David/veylant
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
v1
veylant/CHANGELOG.md
David 6b1ba49922 First commit
2026-02-23 13:35:04 +01:00

113 lines
6.8 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Changelog
All notable changes to Veylant IA are documented in this file.
Format: [Conventional Commits](https://www.conventionalcommits.org/) — `feat`, `fix`, `chore`, `docs`, `perf`, `security`.
---
## [1.0.0] — 2026-06-21 — Production Launch
### Milestone 6 — Beta, Polish & Launch (Sprint 13)
#### feat: Production K8s cluster on AWS eu-west-3 (E1-10)
- Terraform EKS module: 3-AZ managed node groups (eu-west-3a/b/c), t3.medium, cluster v1.31
- HPA `autoscaling/v2` template: CPU 70% + memory 80% targets, scale 3→15 replicas
- `values-production.yaml`: replicaCount=3, autoscaling enabled, fail_open=false for PII
- Daily PostgreSQL backup CronJob: pg_dump | gzip → S3, 7-day retention via S3 lifecycle
- S3 backup bucket with AES-256 encryption, public access blocked, IRSA for pod-level IAM
- PodDisruptionBudget: minAvailable=1 (Sprint 12)
- Topology spread constraints across AZs
#### feat: Production monitoring stack (E1-11)
- Alertmanager: PagerDuty (critical) + Slack (warning + critical channels), inhibit rules
- 4 new Prometheus alert rules: VeylantProxyDown, VeylantCertExpiringSoon, VeylantDBConnectionsHigh, VeylantPIIVolumeAnomaly
- Production SLO dashboard: uptime 99.5% gauge, error budget remaining, PII by type, DB connections, provider breakdown, Redis memory
- Extended proxy-overview dashboard: +3 panels (PII rate by type, DB connections, provider pie chart)
- Prometheus alertmanager integration + rule_files config
- Blackbox exporter config for TLS certificate expiry probing
#### feat: Pilot client migration runbook (E11-13)
- 5-phase migration runbook: pre-migration backup → PG data migration → Keycloak reconfiguration → validation → SSO cutover
- Rollback plan at each phase
- CORS update procedure for client domains
#### feat: 5 operational runbooks (E1-12)
- `provider-down.md`: circuit breaker recovery, fallback activation, escalation matrix
- `database-full.md`: connection pool exhaustion, VACUUM, PVC expansion via AWS EBS
- `certificate-expired.md`: cert-manager forced renewal, emergency self-signed rollback
- `traffic-spike.md`: HPA manual override, tenant rate limiting, maintenance mode
- `pii-breach.md`: GDPR Art. 33 notification procedure, CNIL 72h deadline, evidence collection
#### docs: Pentest remediation report (E11-12)
- CVSS heatmap: 0 Critical, 0 High, 0 Medium open
- 5 findings documented with remediation evidence
- Go/No-Go checklist for Sprint 13 production decision
#### docs: Commercial materials (E11-14)
- One-pager: Shadow AI problem → Veylant solution → differentiators → pricing → CTA
- Pitch deck (10 slides): problem, solution, PII demo, governance, compliance, business model, roadmap, team, CTA
- Battle card: RSSI / DSI / DPO personas — pain points, qualification questions, objection handling, MEDDIC grid, competitive positioning
---
## [0.2.0] — 2026-05-30 — Sprint 12 (Security & Polish)
### Security & UX hardening (E11-09 / E11-10)
- **fix(security): CORS middleware** — `Access-Control-Allow-Origin` allowlist per environment; OPTIONS preflight 204
- **fix(security): CSP segmented** — strict CSP for `/v1/*`, relaxed for `/docs` and `/playground` (unpkg.com allowed)
- **fix(security): COOP header** — `Cross-Origin-Opener-Policy: same-origin` added
- **fix(ratelimit): Retry-After header on 429** — RFC 6585 compliant; `RetryAfterSec: 1` default
