Changelog
What we are building and shipping — one update at a time.
May 2026
May 23, 2026
Sector AI bundle — FDA GMLP (medical device), NYDFS Circular Letter (insurance), EEOC TAD (employment), ISO/IEC 23894 (AI risk)
- Phase H.1 of the AI Governance roadmap ships the first sector-specific AI add-on bundle. Four new frameworks that bind general AI governance practice to specific regulated sectors — medical device, insurance, employment, and the ISO companion to ISO 42001. All four are wired with crosswalk companions to NIST AI RMF, ISO/IEC 42001, and (where applicable) the sector-baseline frameworks (ISO 13485 for FDA GMLP, NYC LL 144 + Colorado AI Act for EEOC, EU AI Act for FDA GMLP)
- **FDA GMLP (Good Machine Learning Practice) — Oct 2021** — Joint guiding-principles document from FDA / Health Canada / UK MHRA. 10 principles covering multi-disciplinary TPLC expertise, software and security engineering, representative training and test data, reference dataset selection, model design fit-for-intended-use, human–AI team performance, clinical-condition testing, user-facing transparency, and post-deployment monitoring of AI/ML-enabled SaMD. 10 clauses, 30 directives at 979c body avg with named SKUs (21 CFR 820.30, ISO 14971, IEC 62304, ISO 13485 §7.3)
- **NYDFS Circular Letter No. 7 (2024)** — New York Department of Financial Services guidance on AI use by insurers. Covers fairness analysis and disparate-impact testing across protected classes (race, color, national origin, gender, age, religion, sexual orientation, marital status, disability), governance and risk management, data sourcing and lineage, third-party vendor management, and consumer disclosure. 20 clauses, 59 directives at 1007c body avg. NYDFS explicitly recognises NIST AI RMF as suitable underlying methodology
- **EEOC AI in Hiring TAD (May 2023)** — Equal Employment Opportunity Commission Technical Assistance Document on the assessment of adverse impact in employment selection procedures used to make employment decisions. Covers adverse-impact testing, the four-fifths rule, vendor responsibility under UGESP, remediation, and recordkeeping — all grounded in Title VII. 20 clauses, 60 directives at 1001c body avg with 87% named-SKU rate (UGESP, Title VII, EEO-1, 4/5ths rule, OFCCP)
- **ISO/IEC 23894:2023 (AI Risk Management)** — companion to ISO/IEC 42001. Built on ISO 31000, supplies the AI-specific risk principles, framework integration, and risk-management-process detail (communication, consultation, scope-context-criteria, assessment, treatment, monitoring, recording-reporting). 21 clauses, 60 directives at 935c body avg. Paywalled — verbatim_allowed=false; clause titles paraphrase intent and reference the ISO standard for binding text
- Each framework declares crosswalk companions so the workspace picker surfaces the broader baselines. FDA GMLP pairs with ISO 42001, NIST AI RMF, ISO 13485, EU AI Act. NYDFS pairs with NIST AI RMF, ISO 42001, Colorado AI Act. EEOC pairs with NIST AI RMF, NYC LL 144, Colorado AI Act, California AB 2013. ISO 23894 pairs with ISO 42001 and NIST AI RMF. With this release the cajeX catalog has the most comprehensive sector AI coverage we know of — workspace owners in regulated industries can pick the sector framework and get the cross-walked baseline practice in the same selection
May 23, 2026
AI jurisdictional bundle — California (AB 2013 + SB 1120 + AB 3030), Texas TRAIGA, Canada AIDA
- Phase E.5 rounds out the Tier-2 AI jurisdictional surface in the cajeX catalog. Five new frameworks covering the practical surface a US / Canada-operating AI vendor or deployer needs in 2026 alongside the existing Colorado AI Act and NYC LL 144. All five are wired with crosswalk companions to NIST AI RMF and ISO/IEC 42001 so the workspace picker surfaces the broader baselines the laws explicitly reference
- **California AB 2013 (GenAI Training Data Transparency)** — effective Jan 1, 2026. Requires developers of GenAI systems made available to Californians to publish a high-level summary of training data on their public website. 20 clauses, 45 directives. Codified at Cal. Bus. & Prof. Code §§22757-22757.4
- **California SB 1120 (Physicians Made Decisions Act)** — in effect since Jan 1, 2025. Constrains AI / algorithm use in health-plan and disability-insurer utilization review. Requires licensed-physician oversight, evidence-based criteria, individualised review, and prohibits denials based solely on AI categorical determinations. 13 clauses, 33 directives. Codified at Cal. Health & Safety Code §1367.01 + Cal. Insurance Code §10123.135
- **California AB 3030 (Generative AI in Healthcare Communications)** — in effect since Jan 1, 2025. Requires healthcare providers using GenAI to generate written or verbal patient-facing clinical communications to disclose the AI use and provide instructions for contacting a human provider. 8 clauses, 21 directives. Codified at Cal. Health & Safety Code §1339.75
- **Texas Responsible AI Governance Act (HB 149)** — effective Jan 1, 2026. Texas's first comprehensive AI law, narrower than the originally-proposed HB 1709. Focuses on governmental-agency AI use, prohibited applications (manipulation, social scoring, biometric surveillance, discrimination, CSAM/deepfakes), and consumer disclosures. AG-enforced; NIST AI RMF / ISO 42001 compliance is an explicit affirmative defense to civil penalties. 15 clauses, 27 directives. Codified at Tex. Bus. & Com. Code Ch. 552 + 553
- **Canada AIDA (Artificial Intelligence and Data Act)** — DRAFT. Originally bundled into Bill C-27 (2022); died on the order paper January 2025 when Parliament was prorogued; awaiting re-introduction or successor legislation. Imposes obligations on persons responsible for high-impact AI systems: risk assessment, mitigation, monitoring, human oversight, recordkeeping, incident notification. 21 clauses, 53 directives. Ships in draft status so Canadian-operating organisations can prepare ahead of finalisation
- Each framework's status flag is honest about its enforcement state: AB 2013, SB 1120, AB 3030, and Texas TRAIGA are published and in effect; Canada AIDA carries status='draft' so the picker surfaces it as still-pending. With this release the cajeX catalog has the most comprehensive published AI-governance picker we know of in any architecture-governance platform. It covers EU (AI Act, GMP Annex 22), US federal voluntary (NIST AI RMF + GAI Profile), US state-comprehensive (Colorado, Texas), US sector-narrow (NYC LL 144, California three-bill bundle), international voluntary (ISO 42001, OECD AI Principles), and Canada federal (AIDA, draft)
May 22, 2026
EU GMP Annex 11 (Computerised Systems) and Annex 22 (AI in pharma manufacturing — draft)
- Phase E.4 of the AI Governance roadmap ships the two EU GMP annexes that supplement Volume 4 — the first end-to-end demonstration of the AI add-on pattern in cajeX. Both annexes are independent frameworks that declare a 'required' companion to eu-gmp-vol4; selecting either pulls Volume 4 in as the base, and selecting Annex 22 additionally pulls Annex 11 because AI/ML systems are a subset of computerised systems and inherit the Annex 11 baseline
- **EU GMP Annex 11 (Computerised Systems)** — 51 clauses covering the 17 sections of the 2011 revision: risk management, supplier qualification, validation (URS/FS/IQ/OQ/PQ), data integrity, accuracy checks, audit trail, change and configuration management, IT security, electronic signatures, batch release, business continuity. 102 directives at round-2 quality. Major EU revision is in consultation through 2025 with finalisation expected 2026 — cajeX will regenerate against the final text once published. Crosswalks ISO 27001 for the IT-security overlap
- **EU GMP Annex 22 (Artificial Intelligence in Pharma Manufacturing) — DRAFT** — 45 clauses across 12 sections: quality risk management for AI (with ICH Q9 integration), development of AI models, validation, operational performance monitoring, change control, data management, human oversight and decision support, documentation, continuous learning (Class B specific), and decommissioning. 99 directives at round-2 quality. **Currently DRAFT** — based on the July 2024 EMA stakeholder consultation; finalisation expected H2 2026. Marked status='draft' in the workspace picker so customers know the obligations may shift; cajeX will regenerate against the final text within one week of publication. Crosswalks both NIST AI RMF and ISO/IEC 42001 — pair them for cross-jurisdiction AI governance evidence
- Strategic significance: this is the first add-on framework pattern in the cajeX catalog where the picker chains companions explicitly — Annex 22 requires Annex 11 requires Volume 4. The pattern generalises: future sector annexes (FDA 21 CFR Part 11, medical device cybersecurity, etc.) can layer on top of their respective bases the same way without polluting the base framework's clause set
May 22, 2026
New framework — EU GMP EudraLex Volume 4 (Good Manufacturing Practice for medicinal products)
- Phase E.3 of the AI Governance roadmap lays the foundation for the pharma AI add-on pattern by adding the EU's primary GMP framework. EudraLex Volume 4 binds every Manufacturing Authorisation Holder (MIA, MIA-IMP) and Marketing Authorisation Holder (MAH) supplying medicinal products to the EU/EEA market — regardless of where the manufacturing physically takes place — under Directive 2001/83/EC. Harmonised across all EU/EEA national medicines agencies plus MHRA UK, and aligned with PIC/S GMP and ICH Q7-Q10
- cajeX maps Part I (Basic Requirements for Medicinal Products) end-to-end across its nine chapters: §1 Pharmaceutical Quality System, §2 Personnel, §3 Premises and Equipment, §4 Documentation, §5 Production, §6 Quality Control, §7 Outsourced Activities, §8 Complaints, Quality Defects and Product Recalls, §9 Self-inspection. 80 clauses total, 59 in-scope leaf controls, 176 directives at body avg 1004 chars per directive — concrete, named-procedure framing (PQS quality manual structure, CAPA workflows, change control thresholds, ICH Q9 risk-management techniques, GDocP requirements, cross-contamination prevention, batch processing records, QC laboratory independence, root-cause-analysis methodology for product recalls, self-inspection cadence)
- Part II (Active Substances), Part III (Quality Risk Management + Pharmaceutical Quality System guidance docs), and Part IV (Advanced Therapy Medicinal Products) are registered as out-of-scope placeholders for ToC completeness — they ship as separate cajeX frameworks if customer demand surfaces. The 22 Annexes (Annex 1 Sterile, Annex 11 Computerised Systems, Annex 22 AI in pharma manufacturing — draft, etc.) are NOT clauses on this framework; each ships as its own separate framework declaring a supplements companion to EU GMP Vol 4. This is the foundation for Phase E.4 which will add Annex 11 + Annex 22 as the first two such supplements
- Cross-walks ISO 13485:2016 (medical device QMS — combination-product manufacturers often hold both certifications) and ISO 9001:2015 (general QMS — useful when transitioning from a general quality system to pharma-specific GMP). Picker surfaces these crosswalks automatically when EU GMP Vol 4 is selected. Pairs with ICH Q10 / Q9 / Q7 when those eventually ship
May 22, 2026
Two new AI jurisdictional frameworks — Colorado AI Act and NYC Local Law 144 (AEDT Bias Audit)
- Phase E.2 of the AI Governance build adds the two highest-priority US state / city AI laws. Both are in effect (NYC LL 144 since July 2023; Colorado AI Act takes effect February 2026) and both carry concrete employer-facing obligations, so workspaces preparing for either can now pick them directly. Each is wired with crosswalk companions to NIST AI RMF and ISO/IEC 42001 so the picker surfaces the broader AI governance baselines that the laws explicitly accept as evidence of reasonable care
- **Colorado AI Act (SB 24-205)** — first US-state comprehensive AI law. 31 clauses covering the developer obligations under §6.5-1702 (reasonable care, documentation to deployers, public statement, AG notification of algorithmic discrimination, NIST AI RMF safe harbor), deployer obligations under §6.5-1703 (risk management policy, annual impact assessment, consumer notice, public summary), and consumer rights under §6.5-1704–§6.5-1706 (notice, explanation, correction, appeal, human review). 48 directives at round-2 quality. Definitions (§6.5-1701) and enforcement / exemptions (§6.5-1707) registered for ToC completeness as out-of-scope. The Colorado AG-enforcement / reasonable-care framing relies on NIST AI RMF compliance, so the framework cross-walks both NIST AI RMF and ISO 42001
- **NYC Local Law 144 of 2021** — the AEDT (Automated Employment Decision Tool) bias audit law. 13 clauses covering §20-871 bias audit (independent auditor, annual cadence, disparate-impact analysis by sex / race-ethnicity / intersectional categories), §20-872 candidate and employee notice (10 business days before AEDT use, alternative selection process on request), and §20-873 publication of results on the employer's public website. 24 directives at round-2 quality. Triggered when an employer or employment agency uses an AEDT for any NYC-resident candidate or NYC role, regardless of employer headquarters. Cross-walks NIST AI RMF for the underlying bias risk-function methodology
- Both frameworks ship at the same round-2 quality bar as ISO 27001 and the rest of the catalog — body avg 988–998 chars per directive with named statutory triggers, quantitative thresholds (the 10-business-day notice clock, $1,500 LL 144 penalty cap, $50M Colorado revenue exemption, four-fifths-rule impact ratios), and vendor-neutral framing. Each carries the system applicability scope since both laws are per-AEDT / per-AI-system in scope rather than program-level
May 20, 2026
Mouse back button + tab persistence on IT Services, App Landscape, and Data Architecture
- The browser back button (and the back button on a mouse) now navigates between tabs on the IT Services (CMDB / ITSM / Correlation), App Landscape (Inventory / Sync / AI Review / Analytics), and Data Architecture (Assets / Domains / Sync / Quality / Lineage) views. Previously back left the page entirely; now it walks one tab at a time within the view, the same way it already did on the workspace surface
- Those same views also remember which tab you were on after a refresh — previously every refresh dropped you back on the leftmost tab. The tab name is stored per-view, so e.g. landing on Data Architecture → Lineage and refreshing brings you back to Lineage
May 20, 2026
AI governance frameworks (ISO 42001, NIST AI RMF, OECD AI Principles) now render their scope label
- Frameworks whose scope is the organisation's AI program (rather than the org as a whole, a single system, or a regulated data flow) now carry an "AI program" chip in the workspace Frameworks settings tab and in the onboarding framework picker. The chip and its tooltip ("Applies to the organisation's AI program / portfolio") were missing for these frameworks because the frontend hadn't been taught about the AI-program scope when the AI Governance pack shipped
- Same fix also prevents an edge-case render error on a future framework added with a brand-new scope value the frontend hasn't seen yet — the chip falls back to the raw scope value with an empty tooltip rather than crashing the page
May 20, 2026
Activity thread on projects + readable state-change log on findings
- Project detail now has an Activity section at the bottom that shows the project's full lifecycle history — every Activate / Put on Hold / Resume / Complete / Cancel / Reopen / Reactivate transition, plus the reason captured at the time of each change. You can also add free-form comments to the same thread (visible to anyone who can see the project), so discussion that previously had no home on a project finally has one. Previously the lifecycle reasons were recorded server-side but had no surface in the UI, and there was no way to leave a comment on a project at all
- Finding state changes no longer render as blank rows in the comment thread. Clicking Start Work, Submit for Verification, Reopen for Work, or Reactivate (transitions that don't require a typed reason) previously left behind comment-thread entries that displayed only the user's name and timestamp — no badge, no text, nothing about what actually changed. Both the status badge (e.g. "Reopened for work (Pending Verification → In Progress)") and a derived action label now render in the row body, so every transition is legible whether or not the user typed something
- The detail-page section that used to be called "Comments" on findings, projects, directives, and knowledge-base entries is now "Activity" — a single name that fairly covers both free-form discussion and the automatic state-change log that the section has always displayed alongside it
May 19, 2026
Project card badges no longer clip on narrow layouts
- Project card badges (state, phase, organisation) now wrap to a second row when there isn't horizontal space for all three on one line — previously the rightmost badge clipped at the card's edge on the 5-column grid (most visible when the organisation name was long, e.g. "l2-developer-experience"). A single badge that's still wider than the card on its own row truncates with an ellipsis, and hovering reveals the full value via the existing tooltip
May 19, 2026
Doc Extract no longer fails with "R2 object missing" on workspaces with dedicated storage
- Uploading a document to a project, finding, or directive on a workspace with dedicated R2 storage previously surfaced "Error: R2 object missing" in the AI Activity log — the upload itself succeeded (the file landed in the workspace's own bucket) but the follow-on text extraction read from the shared default bucket and found nothing. Doc Extract now routes the read through the same bucket resolver the upload uses, so files in dedicated buckets extract correctly. Shared-bucket workspaces were unaffected; only workspaces migrated to dedicated storage hit this
May 19, 2026
Project lifecycle now has Activate / Put on Hold / Complete / Cancel buttons (matches directive + finding pattern)
- Project detail view now exposes a row of state-transition buttons at the top — Activate, Put on Hold, Resume, Complete, Cancel, Reopen, Reactivate — instead of forcing you into the edit form just to change the state dropdown. Buttons available at any moment depend on the project's current state (e.g. an On Hold project shows Resume and Cancel; a Completed one shows Reopen). Same state-machine pattern that already drives directives, findings, and knowledge-base entries — single source of truth in backend/src/services/transitions.ts
- Transitions that materially change the audit trail (cancel, hold, complete, reopen, reactivate) prompt for a reason inline before dispatching. The reason is recorded against a semantically-named field — "Reason for cancellation", "Reason for putting on hold", "Closing summary" — so the audit log row carries intent, not just generic text. Terminal transitions (Complete, Cancel) also show a confirm dialog before firing
- Activating a project from Draft and resuming from Hold are one-click — no reason required, since the audit trail of the activation/resume itself is the meaningful signal. The button bar disappears entirely for read-only seeded sample projects and for viewer-role members, so the affordance never appears for users who can't act on it
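The rules in this entry (state-dependent actions, mandatory reasons, confirmation on terminal transitions, nothing for viewers or seeded samples) only protect the audit trail if the server enforces them as well as the button bar. The TypeScript below is an added example, not code from cajeX or from backend/src/services/transitions.ts: the from/to pairs, the role names, the reopen/reactivate reason labels and the result shape are assumptions.

```typescript
// Added example: server-side enforcement of the lifecycle rules in this entry.
// The transition table, role names and result shape are assumptions for
// illustration; they are not the contents of backend/src/services/transitions.ts.

type ProjectState = "draft" | "active" | "on_hold" | "completed" | "cancelled";
type Action = "activate" | "hold" | "resume" | "complete" | "cancel" | "reopen" | "reactivate";
type Role = "owner" | "member" | "viewer";

interface Rule {
  from: ProjectState[];
  to: ProjectState;
  reasonField: string | null; // null means one-click, no reason captured
  terminal: boolean;          // terminal transitions need explicit confirmation
}

// Labels for cancel, hold and complete are quoted from the changelog entry;
// the reopen/reactivate labels and every from/to pair are assumed.
const RULES: Record<Action, Rule> = {
  activate:   { from: ["draft"], to: "active", reasonField: null, terminal: false },
  hold:       { from: ["active"], to: "on_hold", reasonField: "Reason for putting on hold", terminal: false },
  resume:     { from: ["on_hold"], to: "active", reasonField: null, terminal: false },
  complete:   { from: ["active"], to: "completed", reasonField: "Closing summary", terminal: true },
  cancel:     { from: ["draft", "active", "on_hold"], to: "cancelled", reasonField: "Reason for cancellation", terminal: true },
  reopen:     { from: ["completed"], to: "active", reasonField: "Reason for reopening", terminal: false },
  reactivate: { from: ["cancelled"], to: "draft", reasonField: "Reason for reactivation", terminal: false },
};
const ACTIONS: Action[] = ["activate", "hold", "resume", "complete", "cancel", "reopen", "reactivate"];

interface Project { id: string; state: ProjectState; readOnlySample: boolean; }
interface Actor { id: string; role: Role; }
interface AuditEntry {
  projectId: string; actorId: string; action: Action;
  from: ProjectState; to: ProjectState;
  reasonField: string | null; reason: string | null; at: string;
}
type TransitionResult =
  | { ok: true; project: Project; audit: AuditEntry }
  | { ok: false; error: string };

// Viewers and read-only seeded samples can never transition a project.
function canAct(project: Project, actor: Actor): boolean {
  return actor.role !== "viewer" && !project.readOnlySample;
}

// What the button bar would render for this user and state.
function availableActions(project: Project, actor: Actor): Action[] {
  if (!canAct(project, actor)) return [];
  return ACTIONS.filter((a) => RULES[a].from.indexOf(project.state) !== -1);
}

// What the API handler must re-check: a hidden button does not stop a crafted request.
function applyTransition(
  project: Project,
  actor: Actor,
  action: Action,
  input: { reason?: string; confirmed?: boolean },
  at: string
): TransitionResult {
  if (!canAct(project, actor)) return { ok: false, error: "forbidden" };
  const rule = RULES[action];
  if (rule.from.indexOf(project.state) === -1) return { ok: false, error: "invalid_transition" };
  const reason = (input.reason || "").trim();
  if (rule.reasonField !== null && reason.length === 0) return { ok: false, error: "reason_required" };
  if (rule.terminal && input.confirmed !== true) return { ok: false, error: "confirmation_required" };
  const audit: AuditEntry = {
    projectId: project.id, actorId: actor.id, action: action,
    from: project.state, to: rule.to,
    // The reason is stored under its semantic label so the log row carries intent.
    reasonField: rule.reasonField,
    reason: rule.reasonField === null ? null : reason,
    at: at,
  };
  return {
    ok: true,
    project: { id: project.id, state: rule.to, readOnlySample: project.readOnlySample },
    audit: audit,
  };
}
```

Deriving `availableActions` and `applyTransition` from the same table keeps the UI and the API from drifting apart, which is the point of a single source of truth.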
May 19, 2026
Project detail now reflects state and phase edits immediately, without close + reopen
- Editing a project's state, phase, or other fields and clicking Update Project now refreshes the detail view in place — previously the detail panel kept showing the pre-edit values until you closed and re-opened it (even though the project list cards and dashboard reflected the change immediately). Cause: the detail view's data-fetch only ran on a new project ID, so an in-place edit silently left the panel stale. The save flow now signals the detail panel to re-fetch, while preserving local UI state like description expand and dismissed banners
- Project cards in the grid no longer mash the "Updated" date against the Managers/Members count on narrow layouts — the date now wraps cleanly to its own line when there isn't horizontal room
May 19, 2026
Delete confirmation dialog now appears reliably for projects, directives, and knowledge base entries
- Clicking the trash icon on a project, directive, or knowledge base entry detail panel sometimes did nothing — the page would dim slightly but no confirmation dialog appeared, leaving the user with no way to delete from the detail view. Cause: a CSS cascade conflict between two backdrop classes applied to the same portaled overlay (one set z-index to 20, the other to 400, and whichever loaded later won), which on some chunk load orders dropped the dialog underneath the detail panel itself. The redundant class is removed; the dialog now reliably renders on top, centered over the viewport
May 19, 2026
Directives seeded from retired framework templates now auto-deprecate with a reversible explainer
- When a framework gets regenerated in the cajeX catalog at a higher quality bar, the old template rows are retired — but tenant workspaces that previously imported those templates kept the old directives, with their source-template reference now pointing to a deleted catalog row. Those directives now auto-deprecate with a clear explanation. The badge "Auto-deprecated" (amber) on the directive card and detail panel distinguishes them from manually-deprecated directives, and the directive detail shows the full reason inline — including the original catalog template_id for audit and the two paths forward (Reactivate to keep, or leave deprecated to clean up)
- Auto-deprecation is fully reversible — click Reactivate on any auto-deprecated directive to move it back to draft. Edits and content are preserved. The 24-hour cron only runs at 06:00 UTC and is bounded by a 25% per-tenant safety cap so a catalog issue cannot trigger a mass deprecation event in one go
- The catalog re-seed orchestrator (scripts/seed-curation/sweep-stale-directives.ts) is also available as an operator-side CLI for one-shot backfills with --dry-run and --tenant filters
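A sketch of how a retired-template sweep can be bounded per tenant, with a dry-run mode and a tenant filter. This TypeScript is an added example, not the code of scripts/seed-curation/sweep-stale-directives.ts: the field names, the choice to skip a whole tenant when the cap is exceeded, the `keptAfterRetirement` flag and the sample data are assumptions.

```typescript
// Added example: retired-template sweep bounded by a per-tenant safety cap.
// Field names, skip-the-whole-tenant behaviour and sample data are assumptions.

type Status = "draft" | "active" | "deprecated";

interface Directive {
  id: string;
  tenantId: string;
  status: Status;
  sourceTemplateId: string | null; // null = authored in the workspace, never swept
  autoDeprecated: boolean;
  deprecationReason: string | null;
  keptAfterRetirement: boolean;    // set on Reactivate so the next run leaves it alone
}

interface SweepOptions { dryRun: boolean; tenant: string | null; capRatio: number; }

interface TenantReport {
  tenantId: string;
  total: number;
  stale: string[];      // ids whose source template is gone from the catalog
  deprecated: string[]; // ids actually changed (empty on dry run or cap breach)
  capExceeded: boolean;
}

// Mutates the matching directives in place unless dryRun is set.
function sweepStaleDirectives(
  directives: Directive[],
  liveTemplateIds: string[],
  opts: SweepOptions
): TenantReport[] {
  const byTenant: Record<string, Directive[]> = {};
  directives.forEach((d) => {
    if (opts.tenant !== null && d.tenantId !== opts.tenant) return;
    (byTenant[d.tenantId] = byTenant[d.tenantId] || []).push(d);
  });

  return Object.keys(byTenant).map((tenantId) => {
    const rows = byTenant[tenantId];
    const stale = rows.filter((d) =>
      d.status !== "deprecated" &&
      !d.keptAfterRetirement &&
      d.sourceTemplateId !== null &&
      liveTemplateIds.indexOf(d.sourceTemplateId) === -1);

    // Fail closed: if more than capRatio of a tenant's directives look stale, the
    // likelier explanation is a broken catalog, so change nothing for that tenant.
    const capExceeded = stale.length > rows.length * opts.capRatio;
    const deprecated: string[] = [];
    if (!capExceeded && !opts.dryRun) {
      stale.forEach((d) => {
        d.status = "deprecated";
        d.autoDeprecated = true;
        // Keep the original template id in the reason for audit.
        d.deprecationReason = "Source catalog template " + d.sourceTemplateId +
          " was retired. Reactivate to keep, or leave deprecated to clean up.";
        deprecated.push(d.id);
      });
    }
    return {
      tenantId: tenantId,
      total: rows.length,
      stale: stale.map((d) => d.id),
      deprecated: deprecated,
      capExceeded: capExceeded,
    };
  });
}

// Reversal path: back to draft, content untouched, exempt from future sweeps.
function reactivate(d: Directive): boolean {
  if (d.status !== "deprecated" || !d.autoDeprecated) return false;
  d.status = "draft";
  d.autoDeprecated = false;
  d.deprecationReason = null;
  d.keptAfterRetirement = true;
  return true;
}

// Constructed sample: "acme" has 2 stale of 8 (at the cap), "globex" 3 of 4 (over it).
function constructedDirectives(): Directive[] {
  const mk = (id: string, tenantId: string, tpl: string | null): Directive => ({
    id: id, tenantId: tenantId, status: "active", sourceTemplateId: tpl,
    autoDeprecated: false, deprecationReason: null, keptAfterRetirement: false,
  });
  return [
    mk("a1", "acme", "tpl-old-1"), mk("a2", "acme", "tpl-old-2"),
    mk("a3", "acme", "tpl-live-1"), mk("a4", "acme", "tpl-live-1"),
    mk("a5", "acme", "tpl-live-1"), mk("a6", "acme", "tpl-live-2"),
    mk("a7", "acme", "tpl-live-2"), mk("a8", "acme", null),
    mk("g1", "globex", "tpl-old-1"), mk("g2", "globex", "tpl-old-1"),
    mk("g3", "globex", "tpl-old-1"), mk("g4", "globex", "tpl-live-2"),
  ];
}
const CONSTRUCTED_LIVE_TEMPLATES = ["tpl-live-1", "tpl-live-2"];
```

Without the exemption flag, a reactivated directive would still point at the deleted template and the next run would deprecate it again.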
May 19, 2026
Workspace Frameworks tab now shows the right "X of Y imported" count
- The Workspace Settings → Frameworks tab counted each tenant directive against a single "primary" framework (the one with the lowest sort_order it was mapped to in the catalog). When a directive served multiple frameworks (a shared crypto / IAM / observability directive mapped to both cajeX General Best Practices 2026 and ISO/IEC 27001, for example), it counted only toward ISO 27001 — so the GBP row showed "280 of 284 imported" even though all 284 were physically present in the workspace. Each framework row now counts every catalog directive present in the workspace regardless of what else it's mapped to. Shared directives count toward every framework they serve
May 19, 2026
Four new AI governance frameworks live — ISO 42001, NIST AI RMF, NIST GAI Profile, OECD AI Principles
- Four AI-governance frameworks are now available in every workspace, covering the certifiable management-system standard (ISO/IEC 42001:2023), the US risk-management baseline (NIST AI RMF 1.0), the Generative AI extension (NIST AI 600-1), and the global values-based principles (OECD AI Principles 2019/2024). Combined with the EU AI Act 2024 that was already live, cajeX now covers the four most-referenced AI compliance vocabularies in one workspace — pick whichever your customers, regulators, or board demand, and have your directives traced back through their clause to the originating principle
- **ISO/IEC 42001:2023** — first certifiable AI management system standard. 93 clauses across the §4–10 management-system structure (same as ISO 27001 / 9001) plus the AI-specific Annex A control set (10 control objectives, 38 controls). 195 directives at round-2 quality (named SKUs, quantitative bounds). Layered companion to ISO 27001 for organizations adding AI governance on top of their existing ISMS
- **NIST AI Risk Management Framework 1.0** — voluntary US risk framework organized around 4 functions (GOVERN, MAP, MEASURE, MANAGE) and 72 subcategories. 214 directives. Foundation for most US enterprise AI programs
- **NIST AI 600-1 — Generative AI Profile** — companion to AI RMF specifically for generative and dual-use foundation models. 212 actions organized around 12 GAI-specific risk categories (CBRN information, confabulation, data privacy, environmental impacts, harmful bias, human-AI configuration, information integrity, information security, intellectual property, value chain integration, and others). 633 directives. Cross-walks back to its parent AI RMF subcategories — when you select both, the GAI actions surface alongside the AI RMF baseline they refine
- **OECD AI Principles (2019, updated 2024)** — the global intergovernmental baseline adopted by 46 countries. Five values-based principles (inclusive growth + well-being; human rights and democratic values; transparency and explainability; robustness, security and safety; accountability). 15 directives. Crosswalks to ISO 42001 and NIST AI RMF — typically layered with one or both rather than standalone
- All four frameworks ship at the same round-2 quality bar as ISO 27001, PCI DSS, and the rest of the catalog (1,057 directives total across the four, body average 973 chars per directive). ISO 42001 + NIST AI RMF are declared as mutual crosswalk companions — picking one surfaces the other as a complementary option in the workspace framework picker. NIST GAI Profile is declared as a crosswalk on top of NIST AI RMF so the two pair naturally for organizations doing generative-AI risk work
May 18, 2026
Findings now show their framework → clause → directive trail everywhere
- Every finding on the Findings page (and inside the finding detail panel) now shows the same framework → clause → directive trail that AI Review results already displayed — so you can tell at a glance which framework clause a finding traces back to without having to re-open the originating review run. Previously the trail only rendered inside an AI Review's results view; on the standalone Findings page the only context you had on a finding was the directive ID it was filed against
- The Framework dropdown in the AI Architecture Review modal no longer overflows the modal when long framework names are involved (for example "ISO/IEC 27017:2015 — Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services"). The dropdown now shows the short name ("ISO/IEC 27017:2015") with the full name on hover, and stops appending the version when it's already part of the name
May 18, 2026
Expand all in the Frameworks browser no longer dumps every parent's directives
- Clicking Expand all in the framework clause browser now opens the children tree under each category, but stops short of auto-rendering the directives mapped directly to top-level clauses. Previously, on frameworks where parent clauses themselves carry directives (ISO/IEC 27001 §4 "Context of the organization" maps three; same for §5, §6, etc.), Expand all unfolded the entire directive list for every fat parent in one go — a wall of content. Clicking an individual parent row in the tree still surfaces both its own directives and its children in one click; only the bulk Expand all action is now the lighter, structure-only view
May 18, 2026
Expand all / Collapse all in the Frameworks browser now works on every click
- In the framework clause browser (the side panel that opens when you click a framework card on the Frameworks page), the Expand all and Collapse all buttons now reliably fire every time you click them. Previously a click was a no-op if the panel was already in that state — for example, after Expand all had already opened everything, manually closing a category and clicking Expand all again silently did nothing. Both buttons now act as commands rather than a toggled state, so they always re-apply across whatever individual categories you've opened or closed in between
May 18, 2026
Frameworks tab no longer disappears after switching workspaces
- If you switched from a workspace with no selected frameworks to one with frameworks enabled (e.g. moving between a personal sandbox and your main workspace), the Frameworks tab in the Library section could stay hidden for up to two minutes even though the new workspace had frameworks. Cause: the cache that the sidebar uses to decide whether to show the tab was shared across all workspaces, so the empty result from the previous workspace silently carried over. Every workspace-scoped cache (frameworks, projects, findings, sessions, KB entries, directives, documents, dashboard metrics, calendar) is now isolated per workspace, so the sidebar — and every other view that reads them — reflects the active workspace immediately on switch
May 18, 2026
Press Esc or click outside to close any dialog — consistent across the platform
- Every modal and confirmation dialog in cajeX (Upload Document, Invite Member, AI Review, generate wizards, finding/session/project detail views, plan-change, billing, settings — the lot) now behaves the same way when you want to dismiss it. Esc closes, clicking on the dimmed area outside the panel closes, and the close button still works. Previously a handful of dialogs — including the Upload Document modal — only responded to the X button, so once you'd opened them you had no way out except finding the corner button. Long-running operations like saving, generating, or charging Stripe still block Esc/outside-click so you can't accidentally abandon them mid-flight
May 14, 2026
New framework — General Best Practices 2026 (cross-industry engineering baseline)
- A new directive framework called General Best Practices 2026 is now available in every workspace. 19 clauses spanning the modern software-delivery lifecycle — code quality, architecture, APIs, test strategy, build & CI/CD, deployment, reliability + error budgets, performance & capacity, observability, incident response, security, IAM, data governance, vendor & supply-chain risk, FinOps, developer experience, documentation, sustainability, and compliance operations. 91 directives total, each at the same depth as the ISO 27001 / EU AI Act content — named technologies (OpenTelemetry, Sigstore, OpenSLO, Sloth, Backstage, FIDO2, SCIM, SLSA, Vault, OneTrust, etc.), quantitative bounds (SLO burn-rate windows, retention SLAs, cost-attribution cadences), and vendor-neutral framing. Designed as a daily engineering reference that complements certification-driven frameworks (ISO 27001, SOC 2, EU AI Act, PCI DSS, HIPAA) — pick it up alongside whichever regulated framework your industry requires, or as the standalone baseline before you adopt one. The legacy General Best Practices framework remains enabled for now; both coexist while workspaces transition
May 13, 2026
New dedicated pages for AI Co-Worker, Team Workspaces, and Integrations
- The Product page used to fold AI, Workspaces, and Integrations into hash-based tabs that all shared a single URL. Each is now a standalone page — /features/ai-co-worker, /features/team-workspaces, and /features/integrations — with deeper content, example findings, FAQ sections, and full SEO metadata. The Product page itself becomes an overview with teaser cards linking to each. Anyone still on the old /product#ai, /product#tenancy, or /product#integrations URLs is automatically forwarded to the new feature page
May 12, 2026
Stuck AI document extractions auto-recover instead of spinning forever
- If a document extraction job ever gets stuck in "pending" (rare, but possible when the Worker DO is evicted mid-dispatch under heavy load), a new background sweeper now marks it as failed after 15 minutes so the AI Usage view doesn't show a perpetual "Running" row. The matching sweeper for the AI Usage placeholder row was already in place (30-minute timeout); this closes the gap on the extraction-row side. The DO's own 10-minute watchdog still runs first under normal conditions
May 12, 2026
Parallel PDF extraction is now actually parallel — and the batch progress is visible
- AI document extraction's parallel fan-out no longer does the work twice. The 5 page-range batches are now dispatched sequentially (each POST returns its 202 in under a second) instead of as a single connect-burst that the Cloudflare tunnel layer would occasionally treat as a flap and silently retry. On the previous parallel-burst code path a single retry doubled the proxy load — extracting a long PDF on the sandbox proxy ran 10 concurrent Claude vision jobs instead of 5, took ~10 min instead of ~4 min, and burned twice the Anthropic quota. The same wall-clock improvement applies in production
- The "Extracting attachments" status panel now shows the "batch X / N" sub-progress as soon as fan-out starts, rather than only after every batch has been successfully dispatched. Previously the row only got its `batches_total` count after all 5 dispatches landed; on a slow proxy this delay was long enough that users saw a frozen "Extracting attachments (0/1)…" without any per-batch visibility
May 12, 2026
AI KB Generation also benefits from parallel extraction
- AI Knowledge Base Generation now reuses the same upload-time document extraction that AI Project Generation already uses, so a large PDF only gets extracted once even when you re-trigger generation. Previously KB Generation re-ran extraction from scratch every time, which on a long book-length PDF would add another ~1.5 minutes per attempt. The KB Generation progress panel now also shows the "batch X/N" per-attachment substage while parallel extraction is running
May 12, 2026
AI document extraction now runs in parallel — long PDFs finish in roughly a minute
- Document extraction for AI features (AI Project Generation, AI Review attachments, KB attachments) now fans out large PDFs into 5 parallel sub-jobs and merges the results in page order. End-to-end extraction wall-clock on a 50-page document drops from ~6 minutes to ~1.5 minutes because the bottleneck — Claude vision OCR of the rendered pages — runs concurrently across the slices instead of sequentially in one call. Smaller files (under 1 MB) are unchanged; they were already fast
- AI Project Generation's status panel now shows live per-batch progress — "Bible.pdf: batch 3/5" — while a fanned-out PDF is extracting, so the wait no longer looks like a frozen spinner
May 12, 2026
AI generation no longer times out on very long PDFs
- AI Project Generation and AI KB Generation no longer fail with a "Document extraction failed — please retry" error when the uploaded PDF is hundreds of pages long. Internally the document-to-image step was rendering every page of the input before applying a 50-page cap, so a long book-length PDF would blow past the 60-second render budget and return nothing. The cap is now applied during rendering so wall-clock time is bounded by the cap (≈15s) regardless of document length, and the first 50 pages — typically the executive summary, scope, and overview — make it through to the AI
May 12, 2026
Admin Overview and project limits now match your actual plan
- The Admin Overview "Workspace Usage" badge and the project / directive / member quota gates now read your plan from the same source as the Billing tab, so they can no longer disagree. Previously a subscribed workspace could see Billing show "Current Plan: Basic (Active)" while Admin Overview still rendered a "FREE" badge and the Create Project button rejected at the 1-project free limit. The discrepancy happened when the Stripe webhook that mirrors your plan onto the platform record didn't deliver (rare in production, easy in sandbox), and previously needed a manual "Refresh from Stripe" click to clear
May 12, 2026
Modals and confirmation dialogs now float correctly over the page
- Uploading attachments directly to a Knowledge Base entry's detail view now succeeds. The form was sending a stale value for the upload target ("knowledge_base" instead of "kb") so the backend rejected every file with a generic validation error. Uploads from the KB entry form, projects, and the Documents view were unaffected
- The Upload Documents modal now floats correctly centered over the page regardless of which view opened it. Previously, when opened from the KB entry slide-over or any other slide-over panel, the modal rendered offscreen at the top and you had to scroll inside the panel to find it
- Every other confirmation dialog, edit-acknowledgement modal, and "mark as reviewed" / regeneration modal also now appears centered over the page when opened from inside a detail panel (Knowledge Base entries, Directives, Projects, Sessions) — same root cause as the file-upload fix above, swept across the codebase
- State-transition comment boxes (e.g. archive a Knowledge Base entry, deprecate a Directive, change a Finding's state) now correctly say "Add a comment (required)…" instead of "(optional)…". The Confirm button has always required a non-empty comment on these flows; the placeholder used to claim optional, so users typed nothing and wondered why Confirm stayed grey
May 11, 2026
Admin Organisations — new orgs now keep the values you entered
- Creating an Organisation now correctly persists the Abbreviation, Display Order, and Active state from the form. Previously the create endpoint silently dropped those three fields, so every new Organisation came back with no abbreviation, display order zero, and an Inactive badge — even though the form had captured the values you typed. Existing Organisations are unaffected; only new creates were broken
May 11, 2026
Small bug fixes — KB, Reports, Projects, Admin Organisations
- Archiving or restoring a Knowledge Base entry now updates the overview filters and entry list immediately. Previously the status change went through on the detail page but the overview cached its previous status until you hard-refreshed the browser
- Reports → Report Card → back button now reads "Back to Reports" instead of "Back to Projects" (the destination was always Reports; only the label was wrong)
- Create Project form in Safari no longer pops the iOS / macOS Contacts picker on the Project Name field — Safari's autofill heuristic was matching the substring "name" and offering to fill the field with people from your address book
- Admin → Organisations → Add Organisation modal now exposes the Active checkbox at creation, matching Expert Roles and Categories. Defaults to checked, so the create flow is one click for the common case
May 11, 2026
AI Directive Generation progress UI now matches the KB Generation flow
- Step 2 (generating directives) and Step 3 (analyzing relationships) of the AI Directive Generation modal now use the same stage-row layout as KB Generation — a checked-or-spinning row per stage with clear running/done/pending labels — instead of an outsized top spinner with redundant stage text underneath
- The analyzing step now shows both stages explicitly ("Scoring against existing directives" and "Classifying with AI (N/M)") so it's obvious which phase you're in and how far along the per-draft classification has progressed
- Both steps now show a consistent dismiss hint making it clear generation continues in the background if you close the window
- Closing the modal during relationship analysis no longer prompts you to discard your unsaved drafts — analysis continues in the background, and a new "AI directive analysis in progress" banner lets you re-open the modal and resume exactly where you left off. Previously the close button asked whether to discard, and accepting silently dropped the in-flight work
- Version History on the directive detail page now reflects the correct "Viewing" version after navigating between siblings (e.g. clicking v2 from the v1 page). Previously the "Viewing" tag stayed on the version you opened from, because the timeline data was cached on the original directive and never re-fetched for the new one
May 11, 2026
Free signup now reliably seeds your new workspace
- Free-plan workspaces created via magic-link signup now reliably receive their starter directives and sample project — previously the workspace could ship empty whenever the underlying shard fleet wasn't perfectly balanced, because the routing record and the foreign-key anchor for the new workspace's data landed on different shards and every seed insert was rejected silently
May 11, 2026
Admin Overview directive count + onboarding picker polish
- Admin → Overview's "Directive Health" tiles now show the true counts for every status (Approved, Draft, In Review, Deprecated) regardless of library size. Previously the panel fetched a paginated directive list and capped at the first 100, so any workspace with more than 100 directives quietly undercounted
- Workspace Usage panel now has a small note clarifying that sample data and framework-seeded content are read-only and excluded from these quotas — so seeing "Directives 0 / 1,000" right next to a full library of seeded directives no longer reads as a bug
- Onboarding wizard's framework picker gets a "Clear all" link next to the selection counter, so a user who has manually ticked several frameworks can deselect everything except General Best Practices (which stays locked) in one click
May 10, 2026
Workspace creation reliability + framework directives no longer count toward your plan quota
- cajeX-provided framework directives (anything you got from importing General Best Practices, ISO 27001, NIST, GDPR, etc.) no longer count toward your workspace's directive quota — only directives you author yourself do. Workspaces that imported large frameworks were showing thousands of directives against a 5-directive Free-plan cap; that's now corrected everywhere it appeared (Workspace Usage panel, Billing usage, plan-downgrade eligibility checks)
- New workspace onboarding no longer hangs on the Launch step when you select multiple frameworks. Directive seeding now writes in batches instead of one row at a time, so even a maximal-import workspace finishes well within the request window
- Framework recommendations on the Plan step are now industry-specific instead of cross-industry by default. Picking your industry pre-selects only frameworks explicitly tagged for that industry (plus General Best Practices); broad cross-industry frameworks like SOC 2, ISO 27001, and GDPR remain visible and one-click selectable but no longer auto-tick on every onboarding
- Frameworks you select during workspace onboarding now appear correctly in the Frameworks tab and the Directives page's framework filter. Previously the initial onboarding wizard seeded the directives but didn't record which frameworks were imported, so the picker only listed General Best Practices even when you'd added several others
- Sample workspace data shipped with new onboardings (the demo projects, sessions, findings, attachments, and pre-completed AI reviews) is now properly tagged as cajeX-provided. Two consequences: (1) sample data no longer counts against your plan's project, storage, or AI-review quotas — only your own work does — and (2) sample rows are read-only in the UI, so you can't accidentally edit or delete the demo content. New workspaces start with extra room to create your own work, and a small lock icon marks every sample item
May 10, 2026
AI Directive Generation — major upgrade to the relationship analysis step
- Two-axis decisions instead of a single conflated dropdown — Step 3 now lets you choose what happens to the proposed draft (create as standalone, create as a new version of an existing directive, or discard) and what happens to the impacted existing directive (no change, or deprecate) independently
- Approved directive content is never mutated in place. Every content change creates a new draft v2 row that links to v1, and v1 stays effective for AI Review until v2 is approved — at which point v1 auto-deprecates in the same request
- AI explanations are substantively richer: a 2–3 sentence "Why v{N}" rationale on every version recommendation, plus a "Show full AI analysis" disclosure that expands to a 4–6 sentence chain-of-thought walkthrough so you can verify the reasoning before approving
- When a new version materially changes the scope of an existing directive (e.g. AS/400-specific → all legacy modernization), the AI now suggests a fitting v2 title with a one-click "Use this title" apply button
- Comparisons between existing and new content are easier to read — the diff renders sentence-rewrites as block-level delete-then-insert pairs while keeping inline word-level marks for small edits, so heavy rewrites read as prose instead of token salad
- Saves through this flow write a comment to both the new and impacted directives, with the source KB entry referenced — visible in the Comments panel on each directive's detail page
- Smaller polish across the screen: dynamic v{N} labels (no more "v2" when the existing is already v3), confidence badges with explicit "Low/Medium/High confidence" labels and tooltips, internal token-overlap scores no longer leaked into user-facing prose, and a clear banner if AI semantic analysis is temporarily unavailable so deterministic match results are honestly labelled
- Relationship analysis cost now appears on the AI Usage page as its own row alongside Directive Gen and Doc Extract, so per-workspace AI spend is fully attributable
May 8, 2026
Framework picker upgrades on the Directives page and AI Review
- Directives page now has a strict, multi-select framework picker — pick "Custom" and/or one or more installed frameworks, and the list shows only directives from those buckets (no more silent mixing of custom directives into a framework view)
- AI Architecture Review now scopes one review to one framework: pick "Workspace custom directives" (the new default) or a specific framework, and the directive count, categories, and types update to match
- Both surfaces now agree on what "belongs to" a framework — fixing a bug where the Directives list and AI Review reported different directive counts for the same framework
May 8, 2026
Cleaner experience after scheduling a workspace deletion
- Deleting the workspace you were currently signed into no longer blocks you from listing or switching to your other workspaces
- Workspaces scheduled for deletion now show a clear "Scheduled for deletion" badge in the workspace switcher; clicking one opens its Danger Zone so you can cancel deletion in one click
- API error responses are no longer cached by the browser, so transient errors clear immediately on retry instead of sticking until you clear cookies
May 7, 2026
Framework Compliance view for AI Review results and findings
- AI Review results now group findings by compliance framework (ISO 27001, GDPR, etc.) with a toggle to switch back to the previous verdict-grouped layout
- Each finding in AI Review shows its full framework → clause → directive trail so you can see exactly which normative requirement it relates to
- Finding detail modal now shows the framework and clause context above the finding metadata
- New Framework Compliance Report option in Reports — select a framework and download a CSV covering clause-by-clause coverage, gaps, and finding detail
May 4, 2026
Workspace usage limits now match your plan
- Fixed the Workspace Usage panel showing the wrong storage cap on Pro, Team, and Enterprise plans — limits now match exactly what's listed on the pricing card
May 4, 2026
Free workspace inactivity flow
- Free workspaces now auto-restore on return — signing in cancels a pending archive instead of leaving the workspace blocked
- Added a second pre-archive email so every archive is preceded by two warnings, with at least 48 hours between the final notice and the archive itself
May 1, 2026
General Availability
- Knowledge Base for curating architecture standards, best practices, and reference materials
- AI-generated directives — principles, decisions, and guardrails extracted from your knowledge base
- Directive lifecycle with draft, review, approval, and deprecation stages
- Architecture Sessions with AI-powered review against approved directives
- Findings Management with severity levels, AI confidence scores, and a full remediation lifecycle
- Dashboard & Analytics with real-time KPIs across projects and findings
- Document Management with versioning, backed by Cloudflare R2
- Reports & Compliance with Markdown and PDF exports
- Multi-tenant workspaces with strict data isolation and per-workspace branding
- Role-based access control and SSO-ready identity management