Changelog

Five new browser-based image tools — cropper, compress-to-KB, multilingual OCR, AI upscaler, photo-to-sketch

• NewImage Cropper at /tools/image-tools/image-cropper. Drop an image, drag the crop frame, get a JPG or PNG. 7 standard aspect ratios (1:1, 4:3, 16:9, 9:16, 3:2, 2:3, 3:4) plus free-form, with 90° rotation for sideways phone photos. Powered by react-easy-crop rendered to canvas locally — instant preview, no uploads.
• NewCompress to Target KB at /tools/image-tools/compress-to-size. Set the size you need (20 / 50 / 100 / 200 / 500 KB / 1 MB) and the tool finds the highest-quality JPG (or WebP) that fits — guaranteed within 1-2% of target, never over. Built specifically for Indian govt portals (UPSC: 20-300 KB, IBPS: 20-50 KB, Passport Seva: 10-200 KB, Aadhaar: 100 KB, NEET / JEE: 10-200 KB) that reject the form if you're a kilobyte over.
• NewAlgorithm — binary search over JPG quality (0.05 → 0.95) in 12 iterations. Reverses the usual compressor flow: instead of "pick a quality, see the size," you specify the exact size and we find the highest quality that fits. Critical when a portal demands "under 50 KB" exactly.
• NewImage to Text (OCR) at /tools/image-tools/image-to-text. 14 languages — English, Hindi (Devanagari), Marathi, Tamil, Telugu, Bengali, Kannada, Malayalam, Gujarati, Punjabi, Urdu, plus French / German / Spanish. Powered by tesseract.js (WebAssembly build of Google's open-source Tesseract engine). Language data fetched from tessdata.projectnaptha.com on first use (~10 MB per language) and cached.
• NewAI Image Upscaler at /tools/image-tools/image-upscaler. 2× super-resolution using the Swin2SR transformer model running entirely in the browser via @huggingface/transformers. WebGPU when available, WebAssembly fallback. Model is ~6 MB; first run downloads it once, after which inference takes a few seconds per image.
• NewPhoto to Sketch at /tools/image-tools/photo-to-sketch. Three styles — pencil (soft graphite shading), charcoal (high-contrast smudged), ink (stark line-art) — with live preview as you switch. Pure Canvas filters: edge detection + tone mapping + a configurable filter stack. No AI model needed.
• NewAll five tools are 100% in-browser — image never leaves the device. Verifiable in DevTools → Network: zero outbound requests for the image itself. Only one-time model / language fetches from open-source CDNs (HuggingFace, jsdelivr, tessdata.projectnaptha.com), cached locally after first use.
• NewSEO — each page has its own title / description / keywords / canonical, og:* tags, twitter:card, and three JSON-LD schemas (WebApplication, BreadcrumbList, FAQPage). Sitemap auto-includes all 5 via BESPOKE_TOOLS. Per-tool FAQ sections cover privacy, language support, model size, accuracy expectations, and edge cases.
• NewRelease blog post at /blog/5-new-image-tools-shipped covers all five with the gap each one fills — focus on the privacy-first / no-upload posture as the unifying frame.
• ImprovedFeaturesCarousel — 5 new tools added to the PDF & Image tab. Cluster now spans HEIC to JPG, Passport Photo Maker, Image Cropper, Compress to Target KB, Image to Text OCR, AI Upscaler, and Photo to Sketch alongside the original PDF tools.
• ImprovedCSP — connect-src now permits https://tessdata.projectnaptha.com so tesseract.js can fetch language traineddata files. Other model / WASM hosts (HuggingFace, jsdelivr, hf.co) were already allowed for the AI Background Remover and Passport Photo Maker.

Passport Photo Maker — auto-detect face, crop to 16 country specs (India / US / UK / Schengen / China / Japan / UAE / Saudi / etc.)

• NewPassport Photo Maker at /tools/image-tools/passport-photo. Upload a photo → in-browser face detection (via @vladmandic/face-api, lazy-loaded ~6MB tiny detector model from jsdelivr) → auto-crop and resize to the exact country spec. Live preview at correct physical scale, fine-tune crop with directional nudge buttons, re-detect button if first detection misses.
• New16 document specs across 5 regions: India (Passport, OCI, PAN Card 25×35mm, Voter ID / EPIC, Driving License), Americas (US Passport/Visa, Canada), Europe (UK 35×45mm light-grey, Schengen Visa / EU), Asia / Pacific (Australia, New Zealand, China Visa 33×48mm, Japan, Singapore), Middle East (UAE / Dubai Visa 43×55mm, Saudi Arabia 40×60mm). Each spec has its own size, head-height ratio, and background color rule.
• NewAll output rendered to canvas at 300 DPI for print quality — a 35×45mm spec produces a 413×531 pixel JPG. Background is filled with the spec-correct color (pure white for most, light grey/cream for UK + Schengen since those authorities reject pure white).
• NewPrint sheet generator — arrange 6 cropped photos on a standard 4×6 inch sheet (1800×1200 pixels at 300 DPI) with cut guides between each. Most photo labs accept this for "4×6 borderless" printing.
• NewHonest scope — tool crops and resizes but doesn't replace the background. For non-white backgrounds, a clear hint links to the existing AI Background Remover, save on white canvas, return. Background-replacement integration is on the roadmap for v2.
• NewSpec selector grouped by region (India / Americas / Europe / Asia-Pacific / Middle East) with regional headers. Reference table in the SEO content shows all 16 specs by region with size, background, and use-case notes.
• NewStructured data — WebApplication, BreadcrumbList, FAQPage JSON-LD. 9-question FAQ explaining face-detection accuracy, why UK/Schengen needs grey background, multi-face handling, 300 DPI print readiness, expression / glasses rules, watermark policy.
• ImprovedFeaturesCarousel — Passport Photo Maker added to the PDF & Image tab alongside HEIC to JPG and the AI Background Remover, completing the AI-photo cluster.

