
Changelog - Dev - 05.11.2026

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog.


[Unreleased] - 2026-05-11

Fixed

  • Fix NULL type casting in UNNEST seed serializer - Resolved a BigQuery type inference issue where bare NULL values in UNNEST structs defaulted to INT64, causing subsequent DATE casts to fail. Now explicitly casts NULL to STRING to preserve correct column types in dataform seed generation. (#487) bug

Update - 2026-05-11 00:20 UTC

Fixed

  • Fix JSON_VALUE paths in fact_cost_attributed - Resolved a BigQuery query error where dynamic JSON_VALUE paths violated the requirement that path arguments must be constant expressions. Replaced dynamic path construction with explicit constant-path CASE branches for the three label keys actually emitted by fact_cost_line_items. (#488) bug

Update - 2026-05-11 00:47 UTC

Added

  • Add GCP as second vendor in billing pipeline - Integrated Google Cloud Platform as a second billing vendor to enable real end-to-end attribution in the billing pipeline. GCP's native resource-level billing export provides resource identifiers that Cloudflare's free tier could not, allowing the pipeline to carry actual usage data. (#489) enhancement

Update - 2026-05-11 00:57 UTC

Fixed

  • Dedup GCP export re-emits in fact_cost_line_items - GCP's billing export re-emits the same line item multiple times with different export timestamps during the settling correction window (~4 days). The deduplication logic now qualifies rows by export_time to prevent collision errors during full-refresh operations. (#491) bug

Update - 2026-05-11 01:39 UTC

Added

  • Sealed-identity Stage A phase 3 with phoneHash lookup - The /auth/phone/lookup endpoint can now query by hashed phone numbers instead of plaintext, gated behind STAGE_A_PHONE_HASH_LOOKUP_ENABLED (default OFF). This advances the sealed-identity roadmap to reduce plaintext phone exposure in the database. (#485) enhancement
  • Banned accounts system with admin and check APIs - Complete end-to-end banned accounts layer: new banned_accounts collection, admin endpoints (ban-phone, ban-email, overturn-ban), public check-banned API, Firestore security rules, and web signup gate that blocks banned phone numbers from registering. (#485) enhancement

Changed

  • Move phoneHash helper to shared encryption package - Refactored phoneHash utilities into packages/shared/encryption and isolated them from browser-reachable barrels to prevent accidental exposure of hashing logic in client code. (#485) enhancement

Update - 2026-05-11 01:52 UTC

Added

  • Add POST /auth/phone/createUser server endpoint - Implements Phase 4 of sealed-identity Stage A design to stop writing plaintext phone numbers on new signups. The new server-side endpoint handles user creation with encrypted identity storage, improving privacy for phone-based authentication. (#490) enhancement

Changed

  • Refactor PhonePinSignup to use server-side createUser - Updates the phone PIN signup flow to delegate user creation to the new server-side endpoint, ensuring plaintext phone data is never stored client-side during registration. (#490) enhancement

Update - 2026-05-11 02:06 UTC

Added

  • Add Anthropic and GitHub billing vendors - Integrated Anthropic and GitHub as new vendors in the Phase 4 billing pipeline. Anthropic captures per-request metrics via admin API logging, while GitHub uses a dedicated Cloud Run Job for granular usage tracking across products and repositories. (#494) enhancement

Update - 2026-05-11 02:10 UTC

Changed

  • Consolidate debug helpers under lantern.* namespace - Unified 26 console-accessible debug, spoof, and dev helpers from multiple naming conventions into a single window.lantern.* namespace with organized sub-namespaces (lantern.debug.*, lantern.spoof.*, lantern.dev.*). Enables tab-completion discovery and cleaner developer experience during QA and debugging. (#493) breaking-change enhancement

Update - 2026-05-11 02:24 UTC

Fixed

  • Fix raw_payload serialization for BigQuery insert - The ingest-github Cloud Run job was failing on BigQuery inserts because raw_payload was being sent as a raw JavaScript object instead of a JSON-encoded string. BigQuery JSON columns require string-encoded payloads when streamed in. This fix aligns the behavior with the existing ingest-cloudflare implementation. (#496) bug

Update - 2026-05-11 02:30 UTC

Added

  • Encrypt user mood and interests fields - User mood/vibe and interests are now encrypted at rest, closing plaintext-PII gaps in the threat model. A Firestore dump or subpoena now yields significantly less sensitive user data. (#498) enhancement
  • Geohash-truncate lantern coordinates to ~111m - Lantern latitude and longitude are now geohash-truncated to reduce location precision, limiting exposure of exact venue coordinates in data breaches. (#498) enhancement
  • Document multi-sprint privacy hardening roadmap - New privacy hardening roadmap document outlines the multi-sprint plan to systematically close PII exposure gaps across the application. (#498) enhancement

Update - 2026-05-11 02:41 UTC

Fixed

  • Address Copilot review findings on Sprint A - Resolved six post-merge review comments including a roadmap documentation inconsistency (lantern metadata scope clarification) and a silent failure in truncateCoord when handling non-finite values (NaN/Infinity), which now throws as expected. (#499) bug

Update - 2026-05-11 02:51 UTC

Security

  • Enforce scheduled Firestore data retention - Implements automatic TTL-based deletion of user data in Firestore, closing the gap between documented retention policies and actual enforcement. Limits the window of exposure if a Firestore dump is compromised. (#500) enhancement

Update - 2026-05-11 02:54 UTC

Added

  • Capture GitHub plan and Copilot subscription state historically - Billing data now includes historical snapshots of GitHub plan tier and Copilot subscription status. Previously only metered usage was tracked; this change captures flat subscription fees (Pro, Copilot Pro, Team) that appear in GitHub's billing UI but not in their public APIs. (#501) enhancement

Update - 2026-05-11 03:01 UTC

Security

  • Migrate plaintext phone numbers to encrypted storage - Closes the largest remaining direct-PII leak by migrating existing plaintext phone numbers in the users table to encrypted storage. Implements read-path switching to support gradual rollout, with operator-run migration script and runbook included. (#502) enhancement

Update - 2026-05-11 03:11 UTC

Added

  • BigQuery user_id pseudonymization with 90-day window - Implements Sprint B.2 of the privacy hardening roadmap by automatically replacing user_id with SHA-256 hashes in analytics.events rows older than 90 days. This closes the threat-model gap for unbounded retention of user-keyed analytics data and requires operator setup with Cloud Scheduler. (#503) enhancement

Update - 2026-05-11 03:13 UTC

Fixed

  • Detect personal Copilot subscriptions via GraphQL - Personal Copilot subscriptions were showing as NULL because GitHub's REST endpoint for subscription billing is organization-only. This fix uses GraphQL to detect individual Copilot subscriptions and ensures subscription rows are correctly categorized instead of falling into the unknown app bucket. (#504) bug

Update - 2026-05-11 03:29 UTC

Added

  • Server-side cascade deletion Cloud Function - Implements deleteUserCompletely callable Cloud Function that cascades deletion of user data across Firestore collections, Firebase Auth accounts, and Cloud Storage avatars. Resolves orphaned data left behind by account deletion. (#506) enhancement

Update - 2026-05-11 03:37 UTC

Security

  • Pseudonymize BigQuery events on user deletion - User deletion now immediately pseudonymizes BigQuery events, making them unlinkable to the original userId even internally. Completes GDPR-erasure compliance by ensuring events from the last 90 days are no longer traceable to deleted accounts. (#507) enhancement

Update - 2026-05-11 03:54 UTC

Added

  • Bootstrap GCP Secret Manager integration - Completes GCP Secret Manager setup for Cloud Functions secret injection, closing gaps from earlier work. Enables secure credential management across deployed functions. (#505) enhancement

Fixed

  • Fix secret injection in Cloud Functions - Resolves a production bug in createFeatureRequest where GITHUB_TOKEN and DISCORD_WEBHOOK_URL secrets were not being properly injected into Cloud Functions. (#505) enhancement

Update - 2026-05-11 04:14 UTC

Added

  • Supplemental invoice-actuals layer via Gmail - Introduces a ground-truth billing reconciliation pipeline that polls vendor invoices from Gmail daily, parses totals, and compares pipeline-estimated costs against actual charges. Flags cost drift exceeding 5% or $1 per vendor-month pair, enabling better visibility into billing accuracy without disrupting the existing cost attribution pipeline. (#508) enhancement

Update - 2026-05-11 04:50 UTC

Fixed

  • Match Anthropic invoices from mail.anthropic.com subdomain - The invoice ingestion regex was missing Anthropic receipts sent from mail.anthropic.com because it didn't account for the mail subdomain. Updated the pattern to match any subdomain, enabling parsing of previously missed invoices. (#511) bug
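
An added example of the "match any subdomain" sender check described in the entry above; it is not the project's own code, and the project's actual pattern is not shown in this changelog. `VENDOR_DOMAINS`, the function names and the sample headers in the comments are hypothetical. It shows a pattern that accepts `mail.anthropic.com` while staying anchored, so lookalike domains do not match.

```javascript
// Added illustration, not the project's code. All names here are hypothetical.
const VENDOR_DOMAINS = { anthropic: 'anthropic.com' }; // assumed vendor-to-domain map

// Extract the address from a From header value such as
// 'Anthropic <receipts@mail.anthropic.com>' (constructed sample).
// The address in angle brackets wins over anything in the display name.
function extractAddress(fromHeader) {
  const angle = fromHeader.match(/<([^<>\s]+)>\s*$/);
  const addr = (angle ? angle[1] : fromHeader.trim()).toLowerCase();
  const at = addr.lastIndexOf('@');
  // Require exactly one "@", a non-empty local part and domain, no whitespace.
  if (at <= 0 || at === addr.length - 1 || addr.indexOf('@') !== at) return null;
  if (/\s/.test(addr)) return null;
  return { local: addr.slice(0, at), domain: addr.slice(at + 1) };
}

// Escape regex metacharacters so the "." in a domain is a literal dot.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Zero or more DNS labels followed by the exact base domain, anchored at both
// ends. Without "^" and "$" a domain like anthropic.com.example.net would pass.
function senderPattern(baseDomain) {
  const label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
  return new RegExp(`^(?:${label}\\.)*${escapeRegExp(baseDomain)}$`);
}

// Return the vendor key whose domain (or any subdomain of it) sent the mail,
// or null when no vendor matches.
function matchVendor(fromHeader) {
  const parsed = extractAddress(fromHeader);
  if (!parsed) return null;
  for (const [vendor, base] of Object.entries(VENDOR_DOMAINS)) {
    if (senderPattern(base).test(parsed.domain)) return vendor;
  }
  return null;
}
```

A From-domain match only routes a message to the right parser; whether the message is authentic depends on the receiving mail system's DKIM/DMARC result, which this check does not look at.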
