What's shipped, in order.

Material changes to the product and the public site. Internal-only refactors are not listed; user-visible behavior, security posture, and integration surface are.

2026-04-27

• Real-time card authorization webhook is live. The card-network real-time auth path now flows through the same identity / policy / budget / audit pipeline as the public /v1/authorize endpoint. End-to-end verified against sandbox cards: allow and deny paths both confirmed.
• HMAC signature verification added to the card-network webhook. Optional in sandbox (logs a warning), strict in production via LITHIC_REQUIRE_SIGNATURE=1.
• Public marketing surface published. /how-it-works, /threat-model, /compliance, /team, /security (+ /.well-known/security.txt), /docs/api, /changelog, and three Tier-1 articles on /blog. Shared design system in /site.css.
• Admin UI auto-polls the audit log every 2 seconds on Overview and Audit tabs; per-card "simulate webhook" button now displays the inline approve/decline result.

2026-04-09

• Lithic sandbox card issuing wired end-to-end. First real virtual card issued and frozen via the kill-switch path.
• Authorization hot path live: POST /v1/authorize walks the identity chain, evaluates policies, checks budgets, reserves on permit, writes the audit row.
• Hash-chained audit log shipped with single-call integrity verification at GET /v1/audit/verify.
• Admin UI v0.1 with identity tree, authorization tester, card management, audit log viewer, chain integrity verification.
• ledgerline.dev domain on Cloudflare. Holding page deployed.

What's next

Listed for transparency, not for commitment. Order is rough priority, not a roadmap.

• Cedar policy engine integration (replaces the current JSON evaluator)
• Public uptime monitoring on a credible third-party service (not a self-reported page)
• SOC 2 Type I attestation scoping (in progress with our auditor)
• SDK for TypeScript (today the API is REST + JSON only)
• Contract co-signing integration alongside card authorization
• ACH and wire-via-banking-as-a-service for non-card spend

If something on this page is wrong or out of date, write directly: [email protected].