Releases: antonorlov888/orox_siteconstuctor_admin-dist
v1.0.0 — General Availability
WECO v1.0.0 — General Availability
Released: 11 May 2026 · Source commit: c53ad50 · Codename: GA
WECO 1.0 is the first stable, customer-facing major release of the self-hosted SPV / SFO / fund-vehicle disclosure platform. This release consolidates 131 incremental tags (v0.0.1 → v0.0.131) into a single stable major and refreshes the public documentation and licensing surface.
Licensing
WECO uses two-tier licensing:
- Source code: FSL 1.1 / Apache 2.0 future — Functional Source License v1.1, which becomes Apache 2.0 two years after each release.
- Compiled binary / runtime: governed by the End-User License Agreement (EULA), the Public Offer (Oferta), and the Data Processing Agreement (DPA).
Each license is delivered as an Ed25519-signed JWT to the billing email after payment or trial issuance. The JWT carries tier, max_hosts, max_admin_users, features, exp. A 30-day post-expiry grace window keeps published SPV sites running and allows regulatory edits; new site/user creation is blocked after expiry.
| Tier | Price (EUR / yr) | Max hosts | Max admin users |
|---|---|---|---|
| Free | 0 | 1 | 2 |
| Standard | 1 600 | 5 | 5 |
| Corp | 4 200 | unlimited | 20 |
Full pricing + buy flow: https://weco.nexaxt.com/buy.html.
What's in v1.0.0
Site constructor (21 block types)
Navigation · Hero · Text + Image · Documents (PDF) · Footer · Activity · News · Contacts · Accordion · Table · Divider · Stats · Team · Gallery · Logos · CTA · Schedule · Embed · Q&A inbox · Capital tracker · Investor login.
Full field-level reference: https://weco.nexaxt.com/pages/blocks.html.
Theming
11 curated presets (Classic Corporate · Modern Minimal · Legal Document · Financial Gold · Dark Professional · Sunset Bronze · Ocean Slate · Forest Sage · Pastel Calm · High Contrast · Brutalist Yellow) plus full custom colour / font / radius / container width control.
Identity
TOTP 2FA · email OTP · WebAuthn AAL3 · SAML 2.0 SP · OIDC RP (PKCE) · SCIM 2.0 provisioning · JIT on first SSO · sealed-mode (FF_SSO_ONLY=1) · step-up MFA (FF_REQUIRE_STEP_UP=1) · read-only freeze (FF_FREEZE=1) · 4-eyes JIT · break-glass account.
Audit & compliance
HMAC-chained log + per-head Ed25519 witness · canonical JSON · append-only /var/log/ff-host-audit.jsonl · verifier CLI · SIEM queue · anomaly rules (off-hours / volume spike) · dashboard activity feed.
Crypto
AES-256-GCM at rest with AAD bound to row id · 5-provider master-secret (file:, env-cmd:, vault:, aws-kms:, gcp-kms:) · KEK-isolated backups · FF_KEY_LOCAL_FORBID for production lock-down · per-row MASTER_KEY_VERSION rotation.
PDF stack
PDF-only enforcement (magic bytes + Content-Type, no override flag) · stream-only viewer (HS256 token, 60s TTL, single-use, slug+doc+session bound) · Referer pinning · ClamAV scan · Ghostscript flatten (strips JS / active content) · per-page caching · per-document allow_download flag · custom watermark caption text · investor activity log.
Web hardening
Nonce CSP · CSRF double-submit · SSRF guard · fail2ban with admin-UI ban-by-IP · per-jail history · doc-viewer jail.
Build pipeline
Cosign keyless + Rekor public transparency log · osv-scanner · DAST · SBOM · minisign-signed release tarball · install.sh self-checked SHA-256.
Operations
Atomic deploys with <slug>.prev/ rollback dir · per-site .orxsite export/import · 3-slot snapshot rotation · host vitals dashboard · operator activity feed · RBAC · SEO editor · favicon upload · robots.txt + sitemap.xml · auto-update watchdog · EN/RU UI for dashboard and site builder (~620 keys).
Verification
Minisign public key (also baked into install.sh):
RWQHQhnHIdSeftw6PLpDHYqFQRzDvTslvKw5mluIjFjyYfwumLT+9siX
Verify locally before installing:
minisign -V -P 'RWQHQhnHIdSeftw6PLpDHYqFQRzDvTslvKw5mluIjFjyYfwumLT+9siX' \
-m ff-admin-v1.0.0.tar.gz
sha256sum -c ff-admin-v1.0.0.tar.gz.sha256Build attestation is also published to the public Rekor transparency log (Sigstore).
Artifact checksums
| Artifact | SHA-256 |
|---|---|
ff-admin-v1.0.0.tar.gz |
2140a9f3260718155256e2848d6a6e30b23a2c5826f3b0a1fb8cb1a1564ba169 |
install.sh (patched) |
645e125c217923c906046c8a9e18de5d75b4e99de3a8a0e5579a1470176b78bb |
Install (one-liner)
curl -fsSL https://github.com/antonorlov888/orox_siteconstuctor_admin-dist/releases/download/v1.0.0/install.sh \
| sudo FF_LICENSE_KEY=<your-license-jwt> bash -s -- --domain admin.example.comFull install guide: https://weco.nexaxt.com/install.html.
Documentation
| Surface | URL |
|---|---|
| Marketing site | https://weco.nexaxt.com/ |
| Full feature catalog | https://weco.nexaxt.com/pages/features.html |
| Block reference (21 types) | https://weco.nexaxt.com/pages/blocks.html |
| Security policy | https://weco.nexaxt.com/pages/security.html |
| Platform status | https://weco.nexaxt.com/pages/status.html |
| EULA (EN) | https://weco.nexaxt.com/pages/eula-en.html |
| DPA (EN) | https://weco.nexaxt.com/pages/dpa-en.html |
| Sub-processors | https://weco.nexaxt.com/pages/subprocessors-en.html |
| SLA | https://weco.nexaxt.com/pages/sla-en.html |
| Buy a license | https://weco.nexaxt.com/buy.html |
For the auditor-finding → release crosswalk, see docs/AUDITOR_TRACEABILITY.md inside the release tarball.
Versioning policy from v1.0.0 onward
Semantic versioning applies. Backwards-incompatible config-schema changes bump major (next: v2.0.0). Additive features bump minor (next: v1.1.0). Hotfixes bump patch (next: v1.0.1).
Legacy v0.0.x git tags remain available for customer installer URLs that pinned a specific point release; their corresponding GitHub Releases pages have been retired in favour of this single v1.0.0 listing.
Migration from v0.0.131
No code or schema changes. SCHEMA_VERSION=2 is unchanged; existing host VMs continue running without modification. Operators upgrade via the standard update-admin.sh flow.