February 2026

Documentation Portal

Launched a public documentation portal with 14 pages covering every platform feature — step-by-step operations guides, platform architecture, and technical deep dives.

Document Validation & Evidence Pipeline

Cortex AI now validates every uploaded file against requirement-specific PCI DSS criteria. Results (Complete / Partial / Insufficient) appear inline in the attachments table without leaving the workbench. Malware scan status column added, plus unlink/unassign support for evidence files. Bug fixes: Tailwind darkMode config, radio button selection in validation criteria, double scrollbar on attachments tab.

Assessment Workbench Overhaul

Major restructure of the primary assessment interface — redesigned section tree, prefill from previous assessments, per-section progress bars, bookmarks and stamps, interview question dialog with Cortex context, dedicated Cortex AI chat panel, and complete DOCX export tag mapping for all 12 PCI DSS principal requirements. Bug fixes: Section 5/6 DOCX field mapping, fixed scrollbar layout, radio button findings, auto-summary for Req 1.8.1, Kanban progress calculation, textarea caret positioning.

Calendar 2.0 & Command Palette

RFC 5545 RRULE recurrence with safety limits (max 500 occurrences, 2-year expansion), task-linked calendar events (Teams/Zoom/Google Meet), command palette with fuzzy search across assessments/tasks/settings, and full keyboard/ARIA accessibility on calendar. Security: Fixed passkey (WebAuthn) registration and auth flow, session accumulation on repeated logins, device OS detection, input sanitization, rate limiting, and XSS prevention.
January 2026

Production Hardening & Infrastructure

Database connection pooling, dynamic XLSX import (lazy-loaded), Sentry tree-shaking, Next.js Image component for logo, conditional logging (dev only). Activity logs migrated from JSON files to PostgreSQL. All npm audit vulnerabilities resolved.

Sentry Error Tracking

Integrated Sentry for frontend error capture — source map uploads for readable production stack traces, user context linked to sessions, environment-based configuration, and CSP headers updated for Sentry domains.

2FA Verification Page Redesign

Modern OTP input with 6-digit auto-advance, paste support, dark-background centered card matching the login page, trust-device checkbox (30 days), and countdown timer with resend.

Login & Signup Page Redesign

Split-screen layout — gradient brand sidebar alongside the auth form. Mobile-responsive, Google/GitHub/Microsoft OAuth buttons, inline validation, and server error handling.
December 2025

Engagement Hub — Client & LOE Architecture

Complete Client → LOE → Assessment data hierarchy. Client profiles with PCI context (merchant level, acquirer, transaction volume), LOE setup with scope/milestones/financials/legal terms/QSA signer, Engagement Hub dashboard, and tabbed LOE detail page (overview, scope, timeline, assessments, documents, terms, signatures, payment).

Session Management

Active sessions list with device info, browser, and IP. Remote logout for any session, configurable concurrent session limits, and OS/browser detection.

Password Security with HIBP Integration

Breach detection via the Have I Been Pwned API using k-Anonymity (only the first 5 characters of the password hash are sent; the full hash never leaves the client). Real-time warning if the password appears in known breaches, plus an enhanced strength indicator.

Security Penetration Testing Fixes

IDOR protection (org-scoped validation on all resource endpoints), enhanced rate limiting on auth and API routes, XSS prevention on all user-input fields, CORS hardening.
November 2025

Calendar Improvements with Big Calendar

Migrated to react-big-calendar — month/week/day views, drag-and-drop event rescheduling, date/time picker for new events, recurring events, and LOE milestone/deadline visualization.
October 2025

Major Infrastructure Upgrade

Complete infrastructure overhaul — Supabase for real-time and file storage, Redis for server-side caching, TanStack React Query for frontend data management, and 100+ bug fixes.
  • Supabase Storage — 4 auto-initialized buckets (evidence-files, avatars, org-logos, reports) with org-scoped paths and signed URLs
  • Supabase Realtime — replaced 30-second polling with WebSocket connections for instant notifications, presence, and live assessment updates
  • Redis Caching — 50%+ route coverage, 10-minute TTL, automatic invalidation, 60–70% response time reduction
  • TanStack React Query — 35 hooks, 15+ components refactored, ~2,000 lines of boilerplate removed, 60–70% API call reduction
  • Prisma schema — standardized 100+ field references to snake_case, 144-folder PCI DSS file structure per assessment

Trusted Device Management for 2FA

Mark devices as trusted to skip 2FA for 30 days. View and revoke trusted devices from security settings.

Admin Dashboard & Log Management

Database health dashboard (connection status, table stats), security audit dashboard (failed logins, suspicious activity), usage analytics (daily trends, feature breakdown), real-time log viewing with level/date/search filtering, and plan badge indicators.

Architecture & Workflow Documentation

Internal docs suite with business workflow guides, 9 Mermaid architecture/data-flow diagrams, and technical references for database schema, RBAC, and caching strategies.

Critical Bug Fixes & System Stability

Analytics crash fixes with data validation, authorization header forwarding in Next.js API proxy, single-instance enforcement for frontend (3000) and backend (3001), Cloudflare caching optimization (API bypass, static assets 2-hour cache).

Performance Optimization Suite

85% faster API responses — strategic database indexes (40–60% query improvement), 5-minute in-memory API cache (80–90% DB load reduction), Cloudflare CDN with Gzip compression (70–80% payload reduction). Average API response time: 4–7ms (down from 50–100ms).

Dark Mode & UI Improvements

React MutationObserver for real-time dark/light mode switching, professional PCI DSS assessment cover page, reorganized toolbar (filter/export, review/accept, members/help groups), scoping categories collapsed by default.

Stripe Integration & Advanced Scoping

Multi-tier Stripe billing (checkout, portal, webhook handling), 8-rule scoping engine (wireless, P2PE, CHD storage, segmentation), automatic N/A pre-fill for scoped-out requirements, browser push notifications (VAPID + service worker), Mailcow SMTP email system, and Microsoft OAuth.

Smart Notifications & Email System

@mention instant alerts, task assignment notifications, mobile-responsive email templates (Mailcow SMTP), automated daily/weekly/monthly task reminders via cron, enhanced task management (edit, delete, creator tracking), and activity audit logging.

2FA Authentication & Scoping Engine

TOTP setup wizard (QR code, manual key, code verification), 8 one-time backup codes, admin 2FA adoption panel, dedicated verification page. Scoping engine fixes: persistence, N/A auto-fill, visual N/A banner, conditional rule evaluation.

Initial Platform Launch

The first release of Kliper — a PCI DSS 4.0.1 compliance platform for QSA firms and internal security teams.
  • Assessment Engine — 200+ testing procedures, 3-panel workbench (tree, questions, context), findings (In Place / Not Applicable / Not Tested / Not in Place), compensating controls, DOCX ROC export
  • Multi-Tenant Architecture — org-isolated workspaces, 4 roles (Admin/Manager/Contributor/Viewer) with 28 granular permissions, Better Auth with Google/GitHub/Microsoft OAuth
  • Evidence & File Management — SHA-256 hashing, dual-engine malware scanning (ClamAV + VirusTotal), MIME validation, 40+ blocked extensions, magic bytes inspection
  • Collaboration — threaded comments with @mentions, Kanban tasks, calendar, live presence (who is viewing which section in real-time)
  • Analytics — gap assessment with 5 severity levels, 4-factor risk scoring (finding 45% / documentation 25% / completeness 15% / staleness 15%), Cortex AI remediation recommendations