This is the running history of changes we've shipped to ZiplineOS. Each entry leads with the headline changes as quick dot points; open Technical details at the foot of a release for the full breakdown.
Redesigned Deals workspace, sharper AI summaries and a security-hardening sweep
The Deals page has been rebuilt around the way you actually work a pipeline — one place to switch between board, table, timeline and calendar views, filter by referrer, and focus on just your favourites. Alongside it, the AI deal summary now reads your uploaded documents, the browser extension tells you exactly what it filled, and a broad security-and-reliability pass landed underneath.
Deals workspace
- A redesigned Deals page — cleaner header, toolbar and deal cards.
- Four ways to see your pipeline — Board, Table, Timeline and Calendar — switchable from a single control, with a board minimap for navigating large pipelines at a glance.
- Filter by referrer and "Show favourites only", now applied on the server so they stay fast and consistent as you page through deals.
- The view switcher is fully keyboard accessible.
AI deal summary
- The AI deal summary now also draws on data AI has extracted from uploaded documents, not just typed form answers — so the summary reflects what's actually in the client's paperwork.
Browser extension
- Per-field feedback when auto-filling — see at a glance which fields were filled, skipped or failed.
- An advisory warning when the applicant you're filling for doesn't match the deal's active applicant, so you catch a mismatch before it lands.
- Smarter dropdown matching — option lists and value mappings are reconciled and normalised, so more fields populate correctly the first time.
Fixes and polish
- Fixed a bug where a saved delay setting on a workflow item could abort saving a form submission.
- Client-intake (Collect) magic links and the browser-extension API stay reliable now that tenant isolation is enforced end to end.
Security and reliability (behind the scenes)
- Personal information and secrets are now automatically masked in every server log through a single central safeguard, rather than relying on each log line to sanitise itself.
- Resolved a batch of code-scanning findings — regular-expression denial-of-service and cross-site-scripting hardening, including rendering footer links and logo previews through normalised URLs.
- The admin/kernel console is now restricted to platform super-admins.
- Continued supply-chain and CI hardening across the build pipeline.
Technical details
- Input-portal Deals redesign: a rebuilt Deals page (header, toolbar, card cleanup) with a SegmentedViewSwitch across Board / Table / Timeline / Calendar, a Kanban minimap, a referrer filter, and a server-side
starredOnlyfavourites filter; the UpdateDeal response now populates PrimaryApplicantName, CurrentStepStageType and CreationSource so cards render fully after an edit; deal-card initials were consolidated into a shared avatar util (#2199, #2203, #2211, #2212, #2213, #2214). - A new Card Deck / SwipeDeck system (shared-ui, input and client portals) ships dark behind the
item_card_deckINPUT feature grant — the backing migration seeds the feature and role grants with no verbs, so no organisation sees it yet; it is foundation work rolling out progressively (AddInputCardDeckFeature). - The AI deal summary prompt now includes AI-extracted document data in addition to completed-form answers, and refreshes stay current as those inputs change (#2219).
- Chrome extension: per-field populate feedback (filled / skipped / failed), an advisory active-applicant reconcile warning, and dropdown-vocabulary reconcile with value-map match normalisation; multi-instance sections drop the legacy " #N" suffix in favour of underlying instanceNumber / dealApplicantId fields. The extension is published out of band and is version-coupled to this backend; existing tokens must be re-minted for the tightened
extension:writescope (#2230, #2231, #2232). - Ziplock D1 safe-logging chokepoint: a LogScrubbingEnricher runs on every Serilog event to strip control characters and mask PII/secrets centrally, on both logging pipelines (#2114).
- Security hardening: ReDoS and cleartext-log CodeQL alerts resolved, footer-link and logo-preview DOM sinks fed normalised/parsed URLs, an eslint no-unsanitized rule added, plus Trivy (IaC + image) scanning and a zizmor GitHub Actions static-analysis gate (#2233, #2215, #2234, #2227, #2218).
- Access control and tenant isolation: the kernel/admin portal is restricted to
PlatformRole=SuperAdminvia a new guard plus an/app-productsfilter; API-token principals now stamp tenant by GUID id so extension requests work under row-level security; Collect magic-link loads stamp the token's org and re-assert the soft-delete filter so links resolve when RLS is on (#2182, #2210, #2098, #2108). - Form templates gained a
Kindclassifier (Form=0 preserves existing semantics) as groundwork for distinct template types; the migration is additive and backward-compatible (AddFormTemplateKind). - Further fixes: a JSONB DelayConfig filter no longer aborts form-submission saves; per-session port offsets are applied to portal iframe URLs for multi-session local dev; and an admin tenant-overrides matrix UI with a batch endpoint plus a grant-history restyle landed (#2207, #2200, #2206, #1698, #1699).
- Platform / CI: GitHub PRs sync to Jira with draft-aware status, deploys treat an idempotent Firebase no-op release as success, and dependency/action bumps (actions/checkout v7, cache v6, setup-go v6) landed alongside a production-deployment runbook for the
prod-released..mainrange (#2226, #2252, #2255).
Multi-applicant client intake
When a deal has more than one applicant, client intake (Collect) now guides each person through their own part — organised into clear, sequential sections, with the option to invite a co-applicant to complete their details themselves while everyone else keeps moving.
Multi-applicant intake (Collect)
- Intake now splits into ordered sections — shared (joint) sections plus a section for each applicant — instead of one long interleaved form, with each section unlocking once the one before it is complete.
- For each co-applicant's section the primary can choose "I'll do it" and fill it in themselves, or invite the co-applicant to complete their own part through their own secure link — so two people can work on the same deal at the same time.
- An invited section shows live progress (for example, "Waiting on Jane — 1/3") and can be reclaimed at any time, keeping anything already entered.
