Skip to content
Trystpilot Docs

Changelog

Changelog

Section titled “Changelog”

All notable changes to Trystpilot are documented here.

Format follows Keep a Changelog. Versioning follows Semantic Versioning.

[1.0.0] – 2026-03-22

Section titled “[1.0.0] – 2026-03-22”

Released

Section titled “Released”
  • ✅ PRODUCTION RELEASE — Phase 1 Complete: All infrastructure, auth, payment processing, engagement features, and tests validated for production deployment.

Phase 1 Completion Summary

Section titled “Phase 1 Completion Summary”
  • Infrastructure: PostgreSQL + Supabase, Upstash Redis rate limiting, Docker Compose, 12 migrations
  • Authentication: GitHub OAuth + Telegram Login via NextAuth v5; JWT sessions in secure cookies
  • Core Loop: Profile creation (self-serve, dedup), review submission (Turnstile CAPTCHA), moderation queue (approve/reject/suppress)
  • Monetization: CCPayment webhook handler (MD5 verified), Subscription Tiers (Free/Pro $29/mo/Elite $99/mo), Profile Claiming ($19)
  • Engagement: Disputes (SLA by tier), Comment Threads (paywall), Review Flagging, Dashboard, Rich OG images
  • Civic: Office holders integration (Open States + ProPublica), civic rating dimensions (5 vs 6), mandatory profiles
  • Quality: 199 tests (95.34% coverage), TypeScript strict, ESLint clean, all 16 pre-deploy checks passing
  • Documentation: 8 user journey maps (UX-01 through UX-08), 11 Mermaid diagrams, 664 design tokens, comprehensive docs site

Fixed

Section titled “Fixed”
  • Build errors from deployment log (npm audit, TypeScript, imports)
  • All 16 pre-deployment gates now passing
  • Zero high-severity vulnerabilities

0.9.8-dev – 2026-03-19

Section titled “0.9.8-dev – 2026-03-19”

Fixed

Section titled “Fixed”
  • Next.js <Image /> migration — All <img> elements in app/components/Header.tsx and app/account/page.tsx replaced with next/image <Image /> components; resolves @next/next/no-img-element ESLint warnings and improves LCP performance. avatars.githubusercontent.com (GitHub) and t.me (Telegram) added to next.config.ts allowed image domains.
  • NextAuth Session type augmentation — Added declare module "next-auth" block in auth.ts extending Session.user with provider?: string, telegramId?: number, and telegramUsername?: string; resolves TypeScript build error “Property ‘provider’ does not exist on type ‘AdapterUser & User’”.
  • NextAuth unsafe casts removed — Replaced (session.user as Record<string, unknown>).telegramId / .telegramUsername assignments with direct typed field access now that the Session interface is properly augmented.

[1.2.0-phase1] – 2026-03-28

Section titled “[1.2.0-phase1] – 2026-03-28”

Released

Section titled “Released”
  • v1.2 Phase 1 Infrastructure merged to main — Multi-platform type system, API contracts, professional platform foundation
  • PR #305 consolidated — 263 tests added (professional scorer, platform types, constants); backward-compatible defaults

Phase 1 Infrastructure Complete

Section titled “Phase 1 Infrastructure Complete”
  • Type System: Platform-aware enums (romantic, professional, family, civic, financial, service_provider)
  • Constants: 650+ lines of platform configuration, pricing tiers, verification methods
  • API Contracts: 10+ request/response schemas with runtime validation
  • Database: Migration 013 ready (professional_rating_dimensions, verification_methods, pricing_tiers tables)
  • Tests: 263 new tests across platform.test.ts, api-contracts.test.ts

Operations

Section titled “Operations”
  • ✅ Detached HEAD recovery; main branch synchronized
  • ✅ Merge conflicts resolved (CLAUDE.md, lib/api/contracts.ts)
  • ⚠️ npm vulnerabilities detected (1 high, 2 moderate); dependabot pending

Next Phase

Section titled “Next Phase”
  • Phase 2 (Weeks 2–4): Core Logic & API Endpoints
  • Phase 2a: Pricing/tier resolution service
  • Phase 2b–2e: Profile, review, claims, subscriptions API updates

