A running timeline of what shipped.

When an automation run hit a temporary error from the model provider, the retry could loop back and try to restart a run that had already finished — leaving the run wedged and filling the logs with errors instead of just reporting the failure. A run that fails now stays failed cleanly, and the retry no longer trips over it

Each automation run mints its own short-lived credential for talking back to Workunit, and we record which credential a run used for the audit trail. That link was being saved incorrectly and silently dropped — it's now stored correctly so every run's activity is properly attributable

On a project's workunit list or cards view, filtering by a status like Draft and then switching browser tabs (or having a workunit change in real time) would replace your filtered view with every workunit, even though the Draft chip still looked selected. The list now stays scoped to the filter you picked when it refreshes

The list and cards views are now remembered in the URL, so reloading or deep-linking a filtered view (e.g. ?status=paused) restores that view instead of dropping you onto a half-empty kanban board filtered to one column

Switching between List and Cards now keeps your active status filter, and the filter shows up in the URL so you can bookmark or share it. Switching to the Board clears the filter — the board groups by status itself, so it always shows every column

The footer Blog link is now a real blog at /blog — ten articles spanning context engineering, AI agents, and problem-first walkthroughs of Cloud Execution, Automations, Multi-Org, and @-Mentions. Posts publish on a schedule: future-dated ones stay hidden from the index until their day, so a batch can drip out week by week on its own

There's an RSS feed at /blog/feed.xml (autodiscoverable from the page head) and a /sitemap.xml covering the marketing pages, every guide, and all published posts — so search engines and feed readers can find everything

Each article carries proper SEO metadata — canonical URLs, article OpenGraph tags, and JSON-LD — and ends with the same signup CTA and related-guide links as the feature guides. The Blog link now also appears under Company in the in-app studio menus

The public guide pages had 20 dead links across 11 guides for logged-out visitors — anything pointing into your workspace rendered as a broken /orgs//… URL and 404'd, because there's no active org before you sign in. Logged-in readers still get the real deep link; logged-out readers now get a sensible public target instead (a related guide, or /signup for account-gated actions)

Guides now show a signup call-to-action when you're logged out, and the four asset-type cards on the Managing Assets guide use the rounded marketing style instead of the old brutalist card, matching the rest of the guides

Visiting an unknown /guides/… or /blog/… URL now renders the real 404 page instead of taking the page worker down — the not-found path could previously crash the server

If you connect Workunit to Claude (or any MCP client), the save_context tool — the one agents use to record decisions and progress onto a workunit — had started failing with "organization_id is required" on every call. It now passes your organization through correctly, so agents can write to a workunit's context trail again

Connecting an MCP client to the wrong organization's URL now fails immediately with a clear "not eligible for this organization" message, instead of connecting fine and then having every single tool call fail later for no obvious reason

The New Task modal now has an Acceptance Criteria editor — define what "done" looks like while you're already typing the title and description, instead of creating the task and opening the editor as a second step. Add as many rows as you need (up to 50), reorder by removing-and-re-adding, and @-mention teammates inside a criterion to ping them on the task they're meant to verify

If you hit submit with no title, the modal re-renders inline with your already-typed criteria rows intact — the previous behavior would have wiped them

The inline chat widget on the project show page was rendering empty on every live refresh — the SSE-driven partial wasn't telling the server which organization it was scoped to, so the server refused the request. Messages now appear and stay in the widget the way they always have on the dedicated chat page

Background OAuth token cleanup used to crash and back off whenever it tried to delete a refresh-token rotation parent that still had a child token pointing at it. Rotation chains now sever cleanly on cleanup, so expired tokens actually get removed instead of accumulating

Calendar event detail pages now have a Discussion section — post a comment, edit your own, delete it. The post box sits below the thread with @-mention autocomplete and a 5,000-character limit, the same shape as task comments. Notifications fire the moment you @-mention a teammate and link straight back to the event

Cross-tab live updates: if a colleague posts a comment on the same event you're viewing, the discussion refreshes in place — no reload, no losing your unsaved draft. The reply box lives outside the SSE-refreshed container so anything you've started typing stays put

Posting a task comment used to leave the just-sent text sitting in the box, inviting an accidental double-post. The compose box now clears the moment the comment lands, on both task and calendar surfaces

Validation errors on calendar comments (empty body, over the 5,000-character limit) preserve what you typed so you can fix it — the previous behavior wiped your draft on the way to showing the error. Edit-comment validation likewise keeps your in-progress edit instead of silently reverting to whatever was previously in the database

Editing a signal used to 404, pinning/unpinning/publishing silently failed, and adding a comment showed up only after a refresh — the underlying gRPC calls were missing the active organization the server needs to scope the request. Every signal action now passes it correctly, so the edit form loads, pins toggle, comments appear immediately, and the console stops logging "organization_id is required"

Signal cards on the list page were fragmenting into half-rendered slivers whenever a body contained a heading, a horizontal rule, or an @-mention chip — the whole card was a single link, and the browser silently auto-closed it the moment it hit anything else clickable inside, scattering the avatar, title, and footer across separate stripes. Cards are now a regular container with the title as the link, so the layout stays intact no matter what's in the body

Card titles bumped up to a true heading size and the body preview gained more vertical room (~4 lines instead of 1), so you can actually read the first paragraph of a signal without clicking in. Headings, lists, and rules inside the preview now collapse to inline text so nothing in the body out-shouts the title

Type @ in any text surface — workunit descriptions, task descriptions and acceptance criteria, task comments, chat, signal bodies and comments, asset descriptions across all four types, knowledge content, context atoms, calendar events and comments. A picker pops up scoped to your active org, you arrow-key or click a row, and the canonical token gets inserted at the caret. Mention a teammate and they get an in-app notification, an email, and a push — each linking back to exactly where they were named

