Core v1.8.1Released May 15, 2026

Core v1.8.1 — MCP server, workspaces, billing, and operator visibility

The rollup release: a real MCP HTTP server, workspace-scoped multi-tenancy, Stripe-backed billing, full onboarding, and the new operator identity surfaces.

Core Agent MCP Billing Onboarding Security UX

Highlights

Real MCP HTTP server at /api/agent/mcp with workspace-scoped Bearer auth and ten read-only tools.
Workspace switcher + operator profile in the dashboard sidebar; copyable user IDs on /settings/account.
Stripe billing with three plans (Pro / Agency / Business), signature-verified webhooks, and a customer portal.
Self-serve signup → onboarding → first-event → upgrade flow, gated by CORE_SIGNUP_ENABLED.
API key management (/settings/api-keys) with sha256-at-rest tokens shown exactly once.
Audit log surfaces with safe metadata projection and operator-facing badges.

Overview

Core v1.8.1 is the first version where everything an operator needs to use WebmasterID end-to-end is shipped: signup, onboarding, billing, MCP, and identity. Previous milestones built the substrate; this version makes the platform usable without operator-side hand-holding.

Why this release matters

Operators can now connect Claude to their workspace in three steps, upgrade through Stripe Checkout, and audit every change inside the workspace — without source-code reads or founder help. The platform crossed the gap from internal beta to real self-serve SaaS.

MCP server shipped

Model Context Protocol HTTP endpoint at /api/agent/mcp. JSON-RPC 2.0 envelope; methods: initialize, tools/list, tools/call. Ten read-only tools cover sites, events, bot intelligence, AI referrals, top pages, recommendations, repo mappings, execution sessions, and plan status. Plan-gated (Free blocked; Pro+ allowed) with structured -32003 PLAN_LOCKED responses.

Bearer auth against the api_keys table; sha256 hash lookup; revoked keys rejected.
Per-key rate limit (120 req/min) and 64KB payload cap.
Every initialize / tools/list / tools/call written to admin_audit_logs with stable action codes.

API keys + Claude integration

Workspace-scoped api_keys table with plaintext shown exactly once at creation. Three copy-paste configs (Claude Desktop, Claude Code, VS Code) ship on /settings/mcp. An in-page verification block calls tools/list against the real endpoint and renders the outcome without echoing the raw response body.

Onboarding improvements

Signup → workspace creation → first site → install snippet → first event → /onboarding/success → upgrade pathway. The onboarding wizard derives its current step from DB state (not client storage) so refreshes and tab-restores resume cleanly. Welcome email auto-fires after signup with the five-step checklist.

Billing stabilisation

Stripe-backed three-plan model: Pro $49/mo (Core + Agent + MCP), Agency $199/mo (Core + Agent + Team Operations), Business custom (Core + Agent + Advanced Operations). Signature-verified webhooks update workspace_subscriptions idempotently; the Stripe customer portal handles cancellations + invoice viewing. /settings/billing/health surfaces operator-readable diagnostics with no secret leakage.

Workspace architecture

Multi-tenant workspaces with role-based access control (Owner / Admin / Operator / Analyst / Support / Readonly). Every Agent + MCP + billing action is workspace-scoped at the query layer. Workspace switcher in the sidebar persists the operator's preference via a HttpOnly cookie that is re-validated against current memberships on every request.

Identity visibility

Operator profile in the sidebar footer with display name, role pill, plan pill, and copyable user ID. Account page (/settings/account) gains Identity / Memberships / Security / Privacy sections plus a Recent operator activity widget that surfaces the last 10 audit-log entries with re-sanitised metadata.

Security improvements

API keys hashed at rest (sha256). Reset tokens hashed at rest (sha256). Stripe webhook secret verified on every receive; replays idempotent via the stripe_event_id unique index. MCP requests fully audited including auth-failure paths (revoked-key reuse, plan-locked attempts). Privacy posture unchanged: no third-party cookies, no fingerprinting, no raw IP storage.

Operator workflow improvements

Detect → Prioritise → Prepare → Execute → Verify → Remember lifecycle visible across the Agent, MCP setup, and /agent marketing pages. Operator approval required for every change — no autonomous deploy, no auto-merge, no hidden execution. Same review-first model whether the operator works in the dashboard or through Claude.

Migration notes

Applying this release requires database migrations 0014 (workspaces + RBAC), 0015 (billing), 0016 (M53.1 hardening + onboarding milestones), and 0017 (api_keys). All are additive and idempotent. Set the documented env vars before exposing public CTAs.

Required env: DATABASE_URL, DASHBOARD_ADMIN_EMAIL, DASHBOARD_ADMIN_PASSWORD, DASHBOARD_SESSION_SECRET.
Public signup: CORE_SIGNUP_ENABLED=true.
Stripe: STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, STRIPE_PRICE_PRO, STRIPE_PRICE_AGENCY, STRIPE_PRICE_BUSINESS.
Cross-app linking: NEXT_PUBLIC_DASHBOARD_URL on both apps/web and apps/dashboard deployments.
Email: RESEND_API_KEY, EMAIL_FROM (or RESEND_FROM_EMAIL).

What's next

The MCP surface ships read-only today. Future write tools (e.g. approve_recommendation) will land behind their own RBAC permission and an explicit operator opt-in. Workspace-aware Supabase Auth + Google Sign-In is a separate planned sprint. The changelog you're reading is the public-side of that work.

Infrastructure notes

Migrations 0014 / 0015 / 0016 / 0017 applied in order; each is idempotent.
No new background services; everything runs on the existing Next.js + Postgres footprint.
Stripe is the only new third-party integration. No card data or webhook payloads stored locally.

Security notes

API keys + reset tokens hashed at rest with sha256.
Stripe webhook signature verified on the raw body before any state mutation.
Workspace isolation enforced at the query layer — no API request can resolve to another workspace's data.
Audit log captures revoked-key reuse + plan-locked auth attempts.

Identity + operator visibility

Operator profile in the sidebar, workspace switcher, identity / memberships / security / privacy sections on /settings/account.

Workspace switcher at the top of the dashboard sidebar with HttpOnly-cookie-persisted selection and full server-side membership validation.
Operator profile in the sidebar footer: user badge, role pill, plan pill, copyable user ID, and dropdown menu.
/settings/account redesigned with Identity, Memberships, Security, and Privacy sections plus a Recent operator activity widget.
+ 1 more — see the release page

Read release notes →