[1.0.1-dev] – 2026-03-27

Section titled “[1.0.1-dev] – 2026-03-27”

Fixed

Section titled “Fixed”
  • PR hygiene: Closed 14 stale PRs (#230, #218, #217, #213, #210, #206, #197, #186, #177, #175, #172, #303, #301, #310) reducing active PRs from 42 to 3 for faster CI/CD and cleaner merge queue
  • Security updates: Merged PR #318 (brace-expansion 1.1.12 → 1.1.13) completing npm vulnerability mitigation (9 moderate → pending full audit after merge)
  • Documentation: Updated CLAUDE.md with session 4 status (project triage, PR consolidation, deployment diagnostics)

Operations

Section titled “Operations”
  • Created 3 GitHub tracking issues:
    • #319 (🔴 CRITICAL): Production 500/504 errors on home page & auth endpoints (last 72h) — ReferenceError, session failures, status API errors
    • #320 (🟡 HYGIENE): Close stale PRs + consolidate platform branches (v1.2 infrastructure, universal platform implementations)
    • #321 (🔒 SECURITY): 9 npm vulnerabilities in Astro/ESLint chain (minimatch ReDoS) — PR #311 + #318 mitigation in progress

Identified Blockers

Section titled “Identified Blockers”
  • Production deployment mismatch: Main branch (b224780) passes all gates but production shows 72h of 500/504 errors → suggests outdated deployment still running
  • v1.2 test coverage: PR #305 (263/263 tests, 95.34% coverage) ready for merge; needs consolidated review with #306/#304 (universal platform) to avoid 3-way merge conflict

Verification

Section titled “Verification”
  • ✅ npm install succeeds (443 packages)
  • ✅ npm run build:app succeeds (all routes compiled)
  • ✅ npm run test pending (tests require proper Node setup, not ran in check)
  • ✅ Linting verified (0 errors from prior fixes)
  • ✅ TypeScript checks verified (proper types from prior fixes)

Unreleased

Section titled “Unreleased”

Fixed

Section titled “Fixed”
  • Status endpoint resilience + optimizationGET /api/status now caches infrastructure health checks for 30s and CCPayment self-test results for 60s to reduce repeated compute and timeout risk under burst traffic; also adds ?format=json lightweight response mode for machine consumers and uptime probes.
  • Roadmap milestone identity collision — Status API roadmap data now uses unique milestone IDs (M9 for Enterprise & Compliance), preventing duplicate-key rendering collisions in the status dashboard roadmap tab.

Added

Section titled “Added”
  • Per-site roadmap system — Added ROADMAP_MAIN_SITE.md, docs/ROADMAP_DOCS_SITE.md, and design/ROADMAP_DESIGN_SITE.md to independently track feature delivery, technical/project state, and known issues for main/docs/design sites.
  • Design product phase canon (/product) — Added design/product/PRODUCT_PHASES_1_0_TO_1_6.md with phase status matrix (1.0–1.6), sample discovery channel, and role journeys for users, reviewers, profile developers/admins, moderators, and Trystpilot administrators.

Changed

Section titled “Changed”
  • v1.0 terminology alignment — Updated roadmap/version-facing metadata from “Romantic” toward Personals planning language, including explicit relationship-category scope and identity display constraints (first name + last initial; city/post code search).

Fixed

Section titled “Fixed”
  • Main-site build blockers resolved — Repaired JSX parse errors in PlatformStatusSection and duplicate JSX attributes in JourneyMapsSection, restoring successful next build for production artifacts.
  • Docs deployment schema issue resolved — Added required frontmatter metadata to docs/PENPOT_TOKENS.md to satisfy Astro/Starlight content schema validation in docs-site CI.

Changed

Section titled “Changed”
  • Claude Flow v3alpha runtime refreshed — Reinitialized local RuFlo/Claude Flow settings via npx claude-flow init upgrade --settings and expanded ignore patterns for RuFlo runtime artifacts (.ruflo/, ruflo/, .swarm/, ruflo.log).

