Reliability, Security, and Notifications: Making VibeNest Easier to Trust
This release focuses on the parts of VibeNest that make a platform feel dependable: alerts you can find later, public pages that behave predictably, safer subdomains, and background checks that catch quiet drift.
Several changes came from production issues: a stuck project, a subdomain safety review, users with incorrect credit balances, and missing server telemetry.
A Notification Center Inside the Dashboard
Important platform events no longer disappear into email, Telegram, or a temporary toast.
VibeNest now has a persistent in-app inbox in the dashboard header. The bell combines tasks and unread messages, opens a slide-out panel, and links to a full /dashboard/notifications page with filtering, archiving, and deletion.
Existing alert paths now also write to the inbox, including billing events, project blocks and unblocks, deployment failures, redeploy events, and AI Doctor outcomes. This happens before email opt-out checks, so users who do not want emails still have a product-side history.
Admins can also send announcements to all users, a single email, a plan segment, or operational segments such as users with failed deployments or no projects. In-app delivery is always available, while email and Telegram are optional.
Notifications update in real time, and similar events can be grouped into one expandable row. That keeps noisy deployment flaps or announcement bursts from taking over the panel.
Public Projects Are Clearer by Default
New projects are now public by default, with an explicit Public/Draft choice during creation and in project settings. Existing projects keep their previous state.
The showcase and sitemap are more selective. A project can be public by direct link while still staying out of the gallery if its page is empty, placeholder-like, too short, or mostly headings. This prevents thin generated pages from becoming search and showcase noise.
When VibeNest generated the thin page itself, the platform can spend one free regeneration to improve the wiki content and beautified HTML. That keeps the product promise oriented toward helping the page become useful, rather than just hiding it.
Stronger Subdomain and Abuse Controls
A subdomain ownership signal led to a broader review of user subdomains.
The most important fix is server-side reserved-slug enforcement. Previously, some creation paths could bypass client-side slug checks, and reserved words were spread across multiple lists. VibeNest now uses one shared reserved-subdomain source, blocks IDN punycode slugs, and separates distinctive brand matches from generic exact matches so legitimate names are not overblocked.
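A sketch of what a single server-side check along these lines can look like, as an added example rather than VibeNest's own code. The function name, the reason codes, and both word lists are assumptions made for illustration.

```python
import re

# Constructed sample lists; the platform's real reserved list is not shown on the page.
GENERIC_EXACT = frozenset({"www", "api", "admin", "mail", "dashboard", "status"})
DISTINCTIVE_BRANDS = frozenset({"vibenest", "examplepay"})  # hypothetical brand names

# One DNS label: 1-63 chars, lowercase letters, digits, inner hyphens only.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def check_slug(raw):
    """Return (allowed, reason). Call this from every creation path on the
    server, so a request that skips the client-side check is still validated."""
    slug = raw.strip().lower()
    if not slug.isascii():
        return False, "non_ascii"        # homoglyph input never reaches the lists
    if not LABEL_RE.match(slug):
        return False, "invalid_label"
    if slug.startswith("xn--"):
        return False, "punycode"         # IDN A-label that would render as Unicode
    if slug in GENERIC_EXACT:
        return False, "reserved_exact"   # generic words: whole-label match only
    squashed = slug.replace("-", "")
    for brand in DISTINCTIVE_BRANDS:
        if brand in squashed:            # distinctive brands: match anywhere
            return False, "reserved_brand"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["my-app", "admin", "administrator-tools",
                      "vibe-nest-login", "xn--80ak6aa92e"]:
        print(candidate, check_slug(candidate))
```

Generic words are compared against the whole label, so "administrator-tools" passes while "admin" does not; distinctive brand strings are matched as substrings with hyphens removed, so "vibe-nest-login" is rejected.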
There is also a new abuse-reporting path. Public project pages can expose a Report action, reports appear in the admin review queue, and admins can block a project from the same flow. Duplicate open reports are collapsed.
New accounts have a deployment cap during the early trust window. Subscription reversals can also suspend affected apps automatically.
The platform now sends X-Frame-Options: SAMEORIGIN on the apex and www surfaces, protecting the dashboard, admin, marketing, and wiki pages from clickjacking without changing tenant apps or database consoles.
Daily Checks for Quiet Platform Drift
The daily invariant checker introduced around billing now has more jobs.
Credit-balance reconciliation compares the denormalized user balance with the transaction ledger. Safe upward fixes can be repaired automatically; suspicious cases are reported instead of silently reduced.
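The reconciliation rule described above, shown as an added example and not the platform's code. The table and column names and the sample rows are constructed, and "safe upward fix" is read here as "the ledger total is higher than the stored balance".

```python
import sqlite3


def build_sample_db():
    """Constructed data: user 1 in sync, user 2 stored too low, user 3 stored too high."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, credit_balance INTEGER NOT NULL);
        CREATE TABLE credit_ledger (user_id INTEGER NOT NULL, delta INTEGER NOT NULL);
        INSERT INTO users VALUES (1, 100), (2, 40), (3, 500);
        INSERT INTO credit_ledger VALUES (1, 150), (1, -50), (2, 100), (2, -30), (3, 200);
    """)
    return db


def reconcile(db):
    """Compare each denormalized balance with the ledger sum.

    Returns (repaired, reported) as lists of (user_id, stored, ledger_total).
    Balances are only ever raised automatically; a stored balance above the
    ledger total is reported and left untouched for manual review.
    """
    drifted = db.execute("""
        SELECT u.id, u.credit_balance, COALESCE(SUM(l.delta), 0) AS ledger_total
        FROM users u LEFT JOIN credit_ledger l ON l.user_id = u.id
        GROUP BY u.id, u.credit_balance
        HAVING u.credit_balance != COALESCE(SUM(l.delta), 0)
        ORDER BY u.id
    """).fetchall()
    repaired, reported = [], []
    for user_id, stored, ledger_total in drifted:
        if ledger_total > stored:
            # Compare-and-set: skip the fix if the balance changed since the read.
            cur = db.execute(
                "UPDATE users SET credit_balance = ? WHERE id = ? AND credit_balance = ?",
                (ledger_total, user_id, stored),
            )
            if cur.rowcount == 1:
                repaired.append((user_id, stored, ledger_total))
        else:
            reported.append((user_id, stored, ledger_total))
    db.commit()
    return repaired, reported


if __name__ == "__main__":
    print(reconcile(build_sample_db()))
```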
The checker also detects duplicate free slots. It treats services in the same project group as one slot, which avoids false positives for valid grouped projects.
Another check reports infrastructure resources that are not referenced by any project. These are containers or services that may still cost money even though VibeNest no longer points at them. The check reports only; cleanup stays manual because different resource types have different deletion paths.
Daily results appear in an admin health surface and can be summarized in a Telegram digest.
More Honest Monitoring and Failure Signals
One stuck project exposed several monitoring gaps.
VibeNest now reads host-level container signals so it can distinguish a real out-of-memory kill from an ordinary crash. The agent reports Docker OOM state and exit code evidence, giving the deployment monitor a reliable basis for oom_failed instead of guessing from logs.
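An added example, not the agent's own code, of classifying a stopped container from the State object that docker inspect returns. Only oom_failed is a state name from the page; the other labels and the sample payloads are constructed for illustration.

```python
import json

SIGKILL_EXIT = 128 + 9  # 137: the process was ended by SIGKILL, whatever the sender


def classify_container(inspect_output):
    """Map `docker inspect <container>` JSON (a one-element list) to a state label."""
    state = json.loads(inspect_output)[0]["State"]
    if state.get("Running"):
        return "running"
    if state.get("OOMKilled") is True:
        return "oom_failed"   # host-level evidence, no log parsing involved
    exit_code = state.get("ExitCode")
    if exit_code == SIGKILL_EXIT:
        # SIGKILL without the OOM flag: a manual kill or a stop timeout, not memory.
        return "killed"
    if exit_code == 0:
        return "exited"
    return "crashed"


def sample(oom_killed, exit_code, running=False):
    """Build a constructed inspect payload holding only the fields used above."""
    return json.dumps([{"State": {"Running": running,
                                  "OOMKilled": oom_killed,
                                  "ExitCode": exit_code}}])


if __name__ == "__main__":
    for payload in (sample(True, 137), sample(False, 137), sample(False, 1)):
        print(classify_container(payload))
```

Exit code 137 on its own is treated as weaker evidence than the OOMKilled flag, because any SIGKILL produces it.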
The same investigation fixed server telemetry that had been silently dead because a generated systemd unit lost its final newline during installation. With the agent actually running, CPU and memory signals are available again.
Heavy builds also get more patience. Instead of treating a long build as failed after a flat wall-clock timeout, the monitor checks whether build logs are still moving.
Private repository recovery was tightened too. Private detection now runs on deployment, not only during project creation, so projects broken by earlier behavior can repair themselves on the next deploy.
What This Means for Users
Users get a clearer project lifecycle, a place to review important events, and fewer vague deployment states. Admins get earlier warnings when platform invariants drift. Public surfaces are safer by default, and the monitoring layer has better evidence before it declares why an app failed.