Describe your repair, upload photos for AI diagnosis, receive competitive bids from verified contractors, and pay only when the job is done right — with escrow protection.

FixtMarket is Fixt’s NYC contractor materials shop. Search parts, add to one cart, and get same-day delivery across NYC boroughs. Order via web, phone, or Husham AI agent.

Does FixtMarket deliver same day in NYC?

Yes. FixtMarket offers same-day delivery to Manhattan, Brooklyn, Queens, the Bronx, and Staten Island for in-stock contractor supplies.

Is my payment protected on Fixt?

Yes. Repair payments are held in escrow until you confirm completion. FixtMarket orders are processed securely via Stripe.

Current deployed app version is 0.3.35 (from package.json). For operational status see Help.

Changelog

0.3.35 — 2026-05-07

Added

POST /api/preview-access/logout — Clears fixt_preview cookie; button on Coming Soon page (“End preview session”) so QA can lock the browser back to the splash without clearing all cookies.

Changed

qa:prod-beta — Without FIXT_PREVIEW_COOKIE, gated routes (/login, /home, etc.) must 307 → /coming-soon (no false PASS from following redirects).
Middleware — Sets X-Fixt-Coming-Soon: 1 on Coming Soon redirects (easy to verify in DevTools).

0.3.34 — 2026-05-07

Added

GET /api/health/openrouter — Operator probe (Bearer CRON_SECRET): confirms OpenRouter key + minimal completion.
npm run openrouter:probe — Local script to test models against your .env.local key.
OPENROUTER_DIAGNOSTICS=true — Temporary Vercel flag: DIY concierge returns the real API error text (turn off after fixing).

0.3.33 — 2026-05-07

Fixed

OpenRouter (public AI) — Default models use anthropic/claude-3.5-sonnet; chatCompletionResilient tries configured model → openrouter/auto → Claude 3.5 → Gemini 2.0 Flash (free). DIY Kit Concierge uses resilient completion (not free-first agent path).

Added

GitHub Actions — Vercel Go Live (public) workflow (COMING_SOON_MODE=false + deploy + smoke).
scripts/run-go-live-public.ps1 — Windows helper for npm run go:live.

0.3.32 — 2026-05-07

Fixed

vercel.json — Removed rewrite of /sitemap.xml → /api/sitemap (no such route; risk of GL-003 500). Sitemap is served by Next.js src/app/sitemap.ts.
src/app/sitemap.ts — Added /diy-kit to indexable URLs.

Added

npm run qa:go-live-p0-http — Automates GL-001/002/003/010 HTTP portions of docs/GO_LIVE_TEST_SCENARIOS.md and lists manual P0 items.
qa:prod-beta — GL-002 header check and GL-003 full sitemap validation (includes /diy-kit).

0.3.31 — 2026-05-07

Changed

OpenRouter env — Centralized key resolution in src/lib/ai/resolve-openrouter-key.ts: also reads FIXT_OPENROUTER_API_KEY and OPENROUTER_KEY (same sk-or-* secret, alternate Vercel names). npm run env:verify merges .env.local with process.env for that check and accepts sk-or-v1 prefixes. /api/ai/public-chat and /api/jobs/:id/verify-completion use isOpenRouterConfigured() instead of a misleading OPENAI_API_KEY gate (OpenRouter routes never read OPENAI_API_KEY).

0.3.30 — 2026-05-06

Added

DIY Kit Concierge — New supervised agent profile fixt-diy-concierge: POST /api/diy-kit/recommendation returns one short, safety-first plain-text answer (OpenRouter chatCompletionAgent, IP rate limit). /diy-kit includes Fixt recommended solution UI with Save answer as PDF (print dialog → Save as PDF). External repair hubs are labeled Other solutions alongside the DIY Library and checklist content. Workbench agents list documents the concierge stub.

0.3.29 — 2026-05-06

Added

/diy-kit — Curated free repair hub sections (phones/tablets + multi-device electronics/appliances): outbound links to iFixit, Repair Wiki, FCC / FTC smartphone resources, Wikibooks (Practical Electronics + Appliances category), and Repair FAQ small-appliance notes, each with a short license transparency line. Expanded the symptom matrix with phone / laptop spill first-response rows. We still do not bulk-download or re-host third-party kits; users open sources in their own browsers.