Four entity types: @user for people (blue chip, fires a notification), @project (purple), @workunit (emerald), and @task (amber). The last three are render-only — they make text scannable and navigable without pinging anyone. Workunit and task chips also show their parent inline ("#Apollo: Ship the rocket", "#Ship the rocket: Refactor cache layer") so a reference stays unambiguous when you skim a paragraph weeks later

Paste a workunit, task, project, or user URL into a mention-aware field and it auto-converts to a canonical mention chip — Basecamp/Notion-style. Copy a tab URL, paste, done. Cross-org URLs and unrelated links pass through as normal text. The browser's Ctrl-Z still undoes the conversion if you didn't mean it

Power-user prefix filter: typing @user:, @project:, @workunit:, or @task: before what you're searching scopes the picker to that one type. Useful when the bare @ list is too long because your org has lots of names with the same starting letter

Nine typed notification variants instead of one generic "mention" — workunit, task, task comment, chat message, signal, signal comment, asset, calendar event, and calendar event comment all get their own enum and tailored subject + body copy in the email. The bell dropdown and email subject now say exactly what kind of mention you got, not just "mentioned you"

Smart deduplication: if you edit a workunit description and someone's mention is already in there, they don't get re-pinged. If they already read the prior notification or it's been more than six hours, the next mention does fire — so a morning edit and an end-of-day edit both land in the inbox, but an edit-storm collapses to one ping. Self-mentions and out-of-org mentions drop silently

Archived workunits, completed tasks, deleted org members, and inactive projects still resolve in old chips — but render in a muted state so you can tell at a glance that the reference is stale. The link still works (so you can navigate to the archived view if you want); the visual just tells you not to expect a reply

New /guides/mentions page walks through everything above with live chip examples — the four types, the picker, the prefix filter, the URL paste, the notification rules, and the 16 surfaces where mentions work. Linked from the Collaboration guide's "Coordinate The Work" section

Eleven other guide pages (Quick Start, Core Concepts, Team Setup, Collaboration, Cloud Execution, and several others) used to crash with a 502 for signed-out visitors — they dereferenced your org id to build their "Next Steps" buttons and there was no org id to dereference. The buttons now degrade gracefully and the pages render for everyone

Clicking the new "Load N more" button at the bottom of a kanban column used to keep loading the same workunits over and over — every click sent the same offset to the server, so the column filled with duplicate cards and the remaining count never changed. The button now correctly advances its offset each time, so each click loads the next slice and the button disappears once a column is exhausted. Same fix for the task kanban on the workunit show page

On the project overview page, the small kanban widget shows the 5 most recent workunits per status. If you'd favorited a workunit older than those 5, it never appeared at all — the query took the top 5 by recency before the favorites-first sort ever ran, so an older favorite silently fell off the page. Favorited workunits now sort first within each column on every kanban (project overview widget, dedicated workunits page, even when you click "Load more"), so the things you've starred always rise to the top of their column regardless of when they were last updated

The kanban board on the workunits index used to paginate the full list before bucketing into columns, so page 1 might show 0 cards in Completed while page 2 had a dozen — the column header ("Completed: 12") and the visible cards never matched. The board now fetches 20 cards per status column independently, with a "Load N more" button at the bottom of any column that has more, so what you see in each column always reflects what's actually there

List and Cards views on the workunits index dropped the numbered pagination too. Initial load is 50 items; clicking "Load N more" appends 50 more without paging away. Less cognitive overhead, easier to scan, easier on real-time updates

Task kanban on the workunit show page got the same treatment — used to fetch up to 200 tasks every render, now loads 20 per column with per-column load-more. The column-header counts now come from the database (not from the visible slice), so the To Do count stays right even when only the first 20 are rendered

Real-time refreshes (when a teammate changes status in another tab) preserve your column expansion. If you've expanded Active to 60 and Completed to 40, an SSE refresh keeps both at 60 and 40 instead of collapsing back to 20

On a project page — the project overview, edit, settings, archive, or any of its tabs — the sidebar used to expand the project entry inline with quick links to Workunits, Chat, Calendar, Signals, and Cloud for that project. A couple of weeks ago, when project URLs moved under /orgs/<your-org>/projects/, the bit of code that figures out which project you're "inside" was still looking for paths that started with /projects/ — so it never matched, and the tools list silently disappeared. Nested pages (a specific workunit, a task) were unaffected and kept working throughout. The expanded tools list is now back on every project-level page, regardless of how deep the URL nests

Adding Workunit to your Android home screen via Chrome now picks up the actual app icon, name, and standalone display mode instead of treating it as a regular bookmark. The web manifest was being served as text/plain, which Chrome's PWA installer silently ignores — it now ships with the application/manifest+json Content-Type the spec requires. iOS Safari was unaffected and already worked

Every notification produced from a task — completion, assignment, dependency change, new comment — used to land you on a 404 when clicked. The URL the email, push, and dropdown carried was shaped like /orgs//projects/…/workunits/…/tasks/… — the org segment was empty because the six builders that stamped these links forgot the org UUID. Workunit-level notifications were unaffected and already worked. Now they all click through to the actual task

A guard inside CreateNotification rejects any future notification whose action URL contains /orgs// — so if a new notification emitter ever forgets the org segment, it fails loudly at the source instead of shipping silently to inboxes. Existing notifications already in your dropdown still carry the old broken URLs; they'll fade out of the list as new ones arrive

Hitting a 404 while signed in — a deleted workunit, a malformed task-notification URL, any stale link — used to occasionally destroy your session as a side effect of rendering the error page. You'd see the 404, hit refresh, and end up at /login. The render path no longer fans out to the ten-or-so best-effort gRPC calls that could trip a session-killing token refresh; you stay logged in, the error page loads, refresh just shows it again. Cost of the fix: the 404 page's sidebar shows empty groups instead of your favorite projects, which we'd rather have than the logout

