Changelog

Last updated: 2026-05-27

All notable changes to the Foundation platform are documented in this file. The format is based on Keep a Changelog.

Versioning: SemVer (MAJOR.MINOR.PATCH) anchored on the VERSION constant in evoting-frontend/src/lib/version.ts. Going forward, headings use [vX.Y.Z]. The previous [v16] / [v17] sequential numbering is sunset.

[v2.6.0] - 2026-05-27 — Soulbound attestations on Solana + GaaS PoH API + CI optimization

Added

• Soulbound attestations — Non-transferable Solana PDAs auto-issued after every qualifying on-chain action. Three types: VERIFIED_HUMAN (type 0, 32 zero bytes context), VOTED (type 1, proposal PDA as context), SUPPORTED_PROPOSAL (type 2, proposal PDA as context). PDAs seeded from [b"attestation", holder, attestation_type, context_hash]. Revocation restricted to original issuing keypair.
• Anchor program — GQrFse7NiB6QdqtagGayNYwrr8zn4W4uWhji57VkKGky (Solana devnet). New instructions: issue_attestation, revoke_attestation. Program enforces soulbound constraint (unspendable PDA, issuer-only revoke).
• GaaS PoH API — pohAttestationsEndpoint Firebase Cloud Function (HTTP). Third-party governance platforms query a wallet's attestations via X-PoH-API-Key header. Returns hasVerifiedHuman: true/false as the single signal for humanity gating. API keys stored as SHA-256 hashes in poh_api_keys Firestore collection.
• Cloud Functions — issueAttestation, queryAttestations, revokeAttestation onCall callables; issueAttestationOnChainTask task queue handler routes attestation minting asynchronously to avoid Firestore transaction conflicts.
• Firestore mirror — attestations sub-collection under each voter document synced after on-chain confirmation; syncedAt + onChainAddress fields track mirror state.
• All-pillar Solana consistency — Voice, Share, and Market pillars all write to Solana consistently; soulbound PDAs issued across all qualifying actions regardless of pillar.
• CI conditional functions deploy — changes detection job diffs HEAD^..HEAD; functions deploy steps in both staging and prod jobs are skipped when only frontend/docs files changed (~5 min saved per run).
• Prod data reset — scripts/reset-and-seed-prod.mjs admin script wipes and reseeds prod Firestore with interesting demo state: 4 active proposals (vote now) + 3 near-threshold proposals (487/500, 762/800, 191/200 support).

Fixed

• Prod env write — printf '%s\n' (trailing newline) + SOLANA_ATTESTATIONS_PROGRAM_ID appended to both staging and prod .env files; previous single-line printf '%s' caused subsequent echo >> to concatenate onto the last token.
• Firestore Timestamps — serialized as ISO strings in API responses (was crashing with [object Object]).

[v2.5.2] - 2026-05-25 — Admin reset/seed fix + 7 Pillar 1 proposals + Firestore staging indexes

Fixed

• Reset All & Re-seed — removed votes, supporter_signatures (server-write-only, allow write:false) and savings_summary (allow delete:false) from the client-side delete list; these were causing every reset to fail silently after clearing 6 collections.
• Proposals showing 0 on staging — Firestore composite index (tenant_id + created_at) was never deployed to staging; proposals subscription silently returned 0 results. CI now deploys Firestore rules + indexes to staging on every push to main.
• Seed data — Pillar 1 — replaced 1 thin governance proposal with 7 rich real-world participatory budgeting proposals (free WiFi in parks, 500 trees, home internet subsidy, extended park hours, transit accessibility, open council Q&A, transparency report) across SF, NYC, Austin TX, Stockton. Mix of 4 active-voting + 3 support-gathering proposals.

Added

• 15 unit tests for seed data shape, pillar coverage, findSeededProposal, and RESET_COLLECTIONS safety invariants.
• RESET_COLLECTIONS exported constant for safe client-side reset scoping.

[v2.5.1] - 2026-05-24 — Real-time support/vote sync + research decks + Mobile v1.1

Fixed

• Support/Voted status not syncing across sessions — userSupported and userVotes in VotingContext were populated by a one-time getDocs fetch on login. If the same account supported or voted in another session or device, the status wouldn't reflect until a full page reload. Converted to live onSnapshot subscriptions: subscribeUserSupportedProposals + subscribeUserVotedProposals added to database.ts; VotingContext replaces the loadUserData() async effect with subscription refs that clean up on logout and re-subscribe on user change.

