What's new

Recent ArrowISE releases. We ship every week or two; sub-feature improvements aren't always logged here.

Trust + correctness — Stripe Tax, cross-org contract, workflow revert, BAA template

Five changes that compound on the May-4 push:

  • Stripe Tax. Checkout now computes sales tax automatically based on the billing address. Required for software-taxable states (TX, NY, WA, AZ).
  • Import tier-cap pre-flight. The QuickBooks import bridge enforces tier arrangement limits before mutation. No more accidental over-cap imports.
  • Cross-org contract test suite. A new npm run e2e:cross-org command probes every authenticated path-id endpoint and asserts the 404-on-unknown contract. Locks the multi-tenant promise as code, not claim.
  • Workflow revert with required reason. Reviewers can now send arrangements back from review with a 10–500 char reason field. Prior path was admin-side direct DB edits.
  • Subprocessor list + BAA template. Two new public pages (/subprocessors, /baa-template) for procurement files. The BAA template documents the no-PHI architecture for offices that nonetheless require a signed form.

Arrangement editing — close the daily-use gap

Admins and compliance officers can now edit arrangements after creation — title, type, status, compensation, dates, applicable Stark exception, FMV opinion fields. The edit dialog opens from the arrangement detail page; every change extends the tamper-evident audit chain so you can always reconstruct who changed what and when.

Status changes to terminated or expired still go through the workflow advance — those have notification + board reporting side effects the bare edit deliberately skips.

Cmd-K command palette

Press ⌘K (Mac) or Ctrl-K (Windows / Linux) on any dashboard page to search across arrangements, physicians, and the public DOJ enforcement-case database. Results group by type; arrow keys + Enter open. Mobile users tap the search icon in the header.

Mobile-responsive dashboard

All nine dashboard surfaces now render correctly down to 360px — slide-in sidebar, full-screen modals, table rows that collapse to cards, 44×44 touch targets. The audit-log timeline is a first-class mobile experience because the subpoena moment is when a CCO is most likely on their phone.

Subscription billing & tier enforcement

Stripe checkout, customer portal, and webhook-driven tier transitions are live. Free-tier orgs are read-only after trial; tier-gated capabilities (FMV Sentinel, Safe Harbor validation, audit export) return a structured 403 with an upgrade-to-Starter call to action.

The sidebar tier badge surfaces your plan on every page; a persistent banner appears if your subscription falls past due.

Audit-log timeline — make the moat visible

Every arrangement gets a chronological audit-log timeline accessible from the detail page. Each state change shows the actor, version transition, and the truncated SHA-256 hash that anchors it. The chain integrity banner verifies the previous-hash → current-hash chain on every read; a "Re-verify chain" button forces a fresh check. Patent pending on the cryptographic ledger architecture.

Append-only audit + DOJ enforcement reference

Postgres triggers now block hard deletes against the arrangements table — only soft-delete via deleted_at is permitted, and every soft-delete extends the SHA-256 hash chain. The 21-case DOJ Stark/AKS enforcement database powers a public reference index plus an enforcement-case card on the Risk tab when a matching case exists for the current arrangement.
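
The previous-hash → current-hash verification and the soft-delete chain extension described in the two sections above, as an added sketch that is not ArrowISE's code. The entry fields, the all-zero genesis value and the JSON serialization are assumptions made for illustration.

```javascript
// Added illustration; field names and hashing layout are assumptions, not ArrowISE's schema.
const { createHash } = require("node:crypto");

const GENESIS = "0".repeat(64); // assumed previous-hash value for the first entry

// Hash the previous hash together with a fixed-order serialization of the entry.
function entryHash(prevHash, e) {
  const body = JSON.stringify([e.arrangementId, e.actor, e.action, e.fromVersion, e.toVersion, e.at]);
  return createHash("sha256").update(prevHash).update("\n").update(body).digest("hex");
}

// Append-only: a new entry always commits to the current tail of the chain.
function append(chain, e) {
  const prevHash = chain.length ? chain[chain.length - 1].hash : GENESIS;
  const entry = { ...e, prevHash, hash: entryHash(prevHash, e) };
  chain.push(entry);
  return entry;
}

// Verify-on-read: recompute every link and report the first index that fails.
function verifyChain(chain) {
  let prev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const e = chain[i];
    if (e.prevHash !== prev) return { ok: false, brokenAt: i, reason: "prev-hash mismatch" };
    if (entryHash(prev, e) !== e.hash) return { ok: false, brokenAt: i, reason: "content hash mismatch" };
    prev = e.hash;
  }
  return { ok: true, brokenAt: -1, reason: null };
}

// Truncated form for display in a timeline; verification always uses the full hash.
const shortHash = (h) => h.slice(0, 12);

// Constructed sample history: create, edit, then soft-delete (deleted_at set, row kept).
function sampleChain() {
  const chain = [];
  const base = { arrangementId: "arr_1" };
  append(chain, { ...base, actor: "admin@example.test", action: "create", fromVersion: 0, toVersion: 1, at: "2025-01-01T10:00:00Z" });
  append(chain, { ...base, actor: "cco@example.test", action: "edit", fromVersion: 1, toVersion: 2, at: "2025-01-02T10:00:00Z" });
  append(chain, { ...base, actor: "admin@example.test", action: "soft_delete", fromVersion: 2, toVersion: 3, at: "2025-01-03T10:00:00Z" });
  return chain;
}
```

Rewriting one entry and recomputing its own hash still fails verification at the next entry, whose prevHash no longer matches; removing an entry fails the same way.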

Resilience layer — Sentry, Slack, rate limits, daily digest

Sentry application-error capture with PII scrubbing; Slack alerts for cron failures, hash-chain violations, MCP auth-failure spikes, and rate-limit exhaustion; Upstash-backed sliding-window rate limits across public, MCP, and authenticated endpoints; daily digest email cron that fires at 7am Central. Notification preferences are per-user.