April 2026

Cortex — Full Tool-Calling Agent

Cortex has graduated from a single-shot autofill assistant into a full agentic loop. It can now perform multi-step reasoning, call tools in sequence, and write directly to the assessment without leaving the chat.
  • 15 tools available — requirement lookup, assessment reads, answer writes, TP detail writes, evidence queries, task creation, calendar events, scoping data, firm knowledge search, and PCI guidance search
  • Multi-step execution — Cortex iterates: read context → call tool → read result → decide next step → respond
  • Direct writes — “draft a justification for 1.2.6 and save it” now actually saves it; the form refreshes live without a reload
  • PII redaction — all knowledge base ingestion and tool context runs through a redaction layer (IPs, emails, credit card numbers, SSNs) before the model sees it
  • Status indicators — the old “Cortex is thinking…” is replaced with descriptive labels (“Looking up requirement 1.2.6”, “Writing TP response for 1.2.6.b”, “Scanning all requirements status”) so assessors can see what Cortex is doing at each step
  • Analyzing → Drafting phases — the UI distinguishes the initial reasoning phase, the per-tool execution phase, and the final response drafting phase
See the Cortex AI guide for the full tool list and behavior.

Knowledge Base & RAG Infrastructure

The underlying pipeline for ingesting firm data into Cortex is now built and wired. Firms can upload past ROCs, AOCs, meeting transcripts, and accepted evidence; Cortex can search across them when drafting.
  • Document ingestion — PDF, DOCX, TXT supported via dedicated extractors
  • Chunking by PCI requirement — text is split into semantic chunks keyed to requirement IDs so retrieval is targeted
  • Embedding — chunks are embedded via OpenAI text-embedding-3-small and stored in Postgres with pgvector
  • PII redaction on ingest — sensitive data is redacted before embedding, with a per-job count surfaced in the admin UI
  • Per-org isolation — every chunk is scoped to the uploading organization; semantic search never crosses tenant boundaries
  • Admin UI — upload, monitor ingestion progress, and see PII redaction counts from the Knowledge Base panel
  • New tool: search_firm_knowledge — Cortex can now retrieve grounded context from your firm’s past work during drafting
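The redaction layer mentioned for tool context and knowledge-base ingestion (IPs, emails, card numbers, SSNs) is illustrated by the following added example; it is not Kliper's code, and the patterns, placeholder tokens and Luhn pre-check are assumptions about one reasonable way to build such a pass. It returns the per-category counts that an admin UI would surface.

```typescript
// Added example: a pre-embedding redaction pass for the four PII categories
// named in the changelog. Patterns and "[TOKEN]" placeholders are assumed.
export type RedactionCounts = { ip: number; email: number; card: number; ssn: number };

const IPV4 = /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g;
const EMAIL = /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g;
// US SSN in dashed form; excludes area 000/666/9xx, group 00 and serial 0000.
const SSN = /\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b/g;
// 13-19 digits, optionally separated by single spaces or hyphens; Luhn-checked
// below so that ticket numbers and order ids are not redacted by accident.
const CARD_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Luhn mod-10 check over a digits-only string (the PAN check digit algorithm).
export function luhnValid(digits: string): boolean {
  if (digits.length < 13 || !/^\d+$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Redact in a fixed order (email, IP, SSN, card). The patterns do not overlap,
// so the order only affects readability of the output.
export function redact(text: string): { text: string; counts: RedactionCounts } {
  const counts: RedactionCounts = { ip: 0, email: 0, card: 0, ssn: 0 };
  const out = text
    .replace(EMAIL, () => {
      counts.email++;
      return "[EMAIL]";
    })
    .replace(IPV4, () => {
      counts.ip++;
      return "[IP]";
    })
    .replace(SSN, () => {
      counts.ssn++;
      return "[SSN]";
    })
    .replace(CARD_CANDIDATE, (m) => {
      const digits = m.replace(/[ -]/g, "");
      if (!luhnValid(digits)) return m; // not a PAN: leave the text readable
      counts.card++;
      return "[CARD]";
    });
  return { text: out, counts };
}
```

Run `redact()` over each chunk before it is embedded and store the returned counts with the ingestion job; any regex-only layer will miss PANs written with unusual separators, so treat the counts as a lower bound.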

Interview Sessions with Cortex Analysis

Interviews are now first-class objects in the platform, with a dedicated session page for conducting, recording, and analyzing interviews.
  • Dedicated session page — each interview has its own route with a sortable, drag-and-drop question table and per-question response fields
  • Collapsible sections — questions grouped by PCI DSS section with expand/collapse per group
  • Cortex analysis — at the end of a session, Cortex generates a structured analysis of the interview responses, tied back to specific requirements
  • PDF export — full interview sessions export to PDF for evidence submission or QA review
  • Interviews tab in Assessment Hub — new top-level tab lists all interviews scheduled or completed for an engagement
  • Transcript import — paste a meeting transcript to seed interview responses

Atlassian Confluence & Jira Integration

Kliper now connects directly to Atlassian products for both evidence collection and gap remediation.
  • Confluence (client portal) — clients connect their Atlassian account via OAuth and attach pages directly from their Confluence spaces as evidence. Pages are imported as PDFs.
  • Jira (assessor side) — link Jira issues to specific PCI DSS requirements to track remediation. Supports creating issues, searching by JQL, and syncing status.
  • Dual display fix — the Jira integration panel now shows either the OAuth flow or the CSV import section, never both at the same time

Focus Mode & Live Mode

Two new viewing modes for the assessment workbench give assessors control over their working context.
  • Focus Mode — full-width single-subsection view with prev/next navigation. Sidebar hidden for distraction-free work on a single requirement.
  • Live Mode — real-time presence indicator showing which team members are currently viewing the assessment. Live status is displayed in the top bar.
  • Compact section rows — when a finding status is set, the row collapses to a single status chip. All four options only appear when no finding is set yet.
  • Compact hub stat cards — reduced padding, icon size, font size, and progress bar height on the Assessment Hub stat cards

Resume Card on Dashboard

The dashboard now remembers where you left off and offers a one-click resume.
  • localStorage tracking — the last subsection you worked on is tracked per-assessment in the browser
  • Resume card — appears on the dashboard with the assessment name, specific requirement label, and a “Continue” button that takes you to the exact subsection
  • Strict matching — the card only appears when localStorage has a confirmed match; no arbitrary “in progress” fallback

Interviews Tab in Assessment Hub

The Assessment Hub now has a dedicated Interviews tab listing all interview sessions for the engagement — scheduled, in-progress, and completed — with quick links into each session page.

PCI DSS Multiselect for Scoping

The “applicable requirements” textarea on client engagements has been replaced with a PCI DSS top-level multiselect. Assessors pick from the 12 principal requirements directly instead of typing them free-form.

Google Drive File Picker in Client Portal

Clients can now attach evidence directly from their Google Drive without downloading and re-uploading files.
  • OAuth flow — one-time authorization to grant Kliper read-only access to the client’s Drive
  • File picker — native Google Drive picker filters by file type
  • Cross-origin session fix — the portal now uses fetch-based downloads to include session cookies across origins, so cross-tenant auth works without a full page reload

CSV Table Preview in File Viewer

CSV and spreadsheet files now render as a proper table in the assessor file viewer and the client portal — no more forced download to read evidence.
  • Table view with column headers
  • Works in both portal and assessor contexts
  • Complements existing PDF preview (via blob URLs)

Client Portal — Mobile Responsive

The full client portal (login, verify, dashboard, request list, request detail, messaging) now works on mobile screens. Tables collapse to stacked cards, actions move to overflow menus, and touch targets meet accessibility minimums.

Main Branch Protection

Direct pushes to main are now blocked without authorization, enforcing the pull-request workflow for all changes.

Bug Fixes

  • Cortex writes & form refresh — Cortex justification and TP writes now correctly save to the database and refresh the assessor’s form without requiring a reload
  • pci_requirement column — added to assessment answers so requirement-level data has a dedicated column instead of living inside JSON
  • csrfFetch consistency — file delete, autofill suggestions, file preview, and file download all use csrfFetch to include CSRF tokens and the x-organization header correctly
  • PDF preview in portal — works cross-origin via blob URLs; CSP updated to allow blob: in frame-src
  • Client file delete — clients can delete any unsubmitted file on their own request, not just files they uploaded themselves
  • Confluence spinner merge — connection check and page load now share a single spinner instead of flashing twice
  • Cortex spinner alignment — loading spinner in the analysis sidebar now vertically centered
  • TDZ fix in assessment sections — moved a useEffect referencing structure to after its declaration
  • Resume URL param — now uses sub (subsection) instead of section
  • Auth session IP column — changed from inet to text to support proxied IP formats
March 2026

The main navigation sidebar has been reorganised to keep all controls in one place and keep the top header uncluttered.
  • Collapse button — moved inside the sidebar footer, labelled “Collapse sidebar” / “Expand sidebar” with a directional icon. Collapses to an icon with a tooltip in narrow mode.
  • Search (⌘K) — moved into the sidebar header, directly below the org switcher. Styled as a search input with the ⌘K shortcut badge. Collapses to a search icon in narrow mode.
  • Resources — Documentation and Changelog links moved into the sidebar under a Resources section, pinned to the bottom of the nav list.
  • Header cleaned up — the top bar now contains only breadcrumb navigation on the left and action icons (notifications, Cortex, settings, user) on the right.

Evidence Requests — Grouped by Assessment

The Evidence Requests panel now organises requests into collapsible sections, one per assessment. Each section header shows the assessment name, total request count, and summary badges (accepted / open) so assessors can see progress at a glance without opening every group.
  • Sections expand and collapse individually
  • All sections open by default
  • Badge counts update live as request statuses change

Email System Redesign

All platform emails have been redesigned with a clean, minimal layout — no gradients, no emoji, consistent Kliper branding with a blue logo visible in both light and dark mode.
  • Provider — switched from Mailcow SMTP to Resend for improved deliverability and monitoring
  • Templates redesigned — evidence invitation, magic link, task assigned, task due reminder, assessment due reminder, @mention notification, welcome email, email verification, password reset, and OTP
  • Dark mode compatibility — logo uses brand blue (#2346dd) which remains visible on both light and dark email backgrounds

Client Invite Improvements

  • Duplicate invite detection — re-inviting an existing client to the same assessment reuses the existing link and shows an “Already invited — link reused” confirmation instead of creating a duplicate
  • Job title — now saves correctly for both new and returning clients, and displays on the invited clients list below the client name alongside last seen date

Client Portal for Evidence Collection

A dedicated, secure portal where clients can view evidence requests, upload files, and communicate with assessors — without needing a full Kliper account.
  • Magic link authentication — passwordless login via email, no credentials to manage
  • Dashboard — summary cards (total, open, accepted, changes requested) with progress bar and per-assessment breakdown
  • Evidence request list — sortable, filterable table with status badges, priority levels, due dates, and file counts
  • Request detail page — view full request description, upload evidence files with progress indicator, submit for review, and exchange messages with the assessor
  • Client invitations — invite clients from the Evidence tab or Engagement Hub with name, email, company (auto-detected), and job title fields
  • Dark mode support — all portal pages (login, verify, dashboard, requests, detail) support light and dark themes with system preference detection
See the Client Portal Guide for full documentation.

Evidence Request Templates

56 pre-built PCI DSS evidence request templates covering all 12 principal requirements, enabling assessors to create requests in seconds instead of filling forms from scratch.
  • Template picker — “New Request” opens a chooser (Custom Request vs From Template), then routes to the appropriate form
  • Bulk creation — select multiple templates, optionally override priority and set a shared due date, then create all at once
  • Search and filter — search templates by title, requirement number, or description with category grouping
  • Full PCI DSS coverage — templates for firewall configs, network diagrams, encryption policies, access reviews, vulnerability scans, penetration tests, and more

Sort by Requirement Number

Evidence requests can now be sorted by PCI DSS requirement number on both the assessor Evidence tab and the Client Portal requests page.
  • Toggle button cycles through default → ascending → descending
  • Uses natural numeric sorting (1.9 sorts before 1.10, not after)

Public API with Rate Limiting

RESTful public API for programmatic access to Kliper data, secured with API key authentication and Redis-backed rate limiting.
  • API key management — generate, revoke, and manage API keys from the Integrations page
  • Rate limiting — 60 requests per minute per API key, enforced via Redis sliding window
  • Endpoints — assessments, clients, evidence requests, and organization data

Custom Webhook Integration

Webhook integration with HMAC-SHA256 request signing for secure event delivery to external systems.
  • Event types — assessment status changes, evidence request updates, and more
  • HMAC signing — every webhook payload is signed with a shared secret for verification
  • Delivery tracking — view delivery status and retry failed webhooks

Git Provider Integration

Connect Git repositories (GitHub, GitLab, Bitbucket) to assessments for automated evidence collection from version control.
  • Multi-platform adapter — unified interface across GitHub, GitLab, and Bitbucket APIs
  • Evidence attachment — link repository artifacts (commits, branches, configs) directly to evidence requests

Raycast Extension

Raycast extension for quick access to the Kliper public API, enabling keyboard-driven workflows for power users.

Integrations Hub — Slack, Google Drive, SharePoint, Jira, Google Calendar

Five new third-party integrations accessible from the Integrations page, enabling assessors to connect their existing tools with Kliper:
  • Slack — per-organization webhook integration for posting notifications to Slack channels
  • Google Drive & SharePoint — OAuth-based cloud file import, allowing assessors to browse and attach evidence files directly from Google Drive or SharePoint without downloading and re-uploading
  • Jira — create Jira issues from assessment findings, link existing issues to requirements, and sync status bidirectionally
  • Google Calendar — connect Google Calendar with a calendar picker, sync assessment milestones and deadlines as calendar events

Assessment Response Templates

Three-source template picker for assessment workbench responses, enabling assessors to populate findings and testing procedures faster:
  • From previous assessments — reuse responses from completed assessments for recurring clients
  • From Cortex AI — AI-generated suggestions based on requirement context and uploaded evidence
  • From saved templates — organization-wide response templates for common findings

Assessment Workbench Redesign

Redesigned assessment panels with compact headers, inline Cortex AI chat, and auto-expanding message composer. Audit trail and activity log components rebuilt with modern card layout, collapsible filters, and per-user action breakdown.

Page Layout Standardization

Standardized all page layouts across the platform to a consistent pattern — flex column with fixed header and scrollable body. Affected pages include Engagement Hub, Calendar, Client Files, Project Files, Profile, and all sub-pages. Consistent button sizing (h-8/sm), input heights, and dropdown styling applied platform-wide.

Kliper v2 Branding

New Kliper symbol and logo deployed across the platform, documentation portal, and favicon. Framework logos updated to locally hosted SVGs for faster loading and consistent rendering.

Admin Dashboard & User Management Improvements

  • Admin dashboard restructure — reorganized admin layout with dedicated tabs for Cortex analytics, usage metrics, and system health
  • Users table actions dropdown — bulk actions menu on the user management table for role changes and account operations
  • Collapsible filters — activity log and audit trail filters now collapse into a compact bar, expanding on demand
  • User Management & 2FA table cleanup — modernized table styling with consistent spacing and alignment

Session Stability Fix

Fixed an issue causing random logouts during active sessions. Sessions now persist reliably across navigation and background tab activity.

Performance & Cleanup

  • Batched file stats — file metadata requests are now batched to reduce API calls on pages with many files
  • Production cleanup — removed all debug console.log statements from production code
  • Cortex calendar lookback — expanded from 30 days to 365 days for comprehensive event context

Cortex AI — Unified Persistent Panel

Cortex is now a single global panel accessible from any page via the navbar, replacing the three separate chat panels (assessment, calendar, inbox). Conversations are database-backed and persist across sessions, browser refreshes, and devices.
  • Persistent conversations — all chat history stored in PostgreSQL with auto-generated titles and conversation list
  • Context-aware — automatically adapts to the current page (Assessment, Calendar, Inbox, or General) with fresh data retrieval per message
  • Conversation management — browse, resume, and archive past conversations with context badges showing where each started

Cortex AI — Evaluation & Safety System

Three-layer safety check system that validates every AI response in assessment context against known-good PCI DSS reference data:
  • Requirement reference validation — extracts requirement numbers from responses and checks against 267 valid PCI DSS v4.0.1 requirement IDs. Flags fabricated requirements (e.g., “3.9.7” doesn’t exist)
  • File/evidence citation validation — checks file references against actual uploaded assessment files in the database. Flags references to non-existent files
  • Document validation tag validation — checks document tags (DOCFW, EVDFW, etc.) against 286 known tags from the ROC template. Flags potentially fabricated tags
  • Safety notices — when any check fails, a warning is appended to the response with specific details about what was flagged
  • Message ratings — thumbs up/down on any Cortex response for quality tracking
  • Autofill tracking — tracks when assessors accept AI-generated findings suggestions

Cortex AI — Token Usage & Cost Tracking

Every Cortex AI response now records prompt tokens, completion tokens, and model used. Cost is estimated automatically using published OpenAI pricing.
  • Token Usage card — total estimated cost, token count, and responses tracked for the selected period
  • Per-model breakdown — cost and token stats split by model (e.g., gpt-4o vs gpt-4o-mini)
  • Per-user cost — estimated cost column in the Usage by User table, calculated from each user’s token share
  • Daily activity date labels — chart bars now show date labels (e.g., “Mar 14”) for clear day-by-day visibility

Cortex Analytics Dashboard

Admin dashboard providing real-time metrics on Cortex AI usage across the organization:
  • Satisfaction rate, autofill acceptance, conversations, rating coverage, safety checks, and token usage cards
  • Safety check pass rate with validated/flagged response counts
  • Message rating breakdown (positive/negative) with per-user drill-down
  • Context distribution and autofill by type (template vs Cortex AI)
  • Daily chat and autofill activity charts with date labels
  • Per-user table with conversations, messages, ratings, autofill, tokens, estimated cost, and last active date
  • Recent negative ratings feed for quality review

Cortex AI — Content Moderation

Four-tier content moderation system applied to all Cortex endpoints (unified and legacy):
  • Frustration handling — when users vent at Cortex (“you’re useless”), it acknowledges briefly and redirects to helping rather than lecturing or refusing
  • Off-topic deflection — non-IT topics (politics, sports, creative writing) are politely declined with a scope reminder
  • Prompt injection defense — attempts to override instructions, extract system prompts, or change Cortex’s persona are refused without acknowledgment
  • Harmful content refusal — threats, hate speech, illegal requests, and unauthorized data access attempts receive a firm refusal

Export UX Improvements

  • Loading toast feedback — ROC exports now show a loading spinner toast (“Generating Word export…”) that updates in-place to success or error, replacing the silent wait
  • LOE export dropdown — assessments table in LOE detail page now has a dropdown menu with Export ROC (PDF), Export ROC (Word), and placeholder AOC options
  • Dismissible toasts — all toasts across the platform now have a close (x) button for manual dismissal

Database Connection Fix

Replaced 97 separate PrismaClient() instances with a shared singleton, fixing PostgreSQL connection pool exhaustion that caused 500 errors on exports and other DB-heavy operations. Idle connections dropped from 97 to 10.

UI Consistency & Polish

Comprehensive pass across the platform to standardize visual identity and eliminate browser-native dialogs:
  • Standardized page headers — all remaining pages (Permissions, Profile, Billing, Integrations) now use the shared PageHeader component with consistent icon, title, and subtitle layout
  • Skeleton loaders — replaced all loading spinners with skeleton loaders that mirror actual page layouts for a smoother perceived loading experience across Files, Analytics, Inbox, Calendar, Billing, Workbench, and Profile pages
  • Shared EmptyState component — consistent empty data views across all list pages with contextual icons and descriptions
  • Native alert() removal — replaced all 30+ browser alert() calls with the app’s toast notification system (showToast) across 18 files
  • Native confirm() removal — replaced all 13 browser confirm() dialogs with styled shadcn AlertDialog via a reusable useConfirmDialog hook across 13 components, with support for destructive variant styling

Client Delete with Deactivate Option

The client detail page now offers two removal options when clicking the delete button:
  • Set as Inactive — hides the client from active views while preserving all data (LOEs, assessments, files). The client can be reactivated later
  • Delete Permanently — removes the client and all associated data. Blocked if the client has active LOEs

Task & Cache Reliability Fixes

Fixed critical issues preventing task creation, deletion, and status updates from reflecting in the UI:
  • Redis cache invalidation — the cache invalidation function was a stub that logged but never deleted keys. Now properly scans and removes matching cache entries after every task create, update, and delete
  • CSRF protection — added csrfFetch to all mutating requests (POST/PUT/PATCH/DELETE) in tasks, permissions, and integrations services
  • Field name mismatch — fixed organizationId (camelCase) vs organization_id (snake_case) mismatch that caused 400 errors when creating roles and integrations

Cortex AI Chat — Data Accuracy Overhaul

Complete rewrite of the Cortex chat data pipeline to eliminate hallucinations and ensure accurate PCI DSS assessment data retrieval:
  • Model upgrade — switched from DeepSeek to GPT-4o for higher accuracy and instruction-following. Model name now displayed dynamically in the chat header
  • Fixed requirement data matching — findings and justification keys now use suffix-based matching instead of prefix-based, preventing cross-requirement data leakage (e.g., requirement 1.1.1 no longer shows data from 1.1.2)
  • Fixed testing procedure mapping — TP keys now matched by exact dotted ID after the dash delimiter, eliminating false matches across requirements
  • Framework-aware TP display — Cortex merges saved assessment data with the canonical PCI DSS v4.0.1 framework template, so unsaved testing procedures appear as “not started” rather than being omitted entirely
  • Correct PCI DSS hierarchy — testing procedures (e.g., 1.2.4.a, 1.2.4.b) and reporting instructions (array elements within each TP) are now labeled with correct terminology
  • Follow-up question support — requirement context is preserved across conversation turns by scanning the last 3 user messages for requirement IDs
  • LLM debug logging — full request/response logging to cortex-llm.log for troubleshooting

Standardized Alert UI

Extended the shadcn Alert component with 3 new variants (warning, success, info) and replaced custom Tailwind-styled alert divs across auth pages, workbench, and assessment views for consistent styling with dark mode support.

Threat Intelligence Suite — 5 New Security Tools

Five new threat intelligence tools added to the Security Tools panel, bringing the total to 20 integrated tools:
  • CVE Lookup + EPSS Enrichment (Req 6.3) — every CVE result is now enriched with FIRST EPSS exploit probability scores and percentile rankings, enabling risk-based prioritization beyond CVSS severity alone
  • CISA KEV Tracker (Req 6.3, 11.3) — search and monitor CISA’s Known Exploited Vulnerabilities catalog with stats dashboard, keyword/CVE search, recent additions (90 days), ransomware-linked filter, and top affected vendors breakdown. Data sourced via NVD API with CISA extension fields
  • Secret Scanner (Req 6.2, 6.3) — scan public Git repositories for leaked secrets using Gitleaks. Detects API keys, tokens, passwords, and private keys across full commit history. Findings grouped by rule with file path, commit hash, author, and masked secret
  • Credential Leak Monitor (Req 8.3, 8.6) — check domains and company names against the Have I Been Pwned breach database. Includes breach stats, domain check, company search, recent breaches, and largest breaches views
  • Threat Briefing (Req 6.3, 11.3) — aggregated threat intelligence from NVD (critical CVEs), CISA KEV (exploited vulnerabilities), FIRST EPSS (top exploit probabilities), and HIBP (recent breaches). Configurable time range with deduplicated, severity-sorted results
See the Security Tools Guide for full documentation.

Security Tools Suite — 15 Integrated Tools

Five new security tools added to the Assessment Workbench, bringing the total to 15 integrated tools with sidebar navigation:
  • Payment Page Script Monitor (Req 11.6.1) — live-scan payment page URLs to extract all scripts and verify SRI integrity hashes and CSP headers, or import a CSV script inventory with approval status. Addresses the brand-new PCI DSS 4.0.1 requirement for payment page script monitoring
  • Firewall Rule Analyzer (Req 1.2.5, 1.3) — upload iptables, Cisco ACL, pfSense XML, or AWS Security Group JSON exports. Auto-detects format, flags any-any rules, deprecated protocols (Telnet, FTP, TFTP), overly broad CIDRs, and dangerous ports without source restriction
  • Password Policy Analyzer (Req 8.3) — upload AD GPO .inf, Azure AD JSON, AWS IAM JSON, or CSV policy exports. Checks all 7 PCI password requirements: minimum length (12+), complexity, history (4+), max age (90d), lockout threshold (10), lockout duration (30min), and first-login change
  • Anti-Malware Deployment Checker (Req 5.2, 5.3) — upload endpoint protection CSV reports from Windows Defender, CrowdStrike, SentinelOne, or generic formats. Verifies agent deployment, signature freshness (7-day threshold), real-time protection, and scan recency across all endpoints
  • FIM Report Parser (Req 11.5) — upload file integrity monitoring reports from OSSEC/Wazuh (JSON), Tripwire (CSV), AIDE (text), or generic CSV. Detects unauthorized modifications to critical system files (/etc/passwd, /etc/shadow, SAM, SYSTEM, etc.)
Previously shipped tools (10):
  • Port & Service Scanner — live nmap scans or import existing nmap XML, detects risky open ports (Telnet, FTP, SMB, RDP), auto-fill for Req 1.2.1
  • Patch Management Parser — upload WSUS, SCCM/Intune, or Qualys Patch CSV exports, flags critical/high patches overdue beyond the 30-day PCI window, auto-fill for Req 6.3.3
  • Log Audit Validator — upload syslog, Windows Event XML/CSV, JSON, or CSV logs to verify all 6 PCI-required audit trail fields, auto-fill for Req 10.2
  • Access Review Parser — upload Active Directory, Azure AD, or AWS IAM CSV exports, detects inactive accounts, shared/generic accounts, missing MFA, and excessive privileges, auto-fill for Req 7.2 & 8.6
  • SSL/TLS Checker — domain certificate validation with SSL Labs grading, auto-fill for Req 4.2.1
  • CVE Vulnerability Lookup — NVD-powered vulnerability search by software/version, auto-fill for Req 6.3
  • ASV Scan Import — upload Qualys/Tenable/Rapid7 CSV scan results, PASS/FAIL compliance, auto-fill for Req 11.3.2
  • Penetration Test Parser — upload Burp Suite XML, Nessus CSV, or OWASP ZAP XML reports, auto-fill for Req 11.4
  • HTTP Header & DNS Checker — A-F grading on HSTS, CSP, X-Frame-Options, SPF, DMARC, CAA, auto-fill for Req 2.2.5
  • Remediation Dashboard — unified view aggregating findings from all tools with severity, status, tool, and PCI requirement breakdowns

Security Tools Sidebar Navigation

Replaced the horizontal tab bar with a vertical sidebar for the Security Tools panel. All 20 tools are now accessible from a compact sidebar that scales without overflow.
See the Security Tools Guide for full documentation.
February 2026

Documentation Portal

Launched a public documentation portal with 14 pages covering every platform feature — step-by-step operations guides, platform architecture, and technical deep dives.

Document Validation & Evidence Pipeline

Cortex AI now validates every uploaded file against requirement-specific PCI DSS criteria. Results (Complete / Partial / Insufficient) appear inline in the attachments table without leaving the workbench. Malware scan status column added, plus unlink/unassign support for evidence files.
Bug fixes: Tailwind darkMode config, radio button selection in validation criteria, double scrollbar on attachments tab.

Assessment Workbench Overhaul

Major restructure of the primary assessment interface — redesigned section tree, prefill from previous assessments, per-section progress bars, bookmarks and stamps, interview question dialog with Cortex context, dedicated Cortex AI chat panel, and complete DOCX export tag mapping for all 12 PCI DSS principal requirements.
Bug fixes: Section 5/6 DOCX field mapping, fixed scrollbar layout, radio button findings, auto-summary for Req 1.8.1, Kanban progress calculation, textarea caret positioning.

Calendar 2.0 & Command Palette

RFC 5545 RRULE recurrence with safety limits (max 500 occurrences, 2-year expansion), task-linked calendar events (Teams/Zoom/Google Meet), command palette with fuzzy search across assessments/tasks/settings, and full keyboard/ARIA accessibility on calendar.
Security: Fixed passkey (WebAuthn) registration and auth flow, session accumulation on repeated logins, device OS detection, input sanitization, rate limiting, and XSS prevention.
January 2026

Production Hardening & Infrastructure

Database connection pooling, dynamic XLSX import (lazy-loaded), Sentry tree-shaking, Next.js Image component for logo, conditional logging (dev only). Activity logs migrated from JSON files to PostgreSQL. All npm audit vulnerabilities resolved.

Sentry Error Tracking

Integrated Sentry for frontend error capture — source map uploads for readable production stack traces, user context linked to sessions, environment-based configuration, and CSP headers updated for Sentry domains.

2FA Verification Page Redesign

Modern OTP input with 6-digit auto-advance, paste support, dark-background centered card matching the login page, trust-device checkbox (30 days), and countdown timer with resend.

Login & Signup Page Redesign

Split-screen layout — gradient brand sidebar alongside the auth form. Mobile-responsive, Google/GitHub/Microsoft OAuth buttons, inline validation, and server error handling.
December 2025

Engagement Hub — Client & LOE Architecture

Complete Client → LOE → Assessment data hierarchy. Client profiles with PCI context (merchant level, acquirer, transaction volume), LOE setup with scope/milestones/financials/legal terms/QSA signer, Engagement Hub dashboard, and tabbed LOE detail page (overview, scope, timeline, assessments, documents, terms, signatures, payment).

Session Management

Active sessions list with device info, browser, and IP. Remote logout for any session, configurable concurrent session limits, and OS/browser detection.

Password Security with HIBP Integration

Breach detection via the Have I Been Pwned API using k-Anonymity (only the first 5 characters of the password hash are sent). Real-time warning if the password appears in a known breach, and an enhanced strength indicator.
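How the k-Anonymity check keeps the password off the wire, as an added example rather than Kliper's own implementation: the client hashes the password, sends only the 5-character hash prefix to the range endpoint, and compares the remaining suffix locally against every entry the server returns. The `RangeFetcher` type, the `sampleFetcher` and the sample range body are constructed for the demo; the live fetcher targets the public Pwned Passwords range API.

```typescript
import { createHash } from "node:crypto";

// A range fetcher takes the 5-character prefix and returns the body of a
// /range/{prefix} response: one "HASH_SUFFIX:COUNT" entry per line.
export type RangeFetcher = (prefix: string) => Promise<string>;

// Uppercase hex SHA-1, the digest Pwned Passwords is keyed on.
export function sha1Hex(password: string): string {
  return createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
}

// Only the first 5 characters ever leave the client; the suffix stays local.
export function splitHash(hash: string): { prefix: string; suffix: string } {
  return { prefix: hash.slice(0, 5), suffix: hash.slice(5) };
}

// Compare locally against every suffix in the range. Returns the breach count,
// 0 when absent; padding entries (Add-Padding) carry count 0 and so read as absent.
export function countInRange(body: string, suffix: string): number {
  for (const line of body.split(/\r?\n/)) {
    const [candidate = "", count = "0"] = line.trim().split(":");
    if (candidate.toUpperCase() === suffix) return Number(count) || 0;
  }
  return 0;
}

export async function pwnedCount(password: string, fetchRange: RangeFetcher): Promise<number> {
  const { prefix, suffix } = splitHash(sha1Hex(password));
  return countInRange(await fetchRange(prefix), suffix);
}

// Fetcher for the live API (not used by the offline demo below).
export const hibpFetcher: RangeFetcher = async (prefix) => {
  const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`, {
    headers: { "Add-Padding": "true" },
  });
  if (!res.ok) throw new Error(`HIBP range lookup failed: HTTP ${res.status}`);
  return res.text();
};

// Constructed range body for prefix 5BAA6 (SHA-1 of "password" starts with it);
// the second suffix and both counts are made up for the demo, not real HIBP data.
export const SAMPLE_RANGE_5BAA6 =
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42\n" +
  "1D2C8E7F0A1B2C3D4E5F60718293A4B5C6D:0\n";
export const sampleFetcher: RangeFetcher = async () => SAMPLE_RANGE_5BAA6;
```

Because the comparison happens on the client, a network observer or the API operator learns only that one of several hundred hashes sharing the prefix was checked, never which one.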

Security Penetration Testing Fixes

IDOR protection (org-scoped validation on all resource endpoints), enhanced rate limiting on auth and API routes, XSS prevention on all user-input fields, CORS hardening.
November 2025

Calendar Improvements with Big Calendar

Migrated to react-big-calendar — month/week/day views, drag-and-drop event rescheduling, date/time picker for new events, recurring events, and LOE milestone/deadline visualization.
October 2025

Major Infrastructure Upgrade

Complete infrastructure overhaul — Supabase for real-time and file storage, Redis for server-side caching, TanStack React Query for frontend data management, and 100+ bug fixes.
  • Supabase Storage — 4 auto-initialized buckets (evidence-files, avatars, org-logos, reports) with org-scoped paths and signed URLs
  • Supabase Realtime — replaced 30-second polling with WebSocket connections for instant notifications, presence, and live assessment updates
  • Redis Caching — 50%+ route coverage, 10-minute TTL, automatic invalidation, 60–70% response time reduction
  • TanStack React Query — 35 hooks, 15+ components refactored, ~2,000 lines of boilerplate removed, 60–70% API call reduction
  • Prisma schema — standardized 100+ field references to snake_case, 144-folder PCI DSS file structure per assessment

Trusted Device Management for 2FA

Mark devices as trusted to skip 2FA for 30 days. View and revoke trusted devices from security settings.

Admin Dashboard & Log Management

Database health dashboard (connection status, table stats), security audit dashboard (failed logins, suspicious activity), usage analytics (daily trends, feature breakdown), real-time log viewing with level/date/search filtering, and plan badge indicators.

Architecture & Workflow Documentation

Internal docs suite with business workflow guides, 9 Mermaid architecture/data-flow diagrams, and technical references for database schema, RBAC, and caching strategies.

Critical Bug Fixes & System Stability

Analytics crash fixes with data validation, authorization header forwarding in Next.js API proxy, single-instance enforcement for frontend (3000) and backend (3001), Cloudflare caching optimization (API bypass, static assets 2-hour cache).

Performance Optimization Suite

85% faster API responses — strategic database indexes (40–60% query improvement), 5-minute in-memory API cache (80–90% DB load reduction), Cloudflare CDN with Gzip compression (70–80% payload reduction). Average API response time: 4–7ms (down from 50–100ms).

Dark Mode & UI Improvements

React MutationObserver for real-time dark/light mode switching, professional PCI DSS assessment cover page, reorganized toolbar (filter/export, review/accept, members/help groups), scoping categories collapsed by default.

Stripe Integration & Advanced Scoping

Multi-tier Stripe billing (checkout, portal, webhook handling), 8-rule scoping engine (wireless, P2PE, CHD storage, segmentation), automatic N/A pre-fill for scoped-out requirements, browser push notifications (VAPID + service worker), Mailcow SMTP email system, and Microsoft OAuth.

Smart Notifications & Email System

@mention instant alerts, task assignment notifications, mobile-responsive email templates (Mailcow SMTP), automated daily/weekly/monthly task reminders via cron, enhanced task management (edit, delete, creator tracking), and activity audit logging.

2FA Authentication & Scoping Engine

TOTP setup wizard (QR code, manual key, code verification), 8 one-time backup codes, admin 2FA adoption panel, dedicated verification page. Scoping engine fixes: persistence, N/A auto-fill, visual N/A banner, conditional rule evaluation.

Initial Platform Launch

The first release of Kliper — a PCI DSS 4.0.1 compliance platform for QSA firms and internal security teams.
  • Assessment Engine — 200+ testing procedures, 3-panel workbench (tree, questions, context), findings (In Place / Not Applicable / Not Tested / Not in Place), compensating controls, DOCX ROC export
  • Multi-Tenant Architecture — org-isolated workspaces, 4 roles (Admin/Manager/Contributor/Viewer) with 28 granular permissions, Better Auth with Google/GitHub/Microsoft OAuth
  • Evidence & File Management — SHA-256 hashing, dual-engine malware scanning (ClamAV + VirusTotal), MIME validation, 40+ blocked extensions, magic bytes inspection
  • Collaboration — threaded comments with @mentions, Kanban tasks, calendar, live presence (who is viewing which section in real-time)
  • Analytics — gap assessment with 5 severity levels, 4-factor risk scoring (finding 45% / documentation 25% / completeness 15% / staleness 15%), Cortex AI remediation recommendations