# Changelog

## 6.82.190 — 2026-07-12

- Added controlled HTTP 204 handling for all `/api/*` OPTIONS requests without enabling permissive cross-origin access.
- Closed the public form API preflight 404 found during the Node runtime recheck.
- Added a regression contract for API preflight handling and unrestricted-CORS prevention.
- Rebuilt the final Next.js output and regenerated route/asset evidence from the rendered build so stale chunk hashes cannot be certified.

## 6.82.189 — 2026-07-12

- Added HTTP HEAD support for `/api/mpc/listing-image/*`, image-slot assets, Next static assets, liveness and readiness probes.
- Closed 77 asset-validator 404 responses while preserving the existing GET image delivery and cache controls.
- Rebuilt and re-audited all public routes, internal destinations, assets and downloads for the staging candidate.
- Removed generated `.next/server` and `.next/static` source maps after each clean production build.

## 6.82.188 — 2026-07-12

- Removed hard-coded CloudLinux Passenger paths from the distributed release.
- Stopped the release from overwriting cPanel-managed `.htaccess` and `node_modules`.
- Added idempotent `.htaccess` hardening merge with automatic backup and preservation of Passenger/environment blocks.
- Added Node 20/cPanel preflight checks and a selector-safe deployment path that uses `npm install`, not `npm ci`.
- Added explicit recovery instructions for CloudLinux generic SAVE/DESTROY errors and stale application locks.
- Rebuilt the source-matched Next.js production output as v6.82.188.

## 6.82.188 — 2026-07-11

- Hardened staging environment defaults so absent configuration cannot select production behaviour.
- Enforced canonical staging HTTPS redirects in middleware, Passenger runtime and Apache configuration.
- Added per-request CSP nonces, strict executable-content controls and removal of legacy inline event attributes.
- Added unique request correlation IDs plus distinct `/healthz` liveness and `/readyz` dependency-readiness endpoints.
- Forced staging noindex/nofollow through headers and rendered metadata, including direct runtime HTML.
- Corrected the legacy Ingwe route to a direct canonical redirect.
- Rebuilt and verified the Next.js production artifact; removed public source maps.
- Added complete Codex compliance, route, performance, security, test, deployment and promotion reports.

## Historical releases

## 6.82.186 — Route Atlas Codex 2.1 commercial PDF repair

- Rebuilt all seven paid Route Atlas guides as tagged, searchable, accessible PDFs.
- Corrected route conflicts, placeholders, clipping, overlap, metadata, verification and purchaser-licence defects.
- Integrated Route Atlas product version 2.0.0 as a protected paid/manual-fulfilment bundle.
- Preserved payment processing as disabled and kept the customer ZIP outside public paths.
- Rebuilt and validated the staging production output and cPanel package.

## 6.82.185 — Staging deployment and private bundle integration

- Uses v6.82.184 MPC Kidz Production Ready as the sole baseline.
- Packages the Route Atlas Flagship Edition and First-Time Visitors Bundle in protected private storage.
- Keeps both commercial bundles out of the default public product catalogue.
- Adds exact cPanel staging deployment configuration for `staging.marlothparkcentral.com`.
- Adds staging noindex/robots verification and a private-bundle integrity audit.
- Retains disabled payment processing until an approved provider is configured.

## 6.82.184 — MPC Kidz production-ready division

- Added the complete 50-product MPC Kidz catalogue and five bundle structures.
- Added 50 protected A4 masters, 10 US Letter launch variants, 11 free public PDFs and six public samples.
- Added catalogue search, filtering, sorting, progressive loading and shareable filter URLs.
- Added product, bundle, parent, safety, conservation, printable, digital, free and Junior Ranger routes.
- Added product/bundle SEO, canonical metadata, Open Graph assets, ItemList, CreativeWork, breadcrumb and visible-FAQ schema.
- Added privacy-conscious analytics events through the existing MPC mechanism.
- Added protected admin inventory and maintainable JSON/TypeScript schema validation.
- Added route, download, product, PDF, filter, SEO and accessibility audits.
- Added responsive Kidz artwork and corrected the production runtime HTML/RSC boundary.
- Preserved the seven existing interactive Kidz activities and local-only child progress.
- Kept payments, checkout, subscriptions and premium public downloads disabled.
