Platform status
Auto-refreshed manually on every release. Last verification: 2026-05-11 (release v1.0.0 — General Availability). For per-tag changelog see dist releases and CHANGELOG.md in the tarball.
All NexaXT-controlled surfaces operational.
License-issuance API, marketing site, signed-release pipeline, sub-processor email delivery — all green.
License-issuance API, marketing site, signed-release pipeline, sub-processor email delivery — all green.
Surface coverage
| Surface | Last 30 days | Status |
|---|---|---|
| weco.nexaxt.com (marketing + buy + install docs) | 99.91% | Operational |
| /api/weco/* (license issuance backend) | 99.95% | Operational |
| github.com/antonorlov888/orox_siteconstuctor_admin-dist (release tarballs) | GitHub uptime | Operational |
| noreply@nexaxt.com (license-JWT email delivery via NetSol) | 99.7% delivery | Operational |
The customer-installed admin VM is on Customer's own infrastructure — its uptime is the Customer's responsibility, not NexaXT's. NexaXT publishes this page to commit to the surfaces NexaXT directly operates.
SLA — paid tiers
| Tier | License-issuance availability | Email-delivery target | Support response |
|---|---|---|---|
| Trial / Starter | Best effort (no SLA credit) | ≤ 1 hour business-hour | Community / next-business-day email |
| Standard | ≥ 99.5% / quarter | ≤ 30 min | 1 business day |
| Premium | ≥ 99.9% / quarter | ≤ 15 min | 4 business hours (KZ business hours, GMT+5) |
| Enterprise | Per Order Form (24/7 + custom RTO/RPO) | ≤ 5 min | Per Order Form |
SLA credits: Standard tier — 5% credit per 0.5% miss; Premium tier — 10% credit per 0.5% miss. Claim window: 30 days from incident close. Email anton.orlov@nexaxt.com with subject "SLA credit claim — <Order Form ID>".
Incident history
Public incident log starts at v0.0.18 (production-ready release). Earlier development incidents are not published.
| Date | Surface | Severity | Resolution |
|---|---|---|---|
| 2026-04-25 13:22 UTC | weco.nexaxt.com landing | Sev 3 — degraded visual | Unclosed HTML comment in index.html (introduced in v0.0.20 SEO meta block) caused browsers to swallow inline <style> block. Fixed in v0.0.20 hotfix. CSS extracted to external /assets/css/landing.css to harden against similar regressions. RCA: linting gap on raw HTML edits. |
| 2026-04-25 09:14 UTC | install-admin.sh | Sev 4 — feature-not-yet-shipped | install-admin.sh URL returned the SPA fallback HTML because the file was never uploaded after v0.0.17. Uploaded; nginx config also tightened so the fallback returns 404 for unknown .sh paths. |
| 2026-04-25 06:30 UTC | buy.html tier picker | Sev 2 — purchase funnel dead | Trial tier API returned price_kzt_approx:null; tier-card render loop crashed on null.toLocaleString(). Patched + null-safe rendering shipped in same hotfix. Re-render verified end-to-end in headless browser. |
Recent releases (v0.0.30+)
Detailed log: CHANGELOG.md in every release tarball or dist repo releases. Auditor-finding crosswalk: docs/AUDITOR_TRACEABILITY.md.
| Tag | Date | Headline |
|---|---|---|
v0.0.64 | 2026-04-28 | Critical: HTTPS IP-fallback location ordering — slug-at-root regex moved AFTER reserved prefixes (/_pdf/, /sites/.../token, /pdf-stream, /pdf-page, /pdf-search) so PDF viewer stops 404'ing over self-signed bare-IP TLS. |
v0.0.63 | 2026-04-28 | Critical: vms/bootstrap.sh reads ADMIN_EMAIL from /etc/ff-host/env on re-runs — closes the recurring "site at <domain>/<slug>/ but not at <domain>/" bug at root: the email-required guard was aborting every setHostDefaultSite bootstrap before it could regenerate the nginx IP-fallback. |
v0.0.62 | 2026-04-28 | Critical: un-wedge auto-update — chmod +x on update-runner.sh in git, ExecStart=/bin/bash … in both systemd units, default poll repo flipped from dev (zero releases) to orox_siteconstuctor_admin-dist, defensive setHostDefaultSite after domain attach. |
v0.0.61 | 2026-04-27 | Host VM license-presence beacon — daily anonymous heartbeat from each host (sha256(license_id) + version) so an admin pasting one JWT into N admin VMs surfaces as inadvertent overage. |
v0.0.60 | 2026-04-27 | Auto-update refreshes /etc/sudoers.d/ff-admin from canonical template each release (new grants land via timer, not gated on install.sh --upgrade-tls). |
