bugAgent Changelog

New features:
- Add visual regression detection: Claude Vision compares screenshots between runs
- Add Schedule button and modal to Exploratory AI page
- Add screenshot comparison overlay on Recon tab
- Add green logo glow during exploration runs
- Add exploration progress endpoint for real-time phase updates

Bug fixes:
- Fix domains page: filter by d.verified boolean, not d.status string
- Fix domains page: CSS variables, global styles, back button uses history
- Fix screenshot comparison: read nested before/after objects from API
- Fix exploration trends: API resilience + field name mapping
- Fix exploration detail page data parsing + clickable link on bug reports

Improvements:
- Shared domain verification across all features
- Improve DNS TXT verification: check all records, log lookups, strip quotes
- Update homepage and docs with latest Exploratory AI features
- Make script parsing resilient — 5 fallback strategies, never fails
- Default schedule timezone to user's browser timezone

New features:
- Add 'Autonomously.' in green to homepage tagline
- Add green glow animation to logo during code review analysis
- Add role grants to claude_connections migration
- Add claude_connections table migration and restore query

Bug fixes:
- Fix review analytics not loading
- Fix open PRs table overflowing past right frame edge
- Fix code review: handle missing migration columns + button layout
- Fix: Code Review button layout breaks during analyzing state

Improvements:
- Update homepage: advanced code review features + unlimited reviews in pricing
- Remove repo selector from Code Review — auto-detect from active project
- Make Integrations page accessible to all users
- Unlimited code reviews for paid plans, Developers access for all users, AI Assistant code review features
- Code Review Phase 3: PR security integration + review analytics dashboard

New features:
- Add automated error monitor workflow (GitHub Actions)
- Add System Status link to website footer
- Add Performance Trends link on analytics dashboard

Bug fixes:
- Fix MCP server build: add appium_js to createMobileAutomation type
- Fix: cannot add postgres_changes callbacks after subscribe()
- Fix: add explicit pricing to AI Assistant to prevent hallucinated prices
- Fix: 'team is not defined' error in AI chat system prompt

Improvements:
- Expose bug report status in MCP server API
- deps(mcp-server): bump @sentry/node from 10.46.0 to 10.47.0
- AI Assistant: user-scoped storage, plan-aware random prompts
- Improve automations empty state with onboarding steps

New features:
- Add individual feature nav links in docs sidebar
- Add Feature Guide link to docs sidebar navigation
- Add comprehensive Feature Guide to docs with AI Assistant examples
- Add web/mobile automation + performance testing to AI assistant

Bug fixes:
- Fix sitemap: remove www subdomain from site URL

Improvements:
- Rewrite autonomous agents section with comprehensive platform cycles
- Remove Stripe from integrations docs — internal billing detail
- Comprehensive feature docs: standalone sections + Feature Guide additions
- Update docs: collapsible sidebar, AI perf testing, device filtering
- Sidebar: move collapse button to Main header + hover-to-expand

New features:
- Add p99 to k6 output: include summaryTrendStats in script options

Bug fixes:
- Patch @astrojs/node 9.1.3 → 9.5.4: fix 4 moderate Dependabot alerts
- Fix website build: escape {id} in api-reference to prevent Astro eval
- Fix k6 load test data not showing: normalize camelCase/snake_case field names
- Fix k6 metrics: use local execution with cloud streaming
- Fix k6 script: use options.cloud (not deprecated ext.loadimpact), fix distribution format, use k6 cloud run

Improvements:
- Rename feature card: Performance & Load Testing
- Remove vendor names from homepage features: k6 and Lighthouse
- Route all auth flows to /dashboard/analytics instead of /dashboard
- Update docs and marketing for performance testing + dashboard rebrand
- Capitalize first name in dashboard welcome message

New features:
- Add competitor comparison pages: bugAgent vs Functionize & Mabl
- Add error telemetry: client capture, server capture, admin logs, Slack alerts

Bug fixes:
- Fix Dependabot alerts: path-to-regexp ReDoS + @astrojs/node memory DoS
- Fix admin logs access: check ADMIN_EMAILS like other admin pages
- Fix geo-snap filters to display on one line

Improvements:
- Revert @astrojs/node to v9.1.3 — v10 requires newer Astro
- Update homepage marketing: no-code automation, team scaling, 2FA icon
- Hide Send to Claude button when ANTHROPIC_API_KEY not configured
- Simplify saving state: remove AI conversion text
- Replace × with trash can icon on schedule calendar cards

Bug fixes:
- Fix npm audit vulnerabilities across all packages
- Fix downgrade Stripe cancellation — fetch full team data
- Fix Mobile+ not showing as active after purchase
- Fix Mobile+ activation — bypass portal for addons + success fallback
- Fix Mobile+ cancel when no Stripe subscription ID exists

Improvements:
- Major homepage overhaul — concise copy, QA Wolf-inspired polish
- Update all Stripe price IDs to new pricing
- Update Pro monthly Stripe price ID to new $49 pricing
- Update pricing: Pro $49/mo, Team $99/mo, annual saves 10%
- Allow downgrade to any lower plan with Stripe cancellation

Bug fixes:
- Fix modal flash — show placeholders until API data loads
- Fix admin modal activity counts — robust queries + hours tracking
- Fix admin modal: use active team, fresh last sign-in, update plan_limits
- Fix admin user stats, backfill storage, clean up pricing
- Fix nav/footer links to use absolute paths with anchors

Improvements:
- Smaller font + spacing in admin modal activity section
- Admin user modal: IP info, storage, activity counts
- Org-level storage tracking + updated plan limits
- Update all docs, API reference, MCP, and marketing for mobile

New features:
- Add beforeunload warning during mobile app upload
- Add comprehensive mobile testing documentation and MCP tools
- Add Mobile Testing feature: BrowserStack + Maestro Cloud
- Add test case metrics to analytics dashboard

Bug fixes:
- Fix mobile run URL: /api/mobile/runs not /runs/create
- Fix mobile automation create URL: /api/mobile/automations not /create
- Fix mobile detail pages: define:vars scope issue
- Fix signed URL upload: use correct Supabase upload/sign endpoint
- Fix mobile app upload: signed URL flow for large files