0.3.28 — 2026-05-14

Changed

/diy-kit — Expanded “starter kit” with an original symptom → first step → DIY Library search → stop rule matrix (common plumbing, electrical, HVAC, envelope, and appliance cases), plus curated external links (EPA lead/mold/IAQ, CPSC education, NFPA heating safety, Wikibooks Home Improvements). Clarifies we do not re-host third-party commercial kits for copyright reasons; deep fixes live in /guides and job flows.

0.3.27 — 2026-05-14

Added

/diy-kit — printable “Fixt DIY starter kit” (browser Print / Save as PDF): safety, toolbox, checklist, when to hire a pro; linked from Navbar, Footer, /guides, Help, and guide detail sidebars. Public during Coming Soon (middleware allowlist).

Fixed

Guide list + detail — tolerate failed /api/guides responses instead of leaving a stuck spinner.

0.3.26 — 2026-05-14

Changed

Coming Soon (middleware) — /login and /signup are no longer public without the preview cookie (so fixt.live/login is not a live auth page for anonymous visitors). /forgot-password and /reset-password stay open for email-based recovery.

0.3.25 — 2026-05-14

Changed

Coming Soon (middleware) — While COMING_SOON_MODE is on, anonymous HTML is strict: /, /home, /guides, /blog, … redirect to /coming-soon unless the fixt_preview cookie matches PREVIEW_PASSWORD. /login, /signup, password reset, /terms, /privacy, /preview-access, and PWA manifest/icons stay reachable without the cookie.

Added

Playwright — tests/e2e/global-setup.ts saves a storageState preview cookie when PREVIEW_PASSWORD is set and PLAYWRIGHT_BASE_URL is fixt.live. GitHub UI smoke workflow now passes secrets.PREVIEW_PASSWORD.

Fixed

scripts/prod-beta-smoke.mjs — /home and /business checks accept 307 → /coming-soon when no preview cookie (or 200 when FIXT_PREVIEW_COOKIE is set).

0.3.24 — 2026-04-28

Added

docs/GO_LIVE_STEPS_1_2_3.md — step-by-step runbook for production database migrations + db:verify, db:grant-admin, and Stripe webhook setup (steps 1–2–3 from the go-live tracker).

0.3.23 — 2026-04-27

Added

Per-route SEO — src/lib/seo/marketing-meta.ts, src/lib/seo/marketing-routes.ts, and route layout.tsx files for major use client marketing pages (canonical, Open Graph, Twitter, robots index/follow).
services/[slug]/layout.tsx and guides/[id]/layout.tsx — dynamic titles/descriptions for category and guide pages.
Playwright — tests/e2e/public-interactions-and-seo.spec.ts (meta + navbar mobile/desktop checks).

Changed

src/app/sitemap.ts — base URL defaults to fixt.live; added /, /home, /landing, /compare, /changelog, /guides, /coming-soon, /preview-access, and related marketing URLs for discovery.
src/app/layout.tsx — Open Graph url uses NEXT_PUBLIC_APP_URL (was hardcoded fixt.com).
src/app/blog/[slug]/page.tsx — generateMetadata includes canonical URL and robots: { index, follow }.
data/public-marketing-paths.json — added /, /landing, /guides, /agent, /fixers/leaderboard for E2E coverage.
Privacy / Terms / Business — metadata now includes canonical + social fields via marketingMetadata.

0.3.22 — 2026-04-27

Fixed

scripts/prod-live-qa.mjs — removed insecure default preview password; PREVIEW_PASSWORD is required (match Vercel) before npm run qa:prod-live can unlock Coming Soon on production.

Changed

Docs — docs/GO_LIVE_TRACKER.md now includes a finish-line runbook (ordered steps) and explains “no new product code” vs dashboard work; docs/FLOW_TREE.md and docs/GO_LIVE_STATUS.md corrected for preview password / preview-access wording.

0.3.21 — 2026-04-27

Changed

CI: merged auto Vercel Production deploy on push to main (.github/workflows/trigger-vercel-production.yml).
data/public-marketing-paths.json — removed allow404Provisional now that /preview-access returns 200 on production; Playwright / k6 / qa:prod-beta require 200 for that route again.
Docs: docs/GO_LIVE_TRACKER.md (go-live checklist), docs/GO_LIVE_STATUS.md (preview-access note), docs/CLOUD_CI.md (workflow table).

