Changelog
Every audit cycle, fix, and improvement documented. No black boxes.
Audit Cycle 7
Cumulative Results (7 cycles)
Live site verified: all 5 key endpoints returning 200
llms.txt serving 8KB of complete documentation
No uncommitted work, no code changes needed
Audit loop stable for 4 consecutive cycles (4, 5, 6, 7)
Audit Cycle 6
Focus: Dogfood completeness (llms.txt update)
No bugs found — codebase remains clean after 6 cycles.
IMPROVE: llms.txt updated from 8 endpoints to 48+ endpoints
IMPROVE: Now documents 9-dimension scoring system (was old 5-category)
IMPROVE: MCP section: 7 tools, 4 resources, 3 prompts documented
IMPROVE: 12 organized sections covering full API surface
Audit Cycle 5
Focus: Hardening + Resilience (no bugs remaining, improving production quality)
Findings
HIGH-IMPACT IMPROVE: Scanner uses Promise.all — one failing dimension kills entire scan
MEDIUM: 5 public endpoints missing Cache-Control headers
MEDIUM: Sitemap missing 3 new pages (leaderboard, report, analytics)
NOTED: OpenAPI spec missing 21+ new routes (large effort, deferred)
NOTED: llms.txt outdated (references old 5-category system)
Fixes Applied
Scanner orchestrator: `Promise.all` → `Promise.allSettled` for graceful degradation (partial results on failure)
Discover endpoint: added `Cache-Control: public, max-age=60, s-maxage=120`
Sitemap: added leaderboard, report, analytics pages
Audit Cycle 4
Findings
Final pass verified: scanner cap rules, TLS detection, data quality edge cases, batch scan caching, webhook HMAC security, API key hashing, Stripe Connect handling, all fetch error handling across 9 scanners
Areas Verified Clean
Scanner orchestrator: cap rule interaction correct (lowest cap wins)
D7 security: hasNoTls export + TLS detection working
D6 data quality: flattenObject handles nulls, empty objects, arrays
Batch scan: works with old engine, cached results correct
Webhook subscribe: HMAC secret generation secure (randomBytes 32)
API keys: SHA-256 hashing correct, IDOR prevention on delete
Stripe Connect: 503 when not configured, no crash
All scanners: probeEndpoint wraps every fetch in try/catch with timeout
Result
0 critical, 0 high, 0 medium — codebase is clean
Audit Cycle 3
Findings (deep sweep of scanners, certify, benchmarks, semantic search)
Fixes Applied
CRITICAL: Certify route used old 5-category audit engine instead of new 9-dimension scanner
HIGH: Benchmarks median calculation wrong for even-count arrays (always overestimated)
HIGH: Robots.txt check matched path-specific Disallows as root blocks (false negatives)
MEDIUM: Semantic search threshold/limit params not validated (NaN/negative possible)
MEDIUM: Benchmarks queries unbounded (no limit, could timeout at scale)
Certify route: switched from `runAudit` to `runScan` (9-dimension scanner)
Benchmarks: proper median for even arrays (average of two middle values)
D1 scanner: robots.txt uses regex for root-only Disallow, handles CRLF
Semantic search: threshold validated 0-1, limit clamped 1-100
Benchmarks: added `.limit(1000)` to prevent unbounded queries
Audit Cycle 2
0 critical, 0 high — all critical/high from cycle 1 are fixed
Findings
3 MEDIUM: Score threshold misalignment across components (ScoreGauge, audit page, remediate page used different thresholds)
2 LOW: Leaderboard offset dependency, report missing platinum color tier
5 VERIFIED OK: Report math, hermes-json inference, mystery shopper null check, analytics pattern, HeroScanForm
Fixes Applied (5 files)
ScoreGauge color thresholds aligned to 90/75/60/40 (was 80/60/40)
Audit page tier descriptions: "unaudited" → "Failing" for scanned-but-low businesses
Remediate page getStatus thresholds aligned to 0.75/0.40 (was 0.70/0.35)
Leaderboard: removed stale `offset` from useCallback dependencies
Report page: added platinum tier color for scores 90+
Result
60 routes compiled
Deployed to production
Audit Cycle 1
Findings (3 audits: code quality, security, functionality)
CRITICAL: Scan route D2 dimension mislabeled as D3 — data corruption on save
CRITICAL: Signature verification could throw on malformed base64 input
HIGH: SSRF vulnerability in hermes-json verify endpoint (no private IP blocking)
HIGH: Trust score missing bounds clamping (could exceed 0-100 range)
HIGH: Webhook delivery failures silently swallowed (no logging)
Fixes Applied
Fixed D2 dimension lookup: `'D3'` → `'D2'` in scan/route.ts
Added try-catch + length check to signature verification (timing-safe)
Added SSRF protection to hermes-json verify (blocks private IPs)
Added bounds clamping to trust score (0-100)
Added webhook delivery failure logging
Not Fixed (deferred)
Batch scan uses old 5-category engine (works, just older format)
Hermes JSON dimension inference from old categories (works, less precise)
Leaderboard pagination race condition (cosmetic)
Report dimension math scaling (minor display issue)
60 routes compiled
Deployed to production via GitHub push
This changelog is auto-generated from CHANGELOG.md at build time.