Improvements:
- Migrate Sentry to new config pattern (fixes deprecation warning)
- deps(mcp-server): bump @modelcontextprotocol/sdk in /mcp-server
- deps(mcp-server): bump @supabase/supabase-js in /mcp-server

New features:
- Add Test Cases docs, MCP tools, reports tab, homepage marketing
- Add complete Test Cases feature: cases, suites, runs, execution
- Add draft/active toggle to automation detail page
- Add green glow sparkle to Regenerate button while optimizing
- Add download buttons for run history video and screenshots

Bug fixes:
- Fix time tracking: use window.__bugagentActiveProjectId as fallback
- Fix time tracking: always use active project, don't reset on clear
- Fix time tracking: remove project filters, add admin check
- Fix Regenerate Script to use optimize endpoint with version history
- Fix TS type annotation in inline script + update docs

Improvements:
- Show creator name on automation listing and detail pages
- Duplicate automation includes recorded_actions, description, selectors_strategy
- Change Improve with AI to subtle link style with chevron arrow
- Regenerate button: white text + green glow wave effect
- Force download for video/screenshots + spacing

The automation coverage mind map on the dashboard now uses D3.js for a force-directed layout. Nodes automatically spread apart to avoid overlap, with stronger repulsion for more scripts. Features include: drag-and-drop node repositioning, zoom and pan, curved link paths, hover highlighting of connected links, pulse animation on failing tests, auto-fit zoom to fill the 700px container, and click-to-navigate to automation details. Color-coded groups with 8 distinct colors make it easy to identify test areas at a glance.

The runner now auto-fixes getByLabel("Password") to locator("input[type=password]") and adds waitForLoadState after bare goto() calls. After a run completes, the script shows green/red line highlighting for passed/failed lines. The Run Now button glows neon green with increasing brightness the longer the run takes. Run history updates inline without page refresh.

When on a bug report detail page, the AI sees the report title, description, status, and severity. On an automation detail page, it reads the full Playwright script (up to 3KB). On a note page, it reads the title and content. When you say "this report", "improve this script", or "explain this note", the AI understands what "this" refers to. Also includes Playwright expert persona that activates when discussing automation topics.

The POST /api/automations/:id/optimize endpoint sends scripts to Claude Sonnet 4 with a comprehensive optimization checklist covering: selector reliability, wait strategies, assertions, error handling, authentication patterns, mobile compatibility, timing, cleanup, strict mode, network handling, and result verification. The optimized script is saved automatically with version history.

Every script change — manual edits, AI optimization, or regeneration — is saved to a version history. The undo button on the automation detail page reverts to the previous version instantly. A version badge (v1, v2, etc.) shows the current version number. Available via API (POST /automations/:id/undo) and MCP (undo_automation_script tool).

The Duplicate button on the automation detail page creates a new automation named "[Copy] Original Name" with the same script, target URL, and project. The copy starts in draft status with no version history. Device selector moved inline below the title, project dropdown removed (uses sidebar project).

Added bugAgent Skills section to homepage showcasing GitHub (repo sync), Claude (root cause analysis), and Jira (bi-directional sync) with SVG logos. "Build Your Own Skill" card with submission modal sends to support@bugagent.com. Migration section offers free export from existing platforms and dedicated QA team support. All documented in docs, API reference, and MCP pages.

Homepage hero changed to "The QA Layer Your AI Stack Is Missing" with secondary messaging "Your Agents Write Code. We Make Sure It Works." Added Context Engine section explaining how every QA action is fed by deep context. Updated quality score messaging to emphasize measuring testing quality, not just bug severity. Added "Why bugAgent? Our Philosophy" to documentation with context-aware intelligence and continuous improvement loop sections.

Repository moved from hamiltonmascioli/bugAgent to TestLauncher/bugAgent. Set up local dev with Supabase CLI (Docker), Google OAuth for localhost, environment-aware configuration (.env.local/.env.example), develop branch workflow, and convenience scripts (npm run dev starts both dashboard:4321 and website:4322). Created bugAgent Test Team in GitHub for QA access. Updated all hardcoded URLs, DNS CNAME, and GitHub Pages.

Documented the Quality Score feature across the website: added a new feature card to the homepage describing the 1-10 rating system using Rapid Software Testing heuristics across 10 dimensions (reproduction steps, expected vs actual, environment details, evidence, root cause analysis, impact assessment, context and history, heuristics and oracles, clarity and structure, actionability). Updated the docs capabilities section with Quality Score details. Added quality_score (integer 1-10) and quality_breakdown (object with 10 dimension scores 0.0-1.0) to the API reference GET /reports/:id response fields and example. Updated MCP docs with qualityScore and qualityBreakdown fields on get_bug_report.

## Team Booster

Provision pre-configured tester accounts on demand via the new **Team Booster** feature.

### What's new

- **MCP tool**: `scale_team` — specify team size (1-10), location, duration, technical levels, and budget to provision tester accounts instantly
- **REST API**: `POST /team-booster` — programmatic access with Bearer token auth (Pro and Team plans only)
- **Homepage**: Team Booster feature card added to the features grid
- **API Reference**: Full endpoint documentation with request/response examples
- **MCP Docs**: Tool documentation with example workflow
- **Docs**: Team Booster added to capabilities list and solution grid

### How it works

1. Specify team size, location, duration, technical level, and budget
2. Tester accounts are provisioned in seconds
3. New testers appear in your Team Management page with full platform access
4. You will not be charged until approval has been given

Available on **Pro** and **Team** plans.

Added push_to_claude MCP tool and POST /claude/push API endpoint for programmatic Claude analysis of bug reports. AI agents and API consumers can now trigger root cause analysis, read results via get_bug_report (claude_analysis and claude_pushed_at fields), and close the loop with automated fixes and re-verification. Updated the Self-Healing Development feature and documentation to describe bugAgent as a full-circle autopilot healing engine: Record > Diagnose > Automate > Heal, with humans in the loop at every stage.

