Changelog
What we shipped recently
A curated list of recent ships. Internal refactors don’t make the cut — only changes you’d notice as a buyer or a user.
Looking ahead? See the roadmap.
Shipped today
30 April 2026
Stripe webhook hardening
Three defence-in-depth fixes on the billing path: idempotency guard (a stripe_event PK table that short-circuits Stripe retries before the event handler runs), checkout-completed upsert (the first paid checkout always creates the subscription row, no more silent no-op), and cancellation revokes paid features (subscription.deleted now flips the plan back to trial). See /security → Recently shipped.
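The three guards above as an added example, not FirmWorks' own handler: it is written against a minimal store interface so it runs without Postgres, with the in-memory store standing in for the stripe_event PK table and the subscription rows. BillingStore, MemoryStore, handleStripeEvent and the plan names are assumptions.

```typescript
// Added example (not FirmWorks' code); BillingStore/MemoryStore/plan names are assumptions.
type Plan = "trial" | "pro";
type StripeEvent = { id: string; type: string; data: { object: Record<string, string> } };

interface BillingStore {
  // Mirrors an INSERT into stripe_event(id PRIMARY KEY): false when the id
  // is already there, i.e. this delivery is a Stripe retry.
  recordEvent(id: string): boolean;
  upsertSubscription(orgId: string, subId: string, plan: Plan): void;
  setPlan(subId: string, plan: Plan): void;
}

export class MemoryStore implements BillingStore {
  seen = new Set<string>();
  subs = new Map<string, { orgId: string; plan: Plan }>();
  recordEvent(id: string): boolean {
    if (this.seen.has(id)) return false;
    this.seen.add(id);
    return true;
  }
  upsertSubscription(orgId: string, subId: string, plan: Plan): void {
    this.subs.set(subId, { orgId, plan }); // create-or-replace, never a silent no-op
  }
  setPlan(subId: string, plan: Plan): void {
    const s = this.subs.get(subId);
    if (s) s.plan = plan;
  }
}
// Called after the webhook signature check. In production the event insert and
// the handler work share one transaction, so a crash cannot record the id
// with the work undone.
export function handleStripeEvent(store: BillingStore, ev: StripeEvent): "handled" | "duplicate" | "ignored" {
  // 1. Idempotency guard: Stripe retries until it sees 2xx, so the same event
  //    can arrive repeatedly; a PK conflict means return 2xx and do nothing.
  if (!store.recordEvent(ev.id)) return "duplicate";
  const o = ev.data.object;
  switch (ev.type) {
    case "checkout.session.completed":
      // 2. Upsert: the first paid checkout must create the subscription row.
      store.upsertSubscription(o.client_reference_id, o.subscription, "pro");
      return "handled";
    case "customer.subscription.deleted":
      // 3. Cancellation revokes paid features: plan drops back to trial.
      store.setPlan(o.id, "trial");
      return "handled";
    default:
      return "ignored";
  }
}
```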
Hardened file uploads
/api/upload now enforces a MIME whitelist (PNG/JPEG/WEBP/PDF), 25 MB size cap, RBAC check (viewers can't upload), and UUID paths so two uploads in the same millisecond can't collide. Closes the SVG-with-inline-JS gap.
AI receipt extraction in the expense form
Upload a receipt at /app/docs/expenses/new and FirmWorks now pre-fills vendor, date, total (THB), VAT, and line items from the image — Vercel AI Gateway with Anthropic vision, Thai-receipt-aware (Buddhist-era → Gregorian conversion).
Pricing dedicated route
/pricing now exists as a real page (was an anchor on /). Includes a feature × plan-tier comparison table — modules, prices, seat caps, SLA tiers, audit log/SSO/custom roles availability — with the Pro column highlighted and a sticky table header.
Trust center + DPA + security expansion
New /dpa (full Data Processing Addendum, 17 sections, 72-hour breach notification, tiered audit rights), new /security/trust-center (procurement-FAQ shape with sub-processors and "what we don't claim"), and /security gained an "In flight" + "Recently shipped" + "Responsible disclosure" trio.
/api page documents the live /api/v1/me endpoint
Per-org API keys now have a working surface: a 3-step quickstart with copy-pasteable curl, the actual JSON response shape ({ apiKeyId, orgId, orgName, orgSlug, scopes }), and a cross-link to /security for scope semantics.
Audit log filters
/app/settings/audit gained chip filters for actor (member dropdown), entity type (document / project / member / billing), and date range (7d / 30d / 90d / custom). The "who changed what to whom last month" question is now a 3-click answer.
Notes body search
/app/notes search now matches inside note bodies, not just titles + tags. Same plain-text projection as the index previews, with %-escaped LIKE so search input can't collide with SQL wildcards.
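An added example of the wildcard escaping, not FirmWorks' code; notesSearchQuery, the table and column names and the ILIKE/ESCAPE form are assumptions. A small reference LIKE matcher is included so the effect of escaping can be checked offline.

```typescript
// Added example (not FirmWorks' code); notesSearchQuery, the table and column
// names and the ILIKE/ESCAPE form are assumptions.
const reEsc = (s: string): string => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Neutralise LIKE metacharacters so user input matches literally. Backslash is
// escaped too, so an input backslash cannot swallow the escape we add.
export function escapeLike(input: string): string {
  return input.replace(/[\\%_]/g, (c) => "\\" + c);
}

// Reference matcher with LIKE semantics (% = any run, _ = one char, backslash
// escapes the next char), case-insensitive like ILIKE. Used here only to
// show what the escaping changes; the database does the real matching.
export function likeMatches(pattern: string, text: string): boolean {
  let re = "";
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === "\\" && i + 1 < pattern.length) re += reEsc(pattern[++i]);
    else if (c === "%") re += "[\\s\\S]*";
    else if (c === "_") re += "[\\s\\S]";
    else re += reEsc(c);
  }
  return new RegExp("^" + re + "$", "i").test(text);
}

// Still a bound parameter: escaping fixes wildcard collisions, not injection.
export function notesSearchQuery(orgId: string, term: string): { sql: string; params: string[] } {
  return {
    sql: "SELECT id, title FROM notes WHERE org_id = $1 AND (title ILIKE $2 ESCAPE '\\' OR body_text ILIKE $2 ESCAPE '\\')",
    params: [orgId, `%${escapeLike(term)}%`],
  };
}
```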
HR leave-balance widget
Each employee detail page (/app/hr/[id]) now shows YTD leave taken vs annual allowance for each leave type — sums approved leave-request days within the current calendar year against a 10-day-per-type default.
Onboarding wizard polish
Tightened the success-path guard (was redirecting on undefined results), surfaced field-level validation errors in the toast (were swallowed by a generic fallback), and added aria-busy + a disabled-during-submit fieldset for accessibility.
Marketing surface adds — /press, /careers, /case-studies, /import/flowaccount, /vs/*
Brand kit (logos, color palette, typography), recruiting stub, honest case-studies empty state, FlowAccount-to-FirmWorks import landing, and four new comparison pages (QuickBooks, Zoho Books, Wave, Sage) plus a /vs index card grid.
Auth pages polish sweep
Sign-in / sign-up / forgot-password / reset-password / verify-email now share a single AuthCard shell, with consistent card width, gradient hairline, header rhythm, and trailing-link spacing across every screen.
Settings keyboard-shortcut cheatsheet
/app/settings/shortcuts lists every shortcut wired into the in-app surface (⌘K search, J/K navigation, etc.) so a new teammate can ramp without spelunking.
Earlier this week
April 2026
Per-module feature pages
/features/docs, /features/hr, /features/projects, /features/chat, /features/notes, /features/kanban — each with a 3-bullet "what's in it" and a direct link from the home-page comparison.
Switching-from-X comparison pages
/vs/flowaccount, /vs/notion, /vs/slack, /vs/clickup, /vs/bamboohr — what you keep, what you gain, side-by-side feature matrix.
Public roadmap and security pages
/roadmap (Now / Next / Later) and /security (the controls we actually run, no fabricated certifications).
Animated dashboard preview on the home page
Pure-CSS mock dashboard floats next to the hero copy on desktop — invoice rows fade in with a stagger, a "new invoice paid" toast pulses in.
Privacy & terms with full sub-processor list
Singapore data residency, retention windows, rights under PDPA / GDPR, and the Vercel / Neon / Stripe / Resend sub-processor table.
PDPA cookie consent banner
Bottom-of-viewport bar on marketing surfaces, persists Accept / Decline as a 90-day cookie, never shows on the app.
Earlier this month
April 2026
Onboarding wizard collapsed to one screen
Down from two steps. Only company name is required; industry and tax ID stay inline-optional.
Auth-form parity sweep
Sign-up, sign-in, forgot-password, and reset-password all share the same email-format validation, aria-invalid wiring, and (for sign-up + reset) a 4-bar password-strength meter with a common-password blocklist.
Verify-email landing page
After sign-up the form router-pushes to /verify-email with provider-aware quick-actions (Open Gmail / Outlook / Yahoo) and a Resend link with a cooldown.
Vercel BotID on every auth endpoint
Blocks credential-stuffing, sign-up spam, and password-reset spam without putting captchas in front of real users.
Database-mode rate limiter on credentials
5 attempts / 15 min on /sign-in, /sign-up, /reset-password; 3 / 15 min on /forgot-password. Backed by a real `rate_limit` table, not in-memory.
Cross-tenant integration test
tests/cross-tenant.test.ts round-trips real rows through Postgres in two orgs and locks in that the org-id filter is what isolates them.
Try the latest
Every change above is live in the product today. 14-day Pro trial, no credit card.