Change Log

New feature

• Event Stream now records every create / update / delete made through the v2 API, matching the coverage already in place for admin-UI actions.
• Add POST /crm/api/v2/custom-fields/contacts endpoint.
• Add POST /crm/api/v2/custom-fields/companies endpoint.
• v2 Activity responses now expose created_by (set once at creation, immutable on edit) alongside last_updated_by, so the original creator stays visible after the activity has been edited.

Security

• Upgrade axios to ^1.16.0 to pick up upstream security patches; admin UI now handles 401 responses cleanly without throwing.
• Admin sessions opened via 2FA or SSO now respect the configured platform session timeout.
• Breaking — v2 API authentication failures now return an inline 401 JSON response ({"error":"unauthorized"}) on the original URL across all HTTP methods. Previously the response was a 302 redirect to the login page; clients that followed the redirect must update to handle the 401 directly.

Breaking changes

• v2 action endpoints (archive / restore / complete / open on contacts, companies, tasks) switched from PATCH to POST. PATCH on these URLs now returns 405. API clients must update to POST.
• v2 DELETE endpoints now return 204 No Content (was 200 with body). DELETE against a missing resource returns 404 with a documented JSON body, and against a structurally invalid uuid returns 400 with a clean JSON body.
• Custom-fields create error response key changed from errors (array) to singular error (string). Clients that parse the errors array on this endpoint must switch to error.

Improvements

• CRM address autocomplete migrated to the new Google Places API (PlaceAutocompleteElement), keeping the feature working as Google retires the legacy widget.
• Settings → Instance Configuration: the page no longer flashes a "Failed to fetch Instance Configuration Details" error during the backend's reconnect heartbeat, and now connects through the production WebSocket endpoint.
• v2 API documentation refreshed across the board to match the v5.14.1 contract — HTTP methods, URL bases, request/response examples, body-field tables, and field-mapping notes have all been corrected and aligned with what the API actually returns.

Bug fixes

• Fix broken redirects when the configured old_url contained a leading slash (was producing double-slash URLs).
• Fix table pagination crash on CRM Tasks, CRM Activities, Tasks List, and Dashboard when loading a page.
• Task detail panel and edit drawer now reflect changes immediately after saving an edit, without needing a page reload.
• Partial PATCH on /v2/contacts/{uuid} now preserves every untouched property — previously, sending only the field you wanted to change could either return a 400 error or null out the rest of the contact.
• Fix task edit drawer showing the wrong due date for tasks that already had one stored.
• Partial PATCH on /v2/tasks/{uuid} and /v2/tasks/comments/{uuid} no longer returns 400 when the request body omits a field; untouched properties are preserved, matching the contacts behaviour.

New Features

• Move Import Tickets from All Events page to Tickets page.
• Add additional fields to Advanced Filter for Tickets.
• Add link to CRM records on Ticket Details drawer.
• Add Event Name to Tickets export and fix import header mismatch.
• Render Events list date columns in device-local time.
• Show selected timezone on date field labels; update API doc descriptions.
• Sort display field options alphabetically by default.

Improvements

• Update v2 API update endpoints from PUT to PATCH.
• Remove event_uuid from Add Event Tickets example payload; move to controller_payload.
• Regenerate ticket PDF on contact assignment; add loading toast on View PDF.
• Update Sponsors list card layout to group company and sponsorship details.
• Load venue contacts from live venue record when editing event.
• Style circular avatar image on Sponsors and Speakers info cards; add initials fallback.
• Refine sponsor link layout, hit area, and ellipsis truncation.
• Update sponsor card company name and top-alignment styles.
• Update sponsor card link, separator, computation wrapper, and button alignment styles.
• Apply sponsor card styling to Speaker list cards.
• Centre-align Speakers card content and set inner gap.
• Venue contact card: hover/remove action, compact treatment, and button alignment.
• Fix venue contacts card on Event Venue tab.
• Fix duplicate contact re-selection in Assign Contact drawer.
• Enforce required fields on Events, Speakers, and Sponsors PATCH mutations.
• Enforce required fields on Tickets PATCH.
• Enforce question and answer as required on FAQs PATCH.
• Update delete confirmation modal content for tickets.
• Rename area card buttons; update delete confirmation modal for venues.
• Update delete confirmation modal content for system fields.
• Simplify delete pricing tier confirmation dialog text.
• Update division and pricing tier card action button labels.

