Changelog

A transparent record of every significant change — each linked back to the RFC or PR that introduced it.


v1.0.0 released — WAF++ Framework v1.0.0 launched on 12 May 2026 on the pre-eve of Cloud Native Conference DE. All eight pillars are stable, the controls library is locked, and the PASS scoring model is finalized. Agentic (Pillar 8) announced for v1.1.
May 2026 v1.0.0
new WAF++ Framework v1.0.0 — first stable release. All seven pillars are fully documented with complete control sets, design principles, best practices, maturity models, regulatory mappings (GDPR, BSI C5, ISO 27001, SOC 2, HIPAA, NIS2), evidence, scope, and glossary. Released on the pre-eve of Cloud Native Conference DE.
improvement Security pillar (Pillar 1) — documentation finalized with full WAF-SEC control set, zero-trust model, IAM hardening guidelines, encryption requirements, and compliance evidence templates
improvement PASS scoring model v1.0 — stable scoring formula across all seven pillars; maturity levels L1 (Foundational) through L5 (Excellence) are locked and documented
improvement Controls library stabilized — all WAF-SEC, WAF-COST, WAF-PERF, WAF-REL, WAF-OPS, WAF-SUS, and WAF-SOV controls locked at v1.0; control schema frozen for stable tooling integration
new Cross-pillar reference architecture — canonical reference architecture published showing how all seven pillars interact in a production multi-cloud deployment
docs Framework documentation available at waf2p.dev/docs/wafpp/1.0/ — stable URL, versioned Antora component
March 2026 beta
improvement Cost Optimization pillar (Pillar 2) — full documentation finalised: complete control set, design principles, best practices, maturity model, evidence, scope, and glossary (PR #16)
improvement Sovereign pillar (Pillar 7) — full documentation finalised: complete control set with best practices, case studies, modular structure, maturity model, evidence, scope, and glossary (PR #16)
new Sustainability pillar (Pillar 6) — full documentation with 10 controls (WAF-SUS-010 through WAF-SUS-100), design principles, best practices (carbon measurement, compute efficiency, data efficiency, ESG reporting, green regions, idle elimination, workload scheduling), maturity model, evidence, scope, and glossary
new Performance Efficiency pillar (Pillar 3) — full documentation with 10 controls (WAF-PERF-010 through WAF-PERF-100), design principles, best practices, maturity model, evidence, scope, and glossary
new Reliability pillar (Pillar 4) — full documentation with controls (WAF-REL series), design principles, best practices, maturity model, evidence, scope, and glossary
new Operational Excellence pillar (Pillar 5) — full documentation with 10 controls (WAF-OPS-010 through WAF-OPS-100), design principles, best practices, maturity model, evidence, scope, and glossary
new Resource pages added — control schema reference, regulatory mapping (GDPR, BSI, ISO 27001, SOC 2, HIPAA), and WAFPass integration guide
improvement Controls catalog expanded — improved navigation, categorisation, and cross-pillar index in modules/controls/
new Security pillar (Pillar 1) — structure adopted, initial content and controls added
infra Controls relocated to modules/controls/controls/ — centralised control library under dedicated Antora module
new Cost Optimization pillar (Pillar 2) — initial structure and content added
new Sovereign pillar (Pillar 7) — initial control set of 10 controls (WAF-SOV-010 through WAF-SOV-100)
improvement Expanded Antora documentation index with full framework overview, pillar summaries, and navigation
February 2026 beta
docs Migrated all documentation to AsciiDoc / Antora format with structured navigation and component versioning (v1.0)
docs Added AGENTS.md guidelines for AI-assisted contributions and content style
new Added CONTRIBUTING.md, CODE_OF_CONDUCT.md, and SECURITY.md to the framework repository
fix Fixed email address typo in community-facing documentation
December 2025 beta
new Added initial descriptions and key questions for all 7 pillars
new Published public 2026 roadmap draft covering Q1–Q4 milestones
new Initial framework structure: governance, architecture guidelines, best practices, resources, and wording
new Framework repository initialised — first public commit

Full history: github.com/waf2p/framework

May 2026
new Release countdown modal and homepage counter — announcement modal (shown once per browser) and live countdown bar for the WAF++ 1.0 & WAFPass 1.0 release on 12 May 2026; bilingual (EN/DE); countdown resets to 'live' message after the release date
improvement Changelog pages (EN + DE) — v1.0.0 entries added for all four components (Framework, WAFPass CLI, WAFPass Dashboard, WAFPass Server); beta notices replaced with green 'released' notices for all WAFPass and Framework panes
