Thursday, April 30, 2026
7 shipsChain integrity surfaced on /data-quality
Both nightly chain sweeps (audit log + money ledger) now have a status row on the data-quality dashboard. Operators see the verdict, the age of the last sweep, and the manual re-run command at a glance — no more digging through the audit log to confirm the cron held overnight.
Open dashboard →Nightly money-ledger integrity sweep
Companion to the audit-chain cron — runs at 03:45 UTC, walks every BillingEvent row, and verifies prior+amount=post, scope chain, and REVERSAL invariants. Fires ledger.chain_verified (heartbeat) or ledger.chain_break_detected (alarm). Subscribe at /app/settings/webhooks; manual re-run via npm run verify:ledger-chain.
Event catalog →Carrier-contact freshness gate
Auto-recon now holds dispatch when a carrier contact hasn't been verified in 90 days. Stops disputes from landing in a dead inbox after a quarter-end re-org. One click to re-verify, gate clears.
Review contacts →14-day-or-free guarantee — code-enforced
Tenant.activatedAt stamps on the first completed reconciliation. The guarantee verdict (met / active / breached) is now a code-enforced clock with a public admin endpoint, not a manual ops check. If activation slips past day 14, the credit-owed flag stays latched even if go-live eventually lands.
How it works →Auto-recon books the recovery to the ledger
When the inbound classifier confirms a carrier credit, the resolution now writes a CREDIT_APPLIED row to the BillingEvent ledger alongside the dispute close. The four-verb auto loop (drafts → sends → tracks → books) is now end-to-end real for tenants on auto mode.
Auto-recon settings →Member alias bridge — Q201 rename closure
When a carrier rotates a member's policy id AND their name normalization shifts in the same period, the matcher now bridges via MemberIdentityMap instead of splitting one human into two false-positive findings. Per-run learning loop accumulates rotations as they happen — your matcher gets smarter every cycle.
Webhook event catalog now lists 14 events
dispute.replied, invoice.parsed, invoice.parse_failed, billing_event.posted, audit.chain_verified, audit.chain_break_detected, ledger.chain_verified, ledger.chain_break_detected — all live, all signed, all retried with exponential backoff.
Event catalog →Wednesday, April 29, 2026
12 shipsData-quality dashboard
Six diagnostics surface what's invisibly broken: carriers missing a contact email, invoices below 70% parse confidence, enrollment older than 30 days, members lacking external IDs, disputes past SLA, and webhooks failing in the last week. Empty states return a green "clean" pill so you know the check ran and the workspace is healthy.
Open dashboard →Invoice viewer + flat invoice list
Every CarrierInvoice now has a canonical detail page — source metadata, line-sum sanity check, audit-run history, disputes filed, and the parsed line items. The flat list at /app/invoices surfaces invoices that ingested but never ran (previously invisible), with no-run / low-confidence / with-findings filter pills.
Browse invoices →Enrollment "what changed" diff
Compare the two newest enrollment snapshots: who joined, who termed, and whose tier / plan / coverage end / expected amount changed. Member matching prefers external ID and falls back to name+SSN-last-4 hash; unmatchable rows are flagged rather than silently dropped.
Open diff →Audits + disputes index — filters, scope, CSV export
Audit list gains date-range tabs (30/90/180/all), a findings-only toggle, a per-carrier dropdown, a disputes pill on each row, and CSV export that honors the filters. Disputes index gains a Stalled tab (open + no operator action in 14 days) and matching CSV export.
Open audits →Sign-in activity feed
Every successful login is audit-logged with factor count and IP. Tenant admins see the whole tenant's history; everyone else sees their own. SOX-deliverable.
Open the log →Audit ledger CSV + JSON export
Owners and admins can download the full chain-hashed ledger. RFC 4180 columns are stable so external auditor scripts can hard-code positions. Hash + prevHash columns travel with the export so verifiers work offline.