Bug Fixes

• Fix sponsor link click opening edit drawer.
• Fix group ticket PDF empty content when created via API.
• Fix custom field time/datetime inputs to follow localization time format.
• Fix expense API docs showing incorrect required state for fields.
• Revert System Fields update endpoints from PATCH to PUT.
• Fix filter chips showing UUIDs for Purchased By Contact and Company fields.
• Fix failed to fetch data when filtering by Purchased By Contact/Company.
• Fix Category advanced filter showing invalid text conditions.
• Roll back Tax fields to conditional required and fix Tax* (%) label.
• Fix advanced filter chips not displaying dates using localization settings.
• Fix drawer delete not working on add event ticket list.
• Fix group ticket capacity error handling and drawer delete.
• Fix image upload failing on mobile.
• Fix date format in ticket PDF templates using day instead of month.
• Fix Company label in ticket contact details info table.
• Fix CRM Contact not prefilled when editing a speaker.
• Fix gross/net/tax calculation for expense and revenue fields in Events table.
• Fix page heading gross/net/tax totals and tax column display.
• Fix delete confirmation modals and wrong item deletion bugs.
• Fix ticket delete/PDF bulk action modal titles and button labels.
• Fix event date input/display timezone interpretation.

Improvement

• Faster related_records: Reduced object allocations in related_records, improving performance up to 4x.

• Asset cache invalidation now per-instance: Changed the internal implementation of cache invalidation for assets. The updated=... query parameter appended by the asset_url (and asset_path) filter is now derived from a per-instance assets_updated_at timestamp that is bumped whenever assets change, instead of being derived per asset. This means all asset URLs are invalidated together when any asset is updated, ensuring CDN caches stay consistent.

• Batched page loading on deploy: Pages are now loaded in batches during deploy, providing better support for very large deploys - particularly those containing pages generated by Static Site Generators (SSG).

• Faster Instance Clone asset dump: The asset manifest step of pos-cli clone is significantly faster, reducing the time spent in the export phase of cloning instances with large numbers of assets.

• InstanceClone clone-record status on export failure: Previously, InstanceClone could leave the target instance's clone record in pending indefinitely when export failed (for example due to an oversized file). Failures are now surfaced cleanly as a terminal failed status with a sanitized error message, so pos-cli polling resolves instead of hanging.

New Feature

• cache_control argument for admin_assets_create and admin_asset_update mutations: When provided, the value (for example max-age=31536000, public) is stored in the asset's metadata and applied as the Cache-Control header on the underlying object in the file storage provider (S3, R2, etc.), allowing CDNs and browsers to cache assets according to your policy.

• authorization_policies argument for admin_page_create and admin_page_update mutations: Authorization policies can now be associated with a page by name (the same identifier used in Liquid frontmatter, e.g. page_policy or modules/my_module/page_policy), in addition to the existing authorization_policy_ids. Names and ids can be combined; all provided names must resolve to existing AuthorizationPolicy records.

Deprecation

• Deprecated url argument in admin_assets_create: Asset URLs are now derived from the asset name and the per-instance CDN, so the argument is ignored. Upload bytes via admin_assets_presign_urls first, then call admin_assets_create without the url argument. The argument will be removed in a future release.

New Features

• Per-endpoint Markdown documentation, designed for use with AI assistants. Each endpoint can now be exported as a clean Markdown snippet containing the cURL and Controller request examples, parameter list, response shape, and object reference.
• "Copy for LLM" and "View as Markdown" buttons added to every endpoint — copy the endpoint's full Markdown to your clipboard, or open the raw Markdown in a new tab to share or paste into your AI tool of choice.
• Resource pages now have a sticky table of contents listing all endpoints, so you can jump between endpoints without scrolling back to the top. Responsive layout on narrower screens.
• Redesigned API documentation layout. Endpoint details on the left, live example request and response on the right — easier to scan, easier to compare an endpoint's parameters against its example output.
• Per-endpoint Markdown now includes the Controller (Liquid) example alongside the cURL example, matching what the HTML docs show.
• Search behaviour for list endpoints is now documented on the API Overview page — which fields are searchable, how search_by / keyword / exact interact, and how search combines with pagination and sort.

