Changelog

Every notable change to Pitch Ready — what shipped, when, and why. Security, reliability, observability, and product features grouped by release.

Deploy stabilization

#2026-04-28

Hotfixes resolving a chain of Vercel build failures uncovered after our first production push. End-to-end verified live: edge rate limiter active, healthcheck returning 200, landing p95 ~740ms.

  • Fixed

    Vercel deploy chain unblock

    Three coordinated fixes: bumped inngest ^3.49.1 → ^3.54.0 to satisfy Vercel's marketplace CVE check; pinned @aws-sdk/client-s3 and @aws-sdk/s3-request-presigner to exact 3.967.0 because newer versions transitively pulled the ESM-only @nodable/entities@2.1.0, which broke Next.js page-data collection with ERR_REQUIRE_ESM; updated the vercel.json installCommand to npm ci --legacy-peer-deps to bypass an irrelevant @sveltejs/kit peerOptional conflict. Note that --legacy-peer-deps skips peer-dependency resolution for the whole install, not just that one package, so the lockfile plus the exact pins are what keep the resolved tree deterministic.

  • Fixed

    E2E test fixes from first CI run

    MVP banner test now matches the actual copy. Get-Started + About navigation tests use page.waitForURL with a longer timeout to handle dev-mode first-compile latency. Playwright output directories added to .gitignore.

Production-hardening sprint

#2026-04-27

Multi-phase production-readiness arc covering security, reliability, observability, quality, performance, and operational readiness. The platform graduated from MVP-banner-only to defensibly production-ready.

  • Security

    OAuth account-linking lockdown

    Removed allowDangerousEmailAccountLinking: true from the Google and GitHub providers. With that flag set, an OAuth sign-in whose profile email matched an existing user was silently linked to that user, so anyone who could present the victim's email address through one of those providers was signed in as the victim. A sign-in from a provider that is not yet linked to an existing email now fails with NextAuth's OAuthAccountNotLinked error, and the user has to sign in the way they originally did.

  • Security

    AI provider opt-out signaling

    Added X-Pitch-Ready-Origin: commercial-api headers to all OpenAI / Anthropic SDK clients across the analysis pipeline and the chat / script / roadmap / investor-view routes. Documents the commercial-API stance explicitly for auditors and abuse monitoring. The header is a self-declared marker, not a provider-defined control: the actual training and retention guarantees come from each provider's API terms, not from this header.

  • Security

    Explicit S3 server-side encryption

    PutObjectCommand now sets ServerSideEncryption: AES256. The presigner folds that parameter into the signed headers, so the browser upload client sends a matching x-amz-server-side-encryption: AES256 header on the PUT; without it the SigV4 signature does not validate and the upload is rejected. Defense in depth on top of R2's default at-rest encryption.

  • Security

    Privacy policy data-retention disclosure

    Added an explicit "no automatic deletion" section. Encryption claim clarified to AES-256. Last-updated date refreshed.

  • Security

    Vulnerability disclosure policy

    SECURITY.md added with disclosure email, safe-harbor language, and scope guidelines.

  • Reliability

    Distributed rate limiter (Upstash)

    Replaced the in-memory Map, which was per-instance (reset on every cold start and unable to enforce one limit across instances), with @upstash/ratelimit sliding-window backed by Vercel KV. Sliding window prevents the up-to-2× burst a fixed window allows at a boundary. Fail-open with a Sentry warning so a Redis hiccup doesn't take down the API; the trade-off is that the ceiling is unenforced for the duration of a KV outage, which is why the warning has to be watched. ephemeralCache remembers rejected identities in-process so repeat rejections skip the round trip to Redis.

  • Reliability

    Edge rate limiting in middleware

    120/min per-identity ceiling on /api/* (excluding /api/auth, so sign-in is never blocked by the limiter, and /api/inngest, which Inngest authenticates with its own signing key). Identity hierarchy: authenticated userId, then client IP. IP keys are a coarse fallback: users behind a shared NAT pool one limit and an attacker with many addresses gets many limits, so the userId key is the one that matters for authenticated abuse. Rejections happen at the edge before reaching the route function, which saves invocation cost during abuse.

  • Reliability

    Mock-fallback fail-fast

    /api/assessments/[id]/analyze now returns HTTP 503 in production when AI keys are missing instead of silently serving mock output. Mock requires an explicit MOCK_ANALYSIS=true opt-in and is honoured in dev only. Boot fails loudly on Vercel if the OpenAI, Anthropic, or KV env vars are missing, so a misconfigured deploy is caught at startup rather than on the first user request.

  • Reliability

    Sentry tag consistency

    Every /api/* catch block now calls Sentry.captureException with a route tag. Filterable by route in Sentry Issues for faster triage.

  • Observability

    Structured logging foundation

    Adopted pino. Production JSON output, dev-mode pretty-print. Service tag on every line. Redaction for authorization / cookie / password / token paths. Migrated all server console calls in the analysis pipeline, Inngest functions, and 18+ API routes to structured logger calls — Vercel logs are now filterable by route, userId, assessmentId, and stage.

  • Observability

    Healthcheck endpoint

    GET /api/health pings Supabase and Upstash in parallel. Returns 200 ok or 503 degraded with a sanitized checks object (pass/fail per dependency; no error messages, hostnames, or connection details, since the endpoint is unauthenticated). No auth because it is designed for external uptime monitors; it still sits under the /api/* edge rate limit, which is what the healthcheck-flood k6 scenario exercises. Cache-Control: no-store so every poll hits the live check. Includes the deploy SHA for correlation.

  • Observability

    SLO targets documented

    docs/SLOs.md: latency p50/p95/p99 per endpoint, availability targets per surface (99.9% landing, 99.5% upload, 99.0% AI-dependent), error rate (<1% 5xx), error budget arithmetic, breach-response order of operations.

  • Observability

    k6 load testing

    Three scenarios (landing burst, healthcheck flood, rate-limit verification). Weekly Monday cron via GitHub Actions runs against production with 10% smoke load. Manual dispatch supports full load against preview deploys. Thresholds map directly to SLO numbers.

  • Observability

    Operational runbook

    docs/RUNBOOK.md: deploy rollback, rate-limiter KV flush, Inngest stuck-analysis re-trigger, OAuth-binding reset for lost-email-access users, incident-response-by-symptom matrix, quarterly Supabase backup-recovery drill (<30 min RTO target), Sentry/Vercel alert wiring.

  • Added

    Email assessment notifications

    Inngest events fire on analysis completion (gated on user opt-in) and failure (always sends — failure isn't promotional content). Inline-styled HTML + plain text email templates. Idempotency keys on every event prevent duplicate emails on retry.

  • Added

    DB-persisted user preferences

    Replaced localStorage notification settings with profiles table columns. Preferences now sync across devices. Migration 011 added email_on_complete, email_weekly_digest, email_product_updates, browser_notifications, and reduce_motion (the last one provisioned for an upcoming accessibility feature).

  • Quality

    Vitest unit test suite

    47 tests across 5 lib files (rate-limit, helpers, env, retry, scoring calculator). 78% line coverage on the tested surface with thresholds enforced in CI. Vitest 3 + jsdom + @vitest/coverage-v8.

  • Quality

    Multi-browser end-to-end testing

    Playwright now runs across chromium, firefox, and webkit in CI as a parallel matrix. @axe-core/playwright scans landing / login / privacy for serious or critical WCAG 2.1 AA violations.

  • Quality

    CI/CD pipeline

    GitHub Actions workflow with four jobs (lint+typecheck, unit tests, build, e2e × 3 browsers). Dependabot configured for weekly grouped npm updates and monthly Actions updates. Vercel deploy config explicit in vercel.json.

  • Quality

    All ESLint errors resolved

    Fixed three errors including a latent stale-closure bug in the assessment creation flow. MVP banner refactored to useSyncExternalStore for SSR-safe + cross-tab sync. Final state: 0 errors, 37 unused-import warnings (safe to leave).

  • Performance

    Bundle hygiene

    Removed unused html2canvas direct dep (PDF export uses jspdf programmatically). Added framer-motion to optimizePackageImports for tree-shaken motion components.

  • Performance

    Image optimization config

    next/image remotePatterns allowlist for YouTube thumbnails, Supabase storage, and Cloudflare R2, so /_next/image only fetches and re-encodes images from those hosts. Prevents the image-optimization endpoint from being abused as an open proxy for arbitrary URLs.

  • SEO

    JSON-LD structured data

    Root layout embeds Organization + WebApplication schema in a @graph. Helps search engines render rich snippets for the platform.

  • Operations

    Authentication & account recovery documented

    README now describes the passwordless-only auth stance and links to the manual recovery procedure in RUNBOOK.md for users who lose email access.

Earlier

Pre-2026-04-27 platform iterations

#earlier

Summarized from commit history. Detail is high-level — these features predate the changelog.

  • Added

    Pitch analysis pipeline

    File upload via presigned R2 URLs; Whisper transcription with FFmpeg fallback for >25MB videos; Claude V2 deck-vision + content analysis; 6-dimension scoring calculator with vertebrae framework; iteration tracking via parent_assessment_id.

  • Added

    Reports + exports

    Score gauge, breakdown components, vertebrae checklist, score simulator, roadmap-to-ready, script generator, archetype coaching, benchmark display. Markdown + PDF export.

  • Added

    Claude chat assistant

    Three modes — assistant, coach, investor — with company-profile-aware prompts. Sonnet for everyday assistance, Opus for deeper coaching and investor simulation.

  • Added

    Assessment management + comparison

    CRUD with soft-delete. Side-by-side comparison view showing dimension deltas, finding diffs, and vertebrae status changes between iterations.

  • Added

    Investor view + benchmarking

    Claude-generated FOMO indicators, red flags, predicted investor questions, and verdict. Rule-based fallback when generation fails. Aggregate score benchmarking endpoint.

  • Added

    Public sharing

    Token-based assessment shares with 30-day expiry. Read-only /shared/[token] view for sending reports to advisors or investors; anyone holding the link can read the report until the token expires, so the token itself is the only credential.

  • Added

    Authentication

    NextAuth.js v4 with magic-link (Resend SMTP) plus Google + GitHub OAuth. Supabase adapter. 30-day JWT session.

  • Added

    Demo mode

    DEMO_MODE=true env flag enables a credentials provider for local testing without infrastructure, plus mocked assessment data for UI development. Intended for local use only; keep it unset in production deployments.

  • Added

    Settings, About, Privacy, Terms pages

    Full account settings panel (profile, notifications, appearance, accessibility). Static legal + about pages.

  • Added

    Light/dark theme

    next-themes integration. Defaults to light mode. Landing page uses an amber accent scope that doesn't bleed into other pages.
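Worked example for the "Public sharing" entry above. This is added illustration code, not the project's sharing implementation; the page only says shares are token-based and expire after 30 days, so the store shape, the function names, revocation and the 32-byte token size are assumptions. It shows the two properties a bearer-token share link needs: enough entropy that a link cannot be guessed, and hashed-at-rest storage so a leaked shares table does not hand out working links.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Added example (not the project's code): issuing and resolving share tokens
// with a 30-day expiry. Store shape, names and revocation are assumptions.

const SHARE_TTL_MS = 30 * 24 * 60 * 60 * 1000;

type ShareRecord = {
  assessmentId: string;
  createdAt: number;
  expiresAt: number;
  revokedAt: number | null;
};

// Tokens are stored only as SHA-256 hashes: a leaked shares table then
// contains nothing that opens a report, and lookups stay an exact key match.
function hashToken(token: string): string {
  return createHash("sha256").update(token, "utf8").digest("hex");
}

function createShare(store: Map<string, ShareRecord>, assessmentId: string, now = Date.now()): string {
  const token = randomBytes(32).toString("base64url"); // 256 bits, URL-safe, 43 chars, no padding
  store.set(hashToken(token), {
    assessmentId,
    createdAt: now,
    expiresAt: now + SHARE_TTL_MS,
    revokedAt: null,
  });
  return token; // handed to the user once; never persisted in the clear
}

// Owners revoke by the stored hash (what their "my shares" list would hold),
// so revocation never needs the clear-text token.
function revokeShare(store: Map<string, ShareRecord>, tokenHash: string, now = Date.now()): boolean {
  const rec = store.get(tokenHash);
  if (!rec || rec.revokedAt !== null) return false;
  rec.revokedAt = now;
  return true;
}

function resolveShare(
  store: Map<string, ShareRecord>,
  token: string,
  now = Date.now(),
): { assessmentId: string } | null {
  // Reject anything that is not a well-formed token before hashing: cheap, and
  // keeps junk out of the lookup path.
  if (!/^[A-Za-z0-9_-]{43}$/.test(token)) return null;
  const rec = store.get(hashToken(token));
  if (!rec) return null;
  if (rec.revokedAt !== null || now >= rec.expiresAt) return null;
  return { assessmentId: rec.assessmentId };
}
```

The /shared/[token] route would call resolveShare with the path parameter and render read-only on a hit, 404 otherwise; returning the same 404 for unknown, expired and revoked tokens avoids telling a link holder which of the three applies.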