All notable changes to PensionPortal.ai are documented here. Dates follow ISO 8601 (YYYY-MM-DD). Versioning follows Semantic Versioning.

v0.5.0 — 2026-02-27

Forgot Password Flow, Docs Cleanup & Devil’s Advocate Review

Features

  • Forgot Password Flow: Full self-service password reset via email. Cryptographically secure tokens (SHA-256 hashed, 60-minute expiry, single-use). Includes POST /api/auth/forgot-password, POST /api/auth/reset-password, UI pages, and Resend email template.
  • Password Reset Token Schema: New password_reset_tokens table with migration 0003_add_password_reset_tokens.sql.
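
The token properties listed above (hashed at rest, 60-minute expiry, single-use), sketched as an added example that is not PensionPortal.ai's own code. An in-memory Map stands in for the password_reset_tokens table, and the field names and function names are assumptions.

```javascript
// Added example: reset-token lifecycle with hash-only storage.
const { randomBytes, createHash } = require("node:crypto");

const TOKEN_TTL_MS = 60 * 60 * 1000; // 60-minute expiry, as stated in the changelog

// Stand-in for the password_reset_tokens table (field names are assumed).
// Keyed by the SHA-256 hash, so a leaked table does not yield usable tokens.
const store = new Map(); // tokenHash -> { userId, expiresAt, usedAt }

const sha256 = (value) => createHash("sha256").update(value).digest("hex");

// Issue: the raw token goes only into the e-mailed link; only its hash is stored.
function issueResetToken(userId, now = Date.now()) {
  const rawToken = randomBytes(32).toString("hex"); // 256 bits from the OS CSPRNG
  store.set(sha256(rawToken), {
    userId,
    expiresAt: now + TOKEN_TTL_MS,
    usedAt: null,
  });
  return rawToken;
}

// Redeem: look the token up by its hash, reject unknown, used or expired
// tokens, then mark it used so a replayed link fails.
function redeemResetToken(rawToken, now = Date.now()) {
  if (typeof rawToken !== "string" || rawToken.length === 0) {
    return { ok: false, reason: "invalid" };
  }
  const row = store.get(sha256(rawToken));
  if (!row) return { ok: false, reason: "invalid" };
  if (row.usedAt !== null) return { ok: false, reason: "used" };
  if (now >= row.expiresAt) return { ok: false, reason: "expired" };
  // Against a real database, check and mark in one conditional UPDATE so two
  // concurrent requests cannot both redeem the same token.
  row.usedAt = now;
  return { ok: true, userId: row.userId };
}
```

The reason field is for logging and tests; the HTTP response can stay generic for all three failure cases.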

Documentation

  • Added password reset flow documentation to security.mdx, authentication.mdx, data-model.mdx.
  • Added forgot-password and reset-password endpoints to OpenAPI 3.1 specification.
  • Updated OpenAPI spec version to 0.5.0 with Auth tag.
  • Archived outdated prototype files from /docs/ to /docs/archive/ (HTML/JS compliance portal prototype, out-of-scope GTM analyses).

UX / Branding (Devil’s Advocate Review)

  • Environment-controlled DEMO banner: Landing page “DEMO APP” banner now gated behind NEXT_PUBLIC_DEMO_MODE env var. Defaults to hidden.
  • Fixed remaining “PensionsApp” branding to “PensionPortal.ai” in mobile nav, auth config, session hook, session provider, and AI prompts.
  • Updated root layout metadata: title, description, and OpenGraph tags for PensionPortal.ai branding.
  • Added trust/compliance signal strip to landing page (IORP II, GDPR, DORA, AES-256).
  • Added Documentation and Security links to landing page footer.
  • Reduced hero text sizes for better mobile responsiveness.
  • Added NEXT_PUBLIC_DEMO_MODE to .env.example.

v0.4.0 — 2026-02-27

Documentation Cleanup & Devil’s Advocate Review

Documentation

  • Separated implemented GDPR controls from pre-launch requirements in compliance.mdx. Controls are now clearly marked as “Implemented” or “Pre-Launch Required” with explicit status labels instead of inline TODO markers.
  • Fixed 3 broken runbook references: security.mdx referenced non-existent runbooks/key-rotation.mdx; tenancy.mdx referenced non-existent runbooks/rls-migration.mdx and runbooks/tenant-cleanup.mdx. All references now point to existing documentation sections.
  • Updated placeholder documents in /docs/ (PA-ACS-Form-2025.md, PA-ACS-Guidance-2025.md, DORA-ICT-Policy-Requirements.md) with clear status labels instead of ambiguous “placeholder” language.
  • Corrected architecture.mdx technology table: openai package is used as the OpenRouter client for RAG embeddings, not as a direct OpenAI integration. Updated RAG architecture diagram to reflect OpenRouter as the embedding provider.
  • Corrected quickstart.mdx development credentials to list all 3 test accounts (SuperAdmin, BrokerAdmin, Employer) matching README.md.
  • Updated compliance.mdx vendor note: clarified that the openai npm package is used for OpenRouter embeddings, not direct OpenAI API access.
  • Replaced raw TODO markers in data subject rights section with structured status notes using Mintlify <Note> and <Warning> components.
  • Cleaned up tenancy.mdx provisioning lifecycle TODO to use proper “Planned” label with cross-reference to tenant provisioning runbook.

UX / Branding

  • Fixed landing page branding inconsistency: changed “PensionsApp” to “PensionPortal.ai” across navbar, footer, and copyright notice.
  • Changed “Demo - Enter App” CTA to “Launch Portal” linking to /auth/login instead of directly to /dashboard (prevents unauthenticated dashboard access attempts).
  • Updated footer copyright to “PensionPortal.ai” for brand consistency with Mintlify documentation.

Devil’s Advocate Findings Addressed

  • Runbook references now resolve to real files or inline documentation sections.
  • Compliance traceability matrix no longer conflates implemented controls with planned features.
  • Landing page branding aligned with documentation and marketing site identity.
  • Development credentials consistent across README, quickstart, and API authentication docs.

v0.3.0 — 2026-02-27

Agent Teams: Security & Docs

Security

  • Extended middleware to protect all /api/* routes. Previously only /dashboard routes were covered by authentication middleware, leaving API routes unauthenticated.
  • Added NODE_ENV=production guard on hardcoded development credentials in auth.ts to prevent dev-only bypass credentials from being active in production builds.
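
A route-coverage check for the middleware gap described above, as an added example that is not the project's middleware or its docs-check script. The prefix lists, the function names and the /api/schemes route are assumptions; the other paths are the ones named in this changelog.

```javascript
// Added example: find routes that no authentication rule covers.

// Whole-segment prefix match: "/api" covers "/api/x" but not "/apiary".
function underPrefix(pathname, prefix) {
  return pathname === prefix || pathname.startsWith(prefix + "/");
}

function isPublic(pathname, config) {
  return config.publicPrefixes.some((p) => underPrefix(pathname, p));
}

// A request needs a session when it sits under a protected prefix and is
// not under a deliberately public one (login, password reset).
function requiresSession(pathname, config) {
  if (isPublic(pathname, config)) return false;
  return config.protectedPrefixes.some((p) => underPrefix(pathname, p));
}

// CI-style check: routes that are neither protected nor explicitly public.
function uncoveredRoutes(routes, config) {
  return routes.filter((r) => !requiresSession(r, config) && !isPublic(r, config));
}

// Assumed public prefixes: the auth API endpoints and the login pages.
const PUBLIC_PREFIXES = ["/api/auth", "/auth"];

// Coverage before v0.3.0 (dashboard only) and after (dashboard plus all of /api).
const BEFORE = { protectedPrefixes: ["/dashboard"], publicPrefixes: PUBLIC_PREFIXES };
const AFTER = { protectedPrefixes: ["/dashboard", "/api"], publicPrefixes: PUBLIC_PREFIXES };

// Constructed route inventory; "/api/schemes" is a hypothetical data route.
const ROUTES = [
  "/dashboard",
  "/api/schemes",
  "/api/auth/forgot-password",
  "/api/auth/reset-password",
  "/auth/login",
];
```

Run against the route inventory in CI, a non-empty result from uncoveredRoutes fails the build before an unauthenticated route ships.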

Docs

  • Added complete Mintlify docs-site structure at /docs-site.
  • Added GDPR Article mapping and DORA requirements traceability matrix (docs-site/compliance.mdx).
  • Added tenant isolation documentation covering ActorContext, row-level scoping, and middleware enforcement.
  • Added Vercel deployment guide and Cloudflare deployment/DNS configuration guide.
  • Added incident response runbook (runbooks/incident-response.mdx).
  • Added backup and restore runbook (runbooks/backup-restore.mdx).
  • Added tenant provisioning runbook (runbooks/tenant-provisioning.mdx).
  • Added OpenAPI 3.1 specification covering all API routes.

CI

  • Added GitHub Actions workflow enforcing test, lint, typecheck, build, and docs-check on every pull request.
  • Added docs-check script to enforce documentation-as-code policy: all new API routes must have a corresponding entry in the OpenAPI spec, and all runbook references in compliance.mdx must resolve to existing files.

v0.2.0 — 2026-02-26

Design Updates
  • Applied Figma Make UX/UI design updates across the portal.
  • Fixed bugs introduced by design update and added missing UI components.

v0.1.0 — 2026-02-26

Agent Teams: Phase 2
  • Database seed implementation for development and staging environments.
  • Scheme tabs navigation and layout.
  • RAG document ingestion pipeline for regulatory corpus.
  • Compliance hub link added to scheme navigation.
  • Loading states added across async data-fetching components.
  • Policy Register: 11 mandatory IORP II written policies plus DORA ICT Risk Management Policy.
  • ACS Wizard: guided Annual Compliance Statement completion flow with AI pre-fill.

v0.0.1 — Initial

Foundation
  • Next.js 16 App Router project setup.
  • Auth.js v5 with Credentials provider for broker and trustee authentication.
  • Drizzle ORM with Neon PostgreSQL for schema management and type-safe queries.
  • Anthropic Claude AI integration for compliance assistance and policy drafting.
  • Core database schema: schemes, members, employers, and compliance tables (written_policies, health_check_assessments, ora_reports, acs_wizard, key_function_holders).
  • RAG pipeline with pgvector for semantic search over regulatory documents.