The journal

What’s shipping across the studio, in the open.

Dated entries from the live ventures, newest first. Each entry links to the venture brief for the full current snapshot — roadmap, stack and stage.

Latest entries

Studio log.

One line per change, tagged with the venture it belongs to.

AdoptDontShop 1 Jul 2026

API reliability; session tokens hardened; cold-start fix.

A full review of the API gateway contract closed edge cases where some list endpoints mis-serialised array data, some DELETE and POST routes rejected valid requests, and the top picks endpoint returned malformed responses — all 939 gateway tests now pass and the interactive API docs at /docs accurately reflect every endpoint. Refresh tokens are now stored as one-way hashes; a database exposure can no longer replay an active session. The adopter portal, rescue dashboard and admin panel no longer return errors for around 40 seconds after a cold boot — all three now wait for the gateway to be healthy before serving.

AdoptDontShop 30 Jun 2026

Rescue events; live analytics data; profile update fix.

Rescues can now create, publish and manage their own events — adoption days, fundraisers, volunteer sessions and community meetups — with attendee registration, check-in and capacity tracking built in. The rescue dashboard analytics page now shows real-time figures for adoption trends, application status, pet performance and top breeds; the previous placeholder data has been removed. A bug that silently dropped profile updates has been fixed — account changes now save correctly.

AdoptDontShop 30 Jun 2026

Security: password-reset and verification links hardened.

The one-time tokens inside password-reset and email-verification emails are now stored as SHA-256 hashes on the server. A database read alone can no longer produce a valid link to take over an account.

AdoptDontShop 29 Jun 2026

Analytics reports: save, schedule and share. Policy and application security fixes.

Rescue analytics reports can now be saved with a name, re-run to pull live figures, scheduled for recurring delivery and shared with team members. A bug preventing changes to a rescue’s adoption policy from saving has been fixed. Adoption applications now derive the applicant’s identity strictly from their authenticated session — a crafted request can no longer submit an application as a different user.

AdoptDontShop 22–23 Jun 2026

Admin panel: triage inbox, bulk pet management, privacy tools and staff visibility.

A wave of admin improvements: moderation reports and support tickets now land in a single filterable, sortable triage inbox, making platform health easier to manage in one view. Admins can bulk-update pet listings and manage pets across every rescue from one place. A new privacy tools panel lets administrators export a user’s personal data and schedule account deletion. The Rescue detail Staff tab surfaces current staff and pending invitations at a glance. Several previously broken actions — rescue dashboard analytics, rescue detail controls, support ticket assignment and staff management — have been restored.

Pairflix Jun 2026

Watch on Netflix, Prime or Disney+ — one tap away. Picks now tracked.

The TonightPicker recommendation card now shows deep-link buttons for every streaming platform a title is available on — tap to open it directly in the app, no searching required. Every recommendation now records whether the household accepted it, swapped it out, or dismissed it. Per-household 30-day stats surface your first-pick acceptance rate and a breakdown by platform.

AdoptDontShop 23 Jun 2026

Account sanction notices; application drafts now autosave.

Adopters and rescue users with an active account sanction now see a clear banner explaining it, which they can acknowledge. In-progress adoption applications save automatically as you fill them in and can be resumed later — this also fixes a bug that had silently broken pre-filling new applications from your saved details.

AdoptDontShop 22 Jun 2026

Rescue dashboard: bulk application actions restored.

Approving, rejecting, withdrawing or advancing the stage of one or more applications at once had stopped working for rescue staff. Both bulk and single-application actions are now working correctly again.

AdoptDontShop 20 Jun 2026

Personalised pet recommendations; faster applications.

A new Top Picks page — and a refreshed home page — surfaces personalised pet recommendations ranked by your match preferences, each with a plain-language reason for the suggestion. New adoption applications now pre-populate from your saved details, and those defaults update automatically as you apply. Separately, a bug preventing rescues from saving changes on their dashboard Settings page has been fixed.

AdoptDontShop 19 Jun 2026

Security: inline styles removed from CSP. Full API documentation published.

The frontend’s Content-Security-Policy no longer permits unsafe-inline for stylesheets, closing a CSS-injection vector; a CI guard now blocks any regression. Every route across the application and document lifecycle now declares its contract in the interactive API docs at /docs, for integration partners and SDK generators.

AdoptDontShop 18 Jun 2026

Staff invitations, 2FA, pet favourites and custom application questions.

Rescue staff can now accept email invitations to join their organisation — the invite link creates or connects an account and grants team access automatically. Accounts can enrol in two-factor authentication (TOTP); once enabled, a one-time code is required at every sign-in. Adopters can save favourite pets and return to them at any time. Rescues can add their own screening questions to the adoption application form, with answers captured on submission.

