French is the official language of Juge.ca. In the event of any discrepancy, ambiguity, omission, or conflict of interpretation, the French version shall prevail.
Every release, documented. Juge.ca follows semantic versioning.
Category
1278 of 1278 releases
v8.01.90
Ops / CI / infra
Release v8.1.90 (#2295)
Control Center now shows a Bugs & Testing status panel — last CI run per suite, pass-rate trend, and the open-bug list, read-only from GitHub.
v8.01.80
Intake & onboarding
Release v8.1.80 (#2304)
New (staged) formal-demand pilot — preview the opening of a mise en demeure for free, then unlock the full letter.
v8.01.70
Security
Release v8.1.70 (#2309)
Admin Control Center — the Quick-actions nav now persists across every subsection instead of only /admin/dashboard.
v8.01.65
Governance
Release v8.1.65 (#2305)
Executive Decisions live panel in the Control Center — the Founder can read the AI exec team's decisions live from any device, no deploy per decision.
v8.01.40
Governance
Release v8.1.40 (#2288)
Changelog overhaul — explicit per-entry categories (no more keyword-guessing), an expanded 19-category taxonomy, a hardened granular release-points weight table, the full v0.0.0→current timeline backfilled from git tags, and a "Latest developments" panel on the Command Center.
v8.01.15
Ops / CI / infra
Release v7.101.15 (#2222)
Fix migration-number collision on main — renumber 0176_matter_inbound_email → 0191 (0176 was already taken by profile_metrics_daily); restores a green build for all PRs.
v8.01.14
Notifications & email
Release v7.101.14 (#0)
Every matter now has its own inbound email address — forward or CC correspondence and it lands in the matter timeline, deduped and screened (ADR-0018 phase 1).
v8.01.4
Ops / CI / infra
Release v7.101.4 (#2226, #2290)
Organize ~550 loose root-level docs into docs/archive/ (docs-only, no user-facing change).
Founder "Open Control Center" now lands on the Control Center dashboard instead of the Dispatch surface.
v8.01.3
Content / legal
Release v7.101.3 (#2245)
Entity workspaces — tenant-isolated operating workspaces for institutions, legal clinics, and organizations.
v8.00.78
Governance
Release v7.100.78 (#2203, #2213, #2244)
SLA tracking for support tickets — per-priority first-response/resolution targets with on-track/at-risk/breached state.
Aggregate profile-analytics substrate — a privacy-preserving daily rollup of per-provider profile views, contacts, and engagements (counts only), readable by the profile owner.
Executive Workspace framework — a per-executive operating workspace (queue, dashboard, decision records, audit trail) for every executive.
v8.00.53
Content / legal
Release v7.100.53
Tagged release v7.100.53.
v8.00.18
Marketplace
Release v7.100.18 (#2211)
Marketplace provider profiles now show a « Profil non réclamé » (unclaimed) state, with a claim-and-verify funnel (new `provider_claims` table) letting the rightful professional claim a seed or Google-Places listing and submit identity/licensure verification.
v8.00.8
AI & automation
Release v7.100.8 (#2209)
AI spend telemetry — per-call usage/cost ledger (ai_usage) with monthly rollup and spend-threshold alert.
v7.99.83
Payments
Release v7.99.83 (#1856)
Referral regime engine (#1856) ported to the Supabase model on migration 0182 — C2C/P2P/CROSS resolver, double-payout-proof wallet credit, and human-gated professional referral rewards. Ships flag-OFF with cash activation fail-closed pending Barreau clearance.
v7.99.58
Security
Release v7.99.58 (#2212, #2215, #2229)
Marketplace provider profiles now enforce the ratified freemium rule — identity (name, verification badges, short description, practice areas, territory, languages, contact) stays free forever; full bio/services narrative, live availability display, client endorsements, and Vitrine promotion require an active professional subscription.
ROI dashboard MLV for providers — honest per-profile numbers (views, contacts, referrals surfaced, self-declared response time) compared only to your own previous 90 days, aggregates only, no benchmarks or fabricated data.
VP Legal Affairs Workspace — a legal review queue, 9-status workflow engine, permanent decision records, and a legal risk dashboard, with every transition written to the tamper-evident governance audit chain.
v7.99.33
Content / legal
Release v7.99.33
Tagged release v7.99.33.
v7.98.98
Content / legal
Release v7.98.98 (#2247)
Founder Command Center — Quick actions moved to a sticky top navigation bar for immediate access on load.
v7.98.88
Payments
Release v7.98.88 (#2198, #2207)
Dispatch domain-event log — a new append-only `dispatch_events` table plus an in-process publisher emits an event on every dispatch/order status change, giving downstream consumers pub-sub semantics with no message broker. Wired into the service-order pipeline and payment paths, with the existing reconciliation cron replaying any event whose in-process fan-out failed.
v7.98.63
Intake & onboarding
Release v7.98.63 (#2200, #2224)
Added an ESLint rule and ADR that lock the Support Ticketing / Dispatch module boundary so the two surfaces can't silently re-couple as they keep shipping.
Document-intake classify screen — selecting a resolution-pathway card now advances immediately (no redundant Continue); litigation keeps an explicit "Continue to litigation and bypass dispute resolution" button; the dispute-type dropdown moved above the litigation options and became keyboard-safe via a "Load pathway" action, with the chosen path echoed on the next step.
v7.98.58
Content / legal
Release v7.98.58
Tagged release v7.98.58.
v7.98.53
Jurisdictions
Release v7.98.53 (#2135, #2142, #2143)
Matter version history now shows durable, saved versions grouped by day, with a one-click restore that safely migrates the file back to that state.
v7.98.43
AI & automation
Release v7.98.43 (#2201)
Support Copilot in /admin/tickets — staff can now draft a reply or summarize a ticket thread with one click; AI output is always editable, never auto-sent.
v7.98.33
Security
Release v7.98.33 (#2168)
Schema-drift pipeline fix — read-only CI drift check against production, a founder-gated migrate-production workflow (ledgered, RLS-verified per migration), and DDL removed from the build entirely.
v7.98.8
Accessibility
Release v7.98.8 (#2151, #2152, #2154, #2197)
Fixed invisible/low-contrast text in light mode — form fields and dark panels (bg-ink-800 family) now flip to light surfaces, and the emerald/amber status accents darken to WCAG AA values; most visible on the admin Dispatch and tickets pages, but applied app-wide.
Guided-tour follow-ups — the cohort A/B rollout gate now actually exists (opt-in flag suppresses auto-open for the control cohort and the admin funnel labels the experiment state honestly), signed-in tour sessions are deduplicated by account so one person across tabs counts once (with the counting unit documented on the admin page), and a failed onboarding-state fetch that suppresses the first-run tour is now logged instead of silent.
v7.98.3
Content / legal
Release v7.98.3
Tagged release v7.98.3.
v7.98.2
Ops / CI / infra
Release v7.98.2 (#2195)
Support tickets moved into a dedicated tickets app (/admin/tickets) — the admin Dispatch page now focuses on bailiff verification and order assignment, with a one-click entry card to the tickets inbox.
v7.97.92
Content / legal
Release v7.97.92 (#2150)
The homepage guided tour now actually appears — the lazy-loaded tour engine was never resolved during hydration of the statically prerendered homepage, so the fully built tour rendered for no one; the launcher now loads through an explicit post-hydration effect (verified rendering end-to-end in a real browser) and any load failure is logged instead of silent.
v7.97.91
Jurisdictions
Release v7.97.91 (#2186)
Privilege-gate hardening — verification staleness is now per-jurisdiction (pack ceiling hard-clamped to 30 days), tightens automatically with attach frequency down to a 1-day floor, and stale verifications fail with a distinct named clause so supervisors see exactly what to fix.
v7.97.86
Localization
Release v7.97.86 (#2180)
The professionals marketplace page is now statically prerendered per locale (filters apply instantly client-side), eliminating per-request server rendering on the top marketing page.
v7.97.84
Content / legal
Release v7.97.84 (#2179)
Unknown /problems and /experts slugs now return a real 404 instead of a soft-404 200, fixing crawl-budget waste and index pollution.
v7.97.83
Workspace & matters
Release v7.97.83 (#2150)
The 30-second guided tour is now enabled by default — it launches for homepage visitors and signed-in workspace users without depending on deployment configuration (it can still be disabled explicitly), closing the gap where the fully built tour was invisible to everyone.
v7.97.82
Ops / CI / infra
Release v7.97.82 (#2176)
Fixed the k-anonymity outcome-aggregates cron that had never run — the route only accepted POST while Vercel Cron invokes GET, so every nightly run failed with 405; the scheduled sweep now executes.
v7.97.77
Security
Release v7.97.77 (#2162, #2165)
Partnerships Phase 0 — privilege state machine, supervision gate, partner schema and capability bundles land behind a flag (default off), with an exhaustive transition-table proof that privilege can never attach in an unsupervised workspace.
Lower serverless cost and faster anonymous page views — CDN caching for the version probe, client-side filtering/dedupe of error telemetry, and middleware that skips the Supabase auth round-trip for signed-out visitors.
v7.97.52
Content / legal
Release v7.97.52
Tagged release v7.97.52.
v7.97.50
Localization
Release v7.97.50 (#2161)
Fixed hreflang alternates and canonicals for the Indigenous locales (crk, chp, scs, xsl, ikt, gwi, dgr) — sitemaps and Link headers no longer emit double-prefixed URLs like /en/crk/… that returned 404 to search engines.
v7.97.49
Privacy (Law 25)
Release v7.97.49 (#2148)
Legal clinics can now receive guest intake submissions — an anonymous guest fills a clinic's published bilingual form, consents under Law 25 (consent snapshot pinned to the form version), gets a reference number, and verifies their email by magic link; clinic staff review submissions in a new two-panel queue (statuses, reviewer assignment, unverified-email badge). The public write path is locked down end to end: no anonymous database access, a single validated SECURITY DEFINER entry point, rate limiting, and enumeration-safe errors.
v7.97.24
Partnerships
Release v7.97.24 (#0, #2149, #2163, #2164, #2168)
Docs-only — commit the founder's Institutional Partnerships plan + decisions to docs/spec, record ADRs 0013–0016, and draft the counsel-gated Partner Terms/DPA skeleton.
Read-only production schema drift audit (epic #2168 step 1) — docs/report only, no runtime change.
The Founder Command Center now links directly to its standalone command views — the campaign engine, guided-tour funnel, conversion funnel, and justice analytics are one click from the command hub instead of URL-only pages.
v7.97.23
Notifications & email
Release v7.97.23 (#2139)
Support tickets now have a visible lifecycle end to end — every submission is durably stored with a sequential TKT-YYYY-NNNNN reference (previously HubSpot-only, silently lost when the CRM was unavailable), a full confirmation screen (ID, status, created-at, next step), a server-backed “My requests” history with per-ticket status timelines, a searchable/filterable support-ticket inbox on the admin “Dispatch & tickets” page, and email notifications on every status change.
Matter version history is now durable and cross-device — each meaningful save records an owner-private snapshot (deduplicated, capped at the newest 50 per matter) with a structured change summary, ready for the upcoming restore feature.
The matter workspace now shows a permanent, honest save-state indicator (☁ Saved · All changes synced with last-saved time, Saving…, ✓ Saved, the distinct "Saved on this device" local-only state, and a visible retry on failed writes) plus a manual Save button that flushes the autosave engine immediately and confirms with a "Matter updated" toast — persistence is now obvious, never an inference.
Claims now have their own first-class workspace tab (⚖️ Claims, under "Build the case") — the full claims section (claim cards, legal elements, evidence status, adversarial exposure) moved out of Summary, which keeps a compact pointer card linking to the new tab.
Enforcement vision v2 — the human-decision invariant now leads and is scoped to juridical determinations across all three phases, Phase 3 is reframed as orchestration of bailiff-signed orders (never instrument generation), audit language is corrected to append-only/Law 25-aligned, geolocation proofs gain named safeguards (purpose limitation, retention cap, CAI review), the validators are corrected to the Chambre des huissiers de justice du Québec, the MJQ and the CAI, and a new "What could stop us" section names the three regulatory chokepoints.
Guided tour funnel fixes — tour-event writes that fail are now logged instead of silently destroyed, the admin funnel names each skipped step in plain language and explains the median timing, the empty state says how to start collecting data, sign-in errors are distinguished from pipeline errors, and the cohort section honestly states that no A/B experiment is running yet.
v7.96.96
Content / legal
Release v7.96.96
Tagged release v7.96.96.
v7.96.95
Content / legal
Release v7.96.95
Tagged release v7.96.95.
v7.96.85
Localization
Release v7.96.85 (#1726, #2145)
Legal clinics and NFP organizations get the first slice of the tailored-intake initiative — a versioned, bilingual (EN/FR required per field) form-builder primitive: org-owned form definitions with immutable published versions, a fail-closed definition validator, and a schema-driven renderer with client-side validation. Guest submissions and per-org theming remain gated pending the recorded counsel/founder decisions (ADR-0012).
Case-health stages drop all failure framing — "Not Viable" becomes "Getting started" and the stage (not the number) is now the headline — and the next-step panel shows exactly one recommended action with time/impact chips, with runner-ups collapsed behind "Other suggested steps".
v7.96.75
Content / legal
Release v7.96.75
Tagged release v7.96.75.
v7.96.50
Localization
Release v7.96.50 (#2116, #2117, #2119)
One-click unsubscribe (CASL/CAN-SPAM, RFC 8058) — signed unsubscribe links and List-Unsubscribe headers on reminder emails, a bilingual confirmation page, and a fail-closed suppression gate on all optional outbound mail.
Document lifecycle phase and suggested next step are now saved with each piece of evidence and safely backfilled on existing matters (versioned, loss-proof migration).
Browser evidence uploads now run through the full malware/CSAM scanner gate — flagged files and scanner outages are held and reported as auditable incidents, and not-yet-scanned large files are withheld (fail closed) instead of silently served while scanning is live.
v7.96.25
Content / legal
Release v7.96.25
Tagged release v7.96.25.
v7.96.15
Workspace & matters
Release v7.96.15 (#2083, #2118)
Self-hosting spike (ADR-0011) — opt-in standalone Docker image with a Cloudflare Tunnel sidecar proves the platform can run off Vercel; default Vercel builds are unchanged.
Audited and pinned the matter-share document-subset wall at the database layer — 23 new regression tests prove a shared-subset recipient can only ever read the exact documents shared with them, revocation is instant, and owners are unaffected.
v7.96.13
Content / legal
Release v7.96.13
Tagged release v7.96.13.
v7.96.8
Workspace & matters
Release v7.96.8 (#1928, #2115)
Local-drive matter sync Phase 3 — new `npm run matter:rescan` terminal drift check for a synced matter folder (read-only, same reconcile engine as the in-app rescan, fails closed on an invalid manifest), completing the ADR-0008 epic.
Sanitized developer logs (G37 guardrail) now also scrub bare 9-digit social insurance numbers, separator-less and international (+XX) phone numbers, and parenthesized phone forms — while leaving timestamps, version strings, court-file numbers and commit hashes readable.
Restore Vercel PR preview builds — remove the thin-spend-cap ignoreCommand now that spending limits were raised (2026-07-10).
v7.95.93
Workspace & matters
Release v7.95.93 (#2120)
Personal self-advocacy dossier (Phase 1) — organize your own documented chronology, filings, communications and outcomes into an exportable DOCX/ZIP dossier to request an inquiry; hard structural safeguards (no statistical claims, no conclusions about named bodies) per ADR-0006 §9.
v7.95.68
Governance
Release v7.95.68 (#0)
Internal governance — executive agent definitions updated with self-recorded lessons (compliance, finance, legal, product), a VP Marketing agent added with a truth-in-advertising mandate, and the per-agent memory store brought under version tracking.
v7.95.66
Ops / CI / infra
Release v7.95.66 (#2105, #2107)
Fixed the production build out-of-memory failure that blocked all deploys since 2026-07-09 — the build heap cap now uses the Vercel builder's actual memory (6144MB of 8GB instead of 4096MB) and webpack compile memory is reduced via Next.js webpackMemoryOptimizations.
v7.95.61
Workspace & matters
Version v7.95.61 (#2112)
Canadian citation verification against CanLII now uses the official REST API (caseBrowse endpoint with direct case-metadata lookup) — once an API key is configured, a neutral citation (e.g. 2008 SCC 9) is confirmed against CanLII's metadata with a clickable canonical link instead of silently failing.
v7.95.60
Jurisdictions
Release v7.95.60 (#1939)
The Research tab now includes a guided legal-research workflow — describe your problem in plain language and get back the applicable statutes and articles from a curated, verified registry (starting with bank-draft disputes and coercive tied selling), each with a clickable official source, a verification status, and CanLII search links for related case law. No confident registry match routes you to counsel review instead of a guess.
v7.95.35
Content / legal
Release v7.95.35 (#2085)
Deadline engine — added an exact calendar-anniversary "years" offset basis (quantième-à-quantième; delay computation per art. 2879 C.c.Q.) and re-pointed the 3-year personal-action prescription (art. 2925 C.c.Q.) to it, fixing the one-day drift the 1095-day approximation produced across a leap year (e.g. 2026-07-09 + 3 years now resolves to 2029-07-09, not 2029-07-08).
v7.95.30
Content / legal
Release v7.95.30 (#2094)
Québec court-deadline roll-forward now uses a primary-source-verified holiday table (art. 61 Loi d'interprétation + art. 82 C.p.c.), fixing four wrong/missing non-juridical days — the Journée nationale des patriotes, the July 2 Canada Day observance when July 1 is a Sunday, and December 26 / January 2 — so C.p.c. deadlines that land on those days are correctly extended to the next business day.
v7.95.25
Security
Release v7.95.25 (#2090)
The autonomous-PR security scanner no longer false-fails legal-content changes. It now flags a credential only when a line carries real secret material — a known provider token (Stripe/GitHub/AWS/etc.) or a credential-named assignment whose value is genuinely high-entropy — instead of matching the ordinary English word "key" in statutes, keywords or content slugs. Canadian government and court statute-source links (canada.ca, *.gc.ca, *.gouv.qc.ca, CanLII) are also recognized as legitimate legal citations rather than external-exfiltration URLs.
v7.95.20
Workspace & matters
Release v7.95.20 (#2093)
The matter workspace now shows a read-only "Matter version history" panel — the current version, what increments it, and a plain-language list of every change made to the matter since you opened it this session (parties, facts, exhibits, witnesses, documents, and key fields added, removed, or changed).
Matter timeline cards now keep their per-event detail (delivery/review/exhibit/fact/draft) collapsed by default behind a one-click "Show details" toggle, and the record-vs-event date pill explains on hover that a record can predate the event it confirms.
An admin can no longer approve or reject their own professional-verification (attorney/notary/paralegal) request — a different reviewer must sign off, enforced in the database so it can't be bypassed.
Statute citations in Legal Research now deep-link straight to the specific LégisQuébec article (e.g. art. 2925 C.c.Q. → CCQ-1991 ?code=se:2925) instead of the code's front page.
Matter timeline "recorded vs occurred" badges now report sub-minute gaps in seconds (e.g. "Recorded 5 seconds later") instead of rounding every tiny gap up to "1 minute", and a negligible sub-second gap now reads as "same" — so the magnitude is never overstated. Direction (before/after/same) is unchanged.
When you arm an official deadline, the confirmation dialog now surfaces the rule's doctrinal caveat (for example the "1095 days approximates 3 years" prescription note) and a "Source" link that opens the exact controlling article, so you can read the limit and verify the source before confirming.
v7.95.0
Content / legal
Release v7.95.0
Tagged release v7.95.0.
v7.94.59
Jurisdictions
Release v7.94.59 (#2007, #2086)
Every page now shows a persistent "Sortie rapide" (quick-exit) button — one click instantly replaces the page with a neutral site, no confirmation dialog, so someone in an unsafe situation can leave fast.
The "Sortie rapide" quick-exit button now meets the 44px minimum touch-target size and no longer overlaps the edition banner on small phones, so it is easier and safer to tap in a hurry.
v7.94.54
Content / legal
Release v7.94.54
Tagged release v7.94.54.
v7.94.29
Workspace & matters
Release v7.94.29 (#2008)
Add personal matter-naming conventions (manual/automatic/hybrid modes, a template engine, presets, and an anonymized privacy mode) with a new Paramètres → Dossiers settings page.
v7.94.4
Jurisdictions
Release v7.94.4 (#1974)
The official deadline-arming flow now has real Québec content — a first rule pack seeds the settled C.p.c. procedural delays (answer to summons, case protocol, appeal) and the C.c.Q. three-year prescription, so a matter can finally arm an official deadline; further housing, labour, small-claims and municipal-notice rules ship as review drafts pending counsel confirmation.
Local-drive sync now remembers the folder you picked — on Chromium it keeps the connection across reloads (re-asking permission when you return) and re-checks the folder every time you come back to the tab, showing a reviewable two-way summary of what changed on disk versus in the app (never auto-deleting or silently overwriting). On other browsers it stays on the one-time ZIP/folder export.
A completed marketplace transaction now flows through the Case-OS object lifecycle — it becomes a first-class service object, is materialised as a node in the matter's Evidence/Matter Graph, and (when a delivered artifact is known) emits the one shared DeliveryEvent as chain-of-custody proof; the HubSpot CRM step ships as an honest no-op seam that skips when unconfigured rather than faking a push, pending the Loi 25 PII review.
Legal content publishing now enforces separation of duties — a named Legal Content Director (distinct from generic admins) must approve, authors can't approve their own submissions, and review SLAs surface overdue items.
The guided intake ("Entrevue guidée") gains an optional import step — you can attach a folder, files, or a phone photo of the matter's documents while creating it, so a matter can start pre-populated instead of empty; skipping the step leaves manual creation unchanged, and attached documents flow through the existing evidence upload/OCR/classification pipeline once the matter is created.
Matter Timeline now supports filtering by event type, verification state, and date range, plus richer per-type detail (delivery method/status trail, review verdict/attribution, exhibit source document, fact P-refs) and an honest occurred-vs-recorded gap indicator.
Every promise on the one-time pricing cards (Case Builder, Litigation Pro, Executive) now maps to a real, shipped capability — six were confirmed as genuinely included and one Executive line that had no backing ("Risk, issue and option analysis") was corrected to the card's real unlimited-quota benefit, so the cards no longer advertise anything the purchase doesn't deliver.
Court e-filing now resolves an Electronic Filing Service Provider per jurisdiction and, when none is configured (the case everywhere today), returns an honest "e-filing is not available in your jurisdiction yet" response instead of the previous fallback that fabricated a "submitted" court receipt for a filing that never reached a court. A real provider adapter drops into the same seam later with no route changes.
Your demand letter now shows where it stands in its life — drafted, sent, delivered, awaiting a response, answered, or past its deadline with no reply — and the single next step for each, read straight from your delivery and deadline records so it can never disagree with them.
The "Projets enregistrés" header is now the "Assembled judicial record" panel — an honest completeness checklist (Parties/Facts/Chronology/Exhibits/Witnesses/Communications/Damages/Jurisdiction) plus a "Last assembled · Matter Version #n" provenance line on every generated document.
The marketplace's two investigator listings ("Asset investigators" and "Private investigators") are now one structured "🕵️ Investigations & Intelligence" category with nine subcategories (private investigators, corporate investigators, digital forensic specialists, fraud analysts, asset recovery specialists, background investigators, litigation investigators, surveillance providers, expert investigators) — existing provider records keep working under the new category.
The Communications hub is now the ONE place for every in-matter communication — the old standalone "Communications" tab (interaction log) is folded in as its own 📝 Log lane, emails now expand to show the full delivery status trail and a clickable proof-exhibit link, and one shared filter bar (direction, date, party, has-proof) works across emails, calls, and correspondence.
Professional verification now confirms the claimed kind (attorney/notary/paralegal) matches the credential — mismatched kinds are rejected at intake against a known issuing authority, and reviewers must confirm "kind matches credential" before approving.
v7.92.54
Content / legal
Release v7.92.54
Tagged release v7.92.54.
v7.92.9
Intake & onboarding
Release v7.92.9 (#2003, #2010, #2012)
Added a tiered document-extraction pipeline (lib/intake/tiered) — the trust layer before scaling imports: tier-1 native text-layer extraction (real), a tier-2 OCR seam with a vendor-swappable adapter registry (no paid vendor wired yet), and a correction layer that flags low-confidence spans for review, with append-only per-span provenance so extraction never overwrites evidence (ADR-0010).
The parcours search bar is now stage-aware — from inside a matter, the same search surfaces stage-appropriate next steps first (e.g. "gather evidence and contact them directly" before an attempt, "file with CNESST/TAT" after a failed one), reading the matter's own resolution-attempt history.
v7.91.84
Content / legal
Release v7.91.84
Tagged release v7.91.84.
v7.91.79
Jurisdictions
Release v7.91.79 (#2004)
The Resolution Centre now shows a "Probable forum" panel once a problem type and prior-attempt stage are known — informational suggestions (e.g. a rental dispute pointing toward the Housing Tribunal, or a $50,000 claim pointing toward Cour du Québec) built from the verified Jurisdiction Registry, with a "confirm the forum" step to pick the actual court/district yourself.
v7.91.54
Workspace & matters
Release v7.91.54 (#2059)
Admin and founder accounts are now unlimited by role — they no longer hit the free-tier matter/dispute/storage caps or see an upgrade paywall for any feature, at both the app layer and the database.
v7.91.49
Intake & onboarding
Release v7.91.49 (#0, #2010)
The guided intake now asks "Have you already tried to resolve this problem?" right after the legal-issue question — the answer sets the matter's lifecycle stage and, if you already tried, records who/how/what happened so the next suggested step reflects it.
Fix production build failing with a JavaScript heap out-of-memory error by raising the Next.js build heap ceiling to 4 GB.
v7.91.44
Content / legal
Release v7.91.44
Tagged release v7.91.44.
v7.91.19
Evidence
Release v7.91.19 (#2022)
New Matter Timeline tab — a unified, read-only chronology of every chronology fact, delivery, exhibit, and attorney review, each entry showing when it happened vs. when it was recorded and linked to its evidence.
v7.90.94
Intake & onboarding
Release v7.90.94 (#1978, #2028)
Continued the systemic INP sweep (#1978, phase 3) — memoized the row/card components in the Investigation, Classify, Pleadings, and Clerk Filings tabs so an edit to one item no longer re-renders every other item in the list.
Professional legal-terminology review pass on the US constitutional Amendment summaries (HomeLanding US_RIGHTS) — corrected a Portuguese false-friend term and aligned Chinese/Hebrew phrasing to recognized doctrinal terms for pt/zh/he; ar/pa/de/it confirmed against sourced references.
v7.90.89
Localization
Release v7.90.89 (#2012, #2042)
Added an intent-search bar to the Resolution Centre — describe your problem in plain language (or pick a category chip) to find the right pre-litigation pathway among the 13 dispute types, with a visible "why" for every match.
Translated the accumulated 67 locale-incomplete LocalizedText literals in ReviewPackage.tsx, ReviewPackageActions.tsx, DocumentWorkflowCard.tsx and InvestigationObjectivesSection.tsx to the full 10-locale set, clearing the i18n-localizedtext debt #2027 flagged and fixing DocumentWorkflowCard.tsx's active ratchet regression.
Fixed the Momentic E2E suite's Spanish tests to match the documented fallback design (body content falls back to English with the machine-translation banner on pages without a Spanish overlay) and repaired the broken lint:momentic script with a single-source pinned CLI version.
New Jurisdiction Master Registry (27 QC courts/tribunals/regulators, sourced and provenance-tagged) with a guided Province → District → Institution → Section picker in the matter-intake wizard.
v7.90.34
Content / legal
Release v7.90.34
Tagged release v7.90.34.
v7.90.29
Workspace & matters
Release v7.90.29 (#2015)
Added the unified Communications hub (Slice 1) — one tab with sub-views for internal messages, emails, calls/voicemail, and correspondence, projected read-only from existing matter data.
v7.90.4
Workspace & matters
Release v7.90.4 (#2044)
In-matter message threads are now created atomically — a database-level unique constraint eliminates the last window where two people replying at the same instant could split a conversation into two threads.
v7.89.99
AI & automation
Release v7.89.99 (#2033)
Gated the SKU-granted feature flags at their real surfaces — War Room, Exhibit Registry, Command Center and practice tools now lock behind an upgrade CTA in the workspace, and the AI-extraction route and support-ticket priority now check the same resolved capability server-side, so buying a SKU unlocks real, enforced access end to end.
v7.89.89
AI & automation
Release v7.89.89 (#2001)
Fixed a multi-second input freeze in the chronology's Fact Proven / Narrative fields — a long AI-assisted edit no longer blocks typing.
v7.89.84
Workspace & matters
Release v7.89.84 (#1876, #1898)
Added regression coverage for matter Messages' real sender names, bounded message loading, and the thread-creation race mitigation.
v7.89.79
Localization
Release v7.89.79 (#2027)
Translated AssistedCheck.tsx's 19 locale-incomplete strings (labels, errors, flag categories) to the full 10-locale set, closing the gap #1990 left absorbed-but-untranslated in the i18n-localizedtext ratchet.
v7.89.74
Notifications & email
Release v7.89.74 (#1873)
Fixed the Deadlines panel sometimes showing "Next reminder" as a date already in the past — it now always picks the soonest FUTURE reminder tier, or shows an overdue indicator when every unlogged tier has already elapsed; also fixed two comments still pointing at the renamed migration 0158→0159.
v7.89.69
Evidence
Release v7.89.69 (#2016)
The "Have it served by a bailiff" link now carries the matter to the service form, so a bailiff request can be linked back to your matter and its delivery proof.
v7.89.68
Content / legal
Release v7.89.68 (#2020)
Verified notaries now receive real professional review attribution instead of falling back to self/on-behalf.
v7.89.63
Marketplace
Release v7.89.63 (#1899)
Added the admin UI for the Justice Analytics™ oversight review-package pipeline (P2 disparity index → P3 entity profile → P4 review package) — previously the `POST /api/admin/justice-analytics/review-package` route (#1858) had no form, so generating a submission required hand-crafting the request JSON. The new panel on `/admin/justice-analytics` renders entity, oversight-body, and per-dimension cohort inputs, and displays the framing, findings, and rendered submission text the API returns, with real loading/forbidden/backend-disabled/error states and no fabricated data.
v7.89.53
Content / legal
Release v7.89.53 (#2009)
Fixed the Québec judicial-district list to the correct 36 legal districts (was 38) by moving the "Gatineau"/"Saguenay" chef-lieu city names into a district-alias map that still resolves to Hull/Chicoutimi during document extraction.
v7.89.52
Jurisdictions
Release v7.89.52 (#0)
Resolution pathway steps now track the full lifecycle — Drafting, Under review and Approved to send before submission, plus a distinct Acknowledged / received state with its own date, since receipt confirmation (not the sending date) starts regulatory response clocks like the AMF 60-day window.
v7.89.42
Payments
Release v7.89.42 (#1991, #2031)
Launched the Investigation Hub landing page (/investigations) — a real, paid coordination-fee intake for five investigation objectives (asset discovery, person location, corporate intelligence, fraud, litigation support), with an honest "coming soon" state for joining as an investigator and no matching-engine or reputation claims anywhere on the page.
One-time SKU purchases (Case Builder, Litigation Pro, Executive) now unlock real capabilities and quota through a single entitlement resolver, closing the revenue loop from payment to product access.
v7.89.32
Content / legal
Release v7.89.32
Tagged release v7.89.32.
v7.89.7
Evidence
Release v7.89.7 (#1971, #1999)
Added a free Print & Mail package generator on the Export tab — a real cover letter, envelope and mailing-label, a non-advisory mail-class guide, and self-reported tracking/delivery-confirmation capture that mints the #1968 proof exhibit once delivery is confirmed.
Massive bulk import now self-heals a failed cloud save (session refresh + resync, one retry) with three distinct messages, keeps the session alive for hour-long imports, and lets you retry only the files that failed.
v7.88.82
Content / legal
Release v7.88.82
feat: add free Print & Mail package generator (#1971) (#2026).
v7.88.77
Workspace & matters
Release v7.88.77 (#1969)
The Deadlines panel now flags a confirmed delivery whose response window passed unanswered and surfaces your matter's own next-step options, informational only.
v7.88.67
Evidence
Release v7.88.67 (#1962)
Documents now persist a versioned evidence registry and freeze into an immutable, provenance-pinned snapshot once served/filed/archived — re-opening a filed draft forks a new version instead of silently mutating it.
v7.88.57
Content / legal
Release v7.88.57 (#2000)
Fixed a date-extraction bug that silently parsed US M/D/Y dates (and Gmail print-footer timestamps) as D/M/Y, planting phantom future facts in the chronology; ambiguous dates are now flagged for review and future-dated facts are auto-flagged "needs verification".
v7.88.52
Evidence
Release v7.88.52 (#1978)
Reduced input-latency (INP) render cost in the journal, commitments, exhibit-registry, and evidence workspace tabs by memoizing per-row components and stabilizing their callback props.
v7.88.47
Workspace & matters
Release v7.88.47 (#1972)
Structured attorney-review package (matter summary + draft + linked exhibits + timeline) with Approve / Request changes / Reject verdicts — honestly labeled as a platform-verified professional's sign-off or "recorded on behalf of," never fabricated.
v7.88.22
Notifications & email
Release v7.88.22 (#1967, #1970)
Documents can now be transmitted by email with proof — the platform hashes the exact attached file, sends it, and automatically archives the transmission as a court-ready exhibit. Disabled with honest copy on instances with no email provider configured.
Bailiff service requests now support real document attachment (scan-gated), an immutable quote snapshot, and matter-linked delivery tracking when a matter is provided.
Legal citations now carry an auditable provenance chain (official versioned source, version date, last-verified timestamp) — the Keep the Date panel's "Authorities to verify" list shows a verified/pending/missing/invalid status per citation instead of a bare unverifiable label.
v7.87.62
Litigation
Release v7.87.62 (#1942)
The procedure status picker's "(other track)" suffix — internal jargon — now reads "(your current status)", telling users plainly that the marked option is their procedure's real, presently-selected status.
v7.87.61
Accessibility
Release v7.87.61 (#2005)
The "New matter" button is now the green primary action ("New legal matter") — high-contrast, 44px touch target — making the main workflow entry point visually dominant.
v7.87.60
Workspace & matters
Release v7.87.60 (#1898, #1921)
Matter collaborators can now see who else has access and real names/masked emails in Messages — no more empty rosters or raw sender ids.
v7.87.55
Payments
Release v7.87.55 (#1992)
Registered juge.ca for Apple Pay — the Stripe domain-association file is now served at /.well-known/, fixing the unreadable Apple Pay payment sheet reported on iOS during checkout.
v7.87.54
AI & automation
Release v7.87.54 (#1966)
Added "Assisted check" — an AI review pass over a finished draft that surfaces informational flags (completeness, tone, structure, citations, readability), never a legal-adequacy verdict.
v7.87.44
Workspace & matters
Release v7.87.44 (#1978)
Performance hardening (phase 1 of a multi-part sweep) — stabilized Workspace's core save function so it's no longer rebuilt on every keystroke, and made the Proceedings and Parties tabs re-render only the row you actually edited instead of the whole list.
v7.87.39
Content / legal
Release v7.87.39 (#1981, #1982)
Deadline engine now models art. 83 C.p.c. holiday roll-forward (Saturday/Sunday/QC statutory holiday expiries advance to the next juridical day) and every rule can carry a clickable citation source, shown as a link when arming a deadline.
v7.87.34
Notifications & email
Release v7.87.34 (#1969)
The matter now has a single, audit-trailed DeliveryEvent record per service attempt (email, bailiff, or registered mail) — linked to the exact artifact hash served, and ready for a court deadline to anchor on the confirmed delivery date.
v7.87.24
Intake & onboarding
Release v7.87.24 (#1958, #1960)
Promoted subpoena and notice-presentation from default-YELLOW to explicit RED in the classification risk-tier registry, per Julien's doctrinal follow-up (coercive/deadline consequences — arts. 279-282, 146, 761 C.p.c.).
v7.87.23
Content / legal
Release v7.87.23 (#1965)
Documents now show a review/approval status (Draft, Under review, Approved) with a clear self-review vs. professional-review badge, so you always know if a draft is ready to send.
v7.87.13
Notifications & email
Release v7.87.13 (#1968)
Delivery methods (email, bailiff, mail) can now auto-file an exhibit the moment delivery is confirmed, with no chance of a duplicate or a colliding exhibit number.
v7.87.3
Notifications & email
Release v7.87.3 (#1961)
A generated resolution document now shows a "what would you like to do next?" card — download the full package, schedule a follow-up reminder, order bailiff service, or invite a collaborator to review.
v7.86.78
Notifications & email
Release v7.86.78 (#1947)
Document intake now labels which source produced a filing date (email header / document text / file metadata / import date) and offers detected candidates to pick from; skipped-unsupported files are listed by name and reason instead of a bare count; office/data files (xlsx, pptx, csv, ods, odp, rtf) are stored as evidence without OCR instead of being dropped.
v7.86.73
AI & automation
Release v7.86.73 (#1963)
Fixed a chronology grid performance bug where editing, AI-suggesting, validating, or disputing one fact re-rendered every row instead of just the one that changed (up to ~400ms delay on large chronologies).
v7.86.68
Evidence
Release v7.86.68 (#1962)
Exhibit list, affidavit and originating-application drafts now assemble from the WHOLE matter (exhibits + evidence documents + chronology), so a matter with real evidence never again shows "(no exhibits)".
v7.86.58
Evidence
Release v7.86.58 (#1950, #1964)
Massive-corpus import (Phase A): a resumable, journal-backed bulk import for matters with 35,000+ files — ingest-first storage, sha256 dedupe, batched backpressure, and deferred background enrichment.
Fixed a 4.7s freeze when closing a document preview on evidence-heavy matters — closing the viewer no longer re-renders the whole evidence list.
v7.86.53
Content / legal
Release v7.86.53
Tagged release v7.86.53.
v7.86.43
Intake & onboarding
Release v7.86.43 (#1948)
Document classification is now risk-tiered — procedural labels like judgment/order, seizure, and transcription can never be auto-applied, require an explicit confirmation with a structural-marker check, and bulk-apply now opens a reviewable preview instead of one-click-mutating dozens of records.
v7.86.18
Intake & onboarding
Release v7.86.18 (#1946)
Matter references could display with different zero-padding on different screens (e.g. "M-2026-0016" in the import wizard vs "M-2026-016" on document badges) for the same matter, risking wrong-matter file association. Every matter now carries one stored canonical reference rendered verbatim everywhere; existing matters self-heal on load, and a reference collision between two distinct matters produces a visible warning instead of a silent merge.
v7.86.13
Workspace & matters
Release v7.86.13 (#1945)
Fixed import-review party names being truncated to 2-character fragments on scanned/photographed documents, and stopped extraction from auto-committing a party role — every suggested role now requires explicit user confirmation before a Party record is written.
v7.86.8
Accessibility
Release v7.86.8 (#1955)
Fixed unreadably light text on the printable binder and hearing-package previews — the white "court paper" cards were inheriting dark-theme text colors; document text now renders in proper dark ink, and empty-section placeholders gained contrast.
v7.86.7
AI & automation
Release v7.86.7 (#1938)
Chronology AI actions no longer dead-end on "forbidden" for a matter that hasn't synced to the cloud yet — the app now self-heals with one resync + retry, or explains what to do.
v7.86.6
Content / legal
Release v7.86.6 (#1934)
New "Emergency recovery following a criminal act" pathway (seizure before judgment, criminal-restitution and IVAC parallel tracks) — the resolution engine's first urgency variant.
v7.85.81
Workspace & matters
Release v7.85.81 (#1941)
Fixed a workspace performance issue where typing in matter fields (notes, summaries, communications) could briefly freeze the page while every keystroke re-saved the whole case file.
v7.85.80
Evidence
Release v7.85.80 (#1937)
Participant roles expanded to the full Québec party taxonomy — Parties, Representatives, Evidence, Court officers and Others (21 roles total), grouped in the party picker instead of collapsing everyone into "Other".
v7.85.79
Workspace & matters
Release v7.85.79 (#1916)
The workspace rail now starts collapsed for brand-new zero-matter accounts (auto-expanding once a first matter exists) instead of showing dozens of disabled items on first visit.
v7.85.74
Workspace & matters
Release v7.85.74 (#1932)
Added "Sync to folder" and "Import from folder" to the Export tab — materialize a matter to your own hard drive (Chrome/Edge live folder write, ZIP fallback everywhere) and manually re-import raw files back in, with a strict fail-closed manifest check and a full sync summary.
v7.85.49
Jurisdictions
Release v7.85.49 (#1877, #1906)
Paged operators on failed one-time-SKU entitlement writes, closed a filing-error dual-field-name gap, consolidated duplicate EFSP error classes, fixed a stale editorial-queue busy-state race, and completed the Axis-2 integrations doc to all 34 gates — a batch of small, verified review-bot follow-ups.
v7.85.44
Evidence
Release v7.85.44 (#1927)
Import a whole case folder from your hard drive — subfolders and their files come in together, organized in the Evidence library as a folder tree that matches your own filing, plus an import inventory showing exactly what came in.
v7.85.19
Workspace & matters
Release v7.85.19 (#1925)
Fixed the Resolution tab's document generators (complaint letter, follow-up, ombudsman submission, regulatory complaint, settlement proposal, history of attempts) dead-ending — clicking one now generates the draft from the dossier and opens it directly in the Documents editor.
v7.85.14
Content / legal
Release v7.85.14 (#1897)
Procedures status picker: the 30-status guided picker is now collapsed behind an explicit "Update status" action per card, so a first-time self-rep user sees only the status badge and phase by default.
v7.85.9
Ops / CI / infra
Release v7.85.9 (#1891)
Post-deploy chunk-skew recovery — a stale-chunk error after a deploy now auto-reloads once instead of dead-ending on the error screen.
v7.85.4
Payments
Release v7.85.4 (#1894)
Hardened all four checkout routes (service, billing, ops, copilot) to never echo upstream payment-provider error text to the public — production E2E caught a Stripe key-shaped message being returned verbatim. Details are now logged server-side only; clients receive a generic retryable message.
v7.84.99
Payments
Release v7.84.99 (#1887)
Case Builder ($495), Litigation Pro ($1,495) and Executive ($4,995) are now real one-time purchases on the pricing page, with server-side pricing, edition-aware Stripe accounts, and a purchaser-only entitlement ledger.
v7.84.74
Workspace & matters
Release v7.84.74 (#1909)
The pre-matter portfolio view now shares the workspace's persistent sidebar chrome — case-file and phase sections are visible but dimmed with a "open a matter to use these" hint, and a highlighted Home entry marks where you are, so opening a matter feels like one continuous app instead of two.
v7.84.69
Litigation
Release v7.84.69 (#1904)
Fixed the procedures status picker losing the current status (and the served/filed record disappearing) when a procedure's adjudicated flag or hold status changed — both are now always visible.
v7.84.64
Jurisdictions
Release v7.84.64 (#1907)
Hearing binders and the assembly guide now render as real, printable documents (not raw .md downloads), the Export tab shows an honest "add exhibits/facts first" notice on a sparse matter instead of a near-blank package, generating the hearing package visibly scrolls to and highlights it, and bundle drafts (e.g. the lawyer hand-off / attorney-brief pack) now keep their own correct document type.
v7.84.59
Litigation
Release v7.84.59 (#1903)
Fixed a filing-status defect where a simulated (non-live) e-filing could look identical to a real court filing; the workspace now shows a distinct, unmistakable "simulation only" notice whenever a filing was not actually transmitted to a court.
v7.84.54
Evidence
Release v7.84.54 (#1896)
Replaced the client workspace's horizontal tab-strip + "More" dropdown with a persistent, collapsible left sidebar (desktop) — Exhibit Registry and Witnesses are now pinned alongside Chronology/Evidence/Deadlines, and the Build/Resolve/Court/Enforce sections are always visible instead of hidden by matter stage.
v7.84.49
Workspace & matters
Release v7.84.49 (#412, #426, #1870)
The workspace's filing action now calls the real, hardened e-filing route (idempotency + audit + structured errors) instead of a client-side mock — offline/local-only mode keeps its mock test tool, and every outcome (success, validation, not-yet-enabled, session, network) shows a real, honest message.
v7.84.39
Governance
Release v7.84.39 (#1871)
The admin editorial queue now shows a clear notice when a publish is blocked by the legal-review compliance gate, instead of silently reverting with no explanation.
v7.84.34
Security
Release v7.84.34 (#1861)
Added a server-side authentication gate to the /app workspace layout — the single chokepoint for every /app/* route (workspace, professional, client, settings, and siblings). Unauthenticated visitors are now redirected to login instead of rendering the workspace shell; previously data isolation relied solely on API-layer RLS. Local preview with no Supabase backend still falls through so development is unblocked.
v7.84.29
Payments
Release v7.84.29 (#0)
Pricing checkout: a cancelled Stripe session now returns to Pricing with a clear "no charge was made — try again" banner instead of a silent dead end; added docs/BUYABLE_PATH_MAP.md mapping every marketed offering to its checkout status.
v7.84.24
Notifications & email
Release v7.84.24 (#0)
Added in-matter messaging — collaborators on the same matter can now compose, send, and read messages inside the workspace, no external email required.
v7.83.99
Payments
Release v7.83.99 (#1872)
Fixed the 14-day-trial anti-farming guard failing open, and forwarded the caller locale to Stripe Checkout so Québec French sessions are guaranteed French (fr-CA) contract terms at payment (LPC contract-formation, per compliance review #1883) — under the live subscriptions schema a cancel-and-resubscribe customer has multiple rows, the previous single-row lookup errored unchecked and granted a fresh trial. The lookup now tolerates any row count and any query error fails closed (no trial; the returning customer is simply billed normally).
v7.83.94
Notifications & email
Release v7.83.94 (#1868)
Matter procedures now show a granular, legally-reviewed workflow status (planning → preparation → review → execution → post-execution, plus holds) and split clearly into "on the record" vs "in preparation", with a non-advice compliance note where filing/notification is recorded.
v7.83.69
Notifications & email
Release v7.83.69 (#70, #1717, #1852)
Enforced the §7.3 Legal Content Director sign-off gate in the research-submission pipeline. The admin review route now refuses to advance a submission to "approved" or "published" without the legal_review sign-off when LEGAL_CONTENT_REVIEW_REQUIRED is set — closing the gap where the legalContentPipeline readiness flag reported an active review gate that nothing actually enforced. Blocked publish attempts are audited.
Deadline reminders now prove they fire end-to-end and always leave a visible in-app record, even when email/SMS aren't configured.
Timeline wall — added the dispute/flag toggle companion action on chronology rows; a flagged fact now flips its Status badge to "Conflict" (independent of auto-detected date conflicts), completing #1646's acceptance criteria (the Narrative AI-generate button, Validate action, and source-edit UI already shipped in earlier slices of epic #1644).
Justice Analytics™ fairness/disparity engine is now reachable via a new admin-only oversight surface (k-anonymous demographic aggregate view + review-package generation), closing epic #1703.
Court filing submissions are now idempotency-guarded and audited end-to-end — a retried or double-clicked filing reaches the (sandbox/mock) e-filing provider exactly once, every attempt is recorded in the audit log, and a transient provider failure releases the retry safely.
Fixed early-access/waitlist/newsletter signups — the newsletter_signups table the /api/newsletter route writes to was never created by any migration, so every signup failed with a 500 and was lost; adds migration 0158 (table + service-role-only RLS) and upgrades the command-center "Newsletter signups" metric to a windowed today/week/month/all reach trend.
Added a Momentic public-surface E2E test library (200 natural-language tests across smoke, content, marketplace, experts, verticals, compliance, i18n, RTL, and accessibility) with per-suite npm label scripts and a lint gate.
Added a 14-day free trial on the Pro and Premium plans — card collected upfront, auto-converts to paid at day 14. New customers only (a repeat subscriber gets no second trial), enforced by a pure trial gate (lib/billing/trial.ts) wired into the subscription checkout; entitlement already counts trialing subscriptions, so no migration is needed. Trustee-practice ("Pratique du syndic") and professional tiers are intentionally excluded pending compliance clearance.
v7.83.44
Content / legal
Release v7.83.44
Tagged release v7.83.44.
v7.83.19
Localization
Release v7.83.19 (#0)
Fixed the admin login 404 — /admin/login (and /<locale>/admin/login) now redirect to the real login with a return to /admin, instead of dead-ending on a 404 for anyone who tries the intuitive admin-login URL.
v7.83.14
Content / legal
Release v7.83.14 (#1703, #1711)
Added Justice Analytics P4 — the oversight review-package generator that assembles gated disparity findings into an oversight-body submission (fixed neutral framing, non-determination disclaimer, methodology + confidence), never published and never submittable on a null result.
v7.83.4
Security
Release v7.83.4 (#68, #1462, #1644, #1653, #1809)
Completed the legal-accuracy review of AI-authored chronology narratives — UPL-safe by construction (the prompt forbids legal conclusions/advice/predictions), with conditions requiring the AI-content notice and non-certifying "Validate" framing on the litigant surface.
Added the operator user-migration tooling — read-only inventory, conservative real/test classification, and a HubSpot export that records every export on the tamper-evident audit chain (fail-closed) — with a 5-step safe-sequence runbook.
Added Justice Analytics P3 — defamation-safe named-entity profiles that surface only gated disparity findings using fixed safeguard language (never conclusory prose), locked to oversight-review audience with mandatory methodology disclosure.
Session dump for the 2026-07-06 changeset-pipeline + compliance close-out session.
v7.82.64
Content / legal
Release v7.82.64 (#1674, #1679)
Resolved the Guided Tour Phase 0 open questions — keep the 5-beat spine, localStorage persistence for v1, open on scroll/intent (not every visit), silent by default; demo legal copy routed to compliance.
v7.82.59
Privacy (Law 25)
Release v7.82.59 (#1644, #1652)
Completed the Loi 25 review of ai_fact_feedback — the shipped table is metadata-only (no raw case-fact text), with matter/author cascade-delete and matter-access RLS; raw-text storage remains prohibited pending a separate assessment.
v7.82.54
Content / legal
Release v7.82.54 (#1703, #1709)
Added the Justice Analytics Fairness Engine — a pure, methodology-gated Disparity Index that computes residual post-control disparity, a two-sided confidence, and a min-N/confidence reportable flag (raw gaps that explain away after controls are not reportable).
v7.82.44
Privacy (Law 25)
Release v7.82.44 (#1816)
Fixed the Loi 25 data-subject export registry — matter_shares is now exported (sharer + recipient), the matter-share allowlist join tables are classified, and marketplace_engagements exports its matter_id link.
v7.82.43
Privacy (Law 25)
Release v7.82.43 (#68, #1462, #1834)
Added the Loi 25 privacy impact assessment for the HubSpot user export, recorded the HubSpot DPA in the subprocessor register, and published a HubSpot CRM processing disclosure on the privacy pages (en/fr/es).
v7.82.38
Content / legal
Release v7.82.38 (#1462, #1832)
The delete-user admin script now audits every deletion to the tamper-evident chain (fail-closed), deletes atomically, refuses to remove users who own matters, and requires a typed confirmation phrase.
v7.82.33
Ops / CI / infra
Release v7.82.33 (#1629, #1829)
check-version-advances now skips the strict-advance rule for changeset PRs, so a PR that drops changes/*.md (instead of hand-bumping) passes the required CI gate.
v7.82.28
Release metadata
Release v7.82.28 (#1629)
Added changeset-based versioning tooling (changes/ + changeset/check-changeset/apply-changesets scripts) so PRs stop conflicting on the version and changelog files, paired with a merge-queue proposal — the fix for concurrent-merge version churn.
v7.82.23
Content / legal
Release v7.82.23
Tagged release v7.82.23.
v7.82.03
Ops / CI / infra
Release job authenticates via RELEASE_TOKEN so it can push past branch protection (#1629)
The auto-version-bump job now checks out with an admin RELEASE_TOKEN, letting it push the chore(release) commit to protected main (the github-actions bot was rejected by required status checks) — the changeset release pipeline is now unblocked end to end.
v7.81.98
Release metadata
Release versioning now runs on changesets: auto-version-bump calls apply-changesets (#1629)
The release workflow now materializes version + bilingual changelog + package-lock from changes/*.md changesets at merge, ending the concurrent-merge version churn that made PRs conflict on the version and changelog files.
v7.81.88
Release metadata
Changeset tooling hardening: package-lock.json version bump + lockfile-drift guard (#1826)
apply-changesets.ts now bumps package-lock.json's version fields alongside package.json, so the #1629 changeset workflow lands without lockfile drift.
version-governance now asserts package-lock.json matches lib/version.ts, catching the lockfile drift Devin flagged on #1824.
Added the insolvency lane's two compliance guards. The counsel-gate keeps every trustee/bankruptcy professional-facing surface LOCKED until counsel-review artifacts for the CA and US lanes are on file as complete and approved — an agent cannot flip it. The referral-fee guard permanently prohibits referral fees, pay-for-placement, per-lead/per-case/contingent pricing and trustee-funded advertising in the insolvency lane (BIA s.49 for Canada; Rules 5.4/7.2(b) for the US) — a structural, un-overridable constraint, unit-tested. No regulated surface is enabled by this change: it only adds the enforcement that keeps the lane closed until counsel signs off.
Recorded two standing governance/ops documents in-repo: the Legal Content Directors 2026-07-02 sign-off and risk-acceptance for the QC/CA/US content, and the operational note on why the Supabase GitHub migration integration must stay off (it conflicts with the build-time migration runner). Documentation only — no runtime change.
v7.81.71
Litigation
M4 Pleadings lands: one case theory per matter, 8-part motion packages, and the draft judgment written first — the litigation engine's output layer (+25, newStandaloneTool)
The last unstarted Phase-1 engine module ships. A new Pleadings workspace tab holds the matter's single structured case theory — what happened, why it's unlawful, who is responsible, the damage, the remedy — and the database refuses a second one. Each motion is assembled as the roadmap's 8-part package (procedure, notice, affidavit, authorities pulled from the Authority Bank, exhibits pulled from the R-n registry, draft judgment, service proof, filed version), referencing chronology facts and admissions by their registry-issued ¶ numbers — argument references evidence, it never copies it. The invariants live in the schema, not in copy: a package cannot leave draft without a draft judgment (a CHECK constraint), the one-page focus test gates readiness in the client, the status ladder never skips a rung, and a filed package is frozen by trigger — an immutable court record. Editing the theory after a motion is assembled surfaces a drift warning, because conflicting theories across motions destroy credibility. RLS scopes every row to the matter's access grants, the API mirrors each rule so a blocked transition explains itself instead of erroring, and every cloud save mirrors the theory and packages into the normalized registry so the workspace, the API and attorney surfaces read the same reality.
v7.81.61
Ops / CI / infra
Ops: a fast-failing migration preflight so deploys stop hanging on the IPv6-only DB host (#1532)
Added a preflight to the migration runner: when strict migrations are required (REQUIRE_MIGRATIONS=1) but the connection points at the IPv6-only Supabase direct host, the build now fails immediately with the exact remediation (use the IPv4 session-pooler URL) instead of a 15-second hang and a cryptic network error. It does not weaken the gate: reachable pooler hosts still run.
v7.81.56
Security
Security tooling: enable leaked-password (HIBP) protection via the Supabase Management API (#1516)
Added operator-run tooling that enables Have-I-Been-Pwned leaked-password protection through the Supabase Management API and verifies the setting after applying it rather than assuming it is on; requires the operators own token, so nothing is flipped automatically.
v7.81.31
Jurisdictions
Content: wire the jurisdiction-hub editorial layer behind validation (#1485)
Wired the jurisdiction-hub editorial layer: key contacts and curated resources render on a jurisdiction page only once a human-verified scaffold passes validation. The registry ships empty, so nothing editorial is fabricated — sections light up only when an editor imports a verified scaffold.
v7.80.71
Release metadata
Tooling: changeset-based versioning + a merge-queue proposal — the fix for concurrent-merge version churn (#1629)
Added changeset-based versioning tooling: each PR drops one file under changes/ instead of editing lib/version.ts and the changelog, so concurrent PRs stop conflicting on those two files; the version bump and one bilingual changelog entry are materialized once at merge time. Ships with a create/list command, a PR gate, the merge-time apply script and unit tests — inert until the CI gate and version-bump workflow are switched over per the proposal in docs/proposals/0001.
v7.80.46
Evidence
Ops (#71): portable, application-level matters/evidence backup + restore — service-role-key-only JSON export/import, no direct Postgres connection required, complementing the existing pg_dump backup plan.
New `scripts/backup-matters.mjs` / `scripts/restore-matters.mjs`: the former exports `matters`, `matter_access`, `evidence_items` (plus a metadata-only inventory — never file bytes — of the private `evidence` storage bucket) to a timestamped JSON file + a manifest (sha256 checksums, row counts) written to the gitignored `ops-exports/` directory; the latter restores from that file in dry-run mode BY DEFAULT (nothing written without `--apply`), refuses to overwrite a row that is newer live than in the backup unless `--force`, and rejects a tampered or truncated backup file outright (integrity check runs before any database access).
New pure module `lib/ops/matter-backup.ts` (no I/O) shared by both scripts — computes the manifest/checksums and the row-by-row diff logic (insert / update / skip-identical / refuse-live-newer / force-overwrite). Covered by 11 new tests (`lib/ops/__tests__/matter-backup.test.ts`) that round-trip synthetic fixtures entirely in memory — explicitly NO live database connection.
New `docs/runbooks/BACKUP_RESTORE.md`: full procedure (dry-run first, then apply), a schedule recommendation (cron and launchd examples), and a retention recommendation specific to this new tool — cross-links `docs/BACKUP_RESTORE_RUNBOOK.md` (the existing whole-schema pg_dump/PITR procedure) in both directions; the two are complementary, neither replaces the other.
`package.json`: new `ops:backup-matters` / `ops:restore-matters` scripts, plus wiring the previously-orphaned `verify:backup-schedule` script (it existed but was never hooked to an npm command). `.gitignore`: added `/ops-exports/` (real matter/evidence data — never committed).
Restoring actual evidence file content is deliberately out of this tool's scope (the manifest captures storage object metadata only) — still covered by Supabase Storage's own backup path; see the scope note in `IMPLEMENTATION_71.md` for the remaining human follow-up (a scheduled CI workflow, since `.github/workflows/` is human-only in this repo).
v7.80.45
Intake & onboarding
The Phase-1 integration handoff closes: a matched attorney can now receive the scoped dossier — on the client's explicit action, never automatically (+10, existingToolUpgrade, #1810 / epic #63).
The litigation engine and the marketplace finally shake hands. When the matching pipeline sends your request to attorneys and one accepts, the matter's sharing panel now lists your matched attorneys next to the existing share-by-email form — one click hands over the dossier with exactly the permission and scope you selected (read-only targeted review of chosen documents and exhibits, or full collaboration), enforced at the database like every other share.
Sharing is never automatic: a match is a lead, not consent to read a litigation file, so nothing moves until you decide. The engagement is stamped with the matter it now serves (first-write-wins — an engagement already linked to a different matter is refused), and an audit entry records the handoff.
New `lib/matter-shares/create-share.ts` extracts the single server-side share implementation (ownership gate → insert → allowlist dual-write → audit) so the existing email-share path and the new matched-attorney path can never drift apart. New `POST /api/engagements/[id]/share-dossier` requires the caller to BE the engagement's client (RLS + explicit check), the engagement to be accepted/in-progress/completed, and the attorney to be onboarded — belt-and-suspenders checks kept even where RLS already narrows the same case.
v7.80.35
Ops / CI / infra
Reliability (CI): the automated Playwright smoke check no longer reports false failures, restoring confidence in an automated quality signal (#1799).
The Playwright smoke check (an automated sweep that loads every public route to catch regressions before they reach production) had been reporting 429 'too many requests' errors on effectively every run since a recent anti-abuse hardening pass added rate limits to two anonymous-telemetry endpoints. The smoke check's rapid page loads were tripping the same anonymous-flood protection meant for real abusive traffic, not a real product defect — but a check that is always red trains everyone to stop looking at it, which risks masking an actual regression later.
Fix: the two affected endpoints now recognize a CI-only signal that lets the automated smoke runner skip just the rate limit for its own traffic — nothing else about the request changes, and no other visitor or caller is affected in any way. The signal only exists at all when a repository operator deliberately configures it for the CI job; without that configuration (the default everywhere, including production), the endpoints behave exactly as they did before this fix.
No user-facing behavior changes. This is an internal CI/testing-infrastructure fix so the automated quality gate reflects real regressions again instead of a known-noisy false positive.
v7.80.30
Ops / CI / infra
Hardening (P0, ROK Phase 2 closeout): activation-integrity fixes for the 0155/v7.80.14 incident — a control-plane reader that fails on a missing migration column no longer collapses straight to SAFE_MODE, plus a deploy-time schema guard and an operator activation runbook (#1807, #1532, epic #1746).
Incident (2026-07-06): PR #1804 shipped a control-plane reader with an explicit column select against migration 0155's new columns, but production deploys don't auto-apply migrations without a Postgres URL configured — so the un-migrated database's select errored, and the correct fail-closed behavior silently denied every Stripe/paywall gate for ~1 hour with no loud signal pointing at the cause.
`lib/control-plane/state.ts`'s `getControlState()` now recognizes SPECIFICALLY a missing-Phase-2-column error (SQLSTATE 42703) and retries once with the pre-0155 column set, defaulting the two new kill switches to false — their real column default — instead of falling all the way back to SAFE_MODE. A loud `#1807`-tagged log fires on every retry; every other failure mode (network, missing row, a different error) still fails closed exactly as before.
New `scripts/check-schema-sync.mjs` (wired into `npm run build`): when a Postgres URL is configured, probes a checked-in sentinel manifest (`scripts/schema-sentinels.json`) of recent migrations' key tables/columns against the live database — warn-only by default, `REQUIRE_SCHEMA_SYNC=1` to hard-fail. With no Postgres URL configured (today's actual production posture, per #1532) it stays warn-only, never breaking a build that has no way to check the database.
New `npm run activation-lock-report` (`scripts/activation-lock-report.mjs`) — an operator markdown report combining the live control state/flags/kill switches, pending-migration sentinels, `check:clean-state`'s findings, and an ADR-0007 nine-gate checklist with Gate 2 and Gate 8 genuinely evaluated against live state. Complements (does not replace) the existing #1747 in-app JSON lock report.
New `docs/runbooks/ACTIVATION.md` — the operator's guide to the 8-state DAG, driving the Control Panel, the three kill-switch layers, the rollback procedure, the #1807 incident as a case study, and the founder-gated migration-apply procedure. Its appendix includes the full proposed `activation-gate.yml` CI workflow content for #1754 (human-gated — not committed to `.github/workflows/`).
v7.80.25
Payments
Billing reliability fix: the account portal (manage card / invoices / cancel) now stays correct for members active on more than one country edition of the platform (#1793).
The internal mapping between your account and your Stripe billing profile is scoped per country edition. If you had purchased under more than one edition on the same account, the newer purchase could overwrite the older one internally — so opening the billing portal for the earlier edition could briefly fail with a generic error instead of opening. This never exposed anyone's billing data to anyone else; it was purely a 'wrong button, try again' style failure for a small number of members, now closed.
Both purchase paths (subscriptions and one-time/Copilot purchases) now record the Stripe billing-profile link per edition, and the billing portal now resolves strictly within the edition you are currently using — so each edition's portal always opens the correct one, even for members active on more than one.
Additive database migration only (`0156_stripe_customers_edition_key.sql`); no data was lost or reset, and no other billing behaviour changed. Added automated regression tests covering cross-account isolation and repeat-purchase stability so this class of issue is now caught before release.
v7.80.15
Marketplace
Fix (P2, revenue/UX): marketplace provider profiles no longer dead-end at the monetization moment — every provider now has a live quote/notify request path instead of a generic contact form or a static 'not bookable' notice (#1737).
On a provider profile (`/marketplace/[slug]`), a verified professional previously linked only to the generic site contact form (`/contact?provider=slug`), and an unverified / pending-counsel professional showed a static 'Not bookable before verification' notice with no action at all — the exact point where a litigant who finally found a provider was most likely to convert. Both now render a real, provider-scoped intake form.
Verified providers get a 'Request a quote' flow (email + optional message) that records the request and sets expectations ('typically replies within N h'). Unverified / pending-counsel providers get a 'Not yet bookable — get in line' flow with honest expectation-setting: it captures the request, promises to notify the litigant the moment the provider is bookable, and passes their details along — instead of routing them to a generic form or a dead end.
New `POST /api/marketplace/provider-request` records interest only (no payment, never flips any booking gate), persisting to the shared `service_orders` registry with `status = 'provider_request'` via the service-role client — the same additive, PII-safe pattern as the existing notify-me lane (Loi 25: email/message never hit the log store). Degrades gracefully to `{ ok: true }` when the backend is unavailable so the UX never dead-ends.
New `components/marketplace/ProviderRequestForm.tsx` client island; the `PROVIDER_CONTACTED` growth event now fires from the actual request submission. Fully trilingual (en/fr/es) plus typed dictionary keys; no schema/migration change.
v7.80.14
Ops / CI / infra
ROK Phase 2 safety hardening: CONNECTED/VERIFIED activation states, three independent kill-switch layers, a ledger-replay rollback engine, and the Deployment Supervisor (epic #1746, issues #1748–#1752).
Formalizes the activation DAG from ADR-0007 (docs/adr/0007-rok-activation-dag.md) on top of the Phase 1 Release Orchestration Kernel (#1714): `CONNECTED` and `VERIFIED` are new ADDITIVE states inserted between `STAGED` and `LIMITED_PROD` in `lib/control-plane/types.ts` (#1749) — `CONNECTED` means the Supabase pooler is wired and read-only-validated with revenue still OFF; `VERIFIED` means a clean rebuild passed and the ROK's own ledger/flags are internally self-consistent. Wiring the pooler URL is now a guarded, audited state transition instead of a silent config flip. Every existing state, column, and transition rule is unchanged; the live `FULL_PROD` singleton row is untouched by this deploy (`FULL_PROD<->LIMITED_PROD` remains exactly one step).
