Shipped, not promised
Changelog
A real changelog, generated from actual commit history — not a marketing timeline. Every entry below corresponds to a real merged change; nothing here is planned-but-unshipped (see /roadmap.html for what's not built yet). Grouped by date, most recent first. Internal-only commits (typo fixes, dependency bumps) are folded into the entry they support rather than listed one-by-one.
2026-07-13
- Pricing Unified credit pricing across every product: Free (500 credits/mo), Starter $19 (5,000), Pro $59 (18,000), Business $199 (60,000), Enterprise from $999 (250,000+) — one credit balance, prepaid top-up packs, and every competitive claim on the site recomputed against it.
- Homepage Rebuilt the homepage around the full 6-product catalog (CapchaID, Consent/Lead, CapchaSign, CapchaVerify, CapchaShield, Banking/ISO 20022) plus a platform-services strip; the CapchaVerify product page shipped;
roadmap.htmlrewritten to match portfolio reality; sitemap completed. - Trust Shipped the public chain explorer (/explorer.html): live chain status, a block-by-block explorer, OTS anchor + Merkle-inclusion verification, the published signing key, a one-click record verifier, and the offline-verify how-to — wired into the homepage services strip and sitemap.
- SDK Published
@capchacloud/sdk— a typed TypeScript client for the public API (ESM + CJS + type defs, live-smoke-tested against production, v0.1.0). - Docs OpenAPI now documents CapchaID auth (22 endpoints) and CapchaSign (34 endpoints): full set lives in the CI-gated
openapi.yaml; a curated public subset ships asopenapi.jsonso/api-reference.htmlrenders cleanly. Fixed/api-reference.htmlrendering blank in production (Redoc's CDN script was CSP-blocked; now vendored locally). - Honesty CapchaVerify's native (non-vendor) screening path for CapchaSign was overstating what it actually checked — fixed to report only what really ran. The live demo's "production fingerprint" badge previously stayed green even when the response was tampered with; it now correctly flips on tamper. Fixed the CC-GATE demo hitting an already-expired purpose credential.
- Security Added rate limits to CRITICAL/HIGH-severity POST endpoints that had none; hardened transport at the edge (http→https and www→apex redirects, HSTS header).
- CI Added
capcha-shieldandtrust-dashboardjobs to CI and made workflows fire onharden/**branches; fixed a CI-blocking worker crash (excluded the node-only verifier spec from the Workers test pool), a stale pnpm lockfile, a pre-existing tsc error blocking capcha-mcp's first CI run, and a console-lint false-positive on co-located test files. - Site polish Sitewide Docs-nav parity fix, comparison-page footer cross-links, and OG-tag gaps closed across the marketing site.
2026-07-11
- CapchaShield Shipped KYC/AML with bring-your-own vendor credentials: tenants can supply their own compliance-vendor keys per check, with a same-origin proxy in trust-engine and a BYO vendor credential vault in CapchaShield. Made the whole product discoverable — product-page CTAs, a live demo panel, homepage links — plus a Sumsub webhook handler and rate limiting, and synced the dashboard's new Verification (KYC/AML) section.
- Trust Threaded real Merkle-inclusion proofs into the evidence verify/bundle surfaces (previously a stub); surfaced previously-hidden capabilities on the public site — Integrate nav, product links, the offline evidence-bundle download, the consent wallet, and the auth-evidence doc.
- Comparisons Added the
vs-docusign.htmlcomparison page and cross-linked all three (vs-Clerk, vs-DocuSign, vs-TrustedForm). - CapchaMCP
embedSnippetnow pins to the frozen/v1/widget.jsURL contract; shipped tenant/org/billing/wallet MCP tools with an honesty-parity pass and a live-probe script. - Demo Consolidated three separate demo pages into one unified
/demopage; added the versioned, frozen/v1/widget.jsURL contract (Stripe.js-style pinning, so integrations don't break under us). - Reliability Added a Cloudflare-native dead-letter-queue backstop for lead webhooks so failed deliveries aren't silently lost.
- Design Unified the marketing / trust / legal page theme sitewide onto one design system.
- Adversarial audits Ran structured adversarial audits against CapchaSign (4 real gaps found and fixed) and the lead-capture → webhook-delivery path (3 real gaps found and fixed) — plus a real-DOM deploy gate and portfolio embed-presence canary for the embed widget.
- CI Excluded co-located
src/*.test.tsfrom the standalone tsc pass, unblocking the predeploy gate.
Generated from git log on the production branch. Source-of-truth commit range: the 40 most
recent commits as of 2026-07-13. Older history isn't summarized here yet.