Release notes

Product changelog

One place for new features, behavior changes, and quality and security fixes. Filter by category, or use the version timeline to jump straight to a specific release.

Versions are written in the Keep a Changelog + semver format.

Latest version: v3.4.0 (2026-04-22)

Release entries: 39. Semver, product notes and legacy history.

Categories: 5. Added, Changed, Fixed, Security, Deprecated.

v3.4.0

2026-04-22
Added (3 changes)
  • Added the public legal document suite for Privacy Policy, Terms, GDPR, Cookies, DPA, SLA and Security, with sticky table of contents, document metadata and PDF download slots. This release gives procurement and compliance teams a single source of truth before the first sales call. See legal document RFC.
  • Added the Product Tour section on the homepage with real product screenshots for Command Center, Inbox, Agents Studio and Quality Lab. The tour replaces static mockups with screenshot-led proof so buyers can understand the product without logging in.
  • Added roadmap feedback capture under /roadmap, posting to /api/public/feedback and storing the suggestion as an operational contact_messages record. Product can now triage roadmap requests by module, priority and buying impact.
Changed (2 changes)
  • Changed the marketing navigation to include mega-menu groups for Operations, Knowledge and Quality, Control and Developer. The menu now supports hover, focus, Escape close and keyboard navigation in the same interaction model.
  • Changed the first viewport on the homepage to use product screenshots framed like a real monitor, improving perceived clarity and reducing the amount of generated UI decoration.
Fixed (2 changes)
  • Fixed duplicate Knowledge / RAG navigation entries in the dashboard sidebar. Existing deep links still redirect to the canonical Knowledge page, so bookmarked routes do not break.
  • Fixed empty sidebar badges for modules with zero items. Counts now render only when the loader returns a positive value.
Security (1 change)
  • Documented the latest DPA subprocessor model, transfer safeguards and incident response obligations. The public pages now cross-link to DPA, RODO, Security and SLA so audit reviewers can follow the evidence trail.
Deprecated (1 change)
  • Deprecated hand-built marketing mockups in favor of production screenshots on public product sections. New public product visuals should use ProductScreenshot with assets from /public/images/products.

v3.3.0

2026-03-27
Added (3 changes)
  • Added the Bot Builder acceptance pack: six-step wizard, Studio shell, live preview contracts, versioning, share preview and playground endpoints. This release does not make every provider fully configured by default, but it locks the product shape that customers will use most often. See bot builder RFC.
  • Added official industry template seeds for clinic booking, e-commerce returns, real estate lead qualification, legal intake, restaurant reservations, recruitment, IT support, finance pre-loan, education, gym, SaaS CS and custom from scratch.
  • Added Supabase migrations for bot drafts, versions, share previews, preview feedback, A/B tests and collaborators. These tables are workspace-scoped and prepared for RLS and realtime presence.
Changed (2 changes)
  • Changed bot editing from a simple settings form into a staged builder model with smart defaults, autosave and a persistent preview column. The goal is to keep the beginner path calm while keeping advanced settings reachable.
  • Changed bot templates so the same JSON config can seed a dashboard flow, API flow or future marketplace entry.
Fixed (1 change)
  • Fixed build-time route coverage for /dashboard/boty/[id]/wizard, /playground, /wersje, /analytics, /deploy and /share-preview/[token]. These routes now compile with typed props and can be expanded without changing navigation contracts.
Security (1 change)
  • Added validation hooks for bot publish, rollback and share-preview creation. Public preview links can be expired and optionally protected with a password hash.
Deprecated (1 change)
  • Deprecated single-page bot creation without template context. New bot creation should start from /dashboard/boty/nowy or the template API.

v3.2.0

2026-03-12
Added (3 changes)
  • Added the dashboard wiring audit foundation with scripts/audit-wiring.ts, report generation and categories for dead onClicks, broken links, hardcoded KPI values, missing form handlers and dashboard mock-data imports. This gives engineering a repeatable way to find empty UI before release.
  • Added local ESLint plugin rules for empty click handlers and hardcoded KPI patterns. The rules run in pre-commit so empty actions are caught before they reach review.
  • Added the complete API inventory document and placeholder coverage strategy for Inbox, Leads, Bots, Agents, Voice, Knowledge, Automations, CRM, Integrations, Analytics, Billing, Compliance, Security, Webhooks, Workspaces and public forms.
Changed (1 change)
  • Changed the project workflow so every wiring section is expected to finish with typecheck, lint, build and a focused commit. This keeps large product wiring work reviewable instead of arriving as one risky mega-change.
Fixed (1 change)
  • Fixed the first audit reports to normalize internal links, hash links and route handlers. The scanner now distinguishes navigation-only links from broken product actions.
Security (1 change)
  • Added audit requirements to every write endpoint pattern: rate limit, Zod validation, auth, workspace check, RLS-backed data access and logAudit.
Deprecated (1 change)
  • Deprecated console-only handlers and TODO-only form flows in dashboard modules. Any future placeholder must render an EmptyState with an explicit CTA and reason.

v3.1.0

2026-02-26
Added (3 changes)
  • Added the unified dashboard component library under components/ui/data, including KpiCard, MetricCard, Sparkline, MultiLineChart, DonutChart, AreaChart, BarLineChart, StatusBadge, ChannelPill, PriorityChip, DataTable, PageShell, EmptyState, LoadingSkeleton, Drawer, CodeBlock and related primitives.
  • Added value-based chart coloring through lib/chart-colors.ts, including metric thresholds for quality score, hallucination, citation coverage, freshness, latency, MFA coverage, RLS audit, uptime and revenue health.
  • Added marketing mockup splitting into Command Center, Inbox, Agents, Quality and phone preview components, all backed by editable marketing data.
Changed (1 change)
  • Changed dashboard pages to share PageShell layouts and common data primitives, reducing repeated one-off UI in module pages. The result is a tighter app surface with consistent cards, tables, badges and loading states.
Fixed (1 change)
  • Fixed inconsistent status colors by moving badges, priority chips and confidence bars to shared tone utilities. The same performance value now maps to the same visual meaning across modules.
Security (1 change)
  • Added accessible chart contracts with role="img" and screen-reader table fallbacks. This improves audit readiness for customers who require accessibility evidence in procurement.
Deprecated (1 change)
  • Deprecated hardcoded chart colors directly inside dashboard components. New chart implementations must use tokenized tones or explicit qualitative palettes.

v3.0.0

2026-02-12
Added (3 changes)
  • Added the new dashboard module set for Voice, Knowledge / RAG, Automations, CRM, Integrations, Analytics, Billing, Compliance, Security, Developer, Mobile, Settings, Admin and Agency. Each module was designed around empty, loading and populated states.
  • Added demo mode separation via NEXT_PUBLIC_DEMO_MODE, loader source metadata and a visible demo banner. Sales can show populated dashboards while production runtime remains connected to loaders.
  • Added onboarding checklist visibility across dashboard pages, encouraging the first bot, first channel, team invite, billing setup and MFA enablement.
Changed (1 change)
  • Changed the application from a few hero dashboard screens to a broader operating system shell. The sidebar, top navigation and module pages now support a larger product without collapsing into disconnected sections.
Fixed (1 change)
  • Fixed public offline and auth screens to align with the light landing design, including clearer CTA hierarchy, minimal card surfaces and accessible focus states.
Security (1 change)
  • Added security and compliance module requirements for active sessions, failed logins, MFA coverage, CSP violations, RLS audit pass rate, DSAR queue and evidence downloads.
Deprecated (1 change)
  • Deprecated dark split-screen auth as the default experience. The primary auth layout now follows the light landing design with a single centered card.

v2.9.0

2026-01-29
Added (3 changes)
  • Added the expanded marketing homepage with Live Demo, How It Works, industry use cases, testimonials, integrations, trust strip, newsletter and final CTA. The page now explains both the product surface and the adoption path.
  • Added ProductScreenshot assets and framing utilities so the homepage can show realistic application screens instead of generated dashboards. The real product should lead the story whenever a customer is evaluating trust.
  • Added missing public pages for contact, about, careers, pricing estimate, case studies, SLA, integrations, cookies and legal documents.
Changed (1 change)
  • Changed the top navigation into a mega-nav with grouped product areas and a mobile fullscreen overlay. Navigation now scales with the product catalog without burying key CTA buttons.
Fixed (1 change)
  • Fixed footer coverage so resource, company and compliance links point to existing marketing pages. Broken public links are now covered by E2E expectations.
Security (1 change)
  • Added cookie consent plumbing and public form endpoints for newsletter, contact and pricing requests. Tracking scripts remain gated by consent state.
Deprecated (1 change)
  • Deprecated public links to unfinished placeholder pages. Future footer additions must ship with a corresponding page or explicit external URL.

v2.8.0

2025-12-18
Added (3 changes)
  • Added AI Quality Lab concepts for datasets, benchmark runs, alerts, model router events and cost optimization. The release introduced the measurement vocabulary used later by dashboard and bot builder flows.
  • Added Knowledge / RAG console requirements for source connectors, document tables, embedding model selection and citation playground tests.
  • Added Voice Contact Center concepts for live calls, transcripts, TTS voice previews, ASR selection and escalation policy graphs.
Changed (1 change)
  • Changed the product roadmap from "chatbot widget first" to "AI Business OS" with quality, compliance and operational analytics treated as first-class modules.
Fixed (1 change)
  • Fixed the RAG page direction so Knowledge became the canonical module name while legacy Wiedza / RAG routes can redirect or remain as aliases.
Security (1 change)
  • Added guidance that demo data must never be imported into dashboard runtime unless demo mode is explicitly enabled.
Deprecated (1 change)
  • Deprecated standalone RAG mockups that cannot trace answers back to citations. Future RAG visuals must include citation coverage and freshness signals.

v2.7.0

2025-11-27
Added (3 changes)
  • Added the first enterprise security model: session management, MFA coverage, CSP violation tracking, password policy forms and RLS audit pass rate. These concepts shaped the later admin security page.
  • Added compliance evidence concepts for SOC 2 Type II, GDPR DPIA, retention policies and DSAR pipelines.
  • Added Developer Platform surfaces for API keys, webhook endpoints, recent deliveries, SDK snippets and copy actions.
Changed (1 change)
  • Changed admin and agency shells to use variants of the same AppShell instead of separate navigation systems. This makes platform, agency and customer workspaces easier to reason about.
Fixed (1 change)
  • Fixed billing vocabulary by standardizing plan, usage, invoices, payment method and upgrade CTA naming across public and dashboard surfaces.
Security (1 change)
  • Added audit-log-first expectations for every dashboard mutation, including status changes, approval actions, API key revoke and session logout.
Deprecated (1 change)
  • Deprecated generic "Coming soon" cards in admin and compliance modules. Empty states now require a clear title, explanation and action.

v2.6.0

2025-10-30
Added (3 changes)
  • Added Unified Inbox concepts for saved views, queues, SLA timers, bulk actions, AI Draft, internal notes, tags, assignment, priority and lead score. The release defined Inbox as the operational center rather than a simple message list.
  • Added CRM concepts for contacts, scoring, interaction timelines and a five-column pipeline view.
  • Added automation flow concepts with trigger icons, vertical node editors and run history.
Changed (1 change)
  • Changed conversations from channel-specific records into a workspace-scoped unified model. This allowed WhatsApp, Messenger, email, chat, Instagram, voice and SMS to share queues and SLA logic.
Fixed (1 change)
  • Fixed early navigation labels so "Leady", "Inbox", "Boty" and "Agenci AI" remain consistent between sidebar, mobile nav and page headers.
Security (1 change)
  • Added role-aware assignment and workspace scoping requirements for Inbox actions. Conversations should never leak across workspaces or agencies.
Deprecated (1 change)
  • Deprecated static conversation counts in the sidebar. Counts must be loader-driven and hidden when zero.

v2.5.0

2025-09-25
Added (3 changes)
  • Added the first marketing design system for dark hero, cyan accent, product screenshot framing and enterprise trust language. It established the visual direction still used in current public pages.
  • Added offline page requirements with local cache, queued actions, auto-retry, encrypted local data copy and service worker fallback.
  • Added auth screens with clean light design, SSO buttons, magic link option, field validation, loading states and accessible focus rings.
Changed (1 change)
  • Changed public copy from generic chatbot positioning to AI Business OS language for conversations, leads, agents and compliance. The shift made Voice, API and security easier to explain as one platform.
Fixed (1 change)
  • Fixed mobile-first expectations for auth, offline and marketing pages so forms do not require horizontal scroll and CTAs remain visible on small screens.
Security (1 change)
  • Added TLS, SOC 2, MFA and privacy trust cues to auth and offline flows. Security evidence became part of product UX rather than a footer-only claim.
Deprecated (1 change)
  • Deprecated gradient-heavy CTA styles on light auth pages. Primary auth CTA uses the same black-navy button language as the landing page.

0.27.0

2026-05-03
Added (7 changes)
  • Iteration 27 Unified Inbox v3: queue-driven /dashboard/inbox with unassigned, assigned-to-me, urgent, SLA risk, VIP, voice and social queues.
  • Migration 030_unified_inbox_v3.sql with inbox operational fields, conversation_internal_notes, conversation_events, inbox_saved_filters, inbox_bulk_actions and expanded offline sync action types.
  • lib/inbox-v3.ts and lib/inbox-v3-server.ts for typed queue counts, SLA state, timeline serialization, filters and server snapshot loading.
  • Inbox APIs for notes, saved filters, bulk actions, suggested replies and the main list/reply/update route with Zod validation, auth guards, rate limits, structured logs and Sentry capture.
  • Offline sync support for conversation assignment, priority, status and internal notes.
  • Unit, E2E/a11y and k6 coverage for inbox helpers, auth guards, mobile viewport and list/send load paths.
  • docs/reports/iteration-27.md with the implementation report and external verification limits.
Security (3 changes)
  • Assignment, status, priority, VIP, notes, saved filters and bulk actions write to audit_log where they affect operational state.
  • New inbox tables use UUID primary keys, created_at, updated_at, triggers, RLS policies and workspace/user FK indexes.
  • Internal note mentions are filtered to members of the active workspace before persistence.

0.26.0

2026-05-03
Added (8 changes)
  • Iteration 26 Global Command Center: rebuilt /dashboard with real workspace KPI tiles, global search, alert center, role-aware quick actions and system health strip.
  • Migration 029_global_command_center.sql with job_runs and command_center_search_queries, RLS policies, FK indexes and updated_at triggers.
  • lib/command-center.ts for KPI aggregation, alert derivation, health normalization and typed global search without demo data.
  • lib/job-runs.ts and health-check-cron job run recording for first-party Inngest health visibility.
  • API route GET /api/dashboard/command-center/search with Zod validation, dashboard rate limit, membership guard, structured logs and Sentry capture.
  • CommandCenterSearch client component with typed response parsing and workspace-scoped filters.
  • Unit, E2E and k6 coverage for Command Center helpers, auth/search smoke, mobile overflow and load guard.
  • docs/reports/iteration-26.md with implementation report and limitations.
Security (3 changes)
  • Search queries are persisted for workspace-scoped observability without exposing direct operational write policies.
  • New operational tables use UUID primary keys, created_at, updated_at, RLS and workspace/user FK indexes.
  • The search endpoint checks authenticated workspace membership before any service-role query.

0.25.0

2026-05-02
Added (10 changes)
  • Iteration 25 Native Mobile: Capacitor shell in packages/mobile with generated ios/ and android/ projects, pinned native plugin dependencies and App Store submission runbook.
  • Migration 028_push_v2_mobile_offline.sql with native push columns, mobile_device_registrations, offline_sync_queue, app_versions, RLS policies, FK indexes and updated_at triggers.
  • lib/native.ts bridge for push permission/token, biometric auth, haptics, share, clipboard, camera, device info, status bar and deep links.
  • Offline-first data layer: lib/offline-store.ts, lib/offline-sync.ts, service worker dashboard cache, Background Sync trigger and cache invalidation via BroadcastChannel.
  • Unified push v2 sender in lib/push-v2.ts for Web Push, APNs and FCM.
  • Mobile APIs: /api/push/subscribe, /api/dashboard/devices, /api/dashboard/sync.
  • Mobile UI components: inbox with pull-to-refresh/swipe-to-archive/infinite scroll, lead cards, bot cards, bottom sheet, biometric lock and offline banner.
  • k6 baseline scripts/load/offline-sync.js and npm run load:offline-sync.
  • docs/architecture/ADR-018.md and docs/reports/iteration-25.md.
  • Native app identifiers, permissions, custom URL scheme, iOS APNs entitlement and privacy manifest for store-readiness.
Changed (4 changes)
  • Push workspace fan-out now uses the unified push v2 sender and soft-revokes expired subscriptions instead of deleting rows.
  • Push subscription and device endpoints now verify workspace membership and fail closed with structured error handling.
  • Offline sync now applies real server-side mutations for widget inbox replies, lead status, lead notes, conversation resolution and agent presence.
  • Capacitor root dependencies were aligned to the same 6.x major line used by the mobile workspace.
Security (4 changes)
  • Native device registration requires authenticated workspace membership.
  • Offline sync mutations are idempotent through client_action_id and audited in offline_sync_queue.
  • Push unsubscribe uses soft revocation (revoked_at) for auditability.
  • Weak random fallback was removed from offline idempotency and device id generation.

0.24.0

2026-05-01
Added (17 changes)
  • Iteration 24 Security Hardening v2: migration 027_security_hardening_v2.sql with security_events, ip_blocklist, csp_violation_reports, security_anomaly_thresholds tables, v_rls_audit view, _security_audit_definer_functions audit RPC, cleanup_expired_ip_blocklist, record_security_event helper functions, and a hardening DO block that retrofits SET search_path = public, pg_catalog onto every existing SECURITY DEFINER function.
  • lib/security-headers.ts — centralized hardened headers builder with per-request CSP nonce (generateCspNonce, 16 random bytes / 128-bit entropy), buildCspDirective (nonce + 'strict-dynamic', no unsafe-eval, full directive set including report-uri + report-to), buildPermissionsPolicy (FLoC + Topics + Privacy Sandbox blocked), and parseCspReport (legacy csp-report + Reporting API formats).
  • lib/security-events.ts — typed recordSecurityEvent() + recordAndMaybeBlock() API with 26 strict event types (auth, authz, injection, rate_limit, moderation, webhook, storage, ip, csp, generic) and 4 severity levels.
  • lib/security-monitor.ts — Inngest-driven anomaly detector with 4 active rules (brute_force_per_ip, credential_stuffing_global, moderation_spike, webhook_signature_failures), tunable thresholds via DB, wasRecentlyRecorded deduplication, auto-block on critical severity.
  • lib/ip-blocklist.ts — two-tier blocklist (Postgres source of truth + Upstash Redis hot cache), Edge-safe isIpBlocked() reads, addToBlocklist() / removeFromBlocklist() / rebuildBlocklistCache() mutations, fail-open on Redis outage.
  • Inngest crons: securityMonitor (every 5 min) + ipBlocklistCacheRebuild (hourly), registered in /api/inngest/route.ts.
  • API routes: POST /api/security/csp-report (browser → DB), GET|POST /api/admin/security/events (list / acknowledge), GET|POST /api/admin/security/blocklist (list / add / remove / rebuild_cache).
  • Admin dashboard /admin/security — KPI strip (open critical/high, blocklist size, RLS-missing tables) + open events table + IP blocklist table + RLS audit + SECURITY DEFINER audit + CSP violation reports.
  • CI workflow .github/workflows/security.yml — npm audit (critical hard-fails), Snyk, gitleaks + trufflehog secret scanning, license-checker (blocks GPL v3+ in production deps), Retire.js on widget bundle, CycloneDX + SPDX SBOM, RLS audit (Postgres service container), Trivy filesystem scan, Mozilla Observatory smoke (warn-only).
  • scripts/security/audit-rls.sql — fail-closed audit for missing RLS, missing policies, and SECURITY DEFINER functions without search_path.
  • scripts/security/check-headers.mjs — production header smoke test (HSTS / CSP / COOP / Permissions-Policy / no unsafe-eval).
  • scripts/security/generate-sbom.mjs — local SBOM generator (CycloneDX or SPDX).
  • docs/runbooks/incident-response.md — full runbook (severity matrix, P0/P1 paging flow, breach response with RODO 72h notification, war-room SOP, per-rule playbooks, post-mortem template).
  • docs/architecture/ADR-026.md — security hardening v2 decision (CSP nonce, Edge IP blocklist, anomaly detection vs Cloudflare WAF).
  • New audit event types: security.alert_triggered, security.incident_acknowledged.
  • Iteration 24 unit tests in __tests__/lib/{security-headers,security-events,ip-blocklist,security-monitor}.test.ts.
  • Iteration 24 E2E tests in tests/e2e/iteration-24-security.spec.ts (header coverage, CSP enforcement, CSP report endpoint, admin endpoint auth guards, OWASP smoke).
Changed (7 changes)
  • Fixed Iteration 24 review blockers: 027_security_hardening_v2.sql no longer uses now() inside a partial index predicate, new security tables now follow UUID/created_at/updated_at hygiene, and static tests assert this cannot regress.
  • Admin security guards now fail closed with 401/403 when auth/env is missing, instead of leaking 500s from admin-only endpoints.
  • lib/knowledge.ts now lazy-loads pdf-parse only when PDF parsing is actually needed, so protected dashboard API modules can reject unauthenticated requests before loading Node-only parser code.
  • middleware.ts now (1) checks the IP blocklist on every non-asset request — blocked IPs receive a generic 403, (2) generates a per-request 128-bit CSP nonce stored in x-dl-csp-nonce header for downstream Server Components, (3) applies the full hardened header set via buildRequestSecurityHeaders to every response.
  • next.config.mjs migrated CSP from Content-Security-Policy-Report-Only (with unsafe-inline) to per-request enforce path applied by middleware. Static fallback ships HSTS / COOP / COEP / Permissions-Policy with a hardened Permissions-Policy and a separate header rule for /widget/* (relaxed CORP) and /api/dashboard/* (forced Cache-Control: no-store).
  • docs/runbooks/key-rotation.md extended with Iteration 24 secret rotation cadences (ENCRYPTION_KEY two-key window pattern, STRIPE_WEBHOOK_SECRET Stripe-rotation overlap, blocklist Redis key rotation).
  • .env.local.example — added CSP_ENFORCE, CSP_REPORT_URI, HSTS_MAX_AGE, MFA_GRACE_PERIOD_HOURS, MFA_TOTP_ISSUER, SECURITY_ALERT_EMAIL, IP_BLOCKLIST_REDIS_KEY, PAGERDUTY_INTEGRATION_KEY, SNYK_TOKEN.
Security (12 changes)
  • script-src no longer allows 'unsafe-inline'; CSP now relies on per-request nonce plus 'strict-dynamic'.
  • Security CI now hard-fails on npm audit --audit-level=high, missing SNYK_TOKEN, Snyk high/critical findings, migration/RLS audit failures and Mozilla Observatory grade below A on main.
  • scripts/security/check-headers.mjs, __tests__/lib/security-headers.test.ts, tests/security-hardening-static.test.ts and tests/e2e/iteration-24-security.spec.ts now block regressions for the Iteration 24 review findings.
  • Content-Security-Policy moved from Report-Only to enforce with strict per-request nonce + 'strict-dynamic'. 'unsafe-eval' is never allowed; CI smoke-test check-headers.mjs blocks regressions. CSP_ENFORCE=false env hatch reverts without redeploy.
  • Cross-Origin-Opener-Policy same-origin + Cross-Origin-Embedder-Policy credentialless enable cross-origin isolation, eliminating Spectre / cross-site capability leaks.
  • Permissions-Policy locks down geolocation, payment, USB, MIDI, sensors, FLoC, Topics API, Privacy Sandbox advertising APIs, leaving only camera/microphone (self) for the voice bot.
  • IP blocklist enforced at the Edge — blocked IPs cannot reach any route except the public CSP report endpoint and static assets.
  • Auto-blocking: securityMonitor extends the blocklist for 60 minutes when a severity=critical event fires (brute force, credential stuffing).
  • All SECURITY DEFINER Postgres functions now have explicit SET search_path = public, pg_catalog — eliminates search_path injection class.
  • New security_events table is append-only for non-admins (no UPDATE/DELETE policies); acknowledgement is the only mutation, performed by platform admins via audited API.
  • Supply chain: CI hard-fails on npm audit critical, gitleaks secret detection in PR diff, trufflehog --only-verified over full git history, GPL v3+ license, Trivy CRITICAL/HIGH CVEs.
  • SBOM (CycloneDX + SPDX) generated nightly and archived as artifact for 90 days — auditor-ready.
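
The CSP changes listed for this release (a per-request 128-bit nonce with 'strict-dynamic', no 'unsafe-inline' or 'unsafe-eval' in script-src, and a report endpoint that accepts both the legacy csp-report and the Reporting API formats) can be sketched as below. This is an added example, not the project's lib/security-headers.ts: the function names (makeNonce, buildCsp, auditCsp, parseReport), the directive set, the report-to group name and the size limits are assumptions, and the sample report bodies are constructed.

```typescript
// Added example: not the project's lib/security-headers.ts. All names, the
// directive set and the limits below are assumptions made for illustration.
import { randomBytes } from "node:crypto";

// 16 random bytes = 128 bits of entropy; generate a fresh value per response.
export function makeNonce(): string {
  return randomBytes(16).toString("base64");
}

// Enforcing policy: a script runs only if it carries the nonce, or was loaded
// by a script that does ('strict-dynamic').
export function buildCsp(nonce: string, reportUri: string): string {
  const directives: Array<[string, string[]]> = [
    ["default-src", ["'self'"]],
    ["script-src", [`'nonce-${nonce}'`, "'strict-dynamic'"]],
    ["object-src", ["'none'"]],
    ["base-uri", ["'self'"]],
    ["frame-ancestors", ["'none'"]],
    ["report-uri", [reportUri]],
    ["report-to", ["csp-endpoint"]], // assumed Reporting API group name
  ];
  return directives.map(([name, values]) => `${name} ${values.join(" ")}`).join("; ");
}

// Regression check in the spirit of a header smoke test; returns findings.
export function auditCsp(policy: string): string[] {
  const findings: string[] = [];
  if (policy.includes("'unsafe-eval'")) findings.push("'unsafe-eval' present");
  const scriptSrc = policy
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((tokens) => tokens[0] === "script-src");
  if (!scriptSrc) return [...findings, "script-src missing"];
  if (scriptSrc.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
  if (!scriptSrc.some((t) => /^'nonce-[A-Za-z0-9+\/=_-]{22,}'$/.test(t))) {
    findings.push("script-src has no 128-bit nonce");
  }
  if (!scriptSrc.includes("'strict-dynamic'")) findings.push("script-src lacks 'strict-dynamic'");
  return findings;
}

export interface CspViolation {
  documentUri: string;
  directive: string;
  blockedUri: string;
}

const MAX_FIELD = 2048; // cap stored field length; the endpoint is public
const MAX_REPORTS = 50; // cap reports accepted per request body

function str(v: unknown): string {
  return typeof v === "string" ? v.slice(0, MAX_FIELD) : "";
}

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Normalize both wire formats. Input comes from any browser, so every field
// is type-checked and truncated, and malformed bodies yield an empty list.
export function parseReport(raw: string): CspViolation[] {
  let data: unknown;
  try { data = JSON.parse(raw); } catch { return []; }
  const out: CspViolation[] = [];
  const legacy = isRecord(data) ? data["csp-report"] : undefined;
  if (isRecord(legacy)) {
    out.push({
      documentUri: str(legacy["document-uri"]),
      directive: str(legacy["effective-directive"]) || str(legacy["violated-directive"]),
      blockedUri: str(legacy["blocked-uri"]),
    });
  }
  const items: unknown[] = Array.isArray(data) ? data : [];
  for (const item of items.slice(0, MAX_REPORTS)) {
    if (!isRecord(item) || item["type"] !== "csp-violation") continue;
    const body = item["body"];
    if (!isRecord(body)) continue;
    out.push({
      documentUri: str(body["documentURL"]),
      directive: str(body["effectiveDirective"]),
      blockedUri: str(body["blockedURL"]),
    });
  }
  return out.filter((v) => v.directive !== "");
}

// Constructed sample bodies (not captured traffic).
export const LEGACY_SAMPLE = JSON.stringify({
  "csp-report": { "document-uri": "https://app.example.test/", "effective-directive": "script-src-elem", "blocked-uri": "inline" },
});
export const REPORTING_API_SAMPLE = JSON.stringify([
  { type: "csp-violation", body: { documentURL: "https://app.example.test/", effectiveDirective: "script-src-elem", blockedURL: "https://cdn.example.test/x.js" } },
  { type: "deprecation", body: { id: "ignored" } },
]);
```

The nonce passed to buildCsp must also be set on every inline script tag of the same response; a nonce that is cached or reused across responses gives no protection.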

0.23.0

2026-05-01
Added (12 changes)
  • Iteration 23 Internationalization & Accessibility: migration 026_i18n_a11y.sql with profiles.preferred_locale, workspaces.default_locale, supported_locales reference table, accessibility_audit_log, locale distribution view and inheritance trigger.
  • next-intl integration with i18n/request.ts configuration, messages/<locale>/<namespace>.json bundles for Polish, English and German across common, auth, dashboard, billing, bot, email, errors, compliance namespaces.
  • lib/i18n.ts with locale validation, Accept-Language parsing with q-factor support, resolveLocale priority chain (cookie → profile → header → default) and Intl.*-backed formatCurrency / formatNumber / formatDate / formatRelativeTime helpers.
  • LocaleSwitcher client component (select + compact variants) and /api/dashboard/locale endpoint setting NEXT_LOCALE cookie and persisting to profiles.preferred_locale for cross-device default.
  • Accessibility helpers: SkipToContent (WCAG 2.4.1), LiveRegion / useAnnouncer (WCAG 4.1.3), VisuallyHidden, useFocusTrap (WCAG 2.1.2 + 2.4.3) and prefers-reduced-motion global handling.
  • RTL readiness: <html dir="…"> driven by getDirection(locale) in root layout, CSS logical properties, RTL_LOCALES constant pre-declared (ar, he, fa, ur).
  • High-contrast (forced-colors) media query support and locale-aware <html lang="…"> (BCP-47 tag).
  • Iteration 23 unit tests in __tests__/lib/i18n.test.ts (locale validation, header parsing, resolution priority, formatters).
  • Message catalog regression test in tests/i18n-messages.test.ts covering all registered namespaces and requiring PL/EN/DE key parity.
  • Iteration 23 E2E tests in tests/e2e/iteration-23-i18n-a11y.spec.ts and dedicated axe-core suite in tests/e2e/iteration-23-a11y.spec.ts.
  • Dedicated .github/workflows/a11y.yml blocking PRs on axe-core critical/serious violations for the Iteration 23 route set.
  • ADR-023 documenting the choice of next-intl + cookie-based locale routing without URL prefixes.
Changed (8 changes)
  • Root layout (app/layout.tsx) now wraps the tree in NextIntlClientProvider and sets <html lang> / <html dir> from the resolved locale.
  • Top-level middleware.ts resolves the request locale from Accept-Language and forwards it as x-dl-locale header.
  • i18n/request.ts now applies the real priority chain cookie → profiles.preferred_locale → middleware/header → default, reading the authenticated profile server-side when Supabase env is available.
  • Auth forms, key marketing pages, /status, /dashboard, /dashboard/boty/[id], /dashboard/inbox, /dashboard/leady and /dashboard/rozliczenia moved their visible copy to next-intl namespaces.
  • BillingConsole and InboxConsole now format dates/numbers with useLocale() and use logical ms/me/pe classes on the converted UI paths.
  • next.config.mjs wired through createNextIntlPlugin("./i18n/request.ts"), hardened Permissions-Policy (blocks interest-cohort and browsing-topics) and added Cross-Origin-Opener-Policy: same-origin.
  • playwright.a11y.config.ts focuses the Iteration 23 a11y suite and scans the required 10+ routes on desktop and mobile.
  • viewport.maximumScale raised from 1 to 5 to satisfy WCAG 1.4.4 (Resize Text).
Security (2 changes)
  • New accessibility_audit_log table is restricted to platform admins via RLS; reference table supported_locales exposes only active rows publicly.
  • Locale persistence endpoint validates input via Zod and never trusts the client to write arbitrary strings to profiles.preferred_locale.
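The locale handling listed for 0.23.0 (Accept-Language parsing with q-factors, the cookie → profile → header → default chain, and refusing arbitrary strings for profiles.preferred_locale), as an added example that is not the project's lib/i18n.ts. The default locale, the function bodies and the plain allowlist check standing in for the Zod schema are assumptions.

```javascript
// Added example, not the project's code. The supported set (pl, en, de) and the
// priority chain come from the changelog; DEFAULT_LOCALE is an assumption.
const SUPPORTED_LOCALES = ["pl", "en", "de"];
const DEFAULT_LOCALE = "pl";

// Map a client-supplied language tag to a supported locale, or null.
// "de-AT" falls back to its base language "de"; anything malformed is rejected.
function normalizeLocale(value) {
  if (typeof value !== "string" || value.length > 35) return null;
  if (!/^[A-Za-z]{2,3}(-[A-Za-z0-9]{1,8})*$/.test(value)) return null;
  const base = value.split("-")[0].toLowerCase();
  return SUPPORTED_LOCALES.includes(base) ? base : null;
}

// Strict check for the persistence path: only an exact supported value is stored.
function isStorableLocale(value) {
  return typeof value === "string" && SUPPORTED_LOCALES.includes(value);
}

// Parse Accept-Language into tags ordered by descending q (ties keep header order).
// Entries with q=0 or a malformed q parameter are dropped.
function parseAcceptLanguage(header) {
  if (typeof header !== "string" || header.length > 1024) return [];
  const entries = [];
  header.split(",").forEach((part, index) => {
    const [tag, ...params] = part.split(";").map((s) => s.trim());
    if (!tag) return;
    let q = 1;
    for (const raw of params) {
      const p = raw.replace(/\s+/g, "").toLowerCase();
      if (!p.startsWith("q=")) continue;
      const m = /^q=(0(\.\d{0,3})?|1(\.0{0,3})?)$/.exec(p);
      q = m ? Number(m[1]) : 0;
    }
    if (q > 0) entries.push({ tag, q, index });
  });
  entries.sort((a, b) => b.q - a.q || a.index - b.index);
  return entries.map((e) => e.tag);
}

// Priority chain: cookie, then stored profile value, then header, then default.
// Every source is validated, so an attacker-set cookie or header cannot inject a value.
function resolveLocale({ cookie, profile, acceptLanguage } = {}) {
  const fromCookie = normalizeLocale(cookie);
  if (fromCookie) return { locale: fromCookie, source: "cookie" };
  const fromProfile = normalizeLocale(profile);
  if (fromProfile) return { locale: fromProfile, source: "profile" };
  for (const tag of parseAcceptLanguage(acceptLanguage)) {
    const match = normalizeLocale(tag);
    if (match) return { locale: match, source: "header" };
  }
  return { locale: DEFAULT_LOCALE, source: "default" };
}

// Constructed request values for illustration.
console.log(resolveLocale({ cookie: "../../etc", acceptLanguage: "fr-CH, de-AT;q=0.8, en;q=0.95" }));
```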

0.22.0

Added, Changed, Security

Iteration 22 Advanced Integrations: migration 025_integrations_crm.sql with external_contacts, crm_sync_queue, integration_connections, integration_field_mappings, integration_sync_logs, RLS and CRM indexes.

2026-05-01
Added (7 changes)
  • Iteration 22 Advanced Integrations: migration 025_integrations_crm.sql with external_contacts, crm_sync_queue, integration_connections, integration_field_mappings, integration_sync_logs, RLS and CRM indexes.
  • Bidirectional HubSpot sync engine in lib/crm-sync.ts with outbound lead upsert, inbound webhook handling, external contact mapping, full sync and sync logs.
  • Edge HubSpot webhook receiver at /api/webhooks/hubspot with v3 HMAC verification and public webhook rate limiting.
  • HubSpot CRM dashboard at /dashboard/integracje/hubspot with status, field mapping, full sync, inbound webhook instructions and recent sync logs.
  • Salesforce sync scaffold with OAuth 2.0 PKCE, token exchange, Lead creation, Opportunity stage update and outbound message XML handling.
  • Microsoft Teams Incoming Webhook support with Adaptive Card lead notifications.
  • k6 baseline scripts/load/hubspot-webhook.js and npm run load:hubspot-webhook.
Changed (2 changes)
  • Lead created events now use HubSpotSync.pushLead() so HubSpot contact IDs are persisted in external_contacts.
  • OAuth integration support now includes Salesforce and preserves provider-specific config returned by token exchange.
Security (2 changes)
  • HubSpot webhook requests require X-HubSpot-Signature-v3 and timestamp validation before processing.
  • New CRM tables are protected by workspace-scoped RLS policies.

0.21.0

Added, Security

Iteration 21 Customer Success: migration 024_customer_success.sql with onboarding progress, NPS surveys, workspace health scores, health score history and in-app message tracking.

2026-04-30
Added (6 changes)
  • Iteration 21 Customer Success: migration 024_customer_success.sql with onboarding progress, NPS surveys, workspace health scores, health score history and in-app message tracking.
  • Health Score Engine in lib/health-score.ts with engagement, growth, feature adoption, support/compliance, billing components and daily Inngest recalculation.
  • Churn prediction in lib/churn-prediction.ts with deterministic logistic regression and recommended CS actions.
  • Dashboard onboarding checklist and NPS widget backed by /api/dashboard/onboarding/* and /api/dashboard/nps.
  • Admin Customer Success dashboard at /admin/cs with at-risk workspaces, upcoming churns, NPS and activation table.
  • NPS scheduler Inngest job and k6 baseline scripts/load/onboarding-progress.js.
Security (2 changes)
  • Customer Success tables are protected by workspace-scoped RLS policies.
  • Manual onboarding and NPS mutations are rate limited and audited.

0.20.0

Added, Changed, Security

Iteration 20 Developer Ecosystem: migration 023_webhooks_v2_cli.sql with Webhooks v2 endpoint/delivery tables, CLI device flow tokens, webhook forwarding sessions, encrypted workspace env secrets, RLS and indexes.

2026-04-30
Added (9 changes)
  • Iteration 20 Developer Ecosystem: migration 023_webhooks_v2_cli.sql with Webhooks v2 endpoint/delivery tables, CLI device flow tokens, webhook forwarding sessions, encrypted workspace env secrets, RLS and indexes.
  • Webhooks v2 delivery engine in lib/webhook-delivery.ts with Stripe-like DL-Signature, retry backoff, replay, endpoint auto-disable and Inngest retry dispatcher.
  • Dashboard /dashboard/deweloperzy/webhooks with endpoint creation, event selection, one-time secret display, test ping, secret rotation, delivery log and replay.
  • Public API v1 support for webhook endpoint CRUD and bot create/delete for infrastructure-as-code clients.
  • DarhimLabs CLI package packages/cli with dl login, workspace-aware API calls, bot commands, webhook forwarding/list/trigger/replay, knowledge upload/list/delete, lead export, env pull/push and deploy hook trigger.
  • CLI OAuth device flow endpoints under /api/cli/device, browser approval page /cli/authorize and CLI token auth middleware.
  • Terraform provider scaffold in packages/terraform-provider with real API client, darhimlabs_bot, darhimlabs_webhook_endpoint and darhimlabs_bot data source.
  • Preview environment helper lib/preview-envs.ts, script scripts/preview-env.mjs and GitHub Actions workflow .github/workflows/preview.yml.
  • k6 baseline scripts/load/webhooks-v2.js and npm run load:webhooks-v2.
Changed (3 changes)
  • API key scopes now include webhooks:read and webhooks:write.
  • Public bot detail responses include embed_script for SDK/Terraform consumers.
  • Event emission now enqueues Webhooks v2 deliveries before legacy integration dispatch.
Security (3 changes)
  • Webhook secrets are generated server-side and shown only once on create/rotation.
  • CLI access tokens and device codes are stored only as SHA-256 hashes.
  • Workspace env values pushed by CLI are AES-GCM encrypted at rest with ENCRYPTION_KEY.

0.19.0

Added, Changed, Security

Iteration 19 Compliance: migration 022_compliance_gdpr.sql with DSAR requests, erasure logs, consent records, retention policies, SOC2 evidence, HIPAA workspace controls, RLS and storage buckets.

2026-04-30
Added (8 changes)
  • Iteration 19 Compliance: migration 022_compliance_gdpr.sql with DSAR requests, erasure logs, consent records, retention policies, SOC2 evidence, HIPAA workspace controls, RLS and storage buckets.
  • GDPR automation engine in lib/gdpr.ts: DSAR export ZIP with JSON/PDF, portability CSV/JSON export, erasure/pseudonymization, retention policy runner and deadline alerts.
  • Public DSAR flow at /privacy/request and /privacy/request/[id] with email verification tokens and hCaptcha verification in production.
  • Workspace privacy dashboard at /dashboard/ustawienia/prywatnosc with DSAR processing, retention policy editing, consent stats, compliance score and HIPAA mode controls.
  • SOC2 evidence collection in lib/soc2-evidence.ts, superadmin page /admin/compliance and quarterly export endpoint /api/admin/compliance/export.
  • Inngest jobs for DSAR deadline monitoring, GDPR retention policies and weekly SOC2 evidence collection.
  • k6 baseline scripts/load/privacy-request.js and npm run load:privacy-request.
  • Unit tests for GDPR helpers and Playwright smoke tests for Iteration 19 public/dashboard routes.
Changed (3 changes)
  • Lead capture now writes consent_records for lead_processing.
  • Middleware enforces HIPAA workspace controls with MFA requirement, 8-hour session cookie TTL and 15-minute idle timeout.
  • Admin navigation includes Compliance evidence.
Security (3 changes)
  • DSAR status and verification links use SHA-256 token hashes in the database.
  • GDPR and SOC2 exports are stored only in private Supabase Storage buckets and served through short-lived signed URLs.
  • npm audit --audit-level=moderate passed with zero vulnerabilities.

0.18.0

Added, Changed, Security

Iteration 18 Performance & Scale: migration 021_performance_cache.sql with materialized analytics views, cache tables, slow query log, workspace stats counter, RLS and covering indexes.

2026-04-30
Added (8 changes)
  • Iteration 18 Performance & Scale: migration 021_performance_cache.sql with materialized analytics views, cache tables, slow query log, workspace stats counter, RLS and covering indexes.
  • Edge-compatible crypto, analytics, booking, channel sender, Inngest and Stripe REST helpers for public bot and webhook paths.
  • SWR cache layer in lib/cache.ts with Upstash Redis support, in-memory fallback, bot config cache, entitlement cache, knowledge-search cache and cache invalidation helpers.
  • Query monitoring utility in lib/query-optimizer.ts that records slow Supabase work to Sentry/logger and slow_query_log.
  • Edge dynamic widget loader at /api/bot/[id]/widget.js with ETag and CDN cache headers.
  • Node-only attachment parsing fallback at /api/bot/[id]/parse-attachment for PDF parsing libraries that cannot run on Edge.
  • k6 load baselines for chat, widget config and lead capture, plus npm run load:smoke for CI.
  • Iteration 18 Playwright smoke coverage and unit tests for Edge crypto, cache and query monitoring.
Changed (5 changes)
  • /api/bot/[id]/chat, /api/bot/[id]/config, /api/webhooks/whatsapp and /api/webhooks/messenger now declare Edge runtime.
  • Bot config responses use Cache-Control: public, s-maxage=60, stale-while-revalidate=300.
  • Hybrid RAG v2 wraps knowledge search results in the shared SWR cache.
  • Bot Voice/Agent settings updates invalidate the bot cache.
  • Next.js config enables CSS optimization, optimized package imports and AVIF/WebP image output with long static TTL.
Security (3 changes)
  • Meta webhook signature verification uses Web Crypto HMAC SHA-256 and timing-safe comparison.
  • PDF parsing is isolated to a documented Node runtime fallback route.
  • npm audit --audit-level=moderate passed with zero vulnerabilities.

0.17.0

Added, Changed, Security

Iteration 17 AI v2: Voice AI with OpenAI Realtime WebRTC client-secret flow, voice_sessions, voice_transcripts, widget microphone UI and public Edge voice token endpoint.

2026-04-29
Added (7 changes)
  • Iteration 17 AI v2: Voice AI with OpenAI Realtime WebRTC client-secret flow, voice_sessions, voice_transcripts, widget microphone UI and public Edge voice token endpoint.
  • Agent Mode with agent_tools, agent_tool_executions, ReAct loop, confirmation continuation, tool execution logging and SSRF-protected HTTP tools.
  • Real agent tool integrations for Supabase REST queries, Google Calendar, Resend email, Twilio SMS, HubSpot/Pipedrive CRM lookup/create, Stripe PaymentIntent and external sandboxed custom code.
  • Hybrid RAG v2 through lib/rag-v2.ts: dense pgvector + sparse FTS/BM25-style search fused with RRF and optional Cohere reranking.
  • Fine-tuning pipeline with dataset snapshots, JSONL export, PII filtering, OpenAI file upload, job tracking and bot activation UI.
  • Dashboard controls for Voice AI and Agent Mode on bot settings, plus dedicated Agent Tools and Fine-tuning pages.
  • k6 baseline scripts/load/voice-session.js and npm run load:voice.
Changed (2 changes)
  • lib/rag.ts now routes existing knowledge matching calls through hybrid RAG v2.
  • OpenAI Realtime default model is gpt-realtime, still overrideable through OPENAI_REALTIME_MODEL.
Security (2 changes)
  • Agent HTTP tools block loopback, private, link-local and metadata hosts and require explicit allowed domains.
  • Browser voice sessions receive only short-lived OpenAI Realtime client secrets; OPENAI_API_KEY remains server-side.

0.16.0

Added

lib/saml.ts — SP-initiated SSO over the HTTP-Redirect Binding; IdP XML metadata parsing (parseIdpMetadataXml), SP metadata generation (generateSpMetadataXml), AuthnRequest URL construction with deflate+base64+urlencode, SAMLResponse validation through @node-saml/node-saml

2026-04-27
Added (8 changes)
  • lib/saml.ts — SP-initiated SSO over the HTTP-Redirect Binding; IdP XML metadata parsing (parseIdpMetadataXml), SP metadata generation (generateSpMetadataXml), AuthnRequest URL construction with deflate+base64+urlencode, SAMLResponse validation through @node-saml/node-saml
  • lib/oidc.ts — Authorization Code Flow with PKCE (S256); auto-discovery of .well-known/openid-configuration, in-memory configuration cache (1h), code-for-token exchange, ID Token validation through JWKS (jose library)
  • lib/sso-session.ts — findOrCreateSsoUser (find/create the account + add it to the workspace), completeSsoLogin (generates a magic link through the Supabase Admin API), checkEmailDomainForSso (SSO detection by domain)
  • app/api/sso/check/route.ts — GET ?email= — detects SSO by the email domain
  • app/api/sso/saml/[slug]/metadata/route.ts — GET — SP metadata in XML format
  • app/api/sso/saml/callback/route.ts — POST — ACS endpoint (HTTP-POST Binding), runtime = "nodejs"
  • app/api/sso/oidc/[slug]/authorize/route.ts — GET — starts the OIDC flow, stores an sso_session with PKCE + nonce
  • app/api/sso/oidc/callback/route.ts — GET ?code&state — exchanges the code, verifies the ID Token, creates the session
Added (8 changes)
  • lib/scim.ts — SCIM types, extractBearerToken, hashScimToken, validateScimBearer, response builders, workspaceMemberToScimUser, roleToScimGroup, applyScimPatch (PatchOp), buildServiceProviderConfig
  • app/api/scim/v2/ServiceProviderConfig/route.ts — public SCIM SP configuration endpoint
  • app/api/scim/v2/ResourceTypes/route.ts — public, returns User and Group
  • app/api/scim/v2/Schemas/route.ts — public, full SCIM schema definitions
  • app/api/scim/v2/Users/route.ts — GET (list + userName filter, pagination), POST (idempotent provisioning)
  • app/api/scim/v2/Users/[id]/route.ts — GET, PUT (replace), PATCH (PatchOp), DELETE (204)
  • app/api/scim/v2/Groups/route.ts — GET (5 role groups), POST (idempotent)
  • app/api/scim/v2/Groups/[id]/route.ts — GET, PUT, PATCH — updates workspace_members roles
Added (6 changes)
  • app/api/dashboard/sso/route.ts — GET/POST/DELETE for the SSO configuration; SAML: parses the metadata URL/XML, encrypts the cert; OIDC: encrypts client_secret; upsert with onConflict: "workspace_id"
  • app/api/dashboard/sso/scim-token/route.ts — GET (token metadata), POST (generates a new raw token, returned only once), DELETE (revoke)
  • app/api/dashboard/sso/test/route.ts — POST — tests the SAML/OIDC connection, stores last_test_result
  • app/dashboard/ustawienia/sso/page.tsx — SSO settings page (access: owner + admin)
  • components/settings/SsoConfigForm.tsx — form with SAML/OIDC tabs, SP information, enforce_sso and is_active toggles
  • components/settings/ScimTokenCard.tsx — SCIM token management, one-time view of the raw token, Okta/Azure AD configuration instructions
Added (6 changes)
  • Table sso_configurations (UNIQUE on workspace_id, stores the encrypted cert/client_secret, domain_hint, enforce_sso, last_test_result)
  • Table scim_tokens (SHA-256 hash of the token, partial unique index for the active token, last_used_at)
  • Table sso_sessions (RelayState/state, PKCE, nonce, expires_at 10 min, no RLS for users)
  • Table sso_identities (maps provider_user_id → user_id + workspace_id, unique per provider)
  • Function cleanup_expired_sso_sessions() — deletes expired SSO sessions
  • Trigger set_updated_at on sso_configurations
Added (11 changes)
  • @node-saml/node-saml ^4.0.0 — production dependency for SAML validation
  • jose ^5.9.6 — production dependency for JWT/JWKS verification (OIDC)
  • next.config.mjs — serverExternalPackages for @node-saml/node-saml, xmldom, xml-crypto, xml2js
  • lib/inngest.ts — ssoSessionCleanup cron every 15 min (calls cleanup_expired_sso_sessions())
  • app/api/inngest/route.ts — registers ssoSessionCleanup
  • lib/audit.ts — new event types: sso.configured, sso.activated, sso.deactivated, sso.login_success, sso.login_failed, scim.user_provisioned, scim.user_deprovisioned, scim.token_regenerated
  • lib/workspace.ts — canManageSso(role) → owner | admin
  • components/dashboard/Sidebar.tsx — "SSO & Enterprise" link (with the Shield icon) visible to owner/admin
  • components/dashboard/MobileNav.tsx — canManageSso prop, "SSO & Enterprise" link in the mobile navigation
  • app/dashboard/layout.tsx — passes canManageSso to Sidebar and MobileNav
  • .env.local.example — SAML_CERT_PUBLIC, SAML_CERT_PRIVATE
Added (3 changes)
  • __tests__/lib/saml.test.ts — 20 cases: IdP XML parsing (namespace, missing prefix, errors), SP metadata generation, AuthnRequest URL, helpers (RelayState, entityId, ACS URL, PEM normalization, hashToken)
  • __tests__/lib/scim.test.ts — 25 cases: hashScimToken, extractBearerToken, workspaceMemberToScimUser, roleToScimGroup, buildScimList, extractEmail/Name, applyScimPatch (PatchOp), scimErrorResponse, buildServiceProviderConfig
  • tests/e2e/iteration-16-sso.spec.ts — 11 groups: auth guard SSO page, SCIM public endpoints, SCIM auth rejection (401), SSO check API, SAML metadata 404, Dashboard SSO auth guard, SAML/OIDC callback error redirects
Completion update (12 changes)
  • Added the fourth enterprise plan with custom quote pricing, unlimited limits, SSO, SCIM, dedicated infrastructure, data residency and SLA fields.
  • Added BUILD-SPEC-V3 compatibility SSO routes under /api/auth/sso/[workspaceSlug]/*: init, callback, oidc/callback, metadata.xml and logout.
  • Added lib/sso.ts as the Enterprise SSO facade required by the spec: SP metadata, SAML/OIDC initiation and callbacks, and JIT provisioning.
  • Hardened SAML handling with DTD/ENTITY rejection and metadata URL SSRF guards for private, loopback and link-local destinations.
  • Extended SCIM provisioning with scim_configs, group-to-role mapping, synced user counters, SCIM root discovery and dashboard editing for mapping JSON.
  • Added Enterprise contract signing and download flows backed by enterprise_contracts and the private enterprise-contracts storage bucket.
  • Added Enterprise Security dashboard panels for SSO, SCIM, Data Residency and Contracts on /dashboard/ustawienia/sso.
  • Added load testing baselines for SSO initiation and SCIM user listing in scripts/load/sso-init.js and scripts/load/scim-users.js.
  • Added npm run load:sso and npm run load:scim wrappers for local k6 execution.
  • Updated Iteration 16 documentation: README, ADR-016, secrets rotation and docs/reports/iteration-16.md.
  • Fixed production build for /offline by moving reload interactivity into a Client Component.
  • Fixed agent SSRF protection for IPv6 loopback hosts ([::1]) and IPv4-mapped IPv6 loopback addresses.
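The agent HTTP tool guard from 0.17.0 (loopback, private, link-local and metadata hosts blocked, explicit allowed domains required) together with the [::1] and IPv4-mapped IPv6 loopback fix listed above, as an added example that is not the project's code. Function names, reason strings and the allowlist passed in are assumptions.

```javascript
// Added example, not the project's code. Names, reason strings and the
// allowlist passed by callers are hypothetical.

// Dotted-quad IPv4 -> [a, b, c, d], or null when host is not an IPv4 literal.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

// IPv6 literal -> eight 16-bit groups, or null. WHATWG URL parsers serialize an
// embedded IPv4 tail as hex ("::ffff:7f00:1"); the dotted form is accepted too.
function parseIPv6(host) {
  const dotted = /^(.*:)(\d{1,3}(?:\.\d{1,3}){3})$/.exec(host);
  if (dotted) {
    const o = parseIPv4(dotted[2]);
    if (!o) return null;
    const hex = (hi, lo) => ((hi << 8) | lo).toString(16);
    host = dotted[1] + hex(o[0], o[1]) + ":" + hex(o[2], o[3]);
  }
  const halves = host.split("::");
  if (halves.length > 2) return null;
  const split = (s) => (s === "" ? [] : s.split(":"));
  const head = split(halves[0]);
  const tail = halves.length === 2 ? split(halves[1]) : [];
  const groups = head.concat(tail);
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  const missing = 8 - groups.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const toInt = (g) => parseInt(g, 16);
  return head.map(toInt).concat(new Array(missing).fill(0), tail.map(toInt));
}

// Reason string when the IPv4 address is in a range agent tools must not reach.
function blockedIPv4(o) {
  if (o[0] === 0) return "unspecified address";
  if (o[0] === 127) return "loopback address";
  if (o[0] === 169 && o[1] === 254) return "link-local address";
  if (o[0] === 10) return "private address";
  if (o[0] === 172 && o[1] >= 16 && o[1] <= 31) return "private address";
  if (o[0] === 192 && o[1] === 168) return "private address";
  return null;
}

function blockedIPv6(g) {
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
    // IPv4-mapped (::ffff:a.b.c.d): judge it by the IPv4 address it carries.
    const reason = blockedIPv4([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff]);
    return reason ? "IPv4-mapped " + reason : null;
  }
  if (g.every((x) => x === 0)) return "unspecified address";
  if (g.slice(0, 7).every((x) => x === 0) && g[7] === 1) return "loopback address";
  if ((g[0] & 0xffc0) === 0xfe80) return "link-local address";
  if ((g[0] & 0xfe00) === 0xfc00) return "private address";
  return null;
}

const BLOCKED_NAMES = ["localhost", "metadata.google.internal"];

// Exact match or subdomain on a label boundary ("notexample.com" is not "example.com").
function matchesDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide whether an agent tool may call rawUrl; deny by default.
function checkAgentUrl(rawUrl, allowedDomains) {
  const deny = (reason) => ({ allowed: false, reason });
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return deny("unparseable URL");
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return deny("scheme not allowed");
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const v4 = parseIPv4(host);
  const v6 = host.startsWith("[") ? parseIPv6(host.slice(1, -1)) : null;
  const ipReason = v4 ? blockedIPv4(v4) : v6 ? blockedIPv6(v6) : null;
  if (ipReason) return deny(ipReason);
  if (BLOCKED_NAMES.some((n) => matchesDomain(host, n))) return deny("blocked internal hostname");
  if (!allowedDomains.some((d) => matchesDomain(host, d.toLowerCase()))) {
    return deny("host not in allowed domains");
  }
  return { allowed: true, reason: "allowed domain" };
}

// Constructed inputs; prints one verdict per URL.
for (const u of ["https://api.example.com/v1", "http://[::1]/", "http://[::ffff:127.0.0.1]/"]) {
  console.log(u, JSON.stringify(checkAgentUrl(u, ["example.com"])));
}
```

These checks run on the hostname before DNS resolution, so an allowed name can still resolve to an internal address; the same range checks need to be applied to the resolved IP at connect time.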

0.15.0

Added

Guard — access through admin.darhimlabs.pl or an email listed in the ADMIN_EMAILS env; lib/admin-guard.ts also checks profiles.role = superadmin

2025-04-25
Added (7 changes)
  • Guard — access through admin.darhimlabs.pl or an email listed in the ADMIN_EMAILS env; lib/admin-guard.ts also checks profiles.role = superadmin
  • Overview /admin — MRR, ARR, plan distribution, signups 7d/30d, active bots, today's stats
  • Workspaces /admin/workspaces — list with search (email/name/plan), details page
  • Impersonation — magic link through the Supabase Admin API, written to audit_log with event=admin.impersonate
  • Coupon / trial — /api/admin/coupon, /api/admin/trial, recorded in admin_coupons and audit_log
  • Flagged accounts /admin/flagged — workspaces with PII incidents, moderation violations, high usage (>10k msg/30d)
  • Feature Flags /admin/feature-flags — toggle + rollout % slider, CRUD through /api/admin/feature-flags
Added (3 changes)
  • lib/bi-export.ts — export of daily_stats to BigQuery (dynamic import of @google-cloud/bigquery), Snowflake (snowflake-sdk) or JSONL
  • Inngest job biDailyExport — cron 0 5 * * *, respects the bi_export feature flag
  • /api/admin/export — manual export trigger from the admin panel (/admin/bi)
Added (9 changes)
  • public/manifest.json — name, icons 192/512, shortcuts (Inbox, Nowy bot), screenshots
  • public/sw.js — service worker: pre-cache, stale-while-revalidate for the API, network-first HTML, offline fallback /offline
  • app/offline/page.tsx — offline page
  • components/ServiceWorkerRegistrar.tsx — client component for registering the SW
  • app/layout.tsx — manifest, appleWebApp, viewport.themeColor = #22d3ee
  • Install prompt components/InstallPrompt.tsx — beforeinstallprompt banner with localStorage dismiss, visible in the dashboard
  • Push notifications — lib/push-notifications.ts (web-push VAPID), /api/push/subscribe (POST/DELETE), /api/push/notify (admin only)
  • components/dashboard/PushSubscriber.tsx — push subscription toggle in the dashboard
  • Wire on lead — after a lead is saved in /api/bot/[id]/lead, a push is sent to the workspace owner (fire-and-forget)
Added (5 changes)
  • Table feature_flags (key unique, enabled, rollout_pct, allowed_workspace_ids)
  • Table push_subscriptions (user_id, workspace_id, endpoint unique per user, p256dh, auth_key)
  • Table admin_coupons (workspace_id, code, discount_pct, issued_by_email)
  • ALTER audit_log: column impersonated_workspace_id
  • 6 default feature flags in the seed
Added (2 changes)
  • web-push ^3.6.7 + @types/web-push ^3.6.3
  • nanoid ^5.0.9

0.14.0

Added, Changed

Home page — hero with a live widget demo, stats bar, grid of 6 features, CTA

2025-04-25
Added (13 changes)
  • Home page — hero with a live widget demo, stats bar, grid of 6 features, CTA
  • Pricing v2 — monthly/yearly switch (−20%), message calculator, FAQ accordion
  • Features — 8 sections with an alternative grid layout
  • Marketplace templates — gallery from the database, detail pages, BotWizard pre-fill
  • Examples — 6 case studies with metrics and customer quotes
  • Blog — list of MDX posts, first articles
  • Documentation — sidebar nav, quickstart, widget installation, API reference
  • Competitor comparisons — MDX pages (darhim-vs-tidio, darhim-vs-intercom, darhim-vs-chatbot-com)
  • Changelog — CHANGELOG.md rendered through MDXRemote
  • Roadmap — kanban: Done (11), In progress (5), Planned (8)
  • DPA / GDPR — full Data Processing Agreement, table of contents, link to the PDF
  • Security — 6 pillars, certifications, data residency, responsible disclosure
  • Partners — affiliate program (30% / 12 months) and agency program (20% lifetime), commission calculator
Added (4 changes)
  • Referral program — /r/SLUG link, 1 month of Pro free for the referred user, 20% discount for the referrer
  • Affiliate program — 90-day cookie, 30% recurring for 12 months, dashboard /dashboard/partner with Stripe Connect
  • Bot directory — public /katalog (opt-in), card view with industries
  • Template pre-fill — ?template=slug during registration and bot creation fills in BotWizard
Added (2 changes)
  • Tables: bot_templates, referrals, affiliates, affiliate_conversions, bot_directory
  • 6 templates in seed.sql
Changed (2 changes)
  • BotWizard — template prop with pre-filled values
  • app/dashboard/boty/nowy/page.tsx — reads ?template=slug

0.13.0

Added, Fixed

11 new Inngest cron jobs (retention, billing digest, analytics daily, trial reminder, leads followup, health check every 5 min)

2025-04-20
Added (7 changes)
  • 11 new Inngest cron jobs (retention, billing digest, analytics daily, trial reminder, leads followup, health check every 5 min)
  • Offsite backup — pg_dump → gzip → S3/R2, GitHub Actions weekly Sunday 01:00 UTC
  • DR Runbook — docs/DR-RUNBOOK.md: Supabase down, OpenAI down (Anthropic fallback), Stripe down, Vercel down; RTO 2h, RPO 24h
  • Status page /status — uptime dots (30 days), % uptime per service
  • Health endpoint /api/health — public, checks DB / OpenAI / Resend / Stripe
  • lib/ai-provider.ts — unified provider: AI_PROVIDER=anthropic for DR fallback
  • lib/health-check.ts — runAllHealthChecks + storeHealthChecks
Added (2 changes)
  • Tables: daily_stats, health_checks
  • ALTER response_cache: column last_hit_at
Fixed (2 changes)
  • lib/inngest.ts: correct supabase.delete({ count: "exact" }) API call
  • recurringKnowledgeSync cron: every 6h → daily 04:00

0.13.0

Changed

Added migration 013_whitelabel_agency.sql with:

Iteration 10 BUILD-SPEC-V2 White-label, Custom Domains and Agency Mode
Changed (69 changes)
  • Added migration 013_whitelabel_agency.sql with:
  • an extension of workspaces with parent_workspace_id, is_agency, branding (JSONB), stripe_connect_account_id, stripe_connect_onboarding_completed_at, stripe_connect_payouts_enabled, commission_rate_bps, agency_billing_mode, powered_by_enabled, whitelabel_enabled,
  • table custom_domains with purpose (widget, dashboard, email), status (pending, verifying, verified, failed, disabled), dns_target, verify_token, verification_provider, provider_domain_id, provider_metadata, last_error, last_checked_at, verified_at,
  • table agency_commissions with amount_gross_cents, amount_net_cents, commission_cents, commission_rate_bps, status (pending, paid, failed, skipped), stripe_invoice_id, stripe_charge_id, stripe_transfer_id,
  • RPC function resolve_workspace_by_host(host_lookup),
  • RPC functions get_child_workspaces(agency_id) and is_agency_owner(target_workspace_id),
  • RLS policies for custom_domains, agency_commissions and child workspaces.
  • Added white-label and custom domain helpers:
  • lib/branding.ts (brandingInputSchema, DEFAULT_BRAND, mergeBranding, brandingFromWorkspace, isPoweredByVisible, brandingPublicPayload, normalizeBrandingForStorage),
  • lib/host.ts (normalizeHost, isValidHostname, classifyHost, isCustomDomainCandidate, protocolForHost),
  • lib/host-routing.ts (workspace resolver by host),
  • lib/custom-domains.ts (customDomainInputSchema, dnsInstructionsFor, describeDomainStatus, createCustomDomain, verifyCustomDomain, deleteCustomDomain, resolveWorkspaceByHost),
  • lib/vercel.ts (addVercelDomain, removeVercelDomain, verifyVercelDomain, getVercelDomainConfig, VercelApiError, vercelTargetForPurpose),
  • lib/resend-domains.ts (createResendDomain, verifyResendDomain, deleteResendDomain, getResendDomain, ResendApiError).
  • Added agency and commission helpers:
  • lib/agency.ts (childWorkspaceInputSchema, listChildWorkspaces, createChildWorkspaceRecord, updateChildCommissionRate, markAsAgency, getAgencyFinanceSummary),
  • lib/commission.ts (calculateCommissionCents, recordCommissionForInvoice, listCommissionsForAgency, payoutPendingCommissions, totalsFromCommissions, loadWorkspaceCommissionContext),
  • extended lib/stripe.ts with Stripe Connect Express: createStripeConnectAccount, createStripeConnectOnboardingLink, createStripeConnectLoginLink, transferCommissionToConnect, retrieveStripeAccount.
  • Extended middleware and CORS:
  • middleware.ts and lib/supabase/middleware.ts recognize widget and dashboard custom domains,
  • lib/cors.ts accepts requests from verified custom domains for the widget and the public API.
  • Integrated branding with the product:
  • lib/workspace-server.ts returns the current branding, is_agency, whitelabel_enabled, powered_by_enabled,
  • lib/public-bot.ts attaches branding to /api/bot/[id]/config for the widget,
  • the widget widget-src/index.ts uses branding.product_name in statuses and renders the Powered by ... footer only when the workspace allows it,
  • widget-src/styles.ts adds the .dl-poweredby class.
  • Added new endpoints:
  • PATCH /api/dashboard/workspace/branding
  • GET / POST /api/dashboard/workspace/domains
  • POST /api/dashboard/workspace/domains/[id] (verify)
  • DELETE /api/dashboard/workspace/domains/[id]
  • POST /api/dashboard/workspace/email-domain
  • GET / POST /api/dashboard/agency/children
  • PATCH / DELETE /api/dashboard/agency/children/[id]
  • GET /api/dashboard/agency/commissions
  • POST /api/stripe/connect/onboarding
  • POST /api/stripe/connect/login
  • Updated the Stripe webhook:
  • invoice.payment_succeeded writes a commission record for the child workspace,
  • account.updated synchronizes stripe_connect_payouts_enabled and stripe_connect_onboarding_completed_at.
  • Added new dashboard screens:
  • /dashboard/workspace/brand with <BrandingEditor />,
  • /dashboard/workspace/domeny with <DomainManager />,
  • /agency agency dashboard (cards for clients / bots / messages / pending payouts, Stripe Connect onboarding, top 5 clients list),
  • /agency/klienci with the child workspaces table,
  • /agency/klienci/nowy with <ChildWorkspaceForm />,
  • /agency/klienci/[id] with <ChildWorkspaceActions />, the list of the team, bots and commissions of the given client,
  • /agency/rozliczenia with commission totals per currency and <CommissionTable />.
  • Added components:
  • components/dashboard/AgencySidebar.tsx
  • components/dashboard/BrandingEditor.tsx
  • components/dashboard/DomainManager.tsx
  • components/dashboard/ChildWorkspaceForm.tsx
  • components/dashboard/ChildWorkspaceActions.tsx
  • components/dashboard/CommissionTable.tsx
  • components/dashboard/StripeConnectOnboarding.tsx
  • Updated the dashboard navigation:
  • Sidebar and MobileNav show the Brand and Domains sections,
  • the owner of a workspace marked as is_agency sees the Agency link,
  • workspace branding (logo, primary color, product_name) is used in Sidebar / MobileNav.
  • Added tests:
  • tests/branding.test.ts
  • tests/host.test.ts
  • tests/commission.test.ts
  • tests/custom-domains.test.ts
  • tests/agency.test.ts
  • Updated the documentation:
  • the README sections "White-label and custom domains" and "Agency mode and commissions",
  • new environment variables (VERCEL_API_TOKEN, VERCEL_TEAM_ID, VERCEL_PROJECT_ID_WIDGET, VERCEL_PROJECT_ID_APP, CUSTOM_DOMAIN_WIDGET_CNAME, CUSTOM_DOMAIN_DASHBOARD_CNAME, CUSTOM_DOMAIN_VERIFY_SECRET).

0.12.0

Changed

Added migration 012_billing_v2.sql with:

Iteration 9 BUILD-SPEC-V2 Billing v2
Changed (45 changes)
  • Added migration 012_billing_v2.sql with:
  • an extension of workspaces with billing fields and stripe metadata,
  • overage_messages_count in usage_counters,
  • table invoices,
  • RLS policies for invoices,
  • the invoices bucket,
  • a new version of the increment_usage_counter RPC with overage handling.
  • Added billing helpers:
  • lib/billing.ts
  • lib/billing-service.ts
  • extended lib/plans.ts
  • extended lib/entitlements.ts
  • extended lib/stripe.ts
  • Added support for:
  • monthly and yearly plans,
  • message overage after the limit is exceeded,
  • pause subscription for 1-3 months,
  • self-service invoice refund within 14 days,
  • Polish NIP validation and EU reverse charge mode,
  • a simple invoice PDF generator.
  • Added new dashboard endpoints:
  • PATCH /api/dashboard/billing/company
  • POST /api/dashboard/billing/company/lookup
  • POST /api/dashboard/billing/pause
  • POST /api/dashboard/billing/refund
  • Przepisano Stripe routes:
  • POST /api/stripe/checkout
  • POST /api/stripe/portal
  • POST /api/stripe/webhook
  • Rozszerzono /dashboard/rozliczenia o:
  • konsole billingowa workspace,
  • plan cards z cyklem miesiecznym i rocznym,
  • usage z overage,
  • dane do faktury,
  • historie faktur z pobieraniem PDF,
  • refund i pause controls,
  • ostrzezenia downgrade dla liczby botow i wiedzy.
  • Rozszerzono publiczny chat i public API o:
  • workspace billing source,
  • naliczanie overage bez blokowania odpowiedzi,
  • raportowanie zuzycia overage do Stripe usage records.
  • Rozszerzono eksport danych konta o faktury.
  • Dodano testy:
  • tests/billing.test.ts
  • rozszerzenie tests/plans.test.ts

0.11.0

Iteration 8 BUILD-SPEC-V2 Analytics PRO
Changed (57 changes)
  • Added migration 011_analytics_pro.sql with:
    • conversation_feedback
    • widget_events
    • topic_clusters
    • analytics_share_links
    • an extension of conversations with:
      • sentiment
      • topics
      • country_code
      • device_type
      • browser
  • Added analytics helpers:
    • lib/analytics.ts
    • lib/analytics-ai.ts
    • lib/xlsx.ts
  • Added public widget endpoints:
    • POST /api/bot/[id]/event
    • POST /api/bot/[id]/feedback
  • Extended the widget with:
    • funnel tracking:
      • widget_loaded
      • widget_opened
      • first_message_sent
      • bot_responded
      • lead_form_shown
      • lead_captured
      • conversation_ended
    • a CSAT prompt after the conversation ends
    • sending feedback to the backend
  • Extended the chat and lead backend with:
    • country geolocation from edge headers
    • device and browser detection
    • automatic scheduling of conversation analysis after the conversation ends
  • Added Inngest jobs:
    • sentiment and topic analysis after conversation/ended
    • refreshing topic clusters every 24h
  • Added the analytics dashboard:
    • /dashboard/boty/[id]/analityka
    • funnel
    • daily activity
    • CSAT
    • sentiment
    • retention
    • countries
    • devices
    • browsers
    • hour heatmap
    • conversation topics
  • Added a public read-only report view:
    • /raport/[token]
  • Added dashboard API:
    • POST /api/dashboard/analytics/share
    • GET /api/dashboard/analytics/export
  • Added CSV and XLSX exports for reports.
  • Added tests:
    • tests/analytics.test.ts
    • tests/analytics-ai.test.ts

0.10.0

Iteration 7 BUILD-SPEC-V2 Human Handoff plus Live Inbox
Changed (30 changes)
  • Added migration 010_human_handoff.sql with:
    • handoff fields in bots
    • live inbox fields in conversations
    • the canned_responses table
    • the agent_presence table
  • Added lib/handoff.ts helpers for:
    • keyword and low-similarity triggers
    • serialization of inbox conversations
    • validation of canned responses, presence and agent replies
  • Added dashboard pages:
    • /dashboard/inbox
    • /dashboard/workspace/szablony
  • Added dashboard API:
    • GET/PATCH/POST /api/dashboard/inbox
    • PATCH /api/dashboard/presence
    • GET/POST/PATCH/DELETE /api/dashboard/canned-responses
  • Added public widget endpoints:
    • POST /api/bot/[id]/handoff
    • GET /api/bot/[id]/conversation/[conversation_id]/updates
  • Extended the widget with:
    • manual handoff to a human
    • polling for new replies from the inbox
    • display of human replies with the sender's name
    • a waiting-for-agent state
  • Extended the public chat with automatic handoff on:
    • keywords
    • low knowledge relevance
  • Added delayed handoff reminders after 60 seconds via Inngest and the conversation.handoff_requested event.
  • Added the /dashboard/rozmowy/[id] page.
  • Added the tests/handoff.test.ts tests.

0.9.0

Iteration 6 BUILD-SPEC-V2 Public API plus SDK
Changed (29 changes)
  • Added migration 009_public_api.sql with:
    • api_keys
    • api_request_logs
    • an extension of audit_log.actor_type
  • Added auth and rate limiting for API keys in:
    • lib/api-keys.ts
    • lib/public-api.ts
  • Added the public API v1 layer:
    • GET /api/v1/bots
    • GET /api/v1/bots/{id}
    • PATCH /api/v1/bots/{id}
    • POST /api/v1/bots/{id}/messages
    • GET /api/v1/leads
    • POST /api/v1/leads/{id}/status
    • GET /api/v1/conversations
    • GET /api/v1/usage
  • Added the /dashboard/deweloperzy dashboard with:
    • API key creation,
    • editing of scopes and expiry,
    • key revocation,
    • request logs from the last 24h,
    • curl, JS and Python examples.
  • Rewrote lib/openapi.ts to generate OpenAPI 3.1 from Zod via @asteasolutions/zod-to-openapi.
  • Added a Swagger UI viewer at /api-docs and kept /api/openapi.
  • Added the packages/sdk package with the DarhimClient client.
  • Added tests:
    • tests/api-keys.test.ts
    • tests/openapi.test.ts
    • tests/sdk.test.ts

0.8.0

Iteration 5 BUILD-SPEC-V2 External integrations v1
Changed (39 changes)
  • Added migration 008_integrations_events.sql with the tables:
    • integrations
    • events
  • Extended bots with:
    • booking_mode
    • booking_integration_id
    • booking_config
  • Extended leads.status with the scheduled value.
  • Added an integration layer in lib/integrations.ts:
    • OAuth connect / callback for Slack, Google Calendar, Calendly, HubSpot and Pipedrive,
    • listing Slack channels,
    • listing Google calendars,
    • listing event types from Calendly,
    • sending leads to Slack,
    • creating events in Google Calendar,
    • pushing leads to HubSpot and Pipedrive,
    • HMAC webhooks for webhook / Zapier.
  • Added an event bus in lib/events.ts and an Inngest dispatcher for the events table.
  • Added the /dashboard/integracje screen with configuration of:
    • Slack,
    • Google Calendar,
    • Calendly,
    • HubSpot,
    • Pipedrive,
    • webhooks,
    • Zapier / Make,
    • additional emails.
  • Added per-bot booking on /dashboard/boty/[id] via BotBookingForm.
  • Extended the public chat with:
    • proposing slots from Google Calendar,
    • saving the event once the time is confirmed,
    • redirecting to Calendly on booking intents.
  • Added an inbound webhook:
    • /api/integrations/calendly/webhook
  • Added webhook documentation at:
    • /api-docs/webhooks
  • Added tests:
    • tests/integrations.test.ts
    • tests/booking.test.ts

0.7.0

Iteration 4 BUILD-SPEC-V2 Knowledge Base v2
Changed (35 changes)
  • Added migration 007_knowledge_base_v2.sql with the tables:
    • knowledge_sources
    • knowledge_connections
    • bot_knowledge_versions
    • crawl_jobs
  • Extended bot_knowledge with:
    • source_url
    • content_hash
    • quality_score
    • superseded_by
    • sync_config
    • low_quality
    • updated_at
  • Added a domain crawler with support for:
    • robots.txt
    • sitemap.xml
    • max_pages and max_depth limits
    • deduplication by content hash
  • Added knowledge jobs and periodic sync in Inngest.
  • Added versioning of knowledge fragments and rollback to the previous version.
  • Added the /dashboard/boty/[id]/wiedza screen with:
    • source management,
    • crawl jobs,
    • version history,
    • semantic debug,
    • an FAQ generator,
    • a preview of chunks and quality.
  • Added OAuth connections for Google Docs and Notion:
    • connect
    • callback
    • browse
    • disconnect
  • Added fetching of sources from Google Docs and Notion once real environment keys are connected.
  • Added chunk quality scoring with a heuristic fallback.
  • Added the crawler.test.ts and knowledge-connections.test.ts tests.

0.6.0

Iteration 3 BUILD-SPEC-V2 Widget v2
Changed (6 changes)
  • Added migration 006_widget_v2.sql with launcher, positioning and theme settings, bot_proactive_rules, the conversation-attachments bucket, and message attachments and metadata.
  • Added public widget endpoints: /api/bot/[id]/config, /api/bot/[id]/chat, /api/bot/[id]/lead, /api/bot/[id]/attachment and /api/bot/[id]/message/[msg_id]/read.
  • Added a new /dashboard/boty/[id] screen with embed code, live preview, widget v2 settings and a proactive rules editor.
  • Extended BotSettingsForm with widget theme, launcher, desktop/mobile positioning and offline lead capture mode.
  • Rewrote widget-src/* to v2: Shadow DOM, custom launcher, positioning, rich responses [IMG], [CARD], [QR], file upload, read receipts, offline queue, cookie gating, focus trap and mobile fullscreen.
  • Added the /widget-preview page, the widget-rich.test.ts tests, Playwright E2E for widget v2 with @axe-core/playwright, and regression screenshots.

0.5.0

Iteration 2 BUILD-SPEC-V2 Workspaces
Changed (7 changes)
  • Added migration 005_workspaces_roles_invites.sql with the workspaces, workspace_members and workspace_invites tables, the workspace_role type, a backfill of existing data and role-based RLS.
  • Added workspace_id to bots, knowledge, conversations, messages, leads and usage counters, along with triggers that populate it.
  • Added the lib/workspace.ts, lib/workspace-server.ts and lib/workspace-invites.ts helpers.
  • Added an API for switching workspaces, inviting people, changing roles, removing members and revoking invites.
  • Added /dashboard/workspace/zespol with the member list, pending invites and role descriptions.
  • Added /invite/[token] and invite token handling in login, sign-up and magic link.
  • Added a workspace switcher to the top nav and a Team menu in the sidebar.

0.4.0

Iteration 1 BUILD-SPEC-V2 Auth security
Changed (7 changes)
  • Added migration 004_auth_security_audit.sql with audit_log, user_sessions, mfa_backup_codes, and MFA and forced-password-change fields in profiles.
  • The middleware registers dashboard sessions, blocks revoked sessions, honors the forced password change and requires AAL2 when MFA is enabled.
  • Added event auditing for login, logout, bots, knowledge, Stripe, data export and account deletion.
  • Added /dashboard/ustawienia/bezpieczenstwo with TOTP 2FA via Supabase MFA and backup codes.
  • Added /dashboard/ustawienia/sesje with remote sign-out of devices.
  • Added /dashboard/ustawienia/aktywnosc with audit filtering and CSV export.
  • Added magic link login via supabase.auth.signInWithOtp.

0.3.0

Iteration 0 BUILD-SPEC-V2
Changed (9 changes)
  • Added Prettier, eslint-config-prettier, .editorconfig, .nvmrc, format and format:check.
  • Extended .env.local.example to the full v1.0 list.
  • Added GitHub Actions: CI, E2E and a deploy note for the Vercel GitHub Integration.
  • Added lib/logger.ts with structured logs and captureException.
  • Added x-request-id to requests and responses.
  • Added rate limiting via Upstash with an in-memory fallback for dev.
  • Tightened CORS on the public widget endpoints.
  • Added security headers in next.config.mjs.
  • Added the Playwright config and baseline E2E tests.

0.2.1

Production hardening
Changed (5 changes)
  • Added migration 003_production_hardening.sql.
  • Added grouping of knowledge sources and the ability to delete an entire source from the panel.
  • Added a cookie banner in the widget.
  • Extracted the chat system prompt into lib/chat-prompt.ts.
  • Added a password change view after reset.

0.2.0

MVP expansion
Changed (7 changes)
  • Added database types in lib/database.types.ts.
  • Added migration 002_mvp_enhancements.sql.
  • Added a bot wizard with React Hook Form, Zod and multipart upload.
  • Added knowledge ingestion: FAQ, URL, PDF, chunking, embeddings and writes to bot_knowledge.
  • Added the public widget API: config, SSE chat with RAG, and lead capture with Resend.
  • Added Stripe Checkout, Customer Portal and webhook.
  • Added GDPR JSON export and delete account.

0.1.0

Initial scaffold
Changed (4 changes)
  • Added a separate SaaS application scaffold in the app.darhimlabs.pl directory.
  • Added Next.js 14, TypeScript, Tailwind CSS and shadcn/ui configuration.
  • Added Supabase Auth helpers, middleware and a protected dashboard.
  • Added sign-up, login and password reset pages.