Changelog

v7.10.7 Safe-Major Composer Trio April 15, 2026

laravel/tinker ^2.9 → ^3.0 — Dev-only REPL. v3 requires PHP 8.4, which the project is already on. Zero runtime impact.
resend/resend-php ^0.23.0 → ^1.0 — v1.0 is the stable release, not a breaking rewrite. Bounded to the Resend mail adapter — email verification notification path verified via the EmailVerificationControllerTest suite.
darkaonline/l5-swagger ^10.1 → ^11.0 — Pulls in swagger-php v5, which is stricter about OpenAPI annotation validation. php artisan l5-swagger:generate regenerates a clean 2.7 MB api-docs.json.
X402StatusController Annotation Fix — The l5-swagger upgrade surfaced one pre-existing bug: the #[OA\Get] + #[OA\Response] attributes for /api/v1/x402/supported were misattached to the wellKnown() method instead of supported(), because PHP attributes attach to the next declaration and the docblock between them did not reset the anchor. Old swagger-php v4 tolerated the duplicate response="200" silently; v5 errors out. Moved the attributes down to the right method — each now carries exactly one #[OA\Get] + one #[OA\Response(response: 200)].
Still-Deferred Majors — Laravel 12 → 13 (ecosystem lock-step), Filament 3 → 5 (two majors), Livewire 3 → 4, Pest 3 → 4, Predis 2 → 3, Cashier 15 → 16, Scout 10 → 11, Symfony http-client 7 → 8, Tailwind 3 → 4, Vite 6 → 8 + laravel-vite-plugin 1 → 3, and @ledgerhq/hw-app-eth 6 → 7 each remain their own dedicated migration project.

v7.10.6 Composer Dependency Sweep April 14, 2026

Composer Semver-Safe Update — 230 packages upgraded within the existing composer.json ranges. Notable bumps include Laravel 12.55.1 → 12.56.0, Filament 3.3.49 → 3.3.50, Livewire 3.7.11 → 3.7.15, Larastan 3.9.3 → 3.9.5, PHPStan 2.1.42 → 2.1.47, php-cs-fixer 3.94.2 → 3.95.1, AWS SDK 3.373.8 → 3.379.0, Lighthouse 6.65.0 → 6.66.0, Behat 3.29.0 → 3.30.0, Laravel Passport 13.6.0 → 13.7.4, plus 220+ smaller / transitive bumps.
PHPStan Level 8 Kept Clean — Larastan 3.9.5 tightened several rules, surfacing 6 pre-existing errors across RecordPaymentActivity, MessageDeliveryWorkflow, RegulatoryCalendarService, BasketController, StatusController, and the Account Exceptions test. All fixed in-PR per the CLAUDE.md policy against suppression — dead null-coalesces removed, Collection covariance resolved by closure type hints and by flattening to plain arrays where invariance bit, and the Pest toThrow() dead-code false positive worked around with try/catch assertions.
php-cs-fixer 3.95.1 Repo-Wide Reformat — The new fixer version tightened match-arm alignment, flagging 65 files where existing match expressions had inconsistent whitespace around the fat arrow. 218 insertions / 218 deletions — pure whitespace normalization, no semantic changes.
Zero Security Advisories — composer update reported "No security vulnerability advisories found." No CVE-driven bumps in this release; strictly maintenance within the Laravel 12 / PHP 8.4 line.
Out of Scope — Major-version backend bumps are each dedicated migration projects and deliberately deferred: Laravel 12 → 13, Filament 3 → 5 (two majors), Livewire 3 → 4, Pest 3 → 4, Predis 2 → 3, Cashier 15 → 16, Scout 10 → 11, Tinker 2 → 3, Symfony http-client 7 → 8, L5-Swagger 10 → 11, Resend 0 → 1. Each of these needs its own migration plan and review pass.

v7.10.5 npm Dependency Sweep April 14, 2026

npm Semver-Safe Update — Ran npm update within the existing package.json ranges, which pulled minor/patch bumps for @ledgerhq/hw-transport-webusb (6.32.0 → 6.33.0), autoprefixer (10.4.27 → 10.5.0), postcss (8.5.8 → 8.5.9), plus transitive dedup across the @ledgerhq/* tree.
Lockfile Dedup — package-lock.json shrank by ~500 lines as newer axios/vite/ledger versions consolidated redundant transitive dep trees.
follow-redirects Cleared — The remaining moderate-severity follow-redirects advisory carried over from the v7.10.4 cycle was resolved by this update. Audit now reports zero critical, zero high, zero moderate — 18 lows remain in deep transitive dev tooling.
Zero Runtime Impact — Lockfile-only change. No package.json edits, no application code touched. Production bundle rebuilds byte-equivalent under the existing Vite 6.4.2 configuration.
Out of Scope — Major-version bumps (@ledgerhq/hw-app-eth 6.x → 7.x, laravel-vite-plugin 1.x → 3.x, tailwindcss 3.x → 4.x, vite 6.x → 8.x) are deliberately deferred. Each is a dedicated migration project — Tailwind v4 and the laravel-vite-plugin/vite alignment in particular need their own brainstorming pass.

