Changelog

What's new

Follow the evolution of Gatewarden Nexus. New features, improvements, and platform updates will appear here.

v0.5.0

Document management, vector search, and onboarding improvements

Document Management

  • Project documents — upload, organize, and version documents per project with S3-backed storage and CloudFront CDN delivery.
  • Vector search — semantic search across uploaded documents using pgvector embeddings for intelligent retrieval.
  • OCR and AI analytics — automatic text extraction from PDFs and images with AI-powered metadata tagging and categorization.

Onboarding

  • Demo license request — new users can request a demo license to explore the full platform before committing.
  • Community showcase — read-only sample project with example ADRs, sessions, and documents for onboarding.
  • FAQ section — comprehensive FAQ and “Why Nexus” page based on real developer survey responses.

Improvements

  • Revised pricing — updated pricing model for Starter and Teams tiers.
  • Early Access landing page — updated public-facing page reflecting the current development stage.
  • Email templates — rebranded and streamlined across all outbound emails.

v0.4.0

Devbox integration, skill lifecycle, and entity reviews

Developer Experience

  • Devbox integration — interactive developer shell with module system for local development, diagnostics, and deployment tooling.
  • Skill lifecycle management — full CRUD for reusable agent skills with versioning, review workflow, and project assignment.

Governance

  • Entity review system — structured review workflow for skills and agent files with inline comments, state transitions, and audit trail.
  • Notification subscriptions — per-user notification preferences for ADR changes, session summaries, and letter updates.

Improvements

  • Performance — N+1 query elimination, batch loading for project overview widgets.
  • Session UI — enhanced with user attribution, avatars, timestamps, and markdown rendering.
  • CLI stabilization — improved install.sh, preflight checks, --yes flag for non-interactive usage.
  • MCP server — expanded to 38 tools across 4 layers.

v0.3.11

Customer billing fields, notification subscriptions, and CLI CDN migration

Customer Management

  • Billing fields — new customer_number, vat_id, reverse_charge, and short_id columns on the customers table.
  • Invoicing fieldset — dedicated section in customer edit form with reverse charge toggle and VAT ID input.
  • New customer wizard — extended with customer number, short ID, VAT ID, and reverse charge across creation steps.
  • Project agent prefix — new projects auto-derive agent prefix from the customer's short_id.

Notification Subscriptions

  • Topic-based subscriptions — subscribe to release updates, feature previews, and beta releases per product (App, CLI, MCP, or all).
  • Settings UI — toggle-based subscription management in the Settings page.
  • GDPR unsubscribe — public /unsubscribe?token=... page for one-click unsubscribe without login, plus List-Unsubscribe header in all subscription emails.

CLI & Infrastructure

  • CDN installer: install.sh migrated from GitHub raw URLs to S3/CloudFront for reliable access from the private repo.
  • CLI v0.1.5 — released with corrected installer URLs.

Fixed

  • Dashboard overflow — long descriptions in recent sessions and decisions no longer break layout.

v0.3.10

Security hardening, DB indexes, and error sanitization

Security

  • MCP project access — added checkProjectAccess() to 14 MCP action handlers that were previously accessible to any authenticated user.
  • SQL injection fix — added escapeIlike() to decisions search route to prevent injection via unsanitized string interpolation.
  • Error sanitization — replaced 38 instances of raw Supabase error leaks with sanitizeDbError() across all 10 MCP route files.
  • CLI path traversal — reject .. components in agent file write paths.
  • HTTP timeouts — 30s fetch timeout on MCP server, 30s request + 10s connect timeout on CLI.

Performance

  • DB indexes — 10 B-tree indexes on FK columns across sessions, tasks, letters, and related tables.
  • MCP search — replaced select('*') + JS filtering with DB-level ILIKE filtering and per-type result limits.
  • Dashboard counts — capped unbounded count queries with BATCH_LIMIT (10,000).

