Changelog · what shipped
Built in the open.
Most recent first. Kept honest because Steve writes it as the work happens, not after.
2026-05-06
Public surface hardening overnight
- Branded 404 page (HTML for browsers, JSON for /api/*)
- Favicon — gold connector-graph SVG · served at .ico/.svg/apple-touch-icon paths
- /healthz?format=json exposes uptime, mem, demo cache size, LLM endpoints
- Allowlist env loader extended for OLLAMA_FALLBACK_URL + CC_KEY_ID
- robots.txt cleanup — removed dead duplicate handler
- /docs page · 5 curl examples for public + auth API surface
- /faq page (separate URL) with FAQPage JSON-LD for Google rich-result eligibility
- /privacy /terms /about — required SaaS pages
- Initial git commit · 88 files · secrets clean
2026-05-05 (evening)
Public homepage shipped
- / now serves a real public homepage (was login redirect)
- Live-demo widget — type a command, watch the LLM route it to one of 56 connectors
- 10-min LRU response cache + parallel preset-prime on boot + 25-min keep-alive ping
- /connectors directory — 1 hub + 56 indexable per-connector pages
- ItemList JSON-LD on /connectors · sitemap grew from 3 to 64 URLs
- Live route trail · rotating taglines · tile float anim · animated thinking state
- ?demo=<query> deep-link from connector pages auto-fires the demo
- "How it works" 3-step · 8-question FAQ section · footer cross-links
2026-05-05 (afternoon)
Security floor
- AES-256-GCM at-rest encryption with versioned key_id envelope (rotation supported)
- Atomic write + fsync(2) in save() — no partial writes, no power-loss corruption
- Loud-fail load() — corrupt JSON → move file aside + exit · never return defaults
- chmod 0700 data/ · 0600 *.json · plaintext never persists
- CSP · HSTS preload · X-Frame-Options DENY · X-Content-Type-Options nosniff
- Rate limits (login 5/15min, demo 8/min)
- esc() XSS sweep across all 5 user-facing HTML pages
- Type-coerce req.session.sub to string everywhere (mixed-id partition fix)
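
The first three items above (key_id envelope, atomic save, loud-fail load) fit together as in this added sketch, which is not the project's own code. The envelope field names (v, iv, tag, ct), the Map keyring and the helper names seal/unseal are assumptions, and load() throws where the changelog's version exits.

```javascript
// Added example; envelope field names, keyring shape and helper names are assumptions.
const crypto = require('node:crypto');
const fs = require('node:fs');
const path = require('node:path');

// Encrypt under the active key. key_id is bound in as AAD so it cannot be swapped.
function seal(obj, keyring, activeId) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce on every write
  const c = crypto.createCipheriv('aes-256-gcm', keyring.get(activeId), iv);
  c.setAAD(Buffer.from(activeId));
  const ct = Buffer.concat([c.update(JSON.stringify(obj), 'utf8'), c.final()]);
  return JSON.stringify({ v: 1, key_id: activeId, iv: iv.toString('base64'),
    tag: c.getAuthTag().toString('base64'), ct: ct.toString('base64') });
}

// Decrypt with whichever key the envelope names, so old files survive rotation.
function unseal(text, keyring) {
  const env = JSON.parse(text);
  const key = keyring.get(env.key_id);
  if (!key) throw new Error(`unknown key_id ${env.key_id}`);
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(env.iv, 'base64'));
  d.setAAD(Buffer.from(env.key_id));
  d.setAuthTag(Buffer.from(env.tag, 'base64'));
  const pt = Buffer.concat([d.update(Buffer.from(env.ct, 'base64')), d.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Atomic save (POSIX): write temp file as 0600, fsync, rename over target, fsync the dir.
function save(file, obj, keyring, activeId) {
  const tmp = `${file}.${process.pid}.tmp`;
  const fd = fs.openSync(tmp, 'w', 0o600);
  try { fs.writeSync(fd, seal(obj, keyring, activeId)); fs.fsyncSync(fd); }
  finally { fs.closeSync(fd); }
  fs.renameSync(tmp, file);
  const dir = fs.openSync(path.dirname(file), 'r');
  try { fs.fsyncSync(dir); } finally { fs.closeSync(dir); }
}

// Loud-fail load: on a parse or auth failure, move the file aside and rethrow.
function load(file, keyring) {
  try { return unseal(fs.readFileSync(file, 'utf8'), keyring); }
  catch (err) {
    if (err.code !== 'ENOENT') fs.renameSync(file, `${file}.corrupt-${Date.now()}`);
    throw err; // caller exits; defaults are never returned
  }
}
```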
2026-05-05 (morning)
Foundation
- Express + JSON store · per-user credential vault
- OAuth2 generic handler for 7 vendors (Google · Slack · Stripe · Notion · HubSpot · Mailchimp · Discord)
- 56 connector catalog · sensitive-action approval queue · audit log
- Local Ollama routing (qwen3:14b on Mac Studio 1) — zero third-party LLM API
- Browserbase OAuth-app registration sandbox
- API.md (~520 lines) · DEPLOY.md · PLAN.md
Subscribe via RSS · or email info@agentabrams.com for direct notifications.