Quickback Docs

Changelog

Release notes and version history for the Quickback compiler, CLI, and platform.


v0.5.11 — February 24, 2026

Email OTP & Auth Fixes

  • Fixed email-OTP magic links not working correctly
  • Removed deprecated /internal/validate endpoint — use standard Better Auth session validation instead
  • Auth is now required for all API routes when running locally (previously some routes were unprotected in dev)

Multiple Table Exports Fix

  • Fixed a compiler error when a single file exports multiple Drizzle tables alongside a defineTable() default export
  • The CLI now properly detects and reports this with a clear error message pointing to the fix

Headless Drizzle Rename Hints

  • Added compiler.migrations.renames configuration for CI/CD environments where Drizzle's interactive rename prompts would block compilation
  • Compile errors now include explicit rename key paths and fail fast on malformed rename config keys
  • See Configuration for details

Security Contract Report Artifacts

  • Added generated security contract artifacts to compiler output:
    • reports/security-contracts.report.json
    • reports/security-contracts.report.sig.json
  • Added config-driven signing controls:
    • compiler.securityContracts.report.signature.enabled
    • compiler.securityContracts.report.signature.required
    • compiler.securityContracts.report.signature.key / keyEnv / keyId
  • Missing required signing keys now fail loudly with explicit remediation guidance
  • Added strict config validation for report/signature paths and signing options

Mandatory Unsafe Action Audit Trail

  • Added structured unsafe action config (unsafe: { reason, adminOnly, crossTenant, targetScope })
  • Cross-tenant unsafe actions now require Better Auth authentication plus platform admin role (ctx.userRole === "admin")
  • Added mandatory audit logging for unsafe cross-tenant actions (success, denial, and error paths)
  • Cloudflare output now includes optional AUDIT_DB wiring, drizzle.audit.config.ts, and db:migrate:audit:* scripts when unsafe actions are present
  • Added compile-time raw SQL guard for actions and handlers (allowRawSql: true required per action)
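
The gate and the three audit paths (success, denial, error) described above, as an added example that is not Quickback's generated code. runUnsafeAction, AuditRow and the audit callback are hypothetical names, and giving adminOnly the same admin-role requirement as crossTenant is an assumption.

```typescript
// Added example, not Quickback's generated code. runUnsafeAction, AuditRow and the
// audit callback are hypothetical; the unsafe fields and ctx.userRole are from the changelog.
interface UnsafeConfig { reason: string; adminOnly: boolean; crossTenant: boolean; targetScope: string }
interface Ctx { userId: string | null; userRole: string; activeOrgId: string }
interface AuditRow {
  action: string; actor: string | null; org: string; reason: string;
  targetScope: string; outcome: "success" | "denied" | "error"; detail?: string;
}

async function runUnsafeAction<T>(
  action: string,
  unsafe: UnsafeConfig,
  ctx: Ctx,
  audit: (row: AuditRow) => Promise<void>, // stands in for an insert into the audit database
  execute: () => Promise<T>,
): Promise<T> {
  const base = { action, actor: ctx.userId, org: ctx.activeOrgId, reason: unsafe.reason, targetScope: unsafe.targetScope };
  // Cross-tenant actions need an authenticated user AND the platform admin role.
  // Treating adminOnly the same way is an assumption of this example.
  const needsAdmin = unsafe.crossTenant || unsafe.adminOnly;
  const allowed = ctx.userId !== null && (!needsAdmin || ctx.userRole === "admin");
  if (!allowed) {
    await audit({ ...base, outcome: "denied" }); // denial path: recorded before rejecting
    throw new Error("unsafe action denied: " + action);
  }
  let result: T;
  try {
    result = await execute();
  } catch (err) {
    const detail = err instanceof Error ? err.message : String(err);
    await audit({ ...base, outcome: "error", detail }); // error path: recorded, then rethrown
    throw err;
  }
  // Success path: written before returning, so a failed audit write fails the action.
  await audit({ ...base, outcome: "success" });
  return result;
}
```

Because the success record is awaited before the result is returned, an unavailable audit store blocks the unsafe action instead of letting it complete unlogged.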

v0.5.10 — February 19, 2026

Compiler Page Parsing & CLI Output

  • Improved compiler page parsing for definePage() definitions
  • Better CLI output formatting during compilation
  • Added apiPath to schema registry for CMS integration

Bug Fixes

  • Fixed hyphenated action names not being properly quoted in generated code (e.g., mark-complete now generates valid JavaScript)
  • API key authentication (x-api-key header) is now handled separately from session tokens (Bearer header)

v0.5.9 — February 16, 2026

CMS Pages & CLI Page Support

  • Added definePage() support for CMS-managed pages
  • Auth middleware improvements for page routes
  • CLI now supports page definitions alongside table and action definitions

v0.5.8 — February 14, 2026

CMS App

  • Introduced the Quickback CMS — a schema-driven admin panel that connects to your generated API
  • CMS namespace added to actions for admin-specific operations
  • Fixed guardaccess naming inconsistency in CMS action definitions

Schema Registry & Firewall Improvements

  • Added schema registry generator — the compiler now outputs a JSON schema registry used by the CMS
  • Firewall error modes: choose between reveal (403 with details) and hide (opaque 404) for security-sensitive deployments

Bug Fixes

  • Fixed anonymous user email format generation
  • Organization selector improvements in Account UI
  • Config validation now catches more errors at compile time
  • Better CRUD error handling with structured error responses
  • Fixed masking to use representative star counts instead of fixed formatting

v0.5.7 — February 12, 2026

Scoped Database for Actions

Actions now receive a security-scoped database instead of a raw Drizzle instance. The compiler generates a proxy wrapper that automatically enforces org isolation, owner filtering, and soft-delete visibility — the same protections that CRUD routes have always had.

The scoped DB uses duck-typed column detection at runtime:

| Column Detected | SELECT / UPDATE / DELETE | INSERT |
|---|---|---|
| organizationId | Adds WHERE organizationId = ? | Auto-injects organizationId from context |
| ownerId | Adds WHERE ownerId = ? | Auto-injects ownerId from context |
| deletedAt | Adds WHERE deletedAt IS NULL | |

This means every action is secure by default — no manual WHERE clauses needed.

defineActions(todos, {
  complete: {
    type: "record",
    execute: async ({ db, ctx, record, input }) => {
      // db is scoped — only sees records in user's org, excludes soft-deleted
      const siblings = await db.select().from(todos);
      // ↑ automatically filtered to ctx.activeOrgId + deletedAt IS NULL
    },
  },
});
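
The duck-typed scoping rules above, as an added example (not the compiler's generated proxy): it builds parameterized SQL strings instead of wrapping Drizzle, and the Table shape and function names are assumptions.

```typescript
// Added example, not Quickback's generated proxy. Table, Ctx and the function
// names are hypothetical; the three column names come from the table above.
interface Ctx { activeOrgId: string; userId: string }
interface Table { name: string; columns: string[] }
interface Query { sql: string; params: unknown[] }

const has = (t: Table, col: string): boolean => t.columns.indexOf(col) !== -1;

// Duck-typed detection: the filters depend only on which columns the table has.
function scopeFilter(t: Table, ctx: Ctx): { where: string[]; params: unknown[] } {
  const where: string[] = [];
  const params: unknown[] = [];
  if (has(t, "organizationId")) { where.push("organizationId = ?"); params.push(ctx.activeOrgId); }
  if (has(t, "ownerId")) { where.push("ownerId = ?"); params.push(ctx.userId); }
  if (has(t, "deletedAt")) where.push("deletedAt IS NULL");
  return { where, params };
}

// SELECT / UPDATE / DELETE: the caller's condition is parenthesized and ANDed
// with the scope, so an OR inside it cannot widen the result past the tenant.
function scopedSelect(t: Table, ctx: Ctx, extra?: Query): Query {
  const scope = scopeFilter(t, ctx);
  const where = scope.where.slice();
  const params = scope.params.slice();
  if (extra) { where.push("(" + extra.sql + ")"); params.push(...extra.params); }
  const tail = where.length ? " WHERE " + where.join(" AND ") : "";
  return { sql: "SELECT * FROM " + t.name + tail, params };
}

// INSERT: scoped columns are taken from context. Overwriting a caller-supplied
// value (rather than rejecting it) is an assumption of this example.
function scopedInsert(t: Table, ctx: Ctx, values: Record<string, unknown>): Record<string, unknown> {
  const row: Record<string, unknown> = { ...values };
  if (has(t, "organizationId")) row["organizationId"] = ctx.activeOrgId;
  if (has(t, "ownerId")) row["ownerId"] = ctx.userId;
  return row;
}

// Constructed sample table and context.
const todos: Table = { name: "todos", columns: ["id", "title", "organizationId", "ownerId", "deletedAt"] };
const ctx: Ctx = { activeOrgId: "org_a", userId: "user_1" };
console.log(scopedSelect(todos, ctx, { sql: "title = ? OR 1 = 1", params: ["x"] }));
console.log(scopedInsert(todos, ctx, { title: "t", organizationId: "org_b" }));
```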

Unsafe Mode

Actions that intentionally need to bypass security (admin reports, cross-org queries, migrations) can declare unsafe: true to receive a raw, unscoped database handle:

defineActions(analytics, {
  globalReport: {
    unsafe: true,
    execute: async ({ db, rawDb, ctx, input }) => {
      // db → still scoped (safety net)
      // rawDb → bypasses all security filters
      const allOrgs = await rawDb.select().from(organizations);
    },
  },
});

Without unsafe: true, rawDb is undefined.

Related docs: Actions, Actions API


Cascading Soft Delete

Soft-deleting a parent record now automatically cascades to child and junction tables within the same feature. The compiler detects foreign key references at build time and generates cascade UPDATE statements.

DELETE /api/v1/projects/:id

Generated behavior:

// 1. Soft delete the parent
await db.update(projects)
  .set({ deletedAt: now, deletedBy: userId })
  .where(eq(projects.id, id));

// 2. Auto-cascade to children (compiler-generated)
await db.update(projectMembers)
  .set({ deletedAt: now, deletedBy: userId })
  .where(eq(projectMembers.projectId, id));

await db.update(projectTasks)
  .set({ deletedAt: now, deletedBy: userId })
  .where(eq(projectTasks.projectId, id));

Rules:

  • Only applies to soft delete (the default). Hard delete relies on database-level ON DELETE CASCADE.
  • Only cascades within the same feature — cross-feature references are not affected.
  • Child tables must have deletedAt / deletedBy columns (auto-added by the compiler's audit fields).

Related docs: Actions API — Cascading Soft Delete


Advanced Query Parameters

New query parameter capabilities for all list endpoints:

  • Field selection: ?fields=id,name,status returns only the columns you need
  • Multi-sort: ?sort=status:asc,createdAt:desc sorts by multiple fields
  • Total count: ?count=true returns total matching records in response headers (X-Total-Count)
  • Full-text search: ?search=keyword searches across all text columns

# Get only names and statuses, sorted by status then date, with total count
GET /api/v1/todos?fields=id,name,status&sort=status:asc,createdAt:desc&count=true

# Search across all text fields
GET /api/v1/todos?search=urgent

Related docs: Query Parameters


Audit Field Improvements

  • deletedAt and deletedBy fields are now always injected by the compiler for tables with soft delete enabled — no need to define them in your schema
  • All audit fields (createdAt, createdBy, modifiedAt, modifiedBy, deletedAt, deletedBy) are auto-managed

v0.5.6 — February 8, 2026

Database Naming Conventions

  • Default table and column naming changed to snake_case with usePlurals: false
  • Table names derived from generated Better Auth schema for consistency
  • Removed legacy single-database mode — split databases (auth + features) is now the standard

Auth Variable Shadowing Fix

  • Fixed member variable in auth middleware that shadowed the Drizzle member table import
  • Renamed to sessionMember to avoid conflicts in generated routes

v0.5.5 — February 5, 2026

Better Auth Plugins

  • Published @kardoe/better-auth-upgrade-anonymous v1.1.0 — post-passkey email collection flow
  • Published @kardoe/better-auth-combo-auth — combined email + password + OTP authentication
  • Published @kardoe/better-auth-aws-ses — AWS SES email provider for Better Auth

OpenAPI Spec Generation

  • Generated APIs now include a full OpenAPI specification at /openapi.json
  • Better Auth endpoints included in the spec
  • Runtime route: GET /openapi.json

Security Hardening

  • Global error handler prevents leaking internal error details
  • Security headers middleware (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
  • BETTER_AUTH_SECRET properly passed to generated config

v0.5.4 — January 30, 2026

Account UI

  • Pre-built authentication UI deployed as Cloudflare Workers
  • Features: sessions, organizations, passkeys, passwordless, admin panel, API keys
  • Dual-mode: standalone (degit template) or embedded with Quickback projects

Webhook System

  • Inbound webhook endpoints with signature verification
  • Outbound webhooks via Cloudflare Queues with automatic retries
  • Configurable per-feature webhook events
  • Durable Objects + WebSocket realtime subscriptions
  • Vector embeddings via Cloudflare Vectorize
  • KV and R2 storage integrations

v0.5.0 — January 2026

Initial Release

  • Quickback Compiler — TypeScript-first backend compiler
  • Four Security Pillars — Firewall, Access, Guards, Masking
  • defineTable() — Schema + security configuration in a single file
  • Templates — Cloudflare Workers, Bun standalone, B2B SaaS
  • Cloud Compiler — Remote compilation via compiler.quickback.dev
  • CLI: quickback create, quickback compile, quickback init
  • Better Auth Integration — Organizations, roles, sessions
  • Drizzle ORM — Schema-first with automatic migrations
  • Cloudflare D1 — Split database support (auth + features)
