What's new

A running log of changes to GatiFlow that affect customers. Hand-curated; internal refactors and minor fixes are omitted.

v2.5

May 2026
  • AI-generated content now declares itself in report metadata (EU AI Act compliance).
  • Confidence intervals exposed on every report — see the score range, not just the headline number.
  • Trial Grace Period state now visually distinct from active trial in dashboard.
  • Double opt-in for the academy email course (CAN-SPAM-safe).
  • Monthly cap on AI spend prevents runaway billing if a cron job gets stuck.

v2.4

April 2026
  • Reddit removed from active sources (API access not viable). Marketing copy now says '10+ sources' to match reality.
  • Stripe webhook idempotency made robust against partial failures.
  • Watchlist signal collection moved to background tasks — internal cron no longer blocks on slow orgs.
  • Sentry sampling on /collect reduced from 100% to 20% to extend free-tier capacity.
  • Body size limit middleware streams chunks instead of buffering — no more OOM risk on chunked uploads.

v2.3

March 2026
  • Centralized opt-out filter — opted-out subjects now reliably excluded from all report paths.
  • Registration requires explicit Terms + Privacy consent (LGPD/GDPR).
  • DPO/Encarregado named on privacy page; data inquiry response time tightened to 15 business days.
  • Stripe webhook signature validation now has explicit test coverage.
  • Real client IP propagation: per-user rate limits and audit logs now reflect the actual caller, not the BFF edge.

v2.2

February 2026
  • Saturday Deep Dive: 1800-word weekly investigative article with web-grounded fact-checking.
  • Daily intelligence narratives use Claude Sonnet with fact-check pass against numeric facts.
  • RS256 JWT activated in production. Refresh token rotation hardened.
  • Body size limit middleware (1 MB cap) — prevents accidental DoS via large payloads.
  • Public report endpoint with caching for landing-page preview.

v2.1

February 2026
  • Token blacklisting via Redis (jti in JWT, /auth/logout endpoint).
  • Refresh token now set as an httpOnly cookie, so page scripts cannot read it (XSS protection).
  • Auth rate limiting (10 attempts/min per IP).
  • Stripe webhook signature validation (stripe.Webhook.construct_event).
  • Quota race condition fix: increment only after successful report.
  • PDF export reads plan and timestamp from canonical fields.

v2.0

February 2026
  • Unified monorepo: 9 separate repos consolidated into one.
  • Full intelligence pipeline: RealCollector → Enricher → Scorer → Assembler.
  • First production deployment of Pro and Business plans.

For the complete technical history including bug fixes, see the repository CHANGELOG.md. For incident reports and uptime, see status updates.