Changelog
What we've shipped
Public release notes for cross-border deal teams. 50 customer-facing shipments across 5 months. Internal refactors and infrastructure-only changes are not listed here.
June 2026
Document Intelligence: ask questions across your deal documents
[Feature] Uploaded deal documents — term sheets, MOUs, regulatory filings, financial models (PDF, DOCX, XLSX, PPTX) — are now parsed by a new Docling extraction service into layout-aware markdown, chunked, and embedded with a multilingual model (English + Arabic, 1,024-dim) into a pgvector index. The chat and DD agents answer with passage-level citations drawn from the actual document text via a new search_documents tool, falling back to filename/keyword matching until a file finishes indexing. A status badge on the data-room file list shows each document's indexing state (queued / indexing / indexed). Ingestion runs in the background worker so large or scanned PDFs never block the upload.
May 2026
Data Room: per-viewer PDF watermarking on download
[Security, Compliance] New GET /api/deals/[id]/data-room/files/[docId]/download fetches the original PDF from S3, overlays a diagonal “CONFIDENTIAL” watermark plus a corner viewer banner (name · email · UTC timestamp) on every page using pdf-lib, and streams the watermarked bytes back. The original is never exposed — we don't hand out signed S3 URLs for confidential docs because a determined bidder could fetch the un-watermarked source. Soft-fails on watermark errors (log + serve original) so a malformed PDF can't break the download. Every download writes a FILE_DOWNLOADED activity row + an audit log entry that records whether watermarking succeeded. PreviewBanner on /deals/[id]/data-room updated to drop watermarking from the still-preview list.
Bug fix: topbar notification bell shows the real unread count
[Feature] Pre-existing gap: the notification store was only seeded from /ambient, so the bell badge in the global topbar showed 0 unread on every other page. The SSE stream hook now bootstraps the store from /api/notifications on mount and re-polls every 60s as a safety net, so the bell count actually reflects reality across the whole app. SSE still drives real-time updates between polls.
Data Room Q&A now pings the deal owner
[Feature] When a question is asked in a deal's Q&A thread, the deal owner now gets an in-app Notification + HTML email summary (with the auto-numbered Q reference + a clip of the question + a deep link to the Q&A page) gated by the DATA_ROOM_QA preference. Self-asks (owner asking on their own deal) are skipped. Closes the obvious gap where Q&A used to be a silent send.
Portfolio-level CFIUS exposure on the dashboard
[Feature, Compliance] New CFIUS Exposure widget on the dashboard rolls up every CfiusAssessment row in your org into a single workspace-wide view: count pills for each status (Mandatory / Declaration / Voluntary / Clear) plus up to 3 highest-severity deals as deep links to their per-deal CFIUS card. Backed by a new /api/cfius/portfolio endpoint that org-scopes via the parent Deal and respects soft delete. Auto-hides when no deals have been assessed yet, so fresh pilots see a clean dashboard until they run their first pre-screen.
Investment Theses are now editable
[Feature] New /settings/investment-theses page where OWNER/ADMIN can create, edit, activate/deactivate, and delete the investment theses that the Pipeline Scout scoring path consumes. Each thesis is a name + description + sector filter + corridor filter + min/max deal size + active toggle. Chip-style multi-selects across all 29 sectors and 26 corridors; inactive theses are excluded from scoring without losing history. Hard delete is safe (no FK references) — the scoring path simply ignores theses that are gone. OWNER/ADMIN only on writes; collaborators get read-only.
CFIUS pre-screen surfaced on the deal page
[Feature, Compliance] New CfiusStatusCard above the regulatory framework grid on /deals/[id]/regulatory shows the deal's persisted CfiusAssessment — status pill (Mandatory / Declaration / Voluntary / None required), filing type, ~timeline estimate, top 3 risk factors, recommended next action, model confidence, and the standard advisory disclaimer rendered inline. Empty state prompts running the deterministic rules engine. Backed by the existing GET /api/deals/[id]/cfius/assess endpoint; counsel review remains mandatory for any actual filing.
Investors hear back — IOI status-change notifications
[Feature] When the deal team moves an IOI to Under Review, Shortlisted, or Declined, the investor is now notified. Authenticated Meridian investors get an in-app Notification + email gated by the new IOI_STATUS_CHANGED preference (default: in-app on, email off). External bidders (those who submitted via a share-token portal and aren't Meridian users) get the email automatically since they have no other channel. Withdrawn is skipped — the submitter is the one initiating it. Notification dispatch is fire-and-forget so a flaky email provider can't fail the PATCH.
Audit log multi-tenancy fix (SEC-06)
[Security, Compliance] AuditLog now stores organizationId on every row, populated automatically by the logAudit() helper from the actor's user record (with an explicit override for hot paths). The admin Audit Log endpoint at /api/audit now filters by the caller's organizationId so an ADMIN/OWNER from one workspace can no longer see audit rows from any other workspace. Hand-written migration backfills existing rows by joining through User. Composite index (organizationId, createdAt) keeps the existing pagination queries fast.
Per-user notification preferences
[Feature] New /settings/notifications page with per-event in-app and email channel toggles. Backed by a new NotificationPreference model — absence of an override means each event's registered defaults apply, so brand-new notification surfaces ship without needing to backfill any user rows. The preference resolver is now consulted by the external-IOI dispatcher (IOI_RECEIVED_EXTERNAL) and the regulatory-alerts generator (REGULATORY_DEADLINE) — toggling email off there immediately stops the Resend dispatch on the next cron pass, and toggling in-app off skips the Notification row creation entirely. Adoption is incremental: other dispatchers can wire in by passing the resolver one event key.
External IOI submissions now trigger in-app + email notifications
[Feature] Closing the loop on the external-bidder portal: when a counterparty submits an IOI via a share-token link, we now create in-app Notification rows for both the token issuer and the deal owner (deduped), email the deal team an HTML summary of the bidder + valuation / structure / equity / financing fields, and email the bidder a confirmation with their submission summary and reference ID. Dispatch is best-effort — a flaky email provider can't bubble back as a 5xx to the bidder, and per-recipient failures are logged but swallowed so one bad address doesn't block the others. Templates escape user-controlled fields.
External-bidder portal — submit an IOI without a Meridian account
[Feature, Security] /deals/[id]/ioi has a new Invitations tab where the deal team can generate single-use, time-bounded magic links (default 14 days, capped at 60). Each link points to a public bidder portal at /ioi/external/[token] that loads a minimal deal preview (no financials) and a focused IOI form — bidder identity, valuation range, structure, equity %, financing, target dates, conditions. Submission persists as a real DealIoi bound back to the token, marks the token used (single-use), and notifies the deal team via the existing IOI workflow. Tokens are 64-char hex from crypto.randomBytes; list views only reveal an 8-char fingerprint so leaked log files can't be replayed. Phase 2: token rotation, per-link memo download, allowed-domain pinning.
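Added example (not Meridian's code): one way to issue and redeem the single-use, time-bounded share tokens described above, with the 14-day default and 60-day cap. The in-memory Map, the function names, storing only a SHA-256 digest of the token, and deriving the 8-char fingerprint from that digest are assumptions of this sketch.

```javascript
// Added example, not the product's code. The Map stands in for the token table.
const { createHash, randomBytes } = require('node:crypto');

const DAY_MS = 24 * 60 * 60 * 1000;
const DEFAULT_TTL_DAYS = 14; // default from the release note
const MAX_TTL_DAYS = 60;     // cap from the release note

const sha256Hex = (s) => createHash('sha256').update(s).digest('hex');

// What a list view or log line may show: 8 hex chars taken from the digest
// (assumption), which cannot be turned back into the 64-char token.
const fingerprint = (token) => sha256Hex(token).slice(0, 8);

function issueToken(store, dealId, ttlDays = DEFAULT_TTL_DAYS, now = Date.now()) {
  if (!Number.isFinite(ttlDays) || ttlDays <= 0) ttlDays = DEFAULT_TTL_DAYS;
  const expiresAt = now + Math.min(ttlDays, MAX_TTL_DAYS) * DAY_MS;
  const token = randomBytes(32).toString('hex'); // 32 random bytes -> 64 hex chars
  // Only the digest is stored, so a dump of this table holds no usable links.
  store.set(sha256Hex(token), { dealId, expiresAt, usedAt: null });
  return { token, fingerprint: fingerprint(token), expiresAt };
}

function redeemToken(store, presented, now = Date.now()) {
  // Reject anything that is not exactly 64 lowercase hex chars before hashing.
  if (typeof presented !== 'string' || !/^[0-9a-f]{64}$/.test(presented)) {
    return { ok: false, reason: 'malformed' };
  }
  const row = store.get(sha256Hex(presented));
  if (!row) return { ok: false, reason: 'unknown' };
  if (row.usedAt !== null) return { ok: false, reason: 'used' };
  if (now >= row.expiresAt) return { ok: false, reason: 'expired' };
  // Single-use: against a real database this check-and-set must be one
  // atomic conditional UPDATE, or two concurrent submissions can both pass.
  row.usedAt = now;
  return { ok: true, dealId: row.dealId };
}
```

Looking the token up by its digest avoids comparing secrets byte by byte, and a fingerprint presented in place of the token fails the format check.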
Regulatory alerts now run on their own — daily cron + manual trigger
[Feature, Compliance] The regulatory-alerts generator (RA-06) is now scheduled inside the BullMQ worker at 02:30 UTC daily — fresh orgs get their deadlines surfaced without anyone having to click anything. A new ADMIN/OWNER-only POST /api/regulatory/alerts/trigger endpoint enqueues the same job on demand for pilot demos and ops triage, returning the BullMQ jobId for monitoring. The generator's idempotency (unique on regulatoryItemId+threshold) means repeat runs are safe — back-to-back cron + manual triggers won't double-notify.
Network intelligence: org coverage on every contact
[Feature] Contact detail now shows which Meridian users have logged interactions with this person (with last-touched relative time + count), neighbors via shared deals + same-org links, and a real-data recent-touchpoints feed. Backed by new /api/contacts/[id]/network endpoint that aggregates from DealStakeholder + Interaction. Schema change: added optional userId to Interaction (backfilled from deal.createdById) so the org-coverage view is computable.
Pipeline Scout scores now surfaced in the UI
[Feature] /pipeline/scoring dashboard wired to real PipelineOpportunity rows scored by Pipeline Scout, hydrated with deterministic sub-scores (sector / corridor / deal-size fit against the org's InvestmentThesis, plus Scout's qualitative strategic-fit). New /api/pipeline/scoring backing endpoint with SEC-01 scoping. New dashboard widget surfaces the top 3 highest-scoring inbound opportunities with rationale snippets and click-through to the scoring page. Multi-dimensional AI sub-scoring (close probability, risk-adjusted return, etc.) is honestly labeled as preview pending Phase 2 agent updates.
IOI workflow wired to real persistence
[Feature] /deals/[id]/ioi (the indication-of-interest page) now persists submitted IOIs and status transitions (Under Review / Shortlist / Decline / Withdraw) to a new DealIoi model. Three new endpoints with SEC-01 deal scoping. Permission rules: only the deal owner can shortlist/decline; only the IOI submitter can withdraw. Per-status timestamps are auto-stamped for analytics. External-bidder share-token portal remains Phase 2.
Regulatory deadline alerts wired end-to-end
[Feature, Compliance] New RegulatoryAlert model with idempotent generator that scans RegulatoryItem dueDates at 90/30/7-day and overdue thresholds. Each alert writes an in-app Notification row of type REGULATORY_DEADLINE and best-effort dispatches an HTML email via Resend (subject, status, due date, deal context, dismiss link). User-facing GET /api/regulatory/alerts (org-scoped, urgency-sorted) and POST .../dismiss endpoints (with ?suppressFuture=1 to mute subsequent thresholds for the same item). Dashboard Regulatory Alerts widget replaced with the live-data version — auto-hides when there are no active alerts.
Unified activity feed across all four streams
[Feature] New /api/activity/unified endpoint combines the cross-cutting AuditLog with the typed DataRoomActivity, FormationAuditLog, and MarketplaceActivity streams into a single org-scoped timeline. The /activity page now renders the union with expanded filter chips (Agents, Deals, Marketplace, Formation, Data Room, Regulatory, System). New Workspace Activity dashboard widget shows the last 5 events across the workspace and auto-hides when there's been no activity in the last 7 days.
Marketplace activity log + my-listings page wired
[Feature, Compliance] New MarketplaceActivity model captures every listing creation, view, interest expression, and status transition for compliance + seller-side analytics. 2 new API endpoints — /api/marketplace/my-listings and /api/marketplace/my-interests with incoming/outgoing direction filter — replace the hardcoded demo arrays on the /marketplace/my-listings page. Withdraw and Approve Interest buttons now persist via the existing PATCH endpoints with status transitions audited to the new MarketplaceActivity table.
Data Room — real backend (Phase 1)
[Feature, Compliance] Full persistence layer for /deals/[id]/data-room and the Q&A subroute: 3 new Prisma models (DataRoomQa, DataRoomQaFollowUp, DataRoomActivity) and 4 enums, 6 API endpoints with SEC-01 deal-scoped access, per-deal auto-numbered Q&A, threaded follow-ups, append-only activity log of every file view / download / Q&A event, and folder-grouped file lists augmented with view/download counts. Files reuse the existing Document model. Phase 2 deferrals: server-side watermark rendering, inbound-email-to-Q&A, time-bounded share-token files.
Dashboard formations widget surfaces in-flight entities
[Feature] New Corporate Formations summary widget on the dashboard. Renders in-flight count, average progress %, and the 3 most-recently-updated formations with status pills, ETA in relative time, and progress percentage. Empty-state nudge for orgs without any formations yet, with localStorage dismiss.
Per-deal Corporate tab wired to real API
[Feature] /deals/[id]/corporate replaces its DEMO_FORMATIONS array with a real fetch to /api/formations?dealId=X. Recommended-jurisdiction tiles and the New Entity button deep-link with ?dealId=… so arriving from a deal pre-selects it in the new-formation modal.
Corporate Formation & Structuring — real backend (Phase 1)
[Feature, Compliance] Full persistence layer for the /corporate-formation feature: 4 new Prisma models (Formation, FormationMilestone, FormationDocument, FormationAuditLog), 6 API endpoints with SEC-01 org scoping and per-transition audit, S3 document upload via the OPS-01 bucket with 10-minute signed-URL download, and a JSON timeline export. The 4-step wizard, the 14-jurisdiction catalog, and the demo data all still work — but the data is now real, scoped, and forensically auditable. Phase 2 will add per-jurisdiction direct-filing integrations (DIFC, ADGM, MISA, Delaware SOS) behind a FilingAgent abstraction.
Meeting recordings now persist to S3
[Feature] POST /api/recordings uploads multipart audio to the OPS-01 S3 bucket with a per-user/per-day key. The new GET /api/recordings/[id]/download endpoint mints a 10-minute signed URL on demand. Audio survives across requests and is downloadable from the desktop + mobile clients.
Scheduling a meeting now lands a calendar event
[Feature] POST /api/meetings now best-effort creates a primary-calendar event via the host's connected Google Calendar (INT-02) and / or Microsoft Graph Calendar (INT-06) integrations. Invitee emails are attached, the join URL appears in the event body, and the external event IDs persist to ExternalCalendarEvent for future update / delete.
Native e-signature confirmed as the durable answer
[Docs, Compliance] Reaffirmed: Meridian ships its own SEC-02 hash-chain e-signature flow rather than integrating DocuSign. Help center, platform overview, and roadmap now position the native flow as the product answer — no third-party signer, no per-envelope licensing tax, ESIGN Act + eIDAS-equivalent audit via the chain + optional Polygon anchor.
Public pricing page at /pricing
[GTM] Four-tier structure (Free → Navigator → Compass → Enterprise) with monthly / annual toggle and a 36-row feature comparison matrix. Eliminates the procurement-side "what does this cost" friction.
Public system-status page at /status
[GTM, Performance] Live operational health for the app, Postgres, Redis, and the Gulf-harvester sidecar. Per-source freshness for Etimad / SPA / MISA / WAM / UAE MOE. Polls every 60s; subscribable via email.
Customer Trust Center at /trust
[Security, Compliance, GTM] Consolidates compliance status, security controls, audit-trail policy, encryption + key management, incident response, and operational facts onto a single shareable URL.
Use-cases gallery at /use-cases
[GTM] Six representative buyer profiles with full workflow descriptions, data-source coverage, and recommended tier. Prospects self-identify against a profile rather than against a feature list.
5-step onboarding wizard + dashboard checklist
[Feature] First-org guided setup at /onboarding (corridor → integrations → calendar). Dashboard widget tracks six derived milestones and auto-hides when complete.
In-app help center at /help
[Feature, GTM] 23 topics across 7 categories with in-page search, expand / collapse all, per-answer deep links with clipboard helper.
Per-run agent observability + cancel UI
[Feature] Live in-flight progress strip on /agents/runs/[runId] with 2-second polling and a one-click cancel that's respected mid-ReAct-loop. Idempotent cancel of terminal runs.
Run-to-run comparison at /agents/runs/compare
[Feature] Side-by-side recursive JSON diff with ADDED / REMOVED / CHANGED classification. Cross-agent guard prevents nonsense comparisons; metric deltas use green-better / amber-worse arrows.
30-case AI eval gate on every PR
[Compliance, Performance] Expanded from 9 cases to 30 hand-written golden cases across 7 task types: classifier, draft, stakeholder brief, risk analysis, compliance check, document Q&A, deal summary. Covers Gulf-corridor specifics (bilingual drafting, OFAC adjacency, MISA validity, ITAR USML categories, FCPA exposure). Builds fail on score regression.
Platform Capabilities Overview document refresh
[Docs, GTM] Print-ready single-page overview at /documents/Meridian-Platform-Overview.html updated for Trust Center, /onboarding, /help, agent UX layer, and the 30-case eval gate.
April 2026
Gulf-harvester sidecar in production
[Feature] Python 3.12 FastAPI + Playwright crawler deployed to a dedicated Railway service in both staging and production environments. Etimad, SPA, MISA, WAM, UAE MOE sources live.
Wave 2 paid enrichment online
[Feature] ProxyCurl LinkedIn, Newscatcher EN+AR, Crunchbase basic, and Magnitt MENA sources wired with per-org budget gating + the ENR-BRIEF2 schema covering role / influence / investment / activity / network signals.
Wave 1 free enrichment online
[Feature, Compliance] OpenSanctions 200-list screener, SEC EDGAR full-text, CourtListener litigation, GDELT global events, OpenOwnership beneficial-ownership sources wired.
Contact dossier tabs: Risk / Network / Activity / Audit
[Feature] Enrichment-aware contact UI surfaces sanctions exposure, network connections, recent communications, and audit trail.
March 2026
Public sub-processor list at /sub-processors
[Compliance, GTM] Standard data-processing addendum referenced from the page; 30-day notification for material changes.
Privacy Policy + Terms hardening for Google verification
[Compliance] Cross-border data-flow, Saudi PDPL, and CASA-deferral disclosures added. Standalone scrollable subpages that work around the landing-page custom scroll container.
Stripe failed-charge retry + grace period (PAY-01)
[Feature, Compliance] Dunning-aware billing state machine with idempotent per-incident notification map. Grace middleware gates writes during PAYMENT_PENDING / GRACE.
Stripe portal deep-link flows (PAY-02)
[Feature] One-click subscription, invoice history, and payment-method management via the Stripe-hosted billing portal.
February 2026
All four agents shipped at L0–L3
[Feature] Pipeline Scout, DD Analyst, Regulatory Navigator, Relationship Manager all running on real data with autonomy-level enforcement (AI-04) and per-org cost caps (AI-02).
AI eval gate (AI-01) with LLM-as-judge
[Compliance] Baseline of 9 hand-written cases across 4 task types. PRs that regress the score fail CI.
ReAct tool-use loop (AI-05) + semantic model routing (AI-06)
[Feature, Performance] Multi-step ReAct with hard step ceiling (default 12) and cost ceiling (default $1.00 USD). Semantic dispatch routes simple classification to Haiku, complex synthesis to Sonnet, vision to Gemini.
Prompt-injection defense (AI-03)
[Security] Untrusted input sanitization step before agent prompts; output policy-checked against deny list.
Multi-tenancy enforcement (SEC-01) + agent org scoping (SEC-05)
[Security] Centralized getOrgFilter + loadAuthUserFromDb. Cross-org leak tests pinned in CI for every entity model.
Hash-chain e-signature audit (SEC-02)
[Security, Compliance] Every e-signature event cryptographically anchored to the prior event. Tampering invalidates every subsequent signature.
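Added example (not Meridian's SEC-02 implementation): a generic SHA-256 hash chain over signature events, showing why editing one event breaks verification from that point onward. The event fields, the canonical serialisation, and the all-zero genesis value are assumptions of this sketch.

```javascript
// Added example: generic hash chain, not the product's actual scheme.
const { createHash } = require('node:crypto');

const GENESIS = '0'.repeat(64); // assumed anchor for the first entry

// Deterministic serialisation: keys sorted so equal events hash equally.
function canonical(value) {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Each link commits to the previous link's hash and to its own event.
function linkHash(prevHash, event) {
  return createHash('sha256')
    .update(prevHash).update('\n').update(canonical(event)).digest('hex');
}

function appendEvent(chain, event) {
  const prevHash = chain.length ? chain[chain.length - 1].hash : GENESIS;
  const entry = { event, prevHash, hash: linkHash(prevHash, event) };
  chain.push(entry);
  return entry;
}

// Returns -1 when the chain is intact, else the index of the first bad entry.
function firstBrokenLink(chain) {
  let expectedPrev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const { event, prevHash, hash } = chain[i];
    if (prevHash !== expectedPrev || hash !== linkHash(prevHash, event)) return i;
    expectedPrev = hash;
  }
  return -1;
}
```

Recomputing an edited entry's own hash only moves the break to the next entry; rewriting the entire tail would pass this check, so the head hash has to be pinned somewhere the writer cannot edit, which is the role an external anchor plays.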
Want to be notified?
Email announcements@meridianai.fyi and we'll add you to the monthly release-notes mailing list. Existing customers automatically receive in-app notifications for shipments that affect their tier.