Changelog

What we've shipped recently. Dates reflect when work merged to our main branch.

We only list items that are real engineering work with a linked pull request. When a capability is available to customers on the production domain, it also appears on our security and status pages.

  1. Trust

    Public status page + SOC 2 Type I target

    Shipped a public /status page that polls the app health endpoint every 30 seconds and links directly to the status pages of every infrastructure provider we depend on (Vercel, Supabase, Stripe, Upstash, SendGrid, Sentry). Our security page now locks a SOC 2 Type I target of Q3 2026 (July–September) and adds a 'What we do instead, today' callout so buyers can evaluate MVSP, whitepaper, and compliance posture without a sales call.

    PR #149
  2. Feature

    Team activity log for Business and Enterprise plans

    Added an org-scoped activity log under Settings → Activity for Business and Enterprise customers. Admins can audit who invited, removed, or reassigned members across the org, with clean pagination and deterministic empty states. Scoped through a new Business+ entitlement so the capability is backend-enforced, not a UI-only gate.

    PR #148
  3. Improvement

    Starter location cap raised to 3 + annual-savings and founding terms on pricing

    Multi-site small businesses on Starter can now create up to 3 locations (previously 1). Pricing page shows annual savings in dollars and percent ($298 / 17% on Pro, $698 / 17% on Business) so the monthly-vs-annual decision is explicit. Founding programme terms — 25 slots, 20% off for 12 months, case-study commitment — are now publicly disclosed instead of hidden in internal code.

    PR #146
  4. Security, Platform

    SQL parameterization hardening + foreign-key coverage

    Removed the last interpolated SQL fragments from dashboard and billing queries in favor of parameterized inputs. Added a source-table allowlist for dynamic queries and a migration to add missing foreign-key indexes on tenant-scoped tables, which prevents a class of tenant-isolation regressions at the database layer.

    PR #143
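To make the entry above concrete, here is an added example (written for this changelog, not code from the project's repository) of the three pieces it describes: a tenant-scoped query in its interpolated 'before' form and its parameterized form, a source-table allowlist for the one part of a query that cannot be bound as a parameter (the identifier), and a check that every tenant-scoped table has an index on tenant_id. The schema, table names, sample rows and the sqlite3 backend are all constructed for the demonstration and are not the project's own.

```python
import sqlite3

# Tables a dashboard or billing query may read from. Identifiers cannot be
# bound as parameters, so a dynamic table name is validated against this
# fixed set instead of being interpolated from caller input.
SOURCE_TABLES = frozenset({"dashboard_events", "billing_invoices"})

# Constructed schema: two tenant-scoped tables, only one of which starts out
# with a tenant_id index (the gap the migration below closes).
SCHEMA = """
CREATE TABLE dashboard_events (
    id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, payload TEXT);
CREATE TABLE billing_invoices (
    id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, amount_cents INTEGER);
CREATE INDEX idx_dashboard_events_tenant ON dashboard_events(tenant_id);
"""

# The migration step: add the missing tenant_id index so tenant filters stay
# cheap and a query without one stands out in EXPLAIN output.
INDEX_MIGRATION = """
CREATE INDEX IF NOT EXISTS idx_billing_invoices_tenant ON billing_invoices(tenant_id);
"""


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO dashboard_events (tenant_id, payload) VALUES (?, ?)",
        [("acme", "login"), ("acme", "export"), ("globex", "login")],
    )
    conn.executemany(
        "INSERT INTO billing_invoices (tenant_id, amount_cents) VALUES (?, ?)",
        [("acme", 4900), ("globex", 14900)],
    )
    return conn


def count_rows_before(conn: sqlite3.Connection, table: str, tenant_id: str) -> int:
    """'Before' form: the value is spliced into the SQL text, so any quote
    in tenant_id becomes part of the statement and the tenant filter can be
    rewritten by the input."""
    sql = f"SELECT COUNT(*) FROM {table} WHERE tenant_id = '{tenant_id}'"
    return conn.execute(sql).fetchone()[0]


def count_rows(conn: sqlite3.Connection, table: str, tenant_id: str) -> int:
    """Hardened form: identifier checked against the allowlist, value bound."""
    if table not in SOURCE_TABLES:
        raise ValueError(f"table not permitted: {table!r}")
    sql = f"SELECT COUNT(*) FROM {table} WHERE tenant_id = ?"  # table already validated
    return conn.execute(sql, (tenant_id,)).fetchone()[0]


def tables_missing_tenant_index(conn: sqlite3.Connection) -> list[str]:
    """Tenant-scoped tables (those with a tenant_id column) that have no index
    whose leading column is tenant_id. Names come from the catalog, not from
    callers, which is why PRAGMA statements may embed them directly."""
    missing = []
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        columns = [row[1] for row in conn.execute(f"PRAGMA table_info({table})")]
        if "tenant_id" not in columns:
            continue
        indexed = False
        for index_row in conn.execute(f"PRAGMA index_list({table})"):
            first = conn.execute(f"PRAGMA index_info({index_row[1]})").fetchone()
            if first is not None and first[2] == "tenant_id":
                indexed = True
        if not indexed:
            missing.append(table)
    return sorted(missing)


def apply_index_migration(conn: sqlite3.Connection) -> list[str]:
    """Run the index migration and return whatever is still unindexed."""
    conn.executescript(INDEX_MIGRATION)
    return tables_missing_tenant_index(conn)
```

The allowlist and the bound parameter do different jobs: the parameter keeps a value from changing the statement, while the allowlist keeps a caller from choosing which table the statement reads. The index check is the kind of thing worth running in CI against a migrated test database, so a new tenant-scoped table without its index fails before it reaches production.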
  5. Security

    Telemetry hygiene: raw error messages removed from logs

    Error messages now go to Sentry as structured extras (searchable by digest), not stringified into stdout logs where they could leak PII or request bodies. Structured JSON warning lines are now single-argument so they survive log pipelines cleanly.

    PR #142
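An added illustration of the logging pattern this entry describes, written here and not taken from the project's code: the raw error message is packaged as structured extras for the error tracker (keyed by a digest), while the line written to stdout carries only the digest and error type as a single JSON argument. The digest scheme, field names and the constructed error containing a sample e-mail address are assumptions for the demonstration.

```python
import hashlib
import json
import sys
from typing import TextIO


def error_digest(err: BaseException) -> str:
    """Stable short digest of the error type and message. It lets a stdout
    line be correlated with the tracker record without carrying the message."""
    raw = f"{type(err).__name__}:{err}".encode("utf-8")
    return hashlib.sha256(raw).hexdigest()[:16]


def tracker_extras(err: BaseException, request_id: str) -> dict:
    """Structured extras for the error tracker (Sentry in the entry above).
    This is the only place the full message travels, searchable by digest."""
    return {
        "error_digest": error_digest(err),
        "error_type": type(err).__name__,
        "error_message": str(err),
        "request_id": request_id,
    }


def warning_line_before(event: str, err: BaseException) -> str:
    """'Before' form: the exception is stringified straight into the log line,
    so whatever the message contains (identifiers, request data) reaches stdout."""
    return f"warning: {event}: {err}"


def warning_line(event: str, err: BaseException, request_id: str) -> str:
    """Single JSON document for stdout: digest and type, never the raw message."""
    record = {
        "level": "warning",
        "event": event,
        "error_type": type(err).__name__,
        "error_digest": error_digest(err),
        "request_id": request_id,
    }
    return json.dumps(record, separators=(",", ":"), sort_keys=True)


def log_warning(event: str, err: BaseException, request_id: str,
                stream: TextIO = sys.stdout) -> str:
    """Emit the warning as one argument so a log shipper sees exactly one
    JSON object per line, and return the line for inspection."""
    line = warning_line(event, err, request_id)
    print(line, file=stream)
    return line


if __name__ == "__main__":
    # Constructed failure whose message happens to contain an e-mail address.
    sample = ValueError("invoice lookup failed for jane@example.com")
    log_warning("billing.invoice_lookup", sample, "req-0001")
```

The digest is for correlation, not secrecy: anyone who already has the message can recompute it, which is fine, because the goal is to keep the message out of a pipeline that was never meant to hold it.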
  6. Security, Platform

    Weekly CVE scan + admin lockfile coverage

    CI now runs OSV-Scanner across both the customer app and the admin sibling lockfile on every PR and on a weekly cron. High-severity findings block merge. This closes a gap where the admin lockfile was previously unscanned.

    PR #141

Looking for something older or a specific area? Email hello@guidespend.com.