March 15, 2026
Strutter AI scoring now shows clear failure status with a retry option, plus auto-save for vendor responses and a comprehensive security hardening sprint.
Strutter AI scoring now surfaces failures clearly and lets you retry with one click. Vendor RFP responses now auto-save so no progress is lost. New organization creators can skip email verification and start onboarding immediately. Usage limit emails have been redesigned as milestone celebrations, and a comprehensive security remediation sprint hardens Strutter AI prompt inputs against injection, strengthens authentication and billing controls, and tightens infrastructure protections.
New
- Auto-save for vendor responses. Vendor responses now auto-save to both your browser and the server every 10 seconds, so no progress is lost if you navigate away, close the tab, or your browser crashes. A save status indicator in the progress bar shows "Saving...", "Draft saved", or "Save failed" at a glance. On reload, the most recent draft restores automatically. Auto-save works in both the vendor response form (from an email invite link) and the vendor portal.
- Skip email verification for new organization creators. Users who create a new organization with email and password now go straight to onboarding without waiting for a verification email. Users joining an existing organization through a team invite still verify their email before gaining access, ensuring that shared data remains protected. If the system cannot determine the invite status, verification is required as a safeguard.
Improved
- Retry button for failed Strutter AI scoring. If scoring fails on a vendor response, you can now re-trigger it with a single click instead of waiting for support. The invite list also shows the current scoring status for each vendor.
- "In Progress" status for vendor invitations. Issuers can now see when a vendor has started filling out a response. The invite status updates to "In Progress" as soon as the vendor begins working, giving issuers better visibility into response activity before a formal submission.
- Anchor links to unanswered required questions. The vendor response form now lists clickable links to each unanswered required question, labeled by section and question number (e.g., "Technical Q2", "General Q1"). Clicking a link scrolls directly to that question. Links disappear as questions are answered, making it easy to find and complete every required field before submitting.
- Usage notification emails redesigned as milestone celebrations. Emails sent when your organization reaches a usage threshold now celebrate what you accomplished instead of warning about limits. Each notification features a personalized subject line and headline based on the feature you used, such as "You published your first RFP" or "You put Strutter AI to work." The progress bar at 100% now uses a celebratory indigo tone instead of amber, and the call-to-action copy is tailored to each feature (for example, "Upgrade to publish unlimited RFPs"). The email footer now includes a summary of what your current plan includes.
Fixed
- Strutter AI scoring status now reflects failures. The scoring indicator previously showed "Scoring..." indefinitely when the background scoring job failed. It now detects the failure and displays "Scoring failed" so you know to retry.
- RFP generation restored. The background worker responsible for generating RFP documents was failing to start because it was required to validate configuration settings it does not use. The worker now validates only the settings it needs, resolving the startup failure.
- Generic AI notifications removed from the feed. Background Strutter AI tasks like chat responses, suggestion generation, and vendor enrichment were creating "AI task completed" notifications that provided no useful context. These generic notifications have been removed. Meaningful AI outcomes such as RFP generation, response scoring, and recommendations continue to produce specific, descriptive notifications.
- Broken logo images in notification emails. The email layout referenced an image file that did not exist in the public directory. The Strutter icon now displays correctly in email headers across all 12+ email types including vendor invites, welcome emails, password resets, and award notifications.
- Single Select, Multi Select, and Table options can now be defined. Typing comma-separated values in option fields (e.g., "Yes, No, N/A") no longer strips commas as you type. Options are now parsed when you finish editing the field, so the full text is preserved during input.
- Sign-out button no longer fails silently. Clicking sign out could produce console errors and fail to end the session because the browser blocked the request before it reached the server. The session endpoint now responds correctly to all required request types, so sign-out completes reliably.
- Blog content syncing to the live site. When multiple PRs merged to main in quick succession, the CD pipeline's concurrency controls could cancel a content-only deployment, leaving new blog posts unsynced to cloud storage. Content sync now runs as an independent workflow triggered on changes to site content files, so blog posts and other content always reach the live site regardless of concurrent code deployments.
Security
- Session security hardened. Signing out now fully revokes all active sessions, preventing a previously authenticated session from being reused after logout.
- Role-based access controls strengthened. Viewer users are now properly restricted from modifying vendors or triggering Strutter AI operations. Previously, some endpoints did not enforce role-level permissions for read-only users.
- Strutter AI prompt injection protection. All user inputs sent to Strutter AI, including vendor Q&A, RFP reviews, vendor scoring, file context, clarifying answers, reprompt content, and review feedback, are now sanitized with text normalization and data boundary wrapping before processing. This prevents crafted prompts from influencing AI behavior through injection techniques across every input vector.
