Changelog

Everything we've
shipped.

Every feature, fix, and trust improvement. Released continuously. No marketing gloss — these are the actual commits.

Content integrity — readiness methodology whitepaper retired

1 entries  ·  0 features  ·  1 fixes  ·  0 trust

  1. FIX

    Readiness Score methodology whitepaper withdrawn

    The paper claimed its insurance-discount ranges were calibrated against published industry loss ratios — a calibration we could not substantiate. Rather than soften the claim, we withdrew the paper. Four methodology disclosures remain at /whitepapers. The readiness scoring engine itself is unchanged and still drives every score in the platform.

Pre-launch hardening — six audit rounds, twelve PRs

12 entries  ·  4 features  ·  5 fixes  ·  3 trust

  1. TRUST

    /api/dev/* routes invisible to anonymous prod scanners

    Added explicit 404 handlers for GET/HEAD/OPTIONS/PUT/PATCH/DELETE on the dev-only test-email and confirm-email routes. Next.js returns 405 by default for undefined verbs on a defined route, which leaks the route surface. POST handler stays prod-gated as before.

  2. TRUST

    GraphQL introspection disabled in production

    Anonymous __schema query at /api/graphql previously exposed all 34 mutations and the full entity model — useful recon for an attacker mapping the auth surface. Now gated on VERCEL_ENV !== production. Dev + preview keep introspection for Apollo Sandbox.

  3. TRUST

    Auth-page cache hardening + framework fingerprint stripped

    Cache-Control: no-store on /login, /signup, /reset-password, /update-password, /auth/*. /auth/callback no longer reflects verbatim Supabase SDK errors in the URL. X-Powered-By: Next.js header removed.

  4. FEAT

    Magic-link signup → checkout funnel

    /signup replaced the legacy /contact redirect with a real two-field magic-link form (name + email). Middleware now routes unauthed /checkout → /signup so first-time buyers land on the signup form, not the login wall. Server-rendered so labels + inputs ship in the initial HTML payload, not just after hydration.

  5. FEAT

    Branded OG share cards on the five most-shared pages

    /pricing, /services, /scenarios, /community, /security each ship a 1200×630 Next.js Edge-rendered OG image. Slack and LinkedIn previews now show the right page-specific card instead of a blank fallback.

  6. FEAT

    Trust signals on /security: subprocessors, DPA, SSO/MFA, breach SLA

    Subprocessors table (Vercel, Supabase, Stripe, Resend, Anthropic optional) with purpose, data class, and region. Data Processing Agreement on request. SSO (SAML/OIDC) and MFA rows added to the compliance posture table — honest "Roadmap" state. Customer breach-notification SLA: 72 hours to org owners.

  7. FEAT

    Product + Offer JSON-LD on /pricing

    Three Product entries (Foundation $7,500 / Operational $15,000 / Enterprise $35,000) with Brand + Offer + seller, each marked InStock. Eligible for Google rich-result "$7,500 · In Stock" snippets that competitors hiding pricing behind contact forms cannot earn.

  8. FIX

    Per-page canonical URLs

    Root layout previously set alternates.canonical: "/", which Next.js inherited to every page. Every non-/ page told Google "my canonical is /", folding /pricing, /services, /security link equity into the homepage. Per-page canonical metadata now correctly self-identifies each commercial page.

  9. FIX

    Sitemap expanded to include all commercial pages

    Added /pricing, /services, /scenarios, /community, /products, /contact to sitemap.xml. Whitepapers + /readiness-check + /about + /security were already listed; the highest-intent commercial pages were not. Priority weighting reflects funnel intent.

  10. FIX

    Default reply-to for transactional email

    FROM address sits on the Resend-verified mail.afteraction.dev subdomain, which has no inbox. Transactional emails now default Reply-To to info@afteraction.dev so customer replies actually reach a person.

  11. FIX

    A11y: labels on every lead-capture input

    LeadMagnetForm inputs on /services had only placeholders. Now ship sr-only <label htmlFor> + aria-label + autoComplete. Zero visual change. WCAG 2.1 SC 1.3.1 + 3.3.2.

