What changed

Public API v1 + workspace tokens

• New endpoints `/api/v1/sprint/analyze`, `/api/v1/qa/review`, and `/api/v1/me`.
• Opaque `spm_live_*` tokens with granular scopes (pm:*, qa:*).
• Settings → API tokens UI to create/revoke tokens and view usage.
• Public `/status` page with live health checks.

2FA TOTP + CSP + distributed rate limiter

• TOTP 2FA (RFC 6238) with encrypted secret and intermediate login challenge.
• Rate limiter on Upstash Redis (REST) with in-memory fallback.
• Content-Security-Policy + global security headers.
• GDPR no-tracking cookie banner on the root layout.

Admin dashboard + standalone pricing + contact form

• `/admin` gated by ADMIN_EMAILS with estimated MRR, signups, and plan breakdown.
• `/pricing` with a 16×5 feature comparison table and FAQ.
• `/contact` form to internal inbox + Enterprise CTA.

Audit log + GDPR data rights + welcome email

• Immutable `audit_log` table with auto-logging at 9 critical points.
• `/api/account/delete` with soft tombstone (GDPR right to erasure).
• `/api/workspace/:id/export` downloads JSON for the whole workspace.
• Welcome email via Resend when onboarding completes.
• Sitemap + robots.txt using Next 14 conventions.

Onboarding wizard + OAuth (GitHub/Slack/Linear)

• Three-step wizard on first login.
• OAuth with HMAC-signed state and AES-256-GCM encrypted tokens.
• Integrations page in Settings with badges and block reasons.

Settings + team invites

• `/app/settings` panel: account, workspace, members, billing.
• Email invites with opaque tokens and 7-day TTL.
• Personal workspace created idempotently on signup.

Stripe billing + Postgres + transactional email

• Checkout and billing portal with a zero-dep Stripe REST client.
• User store migrated to Neon Postgres.
• Email verification + forgot password via Resend.