docs: W12 marketing+trust accuracy — SCC alignment, changelog, subprocessors, encryption copy, llms.txt backend (#65)

* docs(trust): align SCC posture with DPA (B3)

The DPA explicitly incorporates Standard Contractual Clauses (Module Two,
controller-to-processor) under §7 as the EU/UK transfer mechanism, but
trust-residency.md was still claiming "we do not yet offer Standard
Contractual Clauses." That contradicted the legally-binding doc and
created a procurement-grade inconsistency.

DPA stays as the source of truth — SCCs ARE incorporated. Trust-residency
now matches: SCCs available by signing the DPA via support@instanode.dev,
with the residency gap (NYC3-only today, no eu-west-1) carved out as the
separate honest limitation.

* marketing(home): narrow encryption-at-rest claim on step-02 (B5)

Step-02 of the "Three steps" panel previously claimed unqualified
"encryption at rest" alongside the anonymous-tier visual. The platform
does encrypt vault secrets and stored connection_url ciphertext at rest
with AES-256-GCM, but the customer Postgres cluster's disk does NOT have
explicit at-rest encryption on the anonymous tier, and the panel sits
visually next to the anonymous-tier 24h-TTL row.

Narrows the claim to what is actually true: encryption at rest for vault
secrets and stored credentials. Drops the "automatic backups" sub-claim
from this panel — concrete per-tier backup retention lives on the Pro
card on /pricing and in the snapshot-retention table at
/docs/public/trust-residency where it belongs.

* feat(marketing): /changelog as a real route (B4)

The DPA (§6 sub-processor change notice), subprocessors.md, and
trust-residency.md egress section all reference /changelog as the
canonical change-feed customers should subscribe to. Before this commit
that link 404'd — every document making the 30-day-notice commitment
was technically pointing at nothing.

Ships a public lazy-loaded ChangelogPage in PublicShell chrome, mounts
it on /changelog in both AppRoutes (browser) and SSRRoutes (prerender),
and adds /changelog to PRERENDER_ROUTES so the page renders to static
HTML on first byte for crawlers and procurement reviewers.

Initial content: reverse-chronological entries for 2026-05-12,
2026-05-13, and 2026-05-14 covering the platform changes those days
shipped. New entries go at the top of the ENTRIES array — single PR
ships the change and the entry documenting it.

* docs(subprocessors): add Resend, Cloudflare, Fastly+GH Pages, Loops (H7)

The published subprocessor list omitted four real-world sub-processors
that the platform actually depends on. CAIQ Section H reviewers and
GDPR DPAs both require this list to be exhaustive, not aspirational.

Adds:
- Resend — transactional email (verification, magic-link sign-in,
  billing notifications). USA. Auth-token payload transits in the
  message body during the validity window.
- Cloudflare — CDN + DNS for marketing and dashboard hosts. Global
  edge. Calls out the TLS-termination-at-edge so reviewers know
  payload bytes are visible at the edge, not just request metadata.
- Fastly + GitHub Pages — marketing site and /docs/public/* SSG
  hosting. Public assets only; no PII on this path.
- Loops — lifecycle email forwarder. USA. Tagged lifecycle event
  metadata, matches the `Loops forwarder` audit kind in audit_kinds.go.

Date bumped to 2026-05-14.

* docs(llms): name DO Spaces nyc3 as the prod storage backend (M1)

llms.txt and llms-full.txt described the storage endpoint as
"S3-compatible storage" without naming the production backend. The
generic phrasing is technically correct — every documented API stays
identical regardless of backend — but a coding agent picking up the
file has no way to know which region the bucket actually lives in,
which matters for latency calculations and for the residency story
that lines up with the trust-residency doc and subprocessor list.

Names DigitalOcean Spaces (S3-compatible) in `nyc3` as the production
object-store. Also calls out the 24h lifecycle-rule auto-deletion on
the anonymous tier so an agent doesn't quietly rely on data sticking
around past expiry.

No "MinIO" string remained in either file — the in-cluster MinIO was
already replaced with DO Spaces on the production cutover (RETRO
2026-05-12). This commit closes the loop on the customer-visible doc.

Author: mastermanas805

public/docs/public/subprocessors.md

@@ -1,6 +1,6 @@
 # Subprocessors
 
-Last updated: 2026-05-13.
+Last updated: 2026-05-14.
 
 This page lists the sub-processors instanode.dev engages to provide the Service. It is the authoritative record referenced by the [Data Processing Agreement](./dpa.md) and by Cloud Security Alliance CAIQ Section H responses.
 
