Changelog
Last updated: May 18, 2026
v0.2.6 — May 18, 2026
MIRA is for signed-in users only (same pattern as CoverIQ): the floating assistant appears after login, and the API rejects unauthenticated chat requests.
API and scanner
- POST /api/mira/chat requires a valid Bearer JWT; anonymous daily caps are removed.
- GET /api/mira/status stays public so the site can detect whether MIRA is enabled before showing the widget to signed-in users.
Website
- MIRA launcher is hidden until you are logged in; guests are directed to sign up or log in.
- After sign-in, the widget refreshes without a full page reload when possible.
v0.2.5 — May 18, 2026
Security pass on the API and marketing site: stronger defaults for outbound scans and passwords, safer error surfaces, and browser hardening on the static host.
API and scanner
- Outbound scans: TLS certificate verification is on by default (disable only for local dev via SYNTRIX_PROBE_TLS_VERIFY=false).
- Waitlist ingest and CSV export: Bearer token checks use timing-safe comparison (same pattern as admin routes).
- MIRA: 502 responses no longer echo raw model-server error bodies to the browser; operators see actionable copy, and the details stay in server logs.
- Registration and password change: API enforces the same 12-character policy as the site (letter, number, and special character)—closing the gap where direct API calls could use weaker passwords.
- Production deploys refuse to start with authentication disabled on the hosted API (SYNTRIX_AUTH_REQUIRED=false).
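An added illustration of three of the checks above (not Syntrix's own code): a timing-safe Bearer token comparison, the 12-character password policy, and a production start-up refusal when authentication is off. The token value is constructed, and SYNTRIX_ENV is an assumed name for the variable that marks a deployment as production.

```python
import hmac
import re
from typing import Optional

# Constructed value for the example; the real service reads the expected
# token from its environment, never from source.
EXPECTED_TOKEN = "example-waitlist-token-0123456789"
PASSWORD_MIN_LENGTH = 12


def bearer_token_ok(authorization: Optional[str], expected: str = EXPECTED_TOKEN) -> bool:
    """Accept only 'Bearer <token>' whose token equals the expected secret.

    hmac.compare_digest takes the same time whether the first or the last
    byte differs, so response timing leaks nothing about the secret. A plain
    `==` returns at the first mismatch and can be measured byte by byte.
    """
    if not authorization:
        return False
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token.encode("utf-8"), expected.encode("utf-8"))


def password_policy_errors(password: str) -> list[str]:
    """Return the unmet requirements of the 12-character policy (empty = OK)."""
    errors = []
    if len(password) < PASSWORD_MIN_LENGTH:
        errors.append(f"at least {PASSWORD_MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        errors.append("at least one letter")
    if not re.search(r"[0-9]", password):
        errors.append("at least one number")
    if not re.search(r"[^A-Za-z0-9]", password):
        errors.append("at least one special character")
    return errors


def startup_check(env: dict) -> None:
    """Refuse to boot a production deploy with authentication switched off.

    SYNTRIX_ENV is an assumed name for the deployment-stage variable.
    """
    in_production = env.get("SYNTRIX_ENV") == "production"
    if in_production and env.get("SYNTRIX_AUTH_REQUIRED", "true").lower() == "false":
        raise RuntimeError("refusing to start: SYNTRIX_AUTH_REQUIRED=false in production")
```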
Website
- Global security headers on the static host: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and a Content-Security-Policy aligned with Auth0 and the API.
- Signup notification function: CORS default origin is https://syntrix.solutions (override with SYNTRIX_ORIGIN if needed). www continues to redirect to the apex host.
v0.2.4 — May 14, 2026
Production Ollama for MIRA is exposed through a hardened reverse proxy (TLS, authentication, rate limits, HSTS). The scanner and scan UI pick up related fixes so self-scans and guest flows behave as intended.
API and scanner
- Outbound scans: per-IP API rate limiting with X-RateLimit-* headers and 429 when exceeded (addresses RATE-01-style gaps on the scanner service).
- Scanner API: stronger default HSTS when your deployment enables it.
- Network exposure check: no false “unauthenticated MCP” noise when the target is our own scanner root JSON or a stock Ollama HTTP banner (Ollama is running).
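An added example (not Syntrix's code) of the per-IP limiting pattern described above: a fixed-window counter that returns X-RateLimit-* headers on every response and 429 with Retry-After once the limit is exceeded, plus the client-address selection the counter should be keyed on. The limit, window and addresses are constructed.

```python
import time
from typing import Optional


class FixedWindowRateLimiter:
    """Per-client-IP fixed-window counter (constructed example).

    Each response gets X-RateLimit-* headers; once a client exceeds the
    limit inside the current window the caller answers 429 with Retry-After.
    """

    def __init__(self, limit: int, window_seconds: int, clock=time.time):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock  # injectable so tests can move time deterministically
        self._hits: dict[str, tuple[int, int]] = {}  # ip -> (window_start, count)

    def check(self, client_ip: str) -> tuple[int, dict[str, str]]:
        """Record one request; return (http_status, headers)."""
        now = int(self.clock())
        window_start = now - now % self.window
        start, count = self._hits.get(client_ip, (window_start, 0))
        if start != window_start:  # the window rolled over: start counting afresh
            start, count = window_start, 0
        count += 1
        self._hits[client_ip] = (start, count)
        reset_at = start + self.window
        headers = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(max(self.limit - count, 0)),
            "X-RateLimit-Reset": str(reset_at),
        }
        if count > self.limit:
            headers["Retry-After"] = str(max(reset_at - now, 1))
            return 429, headers
        return 200, headers


def client_ip(remote_addr: str, forwarded_for: Optional[str], behind_trusted_proxy: bool) -> str:
    """Pick the address the limiter keys on.

    X-Forwarded-For is client-supplied unless a proxy you control appended
    to it, so it is honoured only behind that proxy, and only its last entry
    (the one the trusted proxy wrote) is used; otherwise a client could reset
    its own limit simply by changing the header.
    """
    if behind_trusted_proxy and forwarded_for:
        return forwarded_for.split(",")[-1].strip()
    return remote_addr
```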
Infrastructure (MIRA / Ollama)
- Reference stack for a VPS-hosted Ollama: Docker bound to localhost, nginx terminating TLS on the public port, Bearer gate in front of the API, request rate limits, and HSTS on success and auth-failure responses.
- Deployment helper applies domain and API-key placeholders in one step (avoids fragile manual edits on reload).
- Operator documentation for DNS, certificates, Render OLLAMA_BASE_URL / OLLAMA_API_KEY, and common troubleshooting (duplicate containers, placeholder cert paths).
Website
- Scan form: “Continue as guest” is offered only when you are not signed in; the guest option is hidden for authenticated users.
- Scan limits: guest-specific 429 copy only applies in guest mode (signed-in users see the appropriate limit message).
v0.2.3 — May 14, 2026
MIRA is text-only on the site: paste scan text or questions in the composer. The API rejects file uploads, answers are steadier on severity follow-ups, anonymous chat gets a daily cap, and prompts are aligned so built-in “Try asking” chips get full defensive answers.
API and scanner
- MIRA chat: attachments removed from POST /api/mira/chat; a non-empty attachments field in the JSON body returns a validation error with guidance to paste text instead. The chat path is text-only end to end; pypdf dropped from dependencies.
- MIRA: if OLLAMA_MODEL is exactly llama3.1:8b (a stale value often left in Render but not pulled on typical Hetzner hosts), the scanner now treats it as llama3.2:1b unless SYNTRIX_DISABLE_OLLAMA_MODEL_AUTO_CORRECT=true.
- MIRA: clearer 502 when Ollama reports the configured model tag is missing—the message names OLLAMA_MODEL and suggests ollama pull or aligning the env var with ollama list on the VPS.
- MIRA: default OLLAMA_MODEL when the env var is unset is now llama3.2:1b (matches typical Hetzner CPU deployments). Set OLLAMA_MODEL explicitly for larger tags when you have the RAM.
- MIRA system prompt: canonical Syntrix severities (critical, high, medium, low, info)—not a numeric “severity 3” product scale—plus guidance for very short follow-ups (for example “2?”) so they are read as severity or list continuations.
- MIRA: false refusal guard—if the model emits certain unrelated extreme-safety phrases after an obviously benign last user turn in a scan/severity thread, the API replaces that reply with corrective copy and emits a scrub telemetry event (no prompt logging).
- MIRA: curated UI quick prompts are called out in the system prompt as sanctioned in-product help; “how does Syntrix detect …” stays in scope as high-level defensive methodology. Generic brush-off refusals on those topics are explicitly out of policy.
Website
- MIRA widget: no attach / file UI—composer, send, and “Try asking” chips only; disclaimer and placeholders tell users to paste findings.
- MIRA: Prompt injection quick chip reworded for defensive, educational framing so models answer reliably; error hints for validation failures remind users that chat is text-only.
- Styles: removed attachment toolbar, pending-file chips, and attachment message bubble CSS tied to the old flow.
v0.2.2 — May 13, 2026
MIRA file chat: clearer analysis of screenshots and documents, safer handling of adversarial text inside images, and a cleaner attachment experience on the site.
API and scanner
- MIRA: vision and system guidance tuned so defensive review of screenshots and exports is in scope without wholesale refusals.
- MIRA: multimodal hardening—text visible inside photos is handled like untrusted pasted content; embedded “system”, “ignore”, or command-like strings in images are never treated as instructions to follow (describe or flag injection bait; keep answers defensive).
- MIRA: attachment validation—raster images must be PNG/JPEG/GIF/WebP with magic bytes matching the declared type; PDFs must begin with a real %PDF header; assistant replies are capped for size; chat responses carry Cache-Control: no-store so shared caches do not retain POST bodies.
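An added example (not Syntrix's code) of the attachment validation, reply cap and no-store header described above: the declared type is accepted only when the file's leading bytes match it, so a PDF renamed .png or an HTML page sent as application/pdf is rejected before any parser or model sees it. The size and reply caps are constructed values; the page states none.

```python
MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024  # constructed limit
MAX_REPLY_CHARS = 4000                  # constructed cap for assistant replies

# Leading bytes each accepted type must start with. WebP is a RIFF
# container, so its check needs two offsets and is handled separately.
MAGIC_PREFIXES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": (b"%PDF",),
}


class AttachmentRejected(ValueError):
    """Raised with a message that is safe to show in the chat panel."""


def validate_attachment(declared_type: str, data: bytes) -> str:
    """Return the declared type if the bytes really are that type, else raise.

    The declared Content-Type is attacker-controlled; only the file header
    decides whether the upload is accepted.
    """
    if len(data) > MAX_ATTACHMENT_BYTES:
        raise AttachmentRejected("attachment too large")
    if declared_type == "image/webp":
        ok = data[:4] == b"RIFF" and data[8:12] == b"WEBP"
    elif declared_type in MAGIC_PREFIXES:
        ok = any(data.startswith(p) for p in MAGIC_PREFIXES[declared_type])
    else:
        raise AttachmentRejected(f"unsupported attachment type {declared_type}")
    if not ok:
        raise AttachmentRejected(f"file content does not match {declared_type}")
    return declared_type


def chat_response(reply: str) -> tuple[str, dict[str, str]]:
    """Cap the assistant reply and mark the response uncacheable."""
    if len(reply) > MAX_REPLY_CHARS:
        reply = reply[:MAX_REPLY_CHARS] + " [...]"
    return reply, {"Cache-Control": "no-store"}
```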
Website
- MIRA chat: add-style control for attachments; each file appears in its own message bubble (with image previews where applicable).
- MIRA: clearer in-panel error text for API failures (including validation, rate limits, and oversized requests) plus short tips where it helps.
- api.js: POST responses are read as text first so non-JSON error bodies (e.g. proxy pages) can still surface a useful message.
v0.2.1 — May 12, 2026
Hardening, billing tiers, reproducibility metadata, MIRA prompt clarity, and new marketing content. API and website roll out together when we publish a release.
API and scanner
- Stronger HTTP security headers (including optional strict transport when your deployment is ready).
- Optional hostname allowlist for operators who want an extra guardrail on incoming requests.
- Tighter browser CORS policy for API calls (fewer wildcard headers).
- MIRA chat: request size limits to reduce abuse and oversized payloads.
- Guest scans: additional per-IP throttling on top of existing daily limits.
- Outbound scanning: bounded concurrency so one job cannot exhaust connection pools.
- Billing: account profile exposes a coarse plan tier (none / Pro / Team); Team-only integration endpoint stub for future signed webhooks.
- Reproducibility: public check catalog includes a short methodology blurb per check; completed scans can carry an optional build stamp on status for support and auditing.
- MIRA: system guidance updated so product education and suggested prompts get full answers—including how detection works at a high level—while pasted or tool content is still treated cautiously for policy overrides.
Website
- New About page — product overview, environments, scan philosophy, severity guide, MIRA, principles, responsible use, privacy pointer, AI disclaimer, evolution, contact/disclosure.
- Documentation hub links to About; site footer Resources includes About across main pages.
v0.2.0 — May 11, 2026 · milestone
Ship milestone: public marketing site and scanner API crossed a bar we’re willing to stand behind — coherent positioning, deliberate security choices, and operator hooks for what comes next.
- Primary contact and audit bookings: chandler@syntrix.solutions across the site.
- Nav and footer Syntrix logo links home from every marketing page.
- MIRA: attach images, PDFs, and text files in the in-site assistant.
- Scanner: operator-visible telemetry for the assistant (latency and volume signals, without raw prompts).
- Interactive API explorer off by default in production; operators can turn it on when appropriate for support or integration work.
v0.1.0 — May 10, 2026
- Initial public release.
- 10 security checks covering network exposure, transport security, authentication enforcement, prompt injection, permission scoping, sampling abuse, rate limiting, error disclosure, and CORS misconfiguration.
- Public scan endpoint at api.syntrix.solutions.
- Manual penetration testing service available by booking.
- Password authentication with Argon2 + JWT.
- MIRA assistant available on landing page for vulnerability questions.