): Promise<void> {
+  await api.post("/sessions/revoke-all");
+}

apps/client/src/features/session/types/session.types.ts

@@ -0,0 +1,8 @@
+export type ISession = {
+  id: string;
+  deviceName: string | null;
+  geoLocation: string | null;
+  lastActiveAt: string;
+  createdAt: string;
+  isCurrentDevice?: boolean;
+};

apps/client/src/features/space/components/settings-modal.tsx

@@ -3,6 +3,7 @@ import SpaceMembersList from "@/features/space/components/space-members.tsx";
 import AddSpaceMembersModal from "@/features/space/components/add-space-members-modal.tsx";
 import React from "react";
 import SpaceDetails from "@/features/space/components/space-details.tsx";
+import SpaceSecuritySettings from "@/features/space/components/space-security-settings.tsx";
 import { useSpaceQuery } from "@/features/space/queries/space-query.ts";
 import { useSpaceAbility } from "@/features/space/permissions/use-space-ability.ts";
 import {
@@ -59,6 +60,14 @@ export default function SpaceSettingsModal({
                   <Tabs.Tab fw={500} value="members">
                     {t("Members")}
                   </Tabs.Tab>
+                  {spaceAbility.can(
+                    SpaceCaslAction.Manage,
+                    SpaceCaslSubject.Settings,
+                  ) && (
+                    <Tabs.Tab fw={500} value="security">
+                      {t("Security")}
+                    </Tabs.Tab>
+                  )}
                 </Tabs.List>
 
                 <Tabs.Panel value="general">
@@ -91,6 +100,20 @@ export default function SpaceSettingsModal({
                     )}
                   />
                 </Tabs.Panel>
+
+                <Tabs.Panel value="security">
+                  <ScrollArea h={580} scrollbarSize={5} pr={8}>
+                    <div style={{ paddingBottom: "100px" }}>
+                      <SpaceSecuritySettings
+                        space={space}
+                        readOnly={spaceAbility.cannot(
+                          SpaceCaslAction.Manage,
+                          SpaceCaslSubject.Settings,
+                        )}
+                      />
+                    </div>
+                  </ScrollArea>
+                </Tabs.Panel>
               </Tabs>
             </div>
           </Modal.Body>

apps/client/src/features/space/components/space-details.tsx

@@ -18,7 +18,7 @@ import {
   ResponsiveSettingsControl,
   ResponsiveSettingsRow,
 } from "@/components/ui/responsive-settings-row.tsx";
-import SpacePublicSharingToggle from "@/ee/security/components/space-public-sharing-toggle.tsx";
+
 
 interface SpaceDetailsProps {
   spaceId: string;
@@ -27,7 +27,6 @@ interface SpaceDetailsProps {
 export default function SpaceDetails({ spaceId, readOnly }: SpaceDetailsProps) {
   const { t } = useTranslation();
   const { data: space, isLoading, refetch } = useSpaceQuery(spaceId);
-  const showSharingToggle = !readOnly;
   const [exportOpened, { open: openExportModal, close: closeExportModal }] =
     useDisclosure(false);
   const [isIconUploading, setIsIconUploading] = useState(false);
@@ -89,13 +88,6 @@ export default function SpaceDetails({ spaceId, readOnly }: SpaceDetailsProps) {
 
           <EditSpaceForm space={space} readOnly={readOnly} />
 
-          {showSharingToggle && (
-            <>
-              <Divider my="lg" />
-              <SpacePublicSharingToggle space={space} />
-            </>
-          )}
-
           {!readOnly && (
             <>
               <Divider my="lg" />

apps/client/src/features/space/components/space-security-settings.tsx

@@ -0,0 +1,34 @@
+import { Text, Divider } from "@mantine/core";
+import React from "react";
+import { useTranslation } from "react-i18next";
+import { ISpace } from "@/features/space/types/space.types.ts";
+import SpacePublicSharingToggle from "@/ee/security/components/space-public-sharing-toggle.tsx";
+import SpaceViewerCommentsToggle from "@/ee/security/components/space-viewer-comments-toggle.tsx";
+
+type SpaceSecuritySettingsProps = {
+  space: ISpace;
+  readOnly?: boolean;
+};
+
+export default function SpaceSecuritySettings({
+  space,
+  readOnly,
+}: SpaceSecuritySettingsProps) {
+  const { t } = useTranslation();
+
+  if (readOnly) return null;
+
+  return (
+    <div>
+      <Text my="md" fw={600}>
+        {t("Security")}
+      </Text>
+
+      <SpacePublicSharingToggle space={space} />
+
+      <Divider my="lg" />
+
+      <SpaceViewerCommentsToggle space={space} />
+    </div>
+  );
+}

apps/client/src/features/space/types/space.types.ts

@@ -9,8 +9,13 @@ export interface ISpaceSharingSettings {
   disabled?: boolean;
 }
 
+export interface ISpaceCommentsSettings {
+  allowViewerComments?: boolean;
+}
+
 export interface ISpaceSettings {
   sharing?: ISpaceSharingSettings;
+  comments?: ISpaceCommentsSettings;
 }
 
 export interface ISpace {
@@ -29,6 +34,7 @@ export interface ISpace {
   settings?: ISpaceSettings;
   // for updates
   disablePublicSharing?: boolean;
+  allowViewerComments?: boolean;
 }
 
 interface IMembership {

apps/client/src/features/user/components/account-name-form.tsx

@@ -1,9 +1,8 @@
 import { useAtom } from "jotai";
-import { focusAtom } from "jotai-optics";
 import { z } from "zod/v4";
 import { useForm } from "@mantine/form";
 import { zod4Resolver } from "mantine-form-zod-resolver";
-import { currentUserAtom } from "@/features/user/atoms/current-user-atom.ts";
+import { userAtom } from "@/features/user/atoms/current-user-atom.ts";
 import { updateUser } from "@/features/user/services/user-service.ts";
 import { IUser } from "@/features/user/types/user.types.ts";
 import { useState } from "react";
@@ -17,18 +16,15 @@ const formSchema = z.object({
 
 type FormValues = z.infer<typeof formSchema>;
 
-const userAtom = focusAtom(currentUserAtom, (optic) => optic.prop("user"));
-
 export default function AccountNameForm() {
   const { t } = useTranslation();
   const [isLoading, setIsLoading] = useState(false);
-  const [currentUser] = useAtom(currentUserAtom);
-  const [, setUser] = useAtom(userAtom);
+  const [user, setUser] = useAtom(userAtom);
 
   const form = useForm<FormValues>({
     validate: zod4Resolver(formSchema),
     initialValues: {
-      name: currentUser?.user.name,
+      name: user?.name,
     },
   });
 

apps/client/src/lib/api-client.ts

@@ -74,8 +74,12 @@ function redirectToLogin() {
   ];
   if (!exemptPaths.some((path) => window.location.pathname.startsWith(path))) {
     const redirectTo = window.location.pathname;
-    const params = new URLSearchParams({ redirect: redirectTo });
-    window.location.href = `${APP_ROUTE.AUTH.LOGIN}?${params.toString()}`;
+    if (redirectTo === APP_ROUTE.HOME) {
+      window.location.href = APP_ROUTE.AUTH.LOGIN;
+    } else {
+      const params = new URLSearchParams({ redirect: redirectTo });
+      window.location.href = `${APP_ROUTE.AUTH.LOGIN}?${params.toString()}`;
+    }
   }
 }
 

apps/client/src/lib/config.ts

@@ -1,6 +1,7 @@
 import bytes from "bytes";
 import { castToBoolean } from "@/lib/utils.tsx";
 import { AvatarIconType } from "@/features/attachments/types/attachment.types.ts";
+import { sanitizeUrl } from "@docmost/editor-ext";
 
 declare global {
   interface Window {
@@ -66,7 +67,7 @@ export function getFileUrl(src: string) {
   if (src.startsWith("/files/")) {
     return getBackendUrl() + src;
   }
-  return src;
+  return sanitizeUrl(src);
 }
 
 export function getFileUploadSizeLimit() {

apps/client/src/lib/utils.tsx

@@ -94,6 +94,12 @@ export function getPageIcon(icon: string, size = 18): string | ReactNode {
   );
 }
 
+export const normalizeUrl = (url: string): string => {
+  if (!url) return url;
+  if (url.startsWith("/") || /^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(url)) return url;
+  return `https://${url}`;
+};
+
 export function castToBoolean(value: unknown): boolean {
   if (value == null) {
     return false;

apps/client/src/pages/page/page.tsx

@@ -53,6 +53,9 @@ function PageContent({ pageSlug }: { pageSlug: string | undefined }) {
   const { data: space } = useGetSpaceBySlugQuery(page?.space?.slug);
 
   const canEdit = page?.permissions?.canEdit ?? false;
+  const canComment =
+    canEdit ||
+    (space?.settings?.comments?.allowViewerComments === true);
 
   if (isLoading) {
     return <></>;
@@ -104,6 +107,7 @@ function PageContent({ pageSlug }: { pageSlug: string | undefined }) {
           slugId={page.slugId}
           spaceSlug={page?.space?.slug}
           editable={canEdit}
+          canComment={canComment}
         />
         <MemoizedHistoryModal pageId={page.id} />
       </div>

apps/client/src/pages/settings/account/account-settings.tsx

@@ -8,6 +8,7 @@ import { getAppName } from "@/lib/config.ts";
 import { Helmet } from "react-helmet-async";
 import { useTranslation } from "react-i18next";
 import { AccountMfaSection } from "@/features/user/components/account-mfa-section";
+import SessionList from "@/features/session/components/session-list";
 
 export default function AccountSettings() {
   const { t } = useTranslation();
@@ -36,6 +37,10 @@ export default function AccountSettings() {
       <Divider my="lg" />
 
       <AccountMfaSection />
+
+      <Divider my="lg" />
+
+      <SessionList />
     </>
   );
 }

apps/client/vite.config.ts

@@ -2,7 +2,7 @@ import { defineConfig, loadEnv } from "vite";
 import react from "@vitejs/plugin-react";
 import * as path from "path";
 
