Transparency · History

Changelog

A transparent record of every significant change — each linked back to the RFC or PR that introduced it.

Framework · Marketing · WAFPass Linked to PRs & RFCs Fully public

CHANGELOG

All changes

Select a component to view its change history. Each entry references the PR or RFC where the decision was made.

⚠️

Public beta — Framework v1.0 is expected shortly before 12 May 2026. All entries below represent pre-release changes. The API, controls, and scoring model may still change.

March 2026 beta

improvement Cost Optimization pillar (Pillar 2) — full documentation finalised: complete control set, design principles, best practices, maturity model, evidence, scope, and glossary (PR #16)

improvement Sovereign pillar (Pillar 7) — full documentation finalised: complete control set with best practices, case studies, modular structure, maturity model, evidence, scope, and glossary (PR #16)

new Sustainability pillar (Pillar 6) — full documentation with 10 controls (WAF-SUS-010 through WAF-SUS-100), design principles, best practices (carbon measurement, compute efficiency, data efficiency, ESG reporting, green regions, idle elimination, workload scheduling), maturity model, evidence, scope, and glossary

new Performance Efficiency pillar (Pillar 3) — full documentation with 10 controls (WAF-PERF-010 through WAF-PERF-100), design principles, best practices, maturity model, evidence, scope, and glossary

new Reliability pillar (Pillar 4) — full documentation with controls (WAF-REL series), design principles, best practices, maturity model, evidence, scope, and glossary

new Operational Excellence pillar (Pillar 5) — full documentation with 10 controls (WAF-OPS-010 through WAF-OPS-100), design principles, best practices, maturity model, evidence, scope, and glossary

new Resource pages added — control schema reference, regulatory mapping (GDPR, BSI, ISO 27001, SOC 2, HIPAA), and WAFPass integration guide

improvement Controls catalog expanded — improved navigation, categorisation, and cross-pillar index in modules/controls/

new Security pillar (Pillar 1) — structure adopted, initial content and controls added

infra Controls relocated to modules/controls/controls/ — centralised control library under dedicated Antora module

new Cost Optimization pillar (Pillar 2) — initial structure and content added

new Sovereign pillar (Pillar 7) — initial control set of 10 controls (WAF-SOV-010 through WAF-SOV-100)

improvement Expanded Antora documentation index with full framework overview, pillar summaries, and navigation

February 2026 beta

docs Migrated all documentation to AsciiDoc / Antora format with structured navigation and component versioning (v1.0)

docs Added AGENTS.md guidelines for AI-assisted contributions and content style

new Added CONTRIBUTING.md, CODE_OF_CONDUCT.md, and SECURITY.md to the framework repository

fix Fixed email address typo in community-facing documentation

December 2025 beta

new Added initial descriptions and key questions for all 7 pillars

new Published public 2026 roadmap draft covering Q1–Q4 milestones

new Initial framework structure: governance, architecture guidelines, best practices, resources, and wording

new Framework repository initialised — first public commit

Full history: github.com/waf2p/framework

April 2026

improvement WAFPass page (EN + DE) — updated to v0.3.0: new WAFPass ecosystem section explaining the three-component architecture (wafpass CLI, wafpass-dashboard, wafpass-server) with architecture flow diagram; dashboard section rewritten to reflect the React/Vite SPA and FastAPI/PostgreSQL stack; intelligence layer expanded from 4 to 6 cards (Terraform plan analysis, exploit path analysis added); feature grid extended with Policy Version Tracking and Settings Persistence; badge updated to v0.3.0; PyPI note updated

improvement Roadmap page (EN + DE) — updated to reflect actual March 2026 progress: WAFPass v0.3.0 live, all 7 pillars documented ahead of schedule, dashboard and server stack live; Q4 2026 card revised from 'Complete Pillar Build-Out' to 'Stabilization & Ecosystem Growth' since the pillar milestone was achieved early

fix Fixed missing LinkedIn icons — polyfilled the 'linkedin' Lucide icon (removed alongside other brand icons); affects all staff member profile pages

improvement Changelog page — mobile layout fixed: tab navigation now scrolls horizontally on small screens (overflow-x: auto, hidden scrollbar, nowrap labels) preventing layout overflow on mobile

