Changelog
Track every update, new feature, and improvement to the EchelonGraph platform.
v1.13.1 (2026-05-07)
Tier 3 Browser SDK hardening — production-readiness review
- New Feature: Backend admin write endpoint for tenant_zk_config — PUT /api/v1/zk/config + DELETE /api/v1/zk/config (admin RBAC, 16 KiB body cap, per-provider validation: HTTPS-only Vault addr, AWS region+ARN regex, GCP key-resource-path regex). Closes the gap where T3.11 created the table but only shipped GET, leaving customers unable to configure their KMS provider via API.
- Improvement: Single-flight credential refresh in AWS + GCP Browser SDK providers — concurrent unwrapDek() calls during the expired-credentials path now share one in-flight Promise instead of fanning out N STS / OAuth getter invocations under burst load.
- Security: HTTPS-only endpoint validation on Vault addr, AWS endpoint, GCP endpoint — rejects http:// and malformed URLs at provider construction; error messages redact URL paths so vault paths don't leak into dashboard error toasts.
- Improvement: AbortSignal end-to-end plumbing — DecryptInput.signal flows through KMSProvider.unwrapDek to fetchWithTimeout. Caller aborts surface as DOMException(AbortError) and bypass retry; internal timeouts stay retryable.
- Security: dispose() lifecycle on all Browser SDK providers — Local zeroes byok; Vault clears cached token; AWS/GCP clear cached creds + in-flight gate. React useZkDecrypt hook calls dispose on component unmount, options-key rotation, and resetProvider() so cached tokens don't outlive the component.
- New Feature: 21 new unit tests covering the hardening pass — 111 total Browser SDK tests passing.
v1.13.0 (2026-05-07)
T3.13 Browser SDK — GCP Cloud KMS provider
- New Feature: GCPProvider full implementation — hand-rolled REST against cloudkms.googleapis.com/v1/{keyName}:decrypt with Authorization: Bearer <oauth-access-token>. ~3 KB gzipped for GCP-only customers (no @google-cloud/kms dependency, ~200 KB+ of gRPC-Web + protobuf avoided).
- New Feature: Wire-compatible byte-for-byte with the Go agent's kms_gcp.go — agent stores wrapped DEK as UTF-8 bytes of Cloud KMS's base64 ciphertext; browser decodes → POSTs back as {ciphertext: <b64>}; response {plaintext: <b64>} → 32-byte DEK. No additionalAuthenticatedData (AAD bound at AES-GCM layer).
- New Feature: Auth out-of-SDK — dashboard fetches OAuth access token (scope cloudkms) via Google Identity Services, Workload Identity Federation, or any token broker. SDK accepts either static GCPCredentials {accessToken, expiresAt?} or async getter; auto-refreshes within 60s of expiresAt.
- Improvement: Production hardening: retry on 429 RESOURCE_EXHAUSTED + 5xx; no retry on 401 UNAUTHENTICATED / 403 PERMISSION_DENIED → kms_auth_failed; no retry on 400 INVALID_ARGUMENT / 404 NOT_FOUND → kms_unwrap_failed; 15s timeout via AbortController; 64 KiB response cap; plaintext-cap before base64 decode; 32-byte DEK length check; atomic counters; regional + VPC SC perimeter endpoints supported.
- New Feature: All three KMS providers (Vault / AWS / GCP) are now live for the multi-cloud customer. The browser-side ZK decryption path is feature-complete.
v1.12.0 (2026-05-07)
T3.12 Browser SDK — AWS KMS provider
- New Feature: AWSProvider full implementation with hand-rolled SigV4 signer — Web Crypto HMAC-SHA256 derivation chain (kDate → kRegion → kService → kSigning); ~7 KB gzipped for AWS-only customers (no aws-sdk-js dependency, ~150-300 KB avoided).
- New Feature: Wire-compatible byte-for-byte with the Go agent's kms_aws.go — no EncryptionContext (AAD bound at AES-GCM layer); UTF-8 → base64 CiphertextBlob round-trip via KMS Decrypt.
