Changelog

Every notable change to SarvStack.

  1. v1.0.0 — 2026-07-08 — Product Hunt launch

    • Account deletion flow (GDPR): auth-gated server function that removes storage avatars, cascades DB rows via FKs, and calls `auth.admin.deleteUser`. Orders and subscriptions are retained (SET NULL) as financial records.
    • Playwright coverage expanded to 404 pages (EN + DE), locale switcher, `/verify-license` invalid key flow, and full footer link crawl.
    • Unit tests for `webhook-verify` (HMAC) and `resolvePlan` (entitlements).
    • CI pipeline: typecheck → lint → i18n check → unit tests → Playwright.
    • Buyer-facing license card in the dashboard: masked key with reveal + copy, status badge, direct link to `/verify-license`.
    • Public `/changelog` page for release transparency.
  2. v0.9.0 — 2026-07-03 — Security hardening

    • Closed the open mail relay: transactional senders are no longer public server functions. `sendWelcomeEmail` requires `requireSupabaseAuth` and sends only to the authenticated user's own email.
    • Rate-limited public license endpoints (validate/activate/deactivate): 10 req/minute per IP, in-process fixed window.
    • Timeouts on all outbound API calls (Polar checkout, Polar license, Lovable AI Gateway).
    • Polar webhook receiver paginates `auth.admin.listUsers` and is case-insensitive on email matching; order confirmation email is retry-safe.
    • Admin server functions: full type-safety, no `any` casts.
  3. v0.8.0 — 2026-07-03 — Roles, admin area, license key pattern

    • `user_roles` table with `SECURITY DEFINER has_role()`; roles are never stored on `profiles`.
    • Admin server functions and `/admin` route (client-side gate is UX only; server always re-checks the role).
    • Polar License Key API wrappers: `validateLicenseKey`, `activateLicenseKey`, `deactivateLicenseKey`.
    • `/verify-license` demo page usable by anyone.
  4. v0.7.0 — 2026-07-03 — Subscriptions + entitlements

    • Config-driven Polar subscription support: set a product id in `src/config/billing.ts` and the UI lights up.
    • Webhook coverage for `subscription.created`, `.updated`, `.canceled`, `.active`, `.revoked`.
    • `usePlan()` resolves `free` / `early_adopter` / `subscriber` from orders + subscriptions.
    • Any paying signal grants entitlements.
  5. v0.6.0 — 2026-07-03 — Transactional emails (Resend)

    • Fail-safe email wrapper: missing `RESEND_API_KEY` never breaks signup or checkout — it logs and skips.
    • Welcome email on signup.
    • Order confirmation email from the Polar webhook.
  6. v0.5.0 — 2026-07-03 — AI module with metering

    • Lovable AI Gateway wired server-side; no external key required.
    • `ai_usage` table + `enforceAiQuota` (5 calls/month for free users, unlimited for paying users).
    • Dashboard shows the monthly usage indicator; upsell path to `/pricing` when the free cap is hit.
  7. v0.4.0 — 2026-07-03 — i18n (EN / DE / ES)

    • Trilingual UI across every public route.
    • `bun run check:i18n` validates dictionary parity, placeholders, and array shapes.
    • Localized URLs (`/de/*`, `/es/*`) with `hreflang` alternates and per-locale canonicals.
  8. v0.3.0 — 2026-07-03 — Polar billing (MoR) + webhook

    • Hosted Polar checkout via authenticated server function; buyers redirect to Polar and back to `/checkout/success`.
    • `public.orders` table (webhook is the sole writer; users SELECT-only).
    • Standard Webhooks signature verification with timing-safe compare.
  9. v0.2.0 — 2026-07-03 — RLS patterns

    • Canonical `profiles` example: auto-created via `AFTER INSERT` trigger, RLS scoped to `auth.uid() = id`, `updated_at` maintained by trigger.
    • `projects` table demonstrating the full user-owned CRUD pattern with four `auth.uid() = user_id` policies.
    • Private `avatars` bucket with per-user folder policies + signed URLs.
  10. v0.1.0 — 2026-07-03 — Auth foundation

    • Initial release: TanStack Start + Supabase Auth + shadcn/ui.
    • Email + password sign-up / sign-in, password reset.
    • `_authenticated/` layout gate with `ssr: false` and `supabase.auth.getUser()`.
    • Google OAuth via the Lovable Cloud OAuth broker.
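
The v0.3.0 entry (Standard Webhooks signature verification with timing-safe compare) and the v1.0.0 unit tests for `webhook-verify` both concern the check sketched here. This is an added example, not SarvStack's own code: the function names, the 5-minute tolerance, and the sample secret and body are assumptions, and the secret is taken to be base64 with a `whsec_` prefix as in the Standard Webhooks specification.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical names throughout; this is not SarvStack's webhook-verify module.
export interface WebhookHeaders {
  id: string;        // webhook-id header
  timestamp: string; // webhook-timestamp header, Unix seconds
  signature: string; // webhook-signature header: space-separated "v1,<base64>" entries
}

const TOLERANCE_SECONDS = 5 * 60; // assumed replay window

// Standard Webhooks signs "<id>.<timestamp>.<raw body>" with HMAC-SHA256.
export function signPayload(secret: string, id: string, timestamp: string, body: string): string {
  // Secrets are base64, conventionally prefixed with "whsec_".
  const key = Buffer.from(secret.replace(/^whsec_/, ""), "base64");
  return createHmac("sha256", key).update(`${id}.${timestamp}.${body}`).digest("base64");
}

export function verifyWebhook(
  secret: string,
  headers: WebhookHeaders,
  rawBody: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): boolean {
  // Reject malformed, stale or future-dated timestamps before doing any crypto.
  if (!/^\d+$/.test(headers.timestamp)) return false;
  if (Math.abs(nowSeconds - Number(headers.timestamp)) > TOLERANCE_SECONDS) return false;

  const expected = Buffer.from(signPayload(secret, headers.id, headers.timestamp, rawBody), "base64");

  // The header may carry several signatures while a secret is being rotated.
  let ok = false;
  for (const entry of headers.signature.split(" ")) {
    const [version, value] = entry.split(",");
    if (version !== "v1" || !value) continue;
    const candidate = Buffer.from(value, "base64");
    // timingSafeEqual throws on a length mismatch, so compare lengths first.
    if (candidate.length === expected.length && timingSafeEqual(candidate, expected)) ok = true;
  }
  return ok;
}

// Constructed sample values (not real Polar data).
export const SAMPLE_SECRET = "whsec_" + Buffer.from("constructed-test-secret-32-bytes").toString("base64");
export const SAMPLE_BODY = '{"type":"subscription.created","data":{"id":"constructed"}}';
```

The body passed in must be the raw request bytes as received; re-serializing parsed JSON changes the signed content and makes valid deliveries fail.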