David/veylant
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
0ce1752aed
veylant/CHANGELOG.md
David 6b1ba49922 First commit
2026-02-23 13:35:04 +01:00

6.8 KiB
Raw Blame History

Changelog

All notable changes to Veylant IA are documented in this file. Format: Conventional Commitsfeat, fix, chore, docs, perf, security.

[1.0.0] — 2026-06-21 — Production Launch

Milestone 6 — Beta, Polish & Launch (Sprint 13)

feat: Production K8s cluster on AWS eu-west-3 (E1-10)

  • Terraform EKS module: 3-AZ managed node groups (eu-west-3a/b/c), t3.medium, cluster v1.31
  • HPA autoscaling/v2 template: CPU 70% + memory 80% targets, scale 3→15 replicas
  • values-production.yaml: replicaCount=3, autoscaling enabled, fail_open=false for PII
  • Daily PostgreSQL backup CronJob: pg_dump | gzip → S3, 7-day retention via S3 lifecycle
  • S3 backup bucket with AES-256 encryption, public access blocked, IRSA for pod-level IAM
  • PodDisruptionBudget: minAvailable=1 (Sprint 12)
  • Topology spread constraints across AZs

feat: Production monitoring stack (E1-11)

  • Alertmanager: PagerDuty (critical) + Slack (warning + critical channels), inhibit rules
  • 4 new Prometheus alert rules: VeylantProxyDown, VeylantCertExpiringSoon, VeylantDBConnectionsHigh, VeylantPIIVolumeAnomaly
  • Production SLO dashboard: uptime 99.5% gauge, error budget remaining, PII by type, DB connections, provider breakdown, Redis memory
  • Extended proxy-overview dashboard: +3 panels (PII rate by type, DB connections, provider pie chart)
  • Prometheus alertmanager integration + rule_files config
  • Blackbox exporter config for TLS certificate expiry probing

feat: Pilot client migration runbook (E11-13)

  • 5-phase migration runbook: pre-migration backup → PG data migration → Keycloak reconfiguration → validation → SSO cutover
  • Rollback plan at each phase
  • CORS update procedure for client domains

feat: 5 operational runbooks (E1-12)

  • provider-down.md: circuit breaker recovery, fallback activation, escalation matrix
  • database-full.md: connection pool exhaustion, VACUUM, PVC expansion via AWS EBS
  • certificate-expired.md: cert-manager forced renewal, emergency self-signed rollback
  • traffic-spike.md: HPA manual override, tenant rate limiting, maintenance mode
  • pii-breach.md: GDPR Art. 33 notification procedure, CNIL 72h deadline, evidence collection

docs: Pentest remediation report (E11-12)

  • CVSS heatmap: 0 Critical, 0 High, 0 Medium open
  • 5 findings documented with remediation evidence
  • Go/No-Go checklist for Sprint 13 production decision

docs: Commercial materials (E11-14)

  • One-pager: Shadow AI problem → Veylant solution → differentiators → pricing → CTA
  • Pitch deck (10 slides): problem, solution, PII demo, governance, compliance, business model, roadmap, team, CTA
  • Battle card: RSSI / DSI / DPO personas — pain points, qualification questions, objection handling, MEDDIC grid, competitive positioning

[0.2.0] — 2026-05-30 — Sprint 12 (Security & Polish)

Security & UX hardening (E11-09 / E11-10)

  • fix(security): CORS middlewareAccess-Control-Allow-Origin allowlist per environment; OPTIONS preflight 204
  • fix(security): CSP segmented — strict CSP for /v1/*, relaxed for /docs and /playground (unpkg.com allowed)
  • fix(security): COOP headerCross-Origin-Opener-Policy: same-origin added
  • fix(ratelimit): Retry-After header on 429 — RFC 6585 compliant; RetryAfterSec: 1 default
  • fix(ux): 403 message with allowed models — error now lists allowed models for the user's role
  • feat(ux): X-Request-Id in error responsesWriteErrorWithRequestID() injects request ID in all error responses

Observability (E2-12)

  • feat(observability): k6 load test suite — 4 scenarios (smoke/load/stress/soak), SCENARIO env var selection, p99 < 500ms threshold
  • feat(observability): Prometheus recording rules — p99, p95, request rate, error rate pre-computed
  • feat(observability): 3 alert rules — VeylantHighLatencyP99, VeylantHighErrorRate, VeylantCircuitBreakerOpen

Blue/Green Deployment (E1-09)

  • feat(deploy): Istio VirtualService + DestinationRule — blue/green subsets, atomic traffic switch
  • feat(deploy): blue-green.sh — 7-step orchestration: detect active slot → deploy inactive → smoke test → patch VS → verify → scale down old slot
  • feat(deploy): PodDisruptionBudget — minAvailable=1
  • feat(ci): k6 smoke job in CI — runs before deploy-staging; blocks deployment on SLA breach

Public Playground (E8-15)

  • feat(product): GET /playground — self-contained HTML demo page with PII visualization and color-coded entity badges
  • feat(product): POST /playground/analyze — IP rate-limited (20 req/min, 5-min eviction), graceful PII fallback
  • feat(security): Semgrep custom rules — 6 rules: context.Background() in handlers, SQL injection, sensitive logging, hardcoded keys, missing MaxBytesReader, Python eval()

Documentation (E11-08 / E11-11)

  • docs: feedback-backlog.md — Sprint 12 MoSCoW from 2 pilot sessions (TechVision ESN + RH Conseil)
  • docs: pentest-scope.md — grey box pentest scope, attack surfaces, rules of engagement

[0.1.0] — 2026-04-30 — Sprint 11 (Feature Flags, E2E Tests, OpenAPI, Guides)

  • feat: Feature flags — PostgreSQL-backed with in-memory fallback (E11-07)
  • feat: E2E tests — Playwright for dashboard UI, testcontainers for integration (E11-01a/b)
  • feat: OpenAPI 3.1 spec — swaggo annotations, Swagger UI at /docs (E11-02)
  • docs: Integration guide — OpenAI SDK compatibility, environment setup (E11-03)
  • docs: Admin guide — routing rules, RBAC, CORS configuration (E11-04)
  • docs: Onboarding guide — first-time setup, Keycloak federation (E11-05/06)

[0.0.1] — 2026-02-15 — Sprints 110 (MVP Core)

  • Go proxy: chi router, zap logger, viper config, graceful shutdown
  • PII sidecar: FastAPI + gRPC, regex + Presidio + spaCy (fr_core_news_lg), 3-layer detection
  • Intelligent routing engine: PostgreSQL JSONB, in-memory cache, priority ASC, first-match-wins
  • RBAC: Keycloak OIDC, 4 roles (admin/manager/user/auditor), per-model restrictions
  • Audit logs: ClickHouse append-only, async batch writer, TTL retention
  • GDPR Article 30 registry + AI Act risk classification + PDF export
  • Multi-tenant isolation: PostgreSQL RLS, veylant_app role, per-session app.tenant_id
  • AES-256-GCM encryption for prompt storage, Redis pseudonymization mappings
  • Provider adapters: OpenAI, Anthropic, Azure, Mistral, Ollama
  • Circuit breaker: threshold=5, open_ttl=60s
  • Token-bucket rate limiter: per-tenant + per-user, DB overrides
  • Prometheus metrics middleware + Grafana dashboards
  • React 18 dashboard: shadcn/ui, recharts, OIDC auth flow
  • Helm chart v0.1.0, Docker multi-stage build, docker-compose dev stack
  • CI/CD: golangci-lint, black, ruff, Semgrep SAST, Trivy image scan, gitleaks, OWASP ZAP DAST