v0.0.59 | 2026-04-27 | Critical: admin pushes its own current bootstrap.sh to host before re-run (host VMs never auto-update on their own). |
v0.0.58 | 2026-04-27 | Manual "Run update now" button at /system/updates; live release-tag readout on the dashboard. |
v0.0.57 | 2026-04-27 | Critical: defensive chattr -a strip-restore around bootstrap re-runs (host VMs on releases v0.0.18-v0.0.40 EPERM on chown after audit log is sealed). |
v0.0.56 | 2026-04-27 | Critical: retroactive self-heal via update-runner — auto-heal default-site backfill on every auto-update tick. |
v0.0.55 | 2026-04-27 | Critical: auto-default-on-first-site fires even when listSites errors; HTTPS IP-fallback gains slug-at-root catch-all. |
v0.0.54 | 2026-04-27 | Silence install-log locale spam. |
v0.0.53 | 2026-04-27 | Silence Turbopack warnings for optional KMS providers. |
v0.0.52 | 2026-04-27 | Security: bump next 16.0.0 → 16.2.4 (CVE-2025-66478). |
v0.0.51 | 2026-04-27 | TOTP issuer label = operator's Branding product name; superadmin "Reset 2FA" button on user row. |
v0.0.50 | 2026-04-27 | License rotation from admin UI — paste new JWT, atomic write, no service restart. |
v0.0.49 | 2026-04-27 | NoNewPrivileges trap removed (admin-domain attach now actually works); site import UI; forgot-password via 2FA flow. |
v0.0.48 | 2026-04-27 | Favicons across admin + host sites with three-layer override (default → site asset → Branding upload). |
v0.0.47 | 2026-04-27 | install.sh — NEXTAUTH_URL scheme follows nginx (HTTPS on selfsigned, was HTTP; broke sign-out). |
v0.0.46 | 2026-04-27 | Hardening — Permissions-Policy header, RFC 9116 /.well-known/security.txt, rate-limit on IP-fallback slug-at-root catch-all. |
v0.0.45 | 2026-04-27 | Security: per-user 2FA opt-in always enforces (was bypassable when FF_REQUIRE_2FA unset). |
v0.0.44 | 2026-04-27 | "Attach domain to admin" page — operator-facing replacement for SSH + install.sh --upgrade-tls. |
v0.0.43 | 2026-04-27 | /api/domains rejects attach when slug doesn't exist on host (typo'd slugs no longer produce 404 sites behind real certs). |
v0.0.42 | 2026-04-27 | host-api → ff-certbot uses --preserve-env=ADMIN_EMAIL + sudoers env_keep (Let's Encrypt no longer rejected with "admin@example.com is invalid"). |
v0.0.41 | 2026-04-27 | bootstrap.sh chown idempotency; FF_AUDIT_SECRET auto-generated at install (HMAC chain works on first boot). |
v0.0.40 | 2026-04-27 | install.sh — ADMIN_EMAIL falls back to seed-admin email when no --domain (host bootstrap unblocked). |
v0.0.39 | 2026-04-27 | License multi-key verify (admin trusts trial pubkey + production pubkey); sign-out via next-auth/react. |
v0.0.38 | 2026-04-27 | ClamAV upload scan + Ghostscript flatten + 4-eyes JIT + host-api per-identity rate limit + AppArmor profile. |
v0.0.37 | 2026-04-27 | WebAuthn passkeys (AAL3) + SCIM 2.0 + device-bound sessions + anomaly rules. |
v0.0.36 | 2026-04-27 | Step-up MFA + SIEM back-pressure queue + break-glass account + egress allowlist + coverage gate. |
v0.0.35 | 2026-04-27 | SAML 2.0 SP + OIDC RP (PKCE) + JIT user provisioning + FF_SSO_ONLY sealed-mode. |
v0.0.34 | 2026-04-27 | 25-item bulk hardening: nonce CSP, CSRF, SSRF guard, FF_FREEZE, FF_KEY_LOCAL_FORBID, LUKS-enforce, cosign+osv, DAST workflow, threat model, evidence pack, master-secret rotation CLI. |
v0.0.33 | 2026-04-26 | Vendor-vs-customer doc + 4 customer primitives: --cloudflare, npm run status:render, npm run pentest:auto, customer-hardening checklist. |
v0.0.32 | 2026-04-26 | Ed25519 audit chain witness + sealed-mode MFA + admin-side DOMPurify. |
v0.0.31 | 2026-04-26 | Audit chain verifier CLI (npm run audit:verify) + canonical JSON + WCAG 2.2 focus ring. |
v0.0.30 | 2026-04-26 | Admin AuditEvent HMAC chain + host-api JSONL chain (chattr +a) + FF_TOTP_ONLY + WCAG 2.2 AA accessibility statement. |
Maintenance windows
Scheduled maintenance is announced on this page at least 72 hours in advance, including affected surfaces, expected duration, and rollback plan. Emergency maintenance (security CVE class) may proceed with shorter notice; all customers are emailed within 24 hours of completion.
Subscribe to status
JSON feed for monitoring: /pages/status.json (refreshed alongside this page). Webhook subscriptions on Premium/Enterprise via Order Form addendum.