Changelog

What shipped, when, and why.

Every release is an open git log plus the reason. If something was closed as a result of an audit, there is a link to the finding ID. If a change is breaking, it is marked with ! in the commit subject. Disciplined, without panic.

v0.6.0-rc1

major

Brand system + 47 audit findings closed

Pre-Daybreak baseline closed. All Critical + High findings from the internal review (3 rounds of Codex GPT-5.5, verdict "correct", confidence 0.82) are in production on testnet.

  • security

    All Critical + High findings from internal pre-Daybreak audit closed (3 Codex review rounds; verdict: correct, confidence 0.82)

  • feature

    V0.6 Telegram bot — @WeftBot end-to-end (commands /start /balance /deposit /quote /services /call /refer /leaderboard /help)

  • feature

    Operator caps + rotation timelock + 72h emergency freeze in WeftEscrow V1+V2 (94 Hardhat tests, S-001 + S-002 + S-006)

  • security

    Forward-chained ledger HMAC — deletion-detectable audit trail (C-001)

  • security

    21 reserved service IDs prevent brand-squat (openai, anthropic, stripe, etc.) + mandatory manifest signature for x402 (C-004)

  • feature

    Subscription idempotency — pg_advisory_xact_lock + deterministic request_id (C-005)

  • feature

    tenants.hd_index column: V0.6 HD wallet is collision-free, replacing the formula 1000+(tg mod 1M) (A-004/A-005)

  • feature

    /auth/internal/issue — body-signed HMAC + 127.0.0.1 only + replay window (A-002/C-007)

  • fix

    SIWE replay defense — domain pinned via WEFT_PUBLIC_DOMAIN env, fail-closed (A-001 V2/V3)

  • fix

    SSRF guard — agent-based per-socket DNS validation + full IPv4/IPv6 ranges, BullMQ webhook worker covered (A-003 V2/V3)

  • fix

    /auth/cli/scoped-token — intersects with parent JWT scope (A-007)

  • fix

    Atomic referral credit + subscription runner DB-backed tenant lookup (C-006 + C-008)

  • infra

    Next.js 15.1.6 → 15.5.18 (CVE-2025-66478)

  • infra

    deploy.sh: source /opt/weft/.env before pm2 reload + env propagation sanity check

  • infra

    GHA paths-filter auto-deploy on push:main + idempotent migrate-runner.sh + schema_migrations

  • infra

    Sentry + per-IP rate-limit on TG webhook + /internal/tg-stats endpoint

v0.5.0

major

V0.5 — Escrow + Subscriptions + Webhooks + Quotas + Legal

17 MCP tools live at https://weft.91-98-116-15.nip.io. Custodial→non-custodial bridge launched. Subscriptions verified end-to-end (alice → coinflip × 2).

  • feature

    WeftEscrow.sol deployed on Base Sepolia at 0xacb59f…62cd0 (Hardhat 30/30 tests pass)

  • feature

    Subscription runner verified e2e — alice→coinflip × 2

  • feature

    Webhooks HMAC-SHA256 + BullMQ delivery + retry/backoff

  • feature

    Quotas + tiered pricing per tenant

  • feature

    /api/stats public endpoint + /status.html (legacy)

  • infra

    scripts/backup.sh + RUNBOOK.md + DR drill validated

  • infra

    Legal drafts shipped — Privacy / Terms / DPA / Compliance / Security

v0.4.0

major

V0.4 — Console UI + Escrow on Base Sepolia

  • feature

    Next 15 App Router static export — /app/login, /app/dashboard, /app/marketplace, /app/keys

  • feature

    SIWE login (wagmi + viem + siwe) + JWT in localStorage weft.session.v1

  • feature

    JWT reveal/copy/revoke + claude_desktop_config snippet generator

  • feature

    WeftEscrow Phase B — operator + owner = 0xF828…Cb22, USDC=0x036C…CF7e

  • infra

    Smoke 6/6 200 OK — full console deployed

v0.3.0

minor

V0.3 — Custodial wallet model + first investor docs

  • feature

    Investor docs unified: /flow.html / /audit.html / /roadmap.html with Mermaid diagrams

  • feature

    Personas + wallet model V0.3/V0.4/V1 + use cases + FAQ made public