@@ -17,6 +17,10 @@ This page lists the sub-processors instanode.dev engages to provide the Service.
 | Google | OAuth sign-in | Email address; given name; family name | United States | Yes | Yes — EU-US Data Privacy Framework certified |
 | New Relic | Observability — logs, traces, metrics | Operational telemetry; may incidentally include customer identifiers (account UUIDs, email addresses) in error contexts | United States | Yes | Yes — EU-US Data Privacy Framework certified |
 | Amazon Web Services (SES bounce handling) | Email-deliverability webhooks (bounce, complaint, suppression) | Masked recipient addresses; delivery status codes | United States | Yes | Yes — EU-US Data Privacy Framework certified |
+| Resend | Transactional email — account verification, magic-link sign-in, billing notifications | Email address; auth-token payload contained in the message body during the validity window | United States | Yes | Yes — EU-US Data Privacy Framework certified |
+| Cloudflare | CDN + DNS for marketing and dashboard hosts (instanode.dev apex, *.instanode.dev) | HTTP request metadata; payload bytes are visible at the edge because Cloudflare terminates TLS before forwarding to origin | Global edge network | Yes | Yes — EU-US Data Privacy Framework certified |
+| Fastly + GitHub Pages | Marketing site and `/docs/public/*` SSG hosting (instanode.dev static assets) | Public marketing content + the dashboard SPA bundle; no PII transits this path | United States + EU edges | Yes | Yes — EU-US Data Privacy Framework certified |
+| Loops | Lifecycle email forwarder — onboarding drip, churn-prevention, win-back; sees the same audit event stream the backend emits under the `Loops forwarder` audit kind | Customer email address; tagged lifecycle event metadata (signup, upgrade, downgrade, deletion request) | United States | Yes | Yes — EU-US Data Privacy Framework certified |
 
 ---
 

public/docs/public/trust-residency.md

@@ -79,7 +79,7 @@ We aim to say only what is true. Here is what is true today.
 |---|---|
 | SOC 2 Type II | In progress. Target completion Q3 2026. Audit firm not yet selected. We do not have a SOC 2 report to share today. |
 | HIPAA | Not supported. We do not sign Business Associate Agreements today. If you need a BAA, email `enterprise@instanode.dev` so we can scope a Team-tier engagement and tell you whether and when we can support it. |
-| GDPR | Today, instanode.dev is not a suitable controller-of-record for EU resident PII. All infrastructure is US-only, and we do not yet offer Standard Contractual Clauses. EU customers requiring an EU data residency posture should wait for eu-west-1. |
+| GDPR | Standard Contractual Clauses (Module Two, controller-to-processor) are incorporated by reference in our [Data Processing Agreement](./dpa.md) — sign the DPA via `support@instanode.dev` to activate them. The product gating is separate: as of 2026-05, instanode.dev runs in NYC3 only, so customers whose users are EU residents should not route their PII through us without a separate residency commitment from the platform side. EU customers requiring an EU data-residency posture should wait for eu-west-1. |
 | PCI-DSS | We do not handle cardholder data. Payment processing runs through Razorpay. Do not store card numbers in instanode.dev resources. |
 
 If you are on a procurement call that requires a compliance answer not listed here, contact `security@instanode.dev` and we will tell you the truth instead of dodging.
@@ -108,4 +108,4 @@ We respond within 48 business hours. Coordinated disclosure for security issues
 
 ---
 
-_Last reviewed: 2026-05-13._
+_Last reviewed: 2026-05-14._

public/llms-full.txt

@@ -2,7 +2,7 @@
 
 ## What is instanode.dev?
 
-instanode.dev is an infrastructure provisioning API. Call one HTTP endpoint, get back a working resource — a Postgres database, a Redis cache, a MongoDB database, a NATS JetStream queue, S3-compatible storage, a webhook receiver, or a full deployed app stack. The resource works immediately with standard client libraries. No account required, no Docker, no configuration, no SDK.
+instanode.dev is an infrastructure provisioning API. Call one HTTP endpoint, get back a working resource — a Postgres database, a Redis cache, a MongoDB database, a NATS JetStream queue, S3-compatible object storage (backed by DigitalOcean Spaces in `nyc3`), a webhook receiver, or a full deployed app stack. The resource works immediately with standard client libraries. No account required, no Docker, no configuration, no SDK.
 
