Blueprint compliance: 2FA, integration wizards, dynamic AEO, rollback
2026.04.26 · 26 Apr 2026Major security and operations refresh aligning autoreceptionist.ai with the Apps 365 generic blueprint.
### Added
- `/health` JSON endpoint for deploy gates and monitors
- Mandatory admin 2FA (TOTP, recovery codes)
- Session idle timeout middleware (configurable `SESSION_IDLE_MINUTES`)
- `security_events` table + admin viewer at `/admin/security-events`
- `audit_log_diff` with side-by-side before/after viewer
- Six new integration wizards: Vapi, Twilio, Google OAuth+Calendar, Gmail, Lead sources, Porting
- IntegrationHealth probes every external service
- Admin dashboard "Integrations" tile showing live status of every API
- Customer dashboard integration tiles (Phone, Calendar, Billing, Knowledge)
- `/changelog` public release notes page
- Admin Changelog & Rollback page with commit picker tied to GitHub
- `deploy_history` table records every deploy + rollback
- CSP report-uri sink at `/csp-report`
- Dynamic `/llms.txt` (admin-editable description)
- ULID helper for new primary keys
### Changed
- Replaced 49 one-off `deploy-*.ps1` scripts with `deploy-test.sh` + `deploy-live.sh`
- Deploy scripts now run `composer audit` and a smoke test before pushing
- CSP now sends violation reports to the database via `/csp-report`
### Removed
- Static `public/llms.txt` and `regen-llms.php` - replaced by dynamic controller
- Stale debug helpers (`debug-staging.php`, `set-admin-password.php`, etc.)
- `/health` JSON endpoint for deploy gates and monitors
- Mandatory admin 2FA (TOTP, recovery codes)
- Session idle timeout middleware (configurable `SESSION_IDLE_MINUTES`)
- `security_events` table + admin viewer at `/admin/security-events`
- `audit_log_diff` with side-by-side before/after viewer
- Six new integration wizards: Vapi, Twilio, Google OAuth+Calendar, Gmail, Lead sources, Porting
- IntegrationHealth probes every external service
- Admin dashboard "Integrations" tile showing live status of every API
- Customer dashboard integration tiles (Phone, Calendar, Billing, Knowledge)
- `/changelog` public release notes page
- Admin Changelog & Rollback page with commit picker tied to GitHub
- `deploy_history` table records every deploy + rollback
- CSP report-uri sink at `/csp-report`
- Dynamic `/llms.txt` (admin-editable description)
- ULID helper for new primary keys
### Changed
- Replaced 49 one-off `deploy-*.ps1` scripts with `deploy-test.sh` + `deploy-live.sh`
- Deploy scripts now run `composer audit` and a smoke test before pushing
- CSP now sends violation reports to the database via `/csp-report`
### Removed
- Static `public/llms.txt` and `regen-llms.php` - replaced by dynamic controller
- Stale debug helpers (`debug-staging.php`, `set-admin-password.php`, etc.)