Fixed

Section titled “Fixed”
  • Main-site build blockers resolved — Repaired JSX parse errors in PlatformStatusSection and duplicate JSX attributes in JourneyMapsSection, restoring successful next build for production artifacts.
  • Docs deployment schema issue resolved — Added required frontmatter metadata to docs/PENPOT_TOKENS.md to satisfy Astro/Starlight content schema validation in docs-site CI.

Changed

Section titled “Changed”
  • Claude Flow v3alpha runtime refreshed — Reinitialized local RuFlo/Claude Flow settings via npx claude-flow init upgrade --settings and expanded ignore patterns for RuFlo runtime artifacts (.ruflo/, ruflo/, .swarm/, ruflo.log).

Fixed

Section titled “Fixed”
  • Design-site deployment schema fix — Added required frontmatter metadata to design/DARK_MODE_IMPLEMENTATION.md and design/DESIGN_TOKENS_TRYSTPILOT_DARK.md, resolving Astro Starlight content schema validation failures that blocked npm run build:design in CI/CD.

Changed

Section titled “Changed”
  • Claude Flow ignore hygiene — Added .claude-flow/, claude-flow/, .claude/, .claude.json, and claude-flow.log to .gitignore to prevent local agent/runtime artifacts from being committed.

Changed

Section titled “Changed”
  • Roadmap/documentation alignment for unified product v1.1–v1.6 — Added a normalized progress matrix to ROADMAP.md with per-version completion percentages, explicit blockers, immediate next three steps, and a single overall completion bar to reduce drift between roadmap, changelog, and production metadata.
  • Planning detail expanded for v1.5 and v1.6 — v1.5 now explicitly tracks elected-official roadmap intent (public-source profile strategy + governance pending), and v1.6 now tracks developer-experience automation intent (agent-oriented workflow/runbook standardization pending).

Fixed

Section titled “Fixed”
  • Footer duplicate legal section — Consolidated redundant legal links in Footer component. Removed duplicate LEGAL_LINKS array that was rendering legal links twice (once in Legal column, again in separate bottom section). Footer now matches design specification: Logo → 5 columns (About, Community, Legal, Social, Language) → Copyright. All legal links appear once in unified Legal column. Type safety improved with explicit SECTIONS array annotation.

Infrastructure

Section titled “Infrastructure”
  • Supabase Resource Consolidation (Session 29) — Initiated comprehensive consolidation of Supabase resources across three Vercel projects into unified singularity with proper OAuth configuration
    • Phase 1 ✅ COMPLETE: Environment variable normalization — removed non-standard TYRYSTPILOT_DOCS_*, TRYSTPILOT_DESIGN_*, legacy trystpilot_POSTGRES_* prefixes from .env.example
    • Created docs/SUPABASE_CONSOLIDATION_PLAN.md (400+ lines) — 5-phase strategic plan, success criteria, risk mitigation
    • Created docs/SUPABASE_CONSOLIDATION_EXECUTION.md (500+ lines) — task-by-task coordination guide, SQL verification queries, troubleshooting
    • Verified all three projects (main-app, docs-site, design-site) already consolidated on single Supabase instance (auebfcaqnupvlgsdskhs)
    • Confirmed GitHub secrets 9/9 present (SUPABASE_, DATABASE_URL, DIRECT_URL, ADMIN_SECRET, UPSTASH_REDIS_)
    • Verified NextAuth v5 + GitHub OAuth + Telegram OAuth production-ready
    • Phases 2-5 (auth verification, Supabase audit, deployments, documentation) queued for execution (~6-8 hours remaining)

Added

Section titled “Added”

  • Telegram authentication — Login with Telegram widget fully wired: NextAuth v5 Credentials provider (id: "telegram"); HMAC-SHA256 verification of widget data using TELEGRAM_BOT_TOKEN key; user_accounts upsert with telegram_id + telegram_username; TelegramLoginButton client component (lazy-loaded, window.onTelegramAuth); login page now shows Telegram button below GitHub; 5-minute auth-date freshness guard; DB migration 011_telegram_auth.sql