- A completion review before submitting confirms every applicant's required sections are done.
- Each applicant's section pages through one question at a time, the same focused flow single-applicant deals already get.
Forms and workflows
- The workflow Documents tab now supports drag-and-drop and multi-file upload, with a single dialog to bulk-apply a category, description and "required" flag across the files — or edit each one before uploading them in a batch.
- A cleaner default form builder and workflow editor: advanced and power-user controls (field key, indexed and searchable toggles, JSON export, default entry steps, manual-creation form) can now be switched on per organisation rather than shown to everyone.
Deals
- The AI deal summary now refreshes automatically when something it reads has changed — form answers, stage, applicants or item progress — so the summary on the Summary tab stays current without a manual regenerate. It updates quietly in the background and never blanks the card.
Fixes and polish
- Form questions with both a minimum and a maximum now enforce both — previously a value over the maximum could slip through — and validation messages no longer show a stray "null".
- Desktop and sign-in background images are now served by ZiplineOS itself instead of a third party, so they load faster and reliably, with automatic recovery if a saved background ever goes missing.
Technical details
- Multi-applicant Collect renders as sequential, per-step sections computed from the deal's applicants: consecutive shared items stay in place as a shared section, and per-applicant runs expand to one section per applicant (primary first). Sections hard-lock until the prior blocking sections are complete; an invited (delegated) section is non-blocking and shows live progress derived from the fill context, with a reclaim affordance. Each applicant section reuses the single-applicant one-item-per-page pagination, and the single-applicant flow is unchanged.
- Co-applicant invites use the existing per-applicant magic link, so both parties write to the same deal in parallel (last-write-wins per item). Underneath, a hardened FillGrant primitive landed across seven phases — a tenant-scoped entity with its own row-level-security policy, SHA-256-hashed scoped tokens and an anonymous fill endpoint behind a single scope guard, an explicit lifecycle (issue / revoke fence / reclaim / decline / lock-on-submit), completion gating with per-applicant progress, email invites with reminders and bounce handling plus landing-page consent, and per-section delegation for non-applicant helpers (for example an accountant). It is rolling out progressively behind the scenes.
- Workflow template documents gained a drop-anywhere upload zone and multi-select, a unified Add Documents dialog with a tri-state bulk "required" control, partial-failure-safe batch upload through the shared file pipeline, and an extracted dropzone hook.
- Form-builder question advanced options and workflow-editor power-user controls were placed behind dark INPUT feature flags (advanced field options, field-key edit, indexed and searchable; workflow entry steps, manual-creation form, and JSON export), each registered in the capability provider so platform staff can enable them per tier × role from the kernel feature-grants matrix; JSON export is also enforced server-side.
- The AI deal summary auto-refreshes on landing when its source fingerprint (form answers, stage, applicants, item progress — not notes or emails) changes; refreshes run in the background, keep the stale text on screen with an "Updating…" hint and cross-fade the new text in, and fail quietly so a transient error never blanks the card.
- Validation: every numeric bound (length, range, selections, nested-cardinality, file constraints) now coerces through the same number / numeric-string handling as submitted values, restoring backend ⇄ front-end parity so minimum and maximum both enforce; unset (null) bounds are treated as unset, so messages no longer read "null"; sub-form-within-a-sub-form nesting is suppressed with a warning when linking.
- Security and maintenance: cross-organisation form-template references inside form and workflow visibility rules are now validated before saving; the deprecated marketing-site app was removed; dependency security updates were applied across portals (undici, dompurify, axios, vite, react-router and others); and SOC 2 / Vanta evidence, a disaster-recovery tabletop template and an over-privileged service-account split landed as part of ongoing security hardening.
- Desktop and sign-in backgrounds moved to ten self-hosted, same-origin images with a stable per-day rotation, a blob cache that now actually populates, and self-healing for dead or stale background URLs; legacy third-party URLs saved in settings fall through to the stock set.
Form archiving and new display formats
Quality-of-life updates to forms — tidy up your form list, show answers in more useful formats, and build richer conditional logic.
- Archive forms you no longer use, and restore them later, to keep your active form list clean.
- New display formats for questions — amount with a frequency (e.g. "$X per month") and a number with a unit.
- More conditional-logic operators for form rules, including "does not contain" and additional numeric comparisons.
Technical details
- Forms list gains Archive / Unarchive actions. Archived forms drop out of the active list and out of the form pickers used when assembling a deal, so they can't be attached by mistake — they stay fully restorable, and any submissions already captured against them are left untouched.
- Two new display formats: an amount paired with a frequency (e.g. "$X per month") and a number paired with a fixed unit. Both are presentation-only — the underlying stored value doesn't change — so existing answers re-render in the new format automatically, and the format is identical across the form-builder preview, the client intake (Collect) and the deal view.
- Form-rule evaluation gained a
notContainsoperator plus additional numeric comparisons. They're available both in a form's show/hide visibility rules and in the rule builder, and the builder preview now matches live form evaluation exactly, so what you see while authoring is what the client gets. - Ongoing behind-the-scenes work on reliability, security and deployment monitoring.
Self-service billing and unified Contact Profiles
Two major additions: a self-service billing area with secure card payments and invoices, plus Contact Profiles that build a single, up-to-date picture of each client across all of their deals.
Billing
- A new Billing area with a clear account overview.
- View and download invoices as PDFs, including one-off invoices.
- Pay securely by saved card.
- Automated payment reminders and access handling for overdue accounts.
Contact Profiles
- A Contact Profile that consolidates a client's details gathered across multiple deals.
- Suggested profile updates are routed to a broker for review before they're applied — nothing changes automatically.
- Cross-deal matching keeps a client's information consistent everywhere it appears.
