Changelog

What changed, in plain language.

Reverse chronological. Customer-impact framed. Shipped means it’s live in the admin or on the kiosk. Improved means you’ll feel a difference. Fixed means we caught a bug before you did. Security means we closed a hole.

April 21, 2026Session 2 — adversarial close
Three adversarial review passes, 47 findings closed.
- ImprovedBody text contrast lifted across the entire admin so every label clears WCAG 2.2 AA on both surface tones.
- ImprovedToggles, pickers, and segmented controls in settings + tickets + broadcast now expose role + checked state to screen readers.
- ImprovedThe kiosk delete confirm uses a real Radix dialog instead of the browser's native prompt — focus moves correctly and reads cleanly with VoiceOver.
- FixedLive kiosk mirror now runs on the new Broadcast-from-DB realtime path. KioskMirror picks up health snapshots on either channel and dedups by id.
- SecurityRLS hole on the device-existence check was always evaluating false. Replaced with a SECURITY DEFINER helper. Anon-key attack test verifies SELECT works for known device IDs and stays blocked for fabricated ones.
- SecurityPublic REST API (/api/v1) now requires the merchant in the Bearer key to match the merchant in every read. Verified with curl against the bare anon key (401) and a cross-tenant token (404 — never leaks existence).
- SecurityStripe checkout edge function now requires Bearer auth, allowlists priceId, and binds the calling user to the merchant before minting a checkout session.
- ImprovedSkip-to-content link added to the admin shell and every public marketing page. Keyboard users land in the main content with one tab.
April 20, 2026Session 1 — the 10/10 push
Wedges 13, 14, 16, 17, 18, 20 shipped + a Stripe billing surface.
- ShippedOrder routing canvas (Wedge 13) — visual canvas to route tickets between bar, kitchen, and pickup with prep-time learning.
- ShippedPublic REST API + signed webhooks (Wedge 14). Documented OpenAPI spec at /docs, scope-gated keys, HMAC-signed webhook delivery with exponential backoff.
- ShippedAI photo pipeline (Wedge 16). Snap an iPhone photo, Claude vision describes it, gpt-image-1 or Recraft renders a brand-styled hero, you approve, the kiosk swaps the override.
- ShippedVoiced kitchen tickets (Wedge 17) — Claude rewrites your ticket templates in your tone while preserving every renderer variable. One-click revert.
- ShippedCustomer recognition (Wedge 18). Paid orders auto-ingest into the customer table; phone-keyed lookup powers loyalty surfaces across the admin.
- ShippedInteractive demo walkthrough (Wedge 20). The /demo page is now a live click-through of the customer flow.
- ShippedStripe billing surface — plan picker, billing portal, trial dates, renewal dates, owner-role gated.
- ShippedSentry wired end-to-end across server, client, and edge with merchant + device context. PII scrubbed.
- ShippedPlausible analytics, sitemap, robots, llms.txt, OG image — the full SEO + AI-crawl foundation.
- SecurityThree RLS defense-in-depth holes closed: role self-escalation, cross-tenant command push, cross-tenant kiosk override. 28 anon-key + 21 authenticated-JWT attack vectors all blocked.
- SecurityJune chat XSS path closed (replaced dangerouslySetInnerHTML with safe text rendering).
- Security/status no longer leaks cross-tenant fleet counts. Audit page replaced auth.admin.listUsers with a merchant-scoped lookup RPC.
April 19, 2026Session 1 base — the 20-wedge admin
Twelve wedges live, multi-tenant from day one.
- ShippedLive mirror + remote commands — see what each kiosk sees and push pause, resume, reset, restart, reload menu, or a custom message.
- ShippedJune AI assistant — plain-English questions about your sales, menu, and team, grounded in live merchant context.
- ShippedVoice templates — every on-screen line, in your tone, with search and tone tags.
- ShippedCatalog advisor — zero-sale items, top sellers, high-price low-velocity outliers with the data behind every call.
- ShippedLive preview, override layer with diff, versioned menu history, per-shift override profiles.
- ShippedFive-role RBAC — owner, manager, cashier, auditor, marketing. Append-only audit log on every mutation.
- ShippedPublic status page with live fleet health, no cross-tenant leaks.
- ShippedMobile manager PWA — install on home screen, manage the room from a phone.

What’s coming next.

