Vendor RFP Actions, MCP Observability & RBAC Hardening

Vendors can now delete imported RFPs and decline invitations, plus new MCP usage tracking and tighter role-based access controls.

New

  • Delete Imported RFPs: Vendors can now remove RFPs they imported from the portal. A trash icon appears on imported RFPs, with a confirmation step before deletion.

  • Decline RFP Invitations: Vendors can now decline an RFP invitation they received from an issuer. The issuer sees a "Declined" status on their review dashboard so they know the vendor has opted out.

  • MCP Usage Tracking: Every MCP tool call is now automatically logged with execution time, success/failure status, and organization context. This data flows into GCP Cloud Logging and is stored in the database for querying.

  • MCP Usage Dashboard: Admins can now view MCP tool usage statistics, top tools and organizations, error rates, and recent activity in the new Observability section.

  • Unified Observability Section: The admin panel now has a dedicated Observability area with an overview landing page, bringing together AI Pipeline, AI Review Analytics, and MCP Usage dashboards under one roof.

Security

  • Vendor scoring protected. Only authorized team members can adjust vendor scores. Read-only users can no longer modify scoring results.
  • Conversation threads protected. Only authorized team members can modify internal discussion threads or access invite response details.
  • Vendor messaging protected. Only authorized team members can send or modify vendor communications. Read-only users can view messages but cannot create or change them.
  • Readiness probe hardened. The health check endpoint no longer exposes specific backend service state to anonymous callers. Response labels are now generic, reducing the information available to potential attackers during reconnaissance.
  • Soft-deleted data now purged on schedule. Organizations and vendors that were soft-deleted are now automatically purged after the 90-day retention window. Previously, deleted tenant data could persist indefinitely, creating a compliance gap. This ensures data removal aligns with the advertised retention policy.
  • Hardened document upload validation -- Strengthened protections against crafted Word and Excel files that could bypass ZIP archive safety checks. Added central directory cross-verification, ZIP64 rejection, and data descriptor abuse detection.
  • OAuth token endpoint hardened. Confidential API clients now must authenticate with their credentials when exchanging authorization codes, refreshing tokens, or revoking access. Previously, these requests could succeed without proper client verification.
  • OAuth consent flow protected against cross-site scripting. The consent flow now validates redirect destinations before sending users back after authorization. Only safe, approved redirect targets are allowed, preventing attackers from injecting malicious scripts through crafted authorization links.
  • Admin directory actions now audit-logged. Added audit logging to admin directory listing creation and batch re-enrichment actions, ensuring all super-admin mutations have complete, tamper-evident audit trails.
  • OAuth tokens restricted to granted permissions. API tokens are now limited to only the capabilities they were approved for. Previously, a token could access resources beyond its authorized scope. Tokens are validated at every step, from consent through issuance, ensuring third-party integrations can only do what you allowed.

Under the Hood

  • New McpToolCall database table with indexes optimized for admin dashboard queries.
  • Admin API endpoint for MCP usage data with super-admin authentication.
  • Restructured admin routing: /admin/ai and /admin/ai/reviews now redirect to /admin/observability/ai-pipeline and /admin/observability/ai-reviews. Bookmarks and links continue to work.
Vendor RFP Actions, MCP Observability & RBAC Hardening | Strutter AI