Changelog

Two community-engagement changes shipped together. (1) Daily login no longer hands out free packs on a flat schedule — it now grants pack fragments every day on a [3,3,3,5,5,5,8] cycle, and completing a consecutive-day week awards an escalating pack bonus (1 → 2 → 3 → 4, capped at 4). Miss any day and the streak resets to zero — finish the week to earn that anchor reward. (2) New profile-tab section to redeem codes (e.g. WELCOME-2026, partnership codes, content-creator giveaways). Codes can grant any combination of packs, fragments, and per-rarity pieces; admin authors them via the new admin Codes tab with optional usage caps and expiry timestamps.

Until today the UI chrome was localized but card content stayed in English: names, flavor lines, ability names and descriptions all read in English regardless of your selected language. We translated all 113 cards into Spanish (Spain + LATAM fallback), French, Italian, German, Portuguese (BR + PT fallback), Polish, Dutch, Russian and Turkish — that is the canonical name plus flavor, plus active and passive ability names and descriptions where present. The English server payload is still authoritative for the database; what you see on screen is overlaid client-side based on your locale, so a card identity stays the same across language switches and trades. If a translation is missing for any field on any card it falls through to the English text, never to a blank.

Player feedback after the Mass Dissolve launch: the changelog said "up to 50 per batch" but a player with only 21 copies of a card hit a cap of 20 and assumed something was broken. Nothing was broken — the server enforces "keep at least 1 copy of every card" so a 21-copy stack tops out at 20 in one go. The cap was always min(server max 50, eligible copies, total copies − 1); it was just invisible. Now the entry button label says exactly what your batch cap is in the form "max N of M eligible", and a hover tooltip explains the binding constraint (server cap, eligibility, or keep-1). The selection panel header repeats the constraint so you never need to guess.

Hoarders, this one is for you. Dissolving common copies one at a time was burning everyone's per-user dissolve rate-limit window — a player with 80 commons of a single card couldn't realistically clear them in one sitting. The Card detail view now shows a "Mass Dissolve…" button below the existing per-copy Dissolve, mounted whenever you have at least 2 eligible copies of the card you're looking at. Click it, pick which print numbers to destroy from a tile grid (locked / in-deck / in-active-trade copies are dimmed and disabled), and the whole batch goes through in a single confirm + a single rate-limit slot. Server-side cap is 50 per call so the response is always snappy. The reward preview shows you the exact fragments + rarity-specific pieces you'll get before you click Destroy All.

Two small but visible quality-of-life wins. In the Collection tab, the availability dropdown gained a "Rotating Soon" option that filters the grid to cards expiring within 30 days — same threshold as the badge that's been showing on those cards for a while now, so the filter and the badge always agree. On the Tournament tab, guild tournaments now show their standings panel to anyone browsing — not just enrolled participants. Before, you'd open a guild tournament and see participants but no bracket unless your guild was registered. Now the public standings panel renders for everyone, reading the same data the server already returned, so you can see who's leading without having to register first.

The final area of the 14-area hostile-review sweep — build pipelines and CI gates. Most of the changes are invisible to players (they live in `.github/workflows/` and `scripts/`) but they shift quality from "local-only with --no-verify bypass" to "merge-blocking on every PR". The full vitest suite (~2700 tests), TypeScript type-check, drizzle drift gate, i18n key parity, BullMQ pin, battle-config validation, and bare-db-execute baseline now all run in CI on every PR. Production CVE scanning gained a waiver-aware gate that surfaces moderate vulnerabilities (the previous threshold silenced six of them). The IAB Global Vendor List used by the cookie-consent banner now refreshes daily via a scheduled workflow that opens a PR when the vendor list changes. Two skipped tests in the battle suite carry tracked references (T-201, T-202) and a new invariant gate fails the build on any future untagged skip so dead code can't accumulate.

A pass through the observability + audit pipeline closed the gap between what the privacy policy says and what the server actually does. Nothing visually changed for players, but a few things improved underneath: the Node.js process now logs and counts uncaught errors instead of crashing silently and letting the platform restart it without an explanation; the audit_log table is now pruned daily by a cron job that enforces the 90-day retention window the privacy policy promises; player display names are now redacted from server log lines (GDPR Recital 30 treats display names as personal data); and the security event audit pipeline gained durability checks + per-action IP-hash provenance so a regulator inspection can reconstruct any account action with the timestamp, actor, and origin.

