Changelog
What we shipped
Every meaningful change to Big Law Bear, in one place. We ship continuously; this page is the public, durable record.
April 30, 2026
Launch readiness, week of April 30
What's new
For students
- Help center. A dedicated /help/students walks through account setup,
applications, Gold Stars, offer letters, interviews, and email
preferences. Search-friendly accordion layout.
- System status page. /status shows the live health of every dependency
we have (database, email, AI, calendars, billing), refreshed once a
minute.
- AI methodology disclosure. /legal/ai-methodology documents every
AI feature, what data each sees, the bias-monitoring stack, and how
to opt out.
- Welcome email sequence. Day 0 / 2 / 5 / 14 onboarding drip with
tracker tips, Gold Star primer, and OCI prep, paced so it doesn't
flood your inbox.
For firms
- WYSIWYG email + offer-letter designer. Two-pane live editor with
brand color, font, header logo, and signer block. Preview updates as
you type; merge fields render against sample candidate data.
- Zoom send-completion. When a firm sets Zoom as its preferred provider,
a Zoom meeting is minted automatically for each booking, and the Zoom
webhook marks the booking "completed" on the meeting.ended event.
- Interactive sales tour. /demo/firm-portal is a public,
unauthenticated walkthrough you can share with stakeholders before
signup.
- Firm portal help. /help/firms covers day-1 setup, templates,
calendars, send-offer flow, analytics, and compliance.
- Welcome email sequence for recruiters. Day 0 / 2 / 5 / 14 drip
drives activation through the template designer, calendar connect,
and a pipeline dry-run.
Reliability
- Atomic cross-firm fan-out. When a candidate accepts an offer at
another firm, withdrawing their other applications and queuing the
notification emails now happen in a single Postgres transaction, so a
failure part-way through leaves no partial state.
- Email queue + retry. All transactional sends now flow through
a managed queue with exponential backoff (1m → 5m → 15m → 30m → 60m,
five attempts) and automatic dead-letter on persistent failures.
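As an added example (not Big Law Bear's code) of the two Reliability items above, the fan-out done in one transaction and the outbox drained on the 1m/5m/15m/30m/60m schedule. sqlite3 in memory stands in for Postgres so it runs offline; the table and column names, the failure mode exercised (a firm record with no contact address), and the reading of the schedule as five retries after the initial send are assumptions made for the example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Changelog schedule, read here as five retries after the initial send
# (an assumption; "five attempts" could also mean five sends in total).
BACKOFF_MINUTES = (1, 5, 15, 30, 60)

# Assumed schema. recipient is NOT NULL on purpose: a firm with no contact
# address makes the INSERT fail, which is the failure the example exercises.
SCHEMA = """
CREATE TABLE firms (name TEXT PRIMARY KEY, contact_email TEXT);
CREATE TABLE applications (id INTEGER PRIMARY KEY, candidate TEXT NOT NULL,
    firm TEXT NOT NULL, status TEXT NOT NULL DEFAULT 'active');
CREATE TABLE email_outbox (id INTEGER PRIMARY KEY, recipient TEXT NOT NULL,
    subject TEXT NOT NULL, attempts INTEGER NOT NULL DEFAULT 0,
    next_attempt_at TEXT NOT NULL, status TEXT NOT NULL DEFAULT 'pending',
    last_error TEXT);
"""

def accept_offer(conn, candidate, accepting_firm, now):
    """Withdraw the candidate's other active applications and queue one notice
    per affected firm in ONE transaction; any error rolls all of it back."""
    conn.execute("BEGIN")
    try:
        rows = conn.execute(
            "SELECT a.id, a.firm, f.contact_email FROM applications a "
            "JOIN firms f ON f.name = a.firm WHERE a.candidate = ? "
            "AND a.firm <> ? AND a.status = 'active'",
            (candidate, accepting_firm)).fetchall()
        for app_id, _firm, contact in rows:
            conn.execute("UPDATE applications SET status = 'withdrawn' WHERE id = ?",
                         (app_id,))
            conn.execute("INSERT INTO email_outbox (recipient, subject, next_attempt_at)"
                         " VALUES (?, ?, ?)",
                         (contact, f"{candidate} withdrew", now.isoformat()))
        conn.execute("COMMIT")
        return [firm for _, firm, _ in rows]
    except Exception:
        conn.execute("ROLLBACK")        # undoes the UPDATEs already issued too
        raise

def reschedule(failed_attempts, now):
    """State after attempt number `failed_attempts` (1 = initial send) failed:
    ('pending', retry_at), or ('dead', None) once the schedule is exhausted."""
    if failed_attempts > len(BACKOFF_MINUTES):
        return "dead", None
    return "pending", now + timedelta(minutes=BACKOFF_MINUTES[failed_attempts - 1])

def drain_due(conn, now, send):
    """Try every due message once; `send(recipient, subject)` raises on failure."""
    due = conn.execute("SELECT id, recipient, subject, attempts FROM email_outbox "
                       "WHERE status = 'pending' AND next_attempt_at <= ?",
                       (now.isoformat(),)).fetchall()
    for msg_id, recipient, subject, attempts in due:
        attempts += 1
        try:
            send(recipient, subject)
            conn.execute("UPDATE email_outbox SET status = 'sent', attempts = ? "
                         "WHERE id = ?", (attempts, msg_id))
        except Exception as exc:
            status, retry_at = reschedule(attempts, now)
            conn.execute("UPDATE email_outbox SET status = ?, attempts = ?, "
                         "next_attempt_at = ?, last_error = ? WHERE id = ?",
                         (status, attempts, (retry_at or now).isoformat(),
                          str(exc), msg_id))

def demo():
    """Constructed scenario: one clean fan-out, one that must roll back, and
    an SMTP relay that never recovers."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT
    conn.executescript(SCHEMA + """
        INSERT INTO firms VALUES ('Acme LLP', 'recruiting@acme.example'),
            ('Beta LLP', 'recruiting@beta.example'), ('Gamma LLP', NULL);
        INSERT INTO applications (candidate, firm) VALUES
            ('cand-1', 'Acme LLP'), ('cand-1', 'Beta LLP'),
            ('cand-2', 'Acme LLP'), ('cand-2', 'Gamma LLP');
    """)
    t0 = datetime(2026, 4, 30, 9, 0, tzinfo=timezone.utc)
    notified = accept_offer(conn, "cand-1", "Acme LLP", t0)
    try:
        accept_offer(conn, "cand-2", "Acme LLP", t0)   # Gamma LLP has no address
    except sqlite3.IntegrityError:
        pass
    cand2_withdrawn = conn.execute(
        "SELECT count(*) FROM applications WHERE candidate = 'cand-2' "
        "AND status = 'withdrawn'").fetchone()[0]

    def dead_relay(recipient, subject):
        raise ConnectionError("smtp timeout")

    timeline, now = [], t0
    for _ in range(7):                            # more rounds than retries
        drain_due(conn, now, dead_relay)
        status, attempts, next_at = conn.execute(
            "SELECT status, attempts, next_attempt_at FROM email_outbox").fetchone()
        timeline.append((status, attempts))
        now = datetime.fromisoformat(next_at)     # jump straight to the retry time
    return {"notified": notified, "cand2_withdrawn": cand2_withdrawn,
            "timeline": timeline,
            "minutes_until_dead": int((now - t0).total_seconds() // 60)}
```

The second accept_offer call shows the point of the transaction: cand-2's Gamma application is never left withdrawn without its notice, because the failed INSERT rolls the UPDATE back with it. The drain loop shows the other half: a message that keeps failing is retried at 1, 5, 15, 30 and 60 minutes and then parked as dead, 111 minutes after the first attempt, rather than retried forever.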
Compliance
- Migration 152. Audited 100 firms × 4 verifiable fields (program
type, billable hours, starting salary, work assignment). 257
citations recorded; 143 unverified fields wiped rather than left
asserting unverifiable claims.
What's improved
- Mobile audit pass, auth flow padding, signup grid, time pickers,
team-invite role buttons.
- Tightened CSP in production (drops unsafe-eval); full nonce
rollout planned per the security runbook.
- Sitemap regen with the new /demo, /help, /status, /legal pages.
- Footer carries /help and /status alongside the existing legal
links.
What's coming
- Public changelog (this page).
- Sales comparison content for prospects evaluating Big Law Bear vs
legacy ATS systems.
- Continued deepening of the firm portal, calendar conflict UX,
bulk action shortcuts, automated reference checks.
April 15, 2026
Security review, Pillar 1 hardening
What's new
A six-week independent security review surfaced 35 findings across
critical / high / medium / low severities. We've closed 21 of them in this
batch:
Crits + Highs (closed)
- Row-level security (RLS) on outreach tables. Every cross-firm
enumeration vector is blocked at the database boundary.
- Voice-memo bucket scoping. Storage policies now match the firm
that owns the recording, not "any authenticated user."
- Gold Stars race fix. Concurrent star + un-star operations now
acquire a parent-row lock, eliminating the duplicate-row race.
- Application files / offer letters / exports. All three buckets
scoped to the owning firm via (storage.foldername(name))[1].
- Webhook event dedup. Stripe, Resend, Daily.co, and Zoom retries
no longer double-process events.
- Signed offer-letter download token. One-shot tokens replace the
permanent storage URLs on the candidate-facing signing page.
- Inbound mail signature verification. AEDT opt-out replies now
verify Svix signatures end-to-end.
- Outbound email log. Every send is correlated to its delivery /
bounce / complaint event for auditability.
- Firm-admin write policies. Member-vs-Admin distinction
consistently enforced at the DB layer, not just the UI.
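As an added example (not Big Law Bear's code) of two items in the list above, "Webhook event dedup" and "Inbound mail signature verification": verify a Svix-style signature first, then claim the event id so a redelivery is processed once. The scheme is the one Svix documents and Resend's webhooks use: HMAC-SHA256 over "<svix-id>.<svix-timestamp>.<body>", keyed with the base64 secret that follows the "whsec_" prefix, compared against the "v1,<base64>" entries of the svix-signature header, with a five-minute timestamp tolerance. The secret, headers and payload below are constructed for the example, and the ledger table is an assumption.

```python
import base64
import hashlib
import hmac
import sqlite3

TOLERANCE_SECONDS = 300   # Svix's documented replay window: five minutes

def _expected_signature(secret, msg_id, timestamp, body):
    key = base64.b64decode(secret.split("_", 1)[1])        # strip "whsec_"
    signed = f"{msg_id}.{timestamp}.".encode() + body
    return base64.b64encode(hmac.new(key, signed, hashlib.sha256).digest()).decode()

def verify_svix(secret, headers, body, now):
    """True only if some v1 signature matches and the timestamp is fresh."""
    try:
        msg_id = headers["svix-id"]
        timestamp = int(headers["svix-timestamp"])
        signatures = headers["svix-signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = _expected_signature(secret, msg_id, timestamp, body)
    for entry in signatures.split():       # several entries while a secret rotates
        version, _, sig = entry.partition(",")
        if version == "v1" and hmac.compare_digest(sig, expected):
            return True
    return False

class EventLedger:
    """Processed event ids. The primary key is what makes the second of two
    concurrent deliveries lose; on Postgres the same INSERT takes
    ON CONFLICT DO NOTHING. sqlite3 in memory stands in here."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE webhook_events (source TEXT, event_id TEXT, "
                          "PRIMARY KEY (source, event_id))")

    def claim(self, source, event_id):
        cur = self.conn.execute("INSERT OR IGNORE INTO webhook_events VALUES (?, ?)",
                                (source, event_id))
        self.conn.commit()
        return cur.rowcount == 1           # 0 when the id was already recorded

def handle(ledger, secret, headers, body, now, processed):
    """Verify before dedup: a forged delivery must not be able to burn the id
    of a genuine event that has not arrived yet."""
    if not verify_svix(secret, headers, body, now):
        return "rejected"
    if not ledger.claim("resend", headers["svix-id"]):
        return "duplicate"
    processed.append(body)
    return "processed"

def demo():
    secret = "whsec_" + base64.b64encode(b"constructed-example-secret").decode()
    body = b'{"type":"email.complained","data":{"email_id":"evt_example"}}'
    now = 1_777_000_000.0                  # constructed clock
    msg_id, ts = "msg_example_001", int(now) - 10

    def headers_for(mid, t, payload):      # what the sender would attach
        return {"svix-id": mid, "svix-timestamp": str(t),
                "svix-signature": "v1," + _expected_signature(secret, mid, t, payload)}

    ledger, processed = EventLedger(), []
    good = headers_for(msg_id, ts, body)
    tampered = body.replace(b"complained", b"delivered")
    stale = headers_for("msg_example_002", int(now) - 3600, body)
    return {
        "first": handle(ledger, secret, good, body, now, processed),
        "redelivery": handle(ledger, secret, good, body, now, processed),
        "tampered": handle(ledger, secret, good, tampered, now, processed),
        "stale": handle(ledger, secret, stale, body, now, processed),
        "processed": len(processed),
    }
```

The same claim() keyed on ("stripe", event.id), ("zoom", event_id) and so on covers the other providers named in the bullet; what changes per provider is only the signature check in front of it.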
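As an added example (not Big Law Bear's code) of the "Signed offer-letter download token" item above: a one-shot, expiring, HMAC-signed token standing in for a permanent storage URL. The token binds the object path, the candidate, an expiry and a random nonce; redemption checks the MAC before reading any claim, then consumes the nonce, so a leaked or forwarded link works at most once and only for the right candidate. The key, the storage path and the ids are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(key, path, candidate_id, ttl_seconds, now):
    """Token = base64url(claims) '.' base64url(HMAC-SHA256(key, claims)).
    The nonce makes it one-shot; exp bounds how long an unused token lives;
    binding candidate_id stops a forwarded link."""
    claims = {"p": path, "c": candidate_id, "exp": int(now) + ttl_seconds,
              "n": secrets.token_hex(16)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(hmac.new(key, payload, hashlib.sha256).digest())

class Redeemer:
    """Validates a token and burns its nonce. `spent` is an in-memory set here;
    in production it is a table keyed by nonce that also stores exp, so rows
    can be purged once they could no longer validate anyway."""

    def __init__(self, key):
        self.key = key
        self.spent = set()

    def redeem(self, token, candidate_id, now):
        """Return (storage_path, 'ok') or (None, reason)."""
        try:
            payload_b64, tag_b64 = token.split(".")
            payload, tag = _unb64(payload_b64), _unb64(tag_b64)
        except ValueError:                       # wrong shape or bad base64
            return None, "malformed"
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None, "bad-signature"         # nothing inside is trusted before this
        claims = json.loads(payload)
        if claims["exp"] < now:
            return None, "expired"
        if claims["c"] != candidate_id:
            return None, "wrong-candidate"
        if claims["n"] in self.spent:
            return None, "already-used"
        self.spent.add(claims["n"])              # consume before serving the file
        return claims["p"], "ok"

def demo():
    key = secrets.token_bytes(32)                # constructed; a real key comes from a secrets manager
    path = "offer-letters/firm_123/cand_42/offer.pdf"   # constructed object path
    t0 = 1_777_000_000.0                         # constructed clock
    r = Redeemer(key)
    token = mint(key, path, "cand_42", 600, t0)
    forged_claims = json.dumps({"p": "offer-letters/firm_999/x.pdf", "c": "cand_42",
                                "exp": 2_000_000_000, "n": "0"}).encode()
    forged = _b64(forged_claims) + "." + token.split(".")[1]   # genuine tag, other claims
    return {
        "first": r.redeem(token, "cand_42", t0 + 5),
        "second": r.redeem(token, "cand_42", t0 + 6),
        "forwarded": r.redeem(mint(key, path, "cand_42", 600, t0), "cand_99", t0 + 5),
        "expired": r.redeem(mint(key, path, "cand_42", 600, t0), "cand_42", t0 + 601),
        "forged": r.redeem(forged, "cand_42", t0 + 5),
        "garbage": r.redeem("not.a.token", "cand_42", t0),
    }
```

The order of checks matters: MAC first so that no untrusted claim is parsed, expiry and candidate binding next, and the nonce last, so that a rejected request never burns a nonce that a legitimate retry might still need.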
Carryovers
- CSP nonce rollout (H8): partial mitigation shipped (drop unsafe-eval
in prod, scope origins). Full nonce migration tracked in a dedicated
runbook for a separate batch.
- Cross-firm fan-out atomicity (H11): closed in the next batch via a
Postgres RPC + transactional queue.
We also published our methodology so customers can verify our claims:
the security review report lives in the repo, and the per-firm
data-citation table tracks the sources behind every public claim we
make about a firm.