Changelog

Every release, every feature, every fix, in one scrollable log.

2026-04-26, Full ISO/AIM/GS1 rendering compliance across every code type

Audited every QR / 2D / 1D barcode against its governing standard. bwip-js's includetext defaults to false for every bcid, so EAN/UPC/ITF-14 were shipping without the human-readable text strip that ISO 15420 §5.1.2 + GS1 §5.4.4 require. Set includetext: true + guardwhitespace: true for the entire EAN/UPC family, plus includetext: true for ITF-14, Code 128, Code 39, Code 93, Codabar, VIN.
EAN-13 quiet zones now asymmetric per ISO 15420 Annex A (paddingleft: 44 = 11 modules, paddingright: 28 = 7 modules at scale=4). EAN-8 / UPC-A / UPC-E use the symmetric envelopes their specs name. PDF417 + AAMVA driver license get 2-module quiet zones per ISO 15438 §5.5; Data Matrix gets 1 module per ISO 16022; Aztec gets 1 module recommended (zero permitted by ISO 24778 but breaks border-touch scanners).
QR QUIET_ZONE_MODULES bumped from 2 → 4, the full ISO/IEC 18004 §6.3.7 spec. The 2-module shortcut was an industry compromise that fails GS1 Digital Link prefix detection on some industrial laser scanners. Micro QR + rMQR now ship with a 2-module quiet zone (qrean emits the bare grid, so we add it manually in renderMicroQRResult).
ECC levels locked: Aztec at 23% (ISO 24778 default), PDF417 at level 5 (GS1 transport-and-logistics minimum). Locking against future bwip-js drift.
New authority page: /standards/barcode-rendering/. Per-symbology reference covering quiet zones, HRI, ECC, and check digits for all 17 types, with primary-source links to every ISO/AIM/GS1 standard cited.

2026-04-26, Hardened staging-first deploy gate

Production deploys for sites with staging now require the most recent staging deploy to be for the exact current commit (clean working tree on both sides). The prior gate's 24-hour time window let unrelated production deploys ride on stale staging history. SHA-tracked, fail-closed, override remains CF_DEPLOY_SKIP_STAGING_FIRST=1.
cf-deploy.py preflight check for CLOUDFLARE_API_TOKEN, fails fast with a source ~/.envrc hint instead of letting wrangler emit its cryptic "non-interactive environment" error.
Post-deploy content verifier on every deploy: fetches the live URL and confirms its cache-buster matches what was just stamped into dist/. Catches the "wrong CNAME" / "edge serving stale" / "wrong branch" class of bug that the 200-OK health check would silently miss.

2026-04-25, Mobile UX overhaul: peek-preview header, bottom-sheet preview, sticky download CTA

Sticky peek-preview header at the top of the page on phones (≤768px). Always shows a live thumbnail of the QR plus a one-line status, "Fill in the form below" when idle, "Your QR is ready · Tap to download" once a code renders. Pulses once when the QR first becomes valid so users notice it. Fixes the long-standing problem where mobile visitors didn't realise the result was rendered below the fold.
Tapping the peek bar (or the new sticky bottom Download button) opens the preview as a bottom sheet, full-width download buttons stacked vertically, swipe-down or backdrop-tap to close, safe-area padding for the iOS home indicator.
Soft-keyboard handling: visualViewport listener marks body.kb-open when the keyboard rises, the peek bar collapses to a slim pill, and focused inputs scroll into view so the keyboard never hides what the user is typing.
Tap-target sweep at ≤640px: type-picker tiles bumped from 14×8 / 0.78rem to 16×10 / 0.82rem and 56px min-height, panel tabs and primary buttons floored at 44px, export buttons stack full-width with a 48px floor inside the sheet.
Viewport meta gains interactive-widget=resizes-content and the two 100vh rules migrated to 100dvh for predictable layout on mobile browsers with dynamic toolbars.
Old scroll-to-preview FAB removed, the peek bar plus sticky CTA cover the same job more directly. Service-worker cache bumped to v132. New strings translated to all 25 languages.
CSS hygiene: 203 single-value space declarations in style.css migrated to --space-N tokens via codemod. Pure refactor, no visual change.
Inline-style ceiling 89 → 85: four style="text-transform:uppercase" attrs on AAMVA / Code 39 / Code 93 / VIN inputs replaced with the existing .input-uppercase class.