The next month of work — allergen display for SB 68, kitchen ticket polish, the dedicated Order June Supabase project cutover — lives on the public roadmap.

See the roadmap

Changelog

What changed, in plain language.

April 21, 2026Session 2 — adversarial close
Three adversarial review passes, 47 findings closed.
- ImprovedBody text contrast lifted across the entire admin so every label clears WCAG 2.2 AA on both surface tones.
- ImprovedToggles, pickers, and segmented controls in settings + tickets + broadcast now expose role + checked state to screen readers.
- ImprovedThe kiosk delete confirm uses a real Radix dialog instead of the browser's native prompt — focus moves correctly and reads cleanly with VoiceOver.
- FixedLive kiosk mirror now runs on the new Broadcast-from-DB realtime path. KioskMirror picks up health snapshots on either channel and dedups by id.
- SecurityRLS hole on the device-existence check was always evaluating false. Replaced with a SECURITY DEFINER helper. Anon-key attack test verifies SELECT works for known device IDs and stays blocked for fabricated ones.
- SecurityPublic REST API (/api/v1) now requires the merchant in the Bearer key to match the merchant in every read. Verified with curl against the bare anon key (401) and a cross-tenant token (404 — never leaks existence).
- SecurityStripe checkout edge function now requires Bearer auth, allowlists priceId, and binds the calling user to the merchant before minting a checkout session.
- ImprovedSkip-to-content link added to the admin shell and every public marketing page. Keyboard users land in the main content with one tab.
April 20, 2026Session 1 — the 10/10 push
Wedges 13, 14, 16, 17, 18, 20 shipped + a Stripe billing surface.
- ShippedOrder routing canvas (Wedge 13) — visual canvas to route tickets between bar, kitchen, and pickup with prep-time learning.
- ShippedPublic REST API + signed webhooks (Wedge 14). Documented OpenAPI spec at /docs, scope-gated keys, HMAC-signed webhook delivery with exponential backoff.
- ShippedAI photo pipeline (Wedge 16). Snap an iPhone photo, Claude vision describes it, gpt-image-1 or Recraft renders a brand-styled hero, you approve, the kiosk swaps the override.
- ShippedVoiced kitchen tickets (Wedge 17) — Claude rewrites your ticket templates in your tone while preserving every renderer variable. One-click revert.
- ShippedCustomer recognition (Wedge 18). Paid orders auto-ingest into the customer table; phone-keyed lookup powers loyalty surfaces across the admin.
- ShippedInteractive demo walkthrough (Wedge 20). The /demo page is now a live click-through of the customer flow.
- ShippedStripe billing surface — plan picker, billing portal, trial dates, renewal dates, owner-role gated.
- ShippedSentry wired end-to-end across server, client, and edge with merchant + device context. PII scrubbed.
- ShippedPlausible analytics, sitemap, robots, llms.txt, OG image — the full SEO + AI-crawl foundation.
- SecurityThree RLS defense-in-depth holes closed: role self-escalation, cross-tenant command push, cross-tenant kiosk override. 28 anon-key + 21 authenticated-JWT attack vectors all blocked.
- SecurityJune chat XSS path closed (replaced dangerouslySetInnerHTML with safe text rendering).
- Security/status no longer leaks cross-tenant fleet counts. Audit page replaced auth.admin.listUsers with a merchant-scoped lookup RPC.
April 19, 2026Session 1 base — the 20-wedge admin
Twelve wedges live, multi-tenant from day one.
- ShippedLive mirror + remote commands — see what each kiosk sees and push pause, resume, reset, restart, reload menu, or a custom message.
- ShippedJune AI assistant — plain-English questions about your sales, menu, and team, grounded in live merchant context.
- ShippedVoice templates — every on-screen line, in your tone, with search and tone tags.
- ShippedCatalog advisor — zero-sale items, top sellers, high-price low-velocity outliers with the data behind every call.
- ShippedLive preview, override layer with diff, versioned menu history, per-shift override profiles.
- ShippedFive-role RBAC — owner, manager, cashier, auditor, marketing. Append-only audit log on every mutation.
- ShippedPublic status page with live fleet health, no cross-tenant leaks.
- ShippedMobile manager PWA — install on home screen, manage the room from a phone.

What’s coming next.

The next month of work — allergen display for SB 68, kitchen ticket polish, the dedicated Order June Supabase project cutover — lives on the public roadmap.

See the roadmap