Added

Competitive landscape research decks — three deep-research Spectacle decks published to partners.foundation-global.com (admin-only; promote to auth via Admin Visibility when ready to share with partners):

• /present/evoting — Global E-Voting Landscape 2025 (17 + 9 slides). Swiss Post, Estonia IVXV, Norway, Australia, France, Brazil, Voatz, ElectionGuard benchmarked against Foundation. Appendix: ElectionGuard integration path, Verificatum mixnet, ZK audit trail, EU AI Act regulatory strategy. AI wave: Slovakia 2023 deepfake, NH 2024 robocall, ZKML via EZKL as liveness path, Freedom House 18-year democratic decline.
• /present/ubi — UBI & Income Distribution Landscape 2025 (19 + 5 slides). Alaska PFD, Macau IVP, India DBT, Marshall Islands on-chain UBI, Worldcoin, GoodDollar, Circles, Self Protocol, Rarimo. Foundation's ZK ePassport approach identified as the strongest privacy-preserving option. AI wave: IMF 40% of advanced-economy jobs at risk, Goldman Sachs 300M jobs, CBDC milestone (BIS: 130+ countries, China e-CNY 260M wallets, EU Digital Euro 2026).
• /present/market — Collective Purchasing Landscape 2025 (19 + 5 slides). Pinduoduo, Groupon, Costco/REI, Healthcare GPOs, India GeM, ConstitutionDAO. OpenProcurement (Apache 2.0) identified as the key open-source reverse auction engine for Pillar 3. AI wave: Amazon 2.5M price changes/day destroying uniform pricing, US tariffs 10-145% as reshoring opportunity, supply chain disruption as Foundation moat.

Foundation Mobile v1.1

• WKWebView shell in HomeView.swift — loads https://app.foundation-global.com; injects window.__foundationMobileWebView = true at document start so Foundation's AccessGate detects the native shell.
• Lifebuoy (tech report) button — lifepreserver icon in native header opens a diagnostic sheet (app version, build, UID, ring).
• Adaptive native header — logo only when web view active (web app provides its own Navbar + logout); logo + lifebuoy + logout visible in native home screen only.
• "Open Foundation App" launch card below the ring card triggers the web view.
• Version: MARKETING_VERSION 1.0 → 1.1, CURRENT_PROJECT_VERSION 1 → 2. Tagged v0.2.0.

[v2.5.0] - 2026-05-15 — ToS: explicit Single Account Per Person clause

Added

• Single Account Per Person section appended to the Foundation ToS (functions/legal.js). Declares the one-human-one-account rule, lists the four prohibited patterns (document reuse, multi-document enrolment, proxying, multi-account ownership), names the legal exposures (electoral/ballot fraud, identity fraud, wire/computer fraud, conspiracy), and spells out the enforcement consequences (immediate suspension of all linked accounts, invalidation of votes/proposals/signatures/fund movements where technically possible, abuse-registry entry for the underlying document/nullifier, civil and law-enforcement referral). The section explicitly covers both the Foundation web client and the Foundation Mobile iOS app — the iOS shell renders the same markdown via getTermsOfService in its TosAcceptanceGate.
• ToS version bumped v2 → v3 (TOS_VERSION in functions/legal.js). Forces re-acceptance for every user at next sign-in regardless of prior consent, because the new Sybil/multi-account language is materially new and warrants fresh acknowledgment. Consent records continue to bind to the exact document hash via contentHash(tosMarkdown).

Notes

• Not a behaviour change to the verification flow. This release is text-only on the legal surface. The previously identified gap whereby a single physical passport can produce multiple distinct nullifiers in the current enrolment flow (Self SDK devMode: true in evoting-frontend/src/components/identity/SelfEnrollment.tsx:76) is not addressed in this release and is tracked as a separate follow-up. The ToS now puts users on explicit notice that the conduct is prohibited; technical enforcement parity is the next step.