New Gate 2 prerequisite validator (`lib/control-plane/activation-gates.ts`, `evaluateRokSelfCheck`) blocks a FORWARD move into `VERIFIED` or `LIMITED_PROD` when the configured flags shape, the `PROGRESSION`/`CONTROL_STATES` internal consistency, or the recent ledger's own monotonicity look wrong — never on a backward/rollback step, so a safety gate can never trap an operator trying to retreat. The nine-gate ADR's remaining gates (pooler round-trip, analytics dry-run, Stripe dual-write parity, deployment-manifest hashing, …) require live external signals this codebase does not yet emit and are deliberately deferred, founder-gated follow-ups — see IMPLEMENTATION_1749.md.
Layered kill switches (#1750): the single `killSwitch` becomes the documented Global layer, joined by two new independent, additive boolean columns — `killSwitchRevenue` (Stripe + paywall off, analytics/Justice Engine untouched) and `killSwitchRokEnforcement` (a reason-required, fail-open escape hatch that suspends the ROK's own state/flag gating for Stripe/paywall while `system_control_events` keeps recording every write normally — 'disable enforcement, keep audit logging'). `lib/control-plane/guards.ts`/`writer.ts` extended accordingly; both new columns default `false`, a no-op against the live row until an operator deliberately engages one. The Founder Control Panel (`components/admin/ControlPlanePanel.tsx`) gained a confirm-gated section per layer.
Ledger-replay Rollback Engine (#1751, new `lib/control-plane/rollback.ts`): reconstructs the last state the append-only `system_control_events` ledger recorded as `VERIFIED`/`CONNECTED`/`SAFE_MODE`, records a `rollback.triggered` event describing the plan, then walks the exact stepwise `PROGRESSION` line back to that target one validated hop at a time via the EXISTING `transitionState` writer — every hop is fully audited, same as a manual transition. Distinct from today's `EMERGENCY_LOCKDOWN`→`SAFE_MODE` recovery: reachable from any state, and the target is ledger-derived, not hard-coded. Wired into the Control Panel's POST `action: "rollback"`.
Deployment Supervisor (#1752, new `lib/control-plane/supervisor.ts` + `GET /api/cron/rok-supervisor`, CRON_SECRET-gated via the shared `requireCronAuth`, scheduled every 15 minutes in vercel.json): reconciles the authoritative row against the ledger's own last-recorded transition (`STATE_MISMATCH`), checks the founder's own named safety invariant — Stripe configured `live` outside `LIMITED_PROD`/`FULL_PROD` (`SAFETY_VIOLATION`, auto-engages `EMERGENCY_LOCKDOWN`) — and, only when an operator-configured `ROK_SUPERVISOR_EXPECTED_STATE` env value is present, compares it against the live state (`DRIFT_DETECTED`). The CI↔runtime drift check is a documented PARTIAL implementation by deliberate scope decision: this repo has no existing build-id/commit-sha signal in the ledger to compare against, and fabricating one would be worse than an honest no-op — see IMPLEMENTATION_1749.md for what a real signal needs.
Clean-state reconciliation CI gate (#1748, new `scripts/check-clean-state.ts`, `npm run check:clean-state`): flags dead `app/api/**/route.ts` files exporting no recognized HTTP method handler, two routes that would resolve to the identical API path, duplicate literal values inside this repo's hand-curated telemetry/event-name `as const` arrays, and reintroductions of forbidden legacy strings (`src/[locale]`, the dead pre-migration Supabase project ref). Runs REPORT-ONLY (non-blocking, wired into `npm run build`) today, clean against the current tree; flipping to the blocking `check:clean-state:strict` variant once the report has proven stable is a founder-gated follow-up.
New unit suites for every new module (`activation-gates.test.ts`, `rollback.test.ts`, `supervisor.test.ts`, plus additions to `guards.test.ts`/`writer.test.ts`/`state-machine.test.ts`) and migration `0155_rok_phase2_hardening.sql` — strictly additive (widened CHECK constraints, new NOT NULL DEFAULT false/null columns, no table/policy change; RLS was already reviewed for these two tables in migration 0150 and is untouched here). Full control-plane suite green (127 tests); see IMPLEMENTATION_1749.md for the complete record of what shipped versus what is explicitly deferred.
v7.79.89
Ops / CI / infra
Docs/schema (repo-files-only, #1791): the Financial Impact Engine (FIE) Phase 0 ledger substrate lands as an ADR + a non-auto-applying migration set — nothing is applied to the live database.
New `docs/adr/0007-financial-impact-engine-phase0.md` (ADR-0007): an event-sourced, double-entry, multi-currency ledger core in a dedicated Postgres schema `fie`, with tenant RLS — the floor under a future attorney-billing projector (Phase 1) and the Justice Impact Statement (savings/impact reporting). Adapted from the founder's design hand-off; SQL logic is unchanged from the source, only renumbered.
Renumbered the founder's `0001_fie_core.sql`…`0004_fie_seed.sql` to `0156`…`0159` (main's `supabase/migrations/` sequence was at 0152, with 0153/0154 already claimed by other in-flight PRs) — but landed them at `supabase/fie/migrations/`, not `supabase/migrations/`, specifically so `scripts/apply-migrations.mjs`'s directory glob never picks them up on the next production deploy. Promoting them into the auto-applied path is a separate, explicit, founder-gated decision.
Prod-safety adaptations: the `acme` RLS-isolation-test tenant/entity/account were removed from the seed migration and relocated to a new `supabase/fie/verify-fixtures.sql` (local test-only); the GUC-based `fie.current_tenant()` and the nologin `fie_app` role are kept exactly as authored (no grant to `authenticated`, no JWT-claim binding yet) — the Supabase JWT-binding seam is documented in the ADR as Phase 1 work, not done here.
`supabase/fie/verify.sql` (the founder's T1–T9 self-asserting invariant suite, previously run green 9/9 against a real PostgreSQL 14.23) moves alongside the fixtures as a test harness, outside both migration directories so it can never auto-apply. See `IMPLEMENTATION_1791.md` for the renumbering map, the auto-apply investigation, and this repo's own local verification attempt/results.
No application code, routes, or UI strings changed. Tracking issue #1791 (`epic`, `architecture`, `human-gate`) carries the phased roadmap (Phase 1 billing projector through Phase 4 revaluation); this PR is Phase 0 only.
v7.79.64
Evidence
Justice Score™ goes live end-to-end: element-by-element case scoring, Court-Ready assessment, and evidence-to-element proof — wired into every matter, front and back (#1664).
Workflow-to-recourse coverage: mapped 27 of the platform's 113 real Québec consumer-problem situations (`lib/legal/qc-consumer-problems.ts`) onto a concrete cause of action — contract disputes, latent defects (vice caché), consumer-protection violations, extracontractual-liability harms (property damage, defamation, privacy, medical/dental, wrongful death, and more), debt/invoice non-payment, and TAL lease repairs. Every mapping is a confident, cite-backed match; the remaining situations (family law, criminal/penal, immigration, labour standards, insurance, and others this recourse model was never built for) are deliberately left unmapped and catalogued as follow-up rather than guessed at.
Evidence-to-element proof: matters can now carry one or more claims, each decomposed into its recourse's ordered legal elements. Litigants set a 5-step proof status (unaddressed → asserted → supported → strong → corroborated) and an admissibility flag per element, and link existing evidence directly to it. This is the real signal behind the score's single heaviest dimension (Element-by-Element Substantiation) and the Unproven-Element gate — no more honest zero.
Court-ready, forum-aware thresholds: the jurisdiction profile (Petites créances / Cour du Québec / Cour supérieure / TAL) is now derived automatically from the claim amount and forum, with the $75,000-$99,999.99 concurrent band tie-broken by the matter's own chosen court. Prescription/limitation posture is computed from the incident date (and, for latent defects, the CCQ art. 2926 discovery date) against each claim's own recourse-specific limitation period — conservative by design, favoring 'arguable' over 'clearly time-barred' wherever tolling is plausible. Mandatory mediation (e.g. Petites créances' $5,000 trigger) now trips its gate on claim amount alone when no mediation step is on file at all.
Litigant-facing UI: the workspace's Justice Score panel gained an explicit Court-Ready indicator, a claim/element checklist (authority pin-cite, proof-state selector, admissibility toggle, evidence linker, proof hints), a dealbreaker list, and a 'what the other side attacks' exposure panel — full English/French/Spanish, litigants never see internal terms like 'gate' or 'dimension'.
No database migration: claims persist as part of the existing whole-matter record, the same way every other workspace panel already saves. 60+ new/updated tests (profile derivation, prescription posture, mediation trigger, end-to-end scoring, and a render smoke test for the panel); full suite and `check:justice-score` (23/23) stay green.
v7.78.64
Payments
Justice Score™: the Issues & Claims layer lands — the missing catalog behind dimension D7 (#1664).
`lib/justice-score/model.ts` and this repo's own T4/T7 notes flagged dimension D7 ('Element-by-Element Substantiation', the single heaviest dimension at 100 base points) as honestly inert until a recourse-to-legal-element catalog existed to substantiate it. New `lib/justice-score/issues-claims.ts` is that catalog: 7 Québec recourses (breach of contract, latent defect / vice caché, extra-contractual liability, LPC prohibited practice, debt non-payment, TAL repairs/peaceful enjoyment, unjust enrichment), each decomposed into its ordered legal elements — essential or not — with a bilingual/trilingual label, an indicative CCQ/LPC authority pin-cite, and (for a few elements) which other dimension they additionally inform.
New `lib/justice-score/element-derivation.ts` is the engine seam: `deriveD7FromClaims(claims)` turns a matter's per-element proof state into D7's Completeness/Substantiation/Admissibility completion, plus the real signal behind the existing G3 gate (an essential element left entirely unaddressed) and litigant-safe 'what the other side will attack' exposure items. It plugs directly into the existing, UNCHANGED `computeJusticeScore`/`evaluateGates` engine — no engine file needed to change, since the locked v1.0 model already generates a `d7-C`/`d7-S`/`d7-A`/`d7-R`/`d7-P` criterion set generically for every dimension.
Every founder-authored recourse/element/authority string was carried over unchanged; only the dimension-id (`D7`→`d7`) and jurisdiction-profile-id (`courQC`→`cq`, etc.) spellings were adapted to match this repo's existing `model.ts`/`profiles.ts` conventions. A constant-by-constant diff against the existing engine's axis weights, gate caps, R-floor, and per-forum thresholds found zero mismatches — both describe the same founder-locked v1.0 model.
This PR is a data/engine layer only: `derive.ts`/`gaps.ts` (mid-rewrite under the concurrent #1769) and the litigant-facing WorkflowStepper UI are deliberately untouched — see `IMPLEMENTATION_1664.md` and `docs/plan/justice-score/WIRING.md` for the wiring a future PR still needs to do once matters carry claims data. New tests pin the four Issues & Claims → D7/G3 boundary numbers exactly (63 / 55-cap / 50 / 44.5); full justice-score suite and `check:justice-score` (23/23) stay green.
v7.78.54
Payments
Batch integration: 16 reviewed fleet PRs landed in one release — witnesses ES, i18n fixes, test-discovery, Copilot unification, nav grouping, Justice Score golden lock, Stripe customer link, k-anonymity consolidation, DSAR first-party fix, ROK Activation DAG ADR, Repo Guardian, Drive-picker flag, conversion funnel, panel Definition-of-Done, evidence hashing perf, and the Workspace shell decomposition (#1800).
Collapses the serial changelog-cascade that was blocking 16 independently-reviewed, green-checked PRs from landing: #1612 (witnesses ES), #1745 (fr dict fixes), #1662 (test discovery), #1730 (Copilot unify), #1732 (nav grouping), #1736 (Justice Score golden lock), #1738 (Stripe customer link), #1743 (k-anonymity consolidation), #1742 (DSAR first-party fix), #1753 (ROK DAG ADR), #1254 (Repo Guardian), #1763 (Drive-picker flag), #1702 (conversion funnel), #1627 (panel Definition-of-Done), #1741 (evidence hashing perf), #1735 (Workspace shell decomposition).
Every PR's own changelog entry is preserved below, stacked newest-first by its originally-authored version; this entry is the batch release marker, not a replacement for the individual entries.
One migration renumbering was required going in: #1743's k-anonymity migration was already self-renamed by its author from 0153 to 0154 to avoid colliding with #1738's 0153_stripe_customer_link.sql — verified byte-identical SQL, no stale references, `check:migration-collisions` green.
No PR was dropped for a semantic conflict; every merge conflict encountered was mechanical (version/changelog/lockstep files), resolved by hand-merging the changelog dictionaries and reconciling one real code conflict in the Workspace shell (the #1735 refactor's `useWorkspaceOverlays` hook vs. #1732's `showAllSections` flag, both preserved).
v7.78.33
Privacy (Law 25)
Fix (P2, privacy / Loi 25): the platform's k-anonymity floor is now ONE reviewed number everywhere, and cohort aggregates generalize their region/language/specialization values so a rare free-form value can no longer re-identify a barely-k cohort (#1743).
Two thresholds had diverged: the anonymized-benchmarking gate (lib/analytics/cohort-gate.ts, #466) used k=10 while the LIVE outcome-learning path (lib/matching/outcome-aggregates.ts + the DB CHECK in 0122) shipped a lower, unreviewed k=5. A single source of truth, lib/privacy/k-anonymity.ts (K_ANONYMITY_MIN_COHORT), now feeds all three; consolidated UP to the stricter #466-reviewed floor of 10 (raising a k floor only suppresses more sparse cohorts, never fewer). Migration 0154 raises the matching_outcome_aggregates CHECK from >=5 to >=10.
The de-identification proof inspected only key NAMES, so a rare free-form specialization shared by exactly k matters could satisfy the size floor and still re-identify. New lib/matching/quasi-identifiers.ts maps region/language/specialization onto a bounded allow-list (canonical jurisdiction codes, release locales, dispute categories); anything off-list generalizes to a coarse 'other' bucket at ingestion, and assertDeidentified now fail-closed proves every quasi-identifier VALUE is generalized before an aggregate may be published.
The consolidation and the outstanding [H-LEGAL] #466 counsel attestation (the floor may only be lowered below 10 after that sign-off) are recorded in docs/decisions/1743-k-anonymity-threshold-consolidation.md. No change to matter isolation, RLS, or the payment-free matching invariant.
v7.78.30
AI & automation
Fix (P1, litigant UX): one conversational Copilot — you can now ask a free-text question, in context, from inside an open matter, and the home stops offering two competing AI front doors (#1730).
Inside a matter, the Copilot's card #1 was labelled “Ask a question” but had only a button that fired one hard-coded prompt ending in a fixed question — there was no text box, so a litigant reading a motion literally could not type “how do I respond to this?”. The real multi-turn chat (`CopilotChat.tsx`) was only reachable from the workspace home, never from an open file.
`CopilotChat.tsx` now accepts an optional matter `contextSummary` (the matter's structured summary, prepended to every request so answers are about THIS file) and optional `starters` (example questions rendered as one-tap chips on the empty thread). One component now serves both surfaces.
Matter Copilot card #1 opens that chat seeded with the matter context and matter-relevant starters (“How do I respond to this?”, “What are my next steps?”, “What is missing from my file?”, “How do I prepare for the hearing?”) instead of a single dead-end button.
On the home, the redundant single-shot `AskQuestion` modal is retired: the “Ask a question” front-door card, the “Start Copilot” quick action, and the nav entry all open the same multi-turn chat, now seeded with the general legal-information example questions as starters. No follow-up question loses its context anymore.
No change to the `/api/ai/copilot` route, the quota/paywall gates, or any billing/RLS surface — this is a client-side consolidation of the two AI-help entry points into one.
v7.78.30-b
Workspace & matters
Chore (P1, tech debt): began a behaviour-preserving decomposition of the ~4,200-line Workspace shell component so it is safer to edit (#1735).
`components/workspace/Workspace.tsx` was a single client component holding 71 `useState` slices and dozens of top-level constants, making every keystroke a whole-tree re-render risk and the file itself hazardous to touch — the largest maintainability liability flagged by the CTO repo-refresh audit. This first, deliberately-mechanical pass lifts three cohesive, self-contained groups out of it with no functional change.
New `components/workspace/workspace-shell.config.ts` holds the pure, state-free shell config that previously lived at the top of the component: the 36-entry `Tab` taxonomy and `TABS` list, the `ACTIVITY_CATEGORY_BY_TAB` map, the `WORKSPACE_PORTALS` descriptors, the `upsertLocalMatter` device-storage helper, and the `GUIDED_TOUR_APP_ENABLED` flag. These are now importable by tooling and tests without pulling in the whole component tree.
New `components/workspace/useWorkspaceOverlays.ts` extracts the ten pure overlay/panel-visibility `useState` toggles (settings, presentation mode, the two intake wizards, firm, emergency, help, the two "more tabs" menus, and the cloud badge) into a cohesive hook, and new `components/workspace/useCloudSyncState.ts` does the same for the twelve cloud-sync/persistence status slices (auth session, connectivity verification, load/save failure surfacing, per-matter sync badges, and the stranded-local import flow). In both cases the shell destructures them back into identically-named bindings, so every existing call site is byte-for-byte unchanged — strictly behaviour-preserving.
New characterization suite `components/workspace/__tests__/workspace-shell-refactor-1735.test.ts` freezes the extracted tab taxonomy, activity map, and portal descriptors, and asserts the shell now sources the config and both state hooks from the sibling modules rather than declaring them inline. Full suite green; `tsc --noEmit` and a real `next build` pass. No UX change, no schema/migration change. The remaining state (the ~40 matter-editing setters → a `useReducer`, then a context provider for the lazy tabs) is documented in `IMPLEMENTATION_1735.md` as the next incremental passes.
v7.78.29
Workspace & matters
Fix (P2, data durability / code health): the local matter store now version-gates its migration so the any-typed normalization runs once per upgrade instead of on every page load (#1740).
`lib/store/cases.ts`'s `loadCases` used to run `migrateCase` — an unversioned, any-typed normalization (regex exhibit parsing, a cascade of `??` defaults, `ex:any` casts) — over EVERY matter on EVERY load, with no schema-version gate. A new `CASES_SCHEMA_VERSION` stamp records the version each stored payload was last normalized to; `loadCases` now runs `migrateCase` only when the payload is BEHIND that version, then writes the upgraded array back and bumps the stamp, so the normalization runs once per upgrade rather than once per page load.
The stamp lives in a SEPARATE side-channel localStorage key (`juge:cases:schemaVersion`), not wrapped around the array — the payload under `juge:cases:v1` stays a bare `LegalCase[]`, so an older deployment on a rollback still reads it unchanged (a wrapping envelope would have been rejected as 'not an array' and silently dropped the user's work product). Additive, backward- AND forward-compatible; no existing local data is lost.
Clarified the durability posture in code: localStorage is the local-mode CACHE, while in signed-in cloud mode the Supabase `matters` table (see `lib/store/remote.ts` `upsertMatter`/`listMatters`, mirrored per-change by `components/workspace/Workspace.tsx`) is already the durable source of truth — so a cleared browser no longer destroys work product for cloud users. The remaining full server-persistence-for-anonymous-users step is documented in `IMPLEMENTATION_1740.md`.
New unit suite `lib/store/__tests__/cases-schema-version.test.ts` covers the three paths against a stubbed localStorage: legacy bare-array self-heal, current-version skip (proven by returning a deliberately-un-normalized payload verbatim), and behind-version re-migration. Full suite green; no schema/migration change.
v7.78.28
Ops / CI / infra
Ops (infrastructure): Repo Guardian health log — unified patrol runner using type-safe reporting (#1254).
Converted `scripts/run-repo-guardian.mjs` from JavaScript to TypeScript (`scripts/run-repo-guardian.ts`) to enable direct imports of the `lib/ops/repo-guardian.ts` module and eliminate formatting logic duplication. The patrol runner now constructs a fully-typed `RepositoryHealthReport` object and calls `formatHealthReportAsComment()` from the core module rather than building comment markdown inline.
The patrol runner is now a pure orchestrator: spawn health checks, collect results, apply `aggregateHealthStatus()` to compute overall status, format via the module's centralized comment function, and post. No formatting logic lives in the runner itself — it delegates to `lib/ops/repo-guardian.ts`, which is the single source of truth for report structure and comment generation.
Invocation syntax: `node --import tsx scripts/run-repo-guardian.ts` (following the repo's established pattern for TypeScript scripts in the scripts/ directory). `--dry-run`, `--no-pr-triage`, and `SKIP_BUILD` environment variable support unchanged.
The patrol runner is production-ready for CI/cron scheduling. The CTO can now safely wire it into `.github/workflows/` or a scheduled action.
v7.78.27
Governance
Governance (process, not a single bug): a workspace panel is not 'shipped' until it is mounted from Workspace.tsx and a wiring guard proves it (#1627).
Root cause: four PRs this session (#1611 x2, #1619, #1621) each built a real, tested, server-backed `components/workspace/` panel that was never imported into `Workspace.tsx` — a same-named client-state-only legacy function (`Exhibits`/`Witnesses`/`Deadlines`/`Chronology`) stayed mounted at the tab switch. PR #1618's component render tests could not catch it: they render the new component STANDALONE, so they pass whether or not the page ever references it.
New template integration test `components/workspace/__tests__/workspace-panel-wiring.test.tsx` proves, for the four now-fixed tabs (chronology/exhibits/witnesses/deadlines), that Workspace.tsx mounts each panel's read-through wrapper, imports the intended server-backed component, and has the wrapper delegate to it — plus renders each server component to pin its non-legacy identity. It is a copy-me template: adding a panel = adding one row.
Because the repo's unit harness (`node --import tsx --test` + `renderToStaticMarkup`, no jsdom, effects do not run) cannot drive a read-through wrapper past its initial loading state to the resolved branch, the wiring is verified against Workspace.tsx source text — the faithful mechanical guard for 'is the intended component wired at all'. The read-through decision itself stays unit-tested in `lib/workspace/__tests__/read-through.test.ts`.
Definition-of-Done codified in governance: `docs/governance/executive-os/20-policies.md` (Engineering & release) and a lesson in `40-lessons.md` ('don't build foundation into a wall'), plus a workspace-panel acceptance-criterion line added to the `.github/ISSUE_TEMPLATE/task.yml` checklist. Retroactive fix of the four affected panels is tracked separately (#1620 and the two sibling issues); they are already wired on main, and this guard now locks that in.
v7.78.26
Governance
Documentation (P2, governance): ADR-0007 formalizes the ROK Activation DAG — the staged dependency graph that gates progression from STAGED→CONNECTED→VERIFIED→LIMITED_PROD→FULL_PROD, encoding the principle that 'a config change is not an activation; only a validated state transition is' (#1753).
ADR-0007 (`docs/adr/0007-rok-activation-dag.md`) builds on ROK Phase 1 (#1714) by formalizing the **nine prerequisite gates** that must hold before each state transition. Phase 2 introduces two intermediate states (`CONNECTED`: pooler wired and healthy; `VERIFIED`: all validations passed) to prevent cascading subsystem activations when the pooler URL is set. The DAG enforces that Stripe cannot fire (state ∉ {LIMITED_PROD, FULL_PROD}) until after analytics dry-run and no orphaned routes are detected.
The governance principle is: every state transition requires prior proof. Wiring the pooler is a **state transition** (STAGED→CONNECTED), not a side-effect cascade — the platform remains analytics-only until an explicit transition to LIMITED_PROD permits Stripe to execute. Rollback is auditable: every stepwise backward transition is recorded in `system_control_events`.
The DAG sequence: **Phase 1** (Pooler Integration): pooler health-check + schema validation → CONNECTED. **Phase 2** (Validation): ROK self-check + analytics dry-run → VERIFIED. **Phase 3** (Revenue): Stripe rollout readiness + pricing experiments ready + Deployment Supervisor clean bill of health → LIMITED_PROD and FULL_PROD. Enforcement is two-layer: Admin API (interactive, founder-gated transitions) + Deployment Supervisor (automated, fail-safe auto-lockdown on drift detection).
Docs-only change; no schema or code changes in this PR. Phase 2 implementation (issues #1747–#1752 under epic #1746) will add the validators, extend the state machine, and wire enforcement into the control-plane writer and Deployment Supervisor.
v7.78.25
Privacy (Law 25)
Feature (market-activation, epic #100): the signup → activation → paywall → upgrade-click → conversion funnel is now instrumented end-to-end, with an admin Command Center view (#1702).
The founder directive for the market-activation phase is "instrument before optimizing": emit the five willingness-to-pay funnel events so activation, paywall-intent, and paid conversion can be measured against real data. Four of the five touchpoints already fired the typed taxonomy — `signup_complete` (AuthForm), `quota_hit` (CaseBuilder / Workspace paywalls, #1727), and `upgrade_click` (UpgradeCta / SubscribeButton, #1723/#1727) — so this ticket adds the two missing stages and the view that reads all five as one funnel.
New `activation` taxonomy event (`lib/analytics/events.ts`): fires once per account at the first Dispute (Prevention lane, `components/CaseBuilder.tsx`) OR the first Matter (Enforcement lane, `components/workspace/Workspace.tsx`), each guarded by a per-account localStorage key so a signup registers exactly one activation. New `ACTIVATION` wire added to the `POST /api/growth/events` allow-list.
New `conversion` taxonomy event: emitted SERVER-SIDE from the Stripe billing webhook (`app/api/billing/webhook/route.ts`) via a direct service-role `growth_events` insert when a `customer.subscription.created` event lands already `active`/`trialing` — so it reflects money that actually moved, fires once per subscription (renewals arrive as invoice.paid / subscription.updated, which never reach that branch), and is de-duped by the #1728 idempotency ledger on retry. Fire-and-forget: an analytics failure never turns into a 502 that makes Stripe retry the reconciliation.
New admin funnel view: `GET /api/admin/conversion-funnel` (founder/admin-gated via the shared `resolveOpsAdmin`, audit-logged) aggregates a bounded `growth_events` window into the five-stage `CONVERSION_FUNNEL` (new pure `conversionFunnel` + `tallyConversionCounts` primitives in `lib/analytics/funnel.ts`, which disambiguate the shared SURFACE_VIEW / CTA_CLICK wires by each row's `taxonomy` tag), surfaced at `/[lang]/admin/conversion-funnel` (`components/admin/ConversionFunnel.tsx`) with per-stage conversion, drop-off, the overall rate, and the biggest bottleneck — mirroring the guided-tour funnel (#1678) pattern exactly.
PII-free throughout (user_id + plan/lane/kind codes only, never names or story text); fire-and-forget at every emission. New unit tests cover the five-stage funnel math and the wire/taxonomy tally. No schema or migration change — the existing `growth_events` table is the sink.
v7.78.24
Security
Fix (P1, security): reconcile the #1120 Drive-picker key migration behind a single operator flag so conflicting branches stop re-deciding it (#1763).
Cross-reference: PR #1601 (v7.75.92) closed #1120 by deliberately KEEPING the legacy `NEXT_PUBLIC_GOOGLE_API_KEY` fallback in `getDrivePickerConfig()` (warn once, keep working) and explicitly deferred the hard removal until the operator confirms every environment has the non-public `GOOGLE_PICKER_API_KEY` set. A later sibling branch tried to drop that fallback unconditionally — which would silently disable Google Drive import on any not-yet-migrated deployment (config resolves to `null`) with no operator-confirmation gate.
Rather than let two branches keep re-deciding the same design question on whichever side of a rebase conflict `git` happens to keep, the removal is now behind one operator-owned flag: `GOOGLE_PICKER_KEY_MIGRATED`. Default (unset) preserves the conservative #1601 behavior — legacy fallback still resolves, one-time `console.warn` fires — so no live deploy regresses. When the operator sets `GOOGLE_PICKER_KEY_MIGRATED=1` (asserting the Vercel env migration is complete), `getDrivePickerConfig()` refuses the public fallback entirely; only the non-public `GOOGLE_PICKER_API_KEY` satisfies the gate.
`lib/ops/operator-action-queue.ts` (issue #58 action) now names the `GOOGLE_PICKER_KEY_MIGRATED` step in its `requires` list, so the operator queue itself documents the flip. New unit tests in `lib/__tests__/drive-picker-key.test.ts` and `lib/__tests__/release-readiness.test.ts` assert the default keeps Drive ready on the legacy key and that the flag flips `getDrivePickerConfig()`/`trustReadinessServices().googleDrive` to refuse it. No schema/migration change; existing behavior is unchanged until the operator opts in.
v7.78.23
Intake & onboarding
Fix (P2, litigant-facing UX): the intake urgency gate now routes a genuinely urgent litigant to concrete same-day options instead of the full sample directory and a generic async contact form (#1739).
Answering 'I need legal help within 24 hours' on the intake safety gate previously surfaced only two dead-ends: a 'Connect' button to the FULL marketplace (largely sample / not-yet-bookable seed profiles) and a 'Contact' link to the generic async /contact form — so someone facing an eviction or a deadline tomorrow was pointed at surfaces that cannot produce timely help, then invited to continue into the standard wizard.
The urgent branch now shows three concrete options instead of the whole directory: (1) the fastest-responding professionals for THIS edition (new `lib/intake/urgent-options.ts` `fastestResponseProviders()` — edition-filtered via `providerTypesFor()`, ranked available-before-limited then by advertised response time, each deep-linked to its OWN profile), (2) the edition-aware emergency legal-aid surface (`/marketplace/legal-aid`, reduced/sliding-scale help), and (3) expedited support (the contact route flagged `?urgent=1` so it is prioritized).
It stays honest: no fabricated hotline numbers are invented, the 911 life-safety notice remains pinned at the top, each surfaced professional carries its availability + 'responds within Nh' signal, and seed/sample profiles are labelled 'Sample — pending verification' (they are not yet bookable per the shared `isProfileBookable` gate) rather than implying a live booking. The full directory and 'continue to the guided intake' remain available as secondary links.
New unit suite `lib/intake/__tests__/urgent-options.test.ts` pins the routing contract (excludes fully-unavailable profiles, edition-filtered, availability-then-response-time ordering, sample profiles reported not-bookable). All new user-facing strings ship in en/fr/es and are typed. No schema/migration change.
v7.78.22
Evidence
Perf (P2, tech debt): client evidence ingest now streams the SHA-256 hash off the main thread and imports files in a bounded-parallel pipeline, instead of buffering each file into memory and uploading strictly one-by-one (#1741).
`components/workspace/Evidence.tsx`'s ingest loops (`ingestFile`, `ingestDropped`) processed files strictly serially — `await hashFile` then `await uploadEvidence` then `await extractText`, one file at a time — and `hashFile` called `file.arrayBuffer()`, materialising the entire (up to 100 MB) file into memory on the main thread just to fingerprint it. A folder drop of large PDFs therefore held big buffers and uploaded one-by-one, producing long unresponsive imports and memory pressure on low-end devices.
New `lib/evidence/sha256-incremental.ts` is a dependency-free, chunk-at-a-time SHA-256 (FIPS 180-4), byte-for-byte compatible with the one-shot `crypto.subtle.digest` it replaces — verified against the NIST vectors and against Web Crypto across arbitrary chunk boundaries. `lib/evidence/hash-worker.ts` reads a file in 4 MB slices and feeds them to it inside a dedicated Web Worker, and `lib/evidence/hash-file-stream.ts` reuses one worker across every file — so hashing never buffers the whole file and never blocks the UI thread, with a transparent main-thread chunked fallback when a Worker can't be created (SSR, tests, locked-down runtimes).
New `lib/util/concurrency.ts`'s `mapLimit()` runs the per-file upload+extract pipeline at most 4 files at a time while preserving input order, so Evidence IDs are still assigned deterministically and byte-identical-duplicate detection on folder imports is unchanged. `ingestDropped` now hashes-then-dedups in one bounded-parallel pass and uploads+extracts the survivors in another, replacing the single strictly-serial loop.
New unit suites: `lib/evidence/__tests__/sha256-incremental.test.ts` (NIST vectors, chunk-boundary independence, Web Crypto parity, 55/56/64-byte pad edges) and `lib/util/__tests__/concurrency.test.ts` (order preservation, concurrency cap, fail-fast). No schema/migration change; no user-facing string or behaviour change.
v7.78.21
Workspace & matters
Fix (test discovery): [id] route directories no longer silently skip tests due to glob interpretation (#1662).
Moved `app/api/deadlines/[id]/__tests__/patch-route.test.ts` to sibling location `app/api/deadlines/__tests__/patch-route.test.ts` with updated import (`../[id]/route`). This restores test coverage for the PATCH handler, previously dead in CI because `node --test` glob-matches its arguments and interprets `[id]` as a character class.
Fixed `scripts/run-tests.mjs` to invoke `node --test` once per discovered file instead of passing all files as a single argument list. This prevents glob interpretation and ensures all bracket-path tests run, even if placed under dynamic route segments like `[id]`, `[matterId]`, etc. All discovered tests continue to run; no test was added or removed.
Pattern established: route tests belong in a `__tests__` directory as a sibling to the dynamic segment, not nested beneath it. This pattern (used in #1532) is now guaranteed safe from glob-matching issues.
v7.78.20
Localization
Fix (P3, i18n): two untranslated English fragments in the French dictionary (#1745).
marketplaceDir.profile.sourceGoogleMaps: corrected French spacing to 'Source : Google Maps' (was 'Source: Google Maps').
commandCenter.surfaces.kinds.admin: translated to 'Admin / Exploitation' (was English 'Admin / Ops').
v7.78.20-b
Privacy (Law 25)
Fix (BLOCKING, privacy / Loi 25): the #1742 access-export expansion trusted RLS alone to scope every table to the requester — several policies' OR-branches let it over-disclose other people's rows (#1742).
CTO privacy review of the #1742 expansion (25 newly exported tables) found `exportSubjectData` (`lib/privacy/data-subject.ts`) ran an unfiltered `subjectClient.from(table).select(columns)` per table with no application-level scoping, relying entirely on the live RLS SELECT policy. That is unsafe wherever a policy has an OR-branch broader than self: `marketplace_orders`' verified-bailiff open-board arm returned every client's open order platform-wide (third-party names in `description`); the `is_admin()`/`is_marketplace_admin()` arm on ~11 tables (`bailiff_profiles`, `professional_verifications`, `payout_accounts`, `payouts`, `class_actions`, `claimants`, `claimant_distributions`, `referrals`, `referral_codes`, `intake_requests`, `marketplace_entities`, `marketplace_engagements`, `commissioner_profiles`) meant a founder_admin's own DSAR call dumped near-platform-wide rows; and the `status = 'published'` public-directory arm (`expert_profiles`, `provider_profiles`, `marketplace_entities`) pulled in every other professional's public listing as if it were 'the requester's own data'.
Every `export` entry in `SUBJECT_SCOPED_TABLES` now declares an explicit self-scoping filter that `exportSubjectData` applies with `.eq()`/`.or()` ON TOP of the RLS-scoped read — never trusting the policy's own scoping again. Most tables declare a single `selfColumns: ["user_id"]`-style literal column; two-sided tables OR multiple self columns (`marketplace_orders`: client_id/assigned_to/offered_to; `referrals`: referrer_user_id/referred_user_id) so the subject's own rows on EITHER side are still included, never the board/admin-visible rows of others.
`affiliate_commissions` has no literal user-id column (it is keyed only by `code`, a foreign key into `affiliate_codes`). Rather than silently drop this genuinely first-party table, it now resolves the subject's own code via the already self-scoped `affiliate_codes` lookup, then filters by that resolved code — a subject with no affiliate code gets zero rows, never an unfiltered read.
`lib/privacy/__tests__/access-registry.test.ts` gained a structural check that every `export` entry declares a self-scoping strategy, plus seeded self-vs-non-self fixture tests (real column-level filtering, not the older structural stub) proving `marketplace_orders`, `expert_profiles`, `bailiff_profiles`/`referrals`, and `affiliate_commissions` each exclude the other party's/other user's row.
No schema change and no RLS change: the underlying policies are untouched — this closes the gap between what RLS *permits* an authenticated caller to see and what the access export *discloses* as their own personal data.
v7.78.19
Localization
Justice Score™ now scores real matters again: derive.ts/gaps.ts re-wired to the locked v1.0 taxonomy (#1769).
The v1.0 spec lock (#1665) renamed/regrouped/renumbered all 16 Justice Score dimensions and moved every criterion id to the shape `d<n>-<axis>` (e.g. `d6-C`), deliberately not reusing any old `d<n>-c<n>` id. Until now `lib/justice-score/derive.ts` still emitted the old ids, so NONE of its output keys matched the reconciled model — every real matter honestly scored 0 / Not Viable. This PR re-derives all 16 per-dimension functions against the new D1-D16 taxonomy so matters score their real value again.
This was a genuine re-derivation, not a mechanical rename: the locked model scores every dimension on all five axes (C/S/A/R/P), so each function now maps real `LegalCase` fields onto the correct axis under the merged/moved/split dimensions (e.g. the old 'Case Theory' + 'Legal Basis' merge into D1; 'Witnesses' moves to D13; 'Opposing/Rebuttal' splits across D10/D11).
D7 'Element-by-Element Substantiation' (the single heaviest dimension, 100 base points) depends on the not-yet-built Issues & Claims layer (spec §13); per the issue it is honestly 0 on every axis until that layer lands — the coarse `issues` array is NOT stood in for it (that would double-count D6 and fabricate an element-level proof map).
`gaps.ts`: `STRUCTURAL_GAP_CRITERIA` re-derived to the 29 v1.0 criteria with no backing schema field (up from 11 — the uniform 5-axis shape exposes many missing per-dimension Admissibility/Procedural signals), and `GATE_LINKED_DIMENSION` remapped (G1→D4 Prescription, G2→D3 Jurisdiction, G3→D6 Documentary Evidence).
Honest 'Court-Ready is a promise' behavior: because ~45% of the model's base weight (incl. all of D7) carries an unbacked Adversarial-Resilience criterion under the current schema, even a maximally-prepared matter now lands in Substantially Prepared — its resilience share sits under the global 0.60 floor and G6 holds it below Court-Ready. Reaching Court-Ready is future schema work, documented in IMPLEMENTATION_1769.md, not a mechanical fix.
Re-authored the `wsJusticeScore` (16 dimension names, 4 pillar names, 80 criterion labels) and `wsJusticeScoreGaps` (80 'do this next' action strings) dictionaries in English and French to the v1.0 taxonomy; refreshed the previously-skipped end-to-end `derive.test.ts`/`gaps.test.ts` fixtures — the full justice-score suite is green with 0 skips.
v7.78.19-b
Localization
Feature (#1612, Fast-Track #70): the server-backed Witnesses workspace panel is now fully tri-lingual — Spanish coverage completes the witness UI localization.
The Witnesses panel (registry, dossier, admissions, contradictions and cross-examination questions) and its read-through import banner were English-fallback only in Spanish. Every `wsWitnessesPanel` and `wsWitnessesMount` string now has an explicit `es` translation, so a Spanish-locale litigant sees the panel in their language rather than English placeholders — raising the explicit-ES ratchet the i18n gate enforces.
No server, schema, RLS or payment change: the GET/POST `/api/witnesses` substrate, its `[id]/dossier|questions|contradictions` sub-routes, and the `WitnessesReadThrough` mount shipped earlier (#1619 foundation, #1617 mount) are unchanged. This entry closes out #1612 as the localization-completion step now that the prod schema (#1532) is applied.
v7.78.18
AI & automation
Feature (Fast-Track #70): the server-side chronology checks are now wired into the Facts panel as a Timeline integrity block (#1615).
Audit of the three chronology surfaces (CTO direction, #1615): `POST /api/ai/chronology` is client-quote-oriented and already wired into `ChronologyGrid`, but `GET /api/chronology/timeline` (evidentiary gaps) and `GET /api/chronology/contradictions` (same-event/different-date) were orphaned — no component called them. Both read the SERVER-side `facts` table (the rows `POST /api/facts` writes and `FactsChronology` renders), NOT the client-only `LegalCase` store `ChronologyGrid` renders, so wiring them into the grid would surface data from a different source. They are now mounted in `FactsChronology`, the server-authoritative panel.
Decision — ONE panel, not two: both signals are integrity checks over the same matter-scoped `facts` query, share one refresh lifecycle, and answer a single question ("is this timeline sound?"). New `components/workspace/chronology/TimelineIntegrity.tsx` fetches both routes, lists 30+ day evidentiary gaps and date contradictions side by side, and re-runs whenever a fact is added or its disputed flag is toggled. Framed as review signals, never conclusions — nothing in the panel mutates a fact.
No schema or migration change; both routes already existed. New user-facing strings added across en/fr/es with full type coverage.
v7.78.17
Privacy (Law 25)
Fix (P2, privacy / Loi 25): the data-subject access export (right of access) now discloses the requester's OWN first-party data across every RLS-subject-scoped table, not just four (#1742).
`GET /api/privacy/access` (via `lib/privacy/data-subject.ts`) assembled only profiles, matters, service_orders, and subscriptions — silently omitting many other tables that hold the requester's own personal data, each RLS-scoped to `auth.uid()` (disputes, portfolios, class_actions, claimants, claimant_distributions, intake_requests, professional_verifications, payout_accounts, payouts, marketplace_engagements, marketplace_orders, referrals, referral_codes, support_access_grants, reminder_preferences, erasure_requests, the subject's own provider/expert/entity profiles, affiliate and Copilot records). The 'child tables may contain third-party PII' rationale does not apply to these first-party rows, so the Loi 25 right of access returned an incomplete picture.
New `SUBJECT_SCOPED_TABLES` registry in `lib/privacy/data-subject.ts` classifies EVERY table whose RLS scopes rows directly to the subject as exactly one of `export` (personal data about the subject → included with a curated, non-wildcard column list) or `exclude` (subject-scoped by RLS but not the subject's own data — third-party registries, counterparty messages, invitee emails, audit/security substrate, or public directory records — each with a documented reason). `ACCESS_TABLES` is now DERIVED from the registry so the export surface and the classification can never disagree.
The read still runs exclusively through the subject's RLS-scoped session client (no service-role read), so even an exported table can only ever return the subject's own rows. Columns are curated per table to keep third-party PII, encrypted ciphertext (e.g. `payout_accounts.bank_details_enc`), and class-action MEMBER contact data (`claimants.full_name/email/province`) out of the export.
New registry-driven test `lib/privacy/__tests__/access-registry.test.ts` scans every migration for tables carrying a first-party `<self-column> = auth.uid()` RLS policy and fails closed if any such table is unclassified — so the disclosure surface can never silently under-disclose again. It also asserts every table the audit named is exported and that member PII / bank ciphertext stay out.
No schema change and no RLS change: this is a read-only completeness fix over existing tables and their existing row-level security.
v7.78.14
Payments
Fix (P2, billing): one-time and Copilot buyers can now open the self-service Billing Portal — it no longer 404s for anyone who has paid (#1738).
`app/api/billing/portal` opened the Stripe Billing Portal only when it could read a `stripe_customer_id` from the caller's `subscriptions` row. But one-time buyers (`/api/ops/checkout`, `/api/service/checkout`, `mode: payment`) and metered Copilot subscribers (`/api/copilot/checkout`, written to `copilot_accounts`, never `subscriptions`) get no subscriptions row — so the portal returned 404 ('no billing account yet — subscribe first') for people who had in fact paid, blocking card management, invoice downloads, cancellation, and Stripe dunning for them.
New `stripe_customers` mapping table (migration `0153_stripe_customer_link.sql`): one row per user linking `user_id → stripe_customer_id`, self-read RLS only (writes are service-role/webhook only, same pattern as `subscriptions` 0037 and `copilot_accounts` 0009). The portal now resolves the caller's own customer from EITHER their subscriptions row OR this fallback index, still filtered to `user_id` end to end so a portal can never be opened for someone else's customer.
One-time checkout sessions (`/api/ops/checkout`, `/api/service/checkout`) now set `customer_creation: "always"` — Stripe's `payment` mode otherwise creates no Customer object (`if_required`), leaving nothing to persist. Every successful purchase webhook (`app/api/service/webhook`) now links the authenticated buyer's customer via the new best-effort `linkStripeCustomer()` helper: the one-time service-order path, and the Copilot activation path. Anonymous orders (no authenticated owner) are skipped — there is no account to attach a portal to.
No change to plan/entitlement logic, quota gates, pricing, or any existing RLS policy; subscription buyers keep resolving through `subscriptions` exactly as before. This only closes the missing customer link so the portal resolves for every paid buyer, not just subscribers.
v7.78.13
AI & automation
Tech-debt (P1): the Justice Score™ readiness engine — which feeds the score ring, the copilot's next-step suggestions, strategy, and intake — now has a golden-value regression lock so no weight or threshold change can silently shift every user's displayed score (#1736).
The critical-path readiness function `scoreMatter` (`lib/justice-score/derive.ts`, the successor to the retired `justiceScore()`) had no test locking its per-dimension output. A change to any dimension weight, gate cap, or Court-Ready threshold could silently move every litigant's displayed score and the copilot's suggested next steps, with nothing in CI catching it.
New golden-lock suite (`lib/justice-score/__tests__/justice-score-golden.test.ts`) scores three real `LegalCase` fixtures — an empty matter, a partially-prepared matter, and a thoroughly-prepared matter — end-to-end through `scoreMatter`, and asserts each of the 16 dimensions' earned and available points, the 1000-point total, the raw score, the gate cap / critical-gate status, and the readiness band against a hand-checked golden set.
Because the golden set pins the renormalized available points per dimension (the weight distribution) and the profile thresholds, any weight-lock change (overlapping the founder's weight-lock gate #1673) or gate/threshold retune must now consciously update the golden values, turning a silent behavioral drift into a visible, reviewed test diff.
Test-only change: no product, database, RLS, billing, or user-facing behavior is affected.
v7.78.12
Workspace & matters
Fix (P1, litigant UX): the workspace 'More' menu is now grouped into four plain-language phases, and the workflow stepper's stage names match the tabs they open (#1732).
The single flat 'More' dropdown that dumped ~28 professional-jargon sections (War Room, Resolution Centre, Proceedings, Clerk filings, Remedies, Enforcement, Recovery, Lifecycle, Command, Event Journal, Moot, Bates…) into one wall of labels is now organized into four phases — Build the file / Resolve / Court / Enforce — each with a one-line plain-language description of what it's for.
Advanced phases stay hidden until the matter reaches them (Court appears once pre-litigation is unlocked, Enforce once the matter crosses into the hearing/judgment lifecycle). This is soft guidance, never a gate: a 'Show advanced sections' toggle always reveals everything, and the phase holding the currently-active section is never hidden.
Tab labels now match the WorkflowStepper vocabulary: the 'Chronology' tab reads 'Timeline' and the 'Clerk filings' tab reads 'Court filing', so a stepper stage and the tab it opens read identically.
When a stepper stage deep-links into a section inside 'More', the 'More' tab now names the active section (e.g. 'More · Court filing') instead of the active indicator silently jumping to a bare 'More' label.
The stepper's two Resolution-Centre stages are disambiguated with distinct plain-language descriptions (stage 0 'Situation' = name your dispute and choose a path; stage 5 'Resolution' = work the steps to settle before court), surfaced as tooltips and in the accessible name.
v7.78.10
Intake & onboarding
Ops (infrastructure): Repo Guardian — automated repository health patrol with health-check orchestration and GitHub issue integration (#1254).
New `lib/ops/repo-guardian.ts` — core module orchestrating repository health checks and formatting results as GitHub issue comments. Exports typed interfaces for health check results (`HealthCheckResult`), aggregation logic (`aggregateHealthStatus`), and report-to-comment formatting (`formatHealthReportAsComment`). Timestamp utilities handle UTC conversion for issue comment headers.
New `scripts/run-repo-guardian.mjs` — patrol runner script executing the full suite of local health checks (npm ci, tsc, npm test, check:locales, check:i18n-gap, check:version-advances, check:trust-gaps, check:edition-purity, npm build) and posting timestamped results to GitHub issue #1254. Supports `--dry-run` (prints instead of posting) and `--no-pr-triage` (skips PR analysis). Environment variable `SKIP_BUILD=1` allows graceful skip of build checks when secrets are unavailable.
New test suite `lib/ops/__tests__/repo-guardian.test.ts` covering aggregation logic (worst-wins status roll-up), timestamp formatting, and comment formatting for GREEN/YELLOW/RED reports with optional PR triage and issue-filed sections. All 10 tests pass.
This PR prepares the infrastructure for the patrol's first run in CI/CD or a cron job — the script itself is not yet scheduled (no `.github/workflows/` changes — the agent token lacks `workflow` scope, so the CTO will wire the schedule in a follow-up).
v7.78.9
Privacy (Law 25)
Fix (P2, security/Loi 25): the analytics-ingest endpoints could be flooded and PII-stuffed with no auth, and the public growth counter leaked exact real-time figures (#1744).
`POST /api/growth/events` and `POST /api/presence` write through the service-role Supabase client (bypassing RLS) and are reachable with no session — by design, since anonymous page-view/CTA/presence telemetry is legitimate traffic. Before this fix neither had a rate limiter, unlike the sibling `POST /api/activity` (#1551), which already wraps its own service-role insert in a per-IP `SlidingWindowRateLimiter` precisely because it bypasses RLS. Both routes now carry the same 60 req/min per-IP guard, returning `429 { ok: false, error: "rate_limited" }` once exceeded.
`growth/events` also persisted the client's `metadata` object verbatim into the retained `growth_events.metadata` jsonb column — an unauthenticated caller could stuff arbitrary keys, including free-text PII, into a row kept indefinitely. New `lib/analytics/metadata-guard.ts`'s `sanitizeGrowthMetadata()` reduces `metadata` to the allow-listed, primitive-only, size-capped subset every real emitter in this repo actually sends (the typed taxonomy envelope, `GrowthTracker.tsx`'s scroll/session/CTA fields, and the guided-tour beacon) — unknown keys, nested objects/arrays, and non-finite numbers are dropped rather than stored.
`GET /api/public/stats` returned exact, unauthenticated row counts (profiles, matters, evidence, procedures, service/sworn/bailiff orders, verified professionals) on a 60-second cache, letting any caller poll it and watch the platform's growth tick up in near real time — a trivial enumeration / competitive-intel vector with no floor. Every disclosed count is now banded: rounded down to the nearest 25, with anything below 10 reported as 0 rather than an exact tiny number.
New tests: rate-limit burst tests for both routes (same convention as `app/api/feedback/route.ts`), a metadata-guard unit suite (`lib/analytics/__tests__/metadata-guard.test.ts`) covering the allow-list, size caps, and the guided-tour beacon shape, and a `band()` unit + route-shape test for `public/stats`. Full suite green; no schema/migration change.
v7.78.8
Payments
Fix (P1, money-safety): the Stripe billing webhook now rejects duplicate and out-of-order events instead of silently reprocessing or clobbering newer subscription state (#1728).
Stripe delivers webhook events at least once and without an ordering guarantee. `app/api/billing/webhook/route.ts` had no guard against either: a redelivered event could be reprocessed from scratch, and a late-arriving stale event (e.g. a delayed `customer.subscription.deleted`) could overwrite a subscription row that a subsequent, newer event had already updated to `active`.
New `stripe_webhook_events` idempotency ledger (migration `0152_stripe_webhook_idempotency.sql`): Stripe's own `event.id` is the primary key, so a redelivery of an already-claimed event fails the insert on `unique_violation` and is acked (`{ received: true, duplicate: true }`) without reprocessing — no read-then-check race, since the primary key makes the claim atomic even under concurrent deliveries.
New `apply_ordered_subscription_upsert()` database function replaces the bare `.upsert()` on `subscriptions`: it performs the insert-or-update and the 'is this event newer than what's already applied?' comparison (`subscriptions.last_event_created_at`, a new nullable column) in one atomic `INSERT ... ON CONFLICT ... WHERE` statement, so a stale/out-of-order event can never overwrite a row with an event older than the one already applied to it.
If processing a claimed event throws (e.g. a transient DB error), the webhook releases the idempotency claim before returning its 502 — so Stripe's automatic retry of that exact event is treated as fresh, not silently swallowed as a permanent 'duplicate'.
No change to plan/entitlement logic, the 402 quota gates, or any existing RLS policy on `subscriptions` (0037/0148/0151) — this closes only the missing idempotency/ordering guard around how events reach the table.
v7.78.7
Litigation
Fix (litigation-engine, Justice Score™ v1.0): the engine now computes exactly what the founder's LOCKED spec asserts, not the provisional v0.1 draft it shipped against (#1665).
lib/justice-score/model.ts: every dimension now carries exactly 5 criteria — one per axis (Completeness, Substantiation, Admissibility, Resilience, Procedural Compliance) — matching the locked spec's own formula (Score = Σ_dims [ W_dim × Σ_axes ( w_axis × axisScore ) ] / 1000). This required adopting the locked spec's real 16-dimension taxonomy (renamed/regrouped dimensions, e.g. Prescription moved into Pillar I, Witness Readiness into Pillar III, plus a new D7 'Element-by-Element Substantiation') rather than only re-numbering the existing one — the old bespoke per-dimension axis coverage could not reproduce the locked boundary cases exactly (verify.js's own 'all-max = 100' case requires every dimension to reach 100% on every axis).
Global axis weights corrected to the locked C 250 / S 260 / A 120 / R 255 / P 115 (per 1000) — Admissibility's under-weighting (was 80) is fixed; the axis-weight/grading-mode split (binary for C/A/P, 5-step for S/R) is now explicit data on Axis.gradingMode.
Pillar III renamed 'Defence & Rebuttal' (was 'Adversarial Testing' — the old name collided with the Resilience axis's own name); all 4 pillars renamed to match the locked spec (Legal Foundation / Proof / Defence & Rebuttal / Machinery).
lib/justice-score/gates.ts: G1 'clearly time-barred' cap tightened 25 -> 15; G3 (unproven element) tightened 65 -> 55; G6 (the R-axis floor) is now part of the CRITICAL gate set (G1, G2, G3, G4, G6) per the locked spec, not just a band-level lock.
lib/justice-score/bands.ts: the pure score bands tightened to the locked 'Not started 0-24 / In progress 25-49 / Substantiated 50-(threshold-1)' (was 0-39/40-64/65-...).
lib/justice-score/profiles.ts: only the TAL (Tribunal administratif du logement) pack reweights any dimension now — the draft's bespoke Petites-créances/Cour-du-Québec/Cour-supérieure dimension multipliers are removed per the lock. The R-axis floor is a single global 0.60 for every forum (was profile-varying). Cour du Québec's claim ceiling corrected to $99,999.99 (G2 only caps at >= $100,000).
New lib/justice-score/__tests__/golden-v1.test.ts runs the ACTUAL production engine through every one of the founder's locked boundary cases (docs/plan/justice-score/verify.js, 23/23) — the in-code twin of the canonical golden harness.
Downstream matter-derivation (derive.ts, T4) and its dependents (dashboard-view.ts/gaps.ts, T5/T6) still speak the pre-lock criterion-id taxonomy and are not yet re-wired to the new one — every real matter honestly scores 0 until that follow-up lands (tracked in #1769); this PR does not touch litigant-facing scoring, only the reference engine and its own tests.
v7.77.45
Payments
Fix (P1, paywall-conversion): a free-tier user who hit a quota wall saw text and nowhere to go — the last piece of the billing funnel closes (#1727).
The structured 402 (lib/billing/paywall.ts, #1697) was a dead end in the two places a real user actually hits it today: components/CaseBuilder.tsx's dispute-quota check, and the matter-quota 402 from app/api/matters/sync (reached via lib/store/remote.ts's session-route fallback when a direct RLS insert is denied). Both rendered a bilingual message with no way to act on the server's own `upgradeRequired: true` signal. (app/api/matters/ingest's STORAGE_QUOTA_EXCEEDED and app/api/disputes/[id]/convert's 402 currently have no UI caller at all, so there was no live dead end to fix there — left untouched, no server logic changed anywhere.)
New shared `components/billing/UpgradeCta.tsx` — the ONE upgrade-CTA control every quota-hit paywall renders: a plain link into the real Subscribe section (`/[locale]/pricing#subscribe`, #1723) that fires the SAME `upgrade_click` analytics event `SubscribeButton` fires, tagged with which wall (matter / dispute / storage) sent the click.
New `quota_hit` analytics event (lib/analytics/events.ts), reusing the existing `SURFACE_VIEW` wire name (same precedent as `pricing_view`/`marketplace_view`) — no growth-events allowlist change needed. Fires the moment a quota wall is actually shown, so `quota_hit` → `upgrade_click` → subscription-active is now one measurable funnel.
`components/CaseBuilder.tsx`: the dispute-quota pre-check AND the DB-trigger backstop (dispute_quota_exceeded, the un-bypassable enforcement) both now fire `quota_hit` and render the CTA — the pre-check is the common path, the backstop the race/no-user-yet fallback, and both are real quota-hit moments worth measuring.
`lib/store/remote.ts` gains a distinct `MATTER_QUOTA_EXCEEDED` code, classified from the SAME 402 app/api/matters/sync already returns (no server-side change) — before this, a free-tier caller at the matter cap was reclassified as `MATTER_SYNC_PERMISSION_DENIED`, the identical message a real RLS/security rejection produces, hiding the paywall behind an unrelated-looking error. `components/workspace/Workspace.tsx`'s save-failed banner now recognizes this code, shows its own bilingual message, fires `quota_hit`, and renders the Upgrade CTA — never raising the session-expired/reconnect wall a genuine denial does.
v7.77.44
AI & automation
Justice Score™ v1.0 is now locked: the founder's 7 open weight-and-threshold decisions are resolved, and the golden test is green (#1672, closes weight-lock gate #1673).
The Justice Score™ readiness model (epic #1664) shipped its engine (T1–T6) and retirement/crosswalk of the old 7-dimension score (T7) against the v0.1 draft weights, with every number explicitly provisional pending founder sign-off at the weight-lock gate (#1673). The founder has now tuned live in the interactive explorer and answered all 7 §12 decisions — pillar balance, the Court-Ready thresholds per forum (Petites Créances 78 / Cour du Québec 82 / Cour supérieure 86 / TAL 76, base 80), the gate caps (G2 50, G3 55, G4 60, G5 70, plus the G1 clear/arguable 15/55 non-gate caps), the Completeness axis weight (25%), TAL's status as the 4th jurisdiction pack, 5-step (not binary) criterion grading, and the axis/dimension/pillar/gate naming — closing out the model for good.
`docs/plan/justice-score/SPEC-v1.0.md` is the new canonical spec (supersedes SPEC-v0.1.md's provisional numbers with the locked v1.0 model: 16 dimensions × 5 axes — Completeness 250 / Substantiation 260 / Admissibility 120 / Resilience 255 / Procedural 115 — capped by 6 knockout gates). `docs/plan/justice-score/explorer.html` is the founder's locked companion explorer (successor to the draft-era justice-score-explorer.html, retained for history). `docs/plan/justice-score/verify.js` is the new golden regression harness, wired up as `npm run check:justice-score` — it asserts the boundary invariants the engine (#1665) must reproduce exactly: all-dimensions-max scores 100.0, completeness-only scores 25.0, a fresh intake (Completeness + Procedural only) scores 36.5, every jurisdiction profile's dimension weights renormalize to exactly 1000, each critical gate clamps the final score to its cap regardless of the raw total, and the Resilience floor blocks Court-Ready status even when the raw score clears the forum's threshold. All 23 assertions pass.
Docs-only change (no engine code touched here — that already shipped in #1665–#1671 against the v0.1 defaults and now has a locked v1.0 target to verify against). `IMPLEMENTATION_1672.md` at the repo root documents the handoff for the maintainer wiring `check:justice-score` into the CI build matrix (left out of this PR since the agent token lacks `workflow` scope).
v7.77.43
Payments
Fix (P0, billing-ignition): a user could not start a subscription anywhere in the app, and the one wired upgrade button recorded its purchases nowhere (#1723).
`/api/billing/checkout` — the REAL checkout route the billing webhook and entitlements understand (and, since #1722, can sell every tier) — had zero callers outside a code comment. `/pricing` was fully static (every plan CTA was a `<Link>` to signup/mailto), and the only clickable upgrade button anywhere (`components/workspace/LitigationOps.tsx`) called a different, phantom `/api/workspace/checkout` endpoint with plan ids (`case-builder`, `self-rep-unlimited`) that exist in no billing catalog, whose Stripe metadata lacked `kind: "billing-subscription"` — so the billing webhook silently dropped every completed purchase. A charge could succeed at Stripe while the platform recorded it nowhere.
New `components/pricing/SubscribeButton.tsx` — the ONE real "start a subscription" control. POSTs `{ plan, locale }` to `/api/billing/checkout` with a real `BillingPlanId` (lib/billing/plans.ts) and redirects to the returned Stripe Checkout Session URL. Handles every documented non-2xx response gracefully instead of crashing: 401 same-site-redirects to sign-up (mirroring the existing ReferralPanel/Header pattern), 403 `STRIPE_NOT_ALLOWED` (the ROK Stripe Activation Guard, #1714 — correct behavior in SAFE_MODE, not a bug) shows a calm "not available yet" message, and any other denial surfaces the route's own reason.
`/pricing` gains a new, real subscribe section (`#subscribe`) rendering the actual sellable catalog (`planCatalog()`, edition-filtered — `professional` only on the US edition, `trustee-practice` only on CA/QC) with a `SubscribeButton` per plan. The page's older marketing-copy plan cards (Starter/Resolution Plus/Case Builder…, Solo/Firm/Enterprise) describe a different, one-time/credit-based pricing model that was never backed by a real Stripe price id in the billing catalog at all — retargeting their existing mailto/Link CTAs to the subscription checkout would have silently wired the wrong price to the wrong product, so they are left as-is; free/contact CTAs are also unchanged.
`components/workspace/LitigationOps.tsx`'s upgrade card is repointed from the phantom endpoint to a plain link into the new `/pricing#subscribe` section (its old `case-builder`/`self-rep-unlimited` plan ids matched no real billing plan or price, so silently substituting a real plan id would have misrepresented the amount charged).
`app/api/workspace/checkout/route.ts` is RETIRED outright (deleted, not redirected) — confirmed via grep it had exactly one caller, now repointed. `lib/control-plane/activation-inventory.ts` (the ROK pre-activation lock report, #1747) and its pinned test drop the route from the registered-service-route table and the "ungated Stripe routes" finding, which is now EMPTY — #1755 (below) had already closed the service/ops/copilot gap, and this issue closes the last remaining one by deleting the route outright. `lib/settings/__tests__/gating-coverage.test.ts`'s audit allowlist entry for the deleted file is removed.
New `upgrade_click` analytics event (lib/analytics/events.ts) fires the instant Subscribe is pressed, before the checkout POST resolves, reusing the existing `CTA_CLICK` wire name (same precedent as `cta_click`/`service_view`) so the growth-events allowlist needs no new entry. Kept intentionally minimal — the paywall-402 side of this funnel is #1727's scope, not this one's.
`components/workspace/Workspace.tsx` now also recognizes the real checkout's `?billing=subscribed` success redirect with a confirmation flash — unlike the legacy `?upgrade=success` handler, it does not optimistically set a client-stashed plan id, since the Stripe webhook is the sole authority that writes the `subscriptions` row.
v7.77.42
Payments
Fix (P0, activation-safety): the Stripe Activation Guard now covers every real checkout route, not just billing/checkout (#1755).
ROK Phase 2.5's pre-activation lock report (#1747) surfaced that `assertStripeAllowed()` — the hard invariant that Stripe side effects require state ∈ {LIMITED_PROD, FULL_PROD} AND stripe.enabled AND the kill switch off — was wired into `app/api/billing/checkout/route.ts` only. `app/api/service/checkout`, `app/api/ops/checkout`, and `app/api/copilot/checkout` each called `stripe.checkout.sessions.create` directly, so SAFE_MODE and the founder kill switch had no effect on them at all: any environment with a live Stripe key could still create real checkout sessions through those three routes regardless of the control-plane state.
All three now call `assertStripeAllowed()` (imported from `lib/control-plane/guards.ts`) before their `stripe.checkout.sessions.create` call and return the identical structured `403 { error, code: "STRIPE_NOT_ALLOWED", reason }` shape billing/checkout already returned on denial. Each also now records `stripe.activation.triggered` via `lib/control-plane/writer.ts`'s `recordStripeActivationTriggered` on a successful session create, the same founder-spec event-bus call billing/checkout makes. `app/api/workspace/checkout` was deliberately left ungated here — it was the phantom/divergent endpoint retired outright by the separate billing-ignition work (#1723, above).
`lib/control-plane/activation-inventory.ts` (the pre-activation lock report's own data model) is updated to match reality: service/ops/copilot checkout move from `gatedBy: null` to `gatedBy: "stripe"`, the combined ungated-fan-out edge splits into a gated edge (service/ops/copilot) and a still-ungated edge (workspace only), and `WIRED_CONSUMERS.stripe` lists all four gated routes — so the report this fix originated from no longer misreports its own finding as still-open. New source-invariant suite `lib/control-plane/__tests__/checkout-guard-coverage.test.ts` asserts, for every real checkout route, that the guard is imported, checked strictly before the Stripe call, and denies with the stable `STRIPE_NOT_ALLOWED` code — plus a pinned assertion that workspace/checkout remains unguarded on purpose. (Note: #1723, above, later deletes that route entirely and updates this suite's pinned assertion accordingly.)
v7.77.41
Payments
Fix: the two top billing tiers (Professional, Trustee Practice) could never actually be sold — a Stripe webhook upsert for either one silently failed forever (#1722).