Agents fetching a workunit through the get_workunits MCP tool now see the URLs of every file attached to it — screenshots, PDFs, anything you dropped on the workunit. Previously the response only carried metadata for linked assets (people, systems, products, knowledge); raw file uploads were invisible, so agents had no idea a screenshot existed unless you mentioned it out-of-band. They can now fetch attachments straight from the URLs in the response, no extra round-trip needed

Webhook automations now verify each vendor's native signature scheme — GitHub (X-Hub-Signature-256), Stripe (Stripe-Signature with timestamp anti-replay), Linear (Linear-Signature), Sentry (Sentry-Hook-Signature), and Shopify (X-Shopify-Hmac-Sha256). Point those vendors straight at your Workunit endpoint, no proxy and no payload reformatting required

Three new system recipes ride on the vendor schemes — "Stripe → workunit" turns subscription changes, failed payments, and disputes into triage workunits; "Shopify order → workunit" does the same for new orders; "Workunit → Workunit" lets one Workunit org call into another using the existing Workunit-native HMAC. The recipe library tab is where they live

Unsigned-with-IP-allowlist (signature scheme "none") is a supported option for senders that can't sign — the 43-character path token in the URL is the only auth, so treat that URL like a secret and lock the source IPs at your edge

Webhook URLs are now /hooks/<43-char-token> instead of /hooks/<endpoint-uuid>. The UUID is still the internal identifier — what changed is what's visible to the public internet. The token is regenerated whenever you create a new endpoint and is 256 bits of entropy

The New-automation form's signature-scheme picker auto-selects and locks based on the chosen recipe — pick "GitHub PR → review agent" and the scheme is GitHub, picked and disabled. The custom-signed-sender flow still lets you flip between Workunit-native HMAC and "none"

The reveal banner that appears once after creating a webhook automation now tailors its copy per scheme — for GitHub it tells you to paste Workunit's secret into GitHub's webhook settings; for Stripe/Linear/Sentry/Shopify it points you at the vendor dashboard to copy their secret back into Workunit. The signed-requests guide has a per-vendor card explaining the contract for each

Per-scheme signature headers (Stripe-Signature, X-Hub-Signature-256, Linear-Signature, Sentry-Hook-Signature, X-Shopify-Hmac-Sha256, X-WU-Signature) are now explicitly dropped from the persisted webhook-deliveries audit JSONB instead of being kept-by-coincidence. Verification still reads them; they just don't get stored long-term

On iPhone — especially when Workunit is installed as a PWA — the bottom of the sidebar used to sit underneath Safari's URL bar or the home-indicator strip, leaving the last few links hard or impossible to tap. The sidebar now resizes with the dynamic viewport and reserves space for the iOS safe area, so every entry stays reachable whether the URL bar is showing or hidden

Flipping any switch on /settings/notifications used to silently turn off the other two. Toggle one preference now updates only that preference and leaves the rest alone

The switch thumb in the studio toggle component now animates between left (off) and right (on) instead of staying stuck on one side — the dark track was the only signal you'd actually changed anything

We've taken the "Internal event" trigger off the New-automation form. It was listed as a third option alongside webhooks and schedules, but the runtime that would have actually fired them on a context atom being saved or a workunit closing was never wired up — automations created with that trigger silently never ran. Rather than leave a broken option sitting in the form, we've pulled it back until we have a clearer picture of what filtering and matching users actually want (per-project scope, status-transition predicates, content prefixes for chat triggers, …). Webhook + schedule still cover real workflows today, and the runtime substrate (NOTIFY triggers, the listener pipeline, the Fire path) stays in place so we can wire this back up cleanly once the design is informed by actual use cases instead of guesses

Two system recipes that only existed to demo internal events — "Decision atom watcher" and "Spec → scaffold session" — are removed. They were attractive on paper but couldn't fire under any code path that shipped

Automations is live. Trigger an AI workflow from an incoming webhook or a cron schedule — same recipe, same prompt, same tools, two different ways to fire it

Recipe library with built-in recipes — daily and weekly reporting digests, Linear → Workunit mirroring, GitHub PR review agents, Sentry triage, stale-workunit nudges, on-call summaries, and more. Each recipe owns its prompt template, its MCP tool allow-list, its execution tier, and an optional pinned model, so the prompt and the guardrails travel together

Bring-your-own recipes — write your own with the "New recipe" button on the recipe library tab. Schema-driven config form, prompt template with Go text/template syntax, per-recipe MCP tool picker, per-recipe model override. One recipe can back many automations

Two execution tiers per recipe. Lightweight is a one-shot LLM call with MCP tool access — fast and cheap, good for triage, classification, digests. Heavy boots a full Cloud Execution VM with opencode so the agent can run shell commands, read repos, and do multi-step work — same engine as your regular Cloud Executions, billed against the same quota

Inline webhook UX on every automation — copy the endpoint URL with one click, see exactly how to sign requests in curl/Node/Python/Go on the same page, fire a test request straight from the UI without leaving the tab, and rotate the signing secret with a confirmation step (the new secret is revealed once in-page, so you don't have to dig through email or settings)

HMAC-signed webhook ingestion in the Stripe model — every request carries an X-WU-Signature header you verify against a 32-byte secret, with timestamp anti-replay and per-delivery nonce dedup. 256 KB body cap, configurable per-automation rate limit, configurable JSONPath dedup so the same upstream event firing twice only runs your recipe once

Per-run detail page with a live xterm.js terminal — for heavy-tier runs you watch the agent work in real time, exactly like a manual Cloud Execution. For lightweight runs the same page renders the MCP tool-call transcript and the markdown response. Status flips, duration ticker, and cost stream live without refresh

Cost and token usage tracked per run and rolled up per automation — see at a glance which automation is the expensive one and which model it's burning tokens on

