v3.5.0 - Ecommerce tracking, subdomain locale routing, single static tracker

Highlights

Ecommerce tracking on the dashboard

A new Ecommerce section appears on the main dashboard the moment your site records its first purchase event — no flag, no toggle, no admin action.

• 4 stat cards: Revenue · Orders · Avg order value · Conversion rate with period-over-period trends
• Revenue-over-time line chart
• Top products widget reading product_name (or product_id) from event properties
• Auto-hidden on non-ecommerce sites — never clutters the dashboard

Integrate by calling the tracker from your checkout success page:

Statalog.track('purchase', {
    value:      99.99,
    currency:   'USD',
    order_id:   'ORD-12345',
    product_name: 'Sneakers'
});

Works with Shopify, WooCommerce, custom React/Vue/Next.js checkouts — anywhere that supports the standard JS tracker.

Per-locale subdomain routing for marketing

Self-hosters can now serve the marketing site in multiple languages via subdomains: es.example.com, de.example.com, pt-br.example.com. Each language has its own canonical URL, hreflang tags, and a polished pill-style switcher in the nav. The dashboard stays on the bare domain and uses each user's saved locale preference.

The SetLocale middleware also redirects /account/* and /admin/* requests on locale subdomains to the bare domain, so the dashboard's language switcher always works as expected.

Single static tracker.js with data-site-id

The tracker snippet is now a single static script for every site:

<script async src="https://example.com/js/tracker.js" data-site-id="ST-XXX"></script>

Heatmap configuration is fetched at runtime via a new /api/site-config endpoint instead of being baked into a per-site script. The legacy /js/t/{siteId}.js URL still works as a backward-compat shim — existing snippets keep tracking without changes.

Translation tooling

• New php artisan lang:sync <code> command scaffolds and syncs translation files between en and any target locale, preserving existing translations and filling missing keys with [TRANSLATE]-prefixed English placeholders.
• Locale catalog now supports regional codes — pt_BR, pt_PT, zh_CN, zh_TW — with full BCP-47 hyphen↔underscore handling at the middleware level.

Auth UX polish

• Locale switcher integrated into the auth card header (sits next to the logo on the same row)
• Auth pages drop browser Accept-Language sniffing so URL is the consistent source of truth for language

Upgrade notes

Run after pulling:

php artisan view:clear
php artisan config:clear
php artisan route:clear

The locale subdomain feature is opt-in — set STATALOG_LOCALES=en,es,de in your .env to enable additional languages. With only en configured (or unset), the switcher stays hidden and the app behaves identically to v3.4.0.

For the cross-subdomain tracker to work cleanly, ensure your nginx vhost includes all subdomains in server_name and your TLS cert covers them.

v3.4.0 - Automatic bot & AI crawler detection

Highlights

Automatic bot & AI crawler detection

Statalog now identifies search engine crawlers, AI scrapers and SEO tools out of the box on every site — with no toggle to enable, no extra snippet, and no <noscript> pixel. The standard tracking script captures everything.

Detected automatically:

• Search engines — Googlebot, Bingbot, AppleBot, Yandex, DuckDuckBot, Baidu
• AI crawlers — GPTBot, ClaudeBot, PerplexityBot, Google-Extended, CCBot, Amazonbot, anthropic-ai
• Social previewers — Slackbot, Twitterbot, FacebookExternalHit, LinkedInBot, Discordbot
• SEO tools — AhrefsBot, SemrushBot, MJ12bot, DotBot, UptimeRobot, Pingdom

Bot hits are excluded from human stats and never count toward billable pageviews — they appear on the dedicated Bots page.

Unique domains per user

The Add Website / Edit Website forms now reject duplicate domains for the same user. Subdomains are still treated as distinct, so acme.com and blog.acme.com can coexist — but the same domain string can't be added twice.

Searchable dropdowns now actually work

Tom Select on selects with class="js-searchable" (the timezone picker etc.) was silently suppressed by a misconfiguration. They now open on click and let you type to filter.