HEIC to JPG Converter — drop iPhone photos, get universally-compatible JPG, 100% in-browser

• NewHEIC to JPG Converter at /tools/image-tools/heic-to-jpg. Drag-and-drop or file-picker, multi-file batch support, adjustable JPG quality slider (50-100%, default 92). Per-file status (pending → converting → done with download / error). Output filename preserves the original (photo.heic → photo.jpg).
• NewPowered by heic2any (a WebAssembly build of libheif) — lazy-loaded only when the user clicks Convert, so the initial page bundle stays clean. Sequential conversion to keep memory pressure manageable on phones and Chromebooks. Already-allowed CSP directives (wasm-unsafe-eval, blob: in script-src) cover the WASM init.
• NewUse cases page covers vendor portals (GST, customs, FSSAI, IEC), WhatsApp Web, printing services, older Windows/Linux machines, and e-commerce listing platforms — all common contexts where HEIC fails and JPG is required.
• NewSEO content — "What is HEIC" explainer with the size-vs-compatibility tradeoff, 9-question FAQ (privacy, batch, quality, Live Photos, file size, max upload), JSON-LD (WebApplication, BreadcrumbList, FAQPage).
• NewSitemap auto-includes via BESPOKE_TOOLS. Targets one of the highest-volume image-tool queries — "convert heic to jpg" gets ~2M/month globally.
• ImprovedFeaturesCarousel — HEIC to JPG added to the PDF & Image tab between Image Convert and Text to PDF, slotted as a sibling converter.

HSN Code Lookup — 11,000+ Indian ITC-HS codes searchable by description or number, with per-chapter SEO pages

• NewHSN Code Lookup at /tools/data-tools/hsn-lookup. Single search input auto-detects: numeric query (8517, 85171210, 30049011) → code prefix lookup; text query (rice, mobile phone, t-shirt) → keyword search across CBIC ITC-HS descriptions. Live debounced results, expand-in-place rows showing the full chapter → heading → sub-heading → 8-digit hierarchy with copy buttons.
• NewPer-chapter SEO landing pages at /tools/data-tools/hsn-lookup/chapter/{NN} — pre-rendered for all 97 ITC-HS chapters (live animals at 01, electrical machinery at 85, vehicles at 87, miscellaneous at 96-98). Each chapter page lists all 4-digit headings with their 8-digit sub-codes, stats (heading count + total codes), and cross-links to other chapters.
• NewBundled dataset of 11,481 8-digit ITC-HS entries across 1,228 headings and 97 chapters — server-only via src/lib/hsnData.ts, loaded once at cold start into byCode/byChapter/byHeading maps for O(1) lookups. Source matches CBIC's official ITC-HS schedule wording (uppercase format with hierarchical " - " separators preserved).
• NewHardcoded WCO chapter titles map (98 entries) — "Live animals", "Electrical machinery and equipment", "Vehicles other than railway", etc. — used in result hierarchy display, per-chapter page hero, and the browse-by-chapter grid. Sourced from WCO HS 2022 nomenclature, India ITC-HS edition.
• NewHonest SAC handling — services queries ("consultancy", "software development", or chapter 99 prefix) trigger an amber notice explaining SAC service codes aren't in this dataset, with example codes (998313 IT consulting, 998314 software dev, 997331 legal, 996311 hotel accommodation, 998361 advertising). SAC-only complementary tool flagged on the roadmap.
• NewIntentional omission of GST rates — rates change at every Council meeting and stale rate data is misleading. Each result links to gst.gov.in for current rate lookup. Disclaimer on the page + in FAQ.
• NewStructured data — WebApplication, BreadcrumbList, FAQPage, and HowTo JSON-LD on the main page; BreadcrumbList on each per-chapter page. FAQ + HowTo qualify for Google rich-result snippets.
• NewSitemap auto-includes main tool + 97 per-chapter URLs at priority 0.7. Cumulative SEO surface across the data-tools cluster: 348 pre-rendered landing pages (2 main lookups + 30 IFSC bank + 30 SWIFT country + 150 SWIFT bank-in-country + 36 Pincode state + 97 HSN chapter + 3 validators).
• ImprovedFeaturesCarousel — HSN Code Lookup added to the Sheet & Web tab as the 6th data tool alongside GSTIN, PAN, IFSC, SWIFT, and PIN code lookups.

India PIN Code Lookup — 155,000+ post offices across 19,000 PINs, with per-state SEO landing pages

• NewPIN Code Lookup at /tools/data-tools/pincode-lookup. Forward (paste 6-digit PIN → all post offices, district, state, with BO/SO/HO type badges) and reverse (state → district → optional area keyword → matching offices with PIN). Cascading state→district dropdowns auto-populate as the previous selection changes.
• NewPer-state SEO landing pages at /tools/data-tools/pincode-lookup/{state} — pre-rendered for all 36+ Indian states/UTs. Each lists top districts by post-office count, most-covered PIN codes (urban areas with 20+ offices), state stats (district / PIN / office totals), and links to other states.
• NewBundled India Post dataset (~155k post offices, ~19k unique PINs) loaded server-only via the india-pincode-lookup npm package — kept out of the function bundle through serverExternalPackages and outputFileTracingIncludes, same pattern as IFSC's 45MB dataset.
• NewState assignment fixes applied at the loader: Telangana districts (Adilabad, Hyderabad, Karimnagar, Khammam, Mahbubnagar, Medak, Nalgonda, Nizamabad, Rangareddy, Warangal) remapped from Andhra Pradesh; Ladakh districts (Leh, Kargil) split from Jammu & Kashmir. The source export was from 2015, before either split propagated.
• NewThree new API routes — pincode-forward, pincode-reverse, pincode-meta — all returning JSON with appropriate cache headers. Linear scans run server-side over a one-time-built Map<pincode> + Map<state> index, so cold-start does the work once and every subsequent request is O(1)/O(district).
• NewSEO content on the main page — "What is a PIN code" with digit-by-digit breakdown (region / sub-region / sorting district / office), "How to find a PIN" 4-step guide, full FAQ explaining BO vs SO vs HO, why Telangana shows as Andhra in legacy lookups, and how Indian PINs differ from ZIP codes.
• NewStructured data — WebApplication, BreadcrumbList, FAQPage, and HowTo JSON-LD on the main page; BreadcrumbList on each per-state page. FAQ + HowTo qualify for Google rich-result snippets.
• NewSitemap auto-includes the main tool plus 36 per-state URLs at priority 0.75. Total cumulative SEO surface across IFSC + SWIFT + GSTIN + PAN + Pincode: 2 main lookup tools (IFSC + SWIFT) + 30 IFSC bank pages + 30 SWIFT country pages + 150 SWIFT bank-in-country pages + 36 Pincode state pages + 2 validators (GSTIN, PAN) + the new Pincode tool = 251 unique landing pages targeting Indian-compliance + cross-border banking queries.
• ImprovedReusable Combobox component — added a third "emerald" accent (alongside sky and amber) for visual distinction across data-tools. SWIFT uses sky, IFSC uses amber, Pincode uses emerald.
• ImprovedFeaturesCarousel — PIN Code Lookup added to the Sheet & Web tab alongside GSTIN, PAN, IFSC, and SWIFT lookups.

