---
title: "Week of 2026-05-22 to 2026-05-29"
slug: "platform-update-2026-05-29"
date: "2026-05-29"
tag: "Application"
summary: "Full CRM domain, agent voice & screen share, chat privacy controls, disposable email blocking, and new standalone SPAs for CourseAI and VideoAI."
author: "ibl.ai Engineering"
---

## Frontend

### API Changes

- **Global roles query parameter integration** — Added global roles filtering to the roles endpoint via new query parameter support in the data layer API slice.
- **Tool type streaming architecture** — Implemented comprehensive streaming support for tool types in advanced chat hooks with full test coverage and real-time updates.
- **forceRedirect authentication bypass** — New `forceRedirect` option in `redirectToAuthSpa()` allows callers to bypass tenant-switching and login/logout timestamp checks for immediate redirect scenarios.

### Data Model

- **Agent text-to-speech integration** — New TTS API endpoints and data layer constants for agent voice synthesis with real-time audio streaming capabilities.
- **Integration credential schema v2 migration** — Enhanced credential schema model with improved field validation and security metadata for external service integrations.
- **Call configuration models** — New voice and screen share configuration data models with pipeline validation and settings persistence.

### UI Components

- **Agent voice and screen share tabs** — Comprehensive voice communication interface with audio preview, voice picker modal, call configuration settings, and screen share capabilities including unit tests and Playwright automation helpers.
- **iOS restriction modal SDK integration** — Apple restriction modal moved to SDK with credit balance integration and reactive updates.
- **Project management UI overhaul** — New project creation, deletion, and renaming modals with full sidebar integration and project chat navigation.
- **Apple restriction modal components** — Platform-specific restriction handling with credit balance updates and user notification systems.

### Infrastructure

- **Tauri plugin compatibility fixes** — Resolved `@tauri-apps/plugin-os` resolution failures in web-containers vitest config and web-utils rollup build with mock stubs and external marking.
- **Advertising tenant access policy** — Removed auto-redirect restrictions, so users can now visit advertising tenant agents via direct URL access.

## Backend

### API Changes

- **CRM REST endpoints** — Complete CRM domain with `pipelines/`, `deals/`, `activities/`, `persons/`, `organizations/` endpoints supporting full CRUD operations, pipeline stage transitions, and deal state management.
- **Chat privacy control endpoints** — Four-tier hierarchy with tenant-level, session-level, and user-level privacy controls via `GET/PATCH /chat-privacy-config/`, `POST /disable-chathistory/`, and `GET /chat-privacy-effective/`.
- **Anonymous platform configuration endpoint** — New `GET /core/users/platforms/config/public/` for unauthenticated platform policy checks with throttling.
- **RBAC action catalog endpoints** — `GET /core/rbac/actions/tree/` (hierarchical) and `GET /core/rbac/actions/definitions/` (flat) for RBAC action discovery and UI autocomplete.
- **Paginated catalog search** — New `GET /catalog/resources/search/` with `StandardPageNumberPagination`, filtering, and N+1 query optimization.
- **Chat run tracking API** — Read-only `/users/{user_id}/chat-run-trackers/` endpoint with timing breakdowns, LLM provider metrics, and failure categorization.

### Data Model

- **CRM domain implementation** — Platform-scoped `Pipeline`/`PipelineStage`/`LeadSource`/`Deal`/`Activity`/`Tag` models with conditional unique constraints and service-managed state derivation.
- **LLM model registry with per-model kwargs** — New `LLMModelRegistry.kwargs` JSONField for model-specific initialization overrides (temperature, streaming, reasoning, `use_responses_api`) replacing hardcoded constants.
- **Chat privacy session controls** — `Session.disable_chathistory` field enabling per-conversation privacy with one-way toggle protection and student unlinking.
- **Chat run observability** — `ChatRunTracker` model capturing request-level timing, provider fallbacks, failure categories, and `generation_id` linking to `ChatMessageHistory`.
- **Disposable email domain blocking** — Four-model system: `DisposableEmailDomain` (blocklist), `DisposableEmailDomainAllowlist` (overrides), `DisposableEmailRefreshLog` (sync audit), `DisposableEmailBlockConfig` (runtime toggle).

### Security Capabilities

- **Disposable email blocking across registration flows** — End-to-end protection covering form signup, SSO browser pipeline, SSO API tokens, magic-link authentication, and all eight custom IBL OAuth/SSO backends with upstream domain sync.
- **Chat privacy memory protection** — Single-turn semantics for DISABLED mode: no `ChatMessageHistory` writes, empty reads from all four read paths, no in-process buffer, and `Session.student` nullification.
- **RBAC action registry enforcement** — Production error logging for unregistered actions with strict CI validation via `StrictActionRegistry` pytest plugin.

### Infrastructure

- **Migration backward-compatibility validation** — Real `sqlmigrate` SQL analysis replacing static AST engine, detecting DROP/RENAME operations that break running code with Claude-powered risk assessment.
- **CRM pipeline state machine** — Atomic deal stage transitions with `select_for_update` serialization, audit `Activity` generation, and `deal_won`/`deal_lost` signal dispatch.
- **Anonymous search tenant opt-out enforcement** — Server-side respect for `mentor_include_community_mentors` flag preventing API bypass of tenant community policy.
- **Integration credential schema v2 finalization** — Data migration converting v1 shape (`{field: "string"}`) to v2 (`{field: {type, is_sensitive}}`) with fail-closed sensitive field detection.
- **Starlette CVE-2026-48710 update** — Security update to starlette 1.1.0 addressing identified vulnerability.
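
The v1 to v2 credential schema conversion noted above, sketched as an added example (not ibl.ai's migration code). It shows one way "fail-closed" can work: a field is marked non-sensitive only when it is explicitly known to be safe. The allowlist, the type set, the `redact` helper and the sample schema are assumptions.

```python
# Added example: v1 -> v2 credential schema conversion, failing closed.
# Assumption: an explicit allowlist of field names that are safe to display.
# Any field not listed here is treated as sensitive.
KNOWN_NON_SENSITIVE = frozenset({"base_url", "region", "username", "account_id"})
KNOWN_TYPES = frozenset({"string", "integer", "boolean"})


def convert_field(name, spec):
    """Return the v2 entry {type, is_sensitive} for one field."""
    if isinstance(spec, dict):
        # Already v2-shaped: keep is_sensitive only when it is a real boolean;
        # a missing or malformed flag is treated as sensitive.
        flag = spec.get("is_sensitive")
        ftype = spec.get("type")
        sensitive = flag if isinstance(flag, bool) else True
    else:
        # v1 shape: the value is the type name itself.
        ftype = spec
        sensitive = name.lower() not in KNOWN_NON_SENSITIVE
    if not isinstance(ftype, str) or ftype not in KNOWN_TYPES:
        # Unknown or malformed type: store as a string and mask it.
        ftype, sensitive = "string", True
    return {"type": ftype, "is_sensitive": sensitive}


def migrate_schema(schema):
    """Convert a whole schema; running it on v2 output changes nothing."""
    return {name: convert_field(name, spec) for name, spec in schema.items()}


def redact(values, v2_schema):
    """Mask values for display; fields missing from the schema are masked too."""
    out = {}
    for name, value in values.items():
        entry = v2_schema.get(name)
        masked = entry is None or entry["is_sensitive"]
        out[name] = "***" if masked else value
    return out


# Constructed sample, not a real integration schema.
SAMPLE_V1 = {
    "base_url": "string",
    "api_key": "string",
    "webhook_token": "string",
    "retries": "integer",
    "extra": ["unexpected"],
}
```

The cost of failing closed is visible on `retries`: a harmless field is masked until someone adds it to the allowlist, which is the safer of the two possible mistakes.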

## Infrastructure

- **Agent and SkillsAI SPA support** — Complete docker-compose templates, env configurations, and CLI integration for `agent.{BASE_DOMAIN}` (port 5005) and `skillsai.{BASE_DOMAIN}` (port 5006) with inheritance from mentor/skills configurations.
- **CourseAI and VideoAI SPA deployment** — New standalone SPAs at `course.ibl.ai` and `video.ibl.ai` with nginx server blocks, image catalog integration, and operator opt-in flags.
- **HQ to OS subdomain migration** — Complete rename from `/hq` subpath to `os.ibl.ai` standalone domain with fallback removal and default-false rollout safety.
- **Skills SPA header configuration** — Six new operator-tunable feature flags: `HIDE_DISCOVER_TAB`, `ADDITIONAL_LEFT/RIGHT_HEADER_MENU_ITEMS`, `ENABLE_AI_ANALYTICS_HEADER_MENU`, `ENABLE_STUDIO_HEADER_MENU`, `ENABLE_STATIC_COPYRIGHT`.
- **Disposable email blocking configuration** — `IBL_DISPOSABLE_EMAIL_BLOCK_ENABLED` Django setting exposed as operator-facing config key for incident-response kill-switch capability.
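
How the blocklist, allowlist override and runtime kill-switch described in the disposable email entries above can combine into one registration decision, as an added example (not ibl.ai's implementation). The function names, the parent-domain matching rule and the sample domains are assumptions.

```python
# Added example: blocklist / allowlist / kill-switch decision for signup emails.
# Constructed sample data standing in for the blocklist and allowlist tables.
BLOCKLIST = frozenset({"mailinator.example", "tempbox.example"})
ALLOWLIST = frozenset({"staff.tempbox.example"})


def email_domain(address):
    """Return the normalized domain, or None when the address is malformed."""
    if not isinstance(address, str):
        return None
    local, _, domain = address.strip().rpartition("@")
    domain = domain.rstrip(".").lower()
    if not local or "." not in domain:
        return None
    try:
        # IDNA-encode so internationalized names compare in their ASCII form.
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def candidates(domain):
    """List the domain and its parents, stopping before the bare TLD."""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def is_blocked(address, enabled=True, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """True when registration with this address should be refused."""
    if not enabled:
        # Kill switch off: this check is skipped entirely.
        return False
    domain = email_domain(address)
    if domain is None:
        # Unparseable addresses are refused rather than waved through.
        return True
    names = candidates(domain)
    # Assumption: an allowlist hit on the domain or any parent overrides
    # every blocklist hit.
    if any(name in allowlist for name in names):
        return False
    return any(name in blocklist for name in names)
```

Calling the same function from every entry point (form signup, SSO pipeline, API tokens, magic links) keeps the normalization identical across flows, so a trailing dot or mixed case cannot pass one path while failing another.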

## Documentation

- **RBAC skill documentation** — Comprehensive iblai-rbac skill with default platform roles, account management policies screenshot, and [default-roles.py reference implementation](https://ibl.ai/docs/platform/).
- **Agent chat sidebar integration guide** — Documentation for wrapping the Chat component with SDK `AppSidebar` including projects dropdown, pinned/recent messages, and host content integration patterns.
- **Project management skill updates** — Renamed `iblai-projects` to `iblai-project` with updated documentation and visual references.

## REST API Changelog

### 🆕 New Endpoints

- `GET /api/ai-account/orgs/{org}/integration-credential/schema/v2/` — V2 credential schema with enhanced field metadata
- `GET /api/ai-mentor/orgs/{org}/users/{user_id}/chat-privacy-effective/` — Resolved chat privacy mode with source and lock status
- `POST /api/ai-mentor/orgs/{org}/users/{user_id}/sessions/{session_id}/disable-chathistory/` — One-way session privacy toggle
- `GET /api/ai-mentor/orgs/{org}/users/{user_id}/chat-run-trackers/` — Chat observability with timing and provider metrics
- `GET /api/ai-mentor/orgs/{org}/users/{user_id}/chat-run-trackers/{id}/` — Individual chat run detail
- `GET /api/catalog/resources/search/` — Paginated catalog resource search with filtering
- `GET /api/core/rbac/actions/definitions/` — Flat RBAC action dictionary
- `GET /api/core/rbac/actions/tree/` — Hierarchical RBAC action tree
- `GET /api/core/users/platforms/config/public/` — Anonymous platform configuration access
- `GET/POST /api/crm/organizations/`, `/api/crm/persons/`, `/api/crm/persons/{id}/invite/`, `/api/crm/persons/{id}/link-user/`, `/api/crm/persons/merge/` — Complete CRM REST API

### 🗑️ Removed Endpoints

- `DELETE /api/ai-mentor/orgs/{org}/webhooks/github/pullrequest/` — Deprecated GitHub webhook endpoint removed
