Changelog.
What changed on instanode. Subprocessor additions, subprocessor swaps, and material posture changes are announced here at least 30 days in advance — see the DPA and the subprocessor list for the formal commitment.
Marketing + dashboard hardening pass
- Pricing comparison grid corrected to four tier columns — a stale six-track layout left a dead empty column.
- Marketing pages now have a mobile navigation menu below 880px (previously all nav links vanished on phones).
- Every public page now ships its own <title>, meta description, and canonical URL — subpages no longer self-canonicalize to the homepage.
- sitemap.xml is generated at build time and now covers every page including blog posts and use-case detail pages.
- Billing checkout is no longer suppressed for freshly-claimed paid teams; tier-wall messages now carry the agent action and upgrade link.
Bug-hunt remediation — P0/P1 fixes
- Hardened POST /claim against account-takeover: a claim now requires the session it claims into and no longer mints a token for a pre-existing email.
- Large deploy tarballs are read in full (io.ReadAll) — fixed a truncation bug where big multipart uploads built on a partly-zero buffer.
- Redeploys now re-resolve vault:// env references, so vault-backed apps no longer break on redeploy.
- Customer-deploy NetworkPolicy egress now covers the production DOKS pod/service CIDRs (was hardcoded to the dev cluster ranges).
- Continuous deployment: a push to the api, worker, or provisioner default branch now builds, pushes, and rolls out to production automatically, with an in-cluster build-SHA verification gate.
Tier enforcement + billing resilience
- Provisioning responses now redact secret-bearing env values (credential URLs, *_KEY/_SECRET/_TOKEN keys); the dashboard masks them behind a reveal toggle.
- Storage-quota enforcement now does a real provisioner-side revoke (Postgres REVOKE CONNECT, Redis ACL disable, Mongo role revoke) with auto-unsuspend when usage drops.
- Plan upgrades now elevate deployments and stacks alongside resources and clear their anonymous 24h TTL — a paid app is no longer expired by the lifecycle worker.
- Billing reconciler added: a 15-minute poll against Razorpay closes any missed-webhook gap in either direction.
- Dedicated Redis is capped at provision time with a per-tier maxmemory; the entitlement reconciler re-applies the cap on tier changes.
Pro storage bump + annual pricing
- Pro-tier storage raised to 10 GB Postgres / 512 MB Redis / 5 GB MongoDB — a material limits increase across all Pro subscriptions.
- Annual billing added for Hobby, Hobby Plus, Pro, and Team: same limits as the monthly plans, billed yearly at a discount.
- Free, Hobby Plus, and Growth tiers reconciled across the pricing page, billing page, and API documentation so every surface quotes the same numbers.
- Default provisioning environment is now "development" — a call that omits `env` lands in the lowest-stakes bucket instead of merging with production state.
Trust + marketing accuracy pass (W12)
- DPA + trust-residency aligned on Standard Contractual Clauses (Module Two, controller-to-processor) as the EU/UK transfer mechanism.
- Subprocessor list expanded with Resend (transactional email), Cloudflare (CDN/DNS), Fastly + GitHub Pages (marketing/docs serving), and Loops (lifecycle email forwarder).
- Homepage step-02 encryption-at-rest claim narrowed to "vault secrets and stored credentials" — the customer Postgres cluster's disk is not blanket-encrypted on the anonymous tier.
- /changelog is now a real route (was 404; referenced by DPA §6, subprocessor list, and trust-residency egress section).
- llms.txt and llms-full.txt clarified to call out DigitalOcean Spaces (S3-compatible) as the production object-store backend.
Hobby Plus tier + W11 dashboard honesty pass
- Hobby Plus tier ($19/mo) shipped as the middle step in the pricing grid — research-backed triple-tier pricing decoy.
- Agent error envelope standardised across all provisioning endpoints with `agent_action` next-step hints.
- security.md + PGP key + DPA + subprocessor list published at /docs/public/* (was 404 from W10 onward).
- Per-tenant MinIO IAM credentials by default in production — anonymous-tier internal_url scrubbed from response payloads.
- GitHub auto-deploy webhook live; /status page now consumes real GET /api/v1/status backend.
DO Spaces production cutover + deploy wedge live
- Object-storage production backend cut over from in-cluster MinIO to DigitalOcean Spaces (`nyc3`); 24h lifecycle rule enforces anonymous-tier auto-expiry at the storage layer.
- POST /deploy/new live end-to-end (Kaniko → k8s Deployment → Ingress + cert-manager TLS on *.deployment.instanode.dev).
- Idempotency-Key replay header honoured on every provisioning endpoint; provisioner-auth regression test bundle added to CI.
- dashboard-api retired — agent API now serves the dashboard directly. Removes the gRPC bridge that was the source of a long tail of cross-service auth drift.