Version history

Changelog

Protocol version bumps, new axes, and MCP server releases. Sorted newest first. Enterprise customers receive 30-day advance notice of breaking axis changes.

June 2026

v1.1.2

Swapped transactional email from scale4-mailer Worker to Resend API

  • Swapped transactional email from scale4-mailer Worker (Cloudflare Email Routing) to Resend API (lib/resend.ts). scale4-mailer marked deprecated.
  • New helper: sendEmail({ to, subject, html, text?, replyTo?, from? }) at lib/resend.ts. Reads RESEND_API_KEY + RESEND_DOMAIN; `from` defaults to noreply@${RESEND_DOMAIN} (e.g. noreply@marketprior.com). Returns { ok, id } | { ok: false, error } (never throws).
  • Root Worker [secrets].required updated: removed SCALE4_MAILER_SECRET (no longer needed), RESEND_API_KEY remains required.
  • packages/email-worker/ source kept for reference with a deprecation banner; not deleted. Cleanup (`wrangler delete scale4-mailer`) deferred.

v1.1.1

Migrated deployment target from Vercel to Cloudflare Workers

  • Mid-launch-prep migration: the Next.js app now deploys as a Cloudflare Worker via @opennextjs/cloudflare instead of Vercel. The portfolio is Cloudflare-first (scale4-mailer + scale4-license already ran on Workers; the Next.js app is the third).
  • One secrets-push surface: HMAC + Stripe + Supabase secrets now live exclusively in Cloudflare, pushed via `wrangler secret put` to each of the three Workers. Removes the previous Vercel-plus-Cloudflare split.
  • In-app deploy command: `npm run cf:deploy` from the repo root (wraps `opennextjs-cloudflare build` + `wrangler deploy`).
  • Operational docs updated: see ROLLOUT.md and SECURITY_ROTATION.md for the new flow.

v1.1.0

Security hardening + citation verification

  • scale4.deep_research_mode now ships citation verification (Mode B): POST { citations: [{ verbatim, source_url }, ...] } returns per-citation { valid, reason? } from @scale4/engine-deep verifyCitations(). Pro-tier gated, hard cap of 25 citations/request. Closes the "real URL, invented quote" fabrication gap that free-tier url_head validation could not catch.
  • Billing tier moved out of Supabase user_metadata (self-writable with anon key) into a service-role-only public.user_tiers table. Read path: getUserTier(supabase, userId) in lib/auth.ts. Migration: supabase/migrations/0002_user_tiers.sql.
  • Stripe webhook derives tier strictly from priceId — session.metadata.requested_tier is no longer trusted.
  • Session tokens are now bound to the issuing API key via a kid claim. Every /api/scale4/v1/* token-consuming route runs verifySessionToken(session, ctx), which 401s on session_key_mismatch. Legacy tokens with no kid are still accepted.
  • Middleware backstop rejects unauthenticated calls to /api/scale4/v1/** with 401 (defense-in-depth for routes that forget requireApiKey).
  • Outbound-fetch validators apply an SSRF allowlist to outbound URLs; RFC1918, loopback, link-local, and IPv6 ULA destinations are blocked.
  • scale4.pitchforge_handoff now states honestly that the Pitchforge MCP server is not yet published; still emits the stable seed JSON for any deck-generation tool. Previously instructed users to run a non-existent npm package.
  • Secrets rotated (Stripe live key, webhook secret, three Scale4 HMAC secrets, the ed25519 axis-signing key). Runbook: SECURITY_ROTATION.md at the repo root.
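
The range check behind the outbound-fetch bullet above, as an added JavaScript sketch rather than the project's own validator: checkOutboundUrl, isBlockedV4 and isBlockedV6 are hypothetical names, the http/https-only rule is an assumption, and only IP-literal hosts are classified. A hostname's resolved addresses need the same check at connect time.

```javascript
// Added sketch, not the project's validator; all function names are hypothetical.
// new URL() canonicalises hosts first, so 0x7f.1 and 2130706433 become 127.0.0.1.

// Dotted-quad IPv4: loopback, RFC1918 or link-local?
function isBlockedV4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 127 ||                      // 127.0.0.0/8 loopback
    a === 10 ||                            // 10.0.0.0/8
    (a === 172 && b >= 16 && b <= 31) ||   // 172.16.0.0/12
    (a === 192 && b === 168) ||            // 192.168.0.0/16
    (a === 169 && b === 254);              // 169.254.0.0/16 link-local
}

// Canonical IPv6 (as serialised by URL): loopback, ULA, link-local, or a
// blocked IPv4 address carried in IPv4-mapped form (::ffff:a.b.c.d)?
function isBlockedV6(ip) {
  if (ip === "::1") return true;
  const m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(ip);
  if (m) {
    const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
    return isBlockedV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join("."));
  }
  const first = parseInt(ip.split(":")[0] || "0", 16);
  return (first & 0xfe00) === 0xfc00 ||    // fc00::/7 unique local (ULA)
    (first & 0xffc0) === 0xfe80;           // fe80::/10 link-local
}

// Returns { ok: true } or { ok: false, reason }. Hostnames pass with
// needsDnsCheck set: their resolved addresses still have to be screened.
function checkOutboundUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable" }; }
  // Assumed policy: only http(s) may leave the service.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "scheme" };
  }
  const host = url.hostname;
  if (host.startsWith("[")) {
    return isBlockedV6(host.slice(1, -1)) ? { ok: false, reason: "blocked_ipv6" } : { ok: true };
  }
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    return isBlockedV4(host) ? { ok: false, reason: "blocked_ipv4" } : { ok: true };
  }
  return { ok: true, needsDnsCheck: true };
}
```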

v1.0.0

Initial release

  • 7-axis free protocol (problem, market, solutions, wedge, distribution, economics, founder) — each axis requires structured evidence with citations before a score is unlocked.
  • 3 verticalised paid protocols: healthcare-9-axis (+ phi_exposure, baa_requirements), fintech-9-axis (+ regulatory_passporting, aml_kyc_complexity), workforce-8-axis (+ payroll_jurisdiction).
  • 9 MCP tools: scale4.start, scale4.submit_signal, scale4.check_progress, scale4.score, scale4.generate_roadmap, scale4.export, scale4.deep_research_mode, scale4.stackforge_handoff, scale4.pitchforge_handoff.
  • Stateless session tokens (srv1.<payload>.<hmac>) — server holds zero PII at rest; 30-day expiry.
  • Ed25519-signed axis registry — public key pinned in the MCP server binary; quarterly rotation with 90-day grace window.
  • Free tier: 3 assessments/month, full 7-axis protocol, roadmap export — no API key required.
  • npm package scale4-mcp-server published; listed in MCP registry, Cursor marketplace, and Smithery.

The 7-axis protocol specification is open.