AdoptDontShop 18 Jun 2026

Security: high-severity vulnerabilities patched; production images pinned.

Two CVE-grade advisories — an arbitrary file read risk in the email delivery library and a TLS certificate validation bypass in HTTP transport — have been resolved. All production container images are now pinned to immutable content digests; a CI gate blocks any unverified image from deploying. Automated audit reports zero high-severity findings.

AdoptDontShop 17 Jun 2026

Login restored after gateway migration.

Following the switch from the legacy monolith to the new Fastify API gateway, the adopter portal had an auth contract mismatch that prevented users from signing in. The contract is now aligned — login works correctly end-to-end across the adopter portal, rescue dashboard and admin panel.

AdoptDontShop 17 Jun 2026

Adopters can now update their own notification preferences.

A permissions gap meant adopters could not save changes to their notification settings without triggering an authorisation error. Each account can now update its own channel preferences — in-app vs. email, per notification type — without requiring a staff intervention.

AdoptDontShop 16 Jun 2026

Auth security hardening.

Registration no longer reveals whether an email address is already in use — your privacy is protected regardless of account state. New accounts now require email verification before becoming active. Signing out a device or resetting your password immediately invalidates all related access tokens; previously issued tokens can no longer be replayed.

AdoptDontShop 16 Jun 2026

Data isolation, notification opt-outs and infrastructure reliability.

Applications are now strictly scoped to the adopter who submitted them; pet listings are correctly isolated to the managing rescue — no cross-organisation data access is possible. Email notification opt-outs are enforced per notification type, so opting out of one category doesn’t affect others. A dead-letter queue now captures any background event that fails processing, eliminating silent data loss.

AdoptDontShop 15 Jun 2026

Email notifications live.

Adopters and rescue staff now receive application updates, new messages and rescue decisions by email as well as in-app. Each account’s saved channel preferences are enforced at send time — if you’ve opted out of email for a notification type, it stays in-app only. A deduplication guard ensures each alert arrives exactly once.

AdoptDontShop 15 Jun 2026

Microservices migration complete. Security hardening pass done.

All ten domain services now run as independent containers — the legacy monolith is deleted. Separately: all high-severity findings from an automated static-analysis security audit have been resolved, and the API documentation page is now gated behind admin credentials. The platform is closer to closed beta readiness.

AdoptDontShop 25 May 2026

Roadmap re-baselined to closed beta Aug–Sep 2026.

Original §15 beta target (Q4 2025) was missed. The May 2026 re-baseline replaces it with seven sequenced milestones: legal foundation, data protection package, platform hardening, closed beta, trust & safety, payments & commercial, and public launch in November. Demand signal preserved — 5 lister LOIs and a 1,000+ adopter waitlist carried in.

AdoptDontShop 25 May 2026

Sprint focus published.

Rescue profile builder (drag-and-drop, three columns) live in staging. Geographic search by postcode in review. 6-step application workflow in design. Welfare-incident reporting from the adopter side next.

AdoptDontShop 25 May 2026

Scope cuts logged.

Three features dropped on purpose: a rescue ratings system (against principle), an adopter “wishlist” (animal-as-listing — no thanks), and premium rescue placements (the £40k cheque we turned down).

AdoptDontShop 26 Apr 2026

Proposal moved to In Build.

The ADS proposal cleared the gate and is now an active venture on the studio platform. Stack locked: React + Vite + TypeScript, Node + Express + Sequelize, PostgreSQL 16 + PostGIS, Redis 7, Socket.io, Turborepo. Lead: Alex Jenkinson.

AdoptDontShop 26 Apr 2026

Alpha feature-complete.

Six engineering milestones standing: monorepo + Docker dev stack, JWT auth + rescue registration, pet listings with staff permissions + photo upload, adopter browse/filter/like flow, real-time messaging on Socket.io, and Docker dev + prod environments. Closing 18 open issues + QA pass before handing off to compliance.

Pairflix Apr 2026

Early alpha state captured.

Platform stack standing — three apps (client, admin, backend), JWT auth, watchlist + partner matching, TMDB integration, TypeScript strict mode, full test suite passing, multi-stage Docker builds behind Nginx. No public users yet; matcher and partner-pairing UX in flight before opening a closed alpha.

Operating principles · Journal

How this page is kept honest.

Within 24 hours

Every shipped feature gets a changelog line within twenty-four hours of going live.

Customer-facing language

Written for the people who use the product, not the engineers who built it. No commit-message jargon.

Workflow-breaking only

Bugs noteworthy enough to break a workflow get listed. Trivial fixes don’t clutter the page.