What we shipped, week by week. Subscribe to get it in your inbox.
The Studio Ingest tab now has a kind filter, debounced title search, and a side-panel row detail view that previews HTML in a sandboxed iframe, pretty-prints JSON, and shows other content with whitespace preserved.
Apps can now receive data pushed in from external services, scripts, or AI agents over HTTP. Tenant settings gained an Inbound API card to enable, rotate, and disable bearer tokens with a one-time reveal. Apps read incoming items via a new app.ingest SDK (list, get, subscribe, delete, plus a sandboxed HTML renderer), Studio's diagnostics panel has an Ingest tab for inspecting the dev stream, and there's a reference "inbox" example to crib from.
Edits made while previewing an app in Studio now go to a copy-on-write overlay instead of writing straight to your workspace's shared data. A banner in Studio lets you discard the preview changes or promote them to the live pool when you're ready.
Personal workspaces now get a fresh monthly grant of free credits, topping the balance up to the monthly allowance if it's below. The signup grant and the monthly reset share the same allowance so the rules are consistent.
Apps now have a single live instance per workspace instead of a tangle of tenants. Visiting an app auto-installs it for your workspace, and the canonical URL is /w/<workspace>/<app>. Old per-tenant URLs permanently redirect to the new ones, and the tenant switcher is gone — there's nothing to switch between anymore.
Whether an app allows anonymous visitors is now a per-install setting controlled by the workspace, not a property baked into the app. The same app can be public in one workspace and private in another.
When multiple viewers were subscribed to the same ingestion stream, replay via Last-Event-ID could miss or duplicate events. Each tenant channel now uses a single shared buffer so event IDs are stable across subscribers, and inserts plus notifications happen in one transaction so subscribers never see events for rolled-back rows.
Long notification lists now scroll inside the dropdown panel rather than spilling past it.
The ingestion read, item, stream, and delete endpoints now require explicit tenant membership rather than just an authenticated session, closing a gap where any signed-in user could read another tenant's ingested items by guessing the URL.
The old monthly/yearly subscription tier, paywall, seat management, and "subscribers-only" app flag have been retired. Billing is now uniformly credits-based: buy a pack, optionally enable auto-refill, and every app and integration draws from the same balance. The Subscription tab, subscription card, paywall component, requireSubscription SDK call, and Subscriber/Free labels in the nav are all gone.
Apps installed into the same workspace can now read and write the same underlying data — contacts in your CRM show up in your tasks app, calendar events flow into your dashboard, and so on. Apps declare what they need via tags and field shapes; matching collections are bound automatically on install, and any collisions surface a clear dialog where you can choose to share, keep separate, or rename. There's a new workspace Data page where admins can inspect every collection, edit field shapes, and re-bind which collection an app reads from.
Workspace admins can install apps into a workspace so the whole team uses the same instance. Workspace admins and editors automatically get access without needing individual invites, and usage is billed to the workspace's balance rather than the visiting member's personal balance. Each team app page shows a "Billed to: <workspace>" badge so members know whose budget is being used.
Apps reading shared data from another app now receive live updates the moment data changes, instead of waiting up to a minute for the next refresh. Revoking access also closes the stream immediately.
Creator payouts have been rewritten around credit consumption instead of paid seats. Each AI call and metered integration in a creator's app contributes to their share at a defined rate (20% for AI usage, 50% for platform integrations), attributed per-app and settled monthly. Workspace usage stats simplified to a single distinct-users count.
Sending emails, running workflows, geo lookups, owner notifications, outbound HTTP fetches, file uploads, scheduled fires, and shared-storage writes now deduct a small amount of credits per call, with automatic refunds if the call fails. If your balance hits zero, calls return a structured credits_exhausted response so generated apps can handle it gracefully.
The Studio chat textarea no longer paints a muted background when disabled, the cursor and placeholder share the same origin, and text selection no longer clips at the rounded corners.
The email sent when a scheduled task is dropped now points at the "Retry now" button in Studio, with reason-specific guidance (add credits and Retry, or fix the app and Retry) instead of saying the task won't run again.
If your credits are drained by anonymous visitors to a public app, auto-refill now pauses and sends you a heads-up email instead of silently charging your card. Owner- and member-driven usage still triggers refill as before.
You can now add images to your studio chat messages using the paperclip button, paste, or drag-and-drop — up to 10 per message, capped at 5 MB each. Attached images appear as thumbnails in the input, expand to a lightbox when clicked in sent messages, and are sent to the AI alongside your prompt. Failed uploads show a retry button, and rejected files (wrong type, too large, over the limit) surface a clear toast.
Shared links to public app pages now show the branded title (e.g. "Public Recipes · Feldova") on social cards, instead of just the bare app name.
The chat input is now a single rounded card with a clean footer row for help, attachments, and send — replacing the previous inline textarea and button layout.
The first-build discovery flow no longer stacks multiple questions into a single turn or leaks internal phrases like "first build" or "clarifying questions" into replies. The AI now asks one focused question at a time.
App cards in the studio now show explicit View live and Edit buttons, with Duplicate and Delete tucked into an overflow menu. Delete is only available to app owners and workspace admins. Cards display when the app was last updated, keep titles to a single truncated line, and reserve space for descriptions so layouts stay stable.
Delete confirmation dialogs across apps, workspaces, and tenants now include a small copy icon next to the slug you need to type, so you no longer have to retype it by hand.
The uptime-monitor example and the built-in polling pattern in the system prompt now use count-based retention pruned before each write, so they can't get stuck against the per-tenant storage cap. Previously, a long-running poll with time-based pruning could fill the cap and then fail every subsequent run with no way to self-recover.