 Designed for two audiences:
 1. AI coding agents (Claude, Copilot, Cursor, etc.) that need to provision real infrastructure while generating working application code.

public/llms.txt

@@ -369,7 +369,7 @@ Response 200:
 
 ### POST /storage/new
 
-Provision an S3-compatible object storage bucket. Returns AWS-compatible credentials.
+Provision an S3-compatible object storage bucket. Returns AWS-compatible credentials. Production backend is DigitalOcean Spaces (S3-compatible) in `nyc3`. Anonymous-tier buckets are auto-deleted at 24h by a bucket lifecycle rule enforced at the storage layer.
 
 Response 201:
 ```json

scripts/prerender.mjs

@@ -69,6 +69,10 @@ async function loadRoutes() {
     '/docs',
     '/blog',
     '/use-cases',
+    // W12 B4: /changelog ships as a real pre-rendered HTML so crawlers
+    // and a procurement reviewer pasting the URL into a browser both
+    // see the actual entries on first byte.
+    '/changelog',
     ...blogSlugs.map((s) => `/blog/${s}`),
     ...useCaseSlugs.map((s) => `/use-cases/${s}`),
   ]

src/App.tsx

@@ -55,6 +55,15 @@ const UseCasesPage = lazy(() =>
 const UseCaseDetailPage = lazy(() =>
   import('./pages/UseCaseDetailPage').then((m) => ({ default: m.UseCaseDetailPage })),
 )
+// ChangelogPage (W12 B4) — public /changelog. The DPA, subprocessor list,
+// and trust-residency egress section all reference /changelog as the
+// contractual change-notice channel; before this route existed every doc
+// that linked to it 404'd. Lazy-loaded for parity with the other
+// secondary marketing surfaces (Blog, Docs, Use cases) — a homepage
+// visitor doesn't pay for these bytes.
+const ChangelogPage = lazy(() =>
+  import('./pages/ChangelogPage').then((m) => ({ default: m.ChangelogPage })),
+)
 
 // Authenticated dashboard surfaces — lazy-loaded. These pages only render
 // behind AuthGate (token must be present), so a marketing visitor never
@@ -205,6 +214,10 @@ export function AppRoutes() {
         <Route path="/docs" element={<DocsPage />} />
         <Route path="/use-cases" element={<UseCasesPage />} />
         <Route path="/use-cases/:slug" element={<UseCaseDetailPage />} />
+        {/* W12 B4: /changelog — referenced by DPA §6 (sub-processor
+            change notification), subprocessors.md, and trust-residency
+            egress section. Used to 404 because no route existed. */}
+        <Route path="/changelog" element={<ChangelogPage />} />
 
         {/* ─── auth surfaces (no chrome, dedicated layout) ───────── */}
         <Route path="/login" element={<LoginPage />} />

src/entry-server.tsx

@@ -43,6 +43,7 @@ import { BlogPostPage } from './pages/BlogPostPage'
 import { DocsPage } from './pages/DocsPage'
 import { UseCasesPage } from './pages/UseCasesPage'
 import { UseCaseDetailPage } from './pages/UseCaseDetailPage'
+import { ChangelogPage } from './pages/ChangelogPage'
 
 // SSRRoutes — the SSG-only route tree. Mirrors the public surface of the
 // client AppRoutes (everything reachable without auth). The /app/* subtree
@@ -61,6 +62,7 @@ function SSRRoutes() {
       <Route path="/docs" element={<DocsPage />} />
       <Route path="/use-cases" element={<UseCasesPage />} />
       <Route path="/use-cases/:slug" element={<UseCaseDetailPage />} />
+      <Route path="/changelog" element={<ChangelogPage />} />
       <Route path="*" element={<Navigate to="/" replace />} />
     </Routes>
   )

src/pages/ChangelogPage.tsx

@@ -0,0 +1,216 @@
+/* ChangelogPage — public, unauthenticated /changelog.
+ *
+ * The contractual change-notice channel referenced by the DPA, the
+ * subprocessor list, and trust-residency.md ("we notify customers at
+ * least 30 days before adding or replacing a sub-processor; subscribe to
+ * the changelog"). Before this page existed the link 404'd and every doc
+ * that promised customers a change-feed was technically lying.
+ *
+ * Reverse-chronological. Each entry: date heading + 3-5 concise bullets.
+ * Entries are inlined here as a TypeScript array (vs. a content repo /
+ * markdown loader) because (a) the cadence is low — call it weekly at
+ * most — and (b) keeping the source in-tree means a single PR ships the
+ * fix and the entry that documents the fix.
+ *
+ * Wrapped in PublicShell so the top nav + footer match the rest of the
+ * marketing surfaces. Mirrors the IncidentsPage layout vocabulary
