Project-Agent repo-root CHANGELOG.md

All notable changes to this repository are documented here. This file is the source of truth — changelog.html is a hand-curated marketing surface and may lag.

The format follows Keep a Changelog and this project adheres to Semantic Versioning for the API surface (versioned via the OpenAPI artifact at docs/api/openapi-v1.json).

[Unreleased] — Enterprise Readiness Program

This batch lands the 12 prioritized items from the enterprise readiness assessment (/root/.claude/plans/how-close-is-this-synthetic-hejlsberg.md). Together they close the highest-leverage gaps for defending a $100K+ contract: P0 hygiene, identity, GDPR, observability, billing.

Security (P0)

  • Item 1: Refuse to boot in production/staging when ARXSEC_ENCRYPTION_KEY is unset or equal to the dev sentinel. Dev warns instead. (app/config.py)

  • Item 2: Real SAML XML-DSig verification via signxml + lxml, plus full claim checks (NotBefore/NotOnOrAfter, Audience, Destination/Recipient, InResponseTo) and replay protection on Response.ID. Fails closed when the IdP cert can't be fetched. (app/core/saml_security.py, app/api/v1/saml.py)

  • Item 3: Rate limiter fails closed for state-changing methods during Redis outages, fails open for safe methods, and trips a circuit breaker after 3 failures in 30 s to avoid hot-looping. (app/middleware/rate_limiter.py)

  • Item 4: New Security CI workflow runs Bandit (Python SAST), pip-audit, npm audit, and CodeQL on every PR + nightly. SARIF uploaded to the GitHub Security tab. (.github/workflows/security.yml)
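
The degraded-mode policy described in Item 3, as an added example that is not the code in app/middleware/rate_limiter.py: safe methods pass and state-changing methods are denied while the backend is down, and three failures inside 30 s open a breaker that stops calling the backend. The names FailurePolicy and BackendDown, the safe-method set, and the 30 s cooldown are assumptions; the page states only the 3-failures-in-30-s trip condition.

```python
import time

# Assumption: "safe" means the RFC 9110 safe methods.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class BackendDown(Exception):
    """Stand-in for a Redis connection error (hypothetical name)."""


class FailurePolicy:
    """Allow/deny decision when the rate-limit backend is unreachable."""

    def __init__(self, threshold=3, window=30.0, cooldown=30.0, clock=time.monotonic):
        self.threshold, self.window = threshold, window  # 3 failures in 30 s (Item 3)
        self.cooldown = cooldown   # assumption: the page gives no cooldown value
        self.clock = clock         # injectable so the policy can be tested offline
        self.failures = []         # timestamps of recent backend failures
        self.open_until = 0.0      # breaker is open until this clock value

    def _degraded(self, method):
        # Fail open for safe methods, fail closed for state-changing ones.
        return method.upper() in SAFE_METHODS

    def check(self, method, backend_allow):
        """backend_allow() returns True/False, or raises BackendDown."""
        now = self.clock()
        if now < self.open_until:
            # Breaker open: answer from policy without touching the backend,
            # so an outage does not turn every request into a failed call.
            return self._degraded(method)
        try:
            return backend_allow()
        except BackendDown:
            # Keep only failures inside the window, then record this one.
            self.failures = [t for t in self.failures if now - t < self.window]
            self.failures.append(now)
            if len(self.failures) >= self.threshold:
                self.open_until = now + self.cooldown
                self.failures.clear()
            return self._degraded(method)
```
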

Compliance & Data Lifecycle

  • Item 5: Retention policy CRUD + GDPR right-to-be-forgotten queue with org-scoped guardrails. audit_log retention is intentionally not configurable via the API to preserve INV-001 (immutable audit log). Daily Celery beat sweep + hourly deletion processor. (migrations/014_data_retention.sql, app/core/data_lifecycle.py, app/api/v1/data_lifecycle.py)

Trust artefacts

  • Item 6: Public /trust page driven by trust.config.ts, .well-known/security.txt (RFC 9116), vulnerability disclosure policy, and incident-response runbook with severity rubric + customer notification SLAs. (frontend/src/app/(legal)/trust/, docs/security/)

Operations

  • Item 7: Component-level /health/components endpoint with a provider-agnostic JSON shape mappable to BetterStack, statuspage.io, or Instatus. Health endpoints exempt from rate limiting so a Redis outage can't blind external monitoring. (app/api/health.py, docs/ops/status-page-setup.md)

  • Item 8: Versioned OpenAPI 3.1 artifact at docs/api/openapi-v1.json (110 paths) regenerated from the live app; CI fails on drift. (scripts/export_openapi.py, .github/workflows/openapi.yml)

  • Item 11: DR restore-drill scripts + runbook with RPO=24h / RTO=4h targets, the integrity check (CRITICAL_TABLES, RLS_REQUIRED_TABLES, audit_log immutability triggers, optional row-count minimums), and a quarterly drill schedule. (scripts/dr/, docs/ops/disaster-recovery.md)

  • Item 12: Prometheus /metrics with bounded-cardinality labels; Sentry with strict PII scrubber (sensitive keys, free-form bearers/emails); Datadog now required in production via config validator. (app/observability/)

Performance

  • Item 10: Atomic Redis-Lua token bucket replaces the raced INCR+EXPIRE counter. Falls back transparently to legacy counter for test stubs / pre-Lua Redis. New k6 load test (load-tests/k6/top10.js) with p95 SLO budgets enforced as thresholds. (arxsec-api/lua/token_bucket.lua, app/middleware/rate_limiter.py)

Commercial

  • Item 9: Stripe subscription lifecycle. New subscriptions and invoices tables with org-scoped RLS; pure-function state machine for customer.subscription.* and invoice.* events; webhook receiver fails closed without STRIPE_WEBHOOK_SECRET. Single source of truth for plan entitlements consumed by the rate limiter, with a minimal admin billing page. (migrations/015_billing.sql, app/billing/, frontend/src/app/(dashboard)/settings/billing/)