Changelog

What we shipped

Every meaningful update to EditBuddy, in reverse chronological order. Subscribe via RSS at /changelog.rss (coming soon) or follow updates by email — sign in to your account and toggle on product updates.

v1.4 2026-04-22

Security hardening + design system

Added

  • Cloudflare Turnstile on signin (Google + magic link), free key redemption, and promo code redemption — bot protection across every public-input endpoint.
  • Sentry error monitoring across all 23 pages with PII stripping, ad-blocker noise filtered, performance tracing off to conserve quota.
  • Branded /security page with sub-processor list and security practices. Branded /500 error page with request-ID display.
  • Design system v2 in global.css — color/spacing/type/motion tokens for consistent styling across new components.
  • 5 new use-case landing pages: YouTube creators, podcasters, agencies, course creators, video editors.
  • 4 new comparison pages: vs Descript, vs Opus Clip, Premiere Pro auto edit plugins, vs AutoPod, vs TimeBolt.
  • /contact, /changelog, dedicated /features/auto-zoom pages.

Security

  • Strict-Transport-Security with HSTS preload (max-age=63072000; includeSubDomains; preload).
  • X-Frame-Options switched from SAMEORIGIN to DENY; full Permissions-Policy lockdown; COOP same-origin; CORP same-site.
  • Content-Security-Policy in report-only mode, violations route to Sentry. Enforce mode after 24h of clean reports.
  • Session cookies migrated to __Host- prefix — blocks subdomain takeover attacks.
  • Per-user rate limiting on free tier (independent of IP); webhook race condition closed via atomic insert claim; refund handler refuses to guess on ambiguous license matches.
  • CodeQL, Semgrep, gitleaks, Dependabot configured for the GitHub repo.
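The header and cookie settings in this list can be verified mechanically. The block below is an added example, not EditBuddy's own code: it audits a response against the values listed above and applies the browser rules for `__Host-` cookies (Secure, Path=/, no Domain attribute). The sample header values and the cookie name `__Host-session` are constructed.

```python
# Added example: audit response headers against the v1.4 Security list.
# All sample values below (including the cookie name) are constructed.
EXPECTED = {
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "x-frame-options": "DENY",
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-resource-policy": "same-site",
}
CSP_HEADERS = ("content-security-policy", "content-security-policy-report-only")

def directives(value):
    """Split a ';'-separated header value into a set of lowercase directives."""
    return {d.strip().lower() for d in value.split(";") if d.strip()}

def check_host_cookie(set_cookie):
    """Return rule violations for a Set-Cookie value meant to use __Host-."""
    name, _, rest = set_cookie.partition("=")
    attrs = {}
    for part in rest.split(";")[1:]:          # skip the cookie value itself
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    problems = []
    if not name.strip().startswith("__Host-"):
        problems.append("name lacks __Host- prefix")
    if "secure" not in attrs:
        problems.append("Secure attribute missing")
    if attrs.get("path") != "/":
        problems.append("Path must be /")
    if "domain" in attrs:
        problems.append("Domain attribute must be absent")
    return problems

def audit(headers, set_cookies):
    """Return a list of findings; an empty list means the policy is met."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, want in EXPECTED.items():
        if name not in h:
            findings.append(f"{name}: missing")
        elif directives(h[name]) != directives(want):
            findings.append(f"{name}: unexpected value {h[name]!r}")
    if not any(c in h for c in CSP_HEADERS):
        findings.append("content-security-policy: missing (enforced or report-only)")
    for cookie in set_cookies:
        cname = cookie.partition("=")[0].strip()
        findings += [f"cookie {cname}: {p}" for p in check_host_cookie(cookie)]
    return findings

if __name__ == "__main__":
    sample = {**EXPECTED, "Content-Security-Policy-Report-Only": "default-src 'self'"}
    print(audit(sample, ["__Host-session=abc; Path=/; Secure; HttpOnly; SameSite=Lax"]))
```

Permissions-Policy is not checked because the changelog does not give its value.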

Fixed

  • Browser prompt() dialog removed from checkout flow — replaced with proper signed-in detection + login redirect.
  • Admin user table now defaults to "Active" filter; Revoked and Blocked users hidden by default but reachable via filter tabs.
  • FAQ accordion JS no longer crashes when page contains <details>-based FAQ (homepage CSP report-only no-blank-page regression).
  • Privacy page provider list updated to reflect actual sub-processors (Anthropic, Pexels, Pixabay added).

v1.3 2026-04-21

SEO foundation + landing

Added

  • 6 feature landing pages: silence removal, retake removal, auto captions, auto B-roll, podcast multi-cam, long-form to shorts. Each with SoftwareApplication + FAQPage JSON-LD.
  • FAQ section on homepage with 11 questions and FAQPage schema.
  • Open Graph banner image (1200×630) generated and wired across all pages.
  • GDPR consent banner with DNT/GPC respect.
  • /.well-known/security.txt, /robots.txt, /sitemap.xml auto-generated and served with proper headers.
  • Branded /404 page.

Security

  • Refund handling fully wired in Paddle webhook (transaction.refunded + adjustment.created with action refund/chargeback) — license + device activations revoked atomically.
  • Multi-tier promo code system rebuilt to support trial / pro_monthly / pro_yearly with admin direct-grant.
  • HTTP error responses now strip Postgres internals, return user-friendly messages with request IDs for support.

v1.2 2026-04-15

Music feature overhaul (extension)

Added

  • AI music planner with YouTube source support and improved ducking against speech.
  • Auto Reframe enabled by default for Long → Shorts pipeline.
  • Trial gate for free tier (3 videos / week) wired through the Auto Edit pipeline.

v1.1 2026-04-10

Long → Shorts cleanup & multi-clip rebuild

Added

  • Take group system v24 — multi-signal scoring with Keep Last / Keep Longest / Keep Best strategies.
  • Backup sequence created automatically before any destructive timeline edit.
  • Multi-clip rebuild now handles timelines with dozens of clips from different source files.

v1.0 2026-04-01

Initial release

  • Six core features shipped: silence removal, retake detection, auto captions, auto zoom, auto B-roll, podcast multi-cam.
  • Paddle billing integration with subscription + one-time credit pack pricing.
  • Supabase auth (Google OAuth + magic link).
  • Vercel-hosted serverless API for licensing, credits, telemetry.