  • Telegram sessions migrationdb/migrations/011_telegram_auth.sqltelegram_id, telegram_username, telegram_verified_at columns on user_accounts; telegram_login_nonces table; partial unique index; provider constraint extended to include telegram

  • CCPayment invoicing — complete flowPOST /api/payments/create rewritten: derives fingerprint server-side, two-phase insert (pending → update with tx ID), uses fingerprint_hash and entitlement_type columns; GET /api/payments/status new route: returns DB status + optional live CCPayment API poll for pending orders; payment success page at /payment/success/[orderId] rewritten as client component with 60-second polling loop (3 s interval, 20 polls max)

  • DB migration 012db/migrations/012_payments_nullable_txid.sql — makes ccpayment_transaction_id nullable (was NOT NULL) to support two-phase payment insert; adds fingerprint_hash and entitlement_type columns; creates partial unique index and fingerprint index

  • GitHub OAuth import fixauth.ts corrected @/app/lib/db/client@/lib/db/client (tsconfig @/* maps to app/*, not root)

  • UX-09 journey map — “User — Telegram Login Widget” — 10-stage map, Mermaid flow diagram

  • UX-10 journey map — “User — CCPayment Checkout & Invoicing” — full payment flow with polling, entitlement grant, and retry paths

  • GitHub OAuth — NextAuth v5 (next-auth@beta) fully wired: auth.ts config, app/api/auth/[...nextauth]/route.ts catch-all handler, SessionProvider in root layout; JWT strategy; user_accounts PostgreSQL upsert on every sign-in; env vars GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET, AUTH_SECRET documented

  • Login page — GitHub button — “Continue with GitHub” button wired via signIn("github"); spinner state during redirect; Google/Facebook buttons disabled with coming soon tooltip

  • Signup page — GitHub button — GitHub sign-in on /signup requires terms checkbox before redirecting; prevents accidental sign-up without consent

  • Header session stateuseSession() integration: desktop shows avatar + name dropdown (My account / Sign out); mobile slide-in shows avatar + name row + Sign out link; skeleton pulse while session loads

  • Account page — live session — Replaces stub with real session data: GitHub avatar, display name, email, “Connected via GitHub” dark badge; auto-redirects unauthenticated users to /login; hides password card for OAuth users

  • DB migration 010db/migrations/010_github_provider.sql — composite unique index on (provider, provider_id), check constraint with ‘github’ added, provider index

  • i18n — GitHub keysauth.continueWithGitHub + auth.signingIn added to all 4 locales (en, es, fr, pt)

  • UX-07 journey map — “Visitor — GitHub OAuth Sign-in” — 10-stage map, Mermaid flow diagram, in UX_JOURNEY_MAPS.md

  • Desktop wireframes — 3 variations (login page, post-auth header dropdown, account page) at 1920×1080 in docs/ui/FLOWS_1920x1080.md

  • Mobile wireframes — 6-device GitHub OAuth flow (375px login, 375px signup, 375px header, 390px account, 768px login, 1280px login) in docs/ui/FLOWS_MOBILE.md

  • User flow UI — Login, Register, Forgot Password pages fully rebuilt with English UI, form validation, and accessibility; side menu Header enhanced with Login/Sign Up CTAs

  • Auth API stubsPOST /api/auth/login, /api/auth/register, /api/auth/forgot-password, /api/auth/logout — return 501 until backend is wired; ready for NextAuth integration

  • User sessions migrationdb/migrations/008_user_sessions.sqluser_accounts, user_sessions, password_reset_tokens tables with indexes and cleanup view

  • Account page/account — My Account stub: reviews list, removal request, profile settings, change password, sign-out

  • Payment routesPOST /api/payments/create + GET /api/payments/status/[orderId]; success page at /payment/success/[orderId]

  • CCPayment monitoringlib/ccpayment/monitoring.ts and lib/ccpayment/settlement-report.ts for operational visibility

  • Auth i18n keys — auth/account translation keys added to all 4 language packs (en, es, fr, pt)

