Changelog

See what changed in every release.

v[Unreleased]

Added

**Embedding adapter** — `EMBEDDING_PROVIDER` env var (`openai` | `ollama`) for selecting embedding generation backend. Ollama support for fully local RAG.
**Vector store adapter** — `VECTOR_STORE_PROVIDER` env var (`sqlite` | `memory`). `VectorStoreAdapter` interface for future backends.
**AI config** — `appConfig.ai` section in `src/config/app.ts` (defaultModel, systemPrompt, ragEnabled, ragMaxChunks, ragMinScore, allowedModels).
**AI tool use** — Function calling in `/api/chat` with `getCurrentTime` and `getAppInfo` tools, `stepCountIs(3)` limit.
**Org AI quota** — `checkOrgQuota('aiChat')` enforcement in the chat route.
**Background RAG indexing** — `rag-index` job registered in the job system for async content indexing.
**MCP resources** — 6 read-only resources (schema, app config, AGENTS.md, .env.example, validation, navigation) for AI assistants.
**Context-aware MCP prompts** — `code_review` and `schema_design` prompts auto-inject current DB tables and app config.
**AI module Cursor rule** — `.cursor/rules/ai-module.mdc` with architecture and patterns.
**MCP auto-setup** — `codapult setup` now generates `.cursor/mcp.json` automatically.
**Demo mode** — `NEXT_PUBLIC_DEMO_MODE` env var, `DemoBanner` component with one-click sign-in, `seed-demo.ts` with a single admin account for public demo instances.
**Security headers** — `X-Content-Type-Options`, `X-Frame-Options: DENY`, `Strict-Transport-Security`, `Referrer-Policy`, `Permissions-Policy` on all routes via `next.config.ts`.
**Guards tests** — 13 unit tests for `requireAuth`, `requireOrgPermission`, `requireOrgMembership`, `requireOrgAdmin`.
**Branding sanitization tests** — 7 tests for CSS injection prevention and custom class validation.

Changed

**RAG indexing API** — `/api/ai/index` now uses Zod discriminated union validation for `index`, `search`, and `delete` actions.
**AI chat route** — Uses `appConfig.ai.systemPrompt`, respects `ragEnabled`/`ragMaxChunks`/`ragMinScore` from config.
**API keys** — Server action now validates input with Zod (`createApiKeySchema`); removed unsafe `as string` cast.
**API keys UI** — Replaced native `confirm()` with `AlertDialog`, added clipboard toast feedback, switched to `useTransition` for pending state, date formatting via `useFormatter` (next-intl), removed redundant `router.refresh()`.
**Admin API routes** — All admin routes now have rate limiting and Zod input validation (drip campaigns, jobs, multi-region, experiments, email domains, SSO, perf, webhook retry).
**GraphQL** — Added rate limiting (60 req/min per IP) on POST `/api/graphql`.
**Plugin API** — Added rate limiting (120 req/min per IP) on `/api/plugins/[...path]`.

Fixed

**Database CLI** — `drizzle.config.ts` and `seed.ts` now auto-load `.env.local` via `process.loadEnvFile()`. All `db:*` scripts (`db:push`, `db:seed`, `db:generate`, `db:studio`) work without manually exporting env vars.

Security

**Branding CSS injection** — Color values are now validated against an allowlist regex before `dangerouslySetInnerHTML` injection. `sanitizeCustomClass()` prevents arbitrary class injection.

v[0.1.0]