-export const envPath = path.resolve(process.cwd(), "..", "..");
+const envPath = path.resolve(process.cwd(), "..", "..");
 
 export default defineConfig(({ mode }) => {
   const {
@@ -35,6 +35,20 @@ export default defineConfig(({ mode }) => {
       APP_VERSION: JSON.stringify(process.env.npm_package_version),
     },
     plugins: [react()],
+    build: {
+      rolldownOptions: {
+        output: {
+          codeSplitting: {
+            groups: [
+              { name: "vendor-mantine", test: /@mantine/ },
+              { name: "vendor-mermaid", test: /mermaid|cytoscape|elkjs/ },
+              { name: "vendor-excalidraw", test: /excalidraw/ },
+              { name: "vendor-katex", test: /katex/ },
+            ],
+          },
+        },
+      },
+    },
     resolve: {
       alias: {
         "@": "/src",

apps/server/package.json

@@ -30,123 +30,124 @@
     "test:e2e": "jest --config test/jest-e2e.json"
   },
   "dependencies": {
-    "@ai-sdk/google": "^3.0.29",
-    "@ai-sdk/openai": "^3.0.29",
-    "@ai-sdk/openai-compatible": "^2.0.30",
-    "@aws-sdk/client-s3": "3.1000.0",
-    "@aws-sdk/lib-storage": "3.1000.0",
-    "@aws-sdk/s3-request-presigner": "3.1000.0",
-    "@clickhouse/client": "^1.17.0",
+    "@ai-sdk/google": "^3.0.52",
+    "@ai-sdk/openai": "^3.0.47",
+    "@ai-sdk/openai-compatible": "^2.0.37",
+    "@aws-sdk/client-s3": "3.1014.0",
+    "@aws-sdk/lib-storage": "3.1014.0",
+    "@aws-sdk/s3-request-presigner": "3.1014.0",
+    "@clickhouse/client": "^1.18.2",
     "@fastify/cookie": "^11.0.2",
     "@fastify/multipart": "^9.4.0",
     "@fastify/static": "^9.0.0",
     "@keyv/redis": "^5.1.6",
-    "@langchain/core": "1.1.29",
+    "@langchain/core": "1.1.34",
     "@langchain/textsplitters": "1.0.1",
     "@modelcontextprotocol/sdk": "^1.27.1",
     "@nestjs-labs/nestjs-ioredis": "^11.0.4",
     "@nestjs/bullmq": "^11.0.4",
     "@nestjs/cache-manager": "^3.1.0",
-    "@nestjs/common": "^11.1.14",
+    "@nestjs/common": "^11.1.17",
     "@nestjs/config": "^4.0.3",
-    "@nestjs/core": "^11.1.14",
+    "@nestjs/core": "^11.1.17",
     "@nestjs/event-emitter": "^3.0.1",
-    "@nestjs/jwt": "11.0.0",
+    "@nestjs/jwt": "11.0.2",
     "@nestjs/mapped-types": "^2.1.0",
     "@nestjs/passport": "^11.0.5",
-    "@nestjs/platform-fastify": "^11.1.14",
-    "@nestjs/platform-socket.io": "^11.1.14",
+    "@nestjs/platform-fastify": "^11.1.17",
+    "@nestjs/platform-socket.io": "^11.1.17",
     "@nestjs/schedule": "^6.1.1",
     "@nestjs/terminus": "^11.1.1",
-    "@nestjs/websockets": "^11.1.14",
+    "@nestjs/websockets": "^11.1.17",
     "@node-saml/passport-saml": "^5.1.0",
-    "@react-email/components": "1.0.7",
+    "@react-email/components": "1.0.10",
     "@react-email/render": "2.0.4",
     "@socket.io/redis-adapter": "^8.3.0",
-    "ai": "^6.0.86",
-    "ai-sdk-ollama": "^3.7.0",
+    "ai": "^6.0.134",
+    "ai-sdk-ollama": "^3.8.1",
     "bcrypt": "^6.0.0",
-    "bullmq": "^5.70.1",
+    "bowser": "^2.14.1",
+    "bullmq": "^5.71.0",
     "cache-manager": "^7.2.8",
     "cheerio": "^1.2.0",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.15.1",
     "cookie": "^1.1.1",
-    "fs-extra": "^11.3.3",
-    "happy-dom": "20.1.0",
-    "ioredis": "^5.4.1",
+    "fs-extra": "^11.3.4",
+    "happy-dom": "20.8.4",
+    "ioredis": "^5.10.1",
     "jsonwebtoken": "^9.0.3",
-    "kysely": "^0.28.2",
+    "kysely": "^0.28.14",
     "kysely-migration-cli": "^0.4.2",
     "kysely-postgres-js": "^3.0.0",
-    "ldapts": "^7.4.0",
+    "ldapts": "^8.1.7",
     "lib0": "^0.2.117",
-    "mammoth": "^1.11.0",
-    "mime-types": "^2.1.35",
-    "msgpackr": "^1.11.8",
-    "nanoid": "3.3.11",
+    "mammoth": "^1.12.0",
+    "mime-types": "^3.0.2",
+    "msgpackr": "^1.11.9",
+    "nanoid": "5.1.7",
     "nestjs-cls": "^6.2.0",
-    "nestjs-kysely": "^1.2.0",
-    "nestjs-pino": "^4.5.0",
-    "nodemailer": "^7.0.12",
-    "openid-client": "^5.7.1",
-    "otpauth": "^9.4.1",
-    "p-limit": "^6.2.0",
+    "nestjs-kysely": "^3.1.2",
+    "nestjs-pino": "^4.6.1",
+    "nodemailer": "^8.0.3",
+    "openid-client": "^6.8.2",
+    "otpauth": "^9.5.0",
+    "p-limit": "^7.3.0",
     "passport-google-oauth20": "^2.0.0",
     "passport-jwt": "^4.0.1",
-    "pdfjs-dist": "^5.4.394",
+    "pdfjs-dist": "^5.5.207",
     "pg-tsquery": "^8.4.2",
     "pgvector": "^0.2.1",
     "pino-http": "^11.0.0",
     "pino-pretty": "^13.1.3",
     "postgres": "^3.4.8",
-    "postmark": "^4.0.5",
+    "postmark": "^4.0.7",
     "react": "^18.3.1",
     "reflect-metadata": "^0.2.2",
     "rxjs": "^7.8.2",
     "sanitize-filename-ts": "1.0.2",
     "socket.io": "^4.8.3",
-    "stripe": "^17.5.0",
+    "stripe": "^17.7.0",
     "tlds": "^1.261.0",
     "tmp-promise": "^3.0.3",
     "tseep": "^1.3.1",
-    "typesense": "^2.1.0",
+    "typesense": "^3.0.3",
     "ws": "^8.19.0",
-    "yauzl": "^3.2.0",
+    "yauzl": "^3.2.1",
     "zod": "^4.3.6"
   },
   "devDependencies": {
-    "@eslint/js": "^9.20.0",
+    "@eslint/js": "^9.28.0",
     "@nestjs/cli": "^11.0.16",
-    "@nestjs/schematics": "^11.0.1",
-    "@nestjs/testing": "^11.0.10",
-    "@types/bcrypt": "^5.0.2",
+    "@nestjs/schematics": "^11.0.9",
+    "@nestjs/testing": "^11.1.17",
+    "@types/bcrypt": "^6.0.0",
     "@types/debounce": "^1.2.4",
     "@types/fs-extra": "^11.0.4",
     "@types/jest": "^30.0.0",
-    "@types/mime-types": "^2.1.4",
-    "@types/node": "^22.13.4",
-    "@types/nodemailer": "^6.4.17",
-    "@types/passport-google-oauth20": "^2.0.16",
+    "@types/mime-types": "^3.0.1",
+    "@types/node": "^25.5.0",
+    "@types/nodemailer": "^7.0.11",
+    "@types/passport-google-oauth20": "^2.0.17",
     "@types/passport-jwt": "^4.0.1",
     "@types/supertest": "^6.0.3",
     "@types/ws": "^8.18.1",
     "@types/yauzl": "^2.10.3",
-    "eslint": "^9.39.2",
-    "eslint-config-prettier": "^10.0.1",
-    "globals": "^15.15.0",
-    "jest": "^30.2.0",
+    "eslint": "^9.28.0",
+    "eslint-config-prettier": "^10.1.8",
+    "globals": "^17.4.0",
+    "jest": "^30.3.0",
     "kysely-codegen": "^0.20.0",
-    "prettier": "^3.5.1",
-    "react-email": "5.2.8",
+    "prettier": "^3.8.1",
+    "react-email": "5.2.10",
     "source-map-support": "^0.5.21",
     "supertest": "^7.2.2",
     "ts-jest": "^29.4.6",
     "ts-loader": "^9.5.4",
     "ts-node": "^10.9.2",
     "tsconfig-paths": "^4.2.0",
-    "typescript": "^5.7.3",
-    "typescript-eslint": "^8.24.1"
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.57.1"
   },
   "jest": {
     "moduleFileExtensions": [

apps/server/src/collaboration/collaboration.gateway.ts

@@ -116,7 +116,7 @@ export class CollaborationGateway {
 
       // Forward close events
       client.on('close', (code: number, reason: Buffer) => {
-        this.redisSync!.onSocketClose(socketId, code, reason);
+        this.redisSync!.onSocketClose(socketId, code, reason.buffer as ArrayBuffer);
       });
 
       // Forward pong events for keepalive

apps/server/src/collaboration/collaboration.handler.ts

@@ -5,6 +5,7 @@ import {
   prosemirrorNodeToYElement,
   tiptapExtensions,
 } from './collaboration.util';
+import { setYjsMark, updateYjsMarkAttribute, YjsSelection } from './yjs.util';
 import * as Y from 'yjs';
 import { User } from '@docmost/db/types/entity.types';
 