Connect your Anthropic API key in Settings → Integrations to push bug reports to Claude for root cause analysis and fix suggestions. Choose from Claude Sonnet 4, Opus 4, or Haiku 3.5. Configure per-project auto-push and custom instructions. From any bug detail page, click Send to Claude or Re-analyze for on-demand analysis. Combined with Playwright automation, bugAgent now creates a self-healing cycle: detect → analyze → fix → verify. Pro and Team plans only.

Bug reports and notes now include built-in timers that track testing time down to the exact second. Start, stop, and resume anytime. Click the time display to manually adjust. The timer appears on both the bug report creation form and detail page, as well as on notes. When converting a note to a bug report, tracked time transfers automatically. Perfect for tracking QA effort and billing testing hours.

The AI Assistant goes far beyond report creation. You can now create and update bug reports, change status, severity, and type, add comments, create testing notes in multiple formats (Markdown, Plain Text, Bug Template, Checklist, Outline), list and search reports, notes, automations, and schedules, and send feedback — all through natural conversation. Use voice input powered by Whisper transcription, attach files, and let the AI analyze session replays to auto-draft reports. Start a new chat anytime with the New Chat button. Available in both the dashboard and the in-app FAB popup (no login required for FAB). Updated homepage and documentation marketing copy to reflect the full command center capabilities.

Visualize and manage bug reports with a drag-and-drop Kanban board. Eight status columns (New, Awaiting Triage, Confirmed, In Progress, Resolved, Retesting, Closed, Reopened) let you move cards between stages instantly. Status changes sync bi-directionally to Jira in real time. Each card displays severity, type, description preview, and timestamps. Toggle between list and kanban views with a persistent preference. New batch sync endpoint (POST /api/jira/batch-sync-status) supports syncing multiple reports at once.

## Notes Feature Documentation

Updated the bugAgent website to document the new Notes feature across all relevant pages:

- **Homepage Features section** — Added Notes card highlighting 5 formats, voice-to-text dictation, time tracking timer, file attachments, private/shared visibility, auto-save, and keyword search with filters.

- **Documentation page** — Added Notes to the "What is bugAgent?" capabilities list, describing all key features and noting availability on all plans.

- **API Reference** — Documented 6 Notes API endpoints: GET /notes (list with search/filters), POST /notes (create), GET /notes/:id (detail), PATCH /notes/:id (update), DELETE /notes/:id (delete), POST /notes/upload (file attachments up to 10 MB).

- **MCP page** — Added Notes tools section with 5 MCP tools (list_notes, create_note, get_note, update_note, delete_note) and an example workflow.

Notes is available on all plans (Free, Pro, Team).

Quality score badge on bug detail pages (circular badge with hover tooltip showing breakdown dimensions), colored pill column in reports listing table, Q:score badge on kanban cards, and qualityScore/qualityBreakdown fields added to MCP BugReport type.

Added a new Analytics Dashboard feature card to the homepage with detailed description of all 12+ chart types (Bug Reports Over Time, Quality Score Trend, Severity/Status/Type distributions, Top Bug Reporters leaderboard, Automation Health, Time Tracking, Notes Created sparkline, Resolution Time) and a mini SVG chart preview. Added comprehensive Analytics documentation section to the docs page covering the Quality Testing Health Score formula (Quality 25%, Resolution 25%, Automation 25%, Low Severity 25%), all 12 chart sections with descriptions, filtering controls (7/14/30/90 days + project), crown icon for best-performing area, and API/MCP access details. Updated existing analytics references in docs to link to the new section.

New MCP tools: list_time_entries, create_time_entry, update_time_entry, delete_time_entry. New REST API endpoints: GET/POST/PATCH/DELETE /time-entries. Analytics dashboard now includes Hours by Day bar chart and Hours by Category horizontal bar chart. Time Tracking feature card added to homepage. Documentation updated across API reference, MCP docs, and main docs pages.

New Time Tracking page available under the dashboard for Team plan users. Features include a daily summary bar with 8-hour progress tracking, collapsible add-entry form with tester and developer category groups (Manual Testing, Exploratory Testing, Bug Reporting, Code Review, Development, Debugging, etc.), filterable card grid with search, project, category, member, and date range filters, inline card editing, delete confirmation dialog, localStorage-persisted filter state, and pagination for large entry sets.

Added Analytics page with key stats cards, stacked bar chart for reports over time, SVG line chart for quality trends, donut charts for severity and status, horizontal bar chart for bug types, leaderboard table, automation health bars, sparklines for notes and time spent, resolution time metric, and circular product health gauge. Pure CSS/SVG charts with time range selector and project filter. Gated to Pro/Team plans.

Notes gives testers a dedicated space to write and organize their thoughts during testing. Create notes in Markdown, Plain Text, Rich Text, Checklist, or Outline format. Notes auto-save as you type. Mark notes as Private (only you) or Shared (anyone on your team and project can read). Filter by project, author, or date range. Full-width editor with word count, Cmd+S shortcut, and auto-title from content.

Added Automation Coverage Map as a listed feature for Pro and Team pricing tiers. Updated Features, docs, session-replay, and API reference pages with coverage map information.

The Automation Coverage mind map on the dashboard is now only shown for Pro, Team, and Enterprise plans with at least one active automation. Free plan users no longer see the section.

Updated sidebar navigation, page titles, and all references from "Schedules" to "Scheduled" across the dashboard for consistency. URL paths remain unchanged.

The dashboard home page now features an interactive SVG mind map that visualizes your automation test coverage. Claude AI analyzes your Playwright scripts to extract pages, features, and assertions, grouping them into a hierarchical map. Tests are color-coded: green (passing), red (failing), gray (untested). Click any test node to jump to its automation detail page. Failing tests show a pulse indicator. Results are cached and only re-analyzed when automations change.

