Changelog

All notable changes to Redstick Agents are documented here.

2026-04-15

Added

  • Marketing and docs pages now prerender to static HTML at build time via React Router v7 Framework mode — 26 public URLs ship with full <title>, description, canonical, Open Graph, Twitter Card, and JSON-LD (Organization, SoftwareApplication, Product, ContactPage, TechArticle, BreadcrumbList) before any JavaScript executes
  • Optional GA4 analytics gated behind a cookie consent banner — no tracking scripts load and no data is sent until the visitor opts in
  • Google Search Console and Bing Webmaster verification via VITE_GOOGLE_SITE_VERIFICATION / VITE_BING_SITE_VERIFICATION

Changed

  • Per-page metadata is authored as route-module meta exports (built via src/shared/seo/meta-helpers.ts); the previous <SEO> component and react-helmet-async dependency have been removed
  • Cookie Policy updated to cover optional analytics cookies alongside the strictly-necessary session/CSRF cookies

2026-04-05

Added

  • Tenant-wide MFA enforcement — workspace owners can require all members to use multi-factor authentication
  • Audit log metadata encryption (AES-256-GCM) for enhanced compliance
  • Kubernetes ResourceQuota for namespace-level resource limits

Fixed

  • Cache invalidation, credential validation, and security header improvements
  • Redis TLS support for encrypted cache connections

2026-04-02

Added

  • Hybrid Redis+PostgreSQL session storage with concurrent session limits and session history
  • Docs hub served path-based at redstick.ai/docs (with 301 redirect from the legacy docs.redstick.ai subdomain)
  • Real Stripe test credentials for E2E billing tests (replacing stripe-mock)
  • Per-suite tenant isolation for parallel billing E2E execution

Fixed

  • Help menu links updated to point to marketing site
  • Contact form moved from docs to marketing site

2026-03-31

Fixed

  • Security hardening: email verification enforcement, path matching, impersonation TTL
  • CORS wildcard validation and Cross-Origin-Resource-Policy header
  • K8s RBAC permission scoping (SOC 2 CC8.2)
  • Password history enforcement made mandatory (SOC 2 CC6.2)
  • CVE patches for litellm and go-jose/v3

2026-03-30

Added

  • SOC 2 / GDPR / ePrivacy compliance remediation (36 findings addressed)
    • Privacy policy, terms of service, and cookie policy pages
    • Cookie consent banner
    • Mandatory consent checkbox on signup
    • Data deletion extended to notifications, MFA config, and password history
    • Forensic log pruner (90-day retention)
    • Production health endpoint returns status only
  • Reliable feature dependency tracking with case-insensitive matching and validation warnings
  • E2E billing tests migrated to stripe-mock

Changed

  • Optional Docker Compose services moved to profiles (email, stripe, vectors) to reduce dev memory usage

2026-03-27

Added

  • In-app help menu with quick access to documentation, FAQ, and support
  • In-app feedback widget for bug reports and feature requests
  • Changelog page for tracking platform updates

2026-03-20

Added

  • Expanded egress firewall to block all dangerous ports
  • Admin plan management UI with max_services configuration
  • Outbound SMTP port blocking from user-accessible containers

Fixed

  • Payment recovery and billing state machine improvements
  • Paused state now properly cleared on all subscription transitions