Changelog
All major changes in reverse chronological order. See the roadmap for upcoming plans.
2026-04-15 · v0.12.0 · feature
Reachability 25 Languages — Full Precise upgrade + 28-case benchmark precision 1.00 / recall 1.00
- **Phase 1** — Promoted C/C++/Objective-C/Haskell/R/Clojure (6 languages) from coarse to precise
- C/C++ — Curated symbol DB for zlib/openssl/libcurl/libxml2/libpng/pcre/sqlite3/libarchive/libssh + stdlib blacklist
- Objective-C — Apple framework prefix map for Foundation(NS*)/UIKit(UI*)/CoreGraphics(CG*) + message_expression parser
- Haskell — Full parsing for all 4 import forms: qualified / as alias / hiding / explicit list
- R — 250 base function blacklist + symbol DB for ggplot2/dplyr/tidyr/stringr/purrr
- Clojure — (ns (:require/:use)) parsing + sym_ns alias matching
- **Phase 2** — 25 languages x avg 6 patterns = 106 regression cases (alias, qualified, multiline, explicit, hiding, negative)
- **Phase 3** — OSV ecosystem normalization (accepts `PyPI`/`pypi`/`Python`/etc.) + Hex composite (auto dispatch for Elixir + Erlang)
- **Phase 4** — 25-language real CVE fixture benchmark: **precision 1.00 / recall 1.00 / F1 1.00 (28 cases)**
- **Phase 5** — Leaderboard `language_count` + `reachability_language_count` updated from 12 to 25
2026-04-15 · v0.11.0 · feature
Reachability expanded to 25 languages — tree-sitter coverage 12 to 25 (+13)
- 7 new Precise languages — Ruby / Elixir / Erlang / Lua / Perl / OCaml / Julia
- 6 new Coarse languages — C / C++ / Objective-C / Haskell / R / Clojure (later promoted to Precise in Phase 1)
- New ecosystem dispatcher — rubygems / hex / erlang / luarocks / cpan / opam / julia / conan / vcpkg / cocoapods / hackage / cran / clojars
- BaseAnalyzer `_name_variants` hook — automatic package-to-module name convention mapping (e.g. phoenix to Phoenix, foo_bar to FooBar)
- 29 new reachability tests + zero regressions, total **754 passed**
2026-04-15 · v0.9.0 · feature
Option 4 Complete — Full 10-Lane support (B Adjacent Lanes + C AI-Native + D Enterprise)
- Phase 0 — Polymorphic findings architecture, Scanner Protocol, FixPipeline, Policy Engine, Unified Findings View, 14 queues expanded to 15
- Phase A — AI Fix Rate **80% to 95% measured**, exemplar corpus 1,500 to 11,500 (GHSA 10k), reachability 5 to 12 languages (later 25), dep-confusion corpus 11,899 pkgs, zero-day radar 5 sources
- Phase B — Container scan (Dockerfile + Trivy JSON), IaC (1,065+ rules — Trivy/tfsec integrated), Secrets (1,000+ patterns — TruffleHog verified), SAST (3,200+ rules — Semgrep integrated), Malicious Package (5 ecosystems, 41 signals, typosquat)
- Phase C — LLM Guard (OWASP LLM Top 10, 17 rules), ML-BOM (CycloneDX 1.6 mlModelInventory), Hugging Face pickle scanner, MCP Audit, Agent Supply Chain (7 frameworks)
- Phase D — SCIM 2.0 provisioning (Okta/Azure AD), OpenTelemetry tracing/metrics, Python SDK + CLI (patchops/patchops-cli), VS Code extension, Helm air-gapped chart, Terraform 3-region active-active, SOC2/FedRAMP/ISO27001 gap docs
- Benchmark leaderboard expanded to 46 metrics x 29 features
- Full regression **700 passed** / frontend 53 passed / ruff+tsc clean / 9 new DB migrations applied
2026-04-15 · v0.10.0-preview · feature
Quality Engine — CVE feed sanitization + budget + cost tracking + audit hash chain
- CVE feed fixed_versions pollution filter — removes backward/non-semver entries, corpus quality significantly improved
- Org budget hard enforcement — atomic UPDATE ... RETURNING, monthly auto-reset
- Anthropic token-based monthly cost tracking — /settings/cost
- AI Repair Redis sliding window rate limit (10/min/org)
- Audit log tamper-proof hash chain — SHA256, /audit-logs/verify
- Outgoing webhook HMAC-SHA256 signing
2026-04-15 · v0.9.0 · fix
Dep-upgrade fast path + LLM JSON retry + sandbox timeout reduction
- Lockfile-only patches skip sandbox — repairs possible even in network-free environments
- Automatic single retry when LLM returns non-JSON response
- Sandbox timeout 300s to 120s, default retries 3 to 1
- Benchmark 20 runs: Fix Rate 80%, avg 12.7s/iter
2026-04-15 · v0.8.0 · feature
Launch hygiene — /health/deep, /metrics, SEO meta, robots.txt
- Prometheus-compatible /metrics endpoint
- Comprehensive health check: DB + Redis + disk + scheduler
- OG / Twitter / canonical meta, robots + sitemap, favicon
- Optional S3 sync hook for pg_dump cron
2026-04-14 · v0.7.0 · feature
Settings editing + legal pages + Stripe skeleton + CD pipeline
- Settings PATCH (org general / repo delete / member invite / role change)
- /terms, /privacy, /cra-compliance static pages
- Stripe checkout-session / portal / webhook (active when keys are configured)
- .github/workflows/deploy.yml (SSH deployment)
- nginx 6 security headers + logrotate + daily pg_dump
2026-04-14 · v0.6.0 · security
HTTPS + RLS + cookie auth + first real AI Repair PR
- Let's Encrypt TLS + nginx reverse proxy
- PostgreSQL Row Level Security (FORCE) — 17 tenant tables
- HttpOnly Secure SameSite=lax session cookies
- First real AI Repair E2E — CVE-2026-33671 to robogate PR #1
2026-04-13 · v0.5.0 · feature
PASS-01 through PASS-06 complete
- 26 DB tables, 5-stage AI Repair pipeline
- CycloneDX 1.6 / SPDX 2.3 / VEX SBOM export
- EU CRA Annex VII PDF report auto-generation
- Semgrep + Claude rescan gate
- APScheduler-based Weekly Digest + audit retention