- New Feature: Auth out-of-SDK — dashboard fetches STS credentials via Cognito Identity Pool federation, AssumeRoleWithWebIdentity, or IAM Roles Anywhere. SDK accepts either static AWSCredentials {accessKeyId, secretAccessKey, sessionToken?, expiresAt?} or async getter; auto-refreshes within 60s of expiresAt. Long-term IAM-user creds also work (no sessionToken).
- Improvement: Production hardening: retry on 5xx + 429 (Throttling); no retry on 401/403 → kms_auth_failed; no retry on 400 InvalidCiphertextException → kms_unwrap_failed; 15s timeout via AbortController; 64 KiB response cap; plaintext-cap before base64 decode; 32-byte DEK length check; atomic counters; FIPS / VPC endpoints supported via config.aws.endpoint.
v1.11.0 (2026-05-06)
T3.11 Browser SDK — Zero-Knowledge customer-side decryption
- New Feature: TypeScript Browser SDK at frontend/src/lib/zkdecrypt/ using Web Crypto API (crypto.subtle). Wire format mirrors the Go SDK byte-for-byte: byte 0 = version, bytes 1-4 = wrappedLen LE uint32, then wrapped DEK + 12-byte nonce + ciphertext + 16-byte AEAD tag.
- New Feature: Vault Transit provider fully implemented — OIDC token via X-Vault-Token; retry-with-backoff on 5xx/429; no retry on 401/403/400; 15s timeout; 64 KiB response cap; atomic counters.
- New Feature: Tree-shakable provider architecture via lazy dynamic imports — a Vault-only customer ships ~5 KB gzipped; AWS / GCP stubs are not pulled into the bundle unless tenant config selects them. (T3.12 / T3.13 fill in the AWS / GCP providers.)
- New Feature: Backend GET /api/v1/zk/config endpoint (license-gated by zk_browser_decrypt feature claim). Persisted-but-disabled returns {enabled: false} — not 403 — so the dashboard always renders without leaking auth shape.
- New Feature: Migration 045 applied to prod CloudSQL: tenant_zk_config table (tenant_id PK, enabled bool, provider enum {local,vault,aws,gcp}, config JSONB) + partial index on enabled=true.
- New Feature: Marketing site adds /docs/tier3-zk-decryption (Browser SDK quick-start + auth flows + error codes + bundle size + Go SDK quick-start + KEK fetching commands + wire format + threat model + license gate).
- New Feature: ZkSdkError discriminated union with 12 stable codes (envelope_too_small, envelope_version_unsupported, envelope_malformed, wrapped_dek_invalid, kms_unwrap_failed, kms_auth_failed, aes_gcm_decrypt_failed, config_disabled, config_missing, no_subtle_crypto, etc.).
- New Feature: React hooks: useZkConfig(jwt) fetches the tenant config; useZkDecrypt(config, options) returns a memoised decrypt + error-surface API.
v1.10.1 (2026-05-06)
T3.10 hardening — Enterprise GA-prep drift fix-ups
- Bug Fix: Grafana dashboard + PrometheusRule alerts metric prefix — referenced tier3_* but the agent exposes echelongraph_tier3_*. Rebuilt dashboard against the 42 actually-exposed series; rewrote 12 alerts to use only actually-exposed metrics.
- Bug Fix: Customer deployment guide verify commands — replaced kubectl exec curl/bpftool (distroless image has no shell) with kubectl port-forward + netshoot-pod fallback.
- Bug Fix: Air-gap bundle README placeholder — clarified that docker save preserves the original image tag, customers re-tag to their private registry.
v1.10.0 (2026-05-06)
T3.10 — Enterprise Packaging & GA-prep
- New Feature: CHANGELOG.md (Keep a Changelog format covering all phases T3.0 → T3.9), UPGRADING.md (version compatibility matrix + migration list 041-044 + breaking-change notice for v3.0.0), docs/TIER3_DEPLOYMENT.md (customer Helm install + air-gap guide + troubleshooting catalog + observability setup + DB migration playbook), docs/TIER3_BACKUP_RESTORE.md (Postgres + ClickHouse export/import + RTO/RPO matrix).