Fixed

  • force-dynamic — added export const dynamic = 'force-dynamic' to 59 cookie-dependent API routes to prevent Next.js from statically caching auth-dependent responses.

v0.3.9

Community license tier with full quota enforcement

Community Tier

  • Hard quota limits — 1 seat, 0 customers, 3 private-only projects, 50 sessions, 10 decisions, 1 GB storage.
  • Quota enforcement — session, decision, storage, skill, and agent file creation blocked when limits are reached across both webapp and MCP APIs.
  • Seat check — new user registration blocked when seat quota is exceeded.
  • Private-only projects — community tier restricted to private project visibility.

License UI

  • Community badge — new tier badge styling for community accounts.
  • Quota gauges — sessions and decisions usage gauges added to the license page.
  • Plan comparison — 4-column grid comparing Community, Professional, Business, and Enterprise tiers.

v0.3.8

Landing page preference, agent file assignments, and admin mail

User Experience

  • Landing page preference — configure which page to show after login (Settings > Landing Page) with 2-level dropdown supporting direct project navigation.
  • Cross-project navigation — new Coordination menu item (placeholder for linked-projects feature).

Agent Files

  • Project assignments — M:N junction table for assigning global agent files to specific projects with version pinning and enable/disable toggle.
  • Scoped export: af_export now returns project-level assignments instead of all tenant files. Project directives are embedded into agent-category files during nexus pull.

Email & Notifications

  • Project membership emails — rich HTML templates for invite, role change, and removal notifications.
  • Admin mail inbox — full admin UI for inbound emails from Resend webhooks with search, pagination, bulk delete, and reply functionality.

Security

  • Admin mail hardening — ILIKE injection prevention, UUID validation, from-address allowlist, iframe sandbox XSS protection.

v0.3.7

Skill editor UX overhaul

Editor Improvements

  • Source-first editing — skill editor now opens in markdown source view by default with a segmented Source/Preview toggle.
  • Integrated upload — Upload .md button moved directly into the editor toolbar alongside the source/preview toggle.
  • Tags in control pane — tag picker relocated from the markdown area into the settings panel alongside command name and description.
  • Status badge — skill status now appears right-aligned in the actions bar next to Edit / Save / Cancel.

Lifecycle Management

  • Danger Zone — new section with archive/unarchive and permanent delete (slug-based confirmation), replacing the top-bar archive button.
  • DELETE API — new endpoint for permanent skill deletion with full cascade (tags, commands, versions, assignments, reviews).

Skill Creation

  • Blueprint template — downloadable skill-blueprint.md with all recommended sections, hosted on S3/CloudFront.
  • New default tags — Workflow, Code Quality, DevOps, Testing, Documentation, Agent, and Init added to the tag library.

v0.3.6

Code audit, security fixes, and dead code cleanup

Bug Fixes & Security

  • MCP auth profile lookup — fixed wrong column in profile query causing MCP tokens to always get displayName: null.
  • MCP actor identity — resolveActor now returns auth user UUID instead of surrogate PK.
  • Decision links security — DELETE handler now scopes by decision_id, preventing cross-project link deletion.
  • Guarded request.json() — 7 API routes now catch malformed JSON payloads instead of crashing.

Performance

  • Query parallelization — 6 dashboard pages now run independent queries via Promise.all (settings, customers, sessions, letters, session detail, decision edit).
  • License quota check — 5 independent quota queries parallelized; eliminated wasted query that fired but was never awaited.
  • Replaced framer-motion — mobile nav animation now uses pure CSS keyframes (~130KB removed from client bundle).