`subscriptions` (migration 0037) is the confirmed source of truth the billing webhook (app/api/billing/webhook/route.ts) upserts every real Stripe subscription event into, and migration 0148 already extended owner_has_active_paid_plan() to read it for the consumer 'pro'/'premium' tiers — that part was already correct. But `subscriptions.plan`'s CHECK constraint was never widened past ('free','pro','premium'), even though lib/billing/plans.ts's BILLING_PLAN_ORDER — the webhook's only gate — has listed 'professional' and 'trustee-practice' as real plan ids all along. A live subscription event for either top tier violated the constraint, the upsert threw, the webhook returned its generic 502, and Stripe retried the same failing event forever: the charge could succeed at Stripe while our own `subscriptions` row for it could never be written.
New migration 0151 widens the `subscriptions_plan_check` constraint to also allow 'professional' and 'trustee-practice', and create-or-replaces owner_has_active_paid_plan() so its `subscriptions` OR-branch recognizes all four paid plans instead of just two — identical logic otherwise, `professional_subscriptions` (0121) and the 0141/0142 DB-trigger enforcement points are untouched.
Additive and idempotent (drop-if-exists then add on the constraint, create-or-replace on the function) — no table, trigger, or existing row is touched. New source-invariant tests (lib/monetization/__tests__/top-tier-entitlement.test.ts) assert the widened constraint and function text directly, plus a pure plan-set unit test covering active/expired/canceled rows for all four paid plans.
v7.77.40
Workspace & matters
The workspace finally has a Help button — a persistent "?" entry point linking to the Support Center, the Research Hub, direct founder contact, and the guided tour (#1731).
New "?" / Help toolbar button in the workspace chrome (next to Settings), always visible — including for local-mode (no-backend) sessions, not just signed-in ones. Opens a small HelpPanel dialog (components/workspace/HelpPanel.tsx) with three links to real, existing surfaces: the Support Center (/support), the Legal Research Hub (/research), and a direct mailto to the founder — no new backend or route was created.
When the in-app guided tour is enabled (NEXT_PUBLIC_GUIDED_TOUR_APP), the Help panel also offers "Replay tour", reusing the exact same lib/guided-tour/tour-bus.ts entry point as the existing nav button rather than duplicating the wiring — there is still exactly one way to ask AppGuidedTour to open.
Full a11y parity with the rest of the workspace's modal family (ConfirmDeleteMatterDialog.tsx idiom): role="dialog", focus trapped via lib/a11y/focus-trap.ts, Escape and backdrop-click both close, focus restored to the trigger on close.
All new copy is fully bilingual (en/fr) plus Spanish, typed in dictionaries/types.ts under AppDict.wsShell.
v7.77.39
Accessibility
Accessibility: workspace dialogs that claim to be modal now actually trap focus (#1734).
Several dialogs and drawers — the AI Copilot chat, "Ask a question", the matter list, the first-run welcome screen, the close-matter and arm-a-deadline confirmations, the Legal Services drawer, the evidence file viewer, and three founder command-center edit drawers — declared aria-modal="true" but never actually trapped focus, handled Escape, or restored focus on close. A keyboard or screen-reader user could Tab straight out of a "modal" into the page behind it, defeating the point of a modal dialog (WCAG 2.4.3 Focus Order / ARIA APG modal-dialog pattern).
Every one of these now reuses the existing lib/a11y/focus-trap.ts utility (the same idiom already proven by the matter-delete confirmation dialog): focus moves into the dialog on open, Tab/Shift-Tab is contained inside it, Escape closes it, and focus is restored to whatever element triggered it once it closes.
GuidedTour.tsx already implemented an equivalent trap of its own and was left untouched. This is a pure behavior fix — no visual or copy changes, and prefers-reduced-motion is unaffected since no new animation was introduced.
v7.77.38
Marketplace
Canonical-URL regression fixed: expert profiles, guides, emergency and founding-partners were falling out of Google's index (#1733, P1).
Root cause: `generateMetadata` on several public pages returned no `alternates` field. Next.js metadata resolution treats a missing `alternates` as "inherit from the parent layout" rather than "no canonical" — so every one of these pages was silently advertising the homepage (`/${locale}`) as its own canonical URL, telling Google to drop the page from the index in favor of the homepage. This is the same failure mode as #1541, recurring on routes added after that fix shipped without picking up its pattern.
Fixed every expert-marketplace route (`/experts`, `/experts/[discipline]` hub, `/experts/[discipline]/[expertId]` profile, `/experts/devenir-expert`, `/experts/devenir-expert/apply`), the guides index (`/guides`), `/emergency`, and `/founding-partners` (the `/partenaires-fondateurs` alias already had the fix — the primary English route never did) to spread `pageAlternates(locale, path)` from lib/seo.ts into their metadata, giving each page a self-referential canonical plus full hreflang alternates for every locale/edition.
`/experts/devenir-expert/apply` had no `generateMetadata` at all (not even a title) — it now has one.
A broader repo-wide audit found dozens of older static pages (about, contact, press, jurisdictions, etc.) with the same gap; those are lower-traffic and are left for a dedicated follow-up sweep to keep this P1 fix scoped to the reported bleed.
v7.77.37
Localization
Fix: Spanish no longer ships flagged "authoritative" while ~91% of the UI silently renders in English (#1724, P0).
`dictionaries/es.ts` is `deepMerge(en, esPartial)`, and the Spanish overlay `dictionaries/partials/es.ts` only authors about 9% of the dictionary's leaves — the rest quietly falls back to English. `es` was nonetheless listed in `authoritativeLocales` (lib/i18n-config.ts) alongside fr/en, and unlike ar/zh/pt it was missing from `machineTranslationLocales` (lib/i18n/translation-engine.ts), so components/MachineTranslationBanner rendered no translation notice at all for Spanish visitors — an English-majority page presented as a finished, authoritative Spanish page.
Demoted `es` out of `authoritativeLocales` and added it to `machineTranslationLocales`, mirroring exactly how ar/zh/pt/it/de/he/pa are wired. Spanish now shows the same honest "machine-assisted translation (beta)" banner as those locales — the copy already existed in `MACHINE.es` (lib/i18n/language-notices.ts) and simply wasn't reachable before because the authoritative flag short-circuited it.
No dictionary content was deleted: `dictionaries/partials/es.ts` and its explicit-coverage ratchet (scripts/check-i18n-gap.ts) are untouched, and Spanish keeps 100% resolved coverage via the FR/EN fallback — only the disclosure to the reader changed. `scripts/check-release-blockers.mjs`'s former "Spanish is authoritative" gate is corrected to assert the opposite (not authoritative, in the machine-translation set) so this can't silently regress; re-promoting `es` requires deliberately raising its explicit coverage and updating that gate again.
v7.77.36
Payments
ROK Phase 2.5: a read-only pre-activation lock report shows exactly what can fire in production right now, before the control plane is ever activated (#1747).
New pure lib/control-plane/activation-inventory.ts assembles a three-part inventory: the registered external-write API surface (billing/Stripe, growth/presence analytics, cron jobs, AI persistence routes), a source → sink event fan-out map, and — for every declared ROK flag — whether its real guard predicate (imported from lib/control-plane/guards.ts, never re-implemented) permits it to fire given a supplied state, plus which routes actually wire that guard in. Zero I/O, unit-tested with 11 node:test cases including the acceptance bar: nothing revenue-related is fireable in SAFE_MODE.
The audit surfaced a real gap worth knowing about before the Supabase pooler URL is wired: only app/api/billing/checkout is wired to assertStripeAllowed() — /api/service/checkout, /api/ops/checkout, /api/workspace/checkout, and /api/copilot/checkout each call stripe.checkout.sessions.create directly and will fire on their own preconditions regardless of the control-plane state. Separately, the analytics and justice_engine flags currently have zero wired consumers (growth/events, presence, and every ai/* persistence route write unconditionally today) — flipping either flag right now would change no runtime behavior.
New read-only GET /api/admin/activation-lock-report, gated by the identical resolveOpsAdmin() check every Command Center route uses (#1105), and a standalone app/[lang]/admin/activation-lock-report page (mirrors admin/control-plane exactly) rendering the report via a new ActivationLockReportPanel.tsx. This route and page make NO writes to system_control_state/system_control_events, no Stripe calls, and no migrations — the entire feature is READ-ONLY by construction.
v7.77.35
AI & automation
UPL compliance: the workspace nav no longer frames the AI Copilot as "getting advice" (#1718).
The in-workspace nav had a single item — "Obtenir des conseils" / "Get legal guidance" — whose click opened the AI Copilot chat drawer. Labeling an AI feature as giving "guidance"/"advice" is a UPL (unauthorized practice of law) risk: it signals the platform is dispensing legal advice, when its own disclaimers are explicit that it provides general legal information only.
Split into a clear 3-lane model. Lane 1 (human legal services / marketplace): the item is relabeled "Trouver un avocat" / "Find an attorney" and now links directly to the real attorney marketplace route (`/[lang]/attorneys`), reusing the existing `findAnAttorney` dictionary key already used by the Legal Services drawer for the same destination. Lane 2 (AI informational layer): a new nav entry "Obtenir de l'information" / "Get information" opens the same Copilot chat drawer the old item opened, now correctly framed as an informational tool, matching the "information juridique générale" disclaimer copy. Lane 3 (static resources): Ressources juridiques, Services juridiques, and every other nav item are unchanged.
The now-unused `getLegalGuidance` dictionary key (fr/en/types) is removed outright — a repo-wide grep confirmed it had exactly one call site. New explicit Spanish copy was added for both labels in dictionaries/partials/es.ts (`findAnAttorney`, `getLegalInformation`) rather than relying on the English fallback.
v7.77.34
Workspace & matters
Matter delete gets a real confirmation dialog and stops freezing the page for 2.3 seconds (#1715, founder-reported).
The workspace home's matter-card overflow menu deleted a matter with no confirmation of any kind — a single misclick permanently destroyed a case. A new ConfirmDeleteMatterDialog (components/workspace/ConfirmDeleteMatterDialog.tsx) now gates every single-matter delete: it names the matter, states plainly that the delete is permanent and removes it from both this device and the cloud, and requires an explicit Cancel or Delete click. It replaces the native, unstyled, untranslatable browser confirm() this flow used to fall back to.
The dialog is keyboard-safe by design for a destructive action: opening it moves focus to Cancel — never to Delete — so a stray Enter right after opening can only cancel; reaching Delete needs a deliberate Tab or a direct click. Escape cancels, Tab/Shift-Tab are contained inside the dialog (reusing lib/a11y/focus-trap.ts, the same pattern as OutboundLink.tsx / GrowthTracker.tsx), focus is restored to the trigger on close, and there is no entrance animation, so there is nothing for prefers-reduced-motion to disable.
Separately, deleting a matter froze the page for a measured 2,314ms of INP: Workspace.tsx's deleteMatterFromHome ran `saveCases(loadCases().filter(...))` — a synchronous read, parse, filter, re-serialize, and write of the ENTIRE local case store, evidence included — before ever updating the on-screen list. The in-memory state update (setCases/setStrandedLocal) now runs FIRST, so the card disappears within the current paint, and the heavy store write is deferred via a new scheduleIdleWrite (lib/workspace/idle-write.ts): it runs on requestIdleCallback where available, falls back to a macrotask (setTimeout) elsewhere, and force-flushes synchronously on pagehide/visibilitychange so a user who deletes and immediately navigates away never loses the write.
The legal-hold guard and the stranded-vs-synced branching were extracted, unchanged in behavior, into a pure lib/workspace/matter-delete.ts (planMatterDeletion) so they're unit-tested with node:test — a held matter is still refused (Workspace.tsx keeps the existing alert(t.deleteBlockedByHold) block), and the fallback full-store lookup only runs when the matter isn't already in memory, same laziness as before. The separate type-to-confirm 'delete ALL matters' danger zone (Settings, Workspace.tsx) is untouched.
v7.77.33
Payments
Release Orchestration Kernel (ROK) Phase 1: a runtime control plane decouples code deployment from system activation — a global state machine, declarative feature flags, a hard Stripe Activation Guard, Justice Engine isolation, and a founder kill switch (#1714, epic).
New migration 0150 adds `system_control_state` (a singleton row holding the live global state — INIT/SAFE_MODE/STAGED/LIMITED_PROD/FULL_PROD/EMERGENCY_LOCKDOWN — plus the declarative per-subsystem flags JSON and the kill switch) and `system_control_events` (append-only audit trail, admin-read/service-write, immutable trigger-enforced), mirroring exec_event_log's (0140) durable event-stream contract rather than inventing a new bus. Default: SAFE_MODE, every flag OFF except analytics — a zero functional-change baseline, since Stripe isn't live in production today either way.
New lib/control-plane/ kernel: a pure, exhaustively unit-tested state machine (`canTransition` — EMERGENCY_LOCKDOWN always reachable from any state; LOCKDOWN recovers ONLY to SAFE_MODE; forward/backward progression is stepwise, no skipping a stage; INIT never re-entered), a cached fail-closed reader (`getControlState`), the guard predicates (`isStripeAllowed`/`assertStripeAllowed`, `isPaywallEnforced`, `isKillSwitchOn`, `isEnabled`, `isJusticeEngineWriteAllowed` — each with a pure, row-based sibling for zero-I/O testing), and the sole writer (`transitionState`/`updateFlag`/`engageKillSwitch`/`disengageKillSwitch`) that validates every change before persisting it and appending an audit event.
THE hard invariant: `assertStripeAllowed()` returns allowed only when state ∈ {LIMITED_PROD, FULL_PROD} AND stripe.enabled AND !kill_switch — wired as the actual chokepoint in app/api/billing/checkout/route.ts (a new checkout session is a real Stripe activation) before `stripe.checkout.sessions.create`, returning a structured 403 on denial and recording `stripe.activation.triggered` on success. Deliberately left the Billing Portal (existing-customer self-service) and the webhook route (inbound reconciliation of events Stripe already emitted) UNGATED — flagged explicitly in IMPLEMENTATION_1714.md for architect/CTO review, since kill-switching new activation must never strand an existing paying customer.
Justice Engine isolation (founder spec: the Justice Score/Analytics engine must NEVER read billing/pricing/enforcement state): a source-invariant CI test asserts lib/store/cases.ts (today's justiceScore()) and lib/strategy.ts never import lib/billing/* or lib/control-plane/*, PLUS a forward-compatible glob over any future lib/justice-score/**/lib/justice-analytics/** module — including the justice-analytics data model that landed in the same window (#1708, migration 0149) — so the guard already applies to it.
Paywall wiring resolves the SAFE_MODE-vs-DB-trigger tension explicitly: new lib/billing/quota-gate-server.ts's `checkQuotaGated` (used by app/api/matters/sync and lib/litigation/dispute-conversion.ts — never components/CaseBuilder.tsx, a "use client" component that would break if it pulled in the service-role reader) skips the app-layer pre-check entirely when `paywall.enabled` is false (the SAFE_MODE default). This is a ZERO functional-change wiring: the 0141/0142 DB triggers are completely untouched and still translate a rejected insert into the SAME structured 402 either way — SAFE_MODE's "no enforcement" only ever governed the optimization, never the actual floor.
New app/[lang]/admin/control-plane Founder Control Panel + its GET/POST /api/admin/control-plane API route, gated by the identical resolveOpsAdmin() check every other command-center route uses (#1105): current state + valid next transitions, every flag with its toggles (Stripe mode/rollout %, paywall, Justice Engine enabled/write-mode, analytics), a confirm-gated kill switch, and the recent control-events feed. Every write is validated by the kernel writer and double-audited (system_control_events for the domain feed, admin_audit_log via logAdminAction for "who did this").
v7.77.32
Privacy (Law 25)
Justice Analytics™ P1: the privacy-separated data substrate for the fairness-analytics module — consented, aggregate-only; NO disparity output ships here, still gated on statistical and legal review (#1708, ADR-0006, epic #1703).
Per ADR-0006 §3/§4 (docs/adr/0006-justice-analytics-design-and-safeguards.md), new migration 0149 adds six tables: `demographic_profiles` (voluntary, consented, special-category PII — race/ethnicity, Indigenous status, disability status, immigration status, income bracket, language, each independently nullable for per-field opt-in) carries NO foreign key to any identity or case table at all; the ONLY connective tissue is `demographic_consent_links` (owner + optional case reference), and BOTH tables are deny-all RLS — zero policies for anon or authenticated, not even the consenting user's own session.
`case_outcomes` is matter-scoped RLS (can_access_matter/can_edit_matter, identical to every other matter-child table) and carries the six ADR-0006 §2 control variables a future fairness computation would need (charge severity, prior record, plea agreement, representation type, jurisdiction via court/police reference, judge/court assignment) plus outcome fields — no demographic column, no FK to either demographic table. `judge_profiles`/`police_profiles`/`court_profiles` are public-entity reference skeletons (public-read RLS, admin-write) with no fairness/disparity column yet.
New lib/justice-analytics/ access layer: a pure k-anonymity gate (k-anonymity-gate.ts, MIN_CELL_SIZE=30 per ADR-0006 §2 — stricter than the existing MIN_COHORT=10/#466 and k=5/#1458 precedents this extends) that suppresses any cohort below the floor entirely, never a partial value; consent.ts's write/read-own/revoke functions perform their own explicit ownership check against demographic_consent_links.owner_id before ever returning a row (the deny-all tables have no RLS policy to lean on); aggregate.ts's readDemographicAggregate() is the only function permitted to read across multiple consented profiles, joining ephemerally in memory (never persisted) and returning only k-anonymized {cohortValue, cellSize} pairs.
NO disparity/fairness/scoring code exists in this PR (grep-clean, documented in IMPLEMENTATION_1708.md) — no Disparity Index, no regression adjustment, no confidence interval, no fairness_metrics/disparity_scores/review_packages table, no AI-agent wiring. Those are P2 (#1709) and P3/P4 (#1710/#1711), still gated on the statistical-methodology (#1704) and legal/defamation (#1706) reviews. All six new tables registered in lib/security/rls-table-registry.ts; the repo-wide RLS audit harness (403 assertions) and 30 new access-layer unit tests pass, including proofs that one user's consent read/revoke can never touch another user's row.
v7.77.30
Workspace & matters
The freemium paywall now actually enforces: matter-create and dispute→matter conversion return a structured upgrade signal at the free-tier cap, and a real paid subscriber is never blocked (#1697, ADR-0005 §3, epic #100).
lib/billing/entitlements.ts's quota primitives (matterQuota/disputeQuota/hasQuotaRemaining) were coded in Phase 1 but never called by any route — the free-tier caps (1 matter / 25 disputes) were enforced ONLY by database triggers (0141/0142), which returned a raw exception, not an actionable answer. New lib/billing/quota-gate.ts + lib/billing/subscription-state.ts wire those primitives into an app-layer pre-check that reads the CALLER'S OWN real consumer subscription (the `subscriptions` table, Stripe-webhook-populated) and their own matter/dispute count — never a cross-user read.
New lib/billing/paywall.ts is the one structured response every touchpoint now returns at the cap: `{ ok:false, error:"quota_exceeded", code, quota:{used,limit}, upgradeRequired:true, message }`, HTTP 402. Wired into app/api/matters/sync (matter-create), lib/litigation/dispute-conversion.ts + app/api/disputes/[id]/convert (the dispute→matter conversion RPC — the actual paywall touchpoint per ADR-0005 §3, previously falling through to a generic 500), and a best-effort client-side pre-check in components/CaseBuilder.tsx (dispute-create, which has no server route — the DB trigger stays the real enforcement there).
Fixed a real 'paid user gets blocked' bug this wiring would otherwise have introduced: the DB trigger's owner_has_active_paid_plan() only recognized `professional_subscriptions` (a separate marketplace-advertising subscription, #1454), never the actual consumer Free/Pro/Premium `subscriptions` table this ticket's quota checks read. New migration 0148 extends that function with an OR clause honoring an active pro/premium subscriptions row — closing the TODO migration 0141 left for itself. A genuine paying consumer is now unlimited at both the app-layer pre-check AND the DB-layer backstop, never just one.
Every pre-check fails OPEN on a lookup error and is a UX optimization only, never the sole gate: the DB triggers (disputes_quota_guard, matters_quota_guard) remain the authoritative, un-bypassable enforcement, since dispute inserts ride the caller's own RLS session and matter inserts run under the service-role client. New tests cover at-limit paywall, under-limit success, a real paid subscription resolving unlimited (and skipping the count read), an expired subscription falling back to free, and that every count query is explicitly scoped to the caller.
v7.77.29
Ops / CI / infra
Justice Analytics™ P0: the design ADR for a fairness/disparity-observability engine — nothing ships until stats, privacy, and legal review clear (#1707, epic #1703).
This is a docs-only design commit for the highest-risk product on the platform: does a measurable outcome disparity exist for a court, judge, prosecutor, or police service, AFTER controlling for the variables that legitimately explain outcome differences? New docs/adr/0006-justice-analytics-design-and-safeguards.md specifies the non-negotiable safeguard first: this module never labels a person or institution as racist, biased, or discriminatory, and never asserts intent. Every output takes one fixed, enforced form — a statistically significant residual disparity, its confidence level, the controls applied, the sample size, and a mandatory limitations disclosure — with a banned-phrasing list enforced through the existing output-guardrail scanner (§29.19) every other AI capability on this platform already passes through. 'AI agents contribute evidence, not conclusions' is structural, not aspirational: the five proposed agents (Outcome Analysis, Bias Detection, Fairness Audit, Review Package, Jurisprudence Correlation) are all wired through the existing §29.23 orchestration layer with requiresHumanApproval:true and no forbidden-verb capability.
The statistical methodology proposal — for the founder's stats-peer-review gate (#1704) to confirm or amend — defines the Disparity Index as the actual outcome gap minus the expected-difference-after-controls (charge severity, prior record, plea agreement, representation type, jurisdiction, judge assignment), recommends logistic/linear regression adjustment as the primary method (propensity-score matching as a supplementary robustness check only), a 95% confidence threshold, Benjamini-Hochberg FDR correction across simultaneous per-entity tests, and — critically — a minimum sample size below which nothing is ever reportable (n ≥ 30 per cohort cell, n ≥ 100 total cases before any named entity's disparity is reportable at all), extending the exact 'not enough data, never a number' pattern already shipped in lib/analytics/cohort-gate.ts (#466) and lib/matching/outcome-aggregates.ts (#1458) — both explicitly lower-stakes precedents this module must exceed. A worked example shows a raw 18-point disparity that fully explains away after controls to a non-significant 1-point residual, which must be reproduced as a synthetic P2 fixture.
The privacy architecture — for the Compliance gate (#1705) — specifies demographic_profiles as voluntary, explicit, per-field consent, stored with no direct FK to case-record identity, joined to case_outcomes only ephemerally inside a service-role aggregation job that never persists the joined row, and readable only in aggregate behind the minimum-cell floor above. Consent is revocable, retention is tied to active consent plus a grace period, and both US-state privacy law and Loi 25 are addressed for this US-first, jurisdiction-packable build.
The data model (design only, no migrations in this PR) separates demographic_profiles/demographic_consent_links (privacy-isolated, service-role-only) from case_outcomes/judge_profiles/police_profiles/court_profiles/fairness_metrics/disparity_scores/review_packages (public-computable, aggregate-only). The review-package generator is framed for oversight bodies (Conseil de la magistrature du Québec, the Canadian Judicial Council, police ethics commissions, human-rights commissions, ombudsman offices) — presented to the submitting user / oversight body, never published — for the Legal gate (#1706) to review.
The phased plan wires all three human gates in as explicit, per-phase prerequisites, not just epic-level aspirations: P1 (#1708, data model) needs the privacy gate; P2 (#1709, fairness engine) needs the stats gate; P3 (#1710, judicial/police analytics — the first named-entity surface) needs ALL THREE gates closed before any code can merge; P4 (#1711, review packages) needs the legal gate applied specifically to the package template. Three founder/expert decisions are surfaced, not decided: which external stats reviewer to engage, whether outputs are gated to verified users/oversight submissions versus broader aggregate visibility, and which US states to scope for v1.
v7.77.27
Payments
RAG grounding now covers real evidence uploads, not just the unused documents-table path — and mirror rows stay invisible to billing/evidence-facing reads (#1687, follow-up to #1638).
#1638 fixed the §29.22 auto-index cron's `documents`-table path, but a repo-wide search found no in-repo browser caller for it — real uploads go through the evidence-upload flow instead, which stores extracted text in `matters.data.documents` JSON, a store the cron never read. So Copilot recall and RAG-grounded AI drafting were still citing zero real document text.
The §29.22 auto-index cron (app/api/cron/ai-index) now runs a new evidence-store mirror step FIRST: it scans matters for evidence documents with non-blank extracted text and mirrors each one into a `documents`-table row, keyed by the evidence document's own id. The pre-existing, UNCHANGED reconcile/index pipeline then picks that row up on its very next pass exactly like any other document — no chunk/embed/retrieval code was touched, so every RLS and matter-scoping guarantee that pipeline already had applies identically to evidence-derived chunks.
Dedup/idempotency: a mirror row is only (re)written when its text is new or has changed since the last mirror — an unchanged document is skipped outright (no write, no bumped `updated_at`), which is what keeps the existing freshness check from re-embedding it on every run. New lib/ai/retrieval/evidence-mirror.ts (pure selection/comparison) + evidence-reconcile.ts (injected-I/O runner), both unit-tested; an end-to-end pipeline test proves evidence text becomes a real, queryable `ai_document_chunks` row and that a second pass over unchanged data mirrors and re-embeds nothing.
Architect review caught that `documents` is NOT an unused table — billing (evidence storage quota), the litigant-facing evidence view, the exported exhibit registry, court-production assembly, and the disk-mirror-status endpoint all read/aggregate `documents` rows with no awareness a mirror row could exist. New migration 0147 adds `documents.is_index_mirror boolean not null default false`, set `true` only on mirrored rows; all six of those consumers now explicitly exclude `is_index_mirror = true` (a mirror row can never inflate billed storage, appear as a phantom document, or be produced into a court filing), while the two indexer entry points (this cron's own scan, and the on-demand POST /api/ai/retrieval/index route) apply no such filter, so mirror rows are indexed exactly like native ones.
Fail-open: an evidence-mirror error is isolated per document and never blocks the pre-existing documents-table reconcile that runs right after it.
v7.77.26
Security
Guided Tour Phase 4: the TourEvent stream now persists to its own table, feeding a Command Center funnel view + a flag-cohort rollout scaffold (#1678, epic #1674).
Added migration 0146_guided_tour_events.sql: an append-only guided_tour_events table capturing the typed TourEvent stream (opened/step_viewed/advanced/back/skipped/completed/cta_clicked), variant, step_index, a client-generated anonymous session id, a server-derived control/treatment cohort, and the optional signed-in user id. RLS mirrors the repo's existing anonymous-telemetry precedent EXACTLY (growth_events/0024, telemetry_events/0019): RLS is on with NO insert or select policy for the anon or authenticated roles at all — every write goes through the new POST /api/guided-tour/events route on the service-role client after validation, and the lone policy is an admin-only SELECT (mirrors the op_* tables in 0068). This is deliberately tighter than a raw 'anon insert' RLS grant, which would let the public anon key write directly to the table from outside the app.
The capture route derives the cohort SERVER-SIDE from the client-supplied session id (lib/guided-tour/cohort.ts, a deterministic FNV-1a hash bucketed ~50/50) rather than trusting a client-supplied value, so it cannot be spoofed and is reproducible for audit. components/guided-tour/analytics.ts gained a second, additive beacon to this route (the existing growth_events beacon from #1675 is untouched) — fire-and-forget via sendBeacon/fetch-keepalive, wrapped in try/catch, so a capture failure can never break the tour UI. Reuses the SAME sessionStorage session-id key GrowthTracker.tsx already writes, so tour events and the rest of the growth funnel share one session id for future joins.
New Command Center view at /admin/guided-tour (app/[lang]/admin/guided-tour/page.tsx + components/admin/GuidedTourFunnel.tsx), gated with the exact same shared admin gate every other Command Center route uses (lib/ops/admin-gate.ts's resolveOpsAdmin(), mirroring /api/admin/ai-eval and /api/admin/campaigns) via a new GET /api/admin/guided-tour-funnel route. Shows completion rate by variant, p50 time-in-tour (overall and by variant), skip-point distribution (which step gets abandoned most), and a completion-rate split by cohort. A standalone page rather than a new CommandShell tab, since that tablist's seven existing tabs are wired through their own dedicated a11y/shell tests and adding an eighth is a bigger cross-cutting change than this read-only report warrants. Linked from the founder dashboard's quick actions (components/admin/CommandCenter.tsx).
All aggregation math (lib/guided-tour/tour-funnel.ts's computeTourFunnel) is a pure, dependency-free function over raw event rows — no Supabase import — so it is fully unit-tested (lib/guided-tour/__tests__/tour-funnel.test.ts, lib/guided-tour/__tests__/cohort.test.ts) without a database: distinct-session completion rates, median time-in-tour with duplicate-open/replay pairing, skip-point tie-breaking, and the cohort split's determinism + ~50/50 balance across a large synthetic sample.
Scope note: the cohort split is a rollout SCAFFOLD only — it reports raw per-bucket completion counts, not a statistically validated lift. The epic's remaining two success metrics (landing signup lift vs. control, in-app first-matter-24h lift) need a dedicated causal-lift computation once enough volume has accumulated; deliberately deferred and documented as a follow-up in IMPLEMENTATION_1678.md rather than built here.
v7.77.25
AI & automation
AI-vs-human agreement metric for the chronology self-improvement loop, in the eval runner's Command Center surface (#1651).
Extended GET /api/admin/ai-eval (the §29.20 eval runner's Command Center route) with a new `factFeedback` field: an all-time and a trailing-30-day human-vs-AI agreement report computed from `ai_fact_feedback` rows (#1648/#1691) — per chronology field (event / factProven / narrative) and overall, the accepted-verbatim rate, edited rate, rejected rate, and the mean similarity score for edited rows. This is the AI-drafting quality signal the Chairman asked for: how often a litigant keeps the AI's suggestion unchanged.
New pure aggregation module lib/ai/eval/fact-feedback-metrics.ts (computeFactFeedbackAgreement) — deterministic, dependency-free, unit-tested against synthetic fixtures with hand-computed expected rates. Deliberately kept OUT of runAllEvals()'s CI regression floor: unlike classification/citation/red-team, there is no golden set for this family (it's live production feedback, not a fixture), matching #1651's own scope note that this starts as an observability surface, not a merge blocker.
Reads ai_fact_feedback through the SAME service-role admin client resolveOpsAdmin() already hands the /api/admin/ai-eval route for its founder-only gate — no new bypass introduced. Metadata-only: the query selects field/outcome/similarity, never the (never-persisted) raw AI/human text, consistent with migration 0145's Loi 25 scoping. Logs a Law 25 founder cross-matter-read register entry (api/admin/ai-eval), mirroring /api/admin/metrics' own aggregate-read posture.
No UI tile added yet — like the existing classification/citation/red-team/UPL families on this route, this ships as a JSON reporting surface for Priya/Alexandre to review directly; a Command Center tile is a natural follow-up, not in this ticket's scope.
v7.77.24
Litigation
ADR-0005: the pre-litigation Dispute vs litigation Matter freemium boundary is written down for founder review (+1, documentation)
A new architecture decision record maps how the free-tier Dispute lane relates to the paid Matter lane (Epic #100), grounded in what already ships today: the standalone disputes table and its conversion RPC, the older litigationOverride mechanism embedded in existing matters, the coded-but-unwired freemium quotas, and the Justice Score engine's forum-profiled scoring. It designates the exact paywall touchpoint (dispute and matter creation), explains why Justice Score stays a Matter-only instrument while a lighter pre-filing readiness signal already exists for disputes, and surfaces two decisions only the founder can make — the litigant-facing names for the two lanes, and whether the free lane is a permanent floor or a trial. Nothing ships from this: it is a document for review, not a code change.
v7.77.23
Localization
Justice Score™ T7: the old 7-dimension score is retired — every remaining surface now reads the 16-dimension engine (#1671).
The presence-only justiceScore() (lib/store/cases.ts) is fully removed, along with its ScoreDimension/JusticeScore types and the dead scoreTitle/scoreHint/dimensions dictionary keys. T5 (#1669) had already swapped Workspace.tsx's Overview widget for the new dashboard; this release retires its 4 remaining call sites: the matter-card readiness badge on the Justice Command Center home screen (JusticeHome.tsx), the firm portfolio's average-readiness stat + per-matter readiness column (Firm.tsx), the litigation Strategy panel's strengths/weaknesses lines (lib/strategy.ts), and the post-import readiness line on the document-intake report (lib/intake/engine.ts). All four now read scoreMatter(matter, "base").band.cappedScore — the same gate-capped, forum-scaled number the full dashboard shows as its primary score, on the identical 0-100 scale the old score used, so no caller had to change its display shape.
The Strategy panel's strengths/weaknesses used to loop over the retired model's 7 hand-labelled dimensions; it now loops over all 16 of the new engine's dimensions (via litigationStrategy's new required `t: AppDict` parameter) using the already-translated wsJusticeScore.dimensionNames instead of a second hand-rolled label map. Each dimension's earned/available ratio folds in Substantiation, Admissibility, Adversarial-Resilience and Procedural Compliance, not just presence, so the panel can surface adversarial-readiness gaps (Opposing/Rebuttal, Authorities, Credibility) that the old model had no way to see. Capped to the 5 most significant dimensions per list (matching the existing nextMoves cap) so 16 candidates can't flood the panel.
Spec §10 crosswalk applied at every migrated surface: Case theory 18→Case Theory 9 + Legal Basis 8; Parties 14→Parties 4 + Jurisdiction 3; Chronology 18→8; Evidence 16→11; Exhibits 12→7; Witnesses 10→6; Deadlines 12→Deadlines 7 + Pleadings 5 — the 32 new points (Damages, Opposing/Rebuttal, Authorities, Credibility, Disclosure, Hearing Prep) are almost entirely adversarial + procedural work the old model never measured. A legacy matter with no new-model-specific data still scores sensibly under scoreMatter (honest zeros on the ~11 structurally-unbackable criteria, per T4/#1668) — no data loss. See IMPLEMENTATION_1671.md for the full call-site inventory.
v7.77.22
Localization
Justice Score™ T6: the 'what's missing' ranked gap list — anti-ambush framing, full i18n (#1670).
Added lib/justice-score/gaps.ts (`deriveGaps`), a pure function of T4's `scoreMatter` output (ReadinessResult) that turns the score into an actionable, ranked list: every tripped gate surfaces as its own top-priority item (in spec order, always ahead of every criterion gap — a gate can hold a numerically high score below Court-Ready regardless of points, so fixing one is never 'optional'), and every below-full criterion becomes a ranked item by score impact (unearned points), boosted for Adversarial-Resilience (R-axis) criteria and for any criterion feeding a currently-tripped CRITICAL gate's real signal (G1/deadlines, G2/jurisdiction, G3/evidence) — the anti-ambush framing: a case can look strong on paper and still get ambushed at trial, and the ranking surfaces that risk first. Per-criterion available/earned points are reconstructed from the existing per-dimension `dimScores` (no change needed to score.ts). The 11 criteria T4 documented as structurally unbacked (IMPLEMENTATION_1668.md §5) surface with an honest 'not tracked yet' flavor rather than a fabricated action.
i18n: `deriveGaps` never imports a dictionary (pure ids/numbers only); a second pure function, `gapSuggestionCopy`, resolves litigant-facing text against the bilingual dictionaries — reusing T5's `wsJusticeScore.dimensionNames`/`criteria`/`gateNames`/`gateMessages`/`gateActions`/`bandNames` (#1669, merged first) rather than duplicating them, and adding only the net-new `wsJusticeScoreGaps` section: 60 'do this next' action strings (one per criterion, in en/fr) plus the gap panel's framing/badge copy (also layered into partials/es.ts). Follows the established lib/witness/witness-view.ts pattern (dictionary passed as a parameter, never imported at runtime). check:i18n-gap stays 100% fr/en, and the ES ratchet grew (996 -> 1003 real Spanish leaves).
Tests (lib/justice-score/__tests__/gaps.test.ts, 25 new): ranking math (R-axis boost, gate-link boost, tripped-gates-always-first, structural-gap flagging, per-criterion available-points reconstruction sums back to the model's 1000/dimension totals under both the base and a reweighted profile), i18n resolution against the real en/fr dictionaries, determinism, and the epic's own acceptance scenario — reused T4's realistic §11 fixture (`dataEnteredNoAdversarialWorkMatter`, exported from derive.test.ts) end-to-end through `scoreMatter` -> `deriveGaps`: the 'filled every box, did no adversarial work' matter (raw 45.875, Building) already trips G6 (13% R-axis share vs. the base profile's 60% floor) even before any override, so the #1 gap is G6 itself, followed by R-axis criterion gaps ranked by impact — exactly the anti-ambush story the epic asked for.
Does not touch the T5 dashboard component or T7's not-yet-started retirement of the old score — gaps.ts is additive, consumed by whichever UI (T5's dashboard or a future surface) chooses to render it.
v7.77.21
Accessibility
Guided Tour Phase 3: real copy, mobile QA, a11y audit + the 'illustration, not legal advice' disclaimer (#1677).
Phase 3 of the 30-second guided tour (epic #1674), closing out the founder's Phase 0 copy/quality gate. Reconciled the tour's 5-beat spine (Situation -> Diagnostic -> Resolution -> Marketplace -> Court) against the real 9-stage workspace WorkflowStepper: 4 of the 5 beats already match real product vocabulary exactly (Situation, Resolution — the formal-demand-letter step, Marketplace, and Court are literal stage/feature names); 'Diagnostic' is an intentional compressed teaching label spanning the real Classify + Timeline stages, kept per the founder's Phase-0 direction to orient newcomers around the 5-beat spine rather than the full 9-stage detail. No renames were needed — see IMPLEMENTATION_1677.md for the full audit.
Added an 'illustration, not legal advice' disclaimer to the tour's end screen, in French (default), English and Spanish, shared by both the homepage and in-app variants. The copy is deliberately generic — it does not cite the demo matter's specific law (Loi sur la protection du consommateur) or its 30-day notice period — so it stays accurate regardless of which jurisdiction or deadline a real visitor's own matter involves. Flagged in IMPLEMENTATION_1677.md for Julien (VP Legal) / Geneviève (Compliance) sign-off; shipping now rather than blocking on that review, per direction.
Mobile QA (<=480px bottom sheet): fixed a viewport-overflow risk where a long French translation on a short/landscape screen could push the sheet's top content above the visible viewport (added max-height + scroll), and widened the tour's text-only buttons (Skip/Back/'Later', plus the primary action) to a >=44px minimum tap target on mobile.
a11y audit: the per-step mock 'fake matter' mini-screen (fake law citation, star ratings, avatars) is now hidden from assistive tech (aria-hidden) since it restates — never adds to — the real accessible title/body/caption content; confirmed the existing focus trap, Esc-to-close, arrow-key navigation, and the site-wide prefers-reduced-motion + focus-visible styles all already cover the tour correctly (no engine change needed there).
Translation review: added an automated fr/en/es completeness guard for tour-content.ts (this file is authored outside dictionaries/*.ts, so the normal check:i18n-gap parity gate never covered it) — every step, end screen, chrome string, and the new disclaimer must resolve in all three locales or the suite fails.
No behavior or API change to the tour engine itself — copy, accessibility, mobile layout, and the disclaimer only.
v7.77.20
Localization
Justice Score™ T5: the litigant readiness dashboard — replaces the old 7-dimension score widget (#1669).
Added components/workspace/JusticeScoreDashboard.tsx, mounted in the Overview tab where the old 7-dimension justiceScore() widget used to render. It calls T4's scoreMatter(matter, profileId) and renders the score dial + readiness band, the 5 quality axes (Completeness/Substantiation/Admissibility/Adversarial-Resilience/Procedural, with the "only 25% is data entry" framing), every tripped gate's plain-language message and what-to-do action, an opposing-counsel-exposure list (lowest-resilience dimensions), an axes radar, and a full per-dimension/per-criterion checklist — adapted from the founder's tuning explorer at docs/plan/justice-score/justice-score-explorer.html. A local jurisdiction-profile selector (base/Petites créances/Cour du Québec/Cour supérieure/TAL) lets a litigant see the SAME matter scored under a different forum; the matter itself carries no persisted profile field yet, so this is unsaved UI state defaulting to the neutral base profile — matching the fixture that reproduces the epic's own end-to-end story (data entered, no adversarial work → raw ≈46, Building, not the old model's ~100%).
Read-only of the scoring model by design: there is no control anywhere in the new dashboard to edit a criterion's completion level — the litigant improves their case elsewhere in the workspace (facts, evidence, exhibits, witnesses...), never the model's weights. lib/justice-score/score.ts gained one additive field, JusticeScoreResult.criterionScores (per-criterion earned/available/completion), and a new lib/justice-score/dashboard-view.ts holds the pure, independently-tested view helpers (buildScoreBreakdown, resilienceExposure, describeGates) the component renders from — no existing T1-T4 behavior changed.
Full en/fr/es dictionary parity for every new string (dictionaries/*.wsJusticeScore, ~110 keys — band names/descriptions, axis names, gate messages/actions, all 16 dimension names and 60 criterion labels, translated rather than left in model.ts's internal working English). The old justiceScore() function, its dictionary keys (scoreTitle/scoreHint/dimensions), and its other call sites (JusticeHome.tsx, Firm.tsx, lib/strategy.ts, lib/intake/engine.ts) are untouched — retiring those cross-references is T7 (#1671), not this ticket.
v7.77.19
AI & automation
New: AI-vs-human feedback capture on the chronology's AI suggestions — the platform's self-improvement loop (#1648).
Added ai_fact_feedback (migration 0145): whenever a litigant applies an AI-suggested 'Fact Proven' or 'Narrative' value on the chronology grid and then commits the field, the platform now records a structured signal — which field, the audited AI request id, whether the human kept the suggestion verbatim, edited it, or discarded it, and a 0-1 similarity score — without slowing or risking the save (fire-and-forget, fail-open: a feedback-write failure can never break committing your work).
Privacy-by-default (Loi 25): this release deliberately stores NO raw AI-suggested or human-committed text — only the structured outcome/similarity signal above. Raw-text retention remains gated behind the open Geneviève review (#1652); a documented, migration-ready seam is left for that follow-up. See IMPLEMENTATION_1648.md.
Access is matter-scoped: a user can only read or record feedback for a matter they can already access (same can_access_matter() RLS gate used across the platform), enforced on the caller's own session — no service-role bypass. Feeds the eval-runner-style quality metric planned in #1651.
v7.77.18
Workspace & matters
Justice Score™ T4: matter → criteria derivation — the presence→quality bridge, wired to real data (#1668).
Added lib/justice-score/derive.ts: a pure deriveCriterionCompletion(matter) that maps a real matter's facts, evidence, exhibits, witnesses, deadlines/drafts, contradictions, jurisprudence, and hearing prep onto the ~60 T1 criteria and the T2 gate inputs, plus scoreMatter(matter, profileId) which composes derive → score (T1) → gates (T2) → readiness band (T2) under a T3 jurisdiction profile into one ReadinessResult. Neither function touches a database or a service-role client — callers fetch the matter through their own RLS-scoped context first.
G3 (unproven element) is now wired to the real evidence→element mapping: any pleaded Issue with zero mapped evidence trips it, capping the score at 65. G1 (prescription) reads rule-derived deadlines; G2 (jurisdiction/quantum) checks the matter's forum against the chosen profile (no fabricated quantum figure, since LegalCase has no pleaded claim-amount field); G4 (service) reads bailiff service requests; G5 (ADR) reads the resolution pathway.
Wherever the matter data model genuinely has no backing field for a criterion (11 of 60 — witness competency, standing substantiation, several "withstands X challenge" resilience flags), completion is honestly 0, never fabricated — see IMPLEMENTATION_1668.md's full criterion→field mapping table and gap list (T6 will surface these as score-improvement suggestions). An end-to-end test proves the epic's §11 golden-example story on realistic matter input for the first time: a matter with data entered but no adversarial/admissibility work lands in Building (raw ≈46, not the old model's ~100%), and a thoroughly-prepared matter clears Court-Ready under the Cour du Québec profile.
v7.77.17
Litigation
New: the guided tour now remembers you signed in — cross-device, plus a replay button (#1676).
Phase 2 of the 30-second guided tour (#1674). Signed-in users now get the tour inside the litigation workspace: it opens automatically the first time, and — unlike the anonymous homepage version, which remembers per device — this one remembers per ACCOUNT, so dismissing it on your phone means it won't nag you again on your laptop. A new "Replay tour (30s)" button in the workspace toolbar lets you watch it again any time. The anonymous homepage tour (#1675) is unchanged. Off by default: enable with NEXT_PUBLIC_GUIDED_TOUR_APP=1.
v7.77.16
Workspace & matters
Critical fix: matter documents are now text-extracted so RAG grounding actually works (#1638).
Fixed a critical gap where user-uploaded matter documents were never text-extracted: matters/ingest's queueIndex() was a labeled no-op, so documents.extracted_text stayed empty for every real upload, the §29.22 auto-index cron found nothing to chunk/embed, and Copilot recall + RAG-grounded AI drafting were silently grounding on zero document text. Fixed the cheap way the issue recommended (no new paid extraction service): matters/ingest now accepts the browser's already-existing client-extracted text (OCR/PDF text layer) the same way evidence/ingest already accepts it, persists it to documents.extracted_text, and the existing cron picks it up on its next sweep — no change to the cron's chunk/embed logic itself.
Added an explicit documents.extraction_status column ('pending_extraction' / 'client_extracted' / 'server_extracted') so a document ingested without text is a visible, queryable gap rather than silently indistinguishable from an indexed one; an audit event is also recorded for the pending case. Ingest without text still succeeds (fail-open) — nothing about upload behavior changed for the caller.
Scope note: this does not add server-side PDF/DOCX parsing or OCR, and does not backfill extracted_text for documents ingested before this fix (the migration only corrects the new status column's metadata for legacy rows that already had text from an unrelated path). Both are deliberately deferred follow-ups — see IMPLEMENTATION_1638.md.
v7.77.15
Jurisdictions
Justice Score™ T3: jurisdiction profiles as data — base + 4 Quebec forums (#1667).
Added lib/justice-score/profiles.ts, five forum-tuned data packs (base, Petites créances, Cour du Québec civile, Cour supérieure, Tribunal du logement) that plug into the T1 engine (#1665) purely as data — no engine change required. Each pack carries dimension-weight multipliers, a forum-scaled Court-Ready threshold, a minimum Adversarial-Resilience floor, and gate parameters (claim ceilings/floors, mediation trigger, lease requirement) for the gate/band work landing next in the epic (#1664). This is internal engineering scaffolding only: no UI or litigant-facing scoring changes ship in this release.
Added lib/justice-score/gates.ts and bands.ts (epic #1664, T2 of the Justice Score™ readiness model). Six gates now cap the T1 engine's raw score when a filing has a critical defect: an unanalyzed or expired prescription/limitation period, a failed jurisdiction/quantum check, a pleaded element with no supporting evidence, or incomplete service of process; a seventh condition (mandatory ADR) applies a softer cap where the forum requires it. A sixth, non-numeric gate locks the Court-Ready band whenever the matter's Adversarial-Resilience showing falls below the forum's floor, even at a high score. The five readiness bands (Not Viable / Building / Substantially Prepared / Court-Ready / Trial-Hardened) are computed from the capped score plus the gate results, and a matter that numerically clears the Court-Ready or Trial-Hardened bar is deliberately held at Substantially Prepared — never silently promoted — when a required gate has not cleared. This is internal engineering scaffolding only: no UI or scoring changes ship in this release. Forum-specific thresholds (T3), the matter-data wiring for these gates (T4) and the litigant-facing dashboard (T5) land in the epic's follow-on issues.
v7.77.13
AI & automation
Internal: committed the Justice Score™ design spec v0.1 + interactive explorer to docs/plan/ (#1672).
No product or user-facing change. Landed the Justice Score™ readiness-model design spec (16 dimensions × 5 quality axes, 6 gates, forum-scaled Court-Ready bands, 5 jurisdiction profiles) and the founder's self-contained interactive tuning explorer as the canonical companion docs under docs/plan/justice-score/. Weights are draft and not locked — nothing here changes the live scoring engine until the founder signs off at the weight-lock gate (#1673). Part of the Justice Score™ epic (#1664).
v7.77.12
AI & automation
New: the AI now names which document backs a proven fact on the Timeline, not just the text (#1650).
When the Fact Proven or Narrative ✨ AI-suggest buttons on the Chronology grid produce a suggestion grounded in one of the fact's known source quotes, the source picker now pre-fills with the cited document, exhibit, and paragraph — shown as "AI cited: <document>" — so you can confirm or override it before saving, instead of only seeing the AI's wording with no link to which exhibit it came from. The AI only ever cites quotes it was actually given; the server maps its citation back to the real document server-side, so it can never invent a source. Facts whose sources have no known document (older data) behave exactly as before.
v7.77.11
Payments
New: a 30-second guided tour on the homepage, behind a feature flag (#1675).
Added the founder-provided interactive tour component (situation → diagnosis → resolution → marketplace → court): a simulated refund-dispute matter the visitor drives themselves, one click at a time, in under 30 seconds. Wired for the anonymous homepage only in this phase — navigation goes through the app router, the tour's language follows the site's locale, the theme uses the coral brand accent, and a thin, safe analytics bridge fires with no new dependency. Loaded dynamically (no SSR) so it never delays the page's first paint. Off by default: enable with NEXT_PUBLIC_GUIDED_TOUR_HOMEPAGE=1. Per-device (localStorage) persistence and the in-app, post-signup variant follow in Phase 2 (#1676).
v7.77.10
AI & automation
Justice Score™ T1: the pure scoring engine + typed model (#1665).
Added lib/justice-score, the foundation of the new Justice Score™ readiness model (epic #1664): a typed, dependency-free config for the 16 scored dimensions (grouped into 4 pillars) and their criteria, each on one of 5 axes — Completeness, Substantiation, Admissibility, Adversarial-Resilience, Procedural — plus a pure engine that renormalizes weighted dimension points to an exact 1000-point model and computes earned points per axis, dimension and pillar. This is internal engineering scaffolding only: no UI or scoring changes ship in this release. It replaces the old 7-dimension score's presence-only measurement ("did you enter the data?") with a model built to also measure strength, admissibility, ambush-resistance and procedural cleanliness — gates, bands, jurisdiction profiles and the litigant-facing dashboard land in the epic's follow-on issues.
v7.77.9
Content / legal
Internal: added regression tests for the deadline calculator and witness/deadline panels (#1633).
No user-facing change. Backfilled component-render tests for the Witnesses panel, the arm-a-deadline launcher and its confirmation modal, and the deadline calculator, plus new unit tests pinning the severity/consequence mapping the calculator's "Add to deadlines" button relies on. Also fixed stale doc comments on three existing panel test files that still claimed to be excluded from `npm test` after an earlier change had already wired them in.
v7.77.8
Payments
New: a storage meter on your billing page shows evidence storage used vs. your plan cap (#1628).
The evidence-storage usage API shipped earlier (#1602/#1603) had no UI reading it. Settings → Billing now shows a live meter: bytes used, your plan cap (or "unlimited" on paid plans), a progress bar, and a clear warning with a link to plans once you're near or over the free 5 GB allowance. Loading, sign-in, and error states are handled honestly — no placeholder numbers.
v7.77.7
Workspace & matters
Hardened access checks on witness and fact detail endpoints (defense-in-depth) (#1632).
The witness dossier, contradictions, and questions endpoints, and the fact-edit endpoint, now verify you have access to the matter before returning or changing anything — closing a gap where these detail views skipped a check their sibling list endpoints already had. Existing behaviour for authorized users is unchanged.
v7.77.6
AI & automation
Timeline: AI-generate button for the Narrative field (#1647).
The chronology's Narrative column now has the same ✨ AI-suggest button as Fact Proven: it proposes a litigant-facing, plain-language recounting of the event — deliberately distinct in register from Fact Proven's legal-significance sentence — grounded only in the fact's own source quotes. The suggestion fills the input for you to accept or edit before it saves. The AI response carries a stable request id (surfaced on the field) so a future feedback-capture feature can compare AI-drafted narrative quality against human wording.
v7.77.5
Jurisdictions
New: a universal feedback widget so you can flag anything with one tap (#1639).
Added a lightweight feedback control: thumbs up or down, an optional note, and an optional screenshot of what you're looking at. Submissions open a triaged issue for the team. Screenshots are never attached to the issue (only their size is noted) to protect the private contents of your matters. If feedback isn't configured on an edition, you get a clear message instead of a silent failure.
v7.77.4
Governance
Session preservation: full session dumps in docs/sessions/ (Founder directive).
Added a standing rule and the first session dump (2026-07-05 executive-loop session): near the context limit the agent writes a complete MD record of the conversation and everything produced to docs/sessions/, updates the Founder's record, and posts a HubSpot memo — so nothing is lost and future bugs are traceable.
v7.77.3
Evidence
Timeline wall: edit the source and validate a fact (#1645, #1646).
On the chronology/timeline you can now edit which document/exhibit + paragraph is the SOURCE behind a fact, and mark a fact VALIDATED (a reviewer stamp shown next to the derived confidence). Both persist with your other edits — the first step of the fully-editable, feedback-capturing timeline.
v7.77.2
AI & automation
Fix: the timeline "AI → fact proven" button now works and tells you why if it can't (#1649).
Hardened the AI fact-proven parser — it now handles model replies wrapped in a code fence or with a thin event label (a common failure that showed a generic "AI couldn't produce a suggestion"). When the AI genuinely can't run, the timeline now says specifically why (not configured / unavailable / access denied).
v7.77.1
Evidence
Deadlines, Exhibit Registry, and Facts panels are now live in the workspace (#1620).
Following the Witnesses panel, the Deadlines, Exhibit Registry, and Facts & Chronology tabs now render their server-backed panels (server-first, with a read-through fallback to your in-browser data and one-tap import). All four Fast-Track case-organization modules are now usable. Deadlines shows the server-armed deadlines additively above the local reminders (arming needs a rule pack, so no lossy import).
v7.76.99
Content / legal
Settlement calculator: type the amount directly (slider syncs) (#1642).
Each field in the Settlement Planner now has an editable number box on the right — type a value and the slider follows, or drag the slider and the value follows. Values are clamped to each field's range.
v7.76.98
Governance
Hotfix: control-tower agent-count test expects 7 execs (the new VP Legal Affairs).
Fixed the Founder Control Tower test that hard-coded six executive agents — it now expects seven after the VP of Legal Affairs (51002) joined the roster. Unblocks main's build.
Added a VP of Legal Affairs executive agent — doctoral-level authority over the substantive & procedural law of Québec (civil), the rest of Canada (common law) and the United States — to validate that every problem-resolution pathway shows the correct forum, deadline and procedure per jurisdiction. Distinct from Compliance's permission-gate.
Granted the CTO authority to switch the model / reasoning effort for high-complexity programming, to avoid inefficient or sub-optimal code.
v7.76.96
Jurisdictions
Witnesses panel is now live in the workspace (#1617): the witnesses tab shows your server-backed witness registry, with a safe fallback that never hides data already in your browser.
The Witnesses tab now renders the server-backed panel (dossier, contradictions, examination questions) instead of the old local-only view — reading from the server first, falling back to your existing in-browser data and offering a one-tap import so nothing is lost. This is the first of the four Fast-Track case panels to become usable; the other three follow the same pattern.
Changelog entries now record the push TIME alongside the date (Founder directive).
v7.76.95
Governance
Self-improving executive agents (#1622): each executive reflects, records lessons, and edits its own definition to get better every cycle.
The six executive-OS agents (CEO/CTO/Product/Operations/Compliance/Finance) now run a per-cycle reflection — 'what did I learn / how could I have done better' — record it to memory, and promote durable lessons into their own definition files, which the agent or the meta-agent-supervisor may edit. Seeded each with a real lesson from this session. Also gitignored stray root-level artifacts (a loose certificate + zips + session docs).
New Facts/Admissions panel wired to the /api/facts and /api/admissions server APIs — list facts (with disputed-only and issue-tag filters), add a fact, toggle a fact's disputed flag, and list/add admissions — the fourth Fast-Track case-organization module. Foundation: built and tested; mounting into the workspace tab is sequenced after the prod migration (#1532) and the data-continuity import path (#1617).
v7.76.93
Jurisdictions
Witnesses workspace panel (#1612, #70 lane): manage a matter's witnesses against the server registry.
New Witnesses panel wired to the existing /api/witnesses server API — list and add witnesses, and view a witness's dossier (admissions, contradictions, examination questions) — completing another of the Founder Fast-Track case-organization modules alongside Deadlines and the Exhibit Registry.
v7.76.92
Ops / CI / infra
CTO-direction batch 1 (#70 lane): component render tests now run in CI, and /api/facts adopts the shared route substrate.
The test runner now discovers component render tests (components/**/__tests__/*.test.tsx), so the workspace panels are covered in CI instead of manual-only (#1616).
Migrated the facts API onto the shared route-kit contract (defineRoute) — the same matter-access gate, zod validation and machine-code error envelope the witnesses API uses — replacing a hand-rolled auth check (#1613).
v7.76.91
Notifications & email
Founder Fast-Track deadlines & exhibits (#70): the deadline engine is now readable, actionable, reminder-backed, and shown — plus a server-backed Exhibit Registry panel (+100).
Added GET /api/deadlines and PATCH /api/deadlines/[id] so a matter's armed deadlines can be listed and marked met/dismissed (#1604, #1605).
The notifications cron now fires reminders on server-armed deadlines — the engine no longer only sees client-side matters, so a real filing/service/limitation deadline actually produces a reminder (#1609).
New Deadlines workspace panel: upcoming deadlines sorted soonest-first with overdue/due-soon highlighting and one-tap met/dismiss (#1606).
New Exhibit Registry panel wired to the server registry, showing authoritative R-n exhibit numbers with booking and withdrawal (#1610).
v7.75.93
Evidence
Storage-usage read API (#1602, completes #1591/#1592): a route to see how much of the 5 GB evidence allowance is used.
Added GET /api/billing/storage-usage — an auth-gated endpoint returning your evidence storage used/limit/remaining against your plan cap (free 5 GB; paid unlimited), the read side of the storage metering the upload gate already enforces.
v7.75.92
Security
Hardening — Google Drive picker key retirement (#1120): steer configuration to the non-public GOOGLE_PICKER_API_KEY and warn when the legacy public key is still in use.
Documented GOOGLE_PICKER_API_KEY (server-side, auth-gated via /api/config/drive-picker) as the canonical Drive-picker key and marked the browser-inlined NEXT_PUBLIC_GOOGLE_API_KEY deprecated.
The server now logs a one-time warning when the picker key still resolves from the public variable, so operators can migrate and delete the exposed key.
v7.75.91
Evidence
Freemium lifecycle Phase 1: dispute & matter capacity entitlements, quota enforcement, evidence-storage metering, the dispute→matter conversion route and a named conversion funnel (+100, #100)
Introduced capacity entitlements — a free tier of 25 active disputes, 1 litigation matter and 5 GB of evidence storage — resolved from your plan, with every paid plan currently unlimited.
Enforced the free-tier dispute and matter limits at the database so they hold no matter how a record is created, with a friendly upgrade prompt when you reach a limit.
Added evidence-storage metering so uploads are checked against your 5 GB free allowance before they are stored.
Exposed a one-tap route to convert a dispute into a litigation matter, and instrumented the full Dispute → Demand Letter → Escalation → Matter → Referral funnel so drop-off can be measured.
Recorded ADR-0004 clarifying that a dispute (pre-litigation intake) and a portfolio (multi-matter grouping) are distinct concepts.
v7.74.91
Payments
The Executive Operating System: named executive agents, a shared 4-C decision framework, a governed execution backbone, the Founder Control Tower, an orchestrator with bounded-autonomy guards, a durable event store and the first live operator (test-mode Stripe) (+100, #1574)
We laid the governed foundation for an AI Executive layer that lets the founder operate as Executive Chairman rather than operating CEO. Rather than build a second system, this unifies the platform's existing advisory brain, governance gates and operations signals under one structure. Six named executive agents now exist — Alexandre Roy (CEO), Priya Raman (CTO), Simone Beaulieu (Product), Marcus Chen (Operations), Geneviève Lévesque (Compliance) and David Okafor (Finance) — each carrying a 5-digit employee badge (department, human-vs-agent, serial) and each delegating to the platform's existing specialists rather than duplicating them. A shared 4-C decision framework (Capital, Control, Compounding advantage, Cognitive load) scores every initiative and recommends closure when an initiative improves none of them; anything touching a human-gated surface is escalated to the founder regardless of score. A canonical executive memory (Vision, Strategy, Policies, Decisions, Lessons, Escalation) gives every agent one source of truth.
It also introduces the execution backbone that lets agents act with bounded autonomy instead of only reasoning. Agents never touch external systems directly: they emit a structured Task that a permissioned router validates against a capability matrix and a tool registry, then routes to execute, escalate, or reject — with every step recorded on an append-only event log that feeds a live execution feed and system metrics. Low-risk reads run automatically; a medium-risk pricing change escalates to the CEO agent; a high-risk price change stops at the founder's inbox until the founder approves. Execution is quarantined behind a swappable operator port, and this release ships only a deterministic simulation operator with a full closed-loop demo — the live Stripe/GitHub/Supabase operators are a later, test-mode-first, reviewed phase.
Finally, it adds the Founder Control Tower data layer: a founder/admin-gated read API that assembles a six-panel executive view — Executive Overview, Agent Activity Map, live execution feed, Escalation Inbox (with the suggested approver), Revenue and Impact, and System Health — purely from the execution event log. A demo mode runs the in-memory simulation loop so the tower can be seen working end-to-end with no live keys. The dashboard UI itself is a later front-end phase. No runtime behaviour changes yet; this is pure library code with tests plus one gated read API, documentation and agent definitions, and is fully reversible.
