Release Notes

🔒 What we improved:

• Sensitive data in logs — Authentication tokens and user identifiers are no longer written to server logs under any circumstances.
• Email verification codes — Now generated using a cryptographically secure process.
• Webhook URL validation — User-configured webhooks are validated to prevent requests being misdirected to internal network addresses.
• Billing redirect URLs — Post-payment redirects are now checked against an approved domain list.
• API playground limits — The playground now enforces the same per-hour and per-day request limits as the production API.
• IP address handling — Rate-limiting now correctly identifies the originating request source.
• Transport security — HTTPS strict transport security enforced at the infrastructure level.
• Admin tooling — Email addresses in internal dashboards are now partially masked.
• Dependencies — Framework and third-party library updates, including a Next.js upgrade resolving a publicly disclosed vulnerability.

🇪🇺 EU AI Act Compliance Page:

• August 2026 deadline - Article 50 transparency obligations explained
• Implementation timeline - Key milestones from Feb 2025 to Aug 2027
• How Provenix helps - Machine-readable provenance for compliance
• Official sources - Links to EU AI Act documentation

📚 Platform Integration Guides:

• Next.js - API routes and server actions
• Express - Middleware integration
• Django - View integration with Python SDK
• React - Client-side signing with verification
• Vue - Composition API integration

✨ Landing Page Refresh:

• Clearer messaging - Streamlined headlines and descriptions
• Improved CTAs - More direct call-to-action buttons
• Better dark mode - Enhanced theme consistency

📬 Feature Request System:

• In-page modal - Request features without email client
• Demand tracking - We prioritise based on requests
• Notify me - Leave email to be notified when available

🔍 Request ID Tracing:

• Unique request IDs - Every API call now includes a requestId for tracking
• Response headers - Check x-request-id header in any response
• Faster support - Include your requestId when contacting support for instant issue lookup

🔐 Secure Error Responses:

• No internal leaks - Error messages no longer expose implementation details
• Consistent format - All errors include code, message, and requestId
• Better debugging - Errors are logged server-side with full context

🐛 Fixes:

• CSV/JSON exports - Added loading states with spinner, improved download reliability
• Search by manifest ID - Now finds manifests by ID from verification URLs, not just hash
• Search reset - Clearing search field now automatically restores full listing
• Verify page - Fixed client-side crash on /verify/[id] pages

📚 New Documentation:

• Webhooks docs - Comprehensive /docs/webhooks page with signature verification examples
• Code examples in Node.js, Python, and Go
• Best practices, payload format, testing, and troubleshooting guides

🤖 AI Agent View Toggle:

• Human/Agent toggle - Switch between human-friendly and LLM-optimised views
• Persisted preference - Your view mode is saved in localStorage
• Smart visibility - Toggle hidden on dashboard/admin routes (not relevant for agents)

📄 Agent Views on 9 Pages:

• Homepage - Capabilities, limitations, use cases, topics
• Pricing - Tier comparison table, billing FAQ, key facts
• Documentation - API endpoints, SDK examples, error codes
• About - Mission, principles, company facts
• Help Center - Troubleshooting guides, setup examples
• FAQ - Q&A format optimised for agents
• Security - Security practices, compliance, data handling
• Contact - All contact emails and response times
• Release Notes - Version history and capabilities summary

📝 LLM Discoverability:

• /llms.txt - Concise index for AI agents (llmstxt.org standard)
• /llms-full.txt - Detailed documentation for comprehensive context
• JSON-LD structured data - Schema.org markup for SEO and AI discoverability

🔐 Cryptographic Signing (Dogfooding):

• Build-time signing - Agent view content signed with real Provenix signatures
• Verification URLs - Each agent view includes a clickable verification link
• Signed manifests - Ed25519 signatures proving content authenticity

📊 Admin Enhancements:

• Internal usage tracking - Separate internal vs customer API usage in admin dashboard
• API key rename - Rename API keys from the dashboard for better organisation

📊 Usage Insights:

• Usage History Chart - Visualise your sign/verify activity over the last 30 days
• Usage Predictions - See projected date when you'll hit your monthly limit
• Usage Alerts - Receive email notifications when you reach 80% of your limit

📋 Verification Log:

• View all your signed content with timestamps and hashes
• Search by content hash to find specific manifests
• Copy verification URLs with one click
• Export to CSV or JSON for compliance and auditing

