What we've shipped.

1. v0.317 May 2026security

   Security hardening pass

   Added an SSRF allow-list (isSafePublicUrl) so destinations cannot point at internal hostnames or private ranges. The password cookie used by password-protected links is now an HMAC envelope so a leaked cookie cannot be replayed against another link. WebSocket auth moved off URL tokens onto subprotocol-based auth. Workspace-level CI added for cross-repo checks.

2. v0.217 May 2026feature

   Marketing site v0.2

   Extracted homepage sections into composable components, shipped legal pages (privacy, terms, cookies), added sitemap and Open Graph defaults, and wired SoftwareApplication and Product JSON-LD on the homepage and pricing page.

3. v0.116 May 2026note

   Beta open

   OrphLink is live in public beta. Three production domains are now serving traffic: api.orphl.ink (API + redirects), app.orphl.ink (admin dashboard), and www.orphl.ink (this marketing site).

Subscribe to release notes by email — coming soon. In the meantime, follow along by checking back here.