March 13, 2026
Critical security hardening for multi-tenant isolation, credential hygiene, CORS defaults, and session identity, plus faster RFP generation and documentation fixes.
Critical security hardening for multi-tenant isolation, credential hygiene, CORS defaults, and session identity. Also includes faster RFP generation, smarter quality gate retries, lower AI costs with prompt caching, a more forgiving quality gate, improved error handling, page refresh resilience during RFP generation, a chat CSRF fix, and documentation accuracy fixes.
Improved
- Faster RFP generation. Strutter AI now generates RFP questions roughly 50% faster by using a lighter, faster model for question generation and processing more sections in parallel (up from 3 to 5 concurrent sections). All generated questions still pass through the same quality review gate, so output quality is unchanged.
- Smarter quality gate retries. When Strutter AI's quality gate requires a retry, the corrected content now carries forward to the next attempt instead of regenerating the section from scratch. Retries that previously took 3 to 8 minutes now complete in about two minutes.
- More forgiving quality gate. Strutter AI's quality gate now passes a section when the average score across all eight review categories meets a 7.5 threshold, instead of requiring every individual category to score 8.0 or above. This significantly improves first-attempt pass rates while still maintaining high overall quality. Individual category scores are still reported so you can see exactly where a section is strong or weak.
- Lower AI costs for section generation. Strutter AI now structures its prompts so that concurrent section workers share an identical prefix, enabling automatic prompt caching. This can reduce token costs by up to 75% during section generation with no change to output quality.
- Faster RFP publishing. The embedding and indexing pipeline now processes large RFPs (250+ sections) significantly faster. Vendor responses and RFP content are indexed in parallel, so publishing completes sooner.
- Friendlier error messages. Error pages now display a support reference code you can share with our team instead of raw technical details. API error responses also return clear, consistent messages across all endpoints.
- Clearer AI assistant labels. The AI assistant now shows friendly, descriptive labels for its available actions instead of internal identifiers, making it easier to understand what each tool does.
- Quality gate iteration stats on the admin dashboard. The review analytics dashboard now shows how sections perform through the quality gate: pass-on-first-try rate, average attempts per section, an attempt distribution breakdown, and a heatmap of the weakest scoring categories. This data was already being computed behind the scenes and is now visible to admins for faster diagnostics.
Fixed
- RFP progress preserved on page refresh. Refreshing the browser during RFP generation or the quality review step no longer resets the wizard to the beginning. The wizard now resumes exactly where you left off, so an accidental refresh or browser restart does not lose your progress.
- Chat commands now work reliably. Typing commands like "review my RFP" in the Strutter AI chat no longer fails with a CSRF error. All chat interfaces across the app now include the required request headers, resolving the issue.
- Corrected pricing details in blog content. The blog post about free RFP tools now shows accurate pricing for the Standard, Pro, and Enterprise tiers. Previously, the listed prices and feature breakdowns did not match the actual plans.
- Removed speculative language from blog content. The competitor comparison blog post no longer references unannounced features or future plans.
- Corrected AI review scoring details in help docs. The help documentation now accurately describes the scoring categories, scale, and thresholds used by the AI self-review feature.
- Fixed API documentation. The API reference now lists the correct response fields, matching what the API actually returns.
- Updated FAQ with accurate security details. The FAQ section now correctly describes how Strutter AI handles data security and encryption.
- Fixed vendor status labels in help docs. The vendor management documentation now uses the correct status labels shown in the app.
- Fixed broken navigation link. A broken link in the RFP management documentation now points to the correct page.
- Updated billing comparison table. The billing comparison table now includes four previously missing feature rows, giving a complete side-by-side view of plan differences.
- Removed implementation details from settings docs. The settings documentation now focuses on what each setting does rather than how it works behind the scenes.
Security
- Stronger multi-tenant isolation for vendor tokens. Vendor token validation now verifies that the token belongs to the requesting organization before granting access. Both the data layer and the authentication layer enforce this check independently, so a token from one organization cannot be used to access another organization's data. Attempts to use a token across organizations are logged for security review.
- Credentials removed from source control. A production database connection string that was stored in a tracked file has been removed and replaced with environment-based configuration. Automated checks now scan tracked files to prevent credentials from being committed in the future.
- Stricter cross-origin request defaults. Cross-origin requests are now denied by default when no allowed origins are configured, replacing the previous permissive default. The public chat endpoint no longer sends unnecessary credential-related headers, and cache behavior for cross-origin responses is now correct across different origin values.
- Session identity fix. User sessions now correctly identify the logged-in user across all authentication methods, including email/password, SSO, and just-in-time provisioning. Previously, sessions could reference the organization instead of the individual user, which affected audit trail accuracy.
- Reduced information disclosure. Error responses, health check output, and AI tool indicators no longer expose internal system details. Error pages show only a reference code, and API error messages use standardized, user-friendly text.
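The stricter cross-origin default above, as an added example rather than Strutter AI's code: the assumed permissive legacy behaviour (reflecting the request Origin when nothing is configured) beside a deny-by-default policy that also sets Vary: Origin so caches key on the origin and sends credential headers only where an endpoint opts in. The origin values are constructed for the demo.

```python
from typing import Optional

def legacy_cors_headers(origin: Optional[str], allowed: frozenset) -> dict:
    """Assumed legacy behaviour: with no configured origins, the request's
    Origin was reflected back, which effectively allowed every site."""
    if origin is not None and (not allowed or origin in allowed):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}

def cors_headers(origin: Optional[str], allowed: frozenset,
                 allow_credentials: bool = False) -> dict:
    """Deny by default: an empty allow-list permits nothing."""
    # Vary: Origin is always set so a shared cache keys the response on the
    # Origin header; otherwise a response allowed for one origin could be
    # served to another, or a denial cached for an allowed one.
    headers = {"Vary": "Origin"}
    # Exact match on the full origin (scheme + host + port); prefix or
    # substring checks would accept look-alike origins.
    if origin is None or origin not in allowed:
        return headers  # no Allow-Origin header: the browser blocks the read
    headers["Access-Control-Allow-Origin"] = origin
    # Credential headers only where the endpoint needs them; a public
    # endpoint such as an anonymous chat widget omits them entirely.
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

# Constructed allow-list for the demo.
ALLOWED_ORIGINS = frozenset({"https://app.example"})
```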
Under the Hood
- Optimized API calls, database writes, and parallel indexing pipelines for faster large document processing.
- Strutter AI's planning and quality review phases now use faster, lower-cost models with no change to output quality.
- Defense-in-depth security checks at multiple layers for vendor token validation, with automated credential scanning to prevent future leaks.
- Sanitized historical release notes to remove internal implementation details.
- Centralized log storage now routes all application logs to a queryable data warehouse, enabling faster incident investigation and cross-service log analysis from the command line.
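The two-layer vendor token check described in the Security section and again under "Under the Hood", as an added example that is not Strutter AI's code: a data-layer lookup scoped to the requesting organization, an independent auth-layer re-check of the returned row, and an audit record for cross-organization attempts. The SHA-256 token hashing, the store shape and the sample organizations are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class VendorToken:
    token_hash: str  # sha256 of the bearer token; raw tokens are never stored
    org_id: str
    vendor_id: str

class TokenStore:
    """Data layer: lookups are scoped by org_id; another tenant's token is simply 'not found'."""
    def __init__(self, rows: list):
        self._rows = {r.token_hash: r for r in rows}

    def find(self, token_hash: str, org_id: str) -> Optional[VendorToken]:
        row = self._rows.get(token_hash)
        return row if row is not None and row.org_id == org_id else None

    def owner_org(self, token_hash: str) -> Optional[str]:
        row = self._rows.get(token_hash)  # used only to classify a miss for the audit log
        return row.org_id if row is not None else None

def token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def authenticate_vendor(store: TokenStore, token: str, requesting_org: str,
                        audit: list) -> Optional[VendorToken]:
    """Auth layer: returns the vendor identity, or None (caller answers 401)."""
    h = token_hash(token)
    row = store.find(h, requesting_org)
    if row is None:
        owner = store.owner_org(h)
        if owner is not None and owner != requesting_org:
            # Valid token used against another tenant: record it for security
            # review, but answer with the same generic failure as for an
            # unknown token. Only a hash prefix is logged, never the token.
            audit.append({"event": "cross_org_token", "requesting_org": requesting_org,
                          "owner_org": owner, "token_sha256_prefix": h[:8]})
        return None
    # Independent re-check of the returned row, so a future regression in the
    # query scope still cannot grant cross-org access.
    if row.org_id != requesting_org:
        raise RuntimeError("tenant mismatch between data and auth layers")
    return row

DEMO_STORE = TokenStore([  # constructed sample data, not real tokens
    VendorToken(token_hash("tok-acme-0001"), "org-acme", "vendor-17"),
    VendorToken(token_hash("tok-globex-0001"), "org-globex", "vendor-42"),
])
```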