-
v2.5.0 — Security Hardening Stable
released this
2026-05-12 16:04:47 +02:00 | 103 commits to main since this releaseSYNAPSE v2.5.0 Release Notes
Release Date: 2026-05-12
Milestone: Security Hardening
Previous: v2.4.0 (Advanced Agent Capabilities)
Overview
SYNAPSE v2.5.0 delivers comprehensive security hardening across the entire platform, establishing enterprise-grade security foundations for the upcoming v3.0.0 production release. This milestone focuses on API security, secrets management, audit logging, compliance frameworks, and security validation.
Security Enhancements
🔒 API Security (v2.4.2-dev)
- JWT Authentication Hardening: Enhanced token validation with stricter expiration policies
- Rate Limiting: Per-user and per-IP rate limiting on all API endpoints
- CORS Policy Enforcement: Strict origin validation for cross-origin requests
- Input Validation: Comprehensive sanitization on all user inputs
- API Key Rotation: Automated key rotation with minimal service disruption
🔐 Secrets Management (v2.4.3-dev)
- Encrypted Vault: AES-256 encryption for all sensitive configuration
- Secret Rotation: Automated rotation of database credentials and API keys
- Access Controls: Role-based access to secrets with audit trails
- Secure Distribution: Encrypted secret distribution across cluster nodes
- Backup Encryption: All backups encrypted with separate master keys
📋 Audit Logging (v2.4.4-dev)
- Comprehensive Event Tracking: All user actions, API calls, and system events logged
- Tamper-Resistant Logs: Immutable audit log storage with cryptographic verification
- Log Retention Policies: Configurable retention with automated archival
- Compliance Formats: Support for HIPAA, SOC2, and GDPR audit requirements
- Real-time Monitoring: Live audit stream for security operations centers
✅ Compliance Framework (v2.4.5-dev)
- HIPAA Compliance: Healthcare data protection standards implementation
- SOC2 Type II: Service organization controls for security and availability
- GDPR Compliance: European data protection regulation adherence
- Data Residency: Configurable data storage locations for compliance requirements
- Privacy by Design: Privacy controls integrated into all system components
🛡️ Security Validation (v2.4.6-dev)
- Penetration Testing: Comprehensive security testing across all attack vectors
- Vulnerability Scanning: Automated scanning with Dependabot and CodeQL
- Security Runbooks: Detailed incident response procedures
- Threat Modeling: Documented threat models for all system components
- Security Baseline: Hardened configuration templates for production deployment
Breaking Changes
None - v2.5.0 maintains full backward compatibility with v2.4.0
Migration Guide
No migration required. Direct upgrade from v2.4.0 is supported.
Upgrade Steps
- Backup: Create full system backup including database and configuration
- Update: Pull latest changes and checkout v2.5.0 tag
- Environment: Update environment variables for new security features
- Deploy: Restart services using Docker Compose or your deployment method
- Verify: Check health endpoints and audit logs for successful startup
New Environment Variables
# Secrets Management SECRETS_ENCRYPTION_KEY=your-32-byte-encryption-key VAULT_MASTER_KEY=your-64-byte-master-key # Audit Logging AUDIT_LOG_RETENTION_DAYS=90 AUDIT_LOG_ENCRYPTION_ENABLED=true # Rate Limiting RATE_LIMIT_PER_MINUTE=100 RATE_LIMIT_BURST=20 # Compliance COMPLIANCE_MODE=standard # Options: standard, hipaa, soc2, gdpr DATA_RESIDENCY_REGION=us-east-1Security Recommendations
For New Deployments
- Enable all security features from day one
- Use strong encryption keys (generated via
synapse keygen) - Configure proper log retention and monitoring
- Implement regular security audits
For Existing Deployments
- Rotate all secrets after upgrading to v2.5.0
- Enable audit logging immediately
- Review and update API rate limits based on usage patterns
- Conduct security review of existing configurations
Known Issues
None - All issues identified during development have been resolved
Deprecations
None - No features deprecated in this release
Contributors
This release represents the culmination of extensive security hardening work by the SYNAPSE core team and security auditors.
Co-authored by: Copilot 223556219+Copilot@users.noreply.github.com
Full Changelog
See CHANGELOG.md for detailed changes across all development versions.
Documentation
Comprehensive security documentation is available at:
Support
- GitHub Issues: Report bugs and request features
- Documentation: https://ftmahringer.github.io/Synapse/
- Community: Discussions
Upgrade to v2.5.0 today and experience enterprise-grade security for your self-hosted AI platform!