  12. FIX

    Content integrity: stripped unsubstantiated metrics across 9 pages

    Pre-launch /services, /pricing, /login, /get-assessed, and all 7 /services/<sector> pages carried fabricated client outcomes ("40% Faster IR", "120+ Exercises Run", "Trusted by 7 sectors", etc.). Tomorrow is the first paying customer. Every fabricated stat was replaced with platform facts that are true today, removed entirely, or pulled from a canonical source (pricing tiers from @/lib/pricing, methodology claims from /whitepapers).

Public lead-gen funnel + trust surface

17 entries  ·  7 features  ·  7 fixes  ·  3 trust

  1. FEAT

    Free 2-minute Readiness Check

    8-question cyber readiness preview with instant scoring across the NIST 800-61 capability areas. No signup. Share results on LinkedIn/X with one click or email the breakdown to any address. Feeds directly into the ops leads pipeline with source tracking.

  2. FEAT

    Whitepaper library

    Five methodology disclosures published at /whitepapers: Readiness Score Methodology, Mispriced Risk, FAIR Risk Quantification, AAR Auto-Drafting, and Decision Analytics. Markdown-rendered with per-whitepaper Open Graph cards and TechArticle JSON-LD.

  3. FEAT

    Public trust pages

    /about (founder + principles), /security (8 controls + compliance posture), /privacy (GDPR-aware policy). Linked from the homepage footer and cross-referenced from the whitepaper and readiness-check pages.

  4. FEAT

    Ops visibility: email sequences + suppressions

    Two new internal monitoring pages track enrollment status (active, completed, unsubscribed, failed) and the blocked email list (hard bounces, complaints, unsubscribes). Wired into the ops sidebar nav.

  5. FEAT

    Leads page source filter

    Source filter chips and a "self-serve (mo)" stat card track which funnels are producing. Ops dashboard also gained a clickable "new leads (7d)" stat that routes to the pipeline.

  6. FEAT

    Email unsubscribe flow

    HMAC-signed one-click unsubscribe link in every sequence email. Clicking cascades into the email_suppressions table so no future transactional mail hits that address. Honors RFC 8058 one-click POST.

  7. FEAT

    Exercise request notification

    When a client submits a self-service exercise request from the scenario library, a notification email now fires to ops automatically. Client flow was working; visibility was the missing piece.

  8. FIX

    Docs site unreadable

    Every API doc and authentication reference was rendering white text on white background — the docs layout was designed for dark mode but wrapped in bg-white. Full migration to light theme, prose classes retuned for gray-900 headings and gray-700 body.

  9. FIX

    Checkout flow invisible headlines

    The Stripe checkout page and success page had "Review Your Order" and "Payment Confirmed" set to text-zinc-900 on a bg-white wrapper — invisible to every paying customer. Restored the intended dark theme.

  10. FIX

    Signup and reset-password white-on-white

    Both auth pages used legacy dark-theme tokens (text-zinc-900, bg-surface-container) inside a light wrapper. Headlines and input values were invisible. Rewrote on the design system with proper contrast and RHF validation.

  11. FIX

    Password recovery flow completely broken

    Neither /auth/callback nor /update-password existed. Users who clicked the reset-email link got 404s. Built both routes with open-redirect protection and added them to the stealth-gate exemption list.

  12. FIX

    Pricing page CTAs bypassed checkout

    Engagement tier "Get Started" buttons routed to /contact instead of /checkout?plan={tierId}. Self-serve Stripe payment was unreachable from the pricing page. Annual programs still route to /contact since they need scoping.

  13. FIX

    Facilitator control room hex literals

    Three text-brand-dark hardcoded colors replaced with text-gray-900. Design system compliance.

  14. FIX

    Contact form validation

    Migrated to react-hook-form + zod with inline error messages, proper htmlFor labels, and aria-invalid wiring.

  15. TRUST

    JSON-LD structured data

    Organization schema in the root layout (name, logo, founder, contact points). TechArticle schema per whitepaper. Enables Google Knowledge Graph and LinkedIn article previews.

  16. TRUST

    Dynamic Open Graph images

    Edge-rendered 1200x630 social cards for /whitepapers/[slug], /about, and /readiness-check. LinkedIn and X shares now render distinct cards instead of a generic brand image.

  17. TRUST

    sitemap.xml and robots.txt

    Public lead-gen surfaces now indexed. /app/*, /api/*, and auth routes explicitly disallowed for crawlers.

See where your program stands

2 minutes. 8 questions. No signup.