A running log of notable changes to the KARG platform. For the underlying commits, see the engineering team.
24 April 2026 · Feature
Public legal site
- Privacy Policy, Terms of Service, Security & Trust, Sub-processors, Contact, DPA, Cookie Policy and Changelog now live at karg.to.
- Cookie consent banner with strictly-necessary / analytics split.
- RFC 9116 security.txt published at /.well-known/security.txt.
23 April 2026 · Infrastructure
Production domain switched to karg.to
- Marketing site and product served from karg.to with strict TLS.
22 April 2026 · Security
Security review remediation
- Internal review covering authn, multi-tenant isolation, secrets handling, webhook verification and Sentry scrubbing.
- All HIGH and MEDIUM findings closed in two follow-up commits.
- Fail-closed defaults in production, JWT issuer enforced, diagnostics endpoints removed.
April 2026 · Integration
Border declarations live (HMRC Sandbox)
- End-to-end declaration flow against HMRC Sandbox: OAuth, token encryption, PPNS notifications, RLS-enforced storage.
- 8 issues found during activation resolved (RLS policies, naming consistency, idempotency).
April 2026 · Feature
iCustoms F1–F6 shipped
- Six customs-document features delivered after technical-debt sweeps TD-02 and TD-03.
- Unified pdf_documents table; Gemini extraction stabilised across CMR, T1 and invoice templates.
April 2026 · Infrastructure
S8 — fleet model retired
- Removed the legacy vehicles table and the deprecated backend paths that depended on it.
- Telematics queries now go through the per-tenant ITelematics provider.
April 2026 · Feature
S7 — PDF road documents
- Carriers can attach PDF files to road documents; structured fields are extracted automatically using the hybrid pdfplumber + Gemini pipeline.
March 2026 · Infrastructure
Sentry and QStash live
- Sentry capturing 5xx with tenant and request tags, scrubbed of secrets.
- Hourly load-matching schedule on QStash, HMAC-verified at the webhook.