Added

**Auth adapter** — Better-Auth (default) and Kinde, switchable via `AUTH_PROVIDER` env var. Includes 2FA (TOTP), magic link sign-in, passkeys, and OAuth (Google, GitHub).
**Payment adapter** — Stripe (default) and LemonSqueezy. Subscriptions, one-time payments, tiered/volume pricing, add-ons, multi-line checkout, usage credits, seat-based pricing, pause/resume, and Stripe Connect marketplace.
**AI chat** — Vercel AI SDK with streaming, model selector (GPT-4o, Claude), rate limiting, conversation memory, and RAG pipeline (chunking, embeddings, vector search).
**Multi-tenancy** — Organizations, team switching, invitations, granular RBAC (owner/admin/member/viewer), permission guards.
**Enterprise SSO (SAML)** — BoxyHQ Jackson adapter with admin UI.
**SCIM 2.0 provisioning** — Automated user/group sync from identity providers.
**MDX blog** — i18n posts, tag filtering, author profiles, Fuse.js fuzzy search, RSS feed.
**Email system** — React Email templates (welcome, invite, billing, password reset), Resend integration, custom email domains via Resend Domains API, email drip campaigns.
**Notifications** — Real-time transport adapter (poll/SSE/WebSocket), in-app bell, email preferences.
**Admin dashboard** — Users, subscriptions, MRR, impersonation, bulk actions, CSV export, feature flags, A/B testing, cron dashboard, webhook monitor.
**Activity log** — Audit trail with org-scoped filtering, admin and user-facing pages.
**Event sourcing** — Immutable event store, optimistic concurrency, stream replay with reducers.
**Outgoing webhooks** — User-defined event subscriptions, HMAC-SHA256 signing, exponential backoff retries, dead letter queue with admin replay.
**GDPR compliance** — Data export (14 tables), account deletion with cascading cleanup, confirmation phrase.
**Workflow automation** — Event-triggered actions (email, webhook, Slack, delay), template interpolation, execution logging.
**Referral program** — Unique codes, signup/conversion/reward tracking, configurable rewards (credit/discount/cash).
**In-app onboarding tours** — Code-defined tours, DB-tracked progress, floating card UI, auto-trigger by pathname.
**Self-serve analytics** — First-party event tracking, org-level aggregation, dashboard UI.
**Scheduled reports** — Org-level email digests (daily/weekly/monthly).
**Feature request board** — Public voting page, upvotes, status filters, admin management.
**File uploads** — Adapter pattern (local/S3/R2), sharp image optimization, drag-and-drop component.
**Background jobs** — Adapter pattern (in-memory/BullMQ), cron schedules, built-in jobs (email, webhook retry, credit reset).
**API versioning** — URL-prefix routing with deprecation headers.
**OpenAPI 3.1** — Auto-generated spec from endpoint definitions.
**tRPC v11** — Type-safe API layer with server prefetch and client provider.
**GraphQL** — graphql-yoga with SDL schema, resolvers, and GraphiQL playground.
**Interactive API docs** — Swagger-like UI with endpoint catalog, param tables, code examples, and "Try it" panel.
**Help center** — MDX-based documentation with categories, search, and sidebar navigation.
**Plugin system** — `CodapultPlugin` interface, lifecycle hooks, sidebar + API route registration, marketplace UI.
**Changelog widget** — In-app "What's new" sheet, localStorage tracking, unseen badge.
**Multi-region DB** — Turso Platform API, add/remove replica locations, admin dashboard.
**White-labeling** — Per-org branding (colors, logo, app name), CSS variable injection, live preview.
**Custom domains** — Per-org CNAME/TXT DNS verification.
**Design tokens** — Typed definitions, CSS/JSON/Tailwind/Style Dictionary export.
**Performance monitoring** — Core Web Vitals reporter (p50/p75/p95), admin dashboard.
**OpenTelemetry** — Optional tracing with OTLP HTTP exporter.
**CLI wizard** — Interactive `npx @codapult/cli setup` with 15+ module toggles, .env generation.
**`create-codapult`** — NPM package for `npx create-codapult my-app` scaffolding.
**Infrastructure templates** — Terraform (AWS), Pulumi (AWS), Helm chart (Kubernetes), Docker, Vercel config.
**i18n** — next-intl with EN/RU message files, locale-aware blog.
**Testing** — Vitest unit tests + Playwright E2E tests.
**CI/CD** — GitHub Actions (lint, format, test, build, E2E).