0.3.20 — 2026-04-27

Changed

/preview-access is included in crawlExtra, loadTestExtra, and httpSmokeGetExtra in data/public-marketing-paths.json.
allow404Provisional — for listed paths, Playwright, k6, and qa:prod-beta treat 200 or 404 as pass (5xx still fails) so checks stay green if Production has not deployed the route yet. Remove /preview-access from that array after Production serves the page.

0.3.19 — 2026-04-27

Changed

data/public-marketing-paths.json — added /privacy, /terms to marketing (E2E link checks, k6, and qa:prod-beta GET smoke). Crawl/k6 seeds stay /coming-soon only so production smoke does not fail on /preview-access until that route is deployed everywhere.
docs/GO_LIVE_ACTION_PLAN.md — PREVIEW_PASSWORD documented as required (no default); matches middleware fail-closed behavior.

0.3.18 — 2026-04-26

Added

data/public-marketing-paths.json — single source of truth for public marketing URLs. Used by Playwright E2E (public-marketing-pages.ts), k6 (scripts/k6/smoke-public.js via PUBLIC_MARKETING_PATHS_FILE from run-k6.mjs), and qa:prod-beta / prod-extended-smoke.mjs (marketing + httpSmokeGetExtra for coming-soon, login, signup).

0.3.17 — 2026-04-26

Added

tests/e2e/public-marketing-pages.ts — single list of public marketing paths shared by public-nav.spec and public-clicks.spec (includes /gallery in nav load + crawl).

Security

PostCSS 8.5.10 — direct dev dependency and overrides so the tree matches the patched version (clears the moderate postcss npm audit advisory that nested under next).

0.3.16 — 2026-04-25

Added

/preview-access page — unlock Coming Soon via the same POST /api/preview-access flow as /coming-soon (fixes “404 on /preview-access” when users bookmark that path).

0.3.15 — 2026-04-25

Added

go-live-full root check — exits with a clear error if not run from the project root (avoids npm in wrong folder / System32).
scripts/run-go-live.cmd and scripts/run-go-live.ps1 — double-click or run from scripts\ to cd to repo root and run npm run go:live:full.
scripts/rebuild-install-go-live.mjs + npm run rebuild:install-go-live — regenerates install-go-live.cjs when go-live-full.mjs changes.

0.3.14 — 2026-04-25

Added

scripts/install-go-live.cjs + npm run install:go-live — writes go-live-full.mjs from embedded base64 (no raw.githubusercontent.com; works when the repo is private and irm returns 404). Run after git pull or copy this file from the repo in the browser.
scripts/windows-sync-go-live.ps1 — optional: downloads from public raw GitHub (fails for private repos).

0.3.13 — 2026-04-25

Added

npm run go:live:full — one script: npm ci → db:ping → db:apply-remote → db:verify → vercel:deploy:production (if VERCEL_TOKEN) → qa:prod-smoke (+ local Playwright when installed). Wrappers: scripts/go-live-full.sh, scripts/go-live-full.ps1. See docs/GO_LIVE_ACTION_PLAN.md.
db:verify — also checks auth_telemetry, stripe_event_log, client_telemetry after migration 013.

0.3.12 — 2026-04-24

Added

Admin observability — migration 013_admin_telemetry.sql adds auth_telemetry, stripe_event_log, and client_telemetry (RLS on, no policies; service role only). POST /api/telemetry/auth and POST /api/telemetry/client record client-safe events. Stripe webhook upserts into stripe_event_log. OAuth callback records exchange success/failure.
GET /api/admin/observability/summary — admin-only aggregates (24h counts + recent rows) for auth, Stripe, client beacons, and agent_operations.
Admin dashboard — "Live observability" panel wiring the summary API.
Optional custom admin URL — set NEXT_PUBLIC_ADMIN_PATH to a path segment (e.g. fxt-ops-abc12); next.config rewrites /<segment>/* → /admin/*, sidebar and login use adminHref(), /admin redirects to the custom path when set. robots.txt disallows both when custom.

0.3.11 — 2026-04-24

Fixed

Remote DB migrations — if public.users already exists (schema from an earlier db push / manual setup) but 001_initial_schema.sql was never recorded in fixt_migrations, the script now backfills that row and skips re-applying 001, avoiding relation "users" already exists in CI.

0.3.10 — 2026-04-24

Added

npm run db:ping — tests DATABASE_URL (connect + select 1) without printing the password; shows host so you can confirm pooler vs direct.

