March 19, 2026
Redesigned vendor portal home, MCP documentation page, dual connection instructions, pricing tier updates, Free tier Vendor Directory access, validation error timing fix, table validator TSV fix, major security hardening sprint with 26 protections across authentication, session management, and data handling, Import RFP nav removal, cleaner vendor portal cards, portal card polish.
Updates deployed on March 19, 2026.
New
- MCP server documentation. A new documentation page at /docs/mcp covers how to connect your AI assistant to Strutter, lists all 16 available tools, and includes example prompts to get started quickly.
- Launch App button in desktop header. A new "Launch App" call-to-action button is now visible in the desktop navigation bar, making it easier to jump into Strutter from the marketing site.
- Redesigned Vendor Portal Home. Added a new vendor portal dashboard at /portal/home with an inline RFP import dropzone, AI Workspace banner, and card-based response list. Vendors can now import RFP documents and see their responses in a cleaner layout.
Improved
- Updated pricing tiers. Free tier RFPs and Strutter AI credits now reset quarterly instead of monthly (1 RFP per quarter, 25 Strutter AI credits per quarter). Standard tier RFP limit is now 1 per month, and Pro tier is now 3 per month. All pricing displays across the app, marketing site, and documentation have been updated to reflect the new limits.
- Quarterly reset cycles for the Free tier. The backend now supports quarterly usage resets for Free tier organizations, so RFP and Strutter AI credit counters roll over every three months instead of every month.
- Faster vendor prefill searches. Embedding lookups for vendor prefill now run in parallel instead of sequentially, reducing wait times when vendors start a new response.
- Prompt truncation respects sentence boundaries. When Strutter AI trims long prompts to fit context limits, it now cuts at the nearest sentence boundary instead of mid-word, producing cleaner and more accurate results.
- Concurrent AI enrichment throttling. Strutter AI now limits how many vendor enrichment jobs run at the same time, preventing system overload during large batch operations.
- Dual MCP connection instructions for vendors. The vendor portal MCP connection banner and settings page now show two connection methods stacked vertically. Desktop App (top) covers Claude Desktop, Cursor, and ChatGPT, where vendors just need the server URL and sign in via OAuth with no API key required. Terminal CLI (bottom) shows the existing JSON config with API key for Claude Code, Codex, and other terminal-based clients. Previously only the terminal/API key method was displayed.
- Cleaner Vendor Portal Cards. Removed redundant View and Continue buttons from response cards. Clicking the card navigates directly, keeping only the Start Response and Export actions visible.
- Portal Card Polish. Status badges now match the issuer dashboard color scheme. Response status displays human-readable labels (e.g., "In Progress" instead of "IN_PROGRESS"). Export action uses a clean icon instead of a text button.
Fixed
- Free tier Vendor Directory access restored. Free tier customers can now browse the Vendor Directory tab again. A recent pricing update inadvertently blocked the directory for Free plans, showing an upgrade prompt instead of the vendor listings.
- Incorrect Strutter AI credit values in feature comparison. The feature comparison table was displaying incorrect Strutter AI credit amounts for Standard (showed 250 instead of 150) and Pro (showed 750 instead of 500) tiers. These values now match the actual plan limits.
- Account deletion checks org ownership. Deleting an account now verifies organization ownership before revoking sessions, preventing errors when the account is the sole org owner.
- Directory invite matching by domain. Directory invites now match vendors by email domain instead of organization name alone, reducing misrouted invitations.
- Preload invite RFP creation. Creating an RFP from a preloaded invite now processes atomically, preventing duplicate RFPs from concurrent requests.
- SAML provider removal resilience. Removing a SAML provider now completes the database cleanup first. If the external identity service is temporarily unreachable, the local configuration still clears successfully and logs a warning, instead of rolling back the entire operation.
- Orphaned data cleanup on RFP deletion. Deleting an RFP or removing expired invites now cleans up all associated embedding data, preventing orphaned records from accumulating over time.
- Import cleanup race condition. Cleaning up completed import jobs now uses an atomic status check, preventing a timing issue where two concurrent processes could overwrite each other's results.
- Notification badge count without time filter. Requesting only the notification count now works correctly even when no time window is specified. Previously, omitting the time filter returned the full notification list instead of a count, sending unnecessary data over the wire.
- Audit trail integrity for admin changes. Audit log entries for organization tier and role type changes are now written only after the database update succeeds. Previously, a failed update could leave phantom audit entries recording changes that never actually persisted.
- RFP deadline validation rejects past dates. Setting an RFP deadline to a date that has already passed is now blocked with a clear error message, preventing RFPs from being created with expired timelines.
- Stale closure in RFP editor publish flow. The publish action in the RFP editor now always reads the latest draft state, fixing an issue where outdated content could be submitted when publishing quickly after edits.
- Preload invite validates question count. Creating an RFP from a preloaded invite template now checks that the template contains at least one question before proceeding, preventing empty RFPs from being generated.
- Memory leak on import page. A polling timer on the file import page was not being cleaned up when navigating away. The timer is now properly stopped on unmount, eliminating the memory leak.
- Stale mentions in message composer. The mention autocomplete in the message composer now refreshes its contact list when the underlying data changes, so users always see current names and roles.
- Timer leak in conversational generation. A progress timer used during Strutter AI content generation was not cleared when the component unmounted. This has been fixed to prevent background timers from accumulating.
- Invite vendor form stuck in submitting state. The invite vendor form could get stuck showing a loading spinner if the request failed. The form now resets correctly on errors, allowing users to retry.
- Chat history not reloading when switching RFPs. Navigating between different RFPs did not reload the Strutter AI chat history, showing messages from the previous RFP. The chat now refreshes automatically on RFP change.
- OAuth error handling. OAuth login and callback endpoints now return proper error responses instead of failing silently, making authentication issues easier to diagnose and resolve.
- Chat streaming token metrics recording zero. Token usage metrics for Strutter AI chat streaming sessions were being recorded as zero. The counters now capture the actual token counts from the model response.
- Team analytics response counting. The team analytics dashboard was miscounting vendor responses in certain edge cases. The query now accurately reflects the number of completed responses per team member.
- Question type metadata lost after import or AI editing. Table questions, list and multiselect questions, sliders, and file upload fields were losing their configuration data (column headers, choice options, ranges, and upload limits) at multiple points: during RFP import, when loading in the editor, and when applying changes through Strutter AI chat. All three paths now preserve question type metadata correctly, so imported and AI-edited RFPs retain their full question configuration.
- Browser refresh during RFP research no longer restarts the process. Refreshing the page while Strutter AI was researching and generating clarifying questions would restart the entire research process from scratch. The wizard now recognizes the in-progress research step and picks up where it left off.
- Clarify job ID preserved across quick refreshes. A narrow race condition could cause the research job ID to be lost if the browser was refreshed in the first couple of seconds after starting research. The job ID is now saved immediately, closing this window.
- Strutter AI now reliably applies changes when asked. In some cases, asking Strutter AI to edit the RFP (e.g. "slim this down to 50 questions") would produce a text acknowledgment without actually making the changes. The AI is now required to use a tool for every response in editing mode, ensuring structural edits are always executed rather than just acknowledged.
- Select questions require at least one option before saving. Multi-select and single-select questions in the RFP builder could previously be saved without any selection options configured, making them impossible for vendors to answer. The editor now validates that every select-type question has at least one option, shows inline errors on empty option fields, and displays a warning banner listing any broken questions. This also catches existing RFPs with missing options retroactively.
- Auto-fill now flags questions that require file uploads. Previously, file upload questions (e.g. "Provide your SOC 2 audit report") were silently skipped during auto-fill, leaving vendors with no guidance on which questions needed a document. Auto-fill responses now include the question type on every suggestion and return a dedicated fileUploadActions list that tells the client exactly which questions need document generation.
- Vendor-imported RFPs no longer appear on the issuer dashboard. RFPs imported by vendors were incorrectly showing up on the issuer dashboard in Draft status, where they could not be completed. Vendor-imported RFPs now open immediately for response and are correctly scoped to the vendor portal.
- Proposal response form no longer shows validation errors on initial load. Required field warnings now only appear after clicking Submit or Review Answers, instead of displaying immediately when a vendor opens a new response form.
- Submit and Review buttons no longer hidden by the prompt bar. The fixed prompt bar at the bottom of the vendor portal was covering the Submit Response and Review Answers buttons on longer response forms. The page content now has enough clearance so buttons are always visible and clickable.
- Signed-in vendors now land on their dashboard from invite links. Clicking an RFP invite email link while already signed in previously showed a "Setting up your session" screen and opened only that single RFP. Vendors now go straight to their portal dashboard, where the new RFP appears alongside all their existing RFPs.
- Select question parsing. Options containing commas (e.g., "Yes, with conditions") are now correctly handled in multi-select and single-select questions. Previously, commas in option text could cause answers to be rejected or misinterpreted.
- Table question answers no longer show false validation errors. Editing a table question through the vendor response form displayed a validation error indicator even though the answer saved correctly. The validator now recognizes tab-separated table data, so valid answers no longer trigger a misleading error state.
Security
- OAuth consent identity verification. OAuth consent now derives user and organization context from the authenticated session instead of browser-supplied values, preventing cross-account authorization.
- OAuth authorization hardened. The OAuth authorize endpoint now validates session cookies and blocks redirect URLs that point outside your organization's registered domains, preventing session fixation and open redirect attacks.
- Upload file inspection. Uploaded files are now inspected by content type rather than trusting file extensions, and compressed archives are scanned for nested threats before processing.
- Archive size limits. Document parsing now enforces size limits on compressed archives, protecting against uploads designed to overwhelm system resources during extraction.
- Stripe webhook ordering. Stripe webhook events are now processed with atomic idempotency checks, preventing duplicate charges or skipped events when notifications arrive out of order.
- Background worker authentication. Background worker requests now require cryptographically verified identity tokens. Development-only authentication shortcuts have been removed.
- Environment configuration safety. Production services no longer fall back to default values for sensitive configuration. Missing configuration now surfaces immediately at startup instead of silently using insecure defaults.
- Build cache isolation. Build caches are now isolated between testing and deployment pipelines, preventing test artifacts from influencing production builds.
- Invite token security. Issuer and vendor invite tokens now use cryptographic signing, preventing token forgery and ensuring invite links cannot be tampered with.
- Email verification before sign-in. Password-based accounts now require a verified email address before a session is created, preventing access from unverified email addresses.
- OAuth code exchange protection. OAuth authorization codes are now consumed atomically, preventing a single code from being exchanged for multiple access tokens.
- OAuth registration rate limiting. OAuth client registration is now rate-limited, preventing automated creation of large numbers of OAuth applications.
- Vendor conversation access control. Vendor conversations are now restricted to the specific invite they belong to, preventing cross-invite message access.
- Issuer invite admin requirement. Managing issuer invitations now requires a vendor admin role, preventing non-admin team members from creating or modifying invitations on behalf of the organization.
- JSON import size limits. JSON imports now enforce complexity and nesting limits, preventing oversized or deeply nested payloads from consuming excessive server resources.
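An added example (not Strutter's code) of how complexity and nesting limits of the kind described above can be applied to an imported JSON payload before it is processed; the limit values and the function names are assumptions.

```typescript
// Added example, not Strutter's code. Limit values are assumptions.
const LIMITS = { maxChars: 1_000_000, maxDepth: 32, maxNodes: 50_000 };
type Limits = typeof LIMITS;

type Verdict =
  | { ok: true; depth: number; nodes: number }
  | { ok: false; reason: string };

// Walk the parsed tree with an explicit stack: a recursive checker could
// itself overflow the call stack on the very documents it is meant to reject.
function measureTree(root: unknown, limits: Limits): Verdict {
  const stack: Array<{ value: unknown; depth: number }> = [{ value: root, depth: 1 }];
  let nodes = 0;
  let maxDepth = 0;
  while (stack.length > 0) {
    const { value, depth } = stack.pop()!;
    nodes += 1;
    if (nodes > limits.maxNodes) {
      return { ok: false, reason: `more than ${limits.maxNodes} values` };
    }
    if (depth > limits.maxDepth) {
      return { ok: false, reason: `nested deeper than ${limits.maxDepth} levels` };
    }
    maxDepth = Math.max(maxDepth, depth);
    if (Array.isArray(value)) {
      for (const item of value) stack.push({ value: item, depth: depth + 1 });
    } else if (value !== null && typeof value === "object") {
      for (const item of Object.values(value as Record<string, unknown>)) {
        stack.push({ value: item, depth: depth + 1 });
      }
    }
  }
  return { ok: true, depth: maxDepth, nodes };
}

// Entry point for an import request body: size gate first, then parse,
// then structural limits. The size gate matters because JSON.parse
// materialises the entire tree before any later check can run.
function checkJsonImport(raw: string, limits: Limits = LIMITS): Verdict {
  if (raw.length > limits.maxChars) {
    return { ok: false, reason: `payload exceeds ${limits.maxChars} characters` };
  }
  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return { ok: false, reason: "payload is not valid JSON" };
  }
  return measureTree(parsed, limits);
}
```

The character-count gate is a last line of defence; the request body size limit of the web framework should reject oversized uploads before the body is even read into memory.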
- Automatic idle session timeout. Sessions now expire automatically after a period of inactivity, with silent background refresh for active users. Idle sessions are closed server-side without disrupting active work.
- Authentication cookie protection. Vendor authentication cookies now store a hashed value instead of the raw token, so intercepted cookies cannot be reused directly.
- Invite endpoint data minimization. The issuer invite endpoint no longer returns RFP details in its response, limiting the information exposed through invitation workflows.
- Health endpoint rate limiting. Health check endpoints are now rate-limited with cached responses, preventing them from being used to probe or overload the system.
- Build-time secret removal. Sensitive values used during the build process are no longer retained in the final container image layers.
- CI/CD permissions tightened. Automated workflow permissions are now scoped to the minimum required access for each job.
- Secret access audit logging. Access to deployment secrets is now logged for audit trail purposes.
- Production deployment gating. Production deployments now require approval through a protected environment gate, preventing unauthorized releases.
- Unique email enforcement. Email addresses are now enforced as unique at the database level, preventing duplicate accounts with the same email.
- Email verification token safety. Email verification tokens are now consumed atomically, preventing a single token from being used more than once.
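The atomic consumption described for OAuth authorization codes and for email verification tokens above, as an added example that is not Strutter's code: a constructed in-memory token table, where an await between read and write stands in for a database round-trip, shows why a check in application code followed by a separate write lets several concurrent requests redeem one code, while a single conditional write admits exactly one. The same pattern underlies the atomic job claiming mentioned under Under the Hood.

```typescript
// Added example, not Strutter's code: a constructed in-memory token table.
type TokenRow = { consumedAt: number | null };

class TokenTable {
  private rows = new Map<string, TokenRow>();
  constructor(tokens: string[]) {
    for (const t of tokens) this.rows.set(t, { consumedAt: null });
  }
  // Stands in for a database round-trip: yields so another request can run.
  private roundTrip(): Promise<void> {
    return Promise.resolve();
  }

  // Check-then-act in application code:
  //   SELECT consumed_at FROM tokens WHERE token = $1;          (check)
  //   UPDATE tokens SET consumed_at = now() WHERE token = $1;   (act)
  // Every request that reads before the first write sees "unused".
  async consumeNaive(token: string): Promise<boolean> {
    const row = this.rows.get(token);
    await this.roundTrip();
    if (row === undefined || row.consumedAt !== null) return false;
    await this.roundTrip();
    row.consumedAt = Date.now();
    return true;
  }

  // Conditional write, one statement:
  //   UPDATE tokens SET consumed_at = now()
  //    WHERE token = $1 AND consumed_at IS NULL RETURNING token;
  // The database evaluates the predicate and applies the write together,
  // so exactly one request gets a row back. Here the check and the write
  // have no await between them, which models that single statement.
  async consumeAtomic(token: string): Promise<boolean> {
    await this.roundTrip();
    const row = this.rows.get(token);
    if (row === undefined || row.consumedAt !== null) return false;
    row.consumedAt = Date.now();
    return true;
  }
}

// Redeem the same authorization code from several concurrent requests
// and report how many of them were accepted.
async function raceConsume(mode: "naive" | "atomic", attempts = 5): Promise<number> {
  const table = new TokenTable(["code-123"]);
  const results = await Promise.all(
    Array.from({ length: attempts }, () =>
      mode === "naive" ? table.consumeNaive("code-123") : table.consumeAtomic("code-123"),
    ),
  );
  return results.filter((accepted) => accepted).length;
}
```

With five concurrent redemptions, raceConsume("naive") reports all five accepted and raceConsume("atomic") reports one.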
- Logo URL validation. Logo URLs are now validated to ensure they point to permitted external hosts, preventing server-side requests to internal network addresses.
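An added example (not Strutter's code) of the kind of check described above: a logo URL validator that accepts only https URLs whose hostname is on an assumed allow-list and rejects IP address literals, embedded credentials and non-default ports. The allow-list hosts and the function name are assumptions.

```typescript
// Added example, not Strutter's code. The allow-list hosts are assumptions.
const ALLOWED_LOGO_HOSTS = new Set(["cdn.example.com", "images.example.com"]);

type LogoUrlCheck = { ok: true; url: string } | { ok: false; reason: string };

// WHATWG URL parsing canonicalises forms such as "0x7f000001" or
// "2130706433" into dotted-quad notation, so one pattern catches IPv4
// literals; IPv6 literals always come back bracketed in url.hostname.
const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;
function isIpLiteral(hostname: string): boolean {
  return IPV4_LITERAL.test(hostname) || hostname.startsWith("[");
}

function validateLogoUrl(raw: string): LogoUrlCheck {
  let url: URL;
  try {
    url = new URL(raw); // rejects relative and malformed input
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "only https is permitted" };
  }
  if (url.username !== "" || url.password !== "") {
    // "https://cdn.example.com@10.0.0.5/" parses with hostname 10.0.0.5
    return { ok: false, reason: "credentials in the URL are not permitted" };
  }
  const hostname = url.hostname.toLowerCase();
  if (isIpLiteral(hostname)) {
    return { ok: false, reason: "IP address literals are not permitted" };
  }
  if (!ALLOWED_LOGO_HOSTS.has(hostname)) {
    // Exact match only: "cdn.example.com.attacker.test" must not pass
    return { ok: false, reason: `host ${hostname} is not on the allow-list` };
  }
  if (url.port !== "") {
    // The URL parser clears the default port, so anything left here is non-default
    return { ok: false, reason: "non-default port is not permitted" };
  }
  url.hash = ""; // fragments are never sent to the server
  return { ok: true, url: url.toString() };
}
```

The allow-list is checked on the hostname only, so the fetch that follows should refuse to follow redirects, since a permitted host could redirect to an internal address.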
- Portal invite backfill scoped to requesting user. Enabling invites on a portal now backfills only the requesting user's pending invites, instead of processing invites across all organization members. This prevents one user's action from exposing data belonging to other organizations.
- Email verification enforced for all sessions. Users who signed up before email verification was required are now prompted to verify their email address. Previously, legacy sessions could bypass this check.
Under the Hood
- Faster database queries and smaller deployments. The database engine now uses a modern, JavaScript-native driver that delivers roughly 3x faster queries and a 90% smaller deployment footprint, improving page load times and reducing infrastructure costs.
- Duplicate job execution prevention. Clarification, response scoring, and import handlers now claim jobs atomically before processing, so retried background tasks no longer risk running the same work twice.
- Vendor seed data consolidation. Vendor reference data now lives in a single file with duplicates removed, simplifying the data seeding process and reducing maintenance overhead.
- Batch directory listing upserts. Directory listing sync now batches upserts into a small number of bulk operations, reducing the query count from roughly 3,000 individual inserts down to 4.
- Batch auto-fill searches. Strutter AI auto-fill now combines multiple full-text lookups into a single query instead of issuing one query per question, significantly reducing database load.
- Batch audit log writes during account deletion. Deleting a user account now writes all associated audit log entries in a single batch instead of one at a time, speeding up the deletion process and reducing database round-trips.
- Tiptap rich text editor upgraded to v3. Upgraded the rich text editor from v2 to v3, consolidating extension packages and improving editor reliability across RFP editing, question editing, and vendor response workflows.
- MCP endpoint HEAD request support. The MCP endpoint now responds to HEAD requests with 200 OK without requiring authentication, enabling connector discovery tools to detect the server automatically.
- MCP server documentation URL updated. The mcp-server.json configuration now points to the new /docs/mcp documentation page.
- Import RFP nav item removed. Removed the Import RFP menu item from the vendor portal navigation and cleaned up the associated page component, API routes, and test files.
- Test suite optimization. Removed approximately 4,400 lines of redundant, duplicate, and trivial test code across 5 cleanup PRs. Eliminated copy-pasted authentication boilerplate from 66 integration tests, consolidated session, SSO, and RBAC test files from 15 separate files into 7, removed overlapping Stripe and Chat/AI test coverage, and deleted dead tests. Zero test coverage was lost.