Changelog

What we shipped, when.

Every release is dated and announced in-product to tenants. The recent items are below; once the changelog crosses ten entries, older ones move into an archive.

May 14, 2026

First production deploy + multi-user writes

  • Customer app went live on Vercel (Hobby plan) at the staging URL while DNS is wired to the registered domain.
  • Every store mutation now writes through to the Postgres tenant database, not just the local browser tab. A client, matter, or time entry created in one browser now shows up in another. (Closes the localStorage gap from the 3.2 store-swap.)
  • Server-side auth gate on / so the firm dashboard is never served to an unauthenticated visitor.

May 13, 2026

Compliance hardening + audit log

  • Zod-backed request validation across the API, with `parseJsonBody` as the canonical pattern.
  • Token-bucket rate limits on login (5/min per email), password reset (3/10min per user), and invite-accept (5/min per IP).
  • PII redaction in log statements — emails and phones masked before anything reaches `console.log`.
  • AES-256-GCM column encryption toolkit ready for SSN / DOB / bank-routing columns.
  • Audit log: every successful mutation writes an AuditEvent with actor + IP + user-agent. Owner-only viewer at Firm Settings → Audit Log.

May 13, 2026

Marketing site + legal documents

  • Public marketing site at apps/marketing/ — Home, Features, Pricing, About, Security, Contact, Demo.
  • Five public legal documents at /legal: Privacy, Terms, Security Practices (GLBA Safeguards Rule §314.4 mapped), DPA, Cookie Notice. Texas §521.053 breach-notification language across all.
  • Sub-processor list (Neon / Vercel / Resend / Sentry / Cloudflare / Better Stack) with 30-day-notice commitment.

May 13, 2026

Teammate invite flow

  • Owner enters email + role on /firm/team → API mints a 7-day token → invitee opens /accept-invite, sets a password, and lands in the studio with the right Membership.
  • Resend-backed magic-link email when configured; copy-paste link fallback when not.
  • Revoke, reissue, and expired/accepted state all in the team view.

May 12, 2026

Postgres + Auth.js + first-tenant seed

  • Multi-tenant Postgres schema with row-level security on every tenant-scoped table.
  • Auth.js: email + password + TOTP MFA + recovery codes. Force-reset on first login.
  • 11 system roles seeded into every tenant. Server-side `requirePermission` on every mutating endpoint.
  • Founder seed: T. Maxwell Smith, PLLC with three offices, twelve staff, 34 practice areas, full engagement-letter template + clause library.

What's next?

Sentry + Better Stack for production observability, the admin console, the DNS cutover to the custom domain, and the soft-launch with the founding firm. Customer firms see the next milestone in-product on the build-plan tab.
