What we shipped, when we shipped it.

Email-notification preferences + Square Connect verification

Owners now choose which platform emails they get from PrintFlow OS, and the Square customer-payment webhook now verifies merchant alignment before mutating order/payment state — closing the parity gap with the Stripe Connect hardening from earlier this week.

• New /admin/settings/notifications page: toggle first-sale celebrations, referral-earned, credit-applied, and PrintFlow OS billing emails. Defaults stay opt-in for backward compat
• Each owner-email helper short-circuits before composing HTML when the user opted out — no wasted compose+send round-trip
• Security-critical mail (password reset, suspicious-login alerts) always sends regardless of preferences
• Square webhook: verifies event.payment.merchant_id matches the tenant's stored Connect merchant before flipping payment status. Mismatch logs loudly and acks 200 (no DB write, no Square retry)

Password reset, 2FA for admins, and a much lighter signup form

Three pieces that round out account security and onboarding. Forgot-password actually works (was a real gap — owners with no recovery path), 2FA can be enabled from the admin settings page, and the public signup form drops to five visible fields with live shop-URL availability.

• Forgot-password flow: /forgot-password and /reset-password/[token]. HMAC-SHA256'd tokens at rest (DB leak doesn't replay), 1-hour TTL, single-use, auto sign-in on success. No enumeration leak — we always claim "if an account exists, link sent"
• 2FA: tenant admins now have /admin/settings/security with the full enable/QR/verify/backup-codes/disable flow. The login flow already understood 2FA_REQUIRED — this is the missing setup page
• Signup form: live ✓/✗ availability check on the shop URL field as you type, plus phone/industry/volume collapsed behind an "Optional details" disclosure. Visible required fields go from 8 to 5
• Latent fix: /api/start was missing from PUBLIC_PREFIXES so unauthenticated POSTs would have been 401'd; signup is now genuinely reachable for new prospects

Team invites with email + one-click data export + Stripe Connect routing

Three additions that round out the platform for real-world shop ownership: invite teammates by email instead of copy-pasting links, download a complete JSON snapshot of your data any time you want, and customer Stripe payments now flow to your connected Stripe account (not the platform).

• Tenant invites now send a branded email with an accept link — no more copy-pasting tokens. Recipients land on /invite/[token], sign in or register if needed, and one-click join the team
• Data export — /admin/settings/data-export downloads a full JSON snapshot: products with variants, orders, customers, coupons, branding. Encrypted credentials never included. You own your data and can prove it
• Customer Stripe checkouts route through each tenant's connected Stripe account (OAuth-bound) so funds land with you, not us. Webhook events verified against the Connect account and tenantId metadata before any DB write — defense-in-depth against misroutes

Stripe Connect, email deliverability rollup, and a complete referral loop

Three operational additions land together: Stripe-only shops can now connect with one click, platform staff has a single page showing which tenants have email at deliverability risk, and the referral program runs end-to-end without manual bookkeeping.

• Stripe Connect OAuth — Stripe-only shops connect via the same one-click flow we already had for Square. Manual secret-key paste still works as a fallback
• Email deliverability dashboard — one page lists every tenant whose SPF/DKIM didn't verify, plus the count of tenants with no email config at all (those fall back to platform SMTP)
• Referral auto-redemption — when your Square subscription invoice is paid, available credit deducts up to the invoice amount automatically; idempotent on webhook replays
• Owner email when credit is applied (invoice amount, credit, net charged, remaining balance)
• Owner email when a referred shop converts ("you earned $25, share your link again")
• Referral-credit widget on /admin home; platform-admin /admin/referrals dashboard for tracking unsettled Square refunds across tenants

WooCommerce migration

Bring your existing WooCommerce catalog into PrintFlow OS in one upload. The /admin/migration page now has tabs for Shopify and WooCommerce; same one-step flow, different parser under the hood.

• Handles Woo's row-typed format: simple, variable, and variation rows
• Preview before commit; idempotent re-imports update by slug
• Auto-creates an "Imported from WooCommerce" category to keep things organized

Refer & Earn affiliate program

Every shop now gets a unique referral link in /admin/settings/referrals. Share it with another print shop — when they sign up and convert to a paid plan, you earn $25 of platform credit toward your next bill.

• One-click Copy + native Web Share
• Live stats: clicks, signups, conversions, credit balance
• Self-referral and duplicate attribution blocked automatically

Notification inbox

The bell icon now opens a real notification feed. New orders, refunds, support tickets, and system events all surface here, scoped per-shop. The full inbox at /admin/notifications adds filters, mark-as-read, and link-out to the source.

First-order celebration + reorder reminders

Two automatic engagement loops. We email you when your shop receives its first paid order ("you made your first sale 🎉"). And a daily cron emails your dormant customers at 30, 60, and 90 days from your shop's domain — driving repeat revenue without manual outreach.

• Once-per-tenant celebration email with next-step CTAs
• Reminders sent through your tenant email transport (so the From: line is your domain)
• Each customer receives at most one reminder per bucket, ever

Per-tenant analytics — your data, only your data

The analytics dashboard now correctly filters every metric to your shop only. Previously, top products, revenue, RFM segments, and production stats aggregated platform-wide. Numbers are now real and yours.

Storefront templates + trial reminders + email DNS verify

Three operational additions. Pick from three storefront looks (Classic, Minimal, Bold) at /admin/settings/storefront. Trial-expiry reminders go out automatically 3 days and 1 day before your trial ends. Email integrations now verify SPF + DKIM at your sender domain so messages reach the inbox, not spam.

Shopify product migration

Upload a Shopify products CSV at /admin/migration → preview the parsed catalog → click Import. Titles, descriptions, vendors, variants with options, prices, and image URLs all come over. Re-running with an updated CSV updates products in place, never duplicates.

Custom domain + Vercel SSL automation

Point your own domain (shop.yourbrand.com) at your storefront from /admin/integrations/domain. Add the TXT and CNAME records we show you, click Verify, and we automatically attach the domain to our hosting platform — SSL provisions in minutes.

Square OAuth — one-click connect

No more digging through Square Developer Dashboard for an access token. Click "Connect with Square", authorize on Square's consent screen, and you're done. Refresh tokens are stored encrypted; the platform auto-refreshes before access tokens expire.

SaaS billing — pay PrintFlow OS via Square

Self-serve subscription management at /admin/settings/billing. Card details are tokenized by the Square Web Payments SDK and never touch our server. Subscribe / cancel / change plan / update card all live in the admin.

Per-tenant payments, email, and shipping

Customer payments route to YOUR Square account. Order emails come from YOUR domain. Shipping labels charge YOUR Shippo. The platform never holds your money. Connect each at /admin/integrations/{payments,email,shipping}.

• AES-256-GCM encryption for stored credentials
• Per-tenant configuration; the platform stays out of the money flow
• SMTP, Resend, and Postmark email transports supported

Self-serve trial + 6-step onboarding

The new /start form provisions a tenant + 14-day free trial in one click — no admin approval. The wizard at /app/onboarding walks owners through branding, first product, pricing, payment connect, email connect, and publish.

Three-theme marketing site + tenant-aware storefront branding

printflowos.org marketing now defaults to Executive Light (Stripe/Linear feel). Toggle to Premium Purple or Dark Command Center; preference persists. The storefront layout reads each tenant's name, logo, and primary color from the host so your shop looks like yours, not ours.

Tenant data isolation — foundational

Every catalog, order, customer, admin write, and analytic is now strictly scoped to the calling tenant. printflowos.org and uchooseweprint.com cannot see each other's data. ~95 unsafe default-tenant fallbacks removed; admin write paths now use tenant-scoped findFirst.