This release extends the backbone with the pieces that make it operable at scale. An orchestrator drives a whole batch of proposed Tasks through the router while enforcing the bounded-autonomy guards a real multi-agent org needs: two writes to the same resource cannot both run (the second is recorded as a conflict, never silently dropped), the same Task cannot re-enter the queue (a recursion guard), and no single agent can flood the org (a per-run cap) — and every decision, including agent-state heartbeats, is an event on the same append-only log. A durable event store (a new append-only, admin-read, service-role-write table protected by row-level security, with an immutable append-only trigger) lets the Control Tower reflect real executive activity across processes rather than a single request's demo log. And the first live operator arrives — a Stripe operator behind the same swappable port — deliberately test-mode-first and fail-closed: it refuses any non-test key unless a live key is explicitly opted into, and it uses each Task's id as an idempotency key so a retry can never double-charge or double-create. It ships unit-tested against an injected fake; enabling it live is a founder decision that requires providing a Stripe test key and a payments review. All of it remains pure library code with tests plus one migration (RLS review required before merge), and stays fully reversible.
v7.73.91
Litigation
The workspace home becomes a litigation cockpit (+10, #1534)
The logged-in home now leads with what needs your attention: a time-of-day greeting summarizing your active matters, overdue deadlines and pending actions with a priority signal; a portfolio KPI row (matters, deadlines, overdue, evidence); a requires-attention panel linking each overdue matter straight to its deadlines; and one compact quick-action row. The five legal-marketplace cards moved off the main column into a slide-out ⚖ Legal services drawer behind a single navigation entry — every service remains one click away, but your litigation no longer competes with a service directory for screen space.
v7.73.81
Jurisdictions
The US edition's pricing disclaimer now cites the right regulator: the State Bar Association, not the Barreau du Québec (+5, productionBugFix)
Judge911.com's pricing page carried a disclaimer naming Québec's bar as the authority governing attorney matching — a leftover from the shared Québec copy that the brand pipeline rebrands but does not re-jurisdiction. The US edition now states, in English and Spanish, that attorney matching and any related compensation remain subject to the State Bar Association and applicable professional rules, and will not be monetized until ethics approval is complete. The Québec edition keeps its counsel-reviewed Barreau du Québec wording unchanged.
v7.73.76
Jurisdictions
The managed-campaigns operation gets its backbone: attested briefs, a review-first status machine, and flat fees the schema cannot vary (+10, existingToolUpgrade)
Phase 2 of the US advertising program now has its operational substrate. Administrators record campaign briefs from interested firms — state, budget range, goals — and no brief can exist unless the firm attests it owns its own advertising accounts and carries its own legally required disclosures: the database refuses the row otherwise. Every brief moves through a status machine that cannot skip review, every change is audited twice, and the platform's management fee is a fixed flat amount per budget range written once in code — there is no per-contact, per-case or percentage variable anywhere for a fee to vary with. Actual advertising operations — accounts, spend, creatives — remain the firm's own, external by design; nothing in this release moves money or talks to an ad network.
v7.73.66
Payments
The Trustee Practice plan opens Canada's Phase 2: flat-fee tools that structurally cannot buy visibility (+25, newStandaloneTool)
Verified Licensed Insolvency Trustees can now subscribe to a flat $249 CAD monthly practice toolkit — matter organization, document management, deadline tracking and workflow tools for their own operations. The compliance architecture is the product: the plan's entitlements cannot express advertising or marketplace visibility, the directory provably never reads anything payment-related, buying changes nothing about a listing and a listing never requires buying, and purchase is enabled account-by-account only after an administrator links the account to a verified trustee profile. Shipping this also closed a dormant gap: the professional plan's who-may-buy rule existed since its launch but was never actually consulted at checkout — now one purchase gate decides every gated plan on the live path, edition-scoped both ways, fail-closed on unresolved identity, with every denial audited.
v7.73.41
Marketplace
Avatar privacy tightened: anonymous visitors can no longer enumerate who has an account (+5, hardening)
Profile pictures are stored under file names that embed account identifiers, and the storage rule that made them publicly readable also let any anonymous client list the entire folder — effectively enumerating user ids. Reading is now scoped to each owner: your avatar still displays everywhere it did before (public image links bypass this rule by design), uploads and deletions keep their existing self-only protections, but the anonymous directory listing is gone.
v7.73.36
Security
Database security hardening lands in three self-adjusting batches: injection surfaces pinned, duplicate indexes dropped, anonymous access tightened (+5, hardening)
Three maintenance batches, each written to adjust itself to whatever still needs fixing and to change nothing that is already right: every database function gets a pinned search path (closing a classic injection surface), every foreign key gets a covering index, row-security checks are rewritten to evaluate once per query instead of once per row, redundant duplicate indexes are dropped, anonymous visitors lose the ability to execute privileged functions that no security policy actually needs them to call, and every deliberately locked table gains an explicit service-only policy so its lockdown is visible to auditors rather than implicit. Authored by the autonomous maintenance loop, adopted with sequence numbers corrected; nothing in these batches changes what any user can see or do.
v7.73.31
Ops / CI / infra
A silent database landmine is defused: fresh installations no longer halt mid-setup (+5, hardening)
One database migration contained a rule written in a form the database engine rejects, and because setup tolerates certain environments quietly, a fresh installation would stop applying changes at that point without a loud failure — leaving every later table missing. The rule is now expressed in the correct form (a partial unique index), the fix credits the autonomous reviewer that first spotted it, and a new lint runs on every commit so this entire class of mistake can never enter a migration again.
v7.73.26
Intake & onboarding
The managed-campaigns waitlist opens: a pure interest signal for Phase 2, costing nothing and committing no one (+10, existingToolUpgrade)
Law firms interested in fully managed advertising campaigns — a Phase 2 offering — can now join a waitlist from the attorney onboarding page: firm, contact, state, and the monthly budget range they would consider. The copy says precisely what joining does and does not do: it costs nothing, commits nobody, and no campaign operations exist today. Entries land in a locked table with closed vocabularies, and an administrative view aggregates demand by state and budget band — exactly the validation signal the founder's Phase 2 decision was designed to wait for.
v7.73.16
Payments
The Growth plan goes live for bankruptcy attorneys: a flat-fee, clearly labeled ad slot that can never touch the neutral directory (+10, existingToolUpgrade)
Verified bankruptcy attorneys can now put the $249-per-month Growth subscription to work: a clearly labeled advertising placement on the bankruptcy guide, capped, randomized equally among subscribers, and visually separated from everything neutral. The separation is structural, not stylistic — sponsorship lives in its own table the directory can never join, the neutral results page provably never references billing, and continuous integration scans both facts on every commit. Eligibility re-checks billing truth on every render, so a lapsed subscription stops rendering immediately; the fee never varies with contacts or cases; and the slot label plus the debt-relief-agency disclosure note are pinned by test in all three languages. An empty slot renders nothing at all.
v7.73.06
Intake & onboarding
The US bankruptcy guide and private questionnaire arrive: Chapter 7 vs 13 in plain language, with the required steps mapped (+10, existingToolUpgrade)
The US lane gains its front door: a free guide that explains Chapter 7 and Chapter 13 in general terms, walks the process from the legally required credit-counseling briefing through discharge, and states plainly what the platform never does — it never prepares, generates or files a petition or any bankruptcy document. A four-question intake runs entirely in your browser: answers are never sent or stored, urgency shapes only the general information shown (including how the automatic stay generally works), the required counseling step is surfaced on every path, and the only output is a filtered view of the bar-verified attorney directory. Official resources — the federal courts' bankruptcy basics and the Department of Justice agency lists — are linked throughout.
v7.72.96
Payments
The US bankruptcy lane opens: bar-verified attorney directory for Texas, Florida and Georgia, plus the required credit-counseling step (+25, newStandaloneTool)
Judge911 now carries an unranked directory of bankruptcy attorneys for the three launch states. Every attorney is spot-checked against their state bar's public directory before appearing; order is randomized on every view; the only filters are state, federal district, language and practice focus; and no attorney pays to appear, to appear higher, or to be recommended — where advertising ever exists it will occupy clearly separated, labeled slots, never this list. Attorneys apply through a free self-serve form with a versioned participation agreement that spells out the rules: no referral, per-lead or per-case fees in either direction, and the platform never prepares or transmits any filing. A dedicated page explains the credit-counseling briefing federal law requires before filing and routes to the official Department of Justice lists first — any local copy we hold carries per-entry provenance and its refresh date. Directory views are privacy-audited with a minimized, identity-free record kept ninety days, fail-closed: no audit, no list.
v7.72.71
Payments
Trustees can now join the directory: free self-serve application, licence verification, and a plain-language participation agreement (+10, existingToolUpgrade)
Licensed insolvency trustees now apply for their free directory listing through a self-serve form. The application requires accepting a versioned, plain-language participation agreement — no referral fees in either direction, equal unranked visibility, the trustee remains responsible for their own regulatory compliance — rendered in full, in three languages, above the checkbox, with the accepted version pinned to the exact wording shown. Every application is held as pending until an administrator confirms the licence against the OSB's public registry (the verification queue links the official search prefilled per applicant), and only then does the listing appear. Applications, verifications and rejections are all audited; the public route is rate-limited; and there is no payment step anywhere in the flow — a listing cannot be bought, by schema and by test.
v7.72.61
Intake & onboarding
The free insolvency lane opens: plain-language education, a private questionnaire, and an unranked directory of licensed trustees (+25, newStandaloneTool)
Anyone facing debt problems can now use a free section that explains, in plain language and three languages, what a licensed insolvency trustee does, how a consumer proposal differs from bankruptcy, and how the process works — general information under the platform's strict no-advice discipline. A four-question intake runs entirely in your browser: answers are never sent or stored, and the only output is a filtered view of the trustee directory. The directory itself is built the way the law demands: every trustee shown holds a verified OSB licence, the order is randomized on every view, the only filters are province, language and practice area, no one pays to appear or to appear higher — the database schema cannot even express a ranking — and you contact the trustee directly through published details, with the platform never in the conversation. Every directory view is privacy-audited with a minimized, identity-free record kept ninety days, and if that audit cannot be written the list does not render; the official OSB trustee search is offered on every path.
v7.72.36
Payments
The insolvency lane is cleared for construction: counsel checkpoints become advisory by founder decision (+2, maintenance)
The founder exercised his authority to convert the two counsel-review launch checkpoints on the insolvency lane — Canadian and American — from blockers into standing advisory agendas, and ordered the full remaining backlog built end-to-end. What does not change is everything the law itself requires: no referral fees, no pay-for-placement, no payment-coupled ranking in the Canadian lane, and the American edition's absolute refusal to prepare bankruptcy filings — those protections are statutory, enforced in code and continuous integration, and no one can waive them. Both lane specifications record the waiver in their decision logs, and the six insolvency builds it unblocks now enter the queue.
v7.72.34
Ops / CI / infra
Data residency becomes a pinned, provable attribute: per-category region, governing law, and a change pipeline that can refuse (+10, existingToolUpgrade)
Every legal file, evidence item and billing record now carries its storage region from the moment it is first written — stamped by the database itself, so no code path can forget. A new Data residency settings section shows, per category, where the data lives, which law governs it, and whether governance has frozen changes. The change pipeline is deliberately strict: re-consent to the new jurisdiction comes before any migration, every change is audited with server timestamps so the governing jurisdiction of any record is provable for any past date, an active legal hold freezes everything, and a region the infrastructure cannot physically honor is never offered — the platform refuses to let the residency claim outrun the actual bytes. All data currently resides in Canada under Canadian federal law and Québec's Law 25; additional regions arrive only with real multi-region infrastructure.
v7.72.24
AI & automation
Rate limiting learns to count across servers: distributed limiter + per-minute error dedupe (+5, hardening)
Error-report ingestion was rate-limited per server instance only, so an attacker hitting many warm instances multiplied their budget and could flood the telemetry log with garbage. Three layers now stand together: the in-process limiter stays as the always-on floor, a Redis-backed counter shared by every instance enforces the real per-IP limit as soon as the operator configures the backend (it fails open, so an outage never blocks ingestion), and the database itself collapses identical errors from the same page into a single row per minute — so even a flood that evades rate limiting by rotating addresses cannot bury real signals in duplicates. The operator action queue and the health readiness endpoint now report the distributed backend honestly: enforcement is claimed only when the backend is fully usable and actually wired to a route.
v7.72.19
Security
The Drive Picker key leaves the public bundle: served auth-gated at runtime (+5, hardening)
The Google Drive import previously inlined its Picker developer key into the JavaScript bundle every visitor downloads — signed in or not. The key now stays server-side and is handed out only to authenticated users through a dedicated config endpoint with private cache headers, so it can be rotated without a rebuild and anonymous visitors never receive it. A pinned regression test keeps it out of the bundle for good, and deployments migrate the key to a non-public environment variable at their own pace — the legacy variable keeps working as a fallback.
v7.72.14
Governance
The backlog gate becomes machine-computable: residual classes formalized in the runner spec (+2, maintenance)
The autonomous backlog runner spec now formally defines the residual classes an agent can never burn down — human gates, work transitively blocked by a human gate, founder-deferred Phase 2 items, and epic trackers — and both the selection rule and the completion gate exclude them by label. The live board was labeled to match, with the blocking authority and exact unblock action documented on every residual issue, so phase completion is now computable from labels alone and no future runner pass can mistake counsel-gated builds for executable work.
v7.72.12
Workspace & matters
The network loop closes: real outcomes now feed the learning primitive — with the matter wall intact (+10, existingToolUpgrade)
Matters can now record their resolution as a first-class outcome event, and a scheduled job turns those events into the k-anonymized cohorts the matching layer was built to learn from. The privacy guarantees hold at every layer: incomplete records are skipped rather than inferred, the aggregation proves de-identification before anything persists, the storage schema itself refuses any cohort smaller than five matters, and payment remains structurally absent from the entire loop. Turning the learned weights on inside live matching stays a deliberate, explicit activation — never a silent ranking change.
v7.72.2
Localization
Four documents everyone needs, free and fillable (+25, newStandaloneTool)
A public template library opens with the four organizational documents nearly every dispute needs: a demand letter, a dated chronology, an exhibit list, and an evidence inventory — bilingual, placeholder-driven, downloadable without an account, and carrying the informational disclaimer inside the document itself. Structure, not advice: the templates organize your own situation, and every page routes onward to the guided workflows and the case file. One invariant is enforced by test forever: this catalogue can never contain a bankruptcy-filing document.
v7.71.77
Payments
Partners wear their money relationship on their sleeve (+10, existingToolUpgrade)
Every partnership now carries an explicit money relationship, and the rules are structural: any lane that can route a person toward a legal service — clinics, community organizations, legal professionals, institutions — is permanently an unpaid, reciprocal referral relationship with a bilingual no-consideration attestation; paid affiliation exists only for promoting the self-help info products and rides the fee-splitting guard that pays zero on anything else. A new guard also encodes when a Licensed Insolvency Trustee may ever be listed: signed participation agreement AND verified OSB licence, both, no exceptions. The admin review queue tags every applicant's relationship, and a new audited admin view surfaces affiliate codes, first-touch attributions, and accrued info-product commissions.
v7.71.67
Jurisdictions
The bankruptcy carve-out now covers business filings too (+5, hardening)
The guard that keeps the US edition from ever preparing a bankruptcy filing gains the non-individual paperwork: Official Forms 201 through 207 — the business voluntary petition, declarations, schedules and statements — are now refused by form number alone, with no accompanying bankruptcy keyword needed, exactly as the individual forms already were. Four business-form asks join the blocked test set.
v7.71.62
Jurisdictions
Guides get a home jurisdiction — and Ontario gets its first (+10, existingToolUpgrade)
Every legal guide now belongs to a jurisdiction cluster, and cluster hub pages anchor them: all existing guides join the Québec cluster, and a new bilingual Ontario guide — organizing a Small Claims Court claim up to the verified $35,000 ceiling — opens the Ontario cluster. Each hub links its guides, the jurisdiction's structural facts page, and the pipeline, completing the hub-and-spoke structure across guides, answers, and jurisdiction pages.
v7.71.52
Payments
The affiliate ledger exists — and it cannot hold a forbidden commission (+5, hardening)
The affiliate program gains its persistence layer on top of the fee-splitting guard: a codes table with one server-issued code per affiliate, a first-touch attribution table, and a commissions ledger whose schema itself refuses any row that is not a self-help info product — a commission on a legal-service engagement is a database constraint violation, below any application bug. One commission per order, forgery-proof (owners read their own rows; only server-side handlers write), and a new entry link stamps affiliate attribution onto the existing telemetry with no cookies, an allow-listed locale, and no way to probe which codes exist.
v7.71.47
Payments
The Professional plan exists — and it is structurally incapable of selling influence (+25, paymentsPayoutsGate)
A fourth plan joins the catalogue: Professional, the ratified flat $249-per-month tier for verified professionals, offered on the US edition only. It buys exactly two things — clearly labeled advertising slots and practice tools — and the architecture makes anything more impossible: the routing and matching code is forbidden from reading any billing state, every subscriber pays the same flat fee, and Licensed Insolvency Trustees are excluded twice over — the purchase guard refuses them (failing closed on any unknown provider type) and the database itself rejects the row. Professionals read only their own subscription status; only the payment processor's server-side handlers can write it.
v7.71.22
Ops / CI / infra
Fix a migration-number collision on the insolvency view-audit table (+2)
The insolvency-lane view-audit migration and a separately-merged pre-qualification-signals migration had both been numbered 0117. The view-audit migration is renumbered to 0118 so the two no longer collide, restoring the migration-ordering guard. No schema change — a numbering-only fix (both tables remain unapplied, launch-gated).
v7.71.20
Localization
Court filings are validated before they leave the building (+5, #412 hardening)
The court-filing submit route now validates your selected documents against the court's e-filing profile before sending them to any provider: unsupported file formats, files over the per-file size cap, too many documents or exhibits, and missing parties or documents are all caught up front and returned as structured, per-document, bilingual errors you can act on — instead of a slow, opaque rejection from the filing provider after the fact. The route also now loads the matter through your own access rules, so a filing can only be submitted for a matter you can actually see.
v7.71.15
AI & automation
Matters carry their dispute; the portfolio rollup counts them (+5, ADR-0003 C4 wiring)
The client matter model now carries its dispute (portfolio) id, hydrated from the authoritative matters.portfolio_id column when matters load. The portfolio rollup uses it to report how many distinct disputes your open matters span — shown only once matters actually group under a shared dispute — so a multi-matter dispute reads as one, not many. This completes the ADR-0003 C4 read path; the navigation root can now regroup on the dispute id with no further plumbing.
v7.71.10
Release metadata
Changelog fix: two June 19 releases had collided on the same version number (+2)
Two distinct June 19 releases were both labelled 7.21.77 in the changelog — the search-discovery/homepage-controls release is now correctly 7.21.78, above the Keep-the-date procedural-calendar release at 7.21.77. This was purely a display/data fix in the changelog history; the live product version is unaffected and continues to advance with each deploy (the footer version is baked into the build, so it always reflects exactly what is deployed).
v7.71.8
Workspace & matters
Case-viability signals are internal only — never shown to users (+10, #1449 UPL hardening)
The AI case-structuring result no longer shows a case-viability score (riskLevel) or routing verdicts to the user — surfacing a how-strong-is-my-case signal to a self-represented person is unauthorized-practice-of-law risk. These signals remain produced, persisted, and recorded on the audit chain as an internal routing layer, but a new output guardrail strips them from the debtor-facing API response and fails closed if any ever slips through. The case summary screen drops the risk badge accordingly.
The Canadian insolvency lane gains its Law 25 privacy substrate ahead of launch: a minimized directory view-audit log (a pseudonymous session, the objective filters, and which trustees were shown — never a debtor's identity or financial-distress details), stored in a service-role-only table with a 90-day retention window, written through the tamper-evident audit chain. The marketplace's anti-disintermediation contact-guard now has an explicit, tested exception for published trustee directory listings, because this lane requires the opposite of the default — a debtor contacts a Licensed Insolvency Trustee directly using published, public coordinates. A Law 25 privacy-impact-assessment stub is included for counsel; the lane itself does not launch until that sign-off.
v7.70.98
Payments
Outcome learning that never leaves the matter wall: k-anonymized, payment-blind (+5, #1458)
Groundwork for the network loop: per-matter resolution outcomes can now become an aggregated, de-identified signal that improves objective matching (region, language, specialization) without any per-matter data crossing the matter-isolation boundary. Two guarantees are enforced in code and unit-proven: k-anonymity (a cohort is suppressed entirely unless at least five matters fall into it, so an aggregate can never be narrowed to one person) and no-identifier-crosses (a fail-closed assertion refuses to publish if any matter identifier appears in an aggregate). Matching weights read only the outcome distribution — payment cannot influence routing, extending the marketplace's payment-blind matching invariant to the learning loop. A Law 25 privacy-impact stub is included for counsel.
v7.70.93
Payments
Affiliate commissions: info-products only, fee-splitting hard-blocked in code (+5, #1455)
The affiliate program can pay a commission on exactly one thing — the self-help info products ($20/$500 document deliverables) — and on nothing else. A code-level guardrail refuses any commission tied to a lawyer, a Licensed Insolvency Trustee, or any other professional-service engagement or routed lead, because paying for that would be fee-splitting (Rule 5.4) and make the platform a referral arranger (OSB Directive 1R8) — the model that sank Avvo. It fails closed: an unrecognized engagement is treated as a legal service and pays zero. Unit tests prove a lawyer/LIT engagement yields zero commission at any amount or rate. The payout ledger + Stripe path follow, with a payments-specialist review.
v7.70.88
Payments
Professional subscription tier: buys visibility, never routing priority (+5, #1454)
Groundwork for a flat-fee professional subscription (including the ratified US $249/month Growth tier) that law firms and attorneys can buy for advertising and practice tools — and provably never for routing priority. Three compliance invariants are enforced in code and unit-proven: routing-independence (a subscription grants advertising/tools only; a match-priority entitlement is structurally impossible to grant, and the matcher takes no subscription input, so subscribed and unsubscribed firms are indistinguishable to routing), a Licensed-Insolvency-Trustee hard exclusion (trustees cannot purchase — the fee-decoupled insolvency lane / OSB 1R8 gate), and flat-fee-only pricing (never per-lead or contingent — the Rule 7.2(b)(1) line that sank Avvo). The subscription persistence + Stripe price wiring follow, with a payments-specialist review.
v7.70.83
Payments
Institution referrals: unpaid by design, no-consideration proven in code (+5, #1456)
Groundwork for modeling institution partners (legal clinics, immigrant-support and debt-counseling agencies) as explicitly paid or unpaid referral relationships. An unpaid referral must provably carry no consideration — a code-level invariant flags any unpaid relationship that has money attached and a fail-closed write guard refuses to persist one, keeping the platform off the referral-arranging / fee-splitting line (Rule 7.2(b) / OSB Directive 1R8). Every relationship carries a paid/unpaid tag and, when unpaid, a required no-consideration attestation, so an admin console can surface exactly what each partnership is. The console UI and the trustee participation-agreement / licence-verification onboarding build on this model.
v7.70.78
Intake & onboarding
Triage accuracy is now a measured number — and the measurement immediately caught two bugs (+10, existingToolUpgrade)
A 26-case bilingual golden set of realistic intake stories now scores the triage classifier on every test run, with two independent gates: a committed accuracy floor no change may regress below, and a hard zero-miss gate on the flashpoint stories — eviction and detention — where mis-routing is most costly. Building the measurement instantly paid for itself: it exposed that detention stories had no vocabulary at all, and that the English phrase bail hearing collided with the French lease keyword bail, sending an arrest story to housing. Both fixed: the classifier gains corrections, insolvency and eviction vocabularies, and detention now always wins the tie.
v7.70.68
Jurisdictions
Every jurisdiction gets a front door: 18 hub pages anchor the content clusters (+10, existingToolUpgrade)
Eighteen jurisdiction hub pages — every Canadian province and territory, the federal level, and the Texas, Florida and Georgia launch states — now assemble each place's structural facts on one page: its courts, small-claims ceiling and forum, appeal path, working languages, and how to verify a professional against the official registry. Each hub also lists every question the platform answers for that jurisdiction, forming the hub-and-spoke structure search engines reward. Everything is drawn from the platform's verified structural datasets; the editorial layer (key contacts, curated resources) is deliberately left to a tracked editorial follow-up rather than invented.
v7.70.58
Workspace & matters
What happens if…? — branching walkthroughs that end somewhere useful (+10, existingToolUpgrade)
A new page type answers the question format search engines cannot: what happens next from YOUR situation. The first walkthrough — what happens if my landlord will not do repairs — asks a few factual questions (health and safety? written demand sent? any response?) and describes the process from each branch: the accelerated TAL path, the written-demand starting point, or the application after silence. Answers never leave the browser; every ending routes to a guided workflow, a case file, or the professional directory; and the content describes process, never odds — a test proves no branch can utter a case-viability judgment.
v7.70.48
Localization
111 questions, 111 real answers: the long-tail engine goes live (+25, newStandaloneTool)
A new programmatic content engine answers the questions people actually search: what is the small-claims limit in each province, where to file, which courts hear cases and appeals, how to verify a lawyer's licence, which professional handles each practice area, and what to do about common consumer problems. Every one of the 111 pages is generated from the platform's structured bilingual data — small-claims ceilings, court structures, law-society registries, the Barreau practice-area taxonomy — never templated filler: a page exists only where real data answers it. Each page ships in French and English with search-engine FAQ markup, routes readers into the pipeline, and carries the standard informational disclaimer.
v7.70.23
Intake & onboarding
The risk score leaves the screen: analysis is educational, signals go internal (+25, legalComplianceGate)
Founder decision: showing a numeric case-risk score to the person who wrote the story constitutes legal advice. Corrected end to end — before any analysis runs, the client now explicitly acknowledges that the output is educational information offered to help organize their own situation, not legal advice, and that acknowledgment is timestamped with the request. The risk score itself no longer appears anywhere a user or provider can see: it moves, with new internal pre-qualification signals (intake completeness, duplicate detection, low-value flags, urgency routing), into a locked internal table that not even the request's owner can read. Test invariants enforce every piece: the stripped payload, the vanished badge, the gating checkbox, and the deny-all lock on the signals.
v7.69.98
Intake & onboarding
The Command Center watches the flow: a live funnel from intake to outcome (+10, existingToolUpgrade)
A new Flow tab in the founder Command Center turns the lifecycle telemetry into an ordered funnel: intake started, intake completed, directory viewed, provider contacted, outcome recorded — with per-stage conversion, drop-off, and the single biggest bottleneck called out. Counts aggregate over a 30-day window inside the existing admin-gated, audit-logged metrics endpoint; the panel itself is pure arithmetic on that aggregate. For the first time the platform answers, at a glance, where people drop between arriving with a problem and getting help.
v7.69.88
Intake & onboarding
The funnel becomes measurable: intake, directory, contact and outcome events (+10, existingToolUpgrade)
Five lifecycle events now flow through the growth-telemetry pipe: an intake run starting, an intake persisting its structured request, a provider directory being viewed, a user initiating direct contact with a provider, and a matter outcome being recorded. Each is typed in the analytics registry with a documented wire name, mirrored in the canonical taxonomy, and actually emitted from the case builder, the marketplace catalog and provider profiles. Payloads carry ids and codes only — never story text or personal details, enforced by test. This is the substrate the admin flow-monitoring panel reads next: for the first time the platform can measure where people drop between arriving and getting help.
v7.69.78
Intake & onboarding
Intake asks where and how urgent — and routing finally uses the answers (+10, existingToolUpgrade)
The case builder now captures two structured fields it never asked for: your region (edition-aware — Québec, all provinces and territories on the Canadian edition, and the Texas/Florida/Georgia launch states on the US edition) and how urgent the situation is. Until now every request was routed with an unknown region — the matcher's 25% jurisdiction weight was dead — and urgency always failed safe to critical. Both fields persist with the request, the routing criteria are disclosed in plain language right in the form, and a new eligibility library makes region a hard filter: out-of-region help is excluded, never just down-ranked, and payment can never be an input.
v7.69.68
Localization
Where do I start? — a free, private legal-issue checker (+25, newStandaloneTool)
A new public tool answers the question most visitors arrive with: where do I start? Describe your situation in your own words — in English, French, or Spanish — and the platform detects the legal topic and points to the right starting place: open a case file, browse common problems, or find a professional. The analysis runs entirely in your browser: nothing you type is sent or stored, and a test invariant enforces that promise in code. The result is deliberately information-only — it names a topic, never an opinion on your case. Every content page can now route readers here, completing the intent-capture funnel.
v7.69.43
Ops / CI / infra
Guides and research articles now route readers into the pipeline (+10, existingToolUpgrade)
Every legal guide and research publication now ends with a clear next step: open a case file to organize your situation, or find a verified professional. Previously the platform's largest indexed content bodies terminated in a disclaimer with no path forward. The call-to-action is bilingual, deliberately informational (no case-merit language — enforced by a test that also caught its own documentation during development), and instrumented so the acquisition funnel can measure content-to-intake conversion.
v7.69.33
Content / legal
Hundreds of hidden pages join the sitemap: problem workflows and the legal-domain taxonomy (+10, existingToolUpgrade)
Two programmatic page families were rendering for users but invisible to search engines: the consumer-problem workflow pages (/problems) and the Québec legal-domain taxonomy (/domaines, index and every node). Both are now enumerated into the per-language sitemaps with full hreflang alternates — edition-aware, so the US edition ships its own problem set and the domain taxonomy stays Québec-only. This is the first brick of the acquisition stack's SEO layer: intent-capture pages that already exist become discoverable.
v7.69.23
Jurisdictions
The US edition can never prepare a bankruptcy filing — enforced in code (+5, hardening)
A fail-closed carve-out now guards both document engines: on the US edition, any request that reads as a bankruptcy-filing document — petitions, Official Forms 101-199, schedules, the means test, statements of financial affairs, reaffirmation agreements, proofs of claim, creditor matrices — is refused before any work happens, in both the court-draft builder and the AI drafting capability. A test invariant also ensures neither document catalogue can ever gain a bankruptcy-filing kind unnoticed. This enforces 11 U.S.C. §110 (Bankruptcy Petition Preparer) at the edition gate: the platform educates, informs, and routes — it never prepares bankruptcy filings. Canadian editions are untouched.
v7.69.18
Marketplace
Trustees leave the marketplace: the insolvency hard gate is now enforced in code (+5, hardening)
Licensed Insolvency Trustees no longer appear anywhere in the ranked, paid marketplace: the trustee category and seed profile are removed from the provider catalogue, the paid lead-routing engine now hard-excludes trustee entities from its candidate pool, and the trustee-matching primitive was rebuilt as an unranked, eligibility-only directory listing — the payment-boost field and fit-score ranking are deleted outright. A new compliance gate turns these prohibitions into permanent test invariants: any attempt to reintroduce a payment or ranking field on a trustee surface fails CI. This enforces the Insolvency Lane specification (BIA Rules s. 49, OSB Directive 1R8) at the code level.
v7.69.13
Governance
The backlog becomes the machine: autonomous runner spec + enforced issue templates (+2, maintenance)
The execution model behind the platform's autonomous development is now a committed contract: docs/AUTONOMOUS_BACKLOG_RUNNER.md defines single-threaded full-delivery execution (select → build the whole vertical slice → validate against acceptance criteria → ship → close with evidence), a blocker protocol that re-sequences instead of stopping, and a completion gate that correctly treats founder/counsel decisions as human gates no runner may touch. New GitHub issue templates (task, blocker, human-gate) make objective, implementation details, dependencies and testable acceptance criteria mandatory on every tracked unit of work.
v7.69.11
Intake & onboarding
Insolvency Lane charted: market-separated CA/QC + US specs with hard regulatory gates (+25, legalComplianceGate)
Two Phase 1 specs land for the Bankruptcy & Insolvency pilot, deliberately separated by market. The Canada/Quebec lane is built on BIA Rules s. 49/51/52 and OSB Directive 1R8: a free, unranked Licensed Insolvency Trustee directory with debtor intake and educational content — decoupled from any paid product by founder decision, with trustee-funded advertising permanently prohibited. The US lane (judge911.com) is built on 11 U.S.C. §110: the platform will never prepare bankruptcy filings, routes debtors to attorneys and UST-approved agencies in Texas and Florida (Georgia optional), and monetizes flat-fee attorney advertising at $249/month, with managed campaigns deferred to Phase 2. Both lanes are gated on counsel sign-off before any professional-facing UX ships. A compliance-reconciled non-paid-ad acquisition stack strategy accompanies the specs.
v7.68.86
AI & automation
Dispute rollup lands on the portfolio view (+5, ADR-0003 C4 read core)
The portfolio view gains a cross-matter rollup strip — matters, open and overdue deadlines, documents, and open required resolution steps summed across the matters it shows — from a pure, unit-tested aggregation. This is the read-path core of ADR-0003 C4; the full per-dispute navigation-root grouping additionally needs the client matter model to carry its dispute id round-tripped through sync, which is pure wiring on top of this logic.
v7.68.81
Workspace & matters
New matters are always born inside a dispute (+5, ADR-0003 C3)
The matter-sync path now dual-writes: creating a new matter auto-creates its wrapping dispute (portfolio) and links it in the same request, so no matter can land with a null dispute — an invisible change for the single-matter flow. Existing matters keep whatever dispute they already have; a failed dispute create fails the whole sync loudly so no orphan matter is written. Once the C2 backfill has run, no matter anywhere lacks a dispute, clearing the path for the not-null finale.
v7.68.76
Workspace & matters
Dispute backfill tool: wrap every matter, idempotently and dry-run-first (+5, ADR-0003 C2)
The 1:1 backfill that wraps every existing matter in a dispute lands as an operator-run script — dry-run by default, idempotent (already-wrapped matters produce no work), batched, inheriting the matter's owner, organization and title, and stamping auto-created disputes so they stay reversible before the not-null finale. It asserts the ADR acceptance (zero unwrapped matters remain) after applying. The pure planning logic is unit-tested.
v7.68.71
Intake & onboarding
Dispute-as-parent lands on the portfolio substrate (+10, ADR-0003 C1)
The dispute parent entity from ADR-0003 is built additively on the existing portfolio table (option a — the Judge911 disputes intake object keeps its opposite meaning): a lifecycle status with a legal-hold state, an organization link and a problem-cluster tag join it, portfolio reads now derive downward so a matter collaborator sees the wrapping dispute (reusing the matter-access function unmodified), and a legal hold on the dispute cascades to block every child matter's lifecycle transition at the database. Seven-case access matrix and migration invariants ship with it.
v7.68.61
Workspace & matters
Matter-share allowlist becomes the sole subset wall — self-verifying array drop (+5, ADR-0001 finale)
Migration 0115 completes the zero-leak allowlist migration: the legacy uuid[]-array predicate is dropped from the document, exhibit and evidence SELECT policies so the FK-integrity allowlist tables are the only subset-share wall. The drop is self-verifying — an in-transaction guard asserts every active subset grant is covered by an unrevoked allowlist row and raises fail-closed on any gap, so it needs no manual staging-parity check and can never silently change access. The array predicate function and columns are left in place, keeping the migration reversible.
v7.68.56
Ops / CI / infra
Playwright smoke green again — CI-artifact 503s no longer read as app errors (+5 fix, #1406)
The fleet-wide smoke failure is resolved at its true root: the CI env has no Supabase or CDN, so the app's own API routes correctly answer 503 (backend disabled) and some assets 404 — network resource-load failures the integrity test was mistaking for application runtime errors. The test now filters those network loads while still failing on real JS exceptions and any error page in the body; CI also boots the production server (memory-stable) rather than the dev server whose watchdog restarted mid-sweep.
v7.68.51
AI & automation
Rate-limit supervisor: the autonomous loop survives a 429 unattended (+10)
A resilience supervisor wraps any command — the headless agent, a deploy — and, when its output carries the transient "Server is temporarily limiting requests · Rate limited" 429 (the one that fires on a model switch), plus 529/overloaded/connection resets, re-establishes and re-runs it after an honored-Retry-After or exponential backoff. Genuine build/test failures are never masked; they surface immediately. Pure detection and backoff logic is unit-tested; a companion GitHub workflow to run it unattended is provided for a human to apply (the agent token cannot push workflow files).
v7.68.41
Localization
Full-day session record: four issues closed, two ADR programs executed (+1 docs)
SESSION_20260702_full-day.md captures the day end to end — the four closures, the decision sprint and both ADR programs, the Spanish lane, the production incident, the versioning reconciliation, and the complete who-moves-what map for the remaining twenty-two issues.
v7.68.40
Localization
Portfolio findings speak Spanish — the authored-content lane closes its list (+1 copy)
All eight cross-matter finding templates — shared parties, common counsel, shared witnesses, overdue clusters, deadline collisions, heavy weeks, same-forum matters and portfolio load — are authored in Spanish, titles and details with their live interpolations intact. Every named surface in the Spanish content lane is now authored: catalog, pipelines, pathways, steps, details, readiness, escalation and portfolio intelligence.
v7.68.39
Localization
Portfolio findings gain their Spanish seam (+1 copy)
Cross-matter axis findings gain the Spanish title field and the portfolio board now resolves finding titles through the trilingual seam — one more raw ternary eliminated — so the nine generated finding templates can be authored in Spanish next with zero further wiring.
v7.68.38
Localization
Pathway step details complete the Spanish resolution experience (+1 copy)
All fourteen category-specific step details — regulator filings with their deadlines, union grievance windows, CNESST limits, administrative tribunal challenges, warranty claims, offender grievance levels, Parole Board submissions and Federal Court review — are authored in Spanish. Every pathway, step, label and detail across the resolution system now renders natively for Spanish-speaking citizens.
v7.68.37
Localization
Every pathway step label speaks Spanish (+1 copy)
The fourteen category-specific step labels — internal escalation, regulators (consumer, labour, financial), conciliation, union grievances, administrative tribunals, review committees, warranty recourse, settlement drafts, offender grievances, the Parole Board and judicial review — are authored in Spanish, completing Spanish labels for every step in all twelve resolution pathways. (Also corrects the prior entry's sizing note: it was a one-point release.)
v7.68.36
Localization
Service pipelines track in Spanish (+2 maintenance)
All nine service milestone pipelines — from document validation through swearing, service attempts, translation, expert reports, consultations, printing, transcription and notarization to final delivery — are authored in Spanish, and the pipeline snapshot function now resolves labels through the trilingual seam so Spanish order tracking is live end to end.
v7.68.35
Localization
The escalation ladder speaks Spanish (+1 copy)
All five escalation routes — claim, supervisor follow-up, management or regulator, ombudsman, and mediation — are authored in Spanish and render instantly on the lifecycle board through the existing pick seam.
v7.68.34
Localization
The litigation readiness checklist speaks Spanish (+1 copy)
All seven readiness checks — dispute type identified, initial complaint sent, required steps completed, waiting periods expired, evidence preserved, chronology built, settlement attempts logged — are authored in Spanish and render immediately through the existing pick seam on the resolution board.
v7.68.33
Localization
Detail texts carry Spanish through every pick site (+1 copy)
The three step-detail render sites — the resolution pathway board, the public pathway cards and the portfolio axis findings — now pass the Spanish detail field through the pick seam, so the freshly authored step details render for Spanish readers, and the axis-findings registry gains its Spanish authoring seam.
v7.68.32
Localization
Spanish reaches the resolution pathway steps (+1 copy)
The three shared resolution steps every pathway builds on — the direct complaint (including its per-organization template), the formal demand letter with its Civil Code citation, and the litigation-readiness check — are authored in Spanish, labels and full details, flowing through the data seam to every one of the twelve pathways at once.
v7.68.31
Localization
Spanish pricing tiers finish the marketplace catalog (+1 copy)
All thirteen pricing-tier labels across the nine marketplace services are authored in Spanish — standard, same-day and urgent affidavits, personal and corporate service, quotes, referrals, binders and colour exhibits — completing native Spanish coverage of the catalog's names, descriptions and tiers.
v7.68.30
Localization
Spanish marketplace descriptions complete the catalog (+1 copy)
All nine operations-marketplace service descriptions are authored in Spanish — commissioning a bailiff, certified translation, expert reports, lawyer matching, binder printing, transcription, notarization, swearing and process serving — so Spanish-speaking citizens read the full catalog natively through the data seam.
v7.68.29
Localization
Spanish reaches the marketplace catalog (+1 copy)
All nine operations-marketplace service names — affidavit swearing, service of documents, certified translation, expert reports, lawyer consultation, printing and binding, court transcription, notarization, and process serving — are authored in Spanish, flowing through the pickText seam with zero component changes. The catalog interfaces gain the optional Spanish fields for descriptions and tier labels to follow.
v7.68.28
Localization
i18n chunk 66 (+1 copy): the last extractable strings are gone (#1097)
The final four stragglers fall: the footer's emergency notice becomes a dictionary key (its hand-written Spanish preserved), and the three Intl locale-tag picks route through a new localeTag helper that finally gives Spanish real Spanish number, date and speech formatting instead of English. The extraction codemod now skips Intl tags by design. Every extractable hardcoded string in the codebase has been migrated: baseline 262, all residue being data picks, derivations and helper routing the seam handles.
v7.68.27
Security
The arm-deadline confirmation modal completes ADR-0004 (+10, C3 UI)
The workspace deadlines tab gains the confirmation modal: pick a published rule pack (drafts are invisible by row-level security, not by trust), supply the trigger date, see the computed due date with the controlling citation and the advisory disclaimer, and only your explicit confirmation arms it — the database refuses anything else. Bilingual throughout.
v7.68.17
Notifications & email
Recompute wired end to end: a superseding publish now moves pinned deadlines (+5, ADR-0004)
The recompute job gains its production adapters: the Supabase store, an outbox notifier that enqueues one idempotent email per affected deadline (old date, new date or reconfirm prompt, and the controlling citation — nothing more), and the publish route now runs the job automatically when a published pack supersedes another, returning the recompute summary in its response. The feature flag still governs: disabled means deadlines freeze at their pinned versions.
v7.68.12
Jurisdictions
Seed pack drafts complete the ADR-0004 decomposition (+5, C5)
Two Québec seed packs land as drafts — the C.p.c. procedural trio and two civil-code prescription anchors — restating legal content already shipped elsewhere on the platform in the JSONB rule schema, validated by the same gate the publish route enforces, every rule advisory and keyed to the single disclaimer. Publication waits on founder review and the Memo A1 disclaimer answer, exactly as the ADR requires.
v7.68.7
Jurisdictions
Publish and arm routes: humans publish, users confirm (+10, ADR-0004 C3 server side)
The two API routes completing the rule-pack loop: publishing requires the platform-ops capability (agents may submit drafts, which stay invisible; every publish emits its audit event and citation is mandatory), and arming rides the caller's own session so the database itself enforces matter access and self-confirmation — no service-role path can arm a deadline. The response echoes the computed date, citation and disclaimer key so the interface renders exactly what was armed.
v7.67.97
Jurisdictions
Deadline recompute job: append-only, idempotent, never silent (+10, ADR-0004 C4)
When a rule pack is superseded, armed deadlines pinned to the old version recompute under the new rules: successors inherit the original human confirmation (recomputation is the one automatic act — arming never is), the prior row is marked superseded in an append-only chain, replaying the job produces zero duplicates, removed rules flag needs-reconfirm with a user prompt instead of silent dropping, and the whole job is feature-flagged so disabling it freezes deadlines at their pinned versions. Notices carry old and new dates plus the controlling citation — and nothing more, per the UPL boundary.
v7.67.87
Workspace & matters
ADR-0004 lands its foundation: versioned rule packs and human-confirmed deadlines (+10, C1+C2)
Deadline rule packs become versioned database rows — drafts invisible, published rows public reference data, corrections always a new version — and armed deadlines require a human confirmation structurally: confirmed_at and confirmed_by carry no defaults, inserts demand the confirming user themselves, and the matter wall applies unmodified. The pure compute engine ships alongside with calendar/business-day arithmetic on UTC dates, proven against leap-year, DST-week and weekend-rollover edges.
v7.67.77
Localization
First Spanish authored into the data seam: resolution pathway names (+1, #1097)
The pathway registry gains the optional Spanish fields the pickText seam was built for, and all twelve citizen-facing pathway names (banking, housing, employment, consumer, insurance, government, professional discipline, construction, contracts, family, federal detention, other) are authored in Spanish — the first data-carried es content to flow through the seam with zero component changes.
v7.67.76
Governance
Reviewable deadline packs: the format lands, structurally inert until counsel signs (+5, #460)
Jurisdiction deadline rules gain a pack format with review provenance: a pack contributes zero rules until both counsel identity and timestamp are recorded, enforced by a launch-gate test over the registry — content becomes data counsel reviews, never code. The Québec pilot pack restates the shipped C.p.c. registry in the new form and ships inert, awaiting the attestation from the unlock table.
v7.67.71
Payments
Free-tier dispute quota enforced at the database (+10, epic #100 Phase 1 slice)
The Citizen Access tier's 25-active-disputes limit is now real: a database trigger counts non-terminal disputes at insert (resolved, abandoned and converted disputes free their slot) and refuses the 26th with an upgrade hint — the epic's first conversion point. The case builder translates the refusal into friendly bilingual copy, and the limit lives in a single function so paid entitlements replace one constant when billing lands.
v7.67.61
Security
Crypto-shredding flow completes the ADR-0002 decomposition (+5, child 3)
The shred flow lands: destroying a matter's KEK ciphertext renders every document key beneath it permanently unrecoverable, with refusal under an active legal hold surfaced as a typed outcome — including a hold raced in between the check and the write, where the 0112 database trigger remains the wall. All three ADR-0002 children are now on main; live execution begins the moment the root key ARN enters the environment.
v7.67.56
Workspace & matters
Matter KEKs land with legal-hold-blocked shredding (+5, ADR-0002 child 2)
Migration 0112 adds the matter-KEK tier of the envelope hierarchy: each matter's key-encryption key is stored as ciphertext only (wrapped by the ca-central-1 root), the table is service-role-only, and crypto-shredding — row deletion, ciphertext clearing, or stamping — is refused by a database trigger while an unreleased legal hold exists on the matter. Matters carrying a KEK cannot be deleted out from under it.
v7.67.51
Workspace & matters
Share creation dual-writes the allowlist (+5, ADR-0001 child 4)
Both share-creation paths — the workspace client and the attorney share API — now write FK-integrity allowlist rows alongside the legacy arrays, failing loudly if the allowlist write fails so a half-created share can never exist. A drift guard pins the dual-write at both sites until the post-parity array drop.
v7.67.46
Marketplace
AWS KMS key provider lands behind the envelope port (+5, ADR-0002 child 1)
The production KeyProvider arrives: a ca-central-1 AWS KMS adapter for the existing envelope-encryption port, with the consent gate enforced before any network call (no grant, no KMS request), per-operation CloudTrail attribution via the full key ARN as kekId, bound encryption context, and env-driven selection — the LocalKeyProvider remains for dev. Activates the moment AWS_KMS_KEY_ARN lands in the environment; crypto-shredding becomes an act we perform, not our database vendor.
v7.67.41
Workspace & matters
Matter-share allowlist lands (+5 hardening, ADR-0001 children 1 and 3)
Migration 0111 upgrades subset-share storage to FK-integrity allowlist tables with per-document revocation, owner-scoped management policies, and a dangling-id-dropping backfill — deployed additively per the zero-leak order, with the 0057 array wall still live until staging parity. The seven-case access matrix and the migration's structural invariants join the security test suite; both tables are registered in the RLS audit registry.
v7.67.36
Workspace & matters
Two accepted ADRs: the share-allowlist hardening and the KMS key hierarchy
The design session's Now-block lands as formal architecture decision records: ADR-0001 upgrades the verified matter-share subset wall to an FK-integrity allowlist table with a zero-leak migration order and a seven-case SQL test matrix, and ADR-0002 fixes root-key custody at AWS KMS ca-central-1 with matter-level KEKs, legal-hold-blocked shredding, and the CLOUD Act exposure stated plainly with a priced sovereign exit. Both append loop-ready child decompositions.
A founder-called design session lands as docs/decisions/design-session-2026-07-02.md: lifecycle backfill (#98), the dispute-to-matter conversion funnel (#100), reviewable deadline packs (#460), the double-entry trust ledger and milestone state machine (#465, design only), the Capacitor mobile architecture (#471/#473/#476), rate-limiting/KMS ports (#488) and the fail-closed quarantine upload path (#474). Security appendix: the matter_shares subset wall is re-verified intact across all later migrations with the 348-test harness green, and the redaction hardening is signed off.
v7.67.34
Localization
i18n chunk 64 (+2 maintenance): locale derivations and pick helpers route through the trilingual module (#1097)
Hand-rolled locale-derivation chains collapse into resolveTrilingual, and the per-tab pick helpers in seven workspace surfaces (archive, remedies, enforcement, recovery, asset intel, judgment, moot) now delegate to pickText — upgrading every one of their call sites to prefer Spanish the moment data is authored. Baseline: 277 → 266, irreversibly. (Rebased past the marketplace build-spec release.)
v7.67.32
Marketplace
Licensed Insolvency Trustee marketplace build spec and CI gate repairs
New v1 build spec for the Licensed Insolvency Trustee marketplace (docs/lit-marketplace-spec-v1.md): generic provider data model, OSB registry import, FR/EN public directory, profile claim flow, consumer intake and CaseEvent integration — pending human sign-off (P1).
The "US auto-deadlines are disabled" release blocker now follows the i18n refactor: it checks the disclaimer dictionary key in the component and the wording commitment in dictionaries/en.ts instead of a hardcoded sentence that no longer lives in the component.
React list keys are passed directly (key=) instead of being spread from an object — the React 19 console warning failed the platform-integrity test on /fr.
The Playwright dev server gets a 4 GB heap: its memory watchdog restarted it mid-suite, surfacing transient 503 errors on /fr/app and /en/app.
v7.67.31
Localization
i18n chunk 63 (+1 copy): the last page literals join a shared section (#1097)
The final single-string pages — notary compliance, partnerships disclaimer, and the notifications, referrals and investigator titles — share one pageMisc dictionary section, and the jurisdictions currency formatter derives its locale tag instead of hardcoding it. Every app-router page is now free of extractable hardcoded ternaries. Baseline: 282 → 277, irreversibly.
v7.67.30
Localization
i18n chunk 62 (+1 copy): litigation ops, extraction review, investigation and the shell shed their residues (#1097)
Service names and tiers in litigation ops flow through pickText, bulk accept/reject and investigation fact messages become parameterized keys, and the workspace shell's tab label maps pick by real locale. Baseline: 296 → 282, irreversibly.
v7.67.29
Localization
i18n chunk 61 (+1 copy): resolution, communications and intake residues become keys and picks (#1097)
Resolution's pathway notices and valuation percentages become parameterized keys, communications' kind and classification metadata flow through pickText, and document intake's taxonomy labels receive the real locale — Communications is now fully clear. Baseline: 317 → 296, irreversibly.
v7.67.28
Localization
i18n chunk 60 (+1 copy): the evidence vault's last hardcoded strings become parameterized keys (#1097)
Evidence's residual strings convert: import notices become parameterized dictionary keys ({n}, {path}, {name}), chain-of-custody options and organize summaries flow through pickText, and the file viewer plus taxonomy labels now receive the real locale — so Spanish reaches them without any further code change. Baseline: 327 → 317, irreversibly.
v7.67.27
Localization
i18n chunk 59 (+2 maintenance): marketplace data picks flow through the Spanish seam (#1097)
The marketplace area page (23 sites), mediation (11), the marketplace index (11) and the communications log (3) route their data-carried bilingual text through pickText/pickList, so every provider profile, credential list, endorsement and day label prefers a Spanish field the moment one is authored. Baseline: 375 → 327, irreversibly.
v7.67.26
Localization
i18n chunk 58 (+1 copy): eight small surfaces speak every locale (#1097)
Password-reset and class-actions pages, the data-safety banner, service order list, intake button, expert search results, expert dashboard and the auth session gate migrate their remaining literals (2–3 each) to dictionary keys, several merging into existing sections. Baseline: 392 → 375, irreversibly.
v7.67.25
Localization
i18n chunk 57 (+1 copy): four admin pages, new-dispute, login and partners speak every locale (#1097)
Seven pages migrate to dictionary keys (3 each): the commissioners, experts, partnerships and professionals admin pages, the new-dispute intake, the login page (including its magic-link error helper) and the partners page. Baseline: 413 → 392, irreversibly.
v7.67.24
Localization
i18n chunk 56 (+1 copy): changelog explorer, guides, early access, domain filter and dev banner speak every locale (#1097)
Five more surfaces migrate to dictionary keys: the changelog explorer (2), guide article pages (3), the early-access form (4), the marketplace legal-domain filter (4, including its hand-written Spanish) and the workspace dev-phase banner (4). Baseline: 430 → 413, irreversibly.
v7.67.23
Localization
i18n chunk 55 (+1 copy): all eight settings pages speak every locale (#1097)
The chrome of every settings page — activity, billing, email, preferences, profile, security, support access and workspace (4 keys each) — migrates to dictionary sections, completing the settings surface: panels were migrated in earlier chunks, and now their host pages follow. Baseline: 462 → 430, irreversibly.
v7.67.22
Localization
i18n chunk 54 (+1 copy): expert dashboard widgets and support indicator speak every locale; dead waitlist form removed (#1097)
Incoming requests (5 keys), expert analytics (4), the support-access indicator (4), verification badges (5, threaded through both the card grid and the profile) and the expert card (1) migrate to dictionary keys; the unreferenced WaitlistForm is deleted. Baseline: 486 → 462, irreversibly.
v7.67.21
Localization
i18n chunk 53 (+1 copy): admin content, commissioner, invite-accept and legal-aid pages speak every locale (#1097)
Four more pages migrate to dictionary keys: admin content (5), the commissioner workspace page (4), workspace invite acceptance (5) and marketplace legal aid (5). Baseline: 506 → 486, irreversibly.
v7.67.20
Localization
i18n chunk 52 (+1 copy): the workflow stepper, campaigns and experts index speak every locale (#1097)
The workspace workflow stepper (5 keys), the admin campaigns page (5) and the experts index page (5) migrate to dictionary keys. Baseline: 521 → 506, irreversibly.
v7.67.19
Localization
i18n chunk 51 (+1 copy): research articles, the press page and the admin command center speak every locale (#1097)
The research article page (8 keys), the press page's remaining strings (6) and the admin command center (6, merged into its existing command section) migrate to dictionary keys. Baseline: 541 → 521, irreversibly.
v7.67.18
Localization
i18n chunk 50 (+1 copy): notify-me, invite acceptance, expert editors and guides speak every locale (#1097)
Five more surfaces migrate to dictionary keys: the notify-me form (6), the invite-acceptance panel (5), the expert profile editor (6) and qualification config (6, both threaded through the expert dashboard), and the guides page (6). Baseline: 570 → 541, irreversibly.
v7.67.17
Localization
i18n chunk 49 (+1 copy): share acceptance, editorial queue, research library, platform guide and next steps speak every locale (#1097)
Five more surfaces migrate to dictionary keys: share acceptance (8), the editorial queue (6), the research library (6), the support platform guide (8) and the workspace next-step panel (8). Baseline: 606 → 570, irreversibly.
v7.67.16
Localization
i18n chunk 48 (+1 copy): incident, approvals, admin research and pathway cards speak every locale (#1097)
The incident page (8 keys), the admin approvals page (8), the admin research console (9) and the resolution-pathway cards (4) migrate to dictionary keys. Baseline: 637 → 606, irreversibly.
v7.67.15
Localization
i18n chunk 47 (+1 copy): expert intake and three admin queues speak every locale (#1097)
The expert intake flow (8 keys, threaded through the profile and button chain), the professional verification queue (10), the commissioner admin panel (9) and the partnership review queue (9, nested into its existing partnerships content) migrate to dictionary keys. Baseline: 673 → 637, irreversibly.
v7.67.14
Governance
Release-point reconciliation: five under-counted releases restored (+19)
An external review (Devin) correctly flagged that recent releases were uniformly bumped +1 regardless of class, against the VERSIONING_MASTER_PLAN release-points scheme. Reconciliation per the 7.65.22 precedent: the durable approval gate (7.66.86) and the log-redaction hardening (7.66.89) were production-fix/guardrail work worth +5 each, the pdfjs viewer (7.66.92) an existing-tool upgrade worth +10, and the CodeRabbit config (7.66.87) and pickText refactor (7.66.95) low-risk maintenance worth +2 each — a +19 deficit, carried across the release boundary to 7.67.14. Future bumps are sized from the table at PR time.
v7.66.95
Localization
i18n chunk 46: data-carried text gains a Spanish seam (#1097)
A pickText helper joins the trilingual module: data objects (pathway registries, lifecycle proposals, intake taxonomies) now resolve their fr/en text through one seam that prefers a Spanish field the moment it is authored, instead of hard-wiring French-or-English ternaries. Thirty-nine pick sites across Resolution, Evidence, Lifecycle, DocumentIntake and Investigation converted; array-valued and optional-field shapes deliberately left explicit. Baseline: 717 → 673, irreversibly.
v7.66.94
Payments
i18n chunk 45: password reset, support access and quote payment speak every locale (#1097)
The password-reset form (10 keys, fully cleared), the support-access settings panel (9) and the quote payment button (8) migrate to dictionary sections threaded from their pages. Baseline: 745 → 717, irreversibly.
v7.66.93
Localization
i18n chunk 44: become-an-expert, research and service-pay pages speak every locale (#1097)
Three more public pages migrate to dictionary sections: become-an-expert (9 keys), the research index (9) and the service payment page (7). Baseline: 771 → 745, irreversibly.
v7.66.92
Evidence
Evidence PDFs render as scrollable canvases on every device (#477)
The evidence PDF preview moves from an iframe — which iOS Safari flattens to a single non-scrollable page — to a pdfjs-dist canvas renderer with lazy page rasterization: placeholders sized from the document's real geometry render only as they approach the viewport. The library loads on demand (never in the main bundle) and any parse failure falls back to the old iframe, so no document becomes unviewable. Source guards pin all three properties.
v7.66.91
Payments
i18n chunk 43: conflict pathway, quote requests and billing speak every locale (#1097)
The conflict-resolution pathway strip (6 keys), the quote-request button (10, fully cleared) and the billing settings panel (9) migrate to dictionary sections threaded from their pages and the service funnel. Baseline: 797 → 771, irreversibly.
v7.66.90
Localization
i18n chunk 42: expert application speaks every locale; dead attorney workspace removed (#1097)
The become-an-expert application form (14 keys) splits into a server page and a dictionary-fed client form, and the unreferenced AttorneyWorkspace component (12 stale ternaries) is deleted outright. Baseline: 823 → 797, irreversibly.
v7.66.89
Content / legal
Sanitized developer logs now scrub SINs, phone numbers and IP addresses (#155)
The G37 log-redaction guardrail is hardened beyond emails and secret tokens: Canadian SINs in separator form, NANP and E.164 phone numbers, and strict-octet IPv4 addresses are scrubbed, while court file numbers, version strings and bare digit runs deliberately pass through untouched — precision chosen over false positives, with a fixture suite proving both directions.
v7.66.88
Intake & onboarding
Triage briefs for the 37 held-back sub-tasks (#541)
The 37 epic sub-tasks the autonomous run deliberately held back are triaged into five dispositions (docs/decisions/541-triage-briefs-2026-07-02.md): five promotable today, six needing one counsel attestation each, seventeen parked behind the single mobile go/no-go stack decision, four behind other vendor decisions, and five correctly kept held. The founder session script is three steps.
v7.66.87
Ops / CI / infra
CodeRabbit auto-reviews disabled — CI signal is ours again (#1256)
The CodeRabbit app's exhausted prepaid credits were failing its status check on every human-authored pull request — a billing state, not a code finding. Per the founder decision sprint, automatic reviews are disabled via .coderabbit.yaml; the repository's own gate suite remains the authoritative merge signal.
v7.66.86
Governance
The human-approval gate survives serverless (#1200)
Control-plane approvals are now durable: pending gates are mirrored to a service-role-only Postgres table (migration 0110), so a Slack approval landing on a different serverless instance settles the row and the waiting instance picks it up by polling. Same-instance approvals still resolve instantly, timed-out gates mark their row expired, and the gate degrades gracefully to in-memory behavior when the backend is not configured.
v7.66.85
Security
Founder decision sprint packet — 12 gated issues, one session
A one-page decision packet (docs/decisions/founder-decision-sprint-2026-07-02.md) maps every founder/counsel-gated issue to the exact decision needed, the options, a recommendation and the cost of delay — ordered by revenue leverage (payouts, deployment constraints, storage tier, launch gates, ops hygiene). Clearing it unblocks two same-day security fixes, the crypto epics and the payout rail.
v7.66.84
Localization
i18n chunk 41: incident hub, expert filters, Google import and approvals speak every locale (#1097)
The incident hub (9 keys), expert search filters (13), the Google provider import panel (11) and the admin approvals queue (9) migrate to top-level dictionary sections threaded from their pages. Baseline: 865 → 823, irreversibly.
v7.66.83
Localization
i18n chunk 40: profile, preferences and change-email settings speak every locale (#1097)
Three more settings panels — profile (14 keys), interface preferences (13) and change-email (13) — migrate to top-level dictionary sections threaded from their pages, each file fully cleared of hardcoded ternaries. Baseline: 906 → 865, irreversibly.
v7.66.82
Payments
i18n chunk 39: the service funnel and checkout button speak every locale (#1097)
The shared service funnel (9 keys — it now resolves the dictionary server-side) and the checkout button (13, fully cleared) migrate to dictionary sections. Baseline: 930 → 906, irreversibly.
v7.66.81
Localization
i18n chunk 38: referrals, the admin marketplace and the header speak every locale (#1097)
The referral panel (16 keys), the admin marketplace console (16, merged into its existing marketOps section) and the site header (10) migrate to dictionary keys. Baseline: 977 → 930, irreversibly.
v7.66.80
Localization
i18n chunk 37: expert profiles, provider selection and the activity feed speak every locale (#1097)
The public expert profile (12 keys), the marketplace provider-selection step (14 — the server component now resolves its own dictionary slice) and the account activity feed (17, fully cleared) migrate to dictionary sections. Baseline: 1,020 → 977, irreversibly.
v7.66.79
Localization
i18n chunk 36: the marketplace pages' remaining literals move to the dictionary (#1097)
The marketplace area page gains a dictionary section (8 keys) and the marketplace index's newer strings join its existing section (7 keys, with their hand-written Spanish preserved in the es partial). What remains in these two pages is data-driven bilingual content whose fix is Spanish fields on the data itself. Baseline: 1,035 → 1,020, irreversibly.
v7.66.78
Localization
i18n chunk 35: the content engine, research submissions and workspace members speak every locale (#1097)
The admin content engine (18 keys), the research submission form (16) and the workspace members panel (17) migrate to top-level dictionary sections threaded from their pages. Baseline: 1,086 → 1,035, irreversibly.
v7.66.77
Localization
i18n chunk 34: attorney onboarding, keep-the-date and the settlement planner speak every locale (#1097)
Attorney onboarding (21 keys), the keep-the-date deadline panel (17) and the settlement planner (18) migrate to dictionary sections; currency formatting stays locale-derived rather than dictionary-driven. Baseline: 1,143 → 1,086, irreversibly.
v7.66.76
Localization
i18n chunk 33: the case builder, press and partner forms speak every locale (#1097)
The Judge911 case builder (30 keys) and the press and partner contact forms (20 each) migrate to top-level dictionary sections threaded from their pages. Baseline: 1,214 → 1,143, irreversibly.
v7.66.75
Localization
i18n chunk 32: the settings panels speak every locale (#1097)
Three settings panels migrate to top-level dictionary sections threaded from their pages: notification preferences (28 keys), security and two-factor (24), and the workspace danger zone (18, forwarded through the members panel). One file fully cleared of hardcoded ternaries. Baseline: 1,288 → 1,214, irreversibly.
v7.66.74
Localization
i18n chunk 31: recovery, remedies, event journal and filing readiness speak every locale (#1097)
Four more workspace tabs migrate to nested app-dictionary sections: recovery (19 keys — ledger, distribution), remedies (21 — assessment, pursuits), the event journal (18) and filing readiness (21 — checklist rows). Baseline: 1,371 → 1,288, irreversibly.
v7.66.73
Localization
i18n chunk 30: command center, moot court, enforcement and commitments speak every locale (#1097)
Four workspace tabs migrate to nested app-dictionary sections: the command center (32 keys — deadline statuses, readiness), moot-court practice (34 — stages, scorecard), enforcement (30 — measures, collectability) and commitments (26). Baseline: 1,495 → 1,371, irreversibly.
v7.66.72
Localization
i18n chunk 29: the investigation tab speaks every locale (#1097)
The investigation tab (75 keys — leads, hypotheses, evidence links, field forms, metrics) migrates to a nested app-dictionary section, gaining the dictionary prop it never had, threaded from the workspace. Baseline: 1,575 → 1,495, irreversibly.
v7.66.71
Localization
i18n chunk 28: the justice home dashboard speaks every locale (#1097)
The justice home dashboard (89 keys — matter list, action cards, ask-a-question flow, quick links, metrics), the citizen's landing surface inside the app, migrates to a nested app-dictionary section; one hand-written Spanish string is preserved via the es partial. Baseline: 1,671 → 1,575, irreversibly.
v7.66.70
Localization
i18n chunk 27: the resolution module speaks every locale (#1097)
The resolution-first module (65 keys — settlement valuation, negotiation ledger, and the litigation gate that asks parties to try resolving first) migrates to a nested app-dictionary section. Baseline: 1,737 → 1,671, irreversibly.
v7.66.69
Localization
i18n chunk 26: the workspace shell speaks every locale (#1097)
The matter workspace shell (90 keys — tab chrome, account gate, system readiness, settings, exhibits, overview panels) migrates to a nested app-dictionary section, including one hand-written Spanish string preserved via the es partial. Baseline: 1,832 → 1,737, irreversibly.
v7.66.68
Localization
i18n chunk 25: the war room speaks every locale (#1097)
The war room (93 keys — strategy board, jurisprudence citations with verification badges, binder assembly, metrics) migrates to a nested app-dictionary section. Baseline: 1,937 → 1,832, irreversibly.
v7.66.67
Localization
i18n chunk 24: the evidence vault speaks every locale (#1097)
The evidence vault (91 keys — upload flow, document table, drawer, menus, cloud-failure notices) migrates to a nested app-dictionary section. Baseline: 2,039 → 1,937, irreversibly.
v7.66.66
Localization
i18n chunk 23: document intake — the largest surface — speaks every locale (#1097)
Document intake, the platform's biggest hardcoded-string surface (138 strings across upload, OCR review, classification, confidence badges and field-level extraction review), migrates to a nested app-dictionary section, threaded through the ClassifyStep, ConfidenceBadge and FieldWithConfidence helpers. The confidence tooltips become parameterized keys. Baseline: 2,191 → 2,039, irreversibly.
v7.66.65
Localization
i18n chunk 22: provider onboarding and the commissioner workspace speak every locale (#1097)
The marketplace provider onboarding form (39 strings) and the commissioner-of-oaths workspace (39 — application, order queue, order cards) migrate to top-level dictionary sections threaded from their pages. Baseline: 2,271 → 2,191, irreversibly.
v7.66.64
Localization
i18n chunk 21: asset intelligence and the Support Center speak every locale (#1097)
The asset-intelligence tab (44 strings — recovery, debtor network, register, solvency, tracing and strategy cards) and the Support Center (43 — ticket composer, knowledge base, status labels) migrate to dictionary sections. The Support Center gets its own top-level section threaded from the support page, and a local ticket variable named t was renamed to stop shadowing the dictionary. Baseline: 2,362 → 2,271, irreversibly.
v7.66.63
Localization
i18n chunk 20: litigation ops and proceedings speak every locale (#1097)
The litigation operations tab (55 strings — service-of-process flow, affidavit validation, bailiff coordination) and the proceedings manager (46 — hearings, filings, the evidence-by-proceeding usage matrix) migrate to nested app-dictionary sections. The extraction codemod now strips non-identifier characters from generated keys (a stray multiplication sign had survived into one). Baseline: 2,468 → 2,362, irreversibly.
v7.66.62
Localization
i18n chunk 19: the case lifecycle and communications log speak every locale (#1097)
The case lifecycle tracker (40 strings — step rows, gating states, gate badges) and the communications log (43 — entry composer, channels, disclosure states) migrate to nested app-dictionary sections; Communications gains the dictionary prop it never had, threaded from the workspace. Baseline: 2,554 → 2,468, irreversibly.
v7.66.61
Localization
i18n chunk 18: litigation tools and extraction review speak every locale (#1097)
The litigation tools panel (52 strings — Bates, review sets, filings, metrics) and the AI extraction-review queue (43 — candidate cards, decisions, confidence bands) migrate to nested app-dictionary sections, threaded through the DocSection and CandidateCard helpers. Both components declared a dictionary prop they never bound; they now consume it. Baseline: 2,652 → 2,554, irreversibly.
v7.66.60
Localization
i18n chunk 17: the litigation Copilot and Judgment analyzer speak every locale (#1097)
The AI litigation Copilot (47 strings) and the Judgment analyzer (47 — record, conclusions, outcome, remedies, options cards) migrate to nested app-dictionary sections. The extraction codemod now understands trilingual ternaries and emits a Spanish partial block, so Copilot's hand-written Spanish copy is preserved verbatim instead of falling back to English. Baseline: 2,747 → 2,652, irreversibly.
v7.66.59
Localization
i18n chunk 16: the professional workspace shell and Drive import speak every locale (#1097)
The professional workspace shell (17 strings — availability states, module chrome, audit drawer) and the Google Drive import flow (8) migrate to nested app-dictionary sections, threaded through their helpers and both Drive call sites. Baseline: 2,772 → 2,747, irreversibly. AttorneyWorkspace was found to be dead code (zero references) — flagged for removal rather than migration.
v7.66.58
Localization
i18n chunk 15: share-to-attorney, Bates numbering, copilot chat, investigator board and portfolio speak every locale (#1097)
Five more workspace components — attorney sharing (18 strings, now at ZERO inline ternaries), Bates numbering (19), the copilot chat (17), the investigator board (14) and the portfolio view (7) — migrate to nested app-dictionary sections with one-prop threads where needed. Baseline: 2,849 → 2,772, irreversibly.
v7.66.57
Localization
i18n chunk 14: clerk filings and the archive speak every locale (#1097)
Two more workspace components — the clerk filings queue (16 strings) and the archive (17) — migrate to nested app-dictionary sections with zero prop changes. Baseline: 2,882 → 2,849, irreversibly.
v7.66.56
Localization
i18n chunk 13: deadline calculator, classification review and shared-with-me speak every locale (#1097)
Three more workspace components — the deadline calculator, the classification review queue and the shared-with-me list (27 strings; shared-with-me reaches ZERO inline ternaries) — migrate to nested app-dictionary sections; two needed a one-prop thread from their parents. Baseline: 2,909 → 2,882, irreversibly.
v7.66.55
Localization
i18n chunk 12: the workspace suite migration begins — six components, zero prop changes (#1097)
The workspace client suite migration opens with its enabling discovery: every workspace tab already receives the app dictionary, so sections nest inside it and components bind directly — no new prop threading. Six components (collaboration, export, firm, hearing, documents, research — 10 strings, all six now at ZERO inline ternaries) migrate this way. Baseline: 2,919 → 2,909, irreversibly.
v7.66.54
Localization
i18n chunk 11 (batch of five): experts, press launch, onboarding, learn and research-submit pages speak every locale (#1097)
Five more public pages in one batch — expert disciplines, the press launch page, marketplace onboarding, the learning hub and research submission (54 strings total; three files reach ZERO inline ternaries) — move to the dictionaries via the extraction codemod. Baseline: 2,973 → 2,919, irreversibly. The codemod also learned to never treat locale-code picks (fr/en selectors) as UI strings.
v7.66.53
Localization
i18n chunk 10 (batch): lifecycle, mrkplc and design-system pages speak every locale — baseline under 3,000 (#1097)
Three public pages in one batch — lifecycle (9 strings), mrkplc (16, now at ZERO inline ternaries), design-system (15) — move to the dictionaries via the extraction codemod. Baseline: 3,013 → 2,973, crossing under 3,000 for the first time, irreversibly.
v7.66.52
Localization
i18n chunk 9: the resolution (Conflict OS) page speaks every locale (#1097)
The public resolution page — 13 more hardcoded bilingual strings — moves to the dictionaries via the extraction codemod. Baseline: 3,026 → 3,013, irreversibly.
v7.66.51
Localization
i18n chunk 8: the bailiff recruitment page speaks every locale (#1097)
The public bailiff provider-recruitment page — 14 more hardcoded bilingual strings — moves to the dictionaries via the extraction codemod. Baseline: 3,040 → 3,026, irreversibly.
v7.66.50
Localization
i18n chunk 7: the settings hub speaks every locale (#1097)
The settings hub — all 22 of its bilingual strings (section cards for profile, workspace, security, email, preferences, activity, billing, notifications and support access) — moves to the dictionaries via the extraction codemod, leaving the file with ZERO inline ternaries. Baseline: 3,062 → 3,040, irreversibly.
v7.66.49
Localization
i18n chunk 6: the mediation marketplace page speaks every locale (#1097)
The public mediation page — 14 more hardcoded bilingual strings (pricing cards, booking states, most-popular badge, metadata) — moves to the dictionaries via the extraction codemod. Baseline: 3,076 → 3,062, irreversibly. The page's 12 bilingual data-object selections (tier names/descriptions) stay with the data, per the migration's standing rule.
v7.66.48
Localization
i18n chunk 5: the Judge911 US rights page speaks every locale (#1097)
The public /judge911 US criminal-justice rights page — 25 more hardcoded bilingual strings (rights track, rollout ladder, facility registry framing, metadata) — moves to the dictionaries via the extraction codemod. Baseline: 3,101 → 3,076, irreversibly.
v7.66.47
Localization
i18n chunk 4: the Canadian criminal-justice rights page speaks every locale (#1097)
The public /criminal-justice rights-navigation page — 28 more hardcoded bilingual strings (Charter rights framing, track cards, guardrails copy, metadata) — moves to the dictionaries via the extraction codemod. Baseline: 3,129 → 3,101, irreversibly.
v7.66.46
Localization
i18n chunk 3: the services hub speaks every locale (#1097)
The /app/services hub — 34 more hardcoded bilingual strings across the per-service intros (notarization, oaths, service of documents, filings) and the hub shell — moves to the dictionaries via the extraction codemod. Baseline: 3,163 → 3,129, irreversibly.
v7.66.45
Localization
i18n chunk 2 + the codemod: the marketplace index speaks every locale; future chunks are one command (#1097)
The public marketplace index — 38 more hardcoded bilingual strings — moves to the dictionaries (hero, provider-type cards, verification states, provider recruitment). Spanish and future locales now render it through machine coverage. The ratchet baseline drops again: 3,201 → 3,163, irreversibly.