🔗 Webhooks:

• Configure webhook endpoints to receive real-time notifications
• Subscribe to sign and/or verify events
• HMAC-SHA256 signed payloads for security
• Test webhooks directly from the dashboard
• Auto-disable after consecutive failures (circuit breaker)

🧪 API Playground:

• Test the sign and verify APIs directly in your browser
• Select your API key and see real responses
• Auto-populate verify fields after signing for easy testing

🛡️ Security:

• Added Security Hall of Fame to recognise responsible disclosure
• Enhanced security headers (X-Frame-Options, CSP)

📚 New Developer Documentation:

• Quick Start Guide - Get up and running in 60 seconds with platform-specific examples
• Installation Guide - Comprehensive setup for npm, Python, CLI, and browser
• Platform tabs for Node.js, Python, cURL, and Browser code examples
• Troubleshooting section covering common errors (Invalid API Key, Connection Refused, Rate Limits)
• Use case examples for EdTech, Healthcare, Legal, and Compliance

🎯 UX Improvements:

• Navigation cards on main docs page for quick access to guides
• Sidebar navigation with scroll detection for easy section jumping
• Section feedback buttons to rate documentation helpfulness
• Fully mobile responsive with collapsible navigation

📚 Now Available:

• Platform guides shipped in v0.2.5 (Next.js, Express, Django, React, Vue)

💰 Better Pricing, More Value:

• Significant price reductions across all tiers based on improved operational efficiency
• Substantially increased request allowances to better serve growing applications
• All existing customers automatically benefit from new pricing
• No action required - changes apply immediately to your account

📉 New Pricing (AUD):

• Starter: $69 → $25/month (-64%) • 8K → 10K requests/month (+25%)
• Growth: $169 → $119/month (-30%) • 20K → 50K requests/month (+150%)
• Pro: $449 → $239/month (-47%) • 50K → 100K requests/month (+100%)
• Enterprise: $1,500+ → $1,199+/month (-20%) • 200K+ → 500K+ requests/month (+150%)

🎯 What This Means for You:

• More competitive pricing against Auth0, Clerk, and enterprise identity solutions
• Better value for high-volume applications with significantly increased request allowances
• Predictable, transparent pricing as your usage grows
• Lower barrier to entry for startups and growing businesses

🎉 Beta Launch:

• Provenix is now in public beta and accepting early adopters
• All core features battle-tested and production-ready
• Free tier: 2,000 requests/month (no credit card required)
• Early adopter perks: Locked-in pricing for 12 months, roadmap influence

🔔 Subscription Cancellation Visibility:

• Dashboard now shows accurate "Canceling" status for subscriptions pending cancellation
• Displays "Cancels [date]" instead of misleading "Renews [date]"
• Audit logs track cancellation and reactivation events
• Full transparency when users cancel via Stripe Customer Portal

📚 Documentation Consolidation:

• Created MASTER-GUIDE.md - single source of truth for testing and operations
• Comprehensive changelog with all features documented
• Archived 10 obsolete docs into clean repository structure

🔐 Password Reset Functionality:

• Complete forgot password flow with email-based reset
• Secure token generation (SHA-256 hashed, 1-hour expiry)
• Professional HTML email templates via Resend
• Frontend pages: /forgot-password and /reset-password
• Password requirements enforced on backend and frontend

🐛 Critical Bug Fixes:

• Fixed JWT authentication for billing endpoints (was incorrectly using API keys)
• Fixed Stripe webhook signature verification
• Fixed subscription tier limits display in dashboard
• Fixed Next.js 15 useSearchParams hydration errors (wrapped in Suspense)

🎨 Branding Consistency:

• Replaced generic icons with branded Provenix logo in homepage animations
• Updated verification badges to use actual widget image
• Added gradient text highlighting to hero section
• Consistent visual identity across all customer touchpoints

🎨 Improved Pricing Display:

• Cleaner currency formatting following industry standards
• Clear, professional pricing presentation
• Zero ambiguity for international customers

⚡ Optimized Rate Limits:

• Right-sized tier volumes for better performance
• Improved hourly, daily, and monthly limit structure
• Backend and frontend limits now fully synchronized
• Enhanced usage tracking across all tiers

🏢 Enterprise Tier:

• Added dedicated Enterprise tier for high-volume customers
• Custom SLA agreements available
• Dedicated support and onboarding assistance
• White-label options for large organizations

📚 Documentation:

• Updated setup guides and technical documentation
• Comprehensive pricing validation reports
• Improved README with current architecture details

✅ SDK Reliability FIXED:

• SDK 500 errors completely resolved
• Refactored Prisma queries to eliminate connection pooling issues
• Replaced findFirst()/findMany() with findUnique()/direct queries
• Verified with 10/10 successful requests in production
• SDK now 100% reliable for beta users

🛡️ Monthly Usage Limits:

• Free tier: 100 requests/month hard cap
• Paid tier: 10,000 requests/month hard cap
• Prevents runaway API costs during beta testing
• Calendar month boundaries for billing periods
• Enhanced 429 responses with tier, upgrade URL, reset timestamp

⚠️ 90% Warning System:

• Dashboard shows red progress bar at 90%+ usage
• Orange warning at 70%+ usage
• Clear upgrade CTAs when approaching limits
• Red banner with upgrade link for users at risk

📦 Widget Update:

• Published @provenix/widget v0.1.1-preview to NPM
• Updated URLs and fixed integration issues

🏗️ Architecture:

• Removed duplicate rate limiting from auth middleware
• Better separation of concerns: auth verifies identity, separate middleware enforces limits
• Consistent 429 response format across all endpoints

🎉 NPM Package Publishing:

• Published @provenix/sdk to NPM (v0.1.0-preview)
• Published @provenix/widget to NPM (v0.1.0-preview)
• Published @provenix/shared to NPM (v0.1.0-preview)
• Widget now available via unpkg CDN
• Complete developer self-serve onboarding enabled
• Documentation updated with real package names and CDN URLs

✅ End-to-End Testing:

• Comprehensive test suite created
• NPM package installation verified
• Widget CDN confirmed functional
• API health validated (sign/verify endpoints)
• Authentication working correctly
• Interactive widget test page generated

🎨 Professional Branding:

• Professional logo integration (light + dark mode variants)
• Theme-aware logo switching in navigation
• Logo size optimised for visibility (40% larger on mobile)
• Transparent backgrounds for seamless integration
• Interactive widget theme comparison slider in docs

🔒 Audit Trail System:

• Comprehensive security event logging (auth, API keys, security events)
• Database-backed audit log storage with indexed queries
• IP address and user agent tracking for forensics
• Severity levels (info, warning, critical)
• Dashboard UI for viewing audit history (/dashboard/audit-logs)
• RESTful API endpoint (/api/v1/audit-logs) with filtering

Enhanced Rate Limiting:

• IP-based rate limiting (30 req/hour) for auth endpoints to prevent brute force attacks
• Tier-based rate limiting for API keys (100/hr free, 400/hr starter, 1,000/hr growth, 2,500/hr pro, 100,000/hr enterprise)
• Both hourly and daily limits enforced
• Rate limit info exposed via X-RateLimit-* response headers
• Automatic cleanup of expired entries to prevent memory leaks

Mobile Responsive Fixes:

• Verification code inputs now properly sized on mobile devices
• Password requirements grid stacks vertically on small screens
• Dashboard create key form stacks vertically on mobile
• Navigation padding reduced for better mobile experience

Stripe Billing:

• Test mode fully configured with webhooks
• Comprehensive setup and testing documentation
• Ready for end-to-end checkout testing

SDK & Widget:

• Fixed ESM import issues (explicit .js extensions)
• SDK tested with standalone test script
• Widget tested with sample HTML page
• Verified sign, verify, and tamper detection functionality

Email Verification System:

• 6-digit code verification for new signups (10-minute expiry)
• Resend integration with beautiful HTML email templates
• Verification page with auto-focus and paste support
• Password requirements enforced (8 chars, uppercase, number, special char)
• Graceful email fallback (logs to console if sending fails)

New Endpoints:

• /api/v1/auth/verify-email - Verify code and issue JWT
• /api/v1/auth/resend-verification - Resend verification code

Real-Time Usage Tracking:

• New /api/v1/usage endpoint with JWT authentication
• Dashboard now displays actual usage data instead of mock data
• Usage limits based on subscription tier (Free/Paid)
• First API call celebration triggers on real usage