PAN Validator + Decoder — 10-character format check + entity-type decoder, 100% client-side

• NewPAN Validator & Decoder at /tools/data-tools/pan-validator. Paste any 10-character PAN — get instant format validation (regex against the 5-letter + 4-digit + 1-letter shape) and a color-coded breakdown of every segment: random series (chars 1-3), entity type (char 4), surname/name initial (char 5), 4-digit sequence (chars 6-9), and check letter (char 10).
• NewEntity-type decoder for the 4th character — surfaces all 10 PAN entity codes: P=Individual, C=Company, F=Firm/LLP, H=HUF, A=AOP, T=Trust, B=BOI, L=Local Authority, J=Artificial Juridical Person, G=Government. Pasting a Company PAN tells you it belongs to a registered company; pasting an Individual PAN tells you so.
• NewSEO content on the page — 'What is a PAN' explainer with character-by-character breakdown, 6 use-case cards (vendor onboarding / TDS compliance / KYC / fake-invoice spotting / etc.), full PAN entity codes reference table, 9-question FAQ (PAN vs Aadhaar, PAN vs GSTIN, why the 5th char matches your surname, why we can't checksum-verify the 10th char).
• NewJSON-LD structured data — WebApplication, BreadcrumbList, FAQPage, and HowTo schemas. FAQ + HowTo qualify for Google rich-result snippets.
• NewSitemap auto-updated via BESPOKE_TOOLS — pan-validator URL is now live in /sitemap.xml at priority 0.8.
• ImprovedFeaturesCarousel — PAN Validator added to the Sheet & Web tab alongside GSTIN, IFSC, and SWIFT lookups.
• ImprovedHonest stance taken on the page — unlike GSTIN, PAN's 10th-character algorithm is internal to the IT department and not publicly documented. The verdict card and FAQ both make this explicit and link out to incometax.gov.in for actual issuance verification. Format-only validation still catches typos, transposed characters, and fabricated PANs in seconds.

GSTIN Validator + Decoder, 150 SWIFT per-bank-in-country pages, expand-in-place result rows

• NewGSTIN Validator & Decoder at /tools/data-tools/gstin-validator. Pure client-side: paste a 15-character GST number, get live three-state verdict (valid / format-OK-but-checksum-mismatch / invalid), color-coded segment breakdown, and decoded state name + embedded PAN + entity type (Company / Firm / Proprietor / etc.). Implements GSTN's official base-36 modulus checksum algorithm.
• NewPer-bank-in-country SWIFT landing pages at /tools/data-tools/swift-lookup/{country}/{bank}. Pre-rendered for the top 30 banks in each of India / UK / US / Germany / Singapore — 150 unique SEO surfaces. Each lists branch count, top cities, sample SWIFT entries with deep-links into the forward lookup.
• NewCascading reverse search on the SWIFT page — country → bank → city dropdowns now populate based on the previous selection (instead of a single free-text query). Three sequential dropdowns plus optional branch keyword, all AND-filtered.
• NewReusable Combobox component at src/components/Combobox.tsx — search-as-you-type, match highlighting, count badges, smart 200-row cap. Used 3× on the SWIFT page; will replace the inline IFSC city picker in a follow-up.
• NewSWIFT blog post at /blog/swift-code-explained — full guide on the 8 vs 11-character format, SWIFT vs IFSC vs routing-number comparison, why correspondent-bank chains make wires slow, FEMA-compliant receiving from abroad.
• NewSitemap now includes 150 per-bank-in-country SWIFT URLs at priority 0.7. Total SEO surface across IFSC + SWIFT: 30 IFSC bank pages + 30 SWIFT country pages + 150 SWIFT bank-in-country pages = 210 unique landing pages, plus the two main tools and two long-form blog posts.
• ImprovedReverse-search result rows on both IFSC and SWIFT pages — clicking a row no longer switches tabs and scrolls to top. It now expands inline with a slide-down animation, revealing full bank details + payment-system pills (NEFT / RTGS / IMPS / UPI for IFSC) + copy buttons. Cards have proper cursor-pointer.
• ImprovedFeaturesCarousel — GSTIN Validator added to the Sheet & Web tab alongside the other Indian-compliance tools.
• Fixed/tools/data-tools/swift-lookup/[country].tsx → moved into a [country]/index.tsx subdirectory so the new [country]/[bank].tsx nested dynamic route can coexist (Next.js Pages Router doesn't allow file + same-named directory at the same level).

SWIFT / BIC Code Lookup — 51,000+ codes across 204 countries, with per-country SEO landing pages

• NewSWIFT / BIC Code Lookup at /tools/data-tools/swift-lookup. Forward (paste 8 or 11-char code → bank, country, city, address) with smart fallback from 11-char to 8-char primary office. Reverse (pick country → free-text query against bank name, city, branch, address) returns up to 100 matches with click-to-open-forward.
• NewCountry combobox with type-to-filter, match counts, and 200-row visible cap (full 204-country list available). Quick-pick chips for the top 10 countries when no country is selected.
• NewPer-country SWIFT landing pages at /tools/data-tools/swift-lookup/[country] — pre-rendered for the top 30 countries (UK, Germany, US, India, Italy, China, France, etc.). Each gets a country-specific title/meta/H1, real top-bank list with branch counts, top-city list with entry counts, and links to other countries.
• NewSEO content sections on the main SWIFT page — "What is a SWIFT/BIC code" with character-by-character breakdown, 4-step "How to find your SWIFT" guide, 9-question FAQ (8 vs 11 chars, IFSC vs SWIFT vs routing-number, why SWIFT transfers are slow, GDPR/privacy stance).
• NewStructured data — WebApplication, BreadcrumbList, FAQPage, and HowTo JSON-LD on the main page; BreadcrumbList on each per-country page. FAQ + HowTo qualify for Google rich-result snippets.
• NewSitemap update — added 30 per-country SWIFT URLs at priority 0.75.
• ImprovedServer-side dataset (51,686 entries from src/data/swift.json) is unwrapped from its Postgres json_agg shape once on cold start, then indexed into byCode + byCountry maps for O(1) per-request lookups.