0.3.9 — 2026-04-24

Changed

Apply remote DB migrations (GitHub Actions) — when CI=true, fail immediately if DATABASE_URL uses Supabase Direct host db.*.supabase.co, with instructions to use Connect → Session pooler instead (IPv4). Workflow comment updated.

0.3.7 — 2026-04-24

Fixed

Remote DB migrations in CI — scripts/apply-pending-supabase-migrations.mjs resolves the Postgres hostname to IPv4 when CI=true (or FORCE_DB_IPV4=true) and sets ssl.servername to the original host so TLS still validates. This fixes GitHub Actions failures: connect ENETUNREACH when the client was using an AAAA (IPv6) target.

0.3.6 — 2026-04-23

Added

GitHub Dependabot — .github/dependabot.yml for weekly npm and GitHub Actions update PRs.
GitHub Action: Apply remote DB migrations — manual workflow_dispatch with confirm: APPLY; uses repository secret DATABASE_URL and runs npm run db:apply-remote (idempotent migrations).
docs/GO_LIVE_ACTION_PLAN.md — ordered go-live checklist (secrets, DB, Vercel, smoke, Coming Soon, security).

Changed

Next.js — patch bump 14.2.21 → 14.2.35 and matching eslint-config-next (addresses several published advisories in the 14.2 line; run npm audit after merges).

0.3.5 — 2026-04-23

Changed

Vercel Cron — vercel.json schedule is 0 8 * * * (once per day at 08:00 UTC). Vercel Hobby only allows one cron invocation per day; the previous hourly schedule (0 * * * *) requires Pro for multiple runs. For more frequent ticks, upgrade Vercel or trigger /api/cron/agents/tick from another scheduler (e.g. admin “orchestrator tick”).

0.3.4 — 2026-04-22

Fixed

Coming Soon + APIs — when COMING_SOON_MODE is on, all /api/* routes bypass the marketing lock redirect. This fixes RSC “Failed to fetch” and JSON parse errors (HTML from /coming-soon), and lets Vercel Cron reach /api/cron/agents/tick with 401/503 instead of 307 → /coming-soon. Auth/roles remain enforced in each route handler.

0.3.3 — 2026-04-22

Added

Vercel Cron — hourly GET /api/cron/agents/tick (configure CRON_SECRET; Vercel sends Authorization: Bearer …). Middleware allowlists /api/cron/* during Coming Soon.
Approval notifications — optional AGENT_NOTIFY_EMAIL + RESEND_API_KEY / RESEND_FROM_EMAIL send an ops email when a task is approved (failures logged to agent_operations).
Safe auto-apply — Paperclip digest proposal includes auto_apply_safe: true; on approve, a draft row is inserted into email_broadcasts with status: draft_saved and recipient_count: 0 (no recipients, no send).

Changed

PWA install prompt — listens for fixt-show-pwa-install; shows a desktop install hint when beforeinstallprompt never fires; session dismiss so repeat visits are not spammed; higher z-index.
Footer — “Get the app” buttons (Windows / iOS / Android) under the logo trigger the install prompt.

0.3.2 — 2026-04-22

Added

Admin → Agents (/admin/agents) — oversee logical agent workers, task queue, audit log; run orchestrator tick; assign manual tasks; approve/reject/dismiss tasks (same semantics as workbench).
APIs under /api/admin/agents/* — workers roster + status (activate / suspend / terminate), tasks CRUD-style queue, operations feed, orchestrator tick (admin session).
Migration 012_agent_workers_and_operations.sql — agent_workers, agent_operations, agent_tasks.assigned_worker_id; seeds default Hermes / Paperclip / Core workers.
Orchestrator enqueue — proposals auto-assign an active worker by persona when workers exist; experience bumps on approved tasks (and small penalty on reject).

Important (product + legal)

Zero-human autonomous business (unsupervised money movement, deploys, legal hiring/firing of people, self-modifying production without oversight) is not supported and would be unsafe. This release is a supervised “digital workforce” UI: humans remain accountable; workers are logical agents, not employees.