improvement WAFPass page (EN + DE) — updated to v1.0.0: badge changed from 'v0.4.0 · Beta' to 'v1.0.0 · Stable'; hero lead updated to announce stable release; PyPI install instruction added (pip install wafpass-core); beta badge removed from requirements section; all v0.4.0 version references updated
improvement Roadmap pages (EN + DE) — NOW section updated from 'v1.0 target' to 'v1.0.0 released'; kicker changed from 'NOW' to 'RELEASED'; release tracker cards all show green check-circle; WAFPass tracker entry updated to show v0.3.0 → v0.4.0 → v1.0.0 progression
April 2026
improvement WAFPass page (EN + DE) — updated to v0.3.0: new WAFPass ecosystem section explaining the three-component architecture (wafpass CLI, wafpass-dashboard, wafpass-server) with architecture flow diagram; dashboard section rewritten to reflect the React/Vite SPA and FastAPI/PostgreSQL stack; intelligence layer expanded from 4 to 6 cards (Terraform plan analysis, exploit path analysis added); feature grid extended with Policy Version Tracking and Settings Persistence; badge updated to v0.3.0; PyPI note updated
improvement Roadmap page (EN + DE) — updated to reflect actual March 2026 progress: WAFPass v0.3.0 live, all 7 pillars documented ahead of schedule, dashboard and server stack live; Q4 2026 card revised from 'Complete Pillar Build-Out' to 'Stabilization & Ecosystem Growth' since the pillar milestone was achieved early
fix Fixed missing LinkedIn icons — polyfilled the 'linkedin' Lucide icon (removed alongside other brand icons); affects all staff member profile pages
improvement Changelog page — mobile layout fixed: tab navigation now scrolls horizontally on small screens (overflow-x: auto, hidden scrollbar, nowrap labels) preventing layout overflow on mobile
March 2026
fix Fixed missing GitHub icons — polyfilled the 'github' Lucide icon (removed in Lucide v1.x brand icons policy); affects footer, navigation, and all content pages
improvement Homepage redesign (EN + DE) — full visual overhaul of both index pages: cinematic hero with gradient headline and KPI card, 7-pillar icon grid with featured Sovereign card spanning 2 columns, WAFPass teaser section with terminal mockup and feature breakdown, Why WAF++ principle cards, redesigned final CTA with compliance badges; new home.scss design module added
new Custom 404 error pages — EN + DE versions with branded layout and navigation back to home
improvement Antora docs — language switcher (EN/DE) added to header; updated CSS and header partial to support bilingual documentation
new Imprint page (EN) — fully translated to English, corrected frontmatter, rebuilt with modern card layout to match all other pages
improvement Imprint page (DE) — rebuilt from plain text-container to the modern card grid layout matching the EN page
fix Dark mode fix: vision page — replaced all hardcoded rgba/hex colors in vision-quote, vision-principle cards, and text with CSS variables
fix Dark mode fix: comparison table — replaced hardcoded background and border colors with CSS variables; upgraded icons from text symbols (✔ ✖ ●) to Lucide icon set (check-circle-2, x-circle, minus-circle)
fix Dark mode fix: pillars page — replaced hardcoded #fff background and rgba borders on pillar cards and cta-soft with CSS variables
improvement Navigation dropdown (desktop) — added 250 ms close delay and invisible hover bridge to prevent accidental close when moving the mouse to the menu
fix SEO: homepage og:image now correctly uses the WAF++ logo instead of the first content image (review avatar)
fix Fixed all 7 pillar documentation links — corrected URL pattern to /docs/wafpp/1.0/pillars/{name}/, activated all pillar cards
new WAFPass product page (BETA) — marketing landing page for the WAFPass CLI with in-browser controls download (JSZip + GitHub API), EN + DE #57
improvement Theme structure updated and dashboard pages improved #56
fix Updated Slack community invite link #55
fix Fixed article SEO meta information #54
fix Fixed article image URLs #53
new New blog article published; language streamlined across all existing articles #51
new RFC Tracker page — data-driven, tab-filtered tracker for all WAF++ Requests for Comments (EN + DE)
new GitHub issue templates for marketing site: Bug Report, Content Issue, Feature Request
improvement Press page redesigned — brand asset gallery with live previews, approved boilerplate copy, Do/Don't guidelines, press contact updated to page@waf2p.dev
improvement Brand guidelines updated: canonical URL changed to waf2p.dev
new Community pages added: Contributing, Code of Conduct, Use Cases, Press & Media, Changelog, Stay Updated (EN + DE)
new Slack community integration — header icon, footer link, and CTA sections on homepage and governance page
new Navigation expanded: Contributing, Use Cases, Stay Updated added to Community; Code of Conduct, Press, Changelog added to Project
