All notable changes to Breeze RMM will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

- Cloudflare mTLS client certificate management for agent-to-server mutual TLS authentication
- Device quarantine workflow with admin approval/deny for certificate-based trust
- AI agent migration to Claude Agent SDK with managed query loop
- Per-organization mTLS settings via JSONB configuration
- AI brain connector now uses Claude Agent SDK managed query loop instead of manual orchestration
- Hardened CORS policies with strict origin allowlisting
- Hardened portal session handling and cookie security
- Strengthened MCP endpoint authentication
- Added APP_ENCRYPTION_KEY for field-level encryption at rest
- Improved XSS defenses across the web dashboard
- Added secret scanning configuration for public repository

Initial public release of Breeze RMM.

- Multi-tenant hierarchy: Partner (MSP) > Organization > Site > Device Group > Device
- Role-based access control (RBAC) with cascading permissions
- JWT authentication with session management
- API key authentication with SHA-256 hashed secrets
- Redis-backed sliding window rate limiting
- Audit logging for all mutating operations
- Hardware and software inventory (CPU, memory, storage, network, installed applications)
- Real-time device health checks with configurable thresholds
- Policy engine for defining and enforcing configuration across device groups
- Advanced device filtering across any attribute
- Network discovery with ping sweep and port scanning
- Agent enrollment with secure token exchange
- Remote terminal with full PTY support (macOS and Windows)
- Remote file browser with upload and download
- Remote desktop via WebRTC with optimized streaming pipeline
- TURN relay support for NAT traversal
- Remote script execution (PowerShell, Bash, Python) across devices
- Patch management with inventory, approval, and deployment workflows
- Windows patching via winget provider with user helper IPC
- Configurable alerting with severity classification and routing
- BullMQ job queue for asynchronous task processing
- Cross-platform agent binary (macOS, Windows, Linux)
- Per-interface network bandwidth tracking
- Session broker with SID-based identity and protocol validation (Windows)
- Deep filesystem analysis and disk cleanup preview
- Registry key management commands (Windows)
- Secure config file permissions (0700 dir, 0600 file)
- Agent token authentication with SHA-256 hashed bearer tokens
- AI chat assistant on every dashboard page via Claude Agent SDK
- Tool-equipped agent capable of querying devices, running diagnostics, and executing remediations
- Risk-classified action engine (Low/Medium/High/Critical) enforced at the platform level
- Bring-your-own-key support for Anthropic API keys
- Docker Compose development environment (PostgreSQL, Redis, MinIO)
- Drizzle ORM with push-based schema migrations
- Prometheus and Grafana monitoring configuration
- SNMP client with discovery, metrics collection, and polling
- File transfer storage via MinIO/S3-compatible backend
- Enrollment key management for streamlined agent onboarding
- README with quick start, architecture overview, and FAQ
- Contributing guide with development setup instructions
- Security policy with responsible disclosure process
- Agent installation and Windows installer signing guides
- Admin guide with deployment and configuration reference
- Desktop deep link reliability, mouse alignment, and keyboard input for remote desktop
- File manager path traversal hardening and migration runner stability
- Session broker protocol validation and scope enforcement
- Discovery results silently dropped when dispatched via WebSocket without DB record
- PTY support on macOS rewritten with cgo for correct TIOCPTYGNAME behavior
- Terminal race condition resolved by waiting for the server's "connected" message before sending data
- URL references updated from lanternops.com to lanternops.io
- Hardened secret handling with secure-by-default auth flows
- Agent REST routes require bearer token authentication (except enrollment)
- WebSocket agent authentication accepts both header and query parameter tokens
- API security review addressing 39 findings across patching, desktop streaming, and auth
- Dependabot enabled for Go modules, npm packages, and GitHub Actions