Webhook delivery payloads are stored in your org's cloud storage for 30 days so you can inspect what actually came in, replay a delivery, and debug recipes against real upstream data. Counted against your storage quota with a dedicated "Webhook deliveries" line in the org storage breakdown

Full Automations guide at /guides/automations — concepts, recipe authoring, the complete prompt-template context reference (with per-trigger payload shapes), HMAC signing examples in four languages, status codes, dedup and rate-limit semantics, model selection, and GDPR notes

Automations, recipes, runs, and webhook deliveries are all included in GDPR data exports — your full automation history travels with your account

Cloud Execution agents now have live access to your workunit through the same MCP tools your editor uses. They can read your tasks, success criteria, atoms, and assets on demand instead of guessing from a one-shot prompt — and crucially, they can write back

Agents now move tasks through todo → in_progress → done as they actually work them, so you can watch a Cloud Execution's progress on the tasks board instead of only seeing the final diff. When the run finishes, the task it touched is already updated

Cloud Executions can save context atoms as they go — decisions made, gotchas hit, approaches that didn't work. The next agent (or you) picks up a workunit and the trail-of-thought is already there, with proper supersedes-links when a previous note turned out wrong

When an agent discovers follow-up work the original launch didn't anticipate, it now creates new tasks directly on the workunit instead of burying them at the bottom of a diff summary. The new tasks show up immediately in your task board

Cloud Execution prompts are now much tighter — the agent fetches what it needs from your workunit rather than receiving a 50-task context dump up front. Easier to read in the live transcript, and the agent reasons about a smaller, fresher context

Interactive runs get the same write-back access. When you steer an agent mid-session — "actually, do X instead" — it can update task statuses, save the new direction as an atom, and create follow-ups, all without leaving the chat

Cloud executions now stream their full agent transcript into a real xterm.js terminal on the execution page. Every shell command the agent runs (read, grep, bash …) renders as a bold cyan ▸ line followed by its actual stdout, reasoning chunks dim out so you can tell internal monologue from the agent's reply, and the live cursor follows along as new tokens arrive

Interactive run mode — pick "Interactive" on the explore/implement launch form and the terminal pane gets a live chat input at the bottom. Type a message and hit Enter to steer the agent mid-run; type /exit to gracefully end the session. A pulsing cursor next to the input shows when the agent is busy thinking versus waiting for your next message

Log viewer toolbar: Auto-scroll checkbox pins your view to the tail and auto-disables the moment you scroll up to inspect older output, then re-enables when you scroll back to the bottom — IRC-style follow mode. Download log saves the full execution log as an NDJSON file with one click

Tail-first loading on long runs — open an execution that produced 50k lines and the viewer renders the last batch instantly, then backfills older lines on demand as you scroll up. Terminal scrollback now holds 100k lines (was 1k), enough for ~18 full explore runs on a mid-size repo

Per-execution storage footprint surfaced as a `logs · NN KB` chip on the execution show page and on every list view (workunit, project, and the org-wide /cloud feed), so you can see at a glance which runs are heavy

Execution logs now share the same storage quota as attachments, with a two-line breakdown (Attachments / Execution logs) under the storage bar in org settings and billing. New cloud runs are blocked with a clear upgrade prompt once you hit your quota; in-flight runs keep streaming so nothing gets killed mid-execution

Deleting a project or workunit now cleans up its execution log files in cloud storage instead of leaving them orphaned and quietly accruing storage cost

The progress strip and the log viewer now stay in sync — the BUSY/IDLE indicator next to the chat input flips alongside the live terminal output instead of lagging behind it

MCP clients that follow the OAuth discovery spec — Zed, MCP Inspector, the new Claude.ai MCP connector — can now connect to a per-org URL without you having to copy a token out of the browser. Paste the URL once, approve the OAuth prompt, done

If you were seeing "Auth discovery failed" or "Could not fetch Protected Resource Metadata" while adding Workunit to Zed or a similar tool, that's resolved. Remove and re-add the server using your per-org URL from workunit.app/mcp

One Workunit account, many organizations. You can now belong to as many orgs as you like — accepting an invite no longer forces you to create a separate account, and your existing projects, settings, and 2FA all stay in place when you join a new team

Studio sidebar gets an organization switcher pill under the brand. Click it to jump between every org you're a member of in one tap — the chevron drops down a list when you belong to more than one, and the footer has a "+ Create organization" entry

Self-service organization creation at /orgs/new. Spin up a new workspace for a side project or client engagement without making a duplicate account. New orgs start on Free; billing is per-org so each one has its own plan, members, and Stripe subscription

The active organization is now part of the URL (every page lives under /orgs/{org-id}/…). Open two browser tabs on two different orgs and they stay independent — no more session-wide "active org" flipping under you when you switch in another tab

Deep links to a specific org now work even when your session was last active in a different org — clicking an email link or shared URL into org B takes you straight there and updates your last-visited org cookie, instead of silently bouncing you to org A

Live cross-tab updates when your memberships change — if someone adds you to a new org, removes you, or changes your role, every open tab refreshes the sidebar switcher within a second without a manual reload

Notifications and the activity feed are now scoped to the organization you're currently viewing — switching orgs swaps both surfaces to that org's data, so cross-org noise doesn't leak between workspaces

Signup form is now email + password + terms only. The org-name field and the create-vs-join picker are gone — org setup happens after you've verified your email, so you can pick what you actually want to do once you're in

New /account/welcome interstitial appears after verification (or on first login if you have no organization yet). One click creates a personal organization named "Personal Organization" (rename it any time from settings); team-joiners just wait for the email invite and click through

Invitation acceptance now drops you straight onto your new org's home page with a "You joined {Org}!" confirmation banner, instead of bouncing you through the org admin surface. The invitation email also clarifies that accepting will add this org to your existing account if you already have one

Invitation acceptance page rebuilt on the rounded auth design to match login, signup, and verify-email