March 2026

fix Fixed missing GitHub icons — polyfilled the 'github' Lucide icon (removed in Lucide v1.x brand icons policy); affects footer, navigation, and all content pages

improvement Homepage redesign (EN + DE) — full visual overhaul of both index pages: cinematic hero with gradient headline and KPI card, 7-pillar icon grid with featured Sovereign card spanning 2 columns, WAFPass teaser section with terminal mockup and feature breakdown, Why WAF++ principle cards, redesigned final CTA with compliance badges; new home.scss design module added

new Custom 404 error pages — EN + DE versions with branded layout and navigation back to home

improvement Antora docs — language switcher (EN/DE) added to header; updated CSS and header partial to support bilingual documentation

new Imprint page (EN) — fully translated to English, corrected frontmatter, rebuilt with modern card layout to match all other pages

improvement Imprint page (DE) — rebuilt from plain text-container to the modern card grid layout matching the EN page

fix Dark mode fix: vision page — replaced all hardcoded rgba/hex colors in vision-quote, vision-principle cards, and text with CSS variables

fix Dark mode fix: comparison table — replaced hardcoded background and border colors with CSS variables; upgraded icons from text symbols (✔ ✖ ●) to Lucide icon set (check-circle-2, x-circle, minus-circle)

fix Dark mode fix: pillars page — replaced hardcoded #fff background and rgba borders on pillar cards and cta-soft with CSS variables

improvement Navigation dropdown (desktop) — added 250 ms close delay and invisible hover bridge to prevent accidental close when moving the mouse to the menu

fix SEO: homepage og:image now correctly uses the WAF++ logo instead of the first content image (review avatar)

fix Fixed all 7 pillar documentation links — corrected URL pattern to /docs/wafpp/1.0/pillars/{name}/, activated all pillar cards

new WAFPass product page (BETA) — marketing landing page for the WAFPass CLI with in-browser controls download (JSZip + GitHub API), EN + DE #57

improvement Theme structure updated and dashboard pages improved #56

fix Updated Slack community invite link #55

fix Fixed article SEO meta information #54

fix Fixed article image URLs #53

new New blog article published; language streamlined across all existing articles #51

new RFC Tracker page — data-driven, tab-filtered tracker for all WAF++ Requests for Comments (EN + DE)

new GitHub issue templates for marketing site: Bug Report, Content Issue, Feature Request

improvement Press page redesigned — brand asset gallery with live previews, approved boilerplate copy, Do/Don't guidelines, press contact updated to page@waf2p.dev

improvement Brand guidelines updated: canonical URL changed to waf2p.dev

new Community pages added: Contributing, Code of Conduct, Use Cases, Press & Media, Changelog, Stay Updated (EN + DE)

new Slack community integration — header icon, footer link, and CTA sections on homepage and governance page

new Navigation expanded: Contributing, Use Cases, Stay Updated added to Community; Code of Conduct, Press, Changelog added to Project

new Comprehensive SEO layer: canonical URLs, hreflang alternates, Open Graph tags, JSON-LD structured data, XML sitemap #49

fix Fixed language switch — EN/DE pages now consistently render the correct language throughout all sections

fix Dark mode fixes for footer background and navigation element visibility #48

February 2026 — v1.0 Redesign v1.0

new Complete visual redesign — new design system, component library, typography scale, light/dark mode #47

new Full bilingual site (EN/DE) — German translations for all marketing pages with language toggle

new New pages: Governance & Community, PASS scoring, Roles & Members, Why not X?, Vision, FAQ, Legal, Translations

new Antora documentation integration — docs built from framework repository and served at /docs/

new Staff member profiles with individual pages for all team members

improvement Blog post corrections and content improvements #46

January 2026

improvement Added new conference entries for 2026; added draw.io diagram support for architecture diagrams

December 2025

fix Fixed missing images and meta information across multiple pages

fix Fixed URLs and conference page updates

new Staff member profiles added

improvement Docs and conferences navigation added

infra Documentation outsourced to dedicated framework repository, served via Git submodule

November 2025 — Initial Launch

new First public release of the WAF++ marketing website

new Initial pages: home, about, pillars, blog

infra GitHub Actions deployment pipeline for Jekyll + GitHub Pages

Full history: github.com/waf2p/waf2p.github.io

⚠️

Public beta — WAFPass v1.0 is planned alongside Framework v1.0, shortly before 12 May 2026. All versions below v1.0 are beta. PyPI availability and a stable CLI interface will ship with v1.0.