+ * (public-eyebrow / public-h1 / public-sub / public-section) so a
+ * visitor moving between /status, /incidents, /changelog feels the
+ * pages are the same surface. */
+
+import { PublicShell } from '../layout/PublicShell'
+
+// ─── types ────────────────────────────────────────────────────────────────
+
+interface ChangelogEntry {
+  /** ISO date (YYYY-MM-DD). Sort key — newest first. */
+  date: string
+  /** Short headline summarising the day's changes. */
+  title: string
+  /** 3-5 concise bullets describing what shipped. */
+  bullets: string[]
+}
+
+// ─── content ──────────────────────────────────────────────────────────────
+
+/* Reverse-chronological. Add new entries at the TOP of the array. Keep
+ * each bullet single-line, no marketing fluff — the audience is a
+ * procurement reviewer or an on-call engineer checking what changed. */
+const ENTRIES: ChangelogEntry[] = [
+  {
+    date: '2026-05-14',
+    title: 'Trust + marketing accuracy pass (W12)',
+    bullets: [
+      'DPA + trust-residency aligned on Standard Contractual Clauses (Module Two, controller-to-processor) as the EU/UK transfer mechanism.',
+      'Subprocessor list expanded with Resend (transactional email), Cloudflare (CDN/DNS), Fastly + GitHub Pages (marketing/docs serving), and Loops (lifecycle email forwarder).',
+      'Homepage step-02 encryption-at-rest claim narrowed to "vault secrets and stored credentials" — the customer Postgres cluster\'s disk is not blanket-encrypted on the anonymous tier.',
+      '/changelog is now a real route (was 404; referenced by DPA §6, subprocessor list, and trust-residency egress section).',
+      'llms.txt and llms-full.txt clarified to call out DigitalOcean Spaces (S3-compatible) as the production object-store backend.',
+    ],
+  },
+  {
+    date: '2026-05-13',
+    title: 'Hobby Plus tier + W11 dashboard honesty pass',
+    bullets: [
+      'Hobby Plus tier ($19/mo) shipped as the middle step in the pricing grid — research-backed triple-tier pricing decoy.',
+      'Agent error envelope standardised across all provisioning endpoints with `agent_action` next-step hints.',
+      'security.md + PGP key + DPA + subprocessor list published at /docs/public/* (was 404 from W10 onward).',
+      'Per-tenant MinIO IAM credentials by default in production — anonymous-tier internal_url scrubbed from response payloads.',
+      'GitHub auto-deploy webhook live; /status page now consumes real GET /api/v1/status backend.',
+    ],
+  },
+  {
+    date: '2026-05-12',
+    title: 'DO Spaces production cutover + deploy wedge live',
+    bullets: [
+      'Object-storage production backend cut over from in-cluster MinIO to DigitalOcean Spaces (`nyc3`); 24h lifecycle rule enforces anonymous-tier auto-expiry at the storage layer.',
+      'POST /deploy/new live end-to-end (Kaniko → k8s Deployment → Ingress + cert-manager TLS on *.deployment.instanode.dev).',
+      'Idempotency-Key replay header honoured on every provisioning endpoint; provisioner-auth regression test bundle added to CI.',
+      'dashboard-api retired — agent API now serves the dashboard directly. Removes the gRPC bridge that was the source of a long tail of cross-service auth drift.',
+    ],
+  },
+]
+
+// ─── page ─────────────────────────────────────────────────────────────────
+
+export function ChangelogPage() {
+  const sorted = [...ENTRIES].sort((a, b) => b.date.localeCompare(a.date))
+  return (
+    <PublicShell>
+      <ChangelogStyles />
+
+      <section className="changelog-header">
+        <span className="public-eyebrow">Changelog · public · reverse-chronological</span>
+        <h1 className="public-h1">
+          Changelog<span className="dot">.</span>
+        </h1>
+        <p className="public-sub">
+          What changed on instanode. Subprocessor adds, sub-processor swaps, and material
+          posture changes are announced here at least 30 days in advance — see the{' '}
+          <a href="/docs/public/dpa.md">DPA</a> and the{' '}
+          <a href="/docs/public/subprocessors.md">subprocessor list</a> for the formal
+          commitment.
+        </p>
+      </section>
+
+      <section className="public-section">
+        <ol className="changelog-list" aria-label="Changelog entries">
+          {sorted.map((entry) => (
+            <li key={entry.date} className="changelog-entry">
