GitHub teams, members, and repository governance
The GitHub integration now emits a Team asset for every team in each connected GitHub organization, along with two new relationship types that map the real access path through teams:
- MemberOf — every team member is linked to the team they belong to.
- GovernedBy — every repository a team is granted access to is linked back to the team, with the team’s permission level (pull, push, admin, etc.) stored on the relationship.
One-click Slack OAuth
Connecting Slack to Layer no longer requires creating a Slack app or pasting a bot token. The connector now uses a one-click OAuth flow brokered through Auth0 — click Sign in with Slack on the integration card, approve the bot scopes on Slack’s consent screen, and you’re connected. The same six read-only scopes apply (users:read, users:read.email, channels:read, groups:read, team:read, apps:read), and Layer still never asks for message-content access.

Existing tenants on the legacy bot-token flow keep working unchanged — Layer transparently falls back to the previous credential field. Reconnecting through the OAuth flow upgrades the connection automatically. See the updated Slack integration guide.

Collapsible sidebar and grouped navigation
The Layer dashboard sidebar now collapses to an icon-only rail. Click the toggle in the sidebar footer to switch between the full 256px sidebar and a compact 60px rail; the choice persists across page loads, so the sidebar opens in the same state on your next visit. In collapsed mode, hovering an icon shows the item name as a native tooltip.

Nav items are now organized into four sections — Discover (Apps, People, Assets, Hardware), Finance (Spend, Renewals), Operations (Integrations, AI Usage, Audit log), and Account (Settings) — and three pages that already shipped but were missing from the nav are now linked directly: Assets, Spend, and Integrations. Section labels collapse to thin dividers in icon mode.

The main content area is now constrained to a max width on large monitors so dashboard pages stay readable instead of stretching edge-to-edge, and page headers gained a subtle bottom border plus an optional badge slot next to the title.

More complete vote tallies for council decisions
Fixed an issue where vote history for council decisions could be missing even when the HTML fallback was available. When a city’s Legistar JSON API partially responded — returning meeting history but failing on the vote detail request — the system incorrectly treated the partial response as complete and skipped the HTML scraping fallback. Vote tallies are now captured reliably for all Legistar-powered cities, including New York City. If you query council decisions through the Locus API or the Civic Intelligence schema, you should see more complete vote results. No action is required on your part.

Provider authentication required for virtual card authorization commits
Tightened the virtual card authorization endpoint so that only the card provider — not ordinary dashboard or session users — can commit authorization rollups against a card’s hard limit. Requests from authenticated users without the provider secret now run as a read-only evaluation: the response still returns the approval decision and remaining balance, but committed is false and the spend rollup is left untouched.

To commit a rollup, the caller must pass a matching shared secret in the x-virtual-card-provider-secret header. Layer looks up the secret per provider (for example, VIRTUAL_CARD_AUTH_STRIPE_ISSUING_SECRET for stripe_issuing) and falls back to VIRTUAL_CARD_AUTH_WEBHOOK_SECRET or the existing STRIPE_ISSUING_WEBHOOK_SECRET. Comparison is constant-time. If no secret is configured for the provider, commits are rejected with 403 Provider authentication required for committed authorizations. Existing webhook deliveries from your card provider continue to work as long as the matching secret is set in your environment — no dashboard changes are required.
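
The commit rule described above, sketched in Python as an added example (not Layer's own code). The header name, environment variables, committed field and 403 message come from the text; the function names, the approved and remaining fields, the card dictionary, the generalized VIRTUAL_CARD_AUTH_<PROVIDER>_SECRET pattern and the treatment of a mismatched secret as a read-only evaluation are assumptions.

```python
import hashlib
import hmac

HEADER = "x-virtual-card-provider-secret"  # header name from the changelog
FALLBACK_VARS = ("VIRTUAL_CARD_AUTH_WEBHOOK_SECRET", "STRIPE_ISSUING_WEBHOOK_SECRET")


def provider_secret(provider, env):
    """Per-provider variable first, then the two shared fallbacks, in the order listed.

    Assumption: the per-provider name generalizes the single documented example
    (stripe_issuing -> VIRTUAL_CARD_AUTH_STRIPE_ISSUING_SECRET).
    """
    names = (f"VIRTUAL_CARD_AUTH_{provider.upper()}_SECRET",) + FALLBACK_VARS
    for name in names:
        value = env.get(name, "")
        if value:  # an empty string counts as "not configured"
            return value
    return None


def secrets_match(presented, expected):
    # Hash both sides to fixed-length digests, then compare in constant time,
    # so neither the length nor the position of a mismatch leaks through timing.
    a = hashlib.sha256(presented.encode()).digest()
    b = hashlib.sha256(expected.encode()).digest()
    return hmac.compare_digest(a, b)


def authorize(provider, headers, amount, card, env):
    """Evaluate a charge against the hard limit; commit only for the provider.

    headers: dict with lower-cased keys. card: {'hard_limit', 'spent'} in minor
    units (constructed shape). Returns (status, body).
    """
    approved = card["spent"] + amount <= card["hard_limit"]
    presented = headers.get(HEADER)
    may_commit = False
    if presented is not None:  # assumption: presenting the header is a commit attempt
        expected = provider_secret(provider, env)
        if expected is None:
            return 403, {"error": "Provider authentication required for committed authorizations"}
        # Assumption: a wrong secret is downgraded to a read-only evaluation.
        may_commit = secrets_match(presented, expected)
    committed = may_commit and approved
    if committed:
        card["spent"] += amount  # the spend rollup changes only on this path
    remaining = card["hard_limit"] - card["spent"]
    return 200, {"approved": approved, "remaining": remaining, "committed": committed}
```
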