Skip to content

Changelog

All notable changes to the Fulcrum project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[0.1.0-beta.1] - 2026-01-19

Added

  • Infrastructure Hardening: Production-ready configuration and security
  • Strict Config Validation: All Go services now enforce environment variable validation with failsafe defaults
  • Doppler Verification: Integrated script for secret mapping and environment consistency checks
  • Kubernetes Hardening: Restricted NetworkPolicies for internal service isolation
  • Security & Compliance: Enterprise-grade access control and auditing
  • Granular RBAC: Scope-based authentication (e.g., policy:write, audit:read) enforced via gRPC interceptors
  • Action Ledger: Canonical, immutable audit trail for all agent activity and administrative actions
  • Database Level Security: Enforced Row-Level Security (RLS) across all core and audit tables
  • Beta Release Candidate Build: Final polish and verification
  • Terminology Standardization: Unified "Action Ledger" and "Policy" terminology across Dashboard and SDKs
  • End-to-End Verification: Validated critical user journeys including onboarding and policy enforcement

Fixed

  • Integration test migration dependencies and environment consistency
  • Dashboard terminology mismatch for "Flight Recorder"

[2.3.0] - 2026-01-10

Added

  • API-First Expansion: Complete programmatic access layer for enterprise integrations
  • REST Client Libraries: PolicyClient, BudgetClient, ApprovalClient, MetricsClient in both Python and TypeScript SDKs
  • MCP Server Enhancement: 19 tools for AI agent self-governance (Policy Management, Budget Management, Approval Workflows, API Key Management, Observability)
  • CLI Tool (fulcrum): Cobra-based CLI with full policy, budget, approval, and key management
  • Policies-as-Code: GitOps workflow support with YAML policy definitions (Kubernetes-style)

Documentation

  • MCP Tools Reference: Complete reference for all 19 MCP tools (docs/api/mcp-tools-reference.md)
  • CLI README: Full command reference with examples (cmd/fulcrum-cli/README.md)
  • Architecture Diagram: Programmatic Access Layer visualization in system overview
  • SDK Documentation: Updated Python and TypeScript READMEs with REST client examples

Changed

  • System architecture updated to show MCP/SDK/CLI access layer
  • SDK version bump to include REST clients

[2.2.1] - 2026-01-08

Security

  • Dashboard Dependencies: Updated preact transitive dependency from 10.28.1 to 10.28.2 (fixes JSON VNode Injection - HIGH severity)
  • Ollama Advisory: Documented 8 known vulnerabilities in Ollama v0.13.5 with mitigations (docs/security/2026-01-08-ollama-vulnerabilities.md)
  • No upstream fix available; risk accepted with architectural mitigations
  • Network isolation, timeout protection, fallback providers documented

Verified (No Action Required)

  • golang.org/x/crypto already at v0.45.0 (patched)
  • langchain-core and langgraph-checkpoint alerts already fixed in Python SDK

[2.2.0] - 2026-01-03

Added

  • Brain Service Proto: Complete protobuf contracts for cognitive layer (brain/v1/brain_service.proto)
  • SemanticJudgeService: LLM-based intent evaluation API
  • OracleService: Predictive cost modeling API (unique differentiator)
  • ImmuneSystemService: Automated policy generation API
  • Spec Version Registry: docs/SPEC_VERSIONS.md - Single source of truth for all specification versions
  • Dashboard Pricing Section: Landing page pricing tiers
  • Commercial Product Model: Transitioned from open-source to commercial positioning

Changed

  • Updated all documentation URLs to Fulcrum-Governance/fulcrum-io
  • Deep cleaned root directory structure
  • Added .claude/ configuration directory

Fixed

  • Corrected 28+ broken documentation links
  • Fixed MCP Registry identifier in launch materials

[2.1.0] - 2026-01-02

Added

  • Full System Audit: Comprehensive codebase audit (docs/audits/)
  • Dashboard Investor Walkthrough: Sprint 3 landing page for investor demos
  • Policy Audit Logs Table: Database migration for compliance auditing
  • Dashboard Redesign: Complete UIUX overhaul with Swiss Industrial aesthetic

Changed

  • Dashboard route groups and component extraction (Sprint 0-3)
  • Production hardening across dashboard components

Fixed

  • React hydration mismatch on overview page (P0-002)
  • Dashboard SSE handling for traces page (P0-001)
  • Docker proto volume mount for dashboard container (P0-004)
  • ESLint errors and warnings (P1-001/P1-002)
  • Next.js workspace root warning (P2-002)

Security

  • Removed PyPI recovery codes and orphaned sensitive files
  • Repaired security tests for API and prompt injection

[2.0.1] - 2026-01-01

Added

  • Cognitive Layer Complete (Phase 7 & 8):
  • Semantic Judge: LLM-based policy evaluation with Ollama integration
  • Oracle: Statistical cost prediction using normal distribution models
  • Immune System: Automated policy generation from incident patterns
  • CrewAI Integration: Multi-agent workflow support
  • Offline Demo Mode: Run platform without external dependencies
  • Error Infrastructure: Comprehensive error handling across services
  • Svix Integration: Webhook delivery for event notifications

Changed

  • Python SDK updated for nested policy evaluation results
  • Dashboard components modernized with new policy views

Fixed

  • Clerk auth hooks when authentication disabled
  • Investor landing page routing

[2.0.0] - 2025-12-18

Added

  • MCP Governance Server: Production-grade Model Context Protocol implementation
  • Statistical Anomaly Detection: Z-score based policy evaluation for token and cost spikes
  • Dynamic Guardrails: External context fetching during policy evaluation via EXTERNAL_CALL
  • Row-Level Security (RLS): Hard tenant isolation at the database layer
  • Mission Tape Scrubber: Interactive UI for replaying execution event history
  • Durable JetStream Persistence: Optimized NATS tuning with file-backed storage
  • Multi-tenant SDKs: Tenant-aware execution envelopes in Python and TypeScript

Changed

  • Dashboard Aesthetic: Swiss Industrial identity (high-contrast, mono-typography)
  • Core Architecture: Migrated to Go 1.24 and TimescaleDB for high-frequency ingestion
  • Deployment: Integrated Terraform for AWS/GCP infrastructure-as-code

Fixed

  • Policy evaluation latency reduced to <2ms via Redis caching
  • Event store delivery reliability with explicit JetStream acknowledgments

[1.0.0] - 2025-11-20

Added

  • Initial "Execution Envelope" abstraction
  • LangGraph adapter prototype
  • Basic cost tracking and token budgeting
  • PostgreSQL storage for policies and envelopes

Safety is the foundation.