March 17, 2026
OAuth 2.1 support for secure AI platform connections, new Buyer's Guide to Running an RFP, plus 41 fixes across security, vendor workflows, accessibility, and portal reliability.
Updates deployed on March 17, 2026. This release adds OAuth 2.1 support for secure AI platform connections, introduces a comprehensive Buyer's Guide to Running an RFP, expands the buyer-side content library, and resolves 41 issues across security, vendor workflows, accessibility, and portal reliability.
New
- Secure AI platform connections. Third-party AI platforms can now connect to Strutter AI using industry-standard OAuth 2.1 authorization. When a platform requests access, you see a consent screen explaining exactly what it wants to do, and you approve or deny the connection. Connections use short-lived tokens with automatic refresh, and you can revoke access at any time.
- Buyer's Guide to Running an RFP. A new comprehensive guide walks you through the full buyer-side RFP journey in eight sections, from defining requirements through vendor selection. The guide includes a sticky table of contents and links to 13 supporting articles across the blog.
- Content freshness alerts. Pro tier vendors now see freshness badges on Q&A library entries. Entries not updated or used in 60 or more days show an amber "Aging" badge, and entries untouched for 90 or more days show a red "Stale" badge. Ask Strutter AI to "show me stale Q&A entries" to get a sorted list. Entries automatically refresh their badge when used in a response.
- Full analytics dashboard. Pro tier vendors get an expanded analytics suite: win/loss tracking with win rate trends, response quality metrics including Strutter AI confidence scores and library coverage rate, Q&A library health showing most-used entries, stale count, and coverage gaps, plus team performance with responses per member.
- RFP import. Vendors can now import RFP files directly from the portal. Drag and drop a PDF, DOCX, XLSX, or JSON file, and Strutter AI automatically parses the document into structured questions with progress tracking. Start responding immediately after import.
- Export dropdown. Completed RFP responses can now be downloaded as DOCX, XLSX, CSV, or JSON directly from the RFP detail page. The export format auto-detects based on how the RFP was originally imported.
- Draft review screen. Before submitting, vendors can review all their answers in a read-only view grouped by section. Unanswered required questions are highlighted with jump-to links so nothing gets missed.
Improved
- Vendor pricing updated. The Standard plan is now $1,000/mo and the Pro plan is now $2,000/mo, reflecting the expanded feature set in each tier.
- Submission success screen. After submitting responses, vendors now see a confirmation screen with a celebratory animation, an export button to download their completed responses, and a link back to the dashboard. Previously, vendors were silently redirected with no confirmation.
- Vendor dashboard. The dashboard now includes an "Import RFP" button in the header, a search bar to filter by title or issuer name, filter chips for response status and RFP status, and sort options for deadline, title, or status. Action buttons are contextual: "Start Response" for new RFPs, "Continue" for in-progress, and "View" or "Export" for submitted RFPs.
- Marketing CTAs link to sign-up. All call-to-action buttons on strutterai.com now link directly to the sign-up page instead of the sign-in page. Visitors no longer have to find the sign-up link after landing on sign-in.
- Portal dashboard accessibility. Filter buttons now communicate their toggle state to screen readers, decorative icons are hidden from assistive technology, and error messages announce themselves automatically.
- Vendor card accessibility. Expand and collapse buttons on vendor cards now communicate their state to screen readers, decorative graphics are hidden from assistive technology, and error messages across vendor forms announce themselves automatically. Form inputs and search fields include accessible labels.
- Export menu keyboard navigation. The export dropdown menu now supports full keyboard navigation with arrow keys and Escape to close. The rich text editor toolbar communicates button state to screen readers, the loading spinner is recognized by assistive technology, and the QA Library delete action includes a confirmation step. The Strutter AI prompt bar inputs include accessible labels.
- Buyer-side blog cross-linking. Ten existing blog posts now include internal cross-links connecting related buyer-side RFP topics, making it easier to find relevant guides as you research. This update also fixes a broken link on the RFP management software comparison page.
- Buyer-side content library expanded. Three new guides covering requirements gathering, vendor shortlisting and demos, and RFP templates round out the buyer-side content cluster. These guides help you navigate each stage of the procurement process.
Fixed
- Vendor claim endpoint error codes. The vendor claim endpoint now returns the correct HTTP status codes (unauthorized, not found, forbidden) instead of returning a generic error for every failure. Multi-step claim operations now run inside database transactions, preventing partial data if something fails midway.
- Deleted organizations in vendor directory. Deleted organizations no longer appear in vendor directory search results. The directory listing API no longer exposes internal database fields. Directory searches are faster thanks to new database indexes.
- Empty file imports blocked. Importing an empty file no longer silently creates an RFP with zero questions. The server now validates file size (10 MB limit) before processing. Failed imports correctly refund usage credits.
- Portal dashboard table on mobile. The portal dashboard table now scrolls horizontally on mobile devices instead of overflowing off screen.
- Expired invite button. Expired invitations no longer show a misleading "Start Response" button. The button text now reflects the actual invite status.
- Export failure feedback. When an export fails, vendors now see a clear error message instead of silent failure.
- Directory pagination. The vendor directory now uses the page size returned by the API instead of a hardcoded value, so pagination works correctly for all result sets.
- Vendor invite credit refund. Deleting a vendor invite now correctly returns the usage credit that was consumed when the invite was sent.
- DOCX export restored. DOCX exports work again after resolving a missing dependency that was causing downloads to fail.
- Invite backfill scope documented. The invite backfill process now has clear documentation explaining its scope and behavior.
- Stuck RFP imports recovered automatically. RFP import jobs that stall during processing are now detected and marked as failed automatically. The import credit is refunded so you can retry without losing usage.
- API request validation. Twelve API endpoints now return proper validation errors for malformed request bodies instead of returning internal server errors.
- Vendor invitation linking under load. Fixed a race condition where two simultaneous requests during the vendor invitation flow could cause one to silently fail, leaving the vendor unlinked to their RFP. The operation is now atomic and works correctly under concurrent requests.
- Stale organization check on invite linking. Vendor invitations now verify that the target organization still exists before completing the link. Previously, linking to a deleted organization could fail silently.
- Rich text fields now display saved draft responses. Rich text editor fields in the vendor RFP portal were not displaying previously saved draft responses when the page loaded. The editor only read its content at mount time, so any value arriving from the server after initial render was silently ignored. The editor now syncs with server-loaded content as it arrives, ensuring vendors see their saved work immediately.
- Strutter AI MCP tools now produce properly formatted text. When using the Strutter AI workspace tools to fill in RFP responses, the text was being inserted as raw markdown (headers, bold markers, bullet characters) instead of rich text. The app's text editor expects HTML, but the tools were passing markdown straight through. All tools that write response content now convert markdown to HTML automatically, with smart detection that skips content already in HTML format. Output is sanitized for security.
- File uploads restored. File uploads in the vendor portal and AI workspace were failing because the underlying storage bucket did not exist. Uploads now target a dedicated Google Cloud Storage bucket and work reliably on both local and deployed environments.
- File uploads now count toward RFP progress. File uploads via the AI workspace tools were stored in cloud storage but not recorded as responses in the database. This caused the response count and completion progress bar to exclude file-based answers. Each file upload now creates a response record with file metadata, so uploaded files properly count toward RFP completion.
Security
- Vendor token no longer exposed to the browser. Raw vendor authentication tokens are no longer passed to the client through page properties. Tokens now remain in secure, server-only cookies where client-side code cannot access them.
- Vendor contact editing restricted by role. The vendor contact edit and delete endpoints now enforce role-based permissions. Users with viewer-level access can no longer modify or remove vendor contacts.
- Invite acceptance no longer trusts caller-supplied identity. Accepting an organization invite now requires authentication, and the target organization is determined from the invite record itself. This prevents unauthorized users from joining an organization by manipulating the request.
- AI chat tools restricted by role. The AI chat now enforces role-based access to actions like publishing, closing, and awarding RFPs. Viewer-level users are limited to read-only tools, and the chat no longer accepts externally supplied system instructions.
- SSO account linking requires full verification. Linking an SSO identity to an existing account now requires completing email verification before a session is granted. Disabling SSO for an organization also fully deactivates the associated identity provider.
- Vendor prefill scoped to current organization. Previously saved vendor responses are now retrieved only within the organization that owns the RFP. Vendors no longer see answers they submitted to other organizations when prefilling a new response.
Under the Hood
- Expanded automated test coverage for vendor claim transactions, directory search filtering, file import validation, portal accessibility, and API request validation.
- Resolved test conflicts from merge order across the bug fix sprint, updating mocks and assertions to match the final codebase state.
- Cleaned up noisy test output in the CI pipeline caused by an outdated mock configuration.
- Added test coverage for vendor authentication cookie security settings to prevent future regressions.
- Migrated file storage from Firebase Storage to direct Google Cloud Storage. The MCP server deploy configuration was simplified by removing Firebase credential secrets that are no longer needed. On Cloud Run, GCS authentication is handled automatically through workload identity.
- Replaced the GitHub Actions marketing cron workflow with a /marketing slash command in Claude Code. Blog publishing (with pull requests), X/Twitter posting, and LinkedIn content display for manual copy-paste are now triggered on demand instead of on a schedule, saving GitHub Actions minutes.
- Implemented full OAuth 2.1 authorization server for the MCP API: four new database models (clients, authorization codes, access tokens, refresh tokens), PKCE enforcement on all authorization flows, Protected Resource Metadata (RFC 9728) and Authorization Server Metadata (RFC 8414) discovery endpoints, Dynamic Client Registration (RFC 7591), token revocation (RFC 7009), refresh token rotation, and dual-mode authentication so both API keys and OAuth tokens are accepted. 42 new tests cover the OAuth stack.
- Added MCP safety annotations (read-only, destructive, and idempotent hints) to all 16 workspace tools and created a server metadata file for AI registry listings. The MCP server version was bumped to 1.0.0, with 67 new test cases validating annotation correctness.
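The two OAuth 2.1 properties this release calls out, mandatory PKCE on the authorization flow and refresh token rotation, are shown below in a minimal authorization-server sketch. This is an added illustration, not Strutter AI's code; it uses constructed in-memory dictionaries in place of the database models the release describes, and hypothetical function names (`authorize`, `exchange_code`, `refresh`).

```python
import base64
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for the release's database models.
AUTH_CODES: dict = {}      # code -> {"client_id", "challenge", "exp"}
REFRESH_TOKENS: dict = {}  # token -> {"family", "used"}
ACCESS_TOKENS: dict = {}   # token -> {"exp"}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_pkce_pair():
    """Client side: random verifier and its S256 challenge (RFC 7636)."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge

def authorize(client_id: str, code_challenge, method) -> str:
    """Server side: OAuth 2.1 makes PKCE mandatory, so a request without an
    S256 challenge is rejected rather than issued a code without PKCE."""
    if not code_challenge or method != "S256":
        raise ValueError("invalid_request: PKCE with S256 is required")
    code = b64url(secrets.token_bytes(24))
    AUTH_CODES[code] = {"client_id": client_id, "challenge": code_challenge,
                        "exp": time.time() + 60}
    return code

def exchange_code(code: str, client_id: str, code_verifier: str) -> dict:
    """Server side: the code is single-use, bound to the client, and only
    redeemable with the verifier that hashes to the stored challenge."""
    rec = AUTH_CODES.pop(code, None)  # pop makes the code single-use
    if rec is None or rec["client_id"] != client_id or rec["exp"] < time.time():
        raise ValueError("invalid_grant")
    expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
    if not secrets.compare_digest(expected, rec["challenge"]):
        raise ValueError("invalid_grant: PKCE verification failed")
    return _issue_tokens(family=b64url(secrets.token_bytes(8)))

def _issue_tokens(family: str) -> dict:
    access, refresh_tok = b64url(secrets.token_bytes(32)), b64url(secrets.token_bytes(32))
    ACCESS_TOKENS[access] = {"exp": time.time() + 600}  # short-lived access token
    REFRESH_TOKENS[refresh_tok] = {"family": family, "used": False}
    return {"access_token": access, "refresh_token": refresh_tok, "expires_in": 600}

def refresh(refresh_token: str) -> dict:
    """Rotation: each refresh token is accepted once; presenting an already
    used token signals theft, so every token in that family is revoked."""
    rec = REFRESH_TOKENS.get(refresh_token)
    if rec is None:
        raise ValueError("invalid_grant")
    if rec["used"]:
        for tok in [t for t, r in REFRESH_TOKENS.items() if r["family"] == rec["family"]]:
            del REFRESH_TOKENS[tok]
        raise ValueError("invalid_grant: refresh token reuse detected, family revoked")
    rec["used"] = True
    return _issue_tokens(rec["family"])
```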