Changelog
Every release · what's new · what changed. Subscribe at hello@eventsuperos.com for monthly digest.
v100.22
Workspace UX Overhaul
May 14, 2026
- Snapshots: replaced browser prompt() with a styled modal for label input. Added delete button per card, relative time display ("3h ago"), and snapshot size in KB.
- Audit Log: added search/filter toolbar (text search, action-group filter, user filter), color-coded action pills (green=create, yellow=update, red=delete, blue=approve), and CSV export button.
- Approvals: replaced prompt() rejection flow with a proper styled modal. Added kind filter tabs (Events / Changes / Files / Team) above the list. Fixed KPI card styling — pending counts now show amber instead of danger-red.
- Health: realtime channel count is now dynamic (reads from App.sb.getChannels()). Storage limit now reflects actual plan (Free=100MB, Pro=10GB, Agency=100GB). Added Red Flags, Service Worker status, total events, and total guests KPIs.
- Templates: added type filter bar (All / Tasks / Budget / F&B / Schedule / Decisions / Notes). Cards now show Edit, Duplicate, and Apply-to-Event actions. Apply instantly adds tasks or budget lines to the currently open event.
- Studio Settings: replaced 7× inline-style tab buttons with a single .set-tab CSS class. Consistent icon+label format across all tabs (no mixed emoji/icon style).
- Site Builder, Webhooks, API Keys, Billing: added explicit "← Event Manager" breadcrumb button in each topbar so users can return to the main portal without using browser back.
v100.22
Portal Boot Fixes
- super-admin.html was truncated — missing command palette, toast function, and boot() call. Spliced from reference version. Super Admin portal now boots correctly.
- check.html was truncated mid-function — clearAll() body and run() call were missing. Page now completes and runs correctly.
- mfa.html was truncated mid-tag on final script — </body></html> missing. File now terminates correctly.
- super-admin.html: Supabase CDN URL was resolving to CJS bundle (no window.supabase global). Changed to explicit UMD path @2.39.7/dist/umd/supabase.min.js — "SUPABASE IS NOT DEFINED" error resolved.
- event-manager.html + all portals: Cloudflare Pages injects script nonces, causing browsers to ignore 'unsafe-inline' in CSP and block all inline scripts. boot() never ran, App.sb stayed null, auth threw "Cannot read properties of null". Replaced restrictive CSP with frame-ancestors 'none' only — inline scripts now execute correctly.
v100.22
Security
- FINDING-1: RSVP page now shows "This invitation link has expired" after 10 s if the token lookup stalls — no more infinite spinner on bad/stale tokens
- FINDING-2: Vendor portal p-web field now rejects javascript:, data: and other non-http/https URL schemes — prevents stored XSS vector
- FINDING-3: Content-Security-Policy header added to all pages via _headers — default-src 'self', CDN allowlist, frame-ancestors 'none'
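The FINDING-2 scheme check, as an added JavaScript example (not the product's own code): safeWebsiteUrl is a hypothetical helper name and the sample inputs are constructed. Comparing the scheme after parsing, rather than testing a prefix of the raw string, also rejects mixed-case, whitespace-padded and tab-split variants.

```javascript
// Added example; safeWebsiteUrl is a hypothetical helper name.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns the normalized URL to store, or null if the value must be rejected.
function safeWebsiteUrl(input) {
  if (typeof input !== "string") return null;
  let parsed;
  try {
    // No base URL is passed, so relative and scheme-less input throws.
    parsed = new URL(input);
  } catch {
    return null;
  }
  // Compare the parsed protocol: the parser has already lowercased the scheme
  // and stripped leading/trailing whitespace and embedded tabs/newlines.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  // Store the parser's serialization so the stored value is the validated one.
  return parsed.href;
}

// Constructed sample inputs (not taken from the product).
const SAMPLES = [
  "https://vendor.example/catalog",
  "HTTP://Vendor.Example",
  "javascript:void(0)",
  " JaVaScRiPt:void(0)",
  "java\tscript:void(0)",
  "data:text/html,hello",
  "//vendor.example/path",
  "vendor.example",
];

function checkSamples() {
  return SAMPLES.map((s) => [s, safeWebsiteUrl(s)]);
}

for (const [raw, result] of checkSamples()) {
  console.log(JSON.stringify(raw), "->", result === null ? "rejected" : result);
}
```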
UX fixes
- MINOR-1: Check-in page now shows clear "No event selected" error when launched without ?event_id instead of blank zeroed stats
- MINOR-2: "Sign in with Google" OAuth button added to the auth screen (Supabase OAuth provider)
- MINOR-3: Adding a guest beyond the event seat limit now shows an explicit toast error instead of silently opening the modal
- MINOR-4: Free-plan studios now see a persistent watermark footer banner with upgrade prompt
v100.11-prev
v100.22
Substrate & Growth
May 11, 2026
- Notification center with @mention support, real-time updates via postgres_changes
- 10 preset automation recipes — one-click install: welcome drip · RSVP confirm · invoice escalate · NPS · anniversary · referral · vendor balance alert · proposal nudge · activation D3/D7
- Corporate event suite — sponsors · speakers · sessions · session_feedback · exhibitor_scans tables with full RLS
- White-label hierarchy — parent_agency_id + revenue_share_pct + my_child_agencies() RPC for resellers
- Knowledge base, public roadmap, changelog — three new pages at /kb · /roadmap · /changelog
- Report-a-bug button — drops into every authed surface, captures console + page metadata
- Web push subscriptions — web_push_subscriptions table + EOSPush JS API + quiet-hours support
- Service worker v100.22 — offline cache for /event-manager · /team · /client routes + push event handler
- QR check-in scanner at /check-in — mobile-first camera UI with jsQR decode, haptic feedback, live stats
- iCal subscribe URLs — my_ical_url() + event_ics() RPCs; Google/Outlook/Apple Calendar feeds per studio & per event
- Indian e-invoice JSON + Tally export — e_invoice_json() matches official 1.1 schema; tally_export_xml() for Tally Prime import
- Watermark on Free-tier invitations — discreet bottom-right badge, auto-hides on Pro+
- Onboarding checklist + my_onboarding_progress() RPC — 10-step activation funnel
- Crew payouts table + ratings (studio↔crew bidirectional)
- Storage quota enforcement — per-plan limits (100MB→100GB) via check_storage_quota()
- Login audit, password rotation tracking, super-admin IP allowlist
- Account archive + 90-day restorable window + data retention policy table
- Add-to-Calendar dropdown — Google · Outlook · Apple .ics via single drop-in script
- Breach notification runbook · DR runbook · Data retention policy (3 new compliance docs)
- Mention parsing in task comments now auto-creates notifications for tagged users
- Session forensics — login_audit table records every login/logout/MFA pass with IP + device fingerprint
v100.22
Three-Track Closer
May 10, 2026
- Google SSO — sso-google.js drop-in, official multi-color G logo, auto-injects above email field
- DocuSign integration — JWT bearer grant, envelope create, embedded signing URL, webhook updates proposals.status='accepted'
- DB-backed rate limiter — distributed across all Edge instances via check_rate_limit() + api_rate_log table
- Circuit breaker on email-drain — cb_can_call / cb_record stops spinning on a downed provider
- Image pipeline doc + drop-in /cdn-cgi/image/ wrapper — 18MB → 1.4MB, LCP 4.8s → 1.1s
- Sub-event nav strip — auto-injected on any event with parent_event_id via event_with_family()
- Plan-modal hooks — friendly upgrade UI replaces raw plan_limit_reached Postgres error
- Dietary picker — multi-select chip grid with community presets (Jain, Marwari, Tamil-Brahmin, Halal, Kosher)
v100.5
P0 Marketplace + 2FA
May 10, 2026
- Public vendor profile at /v/<slug> with reviews + booking enquiry
- Cloudflare for SaaS custom domains — provisioning + SSL automation
- 2FA enrollment at /mfa for super-admins (TOTP + 8 recovery codes)
- Data-bridge integration — leads from public site now appear in event-manager in real time
- JS SDK at /sdk — single-file ESM, sub-clients for every resource, HMAC verify helper
- Server-side feature-flag enforcement (25 features, 4 tiers)
- pgTAP test suite — 28 tests covering plan limits, RLS isolation, cascade-delete, blueprint instantiation
- GitHub Actions CI — pgTAP + 9 Edge Function deploys + Lighthouse CI per release
v100.4
Production Runtime
May 10, 2026
- api-router Edge Function — REST API surface, Bearer auth, scope enforcement, 600 req/min
- webhook-delivery Edge Function — HMAC-signed, retry with backoff, auto-disable on 30 consecutive failures
- pdf-render Edge Function — proposal + invoice PDFs via PDFShift, stored in Supabase Storage
- data-export-worker — DPDP-compliant export with 7-day signed URLs
- Wedding blueprint instantiator — instantiate_blueprint() RPC spawns 5 sub-events in one call
- Public vendor marketplace at /vendors — category + city + min-rating search
- One-line cron install: SELECT install_cron_jobs(...)
v100.3
Real CRM + Billing + Observability
May 10, 2026
- Normalised CRM page at /crm — deal kanban + lead inbox + proposal builder
- Studio self-serve subscription at /billing via Stripe Checkout
- OpenAPI 3.1 spec + Postman collection
- Super-admin audit log explorer at /audit
- Sentry hook for client-side error capture
v100.0–v100.2
Foundation
May 9–10, 2026
- 24-table normalized CRM substrate (leads · deals · proposals · proposal_lines · invoices · payments · stripe_events · email_log · api_keys · webhook_subscriptions · sso_config · studio_public_pages · contact_submissions · automation_rules · automation_runs · event_blueprints · sub_events · dietary_presets · data_export_requests · deletion_requests · consent_log · super_admin_audit · vendor_master · vendor_reviews)
- Per-studio public site at /studio/<slug> with contact form → leads pipeline
- Workflow automation engine + UI at /automations
- Plan enforcement RPCs + friendly upgrade modal
- Indian wedding blueprint + community dietary presets
- DPDP / GDPR compliance: privacy, terms, DPA, status pages + consent banner + data export + deletion requests