- New Feature: PrometheusRule with 12 production alerts at deploy/prometheus/alerts.yaml (eBPF detach, circuit breaker open, high RSS, KMS healthcheck failing, ingester unreachable, anomaly engine panic spike, rotation failure spike, audit log write failure, license expiring, remediation apply pending, compliance score dropped).
- New Feature: Grafana overview dashboard at deploy/grafana/echedeep-overview.json (6 row groups: Health, Detection, Threat Intel, Remediation, KMS, Compliance; ~20 panels).
- New Feature: scripts/airgap-bundle.sh — air-gap image+chart+observability bundle creator with zstd compression and optional --include-ioc IOC snapshot.
v1.9.0 (2026-05-06)
T3.9 — Custom Compliance Framework Builder
- New Feature: Backend-only phase, shipped production-grade in a single commit. New core-backend/internal/compliancecustom/ with Postgres-backed Store + tenant-scoped fiber handler at /api/v1/compliance/custom/*. Migration 044 adds three tables: custom_frameworks (versioned, status flow draft → published → archived), custom_controls (hierarchical with severity/weight), control_rule_mappings (control → EchelonGraph rule_id).
- New Feature: Built-in template library: DORA (5 controls), NIS2 (10 controls), CMMC 2.0 (14 domains), FedRAMP Moderate (17 families) — clone via POST {from_template: "DORA"}.
- New Feature: Score calculator: weighted pass/fail/NA per control with non-linear severity weighting (1× CRITICAL outweighs 2× LOW). JSON import/export for portability.
- New Feature: Admin RBAC enforced on writes; immutable-once-published with version flow on edit. 16 unit tests covering validation, templates, JSON round-trip, severity weights, constants.
v1.8.0 (2026-05-06)
T3.8 — Hardware KMS & Key Management
- New Feature: AWS / GCP / Vault providers shipped production-grade in a single commit. AWS uses hand-rolled SigV4 (auditable, ~80 LOC, no aws-sdk-go-v2 dep); GCP uses REST + auto-refreshing OAuth from GCE metadata server; Vault uses Transit engine REST + token auth.
- New Feature: RotatingProvider rotates DEK every 24h OR 1M events (async; preserves prior DEK on rotation failure).
- Improvement: Per-provider TLS 1.2 floor + retry-with-backoff (5xx + 429 only; 4xx fails fast) + body-size caps (16 KiB wrapped DEK, 64 KiB response) + atomic counters + structured slog. Setup guide at docs/TIER3_KMS_SETUP.md.
v1.7.0 (2026-05-06)
T3.7 — Auto-Remediation via IaC Patches
- New Feature: New internal/master/remediation/ package shipped production-grade in a single commit. Patch generation engine with 9 templates (K8s NetworkPolicy/PodSecurity/RBAC/Capabilities + Terraform AWS SG/S3/IAM/CloudTrail/RDS); strict-substitution layer that hard-fails on missing variables (no broken IaC).
- New Feature: GitHub App PR client (full flow: get base ref → create branch → commit → open PR) with TLS 1.2 floor + retry-with-backoff + panic recovery + atomic counters. Slack incoming-webhook client with severity-coded formatting.
- New Feature: Engine modes: dry-run (default) / pr / approval / auto-gated (license + RequiresReview hard-block). Migration 043: remediation_patches audit table + status transitions + actor tracking.
- New Feature: REST: GET /api/v1/remediation/t37/{history,history/:id,stats}; admin-only POST /approve/:id and /rollback/:id.
v1.6.0 (2026-05-05)
T3.6 — Threat Intelligence Feeds
- New Feature: New internal/threatintel/ package with IOC store (IPs/CIDRs/domains/SHA-256/MD5/CVE), feed loaders (abuse.ch URLhaus + Feodo Tracker + CISA KEV), STIX 2.1 parser + TAXII 2.1 client (bearer auth, body-cap), DGA detector (entropy + vowel/consonant ratio + bigram analysis).
