Deprecate ProductBoard and redirect customers to Featurebase

Security Decisions

R-002: SRI Hash for Featurebase SDK — Risk Accepted

Decision: SRI (Subresource Integrity) is intentionally omitted for the Featurebase SDK script (https://do.featurebase.app/js/sdk.js).

Rationale: Featurebase manages their SDK on their CDN and updates it without notice. A static SRI hash would cause silent load failures on every vendor update (hash mismatch → browser refuses to execute script), effectively breaking the changelog widget for all users until we detect and update the hash.
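The failure mode in the rationale, modeled as an added example (not code from this post or from Featurebase): a simplified version of the browser's SRI check, run against two constructed script bodies standing in for successive vendor builds served from the same URL. The function names and sample bodies are assumptions made for illustration.

```javascript
// Added example: models the browser's SRI decision to show why a pinned hash
// breaks on a vendor update. The script bodies below are constructed samples.
const crypto = require("node:crypto");

// Hash algorithms SRI allows, weakest to strongest.
const STRENGTH = ["sha256", "sha384", "sha512"];

// Build an integrity attribute value: "<alg>-<base64 digest>".
function sriHash(body, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(body).digest("base64")}`;
}

// Parse an integrity attribute: whitespace-separated "alg-digest[?options]"
// tokens. Tokens with an unsupported algorithm are ignored.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).filter(Boolean).map((token) => {
    const dash = token.indexOf("-");
    const alg = token.slice(0, dash).toLowerCase();
    const digest = token.slice(dash + 1).split("?")[0];
    return { alg, digest };
  }).filter((m) => STRENGTH.includes(m.alg));
}

// Decide whether the browser would execute the script. Only the strongest
// algorithm present is checked; any matching digest for it passes.
function wouldExecute(body, integrityAttr) {
  const metadata = parseIntegrity(integrityAttr);
  if (metadata.length === 0) return true; // no usable metadata: nothing enforced
  const strongest = metadata.reduce((a, b) =>
    STRENGTH.indexOf(b.alg) > STRENGTH.indexOf(a.alg) ? b : a).alg;
  return metadata
    .filter((m) => m.alg === strongest)
    .some((m) => sriHash(body, m.alg) === `${m.alg}-${m.digest}`);
}

// Constructed stand-ins for two vendor builds of sdk.js.
const sdkV1 = Buffer.from("/* constructed sdk build 1 */ console.log('widget');");
const sdkV2 = Buffer.from("/* constructed sdk build 2 */ console.log('widget');");

const pinned = sriHash(sdkV1); // hash recorded at integration time
console.log("pinned build loads:", wouldExecute(sdkV1, pinned));
console.log("updated build loads:", wouldExecute(sdkV2, pinned));
// An integrity value listing both builds passes, which requires the vendor
// to publish the new hash before the update ships.
console.log("both hashes listed:", wouldExecute(sdkV2, `${pinned} ${sriHash(sdkV2)}`));
```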

Mitigations in place:

  • HTTPS transport (integrity in transit)
  • Statsig feature gate (featurebase_widget_enabled) provides kill-switch
  • Scoped JWT from broker (not Chariot platform token) — limits blast radius
  • Auth-gated loading (widget only loads for authenticated users)
  • Error handling prevents SDK failures from crashing the application

Review date: Re-evaluate if Featurebase provides versioned/pinned SDK URLs or SRI hashes.

Status: Completed
Board: 💡 Feature
ETA: Feb 05, 2026
Date: 24 days ago
Author: Linear
