Releases: Good-Native/hover

v0.34.15

13 May 02:22

v0.34.15 Pre-release

Fixed

  • fly-autoscaler no longer logs "metrics collection failed: empty prometheus
    result" once a minute on both
    hover-autoscaler-worker and hover-autoscaler-analysis. The broker gauges
    (bee_broker_stream_length, bee_broker_scheduled_zset_depth) are
    synchronous OTel Int64Gauges, which only emit when Record() lands inside a
    collect interval; during idle the series goes stale in Fly's managed
    Prometheus and the autoscaler's PromQL returns no result. The autoscaler
    queries are now wrapped with "or on() vector(0)" so an empty result collapses to zero
    rather than erroring. Scaling behaviour is unchanged at idle (the existing
    max(1, …) floor already kept a single machine running). Trade-off documented
    inline: a true Redis outage now reads 0 instead of producing a series gap,
    so the autoscaler scales to MIN=1 rather than holding count — acceptable
    because idle workers can't crawl during an outage anyway and restart cleanly
    once Redis recovers. The full fix (async observable gauges) is tracked in a
    follow-up issue.

Security

  • Bump github.com/jackc/pgx/v5 from v5.7.6 to v5.9.2 to resolve a
    memory-safety vulnerability (Dependabot alert #54).
  • Bump @webflow/webflow-cli from ^1.12.4 to ^1.21.0 in
    webflow-designer-extension-cli/ to clear transitive dev-dep vulnerabilities
    (axios, follow-redirects, fast-uri, babel, postcss). Webflow extension is
    dev-only tooling and does not ship to production.

v0.34.14

12 May 10:33

v0.34.14 Pre-release

Security

  • Bump github.com/jackc/pgx/v5 from v5.7.6 to v5.9.2 to resolve a
    memory-safety vulnerability (Dependabot alert #54).
  • Bump @webflow/webflow-cli from ^1.12.4 to ^1.21.0 in
    webflow-designer-extension-cli/ to clear transitive dev-dep vulnerabilities
    (axios, follow-redirects, fast-uri, babel, postcss). Webflow extension is
    dev-only tooling and does not ship to production.

v0.34.13

12 May 10:21

v0.34.13 Pre-release

Fixed

  • App, worker, and analysis binaries no longer Fatal on the first Redis PING
    failure at startup. The ping is now wrapped in a bounded retry loop (30 s
    total, 3 s per attempt, capped exponential backoff) so the binary rides out
    the Upstash-on-Fly cold-start window that briefly closes connections with EOF
    on freshly-provisioned review apps. Production behaviour is unchanged — a
    healthy Redis still succeeds on the first attempt and persistent
    misconfiguration still fails fast. Resolves the recurring EOF burst on every
    PR preview deploy (Sentry: HOVER-JX, HOVER-MD, HOVER-JZ).
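
A bounded startup ping of the kind described above, as an added example rather than the project's own code. PingWithRetry and its parameters are hypothetical names; the 30 s and 3 s limits come from the release note, while the base delay and backoff cap are assumed values.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// PingWithRetry is a hypothetical helper, not the project's function. It calls
// ping until it succeeds or the total budget expires, bounding every attempt
// and doubling the wait between attempts up to maxBackoff.
func PingWithRetry(ctx context.Context, ping func(context.Context) error,
	total, perAttempt, base, maxBackoff time.Duration) (int, error) {
	ctx, cancel := context.WithTimeout(ctx, total)
	defer cancel()
	backoff := base
	for attempts := 1; ; attempts++ {
		actx, acancel := context.WithTimeout(ctx, perAttempt)
		err := ping(actx)
		acancel()
		if err == nil {
			return attempts, nil
		}
		select {
		case <-ctx.Done(): // budget spent: surface the last ping error
			return attempts, fmt.Errorf("redis ping: gave up after %d attempts: %w", attempts, err)
		case <-time.After(backoff):
		}
		if backoff *= 2; backoff > maxBackoff {
			backoff = maxBackoff
		}
	}
}

func main() {
	// Constructed stand-in for a Redis PING that drops the first two connections.
	calls := 0
	flaky := func(context.Context) error {
		if calls++; calls <= 2 {
			return errors.New("EOF")
		}
		return nil
	}
	// 30 s total and 3 s per attempt come from the release note; the 250 ms
	// base and 2 s cap are assumed values.
	n, err := PingWithRetry(context.Background(), flaky, 30*time.Second,
		3*time.Second, 250*time.Millisecond, 2*time.Second)
	fmt.Println("attempts:", n, "err:", err)
}
```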

v0.34.12

12 May 00:10

v0.34.12 Pre-release

Changed

  • JobManager.GetRobotsRules now caches results per normalised domain (1h
    positive TTL, 60s negative TTL), and collapses concurrent misses onto a single
    origin fetch via singleflight. A long crawl previously refetched /robots.txt
    every five minutes (stream worker's job-info TTL) and a 429 on /robots.txt
    returned on the next read; both are now bounded.

v0.34.11

11 May 23:06

v0.34.11 Pre-release

Changed

  • Crawler user agent is now always exactly config.UserAgent. Dropped the dead
    Worker-<id> suffix branch in crawler.New along with the unused variadic ID
    parameter and struct field.

v0.34.10

11 May 22:30

v0.34.10 Pre-release

Changed

  • Pacer's per-domain adaptive delay is now durable:
    domains.adaptive_delay_seconds is read on every job-info cache miss and
    reseeded into Redis, and the learned value is written back from the pacer's
    success/rate-limit path (debounced per domain at five-minute intervals). The
    startup FlushAdaptiveDelays is now opt-in via
    GNH_PACER_FLUSH_ON_START=true for incident recovery; default behaviour
    preserves the learned rate across worker restarts.
  • Dispatcher now caps per-domain inflight tasks at
    ceil(GNH_PACER_EST_RESPONSE_MS / adaptive_delay_ms) (default response
    estimate 1500ms). Above the cap, additional entries skip dispatch without
    consuming the gate, preventing the burst-then-collapse pattern that elevates
    egress IP reputation on CF-fronted domains.

v0.34.9

11 May 11:57

v0.34.9 Pre-release

Fixed

  • WAF detection now recognises Cloudflare managed challenges served as HTTP 429
    with Cf-Mitigated: challenge. Previously the verdict was gated behind status
    403 or 202 only, so CF challenge responses (observed against CF-fronted
    Shopify storefronts with Super Bot Fight Mode enabled) were misclassified as
    plain "Too Many Requests" and jobs burnt three retries before failing with a
    misleading error. Jobs now fail fast and stamp domains.waf_blocked = true
    with waf_vendor = cloudflare.
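
The status gate described above, before and after the fix, as an added example that is not the project's code. The Verdict type and the function names are hypothetical, and the sketch covers only the Cloudflare Cf-Mitigated marker, not any other vendor checks the real detector may have.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Verdict is a hypothetical result type; Blocked and Vendor stand in for the
// domains.waf_blocked and waf_vendor columns named in the release note.
type Verdict struct {
	Blocked bool
	Vendor  string
	Retry   bool // true when backing off and retrying is still worthwhile
}

// classify reports a Cloudflare block only when the status is one of the
// gated codes and the response carries Cf-Mitigated: challenge.
func classify(status int, h http.Header, gated ...int) Verdict {
	challenge := strings.EqualFold(strings.TrimSpace(h.Get("Cf-Mitigated")), "challenge")
	for _, s := range gated {
		if status == s && challenge {
			// A managed challenge cannot be cleared by retrying: fail fast.
			return Verdict{Blocked: true, Vendor: "cloudflare"}
		}
	}
	// Without a challenge marker, 429 is treated as an ordinary rate limit.
	return Verdict{Retry: status == http.StatusTooManyRequests}
}

// LegacyClassify models the pre-fix gate: only 403 and 202 were inspected.
func LegacyClassify(status int, h http.Header) Verdict {
	return classify(status, h, http.StatusForbidden, http.StatusAccepted)
}

// ClassifyResponse models the fixed gate, which also inspects 429.
func ClassifyResponse(status int, h http.Header) Verdict {
	return classify(status, h, http.StatusForbidden, http.StatusAccepted,
		http.StatusTooManyRequests)
}

func main() {
	// Constructed sample response headers, not captured traffic.
	h := http.Header{}
	h.Set("Cf-Mitigated", "challenge")
	fmt.Printf("legacy: %+v\n", LegacyClassify(429, h))
	fmt.Printf("fixed:  %+v\n", ClassifyResponse(429, h))
}
```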

v0.34.8

09 May 12:26

v0.34.8 Pre-release

Security

  • Enabled RLS (no policies) and revoked anon/authenticated grants on
    task_outbox, task_outbox_dead, and lighthouse_runs; these tables are
    only accessed by the Go server via the service role.
  • Switched the organisation_quota_status view to security_invoker = true so
    it honours the caller's RLS rather than the creator's.
  • Revoked anon/authenticated EXECUTE on 19 server-internal
    SECURITY DEFINER functions (OAuth token store/get/delete for Google
    Analytics, Slack, and Webflow; vault cleanup helpers; Slack user-link helpers;
    increment_daily_usage). These RPCs are only called by the Go server via the
    service role; the three RLS-helper functions used inside policies
    (user_is_member_of, user_organisation_id, user_organisations) remain
    callable.

Performance

  • Rewrote 14 RLS policies on notifications, daily_usage,
    google_analytics_connections, google_analytics_accounts, and
    organisation_domains to wrap auth.uid() in a (select …) so it is
    evaluated once per query instead of once per row.
  • Scoped the "Service role can manage usage" policy on daily_usage
    TO service_role so it no longer fires during anon/authenticated SELECTs,
    removing the multiple-permissive-policies overhead.
  • Pinned search_path on update_job_queue_counters and
    get_daily_quota_remaining.
  • Added covering indexes on nine previously-unindexed foreign keys
    (google_analytics_accounts.installing_user_id,
    google_analytics_connections.installing_user_id,
    lighthouse_runs.source_task_id, organisation_invites.created_by,
    page_analytics.ga_connection_id, platform_org_mappings.created_by,
    slack_connections.installing_user_id, task_outbox_dead.lighthouse_run_id,
    webflow_connections.installing_user_id) so cascade deletes and FK joins no
    longer fall back to sequential scans.

Documentation

  • Added
    docs/security/SUPABASE_ADVISORS.md
    recording the deliberate "won't fix" advisor findings (the three RLS-helper
    SECURITY DEFINER functions, the empty-policy state of domain_hosts) and
    deferred items (unused indexes, Auth DB connection strategy).

v0.34.7

09 May 09:14

v0.34.7 Pre-release

Added

  • Sentry browser SDK + replay loader on the homepage, auth-callback, welcome,
    invite-welcome, and extension-auth pages so existing
    window.Sentry.captureException calls in auth.js stop silently no-op-ing on
    the auth flow.
  • Sentry transactions wrapping the job scheduler tick, the health-monitor
    completion and system checks, and inbound HTTP requests (via the sentryhttp
    middleware), so existing sentry.StartSpan calls in
    internal/jobs/manager.go and internal/db/queue.go get parented and bill as
    performance units.
  • Sentry Logs forwarding for Warn+ slog records (EnableLogs plus a LogLevel
    on the slog handler), separate from the existing error-event surface.

Changed

  • Extracted the duplicated frontend Sentry init block into
    web/static/js/sentry-init.js so future tweaks land once instead of per HTML
    page.

v0.34.6

09 May 02:45

v0.34.6 Pre-release

Changed

  • Bump Go to 1.26.3 and golang.org/x/net to v0.53.0 to clear GO-2026-4918
    (HTTP/2 SETTINGS_MAX_FRAME_SIZE infinite-loop) flagged by govulncheck.
  • Split Fly machine pool reconcile into its own CI job so downstream autoscaler
    releases no longer block on clone-start-stop warm-up. Review apps drop their
    per-PR pool target from 10/5 to 3/3 (analysis/worker); prod retains 10/5.