Forms and intake
- Live, as-you-type formatting for number, money and phone fields.
- Type-aware formatting of values across both the intake and deal views.
- A new Entity Reference question type that links a question to another form submission.
- Nested-form history coverage — keep adding entries (such as address or employment history) until a required number of years is covered.
- Mark forms and fields as internal-only.
- Client intake (Collect) layout fixes: removed unwanted horizontal scrolling, and validation errors now appear inline.
Technical details
- Billing redesigned into a ledger-style hub; invoice list and PDFs read from the live payment provider; saved-card capture via embedded secure card elements; one-off / ad-hoc invoices and proration on signup; dunning and access-restriction policy for overdue accounts (rolling out progressively).
- Contact Profile: a profile-core data model, a promotion pipeline that draws from deal data, cross-deal item matching with delta routing, and a broker review / apply / remove surface in the CRM portal.
- Number, money and phone fields format live as you type and according to their type across portals; compact option grids size dynamically so option text is never clipped.
- New Entity Reference field type (targets a form submission); nested-form temporal coverage; internal-only toggle for forms and fields; surfacing of all field-value validation errors inline.
Deal Workspace, AI management and Document Intelligence
A redesigned Deal Workspace, a central control plane for AI features (including spend controls), and AI-assisted document analysis.
Deal Workspace
- A redesigned deal view with a Summary tab and an AI Deal Summary.
- New workflow views — Detailed, Checklist and Board — plus Focus and Compare modes.
AI management and cost controls
- A central place to manage AI processes and tailor them per organisation.
- Prompt management with versioning and promotion.
- An audit trail, dashboards and alerts for AI activity.
- Cost controls — spend estimates and configurable spend limits.
Document Intelligence
- AI-assisted document analysis, with an extraction preview built into the deal's Documents area.
Forms and intake
- Modern calendar date and date-time pickers for date questions.
- Validation improvements — ABN format checks, numeric minimums and maximums, and cleaner number entry (no spinner arrows or accidental scroll-to-change).
- "Required later" file requests are gathered in the Documents section.
- A new comprehensive Australian mortgage fact-find form template.
- Transactional emails now read as plain, personal messages.
Technical details
- Deal Workspace Phase 1 (Summary tab plus an AI Deal Summary that includes completed-form answers) and Phase 2 (workflow redesign — Detailed / Checklist / Board with Focus and Compare).
- AI control plane: a process registry, per-organisation overrides and matrix, a unified prompt subsystem with versioning and promotion, an audit trail with dashboards and alerts, and a cost-limit admin UI backed by spend estimation and real-time enforcement.
- Document Intelligence: a category registry with CRUD, gateway infrastructure, an extraction pipeline with live analysis, and an AI preview drawer in deal Documents.
- Form questions use calendar date/time pickers; ABN and numeric min/max validation; "required later" file handling; contact-selection questions can be tied to an applicant role; new comprehensive AU mortgage fact-find template.
AI Fact-Find and smarter intake forms
Introduces AI Fact-Find — automatically draft answers from uploaded documents — alongside a wave of client-intake form improvements.
AI Fact-Find
- AI Fact-Find reads uploaded documents and drafts answers to your fact-find, which you review and apply before anything is saved.
- Configurable per organisation (enable or disable, and set a confidence threshold) from Admin settings.
Intake forms
- Richer question display modes, including grid layouts for dropdown and multi-select questions, shown consistently across the builder preview, intake and nested forms.
- Automatic page breaks between forms for a cleaner, step-by-step flow.
- A Back button alongside Continue in the form filler.
- The Add button moved below the cards in multi-instance and nested forms, with instant add and delete.
- Stronger completeness checks for nested and multi-instance forms.
- Answers are only flagged invalid once you leave a field, and clear the instant they become valid.
Deals
- The Lead-stage swim lane is hidden from deal views unless it's been granted.
Technical details
- AI Fact-Find delivered across five phases — foundations, ingest / digest / orchestration, a per-form guard-railed extraction loop, review-and-apply, and the input-portal front end — with an Admin settings card (enable, confidence, model) and a progressive rollout behind a kill-switch.
- Forms: all display modes render in builder preview, intake and nested forms; dropdown and multi-select default to grid display; implicit, mandatory page breaks between intake forms; a back button; the add button below cards; optimistic multi-instance add and delete; nested and multi-instance completeness enforcement; answers validated on blur and cleared when valid; step auto-advance skips items hidden by visibility rules.
- Security: dependency security updates applied across portals.
Form presentation controls and intake polish
More control over how each question is presented, plus visual polish in the client-intake (Collect) experience.
- Per-field presentation controls now live in the form builder, so you decide how each question looks.
- A slider option for money questions.
- Visibility rules are now fully portable — a form's show/hide logic behaves the same wherever the form runs.
- Collect polish — cleaner header and footer spacing, and the organisation name is hidden when a logo is shown.
Technical details
- Per-field question presentation options moved into the form builder, so the look of each question is set where the question is authored rather than configured globally; money questions can additionally render as a draggable slider instead of a typed amount.
- Visibility (show-when) rules made portable across environments by keying them to stable field identifiers rather than positions, so a form's show/hide logic behaves the same wherever the form runs; stale display-hint overrides are recovered by unique field key during backfill.
- Collect (client intake) reserves the top and bottom spacing even when the header or footer is hidden, so the layout no longer jumps; the organisation name is suppressed when a logo is present to avoid showing both at once.
Smarter validation and a rebuilt mobile intake
A new validation engine that checks answers consistently as they're entered, plus a ground-up rebuild of the form-filling experience on phones and tablets.
Validation
- A new validation engine checks each answer against its question type — text, number, email, phone, date, selection, file and nested forms — consistently across the form-builder preview, client intake and deal views.
