Changelog

Your AI assistant can now work your CRM directly — at https://api.pact.place/mcp/:

• Nine tools, live today — query_accounts, query_contacts, query_deals, query_pipeline_health, get_metric_explanation, ask_workspace, list_agents, fire_agent, and read_briefing.
• Consent-native — every record passes the same consent gate the product enforces; suppressed or withdrawn subjects are filtered out and the hidden count is reported back to the agent.
• BYOK-respecting — contact PII is read through your tenant's encryption keys, never around them.
• An audit row per call — tool, client, argument digest, latency, result count, and what the consent gate hid.
• Cost-attributed and rate-limited — AI tool spend lands in your usage ledger and is echoed in the response; per-tenant and per-tool limits stop runaway agent loops.
• Native OAuth — standard discovery metadata plus Dynamic Client Registration, so MCP-native clients connect with no pre-shared keys. Scoped pact_live_* API keys work too.

Setup guides for Claude, Cursor, and custom clients: [/integrations/mcp](/integrations/mcp).

One agent is useful; a chain of them is a process — at /admin/agents → Orchestrator:

• Five prebuilt orchestrations — lead → qualified, stalled-deal rescue, account 360 brief, inbox → action (with branched routing), and inbound funnel health.
• Explicit handoff contracts — each step declares exactly which fields of the previous agent's output it consumes; no prompt-soup between agents.
• Gates and forks — a qualification gate stops the chain on a non-fit; a fork routes an inbox item to support or sales by intent.
• Three new roster agents — account qualification (ICP fit from firmographics + engagement), site optimization (first-party tracking stream), and data validation (a measured SQL profile of your data — null rates, duplicates, out-of-range values — not guesses).
• Yours to edit — installing an orchestration materializes a normal workflow, fully editable in the visual builder. Every step stays consent-gated, cost-attributed, and audit-trailed.

Pact's dashboards can now live anywhere you need them:

• Signed-token embeds — each embed is authorized by a short-lived signed JWT minted by your backend; no Pact accounts for your viewers.
• White-label — your branding on the embedded surface, not ours.
• The guarantees travel with the data — rows are consent-filtered and every view is audited and metered, exactly as in-app.
• Five starter templates and an in-app configurator at /admin/embed to compose, brand, and preview an embed before you ship it.

• Layout shift on the dashboard is gone — the welcome hero and KPI strip no longer jump as data arrives; cumulative layout shift on the home and dashboard routes dropped from 0.62 to 0.02 in production measurement.
• Steadier under load — fixed a server-side memory growth pattern that could slow the web app during long sessions, plus a structural watchdog so it can't recur silently.

Zapier-class automation, native to your CRM data — at /admin/workflows:

• Visual canvas with real branching — conditions actually fork execution paths, not just filter a list.
• 4 trigger types and 12 actions spanning records, sequences, notifications, and webhooks.
• Test-run mode — execute a workflow against a sample record and read every step's outcome before you arm it.
• Versioning — published workflows are immutable snapshots; edit a draft, compare, then promote.
• Consent-gated by construction — any step that touches a contact checks the consent ledger at execution time and records a consent_blocked outcome instead of silently sending. Automation a DPO can sign off on.

Switching CRMs is the moment vendors fear and we optimize for — at /admin/migrate:

• Schema-aware mapping — Salesforce Accounts, Contacts, and Opportunities map to Pact's model with owner assignment and field history preserved.
• Dry-run first — a full reconciliation report (counts, collisions, unmapped fields) before a single record is written.
• Consent state carries over — opt-in/opt-out status lands in the consent ledger with provenance, so day-one sends are as compliant as day-100 sends.
• Deduplication built in — existing records match on identity, not blind inserts.

HubSpot, Pipedrive, Close, and Apollo importers are next on the roadmap; the CSV importer covers them today.

Procurement teams shouldn't have to take a marketing page's word for it — /trust renders from the same compliance registry the product enforces:

• Code-backed status — each framework's state (compliant / in progress / available) comes from the live trust-center payload, not hand-edited copy.
• ISO 27001:2022 program — 93 Annex-A controls tracked in-product with a risk register and Statement of Applicability.
• SIG-Lite auto-fill — generate vendor-questionnaire answers from the same control data.
• DSAR, BAA, and sub-processor documentation linked from one place.

Conversational answers over your own CRM data, built the Pact way:

• Citations on every answer — each claim links back to the source records it was derived from; no unsourced assertions.
• Consent-filtered retrieval — records you're not permitted to use never enter the context window.
• Resistant to prompt injection in your data — retrieved content is treated as data, not instructions.
• Audited — every question, answer, and citation set lands in the audit trail.
• Threads: ask a follow-up and the engine keeps the conversation's context.

The transparent weighted health score now has an ML sibling:

• Churn-risk model with per-signal explanations — every score ships with the contribution of each input signal, so "why did this account turn red" has a real answer.
• Risk gauge on account pages and the CS at-risk view — the explanation renders next to the number, not in a data team's notebook.
• The weighted baseline stays — weights you can see and tune live — and both layers are auditable back to source events.