+              <header className="changelog-entry-head">
+                <time dateTime={entry.date} className="changelog-entry-date">
+                  {formatDate(entry.date)}
+                </time>
+                <h2 className="changelog-entry-title">{entry.title}</h2>
+              </header>
+              <ul className="changelog-entry-bullets">
+                {entry.bullets.map((b, i) => (
+                  <li key={i}>{b}</li>
+                ))}
+              </ul>
+            </li>
+          ))}
+        </ol>
+      </section>
+
+      <section className="public-section changelog-links">
+        <a href="/docs/public/subprocessors.md" className="changelog-link">
+          Subprocessors
+        </a>
+        <span className="changelog-link-sep">·</span>
+        <a href="/docs/public/trust-residency.md" className="changelog-link">
+          Trust + residency
+        </a>
+        <span className="changelog-link-sep">·</span>
+        <a
+          href="mailto:privacy@instanode.dev?subject=Subscribe%20to%20changelog%20notices"
+          className="changelog-link"
+        >
+          Subscribe (email)
+        </a>
+      </section>
+    </PublicShell>
+  )
+}
+
+// ─── helpers ──────────────────────────────────────────────────────────────
+
+function formatDate(iso: string): string {
+  // Parse manually so we render the same date regardless of viewer
+  // timezone — a 2026-05-14 entry should never appear as "May 13" to a
+  // visitor in the Pacific timezone.
+  const [y, m, d] = iso.split('-').map(Number)
+  const date = new Date(Date.UTC(y, m - 1, d))
+  return date.toLocaleDateString('en-US', {
+    year: 'numeric',
+    month: 'short',
+    day: 'numeric',
+    timeZone: 'UTC',
+  })
+}
+
+// ─── styles ───────────────────────────────────────────────────────────────
+
+function ChangelogStyles() {
+  return (
+    <style>{`
+      .changelog-header { padding-top: 8px; }
+
+      .changelog-list {
+        list-style: none;
+        padding: 0;
+        margin: 0;
+        display: grid;
+        gap: 28px;
+      }
+      .changelog-entry {
+        border: 1px solid var(--border);
+        border-radius: 12px;
+        background: var(--surface);
+        padding: 24px 24px 20px;
+      }
+      .changelog-entry-head {
+        display: flex;
+        align-items: baseline;
+        gap: 14px;
+        margin-bottom: 14px;
+        flex-wrap: wrap;
+      }
+      .changelog-entry-date {
+        color: var(--text-faint);
+        font-family: var(--font-mono);
+        font-size: 12.5px;
+        font-variant-numeric: tabular-nums;
+        letter-spacing: 0.04em;
+        text-transform: uppercase;
+      }
+      .changelog-entry-title {
+        margin: 0;
+        font-size: 18px;
+        font-weight: 500;
+        color: var(--text);
+        letter-spacing: -0.005em;
+      }
+      .changelog-entry-bullets {
+        margin: 0;
+        padding-left: 18px;
+        color: var(--text-dim);
+        font-size: 14px;
+        line-height: 1.6;
+      }
+      .changelog-entry-bullets li { margin-bottom: 6px; }
+      .changelog-entry-bullets li:last-child { margin-bottom: 0; }
+
+      .changelog-links {
+        display: flex;
+        align-items: center;
+        gap: 10px;
+        font-size: 13px;
+        flex-wrap: wrap;
+      }
+      .changelog-link { color: var(--text-dim); transition: color 120ms; }
+      .changelog-link:hover { color: var(--accent); }
+      .changelog-link-sep { color: var(--text-faint); }
+    `}</style>
+  )
+}

src/pages/MarketingPage.tsx

@@ -332,8 +332,8 @@ export function MarketingPage() {
               <div className="mkt-step-num">STEP 02 · PROVISION</div>
               <h3>Real infra spins up.</h3>
               <p>
-                Managed Postgres, Redis, or Mongo — encryption at rest, automatic backups, a
-                connection string in 1.4 s. 24 h TTL on the free tier.
+                Managed Postgres, Redis, or Mongo — encryption at rest for vault secrets and
+                stored credentials, a connection string in 1.4 s. 24 h TTL on the free tier.
               </p>
               <div className="mkt-how-visual" aria-hidden="true">
                 <div className="r"><span className="k">service</span><span className="v">postgres 16.2</span></div>