Release notes

Changelog

Newest first. The product is under active development; we ship features sprint-by-sprint and document each one here.

Changelog

All notable changes to pentest-saas, newest first.

[unreleased]

Added

  • Cloudflare R2 / S3-compatible artifact storage as a pluggable backend.

Local filesystem remains the default in dev.

  • GDPR data export — full zip of every row + audit log from

Settings → Data & privacy.

  • GDPR account deletion with email-confirm gate. Solo-owned organizations

and their artifact blobs are removed atomically.

  • Privacy Policy page at /privacy, separate from Terms of Service.
  • Mobile-responsive sidebar (drawer pattern) and top bar on small screens.
  • Public changelog page at /changelog (you're reading it).

[2026-04-27] Phase B — Toolkit + scripted actions

Added

  • 10 new recipes: web-shopify, web-drupal, web-joomla, web-spa, api-rest,

api-graphql, subdomain-enum, ssl-tls-deep, network-portscan, tech-stack, secrets-grep. Recipe library now totals 13.

  • Proper nmap-XML parser with risky-service severity bumping

(telnet/ftp/smb/rdp/vnc/redis/mongo/elastic).

  • 16 scan profiles (Quick / Standard / Deep / per-CMS / per-API). One-click

bundles of recipes covering common engagements.

  • Scripted action library — 10 high-level pre-vetted playbooks the AI agent

calls instead of free-form shell: enumerate_subdomains, port_scan, http_fingerprint, nuclei_tags, dns_records, tls_cert_check, check_http_status, wpscan_full, grep_secrets, http_headers.

  • Per-user AI model preference (Haiku 4.5 / Sonnet 4.6 / Opus 4.7).
  • Findings filter — search by title/CVE/dedup-key, severity chips, target

filter, hide/show false-positives.

  • False-positive marking on findings with confirm prompt.

Changed

  • AI agent system prompt rewritten to convey the full authorization chain

(TOS, per-scan ack, verified ownership, egress firewall) so the model doesn't second-guess legitimate offensive operations.

  • Agent prefers run_action over shell — actions emit findings

automatically via the same parser pipeline as recipes.

[2026-04-27] Phase A — Production hardening

Added

  • Sandbox egress firewall — every container starts with

iptables -P OUTPUT DROP and explicit ACCEPTs only for the resolved IPs of the verified target plus DNS to public resolvers.

  • Sliding-window rate limits (Redis-backed) on triggerScan, addTarget,

redeemTrialCode, checkVerification.

  • GitHub Actions CI: typecheck + lint + test + build on every PR with

Postgres + Redis as job services.

  • Playwright E2E happy-path: signup → onboarding → TOS → dashboard.

[2026-04-26] Sprint 8 — Soft launch readiness

Added

  • Production Dockerfile (multi-stage, standalone Next output).
  • docker-compose.prod.yml — host PG/Redis, app on 127.0.0.1:3500.
  • Worker Dockerfile with docker CLI + Playwright chromium.
  • Health endpoint /api/health (DB + Redis ping).
  • Public status page at /status.
  • Trial codes for design partners — issue via CLI, redeem in

Settings → "Have a trial code?". Atomic claim is race-safe.

  • Pricing A/B variant flag on the landing.
  • DB backup script with 14-day retention.
  • nginx vhost template + PM2 ecosystem.config.cjs.
  • Payment provider abstraction with Stripe + NowPayments stubs.
  • DEPLOY.md with step-by-step Contabo deployment.

[2026-04-26] Sprint 7 — Polish + legal

Added

  • Click-wrap Terms of Service at /tos with version pinning.
  • Per-scan re-acknowledgment checkbox (TZ §7.2).
  • Audit log writes from every key server action (target/scan/schedule/

secret/alert/disclosure/TOS).

  • /audit page — last 200 events for the active org with actor/IP/metadata.
  • Public landing page replacing the placeholder home.
  • Bug-bounty disclosure flow on findings.
  • Onboarding banner on dashboard (4-step checklist).
  • middleware.ts → proxy.ts migration (Next 16 convention).

[2026-04-26] Sprint 6 — Plans + scheduling + alerts

Added

  • 5 plan tiers (Starter/Growth/Pro/Business/Enterprise) with per-plan limits

enforced server-side.

  • Scheduled scans via BullMQ repeatable jobs, synced from DB on worker boot.
  • Alert dispatcher: email + Slack + Telegram + webhook with per-channel

min-severity thresholds.

  • Settings page now hosts plan switcher, schedules CRUD, alert routing.

[2026-04-26] Sprint 5 — Reporting

Added

  • Executive PDF and Technical PDF generated via Playwright headless Chromium.
  • JSON export endpoint /api/scans/[id]/export.json.
  • Diff engine — new / fixed / unchanged / worsened / improved between scans.
  • Email delivery via Resend, with console-log fallback when no key is set.

[2026-04-26] Sprint 4 — Admin + UI + verification

Added

  • Domain verification flow — DNS TXT, HTML meta tag, well-known file.
  • Encrypted per-org secrets store (AES-256-GCM).
  • Platform admin role + /admin cross-tenant overview.
  • shadcn-style UI primitives + dashboard layout.
  • Targets / scans / findings UI with live polling.

[2026-04-26] Sprint 3 — Offensive AI agent

Added

  • Anthropic Claude tool-use loop with shell + report_finding +

mission_complete tools.

  • RED-OPERATOR system prompt.
  • Per-mission iteration cap and cost cap.
  • Per-org Anthropic API key override.

[2026-04-26] Sprint 2 — Scan engine

Added

  • Recipe engine with YAML loader and Zod validation.
  • BullMQ scan queue + worker process.
  • Sandboxed Docker executor with per-step containers.
  • 11 output parsers (nuclei JSONL, wpscan, TLS cert, SPF/DMARC, etc.).
  • Findings aggregator with cross-scan dedup.

[2026-04-26] Sprint 1 — Foundation

Added

  • Next.js 16 + Drizzle + Postgres 16 with row-level security.
  • better-auth with organization plugin and 2FA.
  • Multi-tenant withOrgContext helper enforcing RLS via SET LOCAL.