---
title: "Week of May 8–15, 2026"
slug: "platform-update-2026-05-15"
date: "2026-05-15"
tag: "Application"
summary: "Watcher notification system, monetization UI with paywall configuration, agent sandbox management tabs, voice transcription abstraction, skills monetization platform, and comprehensive security hardening."
author: "ibl.ai Engineering"
---

## Frontend

### Watcher Notification System

- **AlertsTab Component** — new `AlertsTab` with full subscription management, event filtering, and notification preferences UI; backed by 1,000+ tests covering subscription CRUD, filter persistence, and real-time update flows
- **Notification Preferences UI** — per-user global preference controls with per-type toggles and tag-based filtering, surfaced through a unified preferences panel integrated into user settings

### Monetization UI

- **Paywall Configuration** — complete paywall management with `PaywallDetail` component for editing paywall rules, `PaywalledItemsList` for managing gated content, and `WizardStepIndicator` guiding administrators through multi-step paywall setup workflows
- **Skills Monetization Platform** — paywall guards for individual skills with 300+ Playwright end-to-end tests covering purchase flows, access control enforcement, and subscription state transitions

### Agent Sandbox Management

- **New Configuration Tabs** — added Settings, Sandbox, Skills, and Prompts tabs to the agent configuration panel with conditional visibility based on feature flags and user permissions, providing a structured interface for comprehensive agent customization
- **Responsive Navigation Improvements** — dynamic max-width constraints on LLM name display prevent overflow in constrained viewports, improving readability across screen sizes

## Backend

### Notification & Watching Infrastructure

- **Watched Groups CRUD Endpoints** — new `WatchedGroupViewSet` with full RBAC enforcement, inline watcher management, and user assignment controls; supports group-level subscription scoping for targeted notification delivery
- **Notification Preferences API** — per-user global preference storage with per-type toggle granularity and tag-based filtering, enabling fine-grained control over which events trigger notifications and through which channels

### AI & Agent Capabilities

- **Voice Transcription Provider Abstraction** — configurable transcription provider layer supporting OpenAI, Google, and Groq backends with automatic fallback on provider failure, decoupling transcription from a single vendor dependency
- **LangChain Tool Output Sanitization** — HTML stripping, content wrapping, and recursive sanitization applied to all LangChain tool outputs, preventing malformed or malicious content from propagating into agent responses
- **Message Content Validation** — agent message handler now rejects empty or whitespace-only messages with a 400 response before invoking LLM inference, reducing unnecessary compute and improving API predictability
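
A sketch of the three steps named in the LangChain Tool Output Sanitization item (HTML stripping, content wrapping, recursive sanitization), added here as an illustration and not taken from the ibl.ai code base. The function names, the envelope shape and `MAX_DEPTH` are assumptions, and the sample payload in the usage is constructed.

```python
import html
from html.parser import HTMLParser

MAX_DEPTH = 20  # assumed nesting limit; not a value from the release notes

class _TextOnly(HTMLParser):
    """Keeps text nodes; drops tags and the bodies of script/style."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def strip_html(text):
    parser = _TextOnly()
    parser.feed(text)
    parser.close()  # flush buffered trailing text
    # Entity-encoded markup decodes to "<...>" above; re-escape so it stays inert.
    return html.escape("".join(parser.parts), quote=False)

def sanitize(value, depth=0):
    """Recursively sanitize every string (keys included) in a tool result."""
    if depth > MAX_DEPTH:
        raise ValueError("tool output nested too deeply")
    if isinstance(value, str):
        return strip_html(value)
    if isinstance(value, dict):
        return {sanitize(str(k), depth + 1): sanitize(v, depth + 1) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [sanitize(v, depth + 1) for v in value]
    if value is None or isinstance(value, (bool, int, float)):
        return value
    return strip_html(str(value))  # unknown objects: stringify, then clean

def wrap_tool_output(tool_name, raw):
    # Hypothetical envelope marking the content as untrusted data.
    return {"tool": strip_html(tool_name), "trusted": False, "content": sanitize(raw)}
```

Re-escaping after stripping matters because a tool can return entity-encoded markup that would otherwise decode back into live tags one layer downstream.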

### Security Hardening

- **XSS Prevention in XBlocks** — `bleach.clean()` with an explicit tag allowlist applied to all XBlock-rendered HTML, preventing cross-site scripting via user-supplied course content
- **Email Template SSTI Protection** — `SafeEmailFormatter` with field-level validation replaces direct template rendering, blocking server-side template injection through email template fields
- **OAuth Account Takeover Hardening** — email verification requirements enforced on OAuth-linked account changes with audit logging of all account association events, closing account takeover vectors via social auth flows
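
To illustrate the Email Template SSTI Protection item: a formatter with field-level validation, written for this page as an example and not the project's `SafeEmailFormatter`. `StrictEmailFormatter`, `ALLOWED_FIELDS` and the field names are hypothetical; the point is that plain `str.format` on an editable template permits attribute and index traversal, which a flat allowlist removes.

```python
import string

# Hypothetical allowlist: field name -> validator for the value it may carry.
ALLOWED_FIELDS = {
    "first_name": lambda v: isinstance(v, str) and len(v) <= 80 and "\n" not in v,
    "course_title": lambda v: isinstance(v, str) and len(v) <= 200,
    "login_url": lambda v: isinstance(v, str) and v.startswith("https://"),
}

class TemplateFieldError(ValueError):
    """Raised when a template or a supplied value fails validation."""

class StrictEmailFormatter(string.Formatter):
    """Accepts only flat, allowlisted, validated fields."""
    def get_field(self, field_name, args, kwargs):
        # Reject traversal such as "user.__class__" or "cfg[KEY]", which is
        # what turns str.format into an object-graph reader.
        if not field_name.isidentifier():
            raise TemplateFieldError(f"traversal not allowed: {field_name!r}")
        if field_name not in ALLOWED_FIELDS:
            raise TemplateFieldError(f"unknown field: {field_name!r}")
        if field_name not in kwargs:
            raise TemplateFieldError(f"missing value: {field_name!r}")
        value = kwargs[field_name]
        if not ALLOWED_FIELDS[field_name](value):
            raise TemplateFieldError(f"invalid value for {field_name!r}")
        return value, field_name

    def convert_field(self, value, conversion):
        # "!r" and "!a" would expose object reprs.
        if conversion is not None:
            raise TemplateFieldError("conversions are not allowed")
        return value

    def format_field(self, value, format_spec):
        # Format specs can nest further fields and pad output; refuse them.
        if format_spec:
            raise TemplateFieldError("format specs are not allowed")
        return str(value)

def render_email(template, **values):
    """Render an editable template using only validated, allowlisted fields."""
    return StrictEmailFormatter().vformat(template, (), values)
```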

### OpenClaw Integration

- **Usage & Cost Data Exposure** — new `/usage/` and `/usage/full/` endpoints expose per-session OpenClaw usage and cost data with session attribution, enabling platform-level cost monitoring and per-tenant billing analysis

## Infrastructure

### Database & Backup Operations

- **TimescaleDB-Aware Backup Restoration** — backup restoration pipeline updated to handle hypertables and continuous aggregates, ensuring TimescaleDB-managed tables restore correctly without data loss or constraint violations
- **PostgreSQL Client Version Pinning** — explicit client version pins in backup tooling prevent silent client/server version mismatches that caused intermittent restore failures
- **Read Replica Kill Switch** — new operational control to suspend all read replica traffic during active restore windows, preventing stale reads and replica lag from affecting production queries during maintenance

## Documentation

- **Agent Sandbox Documentation** — comprehensive SDK docs for `SandboxConfig`, `AgentConfigPrompts`, and `AgentSkills` covering configuration schema, API contracts, and integration patterns
- **Enhanced Testing Guides** — updated guides covering E2E coverage tracking methodology, SSO auth setup for test environments, and Playwright test organization best practices
- **Security Assessment & Hardening Skills** — new security assessment skills with accompanying validation scripts for auditing XSS, SSTI, OAuth, and credential handling across platform deployments

## Deployment

- **Next.js Server-Side Deployment** — `iblai-app-cli` v1.4.0 adds auto-detection of Next.js server-side rendering requirements, selecting the appropriate deployment mode without manual configuration

## REST API — New Endpoints

- `GET /api/core/orgs/{org}/usage/` — OpenClaw session usage summary with cost attribution per session
- `GET /api/core/orgs/{org}/usage/full/` — full OpenClaw usage detail including model breakdowns and session metadata
- `GET/POST/PUT/PATCH/DELETE /api/core/orgs/{org}/watched-groups/` — watched group subscription management with RBAC
- `GET/PUT/PATCH /api/core/users/{username}/notification-preferences/` — global and per-type notification preference management