Org-create button on the welcome interstitial now shows a "Creating your workspace…" spinner and disables itself while submitting — the server work takes a few seconds and double-clicking previously created two orgs

Errors creating your first organization (duplicate name, network hiccup) now show an inline banner with a clear message instead of looking like the button did nothing

Each organization now has its own MCP endpoint at /mcp/orgs/{org-id}. If you're migrating an existing AI client, swap your old /mcp URL for the per-org one — you'll find it on the new MCP tab under Organization Settings or on the cross-org discovery page at /mcp

Cross-org discovery page at /mcp lists every org you belong to with its dedicated URL, server name, and copy-paste install commands for popular clients — handy if you want one AI client connected to several orgs at once

Copy-paste install commands now suggest a unique slugified name per org (e.g. workunit_acme_corp) so when you wire several orgs into the same AI client they show up under distinguishable names instead of all colliding as "workunit"

MCP tools no longer take an organization_id input argument — the URL pins the org, so a single AI client connected to /mcp/orgs/{A} can never accidentally write into org B even if asked

get_authenticated_user now returns the list of every organization the caller belongs to (id, name, role) so AI clients can discover which org URLs are available without leaving the conversation

MCP integration guide rewritten to cover the multi-org model — per-call org targeting, what happens when you accept or leave an org, and the three concrete cross-org error messages with explanations

Transfer organization ownership — a new password-protected picker in account settings lets the current owner promote a member to owner and step down in one atomic action. Required before you can delete an account that owns multi-member orgs, but available standalone any time you want to rebalance ownership

Account deletion is now multi-org aware. /settings shows one row per active org with a badge: "Will be deleted" (sole-member orgs cascade with you), "You will leave this org", or "Needs action" (you own a multi-member org — transfer ownership or delete the org first). The Delete my account button stays disabled until every blocked row is cleared

Deleting an organization no longer logs you out. You stay signed in and land on your next remaining org's home page (or the welcome interstitial if it was your last one). Other members of the deleted org are still signed out, as before

Removing a member from an org no longer signs them out of every other org they belong to — their session in unrelated workspaces continues uninterrupted, and only their access to the org they were removed from is cut

Deleting an org with multiple Stripe subscriptions (Pro + Storage add-on, multi-add-on orgs, etc.) now cancels every single one instead of just the primary plan. Restoring within the 30-day grace window also restores them all — no more surprise charges on add-ons that should have been canceled

The org-delete confirmation page now lists every chargeable subscription with its period-end date — including trialing subs and add-ons — so you can see exactly what will keep running through period end before you confirm

Organization-deletion emails (request confirmation, member notification, purge completion) now correctly say the membership in this org is ending, not that the whole Workunit account is being closed

Two-factor authentication now survives org membership changes. Your TOTP secret is encrypted per-user instead of per-org, so you can leave or be removed from any org — including the one you were in when you enabled 2FA — and your authenticator app keeps working without re-enrollment

Cross-organization access is now enforced at the database layer for every resource type (projects, workunits, tasks, assets, chat, signals, calendar, check-ins, attachments, directories). A multi-org user acting in org A can no longer read, edit, or delete a resource in org B even if they belong to both — every cross-org probe returns a clean "not found" with no existence leak

Read-only OAuth tokens are now rejected by every mutating MCP tool — a token meant for read access can't be used to create, update, or delete data even by accident

Hitting your plan's project cap on the inline onboarding form now redirects you to the pricing page with a clear upgrade prompt, instead of a generic server error

Toast notifications and "You joined X!" confirmations now actually render on Studio pages — they were silently swallowed before, so successful invitation acceptances looked like nothing happened

Several edge-case redirect loops fixed: clicking "Not now" on an invitation page while logged in but orgless used to ping-pong between / and the removed-from-org interstitial; brand-new verified users without an org no longer see broken /orgs// links in the navigation chrome

Multiple browser tabs open during an org membership change no longer log you out of all of them — token refreshes are now coalesced so one tab's refresh doesn't invalidate the others' sessions

Per-seat billing is now enforced end-to-end. Accepting an invitation or removing a member reconciles your Stripe seat count automatically: upgrades invoice immediately (prorated), downgrades take effect next cycle

Invite form on org settings now shows a live cost preview — discount-aware, so a 50% coupon shows the discounted price with the list price struck through, a 100% gift coupon shows "Your gift covers it, no charge", and orgs with unused seats see how many invites they can send before the bill grows

Pricing page now recognises active Pro subscribers — instead of bouncing you off a duplicate checkout, it shows a read-only "You're on Pro" card with your current seat count and a link to manage your subscription. Past-due subscribers see a dedicated "Payment failed" card with an "Update payment method" CTA

/billing no longer has a manual seat picker — seats are derived from membership now, so the page shows a read-only "Members on this subscription" card linking to org settings for actual member management

Users removed from their only organization can no longer silently re-login into an empty auto-created workspace — they're now parked on a clear interstitial explaining the situation until they sign out, and accepting a re-invitation correctly drops them back into the app instead of looping on the interstitial

"Scheduled to cancel" no longer sticks on /billing forever after a resubscribe — when Stripe clears the cancel timestamp, the UI clears it too

Studio sidebar now shows your active organization name under the wordmark instead of a hardcoded placeholder, and updates immediately when you rename the org

Studio sidebar and mobile topbar brand badges now render the W glyph that matches the favicon, instead of a bare colored block

Workunit got a brand-new in-app design. Every authenticated page now renders in the calmer Studio look: soft white surfaces, stone-tone palette, and a persistent sidebar + topbar shell so navigation, search, and notifications follow you everywhere

New left sidebar groups your tools into For you, Workspace, Library, Insights, and Personal. The active project expands inline with its own sub-list (Overview, Workunits, Chat, Calendar, Signals, Cloud) so you stay one click away from every part of it

