SaaS Starter — Kiln

**Fixed:** Seeded billing plans now remain in sync across environments. Previously, plan configurations could drift during deployment cycles—this is now corrected. **Docs:** Added quality gate report documentation for improved visibility into release standards and compliance checks. Update recommended for all deployments relying on seeded billing data.

Fixed API key usage accounting to fail closed (#90). The system now safely halts requests when usage cannot be reliably tracked, preventing silent overages or billing discrepancies. If you use metered API access or enforce rate limits, verify your monitoring and alerting are configured to catch closed-state events. This ensures you catch tracking failures before they impact production.

Maintenance release. Internal dependency and tooling updates to keep the Next.js SaaS starter current with upstream ecosystem changes. No breaking changes or new features in this release.

Improved validation and access control for API key and OAuth linking flows. This release hardens the gates that protect sensitive authentication operations, reducing the surface area for unauthorized access or misconfiguration. **Changes:** - Strengthened API key validation and scope enforcement - Enhanced OAuth linking authorization checks - Tightened permission boundaries for credential management No migration required. Update at your convenience to benefit from improved security posture.

Maintenance release. Internal updates and stability improvements.

Design token alignment: corrected accent token to match the current design catalogue (#88). This ensures consistency across component styling and theme application.

Closed review gaps identified in v1.14.53. Internal fixes to ensure code quality and consistency across the Next.js SaaS starter template. No breaking changes or new features in this release.

Fixed password review gaps in the OAuth flow that could expose sensitive credential handling. This patch tightens validation and review checkpoints during authentication to align with security best practices. No breaking changes. Update recommended for all deployments handling user authentication.

Fixed review gaps identified in v1.14.51 zip packaging. This release ensures the starter kit meets our internal quality standards with no changes to your project structure or dependencies.

Post-release review cleanups. Internal maintenance to improve code quality and consistency. No breaking changes or new features in this patch.

Fixed regressions in cleanup and API contracts identified during code review (#78). These fixes ensure proper resource teardown and maintain API contract integrity across the starter template. No breaking changes. Update recommended for improved stability.

Fixed regressions identified in release review phase 2. This patch addresses stability issues in the tl01-kiln-saas-starter-nextjs template that may have affected deployment or runtime behavior. No breaking changes or migration required — update at your convenience.

Fixed regressions in external review workflows that were introduced in a recent update. This release restores expected behaviour for review submission, approval routing, and stakeholder notifications. If you've experienced issues with external reviews not processing correctly, update to v1.14.48 to resolve.

Resolved Stripe checkout review findings (#73). This release addresses compliance and integration issues identified during Stripe's review process, ensuring smoother payment flows and better alignment with Stripe's platform requirements. No breaking changes. Update at your convenience.

Fixed display font token parsing to ensure tokens remain valid during build and runtime processing. This resolves an edge case where certain font token configurations could become unparseable in downstream tools.

Design token alignment: synchronized Kiln design tokens with the current catalogue to ensure consistency across component styling and theming. No breaking changes or new features.

Internal review gap closure from v1.14.42. No breaking changes or new features in this patch. Recommended for all users on v1.14.x.

**Subscription & Account Deletion Reliability** - Fixed subscription cancellation reconciliation after Stripe deletion failures, preventing orphaned subscription states. - Account deletion now fails gracefully before attempting to delete the account if Stripe cancellation fails, ensuring data consistency. These changes reduce edge-case failures in account lifecycle management and improve error handling when Stripe operations encounter issues.

**Activity Timeline Fix** Fixed an issue where soft-deleted actors were appearing in activity timelines. The timeline now correctly filters out deleted actors, ensuring activity logs display only current, valid references. This improves data clarity in audit trails and activity feeds without requiring any configuration changes.

**Fixed:** Removed inherited DataTable scope creep that was causing unintended style and behaviour leakage to child components. DataTable now properly isolates its internal state and styling, preventing conflicts when nested or reused in complex layouts. This fix improves component predictability and reduces debugging friction when working with multiple DataTable instances or integrating DataTable into custom layouts.