IFSC Lookup tool with reverse search across 95,000+ branches + per-bank SEO landing pages

• NewIFSC Code Lookup at /tools/data-tools/ifsc-lookup — two modes in one tool. Forward (paste IFSC → bank/branch/address/MICR/SWIFT/payment-systems) hits Razorpay's public per-IFSC API. Reverse (pick bank → city dropdown auto-populates → branch keyword) runs against a bundled RBI-sourced dataset of 95,000+ branches via the indian-bank-details package.
• NewCustom city combobox in the reverse-search UI — auto-fetches the cities for the selected bank (cached server-side), opens a styled dropdown panel with type-to-filter, match highlighting, and a smart 200-result cap with 'type to refine' hint when there are more matches.
• NewPer-bank SEO landing pages at /tools/data-tools/ifsc-lookup/{bank} — pre-rendered for the top 30 Indian banks (SBI, HDFC, ICICI, Axis, etc.). Each page has bank-specific title/meta/H1, total branch count, top cities ranked by branch count, and contextual content about that bank's IFSC structure.
• NewIFSC SEO content on the main tool page — 'What is an IFSC code' explainer with character-by-character breakdown, six 'when you need an IFSC' use cases, five-step 'how to find your IFSC' guide, nine-question FAQ, and a browse-by-bank section linking to each per-bank landing page.
• NewStructured data on the IFSC page — WebApplication, BreadcrumbList, FAQPage, and HowTo JSON-LD scripts. FAQ + HowTo schemas qualify for Google rich-result snippets.
• NewBlog post: 'IFSC Code Explained: What Each Character Means and How to Find Yours' — full guide covering format, IFSC vs MICR vs SWIFT, bank merger history (ALLA→IDIB, SYNB→CNRB), and common mistakes.
• NewSitemap update — added 30 per-bank landing page URLs (/tools/data-tools/ifsc-lookup/{bank}) and the new blog post. toolPages lastmod bumped to 2026-04-29.
• ImprovedBank list now matches reality — replaced incorrect codes (AXIS → UTIB) and removed banks not in the dataset (small finance banks, payments banks, merged banks).
• FixedReverse search initially failed because the assumed Razorpay GitHub-Pages URL doesn't exist. Replaced with the indian-bank-details npm package which bundles an offline RBI-sourced dataset (~45MB, server-only via serverExternalPackages).

SaaS Cost Calculator, PDF Redactor, and an in-browser AI background remover

• NewSaaS Cost Calculator at /tools/data-tools/saas-cost-calculator — pick the SaaS tools your team uses (40+ supported across tasks/chat/notes/time/CRM/HRMS) + team size, see annual cost vs Pyrelo's flat plan, with live savings %.
• NewPDF Redactor at /tools/pdf-tools/pdf-redact — drag rectangles over confidential text, save a PDF where each page is rasterized at 2× resolution with the redactions painted on. Underlying text is genuinely destroyed (not just visually covered). Trade-off: output PDF is image-only / not searchable, but redaction is real.
• NewAI Background Remover at /tools/image-tools/background-remover — runs the MODNet segmentation model entirely in the browser via @huggingface/transformers (WebGPU when available, WebAssembly fallback). No image data is uploaded; first run downloads ~50MB model into IndexedDB, subsequent runs are instant.
• NewRelease blog post at /blog/3-new-tools-saas-cost-pdf-redact-ai-bg-remover covering all three.
• ImprovedFeaturesCarousel — added the 3 new tools to the homepage features section (PDF Redactor, AI Background Remover under PDF & Image; SaaS Cost Calculator under Sheet & Web).
• FixedStrict CSP was silently breaking the existing PDF tools and the new ones — script-src now permits 'wasm-unsafe-eval' and blob: URLs (required for ONNX runtime + transformers.js workers); connect-src now allows huggingface.co, cdn-lfs.hf.co, cdn.jsdelivr.net, plus blob: and data: for in-browser inference.
• Fixedpdf.js worker URL switched from unpkg.com to cdn.jsdelivr.net (already in our CSP allowlist). Affects every PDF tool — they were all silently broken under strict CSP, this restores them.
• FixedReact 19 <title> warning — fixed across BlogPostLayout, /tools/[category], /careers, /careers/[slug], /meet/[id]. React no longer accepts arrays of children in <title> tags; converted JSX expressions to template literals.

11 new website inspector tools — OG preview, DNS, SSL, PageSpeed and more

• NewOG Link Preview — paste a URL, see how it'll render on Twitter/X, LinkedIn, Slack, iMessage, and Discord side-by-side. Surfaces all detected og:* and twitter:* meta tags.
• NewHTTP Headers Inspector — every response header for any URL plus the full redirect chain (each hop with status), and a security-header scorecard for HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
• NewSSL Certificate Checker — subject, issuer, expiry with days-remaining banner (amber at 30d, red at 0d), alt names, fingerprint, TLS protocol, negotiated cipher.
• NewDNS Lookup — A, AAAA, MX, TXT, CNAME, NS, SOA in one view. MX sorted by priority; TXT keeps SPF/DMARC/verification records as separate rows.
• NewWHOIS Lookup (RDAP) — registrar, registration date, expiry, status flags, and authoritative nameservers via rdap.org. JSON-clean replacement for legacy WHOIS scraping.
• NewRobots.txt & Sitemap Inspector — fetches and parses robots.txt, lists every sitemap referenced, and peeks inside each sitemap to show its URL count + a 10-URL sample.
• NewURL to PDF — server-side headless Chromium renders any URL as a clean full-page PDF with selectable paper size (A4/Letter/A3/Legal) and orientation. Handles JS-heavy pages that the browser print dialog mangles.
• NewOG Image Generator — extracts a URL's title, description, and site name; renders a Pyrelo-styled 1200×630 social card you can drop straight into your og:image meta tag.
• NewPage Weight Analyzer — loads a URL in headless Chromium, captures every request, reports total bytes / request count / breakdown by resource type / 10 largest assets, and flags render-blocking resources and images over 100KB.
• NewPage Speed Audit — Lighthouse-powered scorecard via Google PageSpeed Insights v5. Performance / Accessibility / Best Practices / SEO scores plus lab metrics (LCP, FCP, CLS, TBT, Speed Index, TTI) and Core Web Vitals from real-user data (CrUX) when Google has it. Mobile or desktop strategy.
• NewRelease blog post at /blog/11-website-inspector-tools-shipped covering all 11 tools with full SEO metadata.
• ImprovedShared SSRF protection — extracted the URL/host validation from screenshot.ts into src/lib/urlGuard.ts. Every new server-side tool reuses it; HTTP Headers re-checks every redirect hop so a redirect can't trick us into hitting an internal address.
• ImprovedBrowser-safe URL helper — split normalizeUrl() into src/lib/normalizeUrl.ts (no Node deps) so client pages don't drag dns/net into the bundle.
• ImprovedShared puppeteer browser bootstrap — extracted into src/lib/puppeteerBrowser.ts so screenshot, url-to-pdf, og-image-gen, and page-weight share the same warm Chromium instance instead of each instantiating their own.
• ImprovedSheet Tracker layout — added min-w-0 on the panel grid track so wide sheets scroll horizontally inside the table instead of pushing the whole layout past the viewport.

