v3.0.0b
28 May 2026
Major release v3.0.0b (codename Nexus): Vexoris member accounts with Turso-backed auth, a protected dashboard and client portal (projects, domains, hosting, billing, support), profile and settings hub, and security tooling. Several integrations remain work-in-progress; see bullets below and the roadmap for the next patch line.
Added
- Vexoris Auth: Turso (libSQL) + Drizzle ORM, JWT access/refresh tokens, httpOnly cookies, and route proxy protection for `/dashboard`, `/portal`, and `/account`.
- Registration and sign-in: username/password login, email verification, magic-link sign-in, forgot password, forgot username, and automatic session refresh at the edge.
- Login step-up verification: email challenge when sign-in comes from an unrecognized IP or device; `/auth/verify-login` flow with resend API.
- Sessions and security: list active sessions, revoke one or all other sessions, structured audit log (register, login, magic link, email change, password reset, session revoke), and rate limiting on auth endpoints.
- Vexoris ID system: prefixed IDs (VXM member, VXC client, VXP partner, VXS staff, VXH HR, VXF founder, VXD developer) with My IDs wallet on the profile.
- Member dashboard shell: sidebar navigation, overview, user menu, and minimal chrome (no marketing header) on dashboard and auth routes via `SiteChrome`.
- Profile: overview card, primary/secondary location, role-themed UI, and ID wallet page.
- Settings hub: account (name, phone, timezone, language), password change, email verification and change, structured primary/secondary/billing addresses, notification preferences (JSON), display preferences, billing preferences, connections overview, and security (sessions + audit table).
- Vexoris client area — My Projects: submit project requests with build plans and add-ons from the pricing catalogue, serial numbers, status workflow, and threaded messages with staff.
- Vexoris client area — Domains & hosting: domain records (registration/transfer, DNS, SSL status), client hosting overview (site status, framework, Turso DB, R2 storage placeholders), and linked project notes.
- Vexoris client area — Billing: preferences and invoice-style overview UI (payment rails marked coming soon).
- Vexoris client area — Support: open tickets by category/priority, ticket serials, conversation threads, and staff notification hooks via env.
- Auth API routes: register, login, logout, refresh, session, magic-link send/verify, verify-email, login-verify confirm/resend, forgot-password, forgot-username.
- User API routes: account, email, location, notifications, preferences, billing, sessions (revoke), domains CRUD.
- Vexoris API routes: projects and support tickets with messages.
- Database migrations 0000–0012: users, sessions, tokens, audit, addresses, notification/display/billing preferences, login verification, project requests, user domains, support tickets, client hosting.
- Top utility bar on marketing pages; `AuthProvider` for client session state; consent-aware analytics wrapper.
- Login, register, account redirect, and auth flow layouts with shared `AuthFlowCard` styling.
Changed
- Site version bumped to v3.0.0b (codename Nexus); footer and change-logs hub read `CURRENT_VERSION`.
- ESLint flat config (`eslint.config.mjs`) replaces legacy `.eslintrc.json`.
- Roadmap and status development updated for the member portal release (see project status page).
- Work in progress — two-factor authentication: schema fields on users; settings UI shows coming soon.
- Work in progress — billing: online payments, PDF invoices, and accounting sync not yet connected.
- Work in progress — domains: registrar/API automation; records are client-managed placeholders until integration.
- Work in progress — hosting metrics: Vercel/Turso/R2 live sync and deploy hooks planned.
- Work in progress — profile avatar upload; connections (OAuth/social sign-in) marked planned or coming soon.
- Work in progress — dashboard UI copy is English-first; full DE/TH/ZH for the portal is on the roadmap.
- Planned next update — staff/admin console for reviewing project requests and support tickets.
- Planned next update — 2FA enable/disable, passkeys, and expanded login-attempt alerts.
- Planned next update — Stripe or similar for deposits/invoices; webhook-driven billing status.
- Planned next update — Japanese (ja-jp) and Korean (ko-kr) locales across portal and legal pages.
- Planned next update — Vexoris HR product (continues in active development on `/vexoris-hr`).
Security
- Password hashing with version counter; sessions invalidated on password change.
- Token hashing at rest for magic links, email verification, password reset, username recovery, and login verification.
- Account lockout after repeated failed logins; banned/suspended users blocked at token consumption.
- Separate SMTP profile for auth/no-reply vs marketing contact mail.