Improvements

• Endpoint parameters are now split into clearly-labelled Path Parameters, Body Fields, and Query Parameters sections — no more confusion about which values go in the URL versus the JSON body.
• Every endpoint now has a single canonical URL — /admin/api/<module>/<resource>#<endpoint>. Older URLs redirect there automatically so existing bookmarks and shared links keep working.
• Markdown export's Object section now matches the HTML resource reference — nested fields show with dot notation, object-type parents are typed correctly, and list-only query parameters no longer leak into the response shape.
• Sidebar navigation and dark mode now hold up cleanly across every module.
• Parent-resource path parameters (e.g. event_uuid on event sponsors, cart_uuid on cart items) now show a description instead of rendering blank.
• Body Fields in the Markdown export are cleaner on POST and PATCH endpoints — fixed duplicate rows and broken dot-notation paths on resources with object references.
• Body Fields no longer lists response-only file metadata (.file_name, .extension, .url) under upload fields. The information is still available in the resource's response Object reference where it belongs.
• Test Request panel cleaned up — the API URL preview now uses the same code-block styling as the Example Request, and the payload editor stays in sync with the URL preview.
• Overview and Module Versions pages now share consistent page spacing with the rest of the docs.
• Dark mode polish across the sticky example panel and sidebar.

Security

• Upgraded the axios HTTP client from 0.27.x (end-of-life) to 1.16.0, picking up two years of security patches and bug fixes.
• Removed the bundled jQuery 1.12.4 dependency (end-of-life since 2016, multiple unpatched vulnerabilities).

Bug Fixes

• Controller examples are now valid Liquid out of the box — placeholder values are properly quoted so copy-pasting the example works without manual edits.
• DELETE endpoint cURL examples no longer include an empty request body flag.
• Locale data cached in the browser is no longer wiped when a localisation request fails — previous translations stay loaded until a successful refresh.

Breaking Changes

• Renamed external API v2 routes from /all_assets/api/v2/... to /asset/api/v2/... for a cleaner public API surface. External integrators must update their base path.

New Features

• Added GET /asset/api/v2/credentials so external API consumers can retrieve the S3 presigned-POST credentials required by the Add Asset flow. Listed in the API documentation under a new "Assets Credentials" section.

New Feature

• @insites/logic-engine npm package — new TypeScript library that loads the rule and decision corpus, evaluates when/then decisions, renders scaffold templates, and exposes an MCP-server entry point.
• Versioned rule + decision corpus — markdown rule files plus JSON decision files for module detection, feature-pattern recognition, and scaffolding, used by the engine and by AI tooling.
• API endpoints reference — building inbound JSON endpoints under the V2 surface (api/_external/v2/<resource>/<action>.json.liquid), with auth, method, status-code, error, and pagination conventions.
• CRM controllers reference — controllers conforming to the CRM module's V2 surface using the path: front-matter alias.
• User profile types reference — schema location, GraphQL read via related_record + property accessors, write via record_create/record_update, multi-profile users.
• Payments reference — Stripe integration assembled from api_calls/, constants/, and form callback_actions. Worked Checkout Session example and webhook receiver shape.
• CRM module reference — V2 REST endpoints, custom and system fields, webhook coverage, tasks, activities, attachments, event streams, and a field-by-field schema reference.
• CMS module reference — covers 10 object types (Pages, Layouts, Partials, Web Files, Globals, Collections, Emails, SMS, Authorization Policies), file-based stance, IIA admin paths, and override patterns.
• Data module reference — V2 endpoints for user-defined databases, schema discovery, bulk-loop patterns, and an IIA configuration walkthrough.
• GraphQL profile queries — new section explaining how user_profile_types/ schemas are queried via related_record + property accessors, with multi-profile-type users called out explicitly.