Audit ledger →Onboarding checklist
New tenants land at /app and see a six-step path to first value: account, carrier, census, invoice, recon, outcome. Self-correcting — derives from actual state, no stored progress flag.
Overview →Audit chain integrity verifier
On-demand button on the audit ledger page walks every row and confirms the SHA-256 chain. Nightly cron re-runs across all tenants and surfaces any break in console-log alerting. Pure verifier with 7 pinned regression cases.
Verify chain →Broker recovery-accounting report
QBR generator: per-client recovered$, dollar-weighted win rate, dispute-weighted MTTR, top-3 carriers. None of the direct competitors markets this angle — recovery accounting was a wedge gap.
Open report →Public API + webhook reference
Authentication, rate limits, error format, pagination, endpoint catalog, HMAC signature verification, Slack/Teams behavior, manual retry — all documented. Stop hiding behind 'contact sales.'
Read the docs →Slack + Microsoft Teams as webhook targets
Paste an incoming-webhook URL — we detect the channel and translate each event into Block Kit (Slack) or MessageCard (Teams) automatically. No schema change required. Ops gets dispute SLA breaches in their channel.
Add a webhook →TOTP MFA — opt-in or tenant-required
RFC 6238 second factor with QR enrollment, backup codes, and a tenant-policy toggle that requires MFA for every user. Login flow detects mfaEnabledAt and routes through /login/mfa. Compatible with Google Authenticator, 1Password, Authy.
Enable MFA →Tuesday, April 28, 2026
7 shipsDiscrepancy category × carrier heatmap
Third report in the carrier-analysis trio (scorecard / trend / heatmap). Surfaces the shape of error per carrier — which kind of mistake that carrier specifically makes. 90-day window so it stays current.
Open the heatmap →Manual webhook delivery retry
Operators can re-fire a failed delivery from the log viewer using the EXACT original payload + signature. Receivers depending on idempotency keys correctly treat it as a duplicate.
Webhook log →Daily ops digest email
Opt-in 24-hour summary delivered every morning at 14:00 UTC. Subject leads with the highest-stake number — breaches > high-sev findings > generic > quiet. Quiet days suppress entirely.
Set recipients →Carrier × month trend grid
12-month at-a-glance matrix. Cell-by-cell billed total + dispute count + finding count. Sticky carrier column on the left, sticky total on the right.
Open the trend →GL CSV export — QuickBooks Online + NetSuite
Discrepancies emit balanced debit/credit pairs in the format your accounting tool expects. Per-tenant chart-of-accounts override so the export lands directly on your real account ids — no manual remapping at import.
Configure GL →Per-carrier scorecard
Dispute outcomes by carrier — win rate (closed-only), avg days to resolve, SLA breach rate, dollars at risk. Sorted by problem-magnitude descending.
Carrier scorecard →Dispute SLA breach cron + webhook
Daily sweep marks disputes past slaDueAt and fires dispute.sla_breached webhook (with the column flip BEFORE the webhook so a delivery failure can't cause a re-fire). Disputes list gains an 'Overdue' tab.
Saturday, April 18, 2026
2 shipsFuzzy member matcher
Member identity persists across SSN rotations, name changes, and typos via signal scoring (SSN / DOB / name nickname expansion). EXACT / HIGH / REVIEW / NONE decision tree with audit trail.
Retroactive enrollment + reversal/reinstate flows
180-day retro window with idempotency on sourceRef. NSF + reinstate paths on top of the BillingEvent ledger. The Q202 add → term → reinstate scenario closes cleanly.
Friday, April 17, 2026
2 shipsAppend-only BillingEvent ledger
Tamper-evident, period-close gated, with priorBalance/postBalance chaining. Pairs with the chain-hashed AuditEvent ledger for ERISA-defensible recovery evidence.
Recon money math migrated to @velora/money
Eliminates 'phantom $0.07' disputes from JS-number accumulation drift. 5,000 × $0.07 = $350.00 exact, not $350.07.