Full Slack OAuth integration for teams on Pro and Team plans. Connect your Slack workspace from Settings, then configure per-schedule failure notifications: choose None, Email, Slack (with channel picker), or both. When a scheduled automation fails, a bug report is auto-created AND notifications are sent to your configured channels. The automation detail page now has a Schedule button with an inline form for time, days, timezone, and notification preferences. The Schedules dashboard shows notification icons next to each schedule.

Added GitHub as an active integration on the homepage with its own card. Updated the Playwright Automation feature and Delegate Testing sections to mention GitHub script sync. Created full GitHub Integration API documentation with five new endpoints (connect, repos, mapping, status, disconnect). Added GitHub FAQ to docs page and updated SDK docs with sync details.

Added a sync icon button on the bug report detail page next to the existing AUTO SYNC badge. Clicking it triggers an immediate force sync: pushes the current title and description to Jira, pushes any local comments not yet synced, and pulls any Jira comments not yet in bugAgent. The button shows a spinning animation during sync and displays a toast summarizing what was synced (e.g. "Description synced, 2 comment(s) pushed to Jira, 1 comment(s) pulled from Jira"). New API endpoint: POST /api/jira/force-sync.

When a WCAG audit is run before sending a session to the AI, the results are stored alongside the session data and displayed in a new collapsible "WCAG Accessibility Audit" section within the SRT area on the report detail page. Each violation shows an impact badge (critical/serious/moderate/minor with color coding), the axe-core rule ID, WCAG criteria tags, a description of the issue, the CSS selector of the affected element, an HTML snippet of the offending markup, and a link to Deque's remediation documentation. The homepage Features grid now includes a dedicated WCAG Accessibility Audit card, and the SRT documentation page has a full WCAG Audit section covering how it works, what rules are checked, and the report output format.

Full GitHub OAuth integration that syncs automation scripts bidirectionally with mapped GitHub repos. When you record an automation, the generated Playwright script is pushed to tests/bugagent/ in the mapped repo. Editing the script in bugAgent updates the file in GitHub. Deleting an automation removes the file. Project-to-repo mapping is configured in Settings → Integrations. SHA conflict recovery handles cases where files are edited directly on GitHub.

Full-stack automation feature: (1) FAB Automate button records clicks, inputs, navigation, and form interactions with enriched selectors (role, testid, aria-label, text, CSS). (2) Claude AI generates reliable Playwright test scripts using semantic selectors and automatic assertions. (3) Separate runner service executes scripts in headless Chromium, captures video and screenshots, uploads artifacts to storage. (4) Dashboard Automations page lists all automations with run history, script viewer/editor, and CI/CD integration section with curl and GitHub Actions examples. (5) Schedules page manages recurring cron-based runs with timezone support. (6) Public CI/CD API at /api/v1/automations/run for pipeline integration with webhook callbacks. New database tables: automations, automation_runs, automation_schedules with full RLS. Timezone setting added to user profile.

The AI Assistant now proactively uses all data captured by the FAB SDK to auto-draft comprehensive bug reports: console errors with stack traces, failed network requests with status codes, user click sequences, form field interactions, WCAG accessibility audit findings (grouped by severity), annotated screenshots, screen recordings, DOM mutations, and performance metrics (FCP, LCP, CLS, TTFB). When session replay data is present, the AI immediately presents a ready-to-confirm draft rather than asking step-by-step questions. On the dashboard (without session data), the AI correctly avoids analyzing the current page and instead guides the user through report creation, using any uploaded media as context.

All Jira sync paths now convert markdown descriptions into proper Atlassian Document Format (ADF) nodes. Headings (## Summary, ## Steps to Reproduce), ordered lists, unordered lists, bold, italic, and inline code are rendered correctly in Jira's editor — no more lost formatting when editing. A new shared markdownToAdf() utility is used by sync.ts, force-sync.ts, merge.ts, push-field.ts, and create-report.ts. API reference updated with the new POST /jira/force-sync endpoint and complete behavior documentation for severity last-updated-wins, bi-directional comments, and media sync with filename deduplication.

Both auto-sync (polling) and manual force sync now compare report.updated_at vs Jira fields.updated to determine which platform was modified most recently — the latest change wins and the other side is updated automatically. Media attachments are now synced bi-directionally: local images/videos are pushed to Jira as issue attachments, and Jira attachments are pulled into bugAgent storage. Deduplication checks both jira_attachment_id and filename (case-insensitive) to prevent any duplicates across sync cycles.

Added three major new data capture and display features to Session Replay. Stack Trace / Console Log captures all console output (log, info, warn, error, exceptions) with full stack traces — the last 50 entries are shown in a searchable, scrollable section. Network Waterfall shows failed (4xx/5xx) and slow (>1s) API requests with method, URL, status code, and duration — also searchable. Performance Metrics auto-captures page load time, first contentful paint, DOM ready, FPS, memory usage, DOM node count, and long tasks. The SDK now intercepts console.log and console.info in addition to warn/error, runs a lightweight FPS tracking loop, and collects performance data at submit time.

The recorder popup was opening at 320x72 which was too small for Chrome to render its getDisplayMedia permission dialog (share screen confirmation). Now opens at 420x550 so the full permission prompt with cancel/share buttons is visible. Once the user approves and recording begins, the popup auto-resizes to a compact 320x80 recording bar with timer and stop button.

Removed the Screen Recording video player and DOM Replay badge from the Session Replay section since they were duplicated in Attachments. Video attachments now render as full-width playable players instead of cropped 140px thumbnails. DOM replay info cards also span full width. This is cleaner and ensures attachments are properly included when reports are pushed to Jira.

Moved the screen recording logic from inline MediaRecorder to a dedicated popup window. The popup handles getDisplayMedia, MediaRecorder, timer, and 60-second auto-stop independently of the main page. Communication between the popup and main page uses BroadcastChannel for real-time status and IndexedDB for blob persistence. When you choose Full Desktop, Chrome shows monitor options; when you choose Browser Window, Chrome shows window options — using the displaySurface constraint to guide the picker.