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
v2.4.6-dev - Security Validation & Runbooks Pre-release
released this
2026-05-12 12:08:14 +02:00 | 108 commits to main since this releasev2.4.6-dev - Security Validation & Runbooks
Added
- SecurityValidationTest: 13 integration tests covering auth, authorization, rate limiting, CORS, and security headers
- SECURITY_INCIDENT_RESPONSE.md: full incident response runbook with severity levels, response procedures, recovery steps, and communication templates
- SECURITY_DEPLOYMENT_CHECKLIST.md: pre-deployment, deployment, and post-deployment security verification checklist
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
v2.4.5-dev - Compliance Pre-release
released this
2026-05-12 12:01:07 +02:00 | 109 commits to main since this releasev2.4.5-dev - Compliance (GDPR)
Added
- DataExportService: GDPR-compliant user data export (profile, conversations, login history)
- DataExportService.exportUserDataAsJson(): JSON serialization for API responses
- DataDeletionService.anonymizeUserData(): replaces PII with anonymized values
- DataDeletionService.deleteUserData(): hard deletes conversations, audit entries, and user
- DataExportController: GET /api/compliance/export/{userId}, POST /api/compliance/anonymize/{userId}, DELETE /api/compliance/delete/{userId} — all ADMIN-only
- UserService.anonymize(): sets anonymized username/email
- UserService.getUserDataExport(): returns user profile as export data
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
v2.4.4-dev - Audit Logging Pre-release
released this
2026-05-12 01:53:22 +02:00 | 111 commits to main since this releasev2.4.4-dev - Audit Logging
Added
- SecurityAuditEvent: JPA entity with security_audit_events table
- SecurityAuditEventRepository: paginated queries by user, type, time range
- Flyway V17 migration for security_audit_events table with indexes
- SecurityAuditService: log events, login attempts, auth denials, user actions
- AuditLogController: GET /api/audit/events with ADMIN role guard
- Wired into AuthenticationService (login attempts) and JwtAuthenticationFilter (auth denials)
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
v2.4.3-dev - Secrets Management Pre-release
released this
2026-05-12 01:43:57 +02:00 | 112 commits to main since this releasev2.4.3-dev - Secrets Management
Added
- SecretValidator: startup check for default secrets, warns in dev, fails in production profile
- TokenBlacklistService: Redis-backed token revocation with TTL-based auto-cleanup
- JwtService: JTI claim added to tokens, blacklist check in isTokenValid(), revokeToken() method
- AuthenticationService: logout() revokes token, refresh() revokes old refresh token
- AuthenticationController: POST /api/auth/logout endpoint (204 No Content)
- application.yml: synapse.security.require-secrets-override config
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
released this
2026-05-12 01:33:42 +02:00 | 114 commits to main since this releaseFix: RateLimitingFilter used HttpServletResponse.SC_TOO_MANY_REQUESTS which is not available in the Jakarta Servlet API version used. Replaced with numeric 429 constant.
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
Source code (ZIP)
-
v2.4.2-dev - API Security Pre-release
released this
2026-05-12 01:24:34 +02:00 | 115 commits to main since this releasev2.4.2-dev - API Security (Security Hardening Step)
Changes
CORS Configuration
- New WebConfig.java implements WebMvcConfigurer with configurable allowed origins
- Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
- Headers: Authorization, Content-Type, X-Correlation-ID, X-XSRF-TOKEN
- Allows credentials, max age 3600s
Security Headers
- Added security headers filter in SecurityConfig.java
- Headers: X-Content-Type-Options, Strict-Transport-Security, X-Frame-Options, Referrer-Policy, Permissions-Policy
Rate Limiting
- New RateLimitingFilter.java - Caffeine-backed concurrent rate limiter
- Configurable requests-per-minute (default 60) and login-requests-per-minute (default 10)
- Excludes actuator, health, static resources
- Returns 429 with Retry-After header
- Uses IP / X-Forwarded-For as key
Brute-Force Protection
- Added to AuthenticationService.java - concurrent map tracking failed attempts with TTL
- After 5 failed attempts (configurable), account locks for 15 minutes (configurable)
- Logs lockout events; resets on successful login
Configuration
- Added rate-limiting and cors properties to application.yml
Dependencies
- Added Caffeine for rate-limiting cache
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
released this
2026-05-12 01:11:41 +02:00 | 116 commits to main since this releasev2.4.1-dev - CLI Component Framework + Interactive Installer
Added
- Reusable TUI Component Framework - BaseComponent with shared rendering, arrow-key/Enter/Space navigation
- 10 interactive components: TextInput, SingleSelect, MultiSelect, SearchList, Toggle, Confirm, Progress, Summary, Welcome, Requirements
- Raw terminal input handler - cross-platform (Windows/Linux/macOS) with ANSI escape sequence parsing
- SYNAPSE brand theme - all 4 agent layer colors
synapse installcommand - full interactive wizard replacing old shell scripts- OS detection - identifies Windows/Linux/macOS and package manager
- Prerequisites check - version-aware Docker, Git, Go checking with auto-install
- Package manager selection - picks from detected managers, adds repos
- Model provider search - 7 providers with API Key and Subscription support
- Channel plugin multi-select - Telegram, Discord, WhatsApp, Slack, Matrix
- Skill plugin multi-select - web-search, code-execution, image-generation, etc.