2026-04-19, N16 compliance sweep (45 pages), N3 batch 2, regression fixes, N3 tail, AAMVA disclosure, Expert-state persistence, a11y audit

Full N16 compliance sweep: all 34 payment-scheme landing pages now carry compliance-checklist + "when not to use this" blocks. Fourth pass (19 pages) covers the remainder: Alipay + WeChat Pay (PBoC + SAFE), Boleto (BACEN + FEBRABAN), Mercado Pago (seven-country regulator matrix), Payconiq (NBB + PSD2), EPC/Girocode (EPC069-12 + ZAG), Apple Wallet + Google Wallet (developer-program + FTC Endorsement + GDPR location), Kakao Pay + Naver Pay + LINE Pay (Korean FSC + Japanese FSA + Taiwan FSC + BOT), GCash + Maya (BSP EMI + AMLC + QR Ph + SEC PH), JPQR (METI + FSA Qualified-Invoice), FPS HK (HKICL + HKMA + SFC Alert List), DuitNow (PayNet + BNM + LHDN e-Invoice), M-PESA (Safaricom + CBK + eTIMS + CMA), MoMo (SBV + AMLID + GDT e-Invoice), PayID (NPP + RBA + APRA + AUSTRAC + ASIC). Combined with the prior three passes (AAMVA / Review pages / Coupon / Review Funnel / App Store / PayPal / Crypto / UPI / SEPA + Venmo / Cash App / Swiss QR-bill / PIX / PromptPay / EMVCo / TWINT + Bizum / PayNow / iDEAL / BLIK / Interac / MB WAY / Swish / Vipps), that's 45 compliance-blocked landing pages, every payment scheme on the site now has local-regulator references, merchant-classification rules, tax / invoicing duties, consumer-protection framework, and a "no investment solicitation" guardrail pointing at the correct securities regulator.

Total coverage now: 26 landing pages.

