What you get

Module-by-module catalog of every feature shipped in the WECO admin, host-api, and renderer.

Effective: 2026-05-11 · Applies to release ≥ v1.0.0. For boundaries (what we do not deliver), see security.html §6 and the Shared-Responsibility matrix in the dist repo. Full block catalog: blocks.html.

How to read this page Status pills: Shipped the feature is implemented and verifiable in the release tarball; Partial the API/runtime exists but the GUI is incomplete (operator may need CLI for some flows); Planned the feature is on the roadmap with a target release. Anything marked NEW v0.0.74, NEW v0.0.75, or NEW v0.0.76 just shipped.

1. Identity & access

Feature	Status
Email + bcrypt password (cost 12, ≥12 chars), per-IP rate limit, 15-min lockout	Shipped
TOTP 2FA (RFC 6238) with single-use recovery codes	Shipped v0.0.19
Email one-time-code 2FA via SMTP	Shipped
WebAuthn / FIDO2 passkey (AAL3)	v0.0.37 — API only, GUI planned
SAML 2.0 SSO (SP) + OIDC RP (PKCE S256)	Shipped v0.0.35
Just-In-Time provisioning on first SSO login (domain-allowlisted)	Shipped v0.0.38
SCIM 2.0 provisioning	v0.0.37 — API only, GUI planned
SSO-only sealed mode (`FF_SSO_ONLY=1`)	Shipped v0.0.35
Step-up MFA on destructive routes (`FF_REQUIRE_STEP_UP=1`)	Shipped v0.0.36
Read-only freeze (`FF_FREEZE=1`)	v0.0.36 — runtime only, banner GUI planned

2. Hosts & provisioning

Feature	Status
Add a host through the UI; admin SSHes in, uploads source, runs `bootstrap.sh` with phase-by-phase progress	Shipped
SSH auth — key (default)	Shipped
SSH auth — password + non-22 port (for VyOS-NAT customers)	NEW v0.0.74
Resume bootstrap (idempotent re-run after a failure)	Shipped
Capabilities + cert-expiry telemetry pulled on every deploy	NEW v0.0.75
Daily TLS-cert-expiry probe on each host (systemd timer); banner appears in admin when any host's cert is < 14 days from expiry	NEW v0.0.75
Customer registry (Settings → Customers): per-customer admin VM IP, host VM IPs, web panel URL+credentials, VyOS router URL+credentials. Encrypted at rest with AAD bound to row id.	NEW v0.0.74
Operator credential vault (workspace-side `_vault/`) + tiny CLI for SSH-command lookup	NEW v0.0.74

3. Sites & content

Feature	Status
21 block types: navigation, hero, text+image, documents (PDF), footer, text section, news, contacts, accordion, table, divider, stats, team, gallery, partner logos, CTA, schedule, Q&A inbox, capital tracker, custom embeds, investor login. See blocks.html for field-level reference.	Shipped v1.0.0
Theme presets — 11 curated palettes (Classic Corporate, Modern Minimal, Legal Document, Financial Gold, Dark Professional, Sunset Bronze, Ocean Slate, Forest Sage, Pastel Calm, High Contrast, Brutalist Yellow)	NEW v0.0.74 (6 added)
Per-site multi-language (BCP-47 tab strip; per-language block content)	Shipped
Atomic deploys (renderer writes a side dir, `rename(2)` swaps over live, prior live is preserved as `<slug>.prev/`)	Shipped
Per-site snapshot + restore (one click → tar.gz at `/var/sites/_backups/<slug>/<ts>.tar.gz`; retention keeps 10 newest)	NEW v0.0.76
Site export (`.orxsite` signed bundle) and import	Shipped v0.0.49
Site delete with optional host purge (default OFF — admin record removed but host data preserved; checkbox to also wipe `/var/sites/<slug>/` + `/var/www/<slug>/` + per-site nginx file; bytes freed audited)	NEW v0.0.74

4. Documents

Feature	Status
PDF-only upload (validated by both magic bytes and Content-Type; no override flag)	Shipped
Stream-only viewing (HS256 token, 60s TTL, single-use, slug+doc+session bound; no raw PDF URL exposed)	Shipped
Image-rendered viewer (per-page PNG via pdftoppm) for no-download mode	Shipped
Per-PDF text search (pdftotext with per-page caching)	Shipped
Optional ClamAV scan + Ghostscript flatten (strips embedded JS / active content)	Shipped