[v2.4.3] - 2026-05-14 — Hotfix: getLoginAnalytics App Check carve-out

Fixed

• getLoginAnalytics was the only admin callable in functions/user-management.js without enforceAppCheck: false. On prod (ENFORCE_APP_CHECK=true), the web admin panel call returned unauthenticated even when the caller was a Tenant Admin, leaving the Login Analytics tab blank with a red "Unauthenticated" banner. Staging didn't surface it because ENFORCE_APP_CHECK=false there.
• Added the carve-out matching the 6 sibling admin callables (listUsers, setUserAccess, inviteUserWithAccess, adminResetUserHumanity, adminManualApproveHumanity, adminLockoutUser). Endpoint remains gated by requireRing(TENANT_ADMIN).

[v2.4.2] - 2026-05-14 — Login Analytics dashboard + SemVer anchor

Added

• Admin Login Analytics tab (evoting-frontend/src/components/voting/AdminLoginAnalyticsTab.tsx) — login-activity dashboard for the foundation, docs, and partners (yc) sites. Charts: hour-of-day, day-of-week, monthly trend, top-10 countries with flag emojis, per-day drill-down with the user list. Controls: 7d/30d/90d/1y range, per-site checkboxes, IANA TZ dropdown (re-buckets all charts client-side, no refetch), "Include admin/test/dev" filter (on by default; uncheck for external-only).
• getLoginAnalytics callable (functions/user-management.js) — Ring.TENANT_ADMIN-gated, queries the existing sessions collection, batches user lookup for ring/demo classification, resolves IP→country via geoip-lite server-side. Raw IPs never returned to the client. Hard cap 5,000 sessions per query.
• Single-source-of-truth version constant (evoting-frontend/src/lib/version.ts) — VERSION exported, consumed by Footer.tsx. Bumping the version is now a one-file edit.
• Dev-mode mock data path in the analytics tab — import.meta.env.DEV short-circuits the CF call and renders ~600 synthetic sessions across 15 mock users / 12 countries, so the layout is browseable on npm run dev without the CF deployed.

Changed

• cleanupOldSessions sweep cutoff bumped from 90d → 365d so the analytics tab's monthly chart has a full year of history. Pre-alpha so backfill is N/A.
• Frontend version display moved out of hardcoded Footer.tsx string into version.ts constant.

Operations

• Versioning convention switched to SemVer. Going forward, releases follow vMAJOR.MINOR.PATCH. Single source of truth: evoting-frontend/src/lib/version.ts. CHANGELOG headings use [vX.Y.Z]. Git deploy tag continues to be prod-YYYY-MM-DD per the existing workflow trigger pattern. The previous [v16] / [v17] sequential numbering is sunset; this entry is the bridge.
• docs/RELEASE_NOTES.md is deprecated. It has been stale since 2026-04-09 (last entry v0.8); the canonical release log is now this file. Future releases do not append there.

Notes

• Login Analytics tab caveats surfaced in-UI: docs site fires logSession on every authenticated page view (overstates "logins"); 5,000-session hard cap with a truncation banner if hit; geolocation is country-level only via GeoLite2 (MaxMind).
• Bump checklist for the next release lives in version.ts and the reference_foundation_versioning.md memory entry.

[v16] - 2026-05-04 → 2026-05-10 — No-Mac iOS CI, review-week hardening, docs polish

Added

iOS CI

• No-Mac mobile CI pipeline operational — GitHub Actions macos-15 runners + Xcode Cloud orchestrate the full archive → notarize → TestFlight upload chain with no dependency on a local Mac dev box. Apple App Store Connect API keys (rather than Apple-ID-tied certs) so secret rotation runs entirely in Linux. (2026-05-04 → 07)
• TF Build 4 — TestFlight build #4 ships the canonical TF Build 2 source through the new CI. End-to-end iOS auth + sign-in verified. Source = commit 604002d (= v0.1.0 = v0.1.1) plus 11 uncommitted files recovered from a Mac in repair.

Cloud Functions test gate

• 9 mock-smoke tests for hot-path Cloud Functions — createProposalDraft, castProposalVote, castProposalSupport, getMyWallet, issueAttestationNonce, recordMobileAttestation (AAGUID mismatch coverage that would have caught this week's bug), attachSemaphoreCommitment, requestSignInCode + verifySignInCode, anchorCommitment. Reuses the existing makeMockDb pattern from proposal-voting.test.js. (2026-05-09)
• CI deploy gate — .github/workflows/deploy.yml now runs cd functions && npm test as a test job; deploy-staging and deploy-prod declare needs: test. Failed tests block deploy.