Cleanup

  • Removed 4 unused npm deps — zod, dayjs, react-use-measure, framer-motion.
  • Removed ~64 template assets — placeholder images and SVGs from Radiant/Tailwind UI template across 12 directories.
  • Dead code removal — deleted unused proxy.ts, dead CSS keyframe, and no-op useEffect.
  • Error boundaries — added root not-found.tsx (branded 404) and error.tsx (root error boundary).
  • MCP auth refactor — deduplicated token logic by importing shared utilities from api-auth.ts.

v0.3.5

Code quality, performance, and consistency fixes

Performance

  • N+1 query elimination — letters and sessions list pages now fetch message/entry counts in a single batch query instead of one query per row.
  • Query parallelization — customer detail page now runs projects, contracts, and profile queries in parallel via Promise.all.
  • Loading skeleton — new dashboard loading.tsx provides a shimmer placeholder during RSC navigation.

Code Quality

  • Safe error handling — new shared toApiError() utility replaces 29 unsafe error casts across 13 API routes with proper type checking.
  • Unified status styles — consolidated 7 duplicate STATUS_COLORS maps into a single shared module, fixing color inconsistencies between pages.
  • Explicit column selects — skills API GET now uses explicit column lists instead of .select('*').
  • Error observability — 5 silent catch blocks now log warnings for easier debugging.
  • Removed debug logging — cleaned up console.log left in project delete endpoint.

v0.3.4

Skill versioning, markdown editing, and UI refinements

Skill Versioning

  • Version history panel — skill detail page now shows all version snapshots with view/switch capability. Older versions display read-only with amber banner.
  • Create new version — checkbox in edit mode saves content as a new version (v{N+1}) and resets status to draft, requiring a new review cycle.
  • Version seeding — existing skills with version > 1 now have backfilled snapshots, making all versions selectable in the project skills dropdown.

Skill Editing

  • Markdown preview/source — skill content uses the same MarkdownDocument component as ADRs, with live preview and source toggle.
  • File upload — upload .md/.txt files directly in edit mode. Frontmatter extraction for description.
  • Custom command slug — editable command name when auto-generate is enabled (default derives from skill ID).

UI/UX

  • Clickable skills — skill names and IDs in both the management table and project skills view are now clickable links to the skill detail/edit page.
  • Governance widget — redesigned Accept/Reject buttons with icons, joined vote button group, and right-aligned controls.
  • Billing fonts — plugin prices now match the License Fee row styling.

API

  • Versions endpoint — new GET /api/skills/[id]/versions returns all version snapshots with metadata and accepted-by profiles.
  • Enhanced PATCH: PATCH /api/skills/[id] now supports create_new_version and command_slug parameters.

v0.3.3

Performance hardening, error recovery, and dead code cleanup

Performance

  • Query parallelization — dashboard, project detail, and decision detail pages now batch independent Supabase queries into parallel Promise.all calls, reducing waterfall latency by 200–400ms per page
  • N+1 elimination: getProjectsWithStats reduced from 4N count queries to 4 batch queries; getCustomerSummaries from N to 1; skills export version lookup from N to 1
  • Explicit column selection — replaced 10 high-value .select('*') instances with explicit column lists across pages and API routes

Error recovery

  • Error boundaries — added global-error.tsx, dashboard/error.tsx, and projects/[id]/error.tsx with retry buttons and fallback navigation

Cleanup

  • Removed 10 unused component files (~3,000 lines of dead code including a 1,050-line keyboard component with framer-motion)

v0.3.2

ADR governance, change requests, license UX, and performance audit

ADR governance

  • Governance widget — unified panel with status badge, lifecycle buttons (submit, accept, reject), and community voting with required reason on downvotes
  • Change request flow — accepted ADRs show a “Request Change” link; the form creates a new ADR with supersedes pointing to the original

Dashboard & navigation

  • Projects section moved before Customers; starred projects sort first
  • Recent sessions now link directly to session detail pages
  • Recent decisions link to ADR detail with full governance context
  • Planning feature removed from sidebar and project overview (deferred to v1.0)
  • Top progress bar for page transitions via nextjs-toploader

Skills & directives

  • Skills table restructured with skill_id as primary identifier and merged name/description column
  • Version-pinning dropdown in project skills manager replacing pin/unpin buttons
  • Directives priority changed to high / medium / low enum with colored badges and client-side sort; body made optional