- **fix(ux): 403 message with allowed models** — error now lists allowed models for the user's role
- **feat(ux): X-Request-Id in error responses** — `WriteErrorWithRequestID()` injects request ID in all error responses
### Observability (E2-12)
- **feat(observability): k6 load test suite** — 4 scenarios (smoke/load/stress/soak), `SCENARIO` env var selection, p99 < 500ms threshold
- **feat(observability): Prometheus recording rules** p99, p95, request rate, error rate pre-computed
- **feat(observability): 3 alert rules** VeylantHighLatencyP99, VeylantHighErrorRate, VeylantCircuitBreakerOpen
### Blue/Green Deployment (E1-09)
- **feat(deploy): Istio VirtualService + DestinationRule** blue/green subsets, atomic traffic switch
- **feat(deploy): blue-green.sh** 7-step orchestration: detect active slot deploy inactive smoke test patch VS verify scale down old slot
- **feat(deploy): PodDisruptionBudget** minAvailable=1
- **feat(ci): k6 smoke job in CI** runs before deploy-staging; blocks deployment on SLA breach
### Public Playground (E8-15)
- **feat(product): GET /playground** self-contained HTML demo page with PII visualization and color-coded entity badges
- **feat(product): POST /playground/analyze** IP rate-limited (20 req/min, 5-min eviction), graceful PII fallback
- **feat(security): Semgrep custom rules** 6 rules: context.Background() in handlers, SQL injection, sensitive logging, hardcoded keys, missing MaxBytesReader, Python eval()
### Documentation (E11-08 / E11-11)
- **docs: feedback-backlog.md** Sprint 12 MoSCoW from 2 pilot sessions (TechVision ESN + RH Conseil)
- **docs: pentest-scope.md** grey box pentest scope, attack surfaces, rules of engagement
---
## [0.1.0] — 2026-04-30 — Sprint 11 (Feature Flags, E2E Tests, OpenAPI, Guides)
- **feat: Feature flags** PostgreSQL-backed with in-memory fallback (E11-07)
- **feat: E2E tests** Playwright for dashboard UI, testcontainers for integration (E11-01a/b)
- **feat: OpenAPI 3.1 spec** swaggo annotations, Swagger UI at /docs (E11-02)
- **docs: Integration guide** OpenAI SDK compatibility, environment setup (E11-03)
- **docs: Admin guide** routing rules, RBAC, CORS configuration (E11-04)
- **docs: Onboarding guide** first-time setup, Keycloak federation (E11-05/06)
---
## [0.0.1] — 2026-02-15 — Sprints 110 (MVP Core)
- Go proxy: chi router, zap logger, viper config, graceful shutdown
- PII sidecar: FastAPI + gRPC, regex + Presidio + spaCy (fr_core_news_lg), 3-layer detection
- Intelligent routing engine: PostgreSQL JSONB, in-memory cache, priority ASC, first-match-wins
- RBAC: Keycloak OIDC, 4 roles (admin/manager/user/auditor), per-model restrictions
- Audit logs: ClickHouse append-only, async batch writer, TTL retention
- GDPR Article 30 registry + AI Act risk classification + PDF export
- Multi-tenant isolation: PostgreSQL RLS, `veylant_app` role, per-session `app.tenant_id`
- AES-256-GCM encryption for prompt storage, Redis pseudonymization mappings
- Provider adapters: OpenAI, Anthropic, Azure, Mistral, Ollama
- Circuit breaker: threshold=5, open_ttl=60s
- Token-bucket rate limiter: per-tenant + per-user, DB overrides
- Prometheus metrics middleware + Grafana dashboards
- React 18 dashboard: shadcn/ui, recharts, OIDC auth flow
- Helm chart v0.1.0, Docker multi-stage build, docker-compose dev stack
- CI/CD: golangci-lint, black, ruff, Semgrep SAST, Trivy image scan, gitleaks, OWASP ZAP DAST
Reference in New Issue View Git Blame Copy Permalink