FirmWorks

Changelog

What we shipped recently

A curated list of recent ships. Internal refactors don’t make the cut — only changes you’d notice as a buyer or a user.

Looking ahead? See the roadmap.

Shipped today

30 April 2026

  • Stripe webhook hardening

    Three defence-in-depth fixes on the billing path: idempotency guard (a stripe_event PK table that short-circuits Stripe retries before the event handler runs), checkout-completed upsert (first paid checkout always creates the subscription row, no more silent no-op), and cancellation revokes paid features (subscription.deleted now flips plan back to trial). See /security → Recently shipped.

  • Hardened file uploads

    /api/upload now enforces a MIME whitelist (PNG/JPEG/WEBP/PDF), 25 MB size cap, RBAC check (viewers can't upload), and UUID paths so two uploads in the same millisecond can't collide. Closes the SVG-with-inline-JS gap.

  • AI receipt extraction in the expense form

    Upload a receipt at /app/docs/expenses/new and FirmWorks now pre-fills vendor, date, total (THB), VAT, and line items from the image — Vercel AI Gateway with Anthropic vision, Thai-receipt-aware (Buddhist-era → Gregorian conversion).

  • Pricing dedicated route

    /pricing now exists as a real page (was an anchor on /). Includes a feature × plan-tier comparison table — modules, prices, seat caps, SLA tiers, audit log/SSO/custom roles availability — with the Pro column highlighted and a sticky table header.

  • Trust center + DPA + security expansion

    New /dpa (full Data Processing Addendum, 17 sections, 72-hour breach notification, tiered audit rights), new /security/trust-center (procurement-FAQ shape with sub-processors and "what we don't claim"), and /security gained an "In flight" + "Recently shipped" + "Responsible disclosure" trio.

  • /api page documents the live /api/v1/me endpoint

    Per-org API keys now have a working surface: a 3-step quickstart with copy-pasteable curl, the actual JSON response shape ({ apiKeyId, orgId, orgName, orgSlug, scopes }), and a cross-link to /security for scope semantics.

  • Audit log filters

    /app/settings/audit gained chip filters for actor (member dropdown), entity type (document / project / member / billing), and date range (7d / 30d / 90d / custom). The "who changed what to whom last month" question is now a 3-click answer.

  • Notes body search

    /app/notes search now matches inside note bodies, not just titles + tags. Same plain-text projection as the index previews, with %-escaped LIKE so search input can't collide with SQL wildcards.

  • HR leave-balance widget

    Each employee detail page (/app/hr/[id]) now shows YTD leave taken vs annual allowance for each leave type — sums approved leave-request days within the current calendar year against a 10-day-per-type default.

  • Onboarding wizard polish

    Tightened the success-path guard (was redirecting on undefined results), surfaced field-level validation errors in the toast (were swallowed by a generic fallback), and added aria-busy + a disabled-during-submit fieldset for accessibility.

  • Marketing surface adds — /press, /careers, /case-studies, /import/flowaccount, /vs/*

    Brand kit (logos, color palette, typography), recruiting stub, honest case-studies empty state, FlowAccount-to-FirmWorks import landing, and four new comparison pages (QuickBooks, Zoho Books, Wave, Sage) plus a /vs index card grid.

  • Auth pages polish sweep

    Sign-in / sign-up / forgot-password / reset-password / verify-email now share a single AuthCard shell, with consistent card width, gradient hairline, header rhythm, and trailing-link spacing across every screen.

  • Settings keyboard-shortcut cheatsheet

    /app/settings/shortcuts lists every shortcut wired into the in-app surface (⌘K search, J/K navigation, etc.) so a new teammate can ramp without spelunking.

Earlier this week

April 2026

  • Per-module feature pages

    /features/docs, /features/hr, /features/projects, /features/chat, /features/notes, /features/kanban — each with a 3-bullet "what's in it" and a direct link from the home-page comparison.

  • Switching-from-X comparison pages

    /vs/flowaccount, /vs/notion, /vs/slack, /vs/clickup, /vs/bamboohr — what you keep, what you gain, side-by-side feature matrix.

  • Public roadmap and security pages

    /roadmap (Now / Next / Later) and /security (the controls we actually run, no fabricated certifications).

  • Animated dashboard preview on the home page

    Pure-CSS mock dashboard floats next to the hero copy on desktop — invoice rows fade in with a stagger, a "new invoice paid" toast pulses in.

  • Privacy & terms with full sub-processor list

    Singapore data residency, retention windows, rights under PDPA / GDPR, and the Vercel / Neon / Stripe / Resend sub-processor table.

  • PDPA cookie consent banner

    Bottom-of-viewport bar on marketing surfaces, persists Accept / Decline as a 90-day cookie, never shows on the app.

Earlier this month

April 2026

  • Onboarding wizard collapsed to one screen

    Down from two steps. Only company name is required; industry and tax ID stay inline-optional.

  • Auth-form parity sweep

    Sign-up, sign-in, forgot-password, and reset-password all share the same email-format validation, aria-invalid wiring, and (for sign-up + reset) a 4-bar password-strength meter with a common-password blocklist.

  • Verify-email landing page

    After sign-up the form router-pushes to /verify-email with provider-aware quick-actions (Open Gmail / Outlook / Yahoo) and a Resend link with a cooldown.

  • Vercel BotID on every auth endpoint

    Blocks credential-stuffing, sign-up spam, and password-reset spam without putting captchas in front of real users.

  • Database-mode rate limiter on credentials

    5 attempts / 15 min on /sign-in, /sign-up, /reset-password; 3 / 15 min on /forget-password. Backed by a real `rate_limit` table, not in-memory.

  • Cross-tenant integration test

    tests/cross-tenant.test.ts round-trips real rows through Postgres in two orgs and locks in that the org-id filter is what isolates them.
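The limits in the "Database-mode rate limiter on credentials" entry above, as an added TypeScript example that is not FirmWorks' implementation. The `rate_limit` table is an in-memory Map keyed by route and subject, the clock is injected so the 15-minute window can be exercised, and the choice of subject (client IP plus submitted email) is an assumption; the entry states only the per-route limits.

```typescript
// Added example: fixed-window limiter with the entry's per-route limits.

const WINDOW_MS = 15 * 60_000;
const LIMITS: Record<string, { max: number; windowMs: number }> = {
  "/sign-in": { max: 5, windowMs: WINDOW_MS },
  "/sign-up": { max: 5, windowMs: WINDOW_MS },
  "/reset-password": { max: 5, windowMs: WINDOW_MS },
  "/forget-password": { max: 3, windowMs: WINDOW_MS },
};

interface RateLimitRow { count: number; windowStart: number }
interface Decision { allowed: boolean; remaining: number; retryAfterMs: number }

class RateLimiter {
  // stands in for the rate_limit table: PRIMARY KEY (route, subject)
  private rows = new Map<string, RateLimitRow>();
  constructor(private now: () => number = Date.now) {}

  /** Records one attempt against (route, subject) and says whether it may proceed. */
  hit(route: string, subject: string): Decision {
    const limit = LIMITS[route];
    if (!limit) return { allowed: true, remaining: Infinity, retryAfterMs: 0 }; // unlimited route
    const key = `${route}|${subject}`;
    const t = this.now();
    let row = this.rows.get(key);
    if (!row || t - row.windowStart >= limit.windowMs) {
      row = { count: 0, windowStart: t }; // new window
      this.rows.set(key, row);
    }
    row.count += 1; // blocked attempts count too, so hammering does not reset anything
    const allowed = row.count <= limit.max;
    return {
      allowed,
      remaining: Math.max(0, limit.max - row.count),
      retryAfterMs: allowed ? 0 : row.windowStart + limit.windowMs - t,
    };
  }
}

// Constructed scenario: six sign-in attempts from one subject, then the window elapses.
function demoLimiter(): { verdicts: boolean[]; sixthRetryAfterMs: number; afterWindow: boolean } {
  let clock = 1_000_000;
  const rl = new RateLimiter(() => clock);
  const subject = "203.0.113.7|alice@example.com"; // TEST-NET-3 address, constructed
  const verdicts: boolean[] = [];
  let last: Decision = { allowed: true, remaining: 0, retryAfterMs: 0 };
  for (let i = 0; i < 6; i++) {
    clock += 1_000; // one attempt per second
    last = rl.hit("/sign-in", subject);
    verdicts.push(last.allowed);
  }
  clock += WINDOW_MS; // window has fully elapsed
  return { verdicts, sixthRetryAfterMs: last.retryAfterMs, afterWindow: rl.hit("/sign-in", subject).allowed };
}
```

With a real table the increment has to be atomic, for example `INSERT ... ON CONFLICT (route, subject) DO UPDATE SET count = rate_limit.count + 1 RETURNING count`, otherwise two concurrent requests can both read count 4 and both be allowed.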

Try the latest

Every change above is live in the product today. 14-day Pro trial, no credit card.