Release Notes

MazeVault Platform Version History

Document Version: 1.0.47
Last Updated: 2026-06-14

---

Version 1.0.47 (Current)

Release Date: 2026-06-14

New Features

• Shared Entra Rollout Actions and Readiness Checks — Entra credential rotation now supports ordered rollout actions through the shared rotation platform, including Azure Key Vault, Kubernetes Secrets, agent-managed runtime files, Spring refresh/webhook delivery, and IIS app pool recycle on Windows targets. Dry-run and preflight checks validate the same runtime paths before production execution.
• Per-Certificate Renewal Key Policy — Certificate operators can now choose per certificate whether renewal regenerates a new private key or reuses the existing key material where the provider and custody path allow it. Target processing order is now preserved explicitly in the renewal workflow.
• Stronger Entra Integration Authentication Validation — The integration wizard and backend now validate interactive and background Entra authentication settings together, preventing save-time acceptance of configurations that cannot support background sync, dry-run, or post-rotation execution.

Improvements

• Unified Rotation Readiness in the Project Hub — The Project Rotations view now shows inline readiness and preflight state for Entra credentials, certificate renewal resources, and certificate deployment resources, including clearer manual review required surfacing for rollout targets that cannot be probed automatically.
• Role and Contract Alignment for Rotation Operations — RBAC migrations and project-surface permission checks were aligned with the expanded rotation and configuration surfaces, reducing cases where operators could open a screen without the permissions needed to complete the workflow.
• Swagger and Operational Signal Refresh — Generated Swagger output now reflects the updated severity vocabulary and improved host handling, while certificate and database health checks expose stronger diagnostics for rotation readiness and export paths.
• Secret Rotation API Contract Refresh — The secret rotation API and generated Swagger now document the explicit create/edit/delete lifecycle more accurately, including persisted post-rotation actions and the clean reset path after a secret rotation is removed.

Bug Fixes

• Entra Lifecycle Cleanup Consistency — Deleting an Entra integration or a locally managed app registration now removes associated Entra credential rotation resources in the same lifecycle operation. Upgrade migration 000155 also removes historical orphan rows, and repository reads defensively hide stale entra_credential entries that predate the cleanup.
• Certificate Rotation Defaults on Import — When an imported certificate is eligible for managed renewal, MazeVault now prepares the rotation configuration without silently enabling it. Initial lead days are resolved from the effective certificate, template, and CA-account policy instead of being masked by the model default.
• Rollout Validation and Export Robustness — Validation for agent_id versus direct agent_url rollout steps is stricter, and certificate export flows now return clearer PFX and private-key failures instead of partially masked errors.
• Secret Rotation Delete and Recreate Semantics — Deleting a secret rotation now removes the rotation config, canonical secret rotation resource, and linked rotation integrations without deleting the secret itself. After deletion, secret status surfaces show Rotation not configured, and reopening the rotation modal stays in create mode until the operator explicitly saves a new configuration.

---

Version 1.0.46 (Previous)

Release Date: 2026-06-09

New Features

• External CA Order Poller Baseline — MazeVault added background polling for externally issued certificate orders, allowing asynchronous CA workflows to complete and update the certificate lifecycle without manual tracking.

Notes

• Release Note Clarification — The Entra rotation rollout, certificate rotation UI unification, and related readiness and preflight work that had previously been drafted for v1.0.46 landed after the tag and are therefore documented under v1.0.47.

---

Version 1.0.45 (Previous)

Release Date: 2026-06-09

New Features

• Rotation Resource Registry and Platform Ownership Expansion — The rotation platform is expanding from certificate-only orchestration into a registry-backed resource model. New control-plane services introduce resource kinds, target registries, and shared ownership for rotation scheduling, making future secret, certificate, and Entra rotation flows converge on the same platform primitives.
• Agent Discovery Policy Bundles and Persistent Config Indexing — Agents now receive backend-driven discovery policy bundles built from active configuration templates. Filesystem discovery persists a local metadata index and reuses cached config and certificate findings across runs, reducing repeated scans while keeping policy-version changes authoritative.
• Configuration Discovery Submission — Agents can now submit configuration discovery findings back to the backend, including classification and rewrite-plan metadata, using the existing discovery result model.
• Certificate Template Code Deduplication and Conflict Resolution — Organization certificate template management now deduplicates template codes and blocks ambiguous conflicts. Upgrade migrations normalize existing duplicates so template routing and issuance remain deterministic.
• System Certificate Classification — Certificates now carry an is_system flag for internal mTLS and identity-management material. MazeVault can retain these certificates for platform use while keeping them separate from normal operator-facing inventory.
• Integration Groups — Projects now support named integration groups that map logical groupings to integration targets with structured JSONB configuration. Groups can be created, listed, updated, and deleted via the new /api/v1/projects/{id}/integration-groups and /api/v1/integration-groups/{id} API endpoints (migration 000152).
• Real Slack Incident Notifications — Incident management now dispatches real-time Slack notifications via a configured Incoming Webhook. When an incident is raised on a project with a Slack integration, the platform posts the incident type and resource name to the configured channel.
• GCP Secret Manager and Kubernetes Connectivity Tests — Integration health checks now validate live GCP Secret Manager API access (listing secrets in a given project) and Kubernetes API server reachability using in-cluster or kubeconfig credentials, in addition to the existing provider tests.
• HSM Key Operations — HSM providers (PKCS#11, AWS CloudHSM, GCP Cloud HSM, Azure Managed HSM) now expose full key lifecycle operations: GetPublicKey (reconstructs RSA/EC PKIX DER from hardware), DeleteKey (destroys all key objects on the device), ListKeys (enumerates all managed key handles), and GetKeyInfo (returns key type, size, and extractable flag).
• Vault PKI Full Lifecycle — HashiCorp Vault CA provider now implements the complete CA interface: RenewCertificate, GetCertificateStatus (checks revocation timestamp), ListIssuedCertificates (enumerates via PKI list endpoint), GetOrderStatus, and CancelOrder (revokes the underlying certificate).
• ADCS Deferred Certificate Retrieval — The ADCS (WCCE) provider now fetches certificates that were issued asynchronously by the CA via a SOAP Renew request. Previously pending certificates are retrieved and returned in PEM format once the CA completes issuance.
• Venafi VaaS Full Lifecycle — Venafi CA provider now implements RenewCertificate, GetOrderStatus (retrieves pick-up status from VaaS), and CancelOrder.
• DigiCert Rate Limit Reporting — The DigiCert provider now queries live rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset) and surfaces them through the GetRateLimits interface.
• Config Injection with Live Secret Values — Configuration versioning now resolves ${VAULT:<placeholder>} tokens against live MazeVault secret values at snapshot time, so injected config files carry real credentials without storing them in the config version history.