Canonical fixture toolkit

• scripts/dump-fixture.mjs, scripts/seed-from-fixture.mjs, scripts/diff-projects.mjs ship as the official path for capturing and applying a curated demo dataset across staging + prod. Hard guardrails: pre-write Firestore export to GCS, --dry-run default, prod target requires --i-understand-this-rewrites-prod plus typed confirmation. Snapshot committed at functions/fixtures/canonical-fixture-2026-05-09.json — 32 proposals, 200 votes, 174 signatures, 20 voters / proofs / memberships, 14 funds, 6 distributions, 100 product requests, 2 tenants, 1 population. Applied identically to staging + prod (diff-projects total diff: 0). (2026-05-09)

Demo polish

• DemoBadge component (evoting-frontend/src/components/common/DemoBadge.tsx) — violet pill (FlaskConical icon) on any card or detail surface where demo === true, so reviewers can distinguish seeded content from real user activity at a glance. Wired into ProposalCard, ProposalDetail, MarketplaceListing, ProductRequestDetail, FundDashboard. (2026-05-09)
• 16 behavioral-econ-vetted proposal templates replace the prior SYNTHETIC dictionary in seed-foundation-staging.mjs; final mix is 8 round-0 + 6 active + 1 passed + 1 discarded. Near-end voting window bumped from +5 min to +24 h to stop demos auto-expiring under reviewer eyes. Composite Firestore index added for proposals(status, voting_ends_at) so expireVotingRoundsScheduled runs efficiently.
• Demo pool slot rotation — functions/demo-access.js switches from "lowest doc ID" to least-recently-released sorting; rotation observable across sequential tryDemo / releaseDemoSlot cycles. claimSlot exported for unit tests.

Changed

App Attest TF2 incident → resolved (2026-05-08)

• Real-device build TF2 hit App Attest with a cryptic INTERNAL response. Two overlapping causes:
  1. APP_ATTEST_ENV env var missing on the prod recordMobileAttestation Cloud Function (post-Rocket-retirement config drift). FUNCTIONS_ENV_PROD secret reconstructed; force-rebuild commit picked up the new value.
  2. Artifact Registry gcf-artifacts repo had been wiped by an over-aggressive cleanup policy (tagState: ANY + 7-day retention). Cloud Run revisions referenced now-deleted image digests. Policy reset to tagState: UNTAGGED + 30-day retention; runbook captured for re-application across new Firebase projects.
• Diagnosed via the cf-flow-monitor JSON-spec walker (scripts/monitor-flow.mjs driven by poh.flow.json) — checks the App Attest → email-link → ZK passport → Semaphore commit chain end-to-end with Cloud Functions trace + Firestore assertions per step. Reusable for any future server-side PoH regression.

Vocabulary sweep — "Humanity" → "Personhood" (2026-05-09)

• User-facing copy moved across IdentityProofView.tsx:148-156, registerFlow.ts:84 (Proof of Personhood), AdminUsersTab.tsx ("Reset humanity" → "Reset verification"). Data model retains humanityVerified for backward compatibility — only UI strings moved.

Auth-flow hardening (2026-05-09)

• adminResetUserHumanity cleanup gap closed — the reset path now atomically deletes flow_snapshots/foundation.register_<uid> (the doc that previously hung re-onboarding at "Loading registration…"), identity_proofs queried by voterId, voters/{uid}, the parent identity_commitments/{uid} doc, and tenant_memberships/*. Refactored into adminResetUserHumanityImpl for direct test invocation.
• submitProposal empty-author race fixed (evoting-frontend/src/contexts/VotingContext.tsx) — pre-flight currentUser?.displayName check + claims.sub-derived fallback so the Cloud Function never receives an empty author; submit button disabled until user hydration completes. Same race fixed for the auth context's logout (now await clearAuth()), eliminating the sticky-relogin loop.
• Runtime service-account signBlob self-binding — scripts/setup-ci-secrets.sh gained a grant_runtime_signblob() step that grants roles/iam.serviceAccountTokenCreator to the Cloud Run runtime SA on itself. Without this, firebase-admin's createCustomToken() (used by tryDemo for demo session minting) fails with Permission 'iam.serviceAccounts.signBlob' denied. Prod had been granted manually long ago; staging finally caught up.

