Changelog

All notable changes to Aura are documented here. Format: Keep a Changelog Versioning: Semantic Versioning

---

[Unreleased]

Added

docs/api-versioning.md — breaking change policy and deprecation timeline

docs/data-classification.md — full data inventory by sensitivity tier

docs/ir-plan.md — incident response plan with P0–P3 severity levels

docs/data-retention-policy.md — retention schedule and deletion procedures

docs/slos.md — API and pipeline SLO targets

docs/support-sla.md — response time commitments by severity

docs/runbooks/credential-rotation.md — zero-downtime rotation for all credentials

supabase/migrations/0003_least_privilege_role.sql — aura_app least-privilege PostgreSQL role

CI: secrets scanning via truffleHog on every PR

CI: ESLint now blocking (violations fail the build)

CI: coverage report generated on every test run

CHANGELOG.md — this file

Changed

POST /api/scan — deprecated implementation replaced with 301 permanent redirect to POST /api/v1/scan. Sunset: 2026-12-31.

CI: needs: [lint, typecheck, test] — build now requires lint and tests to pass

Security

aura_app role: warning_acknowledgments is now INSERT/SELECT-only at PostgreSQL role level (not just application layer)

truffleHog secrets scanning blocks PRs containing verified secrets

---

[0.5.0] — 2026-05-11 — Parallel Sprint A–E

Added

A-001: RLS policies extended to vector_overrides, feedback, workspaces, workspace_repos; scans DELETE policy added

A-002: scripts/backfill-agile-encryption.ts — idempotent re-encryption of plaintext agileConfig rows

A-003: POST /api/admin/cleanup — CRON_SECRET-gated endpoint for DB hygiene

B-003: POST /api/v1/overrides and PATCH /api/v1/overrides/[id]/approve — vector override workflow

B-004: tests/integration/orchestrator-pipeline.test.ts — TST-003 synthetic CPG fixture

C-001: ScanWarningModal — per-warning-type contextual acknowledgment dialog

C-003: /settings — plan, usage bar, data disclosure, danger zone

C-004: OverrideChallengeDrawer — Sheet UI for classification challenges

D-001: .windsurf/workflows/provision-infra.md — 28-step provisioning runbook

D-002: scripts/staging-gate.ts — 5 automated go-live checks

E-001: scripts/calibrate-mcs.ts — MCS lambda + LRS weight calibration from feedback data

Changed

B-001/002: toFriendlyError exhausted — all pipeline failure paths mapped (INV-1..9, engines, git, auth, refusal)

A-001: supabase/migrations/0002_rls_policies.sql — stale filename fixed; PERFORMANCE NOTE added

Scripts added

npm run staging:gate

npm run backfill:encrypt

npm run calibrate:mcs

---

[0.4.0] — Security, UX, Test, CI Sprint

Added

CSP nonce-based middleware

Per-request X-Request-ID propagation

hashClientIp() — GDPR-compliant IP hashing (SHA-256 + salt)

encryptAgileConfig() — AES-256-GCM encryption for GitHub PATs

DLQ overflow three-tier alerting (10/50/100 jobs)

ResultsRefresher — 4-second auto-poll on results page

UpgradeModal — free tier scan limit enforcement

---

[0.3.0] — User Flow Sprint

Added

Catalogue page with scan history

Real-time scan progress via Supabase Realtime

Scan warning system (warningAcknowledgments table)

RepoDropzone — GitHub URL submission with language warnings

---

[0.2.0] — DB Closure Sprint

Added

supabase/migrations/0001_breezy_terrax.sql — enum types, FK constraints, indexes

BullMQ DLQ configuration with retry limits

workers/pipeline/closure-contract.ts — semantic invariants INV-1..9

Pipeline orchestrator with pre-delivery invariant enforcement

---

[0.1.0] — Initial Remediation Sprint

Added

Next.js 15 app router with Clerk authentication

Drizzle ORM with PostgreSQL schema

BullMQ scan queue with Redis

Core pipeline engines (E1–E8)

/api/v1/scan, /api/v1/health, /api/v1/feedback

Row-Level Security baseline on core tables