DEV Community

Cover image for Dev Log: 2026-07-05
Nasrul Hazim
Nasrul Hazim

Posted on

Dev Log: 2026-07-05

TL;DR

  • 23 commits across 4 repos, one theme: opening apps to the outside world, safely.
  • Public: kickoff v1.32.0 ships SDK-free support-widget integration stubs.
  • Private: external intake channels (token-authed API, cookie-free widget, signed webhooks) on a helpdesk product; signed public API + rebuild webhooks on an event platform.

Everything today was about external surfaces — letting the outside in without leaving the door unlocked.

What shipped

Where What
kickoff v1.32.0 (public) SDK-free support-widget integration stubs: settings class + migration, Livewire admin settings page, Blade component, docs, Pest coverage
Helpdesk product (private) External intake channels: token-authed API, magic-link requester view, cookie-free embeddable widget, signed outbound webhooks, hardening pass from an adversarial review
Event platform (private) Signed public event API + landing-page rebuild webhooks, persona nav overhaul, 15 new MCP tools, offline PWA check-in, plan-limit enforcement
Event platform docs (private) Tracker updates + before/after UX screenshots

Stubs, not SDKs

kickoff now ships a support-widget integration as stubs — settings class, migration, admin page, Blade component — copied into your app. No composer dependency for glue code: you own it, you can read it, you can change it. For ~100 lines of integration code, a stub beats a package.

Intake is three problems

The helpdesk work was the day's core: letting outside systems and end users create tickets. Every inbound surface splits into the same three problems — who gets in (token auth, magic links), what they can do (rate limits, severity clamps, single-use entry), and what you send back out (signed, idempotent webhooks). An adversarial review caught four real issues before launch; that story gets its own post, next.

Static pages, fresh data

The event platform got a signed public API plus webhooks that fire on content changes — so landing pages can be static builds that rebuild themselves when an event changes. CDN speed, CMS freshness, nothing dynamic on the hot path.

Also: plan limits (active events, staff seats) are now enforced in the domain actions, not just the UI. The UI check is a courtesy; the exception in the action is the contract.

Takeaway

Every external surface came down to the same checklist: authenticate, clamp, sign, dedupe. Deep-dive on the widget hardening in the next post.

Top comments (0)