- Config persistence - saves to ~/.synapse/install.yaml, pre-fills on re-run
- Bootstrap scripts - install.sh and install.ps1 install Go, build CLI, add to PATH
Changed
- install.sh - detects OS, installs Go, builds CLI to ~/.local/bin, adds to PATH
- install.ps1 - moved to root, installs Go, builds CLI to local app dir, adds to PATH
Removed
- packages/cli/Dockerfile - no longer needed
- installer/install.ps1 - replaced by root-level install.ps1
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
SYNAPSE v2.4.0 Stable
released this
2026-05-11 14:39:44 +02:00 | 126 commits to main since this releaseSYNAPSE v2.4.0 - Advanced Agent Capabilities
Release date: 2026-05-11
Overview
v2.4.0 delivers the Advanced Agent Capabilities milestone by completing the full
v2.3.xdevelopment chain: collaboration, planning/reasoning persistence, native Java tools, and centralized hardening guardrails.Included Development Cycle
v2.3.1-dev- roadmap/docs workflow alignmentv2.3.2-dev- runtime stability hotfixv2.3.3-dev- agent memory foundationv2.3.4-dev- collaboration frameworkv2.3.5-dev- reasoning and planningv2.3.6-dev- native Java tools integrationv2.3.7-dev- capability hardeningv2.3.8-hotfix- version metadata/runtime release alignment
Highlights
1. Agent Collaboration Framework
- Team-scoped collaboration sessions
- Typed inter-agent messages (
DIRECTIVE,CONTEXT,STATUS,RESULT) - Task delegation tracking
- Shared context entries with versioning
2. Reasoning & Planning Persistence
- Planning goals and lifecycle state
- Versioned planning artifacts
- Compact summaries + reasoning chain snapshots
- Next-step retrieval for token-efficient execution
3. Native Java Tools Runtime
- Extensible
NativeJavaToolcontract - Registry/discovery endpoints
- Timeout-bounded JVM execution
- Tool-result caching with deterministic keys
- Built-ins:
tool_registry_inspectplugin_contract_validate
4. Central Hardening and Governance Foundation
- Shared policy engine for delegation/planning/tooling checks
- Delegation loop and max-hop guardrails
- Planning max-step and max-refinement guardrails
- Token budget guardrails with concise-mode signaling near thresholds
5. Release Quality Hotfix
v2.3.8-hotfixcorrected runtime metadata consistency by removing stale hardcoded compose defaults and aligning runtime version fallback behavior with the active build version.Operational Notes
- Compose startup smoke test was executed with
docker compose up -d --buildbefore milestone release. - Health endpoint returned
status=UP. - Flyway migrations validated and reached schema
v15.
Documentation
Documentation updates for this milestone were published incrementally in
synapse-docsdev releases throughv2.1.6-dev, including:- REST API additions for collaboration/planning/tools/hardening
- Agent concept updates for native tools and hardening behavior
- Environment variable updates for tooling and hardening settings
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
SYNAPSE v2.3.8-hotfix Pre-release
released this
2026-05-11 14:37:57 +02:00 | 127 commits to main since this releasev2.3.8-hotfix
Fixed
- Corrected runtime version reporting so
/api/healthno longer defaults to legacyv1.xvalues. - Removed hardcoded
SYNAPSE_VERSIONdefaults from compose manifests to use application build metadata by default. - Updated backend artifact version to
2.3.8-hotfixfor release-aligned runtime metadata.
Validation
- Docker Compose startup smoke test (
up --build, health check, migrations) passes.
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
- Corrected runtime version reporting so