For the complete documentation index, see llms.txt.

Changelog

All notable changes to this project will be documented in this file.

[2026-04-12] — OAuth secret security fix and environment variable cleanup

OAuth client secrets (GOOGLE_CLIENT_SECRET, MICROSOFT_CLIENT_SECRET) no longer use the VITE_ prefix — prevents accidental exposure in the browser bundle
Client-side debug page (check-env.html) no longer displays VITE_GOOGLE_CLIENT_SECRET
Vercel environment variables audited across all three projects: server-side secrets removed from the frontend project, stale variables cleaned up from the API project
Deployment and Azure setup docs updated with correct environment variable names

Stripe subscription billing — plans table, subscription service, billing API routes, and platform fee collection via application_fee_amount
@vennio/mcp standalone package — npm-publishable MCP server with Firecrawl web scraping/search tools, enrich_meeting calendar enrichment, and Smithery tool annotations
Scheduling Health Check — /audit page with wizard flow, audit leads API, and personalised fix guide emails
OG image generation — /api/og/report-card endpoint for dynamic social sharing images
Sentry alert webhook — receives Sentry alerts and auto-creates Paperclip issues for triage
Redirect URI whitelist — OAuth connect flow now validates redirect URIs against an allowlist
Calendar events now sync using the business's configured timezone instead of hardcoded America/New_York
API error responses no longer leak error.message in production — details routed through Sentry only
All API logging migrated from console.log to structured Winston logger with Sentry error transport
North Tyneside pilot: 5 venue landing pages with working OAuth connect and registered businesses
Recurring bookings integration test suite added (291 lines, covers series CRUD and cancellation)
Google OAuth scope fix: restored calendar.events scope, added regression tests
MCP endpoint now allows unauthenticated initialize and tools/list for registry discovery
Internal: CI updated for Node.js 24, docs AI chatbot evals suite, AGENTS.md quality rules for IC agents

All calendar OAuth flows (Google, Microsoft, Salesforce) now use cryptographic nonces instead of exposing user IDs in state parameters
Salesforce PKCE verifier moved from in-memory storage to database — no longer lost on serverless cold starts
Sentry error tracking added across API and frontend with PII scrubbing, session replay, and source map uploads
Sensitive console.log statements removed from OAuth flows — errors now routed through Sentry
First API integration test suite: 21 tests covering booking CRUD and availability validation (vitest + real Supabase)
.env.example added with all 30+ environment variables documented
Internal: pre-commit hook fixed for git worktrees, vitest config corrected for sequential test execution

OAuth tokens (Google Calendar, Salesforce) are now encrypted at rest using AES-256-GCM — existing tokens migrated
Database security tightened: RLS enabled on 3 previously unprotected tables, function search paths fixed across 23 functions
Docs site now serves 153 pre-rendered HTML pages for SEO and AI crawlers, plus llms.txt, sitemap.xml, and robots.txt
MCP transport now returns proper JSON responses in stateless mode
Engine Room venue page redesigned with improved contrast and restructured information hierarchy
Internal: removed stale Salesforce connection check script, cleaned up 14 remote branches with leaked credential history

API keys and developer credentials now visible across onboarding touchpoints
Guest OAuth connect flow allows venue visitors to link calendars without a Vennio account
Engine Room venue landing page live at engineroom.vennio.app
Widget iframe URL updated from /book/ to /venn/ for consistency

Businesses can now accept payments for bookings via Stripe Connect (onboarding, pricing, checkout)
AI chatbot added to both docs site and main dashboard with user-context-aware responses
App redesigned with sidebar navigation and new Home view with grouped matches
Dashboards decluttered for intuitive self-serve experience
Fixed tab-switching instability from subscription thrashing, polling leak, and unmount races

MCP server enables AI agents to find availability, create bookings, and manage proposals
Team scheduling with cross-organisation members and consensus proposals
Recurring bookings with series management and occurrence tracking
Booking questions and custom fields on event types and venn links
Idempotency keys for safe API retries, sandbox/test mode for development
Google Meet links auto-created on bookings
Network graph API for connection analytics
npx vennio CLI with init wizard, status, links, bookings, and test commands
Webhook test endpoint for debugging integrations
Rate limit headers now included on all API responses

Migrated entire UI from Tailwind CSS to CSS Modules with design tokens (vennio-tokens.css)
Resolved all high, medium, and low-priority token gaps (colours, spacing, borders, sizing)
Applied unified design system to docs site at docs.vennio.app
Added npm run sync-tokens to propagate token changes to docs site
Launched /vibe-coders marketing page for developer community

Launched interactive documentation site at docs.vennio.app with API reference, search, and AI assistant
Resolved 15 QA issues on docs site (broken links, markdown rendering, button routing)
Added CORS OPTIONS preflight handling for Vercel edge compatibility
Scoped .vercelignore to prevent hobby plan serverless function limit (12 max)
Added 5 example projects: Node.js/Express, Python, Calendar Agent, Field Service Dispatch, Webhook Listener
Archived obsolete CalendarMatch MVP setup guides (replaced by docs.vennio.app)