Changelog

Platform Admin Overhaul, Evidence Panel & Blog Expansion

• Platform admin: full org editing (name, country, sector, entity type, employees, revenue), user provisioning with tier/billing/locale, last-admin protection, owner badge — 28 procedures (was 24)
• Evidence panel upgrade: multi-file drag-and-drop upload, XHR progress bars, 50 MB limit, 24 file types
• 4 new blog articles from real EU/ENISA developments (9 total). Chronological sorting, anchor navigation fix (ScrollToHash)
• Organization + user locale management: language selectors in admin create/edit flows for all 8 EU locales

Blog System, Sidebar Redesign & Locale Fixes

• Full blog system: landing section with featured post, /blog listing page, /blog/[slug] article pages with 5 initial articles
• Sidebar redesigned with grouped navigation sections: Overview, Compliance, Security, Operations, Enterprise
• Locale fallback fix for getRegulation + getAssessments — completes all 4 compliance procedures across all languages
• Dashboard compliance score and control health now work correctly in all 8 EU locales

Landing Page Enterprise Update

• New EnterpriseReadiness.tsx dark section: audit program, management review, auditor portal, readiness score
• Features section expanded to 10 cards: +Internal Audit Program, +Certification Readiness
• Pricing: Business tier enterprise features + 4 new comparison table rows
• FAQ expanded to 18 questions with 2 enterprise-specific FAQs
• HowItWorks Step 4 updated for certification path; CTA updated for certification readiness

Enterprise Readiness (Business Tier)

• Enterprise router with 24 tRPC procedures — gap verification, internal audit, management review, auditor portal
• DB migration 0021: 13 enums, 5 tables, 5 org columns for enterprise features
• Gap verification workflow with evidence collection and approval chain
• Internal audit program (/audit-program) with findings management and action tracking
• Management review lifecycle (/management-review) with readiness scoring
• External auditor portal: token-based read-only API for third-party auditors
• 169 new i18n keys across 8 EU locales (1743 total)

AI Caching, Queue Monitoring & Rate Limiting

• AI response caching (Redis, SHA-256 keys) — suggestGapAnswer 24h, sectionSummary 12h, scoreRisk 24h
• AI token/cost tracking with admin dashboard for usage analytics
• BullMQ queue monitoring dashboard for all 7 async job queues
• Redis-backed rate limiting with 4 tiers (anonymous, authenticated, AI, admin)
• Frontend tier-gating: useTierGate hook + UpgradeDialog for feature access control
• 5 email templates added; session cleanup cron job; Sentry release tracking

Audit Log Detail View & Billing Redesign

• Audit log: expandable rows with field-level diffs, user/date filters, snapshot display
• Billing redesign: tier-specific gradient cards, animated monthly/annual toggle, responsive invoice grid
• Removed support tiers from pricing — full self-service model
• 11 new i18n keys across all 8 locales (1568 total); native DE/SL/CS/HU/PL/RO translations for audit log

Enterprise Features: SSO, BYOK & Audit Log UI

• SSO Settings UI: full SAML/OIDC configuration page for Business tier
• BYOK Encryption Settings UI: key management with init/rotate/revoke workflows
• Dedicated /audit-log page with entity/action filters and change history
• TierGate component: reusable upgrade prompt for tier-gated features
• Dashboard dual-source: getDashboard derives from gapAnalysisResponses with assessment fallback
• 1557 i18n keys × 8 locales at 100% coverage; fixed duplicate keys in EN/HR

Migrations, Feature Overhaul & Production Readiness

• DB migrations 0016–0019 applied: created_by columns for policies, incidents, suppliers, training
• Comprehensive feature overhaul: i18n, role gating, UX consistency across all 10+ app pages
• Production readiness report: score 93.95/100
• Reports: approver-gated export with audit logging; NCA contacts: region labels translated
• AI Assistant: Loader2 spinner, Input component, toast notifications
• Bug reports: server-side search, Loader2 on delete, 27 new validator tests (626 total)
• 1476 i18n keys across all 8 EU locales, 100% coverage verified

Gap Analysis UX Overhaul

• Inline segmented answer buttons (desktop) with mobile fallback; sticky search/filter toolbar with color-coded count pills
• Progressive disclosure for notes and evidence; collapsible AI suggestion cards
• Evidence panel fully internationalized (16 new keys); all priority/risk/confidence labels translated
• Clean up unused imports and dead properties; i18n 100% across all 8 locales (1362 keys)

Dashboard i18n & Complete Locale Coverage

• Complete dashboard i18n: policies, NCA contacts, training, billing, management, supply chain — zero hardcoded English strings
• Training: 11 modules restructured to i18n key refs; billing: 55 new keys with dynamic date locale
• Management attestation document fully translated (30 keys); NCA milestone tooltips internationalized
• All 8 EU locales (EN, HR, DE, SL, HU, CS, PL, RO) at 1330 keys, 100% parity

Risk Register Bug Fix & Lifecycle Improvements

• Fixed risk create-after-delete bug: defensive error handling, nullable field fixes, state cleanup on delete
• Audit log write failures now caught gracefully — never break user mutations
• Delete uses .returning() with row verification; submit trims whitespace; error messages now visible

Risk Lifecycle, Incident Reporting & Bug Reports

• Risk register: bidirectional status flow, delete confirmation dialog, server-side transition validation
• AI locale-awareness: replaced hardcoded locale "en" with useLocale() in 6 pages for localized AI responses
• Incident reporting: status filters, NCA deadline enqueuing, timeline notes, archive functionality
• Bug reports: full CRUD with admin triage, environment auto-capture, i18n
• i18n: +29 new keys (1083 total), 100% coverage across all 8 EU locales