Improvements

• Project-Aware Resource Visibility Policies — Azure discovery endpoints now apply resource_visibility_policy filtering in the context of the selected project. This keeps Integration Wizard choices aligned with project scope for non-admin operators instead of exposing subscription-wide results.
• Configuration Management Auditability — Configuration management flows now record audit-aware rewrite-plan activity so operational changes are traceable alongside the rest of the platform's lifecycle events.
• Generated CSR and Key Custody Metadata — Certificate request flows now carry generated-CSR and private-key custody metadata forward, improving visibility of whether MazeVault owns, reuses, or must preserve external key material in subsequent lifecycle actions.
• Delegated Agent Secret Sync Step — Rotation and execution pipelines now have an explicit agent-side secret synchronization step, improving parity between platform orchestration and what managed agents actually apply downstream.
• Certificate Owner-Surface Navigation — Certificate links from the main dashboard, project rotations, and the certificate inventory now resolve directly to the owning surface. Project-owned certificates open their project detail view, while unassigned inventory opens the Discovered Certificates owner surface via managed_certificate_id, replacing the legacy duplicate /certificates flow.
• Secret Dashboard Data Consistency — The Secrets Overview tab now uses the shared dashboard API, restoring missing-secret drill-ins and keeping overview counts and decrypted names aligned with the main dashboard data layer.
• Discovered Certificate Lookup Filter — Discovery APIs and generated Swagger documentation now support managed_certificate_id filtering, enabling targeted deep links from certificate overview tables to the matching discovered certificate record.

Bug Fixes

• Rotation Scheduling Ownership Cutover — Renewal scheduling is moving to the shared rotation platform owner model so follow-up workflows operate on the current certificate resource instead of stale pre-renewal anchors.
• Discovery Project Context Consistency — Integration discovery helpers now consistently pass project context, avoiding empty or over-broad Azure discovery responses when resource visibility filtering is enabled.
• Detect Drift Authentication — POST /api/v1/secrets/drift/detect now executes inside the authenticated secrets route group, fixing 401 failures caused by missing auth context on drift-detection requests.
• Dashboard Drill-In Regressions — Fixed stale certificate links that still pointed to the removed global certificates page and restored missing-secret links in the Secrets Dashboard overview.

---

Version 1.0.44 (Previous)

Release Date: 2026-05-25

New Features

• Certificate Rotation Post-Actions — Certificate rotation now supports explicit post-rotation action chains, including webhooks and other registered post-processing steps, so operators can trigger downstream refresh and rollout workflows after a successful renewal or deployment.
• Delegated Renewal and Rotation Publish Controls — Renewal orchestration gained delegated execution paths, runtime probes, and publish-gate safeguards that better separate readiness validation from side-effecting deployment work.
• Archive Center Lifecycle Enforcement — Archive restore and permanent delete flows are now treated as centralized archive-lifecycle operations with admin-only enforcement across runtime RBAC and role editing.
• Expanded Agent Binary Coverage — MazeVault agent distribution now includes additional ARM64 coverage and stronger build validation for heterogeneous Windows and Linux estates.

Improvements

• Discovered Certificate Key Custody Tracking — Adopted discovered certificates now preserve explicit key-custody state, preventing MazeVault from silently taking ownership of private keys during renewal or deployment flows.
• Certificate Issuance and Renewal Robustness — Certificate issuance, CSR handling, and renewal flows now use stronger locking, normalized post-action payloads, and clearer actor attribution across cross-project secret operations.
• CA Account Provider Coverage — CA account and EAB credential handling now covers more provider initialization paths, including Smallstep-specific fallback fields used during account creation and validation.

Bug Fixes

• Smallstep CA Account Initialization — Smallstep CA account creation now correctly falls back to credential fields such as server_url and provisioner metadata instead of failing before contacting the CA.
• Rotation Action Contract Alignment — Certificate post-action handling now exposes only action types supported by the certificate rotation executor, avoiding invalid UI selections and mismatched step names.

---

Version 1.0.43 (Previous)

Release Date: 2026-05-11

New Features

• Azure Key Vault Managed Identity Support — Azure Key Vault integrations now support Managed Identity and Workload Identity as authentication methods in addition to service principals. When Azure Key Vault is selected in the Integration Wizard, the background sync auth method defaults to managed_identity. Configure a specific managed identity client ID via AZURE_MANAGED_IDENTITY_CLIENT_ID, or leave it unset to let the platform resolve the bound identity from the environment (AZURE_FEDERATED_TOKEN_FILE + AZURE_CLIENT_ID + AZURE_TENANT_ID for workload identity).
• Agent Systemd Service Installation — The agent installer script now deploys the MazeVault agent as a proper systemd service. A dedicated mazevault-agent system user is created automatically, and locked-down directories are provisioned (/etc/mazevault, /var/lib/mazevault, /var/log/mazevault) with ownership and permissions (0750). The service is configured with automatic restart on failure. Existing deployments should re-run the deployment script to receive the updated service unit.
• Agent Binary Download Endpoint — A new deployment-scoped endpoint GET /deployments/:id/agent-binary serves the agent binary for a given deployment. The deployment UUID acts as the authentication token (unguessable 128-bit identifier), consistent with the /script and /config endpoints. Legacy agent binary download rewrite rules in the reverse proxy have been removed.
• Redis Multi-Endpoint Support — Redis connection handling now supports multiple endpoint addresses for high-availability and fallback setups. Configure the primary endpoint via REDIS_URL and one or more fallback addresses via REDIS_FALLBACK_URLS (comma, semicolon, or newline-separated). The client automatically falls back to the next available endpoint on connection failure, and switches to an in-memory fallback if all Redis endpoints are unavailable.
• Password Complexity Policy in Organization Settings — Organization Settings now exposes a dedicated Password Complexity Policy editor. Rules are enforced at password change time (minimum length, character class requirements, history depth). On upgrade, organizations are automatically migrated from the legacy secret_complexity_policy field.

Improvements

• Entra Credential Rotation History — Entra ID credential rotation operations now produce a persistent rotation history record for each event. The history captures the rotation type, old and new key identifiers, workflow and execution IDs, step-by-step progress, final status, error details if applicable, and elapsed duration. This enables full lifecycle traceability for Entra credential rotations.
• RBAC Permission Alignment — Role permissions updated to match the agreed product policy:
  • secret_manager — gains keytab:read and config:read (KeyTab Management and Configuration Management pages are now accessible)
  • certificate_manager — gains config:read (Configuration Management page is now accessible)
  • auditor — keytab:read removed (KeyTab Management is no longer visible to auditors; assign explicit keytab:read where audit access to keytabs is required)
• Admin Credential Reference Types Expanded — Database admin credentials now support two additional reference types: mazevault (credentials stored as MazeVault-managed secrets) and external (generic external references). Full set of supported types: internal, mazevault, external, keyvault, aws_sm.
• Secret Sync Async Seeding with Status Summary — Sync seed operations now run asynchronously and return immediately with a progress reference and detailed status summary (secrets created, updated, skipped, failed). Blocked seed incidents are now surfaced on the Conflict Resolution page.
• Certificate Issuance Linked to Agent — Certificates issued to a registered agent are now linked to the issuing agent record at issuance time, connecting the certificate lifecycle to the agent in the dashboard and rotation orchestration.
• Security Enhancements — Bootstrap and KeyTab Handlers — KeyTab update and delete handlers now enforce organization ownership checks (IDOR prevention): access to a keytab belonging to a different organization returns 404. The bootstrap password change endpoint is locked after initial bootstrap completes and rejects further calls with 403 Forbidden. A DAST scan workflow has been added to the CI pipeline.
• License Renewal Contact Updated — The license renewal contact email is now info@mazevault.com across all notification banners and expiry modals.