@@ -27,6 +28,53 @@ export class CollaborationHandler {
         //   const fragment = doc.getXmlFragment('default');
         //});
       },
+      setCommentMark: async (
+        documentName: string,
+        payload: {
+          yjsSelection: YjsSelection;
+          commentId: string;
+          resolved: boolean;
+          user: User;
+        },
+      ) => {
+        const { yjsSelection, commentId, resolved, user } = payload;
+        await this.withYdocConnection(
+          hocuspocus,
+          documentName,
+          { user },
+          (doc) => {
+            const fragment = doc.getXmlFragment('default');
+            setYjsMark(doc, fragment, yjsSelection, 'comment', {
+              commentId,
+              resolved,
+            });
+          },
+        );
+      },
+      resolveCommentMark: async (
+        documentName: string,
+        payload: {
+          commentId: string;
+          resolved: boolean;
+          user: User;
+        },
+      ) => {
+        const { commentId, resolved, user } = payload;
+        await this.withYdocConnection(
+          hocuspocus,
+          documentName,
+          { user },
+          (doc) => {
+            const fragment = doc.getXmlFragment('default');
+            updateYjsMarkAttribute(
+              fragment,
+              'comment',
+              { name: 'commentId', value: commentId },
+              { resolved },
+            );
+          },
+        );
+      },
       updatePageContent: async (
         documentName: string,
         payload: {
@@ -58,8 +106,7 @@ export class CollaborationHandler {
             } else {
               const newContent = prosemirrorJson.content || [];
               const yElements = newContent.map(prosemirrorNodeToYElement);
-              const position =
-                operation === 'prepend' ? 0 : fragment.length;
+              const position = operation === 'prepend' ? 0 : fragment.length;
               fragment.insert(position, yElements);
             }
           },

apps/server/src/collaboration/yjs.util.ts

@@ -1,7 +1,7 @@
 import {
   initProseMirrorDoc,
   relativePositionToAbsolutePosition,
-} from 'y-prosemirror';
+} from '@tiptap/y-tiptap';
 import * as Y from 'yjs';
 import { Document } from '@hocuspocus/server';
 import { getSchema } from '@tiptap/core';

apps/server/src/common/features.ts

@@ -0,0 +1,22 @@
+export const Feature = {
+  SSO_CUSTOM: 'sso:custom',
+  SSO_GOOGLE: 'sso:google',
+  MFA: 'mfa',
+  API_KEYS: 'api:keys',
+  COMMENT_RESOLUTION: 'comment:resolution',
+  PAGE_PERMISSIONS: 'page:permissions',
+  AI: 'ai',
+  CONFLUENCE_IMPORT: 'import:confluence',
+  DOCX_IMPORT: 'import:docx',
+  ATTACHMENT_INDEXING: 'attachment:indexing',
+  SECURITY_SETTINGS: 'security:settings',
+  MCP: 'mcp',
+  SCIM: 'scim',
+  PAGE_VERIFICATION: 'page:verification',
+  AUDIT_LOGS: 'audit:logs',
+  RETENTION: 'retention',
+  SHARING_CONTROLS: 'sharing:controls',
+  VIEWER_COMMENTS: 'comment:viewer',
+} as const;
+
+export type FeatureKey = (typeof Feature)[keyof typeof Feature];

apps/server/src/common/middlewares/audit-context.middleware.ts

@@ -7,6 +7,7 @@ export interface AuditContext {
   actorId: string | null;
   actorType: 'user' | 'system' | 'api_key';
   ipAddress: string | null;
+  userAgent: string | null;
 }
 
 export const AUDIT_CONTEXT_KEY = 'auditContext';
@@ -19,11 +20,15 @@ export class AuditContextMiddleware implements NestMiddleware {
     const workspaceId = (req as any).workspaceId ?? null;
     const ipAddress = this.extractIpAddress(req);
 
+    const userAgent =
+      (req.headers['user-agent'] as string) ?? null;
+
     const auditContext: AuditContext = {
       workspaceId,
       actorId: null,
       actorType: 'user',
       ipAddress,
+      userAgent,
     };
 
     this.cls.set(AUDIT_CONTEXT_KEY, auditContext);

apps/server/src/core/attachment/services/attachment.service.ts

@@ -70,8 +70,8 @@ export class AttachmentService {
       }
 
       if (
-        existingAttachment.pageId !== pageId &&
-        existingAttachment.fileExt !== preparedFile.fileExtension &&
+        existingAttachment.pageId !== pageId ||
+        existingAttachment.fileExt !== preparedFile.fileExtension ||
         existingAttachment.workspaceId !== workspaceId
       ) {
         throw new BadRequestException('File attachment does not match');

apps/server/src/core/auth/auth.controller.ts

@@ -5,12 +5,14 @@ import {
   HttpStatus,
   Inject,
   Post,
+  Req,
   Res,
   UseGuards,
   Logger,
 } from '@nestjs/common';
 import { LoginDto } from './dto/login.dto';
 import { AuthService } from './services/auth.service';
+import { SessionService } from '../session/session.service';
 import { SetupGuard } from './guards/setup.guard';
 import { EnvironmentService } from '../../integrations/environment/environment.service';
 import { CreateAdminUserDto } from './dto/create-admin-user.dto';
@@ -22,7 +24,7 @@ import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
 import { ForgotPasswordDto } from './dto/forgot-password.dto';
 import { PasswordResetDto } from './dto/password-reset.dto';
 import { VerifyUserTokenDto } from './dto/verify-user-token.dto';
-import { FastifyReply } from 'fastify';
+import { FastifyReply, FastifyRequest } from 'fastify';
 import { validateSsoEnforcement } from './auth.util';
 import { ModuleRef } from '@nestjs/core';
 import { AuditEvent, AuditResource } from '../../common/events/audit-events';
@@ -37,6 +39,7 @@ export class AuthController {
 
   constructor(
     private authService: AuthService,
+    private sessionService: SessionService,
     private environmentService: EnvironmentService,
     private moduleRef: ModuleRef,
     @Inject(AUDIT_SERVICE) private readonly auditService: IAuditService,
@@ -115,8 +118,15 @@ export class AuthController {
     @Body() dto: ChangePasswordDto,
     @AuthUser() user: User,
     @AuthWorkspace() workspace: Workspace,
+    @Req() req: FastifyRequest,
   ) {
-    return this.authService.changePassword(dto, user.id, workspace.id);
+    const currentSessionId = (req.raw as any).sessionId;
+    return this.authService.changePassword(
+      dto,
+      user.id,
+      workspace.id,
+      currentSessionId,
+    );
   }
 
   @HttpCode(HttpStatus.OK)
@@ -178,8 +188,18 @@ export class AuthController {
   @Post('logout')
   async logout(
     @AuthUser() user: User,
+    @Req() req: FastifyRequest,
     @Res({ passthrough: true }) res: FastifyReply,
   ) {
+    const sessionId = (req.raw as any).sessionId;
+    if (sessionId) {
+      await this.sessionService.revokeSession(
+        sessionId,
+        user.id,
+        user.workspaceId,
+      );
+    }
+
     res.clearCookie('authToken');
 
     this.auditService.log({
@@ -192,6 +212,7 @@ export class AuthController {
   setAuthCookie(res: FastifyReply, token: string) {
     res.setCookie('authToken', token, {
       httpOnly: true,
+      sameSite: 'lax',
       path: '/',
       expires: this.environmentService.getCookieExpiresIn(),
       secure: this.environmentService.isHttps(),

apps/server/src/core/auth/dto/jwt-payload.ts

@@ -11,6 +11,7 @@ export type JwtPayload = {
   email: string;
   workspaceId: string;
   type: 'access';
+  sessionId?: string;
 };
 
 export type JwtCollabPayload = {

apps/server/src/core/auth/services/auth.service.ts

@@ -8,6 +8,8 @@ import {
 import { LoginDto } from '../dto/login.dto';
 import { CreateUserDto } from '../dto/create-user.dto';
 import { TokenService } from './token.service';
+import { SessionService } from '../../session/session.service';
+import { UserSessionRepo } from '@docmost/db/repos/session/user-session.repo';
 import { SignupService } from './signup.service';
 import { CreateAdminUserDto } from '../dto/create-admin-user.dto';
 import { UserRepo } from '@docmost/db/repos/user/user.repo';
@@ -44,6 +46,8 @@ export class AuthService {
   constructor(
     private signupService: SignupService,
     private tokenService: TokenService,
+    private sessionService: SessionService,
+    private userSessionRepo: UserSessionRepo,
     private userRepo: UserRepo,
     private userTokenRepo: UserTokenRepo,
     private mailService: MailService,
@@ -90,19 +94,19 @@ export class AuthService {
       metadata: { source: 'password' },
     });
 
-    return this.tokenService.generateAccessToken(user);
+    return this.sessionService.createSessionAndToken(user);
   }
 
   async register(createUserDto: CreateUserDto, workspaceId: string) {
     const user = await this.signupService.signup(createUserDto, workspaceId);
-    return this.tokenService.generateAccessToken(user);
+    return this.sessionService.createSessionAndToken(user);
   }
 
   async setup(createAdminUserDto: CreateAdminUserDto) {
     const { workspace, user } =
       await this.signupService.initialSetup(createAdminUserDto);
 
-    const authToken = await this.tokenService.generateAccessToken(user);
+    const authToken = await this.sessionService.createSessionAndToken(user);
     return { workspace, authToken };
   }
 
@@ -110,6 +114,7 @@ export class AuthService {
     dto: ChangePasswordDto,
     userId: string,
     workspaceId: string,
+    currentSessionId?: string,
   ): Promise<void> {
     const user = await this.userRepo.findById(userId, workspaceId, {
       includePassword: true,
@@ -138,6 +143,16 @@ export class AuthService {
       workspaceId,
     );
 
+    if (currentSessionId) {
+      await this.userSessionRepo.deleteAllExceptCurrent(
+        currentSessionId,
+        userId,
+        workspaceId,
+      );
+    } else {
+      await this.userSessionRepo.deleteByUserId(userId, workspaceId);
+    }
+
     this.auditService.log({
       event: AuditEvent.USER_PASSWORD_CHANGED,
       resourceType: AuditResource.USER,
@@ -244,6 +259,8 @@ export class AuthService {
         .execute();
     });
 
+    await this.userSessionRepo.deleteByUserId(user.id, workspace.id);
+
     this.auditService.setActorId(user.id);
     this.auditService.log({
       event: AuditEvent.USER_PASSWORD_RESET,
@@ -276,7 +293,7 @@ export class AuthService {
       };
     }
 
-    const authToken = await this.tokenService.generateAccessToken(user);
+    const authToken = await this.sessionService.createSessionAndToken(user);
     return { authToken };
   }
 

apps/server/src/core/auth/services/token.service.ts

@@ -4,6 +4,7 @@ import {
   UnauthorizedException,
 } from '@nestjs/common';
 import { JwtService } from '@nestjs/jwt';
+import type { StringValue } from 'ms';
 import { EnvironmentService } from '../../../integrations/environment/environment.service';
 import {
   JwtApiKeyPayload,
@@ -24,7 +25,7 @@ export class TokenService {
     private environmentService: EnvironmentService,
   ) {}
 