Partners + docs sites (2026-05-09 → 10)

• Google sign-in restored on partners.foundation-global.com + docs.foundation-global.com — three older PRs (#25-#27) had been blocked by 33k-line merge conflicts; recovered via surgical cherry-pick onto a fresh branch (PR #56). Adds "Continue with Google" to LoginPage; removed the 5-app icon strip from Sidebar; removed the "Deadline: May 4, 2026" countdown footer.
• Partners-site Pillar 1 deck — status updated to reflect TF Build 4: Phase 5 (Passive anti-spoof, MiniFASNet .mlpackages shipped on-device) and Phase 6 (Face match, MobileFaceNet + CoreMLFaceEmbedder) flipped to LIVE; Phase 7 (Secure-Enclave seal) marked LIVE iOS / server-side P-256 verifier WIP. Cloud Functions Surface card corrected to 69 callables + 19 triggers (was stale at 25 + 9). (PRs #59, #60)
• Docs site — cherry-picked the stale feat/docs-site-cleanup-2026-05-03 branch that had never reached main; reconciled with the May timeline + narrative-overview rename + Phase 0 caption work. Result: 50+ YC-brand mentions across rendered docs scrubbed down to 26 load-bearing technical identifiers (access.yc Firebase claim, tos-yc Firestore key, yc-site/ directory, hosting:yc target, etc., that can't be renamed without breaking user records / API contracts / git history). Sidebar made collapsible with native <details>; Security & PoH group promoted above API Reference; group-count badges added; one stale "App Check enforcement pending" claim in poh-threat-model.md corrected (App Check enforced on all callables since 2026-04-20). (PRs #61, #62)

Security

• Firestore export captured for both prod + staging projects before the canonical-fixture apply on 2026-05-09 — rollback insurance for review week (gs://<bucket>/seed-rollback-2026-05-09/).

Operations

• Firebase v2 gcf-artifacts cleanup-policy pitfall captured. firebase-functions-cleanup with tagState: ANY deletes images that Cloud Run still references; revisions zombie on layer cache and new deploys fail. Use tagState: UNTAGGED.

[v15] - 2026-05-03 — Mobile pivot, PoH end-to-end, security hardening, partners site

Added

Mobile (iOS / Swift)

• Native iOS client — sign-in + App Attest + NFC ZK ePassport + active liveness. Phase 0 sign-in via branded Resend email-link, switched away from custom-token exchange for the canonical flow (2026-04-23 — 30bfa704, d4cbcd0d).
• Mobile platform-attestation Cloud Functions (appAttest*) wired into the deploy script (2026-04-23 — 5f436abd).
• AASA + Universal Links — claim Firebase Auth email-link paths + mirror header overrides (2026-04-23 — d669449c).

Proof-of-Humanity end-to-end

• PoH end-to-end validation receipt (2026-04-29) — full passport NFC → ZK proof → liveness → enclave seal → Solana anchor in 94 seconds on iPhone 13 / iOS 26.4.2 / devnet / real Israeli + Portuguese ePassport. Solana tx 24zvj9xWr3HX3QPz4MvfWX1VAuEYpmXTY7RDaK82XshbKCexr9nmi2Zo5gdhjJfaLzionrqPJ4pWszWevXdHS32S (slot 458982088, finalized).
• identity_commitments Anchor program deployed on devnet at 2eLQB1hoLv7nXvu1RYWFZw6eSkVjzUZEYeLDWpms1WkC. Queue-based humanity-seal anchor + anchorCommitment callable (2026-04-25 — 2519e3fd, 2cf19289).
• PoH bridge fix — new humanity-seal flow now writes identity_proofs/{nullifier} + voters/{uid} + tenant_memberships/{tenantId}_{uid}, so desktop AccessGate and admin user lists surface new-flow users. Backfill: scripts/backfill-poh-bridge-docs.mjs (2026-05-01).
• Self Protocol contribution — IL + PT CSCA/DSC chain coverage upstreamed via selfxyz/self#1962.
• Per-user Solana wallet exposed as the user's UI identity (2026-04-23 — f4637cb2).