- Strutter AI internal instructions protected. Strutter AI now detects and blocks attempts to extract internal system instructions, preventing prompt leakage through social engineering or adversarial inputs.
- Chat validation improved. Message validation and output size limits are now enforced on chat endpoints, preventing oversized or malformed requests from reaching the AI engine.
- One-time code comparison hardened. Email verification codes are now compared using timing-safe methods, preventing attackers from guessing valid codes through response-time analysis.
- Email verification rate limiting. The email verification endpoint now enforces per-account rate limits, preventing automated brute-force attempts against verification codes.
- Stronger password requirements. Minimum password length has increased from 6 to 8 characters, improving baseline account security for all new and updated passwords.
- Feature usage checks are now atomic. Feature limit checks and consumption now happen in a single atomic operation, closing a race condition where simultaneous requests could bypass usage limits.
- Feature flags fail closed. Unknown feature flag keys now default to disabled rather than enabled, ensuring that new or misconfigured flags do not accidentally grant access to unreleased functionality.
- Checkout price validation. Checkout now validates the selected price against a list of approved prices before proceeding, preventing manipulation of billing amounts during the payment flow.
- Billing account creation race condition closed. Simultaneous billing operations no longer create duplicate customer records. If a duplicate is detected, the orphan is automatically cleaned up.
- Usage counters reset on plan changes. When an administrator changes an organization's plan tier, usage counters now reset to reflect the new plan's limits, preventing stale counts from carrying over.
- Quarterly usage reset race condition closed. Periodic usage counter resets now use optimistic locking, preventing a timing window where concurrent resets could produce incorrect counts.
- Daily cost cap for public chat. The public-facing chat now enforces a daily cost budget, automatically pausing responses once the cap is reached to prevent runaway spending from unauthenticated traffic.
- Shorter-lived file download links. Signed file download URLs now expire sooner, reducing the window during which a shared or leaked link can be used to access files.
- Filename sanitization in downloads. Control characters are now stripped from filenames in file download headers, preventing potential header injection when serving user-uploaded files.
- Marketing site content security policy upgraded. The marketing site now uses nonce-based script authorization instead of blanket inline script permissions, reducing the risk of cross-site scripting attacks.
- DNS verification protected against server-side request forgery. Domain verification for DNS records now validates target addresses before making requests, preventing internal network scanning through crafted DNS entries.
- GDPR consent compliance. Analytics tracking now respects cookie consent preferences, ensuring that data collection only begins after a user grants consent. Consent preferences update in real time when changed.
- Client IP detection hardened. Rate limiting and access logging now use the verified client IP address from trusted proxy headers, closing a bypass where attackers could spoof their IP to evade rate limits.
- Cross-origin access locked down in production. Cross-origin request settings are now required in production, preventing accidental permissive configurations from reaching live environments.
- Sensitive credential data removed from storage. A legacy plaintext credential column used during SSO configuration has been permanently dropped from the database, eliminating any risk of unencrypted certificate exposure.
- File access authorization strengthened. Signed file download URLs now verify that the requesting user belongs to the correct organization, preventing unauthorized access to files through URL manipulation.
- API key permissions corrected. API keys now correctly inherit the permissions of the user who created them, preventing keys from gaining elevated access beyond their creator's role.
- Vendor invitation race condition closed. Vendor invitation acceptance now uses atomic operations to prevent a timing window where simultaneous requests could create duplicate memberships or bypass validation checks.
- SSO enforcement includes emergency recovery. Administrators can now disable SSO enforcement through a secure recovery mechanism if an identity provider outage locks out all users. The recovery action is fully logged for compliance.
- Legacy authentication keys phased out safely. Deprecated authentication keys are now logged when used, giving administrators visibility into remaining usage before final removal. This prevents surprise breakage for integrations still relying on older keys.
- Encryption key rotation support. Encrypted fields now support seamless key rotation, allowing administrators to rotate encryption keys without downtime or data loss. Previously encrypted data is transparently re-encrypted on access.
- SSO certificate fallback operations logged. When SSO authentication falls back to a secondary certificate during rotation, the event is now recorded in the audit log for security monitoring and compliance tracking.
- Rate limiting architecture documented. A formal architecture decision record now documents the platform's multi-tier rate limiting strategy, establishing clear guidelines for current and future rate limiting protections.
- CI/CD workflow permissions minimized. Automated build and deployment workflows now run with the minimum permissions required for each step, reducing the blast radius if a workflow is compromised.
- Vendor email addresses excluded from AI context. Vendor contact information is now redacted before being sent to the AI engine, preventing personal email addresses from appearing in AI-generated content or being stored in AI provider logs.
- Audit log metadata ordering corrected. Audit log entries now consistently record the intended metadata fields, fixing an issue where field ordering could cause some metadata to be silently overwritten.