Two ways to type less and capture more:

• Voice notes — tap the mic on any contact, company, or deal, talk, and Pact transcribes the audio, tidies the filler words, and attaches a clean note to the timeline. Works hands-free in the field on the mobile app.
• Magic Compose — an Apple-Intelligence-style menu on any text field: rewrite, shorten, expand, or change the tone, always in your tenant's brand voice. Changes land as a side-by-side diff you approve or reject — nothing is auto-saved.

Both run on a live model call and respect your AI cost controls.

The nine-agent framework now closes the loop:

• Override-and-learn — every agent suggestion can be accepted, edited, or rejected, and that feedback is stored per tenant so the agent's next pass reflects how your team actually works.
• Agent browser at /agents — a directory of every available agent with a detail page showing recent runs, accept/override/reject rates, and where each agent plugs into your workflow.
• Admins get an aggregate trust view to spot which agents are pulling their weight and which need tuning.

No black boxes: you can always see what an agent proposed and why before it touches a record.

Connect Pact to the rest of your stack without a services engagement:

• Public marketplace at /integrations — browse 73 connectors across CRM, marketing, data, billing, and support, each with what it syncs and how to set it up.
• Connection platform at /admin/integrations/connections — configure each connection's field mapping, sync schedule, and direction, and watch its health from one place.
• Custom webhooks with HMAC-signed delivery for anything not in the catalogue, reusing the same encrypted credential store as the first-party connectors.

The quote-to-cash chain now runs all the way through the books:

• Invoices — a first-class invoice object with a branded PDF, a hosted /p/invoice pay page, and a /sales/invoices board. Pay routes to Stripe; Pact never auto-debits.
• Refunds & chargebacks — issue a refund with contra-revenue and deferred-revenue reversal handled correctly.
• ASC 606 revenue recognition — point-in-time vs. ratable schedules, a CFO month-close, and a balanced double-entry journal CSV your accounting team can import.

Built on the existing CPQ and order lifecycle — order fulfillment is decoupled from financial status, with an append-only order-events ledger.

Every piece is live and tenant-scoped:

• Leads at /leads — a first-class Lead object with lifecycle states, scoring, conversion to account + contact, web-form capture, and round-robin / weighted routing.
• Multi-pipeline at /pipeline — deals are no longer single-pipeline. Define your own pipelines with configurable stages, mandatory entry / exit criteria, gated advance with explicit override audit, per-stage automations, and multi-currency forecast rollup.
• Cases (support tickets) at /cases — case lifecycle with SLAs, auto-routing rules, knowledge-base deflection, and conversion to deal.
• Multi-step approvals at /admin/approvals — branching, multi-step approval processes for discounts, refunds, and any custom object. Builds on the existing single-step framework.
• Team selling, compensation, and sharing rules — multi-rep deal participation with per-rep splits, compensation plans (quota and commission), and record-level sharing layered on top of RBAC.
• Forecast command center at /forecasting — rollup, commit / most-likely / best-case overrides, quota and commission, accuracy tracking, cohort trends, and velocity.
• Visual behavioral segment builder at /segments — live count preview, behavioral predicates (page view, form submit) correlated by contact ID, and campaign A/B tests scored with a real chi-square test (p-value, lift, confidence — tri-state, not a thumbs-up).
• Contact 360 — Relationship Strength — a per-contact score on /accounts/[id] summarizing interaction frequency, recency, and reciprocation across email, calls, meetings, and replies.

Why it matters: the full sales motion now lives in one product — from first lead through close, approvals, support handoff, and forecast — without bolt-on tools.

• E-invoice formats — Peppol BIS 3.0, UBL 2.1, and CFDI 4.0 generation with a validation oracle. Submission to AP and PAC providers is human-gated.
• Automated tax — pluggable engine with Avalara and TaxJar adapters, exemption support, and a flat-rate fallback when no provider is configured.
• Plaid ACH and wire reconciliation — encrypted Plaid token storage, an exact-match wire matcher on reference + amount (auto-reconcile when both match, manual queue otherwise), and buyer-initiated Stripe ACH.
• Polished quote PDF — branded header, repeat thead on long quotes, signature block, accept / draft watermark, page numbering, archivable filename, and a print stylesheet that matches the on-screen surface.

• Today / Coach summary on real Claude — the daily summary on /home is a live model call grounded in your own data, not a templated string. Three features that were misclassified as Hybrid were corrected on the public catalogue at /ai-features, which now shows 37 Real, 22 Hybrid, and 0 Not yet AI.
• Magic Compose brand-voice retrieval — hoisted into a leaf module so the brand-voice path that was silently dead in Magic Compose is now wired end-to-end. Existing Magic Compose flows benefit automatically.
• Campaign Builder agent — drafts a multi-step campaign (subject lines, body, sends, follow-ups) from a brief and lets you optimize before sending. Lives in /admin/automations and on the campaign editor.

Why it matters: every AI feature classified as "Real" actually runs a live model call on every request — and the catalogue is the same registry that powers the in-app honesty badges and a CI gate that blocks any feature shipped as "AI" without a real model call.