Five more standards authority pages (N3 batch 2), AAMVA driver license, eSIM activation (LPA), EMVCo merchant QR, Micro QR / rMQR, ZATCA e-invoice. Hub now has 8 live reference pages covering the core specs.
Two regressions fixed: (1) homepage auto-scrolled down on load because showCategory() init called scrollIntoView({block:"nearest"}) on the category chip, replaced with manual horizontal scrollLeft so page scroll is never touched. (2) Type search for "paym" returned zero results because the filter only checked label + data-type substrings, DRY fix now reuses the same CAT_SEARCH + TYPE_SEARCH synonym tables the command palette uses.
N3 tail: new /standards/non-qr-2d/ combined reference page for Aztec (ISO/IEC 24778) + PDF417 (ISO/IEC 15438) + Data Matrix (ISO/IEC 16022). Side-by-side comparison table, native-scanner support matrix across iOS Camera / Android / Google Lens / industrial imagers / airline gates / DMV readers / pharma DPM readers, pick-the-right-one guide (Aztec for boarding passes, PDF417 for long ASCII flat-paper, Data Matrix for DPM / pharma, QR for consumer phone cameras). Standards hub now has all 9 pages live, 0 draft.
AAMVA form progressive disclosure (N19.3 follow-up): 25-input form split into Required (jurisdiction / license / doctype / family / first / DOB), Recommended collapsed-open (middle name + street + city/state/zip + issue/expiry dates), Expert tuning collapsed (sex/eye/height + class/restrictions/endorsements). Matches the pattern used on TOTP, HOTP, Aztec, PDF417, Swiss QR, EMVCo, GS1, SEPA.
Expert-tuning state persists across visits (N19.3 follow-up): when you open the Expert section on any form, the open state is saved to localStorage.qrExpertSectionsOpen keyed by type. Next time you pick that type, Expert is already open. Delegated toggle listener on .field-section[data-level="expert"], no wiring per form.
Internal accessibility audit (N8): manual WCAG 2.2 AA pass against the homepage, /print-size/, the new /standards/ hub + 9 authority pages, and the 45 payment-scheme landing pages. Verified passing on skip link target, focus-visible, form labels, button names, ARIA roles, contrast AAA primary / AA+ muted. Fixed a heading-level skip (three <h4> subheads inside vCard/MECARD extra-fields promoted to <h3> for a clean outline). Full findings published on /accessibility/.
Public corpus ZIP (N2 follow-up): /proof/corpus.zip, bundled fixtures JSON + CSV + methodology + README, ~4 KB, rebuilt on every deploy. Scanner fleets can now download the full corpus in one file instead of cloning the repo. Linked from /proof/corpus/ with a prominent Download button.
Scanner-fleet attestation log (N2 follow-up): new docs/SCANNER_ATTESTATION.md, dated per-row log of manual device/OS/app verifications. Seeded with 10 rows covering iPhone 15 Pro on iOS 18.3, Pixel 8 on Android 14, Zebra DS8100, Google Authenticator, 1Password. Grows with each device we verify.
In-generator preview realism (N19.6): compact 4-chip toggle below the live QR preview, Default / Phone / Mono / Low contrast. Applies CSS filters to the preview (scale for Phone, grayscale for Mono, reduced contrast for Low contrast) so designers see how the QR behaves on different substrates without leaving the generator. Zero effect on the encoded payload, downloads, or clipboard copy.
More semantic validators (N19.4 extension): HOTP secret Base32 + counter non-negative-integer check; eSIM SM-DP+ must be a bare FQDN (no https://, common phone-provisioning breaker); eSIM Matching ID rejects $ characters (collides with LPA field separator).
Progressive disclosure extended to UPI and Crypto (N19.3 extension): UPI amount + note grouped as Recommended; crypto amount + label grouped as Recommended. SIP, MMS, PromptPay, and Lightning reviewed and left flat, too few fields to benefit from disclosure.
Quality audit sweep across SEO, performance, security, link integrity, and code quality (i18n pass deferred). Service worker cache.put writes now run inside event.waitUntil so they can't be dropped mid-navigation; cache bumped to v121. Business-card print dialog switched off document.write to a Blob URL. Share and card-download click handlers wrapped in try/catch so rejections surface as toasts instead of silent failures. Magic-number timings (design-card hash auto-open, GIF frame rendering, dual PNG download gap, print-blob revoke) extracted to named constants. Latent CSS bug fixed: .card-text-row input selectors only matched [type="text"], but the HTML minifier strips the default type="text" attribute, added input:not([type]) so BCD tagline + caption inputs keep their styling in production. Two gratuitous !important declarations removed; noisy i18n console.warn silenced. CLAUDE.md updated, language pages are pre-rendered to site/{lang}/, not served via _redirects rewrites.

2026-04-18, Authority push: /standards/ hub + 3 standard pages, /proof/corpus/, Reviewer #6 wrap, N19.1 workflow-first Advanced

