Skip to content

Changelog

April 2026

New features

Tool parameter constraints — Enforce field-level rules on tool call arguments. Configure per-tool constraints using 6 operators: eq, lt, gt, contains, regex, in. Deny code: PARAMETER_VIOLATION.

Environment enforcement — Scope agent sessions to specific environments (staging, production). Pass env in call_args and the policy engine verifies it against the role's allowed_envs. Deny code: ENV_VIOLATION.

Time-based access controls — Restrict agent sessions to specific UTC hour windows and days of the week. Deny code: TIME_VIOLATION.

Role inheritance — Child roles inherit all parent tools additively. Maximum depth: 2. Circular inheritance rejected at role creation time.

Policy versioning — Upload new policy bundles via the management API with hot-reload (no restart). Roll back to any of the last 10 versions in one API call.

Webhook secret hint — Role responses now include webhook_secret_hint (first 8 chars + ***). The full secret is never returned.

Performance

OPA evaluator warmup — The policy engine is pre-warmed at startup. First enforce call is now consistently sub-2ms (previously 10–50ms on cold start).

Bug fixes

  • Provision endpoint now accepts role name or UUID (previously UUID only)
  • Credentials file updated with live API key on partner re-onboarding
  • allowed_envs now correctly passed to OPA evaluator (was silently ignored)
  • GetRoleByName SELECT updated to include all columns

March 2026

  • Partner analytics dashboard at /dashboard
  • Webhook test endpoint — POST /mgmt/v1/roles/{id}/test-webhook
  • Rate limit fields in role response
  • MCP audit event types