March 8, 2026
RAG semantic search, inline title editing, find-and-replace, action-first AI editing, and 61 bug fixes.
Semantic search in RFP generation, instant find-and-replace editing, inline title editing, smarter AI prompts, and a comprehensive hardening pass addressing 61 bugs.
New
- Research-informed clarifying questions. The RFP wizard now runs industry research, reviews your past RFPs, scans your question library, and checks similar content before asking clarifying questions. This means the questions you see are tailored to your industry, your organization's history, and gaps in your specific requirements, instead of generic prompts.
- Research context carries through the pipeline. Research gathered during the clarification step is passed directly to the generation step, eliminating a redundant industry research call and speeding up RFP generation.
- RAG semantic search in generation and editing. RFP generation now searches your organization's knowledge base using semantic embeddings during the research phase, pulling in relevant past questions and content. In editing mode, Strutter AI proactively suggests related content from your knowledge base as you work.
- Find and replace across your entire RFP. A new findAndReplace tool lets you make instant text substitutions across all RFP content and questions without waiting for AI regeneration. Say "change Strutter to Butter everywhere" and every instance updates immediately.
- Inline RFP title editing. You can now click the RFP title in the split-screen edit view to rename it directly. No need to navigate to settings or use the API.
Improved
- Granular progress tracking during generation. The progress card now shows 8 distinct phases instead of 4 broad categories: Researching your industry, Researching your organization, Researching your past RFPs and questions, Planning your RFP, Generating RFP, Assembling RFP, Reviewing your RFP, and Addressing review feedback.
- Real-time progress during clarification. The clarification spinner now shows live server-side progress messages ("Researching your industry...", "Preparing tailored questions...") instead of cycling through static placeholder text.
- Higher-quality clarifying questions. The clarifying questions step now uses the same advanced model as RFP generation, producing sharper, more context-aware questions that better leverage the pre-clarification research. If parsing fails, it automatically retries with a faster fallback model.
- Action-first AI editing. The AI editing assistant now acts immediately on your requests instead of asking multiple rounds of clarifying questions. Say "add 20 security questions" and it generates them right away. When the AI does need input, it presents clickable option chips so you can respond with a single click.
- Section names in generation progress. The progress card now shows which section is being generated ("Writing Security questions") instead of a generic count ("Creating 7 evaluation questions").
- Loading skeletons on every page. Navigating between pages now shows a centered loading spinner instead of a blank screen while data loads. All major routes (dashboard, RFPs, vendors, settings, and the vendor portal) have proper loading states.
- Vendor directory search no longer fires on every keystroke. Typing in the vendor directory search box now waits 300ms after you stop typing before querying the API, reducing unnecessary network requests and improving responsiveness on slower connections.
- Delete confirmation for vendor contacts. Deleting a vendor contact now shows a confirmation dialog before proceeding. Previously, clicking the delete button removed the contact immediately with no way to cancel.
- RFP card error messages. Publishing or deleting an RFP from the card view now shows an inline error message when the action fails. Previously, failures were silently ignored with no feedback.
- Error recovery on the RFP editor. The RFP edit page now has a dedicated error boundary that catches unexpected failures and offers a retry button, instead of crashing to a blank screen.
- Modal keyboard accessibility. Modals now trap keyboard focus so that pressing Tab cycles through elements inside the dialog instead of escaping to the page behind it. Focus returns to the triggering element when the modal closes.
- Vendor error responses. The vendor auto-fill endpoint returned HTTP 401 for all error types. It now returns the correct status code for each scenario: 404 for not found, 410 for expired or deleted, 409 for already submitted.
- V1 API cross-origin requests. External API consumers calling Strutter's V1 endpoints from a browser received CORS errors. All V1 routes now include the proper CORS headers and handle preflight OPTIONS requests.
- Vendor portal pagination bounds. The Q&A library endpoint accepted arbitrarily large page sizes. Page size is now capped at 100 items.
- Auto-fill confidence scores capped at 100%. The vendor portal auto-fill feature could report confidence scores above 100%. Scores are now clamped to a maximum of 1.0.
- AI vendor enrichment. The admin vendor re-enrichment endpoint now triggers AI profile enrichment using company name and domain, filling in missing capabilities, certifications, and descriptions.
- Sidebar navigation state. The dashboard and vendor portal sidebar lock/unlock state now updates correctly. Previously, the locked state used a React ref that did not trigger re-renders, causing the sidebar to ignore lock changes until the next page navigation.
Fixed
- AI edits now persist to the database. Changes made by AI tools (find-and-replace and full reprompt) updated the editor UI but were not saved to the database. Refreshing the page reverted the changes. Both content and question updates now save immediately after the AI applies them.
- Split pane shows fresh content after AI changes. Running AI edits with the split pane collapsed would leave stale content in the editor state. Opening the pane showed the pre-change version until a page refresh. The editor state now syncs after every AI update.
- Large RFPs no longer time out during AI editing. RFPs with 40+ questions could fail with "operation was aborted" when adding questions via AI. Timeout and token limits now scale more aggressively with RFP size.
- RFP overview capped at 500 characters. The AI could write multi-paragraph descriptions that overflowed the overview field. All description write paths now enforce a 500-character limit with smart truncation.
- "RFP Updated" card shows the RFP name. The notification card after AI edits now displays which RFP was updated instead of a generic message.
- API Keys page dark theme. The API Keys settings page was rendering with light-mode colors that clashed with the rest of the dark-themed interface. All colors now match the platform theme.
- API keys response format. Creating an API key returned a non-standard response shape. It now uses the same {data, error} format as every other endpoint.
- Portal and vendor response size limits aligned. The vendor portal allowed response content up to 100KB while the direct vendor token endpoint capped it at 50KB. Both now enforce the same 50KB limit.
- Onboarding compliance frameworks validated. The onboarding endpoint accepted unlimited compliance framework entries of any length. It now caps the list at 20 items with a maximum of 100 characters each.
- Question library updates preserve existing entries. The AI-powered question library management tool previously deleted all entries and recreated them on every update, losing item IDs and history. It now performs a differential update: keeping unchanged items and only adding truly new entries.
- Bulk vendor tagging uses database transactions. Applying tags to multiple vendors at once now runs in a single database transaction instead of individual updates, preventing partial failures from leaving tags in an inconsistent state.
- Soft-deleted RFPs excluded everywhere. Soft-deleted RFPs were still visible in the vendor portal, could be referenced by directory invitations, modified by AI editing tools, and indexed by the search pipeline. All query paths now filter out deleted RFPs.
- Organization cleanup cascades to message threads. Deleting an organization now automatically removes its message threads and messages.
- Vendor messages preserve visibility setting. The isPublic flag on vendor messages was silently dropped by both the create-thread and reply endpoints. Vendor messages are now correctly marked as public or private based on the sender's choice.
- User role preserved during invite acceptance. Accepting a team invite could overwrite an existing user's role to the default. The role field is now only set when explicitly provided.
- Tier upgrade resets usage counters. Completing a checkout to upgrade tiers now resets usage counters, so the new tier's limits take effect immediately instead of carrying over stale counts from the previous tier.
- RFP updates reject mixed requests. Sending both a status change and content edits in a single RFP PATCH request could cause inconsistent state. The endpoint now rejects these mixed requests with a clear error, requiring status changes and content edits to be submitted separately.
- Team invite expiry enforced. Expired team invites could still be accepted. The accept flow now verifies the invite exists, has not expired, and is still pending before processing.
- Directory invite duplicate check. Sending a directory invite for a vendor that was already invited to the same RFP now returns a 409 conflict instead of creating a duplicate record.
- Directory invite email failure rollback. When a directory invite email failed to send, the invite record and consumed usage credit were left in the database. The invite is now deleted and the credit restored on email failure.
- Vendor prefill and auto-fill handle missing organizations. Both the vendor prefill and suggest-response endpoints silently skipped feature gates and credit checks when the issuing organization could not be found. They now return a 404 immediately.
- Chat route handles malformed JSON. Sending non-JSON request bodies to chat endpoints previously caused unhandled exceptions. All chat routes now catch JSON parse errors and return a structured 400 response.
- Onboarding uses schema validation. The onboarding endpoint replaced manual field checks with schema validation, catching invalid input earlier and returning consistent error messages.
- Notification date parameter validated. The notifications endpoint accepted invalid date strings in the since parameter, causing silent errors. Invalid dates now return a 400 error.
- Worker distinguishes parse errors from processing errors. The task queue worker now returns 400 for malformed requests (preventing automatic retries on bad input) and 500 only for genuine processing failures that should be retried.
- Portal export validates format early. The vendor portal export endpoint now validates the requested format before running expensive database queries, returning a 400 immediately for unsupported formats.
- Auth session consistent response shape. The auth session endpoint now uses the standard {data, error} response format for all error cases.
- Public chat CORS credentials. The public chat endpoint now includes the Access-Control-Allow-Credentials header, allowing authenticated cross-origin requests from the marketing site.
Security
- Middleware path matching hardened. Strengthened authentication path matching to require exact matches or proper segment boundaries.
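To illustrate the segment-boundary rule above, here is an added example (not Strutter's own middleware) contrasting naive prefix matching with matching that only accepts an exact path or a boundary at "/"; the route names are constructed for the example.

```javascript
// Naive prefix matching: a public route "/api/v1/public" wrongly covers
// "/api/v1/publicity", so an unrelated route inherits the auth exemption.
function matchesNaive(pathname, routes) {
  return routes.some((r) => pathname.startsWith(r));
}

// Hardened: match only on an exact path or at a "/" segment boundary.
function matchesRoute(pathname, routes) {
  // Collapse repeated slashes and drop a trailing slash so "/api//v1/public"
  // and "/api/v1/public/" are compared as "/api/v1/public".
  const p = pathname.replace(/\/+/g, "/").replace(/\/$/, "") || "/";
  return routes.some((r) => {
    const route = r.replace(/\/$/, "") || "/";
    if (route === "/") return true;
    return p === route || p.startsWith(route + "/");
  });
}

// Constructed list of routes that may skip authentication; everything
// else requires a session.
const PUBLIC_ROUTES = ["/api/v1/public", "/portal/login"];

function requiresAuth(pathname) {
  return !matchesRoute(pathname, PUBLIC_ROUTES);
}

for (const path of ["/api/v1/public/docs", "/api/v1/publicity"]) {
  console.log(path, "naive:", matchesNaive(path, PUBLIC_ROUTES),
              "hardened:", matchesRoute(path, PUBLIC_ROUTES));
}
```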
- Middleware cookie validation. Strengthened session cookie validation to verify token structure, not just presence.
- Worker authentication hardened. Improved worker authentication security with timing-safe token validation.
- Directory profiles require feature access. The vendor directory profile endpoint served full vendor profiles to any authenticated user, regardless of their subscription tier. It now checks the vendor_directory_access feature gate.
- Portal enrichment requires vendor access. The vendor portal enrichment endpoint could be triggered by any authenticated org member. It now requires proper vendor portal access for RESPONDER and BOTH organization types.
- Portal enrichment checks AI credits. The vendor portal enrichment endpoint made AI calls without checking or consuming AI credits. It now uses atomic credit consumption with rollback on failure.
- Atomic usage limit enforcement. Usage limit checks and consumption now happen atomically, preventing usage from exceeding tier limits under concurrent requests.
- Consumed credits restored on validation failures. Invite endpoints that consumed a usage credit before validating the request now perform all validation first, so credits are never deducted for requests that would fail.
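The three credit items above (atomic consumption with rollback, atomic limit checks under concurrency, and validate-before-consume) share one pattern, shown here as an added example that is not Strutter's code; an in-memory Map stands in for the usage table, and the org ids are constructed.

```javascript
// In-memory stand-in for the usage table: orgId -> { used, limit }.
const usage = new Map();

// Racy pattern: read the counter, await something (a feature-gate lookup,
// a second query), then write. Concurrent requests all pass the check
// before any of them increments, so usage overshoots the tier limit.
async function consumeRacy(orgId) {
  const row = usage.get(orgId);
  if (!row || row.used >= row.limit) return false;
  await Promise.resolve(); // yields like real I/O between check and write
  row.used += 1;
  return true;
}

// Atomic pattern: check and increment in one step with nothing in between,
// the equivalent of a single conditional UPDATE whose affected-row count
// says whether a credit was actually taken.
function tryConsume(orgId) {
  const row = usage.get(orgId);
  if (!row || row.used >= row.limit) return false;
  row.used += 1;
  return true;
}

function refund(orgId) {
  const row = usage.get(orgId);
  if (row && row.used > 0) row.used -= 1;
}

// Validate first, consume atomically, and restore the credit if the
// downstream action (an AI call, an invite email) fails.
async function withCredit(orgId, validate, action) {
  const problem = validate();
  if (problem) return { status: 400, error: problem };
  if (!tryConsume(orgId)) return { status: 429, error: "usage limit reached" };
  try {
    return { status: 200, data: await action() };
  } catch (err) {
    refund(orgId);
    return { status: 500, error: err.message };
  }
}

// Fire `requests` concurrent consumers against a fresh counter and report
// how many credits were actually taken.
async function raceDemo(consume, limit, requests) {
  usage.set("org-demo", { used: 0, limit }); // constructed org id
  await Promise.all(Array.from({ length: requests }, () => consume("org-demo")));
  return usage.get("org-demo").used;
}
```

With a limit of 2 and 5 concurrent requests, raceDemo reports 5 for consumeRacy and 2 for tryConsume.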
- File download security. Improved file download path validation for stronger security.
- API key secret isolation. Improved API key generation security. Each secret is strictly required and isolated.
- Per-invite file upload cap. Vendor file uploads are now limited to 50 files per invitation across all questions.
- Bulk invite respects per-email limits. The bulk vendor invitation tool now checks and consumes a usage credit for each email individually.
- Health endpoint sanitizes error details. The health check endpoint no longer exposes internal error details in its response.
- Input validation added to additional API routes. Chat, onboarding, QA library, admin user move, vendor claim, and notification endpoints now use strict schema validation to reject malformed input before processing.
Under the Hood
- Security headers added to all pages.
- HTML escaping for all user-supplied values in email templates.
- Strengthened vendor response sanitization.
- Duplicate prompt bar code consolidated to a shared constant.
- API key routes use the standard authentication wrapper.
- Query optimization in search indexing and vendor suggestions, replacing sequential lookups with batched operations.
- Generation polling timeout extended with structured logging for long-running jobs.
- AI output token limits now scale dynamically based on RFP size to prevent truncation.