SysML Studio

Changelog

All notable changes to SysML Studio — newest first. Full history on GitHub Releases.

Unreleased (in development)

Changes being built — not yet in production.

1.0.0 (2026-04-08) Latest

Added

  • Legal pages: Privacy Policy, Terms of Service, Cookie Policy (EN + ES) — covers GDPR, CCPA/CPRA, Chilean Law 19.628/21.719, US state privacy laws, LGPD
  • Cookie consent banner (vanilla JS, no deps) with opt-in Session Replay
  • Global Privacy Control (GPC) signal auto-respect
  • Feedback widget with Supabase backend — bug reports and feature requests
  • Sentry Session Replay gated behind cookie consent
  • Cloudflare Web Analytics beacon (cookieless, no consent required)
  • App footer with Privacy / Terms / Cookies / Security links
  • Security headers via _headers (CSP Report-Only, HSTS, X-Frame-Options, Permissions-Policy)
  • SRI integrity hashes on all CDN script tags
  • monaco-config.js: inline Monaco bootstrap script moved to its own file → drops unsafe-inline from CSP
  • robots.txt and /.well-known/security.txt (RFC 9116)
  • Supabase migrations directory — 6 migrations including account deletion RPC and usage analytics
  • GDPR Art. 17 — account deletion: cascade-deletes all user data with typed confirmation
  • GDPR Art. 20 — data export: downloads a ZIP with all diagrams, projects, and profile data
  • Privacy-respecting product analytics via analytics.js + Supabase log_event() RPC
  • Unit tests (Vitest) — 103 tests across 6 suites: notation-helpers, unified-model, parser, code-generator, round-trip, fuzz
  • GitHub Actions CI (lint + typecheck + test + coverage artifact upload)
  • ESLint 9 flat config with custom XSS detection rule for innerHTML template literals
  • Prettier, EditorConfig, Husky pre-commit hooks with lint-staged
  • docs/xss-audit.md — full inventory of 42 innerHTML sites
  • status.html — system status page
  • changelog.html — this page

Fixed

  • XSS: tooltip in visual-editor.js used unescaped element names
  • XSS: avatar initials in supabase.js (email + Google full_name) were unescaped
  • XSS: _esc() in collaboration.js did not escape " (attribute injection via collab names)
  • DB: handle_new_user trigger had mutable search_path (search_path injection vector)
  • DB: pro_grants RLS intent undocumented (service_role policy now explicit)
  • Logout: now clears only user data keys and preserves UI preference keys (theme, sidebar, consent)
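The _esc() fix above is the classic attribute-injection gap: an escaper that handles only &, < and > is sufficient for text nodes but lets a value containing a double quote terminate a quoted HTML attribute early. The following is an added example, not SysML Studio's own collaboration.js code; the function names (escTextOnly, esc, renderBadge) and the collaborator name are constructed for illustration. It places the incomplete escaper beside a complete one and checks, by counting quote characters, whether the name stayed inside the attribute it was interpolated into.

```javascript
// Added example (not SysML Studio's collaboration.js): an escaper that skips
// the double quote next to one that covers every HTML-significant character.
// The collaborator name below is a constructed sample input.

// Incomplete escaper: fine for text nodes, unsafe for quoted attribute values,
// because a " in the input closes the attribute early.
function escTextOnly(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Complete escaper: also neutralises " and ', so the same function can be used
// for both text content and attribute values.
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};
function esc(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Renders a collaborator badge the way an innerHTML template literal would,
// interpolating the name into a title attribute and into the text content.
function renderBadge(name, escapeFn) {
  return `<span class="collab" title="${escapeFn(name)}">${escapeFn(name)}</span>`;
}

// The template itself contributes exactly four double quotes (class="..." and
// title="..."). Any more means the interpolated value broke out of an attribute.
const TEMPLATE_QUOTE_COUNT = 4;

function countDoubleQuotes(html) {
  return (html.match(/"/g) || []).length;
}

// True when the rendered markup has no extra quote characters, i.e. the name
// stayed inside its attribute.
function nameStaysInsideAttribute(name, escapeFn) {
  return countDoubleQuotes(renderBadge(name, escapeFn)) === TEMPLATE_QUOTE_COUNT;
}

// Constructed sample: a perfectly legitimate display name containing quotes.
const SAMPLE_NAME = 'Ann "Annie" Lee';

console.log(renderBadge(SAMPLE_NAME, escTextOnly)); // attribute closes after "Ann "
console.log(renderBadge(SAMPLE_NAME, esc));         // attribute intact
console.log('text-only escaper keeps name in attribute:', nameStaysInsideAttribute(SAMPLE_NAME, escTextOnly));
console.log('complete escaper keeps name in attribute:', nameStaysInsideAttribute(SAMPLE_NAME, esc));
```

The quote-counting check is a cheap regression guard for exactly this bug: any escaper that is going to be used inside attribute templates must leave the template's own quote count unchanged for every input.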

Security

  • CSP: Content-Security-Policy-Report-Only active — will switch to enforcement after a 48-72h observation period
  • All external CDN resources have SRI hashes
  • Supabase RLS verified: all 7 tables protected with explicit policies
  • delete_account() RPC uses SECURITY DEFINER SET search_path = ''
  • log_event() RPC validates event names against allowlist regex