Pinned projects rail in the sidebar — every page surfaces your most recently updated projects so you can switch between them in one click without going back to the projects list

Topbar gains a real search input, a notifications bell with the 5 most recent items in a dropdown, and Help / More menus that put support, guides, changelog, pricing, and legal pages one click away from inside the app

Transactional emails (welcome, verification, password reset, 2FA codes, invitations, notifications, check-in nudges, data export ready, deletion confirmations) restyled to match the new in-app aesthetic so the inbox matches what you land on after clicking through

Mobile responsiveness across every page — the sidebar collapses behind a hamburger that slides in a full-viewport menu, dense headers wrap their actions below titles, and multi-column layouts stack vertically on narrow viewports

AI Digest on every workunit show page — a three-section summary (State / Recent decisions / Open questions) generated from your atoms, tasks, comments, and linked assets. Regenerate on demand; no auto-refresh, so you control when OpenRouter is called

Writer model — a third org-level default for one-shot content tasks like digests, alongside the existing exploration and implementation models. Usage is tracked separately so the homepage model-mix widget can show how your tokens split across the three roles

Project-level model overrides — each project can override the org default for exploration, implementation, and writer models, with a searchable picker that filters as you type

If a model you previously selected gets removed from OpenRouter, a banner now flags it so you can pick a replacement before your next run

Personal favorites — star projects and workunits to surface them in your sidebar and at the top of list and kanban views. Favorites are personal: only you see what you've starred

Favorites sync across tabs in real time — toggling a star in one tab updates the button and reorders the sidebar in every other open tab

Assigned page lists every open task across the org assigned to you, grouped by Project › Workunit, paginated 50 per page

Homepage "My workunits" card now has three real tabs — Assigned, Subscribed, and Recently done. Subscribed excludes implicit subscriptions and your own workunits; Recently done shows the last 14 days

Homepage right rail surfaces live signals — atoms this week, closed tasks this week, pending check-ins, coming-up calendar and due dates, and per-model token mix

Daily check-in button in the homepage header now shows your pending count and links straight to /checkins

Acceptance criteria checklist on every task — define "what does done look like" as a list of checkbox rows, with a live done/total count in the header. Each row toggles independently and persists across sessions

AI agents can read and write task acceptance criteria via the update_task MCP tool — full-array replacement semantics matching tags and depends_on, so agents echo the whole array when toggling one row

Acceptance criteria included in GDPR data exports

Claim a task in one click (self-assign) or use the searchable assignee picker — filter by display name, ↑/↓ to navigate, Enter to assign, Escape to close. Unassign lives inside the picker for already-assigned tasks

+ Link button on the Dependencies card opens a searchable modal of other tasks in the workunit, with already-blocking and already-dependent tasks filtered out and the same keyboard navigation

Per-task Activity feed — direct events plus comment activity, with a View all link to a paginated activity page for the task

Hand to agent dropdown on task and workunit pages — copies a tailored prompt for an AI agent (Explore / Implement / Explain on tasks, plus Implement next task on workunits) with the absolute URL embedded so the agent can ground itself via the workunit MCP server

Share / Copy link buttons on project, workunit, and task pages now actually copy the URL to your clipboard with a "Copied!" confirmation

Edit due dates on workunits — create and edit forms gain a date input, with empty input clearing the date

File attachments now render inline below the description on task and workunit pages, with live updates — uploads and deletions in other tabs appear without a refresh

Velocity card on the project page — atoms-per-day and workunits-closed-per-week averages over a 30-day window, with a sparkline of daily atom activity and a delta vs the prior half-window so the numbers read as trending up or down

Project-wide executions feed lists every cloud run across the project's workunits in one place, with parent workunit names inline

Org-wide Cloud feed lists every execution in your organization across all projects and workunits, with Project · Workunit context inline on each row

Workunits page now defaults to Kanban view with a Cards / List / Kanban switcher. Kanban shows every status column populated by default so cards moved between statuses always reappear

Real chip editor for tag fields across workunits, tasks, projects, and assets — Enter, comma, space, or Tab commits a chip; paste comma- or space-separated lists to bulk-add; Backspace removes the last chip; arrow keys navigate between chips

Analytics page Last 7/30/90 days tabs now actually filter the data — daily completions, day-of-week patterns, and completion-time buckets recompute against the active range

Disabling 2FA now requires your password AND a TOTP code or recovery code — matching GitHub, Google, and AWS. An attacker who only has your password (or one-time access to a logged-in browser) can no longer disable your second factor and take over the account

Read-only OAuth tokens can no longer trigger mutations — every mutating endpoint now enforces write scope, so a token meant for read access can't be used to create, edit, or delete data

Assigning a task to a user from another organization is now blocked — the foreign-key check previously allowed it and would silently create an implicit subscription and notification for the other-tenant user

Invitees with "+" aliases in their email (e.g. [email protected]) can now sign up — the redirect previously dropped the "+" as a space and failed the email format check

Users who signed up via an organization invitation can now enable 2FA in the same browser session — a UUID format mismatch was silently rejecting the request

Knowledge asset markdown now renders tables and is sanitized against XSS, matching every other markdown surface in the app

Chat Reply buttons now work on both the dedicated chat page and the project chat widget, with reply preview bars and quoted-message rendering

Form validation errors now render inline next to the offending field, instead of redirecting away or dropping a blank page on empty submit

Marking all notifications as read now actually clears the badge in real time across every open tab

Cloud session launch form no longer wipes your repo URL, model, and timeout input when the workunit page refreshes from another tab

Start explore / Start implement buttons now correctly enable once you've filled both the repo URL and picked a model

Context atoms no longer carry a related_task_ids field — atoms are already scoped to a workunit, which already exposes its task list, so an extra hard link inside that scope was redundant. Production data showed only 8% of atoms used it and 0% of human-authored ones did

save_context MCP tool drops the related_task_ids parameter, removing one more knob from the prompt surface AI agents see when capturing decisions, attempts, and progress