Changelog

See what changed in every release.

v[Unreleased]

Added

**Embedding adapter** — `EMBEDDING_PROVIDER` env var (`openai` | `ollama`) for selecting embedding generation backend. Ollama support for fully local RAG.
**Vector store adapter** — `VECTOR_STORE_PROVIDER` env var (`sqlite` | `memory`). `VectorStoreAdapter` interface for future backends.
**AI config** — `appConfig.ai` section in `src/config/app.ts` (defaultModel, systemPrompt, ragEnabled, ragMaxChunks, ragMinScore, allowedModels).
**AI tool use** — Function calling in `/api/chat` with `getCurrentTime` and `getAppInfo` tools, `stepCountIs(3)` limit.
**Org AI quota** — `checkOrgQuota('aiChat')` enforcement in the chat route.
**Background RAG indexing** — `rag-index` job registered in the job system for async content indexing.
**MCP resources** — 6 read-only resources (schema, app config, AGENTS.md, .env.example, validation, navigation) for AI assistants.
**Context-aware MCP prompts** — `code_review` and `schema_design` prompts auto-inject current DB tables and app config.
**AI module Cursor rule** — `.cursor/rules/ai-module.mdc` with architecture and patterns.
**MCP auto-setup** — `codapult setup` now generates `.cursor/mcp.json` automatically.
**Demo mode** — `NEXT_PUBLIC_DEMO_MODE` env var, `DemoBanner` component with one-click sign-in, `seed-demo.ts` with a single admin account for public demo instances.
**Security headers** — `X-Content-Type-Options`, `X-Frame-Options: DENY`, `Strict-Transport-Security`, `Referrer-Policy`, `Permissions-Policy` on all routes via `next.config.ts`.
**Guards tests** — 13 unit tests for `requireAuth`, `requireOrgPermission`, `requireOrgMembership`, `requireOrgAdmin`.
**Branding sanitization tests** — 7 tests for CSS injection prevention and custom class validation.

Changed

**RAG indexing API** — `/api/ai/index` now uses Zod discriminated union validation for `index`, `search`, and `delete` actions.
**AI chat route** — Uses `appConfig.ai.systemPrompt`, respects `ragEnabled`/`ragMaxChunks`/`ragMinScore` from config.
**API keys** — Server action now validates input with Zod (`createApiKeySchema`); removed unsafe `as string` cast.
**API keys UI** — Replaced native `confirm()` with `AlertDialog`, added clipboard toast feedback, switched to `useTransition` for pending state, date formatting via `useFormatter` (next-intl), removed redundant `router.refresh()`.
**Admin API routes** — All admin routes now have rate limiting and Zod input validation (drip campaigns, jobs, multi-region, experiments, email domains, SSO, perf, webhook retry).
**GraphQL** — Added rate limiting (60 req/min per IP) on POST `/api/graphql`.
**Plugin API** — Added rate limiting (120 req/min per IP) on `/api/plugins/[...path]`.

Fixed

**Database CLI** — `drizzle.config.ts` and `seed.ts` now auto-load `.env.local` via `process.loadEnvFile()`. All `db:*` scripts (`db:push`, `db:seed`, `db:generate`, `db:studio`) work without manually exporting env vars.

Security

**Branding CSS injection** — Color values are now validated against an allowlist regex before `dangerouslySetInnerHTML` injection. `sanitizeCustomClass()` prevents arbitrary class injection.

v[0.1.0]