-  async generateAccessToken(user: User): Promise<string> {
+  async generateAccessToken(user: User, sessionId: string): Promise<string> {
     if (isUserDisabled(user)) {
       throw new ForbiddenException();
     }
@@ -34,6 +35,7 @@ export class TokenService {
       email: user.email,
       workspaceId: user.workspaceId,
       type: JwtType.ACCESS,
+      sessionId,
     };
     return this.jwtService.sign(payload);
   }
@@ -96,7 +98,7 @@ export class TokenService {
     apiKeyId: string;
     user: User;
     workspaceId: string;
-    expiresIn?: string | number;
+    expiresIn?: StringValue | number;
   }): Promise<string> {
     const { apiKeyId, user, workspaceId, expiresIn } = opts;
     if (isUserDisabled(user)) {

apps/server/src/core/auth/strategies/jwt.strategy.ts

@@ -5,6 +5,8 @@ import { EnvironmentService } from '../../../integrations/environment/environmen
 import { JwtApiKeyPayload, JwtPayload, JwtType } from '../dto/jwt-payload';
 import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
 import { UserRepo } from '@docmost/db/repos/user/user.repo';
+import { UserSessionRepo } from '@docmost/db/repos/session/user-session.repo';
+import { SessionActivityService } from '../../session/session-activity.service';
 import { FastifyRequest } from 'fastify';
 import { extractBearerTokenFromHeader, isUserDisabled } from '../../../common/helpers';
 import { ModuleRef } from '@nestjs/core';
@@ -16,6 +18,8 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
   constructor(
     private userRepo: UserRepo,
     private workspaceRepo: WorkspaceRepo,
+    private userSessionRepo: UserSessionRepo,
+    private sessionActivityService: SessionActivityService,
     private readonly environmentService: EnvironmentService,
     private moduleRef: ModuleRef,
   ) {
@@ -57,6 +61,16 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
       throw new UnauthorizedException();
     }
 
+    if ((payload as JwtPayload).sessionId) {
+      const sessionId = (payload as JwtPayload).sessionId;
+      const session = await this.userSessionRepo.findActiveById(sessionId);
+      if (!session || session.userId !== payload.sub || session.workspaceId !== payload.workspaceId) {
+        throw new UnauthorizedException();
+      }
+      req.raw.sessionId = sessionId;
+      this.sessionActivityService.trackActivity(sessionId, payload.sub, payload.workspaceId);
+    }
+
     return { user, workspace };
   }
 

apps/server/src/core/auth/token.module.ts

@@ -1,5 +1,6 @@
 import { Module } from '@nestjs/common';
 import { JwtModule } from '@nestjs/jwt';
+import type { StringValue } from 'ms';
 import { EnvironmentService } from '../../integrations/environment/environment.service';
 import { TokenService } from './services/token.service';
 
@@ -10,7 +11,7 @@ import { TokenService } from './services/token.service';
         return {
           secret: environmentService.getAppSecret(),
           signOptions: {
-            expiresIn: environmentService.getJwtTokenExpiresIn(),
+            expiresIn: environmentService.getJwtTokenExpiresIn() as StringValue,
             issuer: 'Docmost',
           },
         };

apps/server/src/core/comment/comment.controller.ts

@@ -58,13 +58,13 @@ export class CommentController {
       throw new NotFoundException('Page not found');
     }
 
-    await this.pageAccessService.validateCanEdit(page, user);
+    await this.pageAccessService.validateCanComment(page, user, workspace.id);
 
     const comment = await this.commentService.create(
       {
-        userId: user.id,
         page,
         workspaceId: workspace.id,
+        user,
       },
       createCommentDto,
     );
@@ -120,7 +120,7 @@ export class CommentController {
 
   @HttpCode(HttpStatus.OK)
   @Post('update')
-  async update(@Body() dto: UpdateCommentDto, @AuthUser() user: User) {
+  async update(@Body() dto: UpdateCommentDto, @AuthUser() user: User, @AuthWorkspace() workspace: Workspace) {
     const comment = await this.commentRepo.findById(dto.commentId, {
       includeCreator: true,
       includeResolvedBy: true,
@@ -134,14 +134,14 @@ export class CommentController {
       throw new NotFoundException('Page not found');
     }
 
-    await this.pageAccessService.validateCanEdit(page, user);
+    await this.pageAccessService.validateCanComment(page, user, workspace.id);
 
     return this.commentService.update(comment, dto, user);
   }
 
   @HttpCode(HttpStatus.OK)
   @Post('delete')
-  async delete(@Body() input: CommentIdDto, @AuthUser() user: User) {
+  async delete(@Body() input: CommentIdDto, @AuthUser() user: User, @AuthWorkspace() workspace: Workspace) {
     const comment = await this.commentRepo.findById(input.commentId);
     if (!comment) {
       throw new NotFoundException('Comment not found');
@@ -152,8 +152,7 @@ export class CommentController {
       throw new NotFoundException('Page not found');
     }
 
-    // Check page-level edit permission first
-    await this.pageAccessService.validateCanEdit(page, user);
+    await this.pageAccessService.validateCanComment(page, user, workspace.id);
 
     // Check if user is the comment owner
     const isOwner = comment.creatorId === user.id;
@@ -169,7 +168,7 @@ export class CommentController {
       // Space admin can delete any comment
       if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Settings)) {
         throw new ForbiddenException(
-          'You can only delete your own comments or must be a space admin',
+          'You can only delete your own comments',
         );
       }
       await this.commentRepo.deleteComment(comment.id);

apps/server/src/core/comment/comment.module.ts

@@ -1,8 +1,10 @@
 import { Module } from '@nestjs/common';
 import { CommentService } from './comment.service';
 import { CommentController } from './comment.controller';
+import { CollaborationModule } from '../../collaboration/collaboration.module';
 
 @Module({
+  imports: [CollaborationModule],
   controllers: [CommentController],
   providers: [CommentService],
   exports: [CommentService],

apps/server/src/core/comment/comment.service.ts

@@ -7,7 +7,8 @@ import {
 } from '@nestjs/common';
 import { InjectQueue } from '@nestjs/bullmq';
 import { Queue } from 'bullmq';
-import { CreateCommentDto } from './dto/create-comment.dto';
+import { CreateCommentDto, yjsSelectionSchema } from './dto/create-comment.dto';
+import { CollaborationGateway } from '../../collaboration/collaboration.gateway';
 import { UpdateCommentDto } from './dto/update-comment.dto';
 import { CommentRepo } from '@docmost/db/repos/comment/comment.repo';
 import { Comment, Page, User } from '@docmost/db/types/entity.types';
@@ -27,6 +28,7 @@ export class CommentService {
     private commentRepo: CommentRepo,
     private pageRepo: PageRepo,
     private wsService: WsService,
+    private collaborationGateway: CollaborationGateway,
     @InjectQueue(QueueName.GENERAL_QUEUE)
     private generalQueue: Queue,
     @InjectQueue(QueueName.NOTIFICATION_QUEUE)
@@ -45,10 +47,10 @@ export class CommentService {
   }
 
   async create(
-    opts: { userId: string; page: Page; workspaceId: string },
+    opts: { page: Page; workspaceId: string; user: User },
     createCommentDto: CreateCommentDto,
   ) {
-    const { userId, page, workspaceId } = opts;
+    const { page, workspaceId, user } = opts;
     const commentContent = JSON.parse(createCommentDto.content);
 
     if (createCommentDto.parentCommentId) {
@@ -71,11 +73,39 @@ export class CommentService {
       selection: createCommentDto?.selection?.substring(0, 250) ?? null,
       type: createCommentDto.type ?? 'page',
       parentCommentId: createCommentDto?.parentCommentId,
-      creatorId: userId,
+      creatorId: user.id,
       workspaceId: workspaceId,
       spaceId: page.spaceId,
     });
 
+    if (createCommentDto.yjsSelection) {
+      const parsed = yjsSelectionSchema.safeParse(createCommentDto.yjsSelection);
+      if (!parsed.success) {
+        this.logger.warn(
+          `Invalid yjsSelection for comment ${inserted.id}: ${parsed.error.message}`,
+        );
+      } else {
+        const documentName = `page.${page.id}`;
+        try {
+          await this.collaborationGateway.handleYjsEvent(
+            'setCommentMark',
+            documentName,
+            {
+              yjsSelection: parsed.data,
+              commentId: inserted.id,
+              resolved: false,
+              user,
+            },
+          );
+        } catch (error) {
+          this.logger.warn(
+            `Failed to apply comment mark for comment ${inserted.id}, comment saved without inline highlight`,
+            error,
+          );
+        }
+      }
+    }
+
     const comment = await this.commentRepo.findById(inserted.id, {
       includeCreator: true,
       includeResolvedBy: true,
@@ -83,7 +113,7 @@ export class CommentService {
 
     this.generalQueue
       .add(QueueJob.ADD_PAGE_WATCHERS, {
-        userIds: [userId],
+        userIds: [user.id],
         pageId: page.id,
         spaceId: page.spaceId,
         workspaceId,
@@ -101,7 +131,7 @@ export class CommentService {
       page.id,
       page.spaceId,
       workspaceId,
-      userId,
+      user.id,
       !isReply,
       createCommentDto.parentCommentId,
     );

apps/server/src/core/comment/dto/create-comment.dto.ts

@@ -1,4 +1,22 @@
-import { IsIn, IsJSON, IsOptional, IsString, IsUUID } from 'class-validator';
+import { IsIn, IsJSON, IsObject, IsOptional, IsString, IsUUID } from 'class-validator';
+import { z } from 'zod';
+
+const yjsIdSchema = z.object({
+  client: z.number().int().nonnegative(),
+  clock: z.number().int().nonnegative(),
+});
+
+const yjsRelativePositionSchema = z.object({
+  type: yjsIdSchema,
+  tname: z.string().nullable(),
+  item: yjsIdSchema.nullable(),
+  assoc: z.number().int(),
+});
+
+export const yjsSelectionSchema = z.object({
+  anchor: yjsRelativePositionSchema,
+  head: yjsRelativePositionSchema,
+});
 
 export class CreateCommentDto {
   @IsString()
@@ -18,4 +36,11 @@ export class CreateCommentDto {
   @IsOptional()
   @IsUUID()
   parentCommentId: string;
+
+  @IsOptional()
+  @IsObject()
+  yjsSelection?: {
+    anchor: any;
+    head: any;
+  };
 }

apps/server/src/core/core.module.ts

@@ -20,6 +20,7 @@ import { AuditContextMiddleware } from '../common/middlewares/audit-context.midd
 import { ShareModule } from './share/share.module';
 import { NotificationModule } from './notification/notification.module';
 import { WatcherModule } from './watcher/watcher.module';
+import { SessionModule } from './session/session.module';
 import { ClsMiddleware } from 'nestjs-cls';
 
