Weekly Update - May 11, 2026

SSR confirmed, multilingual expansion, UI improved, and incident resolved

par Sam Rogers
11 min de lecture
update
i18n
security
technical
governance
Weekly Update - May 11, 2026

A big week under the surface. Localization functionalities have been expanded for Spanish, French, and Portuguese, and a newly refined testers onramp page gives beta testers an in-language path from production to the staging feedback environment. On the security side, a malware IOC scan workflow landed, an infected build file was replaced, and admin auth and assessment scoring were hardened across the stack. Content-wise, the week covered the Collaboration dimension, AI collaboration for contract attorneys, and a sharp analysis of why the AI training market is measuring the wrong thing.

One strategic update: the EU AI Act's high-risk AI compliance deadline moved to December 2027 (from August 2026), announced May 7 as part of the Digital Omnibus revision. That shift re-prioritizes our multilingual roadmap. We're focusing on Western Hemisphere languages — English, Spanish, and Portuguese — and targeting beta exit for all three this quarter. French and other European languages will follow in a later phase.

Content Published Last Week

Monday (May 4): "Weekly Update - May 4, 2026"

Tuesday (May 5): "The Collaboration Dimension" A guide to PAICE's Collaboration dimension — what it measures, why treating AI as a partner rather than a search engine is a distinct and scorable skill, and how to develop it.

Wednesday (May 6): "AI Collaboration for Contract Attorneys" How contract attorneys can build effective People+AI collaboration practices for document review, due diligence, and clause analysis — with a focus on the verification judgment that AI can't replace.

Thursday (May 7): "The Input Obsession" The AI training market is obsessed with inputs. Almost nobody measures whether people actually verify the outputs. That gap is where risk lives — and why prompt training without measurement is like safety training without incident reporting.

Friday (May 8): Video - "The Infrastructure Gap" An AI agent tried to buy something from your website this morning. It failed silently and moved on to your competitor. You never got an alert. 4-minute video on the distance between "optimized for humans" and "usable by agents."

Multilingual Expansion: Full Stack Ships

Blog Corpus: Spanish, French, and Portuguese Live

The full ES_MX, FR-FR, and PT-BR translation corpora shipped — 132 posts each, validated against structural pass criteria. The pipeline includes a local-first translation engine with Sonnet 4.6 fallback adapter that triggers on sentinel mismatch or heading drift, per-locale prompt guidance (FR: vous + masculine brand; PT-BR: você, reject tu), and per-file telemetry sidecars for cache auditability. Sonnet rescue rate across FR + PT was 95.7% (66 of 69 fallbacks resolved).

Language Picker: Waves 1+2 Shipped

The supported set is now EN, ES, FR, PT, UR, with all nine downstream tickets from the language picker spec shipped. Locale storage was migrated at app boot for backward compatibility. On the backend, a language_preference column landed with PATCH/GET endpoints, and magic-link authentication routes shipped with per-locale email templates for ES, FR, PT. Tokens are SHA-256 hashed, single-use enforced, and TTL-indexed. 28 frontend tests and 94 backend tests cover the new flows. About and Accessibility pages were translated into ES, FR, and PT. A pre-existing gap between each of the three non-English locale files was closed — all three locales are now at parity. A new script handles this automatically: it imports English, diffs against the target locale locally via Gemma4, and batches problematic areas through Sonnet 4.6 with "do not translate" terms preserved verbatim.

Multilingual Roadmap: Western Hemisphere First

On May 7, the EU Council reached a political agreement revising the EU AI Act's Digital Omnibus provisions, pushing the high-risk AI system compliance deadline from August 2, 2026 to December 2, 2027. That 16-month extension changes the calculus on European language prioritization.

We're updating our multilingual roadmap accordingly. The infrastructure we've built — translation pipeline, language picker, locale dictionaries, prerendered routes — already covers 3 European languages. The question is sequencing for beta exit. We're narrowing that focus: English, Spanish, and Portuguese are the Western Hemisphere languages where our current and near-term pipeline applies most directly, and we're targeting beta exit for all three this quarter. Other European languages will be prioritized in a later phase, timed closer to when EU compliance conversations heat up again. Or when we're expanding our customer base beyond North & South America.

Technical Improvements

Frontend Hosting Migration

We finally have the Server Side Rendering (SSR) functionality we needed, though it took migrating the frontend of our application to get it. This is a big win for SEO and for speeding up user experiences for any static content.

Security Hardening: Malware IOC Scan + Infected File Remediation

A GitHub Actions workflow for malware IOC scanning landed this week (Phase 6 of the security hardening program), alongside a hardened sitemap bot. Separately, a compromised file was identified and replaced with a clean version — a fast, targeted remediation. These changes reduce supply-chain risk and give the team automated detection for future IOC events. Though the timing of coinciding with our planned service migration was unfortunate, the process speaks for itself: our security practices are working.

Admin Auth and Assessment Scoring Hardened

Backend dependencies, admin routes, cohort routes, and token routes were refactored to tighten authentication boundaries. The assessment scoring flow received parallel hardening on both frontend and backend. 424 insertions across 13 files, with expanded test coverage to lock in the new behavior. Assessment and Backend eval test coverage was also expanded. The backend test suite now has an updated coverage configuration and a clean fixture hierarchy.