Bug Fixes

• SSO Provider Modal: Provider ID Preserved on Save — Fixed a bug where saving an existing SSO provider configuration dropped the provider ID, causing duplicate provider creation on subsequent saves.
• Password Complexity Policy Backfill — Organizations that had configured a secret complexity policy via the legacy secret_complexity_policy field were incorrectly evaluated as having no password policy, causing false-positive PCI-DSS 8.3 compliance failures. The policy is now automatically propagated to the dedicated password complexity field on upgrade. Additionally, organizations without any complexity policy now receive a secure default policy on upgrade (16-character minimum, all character classes required, 10-entry history, 30-day rotation interval).

---

Version 1.0.42

Release Date: 2026-05-11

New Features

• Certificate Metadata Fields — Certificates now support three user-editable metadata fields accessible from the certificate detail view and via PUT /api/v1/certificates/:id:
  • Tags — Free-form string labels for grouping and filtering certificates. Tags set at import time are now persisted and remain editable after import. Send an empty array to clear all tags.
  • Documentation URL — Optional link (http/https) to external documentation, runbooks, or CMDB entries for the certificate. Maximum 500 characters.
  • Notes — Short free-text annotation (maximum 256 characters). Send an empty string to delete the note.
  • All metadata field changes are recorded in the audit log.

Improvements

• Environment Canonicalization Enforced at Task Creation — Gateway task creation now enforces environment slug canonicalization. All gateway tasks are stored with lowercase environment slugs regardless of caller casing, building on the canonicalization infrastructure introduced in v1.0.41. The MAZEVAULT_ENV_CANONICAL_ENFORCE variable (set to true to fail-close on non-canonical inputs) applies to task creation as of this release.

---

Version 1.0.41

Release Date: 2026-04-26

Improvements

• Documentation Sync — Comprehensive documentation update aligned with v1.0.41 codebase. Environment variable reference expanded with five new sections: License/Organization Registration, Orchestrator Mode, ACME DNS-01, KeyTab Management, and Agent Binary Proxy. All existing sections updated with previously missing variables.
• Office 365 Email Variable Corrected — Fixed incorrect variable name O365_ENABLED → O365_EMAIL_ENABLED throughout documentation. Full Office 365 authentication configuration documented (client secret, certificate, and managed identity methods).
• KeyTab API Reference — Full API documentation published for all 14 KeyTab management endpoints. See KeyTab API.
• Reports API Reference — Full API documentation published for the Weekly Expiry Reports endpoints. See Reports API.
• Platform Version Sync — All documentation pages updated to reflect current platform version.

---

Version 1.0.40

Release Date: 2026-04-25

New Features

• OIDC Nonce Enforcement — New MAZEVAULT_ENFORCE_OIDC_NONCE flag enables strict nonce validation on OIDC tokens. When set to true, tokens without a valid nonce claim are rejected, providing protection against token replay attacks. Recommended for all production deployments.
• Agent Trust Store Controls — New environment variables MAZEVAULT_AGENT_INSTALL_CHAIN_TO_TRUSTSTORE and MAZEVAULT_AGENT_TRUST_STORE_PATH control whether the MazeVault agent installs the internal CA certificate chain into the operating system trust store, and allow overriding the default trust store path on Linux.

Improvements

• Certificate Rotation Target Sync Status — GET /api/v1/certificates/:id/targets/:targetId/status now returns full per-step result details, making failed target synchronizations easier to diagnose.
• Gateway Registration Stability — Improved retry logic for bootstrap token exchange reduces failed registrations caused by transient network issues during first-time gateway setup.
• OCSP URL Validation — OCSP_URL backend variable now validates URL format at startup to prevent misconfiguration from silently causing OCSP failures.

Bug Fixes

• Corrected AGENT_VERSION=latest resolution to always fetch the highest tagged release version rather than the most recent commit.
• Fixed display overlap in the certificate import modal under Orchestrator Mode when both keytab and private key sections were visible simultaneously.

---

Version 1.0.39

Release Date: 2026-04-22

New Features

• Agent Binary Distribution Control — New configuration variables provide granular control over how agent updates are distributed across the fleet. AGENT_ROLLOUT_PERCENTAGE limits what percentage of agents receive update notifications (0–100), enabling staged rollouts. AGENT_MAX_CONCURRENT_DOWNLOADS caps parallel binary download streams to prevent network saturation.
• Agent Binary Proxy — MazeVault can now proxy agent binary downloads from a private GitHub release repository, removing the requirement for agent hosts to reach the public GitHub Releases endpoint directly. Configure via AGENT_BINARY_GITHUB_TOKEN, AGENT_BINARY_CACHE_DIR, AGENT_DOWNLOAD_BASE_URL, and AGENT_VERSION.
• Primary Backend Environment Seeding — New MAZEVAULT_PRIMARY_ENVIRONMENTS variable pre-seeds the list of environments served directly by the primary backend on first startup, simplifying initial deployment configuration of multi-environment setups.

Improvements

• KeyTab Dashboard Refresh — Fixed cipher compliance breakdown chart not updating after importing a keytab with deprecated ciphers.
• Weekly Report Multi-Channel Reliability — Resolved a scheduling race condition that could silently drop one delivery channel when multiple channels were all enabled simultaneously.

Bug Fixes

• Fixed gateway heartbeat timestamp not updating correctly following a network partition recovery.

---

Version 1.0.38

Release Date: 2026-04-19

New Features

• KeyTab Management — Full Kerberos Lifecycle — Enterprise-grade Kerberos KeyTab management with complete lifecycle support. Import, discover, and manage keytab files across your infrastructure. Key capabilities include:
  • Import & Parse — Import MIT Kerberos v2 keytab binary files with automatic extraction of principals, realms, key version numbers (KVNO), and encryption types. Supports base64-encoded upload.
  • Agent Discovery — Agents automatically discover .keytab files on managed hosts, reporting file path, permissions, owner, and encryption type fingerprint. Discovered keytabs can be imported into managed inventory with a single action.
  • Cipher Policy Enforcement — Define organization-level cipher policies specifying allowed and deprecated Kerberos encryption types. Three enforcement modes: audit (report only), warn (allow with warning), block (prevent non-compliant keytabs). Default policy blocks legacy ciphers (DES, RC4-HMAC) while allowing modern AES and Camellia ciphers.
  • Version History — All keytab updates create immutable version records with change reason tracking for full audit compliance.
  • Dashboard & Analytics — Dedicated KeyTab dashboard showing total/active/expired counts, cipher compliance breakdown (compliant/warning/critical), expiry forecasts, and cipher type distribution.
  • Orchestrator Mode Support — In Orchestrator Mode, keytab binary data is offloaded to an external provider; only metadata is stored locally.
• Weekly Expiry Report — Automated weekly reports showing certificates and secrets expiring within 60 days, delivered to multiple channels simultaneously:
  • Email — HTML-formatted report to configured recipient list
  • Slack / Microsoft Teams — Webhook-based notifications with expiry summaries
  • JIRA — Automatic issue creation with expiry details for tracking
  • Generic Webhook — HTTP POST with full report payload for custom integrations
  • Reports can be previewed before sending and triggered manually on demand.
• Local Gateway Registration — The primary backend can now register itself as a local gateway, enabling unified gateway management UI for both local and remote gateways. A unique constraint ensures only one local gateway per deployment.