 @Module({
@@ -38,6 +39,7 @@ import { ClsMiddleware } from 'nestjs-cls';
     ShareModule,
     NotificationModule,
     WatcherModule,
+    SessionModule,
   ],
 })
 export class CoreModule implements NestModule {

apps/server/src/core/page/page-access/page-access.service.ts

@@ -6,12 +6,14 @@ import {
   SpaceCaslAction,
   SpaceCaslSubject,
 } from '../../casl/interfaces/space-ability.type';
+import { SpaceRepo } from '@docmost/db/repos/space/space.repo';
 
 @Injectable()
 export class PageAccessService {
   constructor(
     private readonly pagePermissionRepo: PagePermissionRepo,
     private readonly spaceAbility: SpaceAbilityFactory,
+    private readonly spaceRepo: SpaceRepo,
   ) {}
 
   /**
@@ -99,4 +101,25 @@ export class PageAccessService {
 
     return { hasRestriction: hasAnyRestriction };
   }
+
+  async validateCanComment(
+    page: Page,
+    user: User,
+    workspaceId: string,
+  ): Promise<void> {
+    try {
+      await this.validateCanEdit(page, user);
+      return;
+    } catch {
+      // User cannot edit — check if reader commenting is enabled
+    }
+
+    await this.validateCanView(page, user);
+
+    const space = await this.spaceRepo.findById(page.spaceId, workspaceId);
+    const settings = space?.settings as Record<string, any> | null;
+    if (!settings?.comments?.allowViewerComments) {
+      throw new ForbiddenException();
+    }
+  }
 }

apps/server/src/core/session/dto/revoke-session.dto.ts

@@ -0,0 +1,7 @@
+import { IsNotEmpty, IsUUID } from 'class-validator';
+
+export class RevokeSessionDto {
+  @IsUUID()
+  @IsNotEmpty()
+  sessionId: string;
+}

apps/server/src/core/session/session-activity.service.ts

@@ -0,0 +1,36 @@
+import { Injectable } from '@nestjs/common';
+import { RedisService } from '@nestjs-labs/nestjs-ioredis';
+import type { Redis } from 'ioredis';
+import { UserSessionRepo } from '@docmost/db/repos/session/user-session.repo';
+import { UserRepo } from '@docmost/db/repos/user/user.repo';
+
+const THROTTLE_SECONDS = 15 * 60; // 15 minutes
+
+@Injectable()
+export class SessionActivityService {
+  private readonly redis: Redis;
+
+  constructor(
+    private readonly redisService: RedisService,
+    private readonly userSessionRepo: UserSessionRepo,
+    private readonly userRepo: UserRepo,
+  ) {
+    this.redis = this.redisService.getOrThrow();
+  }
+
+  trackActivity(sessionId: string, userId: string, workspaceId: string): void {
+    const key = `session:activity:${sessionId}`;
+
+    this.redis
+      .set(key, '1', 'EX', THROTTLE_SECONDS, 'NX')
+      .then((result) => {
+        if (result === null) return; // key already exists, throttled
+
+        this.userSessionRepo.updateLastActiveAt(sessionId).catch(() => {});
+        this.userRepo
+          .updateUser({ lastActiveAt: new Date() }, userId, workspaceId)
+          .catch(() => {});
+      })
+      .catch(() => {});
+  }
+}

apps/server/src/core/session/session.controller.ts

@@ -0,0 +1,80 @@
+import {
+  BadRequestException,
+  Body,
+  Controller,
+  HttpCode,
+  HttpStatus,
+  Post,
+  Req,
+  UseGuards,
+} from '@nestjs/common';
+import { SessionService } from './session.service';
+import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
+import { AuthUser } from '../../common/decorators/auth-user.decorator';
+import { AuthWorkspace } from '../../common/decorators/auth-workspace.decorator';
+import { User, Workspace } from '@docmost/db/types/entity.types';
+import { RevokeSessionDto } from './dto/revoke-session.dto';
+import { FastifyRequest } from 'fastify';
+
+@UseGuards(JwtAuthGuard)
+@Controller('sessions')
+export class SessionController {
+  constructor(private readonly sessionService: SessionService) {}
+
+  @HttpCode(HttpStatus.OK)
+  @Post()
+  async listSessions(
+    @AuthUser() user: User,
+    @AuthWorkspace() workspace: Workspace,
+    @Req() req: FastifyRequest,
+  ) {
+    const currentSessionId = (req.raw as any).sessionId ?? null;
+    const sessions = await this.sessionService.getActiveSessions(
+      user.id,
+      workspace.id,
+      currentSessionId,
+    );
+    return { sessions };
+  }
+
+  @HttpCode(HttpStatus.OK)
+  @Post('revoke')
+  async revokeSession(
+    @Body() dto: RevokeSessionDto,
+    @AuthUser() user: User,
+    @AuthWorkspace() workspace: Workspace,
+    @Req() req: FastifyRequest,
+  ) {
+    const currentSessionId = (req.raw as any).sessionId;
+    if (dto.sessionId === currentSessionId) {
+      throw new BadRequestException(
+        'Cannot revoke current session. Use logout instead.',
+      );
+    }
+    await this.sessionService.revokeSession(
+      dto.sessionId,
+      user.id,
+      workspace.id,
+    );
+  }
+
+  @HttpCode(HttpStatus.OK)
+  @Post('revoke-all')
+  async revokeAllSessions(
+    @AuthUser() user: User,
+    @AuthWorkspace() workspace: Workspace,
+    @Req() req: FastifyRequest,
+  ) {
+    const currentSessionId = (req.raw as any).sessionId;
+    if (!currentSessionId) {
+      throw new BadRequestException(
+        'Current session not found. Please log in again.',
+      );
+    }
+    await this.sessionService.revokeAllOtherSessions(
+      currentSessionId,
+      user.id,
+      workspace.id,
+    );
+  }
+}

apps/server/src/core/session/session.module.ts

@@ -0,0 +1,14 @@
+import { Global, Module } from '@nestjs/common';
+import { SessionService } from './session.service';
+import { SessionActivityService } from './session-activity.service';
+import { SessionController } from './session.controller';
+import { TokenModule } from '../auth/token.module';
+
+@Global()
+@Module({
+  imports: [TokenModule],
+  controllers: [SessionController],
+  providers: [SessionService, SessionActivityService],
+  exports: [SessionService, SessionActivityService],
+})
+export class SessionModule {}

apps/server/src/core/session/session.service.ts

@@ -0,0 +1,127 @@
+import { Injectable, Logger } from '@nestjs/common';
+import { Interval } from '@nestjs/schedule';
+import { TokenService } from '../auth/services/token.service';
+import { UserSessionRepo } from '@docmost/db/repos/session/user-session.repo';
+import { EnvironmentService } from '../../integrations/environment/environment.service';
+import { User } from '@docmost/db/types/entity.types';
+import { ClsService } from 'nestjs-cls';
+import {
+  AuditContext,
+  AUDIT_CONTEXT_KEY,
+} from '../../common/middlewares/audit-context.middleware';
+import * as Bowser from 'bowser';
+
+const MAX_SESSIONS_PER_USER = 25;
+const RETENTION_DAYS = 7;
+
+@Injectable()
+export class SessionService {
+  private readonly logger = new Logger(SessionService.name);
+
+  constructor(
+    private readonly tokenService: TokenService,
+    private readonly userSessionRepo: UserSessionRepo,
+    private readonly environmentService: EnvironmentService,
+    private readonly cls: ClsService,
+  ) {}
+
+  @Interval('session-cleanup', 24 * 60 * 60 * 1000)
+  async cleanupSessions() {
+    try {
+      await this.userSessionRepo.deleteStale(RETENTION_DAYS);
+      await this.userSessionRepo.trimExcessSessions(MAX_SESSIONS_PER_USER);
+      this.logger.debug('Session cleanup completed');
+    } catch (err) {
+      this.logger.error('Session cleanup failed', err);
+    }
+  }
+
+  async createSessionAndToken(user: User): Promise<string> {
+    const auditContext = this.cls.get<AuditContext>(AUDIT_CONTEXT_KEY);
+    const ipAddress = auditContext?.ipAddress ?? null;
+    const userAgent = auditContext?.userAgent ?? null;
+
+    const deviceName = this.parseDeviceName(userAgent);
+    const expiresAt = this.environmentService.getCookieExpiresIn();
+
+    const session = await this.userSessionRepo.insertSession({
+      userId: user.id,
+      workspaceId: user.workspaceId,
+      deviceName,
+      ipAddress,
+      expiresAt,
+    });
+
+    return this.tokenService.generateAccessToken(user, session.id);
+  }
+
+  async getActiveSessions(
+    userId: string,
+    workspaceId: string,
+    currentSessionId: string | null,
+  ) {
+    const sessions = await this.userSessionRepo.findActiveByUser(
+      userId,
+      workspaceId,
+    );
+
+    const mapped = sessions.map((s) => ({
+      id: s.id,
+      deviceName: s.deviceName,
+      geoLocation: s.geoLocation,
+      lastActiveAt: s.lastActiveAt,
+      createdAt: s.createdAt,
+      isCurrentDevice: s.id === currentSessionId,
+    }));
+
+    return mapped.sort((a, b) => {
+      if (a.isCurrentDevice) return -1;
+      if (b.isCurrentDevice) return 1;
+      return 0;
+    });
+  }
+
+  async revokeSession(
+    sessionId: string,
+    userId: string,
+    workspaceId: string,
+  ): Promise<void> {
+    await this.userSessionRepo.revokeById(sessionId, userId, workspaceId);
+  }
+
+  async revokeAllOtherSessions(
+    currentSessionId: string,
+    userId: string,
+    workspaceId: string,
+  ): Promise<void> {
+    await this.userSessionRepo.revokeAllExceptCurrent(
+      currentSessionId,
+      userId,
+      workspaceId,
+    );
+  }
+
+  private parseDeviceName(userAgent: string | null): string | null {
+    if (!userAgent) return null;
+
+    try {
+      const parsed = Bowser.parse(userAgent);
+
+      const os = parsed.os?.name;
+      const browser = parsed.browser?.name;
+      const platformType = parsed.platform?.type;
+
+      if (platformType === 'mobile' || platformType === 'tablet') {
+        return parsed.platform?.model || os || 'Mobile Device';
+      }
+
+      if (os) {
+        return browser ? `${browser} on ${os}` : os;
+      }
+
+      return browser || null;
+    } catch {
+      return null;
+    }
+  }
+}

apps/server/src/core/space/dto/update-space.dto.ts

@@ -11,4 +11,8 @@ export class UpdateSpaceDto extends PartialType(CreateSpaceDto) {
   @IsOptional()
   @IsBoolean()
   disablePublicSharing: boolean;
+
+  @IsOptional()
+  @IsBoolean()
+  allowViewerComments: boolean;
 }

apps/server/src/core/space/services/space.service.ts

@@ -13,6 +13,7 @@ import { Space, User } from '@docmost/db/types/entity.types';
 import { UpdateSpaceDto } from '../dto/update-space.dto';
 import { executeTx } from '@docmost/db/utils';
 import { InjectKysely } from 'nestjs-kysely';
+import { Feature } from '../../../common/features';
 import { SpaceMemberService } from './space-member.service';
 import { SpaceRole } from '../../../common/helpers/types/permission';
 import { QueueJob, QueueName } from 'src/integrations/queue/constants';
@@ -133,17 +134,34 @@ export class SpaceService {
       }
     }
 