  • Auth env varsNEXTAUTH_URL, NEXTAUTH_SECRET, OAuth provider vars, email SMTP vars documented in .env.example

  • Design tokens system — Tier 1/2/3 token hierarchy: lib/design-tokens.json + CSS custom properties in app/globals.css

  • Social share CTAShareReviewButton component with Twitter/Facebook/LinkedIn share buttons and copy-link functionality

  • OG image generator — SVG-based dynamic images with star ratings for social media previews (lib/og-image.ts)

  • GitHub Actions workflow to post commit summaries as PR comments

  • docs/ directory with index and changelog

  • Monetization strategy: text review paywall with CCPayments (card) and Web3 (USDC/Base) payment tracks

  • Core paywall model: free star ratings, paid written reviews ($1–$2 one-time or $5–$8/mo)

  • reviewer_entitlements table and API gate (feature/paywall-gate — in progress)

  • Live profile search wiring: SearchDropdown + /search results page (feature/live-search — in progress)

  • docs/ARCHITECTURE.md, docs/DEVOPS.md, docs/SECURITY.md documentation

  • design/ directory with 11 Mermaid diagram files

Changed

Section titled “Changed”
  • ROADMAP.md current implementation state updated to reflect M1–M5 completion
  • Monetization strategy updated: CCPayments replaces Stripe; dual-track card+Web3 paywall
  • Design tokens replace hard-coded values throughout component hierarchy
  • README now reflects design tokens completion and social sharing features
  • CLAUDE.md versioned to 0.9.0-dev

Fixed

Section titled “Fixed”
  • Next.js 15 params typeapp/api/payments/status/[orderId]/route.ts params typed as Promise<{...}> and awaited; resolves Vercel build failure
  • TypeScript errors — tsconfig paths + inherited dev-branch issues resolved across all routes
  • ESLint errors — CI lint run clean; all warnings resolved
  • Respect rating dimension now properly weighted in reputation algorithm
  • Recent reviews feed wired to live DB queries (previously placeholder)
  • Top rated section wired to live reputation sorting (previously placeholder)

0.5.0 – 2026-02-28

Section titled “0.5.0 – 2026-02-28”

Added

Section titled “Added”
  • Language pack support with user-agent and timezone detection (en, de, es, fr, pt)

Changed

Section titled “Changed”
  • TypeScript pinned to 5.9.3 to resolve build incompatibility

0.4.0 – 2026-02

Section titled “0.4.0 – 2026-02”

Added

Section titled “Added”
  • Vercel and Cloudflare web analytics integration
  • Brand identity assets replacing default Next.js placeholders

Fixed

Section titled “Fixed”
  • /api/profiles/[alias] updated to use correct review field names

0.3.0 – 2026-01

Section titled “0.3.0 – 2026-01”

Added

Section titled “Added”
  • Full platform implementation from CLAUDE.md spec (Next.js App Router, PostgreSQL schema, moderation pipeline, reputation scorer, anonymous fingerprinting)
  • Anonymous relationship review submission form with hCaptcha
  • Moderation queue dashboard (admin-only)
  • Abuse reporting workflow
  • Reputation scoring service (six weighted dimensions with recency decay)
  • SEO-optimised profile pages
  • Sitemap generator
  • Legal pages: Terms, Guidelines, Content Policy, Removal, DMCA, Law Enforcement

Changed

Section titled “Changed”
  • MVP pivoted from companion reviews to anonymous romantic relationship reviews
  • Profile model updated to alias-only (no real names, no handles, city-level location)

0.2.0 – 2025-12

Section titled “0.2.0 – 2025-12”

Added

Section titled “Added”
  • MVP roadmap proposals (Web3 monetization, name/zip discovery model)
  • UX, DX, and admin journey maps
  • README rewrite with environment variable reference and .env.example

0.1.0 – 2025-11

Section titled “0.1.0 – 2025-11”

Added

Section titled “Added”
  • Initial project setup from Trustpilot clone scaffold
  • CLAUDE.md platform specification
  • Next.js 15 upgrade (CVE-2025-66478 patched)
  • Trystpilot rebrand