Changelog
What shipped recently. Most changes land the same day they're written.
2026-04-17
Domain ownership verification, CI safety invariants, broader secret detection
- Domain ownership verification — DNS TXT and HTML file methods, stored in `domain_claims.verified_at`.
- CI safety invariants — every push runs `test:safety` before `next build` to catch scanner regressions.
- Gitleaks-style secret detection — 32 new secret types added to the in-page scanner.
- Supabase 100-row sampling for exposed tables (up from 10), so evidence reflects real leakage scale.
2026-04-16
Ethical tier system, attack scenarios, full .env evidence
- Ethical tiers — `passive`, `active`, and `intrusive` scans gated by ownership proof.
- Attack scenarios attached to every finding, so engineers see the "so what" without pivoting to docs.
- `.env` full-content evidence — when a `.env` file is publicly served, the report shows the exact secrets found.
2026-04-15
Stealth proxy, universal API probes, new platform detectors
- Stealth proxy via staticgate.dev to bypass aggressive WAF challenges during scans.
- Universal API probe — GraphQL, PocketBase, Appwrite, and Convex endpoint detection.
- Better detection on Base44, Lovable, Bolt, Bubble, and raw Supabase-backed apps.