- New Feature: Refresh manager (TIER3_THREAT_FEED_INTERVAL_SEC; TIER3_AIRGAPPED for offline customers; TIER3_CUSTOM_FEED_URL for private STIX bundles).
- New Feature: Wires into the T3.5 Enricher seam → IOC matches bump anomaly severity to CRITICAL. Wires into the T3.3 ShadowAPI ThreatIntelMatcher → known-bad hosts surface as HIGH.
- New Feature: Core-backend exposes /api/v1/threat-intel/iocs and /api/v1/threat-intel/matches (tenant-scoped, fiber).
v1.5.5 (2026-05-05)
T3.5 — ML Anomaly Detection Engine
- New Feature: Statistical z-score + EWMA + seasonal baselines, 24h rolling window, 1-min buckets, per-NS warm-up, LRU eviction, atomic gob persistence.
- New Feature: 4 detection rules (traffic_spike, new_destination, api_pattern, off_hours) with MITRE map + confidence score 0..1; per-rule rate limiter + per-rule emit/throttle counters.
- New Feature: /api/v1/anomalies REST routing; frontend AnomaliesPage; migration 042 partial index.
v1.5.3 (2026-05-04)
T3.4 — Process Monitoring & Syscall Tracing
- New Feature: Process pipeline (tree + 24h namespace-scoped baseline + sensitive-path watchlist + 5 detection rule families with MITRE mapping); stable finding IDs; ReportVulnerability gRPC emit.
- New Feature: GET /api/v1/runtime/findings + /stats REST; frontend RuntimeFindingsPage with severity/category/MITRE columns + drawer.
v1.5.2 (2026-05-04)
T3.3 — Shadow API Discovery (GA-1)
- New Feature: Parser/inventory/detector with ThreatIntelMatcher hook for T3.4. h2c hybrid ingester, TLS auto-detect on :443. GET /api/v1/shadow-apis + /stats + PUT /:id/acknowledge REST endpoints.
- New Feature: ShadowApisPage frontend (table + filters + drawer + acknowledge), 6F5 lane tests.
- Improvement: HTTP/1.1, HTTP/2, gRPC, GraphQL, WebSocket, TLS-SNI parsing. OpenAPI-vs-discovered classifier. DiscoverShadowAPI gRPC emission to Master → ingestion processor → shadow_apis table.
v1.4.0 (2026-04-30)
T3.2 — PII Auto-Stripping & Zero-Knowledge Pipeline
- New Feature: pii.Stripper (HTTP creds + PCI/PHI hash + JWT + custom rules) — 11 default rules. Custom JSON rules supported.
- New Feature: Envelope encryption: per-event AES-256-GCM DEK + 96-bit counter nonce + KMS provider interface.
- New Feature: Customer SDK sdk/zkdecrypt (Go) for server-side decryption — Lambda, Cloud Run, on-prem worker. Open-source under Apache 2.0.
v1.3.1 (2026-04-25)
T3.1 — eBPF Engine Hardening & Multi-Hook
- New Feature: Three eBPF C programs (XDP + TC + tracepoints) shipped via cilium/ebpf loader.
- New Feature: Safety scanner + port-filter map. Per-CPU kernel-stat aggregation. Decoder pool. PII hook.
- New Feature: Kernel verifier compliance + 26 new unit tests.
v1.0.0 (2026-04-20)
T3.0 — Tier 3 EcheDeep agent — initial deploy
- New Feature: Helm chart at deploy/helm/echelongraph-tier3/ with Master Deployment + Tentacle DaemonSet + RBAC + ConfigMap + Secret + NetworkPolicy + PodDisruptionBudget. Published to oci://ghcr.io/echelongraph/echelongraph-tier3.
- New Feature: Zero-knowledge ingest pipeline live in prod. Cloud Run h2c hybrid handler at ingest.echelongraph.io:443.
