Changelog

What's new in Pratvi AI.

The release history below covers backend version tags and frontend deploys during private beta. Detailed, formatted release notes continue here through GA.

June 2026

Frontend

Unreleased

Design refresh — brand, motion, and anti-slop pass on the marketing site and app shell. Frontend-only, shipped via Vercel auto-deploy; backend unchanged.

  • Brand color moved to brass (#C8932E) via a single design token that cascades to every brand surface.
  • Motion vocabulary added across hero, How-It-Works, and mid-page sections — stagger reveals, word morph, sticky-stack, count-up stats — with reduced-motion fallbacks.
  • Real /app/dashboard screenshot replaces the placeholder mockup, labeled "synthetic data" for FTC §255 compliance.
  • App shell: grouped 25 flat sidebar items into 5 sections, animated stat counters, skeleton loaders, and real empty/error states.
  • Fixed a React #418 SSR hydration mismatch under prefers-reduced-motion and resolved 4 pre-existing dev-dependency audit findings.

May 2026

Infra + DX

Unreleased

Database hardening applied to production Supabase, plus a developer-experience pass on type generation. Frontend deployed; database migration applied.

  • Revoked EXECUTE on a SECURITY DEFINER function from anon/authenticated roles and pinned a non-mutable search_path on the RAG lookup function.
  • Added 14 covering indexes on previously unindexed foreign keys, prioritizing tenant and audit-log keys.
  • Added OpenAPI→TypeScript generation (`npm run gen:api`) so that frontend types derive from the real FastAPI contract, mitigating schema drift.

May 2026

Pending tag

v0.1.24

Backend security, AI-cost, and audit-coverage changeset accumulated on main. Backwards-compatible across the wire; deploys when tagged.

  • Closed five security findings: SSRF filter on outbound webhooks, deactivated-user JWT invalidation, impersonation-token TTL fix, admin-only API-key minting, and full audit-log coverage across all 9 mutating router groups.
  • Backend HttpOnly cookie auth and CSRF middleware shipped behind a default-off flag, with the cutover sequence documented.
  • AI cost work: real Anthropic prompt caching, task-budget headers on every Opus call, and two templated tasks retasked from Opus to Sonnet.
  • Frontend Sentry wired across browser/server/edge runtimes (no-op until DSN is set); shared form-hydration hook applied to all 6 forms.
  • Centralized tenant-scoping helper replaced 9 router-local copies; new test suites for scoping, audit, CSRF, SSRF, and cookie auth.

May 15, 2026

Released

v0.1.20

Tier-2 + Tier-3 governance — 14 new feature areas closing competitive-parity gaps, plus the lint/security fixes for the rolled-back v0.1.19.

  • Added automated red-teaming, deeper drift metrics (PSI/KL/JS/KS/Wasserstein), an explainability ingest layer, and a third-party AI vendor risk registry.
  • Added AIBOM export (CycloneDX 1.6), annual model-owner attestations, MCP-server governance, a custom-policy DSL, and a governance knowledge graph.
  • Shipped 11 new tables, 14 new routers, and 6 new services, with 110 new unit tests on top of the Tier-1 set.
  • Folded in the v0.1.19 fixes (black formatting + gitleaks allowlist) that had triggered an automatic rollback to v0.1.18.

May 14, 2026

Rolled back

v0.1.19

Tier-1 competitive-parity release. Passed tests but failed the production pipeline at formatting and secret-scanning; auto-rollback held prod on v0.1.18.

  • Introduced the governed-agent registry, an LLM firewall, shadow-AI discovery, NIST AI RMF / ISO 42001 policy packs, a use-case intake workflow, and model-card auto-generation.
  • CD-prod correctly rejected the build: new Python files weren't black-formatted and a firewall regex tripped the AWS-key secret scanner.
  • Auto-rollback worked as designed — production stayed on v0.1.18 throughout — and the fixes shipped in v0.1.20.

May 2026

Released

v0.1.18

Mobile-responsive app layout.

  • Slide-in sidebar drawer, stacked headers, and horizontally scrolling tables for the authenticated app on small screens.
  • Established the overflow-x-auto + drawer pattern reused by every app page added afterward.

May 13, 2026

Released

v0.1.17

SSO / identity-provider catalog fills.

  • Added 8 manual-onboarding identity stubs (Auth0, Ping, OneLogin, JumpCloud, Google Workspace, Duo, SailPoint, Saviynt).
  • Brought the integrations catalog to 175 registered providers.

May 13, 2026

Released

v0.1.16

Integrations waves 3 + 4 — cloud, DevOps, healthcare, banking, insurance, and version-control providers.

  • Added 50 providers across the remaining clusters, with 132 new provider tests.
  • Introduced the catalog-stub pattern for vendors that require manual app registration or per-tenant deployment.

May 13, 2026

Released

v0.1.15

Integrations wave 2 — SIEM, BI, data-warehouse, ML-platform, and ticketing providers.

  • Added roughly 87 providers, consolidated from parallel build branches onto main.
  • Exercised the provider base and its five pattern mixins (outbound webhook, API key, SIEM push, inbound webhook, OAuth) at scale.

May 13, 2026

Released

v0.1.14

Integrations framework + first 30 reference providers.

  • Shipped the provider base class, Fernet-encrypted credential storage with key rotation, and a tenant-scoped admin-gated CRUD router.
  • Added the /app/integrations surface (list, catalog, connect flow) and 30 reference providers such as Slack, Teams, and PagerDuty.

May 5, 2026

Released

v0.1.13

Parallel-workstream landing — schema sync, end-to-end testing in CI, and admin user management.

  • Added admin user-management writes (invite, role change, deactivate) with a self-lockout guard, all audit-logged.
  • Wired Cypress end-to-end tests into CI to run against production on push and nightly.
  • Introspected the live database against the schema and confirmed zero drift, with an idempotent safety-net migration.

May 2026

Released

v0.1.12

Hotfixes from a live admin walkthrough — seven issues fixed and verified in production.

  • Fixed the Bias and Security pages, which threw on a list-shape mismatch between the API and the frontend.
  • Corrected the current-user payload so admins no longer displayed as viewers with a blank email.
  • Added a customer-facing, tenant-scoped users endpoint and rewrote the in-app docs page with real troubleshooting content.

May 2026

Released

v0.1.11

Security pass — dependency CVEs closed and CI gates tightened.

  • Closed 15 CVEs, principally by upgrading Next.js, plus backend bumps to black and pytest.
  • Cleared all bandit low-severity findings with explicit rationale and added Dependabot for weekly grouped updates.
  • Tightened CI: strict pip-audit, non-bypassable secret scanning, and a new frontend npm-audit gate.

May 2026

Released

v0.1.10

Internal staff tooling and per-tenant API keys.

  • Added an internal staff router and per-tenant API-key authentication (X-API-Key: pak_...).
  • Shipped an idempotent per-vertical seed script for populating demo data.

Early 2026

Foundation

v0.1.0 – v0.1.9

Pre-changelog foundation work. These tags predate this structured changelog, so they are summarized here rather than itemized per version; see DEVLOG.md and git history for detail.

  • Built the core governance platform: AI model inventory, RAG-powered compliance Q&A, SHA-256 hash-chained audit trail, bias and drift monitoring, and MITRE ATLAS security scoring.
  • Stood up the FastAPI backend, the Supabase data layer with per-tenant isolation, and the CI/CD pipelines to staging and production.
  • Established per-vertical compliance modules across regulated industries and the executive risk-scoring dashboard.