• Break-glass admin recovery — a sealed, audit-logged path back into your tenant when SSO is misconfigured, so you can never lock yourself out.
• SAML group → role JIT — first-time sign-in maps SAML groups to Pact roles automatically.
• SP-side request signing — Pact signs its SAML AuthnRequests so identity providers can verify them.
• SCIM enterprise extension — supports employee number, department, manager, and cost center.
• Metadata-URL setup + Workday-tested guide — paste your IdP's metadata URL and Pact configures the rest. End-to-end tested with Workday.
• HMAC-signed webhooks with rotation — every outbound webhook carries a signature; admins can rotate the signing secret with a grace window so subscribers never miss a beat.
• Per-tenant inbound credentials and quota usage — see exactly which integration is sending what, with rate-limit headroom at a glance.

Why it matters: enterprise admins can stand up SSO, SCIM, and signed webhooks without filing a support ticket, and have full visibility into who's authenticated and what's hitting their tenant.

• Contact detail page — grid columns constrained so long identifiers no longer overflow at 320 px; the What's-happening card body no longer goes blank after refresh; $5,000k currency rollup formats correctly.
• Pipeline kanban virtualization — measureElement is wired correctly, so deal cards no longer overlap on tall stages.
• Visual builder drag-from-palette — every visual builder (sequences, journeys, workflows, custom workflows) now accepts a drag without crashing the canvas. Hardened against WebKit, mobile gestures, agent-built canvases, and empty canvases.
• Buyer Lens — pill wrap and a properly responsive 4-column channel grid that no longer cramps at 320 px.
• Pull-to-refresh — gated on scroll position so accidental pulls during reading don't trigger a refetch.

Internal improvements that customers don't see directly but feel as fewer deploy delays and tighter release safety:

• Vercel build headroom — Node heap and twitter-image runtime literals tuned so Vercel builds don't run out of memory partway through.
• Deploy guards — our deploy.sh wrapper refuses to deploy unmerged HEAD and pre-flights every pending Postgres migration before the cutover, so a botched release is caught before any user-visible change.
• Tighter security CI — the auth-hygiene scanner now recognizes require_module as a valid authorization guard, so the gate flags real issues without false positives that previously blocked unrelated PRs.

A new help layer that sits on top of the existing help bubble:

• Hover, click, or keyboard-focus the ⓘ icon to open a glass tooltip with a short description and a deep link to the relevant docs.
• Ask AI inline — the answer streams back in under two seconds, grounded in the specific control you asked about. If the AI doesn't have enough context, it says so instead of guessing.
• Wired into ten real controls today across API keys, notifications, appearance, and the dashboard, and rolling out to more surfaces every week.
• Touch devices get a full-width bottom sheet so the content never clips a screen edge; the controls without a help entry stay clean — no clutter where there's nothing to say.

Two surfaces, one source of truth:

• Public catalogue at /ai-features — every AI feature Pact ships, classified as REAL (a live model call on every request), HYBRID (model plus deterministic logic), or NOT YET AI, with the provider, surfaces, and what it does. No marketing fluff; the same registry powers the in-app honesty badges and a CI gate that blocks any feature shipped as "AI" without a live model call.
• Admin browser at /admin/ai/features — card grid with classification chips, search, filters, and sorts; a tenant-wide 30-day spend hero; and a cost-optimization panel with concrete recommendations (model efficiency, large-context warnings, low-usage flags, cache health).
• Per-feature detail page with a curated sample input/output, the last 20 anonymized runs, the system-prompt overlay (and whether you've overridden it), where the feature is used in the product, and tailored recommendations for that feature only.

Why it matters: admins can see exactly what every AI feature does, what it costs, and where to tune it — without filing a ticket or reading code.

A new gallery at /dashboards/new with eight category-grouped templates, each composed over real tenant-scoped data and clonable with one tap:

• Sales velocity — weighted pipeline, win rate, time-to-close trend, win rate by source, forecast by category.
• Deal aging — stale deals (>30 days idle), slipped close dates, aging buckets, average age by stage.
• Win rate by source — by source, industry, deal size, rep, and quarter.
• Rep ramp — deals and activity per rep, win rate by rep, tenure.
• Activity intelligence — activity mix, daily volume, per-rep load, sequence engagement.
• Customer success scorecard — health distribution, NPS trend, at-risk accounts, renewals.
• Marketing attribution — first-touch source pipeline and revenue, channel mix, engagement.
• Executive scorecard — ARR, bookings QTD, win rate, coverage, health, NPS plus trends.

Every template inherits the existing dashboard builder's anomaly badges, AI insight summaries, and threshold alerts.

Turns Pact's existing controls — tenant isolation, RBAC, append-only audit log, GDPR deletion, sub-processor management, encryption — into systematic, auditor-ingestible evidence:

• SOC 2 readiness scorecard at /admin/compliance/soc2 — per-criterion coverage across all five SOC 2 Trust Services Criteria, with per-evidence-type freshness.
• Automated nightly evidence collection for six evidence types (access review, audit-log retention, vendor/sub-processor schedule, customer data deletion, encryption posture, processing-integrity controls). Manual evidence (change management, vulnerability scans, backup-restore test, incident response, tenant-isolation CI gate) is surfaced as an honest gap list with collection instructions — never fabricated.
• Tamper-evident bundles — SHA-256 hashes over every artifact's exact bytes, a manifest hash over the sorted set, and an optional HMAC-SHA256 signature. Verifiable end-to-end; any byte-level edit is detected.
• One-click monthly bundle + multi-period auditor package, each with an auditor-facing index PDF.
• Self-serve HIPAA BAA at /admin/compliance/baa — preview the addendum with your covered-entity name pre-filled, download a signed PDF with a matching document hash.