v7.10.4 Frontend Security Patch April 14, 2026

axios Security Patch — Raised axios from ^1.13.5 to ^1.15.0 (also mirrored in the npm overrides block) to close GHSA-3p68-rc4w-qgx5, a NO_PROXY hostname normalization bypass that could be leveraged into SSRF. The single advisory cascaded through 4 @ledgerhq/* hardware-wallet packages, so bumping axios resolved all 5 critical severity entries at once.
Vite Security Patch — Bumped Vite from ^6.4.1 to ^6.4.2 to close a high-severity path traversal in the Optimized Deps .map handling code path.
Zero Runtime Impact — Both affected packages are dev/build-time only. axios is a devDependency and Vite is the build bundler; neither ships in the Laravel runtime. No application code or PHP dependencies were touched in this release.
npm Audit Before/After — 23 vulnerabilities (16 low, 1 moderate, 1 high, 5 critical) → 19 vulnerabilities (18 low, 1 moderate). Remaining lows and the 1 moderate (follow-redirects) live in deep transitive dev tooling and are scheduled for the next general npm bump PR.

v7.10.3 Onboarding Welcome Modal Fix April 14, 2026

Dashboard Welcome Modal — Removed the broken "Take Tour" header button and startTour() placeholder from the new-user welcome modal. The placeholder contained PHP string-concat syntax dropped into a raw <script> block, which JavaScript parsed as member access on a string literal and threw TypeError at runtime, silently breaking the onboarding flow for every new registrant.
Onboarding Flow — Stripped the startTour() fallback from startOnboarding()'s .catch branch so a failed /onboarding/complete POST no longer cascades into a second runtime error.
Registration Verified — RegistrationTest suite confirmed green end-to-end (POST /register → CreateNewUser → team provisioning → dashboard). The bug was confined to the post-registration welcome modal JavaScript, not the registration pipeline itself.
Tour Deferred — A real interactive tour (Shepherd.js / Intro.js etc.) is parked for a future design pass. Removing the stub is the honest minimum fix.

v7.10.2 Deployment Pipeline Fix April 13, 2026

Deploy Pipeline — Fixed a 1GB OOM in the Pre-deployment Validation job that had been blocking the Deploy to Production workflow since v7.10.0. Unit tests now run in batched PHP processes via the shared bin/pest-batch runner, mirroring the CI Pipeline unit test step.
Cache Driver — Switched the Pre-deployment Validation step to the array cache driver (matching .env.testing). The previous redis driver broke tests that mock the Redis facade because Cache::put silently failed through the swapped facade.
Dotenv Quoting — Wrapped BRAND_LEGAL_JURISDICTION in .env.example and BRAND_TAGLINE in .env.zelta.example in double quotes. The unquoted whitespace was tripping vlucas/phpdotenv with "Failed to parse dotenv file. Encountered unexpected whitespace". Affects anyone copying .env.example for a fresh setup.
First Deployable Release — v7.10.2 is the first release tag since v7.10.0 whose Deploy to Production pipeline is actually functional. v7.10.0 and v7.10.1 both had Pre-deployment Validation failures that blocked the deployment artifact build.

v7.10.1 Stripe Bridge Ramp Hardening April 13, 2026

Stripe Bridge Ramp — Working Stripe Crypto Onramp integration with proper t=,v1= signature verification (HMAC-SHA256, 300s replay window, multi-v1 support), real session status fetch, and event envelope normalization. Replaces broken scaffolding that would have rejected every real Stripe webhook.
Platform-Generic Webhook Abstraction — Widened RampProviderInterface with normalizeWebhookPayload() and getWebhookSignatureHeader(); validator callable now receives raw HTTP body bytes (not re-encoded JSON) and the full signature header. Onramper, Stripe Bridge, and Mock providers all share the same contract.
Lazy RampProviderRegistry — Webhook controller resolves providers by name via a registry that lazily instantiates only the provider for the inbound webhook. Production deployments using only Stripe no longer need fake Onramper credentials to boot.
Provider-Aware Validation — RampService::validateRampParams() reads supported currencies from the active provider instead of global config; requesting BTC through Stripe now returns a clear 422 naming the active provider.
Race Safety — Both webhook processing and session status polling wrap DB updates in DB::transaction() + lockForUpdate() with terminal-state idempotency; webhooks arriving during a poll are no longer clobbered.
Parallel Webhook Cleanup — Deleted the legacy StripeBridgeWebhookController and its /api/webhooks/stripe/bridge route. The old code path used the wrong event type prefix and had a non-production signature bypass. The generic /api/v1/ramp/webhook/{provider} route is now the single Stripe webhook entry point.
Test Coverage — 95 ramp tests passing including a parameterized provider-contract suite (every provider inherits the same checks), Stripe signature verification, raw-body preservation, and a non-custody regression test asserting zero row growth in ledgers/transactions tables on ramp completion.