new Comprehensive SEO layer: canonical URLs, hreflang alternates, Open Graph tags, JSON-LD structured data, XML sitemap #49
fix Fixed language switch — EN/DE pages now consistently render the correct language throughout all sections
fix Dark mode fixes for footer background and navigation element visibility #48
February 2026 — v1.0 Redesign v1.0
new Complete visual redesign — new design system, component library, typography scale, light/dark mode #47
new Full bilingual site (EN/DE) — German translations for all marketing pages with language toggle
new New pages: Governance & Community, PASS scoring, Roles & Members, Why not X?, Vision, FAQ, Legal, Translations
new Antora documentation integration — docs built from framework repository and served at /docs/
new Staff member profiles with individual pages for all team members
improvement Blog post corrections and content improvements #46
January 2026
improvement Added new conference entries for 2026; added draw.io diagram support for architecture diagrams
December 2025
fix Fixed missing images and meta information across multiple pages
fix Fixed URLs and conference page updates
new Staff member profiles added
improvement Docs and conferences navigation added
infra Documentation outsourced to dedicated framework repository, served via Git submodule
November 2025 — Initial Launch
new First public release of the WAF++ marketing website
new Initial pages: home, about, pillars, blog
infra GitHub Actions deployment pipeline for Jekyll + GitHub Pages

Full history: github.com/waf2p/waf2p.github.io

v1.0.0 released — WAFPass v1.0.0 (wafpass-core) launched on 12 May 2026 alongside Framework v1.0.0. The CLI is stable, the Python library API is published on PyPI, and all 8 pillars are covered. Agentic (Pillar 8) announced for v1.1.
May 2026 — Control Pack & Localization v1.0.0
new Control pack management — `wafpass control pack init` and `wafpass control pack update` commands for versioned control snapshots; regulatory mapping stored in controls-releases directory
new Internationalization support — complete i18n system with 6+ languages; English and German fully translated; framework for adding new languages
May 2026 v1.0.0
new WAFPass v1.0.0 — first stable release of the WAFPass CLI (wafpass-core). Python library API (run_scan / WafpassResultSchema) is stable and published on PyPI. CLI interface frozen. Released alongside WAF++ Framework v1.0.0 on the pre-eve of Cloud Native Conference DE.
improvement Full 7-pillar control coverage — controls for WAF-SEC, WAF-COST, WAF-PERF, WAF-REL, WAF-OPS, WAF-SUS, and WAF-SOV are all evaluated in a single wafpass check run; pillar loading is fully dynamic
improvement Stable regulatory mapping — all controls carry locked GDPR, BSI C5, ISO 27001, SOC 2, HIPAA, and NIS2 tags for v1.0; mapping is used by PDF reports and the dashboard Gap Analysis page
improvement Control authoring (wafpass control generate) stable — wizard, validator, and Checkov export are part of the v1.0 stable interface
docs Published on PyPI as wafpass-core 1.0.0 — pip install wafpass-core installs the stable CLI and Python library
April 2026 v1.0.0
new Authentication module — `wafpass login` authenticates against wafpass-server and stores a bearer token; all subsequent CLI calls include it automatically; `wafpass auth status` shows the active session; `wafpass auth logout` clears stored credentials
new Group role mapping support — `wafpass auth roles` lists roles assigned by the server; role-aware output adapts CLI messaging for team deployments
new API key bearer-token support — `--api-key` flag or `WAFPASS_API_KEY` environment variable injects the token into every server request; enables headless CI/CD runs without interactive login
new `stage` field on run output — `--stage` CLI flag (dev / staging / prod / etc.) is recorded in `WafpassResultSchema` and persisted to wafpass-server; enables per-stage compliance comparisons
new Evidence lock with QR code — `wafpass evidence lock` cryptographically signs the current compliance evidence package and generates a QR code pointing to the immutable locked record on wafpass-server; enables offline verification of audit evidence
infra Pre-commit hooks — `hooks/install.sh` and `hooks/install.ps1` add commit-time checks for formatting, linting, and test gates; setup documented in README and TECH.md
April 2026 — v0.4.1 beta
new Skipped controls overview — Terraform plugin now collects skipped controls and exposes them in run output; `WafpassResultSchema` includes a `skipped_controls` list with count and per-control skip reasons #22
docs Environment setup documentation — `.env.example` added to repository; TECH.md updated with environment variable reference and local setup guide #22
April 2026 v0.4.0 beta