- Built-in checks for Australian postcodes, valid phone numbers, and required acceptances (such as ticking a consent box), plus contact-role rules.
- Errors show in a live preview while you build the form, so what you author is what the client sees.
Mobile and tablet intake
- A rebuilt mobile form-filler — the Continue button stays docked to the bottom of the screen, the page no longer jumps on load, and sizing is correct on iOS.
- Smoother paging between forms and steps on small screens.
Technical details
- InputValidationV2 shipped across phases — engine scaffolding and editor shell, a workflow-merge lift and read-DTO surface, then the parity-tested engine with submit-path and renderer migration, followed by per-cluster authoring UIs (text / numeric / email / phone, dates, selection, files and nested forms) each with a live preview.
- Rollout was gated end to end: registered as a capability, enabled per organisation behind a runtime gate, then flipped on globally behind a kill switch once parity tests passed.
- Validation additions: AU postcode and phone-number format checks, a "must be true" acceptance type for consent, contact-role validation, and type guards for computed defaults and bound fields.
- The mobile form-filler was rebuilt around the visual viewport — a sticky Continue dock pinned to the keyboard-aware height, document-scroll lock, each next page opening at the top, and iOS / tablet sizing fixes. Collect also moved to SEO-correct edge routing.
Formulas, merge fields and repeatable forms
Forms can now calculate values, reuse answers across repeated sections, and render the right number of copies automatically.
- A new Formula field — a read-only, calculated value derived from other answers that you can drop into merge fields and documents.
- Formula values on PDFs — calculated figures can be stamped onto generated documents.
- Aggregate merge fields for repeatable forms (for example, totalling across every entry), with the merge-field picker now finding fields across nested forms.
- Repeatable forms by cardinality — intake renders the right number of form copies automatically, such as one per applicant.
- A read-only Display (Message) question for adding instructions or notes inside a form.
- Per-document sending for signing, with reactions and clearer invalidation when something changes.
- A refreshed disclaimer checkbox.
Technical details
- Formula form-field type — numeric, read-only, with merge-field interpolation — plus a Formula PDF-annotation type that replaces the old form-field formula and stamps computed values onto generated PDFs.
- Aggregate merge fields for repeatable forms, with recursive form discovery and de-duplication in the merge-field picker.
- Cardinality-driven multi-instance rendering, per-card Continue, final-form completion and a branded done view.
- Read-only Display (Message) question type for the collect portal; per-document send for signing with reactions and directional invalidation operators; disclaimer-checkbox redesign.
Collect polish, quote estimates and rule-builder fixes
A wave of polish across the client-intake experience, improvements to quote estimates, and fixes to the form rule builder.
Quote estimates
- An Include Residual toggle wired through to the calculation engine.
- A clearer finance disclaimer in place of the old comparison-rate note.
- A manual-continuation Continue button for quote integrations.
Intake polish
- Consistent branding and theme across the documents and completion views.
- Responsive width on tablet and mobile.
- Faster completion — the round-trips after submitting a form were collapsed.
Rule builder
- The field picker now shows fields from the selected form, and no longer renders blank for valid rules.
- Cross-form visibility rules preserve answers when forms are partitioned.
- Signatures are now applied to the finalised document.
Technical details
- Quote Estimate: Include Residual toggle wired to the calc engine, a finance disclaimer replacing the comparison-rate note, a manual-continuation Continue for integrations, and onItemView trigger-timing fixes.
- Presentation chrome applied consistently across collect documents and complete views with theme tokens honored; responsive collect form width on tablet and mobile.
- Rule builder reads from the selected form's source partition; the cross-form visibility evaluator preserves user answers; "This Form" links are kept after source partitioning.
- Performance: the post-submit GET cascade collapsed from many round-trips to one, and magic-link validation was pre-compiled and instrumented.
Inventory and Invoicing portals (early access)
Two new portals begin rolling out — an Inventory portal for tracking stock, and the foundations of an Invoicing portal.
Inventory (early access)
- Items with locations, stock levels and movements, and a per-item activity feed.
- Per-tenant tags to organise items, replacing the single category.
- Server-side search and pagination on the items list, inline on-hand editing, and a primary image per item.
- Scan-to-accumulate for fast stock-takes, and printable labels for registered machine codes.
Invoicing (foundations)
- An Invoicing portal scaffold, with per-tenant invoice numbers and SKUs.
Both portals are dark-launched behind access flags while they're built out.
Technical details
- Inventory: an InventoryItem entity with create / update / get / list and list-and-detail UI, InventoryLocation, stock levels + movements + an adjust UI, a per-item activity feed, per-tenant many-to-many Tags under Settings, server-side search and pagination, inline on-hand editing, a scan-to-accumulate MVP, printable machine-code labels, and a primary (denormalised) image per item.
- Invoicing: a portal scaffold with a placeholder dashboard, plus a per-tenant SequenceGenerator for invoice numbers and SKUs.
- Shared groundwork: a Money value object, a QuestPDF + IPdfRenderer skeleton, inventory / invoicing seeds, and dark-launched access features with shell icons for the new portals.
Faster intake, lead forms and presentation defaults
A big performance pass on the client-intake experience, per-source lead forms for capturing enquiries, and cleaner default form presentation.
Performance
- The client-intake (Collect) experience loads noticeably faster — routes are code-split, the PDF stack loads only when needed, and pages stream in without long freezes.
Lead forms
- Per-source lead forms — capture different information depending on where an enquiry came from.
- A broker Lead section on the deal page, with anonymous enquiries hidden until they convert.
Forms
- A cleaner default presentation: inline, borderless, one question at a time.
- Image display fields — add images to forms with upload, size presets and a live preview.