Landing Page Overhaul & Dashboard i18n

• Hero section redesigned: product dashboard mockup, "Get Started" CTA, trust signals (GDPR, EU Data Centers, AES-256)
• GDPR cookie consent banner — blocks Google Analytics until user accepts; Privacy Policy updated
• New /contact page with form, response SLA, and direct email fallback
• New /security Trust Center page — encryption, data residency, audit trail, certifications roadmap
• Google & Microsoft OAuth buttons on login/signup; terms consent checkbox added
• FAQ expanded from 6 to 17 questions with 5 category tabs; pricing comparison table added
• Social proof section: 15 NIS 2 sector icons; SEO structured data (JSON-LD)
• All 11 dashboard widgets + app shell fully internationalized: 115+ new keys (886 total), 100% coverage

Landing Page Visibility & CSP Fixes

• Landing page copy corrections and black CTA buttons across all sections
• CSP nonce correctly propagated to all inline scripts via Next.js middleware
• All documentation updated with latest feature coverage

Vercel Infrastructure & API Hardening

• API deployed as Vercel serverless function with tsup bundling
• Resilient API boot — catches startup errors instead of crashing
• All @shieldbase/* packages bundled inline for Vercel compatibility

AI Engine Expansion & Test Coverage

• 5 new AI features: risk scoring, risk treatment, supplier assessment, training recommendations, report narratives
• 555 unit tests across 32 files — including 46 new AI prompt tests and 32 router mutation tests
• Server-side pagination on all 5 list endpoints with total counts
• Per-user AI rate limiting (20 req/min) across all 11 AI procedures
• DB performance indexes on audit_log, sessions, incidents, risks, and more

UI/UX Polish — Every Feature Page

• Risk register: interactive heatmap, AI auto-scoring, treatment workflow with status advancement
• Gap analysis: search + filter toolbar, accordion layout with AI section summaries
• Supply chain: AI supplier assessment panel with risk scoring and recommendations
• Training: AI-recommended modules, per-user progress tracking
• Policies: version history dialog, expiry notification badges, tag management
• Settings: profile editing, session management, notification preference controls

Critical Bug Fixes & Infrastructure

• Fixed 2FA toggle bug — settings now reads actual TOTP status from user profile
• CSP nonce wired end-to-end: middleware generates, headers propagate, layout consumes
• Session management UI — view active sessions, revoke by session, "Current" badge
• Health endpoint enhanced — checks DB connectivity, returns structured status with version
• i18n: all 8 locales at 100% coverage (725+ keys each)

Incident Milestones, Policy Tags & Dashboard Widgets

• Per-milestone NCA submission tracking (24h early warning, 72h notification, 30-day final report)
• Policy tagging system with UI badge pills and review date warnings
• Dashboard widgets: active incidents card, compliance score gauge, risk heatmap mini
• DB migrations 0013–0015: incident NCA fields, supplier AI summary, policy tags, performance indexes, notification preferences
• Alpha testing banner, PWA icons, favicon set, and middleware matcher fixes

Copy Consistency, SEO & Analytics

• All contact emails unified to [email protected] across landing page and subpages
• Pricing & tier copy aligned across Pricing, Documentation, Investors, and About pages
• Google Analytics (gtag.js) added site-wide via Next.js Script component
• Investors page: corrected Business tier to €349/mo, timeline aligned with NIS 2 focus
• Full SEO audit — Investors page upgraded with OG, Twitter cards, hreflang, and added to sitemap
• FAQ updated: additional regulation modules (DORA, GDPR) marked as coming soon

Social Login & Tier Simplification

• Google & Microsoft OAuth with PKCE S256 and CSRF state protection
• MFA enforcement — OAuth users with TOTP still complete 2FA
• Free tier removed — Starter is now the entry plan (€99/mo)
• OAuth rate limiting (10 req/min) on all social login endpoints

Role System Refactor

• Four clear functional roles: Admin, Approver, Editor, Reader
• Granular tRPC middleware: adminProcedure, approverProcedure, writerProcedure
• Minimum-admin and minimum-approver safety constraints per organisation

Compliance Audit Trail

• Full before/after change log on 20+ mutation endpoints (NIS 2 Art. 21 evidence)
• Structured JSONB diffs with field-level comparison and snapshot storage
• Queryable history: filter by regulation, entity, user, date range

Security Hardening, SSO & BYOK

• Deep security audit — 2 critical IDOR fixes, 5 RBAC fixes, 3 defense-in-depth patches
• Row-Level Security (RLS) on 13 tenant-scoped tables
• SAML SSO with IdP configuration, enforcement toggle, and assertion replay protection
• BYOK encryption — AES-256-GCM envelope encryption with key rotation
• Security headers, CSRF protection, and auth rate limiting

Billing & Tier Enforcement

• Stripe billing integration with checkout, portal, invoices, and webhooks
• Tier enforcement on user limits, AI usage, risk entries, storage, and regulations
• Billing UI with plan cards, monthly/annual toggle, and invoice history

AI Engine & Validators

• Claude & GPT-4o providers with automatic failover routing
• 4 AI features live: policy generation, gap analysis, compliance chat, incident reports
• 391 unit tests across 20 test files — validators, prompts, rate limiter, tier limits

Full Platform Build

• 10 app pages — dashboard, gap analysis, risk register, policies, incidents, and more
• Auth system with bcrypt, TOTP 2FA, session tokens, and email verification
• Landing page, onboarding flow, i18n (EN + HR), and 20+ database tables

Project Scaffold

• Turborepo + pnpm monorepo with 8 packages
• 13 project documents — PRD, design system, security model, legal pack, and more