@@ -7,6 +7,67 @@ Versions follow [Semantic Versioning](https://semver.org/).
77
88---
99
10+ ## [ 0.75.0] – 2026-03-23
11+
12+ ### Added
13+ - ** Dashboard UX** — posture grade (A-F) hero, top 5 attack path cards, security graph page with interactive React Flow, insight layer toggle (risk/credentials/default), 11-framework compliance heatmap
14+ - ** Remediation page** — priority table sorted by blast radius impact, Jira ticket creation per finding, compliance impact summary, severity/framework filters, JSON export
15+ - ** Compliance narratives** — ` GET /v1/compliance/narrative ` generates auditor-ready text per framework with control-level detail and remediation-compliance bridge
16+ - ** ` --posture ` flag** — 5-line workstation posture summary for solo developers
17+ - ** ` --fixable-only ` flag** — show only vulnerabilities with available fixes
18+ - ** ` agent-bom doctor ` ** — preflight diagnostic (Python, DB, network, Docker, MCP configs, API keys)
19+ - ** Cross-agent behavioral detection** — ` CrossAgentCorrelator ` detects lateral movement (3+ agents same tool in 5min), anomaly baseline per agent
20+ - ** SSE proxy transport** — ` agent-bom proxy --url ` for remote SSE/HTTP MCP servers
21+ - ** SBOM multi-hop graph** — dependency depth tracking (A→B→C) + CycloneDX ` vulnerabilities[] ` ingest
22+ - ** API rate-limit headers** — ` X-RateLimit-Limit/Remaining/Reset ` on all responses, ` X-API-Version: v1 `
23+ - ** Jira API endpoint** — ` POST /v1/findings/jira ` with ephemeral credentials, SSRF-validated
24+ - ** False positive feedback** — ` POST/GET/DELETE /v1/findings/false-positive ` with tenant-scoped persistence
25+ - ** Break-glass endpoint** — ` POST /v1/shield/break-glass ` with admin RBAC + audit logging
26+ - ** Prometheus ` /metrics ` ** — fleet_total and fleet_quarantined gauges
27+ - ** 75 UI component tests** (Vitest + @testing-library/react )
28+ - ** 8 intent-based OpenClaw skills** — discover, scan, scan-infra, enforce, comply, monitor, analyze, troubleshoot
29+ - ** CONTRIBUTING.md** — contributor onboarding guide
30+ - ** Enterprise Deployment guide** — MDM push, fleet API, zero-credential architecture
31+
32+ ### Changed
33+ - ** Homepage reworked** — posture grade + blast radius chains at top, stats compressed to one row
34+ - ** Compliance page** — now shows all 14 frameworks (was 6)
35+ - ** Security graph** — uses pre-computed blast_radius scores (risk_score, is_kev, epss_score)
36+ - ** All dashboard pages** — consistent Loader2 spinners, overflow-x-auto tables, confirmation dialogs on destructive actions, Snowflake-only banners in error state
37+ - ** Vulns page** — pagination (50/page), search, FP feedback button, confidence scores
38+ - ** Jobs page** — status filter tabs, search, pagination (25/page), JSON export
39+ - ** Fleet page** — search, JSON export, confirmation on state transitions
40+ - ** Agents page** — search by name
41+ - ** CLI output** — severity text labels alongside colors (accessibility)
42+ - ** CycloneDX** — ` formulation ` field identifies agent-bom as generator
43+ - ** GitHub Action** — ` exclude-unfixable ` input for CI gating
44+ - ** Architecture diagram** — compact horizontal layout (LR)
45+ - ** Count alignment** — all docs now single-source-of-truth (14 frameworks, 138 IaC rules, 112 patterns, 20 pages, 33 tools, 19 formats)
46+
47+ ### Fixed
48+ - ** Full-stack alignment** — ` severity_source ` , ` confidence ` , ` nist_800_53_tags ` , ` fedramp_tags ` , ` automation_settings ` , ` vector_db_scan ` , ` gpu_infra ` now serialized in JSON output (were silently dropped)
49+ - ** Compliance router** — ` /v1/compliance/narrative ` no longer shadowed by ` /{framework} ` wildcard
50+ - ** UI field names** — ` risk_score ?? blast_score ` , ` summary ?? description ` , ` is_kev ?? cisa_kev ` with backward compat
51+ - ** Offline mode strict** — no silent network fallback when ` --offline ` set
52+ - ** AST prompt detector** — ` description ` , ` help ` , ` title ` fields no longer misclassified as system prompts
53+ - ** CodeQL SSRF** — defense-in-depth ` validate_url() ` at transport layer
54+ - ** HSTS header** — ` Strict-Transport-Security ` added to all API responses
55+ - ** OIDC SSRF** — ` validate_url() ` on discovery URL
56+ - ** ECS/EKS test mocks** — updated to paginator pattern
57+ - ** Protection engine** — ` stop() ` persists cleared kill-switch state, semaphore cache bounded to 8 entries
58+ - ** Chain-hashed audit log** — each entry includes previous entry's HMAC for tamper-evidence
59+ - ** Multi-tenancy isolation** — tenant_id enforced at middleware level
60+ - ** Quarantine enforcement** — quarantined agents excluded from fleet list by default
61+ - ** Log file permissions** — 0o600 on audit DB, fleet DB, log files
62+ - ** Node.js 20 deprecation** — ` FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 ` on dependency-review
63+ - ** Local fonts** — Inter + JetBrains Mono bundled (no Google Fonts network dependency)
64+
65+ ### Security
66+ - 10/10 OWASP web categories PROTECTED (verified by code audit)
67+ - SLSA L3 provenance on releases, Sigstore signing on PyPI
68+ - 91 SHA-pinned GitHub Actions, 0 npm/Python vulnerabilities
69+ - scrypt KDF for API keys, HMAC constant-time comparison, parameterized SQL everywhere
70+
1071## [ 0.74.1] – 2026-03-22
1172
1273### Security
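Review bot: the framework count is inconsistent within this entry: the Added bullet for Dashboard UX says "11-framework compliance heatmap", while the Changed bullets say the compliance page "now shows all 14 frameworks (was 6)" and the Count alignment bullet fixes the single source of truth at "14 frameworks"; pick one number (or state that the heatmap intentionally covers a subset) so the changelog does not contradict the docs it claims to align. Two of the Fixed bullets describe behaviour changes that existing deployments will feel and deserve a migration note: "Chain-hashed audit log — each entry includes previous entry's HMAC" changes the on-disk entry format, so say how a log whose earlier entries predate the chain is verified (first chained entry anchors a new chain, or the old prefix is rejected), and "Log file permissions — 0o600 on audit DB, fleet DB, log files" should state whether permissions are tightened on files that already exist or only on newly created ones. The Security section's "10/10 OWASP web categories PROTECTED (verified by code audit)" and "0 npm/Python vulnerabilities" are point-in-time assertions with no reference; link the audit artefact or scan report and date it, since the line will be read long after the dependency set has changed. Minor: if the spaces inside the bold and backtick markers (e.g. `** Dashboard UX**`, `` ` GET /v1/compliance/narrative ` ``) are in the file rather than a rendering artefact, they prevent CommonMark from emitting bold/code spans and should be removed.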