Changelog

Format: Keep a Changelog.
Versioning: SemVer.

v0.3.0 — 2026-04-23 (Unreleased — current main)

Added

Dual-mode login — field identifier di POST /auth/login terima email ATAU username. Backend detect via presence ”@” untuk routing query. Legacy field email masih di-accept sampai v0.4
Username + nama lengkap di register — field baru username (3-40 char alnum+underscore, case-insensitive unique, reserved words blocked) + name untuk nama lengkap. Existing user di-backfill username dari email prefix via migration 017
Token anti-bypass layer — multi-layer defense untuk api_tokens:
- Strict format validation (regex cvsm_[0-9a-f]{64}) reject malformed tokens sebelum DB lookup
- Per-prefix rate limit (10 failed lookup dalam 5 menit → prefix locked 5 menit)
- Constant-time hash compare (defense-in-depth vs timing leak)
- Optional IP allowlist per token (array of CIDR atau single IP)
- Failed auth counter + auto-lock 1 jam setelah 5x IP allowlist miss
- Per-token last_ip + last_user_agent tracking untuk investigation
Support Agent — assistant built-in yang jawab pertanyaan user langsung di widget landing + dashboard, Indonesia-friendly, dengan escalate path ke tim support. Self-hosted semantic search (pgvector) + multi-layer retrieval. Auto-learn loop promote jawaban populer tanpa admin
Self-learning loop — user thumbs 👍/👎 otomatis naikkan akurasi jawaban seiring waktu. Near-miss paraphrase tracking via variants[]
Safety guardrails — PII masker untuk log, refusal untuk security-probing question, output scrubbing (Bearer token, env value, sensitive path)
Admin UI Agent panel — review logs, cluster grouping, CRUD knowledge, ML-draft answer saat promote cluster, visibility public/internal toggle, live ML status bar + 1-click reembed
Bulk operations untuk secrets:
- POST /teams/:id/secrets/bulk — create up to 500 secret per request, per-item error report
- POST /teams/:id/secrets/bulk/import-dotenv — paste isi .env langsung, parser support quoted value + export prefix + escape sequence
- POST /teams/:id/secrets/bulk/move-env — pindahkan banyak secret ke env baru (promote staging → production)
- DELETE /teams/:id/secrets/bulk — bulk delete (Admin+ only) dengan team_id scoping anti-IDOR
Dashboard bulk UI — checkbox per row, bulk-bar sticky dengan action “Pindah env” + “Hapus”. Import .env modal dengan file upload atau paste + preview line count + per-item result
Newsletter signup at register — checkbox di register form + auto-subscribe Google OAuth first-time user. SubscribeAuto skip double opt-in karena email sudah verified
Plan auto-fill di admin edit plan — pilih Starter → 50/3, Pro → 1000/20, Enterprise → manual
Public stats endpoint /api/v1/public/stats — landing metric ticker fetch real data (teams + secrets count), honest untuk bootstrap phase
4 SDK baru: Rust (cargo add calvery), PHP (composer require calvery/sdk), Ruby (gem install calvery), Shell (curl single-file install)
GitHub Actions SDK publisher — git tag sdk-vX.Y.Z auto-publish ke semua registry
Backup system — encrypted daily backup dengan 3-layer off-site: local AES-256-CBC, GitHub Releases (free forever), Telegram bot

Changed

Landing UI major upgrade — animated gradient mesh blobs di hero, 3D tilt feature cards (perspective 900px, rotate ±6° ikut cursor), magnetic CTA buttons (translate ikut cursor dalam radius 80px), metric ticker dengan ease-out counter animation, View Transitions API untuk smooth page nav (Chromium)
Dashboard shell — sidebar section heading + keyboard shortcut hint per nav item, team switcher dropdown caret fix (hilangkan duplikat Bootstrap default)
Public content — testimonial fake diganti founder’s note authentic, “Hubungi Sales” → “Hubungi Kami”, hapus “Hire/custom work” + “bug bounty payouts” (honest untuk solo maintainer)
Docs TOC scroll-spy — manual patch via JS supaya section terakhir tetap highlight saat scroll ke bottom (fix Starlight observer threshold bug)
Email contacts unified — semua user-facing kontak → [email protected]
Auto-migrate — Go app jalan migration SQL saat startup via internal/db/migrate.go + schema_migrations tracking

Security hardening (full audit)

FK cascade rules — team/user deletion tidak orphan secrets + audit logs
Privilege escalation guard — Admin tidak bisa invite/promote ke Admin atau Owner (hanya Owner)
Plan limits server-side — max_secrets + max_members enforced di CreateSecret, AddTeamMember, CreateTeamInvite (tidak bisa bypass lewat CLI)
Timing-uniformity login — dummy bcrypt compare saat user tidak ada, cegah user enumeration via response time
ILIKE escape — wildcard % dan _ di-escape di search query (ListSecrets, AdminListUsers, GlobalAudit)
Security headers middleware — XFO DENY, XCTO nosniff, HSTS 2 years, Permissions-Policy restrictive, remove X-Powered-By/Server
CORS production warning — log kalau APP_ENV=production + ALLOWED_ORIGINS=*
Newsletter strict rate limit — 5 req/10s per IP (sebelumnya 30/s, spam-friendly)
Generic error messages di invite token endpoint, login failures (tidak leak user existence / account type)
JSON binding validation — reject malformed payload di admin handlers + share creation (sebelumnya silent default to 0)
Docs implementation hiding — strip pg_trgm/sentence-transformers/rule-based dari FAQ + changelog + landing (resep stack tidak publish ke competitor)

