# Changelog


# What we shipped.

An honest log of what went live, when, and why it matters. No marketing gloss — just the changes, the posture they unlock, and the receipts.

2026-06-05

Platform

## Standard agent-discovery surfaces are published and resolvable.

An agent with no prior knowledge can now find the Mnemom API, learn how to authenticate, and see what skills it can invoke — entirely from standard files at www.mnemom.ai. Every URL resolves to something real; nothing is aspirational.

-   <code>/.well-known/api-catalog</code> (RFC 9727) points at the live OpenAPI 3.1 spec; <code>/.well-known/oauth-protected-resource</code> and <code>/.well-known/oauth-authorization-server</code> (RFC 9728) faithfully mirror our real upstream IdP (Supabase GoTrue) — we run no first-party OAuth server, stated plainly in <code>/auth.md</code>.
-   <code>/.well-known/agent-skills/\*</code> lists invokable skills backed only by real public endpoints, and <code>/.well-known/agent-card.json</code> ships an A2A-style service card; Content-Signal directives in robots.txt declare our search and AI posture.
-   Added the <code>api-auth-discovery</code> commitment to the agent-readiness manifest, verified nightly against production.

[Read the agent-readiness manifest](/for-agents)

2026-05-23

Protection

## AEGIS L5: public advisories and STIX 2.1 IoC feed are live.

The transparency surface of the Protection Network is open. <code>/trust/advisories</code> carries signed post-incident write-ups; <code>/v1/trust/iocs</code> serves a STIX 2.1 indicator bundle. Empty by design at GA — the system tells the truth.

-   <code>/trust/advisories</code> is live with its first synthetic post-mortem, clearly labeled synthetic per the calm-at-GA contract.
-   <code>/v1/trust/iocs</code> returns a STIX 2.1 bundle, authenticated and rate-limited, ready for threat-intel pipelines (curl + JSON-LD).
-   New <code>advisory.published</code> and <code>ioc.added</code> webhook events join the catalog, so threat-intel pipelines can react the moment the Protection Network publishes.

[Read the latest advisory](/trust/advisories)

2026-05-23

Protection

## The threat thermometer now reads live per-axis Protection Network state.

Customers now see the cross-tenant threat picture at <code>/dashboard/threats</code>: per-axis state across substrate, vertical, pattern, and source, refreshed every 30 seconds. Calm at GA, by design.

-   <code>GET /v1/network/threat-state</code> returns per-axis aggregation of the live Protection Network picture, ready to poll from your dashboards.
-   A dashboard page at <code>/dashboard/threats</code> ships with four per-axis cards and a totals card.
-   A new <code>network.threat\_level.changed</code> event lets you wire threat-level transitions straight into your own alerting.

[Read the Protection Network concept](https://docs.mnemom.ai/concepts/protection-network)

2026-05-22

Protection

## L1 cross-tenant aggregator: campaign-state rolling stats across customers.

Per-axis rolling stats now correlate signals across arena, Sideband, and integrity-checkpoint traffic — the cross-tenant correlation engine that sees campaigns no single customer could.

-   The correlation engine joins per-axis fingerprints across integrity, arena, and Sideband signals to build campaign-level state no single tenant can see.
-   Per-bucket state machine with 6h-window hysteresis on exit; states wired to cells.ts via four concrete campaign\_state cells (safe-house-hardening#246).
-   The engine refreshes continuously, keeping the cross-tenant picture current across the whole Protection Network.

[Read the Protection Network concept](https://docs.mnemom.ai/concepts/protection-network)

2026-05-22

Platform

## Safe House per-evaluation webhooks (sh.\*) are wired end-to-end.

Five Safe House front-door events join the AEGIS catalog with per-org delivery mode controls — table-stakes for SOC/SIEM integration. Brings the AEGIS-GA webhook catalog from 10 to 15 fully-wired events.

-   New <code>sh.evaluation.warn</code> / <code>quarantine</code> / <code>block</code> webhook events fire at each verdict point, plus <code>sh.session.escalated</code> when a session crosses a risk tier.
-   Per-org delivery modes (full, 10% sampled, or summary-only) keep high-traffic orgs in control, with HMAC-signed delivery on every event.
-   13 sh\_emission cells in the harness pin every checkpoint × mode firing path (safe-house-hardening#247).

[Read the webhook spec](https://docs.mnemom.ai/specs/webhooks)

2026-05-22

Protection

## Continuous adversarial arena: 15 canonical personas, mutation-phase gated.

The adversarial arena now spans every canonical threat type across all four Safe House checkpoints, with mutation-phase gating that lets attacks evolve only while detection holds. Findings that slip past feed straight into the Managed Rules pipeline.

-   All 15 personas now cover every canonical threat type across the four Safe House checkpoints, including a supply-chain archetype at inside.integrity.
-   Mutation-phase gating lets attacks evolve per fingerprint bucket only while detection holds, with hysteresis to prevent thrash.
-   Attacks that beat detection are captured automatically as Managed Rules candidates over an isolated, attribution-stamped path — no human in the loop to lose a finding.

[Read the arena concept](https://docs.mnemom.ai/concepts/arena)

2026-05-22

Protection

## Customer false-negative and false-positive reports feed the Managed Rules pipeline.

Customer signal is now a first-class source. Reports flow through an authenticated endpoint, a CLI command, and an acknowledgment-email pipeline that ships in five locales — feeding the same candidate review queue as arena and the cross-tenant aggregator.

-   The report endpoint is live, with a <code>recipe.candidate.created</code> webhook fan-out to your account whenever a report becomes a rule candidate.
-   <code>mnemom recipes report-fn</code> and <code>report-fp</code> commands shipped in the @mnemom/mnemom CLI.
-   Customer-FN acknowledgment email rendered in en/fr/de/it/es via the Track D template pipeline.

[Read the recipes report guide](https://docs.mnemom.ai/guides/recipes-report)

2026-05-22

Security

## Three reviewer modes — with a structural dual-control invariant on tier 1-2.

Platform admins can flip reviewer mode between manual, auto-approve-trusted-sources, and auto-approve-high-confidence. The protective invariant is structural, not procedural: tier-1 and tier-2 rules can never auto-promote without human dual-control, regardless of mode.

-   Reviewer mode and threshold persist platform-wide and are read and written through <code>/v1/admin/settings/reviewer-mode</code>, with every change written to the audit trail.
-   The admin reviewer-mode control ships with a confirmation step and full audit attribution on every change.
-   Three concrete reviewer\_mode cells pin the invariant: trusted-sources promotes tier-3, high-confidence inserts ONE approval on tier-1 but does NOT promote, manual blocks all auto-approval (safe-house-hardening#245).
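
A minimal model of that invariant, added here as an illustration and not Mnemom's code: the tier rule sits in the single promotion function, so no reviewer mode can route around it. The class and function names, the `auto-reviewer` identity, the 0.9 threshold, and the reading of dual control as two distinct human approvers are all assumptions.

```python
from dataclasses import dataclass, field

AUTO = "auto-reviewer"  # hypothetical identity recorded for automated approvals


@dataclass
class Candidate:
    tier: int                      # tiers 1-2 need dual control, per the entry above
    trusted_source: bool = False
    confidence: float = 0.0
    approvals: list = field(default_factory=list)
    state: str = "candidate"


def auto_review(c, mode, threshold=0.9):
    """Mode handler: may record an automated approval, never changes state."""
    if mode == "auto-approve-trusted-sources" and c.trusted_source:
        c.approvals.append(AUTO)
    elif mode == "auto-approve-high-confidence" and c.confidence >= threshold:
        c.approvals.append(AUTO)
    # mode == "manual": nothing is approved automatically


def try_promote(c):
    """Single choke point: the tier rule is checked here for every caller."""
    humans = {a for a in c.approvals if a != AUTO}
    if c.tier <= 2:
        ok = len(humans) >= 2      # assumed: two distinct humans, whatever the mode
    else:
        ok = len(c.approvals) >= 1
    if ok:
        c.state = "promoted"
    return ok


def run(tier, mode, humans=(), **attrs):
    """Build a candidate, apply the mode, add human approvals, try to promote."""
    c = Candidate(tier=tier, **attrs)
    auto_review(c, mode)
    c.approvals.extend(humans)
    return try_promote(c), c.approvals
```

Because `auto_review` can only append to `approvals`, adding a fourth mode later cannot weaken the tier 1-2 rule; only a change to `try_promote` could.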

[Read the Protection Network concept](https://docs.mnemom.ai/concepts/protection-network)

2026-05-22

Security

## Admin review queue with append-only audit chain.

Platform admins now triage Managed Rule candidates from a dedicated queue: approve, reject, needs-changes, or promote. Every action lands as a service-role-only INSERT on an append-only chain — the audit surface CISOs and regulators can rely on.

-   Every review action lands on an append-only chain, rooted at candidate creation and running through promotion or retirement.
-   An admin review-queue UI ships with full rule detail and telemetry.
-   Every state transition emits a governance signal, and no rule can go active without dual-control sign-off — two-person approval enforced by the platform, not by policy.

2026-05-21

Protection

## Ed25519-signed Managed Rules with KV+R2 dual-write and a 24h observe soak.

Promoting a recipe to a Managed Rule is now a cryptographically signed event. Each rule is Ed25519-signed, served fail-closed, and routed through a 24-hour observe soak before it enforces in production.

-   Promotion cryptographically signs each rule; gateways verify the signature and serve through a tiered, fail-closed read path with a sub-30s P95 propagation target.
-   Rules escalate from observe to active automatically, with auto-rollback if the false-positive rate climbs; the reasoning surfaces in <code>recipe.promoted</code> and <code>recipe.retired</code> webhooks.
-   A nightly sweep automatically retires rules with zero hits after 90 days, so the active rule set stays lean and current.

[Read the Protection Network concept](https://docs.mnemom.ai/concepts/protection-network)

2026-05-20

Protection

## Substrate fingerprinting: every evaluation now carries the L0 axis identity.

The supply-chain detection signal is live. Every integrity checkpoint, arena attempt, and sideband analysis is now stamped with substrate, vertical, pattern, and source fingerprints — the cross-tenant correlation key that catches behavioral deviation across every customer running on the same substrate.

-   Every evaluation is now stamped with its four-axis substrate fingerprint at write time — deployed in production.
-   The underlying data model for the Protection Network is in place, with row-level isolation enforced from the first write.
-   Rules compose like cards — Platform → Org → Team → Agent, strictest-wins.

[Read the supply-chain detection concept](https://docs.mnemom.ai/concepts/supply-chain-detection)

2026-03-31

Security

## Safe House detectors tightened across prompt injection and PII leak classes.

Front-door and back-door detectors got a calibration pass. Fewer false positives on benign tool calls, sharper block rate on novel injection patterns — without expanding the data we collect.

-   Prompt-injection detectors retrained against fresh adversarial corpus; 12% fewer false positives.
-   Back-door screening now catches split-token PII leaks (e.g. SSN or card numbers broken across streamed chunks).
-   Signed verdict format now includes detector version, so auditors can reproduce the exact classifier used.
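
Why split-token leaks need a stateful screen, shown as an added example (not Safe House code): a scanner that carries a tail of the stream across chunks finds values that a per-chunk scan misses. The patterns, names and sample chunks are constructed for illustration; the card number is the well-known Luhn-valid test value.

```python
import re

# Constructed patterns for the two PII classes the entry names (SSN, card number).
PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "card": re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)"),
}
TAIL = 40  # exceeds the longest possible match (19 digits + 18 separators)
# Constructed sample: an SSN and a test card number, each split across chunks.
SAMPLE = ["Customer SSN is 123-45-", "6789 and card 4111 1111 ", "1111 1111 on file."]


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class StreamScanner:
    """Scans chunked output, carrying a tail so split tokens are still seen."""
    def __init__(self):
        self.carry, self.base = "", 0  # tail of received text, its stream offset

    def feed(self, chunk, final=False):
        old, buf, hits = len(self.carry), self.carry + chunk, []
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(buf):
                if m.end() < old:
                    continue  # wholly inside earlier data: already judged
                if m.end() == len(buf) and not final:
                    continue  # could still grow with the next chunk: defer
                if kind == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                    continue  # digit run that fails the checksum
                hits.append((kind, self.base + m.start()))
        self.base += max(0, len(buf) - TAIL)
        self.carry = buf[-TAIL:]
        return hits


def scan_stream(chunks):
    scanner = StreamScanner()
    return [h for c in chunks for h in scanner.feed(c)] + scanner.feed("", final=True)


def scan_per_chunk(chunks):  # weak baseline: each chunk screened in isolation
    return [h for c in chunks for h in StreamScanner().feed(c, final=True)]
```

Deferring a match that touches the end of the buffer means a screen that redacts or blocks must hold back up to `TAIL` characters before releasing output downstream.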

[Read the Safe House config guide](https://docs.mnemom.ai/guides/safe-house-config)

2026-03-24

Security

## Passkey and hardware-key agent identity are live.

Agents can now be bound to a passkey or a hardware-backed key from day one. Ed25519 signing stays the default; WebAuthn-backed agent identity is available for teams that want human-unforgeable agent onboarding.

-   WebAuthn attestation supported for agent enrollment.
-   Agent-identity rotation does not break historical proof chains; old keys stay verifiable.
-   Works for self-hosted gateway and managed tenants.

[Read the agent-identity guide](https://docs.mnemom.ai/concepts/agent-identity)

2026-03-15

Reliability

## Gateway now auto-scales to M0 headroom with no operator changes.

Under-the-hood reliability work. The managed gateway now elastically provisions for burst traffic up to the M0 tier ceiling without any tenant config. Self-hosted deployments get the same autoscaler defaults in the Helm chart.

-   Auto-scale from 2 to 10 replicas based on sustained CPU > 70%.
-   Cold-start path cut by 40% for the self-hosted image.
-   No pricing change — scale-up stays inside your tier ceiling.

## See what the platform actually proves.

Every shipped change backs up one of two claims: what we prove, or how we keep your agents safe.

[What we prove](/what-we-prove) · [The Safe House](/security)

---
_Source: /changelog/index.html · Generated by build-markdown-mirrors.mjs · For agent-readability commitment #4 see https://www.mnemom.ai/for-agents_
