Changelog

All notable changes to DMBox are documented in this file.

The format follows Keep a Changelog, and the project adheres to Semantic Versioning.

The license under which a given version is released is governed by LICENSE (Business Source License 1.1; converts to Apache 2.0 four years after each version's release date).

Unreleased

Pricing revision (May 2026)

• Per-tier LLM model. Hobby now routes to Groq Llama 3.1 8B Instant (12× cheaper per call than 70B); Pro and Studio keep Cerebras Llama 3.1 70B Versatile as a quality differentiator. The cost gap fixes the previous pricing model where Pro/Studio LOST money at full cap utilization. See PRICING.md §provider-switches for the per-hour cost math.
• Paddle as Merchant of Record. New /billing/paddle-webhook route + paddle.py adapter (signature verify + Paddle→Stripe event normalization). Paddle is now the primary payment processor for Israeli operators because Stripe has limited Israeli seller support and Paddle as MoR handles all global VAT / sales tax filing. Stripe path stays in code for operators who can use it. See LAUNCH-PLAN.md §10 and PRICING.md §Israel.
• Per-user metered-overage consent. New User.overage_consent (defaults to False). Even on Studio (which supports metered overage), users start hard-capped and must explicitly opt in via Settings before they can be billed past the tier cap. Prevents surprise bills.
• Approaching-cap warning. check_quota now surfaces a soft warning when usage crosses user.cap_warning_pct (default 80%) with deep-links the cockpit banner uses to offer "Allow metered overage" or "Downshift to Free strategist."
• record_overage_cents / read_overage_cents in usage.py — metered overage accumulator separate from the base monthly cost counter so the operator can invoice overage independently.
• 80 new tests across the May-2026 revision (LLM routing per tier, Paddle signature + normalization, Paddle webhook route, overage metering, opt-in consent, approaching-cap warning).

Added

• Operator runbook (RUNBOOK.md) covering first-60-minute triage for the eight most common production failure modes (total outage, WebSocket churn, mixer/library failure, LLM/strategist outage, ASR outage, Stripe webhook drop, data-plane degradation, resource exhaustion), plus the full env-var quick reference.
• Security disclosure policy (SECURITY.md) with private-vulnerability reporting flow, response SLA (72h ack / 7d assessment / 30-90d fix), in/out-of-scope boundaries, and safe-harbor terms.
• Supply-chain CI workflow (.github/workflows/security.yml): weekly pip-audit + npm audit + CodeQL scans, results published to the repository Security tab.
• Dependabot configuration covering pip, npm (cockpit), GitHub Actions, and Docker base images. Minor/patch bumps grouped into weekly PRs.
• Ruff + mypy configuration in pyproject.toml; CI lint job runs ruff check and ruff format --check as a prerequisite to the backend test job.
• WebSocket lifecycle hardening: server → client heartbeat every 15s (configurable via DMBOX_WS_HEARTBEAT_INTERVAL_SECONDS, set to 0 to disable), idle-read timeout of 300s (DMBOX_WS_IDLE_TIMEOUT_SECONDS), structured close-reason logging with ws.opened / ws.closed.<reason> metrics.
• Test suite expanded from 437 → 626 (+189 cases). New coverage areas: Stripe webhook hardening (replay window, tampering, malformed headers, route end-to-end), Slack signature crypto, profile-template starter packs, postgres adapter DDL translation, LLM strategist fallback paths (HTTP errors, timeouts, malformed responses), ASR provider integration (Groq, Deepgram), store factory env-driven selection, in-process metrics + Prometheus exposition, flag registry, version info, observability/Sentry init, migrate CLI.

Changed

• Phase 0 legal templates added: LICENSE (BSL 1.1 with four-year Change Date to Apache 2.0), legal/TERMS.md, legal/PRIVACY.md, legal/DPA.md. All four carry explicit "counsel review required" banners and leave operating-entity name, governing jurisdiction, and contact addresses as marked placeholders for redline.
• LLMStrategist exception handler widened to also catch IndexError and TypeError so empty-choices responses and unexpected Nones fall back to FakeStrategist instead of crashing the orchestrator tick.
• Token verification in auth.py and cli.py narrowed from except Exception to specific exception classes (ValueError, UnicodeDecodeError, binascii.Error, JSONDecodeError). Unexpected exceptions now surface instead of silently failing closed.
• HTTP middleware now logs unhandled exceptions with request id before re-raising; the four health-probe handlers (/diagnostics db, /diagnostics library, /readyz db, /readyz library, /healthz/llm) log on failure rather than only reporting via response body.
• websockets>=14.0 pinned in pyproject.toml to address the websockets.legacy deprecation surfaced by uvicorn's transitive dependency.

Fixed

• Empty Stripe webhook signature header with a configured secret no longer silently bypasses verification (regression test pinned).
• Heartbeat task no longer immediately ends the WebSocket when DMBOX_WS_HEARTBEAT_INTERVAL_SECONDS=0. Subtle bug where a returning coroutine tripped asyncio.wait(FIRST_COMPLETED) and cancelled the reader/writer.

Security

• HTTPException re-raises in transport.py now use raise ... from None so user-facing error responses do not leak internal exception chains.

0.1.0 — Initial drop (private)

Initial commit and end-to-end DMBox: server + cockpit + tests + ops. Pre-Phase-0 internal milestone; no public release.