Why it matters: enterprise prospects' auditors can be handed a polished evidence ZIP covering every SOC 2 criterion on the spot — and HIPAA-covered customers can self-serve a BAA without going through legal back-and-forth.

Every seeded record now carries an is_seed_data flag, and the Admin → Data management surface gained a "Seeded emails" card with a DEMO badge and a one-click purge button (with a type-DELETE confirm and an audit-log entry). Use it as part of your go-live checklist to clear the demo emails the workspace shipped with — your real, customer-entered contact emails are never touched.

Two internal improvements that customers don't see directly but feel as a faster, more reliable platform:

• Recurring preview-environment cleanup — a unified engine reaps closed-PR preview databases, branches, and deploys on a nightly schedule and after every release, with safety rails that never touch open PRs, protected branches, or anything labeled keep-preview.
• Daily branch-hygiene sweep — automated audit of long-stale branches with a rolling tracking issue, so engineering work stays focused and the deploy surface stays clean.

Each persona gets its own walk-through of the surfaces it uses daily, anchored to real screens:

• CRM — accounts, contacts, deals, follow-ups, pipeline.
• Customer Success — health, at-risk accounts, playbooks, workload.
• Marketing — sequences, templates, AI steps, forms, attribution.
• Admin — users, integrations, audit log, AI usage, health.

Tours auto-start on first sign-in, resume if you leave mid-way, and can be replayed any time.

• Hybrid search — results are ranked across all entities using keyword and semantic matching together, so the right account, contact, or deal surfaces first.
• Graceful calendar links — calendar URLs redirect sensibly instead of dead-ending in a 404.
• Cross-module navigation — jumping from one module to another preserves your context, with a breadcrumb back to where you came from.

• Inbox triage — sorts and prioritizes incoming messages.
• Deal coach — suggests the next best move on an open deal.
• Customer-success save — flags at-risk accounts and drafts a save play.
• Sequence personalizer — tailors outbound steps to each recipient.

Trigger an agent yourself, or schedule it to run on its own.

• AI features return an honest "not enough information" rather than inventing details when context is thin.
• Untrusted input (record content, email bodies, uploads) is fenced from instructions across every AI surface, hardening against prompt injection.

• SSO required is now enforced at sign-in — closing a real gap where password login still worked when SSO was mandated.
• Audit log retention prunes on a schedule per your policy.
• Downloadable DPA — generate and download your Data Processing Addendum as a PDF.
• Cookie consent banner for public surfaces.
• Sub-processor list is tenant-aware and kept current.

• Three CRITICAL and three HIGH severity fixes shipped, including cross-tenant access paths.
• A new tenant-isolation gate runs in the test suite, so a route that derives a record from a request body instead of the auth context fails the build.

Read-heavy analytics and dashboard queries are served from a separate database replica. The result is faster reports and a snappier app everywhere, because reporting load no longer contends with interactive reads and writes.

The new /developers hub gathers everything you need to build on Pact:

• Quick-starts for API keys, your first call, OAuth, and webhooks.
• Copy-paste SDK examples in curl, TypeScript, and Python.
• An integration cookbook with end-to-end recipes.
• A redesigned webhook console with delivery health and per-subscription stats.

Connect Microsoft 365 calendars through a guided admin wizard — the same step-by-step flow already used for Google, so there's one consistent way to set up either provider.

Calendar OAuth credentials now resolve from your workspace's integration credentials, fixing a dead end where setup pointed at a platform store you couldn't reach.

• Two-way sync with Google and Microsoft calendars.
• Public booking pages at /book/<your-slug> so anyone can grab time with you.
• Round-robin team booking distributes meetings across a team.
• Confirmation emails are sent automatically on booking.

Set the mood of your workspace from Settings → Appearance. Eight ambient themes — Aurora, Ocean, Rainfall, Fireplace, Forest, Snowfall, Cosmos, and Minimal — each tuned for performance, with a mobile override that actually takes effect on phones.

Every ambient theme now has a proper light and dark variant. Previously some were eye-searing in light mode or blank in dark mode; each is now tuned for both.

• A consistent liquid-glass surface system across the app's panels and sheets.
• Fixed a build step that was dropping the -webkit- blur prefix, so iOS Safari 17 and earlier now get true frosted blur rather than a flat fallback.

• Tinted glass cards and a gaussian veil keep content legible over ambient backgrounds.
• The floating action buttons (Help and AI) are now coordinated into one stack instead of colliding.

Inputs no longer steal focus on page load on touch devices, so the keyboard stays down until you actually tap a field. The command palette still opens the keyboard, because there you asked for it.

• Dashboards animate on load — staggered cards, count-up metrics, an anomaly pulse, and a fade-in for insights.
• New workspaces get pre-populated demo dashboards so the product looks alive on day one.
• Admins can wipe demo data from Admin → Data management whenever they like.

• Lead routing assigns inbound leads to the right rep.
• Click-to-call and a power dialer for working a list fast.
• Threaded SMS keeps text conversations in one place.
• AI call transcripts capture and summarize calls.
• A mobile dialer for selling on the go.