Simple mode gets a subtle "96 more types in Advanced" hint below the 8-tile grid. Clicking the link flips the mode toggle so users don't scroll back up. Simple stays at 8 tiles; Advanced stays the discoverability path for the long tail.
Pro CTA bullet list rewritten to reflect what's actually shipped: password-gated codes, scheduled activation and expiry, heatmap/weather/ROI/cohort analytics, public shareable stats pages, code groups for large portfolios, webhooks + REST API, multi-team and audit log, SSO (SAML/OIDC) + SCIM provisioning. Old generic "Scan analytics / API workflows / Teams" bullets are gone.
"Save to Pro" hint below the generator now names password-gating, scheduled activation, heatmap and ROI analytics, and public stats pages instead of just "scan analytics."
Progressive disclosure on field-heavy advanced generators (N19.3): TOTP, HOTP, Aztec, PDF417, Swiss QR, and EMVCo collapse their expert knobs (algorithm/digits/period, EC level, columns/compact, message, MCC/AID) under an Expert tuning section. GS1 Digital Link groups AI 17/10/21 as Recommended; SEPA separates reference (Recommended) from BIC (Expert tuning). Collapsed Expert summaries show an "expert" pill so power users spot the extra knobs without clicking.
Saved profiles (N19.8): name-and-save any advanced generator's current field values to localStorage, list them in the Saved profiles panel above the compatibility legend, and load them with one click or via the command palette (Cmd/Ctrl+K). Storage is client-side only; nothing leaves the browser.
Print-production authority (N15): /print-size/ now carries a substrate guide (8 substrates × size penalty × ECC), CMYK-safe palette rules with catalog-level CMYK/RGB-only annotations, outdoor/signage rules (UV fade, cold-weather camera behaviour, oblique scan angles), a 4-check printable QA protocol, and plain-English preflight grade definitions ("D = will fail on glossy signage under 3 m").
Compliance fencing (N16): new "Compliance checklist" + "When not to use this" blocks on five reviewer-flagged landing pages, App Store (Apple 5.2 / Play policy / TestFlight distribution), PayPal (AUP / F&F abuse / 1099-K / MSB classification), Bitcoin & Crypto (FATF Travel Rule / FinCEN/FCA registration / Howey-test exposure / OFAC), UPI (NPCI circular / GST / anti-fraud overlay scams / SEBI on investment QRs), SEPA (EPC069-12 conformance / PSD2 return rights / no-recurring-mandate warning). Joins the pre-existing compliance blocks on AAMVA, Google / Yelp / TripAdvisor Review, Coupon, Review Funnel.
Recent types in the command palette (N19.7): the last 8 types you picked surface first when Cmd/Ctrl+K opens with an empty query; with a partial query, recent types get a small ranking bonus so "tot" reliably jumps to your most-used OTP flow. Also marked with a "Recent" category chip so the boost is visible, not magic. Tracked in localStorage only.
Simple-mode polish (N6): Simple now also hides the Saved profiles panel (not a beginner concept) and the Batch tab. Already-hidden items unchanged (type search, industry presets, compat legend, category tabs, compat chips).
Four-pillar trust strip (N7): the top-of-page claim strip collapsed from 5 items to 4, each explicitly carrying its pillar label, "Truly free, no signup, no paywalls", "Privacy-first, 0 outbound requests, verify live", "Production-safe, compatibility tested April 2026", "No lock-in, static backup QR, export anytime". The Comparison-updated link was dropped from the strip (it's a credibility signal, not a pillar) but still lives in the nav + footer.
Decisive "Use this if / Do not use" callouts (N19.11) at the top of field-heavy advanced forms, Data Matrix, Aztec, PDF417, TOTP, HOTP, eSIM, GS1. Orange-accented, two clauses, before any field input. Replaces the pattern where explanatory prose sat at the bottom and users only read it after they'd finished typing.
Capability banner (N19.9) on the Style panel for non-QR symbologies, explicit chip + title ("No styling, plain barcode only") + description, replacing the old single-paragraph hint with something glanceable.
Semantic validation (N19.4): TOTP Base32 secret validator, Swiss QR IBAN CH/LI prefix + 21-char length check, SEPA IBAN mod-97 checksum (catches mistyped digits), and a cross-field WiFi Enterprise warning when EAP is selected but identity is blank. Inline, non-blocking, reuses the existing VALIDATION_RULES registry.
QR Lab now one click from Download (N5), a dashed-border chip ("Test before you print in QR Lab →") sits inline with the download buttons so verification is visible at the point of export.
Advanced opens task-first (N19.1): the category strip is now organised by what you're doing instead of what symbology it is. Nine workflow buckets, Everyday sharing, Events & venues, Media & files, Marketing & reviews, WiFi & telecom, Payments & banking, Retail & GS1, Boarding & ID, Auth & dev, replace the old symbology taxonomy (Everyday / Business / Payments / Identity / Security / Industrial / Advanced Standards). All 105 type buttons remapped; footer type-grid regrouped to match.
Authority push (N3): new /standards/ hub with eight full reference pages, GS1 Digital Link (Sunrise 2027, live GTIN check-digit validator), TOTP & HOTP (RFC 6238 / 4226, live Base32 entropy validator, authenticator compatibility), Swiss QR-bill (SIX IG v2.3, live CH/LI IBAN validator with QR-IBAN detection), AAMVA driver license (CDS v10, element-code table, IIN table, lawful-use framing), eSIM activation (LPA) (GSMA SGP.22, iOS 17.4+ / Android 13+ compatibility), EMVCo merchant QR (MPM / CPM structure, regional derivatives PIX/UPI/PromptPay/SGQR/DuitNow, MCC table), Micro QR & rMQR (ISO/IEC 18004 Annex M + ISO/IEC 23941, capacity charts, specialist-scanner compatibility), and ZATCA e-invoice (Saudi FATOORA, TLV tags 01–09, Phase 1 vs Phase 2). Each page: spec link + canonical test vectors + live validator where applicable + pitfalls + scanner compatibility + dated next-review. First step toward the encyclopedia-grade authority goal.
Public test corpus scaffold (N2): new /proof/corpus/ page documenting the methodology anyone can use to audit scanner-compatibility claims, download the fixtures, regenerate QRs, scan with your own fleet, report discrepancies. Curated 18-row expected-scan-result table across iOS Camera, Android Camera, and pro scanners. Links /test-vectors/ (the developer JSON) and /standards/ as the authority layer above.
Earlier Reviewer #6 items shipped this day in prior commits: jobs-first tile grid (N14), "The most trustworthy QR tool on the internet" brand sentence (N17), command palette (N19.2), expert presets (N19.5), payload inspector (N19.10), canonical <title> format sweep (N20).
Translation backlog: N14 and N17 copy is in 25 languages; everything else from today's Reviewer #6 wrap (N19.3 / N19.4 / N19.7 / N19.8 / N19.9 / N19.11 / N5 / N6 / N7 / N15 / N16 / Pro SSO/SCIM) is English-only for now and falls back to English in other locales until the next translation pass.