- "0 = unlimited" repetitions for forms and workflow items.
Technical details
- Collect performance phases 1–5: bundle analysis and TipTap removal, route code-splitting with a lazy-loaded PDF stack, CDN origin headers and @mui de-duplication, a deferred pdfjs worker and latin-only fonts, long-task chunking with web-vitals RUM, and a lazy CollectPage with eager self-register.
- Lead capture: per-source lead forms (backend foundation, admin picker UI, and a broker Lead section on the deal-detail page), source-aware steps and forms, anonymous workflows hidden until conversion, and path-based slug routing for self-registration.
- Forms: presentation defaults to inline, borderless and one-question-at-a-time; Image (Display) fields with environment upload, size presets and a live preview; FormField and WorkflowItem repetition switched to "0 = unlimited".
- Security hardening: user input sanitised before logging, DOMPurify with a URL-scheme allowlist in the client portal, and logo-URL scheme validation before preview.
One unified navigation, a new Flows connector, and a faster CRM
This release brings every part of ZiplineOS under one consistent side navigation, introduces Flows for connecting outside tools straight into your CRM, and makes the CRM noticeably faster. You can also now install ZiplineOS as an app. Behind the scenes, we began rolling out a safer draft-and-merge way to edit form workflows, which is starting to reach tenants gradually.
Navigation & app experience
- One unified navigation rail now spans every part of ZiplineOS. The new collapsible side rail remembers whether you've pinned it open or tucked it away, auto-expands on hover, and keeps your icons in place as it slides — so jumping between your forms, Drive, Broadcast, CRM and the other portals feels like one product instead of many.
- Folder trees and in-context menus are built in: Drive shows its folder structure right in the rail, form workflows can be starred for quick access, and row actions are a click away without leaving the page.
- Install ZiplineOS as an app. You can now add ZiplineOS to your desktop or phone home screen and launch it in its own window like any other app.
Flows (connect your other tools)
- New Flows connector lets outside tools push data straight into ZiplineOS. A flow can create a contact in your CRM automatically — mapping names, email, phone, tags and custom fields from whatever sent the data.
- Clearer setup and safer duplicate handling. Each flow now has an endpoint panel showing its web address, keys and a ready-to-copy example, plus an always-visible field picker for mapping incoming data. Contacts are only treated as duplicates on an exact first-name, last-name, email and phone match.
CRM
- A noticeably faster CRM. Contact lists, dashboards and search have been reworked to load quicker, especially for larger organisations with deep contact hierarchies.
- More accurate billing — practice and test deals are now kept out of your usage and billing figures so your numbers reflect real client work.
Forms & workflows
- Safer workflow editing is on the way. We've started rolling out a new draft-and-merge way to edit form workflows — edit a working copy, review every change side by side, and merge it in only when you're happy, with a version history you can roll back to and deals that stay pinned to the version they were created on. It's being switched on gradually, so it may not be visible in your account yet.
- Cleaner editing throughout — friendlier in-app dialogs replace abrupt browser pop-ups, edits to form items save reliably even when you rename them, and new workflow-creation forms make starting a workflow from scratch quicker.
Admin & distribution
- Central catalog for sharing workflow packs. Admins can now version, review and publish reusable workflow packs from a central catalog and push updates out to tenants, with new admin screens to manage it all.
Technical details
- The integrated shell nav is a phased rollout: an embedded portal mode with a nested sub-nav protocol and a row-actions protocol, with input, broadcast, drive and the remaining seven portals opting in, plus iframe absolute-positioning to remove the loading gap, and a PWA manifest/service worker/install button for app install (#1198-#1217, #1264).
- Workflow versioning is built on a new draft/release-candidate model: WorkflowDraft and WorkflowReleaseCandidate entities, a diff/merge type system and schema contract, a three-way merge algorithm with an auto-resolver, MergeSession persistence with JSON endpoints, and merge-aware promote plus refresh-from-Published flows, with Deal version-pinning columns and a test-deal picker (#1224, #1226-#1243, #1260-#1268).
- An entity-resolution and conflict-projection layer surfaces every change for explicit acceptance, including cross-path move detection for items, a MovedToDifferentParents conflict variant and a merge audit page; it also fixed an inverted KeepCurrent/KeepOther mapping, stale-base-snapshot fallbacks and projector root-path prefixes. Stable Id keying for items and annotations prevents renames from duplicating entries (#1277, #1281, #1283, #1284, #1286, #1289, #1290, #1291, #1299, #1300, #1301, #1302).
- The workflow_drafts capability ships dark behind a kernel feature grant, gated on both backend commands and the UI, with RC terminology hidden from ungranted users — which is why the draft/merge editing experience is not yet generally available (#1304, #1305, #1306, #1308, #1345, #1379).
- Catalog distribution adds pack-version drafts/RCs, an admin UI, promote-to-catalog, a prod seeder and distribution evaluator, tenant-side seed-from-update, and git sync that opens a GitHub PR on catalog publish (#1247-#1256).
- Flows (the protocol portal) authenticate through the unified ApiToken system, write audit-log entries for flow and key lifecycle events, surface draft graph validation in the editor, and fixed a bug that persisted an empty graph; CreateContact targets were expanded to tags, CRM entity, external ids and dynamic tenant custom fields (#1407, #1416, #1417, #1421, #1422, #1426-#1430).
- Performance: forced custom plans on request connections fixed a 78x dashboard regression, the RLS tenant predicate was rewritten to IN(unnest()) for O(1) per-row hashing, omni-search Pass-1 moved to a dedicated reader role for sub-millisecond results (debounce also raised 50ms->150ms), and the /forms/breakdown telemetry query dropped a Deal JOIN in favour of composite indexes; CRM also batches contact counts/fuzzy lookups and lazy-loads dashboards (#1219, #1220, #1222, #1223, #1230, #1246, #1253, #1270, #1278, #1280, #1282).
