The founding-customer programme is now accepting applications. Five slots are available in total — each for a South African enterprise willing to commit before RAG Studio general availability. Founding customers receive 70% off year one, direct access to the founding team, and a quarterly roadmap-shaping call. Customer identities remain confidential under NDA unless they explicitly opt to be named. The window stays open until RAG Studio reaches general availability in Q4 2026.
What we shipped, as we shipped it.
A continuous, source-of-truth log of every platform release, service-level update, security advisory, deprecation, and policy change. Updated by the engineer who wrote the code — not a marketing team. Build in public means the full picture is here, including what's slower than planned.
Semantic chunking joins recursive and sentence chunking on the chunk-and-embed configuration page. Particularly useful for long-form policy documents where natural topic shifts are more meaningful than character or sentence boundaries. The Airbyte-based Notion connector ships behind a feature flag for founding customers; general availability follows in v0.7.
- New — semantic chunking strategy. Available on /rag/[id]/configure alongside recursive and sentence options.
- New — Notion connector (beta). Airbyte-based source connector covering pages, databases, and inline blocks.
- Improved — Ragas eval reliability. Faithfulness scoring now retries on rate limit; eliminates a failure mode that affected 3% of evaluation runs.
- Fixed — PDF page-number citation off-by-one. Citations on PDFs now correctly reference the displayed page rather than the zero-indexed page.
- Fixed — embed widget CSS isolation. Embeddable chat no longer inherits host-page form styling.
The Insights newsletter moves from monthly to weekly. Each issue is one technical guide written by the founder — POPIA-compliant RAG patterns, AI agent architecture, enterprise procurement realities. Always one click to unsubscribe. Existing subscribers do not need to re-confirm; new subscribers can opt in from any contact form or directly at /insights.
Privacy Policy version 2.0 adds explicit, plain-language disclosures about AI and large-language-model processing — an area POPIA's original 2013 drafting did not anticipate but where the eight conditions for lawful processing apply fully. The new sections cover model-training disclosure, query-content handling, vendor LLM transfer mechanisms, and how sonofgraig treats every AI-processed document and query as personal information by default.
Human-in-the-loop approval gates land in Agent Builder beta. Built on LangGraph's interrupt_for_approval pattern, allowing customers to define checkpoints where an agent pauses for human review before executing high-impact tool calls — sending external emails, writing to production databases, posting to public channels. Critical for any regulated-industry agent. Approval requests route to Slack by default.
- New — approval gates. Drag the new "Human Review" node onto the canvas to define a pause point.
- New — trace viewer enhancements. Per-step timing, per-step cost, and per-step reasoning chain visible on /agents/[id]/traces.
- New — kill-switch SLA. Once toggled, an agent halts within 5 seconds; existing in-flight tool calls are cancelled or rolled back where supported.
- Improved — multi-agent message-passing. Supervisor-to-worker patterns from AutoGen now correctly preserve context across handoffs.
- Fixed — sandbox session leak. Closing the sandbox tab now cleanly terminates the LangGraph runner.
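The approval-gate behaviour described in this entry, as an added sketch in plain Python. It is not sonofgraig's code and does not use the LangGraph API; the tool names, the `ApprovalGate` class and the ticket scheme are assumptions made for illustration, and the kill switch here covers only calls still awaiting approval, not in-flight rollback.

```python
import uuid

# Tool names are constructed for this example; the set mirrors the
# high-impact actions listed in the entry above.
HIGH_IMPACT = {"send_external_email", "write_production_db", "post_public_channel"}

class ApprovalGate:
    def __init__(self, tools):
        self.tools = tools      # tool name -> callable
        self.pending = {}       # ticket -> (tool, args) frozen at request time
        self.killed = False

    def request(self, tool, **args):
        """Run low-impact tools at once; park high-impact ones for review."""
        if self.killed:
            return {"status": "halted"}
        if tool not in self.tools:
            return {"status": "rejected", "reason": "unknown tool"}
        if tool in HIGH_IMPACT:
            ticket = uuid.uuid4().hex
            # Store a copy so the reviewer approves exactly what will execute.
            self.pending[ticket] = (tool, dict(args))
            return {"status": "pending", "ticket": ticket}
        return {"status": "done", "result": self.tools[tool](**args)}

    def decide(self, ticket, approved):
        """Apply a reviewer decision. Tickets are single use."""
        if self.killed:
            return {"status": "halted"}
        entry = self.pending.pop(ticket, None)
        if entry is None:
            return {"status": "rejected", "reason": "unknown or used ticket"}
        if not approved:
            return {"status": "rejected", "reason": "denied by reviewer"}
        tool, args = entry
        return {"status": "done", "result": self.tools[tool](**args)}

    def kill(self):
        """Kill switch: drop everything pending and refuse all further calls."""
        self.killed = True
        self.pending.clear()

if __name__ == "__main__":
    outbox = []
    gate = ApprovalGate({
        "send_external_email": lambda to, body: outbox.append(to) or "sent",
        "web_search": lambda q: f"results for {q}",
    })
    r = gate.request("send_external_email", to="client@example.com", body="Draft")
    print(r["status"], outbox)  # the email is parked, not sent
    print(gate.decide(r["ticket"], approved=True), outbox)
```

Because the arguments are stored when the request is made and the ticket is consumed on first use, an agent cannot alter a call after review or replay an old approval.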
An upstream LiteLLM input-handling issue could allow malicious users to inject hidden instructions into LLM context windows under specific configurations. sonofgraig customers were not affected at any point. The upstream maintainers issued a fix; we deployed the patched version platform-wide on 18 April. Detailed disclosure follows the responsible-disclosure window closing.
- Severity: Medium — CVSS 6.4 (estimated, awaiting upstream score)
- Affected: No sonofgraig customers. Configuration filtering at our middleware layer prevented exploitation.
- Mitigation: Upstream LiteLLM patched and deployed within 4 hours of upstream release.
- Customer action required: None.
tumiso@sonofgraig.com · 1-hour response 24/7 · researchers credited where appropriate.
An 18-minute technical guide on the architectural decisions required to make a Retrieval-Augmented Generation system genuinely POPIA-compliant — not just "compliant on paper". The essay covers PII scrubbing in middleware, residency at the IAM layer, audit logs that cannot be deleted, and the eight conditions for lawful processing applied to AI activities. Reference architecture for sonofgraig's own platform — nothing held back.
Document-level access control reaches general availability after 6 weeks in beta. User groups map to document groups during scoping; the retrieval layer enforces this at the chunk level — the LLM never receives a chunk the user is not authorised to see. Critical for legal, HR, and finance use cases where document-level access matters. Audit log records which documents were considered for each query.
- New — access control GA. Configure user-group to document-group mapping on /rag/[id]/access.
- New — query audit log. Each query records the user, the documents considered, similarity scores, and the final answer hash.
- Improved — embed widget mobile rendering. Better behaviour on iOS Safari and Android Chrome.
- Improved — ingestion progress visibility. Per-document progress indicators during bulk ingestion.
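Chunk-level enforcement and the per-query audit record described in this entry, as an added sketch that is not sonofgraig's code. The group mapping, document ids, scores and field names are constructed for illustration; the point it shows is that the authorisation filter runs before the top-k cut, so a denied chunk can neither reach the prompt nor crowd out permitted ones.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Chunk:
    doc_id: str
    doc_group: str
    text: str
    score: float  # similarity to the query

# Constructed mapping: user group -> document groups it may read.
GROUP_ACCESS = {
    "legal": {"contracts", "policies"},
    "hr": {"policies", "personnel"},
}

# Constructed candidates, as a vector search might return them for one query.
CANDIDATES = [
    Chunk("salary-2025", "personnel", "Band C salary ranges ...", 0.95),
    Chunk("nda-001", "contracts", "The receiving party shall ...", 0.91),
    Chunk("leave-policy", "policies", "Annual leave accrues ...", 0.72),
    Chunk("nda-001", "contracts", "This agreement terminates ...", 0.64),
]

def authorised_chunks(user_groups, candidates, top_k=2):
    """Drop unauthorised chunks BEFORE the top-k cut and prompt assembly."""
    allowed = set()
    for group in user_groups:
        allowed |= GROUP_ACCESS.get(group, set())  # unknown group grants nothing
    visible = [c for c in candidates if c.doc_group in allowed]
    return sorted(visible, key=lambda c: c.score, reverse=True)[:top_k]

def audit_record(user, chunks, answer):
    """User, documents considered, similarity scores, and the answer hash."""
    return {
        "user": user,
        "documents": sorted({c.doc_id for c in chunks}),
        "scores": [(c.doc_id, c.score) for c in chunks],
        "answer_sha256": hashlib.sha256(answer.encode("utf-8")).hexdigest(),
    }

if __name__ == "__main__":
    chunks = authorised_chunks(["legal"], CANDIDATES)
    prompt_context = "\n".join(c.text for c in chunks)  # all the LLM receives
    print(audit_record("user-17", chunks, "Leave accrues monthly."))
```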
The full SaaS Transformation Strategy is now published on the About page — the canonical document explaining how sonofgraig converts 18 service lines into 5 SaaS product clusters across three phases. Customer and ARR targets are real internal goals, not marketing puff. Phase 1 beachhead: 10 customers, R500K ARR. Phase 2 expansion: 50 customers, R3M ARR, SOC 2 Type II + POPIA cert. Phase 3 ecosystem: 200 customers, R50M ARR, all five clusters, Nigeria + Kenya, ISO 27001.
Enterprise Design System version 3.0 lands — a full rebuild from the previous service-agency aesthetic. Light and dark mode (no longer dark-only), single primary blue (#0EA5E9), Sora + Inter + JetBrains Mono type stack, custom SVG icon system, complete component library, skeleton loaders, empty states. Amber is now accent-only — reserved for pricing, upgrade flows, and premium contexts. Token discipline is enforced: no hard-coded hex values in component code.
- New — light mode across the entire platform and marketing site, with system-preference detection
- New — component library: data table, product nav, sidebar, cluster cards, dropdown, skeleton loaders, empty states
- New — type stack: Sora (display), Inter (body), JetBrains Mono (code & metadata)
- Changed — dual-primary palette retired. Single primary; amber accent-only
The first founding-customer agreement was executed today. A South African enterprise organisation in the legal sector becomes founding customer #1, with onboarding to RAG Studio scheduled within 5 business days. The customer name remains confidential under NDA. Onboarding follows the published guided session pattern: environment provisioned in af-south-1, founder-led setup, Slack Connect channel opened. 4 of 5 founding slots remain as of this entry.
The embeddable chat widget reaches feature-complete: configurable styling, system-prompt editor, domain whitelist, and a copy-paste embed snippet. Customers can now stand up a styled, branded RAG chat experience on their intranet, support portal, or internal tooling without writing any frontend code. The widget uses the same retrieval API and access controls as the rest of the product — no separate compliance posture.
- New — embeddable chat widget. Configure on /rag/[id]/deploy; embed via single <script> tag.
- New — chunk & embed configuration page. Live preview of how chunking strategy affects retrieved chunks.
- New — Confluence connector. Spaces and pages, including inline blocks.
- Improved — query latency. Average end-to-end query time down from 3.4 seconds to 2.8 seconds.
The public status page goes live at status.sonofgraig.com. Real-time uptime per service (RAG Studio query API, Agent Builder runtime, ingestion pipeline, auth, billing), historical incident log, and a subscribe-by-email option for status updates. Driven by synthetic checks running from inside af-south-1 every 60 seconds — not a vendor's cached snapshot.
A 5-minute essay walking through how sonofgraig priced its tiers in ZAR — the FX-risk reasoning, the local market reference points, and why "translate from USD" produces the wrong answer for South African enterprise procurement. Written for buyers preparing to defend ZAR-denominated SaaS spend to their CFO.
Magic-link email authentication is deprecated for new account sign-ups. Existing magic-link users continue working unchanged. New sign-ups default to Google SSO + MFA for individual accounts and SAML 2.0 SSO for organisation-managed accounts. The change reduces the credential-loss risk surface and aligns the platform with where enterprise auth is moving.
- Removed: Magic-link sign-up for new accounts
- Replaced by: Google SSO + MFA (individual) or SAML 2.0 SSO (org-managed)
- Existing users: No action required — magic-link sign-in continues to work for accounts created before this date
The Ragas evaluation dashboard ships on /rag/[id]/eval. Faithfulness, answer relevancy, context precision, and context recall metrics computed per query and aggregated over time. Customers can now define test query sets and watch metrics change as they iterate on chunking strategy, embedding model, and retrieval mode. Numbers, not adjectives.
- New — Ragas eval dashboard. Four standard metrics + custom thresholds.
- New — Google Drive connector via Airbyte. Sync schedules, OAuth scoped to selected folders only.
- New — Unstructured.io integration. Reliable text and table extraction from PDF, Word, PowerPoint, scanned documents.
- Improved — query tester UX. Inline citation hover-cards show the retrieved chunk in context.
SOC 2 Type I audit officially kicked off with a SOC 2-accredited assessor. Evidence collection runs through Q2; expected completion mid-2026 in line with Phase 1 closing milestones. SOC 2 Type II (the 6-month evidence period) starts immediately after Type I, targeting completion alongside the Phase 2 milestone of POPIA certification. Customers receive the SOC 2 report under NDA on request once issued.
- SOC 2 Type I: targeting completion mid-2026 — Phase 1 close
- SOC 2 Type II: Phase 2 milestone — with POPIA certification
- ISO 27001: Phase 3 deliverable
Agent Builder enters beta with the core surface live: visual canvas (React Flow), single-agent runtime (LangGraph), tool integration (Composio for Slack, Gmail, web search, code execution), test sandbox, and trace viewer. Available to founding customers only. This is the second product in Phase 1 — after RAG Studio — and the second of the four AI Dev Platform surfaces to ship. General availability targets Q1 2027.
- New — visual canvas. React Flow-powered drag-and-drop agent designer.
- New — LangGraph runtime. Stateful agent execution with checkpointing.
- New — tool integrations via Composio. Slack, Gmail, web search, code execution — ~200+ tools available.
- New — LiteLLM proxy. Anthropic Claude default; Google Gemini available on Growth.
- New — trace viewer & sandbox. Full execution trace logging from day one.
Hybrid retrieval ships — combining dense semantic search with BM25 keyword search for higher accuracy than either alone. Particularly meaningful for legal and policy documents where exact phrasing matters and semantic-only retrieval can miss precise terminology. The default retrieval mode for new knowledge bases moves from semantic-only to hybrid.
- New — hybrid retrieval (default). Dense semantic + BM25 sparse keyword fusion.
- New — sentence chunking strategy. Better for legal text where paragraph boundaries matter.
- Improved — per-tenant Qdrant collection naming. Convention now {org_id}_{kb_id} for clearer ops.
RAG Studio reaches general availability — the first SaaS product to ship on the sonofgraig platform. Three months from day one, in line with the published Phase 1 build sequence. The full surface is live: knowledge base list, ingestion pipeline (Drive, S3, direct upload), chunk & embed configuration, query tester, and a basic eval dashboard. Per-tenant Qdrant collections in af-south-1, end-to-end PII scrubbing, source citation on every answer.
The platform shell goes live: Auth.js with Google SSO, magic link, and session management; Stripe + Lago billing integration with Starter and Growth metering; Next.js shell with navigation, organisation creation, team invite, and API key management; Cloudflare WAF, rate limiting, and CDN at the edge. This is the foundation — every subsequent product (RAG Studio, Agent Builder, Governance Hub) sits on top of it.
- AWS EKS cluster setup via Terraform — af-south-1 region for POPIA compliance
- Supabase PostgreSQL — tenant schema, RLS policies, migrations
- Auth.js — Google SSO, magic link, session management
- Stripe + Lago — subscription billing with usage metering
- Cloudflare — WAF, rate limiting, edge caching
One email per significant release. Major version bumps, security advisories, policy changes, and Phase milestones — never patch-level noise. Always one click to unsubscribe. Or follow the RSS feed if that is more your style.