2026-04-17, Keep-Alive live, Pro roadmap + support pages, webhook audit fixes

Keep-Alive tier live on Pro: $4/mo, $36/yr, or $240 Decade (10-year prepay, $2/mo effective). Preserves existing codes with a 30-day destination-edit cooldown; no new codes, no seats, no API. Migration 007, three Stripe products, webhook path for the one-time Decade payment, plan gates across dashboard/codes/edit. Reverted the "Ships Q3 2026" banners on /compare/ and /no-lock-in/.
New page at pro.qr.abundera.ai/roadmap/: what's shipped, Q3/Q4 commitments with kill criteria, explicit list of things we're not building.
New page at pro.qr.abundera.ai/support/: per-tier response-time targets, security disclosure address, scope.
Stripe webhook fixes: idempotency race (could swallow a retried payment), dedup via SELECT before handling, INSERT on success. Decade payment handler throws on missing/unknown price_id or mismatched tier instead of silently dropping. DEFAULT_SEAT_LIMIT undef in team-invite accept. Signature tolerance 60s → 300s. incomplete_expired maps to trialing (was expired).
Docs: ABUNDERA_JWT_AUDIENCES documented as required; PLAN_PRICE_MAP schema in docs/INTEGRATIONS.md; removed the unused ABUNDERA_SERVICE_SECRET references.
Tests: 70 passing. Added 8 for Keep-Alive predicates and the 30-day cooldown.

2026-04-16, Pro launch, pricing ladder rework, external-review followups

Pro portal live at pro.qr.abundera.ai.
Pricing ladder (monthly / billed-annually per month): Solo $12/$9, Business $39/$29, Team $129/$99, Agency $449/$349, Enterprise $1,800/$1,500. Annual is the default selection on the pricing grid.
Explicit monthly scan caps on dynamic codes (50K / 150K / 500K / 1.5M / 6M) replace "unlimited". Static-forever codes are unmetered on every plan because the link lives in the QR itself. Exceeding the dynamic-code cap doesn't break redirects; we meter overage at the tier's own list rate ($0.06–$0.18 per 1K scans).
Every tier has an explicit dynamic-code count (200 / 1,200 / 4,000 / 12,000 / 50,000), no "unlimited*" fine print, plus unmetered static-forever codes on every plan.
13 payment landing pages added: Apple Wallet, Google Wallet, EPC Girocode, BLIK, Interac, MB WAY, GCash, Maya, Kakao Pay, Naver Pay, LINE Pay, iDEAL, Boleto. Type count 91 → 104; sitemap now 3,224 URLs.
Scan-preflight expanded from 4 generic conditions to 8 job-specific scenarios (menu sticker, window poster, lanyard, shelf tag, warehouse label, outdoor signage, packaging, business card). Grade C/D/F shows a pre-download modal.
/compare/ pricing matrix split into six capacity-matched groups. Competitor entries added for Bitly, Flowcode, Uniqode, QR Code Chimp, QRTIGER, each dated and flagged for monthly re-verification. Per-code monthly cost shown on every row.
Count-drift check in pre-deploy script: scans all generated pages under site/ for hardcoded type counts. The 91/104 drift on /compare/ shipped because the old check only watched three pages.
Pro-site framing: "Free is for keeping. Pro is for changing." carried through /no-lock-in/, /static-vs-dynamic/, and the homepage Pro CTA.
Stripe products created via the idempotent stripe-setup.py script (Solo + Team bumped to rev 2 for the new amounts). PLAN_PRICE_MAP holds both old and new price IDs so any existing subscribers stay mapped.
Other: compat detail strip above generator fields, homepage trust strip, freshness stamp on every page, /accessibility/ skeleton page, /for/ industry preset packs (8), Wizard/QR Lab discoverability hint, count audit (120 → 375 icons, 24 → 50 BCD presets), repo-language scrub (repo is private; "Open source generator code" → "Client-side code auditable in your browser"), OG image regenerated with a valid iCalendar event QR.