Improvements

• Gateway Multi-Environment Support — Gateways can now serve multiple environments simultaneously, removing the previous one-gateway-per-environment restriction.
• Report RBAC Permissions — New report:read and report:write permissions provide fine-grained access control for the reporting system. All standard roles (User, Certificate Manager, Secret Manager, Auditor) receive report:read; Admin and Project Admin additionally receive report:write.
• KeyTab RBAC Permissions — New keytab:read, keytab:write, keytab:delete, and keytab:admin permissions control access to keytab management. Standard users and auditors receive read access; operators and organization admins receive write and delete; organization admins additionally receive admin access for policy management.

Bug Fixes

• Entra Sync Rule Cleanup — Removed orphaned sync rules left behind by deleted integrations, and cleaned up duplicate sync rules for entra_id provider type (now handled by the dedicated Entra Sync Scheduler). Fixes recurring "sync failed for rule" errors in production environments.

---

Version 1.0.37

Release Date: 2026-04-16

Improvements

• Gateway Task Payload Encryption — Sensitive task payloads exchanged between the primary backend and gateways are now encrypted at rest in the database. The payload_encrypted flag on gateway tasks ensures that JSONB payloads containing credentials and private keys are protected even if database access is compromised.
• Write Queue Exponential Backoff — Multi-datacenter write queue now tracks the timestamp of each retry attempt, enabling proper exponential backoff calculation for failed synchronization operations. This improves reliability and reduces unnecessary load on remote gateways during connectivity disruptions.

Security Updates

• Gateway Payload At-Rest Encryption — Task results and payloads in the gateway task queue are now encrypted before database storage, closing a potential data exposure vector in multi-datacenter deployments.

---

Version 1.0.36

Release Date: 2026-04-15

New Features

• KeyTab Database Schema — New database tables for keytab management: keytabs (encrypted keytab storage with cipher compliance tracking), keytab_versions (immutable version history), keytab_cipher_policies (organization-level cipher enforcement), and discovered_keytabs (agent discovery results with stale detection).
• KeyTab RBAC Permissions — New permission set (keytab:read, keytab:write, keytab:delete, keytab:admin) assigned to appropriate system roles for keytab lifecycle management.

Improvements

• Gateway API Token Enhancement — Improved gateway authentication with dedicated API tokens and bootstrap provisioning support.
• Agent KeyTab Discovery — Agents can now discover Kerberos keytab files on managed hosts and report findings including file path, permissions, owner, encryption types, and SHA-256 fingerprint.

---

Version 1.0.35

Release Date: 2026-04-14

Bug Fixes

• PEM Import — Private Key Preservation — Fixed a critical issue where importing a PEM file containing a certificate chain and a private key would silently discard the private key. The system correctly detected the key during file preview but lost it during the actual import, causing subsequent PFX/JKS exports to fail. The PEM bundle parser now correctly extracts PKCS#8, RSA, and EC private key blocks.
• Certificate Import — Project Name in Error Messages — When importing a certificate that already exists, the error message now includes the project name where the duplicate resides (e.g., "certificate already exists … project=MyProject"), making it easier to identify conflicts.

Improvements

• Private Key Visibility in UI — Certificates now display their private key status across all views:
  • Certificate lists show a green shield icon when a private key is stored.
  • The certificate dashboard shows a green key icon next to certificates with private keys.
  • The certificate detail modal displays a chip indicating whether the key is stored locally, externally, or not available.

---

Version 1.0.34 (Previous)

Release Date: 2026-04-10

New Features

• Identity Provider Group Discovery — New API endpoint GET /identity-providers/{id}/groups fetches groups directly from the configured identity provider (Entra ID via Microsoft Graph, LDAP via directory search). Supports search filtering by group display name for easy role mapping.
• Identity Provider Test Coverage — Added comprehensive unit test coverage for identity provider CRUD operations, test-connection flow, and group discovery endpoints.

Improvements

• JKS Export — Pure Go Implementation — Replaced the external keytool (JDK) dependency with a native Go implementation using keystore-go/v4. JKS export now works in any environment without requiring a Java runtime, includes the full certificate chain, and has comprehensive test coverage.
• Gateway API Token Authentication — New gateway_api_tokens table and middleware for gateway-to-backend API authentication. Gateways can now authenticate using dedicated API tokens with automatic bootstrap provisioning.
• Gateway Write Queue — Added gateway_write_queue table for buffering write operations from gateways, enabling reliable data synchronization in multi-datacenter deployments.
• Gateway Bootstrap Hardening — Improved gateway bootstrap flow with enhanced validation, Azure SQL connectivity checks, and more reliable initial registration.
• Azure Test Environment Terraform — New Terraform configuration for automated Azure test environment provisioning, including Entra ID enterprise apps, Key Vaults, and Azure SQL.

Security Updates

• Gateway Middleware Authentication — New dedicated middleware validates gateway API tokens with proper scope checks and request context propagation.

---

Version 1.0.33

Release Date: 2026-04-09

New Features

• Azure Permissions Check Endpoints — Added new Azure access validation APIs for permissions and resource visibility:
• POST /api/v1/admin/azure/mi-permissions-check
• GET /api/v1/azure/user-permissions-summary
• GET /api/v1/azure/subscriptions/{subscriptionId}/sql-servers
• Managed Identity Permissions Validation — New managed identity check flow validates access across configured Azure integrations and returns per-integration status results.
• User Permissions Summary — Added a consolidated subscription-level overview of Azure resources visible to the authenticated user, including Key Vault and SQL server discovery.

Improvements

• RBAC Integration for Azure Permission Checks — Azure permissions endpoints are now protected by MazeVault RBAC with integration:read and integration:write guards.
• Swagger Schema Coverage — OpenAPI definitions now include the Azure permissions check response models (MIPermissionsCheckResponse, MICheckResult) for accurate API client generation.

Security Updates

• Role Permission Alignment — Migration 000109_add_audit_settings_permissions adds audit:read and project:write permissions to certificate_manager and secret_manager roles for consistent access control behavior.

---

Version 1.0.32

Release Date: 2026-04-08

New Features

• Azure Managed HSM Integration — Full support for key storage and manipulation in Azure Managed HSM with automatic certificate updates and key rotation. All private key operations occur in the HSM with metadata returned to the database.
• Organization-Level Password Policy — Define password enforcement rules (minimum length, complexity, expiry) for all organization users. Rules are enforced at password creation and change with legacy integration compatibility.

Improvements

• CRDT Sync Performance — Optimized conflict resolution for datasets >100k records, 40% speed improvement on multi-DC setups.
• Extended Audit Logs — Comprehensive recording of all password, certificate, and administrative operations.

Bug Fixes

• Fixed cache invalidation timing in cluster deployments.
• Resolved sync failures with large CSR transactions.

---

Version 1.0.31

Release Date: 2026-04-07

New Features

• Orchestrator Mode — External Key Storage — MazeVault can now run in a mode where all private keys and secrets are stored exclusively in external key vaults (Azure Key Vault, AWS Secrets Manager, HashiCorp Vault). Local database contains only metadata.
• License Compliance Tracking — Dashboard displays license status in real-time, including used licenses, upcoming expirations, and warning states.