A pass through the legal + consent surface closed a long list of compliance gaps. Headline items: the IAB TCF v2.3 consent string is now the official bit-packed format produced by the @iabtechlabtcf/* libraries instead of a base64(JSON) shim — Google AdSense's parser was rejecting our shim string since the 2026-03-01 deadline, which silently dropped EU visitors to Limited Ads. Every consent-banner choice (Accept All / Reject All / Customize / withdraw / version-bump prompt / re-open) now writes a durable audit_log row so we can demonstrate consent under GDPR Art.7(1) inquiry. The 16+ age confirmation and Terms of Service acceptance on sign-up are now enforced server-side via Better Auth additional fields — the previous client-only checkbox was bypassable via curl. The privacy policy now names the real third-party processors (Arsys for hosting + Google AdSense for ads) instead of placeholder copy — Postgres and Redis run on operator-managed Arsys infrastructure and aren't separate processors. Account deletion now wipes a much wider set of personal-data tables (friendships, guild membership, tournament entries, tickets, ad-watch history, provably-fair seeds, verification tokens, and several more), uses a crypto-random pseudonym suffix that breaks the prior audit-log linkability, refuses to re-create a deletion request for a fully-deleted account, and bounds cron retries so a transient failure can't loop forever. The data-export artifact gained six new sections (guild membership, tournaments, friendships, support tickets, ad-watch history, provably-fair seed history) and per-section row caps so a power user can't OOM the export build. The consent banner is now a proper modal with focus trap and aria-modal, the language switcher is visible at every breakpoint (was hidden on mobile), and admin bans now deliver a DSA Art.17 Statement of Reasons via in-app notification with the rule violated and an appeal route. Plus: a fresh IAB Global Vendor List bundled and a daily refresh script so vendor scope edits don't drift, AdSense first-party cookies now actually deleted on consent withdrawal (previously only the script tag was unmounted), and a new CSRF token gate on the account-deletion + data-export endpoints so a forged-form attacker page can't trigger a deletion countdown for a logged-in visitor. Consent version bumped from 3.1 to 3.2 — every visitor will see the cookie banner once on next visit to re-confirm under the updated processor list.

A pass through the bilingual surface closed every visible English-only chrome remnant on Spanish pages and tightened a few middleware + SEO gaps. Headline items: the marketing nav (About / How to Play / Cards / FAQ / Contact / Updates / Log in / Play for Free), every legal-page header link, the global cookie-consent banner, the offline banner, and the language-switcher screen-reader label all read from the active-locale message bundle now — Spanish visitors no longer see English wrappers around Spanish copy. The language switcher is also visible on phones (was hidden under the sm: breakpoint), so a visitor landing on the wrong locale on mobile can finally jump in-page. Changelog dates are stored as ISO YYYY-MM-DD and rendered through Intl.DateTimeFormat per locale — Spanish visitors see "26 de abril de 2026" / English visitors see "April 26, 2026". Email addresses across the legal + contact surface have been unified to a single canonical contact@drawntcg.com so visitors don't have to guess between info / privacy / support inboxes. A new /robots.txt now points crawlers at the per-locale sitemap, and link-preview crawlers (Slack, Discord, iMessage, Twitter) get an Open Graph card with the right locale tag. A subtle middleware bug that made the <html lang="…"> attribute always say "es" on /en/* pages — silently breaking screen-reader locale routing and Google's hreflang verification — has been fixed.

A pass through the anticheat surface (provably-fair seeds, replay sanitization, spectator state, collusion-detection telemetry) closed a small list of subtle but real defects. Headline items: pack-opening seed rotation is now atomic against in-flight pack opens, so a verifier replay can never reproduce N−1 of N openings while the Nth orphan dangles unverifiable; replay history scrubs raw player ids out of turn-log strings before persistence so the publishable replay file truly cannot be cross-correlated by id; spectator state strips two alpha-strategy hints (adrenaline counters and per-turn summon counts) that pre-fix flowed through unmasked; provably-fair seed rotations and client-seed changes are now durably audited so a player dispute has a recoverable trail; the history endpoint no longer 500s on garbage page params and no longer leaks raw Postgres errors to clients.

A pass through tournaments, guilds, the profile sections, and the in-battle internals fixed a long list of small bugs and added the visible affordances that were missing. Headline items: viewing a stranger's profile now tells you why bio / display case / achievements are hidden ("add as friend to see more") instead of rendering blank sections; achievement toasts auto-dismiss after 6 seconds (and cap at 5 visible at once) instead of stacking forever; every in-battle action — summon, attack, ability, mulligan, end turn, forfeit — now has a 5-second "no response from server" safety net so a flaky socket can't leave the UI stuck pending; the forfeit button uses an in-app modal instead of the browser's native confirm() popup that iOS PWAs sometimes silently suppress; the tournament bracket marks forfeit / disconnect / bye matches with a small badge so admins and spectators can tell them apart from real wins; deck-builder save validates the 3-copies-per-card limit client-side before letting you press Save; and a list of guild-management quality-of-life polish items (kick / promote confirmation, donation amount cap, war-end refresh filtering, identical-message dedupe).

