Release Notes

Production Hardening (2026-06)

A large block of work across every plane, recorded by ADR. Grouped by area.

LLM and providers

• Credit-aware DeepSeek to Gemini fallback. The provider layer falls back from DeepSeek to Gemini when DeepSeek credit is exhausted, then continues serving (ADR 031).
• deepseek-v4-flash is the documented default. The shipped .env.example selects the deepseek backend with deepseek-v4-flash (specialist) and deepseek-v4-pro (orchestrator). Granite via Ollama remains the air-gapped option.
• Hosted providers with runtime config. DeepSeek, Gemini, OpenAI, and Anthropic are first-class backends, switchable at runtime from the operator console (ADR 022).
• AI chat hardened against adversarial use. The operator chat now injects the current date and time, reports its active model, defends against direct and indirect prompt injection (input neutralization and untrusted-data fencing, output secret and system-prompt redaction), rate limits per user, and grounds answers in live alerts and cases (ADR 036). See AI Assistant Safety.

Endpoint detection and response (EDR)

• Linux network, file, and DNS telemetry. The Linux sensor now emits network-connection, file-access, and DNS-query OCSF events alongside process execution (ADR 044).
• Inbound TCP scan detection. The sensor captures inbound TCP connection attempts and the collector bridges them to the backend detection plane, so an nmap scan surfaces as a T1046 network-service-discovery alert end to end.
• Windows ETW pipeline. The Windows sensor compiles with a real ETW session controller and process-parent table (ADR 045).
• Native investigation GUI. The iced investigation app is feature-complete with a --demo mode, host-isolation control, a last-event line, and a live log tail (ADR 046).
• OCSF to timeline mapping. OCSF classes map to operator-console timeline categories.

Cyber-physical systems (CPS)

• STM32 bench node. A USB-serial bridge brings a STM32F401 bench node into the MQTT ingest path (ADR 042).
• ESP32-S3 bench node. A WiFi ESP32-S3 node publishes telemetry over a Mosquitto mTLS listener with full PKI and edge MQTT wiring (ADR 048).
• Network-segment enforcement. A network controller enforces per-segment isolation for CPS devices (ADR 033).

MCP plane

• Tool error and timeout contract. Every MCP tool returns a uniform {status, error_code, error} envelope and an optional per-call execution budget; internal detail never reaches the agent (ADR 047).
• Server boundary protection. A default tool timeout, per-IP rate limiting, OpenTelemetry tracing, and in-flight drain on shutdown protect each MCP server process (ADR 049).

Detection and web defense

• ATT&CK coverage map and purple-team harness. A generated coverage report plus an expanded Sigma corpus (ADR 040).
• Inline web-attack defense. An Envoy ext_authz filter blocks OWASP attack classes inline before they reach the protected app (ADR 032), hardened with a fail-mode switch, verdict cache, rate limiting, and client reputation (ADR 039).
• Standalone Suricata sensor. A self-contained sensor bundle runs Suricata on separate hardware (Linux container or native Windows) against a mirror or TAP and ships EVE alerts back to the API (ADR 050).

Autonomy and security

• Prompt-injection guardrail. An input guardrail and red-team harness screen agent inputs (ADR 036).
• Pre-LLM triage filter. A deterministic filter scores and auto-resolves alerts before they reach a model (ADR 037).
• Reversibility and kill-switch. A reversibility registry, post-action verification, and an autonomy kill-switch bound what agents can do (ADR 038).
• Per-site continuous learning. An opt-in, instantly reversible learning loop sharpens triage scoring and detection per deployment without raw telemetry leaving a site (ADR 043).
• Automated canary promotion and rollback. A regressing candidate model reverts on its own within one promotion pass (ADR 034).
• Production Vault auto-unseal. A production seal configuration for HashiCorp Vault (ADR 041).

Reports

• Signed, encrypted AI reports. AI-driven report generation with digital signatures and encrypted downloads, plus a corporate HTML and PDF design standard (ADR 035) and an operator-console report detail view with signature verification.

MVP-1.1: Dashboard Polish (in progress)

Highlights

• Streaming AI Chat. /chat consumes POST /api/v1/chat/stream SSE endpoint with token-by-token rendering, a Stop button, Regenerate action, and localStorage persistence across reloads.
• MCP/Tools panel for agent-NNN IDs. The MCP catalog resolver accepts dashboard-style identifiers (agent-001 to agent-014) in addition to PascalCase agent names.
• Single-host deployment indicator. When only one site is registered the per-agent Deploy to Site button row is replaced by a Running locally on this host status badge.
• Granular MCP/Tool-Call panel states. Panels render distinct loading, error (with retry), empty, and data branches instead of ambiguous still loading placeholders.
• GET /api/v1/system/topology. New endpoint returns deployment_mode, hostname, platform, runtime mode, and site list.
• Real-mode live-fire bring-up path. Repo-local task starts API, dashboard, Redis task worker, and local A2A agent mesh for single-host operation. Raw events persist in the new siem_logs table.
• WAF telemetry bridge. scripts/waf_log_bridge.py tails ModSecurity, nginx, AWS WAF, or Cloudflare JSONL events and posts them as WAF telemetry.
• Unified SIEM Collector supervisor. scripts/siem_collector.py runs Suricata EVE, WAF JSONL, and local host-log bridges under one parent process.
• Tamper-evident evidence custody ledger. Case evidence registration appends hash-chained ledger entries with sequence numbers and previous-entry hashes.
• CPS MQTT outbound bridge. scripts/mqtt_outbound_bridge.py relays attestation_request audit events from Redis Streams to device MQTT topics with QoS 2.
• Live EDR action adapter contract. Real-mode EDR isolate, unisolate, and scan actions can route to a configured HTTP adapter.
• Site-profile deployment guard. SOC sites carry persisted profile documents with declared asset classes. Agent deployment rejects unsupported site/agent combinations.

MVP-1: Single-Command SOC on a Laptop

Highlights

• Single-model lock. granite3.2:8b as default for both specialists and orchestrator with shared model pool.
• make llm-doctor. Validates Ollama connectivity, model presence, and configuration before stack startup.
• make stack-up. One target boots Postgres, Redis, FastAPI, and the Next.js dashboard against host Ollama.
• make agents-smoke. Live LLM round-trip smoke for the full fleet using the BeeAI A2A mesh.
• Network Command Center. Operator-facing HITL surface with Critical Approval Queue and dispatch deep-link receipts.
• Agent reasoning trail. Each network attack receipt carries the specialist's reasoning trail through the API into the dashboard timeline.
• Distributed mode runbook. docker-compose.host-ollama.yml lets a second machine target the operator's Ollama.

Operator quick-start

ollama serve &
ollama pull granite3.2:8b
make llm-doctor
make stack-up
make agents-smoke

The dashboard is at http://localhost:3100 and the API at http://localhost:8001. Use make stack-down KEEP_INFRA=1 to stop app processes while keeping Postgres and Redis warm.