v7.10.0 Webhook Architecture Refactor April 7, 2026

Webhook Infrastructure — webhook_endpoints table with per-user address monitoring, AlchemyWebhookManager, SmartAccountObserver, evm:sync-webhooks command, and config cleanup
Webhook Hardening — Unique (tx_hash, chain) constraint, ProcessAlchemyWebhookJob and ProcessHeliusWebhookJob for async queue-based processing, Cache-based deduplication, spam filter, and reorg detection
Per-User Sharding — Per-user webhook endpoints with encrypted signing keys and 100K address sharding for scalable on-chain monitoring
Mobile Backend — CardWaitlistController, TrustCertPaymentController with 3 payment methods (wallet, card, IAP), and RequireKycVerification middleware for Level 0 user restrictions
Ramp Migration — StripeBridgeService and generic RampWebhookController replacing Onramper with Stripe Bridge for fiat on/off-ramp
Security — bcmath for all financial amounts, encrypted stripe_client_secret, webhook timestamp tolerance, IAP production gate, 15 security findings identified and fixed via post-phase review

v7.9.0 Compliance & Polish April 1, 2026

Address Screening — Multi-layer OFAC SDN + GoPlus Security API + Chainalysis sanctions checking
Website — Professional copywriting pass, fixed broken social links, consistent branding across all pages
Developer Portal — Fixed Blade compile error on code examples, corrected API URLs and env vars
SEO — Schema.org markup and breadcrumbs added to subproduct pages
Mobile Jobs — Fixed tenant context verification in global scheduled jobs

v7.8.2 Maintenance April 1, 2026

Registration — Mobile API signup no longer blocked by admin registration gate
Developer Portal — Honest SDK install commands, OpenAPI spec link, consolidated rate limits
Infrastructure — Daily log rotation, CRON expression fix, CORS header update

v7.8.1 Website Polish March 31, 2026

GCU page redesigned — migrated to unified brand layout
Platform page simplified — module cards replaced with features link
Public changelog page added at /changelog

v7.8.0 Standards & Compliance March 30, 2026

ISO 20022 — Full pacs, pain, and camt message suite with standards-compliant schema validation
Open Banking PSD2 — AISP/PISP consent lifecycle, Berlin Group and UK Open Banking adapters
ISO 8583 — Card transaction messaging with PIN management and authorization flows
US Payment Rails — ACH, Fedwire, RTP, FedNow with intelligent rail routing and same-day settlement
Interledger Protocol — ILP connector, Open Payments (GNAP), and cross-currency streaming quotes
Double-Entry Ledger — Chart of accounts, journal entries, GL auto-posting, optional TigerBeetle driver
Microfinance — Group lending, IFRS provisioning, share accounts, teller operations, field officer tools

v7.1.1 Security Patch March 29, 2026

JIT funding TOCTOU fix — Eliminated race condition in just-in-time funding that could allow double-spend
Webhook SSRF prevention — Added URL allowlist validation and DNS rebinding protection for outbound webhooks
Rate limiter hardening — Switched to atomic Cache::add + increment pattern to prevent counter bypass under concurrency
Threat model remediation — All 15 items from the v7.6 threat model audit resolved and verified

v7.1.0 Production Hardening March 29, 2026

Prometheus observability — Full metrics export for API latency, queue depth, error rates, and domain events
Mobile compatibility — Responsive layout fixes across dashboard, account, and GCU trading screens
Smoke test suite — Production environment smoke tests covering auth, payments, GCU, and API health checks
Security audit preparation — PHPStan Level 8 compliance, PHPCS clean, zero critical findings pre-audit
Helm chart — Kubernetes deployment chart with horizontal pod autoscaling and Redis Streams support

v7.0.0 Production Release March 28, 2026

Web3 consolidation — Unified EthRpcClient and AbiEncoder under app/Infrastructure/Web3/ with legacy adapter shim
Zelta SDK v1.0 — Composer-installable payment SDK with transparent x402 + MPP auto-retry and fallback logic
Production guards — Demo-only service gates check app()->environment('production') and throw safely
Post-quantum crypto — ML-KEM-768 and ML-DSA-65 hybrid encryption integrated into key storage and signing flows
Event sourcing v7.7+ — Domain-specific event tables, Spatie upgrade, full aggregate replay support

Sandbox Environment

Stay up to date