Fixed

Logout loop race — setMe(null) sebelum navigate, flag cvsm_logging_out guard
Logout security — /me/logout-all otomatis saat logout supaya JWT server-side ter-invalidate
Admin /admin crash (Agent tab) — null-safe variants/tags/citations; backend ensure [] bukan null untuk empty arrays
Docs build warnings — delete custom 404.md (Starlight built-in handle), auto-clear .astro cache prebuild
Light mode docs inline code tidak terbaca — CSS override explicit

Migrations

011_agent.sql — agent_logs, agent_feedback, agent_knowledge
012_agent_autolearn.sql — auto_generated flag, last_tuned_at, knowledge_id FK
013_agent_embedding.sql — pgvector column + HNSW index (graceful skip kalau extension missing)
014_agent_visibility.sql — public/internal gating + variants[] tracking
015_site_content_honest.sql — UPDATE existing seed content (testimonial + pricing CTA)
016_fk_cascade_security.sql — cascade rules untuk team/user deletion, preserve audit trail via SET NULL
017_username_token_hardening.sql — add username (case-insensitive unique) ke users + backfill dari email prefix; add failed_auth_count, locked_until, last_ip, last_user_agent, allowed_ips ke api_tokens

v0.2.0 — 2026-04-21

Added

Google OAuth SSO — login dengan Google di calvery.xyz + dash. Akun lokal bisa di-link.
Secret sharing link — shr_* token, expire by view count (1-10×) + waktu (1h - 7d), revokeable
SDK publik — Node.js (@calvery/sdk), Python (calvery), Go (github.com/RenzyArmstrong/calvery-sdks/go)
Email campaign system — admin bisa send mass email ke subscribers/user, template editor di dashboard
Newsletter double opt-in — subscribe form di landing page footer
Docs site — docs.calvery.xyz pakai Astro Starlight, i18n (id/en) ready

Changed

Landing page cloud-first repositioning — hero terminal demo diganti dashboard mockup, deploy section featured managed cloud
Feature card “CLI nyaman” → “Browser-first”
Access Tokens page rebranded “Personal Access Tokens” → “API Access Tokens” (icon + copy)

Fixed

Logout redirect loop antara dash.calvery.xyz ↔ calvery.xyz/login. Solusi: /logout page cross-origin clear localStorage
Envelope from SMTP tidak pakai SMTP_USER (“resend”) lagi — extract dari SMTP_FROM

Migrations

009_oauth.sql — provider/provider_id/avatar_url di users, password_hash nullable
010_secret_shares.sql — tabel secret_shares + indexes

v0.1.3 — 2026-03-15

Added

Combo Tahap 1: 2FA/TOTP, usage quota per plan, onboarding checklist, session management
Admin content CMS (SEO, hero, pricing editable via dashboard)
Team slug system (globally unique, URL-safe)
Cross-origin token handoff via URL hash antara calvery.xyz ↔ dash.calvery.xyz

Fixed

Sidebar scroll mengikuti content (jadi sticky position)
Register error “users_email_key” → translate jadi “email sudah terdaftar”

Migrations

007_twofa_sessions.sql

v0.1.2 — 2026-02-20

Added

Email verification + password reset flow
Resend SMTP integration
Team invite via email (link token)
Personal Access Tokens dengan cvsm_* prefix

Migrations

004_email_flows.sql

v0.1.1 — 2026-02-10

Added

Admin panel (users, teams, plan management, audit global)
System admin badge (is_admin=true)
Audit log dengan IP + user agent

Migrations

003_admin.sql

v0.1.0 — 2026-01-25

Added

Initial public release
React + Vite + Bootstrap dashboard
Go + Gin backend
AES-256-GCM encryption
RBAC: Owner, Admin, Member, Viewer
Multi-environment (production, staging, development)
JWT auth
REST API
Docker Compose + systemd deploy

Migrations

001_init.sql
002_api_tokens.sql

SDK versioning

SDK berevolusi independent — pakai tag terpisah (sdk-vX.Y.Z untuk publish semua paralel):

SDK	Version	Registry
Node.js	`v0.1.0` (2026-04-21)	npmjs.com/package/@calvery/sdk
Python	`v0.1.0` (2026-04-21)	pypi.org/project/calvery
Go	`go/v0.1.0` (2026-04-21)	pkg.go.dev/github.com/RenzyArmstrong/calvery-sdks/go
Rust	`v0.1.0` (2026-04-22)	crates.io/crates/calvery
PHP	`v0.1.0` (2026-04-22)	packagist.org/packages/calvery/sdk
Ruby	`v0.1.0` (2026-04-22)	rubygems.org/gems/calvery
Shell	`v0.1.0` (2026-04-22)	`curl` single-file install

Roadmap

v0.4 (planned Q3 2026)

Billing (Midtrans + Stripe)
Webhook system untuk event notifications
Scoped tokens (per-environment, read-only)
Helm chart resmi
Audit log export CSV
Agent: Ollama backend opsional (self-hosted LLM, pluggable di atas interface Backend existing)

v0.5 (planned Q4 2026)

End-to-end encryption (E2EE) mode — user hold encryption key
Secret rotation otomatis (schedule + webhook)
OpenAPI spec publik untuk auto-generate client lain
Desktop app (macOS, Windows) pakai Tauri
Java SDK + C#/.NET SDK

v1.0 (planned Q1 2027)

Stable API lock (no breaking change tanpa major bump)
SOC 2 Type 1 audit
Public beta exit → GA
Terraform provider resmi
Kubernetes External Secrets Operator backend support