April 2026 v0.4.0 beta

new Secret findings persistency — secret scanner results are now persisted to wafpass-server via the secret_findings JSONB column; results are synced on scan and visible across sessions in the dashboard

new Python library API — wafpass-core now exposes a stable public API: run_scan(paths, controls_dir) → WafpassResultSchema; import and embed the engine directly in Python applications or pipelines without invoking the CLI

docs TECH.md added — comprehensive technical reference covering internal architecture, IaC plugin system, assertion evaluation loop, SKIP semantics, scoring formula, known unimplemented operators, and contribution guidance

March 2026 beta

new wafpass control — new subcommand group for authoring, validating, and managing WAF++ controls directly from the CLI

new wafpass control generate — interactive 7-step wizard to author a new WAF++ control: describe the requirement, classify (pillar, severity, type), define checks, preview and edit (YAML + $EDITOR), validate, export (YAML control + Checkov Python stub), and optionally push to wafpass-server; also supports a non-interactive --non-interactive mode via JSON/YAML spec file

new wafpass control validate — validate any YAML control file against the WizardControl Pydantic schema; reports id, pillar, and severity on success or detailed field-level errors on failure

new wafpass control list — list all controls found under a controls directory, rendered as a table with id, pillar, severity, and type

new wafpass control show — print the full YAML of a single control by ID

new Checkov integration — controls can now target the 'checkov' engine; wafpass control generate exports a Python Checkov check stub alongside the YAML control file, enabling policy-as-code enforcement via Checkov pipelines

new control_schema.py — Pydantic schema (WizardControl, WizardCheck) as single source of truth for validating wizard-generated controls; defines allowed pillars, severities, types, and engines (terraform, checkov, manual)

March 2026 v0.3.0 beta

new Terraform plan dry-run analysis — WAFPass can now parse Terraform plan output and evaluate security, compliance, and blast-radius impact before `terraform apply`

new Exploit path analysis — controls can now expose attack chains and exploit paths that lead to a failing state, visualised in the dashboard

new Settings persistence — CLI and dashboard settings (API URL, report preferences, thresholds) are now persisted across sessions

new Policy version tracking — controls now carry a policy version field, enabling detection of stale controls against the current framework version

new Changelog and install tab in dashboard — in-app changelog and installation guide accessible from within the web UI

infra Architectural split — dashboard UI extracted to wafpass-dashboard (React / Vite SPA) and persistence layer to wafpass-server (FastAPI / PostgreSQL); wafpass CLI remains the core evaluation engine

improvement Enhanced CLI evaluation commands — additional control evaluation capabilities and improved output for programmatic consumption

improvement Dashboard data schema updated — extended schema for richer control and run metadata to support the new dashboard and server features

March 2026 v0.2.0 beta

new Web UI — browser-based dashboard to visualise control results, compliance state, and per-control details #13

improvement Mobile-responsive dashboard theme #13

new Deployed regions — compliance output now includes deployed region details per control #13

new Sandbox environment support — controls can be evaluated in sandbox mode #13

new Risk acceptance (waivers) — controls can be explicitly accepted with justification via a waivers file #13

new Auto-fix engine — automated remediation suggestions and fixes for failing controls #13

fix Favicon added to the web UI #13

new Carbon footprint estimation — ESG module tracks and reports carbon impact of cloud workload decisions #12

new Secret scanner and remediation — detects exposed secrets in configurations and provides actionable remediation guidance #11

new Blast radius information for controls — each control now includes a blast radius assessment to quantify potential failure impact #10

docs Permitted Git workflow documented — contributing guide for branching, PRs, and release process added to the repository

March 2026 v0.1.1 beta

fix Release workflow corrected — GitHub Actions pipeline for PyPI publishing was failing; resolved path and trigger issues #9

infra Release workflow fix attempt — intermediate fix for the broken PyPI release automation #8

