v3.3.6 6 February 2026 Improvement Feature

Admin Bug Reports Redesign, Policy Hardening, Contact Page

Admin Bug Reports — Stripe-Grade Redesign

The bug report detail pane was a single scrolling column where the admin notes composer could scroll out of view. Redesigned as three fixed zones so context and actions are always visible.

Three-Zone Detail Panel

  • Command bar (pinned top) — title, severity badge, clickable status pill, copy/delete/close actions
  • Scrollable content (flex-1) — tab bar + tab content, only this zone scrolls
  • Composer dock (pinned bottom) — always-visible input with inline submit button

Tab Bar Replaces Accordions

Browser context and API call logs were collapsible accordions buried in the scroll area. Replaced with a proper tab bar between the command bar and content area.

  • Summary — description, meta grid (reporter, org, page, submitted), activity history
  • Browser — browser context JSON (only shown if data exists)
  • API — API call list with status codes, methods, paths, and timing (only shown if data exists)

Tabs are conditionally rendered — Browser and API tabs only appear when the report contains that data.

Event-Style Admin Notes

Admin notes were a mutable textarea with “Saved”/“Unsaved changes” state, which felt like editing a database field. Redesigned as an event-style update system.

  • Existing notes display as a read-only activity block in the Summary tab
  • Composer dock has an empty textarea that clears after each submission
  • Each update is timestamped and appended to the notes history
  • Button says “Add” not “Save Notes” — positioned inline inside the textarea
  • No “Saved”/“Unsaved” state text — just the button appearing when you type

Search Bar Removed

Removed the duplicate search input from the bug reports header. The sidebar OmniSearch (⌘K) already handles global search across all admin pages.

Visual Polish

  • Reduced border noise — list dividers use border-edge-subtle, single border between list and detail panes
  • Action icon hit targets — hover:bg-surface-hover rounded-md instead of colour-only hover
  • Status pill accessibility — aria-expanded, aria-haspopup, focus:ring-2
  • Composer dock depth — subtle top shadow to visually lift from content
  • Meta grid spacing — wider horizontal gaps for scannability
  • Description width — capped at 65ch with relaxed line-height

Policy Pages — Security Review & Hardening

The security and sub-processors pages were reviewed against a formal policy audit checklist and updated to close coverage gaps.

Security (/security)

New sections:

  • Data Handling — explicitly states what we store and what we don’t. No banking credentials or card numbers. Stripe handles all payment processing. Customer data never used for testing.
  • Key Management — cloud KMS, key rotation, secrets outside source control, per-environment credentials.
  • Environment Separation — production, staging, and development fully isolated. No production data in non-production systems.
  • Data Retention — 90-day grace period after cancellation for export and recovery, then permanent deletion. HMRC record-keeping obligations are the account holder’s responsibility.
  • Compliance & Standards — honest posture. GDPR compliant, auditable controls, explicitly states we do not hold ISO 27001 or SOC 2.

Tightened wording: “assume breach scenarios during design”, JWT refresh tokens and HTTP-only cookies clarified, rate limiting scoped as baseline per-endpoint, Argon2id parameters specified, coordinated vulnerability disclosure language, Zod + Fastify JSON Schema validation specifics. Cross-linked Transparency page from Incident Response.

Sub-processors (/sub-processors)

  • Fixed AWS SES location from EU (eu-west-2) to London, UK (eu-west-2)
  • Added data processing agreement language to sub-processor description
  • Added support@speybooks.com contact for objections
  • Updated UK Data Residency box to reference “UK and EU-based infrastructure”

Cookies (/cookies)

Passed audit cleanly. No changes required.


Contact Page (New)

New page at /contact providing direct communication channels.

  • Email channels — General/Support and Security reporting, each with expected response times
  • Elsewhere — GitHub and LinkedIn as interactive cards with hover states
  • Company details — SpeyTech Ltd, Scotland, with cross-links to Privacy, Security, Sub-processors, Transparency, and Changelog

No contact form. No phone number. No live chat widget. “No chatbot. No ticket queue. Just email.”


Email Forwarding

Configured support@speybooks.com to forward to william@fstopify.com via Namecheap email forwarding. Removed the unused SES inbound MX record that was blocking the setup. SES outbound sending is unaffected.


Changelog Page — Layout Fix

Removed max-w-xl constraint from manifesto paragraphs so they align with changelog entry content width below.