Sheet Tracker — turn any Google Sheet into a live dashboard

• NewSheet Tracker — connect a public Google Sheet by URL and get an instant filterable dashboard. Auto-detects column types (date / number / text / email / phone), maps owner / status / dedupe columns, and serves date presets (Today / Yesterday / Last 7d / Last 30d), per-column filters with auto-dropdowns for low-cardinality columns, global search, dedupe-by-key toggle, 30-day trend sparkline, top-owners and by-status breakdowns, and CSV export of the filtered view. Lives at /tools/data-tools/sheet-tracker (public, no signup) and inside the dashboard under Tools → Sheet Tracker — both share the same browser-side storage.
• NewSheet CSV proxy — new /api/tools/sheet-csv route fetches Google's gviz CSV server-side to dodge CORS, validates id/gid shape, follows redirects, and detects the 'sheet not public' case (HTML response → 403 with a 'share as Anyone with the link → Viewer' hint). Response is piped back to the browser without storage.
• NewTwo new blog posts under /blog: 'Sheet Tracker: Turn Any Google Sheet Into a Live Dashboard' and 'Preview Any Website On 24 Device Sizes At Once' — both with full SEO metadata and FAQ schema.
• ImprovedSitemap lastmod bumped across home, blog index, tools index, and tool pages so Sheet Tracker and Website Multi-Device Preview surface as fresh in search engines. Both bespoke tools were already auto-included via BESPOKE_TOOLS.

Profile PII encryption, Drive-token hardening, and per-user dashboard scoping

• FixedSensitive profile fields (pan_number, aadhaar_number, bank_account_number, pf_uan) are now encrypted at rest with AES-256-GCM. A new /api/profile/sensitive endpoint handles the encrypted read/write round-trip — clients send plaintext, the server encrypts before storage and decrypts on read. Non-admins can only access their own; admins/HR can access teammates (for onboarding/payroll) but cross-tenant reads are blocked.
• FixedHR Vault Google OAuth tokens (hr_drive_config.drive_tokens) are now encrypted at rest. A leaked DB dump no longer exposes Google Drive access — the encryption key lives in server env, outside the database. loadDriveConfig handles both new encrypted rows and legacy plaintext rows transparently.
• FixedDrive disconnect in Settings and Storage pages was silently failing — the button used plain fetch without the auth Bearer token, so the server returned 403 and the cookie was never cleared. Restored apiFetch so the Authorization header is attached. The hr_drive_config row is now correctly wiped on disconnect.
• FixedAdmin dashboard was showing every team member's pending tasks and time entries instead of the admin's own. The queries now explicitly scope to the current user — Work Tracker still supports the team view through its own All Users toggle.
• ImprovedWork Tracker defaults to the current user's own tasks instead of 'All Users' for admins/HR. Cleaner landing state; the All Users option is still available in the dropdown for team management.

Own-DB credential hardening — encryption at rest, no browser-side service role keys, and redacted webhook payloads

• FixedOwn-DB customer secrets (Supabase service role key, database password, access token) are now encrypted at rest in the master database with AES-256-GCM. The encryption key lives outside the database in the server environment, so a database-only compromise cannot expose customer credentials.
• FixedService role keys no longer sit in browser cookies — the previous pyrelo_srk cookie (30-day expiry) is retired. The server now resolves each own-DB tenant's SRK per request from the encrypted master row, with a 60-second in-memory cache to keep latency flat. Legacy cookies from older clients are explicitly cleared on next login.
• FixedWebhook payloads (license.setup, purchase.completed) no longer carry plaintext credentials — service role keys, database passwords, access tokens, and temporary admin passwords are replaced with a redaction marker before dispatch. Payload shape is preserved so existing Sheets/Zapier/n8n flows keep working.
• FixedMaster/owner admin creating a new user in the master DB no longer pollutes master.user_licenses with their personal license mapping. The inheritance path is now gated on the new user being provisioned into a tenant DB, so master-only admins created by the owner don't get routed to a hosted tenant on first login.
• FixedLogin flow no longer hard-reloads the page when switching between master/hosted/own-DB contexts. The Supabase client is swapped in place and the auth subscription re-binds via a new onClientSwap event, so session state transitions cleanly without a full navigation.
• FixedclearLicense now awaits the cookie-clear request before triggering a redirect, closing a narrow race where the browser could navigate away before the Set-Cookie response landed — leaving stale routing cookies on disk.
• ImprovedLoginPage removes the 'Enter License Key' button and the 'Self-hosted customer?' help block. Own-DB admins are pre-registered in master.user_licenses during provisioning, so email + password is enough to sign in from any browser — no license-key entry needed.

