v0.34.12

Changed

• JobManager.GetRobotsRules now caches results per normalised domain (1h
  positive TTL, 60s negative TTL), and collapses concurrent misses onto a single
  origin fetch via singleflight. A long crawl previously refetched /robots.txt
  every five minutes (stream worker's job-info TTL) and a 429 on /robots.txt
  returned on the next read; both are now bounded.

v0.34.11

Changed

• Crawler user agent is now always exactly config.UserAgent. Dropped the dead
  Worker-<id> suffix branch in crawler.New along with the unused variadic ID
  parameter and struct field.

v0.34.10

Changed

• Pacer's per-domain adaptive delay is now durable:
  domains.adaptive_delay_seconds is read on every job-info cache miss and
  reseeded into Redis, and the learned value is written back from the pacer's
  success/rate-limit path (debounced per domain at five-minute intervals). The
  startup FlushAdaptiveDelays is now opt-in via
  GNH_PACER_FLUSH_ON_START=true for incident recovery; default behaviour
  preserves the learned rate across worker restarts.
• Dispatcher now caps per-domain inflight tasks at
  ceil(GNH_PACER_EST_RESPONSE_MS / adaptive_delay_ms) (default response
  estimate 1500ms). Above the cap, additional entries skip dispatch without
  consuming the gate, preventing the burst-then-collapse pattern that elevates
  egress IP reputation on CF-fronted domains.

v0.34.9

Fixed

• WAF detection now recognises Cloudflare managed challenges served as HTTP 429
  with Cf-Mitigated: challenge. Previously the verdict was gated behind status
  403 or 202 only, so CF challenge responses (observed against CF-fronted
  Shopify storefronts with Super Bot Fight Mode enabled) were misclassified as
  plain "Too Many Requests" and jobs burnt three retries before failing with a
  misleading error. Jobs now fail fast and stamp domains.waf_blocked = true
  with waf_vendor = cloudflare.

v0.34.8

Security

• Enabled RLS (no policies) and revoked anon/authenticated grants on
  task_outbox, task_outbox_dead, and lighthouse_runs; these tables are
  only accessed by the Go server via the service role.
• Switched the organisation_quota_status view to security_invoker = true so
  it honours the caller's RLS rather than the creator's.
• Revoked anon/authenticated EXECUTE on 19 server-internal
  SECURITY DEFINER functions (OAuth token store/get/delete for Google
  Analytics, Slack, and Webflow; vault cleanup helpers; Slack user-link helpers;
  increment_daily_usage). These RPCs are only called by the Go server via the
  service role; the three RLS-helper functions used inside policies
  (user_is_member_of, user_organisation_id, user_organisations) remain
  callable.

Performance

• Rewrote 14 RLS policies on notifications, daily_usage,
  google_analytics_connections, google_analytics_accounts, and
  organisation_domains to wrap auth.uid() in a (select …) so it is
  evaluated once per query instead of once per row.
• Scoped the Service role can manage usage policy on daily_usage
TO service_role so it no longer fires during anon/authenticated SELECTs,
  removing the multiple-permissive-policies overhead.
• Pinned search_path on update_job_queue_counters and
  get_daily_quota_remaining.
• Added covering indexes on nine previously-unindexed foreign keys
  (google_analytics_accounts.installing_user_id,
  google_analytics_connections.installing_user_id,
  lighthouse_runs.source_task_id, organisation_invites.created_by,
  page_analytics.ga_connection_id, platform_org_mappings.created_by,
  slack_connections.installing_user_id, task_outbox_dead.lighthouse_run_id,
  webflow_connections.installing_user_id) so cascade deletes and FK joins no
  longer fall back to sequential scans.

Documentation

• Added
  docs/security/SUPABASE_ADVISORS.md
  recording the deliberate "won't fix" advisor findings (the three RLS-helper
  SECURITY DEFINER functions, the empty-policy state of domain_hosts) and
  deferred items (unused indexes, Auth DB connection strategy).

v0.34.7

Added

• Sentry browser SDK + replay loader on the homepage, auth-callback, welcome,
  invite-welcome, and extension-auth pages so existing
  window.Sentry.captureException calls in auth.js stop silently no-op-ing on
  the auth flow.
• Sentry transactions wrapping the job scheduler tick, the health-monitor
  completion and system checks, and inbound HTTP requests (via the sentryhttp
  middleware), so existing sentry.StartSpan calls in
  internal/jobs/manager.go and internal/db/queue.go get parented and bill as
  performance units.
• Sentry Logs forwarding for Warn+ slog records (EnableLogs plus a LogLevel
  on the slog handler), separate from the existing error-event surface.

Changed

• Extracted the duplicated frontend Sentry init block into
  web/static/js/sentry-init.js so future tweaks land once instead of per HTML
  page.

v0.34.6

Changed

• Bump Go to 1.26.3 and golang.org/x/net to v0.53.0 to clear GO-2026-4918
  (HTTP/2 SETTINGS_MAX_FRAME_SIZE infinite-loop) flagged by govulncheck.
• Split Fly machine pool reconcile into its own CI job so downstream autoscaler
  releases no longer block on clone-start-stop warm-up. Review apps drop their
  per-PR pool target from 10/5 to 3/3 (analysis/worker); prod retains 10/5.

v0.34.5

Changed

• Migrated GitHub Actions workflows back to Blacksmith runners now that
  Blacksmith is configured on the good-native org.

CLI 0.1.19

CLI release cli-v0.1.19

v0.34.4

Changed

• Repository moved from Harvey-AU to good-native GitHub org. Go module path
  is now github.com/good-native/hover and npm package is @good-native/hover.
  CI runners switched from Blacksmith to GitHub-hosted ubuntu-24.04 pending
  Blacksmith setup on the new org.