March 2026 v0.1.0 beta

new Alicloud, Yandex Cloud, and Oracle Cloud datacenter support added to geographic data model #3

new Executive summary added to PDF reports — high-level compliance overview at the start of each report #3

new Decision board added to PDF reports — structured decision support section for stakeholder communication #3

improvement Financial impact split into distinct root groups in PDF reports for clearer risk cost attribution #3

new Multi / split report mode — single wafpass run can now generate separate reports per pillar or module #3

new Intentional skip support — controls can be explicitly marked as skipped via a skip file; skipped items are reflected in report output #3

fix CLI skip file detection — corrected path resolution for the skip configuration file #3

new Risk estimation in PDF reports — fact-based risk estimation and risk cost estimation added to compliance report output #3

new OpenStreetMap integration in PDF reports — geographic map rendered directly in the PDF output #3

new Regional spread map in PDF reports — map visualising worldwide data distribution across regions #3

new Regulatory controls mapping — controls can now be mapped to regulatory frameworks (e.g. GDPR, BSI, ISO 27001) in PDF reports #3

new Dynamic pillar loading — control logic is now embedded in each control file; any new pillar loads automatically without code changes #2

new PDF export of compliance check results — shareable reports directly from the CLI #2

new Security pillar (Pillar 1) checks added — first non-cost control set integrated #2

new Initial control check application — base architecture, control loading, and pillar evaluation engine #1

February 2026 — Initial Commit beta

infra WAFPass repository initialized — first public commit

Full history: github.com/waf2p/pass

⚠️

Public beta — WAFPass Dashboard is the React / Vite SPA companion to the WAFPass CLI. It connects to wafpass-server and visualises control results, compliance state, exploit paths, and Terraform plan changes.

April 2026 v0.4.0 beta

new Run comparison page (#/diff) — side-by-side finding-level diff between any two stored runs; highlights newly introduced, resolved, and unchanged findings across the run history

new Secret Scanner page (#/secrets) — dedicated view for hardcoded credential findings; results are persisted to wafpass-server and shown across sessions; findings include file path, line, secret type, and severity

new Module Scores page (#/modules) — per-Terraform-module pass rate breakdown; surfaces which modules contribute most to compliance failures and score regressions

new Audit Log page (#/audit) — timestamped event log of all waiver and risk acceptance create/update/delete events; exportable as CSV or JSON; includes first-seen failure tracking per control

new Changes & Drift page enhancements (#/changes) — new drift detection view alongside the Terraform plan changes view; surfaces controls that changed status between runs without an explicit code change

new Gap Analysis page (#/gapanalysis) — regulator gap analysis showing the shortest path to full compliance for each supported regulatory framework (SOC2, ISO 27001, PCI-DSS, GDPR, BSI C5, HIPAA, NIS2)

new Cost Impact page (#/cost) — $/month impact estimate for failing WAF-COST controls; quantifies financial risk of each failing cost control so remediation can be prioritised by business impact

new Waivers page (#/waivers) with server persistence — waivers are stored in wafpass-server via the /waivers API; local waivers are automatically synced to the server when a connection is available (configurable in Settings)

new Risk Acceptance page (#/risk) — formally accept residual risks with approver sign-off, RFC reference, Jira link, risk level, and expiry date; stored in wafpass-server with full traceability

new Evidence Package page (#/evidence) — generates a self-contained timestamped HTML audit report for auditors; includes passing controls with regulatory mapping, active waivers, risk acceptances, audit event log, and embedded JSON manifest; printable to PDF for submission

new Persistent deep links — every page and run combination has a shareable URL; a Copy link button in the header copies the current deep link to clipboard

new Sandbox deep link — sandbox run results can be bookmarked and shared via a stable URL; result state is encoded in the URL for instant replay

new Findings bulk actions — select multiple findings with checkboxes to waive all selected (shared reason, owner, expiry) or export selection as CSV; per-filtered-view CSV export always available in the filter bar

improvement Settings: maturity level presets — five presets (L1 Foundational through L5 Excellence) configure active controls, pillars, and feature toggles; runtime server URL override stored in localStorage without rebuild

improvement Empty state guidance — all pages now show contextual guidance when no data is available, directing users to run a scan or configure the server connection

fix Blast radius and dependency graph view corrected — rendering edge cases with circular dependencies and missing nodes resolved

docs TECH.md added — documents routing implementation, page inventory, maturity level configuration, LocalStorage schema, and component contribution guidance