Improvements

• Standard → Orchestrator Mode Migration — New CLI commands for safely migrating existing Standard mode systems to Orchestrator mode.
• Orchestrator Mode UI — Toggle in Onboarding Wizard and organization settings.

Bug Fixes

• Fixed selective certificate copying in Orchestrator mode.

---

Version 1.0.30 (Previous)

Release Date: 2026-04-07

New Features

• ACME Server — Full RFC 8555 Implementation — MazeVault now acts as a fully compliant ACME certificate authority. Any standard ACME client (cert-manager, Certbot, acme.sh, Kubernetes) can obtain and renew certificates directly from MazeVault without manual intervention. Supported challenge types: HTTP-01, DNS-01, TLS-ALPN-01.
• External Account Binding (EAB) — Restrict ACME account registration to authorized clients using pre-shared EAB credentials (HMAC-based). Prevents unauthorized certificate issuance from unknown ACME clients.
• Sync Dashboard — New dashboard section showing real-time synchronization status: configuration overview, active conflicts, and sync failures with per-item resolution guidance.
• Sync Read Permission — New sync:read permission grants project members, auditors, and role holders access to sync status endpoints without requiring elevated privileges.

Improvements

• ACME Authorization Nonce Hardening — Dedicated nonce table (acme_server_nonces) with TTL-based expiry ensures strict replay-nonce protection per RFC 8555 §6.5.
• ACME Challenge Token Indexing — Challenge tokens now use a dedicated indexed column for O(1) validation lookups instead of JSON scanning, improving throughput under high ACME request volume.
• RBAC — Sync Permissions Aligned — project_admin, certificate_manager, secret_manager, user, and auditor roles now include sync:read for consistent access to sync dashboard endpoints.

Bug Fixes

• Fixed race condition in ACME order state transitions during concurrent finalize requests.
• Resolved ACME authz table creation ordering issue (migration idempotency).

---

Version 1.0.29

Release Date: 2026-04-06

New Features

• Configuration Management Interface — New multi-tab UI for lifecycle management of configuration files: discover YAML/JSON/INI files across environments, stage drafts, and promote configurations to production. Provides visibility into discovered vs. managed configuration counts.
• Certificate Rotation Polymorphic Config — Rotation executions now support both secret and certificate rotation configs in a unified model. The config_type field distinguishes between the two, eliminating separate workflow tables.
• Rotation Settings Source Tracking — Each certificate now records whether its renewal settings originate from a project template (template) or were manually configured (manual), providing clear audit attribution for rotation behavior.

Improvements

• Organization Scoping for Certificate Requests — Certificate signing requests (CSRs) are now scoped to the originating organization. The organization_id field is backfilled from project associations, preventing cross-organization CSR data leakage.
• ACME Server Authorization Tables — Database schema for the ACME server protocol (authorization objects and nonce tables) was provisioned in preparation for the v1.0.30 ACME server release.
• Rotation Workflow Cleanup — Removed orphaned rotation_workflows and rotation_step_executions tables that were superseded by the unified rotation execution model.

Bug Fixes

• Fixed rotation_configs.next_rotation column rename to next_rotation_at — scheduler queries now use the correct column name.
• Resolved foreign key constraint on rotation_executions.config_id that prevented polymorphic rotation config references.

---

Version 1.0.28

Release Date: 2026-04-05

New Features

• Secret Naming Policies — Define organization-wide naming conventions for secrets using regex-based rules with three enforcement levels: block (prevent creation), warn (allow with warning), and disabled (informational). Policies are managed as configuration templates and validated in real-time on secret creation.
• Naming Compliance Dashboard — New tab in the Secrets Dashboard shows a policy violation heatmap, per-rule compliance rates, and auto-generated rule suggestions based on existing secret naming patterns.
• Consistency Framework — Create consistency groups to verify that specified secrets exist across all required environments. The POST /projects/{id}/consistency/groups endpoint and dashboard tab surface missing values and environment gaps, with resolve-warning support for documented exceptions.
• Database Security Defaults — Organizations can now configure per-environment TLS/encryption baselines for database integrations. Production environments default to strict TLS (verify-full, encrypt, TCPS); non-production environments use permissive defaults. Supported providers: Oracle, MSSQL, PostgreSQL, MongoDB, MySQL.
• Enhanced Shared Secrets — Shared secrets now support optional passphrase protection (bcrypt), recipient_email for intent tracking, automatic content-type tagging (secret or certificate), and rotation source attribution (source_type, source_id) for automated post-rotation distribution.

Security Updates

• Consistency RBAC Permissions — New consistency:read and consistency:write permissions control access to consistency groups and warning resolution. Assigned to project_admin, certificate_manager, secret_manager, user, and auditor roles.
• Auditor Role Refinement — The auditor role no longer has access to the deployment dashboard or general dashboard views, focusing the role strictly on audit logs, user management, gateway status, and agent status — reducing the attack surface of read-only accounts.

Bug Fixes

• Fixed secret naming policy storage: policies are now persisted in config_management_templates instead of the deprecated organizations.secret_complexity_policy JSONB column.

---

Version 1.0.27

Release Date: 2026-04-04

New Features

• New Roles: Certificate Manager & Secret Manager — Two new purpose-built roles provide fine-grained access control without granting cross-domain visibility:
• certificate_manager — Full lifecycle management for certificates, CA accounts, templates, discovery, and deployment. No access to secrets.
• secret_manager — Full lifecycle management for secrets, rotation, deployment, and integrations. No access to certificates.
• SSO Authorization Code Pattern — Access tokens are no longer passed via URL query parameters on SSO callback. The callback now delivers a short-lived opaque code (sso_code, 60-second TTL) that the frontend exchanges for tokens via POST /auth/sso/exchange. This eliminates token exposure in browser history, server access logs, and Referer headers. Applies to Entra ID, GitHub, and GitLab SSO providers.
• Entra Group Mapping Consolidation — Entra ID group-to-role mappings are now stored in the unified group_role_mappings table with a source column (local or entra). This enables consistent group management across local LDAP groups and Entra ID cloud groups from a single interface.

Security Updates

• OIDC Nonce Validation — OAuth2 state now carries a server-generated nonce validated at token exchange. Prevents CSRF/token-hijacking via cross-site OAuth state substitution.
• Deprecated Roles Removed — Legacy roles (operator, developer, org_admin, secret_editor, secret_viewer, certificate_admin, system_admin) have been removed. Existing users with these roles were automatically migrated: operator → project_admin, developer → user. Integrations using deprecated role names in API calls must be updated.
• User Role Data Integrity — Fixed zero-UUID primary key corruption in the user_roles table caused by a missing BeforeCreate hook. A composite unique index was added to prevent duplicate role assignments. Affected rows were deduplicated during migration.
• Soft-Deleted User Email Index — The email uniqueness constraint is now a partial index (WHERE deleted_at IS NULL). Soft-deleted users no longer block new account creation or SSO registration with the same email address.

Bug Fixes

• Fixed Entra group mapping duplication after SSO re-authentication.
• Resolved role assignment failures for users created via LDAP group sync.