The two-phase video upload (session capture then separate FormData upload) was silently failing for all users — zero video files were ever stored. Replaced with inline base64 upload in the same JSON payload as session data, matching the pattern used for screenshots. Also improved the report detail page to ensure session screenshots and videos always appear in the attachments section even if not in the report media array. DOM replay mutation count card is now properly styled and rendered.

Added a source picker modal to the SDK screen recording flow. Users now see two options — Full Desktop (captures everything on screen) and Browser Window (captures the entire browser window). This replaces the previous tab-based capture which would stop recording whenever the page refreshed or navigated. The picker features a styled modal with icons, descriptions, and a cancel option, followed by the existing 3-second countdown before recording begins.

Fixed critical CORS preflight issue preventing video uploads by adding separate OPTIONS exports on capture endpoints. Added IndexedDB persistence for video blobs to survive page navigation. Added DOM replay info card with mutation count in bug report attachments. Improved video upload error logging and screen recording tab selection.

Each bug report now displays an Impact Score ring that combines three data-driven factors: severity weight (0-40 based on S1-S4), frequency (0-30 based on similar reports in the same project over 30 days), and affected users (0-30 based on distinct reporters). The score uses logarithmic scaling for frequency and user count. Hover the score to see the full breakdown. Helps teams prioritize based on data instead of gut feel.

Enhanced the Session Replay SDK to intercept console.error() and console.warn() calls (in addition to uncaught exceptions and unhandled rejections), each tagged with a severity level. Also added a rolling 60-second URL navigation history that tracks every page the user visited in chronological order. Both are included in the session payload, stored in the database, and fed to the AI analysis for richer bug report context.

The All Users admin page now supports: inline plan switching (Free/Pro/Team/Enterprise) per user that updates their team plan and limits, a toggle switch to grant or revoke platform admin access, live admin count in stats bar, and toast notifications for all actions. Added is_admin column to profiles with database migration.

New comprehensive Session Replay documentation page covering: SDK installation, configuration options, event types captured, AI analysis workflow, CoTester integration, privacy and security details, API endpoints, and plan comparison. Also added a Docs link to the website header navigation, a Session Replay card to the docs Get Started and Developer Resources sections, a cross-reference callout in the API reference, and linked the feature list entry.

New Session Replay feature: Add bugagent-sdk.js to your site, and when users click Report Bug, the last 60 seconds of their browser session is captured and sent to CoTester AI. The AI analyzes clicks, navigation paths, console errors, and failed network requests to automatically draft a structured bug report. Developers can view the event timeline, errors, and AI analysis directly on the report detail page. New API endpoints: POST /api/sessions/capture, GET /api/sessions, GET /api/sessions/:id, PATCH /api/sessions. Database migration adds session_replays table with RLS policies. Updated pricing, features, docs, API reference, and MCP pages.

Resolved an esbuild compilation error in the API reference page where raw JSON objects inside HTML code tags were being parsed as Astro template expressions. The fix uses the set:text directive to properly escape inline JSON examples. All homepage updates (CoTester context-awareness, pricing, docs) are now live.

Added a new Admin CoTester Knowledge page with four sections: Master Testing Prompt for core AI instructions, Testing Keywords for domain-specific terminology, Reference URLs for testing frameworks and methodologies, and Knowledge Document uploads for testing guides and best practices. All global knowledge is injected into every CoTester AI session across all organizations, making CoTester a true testing expert that can teach testing concepts and help with complex testing problems.

The homepage Features section, Platform Pillars, documentation page, API reference, and MCP page now describe the CoTester AI Assistant as context-aware — reflecting its ability to use custom organization instructions, uploaded knowledge documents (product specs, testing playbooks), voice-to-text input, and full org data awareness in every session.

The CoTester AI Instructions section in Settings now includes a Knowledge Documents area. Upload product specs, testing playbooks, API documentation, or onboarding guides — the AI will reference them automatically in every conversation. Supports PDF (with text extraction), Markdown, TXT, CSV, JSON, YAML, and HTML files. Includes drag-and-drop upload, character usage meter (200K limit), and document management with delete. Up to 20 documents, 10MB each.

The root cause was that targetEl.click() on an anchor link would navigate the browser immediately, killing JS execution before the remaining rewind state could be saved. The fix adds two layers: (1) pre-click detection checks if the target is inside an <a href> or is a form submit button — if so, the full rewind state is saved to sessionStorage before the click executes; (2) a beforeunload safety net listener saves progress if the page unloads unexpectedly during rewind, covering edge cases like JS-driven window.location navigations. On the new page, the SDK picks up the saved state and resumes with the full progress bar intact.

DOM Replay in attachments now shows an interactive mutation timeline with color-coded entries (DOM/ATTR/TEXT), searchable filter, and collapsible panel. Removed redundant in-browser recording indicator — timer and stop button now handled entirely by the popup recorder window. Updated homepage with 10x tester velocity messaging, Delegate/Heal coming soon sections, and footer trademark.

All three feature sections (Stack Trace / Console Log, Network Waterfall, Performance Metrics) are now always visible in the Session Replay card on bug reports, even when no data was captured. Each section displays an empty state message when data is unavailable, and includes a feature icon in the toggle header for better visual identification.

The DOM Replay mutation timeline with searchable, color-coded mutation entries has been moved from the Attachments section into the Session Replay card. It now uses the same collapsible toggle pattern as the other session replay features, and is always visible with an empty state when no mutations were captured.

A Reset button has been added next to the "Send Session to AI" button in the SDK popup. Clicking it clears all captured data: video recordings, event buffer, console logs, network requests, URL history, DOM mutations, performance metrics, sessionStorage buffers, and IndexedDB video blobs. Any active recording is also stopped. This lets testers discard a bad capture and redo their workflow cleanly.

The webm video data URL contains commas in its MIME type (e.g. video/webm;codecs=vp8,opus) which caused the base64 split to grab the wrong segment. All previously uploaded videos were only 7 bytes and showed zero duration. The fix now correctly locates the ";base64," marker to extract the actual video payload.

