Changelog

​

Versioning policy

• Major (v2.x): Breaking changes to request/response contracts or authentication. Announced with a migration guide and deprecation period.
• Minor (v1.2): New endpoints, fields, or features. Backwards-compatible.
• Patch (v1.1.1): Bug fixes and performance improvements. No contract changes.

​

Stability guarantees

• Existing response fields are never removed or renamed within a major version.
• New optional fields may be added to responses at any time — clients should ignore unknown fields.
• Webhook payload schemas follow the same policy.

​

API version header

​

v1.1.0

• Added policy groups (CRUD + listing policies within a group).
• Added alert webhook subscriptions with HMAC-signed delivery.
• Added webhook delivery history and statistics endpoints.
• Added decision SSE stream (GET /v1/decisions/stream).
• Added audit log verification (POST /v1/audit-log/verify).
• Added API key naming (key_name) for audit attribution.
• Added advisory mode for policies.
• Added two-tier rate limiting (pre-auth + post-auth).

​

v1.0.1

• SDK apiKey configuration is now required (throws a clear error if missing).
• idempotency_key is now required when recording decisions (no longer auto-generated).
• Added dryRun() as a semantic alias for evaluate().
• Recorded decisions now capture audit attribution (api_key_id, api_key_name).
• Infrastructure failures (database, pool exhaustion) now return 503 Service Unavailable with retry_after instead of 500.
• SKIP_AUTH environment variable is ignored in production with a security warning.

​

v1.0.0

• Initial release.
• Policy CRUD with immutable versioning.
• Decision evaluation (dry-run) and recording (persisted).
• Decision replay for audit verification.
• Alert listing and acknowledgement.
• API key management with scoped access.
• Audit event listing.
• OpenAPI 3.0 spec and Swagger UI.