new Secret findings persistence — secret scanner results are now persisted to wafpass-server via the secret_findings JSONB column; results are synced on scan and visible across sessions in the dashboard
new Python library API — wafpass-core now exposes a stable public API: run_scan(paths, controls_dir) → WafpassResultSchema; import and embed the engine directly in Python applications or pipelines without invoking the CLI
docs TECH.md added — comprehensive technical reference covering internal architecture, IaC plugin system, assertion evaluation loop, SKIP semantics, scoring formula, known unimplemented operators, and contribution guidance
March 2026 beta
new wafpass control — new subcommand group for authoring, validating, and managing WAF++ controls directly from the CLI
new wafpass control generate — interactive 7-step wizard to author a new WAF++ control: describe the requirement, classify (pillar, severity, type), define checks, preview and edit (YAML + $EDITOR), validate, export (YAML control + Checkov Python stub), and optionally push to wafpass-server; also supports a non-interactive mode (--non-interactive) via a JSON/YAML spec file
new wafpass control validate — validate any YAML control file against the WizardControl Pydantic schema; reports id, pillar, and severity on success or detailed field-level errors on failure
new wafpass control list — list all controls found under a controls directory, rendered as a table with id, pillar, severity, and type
new wafpass control show — print the full YAML of a single control by ID
new Checkov integration — controls can now target the 'checkov' engine; wafpass control generate exports a Python Checkov check stub alongside the YAML control file, enabling policy-as-code enforcement via Checkov pipelines
new control_schema.py — Pydantic schema (WizardControl, WizardCheck) as single source of truth for validating wizard-generated controls; defines allowed pillars, severities, types, and engines (terraform, checkov, manual)
March 2026 v0.3.0 beta
new Terraform plan dry-run analysis — WAFPass can now parse Terraform plan output and evaluate security, compliance, and blast-radius impact before `terraform apply`
new Exploit path analysis — controls can now expose attack chains and exploit paths that lead to a failing state, visualised in the dashboard
new Settings persistence — CLI and dashboard settings (API URL, report preferences, thresholds) are now persisted across sessions
new Policy version tracking — controls now carry a policy version field, enabling detection of stale controls against the current framework version
new Changelog and install tab in dashboard — in-app changelog and installation guide accessible from within the web UI
infra Architectural split — dashboard UI extracted to wafpass-dashboard (React / Vite SPA) and persistence layer to wafpass-server (FastAPI / PostgreSQL); wafpass CLI remains the core evaluation engine
improvement Enhanced CLI evaluation commands — additional control evaluation capabilities and improved output for programmatic consumption
improvement Dashboard data schema updated — extended schema for richer control and run metadata to support the new dashboard and server features
March 2026 v0.2.0 beta
new Web UI — browser-based dashboard to visualise control results, compliance state, and per-control details #13
improvement Mobile-responsive dashboard theme #13
new Deployed regions — compliance output now includes deployed region details per control #13
new Sandbox environment support — controls can be evaluated in sandbox mode #13
new Risk acceptance (waivers) — controls can be explicitly accepted with justification via a waivers file #13
new Auto-fix engine — automated remediation suggestions and fixes for failing controls #13
fix Favicon added to the web UI #13
new Carbon footprint estimation — ESG module tracks and reports carbon impact of cloud workload decisions #12
new Secret scanner and remediation — detects exposed secrets in configurations and provides actionable remediation guidance #11
new Blast radius information for controls — each control now includes a blast radius assessment to quantify potential failure impact #10
docs Permitted Git workflow documented — contributing guide for branching, PRs, and release process added to the repository
March 2026 v0.1.1 beta
fix Release workflow corrected — GitHub Actions pipeline for PyPI publishing was failing; resolved path and trigger issues #9
infra Release workflow fix attempt — intermediate fix for the broken PyPI release automation #8
March 2026 v0.1.0 beta
new Alicloud, Yandex Cloud, and Oracle Cloud datacenter support added to geographic data model #3
new Executive summary added to PDF reports — high-level compliance overview at the start of each report #3
new Decision board added to PDF reports — structured decision support section for stakeholder communication #3