New list_assets MCP tool — filter your asset library by type, status, tags, project, or directory in a single call. Use project_filter="none" to find assets that aren't linked to any project, the answer to a long-standing "how do I see my unlinked assets?" question

Batch fetches across the board — get_assets, get_workunits, get_projects, and get_tasks now each accept up to 100 IDs in one call. AI clients can pull a whole working set in a single round-trip instead of one-at-a-time

Faster get_assets responses — the four type-specific enrichment fetches (product/system/people/knowledge) now run in parallel, halving p95 on mixed-type batches

Stricter cross-organization isolation on the asset list and search APIs — direct gRPC callers can no longer enumerate assets in organizations they don't belong to

Asset sorting gained NAME_DESC, UPDATED_AT_ASC, and CREATED_AT_ASC options, with stable pagination when sort keys collide

Listing assets with an explicit empty tag filter ([]) used to silently return zero results — empty filter slices are now correctly treated as "no filter"

Type-specific asset responses now include the directory the asset belongs to (previously returned as null even for assets in a directory)

Batch responses now report which IDs were not found or weren't accessible, alongside totals — callers can tell exactly what came back instead of guessing from a shorter list

Delete tasks directly from the task page — a Danger Zone with a confirmation dialog removes a task, its attachments, and its comments in one go

AI agents can delete tasks through the unified MCP delete tool — pass a task ID to delete and the tool detects the entity type, no separate delete_task tool needed

Deleting a task automatically detaches it from any other tasks that depended on it, so dependent tasks don't carry dangling references

If you're viewing a task when it gets deleted in another tab, your view auto-redirects to the parent workunit instead of showing a 404

Removed the unused force_delete flag from the task delete API — the dependency-cleanup behaviour it was meant to gate is now the unconditional default

Every MCP tool with a constrained-value field (priority, status, asset_type, action, atom_type, importance, …) now declares allowed values via JSON Schema enums — passing an out-of-range value like priority='urgent' to create_task is rejected with a validation error instead of silently being coerced to 'normal'

Tightened 12 tools across tasks, workunits, projects, assets, asset_link, directory, delete, search, and save_context — covers status, priority, action, entity_type, asset_type, asset_subtype, availability_status, criticality, lifecycle_stage, relationship_type, atom_type, importance, strength, confidence, and search result_types

Typing a task comment, time log, or signal comment and switching tabs no longer wipes your draft when you come back — forms now sit outside the live-update area so real-time refreshes leave your unsaved text alone

TOTP-based Two-Factor Authentication — enable 2FA from Settings using any authenticator app (Google Authenticator, Authy, 1Password)

Recovery codes generated at setup — 10 single-use backup codes in case you lose access to your authenticator

Seamless login flow — after password verification, enter your 6-digit code to complete sign-in

Organization-enforced 2FA — owners and admins can require all members to enable two-factor authentication, with a compliance dashboard

Security notifications — email alerts when 2FA is enabled or disabled on your account

Rate-limited verification attempts protect against brute force attacks

Project Calendar — create events, meetings, and milestones tied to any project with a month grid view and day detail pages

Recurring events with daily, weekly, biweekly, monthly, and custom frequencies — series-level editing keeps things simple

Attendees and RSVP — invite team members to events with pending, accepted, declined, and tentative statuses

8-color preset palette for visual grouping — blue, red, green, yellow, purple, pink, orange, teal

Aggregated calendar view — workunit and task due dates appear alongside standalone events on the same timeline

Personal calendar at /calendar aggregates your events across all projects in one view

Calendar widget on project dashboard now shows live event count with direct link to the full calendar

Real-time updates via SSE — new events, edits, and RSVP changes appear instantly across all open tabs

Project Chat — a persistent chat room for every project. Quick questions, status updates, and casual coordination without leaving your workspace

Quote-reply lets you reference a specific message in your response, keeping context in flat conversations

Markdown support in chat messages — use formatting, code blocks, and links for clear communication

Edit and delete your own messages — edited messages show an (edited) indicator

Real-time updates via SSE — new messages, edits, and deletions appear instantly across all open tabs

Signals — a new way to communicate within projects. Post announcements, ask questions, share ideas, or give updates without switching to a separate chat tool

Rich markdown support in signal bodies and comments — use headings, lists, code blocks, and links to write clear, structured posts

Four signal categories — Announcement, Question, Idea, and Update — so your team can filter and find what matters

Draft mode lets you write and refine a signal before publishing it to the team

Pin up to 3 important signals per project so they stay at the top of the list

Threaded comment discussions on every signal — reply, edit, or delete your comments

Signal edits, new comments, and deletions appear instantly across all open tabs — no refresh needed

Deleting a signal from the show page redirects all other tabs viewing that signal back to the signal list

Activity feed on every project dashboard — see who created workunits, completed tasks, added assets, and more, all in one timeline

Full activity page with pagination so you can scroll back through the complete history of a project

Activity count in the project stats strip showing how much has happened across the project lifetime

Activity updates arrive in real time — new events appear instantly in both the widget and the stats count without refreshing

Every page now updates in real time — when a teammate changes a task status, adds a comment, or completes a workunit, you see it instantly without refreshing

Live notification badge — new notifications appear in the nav bar the moment they're sent, no more stale counts

Execution progress streams live — watch AI agents work step-by-step as they explore your codebase or implement tasks

Task boards, workunit lists, project pages, and timelines all refresh automatically when anything changes

No more HTMX polling — replaced with efficient server-sent events that use less bandwidth and update faster

Multi-tab friendly — open the same project in multiple tabs and all stay in sync

Explicit consent checkbox at signup with age verification — clear record of what you agreed to and when