Own-db auto-provisioning, admin calendar clarity, mobile fixes, and RLS hardening on the shared hosted DB

• NewOwn-db auto-provisioning — customer submits Supabase credentials, schema + admin account are created automatically and the temp password is emailed. No more manual setup step waiting on the owner.
• NewLicense-row setup badge — Owner dashboard shows 'Setup Pending / Running / Complete / Failed' per own_db license. Failed badges reveal the error on hover so the manual Setup DB button can target the right fix.
• NewTop progress bar — thin NProgress-style indicator animates during in-app navigation (sidebar clicks), snaps to 100% when the destination page paints. Safety timeout prevents it from ever sticking.
• NewAdmin leave-calendar view — Dashboard calendar and Leave Management calendar now show a count + per-employee detail on days multiple people are off. Previously collapsed every overlapping leave into a single ambiguous badge that looked like it belonged to the viewing admin.
• NewCustom calendar popover on Leave Management — styled HTML card replaces the native browser tooltip. Lists each employee's leave type + status with colored dots. Works on hover (desktop) and tap (mobile), closes on outside tap.
• ImprovedMobile layouts — Onboarding, Offboarding, Recruitment, Payroll (both sections), Work Tracker search toolbar, Request License plan selector, and QuickShare receive form now stack cleanly on mobile. Action buttons always visible without needing horizontal scroll.
• ImprovedPost-purchase own_db setup feedback — shows 'Setting things up…' during the provisioning window and 'Your dashboard is ready! Check your email' on success. Falls back to the prior 'we'll set up within a few hours' message when auto-provision isn't available.
• FixedDashboard Quick Actions — 'Log Time' and 'New Task' buttons pointed at invalid page IDs ('time', 'tasks') and silently bounced back to the dashboard. Now navigate to timesheet and work respectively.
• FixedNew own_db admin couldn't log in after auto-provision — the master user_licenses mapping wasn't being written on admin creation, so /api/lookup-license returned no_mapping, which the login page treats as 'master/owner login attempt' and clears the license. Mapping is now written as part of provisioning.
• FixedProfiles cross-tenant SELECT leak on the shared hosted DB — the policy was `USING (true)`, letting any authenticated user read every other tenant's profile rows (including PII and stored API keys). Now team-scoped with an own-row fallback so onboarding reads still work.
• FixedShared-DB write-side RLS — meeting_rooms, meeting_messages, direct_messages, message_reactions, task_requests, leave_balances, asset_registers, asset_register_rows, and notes/goals/habits UPDATEs now pin team_id to the caller's team. Blocks writing rows that claim to belong to another tenant.

• NewPayroll module — salary structure setup with editable fields, auto-calculated PF/ESI/Gratuity/TDS, revision history, monthly summary
• NewPayslip generation — bulk and individual payslip creation, PDF download with professional layout, company branding
• NewHR role — three-tier RBAC (Admin / HR / Employee) with granular access control across all modules
• NewManager-based leave approvals — employees' leave requests route to their direct manager, HR can override
• NewOnboarding — structured checklist per new hire with embedded forms (profile fields, document uploads, policy acknowledgement), auto-complete on profile save, Drive status indicator
• NewOffboarding — resignation submission, manager approval, notice period tracking, clearance checklist (IT/Finance/HR/Admin), exit interview notes, account deactivation
• NewOrg Chart — visual tree from manager relationships, click for employee details
• NewExpense Claims — submit expenses with category/amount, manager approval flow, HR reimbursement tracking
• NewRecruitment — job postings with public careers page, candidate applications, stage pipeline (Applied→Screening→Interview→Offer→Hired), shareable links
• NewPublic Careers page — unified job board showing all client postings, company branding, Pyrelo CTA for customer acquisition, full SEO
• NewDashboard widgets — My Attendance, Leave Balance, Team on Leave, Birthdays & Anniversaries, Quick Actions
• NewDashboard customization — toggle widgets on/off via Customize button, preferences saved to localStorage
• NewSidebar search — filter navigation items by typing, keyboard shortcut ( / )
• NewUpcoming widget — next leaves, holidays, and events shown alongside dashboard calendar
• ImprovedPolling optimization — 83% reduction in background queries via mount-only-active pages and per-component intervals
• ImprovedSkeleton loaders — replaced spinners with content-shaped placeholders across all pages
• ImprovedSidebar contrast — improved readability with lighter text on dark background
• ImprovedDashboard calendar — compact sizing, no longer stretches full width
• ImprovedProfile name — Dashboard greeting and Sidebar now show display_name instead of email prefix
• ImprovedEmployee self-upload — employees can upload their own onboarding documents to HR Drive
• ImprovedNo-manager warning — Manage Users shows a banner when employees have no reporting manager assigned
• FixedSecurity hardening — database trigger prevents admin_role escalation from browser console, role changes go through server API
• FixedDrive disconnect — now properly clears both cookie and HR Drive config
• FixedUnused code cleanup — removed 2 dead npm packages, 8 redundant SQL files, 45 unused imports across 20 files

Full design system overhaul — homepage, login, dashboard, blog, and AI Tools all share one consistent visual language

• ImprovedHomepage redesign — replaced 4 redundant feature sections with a single tabbed feature grid (HRMS / Work / Communication / AI / Privacy Tools), restructured 18 sections down to 12 with clearer hierarchy, moved pricing higher up the page, merged 3 separate security sections into one.
• NewHero — aurora gradient background with animated drift, blur-in headline reveal, animated underline squiggle on the brand phrase, live-status pill at top, trust row + 4 stat chips below the CTAs.
• NewActive section highlighting in the homepage nav — IntersectionObserver tracks which section is in view and highlights the matching nav link with a soft background + gradient indicator dot.
• NewBlog redesign — `/blog` index now uses a 2-column post grid with the latest post featured full-width, gradient hover effects per card, dark-mode footer CTA. Individual post layouts upgraded with bigger hero, decorative blobs, and a dark-mode end-of-post CTA card with two actions.
• NewLogin page redesign — soft radial gradient background, logo in a rounded tile with subtle glow, larger inputs with branded focus ring, blue→purple gradient Sign In button, fixed Back to home button in the top-left.
• ImprovedSidebar redesign — gradient gray-900→gray-950 background, logo with subtle blue/purple glow on hover, active nav item shows a gradient bar on the left + soft white background, license days-left card with tone-aware colors (orange near expiry, red expired), gradient avatar in the user footer.
• NewShared PageHeader primitive — consistent header pattern across every dashboard page (icon tile + title + description + right-aligned actions). Applied to 23 pages.
• NewShared EmptyState primitive — drop-in 'no data yet' card with icon, copy, and CTA. Applied to WorkTracker, Goals/Habits, FinanceTracker, Notes, Announcements, MeetingRooms, Storage, AssetRegister, ActivityLog, LeaveManagement, Support, DocumentsPanel.
• ImprovedButton design system standardised everywhere: primary 'Add X' actions use green→emerald gradient + shadow glow, modal Save buttons use blue→purple gradient, secondary actions are gray with rounded-xl, destructive actions are red. Every CTA across the app shares one of these four classifications.
• ImprovedAll dashboard cards bumped from rounded-xl to rounded-2xl with consistent hover lift (shadow + slight translate-y). Stat tiles get tinted icon squares, internal sub-cards get hover effects.
• ImprovedFormModal — backdrop now has subtle blur, panel uses rounded-2xl with sticky header that has a backdrop blur, larger title, polished close button.
• ImprovedSelect + DateInput — rounded-xl, larger padding, subtle hover border, soft branded focus ring (4px instead of 2px). Global CSS rule applies the same focus ring to every input/textarea/select app-wide.
• NewFeatures carousel/grid on the homepage — 36 features grouped into 5 tabs (HRMS, Work, Communication, AI, Privacy Tools). Each card has a gradient icon tile, title, description, and highlight chips. Switches between tabs with a smooth fade animation.
• ImprovedAI Tools redesign — guided one-line intro for new users, 4 compact tool cards with distinct selected-border colors per tool (cyan / emerald / violet / orange), Groq usage banner moved to the top with inline progress bar.
• ImprovedFooter redesign — multi-column layout with Product / Resources / Legal columns, brand pill, primary + secondary CTAs, made-with-♥-in-India tagline.
• ImprovedNotifications popup — gradient icon tiles (green for calls, blue→purple for messages), rounded-2xl with shadow lift on hover.
• ImprovedDashboard home — welcome greeting based on time of day (Good morning / afternoon / evening + first name), stat tiles with hover lift and tinted icon squares.

