Everything we've
shipped.
Every feature, fix, and trust improvement. Released continuously. No marketing gloss — these are the actual commits.
Content integrity — readiness methodology whitepaper retired
1 entries · 0 features · 1 fixes · 0 trust
- FIX
Readiness Score methodology whitepaper withdrawn
The paper claimed its insurance-discount ranges were calibrated against published industry loss ratios — a calibration we could not substantiate. Rather than soften the claim, we withdrew the paper. Four methodology disclosures remain at /whitepapers. The readiness scoring engine itself is unchanged and still drives every score in the platform.
Pre-launch hardening — six audit rounds, twelve PRs
12 entries · 4 features · 5 fixes · 3 trust
- TRUST
/api/dev/* routes invisible to anonymous prod scanners
Added explicit 404 handlers for GET/HEAD/OPTIONS/PUT/PATCH/DELETE on the dev-only test-email and confirm-email routes. Next.js returns 405 by default for undefined verbs on a defined route, which leaks the route surface. POST handler stays prod-gated as before.
- TRUST
GraphQL introspection disabled in production
Anonymous __schema query at /api/graphql previously exposed all 34 mutations and the full entity model — useful recon for an attacker mapping the auth surface. Now gated on VERCEL_ENV !== production. Dev + preview keep introspection for Apollo Sandbox.
- TRUST
Auth-page cache hardening + framework fingerprint stripped
Cache-Control: no-store on /login, /signup, /reset-password, /update-password, /auth/*. /auth/callback no longer reflects verbatim Supabase SDK errors in the URL. X-Powered-By: Next.js header removed.
- FEAT
Magic-link signup → checkout funnel
/signup replaced the legacy /contact redirect with a real two-field magic-link form (name + email). Middleware now routes unauthed /checkout → /signup so first-time buyers land on the signup form, not the login wall. Server-rendered so labels + inputs ship in the initial HTML payload, not just after hydration.
- FEAT
Branded OG share cards on the five most-shared pages
/pricing, /services, /scenarios, /community, /security each ship a 1200×630 Next.js Edge-rendered OG image. Slack and LinkedIn previews now show the right page-specific card instead of a blank fallback.
- FEAT
Trust signals on /security: subprocessors, DPA, SSO/MFA, breach SLA
Subprocessors table (Vercel, Supabase, Stripe, Resend, Anthropic optional) with purpose, data class, and region. Data Processing Agreement on request. SSO (SAML/OIDC) and MFA rows added to the compliance posture table — honest "Roadmap" state. Customer breach-notification SLA: 72 hours to org owners.
- FEAT
Product + Offer JSON-LD on /pricing
Three Product entries (Foundation $7,500 / Operational $15,000 / Enterprise $35,000) with Brand + Offer + seller, each marked InStock. Eligible for Google rich-result "$7,500 · In Stock" snippets that competitors hiding pricing behind contact forms cannot earn.
- FIX
Per-page canonical URLs
Root layout previously set alternates.canonical: "/", which Next.js inherited to every page. Every non-/ page told Google "my canonical is /", folding /pricing, /services, /security link equity into the homepage. Per-page canonical metadata now correctly self-identifies each commercial page.
- FIX
Sitemap expanded to include all commercial pages
Added /pricing, /services, /scenarios, /community, /products, /contact to sitemap.xml. Whitepapers + /readiness-check + /about + /security were already listed; the highest-intent commercial pages were not. Priority weighting reflects funnel intent.
- FIX
Default reply-to for transactional email
FROM address sits on the Resend-verified mail.afteraction.dev subdomain, which has no inbox. Transactional emails now default Reply-To to info@afteraction.dev so customer replies actually reach a person.
- FIX
A11y: labels on every lead-capture input
LeadMagnetForm inputs on /services had only placeholders. Now ship sr-only <label htmlFor> + aria-label + autoComplete. Zero visual change. WCAG 2.1 SC 1.3.1 + 3.3.2.
