Changelog

Last updated: 2026-07-08

2026-07-08 — Per-risk safety pages: every idea, richer schema

IMPROVED

Each /agent-safety/<code> page now lists every idea that tripped that OWASP-MCP risk — a proper paginated card list, not just a handful of samples — and every card links straight through to its /result page.

IMPROVED

Richer structured data on those pages: SoftwareApplication (marked free), ItemList of the flagged ideas, and a FAQPage answering what the risk is, how many ideas trip it, and how to mitigate it — all grounded in the real corpus, not a generic checklist.

IMPROVED

On every /result page, all three OWASP-MCP risk chips now deep-link to their per-risk page (not just the top one), so a fresh roast feeds traffic into each risk surface. Still free, still no signup.

2026-07-07 — Roast an idea from Slack or Discord

NEW

New /roastthis <idea> slash command for Slack and Discord. It replies right in the channel with the verdict tier, the readiness score, the top risk, and the “you’re the X% who…” framing — plus a button that opens the full /result page, so the link unfurls to the same share card everywhere.

NEW

Same engine as the website: every channel roast mints a real, shareable result page and runs through the same rate limits and budget guards. Requests are signature-verified (fail closed if a bot isn’t configured). Still free, still no signup.

2026-07-06 — One-tap “Download card” (client-side PNG)

NEW

Every verdict now has a “Download card” button that rasterizes a shareable card to a PNG entirely in your browser — nothing is uploaded, no server round-trip. Pick portrait (1080×1350, for stories & status) or landscape (1200×630, the same shape as the link preview). Saves as whycant-<slug>.png.

NEW

Same one-tap card on /battle (the losing side is dimmed) and /recap. It reuses the OG card’s own design tokens, so the saved image matches what X / LinkedIn / WhatsApp render as the preview.

NEW

Portrait was the piece the earlier Save card button (2026-06-27) deliberately skipped. Still no signup, no paywall — the image is generated on your device.

2026-07-05 — Ship It Anyway: the version that survives

NEW

Every roast now ends with a “Ship It Anyway” wedge on /result/[id]: the one differentiator that isn’t already taken, the single riskiest assumption to test first, and the honest cost (plus who this is not for). It’s the roast that then dares you — generated in the same Claude call as the verdict, so no extra API round-trip, and persisted with the result.

NEW

The wedge rides the share card too: the per-result OG image (/api/og/[id]) now paints the differentiator in a “the version that survives” band, so the salvage plan is screenshot-native and travels with the link.

NEW

The section closes into the existing free 20-minute Cal.com scoping call, reframed as “pressure-test this wedge live” — no new form, no email capture, no signup. The wedge is also machine-readable in each result’s llms.txt and feeds the /agent-for/[topic] hub (a new “how do you build a {topic} agent that isn’t already dead” FAQ answer), so it’s a durable, indexable long-tail surface.

2026-07-04 — Made the idea-topic pages discoverable

FIX

The /agent-for/[topic] long-tail pages rendered fine but were invisible: the index-gate (AGENT_FOR_INDEX_THRESHOLD) defaulted to 3 real matching ideas, and with the current corpus no topic cleared it — so every page was noindex and the sitemap listed zero of them. Dropped the default to 1: one real matching roast is enough differentiated content to index; genuinely empty topics still stay noindex and out of the sitemap.

NEW

New /agent-for hub that links every topic grouped by category, a “Browse by idea” shelf on /explore, and a footer link — so crawlers, LLMs, and humans finally have an internal path into the topic shelf (previously it had no inbound links).

2026-06-13 — Book a live scoping call from the result page

NEW

The result-page scope CTA is now a one-click inline Cal.com booking (@calcom/embed-react): click “Book 20 min — free” and the calendar opens inline, themed to match the site. The embed is lazy — it loads only on click, so a normal result view pays zero embed cost and nothing blocks the page's ISR.

NEW

The booking notes are pre-filled with the result id + verdict tier (mirrored into Cal metadata), so the call context is attached to whatever lands in the calendar.