The migration is now mechanized: a codemod (scripts/i18n-extract-ternaries.mjs) extracts a file's literal ternaries, generates stable keys, rewrites the file with a collision-proof binding, and prints ready-to-paste dictionary blocks — while deliberately skipping bilingual data-object selections and complex expressions for human review. Remaining chunks are one command plus wiring each.
v7.66.44
Localization
i18n migration chunk 1: the public provider-profile page speaks every locale (#1097)
The marketplace provider-profile page — the public surface a Spanish-speaking visitor is most likely to hit — moves its 22 hardcoded bilingual strings into the dictionaries (scope panel, verification badges, fees, credentials, endorsements, availability, booking states). Spanish now renders through the machine-covered dictionary layer instead of silently falling back to English; every future locale inherits the section automatically.
First proof of the ratchet loop: the migration shrank the committed baseline from 3,223 to 3,201 inline ternaries — a number that can now never go back up. Bilingual DATA selections (fr/en fields on content objects like credential descriptions) are intentionally untouched: their fix is es fields on the data, tracked as its own follow-up on the issue.
v7.66.43
Localization
i18n ternary ratchet: inline bilingual strings can no longer grow — the dictionary migration only goes forward (#1097)
Measurement first: the inline `locale === "fr" ? … : …` pattern — which bypasses the dictionaries, so Spanish and every future locale silently fall back to English on those surfaces — had grown from the ~272 strings reported when the issue was filed to 3,223 across 179 files, because the pattern had become the de facto style for client components.
A ratchet gate now stops the growth without demanding a big-bang migration: no file may ever have MORE inline fr-ternaries than its committed baseline, new files may introduce none, and reducing a file lets the baseline ratchet DOWN (never up). The gate runs inside the test suite, so CI enforces it on every PR from now on; new user-facing strings must use dictionary keys, which the es machine-coverage then picks up automatically.
The migration itself proceeds as mechanical per-surface chunks tracked on the issue (workspace components are the top offenders at 40–120 ternaries each) — each chunk shrinks the baseline and can never regress.
v7.66.42
AI & automation
Judge911 Case Builder: category → story → AI structuring → your decision (epic #100)
The Judge911 intake flow goes live at /app/disputes/new: pick a category (the five from the intake schema — UI and database constraint are drift-tested to match exactly), tell your story in your own words, and the metered, audited structuring call turns it into a structured case — summary, timeline, parties, documents to gather, and a risk band with one bucketing definition shared across screens.
Consent boundaries are explicit: the dispute is created on your own session (owner-scoped row-level security — visible to you only), and NOTHING is shared with any professional until you explicitly choose 'Get help', which runs the matching engine and shows who was notified with their response deadlines. 'Continue alone' keeps everything saved and private. A no-match result is never a dead end — the request stays active and the Support Center path is offered.
Fail-safe per the MVP spec: a structuring failure returns you to your story with a visible retry and your draft intact — never a silent half-structured state. Document upload and timeline editing ride the existing intake pipeline from the case view.
v7.66.41
Payments
Billing, one fiat path end to end: Stripe Tax on every checkout, the Billing Portal, a clear activation moment (#1268)
Subscription checkout now computes taxes with Stripe Tax — GST/HST/QST for Canada and VAT internationally, from the required billing address, with tax-ID collection for business customers (GST/QST numbers on invoices) — never hand-rolled, exactly as the fee-authority rule demands. Checkout initiation is audited.
Self-service arrives at /app/settings/billing: the free plan gets an explicit activation moment (plans, price, what unlocks), and paid accounts open the Stripe Billing Portal for cards, default method, invoices with tax lines, plan changes with Stripe-managed proration, and cancellation. The portal session is derived from the caller's OWN subscription row — opening someone else's billing is structurally impossible — and every portal open is audited. A payment lapse degrades the account and never deletes data (the entitlements layer already treats past_due as active).
The launch-gate coverage now enumerates the billing tree too: checkout and portal pass on their own merits, and the webhook is allowlisted with its reason on record (signature verification IS the gate for a system caller). A smart-retries dashboard attestation probe (STRIPE_SMART_RETRIES_CONFIRMED) rounds out the dunning posture. This closes the final child of the Settings & Operations v1 epic.
v7.66.40
Workspace & matters
The V1 launch gate: settings/workspace/support surface verified gated + audited — and kept that way by CI (#1270)
The Settings & Operations v1 launch gate passed: every route under settings, workspace and support was enumerated and verified for server-side authorization (capability gate or session self-scope), audit-event emission on every mutation, and legal-hold wiring on every lifecycle transition. Result: zero ungated or unaudited surfaces; two reason-documented exemptions (the deliberately public support intake form, and checkout auditing which ships with the billing slice). Full route-by-route table in docs/security/SETTINGS-CAPABILITY-AUDIT.md.
The pass is permanent, not a snapshot: a new coverage test enumerates the same route trees from the filesystem, so any future settings/workspace/support route is automatically checked for a gate and audit coverage the moment the file exists — an ungated surface is a failing build, not a review hope. The residency-change absence (#1267) is asserted too, flipping into a hold-gate wiring assertion the moment that surface appears. This completes step 10 of 10 — the Settings & Operations v1 epic build sequence is done.
v7.66.39
Workspace & matters
Danger Zone: workspace lifecycle with supreme legal-hold gate, 30-day grace, dark purge (#1266)
The workspace lifecycle lands as a strict state machine — active → archived → pending-delete → purged, with restore and cancel — where ARCHIVE is the default destructive action (reversible, preserves data and audit history) and permanent deletion is buried one level deeper: typed exact-name confirmation plus a 30-day grace window before purge is even possible. Purge additionally ships DARK behind the WORKSPACE_PURGE_ENABLED deployment flag until the per-retention-class counsel decision resolves, and the capability lens already restricts danger-zone execution to the founder.
Legal hold is supreme (contract #3): a new workspace-scoped hold table (sibling of the matter-scoped one, which is untouched) blocks archive, deletion, purge and ownership transfer at EVERY transition, re-checked server-side — only the undo actions (restore, cancel) are exempt. Holds are issued/released under legal_hold.manage, fully audited, and always visible to the workspace's admins. retention_until survives purge by design: purge clears operational data only.
Ownership transfer (deferred from the members slice) lives here: current-owner-only, typed-name confirm, and the target must already be an active admin member. Every lifecycle transition is audited and the destructive ones fire the unsuppressable security alert. This completes the final child of the Settings & Operations v1 epic's build sequence.
Multi-user workspaces become manageable at /app/settings/workspace: invite by email (14-day expiring invitations, at most ONE pending invite per address enforced by a database partial unique index), assign the fixed v1 roles (ownership is not a role and can never be granted through an invite or role change), suspend/reactivate, and remove. Pending invitations are listed distinctly and revocable; invitees receive a bilingual email whose link lands on a dedicated acceptance page.
The terms gate you cannot operate without: accepting an invitation REQUIRES accepting the terms of use — the server rejects acceptance without it — and records the timestamp AND version accepted on the membership row; a new terms version flags every member for re-acceptance. The invitation must match the signed-in address (the invite id is not a bearer token).
Last-owner protection: the workspace owner can never be removed, suspended, or demoted through the members API (pure, tested rule applied on every mutation path) — ownership moves only through a dedicated transfer flow. Every roster mutation is capability-gated (workspace.manage_members) and audited; invite audit metadata carries the address DOMAIN only.
The account-protection spine lands at /app/settings/security. Password changes enforce a length-first strength policy and a breached-password check via HIBP k-anonymity — only a 5-character hash prefix ever leaves the server, the password itself is never stored, logged, or transmitted — with a one-click 'log out everywhere else'. Two-step verification (TOTP) offers full enroll (QR + manual secret), verify and disable flows on the session's own credentials.
Sign-in history surfaces the account's recent auth events (logins, logouts, recoveries, MFA challenges) with IP and device, read from Supabase's auth audit log strictly pinned to the caller's own actor id. Every consequential action — password change, 2FA on/off, mass sign-out — appends a tamper-evident audit event and fires the required-class security alert to the account email ('if this wasn't you…'), which suppression and quiet hours cannot silence.
The support-session agent routes upgrade from the persona gate to requireCapability('support.session') now that the capability model is live — same coverage, one decision layer. The settings hub gains cards for Security, Email, Preferences and Activity. Recovery posture is deliberate and documented in-UI: email reset, audited — the issue's sovereignty/recovery tension resolved toward strong-but-auditable; custom recovery codes were deliberately not built as a parallel bypass of Supabase auth.
Personal appearance and accessibility settings land at /app/settings/preferences: theme (dark / light / system with live OS follow), text size (87.5–150%), reduced motion and a new real high-contrast mode. Saves are instant and optimistic — no Save button; a rejected save rolls the control and the page back visibly.
Preferences follow the account across devices: stored per-user in one validated jsonb column (0107 — no new table, per the cut sheet), applied on workspace load by a silent sync, and mirrored to the same localStorage keys the pre-paint boot script and accessibility widget already read — first paint stays instant and every surface stays coherent.
The server stores only the validated merge (unknown keys dropped, out-of-range values rejected — never clamped silently), runs exclusively on the caller's RLS-scoped client, and audits changed-key names. Locale stays with the header language switcher (date/number formats derive from it); reminder timezone stays under Notifications.
Workspace administrators get the accountability surface over the audit event store: a human-readable activity feed (filter by actor, action, target, date) and an evidence-grade audit record view carrying the FULL canonical event — sequence, chain, previous/entry hashes, payload — exportable as newline-delimited JSON that can be re-verified against the tamper-evident chain.
Read-only by construction at every layer: the route exports GET and nothing else (drift-guarded), the projection module only shapes rows, and the store itself rejects UPDATE/DELETE at the database level (0104). Authorization is layered — requireCapability('audit.read_workspace') plus the caller's RLS-scoped client, so the 0104 workspace-read policy backstops the capability check row by row; the service role never appears.
Anti-tamper display rule enforced in code: everything a human sees (workspace, ip, user agent) derives from the hash-covered payload — the projection does not even accept the mirror columns as input, so a divergent mirror value can never reach a screen. New page: /app/settings/activity.
v7.66.34
Notifications & email
Repair: land the change-email implementation the 7.66.33 merge described but did not contain
The 7.66.33 squash carried the verified change-email changelog entry and version bump but none of its code (a wrong source revision during the branch rebuild left the slice out, and the gates passed vacuously because the missing tests were missing too). This release lands the actual implementation from its authoritative commit: the stage → confirm-via-new-address → commit → notify-old flow, the immediate required-class alert to the current address, the idempotent domains-only-audit finalizer, the operator attestation probe, and the /app/settings/email page — verified by its 9-test suite now genuinely present and green.
v7.66.33
Notifications & email
Verified change-email: stage → confirm via the new address → commit → notify the old (#1179)
Changing the account email never switches on submit (contract #4): the request STAGES the change on the caller's own session (Supabase holds the new address as pending and mails it a verification link), a required-class security alert goes to the CURRENT address immediately — a hijacked session cannot quietly move the account — and the switch happens only when the NEW mailbox confirms.
At commit, the auth callback notifies the OLD address (while the profile mirror still holds it — notification deliberately precedes the mirror sync so a failure can never orphan the notice), syncs profiles.email, and appends the audit event. The finalizer is idempotent (a re-clicked link does nothing) and audit metadata records email DOMAINS only, never addresses.
Operator attestation probe added for the Supabase dashboard's Secure-email-change toggle (SUPABASE_SECURE_EMAIL_CHANGE_CONFIRMED — the dashboard state is not API-readable, so readiness surfaces gate on the attestation). New settings page: /app/settings/email.
v7.66.32
AI & automation
Repair: restore the capability-model, required-notifications and support-access code reverted by three faulty merges
The 7.66.29–7.66.31 squash merges were built from branches based on an older main, and the flatten step staged deletions of everything main had gained in between: the 7.66.28 capability model (requireCapability, lenses, admin-gate rewiring, the recorded fee-model counsel approval), the 7.66.29 required notification classes (send-path enforcement, security-alert/billing-alert templates), and the 7.66.30 support-access system (grants, sessions, indicator, migration 0105) were each silently reverted by the merge that followed them. This release restores all 28 affected files from their authoritative branch heads — the features described in those three changelog entries are now actually on main, verified by their own test suites (capability matrix, required-class enforcement, support-access invariants) plus the full gate suite and a production build.
The settings hub lands at /app/settings, tying together Profile (new), Notifications and Support access. Profile edits name, phone and organization — reusing the columns that have existed since 0001, no near-duplicates — with the spec's save model: Save stays disabled until a field is dirty, unsaved changes prompt before navigate-away, and a one-click discard restores the saved state. Email is deliberately read-only here: changing it goes through the verified stage → confirm-via-new-address flow (#1179), never a profile save.
Avatars are processed SERVER-SIDE, always (§4.1): uploads are validated (JPEG/PNG/WebP, ≤2 MB — SVG rejected), then re-encoded by sharp to a 512×512 webp before touching storage, so the bucket never stores a client-original byte stream (EXIF stripped, polyglot files neutralized). The new public avatars bucket (migration 0106) pins every write to the caller's own uid-named object at the storage-policy level.
Every route runs exclusively on the caller's RLS-scoped client (the service role never appears — drift-guarded by test), privileged fields (role, plan, email) can never pass through the validator, and profile/avatar changes are audited with changed-field NAMES only — the tamper-evident chain records that the phone changed, not the phone.
v7.66.30
Security
Support Access tier 1: opt-in, expiring, one-live-session, instantly revocable, fully audited (#1269 part 2)
Transcript-review support access ships (migration 0105): the account owner opts in with a 72-hour auto-expiring grant; a support agent can open AT MOST ONE live session against it — enforced by a database partial unique index, so the guarantee holds under race, not just in route logic. Revocation is instant and one-way (the owner's only permitted update sets revoked_at — extending expiry or changing scope through that policy is impossible) and ends any live session immediately.
Transparency by construction: the granting user can always see every session opened on their account (RLS visibility policy), a persistent banner follows them across the entire workspace while access is active — pulsing when a session is live — with a one-click revoke, and every grant, revocation, session open and session end is recorded in the tamper-evident audit chain with server-generated timestamps. New settings page: /app/settings/support.
Agent-side session routes are ops-admin gated in v1 (platform admins are tier-1 support), documented to upgrade to requireCapability('support.session') when the capability model lands — same people, one decision layer.
v7.66.29
Security
Required notification classes: Security & Billing cannot be silenced — enforced in the send path (#1269 part 1)
Every notification template now belongs to exactly one class (security / billing / legal / account / product — mapping is total, test-enforced), and the Security and Billing classes are REQUIRED: sendNotification no longer consults the suppression list for them (an unsubscribed address still receives security and billing notices — they are transactional, not marketing; the unsubscribe keeps silencing every optional class), and the reminder dispatcher never defers a required-class message to quiet hours. Enforcement lives in the send path — the preferences screen marks the two classes Required with locked toggles, but that is explicitly cosmetic.
First two required templates ship with the machinery: security-alert and billing-alert (bilingual), ready for the change-email/2FA flows (#1179/#1180) and billing events (#1268) to emit.
v7.66.28
Payments
Capability model: one tree, 7 role lenses, requireCapability as the only backend gate (#1177); fee/referral model counsel approval recorded (#448)
The Settings & Ops authorization layer lands: one capability tree (18 capabilities, each with a sensitivity tier) projected through 7 seed role lenses (Founder/Owner holds everything; nothing else holds the danger zone). requireCapability is the only authorization primitive settings/ops server actions use — workspace-scoped capabilities demand a workspaceId and the caller's active membership, and every path fails closed (no session 401, missing workspace 403, capability not held 403).
Reconciles the two EXISTING role systems instead of forking them: profiles.role (platform admins) and organization_members.role (workspace roles, 0084) both project into the same tree, so existing platform admins and org admins hold their capabilities from day one with no backfill. resolveOpsAdmin and requireAdminSession now route their decision through the capability layer (platform.ops) — internal callers, not siblings. <Can> and visibleNav ship as cosmetic lens projections only; hiding never substitutes for the server check (#1177).
Counsel approval of the fee/referral model is now durably recorded in code (FEE_MODEL_COUNSEL_APPROVAL, approved 2026-07-02, linked to the issue attestation): the fee-engine DEFAULT schedule is thereby the approved production schedule (FEE_MODEL_VERSION 2026-07-approved-1). Approval and activation stay deliberately separate — the monetized lane remains off until the operator sets ATTORNEY_ETHICS_MEMO_APPROVED=1 and ATTORNEY_MARKETPLACE_MONETIZATION_LIVE=1; blocked fee models (percentage-of-legal-fee, success fees) remain blocked (#448).
The hash-chained audit substrate (0045) is formalized as the V1 Audit Event Store (migration 0104). UPDATE/DELETE are now revoked at the database-grant level from every API role — anon, authenticated, AND service_role — on both chain tables, so the append-only contract holds even if a trigger is ever dropped. workspace_id/ip/user_agent become GENERATED columns derived from the hash-covered payload: they can never disagree with what the entry hash covers, making mirror tampering impossible by construction.
Workspace admins can now read their own workspace's audit trail: can_read_workspace_audit(w) (SECURITY DEFINER, fail-closed, active org-admins only) backs a new SELECT policy additive to the 0045 platform-admin read — the capability the upcoming Activity feed (#1182) consumes as a projection.
New emitter lib/security/audit-events.ts is the one way server code records a workspace event: it derives ip/user-agent from the request server-side, stamps the workspace, and delegates to the chain writer, which assigns the server-clock timestamp — the emitter's type surface cannot carry a client timestamp, and reserved context keys cannot be spoofed via metadata. Acceptance tests cover the grants, the generated mirrors, the capability, and the emitter contracts.
v7.66.26
Security
Founder metrics move to SQL aggregation; adapter drift-guards; auth/billing unit tests; inline theme script externalized (#1098 #1102 #1106 #1107)
Founder Command Center metrics now aggregate in Postgres (admin_metrics_rollup, migration 0103) instead of downloading up to 50,000 growth_events rows (plus 2–10K-row scans of service_orders, order_tickets, ai_audit_events, procedures and matters) into the serverless function for JS-side loops. Beyond the old caps, rows were silently dropped — dashboard figures were a lower bound; at scale the fetches risked memory exhaustion. The rollup is service-role-only, keeps the canonical ticket bucketing in lib/ops/ticket-counts, and a drift-guard test bans re-introducing bulk fetches (#1098).
Supabase adapter interfaces are now verified against the real client: rpc-port adapters (scoped retrieval, recall, matter edit gate) are statically asserted in lib/types/supabase-adapter-compat.ts, and every from()-chain adapter (audit chain, privacy export/erasure, proposals, reminder stores) is walked at runtime by a chain-shape test — a supabase-js upgrade that breaks a surface now fails CI by name instead of throwing in production (#1102).
Unit tests added for the auth-critical lib modules that had none: assertCanEditMatter fail-closed behavior (tenant isolation), portal routing + open-redirect allowlist, auth-callback error paths and locale resolution, and Copilot metered-billing Stripe calls (#1106).
The pre-paint theme script moved from an inline <body> script to the external /theme-init.js, so first-party code no longer requires CSP 'unsafe-inline' (JSON-LD is a non-executed data block CSP ignores); the CSP header documents that only Next.js's own bootstrap scripts still depend on it (#1107).
Audited every matter-scoped API route for its tenant-isolation gate. Result: no cross-tenant/RLS-bypass gap — each service-role (admin-client) route is protected by an explicit ownership check, an RLS read-back, or is self-scoped to the caller's own row. One privileged route, /api/production/[id]/build, relied solely on RLS: it now returns a clean 401 to unauthenticated callers and enforces can_edit_matter (403) so a read-only collaborator can no longer trigger a court production — matching the extraction accept/reject precedent. The full audit (each route + its gate, plus the deliberately RLS-only and system/cron routes) is documented in docs/security/MATTER-ROUTE-ACCESS-AUDIT.md.
v7.66.24
Ops / CI / infra
Fix: version-advances guard no longer false-fails on main (green build-and-test)
The check:version-advances guard only skipped when HEAD's SHA exactly equalled origin/main. After every merge the auto-version-bump workflow pushes a `[skip ci]` release commit, so by the time CI runs, origin/main has advanced to a different SHA carrying the same version — the exact-match skip missed and the guard failed on equal versions, reddening main after each merge even though nothing had regressed. The guard now skips whenever HEAD is contained in origin/main (on main, on a post-merge commit, or on a commit origin/main has since advanced past), while still requiring a strict version advance on a genuine open feature branch. Restores a green build-and-test on main.
v7.66.23
AI & automation
Fix: consolidate AI draft + copilot onto the shared per-user rate limiter (green main)
The AI-route rate-limit consolidation (#1222) had not reached /api/ai/draft and /api/ai/copilot — they kept separate inline limiters (and copilot still returned the inconsistent 'rate-limited' token). Both now use the shared aiUserRateLimiter and the canonical AI_RATE_LIMITED token, so all six orchestrated AI routes enforce one per-user aggregate cap. The #1112 drift-guard test was updated to verify the shared-limiter wiring (with a module-level check that the shared limiter is a SlidingWindowRateLimiter), restoring a green build-and-test on main.
v7.66.22
Workspace & matters
Retention: reconcile disclosed vs enforced categories; matter-linked notifications follow the matter (#1229)
The disclosed data-retention policy now covers every category the sweep engine actually enforces (telemetry, growth, notification outbox, matter shares were enforced but undisclosed — a Loi 25 gap), each annotated with its enforcement mechanism (auto-swept / retained-by-design / provider-managed / infra-managed), with a test asserting disclosure can never again omit an enforced category.
Notification-outbox delivery history tied to a matter is no longer purged at 180 days — matter-linked rows are retained for the life of the matter (never age-swept while linked; released to a 180-day grace window only once the matter itself is deleted), so a matter revived years later keeps its full history. Matter-less operational notifications still purge at 180 days. The retention test was converted from vitest to the repo's node:test runner and registered.
v7.66.21
Content / legal
Fix: CSAM safety gate lists all three required env controls (#1213)
The operator action queue's CSAM safety item now lists CSAM_REPORTING_CONTACT alongside CSAM_SAFETY_LIVE and CSAM_HASH_MATCHER_URL in its requires list, matching what its satisfied check (and the canonical csamSafetyReadiness gate) actually enforce — no more split-brain where the displayed requirements understated the real three-variable gate.
Privacy & ops: PII (emails, user/matter ids) redacted from public-route logs and copilot happy-path traces removed from outside the audit chain; 11 inline admin gates consolidated onto resolveOpsAdmin() with the last profile non-null assertion removed; /api/ai/draft and /api/ai/copilot rate-limited before model spend; rateLimiting readiness now reflects real enforcement; server errors captured from all routes via Next instrumentation onRequestError; brain/memory-consolidation/reconciliation/uptime crons scheduled.
Workspace access & review gates: G1 default-deny workspace-module visibility enforced with injective slugs; one shared per-user AI rate limiter with a canonical rate_limited error across AI routes; robust YAML parsing + full sign-off validation for the legal/native review gates, wired as check:* scripts.
UX & i18n: localized error.tsx/loading.tsx boundaries under app/[lang]; marketplace ProviderCard availability/verified labels moved into the dictionary; truncate() guarded against non-positive limits and safeNext dropped from the client-safe barrel; expert sort default, ownership-claim, and shared fact-date formatter cleanups.
Migration 0102 adds intake fields to disputes (category, urgency_level, structured_data, jurisdiction) and match_score/lead_expires_at to marketplace engagements. New endpoints: /api/disputes/[id]/structure (AI structuring via the orchestrator with structured outputs, metered, fail-safe on error), /api/disputes/[id]/match (rule-based top-3 provider match creating leads + realtime broadcast), /api/leads/[id] (provider accept/decline with entity-owner ownership check and optimistic concurrency), /api/providers/leads (entity-scoped lead inbox), and an hourly lead-expiry cron behind requireCronAuth.
Urgency triage fails safe (unknown escalates, never de-escalates); every mutation flows through the tamper-evident audit chain; provider payouts remain gated (no money moves in v1). The Case Builder frontend is a tracked follow-up.
v7.66.18
Privacy (Law 25)
Judge911 Revenue Operating System (compliance-corrected doctrine)
Landed docs/doctrine/JUDGE911-REVENUE-OS.md — the single governing document for how Judge911 is sold, marketed, priced, and represented by every person and AI system, after an adversarial UPL/privacy review. Corrections applied: no merits/outcome assessment in copy or feature names (a completeness/urgency indicator replaces the rejected risk indicator); the compliance sections forbid applying law to a user's facts however the output is labeled or disclaimed; lawyer-matching carries an independent per-jurisdiction referral-service gate on top of the fee gate; sales claims are conditioned on measured data and security claims on green trust-readiness flags.
Expanded the privacy posture (Loi 25 privacy officer, cross-border assessment, incident register, automated-decision disclosure, express consent for sensitive case data) and added CASL/Loi-25 consent, sender identification, and unsubscribe requirements to the marketing playbook; added a mandatory per-response informational-not-advice disclosure rule for in-product AI. Doctrine only — no runtime behavior changes.
v7.66.17
Payments
Fix: trust-gaps payout-rails gate follows the deduplicated payout config
The check:trust-gaps payout-rails assertion now reads lib/payouts/config.ts alongside release-readiness.ts, so it still detects the Stripe Connect / CA-EFT / provider-payouts controls after they were consolidated into the shared payout-config helper. Restores a green build-and-test on main; no behavior change to the payout gates themselves.
v7.66.16
Ops / CI / infra
Settings & Operations v1 build spec
Landed docs/spec/SETTINGS-OPS-V1.md — the synthesized architecture for the Settings & Operations epic (audit-event store + capability model as the substrate, every settings surface a capability consumer and audit emitter), with each of the 11 child issues mapped onto existing tables rather than new ones (extend the tamper-evident hash chain, reconcile the two existing role systems, reuse the profile/preferences/erasure tables).
Records the blocking security rule the design review surfaced: any audit-event database view must be declared security_invoker with locked-down grants, or it silently leaks the cross-tenant audit chain past row-level security. Includes the ordered 6-train build plan with the permission/audit-coverage pass as the verification caboose. Planning documentation only — no runtime changes.
JusticeHome aggregates, filtered lists, and per-card derivations are memoized; Workspace selected-matter lookup, conflict detection, and JusticeHome callbacks no longer recreate every render; 30+ tab panels lazy-load via React.lazy/Suspense.
importStrandedLocalMatters reports per-matter outcomes instead of a blanket failure when a partial cloud write succeeded; FilingReadiness package removal and ActionCard disabled CTAs gain confirmation/helper affordances. The #1201 legal-hold guard on local matter deletion is preserved through the callback-hoisting refactor.
Security & data: hardened service_orders RLS against cross-tenant matter_id injection with optimistic-locked updates (migration 0101); legal-hold now blocks retention sweeps, local purge, and delete-all, with an append-only hold history; 0093 fresh-rebuild guards schema-qualified; RLS registry/harness reconciled.
Payments & compliance: Stripe checkout requestId gated on the authenticated owner; live disbursement gated on the payout-readiness check with deduplicated payout config; pricing breakdown adds SK/MB/BC PST and reconciles the QC/NS rates in the fee-authority modules; subprocessor change-readiness no longer bypasses on bad dates.
Logic: jurisdiction time-bar evaluator now fails safe (missing field flags for review instead of reporting time-barred); courtroom reducer preserves the ADJOURN timestamp and gates transitions; jurisdiction allow-list wildcard case-fix + who-enabled audit; document-taxonomy classifier locale/staleness fixes.
i18n & accessibility: localized the French upload error banner and Spanish litigation-readiness actions; per-jurisdiction lawyer-license validation (ON/BC/QC); apple-app-site-association served as application/json; ScrollNav/NotificationBell aria-labels localized; OutboundLink and exit-intent modals get focus traps + 44px targets; light-mode contrast raised to WCAG AA; expert-apply form labels, loading states, and human error copy.
Tests & ops: fixed the health-probe promise leak cancelling sibling tests; incident-alerting readiness env-var and channel over-reporting corrected.
v7.66.13
Ops / CI / infra
Judge911 MVP v1: port-mapped build spec
Landed docs/spec/JUDGE911-MVP-V1.md — the Judge911 (US edition) MVP build plan ported onto the real architecture: disputes gain intake fields via migration 0102, providers and leads ride the unified marketplace core (0100), documents ride the scanned-storage pipeline, and events flow through the tamper-evident audit chain instead of a new table.
Compliance rails are recorded as blocking: urgency triage fails safe to higher urgency (mis-triage is a P0), intake follows Law 25 data minimization, and v1 moves no money so the counsel-review monetization gates stay closed. Deferred infrastructure keeps explicit revisit triggers.
v7.66.12
Security
Marketplace core: RLS invariants locked in CI
The RLS audit harness gains a marketplace-core section: CI now fails if the escrow table ever gains a user write path (it is service-role-only by design), if conflict checks lose their admin-only gate, if the entity self-insert stops forcing pending status, or if the verification-protection trigger disappears.
The two defects fixed when landing migration 0100 are pinned as regression tests: every enum creation must stay idempotency-guarded, and the phantom e.status column reference can never return.
Promoted the unified marketplace-core migration (0100): seven tables — entities, listings, engagements, availability, endorsements, conflict checks, escrow — consolidating the fragmented bailiff/expert/provider marketplaces into one exchange layer with row-level security on every table.
Security posture: escrow is read-only for the parties and writable only by the service role (money state is never user-mutable); conflict checks are admin-only; verification fields are protected by a dedicated trigger. Two defects fixed at promotion: all eight enum creations are idempotency-guarded, and the availability policy referenced a nonexistent column (e.status → e.entity_status).
All seven tables are registered in the RLS table registry with their expected scoping, so the CI audit harness enforces the isolation model from this release onward.
v7.66.10
Security
Cron auth: one shared guard across every scheduled endpoint
All nine cron endpoints (retention, uptime, filing-status, memory-consolidation, reconciliation, brain, ai-index, and both notifications routes) now authenticate through a single shared requireCronAuth guard in lib/notifications/cron — Bearer-only CRON_SECRET, timing-safe comparison, and one generic 401 body for every auth failure. The seven routes that still returned a distinct cron_not_configured body no longer reveal configuration state to external callers; the misconfiguration is logged server-side per job instead.
New static drift-guard test (lib/__tests__/cron-auth-consistency.test.ts): scans every cron route and fails if any hand-rolls its own CRON_SECRET check or reintroduces the config-state-leaking body — the shared guard is now enforced by CI, not convention.
v7.66.7
Release metadata
Versioning tooling: package-lock.json joins the release lockstep
scripts/sync-version-to-changelog.ts now also mirrors the changelog version into package-lock.json's two root version fields (top-level and packages[""]), closing the gap that let the lockfile lag entire release trains (it sat at 7.65.57 while package.json reached 7.66.x) despite docs/VERSIONING_MASTER_PLAN.md requiring one version across all four files.
The lockfile update is a targeted string replacement of only the root project version strings — the dependency tree stays byte-identical, so npm ci resolution is unaffected. This release's own version stamp was produced by the fixed script as its end-to-end proof.
v7.66.6
Ops / CI / infra
CI gating policy v1 — hard, soft, and informational checks
Published docs/ci-policy.md: a three-tier gating policy for the repo's CI surface — Tier 1 hard gate (build-and-test, must be green to merge), Tier 2 soft gates (Playwright/Momentic/Testim end-to-end suites, blocking only when a diff touches UI surface), Tier 3 informational (previews, heuristic scanners, bot reviews).
The policy includes a binding clause (platform configuration wins over the document), a human-applied enforcement blueprint for branch protection, and a verification audit so the written policy and the actual GitHub configuration cannot silently drift.
v7.66.5
Evidence
Large-file uploads: real progress + resilient path handling
Evidence uploads above 25 MB now report real byte-level progress (XMLHttpRequest path with SDK fallback), so large files show a progress bar instead of an indeterminate spinner; above 100 MB the existing quarantine posture is unchanged — files stay withheld from serving until scanned.
Fixed the direct-upload endpoint path to encode each segment individually, so the matter-scoped storage path (matterId/file) reaches Supabase Storage intact instead of a %2F-encoded single segment.
v7.66.4
Marketplace
Expert marketplace: public directory API
New GET /api/marketplace/experts — lists published expert profiles with paginated filtering by discipline, region, and language. The service-role read projects an explicit public-column allow-list (EXPERT_PUBLIC_COLUMNS) — never select(*) — so auth identifiers, member numbers, insurance dates, subscription tier, and internal qualification data can never leak through the public directory.
Added unit tests covering pagination math, filter pass-through, the response-shape contract, and the public-column projection.
v7.66.3
Ops / CI / infra
Notifications cron: one shared hardened handler
The canonical /api/cron/notifications route and its /api/notifications/cron alias now re-export a single shared handler (handleNotificationsCronRequest in lib/notifications/cron): auth and dispatch are defined exactly once, so the two routes can never drift in behaviour, authentication, or error shape.
The shared handler keeps the strict auth posture from the 7.65.59 hardening on BOTH routes: only the Authorization: Bearer header is accepted (the ?secret= query channel is refused so the secret cannot leak into access logs), and every unauthorized request returns the same generic 401 whether CRON_SECRET is unset or the credential is wrong — misconfiguration is logged server-side, never exposed.
v7.66.2
Jurisdictions
CI fix: edition-purity gate loader hardening
The check:edition-purity gate now runs via the repo-standard `node --import tsx` loader with regular module imports, fixing the environment-dependent MODULE_NOT_FOUND crash (issue #1252) that the scoped tsImport loader could hit on nested CommonJS requires.
Added a loader-wiring invariant test so the gate's execution path stays aligned with the other TypeScript-based checks (check:locales, check:security-scan).
v7.66.1
Ops / CI / infra
CI guard: migration collisions (no new duplicate migration numbers)
Added the check:migration-collisions gate (scripts/check-migration-collisions.mjs): the build fails if two Supabase migration files share a 4-digit number prefix, so concurrent branches can no longer silently claim the same "next" migration number.
The five legacy duplicate groups already applied in production (0043, 0045, 0069, 0092, 0093 — 14 files) are frozen exactly as they exist; adding a file to a frozen group also fails. The guard runs ahead of apply-migrations in the build, covering both CI and production deploys.
Added the secure backend for bidirectional matter folder-sync: migration 0095 adds disk-mirror + provenance columns to documents and a private matter-documents Storage bucket with matter-scoped RLS.
New /api/matters/ingest route commits uploaded and folder-synced files with cookie auth, a server-side can_edit_matter re-check, malware scan before durable write, SHA-256 chain-of-custody, and source provenance — Supabase is the system of record.
New /api/matters/mirror-status route records the best-effort disk-mirror outcome for a document, ownership-checked; audit flows through the existing tamper-evident hash chain (no parallel audit table).
v7.65.62
Workspace & matters
Docs: Matter Workspace v1 spec + issue breakdown
Added the Matter Workspace v1 feature spec (local-first, zero-knowledge encrypted workspace) and its 8-epic / 30-issue build breakdown under docs/spec/, reconciled to the Supabase data model.
Documented the configurable security-posture model (per-matter Hard/Soft/Hybrid backup confidentiality + a jurisdiction-enforced call-recording consent floor) and the bidirectional folder-sync design (Supabase system-of-record, disk best-effort mirror, source provenance).
Flagged the open storage-tier decision (zero-knowledge evidence vault vs. server-readable working layer). Planning documentation only — no code or runtime behavior changes.
v7.65.61
Ops / CI / infra
CI guard: fee-authority (single source of truth for money math)
Added the check:fee-authority gate (scripts/check-fee-authority.mjs): fails the build if any file outside the authoritative fee/tax modules (lib/marketplace/fee-engine.ts, lib/payouts/ledger.ts, and the other listed authorities) defines a fee/tax rate table, multiplies an amount by a fee/tax rate, or hardcodes a QST tax constant.
Prevents a recurrence of the rejected #1064 pattern — a parallel, UI-driven pricing engine that inverted the fee direction and drifted from the ledger. The presentation layer must render server-computed values; a reviewed exception uses a `fee-authority-allow` comment.
Hardened the payout readiness gate: no payout rail (US Stripe Connect or CA EFT) reports ready until BOTH TAX_POSTURE_APPROVED and PAYOUT_RUNBOOK_APPROVED are set — human attestation flags for the tax-posture memo and the operator payout runbook.
The two flags are AND-ed into the existing payoutRailReadiness().live report and the providerPayouts trust signal — no parallel gate. Because regulated-lane checkout (expert/lawyer) is gated on providerPayouts, an unmet gate holds those checkouts. Both flags are surfaced in the per-rail blockers list.
Fail-safe direction: if the flags are unset, the payout readiness signal is held (not green). Operators must set both env vars — alongside PROVIDER_PAYOUTS_LIVE and the rail credentials — before regulated payouts are considered ready.
Added jsonLdSafe() to lib/seo.ts: escapes </script> sequences in JSON-LD structured data to prevent script-injection when any field is sourced from a user-editable record (RFC 4627 / Google Structured Data recommendation).
Applied jsonLdSafe() to all 6 dangerouslySetInnerHTML JSON-LD blocks: layout.tsx, research/[slug], guides/[slug], editions/[country], experts/[discipline]/[expertId], and press/lancement.
Fixed CRON_SECRET log-exposure in /api/cron/retention and /api/cron/notifications: added { allowQuery: false } so the secret can no longer be passed via ?secret= query parameter (which Vercel logs record in plaintext). Consistent with the 6 other cron routes already using this flag.
v7.65.58
Security
Dependency maintenance: safe in-range upgrades
Upgraded low-risk dependencies within their existing semver ranges: @supabase/supabase-js 2.108→2.110, @playwright/test 1.60→1.61.1, pg 8.21→8.22, nodemailer 9.0.1→9.0.3, vitest 4.1.8→4.1.9, the Vercel AI SDK (ai) 6.0.202→6.0.217, and @anthropic-ai/sdk 0.104.1→0.104.2.
Bumped the pinned CSS toolchain in lockstep: autoprefixer 10.4.20→10.5.2 and postcss 8.5.15→8.5.16, moving the direct dependency and the tree-wide postcss override together so the whole tree keeps a single postcss version.
No source changes — tsc --noEmit stays green and npm audit reports 0 vulnerabilities.
Major upgrades deliberately deferred to their own reviewed PRs: Next 16, React 19, Tailwind 4, TypeScript 6, the Stripe SDK 22, @supabase/ssr 0.12, pdfjs-dist 6, and the AI SDK v7.
v7.65.57
AI & automation
Legal-hold automation (#435)
Added a legal-hold flag to matters: applyLegalHold / removeLegalHold helpers in lib/legal-hold/index.ts set and clear a LegalHoldMeta field on the LegalCase object.
LegalHoldBanner component renders a yellow alert banner whenever a matter is under hold, showing the reason, applied date, and actor.
Bilingual EN/FR i18n strings added for all legal-hold UI copy.
DB migration placeholder added (DBA review required): legal_hold boolean and legal_hold_reason text columns on the matters table.
Unit tests cover apply/remove/guard helpers and edge cases (empty reason rejection, idempotent remove).
v7.65.56
Jurisdictions
Jurisdiction allow-list and enable/disable flip mechanism (#452)
Added lib/jurisdictions/allow-list.ts with a typed JURISDICTION_ALLOW_LIST constant covering every Canadian province/territory, federal, US launch states, and France (national), each carrying enabled, phase, and counselVerified flags.
Added isJurisdictionEnabled(code) helper: consults the compiled allow-list by default; honours the JURISDICTIONS_ENABLED env var (comma-separated or '*') as a runtime override — no deploy needed to flip a jurisdiction.
Added getEnabledJurisdictions() and getJurisdictionEntry() helpers for listing and looking up entries.
Added scripts/audit-jurisdictions.mjs: reads the allow-list and prints a structured report (text or JSON via AUDIT_FORMAT) with integrity checks — duplicate codes, env-override unknown codes, enabled-but-unverified violations.
Added unit tests covering structural integrity, default enable/disable behaviour, env-var override paths (including '*' wildcard), and case-insensitive lookups.
Added bilingual EN/FR i18n strings for the allow-list UI labels (admin panels, audit tooling).
v7.65.55
Localization
Mobile deep linking & universal links (#478)
Added lib/mobile/deep-links.ts with deepLinkPath(type, id), universalLink(), and customSchemeLink() helpers — a single source of truth for every URL the native shell deep-links into.
Added public/.well-known/apple-app-site-association (AASA) and public/.well-known/assetlinks.json placeholder files; both are empty-detail stubs ready to be populated when the first native build is registered.
Added docs/mobile/DEEP_LINKING.md explaining the deep-link scheme, generation API, AASA/assetlinks population steps, and how to add a new link type.
Added bilingual EN/FR strings under the mobileLinks key (openInApp, copyLink, deepLinkFallback, downloadApp, and one label per link target).
Added unit tests covering deepLinkPath, universalLink, customSchemeLink, and the DEEP_LINK_PATH_PREFIXES constant.
Added scripts/aup-agent.mjs — a self-contained static-HTML auditor that checks our sites against the AI-use obligations (AI disclosure, human-review-at-output, not-legal-advice scoping, age-gating) of every model provider in the call path (Anthropic, OpenAI, HuggingFace/Llama, Qwen). Reports FAIL / UNCONFIRMED with explicit manual checks. Self-audit of juge.ca: 0 FAIL.
Tightened the security-scan detector (lib/security/secret-scan.ts): the dangerous-command check no longer matches property-access `.exec()` (RegExp/String methods — ubiquitous and safe), only bare exec/execSync invocations and Node's child-process module. The exec-style and external-URL heuristics are now skipped for dev/CI tooling paths (the scripts directory, .mjs files, config files) that legitimately call git and cite provider URLs — but genuinely destructive constructs (recursive file deletion, privilege escalation, remote pipe-to-shell, dynamic evaluation) and the hardcoded-credential check still run on every file, tooling included. This clears the last false-positives that failed PRs shipping build tooling (e.g. the PR-wave planner and the AUP auditor) while keeping the gate's teeth for both runtime code and scripts.
Added an advisory release tool (lib/release/pr-wave.ts + scripts/pr-wave.ts, npm run pr-wave): it classifies open PRs by file path (INFRA → SCHEMA → CONSUMER → RELEASE), prints the deterministic merge-wave order, and flags cross-open-PR version collisions and regressions — the blind spot of check:version-advances, which only compares each PR to origin/main. First run surfaced 5 real collision clusters and ~18 stale PRs whose version no longer advances beyond main. Advisory only; merge-time enforcement is delegated to GitHub-native required checks + merge queue.
v7.65.50
Security
Federal corrections/parole problem taxonomy (#1244)
Added a plain-language problem taxonomy for the federal corrections/parole system (lib/litigation/corrections-problems.ts): 14 subject groups (grievances, security classification, transfers, SIU/segregation, discipline, health, parole, conditions, contact, property, Indigenous s.81/84, records, reintegration, safety), each problem routed to the recourse step it triggers in the corrections resolution pathway. General information structured from the CCRA + CSC/PBC framework, explicitly marked unverified (verifiedAt null) — orientation only, to be counsel-checked; the governing deadline is the one printed on the decision.
Replaced the autonomous-PR security scan's bare-word grep (which matched the property name `key` and failed every PR touching the resolution pathways) with a tested detector in lib/security/secret-scan.ts: it flags a credential only when a secret noun is followed by an assignment and a 16+ character quoted value, scans added lines only, and allowlists env/GitHub-secret references — while still catching real hardcoded secrets, dangerous shell, and un-allowlisted external URLs.
v7.65.47
Litigation
Federal corrections/parole resolution pathway + government-module de-dup (#1240)
Added the federal corrections/parole resolution pathway: a new 'corrections' dispute category walks the distinct federal ladder — CSC institutional request → offender grievance (initial then final) → Office of the Correctional Investigator → Parole Board of Canada + Appeal Division → Federal Court judicial review / habeas corpus — with the jurisdiction trap the generic path gets wrong (the Protecteur du citoyen has no federal jurisdiction; an ombudsman complaint suspends no appeal or judicial-review deadline). Folded the corrections-canada body into the canonical government-recourse directory (lib/litigation/government-recourses.ts) and removed the redundant parallel lib/litigation/government-bodies.ts introduced in #1238.
v7.65.46
Localization
Government-service recourse directory (#1238)
Added a para-judicial gateway: lib/litigation/government-bodies.ts maps 21 Québec and federal public bodies (RAMQ, SAQ, SAAQ, Revenu Québec, Hydro-Québec, health network, social assistance, Retraite Québec, municipality, school, police ethics, CNESST, IVAC, CRA, EI/IRCC, federal pensions, student aid, CERB, federal corrections/parole…) to their specific recourse ladder — the exact order a self-represented litigant must exhaust before court, with the jurisdiction traps the generic path gets wrong (Protecteur du citoyen covers RAMQ/SAAQ but not SAQ/Hydro; 15-day municipal notice; 90-day tax objection). Bilingual, editions-pluggable, orientation deadlines only.
Fixed a production build failure: #1073 added a required commandCenter.migrationGaps type but its en/fr dictionary strings were dropped during the rebase, so tsc failed during next build and every deploy since 7.65.43 errored. Restored the bilingual migrationGaps strings so the site builds and deploys again.
v7.65.43
Ops / CI / infra
Migration renumber plan + gap-checker follow-through (#939)
Added the DBA-handoff MIGRATION_RENUMBER_PLAN.md documenting the duplicate-numbered migrations to renumber, and corrected the count from '12 duplicates' to the actual 7 extra files. Kept main's existing gap-checker (scripts/check-migration-gaps.mjs) and added a drift-tolerant guard test.
v7.65.42
Security
Email/magic-link auth-config audit (#103)
Added an email-auth configuration audit helper (lib/auth/email-config.ts) surfacing whether the magic-link/SMTP env is set. Fixed the presence check to trim env values, so whitespace-only variables are correctly treated as not-configured.
Fixed a malformed changelog object in dictionaries/en.ts and fr.ts introduced while stacking the 7.65.40 entry during a rebase — the 7.65.40 entry's changes array and object were left unclosed, breaking the TypeScript/build parse. Restores valid structure so the site builds and deploys.
v7.65.40
Accessibility
WCAG AA contrast fix — SafetyNotice light-theme legibility
Fixed WCAG 2.1 AA contrast failures in the SafetyNotice life-safety banner under the manual light theme (data-theme="light"); the dark default theme is unchanged.
Prominent/emergency banner (and the /emergency page variant): replaced text-rose-50 (#fff1f2) with text-fg so disclaimer text renders as dark navy (#16213e) on the light-rose background — contrast rises from ~1.23:1 to ~11.8:1.
Discrete banner (Québec institutional edition): added a safety-notice-subtle class with a light-mode override that swaps the pale gold tint for the standard near-white surface and darkens the gold accents (#8a6516), lifting them from ~1.4:1 to ~5.2:1.
v7.65.35
Governance
High-severity fixes: audit integrity, OCR race, lost edits, test coverage, approval gate
Fix (#1199): audit-trail redaction no longer strips legitimate forensic fields (author/authority/signingDate) via broad prefix matching, and no-metadata entries no longer verify as falsely TAMPERED — the stored and hashed payloads now agree.
Fix (#1202): background OCR uses a monotonic generation counter instead of a boolean abort flag, so a superseded batch can't interleave results into a new import; the Tesseract worker is disposed on every abort path, and files that error now show an inline Error/Erreur marker instead of a false ✓.
Fix (#1203): Workspace.update() uses a functional state updater and persists the committed value, so concurrent edits from different panels no longer silently overwrite each other locally or on the server.
Fix (#1205): the test suite is now glob-discovered (scripts/run-tests.mjs) instead of a hand-maintained file list, so newly-added suites always run in CI and a single bad path can't abort the whole run.
Fix (#1200): the human-approval gate reads its timeout per call (unfreezing the test override) and drops dead code; the shared-store requirement for serverless callbacks is tracked as follow-up.
v7.65.27
Ops / CI / infra
Fix: unbreak production deploys (build no longer dies on unreachable DB)
Critical (#1192): every production deploy had been failing because the build runs scripts/apply-migrations.mjs first, which tried to reach Supabase's IPv6-only direct Postgres endpoint from Vercel's build container and got ENETUNREACH — killing the build before next build ran, so the live site was frozen on an old version regardless of what merged. The migration runner now treats network-unreachable/connection errors as a clean skip (the Next.js build doesn't need the DB) while keeping genuine SQL/migration errors fatal; REQUIRE_MIGRATIONS=1 forces strictness. Production deploys can succeed again, so version bumps and content actually reach the site.
v7.65.22
Governance
Version reconciliation — credit unversioned merged work
Reconciled the platform version from 7.56.46 to 7.65.22. Many feature PRs (courtroom engine, cryptographic ownership, audit trail, backup/retention/incident gates, provider payouts, malware/CSAM safety, the reminder system, document taxonomy, profession registries, service funnels, the EFSP adapter, and more) had merged from old branch bases carrying stale version bumps, so they advanced the version by zero and their release points were lost. This single bump credits 876 release points — 816 from 65 stale/no-bump feature merges plus the new-database migration, Google Sign-In integration, and Settings & Operations v7.0 groundwork — per the lib/versioning/release-points scheme. Single source of truth for both juge.ca and judge911.com; full per-PR audit in docs/VERSION_RECONCILIATION_7.65.md.
Docs (#1175–#1183): added a design-only architecture brief (docs/architecture/settings-operations-v7-brief.md) for Settings & Operations v7.0 — capability model + role lenses, an append-only Audit Event Store over the existing hash-chained substrate, workspace/EULA, auth surfaces, settings shell, a dependency graph, and Loi 25 / RLS considerations. No production code; implementation follows after design review.
v7.56.45
Localization
Spanish locale for the Copilot panel
i18n (#1128): localized all 41+ user-facing strings in the Copilot panel and its client to Spanish (es), including the payment-critical quota / subscribe / checkout-failed messages, so es users no longer see English. check:i18n-gap reports 100% es parity.
v7.56.44
AI & automation
Per-user rate limiting on AI routes
Security (#1131): added per-authenticated-user rate limiting (20 req/min, HTTP 429 + Retry-After) to 5 AI routes (translate, chronology, marketplace, extract, research-memo) that could exhaust the Anthropic budget, reusing the existing SlidingWindowRateLimiter. Keyed on user id; guard runs before any model spend; AI output unchanged.
v7.56.39
Security
Defense-in-depth: explicit authentication gate on 7 litigation API routes
Security (#1122): added an explicit getUser() → 401 then can_access_matter → 403 authorization gate to 7 litigation API routes (evidence views, facts, admissions, exhibits, witnesses, bates, production — 13 handlers) that previously relied solely on row-level security. Defense-in-depth on top of RLS — no policy changed; unauthenticated reads now return 401 instead of an empty 200.
Security — founder recovery (#1129): the recovery secret is now accepted only via the x-auth-recovery-secret header (no request-body fallback that proxies/WAFs log), and the live magic-link is no longer returned in the API response — it is delivered by email instead.
Security — activity telemetry (#1132): POST /api/activity now enforces per-IP rate limiting and only accepts matter-bound signals from authenticated callers who can access that matter, closing a database-flood and analytics-poisoning vector.
Security — marketplace relay-inbound (#1130): the inbound-mail secret is no longer read from the URL query string (logged by proxies/CDNs); it is accepted via header, HTTP Basic auth, or the request body with a constant-time comparison.
Security — class-action claimants (#1149): added an explicit owner/admin authorization check on top of row-level security before reading or writing claimant data.
Fix — ChronologyGrid (#1143, #1144): the AI Fact-Proven action is wrapped in try/finally so its button can no longer get stuck disabled, and AI errors now surface inline instead of failing silently.
Fix — JusticeHome (#1148): JSON-backup import failures now show an inline, localized error notice instead of a native browser alert().
Fix — AskQuestion (#1133): raw HTTP status, provider name, and request ID are no longer shown to end users; a generic localized message is shown and the details are logged to the console.
Accessibility — NotificationBell (#1136): the notification dialog now receives focus on open, restores focus on close, and closes on Escape (WCAG 2.4.3).
Accessibility — Remedies & close-matter dialog (#1138, #1139): the pursuit-status and case-outcome selects now have accessible labels, and the close-matter dialog manages focus and closes on Escape.
Accessibility — DocumentIntake (#1137): Copilot priority indicators now carry a visible text label so priority no longer depends on color alone (WCAG 1.4.1).
Fix — Google OAuth readiness (#1118): the readiness gate now requires the server-side GOOGLE_CLIENT_ID, not just the public browser client id, before reporting the integration as configured.
Chore: relocated loose root files into a gitignored .attic/ and stopped throwaway .claude/worktrees checkouts from polluting git status.
Fix — RLS audit (CI): removed phantom `orgs`/`org_memberships` entries from the RLS table registry; the canonical tables are `organizations`/`organization_members` under migration 0084, and migration 0092 explicitly forbids parallel `orgs` tables — restoring a green RLS-audit harness.
Fix package.json 'test' script: a stray quote and a dropped comma (introduced by the #1169 rebase) produced invalid JSON that failed the Vercel build before Next.js even started. Restores parseable JSON so deploys succeed.
v7.56.32
Localization
QA fixes: legal-aid i18n badge, notary static params, ChronologyGrid AI preview, Copilot status code
Fix /marketplace/legal-aid: 'Recommended' badge and perMonth visibility now locale-aware — badge uses FR/EN label prop, free tier detection is config-driven (tier.maxMonthlyCAD === 0) instead of brittle string comparison.
Fix /marketplace/notary: add generateStaticParams so the page is pre-rendered at build time and sitemap paths resolve correctly.
Fix ChronologyGrid ✨ AI Fact Proven button: AI suggestion now populates the input for user review instead of auto-committing; onBlur commits when the user accepts or edits.
Fix Copilot: 'not-configured' error path now includes the HTTP status code for easier debugging, consistent with the generic error branch.
Add jurisdictions.contentScaffold i18n strings (EN + FR).
v7.56.29
Localization
ChronologyGrid: locale-aware fact date formatting
Fact dates in the Chronology grid and Judge (print-ready) view now render in a locale-aware short format (e.g. '15 janv. 2024' in French, 'Jan. 15, 2024' in English, '15 ene. 2024' in Spanish) instead of raw ISO strings. The date input field used during editing still receives the ISO value required by the HTML date picker.
v7.56.28
Evidence
Rule-enforcing Courtroom Reducer Engine
Introduced lib/courtroom/types.ts — canonical types for the deterministic trial state machine: TrialPhase (ARRAIGNMENT → BAIL_HEARING → PRELIMINARY_INQUIRY → TRIAL_PREP → TRIAL → DELIBERATION → SENTENCING), PartyRole, CourtAction union, TrialState, and ReducerResult.
Introduced lib/courtroom/reducer.ts — pure reduceTrialState() function that enforces five procedural rules: (1) Objection Lock (witness speech and evidence submission blocked while an objection is PENDING), (2) Judge-only permissions for ruling on objections, admitting/excluding evidence, and advancing phases, (3) Attorney-only permissions for raising objections and submitting exhibits, (4) Witness Stand Gate (witnesses may only speak in TRIAL phase when designated as activeWitnessId), (5) Deliberation Gate (only JURORs may speak during DELIBERATION).
Added lib/courtroom/__tests__/courtroom.test.ts with 25 deterministic unit tests covering all five rules, full phase progression, audit log integrity, and edge cases (duplicate objections, phase regression, empty-stand dismissal).
v7.56.13
Content / legal
Release v7.56.13
Tagged release v7.56.13.
v7.56.3
Workspace & matters
Last-activity date on matter cards
Each matter on the workspace home now shows its most recent activity date, derived from the matter's facts, creation, and closing — so you can see at a glance which files are moving.
v7.56.2
Workspace & matters
Mobile section navigation for the workspace
Added a mobile bottom navigation bar to the matter workspace: the four primary sections (Summary, Documents, Advice, Deadlines) plus a "More" menu for the rest.
Each section keeps its own scroll position when you switch, so you no longer jump back to the top.
The open matter and section are now deep-linkable via the URL, so you can return to exactly where you were.
v7.56.1
AI & automation
Fix hearing-prep readiness (Fix #1027)
New hearing readiness scorer (lib/litigation/hearing-readiness): evaluates concrete prep deliverables (hearing date, examinations, argument points, checklist, exhibits, issues, notes) starting from 0% on an empty matter, avoiding falsely elevated readiness scores.
Fixed vacuous defaults in court readiness (lib/litigation/readiness): empty dimensions (procedures, deadlines, exhibits) now score 0% instead of high defaults.
Updated Copilot (components/workspace/Copilot.tsx): Card 5 now uses the new specific hearing readiness score instead of the general court-readiness overall score.
Added and updated unit tests to validate deterministic behaviors and new edge cases in the readiness triad.
v7.56.0
Evidence
Chronology Evidence Command Center
Rebuilt the matter chronology — in both the Chronology tab and the hearing-prep timeline wall — as a verifiable grid: Date, Event, Fact Proven, Narrative, Source, and Status columns.
Click any row's source to open the original document (PDF/image) and verify the entry; status badges show confidence (human-verified, multi-document corroboration, AI-extracted, or conflict).
Fixed date normalization so ambiguous formats (e.g. US-style 6/9/26) resolve correctly and flag uncertainty instead of silently mis-sorting the timeline.
Added cross-source conflict detection, instant issue/witness filters, and five role views (Investigation, Lawyer, Judge one-page/print, Witness, Damages), plus an advisory AI clean-up that rewrites an event from its source quote.
Shared one chronology command center across the self-represented and attorney workspaces.
v7.55.83
Ops / CI / infra
Control Plane Ingestion Microservice & HMAC Verification
Introduced a new secure, event-driven ingestion microservice under services/control-plane-ingest for processing Vercel webhook events.
Implemented HMAC-SHA1 signature verification using raw request body buffers to authenticate incoming webhooks securely.
Wired Pub/Sub publisher logic to forward verified, normalized events to Google Cloud Pub/Sub for downstream rule evaluation.
Insulated main Next.js project compilation by excluding the services directory in tsconfig.
v7.55.75
Security
Auth callback 500 hotfix
Fixed an HTTP 500 on /auth/callback and /auth/confirm that blocked all sign-in completion (OAuth, magic-link, and email confirmation): the server route handlers imported the redirect helper safeNext from a 'use client' module, so calling it on the server threw.
Moved the pure routing helpers safeNext and portalFor into a server-safe module (lib/auth/portal-routing.ts) and re-exported them from the client module, so the route handlers no longer cross a client/server boundary. No change to redirect behavior.
Set auth callback and confirmation routes to force-dynamic to prevent static rendering errors under Next.js 15.
Wrapped core code/OTP exchanges and route handlers in try-catch blocks to gracefully redirect to fallback paths on verification errors or timeouts instead of serving a 500 error page.
Fixed a time-bomb test failure in litigation administrative deadline tracking.
v7.55.72
Security
Password-reset link path fix
Password recovery emails now use a dedicated /auth/callback/reset path so Supabase redirect allow-list matching no longer strips the post-login destination.
The reset page waits for the recovery session before scrubbing auth tokens from the URL, and can exchange a stray ?code= if the link lands there directly.
v7.55.71
Security
Sign-in flow hardening
Normalized email addresses before Supabase auth calls so copied spaces or casing do not cause avoidable failures.
Distinguished unconfirmed-email responses with an actionable message instead of a generic credential failure.
Added a post-login redirect fallback when profile/portal resolution is temporarily unavailable after a successful session.
Moved auth callback redirect validation into a server-safe module so email, magic-link, and password-reset callbacks no longer fail at the server/client boundary.
Carried expired-link errors to the reset and login screens with clearer guidance to request the newest email link.
Implemented the Stripe Connect payout reconciliation poll as a safety-net for the settlement webhook, so a missed transfer reversal or confirmation is still corrected on the next sweep (idempotent, inert until payouts are configured).
Added unit coverage for the reconciliation poll and wired the payout webhook/reconciliation tests into CI.
Added unsigned counsel/CPA/native-reviewer artifact templates for the jurisdiction-legal, native-language, tax-posture, and payout-runbook pre-activation gates — no gate is closed or activated by these drafts.
v7.55.69
Privacy (Law 25)
Open privacy issue control plane
Added a tested registry for the open privacy-related issues, tying every item to shipped modules, acceptance criteria, and remaining human gates.
Added a Settings disclosure for account deletion and data rights, routed through the audited Law 25 flow instead of an immediate destructive delete.
Formalized App Store and Google Play data-safety answers with Canadian storage, no data sale, and explicit exclusions for human-only declarations and approvals.
v7.55.44
Litigation
Next 20 open-issue platform batch
Closed the next 20 non-human-gated open issues across marketplace liquidity, compliance, mobile offline access, rich-feature readiness, lifecycle continuity, filing, notifications, and product polish.
Added tri-edition procedure scoping so reviewed Quebec procedure templates do not render as live Canada-wide or US procedure.
Added tested secure-offline mobile posture and a completion registry tying all 20 issues to shipped modules and acceptance evidence.
v7.54.49
Ops / CI / infra
Bailiff migration deploy fix
Made the bailiff tariff correction migration safe to re-run after production has already promoted the tariff id column to a primary key.
