Released

What we have shipped.

An honest record of what went live, when, and why it matters. No marketing gloss: just the changes, the posture they unlock, and the evidence.

Platform

Standard agent-discovery surfaces are published and resolvable.

An agent with no prior knowledge can now find the Mnemom API, learn how to authenticate, and see what skills it can invoke — entirely from standard files at www.mnemom.ai. Every URL resolves to something real; nothing is aspirational.

  • <code>/.well-known/api-catalog</code> (RFC 9727) points at the live OpenAPI 3.1 spec; <code>/.well-known/oauth-protected-resource</code> and <code>/.well-known/oauth-authorization-server</code> (RFC 9728) faithfully mirror our real upstream IdP (Supabase GoTrue) — we run no first-party OAuth server, stated plainly in <code>/auth.md</code>.
  • <code>/.well-known/agent-skills/*</code> lists invokable skills backed only by real public endpoints, and <code>/.well-known/agent-card.json</code> ships an A2A-style service card; Content-Signal directives in robots.txt declare our search and AI posture.
  • Added the <code>api-auth-discovery</code> commitment to the agent-readiness manifest, verified nightly against production.
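
How an agent would turn those discovery files into an access plan, as an added example that is not Mnemom's code: the four documents are constructed samples shaped like an RFC 9727 api-catalog linkset, RFC 9728 protected-resource metadata, RFC 8414 authorization-server metadata and an A2A-style card, with placeholder URLs, and the consistency checks (resource matches the origin, the issuer is one the resource declared) are the part a cautious client should not skip.

```python
"""Resolve an agent's access plan from the standard discovery documents.
Added example, not Mnemom's code. The four documents below are CONSTRUCTED
samples shaped like RFC 9727 (api-catalog linkset), RFC 9728 (protected
resource metadata), RFC 8414 (authorization server metadata) and an
A2A-style agent card; every URL and skill id is a placeholder."""
from urllib.parse import urlparse

ORIGIN = "https://www.mnemom.ai"
API_CATALOG = {"linkset": [{
    "anchor": ORIGIN + "/",
    "service-desc": [{"href": ORIGIN + "/openapi.json",   # placeholder path
                      "type": "application/vnd.oai.openapi+json"}],
}]}
PROTECTED_RESOURCE = {
    "resource": ORIGIN,
    "authorization_servers": ["https://auth.example.invalid"],  # placeholder IdP
    "scopes_supported": ["skills:invoke"],
}
AUTH_SERVER = {
    "issuer": "https://auth.example.invalid",
    "token_endpoint": "https://auth.example.invalid/token",
    "jwks_uri": "https://auth.example.invalid/.well-known/jwks.json",
}
AGENT_CARD = {"name": "mnemom", "url": ORIGIN,
              "skills": [{"id": "evaluate", "description": "placeholder"}]}

def plan_access(catalog, prm, asm, card, origin=ORIGIN):
    """Return what an agent needs to call the API, or raise if the discovery
    documents disagree with each other: an agent must not send tokens to an
    issuer the resource never declared (authorization-server mix-up)."""
    spec = next(link["href"] for link in catalog["linkset"][0]["service-desc"])
    if prm["resource"] != origin:
        raise ValueError("protected-resource metadata is for another resource")
    if asm["issuer"] not in prm["authorization_servers"]:
        raise ValueError("issuer not listed by the resource (possible mix-up)")
    for key in ("token_endpoint", "jwks_uri"):
        if urlparse(asm[key]).netloc != urlparse(asm["issuer"]).netloc:
            raise ValueError(f"{key} points off the issuer host")
    return {
        "openapi": spec,
        "token_endpoint": asm["token_endpoint"],
        "scopes": list(prm.get("scopes_supported", [])),
        "skills": [s["id"] for s in card.get("skills", [])],
    }
```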

Protection

AEGIS L5: public advisories and STIX 2.1 IoC feed are live.

The transparency surface of the Protection Network is open. /trust/advisories carries signed post-incident write-ups; /v1/trust/iocs serves a STIX 2.1 indicator bundle. Empty by design at GA — the system tells the truth.

  • <code>/trust/advisories</code> is live with its first synthetic post-mortem, clearly labeled synthetic per the calm-at-GA contract.
  • <code>/v1/trust/iocs</code> returns a STIX 2.1 bundle, authenticated and rate-limited, ready for threat-intel pipelines (curl + JSON-LD).
  • New <code>advisory.published</code> and <code>ioc.added</code> webhook events join the catalog, so threat-intel pipelines can react the moment the Protection Network publishes.
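
What a threat-intel pipeline does with the feed, as an added example that is not Mnemom's code: both bundles are constructed in the STIX 2.1 bundle/indicator shape with placeholder values, and the empty bundle is handled as the expected calm-at-GA case rather than an error.

```python
"""Consume a STIX 2.1 indicator bundle the way a threat-intel pipeline would.
Added example, not Mnemom's code. Both bundles below are CONSTRUCTED in the
STIX 2.1 bundle/indicator shape; the indicator values are placeholders."""
import json
import re
from datetime import datetime, timezone

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0a1b2c3d-0000-4000-8000-000000000001",
    "objects": [{
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--0a1b2c3d-0000-4000-8000-000000000002",
        "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
        "pattern": "[domain-name:value = 'c2.example.invalid']",
        "pattern_type": "stix",
        "valid_from": "2024-01-01T00:00:00Z",
    }],
})
# Calm at GA: a bundle with no objects is a valid, expected response.
EMPTY_BUNDLE = json.dumps({"type": "bundle",
                           "id": "bundle--0a1b2c3d-0000-4000-8000-000000000003",
                           "objects": []})
# Single-comparison patterns only; anything richer needs a real STIX pattern parser.
_SIMPLE = re.compile(r"^\[(?P<path>[\w:.-]+)\s*=\s*'(?P<value>[^']*)'\]$")

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def extract_iocs(raw: str, now: datetime = None) -> list:
    """Return [(object_path, value), ...] for every currently valid STIX
    indicator; an empty bundle yields [] and a non-bundle document raises."""
    doc = json.loads(raw)
    if doc.get("type") != "bundle" or not str(doc.get("id", "")).startswith("bundle--"):
        raise ValueError("not a STIX 2.1 bundle")
    now = now or datetime.now(timezone.utc)
    found = []
    for obj in doc.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("spec_version") != "2.1":
            continue                       # other SDOs/SROs are not IoCs
        if obj.get("pattern_type", "stix") != "stix":
            continue                       # sigma/yara patterns need other tooling
        if _ts(obj["valid_from"]) > now or (
                "valid_until" in obj and _ts(obj["valid_until"]) <= now):
            continue                       # not yet valid, or expired
        m = _SIMPLE.match(obj["pattern"])
        if m:
            found.append((m["path"], m["value"]))
    return found
```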

Protection

The threat thermometer now reads live per-axis Protection Network state.

Customers now see the cross-tenant threat picture at <code>/dashboard/threats</code>: per-axis state across substrate, vertical, pattern, and source, refreshed every 30 seconds. Calm at GA, by design.

  • <code>GET /v1/network/threat-state</code> returns per-axis aggregation of the live Protection Network picture, ready to poll from your dashboards.
  • A dashboard page at <code>/dashboard/threats</code> ships with four per-axis cards and a totals card.
  • A new <code>network.threat_level.changed</code> event lets you wire threat-level transitions straight into your own alerting.

Protection

L1 cross-tenant aggregator: campaign-state rolling stats across customers.

Per-axis rolling stats now correlate signals across arena, Sideband, and integrity-checkpoint traffic — the cross-tenant correlation engine that sees campaigns no single customer could.

  • The correlation engine joins per-axis fingerprints across integrity, arena, and Sideband signals to build campaign-level state no single tenant can see.
  • Per-bucket state machine with 6h-window hysteresis on exit; states wired to cells.ts via four concrete campaign_state cells (safe-house-hardening#246).
  • The engine refreshes continuously, keeping the cross-tenant picture current across the whole Protection Network.

Platform

Safe House per-evaluation webhooks (sh.*) are wired end-to-end.

Five Safe House front-door events join the AEGIS catalog with per-org delivery mode controls — table-stakes for SOC/SIEM integration. Brings the AEGIS-GA webhook catalog from 10 to 15 fully-wired events.

  • New <code>sh.evaluation.warn</code> / <code>quarantine</code> / <code>block</code> webhook events fire at each verdict point, plus <code>sh.session.escalated</code> when a session crosses a risk tier.
  • Per-org delivery modes (full, 10% sampled, or summary-only) keep high-traffic orgs in control, with HMAC-signed delivery on every event.
  • 13 sh_emission cells in the harness pin every checkpoint × mode firing path (safe-house-hardening#247).
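
A receiver-side check for the HMAC-signed deliveries, as an added example that is not Mnemom's code: the header names, the signing input (timestamp dot body, hex HMAC-SHA256), the tolerance window and the sample event are assumptions, so match them to the real webhook contract before use.

```python
"""Verify an HMAC-signed sh.* webhook delivery before acting on it.
Added example, not Mnemom's code. The header names, the signing input
("<timestamp>.<body>", hex HMAC-SHA256) and the sample event are ASSUMPTIONS;
the real delivery contract is in the webhook docs."""
import hashlib
import hmac
import json
import time

SECRET = b"placeholder-webhook-secret"   # constructed per-endpoint secret
TOLERANCE_S = 300                        # replay window: reject older deliveries

def sign(body: bytes, ts: int, secret: bytes = SECRET) -> str:
    """Producer-side MAC; used here only to build a realistic sample delivery."""
    return hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()

def verify(headers: dict, body: bytes, secret: bytes = SECRET, now=None) -> dict:
    """Return the parsed event or raise ValueError. The timestamp is bound into
    the MAC, the comparison is constant-time, and the JSON body is parsed only
    after the MAC has been accepted."""
    now = int(time.time() if now is None else now)
    try:
        ts = int(headers["X-Mnemom-Timestamp"])    # assumed header name
        sig = str(headers["X-Mnemom-Signature"])   # assumed header name
    except (KeyError, ValueError):
        raise ValueError("missing or malformed signature headers")
    if abs(now - ts) > TOLERANCE_S:
        raise ValueError("stale delivery (possible replay)")
    if not hmac.compare_digest(sign(body, ts, secret).encode(), sig.encode()):
        raise ValueError("bad signature")
    return json.loads(body)

def route(event: dict) -> str:
    """Map the named Safe House events to an illustrative SOC action."""
    actions = {"sh.evaluation.warn": "log", "sh.evaluation.quarantine": "ticket",
               "sh.evaluation.block": "ticket", "sh.session.escalated": "page"}
    return actions.get(event.get("type"), "ignore")

# Constructed sample delivery for a quarantine verdict.
SAMPLE_TS = 1_700_000_000
SAMPLE_BODY = json.dumps({"type": "sh.evaluation.quarantine", "org": "org_placeholder",
                          "session": "sess_placeholder"}).encode()
SAMPLE_HEADERS = {"X-Mnemom-Timestamp": str(SAMPLE_TS),
                  "X-Mnemom-Signature": sign(SAMPLE_BODY, SAMPLE_TS)}
```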

Protection

Continuous adversarial arena: 15 canonical personas, mutation-phase gated.

The adversarial arena now spans every canonical threat type across all four Safe House checkpoints, with mutation-phase gating that lets attacks evolve only while detection holds. Findings that slip past feed straight into the Managed Rules pipeline.

  • All 15 personas now cover every canonical threat type across the four Safe House checkpoints, including a supply-chain archetype at inside.integrity.
  • Mutation-phase gating lets attacks evolve per fingerprint bucket only while detection holds, with hysteresis to prevent thrash.
  • Attacks that beat detection are captured automatically as Managed Rules candidates over an isolated, attribution-stamped path — no human in the loop to lose a finding.

Protection

Customer false-negative and false-positive reports feed the Managed Rules pipeline.

Customer signal is now a first-class source. Reports flow through an authenticated endpoint, a CLI command, and an acknowledgment-email pipeline that ships in five locales — feeding the same candidate review queue as arena and the cross-tenant aggregator.

  • The report endpoint is live, with a <code>recipe.candidate.created</code> webhook fan-out to your account whenever a report becomes a rule candidate.
  • <code>mnemom recipes report-fn</code> and <code>report-fp</code> commands shipped in the @mnemom/mnemom CLI.
  • Customer-FN acknowledgment email rendered in en/fr/de/it/es via the Track D template pipeline.

Security

Three reviewer modes — with a structural dual-control invariant on tier 1-2.

Platform admins can flip reviewer mode between manual, auto-approve-trusted-sources, and auto-approve-high-confidence. The protective invariant is structural, not procedural: tier-1 and tier-2 rules can never auto-promote without human dual-control, regardless of mode.

  • Reviewer mode and threshold persist platform-wide and are read and written through <code>/v1/admin/settings/reviewer-mode</code>, with every change written to the audit trail.
  • The admin reviewer-mode control ships with a confirmation step and full audit attribution on every change.
  • Three concrete reviewer_mode cells pin the invariant: trusted-sources promotes tier-3, high-confidence inserts ONE approval on tier-1 but does NOT promote, manual blocks all auto-approval (safe-house-hardening#245).
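
The invariant those three cells pin, written as a pure decision function; this is an added example, not Mnemom's code, and the confidence threshold, the `approvals` bookkeeping and the choice to treat trusted-sources on tier 1-2 the same way as high-confidence are assumptions.

```python
"""Reviewer-mode policy with the structural dual-control invariant.
Added example, not Mnemom's code. Mode names follow the page; the 0.95
threshold and the 'approvals' list are assumptions."""
from dataclasses import dataclass, field

MANUAL, TRUSTED, HIGH_CONF = "manual", "auto-approve-trusted-sources", "auto-approve-high-confidence"
DUAL_CONTROL_TIERS = {1, 2}      # structural: never auto-promoted, whatever the mode

@dataclass
class Candidate:
    tier: int
    source_trusted: bool
    confidence: float
    approvals: list = field(default_factory=list)   # who approved, in order
    promoted: bool = False

def auto_review(c: Candidate, mode: str, threshold: float = 0.95) -> str:
    """Apply the platform-wide mode and report what happened:
    'promoted', 'approval_added' or 'no_action'. A tier-1/2 candidate can
    gain at most ONE machine approval; promoting it stays with human dual control."""
    eligible = (mode == TRUSTED and c.source_trusted) or \
               (mode == HIGH_CONF and c.confidence >= threshold)
    if mode == MANUAL or not eligible:
        return "no_action"
    if c.tier in DUAL_CONTROL_TIERS:
        if "auto" in c.approvals:
            return "no_action"            # a second machine approval is never granted
        c.approvals.append("auto")
        return "approval_added"
    c.promoted = True
    return "promoted"
```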

Security

Admin review queue with append-only audit chain.

Platform admins now triage Managed Rule candidates from a dedicated queue: approve, reject, needs-changes, or promote. Every action lands as a service-role-only INSERT on an append-only chain — the audit surface CISOs and regulators can rely on.

  • Every review action lands on an append-only chain, rooted at candidate creation and running through promotion or retirement.
  • An admin review-queue UI ships with full rule detail and telemetry.
  • Every state transition emits a governance signal, and no rule can go active without dual-control sign-off — two-person approval enforced by the platform, not by policy.
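
What an append-only, tamper-evident review chain with a platform-enforced two-person gate looks like in code, as an added example that is not Mnemom's code: the hash linking, the actor names and the reading of dual control as two distinct human approvals recorded before a human promotes a tier-1/2 rule are assumptions.

```python
"""Append-only, hash-chained review log with platform-enforced dual control.
Added example, not Mnemom's code. Hashing scheme, actor names and the reading
of dual control (two DISTINCT human approvals before a human may promote a
tier-1/2 rule) are assumptions modelled on the page."""
import hashlib
import json

DUAL_CONTROL_TIERS = {1, 2}
ACTIONS = {"create", "approve", "reject", "needs-changes", "promote", "retire"}

class ReviewLog:
    """Entries are only appended; each hash covers the previous hash and the
    entry, so rewriting or dropping history is caught by verify()."""

    def __init__(self, candidate_id: str, tier: int):
        self.tier = tier
        self.entries = []                  # [(hash, entry)], oldest first
        self.append("create", "system", candidate=candidate_id)

    @staticmethod
    def _hash(prev: str, entry: dict) -> str:
        blob = prev + json.dumps(entry, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(blob.encode()).hexdigest()

    def append(self, action: str, actor: str, **detail) -> None:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if action == "promote" and not self.dual_control_satisfied(actor):
            raise PermissionError("tier 1-2 promotion needs two-person sign-off")
        prev = self.entries[-1][0] if self.entries else "genesis"
        entry = {"seq": len(self.entries), "action": action, "actor": actor, **detail}
        self.entries.append((self._hash(prev, entry), entry))

    def human_approvers(self) -> set:
        # A machine 'approve' is recorded like any entry but is not a person.
        return {e["actor"] for _, e in self.entries
                if e["action"] == "approve" and e["actor"] != "system"}

    def dual_control_satisfied(self, promoter: str) -> bool:
        if self.tier not in DUAL_CONTROL_TIERS:
            return True                    # tier 3+: the reviewer mode decides
        return promoter != "system" and len(self.human_approvers()) >= 2

    def verify(self) -> bool:
        prev = "genesis"
        for h, entry in self.entries:
            if h != self._hash(prev, entry):
                return False
            prev = h
        return True
```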

Protection

Ed25519-signed Managed Rules with KV+R2 dual-write and a 24h observe soak.

Promoting a recipe to a Managed Rule is now a cryptographically signed event. Each rule is Ed25519-signed, served fail-closed, and routed through a 24-hour observe soak before it enforces in production.

  • Promotion cryptographically signs each rule; gateways verify the signature and serve through a tiered, fail-closed read path with a sub-30s P95 propagation target.
  • Rules escalate from observe to active automatically, with auto-rollback if the false-positive rate climbs; the reasoning surfaces in <code>recipe.promoted</code> and <code>recipe.retired</code> webhooks.
  • A nightly sweep automatically retires rules with zero hits after 90 days, so the active rule set stays lean and current.

Protection

Substrate fingerprinting: every evaluation now carries the L0 axis identity.

The supply-chain detection signal is live. Every integrity checkpoint, arena attempt, and sideband analysis is now stamped with substrate, vertical, pattern, and source fingerprints — the cross-tenant correlation key that catches behavioral deviation across every customer running on the same substrate.

  • Every evaluation is now stamped with its four-axis substrate fingerprint at write time — deployed in production.
  • The underlying data model for the Protection Network is in place, with row-level isolation enforced from the first write.
  • Rules compose like cards — Platform → Org → Team → Agent, strictest-wins.

Security

Safe House detectors hardened on the prompt-injection and PII-leak classes.

The front-door and back-door detectors received a calibration pass. Fewer false positives on legitimate tool calls, a sharper block rate on new injection patterns, and no expansion of the data we collect.

  • Prompt-injection detectors retrained on a recent adversarial corpus; 12% fewer false positives.
  • Back-door screening now catches PII leaks with fragmented tokens (e.g. SSNs or card numbers split across streaming chunks).
  • The signed verdict format now includes the detector version, so auditors can reproduce the exact classifier that was used.

Security

Agent identity with passkeys and hardware keys is live.

Agents can now be bound to a passkey or a hardware key from day one. Ed25519 signing remains the default; WebAuthn-based agent identity is available for teams that want non-forgeable onboarding.

  • WebAuthn attestation supported for agent enrollment.
  • Rotating an agent identity does not break historical proof chains; old keys remain verifiable.
  • Works for both the self-hosted gateway and managed tenants.

Reliability

The gateway now auto-scales up to the M0 ceiling with no operator-side changes.

Under-the-hood reliability work. The managed gateway provisions elastically for traffic spikes up to the M0 tier ceiling, with no tenant-side config. Self-hosted deployments get the same autoscaler defaults in the Helm chart.

  • Auto-scales from 2 to 10 replicas on sustained CPU > 70%.
  • Cold-start path reduced by 40% for the self-hosted image.
  • No pricing change: scale-up stays within your tier's ceiling.

See what the platform actually proves.

Every shipped change supports one of two claims: what we prove, or how we protect your agents.
