March 6, 2026
Resend team invitations, Turkey notification badges, email notifications, and security hardening.
New
-
Resend team invitations. Admins can now resend pending team invitations directly from the team management page. Clicking Resend generates a fresh invite link with a new 7-day expiry and re-sends the email, eliminating the need to revoke and re-invite when someone misses the original email.
-
Inline post-publish actions. After publishing an RFP from the conversational wizard, a celebration card appears directly in the chat with quick actions: Find Matching Vendors, Invite Vendor, and Go to Dashboard. No more modal overlays.
-
Strutter AI vendor matching in conversation. Click "Find Matching Vendors" after publishing to see AI-matched vendors ranked by relevance score, right in the chat thread. Invite any recommended vendor with a single click without leaving the conversation.
-
Inline vendor invitations. Invite vendors directly from the conversation thread using the new inline invitation form. No need to navigate to a separate page.
-
Vendor response submitted notification. When a vendor submits a response to an RFP, all organization admins now receive an email notification with a direct link to review the submission.
-
Welcome email for new organizations. New users who create an organization now receive a welcome email with getting started resources, their current plan details, and next-tier upgrade benefits.
-
Usage threshold warning emails. When any metered feature (RFP creation, Strutter AI credits, team members, or visible vendor results) reaches 80% or 100% usage, organization admins receive a dashboard-style email showing all feature usage with color-coded progress bars. Notifications include a 24-hour cooldown to prevent duplicate alerts.
-
Turkey notification badge. The Turkey mascot in the bottom-right corner now displays a speech bubble with your unread notification count. The bubble bounces in when new notifications arrive and shows counts up to 99+.
-
Turkey mood animation. When new notifications arrive while the notifications panel is closed, the Turkey plays a quick excited animation to catch your attention without being disruptive.
-
Turkey opens notifications on click. When you have unread notifications, clicking the Turkey opens the panel directly to the Notifications tab. Without unreads, it behaves normally.
Improved
-
Publish button prevents double-publish. The Publish button on the RFP completion card now disables after the first click to prevent accidental duplicate publishes.
-
Confirmation before large AI edits. When Strutter AI makes significant changes to an RFP (adding or removing more than 5 questions), you now see Apply and Discard buttons before the changes take effect. Small edits still apply immediately with a summary.
-
Clearer guidance for vague editing requests. Strutter AI now more reliably asks clarifying questions when editing requests are ambiguous (e.g., "add more questions" or "make it better") instead of guessing what you meant.
-
Background notification polling. Notifications are now checked every 30 seconds regardless of whether the notifications panel is open, so the unread count stays current and the Turkey badge reflects new activity in real time.
-
Email branding consistency. All seven email templates now share standardized button styles, a consistent footer with copyright and tagline, and the Inter font. Visual presentation is uniform across every transactional email Strutter sends.
-
Outlook and legacy email client compatibility. The header logo now uses a hosted image instead of inline SVG, and buttons use inline-block instead of inline-flex, resolving rendering issues in Outlook, older Gmail, and other clients with limited CSS support.
-
Standardized email call-to-action buttons. CTA buttons across all email templates now use consistent sizing, font weight, and color, making emails feel cohesive regardless of the notification type.
-
IndexNow instant indexing. New content and page updates can now be submitted to Bing and Yandex for indexing within minutes instead of waiting for search engine crawlers.
-
FAQ rich snippets on blog posts. Blog posts with FAQ sections now include FAQPage structured data (JSON-LD), enabling Google to display expandable Q&A directly in search results. Four posts have been updated with FAQ markup.
-
Breadcrumb navigation schema. Blog and documentation pages now include BreadcrumbList structured data, helping search engines understand the site hierarchy and display breadcrumb trails in search results.
Fixed
-
Free tier "Add Vendor" button removed. Free tier users previously saw a "+ Add Vendor" button on the My Vendors tab that did nothing when clicked. The button is now hidden for free tier users, and an upgrade prompt is shown instead.
-
Free tier vendor directory no longer returns errors. Clicking vendor listings in the directory tab returned 403 errors for free tier users. The directory tab now shows an upgrade prompt instead of loading the directory, preventing the broken mid-flow experience.
-
Questions and vendors auto-saved on RFP close and award. When an RFP is closed or awarded, its questions and invited vendors are now automatically saved to the question library and vendor directory. This happens silently for all tiers, including free, so the data is ready when users upgrade. Manual library access remains gated by tier.
-
Post-publish flow now works in collapsed wizard mode. Previously, the publish celebration modal was invisible when the editor was collapsed because it rendered inside a hidden container. The entire post-publish experience now appears inline in the conversation thread, so it works regardless of editor state.
-
AI clarification questions now visible in chat. When Strutter AI asked follow-up questions during RFP editing (e.g., "What topic should these questions cover?"), the text was not displayed in the conversation. Clarification responses now appear properly in the chat panel.
-
RFP wizard no longer scrolls horizontally on mobile. The RFP creation wizard, editor, and question configuration inputs could overflow the screen width on mobile devices, causing an unwanted horizontal scrollbar. All wizard containers now stay within the viewport, and height calculations account for mobile browser chrome.
-
Q&A usage tracking now enforces organization boundaries. Database queries for Q&A usage tracking could previously return counts across organizations. Usage is now scoped to the correct organization, preventing inaccurate quota calculations.
-
Chat issue resolution scoped to organization. Resolving chat issues now correctly verifies organization ownership, even when the organization field is optional in the underlying data model.
-
RFP conversations verify organization ownership. Creating or resuming an RFP conversation now checks that the RFP belongs to the requesting user's organization, blocking access to conversations in other organizations.
-
Hydration warnings resolved on Team Invite and Settings pages. Fixed Next.js hydration mismatches on the Team Invite and Settings pages by adding proper loading boundaries for URL parameter handling.
-
Strutter AI usage limits enforced atomically. Concurrent requests could previously bypass tier quotas by reading stale usage counts. Usage limits now use atomic operations to prevent over-consumption, and failed AI operations automatically restore consumed credits.
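The stale-read quota bypass and the atomic fix described in "Strutter AI usage limits enforced atomically", shown as an added example that is not Strutter's own code. UsageStore, naiveConcurrent and atomicConcurrent are hypothetical names, and the in-memory store stands in for whatever database holds the usage counters.

```javascript
// Constructed in-memory stand-in for the usage-counter table (assumption).
class UsageStore {
  constructor(limit, used = 0) { this.limit = limit; this.used = used; }
  read() { return this.used; }
  write(value) { this.used = value; }
  // Check and increment as one indivisible step, the in-memory analogue of
  //   UPDATE usage SET used = used + :n WHERE org_id = :org AND used + :n <= :limit
  tryReserve(n) {
    if (this.used + n > this.limit) return false;
    this.used += n;
    return true;
  }
  // Give credits back when the AI operation fails after reservation.
  release(n) { this.used = Math.max(0, this.used - n); }
}

// Pre-fix pattern: read, decide, write. Concurrency is modelled
// deterministically: every request reads before any request writes.
function naiveConcurrent(store, requests, cost) {
  const snapshots = Array.from({ length: requests }, () => store.read());
  let granted = 0;
  for (const seen of snapshots) {
    if (seen + cost <= store.limit) {   // decision based on a stale count
      store.write(seen + cost);         // last write wins, earlier ones are lost
      granted++;
    }
  }
  return { granted, recorded: store.used };
}

// Post-fix pattern: reserve atomically, run the operation, refund on failure.
function atomicConcurrent(store, requests, cost, aiCall) {
  const result = { granted: 0, refunded: 0, rejected: 0 };
  for (let i = 0; i < requests; i++) {
    if (!store.tryReserve(cost)) { result.rejected++; continue; }
    try {
      aiCall(i);
      result.granted++;
    } catch {
      store.release(cost);
      result.refunded++;
    }
  }
  return { ...result, recorded: store.used };
}
```

With one credit left and eight concurrent requests, the naive path grants all eight while the counter records only one more use; the atomic path grants only what the limit allows and returns the credit from the failed call.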
Security
-
Vendor search no longer exposes cross-organization RFP titles. Vendor search results could previously include RFP titles from other organizations. Search results are now scoped strictly to the requesting organization.
-
Replaced vulnerable file parsing library. The spreadsheet parsing library has been replaced with a more secure, actively maintained alternative. Note: .xls (legacy Excel) format is no longer supported. Please use .xlsx files instead.
-
Upgraded MDX processing on marketing site. The MDX rendering library has been upgraded on the marketing site, picking up security hardening for JavaScript execution in MDX content.
-
Output token limits on all Strutter AI operations. All AI operations now enforce output token limits, preventing runaway API costs from unexpectedly long AI responses.
-
URL escaping in email templates. All dynamic URLs in email templates are now properly escaped for improved security.
-
Tighter Content Security Policy. Strengthened Content Security Policy to block additional script execution vectors.
-
Stricter image proxy rules. Next.js image optimization now only serves images from specific approved domains instead of accepting any external hostname.
-
Security headers on marketing site. strutterai.com now sends HSTS and Content Security Policy headers on every response, instructing browsers to enforce HTTPS and restrict script sources.
-
Sanitization library patched. Updated the HTML sanitization library with security improvements.
-
Leaner production builds. Production builds no longer ship development-only dependencies, reducing the surface area in production.
-
Scoped secret access. Permissions for secret management are now granted per-secret instead of at the project level, following the principle of least privilege.
Under the Hood
-
Notification cooldowns. Usage threshold alerts now enforce a 24-hour cooldown window per organization, feature, and threshold level, preventing notification spam.
-
Usage threshold checks across 16+ API routes. All routes that increment metered features (RFP creation, Strutter AI credit consumption, team member invitations, vendor result access) now trigger usage threshold checks after each action, so admins are alerted proactively as limits approach.
-
Email accessibility attributes. All email templates now include lang="en" on the root element and a descriptive <title> tag, improving screen reader and assistive technology support.
-
Inter font in email font stack. The Inter typeface has been added to the email CSS font stack, aligning email typography with the rest of the Strutter brand.
-
Pinned CI dependencies. All CI workflow action references are now pinned to exact commit SHAs instead of version tags, improving supply chain security.
-
Health checks. All production services now include health check configuration, enabling the orchestrator to detect and restart unhealthy instances automatically.
-
Explicit deploy authentication policy. Deploy steps now declare their authentication policy explicitly, preventing unintended access changes from configuration drift.
-
Build pipeline security annotations. Build configurations now include clear warnings about the limitations of passing secrets through build arguments, guiding contributors toward safer patterns.