Week of May 3–9, 2026

This week at a glance

A focused week on Overwatch’s collision-avoidance analytics — a new COLREGS Rule 17 deviation flag now lights up on pairwise encounters where a vessel with high stand-on probability makes a meaningful course change during the risk window, surfacing maneuvers that, under the rules of the road, are only authorized when the give-way side has clearly failed to keep clear. A new monthly NOAA-backed per-port water density refresh feeds directly into the hydrostatic cargo validation pipeline so freshwater-vs-saltwater displacement corrections stay accurate per port. Overwatch also restored the SAR chokepoint confirmation and AIS downsampling pipelines so chokepoint transit confirmation and long-term position retention are once again current, hardened the pairwise encounter ingestion path so growing encounter volume no longer trips the database statement timeout, and brought course-alteration anomaly detection live in production for the first time — the detector had been wired into a path the production worker never executed, so the unified alerts inbox and the matching Alert Rule Builder template had been silently empty until this week. A production sweep tightened webhook URL validation on alert channels, retired stale crons pointing at deleted Edge Functions, taught the course-alteration worker to raise its own worker_inactive alert when input dries up, and stopped the Codex envelope coverage dashboard refresh from timing out on tables above one million rows. 
Layer also picked up a sizeable feature lift on the dashboard — asset management with manual entry, CSV import (up to 1,000 rows), and reusable cost-rolled-up bundles for one-click provisioning to a user; three new SaaS-discovery connectors (Microsoft Teams, Atlassian, and Workday HRIS, the platform’s first dedicated HRIS source); a new Gmail Receipt Scanner so SaaS receipts surface as Layer assets via the standard sync route; an upgraded GitHub connector that now emits per-org-member users with last-active timestamps and a separate Copilot License asset per active assignment; and SaaS apps automatically surfaced on the integrations inventory from third-party OAuth grants detected by the Google Workspace and Microsoft Entra ID syncs. Layer also shipped a security hardening pass on the dashboard’s Content-Security-Policy, rolled back the HSTS preload directive on the dashboard and Drift until subdomain HTTPS verification is complete, polished dashboard tables so nested controls and out-of-range pagination no longer misbehave, hardened the public API proxy and the post-login next redirect against open-redirect and prefix-match payloads, gated Plans and billing endpoints behind admin and owner roles on both Layer and Drift, synced Drift team invites and role changes into trusted Supabase app_metadata so server-side authorization reads from a single tamper-resistant source, repaired Drift’s Load sample data action so demo workspaces seed cleanly on first click, scrubbed PII from production Sentry error reports across both apps, repaired the dashboard login page’s third-party sign-in entrypoint to run the Supabase Google Workspace OAuth handoff, required provider-authenticated webhooks before committing virtual-card balances, and shipped a marketing-page mobile fix. 
Locus extended the same security-header pass across the authenticated app, restored POI collection to its 6-hourly cadence, scheduled APRS backfills for three zero-coverage tables, picked up a PWA manifest plus mobile and SEO polish, and HTML-escaped place names in free-report confirmation emails. Overwatch and Axiomancer landing surfaces picked up branded OpenGraph cards, robots.txt, and sitemap.xml, and Axiomancer rolled back a mid-week mobile-optimization pass that had regressed the desktop hero, engine, footer, and platform-reel layouts. Drift tightened its production CSP and IP-attribution path. Locus and Codex repaired the RouteShift entry in the cross-product navigation bar so it points to the live routeshift.io domain.

New features

  • Overwatch: Rule 17 deviation flags on vessel-to-vessel encounters. Each pairwise encounter now carries per-vessel max_course_change_deg and rule17_deviation fields. The flag fires on a vessel whose mean stand-on probability across the encounter window is at least 0.6 and whose maximum single-step course change during the window is 10° or more — the geometry of a stand-on vessel taking unilateral evasive action that COLREGS Rule 17 only authorizes when the give-way vessel has clearly failed to keep clear. Useful for surfacing unannounced maneuvers, attributing close-quarters action to the correct party, and cueing forensic review on encounters where the rule-of-the-road expectation and observed behavior diverge. The companion course-change magnitude is recorded directly on the encounter row so analysts can verify the trigger without replaying AIS.
  • Overwatch: Per-port surface water density now refreshes monthly into the cargo validation pipeline. US ports use NOAA CO-OPS real-time temperature with climatological salinity (confirmed coverage at New Orleans, Houston, Baltimore, Norfolk, and Los Angeles), and a country- and water-body-aware climatology covers international ports — including extreme overrides for Arctic, Persian Gulf, Red Sea, Black Sea, and Hormuz waters. Density is computed via the UNESCO-80 seawater equation of state, stored at H3 resolution 8 with the underlying source identifier, and used directly in the displacement step of hydrostatic cargo estimates so freshwater-vs-saltwater corrections are accurate per port without manual tuning.
  • Layer: Asset management ships in the Layer dashboard. Create assets manually, bulk-import up to 1,000 rows from CSV, and group recurring provisioning into reusable asset bundles with a cost rollup and one-click assignment to a user. Useful for laptop-plus-license starter kits and any other repeatable allocation that previously required clicking through individual assets.
  • Layer: Four new SaaS-discovery connectors land on the integrations catalog: Microsoft Teams discovers Teams itself as a SaaS app and surfaces per-user activity from team membership, Atlassian emits a separate SaaS app per Jira / Confluence / etc. product with per-user last-active timestamps, Workday HRIS ingests paginated workers with department, cost center, and termination dates (Layer’s first dedicated HRIS source for headcount and offboarding signals), and Notion emits the connected Notion workspace as a SaaS app and inventories every workspace member as a Layer user via OAuth, so Notion seats roll into access reviews and offboarding alongside the rest of the stack.
  • Layer: Gmail Receipt Scanner is now available for Layer. Receipts surfaced from Gmail and Microsoft 365 mail flow into the dashboard as Layer assets via the standard sync route, with a 12-month initial scan window so a fresh connection backfills the last year of SaaS receipts on first sync.
  • Layer: The GitHub connector now emits a User per organization member alongside the SaaS app, with last-active timestamps from the org audit log and a separate Copilot License asset per active assignment so Copilot seats appear directly in license inventory and access reviews.
  • Layer: The GitHub connector now also emits a Team asset per GitHub team within each connected org, alongside membership and repository relationships — every team member surfaces with a MemberOf relationship to its team, and every repository the team has access to surfaces with a GovernedBy relationship. Useful for spotting overprovisioned teams during access reviews, tracing repository access back to the team that grants it, and feeding offboarding when a departing employee belongs to multiple teams. Sub-fetches are fail-safe per team, so a single inaccessible team no longer blocks the rest of the sync.
  • Layer: The JumpCloud connector now emits a SaaS app per distinct application surfaced in the trailing 30 days of SSO events, a Uses relationship per user→app pair (deduped, with the most recent timestamp preserved), and MemberOf relationships for every user group it discovers. Surfaces JumpCloud-managed seats in the integrations inventory and feeds access reviews and offboarding alongside Okta and OneLogin, with no additional API calls beyond the existing user and event fetch.
  • Layer: The Google Workspace and Microsoft Entra ID connectors now emit a SaaS app per third-party OAuth grant detected during sync, so apps connected with “Sign in with Google” or “Sign in with Microsoft” show up in the integrations inventory automatically without a separate connector for each one. Both sides also record a per-user Uses relationship for every grant — with the approved scopes attached on the Google Workspace side — so each shadow app surfaces with the employees who actually consented to it attached for follow-up.
  • Layer: The OneLogin connector now emits a SaaS app per application in the OneLogin catalog and a per-user assignment for every user→app pairing it discovers, so OneLogin-managed seats roll into the integrations inventory and feed access reviews alongside Okta. Connections without the Manage Users scope continue to sync the catalog; granting the scope unlocks the assignment data automatically.
  • Layer: The Okta connector now emits a SaaS app per Okta-managed application and a per-user assignment for every user→app pairing it discovers, with assigned_at timestamps. Surfaces which Okta-managed apps each employee actually has access to in the asset inventory, so dormant accounts and oversized license footprints show up directly in access reviews without manual cross-referencing.
  • Layer: The JumpCloud connector now emits a SaaS app for every distinct application discovered in the trailing 30 days of SSO events, with a per-user Uses relationship for every employee who actually signed in to that app. User-group membership is also inventoried as a per-user MemberOf relationship, so JumpCloud-managed apps and group memberships flow into the integrations inventory and feed access reviews and offboarding without a separate import. No new permissions are required — the depth comes from data the connector was already fetching.
  • Layer: The Jamf, Intune, and Kandji connectors now inventory every application installed across the managed device fleet. Each discovered app lands as a SaaS app in the integrations inventory with an installed on relationship to the devices running it, so unmanaged or out-of-procurement installs surface alongside the device record and feed access reviews and offboarding automatically. Jamf and Kandji pick up the new inventory with no permission change; Intune requires the DeviceManagementManagedDevices.Read.All Graph permission to enumerate detected apps and continues syncing devices unchanged when it isn’t granted.
  • Layer: The JumpCloud MDM and Level.io connectors now emit an AssignedTo relationship from each managed device to its assigned user, so every laptop or workstation surfaced from those connectors lands in the integrations inventory wired directly to the employee it’s issued to. Useful for spotting devices whose assigned user has left, attributing installed-app footprints to the right person during access reviews, and fully driving device collection from the same view that already tracks app and license assignment during offboarding. No new permissions are required — the assignment is derived from data both connectors were already fetching.
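To make the Rule 17 trigger concrete, here is an added example (not Overwatch's own code) that computes the two per-vessel fields from a constructed encounter window and applies the 0.6 / 10° thresholds stated above. The sample shape, the mean_stand_on_prob field name, and all values are assumptions; the edge case worth noting is that course deltas must wrap across north, so a 355° to 8° step counts as 13°, not 347°.

```typescript
// Added example, not Overwatch's own implementation. The sample shape, the encounter
// below, and the probability values are constructed; the thresholds are the ones stated above.

/** One AIS-derived sample for a vessel inside the encounter risk window. */
interface VesselSample {
  ts: number;          // seconds since epoch; only ordering matters here
  courseDeg: number;   // course over ground, 0..360
  standOnProb: number; // posterior that this vessel is the stand-on party, 0..1
}

/** The per-vessel fields the changelog says each encounter row now carries. */
interface Rule17Assessment {
  max_course_change_deg: number;
  mean_stand_on_prob: number;    // constructed name; the changelog does not name this field
  rule17_deviation: boolean;
}

const STAND_ON_MEAN_THRESHOLD = 0.6;
const COURSE_CHANGE_THRESHOLD_DEG = 10;

/** Smallest absolute angle between two courses, wrapping across north. */
function courseDelta(aDeg: number, bDeg: number): number {
  const d = (((aDeg - bDeg) % 360) + 360) % 360; // normalised to 0..360
  return d > 180 ? 360 - d : d;
}

/** Largest course change between consecutive samples, in chronological order. */
function maxSingleStepCourseChange(samples: VesselSample[]): number {
  const ordered = [...samples].sort((a, b) => a.ts - b.ts);
  let max = 0;
  for (let i = 1; i < ordered.length; i++) {
    max = Math.max(max, courseDelta(ordered[i].courseDeg, ordered[i - 1].courseDeg));
  }
  return max;
}

function meanStandOnProbability(samples: VesselSample[]): number {
  if (samples.length === 0) return 0;
  return samples.reduce((sum, s) => sum + s.standOnProb, 0) / samples.length;
}

/** The flag: likely stand-on vessel (mean >= 0.6) AND a single-step turn of >= 10°. */
function assessRule17(samples: VesselSample[]): Rule17Assessment {
  const maxChange = maxSingleStepCourseChange(samples);
  const meanStandOn = meanStandOnProbability(samples);
  return {
    max_course_change_deg: maxChange,
    mean_stand_on_prob: meanStandOn,
    rule17_deviation:
      meanStandOn >= STAND_ON_MEAN_THRESHOLD && maxChange >= COURSE_CHANGE_THRESHOLD_DEG,
  };
}

// Constructed encounter. Vessel A is the likely stand-on party and turns across north
// (355° -> 8°): a 13° step that a naive |a - b| would report as 347°.
const VESSEL_A: VesselSample[] = [
  { ts: 0,   courseDeg: 352, standOnProb: 0.55 },
  { ts: 60,  courseDeg: 355, standOnProb: 0.65 },
  { ts: 120, courseDeg: 8,   standOnProb: 0.70 },
  { ts: 180, courseDeg: 9,   standOnProb: 0.70 },
];

// Vessel B is the likely give-way party and holds within a few degrees of 180°.
const VESSEL_B: VesselSample[] = [
  { ts: 0,   courseDeg: 180, standOnProb: 0.45 },
  { ts: 60,  courseDeg: 183, standOnProb: 0.35 },
  { ts: 120, courseDeg: 181, standOnProb: 0.30 },
  { ts: 180, courseDeg: 185, standOnProb: 0.30 },
];

console.log("A", assessRule17(VESSEL_A)); // rule17_deviation: true  (13° step, mean 0.65)
console.log("B", assessRule17(VESSEL_B)); // rule17_deviation: false (4° max step, mean 0.35)
```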

Updates

  • Layer: Sign-in and signup on the Layer dashboard now run through Auth0 Universal Login. The /login and /signup pages are now single-button handoffs to the Auth0-hosted page; the Continue with Google Workspace button takes the same Auth0 path and then mints a Supabase session in the background, so a single click lands you on the dashboard with both sessions established. The standalone email/password form on the Layer login page has been retired in favor of the Auth0 surface — credentials are entered on Auth0, never on the Layer dashboard. Post-login next redirects are preserved end-to-end. Existing accounts retain all of their organization data, integrations, and history. See Getting started.
  • Layer: Tables across the Layer dashboard — integrations, spend, access reviews, contracts, and friends — now feel right on the edges they used to bite. Clicking a checkbox, button, link, menu, dropdown, or other interactive control nested inside a row no longer also fires the row’s primary navigation, so opening a row menu or selecting a row’s checkbox stops short of also drilling into the row. Paginated tables also clamp to the last available page when filters or data changes would otherwise leave you stranded on an empty out-of-range page, so toggling a filter on a deep page lands you on real rows instead of a blank table.
  • Layer: Dashboard polish wave on app.axiomlayer.io. The sidebar is now collapsible to icon-only with persisted state and items grouped into Discover / Finance / Operations / Account, the dashboard layout clamps to a max width on large monitors, and missing Assets, Spend, and Integrations entries are now first-class. Every major page — Integrations, Settings, Search, Licenses, AI Usage, Benchmarks, Assets, virtual cards, license and AI usage sub-pages — now ships the shared PageHeader component with a consistent title → subtitle → border-bottom hierarchy and ← Back links on detail pages. Apps, Contracts, and Renewals open with four-card stats strips above the table, hand-rolled SVG charts on the Spend detail and Benchmarks pages have been replaced with recharts grouped-bar components with hover tooltips and legends, and loading skeletons matching the actual page layout now ship on Spend, Licenses, Contracts, AI Usage, Benchmarks, Assets, and Audit. The ⌘K command palette is synced to the new sidebar groups, the AssetTypeBadge now shows SaaS App correctly with labels and tints for all 17 asset types, table headers normalize to font-semibold, and every card and panel uses the same rounded-2xl corner radius across the dashboard.
  • Overwatch: Tightened security headers on axiomoverwatch.io and tightened authentication on the internal cron endpoints that drive ingestion, archival, alert delivery, and Locus portfolio refresh. No user-facing behavior changes; browsers benefit from the stricter Content-Security-Policy and related headers automatically.
  • Overwatch / Axiomancer: axiomoverwatch.io and axiomancer.io both received a professionalization pass — branded OpenGraph and Twitter summary_large_image social previews, a robots.txt and sitemap.xml at site root, refreshed alt text on marketing imagery, and analytics gating so PostHog and Amplitude only initialize on consent. Links unfurl with full-bleed branded previews on Slack, X, LinkedIn, and any embed-friendly surface, and search engines can index the public marketing surface without relying on link traversal.
  • Axiomancer: Restored the desktop layout on axiomancer.io. A mid-week mobile-optimization pass to the hero, engine, footer, and platform reel had collapsed several desktop sections to single-column and skipped frames on narrow screens; those components have been rolled back to the pre-mobile-pass desktop layout. The legal page polish, RouteShift link fix, navbar improvements, source ticker, and static hero poster from the same week are retained. Mobile-specific layout refinements will return on a separate pass that doesn’t regress desktop.
  • Overwatch: The public /api/v1/positions/latest endpoint now preserves and returns underlying error details when an upstream component fails, instead of collapsing to a generic 500. API consumers building live maps and dashboards on top of the endpoint can now distinguish between transient upstream issues and request-side problems without retrying blindly.
  • Locus: Locus admin authorization on the authenticated API and /admin/* routes now resolves through stable identity claims first and only falls back to the email allowlist for compatibility. Two new environment variables — ADMIN_USER_IDS (immutable Supabase user UUIDs) and ADMIN_ROLE_CLAIMS (role names on app_metadata or user_metadata) — are checked before ADMIN_EMAILS, so admin access survives an email change at your identity provider. Existing ADMIN_EMAILS configurations keep working unchanged; legacy email-based grants now log a per-request warning naming the user ID so you can audit who’s still relying on them before you remove the variable. Only operators of self-hosted and preview deployments need to act.
  • Overwatch: Admin auth on the Overwatch sensitive-endpoint surface — webhooks, key management, and the rest of the admin API — now resolves through least-privilege identity paths first and only falls back to the legacy shared admin key for compatibility. Three new environment variables are checked before ADMIN_API_KEY: ADMIN_USER_IDS (immutable Supabase user UUIDs), ADMIN_ROLE_CLAIMS (role names matched against trusted Supabase app_metadata only — user_metadata is excluded because it’s commonly user-writable), and ADMIN_MACHINE_KEYS (scoped per-automation secrets), so a single leaked admin key is no longer a fleet-wide compromise. The previous per-IP rate limit and constant-time hash compare are unchanged, and a leaked-secret incident can now be contained by rotating one row in ADMIN_MACHINE_KEYS instead of the shared ADMIN_API_KEY. Existing ADMIN_API_KEY configurations keep working unchanged; only operators issuing admin requests need to migrate.
  • Locus: locus.axiomancer.io received the same professionalization pass that landed on Overwatch and Axiomancer — refreshed alt text and tap-target sizing on the marketing surface (mobile links and the Get Access button now meet the 44 px minimum), a PWA manifest with branded icon and theme color so the site installs cleanly on mobile home screens, and analytics gating that suppresses PostHog session recording outside of production and on /admin and /settings routes. The Locus marketing pages also now declare neighborhood analytics and demographic data as additional keywords for discovery. No user-facing behavior changes for authenticated workflows — the Explorer, dashboard, and API surface are unchanged.
  • Layer: The Microsoft Entra ID connector now reads each user’s signInActivity.lastSignInDateTime and flags accounts inactive for 90+ days. Useful for surfacing dormant identities ahead of an access review or scheduled offboarding without exporting the directory by hand.
  • Layer: The Google Workspace connector picks up the same dormant-user signal — last sign-in time is read from the Admin Reports API on every sync, and accounts with no activity in the trailing 90 days now flag as inactive in the access review surface. Connections without the new reports scope continue syncing without error; granting View Reports on the existing OAuth consent screen unlocks the signal automatically.
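An added example (not Overwatch's or Locus's own code) of the Overwatch resolution order described above: stable user IDs first, then role claims read from app_metadata only, then scoped machine keys, and the legacy shared key last, with secrets compared in constant time. The environment-variable names are the ones in the changelog; the config shape, claim names, UUIDs, and secrets are constructed.

```typescript
// Added example, not Overwatch's or Locus's own code. The environment-variable names
// come from the changelog; the config shape, claim names, UUIDs, and secrets are constructed.
import { createHash, timingSafeEqual } from "node:crypto";

interface AdminConfig {
  adminUserIds: string[];                   // ADMIN_USER_IDS: immutable Supabase user UUIDs
  adminRoleClaims: string[];                // ADMIN_ROLE_CLAIMS: matched against app_metadata only
  adminMachineKeys: Record<string, string>; // ADMIN_MACHINE_KEYS: automation name -> its own secret
  adminApiKey?: string;                     // ADMIN_API_KEY: legacy shared key, last resort
}

/** What a request carries: a verified Supabase identity and/or a presented secret. */
interface AdminRequest {
  user?: {
    id: string;
    app_metadata?: { role?: string; roles?: string[] }; // set server-side, trusted
    user_metadata?: { role?: string };                  // user-writable, deliberately ignored
  };
  machineKey?: { name: string; secret: string };
  adminApiKey?: string;
}

type AdminDecision =
  | { allowed: true; via: "user_id" | "role_claim" | "machine_key" | "legacy_api_key"; principal: string }
  | { allowed: false; reason: string };

/** Constant-time comparison; hashing first means unequal lengths cannot short-circuit. */
function secretsMatch(presented: string, expected: string): boolean {
  const a = createHash("sha256").update(presented).digest();
  const b = createHash("sha256").update(expected).digest();
  return timingSafeEqual(a, b);
}

function rolesFromAppMetadata(user: NonNullable<AdminRequest["user"]>): string[] {
  const meta = user.app_metadata ?? {};
  const roles = [...(meta.roles ?? [])];
  if (meta.role) roles.push(meta.role);
  return roles;
}

function resolveAdmin(cfg: AdminConfig, req: AdminRequest): AdminDecision {
  // 1. Immutable user UUID: survives an email change at the identity provider.
  if (req.user && cfg.adminUserIds.includes(req.user.id)) {
    return { allowed: true, via: "user_id", principal: req.user.id };
  }
  // 2. Role claims, read from app_metadata only; user_metadata is never consulted.
  if (req.user && rolesFromAppMetadata(req.user).some((r) => cfg.adminRoleClaims.includes(r))) {
    return { allowed: true, via: "role_claim", principal: req.user.id };
  }
  // 3. Scoped per-automation secret: a leak is contained by rotating that one entry.
  if (req.machineKey) {
    const { name, secret } = req.machineKey;
    // Own-property check keeps prototype names such as "constructor" from matching.
    const expected: string | undefined = Object.prototype.hasOwnProperty.call(cfg.adminMachineKeys, name)
      ? cfg.adminMachineKeys[name]
      : undefined;
    if (expected !== undefined && secretsMatch(secret, expected)) {
      return { allowed: true, via: "machine_key", principal: `machine:${name}` };
    }
  }
  // 4. Legacy shared key, kept for compatibility only; log so remaining callers can be found.
  if (req.adminApiKey && cfg.adminApiKey && secretsMatch(req.adminApiKey, cfg.adminApiKey)) {
    console.warn("admin request authorized via legacy ADMIN_API_KEY; migrate to ADMIN_MACHINE_KEYS");
    return { allowed: true, via: "legacy_api_key", principal: "legacy-shared-key" };
  }
  return { allowed: false, reason: "no admin credential matched" };
}

// Constructed configuration for the demonstration (not real keys or IDs).
const DEMO_CONFIG: AdminConfig = {
  adminUserIds: ["11111111-1111-4111-8111-111111111111"],
  adminRoleClaims: ["overwatch_admin"],
  adminMachineKeys: { "archive-rotator": "mk-archive-rotator-CONSTRUCTED" },
  adminApiKey: "legacy-shared-key-CONSTRUCTED",
};

// A user whose only "admin" signal lives in user-writable user_metadata is denied.
console.log(resolveAdmin(DEMO_CONFIG, {
  user: { id: "33333333-3333-4333-8333-333333333333", user_metadata: { role: "overwatch_admin" } },
}));
```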

Fixes

  • Overwatch: SAR chokepoint confirmation is running on schedule again. The daily Sentinel-1 SAR confirmation pass for vessel transits through Bab-el-Mandeb, the Strait of Hormuz, the Suez approaches, and Cape Agulhas — and the related corridor monitoring pass — had stopped producing new confirmations; both are now back on cadence so the dark-transit flag and missed-transit timeouts on chokepoint transits stay current.
  • Overwatch: AIS downsampling is processing positions again, so the live database’s tiered retention surface stays within its 90-day window without a backlog. Recent positions remain at full resolution, older positions thin out per the retention tiers, and anything older than 90 days continues to live in the cold archive.
  • Overwatch: Pairwise encounter ingestion is durable against table-size-driven timeouts. As the encounter table grew, batched upserts began exceeding the API tier’s statement timeout and silently killing the hourly run, producing gaps in the Risk and Investigations feeds. Writes now flow through a hardened bulk-upsert path that isn’t subject to the API statement-timeout cap, so encounter geometry — CPA, TCPA, range, closing speed, and COLREGS posteriors — keeps landing on schedule as the table continues to grow. Backfill of the gap window is in progress.
  • Overwatch: Cleared roughly 7,800 vessel enrichment records that were permanently stuck in the pending queue — vessels whose Equasis profile requires JavaScript to render, plus a handful of malformed IMO numbers that could never resolve. The pending queue dropped from about 22,700 to about 14,800, so enrichment freshness on the remaining backlog improves immediately. Equasis-blocked vessels will pick up automatically once the JS-capable enrichment path ships.
  • Overwatch: Retryable failed vessel enrichment queue rows that hadn’t exhausted their attempt budget are now reset back to pending automatically, so transient Equasis errors no longer leave otherwise-resolvable vessels parked in the failed bucket.
  • Codex: The envelope coverage dashboard refresh no longer times out on very large tables. Tables estimated above 1M rows — primarily ais_positions — are now sized from the live row-count statistic rather than an exact COUNT(*) scan, so the nightly refresh completes cleanly and per-table compliance percentages stay current. Coverage numbers for smaller tables are unchanged.
  • Overwatch: The course-alteration worker is now self-observable. A new monitor checks for fresh course_alteration events every hour and raises a worker_inactive alert if none have landed in the trailing 7 days, instead of silently leaving the Ghost Vessels inference cron with no input. Alerts auto-resolve as soon as events resume.
  • Overwatch: Course-alteration anomaly detection is now actually running in production. The detector that emits course_alteration events when an underway vessel turns 45° or more off its 6-hour mean heading was wired into a path the production worker never executed, so no events had ever landed in the live vessel risk feed or the unified alerts inbox. Detection now runs on every AIS tick on the production worker, with each emit logged at the database layer for observability and a course_alterations_detected counter exposed in the worker’s heartbeat. Roughly 1,300 vessels per run qualify under the existing 45° / 10-km-from-port thresholds, so course-alteration events, the matching Alert Rule Builder template, and the worker_inactive self-observability monitor all start producing real signal from the next worker run forward. No backfill — this is forward-only from the fix.
  • Overwatch: Hardened webhook URL validation on alert channels — only https:// destinations on the public internet are accepted, with explicit rejection of internal hostnames, link-local ranges, and other non-routable addresses. Existing webhook subscriptions are unaffected; new and updated subscriptions return a clear error message when an invalid URL is submitted instead of silently accepting it.
  • Overwatch: Production sweep retired stale pg_cron schedules invoking deleted Edge Functions and added a reusable detector so future drift surfaces immediately instead of failing silently. The MPO TIP scout now triages no-op upserts against the live target-table count, so swallowed write failures (records fetched, zero upserted, empty target) raise a silent_upsert_failure alert instead of looking like an idempotent run.
  • Layer: The virtual-card authorization endpoint now requires provider authentication before it will commit a balance change. Dashboard and session-based callers can still evaluate an authorization against the configured spend limit, but the response returns committed: false and the running spend total is left untouched — only the card provider (currently Stripe Issuing) can drive a real commit by presenting the shared x-virtual-card-provider-secret header on the webhook callback. Closes a path where an authenticated dashboard user could move the cumulative spend total without a provider-side authorization actually clearing. Existing webhook subscriptions, per-vendor spend caps, limit windows, and the audit log entries on virtual-card events are unaffected.
  • Layer: Tightened the production Content-Security-Policy on the Layer dashboard: 'unsafe-eval' is no longer permitted in script-src outside local development. 'unsafe-inline' is retained in production so Next.js App Router hydration and RSC bootstrap scripts continue to run; without it, dashboard pages render as static HTML and client components — including the Continue with Google Workspace button — never hydrate. 'unsafe-eval' stays scoped to development builds so the local workflow keeps working, while production responses now serve the stricter policy on every route. Existing integrations, billing, and embedded video continue to work unchanged.
  • Layer: Rolled back the preload directive on the Strict-Transport-Security response header for the Layer dashboard and the Rogue Stack app, while keeping max-age=63072000; includeSubDomains in place. HTTPS-only enforcement and subdomain coverage are unchanged; preload-list submission moves to an explicit rollout decision once every subdomain has been verified to serve HTTPS, so a misconfigured subdomain can’t get pinned into the browser preload list.
  • Layer: The cross-product marquee on the Layer marketing site no longer overflows the viewport on mobile — the row now stays on-screen and stops introducing horizontal scroll on small breakpoints.
  • Layer: Sign-in on the Layer login page and signup on /signup now hand off to Auth0 Universal Login. The Continue with Google Workspace button routes through Auth0 first and then mints a Supabase session in the background, so a single click lands you on the dashboard with both sessions already established. The standalone email/password form has been retired in favor of the same Auth0-hosted page — credentials are entered on Auth0, never on the Layer dashboard surface — and the post-login next redirect is preserved end-to-end. Existing dashboard data, integrations, and history are untouched. See Getting started.
  • Layer: The post-login next redirect on the dashboard sign-in page and the Supabase OAuth callback now decodes the parameter before validating it and rejects anything that isn’t a same-origin path. Encoded protocol-relative payloads (for example %2F%2Fexample.com), backslash-prefixed forms, and control characters all fall back to /dashboard instead of bouncing the browser to an attacker-controlled destination. The shared helper is reused by the email/password sign-in path, the Continue with Google Workspace button, and the Supabase OAuth callback, so all three flows enforce the same allowlist.
  • Layer: The public API surface on the Layer dashboard now only matches a request when the path is an exact declared prefix or a child path beneath it, instead of any path that happens to share the same opening characters. Requests that previously slipped through on a coincidental string match — for example, a path that began with the same letters as a public API prefix but was a sibling rather than a child — now fall through to the authenticated dashboard surface as intended. Existing endpoints under /api/mcp, the discovery extension, and the rest of the public surface continue to work unchanged.
  • Drift: Tightened the production Content-Security-Policy on Drift: 'unsafe-inline' and 'unsafe-eval' are no longer permitted in script-src outside local development, frame-src is now 'none' so the dashboard cannot embed any third-party iframes, and base-uri, object-src, and frame-ancestors are also locked down by default. No user-facing behavior changes; the analytics, billing, and provider integrations powering shadow-IT discovery continue to work unchanged, and browsers benefit from the stricter policy automatically.
  • Drift: Per-IP rate limits on the Drift ingest webhook, manual connection creation, and sync endpoints now key on the trusted platform-supplied client IP instead of the raw X-Forwarded-For header, so a spoofed forwarding header can no longer be used to evade per-IP throttling. No action is required on your part; legitimate forwarders are unaffected.
  • Layer: Connection connect and disconnect events on the integrations page now record the trusted platform-supplied client IP in the audit log instead of the raw X-Forwarded-For header, so admins reviewing audit entries see an IP that can’t be spoofed by a forwarded-header rewrite. Existing audit entries are unaffected; new entries pick up the hardened attribution automatically.
  • Locus: Tightened the production security headers on locus.axiomancer.io. Responses now ship a strict Content-Security-Policy with explicit allowlists for the third-party services Locus actually uses (Mapbox, Stripe, Supabase, Mux, Sentry, PostHog, Intercom, Mixpanel, Amplitude), a restrictive Permissions-Policy that disables sensors, camera, microphone, geolocation, payment, and other powerful APIs by default, and the standard X-Content-Type-Options, X-Frame-Options: DENY, and Referrer-Policy: strict-origin-when-cross-origin headers. No user-facing behavior changes; browsers benefit from the stricter policy automatically.
  • Locus: POI ingestion is back on its 6-hourly cadence. The collect-pois and collect-pois-premium crons that populate poi_snapshots had drifted onto a once-a-year schedule, leaving the Nearby POIs rail in the Explorer, the GET /api/pois endpoint, and the POI counts in GET /api/enrich and the discovery and intelligence endpoints up to 35+ days stale. Both crons now run at 00:00, 06:00, 12:00, and 18:00 UTC daily, restoring the documented <7 days POI freshness window. Backfill of the gap window is in progress.
  • Locus / Codex: The three Locus catalog tables still showing 0% APRS envelope coverage on the envelope coverage dashboard (uscis_h1b_employers, usda_nass_county_crops, and muckrock_foia_requests) now have nightly backfill jobs scheduled in the 03:30–03:40 UTC low-traffic window. Coverage on these tables will climb toward 100% over the next several nightly cycles, after which they’ll join the rest of the Locus catalog in the aprs.civic, aprs.commodity, and aprs.permits profile rosters with full envelope-driven joinability and incremental sync.
  • Locus: The RouteShift entry in the cross-product navigation bar on locus.axiomancer.io now points to routeshift.io instead of an unowned .com domain, so clicks from Locus no longer dead-end.
  • Locus: HTML-escaped the geocoded place name in the free Location Report confirmation email body, closing a path where a maliciously crafted Mapbox place_name could inject markup into the rendered confirmation message. Subject lines continue to render the place name as readable text with control characters stripped. Legitimate report requests are unaffected.
  • Codex: The RouteShift entry in the cross-product navigation bar on axiomcodex.io now points to routeshift.io instead of an unowned .com domain, so clicks from Codex no longer dead-end. The brand mark in the bar was also refreshed to match the canonical RouteShift glyph.
  • Axiomancer: Tightened spacing on the privacy and terms pages — long sections no longer leave awkward gaps between headings and paragraphs, and the pages read cleanly on both desktop and mobile.
  • Overwatch: Hardened the cold archive writer’s credential handling — surrounding whitespace on archive credentials is trimmed before the upload signs, and credentials containing control characters now fail fast with a clear configuration error instead of producing an opaque “invalid character in header” runtime failure that could quietly stall historical-position archival.
  • Overwatch: Failed vessel-visit writes now stay retryable. When the visit pipeline failed to insert a new visit or update an in-progress visit to loading, the underlying port event was still being marked processed, so the failure dropped silently and never replayed. The pipeline now raises on the database error before clearing the event, leaving the source port event in the queue for the next run, and the visit pipeline status page tile and ingestion_logs row now surface a readable Supabase error message instead of [object Object].
  • Overwatch: Database-level idempotency for AIS positions and port events. Duplicate inserts — whether from an AIS worker retrying a transient batch or from concurrent processing pipelines racing on the same fix — are now silently skipped at the row level rather than landing as duplicate rows that downstream analytics had to dedupe later. The new guard keys off the upstream provider record ID when present and falls back to the natural identity (source + IMO + timestamp for positions; IMO + port + event type + timestamp for events) so heterogeneous feeds — AISHub, AIS Stream, satellite, Spire, and the port-event scrapers — all converge on a single canonical row. No user-facing behavior changes; vessel position freshness, pairwise encounter extraction, risk feeds, and vessel visit accounting all continue exactly as before, with a cleaner upstream guarantee that duplicate rows can no longer creep into the live database.
  • Layer: Plans and billing endpoints — checkout sessions and the Stripe customer portal — now require an admin or owner role on the workspace before they will start a session, with a clear 403 returned to non-admins instead of silently letting any authenticated member kick off a billing change. The same gate is enforced on the Drift dashboard. Existing admin and owner workflows are unchanged; for member-tier accounts the Manage billing path no longer acts on the workspace.
  • Drift: Team invites and member role changes now write the resulting workspace ID and role into the trusted Supabase app_metadata claim alongside the workspace membership row, so server-side authorization checks read from a single tamper-resistant source instead of reconstructing the role from a user-writable surface. Existing members keep their current role; new invites land as viewer and inherit any subsequent role change automatically.
  • Layer / Drift: PII in production error reports is now scrubbed before it leaves the dashboard. Email addresses, IP addresses, authorization headers, cookies, and form-field values matching common PII names are redacted in Sentry breadcrumbs, request payloads, and exception extras across the dashboard, Edge runtime, and server runtime, so engineering can keep diagnosing production errors without storing customer identifiers in the error stream.
  • Drift: The Load sample data action on a fresh Drift workspace is wired up again — the seed endpoint had been writing against a stale org_id column and silently failing on every insert, leaving demo workspaces empty. Discovered apps, action items, and email receipts now seed cleanly into the new workspace on first click. The 5-row guard against re-seeding a workspace with existing data is unchanged.
  • Layer: The Apps, Assets, dashboard, and Cost per employee pages on the Layer dashboard are populating again. A row-level security regression had silently zeroed every read for these views, so the pages rendered as empty even when the underlying inventory and spend data was intact. Reads now flow through the corrected tenant-resolution path, and the previously empty rollups, app lists, and asset tables surface their full contents on next load.
  • Drift: Dashboard reads on the Drift Apps, Benchmarks, dashboard, Inventory, and Renewals pages now query the canonical workspace identifier instead of a stale legacy column, so paid workspaces no longer see an empty inventory or zeroed spend totals after the recent multi-tenant migration.
  • Layer: Sentry Session Replay is now disabled on every authenticated route in the Layer dashboard and stops cleanly on client-side route transitions, so tenant data inside the dashboard never enters a replay buffer even on long-lived single-page navigations. Marketing-surface replay sampling is unchanged.
  • Layer: The public marketing surface and the sign-in / sign-up pages on the Layer dashboard now render a friendly recovery screen with a Try again button when an unexpected server error occurs, instead of leaving the browser stuck on a blank page after a closed RSC stream. The dashboard, billing, and integrations surfaces — which already had their own error boundaries — are unaffected.
  • Layer: Adding a connector to a workspace now succeeds for every source in the integrations catalog. A registration step had been skipped for some new connectors, surfacing as an “unsupported source” error on first sync — most visibly for Microsoft Entra ID, which is now correctly aliased to its underlying directory connector. Existing connections are unaffected; new connections complete their first sync without manual retry.
  • Axiomancer: The scroll-driven platform reveal on axiomancer.io is visible again. A page-level overflow setting was preventing the sticky scroll behavior from engaging on descendant elements, leaving a tall blank section where the product reel should have been. Visitors now see the full scroll-driven reveal of the product lineup as intended.
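The Locus confirmation-email fix above escapes an untrusted geocoded place name for one sink (the HTML body) and strips control characters for another (the subject line, where a CR/LF would end the header). The example below is added here to show that two-sink treatment; it is not Locus's own code, and the function names, the email wording, and the hostile input are constructed for illustration.

```javascript
// Added example (not Locus's own code): render an untrusted Mapbox place_name into
// the two sinks of a confirmation email. Function names and wording are assumptions.

// HTML body: encode the five characters that can change markup structure.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Subject line: keep the name as readable text but drop ASCII control characters
// (CR/LF would terminate an RFC 5322 header and start a new one) and the C1 range.
function sanitizeSubjectText(value) {
  return String(value).replace(/[\u0000-\u001f\u007f-\u009f]/g, '').trim();
}

// Build both parts of the message; each sink gets the encoding it needs.
function buildConfirmationEmail(placeName) {
  const safeName = escapeHtml(placeName);
  return {
    subject: `Your Location Report for ${sanitizeSubjectText(placeName)}`,
    html: `<p>We received your request for a Location Report covering <strong>${safeName}</strong>.</p>`,
  };
}

// Constructed hostile input: markup plus a CRLF that tries to inject a Bcc header.
const hostilePlaceName = '<img src=x onerror="alert(1)">\r\nBcc: victim@example.com';
const sampleEmail = buildConfirmationEmail(hostilePlaceName);
```

The subject keeps the characters a reader expects to see; only the control range is removed, which is also what stops header injection. The body relies on escaping rather than stripping so legitimate names containing `&` or quotes survive unchanged.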
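The Overwatch vessel-visit item above turns on ordering: a port event may only be marked processed after its visit write has succeeded, and the database error has to be rendered as text rather than stringified as [object Object]. The example below is added here to show that ordering with a before and after handler; it is not Overwatch's own code, and the event fields, store, and the PostgREST-shaped error it throws are constructed for illustration.

```javascript
// Added example (not Overwatch's own code): keep a failed visit write retryable.
// Event shape, store, and the error object are assumptions for illustration.

// Render a Supabase/PostgREST-style error object as readable text. Concatenating the
// object into a string field is what produces "[object Object]".
function formatDbError(err) {
  if (err instanceof Error) return err.message;
  if (err && typeof err === 'object') {
    const parts = [err.code, err.message, err.details, err.hint].filter(Boolean);
    return parts.length ? parts.join(' | ') : JSON.stringify(err);
  }
  return String(err);
}

// Before: the event was marked processed whether or not the write succeeded, so a
// failing insert was swallowed and never replayed.
function processPortEventBuggy(event, visits, processed) {
  try {
    visits.write(event);
  } catch (err) {
    // swallowed; the event is cleared below and the failure is lost
  }
  processed.add(event.id);
}

// After: the write must succeed before the event leaves the queue, and the error is
// re-raised with a readable message for the status tile and ingestion_logs row.
function processPortEvent(event, visits, processed, log) {
  try {
    visits.write(event);
  } catch (err) {
    log.push({ event_id: event.id, error: formatDbError(err) });
    throw new Error(formatDbError(err));
  }
  processed.add(event.id);
}

// Run one pass over the queue; returns the ids still unprocessed for the next run.
function runPipeline(queue, visits, processed, log, handler) {
  for (const event of queue) {
    if (processed.has(event.id)) continue;
    try {
      handler(event, visits, processed, log);
    } catch (_) {
      // left in the queue; the next run retries it
    }
  }
  return queue.filter((e) => !processed.has(e.id)).map((e) => e.id);
}

// Constructed store that fails for one IMO with a PostgREST-shaped error object.
function makeVisitStore(failingImo) {
  const rows = [];
  return {
    rows,
    write(event) {
      if (event.imo === failingImo) {
        throw {
          code: '23505',
          message: 'duplicate key value violates unique constraint',
          details: `Key (imo, port)=(${event.imo}, ${event.port}) already exists.`,
          hint: null,
        };
      }
      rows.push(event);
    },
  };
}
```

Note that PostgREST errors are plain objects, not Error instances, which is why formatDbError reads the code, message, details and hint fields explicitly instead of relying on err.message.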
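The Overwatch idempotency item above describes the identity the new guard keys on: the upstream provider record ID when present, otherwise the natural key (source + IMO + timestamp for positions; IMO + port + event type + timestamp for events). The example below is added here to show that key derivation and the behaviour of a retried batch against it; it is not Overwatch's own code. Field names, the per-source scoping of provider IDs, and timestamp normalisation to ISO-8601 are assumptions, and the database-level counterpart would be a unique index over the same columns with INSERT ... ON CONFLICT DO NOTHING.

```javascript
// Added example (not Overwatch's own code): derive the identity a duplicate-skipping
// guard keys on, so a retried batch or two feeds reporting the same fix collapse onto
// one row. Field names and normalisation choices are assumptions.

// Normalise timestamps so "10:00:00Z" and "10:00:00.000Z" compare equal.
function isoTime(value) {
  return new Date(value).toISOString();
}

// Positions: provider record ID (scoped by source, since providers' IDs may collide),
// else source + IMO + timestamp.
function positionKey(row) {
  if (row.provider_record_id) return `pos:provider:${row.source}:${row.provider_record_id}`;
  return `pos:natural:${row.source}:${row.imo}:${isoTime(row.timestamp)}`;
}

// Port events: provider record ID, else IMO + port + event type + timestamp.
function portEventKey(row) {
  if (row.provider_record_id) return `evt:provider:${row.source}:${row.provider_record_id}`;
  return `evt:natural:${row.imo}:${row.port}:${row.event_type}:${isoTime(row.timestamp)}`;
}

// Idempotent insert into an in-memory table (a Map standing in for the database).
// Duplicates are skipped silently; the counts let a caller see what a retry added.
function insertIgnoringDuplicates(table, rows, keyFn) {
  let inserted = 0;
  let skipped = 0;
  for (const row of rows) {
    const key = keyFn(row);
    if (table.has(key)) {
      skipped += 1;
      continue;
    }
    table.set(key, row);
    inserted += 1;
  }
  return { inserted, skipped, size: table.size };
}
```

Because the key is derived, not stored by the feed, a worker that replays a batch after a transient failure produces zero inserts on the second pass, and downstream consumers never see the duplicate.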
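The Layer billing-gate item and the Drift app_metadata item above fit together: a server-side check that reads the workspace role from the JWT's app_metadata claim and returns 403 for anyone below admin. Supabase lets a signed-in user rewrite their own user_metadata (auth.updateUser), while app_metadata is only writable with the service role, which is why only the latter counts as tamper-resistant. The example below is added here to show that check; it is not Layer's or Drift's own code. The claim layout, handler names, and the role-change helper are assumptions, and JWT signature verification is assumed to have happened upstream of this function.

```javascript
// Added example (not Layer's or Drift's own code): gate a billing route on the role
// in the verified JWT's app_metadata claim. Claim layout and names are assumptions;
// the token is assumed to be signature-verified before it reaches this code.

const BILLING_ROLES = new Set(['admin', 'owner']);

// Resolve the caller's role for a workspace from trusted claims only.
function workspaceRoleFromClaims(claims, workspaceId) {
  const meta = claims && claims.app_metadata;
  if (!meta || meta.workspace_id !== workspaceId) return null;
  return typeof meta.role === 'string' ? meta.role : null;
}

// Returns the response a billing route (checkout session, customer portal) would send.
// user_metadata is never consulted: the user can edit it, so a role there proves nothing.
function requireBillingRole(claims, workspaceId) {
  if (!claims || !claims.sub) return { status: 401, body: { error: 'unauthenticated' } };
  const role = workspaceRoleFromClaims(claims, workspaceId);
  if (!role) return { status: 403, body: { error: 'not a member of this workspace' } };
  if (!BILLING_ROLES.has(role)) return { status: 403, body: { error: 'admin or owner role required' } };
  return { status: 200, body: { ok: true, role } };
}

// What an invite or role change writes into app_metadata (service role only).
// Returns new claims rather than mutating, mirroring a fresh token after the change.
function applyRoleChange(claims, workspaceId, role) {
  return { ...claims, app_metadata: { ...(claims.app_metadata || {}), workspace_id: workspaceId, role } };
}
```

A member who sets `user_metadata.role = "owner"` on their own account still gets a 403, because the check never looks there; promoting them requires the service-role write that the Drift invite and role-change paths now perform.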
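The Layer / Drift Sentry item above lists what gets scrubbed (email addresses, IP addresses, authorization headers, cookies, PII-named form fields) and where (breadcrumbs, request payloads, exception extras). The example below is added here to show a beforeSend hook that does that; it is not Layer's or Drift's own code. Sentry's `beforeSend(event, hint)` option is real and the event fields touched here (request.headers, request.cookies, request.data, breadcrumbs[].data, extra, user) follow Sentry's event schema, but the regexes, the list of PII field names, and the sample event are constructed for illustration.

```javascript
// Added example (not Layer's or Drift's own code): a Sentry beforeSend hook that
// redacts PII before an event leaves the app. Patterns and field names are assumptions.

const REDACTED = '[redacted]';
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
const SENSITIVE_HEADERS = new Set(['authorization', 'cookie', 'set-cookie', 'x-api-key']);
const PII_FIELD_RE = /^(email|e-mail|phone|ssn|password|passwd|first_?name|last_?name|full_?name|address|dob|token)$/i;

// Replace emails and IPv4 literals inside free text.
function scrubString(s) {
  return s.replace(EMAIL_RE, REDACTED).replace(IPV4_RE, REDACTED);
}

// Walk any JSON-like value: PII-named keys are dropped outright, strings are scrubbed.
function scrubValue(value, key) {
  if (key !== undefined && PII_FIELD_RE.test(String(key))) return REDACTED;
  if (typeof value === 'string') return scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrubValue(v, k);
    return out;
  }
  return value;
}

// Credential-bearing headers are redacted whole; the rest get the generic walk.
function scrubHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) {
    out[k] = SENSITIVE_HEADERS.has(k.toLowerCase()) ? REDACTED : scrubValue(v, k);
  }
  return out;
}

// Drop-in for Sentry.init({ beforeSend }). Returns a new event; the original is untouched.
function beforeSend(event, _hint) {
  const scrubbed = { ...event };
  if (typeof event.message === 'string') scrubbed.message = scrubString(event.message);
  if (event.user) scrubbed.user = { id: event.user.id }; // keep a correlation id only
  if (event.request) {
    scrubbed.request = {
      ...event.request,
      headers: scrubHeaders(event.request.headers),
      cookies: event.request.cookies ? REDACTED : undefined,
      data: scrubValue(event.request.data),
      url: typeof event.request.url === 'string' ? scrubString(event.request.url) : event.request.url,
    };
  }
  if (event.breadcrumbs) {
    scrubbed.breadcrumbs = event.breadcrumbs.map((b) => ({
      ...b,
      message: typeof b.message === 'string' ? scrubString(b.message) : b.message,
      data: scrubValue(b.data),
    }));
  }
  if (event.extra) scrubbed.extra = scrubValue(event.extra);
  if (event.exception) scrubbed.exception = scrubValue(event.exception);
  return scrubbed;
}
```

Running the same hook on the Edge and server runtimes matters because those runtimes attach request headers and bodies that the browser SDK never sees; the IPv4 pattern is deliberately coarse and will also hit dotted version strings, which is the safer failure mode for an error stream.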