- FIX
Content integrity: stripped unsubstantiated metrics across 9 pages
Pre-launch /services, /pricing, /login, /get-assessed, and all 7 /services/<sector> pages carried fabricated client outcomes ("40% Faster IR", "120+ Exercises Run", "Trusted by 7 sectors", etc.). Tomorrow is the first paying customer. Every fabricated stat was replaced with platform facts that are true today, removed entirely, or pulled from a canonical source (pricing tiers from @/lib/pricing, methodology claims from /whitepapers).
Public lead-gen funnel + trust surface
17 entries · 7 features · 7 fixes · 3 trust
- FEAT
Free 2-minute Readiness Check
8-question cyber readiness preview with instant scoring across the NIST 800-61 capability areas. No signup. Share results on LinkedIn/X with one click or email the breakdown to any address. Feeds directly into the ops leads pipeline with source tracking.
- FEAT
Whitepaper library
Five methodology disclosures published at /whitepapers: Readiness Score Methodology, Mispriced Risk, FAIR Risk Quantification, AAR Auto-Drafting, and Decision Analytics. Markdown-rendered with per-whitepaper Open Graph cards and TechArticle JSON-LD.
- FEAT
Public trust pages
/about (founder + principles), /security (8 controls + compliance posture), /privacy (GDPR-aware policy). Linked from the homepage footer and cross-referenced from the whitepaper and readiness-check pages.
- FEAT
Ops visibility: email sequences + suppressions
Two new internal monitoring pages track enrollment status (active, completed, unsubscribed, failed) and the blocked email list (hard bounces, complaints, unsubscribes). Wired into the ops sidebar nav.
- FEAT
Leads page source filter
Source filter chips and a "self-serve (mo)" stat card track which funnels are producing. Ops dashboard also gained a clickable "new leads (7d)" stat that routes to the pipeline.
- FEAT
Email unsubscribe flow
HMAC-signed one-click unsubscribe link in every sequence email. Clicking cascades into the email_suppressions table so no future transactional mail hits that address. Honors RFC 8058 one-click POST.
- FEAT
Exercise request notification
When a client submits a self-service exercise request from the scenario library, a notification email now fires to ops automatically. Client flow was working; visibility was the missing piece.
- FIX
Docs site unreadable
Every API doc and authentication reference was rendering white text on white background — the docs layout was designed for dark mode but wrapped in bg-white. Full migration to light theme, prose classes retuned for gray-900 headings and gray-700 body.
- FIX
Checkout flow invisible headlines
The Stripe checkout page and success page had "Review Your Order" and "Payment Confirmed" set to text-zinc-900 on a bg-white wrapper — invisible to every paying customer. Restored the intended dark theme.
- FIX
Signup and reset-password white-on-white
Both auth pages used legacy dark-theme tokens (text-zinc-900, bg-surface-container) inside a light wrapper. Headlines and input values were invisible. Rewrote on the design system with proper contrast and RHF validation.
- FIX
Password recovery flow completely broken
Neither /auth/callback nor /update-password existed. Users who clicked the reset-email link got 404s. Built both routes with open-redirect protection and added them to the stealth-gate exemption list.
- FIX
Pricing page CTAs bypassed checkout
Engagement tier "Get Started" buttons routed to /contact instead of /checkout?plan={tierId}. Self-serve Stripe payment was unreachable from the pricing page. Annual programs still route to /contact since they need scoping.
- FIX
Facilitator control room hex literals
Three text-brand-dark hardcoded colors replaced with text-gray-900. Design system compliance.
- FIX
Contact form validation
Migrated to react-hook-form + zod with inline error messages, proper htmlFor labels, and aria-invalid wiring.
- TRUST
JSON-LD structured data
Organization schema in the root layout (name, logo, founder, contact points). TechArticle schema per whitepaper. Enables Google Knowledge Graph and LinkedIn article previews.
- TRUST
Dynamic Open Graph images
Edge-rendered 1200x630 social cards for /whitepapers/[slug], /about, and /readiness-check. LinkedIn and X shares now render distinct cards instead of a generic brand image.
- TRUST
sitemap.xml and robots.txt
Public lead-gen surfaces now indexed. /app/*, /api/*, and auth routes explicitly disallowed for crawlers.
See where your program stands