- Test/security hardening: the A4 org-isolation kit (Ring 0/1/1b plus Phase C drains across Registry, Drive, Marketing, Organizations, Catalog and Forms) builds out tenant-isolation convention coverage, and a Collect endpoint moved its INPUT.deals gate off shared queries onto an authed endpoint (#1272, #1273, #1275, #1287, #1311, #1420).
- Plumbing fixes: EF Core 10 PendingModelChangesWarning suppression at startup migration, restoration of Referrer ModelSnapshot entries lost in the #1407 merge, env-aware dashboard URLs after login, a marketing-site TS6 peer-conflict fix added to the CI matrix, and a SuperAdmin license bypass via synthetic AppProduct rows (#1271, #1381, #1382, #1383, #1413, #1414).
Flows begins rolling out, plus a sharper Quote Tool
This release begins the rollout of Flows — a new way to capture data from anywhere and run it through your own automated steps, starting with an early pilot — and gives the Quote Tool a sharper, more reliable foundation for gathering client details and reusing your setups.
Flows (early rollout)
- Visual flow builder — design your own automations on a canvas: add steps, configure each one, and run a test before going live. This first version is rolling out in phases, starting with a pilot, so it won't appear for every account yet.
- Capture data from anywhere — a new secure intake link lets outside systems and forms send information straight into your flows, so nothing has to be re-keyed by hand.
- See every run at a glance — each flow keeps an execution log and live KPI tiles, so you can confirm work happened and track the numbers that matter.
Quote Tool
- Refreshed qualifying questions — the questionnaire now uses a single, consistent 36-field set, so you capture the right client details every time without duplicate or missing fields.
- Reuse your setups in one step — quote configurations can now be exported and imported as a file, making it easy to copy a working setup between environments or roll out an update.
- Smoother end-to-end quoting — runtime fixes and a more reliable two-phase save mean importing a published sheet and producing a quote now works cleanly from start to finish.
- Simpler calculation setup — the standalone calculation picker has been removed in favour of one clear scope selector, so there's only one place to choose how a quote is worked out.
Dashboard & access
- See the apps you're entitled to — your dashboard now shows the apps available to you based on your access rather than your subscription, so the right tools appear where they should.
- Sign-in and invitation fixes — Gmail-style email addresses (with dots and aliases) are now matched correctly at sign-in, and previously removed users can be re-invited and restored without getting stuck.
Technical details
- The new Flows engine ships as a full 9-part build: data model and feature grant (#1177), a flow executor with individual node executors (#1182), a public ingest endpoint secured with bearer auth plus idempotency and an async worker (#1186), the builder UI — list, canvas editor, node configs and test panel (#1187), and execution logging with KPI cells (#1188). It is rolled out in a launch phase behind the flows_manage capability (#1190) and piloted with a first customer (Stratton, #1188) — not yet generally available.
- Tenant isolation hardening: TenantRls is now enabled in production so row-level-security policies see the stamped GUCs (#1164), SuperAdmin organisation reads (Members/Subscriptions) are routed through worker context (#1157), and accessible_org_ids was widened for SuperAdmin in the user-context middleware (#1161).
- Provisioning robustness: default app subscriptions are now seeded on root-org creation and /me self-lookups are RLS-safe (#1153), live User rows are preferred when a ghost record shares a Cognito sub or email (#1174), and invitation handling stamps DeletedAt for clean user resurrection (#1172).
- Dashboard app visibility was decoupled from subscription and the legacy RequiredRole gate deprecated (#1175).
- Code-quality tooling: a new A3 Roslyn analyzer (ZIP001/002/003) landed alongside a 56-site cleanup (#1193), plus a fix to memoize the flows API hook to stop an infinite render loop (#1191), and assorted compliance-hosting, sandbox-spacing and dashboard-flicker fixes (#1176).
OmniSearch, a built-in Quote Tool, and a smarter Contact view
This release introduces OmniSearch — a single, fast search box that finds contacts, referrers and records from anywhere — alongside an early Quote Tool for client intake forms and a redesigned Contact 360 view in the CRM. Plenty of behind-the-scenes hardening rounds it out.
Search
- OmniSearch is here — one search box to find contacts, referrers and records across the app. It opens with your recent items, then fills in matches as you type, with typo-tolerant fuzzy matching so near-misses still surface what you meant.
- Filter as you search — entity-type chips and inline filter tokens let you narrow to just the entity you want (for example, only contacts) without leaving the keyboard.
- Searches your custom fields too — results can reach into custom fields on contacts and referrers, and you choose which fields are indexed for search. Items you open often rise to the top automatically, based on your own recent activity.
Collect (client intake)
- New Quote Tool step (early access) — intake forms can include a live quoting step that runs your calculation engine inline, takes over the screen for a focused quote experience, and maps answers into your quote logic. It is dark-launched behind a feature flag to start, so it rolls out gradually rather than being switched on for everyone.
CRM
- Contact 360 redesign — a cleaner contact view that pulls everything together in one place, including a new Rolodex dashboard. It rolls out behind feature gates.
- Linked form answers on the contact — values from a contact's linked intake forms now appear directly in the Contact Details sidebar, so you can see what the client told you without digging.
- Custom fields for referrers — add, edit and manage your own fields on referrer records to track the details that matter to your business.
Quoting
- Easier rule building — rule editors now offer schema-aware autocomplete, plain-English explainer cards for how figures are combined, and a clear summary of what changed each time you publish.
- Change safety — new drift detection flags when published quote logic has diverged from its source, helping you catch surprises before clients do.
