Changelog

Notable changes to aly.store, ordered most-recent first. Patch and infrastructure-only updates are omitted unless they change observable behavior.

2026-05

Storefront performance pass

• Storefront routes now render via one-shot Convex HTTP + ISR (revalidate=300) with on-demand revalidation on publish/update — first-paint latency drops materially.
• Cart rows are created lazily on buyer intent rather than eagerly on page load. Bot traffic no longer fills the carts table.
• Lazy-loaded voice agent assets — ElevenLabs + LiveKit only load on sites that render a voice section.

Headless CLI matures

• tools/aly-store-cli.ts now ships two transports — MCP and --direct — with consistent JSON output.
• Automatic redaction of sensitive flags (--api-key, --token, --secret, --password, --client-secret) in meta output.

2026-04

UCP v1 spec alignment (2026-04-08)

• Catalog lookup is now a POST with a body of up to 50 ids (was a GET with a comma-list).
• Checkout-session responses include a messages array surfacing non-fatal notes (substituted variant, removed out-of-stock item, expired coupon).
• Per-store discovery (/.well-known/ucp) is now host-aware — store hosts bind site_slug automatically.

JWS request/response signatures

• UCP and A2A requests can carry a Request-Signature JWS header for non-repudiable identity linking.
• Successful signed requests record the agent identity on resulting tasks and orders.
• Store-level enforcement is opt-in; default is “sign if you want, we'll verify and ignore if not.”

Security + correctness audit handoff

• Multi-round audit completed; full record at .audit/HANDOFF.md in the aly-store repo.
• Tightened bearer-token caching, rate-limit semantics on agent surfaces, and the internal-mutation ownership re-check pattern.

2026-03

x402 micro-payments live

• Per-product GET endpoint at /api/x402/product/{siteSlug}/{productId} returns 402 with EIP-712 transfer authorizations on Base, Ethereum, and Polygon.
• Eligibility: digital products only, USD price, ≤ site limit, file attached.
• Idempotency derived from a hash of the payment payload; settlement happens after the response, with PAYMENT-RESPONSE tx-hash header.

OAuth 2.1

• Dynamic client registration and a consent screen at /oauth/authorize.
• Workspace-scoped aly_oauth_* tokens; refresh tokens rotate.
• Discovery published at /.well-known/oauth-authorization-server (RFC 8414).

2026-02

A2A skill registry

• Default skills: catalog-search, ucp-checkout, x402-purchase, order-status, membership-signup.
• Streaming variant at POST /api/a2a/streaming using Server-Sent Events.
• Per-task subscription via POST /api/a2a/tasks/{taskId}/subscribe and push-config registration via /push-configs.

Membership tiers

• Sites can now sell recurring subscriptions via Stripe Subscriptions.
• Membership state gates product visibility, price-list eligibility, and gated content blocks.
• Webhook events: membership.subscriber.created, .updated, .cancelled, .payment_failed.

2026-01

MCP server ships

• JSON-RPC 2.0 endpoint at POST /api/mcp; ~80 tools across 23 families.
• Bearer auth (aly_* API keys); OAuth tokens followed in March.
• Per-principal durable rate limit and per-IP pre-auth bucket.

Hosted storefronts on wildcard

• Sites publish to <slug>.aly.store on a Vercel wildcard, with optional custom-domain attach (DNS-verified).
• Cloudflare R2 backs media; cdn.aly.store serves public assets with optional Image transforms.

Earlier

Pre-2026 history lives in the aly-storerepository's git log. The 0.1 line stabilized the editor, product/variant model, Stripe-Connect checkout, and the storefront ISR architecture.