Added regression coverage for the guarded primary-key promotion and kept the deploy-blocker release metadata in lockstep.
v7.54.44
Security
Release handoff validation
Added a follow-up release metadata update after the manual security review of the autonomous PR.
Kept lib/version.ts, package.json, package-lock.json, and the bilingual changelog in sync for the GitHub handoff.
v7.54.43
Security
25-issue foundation batch
Closed a new 25-open-issue batch without touching human gates, counsel approvals, payments, CSAM, jurisdiction launches, or live provider integrations.
Added a tested mobile foundation covering edition identity, auth redirects, deep links, evidence capture, document annotation, push readiness, and native release gates.
Added a tested completion registry tying every selected issue to shipped modules, acceptance criteria, and the batch versioning proof.
v7.54.18
Release metadata
Release metadata bump
Bumped the platform release metadata from 7.54.17 to 7.54.18.
Kept lib/version.ts, package.json, package-lock.json, and the bilingual changelog in lockstep.
v7.54.17
Content / legal
Bailiff tariff service and estimator expansion
Added a server-side TariffRuleService for the bailiff estimator: active rows in bailiff_tariff_rules now win, and the in-code placeholder is used only when no active tariff row exists.
Expanded the static estimator beyond service of documents to judgment enforcement and eviction, including enforcement-time and complexity reserves in the Low / Likely / High calculation.
Kept OQ-29 through OQ-32 human-gated: placeholder tariffs remain low-confidence pending counsel-maintained tariff, tax, distance, and recovery inputs.
v7.54.07
Evidence
25-issue admin-authorized implementation batch
Closed the latest 25-issue batch with admin-authorized gates, including Epic 20 bailiff prediction, marketplace routing, actual-cost feedback, root hygiene phase 1, and v3.0 completion evidence.
Recorded OQ-29 through OQ-32 decisions as admin-authorized while preserving human approval for dispatch and low-confidence labels until reviewed data matures.
v7.53.07
Accessibility
WCAG audit closure
Registered the command-center WCAG 2.2 AA audit against task #631 with shipped contrast math, ARIA tab wiring, and review evidence.
Added a tested accessibility completion registry proving the audit maps to concrete modules, tests, and invariants.
Documented the manual per-tab pass posture for command landing, jurisdictions, impact, editions, surfaces, subsystems, and DevOps tabs.
v7.53.02
Jurisdictions
Command foundation closure
Registered the what-changed feed, edition-scoped readiness donut, readiness matrix, and funnel diagnosis against tasks #649, #650, and #652.
Added a tested command completion registry proving each task maps to shipped modules, reviewable tests, and operator-facing invariants.
Kept the command center deterministic: feed ordering is stable, readiness math is finite, and funnel fixes carry measurable labels.
v7.52.92
Jurisdictions
Actuation foundation closure
Registered the governed runner, proposal decision workflow, and confidence escalation gate against tasks #670, #672, and #679.
Added a tested completion registry proving each foundation task maps to shipped modules, reviewable tests, and human-control invariants.
Kept actuation default-off: the runner opens pull requests only, human-gated tasks are skipped, and low-confidence reasoning escalates before any side effect.
v7.52.82
Governance
Brain cognition completion
Registered the shipped read-only brain run, reasoning playbooks, CEO/CTO/CFO briefs, anomaly detector, and salience queue against tasks #665 through #669.
Added a machine-checked completion registry proving each task maps to a shipped module and at least two reviewable proof points.
Kept the brain advisory-only: world and memory reads, brain_log append, governance audit, and founder queue reads remain the only approved surfaces.
v7.52.72
Intake & onboarding
Live integration bindings
Added read-only GitHub and Vercel binding readers for the production branch, commit state, and bound deployment projects.
Added Stripe revenue cards through an injected revenue client, aggregating gross, net, fees, and transaction count by currency without moving money.
Added Vercel Analytics edition and surface metric normalization with project-bound reads, provider readiness reporting, and full mock coverage.
v7.52.47
Governance
Governance owner decisions
Resolved OQ-13 through OQ-22 as typed owner decisions covering repo/Vercel binding, impact weights, ethics ownership, Judge911 scope, analytics binding, risk appetite, approver lanes, and autonomy ceiling.
Added regression coverage proving the master-plan open questions are answered while consequential actions still require approval and phase_3 actuation remains outside the current ceiling.
Documented the 2026-06-22 governance decision record without weakening the existing kill switch, ratchet, approval, or confidence gates.
v7.52.37
Jurisdictions
Lifecycle foundations
Closed the first foundation batch with edition-scoped resolution pathways, manual deadline posture, and archive retention so non-Québec matters no longer show unreviewed Québec-only content.
Added the lifecycle cascade engine: confirmable deadline proposals for service and judgment, blocking-precondition panel, lifecycleAudit ledger, and mandatory human confirmation before any deadline is saved.
v7.51.37
Jurisdictions
Draft PR reconciliation
Reconciled the remaining approved draft PRs after the 23-PR batch and preserved the current production release train.
Shipped partnership lanes for legal professionals, justice-sector institutions, academia, non-profits, technology platforms, enterprise partners, and capital partners.
Closed stale draft sitemap/theme work as superseded by the current main implementation rather than reintroducing old layout and changelog state.
v7.51.7
Security
23-PR batch and 10 issue closures
Integrated the 23 remaining ready PRs as one batch, with centralized conflict resolution for version and register files.
Closed the 10 selected open issues (#502, #500, #493, #451, #445, #443, #442, #440, #436, #433) through their already-prepared end-to-end PR fixes.
Added operations resilience, payments, notifications, EFSP filing, marketplace, document-security, and content-provenance safeguards in one traceable release.
v7.48.77
Ops / CI / infra
Vercel deploy payload fix
Anchored .vercelignore rules to root folders so large local artifacts are excluded without removing lib/docs from the Next.js build.
Restored the production compile after the Module not found failure on workspace document templates.
v7.48.76
Security
82-PR release train and resolution pricing
Closed 82 approved PRs in the release train and applied the +820 release-point catch-up from 7.40.56 to 7.48.76.
Repositioned the Pricing page around Proof of Attempts™: 50 free problems, then per-problem pricing and prepaid credits.
Added credit packs, the Problem → Court escalation ladder, updated public tiers, matching pricing smoke/persona expectations, and the missing filing_submissions RLS registry entry.
v7.40.56
Payments
Bailiff cost estimate foundation
Added Epic 20 planning and the §35 bailiff charge prediction spec as the controlled foundation for operational service-cost estimates.
Added a gated bailiff tariff table plus deterministic Low / Likely / High estimate logic with line items for base service, attempts, travel, after-hours reserve, third-party costs, and tax reserve.
Added the manual estimate panel to the service form without changing today’s checkout amount or dispatch flow.
v7.40.55
Ops / CI / infra
Vercel release-global build hardening
Reduced Next.js build and static-generation concurrency on Vercel builders so the release-global deployment can complete within the standard 8 GB build container.
Kept local development and non-Vercel builds unchanged while preserving the brain and attention features as read-only advisory surfaces.
Documented the PR #847 deployment failure as a Vercel build OOM, not a brain runtime or cron authorization failure.
v7.40.54
Notifications & email
Reminder unsubscribe and suppression list
Added a one-click unsubscribe endpoint for email and SMS reminders, verified by signed tokens and backed by a persistent suppression list.
Connected the delivery layer to the suppression list so a suppressed reminder is logged without calling the email/SMS provider.
Added a deny-by-default RLS migration and regression coverage for pre-send blocking and signed unsubscribe links.
v7.40.44
Notifications & email
Proactive deadline alerts
Replaced the short deadline reminder cadence with the EPIC 17 proactive 90/60/30/14/7/3/1-day escalation ladder.
Kept hearing and appointment reminders on their existing operational cadences, with no cross-edition leakage or automated legal advice.
Added regression coverage for due-window selection, email/SMS multi-channel delivery, per-channel idempotency keys, and the overdue-deadline red strip.
v7.40.34
Privacy (Law 25)
Connector action layer, tenant-isolation harness, and attention controls
Added a governed connector-action layer in default-off mode: every connector action must clear the action registry, the UPL/Law 25 inhibitor, the governance gate, and an explicit executor opt-in before any side effect — and the shipped registry wires no executors at all.
Hardened the actuation gate to refuse any request below an actuating maturity phase, keeping the default ceiling provably zero-execution.
Added a row-level-security audit harness that locks in cross-tenant matter isolation as a continuous regression check.
Added an attention-axis filter and a compliance/blocker tracker to the Command Center operator panels.
v7.40.33
Content / legal
Governed operations, deadlines, safeguards, and learning
Added the governed actuation layer in default-off mode: the runner opens PRs only after phase ceiling, ratchet, kill switch, confidence, and human approval checks pass.
Added the proposal-to-approval flow for admin actions, with audit logging and a new approval surface before any action is carried out.
Added the Law 25/PIPEDA founder access register for cross-matter reads, with immutable logging and founder_admin-only register reads.
Added Command Center tabs for editions, surfaces, subsystems, DevOps, readiness, and operator panels, with admin routes and regression coverage.
Added the UPL/Law 25 hard-inhibitor layer and adversarial UPL assessment gate so blocked brain output is not persisted and unsafe advice probes stay fail-closed.
Added the advisory reward-learning layer that scores outcomes against typed objectives and emits bounded, audit-shaped refinement signals under the governance ratchet.
Added UPL-safe deadline presentation and a multi-jurisdiction deadline framework, with jurisdiction-pack and presentation regression coverage.
Fixed surface-view analytics ingestion so instrumented public pages no longer emit browser-side 400 errors.
Fixed changelog category inference so legal problem front doors and governance registries are no longer shown as jurisdiction rollouts.
v7.39.33
Ops / CI / infra
Fail-loud migration gate before build
The build script now fails loudly when migration application fails, preventing deploys with missing or partial schema changes.
RLS verification remains advisory during build, surfacing policy drift without masking the mandatory migration gate.
Aligned the package version, lockfile, and bilingual changelog so the CI hardening ships as its own traced release.
v7.39.32
Content / legal
Edition-aware legal problem front doors
Added public /problems and /problems/[slug] routes that render front-door groups, category pages, and guided problem workflows for the active edition.
Added US, Quebec, and global consumer problem taxonomies with localized labels, summaries, workflow steps, route resolution, and slug uniqueness coverage.
Wired the Quebec homepage to show French-first legal problem cards while Judge911 gains a guided US problem workflow section.
v7.39.7
Workspace & matters
Shared professional-workspace lifecycle
Added the shared professional-workspace foundation: a common module library, invited-scope context switcher, availability gate, and one closed assignment lifecycle for role workspaces.
Added hash-chained assignment audit records, idempotent accept/decline/revoke handling, immediate revocation, and default-deny module access for invited scopes.
Added UTC-store/local-render deadline helpers and regression coverage for lifecycle transitions, scoping, audit chaining, availability, revocation, and deadline behavior.
v7.38.82
Governance
Canonical human-gate registry
Added the typed human-gate registry for never-auto surfaces: CRM writes, regulated-surface enablement, free A2J floor changes, security canaries/break-glass, and spec/version bumps.
Added pure helpers that classify gated subjects and require an explicit approved GovernanceApproval with approver and timestamp before a gate clears.
Documented the gate categories, handoff convention, and registry tests so human-gated issues cannot be marked Done by autonomous work alone.
v7.38.81
Ops / CI / infra
Operator-exclusion canaries in CI
Added an operator-exclusion canary harness that exercises consent-gated unwrap, audit-commit fail-closed behavior, and hardware-attestation gates before any protected plaintext can be released.
Added negative-control and meta-canary tests for G46, G102, G104, and G107 so wall-weakening providers red-fail the suite.
Added a dedicated CI step and npm script so the canaries run continuously on pull requests and pushes without requiring secrets.
v7.38.80
Security
Audit-chain anchor export
Added audit-chain anchoring that reads a tenant chain, verifies it end-to-end, computes the Merkle root and chain head, signs an independent notary anchor, and persists it to audit_chain_anchors.
Added offline proof-bundle export for individual audit records so third parties can verify record integrity with only the signed anchor and notary secret.
Added regression coverage for sequence-ordered reads, signed anchor persistence, empty/broken-chain refusal, offline verification, tamper failure, and missing-anchor failure.
v7.38.55
Security
Quorum-gated break-glass core
Added the G48 break-glass decision core for the only no-consent operator path to a protected object, with object/scope binding and owner-indicator metadata.
Enforced distinct security, legal, and executive approver identities with single-operator denial, policy-capped time boxes, and fail-closed authorization checks.
Added trigger/release audit-event builders and recorders that append to the tamper-evident audit chain, with deterministic tests for quorum, expiry, object scope, and verifiable audit trails.
v7.38.30
Content / legal
Class-action product surface
Added a private /app/class-actions console for creating class actions, reviewing claimant roll-ups, running settlement distributions, and sending class notices.
Added class-action API routes for owner-scoped CRUD, claimant opt-in/out and eligibility updates, persisted pro-rata distribution runs, and SMTP-backed mass notifications that degrade safely when mail is unconfigured.
Extended the class-action engine with persistDistribution(), which upserts claimant_distributions idempotently and moves the action into distributing, with regression coverage for the persistence contract.
v7.37.30
Security
Adobe Sign e-signature substrate
Added migration 0086 for esign_agreements and esign_recipients, scoped to matters, documents, and service orders.
Added the pure agreement model for commissioning and procedure-package signature requests, Adobe status normalization, signed-document and audit-certificate storage paths, and matter-activity mapping.
Added env-gated Adobe Sign provider request shaping plus service-role-only persistence/RLS guard tests so users cannot forge signature status or audit references.
v7.37.05
Evidence
Video session engine for commissioning
Added migration 0085 with video_sessions and video_session_participants linked to matters, sworn-document orders, and service orders.
Added a typed video lifecycle engine for scheduling, entering a session, participant verification, attendance, RON-gated recording controls, and audited completion/cancellation.
Separated read and manage authorization in the RPCs so participants or review-only readers cannot start, cancel, complete, or enable recording without an authorized role.
v7.36.05
AI & automation
AI research-memo route
Added POST /api/ai/research-memo so the deterministic §29.9 assembler now flows through runAiRequest with capability gating, matter scope, and fail-closed audit.
Added deterministic plain-text research memo rendering with the advisory banner, issues presented, proposition-by-proposition analysis, cited authorities, and research gaps.
Added no-network shape tests for rendering, locale handling, and orchestrator-result mapping, and registered the route test in npm test.
v7.35.95
Localization
Québec TPR taxonomy scaffold
Added a pure lib/taxonomy/tpr.ts module for the Québec Taxonomie Professionnelle de Référence, with TprCode/TprEntry types and tprByCode, allTprCodes, and isTprCode helpers.
Published only the four spec-named codes as counsel-pending placeholder content, with no provider, matcher, or scope-decision wiring.
Added integrity tests for unique codes, bilingual labels, resolved parents, and the counsel-pending status so counsel-confirmed taxonomy content can replace the placeholder set without changing the API.
v7.35.94
Security
Organization sharing foundation
Added migration 0084 with organizations, organization members, and cross-organization matter shares so firms and legal teams can be modeled directly.
Connected cross-firm sharing through the can_access_matter_via_org RLS predicate, limited to active organization members, accepted unexpired full-scope shares, and non-archived matters.
Explicitly preserved the existing owner, matter_access, full-scope review-share, and founder/admin access arms, with a structural test covering the migration number, live-only access, and audited acceptance flow.
v7.35.69
Workspace & matters
Portfolio and pre-matter dispute foundation
Added migration 0083 with portfolios, pre-matter disputes, and optional portfolio placement for matters.
Added atomic dispute-to-matter conversion that preserves the source dispute, keeps ownership, links the created matter, and records both audit and immutable matter activity.
Added a typed server wrapper and structural migration test covering the migration number, owner-scoped RLS policies, and conversion invariants.
v7.35.44
Workspace & matters
Timeline generated from matter activity
Connected the litigation timeline to the immutable matter_activity stream so manually entered facts merge with system events for views, downloads, shares, and other object actions.
Added fact/activity provenance to timeline items and kept system events out of asserted-fact conflict detection.
Updated the litigation tools panel with Facts, Events, and Conflicts counters plus an auto badge for generated activity events.
v7.35.34
Brand & marketing
Governed marketing-claim inventory
Added a typed registry of marketing claims to realign, covering automatic chronology, unlimited document types, available-today feature claims, and strategy/prediction messaging.
Added a human-readable inventory doc and inert detector that can power a future CI guard without blocking current copy before product and counsel sign-off.
Added tests that lock the registry shape, claim families, counsel-gated strategy/prediction posture, and the absence of approved exceptions at this slice.
v7.35.33
Litigation
Multi-edition procedure template plan
Added the #587 plan for replacing Québec procedure templates applied to every edition with edition- and jurisdiction-aware procedure profiles.
Defined a no-behaviour-change first slice that preserves the Québec profile exactly and introduces an unavailable state for editions without counsel-reviewed content.
Named the human and counsel decisions required before non-Québec procedure profiles can be activated.
v7.35.32
AI & automation
v2.3/v2.5 gap-closure sequencing plan
Added a master plan for epic #590 that groups Master Spec gaps by foundation, hierarchy, missing engines, AI surface, multi-edition product work, and hardening.
Defined a delivery sequence that starts with the event and access substrate, then moves through Portfolio/Dispute hierarchy, video and signature engines, governed AI, product surfaces, and hardening.
Updated the first safe slice for the current migration line and reserved migrations 0083 and onward for additive epic work.
v7.35.31
Workspace & matters
Recoverable matter archiving
Added migration 0082 with deleted_at/deleted_by matter tombstones and archive_matter/restore_matter RPCs so user removal can become recoverable archiving instead of hard deletion.
Updated RLS helpers so archived matters disappear from normal views while preserving owner, collaborator, full-review-share, and read-only founder/admin access for live matters.
Added a structural migration test and hardened the production-hardening plan with explicit protected child tables and expected links into the existing audit chain.
v7.35.06
AI & automation
AI agent allow-list enforcement
Added an AI orchestration gate that denies unknown agents by default before any model call and records the denial in the tamper-evident audit chain.
Mapped AI capabilities explicitly to the authorized actions in the agent roster so each calling surface can request only the capabilities intended for its agent.
Added tests covering unknown agents, unauthorized capabilities, live surface aliases, and the explicit test-only opt-out for allow-list enforcement.
v7.34.81
Governance
Read-only cognition and attention spine
Added the read-only brain service that assembles salience, anomaly, projection, memory, and governance signals into advisory executive briefs without executing autonomous actions.
Added protected admin and cron routes for cognition and attention snapshots, with brain_log persistence and a tenant-scoped Supabase adapter.
Added tests covering anomalies, playbooks, capacity limits, governance denials, and the invariant that this layer remains advisory by default.
v7.33.81
Security
Read-only founder RLS proof
Added an RLS migration that gives admin and founder_admin roles cross-matter read visibility while keeping writes restricted to owners and authorized collaborators.
Added an executable RLS policy model and proof suite covering tenant isolation, full and subset review shares, expired or revoked shares, and unauthenticated callers.
Hardened insert gates that reused can_access_matter so a founder can audit matters without inserting comments, documents, or evidence into a client's matter.
v7.33.56
AI & automation
Litigation copilot UPL guardrails
Added a pre-model screen that redirects legal-advice requests to vetted informational copy without calling the model, so the copilot does not answer questions such as whether a user should sue or will win.
Added a post-output screen that blocks any remaining directive or predictive answer, records the event in the tamper-evident audit chain, and appends a jurisdiction-specific UPL disclaimer to every delivered response.
Added adversarial input and output tests across French, English, and Spanish to keep legal-advice leakage at zero while allowing legitimate matter-organization requests through.
v7.33.31
Privacy (Law 25)
Founder Fast-Track and user-cleanup epic plans
Added the Founder Fast-Track epic plan with a verified built-vs-remaining map, explicit residency/reminder/backup gates, and a narrow founder-only path that does not imply public-launch readiness.
Added the user wipe and HubSpot export epic plan with read-only inventory/classification scaffolding, destructive deletion and PII export gates, and Law 25 consent/backup requirements before any action.
Updated both plans to avoid stale migration-number assumptions and align with the current main migration stream before future additive implementation work begins.
v7.33.30
Ops / CI / infra
Attorney beta and backup/restore epic plans
Added the Phase 1 attorney beta epic plan with a built-vs-remaining map, the real M4 pleadings/UI-port/compliance gaps, and explicit human/counsel gates before any beta-open claim.
Added the automated backups and tested-restore epic plan with guarded restore-drill scope, Canadian-region/PITR human gates, and no live gate flips or runtime behaviour changes.
Updated both plans to reserve migration numbers only at implementation time, avoiding stale 0075 assumptions while Claude's active migration stream continues on main.
HITL policy + fail-closed approval gates (lib/governance/policy, TASK-14.2, #821): consequential-action taxonomy — money, matters, legal, communications, live — with a fail-closed execution model that blocks every action in those categories until an explicit approval record is written to the tamper-evident audit chain from TASK-14.1. Every decision is audited whether approved, denied, or timed-out. 14 tests. Completes the EPIC 14 governance prefrontal layer.
Kill switch + capability ratchet (lib/governance/ratchet, TASK-14.3, #822): global stop that halts all autonomous action immediately, plus a phase-ladder (phase_0–phase_4) that enforces autonomy ≤ governance at every level — the platform cannot unlock a higher autonomy phase until the corresponding governance gate is certified. Default ceiling is phase_0. 21 tests. Together with #821 and #767, EPIC 14 (governance/prefrontal core) is now complete.
Episodic memory store (lib/memory/episodic, TASK-9.1, #823): append-only cross-source queryable timeline that unifies event_bus, audit_chain, and matter_activity into a single coherent episodic record — any component can query 'what happened, in order, across all sources' without joining three tables manually. Migration 0076 adds the episodic_memory table with append-only RLS. 25 tests. First delivery of EPIC 9 (memory). (Note: #823 lands imminently; this entry covers it on arrival.)
Jurisdictions tab in command-center (TASK-2.2, #824): region roll-ups and a readiness-matrix gate surface show per-jurisdiction coverage status at a glance; an admin edit drawer backed by an admin-gated write route updates jurisdiction config and writes every change to the governance audit chain. 10 tests. (Note: #824 lands imminently; this entry covers it on arrival.)
Surface engagement events (lib/analytics, TASK-4.3, #831): tagged view events on 7 public surfaces (landing, about, research hub, marketplace, pricing, attorneys, jurisdictions) feed the funnel instrumentation layer so the founder can see which pages drive conversion without any raw PII leaving the server. 36 tests. (Note: #831 lands imminently; this entry covers it on arrival.)
Event ingestion bus (lib/events, TASK-8.1, #791): Stripe, GitHub, Vercel, Supabase and HubSpot webhooks are now normalized into a single replayable event format — {source, type, payload, ts} — with idempotency keys so duplicate deliveries are safe to drop. Migration 0074 adds the event_bus table with append-only RLS (admin read, service write). 29 tests. This is the perception infrastructure layer the operator command center reads from.
Founder 'What needs me now?' view (TASK-15.1, #795): the command-center default tab now lands on a live attention surface built from the selectCommandSignals aggregator — overdue deadlines, attention-flagged rows and down subsystems bubble up in priority order, with an 'All clear' empty state when nothing requires action. 7 tests. (Note: #795 lands imminently; this entry covers it on arrival.)
Operational schema spine: editions, jurisdictions, surfaces, subsystems and metrics tables with full row-level security — the persistent backbone the v3.0 task graph writes against (TASK-1.1, #705).
Operational seed importer: reproducible baseline data for all editions and jurisdictions, letting the platform boot into a known state on any fresh deployment (TASK-1.2, #726).
Founder command-center shell: tabbed readiness/attention token dashboard giving the founder a single pane of glass over platform health, open gates and required human actions (TASK-2.1, #749).
Subsystem health API fan-out (/api/health): each platform subsystem reports its own status; the health endpoint aggregates them into a structured readiness signal for monitoring and Vercel checks (TASK-3.1, #771).
Typed edition-aware analytics event taxonomy: every key product event (landing, signup, first matter, workspace surface, marketplace intent, support) carries edition, surface and required categorical properties; PII-shaped properties are rejected at the schema level so telemetry stays minimal and non-sensitive (TASK-4.1, #712).
Funnel instrumentation end-to-end: landing→account→signup→first-matter conversion funnel is now wired with typed events and aggregated server-side so the founder can see where users drop off without any raw PII leaving the server (TASK-4.2, #780).
Law 25 data-subject endpoints: access, deletion, retention and breach reporting routes satisfy Québec privacy law's data-subject rights obligations — access returns a structured export, deletion is gated on matter-closure, breach logging is append-only and auditable (TASK-5.2, #750).
Upload scanning + CSAM safety (fail-closed): every file upload is scanned before it is stored; CSAM detection fails closed — the upload is quarantined and an auditable report is written before any storage operation proceeds (TASK-5.5, #730).
Orphaned-exhibit linker: exhibits that were uploaded but never attached to a matter are detected and surfaced so the founder can resolve dangling evidence before it becomes a chain-of-custody gap (TASK-6.3, #725).
Founder overdue-deadline red alert: deadlines that have passed without resolution are promoted to a red attention token on the command-center dashboard so the founder cannot miss them during a review session (TASK-6.1, #737).
Canonical metric registry: platform-wide metric definitions live in a single typed registry — no ad-hoc metric strings, consistent dimensions, and a stable contract for the analytics pipeline (TASK-6.5, #765).
Governance audit log (TASK-14.1, #767): immutable append-only log of every governance decision and operator action; enforced at the schema level so entries cannot be updated or deleted.
QC limitation/prescription ruleset (CcQ): complete Code civil du Québec prescription periods modelled as versioned structured data with a typed reader — the authoritative source for all deadline-calculation logic in the QC edition (TASK-17.1, #738).
Prescription deadline calculator: derives the prescription deadline from the CcQ ruleset given a matter type and start date, surfaces it in the workspace timeline, and flags overdue matters (TASK-17.2, #778).
Fix /fr/login 100% bounce: hardened the French-edition authentication gate to catch getSession failures and fall back to an INITIAL_SESSION sentinel, eliminating the stuck-spinner that caused 100% bounce on /fr/login (#716).
v7.27.73
Payments
Operator action queue with agent/human split
Added a tracked plan for operator-blocked items: Supabase access, destructive user operations, Stripe Connect, attorney monetization, email/SMS, CSAM safety, malware scanning, Google Drive import and quote-service payments. The document separates agent-ready work from items that require human decisions, credentials or legal review; no production flag is enabled.
v7.27.72
Litigation
Live EFSP adapter plan for court filing
Added an implementation plan for replacing the court-filing 501 state with a live EFSP adapter: provider selection, envelope mapping, document validation, status flow, structured errors, idempotency and audit. The plan remains behind human provider decisions and credentials; no live-filing flag is enabled.
v7.27.71
Privacy (Law 25)
Safe analytics taxonomy for product events
Added a typed, provider-neutral analytics contract: key events (landing, signup, first matter, workspace surface, marketplace intent and support) now carry edition, surface and required categorical properties. Properties that look like matter content, evidence, documents, messages or personal data are rejected so telemetry stays minimal and non-sensitive.
v7.27.70
Workspace & matters
The matter timeline now shows real activity (§17)
Your matter's recorded activity — document downloads, productions assembled, and more as they wire up — now appears as a 'Recent activity' stream in the litigation timeline, read securely so you only ever see activity on matters you can access. The audit trail is no longer just captured; it's visible.
v7.27.69
Evidence
Audit timeline goes live — first real access events (§15/§17)
The matter activity stream now captures real events: every evidence download is logged, and assembling a document production (disclosure set) records a chain-of-custody event. Access events are recorded only after the server re-verifies you can access that matter, so the log reflects authorized activity only — and substantive milestones (judgments, hearings) can never be reported by a browser, only emitted by the platform at their source. The first emission points of the gap-closure foundation (#578); more lifecycle events wire up next.
v7.27.68
Workspace & matters
Matter activity stream — foundation for a true audit timeline (§15/§17)
Laid the foundation for the platform's long-promised automatic, auditable timeline: a matter-scoped, append-only activity-event store with the full §17 event vocabulary (created/uploaded/shared/downloaded/viewed/served/hearing/judgment/enforcement and more). Events are immutable once recorded, readable only by a matter's collaborators (row-level security), and written only by the platform — the substrate every object action and document access will log to, so chain-of-custody and the timeline finally reflect what actually happened. First step of a tracked gap-closure (issue #578); event emission points wire up next.
v7.27.67
Intake & onboarding
Document classification — sharper recognition of pleadings and emails (§29.4/§29.20)
Acting on the new AI evaluation gates, improved the document classifier where it was measurably weakest: it now recognizes court-pleading language (a party pleading material facts / a statement of claim) and structured email-header blocks (From:/Subject:/To:) from a document's text — cases it previously mislabeled. On the classification eval this lifts body-text-only accuracy from 60% to 100%, and the eval's regression gate was raised to lock that in. No change to filename-based classification.
v7.27.66
AI & automation
AI evaluation — measurable quality + regression gates for the AI layer (§29.20)
AI quality is now measured, not assumed. A new evaluation runner scores the platform's AI primitives against curated golden datasets — document classification accuracy, legal-citation extraction precision/recall, and how reliably the prompt-injection guard catches adversarial inputs without false alarms — and these run in continuous integration as regression gates, so a change that degrades AI quality fails the build. The founder Command Center gains an AI-evaluation view of the results. Also hardened a background-job authentication path to avoid logging a shared secret.
v7.27.65
AI & automation
AI drafting — automatic grounding so your drafts always use your latest documents (§29.22)
Drafts now stay grounded automatically. A background reconciliation job periodically embeds any of a matter's documents that are new or have changed since they were last indexed, so when you request a draft it draws on your current document set without you having to index anything by hand. The job runs with strict isolation — it only writes searchable chunks within each document's own matter, so retrieval can still only ever read documents you're permitted to see — and is bounded per run to keep cost predictable.
v7.27.64
AI & automation
AI drafting — your first approval-gated AI document drafts (§29.8/§29.23)
The first AI drafting capability is live, and it exercises the whole governed pipeline. Pick a matter you have access to and a document kind — demand letter, chronology summary, issues memo, evidence summary, or settlement proposal — and the AI produces a DRAFT grounded in that matter's indexed documents. Critically, the draft is never used automatically: it is held as a 'suggested' draft requiring your approval, lands in your review queue to approve / edit / reject, and is fully audited on the tamper-evident chain. Every draft states its assumptions, flags uncertainty, and never claims to be a lawyer or to file anything. A new panel on the AI reviews page lets you request one.
v7.27.63
AI & automation
AI orchestration Phase 4 — AI feedback loop & Command Center quality metrics (§29.20/§29.21)
Closed the loop on AI quality. You can now rate any AI output — useful, or flag it as incorrect / incomplete / irrelevant / unsafe / needs-review — with an optional note; ratings are stored privately to you (row-level security) and surfaced as drivers for improving prompts and retrieval. The founder Command Center gains an AI-quality view that reads the tamper-evident audit chain (request volume, guardrail-block and failure rates) alongside the rating distribution, so the system's quality is measurable. With the chain now the single AI record of truth, the older ai_audit_events table is formally deprecated.
v7.27.62
AI & automation
AI orchestration Phase 3 — grounded retrieval over your own matter documents (§29.17/§29.22)
The Litigation Copilot can now ground its answers in your matter's actual documents (retrieval-augmented generation). A new vector store holds embedded chunks of a matter's documents; when you ask the copilot about a matter you can access, it semantically retrieves the most relevant passages and works from them. Isolation is enforced by the database: retrieval runs through your own row-level-security session, so it can only ever read documents from matters you're permitted to see — never anyone else's. An indexing endpoint embeds a matter's documents (gated by edit access and audited fail-closed), and the embedding model is swappable without touching the rest of the layer.
v7.27.61
AI & automation
AI orchestration Phase 2 — human review & approval of AI drafts (§29.18/§29.23)
Added the review-and-approval system that lets a person approve, edit, or reject AI-generated drafts before they can be used — the §29.23 requirement that no AI material output bypasses review where approval is required. A new owner-private store (RLS-protected, service-role-write only) holds drafts a human must sign off on; the orchestrator persists approval-gated output as a 'suggested' draft fail-closed. A new review-queue page lets the owner approve / edit / reject each draft, with every decision validated against the review state machine and an app-layer ownership check before any write. Available in English, French, and Spanish.
v7.27.60
AI & automation
AI orchestration Phase 1 — copilot, marketplace & extract under the governed layer (§29.23)
Migrated the remaining AI routes onto the controlled service layer. The Litigation Copilot now runs through the orchestrator (capability + scope checks, output guardrails, FAIL-CLOSED tamper-evident audit) while preserving its Anthropic thinking mode, quota gate, pay-as-you-use metering, and citation verification. The marketplace assistants gained audit they never had (additive). Evidence extraction — a multi-call job that writes to the database — is now audited fail-closed before it runs, so no extraction happens without a tamper-evident record. The response shapes callers depend on are preserved.
v7.27.59
AI & automation
AI orchestration — approval-gate foundation for Phases 1 & 2 (§29.23)
Extended the orchestrator contract ahead of migrating the remaining AI routes: the result now exposes prompt-safety details and guardrail warnings separately (so the copilot surface keeps its shape), supports a caller-supplied request id, and adds the §29.23 human-approval gate — a counsel-signed capability→approval policy (drafting/workflow-generation require human approval; advisory capabilities do not). Approval-gated output is held as a 'suggested' draft and persisted FAIL-CLOSED for review before any use. Internal only; no route behaviour changes yet.
v7.27.58
Localization
AI orchestration Phase 0b — the controlled AI service layer + translate migrated (§29.23)
Introduced lib/ai/orchestrator.ts: the single entry point every AI request will flow through (permission → orchestrate → retrieve → model → output-review → audit → approval), with pluggable Retrieval/Model ports (pass-through in this phase). It enforces the §29.23 invariants — deny-by-default capability checks, scope enforcement, prompt-injection sanitization, post-generation legal-output guardrails, and FAIL-CLOSED audit (the tamper-evident chain write must succeed before any AI output is returned). Migrated the translate route onto it as the first consumer; the caller-visible response is unchanged. Streaming (for copilot) is intentionally deferred — tracked as a TODO.
v7.27.57
Security
AI orchestration Phase 0a — serialize the tamper-evident audit chain (§29.23)
Hardened the audit-chain writer ahead of wiring AI requests through it: concurrent appends could previously read the same chain head and one would spuriously fail, dropping an audit event. appendAuditChainEvent now retries against the advanced head on a serialization conflict (bounded, fail-fast on real errors), and a new BEFORE INSERT trigger (migration 0062) makes the database itself reject any row that doesn't chain onto the committed head — turning 'trust the app-computed hash' into a database-enforced invariant. Foundation for the §29.23 permission-checked AI orchestration layer.
Final safe-AI-Layer batch: workflow-abandonment/failed-run detection (§29.13), a storage/volume anomaly z-score primitive (§29.13), a jurisdiction+role disclaimer envelope for strategy outputs (§29.10), and a red-team / prompt-injection eval corpus exercising the live input guard (§29.20) — plus a previously-orphaned cohort-gate test wired into CI. Completes the additive AI-governance/primitive layer of §29.
v7.27.55
AI & automation
AI Layer batch 5 — context audit, eval datasets, document & research helpers (§29)
6 more pure AI-Layer modules: a scoped-context access-event auditor that feeds the existing audit chain (§29.17), typed AI eval-case + golden-dataset scaffolding (§29.20), a line/clause document version-diff (§29.4), an advisory privilege-risk + signature/stamp cue scanner (§29.4), a chronology proposed-event state machine (§29.6), and a research-memo assembler (§29.9). All pure, additive, advisory-only.
v7.27.54
AI & automation
AI Layer batch 4 — guardrails, research mapping & analytics (§29)
6 more pure AI-Layer modules: a disclosure guard (asserts AI legal output states its disclaimer/uncertainty/jurisdiction + flags uncited assertions, §29.19), an argument-map builder linking claims→grounds→rebuttals (§29.9), an aggregate cohort-gated AI-usage tally (§29.13), a timeline event-to-party linker (§29.6), a prompt-version registry (§29.22), and a likelihood×impact risk-matrix typing (§29.10). All pure and advisory-only.
v7.27.53
AI & automation
AI Layer batch 3 — extraction, sufficiency, analytics & research helpers (§29)
6 more pure AI-Layer modules: a bilingual monetary-amount extractor with verbatim spans (§29.4), a per-issue evidence-sufficiency scorer (§29.10), aggregate funnel/conversion analytics (§29.13), an agent retry/failure-policy state primitive (§29.16), an enumerated chronology-variant projector (§29.6), and a legal-authority-type classifier — binding/persuasive/secondary/procedural/regulatory (§29.9). All pure and advisory-only.
6 more pure AI-Layer modules: the AI capability matrix + governance verdict (§29.1), an explainable professional-matching engine that shows why each provider was recommended (§29.11), a unified litigation/resolution/enforcement readiness triad (§29.10), cross-document duplicate + version-diff detection (§29.4), timeline deadline-risk flagging (§29.6), and AI eval metric/dataset scaffolding (§29.20). All pure, deterministic, advisory-only.
v7.27.51
Governance
AI Layer foundations — governance primitives (§29)
Began the AI Layer (spec §29) with 6 pure, additive foundation modules + 81 tests: an AI output-review status state machine (Draft→…→Superseded), AI feedback rating types, a typed model registry + routing/cost helpers, the 12-agent capability roster with guardrails, a scoped-context model with a cross-entity-leakage guard, and post-generation legal-output guardrail checks. Types/helpers only — no live-LLM, RLS, or data surface.
v7.27.50
Evidence
Wire reviewed RON + evidence regression tests into CI
Merged two reviewed regression-test PRs (now registered in the CI test suite): RON jurisdiction-gating coverage (US FL/TX/VA/WA + QC-only, fail-closed) and the #74 'no privileged evidence in the browser' invariant (a storage error never falls back to local IndexedDB).
Reviewed + merged 3 of the held PRs after an adversarial multi-agent pass: a reusable realtime postgres-changes subscriber (data-isolation preserved), a dormant minimum-cohort gate primitive for future anonymized analytics, and the encrypted-offline security-stance doc.
v7.27.48
Localization
Machine-translation disclosure on the translate API
The AI translate endpoint now returns an explicit machine-translation provenance notice (bilingual FR·EN, 'verify against the authoritative source') and a machineTranslated flag, so callers always disclose that output is machine-generated — per the always-disclose i18n guardrail and Loi 96.
v7.27.47
Localization
AI audit logging on the translate route
The AI translation endpoint now records a metadata-only audit event per request (character counts, model, request id — never the translated text), scoped to the signed-in user, for accountability and abuse monitoring.
v7.27.46
Security
Security: auth open-redirect fix
Closed an open-redirect in the magic-link/confirmation auth flow: the post-login `next` destination is now allowlisted to same-origin paths only (rejecting //host, /\\host, and absolute/scheme URLs), with defense-in-depth on the portal resolver.
The master litigation calendar export now carries each deadline's consequence (ICS + CSV), and the Command Center surfaces a peremptory/strict deadline severity badge.
Added edition-purity, Niveau-0 lifecycle, catalog-funnel E2E, and professional-registry coverage tests to lock these behaviors against regression.
Added a state-machine determinism guard for the matter lifecycle (every step has a satisfiable forward path — no silent dead-ends), plus tests pinning edition-gating of dispute pathways and a workspace-registry governance drift-guard.
Reminder copy can now cite its own source authority (edition-pure), and the Command Center gained a per-deadline status master calendar list.
Made dispute-resolution pathways and government recourses edition-aware (filterable by edition, defaulting to Québec), and added a document-stage helper mapping document types to lifecycle stages.
Enriched the /lifecycle page with OpenGraph/Twitter SEO metadata, added ICS calendar round-trip import, professional-registry tier accessors, and an accessibility pass on the Conflict-OS stepper.
v7.27.42
Jurisdictions
Community availability note & iOS Smart App Banner
Added a data-driven 'where Juge.ca is live' note to the legal-community page, derived from jurisdiction phase data (currently Québec) — general information, not legal advice.
Added an edition-aware iOS Smart App Banner so the native app surfaces on mobile Safari when configured.
v7.27.41
Workspace & matters
Community/Academy preview, mobile deep-links & matter timeline
Added 'Community Q&A' and 'Juge Academy' coming-soon preview sections to the legal-community page (general information only, clearly not legal advice).
Mobile deep-linking groundwork: a per-edition Android assetlinks.json route, a two-listings-one-codebase architecture doc, and a right-to-left mobile smoke test for Arabic/Hebrew.
Added a unified matter-timeline read-model (merging facts, deadlines and service milestones) and corrected a stale data-sharing caveat on the share-to-attorney screen.
v7.27.40
Localization
Mobile PWA, i18n cleanup & analytics scaffolding
Added a PWA web app manifest and proper viewport/theme-color metadata so the app is installable and renders edge-to-edge on mobile, edition-aware (Juge.ca vs Judge911).
Moved the file viewer's remaining inline text into the translation dictionary with full en/fr/es parity, and extended the online-notarization (RON) rule labels to every supported locale.
Added an app-store submission reference doc, a typed confidence/provenance envelope for analytics insights, and a read-only/no-copilot banner on the shared-matter accept view.
Litigation deadline notices now follow the matter's own jurisdiction/edition instead of always showing the U.S. caption — Québec matters no longer see a U.S.-flavoured deadline note.
Document intake screens file type and size on the client before any OCR/upload — a UX guard layered on top of the authoritative server-side safety scan.
The AI copilot answer now shows an audit reference and a 'human verification required before filing' flag when citations are unverified.
Internal groundwork for right-to-left languages and the mobile app shell: an RTL-locale helper + CI guard, a per-edition mobile app-config matrix, and per-edition Apple app-site-association for deep links.
v7.27.38
Accessibility
Calendar exports, accessibility & mobile discoverability
Calendar (.ics) exports now carry proper all-day end dates and mark completed deadlines as cancelled, so they display and strike through correctly in Outlook and Google Calendar.
Accessibility: the file viewer and the commissioner online-swearing toggles now expose proper labels, dialog focus, and disabled-state reasons to screen readers.
Locale smoke-checks and deep-link domain-isolation tests now cover all 18 locales and both editions, and a MobileApplication structured-data node (with a clear 'not a court' disambiguation) was added for app discoverability.
v7.27.37
Localization
Mobile & accessibility polish — touch targets, intake, i18n disclosure
Made the file viewer and document intake touch-friendly on phones: full-width modals, 44px tap targets, multi-page photo capture, and smooth touch scrolling.
Added mobile safe-area and minimum tap-target CSS utilities, scoped to the native app shell so the web build is unchanged.
Introduced an inline 'machine-translated — verify against source' disclosure badge for translated content, plus a CI guard for French coverage of Quebec legal-surface strings.
Added a typed agent-contract module (provenance + confidence scaffolding) for the lifecycle AI roster.
v7.27.36
Workspace & matters
Lifecycle: hide non-functional modules for beta
Cleaned up the matter lifecycle view for the beta — a genuinely non-functional 'coming soon' control is now hidden behind a single explicit flag instead of showing a dead button, while everything that actually works stays visible. The toggle is one reversible switch, with no overpromised functionality.
Added a configurable data-retention policy and a scheduled cleanup that removes old records past their retention window — and always skips anything under an active legal hold, layered on top of the existing deletion guard. The destructive sweep runs only behind a secret-protected scheduled job, supports a dry-run, and logs every action to the audit trail.
v7.27.34
Jurisdictions
Edition-purity guard — no foreign-jurisdiction leakage
Added an automated check that each edition's content stays inside its own jurisdiction's vocabulary — flagging, for example, a Québec court type surfacing in the US edition or a US role in Québec. It derives the markers from the edition registry itself (so new editions are checked automatically) and can gate CI; the three live editions pass clean today.
v7.27.33
Marketplace
Provider tax-reporting export (1099-K/NEC, T4A)
Added a reporting-only generator that totals what each provider was paid in a tax year and produces 1099-K/1099-NEC (US) and T4A (Canada) export rows + CSV. It only summarizes existing payout records — it computes no tax owed, files nothing, and moves no money; reporting thresholds are configurable and flagged for finance/counsel confirmation.
v7.27.32
Workspace & matters
Professional's progress flows back into the matter
When a professional you engaged from a matter updates their order (accepted, in progress, served/done, cancelled), that progress now maps back onto the matter's service request and ticks its milestones — so 'Served' can later arm the response clock, all without leaving the matter.
v7.27.31
Notifications & email
Reminder-engine test coverage
Hardened the deadline/hearing/appointment reminder engine with a comprehensive test suite — edition-aware lead times, duplicate suppression, unsubscribe-link integrity, quiet-hours and preference gating, and odd inputs like past or malformed dates.
v7.27.30
Workspace & matters
Engage a professional from a matter — linked order + scoped share
Engaging a bailiff/service from inside a matter now creates a real marketplace order linked back to that matter, and remembers the order on the request so its status can flow back later.
Added scoped, time-boxed sharing of a matter with the engaged professional — a review-only grant limited to the documents you choose, expiring after a set window (default 30 days), never opening the whole file.
v7.27.29
Marketplace
Marketplace orders link back to the matter
A marketplace order can now record which matter it serves and which documents/evidence were shared with the professional — the data link that lets engaging a bailiff, notary, or expert happen inside a matter. You can only link an order to a matter you own, enforced by the database.
A matter under an active legal hold can no longer be deleted — the database refuses the deletion (for everyone, including automated processes) instead of silently destroying preserved evidence. The app shows a clear message to release the hold first.
Added an operator runbook for database backup and a tested-restore drill, and extended the data-isolation checks to confirm the new legal-hold deletion guard works.
v7.27.27
Workspace & matters
Behavioral data-isolation checks
Added a verification tool that exercises the live database to confirm one account cannot read another's matter, and that the tamper-evident audit log truly rejects edits and deletes. It runs entirely inside a rolled-back transaction, so it writes nothing.
v7.27.26
Evidence
Evidence integrity verified before court production
When assembling a Bates-stamped court production, each file's stored bytes are now re-checked against the SHA-256 hash recorded when it was ingested. If a file was altered in storage since then, the production is stopped with a clear tampering warning instead of producing compromised evidence.
v7.27.25
Evidence
Server-side evidence integrity hash (chain of custody)
Uploaded evidence is now fingerprinted with a SHA-256 hash computed on the server from the bytes actually stored — not a value supplied by the browser — so the file can later be proven unaltered. The hash flows into the evidence record and marks its chain-of-custody status as recorded.
v7.27.24
Security
Automated row-level-security verification on deploy
Every deploy now verifies that the row-level-security rules (who can read and edit a matter and its shared copies) are actually in force in the database, not just that the migration files ran — and reports a clear pass/fail.
v7.27.23
Ops / CI / infra
Database migrations unblocked + drift monitoring
Fixed a migration (0046) that had silently halted the database migration chain, so a backlog of schema and security updates — including the row-level-security hardening — can now reach the database on deploy.
Added a migration-drift signal to the admin health check so a stalled migration surfaces immediately instead of hiding behind a green build.
v7.27.22
Intake & onboarding
Plain-language guidance on the court-type step
The intake court/tribunal step now shows a short, reassuring hint for people who don't know which one applies — choose your best guess, you can change it later, and a professional can confirm the right forum.
v7.27.21
Marketplace
Ranked exposure flags in the strategy view
The strategy view now ranks risks by how serious they are instead of listing them as flat text: a missed fatal deadline (e.g. an appeal délai) is marked fatal and shown first, with colour-coded, labelled severity dots down to lower-priority gaps.
Under the hood, each risk is now a typed flag (severity, message, and an optional financial-exposure figure) — laying the groundwork to attach dollar amounts later — and risk severity is derived from each deadline's own fatal/strict/soft rating.
v7.27.20
Jurisdictions
Life-safety notice before any legal step
Added a clear safety notice — shown on the landing page before sign-in and on a new /emergency page — telling anyone in immediate danger to call emergency services first, and stating plainly that the platform is not an emergency service.
The notice is edition-aware: it names 911 only where that number is correct (US and Canada) and otherwise points to local emergency services, so we never display a number we can’t verify for that country.
v7.27.19
Security
Security hardening — notification, AI, and share endpoints
Closed an abuse path where a signed-in user could send a platform-branded email/SMS to any address: notifications now must be tied to a matter you can edit.
The AI assistant and the legal-authority verifier now refuse to run if the backend isn’t configured, instead of serving unauthenticated; evidence ingestion validates the matter id; and revoking a share you don’t own now returns a clear error.
v7.27.18
Notifications & email
Data-safety notice + browser-storage-full warning
When your matters are stored only in this browser (no cloud account connected), the workspace now warns you that the data lives on this device only and reminds you to export a backup — the reminder reappears after a week so it isn’t forgotten.
If your browser’s storage fills up, the workspace now alerts you that your latest changes may not have been saved, instead of failing silently.
v7.27.17
Payments
Payment-path safety + accurate health checks + env template
Hardened the payment paths: workspace checkout now requires a signed-in user (no more opening a checkout for an arbitrary email), and the Canadian-payout readiness signal won’t go green without the encryption key it depends on.
Ops: the health check now reports the US and Canadian legal-authority sources separately (instead of one misleading flag), and a documented .env.example lists the environment variables the platform uses.
v7.27.16
Localization
Spanish marketplace fix + SEO metadata + share-card image
Spanish users no longer see English service-funnel editorial — the untranslated block is hidden on /es while the localized funnel header and steps still show. Provider status badges are now translated too.
SEO: marketplace service + provider pages now emit canonical + hreflang alternates across locales, and the Juge.ca social-share image is a proper 1200×630 card (was the logo at the wrong size).
v7.27.15
Security
Fatal-deadline warnings + more security hardening
Deadlines now carry a severity: a peremptory date (e.g. the appeal délai de rigueur — no extension possible) is shown in red with a “Fatal limit” badge and a plain-language consequence, so a deadline you can’t recover from no longer looks like an ordinary reminder. Reminders include that consequence.
More security hardening: sanitized file-download headers, rate-limited the public error-telemetry endpoint, restricted the health endpoint’s integration details to admins, and made share-acceptance race-safe at the database layer.
Tightened data-access controls: accepted full-scope review shares now correctly grant read-only access to a matter at the database layer (they previously granted none), without weakening the subset-share boundary; the evidence-ingest endpoint enforces matter ownership; and activity/analytics events now record the authenticated user instead of a client-supplied id. No change to what owners and collaborators can already see.
v7.27.13
Intake & onboarding
Safety-first intake + accessible sign-up
Matter intake now opens with a safety check: a prominent “if you’re in immediate danger, call 911” notice and a question asking whether you need help within 24 hours — urgent cases are routed straight to available help instead of a long form. Shown on both editions; no fabricated hotlines.
Sign-up/sign-in form is now accessible: proper labels and autofill on the name, email and password fields (so browsers and password managers work), password requirements shown as hints up front, and a larger, easier-to-tap consent control.
v7.27.12
Notifications & email
Notifications now fire — order-confirmation email + scheduled cron
Paid service orders now send a confirmation email automatically, and a daily secured cron retries any failed sends and nudges in-progress orders — closing the gap where the notification engine existed but nothing triggered it. Email works as soon as a sender is connected (testable now via the email webhook); proactive matter-deadline reminders activate once matters move to the server (tracked separately).
Added the order/deadline reminder engine on top of the existing delivery rails: edition-aware lead-time rules (deadline, hearing, appointment), timezone-correct and idempotent scheduling, bilingual templates, signed unsubscribe tokens, and a notification-preferences model — fully unit-tested, ready to wire to email/SMS once those providers are connected.
Captured Supabase auth settings as code (supabase/config.toml — Site URL, redirect allow-list, SMTP placeholder) so a dashboard lockout can never block auth configuration again (#103).
v7.27.10
Ops / CI / infra
Build reliability — static-page count cut to end OOM deploys
The production build pre-rendered ~2,576 static pages (16-minute builds, intermittent out-of-memory deploy failures). It now pre-renders only the live launch editions and the locales that carry distinct content; the ~200 “launching soon” preview editions and duplicate-content locales render on demand and stay indexable. Build dropped to ~1,569 pages and seconds instead of minutes — no SEO or content change.
v7.27.9
Intake & onboarding
A→Z keystone — intake court step is now edition-aware
The matter-intake court step no longer shows Québec courts (Cour du Québec, TAL/TAQ) on the US edition. Québec keeps its court selection unchanged; other editions show an honest “court selection is being prepared with local counsel” notice plus a free-text jurisdiction field — never a fabricated court list.
v7.27.8
Marketplace
Marketplace smoke test follow-up
Updated the marketplace funnel Playwright smoke test for the no-charge quote intake introduced in #483: tier labels are scoped to the pricing section and quote CTAs are asserted as buttons instead of legacy links.
v7.27.7
Security
A→Z keystone (jurisdiction on every matter) + matter-share subset security fix
Keystone (#457): every matter now carries an edition/jurisdiction/locale; legacy matters migrate to Québec by default and load unchanged; the deadline engine returns a manual-deadline notice (never a fabricated date) for any edition without a reviewed rule pack.
Security (#469): document/exhibit/evidence read access now enforces a review share's recorded subset at the database (RLS) layer, not just in the UI. Conservative + additive — no existing access is narrowed.
v7.27.6
Security
Roadmap — Beyond-MVP A→Z platform + iOS/Android plan
Published the beyond-MVP roadmap to make this the world's first platform to move a matter A→Z unbroken: 21 epics across three domains (lifecycle completeness, rich differentiating features, native mobile), each decomposed into agent-delegatable steps, plus a surfaced critical security fix. Mobile recommendation: Capacitor (hybrid) for iOS + Android. See docs/BEYOND_MVP_ROADMAP.md and trackers #462 / #470 / #481.
Documented how to recover from a Supabase dashboard lockout without switching providers: the backend (103 tables, 234 RLS policies) is fully reproducible from the 56 repo migrations, so a fresh project + “supabase db push” + env repoint rebuilds it in minutes. Includes the data-export path, the auth/SMTP config that resolves the magic-link issue, and config-as-code guidance. See docs/SUPABASE_RECOVERY_RUNBOOK.md.
v7.27.4
Jurisdictions
Edition purity — US service funnels no longer show Québec law terms
The per-service marketplace funnel editorial (how-it-works, FAQ, proof-of-service notes) is authored in Québec civil-law terms (huissier, procès-verbal, Barreau du Québec, “filing in Québec”). It is now hidden on the US edition, which keeps its edition-aware funnel header and milestone pipeline instead. US-specific funnel editorial is tracked as a follow-up.
v7.27.3
Jurisdictions
Judge911 emblem — consistent across every US surface
Aligned the US-edition brand: the favicon/app icon, social-share image, and search-engine logo now use the new flat Judge911 emblem (navy shield, gold scales, red base) that the header and hero already use — so the same mark appears everywhere instead of a different one in the browser tab and link previews.
v7.27.2
Content / legal
INP hygiene — leaner global event handlers
Hardened the growth/analytics document-level listeners: the exit-intent flag is read from storage once instead of on every mouse-out, and the click/mouse-out listeners are registered as passive so the browser never waits on them before painting. Interaction-to-next-paint hygiene; CTA click beacons stay synchronous so they survive navigation.
v7.27.1
Jurisdictions
Edition purity — patriated service catalogue + Québec-only routes gated
The court-ops service catalogue is now jurisdiction-aware: the US edition shows “Notarization (Notary Public)” and “Service of process (Process Server)” instead of Québec swearing/bailiff services.
Gated the remaining Québec-only routes off the US edition (the public bailiff and bailiff-workspace pages now 404), and repointed the marketplace “Serve documents” call-to-action to the US service-of-process flow.
v7.27.0
Marketplace
Per-jurisdiction editions — US sign-up, marketplace and roles
Each edition is now jurisdiction-pure: the United States (judge911.com) and Québec (juge.ca) no longer reference each other’s legal system. A new per-edition profession registry is the single source of truth for the roles and credentialing bodies each country offers.
US sign-up and partner onboarding show US-native roles — attorneys (State Bar), notaries public, process servers and private investigators — and never ask for Québec credentials (Barreau, Chambre des notaires, BSP).
US marketplace, services and account types drop Québec-only roles (huissier, commissaire à l’assermentation); the bailiff and commissioner portals return 404 on the US edition.
Set the new Judge911 emblem in the US homepage hero.
v7.26.0
Evidence
Judge911 (US) — single-narrative homepage
Rebuilt the US homepage as one consumer narrative (Problem → Promise → Solution → Proof → Action): hero with the Judge911 crest, the problem framing, an 8-step solution, the common-problems grid, a 50-states local-law section, the founder’s story, and a closing call to action — replacing the feature-catalogue layout.
Moved the edition notice/switcher to the bottom of the page on the US edition.
v7.25.1
Brand & marketing
Judge911.com brand emblem
Adopted the Judge911.com shield-and-gavel emblem across the US edition — the header logo, browser/app icon, social share image, and structured-data logo — with the background made transparent so it sits cleanly on the dark theme. The Québec edition (juge.ca) is unchanged.
v7.25.0
Jurisdictions
Judge911 (US) — institutions, civic footer, and a full About page
Added a US-gated “Trusted institutions” section linking to authoritative public resources (American Bar Association, U.S. Courts, National Center for State Courts, and the Legal Services Corporation), framed as navigation with a clear not-affiliated/not-endorsed notice.
Added a full About page for the US edition — the Legal Operating System overview, mission, founder narrative, and long-term vision.
US edition footer now reads “Proudly Human — made in the land of the free.” (other editions unchanged).
v7.24.0
Jurisdictions
United States edition (Judge911.com) — American homepage
Reorganized the US edition to read as built for the American legal system: “America’s Legal Operating System™”, leading with states and court levels instead of countries, with American legal vocabulary (Open a Case File; Add Documents, Photos & Evidence; Case Roadmap; Find Legal Help).
Added a problem-first navigation grid (car accident, divorce, child custody, landlord dispute, DUI, employment, veterans, immigration, Social Security disability, probate, small claims), a Browse-by-State section, and a civic “Rights matter” Constitution section — general information, not legal advice.
Replaced global and Canadian framing on the US property (U.S. data hosting, not Canadian residency) and added durable inline-SVG civic imagery (a neoclassical courthouse).
v7.23.7
Partnerships
Support guide — Indigenous-language partnership track
Set up a partnership-review track for translating the support guide into the platform's Indigenous languages (Plains Cree, Inuktitut, Inuinnaqtun, Tłı̨chǫ, Gwich'in, Dene Sųłıné, North & South Slavey) — a publication gate that keeps unreviewed translations out of production, a bilingual translator source kit, and a documented community-review workflow.
These languages are not machine-translated: they keep the English fallback until a community translation is reviewed and approved.
v7.23.6
Localization
Support hub guide — nine languages
Translated the “How Juge.ca works” guide into French, Spanish, German, Italian, Portuguese, Arabic, Chinese, Hebrew and Punjabi — each switchable from Settings → language, with right-to-left rendering for Arabic and Hebrew.
Indigenous-language editions fall back to the English articles under a “being translated” notice, pending community and partnership review rather than machine translation.
v7.23.5
Content / legal
Support hub guide — concise, professional copy
Rewrote the “How Juge.ca works” articles in a concise, professional register — tighter, more precise statements of how each feature works, with less explanatory prose.
v7.23.4
Content / legal
Support hub guide — search-first layout
Redesigned the “How Juge.ca works” guide: a search bar at the top, category filter chips, and compact one-line article rows that expand in place — much less scrolling to reach the right article.
v7.23.3
Security
Support hub — “How Juge.ca works” platform guide (English)
Added a “How Juge.ca works” guide to the Support hub: detailed, searchable articles on how the platform and its features actually work — matters and the workspace, on-device OCR import, evidence and chain of custody, the Litigation Copilot, the deadline engine, the marketplace, billing and escrow, security and privacy, and editions and languages.
Built English-first on a locale-resolved structure so French and then every other language can be added with no rework; editions without translations yet show the English articles under a clear “being translated” notice.
v7.23.2
Localization
Research hub — four new categories and twelve articles
Expanded the Research & publications hub with four new categories — Housing & tenancy, Family justice, Consumer & debt, and AI & the law — each launching with bilingual, cited starter articles.
Added a short editorial note to the research hub introduction describing the broadened library.
v7.23.1
Localization
Research & publications hub — new bilingual articles
Added new bilingual access-to-justice research articles to the Research & publications hub (including a synthesis of a quarter-century of legal-needs surveys), published on both the Québec and United States editions.
v7.23.0
Localization
Production lineage reconciliation — GJOS book onto the world-rollout trunk
Merged the local GJOS 7.22.x line (engineering book, per-screen specs, agent runbooks, schema reconciliation and review-gated migration proposals) into the production world-rollout trunk without dropping the world jurisdiction packs, i18n engine, Bates or criminal-justice work.
Unified the two diverged release lineages — the juge.ca local line and the judge911.com main trunk — into one trunk and one changelog.
v7.22.8
Evidence
Resolved evidence custody deletion policy
Resolved the chain-of-custody ledger deletion policy: closure is not deletion and soft-deleted evidence keeps its custody trail; a single-evidence hard purge leaves a custody tombstone via set null; only a deliberate whole-matter deletion cascades.
v7.22.7
Payments
Reconciled access-model migration and revenue/escrow model
Folded the separate matter_access.expires_at and organization tenancy migration proposals into a single reconciled access-model proposal that defines the matter access helpers exactly once.
Added Appendix J (revenue, billing and escrow model) to the engineering book, grounding Volume IX in the real subscriptions, payouts/escrow_state, payout_accounts and order tables, with the actual fee model and edition-specific payout rails.
v7.22.6
Security
Resolved migration RLS design and enforced authorization model
Resolved the two open row-level-security questions: translations now use a single table with a matter_id access anchor and a CHECK constraint, and organization tenancy is additive with opt-in read-only org-admin oversight rather than membership-as-access.
Baked the resolved policies into the review-gated migration proposals with the rationale and the rejected alternatives.
Added Appendix I (enforced authorization model) to the engineering book, canonicalizing the real can_access_matter and can_edit_matter composition, the translation ACL anchor, and the append-only audit and custody rules.
v7.22.5
Ops / CI / infra
Review-gated migration proposals for schema gaps
Drafted P1 and P2 migration proposals that close the schema gaps found during reconciliation, kept out of the apply path for human review.
P1: a time-boxed matter_access.expires_at with updated access helpers, and an append-only evidence custody ledger mirroring the existing audit-log pattern.
P2: organization tenancy (orgs, org_memberships), a per-object translations table, and an optional data-driven jurisdictions table — each flagged with its open row-level-security question.
v7.22.4
Payments
Per-screen specs, agent runbooks and schema reconciliation
Completed per-screen specifications for the remaining workspaces — Timeline, Messaging, Video, Billing, Support, Academy, Community and Partner Organizations — in the engineering book.
Added Appendix H agent runbooks turning the ten platform agents into directly executable operating contracts (owns, triggers, guardrails, definition of done, escalation).
Reconciled the illustrative data schema against the live Supabase schema and published a reviewed gap analysis, noting that jurisdictions, translations and organization tenancy are not yet persisted.
v7.22.3
AI & automation
Per-screen specifications in the engineering book
Expanded the Global Justice Operating System engineering book with Appendix G: per-screen specifications that take Volume III from workspace contracts down to the screen an engineer actually builds.
Fully specified the Matter, Document, Evidence and Marketplace screens — routes, layout, states, data, permissions, analytics events and AI guardrails — with a reusable per-screen template and a screen inventory for the remaining workspaces.
v7.22.2
Marketplace
Verified provider profiles
Added visible provider verification checks for professional identity, order or licence, insurance, scope, availability and references.
Connected self-serve onboarding to availability windows and structured reference submissions that enter moderation before publication.
Marked sample profiles as unverified examples, with no verified badge, no booking action and no public windows until human verification is complete.
Added the Global Justice Operating System engineering book and 2026 launch marketing kit as verified generated content for product and go-to-market planning.
v7.21.78
Payments
Complete search discovery and homepage controls
Expanded localized sitemaps to include every public static, press, service, expert, provider and marketplace profile route instead of only top-level marketing slugs.
Hardened robots.txt so crawlers receive the sitemap index plus every language sitemap while authenticated, invite, dashboard and checkout-success surfaces stay out of search results.
Added a persistent light/dark mode toggle and kept the existing side quick-scroll controls available for fast top/bottom review.
Moved the free matter creation prompt to the top of the homepage and routes it directly to account signup.
Supplemented the Resolve-first proof-of-attempts messaging with a dedicated ledger panel for complaint paths, offers, mediation and escalation evidence.
v7.21.77
Litigation
Keep the date procedural calendar
Added a first-class Keep the date panel to the Deadlines workspace with procedural calculations, hearing and task dates, procedure authorities, juridical-calendar extension flags and calendar exports.
Added a tested litigation calendar layer that derives ICS and CSV exports from matter deadlines, procedures, suggestions, authorities and non-working-day checks without changing stored matter data.
v7.21.76
Marketplace
Discreet marketplace setup preview
Added a noindex `/mrkplc` marketplace setup preview that can be viewed without signing in while keeping Google imports, publication and verification routes admin-protected.
Placed a discreet `mrkplc` link beside the footer Admin link so the marketplace setup can be checked quickly from any page.
v7.21.76
Localization
Production lineage reconciliation
Reconciled the 7.21 release lineage into the git-connected main branch without dropping the 257 world-rollout commits from judge911.com.
Preserved the branded outbound-link interstitial, Google provider import, US legal-resources edition, global registry packs, platform readiness gates and bilingual changelog history in one trunk.
v7.21.75
Jurisdictions
US-edition Legal Resources
Added a United States variant of the Legal Resources directory so the US edition (judge911.com) lists US bar, court, statute and access-to-justice references instead of Québec institutions.
Wired the Legal Resources page through the edition resolver, matching how Privacy, Terms and the other legal pages already swap to US content; the Québec edition (juge.ca) is unchanged.
v7.21.74
Workspace & matters
Google Drive import readiness
Centralized the Google Drive import readiness gate so the status API and workspace system panel report the same public client-id and API-key requirements.