Technical details
- Tenant-isolation (RLS) hardening sweep across roughly fifteen write endpoints: they now validate cross-tenant foreign keys and caller membership before writes, stamp OrganizationId on inserts, and block cross-tenant tree pollution on organization create/move — closing a batch of tracked isolation gaps. PRs: #1090, #1108, #1109, #1110, #1111, #1112, #1113, #1114, #1116, #1117, #1118, #1123, #1124, #1125, #1126, plus admin-portal cross-tenant writes routed through worker context (#1054).
- Auth tightening: /users endpoints gate mutations to the caller's org tree and drop a join-first-org footgun, system-updates mutations are restricted to SuperAdmin, /collect file downloads are scoped by applicant, and a new SuperAdmin endpoint can set a user's Firebase password (#1127, #1119, #1123, #1037).
- OmniSearch search architecture: scored results with a two-pass endpoint split (fast /search plus deep /search/deep), providers emitting ScoredSearchResult sorted by score, ExternalId Tier-1 matching, and per-user recency scoring (#1034, #1038, #1041, #1053, #1092).
- Performance and DB-context plumbing: keyword providers routed through background/read-only DbContexts with Pass 1 latency restored by serialising them and RLS Layer 2 reinstated, tenant predicates inlined per policy, a new IX_Contacts_OrgSource index for the Rolodex dashboard, raw telemetry queries routed through the EF connection, and feature-grant audit-log inserts moved to background context (#1122, #1115, #1135, #1133, #1134, #1027, #1024, #1137).
- Hardening of input handling: smuggled widget IDs rejected on desktop widget PUTs, field-access-preset validation mapped to 4xx instead of 500, and the webhook auth-type whitelist tightened to stop leaking values in 500s (#1093, #1094, #1095).
- Test-data seeder made RLS-safe and re-runnable on any org with orphan test-user cleanup, quoting tool primitives and CSS extracted into shared UI, a deploy fix to set the Firebase ProjectId in the Cloud Run env, and the ContactSearchProvider perf p95 threshold raised to 250ms (#1102, #1103, #1139, #1144, #1048, #1128).
Lender matching and pricing in a quoting sandbox, plus contact, deal, and team controls
This release brings the first preview of a new quoting engine that matches your clients to suitable lenders and works out indicative pricing — all built inside a safe sandbox you can test against sample applicants before anything goes live. It launches as a pilot with a small group of lenders. We've also added contact warning flags, automatic emails when a deal changes hands, and easier control over team roles and access.
Quoting & lender matching (early preview)
- Introducing lender matching — set up your lender offerings and tiers, then shortlist the lenders that fit each client's situation, with an AI assistant that can suggest policy rules and read them straight from a lender's PDF.
- A new pricing engine calculates an indicative final rate for each matched lender offering, so a shortlist comes with pricing attached rather than a manual lookup.
- All of this lives in a new quoting sandbox where you build and test lender policies against sample applicants before publishing — compare your changes against what's live, try live overrides, and import or export your policy collections and groups. It launches as a 10-lender pilot, with Pepper and Metro among the first.
CRM & contacts
- Added contact warning flags so you can flag a contact with a banner, pick from a catalogue of warnings, and dismiss or remove them as situations change.
Deals
- When a deal is reassigned, the new owner is now emailed automatically, so nothing slips through the cracks during a hand-off.
Team & access
- You can now deactivate and reactivate team members directly from the user edit screen, keeping access tidy when people join or leave.
- Introduced the first version of a roles and permissions matrix, letting admins create custom roles and set what each role can do.
Technical details
- The quoting engine moved to its own logic portal under /api/v1/logic/quoting/* and is built in rings — policy authoring, a matching service with a lender-shortlist preset, applicant fixtures with diff-against-published, a pricing service bridged into rate enrichment (finalRate), and live-override recompute in the sandbox. Includes a guard against zero-rate tiers crashing the match endpoint.
- Multi-tenant isolation hardening (the 'ziplock' workstream): the CalculationEngine is now tenant-scoped (ITenantScoped) with row-level security, worker/shared services use separate DbContexts, and RLS-aware seeding plus foreign-key fixes resolve Ring 1 backfill issues under FORCE RLS on child organisations.
- Security: SegmentEvaluationService hardened against SQL-injection regressions; startup/auth fixes for CalcEngine dependency injection and pre-tenant DbContext use in SessionService and AuditService.
- Platform plumbing: role-capability grants v1 (with custom roles, LISTEN/NOTIFY, and a health-check interface), a result-card preset option for workflow integration items, shared EndpointHelpers for org-ID lookup, and the compliance portal wired up alongside a telemetry GroupBy fix.
- User deactivate/reactivate is synced across both Firebase auth and the database.
Smarter documents, quoting foundations, and a more polished Deal Workspace
This release brings a redesigned document experience with thumbnails and bulk upload, the first building blocks of in-app quoting, and a smarter AI pipeline that sorts and names client files automatically. It also delivers a sweep of usability, accuracy, and accessibility improvements across the Deal workspace, CRM, client intake, and reporting dashboards.
Documents & Drive
- Redesigned Documents tab — files now appear as visual thumbnails, with one-click bulk upload and the ability to download everything at once as a single ZIP.
- Automatic file sorting — uploaded client documents are now classified, checked, and renamed automatically by AI, so files land in the right place with sensible names without manual tidying.
- Safer file handling — deleting a document now asks for confirmation first, and document cards can be operated entirely by keyboard.
Quoting (new)
- Quoting groundwork — the first version of the in-app quoting experience is now in place, laying the presentation layer and provider connections that future quote features will build on.