-    if (typeof updateSpaceDto.disablePublicSharing !== 'undefined') {
+    if (
+      typeof updateSpaceDto.disablePublicSharing !== 'undefined' ||
+      typeof updateSpaceDto.allowViewerComments !== 'undefined'
+    ) {
       const workspace = await this.workspaceRepo.findById(workspaceId, {
         withLicenseKey: true,
       });
 
       if (
-        !this.licenseCheckService.hasFeature(workspace.licenseKey, 'security:settings', workspace.plan)
+        typeof updateSpaceDto.disablePublicSharing !== 'undefined' &&
+        !this.licenseCheckService.hasFeature(
+          workspace.licenseKey,
+          Feature.SECURITY_SETTINGS,
+          workspace.plan,
+        )
       ) {
-        throw new ForbiddenException(
-          'This feature requires a valid license',
-        );
+        throw new ForbiddenException('This feature requires a valid license');
+      }
+
+      if (
+        typeof updateSpaceDto.allowViewerComments !== 'undefined' &&
+        !this.licenseCheckService.hasFeature(
+          workspace.licenseKey,
+          Feature.VIEWER_COMMENTS,
+          workspace.plan,
+        )
+      ) {
+        throw new ForbiddenException('This feature requires a valid license');
       }
     }
 
@@ -179,6 +197,22 @@ export class SpaceService {
         }
       }
 
+      if (typeof updateSpaceDto.allowViewerComments !== 'undefined') {
+        const prev = settingsBefore?.comments?.allowViewerComments ?? false;
+        if (prev !== updateSpaceDto.allowViewerComments) {
+          before.allowViewerComments = prev;
+          after.allowViewerComments = updateSpaceDto.allowViewerComments;
+        }
+
+        await this.spaceRepo.updateCommentSettings(
+          updateSpaceDto.spaceId,
+          workspaceId,
+          'allowViewerComments',
+          updateSpaceDto.allowViewerComments,
+          trx,
+        );
+      }
+
       updatedSpace = await this.spaceRepo.updateSpace(
         {
           name: updateSpaceDto.name,

apps/server/src/core/workspace/dto/update-workspace-user-role.dto.ts

@@ -1,4 +1,5 @@
-import { IsNotEmpty, IsString, IsUUID } from 'class-validator';
+import { IsEnum, IsNotEmpty, IsUUID } from 'class-validator';
+import { UserRole } from '../../../common/helpers/types/permission';
 
 export class UpdateWorkspaceUserRoleDto {
   @IsNotEmpty()
@@ -6,6 +7,6 @@ export class UpdateWorkspaceUserRoleDto {
   userId: string;
 
   @IsNotEmpty()
-  @IsString()
+  @IsEnum(UserRole)
   role: string;
 }

apps/server/src/core/workspace/services/workspace-invitation.service.ts

@@ -22,6 +22,7 @@ import InvitationEmail from '@docmost/transactional/emails/invitation-email';
 import { GroupUserRepo } from '@docmost/db/repos/group/group-user.repo';
 import InvitationAcceptedEmail from '@docmost/transactional/emails/invitation-accepted-email';
 import { TokenService } from '../../auth/services/token.service';
+import { SessionService } from '../../session/session.service';
 import { nanoIdGen } from '../../../common/helpers';
 import { PaginationOptions } from '@docmost/db/pagination/pagination-options';
 import { executeWithCursorPagination } from '@docmost/db/pagination/cursor-pagination';
@@ -49,6 +50,7 @@ export class WorkspaceInvitationService {
     private mailService: MailService,
     private domainService: DomainService,
     private tokenService: TokenService,
+    private sessionService: SessionService,
     @InjectKysely() private readonly db: KyselyDB,
     @InjectQueue(QueueName.BILLING_QUEUE) private billingQueue: Queue,
     private readonly environmentService: EnvironmentService,
@@ -350,7 +352,7 @@ export class WorkspaceInvitationService {
       };
     }
 
-    const authToken = await this.tokenService.generateAccessToken(newUser);
+    const authToken = await this.sessionService.createSessionAndToken(newUser);
     return { authToken };
   }
 

apps/server/src/core/workspace/services/workspace.service.ts

@@ -7,6 +7,7 @@ import {
   NotFoundException,
 } from '@nestjs/common';
 import { LicenseCheckService } from '../../../integrations/environment/license-check.service';
+import { UserSessionRepo } from '@docmost/db/repos/session/user-session.repo';
 import { CreateWorkspaceDto } from '../dto/create-workspace.dto';
 import { UpdateWorkspaceDto } from '../dto/update-workspace.dto';
 import { SpaceService } from '../../space/services/space.service';
@@ -17,6 +18,7 @@ import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
 import { KyselyDB, KyselyTransaction } from '@docmost/db/types/kysely.types';
 import { executeTx } from '@docmost/db/utils';
 import { InjectKysely } from 'nestjs-kysely';
+import { Feature } from '../../../common/features';
 import { User } from '@docmost/db/types/entity.types';
 import { GroupUserRepo } from '@docmost/db/repos/group/group-user.repo';
 import { GroupRepo } from '@docmost/db/repos/group/group.repo';
@@ -67,6 +69,7 @@ export class WorkspaceService {
     @InjectQueue(QueueName.BILLING_QUEUE) private billingQueue: Queue,
     @InjectQueue(QueueName.AI_QUEUE) private aiQueue: Queue,
     @Inject(AUDIT_SERVICE) private readonly auditService: IAuditService,
+    private userSessionRepo: UserSessionRepo,
   ) {}
 
   async findById(workspaceId: string) {
@@ -350,7 +353,7 @@ export class WorkspaceService {
         typeof updateWorkspaceDto.trashRetentionDays !== 'undefined' ||
         typeof updateWorkspaceDto.restrictApiToAdmins !== 'undefined'
       ) {
-        if (!this.licenseCheckService.hasFeature(ws.licenseKey, 'security:settings', ws.plan)) {
+        if (!this.licenseCheckService.hasFeature(ws.licenseKey, Feature.SECURITY_SETTINGS, ws.plan)) {
           throw new ForbiddenException(
             'This feature requires a valid license',
           );
@@ -667,11 +670,15 @@ export class WorkspaceService {
       }
     }
 
-    await this.userRepo.updateUser(
-      { deactivatedAt: new Date() },
-      userId,
-      workspaceId,
-    );
+    await executeTx(this.db, async (trx) => {
+      await this.userRepo.updateUser(
+        { deactivatedAt: new Date() },
+        userId,
+        workspaceId,
+        trx,
+      );
+      await this.userSessionRepo.revokeByUserId(userId, workspaceId, trx);
+    });
 
     this.auditService.log({
       event: AuditEvent.USER_DEACTIVATED,
@@ -785,6 +792,8 @@ export class WorkspaceService {
       await this.watcherRepo.deleteByUserAndWorkspace(userId, workspaceId, {
         trx,
       });
+
+      await this.userSessionRepo.revokeByUserId(userId, workspaceId, trx);
     });
 
     this.auditService.log({

apps/server/src/database/database.module.ts

@@ -17,6 +17,7 @@ import { KyselyDB } from '@docmost/db/types/kysely.types';
 import * as process from 'node:process';
 import { MigrationService } from '@docmost/db/services/migration.service';
 import { UserTokenRepo } from './repos/user-token/user-token.repo';
+import { UserSessionRepo } from '@docmost/db/repos/session/user-session.repo';
 import { BacklinkRepo } from '@docmost/db/repos/backlink/backlink.repo';
 import { ShareRepo } from '@docmost/db/repos/share/share.repo';
 import { NotificationRepo } from '@docmost/db/repos/notification/notification.repo';
@@ -76,6 +77,7 @@ import { normalizePostgresUrl } from '../common/helpers';
     CommentRepo,
     AttachmentRepo,
     UserTokenRepo,
+    UserSessionRepo,
     BacklinkRepo,
     ShareRepo,
     NotificationRepo,
@@ -95,6 +97,7 @@ import { normalizePostgresUrl } from '../common/helpers';
     CommentRepo,
     AttachmentRepo,
     UserTokenRepo,
+    UserSessionRepo,
     BacklinkRepo,
     ShareRepo,
     NotificationRepo,

apps/server/src/database/migrations/20260326T121350-user-sessions.ts

@@ -0,0 +1,45 @@
+import { Kysely, sql } from 'kysely';
+
+export async function up(db: Kysely<any>): Promise<void> {
+  await db.schema
+    .createTable('user_sessions')
+    .addColumn('id', 'uuid', (col) =>
+      col.primaryKey().defaultTo(sql`gen_uuid_v7()`),
+    )
+    .addColumn('user_id', 'uuid', (col) =>
+      col.notNull().references('users.id').onDelete('cascade'),
+    )
+    .addColumn('workspace_id', 'uuid', (col) =>
+      col.notNull().references('workspaces.id').onDelete('cascade'),
+    )
+    .addColumn('device_name', 'varchar')
+    .addColumn('user_agent', 'text')
+    .addColumn('ip_address', sql`inet`)
+    .addColumn('geo_location', 'varchar')
+    .addColumn('last_active_at', 'timestamptz', (col) =>
+      col.notNull().defaultTo(sql`now()`),
+    )
+    .addColumn('expires_at', 'timestamptz', (col) => col.notNull())
+    .addColumn('metadata', 'jsonb')
+    .addColumn('revoked_at', 'timestamptz')
+    .addColumn('created_at', 'timestamptz', (col) =>
+      col.notNull().defaultTo(sql`now()`),
+    )
+    .execute();
+
+  await sql`
+    CREATE INDEX idx_user_sessions_active
+    ON user_sessions (user_id, workspace_id, last_active_at DESC)
+    WHERE revoked_at IS NULL
+  `.execute(db);
+
+  await sql`
+    CREATE INDEX idx_user_sessions_revoked
+    ON user_sessions (expires_at)
+    WHERE revoked_at IS NOT NULL
+  `.execute(db);
+}
+
+export async function down(db: Kysely<any>): Promise<void> {
+  await db.schema.dropTable('user_sessions').execute();
+}

