What we shipped, and when.

Website

1. 27 May 2026 sutracrm.io

   Live demo, beta download, and contact request capture

   • The demo, beta download, and contact pages now take real submissions — CSRF-protected, spam-trapped, validated, and stored. Each submission emails the team and sends you an acknowledgement.
   • Admins triage submissions from a queue inside the site admin, with a full delivery log for every email sent.
   • Email runs on AWS SES. Admin sign-in gained a self-service password reset by email.

Product (demo.sutracrm.net)

1. 28 May 2026 Security

   Country access

   • Allow or block sign-in by country — set installation-wide by an admin and, optionally, narrowed per user. An empty list means no restriction; the app-wide rule is the outer boundary and each user can only tighten within it on their own Access tab.
   • The country is worked out from the sign-in address using a lookup database that runs entirely on your server — no third-party service, no API key. Install it with one click from Admin → Access (the free DB-IP IP-to-Country Lite database, refreshed monthly).
   • Lockout guards throughout: your current country is shown on every card, and saving a rule that would shut out your own location asks for confirmation first. Behind a reverse proxy, a trusted-proxies setting makes sure the visitor address — not the proxy — is the one checked.
2. 28 May 2026 Security

   Two-factor authentication

   • Add a second step at sign-in. Each user picks their own method: an authenticator app, a code emailed to them, or a code texted to their mobile — turn on as many as you like, and any one of them satisfies the prompt.
   • Single-use recovery codes are issued the first time any method is turned on and act as a universal fallback if you lose your device; they are shown once with Copy and Download. An optional “remember this device” skips the prompt on a trusted browser for 30 days.
   • Changing your password now always requires a verification code — from your authenticator if you have one, otherwise an emailed or texted one. Turning any factor on or off sends a security-alert email (never the code itself).
3. 28 May 2026 Integration

   Admin integrations — email + SMS

   • A new Admin → Integration home for outbound channels. Send email through a standard mail relay or Amazon SES, and text messages through Twilio. Each card has a test-send so you can confirm delivery before relying on it.
   • Credentials are stored encrypted in the database, not in config files. This is the shared home that two-factor email and text delivery plug into — and where the upcoming currency-rates key will live too.
4. 28 May 2026 M1.6b

   User account menu

   • The name chip in the topbar is now a real account menu: Profile, Settings (timezone preference), sign-in history, and a Security tab, alongside sign out. No more accidental logout from a single click.
   • Profile holds your display name and mobile number; sign-in history is a read-only audit of recent sign-ins (address, device, and time). The Security and Access tabs are where two-factor authentication and country access live.
5. 27 May 2026 M1.6

   One-click schema rebuild

   • Apply schema changes to your custom entities with one click from Admin → Rebuild — no more pasting a script into a database tool. It compares every entity to its table and creates tables, adds columns, and widens columns as needed.
   • Additive and safe by design: a rebuild never drops a column or table, so it cannot remove data. Deleting a field is metadata-only — the column stays, and nothing is destroyed, so there is nothing to revert.
   • Every change is recorded in a rebuild history with status, duration, and who ran it. If a step fails, the earlier ones stay applied and re-running Rebuild picks up only what is left.
6. 27 May 2026 M1.5.8

   Inline edit per card

   • Click Edit on any card (Identity, Address, System, etc.) and the card switches to a form in place. Save commits just that card’s fields; other cards stay in view mode.
   • AJAX swap means no page reload between view and edit. Dirty-state Save button (disabled until any field changes). Concurrent-edit guard rejects a save if someone else changed the record while you were typing.
   • SYSTEM panel becomes inline-editable for Owner + Assigned to. Bonus: user IDs across the rail (Owner, Assigned to, Created by, Modified by) now resolve to display names that link to the user’s record.
   • Activity stream now says "updated Identity" / "updated Primary address" instead of generic "updated this record" when the changes are all in one group.
7. 27 May 2026 M1.5.6

   Duplicate detection rules

   • Admins write per-entity dedupe rules from a new /admin/duplicate-rules surface. Match by Equals / Starts with / Contains / Ends with on one or more fields. Warn or Block on save.
   • “Save anyway” override on Warn rules captures an optional reason and writes an audit event. “Not a duplicate” pair exemption silences false positives without disabling the rule.
   • Live check fires as the user types — the same warn/block banner appears inline on debounced field-blur, before save.
   • Whitespace normalisation (trim + collapse internal runs) on every text field at save time, lowercase email, digits-only phone. Cleaner data overall.
8. 27 May 2026 M1.5.5

   Relationships system

   • One-to-Many, Many-to-Many, and Child-to-Parent relationships as first-class metadata. Admins define a relationship at /admin/relationships and the runtime generates both halves: a picker on the child form and a sub-tab on the parent detail page.
   • Built-in Account → Contacts / Opportunities / Cases links migrated through the same machinery. Picklist labels resolve in the field grids and activity diff lines (no more raw "IN" or "CA" stored keys).
   • ACL filtering on relationship reads — sub-tab counts and tables only show rows the viewer can see.
9. 26 May 2026 M1.5

   Entity Manager + Global Pick Lists

   • Build custom entities (Project, Task, anything) from the admin UI without touching code. Field editor supports varchar, textarea, picklist, number, currency, date, boolean, relationship.
   • Global Pick Lists at /admin/picklists: Country, State, Industry, Lead source, Priority. Cascade (state → country). Reuse across the app — one source of truth.
   • Address fields on Account / Contact / Lead now use Country + State picklists with cascade. No more free-text country strings.
10. 25 May 2026 M1.4.7

    Field-level audit + non-destructive restore

    • Every save writes a field-diff event to the Stream tab. Old → new value per field, picklist labels resolved.
    • Stream is append-only by convention — foundation for 21 CFR Part 11 (audit_logs already there).
    • Restore a previous save without losing the intermediate history. Each restore is itself an audit event.
11. 25 May 2026 M1.4

    ACL voter + role-based access

    • Per-entity, per-action access rules: own / team / all. Admin UI for roles. Query-level filtering on lists, voter checks on every POST.
    • UTC storage of all timestamps; the browser shifts to the user’s timezone client-side. User timezone preference persisted on the user record.
12. 24 May 2026 M1.3 + M1.3.5

    Detail enrichment + filter builder

    • Activity rail on every record. Live sub-tab counts on Account → Contacts / Opportunities / Cases.
    • Visual filter builder on every list view. Saved views per user.
13. 23 May 2026 M1.1 + M1.2

    Entity views + forms

    • Accounts, Contacts, Leads, Opportunities, Cases. Filter chips, sortable columns, sub-tabs, dense field grids.
    • Create + edit forms at /{entity}/new and /{entity}/{id}/edit. CSRF, validation, version bumps on update, currency / percent / date / picklist inputs.
14. 22 May 2026 M0

    Walking skeleton

    • Install wizard, kernel boot, DI container, session auth, dashboard, diagnose page.
    • Live at demo.sutracrm.net. Enterprise-style dense dashboard, blue module nav, hamburger drawer on narrow viewports.