License & billing

  • Enterprise tier badge with black/gold styling and circle icon; “Active” label moved to the right
  • Billing restructured as line-item rows with right-aligned amounts
  • Three plugin line items: OpenCode Audit, Advanced Sessions, External Encryption Provider

Quality & safety

  • Danger zone uses project slug instead of name for delete confirmation
  • Fixture letters replace test data with [Fixture] prefix
  • Architectural audit: identified 7 categories of improvements including query parallelization, N+1 fixes, missing error boundaries, and dead code cleanup

v0.3.1

CLI install pipeline, MCP npm mode, preflight checks

CLI (nexus-cli v0.1.1)

  • install.sh one-liner: curl -fsSL .../install.sh | bash with platform detection, pre-built binary download from GitHub Releases, SHA256 checksum verification, and cargo fallback
  • GitHub Actions CI/CD — test matrix (ubuntu + macos), clippy, rustfmt, and automated 4-target release builds (aarch64-apple-darwin, x86_64-apple-darwin, x86_64-unknown-linux-gnu, aarch64-unknown-linux-gnu)
  • nexus preflight — environment readiness checks (git, node, npm, npx, config, credentials, API reachability, workspace, MCP configs)
  • --shadowed-ai flag on init — adds all AI scaffold files to .gitignore (AGENTS.md, .claude/, .opencode/, opencode.json)
  • --yes / -y global flag — non-interactive mode for CI/CD and scripted usage

MCP Server (nexus-mcp v0.6.1)

  • npm distribution: npx @gwdn/nexus-mcp for zero-install MCP server startup. CLI default switched from local to npm mode via mcp_source config key
  • 38 MCP tools total (added task_list, doc_list, session_delete)

Platform

  • Updated Tools page with current MCP/CLI versions, npm install instructions, full command reference, and correct tool counts

v0.3.0

Project stars, ADR voting, directives, and session filters

Project management

  • Star/unstar projects — starred projects appear first in all listings (dashboard, project list, project detail)
  • Project directives: configurable rules and guidelines per project with categories, priorities, and enable/disable toggles

ADR governance

  • Community voting on architecture decisions: up/down votes with net score display
  • ADR linking in session timeline: clickable ADR badges and auto-detection of ADR-XXXX references in notes

Session improvements

  • Status tab filter: All / Resumable / Closed with live counters
  • Timeline date-range filter with quick presets (today, 7d, 30d, 90d) and custom from/to inputs

Infrastructure

  • Cache revalidation endpoint for on-demand Next.js cache flushing via make revalidate
  • Three new database migrations: project_stars, decision_votes, project_directives

v0.2.6

Session UI, governance actions, and skill reviews

Sessions

  • User attribution with avatar display and display names in session timelines
  • Markdown rendering for session summaries and entry content
  • Formatted timestamps with relative time display

ADR governance

  • Governance action buttons: submit for review, accept, and reject with confirmation dialogs
  • Decision comments system with append-only chronological thread
  • Decision links and file attachments management
  • Entity tagging system for decisions

Skills & reviews

  • Review workflow for skills: submit, accept, reject, request revision with inline comments
  • Skill detail page with full content view and review status

v0.2.5

MCP API layer, skill management, and expanded dashboard

MCP integration

  • Full MCP API backend: identity resolution, knowledge search, memory retrieval, sessions, tasks, letters, governance, skills, and reviews
  • PAT-based authentication with project-scoped permission checks

Skill management

  • Skill creation and editing with markdown body, versioning, and auto-generated OpenCode commands
  • Project skill assignments with version pinning and enable/disable
  • Skill export endpoint for CLI workspace synchronization

