v0.2.0-rc.11

What's Changed

• chore: GA-readiness fixes (F1–F6) + Specter 100% structural-coverage gate by @remyluslosius in #602
• feat(remediation): free-core execution engine (Fix + rollback, kensa v0.5.1) by @remyluslosius in #601
• docs(governance): remediation approval ADR + role matrix + RBAC drift-lock by @remyluslosius in #604
• release: bundle 0.2.0-rc.11 (Kensa v0.5.2 + remediation governance/UX + auth fix) by @remyluslosius in #609

Full Changelog: v0.2.0-rc.10...v0.2.0-rc.11

v0.2.0-rc.10

What's Changed

• chore(kensa): update Kensa engine + rule corpus to v0.5.0 by @remyluslosius in #594
• feat: per-host SSH credential management + in-place credential editing by @remyluslosius in #595
• fix(packaging): generate demo TLS cert at install instead of shipping it (upgrade-safe) by @remyluslosius in #596
• chore(release): finalize 0.2.0-rc.10 by @remyluslosius in #597
• fix(packaging): preserve operator TLS cert across the cert-shipping → rc.10 transition by @remyluslosius in #598

Full Changelog: v0.2.0-rc.9...v0.2.0-rc.10

v0.2.0-rc.9

What's Changed

• fix(ssh): support PAM keyboard-interactive password auth by @remyluslosius in #591
• feat(worker): bounded scan-concurrency pool (scan N hosts at once) by @remyluslosius in #592
• chore(release): 0.2.0-rc.9 (Eyrie) docs freeze by @remyluslosius in #593

Full Changelog: v0.2.0-rc.8...v0.2.0-rc.9

v0.2.0-rc.8

What's Changed

• feat(settings): activate Audit log + About/License (settings activation Phase 1a) by @remyluslosius in #552
• feat(settings): activate Users invite + manage (settings activation Phase 1b) by @remyluslosius in #553
• feat(settings): activate Notifications — Slack/webhook channels (Phase 2a) by @remyluslosius in #554
• feat(settings): add email/SMTP notification channel (Phase 2b) by @remyluslosius in #555
• feat(settings): activate Security API tokens (Phase 3a) by @remyluslosius in #556
• feat(settings): activate Security authentication policy (Phase 3b) by @remyluslosius in #557
• feat(settings): activate Security SSO — OIDC end-to-end (Phase 3c) by @remyluslosius in #558
• feat(hosts): edit + delete host actions in the kebab menus by @remyluslosius in #560
• fix(packaging): make a fresh install actually run (Kensa corpus + identity keys) by @remyluslosius in #564
• feat(ssh): per-host auth/sudo learning + compliance-scan sudo -S (full SSH matrix) by @remyluslosius in #566
• feat(packaging): one-command upgrade — auto-migrate the DB safely on dnf/apt update by @remyluslosius in #569
• ci: halve the Quality gate (single race+json pass + golangci-lint cache) by @remyluslosius in #567
• fix: SMTP channel edit pre-fill + self-host fonts (airgap) by @remyluslosius in #561
• fix(frontend): remove all demo/fixture data from the app by @remyluslosius in #562
• docs(backlog): cleanup + CI/quality + regression-coverage follow-ups by @remyluslosius in #563
• chore(specter): untrack stale .specter-results.json by @remyluslosius in #568
• chore(deps): bump form-data from 4.0.5 to 4.0.6 in /frontend by @dependabot[bot] in #565
• chore(deps): bump react-hook-form from 7.78.0 to 7.79.0 in /frontend in the npm-production group across 1 directory by @dependabot[bot] in #543
• chore(deps): bump actions/setup-go from 5 to 6 by @dependabot[bot] in #540
• chore(deps): bump actions/github-script from 7 to 9 by @dependabot[bot] in #541
• chore(deps-dev): vite 6→8, vitest 3→4, @vitejs/plugin-react 4→6 by @remyluslosius in #571
• chore(deps): bump softprops/action-gh-release from 2 to 3 by @dependabot[bot] in #542
• chore(deps): lucide-react 0.460 → 1.18.0 by @remyluslosius in #572
• chore(deps): zod 3→4 + @hookform/resolvers 3→5 by @remyluslosius in #573
• docs: add SESSION_LOG (2026-06-16) + refresh BACKLOG by @remyluslosius in #574
• feat(ssh): wire per-host auth-method learning into discovery/intelligence/liveness by @remyluslosius in #575
• feat(ssh): wire per-host sudo-mode learning into discovery/intelligence/liveness by @remyluslosius in #576
• test(ssh): add opt-in live-host SSH/sudo integration test by @remyluslosius in #577
• test(auth): spec the JWT signature-verification deny path (AC-26) by @remyluslosius in #578
• test(db): per-package isolated test databases to drop -p 1 (CI ~halved) by @remyluslosius in #579
• fix(security): pre-release hardening batch — 8 SDD-specced fixes by @remyluslosius in #584
• docs: release-readiness sweep — spec + populate changelog, refresh guides, future-proof upgrade test by @remyluslosius in #585
• ci: harden rpmbuild install against flaky third-party apt repos by @remyluslosius in #586
• fix(frontend): redirect to /login on a terminal auth 401 from the interceptor by @remyluslosius in #583
• perf(server): gzip + immutable caching for the embedded SPA by @remyluslosius in #582
• chore(release): 0.2.0-rc.8 (Eyrie) docs freeze by @remyluslosius in #587
• fix(packaging): tilde-encode pre-release versions so RPM/DEB upgrades work by @remyluslosius in #588
• fix(release): normalize '~' in asset filenames so SHA256SUMS matches by @remyluslosius in #589
• fix(release): publish SBOMs flat so their SHA256SUMS lines verify by @remyluslosius in #590