What changed

A new admin surface — /admin/forms — replaces the old "embed this iframe and pray" workflow.

• Drag-and-drop builder — every field type you'd expect (text, email, phone, dropdown, radio, multi-select, consent checkbox, hidden tracking fields) drags onto a live preview. Reorder, duplicate, or delete with a single click.
• Custom-field mapping — fields you've defined under Admin → Custom fields show up directly in the builder. A new lead-capture field can be wired into the form, mapped to the contact column, and live within the same minute.
• Starter templates — common shapes (Contact us, Demo request, Newsletter signup, Event RSVP, Beta access) come pre-built so you don't draw from a blank page.
• Hosted form sites — every form gets a public URL on pact.place, mobile-first, your branding, no iframe required. Embed it as a link, drop it in a marketing email, or share it on social.

Why it matters

Forms are where customers tell you they want to talk to you. Until this PR, you needed an engineer to ship a form change. Now any marketer can build, publish, and edit a form without leaving Pact — and every submission lands as a contact with consent recorded, so the marketing engine can take it from there.

What changed

The dashboard now follows a layout owned by you, not Pact.

• Editor at `/admin/page-layouts` — pick the page, pick the scope (default, role, group, user), drag the blocks into the order you want, then save.
• Cascading scopes — when Pact renders the dashboard it walks user > group > role > tenant > default and uses the first layout it finds. Power users can override the org-wide default for themselves; everyone else inherits the layout admins set for them.
• Graceful fallback — if your custom layout points at a block that no longer ships (e.g. a removed module), the renderer silently falls back to the next layer instead of throwing.
• Audit log — every layout change is recorded with who, when, and what changed. Roll back from the audit trail without losing other in-flight edits.

What's editable today

Dashboard v1 is the first page on the cascade. More pages (account detail, pipeline, inbox) will follow as we extend the block registry. The contract for adding a new editable page is one entry in web/src/lib/page-layouts/registry.tsx.

Why it matters

Sales leaders, customer-success leads, and product marketers each want a different dashboard. Until now they all looked at the same one and complained. Page layouts ship a real answer instead of "we'll add a toggle eventually."

What changed

/admin/schema-explorer is a new interactive map of the entire Pact data model.

• Auto-layout ERD — every ORM table renders as a card, every foreign key as an edge. The graph (185 nodes, 241 edges in the current snapshot) is computed server-side from Base.metadata.tables and served by GET /v1/admin/system/schema-graph.
• Side drawer per table — click a node to see its columns, their types, nullability, and the foreign keys leaving and entering the table.
• Tier filtering — toggle the tier chips to focus on just the public surface, the authenticated tier, or the staff/internal tables. Makes it tractable to answer "what does a customer actually see?" in one screen.
• Mobile pinch-zoom — the canvas pans and zooms on touch, so on-call engineers can reason about the model from a phone during an incident.

Why it matters

Until now the schema lived in models/*.py and a couple of out-of-date diagrams. Onboarding engineers and customer-facing teams now have a single, always-current ground truth for "what data does Pact actually store, and how is it connected."

What changed

The Pact Internal Ops console (/pact-admin, gated to is_pact_staff) was a feature-complete but rough surface. This change makes it usable on the phone and honest in its empty states.

• Tenants page (/pact-admin/tenants) — switched from a too-wide table to a mobile-first card layout. Each tenant card shows the things ops actually scans for (plan, status, last activity, support flag) without horizontal scrolling at 375px.
• Visible actions — "Impersonate", "Suspend", and "Open billing" used to hide behind a triple-dot menu that nobody discovered. Primary actions are now buttons; the rare ones stay in the menu.
• Meaningful empty states — Trials, Backups, and Health used to render a blank panel when the underlying list was empty. Each now says what the panel is for and how to add something to it.
• Relative-time fix — the "Last active 2 hours ago" string was misreading the timestamp on /pact-admin/tenants and /pact-admin/trials, making every row look stale. The shared fmtRelative / formatRelative helper has been fixed and the call sites unified.

Why it matters

The Internal Ops console is the surface our team reaches for during an incident — usually from a phone, away from a desk. A console that requires a laptop is a console that nobody uses.

What's now in admin

This release closes the last small gaps in three enterprise controls that already shipped most of their functionality earlier in the quarter:

• Audit log at /admin/audit-log and /admin/security/audit-log — searchable, cursor-paginated, with before/after diffs on edited rows, source IP, and CSV / JSONL / XLSX export. A watch subscription will notify you when a row matching your filter lands.
• GDPR self-service export — your end users can request a copy of their data from /v1/me/privacy/export; admins manage requests at /admin/privacy. Each export is delivered as a signed-URL ZIP. Deletions carry a 30-day grace period with an email cancellation token, so a tap of a wrong button doesn't permanently lose someone's data.
• Rate-limit visibility at /admin/security/rate-limits — per-tenant policies, per-API-key sliding-window counters, and the choice of block, log_only, or throttle mode per route, with sampled audit events. Plan-tier defaults are pre-loaded.

Why it matters: customers on enterprise plans now have one admin surface that answers *"who did what?"*, *"can my users get their data?"*, and *"what's hitting my API right now?"* — without needing to file a support ticket.