Pro Code Welcome Message and First-Message Interception

Pro codes are now surfaced in the welcome message across all five locales, giving new users immediate confirmation that their code is recognized. A first-message interception layer checks whether the user's first input looks like a promo code or license key before routing it to the normal chat flow: promo codes are validated client-side and respond with a confirmation; license keys are validated. If the input doesn't match a code pattern, the normal assessment flow begins without interruption.

A full cookie audit memo documents the findings: the backend sets zero cookies; the frontend sets zero cookies in any user-facing flow; PostHog uses localStorage persistence, not cookies. One functional auth-session cookie is now available to be set for authenticated users only (pending PAICE Pro v2 release later this month). The privacy policy was updated from "We do NOT use cookies" to accurate disclosure: anonymous users get zero cookies, authenticated users will get one functional session cookie. The security page was updated to "No tracking or advertising cookies." The privacy/security whitepaper was bumped to v1.2.0 with a cookie posture callout added to the executive summary. We like to make these kinds of policy updates before they're needed, not after.

Testers Onramp: In-Language Path from Production to Staging

Beta testers need a clear, branded path from production to the staging environment where in-assessment flag UI and feedback backend live. A new /testers page (and /<lang>/testers via existing path-prefix routing) explains the handoff in the user's language with consent framing, then a single CTA opens the staging testing landing page for the active locale. The production environment deliberately does not capture this feedback — testers must explicitly cross the boundary.

Platform Stability

This is the first week since exiting Research Preview in 2025 that we've had a service disruption. A malware incident coincided with our scheduled frontend deployment migration to our new hosting platform, resulting in intermittent downtime during the transition window. Some users who completed the assessment during the affected period did not receive their PAICE Score. Because our privacy-first architecture does not store conversation data in the production database, affected users needed to retake the 25-minute assessment — we understand that's a real cost and we're sorry for it. The malware was identified and remediated quickly, the deployment was stabilized, and all systems have been operating normally since. We've added automated IOC scanning to prevent recurrence.

The migration itself landed cleanly. SSR prerendering is confirmed working on our new hosts' static-site routing for all. All routes serve pre-rendered HTML with correct meta, hreflang, and structured data, as verified by the SEO eval suite against production.

The Week in Numbers

  • 5 blog posts published (1 dimension guide + 1 industry guide + 1 analysis + 1 video + 1 weekly update)
  • 50+ commits merged to main
  • 264 new translation cache files (FR + PT blog corpus complete)
  • 132/132 structural pass rate on PT-BR; 131/132 on FR-FR
  • 95.7% Sonnet rescue rate across fallback translations
  • 511/511 locale key parity across ES, FR, PT (209-key gap closed)
  • 133/133 ES site pages validated; 132/133 FR; 132/133 PT
  • 9 language picker tickets shipped (F2-F7, B1, B2) — 28 frontend + 94 backend tests
  • 4 per-locale magic-link email templates (ES, FR, PT, UR)
  • 878 insertions across locale dictionary parity + language picker backend (2 commits)
  • 797 insertions across security + auth hardening (2 commits)
  • 1,107 insertions across 15 files for blog translation frontend wiring
  • 132/132 routes SSR-confirmed on new app platform
  • 17 SPA-only routes fixed (were silently 404ing; now served via SPA shell copy)
  • Pro code welcome message + first-message interception shipped across all 5 locales
  • Full cookie audit complete; privacy policy updated; whitepaper bumped to v1.2.0
  • New /testers onramp page (+ /<lang>/testers) for beta tester handoff to staging
  • Malware IOC scan workflow live; infected build file remediated
  • 1 service disruption (malware + deployment migration overlap); resolved — first downtime since Research Preview exit in 2025

Why This Week Matters

Thursday's post on the input obsession is the sharpest argument we've made for why measurement matters more than training. The AI training market has built an entire industry around teaching people to write better prompts — and almost none of it measures whether those people actually verify what comes back. For compliance teams and governance leads, that asymmetry is the core of the risk argument: you can't audit intent, but you can measure behavior. That's what PAICE does, and that's the gap the post names directly.

The multilingual expansion is equally significant for organizations. PAICE now serves assessments in five languages — English, Spanish, French, Portuguese, and Urdu — with a translation pipeline that's validated, cached, and extensible. The language picker closes the loop on the user-facing side: users can now select their preferred language, have that preference persisted to their profile, and receive magic-link authentication emails in their locale.

The EU AI Act deadline shift is worth naming directly. The extension to December 2027 doesn't reduce the compliance pressure on organizations deploying AI — it changes the timeline on which European regulators will enforce it. For organizations in the Western Hemisphere, the relevant pressure is already here: AI is in workflows, governance is lagging, and measurement is the gap. That's where our roadmap focus goes this quarter. With Spanish, French, and Portuguese already covered (still in beta but with new functionality landing every week) and the 12+ European language expansion is infrastructure-ready, we plan activate more languages when the timing is right.

Thank You

Thank you to the team for a week that combined sharp content delivery with significant infrastructure work. The security remediation was fast and clean. The multilingual pipeline is a genuine engineering achievement. And to the contract attorneys, compliance leads, and governance professionals reading this week's posts — the frameworks are yours to use.

Get Involved:

📖 This Week's Posts:

📖 Previous Updates:

Curieux mais pressé ?

Faites le PAICE Pulse en 3 minutes — une vérification rapide qui cartographie votre perception de votre posture de collaboration IA. Aucune connexion requise.