Demo & onboarding

• 20-slot demo pool — pre-seeded demo-user-pool-NN identities replace single shared demo-user-foundation; eliminates concurrent-reviewer collision on the on-chain "already voted" check. Frontend has distinct DemoCapacityError UX. releaseDemoSlot callable on explicit sign-out (2026-05-01 — 22ac34e3).
• ?demo=true URL param + Foundation 0.0.1 demo tenant for casual visitors at foundation-global.com (2026-04-21 — 01e888fa).
• Admin manual humanity-approval path — adminManualApproveHumanity + orange-shield UI flagging demo / manual-approve users distinct from real PoH-verified (2026-05-01 — bb2afb8a).
• Submit-support callable — anonymous diagnostic dump for stuck users (2026-04-25 — 59923185).

Desktop pairing

• Pair claim/release CFs with stale-auth_time reject + 30-min server pair-auth threshold (2026-04-25 — f240fea6, ab87083f, c5408ba6).
• Per-user N-pair-per-mobile cap + FEATURES.desktopPairing flag (2026-04-27 — 97f07fd6).

Partners site (partners.foundation-global.com)

• New invite-only review surface for VCs / advisors / pilot communities. Decks, whitepapers, grants pipeline, narrative overview, technical reviews. Auth-by-default with per-route visibility tiers (public / auth / admin / hidden).
• Email + password sign-in (replaces email-link). Single shared credential partners@foundation-global.com works across the partners + docs sites via per-site access.{yc,docs,foundation} claims. Provisioned via scripts/provision-partner.mjs (2026-05-03 — PR #23).
• Reviewer magic-link flow (/reviewer-signin?token=…) for one-off zero-friction VIPs — generateReviewerLink callable now stamps access.yc=true on the resulting custom token.
• Admin visibility console at /admin/visibility — flip per-item tier from a Firestore-backed map (Path B). PR #15.
• Sidebar restructure — Frontend / Mobile / Backend / System Architecture grouping; Pillar parents as toggles (Path A). PR #14.
• Branding cleanup — noindex + robots.txt blocks all crawlers + AI bots (GPTBot, ClaudeBot, Google-Extended, CCBot). PR #18.

Docs site (docs.foundation-global.com)

• Email + password sign-in (replaces email-link). Same shared partner credential authorizes both sites. PR #24.
• New API surface docs — docs/foundation-api.md (narrative integration guide, ~25 callables) and docs/cf-reference.md (catalog of all 86 Cloud Functions).

Build snapshots

• docs/build-history-2026-04-28.md and docs/build-history-2026-05-01.md — operations-grade reproducibility snapshots (deployed state, branches, version tags, npm hoisting issues, etc.).

Security

• 2026-04-26 multi-agent security review — 12-document audit, 7 critical findings, remediation roadmap published. See docs/security-review*-2026-04-26*.md.
• Phase 1 security closure (2026-04-27) — CRITICAL Q1/Q2/D/C fixes from the review (4c2cd1c7).
• Phase 1.U — biometric consent + BIPA Illinois geo-block (e8035124).
• Phase 2.A2 — ring-elevation guard in setUserAccess (b291134e).
• Phase 2.B — public-callable rate limits (HIGH severity gaps closed) (19971403).
• Phase 2.C — server-side governance round transitions (b2cc113b), voter-profile CFs (744cdddf), tenant + membership CFs (73ddd98c).
• Phase 2.E — manual-review path hardening (HIGH F-H-6) (d9d42ecb).
• App Check — helper applied globally; enforcement enabled progressively, PoH callables first.
• Tier 1 lifecycle sweepers + Tier 4 audit pipeline (73b9144f).
• Bulk cleanup — 42 legacy webauthn_credentials docs deleted (2026-04-26 — 27dcf6fb).
• Auth smoke tests — scripts/security-smoke-*.sh covering P1-P24 (e1235788, cfc3317e).
• App Check exchange — louder + actionable failure when debug-token exchange fails in scripts (4c992be3, dc2e5124).

Changed

• Auth gates rebranded — the old yc-site is now the partners site at partners.foundation-global.com. Email-link sign-in replaced with email + password on both partners + docs (2026-05-03).
• Per-site ToS gates — Foundation, Docs, Partners each require one-time consent (legal_consents/{tos-foundation,tos-docs,tos-yc}_v1). Acceptance recorded with content hash (2026-04-22 — 109378f2).
• Per-site access claims — Admin Users tab + per-site claim editor + session logging (2026-04-22 — efe9756c).
• resendInviteLink — accepts site param (app / yc / docs) for per-site continue URL; subject-tag breaks Gmail thread-collapse (2026-04-24 — 76a053cb).
• iOS sign-in — drops custom-token exchange, uses branded Resend email-link as the canonical flow.
• Brand cleanup — final scrub of "Rocket" / "REST gateway" references from public docs and live UI (2026-04-21).
• Canonical app URL — flipped to foundation-global.com from foundation-vote.web.app; legacy hosts auto-redirect (2026-04-21 — 0b006042, 2850299c).
• Hostname-aware initial pillar view — subdomain deploys (voice / share / market) now route directly to the matching pillar (2026-04-21 — 63fd9159).

