March 3, 2026
Delete RFPs, public API access, session timeout, cookie consent, and security hardening.
Headlining today's release: deleting RFPs you no longer need, a public API for Pro and Enterprise tiers, session security, cookie consent, and 30 bug fixes across security, billing, RFP workflows, and infrastructure, plus stronger security defaults, faster databases, and major infrastructure upgrades.
New
- Delete RFPs. You can now delete RFPs that are no longer needed. A confirmation dialog prevents accidental deletions, and Awarded RFPs are protected from deletion to preserve your procurement history. Available from the RFP detail page.
- Public API. Pro and Enterprise organizations can now access their RFP data programmatically through a public REST API. Generate API keys from Settings, then use Bearer token authentication to list RFPs, fetch RFP details, retrieve vendor responses, and browse your vendor directory. Each key is securely hashed and rate-limited.
- Session idle timeout. Users are now warned after 30 minutes of inactivity and automatically signed out after 35 minutes. Timeout durations are configurable by administrators.
- Cookie consent. The marketing site now displays a cookie consent banner with Accept and Decline options. Preferences are stored in localStorage.
Improved
- Admin navigation icons. The admin sidebar now uses custom SVG icons that match the app's design system, replacing the previous emoji-based icons for a cleaner, more professional look.
- Messaging error feedback. When a message fails to send, you now see a clear error notification instead of silent failure. The send button also disables during submission to prevent duplicate messages.
- Enterprise plan limits. Enterprise plan users are no longer incorrectly limited by Standard tier RFP caps. The billing system now correctly recognizes Enterprise subscriptions.
- Teams reliability. Team member loading now handles individual lookup failures gracefully, so a single failed member lookup no longer breaks the entire team list. The API response also no longer includes sensitive token hash data.
- Favicon and touch icons. The app now includes a proper `favicon.ico`, PNG icons at multiple sizes, and an Apple touch icon. Your browser tab and home screen bookmark will always show the Strutter logo.
- Component architecture. The Review Dashboard has been split into 8 focused sub-components, improving load performance and making the codebase easier to maintain. Accessibility improvements include proper ARIA labels on interactive elements throughout the review flow.
Security
- HSTS header. All responses now include `Strict-Transport-Security`, telling browsers to always use HTTPS.
- Rate limiting. Three tiers of rate limiting protect against abuse: authentication endpoints (stricter), AI endpoints (moderate), and general API routes (permissive). Exceeding limits returns a clear 429 response.
- Content Security Policy. Added Content Security Policy headers to restrict which domains can serve scripts, styles, fonts, and API calls.
- Container security. Production containers now run with reduced privileges for improved security isolation.
- Vendor upload security. File uploads from vendors now use randomized filenames with sanitized extensions for improved security.
- AI chat rate limiting. The AI chat endpoint is now rate-limited, matching other AI endpoints.
- Worker authentication. Hardened worker authentication to prevent unauthorized job execution.
- HTML escape hardening. Improved HTML escaping coverage for stronger output security.
- Vendor token protection. Improved vendor invite link security. Tokens are resolved server-side only.
- Deleted RFP access. Vendors can no longer access soft-deleted RFPs through previously issued portal links.
- Closed RFP submissions. Vendors can no longer submit responses to closed or awarded RFPs through direct API calls.
- Team invite email verification. Team invite acceptance now verifies the accepting user's email matches the invitation, preventing unauthorized account access.
- Issuer note privacy. Private issuer notes are now properly restricted from vendor-facing responses.
- Tenant-scoped bulk operations. All bulk operations now enforce organization scoping for improved data isolation.
- Vendor score privacy. Vendor portal responses no longer include internal scoring data.
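The HSTS, Content Security Policy and three-tier rate limiting entries above describe middleware behaviour. The following is an added Node.js example of those three together; it is not Strutter's code, and the tier names, limits, window lengths, CSP directives, route prefixes and the names `classifyRoute`, `checkRateLimit` and `handleRequest` are assumptions for illustration.

```javascript
// Added example (not Strutter's code): security headers plus tiered rate limiting
// that answers 429 with a Retry-After hint once a client exceeds its tier's budget.

// Requests allowed per client per window. Values are assumed for the example.
const RATE_TIERS = {
  auth:    { limit: 5,   windowMs: 60_000 }, // stricter: login, signup, password reset
  ai:      { limit: 20,  windowMs: 60_000 }, // moderate: AI chat and recommendations
  general: { limit: 100, windowMs: 60_000 }, // permissive: everything else
};

// Assumed route layout: auth and AI endpoints live under their own prefixes.
function classifyRoute(pathname) {
  if (pathname.startsWith("/api/auth/")) return "auth";
  if (pathname.startsWith("/api/ai/")) return "ai";
  return "general";
}

// Fixed-window counters keyed by "<tier>:<client>". In production this belongs in a
// shared store (Redis or similar) so every app instance sees the same counts.
const counters = new Map();

function checkRateLimit(tier, clientId, now = Date.now()) {
  const { limit, windowMs } = RATE_TIERS[tier];
  const key = `${tier}:${clientId}`;
  let entry = counters.get(key);
  if (!entry || now >= entry.resetAt) {
    entry = { count: 0, resetAt: now + windowMs }; // start a fresh window
    counters.set(key, entry);
  }
  entry.count += 1;
  const allowed = entry.count <= limit;
  return {
    allowed,
    remaining: Math.max(0, limit - entry.count),
    retryAfterSec: allowed ? 0 : Math.ceil((entry.resetAt - now) / 1000),
  };
}

const SECURITY_HEADERS = {
  // One year, including subdomains: browsers refuse plain HTTP for the site afterwards.
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  // Assumed policy: scripts, styles, fonts and API calls only from this origin.
  "Content-Security-Policy": [
    "default-src 'self'",
    "script-src 'self'",
    "style-src 'self'",
    "font-src 'self'",
    "connect-src 'self'",
    "frame-ancestors 'none'",
  ].join("; "),
};

// Minimal handler returning { status, headers, body } so it can be exercised without a
// server. `clientId` would normally come from the API key or the client IP address.
function handleRequest({ pathname, clientId, now = Date.now() }) {
  const tier = classifyRoute(pathname);
  const verdict = checkRateLimit(tier, clientId, now);
  const headers = { ...SECURITY_HEADERS, "X-RateLimit-Remaining": String(verdict.remaining) };
  if (!verdict.allowed) {
    return {
      status: 429,
      headers: { ...headers, "Retry-After": String(verdict.retryAfterSec) },
      body: { error: "rate limit exceeded", tier },
    };
  }
  return { status: 200, headers, body: { ok: true, tier } };
}

module.exports = { RATE_TIERS, classifyRoute, checkRateLimit, handleRequest, SECURITY_HEADERS };
```

Note that the 429 response still carries the security headers: header middleware should run on every response, including error responses, or a browser that first sees the site through a rate-limited path never learns the HSTS policy.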
Fixed
- RFP page error handling. RFP list and detail pages now catch database errors gracefully instead of crashing with a generic "Something went wrong" message. A new `PageError` component shows a clear error title, description, and refresh button. The dashboard error boundary also displays the actual error message for easier debugging.
- Payment webhook stability. Payment webhooks no longer crash when processing events with incomplete data.
- Payment event coverage. The billing system now handles invoice payment failures, subscription pauses, and expired checkout sessions. Tier downgrades properly reset usage quotas.
- Subscription cancellation enforcement. Cancelling a subscription now immediately enforces Free tier limits and expires any pending vendor invites that exceed the free allowance.
- Auto-save error visibility. Auto-save failures in the RFP editor now display a visible error notification instead of failing silently.
- Atomic close and award. Closing and awarding an RFP now happens in a single database transaction, preventing partial state if the operation is interrupted.
- Empty RFP publishing. Publishing an RFP now requires at least one question. Previously, empty RFPs could be sent to vendors.
- RFP overview lock. RFP overview fields are no longer editable after publishing, preventing unintended changes to live RFPs.
- AI recommendation gating. AI vendor recommendations now check feature access and track usage against your plan's AI credit allowance.
- Question Library safety. Question Library AI updates now add new questions before removing old ones, preventing data loss if the operation fails midway.
- Binary file import. Binary file imports in the RFP wizard now correctly trigger the text extraction and processing pipeline.
- Email connection pooling. Email delivery now uses a persistent connection pool instead of creating a new connection for each message, improving reliability under load.
- API docs dark theme. The API documentation page now correctly uses dark theme styling, matching the rest of the dashboard.
- Onboarding validation. Organization name validation during onboarding now enforces a 2-100 character limit on the server, matching the client-side rule.
- Signup email logging. Signup welcome email failures are now logged for troubleshooting instead of being silently ignored.
- Admin audit logging. Admin actions (role changes, invitations, removals, and other sensitive operations) now generate audit log entries.
- File download links. Signed file download URLs no longer expire after 7 days. Links are now regenerated on demand when accessed.
Under the Hood
- Faster builds. Upgraded the build pipeline. Builds run significantly faster with parallel multi-stage execution and inline cache support.
- Deployment infrastructure update. Migrated to a modern, actively maintained image registry for improved reliability.
- Feature flag migration. Feature flag kill-switches now use a managed configuration service instead of a self-hosted solution. Server-side evaluation with cached refresh. No new dependencies, no new secrets, no external service to maintain.
- Database indexes. Seven new indexes on high-traffic query patterns (RFP lookups by org, vendor searches, invite resolution, message threading, scoring queries, and usage tracking). Query performance improves significantly on larger datasets.
- Soft deletes. RFPs and Vendors now use soft deletes (a `deletedAt` timestamp) instead of permanent removal, preserving data integrity and enabling future recovery features.
- Pagination guards. All previously unbounded list queries now enforce pagination limits, preventing runaway queries on large datasets.
- Route protection. All API routes now use a shared authentication wrapper that handles authentication, error responses, and org scoping in one place, replacing duplicated auth boilerplate across every route.
- Build pipeline optimization. Lint, typecheck, test, and build jobs now only run when relevant files change. Documentation-only changes skip the full build pipeline entirely. Build and deploy workflows are now split, with deploys batched on a 20-minute schedule instead of running per-push.
- Unused dependencies removed. Removed unused JavaScript packages that were installed but never imported, along with their related wrapper code.
- Monitoring and backups. Uptime checks for both the app and marketing site with email alerting. Automated database backup scripts with verification and restore support. All scripts are dry-run by default.
- Operations runbook. A comprehensive runbook covering deployment, rollback, database migrations, incident response, troubleshooting, monitoring, secret rotation, scaling, and log access.
- Payment webhook test coverage. Webhook tests significantly expanded, covering all tier checkouts, upgrade and downgrade paths, subscription deletions, idempotency, and error handling.
- Deploy pipeline migrations. The deploy workflow now runs database migrations before deploying services, preventing breakage from unapplied schema changes.
- Cookie consent feature flag. The cookie consent banner is now gated behind a feature flag, keeping it hidden until the implementation is ready to ship.
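The "Soft deletes", "Pagination guards" and "Route protection" entries above, together with the deletion rules from the "Delete RFPs" entry (Awarded RFPs are protected) and the "Deleted RFP access" fix (soft-deleted RFPs stay hidden), all come down to one query filter and one wrapper. The following Node.js code is an added example of how they fit together; it is not Strutter's code, and the in-memory tables, the 50-row page cap and the names `withAuth`, `clampPage`, `visibleRfps`, `listRfps` and `deleteRfp` are assumptions for illustration.

```javascript
// Added example (not Strutter's code): soft deletes, pagination guards and a shared
// authentication wrapper that applies org scoping to every handler.

// Constructed sample data: two organisations, one soft-deleted RFP, one awarded RFP.
const rfps = [
  { id: "r1", orgId: "org_a", title: "Cloud hosting",  status: "open",    deletedAt: null },
  { id: "r2", orgId: "org_a", title: "Payroll",        status: "awarded", deletedAt: null },
  { id: "r3", orgId: "org_a", title: "Old CRM",        status: "closed",  deletedAt: 1700000000000 },
  { id: "r4", orgId: "org_b", title: "Security audit", status: "open",    deletedAt: null },
];
// Constructed session table standing in for real session lookup.
const sessions = {
  tok_a: { userId: "u1", orgId: "org_a" },
  tok_b: { userId: "u2", orgId: "org_b" },
};

const MAX_PAGE_SIZE = 50; // assumed guard: no list query returns more than this

// Shared wrapper: resolves the session, answers 401 when it is missing, injects the
// caller's orgId so handlers cannot forget to scope, and turns thrown errors into a
// uniform error response instead of a crash.
function withAuth(handler) {
  return (req) => {
    const session = sessions[req.sessionToken];
    if (!session) return { status: 401, body: { error: "unauthenticated" } };
    try {
      return handler({ ...req, orgId: session.orgId, userId: session.userId });
    } catch (err) {
      return { status: err.status || 500, body: { error: err.message } };
    }
  };
}

// Clamp client-supplied paging so an oversized or malformed limit cannot scan the table.
function clampPage(query = {}) {
  const limit = Math.min(MAX_PAGE_SIZE, Math.max(1, Number(query.limit) || MAX_PAGE_SIZE));
  const offset = Math.max(0, Number(query.offset) || 0);
  return { limit, offset };
}

// The one filter every read path shares: same org and not soft-deleted. Vendor portal
// links go through the same filter, which is what keeps deleted RFPs out of old links.
function visibleRfps(orgId) {
  return rfps.filter((r) => r.orgId === orgId && r.deletedAt === null);
}

const listRfps = withAuth((req) => {
  const { limit, offset } = clampPage(req.query);
  const rows = visibleRfps(req.orgId);
  return { status: 200, body: { items: rows.slice(offset, offset + limit), total: rows.length, limit } };
});

const deleteRfp = withAuth((req) => {
  // Looking up through the scoped filter makes another org's rows indistinguishable
  // from non-existent ones, so no cross-tenant probing is possible.
  const rfp = visibleRfps(req.orgId).find((r) => r.id === req.params.id);
  if (!rfp) return { status: 404, body: { error: "not found" } };
  if (rfp.status === "awarded") {
    return { status: 409, body: { error: "awarded RFPs cannot be deleted" } };
  }
  rfp.deletedAt = Date.now(); // soft delete: the row stays for history and recovery
  return { status: 204, body: null };
});

module.exports = { withAuth, clampPage, visibleRfps, listRfps, deleteRfp, rfps };
```

Putting the `deletedAt === null` condition inside `visibleRfps` rather than in each handler is the design choice that matters: a soft delete is only as good as the consistency of the filter that hides the rows.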