What happened on 2026-05-28

Our Upstash Redis instance hit its monthly request quota at 03:34 UTC. Every Redis command started returning a quota error. The rate-limit dependency propagated that error to FastAPI — which meant every authenticated request, including /v1/auth/login, returned an HTTP 500. Users were locked out of the app for about fifteen minutes until we switched the counter to an in-memory backend.

Fail-open rate limiting

The rate-limit code now wraps every backend call in a guard. If the counter backend errors for any reason — quota, network, missing instance — the request is allowed through (rather than 500-ing), and a degraded-counter metric increments. A WARN line is logged with the error class, count, and route; Sentry tags the request rate_limit.degraded=true. The next time the counter is unhealthy, on-call gets a notification at the alarm threshold, not an outage at the quota.

Normal behavior is unchanged: when Redis is healthy, no warning fires and the counter stays at zero. When the backend genuinely denies a request, callers still get an honest 429.

Loud errors on the API reference

During the outage, the staff and authenticated tier tabs on /api-reference showed an infinite loading spinner instead of an error, because the spec-fetch effect had no timeout or error UI. The fix:

• 15-second timeout on the fetch, then a structured error state.
• Four error kinds — timeout, auth, network, http — each with the right call to action and a "Try again" button that re-runs the fetch without a page refresh.
• 401 / 403 prompts you to re-authenticate instead of looking like the docs are broken.

Why it matters: the next time a downstream dependency hiccups, auth stays up and the docs don't lie about it. A full postmortem lives at docs/incidents/2026-05-28-auth-outage.md.

/admin/ai/inventory

A sortable, color-coded table of all 32 audited AI features Pact ships. For each feature: the feature ID, display name, classification (REAL 14 · HYBRID 17 · NOT YET AI 1), provider, endpoint, and the UI surfaces it appears on. The same registry powers the public "Powered by Claude" honesty badges and a CI gate that fails any PR which lets a feature ship as "AI" without a live model call.

/admin/ai/cost-breakdown

Per-feature AI spend with a nested per-user drill-down. Filter by user and by time window — last 1, 7, 30, 90 days, or all-time. The view reads the raw AI usage ledger directly, so feature totals reconcile exactly with their per-user rows; no rounding, no double counting.

Why it matters: admins can answer two questions on the spot — *"which of my users is driving AI cost?"* and *"how real is each of the AI features we're paying for?"* Both pages are admin-only and recover work from two earlier chips that died mid-merge.

Public /status

The new /status page shows, for everyone, with no sign-in required:

• An overall status banner — operational, degraded, or major outage.
• Seven component health rows (API, Web app, Auth, Marketing engine, Sequence engine, Webhooks, Background workers), each with a 90-day uptime sparkline.
• A live list of active incidents and the rolling 90-day incident history.
• A one-field email subscription, plus an RSS feed for IT or status-monitoring tools.

A background health probe runs every minute, records a row per component, and feeds the sparklines without sitting on a shared web connection.

Admin /admin/status

Pact admins and owners get an incident-management console at /admin/status:

• Report a new incident — name, impact, affected components, opening update.
• Post updates as the incident progresses; mark it resolved when it's over.
• Every mutation writes an audit log entry, and the page is gated by the same role checks the rest of /admin uses.

Why it matters: customers can stop pinging support to ask "is it just me?" — they can see the truth on /status. And the next incident gets a clean public timeline instead of a Slack thread no one outside Pact can read.

One place for the API surface

We had three different ways to browse the API — anonymous /docs/api, an authenticated /dev page with a staff toggle, and a staff-only /internal-docs/api. Customers had no idea which was which.

The new `/api-reference` page lives inside the signed-in shell, replaces all three, and:

• Detects the highest tier your role is cleared for from your session and renders that by default.
• Shows a pill toggle for Public / Authenticated / Pact staff. Pills you can't access stay visible but disabled, with a lock icon and a tooltip explaining what would unlock them — so customers can see that a higher tier exists without being able to peek.
• Honors a ?tier= URL parameter for deep-linking, silently clamped to what your role is allowed to see.
• Is wired into the existing Developer nav group: API Reference, API keys, Webhooks.

The old /dev and /internal-docs paths now redirect to the unified surface. The authoritative gate is still server-side: even if someone fabricates the tier param, the OpenAPI proxy returns 401/403 unless the caller is actually cleared for that tier.

Why it matters: discoverability. The API reference is now reachable from the in-app sidebar like every other Pact surface, and it always opens at the right depth of detail for who's looking at it.

/login: actually centered now

The sign-in form used min-h-screen (which resolves to 100vh) for vertical centering. On mobile, 100vh is the height with the address bar hidden — so when the URL bar is showing, a "centered" card sits noticeably below the visible middle of the screen, and its bottom can clip off-screen. Swapped to 100dvh (dynamic viewport height), which tracks the current visible viewport and re-centers as the URL bar shows or hides. Verified on a Pixel 7 (Chromium) and an iPhone 14 Pro (WebKit) emulator.