Deals & workflows
- A more reliable Deal workspace — the back button now returns you to the Kanban board with your tabs intact, deal titles can no longer be left blank, deal cards show tidy compact currency, and deleting notes asks for confirmation first.
- Manage applicants on a deal — you can now remove an applicant from a deal directly, with sensible per-role limits on how many applicants a deal can hold.
- Clearer progress tracking — the stage navigator now counts only the items that are actually required, so the "complete" tally reflects what genuinely needs doing.
- Cleaner Kanban views — irrelevant stage columns hide based on your status filter, table sorting handles empty values gracefully, and workflow status labels read in plain English.
Collect (client intake) & forms
- Smoother client intake — forms now auto-advance correctly end to end, hidden fields no longer leave awkward blank gaps, and step visuals and completion indicators were polished throughout.
- More dependable form logic — visibility rules now handle unanswered and outstanding-document fields correctly, and form templates must have unique names within each organisation.
- Safer portal links — revoking a client portal link now asks for confirmation first, so access can't be cut off by accident.
CRM
- Better contact search — you can now find contacts by phone number, including matches across different number formats.
- Quick Actions that work — the Log Call and Add Note buttons on a contact now do what they say, and the Add Contact dialog lays out cleanly on every screen size.
Broadcast & marketing
- Flexible email starts — the broadcast wizard now offers both a visual builder and an HTML start-from-scratch path, with clearer labelling that the email body is markdown.
- Safer sending — the Send Email button stays disabled until a subject, body, and recipients are all present.
Dashboards & reporting
- More accurate Telemetry charts — deal statuses (including On Hold) now show as their own slices, monthly trends no longer drop recent months, currency and dates display in correct Australian formatting, and "new this month" counts reflect the actual calendar month.
- Clearer audit logs — action filters are complete, details render as readable text instead of raw code, and custom date ranges are validated.
Everywhere
- Navigation and polish across the board — proper 404 pages for unknown links, working deep-links and breadcrumbs, the sidebar auto-collapsing on tablets, and dozens of small accessibility, layout, and wording fixes throughout the app.
Technical details
- Security hardening: cross-tenant
dealIdis now rejected on/upload-url, deal notes are sanitised server-side with a TipTap allowlist, session-scoped list endpoints reject anorganizationIdquery param, and thumbnail/ZIP fetches skip credentials for external URLs (#850, #891, #791, #887). - API correctness:
GET /api/v1/contactsreturns a realtotalCountand honourspageSize;PATCH /deals/{id}rejects unknown fields and normalisesexpectedCloseDateto UTC; settings endpoints return200 nullinstead of erroring when no config exists; empty note content returns 400 rather than 500 (#648, #902, #904, #782, #892). - Engine/Logic builder: per-parameter Required toggles, Test Panel JSON generated from engine parameters, output-schema placeholder fixes, and graceful empty/not-found states for missing engines (#693, #692, #694, #696, #792).
- Infrastructure and integration:
X-Api-Keyallowed in CORS for Engine webhooks,X-Forwarded-Protohonoured when building external URLs, webhook request/response payloads captured on error paths, and a Magick.NET migration for image handling (#664, #695, #787, #750). - CI: the AI-review jq pipeline now coerces object-shape items to strings (#909).
- Carry-forward refactor: form-list scoping with exclusion handling, plus removal of dead
formTemplateMatchMapcode from the execute handler (#788, #789).
AI fills forms from documents, plus referrer tracking
This release lets AI read a client's uploaded documents and fill in their form answers automatically, and introduces referrer records so you can start tracking who's sending you business. Forms also got tidier, clearing away answers that no longer apply.
Collect (client intake)
- AI document data extraction — upload a document and let AI read it and fill the matching form fields for you, so clients and your team spend less time re-typing details that are already on the page.
- Cleaner forms — when a question is hidden because it no longer applies, its answer is now cleared on save, so saved forms only keep the answers that actually matter.
- Various small fixes and polish across the form-filling experience.
CRM
- Referrer records (early access) — a first phase of referrer tracking lands, with a dedicated portal screen to create, view, and manage referrers so you can start keeping track of who is referring clients to you. More referrer functionality is on the way.
Technical details
- The AI extraction feature required teaching the document pipeline to load the underlying file bytes whenever auto-extraction runs (AutoExtract is now included in the needsVision check), so vision-based reading has the full document to work from (#500).
- Behind the CRM referrer work, the dormant legacy Contact.ReferrerId field was retired to keep the data model clean as the new Referrer entity takes over (#502).
- Cloud Tasks callbacks on staging now accept a Google OIDC token, fixing background-job authentication in that environment (#501).
- Security and maintenance hardening: resolved critical and high npm audit vulnerabilities, and bumped Terraform to 1.6.6 to work around an expired GPG key blocking infrastructure runs (#525, #526).
A richer client intake experience in Collect
This release gives your client intake forms a proper documents workflow, lets clients defer non-urgent information, and supports filling out repeatable sections inline — so clients can get started faster and you collect everything in one place.
Collect (client intake)
- Documents in Collect — clients can now see a dedicated Documents section and act on their files inline (upload, view and manage) without leaving the form.
- "Required Later" toggle — mark information as needed down the track rather than blocking submission, so clients can get started straight away and finish the rest when they're ready.
- Repeatable sections inline — forms that need more than one of something (multiple applicants, properties or income sources) can now be filled out as inline multi-instance forms, right where you are.
Technical details
- Security hardening across the platform: tightened token expiry handling, a Content-Security-Policy header, and signature verification on inbound Twilio webhooks (#462).
- Email connections now deactivate automatically when a token refresh fails, preventing silent send/receive failures from a stale connection (#461).
- Telemetry test coverage expanded with several new tests to close gaps, plus stabilisation of flaky end-to-end tests (#456, #473).