Full Changelog: v0.2.0-rc.7...v0.2.0-rc.8

v0.2.0-rc.7

What's Changed

• docs: split remaining work to its own file; reconcile for rc.6 by @remyluslosius in #525
• docs(engineering): remediation ships as beta in GA; ignore local nav plan by @remyluslosius in #526
• fix(shell): disable unrouted sidebar links instead of 404ing by @remyluslosius in #527
• feat(frontend): public Radar homepage + enhanced login; dashboard to /dashboard by @remyluslosius in #528
• feat(frontend): dashboard MVP at /dashboard wired to live fleet endpoints by @remyluslosius in #529
• feat(frontend): activity feed MVP at /activity + backend scope doc by @remyluslosius in #530
• feat(frontend): scans overview MVP at /scans by @remyluslosius in #531
• feat(nav): Groups + Reports MVP (sites/OS-categories + reports library) by @remyluslosius in #533
• fix(shell): set the topbar breadcrumb on every nav page by @remyluslosius in #534
• feat: durable per-scan compliance evidence + /scans read & OSCAL surface by @remyluslosius in #535
• feat: Kensa rule-library browser tab on /scans by @remyluslosius in #536
• feat(host-compliance): per-rule evidence/OSCAL drill-down on Compliance tab by @remyluslosius in #537
• chore(release): 0.2.0-rc.7 (Eyrie) — navigable application candidate by @remyluslosius in #538

Full Changelog: v0.2.0-rc.6...v0.2.0-rc.7

v0.2.0-rc.6

What's Changed

• fix(correlation): read clock under the lock to keep IDs unique by @remyluslosius in #503
• docs: reconcile all documentation with the Go codebase by @remyluslosius in #505
• test(perf): make latency budgets non-gating to stop CI flakes by @remyluslosius in #506
• chore: clear documentation-reconciliation follow-ups by @remyluslosius in #507
• docs: rewrite the bannered legacy operator guides for the Go stack by @remyluslosius in #508
• chore(specter): wire the pre-push annotation hook + fix manifest description by @remyluslosius in #509
• fix(specs): restore dropped connectivity API specs + concurrency AC by @remyluslosius in #510
• chore(specter): reword malformed AC prose; gate check --test in CI by @remyluslosius in #512
• chore(backlog): rewrite for OpenWatch Go; drop Python-era tasks by @remyluslosius in #481
• chore(deps): bump the npm-production group across 1 directory with 6 updates by @dependabot[bot] in #489
• chore(deps-dev): bump the npm-development group across 1 directory with 3 updates by @dependabot[bot] in #513
• fix(frontend): clear live CodeQL warnings + ignore prototype mockups by @remyluslosius in #514
• feat(scan): end-to-end compliance scanning — Kensa engine, on-demand scans, lens UI (Phases 0-3 + 5) by @remyluslosius in #515
• feat(scan): operator-editable kensa scan variables by @remyluslosius in #517
• feat(host-detail): posture trends, live hero tiles, OS-aware lenses by @remyluslosius in #518
• test(daemon): guard that every server builder is wired in main.go by @remyluslosius in #519
• docs: reconcile scan/compliance docs before remediation work by @remyluslosius in #520
• feat(compliance): exception governance backend (request/approve/revoke) by @remyluslosius in #521
• feat(exceptions): host-detail exception surfaces (view + request) by @remyluslosius in #522
• feat(exceptions): fleet approver queue on Compliance policies by @remyluslosius in #523
• chore(release): 0.2.0-rc.6 (Eyrie) — compliance scanning candidate by @remyluslosius in #524

