Changelog

User-visible changes, newest first. Technical details live in the commit history.

Strava brand attribution + Help Center
  • new: Help Center. A real /help page with a table of contents, search, and how-to mini-articles for every feature (SSO, auctions, P2P, athons, scavenger hunts, text-to-give, Stripe Connect, parental consent, and more).
  • new: Strava brand attribution shipped. Required for Strava developer program approval. The Connect with Strava button now uses Strava's exact wording. Imported activities show a View on Strava link per row. Admin athon view source badges are clickable links back to strava.com. Powered by Strava attribution wherever Strava data is displayed.
  • new: Post-OAuth Strava activity picker. After connecting Strava, participants now see their last 7 days of activities and can import any one as a tracked log. Previously the OAuth completed but the import UI was missing.
  • new: Contextual help icons on admin form fields where the meaning isn't obvious (auction reserve price, athon verification mode, district scope, Stripe Connect status).
  • new: What's New callout on the dashboard so existing users can find features that shipped after their last visit.
SSO portfolio expansion + commerce hardening
  • new: Microsoft 365 / Entra SSO live. Multitenant. Cert-based client_assertion JWT (10-year cert, no client secret to rotate). Schools and districts on Microsoft can sign in with their work account.
  • new: ClassLink admin + parent SSO. Admin OAuth and parent-side SSO both live. Uses full scope (cascade /v2/my/info, /v2/my/profileinfo, id_token) so we can match parents to their kid's fundraiser.
  • new: District SSO playbook covering 5 providers (Microsoft, Google for Education, Clever, ClassLink, generic OIDC). Single SSO login gates the district dashboard.
  • new: Reserve price on auctions. Set a private minimum bid on any auction item. The auction won't auto-award if bids stay below reserve; you decide whether to award anyway, re-list, or cancel.
  • new: Text-to-give keyword admin UI. Set a per-org keyword from your Org Settings page. Donors text it to (515) 461-8728 and get a payment link back.
  • new: Multi-property SMS architecture. A single A2P 10DLC brand and campaign covers every StanHattie property. ScanRaise rides on the verified registration so messages don't get filtered as spam.
  • new: Commerce hardening: 4 confirmation emails (placed, shipped, delivered, refunded), atomic inventory (no overselling under load), abandon cleanup that releases held inventory after 15 minutes.
  • fix: Stripe Connect onboarding empty-email bug fixed. Eliminates the redundant pre-fill call that was breaking new merchant verification.
  • fix: Parental-consent grant now uses XFF first-hop+clamp (45 chars, IPv6-safe) so the audit log can't get hosed by a spoofed XFF header.
  • fix: Twilio webhook signature validation rebuilds URL from forwarded headers (Cloudflare/Railway proxy chain doesn't forward original Host header to Flask). Real Twilio inbound was 403'ing because the URL didn't match the HMAC input.
  • fix: Live page: switched QR library to qrcode-generator (the qrcode npm package has no UMD build); shows error immediately on first-load failure instead of waiting 60s; fixed overlapping overlays.
  • fix: Ticket QR security: check-in rejects raw ticket IDs, accepts valid signed QR tokens, accepts ID + email fallback, rejects ID + wrong email and forged tokens. Server-side HMAC verified on every check-in.
  • fix: OIDC multitenant validation correctly detects {tenantid} placeholder in discovery issuer for Microsoft /common/, /organizations/, and /consumers/ tenants.
  • fix: /start wizard auth panel now shows a "Sign in here" link for first-timers with an existing account. Hero CTA meta updated.
  • new: Cron-driven demo seed (/api/cron/seed-demo) so the public demo always has fresh, realistic data.
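
Illustration of the Twilio webhook fix listed above, as an added example that is not ScanRaise's code: Twilio's documented scheme for form-encoded POSTs signs the public URL plus the sorted parameters, so a URL built from the internal Host header cannot match. The header names X-Forwarded-Proto and X-Forwarded-Host, the host allowlist, the route and all sample values are assumptions, and the standard library stands in for Twilio's helper library.

```python
import base64
import hashlib
import hmac
from typing import Optional

def twilio_signature(auth_token: str, url: str, params: dict) -> str:
    """HMAC-SHA1 over the full URL plus sorted key+value pairs, base64-encoded."""
    payload = url + "".join(k + params[k] for k in sorted(params))
    mac = hmac.new(auth_token.encode(), payload.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def public_url(headers: dict, path: str, allowed_hosts: set) -> Optional[str]:
    """Rebuild the URL the sender called, using headers set by the edge proxy."""
    # Assumption: the proxy overwrites both headers, so clients cannot inject them.
    proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip()
    host = headers.get("X-Forwarded-Host", "").split(",")[0].strip().lower()
    # Pin scheme and host to known values instead of echoing header input.
    if proto != "https" or host not in allowed_hosts:
        return None
    return f"https://{host}{path}"

def is_valid_webhook(auth_token, headers, path, params, allowed_hosts) -> bool:
    url = public_url(headers, path, allowed_hosts)
    if url is None:
        return False
    expected = twilio_signature(auth_token, url, params)
    supplied = headers.get("X-Twilio-Signature", "")
    return hmac.compare_digest(expected.encode(), supplied.encode())

# Constructed sample request (token, host, route and numbers are made up).
TOKEN = "constructed-auth-token"
HOSTS = {"app.example.test"}
PATH = "/sms/inbound"
PARAMS = {"From": "+15550100", "To": "+15550199", "Body": "GIVE"}
HEADERS = {
    "Host": "10.0.0.7:8080",  # what the app sees behind the proxy chain
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "app.example.test",
    "X-Twilio-Signature": twilio_signature(
        TOKEN, "https://app.example.test/sms/inbound", PARAMS),
}
INTERNAL_URL = "http://" + HEADERS["Host"] + PATH  # the mismatching HMAC input
```

The allowlist matters as much as the rebuild: forwarded headers are only trustworthy when the app is unreachable except through the proxy that sets them.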
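
Illustration of the OIDC multitenant issuer check listed above, as an added example that is not ScanRaise's code: when the discovery issuer carries the {tenantid} placeholder, the expected issuer is built from the token's tid claim and compared exactly. The function names, the optional tenant allowlist and the sample GUIDs are assumptions, and the claims are assumed to come from a token whose signature has already been verified.

```python
import re
from typing import Optional

PLACEHOLDER = "{tenantid}"
GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

def expected_issuer(discovery_issuer: str, claims: dict) -> Optional[str]:
    """Return the issuer this token must carry, or None if tid is unusable."""
    if PLACEHOLDER not in discovery_issuer:
        return discovery_issuer  # single-tenant metadata: plain exact match
    tid = str(claims.get("tid", "")).lower()
    # Reject aliases such as "common" and anything that could alter the URL.
    if not GUID.fullmatch(tid):
        return None
    return discovery_issuer.replace(PLACEHOLDER, tid)

def issuer_ok(discovery_issuer: str, claims: dict, allowed_tenants=None) -> bool:
    """Exact issuer comparison, plus an optional allowlist of tenant GUIDs."""
    expected = expected_issuer(discovery_issuer, claims)
    if expected is None or claims.get("iss") != expected:
        return False
    if allowed_tenants is not None and PLACEHOLDER in discovery_issuer:
        return str(claims["tid"]).lower() in allowed_tenants
    return True

# Constructed sample values (tenant GUIDs are made up).
DISCOVERY = "https://login.microsoftonline.com/{tenantid}/v2.0"
TENANT_A = "11111111-2222-3333-4444-555555555555"
TENANT_B = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

def issuer_for(tenant: str) -> str:
    return f"https://login.microsoftonline.com/{tenant}/v2.0"

GOOD = {"iss": issuer_for(TENANT_A), "tid": TENANT_A}
MISMATCH = {"iss": issuer_for(TENANT_A), "tid": TENANT_B}  # iss and tid disagree
LITERAL = {"iss": DISCOVERY}                               # placeholder echoed back
ALIAS = {"iss": issuer_for("common"), "tid": "common"}     # alias, not a GUID
```

Matching the issuer against the template alone accepts any tenant, so a district-scoped login also needs the allowlist.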
Smartwatch fundraising scaffolding
  • new: Garmin Connect IQ submission. Direct integration scaffolded; awaiting Garmin's developer program reopening (currently paused on their side, no ETA).
  • new: COROS submission in flight.
  • new: Multi-size favicon.ico (16, 24, 32, 48, 64 px) for legacy-browser fallback.
  • new: Favicon link added to 103 HTML heads. /es/contact mirror page added. Sitemap entries refreshed.
  • fix: Audit log: clamp X-Forwarded-For to first hop and 45 chars (the same VARCHAR overflow class that hit parental-consent).
  • fix: Drop the "Submit your match request" employer-match CTA (it was misleading; we don't actually broker employer matches yet).
Spanish site is real now
  • i18n: Locale-aware nav, footer, hero rotator. One shared script detects <html lang="es"> and serves the right copy on every page.
  • i18n: /es/start wizard fully translated - step indicators, field labels, placeholders, error messages, resume-draft banner, submit button.
  • i18n: /es/donate and /es/d/{code} donation flow fully translated - amount buttons, donor fields, cover-fees checkbox, success states, athon pledge tabs.
  • i18n: /es/find search results UI translated; dynamic rows now render in Spanish.
  • i18n: /es/homepage hero gained the split layout with QR collage image, four trust chips, and proper CTA buttons to match the English version.
  • i18n: Accent sweep across every /es/*.html file - campaña, recaudación, términos, política, código, cómo, más, configuración, nadatón, caminatón, pruébalo, fácil, and more.
  • new: Homepage product line under the rotating hero headline: a clear one-sentence description of what ScanRaise is, for cold visitors who land before the rotator cycles.
  • new: Changelog (this page).
  • fix: Legal pages (terms, privacy, disclaimer, DMCA) now redirect /es/* → English; no more partial Spanish legal docs.
Bug sweep - friction removed from the primary funnel
  • fix: /start no longer hides behind a login wall. Anyone can fill out the wizard; auth only kicks in at submit, and your draft auto-restores after sign-in.
  • fix: /pricing now 301-redirects to the pricing anchor on the homepage instead of silently serving duplicate content.
  • fix: Fundraiser-not-found page now has two clear next actions - "Find My QR Code" and "Back to home" - instead of being a dead end.
  • fix: Custom donation amount now shows a visible "Up to $2,500 per transaction" hint instead of silently rejecting larger values.
  • fix: Duplicate footer rendering mid-page (footer.js was loading twice on some routes) - footer is now idempotent and waits for DOMContentLoaded.
  • fix: Competitive comparison row renamed from "QR codes" to "Per-person QR cards" - the new label is a defensible differentiator, the old one overstated the gap.
Recurring donations + Stripe Connect onboarding
  • new: Recurring donation management on the org dashboard - list active recurring gifts, cancel from one place.
  • new: Org settings page (/orgs/<id>/settings) with Stripe Connect onboarding CTA, bank-account status, and return URL fixes.
  • new: 12 org-type-specific roster CSV templates - schools, sports (rec + travel), boosters, dance, band, scouts, church, fire, robotics, veterans, default.
  • fix: Mobile hero now scales correctly at 480px and 860px breakpoints.
Full pentest pass
  • fix: Session management, rate limiting, strict CSP, admin moved to the admin.scanraise.com subdomain.
  • fix: 468 pytest tests passing. Zero console errors on key user flows.
Enterprise hardening - schools edition
  • new: SDPC registered (Student Data Privacy Consortium).
  • new: Clever SSO + ClassLink SSO live for K-12 districts.
  • new: District-level management + /for/district landing page.
  • new: COPPA/FERPA compliance and Next Insurance (GL + E&O) coverage.