2026-06-09·v2.7
Phase 1 closed; ticketing scaffold; non-goals tightened
Phase 1 closes after a deliberate cleanup of two long-pending items. PhishTank is removed because new registrations have been paused indefinitely upstream since 2024, and OpenPhish + URLhaus + urlscan.io already cover the same confirmed-phishing surface. CVSS v4 moves to the non-goal list because the CVSS v3 base score combined with EPSS exploit probability and CISA KEV known-exploitation status already gives production triage the prioritisation signal it needs; a v4 base score would not change those decisions. The Phase 4 #6 ticketing scaffold lands with GitHub Issues wired up; JIRA follows.
- [NEW] Ticketing scaffold: GitHub Issues client + ticket_links table joining cases ↔ external issues; routes for create / refresh / comment
- [IMPROVED] Phase 1 closes 🟢: confirmed-phishing coverage reframed around the OpenPhish + URLhaus + urlscan.io triad already live in production
- [IMPROVED] Roadmap non-goals expanded: CVSS v4 and PhishTank both moved to the "won't build" list with reasons
2026-06-08·v2.6
Phase 2 closed; Phases 1, 3, 4 substantially shipped (24 PRs)
A focused push closed Phase 2 outright and pushed Phases 1, 3, and 4 to near-completion. STIX 2.1 federation is now fully two-way (TAXII push + provenance markings). The detection-as-code surface gained Sigma + YARA. Three LLM-backed analyst surfaces went live (actor summary, NL→Cypher, embedding similarity backend). Outbound integrations grew to cover the standard SOC toolchain — Teams/Discord/PagerDuty notifications, CEF/LEEF/ECS SIEM codecs, vendor firewall blocklists, a playbook DSL, and sandbox triggers across ANY.RUN, Joe Sandbox, and Hybrid Analysis. A security-driven dependency audit cleared all 39 outstanding advisories.
- [NEW] Sigma rule ingester + MITRE ATT&CK tag mapping; YARA persistence + binary scan-sample upload
- [NEW] STIX 2.1 federation complete: provenance + TLP markings on export, expanded bundle import (incl. malware + relationships), outbound TAXII 2.1 push, entity tables for campaign / course-of-action / infrastructure, Neo4j auto-hydration on relationship INSERT
- [NEW] LLM analyst surfaces live: actor activity summary, natural-language → Cypher with read-only safety, embedding similarity (backend)
- [NEW] SIEM exporters: CEF, LEEF, ECS NDJSON joining the existing JSON / CSV / MISP / STIX / Suricata-Snort outputs
- [NEW] Vendor blocklist feeds: Fortinet, Palo Alto, Cisco firewall formats at stable URLs with ETag + HMAC signing
- [NEW] Notification channels: Teams (MessageCard), Discord (embed), PagerDuty (Events API v2 with dedup_key) + a rule-based routing DSL on top
- [NEW] SOAR-style playbook DSL: condition operators ($and / $or / $gte / $regex / dotted-key traversal) + per-step guards (if, continueOnError, label)
- [NEW] Sandbox triggers: ANY.RUN, Joe Sandbox, Hybrid Analysis clients + scheduled poller + sandbox_trigger playbook action
- [IMPROVED] 16 droplet-deploy footguns closed: production now installs from a clean git clone with no manual workarounds
- [FIXED] Security audit cleared: 39 advisories (3 critical + 19 high) → 0 across drizzle-orm, vitest, OpenTelemetry, and 11 transitive overrides (an override pins a transitive version rather than fixing the package that pulls it in, so re-audit the overrides on the next direct-dependency bump)
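The read-only safety on the natural-language → Cypher surface is the item in this release with the most obvious failure mode: an LLM that emits `DETACH DELETE` gets it executed. The guard below is an added example, not the project's implementation. It assumes the generated query is also run through a Neo4j read transaction (`session.executeRead`) under a role with no write grants, and sits in front of that as a lexical second line: it blanks out string literals, backtick identifiers and comments first, so a node property whose value is the word DELETE still passes while a write clause outside quotes does not. The sample queries are constructed.

```typescript
// Added example, not the project's NL->Cypher guard. Assumption: the generated query is
// executed through session.executeRead() under a Neo4j role without write grants; this
// lexical check sits in front of that as defence in depth, and errs toward rejecting.

const WRITE_KEYWORDS = new Set([
  "CREATE", "MERGE", "DELETE", "DETACH", "SET", "REMOVE", "DROP", "LOAD",
  "FOREACH", "CALL", "USE", "ALTER", "GRANT", "DENY", "REVOKE", "START", "STOP",
]);
const MAX_QUERY_LENGTH = 4000;

interface GuardResult { ok: boolean; reason?: string }

// Blank out string literals, backtick identifiers and comments, keeping everything else
// character-for-character so keyword matching never sees quoted text.
function stripLiteralsAndComments(query: string): string {
  let out = "";
  let i = 0;
  while (i < query.length) {
    const ch = query.charAt(i);
    const next = query.charAt(i + 1);
    if (ch === "/" && next === "/") {                      // line comment
      while (i < query.length && query.charAt(i) !== "\n") i++;
    } else if (ch === "/" && next === "*") {               // block comment
      const end = query.indexOf("*/", i + 2);
      i = end === -1 ? query.length : end + 2;
    } else if (ch === "'" || ch === '"' || ch === "`") {   // string literal / backtick identifier
      i++;
      while (i < query.length && query.charAt(i) !== ch) {
        if (query.charAt(i) === "\\") i++;                 // skip escaped character
        i++;
      }
      i++;                                                 // closing quote
      out += " ";                                          // placeholder keeps tokens apart
    } else {
      out += ch;
      i++;
    }
  }
  return out;
}

function guardReadOnlyCypher(query: string): GuardResult {
  if (query.length > MAX_QUERY_LENGTH) return { ok: false, reason: "query too long" };
  const stripped = stripLiteralsAndComments(query);
  // One statement only: a trailing ";" is tolerated, any other ";" is rejected.
  if (stripped.trim().replace(/;$/, "").includes(";")) {
    return { ok: false, reason: "multiple statements" };
  }
  // Whole-word match on bare identifiers, so "created" or "settings" do not trip CREATE / SET.
  for (const word of stripped.toUpperCase().match(/[A-Z_]+/g) ?? []) {
    if (WRITE_KEYWORDS.has(word)) return { ok: false, reason: `write clause ${word}` };
  }
  // CALL is rejected outright, which also drops read-only procedures such as db.labels();
  // that is the conservative choice for text an LLM produced.
  return { ok: true };
}

// Constructed sample queries, the kind an NL->Cypher step might emit.
const SAMPLE_QUERIES: string[] = [
  'MATCH (a:Actor {name: "DELETE"})-[:USES]->(t:Technique) RETURN t.name',
  "MATCH (n:Ioc) DETACH DELETE n",
  "// DELETE nothing, just count\nMATCH (i:Ioc) WHERE i.created > 0 RETURN count(i)",
  "MATCH (n) RETURN n; MATCH (m) CREATE (:Backdoor)",
];

function checkSamples(): GuardResult[] {
  return SAMPLE_QUERIES.map(guardReadOnlyCypher);
}

for (const [q, r] of SAMPLE_QUERIES.map((q, i) => [q, checkSamples()[i]] as const)) {
  console.log(r.ok ? "allow" : `reject (${r.reason})`, "::", q.replace(/\n/g, " "));
}
```

The keyword list is deliberately broad and will reject a property or label literally named `call` or `set` unless it is backtick-quoted; for a query an analyst did not type themselves, a false rejection is the cheaper error.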
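The playbook DSL condition operators and per-step guards, as an added example evaluator that is not the project's own engine. The context shape (`ioc.risk_score`, `source.name`), the action names and the sample event are assumptions constructed for the example. Two details carry the security weight: dotted-key traversal refuses `__proto__` / `constructor` / `prototype` segments and reads own properties only, and `$regex` patterns are treated as trusted playbook configuration written by analysts, never as data lifted from the IOC itself.

```typescript
// Added example, not the project's playbook engine. Context field names (ioc.risk_score,
// source.name), action names and the sample event are assumptions for illustration.

type Json = string | number | boolean | null | Json[] | { [k: string]: Json };
type Condition = { [key: string]: Json };

// Path segments that would walk into the prototype chain are refused outright.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Dotted-key traversal over own properties only: "ioc.risk_score" -> ctx.ioc.risk_score.
function getPath(obj: Json, path: string): Json | undefined {
  let cur: Json | undefined = obj;
  for (const part of path.split(".")) {
    if (FORBIDDEN_SEGMENTS.has(part)) return undefined;
    if (cur === null || typeof cur !== "object" || Array.isArray(cur)) return undefined;
    if (!Object.prototype.hasOwnProperty.call(cur, part)) return undefined;
    cur = cur[part];
  }
  return cur;
}

const regexCache = new Map<string, RegExp>();
// $regex patterns are playbook configuration written by analysts, never IOC data;
// the length cap keeps a mistyped pattern from turning pathological.
function compileRegex(pattern: string): RegExp {
  if (pattern.length > 256) throw new Error("regex pattern too long");
  let re = regexCache.get(pattern);
  if (!re) { re = new RegExp(pattern); regexCache.set(pattern, re); }
  return re;
}

function isNum(v: unknown): v is number { return typeof v === "number"; }

function matchOperator(actual: Json | undefined, op: string, expected: Json): boolean {
  switch (op) {
    case "$eq":    return actual === expected;
    case "$ne":    return actual !== expected;
    case "$gte":   return isNum(actual) && isNum(expected) && actual >= expected;
    case "$lt":    return isNum(actual) && isNum(expected) && actual < expected;
    case "$in":    return Array.isArray(expected) && expected.includes(actual as Json);
    case "$regex": return typeof actual === "string" && typeof expected === "string"
                     && compileRegex(expected).test(actual);
    default:       throw new Error(`unknown operator ${op}`);
  }
}

function evaluate(cond: Condition, ctx: Json): boolean {
  for (const [key, value] of Object.entries(cond)) {
    if (key === "$and") {
      if (!Array.isArray(value) || !value.every((c) => evaluate(c as Condition, ctx))) return false;
    } else if (key === "$or") {
      if (!Array.isArray(value) || !value.some((c) => evaluate(c as Condition, ctx))) return false;
    } else {
      const actual = getPath(ctx, key);
      if (value !== null && typeof value === "object" && !Array.isArray(value)) {
        for (const [op, expected] of Object.entries(value)) {     // every operator must hold
          if (!matchOperator(actual, op, expected)) return false;
        }
      } else if (actual !== value) {
        return false;                                            // shorthand equality
      }
    }
  }
  return true;
}

interface Step { label: string; action: string; if?: Condition; continueOnError?: boolean }
interface StepResult { label: string; status: "ran" | "skipped" | "failed"; error?: string }
type ActionTable = Record<string, (ctx: Json) => void>;

function runPlaybook(steps: Step[], ctx: Json, actions: ActionTable): StepResult[] {
  const results: StepResult[] = [];
  for (const step of steps) {
    if (step.if && !evaluate(step.if, ctx)) {
      results.push({ label: step.label, status: "skipped" });
      continue;
    }
    const fn = actions[step.action];
    try {
      if (!fn) throw new Error(`unknown action ${step.action}`);
      fn(ctx);
      results.push({ label: step.label, status: "ran" });
    } catch (e) {
      results.push({ label: step.label, status: "failed", error: String(e) });
      if (!step.continueOnError) break;                // stop the run unless the step opted out
    }
  }
  return results;
}

// Constructed sample: one enriched IOC and a three-step playbook.
const sampleContext: Json = {
  ioc: { type: "url", value: "http://evil.example/login", risk_score: 85 },
  source: { name: "urlhaus" },
};
const samplePlaybook: Step[] = [
  { label: "page-oncall", action: "notify",
    if: { "ioc.risk_score": { $gte: 70 }, "ioc.value": { $regex: "^https?://" } } },
  { label: "detonate", action: "sandbox_trigger", continueOnError: true,
    if: { $or: [{ "source.name": "otx" }, { "ioc.type": { $in: ["url", "file"] } }] } },
  { label: "block", action: "firewall_block", if: { "ioc.risk_score": { $gte: 90 } } },
];
const sampleActions: ActionTable = {
  notify: () => {},
  sandbox_trigger: () => { throw new Error("sandbox quota exceeded"); },  // simulated failure
  firewall_block: () => {},
};

function runSample(): StepResult[] {
  return runPlaybook(samplePlaybook, sampleContext, sampleActions);
}

console.log(runSample());
```

On the sample, `page-oncall` runs, `detonate` fails but is marked `continueOnError` so the run proceeds, and `block` is skipped because the score is below 90; a failing step without `continueOnError` ends the run at that point.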
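For the CEF exporter the part worth getting right is escaping: a `|` inside an event name shifts every later header field, and an unescaped `=` or newline in an extension value lets attacker-controlled IOC data forge extra key/value pairs or whole events in the SIEM. The builder below is an added example, not the project's codec; the vendor/product strings and the sample event are constructed.

```typescript
// Added example, not the project's SIEM codec. Vendor/product strings and the sample event
// are constructed; the escaping rules follow the CEF header/extension format.

interface CefEvent {
  deviceVendor: string;
  deviceProduct: string;
  deviceVersion: string;
  signatureId: string;
  name: string;
  severity: number;                              // 0..10 per CEF
  extension: Record<string, string | number>;
}

// Header fields: "|" delimits, so "|" and "\" must be escaped; a newline would end the record.
function escapeHeader(v: string): string {
  return v.replace(/\\/g, "\\\\").replace(/\|/g, "\\|").replace(/[\r\n]+/g, " ");
}

// Extension values: "=" binds key to value and "\" escapes, so both are escaped, and a
// newline becomes the two characters "\n" so one event stays one line.
function escapeExtension(v: string): string {
  return v.replace(/\\/g, "\\\\").replace(/=/g, "\\=").replace(/\r\n|\r|\n/g, "\\n");
}

function toCef(e: CefEvent): string {
  const sev = Math.min(10, Math.max(0, Math.round(e.severity)));
  const header = [e.deviceVendor, e.deviceProduct, e.deviceVersion, e.signatureId, e.name]
    .map(escapeHeader)
    .join("|");
  const ext = Object.entries(e.extension)
    .filter(([k]) => /^[A-Za-z][A-Za-z0-9]*$/.test(k))  // keys cannot be escaped, so drop bad ones
    .map(([k, v]) => `${k}=${escapeExtension(String(v))}`)
    .join(" ");
  return `CEF:0|${header}|${sev}|${ext}`;
}

// Constructed sample: an IOC match whose fields carry the characters an attacker would use
// to inject a second header field, an extra extension pair, or a second event.
const sampleEvent: CefEvent = {
  deviceVendor: "ExampleTI",
  deviceProduct: "ThreatIntel",
  deviceVersion: "2.6",
  signatureId: "ioc-match",
  name: "High-risk IOC matched | exfil",
  severity: 8,
  extension: {
    src: "10.0.0.5",
    request: "http://evil.example/login?user=admin",
    msg: "line1\nline2",
    cs1Label: "ioc_source",
    cs1: "urlhaus",
  },
};

function sampleCef(): string {
  return toCef(sampleEvent);
}

// Split on unescaped "|": a well-formed line yields 7 header fields plus the extension = 8.
function headerFieldCount(line: string): number {
  return line.split(/(?<!\\)\|/).length;
}

console.log(sampleCef());
```

The same rule set is what a LEEF codec needs with different delimiters (tab-separated attributes by default), so keep the escape functions per format rather than reusing the CEF ones.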
2026-06-02·v2.5
Production launch — app.rinjanianalytics.com is live
The hosted platform is now live with multi-user authentication, OAuth via Google and GitHub, and role-based access control. Nine intelligence feeds are ingesting daily, the worker pipeline is correlating + enriching IOCs end-to-end, and nightly Postgres backups with restore-verified parity are running off a 03:00 UTC cron.
- [NEW] Hosted platform at https://app.rinjanianalytics.com
- [NEW] OAuth sign-in via Google + GitHub, alongside API-key + Bearer auth
- [NEW] Admin / viewer RBAC with auto-promotion from ADMIN_EMAILS (promotion should key on the provider-verified email only: an unverified GitHub address can be set to any value)
- [NEW] Nightly pg_dump backup cron at 03:00 UTC with 7-day retention
- [IMPROVED] 9 feeds active: OTX, CISA KEV, NVD, ThreatFox, URLhaus, MalwareBazaar, OpenPhish, MITRE ATT&CK, MISP Galaxy
- [FIXED] Schema drift hotfix: users.avatar_url, iocs.risk_score, galaxy_clusters table
- [FIXED] Marketing site CTAs wire through to the live app instead of GitHub-only
2026-06-01·v2.4
Compose profiles + login redesign
Default `docker compose up -d` now starts only the 6-service data plane; apps, gateway, telemetry, and SSO live behind opt-in profiles. The auth screen got a two-pane redesign that pairs the brand identity with the secure-access form.
- [NEW] `apps`, `gateway`, `platform`, `telemetry`, `dashboard` compose profiles
- [NEW] Two-pane login layout with live UTC clock + ambient node graph
- [IMPROVED] Prometheus scrape key templated via env var; no literal key in repo
- [FIXED] `docker compose up -d` no longer collides on :3001 with host `pnpm dev`
2026-05-28·v2.3
Worker pipeline + Workbench schedulers
Workers + scheduler + feed-sync daemon now run inside the API process. Workbench gets Edit / Disable / Run-now controls that delegate to the same reconcileScheduledJob backend the dashboard uses.
- [NEW] Embedded BullMQ ops UI at `/admin/workbench`
- [NEW] FlowProducer parent/child graphs for feed-sync batches
- [IMPROVED] Single `pnpm dev` boots api, gateway, and worker in-process
- [FIXED] Stale schedules no longer survive the boot reconcile loop
2026-05-12·v2.2
Graph explorer + Neo4j attribution
Force-directed graph view for actor / IOC / vuln / technique pivots, backed by Neo4j. Shortest-path queries answer 'is X reachable from Y' in one click.
- [NEW] Graph explorer at `/graph` with k-hop expansion
- [NEW] Shortest-path resolver for attribution chains
- [IMPROVED] Layout persistence across page reloads
2026-04-22·v2.1
Enrichment pipeline expansion
VirusTotal LiveHunt, ZoomEye, and Google Safe Browsing added to the parallel enrichment fan-out. Per-provider rate limits enforced in the worker.
- [NEW] VT LiveHunt, ZoomEye, Google Safe Browsing providers
- [IMPROVED] Backoff is per-provider; one slow source doesn't slow the others
- [FIXED] Cached enrichment results respect 24h TTL correctly
2026-04-03·v2.0
v2 release — split unit + integration suites
Test suites split: CI runs the pure unit tests against the schema; integration tests opt in via `pnpm test:integration` against a full local stack. CI no longer needs Neo4j or OpenSearch service containers.
- [NEW] v2 API surface alongside v1 (legacy preserved)
- [IMPROVED] CI pipeline 4× faster: no spin-up for unused service containers