- SSO account linking requires explicit consent. Linking an existing account to an SSO provider now requires the user to explicitly confirm the connection, preventing automatic account takeover through SSO misconfiguration.
- SSO account linking verified with email OTP. When an SSO identity matches an existing account, a 6-digit one-time code is now sent to the existing user's email. The account link only completes after the code is verified, preventing hijacking even if an identity provider is compromised. Codes are hashed before storage, limited to 5 attempts before lockout, and rate limited per IP.
- Public chat rate limiting strengthened. The public-facing chat endpoint now applies stricter rate limits, reducing the risk of abuse or resource exhaustion from unauthenticated traffic.
- Access denial logs enriched. Permission denial events now include additional request context in the audit log, giving administrators better visibility when investigating unauthorized access attempts.
- API documentation content policy tightened. The API documentation page now enforces a stricter content security policy, reducing the risk of script injection on that endpoint.
- Database migration container hardened. The container used for database migrations now runs with a minimal base image and reduced privileges, limiting exposure during schema updates.
- URL validation on vendor creation. Vendor website URLs are now validated for correct protocol format during creation, preventing storage of malformed or potentially malicious URLs.
- Deployment secrets handling secured. Secrets used during automated deployments are now passed through secure channels rather than potentially appearing in build logs or process arguments.
- Password reset rate limiting per domain. Password reset requests are now rate-limited per email domain, preventing attackers from flooding an organization's email infrastructure through rapid reset requests.
- Expanded security test coverage. Automated security tests now cover a broader set of authentication, authorization, and input validation scenarios, catching regressions before they reach production.
- Organization creation rate limiting. New organization creation is now rate-limited, preventing automated abuse of the signup flow.
- Critical configuration validated at startup. The application now verifies that essential security configuration is present before starting in production, preventing silent fallback to insecure defaults.
- Development encryption key blocked in production. The application now rejects a known development-only encryption key when running in production, preventing accidental use of a weak key in live environments.
- Clickjacking protection on all routes. All application routes now include frame-embedding restrictions, preventing the application from being embedded in malicious third-party sites.
- SSO certificate expiry warnings. Administrators now receive advance warning when an SSO certificate is approaching expiration, giving time to rotate certificates before authentication breaks.
- RFP metadata sanitized in AI conversations. User-provided RFP fields such as titles, descriptions, vendor names, and question text are now cleaned before being included in Strutter AI conversation context, preventing crafted content from influencing AI behavior.
- SSO domain verification race condition closed. Domain ownership verification for SSO now uses database row-level locking within a transaction, eliminating a timing window where two organizations could simultaneously claim the same domain.
- Knowledge base content sanitized against prompt injection. All user-provided content is now cleaned when indexed into the knowledge base and wrapped with data boundaries when retrieved, preventing malicious content in vendor responses or RFP documents from influencing Strutter AI behavior in future queries.
Under the Hood
- Stale browser drafts older than 24 hours are automatically discarded on page load, preventing outdated answers from overwriting newer server-side data.
- Already-submitted vendor responses are protected from accidental overwrites. The server rejects draft saves once a response has been formally submitted.
- Removed three unused dependencies from the application bundle, reducing install size and potential attack surface.
- Redacted a hardcoded API key from internal migration documentation, ensuring credentials are not stored in version-controlled files.
- Updated internal documentation that referenced deprecated database query patterns, keeping developer guides aligned with current security practices.
- Audit log integrity improved with hash chain verification across all write paths, ensuring that log entries cannot be silently modified or removed.
- SSO enforcement now fails closed on database errors, preventing authentication bypass if the database is temporarily unreachable during SSO checks.
- Global error boundary added to prevent internal error details from leaking to end users when an unexpected failure occurs.
- Docker base image scanning enabled, automatically flagging known vulnerabilities in container images before they reach production.
- Removed invalid test helper exports from the public chat API route that were breaking the Next.js production build. Next.js route files only allow handler exports (GET, POST, OPTIONS), and the presence of non-handler exports caused the CD pipeline to fail. Tests were updated to exercise the rate limiting logic without relying on internal exports.
- Added post-deploy sign-in verification to the CD pipeline. Production sign-in is now automatically tested after each app deployment, with visual regression screenshots of the dashboard. Release tagging is gated on this verification passing.
- Restored canary deploys with auto-rollback. New app revisions now deploy with zero traffic, pass a health check, then get promoted to serve requests. If the post-deploy sign-in test fails, traffic automatically reverts to the previous stable revision. Release tags are only created after the rollback window closes successfully.
- Content sync workflow now triggers independently on push to site content paths, with manual dispatch support. This decouples content publishing from the main CD pipeline, preventing concurrency cancellation from blocking blog posts and release notes from reaching the live site.