---

Version 1.0.26 (Previous)

Release Date: 2026-04-03

New Features

• PFX/PKCS#12 Import Improvements — Enhanced PFX certificate import with improved parsing and validation
• Certificate Template Fixes — Resolved template configuration issues affecting certificate enrollment workflows
• Role Mapping Modifications — Updated group-to-role mapping logic for improved SSO integration
• Audit Log Enhancements — Extended audit logging with additional event types and improved traceability

Security Updates

• Comprehensive Vulnerability Remediation — Resolved 18 out of 24 identified vulnerabilities across all platform components through systematic dependency scanning and updates
• SAML Signature Bypass Fix (CRITICAL) — Fixed critical SAML XML signature bypass vulnerability in SSO authentication flow (goxmldsig v1.3.0 → v1.6.0)
• HTTP/2 CONTINUATION Flood Fix (CRITICAL) — Resolved actively exploitable HTTP/2 denial-of-service vulnerability in Kubernetes Operator (golang.org/x/net v0.19.0 → v0.52.0)
• gRPC Authorization Bypass Fix — Fixed gRPC authorization bypass via missing leading slash in path (google.golang.org/grpc → v1.80.0)
• JOSE/JWE Denial-of-Service Fixes — Resolved 3 separate DoS vulnerabilities in JSON Web Encryption handling (go-jose/v3 v3.0.0 → v3.0.4)
• Node.js SDK Critical Fix — Eliminated 8 critical Handlebars.js advisories including JavaScript injection and prototype pollution
• CI/CD Security Hardening — Pinned Trivy security scanner to specific version (supply chain protection), enabled security scanning on all CI events

Improvements

• Kubernetes Operator Overhaul — Major dependency update to controller-runtime v0.22.5 and k8s.io/* v0.34.3 with code quality improvements including extracted reconciliation methods, configurable refresh intervals, proper watch propagation, and structured logging
• Terraform Provider Fix — Fixed compilation error and updated all dependencies to latest stable versions (terraform-plugin-framework v1.19.0, grpc v1.80.0)
• Go SDK Enhancement — Added Environment field to Project model for improved project management
• Docker Image Hardening — Pinned OCSP Responder base image to alpine:3.21 (reproducible builds), switched Frontend to npm ci for deterministic dependency installation
• Dependency Alignment — Aligned golang.org/x/crypto, golang.org/x/net, and other standard library packages across all 7 Go modules to latest stable versions

---

Version 1.0.25

Release Date: 2026-04-01

New Features

• Swagger API Documentation Overhaul — Comprehensive regeneration of Swagger/OpenAPI documentation with complete endpoint coverage, improved schema definitions, and accurate request/response examples
• Entra ID SSO Environment Configuration — New environment variables for Entra ID SSO and Azure Managed Identity configuration in .env.example for streamlined deployment setup

Improvements

• LDAP & OAuth Provider Configuration — Enhanced SSO provider setup with improved LDAP bind DN handling and OAuth2 flow configuration
• Email Status Endpoint — New GET /api/v1/system/email-status endpoint for monitoring email notification delivery status
• Certificate Rotation Handlers — New API handlers for certificate rotation execution and status tracking
• Agent Integration Enhancements — Improved agent discovery and integration handlers with better error reporting
• SSH Key Management — Extended SSH key service with improved import and rotation capabilities

Security Updates

• Updated authentication service with enhanced token validation and session management
• Improved Entra ID Graph client with additional security headers

---

Version 1.0.24

Release Date: 2026-03-30

Bug Fixes

• Entra ID SSO Fix — Resolved critical Entra ID SSO authentication issue affecting login flow and token refresh
• Code Cleanup — Removed deprecated handler code and unused Entra mapping endpoints for cleaner codebase

Improvements

• Updated schema models with additional field definitions for improved data integrity

---

Version 1.0.23

Release Date: 2026-03-30

Improvements

• Certificate Templates and Expiry Management — Enhanced certificate template configuration with improved expiry tracking, scheduler optimizations, and better CA integration status indicators
• Certificate Import Validation — Improved certificate import service with stricter chain validation and better error messages
• SSLmarket CA Sync — Extended SSLmarket CA provider with improved product synchronization and certificate status tracking
• Extended Logging — Enhanced logging across certificate services for better troubleshooting and audit trail

Bug Fixes

• Fixed certificate status calculation in X.509 utility functions
• Resolved certificate dashboard display issues for expiring certificates
• Fixed certificate edit modal preserving incorrect values on save

---

Version 1.0.22

Release Date: 2026-03-30

New Features

• Multi-Gateway Environment Support — New database migration and service layer for multi-gateway deployments with environment-specific gateway configuration, health monitoring, and task execution
• Gateway Health Monitor — Real-time gateway health monitoring service with heartbeat tracking, automatic failover detection, and Prometheus metrics
• Gateway Routing Service — Intelligent request routing across multiple gateway instances with load balancing and environment awareness
• Gateway Task Executor — Distributed task execution framework for gateway operations with retry logic and status tracking
• Identity Provider Management — New API handlers for identity provider configuration and management

Improvements

• Cipher Key Resolver Hardening — Comprehensive test coverage for cipher key resolution with 715+ lines of new tests eliminating dual storage inconsistencies
• Database Health Checks — Updated expected tables and columns for new gateway-related database schema
• Integration Wizard — New multi-step integration wizard UI for configuring CA providers, secret managers, and external integrations
• Key Derivation Fix — Resolved key derivation issue affecting encryption operations

Security Updates

• Eliminated cipher key dual storage vulnerability via migration 000089
• Enhanced authentication service with improved session handling

Bug Fixes

• Fixed test failures in certificate orchestrator and configuration management services
• Resolved EntraID SSO redirect issue on certain browser configurations

---

Version 1.0.21

Release Date: 2026-03-26

New Features

• Azure Resource Discovery — New API handlers for Azure cloud resource discovery with Key Vault, certificate, and secret enumeration
• Integration Wizard UI — Multi-step wizard for configuring integrations with CA providers and secret managers, including type selection, provider configuration, and review steps

Improvements

• CA Account Service — Enhanced CA account management with improved error handling and status tracking
• Model Schema Updates — Updated data models across SSH keys, MFA, OAuth, CRL, and zero-trust modules for improved consistency and validation
• Test Coverage — Expanded test coverage for integration service providers, key offload service, and secret service offload operations

Bug Fixes

• Fixed certificate audit event model inconsistency
• Resolved discovered certificate model field alignment issues

