M53Released May 15, 2026

SaaS onboarding + Stripe billing

Self-serve signup, the onboarding wizard, the three-plan Stripe model, real Checkout + customer portal, and plan enforcement on /api/sites.

Onboarding Billing Core

Highlights

Self-serve signup (gated by CORE_SIGNUP_ENABLED) replaces the request-access flow.
Onboarding wizard: workspace → first site → tracker snippet → first event → /onboarding/success.
Three plans wired end-to-end: Pro $49/mo (Core + Agent), Agency $199/mo (Core + Agent + Team Operations), Business custom (Core + Agent + Advanced).
Stripe Checkout + customer portal; signature-verified webhooks update workspace_subscriptions idempotently.
Plan enforcement on POST /api/sites returns 402 plan_site_limit_reached with the next-plan cap.
CashWorkspace bundled with every paid plan.

Why this matters

Before M53, WebmasterID was a private-access platform. After M53, an operator can sign up, install the tracker, see their first event, and upgrade through Stripe — without operator intervention.

Schema additions

Migration 0015 adds workspace_subscriptions (plan_id + Stripe pointers + period state) and billing_audit_logs (idempotency via stripe_event_id unique index). Both are additive; existing workspaces resolve to Free until a Stripe row exists.

Webhook contract

POST /api/billing/webhook verifies the raw body signature, idempotently inserts an audit row, and updates plan / status / period_end via stable Stripe event handlers. The customer portal handles cancellations + invoice viewing inside Stripe — no card data ever lands locally.

Self-serve gate

/signup honours CORE_SIGNUP_ENABLED. When the gate is closed the form renders a clear 'Signup is disabled because CORE_SIGNUP_ENABLED is not enabled' message rather than a generic empty state. The bootstrap window (zero users) is preserved for first-deploy admin creation.

Infrastructure notes

Migration 0015_m53_billing.sql adds workspace_subscriptions + billing_audit_logs.
STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, STRIPE_PRICE_PRO, STRIPE_PRICE_AGENCY, STRIPE_PRICE_BUSINESS required for live billing.
Cross-app linking via NEXT_PUBLIC_DASHBOARD_URL.

Activation polish + API keys + MCP setup

Welcome email auto-fire, the api_keys infrastructure, /settings/mcp documentation, /getting-started richer post-first-event page, and three Claude/MCP SEO landing pages.

Welcome email auto-fires from /api/auth/signup. Delivery failure never blocks signup; production never falls back to logging plaintext tokens.
Migration 0017 adds the api_keys table — sha256 hash at rest, six-char prefix, plaintext shown once, workspace-scoped + RBAC-gated.
/settings/api-keys ships with one-time plaintext reveal, label + create + revoke flow, audit-log writes.
+ 3 more — see the release page

Read release notes →

M52May 14, 2026

InfrastructureUXCore

Platform stabilization — route registry, sidebar, dashboard chrome

Closed-allow-list dashboard route registry, maturity-aware sidebar rendering, and route-health diagnostics. The substrate the rest of M53 / M54 / M55 builds on.

M52-core route registry — single source of truth for every dashboard route's maturity, RBAC permission, and sidebar visibility.
Sidebar items render based on maturity (stable / beta / coming-soon hidden / broken / experimental hidden) so the chrome reflects what the operator can actually use.
Route-health diagnostics surface broken / experimental routes in the dashboard's diagnostics view rather than 404-ing operators.
+ 1 more — see the release page

Read release notes →