Changelog

All notable changes to Bulk Email Boxer. Latest at top.

2026-05-03

Lead-import dedup with helpful UX: duplicate emails within an upload (or already in the campaign) are skipped and the user sees a toast counting exactly what was dropped, with a "find more leads" link.
11 prerendered competitor comparison pages at /alternatives/{competitor} (Instantly, Smartlead, Apollo, Lemlist, Mailshake, Reply.io, Woodpecker, Saleshandy, QuickMail, Outreach, Salesloft).
Standalone /pricing, /faq, /about pages with rich JSON-LD (Product/Offer, FAQPage, AboutPage, BreadcrumbList).
/llms-full.txt — concatenated full content of every blog post for one-shot LLM ingestion.
Prerendered static HTML for all 11 blog posts so AI crawlers (GPTBot, ClaudeBot, OAI-SearchBot, PerplexityBot, etc.) can read them.
Crash-recovery dedup on email send: every dispatched job carries a dispatch_token UUID; workers refuse to send if the token is stale, preventing duplicate sends after a crash recovery.
Stripe invoice.paid webhook handler resyncs subscription state on trial → active conversions that don't always fire customer.subscription.updated.

Removed the Coming Soon page; site is live for everyone.
Expanded robots.txt from 7 to 22 explicit AI-crawler allow rules.
Sitemap grew from 12 to 30 URLs and now includes per-post lastmod dates.
RSS feed switched from description-only to full <content:encoded> blocks for LLM aggregator pickup.
Auth: case-insensitive email lookup so Foo@x.com and foo@x.com no longer create two separate trials.

JIT user-creation race condition on concurrent first-logins (web + mobile tab opened simultaneously) — now resolves cleanly via IntegrityError catch instead of a 500.
Cloud Tasks executor: production now defaults to refusing the in-process mock fallback when ENVIRONMENT env var is unset.
Trial-reminder Cloud Tasks endpoint returns 503 (instead of 200) when SMTP transport is unavailable, so reminders retry instead of vanishing.
Vercel rewrite no longer shadowed prerendered static pages at /pricing, /about, /faq, /alternatives/*.
HTTPS preserved in 307 redirect Location headers (was emitting http:// due to missing TRUSTED_PROXIES config).
Removed orphaned git submodule reference that was breaking Cloud Run deploys with git exit 128.

Rotated leaked Supabase database password (was in committed file backend/fix_alembic.py deleted from HEAD; rotated v9 of DATABASE_URL secret + previous versions disabled).
History rewrite: scrubbed AI-authorship metadata (Co-Authored-By) from all commits.
Repo cleanup: removed 29 tracked __pycache__ files, removed backend/spam_keywords.txt (gitignored but leftover).

support@bulkemailboxer.com email forwarding via Google Workspace user alias domain (MX swapped to smtp.google.com priority 1 in IONOS DNS).

Cloud Scheduler integration: 17 cron jobs hitting /internal/* endpoints (campaign-dispatch, warmup-dispatch, sweep-stuck-jobs, etc.). Scheduler-create script is idempotent.
Comprehensive prelaunch audit + auto-deploy CI workflow (deploy.yml) for backend.

Frontend migrated to Vercel (edge / global CDN). Cloud Run frontend service kept as fallback.
Markdown-driven blog at /blog: 8 launch posts on cold-email deliverability, warmup, RFC 8058, comparisons.
Auto-generated sitemap.xml + RSS feed at build time.
Founder admin dashboard at /admin (dashboard, users, audit logs, waitlist viewer).
Waitlist endpoint POST /api/waitlist + CSV export (GET /api/admin/waitlist.csv, CSV-injection safe).
Coming Soon holding page on / with founder bypass via ?early=boxer2026.
RFC 8058 List-Unsubscribe + List-Unsubscribe-Post SMTP headers on every customer email.
Full security headers (CSP, HSTS, X-Frame-Options, etc.) via Vercel.

Initial production deploy: backend on Cloud Run (us-central1), DB on Supabase, Stripe live keys, custom domain bulkemailboxer.com.
Sentry error tracking wired (PII scrubbing in backend before_send).
Pre-launch deliverability + legal hardening (DMARC, privacy/terms pages, GDPR self-serve export).