Improvement

• Repository renamed insites-ai-tools → insites-logic-engine to align with the npm package identifier @insites/logic-engine. Install URLs and the GitHub repository updated; the previous URLs remain redirected for a transition period.
• README rewritten around the two deliverables shipped from this repository: skills/insites/ for AI-tool consumption (Claude Code, OpenCode, Cursor) and engine/ + logic-engine/ for programmatic tooling.
• Modules-based project layout documented as the canonical structure: modules/<name>/public/{views,forms,graphql,authorization_policies,api_calls,schema,user_profile_types,emails,migrations,assets}/. New project-structure reference covers per-directory purpose, naming conventions, and module-prefixed render/include/graphql paths.
• State changes via form callback_actions — form definitions at modules/<name>/public/forms/<name>.liquid are documented as the canonical pattern for create/update/delete operations: YAML schema for field declarations and per-field validation, a Liquid callback_actions block for GraphQL mutations and side effects. Worked update_password example covering form_set_error / form_set_field_error / form.errors.
• Pages-as-controllers rule calibrated — small page-specific markup, JSON-page bodies, and short redirect/error pages may live inline; reusable markup belongs in partials, with ~10 lines of HTML as the extract-it threshold.
• Data-fetching boundary — pages own GraphQL calls for new code; partials receive their data through render arguments.
• CLI reference rewritten against the actual insites-cli help output (see also Bug Fix below).

Bug Fix

• Authorization policy output invariant — corrected the truthy/falsy framing. Policies are not Liquid return true/false controllers; the platform compares the file's output as a string against the literal "true". Canonical examples now use single-line {%- ... -%} whitespace-trimmed Liquid that emits exactly true or false. Three concrete failure modes documented: trailing newline, returning a Liquid truthy object, and policy-name typos.
• Logic Engine corpus loading — discriminated-union schema for decision kinds so every module-detection decision is loaded and validated correctly. Added a prepack script that bundles the corpus into the published npm package, plus regex tightening on partial-resolution rules. 23/23 tests passing.
• CLI reference accuracy — the CLI command reference contained 8 inaccurate command signatures, 1 invented command, and 6 missing real commands. Rewritten against the actual insites-cli help output.
• 26 broken markdown links across the skill repaired in a single sweep. Post-fix scan: 0 broken across 812 relative links in 201 files.
• Modules install messaging — replaced misleading 'insites-cli modules install is not yet available' copy with accurate prose: modules are preinstalled per Insites instance and updated through the Insites console; there is no CLI command to install or uninstall modules.
• Install URL branch reference — install scripts pointed at master, but the repository's default branch is main. Corrected to main everywhere so install commands work.

New Features

• Real-Time Instance Creation Status
  • The instance creation process now shows live status updates as each step completes — from setting up the instance to installing each module. The instance card updates in real time (e.g. "Installing CRM / System on My Instance...") so you always know exactly what's happening. The connection automatically recovers if you lose and regain network during the process.
• Custom Date Range for Usage Charts
  • Monthly usage charts (Data Objects, Peak Storage) now include a custom date range picker. Select a specific Start Month and End Month, or use quick presets — This Year, Last Year, Last 12 Months, or Last 6 Months — to filter the chart to the period you need.

Improvements

• Localisation-Aware Date Display
  • Dates across the Console now follow your account's localisation settings, applied consistently across Module Versions, Marketplace items, the Dashboard, and other date displays.
• Relative Dates on Module Versions
  • The Module Version list now shows both the formatted publish date and a relative time label (e.g. "3 months ago", "yesterday", "today") for quicker reference.
• Mobile Filter Layout
  • Filters on the People and Marketplace pages now display as full-width rows on mobile, matching the layout used on the Instances list.
• Usage Charts Default to Last Month
  • Daily usage charts now default to showing the previous month's data instead of the current month, giving you a complete data set to start with.
• CRM / System Breakdown in Data Objects
  • The Data Objects chart now includes a per-table record count breakdown for the CRM / System module, showing exactly where your data objects are being used.
• Retry Mechanism for Module Installation
  • Module installations now automatically retry on transient failures, reducing the chance of a failed install requiring manual intervention.

Bug Fixes

• Fixed an issue where changing the date filter on daily usage charts did not update the chart.
• Fixed "Invalid Date" appearing in the module version list for users with a day-before-month date format (DD/MM/YYYY).

Improvement

• context.environment and context.location.host in background jobs: Background jobs now receive the same context.environment (e.g., production, staging) and context.location.host values that are available in web requests. This makes it easier to branch logic by environment or build host-aware URLs from asynchronous code.