Full Changelog: v0.2.0-rc.5...v0.2.0-rc.6

v0.2.0-rc.5

What's Changed

• fix(release): mark pre-release tags as GitHub pre-releases by @remyluslosius in #499
• feat(about): live version endpoint; de-hardcode Settings → About by @remyluslosius in #500
• fix(frontend): always redirect to /login on auth failure by @remyluslosius in #501
• chore(release): cut 0.2.0-rc.5 by @remyluslosius in #502

Full Changelog: v0.2.0-rc.4...v0.2.0-rc.5

v0.2.0-rc.4

What's Changed

• chore(deps): bump actions/stale from 8 to 9 by @dependabot[bot] in #2
• feat: Add comprehensive group compliance scanning functionality by @remyluslosius in #23
• 🛡️ MODERATE: Update 6 moderate-severity dependencies by @remyluslosius in #34
• fix: Remove unnecessary async keywords from synchronous functions by @remyluslosius in #20
• fix: Remove unused variables and improve code clarity by @remyluslosius in #21
• feat: Add database compliance rules system by @remyluslosius in #30
• 🚨 CRITICAL: Fix FastAPI ReDoS vulnerability (CVE-2024-24762) by @remyluslosius in #32
• 🔒 HIGH: Fix 6 high-severity dependency vulnerabilities by @remyluslosius in #33
• 🔧 MAINTENANCE: Update remaining dependencies for comprehensive security by @remyluslosius in #35
• 🛡️ SECURITY: Comprehensive fix for all 14 Dependabot vulnerability alerts by @remyluslosius in #36
• chore(deps): bump actions/download-artifact from 3 to 5 by @dependabot[bot] in #4
• chore(deps-dev): bump prettier from 2.8.8 to 3.6.2 in /frontend by @dependabot[bot] in #11
• chore(deps): bump @types/node from 20.19.9 to 24.3.0 in /frontend by @dependabot[bot] in #12
• chore(deps-dev): bump @vitejs/plugin-react from 4.7.0 to 5.0.2 in /frontend by @dependabot[bot] in #13
• chore(deps): bump date-fns from 2.30.0 to 4.1.0 in /frontend by @dependabot[bot] in #16
• fix: Address security vulnerabilities and code quality issues by @remyluslosius in #22
• chore(deps): bump actions/first-interaction from 1 to 3 by @dependabot[bot] in #37
• chore(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #38
• chore(deps-dev): bump eslint from 8.57.1 to 9.35.0 in /frontend by @dependabot[bot] in #43
• chore(deps-dev): bump @typescript-eslint/parser from 5.62.0 to 8.42.0 in /frontend by @dependabot[bot] in #45
• chore(deps-dev): bump vite from 7.1.4 to 7.1.5 in /frontend by @dependabot[bot] in #46
• feat: Host-centric compliance scan interface with enhanced UX by @remyluslosius in #47
• Fix: Resolve import chain errors and enable container runtime support by @remyluslosius in #64
• Complete Remediation Engine + Security Updates + MongoDB Integration by @remyluslosius in #74
• Fix TypeScript compilation errors (Phase 1) by @remyluslosius in #79
• [Phase 1] Add XCCDFVariable Model and XCCDF Variables Support by @remyluslosius in #95
• [Phase 1] Enhanced SCAP Converter with Variable and Remediation Extraction by @remyluslosius in #97
• [Phase 1] XCCDF Data-Stream Generator from MongoDB by @remyluslosius in #99
• [Phase 1 Issue #4] MongoDB-Based Scan Service with Multi-Scanner Routing by @remyluslosius in #101
• [Phase 1 Issue #5] ORSA Remediation Engine - Ansible & Bash Executors by @remyluslosius in #103
• [Phase 1 Issue #6] Scan Configuration API - Framework Discovery & Template Management by @remyluslosius in #105
• OW-REFACTOR-001: QueryBuilder utility for SQL query construction by @remyluslosius in #115
• OW-REFACTOR-001B: Refactor hosts.py GET /{host_id} with QueryBuilder by @remyluslosius in #116
• OW-REFACTOR-002: Implement MongoDB Repository Pattern by @remyluslosius in #117
• Complete MongoDB compliance rules migration to Repository Pattern by @remyluslosius in #131
• Migrate health monitoring service to Repository Pattern by @remyluslosius in #132
