This page records LinkSilo's release history in human-readable language: what was added, what changed, what was removed, and which decisions reshaped the privacy posture. Pre-launch, a single entry documents the development snapshot that will form the v1 release. Post-launch, each release appends a dated entry at the top.
Last reviewed 2026-05-17
This changelog covers product-facing changes — features users interact with, architectural decisions that change what LinkSilo stores or doesn't store, and removals that close known foot-guns. It is hand-curated per release, not generated from commit history. Each release follows the Keep-a-Changelog convention: Added, Changed, Removed, Security.
The codebase-level history lives in our open-source monorepo on GitHub. Every line of LinkSilo's server and client code is open source and every change is publicly readable. The changelog here is the product-facing summary; the commits are the authoritative record. When a change has security implications worth pinning, the entry below cross-references the security and transparency pages where the underlying posture is documented.
The first release of LinkSilo. Functionality scope is the v1 launch feature set per the launch plan; bug fixes and incremental refinements from the pre-launch hardening arc are folded into this entry rather than enumerated individually. Post-launch releases will track incremental changes against this baseline.
linksilo.io/p/<slug>. Connects to PostgreSQL under a SELECT-only role restricted to render-required columns; cannot read API keys, sessions, or admin tables.customer=None, no persistent Stripe Customer record) or opt-in auto-top-up via Stripe Checkout setup mode. The daily debit cron draws per-tier cost from the balance.Accept-Language across five enumerated cases, rather than from a frontend-supplied hint. When Geo-IP and Accept-Language disagree the allocation_code is flagged for redemption-step user confirmation.payment_method_id) instead of the previous list-then-detach two-call sequence. The change shrinks LinkSilo's Stripe-side observability footprint on every disable.Changed -> Billing model.setup_intent.succeeded webhook). If the user closes the tab mid-setup, no DB state is written; previously a partially-completed setup could leave the ledger marked enabled with no working payment method, leading to a downgrade the user did not see coming.allocation_code rather than a direct foreign key. A subpoena of the payment row alone does not produce the account it credited; both rows must be read together, and the bridging code is HMAC-hashed at rest.tracing! calls anywhere in the codebase. No recipient emails, no tokens, no key material, no payment-method identifiers. Audit logs use daily-rotated IP HMACs rather than IP addresses.