Shipped
What we shipped.
An honest log of what went live, when, and why it matters. No marketing gloss — just the changes, the posture they unlock, and the receipts.
Standard agent-discovery surfaces are published and resolvable.
An agent with no prior knowledge can now find the Mnemom API, learn how to authenticate, and see what skills it can invoke — entirely from standard files at www.mnemom.ai. Every URL resolves to something real; nothing is aspirational.
- <code>/.well-known/api-catalog</code> (RFC 9727) points at the live OpenAPI 3.1 spec; <code>/.well-known/oauth-protected-resource</code> and <code>/.well-known/oauth-authorization-server</code> (RFC 9728) faithfully mirror our real upstream IdP (Supabase GoTrue) — we run no first-party OAuth server, stated plainly in <code>/auth.md</code>.
- <code>/.well-known/agent-skills/*</code> lists invokable skills backed only by real public endpoints, and <code>/.well-known/agent-card.json</code> ships an A2A-style service card; Content-Signal directives in robots.txt declare our search and AI posture.
- Added the <code>api-auth-discovery</code> commitment to the agent-readiness manifest, verified nightly against production.
AEGIS L5: public advisories and STIX 2.1 IoC feed are live.
The transparency surface of the Protection Network is open. <code>/trust/advisories</code> carries signed post-incident write-ups; <code>/v1/trust/iocs</code> serves a STIX 2.1 indicator bundle. Empty by design at GA — the system tells the truth.
- <code>/trust/advisories</code> is live with its first synthetic post-mortem, clearly labeled synthetic per the calm-at-GA contract.
- <code>/v1/trust/iocs</code> returns a STIX 2.1 bundle, authenticated and rate-limited, ready for threat-intel pipelines (curl + JSON-LD).
- New <code>advisory.published</code> and <code>ioc.added</code> webhook events join the catalog, so threat-intel pipelines can react the moment the Protection Network publishes.
The threat thermometer now reads live per-axis Protection Network state.
Customers now see the cross-tenant threat picture at <code>/dashboard/threats</code>: per-axis state across substrate, vertical, pattern, and source, refreshed every 30 seconds. Calm at GA, by design.
- <code>GET /v1/network/threat-state</code> returns per-axis aggregation of the live Protection Network picture, ready to poll from your dashboards.
- A dashboard page at <code>/dashboard/threats</code> ships with four per-axis cards and a totals card.
- A new <code>network.threat_level.changed</code> event lets you wire threat-level transitions straight into your own alerting.
L1 cross-tenant aggregator: campaign-state rolling stats across customers.
Per-axis rolling stats now correlate signals across arena, Sideband, and integrity-checkpoint traffic — the cross-tenant correlation engine that sees campaigns no single customer could.
- The correlation engine joins per-axis fingerprints across integrity, arena, and Sideband signals to build campaign-level state no single tenant can see.
- Per-bucket state machine with 6h-window hysteresis on exit; states wired to <code>cells.ts</code> via four concrete <code>campaign_state</code> cells (safe-house-hardening#246).
- The engine refreshes continuously, keeping the cross-tenant picture current across the whole Protection Network.
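The per-bucket state machine with hysteresis on exit, as an added example that is not Mnemom's code: a bucket enters the campaign state as soon as correlated hits cross a threshold, but leaves it only after a full 6h quiet window, which is the same thrash-prevention pattern the arena's mutation-phase gate relies on. The entry threshold, state names and the sample trace are constructed assumptions; only the 6h window comes from the page.

```javascript
// Added example (not Mnemom's code): a per-bucket campaign state machine with
// hysteresis on exit, in the shape the changelog describes. The entry threshold and
// state names are constructed assumptions; the 6h exit window is the page's figure.
const EXIT_WINDOW_MS = 6 * 60 * 60 * 1000; // a bucket must stay quiet this long to exit
const ENTER_THRESHOLD = 5;                  // correlated hits in one tick that open a campaign

class CampaignStateMachine {
  constructor() {
    this.buckets = new Map(); // fingerprint bucket -> { state, quietSince }
  }

  // Record one tick of correlated hits for a bucket; returns its state after the tick.
  observe(bucket, hits, nowMs) {
    const b = this.buckets.get(bucket) ?? { state: "calm", quietSince: null };
    if (hits >= ENTER_THRESHOLD) {
      b.state = "campaign"; // entry is immediate: no hysteresis on the way in
      b.quietSince = null;  // any fresh activity restarts the quiet clock
    } else if (b.state === "campaign") {
      b.quietSince ??= nowMs; // first quiet tick starts the exit window
      if (nowMs - b.quietSince >= EXIT_WINDOW_MS) {
        b.state = "calm";   // exit only after a full quiet window, so a short lull cannot thrash
        b.quietSince = null;
      }
    }
    this.buckets.set(bucket, b);
    return b.state;
  }

  stateOf(bucket) {
    return this.buckets.get(bucket)?.state ?? "calm";
  }
}

// Walk a constructed hourly trace through one bucket and return the state after each tick.
function runTrace() {
  const sm = new CampaignStateMachine();
  const H = 60 * 60 * 1000;
  const trace = [
    [0 * H, 7], [1 * H, 0], [2 * H, 0], [3 * H, 6], // burst, short lull, burst again
    [4 * H, 0], [7 * H, 0], [9 * H, 0], [10 * H, 0], // quiet from 4h on; exits once 6h have passed
  ];
  return trace.map(([t, hits]) => sm.observe("substrate:a/pattern:b", hits, t));
}
```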
Safe House per-evaluation webhooks (sh.*) are wired end-to-end.
Five Safe House front-door events join the AEGIS catalog with per-org delivery mode controls — table-stakes for SOC/SIEM integration. Brings the AEGIS-GA webhook catalog from 10 to 15 fully-wired events.
- New <code>sh.evaluation.warn</code> / <code>quarantine</code> / <code>block</code> webhook events fire at each verdict point, plus <code>sh.session.escalated</code> when a session crosses a risk tier.
- Per-org delivery modes (full, 10% sampled, or summary-only) keep high-traffic orgs in control, with HMAC-signed delivery on every event.
- 13 <code>sh_emission</code> cells in the harness pin every checkpoint × mode firing path (safe-house-hardening#247).
Continuous adversarial arena: 15 canonical personas, mutation-phase gated.
The adversarial arena now spans every canonical threat type across all four Safe House checkpoints, with mutation-phase gating that lets attacks evolve only while detection holds. Findings that slip past feed straight into the Managed Rules pipeline.
- All 15 personas now cover every canonical threat type across the four Safe House checkpoints, including a supply-chain archetype at inside.integrity.
- Mutation-phase gating lets attacks evolve per fingerprint bucket only while detection holds, with hysteresis to prevent thrash.
- Attacks that beat detection are captured automatically as Managed Rules candidates over an isolated, attribution-stamped path — no human in the loop to lose a finding.
Customer false-negative and false-positive reports feed the Managed Rules pipeline.
Customer signal is now a first-class source. Reports flow through an authenticated endpoint, a CLI command, and an acknowledgment-email pipeline that ships in five locales — feeding the same candidate review queue as arena and the cross-tenant aggregator.
- The report endpoint is live, with a <code>recipe.candidate.created</code> webhook fan-out to your account whenever a report becomes a rule candidate.
- <code>mnemom recipes report-fn</code> and <code>report-fp</code> commands shipped in the @mnemom/mnemom CLI.
- Customer-FN acknowledgment email rendered in en/fr/de/it/es via the Track D template pipeline.
Three reviewer modes — with a structural dual-control invariant on tier 1-2.
Platform admins can flip reviewer mode between manual, auto-approve-trusted-sources, and auto-approve-high-confidence. The protective invariant is structural, not procedural: tier-1 and tier-2 rules can never auto-promote without human dual-control, regardless of mode.
- Reviewer mode and threshold persist platform-wide and are read and written through <code>/v1/admin/settings/reviewer-mode</code>, with every change written to the audit trail.
- The admin reviewer-mode control ships with a confirmation step and full audit attribution on every change.
- Three concrete <code>reviewer_mode</code> cells pin the invariant: trusted-sources promotes tier-3, high-confidence inserts ONE approval on tier-1 but does NOT promote, manual blocks all auto-approval (safe-house-hardening#245).
Admin review queue with append-only audit chain.
Platform admins now triage Managed Rule candidates from a dedicated queue: approve, reject, needs-changes, or promote. Every action lands as a service-role-only INSERT on an append-only chain — the audit surface CISOs and regulators can rely on.
- Every review action lands on an append-only chain, rooted at candidate creation and running through promotion or retirement.
- An admin review-queue UI ships with full rule detail and telemetry.
- Every state transition emits a governance signal, and no rule can go active without dual-control sign-off — two-person approval enforced by the platform, not by policy.
Ed25519-signed Managed Rules with KV+R2 dual-write and a 24h observe soak.
Promoting a recipe to a Managed Rule is now a cryptographically signed event. Each rule is Ed25519-signed, served fail-closed, and routed through a 24-hour observe soak before it enforces in production.
- Promotion cryptographically signs each rule; gateways verify the signature and serve through a tiered, fail-closed read path with a sub-30s P95 propagation target.
- Rules escalate from observe to active automatically, with auto-rollback if the false-positive rate climbs; the reasoning surfaces in <code>recipe.promoted</code> and <code>recipe.retired</code> webhooks.
- A nightly sweep automatically retires rules with zero hits after 90 days, so the active rule set stays lean and current.
Substrate fingerprinting: every evaluation now carries the L0 axis identity.
The supply-chain detection signal is live. Every integrity checkpoint, arena attempt, and sideband analysis is now stamped with substrate, vertical, pattern, and source fingerprints — the cross-tenant correlation key that catches behavioral deviation across every customer running on the same substrate.
- Every evaluation is now stamped with its four-axis substrate fingerprint at write time — deployed in production.
- The underlying data model for the Protection Network is in place, with row-level isolation enforced from the first write.
- Rules compose like cards — Platform → Org → Team → Agent, strictest-wins.
Safe House detectors tightened across prompt injection and PII leak classes.
Front-door and back-door detectors got a calibration pass. Fewer false positives on benign tool calls, sharper block rate on novel injection patterns — without expanding the data we collect.
- Prompt-injection detectors retrained against a fresh adversarial corpus; 12% fewer false positives.
- Back-door screening now catches split-token PII leaks (e.g. SSN or card numbers broken across streamed chunks).
- Signed verdict format now includes detector version, so auditors can reproduce the exact classifier used.
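The split-token failure mode above, as an added example that is not Mnemom's code: a streaming scanner that re-scans a carried tail of the previous chunk together with the next one, so an SSN or card number broken across chunks is still caught, and that defers a match ending exactly at the window edge until it can no longer grow. The patterns, window size and sample stream are constructed assumptions.

```javascript
// Added example (not Mnemom's code): a streaming back-door scanner that catches PII
// split across chunk boundaries, the failure mode this changelog calls out. The
// patterns and window size are constructed assumptions for illustration.
const PATTERNS = [
  { kind: "ssn", re: /\b\d{3}-\d{2}-\d{4}\b/g, maxLen: 11 },
  { kind: "card", re: /\b(?:\d[ -]?){12,15}\d\b/g, maxLen: 31 },
];
// Carry one full token's worth of tail so a match deferred at a window edge
// is still wholly visible in the next window.
const CARRY = Math.max(...PATTERNS.map((p) => p.maxLen));
class StreamScanner {
  constructor() {
    this.carry = "";       // tail of the previous window, re-scanned with the next chunk
    this.consumed = 0;     // absolute stream offset of this.carry[0]
    this.seen = new Set(); // "kind@offset" keys: overlapping windows must not double-report
  }
  // Scan one chunk; returns findings with absolute stream offsets. A match that
  // ends exactly at the window edge may still grow, so it is deferred unless final.
  scan(chunk, final = false) {
    const window = this.carry + chunk;
    const findings = [];
    for (const { kind, re } of PATTERNS) {
      re.lastIndex = 0;
      for (let m; (m = re.exec(window)) !== null; ) {
        if (!final && m.index + m[0].length === window.length) break;
        const offset = this.consumed + m.index;
        const key = `${kind}@${offset}`;
        if (this.seen.has(key)) continue;
        this.seen.add(key);
        findings.push({ kind, offset, value: m[0] });
      }
    }
    const keep = final ? 0 : Math.min(CARRY, window.length);
    this.consumed += window.length - keep;
    this.carry = window.slice(window.length - keep);
    return findings;
  }
  // Call at end of stream so a token that closes the last chunk is still reported.
  flush() {
    return this.scan("", true);
  }
}
// Constructed stream: an SSN split mid-token across two chunks.
function demo() {
  const s = new StreamScanner();
  const found = ["the ssn is 123-4", "5-6789, ok?"].flatMap((c) => s.scan(c));
  return found.concat(s.flush());
}
```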
Passkey and hardware-key agent identity are live.
Agents can now be bound to a passkey or a hardware-backed key from day one. Ed25519 signing stays the default; WebAuthn-backed agent identity is available for teams that want human-unforgeable agent onboarding.
- WebAuthn attestation supported for agent enrollment.
- Agent-identity rotation does not break historical proof chains; old keys stay verifiable.
- Works for self-hosted gateway and managed tenants.
Gateway now auto-scales to M0 headroom with no operator changes.
Under-the-hood reliability work. The managed gateway now elastically provisions for burst traffic up to the M0 tier ceiling without any tenant config. Self-hosted deployments get the same autoscaler defaults in the Helm chart.
- Auto-scale from 2 to 10 replicas based on sustained CPU > 70%.
- Cold-start path cut by 40% for the self-hosted image.
- No pricing change — scale-up stays inside your tier ceiling.
See what the platform actually proves.
Every shipped change backs up one of two claims: what we prove, or how we keep your agents safe.