# CRP Gateway
## RELEASE NOTES
> v2.3.0

### Upgrade Steps
* Refer to CRP Gateway Patching Guide v2.0 or above
* Run SQL patch: `18-v2.3.0-msg-signing-key-notification/configuration_tbl_add_email_v2.3.0.sql`
  * Adds configuration for Message Signing Key Expiry notification email recipients
  * Configure `crp.gateway.smtp.mail.addr.msg-signing-key.expiry` property with comma-separated recipient email addresses
* Run SQL patch: `18-v2.3.0-crp-message-log/add_crp_message_log_role.sql` (MSSQL and MySQL)
  * Adds CRP_MESSAGE_LOG_READ role for CRP Message Logs feature

### New Features

* **CRP Message Logs**
  * View and search ICL CRP message history with related messages
  * Search, filter, paginate, and drill into message details and history

* **Unified Account Management API**
  * New `/api/v1/account-management` endpoints for CRP credential operations with server-side validation and orchestration
  * OAuth2 client secret amendment — amend via CRP with automatic local credential update on success
  * Message signing key regeneration — request new key from CRP with participant code auto-populated from license

* **Message Signing Key Expiry Email Notification**
  * Automated email notification when CRP sends message signing key expiry warning
  * Template-based system with recipients configured via `crp.gateway.smtp.mail.addr.msg-signing-key.expiry` property

* **Portal-Based Message Signing Key Management**
  * Visual status indicators: Active (green), Expiring Soon (yellow, <30 days), Expired (red)
  * "Regenerate" button (with refresh icon) available for active/expiring keys — automatically requests new key from CRP and refreshes page on success
  * "How to Renew" button (with info icon) shown for expired keys — displays manual renewal instructions
  * Manual secret replacement with optional expiration date/time validation (requires both date and time)
  * New signing keys immediately applied to all subsequent outbound messages

* **Message Signing Key Expiry Warning Banner**
  * Alert banner displayed on Home and Account Management pages when the message signing key is expired or expiring soon
  * Red alert for expired keys, yellow alert for keys expiring within the configurable warning threshold (default 30 days)
  * Warning threshold configurable via `crp.message-signing-key.expiry-warning-days` property

### Bug Fixes

### Improvements

* **Simplified OAuth2 Credential Model**
  * Simplified to single active credential model
  * OAuth2 client configuration now fetches credentials dynamically at runtime instead of caching

* **Message Signing Key Always Fetched from Database**
  * Removed in-memory caching — signing key retrieved from database on every operation
  * Ensures regenerated keys take effect immediately without application restart
  * Supports distributed deployment with consistent key changes across instances

* **Enhanced Message Signing Key Regeneration Response Handler**
  * Improved error handling with transaction isolation — message records always persisted even if key update fails
  * Handler never throws exceptions; errors logged with comprehensive context
  * Three-transaction pattern: (1) Request message, (2) Response message, (3) Key update
  * Failed key updates preserve audit trail and allow manual correction

* **Refactored Account Management Architecture**
  * Both OAuth2 and message signing key operations now routed through Account Management API with proper orchestration
  * Service layer handles license validation, credential lookup, CRP message construction, and post-response updates
  * Portal no longer needs to provide participant code — resolved server-side from license