NEW

scope_cta_view + scope_cta_click beacons reuse the existing /api/analytics/share rollup (excluded from the share counter). The /api/contact consult form stays as an email fallback, now linked from the CTA. Added a non-conflicting Service JSON-LD for the free call.

2026-06-11 — A/B framing experiments (operator-facing)

NEW

Deterministic, no-PII variant assignment (lib/experiments.ts): a result's id hashes into an A/B bucket for the OG share-card framing eyebrow, and an anonymous localStorage bucket drives the homepage headline copy. Same input → same bucket, on server and client.

NEW

The existing beacons (/api/analytics/share, /api/views/[id]) now record the variant tag alongside each event — additive fields only, old payloads still work.

NEW

New auth-gated /admin/experiments reads share + view counts grouped by variant and shows share-rate with a two-proportion confidence note. Read-only; the numbers are exactly what's in the store.

2026-06-09 — Public webhooks: get pinged when a verdict lands

NEW

New POST /api/webhooks registers a subscriber (target_url, events, optional result_id scope). Subscribe to verdict.created for every new roast, or near_duplicate.submitted to get told when someone submits a near-duplicate of an idea you're watching.

NEW

Deliveries are signed (X-Whycant-Signature, HMAC-SHA256 over the body) and retried with exponential backoff, dead-lettering after 6 failures. Targets are SSRF-checked — https only, no internal/metadata IPs, DNS re-resolved before every send.

NEW

GET /api/webhooks lists your subscriptions and DELETE /api/webhooks/[id] unsubscribes — both scoped by the signing secret we hand you at registration. No account required.

2026-06-07 — Percentile framing: how rare is your verdict?

NEW

Every /result/[id] now states where its verdict ranks against the whole corpus — one roast-voice line under the badge, e.g. “Only 4% of ideas get this verdict. Frame it.” for SHUT_UP_AND_TAKE_MY_MONEY, or “You and 31% of everyone else. Congratulations on inventing the wheel.” for ALREADY_EXISTS. Pure distribution math over the existing verdict store — no new AI call.

NEW

The share card (/api/og/[id]) carries the same stat (“Top X% — told to ship”), so the percentile travels with every link. Existing OG images are cache-busted so platforms re-fetch the new card.

NEW

Home counter strip upgraded to the doctrine pattern: {total} ideas roasted · {x}% told to ship · {y}% already exist”, sourced from the same 30s-cached distribution behind /api/stats.

2026-05-25 — Topic landing pages (programmatic SEO)

NEW

New programmatic surface at /agent-for/[topic] — ~60 seed topics (e.g. customer-support, incident-triage, lease-review) each rendering verdict distribution, top-shared roasts, the best one-liner, and a competitor snapshot — all assembled at ISR time from real published analyses that keyword-match the topic. No boilerplate; every page is unique to its corpus.

NEW

Per-topic share row + schema.org ItemList + FAQPage JSON-LD + OG card reusing the existing /api/og/[id] route, anchored to each topic's featured (most-shared) result.

FIX

Indexability is gated, not unconditional. Topics below a threshold of three matching analyses render the “roast the first one” CTA but emit robots:noindex and are excluded from the sitemap. Promotion happens automatically on the next ISR pass once the corpus catches up. This is the helpful-content-update defense — we'd rather publish a dozen substantive pages than sixty thin ones.

2026-05-24 — Save the card people actually see

FIX

The result page “Save” button now downloads the canonical OG card straight from /api/og/[id] instead of rasterising the hero <div> client-side. The file you save is now byte-identical to what X, LinkedIn, and Slack render as the link preview — same 1200×630 layout, same verdict colour, same radar. Removes the html-to-image code path from ShareBar and the dead heroRef plumbing that fed it.

2026-05-23 — Share-first result page

NEW

On premium-tier verdicts (SHUT_UP_AND_TAKE_MY_MONEY, GENUINELY_BRILLIANT, ACTUALLY_NOT_BAD), an above-the-fold “Steal this idea →” secondary CTA next to “Try Your Own Problem” links straight to the claim board. Hidden on non-claimable verdicts so it never points anywhere useless.

