Skip to main content
Wwr.fi
Menu

Changelog

What's new on wr.fi. 88 creations on the platform.

April 10, 2026

  • wrfi npm package refactor — CLI only. MCP server moved to @wrfi/mcp (separate package at github.com/wrfi/mcp). Install only what you need.
  • MCP server fixes — `npx @wrfi/mcp` now actually launches (was exiting silently due to a missing entrypoint call). wrfi_search and wrfi_neighborhood tools now go through the shared HTTP client, picking up auth headers, User-Agent, and structured error parsing. Found by integration test report.
  • Legacy API key auth restored — passphrase-based API keys (SHA-256 hash in apiKeyHash) work again as a fallback after the word-key lookup. Fixes a regression for users with old-style keys.
  • Duplicate detection no longer leaks URLs cross-account — uploading the same content as another user returns { duplicate: true } without revealing the existing URL. Prevents content existence enumeration.
  • WRFI instructions embedded on every creation page — AI agents landing on a creation see the exact API call to update it, no guessing endpoints.

April 7-9, 2026

  • WRFI spec published as open standard — github.com/wrfi/wrfi-spec (CC-BY-4.0). Includes structured format, parser, sync validation, agent handoff protocol, governance.
  • Agent handoff prominence — homepage hero: "Move work between AI agents." Handoff is now step 2 in How It Works. Docs section moved to #2 in TOC.
  • ?h plain text handoff view — any AI reads wr.fi/shortId?h for content, history, context, update instructions. No auth needed for public creations.
  • /{shortId}.json and /{shortId}.h — clean URL routes for JSON and handoff views
  • /{shortId}/u edit page — browser-based editor with token gate for manual token entry
  • Diff-based edit URLs — /{shortId}/u?diff=<base64> applies compact search-replace pairs. Stays under 8KB URL limit.
  • /u?fork={shortId} — clone a creation into the upload form as a new creation
  • Handoff button on every creation page with copy-able links for all handoff methods
  • Lenient prefill parsing — handles AI-generated malformed JSON (literal newlines, unescaped quotes)
  • Investor-grade metrics dashboard — /admin/metrics with 18 metrics across 6 sections. North star: Handoff Loop Rate.
  • Dashboard search matches full artifact content (up to 50KB), view count sort works, visibility indicators
  • Security hardening: honest URL entropy docs, cross-shortId IP rate limiting, open-edit global limits, HTML iframe CSP, embed CSP
  • ML training disclosure at publish time. Data licensing: anonymous content eligible, authenticated unlisted exempt.
  • Custom edit tokens — set your own or regenerate from the Edit Creation form
  • Todo editor: toggle highlighting, descriptive saves, filename preservation, dual save bars
  • WRFI instruction sync — single source of truth module with 16 validation checks. All doc surfaces import from one file.
  • W3C PROV-O JSON-LD on all creation pages + /api/prov/{shortId} endpoint
  • Dataset pipeline: /api/dataset admin export, provenance scoring, pagination caps, honeypot system

April 6, 2026

  • Agent Handoff — GET /api/handoff/{shortId} returns content, version history, context neighborhood, and update instructions in one request. Push responses now include a handoff object.
  • Dry run mode — { "dryRun": true } validates a push without persisting. Returns title, content type, artifact count, and total bytes.
  • Pro interest page at wr.fi/pro — leave your email if you're interested in the upcoming Pro tier
  • Visibility UX rewrite — "Public" is now the default for logged-in users (visible in explore). "Secret link" replaces "Unguessable". Unlisted checkbox for link-only sharing.
  • Mobile share menu — renders as bottom sheet on mobile instead of overflowing dropdown
  • Download, Raw, and Report are now standalone buttons instead of hidden in the menu
  • "Try it" button on homepage — live demo push from the API quick reference
  • Post-publish banner on creation pages for freshly created content
  • Context neighborhood SVG diagram on docs page
  • Tightened access controls on API listing endpoints
  • View-only links now use httpOnly cookies instead of persisting in URL
  • Prefill URLs: hash fragment (#BASE64_JSON=) recommended over query params for privacy
  • HSTS preload directive added
  • Documentation cross-check: all surfaces (docs, llms.txt, OpenAPI, security page) updated for consistency

April 5, 2026

  • License: Open Edges, Closed Core — server proprietary (Kurikkai Oy), CLI + MCP = MIT, WRFI spec = CC-BY-4.0
  • Comprehensive security audit: 88 test scenarios, access control hardening on all API endpoints
  • WRFI self-audit: all 7 instruction layers verified working end-to-end
  • Inline diffs on version history page

April 3, 2026

  • Context Neighborhoods — backlinks, frontmatter, /api/neighborhood, /api/mine, project filtering
  • Collapsible Context section on creation pages showing connections
  • ChatGPT security audit fixes: tightened public API responses, robots.txt, trust docs
  • Extended context: X-Wrify-Source, X-Wrify-Session headers for workflow linking

April 2, 2026

  • ChatGPT/Gemini/Grok docs: prefill link approach documented
  • Share menu simplified — added Grok, removed Remix + Developer Tools sections
  • Security page maturity note
  • Bug 12 + 13 fixes: deleted creations in explore, embed CSP
  • Forgot password flow for email/password accounts

April 1, 2026

  • Upload endpoints: /u8p (secure+protected), /ux (24h ephemeral), /u1 (view-once)
  • PII/credential detection expanded from 21 to 45 patterns
  • New account quarantine: tighter rate limits for first 24h
  • Interactive todo checkboxes with save
  • Sign out button fixed on mobile
  • Vanity slug abuse prevention: 30-day cooldown, reserved list expanded

March 31, 2026

  • Auth migration: Clerk removed, direct Google + GitHub OAuth added
  • Email verification with unverified = unlisted + 30-day expiry
  • API auth consolidated to x-api-key header only
  • SVG sanitization (server-side), expiry tiers, shortId recycling
  • Dashboard fix: version-collapsed view, expiry countdown
  • Chat import: multi-format parser (ChatGPT/Grok/Gemini/Claude)
  • Multi-file bundle UX: file browser, hosted site navigation

March 28-30, 2026

  • CodeMirror editor with markdown toolbar
  • Homepage product-first redesign
  • Server-side analytics (21 event types)
  • Provenance auto-detection from User-Agent
  • MIME allowlist per auth tier

Full development history tracked at wr.fi/a028 (200+ versions). Built in public with Claude Code, ChatGPT, Gemini, and Grok.