Changelog

Release notes for the RentersActReady readiness engine and compliance content. Every entry names the rules or copy that changed and the statutory source we reconciled against.

Template library deferred to v1.1 — pending solicitor sign-off

We've deferred the in-app template library (Written Statement, Form 4A, Tenant Welcome Handout) to v1.1 while we complete a legal review. The standalone Form 4A template and the statutory Information Sheet remain available today.

We've decided to defer the paid in-app template library (Written Statement of Tenancy Terms, Form 4A Notice of Rent Increase, Tenant Welcome Handout) to v1.1, pending a written opinion from a housing solicitor on one specific question: where the distribution of those three templates sits relative to the Legal Services Act 2007 Schedule 2 paragraph 6 boundary (reserved-instrument activity).

What this means for you today:

  • The standalone Form 4A Notice of Rent Increase template is still available for free at /free-form-4a-template — no sign-up required, no tier gate.
  • The statutory Information Sheet for the Renters' Rights Act 2026 (the government-published document prescribed by SI 2026/324 under RRA 2025 Sch 6 para 7) is linked from your dashboard today.
  • The Written Statement audit tool (the 23-clause scoring check aligned to SI 2026/324 Schedule Part 1, in force 1 May 2026) is unchanged and fully live. That is the scoring tool, not a downloadable template.
  • Every other Core feature — unlimited properties, Bulk AST view, Readiness PDF export, deadline-reminder emails, regulatory-update alerts, founder-direct email support — is live from launch day.

Why we're doing this now: we'd rather ship narrower and honest than wider and hedged. The three templates have been aligned to SI 2026/324 as part of the pre-launch citation audit — that work is preserved in the codebase. When the solicitor opinion comes back (or another acceptable trigger is met), reactivation is a well-scoped afternoon's work, not a rebuild.

If you'd like template access as soon as it ships, there's nothing to do — the feature reactivates transparently for every Core subscriber in the v1.1 release.

Not legal advice — for active enforcement or disputes, consult a housing solicitor.

Security defence-in-depth + commercial launch — 14-day trial, deadline reminders, CSV export, PDF preview

Phase B (security) + Phase C (commercial) — hardened the auth and admin surfaces, shipped the 14-day unlimited-properties trial, weekly deadline-reminder digest, portfolio CSV export, and a Free-tier PDF preview.

Second round of the 2026-04-16 sweep. First round (earlier today) was the regulatory-accuracy correction pass — rule engine v1.1.0. This round is the security hardening + the commercial features the product needs to stand on by Phase 1.

Security defence-in-depth

  • Admin RLS scope narrowed. Prior policies OR-combined admin access with user access on properties, documents, deadlines, readiness_assessments, written_statement_audits, and feedback — an admin hitting a user-facing endpoint received every tenant's rows. Dropped those admin policies (migration 013) and added explicit .eq(user_id) filters to every matching API route as belt-and-braces.
  • Rate limiter fails closed in production. Previous no-op fallback on missing Upstash env was indistinguishable from "rate limiting is on" from outside. Now throws at startup if APP_ENV=production.
  • CSRF localhost escape is exact-match. Previous substring check accepted attacker.localhost.evil.com. Fixed.
  • Admin settings keys whitelisted. The admin settings PUT only accepts the nine KPI-threshold keys the dashboard actually uses. No more arbitrary-key writes.
  • Account deletion revokes every session. admin.auth.admin.signOut(user.id, 'global') is called immediately after the soft-delete flip so a second device can't keep operating on the account through the 90-day window.
  • GDPR export rate-limited. 5 exports / 24-hour fixed window per user. Fails closed on limiter errors.
  • Server errors route through Sentry. New src/lib/logger.ts — migrated health, checkout, cancel-subscription, webhooks (non-rollback paths), readiness, audit, kpi-events, account, subscription-status, customer-portal.
  • CSP tightened. 'unsafe-eval' removed from script-src. 'unsafe-inline' kept pending a post-launch nonce rework.
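The localhost escape fix above, shown as an added example rather than the project's own code: the weak substring form that accepts attacker.localhost.evil.com beside an exact-match version that also honours the APP_ENV=production posture. Function names and the allowed-origin value are assumptions.

```typescript
// Added example (not RentersActReady's code). Assumed: the site origin below,
// and that APP_ENV is passed in as appEnv.
const ALLOWED_ORIGINS = new Set(['https://rentersactready.co.uk']);
const LOCALHOST_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

/** Weak version: substring test on the Origin header's hostname. */
function isTrustedOriginSubstring(origin: string): boolean {
  try {
    const host = new URL(origin).hostname;
    // 'attacker.localhost.evil.com'.includes('localhost') is true
    return ALLOWED_ORIGINS.has(origin) || host.includes('localhost');
  } catch {
    return false;
  }
}

/** Hardened version: exact hostname match, and only outside production. */
function isTrustedOrigin(origin: string, appEnv: string): boolean {
  let url: URL;
  try {
    url = new URL(origin);
  } catch {
    return false; // missing or malformed Origin header: reject, don't guess
  }
  if (ALLOWED_ORIGINS.has(url.origin)) return true;
  // Ports are stripped by .hostname, so http://localhost:3000 still matches
  return appEnv !== 'production' && LOCALHOST_HOSTS.has(url.hostname);
}
```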

Commercial unblockers

  • 14-day fully-featured trial on the Free tier. New signups get unlimited properties, documents, and deadlines plus bulk AST view, branded PDF export, and Written Statement audit for 14 days. No card required. On day 15, the account reverts to the Free-tier cap (3 properties, 5 documents, 3 custom deadlines). Deadline-reminder emails and regulatory-update alerts stay Core-only throughout — upgrade to keep them.
  • Weekly deadline-reminder digest for Core users. Daily cron at 07:00 UTC; per-user 7-day frequency cap + per-day idempotency. Top 3 imminent deadlines (next 30 days) per email. Service/transactional classification — not marketing; opt-out is still honoured.
  • Portfolio CSV export. Shipped day one for Core users (and trial users). Download button next to the Bulk AST table — UTF-8 with Excel BOM, every column.
  • Free-tier PDF preview. The Readiness Report PDF is now downloadable by free-tier users as a watermarked single-page preview with the top 3 actions and an "Unlock with Core" callout. Core users and trial-active free users still get the full report.
  • Marketing copy scrub. "Priority email support" → "Email support at support@rentersactready.co.uk — founder-direct, response within 1 working day". Team tier and one-time template packs removed from public pricing until they're built.
  • Phase 2 / 3 roadmap on home page. A small three-card block below "How it works" reframes the Phase-1-urgency positioning against the long-horizon RRA rollout. "You bought a product for Phase 1 urgency. Here's how the post-1-May commitment looks."

Data migration notes

Three DB migrations land with this update. Each has a matching .down.sql for operational rollback (Ground Rule 16):

  • 013_scope_admin_rls_policies.sql — drops admin SELECT policies on user-data tables.
  • 014_free_trial_window.sql — adds profiles.free_trial_expires_at; backfills existing free-tier rows as expired (grandfathered — no retroactive unlimited).
  • 015_handle_new_user_free_trial.sql — updates the signup trigger to stamp now() + 14 days on fresh accounts.
  • 016_processed_reminder_runs.sql — idempotency ledger for the deadline-reminder cron.


Compliance wiring + content polish + code quality — implementation sweep closes

Phase D (compliance), E (content/SEO/UX), and F (code quality + CI hardening) — disclaimer blocks across every customer-facing artefact, DPA publish, email-preference plumbing, Form 4A post restructure, and the code-quality items closing the 2026-04-16 implementation sweep.

Third and final round of the 2026-04-16 sweep. Round 1 (Session 1, earlier today) was the regulatory-accuracy correction pass — rule engine v1.1.0. Round 2 (Session 2) was security hardening + commercial features. This round closes the compliance wiring, content polish, and code-quality items that remained.

Compliance wiring

  • Disclaimer blocks live everywhere it matters. The "not legal advice" disclaimer that previously lived only in the Terms is now on the Readiness Report PDF (long variant as a new section after Methodology), every email (medium variant in the _layout footer), every free tool's output card (short variant via a new shared ToolDisclaimer), and a persistent banner at the top of every blog post. The home page's old "cite to a council inspector" language is replaced with the Option-D paper-trail paragraph that names the actual value: "Your readiness report becomes a dated paper trail of the compliance work you've done — the kind of thing you want on hand if a council investigation hits."
  • Data Processing Agreement published at /legal/dpa. Agent-ICP accounts are prompted to accept the DPA on first property add via a one-time dashboard modal. Acceptance is logged to dpa_acceptances with the accepted version; bumping the version re-triggers the modal.
  • Marketing-consent capture at signup — shipped in this phase as an unticked signup checkbox writing to a marketing_consents ledger. Superseded 2026-04-23 by the service-notification posture for Core subscribers under UK GDPR Article 6(1)(f); the marketing_consents table was dropped in migration 033 and the signup checkbox removed. See the current Privacy Policy and Legitimate Interests Assessment for the live model.
  • Audit-log retention narrowed to 6 years citing Limitation Act 1980 s.5 (the contractual-claim window). Revised Privacy policy update follows once founder completes the external identity reconciliation (Companies House / ICO / Stripe / domain / bank).

Content + SEO

  • Form 4A post restructured as three top-of-article Q&As (AI-citation optimised) with a dated banner reflecting GOV.UK's current state — the watermarked preview is live since 20 March 2026; the usable version releases on 1 May 2026.
  • New Form 4A template download micro-post at /blog/form-4a-template-download-where-to-get targeting the top GSC query form 4a template word.
  • Fair-rent defensibility softening. The "3–5% commonly cited uncontested increase range" was circular sourcing — removed. Replaced with an evidence-first framing: tribunal case law on RRA rent determinations is thin; there is no safe-harbour percentage; the protection is the comparables.
  • Duplicate RRA definitive-guide posts consolidated. The shorter, older "complete-guide" post redirects to the longer, more recent "definitive-guide" via [[redirects]] in netlify.toml.
  • Per-post lastReviewed dates fixed. The whole blog was carrying lastReviewed: 2026-03-04 regardless of actual touch date. A prebuild-time script (sync-last-reviewed.mjs) now syncs from git log -1; 12 posts flipped to their true last-edit dates. CI-read-only — mutations only happen locally via SEED_LAST_REVIEWED=1.
  • Per-post OG images. Every blog post now renders a 1200×630 Amber/Stone branded OG card with the post title + publish date via Next.js 16's opengraph-image.tsx route convention. No more generic brand card.

Code quality + CI

  • website/ARCHITECTURE.md — one-stop reference for the codebase shape: auth flow, RLS model, API envelope, rule-engine versioning, Stripe state machine, retention lifecycle, env variables, CI pipeline, migrations discipline.
  • Stripe typed event adapter. Three event.data.object as any casts in the webhook handler moved into a single src/lib/stripe-events.ts helper; the webhook file now has @typescript-eslint/no-explicit-any: 'error' as a file-scoped rule.
  • 'trial' SubscriptionStatus removed. Dead code: the product doesn't run a Stripe trial. The free-tier 14-day trial is tracked via profiles.free_trial_expires_at (from last round). Migration 019 drops 'trial' from the CHECK constraint and the webhook mapper folds trialing → active.
  • Server-side CheckoutIntent. A user who starts on desktop and finishes signup on mobile no longer loses the paid-plan selection. One-shot token with a 30-minute httpOnly cookie; sessionStorage retained as fallback.
  • CI hardening. npm audit --audit-level=high --omit=dev runs before build. New scripts/secret-scan.sh greps src / content / public for AWS access key IDs, Stripe live secrets, and JWT-shaped tokens.
  • Portfolio-rollup explanation. The 80% Well Prepared threshold feels harsh to a 50-property agent with 2 expired EICRs — that's the intended behaviour (any rule-0 line is an enforcement-triggering gap) but the UI didn't explain it. Now does.
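The three secret classes the CI hardening bullet names, as an added TypeScript scanner that is not the project's scripts/secret-scan.sh. The prefix-anchored patterns, the redaction rule and the sample file are constructed for illustration.

```typescript
// Added example (not the project's secret-scan.sh). Patterns are anchored to
// a known prefix so ordinary identifiers don't trip them.
interface Finding { line: number; kind: string; match: string }

const DETECTORS: Array<{ kind: string; re: RegExp }> = [
  // AWS access key IDs: 'AKIA' (long-term) or 'ASIA' (temporary) + 16 chars
  { kind: 'aws-access-key-id', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  // Stripe live secret keys; sk_test_ / pk_* keys are deliberately not flagged
  { kind: 'stripe-live-secret', re: /\bsk_live_[0-9A-Za-z]{16,}\b/g },
  // JWT-shaped tokens: base64url header starting 'eyJ' ('{"'), two dots
  { kind: 'jwt', re: /\beyJ[\w-]+\.[\w-]+\.[\w-]+\b/g },
];

function scanForSecrets(text: string): Finding[] {
  const findings: Finding[] = [];
  text.split('\n').forEach((lineText, idx) => {
    for (const { kind, re } of DETECTORS) {
      for (const hit of lineText.match(re) ?? []) {
        // Redact the middle so the CI log itself doesn't leak the value
        const redacted = hit.slice(0, 8) + '...' + hit.slice(-4);
        findings.push({ line: idx + 1, kind, match: redacted });
      }
    }
  });
  return findings;
}

// Constructed sample: one hit per class, plus a test key that must not fire.
const SAMPLE_FILE = [
  'const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',                    // AWS docs example ID
  'STRIPE_SECRET=sk_live_EXAMPLEEXAMPLEEXAMPLE12',               // constructed
  'STRIPE_PUBLIC=pk_test_EXAMPLEEXAMPLEEXAMPLE12',               // not a secret
  'token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl',    // constructed
].join('\n');

function runScan(): Finding[] {
  return scanForSecrets(SAMPLE_FILE);
}
```

A CI step would exit non-zero when runScan() (over real files) returns anything, which is the same failing-build behaviour the changelog describes.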

Gated on founder

The revised Privacy + Terms deploy with the populated registered-office, ICO registration number, and DPA effective-date placeholders is ready to ship the moment founder external reconciliation completes (Companies House, ICO, Stripe, domain, bank). The three placeholders stay in the P3 artefacts until then. Email footer and PDF running footer carry interim disclosures ("Crocker Digital Ltd · 17008789 · Registered in England and Wales") that extend to include the registered-office line on deploy.

Deferred post-launch

  • Full nonce-based CSP (the narrow fix — removing unsafe-eval — is already live).
  • Page subcomponent extraction from large dashboard / admin / home pages (pure refactor with regression risk; not worth the exposure in a solo-maintenance phase).


Rule engine v1.1.0 — regulatory-accuracy correction pass

We audited every statutory claim in the readiness engine against legislation.gov.uk and corrected nine specific items. Full list inside.

We audited every statutory claim in the readiness engine against legislation.gov.uk and corrected the following:

  • Rent Repayment Orders — previously described as "up to 24 months" with a "first vs repeat" split. The statutory position is up to 12 months under HPA 2016 s.44 today, rising to 2 years from 1 May 2026 under RRA 2025 s.103, applied universally.
  • Written Statement audit — the 18 clauses we audit were labelled "Schedule 1 §1–§18". Schedule 1 is actually "Changes to grounds for possession"; Written Statement contents will be specified in regulations under s.12 (not yet published). We've relabelled the citations to s.12 + regulations-TBC and added a banner to the audit output.
  • Section 48 notice address — the statute (LTA 1987 s.48(1)) says "in England and Wales". We had "England-based". Corrected.
  • Section 21 transitional deadline — we captured the 31 July 2026 / 6-month branch but missed the separate branch for s.21(4) longer-notice notices (RRA 2025 Sch 6 para 4(2)). Now covered.
  • Pet requests — we said silence defaults to consent after 28 days. RRA 2025 s.11 is silent on the consequence of non-response; there's no deemed-consent rule. Copy corrected.
  • Penalty amounts — the £7,000 / £40,000 cap is a breach-severity / enforcement-route split covering HA 1988 s.16D (inserted by RRA 2025 s.12) + s.16E (inserted by RRA 2025 s.13), with the penalty regime at s.16I / s.16K (inserted by RRA 2025 s.15). It is not a "first offence vs repeat offender" one. Reworded throughout.
  • EPC C by 2030 — stated as a fixed deadline. It's an unenacted 2022 BEIS / DESNZ consultation proposal; MEES 2015 still sets the minimum at E. Softened.
  • Phase 3 date — we had "no earlier than 2030". The GOV.UK roadmap says 2035 or 2037 pending consultation. Aligned.
  • Minor — RentIncreaseCalculator used calendar months where HA 1988 s.13(2)(b)(ii) specifies 52 weeks (the 2026-04-16 change-log entry originally inverted this direction; a later pass reverts the arithmetic to the statutory 52-week unit); council investigatory powers cited as ss.55–62 (correct: ss.114–136 Part 4 Ch.3); a blog post had "c. 24" (correct: c. 26); Gas Safety custodial max listed as 6 months (correct: 2 years on indictment); a few other small wording precisions.

We take accuracy seriously — this is the kind of thing we want to catch once and get right. We've added a pre-commit gate that prevents any act-section URL or chapter number drifting without review.

Follow-up (2026-04-22): the Phase 3 date alignment above was partial — the home-page FAQ, the rule-engine Decent Homes Standard help text, the deadline-tracker Phase 3 row, and one table row of the "Key Dates" guide still carried the old "no earlier than 2030" phrasing. We've now centralised Phase 3 copy on RRA_PHASE_3_DESCRIPTION from our regulatory-dates.ts module and added a regression test so the four surfaces can't drift apart again.


Questions about a change? Email support@rentersactready.co.uk — founder-direct, response within 1 working day.

Looking for the methodology? See our methodology page.