Fixed

• Web clearAuth delegates to iOS shell when running in Foundation WebView (2026-04-26 — 0f2f0cec).
• docs-site flash-of-gate after auth-state change — pre-unauthed class properly swapped on sign-in (2026-04-23 — 19f2eea0).
• docs-site sign-out moved to topbar icon + fixed broken sign-out action (2026-04-22 — 6e44ce09).
• backfillTenantClaim now preserves existing customClaims (2026-04-23 — bfa96d19).
• Pairing — client-side lease check + tighter grace + architecture doc (2026-04-26 — a8a8d136).
• Firestore — user can read own identity_commitments; explicit deny on /support + /support_usage for clients (2026-04-25 — 6ac104c9, ed211300).
• Anchor compilation script + multi-platform Solana BPF toolchain installer (2026-04-26).

Deprecated / removed

• The legacy evoting-rocket-server/ REST gateway (already retired 2026-04-19, fully scrubbed from docs/UI on 2026-04-21).

[v14] - 2026-04-13 — DB Validator, Multi-Tenant Plan, Growth Strategy

Added

• Firestore DB Validator — schema validation for 11 collections, referential integrity checks (7 cross-entity relationships), aggregate consistency checks (vote counts, duplicate detection). Dedicated Admin Panel tab with progress bar and expandable results.
• Dynamic Action Items — migrated from hardcoded arrays to Firestore-backed CRUD with real-time subscriptions, inline editing, quick status changes, and full history preservation (23 historical items seeded).
• Growth Strategy document — $100 sign-up bonus design, two-sided referral program, organizational partnership playbook. Backed by PayPal, Robinhood, Dropbox, Nextdoor case studies with real numbers.
• Multi-Tenant Architecture plan — phased approach from tenant_id field (Phase 1) to full isolation (Phase 2) to self-service provisioning (Phase 3). Covers Firestore, Solana, auth, routing, security rules.
• 3 new E2E test specs — admin-tools, proposal-flow, api-health (Playwright).
• Admin tools documentation page added to docs-site.
• Both strategy docs registered in docs-site and partners site ("Growth & Architecture" nav section).

Changed

• Updated all 6 existing E2E tests for pillar rebrand and consistent AccessGate bypass.
• Action Items UI improved — removed text truncation, increased icon/badge sizes, better multi-line readability.
• action_items added to Firestore security rules (full CRUD for devnet).
• action_items included in DB Validator schema checks and Reset All tool.

Fixed

• Biometric login session timeout — extended from 5 minutes to 2 hours on devnet (30 min production). Now clears both JWT and svote_access together on timeout to prevent half-authenticated state.
• Login flash on reload — isAuthenticated now initializes synchronously from in-memory JWT instead of waiting for async Firestore fetch, eliminating the brief "Login" button flash.
• ResultsDashboard crash on proposals with empty options maps.

[v13] - 2026-04-13 — Admin Tools, Biometric Fixes, Branding

Added

• Reset All & Re-seed tool — clears all collections and re-seeds fresh demo data.
• Reset Voters tool — batch-deletes all voter records with progress indicator.
• Population Seeder — address picker + configurable 100–100K voter generation.
• Vote Seeder — per-proposal vote injection with distribution patterns (random, landslide, head-to-head).
• Progress bars for all long-running admin operations.
• ID Reviews admin tab with Firestore composite index.

Changed

• Pillar rebrand — "Your Voice / Your Share / Your Market" across all UI, docs, tests, hero section.
• Pillar filtering — proposals, results dashboard, and active proposal banners now filter by pillar context.
• Admin panel — Governance tab renamed to Workflows, date range filter added to Reports.
• Hero section — stacked pillar lines with icons, aligned flush left.
• Voter names anonymized (Anon-XXXXXXXX format).
• Vote seeding uses UUID option keys and creates matching voter records.