apps/server/src/database/repos/session/user-session.repo.ts

@@ -0,0 +1,162 @@
+import {
+  InsertableUserSession,
+  UserSession,
+} from '@docmost/db/types/entity.types';
+import { KyselyDB, KyselyTransaction } from '@docmost/db/types/kysely.types';
+import { dbOrTx } from '@docmost/db/utils';
+import { Injectable } from '@nestjs/common';
+import { InjectKysely } from 'nestjs-kysely';
+import { sql } from 'kysely';
+
+@Injectable()
+export class UserSessionRepo {
+  constructor(@InjectKysely() private readonly db: KyselyDB) {}
+
+  async insertSession(
+    session: InsertableUserSession,
+    trx?: KyselyTransaction,
+  ): Promise<UserSession> {
+    const db = dbOrTx(this.db, trx);
+    return db
+      .insertInto('userSessions')
+      .values(session)
+      .returningAll()
+      .executeTakeFirstOrThrow();
+  }
+
+  async findActiveById(id: string): Promise<UserSession | undefined> {
+    return this.db
+      .selectFrom('userSessions')
+      .selectAll()
+      .where('id', '=', id)
+      .where('expiresAt', '>', new Date())
+      .where('revokedAt', 'is', null)
+      .executeTakeFirst();
+  }
+
+  async findActiveByUser(
+    userId: string,
+    workspaceId: string,
+  ): Promise<UserSession[]> {
+    return this.db
+      .selectFrom('userSessions')
+      .selectAll()
+      .where('userId', '=', userId)
+      .where('workspaceId', '=', workspaceId)
+      .where('expiresAt', '>', new Date())
+      .where('revokedAt', 'is', null)
+      .orderBy('lastActiveAt', 'desc')
+      .execute();
+  }
+
+  async updateLastActiveAt(id: string): Promise<void> {
+    await this.db
+      .updateTable('userSessions')
+      .set({ lastActiveAt: new Date() })
+      .where('id', '=', id)
+      .execute();
+  }
+
+  async revokeById(
+    id: string,
+    userId: string,
+    workspaceId: string,
+  ): Promise<void> {
+    await this.db
+      .updateTable('userSessions')
+      .set({ revokedAt: new Date() })
+      .where('id', '=', id)
+      .where('userId', '=', userId)
+      .where('workspaceId', '=', workspaceId)
+      .where('revokedAt', 'is', null)
+      .execute();
+  }
+
+  async revokeAllExceptCurrent(
+    currentSessionId: string,
+    userId: string,
+    workspaceId: string,
+  ): Promise<void> {
+    await this.db
+      .updateTable('userSessions')
+      .set({ revokedAt: new Date() })
+      .where('userId', '=', userId)
+      .where('workspaceId', '=', workspaceId)
+      .where('id', '!=', currentSessionId)
+      .where('revokedAt', 'is', null)
+      .execute();
+  }
+
+  async revokeByUserId(
+    userId: string,
+    workspaceId: string,
+    trx?: KyselyTransaction,
+  ): Promise<void> {
+    const db = dbOrTx(this.db, trx);
+    await db
+      .updateTable('userSessions')
+      .set({ revokedAt: new Date() })
+      .where('userId', '=', userId)
+      .where('workspaceId', '=', workspaceId)
+      .where('revokedAt', 'is', null)
+      .execute();
+  }
+
+  async deleteByUserId(
+    userId: string,
+    workspaceId: string,
+  ): Promise<void> {
+    await this.db
+      .deleteFrom('userSessions')
+      .where('userId', '=', userId)
+      .where('workspaceId', '=', workspaceId)
+      .execute();
+  }
+
+  async deleteAllExceptCurrent(
+    currentSessionId: string,
+    userId: string,
+    workspaceId: string,
+  ): Promise<void> {
+    await this.db
+      .deleteFrom('userSessions')
+      .where('userId', '=', userId)
+      .where('workspaceId', '=', workspaceId)
+      .where('id', '!=', currentSessionId)
+      .execute();
+  }
+
+  async deleteStale(retentionDays: number): Promise<void> {
+    const cutoff = new Date(Date.now() - retentionDays * 24 * 60 * 60 * 1000);
+    await this.db
+      .deleteFrom('userSessions')
+      .where((eb) =>
+        eb.or([
+          eb('revokedAt', '<', cutoff),
+          eb('expiresAt', '<', cutoff),
+        ]),
+      )
+      .execute();
+  }
+
+  async trimExcessSessions(maxPerUser: number): Promise<void> {
+    const overflowed = await this.db
+      .selectFrom('userSessions')
+      .select(['userId', 'workspaceId'])
+      .groupBy(['userId', 'workspaceId'])
+      .having(sql`COUNT(*)`, '>', maxPerUser)
+      .execute();
+
+    for (const { userId, workspaceId } of overflowed) {
+      await sql`
+        DELETE FROM user_sessions
+        WHERE id IN (
+          SELECT id FROM user_sessions
+          WHERE user_id = ${userId} AND workspace_id = ${workspaceId}
+          ORDER BY last_active_at DESC
+          OFFSET ${maxPerUser}
+        )
+      `.execute(this.db);
+    }
+  }
+}

apps/server/src/database/repos/space/space.repo.ts

@@ -111,6 +111,28 @@ export class SpaceRepo {
       .executeTakeFirst();
   }
 
+  async updateCommentSettings(
+    spaceId: string,
+    workspaceId: string,
+    prefKey: string,
+    prefValue: string | boolean,
+    trx?: KyselyTransaction,
+  ) {
+    const db = dbOrTx(this.db, trx);
+    return db
+      .updateTable('spaces')
+      .set({
+        settings: sql`COALESCE(settings, '{}'::jsonb)
+          || jsonb_build_object('comments', COALESCE(settings->'comments', '{}'::jsonb)
+          || jsonb_build_object('${sql.raw(prefKey)}', ${sql.lit(prefValue)}))`,
+        updatedAt: new Date(),
+      })
+      .where('id', '=', spaceId)
+      .where('workspaceId', '=', workspaceId)
+      .returningAll()
+      .executeTakeFirst();
+  }
+
   async insertSpace(
     insertableSpace: InsertableSpace,
     trx?: KyselyTransaction,

apps/server/src/database/types/db.d.ts

@@ -429,6 +429,21 @@ export interface PagePermissions {
   updatedAt: Generated<Timestamp>;
 }
 
+export interface UserSessions {
+  id: Generated<string>;
+  userId: string;
+  workspaceId: string;
+  deviceName: string | null;
+  userAgent: string | null;
+  ipAddress: string | null;
+  geoLocation: string | null;
+  metadata: Json | null;
+  lastActiveAt: Generated<Timestamp>;
+  expiresAt: Timestamp;
+  revokedAt: Timestamp | null;
+  createdAt: Generated<Timestamp>;
+}
+
 export interface DB {
   apiKeys: ApiKeys;
   attachments: Attachments;
@@ -451,6 +466,7 @@ export interface DB {
   spaces: Spaces;
   userMfa: UserMfa;
   users: Users;
+  userSessions: UserSessions;
   userTokens: UserTokens;
   watchers: Watchers;
   workspaceInvitations: WorkspaceInvitations;

apps/server/src/database/types/entity.types.ts

@@ -22,6 +22,7 @@ import {
   Shares,
   FileTasks,
   UserMfa as _UserMFA,
+  UserSessions,
   ApiKeys,
   Watchers,
   Audit as _Audit,
@@ -157,6 +158,11 @@ export type PagePermission = Selectable<_PagePermissions>;
 export type InsertablePagePermission = Insertable<_PagePermissions>;
 export type UpdatablePagePermission = Updateable<Omit<_PagePermissions, 'id'>>;
 
+// User Session
+export type UserSession = Selectable<UserSessions>;
+export type InsertableUserSession = Insertable<UserSessions>;
+export type UpdatableUserSession = Updateable<Omit<UserSessions, 'id'>>;
+
 // Audit
 export type Audit = Selectable<_Audit>;
 export type InsertableAudit = Insertable<_Audit>;

apps/server/src/integrations/export/export.service.ts

@@ -28,8 +28,7 @@ import { PageRepo } from '@docmost/db/repos/page/page.repo';
 import { PagePermissionRepo } from '@docmost/db/repos/page/page-permission.repo';
 import { Node } from '@tiptap/pm/model';
 import { EditorState } from '@tiptap/pm/state';
-// eslint-disable-next-line @typescript-eslint/no-require-imports
-import slugify = require('@sindresorhus/slugify');
+import slugify from '@sindresorhus/slugify';
 // eslint-disable-next-line @typescript-eslint/no-require-imports
 const packageJson = require('../../../package.json');
 import { EnvironmentService } from '../environment/environment.service';

apps/server/src/integrations/import/utils/import-formatter.ts

@@ -4,8 +4,7 @@ import * as path from 'path';
 import { v7 } from 'uuid';
 import { InsertableBacklink } from '@docmost/db/types/entity.types';
 import { Cheerio, CheerioAPI, load } from 'cheerio';
-// eslint-disable-next-line @typescript-eslint/no-require-imports
-import slugify = require('@sindresorhus/slugify');
+import slugify from '@sindresorhus/slugify';
 
 // Check if text contains Unicode characters (for emojis/icons)
 function isUnicodeCharacter(text: string): boolean {

apps/server/src/integrations/static/static.module.ts

@@ -71,7 +71,10 @@ export class StaticModule implements OnModuleInit {
 
       app.get(RENDER_PATH, (req: any, res: any) => {
         const stream = fs.createReadStream(indexFilePath);
-        res.type('text/html').send(stream);
+        res
+          .header('Cache-Control', 'no-cache, no-store, must-revalidate')
+          .type('text/html')
+          .send(stream);
       });
     }
   }

apps/server/src/ws/ws.gateway.ts

@@ -65,12 +65,10 @@ export class WsGateway
   async handleMessage(client: Socket, data: any): Promise<void> {
     if (this.wsService.isTreeEvent(data)) {
       await this.wsService.handleTreeEvent(client, data);
-      return;
     }
-
-    client.broadcast.emit('message', data);
   }
 
