What’s new on unidorms.ph

Two new pages: /help with 12 plain-English answers about the ₱2,500 model, the 24-hour fraud window, refund timelines, and cancellation tiers; and /about explaining the trust stack behind the marketplace.

Every page now shares with a branded preview card instead of a generic stock photo — /listing/[id] and /uni/[slug] generate per-resource cards (photo + name + price + verified-units count), and everything else uses a clean default card.

Search autocomplete on the homepage hero and global header — fuzzy matches universities, Metro Manila cities, and the building catalog. Typo-tolerant via Fuse.js so "ateno" still finds Ateneo.

After reserving, you now drop straight into the chat with your host. The Xendit success URL was rewired to deep-link the right conversation; the free-preview path auto-redirects after a brief confirmation flash.

Each conversation also gets a pinned listing card at the top — photo, building, type, monthly rent — replacing the old bare "📍 listing name" tag that had no detail.

Cancellation now posts a clear cancellation card into the chat thread with the actor, reason, refund split, and processing timeline. The thread visibly closes the booking loop instead of just going quiet.

Every host payout and student refund now goes through an admin-approval queue before Xendit fires. Even with a compromised key, money can't move without a human approval.

Admins are notified the moment something hits the queue, and the /admin?section=payouts surface shows pending items first.

Webhook signature verification is now constant-time, with a 5-minute event-age window and a webhook_events dedup table.

Enabled row-level security on every internal table — conversations, messages, buildings, refunds, webhook_events, notifications, admin_actions, and abuse_reports. The browser never touches these directly; service-role API routes are the only path in.

Hardened Supabase Storage: dropped seven broken policies that were silently never enforcing anything, kept the public buckets serving via CDN, and made every upload go through server-signed URLs.

Revoked EXECUTE on the two SECURITY DEFINER RPCs from the public role surface so they can't be invoked by anonymous clients.

/admin?section=ops now shows live webhook lag, payout/refund queue depth, cron run history with per-job counts, and 24-hour client error totals. Auto-refreshes every 30 seconds, pauses when the tab is hidden.

A full append-only audit log of admin actions (approvals, rejections, dispute resolutions, KYC decisions) is browsable at /admin?section=audit with filters by entity type and free-text search.

A root ErrorBoundary on the client catches React render errors, uncaught JS exceptions, and unhandled promise rejections — they're logged and aggregated for the dashboard.

Filipino students book primarily from phones, so we audited the public pages on iPhone SE through iPhone 13. Bumped tap targets on the message back button, listing report link, and inquiry chips above iOS HIG minimums.

Login / signup / inquiry inputs now use 16px on mobile to prevent iOS Safari's zoom-on-focus during the most conversion-sensitive flows.

The Compare tray respects iPhone safe-area-inset-bottom; the ReserveModal switches to 100dvh so the address bar can collapse without hiding the Continue button.

Reduced layout shift on /for-landlords with explicit width/height attributes; added dns-prefetch for Google Fonts.

Bookings tab on student dashboards now defaults to hiding cancelled and refunded reservations — the active list stays focused. A small chip surfaces the hidden count and one click reveals them.

Landlord Reservations tab defaults to the Active queue. History is one click away via the existing All / Completed / Cancelled chips.

Notification preferences are now grouped (Bookings, Conversations, Discover, Account, Money) with per-section toggles for granular control. Saves are debounced.

Sitemap now emits per-listing lastmod timestamps and filters to indexable statuses only. Canonical URLs are consistent across every page.

Structured data: Organization + WebSite with SearchAction on the homepage, CollectionPage with ItemList on /uni/[slug], FAQPage on /help, AboutPage on /about, and the existing Accommodation + BreadcrumbList on /listing/[id].

robots.txt points at the canonical sitemap; the <html> root now has lang="en" for accessibility + SEO.