Build optimization: removed remote font build dependency. No changes to font delivery, rendering, or application behaviour. This reduces build complexity and improves local development setup reliability.

**Fixed:** Stripe customer deletion is now guarded in demo mode, preventing accidental data loss when testing payment flows in non-production environments. This ensures demo instances remain stable during development and testing cycles.

Resolved internal review blockers from v1.14.36. No breaking changes or new features in this patch release.

Internal release addressing v1.14.35 review process items. No changes to buyer-facing functionality, APIs, or dependencies. Stable continuation of the v1.14.x line.

Fixed accent token alignment with the design catalogue (#56). This ensures consistent colour application across components and maintains parity with the latest design system specifications.

Improved validation logic in the checkout billing flow to prevent edge-case failures and ensure payment processing completes reliably. This release hardens blockers that could interrupt transaction completion under specific conditions. No breaking changes. Update recommended for production SaaS deployments relying on consistent checkout performance.

Documentation polish and billing phase 7 closure. Routine maintenance release with no breaking changes or new features.

Maintenance release. Routine dependency updates and internal improvements to keep the Next.js SaaS starter template current and stable.

Fixed billing logic and documentation issues identified in phase 7 review. These corrections ensure accurate billing calculations and clearer setup guidance for new projects. **Changes:** - Billing phase 7 findings resolved - Documentation updates for clarity No breaking changes. Update at your convenience.

Resolved findings from phase 7 review cycle (#47). This release addresses quality and compliance issues identified during internal audit, improving the overall stability and readiness of the starter kit. Updates include bug fixes and refinements across the codebase to ensure the template meets production standards. No breaking changes — safe to update.

**Auth:** Fixed API key validation to reject invalid keys before attempting browser session fallback (#46). This prevents unintended session escalation in edge cases where malformed or expired API credentials were present. No breaking changes — existing integrations continue to work as expected.

**Fixed:** Pricing analytics and authentication boundaries are now properly aligned (#45). This resolves inconsistencies where analytics data visibility and pricing tier access controls were not synchronized. No migration required—update and deploy.

Documentation: cleaned up buyer-facing docs branding for consistency and clarity. No functional changes.

Magic links and upload downloads have been hardened to improve security posture and prevent potential attack vectors. **Changes:** - Enhanced magic link validation and expiration handling - Strengthened upload download verification and access controls - Improved token entropy and rate-limiting safeguards No breaking changes. Update recommended for all deployments handling authentication or file uploads.

Documentation: clarified production Docker Compose environment variable requirements for deployment. No code changes.

Applied phase 7 review fixes across the template. These updates address issues identified during QA review, improving overall stability and correctness of the Next.js SaaS starter. No breaking changes—update at your convenience.

Fixed console.log statement in DSAR script that was inadvertently logging to browser console during data subject access request processing. This cleanup ensures compliance tooling runs silently in production environments.

Fixed compliance scaffold surface propagation to ensure all compliance-related surfaces are properly initialized and available throughout the application lifecycle. This resolves cases where compliance scaffolding was not fully accessible in nested components or dynamic contexts. **What changed:** Compliance scaffold surfaces now propagate correctly through the component tree. **Who benefits:** Teams using the compliance scaffold feature in their SaaS implementations.

**Fixed:** Multipart uploads now require a valid `Content-Length` header. This prevents malformed upload requests from being processed and improves upload reliability. If you're using the built-in file upload components, no changes needed—they already send this header correctly.

Closed phase 4 inherited review gaps identified during QA. This release addresses technical debt and compliance issues discovered in the previous phase, improving overall stability and reliability of the starter template. No breaking changes. Update at your convenience.

Fixed smooth scroll behavior declaration for Next.js layouts. This ensures scroll-behavior: smooth CSS is properly applied across the template without conflicts or resets during navigation.