2026-04-15, Simple/Advanced, /compare/, Save-to-Pro

Simple / Advanced toggle on the homepage. Simple curates 8 everyday types (URL, WiFi, vCard, Email, Phone, SMS, Event, Text); Advanced restores the full 104. Mode is sticky in localStorage; landing pages for non-Simple types auto-switch.
/compare/ competitor matrix shipped: feature-by-feature against QR Code Generator, QRCode Monkey, and Uniqode. Dated, re-reviewed monthly.
"Save to Pro" button on the free site: one-click promote a generated code into the Pro portal. State round-trips via URL hash; unsigned users land back on the generator with their work preserved.
Category-tab scroll arrows on desktop; smooth-scroll on mobile.
History restore auto-switches to Advanced when a saved code's type isn't available in Simple mode.
Pro CTA copy softened; anti-hostage story (static backup QR, 90-day grace, domain portability) pulled forward.

2026-04-14, Pro portal online, 3 new types, autofill fix

Pro portal (pro.qr.abundera.ai) online end-to-end.
Three new free-site types: M-PESA Kenya (EMVCo MPM), Video Meeting (Zoom/Meet/Teams/Webex shortcuts), Coupon/Promo Code.
GS1 Digital Link type now supports all 12 Sunrise-2027-mandated Application Identifiers.
New SEO pages: /static-vs-dynamic/, /no-lock-in/ (contractual: 90-day grace, one-click export, 30-day GDPR delete, static backup QR).
Autofill fix (sixth attempt): per-type field blocks are real <form> elements with their own autocomplete tokens; inactive forms get display: none so Chrome doesn't flag the off-screen inputs. vCard/Address/Contact/WiFi-Enterprise vertical grouping now works across Chrome, Safari, Firefox. Playwright harness at 0 violations.
Review funnel: platform dropdown (Google/Yelp/TripAdvisor) with per-platform placeholder copy.
Wizard: 8 broken result-slug references fixed.
Header/footer unified via shared partials; tool pages (Wizard, QR Lab, Test Vectors) moved to the same template system.
Pre-deploy check: internal-link validation + raw-English showToast() guard.
BCD fixes: vertical layout stability, landing-page UI regression, RFC-link labels, watermark artifact.
Generated landing-page HTML is no longer git-tracked (still deployed; git tracks the template and generator).

2026-04-13, 25-language parity, header/footer redesign, Playwright harness

6,660 English-fallback keys translated across 25 language files. Non-English landing pages no longer fall back to English strings. Translation pipeline refactored into a validator/planner.
i18n extended to the tool pages: Wizard, QR Lab, and Test Vectors now have 25 language variants, with hreflang tags and sitemap entries.
Playwright round-trip harness: generates a code for every type in every language, decodes the canvas, checks fields. 0 violations.
Header/footer redesign: slim header, 3-column footer matching the sign.abundera.ai pattern. Mobile hamburger drawer now shows the nav items when opened (previously broken).
Click QR preview → zoom lightbox. Label shows type name + first input (previously showed raw payload).
First-pass autofill fix (landed properly 2026-04-14).
Type search surfaces advanced types; closes on pick; empty category tabs hidden in Popular mode; history restore switches type inline instead of redirecting.