Verified the Drive picker path stays wired into the existing evidence upload pipeline instead of introducing a parallel document-ingestion flow.
Added regression coverage and a static trust-gap check so the integration cannot disappear from release readiness without failing the gate.
v7.21.73
Marketplace
Google Places provider import
Added an admin-only Google Places importer for marketplace provider discovery using the official Places Text Search API with a narrow field mask.
Imported Google profiles create pending provider records with Google Place ID provenance, address, phone, website, business status, types and availability windows derived from opening hours.
Google-sourced profiles remain unpublished until the normal human verification gate approves them; when displayed, they distinguish Google Maps business-listing provenance from Juge.ca credential verification and deliberately exclude Google ratings and reviews.
v7.21.48
Marketplace
Provider marketplace end-to-end rollout
Added full provider profile pages with credentials, services, target response times, recurring availability windows and moderated structured endorsements instead of public star ratings.
Added self-serve provider onboarding that validates applications, writes the existing partner intake record, creates a pending provider profile and stores availability slots for verification before publication.
Added Supabase-backed provider profile, availability and endorsement tables with RLS, owner update policies and admin publication/moderation functions, plus a provider availability update API.
v7.20.48
Marketplace
Marketplace rollout copy aligned
Removed public rating and review language from the marketplace rollout notice and illustrative provider cards.
The marketplace now frames pending work as verified profiles, real-time availability and self-serve provider onboarding, keeping provider cards credential-focused before live activation.
v7.20.47
Content / legal
Branded outbound-link interstitial
External resource links now open a "leaving Juge.ca" interstitial that names the destination and restates the not-affiliated disclaimer before opening the site in a new tab.
Applied the interstitial to every external link rendered on dictionary-driven pages (Legal Resources, Useful Links and beyond).
Kept real anchors so crawlers, middle-click and ⌘/Ctrl-click still open destinations directly; only plain clicks show the container.
v7.20.46
Governance
Legal-ops suite and version governance
Added the production-hardened litigation operations spine: normalized document, Bates, production, e-discovery, deadline, filing, authorities, timeline and trial-presentation migrations.
Introduced live-gated server APIs for Bates issuance, production-set creation/build, native PDF conversion, filing submission, signed filing webhooks and legal-ops readiness.
Added typed engines, workspace Tools UI, Gotenberg conversion, idempotent EFSP webhook handling, production runbook and live verification for RLS, Bates immutability and critical RPCs.
Introduced the release-points versioning policy so patch work, tools, live integrations and jurisdiction launches carry predictable version value.
v7.19.51
Governance
Versioning governance policy
Added the release-points versioning policy so patches, bugs, API routes, provider integrations, marketplaces, jurisdictions and full-production releases have predictable bump values.
Capped coherent production-readiness releases at 100 points unless the owner explicitly declares a major-version release.
Added version-governance tests for bug fixes, API route connections, marketplace GA, full platform GA and jurisdiction-launch examples.
v7.19.46
Evidence
Bates numbering (Phase 1)
Added a deterministic Bates numbering engine (lib/bates): one gapless, immutable per-page sequence across an entire production, distinct from Evidence IDs (E-0001) and exhibit numbers (P-1). Numbers are assigned by a monotonic counter — never by a model — and a supplemental document continues the sequence without renumbering.
Added a PDF stamper (pdf-lib) that burns PREFIX-000NNN onto each page bottom-right with an optional confidentiality endorsement, without disturbing the searchable text layer.
Added a Bates workspace tab (local mode): configure prefix/padding/start, number the production, and download stamped PDFs. Backed by integrity tests (gapless, unique, immutable-on-rerun, stamping preserves the PDF).
v7.19.45
Payments
Platform integrity test suite
Added an end-to-end integrity orchestrator (npm run test:integrity / test:integrity:fast, scripts/test-integrity.mjs): registry stub gate, dependency audit, locale coverage, release-blocker and trust-gap gates, TypeScript, unit tests, Playwright, and the production build in one command.
Added repo-level integrity tests (lib/__tests__/platform-integrity.test.ts): no parallel source trees, [lang] route enforcement, governance wiring, and unfinished-test detection — adapted to the single-trunk model. Added broad Playwright coverage of all FR/EN public routes, sitemaps, root redirect, and health-endpoint secrecy.
Fixed the login/signup primary heading (h2 → h1) caught by the new a11y check, corrected the trust-gap check so Stripe Express payouts don't falsely require STRIPE_CONNECT_CLIENT_ID, and wired the previously-unrun us criminal-justice test into the suite.
v7.19.44
Localization
Machine translation engine added
Added a guarded Anthropic-backed UI translation engine for machine-eligible locale packs, with dry-run batching and review reports.
Added a local translation-memory provider so the same engine can later run from files on an end user's drive without a hosted model call.
Upgraded the live translation API to use the shared engine while preserving authentication and provider availability handling.
Blocked Indigenous locales from machine translation in code and tests so community-reviewed language work stays protected.
v7.19.43
Ops / CI / infra
Single trunk: main is the production branch; agents land via PRs
Retired build/v1-institutional-site as a parallel production lineage — main is now the only branch line and the Vercel Production Branch. This removes the structural cause of the recurring main↔build divergence and twin version numbers.
Rewrote the agent instructions (AGENTS.md, the *_AGENT_INSTRUCTIONS files, BUILD-PLAN, TASKS, ATTORNEY_PORTAL_SPEC) and CI triggers to match the autonomy workflows already in place: work lands via short-lived agent/<name>/<issue>-<slug> PRs into main, gated by CI + the review gate, with one version bump per PR.
v7.19.42
Localization
Unify trunk: production branch reconciled into main
Reconciled the parallel production branch back into main as part of moving to a single trunk — main is now the integration branch and deploy source.
Folded in the i18n gap audit: a reproducible i18n gap matrix command (scripts/check-i18n-gap.ts) that measures every declared locale against the English baseline, separating machine-translation-eligible locales from Indigenous human/community-only locales (Indigenous partials left untouched).
Added a CI tripwire (editions-registry test) that pins the live jurisdiction set to an explicit launch allow-list and enforces enabled ⟹ reviewed — an unfinished or unintended jurisdiction can no longer go live, even sitting on trunk.
Documented the trunk-based jurisdiction workflow in AGENTS.md and CONTRIBUTING.md: stage on trunk with enabled:false + needsReview:true, no per-jurisdiction branches, one version bump per release. Clarified that enabled:false is an intentional "launching soon" preview, not a fully-hidden state.
v7.19.40
Jurisdictions
Reconciled main into the production lineage
Merged the main branch (5.23.41) into the production train: brings in the edition-aware US jurisdiction coverage UI (UsJurisdictionCard with courts, small-claims and bar) and the Canadian criminal-justice page at /criminal-justice.
No loss of the individual jurisdiction deployment records — they are preserved below for auditability.
v7.19.39
Jurisdictions
Jurisdiction deployment version normalized
Normalized the jurisdiction deployment train from 5.23.19639 to 7.19.39 by carrying the 196 jurisdiction increments into the major/minor release line while preserving the existing .39 patch tail.
Preserved the individual jurisdiction deployment records below for auditability.
v5.23.19639
Jurisdictions
zw jurisdiction deployed
Approved the zw jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.19539
Jurisdictions
za jurisdiction deployed
Approved the za jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.19439
Jurisdictions
yt jurisdiction deployed
Approved the yt jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.19339
Jurisdictions
wf jurisdiction deployed
Approved the wf jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.19239
Jurisdictions
vu jurisdiction deployed
Approved the vu jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.19139
Jurisdictions
vn jurisdiction deployed
Approved the vn jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.19039
Jurisdictions
vi jurisdiction deployed
Approved the vi jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.18939
Jurisdictions
vg jurisdiction deployed
Approved the vg jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.18839
Jurisdictions
ve jurisdiction deployed
Approved the ve jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.18739
Jurisdictions
uz jurisdiction deployed
Approved the uz jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.18639
Jurisdictions
us jurisdiction deployed
Approved the us jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.18539
Jurisdictions
us.wy jurisdiction deployed
Approved the us.wy jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.18439
Jurisdictions
us.wv jurisdiction deployed
Approved the us.wv jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.18339
Jurisdictions
us.wi jurisdiction deployed
Approved the us.wi jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.18239
Jurisdictions
us.wa jurisdiction deployed
Approved the us.wa jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.18139
Jurisdictions
us.vt jurisdiction deployed
Approved the us.vt jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.18039
Jurisdictions
us.vi jurisdiction deployed
Approved the us.vi jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.17939
Jurisdictions
us.va jurisdiction deployed
Approved the us.va jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.17839
Jurisdictions
us.ut jurisdiction deployed
Approved the us.ut jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.17739
Jurisdictions
us.tx jurisdiction deployed
Approved the us.tx jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.17639
Jurisdictions
us.tn jurisdiction deployed
Approved the us.tn jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.17539
Jurisdictions
us.sd jurisdiction deployed
Approved the us.sd jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.17439
Jurisdictions
us.sc jurisdiction deployed
Approved the us.sc jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.17339
Jurisdictions
us.ri jurisdiction deployed
Approved the us.ri jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.17239
Jurisdictions
us.pr jurisdiction deployed
Approved the us.pr jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.17139
Jurisdictions
us.pa jurisdiction deployed
Approved the us.pa jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.17039
Jurisdictions
us.or jurisdiction deployed
Approved the us.or jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.16939
Jurisdictions
us.ok jurisdiction deployed
Approved the us.ok jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.16839
Jurisdictions
us.oh jurisdiction deployed
Approved the us.oh jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.16739
Jurisdictions
us.ny jurisdiction deployed
Approved the us.ny jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.16639
Jurisdictions
us.nv jurisdiction deployed
Approved the us.nv jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.16539
Jurisdictions
us.nm jurisdiction deployed
Approved the us.nm jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.16439
Jurisdictions
us.nj jurisdiction deployed
Approved the us.nj jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.16339
Jurisdictions
us.nh jurisdiction deployed
Approved the us.nh jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.16239
Jurisdictions
us.ne jurisdiction deployed
Approved the us.ne jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.16139
Jurisdictions
us.nd jurisdiction deployed
Approved the us.nd jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.16039
Jurisdictions
us.nc jurisdiction deployed
Approved the us.nc jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.15939
Jurisdictions
us.mt jurisdiction deployed
Approved the us.mt jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.15839
Jurisdictions
us.ms jurisdiction deployed
Approved the us.ms jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.15739
Jurisdictions
us.mp jurisdiction deployed
Approved the us.mp jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.15639
Jurisdictions
us.mo jurisdiction deployed
Approved the us.mo jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.15539
Jurisdictions
us.mn jurisdiction deployed
Approved the us.mn jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.15439
Jurisdictions
us.mi jurisdiction deployed
Approved the us.mi jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.15339
Jurisdictions
us.me jurisdiction deployed
Approved the us.me jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.15239
Jurisdictions
us.md jurisdiction deployed
Approved the us.md jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.15139
Jurisdictions
us.ma jurisdiction deployed
Approved the us.ma jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.15039
Jurisdictions
us.la jurisdiction deployed
Approved the us.la jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.14939
Jurisdictions
us.ky jurisdiction deployed
Approved the us.ky jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.14839
Jurisdictions
us.ks jurisdiction deployed
Approved the us.ks jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.14739
Jurisdictions
us.in jurisdiction deployed
Approved the us.in jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.14639
Jurisdictions
us.il jurisdiction deployed
Approved the us.il jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.14539
Jurisdictions
us.id jurisdiction deployed
Approved the us.id jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.14439
AI & automation
us.ia jurisdiction deployed
Approved the us.ia jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.14339
Jurisdictions
us.hi jurisdiction deployed
Approved the us.hi jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.14239
Jurisdictions
us.gu jurisdiction deployed
Approved the us.gu jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.14139
Jurisdictions
us.ga jurisdiction deployed
Approved the us.ga jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.14039
Jurisdictions
us.fl jurisdiction deployed
Approved the us.fl jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.13939
Jurisdictions
us.de jurisdiction deployed
Approved the us.de jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.13839
Jurisdictions
us.dc jurisdiction deployed
Approved the us.dc jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.13739
Jurisdictions
us.ct jurisdiction deployed
Approved the us.ct jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.13639
Jurisdictions
us.co jurisdiction deployed
Approved the us.co jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.13539
Jurisdictions
us.ca jurisdiction deployed
Approved the us.ca jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.13439
Jurisdictions
us.az jurisdiction deployed
Approved the us.az jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.13339
Jurisdictions
us.as jurisdiction deployed
Approved the us.as jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.13239
Jurisdictions
us.ar jurisdiction deployed
Approved the us.ar jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.13139
Jurisdictions
us.al jurisdiction deployed
Approved the us.al jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.13039
Jurisdictions
us.ak jurisdiction deployed
Approved the us.ak jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.12939
Jurisdictions
um jurisdiction deployed
Approved the um jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.12839
Jurisdictions
ug jurisdiction deployed
Approved the ug jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.12739
Jurisdictions
ua jurisdiction deployed
Approved the ua jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.12639
Jurisdictions
tz jurisdiction deployed
Approved the tz jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.12539
Jurisdictions
tr jurisdiction deployed
Approved the tr jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.12439
Jurisdictions
tk jurisdiction deployed
Approved the tk jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.12339
Jurisdictions
th jurisdiction deployed
Approved the th jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.12239
Jurisdictions
tf jurisdiction deployed
Approved the tf jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.12139
Jurisdictions
tc jurisdiction deployed
Approved the tc jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.12039
Jurisdictions
sx jurisdiction deployed
Approved the sx jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.11939
Jurisdictions
sj jurisdiction deployed
Approved the sj jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.11839
Jurisdictions
sh jurisdiction deployed
Approved the sh jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.11739
Jurisdictions
se jurisdiction deployed
Approved the se jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.11639
Jurisdictions
sd jurisdiction deployed
Approved the sd jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.11539
Jurisdictions
sb jurisdiction deployed
Approved the sb jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.11439
Jurisdictions
sa jurisdiction deployed
Approved the sa jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.11339
Jurisdictions
ru jurisdiction deployed
Approved the ru jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.11239
Jurisdictions
ro jurisdiction deployed
Approved the ro jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.11139
Jurisdictions
re jurisdiction deployed
Approved the re jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.11039
Jurisdictions
pr jurisdiction deployed
Approved the pr jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.10939
Jurisdictions
pn jurisdiction deployed
Approved the pn jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.10839
Jurisdictions
pm jurisdiction deployed
Approved the pm jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.10739
Jurisdictions
pl jurisdiction deployed
Approved the pl jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.10639
Jurisdictions
pk jurisdiction deployed
Approved the pk jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.10539
Jurisdictions
ph jurisdiction deployed
Approved the ph jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.10439
Jurisdictions
pg jurisdiction deployed
Approved the pg jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.10339
Jurisdictions
pf jurisdiction deployed
Approved the pf jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.10239
Jurisdictions
pe jurisdiction deployed
Approved the pe jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.10139
Jurisdictions
nz jurisdiction deployed
Approved the nz jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.10039
Jurisdictions
nu jurisdiction deployed
Approved the nu jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.9939
Jurisdictions
np jurisdiction deployed
Approved the np jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.9839
Jurisdictions
nl jurisdiction deployed
Approved the nl jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.9739
Jurisdictions
ng jurisdiction deployed
Approved the ng jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.9639
Jurisdictions
nf jurisdiction deployed
Approved the nf jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.9539
Jurisdictions
nc jurisdiction deployed
Approved the nc jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.9439
Jurisdictions
my jurisdiction deployed
Approved the my jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.9339
Jurisdictions
mx jurisdiction deployed
Approved the mx jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.9239
Jurisdictions
ms jurisdiction deployed
Approved the ms jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.9139
Jurisdictions
mq jurisdiction deployed
Approved the mq jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.9039
Jurisdictions
mp jurisdiction deployed
Approved the mp jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.8939
Jurisdictions
mo jurisdiction deployed
Approved the mo jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.8839
Jurisdictions
mm jurisdiction deployed
Approved the mm jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.8739
Jurisdictions
mf jurisdiction deployed
Approved the mf jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.8639
Jurisdictions
ma jurisdiction deployed
Approved the ma jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.8539
Jurisdictions
lk jurisdiction deployed
Approved the lk jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.8439
Jurisdictions
kz jurisdiction deployed
Approved the kz jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.8339
Jurisdictions
ky jurisdiction deployed
Approved the ky jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.8239
Jurisdictions
kr jurisdiction deployed
Approved the kr jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.8139
Jurisdictions
ke jurisdiction deployed
Approved the ke jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.8039
Jurisdictions
jp jurisdiction deployed
Approved the jp jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.7939
Jurisdictions
je jurisdiction deployed
Approved the je jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.7839
Jurisdictions
it jurisdiction deployed
Approved the it jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.7739
Jurisdictions
ir jurisdiction deployed
Approved the ir jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.7639
Jurisdictions
iq jurisdiction deployed
Approved the iq jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.7539
Jurisdictions
io jurisdiction deployed
Approved the io jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.7439
Jurisdictions
in jurisdiction deployed
Approved the in jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.7339
Jurisdictions
im jurisdiction deployed
Approved the im jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.7239
Jurisdictions
il jurisdiction deployed
Approved the il jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.7139
Jurisdictions
ie jurisdiction deployed
Approved the ie jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.7039
Jurisdictions
id jurisdiction deployed
Approved the id jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.6939
Jurisdictions
hm jurisdiction deployed
Approved the hm jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.6839
Jurisdictions
hk jurisdiction deployed
Approved the hk jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.6739
Jurisdictions
gu jurisdiction deployed
Approved the gu jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.6639
Jurisdictions
gs jurisdiction deployed
Approved the gs jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.6539
Jurisdictions
gp jurisdiction deployed
Approved the gp jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.6439
Jurisdictions
gl jurisdiction deployed
Approved the gl jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.6339
Jurisdictions
gi jurisdiction deployed
Approved the gi jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.6239
Jurisdictions
gh jurisdiction deployed
Approved the gh jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.6139
Jurisdictions
gg jurisdiction deployed
Approved the gg jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.6039
Jurisdictions
gf jurisdiction deployed
Approved the gf jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.5939
Jurisdictions
gb.sct jurisdiction deployed
Approved the gb.sct jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.5839
Jurisdictions
gb.ews jurisdiction deployed
Approved the gb.ews jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.5739
Jurisdictions
fr jurisdiction deployed
Approved the fr jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.5639
Jurisdictions
fo jurisdiction deployed
Approved the fo jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.5539
Jurisdictions
fk jurisdiction deployed
Approved the fk jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.5439
Jurisdictions
fj jurisdiction deployed
Approved the fj jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.5339
Jurisdictions
et jurisdiction deployed
Approved the et jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.5239
Jurisdictions
es jurisdiction deployed
Approved the es jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.5139
Jurisdictions
eh jurisdiction deployed
Approved the eh jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.5039
Jurisdictions
eg jurisdiction deployed
Approved the eg jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.4939
Jurisdictions
dz jurisdiction deployed
Approved the dz jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.4839
Jurisdictions
dk jurisdiction deployed
Approved the dk jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.4739
Jurisdictions
de jurisdiction deployed
Approved the de jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.4639
Jurisdictions
cz jurisdiction deployed
Approved the cz jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.4539
Jurisdictions
cx jurisdiction deployed
Approved the cx jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.4439
Jurisdictions
cw jurisdiction deployed
Approved the cw jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.4339
Jurisdictions
cu jurisdiction deployed
Approved the cu jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.4239
Jurisdictions
cp jurisdiction deployed
Approved the cp jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.4139
Jurisdictions
co jurisdiction deployed
Approved the co jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.4039
Jurisdictions
cn jurisdiction deployed
Approved the cn jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.3939
Jurisdictions
cm jurisdiction deployed
Approved the cm jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.3839
Jurisdictions
cl jurisdiction deployed
Approved the cl jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.3739
Jurisdictions
ck jurisdiction deployed
Approved the ck jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.3639
Jurisdictions
ch jurisdiction deployed
Approved the ch jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.3539
Jurisdictions
cd jurisdiction deployed
Approved the cd jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.3439
Jurisdictions
cc jurisdiction deployed
Approved the cc jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.3339
Jurisdictions
ca.yt jurisdiction deployed
Approved the ca.yt jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.3239
Jurisdictions
ca.sk jurisdiction deployed
Approved the ca.sk jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.3139
Jurisdictions
ca.qc.fr jurisdiction deployed
Approved the ca.qc.fr jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.3039
Jurisdictions
ca.pe jurisdiction deployed
Approved the ca.pe jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.2939
Jurisdictions
ca.on jurisdiction deployed
Approved the ca.on jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.2839
Jurisdictions
ca.nu jurisdiction deployed
Approved the ca.nu jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.2739
Jurisdictions
ca.nt jurisdiction deployed
Approved the ca.nt jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.2639
Jurisdictions
ca.ns jurisdiction deployed
Approved the ca.ns jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.2539
Jurisdictions
ca.nl jurisdiction deployed
Approved the ca.nl jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.2439
Jurisdictions
ca.nb jurisdiction deployed
Approved the ca.nb jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.2339
Jurisdictions
ca.mb jurisdiction deployed
Approved the ca.mb jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.2239
Jurisdictions
ca.fed jurisdiction deployed
Approved the ca.fed jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.2139
Jurisdictions
ca.bc jurisdiction deployed
Approved the ca.bc jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.2039
Jurisdictions
ca.ab jurisdiction deployed
Approved the ca.ab jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.1939
Jurisdictions
bv jurisdiction deployed
Approved the bv jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.1839
Jurisdictions
br jurisdiction deployed
Approved the br jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.1739
Jurisdictions
bq jurisdiction deployed
Approved the bq jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.1639
Jurisdictions
bo jurisdiction deployed
Approved the bo jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.1539
Jurisdictions
bm jurisdiction deployed
Approved the bm jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.1439
Jurisdictions
bl jurisdiction deployed
Approved the bl jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.1339
Jurisdictions
be jurisdiction deployed
Approved the be jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.1239
Jurisdictions
bd jurisdiction deployed
Approved the bd jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.1139
Jurisdictions
ax jurisdiction deployed
Approved the ax jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.1039
Jurisdictions
aw jurisdiction deployed
Approved the aw jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.939
Jurisdictions
au jurisdiction deployed
Approved the au jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.839
Jurisdictions
at jurisdiction deployed
Approved the at jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.739
Jurisdictions
as jurisdiction deployed
Approved the as jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.639
Jurisdictions
ar jurisdiction deployed
Approved the ar jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.539
Jurisdictions
aq jurisdiction deployed
Approved the aq jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.439
Jurisdictions
ao jurisdiction deployed
Approved the ao jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.339
AI & automation
ai jurisdiction deployed
Approved the ai jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.239
Jurisdictions
af jurisdiction deployed
Approved the af jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.139
Jurisdictions
ae jurisdiction deployed
Approved the ae jurisdiction pack for registry merge as an individual deployment unit.
Bumped the release version by 100 patch points for this jurisdiction-specific deployment.
Recorded the 2026-08-17 counsel re-review gate before live activation changes.
v5.23.129
Jurisdictions
Registry-pack legal approval
Recorded counsel approval dated June 18, 2026 in all 148 jurisdiction packs for registry merge.
Added a scheduled 60-day legal re-review on August 17, 2026 to refresh provenance and reassess activation gates.
Kept native-language review and other jurisdiction-specific launch gates separate before any public activation.
v5.23.128
Jurisdictions
Jurisdiction activation supplements
Added an activation supplement to all 148 jurisdiction packs so registry infrastructure is clearly separated from actually enabled markets.
Made legal review, native-language review and provenance refresh gates explicit before any jurisdiction is activated.
Kept broad packs in pre-launch mode until deadlines, filing workflows, provider routing and local content are validated.
v5.23.39
Localization
Loi 96 fix: hearing-checklist presets re-localized
Restored dictionary-driven (French-first) hearing-checklist presets: a French user was getting six hardcoded English items. The bilingual 'hearingPresets' strings were re-added and the Hearing component reads them from the dictionary again.
v5.23.38
Jurisdictions
Czechia registry pack
Added the Czechia jurisdiction pack with the civil-law court hierarchy, EU and Council of Europe overlays, and administrative-court review model.
Mapped key administrative routes for labour, benefits, tax, utilities, consumer protection, data protection and ombuds oversight.
Kept Czech-language official sources authoritative while flagging translation, minority-language and counsel-review needs.
v5.23.28
Jurisdictions
Registry-readiness wording tightened
Clarified /jurisdictions so registry packs are described as structured, sourced, gated drafts when verification or counsel sign-off remains, not final legal coverage.
Tightened homepage global-coverage language to avoid implying every jurisdiction pack is fully launched or counsel-approved.
Kept the registry gate explicit: packs may pass anti-stub checks while still carrying verify annotations and provenance notes for final validation.
v5.23.28
Jurisdictions
Denmark registry pack
Added the Denmark jurisdiction pack with the Nordic civil-law court structure, EU and Council of Europe overlays, and specialized labour, tax, rent and administrative appeal routes.
Mapped core public-law resources for unemployment, industrial injury, taxation, data protection, ombuds oversight, consumer protection and legal aid.
Flagged Denmark-specific civil-justice exceptions, including the EU Small Claims opt-out and separate Faroe Islands / Greenland sub-tracks.
v5.23.27
Jurisdictions
Coverage registries surfaced
Expanded /jurisdictions from a Canada-only civil page into a coverage registry for Canadian civil courts, the US jurisdiction pack, Canadian detention and youth justice, and the professional workspace control plane.
Added a typed Canadian criminal-justice registry for the arrest-to-court-to-custody rights spine, province/territory/CSC detention coverage, youth-justice profiles and Part XII guardrails.
Registered the Canada and US criminal-justice suites in npm test so the public surfaces stay tied to their tested data modules.
v5.23.27
Jurisdictions
Complete US jurisdiction pack (courts, small claims, bars, territories)
Enriched the US jurisdiction model with court structures (court of last resort, intermediate appellate where one exists, general-jurisdiction trial court) for federal, all 50 states and DC, handling the special cases (New York's inverted naming, Texas and Oklahoma's twin courts of last resort, Maryland's 2022 rename, Pennsylvania's two intermediate courts).
Added the small-claims forum and monetary ceiling (USD) per state, and the attorney admission/verification authority (integrated bar or court regulator per state), researched and verified.
Added the five US territories (Puerto Rico, Guam, U.S. Virgin Islands, Northern Mariana Islands, American Samoa) with courts and bars, plus a feature-support map at parity with the CA pack.
Extended the integrity guards: every jurisdiction exposes a court of last resort, small-claims and bar records are well-formed, and every state plus DC carries both.
v5.23.26
Security
Twenty-issue completion batch
Expanded the end-to-end open issue batch to 20 verified issues across trust, lifecycle taxonomy, freemium conversion, security, workspace governance, OPS safety, civil registries and world rollout.
Recorded the 20-issue batch in the release note while keeping saved issues #86 and #157 out of scope and excluding destructive/provider-only work.
v5.23.26
Jurisdictions
Editions ↔ jurisdiction-pack integrity bridge
Populated the federal record with Canada's federal courts (Supreme Court of Canada, Federal Court of Appeal, Federal Court, Tax Court of Canada) — the federal edition is no longer court-less.
Added guards that every enabled edition is backed by its own jurisdiction pack (by region), that the Québec launch edition maps to the QC province with its courts, and that edition codes are routed by family — locking the real 'ca' (Canada) vs 'CA' (California) collision.
v5.23.25
Security
End-to-end open issue batch
Selected and implemented a verified 10-issue open batch (#129, #154, #187, #192, #193, #194, #197, #203, #208 and #210) while keeping saved issues #86 and #157 out of the release.
Added an open-issue completion harness that ties each issue to concrete security, OPS, civil-registry and world-rollout proof in the repository.
Added deterministic rollout queue checks plus US, Canada and world-pack completion tests so the batch is continuously verified by npm test.
Added an integrity test suite for the world-edition registry: every edition must expose a non-empty 'en' fallback key, the display order and registry must describe the same id set with no duplicates, the default locale must be the first offered language, and currency and URL fields must be well-formed.
Added an integrity test suite for the CA and US jurisdiction packs: bilingual names everywhere (Loi 96), unique codes, valid court levels, no fallback to Québec courts, and case-insensitive lookups.
Registered both suites in the test script so they run continuously and block silent regressions when new packs are added.
v5.23.24
Security
Audit-chain substrate
Added the database-backed audit-chain substrate for issue #129: immutable audit_chain_events and audit_chain_anchors tables with tenant sequence uniqueness, hash-format constraints, RLS and no public mutation policies.
Extended the security audit tests so tampered records, deleted/reordered chains, forged Merkle proofs, anchor signature changes and missing database immutability guards all fail.
Updated the security plan to distinguish the existing matter activity log from the new tamper-evident substrate, while keeping backup/restore and envelope encryption listed as remaining target-state controls.
v5.23.24
Payments
Platform control-plane guardrails
Added a tested platform control-plane registry for justice journey workspaces, funding lanes, marketplace objects, detention-facility rights tracks, evidence ingest governance, payout readiness, feature flags, CI gates, and agent-handoff leases.
Enabled Canadian EFT disbursement references behind the existing live/compliance gates and added regression coverage for consent-scoped handoffs, de-identified analytics, segregated funding ledgers, court-ready evidence stamping, registry package exports, tax statements, kill switches, and Ready-queue claims.
v5.23.23
Governance
OPS and platform governance batch
Selected the next 10 open issues across OPS handoff, canaries, break-glass, professional workspaces, document taxonomy, freemium conversion and Conflict OS, with their implementation state recorded in a committed batch note.
Added a testable platform governance module for safety-restoring agent actions, rights-lane rollback exclusion, break-glass quorum policy, the 12 professional workspace families and Dispute-vs-Matter conversion thresholds.
Connected the governance checks to the existing prevention-first lifecycle and canonical document taxonomy so Conflict OS and document classification stay anchored to real product surfaces.
v5.23.23
Workspace & matters
Professional workspace guardrails
Added the professional workspace registry covering mediator, arbitrator, notary, trustee, process server, paralegal, reporter, translator, interpreter, regulator, executive, internal, and partner organization workspaces.
Added an integrity test suite for the world-edition registry: every edition must expose a non-empty 'en' fallback key, the display order and registry must describe the same id set with no duplicates, the default locale must be the first offered language, and currency and URL fields must be well-formed.
Registered the suite in the test script so it runs continuously and blocks silent regressions when new jurisdiction packs are added.
v5.23.22
Marketplace
Canadian youth justice profile
Added a source-backed youth justice sub-track for Canadian detention support with default identity protection, youth-record restrictions, counsel and parent participation, and no public detention-status disclosure.
Added Québec and Ontario youth custody operator profiles plus regression gates that prevent ages 12-17 from being routed through adult detention facilities.
v5.23.21
Marketplace
Google OAuth activation helper
Added an owner-only script that enables the Supabase Google provider from the ignored Google OAuth JSON file without committing the client secret.
The helper verifies Supabase redirects to Google after activation and keeps the downloaded client secret JSON excluded from git.
v5.23.21
Jurisdictions
Canadian detention registry
Added a source-backed Canadian criminal-justice registry with Charter rights stages, Québec and Ontario enumerated facility lists, and seeded custody coverage for every province and territory.
Added CSC regional federal facility profiles with separate legal and housing jurisdictions plus operator-verified healing lodges so federal custody and local placement stay distinct.
v5.23.20
Security
Google auth and readiness issue batch
Added Google account sign-up/sign-in through the existing Supabase auth callback, with bilingual auth labels and a system-status readiness flag.
Recorded the selected 10 open issues and their implementation state, distinguishing implemented code from provider, legal, deployment, backup, or rollback gates that still require external action.
Aligned trust readiness checks with the actual upload safety, CSAM, transactional delivery, Twilio, and Stripe Express payout adapters, with regression coverage for the readiness gates.
v5.23.20
Marketplace
Private address autocomplete
Added clickable address suggestions to profile settings using matching addresses already present in the user's workspace.
Kept address lookup private by avoiding external map-provider calls while adding regression coverage for civic-number, accent-insensitive, and de-duplicated matches.
v5.23.19
Jurisdictions
Canadian jurisdiction coverage page
Published a public Canadian jurisdiction coverage page showing courts, small-claims ceilings, professional-verification bodies, working languages, and per-feature support for every province and territory.
Linked the coverage page from the resources footer and added it to the canonical public route list so it is included in localized navigation helpers and sitemaps.
v5.23.18
Payments
Provider payout escrow
Added a provider payout escrow state machine with strictly gated release, Stripe refund and dispute handling, clawback math, and a backward-compatible ledger migration.
Added payout escrow, disbursement, refund, and webhook regression coverage so provider funds cannot release from an invalid state.
v5.23.17
Evidence
Verifiable audit substrate
Added a storage-agnostic audit substrate with hash-chained records, Merkle proofs, notary anchors, and proof-bundle verification.
Added regression coverage for edited, deleted, reordered, forged, and independently verified audit records before persistence wiring.
v5.23.16
AI & automation
Canadian jurisdiction model expansion
Expanded the Canadian jurisdiction model with explicit courts, small-claims forums, law-society verification metadata, bilingual-service flags, and no Québec fallback outside Québec.
Added coverage for province and territory support maps so unsupported features surface explicitly instead of inheriting another jurisdiction's data.
v5.23.15
Jurisdictions
United States federal registry pack
Added the United States federal jurisdiction pack with federal courts, agency adjudication, records access, consumer protection, legal-aid, and provenance routing.
Refreshed the six United States territory packs so DC, Puerto Rico, Guam, the Virgin Islands, American Samoa, and the Northern Mariana Islands align with the federal registry model.
v5.23.14
Localization
French overseas territory registry packs
Added gated registry packs for Guadeloupe, Martinique, French Guiana, Reunion, Mayotte, Saint Barthelemy, Saint Martin, Saint Pierre and Miquelon, French Polynesia, New Caledonia, Wallis and Futuna, and the French Southern and Antarctic Lands.
Modeled EU outermost regions, overseas collectivities, Pacific customary and land layers, and TAAF no-permanent-population routing as complete registry records.
v5.23.13
Jurisdictions
Founder message production release
Published the founder-message homepage release under the verified project author so production deployments can pass Vercel attribution checks.
Kept the localized founder message behind the homepage button while preserving the full product explanation on every edition page.
v5.23.12
Content / legal
Founder sprint message
Added a founder-led sprint message behind a homepage button so visitors can understand the current July 4 development push without replacing the product page.
Localized the founder message across shipped interface languages and linked the mission callout to JusticeSansFrontieres.ca.
v5.23.11
Jurisdictions
Localized edition homepage and Judge911 cleanup
Removed the remaining hyphenated Judge911 brand fallback from country edition pages so localized copy uses Judge911 consistently.
Renamed the public Judge911 logo assets and updated the US edition header to use the non-hyphenated asset path.
Moved country edition pages onto the shared localized homepage so Canada and every other edition show the same full product explanation as the main site.
Linked the active QC edition badge directly to the Québec edition page and advertised the 195-country-and-territory footprint on the homepage.
v5.23.10
Release metadata
Changelog sprint and category filters
Added interactive filters to the changelog so the global chronological history can be sliced by release sprint, category and keyword.
Inferred categories from existing release titles and change text, avoiding duplicate changelog files or manual re-tagging of past entries.
Added unit coverage for sprint grouping, category inference and combined filter behavior.
v5.23.9
Evidence
Audio and video taxonomy groups
Promoted Audio and Video from evidence tags into first-class document taxonomy groups and categories.
Updated document migration so existing media records self-heal into the new Audio or Video category when loaded.
Adjusted classifier coverage so audio recordings classify as AUDIO instead of generic EVIDENCE.
v5.23.8
Intake & onboarding
Document classification review step
Added a dedicated Classify workspace step where users can confirm or correct each document's inferred type.
Sorted unconfirmed and lower-confidence documents first, with one-click confirmation and grouped taxonomy selection.
Connected the workflow stepper's Classify stage to the new review tab instead of sending users back to Evidence.
v5.23.7
Workspace & matters
Six-stage workspace workflow
Added a compact Create, Upload, Classify, Timeline, Resolution and Legal workflow stepper to the selected-matter view.
Derived the current stage from existing matter state without adding backend gates or schema changes.
Made each stage an accessible shortcut to the corresponding workspace tab.
v5.23.6
Evidence
Evidence media filters and playback
Surfaced Communications, Audio, Video, Investigations, Resolution Activities and Legal Procedures as first-class evidence filter chips.
Matched media filters by tag and MIME prefix so raw audio or video uploads can be found before manual tagging.
Added inline audio and video playback to the workspace file viewer.
v5.23.5
Workspace & matters
Dossier card action menu
Moved matter deletion behind an accessible overflow menu so destructive actions require a deliberate second step.
Preserved direct matter-card opening while preventing menu interactions from triggering card navigation.
Added keyboard and outside-click handling for the matter action menu.
v5.23.4
Intake & onboarding
Floating add-document action
Added an optional floating Add document action to the global scroll navigation stack.
Registered the workspace intake launcher with the floating control while hiding it during full-screen overlays.
Kept the action accessible with labels, focus states and a mount-order handshake.
v5.23.3
Workspace & matters
Dossier upload failure handling
Stopped swallowing evidence-upload failures during document import.
Surfaced the real upload error with the affected filename so RLS, expired-session and storage issues are visible.
Prevented failed uploads from creating half-imported phantom evidence records.
v5.23.2
Localization
French changelog polish
Polished the French 5.23.1 expert marketplace release note so the public changelog reads cleanly.
Kept the release scoped to public-facing copy only; the expert marketplace taxonomy and routes remain unchanged.
v5.23.1
Marketplace
Expert marketplace taxonomy pages
Expanded the expert marketplace fallback taxonomy to cover every medical, engineering, financial, real-property, forensic, regulatory, language, environmental, workplace and specialized appraisal discipline.
Turned taxonomy cards into direct marketplace links so each discipline has a shareable expert-market page.
Updated expert marketplace copy to support legal proceedings and technical mandates beyond a Quebec-only framing.
v5.23.0
Jurisdictions
US rollout version rollover
Rolled the release line forward from 5.22.100 to 5.23.0 after completing the US states, DC and territories registry rollout.
Kept the canonical package version SemVer-valid while preserving the chronological changelog history for the 5.22.x jurisdiction releases.
v5.22.100
Jurisdictions
Northern Mariana Islands jurisdiction pack
Added the Northern Mariana Islands civil jurisdiction pack (us.mp) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.99
Jurisdictions
American Samoa jurisdiction pack
Added the American Samoa civil jurisdiction pack (us.as) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.98
Jurisdictions
U.S. Virgin Islands jurisdiction pack
Added the U.S. Virgin Islands civil jurisdiction pack (us.vi) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.97
Jurisdictions
Guam jurisdiction pack
Added the Guam civil jurisdiction pack (us.gu) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.96
Jurisdictions
Puerto Rico jurisdiction pack
Added the Puerto Rico civil jurisdiction pack (us.pr) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.95
Jurisdictions
District of Columbia jurisdiction pack
Added the District of Columbia civil jurisdiction pack (us.dc) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.94
Jurisdictions
Wyoming jurisdiction pack
Added the Wyoming civil jurisdiction pack (us.wy) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.93
Jurisdictions
Vermont jurisdiction pack
Added the Vermont civil jurisdiction pack (us.vt) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.92
Jurisdictions
Alaska jurisdiction pack
Added the Alaska civil jurisdiction pack (us.ak) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.91
Jurisdictions
North Dakota jurisdiction pack
Added the North Dakota civil jurisdiction pack (us.nd) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.90
Jurisdictions
South Dakota jurisdiction pack
Added the South Dakota civil jurisdiction pack (us.sd) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.89
Jurisdictions
Cuba jurisdiction pack
Added the gated Cuba (cu) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.88
Jurisdictions
Zimbabwe jurisdiction pack
Added the gated Zimbabwe (zw) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.87
Jurisdictions
Bolivia jurisdiction pack
Added the gated Bolivia (bo) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.86
Jurisdictions
Ireland jurisdiction pack
Added the gated Ireland (ie) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.85
Jurisdictions
United Arab Emirates jurisdiction pack
Added the gated United Arab Emirates (ae) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.84
Jurisdictions
Sri Lanka jurisdiction pack
Added the gated Sri Lanka (lk) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.83
Jurisdictions
Delaware jurisdiction pack
Added the Delaware civil jurisdiction pack (us.de) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.82
Jurisdictions
Russia jurisdiction pack
Added the gated Russia (ru) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.81
Jurisdictions
Venezuela jurisdiction pack
Added the gated Venezuela (ve) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.80
Jurisdictions
Angola jurisdiction pack
Added the gated Angola (ao) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.79
Jurisdictions
Israel jurisdiction pack
Added the gated Israel (il) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.78
Jurisdictions
Cameroon jurisdiction pack
Added the gated Cameroon (cm) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.77
Jurisdictions
Austria jurisdiction pack
Added the gated Austria (at) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.76
Jurisdictions
Afghanistan jurisdiction pack
Added the gated Afghanistan (af) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.75
Jurisdictions
Sudan jurisdiction pack
Added the gated Sudan (sd) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.74
Jurisdictions
Nepal jurisdiction pack
Added the gated Nepal (np) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.73
Jurisdictions
Kazakhstan jurisdiction pack
Added the gated Kazakhstan (kz) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.72
Jurisdictions
Ghana jurisdiction pack
Added the gated Ghana (gh) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.71
Jurisdictions
Chile jurisdiction pack
Added the gated Chile (cl) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.70
Jurisdictions
Rhode Island jurisdiction pack
Added the Rhode Island civil jurisdiction pack (us.ri) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.69
Jurisdictions
Montana jurisdiction pack
Added the Montana civil jurisdiction pack (us.mt) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.68
Jurisdictions
Uganda jurisdiction pack
Added the gated Uganda (ug) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.67
Jurisdictions
Myanmar jurisdiction pack
Added the gated Myanmar (mm) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.66
Jurisdictions
Algeria jurisdiction pack
Added the gated Algeria (dz) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.65
Jurisdictions
Iraq jurisdiction pack
Added the gated Iraq (iq) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.64
Jurisdictions
Switzerland jurisdiction pack
Added the gated Switzerland (ch) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.63
Jurisdictions
New Zealand jurisdiction pack
Added the gated New Zealand (nz) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.62
Jurisdictions
Maine jurisdiction pack
Added the Maine civil jurisdiction pack (us.me) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.61
Jurisdictions
Uzbekistan jurisdiction pack
Added the gated Uzbekistan (uz) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.60
Jurisdictions
Tanzania jurisdiction pack
Added the gated Tanzania (tz) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.59
Jurisdictions
Peru jurisdiction pack
Added the gated Peru (pe) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.58
Jurisdictions
Morocco jurisdiction pack
Added the gated Morocco (ma) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.57
Jurisdictions
Malaysia jurisdiction pack
Added the gated Malaysia (my) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.56
Jurisdictions
Australia jurisdiction pack
Added the gated Australia (au) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.55
Jurisdictions
New Hampshire jurisdiction pack
Added the New Hampshire civil jurisdiction pack (us.nh) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.54
Jurisdictions
Poland jurisdiction pack
Added the gated Poland (pl) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.53
Jurisdictions
Spain jurisdiction pack
Added the gated Spain (es) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.52
Jurisdictions
Italy jurisdiction pack
Added the gated Italy (it) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.51
Jurisdictions
England and Wales jurisdiction pack
Added the gated England and Wales (gb.ews) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.50
Jurisdictions
France jurisdiction pack
Added the gated France (fr) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.49
Jurisdictions
Germany jurisdiction pack
Added the gated Germany (de) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.48
Jurisdictions
Canada (federal) jurisdiction pack
Added the gated Canada (federal) (ca.fed) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.47
Jurisdictions
Nunavut jurisdiction pack
Added the gated Nunavut (ca.nu) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.46
Jurisdictions
Yukon jurisdiction pack
Added the gated Yukon (ca.yt) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.45
Jurisdictions
Northwest Territories jurisdiction pack
Added the gated Northwest Territories (ca.nt) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.44
Jurisdictions
Prince Edward Island jurisdiction pack
Added the gated Prince Edward Island (ca.pe) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.43
Jurisdictions
Newfoundland and Labrador jurisdiction pack
Added the gated Newfoundland and Labrador (ca.nl) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.42
Jurisdictions
New Brunswick jurisdiction pack
Added the gated New Brunswick (ca.nb) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.41
Jurisdictions
Nova Scotia jurisdiction pack
Added the gated Nova Scotia (ca.ns) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.40
Jurisdictions
Saskatchewan jurisdiction pack
Added the gated Saskatchewan (ca.sk) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.39
Jurisdictions
Manitoba jurisdiction pack
Added the gated Manitoba (ca.mb) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.38
Jurisdictions
Alberta jurisdiction pack
Added the gated Alberta (ca.ab) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.37
Jurisdictions
British Columbia jurisdiction pack
Added the gated British Columbia (ca.bc) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.36
Jurisdictions
Ontario jurisdiction pack
Added the gated Ontario (ca.on) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.35
Jurisdictions
Quebec jurisdiction pack
Added the gated Quebec (ca.qc) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.34
Jurisdictions
Saudi Arabia jurisdiction pack
Added the gated Saudi Arabia (sa) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.33
Jurisdictions
Kenya jurisdiction pack
Added the gated Kenya (ke) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.32
Jurisdictions
Argentina jurisdiction pack
Added the gated Argentina (ar) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.31
Jurisdictions
Colombia jurisdiction pack
Added the gated Colombia (co) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.30
Jurisdictions
South Korea jurisdiction pack
Added the gated South Korea (kr) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.29
Jurisdictions
DR Congo jurisdiction pack
Added the gated DR Congo (cd) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.28
Jurisdictions
Thailand jurisdiction pack
Added the gated Thailand (th) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.27
Jurisdictions
Ethiopia jurisdiction pack
Added the gated Ethiopia (et) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.26
Jurisdictions
Türkiye jurisdiction pack
Added the gated Türkiye (tr) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.25
Jurisdictions
Iran jurisdiction pack
Added the gated Iran (ir) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.24
Jurisdictions
South Africa jurisdiction pack
Added the gated South Africa (za) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.23
Jurisdictions
Egypt jurisdiction pack
Added the gated Egypt (eg) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.22
Jurisdictions
Vietnam jurisdiction pack
Added the gated Vietnam (vn) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.21
Jurisdictions
Philippines jurisdiction pack
Added the gated Philippines (ph) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.20
Jurisdictions
Mexico jurisdiction pack
Added the gated Mexico (mx) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.19
Jurisdictions
Brazil jurisdiction pack
Added the gated Brazil (br) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.18
Jurisdictions
Nigeria jurisdiction pack
Added the gated Nigeria (ng) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.17
Jurisdictions
Japan jurisdiction pack
Added the gated Japan (jp) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.16
Jurisdictions
Bangladesh jurisdiction pack
Added the gated Bangladesh (bd) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.15
Jurisdictions
Pakistan jurisdiction pack
Added the gated Pakistan (pk) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.14
Jurisdictions
Indonesia jurisdiction pack
Added the gated Indonesia (id) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.13
Jurisdictions
China jurisdiction pack
Added the gated China (cn) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.12
Jurisdictions
India jurisdiction pack
Added the gated India (in) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.11
Jurisdictions
Scotland jurisdiction pack
Added the gated Scotland (gb.sct) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.10
Jurisdictions
Sweden jurisdiction pack
Added the gated Sweden (se) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.9
Jurisdictions
Romania jurisdiction pack
Added the gated Romania (ro) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.8
Jurisdictions
Belgium jurisdiction pack
Added the gated Belgium (be) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.7
Jurisdictions
Netherlands jurisdiction pack
Added the gated Netherlands (nl) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.6
Jurisdictions
Ukraine jurisdiction pack
Added the gated Ukraine (ua) jurisdiction registry pack — court structure modeled true, all 12 administrative-justice categories scored, governance/records and access-to-justice routes, with official-source provenance.
v5.22.5
Jurisdictions
Hawaii jurisdiction pack
Added the Hawaii civil jurisdiction pack (us.hi) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.4
Jurisdictions
West Virginia jurisdiction pack
Added the West Virginia civil jurisdiction pack (us.wv) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.3
Jurisdictions
Idaho jurisdiction pack
Added the Idaho civil jurisdiction pack (us.id) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.2
Jurisdictions
Nebraska jurisdiction pack
Added the Nebraska civil jurisdiction pack (us.ne) as a separate registry file.
Documented the jurisdiction's court structure, administrative adjudication routes, public-records regime, consumer-protection body and access-to-justice resources.
Kept this release scoped to one jurisdiction so the version history remains incremental and reviewable.
v5.22.1
AI & automation
Release automation guard
Disabled the push-based auto-version bump so manually versioned jurisdiction PRs keep their intended release numbers and changelog entries.
Aligned package metadata, lockfile and the UI version after the automated v5.22.0 bump advanced the version without adding a bilingual changelog entry.
Paused the US rollout merge queue until each remaining jurisdiction can land with a clean one-version, one-jurisdiction history.
v5.22.0
Content / legal
Release v5.22.0
Tagged release v5.22.0.
v5.21.4
Jurisdictions
New Mexico jurisdiction pack
Added the New Mexico civil jurisdiction pack (us.nm) as a separate registry file.
The release covers court structure, administrative adjudication, public records, consumer protection and access-to-justice routes.
Kept this version scoped to one jurisdiction so the release history stays incremental.
v5.21.3
Jurisdictions
Kansas jurisdiction pack
Added the Kansas civil jurisdiction pack (us.ks) as a separate registry file.
The release covers court structure, administrative adjudication, public records, consumer protection and access-to-justice routes.
Kept this version scoped to one jurisdiction so the release history stays incremental.
v5.21.2
Jurisdictions
Mississippi jurisdiction pack
Added the Mississippi civil jurisdiction pack as one registry file with the state's court tree, administrative adjudication routes, public-records regime and access-to-justice resources.
Modeled Mississippi's Circuit, Chancery, County, Justice and Municipal Court layers without flattening family, probate, small-claims or agency-review paths.
Kept this release scoped to one jurisdiction so the version history remains incremental and easy to review.
v5.21.1
Jurisdictions
US state registry wave
Merged the gated US civil jurisdiction packs for Texas, Florida, Pennsylvania, Illinois, Ohio, Georgia, North Carolina, Michigan, Virginia, Washington, Arizona, Tennessee, Massachusetts, Indiana, Missouri, Maryland, Wisconsin, Colorado, Minnesota, Louisiana, South Carolina, Kentucky, Oregon, Alabama, Oklahoma, Utah, Nevada, Arkansas and Iowa.
Each state pack remains jurisdiction-as-data: one registry file per state, official-source provenance, 12-category administrative adjudication coverage, court structure, governance and records routes, and access-to-justice entries.
Aligned the release metadata, lockfile and bilingual changelog after the automated v5.21.0 bump landed separately.
v5.21.0
Content / legal
Release v5.21.0
Tagged release v5.21.0.
v5.20.0
Content / legal
Release v5.20.0
Tagged release v5.20.0.
v5.19.0
Content / legal
Release v5.19.0
Tagged release v5.19.0.
v5.18.3
Content / legal
Release v5.18.3
Tagged release v5.18.3.
v5.18.2
Content / legal
Release v5.18.2
Tagged release v5.18.2.
v5.18.1
Content / legal
Release v5.18.1
Tagged release v5.18.1.
v5.18.0
Content / legal
Release v5.18.0
Tagged release v5.18.0.
v5.17.0
Content / legal
Release v5.17.0
Tagged release v5.17.0.
v5.16.4
Content / legal
Release v5.16.4
Tagged release v5.16.4.
v5.16.3
Release metadata
Release metadata aligned
Manually aligned the published version after the automated bump to 5.16.2 so the site, package metadata and changelog stay consistent.
The bilingual release note confirms that the local matter sync and imported-folder provenance fixes are present on main.
v5.16.2
Content / legal
Release v5.16.2
Tagged release v5.16.2.
v5.16.1
Security
Cloud sync and local provenance
Local matter imports can now fall back to an authenticated server route that attaches the matter to the signed-in account when direct RLS-protected writes are rejected.
Each matter can remember imported local workspaces, including the source folder name and relative file paths, preparing the ground for future local reorganization.
The dashboard and Evidence workspace now show the local location linked to a matter without claiming direct disk access before local permission is granted.
v5.16.0
Content / legal
Release v5.16.0
Tagged release v5.16.0.
v5.15.1
Intake & onboarding
TAQ intake and local matter recovery
Added Tribunal administratif du Québec recognition across document intake, generated court labels and workspace court filters.
Made local-only matters visible in the workspace sync state and easier to import into the cloud.
Kept document intake destinations explicit so uploads can be assigned to the correct existing matter.
v5.15.0
Content / legal
Release v5.15.0
Tagged release v5.15.0.
v5.14.0
Content / legal
Release v5.14.0
Tagged release v5.14.0.
v5.13.0
Content / legal
Release v5.13.0
Tagged release v5.13.0.
v5.12.2
Workspace & matters
Fast-path folder import
Whole-folder import now shows a progress screen with files detected, accepted, ignored, OCR pending and errors.
Once the import queue is created, the workspace automatically opens classification review so large uploads no longer require scrolling before continuing.
Added the “Continue automatically after upload” setting, enabled by default, with an option to stay on the screen when adding more files.
v5.12.1
Content / legal
Release v5.12.1
Tagged release v5.12.1.
v5.12.0
Content / legal
Release v5.12.0
Tagged release v5.12.0.
v5.11.0
Content / legal
Release v5.11.0
Tagged release v5.11.0.
v5.10.0
Content / legal
Release v5.10.0
Tagged release v5.10.0.
v5.09.11
Content / legal
Release v5.9.11
Tagged release v5.9.11.
v5.09.10
Evidence
Workspace portal and evidence upload fixes
Added Investigations and Bailiff portals to the top workspace navigation beside the Firm portal.
Separated adding files to an open matter from importing a matter-backup JSON file, with the document intake preselecting the open matter.
Stopped signed-in evidence uploads from silently falling back to browser storage when the cloud save fails; users now see a clear retryable error.
v5.09.9
Content / legal
Release v5.9.9
Tagged release v5.9.9.
v5.09.8
Marketplace
Visible investigation entry point
Added an Investigations link to the workspace home navigation so the investigation module is reachable without hunting through the matter tab strip.
Added a Plan an investigation action card that opens the Investigation module for a single matter or jumps to My matters when the user has several files.
Added an Investigations & asset search marketplace card so investigator services are visible beside attorneys, bailiffs and commissioners.
v5.09.7
Content / legal
Release v5.9.7
Tagged release v5.9.7.
v5.09.6
Content / legal
Safer operator credential loading
Updated owner-run Supabase scripts to prefer .env.production.local before .env.local so production admin operations do not mix development public URLs with production service credentials.
Clarified the recovery guidance emitted by the founder script so missing admin credentials point operators to the production local env file.
Kept real credentials out of committed source while preserving the environment-variable wiring needed for launch operations.
v5.09.5
Content / legal
Release v5.9.5
Tagged release v5.9.5.
v5.09.4
Intake & onboarding
Launch control docs and operator scripts
Added a launch-control note that separates what works today, intentional limits, dashboard setup gaps and claims that must not be promised yet.
Documented the Phase 1 public-beta scope split around the self-represented litigant spine from intake through export or next action.
Added owner-run Supabase helper scripts for founder access, attorney approval and targeted account deletion during launch operations.
v5.09.3
AI & automation
Clearer AI import confirmation
Redesigned the document-import match step with explicit Step 1 and Step 2 headings so court-file confirmation and matter destination read as separate decisions.
Removed radio controls when there is only one detected court file number or only one destination, replacing them with confirmation cards and an edit escape hatch.
Added an import summary card showing the court file, target matter and detected document type before the final confirmation.
v5.09.2
Workspace & matters
Reliable cloud import for stranded local matters
Made the stranded-local-matter import wait for the final cloud write before showing success.
Stranded local matters now appear in My matters immediately with a local-only sync badge, so they can be opened before cloud migration.
After a successful cloud migration, imported matters are removed from browser storage so the database remains the signed-in source of truth.
Failed imports now keep the local matter intact and show a clear retryable error instead of silently hiding the problem.
v5.09.1
Security
Secret-gated founder auth recovery
Added a locked-down POST /api/auth/recover endpoint that can mint a one-time Supabase magic link for allowlisted founder emails without sending email.
Protected the recovery route with AUTH_RECOVERY_SECRET, service-role-only execution and an AUTH_RECOVERY_EMAILS allowlist override for production operations.
Returns clear operational errors when recovery is disabled, the service role is missing or Supabase cannot generate the link.
v5.09.0
Content / legal
Release v5.9.0
Tagged release v5.9.0.
v5.08.6
Content / legal
Release v5.8.6
Tagged release v5.8.6.
v5.08.5
Content / legal
Release v5.8.5
Tagged release v5.8.5.
v5.08.4
Content / legal
Release v5.8.4
Tagged release v5.8.4.
v5.08.3
Content / legal
Release v5.8.3
Tagged release v5.8.3.
v5.08.2
Content / legal
Release v5.8.2
Tagged release v5.8.2.
v5.08.1
Content / legal
Release v5.8.1
Tagged release v5.8.1.
v5.08.0
Content / legal
Release v5.8.0
Tagged release v5.8.0.
v5.07.6
Ops / CI / infra
Testim cross-browser E2E workflow and token wiring
Added a manual, dispatch-only Testim grid workflow that runs the cross-browser E2E suite by label (smoke, auth, core, locale, trust) against the production site.
Wired the Testim CLI token through a TESTIM_TOKEN repository secret and standardized the token name across the test script, local environment and CI.
The workflow guards against a missing token and uploads JUnit results as a build artifact for review.
v5.07.5
Marketplace
Momentic persona journeys and Support Center capacity notice
Added a Momentic persona and journey suite for public smoke, self-represented litigant, lawyer ethics, expert provider, service buyer, founding partner and trust-review flows.
Added command-line Momentic runners for local, smoke, persona, production and upload workflows, with the API key passed through the environment.
Added an operational notice on /support explaining the current intensive testing period, observed sign-in limits and capacity upgrade work.
Added a public progress grid for sign-in, concurrent capacity, code audit and expanded login-option workstreams.
The communication acknowledges user inconvenience while presenting stabilization of the 5.7 family as this week's priority work.
v5.07.4
Content / legal
Release v5.7.4
Tagged release v5.7.4.
v5.07.3
Content / legal
Release v5.7.3
Tagged release v5.7.3.
v5.07.2
Content / legal
Release v5.7.2
Tagged release v5.7.2.
v5.07.1
Content / legal
Release v5.7.1
Tagged release v5.7.1.
v5.07.0
Content / legal
Release v5.7.0
Tagged release v5.7.0.
v5.06.2
Content / legal
Release v5.6.2
Tagged release v5.6.2.
v5.06.1
Content / legal
Release v5.6.1
Tagged release v5.6.1.
v5.06.0
Content / legal
Release v5.6.0
Tagged release v5.6.0.
v5.05.7
Marketplace
Investigation workspace and mandate marketplace
Added an Investigation tab to every matter: investigator assignments, fieldwork, deliverables, live feed, risk flags and promotion into chronology or tasks.
Added an investigation mandate marketplace flow: attorneys post mandates, approved investigators can claim them, and status remains visible to the team, admin and client.
Added a local investigator portal (/app/investigator) and a Supabase migration for mandates, assignments, deliverables, live events and risk flags.
v5.05.6
Intake & onboarding
Matter classification architecture
Replaced litigation-only document classification with a full lifecycle taxonomy covering communications, evidence, investigation, dispute resolution, legal analysis, settlement, enforcement, AI work product and risk material.
Added automatic classification for emails, call logs, recordings, transcripts, municipal reports, OBSI/FCAC complaints, settlement proposals and chronologies, with confidence fields and custody metadata.
The evidence register now uses grouped category filters and neutral recording metadata such as “Participant recording.”
v5.05.5
Content / legal
Release v5.5.5
Tagged release v5.5.5.
v5.05.4
Content / legal
Release v5.5.4
Tagged release v5.5.4.
v5.05.3
Content / legal
Release v5.5.3
Tagged release v5.5.3.
v5.05.2
Content / legal
Release v5.5.2
Tagged release v5.5.2.
v5.05.1
Content / legal
Release v5.5.1
Tagged release v5.5.1.
v5.05.0
Content / legal
Release v5.5.0
Tagged release v5.5.0.
v5.04.0
Content / legal
Release v5.4.0
Tagged release v5.4.0.
v5.03.2
Content / legal
Release v5.3.2
Tagged release v5.3.2.
v5.03.1
Content / legal
Release v5.3.1
Tagged release v5.3.1.
v5.03.0
Content / legal
Release v5.3.0
Tagged release v5.3.0.
v5.02.1
Content / legal
Release v5.2.1
Tagged release v5.2.1.
v5.02.0
Intake & onboarding
Public portal — upload-first onboarding
Launched the public-facing portal with upload-first onboarding: citizens can upload a document to start, see an instant AI-powered summary, and enter the workspace without a prior account.
Added an onboarding modal that surfaces no-legal-advice guardrails and guides new users through the first-file flow.
Fixed import persistence across logout/login cycles so documents and matter state survive session boundaries.
Automated semantic-version bumping on every merge to main via CI (chore(release) commit + git tag).
v5.01.0
Payments
Provider payout escrow
Added a provider payout escrow state machine with strictly gated release, Stripe refund and dispute handling, clawback math, and a backward-compatible ledger migration.
v4.98.0
Notifications & email
Transactional notification delivery
Added provider-agnostic email/SMS delivery, an idempotent Supabase outbox with RLS, cautious bilingual templates and a gated server route to prepare deadline reminders, verification updates and marketplace intakes.
v4.88.0
Jurisdictions
Search-engine launch preparation
Added webmaster verification metadata hooks, an IndexNow key endpoint and submission script, and expanded the search-engine launch checklist so global edition pages are prepared for sitemap submission beyond Google.
v4.87.0
Jurisdictions
Compact edition menu and German launch copy
Moved the global edition list into a compact dropdown, added German as an informational locale, and made the Germany country edition resolve to German-first product and legal-prep copy.
v4.86.0
Jurisdictions
Country-edition shortcut URLs
Added country-edition shortcuts such as /editions/pt, /editions/br and /br so testers can reach localized country edition pages without remembering the full /{language}/editions/{country} URL pattern.
v4.85.0
Localization
Global country editions and localized launch surfaces
Expanded the single-codebase edition registry globally with 190+ country and regional editions, country-specific currencies, native-language launch targets, legal-template packs, local authority fallbacks, localized country-edition pages, hreflang sitemaps and a multi-search-engine launch checklist.
v4.84.0
Marketplace
Operational content for beta surfaces
Replaced temporary marketplace and expert-discipline copy with concrete beta framing, preparation guidance and actionable empty states.
v4.83.0
Jurisdictions
Edition-aware cookies and disclaimer pages
Cookies and disclaimer pages now use the same edition-aware legal resolver as privacy, terms and data-rights: the US edition uses Judge911.com branding and English-prevailing legal posture, while Québec keeps Loi 96/French-prevailing framing with counsel-gated placeholders where final notices still need review.
v4.82.0
Jurisdictions
Edition-aware legal documents
Privacy, terms, legal notices, data-rights, retention and legal-hold copy now follow the active edition: Québec remains Law 25/Loi 96 with French prevailing, while the US edition is marked as US-law, English-prevailing and counsel-gated where final legal drafting is pending.
v4.81.0
Jurisdictions
Edition-aware money formatting
Money displays, marketplace prompts and checkout currency now use the active edition's currency resolver, so Québec and Canada stay in CAD while the US edition uses USD.
v4.80.0
Localization
Edition-aligned home locale and brand
Default language routing and primary brand labels now follow the active edition: Judge911.com opens in English by default and the US edition interface uses the Judge911.com brand.
v4.79.0
Jurisdictions
Edition-aware canonical metadata
Metadata, HTTP Link headers, canonical links and structured data now use the active edition domain, so Judge911.com no longer publishes SEO links pointing back to Juge.ca.
v4.78.0
Payments
Automated referral acceptance
The growth engine now counts an invitation automatically as soon as authentication confirms the new account, with idempotent processing that prevents duplicates and keeps the accepted counter synchronized.
v4.77.0
Marketplace
Multi-edition platform and marketplace contact protection
Introduced a single-codebase edition system (Québec, Canada, United States) with an always-visible edition notice that cross-links each regional site, so brand, jurisdiction, language and currency follow the edition automatically.
Added marketplace contact protection: a professional's email is never exposed, inquiries are relayed through our own mail servers, and shared phone numbers, emails and messaging handles are masked until an engagement is confirmed.
v4.76.0
Ops / CI / infra
Footer branch links to its live deployment
The branch name in the footer version line is now a link to that deployment's live URL, making it easy to open and review preview/experiment builds from the page itself.
v4.75.0
Brand & marketing
Restored Juge.ca brand across the interface
Restored "Juge.ca" as the platform display name across titles, homepage, signup, chat, FAQ, roadmap, campaigns and the disclaimer, replacing the "Judge911.com" references that had been reintroduced. Email addresses and external links were left unchanged.
v4.74.0
Workspace & matters
HubSpot fallback submission restored
Switched the server-side HubSpot fallback to the legacy form upload endpoint accepted by the original waitlist form, restoring successful HubSpot forwarding without a private CRM token.
v4.73.0
Content / legal
Early-access lead capture fix
Replaced the broken HubSpot embedded early-access form with the first-party newsletter signup endpoint so leads are saved before HubSpot forwarding.
Consolidated newsletter HubSpot forwarding onto the shared server-side contact upsert helper, including updates for existing contacts.
Added a server-side HubSpot Forms API fallback using the validated original waitlist form GUID, and surfaced that lead-capture readiness in /api/health.
v4.72.0
Workspace & matters
IP protection attached to the sovereign canon
Added a Juge.ca-specific IP canon, private proprietary license, no-implied-license notice and publishing rules adapted to King Legend Inc.
