What's new

May 9, 2026

Enforces conflict checks on claim_coverage_request (previously bypassable). Adds a master ai_features_enabled kill-switch across all /api/ai/* routes. Service worker now blocks caching of authenticated pages and guards notification-click to same-origin URLs only; deploy-hash cache busting replaces the manual version-string bump. Adds messages.sender_id index and a max_offered_rate_cents cap. GitHub CI workflow added (required status check, branch protection enforced). Closed 11 deferred UI stress findings: 3 modal Esc handlers, 5 dark-mode component fixes, global :focus-visible rule, time grid responsive fix, sidebar auto-close on route change. GitHub repo moved to CoverageCobraAZ org. Migrations 064, 065, 067 applied to staging and production. Migration 066 (SMS trigger CRON_SECRET via custom GUC) remains deferred pending Supabase Vault availability.

Closes 8 of 9 findings from the 2026-05-09 security sweep: admin payout compare-and-swap, credentials bucket server-side constraints, two RLS policy gaps (migration 065), SMS fanout migrated to CRON_SECRET, subscription double-billing guard, Sentry beforeSend log noise removed, JSON-LD escape helper applied to public attorney and court pages. Sentry is now verified working in production for both captureMessage and unhandled-throw paths. Migration 066 (SMS DB trigger migrated to CRON_SECRET via custom GUC) is deferred — Supabase hosted blocks ALTER DATABASE for custom GUC parameters; revisit with Supabase Vault post-launch.

May 8, 2026

Closes the Critical / High findings from the 2026-05-08 launch-readiness audit: tightened email + SMS send routes against phishing abuse, moved the service-role key out of the database, added Stripe idempotency keys to checkout/Connect/subscription flows, capped firm bulk-import row counts, MIME-validated audio uploads to AI transcribe, added audit-log entries on admin credential views, locked down the avatars storage bucket, and patched the high-severity axios CVE.

May 4, 2026

Inquiry threads now refresh in real time as messages come in — no more page reloads. The requester is notified when an attorney inquires, and the inquirer is notified when the requester replies.

May 3, 2026

Dashboard stats and onboarding checks now use Postgres estimated counts instead of full COUNT(*) scans, eliminating the 503s some users hit on first page load.

May 2, 2026

A regression caused the coverage browse page to fire 100+ Supabase queries per page load. Fixed the dependency stability bug in useCoverageRequests so the page now does exactly one fetch per filter change.

May 1, 2026

Some attorneys were being unexpectedly signed out when navigating between pages. The middleware now preserves Supabase session cookies on redirect responses, and AuthContext + the in-app links no longer force full reloads that re-armed the auto-signout flag.

April 30, 2026

Closed the Critical and High issues found during the first internal tester walkthrough — including hardened cookie handling, fixed signup edge cases, and addressed several null-safety crashes on coverage detail pages.

April 17, 2026

Subscribe from Settings → Notifications or the in-app prompt. Get instant alerts for new coverage requests, claims, and messages — even when CoverageCobra is closed. Works on Chrome, Edge, Firefox, and iOS 16.4+ Safari.

New /forgot-password and /reset-password pages so users can recover their accounts. New users are walked through a 3-step profile wizard (basic info → practice areas → rate & bio) the first time they sign in.

April 16, 2026

New Settings tab in /admin lets admins tune platform fee, auto-match radius, min hourly rate, referral credit, and toggle welcome drips, SMS, AI features, signups, and maintenance mode — all without a redeploy. A site-wide amber banner appears when maintenance mode is on.

Four new admin capabilities: SMS template preview + send-test (Twilio), manual Stripe payout button for stuck transfers, a rich per-user detail page at /admin/users/[id], and a reports moderation queue for users flagging each other.

Any attorney profile now has a "Report" button. File a report with a category (spam, harassment, fraud, no-show, etc.) — admins see it in their moderation queue and can resolve or dismiss with notes.

Admins can now preview every notification email template (welcome drips, request updates, payments, firm invitations) with a live iframe preview and send a test to their own inbox before anything goes to real users.

Once an admin verifies your bar number, malpractice insurance, or background check, a green "Verified" badge shows on your public profile, internal profile page, and search results. Expired credentials show an amber warning so you know to re-upload.

Admins can now review uploaded bar cards, insurance certificates, and background checks with one-click verify or remove. Verified insurance + background-check uploads automatically flip the attorney’s trust flags.

Admins can now verify all integration env vars (Stripe, Resend, Twilio, Anthropic) at a glance, see a 30-day growth chart for signups / requests / completed / revenue, and promote/demote admins or suspend users inline.

If your request has been sitting without a claim, one click escalates it to urgent priority. Covering attorneys in your area get notified immediately.

Download a 19-column CSV of your year’s completed hearings from /hearings or the tax report — receipt URLs included. Ready for Excel, your CPA, or reimbursement workflows.

A new dashboard card surfaces up to 5 open urgent/high-priority requests that match your practice areas. Never miss an opportunity.

The notifications dropdown now has filter tabs — All / Unread / Messages / Requests / Payments — with per-tab counts. Triage faster.

Hit Cmd+K (or Ctrl+K on Windows) from any page to fuzzy-search across every section and quick action. Navigation at your fingertips.

A smart status pill in the top bar shows whether you are checked in, broadcasting availability, or offline — one click to toggle.

Shipped a full sitemap.xml + robots.txt so Google can now discover public attorney profiles, city landing pages, and the court directory.

For repeat cases, click "Duplicate Request" on any completed hearing. The form prefills everything except the date — just pick a new time and post.

Clicking "Use" on a case template now prefills the new coverage request form with your saved defaults. Previously a silent no-op.

Any hearings happening today surface at the top of the dashboard with a live countdown, directions to court, and one-click check-in.

New dashboard cards show your 12-month earnings trend and the five courts where you earn the most. Instant feedback on how the platform’s working for you.

Every completed coverage request now has a receipt at /receipts/[id] — logo, parties, hearing details, itemized charges, Stripe reference. Ctrl+P to save as PDF.

Generate an AI-written recap of your last 7 days — coverages completed, earnings, upcoming hearings, and one concrete next step.

Shipped the final shield logo across the app, refined the dark mode theme, and added a one-click toggle in the sidebar.

Sign up with a `?ref=` link and we now automatically credit the referrer when you complete your first hearing — plus a clear how-it-works panel on the referrals page.

Shipped 17 fixes: timing-safe auth comparisons, XSS-safe email templates, query hardening against RLS edge cases, and stuck-loading guards across ~15 data hooks.