improvement Financial impact split into distinct root groups in PDF reports for clearer risk cost attribution #3
new Multi / split report mode — single wafpass run can now generate separate reports per pillar or module #3
new Intentional skip support — controls can be explicitly marked as skipped via a skip file; skipped items are reflected in report output #3
fix CLI skip file detection — corrected path resolution for the skip configuration file #3
new Risk estimation in PDF reports — fact-based risk estimation and risk cost estimation added to compliance report output #3
new OpenStreetMap integration in PDF reports — geographic map rendered directly in the PDF output #3
new Regional spread map in PDF reports — map visualising worldwide data distribution across regions #3
new Regulatory controls mapping — controls can now be mapped to regulatory frameworks (e.g. GDPR, BSI, ISO 27001) in PDF reports #3
new Dynamic pillar loading — control logic is now embedded in each control file; any new pillar loads automatically without code changes #2
new PDF export of compliance check results — shareable reports directly from the CLI #2
new Security pillar (Pillar 1) checks added — first non-cost control set integrated #2
new Initial control check application — base architecture, control loading, and pillar evaluation engine #1
February 2026 — Initial Commit beta
infra WAFPass repository initialized — first public commit

Full history: github.com/waf2p/pass

v1.0.0 released — WAFPass Dashboard v1.0.0 is the stable React / Vite SPA companion to the WAFPass CLI. All 22+ pages are stable. Connects to wafpass-server and visualises compliance state, exploit paths, gap analysis, and audit evidence.
May 2026 — Control Pack & Localization v1.0.0
new Control pack system integration — dashboard reflects versioned control snapshots from wafpass-server; control update notifications shown when local packs drift from published versions
new Complete internationalization — full support for 6+ languages (en, de, fr, es, pt, br); all 58+ pages fully localized with translated UI strings, help text, and error messages
new LANGUAGE.md documentation — complete i18n guide documenting translation workflow, adding new languages, and managing locale files
new i18n framework — `src/i18n/` directory with locale loaders, translation context, and language selector component; runtime language switching without page reload
May 2026 v1.0.0
new wafpass-dashboard v1.0.0 — first stable release. All 22+ pages are stable and ship with the v1.0.0 Docker image. Full SSO integration (OIDC/SAML2) and role-based access control (clevel → ciso → architect → engineer) enabled by default.
improvement Evidence Package page (#/evidence) stable — auditor-ready HTML report with regulatory mapping, active waivers, risk acceptances, and embedded JSON manifest; printable to PDF for regulatory submissions
improvement Gap Analysis page (#/gapanalysis) stable — regulatory gap analysis covers SOC 2, ISO 27001, PCI-DSS, GDPR, BSI C5, HIPAA, and NIS2; directly linked to v1.0.0 control regulatory tags
improvement Maturity level presets (L1–L5) locked — control sets and feature toggles for each maturity level are frozen at v1.0.0 and aligned with the PASS scoring model
new Docker image published as waf2p/wafpass-dashboard:1.0.0 on Docker Hub — stable tag; deployable standalone (nginx) or as part of the full WAFPass stack
April 2026 v1.0.0
new Project Overview page (`#/projects`) — per-project compliance summary, run history, score timeline, and team member list
new Passport Dashboard page (`#/passport`) — project maturity passport showing PASS score levels, active pillar coverage, regulatory badge grid, and a shareable passport image configured in wafpass-server
new Leaderboard page (`#/leaderboard`) — team compliance leaderboard ranked by PASS score with score delta badges per member
new Badges page (`#/badges`) — earned achievement badges per user; badge verification drawer shows the ECDSA-signed proof fetched from wafpass-server
improvement Evidence page overhaul — Evidence Package page redesigned to support the evidence lock flow; locked evidence records display a SHA-256 fingerprint and a QR code for offline audit verification
infra Test suite introduced — `src/__tests__/api.test.ts`, `audit.test.ts`, and `useControlsCatalogue.test.ts` added; vitest configuration included; covers API helpers, audit utilities, and the controls catalogue hook
infra Sidebar component extracted — `src/components/Sidebar.tsx` replaces inline navigation in `App.tsx`; routing refactored for all new pages; navigation state managed via `AuthContext`
April 2026 — Authorization & User Management beta
new Login page — `/login` route with JWT auth form; `AuthContext` manages token storage, refresh, and logout state across the entire SPA
