Changelog

What's new in Tracelight.

Reverse chronological. Subscribe via the RSS feed.

May 15, 2026shipped

▸Public blog at /blog with RSS feed
▸Owner/admin diagnostics page (env-var health + live integration tests for Anthropic, Resend, Stripe, Supabase admin)
▸Step-by-step Resend domain verification guide at /dashboard/admin/email-setup
▸Use-case landing pages: M&A diligence, background checks, fraud investigations, journalism
▸Public REST API documentation at /docs

May 14, 2026shipped

▸Hero video on the marketing landing page
▸New Tracelight wordmark + badge logo across every header
▸Onboarding step 3 redesigned: guided 'run your first lookup' replaces the webhook URL field
▸Settings page restructured into a left-rail tabbed view
▸Empty-state CTAs + skeleton loaders across the dashboard
▸Subject detail page now opens with a 4-stat overview strip

May 14, 2026security

▸Fixed an SQL injection vector in the natural-language search RPC by flipping it to SECURITY INVOKER (RLS now enforces workspace isolation directly)
▸Slack bot tokens encrypted at rest with AES-256-GCM
▸SSRF guard on outbound webhooks — DNS-resolved private IPs are blocked
▸Strict security headers: HSTS, CSP, X-Frame-Options DENY, Permissions-Policy
▸Cron auth: Bearer-only with constant-time compare; URL ?secret= fallback removed
▸Middleware now 401s any /api/* request without a session (defense in depth)

May 14, 2026shipped

▸Workspace invite flow finished end-to-end: brand-new signups join via the migration trigger; existing customers click an invite link, sign in, and get moved into the inviting workspace via /api/auth/accept-invite
▸Stripe payment_failed handling: workspace.billing_status flips to past_due, owner gets an email, dashboard shows a billing banner
▸Hourly enrichment quota on the public REST API (plan-tier caps + 429 with Retry-After)
▸/privacy and /terms pages
▸Route-level loading skeletons for /dashboard/cases, /alerts, /inbox, /intelligence