Shipping log
What shipped, when. Every entry below corresponds to merged, tested work — this page is generated from the same history an acquirer’s diligence team would read.
Anyone can now paste an execution-ledger export at /ledger-verify and recompute the SHA-256 hash chain in their own browser — plus a live public status page at /status. Self-hosted typography (Inter + Space Grotesk) and a unified motion system shipped alongside.
Org admins connect Salesforce from Settings → Integrations with a standard OAuth web-server flow — no manual Connected-App credential entry. Tokens are AES-256-GCM encrypted at rest.
GET /api/governance/audit/dcaa exports the org-scoped execution ledger as CSV or JSON for defense-contract audit workflows. Parameters are exported as SHA-256 hashes; access is owner/admin only and rate-limited.
The Nervos bot installs into a workspace via OAuth from Settings → Notifications. Approvers see proposals with Approve / Reject buttons inline; every decision is signature-verified, role-checked, and audit-logged.
A GDPR-aligned Data Processing Agreement template, a formal sub-processor register, and a security & engineering code of conduct joined the security documentation set, with the SOC 2 controls mapping updated to match.
QAMO board runs and write actions now meter against the billing tier, with clear 402 upgrade paths, usage meters on the billing page, and seat limits enforced on team invites.
Every remaining API surface — team, notifications, connectors, logout, demo seeding, proposal approve/reject — now carries distributed rate limiting, closing the gaps found in an internal audit.
Salesforce Task, Opportunity, Account, and Case creation now run through the same approve → execute → hash-chained ledger pipeline as NetSuite, with automatic delete-compensation rollback on created records.
Content-Security-Policy moved to per-request nonces, and connector credentials began migrating to Supabase Vault as the primary secret store (ADR-005).
All critical and high findings from the pre-audit penetration review were fixed, including privilege-escalation and cross-tenant vectors verified against the production database.
A due-diligence replay script lets an auditor or acquirer independently verify 13 platform claims — from RLS isolation to ledger integrity — with nothing but curl.
Every stage of every governed write — preflight, execute, persist, rollback, replay — appends to a SHA-256 hash-chained, append-only ledger, verifiable per proposal via API.
Reversible actions gained compensating writes (vendor bill → void transaction) and idempotent replay — re-driving a failed execution cannot double-write.
The legacy agent system was deleted in favor of one canonical engine: five specialist agents in parallel, grounded in live web signals, synthesized by a coordinator with deterministic Monte Carlo scenario modeling.
Earlier history — the QAMO engine, multi-tenant RLS foundation, Monte Carlo scenario modeling, and the NetSuite governed-write reference workflow — predates this public log.