5. Domains & TLS

Feature	Status
Attach a domain to a site → admin orchestrates nginx config + Let's Encrypt	Shipped
Detach domain (removes site config + reloads nginx)	Shipped
Admin domain (TLS for the admin panel itself)	Shipped v0.0.36

6. Audit & compliance

Feature	Status
Hash-chained audit log (every event carries `prev_mac` + `mac`; tampering breaks every later row)	Shipped v0.0.30
Ed25519 witness signature on each chain head (dual-control, key disjoint from chain HMAC secret)	Shipped v0.0.32
Real-time SIEM forward with back-pressure queue (Splunk HEC, Elastic, any HTTP receiver). Optional sealed-mode refuses to write when forward fails.	Shipped v0.0.36
Anomaly detection (outside-business-hours logins, impossible-travel)	Shipped v0.0.36
Verifier CLI (`npm run audit:verify`) — exit 0 only when chain validates	Shipped
CSV export (license-gated)	Shipped
v0.0.74-76 audit actions: `site.purged_from_host`, `customer_site.{create,update,delete}`, `site.snapshot_{created,restored}`	NEW

7. Operator safety

Feature	Status
4-eyes JIT approval for destructive actions (`site.delete`, `host.rotate_credentials`, `self-update`); 30-min TTL, single-use	v0.0.38 — API only, approver GUI planned
Break-glass account (one-time admin via CLI, audited)	v0.0.36 — CLI only
IP allowlist for admin panel (CIDR-based)	v0.0.36 — env-only, GUI planned
Device-bound sessions (cookie tied to obtaining IP)	v0.0.36 — runtime only, session list GUI planned
Auto-update kill switch (Stop / Resume the daily timer)	Shipped v0.0.72

8. Encryption at rest

Feature	Status
AES-256-GCM with per-row AAD on every sensitive column (host SSH keys, host bearers, 2FA seeds, customer panel + VyOS credentials)	Shipped
5-provider master-key chain (file, env-cmd, HashiCorp Vault Transit, AWS KMS, GCP KMS) with rotation CLI	Shipped v0.0.23 / rotation v0.0.34
CI-enforced AAD-binding lint (`npm run check:security`)	Shipped
Backup encryption with separate KEK (refuses `BACKUP_PASSPHRASE == MASTER_SECRET`)	Shipped v0.0.34

9. Updates & rollout

Feature	Status
Auto-update timer (admin VM polls GitHub releases daily; cosign + Rekor verified before install)	Shipped v0.0.58
Manual "Run update now" button	Shipped v0.0.58
GitHub release webhook receiver (release-event POST → immediate update)	Shipped
Per-host rollout after admin update (each host runs `/self-update` against pinned commit)	v0.0.30 — runtime only, per-host progress GUI planned
Update-run history (last 50 runs)	Planned — only latest run currently visible

10. Backup & recovery

Feature	Status
Per-site snapshot + restore (see §3 above)	NEW v0.0.76
Off-host nightly admin DB backup (encrypted via the same envelope as row-level secrets)	Shipped
Snapshots stay on the host VM (never sent to admin) — data sovereignty preserved by design	Shipped

11. Observability

Feature	Status
systemd-everything: `ff-admin`, `ff-host-api`, `ff-cert-check` (NEW v0.0.75), `ff-host-heartbeat`	Shipped
Structured bootstrap log: `/var/log/ff-bootstrap.json` (one JSON per phase, with status + detail)	Shipped
Append-only host-api audit at `/var/log/ff-host-audit.jsonl`	Shipped
License-presence beacon (daily anonymous heartbeat to the licensor; sha256(license_id) + admin version only). Disclosed in EULA §6.2; opt-out via `FF_HEARTBEAT=off` for Enterprise tier.	Shipped v0.0.59

12. What you do not pay for

Transparency:

We do not run your host VMs. They live inside your network. We never have inbound SSH or any cron job dialling out.
We do not store site content in our cloud. Configs, assets, PDFs all live on your host VM.
We do not have a NOC, a paging team, or a published SLA. The admin VM is yours; uptime is yours. We ship code + updates + audit material so your auditor can sign off — not 24/7 hand-holding.

Roadmap

Drawn from _deploy/PLAN_v0.0.74_and_beyond.md:

Per-viewer watermarked PDF (v0.0.77)
Per-document investor activity log (v0.0.78)
Per-deal Q&A inbox (v0.0.79)
Login-gated investor portal section (v0.0.80)
Accreditation self-attest gate (v0.0.81)
Capital tracker per LP (v0.0.82)
One-button compliance export bundle (v0.0.83)