Upgrade notes

• Run php artisan migrate — adds a one-time backfill that flips every existing site to the new always-on bot-detection mode
• The sites.track_bots column is kept for one release in case anyone needs to revert. It will be dropped in a future version.
• The Site::bot_tracking_snippet accessor is now a deprecated alias for tracking_snippet — it returns the same standard snippet as before.

v3.3.0 - Multi-language support and PDF report margins

Highlights

Multi-language infrastructure

The dashboard, auth pages, and notification emails are now ready to be served in any language.

• Supported locales are defined in config/statalog.php under the locales array (code => native name)
• A new SetLocale middleware picks the active language using this priority chain:
  1. ?lang=xx query parameter (one-shot, persisted as cookie)
  2. The authenticated user's saved locale column
  3. statalog_locale cookie (for guests)
  4. Browser Accept-Language header
  5. The configured default
• POST /locale/{code} saves the choice to users.locale for authed users and a long-lived cookie for guests
• A language switcher appears automatically in the user dropdown (authed) and below auth cards (guests) — but only when more than one locale is configured
• The User model now implements HasLocalePreference, so verification and password-reset emails are sent in the recipient's saved language

To add a new language, drop a folder into lang/{code}/ (and packages/cloud/lang/{code}/ if you have the cloud package), add the code to config('statalog.locales'), and the switcher will appear.

PDF reports

• Generated PDFs now have proper 18mm / 14mm page margins (previously zero)

Upgrade notes

• A new migration adds a nullable locale column to the users table — run php artisan migrate
• Run php artisan view:clear and php artisan config:clear after deploy

v3.2.0 - Internationalization-ready dashboard, email verification enforced

Highlights

Internationalization

Every user-facing string in the dashboard, analytics reports, settings, auth screens, and shared components now flows through Laravel's translation system. Adding a new language is now a copy-paste of the English lang files plus translation — no Blade edits required.

• 6 new language files: SEO tools, GA import, public dashboard, configuration, profile, PDF reports
• Existing app, auth, analytics, sites lang files extended with shared keys
• ~750+ translation keys total across the project
• JS-injected strings safely embedded via @json(__('...'))
• Confirm modal default labels (title, Confirm, Cancel) now translatable

Email verification

• New accounts must verify their email before accessing the dashboard
• verified middleware applied to all authenticated routes
• Existing accounts will be prompted to verify on next login

UX polish

• Confirm modal shows a loading spinner on the confirm button after click, so users know something is happening on slow forms

Upgrade notes

• Run php artisan view:clear and php artisan config:clear after deploy
• Existing logged-in users with no email_verified_at will be redirected to the verification screen on next request — they can resend the verification email from there
• If you have custom Blade overrides, hardcoded English strings in those files will still work; the translation pass only modified core views

Team access controls & UX improvements

Team & multi-account

• Redesigned team members page: full-width layout, toggle switches for site access, richer explanatory text
• Fixed site access: individual toggles were disabled when "All sites" was on — sites were never saved
• Added site access edit modal for existing members
• Fixed account switcher loading the viewer's own sites instead of the owner's
• Fixed stale current_site_id after switching accounts
• Viewer role: fixed access to all read-only analytics pages (live, campaigns, pages, locations, devices, funnels, goals, events, bots, SEO tools, errors)
• Clean up pending invitations when a member is removed
• Fixed access modal missing backdrop and centering

Topbar

• Selected website name and domain shown in the top bar

SEO Tools

• Redirect Checker: domain-locked input — path only, site domain shown as fixed prefix; server-side domain validation
• Meta Tags: same domain restriction as redirect checker
• Removed Core Web Vitals (required Google API key, slow to load)

Visitors log

• Browser icons (Chrome, Edge, Firefox, Safari) and OS icons (Windows, macOS, Android, Linux) in visitor table
• Smaller visitor avatar circle

Page Transitions

• Full-width URL selector
• Dropdown pre-loads top 25 pages on open — no typing required

Bug fixes

• Fixed pages avg time calculation (per-path heartbeat duration)
• Fixed avg duration queries and visitor avatar color hash
• Fixed TomSelect opening on external focus events

REST API, Bot pixel tracking & Page Transitions

REST API v1

Statalog now exposes a read API so you can pull your analytics data into your own dashboards, scripts, or integrations.

