Changelog

Notable changes to the SDK, server, and admin panel. Newest first.

SDK v2.1.0 — current

Added

• Standard event vocabulary — 25 constants + 14 typed helpers in ReflectStandardEvents (sign_up, level_up, add_to_cart, ad_impression, etc.) matching AppsFlyer / Firebase taxonomy.
• Global properties — SetGlobalProperty / UnsetGlobalProperty / ClearGlobalProperties, merged into every event automatically.
• Audience tagging — SetAudience(...) applies cohort tags; server upserts install_audiences.
• Anonymous → known stitching — SetUserId auto-fires _user_alias on first non-null transition; server populates user_aliases.
• GDPR / CCPA right-to-be-forgotten — DeleteUserData(callback) wipes local state + queues server cascade-delete.
• Deep linking — OnDeepLink event + HandleDeepLink(url, isCold). Deferred deep links auto-fire from install referrer / AdServices payload.
• Auto crash capture — _crash events on unhandled exceptions, throttled to 1/min.
• app_first_open event distinct from app_open (Firebase parity).
• Receipt validation — TrackPurchase / TrackSubscription accept optional receiptData; server validates against Apple/Google (cache-first to avoid repeat calls).
• Event validator — bounds-checks event names + properties client-side.
• UserId getter — ReflectSDK.UserId read-only property.

Changed

• Gzip compression on event batches ≥10. Typically 80% bandwidth reduction. Worker decompresses after HMAC verify.
• X-Reflect-Sdk header bumped 2.0.0 → 2.1.0.

Server

• Migration 008_sdk_v21.sql applied — adds deletion_requests, user_aliases, install_audiences, retention_cohorts, receipt_validations, plus attributions.is_revenue_validated and tracking_links.deep_link_path.
• New endpoints: POST /privacy/delete (queue + cron drain), POST /skan-postback (R2 audit).
• New crons: nightly privacy deletion cascade, daily retention cohort rollup.

Build

• consumer-rules.pro shipped with the Android plugin — keeps native bridge alive when R8 is enabled.
• License field cleaned up; package version bumped.

SDK v2.0.0

Breaking

• ReflectConfig.CompanyKey is now required when BaseUrl is set. Format: co_live_<hex>.
• ReflectConfig.AppKey is also required when BaseUrl is set (was optional in v1).
• New header on every POST /event: X-Reflect-Company-Key.
• Server rejects requests where app_key and company_key don’t match: 401 app_company_mismatch.
• Server rejects suspended companies: 401 company_suspended.

Compatibility window

For 90 days following v2.0 release, the server accepts v1 SDK traffic (missing company key) and logs sdk_v1_deprecated warnings. After that window the server returns 400 missing_auth_headers.

SDK v1.0.0

Initial public release. Single-tenant; per-app HMAC-signed event ingestion; Play Install Referrer + AdServices attribution; offline queue; debug overlay; ATT integration.

Server / admin (rolling)

• 2026-04 — Onboarding paywall step inserted (/onboard/plan). Indian Rupee pricing for IN visitors based on CF-IPCountry. Landing page pulls live plans from D1.
• 2026-04 — Resource usage dashboard (/admin/super/usage) — cross-tenant load + cost + margin with upgrade-candidate / over-cap callouts.
• 2026-04 — Plans & pricing super-admin UI (/admin/super/plans); PayPal Subscriptions integration; /billing tenant page; per-app usage breakdown + activity feed on company detail.
• 2026-04 — Migration 007: pricing tiers, subscriptions, usage counters, invoices, payments. Worker-side cap enforcement + monthly invoice close cron.
• 2026-03 — Multi-tenant migration (003). Per-tenant data isolation; super-admin view of all companies.