Dashboard

  • My Work section with pending reviews and open tasks
  • Project detail pages for sessions, decisions, tasks, letters, research, planning, and ingest
  • Team management page with role assignment

v0.2.4

Performance, edit forms, and deployment automation

Performance

  • Self-hosted Switzer fonts replacing external fontshare dependency for faster LCP
  • Navbar bundle optimization: framer-motion replaced with CSS keyframes, Supabase SDK replaced with lightweight cookie heuristic
  • Lazy-loaded Supabase client for sign-out to reduce initial JS payload

Edit forms

  • Customer edit page with fieldsets for general info, contact, billing address, and notes
  • Project edit page with fieldsets for general info and timeline
  • Edit buttons on customer and project detail pages

Landing page

  • Redesigned hero with “Gatewarden / Nexus” heading and watermark logo
  • Cool Steel gradient replacing the original color scheme
  • Footer promotion line with Gatewarden Labs branding

Login

  • Restructured login page with email/password above GitHub OAuth
  • Forgot password flow with Supabase password reset email

DevOps

  • GitHub Actions post-deploy healthcheck verifying site and login page availability after each push to main

v0.2.3

Multi-step wizards, agent setup, and document management

Project creation wizard

  • Five-step wizard: basics, timeline & budget, document upload, agent setup, and review
  • Offer and SOW PDF uploads with S3 storage and CloudFront delivery
  • Agent configuration: CLI flavor (OpenCode / Claude CLI) and plugin selection
  • Sidebar info panel with step guide and contextual tips

Customer creation wizard

  • Four-step wizard: basics, contact & billing, contract upload, and review
  • Adaptive flow: internal customers skip contact, billing, and contract steps automatically
  • Structured billing address with street, postal code, city, and country fields

Data model

  • New project_agents table for agent assignments per project
  • New project_offers table for offer/proposal document storage with lifecycle states
  • Extended document upload API to support offer, SOW, and contract types

v0.2.2

Project visibility, private projects, and RLS fixes

Data model

  • Project visibility scopes: private, members only, and team
  • Optional customer assignment: private projects no longer require a customer
  • Owner tracking on projects for private project access control
  • Fixed RLS infinite recursion in project membership policies using SECURITY DEFINER helpers

UI improvements

  • Redesigned project creation form with visibility selector and conditional customer field
  • Project list shows lock icon for private projects
  • Non-private visibility options disabled when no customers exist

v0.2.1

Internal customers and tag system

Data model

  • Internal customer flag: marks customers like Gatewarden Labs as internal, hiding contact, billing, and contract fields
  • Normalized tag system with shared tags table and polymorphic entity_tags junction supporting 11 entity types

UI improvements

  • New Customer form: internal customer checkbox that conditionally hides contact fields

v0.2.0

Landing page redesign, CRUD forms, and quality improvements

Landing page

  • Hero banner with gradient background, version pill, and quick-access buttons
  • Public navigation with dark “Get access” sign-up button
  • Roadmap page with timeline, status legend, and sidebar
  • Roadmap link added to navigation and footer

New features

  • New Project form with customer selector, slug auto-generation, and status picker
  • New Customer form with industry, contact info, and notes fields
  • POST /api/projects endpoint for project creation
  • Admin-request widget on Dashboard and Projects empty states

Code quality

  • 46 audit findings resolved: DB-backed rate limiter, typed Supabase queries, N+1 fixes, pagination
  • Full type safety with generated Supabase types across all API routes and pages
  • Fixed column name mismatches exposed by strict Database generic
  • Fixed DataInteractive SSG crash in link component
  • Dashboard logo alignment fix

v0.1.0

Initial platform launch

  • GitHub OAuth authentication with automatic profile creation
  • Project-scoped RBAC with admin, editor, reviewer, and viewer roles
  • Long-term memory schema: sessions, decisions, research, planning, letters
  • MCP server with 11 tools across 3 layers (knowledge, coordination, governance)
  • API key system for delegated agent access
  • Customer, contract, and SOW management
  • S3 document storage with CloudFront delivery
  • Transactional email via Resend (nexus.gatewarden.eu domain)
  • Netlify deployment with CSP headers, HSTS, and security hardening