---

Version 1.0.20

Release Date: 2026-03-23

New Features

• Office365 OAuth2 Email Notifications — Send email notifications via Microsoft Graph API using OAuth2 client credentials flow instead of legacy SMTP; supports 3 authentication methods (client secret, certificate, managed identity); reuses existing Entra ID infrastructure with connection caching and retry logic; transparent replacement — all 6 email trigger points (expiry alerts, incidents, weekly reports, rotation failures, discovery summaries, test notifications) work automatically; new GET /api/v1/system/email-status endpoint and frontend status indicator in System Outputs → Notifications tab
• SmallStep CA Provider — Integration with open-source step-ca as a Certificate Authority backend supporting JWK, X5C, and OIDC provisioners; mTLS authentication, certificate signing, renewal, revocation, and CRL signing with root fingerprint verification; ideal for zero-trust short-lived certificate architectures
• Multi-Target Certificate Rotation — Deploy certificates to 5 destination types: Secret Managers (Azure Key Vault, AWS Secrets Manager, HashiCorp Vault), Kubernetes Secrets (TLS/Opaque), Agent Keystores (JKS, PKCS12, Windows), Agent Files (PEM), and Database Wallets (Oracle OCI); content mode selection (public only, public+chain, full chain with key, key only), format auto-detection, retry policies with configurable attempts and delays, and post-install command execution
• Enterprise Entra ID Credential Lifecycle — Complete lifecycle management with states (created, active, expiring, expired, revoked, grace period), configurable grace periods (default 30 days), rotation history tracking with old/new key IDs and workflow tracing, expiry monitoring dashboard, idempotency protection against duplicate rotations, and sync conflict resolution for local vs. remote state
• Compliance Report Viewer — Generate and view compliance reports with template-based formatting, organization-wide certificate compliance analysis, and exportable report output
• Rotation Execution History — Detailed per-certificate rotation history with execution timestamps, status tracking (success/failed/pending), and target-level sync status visualization
• Certificate Lifecycle Phase Tracking — New lifecycle phases (stable, renewing, rotating, revoking) prevent duplicate CA requests during in-flight operations; orthogonal to certificate status, ensuring certificates remain valid during phase transitions

Improvements

• Audit Stream Destinations — New Elasticsearch destination with index template management, cluster mode and CosmosDB support; new Syslog destination with TCP/UDP transport, CEF and Syslog format support; enhanced log stream service with destination-specific configuration validation
• LDAP Authentication Improvements — Enhanced LDAP service with improved bind DN handling, group membership resolution, schema configuration flexibility, and better error diagnostics for connection failures
• Notification Scheduler Redesign — Improved scheduling logic for certificate expiry notifications with batching support to reduce alert fatigue, JIRA integration for incident ticket creation, and email notification enhancements
• Weekly Expiry Report Service — Redesigned report generation with recipient management, customizable report content, and improved delivery reliability
• Project Template Enhancements — Extended template configuration with naming convention integration, advanced default settings, and improved template-to-project application workflow
• Naming Convention Service — Extended naming convention engine with additional pattern support, validation rules, and convention-to-template linking for automated enforcement
• Prometheus Metrics — New histogram and counter metrics for certificate rotation, compliance reporting, and audit stream performance monitoring
• CI/CD Pipeline — New GitHub Actions workflow for automated build, test, and deployment
• SSO Provider Modal — Added LDAP provider configuration with server, bind DN, and schema settings directly from the SSO configuration interface
• WebLogic Deploy Rotation Step — New rotation step type for Oracle WebLogic Server keystore deployment with automated domain configuration updates

Security Updates

• Entra ID credential rotation with full audit trail — every rotation recorded with actor, timestamp, old/new key IDs, and execution status
• SmallStep CA operations logged to audit stream with complete request/response metadata
• Certificate lifecycle phase prevents concurrent CA operations, eliminating race conditions in renewal and rotation workflows
• Entra sync conflict detection with automatic tracking of local vs. remote state discrepancies

---

Version 1.0.19

Release Date: 2026-03-20

New Features

• Azure Gateway Deployment — Multi-region Azure Gateway infrastructure with Terraform modules for AKS, Key Vault, PostgreSQL, Redis, networking, monitoring, and identity management; Helm chart values for gateway configuration; Azure DevOps CI/CD pipeline for automated deployment
• Key Vault RBAC Service — Granular role-based access control for Azure Key Vault operations with per-secret and per-certificate permission management
• Key Vault Watch Connector — Real-time synchronization between MazeVault and Azure Key Vault with change detection and automatic secret updates
• Naming Convention Engine — Domain-specific naming rules with wildcard pattern matching, priority ordering, and template-level enforcement for consistent resource naming across projects
• Dashboard Reports Tab — Redesigned reporting dashboard with certificate overview statistics, interactive charts, and exportable report data
• Node.js SDK — Official MazeVault SDK for Node.js with TypeScript definitions, supporting authentication (SRP), organizations, projects, and secrets management

Improvements

• Audit Log Project Scoping — Audit events now include project association for efficient per-project filtering and compliance reporting; existing events backfilled from entity relationships
• Orchestrator Storage Mode Fix — Normalized inconsistent storage mode values for Orchestrator Mode deployments, resolving constraint violations
• Entra Group Mappings — Improved group-to-role mapping reliability with better error handling and UI feedback
• Config Encryption Hardening — Enhanced configuration encryption service with additional test coverage and improved error handling for edge cases
• Certificate Import Validation — Improved certificate import service with stricter chain validation
• Go SDK Updates — Updated project and model definitions for consistency with latest API
• Python SDK Updates — Model alignment with latest API schema

Bug Fixes

• Fixed environment creation for unused projects being triggered unnecessarily
• Resolved Entra ID SSO login redirect issue on certain browser configurations
• Fixed project template modal not preserving environment associations on save

---

Version 1.0.18

Release Date: 2026-03-14

Improvements

• Customer Documentation Updated — Comprehensive ACME certificate automation guide with step-by-step Kubernetes setup, cert-manager ClusterIssuer examples, ACME profile routing, troubleshooting, and complete end-to-end YAML examples; updated Certificates API reference with ACME endpoints and EAB management; release notes reformatted to correct 1.0.x versioning scheme
• Azure Entra ID Integration Improved — Enhanced token refresh handling, improved group-to-role mapping reliability, faster SSO login flow with reduced redirect latency, and better error messages for misconfigured tenant settings

---

Version 1.0.17

Release Date: 2026-03-14

New Features

• ACME Server (RFC 8555) — MazeVault now acts as a full ACME Certificate Authority, enabling automated certificate issuance via cert-manager and other ACME clients
• External Account Binding (EAB) — Secure cluster registration with one-time-use credentials linking ACME clients to organizations and projects
• ACME Profile Routing — Map cert-manager profile names to MazeVault Certificate Templates for automatic CA backend selection (cert-manager v1.18+)
• Domain Rule Engine — Configure domain-to-template routing rules with wildcard pattern matching and priority ordering
• Auto-Approve for Internal Domains — Certificates for .local, .internal, .lan, and .corp domains are issued instantly without HTTP-01 challenge
• ADCS Bridge via ACME — Issue certificates from Microsoft Active Directory Certificate Services through standard ACME protocol
• ADCS Agent Improvements — DCOM retry logic for pending certificate requests with configurable intervals
• EAB Credential Management UI — Generate, list, and revoke EAB credentials from the web interface with cert-manager YAML examples

Improvements

• ACME directory endpoint with meta profiles for automated client discovery
• JWS middleware with ES256 and RS256 signature verification
• Nonce-based replay protection per RFC 8555 §6.5
• Full PEM certificate chain delivery for ACME clients
• EAB credentials table with status tracking (Available / Used / Revoked)
• One-click copy for ACME directory URL and generated credentials

Security Updates

• EAB HMAC keys encrypted at rest with AES-256-GCM
• EAB credentials are single-use and support expiration and revocation
• JWK Thumbprint verification (RFC 7638) for account binding
• All ACME operations recorded in audit log

