Changelog

What's shipped recently.

Hand-curated. Dated. Linked to the underlying commit so you can read the change. Newest first.

May 12, 2026

  • Security

    Investor package no longer leaks a default password

    68fe93c

    The login page used to tell visitors the default viewer password in the help text. Removed the default; the unlock endpoint now refuses access until an operator sets the password env var explicitly.

  • Security

    Ownership verification gate for paid delivery

    e8c2a71

    The build and handoff endpoints now refuse to ship the iOS bundle until you've verified ownership of the source repo or live URL. Stops anyone with a session URL from minting an app for someone else's site.

  • Security

    SSRF protection, zip-extraction hardening, admin token compares

    8b4410a

    The server now refuses fetches to private IPs (loopback, AWS metadata, RFC1918); zip uploads can't escape their extraction directory or smuggle symlinks; and admin password and metrics-token compares are constant-time. Full audit in docs/security-audit-2026-05-12.md.

  • Feature

    Pricing reference page

    42419d0

    New /pricing page surfaces the typical cost bands by app shape (marketing site, SaaS, multi-tenant) before you have to scan. Numbers come from the same formula the scan uses, so they're not marketing fiction.

  • Feature

    Ownership verification step in the wizard

    a191581

    You can now verify you control your repo or live URL through GitHub OAuth, a well-known file, a meta tag, or a DNS TXT record before we generate the iOS bundle. Closes the security gap from this morning.

  • Feature

    Per-integration parity verifier

    79a5cd4

    Before we hand off the iOS bundle, we now check that every detected integration (Stripe, Auth0, Firebase, Supabase, etc.) actually emitted real wiring — not just a named stub. Catches generator regressions before they ship.

  • Fix

    Build screens now populate one at a time, not all at once

    a4b0ae0

    The focus card on step 10 used to show nothing until every screen finished polishing. Now each finished screen shows up the moment its polish lands — so you can leave chat directives on early ones while later ones are still building.

  • Fix

    Drop hallucinated and metadata-file routes from the native plan

    5e39b43

    Routes like /apple-icon (a Next.js icon, not a page) and /pricing (when the LLM guessed it but no such page exists) used to slip into the build queue. We now skip framework metadata files and probe each inferred route to drop ones that 404.

  • Fix

    Review-agent chat input clears the moment you hit send

    2da4176

    The textarea used to keep your message until the network round-trip finished, which made it look like nothing happened. Now it clears immediately on send — and restores if the request fails.

  • Design

    Stripe checkout dialog and /start hero centered properly

    19a5c80

    Both used to sit visibly below true viewport center. Fixed the asymmetric padding so they actually land where the eye expects them.

The full commit history is on GitHub.