Notifications Service, Password Reset, and Key Fixes
We've launched a centralized notifications microservice and implemented secure password reset functionality, along with important fixes to Labor Costs and Agile Dashboard.
Release date: 12/03/2025
New notifications microservice launched
We developed and deployed a separate microservice for centralized notification delivery. A worker receives requests through the data bus and processes them. Three delivery channels are supported: Slack, Telegram, and e-mail. Each channel supports multiple message formats. The service has its own database, written specifications, and architectural integration into the system. A CI/CD pipeline and production-ready deployment have been configured. Legacy sending code from the old copilot has been analyzed and cleaned up.
Impact: The entire system now has a unified control point for notifications. Any Enji component (PM Agent periodic tasks, alerts, reports) can now send notifications through the unified service, eliminating duplicate logic across modules. This ensures consistent message formatting across different channels. Maintenance and adding new notification types are now simplified. The load on the main backend has been reduced. The foundation has been laid for future expansion of delivery channels and notification types without changing the application's business logic.
Password reset functionality updated
We implemented a secure password reset interface with tokenization, giving a complete, protected password reset process. Endpoints have been developed for token generation, validation checks, and setting new passwords, all with rate limiting. A table has been created to store one-time tokens with a 15–30 minute TTL. The frontend interface has been implemented: an email input form, a /reset-password?token= page for setting a new password, a success notification, and a redirect to login. Email delivery with one-time links has been added. The UI has been adapted to match the system's overall style. The system doesn't reveal whether an email exists in the database.
Impact: All users now have a secure access recovery process that complies with OWASP and GDPR standards. A critical vulnerability allowing arbitrary password resets for other users has been eliminated. Recovery is now only possible by confirming email ownership through a one-time link with a limited validity period. Protection against mass attacks has been added through rate limiting. This ensures a balance between company security and convenient, legitimate access recovery.
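The reset flow described above, sketched as an added example; this is not Enji's code. It assumes in-memory dicts in place of the token table and e-mail delivery, SHA-256 hashing of tokens at rest, and hypothetical names and rate-limit values; only the TTL range and the /reset-password?token= link come from the release notes.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60   # seconds; the release notes give a 15-30 minute TTL
MAX_REQUESTS = 3      # assumed limit per client per window
WINDOW = 60 * 60      # assumed rate-limit window, seconds
GENERIC_REPLY = "If the address is registered, a reset link has been sent."

users = {"alice@example.test": "old-password-hash"}  # constructed sample account
tokens = {}           # sha256(token) -> (email, expires_at); stands in for the token table
recent_requests = {}  # client id -> timestamps of recent reset requests
outbox = []           # (email, link) pairs; stands in for e-mail delivery


def _digest(token):
    # Only the hash is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, client, now=None):
    now = time.time() if now is None else now
    recent = [t for t in recent_requests.get(client, []) if now - t < WINDOW]
    recent.append(now)
    recent_requests[client] = recent
    if len(recent) <= MAX_REQUESTS and email in users:
        token = secrets.token_urlsafe(32)
        tokens[_digest(token)] = (email, now + TOKEN_TTL)
        outbox.append((email, "/reset-password?token=" + token))
    # Same reply for known, unknown and throttled requests: no enumeration.
    return GENERIC_REPLY


def reset_password(token, new_password_hash, now=None):
    now = time.time() if now is None else now
    # pop() makes the token single-use even when it turns out to be expired.
    entry = tokens.pop(_digest(token), None)
    if entry is None or now > entry[1]:
        return False
    users[entry[0]] = new_password_hash
    return True
```

A production version would do the pop-and-check as one atomic database operation so that two concurrent requests cannot redeem the same token.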
Fixes, improvements, and refinements
- Fixed task names and epic collapsing in Labor Costs. Correct functionality of expanded epics in the standard Labor Costs report has been restored. Proper display of task names within epics has been fixed, and the collapse/expand functionality for viewing task details has been restored.
- Temporarily hid the incorrect employee breakdown on the Agile Dashboard. The dropdown with employee-level metric breakdown on the Agile Dashboard has been removed due to critical calculation errors. Only general project-level averages remain as a temporary solution until the calculation logic is completely reconsidered.