Security hardening, polished UI (modals, date/time pickers, confirm dialogs), and realtime fixes across the dashboard

• FixedMaster-DB RLS hardening — dropped the `FOR ALL USING (true)` policies on licenses, teams, purchases, and user_licenses. The anon key bundled in the browser previously granted any visitor full read/write on those tables, including every customer's supabase_service_role_key and db_password. Server API routes use the service role and continue to work unchanged.
• FixedShared-DB team_members policy drop — `FOR ALL USING (true)` let any authenticated user self-insert into any team. All team_members writes go through server API routes using the service role; the SELECT policy (Users can read own team) is kept.
• Fixedmeeting_guests policy drop — the old `FOR ALL USING (true)` allowed an unauthenticated attacker to forge verified guest session rows with an attacker-chosen session_token, bypassing the OTP flow entirely.
• FixedAssets IDOR — PATCH/DELETE on asset registers and rows now verify the target's team_id matches the caller's before mutating, matching the pattern in support/tickets/[id].
• FixedCross-tenant membership injection — `/api/hosted/register-member` now looks up the calling admin's own team_id from team_members and rejects if the body teamId differs.
• FixedUnauthenticated `/api/submit-credentials` — now requires the license_key to exist, be active, and still be pending provisioning, preventing forged credential submissions.
• Fixed`/api/keep-alive` fail-open — the endpoint now requires CRON_SECRET to be configured and matched (previously when the env var was unset, anyone could fetch the active-customer list).
• FixedNEXT_PUBLIC_CONTACT_WEBHOOK_URL was bundled to every client. Removed the dead webhook code from verify-payment and submit-credentials.
• FixedAdmins couldn't delete or update other users' tasks — the DELETE/UPDATE policies had no admin override, so the write was silently denied and the row reappeared on refetch. Policies now mirror the SELECT admin override.
• FixedTask-request recipients couldn't accept requests — the RLS policy referenced `(SELECT email FROM auth.users WHERE id = auth.uid())`, which authenticated users can't read. Replaced with `lower(auth.jwt() ->> 'email')` so both sender and recipient UPDATEs now pass.
• Fixed`/api/check-user` was admin-only, causing 'no account found' when a non-admin tried to verify a recipient's email while sending a task request. Relaxed to any authenticated user.
• FixedPublic meeting-page realtime connected to the shared DB even when the host wrote to the master DB, so guests only saw host messages after a reload. Realtime client now prefers the master DB (matches where the API routes writes).
• NewWork Tracker — 'All' tab in list view hides completed tasks (they now live exclusively in the Done tab). Count badge reflects the same.
• NewWork Tracker — status icon is now a proper interactive toggle (hover ring, pop animation, tooltip showing the next action: 'Start task' / 'Send for review' / 'Mark as done' / 'Reopen task'). Removed the redundant 'Mark as Done' text button.
• NewWork Tracker — live realtime subscription on tasks. Assignments accepted by a teammate, status changes, or deletions from any device now appear within ~1s without a reload.
• NewRequests — 3-second polling fallback ensures status changes (accept / decline / cancel) propagate to the counterparty's screen quickly without depending on the realtime publication being configured.
• NewCustom DateInput — replaced every `<input type="date">` with a popover calendar (month navigation, today highlight, Today / Tomorrow / Next week quick picks, min/max bounds). Renders through a React portal so it's never clipped inside modals or scrollable panels.
• NewCustom TimeInput — replaced the native time input with a slider-based picker (big 12-hour display, hour slider with AM/PM tick labels, 5-min-step minute slider, 9 AM / 12 PM / 3 PM / 6 PM quick picks). Also portaled.
• NewCustom confirm/alert dialogs — removed all 15 native `window.confirm` / `window.alert` calls across Chat, Notes, Goals, Work Tracker, Finance Tracker, Timesheet, Calendar, Leave Management, Requests, Meeting Rooms, License Tab, User Management, Asset Register, Tools, and the tools marketing page. Unified variants (default / danger / warning / success) with icon, backdrop, escape-to-close, click-outside-to-close.
• NewEvery user-triggered delete now shows a styled confirmation dialog (14 new spots covered: tasks, notes, goals, habits, transactions, time entries, events, messages, channels, leaves, requests, meeting rooms, purchase records, leave cancel).
• ImprovedAdd-entry forms (New Task, New Transaction, New Event, Manual Time Entry, New Goal, New Habit, Send Request, Edit Request, Add User) now render as proper centered modals on desktop (they were inline cards) with bottom-sheet behavior preserved on mobile. Sticky header, close button, Escape to close, backdrop click to close, body scroll locked while open.
• ImprovedForm layouts restructured from cramped 4-5 column rows to a 2-column grid with proper field labels. Fixes 'No Recurrenc…' text clipping and the cramped native select dropdown arrow.
• NewShared Select component — custom chevron icon, consistent styling, matches the other inputs. Replaces native `<select>` in every modal form.
• ImprovedDark mode is now scoped to the dashboard (/app/**). The landing pages (/, /blog, /tools, /meet, /privacy, /terms, /changelog) always render in light mode regardless of the user's theme setting — they're designed for a light palette only.

