8 Commits

Author SHA1 Message Date
Leon Serfaty 51c541ad22 Security & robustness hardening pass

Cross-cutting input-validation, isolation, and DoS-resistance fixes across
the app, API, billing, queue, and infra layers.

- Runtime validation (zod) for client-supplied admin actions (role/plan/
  limits), series generation index, and all pg-boss queue payloads
- Auth: require email verification before sign-in; reject weak/placeholder/
  short BETTER_AUTH_SECRET in production
- Billing: sanitize Stripe/PayPal errors (log server-side, generic to client);
  race-safe subscription upsert; only count "processed" webhook events as
  handled; verify org membership in getEffectivePlan to block plan escalation
- Series generation: reserve usage up front and refund on failure; bill the
  owning org, not the caller's active org
- Injection defenses: HTML-escape user fields in emails, strip CR/LF from
  subject/recipient, validate ElevenLabs voiceId before URL interpolation
- Media routes: stream off disk instead of buffering whole files; rate-limit
  anonymous public audio/cover endpoints by client IP
2026-06-20 20:59:03 -04:00

Leon Serfaty cd1d6a1a28 Add brand logo + favicon across app surfaces

Ship the Podcast Distribution AI wordmark as real assets and replace the
Mic-tile + text placeholder everywhere it appeared.

- public/logo-dark.png (dark wordmark, for light backgrounds) and
  public/logo-light.png (light wordmark, for dark backgrounds)
- New <Logo> component swaps the two via Tailwind dark: variants, so the
  dark logo shows on all non-themed surfaces (marketing, auth, admin,
  public share) and the light logo only in dark-mode app surfaces
- Wire <Logo> into the marketing header/footer, auth layout, app header
  (default branch only - white-label org logos untouched), admin header
  (+ Admin badge), and the public share page
- Favicon via App Router file convention: app/icon.png + app/apple-icon.png

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-20 20:58:37 -04:00

Leon Serfaty 4fb2645db1 Rebrand PodcastYes -> Podcast Distribution AI (podcastdistributionai.com) 2026-06-20 20:12:43 -04:00
Leon Serfaty 3ad90f076f fix: tolerate empty NEXT_PUBLIC_APP_URL during production build 2026-06-08 04:46:58 -04:00
Leon Serfaty 305278a846 Add comprehensive /features page + allow Unsplash imagery 2026-06-08 04:37:10 -04:00
Leon Serfaty 8138827657 Retarget deployment from Plesk to Dokploy (Docker Compose) 2026-06-07 18:30:53 -04:00
Leon Serfaty f033f00379 Comprehensive admin + user dashboards (production-ready) 2026-06-07 17:54:30 -04:00
Leon Serfaty 155507f21a Initial commit: PodcastYes — AI podcast platform 2026-06-07 03:58:32 -04:00