
Release Notes

MazeVault Platform Version History

Document Version: 1.0.41
Last Updated: 2026-04-26


Version 1.0.41 (Current)

Release Date: 2026-04-26

Improvements

  • Documentation Sync — Comprehensive documentation update aligned with v1.0.41 codebase. Environment variable reference expanded with five new sections: License/Organization Registration, Orchestrator Mode, ACME DNS-01, KeyTab Management, and Agent Binary Proxy. All existing sections updated with previously missing variables.
  • Office 365 Email Variable Corrected — Fixed incorrect variable name O365_ENABLED → O365_EMAIL_ENABLED throughout documentation. Full Office 365 authentication configuration documented (client secret, certificate, and managed identity methods).
  • KeyTab API Reference — Full API documentation published for all 14 KeyTab management endpoints. See KeyTab API.
  • Reports API Reference — Full API documentation published for the Weekly Expiry Reports endpoints. See Reports API.
  • Platform Version Sync — All documentation pages updated to reflect current platform version.

Version 1.0.40

Release Date: 2026-04-25

New Features

  • OIDC Nonce Enforcement — New MAZEVAULT_ENFORCE_OIDC_NONCE flag enables strict nonce validation on OIDC tokens. When set to true, tokens without a valid nonce claim are rejected, providing protection against token replay attacks. Recommended for all production deployments.
  • Agent Trust Store Controls — New environment variables MAZEVAULT_AGENT_INSTALL_CHAIN_TO_TRUSTSTORE and MAZEVAULT_AGENT_TRUST_STORE_PATH control whether the MazeVault agent installs the internal CA certificate chain into the operating system trust store, and allow overriding the default trust store path on Linux.

Improvements

  • Certificate Rotation Target Sync Status — GET /api/v1/certificates/:id/targets/:targetId/status now returns full per-step result details, making failed target synchronizations easier to diagnose.
  • Gateway Registration Stability — Improved retry logic for bootstrap token exchange reduces failed registrations caused by transient network issues during first-time gateway setup.
  • OCSP URL Validation — OCSP_URL backend variable now validates URL format at startup to prevent misconfiguration from silently causing OCSP failures.

Bug Fixes

  • Corrected AGENT_VERSION=latest resolution to always fetch the highest tagged release version rather than the most recent commit.
  • Fixed display overlap in the certificate import modal under Orchestrator Mode when both keytab and private key sections were visible simultaneously.

Version 1.0.39

Release Date: 2026-04-22

New Features

  • Agent Binary Distribution Control — New configuration variables provide granular control over how agent updates are distributed across the fleet. AGENT_ROLLOUT_PERCENTAGE limits what percentage of agents receive update notifications (0–100), enabling staged rollouts. AGENT_MAX_CONCURRENT_DOWNLOADS caps parallel binary download streams to prevent network saturation.
  • Agent Binary Proxy — MazeVault can now proxy agent binary downloads from a private GitHub release repository, removing the requirement for agent hosts to reach the public GitHub Releases endpoint directly. Configure via AGENT_BINARY_GITHUB_TOKEN, AGENT_BINARY_CACHE_DIR, AGENT_DOWNLOAD_BASE_URL, and AGENT_VERSION.
  • Primary Backend Environment Seeding — New MAZEVAULT_PRIMARY_ENVIRONMENTS variable pre-seeds the list of environments served directly by the primary backend on first startup, simplifying initial deployment configuration of multi-environment setups.

Improvements

  • KeyTab Dashboard Refresh — Fixed cipher compliance breakdown chart not updating after importing a keytab with deprecated ciphers.
  • Weekly Report Multi-Channel Reliability — Resolved a scheduling race condition that could silently drop one delivery channel when multiple channels were all enabled simultaneously.

Bug Fixes

  • Fixed gateway heartbeat timestamp not updating correctly following a network partition recovery.

Version 1.0.38

Release Date: 2026-04-19

New Features

  • KeyTab Management — Full Kerberos Lifecycle — Enterprise-grade Kerberos KeyTab management with complete lifecycle support. Import, discover, and manage keytab files across your infrastructure. Key capabilities include:
    • Import & Parse — Import MIT Kerberos v2 keytab binary files with automatic extraction of principals, realms, key version numbers (KVNO), and encryption types. Supports base64-encoded upload.
    • Agent Discovery — Agents automatically discover .keytab files on managed hosts, reporting file path, permissions, owner, and encryption type fingerprint. Discovered keytabs can be imported into managed inventory with a single action.
    • Cipher Policy Enforcement — Define organization-level cipher policies specifying allowed and deprecated Kerberos encryption types. Three enforcement modes: audit (report only), warn (allow with warning), block (prevent non-compliant keytabs). Default policy blocks legacy ciphers (DES, RC4-HMAC) while allowing modern AES and Camellia ciphers.
    • Version History — All keytab updates create immutable version records with change reason tracking for full audit compliance.
    • Dashboard & Analytics — Dedicated KeyTab dashboard showing total/active/expired counts, cipher compliance breakdown (compliant/warning/critical), expiry forecasts, and cipher type distribution.
    • Orchestrator Mode Support — In Orchestrator Mode, keytab binary data is offloaded to an external provider; only metadata is stored locally.
  • Weekly Expiry Report — Automated weekly reports showing certificates and secrets expiring within 60 days, delivered to multiple channels simultaneously:
    • Email — HTML-formatted report to configured recipient list
    • Slack / Microsoft Teams — Webhook-based notifications with expiry summaries
    • JIRA — Automatic issue creation with expiry details for tracking
    • Generic Webhook — HTTP POST with full report payload for custom integrations
    • Reports can be previewed before sending and triggered manually on demand.
  • Local Gateway Registration — The primary backend can now register itself as a local gateway, enabling unified gateway management UI for both local and remote gateways. A unique constraint ensures only one local gateway per deployment.
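The KeyTab import and cipher policy items above describe parsing MIT Kerberos v2 keytab files and evaluating their encryption types under an audit, warn or block policy. The Go program below is an added example written for this page, not MazeVault's code: it implements the documented keytab layout (0x0502 magic, int32 record size with negative sizes marking deleted slots, counted octet strings for realm and principal components, name type, timestamp, 8-bit kvno, enctype, key length and key, then an optional 32-bit kvno), skips the key material instead of keeping it, and applies a policy whose default blocks DES and RC4-HMAC. The sample file, its principals and the 4-byte dummy keys are constructed for the demo; the enctype numbers are the IANA registry values.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"strings"
)

type KeytabEntry struct { // inventory metadata only: key bytes are consumed while parsing, never retained
	Principal, Realm string
	KVNO             uint32
	EncType          uint16 // IANA Kerberos enctype (18 = aes256-cts-hmac-sha1-96, 23 = rc4-hmac)
}

type cursor struct { // bounds-checked big-endian reader; the first failure sticks in err
	b   []byte
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err == nil && (n < 0 || n > len(c.b)) {
		c.err = errors.New("truncated keytab record")
	}
	if c.err != nil {
		return make([]byte, 8) // harmless zeros so callers need no nil checks; err is already set
	}
	out, rest := c.b[:n], c.b[n:]
	c.b = rest
	return out
}
func (c *cursor) u16() uint16 { return binary.BigEndian.Uint16(c.take(2)) }
func (c *cursor) u32() uint32 { return binary.BigEndian.Uint32(c.take(4)) }
func (c *cursor) str() string { return string(c.take(int(c.u16()))) } // counted octet string

// parseEntry decodes one record body: component count, realm, components, name type, timestamp,
// 8-bit kvno, enctype, key length, key material, and an optional trailing 32-bit kvno.
func parseEntry(body []byte) (e KeytabEntry, err error) {
	c := &cursor{b: body}
	comps := make([]string, c.u16())
	e.Realm = c.str()
	for i := range comps {
		comps[i] = c.str()
	}
	e.Principal = strings.Join(comps, "/")
	c.take(8) // name type and timestamp: not needed for the inventory
	e.KVNO = uint32(c.take(1)[0])
	e.EncType = c.u16()
	c.take(int(c.u16())) // key material: skipped, never copied into the entry
	if len(c.b) >= 4 { // the optional 32-bit kvno overrides the 8-bit field when non-zero
		if v := c.u32(); v != 0 {
			e.KVNO = v
		}
	}
	return e, c.err
}

// ParseKeytab walks an MIT keytab v2 file (magic 0x0502): each record is an int32 size followed by
// its body, and a negative size marks a deleted slot that still occupies |size| bytes.
func ParseKeytab(data []byte) ([]KeytabEntry, error) {
	if len(data) < 2 || data[0] != 0x05 || data[1] != 0x02 {
		return nil, errors.New("not an MIT keytab v2 file")
	}
	c := &cursor{b: data[2:]}
	var out []KeytabEntry
	for c.err == nil && len(c.b) > 0 {
		size := int32(c.u32())
		if size < 0 {
			c.take(int(-size))
			continue
		}
		e, err := parseEntry(c.take(int(size)))
		if err != nil {
			return nil, err
		}
		out = append(out, e)
	}
	return out, c.err
}

var deprecatedEnctypes = map[uint16]bool{1: true, 3: true, 23: true} // des-cbc-crc, des-cbc-md5, rc4-hmac

// CheckCipherPolicy returns whether an import may proceed plus the non-compliant entries. mode is
// "audit", "warn" or "block": the first two always allow (the caller decides how loudly to report),
// block allows only a clean keytab. AES and Camellia enctypes are not in the deprecated set.
func CheckCipherPolicy(entries []KeytabEntry, mode string) (bool, []KeytabEntry) {
	var bad []KeytabEntry
	for _, e := range entries {
		if deprecatedEnctypes[e.EncType] {
			bad = append(bad, e)
		}
	}
	return mode != "block" || len(bad) == 0, bad
}

// SampleKeytab is constructed test data with 4-byte dummy keys: HTTP/web01.example.com@EXAMPLE.COM (aes256, kvno 3),
// a 4-byte deleted slot, then host/legacy.example.com (rc4-hmac, kvno 300, which only fits the 32-bit field; the 8-bit field holds 44).
func SampleKeytab() []byte {
	raw, _ := hex.DecodeString("0502" +
		"0000003d0002000b4558414d504c452e434f4d000448545450001177656230312e6578616d706c652e636f6d000000016553f10003001200040000000000000003" +
		"fffffffcdeadbeef" + "0000003e0002000b4558414d504c452e434f4d0004686f737400126c65676163792e6578616d706c652e636f6d000000016553f1002c00170004000000000000012c")
	return raw
}
```

ParseKeytab never copies key bytes into a KeytabEntry, so an inventory built from it holds no secrets; an importer that must keep the keytab itself would encrypt the raw file separately. The kvno override is worth keeping: the 8-bit field wraps at 256, and treating it as authoritative would mis-report any service principal that has been rekeyed more than 255 times.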

Improvements

  • Gateway Multi-Environment Support — Gateways can now serve multiple environments simultaneously, removing the previous one-gateway-per-environment restriction.
  • Report RBAC Permissions — New report:read and report:write permissions provide fine-grained access control for the reporting system. All standard roles (User, Certificate Manager, Secret Manager, Auditor) receive report:read; Admin and Project Admin additionally receive report:write.
  • KeyTab RBAC Permissions — New keytab:read, keytab:write, keytab:delete, and keytab:admin permissions control access to keytab management. Standard users and auditors receive read access; operators and organization admins receive write and delete; organization admins additionally receive admin access for policy management.

Bug Fixes

  • Entra Sync Rule Cleanup — Removed orphaned sync rules left behind by deleted integrations, and cleaned up duplicate sync rules for entra_id provider type (now handled by the dedicated Entra Sync Scheduler). Fixes recurring "sync failed for rule" errors in production environments.

Version 1.0.37

Release Date: 2026-04-16

Improvements

  • Gateway Task Payload Encryption — Sensitive task payloads exchanged between the primary backend and gateways are now encrypted at rest in the database. The payload_encrypted flag on gateway tasks ensures that JSONB payloads containing credentials and private keys are protected even if database access is compromised.
  • Write Queue Exponential Backoff — Multi-datacenter write queue now tracks the timestamp of each retry attempt, enabling proper exponential backoff calculation for failed synchronization operations. This improves reliability and reduces unnecessary load on remote gateways during connectivity disruptions.

Security Updates

  • Gateway Payload At-Rest Encryption — Task results and payloads in the gateway task queue are now encrypted before database storage, closing a potential data exposure vector in multi-datacenter deployments.

Version 1.0.36

Release Date: 2026-04-15

New Features

  • KeyTab Database Schema — New database tables for keytab management: keytabs (encrypted keytab storage with cipher compliance tracking), keytab_versions (immutable version history), keytab_cipher_policies (organization-level cipher enforcement), and discovered_keytabs (agent discovery results with stale detection).
  • KeyTab RBAC Permissions — New permission set (keytab:read, keytab:write, keytab:delete, keytab:admin) assigned to appropriate system roles for keytab lifecycle management.

Improvements

  • Gateway API Token Enhancement — Improved gateway authentication with dedicated API tokens and bootstrap provisioning support.
  • Agent KeyTab Discovery — Agents can now discover Kerberos keytab files on managed hosts and report findings including file path, permissions, owner, encryption types, and SHA-256 fingerprint.

Version 1.0.35

Release Date: 2026-04-14

Bug Fixes

  • PEM Import — Private Key Preservation — Fixed a critical issue where importing a PEM file containing a certificate chain and a private key would silently discard the private key. The system correctly detected the key during file preview but lost it during the actual import, causing subsequent PFX/JKS exports to fail. The PEM bundle parser now correctly extracts PKCS#8, RSA, and EC private key blocks.
  • Certificate Import — Project Name in Error Messages — When importing a certificate that already exists, the error message now includes the project name where the duplicate resides (e.g., "certificate already exists … project=MyProject"), making it easier to identify conflicts.

Improvements

  • Private Key Visibility in UI — Certificates now display their private key status across all views:
    • Certificate lists show a green shield icon when a private key is stored.
    • The certificate dashboard shows a green key icon next to certificates with private keys.
    • The certificate detail modal displays a chip indicating whether the key is stored locally, externally, or not available.

Version 1.0.34 (Previous)

Release Date: 2026-04-10

New Features

  • Identity Provider Group Discovery — New API endpoint GET /identity-providers/{id}/groups fetches groups directly from the configured identity provider (Entra ID via Microsoft Graph, LDAP via directory search). Supports search filtering by group display name for easy role mapping.
  • Identity Provider Test Coverage — Added comprehensive unit test coverage for identity provider CRUD operations, test-connection flow, and group discovery endpoints.

Improvements

  • JKS Export — Pure Go Implementation — Replaced the external keytool (JDK) dependency with a native Go implementation using keystore-go/v4. JKS export now works in any environment without requiring a Java runtime, includes the full certificate chain, and has comprehensive test coverage.
  • Gateway API Token Authentication — New gateway_api_tokens table and middleware for gateway-to-backend API authentication. Gateways can now authenticate using dedicated API tokens with automatic bootstrap provisioning.
  • Gateway Write Queue — Added gateway_write_queue table for buffering write operations from gateways, enabling reliable data synchronization in multi-datacenter deployments.
  • Gateway Bootstrap Hardening — Improved gateway bootstrap flow with enhanced validation, Azure SQL connectivity checks, and more reliable initial registration.
  • Azure Test Environment Terraform — New Terraform configuration for automated Azure test environment provisioning, including Entra ID enterprise apps, Key Vaults, and Azure SQL.

Security Updates

  • Gateway Middleware Authentication — New dedicated middleware validates gateway API tokens with proper scope checks and request context propagation.

Version 1.0.33

Release Date: 2026-04-09

New Features

  • Azure Permissions Check Endpoints — Added new Azure access validation APIs for permissions and resource visibility:
    • POST /api/v1/admin/azure/mi-permissions-check
    • GET /api/v1/azure/user-permissions-summary
    • GET /api/v1/azure/subscriptions/{subscriptionId}/sql-servers
  • Managed Identity Permissions Validation — New managed identity check flow validates access across configured Azure integrations and returns per-integration status results.
  • User Permissions Summary — Added a consolidated subscription-level overview of Azure resources visible to the authenticated user, including Key Vault and SQL server discovery.

Improvements

  • RBAC Integration for Azure Permission Checks — Azure permissions endpoints are now protected by MazeVault RBAC with integration:read and integration:write guards.
  • Swagger Schema Coverage — OpenAPI definitions now include the Azure permissions check response models (MIPermissionsCheckResponse, MICheckResult) for accurate API client generation.

Security Updates

  • Role Permission Alignment — Migration 000109_add_audit_settings_permissions adds audit:read and project:write permissions to certificate_manager and secret_manager roles for consistent access control behavior.

Version 1.0.32

Release Date: 2026-04-08

New Features

  • Azure Managed HSM Integration — Full support for key storage and manipulation in Azure Managed HSM with automatic certificate updates and key rotation. All private key operations occur in the HSM with metadata returned to the database.
  • Organization-Level Password Policy — Define password enforcement rules (minimum length, complexity, expiry) for all organization users. Rules are enforced at password creation and change with legacy integration compatibility.

Improvements

  • CRDT Sync Performance — Optimized conflict resolution for datasets >100k records, 40% speed improvement on multi-DC setups.
  • Extended Audit Logs — Comprehensive recording of all password, certificate, and administrative operations.

Bug Fixes

  • Fixed cache invalidation timing in cluster deployments.
  • Resolved sync failures with large CSR transactions.

Version 1.0.31

Release Date: 2026-04-07

New Features

  • Orchestrator Mode — External Key Storage — MazeVault can now run in a mode where all private keys and secrets are stored exclusively in external key vaults (Azure Key Vault, AWS Secrets Manager, HashiCorp Vault). Local database contains only metadata.
  • License Compliance Tracking — Dashboard displays license status in real-time, including used licenses, upcoming expirations, and warning states.

Improvements

  • Standard → Orchestrator Mode Migration — New CLI commands for safely migrating existing Standard mode systems to Orchestrator mode.
  • Orchestrator Mode UI — Toggle in Onboarding Wizard and organization settings.

Bug Fixes

  • Fixed selective certificate copying in Orchestrator mode.

Version 1.0.30 (Previous)

Release Date: 2026-04-07

New Features

  • ACME Server — Full RFC 8555 Implementation — MazeVault now acts as a fully compliant ACME certificate authority. Any standard ACME client (cert-manager, Certbot, acme.sh, Kubernetes) can obtain and renew certificates directly from MazeVault without manual intervention. Supported challenge types: HTTP-01, DNS-01, TLS-ALPN-01.
  • External Account Binding (EAB) — Restrict ACME account registration to authorized clients using pre-shared EAB credentials (HMAC-based). Prevents unauthorized certificate issuance from unknown ACME clients.
  • Sync Dashboard — New dashboard section showing real-time synchronization status: configuration overview, active conflicts, and sync failures with per-item resolution guidance.
  • Sync Read Permission — New sync:read permission grants project members, auditors, and role holders access to sync status endpoints without requiring elevated privileges.

Improvements

  • ACME Authorization Nonce Hardening — Dedicated nonce table (acme_server_nonces) with TTL-based expiry ensures strict replay-nonce protection per RFC 8555 §6.5.
  • ACME Challenge Token Indexing — Challenge tokens now use a dedicated indexed column for O(1) validation lookups instead of JSON scanning, improving throughput under high ACME request volume.
  • RBAC — Sync Permissions Aligned — project_admin, certificate_manager, secret_manager, user, and auditor roles now include sync:read for consistent access to sync dashboard endpoints.

Bug Fixes

  • Fixed race condition in ACME order state transitions during concurrent finalize requests.
  • Resolved ACME authz table creation ordering issue (migration idempotency).

Version 1.0.29

Release Date: 2026-04-06

New Features

  • Configuration Management Interface — New multi-tab UI for lifecycle management of configuration files: discover YAML/JSON/INI files across environments, stage drafts, and promote configurations to production. Provides visibility into discovered vs. managed configuration counts.
  • Certificate Rotation Polymorphic Config — Rotation executions now support both secret and certificate rotation configs in a unified model. The config_type field distinguishes between the two, eliminating separate workflow tables.
  • Rotation Settings Source Tracking — Each certificate now records whether its renewal settings originate from a project template (template) or were manually configured (manual), providing clear audit attribution for rotation behavior.

Improvements

  • Organization Scoping for Certificate Requests — Certificate signing requests (CSRs) are now scoped to the originating organization. The organization_id field is backfilled from project associations, preventing cross-organization CSR data leakage.
  • ACME Server Authorization Tables — Database schema for the ACME server protocol (authorization objects and nonce tables) was provisioned in preparation for the v1.0.30 ACME server release.
  • Rotation Workflow Cleanup — Removed orphaned rotation_workflows and rotation_step_executions tables that were superseded by the unified rotation execution model.

Bug Fixes

  • Fixed rotation_configs.next_rotation column rename to next_rotation_at — scheduler queries now use the correct column name.
  • Resolved foreign key constraint on rotation_executions.config_id that prevented polymorphic rotation config references.

Version 1.0.28

Release Date: 2026-04-05

New Features

  • Secret Naming Policies — Define organization-wide naming conventions for secrets using regex-based rules with three enforcement levels: block (prevent creation), warn (allow with warning), and disabled (informational). Policies are managed as configuration templates and validated in real-time on secret creation.
  • Naming Compliance Dashboard — New tab in the Secrets Dashboard shows a policy violation heatmap, per-rule compliance rates, and auto-generated rule suggestions based on existing secret naming patterns.
  • Consistency Framework — Create consistency groups to verify that specified secrets exist across all required environments. The POST /projects/{id}/consistency/groups endpoint and dashboard tab surface missing values and environment gaps, with resolve-warning support for documented exceptions.
  • Database Security Defaults — Organizations can now configure per-environment TLS/encryption baselines for database integrations. Production environments default to strict TLS (verify-full, encrypt, TCPS); non-production environments use permissive defaults. Supported providers: Oracle, MSSQL, PostgreSQL, MongoDB, MySQL.
  • Enhanced Shared Secrets — Shared secrets now support optional passphrase protection (bcrypt), recipient_email for intent tracking, automatic content-type tagging (secret or certificate), and rotation source attribution (source_type, source_id) for automated post-rotation distribution.

Security Updates

  • Consistency RBAC Permissions — New consistency:read and consistency:write permissions control access to consistency groups and warning resolution. Assigned to project_admin, certificate_manager, secret_manager, user, and auditor roles.
  • Auditor Role Refinement — The auditor role no longer has access to the deployment dashboard or general dashboard views, focusing the role strictly on audit logs, user management, gateway status, and agent status — reducing the attack surface of read-only accounts.

Bug Fixes

  • Fixed secret naming policy storage: policies are now persisted in config_management_templates instead of the deprecated organizations.secret_complexity_policy JSONB column.

Version 1.0.27

Release Date: 2026-04-04

New Features

  • New Roles: Certificate Manager & Secret Manager — Two new purpose-built roles provide fine-grained access control without granting cross-domain visibility:
    • certificate_manager — Full lifecycle management for certificates, CA accounts, templates, discovery, and deployment. No access to secrets.
    • secret_manager — Full lifecycle management for secrets, rotation, deployment, and integrations. No access to certificates.
  • SSO Authorization Code Pattern — Access tokens are no longer passed via URL query parameters on SSO callback. The callback now delivers a short-lived opaque code (sso_code, 60-second TTL) that the frontend exchanges for tokens via POST /auth/sso/exchange. This eliminates token exposure in browser history, server access logs, and Referer headers. Applies to Entra ID, GitHub, and GitLab SSO providers.
  • Entra Group Mapping Consolidation — Entra ID group-to-role mappings are now stored in the unified group_role_mappings table with a source column (local or entra). This enables consistent group management across local LDAP groups and Entra ID cloud groups from a single interface.
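The SSO authorization code pattern above replaces tokens in the callback URL with a short-lived opaque code. The Go code below is an added example for this page, not MazeVault's implementation: CodeExchange issues a random single-use code with a 60-second TTL, CallbackURL places only that code in the redirect, and Exchange plays the role of POST /auth/sso/exchange, deleting the code on first use so a replayed or expired code never yields tokens. The type and function names, the injectable clock and the sample token values are assumptions made for the demo.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"net/url"
	"sync"
	"time"
)

// Tokens is what the callback used to carry in its query string and now hands over only on exchange.
type Tokens struct {
	AccessToken  string
	RefreshToken string
}

type pendingCode struct {
	tokens  Tokens
	expires time.Time
}

// CodeExchange holds tokens server-side behind single-use opaque codes (assumed sso_code semantics).
type CodeExchange struct {
	mu    sync.Mutex
	codes map[string]pendingCode
	TTL   time.Duration
	Now   func() time.Time // injectable clock so expiry can be tested deterministically
}

func NewCodeExchange(ttl time.Duration) *CodeExchange {
	return &CodeExchange{codes: map[string]pendingCode{}, TTL: ttl, Now: time.Now}
}

// Issue stores the tokens and returns a 256-bit random code that reveals nothing about them.
func (c *CodeExchange) Issue(t Tokens) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without entropy there is no safe way to continue
	}
	code := base64.RawURLEncoding.EncodeToString(b)
	c.mu.Lock()
	defer c.mu.Unlock()
	c.codes[code] = pendingCode{tokens: t, expires: c.Now().Add(c.TTL)}
	return code
}

// CallbackURL builds the redirect back to the frontend: only sso_code travels in the URL, so
// browser history, server access logs and Referer headers never see a token.
func CallbackURL(frontendBase, code string) (string, error) {
	u, err := url.Parse(frontendBase)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("sso_code", code)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// Exchange is the POST /auth/sso/exchange step: the code is deleted on first use, so a replayed
// or expired code yields an error and never the tokens.
func (c *CodeExchange) Exchange(code string) (Tokens, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	p, ok := c.codes[code]
	delete(c.codes, code)
	if !ok {
		return Tokens{}, errors.New("unknown or already used sso_code")
	}
	if c.Now().After(p.expires) {
		return Tokens{}, errors.New("sso_code expired")
	}
	return p.tokens, nil
}

// Sweep drops expired codes that were never exchanged, so abandoned logins do not keep tokens in memory.
func (c *CodeExchange) Sweep() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	n := 0
	for code, p := range c.codes {
		if c.Now().After(p.expires) {
			delete(c.codes, code)
			n++
		}
	}
	return n
}
```

The exchange endpoint should also be bound to the same browser session that started the login (a cookie set before the redirect), so that a code leaked from a log line in the few seconds before it expires cannot be redeemed from elsewhere.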

Security Updates

  • OIDC Nonce Validation — OAuth2 state now carries a server-generated nonce validated at token exchange. Prevents CSRF/token-hijacking via cross-site OAuth state substitution.
  • Deprecated Roles Removed — Legacy roles (operator, developer, org_admin, secret_editor, secret_viewer, certificate_admin, system_admin) have been removed. Existing users with these roles were automatically migrated: operator → project_admin, developer → user. Integrations using deprecated role names in API calls must be updated.
  • User Role Data Integrity — Fixed zero-UUID primary key corruption in the user_roles table caused by a missing BeforeCreate hook. A composite unique index was added to prevent duplicate role assignments. Affected rows were deduplicated during migration.
  • Soft-Deleted User Email Index — The email uniqueness constraint is now a partial index (WHERE deleted_at IS NULL). Soft-deleted users no longer block new account creation or SSO registration with the same email address.
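Both the 1.0.40 MAZEVAULT_ENFORCE_OIDC_NONCE flag and the 1.0.27 OIDC nonce validation item above bind an OAuth2 state value to a server-generated nonce that must come back in the ID token. The Go code below is an added example for this page, not MazeVault's code: Begin issues state and nonce, Validate consumes the state once and compares the token's nonce claim in constant time, and the Enforce field stands in for the flag, rejecting tokens that carry no nonce when set and tolerating them otherwise. It reads claims from a token whose signature is assumed to have been verified already; the UnverifiedToken helper, the struct names and the TTL are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"sync"
	"time"
)

type pendingLogin struct {
	nonce   string
	expires time.Time
}

// NonceStore remembers the nonce issued for each OAuth2 state value between the redirect to the
// provider and the callback. Enforce stands in for MAZEVAULT_ENFORCE_OIDC_NONCE (assumed semantics).
type NonceStore struct {
	mu      sync.Mutex
	pending map[string]pendingLogin
	TTL     time.Duration
	Enforce bool
	Now     func() time.Time // injectable clock
}

func NewNonceStore(ttl time.Duration, enforce bool) *NonceStore {
	return &NonceStore{pending: map[string]pendingLogin{}, TTL: ttl, Enforce: enforce, Now: time.Now}
}

func randomValue() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without entropy there is no safe way to continue
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Begin returns the state and nonce to place in the authorization request; the pair is stored
// server-side so the callback can be tied back to this exact login attempt.
func (s *NonceStore) Begin() (state, nonce string) {
	state, nonce = randomValue(), randomValue()
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[state] = pendingLogin{nonce: nonce, expires: s.Now().Add(s.TTL)}
	return state, nonce
}

// claimsOf decodes the ID token payload; signature verification is assumed to have happened in the
// OIDC client beforehand, so this only reads already-authenticated claims.
func claimsOf(idToken string) (map[string]any, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed id_token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// Validate consumes the state (single use, so a replayed callback cannot match again) and checks
// the token's nonce claim against the one issued for it.
func (s *NonceStore) Validate(state, idToken string) error {
	s.mu.Lock()
	p, ok := s.pending[state]
	delete(s.pending, state)
	s.mu.Unlock()
	if !ok || s.Now().After(p.expires) {
		return errors.New("unknown or expired state")
	}
	claims, err := claimsOf(idToken)
	if err != nil {
		return err
	}
	got, _ := claims["nonce"].(string)
	switch {
	case got == "" && s.Enforce:
		return errors.New("id_token carries no nonce claim")
	case got == "":
		return nil // legacy tolerance for providers that do not echo the nonce; worth logging
	case subtle.ConstantTimeCompare([]byte(got), []byte(p.nonce)) != 1:
		return errors.New("nonce mismatch: token was not issued for this login")
	}
	return nil
}

// UnverifiedToken builds a constructed header.payload.signature demo token whose signature is a placeholder.
func UnverifiedToken(claims map[string]any) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","kid":"constructed"}`))
	body, _ := json.Marshal(claims)
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + ".placeholder-signature"
}
```

Deleting the state before any other check is the detail that matters: the state is what ties the callback to a login this server actually started, and once it is gone a second callback with the same token cannot succeed even if the nonce inside it is still correct.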

Bug Fixes

  • Fixed Entra group mapping duplication after SSO re-authentication.
  • Resolved role assignment failures for users created via LDAP group sync.

Version 1.0.26 (Previous)

Release Date: 2026-04-03

New Features

  • PFX/PKCS#12 Import Improvements — Enhanced PFX certificate import with improved parsing and validation
  • Certificate Template Fixes — Resolved template configuration issues affecting certificate enrollment workflows
  • Role Mapping Modifications — Updated group-to-role mapping logic for improved SSO integration
  • Audit Log Enhancements — Extended audit logging with additional event types and improved traceability

Security Updates

  • Comprehensive Vulnerability Remediation — Resolved 18 out of 24 identified vulnerabilities across all platform components through systematic dependency scanning and updates
  • SAML Signature Bypass Fix (CRITICAL) — Fixed critical SAML XML signature bypass vulnerability in SSO authentication flow (goxmldsig v1.3.0 → v1.6.0)
  • HTTP/2 CONTINUATION Flood Fix (CRITICAL) — Resolved actively exploitable HTTP/2 denial-of-service vulnerability in Kubernetes Operator (golang.org/x/net v0.19.0 → v0.52.0)
  • gRPC Authorization Bypass Fix — Fixed gRPC authorization bypass via missing leading slash in path (google.golang.org/grpc → v1.80.0)
  • JOSE/JWE Denial-of-Service Fixes — Resolved 3 separate DoS vulnerabilities in JSON Web Encryption handling (go-jose/v3 v3.0.0 → v3.0.4)
  • Node.js SDK Critical Fix — Eliminated 8 critical Handlebars.js advisories including JavaScript injection and prototype pollution
  • CI/CD Security Hardening — Pinned Trivy security scanner to specific version (supply chain protection), enabled security scanning on all CI events

Improvements

  • Kubernetes Operator Overhaul — Major dependency update to controller-runtime v0.22.5 and k8s.io/* v0.34.3 with code quality improvements including extracted reconciliation methods, configurable refresh intervals, proper watch propagation, and structured logging
  • Terraform Provider Fix — Fixed compilation error and updated all dependencies to latest stable versions (terraform-plugin-framework v1.19.0, grpc v1.80.0)
  • Go SDK Enhancement — Added Environment field to Project model for improved project management
  • Docker Image Hardening — Pinned OCSP Responder base image to alpine:3.21 (reproducible builds), switched Frontend to npm ci for deterministic dependency installation
  • Dependency Alignment — Aligned golang.org/x/crypto, golang.org/x/net, and other standard library packages across all 7 Go modules to latest stable versions

Version 1.0.25

Release Date: 2026-04-01

New Features

  • Swagger API Documentation Overhaul — Comprehensive regeneration of Swagger/OpenAPI documentation with complete endpoint coverage, improved schema definitions, and accurate request/response examples
  • Entra ID SSO Environment Configuration — New environment variables for Entra ID SSO and Azure Managed Identity configuration in .env.example for streamlined deployment setup

Improvements

  • LDAP & OAuth Provider Configuration — Enhanced SSO provider setup with improved LDAP bind DN handling and OAuth2 flow configuration
  • Email Status Endpoint — New GET /api/v1/system/email-status endpoint for monitoring email notification delivery status
  • Certificate Rotation Handlers — New API handlers for certificate rotation execution and status tracking
  • Agent Integration Enhancements — Improved agent discovery and integration handlers with better error reporting
  • SSH Key Management — Extended SSH key service with improved import and rotation capabilities

Security Updates

  • Updated authentication service with enhanced token validation and session management
  • Improved Entra ID Graph client with additional security headers

Version 1.0.24

Release Date: 2026-03-30

Bug Fixes

  • Entra ID SSO Fix — Resolved critical Entra ID SSO authentication issue affecting login flow and token refresh
  • Code Cleanup — Removed deprecated handler code and unused Entra mapping endpoints for cleaner codebase

Improvements

  • Updated schema models with additional field definitions for improved data integrity

Version 1.0.23

Release Date: 2026-03-30

Improvements

  • Certificate Templates and Expiry Management — Enhanced certificate template configuration with improved expiry tracking, scheduler optimizations, and better CA integration status indicators
  • Certificate Import Validation — Improved certificate import service with stricter chain validation and better error messages
  • SSLmarket CA Sync — Extended SSLmarket CA provider with improved product synchronization and certificate status tracking
  • Extended Logging — Enhanced logging across certificate services for better troubleshooting and audit trail

Bug Fixes

  • Fixed certificate status calculation in X.509 utility functions
  • Resolved certificate dashboard display issues for expiring certificates
  • Fixed certificate edit modal preserving incorrect values on save

Version 1.0.22

Release Date: 2026-03-30

New Features

  • Multi-Gateway Environment Support — New database migration and service layer for multi-gateway deployments with environment-specific gateway configuration, health monitoring, and task execution
  • Gateway Health Monitor — Real-time gateway health monitoring service with heartbeat tracking, automatic failover detection, and Prometheus metrics
  • Gateway Routing Service — Intelligent request routing across multiple gateway instances with load balancing and environment awareness
  • Gateway Task Executor — Distributed task execution framework for gateway operations with retry logic and status tracking
  • Identity Provider Management — New API handlers for identity provider configuration and management

Improvements

  • Cipher Key Resolver Hardening — Comprehensive test coverage for cipher key resolution with 715+ lines of new tests eliminating dual storage inconsistencies
  • Database Health Checks — Updated expected tables and columns for new gateway-related database schema
  • Integration Wizard — New multi-step integration wizard UI for configuring CA providers, secret managers, and external integrations
  • Key Derivation Fix — Resolved key derivation issue affecting encryption operations

Security Updates

  • Eliminated cipher key dual storage vulnerability via migration 000089
  • Enhanced authentication service with improved session handling

Bug Fixes

  • Fixed test failures in certificate orchestrator and configuration management services
  • Resolved EntraID SSO redirect issue on certain browser configurations

Version 1.0.21

Release Date: 2026-03-26

New Features

  • Azure Resource Discovery — New API handlers for Azure cloud resource discovery with Key Vault, certificate, and secret enumeration
  • Integration Wizard UI — Multi-step wizard for configuring integrations with CA providers and secret managers, including type selection, provider configuration, and review steps

Improvements

  • CA Account Service — Enhanced CA account management with improved error handling and status tracking
  • Model Schema Updates — Updated data models across SSH keys, MFA, OAuth, CRL, and zero-trust modules for improved consistency and validation
  • Test Coverage — Expanded test coverage for integration service providers, key offload service, and secret service offload operations

Bug Fixes

  • Fixed certificate audit event model inconsistency
  • Resolved discovered certificate model field alignment issues

Version 1.0.20

Release Date: 2026-03-23

New Features

  • Office365 OAuth2 Email Notifications — Send email notifications via Microsoft Graph API using OAuth2 client credentials flow instead of legacy SMTP; supports 3 authentication methods (client secret, certificate, managed identity); reuses existing Entra ID infrastructure with connection caching and retry logic; transparent replacement — all 6 email trigger points (expiry alerts, incidents, weekly reports, rotation failures, discovery summaries, test notifications) work automatically; new GET /api/v1/system/email-status endpoint and frontend status indicator in System Outputs → Notifications tab
  • SmallStep CA Provider — Integration with open-source step-ca as a Certificate Authority backend supporting JWK, X5C, and OIDC provisioners; mTLS authentication, certificate signing, renewal, revocation, and CRL signing with root fingerprint verification; ideal for zero-trust short-lived certificate architectures
  • Multi-Target Certificate Rotation — Deploy certificates to 5 destination types: Secret Managers (Azure Key Vault, AWS Secrets Manager, HashiCorp Vault), Kubernetes Secrets (TLS/Opaque), Agent Keystores (JKS, PKCS12, Windows), Agent Files (PEM), and Database Wallets (Oracle OCI); content mode selection (public only, public+chain, full chain with key, key only), format auto-detection, retry policies with configurable attempts and delays, and post-install command execution
  • Enterprise Entra ID Credential Lifecycle — Complete lifecycle management with states (created, active, expiring, expired, revoked, grace period), configurable grace periods (default 30 days), rotation history tracking with old/new key IDs and workflow tracing, expiry monitoring dashboard, idempotency protection against duplicate rotations, and sync conflict resolution for local vs. remote state
  • Compliance Report Viewer — Generate and view compliance reports with template-based formatting, organization-wide certificate compliance analysis, and exportable report output
  • Rotation Execution History — Detailed per-certificate rotation history with execution timestamps, status tracking (success/failed/pending), and target-level sync status visualization
  • Certificate Lifecycle Phase Tracking — New lifecycle phases (stable, renewing, rotating, revoking) prevent duplicate CA requests during in-flight operations; orthogonal to certificate status, ensuring certificates remain valid during phase transitions

Improvements

  • Audit Stream Destinations — New Elasticsearch destination with index template management, cluster mode and CosmosDB support; new Syslog destination with TCP/UDP transport, CEF and Syslog format support; enhanced log stream service with destination-specific configuration validation
  • LDAP Authentication Improvements — Enhanced LDAP service with improved bind DN handling, group membership resolution, schema configuration flexibility, and better error diagnostics for connection failures
  • Notification Scheduler Redesign — Improved scheduling logic for certificate expiry notifications with batching support to reduce alert fatigue, JIRA integration for incident ticket creation, and email notification enhancements
  • Weekly Expiry Report Service — Redesigned report generation with recipient management, customizable report content, and improved delivery reliability
  • Project Template Enhancements — Extended template configuration with naming convention integration, advanced default settings, and improved template-to-project application workflow
  • Naming Convention Service — Extended naming convention engine with additional pattern support, validation rules, and convention-to-template linking for automated enforcement
  • Prometheus Metrics — New histogram and counter metrics for certificate rotation, compliance reporting, and audit stream performance monitoring
  • CI/CD Pipeline — New GitHub Actions workflow for automated build, test, and deployment
  • SSO Provider Modal — Added LDAP provider configuration with server, bind DN, and schema settings directly from the SSO configuration interface
  • WebLogic Deploy Rotation Step — New rotation step type for Oracle WebLogic Server keystore deployment with automated domain configuration updates

Security Updates

  • Entra ID credential rotation with full audit trail — every rotation recorded with actor, timestamp, old/new key IDs, and execution status
  • SmallStep CA operations logged to audit stream with complete request/response metadata
  • Certificate lifecycle phase prevents concurrent CA operations, eliminating race conditions in renewal and rotation workflows
  • Entra sync conflict detection with automatic tracking of local vs. remote state discrepancies
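The lifecycle-phase guard described above (the 1.0.20 "Certificate Lifecycle Phase Tracking" feature and the matching "Security Updates" bullet), as an added Go illustration that is not MazeVault's own code: the `Certificate` type, its field names and the `NewCertificate`, `BeginOperation`, `EndOperation` and `renewConcurrently` functions are assumptions chosen for this example. It shows the two properties the release notes state: a phase acts as a per-certificate lock so only one CA operation can be in flight, and the phase is orthogonal to status, so the certificate stays "valid" while it is being renewed.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Phase records an in-flight CA operation. It is orthogonal to Status:
// a certificate keeps Status "valid" for the whole time it is being renewed.
type Phase string

const (
	PhaseStable   Phase = "stable"
	PhaseRenewing Phase = "renewing"
	PhaseRotating Phase = "rotating"
	PhaseRevoking Phase = "revoking"
)

// ErrOperationInFlight is returned when a second CA operation is requested
// while one is already running for the same certificate.
var ErrOperationInFlight = errors.New("certificate already has a CA operation in flight")

// Certificate is a hypothetical record for this example; the field names are
// assumptions, not MazeVault's data model.
type Certificate struct {
	mu     sync.Mutex
	ID     string
	Status string // "valid", "revoked", ...; unaffected by Phase
	Phase  Phase
}

// NewCertificate returns a certificate with no operation in flight.
func NewCertificate(id, status string) *Certificate {
	return &Certificate{ID: id, Status: status, Phase: PhaseStable}
}

// BeginOperation atomically moves the certificate from stable into the requested
// phase. Only the caller that wins this transition may contact the CA, so
// concurrent renew/rotate/revoke attempts cannot produce duplicate CA requests.
func (c *Certificate) BeginOperation(p Phase) error {
	c.mu.Lock()
	defer c.mu.Unlock()
	if p == PhaseStable {
		return errors.New("stable is not an operation")
	}
	if c.Phase != PhaseStable {
		return fmt.Errorf("%w: %s in progress, %s requested", ErrOperationInFlight, c.Phase, p)
	}
	c.Phase = p
	return nil
}

// EndOperation returns the certificate to stable. Any status change (for example
// "revoked") is applied here, after the CA round-trip has completed, so the status
// is never flipped while the operation is still in flight.
func (c *Certificate) EndOperation(newStatus string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if newStatus != "" {
		c.Status = newStatus
	}
	c.Phase = PhaseStable
}

// renewConcurrently fires n renewal attempts at the same certificate at once and
// reports how many won the phase (and would reach the CA) versus how many were
// refused. The winner keeps the phase until the burst is over, as a real renewal
// does while it waits for the CA's answer.
func renewConcurrently(c *Certificate, n int) (reachedCA, refused int) {
	var wg sync.WaitGroup
	var tally sync.Mutex
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			err := c.BeginOperation(PhaseRenewing)
			tally.Lock()
			defer tally.Unlock()
			if err != nil {
				refused++
				return
			}
			reachedCA++
		}()
	}
	wg.Wait()
	return reachedCA, refused
}

func main() {
	c := NewCertificate("web-01", "valid")
	won, lost := renewConcurrently(c, 10)
	fmt.Printf("status=%s phase=%s reachedCA=%d refused=%d\n", c.Status, c.Phase, won, lost)
	c.EndOperation("") // renewal finished: status unchanged, phase back to stable
	fmt.Printf("status=%s phase=%s\n", c.Status, c.Phase)
}
```

The refused callers get `ErrOperationInFlight` rather than a retry loop; in a scheduler that is the signal to leave the certificate alone until the next tick, which is what removes the renewal/rotation race the release notes mention.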

Version 1.0.19

Release Date: 2026-03-20

New Features

  • Azure Gateway Deployment — Multi-region Azure Gateway infrastructure with Terraform modules for AKS, Key Vault, PostgreSQL, Redis, networking, monitoring, and identity management; Helm chart values for gateway configuration; Azure DevOps CI/CD pipeline for automated deployment
  • Key Vault RBAC Service — Granular role-based access control for Azure Key Vault operations with per-secret and per-certificate permission management
  • Key Vault Watch Connector — Real-time synchronization between MazeVault and Azure Key Vault with change detection and automatic secret updates
  • Naming Convention Engine — Domain-specific naming rules with wildcard pattern matching, priority ordering, and template-level enforcement for consistent resource naming across projects
  • Dashboard Reports Tab — Redesigned reporting dashboard with certificate overview statistics, interactive charts, and exportable report data
  • Node.js SDK — Official MazeVault SDK for Node.js with TypeScript definitions, supporting authentication (SRP), organizations, projects, and secrets management

Improvements

  • Audit Log Project Scoping — Audit events now include project association for efficient per-project filtering and compliance reporting; existing events backfilled from entity relationships
  • Orchestrator Storage Mode Fix — Normalized inconsistent storage mode values for Orchestrator Mode deployments, resolving constraint violations
  • Entra Group Mappings — Improved group-to-role mapping reliability with better error handling and UI feedback
  • Config Encryption Hardening — Enhanced configuration encryption service with additional test coverage and improved error handling for edge cases
  • Certificate Import Validation — Improved certificate import service with stricter chain validation
  • Go SDK Updates — Updated project and model definitions for consistency with latest API
  • Python SDK Updates — Model alignment with latest API schema

Bug Fixes

  • Fixed unnecessary environment creation being triggered for unused projects
  • Resolved Entra ID SSO login redirect issue on certain browser configurations
  • Fixed project template modal not preserving environment associations on save

Version 1.0.18

Release Date: 2026-03-14

Improvements

  • Customer Documentation Updated — Comprehensive ACME certificate automation guide with step-by-step Kubernetes setup, cert-manager ClusterIssuer examples, ACME profile routing, troubleshooting, and complete end-to-end YAML examples; updated Certificates API reference with ACME endpoints and EAB management; release notes reformatted to correct 1.0.x versioning scheme
  • Azure Entra ID Integration Improved — Enhanced token refresh handling, improved group-to-role mapping reliability, faster SSO login flow with reduced redirect latency, and better error messages for misconfigured tenant settings

Version 1.0.17

Release Date: 2026-03-14

New Features

  • ACME Server (RFC 8555) — MazeVault now acts as a full ACME Certificate Authority, enabling automated certificate issuance via cert-manager and other ACME clients
  • External Account Binding (EAB) — Secure cluster registration with one-time-use credentials linking ACME clients to organizations and projects
  • ACME Profile Routing — Map cert-manager profile names to MazeVault Certificate Templates for automatic CA backend selection (cert-manager v1.18+)
  • Domain Rule Engine — Configure domain-to-template routing rules with wildcard pattern matching and priority ordering
  • Auto-Approve for Internal Domains — Certificates for .local, .internal, .lan, and .corp domains are issued instantly without an HTTP-01 challenge
  • ADCS Bridge via ACME — Issue certificates from Microsoft Active Directory Certificate Services through standard ACME protocol
  • ADCS Agent Improvements — DCOM retry logic for pending certificate requests with configurable intervals
  • EAB Credential Management UI — Generate, list, and revoke EAB credentials from the web interface with cert-manager YAML examples

Improvements

  • ACME directory endpoint with meta profiles for automated client discovery
  • JWS middleware with ES256 and RS256 signature verification
  • Nonce-based replay protection per RFC 8555 §6.5
  • Full PEM certificate chain delivery for ACME clients
  • EAB credentials table with status tracking (Available / Used / Revoked)
  • One-click copy for ACME directory URL and generated credentials

Security Updates

  • EAB HMAC keys encrypted at rest with AES-256-GCM
  • EAB credentials are single-use and support expiration and revocation
  • JWK Thumbprint verification (RFC 7638) for account binding
  • All ACME operations recorded in audit log

Version 1.0.16

Release Date: 2026-02-28

Improvements

  • Organization settings redesign with tabbed navigation
  • Certificate Authority account cards with sync status indicators
  • Improved CA product discovery and sync trigger via UI
  • Agent heartbeat interval optimization for large fleets
  • Database connection pool tuning for high-concurrency deployments

Bug Fixes

  • Fixed certificate chain validation for intermediate CA certificates
  • Resolved race condition in concurrent secret rotation scheduling
  • Fixed OCSP responder cache invalidation on certificate revocation

Version 1.0.15

Release Date: 2026-02-14

Improvements

  • PFX/PKCS#12 import with configurable key storage (software / HSM)
  • Certificate template override support for CA account-level defaults
  • Improved agent reconnection logic after network interruptions
  • Enhanced audit log filtering by event type and date range

Bug Fixes

  • Fixed certificate export with chain for cross-signed intermediates
  • Resolved project template settings not persisting after save
  • Fixed SSH key discovery deduplication for rotated keys

Version 1.0.14

Release Date: 2026-01-31

Improvements

  • SSH key management enhancements — authorized key tracking and discovery
  • Rotation trigger improvements with foreign key constraint handling
  • Secret sharing post-rotation with automatic re-encryption
  • Improved error messages for agent proxy authentication failures

Bug Fixes

  • Fixed rotation scheduler timezone handling for non-UTC installations
  • Resolved dashboard certificate count discrepancy after bulk import
  • Fixed API token expiration check for service identities

Version 1.0.13

Release Date: 2026-01-24

Improvements

  • React import modernization — tree-shaking optimized MUI imports
  • Frontend build size reduction (~15% smaller bundle)
  • Improved certificate search with wildcard SAN matching
  • Enhanced monitoring Prometheus metrics with histogram buckets

Bug Fixes

  • Fixed RBAC permission check for nested project environments
  • Resolved Terraform export formatting for complex secret values
  • Fixed health check endpoint returning stale Redis status

Version 1.0.12

Release Date: 2026-01-17

Improvements

  • Trivy container image scanning integration in CI/CD pipeline
  • Security vulnerability remediation for dependency chain
  • Improved TLS cipher suite configuration with Mozilla Intermediate profile
  • Enhanced rate limiting with sliding window algorithm

Bug Fixes

  • Fixed certificate renewal scheduling for certificates with custom validity
  • Resolved sync conflict for simultaneously edited secrets across datacenters
  • Fixed agent registration token validation for re-registered agents

Version 1.0.11

Release Date: 2026-01-10

Improvements

  • PostgreSQL connection health monitoring with automatic reconnection
  • Bidirectional sync architecture improvements for multi-region deployments
  • Agent installation script fixes for air-gapped environments
  • Onboarding flow improvements for remote deployment scenarios

Bug Fixes

  • Fixed database migration rollback for failed upgrades
  • Resolved LDAP group sync not reflecting membership changes
  • Fixed certificate list pagination for projects with > 1000 certificates

Version 1.0.10

Release Date: 2026-01-03

Improvements

  • Enhanced external change detection for CA-managed certificates
  • Improved Helm chart values documentation with inline comments
  • Certificate expiry notification batching to reduce alert fatigue
  • Updated Go dependencies with security patches

Bug Fixes

  • Fixed CRDT merge for concurrent secret version creation
  • Resolved Azure Key Vault sync retry logic for transient failures
  • Fixed OCSP responder returning incorrect status for renewed certificates

Version 1.0.9

Release Date: 2025-12-15

New Features

  • Certificate Template System — Pre-configured certificate profiles for common use cases (Web Server, Client Auth, Code Signing, Email/S/MIME)
  • Bulk Certificate Operations — Import and manage certificates in bulk via PEM bundles
  • Enhanced Agent Discovery — Automatic discovery of certificates across agent-managed infrastructure
  • Sync Improvements — CRDT-based multi-datacenter synchronization with improved conflict resolution
  • Terraform Export — Export project configurations as Terraform HCL for infrastructure-as-code workflows

Improvements

  • Improved certificate import validation and error reporting
  • Enhanced OCSP responder performance with response caching
  • Updated RBAC with granular certificate management permissions
  • Improved audit logging with structured JSON output
  • Enhanced health check endpoints with component-level status

Security Updates

  • TLS 1.3 as the default protocol
  • Improved CSRF protection with double-submit cookie pattern
  • Enhanced rate limiting with per-endpoint configuration
  • Updated cryptographic dependencies

Version 1.0.8

Release Date: 2025-11-20

New Features

  • External CA Integration — Connect to DigiCert, Venafi, Microsoft ADCS, and other external Certificate Authorities
  • HSM Support — Hardware Security Module integration for key protection (PKCS#11, Azure Managed HSM)
  • ACME Protocol — Automated Certificate Management Environment for automated certificate issuance
  • Multi-Factor Authentication — TOTP-based MFA for enhanced account security

Improvements

  • Redesigned certificate management interface
  • Improved secret rotation scheduling
  • Enhanced API rate limiting
  • Expanded Azure Key Vault integration

Version 1.0.7

Release Date: 2025-09-10

New Features

  • Zero-Knowledge Encryption — Client-side encryption for personal vault secrets
  • SCEP Protocol Support — Simple Certificate Enrollment Protocol for device certificate management
  • EST Protocol Support — Enrollment over Secure Transport for modern certificate enrollment
  • Agent Proxy — Agents can proxy secret access for local applications

Improvements

  • Improved database migration system
  • Enhanced logging and monitoring
  • Updated Kubernetes deployment manifests
  • Performance improvements for large certificate stores

Version 1.0.6

Release Date: 2025-06-15

New Features

  • Multi-Datacenter Sync — Bidirectional synchronization between MazeVault installations
  • Azure Entra ID SSO — Single Sign-On with Azure Active Directory
  • Project-Level RBAC — Granular role-based access control per project
  • CRL Distribution — Automated Certificate Revocation List generation and distribution

Improvements

  • Improved dashboard with real-time status updates
  • Enhanced certificate search and filtering
  • Updated API documentation with OpenAPI 3.0 specifications
  • Improved container image security

Version 1.0.5

Release Date: 2025-03-20

New Features

  • OCSP Responder — Real-time Online Certificate Status Protocol responder
  • Secret Versioning — Full version history with rollback capabilities
  • Agent Management — Centralized agent registration and monitoring
  • LDAP Integration — Directory service authentication support

Version 1.0.4

Release Date: 2024-12-10

New Features

  • Internal Certificate Authority — Full PKI with root and intermediate CA support
  • Certificate Lifecycle Management — Request, approve, issue, renew, and revoke certificates
  • Helm Charts — Standardized Kubernetes deployment via Helm

Version 1.0.3

Release Date: 2024-09-15

New Features

  • Azure Key Vault Integration — Sync secrets with Azure Key Vault
  • Secret Rotation — Automated and manual secret rotation
  • Kubernetes Deployment — AKS deployment with Terraform

Version 1.0.2

Release Date: 2024-06-20

New Features

  • Role-Based Access Control — User roles and permissions
  • Project Management — Organize secrets into projects
  • API v1 — Full REST API for secrets management

Version 1.0.1

Release Date: 2024-03-01

Initial Release

  • Encrypted secrets storage with AES-256-GCM
  • Web-based management interface
  • PostgreSQL backend with Redis caching
  • Docker Compose deployment
  • Local authentication with SRP protocol

Support Policy

MazeVault supports the current version and one previous minor version. Customers on older versions are encouraged to upgrade to receive security updates and new features.