---

Version 1.0.16

Release Date: 2026-02-28

Improvements

• Organization settings redesign with tabbed navigation
• Certificate Authority account cards with sync status indicators
• Improved CA product discovery and sync trigger via UI
• Agent heartbeat interval optimization for large fleets
• Database connection pool tuning for high-concurrency deployments

Bug Fixes

• Fixed certificate chain validation for intermediate CA certificates
• Resolved race condition in concurrent secret rotation scheduling
• Fixed OCSP responder cache invalidation on certificate revocation

---

Version 1.0.15

Release Date: 2026-02-14

Improvements

• PFX/PKCS#12 import with configurable key storage (software / HSM)
• Certificate template override support for CA account-level defaults
• Improved agent reconnection logic after network interruptions
• Enhanced audit log filtering by event type and date range

Bug Fixes

• Fixed certificate export with chain for cross-signed intermediates
• Resolved project template settings not persisting after save
• Fixed SSH key discovery deduplication for rotated keys

---

Version 1.0.14

Release Date: 2026-01-31

Improvements

• SSH key management enhancements — authorized key tracking and discovery
• Rotation trigger improvements with foreign key constraint handling
• Secret sharing post-rotation with automatic re-encryption
• Improved error messages for agent proxy authentication failures

Bug Fixes

• Fixed rotation scheduler timezone handling for non-UTC installations
• Resolved dashboard certificate count discrepancy after bulk import
• Fixed API token expiration check for service identities

---

Version 1.0.13

Release Date: 2026-01-24

Improvements

• React import modernization — tree-shaking optimized MUI imports
• Frontend build size reduction (~15% smaller bundle)
• Improved certificate search with wildcard SAN matching
• Enhanced monitoring Prometheus metrics with histogram buckets

Bug Fixes

• Fixed RBAC permission check for nested project environments
• Resolved Terraform export formatting for complex secret values
• Fixed health check endpoint returning stale Redis status

---

Version 1.0.12

Release Date: 2026-01-17

Improvements

• Trivy container image scanning integration in CI/CD pipeline
• Security vulnerability remediation for dependency chain
• Improved TLS cipher suite configuration with Mozilla Intermediate profile
• Enhanced rate limiting with sliding window algorithm

Bug Fixes

• Fixed certificate renewal scheduling for certificates with custom validity
• Resolved sync conflict for simultaneously edited secrets across datacenters
• Fixed agent registration token validation for re-registered agents

---

Version 1.0.11

Release Date: 2026-01-10

Improvements

• PostgreSQL connection health monitoring with automatic reconnection
• Bidirectional sync architecture improvements for multi-region deployments
• Agent installation script fixes for air-gapped environments
• Onboarding flow improvements for remote deployment scenarios

Bug Fixes

• Fixed database migration rollback for failed upgrades
• Resolved LDAP group sync not reflecting membership changes
• Fixed certificate list pagination for projects with > 1000 certificates

---

Version 1.0.10

Release Date: 2026-01-03

Improvements

• Enhanced external change detection for CA-managed certificates
• Improved Helm chart values documentation with inline comments
• Certificate expiry notification batching to reduce alert fatigue
• Updated Go dependencies with security patches

Bug Fixes

• Fixed CRDT merge for concurrent secret version creation
• Resolved Azure Key Vault sync retry logic for transient failures
• Fixed OCSP responder returning incorrect status for renewed certificates

---

Version 1.0.9

Release Date: 2025-12-15

New Features

• Certificate Template System — Pre-configured certificate profiles for common use cases (Web Server, Client Auth, Code Signing, Email/S-MIME)
• Bulk Certificate Operations — Import and manage certificates in bulk via PEM bundles
• Enhanced Agent Discovery — Automatic discovery of certificates across agent-managed infrastructure
• Sync Improvements — CRDT-based multi-datacenter synchronization with improved conflict resolution
• Terraform Export — Export project configurations as Terraform HCL for infrastructure-as-code workflows

Improvements

• Improved certificate import validation and error reporting
• Enhanced OCSP responder performance with response caching
• Updated RBAC with granular certificate management permissions
• Improved audit logging with structured JSON output
• Enhanced health check endpoints with component-level status

Security Updates

• TLS 1.3 as default protocol
• Improved CSRF protection with double-submit cookie pattern
• Enhanced rate limiting with per-endpoint configuration
• Updated cryptographic dependencies

---

Version 1.0.8

Release Date: 2025-11-20

New Features

• External CA Integration — Connect to DigiCert, Venafi, Microsoft ADCS, and other external Certificate Authorities
• HSM Support — Hardware Security Module integration for key protection (PKCS#11, Azure Managed HSM)
• ACME Protocol — Automated Certificate Management Environment for automated certificate issuance
• Multi-Factor Authentication — TOTP-based MFA for enhanced account security

Improvements

• Redesigned certificate management interface
• Improved secret rotation scheduling
• Enhanced API rate limiting
• Expanded Azure Key Vault integration

---

Version 1.0.7

Release Date: 2025-09-10

New Features

• Zero-Knowledge Encryption — Client-side encryption for personal vault secrets
• SCEP Protocol Support — Simple Certificate Enrollment Protocol for device certificate management
• EST Protocol Support — Enrollment over Secure Transport for modern certificate enrollment
• Agent Proxy — Agents can proxy secret access for local applications

Improvements

• Improved database migration system
• Enhanced logging and monitoring
• Updated Kubernetes deployment manifests
• Performance improvements for large certificate stores

---

Version 1.0.6

Release Date: 2025-06-15

New Features

• Multi-Datacenter Sync — Bidirectional synchronization between MazeVault installations
• Azure Entra ID SSO — Single Sign-On with Azure Active Directory
• Project-Level RBAC — Granular role-based access control per project
• CRL Distribution — Automated Certificate Revocation List generation and distribution

Improvements

• Improved dashboard with real-time status updates
• Enhanced certificate search and filtering
• Updated API documentation with OpenAPI 3.0 specifications
• Improved container image security

---

Version 1.0.5

Release Date: 2025-03-20

New Features

• OCSP Responder — Real-time Online Certificate Status Protocol responder
• Secret Versioning — Full version history with rollback capabilities
• Agent Management — Centralized agent registration and monitoring
• LDAP Integration — Directory service authentication support

---

Version 1.0.4

Release Date: 2024-12-10

New Features

• Internal Certificate Authority — Full PKI with root and intermediate CA support
• Certificate Lifecycle Management — Request, approve, issue, renew, and revoke certificates
• Helm Charts — Standardized Kubernetes deployment via Helm

---

Version 1.0.3

Release Date: 2024-09-15

New Features

• Azure Key Vault Integration — Sync secrets with Azure Key Vault
• Secret Rotation — Automated and manual secret rotation
• Kubernetes Deployment — AKS deployment with Terraform

---

Version 1.0.2

Release Date: 2024-06-20

New Features

• Role-Based Access Control — User roles and permissions
• Project Management — Organize secrets into projects
• API v1 — Full REST API for secrets management

---

Version 1.0.1

Release Date: 2024-03-01

Initial Release

• Encrypted secrets storage with AES-256-GCM
• Web-based management interface
• PostgreSQL backend with Redis caching
• Docker Compose deployment
• Local authentication with SRP protocol

---

Support Policy

MazeVault supports the current version and one previous minor version. Customers on older versions are encouraged to upgrade to receive security updates and new features.