Landing page: Sign in is now discoverable

In the installed iOS PWA, the marketing landing's "Sign in" was rendered as a faint ghost link, crammed against the system status icons because the header had no safe-area inset. Two changes:

• The header now respects the device's top safe area, so the logo and the Sign in button clear the notch and Dynamic Island.
• "Sign in" is now a solid primary button — high contrast, clearly tappable, harder to lose against the status bar.

Why it matters: if someone has the PWA installed and lands on the marketing page, getting back into the app is now an obvious one-tap action. And the sign-in form itself is correctly positioned the first time on every device profile we tested.

The combined symptom

Reported as: *"tapping a segment in the iOS PWA logs me out."* It was two separate bugs stacked together.

Bug 1 — dead in-app link

The segments list linked each row to /segments/[id] — a route that never existed. Tapping a segment landed on a 404. (The correct path is /marketing/segments/[id].) Every segment row now links to the right place.

Bug 2 — 404 looked like a logout

There was no dedicated "not found" page inside the signed-in shell. Any 404 fell through to the root, marketing-shell "not found" — which has no sidebar, no top bar, and a "Home" button pointing at the signed-out landing page. The session was never actually cleared, but the chrome vanished, so it read as "I just got logged out."

A new not-found page now lives inside the signed-in shell. A 404 keeps the sidebar, top bar, and your session visible, and shows a friendly back-to-dashboard link instead of dumping you at marketing.

Why it matters: in the installed PWA, the navigation feels coherent again. A typo in a URL won't masquerade as a session expiry. End-to-end tests for both the segment-builder and journey-builder paths landed alongside the fix so this regression doesn't recur.

What was happening

When a tenant didn't yet have enough sends or audience signal, the API correctly returned an empty body — and two shared layout components, the module-permissions provider and the "viewing as" header, tried to read array properties off that empty object. The exception bubbled into a render crash that looked like an outage on the Personalize and Send-time windows surfaces.

What changed

Both components now treat an empty payload as "no data yet" instead of dereferencing into it. The genuinely empty states the marketing surfaces already shipped (No audience yet, Add more sends before we can recommend a window) now render cleanly instead of being masked by a runtime error.

Why it matters: new tenants and any segment lacking signal will see the intended empty state from now on, not a blank screen. Existing tenants with data are unaffected.

You should know what's actually AI

Three label variants, driven by a single feature registry on the backend:

• Powered by Claude (green) — always calls Claude; errors loudly if the model isn't configured.
• Hybrid: Claude + rules (blue) — calls Claude when configured, falls back to rule-based logic otherwise.
• Not yet AI (red) — surfaces marketed as AI that don't yet make a model call. We're calling that out as honesty debt instead of hiding it.

Each badge has a tooltip with the provider and endpoint, plus a link to "How AI works in Pact" for the longer explanation.

Why it matters: when a screen says "AI", you can now confirm — without reading a docs page — whether that's a real model call or a smart-looking heuristic. No AI feature can over-claim how real it is, because the badge is generated from the same registry the backend uses to enforce live model calls.

Two blank-panel bugs, one solved surface

The /docs/api reference is rendered by Redoc inside a CSP-strict iframe. Two bugs were making it disappear:

1. Cross-origin spec fetch. The page tried to load its OpenAPI spec from app.pact.place while sitting on www.pact.place. The strict connect-src 'self' blocked the request and Redoc rendered an empty pane.

2. Stale Content Security Policy nonce on client-side navigation. When you reached /docs/api via an in-app link (rather than a hard refresh), the iframe inherited a CSP nonce minted at the parent's original load — different from the one stamped on the freshly rendered Redoc script. The script was blocked and the panel went blank until you hit refresh.

What changed

• The OpenAPI spec is now proxied same-origin from /api/openapi-public, so the fetch is matched by connect-src 'self' and triggers no CORS preflight.
• The Redoc iframe now lives at /docs/api/redoc, a dedicated route that mints a fresh per-request nonce on every load — hard refresh and SPA navigation alike.

Why it matters: the API reference is now load-stable. You can click into it from the docs sidebar, refresh, or open it cold from a bookmark — it renders every time, no white pages.

Why this matters

Until this week, the auto-generated FastAPI spec was served anonymously and exposed every internal route — admin, impersonation, replay-cost — alongside the genuinely public endpoints. The MDX guides on /docs had the same problem: a single sidebar listed staff-only Self-hosting pages next to the public quickstart.

This release closes that gap end to end. Every API route and every docs page is now classified into one of three tiers:

• Public — what anyone on the internet can see.
• Authenticated — what a signed-in customer of your tier sees.
• Pact staff — internal surfaces, only visible to Pact employees.

What you'll notice

• The full /openapi.json and /docs//redoc endpoints on the API origin are gone. Three filtered specs replace them: /api/openapi-public, /api/openapi-authenticated, /api/openapi-staff.
• /docs only renders public articles to anonymous visitors. Signing in unlocks the authenticated tier; staff additionally see the Administration section.
• Search is tier-aware — anonymous search never returns titles or excerpts from gated pages.
• A CI guard blocks any PR that would publish a staff or authenticated MDX snippet through a public surface.

For customers building integrations: if a route disappeared from your reference, it was never meant to be public. Use the in-app API Reference (/api-reference) to see the routes your role actually has access to.

