March 11, 2026

SSO/SAML authentication for Enterprise, SOC 2 security hardening, password manager compatibility improvements, and emergency app deployment migration.

SSO/SAML authentication for Enterprise organizations, SOC 2 security remediation, AI quality assurance improvements, password manager compatibility on the sign-in page, and an infrastructure migration to improve reliability.

New

  • SSO/SAML authentication. Enterprise organizations can now configure SAML-based single sign-on for their team. Org admins set up SSO through a guided wizard that walks through domain verification, SAML provider configuration, and enforcement settings. Once enabled, users signing in with a matching email domain are automatically routed to the organization's identity provider.

  • Just-in-time user provisioning. When a user signs in through SSO for the first time, their account is automatically created and linked to the organization. No manual invitations or pre-registration required.

  • Admin access controls. If an SSO misconfiguration locks out all users, an administrator can disable SSO enforcement for the organization, restoring password-based sign-in immediately.

  • Automatic quality gate. RFP generation now evaluates every generated RFP against eight quality categories and automatically regenerates with targeted feedback if any category scores below 8 out of 10. The system tries up to three attempts, keeping the best result. You see real-time progress as each attempt is reviewed.

  • Automated data retention. Expired data is now purged on a scheduled basis. Soft-deleted RFPs and completed AI jobs are removed after 90 days, and expired vendor invitations are removed 30 days after expiration. Audit logs are retained indefinitely for compliance.

  • Audit log tamper detection. Audit log entries are now integrity-protected, making unauthorized modifications detectable. Admins can verify the full audit trail on demand.

  • Strutter AI PII redaction. Strutter AI automatically detects and redacts personally identifiable information before sending content to AI services. All redaction decisions are logged for compliance.
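
The audit log integrity protection above (Audit log tamper detection) is most commonly built as a keyed hash chain: each entry carries an HMAC over its own fields plus the tag of the previous entry, so editing, deleting, inserting or reordering any entry breaks the chain at a verifiable point. The following is an added illustration in Python, not Strutter AI's code; the HMAC key, the entry fields and the out-of-band checkpoint are assumptions made for the example:

```python
"""Hash-chained, HMAC-keyed audit log. Illustrative code, not Strutter AI's
implementation: the key, field names and checkpoint storage are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_tag of the first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int        # 0-based position in the chain
    actor: str
    action: str
    target: str
    prev_tag: str   # tag of the preceding entry, GENESIS for the first
    tag: str        # HMAC-SHA256 over every field above


def _tag(key: bytes, seq: int, actor: str, action: str, target: str, prev_tag: str) -> str:
    # Canonical JSON so the MACed bytes are unambiguous regardless of field order.
    payload = json.dumps(
        {"seq": seq, "actor": actor, "action": action, "target": target, "prev": prev_tag},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log: List[AuditEntry], key: bytes, actor: str, action: str, target: str) -> AuditEntry:
    prev_tag = log[-1].tag if log else GENESIS
    seq = len(log)
    entry = AuditEntry(seq, actor, action, target, prev_tag,
                       _tag(key, seq, actor, action, target, prev_tag))
    log.append(entry)
    return entry


def verify_chain(log: List[AuditEntry], key: bytes) -> Optional[int]:
    """None if every entry checks out, else the index of the first bad entry."""
    expected_prev = GENESIS
    for i, e in enumerate(log):
        if e.seq != i or e.prev_tag != expected_prev:
            return i  # gap, insertion or reordering breaks the linkage
        if not hmac.compare_digest(e.tag, _tag(key, e.seq, e.actor, e.action, e.target, e.prev_tag)):
            return i  # a field was edited, or the entry was forged without the key
        expected_prev = e.tag
    return None


def chain_head(log: List[AuditEntry]) -> Tuple[int, str]:
    """(length, newest tag). A chain cut off at the tail still verifies, so this
    value must be checkpointed somewhere the log writer cannot reach."""
    return (len(log), log[-1].tag if log else GENESIS)


def demo():
    key = b"constructed-demo-key-not-for-production"  # a real key lives in a secret store
    log: List[AuditEntry] = []
    append_entry(log, key, "alice@example.test", "sso.enable", "org:acme")
    append_entry(log, key, "bob@example.test", "rfp.delete", "rfp:42")
    append_entry(log, key, "alice@example.test", "role.change", "user:carol")
    checkpoint = chain_head(log)

    intact = verify_chain(log, key)                         # None

    edited = list(log)
    edited[1] = replace(edited[1], action="rfp.view")       # tag no longer matches
    edited_at = verify_chain(edited, key)                   # 1

    gapped = [log[0], log[2]]                               # middle entry deleted
    gapped_at = verify_chain(gapped, key)                   # 1

    truncated = log[:2]                                     # newest entry dropped
    truncated_chain = verify_chain(truncated, key)          # None: the chain alone misses this
    truncated_caught = chain_head(truncated) != checkpoint  # True: the checkpoint catches it
    return intact, edited_at, gapped_at, truncated_chain, truncated_caught


if __name__ == "__main__":
    print(demo())
```

The point the demo makes at the end is the one most often missed: a hash chain detects tampering inside the log but not silent truncation of the tail, so the verifier also needs the chain head (length and newest tag) recorded somewhere the log writer cannot overwrite, such as a separate account or a write-once store, and compared on every on-demand verification.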
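
For the PII redaction step above, the compliance-relevant design question is what the decision log may contain: if it stores the redacted values, the log becomes a second copy of the PII it was meant to keep away from the provider. The following is an added illustration in Python, not Strutter AI's redactor; the regex detectors, placeholder format and log fields are assumptions, and it records a keyed hash of each value rather than the value itself:

```python
"""Regex-based PII redaction applied before text is sent to an AI provider,
with a decision log that records what was redacted without storing the value.
Illustrative code, not Strutter AI's redactor: patterns, placeholder format
and log fields are assumptions."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List, Tuple

# Detectors a practitioner would start with. Person names and free-form
# addresses need an NER model and are deliberately out of scope here.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("SSN", re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
]


@dataclass(frozen=True)
class Decision:
    kind: str     # which detector fired
    start: int    # span in the original text
    end: int
    digest: str   # keyed hash of the value: lets auditors correlate repeats
                  # across jobs without the log itself becoming a PII store


def redact(text: str, log_key: bytes) -> Tuple[str, List[Decision]]:
    hits = [(m.start(), m.end(), kind) for kind, pat in PATTERNS for m in pat.finditer(text)]
    # Earliest span wins; on a tie the longest wins. Spans overlapping a chosen one are dropped.
    hits.sort(key=lambda h: (h[0], -(h[1] - h[0])))
    out, decisions, cursor = [], [], 0
    for start, end, kind in hits:
        if start < cursor:
            continue
        out.append(text[cursor:start])
        out.append(f"[{kind}]")
        digest = hmac.new(log_key, text[start:end].encode(), hashlib.sha256).hexdigest()[:16]
        decisions.append(Decision(kind, start, end, digest))
        cursor = end
    out.append(text[cursor:])
    return "".join(out), decisions


def demo() -> Tuple[str, List[Decision]]:
    # Constructed sample input.
    text = "Contact Jane Doe at jane.doe@example.com or (555) 010-2020. SSN 123-45-6789."
    return redact(text, b"constructed-log-key-not-for-production")


if __name__ == "__main__":
    redacted, log = demo()
    print(redacted)
    for d in log:
        print(d)
```

Two things to check when reviewing a redactor like this: the placeholder must not be reversible from the log (hence the keyed hash, truncated and salted by a key the provider never sees), and the detectors are only as good as their patterns, which is why "Jane Doe" survives here and why structured detectors are normally paired with an NER pass.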

Improved

  • Higher quality floor. Every generated RFP now meets a minimum quality threshold across completeness, question quality, question count, industry relevance, fairness, specificity, structure, and scoring balance. Previously, generation produced a single attempt regardless of quality scores.

  • Smarter retries. When the quality gate triggers a retry, specific feedback from the review is injected into the next generation attempt, telling the AI exactly which areas need improvement. This targeted approach produces better results than starting from scratch.

  • Smoother RFP generation progress. Sections and questions now generate in an interleaved stream rather than in separate batches. Each section shows a spinner while generating, then a checkmark on completion, with its questions appearing immediately after. This eliminates the dead period users previously saw between section and question generation.

  • Generation timeout budget. Worker-side timeouts now accommodate up to three generation-plus-review cycles for the quality gate. The task queue dispatch deadline stays at a 30-minute maximum, while the worker extends its own processing window to handle multi-cycle flows without timing out.

  • Faster deployments. Changes merged to main now go live significantly faster with streamlined deployment pipelines.

  • Faster CI checks. Pull request checks now complete significantly faster. Combined lint and typecheck jobs, increased test parallelism, and removed redundant build steps cut the feedback loop.

  • Better password manager compatibility on sign-in. Password managers (Apple Passwords, 1Password, Chrome) now correctly detect and auto-fill both the email and password fields on the sign-in page. Previously, some password managers failed to associate the two fields because they were in separate form sections. The sign-in page also stores credentials after successful authentication, so password managers prompt to save new logins automatically.

Security

  • RBAC enforcement. Write operations now require appropriate permissions. Restricted roles receive read-only access across all API routes.

  • Vendor token hardening. Vendor authentication tokens are now transmitted and stored more securely, eliminating previous exposure risks.

  • API request body limits. All API endpoints now enforce request size limits to prevent abuse. Routes that handle file uploads allow larger payloads.

  • Database SSL/TLS enforcement. Database connections now require encrypted transport in production.

  • Security event logging. Security-relevant events are now captured for monitoring and incident investigation.

Fixed

  • Strutter AI review retries on server and network errors. The dual-model quality review now retries automatically when the AI provider returns a server error (5xx) or the connection is interrupted (reset, refused, or timed out). Previously, these transient failures caused the review to fail immediately with no retry.

  • Accurate convergence detection on final review iteration. When the quality review reaches its last allowed iteration, the result now reflects whether scores actually converged rather than always reporting non-convergence. Previously, the final iteration was hardcoded as non-converged, which could misrepresent a successful review.

  • Correct model comparison in single-model fallback. When one AI model is unavailable and the review falls back to a single model, the review result now correctly reports that no model comparison occurred. Previously, the fallback path could incorrectly label one model as producing harsher scores even though only one model ran.

  • Login session creation. A recent infrastructure change caused intermittent login failures, now resolved. Token verification is correctly enforced during login.

  • Strutter AI job reliability. AI-powered RFP generation and scoring jobs no longer fail in production due to missing module files. The production build now includes all required dependencies for the AI pipeline.

  • App availability restored. A temporary infrastructure issue caused rfp.strutterai.com to be unreachable. The app was migrated to a new deployment platform, restoring access. No data was lost.

  • Stable section ordering during RFP generation. Sections and questions no longer duplicate, shuffle, or re-render as new content streams in. Each section now appears once in a consistent position, and new sections append smoothly without disturbing previously rendered content.

  • RFP generation progress shows sections in plan order. During RFP generation, sections and questions now appear in the progress UI in their planned sequence (Section 1, then 2, then 3, and so on) rather than in the order the parallel workers happen to finish. Later sections are also gated so they do not appear before earlier ones have started.

  • Status messages match the current generation phase. During RFP generation, the bottom status text now reflects the active phase. Previously, writing-phase messages continued to display while the progress tracker showed the review or refinement phase, creating a mismatch. Status messages now update to match each phase as it progresses.

Under the Hood

  • Review pipeline diagnostic logging. Strutter AI quality reviews now log model configuration details at startup, structured error context when both models fail, and fallback decisions when a single model takes over. This improves visibility into review behavior during outages and debugging.

  • Tenant-scoped SSO authentication. SSO configurations are isolated per organization to prevent cross-tenant session leakage. Domain ownership is verified before SSO activation.

  • Session error diagnostics. Authentication error logs now capture the actual error message from token verification failures instead of generic hardcoded strings, making login issues faster to diagnose.

  • Encryption-at-rest verification. New documentation and an automated verification script confirm that database and storage encryption are active, with a SOC 2 compliance mapping table linking controls to verification evidence.

  • Rate limiting architecture documentation. A new ADR documents the multi-tier rate limiting architecture.

  • Short-lived deploy credentials. CI/CD deployments now use short-lived, traceable credentials instead of long-lived keys. Every deployment is traceable to a specific CI run.

  • CI pipeline simplified. Combined lint and typecheck into a single job, increased test parallelism, and removed build jobs from CI.

  • Automated app deployment. The app now auto-deploys on push to main with streamlined deployment pipelines.

  • Source-based site deployment. The marketing site now deploys directly from source for faster, simpler deployments.

  • Backward-compatible migration discipline. Documented a safe migration approach to enable concurrent database migrations and app deploys without downtime.

  • Infrastructure cleanup. Removed legacy build configs and deploy scripts that are no longer needed with the new deployment pipelines.

  • Shared CI setup action. A new composite action consolidates the repeated checkout, setup, and dependency install steps used across CI jobs into a single reusable action, reducing workflow duplication.

  • App deployment migrated. The app now deploys via source-based deployment, matching the marketing site's deployment pattern. Runbook and infrastructure diagram updated to reflect the new architecture.

  • Flaky integration test resolved. An intermittent integration test failure that caused spurious CI red builds is now fixed, improving CI signal reliability.

  • Password change discovery for password managers. The app now serves the standard well-known URL (/.well-known/change-password) that password managers use to locate the password change page, improving interoperability with browser and OS-level credential managers.
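
The tenant scoping described above (Tenant-scoped SSO authentication) and the SSO, just-in-time provisioning and break-glass items under New come down to a few checks at sign-in time: route by verified email domain, bind the assertion to a tenant by the IdP issuer rather than by the email it asserts, and refuse to provision or re-link an account into a different org. The following is an added illustration in Python, not Strutter AI's code; it starts where a SAML library leaves off (signature, audience and timestamps already validated), and the org, user and assertion fields are invented for the example:

```python
"""Tenant-scoped SSO routing and just-in-time provisioning. Illustrative code,
not Strutter AI's implementation. It starts where a SAML library leaves off:
the response signature, audience and timestamps are assumed already validated."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class OrgSSO:
    org_id: str
    idp_entity_id: str           # Issuer value the org's IdP places in its assertions
    verified_domains: List[str]  # domains the org proved ownership of before activation
    enforced: bool = True        # False after a break-glass disable: passwords work again


@dataclass
class User:
    email: str
    org_id: Optional[str] = None


@dataclass(frozen=True)
class Assertion:
    issuer: str  # IdP entityID from the validated SAML response
    email: str   # NameID or email attribute from the same response


class SSOError(Exception):
    pass


def _domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def route_sign_in(email: str, orgs: List[OrgSSO]) -> str:
    """'sso:<org_id>' when the email domain belongs to an org that enforces SSO,
    otherwise 'password' (no matching org, or enforcement disabled by an admin)."""
    domain = _domain(email)
    for org in orgs:
        if org.enforced and domain in org.verified_domains:
            return f"sso:{org.org_id}"
    return "password"


def jit_provision(a: Assertion, orgs: List[OrgSSO], users: Dict[str, User]) -> User:
    # 1. Identify the tenant from the issuer the IdP signed, never from the email it asserts.
    org = next((o for o in orgs if o.idp_entity_id == a.issuer), None)
    if org is None:
        raise SSOError("assertion from an unregistered IdP")
    email = a.email.lower()
    # 2. An IdP may only speak for identities in domains its own org has verified.
    #    Without this, tenant A's IdP could mint a session for alice@tenant-b.example.
    if _domain(email) not in org.verified_domains:
        raise SSOError("asserted email domain is not verified for this org")
    # 3. Create on first sight, link an unaffiliated account in a verified domain,
    #    but never move an account that already belongs to another tenant.
    user = users.get(email)
    if user is None:
        user = User(email=email, org_id=org.org_id)
        users[email] = user
    elif user.org_id not in (None, org.org_id):
        raise SSOError("account already belongs to a different org")
    else:
        user.org_id = org.org_id
    return user


def demo() -> Dict[str, str]:
    # Constructed tenants and users.
    orgs = [
        OrgSSO("acme", "https://idp.acme.example/saml", ["acme.example"]),
        OrgSSO("globex", "https://idp.globex.example/saml", ["globex.example"]),
    ]
    users: Dict[str, User] = {}
    out: Dict[str, str] = {}
    out["route_acme"] = route_sign_in("Alice@acme.example", orgs)         # sso:acme
    out["route_unknown"] = route_sign_in("bob@gmail.example", orgs)       # password
    try:  # Globex's IdP asserting an acme.example identity must be refused
        jit_provision(Assertion("https://idp.globex.example/saml", "alice@acme.example"), orgs, users)
        out["cross_tenant"] = "allowed"
    except SSOError:
        out["cross_tenant"] = "rejected"
    user = jit_provision(Assertion("https://idp.acme.example/saml", "alice@acme.example"), orgs, users)
    out["jit_org"] = user.org_id or ""                                    # acme
    orgs[0].enforced = False  # admin break-glass after a misconfiguration
    out["route_breakglass"] = route_sign_in("alice@acme.example", orgs)   # password
    return out


if __name__ == "__main__":
    print(demo())
```

The check worth dwelling on is the second one: once an org's IdP is trusted, the only thing stopping it from asserting an email in another tenant's domain is the comparison against that org's own verified domains, which is why domain verification has to happen before activation and why the tenant is resolved from the signed issuer and not from the email attribute. The break-glass path at the end shows the other side: disabling enforcement flips routing back to passwords without touching the SSO configuration itself.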

March 11, 2026 | Strutter AI