March 2026 beta

new Controls Catalogue page — replaces the Controls Library with a full-featured catalogue that unifies WAF++ core controls and custom controls authored via wafpass control generate; supports filtering by pillar, severity, type, and engine (terraform, checkov, manual)

improvement Navigation: 'Controls Library' renamed to 'Controls Catalogue' — reflects the expanded scope of the page (core controls, custom controls, browse, filter, author, and export)

new Checkov engine badge in the catalogue — controls targeting the checkov engine are displayed with a dedicated badge, distinguishing them from terraform and manual controls

improvement Controls API integration — catalogue fetches and creates controls via the wafpass-server /controls endpoints, enabling custom controls authored from the CLI or the wizard to appear alongside framework controls in real time

March 2026 — Initial Release v0.3.0 beta

new Terraform plan changes page — visualises resource-level changes from a Terraform plan dry-run before apply; integrates with wafpass-server

improvement Dashboard page overhaul — richer metrics, control state breakdown, compliance score timeline, and run comparison view

improvement Exploit paths page redesigned — clearer attack chain visualisation with severity badges and remediation links

improvement Controls and run scan pages polished — improved layout, filtering, and user interaction flows

fix Release workflow bugfix and missing file patch

new Full-featured SPA — Dashboard, Compliance, Controls, Findings, Regions, Risk Acceptance (Waivers), Sandbox, Settings, Exploit Paths, and Run Scan pages

new React / Vite SPA with Docker + nginx — self-contained container served behind nginx; deployable standalone or as part of the WAFPass stack

Full history: github.com/waf2p/wafpass-dashboard

⚠️

Public beta — WAFPass Server is the FastAPI / PostgreSQL persistence layer for the WAFPass stack. It stores run results, control metadata, and Terraform plan changes, and exposes a REST API consumed by wafpass-dashboard.

April 2026 v0.4.0 beta

new Secret findings persistence — new secret_findings JSONB column on the Run model stores hardcoded credential findings produced by the wafpass secret scanner; Alembic migration 0006_add_secret_findings applies automatically on container start

new Waivers REST API — new /waivers router with GET (list, project-filtered), PUT (idempotent upsert by control ID), and DELETE; waivers created locally in the dashboard are synced to the server when a connection is available

new Risk acceptances REST API — new /risks router with GET, PUT (upsert with approver, RFC, Jira link, risk level, residual risk, expiry), and DELETE; formally accepted risks are stored with full traceability metadata

infra Alembic migration 0007_add_waivers_risks — adds waivers and risk_acceptances tables with fields for reason, owner, expires, project, approver, rfc, jira_link, risk_level, residual_risk, and accepted_at

new Sandbox deep link support — sandbox endpoint enriched to support deep-linkable evaluation sessions; dashboard can generate a shareable URL for any sandbox run result

docs TECH.md added — technical reference covering request lifecycle, database session management, JSONB storage strategy, ORM model design decisions, and migration history

March 2026 beta

new Controls REST API — new /controls router with POST (idempotent upsert by id), GET (list with pillar and severity filtering, paginated), and DELETE endpoints; allows custom controls authored via wafpass control generate to be stored and queried server-side

new Control database model — new Control ORM model with fields for id, pillar, severity, type, description, checks (JSON), source, created_at, and updated_at

infra Alembic migration 0005_add_controls — adds the controls table to the PostgreSQL schema; applied automatically on container startup via the Docker entrypoint

new ControlIn / ControlOut schemas — typed Pydantic request and response models for the controls API, with envelope wrapping consistent with the rest of the API surface

March 2026 — Initial Release v0.3.0 beta

new Terraform plan changes schema — Alembic migration and REST API support for storing and querying Terraform plan dry-run results per run

improvement Run metadata and controls meta schema — extended run model with metadata fields; added controls meta table for per-control persistence across runs

infra Docker entrypoint script — automatic Alembic migration on container start; production-ready containerised deployment

new FastAPI REST server with PostgreSQL — initial release: runs CRUD API, Alembic migrations, Docker image, OpenAPI docs, and GitHub Actions release workflow

Full history: github.com/waf2p/wafpass-server

STAY INFORMED

Never miss an update.

Subscribe to the RSS feed, watch the GitHub repository, or join Slack to get notified when new releases ship.

Stay updated → Roadmap GitHub