new User Management page (`#/users`) — list, invite, and remove users; assign roles per user within the configured role hierarchy (clevel → ciso → architect → engineer)
new API Management page (`#/api-management`) — generate and revoke API keys for CI/CD integrations; view per-key usage log sourced from wafpass-server
new SSO Settings page (`#/sso-settings`) — configure OIDC and SAML2 identity providers from within the dashboard; test-provider connectivity button sends a live validation request to wafpass-server
new Group Mappings page (`#/group-mappings`) — map IdP group claims to WAFPass roles per provider; create, edit, and delete mappings stored in wafpass-server
April 2026 — Scanning & Stage beta
new Run Scan from UI — RunScanPage sends POST `/api/scans` to wafpass-server and streams the result into the dashboard; removes dependency on a local CLI installation for interactive scanning
new Stage indicator on runs list — runs list now displays a deployment stage badge (dev / staging / prod) sourced from the `stage` field persisted per run
improvement Access Roles page redesigned — RBAC scope annotations added per feature; page now reflects the full role hierarchy from wafpass-server
improvement Dashboard page redesign — DashboardPage fully rebuilt with new KPI cards, compliance score ring, pillar-by-pillar breakdown, and improved run comparison view; CostImpactPage updated to match the new design system
April 2026 — v0.4.1 beta
new Skipped Controls page (`#/skipped`) — dedicated page listing all controls that were skipped in the latest run with skip reason and pillar breakdown
fix Issue #2 — run list rendering bug corrected; issue #3 — waiver expiry date display corrected #4
April 2026 v0.4.0 beta
new Run comparison page (#/diff) — side-by-side finding-level diff between any two stored runs; highlights newly introduced, resolved, and unchanged findings across the run history
new Secret Scanner page (#/secrets) — dedicated view for hardcoded credential findings; results are persisted to wafpass-server and shown across sessions; findings include file path, line, secret type, and severity
new Module Scores page (#/modules) — per-Terraform-module pass rate breakdown; surfaces which modules contribute most to compliance failures and score regressions
new Audit Log page (#/audit) — timestamped event log of all waiver and risk acceptance create/update/delete events; exportable as CSV or JSON; includes first-seen failure tracking per control
new Changes & Drift page enhancements (#/changes) — new drift detection view alongside the Terraform plan changes view; surfaces controls that changed status between runs without an explicit code change
new Gap Analysis page (#/gapanalysis) — regulator gap analysis showing the shortest path to full compliance for each supported regulatory framework (SOC 2, ISO 27001, PCI-DSS, GDPR, BSI C5, HIPAA, NIS2)
new Cost Impact page (#/cost) — $/month impact estimate for failing WAF-COST controls; quantifies financial risk of each failing cost control so remediation can be prioritised by business impact
new Waivers page (#/waivers) with server persistence — waivers are stored in wafpass-server via the /waivers API; local waivers are automatically synced to the server when a connection is available (configurable in Settings)
new Risk Acceptance page (#/risk) — formally accept residual risks with approver sign-off, RFC reference, Jira link, risk level, and expiry date; stored in wafpass-server with full traceability
new Evidence Package page (#/evidence) — generates a self-contained timestamped HTML audit report for auditors; includes passing controls with regulatory mapping, active waivers, risk acceptances, audit event log, and embedded JSON manifest; printable to PDF for submission
new Persistent deep links — every page and run combination has a shareable URL; a Copy link button in the header copies the current deep link to clipboard
new Sandbox deep link — sandbox run results can be bookmarked and shared via a stable URL; result state is encoded in the URL for instant replay
new Findings bulk actions — select multiple findings with checkboxes to waive all selected (shared reason, owner, expiry) or export selection as CSV; per-filtered-view CSV export always available in the filter bar
improvement Settings: maturity level presets — five presets (L1 Foundational through L5 Excellence) configure active controls, pillars, and feature toggles; runtime server URL override stored in localStorage without rebuild
improvement Empty state guidance — all pages now show contextual guidance when no data is available, directing users to run a scan or configure the server connection
fix Blast radius and dependency graph view corrected — rendering edge cases with circular dependencies and missing nodes resolved
