v2026.03.18.1156

What's Changed

🔧 Maintenance

• Fix vulnerabilities and update dependencies (#54) — Resolve all npm audit vulnerabilities and update 13 packages including next, better-auth, vitest, and jsdom.

Full Changelog: v2026.02.28.1353...v2026.03.18.1156

v2026.02.28.1353

What's Changed

🐛 Bug Fixes

• Replace NextAuth references with Better Auth (#52) — Update setup script env vars (NEXTAUTH_SECRET → BETTER_AUTH_SECRET, NEXTAUTH_URL → BETTER_AUTH_URL), remove unused optional vars (OIDC_PROVIDER_NAME, OIDC_SCOPE, OIDC_WELL_KNOWN_URL, NEXTAUTH_DEBUG), fix step count, and update all stale NextAuth references across documentation.

Full Changelog: v2026.02.26.1827...v2026.02.28.1353

v2026.02.26.1827

What's Changed

🔧 Maintenance

• Update dependencies and fix security vulnerabilities (#51) — Fixed 3 security vulnerabilities (rollup CVE-2026-27606 High/Arbitrary File Write, minimatch GHSA-3ppc-4f35-3m26 High/ReDoS, ajv GHSA-2g4f-4pwh-qvx6 Moderate/ReDoS), synced packages to latest major versions, and applied safe patch/minor updates.
• CI: Discord notification fixes — Fixed literal \n\n in Discord embed description and added workflow_dispatch trigger for testing.

Full Changelog: v2026.02.26.1751...v2026.02.26.1827

v2026.02.26.1751

What's Changed

🚀 Features

• Load user roles and groups into MPUserProfile (#50) — Extends MPUserProfile with roles and groups loaded via UserService, surfacing them to the app via useUser() context; also adds a GitHub Actions Discord embed notification on new releases.

📚 Documentation

• Testing reference guide (#46) — Adds .claude/references/testing.md with comprehensive Vitest patterns (vi.hoisted, MPHelper mocks, singleton resets, auth/headers mocking), coverage data, and full test inventory; updates CLAUDE.md.

🔧 Maintenance

• Add GitHub Actions test workflow with Codecov (#47) — Runs Vitest with v8 coverage on push to main and on pull requests; uploads to Codecov and adds status/coverage badges to README.
• Restore CODECOV_TOKEN for protected branch uploads (#49) — Re-adds the CODECOV_TOKEN secret parameter required for Codecov uploads on protected branches.
• Improve test coverage from 137 to 228 tests (#45) — Adds 91 new tests across services, server actions, proxy, provider, and React contexts; fixes 3 pre-existing test failures; all 228 tests now pass.

Full Changelog: v2026.02.20.1735...v2026.02.26.1751

v2026.02.20.1735

What's Changed

⚠️ Breaking Changes

• OAuth Redirect URI must be updated in Ministry Platform. The Better Auth migration (#44) changes the callback URL from /api/auth/callback/ministry-platform to /api/auth/oauth2/callback/ministry-platform. Update the Redirect URI in your Ministry Platform OAuth Client configuration before deploying.

🚀 Features

• Migrate from NextAuth v5 to Better Auth (#44) — Replace NextAuth v5 (beta) with Better Auth for OAuth authentication against Ministry Platform's OIDC endpoints. Stateless JWT sessions with cookie cache — no database required. OAuth sub claim (MP User_GUID) stored as user.userGuid via additionalFields + mapProfileToUser.

• Upgrade to Next.js 16 and update all dependencies (#41) — Upgrade from Next.js 15.5 to 16.1.6 (Turbopack now default), rename middleware → proxy, replace next lint with native ESLint flat config, and update all major dependencies (TypeScript 5.9, Zod 4.x, OpenAI 6.x, Tailwind CSS 4.2).

🐛 Bug Fixes

• Fix model generator crash for digit-prefixed tables (#39, #40) — sanitizeTypeName() now prefixes an underscore when the generated type name starts with a digit, preventing invalid TypeScript identifiers and build failures for tables like _2016CampElkhart.

📚 Documentation

• Update CLAUDE.md, components reference, and upgrade @inquirer/prompts v8 (#42) — Add missing architectural layers (services, contexts, Zod v4 note, setup commands), fix stale component references, and upgrade @inquirer/prompts to v8.

Full Changelog: https://github.com/MinistryPlatform-Community/MPNext/commits/v2026.02.20.1735