Re-consent flow when our privacy policy changes — a non-blocking banner lets you review and accept updated terms at your own pace

Sub-processor list page showing every third-party service that handles your data, with purpose and legal basis

Consent records included in GDPR data exports — your full consent history is part of your downloadable data archive

Privacy policy updated with Cloudflare Web Analytics disclosure

Pricing switched from USD to EUR — European-made product, European currency

Pro plan lowered from €9 to €8 per seat/month

Free plan expanded: 3 projects, 25 workunits per project, 250 MB storage

Full homepage redesign with new hero, walkthrough, shared-memory visualization, and inline pricing cards

All auth pages (login, signup, password reset, email verification) redesigned

Features, pricing, guides, apps, support, status, privacy, and terms pages rebuilt

Guides index and individual guide layouts redesigned with cleaner navigation

Simplified pricing to Free + Pro only — removed deprecated plans

Relationship types on project-asset links — when linking an asset to a project, specify how it relates: involves, requires, affects, depends on, owns, or references

Relationship badges displayed on project asset cards so you can see at a glance how each asset connects to your project

AI models can now link and unlink assets to workunits (not just projects) via the unified asset_link MCP tool

Delete workunits directly from the UI with a confirmation dialog — no more needing to archive first

Delete context atoms from the timeline view when they're no longer relevant

AI models can now update task dependencies via MCP — add or change depends_on relationships without recreating tasks

Project selector on asset forms now includes a relationship type dropdown for richer project associations

Workunit updates via MCP now return accurate task counts and completion stats immediately after changes

Asset type icons and labels now display correctly in project asset search results

Interactive Learn page guiding new users through platform concepts — chapters for Workspace, AI Tools, and Collaboration with step-by-step tasks

Inline project, workunit, and task creation directly from onboarding tasks — practice with real data without leaving the guide

MCP configuration generator with tool selector for Claude Code, Cursor, and Windsurf — copy-paste ready JSON config

Per-user onboarding progress tracking with dismiss and resume — pick up where you left off across sessions

Navigation link to Learn page shown for users who haven't dismissed onboarding

Export all your personal data as a ZIP archive from Settings — workunits, tasks, assets, projects, check-ins, comments, and file attachments in machine-readable JSON

Email and in-app notification when your export is ready to download, with a 7-day availability window

Privacy policy and terms of service updated to document data export and retention

Delete your account from Settings — a 30-day grace period lets you change your mind and recover your account before data is permanently purged

Organization owners can delete their organization, with the same 30-day recovery window

Organization owners can remove and restore members, with session invalidation on removal

Global banner shown during the grace period with a one-click cancel option to restore your account or organization

Every MCP tool response now includes a clickable url field — workunits, tasks, assets, projects, search results, and directories all link directly to their web UI pages

AI models no longer generate incorrect URLs (e.g., /workunits/{id} which 404s) — correct URLs like /projects/{pid}/workunits/{wid} are provided in every response

Link people assets to platform users — assign a linked user, team lead, and team members directly from the create and edit forms

Capabilities field now fully supported — set on create, edit on update, and displayed on the show page

Team member selection uses checkbox list (matching project selection UX) instead of multi-select dropdown

User associations section conditionally shown when organization has members, with pre-selected values on edit

Attachment URLs (images, documents) now included in MCP get_workunit and get_task responses — AI models can see file attachments on workunits, tasks, and task comments

Batch GetTasks API now fetches task and comment attachments (previously only single GetTask did)

Shared MCPAttachment type for consistent attachment representation across all MCP tools

File attachments on task comments, task descriptions, and workunit descriptions — upload screenshots, wireframes, diagrams, and documents (images, PDF, markdown, CSV, zip, up to 50 MB)

Paste-to-upload: paste images directly from clipboard into any attachment zone, with Firefox compatibility (dual clipboardData.items / files API + document-level routing)

Inline image previews and filename + download links for non-image attachments

Storage quota system: per-org limits by plan tier (Free 100 MB → Team 100 GB) with 80% warning banner and UI indicators

Storage add-on packs (+10 GB for €2/mo) purchasable via Stripe from billing dashboard and pricing page

Pre-signed R2 PUT URL upload flow — browsers upload directly to Cloudflare R2, no binary data through the server

Direct R2 CDN URLs for file serving (Discord/Slack model) — UUID-based keys are unguessable access control, no Worker proxy, permanent browser caching

Immediate async deletion with hourly garbage collector — files deleted from R2 immediately, GC catches crash/deploy edge cases

Edit and delete functionality for task comments

Attachment upload available in task creation modal alongside comment and edit forms

Storage add-on count shown in billing dashboard with stacked quota calculation

Cloudflare R2 file storage disclosures added to privacy policy and terms of service

Comment delete restricted to comment author only

Zip upload now accepts application/x-zip-compressed MIME type in addition to application/zip

New structured context atoms system replacing monolithic AI context: typed records (decision, insight, question, attempt, progress) with importance levels

Timeline UI on workunit detail page with filtering by atom type, importance, and full-text search

Supersedes/conflict visualization for decision chains — see when decisions were updated or conflicted

save_context MCP tool for AI assistants to save structured context atoms instead of updating a free-form markdown blob

Token-budget assembly for efficient context retrieval — critical atoms always included, others selected by importance

Legacy AI context migration support — existing ai_context_markdown content surfaced alongside new atoms

Context atoms sidebar on workunit detail page with direct link to full context view

URL push state on context filter bar — filters are reflected in the URL for shareability

Dead code cleanup from context migration — removed stale docs and unused code paths

MCP clients registering via dynamic client registration (RFC 7591) with partial scopes now get all server-allowed scopes merged in, fixing authorization failures when clients like OpenCode request 'mcp' scope during authorization

OAuth scope validation in client registration now uses centralized config instead of hardcoded map, ensuring consistency with server-wide scope settings