Hover over the bug FAB to reveal the new pen icon. Click it to enter annotation mode with a full toolbar: 7-color palette, circle/arrow/freehand drawing tools, undo, done/cancel. Annotations are composited over a base screenshot and sent as the screenshot in the bug report, replacing the auto-captured one. Reset clears any saved markup.

New reports appear with a slide-in toast notification and highlighted row animation. Uses polling fallback for reliability alongside Supabase Realtime subscriptions.

Applied a WebM duration metadata fix on the report page (seek-to-end workaround for Chrome MediaRecorder bug). SDK now passes actual recording duration to the capture API instead of hardcoded 60s.

Added console.debug (purple badge), console.trace (gray badge with stack), and console.assert capture. Report page now displays up to 100 console entries and shows all network requests including successful ones for complete visibility.

The yes/no detection is stricter — questions with "or" options, information-seeking questions (what, which, how), and multi-part questions no longer show yes/no buttons. Instead, a Submit button appears to expedite sending your typed reply. Bug reports generated by the AI no longer include bugAgent SDK tool steps (recording, annotation, FAB) in the description or repro steps. The session replay FAB is now hidden when the AI chat panel is open.

The SRT documentation page now includes full coverage of the Rewind feature: a highlight card in the overview, a capture item in the tools listing, and a dedicated section with step-by-step usage guide, supported actions (clicks, text input, checkboxes, selects, scroll, navigation), controls (ESC key, Stop button), and a callout explaining the CSS selector-based element targeting strategy.

The homepage Features grid now includes a dedicated Rewind card describing the real-time action replay capability. The SRT feature card description was updated to mention Rewind. The Enrich pillar in Platform Pillars now lists Rewind as a feature bullet.

Previously, when Rewind replayed a navigation action that loaded a new page, the progress bar would reset and only show the remaining steps — losing visual continuity. Now the full rewind state (all actions, total step count, completed/skipped step statuses, and current index) is serialized to sessionStorage before navigation and restored on the new page. The progress bar shows all original steps with previously completed ones already marked as done, and the step counter updates live (e.g. "step 3/5").

Added a trash icon that appears on hover next to each bug report title on the reports list page. Clicking it shows a confirmation dialog. On confirm, the report is deleted via a new DELETE /api/reports/:id endpoint and the row fades out. The DELETE endpoint is scoped to the user's team to prevent unauthorized deletions.

Added a voice input button next to the file attachment button in the bug report composer. Click the mic to start recording — audio is transcribed in 30-second chunks via the /api/ai/transcribe endpoint. A live transcript review panel appears with a timer, recording status, and editable transcript text. Users can review and edit the transcription before inserting it into the bug report textarea. Includes discard/accept workflow, recording dot animation, and pulse effect matching the AI Assistant voice input pattern.

A new "Template" toggle in the bug report composer toolbar prefills the textarea with a structured Jira-style bug template including: Summary, Steps to Reproduce, Expected Result, Actual Result, Environment, and Additional Notes. The setting is saved to localStorage and persists across sessions. When using Rapid Entry mode, the template automatically re-fills after each submission. Toggling off clears the template if it hasn't been modified.

Replaced the custom inline WCAG checker with axe-core v4.10.2 (by Deque), the same engine used by Google Lighthouse and Chrome DevTools. axe-core is lazy-loaded from CDN on first click so there's no impact on initial SDK bundle size. It covers 80+ WCAG 2.0/2.1 Level A and AA rules with zero false positives, including comprehensive checks for color contrast, ARIA validation, focus management, form labels, heading structure, link purpose, image alt text, and much more. Results now include impact severity levels (critical, serious, moderate, minor), WCAG criterion tags, element CSS selectors, offending HTML snippets, and links to remediation documentation. The overlay shows a richer summary with violation count, affected elements, rules passed, and impact breakdown.

A new "CoTester AI Instructions" section in Settings allows admins to define: product description, testing guidelines, documentation links, known issues, custom terminology, and general instructions. These are automatically injected into every CoTester AI session so the assistant always has context about your product and team practices. Each field supports up to 5000 characters and is sanitized before injection into the system prompt.

The voice-to-text feature now uses MediaRecorder with chunked Whisper transcription instead of the browser Web Speech API. Audio is recorded continuously and sent in 30-second chunks to OpenAI Whisper for accurate transcription. Text appears progressively in a review panel where users can edit before accepting. Includes a timer display, discard/use controls, and a new /api/ai/transcribe backend endpoint with full authentication and validation.

The CoTester AI Assistant now supports voice-to-text input. Click the microphone button next to the attach button to start dictating — real-time transcription streams directly into the text field. A pulsing red indicator shows when recording is active. Works on Chrome, Edge, and Safari. The button is gracefully hidden on unsupported browsers.

CoTester AI Assistant is now listed as a feature in all four pricing plans (Free, Pro, Team, Enterprise) on both the website pricing section and dashboard billing settings. Enterprise tier highlights a dedicated CoTester AI Assistant experience.

Added CoTester AI Assistant to the Enrich pillar on the homepage, highlighting guided bug creation as a key platform capability alongside existing features like Jira sync and email reporting.

Updated MCP server OAuth fallback URL, dashboard integrations setup guide, and README to use mcp.bugagent.com instead of the Railway deployment URL. This prepares for the custom domain DNS configuration on Railway.

Configured Sentry MCP server for querying issues and alerts directly from Claude Code. Set up Sentry uptime monitors for the bugAgent dashboard (5-minute checks) and marketing site (10-minute checks). Removed .mcp.json from git tracking and added to .gitignore to protect sensitive credentials including Stripe, Supabase, and Sentry tokens. Dependabot already configured for daily dependency scans at 6 AM ET across website, dashboard, MCP server, and GitHub Actions ecosystems.

Updated Astro site config, CNAME, robots.txt, JSON-LD structured data, RSS feed links, OG image, and legal pages to use www.bugagent.com instead of bare bugagent.com. This eliminates the redirect flagged by Google Search Console and ensures consistent canonical URLs for SEO.

The built-in AI assistant is now called CoTester AI Assistant. Updated across the dashboard chat panel, header tooltip, system prompt, homepage features section, API reference docs, general docs, and MCP documentation. CoTester helps teams create detailed bug reports through guided conversation, answer questions about bug data, and suggest testing strategies.

