Changelog - Dev - 05.10.2026
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog.
[Unreleased] - 2026-05-10
Removed
- Remove noisy best-effort IAM step from deploy workflows - Eliminated a redundant IAM binding step that warned on every deploy due to intentionally-limited CI service account permissions. Phase 1 manual grants are durable, so the best-effort automation was unnecessary noise. (#474)
devops
Update - 2026-05-10 19:55 UTC
Added
- Scaffold Dataform project for billing phase 2 - Establishes the Dataform project structure, Cloudflare source declaration, and CI compile job to support Phase 2 BigQuery billing infrastructure. Provides the foundation for normalize, attribute, and marts transforms to follow in subsequent PRs. (#475)
enhancement
Update - 2026-05-10 20:58 UTC
Added
- Flesh out Cloudflare billing normalize and attribute DAG - Replaces the billing scaffold's placeholder with a real normalize → attribute → marts DAG for Cloudflare costs in dev. Adds seed includes and a deploy-dataform-billing-transforms job to enable attributed cost data production per spec §11. (#477)
enhancement
Update - 2026-05-10 21:16 UTC
Fixed
- Pivot billing deploy to Dataform REST API - The gcloud dataform CLI surface was unavailable at the time of writing. Switched to calling the Dataform v1beta1 REST API directly via curl to ensure portability across gcloud versions without requiring component installation. (#478)
bug
Update - 2026-05-10 21:44 UTC
Fixed
- Set serviceAccount on workflow-config and document Dataform-agent IAM - Resolved runtime failures in the billing-phase-2 Dataform deployment where workflow-config creation returned HTTP 400 due to missing serviceAccount configuration and Git fetch errors during on-demand compile. Dataform requires explicit service account impersonation for daily workflow invocations. (#480)
bug
Update - 2026-05-10 21:44 UTC
Added
- Sealed-identity Stage A: phoneHash dual-write trigger - Implements Stage A phase 1 of sealed-identity architecture with a Firestore onDocumentCreated trigger that dual-writes HMAC-SHA-256 hashed phone numbers (peppered via Secret Manager) on every new signup, replacing plaintext phone storage. (#479)
enhancement
- Sealed-identity Stage A: idempotent phoneHash backfill script - Provides Stage A phase 2 backfill tooling to retroactively hash existing user phone numbers in Firestore, enabling gradual migration to sealed-identity without service disruption. (#479)
enhancement
Fixed
- Strip PII from production log statements - Removes personally identifiable information from production logs to close a data exposure surface and improve compliance posture. (#479)
enhancement
Update - 2026-05-10 22:50 UTC
Fixed
- Nest serviceAccount under invocationConfig for v1beta1 schema - Corrected the schema location of the serviceAccount field in Dataform workflow configuration. The field must be nested under invocationConfig rather than at the root workflow_config level to comply with Dataform v1beta1 API requirements. (#482)
bug
Update - 2026-05-10 23:30 UTC
Fixed
- Switch Dataform to package.json mode for GCP compile - Dataform 3.x requires package.json-based dependency declaration for GCP-managed compilation, which runs npm ci before invoking the SQLX compiler. The previous workflow_settings.yaml approach was incompatible with GCP's build environment and caused NPM execution failures. (#484)
bug