0.3.1 — 2026-04-21

Added

/changelog — public page that renders root CHANGELOG.md plus current semver from package.json.
Footer build stamp — v{version} + link to Changelog on the marketing footer.
/icon-512 — 512×512 high-contrast favicon / PWA icon; metadata.icons and manifest reference it for clearer tab / home-screen marks.
npm run qa:prod-beta — extended HTTP smoke (scripts/prod-extended-smoke.mjs): more marketing routes + GET /changelog + HEAD /icon + HEAD /icon-512.
NEXT_PUBLIC_SUPPORT_PHONE (optional) — E.164 public line for Footer + Contact; falls back to existing number when unset.
Admin dashboard — version strip + links to Changelog and operator workbench; notes on human-in-the-loop agents vs autonomous self-heal.
/admin/settings — redirects to /admin/dashboard so the sidebar item does not 404 until a real settings page exists.

Changed

Favicon (/icon, /apple-icon) — bolder monogram on dark gold ring for better visibility at small sizes.

0.3.0 — 2026-04-19

Added

5,200+ DIY placeholder rows — migration 010_diy_bulk_seed.sql (tagged fixt-bulk-seed-v1 + CC BY-SA reference links for editorial replacement). Apply with npm run db:apply-remote / supabase db push.
Wikibooks import helper — scripts/import-wikibooks-diy.mjs + npm run diy:wikibooks-sample (MediaWiki API, attribution fields). See docs/DIY_CONTENT_PIPELINE.md.
Supervised Fixt Orchestrator — src/lib/agents/fixt-orchestrator.ts, agent_tasks table (011_agent_tasks.sql), workbench APIs: GET /api/workbench/agent-tasks, PATCH /api/workbench/agent-tasks/:id, POST /api/workbench/agents/tick. UI on /workbench/fxt-a9m2k7 to approve/reject. No autonomous hire/fire, payroll, schema, or deploy paths; FIXT_AGENT_AUTONOMY=destructive is rejected.
Android native project — npx cap add android committed under mobile/android/ (removed android/ from mobile/.gitignore). Store copy drafts in store/.
Store listing drafts — store/android-play-listing.md, store/ios-app-store-listing.md.

Changed

Coming Soon API allowlist prefixes /api/workbench/*.

0.2.1 — 2026-04-19

Added

Capacitor shell in mobile/ (iOS/Android WebView loading the live Next app via server.url). See docs/MOBILE_CAPACITOR.md. Root scripts: mobile:install, mobile:sync, mobile:ios, mobile:android.

Fixed

GET /api/public/profiles/:id for homeowners: when SUPABASE_SERVICE_ROLE_KEY is set on the server, job aggregates use the service client so counts are not under-counted by anonymous RLS. Response includes stats_scope (full | rls_limited).

0.2.0 — 2026-04-19

Added

Social deep links: NEXT_PUBLIC_WHATSAPP_URL and NEXT_PUBLIC_TELEGRAM_URL wired in Footer, Contact, and Agent page.
Fixt DIY Library: /guides and /guides/* require sign-in; /api/guides endpoints require auth. Footer link “Fixt DIY Library”.
Obscured operator workbench at /workbench/fxt-a9m2k7 (not /admin) with env-based username/password and signed cookie (FIXT_WORKBENCH_USER, FIXT_WORKBENCH_PASSWORD, FIXT_WORKBENCH_SECRET). Stub “Hermes / Paperclip” agent panel via GET /api/workbench/agents.
APIs: GET /api/fixers/rankings (city, category, composite score + Fixt experience tier), GET /api/public/profiles/:id (fixer or homeowner analytics), POST /api/jobs/:id/verify-completion (AI before/after advisory before escrow release).
Fixt API CLI: scripts/fixt-api.mjs for scripted HTTP calls with X-Fixt-Client header.
HTTP branding: all /api/* responses get X-Fixt-API: 1 and X-Fixt-Product: Fixt from middleware.
Nav + favicon: Logo supports inline /icon mark; root metadata.icons points at /icon and /apple-icon; desktop nav uses equal-width CSS grid columns.
Homeowner job flow: Chat links to /homeowner/messages?job=… with auto-select; “Run AI before/after check” calls verify-completion.

Changed

Removed duplicate CTAs under “How Fixt Works” (Post job / Apply / Compare) — those actions remain in the hero and platform sections.
Removed /guides from sitemap.xml output (auth-gated content).

Not shipped (by design)

Bulk synthetic DIY content, scraped third-party repair data, fake homeowner emails, or gallery images copied from other sites.
Fully autonomous agents that modify production code, hire or fire staff, or move money without human controls.

Mobile

PWA: existing manifest.webmanifest + install flow.
Native shell (v0.2.1+): Capacitor project under mobile/ for App Store / Play wrappers.