- New Feature: Tier 3 EcheDeep agent — eBPF runtime security for Kubernetes. Customer-managed encryption (BYOK with AWS KMS, GCP Cloud KMS, or HashiCorp Vault Transit). Distroless agent image; no shell, no curl, minimal CVE surface.
v0.9.5 (2026-04-11)
Production Scanner Pipeline & Findings Persistence
- New Feature: End-to-end scanner→findings pipeline: Scanner discovers assets, evaluates 440+ rules, reports via gRPC to Ingester, persists to PostgreSQL + Neo4j via NATS
- New Feature: VulnConsumer: new NATS JetStream consumer that batch-writes telemetry.vuln findings to PostgreSQL findings table with auto-classification and SLA tracking
- New Feature: FindingsWriter: PostgreSQL persistence layer with CVSS scoring, blast radius estimation, risk scoring, and auto-generated remediation steps
- New Feature: Scan Trigger API: POST /api/v1/scans/trigger — tenants can trigger cloud scans from the Dashboard UI
- New Feature: Cloud Run Job deployment for Tier 1 scanner with per-tenant isolation and GCP service account permissions
- Improvement: Dashboard now shows real scan data: 76 assets discovered, 212 findings (12 critical, 59 high, 132 medium) from actual cloud infrastructure
- Improvement: Alerts pagination: removed hardcoded LIMIT 50, now uses query parameter with default 200
- Improvement: Findings query limit increased from 200 to 2000 to prevent truncation of real scan results
- Security: Removed direct PostgreSQL bypass from scanner — all findings flow through the proper Ingester→NATS→Processor pipeline for full data integrity
- Security: Ingester deployed on Data VM alongside NATS for secure internal gRPC communication without public exposure
- Bug Fix: Fixed count mismatch: Alerts UI showed 200 instead of 212 due to hardcoded query limits
- Bug Fix: Removed dummy seed migration (020_seed_admin_findings) — all findings must come from actual scanner runs
v0.9.4 (2026-04-11)
Scanner Hardening & CVE Correlation Engine
- New Feature: CVE Correlation Engine: matches scanned cloud assets against known CVEs (Kubernetes, PostgreSQL, MySQL, Node.js, Python, Go, Nginx)
- New Feature: GCP Cloud Run scanner: discovers services, ingress, VPC connector, service account, scaling, CMEK
- New Feature: GCP Cloud Armor scanner: WAF policies, OWASP rules, rate limiting, geo-blocking, adaptive protection
- New Feature: GCP Cloud DNS scanner: DNSSEC status, wildcard records, zone configuration
- New Feature: GCP Secret Manager scanner: secret discovery, rotation labeling, replication audit
- New Feature: 16 new GCP security rules: Cloud Run (7), Cloud Armor (4), DNS (3), Secret Manager (2)
- Improvement: Total scanner rules increased to 440+ across AWS (224), GCP (130), Azure (72)
- Improvement: Three-phase scan pipeline: misconfig detection → CVE correlation → attack path analysis
- Improvement: Enhanced scan summary with per-phase metrics (assets, findings, CVEs, attack paths)
- Security: Removed /status page from public marketing site — infrastructure health data restricted to admin dashboard
- Bug Fix: CVE Pulse data synchronization: hero badges, severity filters, and list API now show consistent counts
- Bug Fix: Added missing /contact page to sitemap.xml for complete SEO coverage
v0.9.3 (2026-03-28)
Production Hardening & Light/Dark Theme
- New Feature: Light/dark theme toggle with localStorage persistence and system preference detection
- New Feature: CVE Pulse Explorer: interactive search, filter, sort, and pagination across 7,800+ CVEs
- New Feature: Compliance Framework Comparison Matrix: 8 frameworks × 10 security domains with expandable citations
- New Feature: Auto-refresh status page with real-time countdown timer
- Improvement: All components now use CSS custom properties for theme compliance
- Improvement: Table alignment fix: replaced invalid nested tbody with React Fragments
- Security: CVE API proxy with rate-limit headers, input validation, and request timeouts
