March 10, 2026

Generation progress polish, nonce-based CSP, HTML sanitization, and SOC 2 security hardening.

Security hardening, new account management capabilities, and AI quality review reliability improvements.

New

  • Authentication audit trail. All login, logout, failed authentication, and password reset events are now recorded in the audit log with IP address and browser details. This gives administrators visibility into who accessed the system and when, supporting SOC 2 monitoring requirements.

  • Account deletion. Organization admins can now delete their account and all associated data through a self-service endpoint. Non-admin users can remove themselves from an organization without affecting other members.

  • Data export. You can now export all of your organization's data as a JSON file for portability and compliance purposes. The export includes organization details, users, RFPs, vendors, AI job history, and audit logs.

  • Session management. A new "revoke all sessions" option lets you sign out of all devices at once. Administrators can manage sessions across their organization.

  • Admin dashboard improvements. Administrators can now manage organization data from the admin panel with confirmation safeguards and full audit logging.

Improved

  • Generation progress details. The RFP generation screen now shows individual questions as they're being written, cycling through each one under its parent section. Completed sections display a total question count instead of a content preview, giving you a clearer picture of progress without the noise.

  • Staggered section entrance during generation. Sections in the generation progress view now appear one by one with a smooth entrance animation, instead of all appearing at once when progress updates arrive in batches.

  • Per-section question preview cycling. Each section in the generation progress view now independently cycles through its question previews as they are written, so you can follow the AI's progress across multiple sections simultaneously.

  • CSRF protection. All state-changing API requests now require a custom security header, preventing cross-site request forgery attacks. The change is transparent to users since the app's fetch wrapper includes the header automatically.

  • AI prompt safety. Vendor-submitted content is now sanitized before being passed to the AI scoring and recommendation engines. Common prompt injection patterns are stripped as a defense-in-depth layer alongside existing system prompt guardrails.

  • Session security on password reset. Requesting a password reset now automatically revokes all existing sessions, ensuring that a compromised session cannot persist after the password is changed.

  • Database connection security. Database connections now enforce SSL/TLS encryption in transit. Documentation covering encryption at rest, backup policies, audit logging, and data retention is now published for compliance review.

  • Stronger session cookie protection. The session cookie now uses strict same-site mode (SameSite=Strict), providing additional defense against cross-site request forgery. Authentication flows are unaffected since login uses a popup-based flow.

  • Health endpoint hardening. The public health endpoint no longer exposes build version, server uptime, or timestamps. This information is still available in server logs for monitoring, but is no longer visible to unauthenticated requests.

  • Quality review resilience. The dual-model review now runs a correction pass using the available model's suggestions when one model is temporarily unavailable. Previously, a single model failure skipped all quality corrections, leaving the RFP unchanged regardless of identified issues.

  • Review analytics accuracy. Per-model score averages on the admin review dashboard now exclude reviews where a model did not participate. Previously, unavailable model scores were recorded as zero, artificially deflating that model's average and masking its true performance.

  • Automatic retry on rate limits. AI quality reviews now automatically retry with exponential backoff when rate-limited by the AI provider. Previously, rate-limit errors caused reviews to fail silently, producing RFPs without quality scores.

  • Configurable review pipeline. Review timeouts, retry behavior, and convergence settings are now configurable through environment variables, allowing tuning without code changes.

  • Shorter session duration. Login sessions now expire after 24 hours instead of 5 days. This reduces the window of exposure if a session cookie is compromised, aligning with SOC 2 access control requirements.
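The custom-header check behind the CSRF protection item, together with the client fetch wrapper that attaches the header, as an added illustration that is not Strutter's own code; the header name X-App-Request, the plain-object request shape and the injectable fetch are assumptions.

```javascript
// Added example, not Strutter's code: a custom-header CSRF guard for
// state-changing API requests plus the client fetch wrapper that adds the
// header. The header name X-App-Request is an assumed placeholder.
const CSRF_HEADER = 'x-app-request';
const CSRF_VALUE = '1';
// Methods that must not change state and therefore need no header.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Case-insensitive header lookup: Node lowercases incoming header names,
// but a hand-built request object might not. Assumes a plain object.
function headerValue(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === want) return value;
  }
  return undefined;
}

// Server side. A cross-origin page cannot attach a custom header without a
// CORS preflight, so a forged form post or plain cross-site fetch arrives
// without it and is rejected before any handler runs.
function csrfGuard(req) {
  const method = (req.method || 'GET').toUpperCase();
  if (SAFE_METHODS.has(method)) return { ok: true };
  if (headerValue(req.headers, CSRF_HEADER) !== CSRF_VALUE) {
    return { ok: false, status: 403, error: 'Missing required security header' };
  }
  return { ok: true };
}

// Client side. Every call goes through this wrapper so the header is never
// forgotten; buildRequestInit is split out so the merge can be tested alone.
function buildRequestInit(init = {}) {
  const headers = { ...(init.headers || {}), [CSRF_HEADER]: CSRF_VALUE };
  return { ...init, headers, credentials: 'same-origin' };
}

// fetchImpl is injectable so the wrapper can be exercised without a network.
function apiFetch(path, init, fetchImpl = globalThis.fetch) {
  return fetchImpl(path, buildRequestInit(init));
}
```

Deploying csrfGuard before the wrapper ships produces exactly the "Missing required security header" failures noted under Fixed, which is why the two halves must land together.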

Security

  • Error response sanitization. API error responses no longer expose internal details. Detailed errors are still logged server-side for debugging, but clients receive only generic messages.

  • Dependency vulnerability scanning. Dependabot now monitors both the app and marketing site for known vulnerabilities in npm dependencies. An audit check also runs on every pull request to surface issues before code is merged.

  • Immutable deployment images. All production deployments now reference build artifacts by commit SHA instead of mutable tags. This ensures that every deployment is traceable to a specific build.

  • Database credential masking. Build pipeline credentials are now properly masked in CI logs during migration steps.

  • Nonce-based Content Security Policy. Added Content Security Policy headers with per-request cryptographic nonces for stronger script execution control.

  • Robust HTML sanitization. Upgraded vendor content sanitization to a more robust parsing approach, eliminating known bypass categories.

Fixed

  • Silent model failures now logged. When one AI model fails during the dual-model quality review, the error reason is now captured in the logging system. Previously, failures were silently swallowed, making it impossible to diagnose why a model was unavailable.

  • Review dashboard shows correct model scores. Category breakdowns in the review analytics dashboard and RFP review panel now display "-" for models that did not run, instead of showing a misleading zero score.

  • Question progress during RFP generation. The generation progress view now correctly shows individual questions being written under each section. Previously, question details were missing because the AI model passed questions through a different internal step than expected.

  • Question preview text overflow during generation. Question previews in the generation progress view are now truncated to a single line instead of wrapping and shifting the layout whenever long question text appeared.

  • AI quality review reliability. The dual-model quality review now retries on response parsing failures and, when both models fail at the same time, falls back to trying the models one at a time. Previously, truncated AI responses caused immediate failures with no retry, and simultaneous model outages caused the review to fail entirely instead of recovering with the first model.

  • CSRF header on all API calls. All client-side API calls now include the required security header introduced earlier today. Previously, the CSRF middleware was deployed without updating the frontend, causing "Missing required security header" errors on form submissions, RFP creation, and other actions.

Under the Hood

  • Blog posts in the content schedule. The marketing content scheduler now tracks blog publish dates alongside LinkedIn and Twitter posts. Each blog automatically generates paired social promotion posts, and the schedule tracks all three as coordinated entries. Six new blog posts covering vendor evaluation, sustainability in procurement, risk assessment, total cost of ownership, and agentic AI are queued through the end of March.

  • Automated database backups. The backup infrastructure now runs daily automated backups by default. A new monitoring script checks backup freshness and outputs structured JSON for alerting integration. Recovery point and recovery time objectives are documented with step-by-step restoration procedures.

  • Faster content publishing. Blog posts, release notes, and documentation changes now publish in under 30 seconds via cloud storage sync and on-demand page revalidation. Previously, every content change triggered a full build and deploy cycle. Content pages also refresh automatically every 5 minutes.

  • Parallel research during RFP generation. Organization profile, past RFP patterns, question library, and knowledge base lookups now run simultaneously before the AI starts generating content, instead of sequentially during the generation loop. The results are assembled into a research briefing that informs the entire generation process.

March 10, 2026 | Strutter AI