Authentication

Set STATALOG_API_KEY in your .env file and pass it on every request:

Authorization: Bearer YOUR_API_KEY

Endpoints

Endpoint	Description
GET /api/v1/stats	Summary: visitors, pageviews, sessions, bounce rate, avg duration
GET /api/v1/stats/timeseries	Visitors and pageviews grouped by day
GET /api/v1/pages	Top pages by pageviews
GET /api/v1/referrers	Top referrer domains
GET /api/v1/channels	Traffic by channel
GET /api/v1/locations	Visitors by country
GET /api/v1/devices	Device type, browser, and OS breakdown
GET /api/v1/events	Custom events
GET /api/v1/campaigns	UTM campaign stats
GET /api/v1/live	Visitors active in the last N minutes

Other changes

• SEO Tools collapsible sidebar group
• Viewer role enforcement — write routes protected
• Fix: visitor map blank on page load
• Fix: New vs Returning showing 0
• Fix: Page Transitions analyticsFor() undefined method
• Fix: sites/create returning 404

Bot pixel tracking, Page Transitions & bug fixes

Bot pixel tracking

When Store bot traffic is enabled, the settings page shows a second tracking snippet with a <noscript> pixel image. Crawlers fetch this pixel when parsing page HTML, triggering bot detection.

Page Transitions

Select any page URL and see which pages visitors came from (entries) and where they went next (exits).

SEO Tools sidebar group

Collapsible group in the sidebar.

Bug fixes

• Visitor map blank on load
• Leaflet SRI integrity hash mismatch
• New vs Returning showing 0
• Page Transitions analyticsFor() error
• sites/create returning 404

Acquisition reports, SEO Tools, Visitor Map & Page Transitions

Acquisition section

• Channels — Search, Social, AI Assistants, Campaigns, Websites, Direct
• Search Engines, Websites, Social Networks, AI Assistants referrer reports

SEO Tools

• Sitemap checker, Robots.txt viewer, Broken links scanner
• Redirect checker — follows the full redirect chain with status badges
• Meta tags preview — Google SERP preview, Open Graph social card, raw tag table

Audience

• Visitor Map — dedicated page with date range selector and Leaflet.js auto-zoom
• Visitor Log — paginated session table with flags, device, browser, and source
• Performance — page timing breakdown (TTFB, FCP, DOM, load)
• Country flags throughout

Behaviour

• Page Transitions — for any page, shows the top pages visitors came from and went to next

Team invitations and bot analytics

Team invitations

• Invite people by email — no pre-signup required
• Invited user gets a link showing who invited them, their role, and site access before accepting
• Owners can revoke pending invitations at any time
• Viewers can be scoped to specific sites

Post-login account routing

• Users with no own sites are auto-switched into their sole member account on login
• Users belonging to multiple accounts see an account picker

Bots page

• Bot hits vs human hits totals
• Top-bot breakdown table
• Top pages hit by bots
• Bot activity over time chart

Websites becomes the global dashboard, Tools sidebar group, tracker fixes

Websites page is now the global dashboard

The old separate Overview page is gone — everything lives on /account/sites. Date-range picker, totals across every site, per-site cards sorted by visitors.

Tools sidebar group

The Monitoring group is renamed to Tools and absorbs Error tracking.

Cleaner tracking snippet

<script async src="https://YOUR-DOMAIN/js/tracker.js"></script>

async instead of defer. data-site-id attribute no longer required.

Site delete purges ClickHouse

Deleting a website now removes its pageviews, custom events, and JS error rows from ClickHouse.

Upgrade

git pull
php artisan cache:clear