
Changelog

Every release, in the open — so you always know the product is alive.

All notable changes to Ektasi Core are documented here. Format follows Keep a Changelog; this project adheres to Semantic Versioning.

[1.10.0] - 2026-06-21

Added — Platform shell (acquisition · billing sync · telemetry · ops docs)

  • Subscription → license sync (migration 0014): marketplace.licenses.subscription_ref/status; the marketplace webhook now normalizes Stripe/Razorpay events — cancel/payment-failed → revokeLicense, renew/payment-succeeded → reactivateLicense. New linkSubscription / reactivateLicense. (Validated against real Postgres.)
  • Public docs hub /docs (getting-started, license API reference, SDK integration, anti-nulling) with sidebar + docs.* host routing; public /changelog rendering CHANGELOG.md.
  • Product telemetry: server-side captureServer (PostHog) on license_activated; complements the privacy-first client pageview analytics.
  • Ops docs: ENVIRONMENTS.md (staging parity + role/secret hygiene), DISASTER_RECOVERY.md (PITR + off-site/WORM), PLATFORM_AUDIT.md (reconciliation — most "outer shell" items already shipped).
  • SEO: sitemap now includes /docs, /changelog, /eula; footer links added.

[1.9.0] - 2026-06-21

Added — Launch readiness (resilience · comms · monitoring · legal)

  • Envato cache + outage fallback (verifyEnvatoPurchaseCodeCached): 24h fresh cache via Upstash; serves a previously-valid result if Envato is down so customer sites stay online.
  • Transactional emails: LicenseEmail + EmailService.sendLicenseActivated/Revoked, fired on activation/revocation (best-effort, skips synthetic addresses).
  • Zoho Desk sync: lib/marketplace/zoho.ts mirrors new tickets to a configured webhook.
  • Abuse alerting: abuseGuard.noteForbidden — Redis-windowed 403 counter → Sentry alert past a threshold; wired into all license API routes.
  • Domain-reset escalation (migration 0013): auto-approve early resets, open a HIGH review ticket on the Nth + log a DOMAIN_RESET event.
  • Legacy migration: scripts/migrate-legacy-licenses.mjs (idempotent CSV import, optional email notice, dry-run) + docs/LEGACY_MIGRATION.md.
  • EULA: /eula page + footer link (internet-required activation, domain lock, non-transfer, remote revocation). docs/LAUNCH_CHECKLIST.md maps every checklist item to its status.
  • Validated against real Postgres: migrations 0011-0013 apply; domain-reset escalation verified.
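The abuse-alerting entry above describes a windowed 403 counter that raises an alert past a threshold. The following is an added example, not Ektasi's abuseGuard or its Redis wiring: an in-memory sliding-window counter (a Map stands in for the Redis window) replayed over constructed log lines, alerting once per burst per source key and re-arming when the burst ages out of the window.

```typescript
// Added example, not Ektasi's lib code: sliding-window 403 counter with an alert threshold.
// The real service keeps the window in Redis and forwards alerts to Sentry; here a Map and a
// callback stand in so the logic runs offline.

export interface AbuseGuardOptions {
  windowMs: number;   // how far back a 403 still counts
  threshold: number;  // count at which an alert fires
}

export interface Alert { key: string; count: number; atMs: number; }

export class AbuseGuard {
  private readonly hits: Map<string, number[]> = new Map();  // key -> timestamps (ms) of recent 403s
  private readonly alerted: Set<string> = new Set();         // keys already alerted for the current burst

  constructor(
    private readonly opts: AbuseGuardOptions,
    private readonly onAlert: (key: string, count: number, atMs: number) => void,
  ) {}

  // Record one forbidden response for `key` (e.g. client IP) and return the count inside the window.
  noteForbidden(key: string, nowMs: number): number {
    const cutoff = nowMs - this.opts.windowMs;
    const recent = (this.hits.get(key) || []).filter((t: number) => t > cutoff);  // drop aged-out hits
    recent.push(nowMs);
    this.hits.set(key, recent);
    if (recent.length >= this.opts.threshold) {
      if (!this.alerted.has(key)) {          // alert once per burst, not on every further 403
        this.alerted.add(key);
        this.onAlert(key, recent.length, nowMs);
      }
    } else {
      this.alerted.delete(key);              // burst aged out: re-arm for the next one
    }
    return recent.length;
  }
}

// Constructed sample log lines (not real traffic): "<unix ms> <client ip> <status> <path>".
export const sampleLog: string[] = [
  "1000 203.0.113.7 403 /api/v1/license/status",
  "1500 203.0.113.7 403 /api/v1/license/status",
  "2000 198.51.100.9 200 /api/v1/license/status",   // success, not counted
  "2500 203.0.113.7 403 /api/v1/license/validate",
  "3000 203.0.113.7 403 /api/v1/license/status",
  "3500 203.0.113.7 403 /api/v1/license/status",    // fifth 403 inside 60 s -> alert
  "4000 203.0.113.7 403 /api/v1/license/status",    // same burst -> no second alert
  "70000 203.0.113.7 403 /api/v1/license/status",   // window slid past the burst -> count is 1 again
];

// Replay a log through the guard and collect the alerts it would raise.
export function replayLog(lines: string[], opts: AbuseGuardOptions): Alert[] {
  const alerts: Alert[] = [];
  const guard = new AbuseGuard(opts, (key, count, atMs) => alerts.push({ key, count, atMs }));
  for (const line of lines) {
    const [ts, ip, status] = line.split(" ");
    if (status !== "403") continue;
    guard.noteForbidden(ip, Number(ts));
  }
  return alerts;
}
```

Keying on client IP is what the sample does; in production the key should also include the license or purchase code being probed, otherwise one customer behind a NAT can trip the threshold for everyone sharing the address.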

[1.8.2] - 2026-06-21

Added — End-to-end DB integration test + CI

  • tests/marketplace.integration.test.ts (gated by RUN_DB_IT=1): proves activation → domain-lock → heartbeat → revoke → heartbeat-revoked across providers, plus RLS isolation (a portal user cannot read/insert another user's licenses) against a real Postgres.
  • .github/workflows/integration.yml — spins a postgres:16 service and runs it in CI.
  • Validated locally against a real Postgres: migrations 0011+0012 apply cleanly and all RLS invariants hold (cross-tenant insert rejected by WITH CHECK; admin override scoped correctly).

[1.8.1] - 2026-06-21

Added — Client SDK

  • Ektasi License Guard reference SDK in /sdk: js/ektasi-license-guard.js (Node/browser) and php/EktasiLicenseGuard.php (PHP/WordPress). Drop-in activate → cached fail-soft heartbeat → entitlement-gated guard() for premium features, with graceful degradation on revoke/offline. Integration + security guide in sdk/README.md. JS verified via node --check + a mocked-API behavioral smoke (activate / cache / revoke / entitlement gating).

[1.8.0] - 2026-06-21

Added — Provider-agnostic licensing + anti-nulling enforcement

  • Verifier registry (lib/marketplace/providers/): activation now routes by products.provider: envato (Author API) and direct (our own-platform signed EKD. codes, forgery-proof + revocable). Extensible for gumroad/paddle/etc. (migration 0012).
  • Own-platform codes: MarketplaceService.issueDirectCode + POST /api/v1/license/issue (server-to-server) mint codes recorded in marketplace.direct_codes for later revocation.
  • Anti-null layers: authoritative POST /api/v1/license/heartbeat (active|revoked|expired|domain_mismatch), refund/dispute POST /api/webhooks/marketplace (signed) → revoke, admin revoke control in /admin Marketplace Oversight, and a remote-execution entitlement endpoint that issues short-lived signed capabilities only when a license is live.
  • Forensic trail: append-only marketplace.license_events (activate/heartbeat/entitlement/revoke/deny + IP) surfaced in the admin event panel.
  • Unit-proven crypto: directCode + entitlement (sign/verify/tamper/expiry). Strategy + client-side responsibilities documented in docs/ANTI_NULLING.md.

[1.7.1] - 2026-06-21

Docs

  • Added docs/LOCAL_DEV.md — exact local bring-up (env + secrets, prisma migrate deploy through 0011, seed, demo logins, end-to-end satellite walkthrough with the TEST- dev bypass, and curl examples for the license API).

[1.7.0] - 2026-06-21

Added — Satellite Licensing & Support Portal (support.ektasi.io)

  • Hub-and-spoke marketplace: new isolated marketplace PostgreSQL schema (0011_marketplace_schema) with ENABLE+FORCE RLS — per-user isolation via app.current_marketplace_user_id plus a server-only app.marketplace_admin override for hub oversight.
  • License protocol: Envato purchase-code verification (lib/envato.ts), domain-locked activation, and stateless HMAC license tokens (lib/marketplace/licenseToken.ts, unit-tested: sign/verify/tamper/expiry). Edge-style heartbeat via /api/v1/license/status (no DB); product call-home via /api/v1/license/validate (client-secret gated).
  • Portal UI (/portal): email sign-in (IdP seam), Activation Gate, Asset Vault with SHA-256 checksums + connection diagnostic, and a search-first Smart Support Center (tickets).
  • Admin oversight: /admin now shows Marketplace Oversight (users/licenses/tickets + recent activity) read through the admin override — one source of truth, no context switch.
  • Host routing: middleware.ts rewrites support.*/portal; enterprise Header hidden there.
  • Deps: pg + @types/pg. New env in .env.example; runbook in docs/SATELLITE_PORTAL.md.

Changed — Branding & domain

  • New logomark (refined secure-loop + kinetic spark) wired into the global Header, footer, app/icon.svg favicon, and the OG image (opengraph-image.tsx).
  • Email scheme rationalized to @ektasi.io; privacy/DPO contact → privacy@ektasi.io. Full inventory + subdomain map in docs/EMAIL_ADDRESSES.md. (Primary domain already ektasi.io.)

[1.6.1] - 2026-06-21

Security & Fixes (QA review pass)

  • Tenant-scoped mutations (defense-in-depth): ContentService.revise/revertTo/transition now mutate via updateMany({ where: { id, tenant_id } }) + findFirstOrThrow, so the tenant boundary is enforced on the write itself, not only on the preceding read guard.
  • Razorpay fail-loud config: RazorpayService.verifyWebhook now throws ConfigurationError when RAZORPAY_WEBHOOK_SECRET is missing instead of silently returning false; the /api/webhooks/razorpay and /api/webhooks/finance routes catch it and return 503 (was a misleading 400 Invalid signature).
  • Middleware anti-spoof: middleware now strips any inbound x-ektasi-* identity headers before injecting verified ones, so client-supplied identity headers can never be trusted.
  • API auth model documented as canonical: localized JWT guards (getSession / withAdminGuard) verify the cookie on every /api route; routes never trust request headers (docs/ARCHITECTURE.md).
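The middleware anti-spoof entry is the kind of fix that is easy to get subtly wrong, so here is an added example (not Ektasi's middleware.ts) of the header discipline it describes: every inbound `x-ektasi-*` header is dropped, case-insensitively, before the verified identity is injected, and nothing is injected at all when verification failed. The identity fields and header names follow the page; the request and session values are constructed.

```typescript
// Added example, not Ektasi's middleware.ts: neutralize client-supplied identity headers
// before injecting the ones the middleware verified itself.

export interface VerifiedIdentity {
  tenantId: string;
  clientTier: string;
  userRole: string;
}

const IDENTITY_PREFIX = "x-ektasi-";

// Header names are case-insensitive, so compare on the lower-cased name; a literal check for
// "x-ektasi-" would let "X-Ektasi-Tenant-Id" through and defeat the whole point.
export function stripIdentityHeaders(inbound: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const name of Object.keys(inbound)) {
    const lower = name.toLowerCase();
    if (lower.indexOf(IDENTITY_PREFIX) === 0) continue;   // drop anything the client sent under our prefix
    out[lower] = inbound[name];
  }
  return out;
}

// Build the header set forwarded downstream. `identity` is null when the session cookie
// did not verify; in that case no identity headers exist at all, so a route that reads
// x-ektasi-tenant-id can only ever see a value the middleware put there.
export function buildDownstreamHeaders(
  inbound: Record<string, string>,
  identity: VerifiedIdentity | null,
): Record<string, string> {
  const headers = stripIdentityHeaders(inbound);
  if (identity !== null) {
    headers["x-ektasi-tenant-id"] = identity.tenantId;
    headers["x-ektasi-client-tier"] = identity.clientTier;
    headers["x-ektasi-user-role"] = identity.userRole;
  }
  return headers;
}

// What a downstream route should do: read the injected header, treat absence as "no identity".
export function tenantFromHeaders(headers: Record<string, string>): string | null {
  return headers["x-ektasi-tenant-id"] || null;
}

// Constructed request: the client tries to claim another tenant, an admin role and a higher tier,
// using mixed header-name casing to slip past a naive prefix check.
export const spoofedRequest: Record<string, string> = {
  Host: "app.example.test",                    // placeholder host
  Cookie: "session=<verified-by-middleware>",  // placeholder cookie
  "X-Ektasi-Tenant-Id": "tenant-victim",
  "x-ektasi-user-role": "admin",
  "X-EKTASI-CLIENT-TIER": "enterprise",
};

// Constructed identity, as the middleware would obtain it from the verified session cookie.
export const verifiedIdentity: VerifiedIdentity = {
  tenantId: "tenant-alice",
  clientTier: "growth",
  userRole: "member",
};
```

The reason this matters even with the JWT guards on every /api route (next entry) is defense in depth: the stripping makes the headers trustworthy for any consumer that does read them, such as server components or logging, not only for the routes that re-verify.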

[1.6.0] - 2026-06-20

Added — Persistent dashboard shell + operational desk pages

  • app/dashboard/layout.tsx (server) fetches the real tenant + renders a persistent DashboardShell (collapsible sidebar, breadcrumb, logout) that wraps all dashboard pages.
  • Tech & Protocol desk (/dashboard/tech): routing-control view, simulated SecOps stream, crypto posture; shred action routes to the guarded admin flow.
  • Creative desk (/dashboard/campaigns): premium shell embedding the real live CampaignWorkspace (pipeline) + illustrative metrics.
  • Forensic Audit Ledger (/dashboard/audit): reads the tenant's real audit_logs with search/filter + CSV evidence export.
  • Financial Ledger (/dashboard/finance): the tenant's real FinancialLedger.
  • New landing Hero + Tier Matrix pricing page; redundant page wrappers stripped to nest cleanly in the shell.

[1.5.0] - 2026-06-20

Added — Content version control + marketing pages

  • Asset/content version control (migration 0010): every content item carries a content_versions revision history. Edit creates a new revision; revert appends a new revision copying an older one (history is never rewritten). Routes /api/content/[id]/{revise,versions,revert}, audited CONTENT_REVISED / CONTENT_REVERTED; surfaced in the campaign workspace UI.
  • Public marketing + legal site: /about, /manifesto, /pricing (Tier Matrix), /security (zero-trust overview), /contact (terminal form wired to lead capture), /terms, /privacy, /dpa — all obsidian-themed and in the sitemap.
  • Global chrome: unified components/layout/Header (scroll-aware glass nav, hidden on authed routes) + Footer; redesigned terminal-style 404 (not-found.tsx).

[1.4.0] - 2026-06-20

Added — Tax, self-serve RBAC, JIT access

  • Tax/GST engine (taxPolicy.ts, tested): 18% GST on INR, EU VAT reverse-charge for enterprise, applied to /api/finance/checkout as a tax-inclusive total stored in the ledger.
  • Self-serve enterprise RBAC: /api/admin/members/invite — admins invite teammates into their tenant with a role + secure handshake email (MEMBER_INVITED).
  • JIT access: /api/admin/jit/request — time-boxed, justified support access to a target tenant, immutably logged (JIT_ACCESS_GRANTED).

[1.3.0] - 2026-06-20

Added — Creative & Campaign Desk + live portal data

  • Per-tenant content approval pipeline (Draft → Review → Approved → Live, contentPipeline.ts with a tested state machine), campaigns, and lead capture (ContentService, LeadService, migration 0009). Tenant-scoped routes: /api/campaigns, /api/campaigns/[id]/content, /api/content/[id]/status, /api/leads; /dashboard/campaigns workspace UI.
  • Live portal data: Low-Touch shows real lead/draft counts; High-Touch shows live webhook delivery counts + success rate via a webhook_deliveries log wired into all four webhooks.
  • Self-serve upgrade prompt (Low-Touch) and Forensic-Auditor link (High-Touch).

[1.2.0] - 2026-06-20

Added — Tiered client portals

  • /dashboard now segments by tenant tier (verified in the session): LowTouchPortal (SMB/Growth self-service) vs HighTouchPortal (enterprise control tower with RLS/key status + Forensic Auditor link). docs/CLIENT_TIERS.md documents the four-desk model with a live-vs-shell reconciliation.

[1.2.0] - 2026-06-20

Changed — Edge-native JWT auth (jose)

  • Replaced HMAC cookie sessions with jose HS256 JWTs (lib/auth/session.ts, jti, 12h TTL) that verify at the edge. middleware.ts gates /dashboard + /admin, redirects to /login, and injects verified x-ektasi-{tenant-id,client-tier,user-role} headers downstream.
  • RBAC guards withAdminGuard / withAuditorGuard (lib/auth/guards.ts); all guard call sites migrated to await (auth-bypass-checked); login/setup now sign JWTs with tier.
  • CSP extended with Stripe/Razorpay/Sentry origins (payment redirects + telemetry).

Added — Branded onboarding email & Sentry hardening

  • components/emails/WelcomeHandshake.tsx (React Email + Tailwind, obsidian/violet); EmailService now dispatches it (keeps the audited, non-blocking path).
  • Zero-trust Sentry scrubbing (lib/observability/scrub.ts via beforeSend): strips sensitive headers + stack-frame vars (keys, secrets, password hashes) before egress.
  • /api/webhooks/sentry — HMAC-verified alert webhook logs INFRASTRUCTURE_ALERT_TRIGGERED to the immutable ledger (telemetry-poisoning resistant).

Added — Financial clearing house & live telemetry

  • FinancialLedger (migration 0008) + financeRouting (tier/currency → gateway, tested) + session-secured /api/finance/checkout (Stripe/Razorpay/WIRE) with PENDING intent logging.
  • Unified /api/webhooks/finance — signature-branched, idempotent ledger settlement.
  • InvoiceTerminal UI + /dashboard/invoices/[referenceId] page.
  • Dunning grace window (BILLING_DUNNING_MAX_FAILURES): soft DUNNING vs hard LOCK (billingApply.ts, migration 0007); landing CheckoutCTA (pay → auto-provision).
  • Live Sentry issues via lib/observability/sentryFetcher.ts wired into the Copilot (getSentryAlerts).

Added — Billing & subscriptions

  • Provider-agnostic billing: Stripe + Razorpay (UPI/cards/netbanking) behind one schema (migration 0006_billing) and one pure policy (billingPolicy.ts, unit-tested).
  • ProvisioningService (shared atomic path), BillingService (Stripe), RazorpayService (REST + HMAC verify, no SDK); /api/billing/checkout (provider-aware) and /api/webhooks/{stripe,razorpay} — payment provisions the tenant, dunning auto-locks it.
  • docs/BILLING.md (incl. honest UPI-via-Razorpay vs. direct-NPCI note).

Added — Docs

  • docs/DASHBOARD_OPERATIONS.md — the control plane framed as five operational desks (sales intake, tenant lifecycle, SecOps, compliance/audit, secure offboarding), each mapped to backing code with a narrative-vs-shipped reconciliation.

Added — Self-hosted / air-gapped inference

  • Provider-agnostic model factory lib/agents/llm.ts: agents route to any OpenAI-compatible endpoint (vLLM/TGI/Ollama) via EKTASI_LLM_BASE_URL + EKTASI_LLM_AUTH_TOKEN + EKTASI_LLM_MODEL, falling back to OpenAI when unset.
  • Copilot, Auditor, and Provisioning agents switched to the factory (no behavior change by default).
  • scripts/deploy-vllm.sh (Track 1 GPU deploy) and docs/SELF_HOSTED_LLM.md (dual-track pipeline + secure bridge).

[1.1.0] - 2026-06-20

Added — Security enforcement

  • Tenant containment (SIRP Phase 2): tenants.status, migration 0003_tenant_lock (lock-aware RLS that blocks runtime data but keeps the audit ledger queryable), TenantService.lock/unlock, /api/admin/tenants/lock, and a console control.
  • Auth/session layer: HMAC-signed cookie sessions (lib/security/session.ts), /api/auth/login + /api/auth/logout, profiles.role, and a /login page.
  • Server-side page guards (lib/security/requireSession.ts) on /admin and /dashboard; real auth checks wired into the Copilot, Auditor, and admin-provision routes.
  • Database migrations: 0001_init (schema DDL) + 0002_zero_trust (RLS tenant-isolation policies + append-only audit_logs trigger) + lib/security/rls.ts forTenant() helper.
  • Real audit evidence: KEY_ROTATION (SecretService.rotateSecret + /api/admin/keys/rotate) and AUTHENTICATION (login) events now emitted in production paths.
  • Rate limiting on login, the AI agent routes (Copilot/Auditor/Provision), and lead capture.
  • Public /api/request-access lead capture; ContactTerminal no longer hits admin provisioning.
  • Sentry server + edge configs; getTenantHealthMetrics reads live Redis with sample fallback.
  • Feature-flag kill-switch API (/api/admin/flags) + FlagControls admin UI.

Added — Multi-factor authentication

  • TOTP MFA (RFC 6238, no external deps) in lib/security/totp.ts, verified against the canonical test vector. Enrolled during /auth/setup (encrypted secret), enforced at /api/auth/login; /api/auth/mfa/enable activates it. Migration 0005_mfa.
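The entry above says the TOTP implementation has no external dependencies and is verified against the canonical test vector. As an added example, not Ektasi's lib/security/totp.ts, this is what such an implementation looks like with only Node's crypto module: HOTP (RFC 4226) with dynamic truncation, TOTP (RFC 6238) on a 30-second step, and a constant-time verifier with a one-step drift window. The shared secret below is the one from RFC 6238 Appendix B for the HMAC-SHA1 vectors, so the outputs can be checked against the RFC table.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Added example, not Ektasi's lib/security/totp.ts: RFC 6238 TOTP built on RFC 4226 HOTP
// with HMAC-SHA1 and a 30-second step, using only Node's crypto module.

function zeroPad(value: number, digits: number): string {
  let s = String(value);
  while (s.length < digits) s = "0" + s;
  return s;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
export function hotp(secret: Buffer, counter: number, digits: number = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 4294967296), 0);  // high 32 bits
  msg.writeUInt32BE(counter % 4294967296, 4);               // low 32 bits
  const h = createHmac("sha1", secret).update(msg).digest();
  const offset = h[h.length - 1] & 0x0f;                    // low nibble of the last byte picks the window
  const bin =
    ((h[offset] & 0x7f) << 24) |                            // mask the top bit to keep it non-negative
    ((h[offset + 1] & 0xff) << 16) |
    ((h[offset + 2] & 0xff) << 8) |
    (h[offset + 3] & 0xff);
  return zeroPad(bin % Math.pow(10, digits), digits);
}

// TOTP (RFC 6238): the counter is the number of whole time steps since the Unix epoch.
export function totp(secret: Buffer, unixSeconds: number, digits: number = 6, step: number = 30): string {
  return hotp(secret, Math.floor(unixSeconds / step), digits);
}

// Accept the current step and one step either side (clock drift), comparing in constant time.
// Every candidate is checked so the timing does not reveal which step matched.
export function verifyTotp(
  secret: Buffer, code: string, unixSeconds: number, digits: number = 6, step: number = 30,
): boolean {
  const t = Math.floor(unixSeconds / step);
  const given = Buffer.from(code, "utf8");
  let matched = false;
  for (const c of [t - 1, t, t + 1]) {
    const expected = Buffer.from(hotp(secret, c, digits), "utf8");
    if (given.length === expected.length && timingSafeEqual(given, expected)) matched = true;
  }
  return matched;
}

// RFC 6238 Appendix B shared secret for the HMAC-SHA1 vectors: ASCII "12345678901234567890".
export const rfcSha1Secret = Buffer.from("12345678901234567890", "ascii");
```

A drift window means one code is valid for up to 90 seconds, so a production verifier should also remember the last counter value accepted per user and refuse to accept it again; otherwise a code observed once can be replayed within the window.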

Added — Per-tenant cryptography

  • HKDF per-tenant Data-Encryption-Keys derived from the platform KEK + a per-tenant salt (crypto.ts, migration 0004_per_tenant_keys); SecretService seals/opens secrets under the tenant DEK.
  • TenantKeyService.rotateTenantKey re-keys all secrets + /api/admin/keys/rotate-tenant.
  • Crypto-shredding: decommission nulls the tenant salt, making its ciphertext underivable.

Added — Telemetry & offboarding

  • Live Sentry telemetry: SentryService.recentExceptionCount wired into the SecOps Copilot health tool (replaces sampled exception counts; graceful fallback).
  • Tenant decommissioning (SOC2 offboarding): TenantService.decommission (wipes secrets + profiles, retains the append-only ledger, logs TENANT_DECOMMISSIONED), confirmation-guarded /api/admin/tenants/decommission, and a destruction runbook.

Added — Docs & pipeline

  • docs/DEPLOYMENT_PIPELINE.md (5-phase zero-trust CD) and docs/TENANT_PROVISIONING_RUNBOOK.md (with an implementation-reconciliation section).
  • CI: postinstall: prisma generate; Playwright webServer now starts in CI with placeholder env; multi-region deploy ["bom1","sin1"].

Added — Ops & polish

  • Dockerfile (+ standalone output) + .dockerignore, .eslintrc.json, CONTRIBUTING.md, LICENSE, scripts/restore.mjs (DR drill), and a generated OpenGraph image.

[1.0.0] - 2026-06-20

First production-ready release. Enterprise-hardened, multi-tenant infrastructure ecosystem on Next.js 14 (App Router).

Added — Security & Infrastructure

  • AES-256-GCM secret vault with authenticated encryption / tamper detection (lib/security/crypto.ts).
  • Single-use, 24h onboarding tokens with SHA-256 storage hashing (lib/security/token.ts).
  • SecretService (audited resolution), AuditService (append-only forensic ledger), EmailService (Resend onboarding), FeatureFlagService (Redis kill-switch).
  • Per-tenant sliding-window rate limiting via Upstash Redis (lib/middleware/rateLimit.ts).
  • Prisma schema: tenants, profiles, tenant_secrets, audit_logs.
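The per-tenant cryptography added in 1.1.0 (HKDF-derived DEKs from a platform KEK plus a per-tenant salt, and crypto-shredding by nulling that salt) builds on the AES-256-GCM vault listed above. The block below is an added example, not Ektasi's crypto.ts or SecretService: it derives a DEK per tenant with HKDF-SHA256, seals and opens a secret under it with AES-256-GCM so that any tampering is rejected by the authentication tag, and shows that once a tenant's salt is gone its DEK, and therefore its ciphertext, cannot be reconstructed from the KEK alone. Key material, the info-string format and the storage shape are constructed for the demonstration.

```typescript
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "crypto";

// Added example, not Ektasi's crypto.ts / SecretService: per-tenant DEKs via HKDF,
// AES-256-GCM sealing, and crypto-shredding by discarding the tenant salt.

export interface TenantKeyMaterial {
  salt: Buffer | null;   // random per-tenant salt; null once the tenant has been shredded
}

// DEK = HKDF-SHA256(ikm = KEK, salt = tenant salt, info = purpose + tenant id). The info string
// is an assumed format; it binds the derived key to one purpose and one tenant.
export function deriveTenantDek(kek: Buffer, tenant: TenantKeyMaterial, tenantId: string): Buffer {
  if (tenant.salt === null) {
    throw new Error("tenant key material shredded: DEK is underivable");
  }
  return Buffer.from(hkdfSync("sha256", kek, tenant.salt, "ektasi-dek:" + tenantId, 32));
}

export interface SealedSecret { iv: string; ct: string; tag: string; }   // hex-encoded fields

export function sealSecret(dek: Buffer, plaintext: string): SealedSecret {
  const iv = randomBytes(12);   // fresh 96-bit nonce per message; never reuse one under the same key
  const cipher = createCipheriv("aes-256-gcm", dek, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { iv: iv.toString("hex"), ct: ct.toString("hex"), tag: cipher.getAuthTag().toString("hex") };
}

// Returns null when the GCM tag does not verify, i.e. the ciphertext, tag or key was altered.
export function openSecret(dek: Buffer, s: SealedSecret): string | null {
  const decipher = createDecipheriv("aes-256-gcm", dek, Buffer.from(s.iv, "hex"));
  decipher.setAuthTag(Buffer.from(s.tag, "hex"));
  try {
    return Buffer.concat([decipher.update(Buffer.from(s.ct, "hex")), decipher.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// Simulate tampering with stored ciphertext: flip one bit of the first byte.
export function tamperCiphertext(s: SealedSecret): SealedSecret {
  const ct = Buffer.from(s.ct, "hex");
  ct[0] ^= 0x01;
  return { iv: s.iv, ct: ct.toString("hex"), tag: s.tag };
}

// Crypto-shredding: the ciphertext may stay in backups, but without the salt nobody,
// including the platform holding the KEK, can derive the key that opens it.
export function shredTenant(tenant: TenantKeyMaterial): void {
  tenant.salt = null;
}

// Constructed key material (a real KEK would come from a KMS or the deployment environment).
export const demoKek = randomBytes(32);
export const tenantA: TenantKeyMaterial = { salt: randomBytes(32) };
export const tenantB: TenantKeyMaterial = { salt: randomBytes(32) };
```

Two properties are worth checking explicitly, as the test below does: the derivation is deterministic (re-deriving the same tenant's DEK yields the same key, so no key needs to be stored), and a secret sealed under one tenant's DEK fails authentication under another tenant's DEK, which is the cryptographic half of tenant isolation that RLS cannot provide on its own.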

Added — API

  • Atomic tenant provisioning route with async, non-blocking onboarding email (app/api/admin/provision/route.ts).
  • Sentry-tagged credential proxy with client-facing error masking (app/api/proxy/[...path]/route.ts).

Added — Frontend

  • Component-driven landing page: Nav, Hero, Manifesto, Protocol, Roadmap, ContactTerminal, Footer (components/landing/).
  • Gradient SVG Logomark with per-instance useId() gradient ids (no DOM collisions).
  • ProvisioningForm with live validation + loading/success/error states; QuotaMonitor.
  • Obsidian-themed error, loading, and not-found pages; LoadingSkeleton.
  • Privacy-first AnalyticsProvider (no-op unless an analytics src is configured).

Added — Observability

  • Sentry instrumentation (instrumentation.ts, sentry.client.config.ts), every error tagged with tenant_id.

Added — SEO

  • Root metadata (OpenGraph + Twitter), sitemap.ts, robots.ts, public/robots.txt.

Added — CI/CD & Resilience

  • Hardened pipeline: lint → unit (Vitest + coverage) → build → e2e (Playwright) → migrate → deploy.
  • Nightly encrypted pg_dump → S3 WORM bucket (.github/workflows/backup.yml, scripts/backup.mjs).
  • Playwright provisioning suite + crypto unit tests (round-trip, random IV, tamper rejection).

Added — Deployment & Docs

  • vercel.json: sin1 region, npm ci builds, and security headers (X-Frame-Options, X-Content-Type-Options, HSTS, Permissions-Policy, Referrer-Policy).
  • Documentation: SECURITY.md, docs/INCIDENT_RESPONSE.md, docs/OBSERVABILITY.md, docs/GO_LIVE_CHECKLIST.md.

Security notes

  • Clients receive generic 500 Infrastructure Failure; full stack traces stay server-side.
  • No secret resolution or provisioning occurs without a corresponding audit_logs entry.