A pass through the in-battle screen, the deck builder, and the card / trade modals fixed a long list of small but visible bugs. The headline items: spectators were seeing the battle mirrored to the wrong side (their view labelled the opponent as "you"), the mulligan timer reset to 30 every time anything happened on the board, the queue size showed blank when joining casual matchmaking, and trade history's wishlist 🎯 markers showed the wrong player's wishlist. The card modal now cancels in-flight fetches when you flip through a gallery, the deck builder caps how many pages it loads (so a server hiccup can't lock the screen), and copying a deck export now actually tells you whether it worked.

When you summon a creature, attack, or end your turn, the client now waits up to 5 seconds for the server to confirm. If the confirmation never arrives — server hiccup, network drop, dropped packet — you get a clear "No response from server — check your connection" message instead of a button that just stops responding. If the server rejects the action (out of phase, illegal target, rate-limited, etc.) the rejection reason now reaches you immediately even on flaky connections, instead of riding the next state push and arriving seconds late. The other (less critical) actions are unchanged. Spanish and English locales also got `not-found` and `loading` pages so a stale link or a slow load lands on a localised page instead of the framework default.

The bilingual public surface is now wired up for search engines. Every Spanish and English page emits a `<link rel="canonical">` pointing at its own locale URL plus an `<link rel="alternate" hreflang>` map covering both locales and an `x-default` fallback, so Google can pair the /es and /en variants of the same page instead of treating them as duplicates. A new `/sitemap.xml` enumerates every Phase 1 public page in every locale with the same hreflang alternates per entry. With this release Phase 1 of the i18n project is fully closed: 4 legal pages bilingual, 7 marketing pages bilingual, controlling-version clauses live in both languages, locale switcher in both headers, hreflang plumbing in metadata and sitemap, and a written workflow template for any future page.

A big batch of player-facing work landed across the spring. The headline items: a public marketing surface for new visitors, a card mastery system that rewards loyalty to specific cards, a tournament bracket viewer that finally lets you see how a tournament is unfolding, and a long list of small UX fixes that close gaps players have been pointing out for months. Below is the rough shape of what changed, organised by area. Patch notes for individual cards and balance tweaks live in the in-game patch feed; this changelog covers the structural and surface-level stuff.

Six more marketing pages are now bilingual, closing out Phase 1 of the marketing translation effort. /es/about renders the team / vision / game-world write-up in Spanish. /es/contact translates every channel. /es/faq covers all 12 Q&A items. /es/how-to-play translates the 10-minute rundown. /es/showcase renders the curated 7-card showcase with bilingual card names + flavor blurbs. /es/changelog (this page) is now bilingual too — every ChangelogEntry carries both Spanish and English copy together in the source so future updates land in both locales atomically. The four legal pages shipped bilingual earlier this month, so the public surface is now fully bilingual end-to-end.

The homepage hero is now bilingual. Spanish-speaking visitors landing on /es see the full marketing pitch in Spanish — anti-pay-to-win positioning, daily-free-packs promise, multi-pace modes (casual, ranked, AI, just collecting), element chips, and the 'built among friends' footer — all in informal tú voice. English visitors keep the original wording at /en. This is the first marketing page to land in two languages; the rest are queued up next.

The Privacy Policy is now bilingual, closing out Phase 1 of the legal-page localization effort. Spanish-speaking visitors land on a fully translated /es/legal/privacy, English visitors keep the original wording at /en/legal/privacy. With this release, all four legal pages — Terms of Service, Cookie Policy, Legal Notice, and Privacy Policy — ship in both English and Spanish, each carrying the controlling-version notice that names the English text as the legally authoritative version. Phase 1 legal coverage is now fully complete.

The Terms of Service page is now bilingual. Spanish-speaking visitors land on a fully translated /es/legal/terms, English visitors keep the original wording at /en/legal/terms. Both versions carry the same controlling-version notice at the top, making clear that the English text remains the legally authoritative version and the Spanish translation is provided for convenience. Three of four legal pages — Terms, Cookies, and Legal Notice — now ship in both languages; Privacy is the next page in line.

The Cookie Policy and Legal Notice pages are now bilingual. Spanish-speaking visitors land on fully translated /es/legal/cookies and /es/legal/notice, English visitors keep the original wording at /en/legal/cookies and /en/legal/notice. All four pages carry a controlling-version notice at the top making clear that the English text is the legally authoritative version and the Spanish translation is provided for convenience. Terms and privacy will follow the same pattern in upcoming releases.