2026-04-12, 26-language parity, 13 new payload types, 3 non-QR 2D barcodes

Full 26-language parity: every English key exists in every language file (1,302 keys × 25 langs). 5,533 entries added across 4 passes (proper nouns, short labels, form-field labels, toasts, hints). The 30 brand-payment hints stay English by design, URLs and brand names are authoritative in English.
Dedupe: 113 stale duplicate-key blocks removed across 19 lang files (drift from earlier rebases).
Info-page header fix: blog/about/privacy/changelog were using .brand/.header-inner/.brand-text classes with no CSS attached. Switched to the same .logo markup as the main app.
4 standards-based URI types: HOTP (RFC 4226), eSIM (GSMA SGP.22 LPA), SIP/SIPS (RFC 3261), MMS/MMSTO.
WPA2/WPA3-Enterprise WiFi: extends the WIFI: format with EAP method, Phase-2 auth, identity, anonymous identity.
6 regional payment types: Alipay, WeChat Pay, Swish (SE), Vipps (NO), Mercado Pago (LatAm), Payconiq (Benelux).
3 non-QR 2D barcodes: Data Matrix (ISO 16022), Aztec (ISO 24778), PDF417 (ISO 15438). bwip-js (~1 MB) lazy-loaded only when one of those types is picked.
26-language showcase section added to the homepage with native-script links.
Pre-deploy audit script: BATCH_VALID_TYPES sync check + raw-English showToast() guard.
Footer, landing pages, and i18n keys added for all 13 new types (English source).

2026-04-11, BCD photo URL fetch, preview-sticky, expandable presets

BCD: photo URL field now fetches and inlines remote images as data URLs so the export canvas isn't tainted by cross-origin loads (PDF/PNG export now works on hosts without CORS).
BCD desktop layout: preview pane is now position: sticky, so when a user expands every section the controls scroll freely without losing visibility on the live preview. (Previously, expanding Content + Layout + Options would push Show-Fields off-screen.)
BCD preset grid is now expandable, shows 12 layouts initially with a "Show all layouts" toggle, mirroring the icon-picker UX.
Tagline + QR-caption inputs reskinned: stacked label + full-width input (was cramped 150px sidecar).
Scanability badge raised from bottom: -24px to -18px so it stops covering the copy button.
Batch CSV instructions now mention Google Sheets, Excel, Numbers explicitly.

2026-04-08, Vertical-specific icon library

24 new center-logo icons (96 → 120) targeting healthcare, food & bev, tech, finance verticals.
10 new BCD layout presets (40 → 50): Concrete, Honey, Indigo, Luxe, Midnight II, Ocean II, Slate, Verdant, Wine, Candy.
Cache-buster strategy bug: ?v= params on page-init.js + lang-redirect.js were missing on landing pages, causing stale module loads after deploys. Fixed.

2026-04-04, BCD gradient backgrounds + card back + 12 new presets

BCD: 12 new presets (Dark Mode, Pastel, Ocean, Cherry, Slate, Emerald, Amber, Mono, Rose, Midnight, Sand, Carbon). 36 presets total.
User-controlled gradient backgrounds with second color picker.
Card back rendering with company + tagline + CTA text.
Social icons row (LinkedIn / X / Instagram).
Address block rendering from vCard fields.
Visual preset thumbnails, each preset button now renders a mini canvas instead of a placeholder.

2026-03-29, BCD overhaul + 600 DPI export

Business Card Designer collapsible accordion sections, sticky mobile preview, sticky export footer.
Hex color inputs with bidirectional color-picker sync, color palette swatches.
4 photo shapes (circle, square, rounded, hexagon).
Bumped export resolution to 600 DPI for crisp print output.
Kebab menu: Export template, Import template, Surprise me, Share card, Print sheet (10-up US Letter + A4).
Photo crop forced square. Minimum-data guard before opening designer.
BCD presets bumped: 8 new visually-distinct (Neon, Art Deco, Sunset, Forest, Brutalist, Kraft, Nordic, Retro 80s). 24 presets total.

2026-03-22, 20 new QR types + Link-in-Bio + competitor comparisons

20 new QR types (35 → 55): YouTube, Apple Music, Google Review, Yelp Review, TripAdvisor, Venmo, Cash App, Support/Tip Jar (Ko-fi/Patreon/BMAC/Liberapay), TWINT, Bizum, PayNow (SG), PayID (AU), ZATCA (SA), BIP-21 Bitcoin + Lightning, webcal://, JPQR (JP), HKFPS (HK), DuitNow (MY), MoMo (VN), Link-in-Bio.
Link-in-Bio renders the entire bio page from the QR's URL hash, no backend, no account, no tracking.
/embed/ iframe widget (postMessage API for parent integration).
/vs/ competitor comparison pages (26-language variants).
@abundera/qr npm package + CLI with 25 type encoders.