**Fixed:** Browser-based Server-Sent Events (SSE) streams now correctly handle refresh cookie propagation. Previously, cookie refresh logic could interfere with long-lived SSE connections; this release ensures cookies are properly maintained without disrupting the stream lifecycle. If you're using real-time event subscriptions in your SaaS application, this fix improves reliability and eliminates potential session timeout issues during active streaming.

Documentation: clarified default access controls for activity logging. No functional changes.

Dependency update: Next.js bumped to 16.2.6. This patch release includes upstream stability improvements and bug fixes. No action required — update at your convenience.

Fixed external review hardening propagation in the tl01 module. This ensures review state and validation rules are correctly applied across external review workflows, improving consistency and reducing edge-case failures in multi-reviewer scenarios.

**Layout:** Dashboard shell now renders full width, eliminating unnecessary side margins and improving space utilization on larger screens. This provides a cleaner, more spacious interface for dashboard content without requiring any configuration changes.

- fix(tl01): buyer-test cleanup for webhooks, email, and integrations (#34)

- fix(tl01): propagate base auth and API guardrails (#33)

- fix(tl01): align surfaces with feature matrix (#32)

- fix(tl01): label analytics date inputs (#30)

- fix(tl01): complete billing and audit matrix gaps (#28)

- fix(auth): propagate account deletion hardening

- fix(tl01): complete feature-matrix wiring and remove marketplace primitives (#24)

- fix(tl01): gate public docs page copy for buyer builds (#23)

- fix(tl01): clean final buyer-facing docs drift (#22)

- fix: align commerce surfaces with feature matrix (#21)

- fix(ui): replace hardcoded colour classes with semantic tokens

- fix(tl01): backport base accessibility and buyer cleanup

- feat(demo): add Template Empire live demo banner (#18)

- fix(package): slim buyer zip contents

- test: allow db-backed vitest hooks to complete

- fix(ui): use buyer brand placeholder in inherited chrome

- docs(install): clarify buyer auth setup

- docs(install): correct native postgres port example

- docs(install): align buyer verification steps

- fix(db): wait for demo postgres before migrations

- fix(landing): resolve TL01 annotation issues

- fix(dev): fail fast when demo database is unavailable

- fix(ui): preserve outline button contrast

- fix(e2e): use buyer compose flow

- fix(qg): remove TODO extension markers

- fix(deps): satisfy full dependency audit - fix(tl01): stabilise buyer release checks - fix(theme): centralise app visual tokens - fix(api): stabilise timing-safe response delay

- fix(email): escape CTA href attributes - feat: backport buildEmailHtml + breadcrumbs from TL00-BASE

- feat(activity): backport activity-timeline helper (Phase 3.7)

- feat(uploads): backport file-upload abstraction (Phase 3.6)

- feat(events): backport in-memory event bus + SSE primitive (Phase 3.5)

- feat(data-table): backport generic DataTable primitive (Phase 3.4)

- feat(commerce): backport Stripe Connect marketplace primitive shim (Phase 3.3)

- feat(commerce): backport commerce.mode + commerce.requireAccount flags

- ci: pass catalogue-canonical theme tokens to mech-review

- feat(config): backport SITE_CONFIG.auth + SITE_CONFIG.commerce flags

- fix: propagate TL00-BASE deep-review fixes to TL01

- Maintenance release

- Maintenance release

- fix(licence): commit licence.json placeholder so CI prebuild can run

- fix(package): exclude .npmrc from buyer ZIP

- fix(ci): mech-review now runs on GH Release ZIP regardless of Supabase upload

- fix(toolchain): pin packageManager: pnpm@10.33.0 + tighten engines.pnpm

- fix(ci): chain release → publish → mechanical-review in single workflow - chore(ci): inherit canonical workflows from TemplateEmpire/.github

v1.3.1 — backport user.login_failed + sweep from TL00-BASE v1.3.1 Verified 11/11 PASS by te-verify-fullstack v0.2.1. Backport from TL00-BASE v1.3.1 (commit 5926a75).