Changelog

Customer-visible platform changes. The full engineering ledger lives at PHASE-PROGRESS.md.

  1. 2026-05-14 UI

    rev-47/48 — incident bell, feature flags, compact mode, scenario history

    • Incident bell in the toolbar — pulses red when a critical platform banner is live.
    • Per-tenant /admin/feature-flags read-only matrix with 9 flags + runbook links.
    • Compact / Cosy density toggle in the toolbar; preference persists per user.
    • /scenarios/{id}/history filters the audit chain to one scenario for regulator-defended evidence.
    • Global keyboard shortcuts: g t / g i / g c / g a / g g / g w / g s / g h / g p / g r + '?' for help.
  2. 2026-05-14 UI

    rev-46 — landing, /docs, recently-viewed

    • Marketing landing at /, public /docs index with every runbook + policy.
    • Recently-viewed drawer in the toolbar — last 16 cases / alerts / people / transactions / scenarios / watchlists you opened, per-tenant.
    • RecordView wired into /cases/{id}, /alerts/{id}, /people/{id}.
  3. 2026-05-14 Platform

    rev-45 — SCIM Groups, /help, /jobs trigger

    • SCIM Groups endpoint completes the auto-provisioning surface (Pro tier).
    • /help cheat sheet — 12 keyboard shortcuts, 9-role can/cannot grid, all runbook links.
    • /jobs page gains a 'Trigger now' button per row, gated by jobs.run.
  4. 2026-05-14 Platform

    rev-44 — public /status

    • Stripe-style status page customers can bookmark without an account.
    • Service grid with 30-day uptime + lag, open incidents, recently-resolved feed.
  5. 2026-05-14 Platform

    rev-43 — banner authoring, webhook test-fire, /welcome

    • Tenant-wide banner authoring on /settings/banners, gated by health.toggle_maintenance.
    • MaintenanceBannerStrip mounted in the cockpit shell, with per-session dismiss state.
    • Webhook 'Test fire' button (synthetic delivery with X-RiskSonnar-Test: true header) + 256-bit signing-secret rotation.
    • /welcome first-run checklist auto-detects setup state and points at the right next step.
  6. 2026-05-14 UI

    rev-41 — error pages, SCIM bearer mgmt

    • Typed app-scope error boundary for PERMISSION_DENIED / STEP_UP_REQUIRED / QUOTA_EXCEEDED / NO_SESSION with per-code CTAs.
    • Cockpit-shell 404 + skeleton loading + root global-error fallback.
    • ScimBearerCard on /settings/identity mints a fresh 256-bit bearer client-side with the ready-to-paste Railway command.
  7. 2026-05-14 Auth

    rev-39 — MFA enforcement + sign-in audit

    • OIDC callback honours `amr` claim; RISKSONNAR_REQUIRE_MFA=1 refuses sessions without a second factor (NIST AC-7 / PSD2 Art. 97).
    • auth.session_issued / auth.session_refused events hash-chained in the audit log.
    • Dedicated /settings/sign-in-audit page with filter chips + top-actor summary.
    • Typed callback errors redirect to /login?error=<code> with friendly hints.
  8. 2026-05-14 Auth

    rev-38 — Auth0 one-click bootstrap wizard

    • /onboarding/auth0 wizard provisions Application + Post-Login Action + claims mapper + bootstrap user assignment in ~30 seconds.
    • Management API token is read-once, never persisted.
    • Returns ready-to-paste Railway commands.
  9. 2026-05-14 UI

    rev-35..37 — UI redesign, Keycloak deploy, /pricing polish

    • Nav regrouped from work-shape into business domains: Home / TM / WLM / Compliance / Investigations / Admin / Platform.
    • Section landing pages at /tm /wlm /compliance /admin /platform with KPI tiles + quick-link grids.
    • Self-hosted Keycloak Railway deploy package (Dockerfile + realm export + runbook).
    • /pricing extensions: integrations matrix + 3 case-study vignettes.
    • Login page redesign with plan welcome banner + typed error hints.
  10. 2026-05-14 Billing

    rev-30..34 — SaaS billing + SCIM + RBAC audit

    • 4-tier plan catalogue (Free / Starter €499 / Pro €1,999 / Enterprise) with quotas + Stripe Price env-var refs.
    • Stripe webhook receiver with HMAC-SHA256 + 300s replay protection.
    • /settings/billing with current plan, usage gauges, plan switcher, invoice history.
    • Per-tenant quota enforcement layer in lib/billing/quota.ts.
    • SCIM 2.0 Users endpoints + ServiceProviderConfig + ResourceTypes.
    • 9 server actions discovered + closed: case.addCaseNote, sar.submitSar (now requires fresh MLRO step-up), triage.dispositionAlert, etc.
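
The Stripe webhook check listed under rev-30..34 (HMAC-SHA256 with a 300s replay window), sketched here as an added example; it is not RiskSonnar's code. It follows Stripe's documented `Stripe-Signature` scheme (`t=<unix>,v1=<hex>` computed over `<t>.<raw body>`); the function names, secret and event body are constructed for illustration.

```javascript
// Added example: Stripe-style webhook signature check with a replay window.
const nodeCrypto = require("node:crypto");

const TOLERANCE_SECONDS = 300; // the 300s replay window named in the changelog

// Parse "t=<unix>,v1=<hex>[,v1=<hex>...]" into a timestamp and candidate signatures.
function parseSignatureHeader(header) {
  const parsed = { timestamp: null, signatures: [] };
  for (const part of String(header || "").split(",")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const key = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (key === "t" && /^\d+$/.test(value)) parsed.timestamp = Number(value);
    if (key === "v1" && /^[0-9a-f]{64}$/i.test(value)) parsed.signatures.push(value);
  }
  return parsed;
}

// HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded.
function sign(secret, timestamp, rawBody) {
  return nodeCrypto.createHmac("sha256", secret).update(`${timestamp}.${rawBody}`, "utf8").digest("hex");
}

// Returns { ok, reason }. rawBody must be the exact string received, before JSON parsing.
function verifyWebhook(rawBody, header, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { timestamp, signatures } = parseSignatureHeader(header);
  if (timestamp === null || signatures.length === 0) return { ok: false, reason: "malformed_header" };

  const expected = Buffer.from(sign(secret, timestamp, rawBody), "hex");
  const match = signatures.some((sig) => {
    const got = Buffer.from(sig, "hex");
    return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
  });
  if (!match) return { ok: false, reason: "bad_signature" };

  // Check age only after the MAC verifies, so the timestamp itself is authenticated.
  if (Math.abs(nowSeconds - timestamp) > TOLERANCE_SECONDS) return { ok: false, reason: "stale_timestamp" };
  return { ok: true, reason: null };
}

// Constructed sample input (not a real secret or event).
const SAMPLE_SECRET = "whsec_constructed_example_only";
const SAMPLE_BODY = '{"id":"evt_constructed","type":"invoice.paid"}';
const SAMPLE_T = 1778745600;
const SAMPLE_HEADER = `t=${SAMPLE_T},v1=${sign(SAMPLE_SECRET, SAMPLE_T, SAMPLE_BODY)}`;
```

The timestamp window only bounds how long a captured delivery stays valid; deduplicating on the event id covers replays inside those 300 seconds.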