Changelog
User-facing changes, newest first. Internal refactors and test-only changes are omitted — the canonical engineering changelog lives in the repo.
Unreleased
in progress
Added
- "Dev" tier renamed. The middle paid plan is now called Dev (it was "Pro") — same $149/year price and the same features, just a clearer name for the developer / API tier.
- Team tier (NEW) — $179/seat/year. Multi-seat workspace with shared notes, shared folders, owner / admin / member roles, dead-man alerts with one-click ack, per-team API tokens, and a 90-day audit log. 2-seat minimum, up to 25 seats. Manage from /team after subscribing.
- Team notes at /team/notes — every team feature from the personal side: full CRUD, search/sort/filter, soft-delete + undo, public share links, append-only locking, revisions, bulk delete. Notes carry the writer's user id for audit and the workspace id for visibility.
- Team folders at /team/folders — workspace-shared folder containers (100/team max). A personal "Q4" folder and a team "Q4" coexist freely; the API scope-validates folder ids so a team token can never park a team note in a personal folder.
- Team API tokens at /team/api_tokens — owner/admin-only bearer tokens that hit the team's pool, not the actor's personal pool. Same /api/v1/* surface, same wire format; bulk endpoint enabled on every team token. 30 active tokens per team.
- Team dead-man alerts + one-click ack. Overdue append-only team notes email every accepted member; the first ack mutes the alert team-wide for 4 hours so the same outage doesn't page everyone repeatedly. Ack works from any phone/tab without sign-in (signed token, 24h TTL).
- Team audit log at /team/audit_events — owner/admin-only. Every workspace write recorded with who/what/when, 90-day retention.
- Public per-note share links. Toggle Share on any note to mint a public, read-only URL — anyone with the link can read; toggle off to revoke instantly. Pages set noindex so search engines won't list them.
- Service limits page at /limits — single canonical reference for every cap and rate limit, pulled live from running configuration.
- End-User License Agreement at /eula.
- Per-user API error log at /settings/api_errors — every 4xx your bearer-token requests received, newest first.
- Idempotency-Key header on API write endpoints — opt-in, 24h dedup window per user, stable error code on conflict.
- Durable inbound webhook buffer. POST /h/:token now persists every accepted delivery to the database before formatting, so a Rails restart, hot-note contention, or a transient database blip no longer drops in-flight events. Failed deliveries surface on /settings/monitoring as a dead-letter panel with one-click Replay and Delete. Senders get back a 200 OK with an X-Ingestion-Id response header so a curl -i on the sender side correlates to the buffer row on this side. Pro / Team only — same tier gate as inbound-inbox tokens.
- Free-tier usage meter on the dashboard and notes list.
- Welcome note auto-created on first signup; welcome email sent on first confirmation.
- Folder view pagination (30 notes per page).
- SEO metadata: per-page descriptions, Open Graph / Twitter cards, canonical URLs, branded titles.
- Sign-up rate limit (5/hour/IP) and per-email login throttle (5/20 min) in Rack::Attack.
- Honeypot field on the sign-up form.
- API tier (Pro and Team plans) — bearer-token REST API at /api/v1, with notes and folders resources, atomic append, bulk creates, append-by-filename addressing, and /settings/api_tokens for token management.
- 14-day API trial token on signup (code mode). Picking the developer onboarding mode mints a free mn_… bearer token usable against /api/v1/* for 14 days, with no plan attached. Plaintext is shown once on the post-onboarding flash and emailed alongside a one-line curl example; a Trial badge marks the row on /settings/api_tokens until it expires. Expired trial rows are swept daily; non-trial tokens are never swept.
- Pricing redesigned to four tiers: Free, Personal ($24/yr), Pro ($149/yr), Team ($179/seat/yr).
- Lapsed paid users transition to read-only — every existing note remains readable + exportable for up to 12 months after the last payment.
- Plan-change flow with downgrade gates — switching to a lower tier surfaces a per-cap blocker list.
- Public API docs at /docs.
- bin/backup — Postgres dump runner with retention pruning and optional rsync/S3 off-host copy.
- Sentry error tracking (no-op unless SENTRY_DSN is set).
Changed
- Full-account export is now async, delivered by email. Options → Download all enqueues a background job, builds the archive off-request, and emails a one-time signed download link valid for 24 hours.
- API token expiry policy. Tokens default to 90-day expiry; user-set expiries beyond 1 year are rejected.
- Notes list Latest sort now orders by updated_at (most recently edited) rather than created_at.
- Pro per-note plain-text limit raised from 1.5 MB to 3 MB, matching the Team tier. Free and Personal stay at 1 MB. No migration — existing notes are unaffected; Pro scripts can now POST larger single payloads in one request.
Security
- Email-change abuse window tightened. Devise's email-change endpoint is capped at 3/day per account and 3/day per target address.
- Tighter throttles on expensive surfaces. Note writes 120 → 30/min/user; per-note PDF/DOCX/TXT downloads 60 → 10/min; billing portal/change-plan 30 → 5/min; full-account export request 5 → 2/hour.
- api_errors log scoping. The per-user error log is read through current_user.api_errors only — wrong-owner lookups return nothing rather than leaking another user's request paths.
Removed
- Monthly subscription plan — paid plans are now annual-only (Personal, Pro, Team).
- 30-day trial infrastructure — the freemium 10-note cap replaced it.
The canonical, engineering-detail changelog lives in the repository as CHANGELOG.md.
This page is the user-facing curated view. Spotted something missing? Email support@freshjots.com.