- Security: Auto-login JWT with token caching, exp-based refresh, and 401 retry
v0.9.2 (2026-03-28)
Operational Pages & Site Polish
- New Feature: System Status page with live service health monitoring
- New Feature: Changelog page with release history
- New Feature: Documentation hub with MDX-rendered guides
- New Feature: Blog with seed articles on cloud security topics
- Improvement: Updated sitemap with all new pages
v0.9.1 (2026-03-27)
Real Data Integration
- New Feature: CVE Pulse page fetches live data from EchelonGraph CVE feed API
- New Feature: Compliance Directory pulls framework data from compliance-engine API
- New Feature: Readiness Calculator scoring mirrors live compliance engine
- New Feature: Hero section stats (CVEs, frameworks, runs) from live APIs
- Improvement: ISR revalidation every 30 minutes across all pages
- Improvement: Graceful fallback to cached data when APIs are unreachable
v0.8.0 (2026-03-24)
Frontend Dashboard & UI
- New Feature: 3D Blast Radius visualization with react-force-graph
- New Feature: Real-time WebSocket alert feed with toast notifications
- New Feature: Compliance dashboard with framework scores and trend charts
- New Feature: Settings page with profile, team, SSO, and security tabs
- Security: JWT-authenticated API proxy via nginx reverse proxy
v0.7.0 (2026-03-20)
Multi-Cloud Scanning & Attack Path Analysis
- New Feature: AWS cloud scanner: EC2, VPC, S3, RDS, IAM, Lambda, EKS, and 14 more resource types
- New Feature: GCP cloud scanner: Compute, VPC, Cloud SQL, GCS, IAM, GKE, Cloud Armor
- New Feature: Azure cloud scanner: VMs, VNet, Azure SQL, Storage, AKS, Key Vault, Defender
- New Feature: Attack path analysis engine with graph-based BFS traversal and risk scoring
- New Feature: Container image scanning: ECR, GCR, ACR, Docker Hub, GHCR
- Security: Credential encryption with AES-256-GCM and tenant-specific keys
v0.6.0 (2026-03-16)
Core Backend Hardening
- New Feature: NVD/CVE integration with auto-polling every 2 hours
- New Feature: Compliance engine with 8 frameworks (SOC 2, GDPR, ISO 27001, NIST CSF, PCI DSS, HIPAA, DPDP, ISMS-P)
- New Feature: Unified risk scoring engine (0-100 scale, A-F grade)
- New Feature: Webhook event system with HMAC-SHA256 signatures and retry logic
- New Feature: Report generation service with PDF/CSV export
- Improvement: JWT middleware on all /api/v1/* endpoints
- Improvement: Prometheus metrics and structured logging
v0.5.0 (2026-03-12)
Authentication & Identity
- New Feature: SAML 2.0 SSO with Okta, Azure AD, OneLogin, PingIdentity support
- New Feature: OIDC SSO with Google Workspace, Auth0, Keycloak support
- New Feature: LDAP/Active Directory authentication with TLS
- New Feature: SCIM 2.0 user provisioning (Okta, Azure AD compatible)
- New Feature: RBAC with 5 roles, 18 permissions, Redis-cached middleware
- New Feature: TOTP MFA with recovery codes and QR enrollment
- Security: RS256 JWT with refresh token rotation and reuse detection
- Security: Account lockout after 5 failed attempts (15 min)
v0.4.0 (2026-03-08)
Data Layer & Tenant Isolation
- New Feature: PostgreSQL Row-Level Security (RLS) with 32 policies on 6 tables
- New Feature: Neo4j label-based tenant isolation with composite indexes
- New Feature: ClickHouse tenant-partitioned telemetry with 90-day TTL
- New Feature: Redis sliding-window rate limiter with circuit breaker
- Security: Per-tenant data isolation verified with cross-tenant query tests
v0.3.0 (2026-03-04)
GCP Infrastructure & Ingestion Pipeline
- New Feature: GCE VM provisioned with PostgreSQL, Neo4j, ClickHouse, Redis, NATS
- New Feature: gRPC ingestion pipeline with NATS JetStream and batch processing
- New Feature: Core backend Fiber server with health endpoints
- New Feature: React+Vite frontend with nginx API proxy
- Improvement: Integration test suite with 37 automated tests