TL;DR
- 23 commits across 4 repos, one theme: opening apps to the outside world, safely.
- Public: kickoff v1.32.0 ships SDK-free support-widget integration stubs.
- Private: external intake channels (token-authed API, cookie-free widget, signed webhooks) on a helpdesk product; signed public API + rebuild webhooks on an event platform.
Everything today was about external surfaces — letting the outside in without leaving the door unlocked.
What shipped
| Where | What |
|---|---|
kickoff v1.32.0 (public) |
SDK-free support-widget integration stubs: settings class + migration, Livewire admin settings page, Blade component, docs, Pest coverage |
| Helpdesk product (private) | External intake channels: token-authed API, magic-link requester view, cookie-free embeddable widget, signed outbound webhooks, hardening pass from an adversarial review |
| Event platform (private) | Signed public event API + landing-page rebuild webhooks, persona nav overhaul, 15 new MCP tools, offline PWA check-in, plan-limit enforcement |
| Event platform docs (private) | Tracker updates + before/after UX screenshots |
Stubs, not SDKs
kickoff now ships a support-widget integration as stubs — settings class, migration, admin page, Blade component — copied into your app. No composer dependency for glue code: you own it, you can read it, you can change it. For ~100 lines of integration code, a stub beats a package.
Intake is three problems
The helpdesk work was the day's core: letting outside systems and end users create tickets. Every inbound surface splits into the same three problems — who gets in (token auth, magic links), what they can do (rate limits, severity clamps, single-use entry), and what you send back out (signed, idempotent webhooks). An adversarial review caught four real issues before launch; that story gets its own post, next.
Static pages, fresh data
The event platform got a signed public API plus webhooks that fire on content changes — so landing pages can be static builds that rebuild themselves when an event changes. CDN speed, CMS freshness, nothing dynamic on the hot path.
Also: plan limits (active events, staff seats) are now enforced in the domain actions, not just the UI. The UI check is a courtesy; the exception in the action is the contract.
Takeaway
Every external surface came down to the same checklist: authenticate, clamp, sign, dedupe. Deep-dive on the widget hardening in the next post.
Top comments (0)