The project section in Settings now includes a Set as default project checkbox alongside the rename field. When toggled, the previous default is unset and the active project becomes the default. New bug reports are automatically assigned to the default project.

The project selector has been reorganized: a new sidebar project switcher (below the org dropdown) lets users quickly switch between projects or create new ones via a modal. The bug reports page filter bar now includes a project dropdown alongside type, severity, status, and resolution filters. The settings page has a new Project section for renaming the active project. New users automatically get a Default project created with their account.

The MCP SDK auth router uses express-rate-limit in sub-routers that do not inherit the parent Express app trust proxy setting. Behind Railway reverse proxy, this threw ERR_ERL_UNEXPECTED_X_FORWARDED_FOR and crashed the server. Disabled SDK built-in rate limiting since bugAgent applies its own rate limiting at the application level.

The Jira check endpoint now compares descriptions between bugAgent and Jira. When a description change is detected, the top-of-page sync banner appears. The merge flow handles description updates in both directions, converting between plain text and Jira ADF format.

When pushing a bug report to Jira for the first time, users now see a dropdown of all available Jira projects instead of typing a project key manually. The dropdown pre-selects the default project if one was previously saved. New API endpoint: GET /api/jira/projects.

Two fixes in this release:\n\n**Admin Plan Switcher Bug Fix**\n- Root cause: service role key was only checked via process.env which is empty in Astro SSR runtime. Now also checks import.meta.env as fallback.\n- The endpoint was falling back to the user's Supabase client which couldn't update the teams table due to RLS policies, causing silent failure.\n- Now uses locals.team?.id directly instead of a redundant DB query.\n- Returns proper error if service role key is not configured.\n\n**Uplifting Organization Names**\n- All existing teams renamed from "X's Team" pattern to unique uplifting names (e.g., "Noble Wellspring Hub", "Breeze Harbor Works")\n- New accounts auto-generate uplifting names via the handle_new_user() DB trigger\n- Auth callback safety-net also generates uplifting names using the shared org-names utility\n- Organization name field in settings validates non-blank and shows error if empty\n- Unique constraint (teams_name_unique) prevents duplicate org names in the database\n- Uniqueness check with friendly error message before saving\n- DB function generate_org_name() uses 50 adjectives x 50 nouns x 10 suffixes (25,000 combinations) with collision retry loop

Major feature additions:\n\n**Multi-Organization Support**\n- Users can belong to multiple organizations with different roles in each\n- Sidebar org switcher dropdown appears when user is in 2+ orgs\n- Shows org name, role, and plan for each org\n- Active team tracked via cookie and profiles.active_team_id column\n- Middleware loads all memberships and resolves active team (cookie > profile > first)\n- New /api/switch-team endpoint validates membership and switches context\n- Invite acceptance automatically sets the new org as active\n- Migration 013 applied: adds active_team_id to profiles with indexes\n\n**Organization Settings**\n- New "Organization" section in account settings\n- Manager, admin, and owner roles can rename the organization\n- Contributors see read-only organization info\n\n**Billing Downgrade Restrictions**\n- Free plan: cannot be downgraded to from any paid plan\n- Pro plan: can only upgrade to Team, no downgrade path\n- Team plan: can downgrade to Pro with confirmation modal\n- Downgrade modal shows warnings if >3 active members (excess will be deactivated) or if storage exceeds 1GB Pro limit\n- Requires typing DOWNGRADE to confirm\n\n**Invite Improvements**\n- Client-side check prevents inviting existing org members\n- Shows info message: user is already in the organization\n- Users in other orgs can still be invited (multi-org supported)

Security fixes found during automated audit:\n\n- **Critical**: team_members INSERT policy required role='member' which was removed in migration 011. Users could not accept invitations through the normal auth path. Fixed to allow all valid roles.\n- **Critical**: team_members UPDATE/DELETE policies only allowed team owner. Managers could not manage members despite UI showing controls. Extended to include admin and manager roles.\n- **High**: change_role action had no server-side allowlist validation. Added strict allowlist (contributor, manager, admin) and blocked self-role-change.\n- **Medium**: Invite acceptance did not verify that the logged-in user email matched the invitation email. An authenticated user with a different email could join any team via a shared invite link. Added email match verification.\n- **Fix**: team_invitations management policy now includes manager role.\n- **Fix**: team_members SELECT policy now allows all team members to see each other (was previously self-only).

Built comprehensive team management for the dashboard:\n\n- **New roles**: owner, manager, contributor (DB migration 011 applied)\n- **Role-based sidebar**: contributors see limited navigation (no billing, team, integrations)\n- **Middleware protection**: contributors blocked from restricted routes\n- **Team page rewrite**: invite with role selection (owner/manager/contributor), role change dropdown, member status management (activate/deactivate), resend invites with fresh 5-day expiry, owner transfer with confirmation\n- **Settings restrictions**: danger zone sections (delete project, flush reports, delete account) hidden based on role\n- **Invite flow**: new users create password + full name directly from invite link; existing users redirected to login\n- **Send-invite edge function**: supports manager role for inviting, improved welcome email with inviter name and role descriptions, 5-day expiry\n- **Security**: pre-commit scan passed, managers cannot escalate to owner/admin, contributors cannot access restricted pages

New comments posted in bugAgent on Jira-synced reports are automatically pushed to the Jira issue. When checking for Jira updates, new Jira comments are detected and can be imported during the merge flow. Comments from Jira appear with a "[Jira — Author]" prefix. Duplicate prevention ensures comments are never imported twice. Reactions and edits are not synced between systems.

When viewing a bug report synced to Jira, bugAgent now checks if the Jira issue has been modified. If changes are detected, an amber banner prompts you to review. A merge dialog shows field-by-field comparison (title, severity, status, type) so you can choose which value to keep. After confirming, both systems are updated to match. Comments are never synced. After editing a synced report locally, a Sync to Jira button appears to push your changes.