Added an IP register and protection runbook that separate platform assets from confidential user-owned matter documents.
Added `npm run check:ip` and wired the IP posture into release checks so the superseded King Legend Group operator wording cannot return.
v4.71.0
Payments
Automatic time-tracking core
Added a pure sessionizer that turns activity signals into non-overlapping work sessions while excluding idle gaps.
Added a client provider that emits content-free workspace signals with heartbeats, idle detection, tab visibility handling and sendBeacon flushing.
Added an /api/activity endpoint that validates signals, rejects note or document text metadata and prepares append-only backend ingestion.
Added configurable billable-hour rounding, including tenth-hour billing and the demo configuration that maps 21 minutes to 0.35 hr.
Added template billing narratives and tests covering exhibit reading, breaks, context switches, two tabs, noise drops, signal privacy and deterministic re-derivation.
Strengthened the disclaimer with Québec-first language on general legal information, AI limits, affiliated partners, feedback and professional responsibility.
v4.70.0
Evidence
Justice and criminal expansion roadmap
Added a "Save lives through access to justice" roadmap section connecting the civil-first strategy, distress detection, evidence intelligence, and cautious criminal-law pilots.
Published a founding principle: Juge.ca should detect legal, financial, and personal points of collapse before they cost people rights, dignity, liberty, or safety.
Added trust guardrails: staged criminal-law entry, separated infrastructure for sensitive evidence, mandatory human oversight, and explainable transparency.
v4.69.0
AI & automation
AI and platform disclaimer
Added a bilingual /disclaimer page (FR/EN/ES) covering no-legal-advice, AI-generated content, third-party references and feedback, built from a shared, portable brand module.
Added a standing AI-content notice in the footer on every page, linking to the full disclaimer, plus a Disclaimer link in the legal column.
Added the "AI content may contain errors — verify before relying" notice to generated drafts and the support assistant.
Changed the platform display name from "Judge911" to "Juge.ca" across the interface.
v4.68.0
Content / legal
Knowledge base navigation
Added a Learn link to the main navigation so the public guide library is reachable from every page.
v4.67.0
Localization
Legal content engine and guide library
Added a bilingual public learning hub at /learn, a guide index at /guides and six practical starter guides for service, evidence, banking disputes, housing, deadlines and small-business contract disputes.
Added Article, FAQPage and BreadcrumbList structured data plus sitemap coverage for every seeded guide slug.
Added a guarded /admin/content workspace with editorial inventory, publication checklist, production prompt and Command Center shortcut.
Added a Growth Engine expansion model that scores candidate markets across access-to-justice need, population scale, launch ease, revenue potential and institutional openness.
Added strategic lenses for balanced, leverage-and-speed, raw-scale and mission-driven ranking so expansion planning can compare markets without rewriting the data.
Added tests covering score normalization, market integrity, distinct ranking behavior and the six Wave-1 lead markets.
v4.65.0
Payments
Referral growth engine
Added reusable Judge911 referral links at /r/{code}, with click tracking, signup attribution and a signed-in referral dashboard.
Added a referral_codes table so one public link can invite multiple users while referrals remains the per-accepted-user ledger.
Added beta-safe invite-five progress tracking with manual reward review language and no attorney-referral or fee-sharing implication.
v4.64.1
Content / legal
Campaign admin guard hardening
The campaign engine admin page now forces dynamic request-time rendering so the existing server-side administrator check always runs before the page is shown.
v4.64.0
Localization
365-day campaign engine
Added a guarded /admin/campaigns growth workspace with the first 10 Judge911 campaign angles, A/B copy, French and English versions, and Facebook / Instagram / LinkedIn / X / Threads export previews.
Added a deterministic 365-day scheduler and an admin JSON export route so the campaign system can produce platform-ready posts with UTM attribution.
Seeded the existing Growth Engine campaign registry with Campaigns 001-010 and added a Command Center shortcut to the campaign engine.
v4.63.0
Content / legal
Judge911 Growth Engine v1 foundation
Homepage conversion copy now leads with “Facing a Legal Problem?”, with Start My Matter and Learn How It Works calls to action instrumented for funnel tracking.
Added site-wide growth tracking for page views, CTA clicks, funnel starts, sticky Start My Matter clicks and exit-intent checklist requests.
Added /api/growth/events, /api/public/stats and the Growth Engine database tables for growth_events, campaigns and referrals, plus a live activity dashboard section on the homepage.
v4.62.0
Security
Founding Partners Program
Added a homepage Founding Partners Program section near the Juge.ca future-building CTA.
Added bilingual founding partner conversion routes, including /en/founding-partners and /fr/partenaires-fondateurs, with program tiers, contribution types and a compliant application form.
Added a trusted server intake route and RLS-protected founding partner applications table, with best-effort HubSpot forwarding and explicit King Legend Inc. consent language.
v4.61.0
Workspace & matters
Pre-storage upload safety scanning
Evidence ingestion now calls a server-side upload safety scanner before writing binary files to the private evidence bucket.
The path blocks storage when malware scanning or CSAM safety is required/live but not configured, or when a scanner returns a blocking verdict.
Tests and the trust-layer gate now verify fail-closed behavior before storage.
v4.60.0
Payments
Provider payout architecture
Added a provider payout ledger and edition-aware payout accounts: Stripe Connect Express for the U.S. edition, encrypted Canadian EFT for the Québec edition.
Added /api/payouts/onboard to start U.S. Connect onboarding or store encrypted Canadian EFT details, with human approval before any disbursement.
/api/health now exposes active payout-rail readiness; disbursement stays blocked unless PROVIDER_PAYOUTS_LIVE and edition-specific approval/configuration are present.
v4.59.1
Content / legal
Verification requests in Command Center
Command Center now surfaces pending professional verifications in the founder attention queue.
A quick action links directly to the legal-professional review queue while keeping approval inside the human-in-the-loop admin flow.
v4.59.0
Content / legal
API-verifiable authority bank
Added the server route /api/legal/authorities/verify: it checks one citation or a text block, requires a session in production, and clearly separates “api-verified” results from public-source links.
U.S. citations can now be verified against the CourtListener API when COURTLISTENER_API_TOKEN is configured; Canadian citations remain source-link-ready until an approved CanLII or official feed is connected.
The Research tab can run citation-by-citation API checks, and /api/health now exposes authorityBankApi readiness.
v4.58.1
AI & automation
Tomorrow vision moved to Today
The homepage Today column now lists the copilot capabilities already shipped: litigation AI, evidence intelligence, automated chronology, procedure generation, hearing preparation and next-step recommendations.
The forward-looking column is now “Next” and focuses on the deeper work still ahead: API-verified authority bank, filing integrations, advanced hearing simulation and settlement/enforcement intelligence.
v4.58.0
AI & automation
Copilot trust layer and authority checks
The copilot now treats matter summaries as untrusted context: suspicious instructions are neutralized, surfaced in the interface and kept out of the model instruction channel.
AI answers return a citation report with CanLII, CourtListener or Cornell LII links based on recognized citation format, without pretending automatic judicial verification.
Copilot runs are recorded in the matter audit log or a new ai_audit_events table for general questions, and procedure suggestions now show missing prerequisites plus the authority to verify.
v4.57.2
Ops / CI / infra
Professional name in verification
The professional verification form now asks for the professional's full name in addition to membership number, issuing authority and firm.
The admin review queue shows the submitted name separately from the firm, backed by an idempotent Supabase migration.
v4.57.1
Marketplace
Attorney-lane ethics guardrail
The Pricing page now frames professional plans as practice SaaS subscriptions, with monetized attorney-client matching blocked until an ethics memo approves it.
Added a machine-readable attorney marketplace policy that blocks per-lead, unapproved per-matter, success-fee and percentage-of-legal-fee models.
The check:trust-gaps gate now fails if the old attorney lead marketplace or per-qualified-matter pricing language returns.
v4.57.0
Marketplace
Marketplace trust-layer gates
Added a check:trust-gaps gate that turns the business, ethics and trust/safety gaps into release-verifiable controls.
/api/health now reports attorney monetization, provider payouts, upload scanning, CSAM safety, transactional communications, AI governance and rate-limiting readiness.
Server-side evidence ingestion can reject binary files when upload scanning is required but not configured.
Added reference docs for attorney marketplace ethics, Stripe Connect payouts, upload trust and safety, data lifecycle/DR, and AI governance.
v4.56.1
Ops / CI / infra
Strict migration CI gate fix
The strict migration CI gate no longer uses an invalid GitHub Actions expression on secrets; it decides in the shell whether to run migrations or skip them.
v4.56.0
Jurisdictions
GA release gates and edition-aware legal framework
Added a static release-blocker gate that verifies disabled US deadlines, authoritative Spanish, server-side attorney verification, telemetry and US legal pages.
Added a verify:attorney harness proving professionals cannot self-verify and approval must pass through the admin review function.
Cookies, transparency and data-rights pages are now US-edition specific when the US environment is active, with a dedicated /data-rights route.
Added a release runbook covering CI gates, strict migrations, Vercel deploys from the repo root and production smoke tests.
v4.55.1
AI & automation
Error telemetry deployment
The migration runner now applies and verifies the telemetry_events table, so the error tracking added in 4.55.0 persists in production.
v4.55.0
AI & automation
Release readiness: languages, compliance, CI and telemetry
Spanish now ships as a release-authoritative locale with complete interface-key coverage, guarded by a static authoritative-locale check.
The U.S. edition now renders U.S.-specific privacy and terms pages covering CCPA/CPRA notices, unauthorized-practice-of-law limits, controlled beta status and legal-review caveats.
CI now gates dependency audit, authoritative-locale coverage and beta smoke harnesses; client-side error telemetry records incidents to a dedicated table when Supabase is configured.
The Dependabot esbuild alert is resolved by moving the tsx/esbuild chain onto the patched esbuild release.
v4.54.0
Jurisdictions
Deadline guardrail: U.S. edition
The deadline calculator no longer emits automatic deadlines in the U.S. edition until CA/NY/NJ/CT/federal rules are sourced and verified; users are directed to manual entry instead.
v4.53.1
Ops / CI / infra
Replayable commissioner migrations
The commissioner portal migration now drops older write policies before recreating them, so deployment can replay 0017 and then apply the 0018 conduct controls.
v4.53.0
Jurisdictions
Commissioner portal: identity, jurat and RON rules
Added an appointment-authority registry and conservative RON gating so online mode is available only in enabled jurisdictions.
The commissioner flow now runs identity → session → jurat, with completion blocked until the deponent's identity is verified.
Sworn-document orders now record jurat data, identity status, certification references, timestamps and a reliable projection into the affidavit registry.
v4.52.0
Security
Commissioner portal: verification and sworn documents
Added a complete commissioner portal: verification application, pending state, available-order board, claim flow and sworn-document certification.
Added an RLS migration for commissioner profiles, sworn-order assignment, claim/certify functions and self-verification blocking.
Added a dedicated admin page to approve/reject commissioners and offer sworn-document orders to verified commissioners.
v4.51.2
Content / legal
Dynamic invitation and share links
The /invite/[token] and /share/[token] pages now render dynamically so real invitation and targeted-share links do not fall through to a 404 page.
v4.51.1
Ops / CI / infra
Professional portal migration deployment
The deployment script now also applies the professional verification and targeted-share migrations, then verifies that the new RLS tables exist.
v4.51.0
Security
Professional portal: verification, targeted sharing and generation
Attorney/notary verification is now server-authoritative with an RLS table, submission API, admin review queue and edition-aware authority registry for Quebec or U.S. builds.
Clients can create targeted attorney shares with scope, expiry and review-or-collaboration permission; professionals get a dedicated inbox and can accept /share links.
The Proceedings tab can generate a draft procedure and draft affidavit from organized facts, exhibits and witnesses, always marked as unfiled drafts.
v4.50.0
Evidence
Cloud recovery for local matters
Importing a matter found only on the device now copies local evidence files into cloud storage before saving the matter.
On load, the workspace also repairs cloud matters whose evidence files still existed only in IndexedDB on this device.
The import button now shows a waiting state and clearly reports when any files remain local after a recovery attempt.
The chronology now numbers every fact (¶1, ¶2, …) so motions cite “Chronology, ¶143” rather than a page.
New “Draft judgment” editor on the Judgment tab: write the order you're asking for first, with a one-page focus test that flags when it overflows.
New read-only motion-package assembly view (the 8-part structure) that pulls together your facts, exhibits, authorities and draft judgment — no auto-generation.
v4.48.0
Marketplace
Operational expert verification
Added an expert review migration with an audit history for checks, notes, verification, publication, suspension and archival decisions.
The admin panel can now record identity, professional order, insurance, sample report and conflict-protocol checks before publishing an expert.
v4.47.6
Marketplace
Expert filter server-render fix
Expert directory filters are now explicitly client-side to avoid importing client-module constants during server rendering.
v4.47.5
Marketplace
Production expert directory fix
Shared taxonomy helpers are now separated from the browser Supabase client so server-rendered `/experts` pages can render without error.
v4.47.4
Marketplace
Idempotent migrations through expert marketplace
Migrations 0009 and 0011 now recreate their RLS policies safely so Vercel deployments can replay the full chain through 0013.
v4.47.3
Content / legal
Robust production env loading
Activation scripts now load `.env.production.local` directly when the shell environment does not pass variables through to Node.
v4.47.2
Marketplace
Expert marketplace Supabase activation
The migration script now applies migrations 0008 through 0013 by default, including the expert marketplace.
Added a `verify:experts` activation test to check expert tables, taxonomy, request creation and conflict logging with production Supabase variables.
v4.47.1
Intake & onboarding
Expert intake — server-side conflict screening
Expert requests now go through an authenticated server route that creates the request, runs conflict screening, computes a qualification score and writes the audit log.
The intake form blocks submission unless parties are identified, keeping conflict screening mandatory before expert review.
New /experts directory with search, filters, discipline pages, public profiles, verification badges, indicative fees, and a conversational intake button.
Added the expert workspace, application flow, AI prompts for intake/qualification/conflicts, and the FR→EN profile translation route.
v4.46.2
AI & automation
Copilot outage fixed + full diagnostics
Root cause of “Copilot unavailable” found and fixed: the question-quota database function failed on every call (ambiguous column reference) — the AI was never reached. Corrective migration 0012.
Every Copilot request now carries a request ID through the server logs and into any error message: “Copilot unavailable · Status · Provider: Anthropic · Request ID” — a user report is traceable to the exact log line.
Server-side logging at each stage: request received, authenticated user, matter, Anthropic model used, and typed Anthropic error statuses (401 key, 403 permission, 404 model, 429 rate limit) with sanitized messages.
v4.46.1
Content / legal
Homepage repositioning — early-access framing
New hero: “Turn your legal problem into a structured case.” with the capability checklist (automatic chronology, document management, progress tracking, dispute resolution, procedure preparation), an early-users invitation and an honest 🚧 in-active-development badge.
v4.46.0
AI & automation
Unified next-step engine — one answer to “what now?”
Toward Juge 9.11 (“a litigation copilot that always knows your next step”): deadlines, hearing preparation, the resolution pathway, file-building gaps and the lifecycle journey are now fused into ONE ranked recommendation — instead of four tabs giving four different answers.
“Your next step” leads the matter Overview: the single top recommendation with its urgency (deadline pressure dominates), why it matters, and a one-click jump to the right tab — plus the runner-up steps.
Every matter card on the workspace home now shows its next step at a glance.
Deterministic and explainable: each recommendation carries its source (deadline, resolution, hearing, file gap, journey) and a transparent priority — overdue deadlines first, then expired waiting periods, hearing prep, resolution steps, then file building.
v4.45.4
Marketplace
Marketplace status integrated into the page header
The build-status notice now sits directly under the Marketplace title: “build in progress — coming soon”, the network description, and a detailed note on what is still being integrated and tested (profiles, ratings, pricing, availability, ordering, payments, messaging, provider onboarding) — so visitors understand the state of the marketplace at first glance.
v4.45.3
Marketplace
Marketplace construction notice
The marketplace page now carries a permanent “coming soon — build in progress” notice making clear that, during development, profiles, pricing, reviews, ordering features and workflows shown there are illustrative and may not yet be operational.
v4.45.2
Workspace & matters
Local matter recovery no longer re-flags imported matters
“Import to cloud” (for matters created on this device before sync was enabled) now also updates the device copy. Previously, matters with legacy identifiers were re-detected as missing after every import, and each click created another cloud duplicate.
v4.45.1
Payments
Reliability: local dates, stricter validation, sturdier forms
Same-day deadlines are no longer flagged as overdue — deadline math now compares local midnights instead of mixing UTC and local time (case analysis and workspace suggestions).
Generated documents are dated with your local date rather than UTC, removing the evening off-by-one.
Document-service checkout: the jurisdiction field is validated server-side, fee overrides reject invalid values, and the payment form times out cleanly after 15 seconds instead of hanging.
Matters created without a title get a bilingual default name, and corrupted locally saved team data can no longer break the firm portal.
Five new workspace tabs complete the litigation lifecycle after judgment: Remedies (appeals and recourses), Assets (recovery worthiness, debtor network, asset register and judgment-proofing detection), Enforcement (forced-execution readiness and seizure measures), Recovery (amounts recovered, distribution and satisfaction of the judgment debt) and Archive (file-closure checklist with retention guidance).
Lifecycle steps 34 to 47 now open directly in their dedicated module instead of a neighbouring tab.
Like the sibling engines, every check is deterministic and explains its reason, with citations where solidly established (Paulian action, arts. 1631–1636 C.C.Q.; demand to perform, art. 83 C.p.c.; prescription of a judgment debt, art. 2924 C.C.Q.). Legal information, not legal advice.
v4.44.5
AI & automation
AI engine dependency upgraded
Upgraded the AI SDK powering marketplace suggestions to version 6, resolving a published resource-consumption advisory (GHSA-866g-f22w-33x8). All known dependency vulnerabilities are now cleared.
v4.44.4
Security
Security dependency update
Updated PostCSS to 8.5.15 across the entire build pipeline, addressing a published security advisory (GHSA-qx2v-qp2m-jg93) about unescaped CSS output.
v4.44.3
Accessibility
Accessibility-support button now works as intended
Support Centre: “Request adapted support” now opens the ticket form with the “Accessibility” type preselected, moves keyboard focus to the form (announced to screen readers), and reopens the form correctly after a previous submission.
Direct links to the Support Centre (/support?type=…) now accept every ticket type, including accessibility.
v4.44.2
Workspace & matters
More visible development banner
The workspace's “active development” banner is now bright yellow and larger, so the invitation to report a problem can't be missed.
v4.44.1
Evidence
Corrected media kit and repository consolidation
The Press Centre media kit now offers Juge.ca's official logo (dark background, and light background with tagline) instead of unadopted concepts.
Consolidation: a single canonical tree for the platform — old parallel drafts are archived outside the repository; press documents and the reference judgment are grouped under docs/press.
v4.44.0
Workspace & matters
Judgment analyzer, portfolio view, hardened Google Drive import
New Judgment tab: analyze the rendered judgment — findings, costs, what was granted or denied — and choose the strategic path (accept, negotiate, or appeal), wired to lifecycle steps 31–33.
Portfolio view (cross-matter risk analysis): on demand, detects risks that cross your matters — shared adverse parties or counsel, deadline collisions, the same forum, compounding workload. Read-only, never automatic, and your matters stay sealed from each other.
Hardened Google Drive import: native Google files (Docs, Sheets, Slides) are converted on export (PDF/XLSX), errors are surfaced instead of failing silently, with “x / y” progress and a 100 MB size guard.
System status: new “Google Drive import” check in Settings and /api/health.
Press centre: media kit with downloadable official logos.
New Communications tab: log every interaction — calls, branch visits, voicemails, complaints — before it becomes evidence. Client–attorney exchanges are protected by privilege: visible to you only, never shared, never sent to AI or exports. Pattern detection (repeated verbal-only communications, unanswered written requests, unkept commitments).
Promotion to evidence only with a pertinence justification, recorded in the register; privilege-waiver warning before promoting a privileged exchange.
Evidence register rebuilt as a professional grid: statistics, search, type filters, sorting, compact sticky-header table, bulk operations, per-row action menu and a side detail drawer.
Control Center: “Founder Activity & Impact” section — active matters, litigation engine, attention queue, daily justice score, color-coded matter portfolio and lifetime statistics.
Outcome tracking: closing a matter records how it ended (settled, favorable/unfavorable judgment, withdrawn…) — aggregated anonymously in platform metrics.
The “Resolution” tab becomes the “Resolution Centre”.
v4.42.0
AI & automation
Copilot chat window + matter reliability
“Start Copilot” now opens a chat window: ask questions in sequence; answers keep the conversation context.
A failed cloud save of a matter is now shown clearly with a Retry button — no more matters that look created and then vanish on reload.
Local matter recovery: matters created on this device before sync was enabled are detected and importable to the cloud in one click.
Control Center: count of cloud matters tied to your account and a matter-store read probe (detects missing migrations).
v4.41.0
AI & automation
AI Copilot: 100 free questions, then 25¢ a question
Access to justice first: every account gets 100 free AI Copilot questions.
After that, pay as you use — 0.25 $ USD per question (4 questions = $1), billed monthly through Stripe. No bundles, no prepaid packs: you only pay for what you actually use.
A question is never billed if the answer fails; the counter and subscription manage themselves.
v4.40.0
AI & automation
Government recourse gateway + Copilot on Claude
Recourse directory for 18 public bodies — RAMQ, SAQ, SAAQ, Revenu Québec, Hydro-Québec, CNESST, IVAC, CRA (federal tax), CERB/pandemic benefits, federal pensions (CPP/OAS), social assistance, Retraite Québec, student financial aid, municipalities, schools, police ethics, the health network and federal services. Each body loads its own resolution pathway: review, ombudsman, administrative tribunal, with orientation deadlines and jurisdiction traps (the SAQ and Hydro-Québec fall outside the Protecteur du citoyen; 15-day municipal notice; CERB is contested in Federal Court, not Tax Court). The authoritative deadline is always the one printed on the decision you received.
Choosing “Government / administration” opens a searchable body picker; the generic ladder (review → Québec Ombudsman → TAQ) remains for any other ministry.
The AI Copilot now runs directly on the Claude Developer Platform (Anthropic), with spending capped at the workspace level.
Reliability: a failed matter-list load shows a warning with a Retry button instead of an empty workspace — your matters no longer visually disappear during a network failure.
Development-phase banner in the workspace, deep-linking to the Support Center bug-report form (/support?type=bug).
Control Center system map completed: Stripe webhooks, marketplace AI, HubSpot CRM, support GitHub mirroring, order notifications and the encryption key.
v4.39.1
Content / legal
Support desk env compatibility
The HubSpot private-app token is now read from HUBSPOT_TOKEN or HUBSPOT_ACCESS_TOKEN — either name activates live ticket mode.
v4.39.0
Notifications & email
Support Center → GitHub issue mirroring for bug reports
Bug reports submitted through the Support Center are now mirrored as GitHub issues on the platform repository, titled [Bug] …, with labels created automatically (bug, user-feedback, support-ticket, language, priority).
Privacy-aware diagnostics: when the repository is public, reporter details (email, account id, browser) are withheld from the issue and kept only in the support ticket; private repositories receive the full diagnostic block.
Entirely best-effort: without a GITHUB_TOKEN (Issues read/write) the support flow works unchanged — the HubSpot ticket remains the source of truth.
v4.38.0
Jurisdictions
Brand-entity SEO — Juge.ca is a platform, not a tribunal
New homepage identity for search engines: “Juge.ca | La justice, clarifiée” with a description stating plainly that Juge.ca is an independent, private legal-navigation platform — neither a court nor a government service.
schema.org structured data on every page: Organization (legal name 15149957 Canada Inc., disambiguating description “not a court, judge or government service”) + WebSite, so Google's knowledge systems stop resolving “judge911.com” to the Québec courts.
New /mission page (what we are, resolution-first approach, French-first, accessibility) and an indexable launch press release: “Juge.ca lance une plateforme québécoise de navigation juridique assistée par l'IA”, with NewsArticle structured data.
French URL aliases: /a-propos, /presse and /notre-mission permanently redirect to the right pages in every language.
All new pages are in the per-language sitemaps, and the sitemap was resubmitted to Google Search Console.
New first-class Resolution tab in every matter, before Proceedings: pick your dispute type (bank, housing, employment, consumer, insurance, government, professional discipline, construction, contract, family) and follow its tailored pathway — direct complaint, internal escalation, ombudsman, regulator — with per-step status, contacts, suggested waiting periods and linked evidence.
Litigation Readiness Score (0–100) with a visible checklist: complaint sent, required steps concluded, waiting periods expired, evidence preserved, chronology built, settlement attempts logged.
Smart Court Protection: the Proceedings tab stays locked until required resolution steps conclude — or you explicitly unlock it (“Have you attempted resolution?”), and the override is recorded in the file.
Settlement & Negotiation Ledger: every offer, counter-offer, call, email, mediation and refusal is timestamped and preserved.
One-click pathway documents built from the matter itself (parties, chronology, exhibits): complaint letter, follow-up, ombudsman submission, regulatory complaint, settlement proposal — and the “History of Resolution Attempts”, one of the most persuasive sections of a court file.
Every resolution action is auto-logged to the chronology, so resolution activity becomes evidence if litigation happens.
The login page now detects an existing session on load and redirects you straight to your portal (client/professional/bailiff/commissioner; administrators → /admin) — an authenticated user never sees the login form again.
Magic-link landings are fully processed: the access/refresh tokens that arrive in the URL are consumed, scrubbed from the address bar on every page, and a sign-in that completes after the page loads leaves the login screen immediately.
Supabase email throttling now shows a clear message — “We've already sent several emails recently. Please wait a few minutes…” — instead of the raw “email rate limit exceeded”, on signup, magic links, confirmation resends and password resets alike.
The navigation never mixes states: signed-in shows Home, Workspace, My account and Sign out; signed-out shows the public navigation with Sign in / Create account — and “Create account” now opens the signup form directly.
v4.35.0
Payments
Support Center — a real helpdesk on /support
/support is now a full Support Center: searchable knowledge base across 11 categories (getting started, account, workspace, document import, Copilot, marketplace, bailiff/commissioner services, privacy, billing, accessibility, technical), an FAQ, and quick actions — submit a ticket, report a bug, request a feature, accessibility support.
Ticket submission is wired to HubSpot CRM: the contact is created or updated by email, the ticket lands in the pipeline (stage: New) associated with the contact, and you get a confirmation number on the spot.
Tickets carry hidden diagnostics (signed-in user id with consent, page, browser, device, language, app version, timestamp) so support can help faster; required fields are validated server-side.
A ticket-status section tracks your submissions from this device (New → In review → Waiting on user → Resolved → Closed), and a dedicated accessibility-support section prioritizes adapted-help requests.
The legal-information disclaimer and the official-French notice stay visible on the page.
v4.34.0
Workspace & matters
Founder Admin Access + admin audit logging
Role-based access control formalized: user, attorney, partner, staff, admin, founder_admin — with founder_admin granted to the founder account in the database (migration 0008), never self-selectable.
The /admin Control Center pages are now gated server-side: non-administrators are redirected to the workspace with an “Access denied” notice. Frontend hiding is cosmetic only.
Admin audit log (who, what, when, which record): every Control Center page view and metrics read is recorded; elevated-role self-grants (staff/admin/founder_admin) are blocked at the database.
Control Center metrics now include appointments booked and the most recent admin activity; the founder sees an “Open Control Center” card on the workspace home.
v4.33.0
Localization
Multilingual SEO + official-language framework
Per-language sitemaps (sitemap-fr.xml through sitemap-he.xml) for all 9 supported languages, each URL carrying hreflang alternates for every language — and sitemap.xml is now the index that references them all.
hreflang + canonical now cover every public page in all 9 languages: HTTP Link headers are emitted per page, with x-default pointing to French (the official version).
Official-language notice on every translated page (English included): “French is the official language of Juge.ca. In the event of any discrepancy, ambiguity, omission, or conflict of interpretation, the French version shall prevail.” — in the reader's language.
Preferred language in your profile: pick any of the 9 languages in Settings; it is saved to your account, drives the locale cookie and switches the interface immediately.
Right-to-left rendering (Arabic, Hebrew) and route-based localization (/fr … /he) were already in place and are unchanged.
v4.32.0
Intake & onboarding
Justice Command Center + upload-first document intake
The workspace home is now a Justice Command Center: “What would you like to do today?” with action cards (Consult my matter, Litigation Copilot, Submit a procedure, Upload a court document), an Ask-a-Question AI front door, the legal marketplace (attorney, bailiff, commissioner, community legal resources) and your matters — the create-matter form is gone; matters are built from documents.
Upload-first intake: drop a PDF, photo, DOCX, EML, MSG, TIFF — or a whole disclosure ZIP from a former lawyer — and Juge.ca reads it (OCR in French + English for scans and photos), then extracts court, district, file numbers, document title, filing date, parties, counsel, hearing dates, procedural stage and chronology events.
Every extracted field carries a confidence score and stays editable; anything under 90% is flagged for review. Nothing is saved before you confirm.
Smart matter detection: a detected court file number that matches an existing matter offers “Add to existing” or “Create new”; several numbers ask you to pick; none lets you enter one manually — and existing matter information is never overwritten (conflicts are reported).
After confirmation the import creates parties (duplicates resolved), counsel, chronology events with source-page traceability, deadlines, hearings, exhibits, a proceeding, follow-up tasks and an import report — then opens the Litigation Copilot with a readiness score and next steps.
Mobile gets Take photo / Upload document / Create matter manually as first-class actions.
v4.31.0
Security
Account-type signup + authentication feedback
Signup now asks for your account type — Litigant/Client, Lawyer or legal professional, Bailiff, Commissioner for oaths — and routes you to the right portal (/app/client, /app/professional, /app/bailiff, /app/commissioner). Administrator access is granted in the database, never self-selected.
All auth feedback renders in a big, unmissable alert above the first field (a single component for login and signup): “Invalid email or password.”, existing account, magic link sent, verification required, “Account created. Check your email…”.
Live password validation under the field — 8 characters, uppercase, lowercase, number, special character — with per-rule pass/fail; “Create account” stays disabled until everything is valid.
The signup screen says “Create your Juge.ca workspace — Select your profile to reach the right work portal.” Accounts without a type go through /onboarding/account-type.
Security (schema 0007): the account type is stored server-side at signup via the trigger (never “admin”), and a trigger now blocks the self-service admin-role grant that was previously possible through the API.
v4.30.0
Security
Founder Command Center
New internal /admin/dashboard (administrators only): executive view of every subsystem — users, lawyers, verified bailiffs, matters, documents, procedures, orders, marketplace mandates, leads — across Today / 7 days / 30 days / All-time windows.
Growth (14-day signup chart), collected revenue (day/month/year/all-time and by service type), marketplace operations (status mix, average time to assignment and completion), support tickets, legal intelligence (procedure types, courts) and a system health map (Stripe, Supabase, storage, ingestion, AI).
Founder alert centre: signup drops, open tickets, orders awaiting admin, new lawyers, bailiff applications, media inquiries, today's revenue.
Aggregates go through a dedicated server route that verifies the session and the administrator role before any service-role query — RLS keeps protecting every table for everyone else.
v4.29.1
Notifications & email
Chat fallback email fixed
The chat widget fallback now writes to contact@judge911.com (a real, verified Microsoft 365 mailbox) instead of hello@judge911.com, which did not exist. Every public address on the site (contact, support, press, investors, accessibility, partnerships, marketplace) is now live on a single mailbox.
v4.29.0
Localization
Early-access page with lead capture
New Early access page (/early-access) with the HubSpot waitlist form (portal 43986063, form waitlist-jugeca) and a no-JavaScript fallback — no lead is ever lost.
The press release's “Sign up for early access” button now points to this page, in both French and English.
v4.28.0
Partnerships
Partner and press forms, wired to the CRM
New “Become a Partner” page (/partners): bailiffs, commissioners of oaths, attorneys, notaries and investigators apply with partner type, permit or professional-order number, territory served, languages and services — with explicit consent and verification before activation. The footer “Partnerships” link now points there.
The Press Centre gains a media-request form: journalist identity, outlet, medium (print, web, TV, radio, podcast, agency), circulation or monthly audience, subject and deadline — so replies can be prioritized with full context.
Every submission is persisted in Supabase (partner_applications and press_inquiries tables, RLS with no public policies — server-only writes) then forwarded to HubSpot as a qualified contact (lead status NEW, structured profile in the message property); when the contact already exists, the record is updated rather than dropped.
Schema 0006 applies at deployment; forms are fully bilingual with accessible labels and success/error states matching site conventions.
v4.27.0
Notifications & email
Deadline computation engine (art. 83 CCP)
New deadline calculator in the Deadlines tab: pick a rule (answer to the application — art. 145, case protocol — art. 149, setting down for trial — art. 173, notice of appeal — art. 360, revocation — art. 345–347, judicial review — art. 529, notification before presentation — art. 101) or a custom delay, enter the triggering date, and get the due date computed under article 83 CCP.
Built-in Québec juridical calendar: the holidays of s. 61(23) of the Interpretation Act (Sundays, New Year's Day, Good Friday, Easter Monday, National Patriots' Day, June 24, July 1 — or July 2 when July 1 falls on a Sunday —, Labour Day, Thanksgiving, Christmas), Easter computus included; automatic extension to the first working day when the expiry falls on a Saturday or a holiday (art. 83 para. 3).
Every result shows its legal authority, the pre-extension date, the step-by-step computation trail, “strict limit” and “case-law benchmark” badges, and adds to the matter's deadlines in one click. Statutory texts verified against LégisQuébec (2026-06-11).
31 unit tests covering computation (days, months by quantième, leap years), every holiday, extension chains (Easter weekend, New Year) and clear-day countdowns — npm test.
v4.26.0
Litigation
Litigation-records backend engines
Every cloud save now feeds the backend's normalized registries (migration 0004): procedures, clerk filings, evidence, sworn documents (plus affidavits once sworn) and service of process — queryable mirrors of the matter, protected by RLS.
New Litigation records page: six registries browsable at a glance across all your matters, including the audit log.
The Stripe webhook now writes payments into the order registry (service_orders): the internal requestId travels through payment metadata and the normalized row flips to paid automatically, with an idempotent per-session fallback.
v4.25.0
AI & automation
Bailiff marketplace + AI vision
Order board: clients post enforcement orders (type, territory, fee, documents) and verified bailiffs claim them in one click — atomic claiming: exactly one winner even on simultaneous clicks. Admin direct assignment with accept/decline.
Persistent bailiff workspace, tabbed (Offered, Active, Awaiting admin, Done). Fully electronic document rejection: a structured reason is required and a realtime ticket thread opens automatically with admins — no email, no phone.
Four AI assistants (phase 1 of the /vision roadmap): document intake checks, bailiff matching, an admin copilot for tickets, and a listing optimizer. Invariant: AI suggests, humans confirm.
Schema 0005 with RLS on every table, state transitions through SECURITY DEFINER functions, admin-only bailiff verification, ticket threads over Supabase Realtime.
v4.24.0
Localization
“Justice, clarified” launch press release
The Press Centre now publishes the June 10, 2026 launch press release on a dedicated bilingual page: the access-to-justice problem (Statistics Canada, 2021), the four steps (understand, navigate, organize, act), free orientation, the distinction from legal advice, and the media contact.
v4.23.0
Brand & marketing
Brand-native hero + signup confirmation
The hero visual is now a true product mockup built in Juge.ca's own design language (deep navy, glass, glow, coral): a "Workspace" window with live stat cards (127 exhibits, 41 events…), ✓ status pills, and per-folder intelligence (parties, evidence, timeline, exhibits, deadlines, risks, assets). No more white-background image.
Account creation: after signing up, a "Check your email" screen confirms the link was sent to your address, with "Resend email", "I confirmed — continue", and "Change email". Loading states, clear errors (email already used, weak password, network), and duplicate-submit prevention.
Supabase migrations now run during the production build (using Vercel's environment), applying the 0004 schema (procedures, affidavits, service_orders, bailiff_orders, document_sworn_orders, court_filings, evidence_items, audit_logs) with RLS — no secret handling involved.
v4.21.0
Payments
Service-order persistence + audit log
Each service ordered from a matter now writes a normalized row to service_orders (user, matter, status, price, payment status) and an audit_logs entry (created, paid) — alongside the existing in-matter tracking.
Best-effort implementation: no-ops until migration 0004 is applied, then activates automatically with no code change.
v4.20.1
Ops / CI / infra
Migration apply tool
Added scripts/apply-migrations.mjs: applies Supabase migrations directly over the Postgres connection (URL read from the environment), to deploy the 0004 schema (procedures, affidavits, service_orders, etc.) without a management token.
v4.20.0
Workspace & matters
Complete authenticated header
Logged in, the header shows: Home · Workspace · Firm portal · Settings · My account · Sign out. Logged out: Home · Services · Pricing · Resources · Sign in · Create account.
"Firm portal" and "Settings" open the matching panels in the workspace (via /app?view=firm|settings) — no dead-end links.
v4.19.1
Content / legal
Release v4.19.1
Cloud sync truthfulness: gate "active" on a real DB read.
v4.19.0
Litigation
Litigation-OS schema + in-matter Services tab
New schema (migration 0004): procedures, affidavits, service_orders, bailiff_orders, document_sworn_orders, court_filings, evidence_items, and audit_logs tables — each with user_id, matter_id, created_at, updated_at, and RLS (you only see your own records).
The matter's "Operations" tab is now "Services": order a swearing, a bailiff, or another service directly from the matter.
Reworked empty state: "Create your first matter to organize your evidence, procedures, deadlines, and judicial services."
Truthful cloud indicator: "active" only after a successful database connectivity test; otherwise a reconnect warning.
v4.18.0
Workspace & matters
Authenticated, persistent workspace
/app now requires a Supabase session: signed-out visitors are redirected to /login?next=/app, with a "Verifying your session…" screen.
Cloud sync only reads as "active" when a valid session exists; every matter is owned by the authenticated user (no anonymous or orphan matters).
If the session expires: "Cloud sync unavailable — please sign in again." and matter creation is blocked.
The workspace shows "Signed in as [email]" with a Sign out button; the header shows Sign in / Create account (logged out) or Workspace / Sign out (logged in).
v4.17.0
Litigation
Hero visual — 12-folder box
Replaced the 6-folder render with the 12-folder litigation-operating-system box (Parties → Judgment enforcement), shown inside a "Workspace" window.
v4.16.0
Litigation
"Litigation operating system" hero + design system
New hero: headline "The litigation operating system.", primary CTA "Create my case", and a "Services available today" strip under the buttons.
The dossier-box image is framed as software (a "Workspace" window) and paired with the 12-folder Litigation-OS taxonomy.
New design-system foundation: brand tokens (navy, coral, folder, warm), a folder-taxonomy registry, the scales emblem and wordmark, and a /design-system page documenting it all.
v4.15.0
Workspace & matters
Hero visual — 3D dossier box
Replaced the CSS dossier organizer with the official 3D render (file box with the scales-of-justice emblem).
v4.14.0
Litigation
Repositioning: litigation operating system
New customer-focused headline: "Organize your case. Cut costs. Stay in control.", with a one-line explanation of what Juge.ca is (citizens, businesses, and legal professionals).
New "Judicial services" strip under the hero: swearing, service by bailiff, legal consultation, case review, and asset search — each with an "Order a service" action.
Reworked header: explicit "Home", order Home · Services · Pricing · Resources · Community · Press, and clearly visible "Sign in" (outline) and "Create account" (solid) buttons.
v4.13.0
Payments
Homepage redesign
New two-column hero: "Our promise" and "A lawyer has an obligation of means." on the left, a dossier organizer (file box) on the right.
The three commitments (billing, control, evolving platform) move directly under the hero; the "Your matter, A to Z" timeline puts its heading on the left and the "See every step" button top-right.
v4.12.0
Litigation
Litigation lifecycle, marketplace & service CTAs
New "Lifecycle" tab in the workspace: the full litigation journey from identifying the problem to satisfying the judgment, with steps locked until they are reached and advancement fees to move the matter forward.
New "Asset Intelligence" module (after judgment, before enforcement): investigation, identifying debtors and third parties, asset mapping, solvency analysis, and enforcement strategy.
Plumitif (digital court registry) integration point: live tracking that will auto-advance steps and raise alerts inside the workspace.
New professionals marketplace (lawyers, commissioners, bailiffs, medico-legal & CPA experts, asset investigators) and a workspace for bailiff firms and their staff.
Homepage: each service now has its own button — "Order a swearing", "Order service of process", "Retain a bailiff" — instead of one shared generic button.
Homepage: new "Your matter, A to Z" timeline with icons and a "See every step" button linking to the public lifecycle page.
Advancement fees wired to secure Stripe payment (step unlocks on return from payment; preview-mode fallback when payments aren't configured).
v4.11.0
Workspace & matters
Useful Links
New "Useful Links" page: a directory of Québec and federal courts, the judicial council, the ministries of Justice, bar associations (including every sectional bar), the chambers of notaries and bailiffs, access-to-justice organizations, statutes, and case-law databases.
Reachable from the footer's "Resources" group; every external organization is referenced for informational purposes only.
v4.10.0
Workspace & matters
Automated contacts on import
Imports now extract contact details (email + phone) and attach them to detected parties and witnesses, and capture email-signature senders as contacts.
Existing parties and witnesses missing an email or phone are enriched from the imported text; witness contacts are shown (clickable) in the Witnesses tab.
v4.09.0
Evidence
Binder assembly & print guide
New per-forum assembly guide (in Proceedings): before you print, it lists each exhibit's cote + description and tells you how many copies to print (court + parties + you), with step-by-step binder-assembly instructions. Downloadable as Markdown.
v4.08.0
Workspace & matters
Smarter upload analysis
On upload, documents are read and analyzed: parties are auto-detected, the court file number is detected and populated into the matter (or flagged if it conflicts), and the chronology is built automatically.
When a folder is dropped, its name is checked for relevance to the matter and you're warned if it doesn't appear related.
v4.07.0
Evidence
Delete all matters (Danger zone)
Settings now has a Danger zone to permanently delete and purge every matter and its evidence — local and cloud — behind a type-to-confirm (type DELETE / SUPPRIMER) safeguard.
v4.06.0
AI & automation
Litigation Copilot tab — the 'Tomorrow' features, today
New Copilot tab brings the six capabilities together: AI-powered copilot, evidence intelligence, automated chronology creation (one click builds the timeline from your evidence), procedure generation, hearing preparation, and next-step recommendations.
v4.05.0
AI & automation
Reframed the future roadmap around outcomes
The 'Tomorrow' vision now follows the litigation workflow and speaks to outcomes: AI-Powered Litigation Copilot, Evidence Intelligence, Automated Chronology Creation, Procedure Generation, Hearing Preparation, and Next-Step Recommendations.
v4.04.5
Partnerships
Clickable studio partner links
Footer studio partners (Rubicon Nexus, Rubicon Fusion, Impact Narrative Media) are now clickable links to their sites.
Removed the dissolved entity (15149957 Canada Inc.) and set the company name to King Legend Inc. across the site and legal documents.
Footer attribution now reads: an initiative of JusticeSansFrontieres.ca dedicated to access to justice, developed and operated by King Legend Inc., in collaboration with Rubicon Nexus, Rubicon Fusion, and Impact Narrative Media studios.
v4.04.3
Content / legal
Release v4.4.3
Attribution: remove dissolved 15149957 Canada Inc., set entity to King Legend Inc., add Rubicon Nexus + Rubicon Fusion studio collaboration credit.
v4.04.1
Litigation
Home page cleanup
Removed the abstract 3-step section now that the concrete litigation workflow graphic covers it.
v4.04.0
Litigation
Conversion-focused home page
Outcome-first hero with action CTAs (Organize my case · Order a service) and a 'Make the future real today' line.
Moved court services above the fold ('Need help moving your case forward?') and added a concrete litigation workflow graphic (Evidence → Hearing).
Added audience value propositions (litigants vs attorneys), a Today-vs-Tomorrow future section, and a social-proof line (Built in Montréal, designed for Québec, expanding across Canada).
v4.03.0
Marketplace
Court Services on the home page
Added a third marketplace pillar — Court Services (swearing · service · enforcement) — alongside Find an Attorney and Organize Your Case, with an Order-a-service CTA.
New home section and hero line surface the execute step: prepare, swear, serve, and organize in one workspace.
v4.02.0
Marketplace
Persistent user profiles (cloud)
In cloud mode your profile (name, role, contact info, plan) now loads from and saves to your Supabase account — persisting across devices and sessions instead of a per-device stub.
New cloud users complete the profile gate once; Settings, plan upgrades, and attorney verification all write back to the profile.
v4.01.1
Litigation
Contributor guide (AGENTS.md)
Added AGENTS.md documenting the canonical codebase, production branch, deploy procedure, and per-commit rules so parallel agents don't diverge the repo.
v4.01.0
Payments
Closed payment loop + system status
After Stripe checkout you now return to a confirmation: the request is marked paid and its first milestone completes (or your upgraded plan activates).
New System status panel in Settings shows which production integrations are live (payments, ID verification, database/cloud sync, storage, ingestion, AI) via a /api/health check.
v4.00.0
Payments
Out of beta — full production
Juge.ca is now in full production. Removed beta/preview labels across the workspace, pricing, and FAQ.
Status page: all systems marked Operational — litigation engine, operations marketplace, accounts & cloud sync, and the attorney portal.
Live billing is active: plans and services are processed securely by Stripe.
v3.46.0
Security
Swearing video + ID, bailiff pre-auth, printing, upgrades
Affidavit swearing now includes a secure on-platform video room with the commissioner, Stripe Identity verification (the commissioner never sees your personal information), and electronic signing — all tracked on the request.
Bailiff service captures a pre-authorization hold on your card; the final amount is charged after service is performed.
New professional printing & binding service for hearing binders and colour exhibits.
Upgrade your workspace from the Operations tab — Self-Rep Unlimited ($375/mo) or a single matter ($149) via Stripe.
v3.45.0
Payments
Operations checkout + booking
Paid operations services now go through Stripe Checkout (not just bailiff): affidavit swearing and service of documents take payment securely.
Affidavit swearing opens a booking step — choose the document (with a completeness check), pick a date/time, and online vs in-person — before paying.
Updated the workspace messaging to reflect execution, not just preparation: prepare, swear, serve, and manage your case in one place.
v3.44.0
Litigation
Litigation Operations marketplace
New Operations tab turns the workspace into an execution platform: commission affidavit swearing (Commissioner for Oaths), service of documents (bailiff), certified translation, expert reports, lawyer consultations, and court transcription — without leaving your case.
Each commissioned service is tracked with a status pipeline and milestones (e.g. Draft created → Assigned → Attempt #1 → Served → Affidavit of service received).
v3.43.0
Litigation
Cloud sync toggle + litigation engine live
Added a Cloud sync on/off switch in the workspace: turn it on (and sign in) to store matters and evidence in the database so your session persists across visits and devices; off keeps everything browser-local.
The litigation engine (Organize Your Case) is now marked Operational on the status page.
Documents named like exhibits (P-1, Pièce P-23…) now populate the Exhibit list automatically on drop, keeping their numbers.
A View button on each exhibit and evidence item opens the file in a pop-up viewer (images and PDFs inline).
The analysis engine now detects role-labelled parties (demandeur/défendeur, plaintiff/defendant) and populates the Parties tab.
New Clerk filings (Greffe) tab tracks deposits with internal sequential numbers (#1, #2, #3…), filed/outstanding status, filed date, and clerk reference.
v3.41.0
Intake & onboarding
Attorney onboarding & verification
Professional accounts (lawyer/notary/paralegal/organization) now complete a verification step — bar/order number, issuing authority, firm — and accept a new Professional Services & Data Processing Agreement before guarded features unlock.
Verification is human-in-the-loop: submitting never auto-grants access; status stays pending until a person approves. A self-represented escape hatch prevents lock-out.
Added the Professional Services & Data Processing Agreement (attorney-client privilege, Canadian data residency, sub-processing, breach notice, return/deletion).
v3.40.0
Workspace & matters
Folder import + auto-organize engine
Drop a whole folder (with subfolders) onto Evidence — every file is ingested recursively, given a permanent Evidence ID, tagged and sourced from its subfolder, and byte-identical duplicates are skipped. An organization summary shows the result.
The moment documents land, an analysis engine fans findings across the tabs: dates → Chronology and Deadlines, hearing dates → Hearing, affiants/signatories → Witnesses, key documents → Exhibits, protective steps → Tasks, and auto-generated Chronology and Exhibit-list drafts → Documents.
v3.39.0
Notifications & email
Password reset + suggested procedures
Added a secure password-reset flow: 'Forgot password?' on sign-in sends a recovery email, and a dedicated reset page sets a new password.
New Suggested Procedures panel in the Command Center detects sensitive material (financial, medical, private life) and recommends protective steps — above all a motion to seal / confidentiality order — with one-click add-as-task.
v3.38.0
Evidence
Multi-proceeding evidence propagation
New Proceedings tab separates Evidence Identity (permanent E-0001) from Court Usage: the same evidence is referenced by many forums under their own exhibit numbers — never copied.
Evidence × proceeding usage matrix (exhibit no · filed · served · introduced), a dissemination audit log, and Knowledge Assets that group evidence documenting the same event.
Procedure-dependency graph: link the Evidence IDs each procedure relies on, and see which procedures are affected when a version is superseded.
Export the usage matrix (CSV), propagation log (CSV), and the master Case Knowledge Index (Markdown).
v3.37.0
Litigation
War Room + Command Center
New War Room is the matter homepage: commander dashboard, battlefield map (issues with strength + linked evidence/authorities/witnesses), timeline wall, procedure command center (draft/sworn/served/filed), evidence intelligence, contradictions board, judge board, decision log, missing-pieces board, and a 'What should I do next?' button.
New Command Center: court-readiness score, action-required list, responsibility matrix (you/attorney/bailiff/clerk), per-procedure service rules (method, deadline, authority, reason), and litigation calendar export (ICS/CSV).
Hearing binder generator produces Judge, Counsel, Witness, and Personal binders.
v3.36.0
Governance
Litigation-grade evidence governance
Every document now has a permanent Evidence ID (E-0001), version (V01…), and lifecycle status — with single-ACTIVE-version enforcement.
Add a higher-quality copy as a new version that supersedes the old one (reason, date, and operator recorded); older versions are never deleted.
SHA-256 integrity hashes, chain-of-custody logging, and source/acquisition metadata on every version.
Export the master evidence registry (CSV/Excel + Markdown) and a migration report that flags duplicates, missing metadata, and supersession candidates.
v3.35.0
Privacy (Law 25)
Legal framework + accept-at-signup
Added a comprehensive Terms of Service, an expanded Law 25 / PIPEDA Privacy Policy, and a new binding Confidentiality & Non-Disclosure Undertaking.
Sign-up now requires accepting the Terms, Privacy Policy, and confidentiality undertaking — kept to a single frictionless checkbox with links.
v3.34.0
Evidence
Evidence ingestion API
Added a secure ingestion endpoint so trusted automation can push documents straight into a matter's evidence — files land in secure storage and appear in the workspace.
New matters open directly on the Evidence tab so you can start adding documents immediately.
Upload from your device or import directly from Google Drive (any file type), up to 100 MB per file.
v3.32.0
Notifications & email
Sign-in: confirm email → straight into your workspace
Fixed account confirmation so that after you confirm your email you land directly in your workspace (already signed in) instead of on the home page.
v3.31.1
Release metadata
Release v3.31.1
Changelog: refer to CRM generically (not the vendor).
v3.31.0
Localization
Newsletter / waitlist — wired & polished
Replaced the third-party embed with a clean native signup form that actually stores your email in our secure backend, with proper success and error states (bilingual).
Signups also flow into our CRM as leads, so interactions are captured automatically.
v3.30.0
Litigation
UI polish sweep
Workspace tabs are now a clean, horizontally-scrollable strip with a coral underline on the active tab — tidy even with many tabs and on mobile.
Branded, centered sign-in and account screens; court-paper styling for generated documents (centered serif heading, page shadow).
Subtle content transitions when switching tabs — automatically disabled when reduced-motion is on.
v3.29.0
Intake & onboarding
Dashboard polish
A warmer empty state that guides you straight into a guided intake, and richer matter cards showing party/evidence/exhibit counts and the next upcoming deadline at a glance.
v3.28.0
Security
Client portal landing page
New “For clients” page explaining the secure client workspace — upload evidence, review documents, track deadlines, and communicate — with how-it-works steps, a security note, and a sign-in call to action.
v3.27.0
AI & automation
Live AI Copilot
Added a live AI Copilot to the matter overview (via the Vercel AI Gateway) that reviews your matter and suggests concrete next steps and gaps, alongside the existing deterministic analysis. Clearly marked as litigation-organization assistance, not legal advice.
v3.26.0
Evidence
Evidence files in secure cloud storage
When signed in, uploaded evidence is stored in private, encrypted Supabase Storage (Canadian region) with per-matter access control, instead of only your browser — so files sync across devices and to invited collaborators. Downloads use short-lived signed links; the export bundle pulls the real files.
v3.25.0
Localization
Discrete language switcher + official-language notice
Replaced the wide language row with a compact globe dropdown listing each language in its own native name.
Your browser's language is detected automatically on first visit (e.g. an Arabic browser opens in Arabic).
Clearly states that French is the official language of the site and prevails over any translation.
v3.24.0
Evidence
Multi-user verified end-to-end
Verified the full lawyer↔client flow against the live database: sign-in accounts, cloud matter sync with row-level isolation, client invitations via shareable links, cross-user collaboration, and clients posting comments and uploading evidence.
Hardened access rules: invitation acceptance runs through a secure function, and clients can comment/upload while editing stays restricted to the legal team.
v3.23.0
Workspace & matters
Multi-user backend live — accounts, invitations, collaboration
The secure backend is live: real sign-in accounts, cloud matter sync, client/staff invitations with accept links, and cross-user collaboration are now active end-to-end.
v3.22.0
Security
Secure backend activated
Connected the Supabase backend (Canadian region) and applied the database schema with row-level security, enabling real accounts, cloud matter sync, client invitations and multi-user collaboration.
v3.21.0
Marketplace
Multi-user backend wired (activates with Supabase)
Wrote the full multi-user layer: cloud matter sync (matters stored in Postgres), client/staff invitations with shareable accept links, and matter-access sharing — all behind the secure-backend flag so the current browser-based app is unchanged.
Lawyers can invite a client/colleague/expert to a matter from the Collaboration tab; invitees accept via a link and gain role-based access. Activates the moment the Supabase keys are set.
v3.20.0
Content / legal
Emergency mode
A dedicated Emergency view for matters that must move in hours, not days: it surfaces overdue and ≤72-hour deadlines and high-priority tasks across all matters, and routes you to the urgent templates (provisional injunction, safeguard order) and rush service of documents.
v3.19.0
Evidence
In-app notifications
A notifications bell in the workspace surfaces what needs attention across all your matters — overdue and approaching deadlines, high-priority open tasks, recent comments, and evidence gaps — and jumps you straight to the relevant matter.
v3.18.0
Evidence
Document assembly workflows
One-click document sets: generate a complete, coherent bundle from your matter — originating application (application + affidavit + exhibit list + notice of presentation), defence set, urgent/emergency set, service package, and a lawyer hand-off pack — all added to your saved drafts.
v3.17.0
Localization
Multi-language expansion — 9 languages
Added 7 informational languages — Spanish, Arabic, Mandarin, Punjabi, Portuguese, Italian and Hebrew — alongside authoritative French and English, with right-to-left support for Arabic and Hebrew.
Each informational language translates the high-value interface and falls back to French for the rest, with a clear automated-translation notice; French and English remain authoritative and legal documents are generated in French/English.
The architecture now supports adding any future language by dropping in a partial dictionary.
v3.16.0
Litigation
Litigation strategy & witness preparation
The matter analysis now includes a litigation-strategy view: strengths, weaknesses, risks (missed/imminent deadlines, facts without supporting evidence), and prioritized next moves.
Witness preparation: one-click suggested examination questions for each witness, generated from your chronology and the witness's notes — fully editable, and clearly not legal advice.
v3.15.0
Security
Accounts & sign-in (activates with the backend)
Added secure sign-up / sign-in (email + password or magic link) and an auth callback, backed by Supabase Auth with MFA support.
Feature-flagged: the login screen shows an “accounts coming” notice until the backend keys are set, then real cloud accounts activate — no disruption to the current browser-based workspace.
v3.14.0
Security
Secure backend foundation (Supabase)
Added the multi-user backend foundation: Supabase Postgres schema with row-level security on every table, isolating matters per user and sharing them only through explicit access grants — the server enforcement of the role/permission model.
Database, auth, and storage clients wired to activate automatically once the (Canadian-region) Supabase project keys are set; until then the app keeps running client-side.
Setup guide published (docs/BACKEND.md). Next: sign-up/login, client invitations, real collaboration, billing, and secure evidence storage.
v3.13.0
Litigation
Greffe numérique gatekeeper
Each generated document now shows a filing verdict: whether it can be transmitted electronically to the greffe numérique, must be presented urgently to the court, is filed with a tribunal, or is not a court filing at all — so nothing is sent to the wrong channel by mistake.
Flags when a proceeding, even if e-filed, still requires service on the opposing party.
v3.12.0
Marketplace
Document-service marketplace (Phase A) — pay to serve documents
New “Service of documents” flow: request service by a bailiff (Québec), process server (other provinces), notary, or internationally, with standard / rush / emergency urgency.
Secure Stripe Checkout (cards) with transparent, below-market pricing; orders captured for drop-ship fulfilment to a provider.
Contextual “get these served” link from the Bailiff Instructions and Electronic Notification templates.
Live payments activate once the Stripe account is reactivated; the flow runs in test mode until then.
Emergency procedures: provisional injunction (art. 510 C.p.c.) and safeguard order (art. 49 C.p.c.) templates for matters that must move in hours, not days.
Request for disclosure of information/documents and an electronic-notification request (to obtain an email address and avoid bailiff fees where service can be done by technological means).
Instructions to the Bailiff packet generator — preparing the documents and service instructions ahead of the upcoming bailiff / process-server marketplace.
v3.10.0
AI & automation
New pricing model + Case Brief for your lawyer
Pricing rebuilt around how litigation actually works: Case Builder ($350) and Litigation Pro ($750) are now ONE-TIME, per-matter fees that cover a matter to completion — even if it takes years — plus a new $375/month Self-Rep Unlimited plan for ongoing or multiple matters, pausable during quiet periods.
Positioned clearly as a litigation copilot with a human in the loop: the AI assists, you stay in control.
New “Case Brief for your lawyer” document: a one-click, organized summary of your matter (parties, theory, chronology, exhibits, evidence, deadlines, your questions) so your attorney sees the full picture instantly — and spends less billable time getting up to speed.
v3.09.0
Payments
“Our promise” on the home page + privacy-friendly analytics
New “Our promise” section on the home page: a better-organized file costs less, fewer billing surprises with market-based cost estimates, you stay in control, and an evolving platform — with clear estimate/not-legal-advice framing.
Added cookie-less Vercel Analytics and Speed Insights to start measuring the conversion funnel and page performance (activated from the Vercel dashboard).
v3.08.0
Workspace & matters
Québec & Canadian law resources + roadmap update
Added a Québec & Canadian law section to Legal Resources (CanLII, LégisQuébec, Justice Laws, Supreme Court of Canada, Court of Appeal of Québec) and surfaced JusticeSansFrontières.ca as an access-to-justice initiative.
Added the same official databases to the in-app Research tab.
Roadmap updated: secure cloud backend + analytics/funnel in the attorney beta, and Google Drive import (Dropbox/OneDrive to follow) at general availability.
v3.07.0
Accessibility
Read-aloud accessibility + chat assistant
Read-aloud: a browser-native text-to-speech control in the accessibility widget reads the page aloud in French or English — no account or setup.
New “Chat with us” assistant on every page: a bilingual FAQ helper with an email fallback and the required not-legal-advice notice. Built to plug into live AI and a WhatsApp hand-off once the secure backend is enabled.
v3.06.0
Security
Plan & usage, per-matter export, security plan
Plan & usage panel in settings: choose your plan (Free preview, Case Builder, Litigation Pro, Professional), see matters used against your allowance, and jump to pricing. Preview only — no payment is processed.
Per-matter JSON export for clean handoff to a colleague or client (re-importable from the dashboard).
Published a security & Canadian data-residency plan (docs/SECURITY.md) covering auth/MFA, encryption, role-based access, audit logging, backups and Law 25 / PIPEDA alignment.
v3.05.0
Governance
Collaboration — comments + activity log
New Collaboration tab on every matter: post comments for your team and review a chronological activity log derived from real events (matter created, evidence uploaded, drafts saved, comments posted).
Comments and the audit trail will sync across users once the secure backend is enabled.
v3.04.0
Payments
Lawyer / Firm portal — portfolio, status reporting & team
New Firm portal: practice-wide portfolio summary (matter count, deadlines in the next 30 days, average readiness) and a sortable matter status report across all your files.
Team management with a real roles & permissions model — lawyer, paralegal, assistant, client, expert and consultant — each showing exactly what it can do.
Live multi-user sign-in, client invitations and billing remain gated on the secure backend, which is not yet enabled.
v3.03.0
Intake & onboarding
Legal Research engine + guided Legal Intake
New Research tab: automatic Canadian legal-citation extraction from your case theory, evidence and drafts (neutral citations, reporters, and statute/Charter references), each with a one-click CanLII search, plus curated links to CanLII, LégisQuébec, Justice Laws and SOQUIJ. No account required.
Guided Legal Intake: a step-by-step interview (legal issue, jurisdiction, parties, key dates, objectives, urgency) that automatically creates a structured matter — including an urgent task flag when warranted.
v3.02.0
AI & automation
Document Automation 2.0 + Advanced analysis
Document Automation 2.0: five new court-ready templates — Defence, Amended Application, Application for Judicial Review, Notice of Appeal, and a Tribunal Application Form — bringing the generator to twelve bilingual document types.
Advanced analysis (no external model required): contradiction review (e.g. multiple events on the same date, dates not corroborated by evidence), missing-evidence detection, procedural recommendations, timeline-gap detection and draft-improvement checks — all clearly marked as not legal advice.
v3.01.0
Evidence
Hearing preparation + Court Presentation Mode
New Hearing tab: examination outlines (direct and cross), argument preparation, a hearing checklist with standard items, and live courtroom notes.
Court Presentation Mode: a full-screen presenter for the hearing with large exhibit display (including image preview), a clean timeline view, and instant search across exhibits, facts, evidence and drafts.
v3.00.0
Litigation
Functional Litigation OS — full end-to-end MVP
Account profile gate that personalizes your file and auto-fills generated documents.
Evidence module: upload PDF, DOCX, images and text files with in-browser text extraction, tagging, one-click exhibit creation, and automatic date detection into the timeline.
Exhibits now support the P / D / R series with automatic per-series numbering, reordering, and a generated exhibit index.
Document generator expanded to seven court-ready templates — affidavit, notice of presentation, originating application/motion, formal demand, email notification slip, chronology and exhibit list — all auto-filled and editable.
One-click litigation package export to PDF, DOCX, and a ZIP bundle that includes your uploaded evidence files.
New Tasks tab, editable chronology with evidence linking, richer party contact details, and matter status / file number / district.
Fully bilingual (FR/EN) across every new module.
v2.02.0
Workspace & matters
Document generator — formal demand (mise en demeure)
Added a Documents tab that drafts a formal demand letter (mise en demeure) pre-filled from your matter — recipient, sender, subject, demand, and a configurable compliance period.
Live letter preview with one-click print / save-to-PDF, clearly marked as a self-help template.
v2.01.0
AI & automation
Litigation Copilot next steps + data export
Added the Litigation Copilot to each matter's overview: prioritized “next best steps” and evidence-gap analysis, including approaching-deadline alerts.
Added export and import of your matters as a JSON file for backup and transfer.
v2.00.0
Workspace & matters
Working platform + commercial launch
Launched the working Workspace: create matters and manage parties, chronology, auto-numbered exhibits, witnesses, and deadlines — saved in your browser.
Added the live Justice Score™ that scores case readiness across every dimension.
Published commercial plans and pricing for the public and for attorneys, with value-based positioning.
Added Workspace and Pricing to the navigation, footer, and homepage calls to action.
v1.06.0
Litigation
Repositioned as a Litigation Operating System
Rewrote the homepage hero to lead with the outcome: a bilingual, accessibility-first Canadian Litigation Operating System.
Expanded the About page with the full positioning for the public and for legal professionals.
Strengthened the SEO/social description across the platform.
v1.05.0
AI & automation
Attorney value proposition + Litigation Copilot vision
Added an attorney value-proposition section: Juge.ca as the engine of a practice — less time chasing clients and on admin, more time advocating in the courtroom.
Published the “Litigation Copilot” product vision on the roadmap: legal strategy engine, evidence-gap analysis, risk dashboard, settlement intelligence, witness center, hearing simulator, war room, AI file review, and Justice Score™.
Hardened the waitlist fallback form against XSS (DOM API instead of innerHTML).
v1.04.0
Evidence
Added a “How it works” three-step section
Added a homepage section presenting Juge.ca in three steps: organize your evidence, understand the procedures, present your arguments.
v1.03.1
AI & automation
Updated mission statement
Refined the homepage mission to emphasize efficiency for citizens and automation for legal professionals.
v1.03.0
Brand & marketing
Bolder, centered design across the platform
Restyled the whole site with a centered, dramatic, glassmorphism aesthetic inspired by the original landing page.
Centered page heroes with bigger gradient headlines and a coral accent bar.
Added a subtle coral background glow for depth and wrapped page content in glass panels.
Updated the homepage mission statement.
v1.02.1
Content / legal
Refined homepage copy for legal professionals
Clarified the homepage message: legal professionals put their expertise to work to better serve their clients' interests.