Changelog
What's new
User-visible changes to Veriva, ordered newest first. We ship continuously and post anything customers should know about here.
- v0.10
Merge policy spec alignment.
- Breaking: STANDARD merge policy now blocks HIGH findings in addition to CRITICAL findings, matching the documented 5-tier gate.
- v0.9
Pre-pilot polish — pricing, landing, trial flow.
- New: Dedicated pricing page at /pricing with per-seat plans (Hobby free, Pro $29/dev/mo, Ultra $79/dev/mo).
- New: 14-day Pro trial on signup with sticky in-app banner; auto-downgrade to Hobby on day 14 unless a card is on file.
- New: Org data export — JSON bundle of every PR, finding, audit entry, policy, hook, and agent (Settings → General → Data).
- Improved: Landing page rewritten around governance positioning — 10-stage pipeline, 5-tier merge policy, agent identity.
- Improved: FAQ now describes the CROSS-CHECK + DEEP AUDIT loop instead of generic 3-layer framing.
- v0.8
Governance surface + observability buildout.
- New: Per-finding provenance: every finding carries its stage, rule, prompt version, and LLM call ID.
- New: Cross-repo PR inbox — single triage view across every analyzed PR in the org.
- New: requireOrgRole middleware applied to every write surface (merge policy, hooks, billing, agents, audit export).
- New: In-app notification inbox with unread badge, type filter, and mark-all-read.
- New: Email fanout: critical findings, payment failures, plan changes, usage warnings now trigger transactional email via Resend.
- Improved: GitHub webhook signature failures are now audit-logged with onError handler.
- Improved: Outbound webhook hooks signed with HMAC-SHA256 + 5-minute replay window.
- v0.7
Production readiness pass.
- New: Sentry error tracking + /health endpoint reporting DB / Redis / Bedrock circuit-breaker state.
- New: Per-org rate limits on auth endpoints; webhook redelivery dedup via X-GitHub-Delivery in a 24hr Redis set.
- New: Account & security settings: change email, change password, view active sessions with per-session revoke, MFA enrollment.
- New: Org data retention + GDPR soft-delete with 30-day hard-delete grace window.
- New: API key management page with last-used timestamp + revoke.
- New: Customer org overview metrics: PRs analyzed, severity breakdown, trust score trend, cost spent + budget remaining.
- Improved: Structured logging with traceId propagated through tRPC, BullMQ, and Bedrock calls.
- Improved: Web security headers: CSP (report-only), HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff.