March 18, 2026

Vendor plan subscriptions, batch QA entry creation, and a wave of fixes across billing, security, and reliability.

Updates deployed on March 18, 2026.

New

  • Vendor plan subscriptions. Vendor teams can now upgrade to Standard ($1,000/mo) or Pro ($2,000/mo) plans directly from the vendor settings page. Each plan card highlights included features, shows your current plan, and displays usage stats for AI credits and RFP imports.

Improved

  • Stripe billing for vendor organizations. Stripe checkout and the billing portal now correctly route vendor organizations to the vendor subdomain, so you stay in the right context throughout the payment flow.

  • Faster page loads. Pages now load fonts more efficiently, eliminating a render-blocking step that could delay the initial page display.

  • Batch QA entry creation. Creating multiple QA entries for a vendor library now processes them in a single operation instead of one at a time, making bulk imports noticeably faster.

Fixed

  • OAuth error page. Sign-in errors from third-party providers now display a clear message instead of landing on a 404 page.

  • Strutter AI credit refund on auto-fill failure. Vendor auto-fill now refunds the Strutter AI credit if suggestion generation fails, instead of consuming it permanently.

  • Vendor pricing FAQ accuracy. The vendor pricing FAQ now accurately reflects Free tier limitations: 25 Strutter AI credits per month, 1 RFP import, and 1 team member.

  • Stripe billing portal error messages. The Stripe billing portal now returns a clear error message when the payment service is unavailable, instead of a generic server error.

  • Onboarding invite check on database failure. The pending invite check during onboarding now returns a proper error response instead of raw HTML when the database is temporarily unreachable.

  • Portal settings validation. Updating portal settings now returns a clear "invalid request" error when the request body is malformed, instead of a server error.

  • Error page visibility. Unauthenticated users now see error messages directly instead of being redirected to the sign-in page.

  • Submission confirmation email timestamps. Submission confirmation emails now use a single consistent timestamp across HTML and plain text formats.

  • Onboarding error handling. New users now receive clear, structured error messages if something goes wrong during signup, instead of a generic error page.

  • Rate limit path matching. Rate limiting now uses exact path segment matching instead of substring matching, so similarly named routes are no longer misrouted to the wrong rate limiter.

  • Strutter AI credit refund on scoring failure. Response scoring now refunds consumed Strutter AI credits when scoring fails, instead of losing them permanently.

  • Stale job recovery. Background job cleanup now recovers jobs that were never picked up, not just jobs that stalled mid-processing. This prevents queued work from being silently dropped.

  • RFP generation credit refund accuracy. RFP generation now only refunds Strutter AI credits when content was never written, preventing free generations from failures that occur after content is already saved.

  • Scoring job cleanup on enqueue failure. Response scoring now marks jobs as failed and cleans up immediately when the background task cannot be queued, instead of leaving them stuck in a pending state.

  • Import job recovery on enqueue failure. RFP imports now mark jobs as failed and refund Strutter AI credits when the background task cannot be queued, instead of consuming credits with no work performed.

  • Admin listing claim validation. Claiming an organization listing now correctly rejects the request if the organization has been removed, instead of allowing claims against stale records.

  • Onboarding data consistency. Onboarding now creates the organization, user profile, and vendor record as a single atomic operation, so a partial failure no longer leaves accounts in an incomplete state.

Security

  • Session cookie security flags. Session cookie deletion now includes all security flags matching cookie creation, preventing stale session data from persisting in the browser.

  • Vendor authentication cookie cleanup. The vendor authentication cookie is now cleared after submission and when validation fails, preventing stale sessions from carrying over.
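
The two cookie fixes above share one pitfall: a browser only replaces (and therefore only deletes) a cookie whose name, Domain and Path match the original, so a clearing header that omits the attributes used at creation leaves the old cookie in place. The following is an added example, not Strutter AI's code; the cookie name, its attributes and the header helpers are constructed for illustration. It builds the creating and clearing Set-Cookie headers from one options object and includes a test-time check that the two agree.

```typescript
// Added example, not Strutter AI's code: clear a session cookie with the same
// attributes used to create it, and verify that both headers agree.
// The cookie name and options below are constructed.

interface CookieOptions {
  path: string;
  domain?: string;
  secure: boolean;
  httpOnly: boolean;
  sameSite: "Strict" | "Lax" | "None";
}

// One source of truth for the session cookie's attributes.
const SESSION_COOKIE = "strutter_session"; // constructed name
const SESSION_OPTS: CookieOptions = {
  path: "/",
  secure: true,
  httpOnly: true,
  sameSite: "Lax",
};

function attributeString(opts: CookieOptions): string {
  const parts = [`Path=${opts.path}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.secure) parts.push("Secure");
  if (opts.httpOnly) parts.push("HttpOnly");
  parts.push(`SameSite=${opts.sameSite}`);
  return parts.join("; ");
}

// Set-Cookie header that creates the session.
function setSessionCookie(value: string, maxAgeSeconds: number): string {
  return `${SESSION_COOKIE}=${value}; ${attributeString(SESSION_OPTS)}; Max-Age=${maxAgeSeconds}`;
}

// Set-Cookie header that deletes it. Browsers identify a cookie by name,
// Domain and Path, so the same options object is reused; the value is
// emptied and Max-Age=0 expires it immediately.
function clearSessionCookie(): string {
  return `${SESSION_COOKIE}=; ${attributeString(SESSION_OPTS)}; Max-Age=0`;
}

// Parse a Set-Cookie header into its name and an attribute map (lower-cased keys).
function parseSetCookie(header: string): { name: string; attrs: Map<string, string> } {
  const [nameValue, ...rest] = header.split(";").map((s) => s.trim());
  const name = nameValue.split("=", 1)[0];
  const attrs = new Map<string, string>();
  for (const part of rest) {
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    const val = eq === -1 ? "" : part.slice(eq + 1);
    attrs.set(key, val);
  }
  return { name, attrs };
}

// Test-time check: the clearing header must address the same cookie
// (name, Path, Domain) and carry the same flags, and must expire it.
function clearMatchesSet(setHeader: string, clearHeader: string): boolean {
  const created = parseSetCookie(setHeader);
  const cleared = parseSetCookie(clearHeader);
  if (created.name !== cleared.name) return false;
  for (const key of ["path", "domain", "secure", "httponly", "samesite"]) {
    if (created.attrs.get(key) !== cleared.attrs.get(key)) return false;
  }
  return cleared.attrs.get("max-age") === "0";
}
```

Running `clearMatchesSet(setSessionCookie("abc", 3600), clearSessionCookie())` in a unit test is a cheap guard against the two call sites drifting apart; a clearing header such as `strutter_session=; Max-Age=0` fails the check because it names a cookie at a different Path.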

  • Webhook rate-limit path matching. The webhook rate-limit exemption now uses proper path segment matching, preventing accidental bypasses on similarly named routes.
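
The rate-limit path matching fix (under Fixed) and the webhook exemption fix above describe the same defect: a substring test such as `path.includes("/api/auth")` also matches `/api/authors/…`, so a request lands in the wrong limiter bucket or is wrongly exempted. The following is an added example, not Strutter AI's code; the route prefixes, limiter names and rule table are constructed. It places the substring matcher beside a whole-segment matcher and routes the same paths through both.

```typescript
// Added example, not Strutter AI's code: substring vs. path-segment matching
// when routing a request to a rate limiter or a rate-limit exemption.
// Route prefixes and limiter names are constructed for illustration.

type PathMatcher = (path: string, routePrefix: string) => boolean;

// Split "/api/webhooks/stripe?x=1" into ["api", "webhooks", "stripe"],
// ignoring the query string, fragment and empty segments from doubled slashes.
function pathSegments(path: string): string[] {
  const pathOnly = path.split(/[?#]/, 1)[0];
  return pathOnly.split("/").filter((seg) => seg.length > 0);
}

// The buggy behaviour the changelog describes: a bare substring test.
const matchesBySubstring: PathMatcher = (path, routePrefix) =>
  path.includes(routePrefix);

// The corrected behaviour: the prefix must match whole segments, in order,
// starting at the root of the path.
const matchesBySegments: PathMatcher = (path, routePrefix) => {
  const want = pathSegments(routePrefix);
  const got = pathSegments(path);
  if (want.length > got.length) return false;
  return want.every((seg, i) => seg === got[i]);
};

interface LimiterRule { prefix: string; limiter: string; }

// Constructed rule table; the first matching rule wins.
const RULES: LimiterRule[] = [
  { prefix: "/api/webhooks", limiter: "webhook" },
  { prefix: "/api/auth", limiter: "auth" },
];

// Pick the limiter bucket for a request path using the supplied matcher.
function pickLimiter(path: string, matches: PathMatcher): string {
  for (const rule of RULES) {
    if (matches(path, rule.prefix)) return rule.limiter;
  }
  return "default";
}

// A route is exempt from the default per-user limiter only when its first
// two segments are exactly "api" and "webhooks".
function isWebhookExempt(path: string, matches: PathMatcher): boolean {
  return matches(path, "/api/webhooks");
}
```

With the substring matcher, `/api/authors/42` is throttled by the auth limiter and `/api/webhooks-admin/reset` escapes the default limiter entirely; with the segment matcher both fall through to `default`, while `/api/webhooks/stripe?attempt=2` still reaches the webhook bucket.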

  • API key name validation. API key names are now validated and limited to 100 characters, preventing oversized or malformed input.

  • Admin API data minimization. Organization and user listing responses no longer expose internal account identifiers, reducing the surface area for data leakage.

  • Development environment credentials hardened. Default credentials are no longer hard-coded in the development environment, and services bind to localhost only.

  • Webhook rate limiting. Inbound webhooks are now rate-limited, matching other API endpoints.

  • IndexNow verification key secured. The IndexNow verification key is now stored securely instead of in plaintext, reducing the risk of accidental exposure.

  • Container image integrity. All container images used in the build pipeline are now pinned to specific digests, protecting against compromised or tampered upstream images.

  • Portal template management restricted to admins. Creating, editing, and deleting portal templates now requires a vendor admin role, preventing non-admin members from modifying shared templates.

  • Strutter AI suggestion access restricted. Strutter AI suggestions now require an active admin or member role, preventing viewer accounts from consuming credits.

  • Conversation input filtering. The conversation endpoint now rejects messages that attempt to impersonate system or AI roles, preventing prompt injection through crafted input.

  • OAuth revoke rate limiting. Token revocation is now rate-limited, protecting against abuse that could disrupt session management.

Under the Hood

  • Vendor billing and credit accounting. Vendor-specific pricing is now included in the build pipeline, and RFP generation tracks Strutter AI credit usage more accurately by consuming credits before starting work.
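
The credit accounting item above, together with the refund fixes under Fixed (refund on auto-fill and scoring failure, refund only when content was never written, and refund plus job cleanup when the background task cannot be queued), all follow one pattern: consume the credit before starting work, and refund it on failure only when the user received nothing. The following is an added example, not Strutter AI's code; the ledger, job store, cost and failure points are constructed. It runs the same generation through a failure before and after content is persisted, and shows the enqueue guard.

```typescript
// Added example, not Strutter AI's code: consume a credit before starting
// work, refund on failure only if no content was persisted, and fail an
// import job immediately when it cannot be queued. The ledger, job store
// and failure points are constructed for illustration.

class InsufficientCredits extends Error {}

class CreditLedger {
  constructor(public balance: number) {}
  consume(n: number): void {
    if (this.balance < n) throw new InsufficientCredits("not enough credits");
    this.balance -= n;
  }
  refund(n: number): void {
    this.balance += n;
  }
}

interface GenerationOutcome {
  status: "saved" | "failed";
  refunded: boolean;
  balance: number;
}

const GENERATION_COST = 1; // constructed cost

// Simulated generation pipeline; `failAt` picks where the constructed failure occurs.
function runGeneration(
  ledger: CreditLedger,
  store: Map<string, string>,
  jobId: string,
  failAt: "none" | "generate" | "after-save",
): GenerationOutcome {
  ledger.consume(GENERATION_COST); // consume before starting work
  let contentSaved = false;
  try {
    if (failAt === "generate") throw new Error("model call failed");
    store.set(jobId, "generated content");
    contentSaved = true;
    if (failAt === "after-save") throw new Error("notification failed");
    return { status: "saved", refunded: false, balance: ledger.balance };
  } catch {
    if (!contentSaved) {
      // Nothing was written: the user got no output, so the credit goes back.
      ledger.refund(GENERATION_COST);
      return { status: "failed", refunded: true, balance: ledger.balance };
    }
    // Content exists: report the failure but keep the credit consumed,
    // otherwise a late failure would hand out a free generation.
    return { status: "failed", refunded: false, balance: ledger.balance };
  }
}

// Enqueue guard: when the background task cannot be queued, mark the job
// failed and refund at once instead of leaving it pending with credits gone.
function enqueueImport(
  ledger: CreditLedger,
  jobs: Map<string, string>,
  jobId: string,
  enqueue: () => boolean,
): "queued" | "failed" {
  ledger.consume(GENERATION_COST);
  jobs.set(jobId, "pending");
  if (!enqueue()) {
    jobs.set(jobId, "failed");
    ledger.refund(GENERATION_COST);
    return "failed";
  }
  return "queued";
}
```

The `contentSaved` flag is set only after the persist call returns, so a failure inside the save itself is treated as "nothing written" and refunded, while any failure after that point keeps the charge.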

  • Infrastructure documentation cleanup. Internal setup documentation updated to reflect current security practices, removing outdated guidance that recommended overly broad permissions.

  • Consolidated service build configuration. The worker and MCP server now share a single build template instead of maintaining separate, near-identical copies, reducing configuration drift.

  • Codebase cleanup. Removed unused components, duplicate files, and stale configuration. Consolidated shared type definitions and utility hooks into single locations, eliminating duplication and improving code organization.

  • Expanded automated test coverage. Vendor library syncing, portal messaging, and admin audit workflows now have comprehensive test coverage, improving confidence in future changes across these areas.

March 18, 2026 | Strutter AI