docs TECH.md added — documents routing implementation, page inventory, maturity level configuration, LocalStorage schema, and component contribution guidance
March 2026 beta
new Controls Catalogue page — replaces the Controls Library with a full-featured catalogue that unifies WAF++ core controls and custom controls authored via wafpass control generate; supports filtering by pillar, severity, type, and engine (terraform, checkov, manual)
improvement Navigation: 'Controls Library' renamed to 'Controls Catalogue' — reflects the expanded scope of the page (core controls, custom controls, browse, filter, author, and export)
new Checkov engine badge in the catalogue — controls targeting the checkov engine are displayed with a dedicated badge, distinguishing them from terraform and manual controls
improvement Controls API integration — catalogue fetches and creates controls via the wafpass-server /controls endpoints, enabling custom controls authored from the CLI or the wizard to appear alongside framework controls in real time
March 2026 — Initial Release v0.3.0 beta
new Terraform plan changes page — visualises resource-level changes from a Terraform plan dry-run before apply; integrates with wafpass-server
improvement Dashboard page overhaul — richer metrics, control state breakdown, compliance score timeline, and run comparison view
improvement Exploit paths page redesigned — clearer attack chain visualisation with severity badges and remediation links
improvement Controls and run scan pages polished — improved layout, filtering, and user interaction flows
fix Release workflow bugfix and missing file patch
new Full-featured SPA — Dashboard, Compliance, Controls, Findings, Regions, Risk Acceptance (Waivers), Sandbox, Settings, Exploit Paths, and Run Scan pages
new React / Vite SPA with Docker + nginx — self-contained container served behind nginx; deployable standalone or as part of the WAFPass stack

Full history: github.com/waf2p/wafpass-dashboard

v1.0.0 released — WAFPass Server v1.0.0 is the stable FastAPI / PostgreSQL persistence layer for the WAFPass stack. Full SSO (OIDC/SAML2), API key management, role-based access control, and all 14 database migrations ship with the stable Docker image.
May 2026 — Control Pack Management v1.0.0
new Versioned control snapshot system — `wafpass control pack init` and `wafpass control pack update` commands; snapshots stored in `controls-releases/` with version tags and regulatory mapping files
improvement Control update management — `wafpass control update` downloads and validates the latest control packs from the central registry; detects version drift between local controls and published packs
May 2026 v1.0.0
new wafpass-server v1.0.0 — first stable release. Full authentication stack (local accounts, OIDC, SAML2, CI/CD API keys), complete role hierarchy (clevel → ciso → architect → engineer → admin), all 14 Alembic migrations included, and production-ready Docker image published.
new Full SSO support — OIDC and SAML2 providers configurable via the sso_configs table (migration 0013); group-to-role mappings via group_role_mappings (migration 0014)
new API key management with usage logging — api_keys (migration 0010) and api_key_usage_logs (migration 0011) enable CI/CD integrations with full audit trail
new User audit log — user_audit_logs (migration 0012) records all user-visible state changes for compliance and traceability
improvement OpenAPI documentation stable at /api/docs — all endpoints documented, typed, and covered by integration tests
April 2026 v1.0.0
new Project Passport — `/api/projects` router with Alembic migrations 0016 (`add_project_passports`) and 0017 (`add_passport_image_url`); stores per-project maturity metadata and a custom passport image URL; returned via `PassportOut` schema
new Leaderboard, badges, and achievements — `/api/leaderboard`, `/api/badges`, `/api/achievements` routers; Alembic migration 0018 (`add_achievements`); achievement grants are ECDSA-signed for cryptographic verification; badge earn events are triggered by scan runs
infra Compliance audit event log — Alembic migration 0019 (`add_compliance_audit_events`) and `/api/compliance-audit` router; structured log of compliance-relevant state changes across waivers, risk acceptances, and run outcomes
infra Run findings table — Alembic migration 0023 (`run_findings_table`) splits per-finding records out of the run JSONB blob into a dedicated table; enables server-side filtering, pagination, and first-seen tracking
infra Typed expiry dates — Alembic migration 0022 (`typed_expiry_dates`) converts all text expiry columns in waivers and risk_acceptances to `timestamptz` for reliable sorting and comparison
infra Refresh token family — Alembic migration 0021 (`add_refresh_token_family`) adds family-based refresh token rotation to prevent token reuse attacks
