All updates
frontend
backend
auth
devops

Public changelog pages: subdomains, Linear theme, and password gate

  • Public-facing changelog pages with subdomain URLs and a Linear-style themeThe app now serves public changelogs at [slug].suprlogs.app (or /changelog/[slug] in dev). Public list and entry pages are server-rendered with SEO/Open Graph metadata, a Linear-inspired design, tag filtering, inline expansion, and an optional password visibility gate.

New Features

  • Added transparent subdomain routing so requests to [slug].suprlogs.app are rewritten to /changelog/[slug]/*, allowing one deployment to serve both the admin site and public changelogs.devops
  • Added a server-rendered changelog list page (/changelog/[slug]) with a Linear-style feed, tag filter, date grouping, and inline entry expansion that updates the browser URL without a reload.frontend
  • Added an SEO-friendly entry page (/changelog/[slug]/entries/[id]) with article Open Graph/Twitter tags and a canonical link.frontend
  • Added a full-page password gate for visibility='private' changelogs that shows a branded unlock UI when the viewer lacks a valid cookie.frontend

API

  • Added public REST endpoints: GET /v1/changelog/:slug (list) and GET /v1/changelog/:slug/entries/:id (single entry) that return published entries without authentication.backend
  • Added POST /api/changelog/[slug]/unlock which verifies a supplied password against the stored bcrypt hash and sets a 24‑hour HttpOnly cookie on success.backend
  • Updated PATCH /api/projects/[slug]/settings to accept a plain-text visibility_password and store only a bcrypt hash (bcrypt rounds = 10).backend

Improvements

  • Added buildChangelogUrl() to consistently build canonical subdomain URLs in production and path-based URLs in development.frontend
  • Added groupEntriesByMonth() utility and used it to render date-grouped sections in the public feed; preserved input ordering within each group.frontend
  • Updated Project Settings UI to allow setting a changelog access password when visibility is set to private and showed the canonical public URL for each project.frontend
  • Installed bcryptjs and its types to support server-side password hashing and verification.backend
  • Updated middleware to exempt /changelog/* from Clerk auth so public changelog paths are bypassed when accessed directly under suprlogs.com.auth

Security

  • Hashed changelog visibility passwords with bcrypt before saving and never stored plain-text passwords.security
  • Set an HttpOnly, same-site, secure cookie when unlocking private changelogs to reduce exposure of credential data in the browser.auth

Documentation

  • Added NEXT_PUBLIC_CHANGELOG_DOMAIN to .env files, turbo.json, and README and documented how subdomain routing works and how to configure Vercel wildcard domains.devops
  • Documented the public changelog feature and implementation details in docs/changelog.md.docs

Testing

  • Added 14 tests (8 middleware/subdomain and 6 date-grouping); all web tests (57) passed.frontend