Asset Register — flexible spreadsheet-like tracking for laptops, networks, equipment, anything

• NewAsset Register — create unlimited custom registers (Laptops, Networks, AWS Accounts, Office Equipment, anything) with user-defined columns. No fixed schema.
• NewColumn types: text, number, date, and color-coded select. Define your own dropdown options with colors (e.g. Status = Active/Unassigned/Needs Repair) just like Google Sheets.
• NewImport CSV — paste any CSV or TSV (copy directly from Excel or Google Sheets) to instantly create a new register. Auto-detects delimiter, parses headers, bulk-inserts rows in a single API call. Live preview as you paste shows detected columns and the first few rows.
• NewAggregate cards on top of every register show counts per status — click a card to instantly filter the table to those rows
• NewMulti-column filters — filter by any column, AND together. Click the Filter button to expand a panel with one input per column. Filter count badge shows how many filters are active.
• NewChart view — toggle Table ↔ Chart to see a CSS bar chart breakdown by any column. Pick a 'Group by' column, click any bar to drill into those rows. Bars use the option's color.
• NewCSV export — download the currently filtered rows as a CSV with proper escaping. Filename auto-derived from the register name.
• NewSchema editor — add, rename, or delete columns at any time. Convert column types, add or remove select options, pick colors. Inline UI, no SQL needed.
• NewPer-team caps on hosted plan — 10 registers per team, 500 rows per register. Configurable via PYRELO_MAX_REGISTERS_PER_TEAM and PYRELO_MAX_ROWS_PER_REGISTER env vars. Sized so 10 teams fit comfortably in the free Supabase tier (~13% of 500 MB used by asset data).
• NewSupport tickets — users can file support tickets from a new Support page in the sidebar. Admins see all tickets, can change status (open/in progress/resolved/closed) and post a response. Plan-agnostic — works for hosted, Own DB, and master DB.
• ImprovedLogin page — removed the always-visible 'first time logging in?' notice that no longer applied to most users. The license-key recovery hint now only appears contextually after a failed sign-in attempt.
• ImprovedHosted plan first-login on a new device — verify-payment now pre-registers the email→license mapping at purchase time so customers can sign in with just email + password from any browser, no license key entry required.
• ImprovedTeam member invites — when an admin adds a new team member via the Manage Users page, the new user's email→license mapping is auto-created. They can sign in from any device with just email + password.
• FixedStale license routing cookies (pyrelo_srk, pyrelo_url) from previous sessions could cause API calls to silently route to the wrong database. Cookies are now cleared automatically on logout, license removal, and on first AuthProvider mount when no license is active.
• FixedWipe Team and Reset All Data now also clean up support tickets and asset register data — earlier they left orphan rows behind for newer features.

Meeting rooms — end-to-end realtime messaging fix

• FixedMeeting room creation on the hosted plan — removed a broken team_id NOT NULL trigger that depended on auth.uid() (unavailable when the API uses the service role key)
• FixedPublic /meet/[id] page returning 'Meeting room not found' — both meeting room API routes now connect to the shared DB directly via SHARED_SUPABASE_URL instead of dynamic cookie/header routing
• FixedRealtime messages on the public meeting page silently connected to the wrong database — added NEXT_PUBLIC_SHARED_SUPABASE_URL and NEXT_PUBLIC_SHARED_SUPABASE_ANON_KEY env vars so the browser realtime client points at the shared DB
• Fixed'Multiple GoTrueClient instances detected' warning that broke realtime event delivery — the public meet page client now runs at module level with persistSession: false and a unique storageKey, avoiding conflicts with the main app's Supabase client
• FixedHost messages duplicated when pressing Enter rapidly — added a re-entry guard in sendMessage and clear the input before awaiting the insert so multiple submissions can't queue
• ImprovedBoth host and guest now see their own messages instantly via optimistic insert with id-based dedupe so realtime broadcasts don't double-add
• FixedRealtime publication on the shared DB was missing several messaging tables (channel_messages, direct_messages, meeting_messages, channel_members, message_reactions) — new idempotent migration database-fix-realtime-publication.sql adds them all
• FixedWipe Team on the hosted plan was missing newer tables — channel chat (channels, channel_messages, channel_members, message_reactions), meeting rooms, and leave requests were not being deleted. Now explicitly deletes from every team-scoped table in the correct order with errors logged

6 new browser-based PDF tools + privacy-first /tools marketing site

• NewSplit PDF — break a PDF into individual page files, entirely in your browser
• NewRotate PDF — rotate all pages 90°, 180°, or 270° with a single click
• NewOrganize PDF — delete specific pages (supports ranges like '2,4,7-9')
• NewCrop PDF — trim whitespace margins from all pages uniformly
• NewAdd Page Numbers — stamp sequential 'N / total' numbers in any corner position
• NewWatermark PDF — add diagonal text watermark (CONFIDENTIAL, DRAFT, etc.) with adjustable opacity
• NewStandalone public /tools pages — each converter now has its own SEO-optimized landing page at /tools/{slug} with FAQ, schema markup, and privacy verification instructions
• ImprovedAll converters remain 100% browser-based — zero network requests during conversion, verifiable in DevTools
• Improved13 total tools now available (7 original + 6 new), all running entirely on your device

New About page — full transparency on how Pyrelo works

• NewAdded a dedicated About page inside the dashboard explaining how Pyrelo works end-to-end — pick a plan, log in, add your team, own your data
• NewSecurity & Privacy section breaking down exactly how your data is stored, who can access it, and how isolation works on both Hosted and Own DB plans
• NewStep-by-step 'How it works' walkthrough so new team members can understand the product without reading a doc
• ImprovedAbout page is now accessible from the sidebar for every user (no admin required)

Smoother navigation + checkout cleanup

• NewAdded a 'Back to Home' link on the login page and a home shortcut in the sidebar/mobile header
• ImprovedSimplified the license purchase form — removed the 'Number of team members' field since the hosted plan supports up to 20 users by default
• ImprovedDefault team size now set to 20 for hosted plans, no need to ask upfront