Added

**Auth adapter** — Better-Auth (default) and Kinde, switchable via `AUTH_PROVIDER` env var. Includes 2FA (TOTP), magic link sign-in, passkeys, and OAuth (Google, GitHub).
**Payment adapter** — Stripe (default) and LemonSqueezy. Subscriptions, one-time payments, tiered/volume pricing, add-ons, multi-line checkout, usage credits, seat-based pricing, pause/resume, and Stripe Connect marketplace.
**AI chat** — Vercel AI SDK with streaming, model selector (GPT-4o, Claude), rate limiting, conversation memory, and RAG pipeline (chunking, embeddings, vector search).
**Multi-tenancy** — Organizations, team switching, invitations, granular RBAC (owner/admin/member/viewer), permission guards.
**Enterprise SSO (SAML)** — BoxyHQ Jackson adapter with admin UI.
**SCIM 2.0 provisioning** — Automated user/group sync from identity providers.
**MDX blog** — i18n posts, tag filtering, author profiles, Fuse.js fuzzy search, RSS feed.
**Email system** — React Email templates (welcome, invite, billing, password reset), Resend integration, custom email domains via Resend Domains API, email drip campaigns.
**Notifications** — Real-time transport adapter (poll/SSE/WebSocket), in-app bell, email preferences.
**Admin dashboard** — Users, subscriptions, MRR, impersonation, bulk actions, CSV export, feature flags, A/B testing, cron dashboard, webhook monitor.
**Activity log** — Audit trail with org-scoped filtering, admin and user-facing pages.
**Event sourcing** — Immutable event store, optimistic concurrency, stream replay with reducers.
**Outgoing webhooks** — User-defined event subscriptions, HMAC-SHA256 signing, exponential backoff retries, dead letter queue with admin replay.
**GDPR compliance** — Data export (14 tables), account deletion with cascading cleanup, confirmation phrase.
**Workflow automation** — Event-triggered actions (email, webhook, Slack, delay), template interpolation, execution logging.
**Referral program** — Unique codes, signup/conversion/reward tracking, configurable rewards (credit/discount/cash).
**In-app onboarding tours** — Code-defined tours, DB-tracked progress, floating card UI, auto-trigger by pathname.
**Self-serve analytics** — First-party event tracking, org-level aggregation, dashboard UI.
**Scheduled reports** — Org-level email digests (daily/weekly/monthly).
**Feature request board** — Public voting page, upvotes, status filters, admin management.
**File uploads** — Adapter pattern (local/S3/R2), sharp image optimization, drag-and-drop component.
**Background jobs** — Adapter pattern (in-memory/BullMQ), cron schedules, built-in jobs (email, webhook retry, credit reset).
**API versioning** — URL-prefix routing with deprecation headers.
**OpenAPI 3.1** — Auto-generated spec from endpoint definitions.
**tRPC v11** — Type-safe API layer with server prefetch and client provider.
**GraphQL** — graphql-yoga with SDL schema, resolvers, and GraphiQL playground.
**Interactive API docs** — Swagger-like UI with endpoint catalog, param tables, code examples, and "Try it" panel.
**Help center** — MDX-based documentation with categories, search, and sidebar navigation.
**Plugin system** — `CodapultPlugin` interface, lifecycle hooks, sidebar + API route registration, marketplace UI.
**Changelog widget** — In-app "What's new" sheet, localStorage tracking, unseen badge.
**Multi-region DB** — Turso Platform API, add/remove replica locations, admin dashboard.
**White-labeling** — Per-org branding (colors, logo, app name), CSS variable injection, live preview.
**Custom domains** — Per-org CNAME/TXT DNS verification.
**Design tokens** — Typed definitions, CSS/JSON/Tailwind/Style Dictionary export.
**Performance monitoring** — Core Web Vitals reporter (p50/p75/p95), admin dashboard.
**OpenTelemetry** — Optional tracing with OTLP HTTP exporter.
**CLI wizard** — Interactive `npx @codapult/cli setup` with 15+ module toggles, .env generation.
**`create-codapult`** — NPM package for `npx create-codapult my-app` scaffolding.
**Infrastructure templates** — Terraform (AWS), Pulumi (AWS), Helm chart (Kubernetes), Docker, Vercel config.
**i18n** — next-intl with EN/RU message files, locale-aware blog.
**Testing** — Vitest unit tests + Playwright E2E tests.
**CI/CD** — GitHub Actions (lint, format, test, build, E2E).