The studio's Backend tab no longer crashes if it receives an incomplete summary payload (e.g. from a stale cache). It now degrades gracefully to an empty panel instead.
Calling app.schedule.fireNow(...) from a published app will now reject the returned promise if the scheduled handler throws, instead of silently resolving as if it succeeded. Apps that surface errors via toasts or try/catch will start working as expected.
PopoverTrigger now properly honors asChild, so date pickers, location search fields, and any other full-width input or button wrapped in a popover trigger will expand to fill their container instead of collapsing to content width.
The credits indicator in the studio nav now updates on its own when a generation finishes, is aborted, or errors out — no more manual page reload to see your remaining balance.
The Combobox component now supports server-driven search: pass filter={null} to skip client-side filtering and let server-ranked results through untouched, and use onInputValueChange's reason argument to debounce queries and ignore the synthetic clear emitted after selection. The component also now fills its parent width, so anchored dropdowns size correctly.
If you've uploaded a custom avatar for a workspace, it now appears in the workspace switcher dropdown alongside the user menu, instead of falling back to initials.
Default signup grant is now 250 credits (was 500), referred-signup grant is 500 credits (was 1,000), and the per-referral inviter payout is 250 credits (was 200). The 1,000-credit referral cap is unchanged, now reached in 4 referrals instead of 5.
Prefix filters in app storage and shared storage list APIs now treat % and _ as literal characters. Previously, a prefix like "%" would match every key in the collection, and "foo_bar" could match unintended keys like "fooXbar".
Referral credit transactions now show as "Referral bonus" in your billing history instead of the raw "referral" string.
Per-tenant storage quota checks now use a database count aggregate instead of loading every row, making the check fast and constant-time regardless of how many keys you have. Broadcast notifications to tenant members now fan out 10 at a time in parallel, cutting wall-time roughly 10x for large tenants.
Inline code chips in the Studio AI chat are now readable in dark mode (they were near-black on near-black), and the Discord preview card on the dev page has a subtle outline so it no longer blends into the page background.
The Workflows tab in app settings is now labeled Webhooks throughout — tab label, headings, buttons, dialogs, and empty states — to better match what it actually configures. The webhook-name input also no longer triggers password-manager autofill suggestions.
A typo in a notify recipient ID used to pass validation and only fail later when the schedule actually fired, surfacing as a confusing "is not a tenant member" failure. Schedules now reject invalid recipient IDs at creation time with a clear error message.
The buy-credits button in the account menu now reads "Buy 1k credits · €5.00" instead of just the price, so you can see how many credits a purchase delivers before clicking.
Billing links in deferred-schedule and dead-letter alert emails used to rely on your last-active workspace, which could land you on the wrong workspace's billing page if you belong to several. Those links now carry the workspace they refer to, so you always arrive in the right place (access is still checked on load).
The example-app render endpoint used by the dev page gallery was reachable without a session, so the gallery could be enumerated by anyone. It now requires sign-in. The in-app experience is unchanged for signed-in users.
A new Backend tab in the Studio diagnostics panel shows plain-English step cards for each handler and trigger in your app, with icons for the SDK calls they make. The view is cached per app and refreshes as your code changes, giving you a quick map of what runs on the server without reading the code.
If auto-refill fails three times in a row (typically an expired card), it disables to avoid repeated charges. Workspace admins now get an email explaining what happened with a direct link to the right workspace's billing page, so generations don't unexpectedly start failing with "out of credits" later.
The composer, billing page, and account menu used to disagree about when your credit balance was "running low" — you might see an amber warning in one place and nothing in another. All three surfaces now use the same threshold, and the low-balance state in the account menu is also conveyed through font weight and screen-reader hints, not color alone.
When a scheduled trigger and a manual run fired in the same window, the combined rate could exceed the configured per-minute limit on a workflow. Scheduled fires now honor the same limit and retry with normal backoff on contention, keeping webhook traffic within the cap you set.
Every generation now runs through a lightweight router that decides (a) whether to send the whole project or just the files relevant to your prompt, and (b) whether a smaller, faster model can handle trivial single-line or cosmetic edits. Small edits return more quickly and cost less, while complex changes still get the full-power model and full project context. The router's choice and reason are surfaced in the chat activity timeline (e.g. "Editing 3 file(s)" or "Editing whole project — app is small"), with an "Easy Mode" suffix when the lighter model is used.
The admin generations page now supports selecting rows and copying their full payloads (events, prompt, assistant message, files changed, error message, etc.) to the clipboard as JSON for offline analysis. Heavy fields are fetched on demand so the listing stays fast. A new Routing column also shows which model and routing mode each generation used, with token cost and tool-call diagnostics in the tooltip.
We've cut the credit pack price in half (€10 → €5 per 1,000 credits) and rebalanced our margin, making each generation roughly 35% cheaper. Existing credit balances were automatically topped up by 30% so your pre-change credits buy at least as many generations as before. Subscriber discounts have been retired — everyone now pays the same lower price.
Map tiles in apps served from the app host (including published apps on their own subdomain) now load correctly via a token-authorized cross-origin tile route. Previously, MapView in published apps could fail to render tiles; tiles are now signed per-tenant on the server and the SDK handles the handshake automatically.
The shared-storage `list` action accepts an optional `withValues: true` flag that returns all matching values inline. This eliminates the N+1 request pattern where listing keys and then fetching each value separately could overwhelm the browser's request pool — a real issue we hit on a long-running monitor app that had accumulated thousands of rows.