Real AI, or nothing

Two marketing surfaces used to show stand-in content: Personalization was a "ships next" placeholder, and Send-time windows quietly fell back to a hardcoded "9:30–11am Tue/Wed/Thu" when a segment didn't have much send history. Both are now wired to the same production AI optimizers the rest of Pact uses.

Personalization

Enter a base subject line and Claude rewrites it for each audience segment's dominant role and industry — the exact optimizer that already runs inside journeys. Each suggestion is generated live, and segments that don't change are clearly marked "No change" rather than padded with invented variants.

Send-time windows

Every segment is now routed through the real send-time optimizer (engagement history → tenant default → AI inference). Recommendations are labeled Engagement-backed or AI-inferred so you can see where each window came from. Applying a window rewrites the hour-of-day on every scheduled campaign for that segment.

Honest empty states

When a segment lacks the signal to ground a recommendation — no audience yet, or fewer than 100 delivered emails — you'll see a clear "add more data" prompt instead of a confident-looking number that isn't real.

Why it matters: you can trust what these screens tell you. Every subject line and send-time window is now produced by the same AI that powers the rest of your workspace, and when the data isn't there yet, Pact says so plainly instead of guessing.

One fix, two symptoms

The top navigation bar handled the device "safe area" (the strip behind the notch, Dynamic Island, and status bar) inconsistently across layouts. That produced two opposite problems on phones:

• On iPhone, the docs header sat *under* the status bar, so the "Menu" label was partly hidden behind the clock.
• On Android, the installed app reserved iOS-only spacing it never needed, leaving a large white gutter above the icon bar.

Both are now resolved with a single rule applied to every sticky top bar — the in-app bar and the docs header alike. The safe-area reservation only kicks in on Apple touch devices that actually need it, so iPhone and iPad PWAs get the right padding while Android and desktop are left untouched.

Why it matters: if you use Pact installed to your home screen, the top bar now lines up correctly on every device — nothing clipped behind the status bar on iOS, no wasted space on Android.

White-label branding

Agency tenants on the Agency plan can now configure a fully custom brand identity applied across all client-facing surfaces.

Configurable in Settings → Brand:

• App name shown in the browser tab and email footers
• Primary logo (SVG or PNG, shown in the top bar and sidebar)
• Favicon
• Custom sender domain for outbound sequences (requires DNS verification)
• Accent color for the UI

Branding changes take effect immediately for all sub-tenants managed under your agency account.

Contact your account manager to enable the Agency plan.

AI agents

The Ask AI panel (⌘K → "Ask AI", or the ✨ button in the top bar) now supports agentic tasks that go beyond simple Q&A.

Try asking:

• *"Research Acme Corp and summarize their recent news"* — pulls public data and returns a brief
• *"Draft a follow-up email for my last call with Jordan Smith"* — uses call notes and contact history
• *"Which accounts in my book are most likely to churn?"* — scores your pipeline using engagement signals

How it works:

Agents run in the background and stream results token by token. You can keep working while they run. Results are copied to the clipboard or inserted into the editor.

All agent activity is logged in Activity → AI for audit purposes.

Bulk operations

List views now support row-level multi-select. Use the checkbox in the table header to select all visible rows, or click individual rows to build a selection.

Available bulk actions:

• Tag — apply one or more tags to all selected records
• Add to sequence — enroll the selection into any active sequence
• Update field — set owner, status, lifecycle stage, or any custom field
• Export — download as CSV in the background; a toast links to the file when ready
• Delete — moves records to the trash (restoreable for 30 days)

Actions run server-side in batches of 100. A progress banner keeps you updated.

Public REST API

Your Pact account now has a stable public REST API, secured with per-tenant API keys.

Get started:

1. Go to Settings → Integrations → API Keys

2. Generate a key and store it securely (shown only once)

3. Pass Authorization: Bearer <key> on every request

Full reference docs at /docs/api. The same OpenAPI spec powers the built-in API explorer.

What's available

• Accounts and contacts — read, create, patch
• Sequences — list, trigger, pause
• Segments and tags — read
• Webhook events for real-time push

Rate limit: 1 000 req/min per key. Raise limits from the API Keys page.

What shipped

Plan picker & checkout (/billing/upgrade)

Choose from Starter, Pro, or Enterprise tiers. Clicking "Start Starter" or "Start Pro" opens a Stripe-hosted checkout session and returns you to the billing admin page on success. Enterprise routes to the sales team.

Stripe Customer Portal (/billing/portal)

Tenants can now update their card, download invoices, or cancel their subscription directly from the Pact billing admin page. Clicking "Manage billing" launches the Stripe Customer Portal in-tab.

Operator billing panel (/pact-admin/billing)

Pact staff get a live view of:

• Stripe mode — live / test / unconfigured / no-op
• MRR & ARR — summed from active + trialing subscriptions
• Subscription counts by status (active, trialing, past_due, canceled…)
• Failed-payment queue — tenants in past_due / grace_period / soft_lock with links to their tenant detail page

Anti-abuse guards

Tenants with a hard_lock dunning state receive HTTP 402 on checkout. Attempting to start a second active subscription for the same plan returns HTTP 409.

Go-live runbook

Full step-by-step instructions in docs/ops/stripe-go-live.md. Set Stripe keys via Admin → Platform secrets — never via fly secrets set.