2026-03-15, 96 center-logo icons + 5 new languages

96 center-logo icons (12 → 96): crypto, communication, media, utility, commerce, transport, nature, food, people, events, 12 smiley faces, 18 social network glyphs (X, Facebook, Instagram, LinkedIn, TikTok, YouTube, Pinterest, Reddit, Snapchat, Discord, Telegram, GitHub, Threads, Bluesky, Mastodon, Twitch, Signal, Medium). Expandable via <details> toggle.
5 new languages (21 → 26): Swedish, Czech, Danish, Norwegian, Finnish. 1,106 keys each with native translations.
EPS export (embedded-JPEG Level 2 PostScript, ASCII85-encoded) for print-shop workflows (Illustrator, InDesign, CorelDRAW).
Animated GIF export (gif.js, 8-frame rainbow).
BCD SVG export, BCD JPG export.

2026-03-08, Platform audit + accessibility sweep

Bug-bash sprint: 3 CRITICAL + 7 HIGH + 10 MEDIUM issues fixed.

CSP inline-script violation on all 55 landing pages, moved to data-qr-preselect body attribute.
Service worker stale-cache bug, query-stripped keys → full-URL + stale-while-revalidate.
Form-type desync when clicking BCD pill on non-vCard landing page.
Background image visibility (opacity slider, modules at 90% alpha, crop modal routing).
Crop modal mobile overflow.
Wheel-zoom hijacking mouse scroll (removed entirely).
Avatar IP leak mitigated (referrerpolicy + no-referrer header).
WiFi batch open-network fix, MeCard batch field parity, TOTP base32 validation.
WCAG 2.5.8 touch targets (44×44 min on coarse pointer).
aria-hidden sweep on 87 decorative SVGs.
prefers-reduced-motion respect.
Toast aria-live, focus-visible ring, crop keyboard navigation, overflow menu Home/End keys.
Font preload optimization.

2026-03-01, 15 standards-based types + scannability validator

15 new QR types: TOTP/2FA, Swiss QR-bill (with mandatory red Swiss cross overlay), PIX (Brazil), PromptPay (Thailand), EMVCo generic merchant, Lightning BOLT11, SSH public key, OpenPGP public key, WireGuard config, GS1 Digital Link, Spotify, Fediverse (Mastodon/Bluesky/Nostr/Matrix/Threads), Geo URI, Magnet, full iCalendar.
Scannability validator, runs jsQR over the rendered canvas and warns on decode failures.
Printable URL fallback, toggle adds the destination URL as plain text under the QR.
jsQR lazy-loaded (saves 262 KB eager payload).

2026-02-22, Multi-stop gradient editor + per-eye colors

Multi-stop gradient editor (up to 5 colors).
Per-eye independent inner/outer color.
Background image QR mode (opacity slider, EC=H auto-forced).
Pinch-zoom on the preview canvas.
Web Share API for QR codes and business cards.
WebP export format.
Undo/redo (Ctrl/Cmd-Z, 50-step buffer).
Random template button ("Surprise me").

2026-02-15, Privacy & security pages + i18n hardening

4 new credibility pages: /privacy/, /terms/, /security/, /about/, in all 21 languages.
/.well-known/security.txt published.
29 hardcoded English strings replaced with qrT() calls; ~100 new i18n keys translated into all 21 languages.
Inline scripts externalized, CSP hardened (unsafe-inline dropped).

2026-02-08, Modal a11y + focus management

Focus trap on all 3 modals (crop, BCD, custom dialogs).
Keyboard navigation polish across the BCD overflow menu, language switcher, and type selector.
Critical bug fixes: SVG frame borders rendering one pixel off, XSS vulnerability in batch zoom preview, btoa() Latin1 error on preset logo click.

2026-02-01, Initial launch

Launched Abundera QR with 20 QR types, 40 templates, batch CSV generation (500 codes), Business Card Designer (300 DPI), 20 languages, 420 static landing pages.
Privacy-first stance: 100% client-side, no accounts, no tracking, no dynamic-redirect codes.