• skip_ssl_verification option for api_call_send: The api_call_send mutation accepts a new skip_ssl_verification boolean in its options. When set to true, SSL certificate verification is skipped for HTTPS requests - useful when integrating with internal services that use self-signed certificates. Disabled by default.

• assign and function tags accept arguments in multiline.

• assign tag supports string interpolation inside hash values.

• [] and {} empty array/hash literals can be used as argument values.

• pos-cli deploy improvements:

  • Significantly faster cold deploys: Deploying a ~1,000-file application is now approximately 3× faster. Benchmarked against a real-world pos application (5,883 files): cold deploy time dropped from ~11.8s to ~3.9s. Warm deploys (no file changes) are slightly faster thanks to a better algorithm for skipping unchanged files. It also affects the Instance Clone feature.
  • All validation errors reported at once: When a deploy contains multiple invalid files, all errors are now collected and reported together in a single response instead of stopping at the first failure. This means you can fix all issues in one round rather than discovering them one by one.
  • Deploy report: Each deploy now returns a structured report listing which files were upserted or deleted per resource type (partials, GraphQL queries, pages, assets, etc.), making it easier to understand exactly what changed. Requires pos-cli 6.0.0+.
  • pos-cli deploy --dry-run now includes assets: Dry-run mode reports which assets would be added or removed without uploading them. Requires pos-cli 6.0.0+.
  • Automatic cleanup for public-only modules (opt-in, requires auto_manage_public_only_modules: true in config.yml): platformOS can now detect when a module contains only public files and, when it does, treat those files with the same lifecycle rules as regular application files - meaning files removed from the deploy are automatically deleted from the instance. Previously, module files were never deleted on deploy, which required adding each module name individually to the modules_that_allow_delete_on_deploy setting in the config. Because this changes deletion behaviour, it is disabled by default and must be explicitly opted into.

• Improved asset_manifest generation during pos-cli pull: greatly improves internal memory management and performance of generating asset_manifest (which includes all Assets). This also affects the Instance Clone feature.

• Module handling — warning when a declared module is missing: If a module is listed in pos-modules.lock.json but its source files are missing from the deploy, a warning is now emitted.

• Unknown app/config.yml properties are now warnings, not errors: If your config.yml contains a feature flag that does not exist in the target environment (for example when deploying from staging to a production environment that hasn't received that flag yet), the deploy no longer fails.

• Better error messages for duplicate translation keys: When multiple translation files define the same key for the same locale, the reported error now lists each offending key alongside the specific files that defined it, instead of lumping all files together.

• Duplicate model name detection on deploy: If two Model Schemas, Profile Types, or User Profiles resolve to the same parameterized name, the deploy now fails fast with a clear error listing the conflicting name and the files that introduced it.

Bug Fix

• raw_url handling for cloned instances: When an asset's raw_url points at an instance CDN path (/instances/N/assets/...), the host and instance ID are now rewritten to match the current instance's CDN configuration. This fixes broken asset URLs on cloned instances. External raw_url values (without the instance path segment) continue to be served as-is.

New Features

• External API V2 Endpoints - New v2 API endpoints are now available. Please visit API > Insites API Endpoints for more details.
  • Pipelines
  • Pipeline Stages
  • Opportunities
  • Opportunity Related Contacts
  • System Fields
  • Opportunity Custom Fields

Deploy, manage, and interact with your Insites instances directly from Claude Desktop — no CLI installation or browser login required.

What is CloudShell?

CloudShell is an MCP (Model Context Protocol) server that connects Claude Desktop to your live Insites instances over HTTP. It gives you a direct bridge between your AI assistant and your Insites environment, so you can deploy files, manage environment variables, check logs, and more - all from a single conversational interface.

Why it matters

Traditional Insites development workflows require switching between terminal commands, browser tabs, and deployment tools. CloudShell removes that friction. With a single connection, Claude can read from and write to your instance without you ever leaving the conversation.

This is particularly useful for:

• Rapid prototyping and iteration on pages and templates
• Debugging issues by pulling logs in real time
• Managing environment variables across instances
• Deploying changes without touching the command line

What you can do with CloudShell

Getting started

CloudShell connects via a single endpoint and authenticates using your Insites console credentials passed as HTTP headers. Once configured in Claude Desktop, your AI assistant has direct access to your instance - no additional software to install.

For full setup instructions and tool reference, see the CloudShell documentation.