infra Runs cursor index — Alembic migration 0020 (`add_runs_cursor_index`) adds a B-tree index on `(project, created_at)` for efficient cursor-based run history pagination
infra Secret encryption at rest — `secret_enc.py` module encrypts all secret-class fields (OIDC client secrets, SAML private keys) using `WAFPASS_ENCRYPTION_KEY` before database writes; transparent decryption on read
fix OIDC security hardening — `oidc_callback` now fetches the IdP JWKS endpoint and verifies the `id_token` signature; nonce is embedded in the signed state JWT and validated in the callback to prevent replay attacks; forged tokens return `sso_error=token_verification_failed`
fix JWT and encryption key startup validation — `Settings` model raises `ValueError` at startup if `WAFPASS_JWT_SECRET` is still the default value or `WAFPASS_ENCRYPTION_KEY` is unset in any non-local environment; local development is unaffected
April 2026 — Authorization & Scanning beta
new `/scans` REST endpoint — POST `/api/scans` triggers a wafpass scan remotely from the dashboard; accepts a project reference and returns a streaming run result; integrates with the Run Scan page in wafpass-dashboard
new Authorization layer — JWT-based authentication added to all protected endpoints; `/api/auth/*` routes include login, logout, token refresh, and current-user; local-account provider ships in-box with `WAFPASS_JWT_SECRET` and `WAFPASS_ENV` config keys
new Evidence REST API — `/api/evidence` router with Alembic migration 0015 (`add_evidence`); evidence packages are cryptographically locked with a SHA-256 fingerprint and QR-code URL; locked records are immutable
infra Stage field on runs — Alembic migration 0008 (`add_stage_to_runs`) adds a `stage` column to the runs table; `RunIn`/`RunOut` schemas and the runs router expose the field for per-stage compliance filtering
April 2026 — v0.4.2 beta
fix Skipped controls endpoint — server correctly exposes `skipped_controls` data from run JSONB to support the new Skipped Controls page in wafpass-dashboard #4
April 2026 — v0.4.1 beta
fix Dependency correction — pyproject.toml dependency set corrected; removes version conflicts that prevented clean installation #2
April 2026 v0.4.0 beta
new Secret findings persistence — new secret_findings JSONB column on the Run model stores hardcoded credential findings produced by the wafpass secret scanner; Alembic migration 0006_add_secret_findings applies automatically on container start
new Waivers REST API — new /waivers router with GET (list, project-filtered), PUT (idempotent upsert by control ID), and DELETE; waivers created locally in the dashboard are synced to the server when a connection is available
new Risk acceptances REST API — new /risks router with GET, PUT (upsert with approver, RFC, Jira link, risk level, residual risk, expiry), and DELETE; formally accepted risks are stored with full traceability metadata
infra Alembic migration 0007_add_waivers_risks — adds waivers and risk_acceptances tables with fields for reason, owner, expires, project, approver, rfc, jira_link, risk_level, residual_risk, and accepted_at
new Sandbox deep link support — sandbox endpoint enriched to support deep-linkable evaluation sessions; dashboard can generate a shareable URL for any sandbox run result
docs TECH.md added — technical reference covering request lifecycle, database session management, JSONB storage strategy, ORM model design decisions, and migration history
March 2026 beta
new Controls REST API — new /controls router with POST (idempotent upsert by id), GET (list with pillar and severity filtering, paginated), and DELETE endpoints; allows custom controls authored via wafpass control generate to be stored and queried server-side
new Control database model — new Control ORM model with fields for id, pillar, severity, type, description, checks (JSON), source, created_at, and updated_at
infra Alembic migration 0005_add_controls — adds the controls table to the PostgreSQL schema; applied automatically on container startup via the Docker entrypoint
new ControlIn / ControlOut schemas — typed Pydantic request and response models for the controls API, with envelope wrapping consistent with the rest of the API surface
March 2026 — Initial Release v0.3.0 beta
new Terraform plan changes schema — Alembic migration and REST API support for storing and querying Terraform plan dry-run results per run
improvement Run metadata and controls meta schema — extended run model with metadata fields; added controls meta table for per-control persistence across runs
infra Docker entrypoint script — automatic Alembic migration on container start; production-ready containerised deployment
new FastAPI REST server with PostgreSQL — initial release: runs CRUD API, Alembic migrations, Docker image, OpenAPI docs, and GitHub Actions release workflow

Full history: github.com/waf2p/wafpass-server
