Stripe Billing System - Full Subscription Infrastructure
Complete payment and subscription management system integrated with Stripe, featuring 4-tier pricing, IP-restricted access, automated email notifications, and admin revenue dashboard. System built production-ready but held behind "Coming Soon" gates for beta period.
New **Stripe Checkout Integration** - Secure server-side session creation with redirect to Stripe-hosted checkout. Supports both one-time payments (Combat Trial) and recurring subscriptions (Operative, Tactical, Commander)
New **Stripe Webhook Handler** - Processes checkout completed, subscription updates, cancellations, and payment failure events with cryptographic signature verification
New **Subscriptions Table** - Full Supabase schema with row-level security, tier enums, customer and subscription ID tracking, billing period timestamps, and auto-renewal flags
New **Profile Sync** - Every Stripe event automatically syncs subscription tier, status, and period end to the profiles table for instant access control updates
New **Customer Portal** - Self-service billing management for subscribers to update payment methods, view invoices, and cancel subscriptions
New **IP Access Restriction System** - Database-backed tracking for free 24hr and Combat Trial usage per IP address. Combat checkout blocks duplicate IPs; registration occurs on successful payment via webhook
New **Free 24hr Access Flow** - Signup-gated free trial with IP lock (one use per IP). "Start Free" redirects to signup with auto-activation on registration
New **Subscription Email Notifications** - Three NOVA-branded email templates: subscription activated, payment failed (with update payment CTA), and subscription canceled (with resubscribe CTA). All triggered automatically from Stripe webhook events via Resend
New **Automated Trial Expiry** - Hourly cron job expires Combat Trials after 7 days and cleans up expired free 24hr access records, resetting user profiles to free tier
New **Admin Protocol - Subscriptions Tab** - New admin dashboard section with MRR calculation, active/past due/canceled subscriber counts, per-tier revenue breakdown, searchable and filterable subscription table, and direct links to Stripe customer records
New **Dashboard Access Control Upgrade** - Dashboard now evaluates both manually assigned roles and Stripe subscription tiers, granting whichever provides higher access. Enables seamless transition from manual role management to self-service subscriptions
New **useSubscription Hook** - Shared React hook providing checkout trigger, portal access, tier detection, and access checks across all pricing surfaces
New **Checkout on All Surfaces** - Subscribe buttons wired on homepage (#pricing), dedicated /pricing page, and dashboard subscription management. Consistent UX across all entry points
Improved **Homepage CTAs** - "Start Free" buttons updated to "Join Beta" linking to /betalaunch during beta period
Improved **Pricing Page Banner** - Added "Subscriptions Coming Soon - Currently in Beta" notice
Improved **Dashboard Subscription UI** - Unified blue button styling, real-time current plan detection from Stripe data, and wired Manage Billing button
Security **Webhook Signature Verification** - All incoming payment events cryptographically verified before processing
Security **Server-Side Payment Handling** - All sensitive payment operations isolated to server-side API routes with authenticated sessions
Security **Secured Automation Endpoints** - Trial expiry and access management endpoints protected with randomized authentication tokens
Security **Proxy-Aware IP Detection** - Accurate client IP resolution behind reverse proxy for reliable access restriction enforcement
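
The webhook signature check listed above, written out as an added example (not NOVA's code): it follows Stripe's documented `Stripe-Signature` scheme, an HMAC-SHA256 over `timestamp.rawBody`, with a replay window and constant-time comparison. The secret, event body and `signForDemo` helper are constructed for the example; production handlers normally call the Stripe SDK's `stripe.webhooks.constructEvent` on the unparsed request body.

```javascript
const crypto = require('node:crypto');

// Verifies a Stripe-Signature header of the form "t=<unix ts>,v1=<hex hmac>[,v1=...]"
// against the raw (unparsed) request body. Returns the parsed event or throws.
function verifyStripeEvent(rawBody, header, secret,
                           nowSec = Math.floor(Date.now() / 1000), toleranceSec = 300) {
  let timestamp = '';
  const signatures = [];
  for (const part of String(header || '').split(',')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === 't') timestamp = value;
    else if (key === 'v1') signatures.push(value);
  }
  if (!/^\d+$/.test(timestamp) || signatures.length === 0) {
    throw new Error('malformed signature header');
  }
  // Reject stale or future-dated deliveries so a captured request cannot be replayed later.
  if (Math.abs(nowSec - Number(timestamp)) > toleranceSec) {
    throw new Error('timestamp outside tolerance');
  }
  // The MAC covers "<timestamp>.<body>": re-serialized JSON would not match byte for byte.
  const expected = crypto.createHmac('sha256', secret)
    .update(`${timestamp}.${rawBody}`, 'utf8')
    .digest();
  const valid = signatures.some((hex) => {
    const given = Buffer.from(hex, 'hex');
    return given.length === expected.length && crypto.timingSafeEqual(given, expected);
  });
  if (!valid) throw new Error('signature mismatch');
  return JSON.parse(rawBody);
}

// Constructed secret and signer, used only to produce sample input for the verifier.
const DEMO_SECRET = 'whsec_constructed_example_secret';
function signForDemo(rawBody, timestamp, secret = DEMO_SECRET) {
  const mac = crypto.createHmac('sha256', secret)
    .update(`${timestamp}.${rawBody}`, 'utf8')
    .digest('hex');
  return `t=${timestamp},v1=${mac}`;
}

// Constructed event body; a real one arrives as the POST body from Stripe.
const DEMO_BODY = '{"id":"evt_constructed","type":"checkout.session.completed"}';
```
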
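
An added example (not NOVA's code) of proxy-aware IP resolution for the per-IP trial locks: the forwarded header is honoured only when the socket peer is the reverse proxy, and it is read right to left so client-supplied entries cannot replace the address the proxy saw. It assumes Nginx on loopback is the only proxy and that it appends the peer address to `X-Forwarded-For`; the function names and sample addresses are constructed.

```javascript
const net = require('node:net');

// Assumption: the only trusted hop is the local reverse proxy on loopback.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1']);

// Strip the IPv4-mapped IPv6 prefix that dual-stack sockets report (::ffff:a.b.c.d).
function normalize(addr) {
  const a = String(addr || '').trim().toLowerCase();
  return a.startsWith('::ffff:') && net.isIPv4(a.slice(7)) ? a.slice(7) : a;
}

// peerAddress: the socket's remote address; xForwardedFor: the raw header value.
function resolveClientIp(peerAddress, xForwardedFor, trusted = TRUSTED_PROXIES) {
  const peer = normalize(peerAddress);
  // A connection that did not come through the proxy gets no say over its own address.
  if (!trusted.has(peer)) return peer;

  const hops = String(xForwardedFor || '').split(',').map(normalize).filter(Boolean);
  // Walk right to left: each proxy appends the address it saw, so anything to the
  // left of the first untrusted hop was supplied by the client and is ignored.
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!net.isIP(hops[i])) break;            // malformed entry: stop trusting the header
    if (!trusted.has(hops[i])) return hops[i];
  }
  return peer; // nothing usable in the header: fall back to the socket address
}
```

Keying a one-use-per-IP lock on the leftmost header entry instead would let a client pick a fresh address on every request.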
v1.9.0 February 14, 2026
Tax Center - Multi-Jurisdiction Tax Estimation Engine
New dashboard section providing institutional-grade tax estimation across 15 countries with verified 2025 tax rates, auto-populated trade data, and PDF export.
New **Tax Center Section** - 5-step wizard: jurisdiction selection → taxpayer info → data review → tax estimate → PDF export
New **15 Jurisdictions** - US (Form 8949/Schedule D, Section 1256 60/40), UK (SA108, CGT 18/24%), Netherlands (Box 3, vermogensrendementsheffing), Germany (Anlage KAP, Abgeltungsteuer 25% + Soli), France (PFU 30%), Canada (50/66.67% inclusion), Australia (50% CGT discount), Japan (20.315% bunri kazei), India (STCG 20%, LTCG 12.5%), Ireland (33% CGT), Sweden (30% kapitalskatt + ISK), Switzerland (private investor exempt, cantonal wealth tax), Singapore (investor exempt, trader income tax), Italy (26% imposta sostitutiva), Spain (savings brackets 19-30%)
New **Auto-Population** - Pulls short-term gains, long-term gains, options P&L, dividends, and other income from NOVA trades table
New **Editable Tax Parameters** - All rates, deductions, exemptions, and filing thresholds configurable per jurisdiction before computation
New **PDF Export** - Client-side generation via jspdf with dark NOVA-themed styling, taxpayer info, income breakdown, tax computation, and estimated liability. Filename: `NOVA-Tax-{COUNTRY}-{YEAR}.pdf`
New **Legal Disclaimers** - Three-layer protection: UI estimate disclaimer, PDF export disclaimer, and embedded PDF document disclaimer. NOVA is not a licensed tax preparer, CPA, or financial advisor
New NOVA blue theme throughout (blue-950/blue-500/blue-400 palette replacing default emerald)
New Country selection cards with flag emojis, hover glow effects, and active state indicators
New Progress bar with blue-400 gradient tracking wizard steps
New Responsive layout consistent with existing dashboard sections
v1.8.0 February 13, 2026
Economic Calendar, Crypto 3D Visualizations & Market Overview Redesign
Major UI overhaul across the Market Overview and Crypto sections with new data integrations, canvas-rendered 3D charts, and layout improvements focused on readability and information density.
New **Economic Calendar (Left Panel)** - Full vertical sidebar with upcoming macro events from Finnhub API. Shows country codes, impact level bars (high/medium/low), date/time, previous values, forecasts, and actual results. Supports 8 countries (US, EU, GB, CN, JP, DE, CA, AU) with 7-day lookahead and up to 12 events
New **Live Event Indicators** - Events within 5 minutes show cyan LIVE badge, upcoming events display countdown timers, past events fade gracefully. High-impact events highlighted with red left border and impact bars
New **Crypto Depth Chart 3D Mode** - Full canvas-rendered time-evolution depth visualization with 20 historical snapshots in isometric projection. Features floor grid, back-to-front painter's algorithm rendering, per-slice opacity fade, specular highlights, side walls for depth perception, and time labels (NOW to -20s)
New **Crypto Candlestick Chart** - Canvas-rendered OHLCV candlestick chart replacing the old sparkline SVG in the Overview tab. Includes volume bars subplot, crosshair tooltip, DPR scaling for Retina displays, price labels, and grid
New **Crypto 2D/3D Toggles** - All six crypto tabs (Overview, Orderbook, Liquidity, Depth, Trades, Liquidations) now have 2D/3D view toggles in their toolbars
New **Crypto Orderbook Cumulative Column** - Running total depth column added to the orderbook with enhanced spread display showing ratio percentage
New **Crypto Trades Whale Detection** - Trades over $50K marked with an emoji, volume-scaled gradient rows, and elevated shadow effects in 3D mode
New **Crypto Liquidations Visualization** - Impact-scaled gradients with left border intensity, elevated REKT events, and long/short pressure bar in 3D mode
New **Asset Ticker Strip** - Market Overview bottom bar showing all tracked instruments (AAPL, NVDA, TSLA, MSFT, BTC, ETH, GOLD, EUR/USD) with prices and change percentages, plus sector mini-badges (TECH, ENERGY, CHIPS, CRYPTO)
Improved **Market Overview Layout Redesign** - Economic Calendar moved to left sidebar (vertical, scrollable), asset list relocated to bottom ticker strip, analyst note given more vertical space. Sectors panel removed to reduce clutter
Improved **Crypto Color Consistency** - All crypto section colors migrated from blue (#3B82F6) to NOVA teal (#26a69a) across 33+ instances for brand-consistent terminal aesthetic
Improved **Canvas DPR Scaling** - All canvas-rendered charts now properly scale for Retina/HiDPI displays using devicePixelRatio, fixing blurry rendering on high-resolution screens
Improved **Depth Chart Crosshair** - Interactive crosshair with price and quantity tooltips on hover in 2D mode
Improved **Landing Page Color Fix** - Inline rgba blue references in grid overlay, orbital ring shadows, and CTA button corrected to NOVA teal
Improved **BETA Badge Styling** - Sidebar BETA badges dimmed for cleaner visual hierarchy (reduced opacity and border intensity)
Improved **Copyright Year** - Landing page footer updated from 2025 to 2026
Fixed **X Bot Double-Posting** - Both nova-bot and x-bot now use absolute paths for history files (previously relative paths caused split history between working directory and bot folder). Added 2-hour cooldown guard to prevent duplicate posts on PM2 restarts
Fixed **nova-bot History Path** - Fixed history file writing to wrong directory (/var/www/nova-terminal/ instead of /home/ubuntu/nova_bot/) due to PM2 cwd mismatch
Fixed **Global Color Revert** - Safely reverted accidental global rgba color replacement that affected branded blue elements outside of Crypto and Landing sections
v1.7.0 February 12, 2026
Security Hardening & Platform Integrity
Comprehensive pre-beta security audit and full-stack hardening. Platform security score improved from 6/10 to 10/10 across server infrastructure, database policies, and application layers. Every security surface has been reviewed and fortified ahead of the beta launch.
New **Fail2Ban Intrusion Prevention** - Installed and configured brute-force detection on SSH with a 3-attempt limit and 1-hour automatic IP ban. Within minutes of activation, 6 malicious IPs were detected and blocked from 131 unauthorized login attempts
New **SSH Key-Only Authentication** - Generated and deployed ED25519 key pair. Password-based authentication permanently disabled. Root login blocked. Maximum authentication attempts reduced to 3 per connection
New **HTTP Security Headers** - 5 critical headers added to all NOVA responses via Nginx:
Improved **CORS Lockdown** - API subdomain (api.tradewithnova.eu) Access-Control-Allow-Origin changed from wildcard (*) to https://www.tradewithnova.eu only. Previously any website on the internet could make authenticated requests to the NOVA API
Improved **Server Fingerprint Removal** - Nginx server version (1.24.0) and Next.js X-Powered-By header stripped from all HTTP responses, preventing attackers from targeting version-specific vulnerabilities
Improved **Network Attack Surface Reduction** - Next.js application bound to localhost (127.0.0.1) instead of all interfaces (0.0.0.0), meaning it can only be accessed through the Nginx reverse proxy where security headers and TLS are enforced. Internal ThetaData ports and CORS proxy port removed from public firewall rules
Improved **Privilege Escalation Prevention** - Background TikTok content scheduler was running as root (full system access). Terminated and restarted under standard ubuntu user. If compromised, an attacker can no longer gain root-level control
Improved **Credential File Hardening** - All 5 environment files (.env) across the server locked to owner-only read/write permissions (chmod 600). Previously world-readable. Stale project backup directory containing duplicate API keys and tokens permanently deleted
Improved **Dependency Vulnerability Patching** - Next.js upgraded from 15.6.0-canary.0 to stable 16.1.6, resolving 3 high-severity Denial of Service vulnerabilities (Image Optimizer remote patterns exploit, HTTP request deserialization attack, and unbounded memory consumption via PPR resume endpoint). Axios updated in TikTok engine to patch prototype pollution DoS vector. All projects now report zero known vulnerabilities
Security **Row Level Security - Admin Access Controls** - Four database tables had admin-only policies that actually granted access to every logged-in user. Fixed by adding proper ADMIN role verification:
Security **Row Level Security - Data Isolation Enforcement** - Six tables allowed any authenticated user to insert rows with arbitrary user IDs, potentially injecting data into other users' accounts. Added WITH CHECK (auth.uid() = user_id) constraints on: expenses, portfolios, trades, prop_firm_accounts, tickets, and profiles
Security **Row Level Security - Profile Privacy** - "Public profiles are viewable by everyone" policy replaced with "Authenticated users can view profiles", ensuring unauthenticated visitors cannot enumerate user accounts, email addresses, or role assignments
Security **Row Level Security - Duplicate Policy Cleanup** - Removed duplicate INSERT policy on profiles table ("Users can insert their own profile" alongside "Users can insert own profile")
Security **RLS Audit Verification** - All 14 public database tables confirmed with Row Level Security enabled. All INSERT policies verified with WITH CHECK constraints. All admin policies verified with proper role checks. Zero open policies remaining
Security **Service Role Key Audit** - Verified SUPABASE_SERVICE_ROLE_KEY (which bypasses all Row Level Security) is only referenced in server-side API routes and backend scripts, never exposed to client-side browser code
Security **SSL/TLS Verification** - Confirmed TLSv1.3 with AES-256-GCM-SHA384 cipher suite and X25519 key exchange. Both certificates (main domain and API subdomain) valid with auto-renewal via Certbot
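
An added example (not NOVA's code or Nginx configuration) of the CORS Lockdown entry above as a regression check: the wildcard policy, a substring-matching half-fix shown for contrast, and an exact-match allow-list are run against a constructed set of probe origins. Only `https://www.tradewithnova.eu` comes from the changelog; the policy functions and probe origins are hypothetical.

```javascript
// Allowed origin taken from the changelog entry; everything else is constructed.
const ALLOWED_ORIGINS = new Set(['https://www.tradewithnova.eu']);

// Before: wildcard policy, every origin may read responses.
function wildcardPolicy(_origin) {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Hypothetical half-fix, shown for contrast: substring matching still admits look-alikes.
function substringPolicy(origin) {
  return String(origin).includes('tradewithnova.eu')
    ? { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' }
    : { Vary: 'Origin' };
}

// After: exact match on the full serialized origin (scheme + host + port).
function exactPolicy(origin) {
  const headers = { Vary: 'Origin' }; // caches must key on Origin once the header varies
  if (typeof origin === 'string' && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
  }
  return headers;
}

// Returns the probe origins that a policy would allow to read responses.
function admittedOrigins(policy, probes) {
  return probes.filter((origin) => {
    const allow = policy(origin)['Access-Control-Allow-Origin'];
    return allow === '*' || allow === origin;
  });
}

// Constructed probe set for a regression test of the deployed policy.
const PROBES = [
  'https://www.tradewithnova.eu',
  'http://www.tradewithnova.eu',               // same host, plaintext scheme
  'https://www.tradewithnova.eu.example.net',  // allowed host used as a prefix
  'https://nottradewithnova.eu',               // allowed host used as a suffix
  'https://unrelated.example',
  'null',                                      // opaque origin, e.g. a sandboxed frame
];
```
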
v1.7.0 February 12, 2026
Security Hardening & Platform Integrity
Pre-beta security audit and full-stack hardening across server, database, and application layers.
New **Fail2Ban Protection** - Brute-force detection and automatic IP banning on SSH (3 attempts, 1-hour ban). 6 malicious IPs blocked within minutes of activation
New **SSH Key Authentication** - ED25519 key pair configured with password authentication disabled and root login blocked
Improved **CORS Policy** - API subdomain restricted from wildcard (*) to platform domain only, preventing unauthorized cross-origin requests
Improved **Server Privacy** - Nginx version and Next.js X-Powered-By headers removed from all responses
Improved **Network Hardening** - Next.js bound to localhost only (no longer directly accessible), internal service ports removed from firewall
Improved **Process Security** - Background scheduler moved from root to standard user, eliminating privilege escalation risk
Improved **Credential Security** - All environment files locked to owner-only permissions, stale backup with exposed credentials removed
Security **RLS Admin Policies** - Restricted beta_signups, newsletter_campaigns, newsletter_sends, and discord_submissions admin access to verified ADMIN role (previously open to all authenticated users)
Security **RLS INSERT Policies** - Added WITH CHECK constraints on expenses, portfolios, trades, prop_firm_accounts, tickets, and profiles to prevent cross-user data injection
Security **Profile Visibility** - Public profile access restricted to authenticated users only
Security **Dependency Patches** - Next.js upgraded to 16.1.6 (3 high-severity DoS fixes), Axios prototype pollution patched. Zero known vulnerabilities across all projects
v1.6.0 February 11, 2026
Earnings Calendar, Secure Inbox & Daily Brief PDF
New **Earnings Calendar (Right Panel)** - Clickable Mon-Fri weekly view showing earnings counts with impact indicators (red = $50B+ mega cap, yellow = $10B-$50B large cap). Click any day to open a full-screen popup with detailed company cards grouped by Pre-Market and After-Hours, including company name, sector badge, EPS and revenue estimates
New **Earnings Calendar (Full Page)** - Dedicated sidebar section with monthly grid view, clickable day cells, and detail sidebar for browsing upcoming earnings across any month
New **Earnings API** - Finnhub-powered earnings calendar endpoint enriched with sector classifications and impact ratings from a curated database of 170+ major publicly traded companies ($10B+ market cap)
New **Secure Inbox & Feedback System** - Submit feature requests, support tickets, and bug reports directly from Profile → Feedback tab. Tickets are created in the Secure Inbox with threaded message support, and the NOVA team can reply directly within the platform
New **Email Notifications** - New ticket submissions automatically send a NOVA-branded email to support@tradewithnova.eu via Resend API with full ticket details
New **Unread Message Indicator** - Real-time red pulsing dot on the envelope icon (top-right header) powered by Supabase real-time subscriptions on the messages table. Clears when you open the Secure Inbox
New **Daily Intelligence Brief PDF** - Downloadable NOVA-branded dark-themed PDF report from Market Overview (blue file icon next to refresh). Includes analyst narrative, market regime status, key price levels, economic calendar events, and today's earnings schedule
New **NovaWiki v3.1** - Added comprehensive documentation for Earnings Calendar (5 articles) and Secure Inbox & Feedback System (4 articles). Updated dashboard layout descriptions to reflect new right panel structure and header bar features
Improved **Right Panel Redesign** - Wire news feed on top, Earnings Calendar weekly view on bottom. Replaced NOVA AI chatbot placeholder with actionable earnings data
Improved **Feedback Flow** - Submissions now create proper tickets in the tickets/messages tables (previously used discord_submissions), enabling full conversation threading and status tracking through the existing Secure Inbox infrastructure
v1.5.1 2026-02-11
Automated Discord Intelligence & System Monitoring
New **EOD Market Snapshots** - Automated daily market cards posted to Discord at midnight EST for SPX, NDX, and VIX with price chart, technical indicators (RSI, SMA 20/50, MACD), EOD levels, and AI-generated market summary with technical bias
New **System Status Reports** - Automated platform health checks posted to Discord twice daily (8 AM & 5 PM EST) covering service uptime, endpoint availability, and overall system health
New **PM2 Auto-Start** - NOVA app now automatically restarts after server reboots
Improved **Server Security** - Applied 17 system updates including kernel upgrade (6.8.0-90 → 6.8.0-100)
Improved **Cron Cleanup** - Removed deprecated ThetaData startup scripts and old EOD card jobs
Improved **ThetaData References** - Cleaned up legacy ThetaTerminal cron entries no longer in use