+  /*
   @SubscribeMessage('join-room')
   handleJoinRoom(client: Socket, @MessageBody() roomName: string): void {
     // if room is a space, check if user has permissions
@@ -81,6 +79,7 @@ export class WsGateway
   handleLeaveRoom(client: Socket, @MessageBody() roomName: string): void {
     client.leave(roomName);
   }
+ */
 
   onModuleDestroy() {
     if (this.server) {

apps/server/src/ws/ws.service.ts

@@ -27,6 +27,15 @@ export class WsService {
   async handleTreeEvent(client: Socket, data: any): Promise<void> {
     const room = getSpaceRoomName(data.spaceId);
 
+    if (!client.rooms.has(room)) {
+      return;
+    }
+
+    if (data.operation === 'refetchRootTreeNodeEvent') {
+      client.broadcast.to(room).emit('message', data);
+      return;
+    }
+
     const hasRestrictions = await this.spaceHasRestrictions(data.spaceId);
     if (!hasRestrictions) {
       client.broadcast.to(room).emit('message', data);

apps/server/src/ws/ws.utils.ts

@@ -14,4 +14,5 @@ export const TREE_EVENTS = new Set([
   'addTreeNode',
   'moveTreeNode',
   'deleteTreeNode',
+  'refetchRootTreeNodeEvent',
 ]);

nx.json

@@ -17,5 +17,6 @@
   },
   "affected": {
     "defaultBase": "main"
-  }
-}
+  },
+  "analytics": false
+}

package.json

@@ -19,73 +19,71 @@
     "clean": "rm -rf apps/*/dist packages/*/dist apps/client/node_modules/.vite"
   },
   "dependencies": {
-    "@braintree/sanitize-url": "^7.1.0",
+    "@braintree/sanitize-url": "^7.1.2",
     "@casl/ability": "6.8.0",
     "@docmost/editor-ext": "workspace:*",
     "@floating-ui/dom": "^1.7.3",
     "@hocuspocus/provider": "3.4.4",
     "@hocuspocus/server": "3.4.4",
     "@hocuspocus/transformer": "3.4.4",
-    "@joplin/turndown": "^4.0.74",
-    "@joplin/turndown-plugin-gfm": "^1.0.56",
-    "@sindresorhus/slugify": "1.1.0",
-    "@tiptap/core": "3.17.1",
-    "@tiptap/extension-code-block": "3.17.1",
-    "@tiptap/extension-collaboration": "3.17.1",
-    "@tiptap/extension-collaboration-caret": "3.17.1",
-    "@tiptap/extension-color": "3.17.1",
-    "@tiptap/extension-document": "3.17.1",
-    "@tiptap/extension-heading": "3.17.1",
-    "@tiptap/extension-highlight": "3.17.1",
-    "@tiptap/extension-history": "3.17.1",
-    "@tiptap/extension-image": "3.17.1",
-    "@tiptap/extension-link": "3.17.1",
-    "@tiptap/extension-list": "3.17.1",
-    "@tiptap/extension-placeholder": "3.17.1",
-    "@tiptap/extension-subscript": "3.17.1",
-    "@tiptap/extension-superscript": "3.17.1",
-    "@tiptap/extension-table": "3.17.1",
-    "@tiptap/extension-text": "3.17.1",
-    "@tiptap/extension-text-align": "3.17.1",
-    "@tiptap/extension-text-style": "3.17.1",
-    "@tiptap/extension-typography": "3.17.1",
-    "@tiptap/extension-unique-id": "^3.17.1",
-    "@tiptap/extension-youtube": "3.17.1",
-    "@tiptap/html": "3.17.1",
-    "@tiptap/pm": "3.17.1",
-    "@tiptap/react": "3.17.1",
-    "@tiptap/starter-kit": "3.17.1",
-    "@tiptap/suggestion": "3.17.1",
-    "@tiptap/y-tiptap": "^3.0.2",
-    "@types/qrcode": "^1.5.5",
+    "@joplin/turndown": "^4.0.82",
+    "@joplin/turndown-plugin-gfm": "^1.0.64",
+    "@sindresorhus/slugify": "3.0.0",
+    "@tiptap/core": "3.20.4",
+    "@tiptap/extension-code-block": "3.20.4",
+    "@tiptap/extension-collaboration": "3.20.4",
+    "@tiptap/extension-collaboration-caret": "3.20.4",
+    "@tiptap/extension-color": "3.20.4",
+    "@tiptap/extension-document": "3.20.4",
+    "@tiptap/extension-heading": "3.20.4",
+    "@tiptap/extension-highlight": "3.20.4",
+    "@tiptap/extension-history": "3.20.4",
+    "@tiptap/extension-image": "3.20.4",
+    "@tiptap/extension-link": "3.20.4",
+    "@tiptap/extension-list": "3.20.4",
+    "@tiptap/extension-placeholder": "3.20.4",
+    "@tiptap/extension-subscript": "3.20.4",
+    "@tiptap/extension-superscript": "3.20.4",
+    "@tiptap/extension-table": "3.20.4",
+    "@tiptap/extension-text": "3.20.4",
+    "@tiptap/extension-text-align": "3.20.4",
+    "@tiptap/extension-text-style": "3.20.4",
+    "@tiptap/extension-typography": "3.20.4",
+    "@tiptap/extension-unique-id": "3.20.4",
+    "@tiptap/extension-youtube": "3.20.4",
+    "@tiptap/html": "3.20.4",
+    "@tiptap/pm": "3.20.4",
+    "@tiptap/react": "3.20.4",
+    "@tiptap/starter-kit": "3.20.4",
+    "@tiptap/suggestion": "3.20.4",
+    "@tiptap/y-tiptap": "3.0.2",
     "bytes": "^3.1.2",
-    "cross-env": "^7.0.3",
+    "cross-env": "^10.1.0",
     "date-fns": "^4.1.0",
     "diff": "8.0.3",
     "dompurify": "^3.3.3",
     "fractional-indexing-jittered": "^1.0.0",
     "highlight.js": "^11.11.1",
     "image-dimensions": "^2.5.0",
-    "ioredis": "^5.4.1",
     "jszip": "^3.10.1",
     "linkifyjs": "^4.3.2",
-    "marked": "13.0.3",
+    "marked": "17.0.5",
     "ms": "3.0.0-canary.1",
     "qrcode": "^1.5.4",
-    "rfc6902": "5.1.2",
-    "uuid": "^11.1.0",
+    "rfc6902": "5.2.0",
+    "uuid": "^13.0.0",
     "y-indexeddb": "^9.0.12",
     "y-prosemirror": "1.3.7",
-    "yjs": "^13.6.29"
+    "yjs": "^13.6.30"
   },
   "devDependencies": {
-    "@nx/js": "22.5.3",
+    "@nx/js": "22.6.1",
     "@types/bytes": "^3.1.5",
+    "@types/qrcode": "^1.5.6",
     "@types/turndown": "^5.0.6",
-    "@types/uuid": "^10.0.0",
-    "concurrently": "^9.1.2",
-    "nx": "22.5.3",
-    "tsx": "^4.19.3"
+    "concurrently": "^9.2.1",
+    "nx": "22.6.1",
+    "tsx": "^4.21.0"
   },
   "workspaces": {
     "packages": [
@@ -100,28 +98,33 @@
       "@tiptap/core": "patches/@tiptap__core.patch"
     },
     "overrides": {
-      "jsdom": "25.0.1",
-      "jsonwebtoken": "9.0.3",
-      "prosemirror-changeset": "2.3.1",
+      "prosemirror-changeset": "2.4.0",
       "y-prosemirror": "1.3.7",
-      "qs": "6.14.2",
-      "glob": "10.5.0",
-      "lodash": "4.17.23",
+      "glob": "13.0.6",
       "ws": "8.19.0",
-      "cross-spawn": "7.0.5",
       "dompurify": "3.3.3",
       "tmp": "0.2.5",
+      "hono": "4.12.8",
+      "mermaid": "11.13.0",
+      "nanoid@^3": "3.3.8",
+      "socket.io-parser": "4.2.6",
+      "serialize-javascript": "7.0.3",
       "lodash-es": "4.17.23",
-      "markdown-it": "14.1.1",
-      "@tiptap/core": "3.17.1",
-      "@tiptap/pm": "3.17.1",
-      "@tiptap/starter-kit": "3.17.1",
-      "@tiptap/extension-blockquote": "3.17.1",
-      "@tiptap/extension-bold": "3.17.0",
-      "@tiptap/extension-bubble-menu": "3.17.1",
-      "@tiptap/extension-bullet-list": "3.17.1",
-      "@tiptap/extension-list": "3.17.1",
-      "@tiptap/extension-code": "3.17.1"
+      "@hono/node-server": "1.19.10",
+      "undici": "7.24.0",
+      "ajv@^6": "6.14.0",
+      "ajv@^8": "8.18.0",
+      "underscore": "1.13.8",
+      "immutable": "4.3.8",
+      "express-rate-limit": "8.2.2",
+      "minimatch@^3": "3.1.5",
+      "minimatch@^5": "5.1.8",
+      "flatted": "3.4.2",
+      "picomatch@<2.3.2": "2.3.2",
+      "picomatch@>=4.0.0 <4.0.4": "4.0.4",
+      "fastify": "5.8.3",
+      "yaml@>=1.0.0 <1.10.3": "1.10.3",
+      "yaml@>=2.0.0 <2.8.3": "2.8.3"
     },
     "neverBuiltDependencies": []
   }

packages/editor-ext/src/lib/attachment/attachment.ts

@@ -1,5 +1,6 @@
 import { Node, mergeAttributes } from "@tiptap/core";
 import { ReactNodeViewRenderer } from "@tiptap/react";
+import { sanitizeUrl } from "../utils";
 
 export interface AttachmentOptions {
   HTMLAttributes: Record<string, any>;
@@ -42,9 +43,12 @@ export const Attachment = Node.create<AttachmentOptions>({
     return {
       url: {
         default: "",
-        parseHTML: (element) => element.getAttribute("data-attachment-url"),
+        parseHTML: (element) => {
+          const url = element.getAttribute("data-attachment-url");
+          return sanitizeUrl(url);
+        },
         renderHTML: (attributes) => ({
-          "data-attachment-url": attributes.url,
+          "data-attachment-url": sanitizeUrl(attributes.url),
         }),
       },
       name: {
@@ -101,7 +105,7 @@ export const Attachment = Node.create<AttachmentOptions>({
       [
         "a",
         {
-          href: HTMLAttributes["data-attachment-url"],
+          href: sanitizeUrl(HTMLAttributes["data-attachment-url"]),
           class: "attachment",
           target: "blank",
         },