Fixed

• Biometric login loop — 4 incremental fixes: set svote_access after WebAuthn success, grant access on devnet even if server verification fails, show authenticated state after reload, demo fallback for JWT.
• Reset Voters — switched to raw Firestore batch queries (no orderBy) to catch all documents.
• Backend health check — corrected Cloud Run endpoint URL (applied before the backend consolidation).
• Reports crash on proposals with empty options.
• Data Stats permissions error on restricted collections.

[v12] - 2026-04-11/12 — Proof-of-Humanity (Self Protocol + Semaphore)

Added

• PoH Phase 0 — identity_proofs collection scaffolded with nullifier-keyed documents.
• PoH Phase 1 — Self Protocol ZK enrollment via verifyPassportProof Cloud Function. Groth16 verifier validates passport proofs server-side.
• PoH Phase 1.5 — identity_proofs locked to server-only writes (Admin SDK bypass).
• PoH Phase 1.6 — Country coverage matrix, mdl-iso18013 type surface, credential expiry policy.
• PoH Phase 2a — Device-side Semaphore identity generation (commitment from passport nullifier).
• PoH Phase 2b — attachSemaphoreCommitment Cloud Function links Semaphore commitment to identity proof.
• PoH Phase 3 — Semaphore group management, anonymous voting circuit, ZK proof generation and verification.
• PoH Phase 3a — Manual review fallback for non-ePassport users.
• E2E tests for auth → PoH → vote flow across pilot countries.
• Action items tracker in Admin Panel (initial hardcoded version).
• Self Protocol open-source contribution — IL/PT CSCA/DSC coverage issue filed.
• Legal pages (Security, Resources, Legal) added to footer.
• Supabase completely removed; migrated to Firestore-only.

[v11.5] - 2026-04-09/10 — Three-Pillar Platform, Partners Site

Added

• Partner-materials site (later renamed to partners.foundation-global.com; initial URL solanavote-yc.web.app) — React + Spectacle presentation decks, markdown document viewer, Google auth gate.
• Three-pillar documentation — whitepapers, summaries, deck outlines, and demo plans for all three pillars.
• Pillar 2 (Your Share) — Community Fund with fund management, distribution tracking, allocation voting.
• Pillar 3 (Your Market) — Cooperative Commerce with product requests, supplier bidding, demand aggregation.
• API Playground — interactive explorer for the backend HTTP endpoints (later superseded by the Cloud Functions admin-testing panel).
• Governance State Machine — XState v5 engine with 5 predefined workflow templates (Standard, Express, Constitutional, Emergency, Community Budget).
• AI Constitution Review — Claude AI evaluates proposals against community-authored principles.
• Multi-site Firebase Hosting — 5 sites (devnet, docs, yc, foundation-vote, foundation-platforms).
• Admin Testing & Tools tab — health check, voting simulation, data seeding, data stats.
• Sign-out button in navbar to return to access gate.
• Firestore data layer for all three pillars with real-time subscriptions.
• E2E test suite (Playwright) — 6 initial specs.

Changed

• Rebranded SolanaVote → Foundation across all UI and docs.
• Google auth added to docs site.
• CORS configuration reads from environment variables.

[v11] - 2025-08-16 — FROZEN BASELINE

Core Voting System (Original Release)

• Smart Contract — Rust/Anchor voting contract on Solana with create_population, register_voter, create_proposal, support_proposal, cast_vote.
• REST API — Node.js/Express server (later migrated to Rust/Rocket) with complete endpoint coverage.
• Testing — Automated API testing, performance benchmarks (Artillery/k6), security testing framework.
• Deployment — One-command deployment with deploy-evoting.sh, system monitoring with system-status.sh.
• Documentation — README, Smart Contract docs, API reference, Deployment guide, Testing guide.
• Security — PDA-based duplicate prevention, authority access control, time-based deadlines, input validation.

[v11.1–v11.4] - 2026-03-21/25 — Pre-Platform Prep

Added

• Access code gate for platform entry.
• Biometric (WebAuthn) registration and login.
• OCR name parsing for identity documents.
• Footer pages (Security, Resources, Legal).
• Location services integration (free API).

Fixed

• OCR name parsing edge cases.
• Biometric login flow issues.

Version Summary