Shipped

What we shipped.

An honest log of what went live, when, and why it matters. No marketing gloss: just the changes, the posture they unlock, and the evidence.

Platform

Standard agent-discovery surfaces are published and resolvable.

An agent with no prior knowledge can now find the Mnemom API, learn how to authenticate, and see what skills it can invoke — entirely from standard files at www.mnemom.ai. Every URL resolves to something real; nothing is aspirational.

  • <code>/.well-known/api-catalog</code> (RFC 9727) points at the live OpenAPI 3.1 spec; <code>/.well-known/oauth-protected-resource</code> and <code>/.well-known/oauth-authorization-server</code> (RFC 9728) faithfully mirror our real upstream IdP (Supabase GoTrue) — we run no first-party OAuth server, stated plainly in <code>/auth.md</code>.
  • <code>/.well-known/agent-skills/*</code> lists invokable skills backed only by real public endpoints, and <code>/.well-known/agent-card.json</code> ships an A2A-style service card; Content-Signal directives in robots.txt declare our search and AI posture.
  • Added the <code>api-auth-discovery</code> commitment to the agent-readiness manifest, verified nightly against production.
Protection

AEGIS L5: public advisories and STIX 2.1 IoC feed are live.

The transparency surface of the Protection Network is open. /trust/advisories carries signed post-incident write-ups; /v1/trust/iocs serves a STIX 2.1 indicator bundle. Empty by design at GA — the system tells the truth.

  • <code>/trust/advisories</code> is live with its first synthetic post-mortem, clearly labeled synthetic per the calm-at-GA contract.
  • <code>/v1/trust/iocs</code> returns a STIX 2.1 bundle, authenticated and rate-limited, ready for threat-intel pipelines (curl + JSON-LD).
  • New <code>advisory.published</code> and <code>ioc.added</code> webhook events join the catalog, so threat-intel pipelines can react the moment the Protection Network publishes.
Protection

The threat thermometer now reads live per-axis Protection Network state.

Customers now see the cross-tenant threat picture at <code>/dashboard/threats</code>: per-axis state across substrate, vertical, pattern, and source, refreshed every 30 seconds. Calm at GA, by design.

  • <code>GET /v1/network/threat-state</code> returns per-axis aggregation of the live Protection Network picture, ready to poll from your dashboards.
  • A dashboard page at <code>/dashboard/threats</code> ships with four per-axis cards and a totals card.
  • A new <code>network.threat_level.changed</code> event lets you wire threat-level transitions straight into your own alerting.
Protection

L1 cross-tenant aggregator: campaign-state rolling stats across customers.

Per-axis rolling stats now correlate signals across arena, Sideband, and integrity-checkpoint traffic — the cross-tenant correlation engine that sees campaigns no single customer could.

  • The correlation engine joins per-axis fingerprints across integrity, arena, and Sideband signals to build campaign-level state no single tenant can see.
  • Per-bucket state machine with 6h-window hysteresis on exit; states wired to cells.ts via four concrete campaign_state cells (safe-house-hardening#246).
  • The engine refreshes continuously, keeping the cross-tenant picture current across the whole Protection Network.
Platform

Safe House per-evaluation webhooks (sh.*) are wired end-to-end.

Five Safe House front-door events join the AEGIS catalog with per-org delivery mode controls — table-stakes for SOC/SIEM integration. Brings the AEGIS-GA webhook catalog from 10 to 15 fully-wired events.

  • New <code>sh.evaluation.warn</code> / <code>quarantine</code> / <code>block</code> webhook events fire at each verdict point, plus <code>sh.session.escalated</code> when a session crosses a risk tier.
  • Per-org delivery modes (full, 10% sampled, or summary-only) keep high-traffic orgs in control, with HMAC-signed delivery on every event.
  • 13 sh_emission cells in the harness pin every checkpoint × mode firing path (safe-house-hardening#247).
Protection

Continuous adversarial arena: 15 canonical personas, mutation-phase gated.

The adversarial arena now spans every canonical threat type across all four Safe House checkpoints, with mutation-phase gating that lets attacks evolve only while detection holds. Findings that slip past feed straight into the Managed Rules pipeline.

  • All 15 personas now cover every canonical threat type across the four Safe House checkpoints, including a supply-chain archetype at inside.integrity.
  • Mutation-phase gating lets attacks evolve per fingerprint bucket only while detection holds, with hysteresis to prevent thrash.
  • Attacks that beat detection are captured automatically as Managed Rules candidates over an isolated, attribution-stamped path — no human in the loop to lose a finding.
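
As an added illustration (not Mnemom's own code), here is one way to model the per-bucket campaign state machine that both the cross-tenant aggregator note and the mutation-phase gating note above describe: a bucket enters "campaign" as soon as the rolling count meets a threshold and leaves only after a full 6h quiet window. The rolling-window length, the enter threshold, the fingerprint key format and the reading of "6h-window hysteresis on exit" as "6h below threshold before exit" are assumptions.

```javascript
const MIN = 60 * 1000;
const ROLLING_WINDOW = 60 * MIN;      // assumed: rolling window for the hit count
const ENTER_THRESHOLD = 5;            // assumed: hits in window that open a campaign
const EXIT_HYSTERESIS = 6 * 60 * MIN; // from the notes: 6h quiet before a bucket may exit

class CampaignBucket {
  constructor() {
    this.events = [];      // hit timestamps (ms) still inside the rolling window
    this.state = 'calm';
    this.lastAbove = null; // last instant the window count met the threshold
  }
  // Recompute state at `now`; called on every ingest and on poll ticks.
  tick(now) {
    this.events = this.events.filter((t) => now - t < ROLLING_WINDOW);
    if (this.events.length >= ENTER_THRESHOLD) this.lastAbove = now;
    if (this.state === 'calm' && this.lastAbove === now) {
      this.state = 'campaign'; // enter immediately
    } else if (this.state === 'campaign' && now - this.lastAbove >= EXIT_HYSTERESIS) {
      this.state = 'calm';     // exit only after a full quiet window (no thrash)
    }
    return this.state;
  }
  observe(ts) { this.events.push(ts); return this.tick(ts); }
}
// One bucket per four-axis fingerprint (key format is assumed).
class CampaignAggregator {
  constructor() { this.buckets = new Map(); }
  bucket(key) {
    if (!this.buckets.has(key)) this.buckets.set(key, new CampaignBucket());
    return this.buckets.get(key);
  }
  observe(key, ts) { return this.bucket(key).observe(ts); }
  stateAt(key, now) { return this.bucket(key).tick(now); }
}
// Constructed scenario: k1 bursts then goes silent; k2 bursts again at 5h.
function runScenario() {
  const agg = new CampaignAggregator();
  const k1 = 'substrate=modelA|vertical=fintech|pattern=tool-exfil|source=arena';
  const k2 = 'substrate=modelA|vertical=health|pattern=tool-exfil|source=sideband';
  let afterBurst;
  for (let i = 0; i < 5; i++) afterBurst = agg.observe(k1, i * MIN); // 5 hits in 4 min
  const quiet2h = agg.stateAt(k1, 120 * MIN);   // window empty, but timer not elapsed
  const quiet6h = agg.stateAt(k1, 364 * MIN);   // 6h since last high count -> calm
  for (let i = 0; i < 5; i++) agg.observe(k2, i * MIN);
  for (let i = 0; i < 5; i++) agg.observe(k2, (300 + i) * MIN); // re-burst resets timer
  const reburst6h = agg.stateAt(k2, 364 * MIN);    // still campaign
  const reburstQuiet = agg.stateAt(k2, 664 * MIN); // calm
  return { afterBurst, quiet2h, quiet6h, reburst6h, reburstQuiet };
}
```

The same enter/exit rule is what lets mutation phases advance only while detection holds: a bucket that flips back to calm the moment a single window goes quiet would thrash, so the exit timer is what the gating keys on.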
Protection

Customer false-negative and false-positive reports feed the Managed Rules pipeline.

Customer signal is now a first-class source. Reports flow through an authenticated endpoint, a CLI command, and an acknowledgment-email pipeline that ships in five locales — feeding the same candidate review queue as arena and the cross-tenant aggregator.

  • The report endpoint is live, with a <code>recipe.candidate.created</code> webhook fan-out to your account whenever a report becomes a rule candidate.
  • <code>mnemom recipes report-fn</code> and <code>report-fp</code> commands shipped in the @mnemom/mnemom CLI.
  • Customer-FN acknowledgment email rendered in en/fr/de/it/es via the Track D template pipeline.
Security

Three reviewer modes — with a structural dual-control invariant on tier 1-2.

Platform admins can flip reviewer mode between manual, auto-approve-trusted-sources, and auto-approve-high-confidence. The protective invariant is structural, not procedural: tier-1 and tier-2 rules can never auto-promote without human dual-control, regardless of mode.

  • Reviewer mode and threshold persist platform-wide and are read and written through <code>/v1/admin/settings/reviewer-mode</code>, with every change written to the audit trail.
  • The admin reviewer-mode control ships with a confirmation step and full audit attribution on every change.
  • Three concrete reviewer_mode cells pin the invariant: trusted-sources promotes tier-3, high-confidence inserts ONE approval on tier-1 but does NOT promote, manual blocks all auto-approval (safe-house-hardening#245).
Security

Admin review queue with append-only audit chain.

Platform admins now triage Managed Rule candidates from a dedicated queue: approve, reject, needs-changes, or promote. Every action lands as a service-role-only INSERT on an append-only chain — the audit surface CISOs and regulators can rely on.

  • Every review action lands on an append-only chain, rooted at candidate creation and running through promotion or retirement.
  • An admin review-queue UI ships with full rule detail and telemetry.
  • Every state transition emits a governance signal, and no rule can go active without dual-control sign-off — two-person approval enforced by the platform, not by policy.
Protection

Ed25519-signed Managed Rules with KV+R2 dual-write and a 24h observe soak.

Promoting a recipe to a Managed Rule is now a cryptographically signed event. Each rule is Ed25519-signed, served fail-closed, and routed through a 24-hour observe soak before it enforces in production.

  • Promotion cryptographically signs each rule; gateways verify the signature and serve through a tiered, fail-closed read path with a sub-30s P95 propagation target.
  • Rules escalate from observe to active automatically, with auto-rollback if the false-positive rate climbs; the reasoning surfaces in <code>recipe.promoted</code> and <code>recipe.retired</code> webhooks.
  • A nightly sweep automatically retires rules with zero hits after 90 days, so the active rule set stays lean and current.
Protection

Substrate fingerprinting: every evaluation now carries the L0 axis identity.

The supply-chain detection signal is live. Every integrity checkpoint, arena attempt, and sideband analysis is now stamped with substrate, vertical, pattern, and source fingerprints — the cross-tenant correlation key that catches behavioral deviation across every customer running on the same substrate.

  • Every evaluation is now stamped with its four-axis substrate fingerprint at write time — deployed in production.
  • The underlying data model for the Protection Network is in place, with row-level isolation enforced from the first write.
  • Rules compose like cards — Platform → Org → Team → Agent, strictest-wins.
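
As an added illustration (not Mnemom's own code), strictest-wins composition across the Platform, Org, Team and Agent levels: a lower level can tighten a verdict a higher level set but can never loosen it. The verdict ladder (allow < warn < quarantine < block, using the verdict names from the Safe House webhook note) and the rule shape are assumptions.

```javascript
const SEVERITY = { allow: 0, warn: 1, quarantine: 2, block: 3 }; // assumed ladder
const LEVELS = ['platform', 'org', 'team', 'agent'];             // highest to lowest

// rulesByLevel: { [level]: [{ match, verdict }] }. Returns Map(match -> effective rule).
function compose(rulesByLevel) {
  const effective = new Map();
  for (const level of LEVELS) {
    for (const r of rulesByLevel[level] || []) {
      if (!Object.hasOwn(SEVERITY, r.verdict)) throw new Error(`unknown verdict ${r.verdict}`);
      const cur = effective.get(r.match);
      // A lower level may tighten but never loosen what a higher level set.
      if (!cur || SEVERITY[r.verdict] > SEVERITY[cur.verdict]) {
        effective.set(r.match, { ...r, setBy: level });
      }
    }
  }
  return effective;
}

// Constructed layering: the team tries to allow pii.ssn, which platform already blocks.
function demoCompose() {
  const eff = compose({
    platform: [{ match: 'pii.ssn', verdict: 'block' }, { match: 'tool.shell', verdict: 'warn' }],
    org:      [{ match: 'tool.shell', verdict: 'quarantine' }],
    team:     [{ match: 'pii.ssn', verdict: 'allow' }],
    agent:    [{ match: 'tool.http', verdict: 'warn' }],
  });
  return {
    ssn: eff.get('pii.ssn').verdict,    // 'block' (team loosening ignored)
    shell: eff.get('tool.shell').setBy, // 'org'   (tightened warn -> quarantine)
    http: eff.get('tool.http').verdict, // 'warn'
  };
}
```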
Security

Safe House detectors retrained across prompt-injection and PII-leak classes.

The front-door and back-door detectors received a calibration run: fewer false positives on benign tool calls and a sharper block rate on novel injection patterns, without collecting any more data.

  • Prompt-injection detectors were retrained on a fresh adversarial corpus; 12% fewer false positives.
  • Back-door screening now catches PII leaks with split tokens (for example SSNs or card numbers torn across streamed chunks).
  • The signed verdict format now includes the detector version, so auditors can reproduce the exact classifier that was deployed.
Security

Passkey and hardware-key agent identity are live.

Agents can be bound to a passkey or a hardware-backed key from day one. Ed25519 signatures remain the default; WebAuthn-backed agent identity is available to teams that want unforgeable agent onboarding.

  • WebAuthn attestation supported for agent enrollment.
  • Rotating an agent identity does not break historical proof chains; old keys remain verifiable.
  • Works for self-hosted gateways and managed tenants.
Reliability

Gateway now autoscales up to the M0 headroom, with no operator changes.

Reliability work under the hood. The Managed Gateway provisions elastically for load spikes up to the M0 tier ceiling, with no tenant configuration at all. Self-hosted deployments get the same autoscaler defaults in the Helm chart.

  • Autoscale from 2 to 10 replicas on sustained CPU > 70%.
  • Cold-start path for the self-hosted image shortened by 40%.
  • No price change: the scale-up stays within your tier ceiling.

See what the platform actually proves.

Every shipped change supports one of two claims: what we prove, or how we secure your agents.