FIX

Production-readiness odds, OWASP-MCP risk badges, and the governance checklist are now collapsed into a single “How this was generated” disclosure (<details>) below the fold — defaults closed. Trust and provenance information is still on every result, just not interrupting the verdict→share read. Nothing was deleted.

2026-05-17 — JSON envelope fix

FIX

Verbose problem descriptions were silently failing — Claude's JSON response was being truncated at the 2048-token cap and falling through to a generic 500. Bumped the output ceiling to 4096, and truncations now surface as a 422 with a useful “try a shorter version” message instead of a black-box error.

2026-05-04 — Health endpoint + freshness pulse

NEW

/api/health public endpoint returning model pin, live count, and last-published timestamp.

NEW

Home page now shows a “last published” micro-stat alongside the running total. Repeat visitors can see the site is alive at a glance.

FIX

/api/stats now exposes live_count separately from total — the former counts only non-expired results, the latter is the all-time roast count.

v0.5.0 — 2026-04-29 — Honest odds

NEW

Production-readiness odds on every result — a single number, with a governance checklist underneath that grades the idea against the real things that kill agent projects (cost modeling, eval harness, abuse surface, kill-switch posture).

NEW

“Honest variant” renderer for the readiness score — shows you why a 38/100 isn't the same flavor of 38 as someone else's 38.

v0.4.0 — 2026-04-27 — Distribution surfaces

NEW

Embeddable readiness badge — drop a one-line snippet on your site and it renders the verdict + score from your roast.

NEW

Per-result llms.txt at /result/[id]/llms.txt — a plain-text feed crawlers and LLMs can ingest without parsing our HTML.

NEW

Public ?explain=1 query param opens an inline rationale panel on result pages without forcing a separate route.

NEW

Sora-generated hero banner on the home page.

v0.3.0 — 2026-04-26 — Cacheable result pages

NEW

/result/[id] moved from force-dynamic to ISR (revalidate=86400) and wrapped in unstable_cache — every result is now CDN-cacheable. View-counting moved to a client beacon so it doesn't bust the cache on first paint.

NEW

F-N1 “Build this with” bootstrap on every result — one-click starter context for shipping the agent the verdict describes.

NEW

F-N5 OWASP-MCP threat badges on results that touch tool-calling surfaces.

FIX

generateStaticParams added to /result/[id] for genuine static prerendering.

v0.2.0 — 2026-04-25 — Score + claim board

NEW

F1 Agent-Readiness Score — the 0-to-100 number that gates the rest of the verdict UI.

NEW

F2 “Steal This Idea” claim board — public list of unbuilt agents anyone can claim.

FIX

Apex canonical unification, breadcrumb JSON-LD on every content page, sitemap dedup (was double-listing /explore/hall-of-fame and /hall-of-fame), audit CI on PRs.

2026-04-20 — Post-Vercel-disclosure rotation

SECURITY

Every secret rotated at its source and re-added to Vercel with the “Sensitive” flag set, in response to the 2026-04-19 Vercel env-var enumeration disclosure. See /security for the full incident timeline.

SECURITY

Admin endpoints moved off query-param auth to an x-admin-key header with constant-time compare.

SECURITY

Pre-commit gitleaks hook, GitHub Secret Scanning, and Push Protection all turned on at the repo level. URLs returned by the AI for competitor links are now validated (HTTPS-only, no credentials-in-URL, no IP literals, tracking params stripped) before rendering.

Model pin

Current Anthropic model: claude-sonnet-4-6. Pinned in lib/model.ts as the single source of truth — privacy, security, and changelog pages all read from it. We bump it deliberately, not on release-day reflex.

What this page is and isn't

This is a curated changelog, not an automated commit feed. Internal refactors, cache-busting redeploys, and chore-tier commits don't show up here. If you want the full history, the repo is public.