• 🔧 Fix: Resolve FastAPI/Starlette Dependency Conflict (URGENT - Blocks All PRs) by @remyluslosius in #141
• Phase 1: Automated Triage System (FREE - No API Keys Required) by @remyluslosius in #140
• chore(docker): Update base images to latest patch versions (PostgreSQL 15.14, MongoDB 7.0.25, Redis 7.4.6) by @remyluslosius in #147
• chore(deps): Bump codecov/codecov-action from 4 to 5 by @dependabot[bot] in #163
• chore(deps): Bump redis from 5.2.1 to 7.0.1 in /backend by @dependabot[bot] in #171
• chore(deps-dev): Bump @vitest/ui from 3.2.4 to 4.0.8 in /frontend by @dependabot[bot] in #178
• chore(deps-dev): Bump vitest from 3.2.4 to 4.0.8 in /frontend by @dependabot[bot] in #177
• chore(deps): Bump react and @types/react in /frontend by @dependabot[bot] in #172
• chore(deps): Bump react-router-dom from 6.30.1 to 7.9.5 in /frontend by @dependabot[bot] in #173
• chore(deps-dev): Bump the npm-development group in /frontend with 5 updates by @dependabot[bot] in #166
• chore(deps): Bump the npm-production group in /frontend with 9 updates by @dependabot[bot] in #164
• fix(frontend): ESLint cleanup batches 117-119 - Eliminate 98 warnings by @remyluslosius in #181
• chore(deps-dev): Bump js-yaml from 4.1.0 to 4.1.1 in /frontend by @dependabot[bot] in #180
• chore(deps): Bump actions/stale from 9 to 10 by @dependabot[bot] in #159
• chore(deps): Bump github/codeql-action from 3 to 4 by @dependabot[bot] in #161
• chore(deps): Bump ubi9/ubi from 9.6 to 9.7 in /docker by @dependabot[bot] in #190
• chore(deps): Bump nginx from 1.29.3-alpine to 1.29.4-alpine in /docker by @dependabot[bot] in #200
• chore(deps): Bump aiohttp from 3.12.14 to 3.13.3 in /backend by @dependabot[bot] in #206
• chore(deps): Bump the python-minor group across 1 directory with 28 updates by @dependabot[bot] in #205
• chore(deps-dev): Bump eslint-plugin-react-hooks from 5.2.0 to 7.0.1 in /frontend by @dependabot[bot] in #174
• chore(deps-dev): Bump @storybook/react from 9.1.3 to 10.0.8 in /frontend by @dependabot[bot] in #186
• chore(deps): Bump @mui/material from 5.18.0 to 7.3.5 in /frontend by @dependabot[bot] in #169
• chore(deps): Bump recharts from 2.15.4 to 3.5.0 in /frontend by @dependabot[bot] in #184
• chore(deps): Bump @reduxjs/toolkit from 1.9.7 to 2.11.0 in /frontend by @dependabot[bot] in #185
• fix(ci): Resolve CI pipeline blocking issues - Python 3.12, Node 20, MUI v7 by @remyluslosius in #214
• fix(ci): Resolve CI pipeline technical debt and migrate to Celery by @remyluslosius in #237
• refactor(routes): Complete E1 Route Consolidation (S5-S10) by @remyluslosius in #238
• refactor(E4): Frontend component extraction, adapters, and test infrastructure by @remyluslosius in #239
• test(E5): Comprehensive backend unit tests for critical paths by @remyluslosius in #241
• test(E5): Add S5-S8 testing coverage (142 new tests) by @remyluslosius in #242
• ci(E5-S10): Enforce CI coverage and add Codecov badge by @remyluslosius in #243
• fix(tasks): correct stale scan detection query for pending scans by @remyluslosius in #244
• chore(deps-dev): Bump js-yaml from 4.1.0 to 4.1.1 in /frontend by @dependabot[bot] in #231
• chore(deps): Bump python-multipart from 0.0.21 to 0.0.22 in /backend by @dependabot[bot] in #228
• chore(deps): Bump psutil from 6.1.1 to 7.2.1 in /backend by @dependabot[bot] in #221
• chore(deps): Bump @types/node from 24.10.0 to 25.0.10 in /frontend by @dependabot[bot] in #222
• chore(deps): Bump react-dom and @types/react-dom in /frontend by @dependabot[bot] in #227
• fix(ci): merge paginated gh api results in automated triage workflow by @remyluslosius in #247
• docs: Add comprehensive GitHub PR workflow guide by @remyluslosius in https://...