Spring 2026 — Workflow Maturity, Passwordless Login & Collaboration
KanCAT v1.0 closes out the spring 2026 release wave with two months of work in one shipping window: passwordless login, multi-role linguist profiles, configurable workflow checkpoints, in-task collaboration, timezone-aware deadlines, a redesigned organisation settings area, and a new home page that walks visitors through the workflow one stage at a time. This release also lays the groundwork for the Introducer programme — a revenue-share model for translators who refer KanCAT to other agencies.
Added
Passkey / WebAuthn login. Sign in to KanCAT with Touch ID, Face ID, Windows Hello, or a hardware security key. A passkey counts as a second factor, so users with a passkey enrolled skip the TOTP prompt entirely. PMs and owners can require passkey enrolment for their whole organisation; SUPER_ADMIN accounts on the platform are required to enrol.
Email-first login picker. Start by entering your email; KanCAT then shows the right next step — passkey, password, or both — instead of stacking every option on one screen.
Multi-role linguists. A single linguist account can now hold multiple roles at once — TRANSLATOR, EDITOR, LQA — and be assigned per task in the role that fits the brief. Vendor invoices and per-linguist KPIs respect the role the work was performed in.
Configurable workflow checkpoints. A new CHECKPOINT column type lets PMs insert review gates anywhere between workflow stages. Tasks pause at a checkpoint until a PM explicitly clears them — ideal for client sign-off, final QA, or compliance review steps.
Task comments with @mentions. Discuss a task directly on its card. @-mention teammates to pull them in; mentions raise unread badges on the recipient's mention feed. Linguist names are privacy-masked from other linguists by default.
Timezone-aware due dates. Tasks now carry a precise dueDateTime (date + time) rather than a date-only field, with the linguist's timezone honoured throughout the calendar picker, deadline filters, and SLA cron. No more "due Friday" arguments across continents.
4-tab organisation settings. Organisation, Boards, Customers, and Language Pairs each have their own settings tab. Owners can also set a default board for new projects, an organisation-level VAT rate, and a registration number that flows into branded invoices.
T&C acceptance tracking. New users see an explicit acceptance line at registration and on invite acceptance. We record the timestamp and IP — useful for GDPR and audit-trail evidence.
Member consent flows. Invited team members get a clean accept / reject page with a clear summary of which organisation is inviting them and what role they're being asked to take.
Linguist self-export. Linguists working on a task can export the bilingual file directly from the task detail header, without asking the PM. XLIFF export remains tier-gated; CSV/DOCX export is available to everyone with task access.
Introducer programme (beta). Refer KanCAT to an agency or translator and earn recurring commission for 12 months — 20% for LSP referrals, 10% for freelancer referrals. The dedicated /referrals page details how commission is calculated and paid, with a public-facing legal document covering eligibility and payout terms.
New animated home page. The home page now walks visitors through the six-stage translation workflow — Quote → Assign → Translate → QA → Deliver → Invoice — as a scroll-driven sequence of dock-style windows that minimise into the left-rail stage navigator. Built with respect for prefers-reduced-motion; mobile and reduced-motion users see the same content as a clean stacked timeline.
Improved
Subscription payment reminders and grace period. Pre-renewal banners appear seven days and one day before the charge. A short grace period after a failed charge keeps work accessible while the billing email loop runs; dunning emails go out at sensible intervals instead of all at once.
CAT editor multi-stage access control. The editor now correctly enforces who can see and edit what at each workflow stage, including read-only views for PROPOSED linguists and save-then-lock semantics after a task moves into Accounting.
Export UX. Export controls moved from the kanban card into the task detail header — easier to discover, with the file format options grouped by tier.
Admin panel polish. All entity IDs are click-to-copy. Platform admins get a hardened bootstrap script for first-run setup.
Smoother on-page scrolling. Site-wide smooth scroll powered by Lenis, with a much snappier feel than native (lerp 0.07, 0.7s settle). Respects prefers-reduced-motion.
Production deployment. KanCAT is now running on Railway with hardened Docker, lazy environment reads, a fresh argon2 build pipeline, and a graceful Playwright degradation path for environments without browsers.
Security
Step-up authentication for sensitive actions. Changing your email, disabling TOTP, deleting your account, or rotating your password now requires a freshly proven session via passkey or password — independent of how long you've been signed in.
Multi-tenant isolation hardening. A sweep across mentions, export, customer, and stage-gate routes closed several cross-org read paths discovered during the security audit. JWT claims are now re-verified on every privileged route.
Rate limiting for auth surfaces. Passkey, step-up, and email-resend endpoints each have their own rate-limit bucket — abuse on one cannot starve the others.
Mandatory passkey for platform admins. SUPER_ADMIN accounts cannot operate without an enrolled passkey, eliminating the password-only attack surface for the highest-privilege role.
Last-admin guard. You cannot delete, deactivate, or downgrade the last remaining SUPER_ADMIN — the API refuses the change with a clear error.
Audit log V2 coverage. Twelve new event types added for passkey enrolment, step-up, role changes, and checkpoint approvals. The full audit catalogue now covers 100+ events with 7-year retention on Team Pro and Enterprise.
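The step-up authentication entry above, sketched as an added example (not KanCAT's code): a sensitive action is gated on the age of the last identity re-proof, not on how old the session is. The action names, the `session.stepUp` shape and the 5-minute window are assumptions.

```javascript
// Added example with hypothetical names; not KanCAT source code.
const STEP_UP_MAX_AGE_MS = 5 * 60 * 1000; // assumed freshness window
const SENSITIVE_ACTIONS = new Set([
  "change_email", "disable_totp", "delete_account", "rotate_password",
]);
const ACCEPTED_METHODS = new Set(["passkey", "password"]);

// Decide whether `action` may proceed. Only `session.stepUp` (set when the
// user re-proves identity) is consulted; sign-in time is ignored on purpose.
function authorizeAction(session, action, nowMs) {
  if (!SENSITIVE_ACTIONS.has(action)) {
    return { allowed: true, reason: "not_sensitive" };
  }
  const proof = session.stepUp;
  if (!proof) return { allowed: false, reason: "step_up_required" };
  if (!ACCEPTED_METHODS.has(proof.method)) {
    return { allowed: false, reason: "method_not_accepted" };
  }
  const ageMs = nowMs - proof.atMs;
  // A timestamp in the future is rejected as well as a stale one.
  if (!Number.isFinite(ageMs) || ageMs < 0 || ageMs > STEP_UP_MAX_AGE_MS) {
    return { allowed: false, reason: "step_up_expired" };
  }
  return { allowed: true, reason: "fresh_step_up" };
}

// Constructed sample sessions (not real data).
const NOW = Date.UTC(2026, 4, 1, 12, 0, 0);
const DAY_MS = 24 * 60 * 60 * 1000;
const sessions = {
  justSignedIn: { signedInAtMs: NOW - 1000, stepUp: null },
  oldButReproved: {
    signedInAtMs: NOW - 30 * DAY_MS,
    stepUp: { method: "passkey", atMs: NOW - 60 * 1000 },
  },
  staleProof: {
    signedInAtMs: NOW - DAY_MS,
    stepUp: { method: "password", atMs: NOW - 20 * 60 * 1000 },
  },
  totpOnly: {
    signedInAtMs: NOW - DAY_MS,
    stepUp: { method: "totp", atMs: NOW - 1000 },
  },
};

for (const [name, s] of Object.entries(sessions)) {
  console.log(name, authorizeAction(s, "delete_account", NOW));
}
```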
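The rate-limiting entry above, as an added example and not KanCAT's implementation: a fixed-window limiter keyed by surface and client, so exhausting one bucket leaves the others untouched. The surface names, the limits and the `createLimiter` helper are assumptions.

```javascript
// Added example with hypothetical names and limits; not KanCAT source code.
const LIMITS = new Map([
  ["passkey", { max: 10, windowMs: 60_000 }],
  ["step_up", { max: 5, windowMs: 60_000 }],
  ["email_resend", { max: 3, windowMs: 600_000 }],
]);

function createLimiter(limits) {
  // One counter per (surface, client) pair: nothing is shared across surfaces.
  const counters = new Map();
  return function check(surface, clientKey, nowMs) {
    const limit = limits.get(surface);
    // Fail closed: an endpoint without a configured bucket is a config bug.
    if (!limit) throw new Error(`no rate-limit bucket for surface: ${surface}`);
    const key = `${surface}:${clientKey}`;
    let counter = counters.get(key);
    if (!counter || nowMs - counter.windowStart >= limit.windowMs) {
      counter = { windowStart: nowMs, count: 0 };
      counters.set(key, counter);
    }
    if (counter.count >= limit.max) {
      const retryAfterMs = counter.windowStart + limit.windowMs - nowMs;
      return { allowed: false, retryAfterMs };
    }
    counter.count += 1;
    return { allowed: true, retryAfterMs: 0 };
  };
}

// Constructed scenario: one client hammers email-resend, then tries a passkey login.
function demo() {
  const check = createLimiter(LIMITS);
  const client = "203.0.113.7"; // documentation-range address, constructed
  const t0 = 1_000;
  const resend = [];
  for (let i = 0; i < 4; i++) {
    resend.push(check("email_resend", client, t0 + i * 250));
  }
  const passkey = check("passkey", client, t0 + 1_000);
  const afterWindow = check("email_resend", client, t0 + 600_000);
  return { resend, passkey, afterWindow };
}

console.log(JSON.stringify(demo(), null, 2));
```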
Fixed
Auth-pipeline codemod across 160 sites to support the multi-role linguist shape — no more legacy single-role assumptions in services or tests.
TaskCommentMention.readAt schema drift patched so mention-read state persists correctly across sessions.
Vendor board correctly freezes when an organisation is suspended — vendors keep read access to past work but cannot accept new tasks.
Notification scoping bug where a notification could leak across organisations in rare race conditions.
Mobile menu z-index and dark-mode contrast fixes following user reports.
Known Issues
Website translation CDN delivery is still in early access — heavy bidirectional content (RTL languages with complex inline tags) can produce visible reflow on initial render. A dedicated fix is in the v1.1 backlog.
Notification fan-out for very large agencies (>200 linguists) can take a few seconds to settle on the recipient's mention badge. Acceptable for now; queue-based fan-out is planned.
The passkey enrolment flow on iOS 17 has an extra confirmation tap that Apple introduced and has not yet removed.