Jira integrations are now shared across all team members. Any member can sync bugs to Jira using the team connection. Only managers and owners can connect, configure, or disconnect. If the person who set up the integration leaves or is removed, the connection persists for all remaining and future team members.

Integrated Sentry error tracking with separate projects for dashboard (javascript-astro) and MCP server (node-express). Configured nightly security scan at 3am via scheduled task.

Fixed SQL injection in search, added rate limiting on auth, removed Jira sync privilege escalation, added file upload path traversal protection, input validation limits, 15s API timeouts, pendingAuth memory leak fix, credential file permissions, and externalized Stripe price IDs to env vars.

All 24 MCP tools now include behavior annotations (readOnlyHint, destructiveHint, idempotentHint, openWorldHint) to help clients understand tool behavior. The list_bug_reports tool returns pagination metadata (has_more, next_offset). All error responses now include the isError flag per MCP convention.

Five new MCP tools: check_jira_sync (detect remote changes), merge_jira_sync (bi-directional merge), add_comment (with auto-push to Jira), list_team_members, and invite_team_member. README updated with quick setup guides for Claude Code, Claude Desktop, Cursor, Windsurf, and remote HTTP connections. Evaluation suite with 10 test questions added for quality assurance.

New AI wand button on bug detail page reformats descriptions into structured bug templates. format_description flag available on MCP create_bug_report and dashboard quick-submit. Jira sync handles pre-formatted descriptions without duplicate sections.

Pro and Team plan users can now create multiple organizations from the sidebar. Click the org dropdown and select "Create Organization" to start a new workspace. Auto-generates a unique uplifting name or enter a custom one. Free plan users can belong to multiple orgs via invites but cannot create new ones.

Bug reports now store the full description as-is without splitting into separate sections (steps, expected, actual). Added Internal Testing Notes field — editable on the bug detail page but never synced with Jira or external integrations. AI Format feature still available to reformat descriptions on demand. Removed deprecated fields from all APIs and MCP tools.

Fixed row-level security policies on bug_reports to allow any team member to update team reports. Previously only the original creator could edit, which blocked Jira sync for reports filed by other team members.

When a synced Jira issue is deleted or becomes inaccessible, the report detail page shows a notification with two options: Unlink (remove the Jira reference so the report can be re-pushed as a new ticket) or Keep Reference (grey out the link as a historical record).

Three new sections added to the marketing homepage:

**Platform Pillars** — "Enrich bugs. Delegate testing. Heal code."
- Three-pillar overview with Enrich (Live), Delegate (Coming Soon), and Heal (Coming Soon)
- Each pillar card has feature checklist and interactive visual
- Enrich shows raw-to-enriched bug report transformation
- Delegate shows AI or PM requesting human QA
- Heal shows the agent swarm grid

**Delegate Testing** — "Real humans. Real testing. Requested by agents or you."
- Exploratory Testing card with demo showing CI Agent requesting human testers
- Automation Testing (Playwright) card with demo showing PM triggering test suite
- "Agents in the loop" callout explaining autonomous QA delegation

**Agent QA Swarm** — "Agents that lint, scan, and heal your codebase"
- 10 specialized agent cards: Code Lint, Dependency, Accessibility, Security, Performance, Visual Regression, API Contract, Dead Code, Test Coverage, Localization
- Each card shows what the agent does and its action types (auto-fix, scan, report)
- 3-step flow: Agents scan → Auto-heal → File reports

Two new pages added to the marketing website:

**API Reference** (`/api-reference/`)
- Left sidebar with collapsible navigation sections for all endpoint categories
- Welcome/Getting Started, Introduction, Base URL, Authentication docs
- All REST endpoints documented with method badges, auth requirements, parameter tables, and response examples
- Covers: Auth, Reports, Comments, Projects, API Keys, Profile/Settings, Usage/Stats, Billing, Jira Integration, Changelog
- SDKs section (Node.js, Python, Rust, Go — coming soon)
- Contribute section and MIT License info
- Recommendations with best practices
- Mobile responsive with floating sidebar toggle

**Changelog** (`/changelog/`)
- Fetches entries from Supabase at build time
- Groups entries by date with right-side date navigation
- Color-coded tag filtering (security, api, mcp, new-feature, agents, improvement, bugfix)
- Expandable detail sections for each entry
- Subscribe via RSS button linking to `/changelog.xml`

Footer updated to link both API Reference and Changelog.

The MCP server uses a Supabase service role key that bypasses Row Level Security. Three core functions had no application-level ownership checks. Added userId parameter and .or() ownership filtering to all three, plus a shared getUserTeamId() helper to eliminate duplicate team lookups across 7+ functions.

New endpoints:
- POST /api/auth/register, POST /api/auth/login
- GET/POST /api/reports, GET/PATCH /api/reports/:id
- GET/POST /api/keys, DELETE /api/keys/:id, POST /api/keys/:id/regenerate
- GET/PATCH /api/profile, POST /api/profile/password
- GET/PATCH /api/settings
- GET /api/usage, GET /api/stats

All endpoints enforce ownership filtering and work with both session cookies and Bearer API key authentication.

Added middleware that validates Authorization: Bearer ba_live_... headers by SHA-256 hashing the token and looking up the api_keys table. Populates the request context with user and team info so all existing endpoints work automatically with API key auth.

- New changelog_entries table with public read access
- GET /api/admin/changelog (public) lists entries
- POST /api/admin/changelog (admin only) creates entries
- /changelog.xml serves RSS 2.0 feed with content:encoded support
- Entries support tags for categorization (security, api, mcp, new-feature, etc.)

New MCP tools:
- register_account, login — agent self-service onboarding
- update_profile, change_password — profile management
- get_settings, update_settings — notification preferences
- create_project, delete_project — project CRUD with plan limits
- flush_reports — bulk cleanup with owner/admin check
- generate_api_key, list_api_keys, regenerate_api_key, delete_api_key — API key lifecycle
- upgrade_plan — returns Stripe checkout URL

Agent accounts are flagged with is_agent=true in profiles.