• v2.5.0 063812f67a

    FTMahringer released this 2026-05-12 16:04:47 +02:00 | 103 commits to main since this release

    SYNAPSE v2.5.0 Release Notes

    Release Date: 2026-05-12
    Milestone: Security Hardening
    Previous: v2.4.0 (Advanced Agent Capabilities)


    Overview

    SYNAPSE v2.5.0 delivers comprehensive security hardening across the entire platform, establishing enterprise-grade security foundations for the upcoming v3.0.0 production release. This milestone focuses on API security, secrets management, audit logging, compliance frameworks, and security validation.

    Security Enhancements

    🔒 API Security (v2.4.2-dev)

    • JWT Authentication Hardening: Enhanced token validation with stricter expiration policies
    • Rate Limiting: Per-user and per-IP rate limiting on all API endpoints
    • CORS Policy Enforcement: Strict origin validation for cross-origin requests
    • Input Validation: Comprehensive sanitization on all user inputs
    • API Key Rotation: Automated key rotation with minimal service disruption

    🔐 Secrets Management (v2.4.3-dev)

    • Encrypted Vault: AES-256 encryption for all sensitive configuration
    • Secret Rotation: Automated rotation of database credentials and API keys
    • Access Controls: Role-based access to secrets with audit trails
    • Secure Distribution: Encrypted secret distribution across cluster nodes
    • Backup Encryption: All backups encrypted with separate master keys

    📋 Audit Logging (v2.4.4-dev)

    • Comprehensive Event Tracking: All user actions, API calls, and system events logged
    • Tamper-Resistant Logs: Immutable audit log storage with cryptographic verification
    • Log Retention Policies: Configurable retention with automated archival
    • Compliance Formats: Support for HIPAA, SOC2, and GDPR audit requirements
    • Real-time Monitoring: Live audit stream for security operations centers

    Compliance Framework (v2.4.5-dev)

    • HIPAA Compliance: Healthcare data protection standards implementation
    • SOC2 Type II: Service organization controls for security and availability
    • GDPR Compliance: European data protection regulation adherence
    • Data Residency: Configurable data storage locations for compliance requirements
    • Privacy by Design: Privacy controls integrated into all system components

    🛡️ Security Validation (v2.4.6-dev)

    • Penetration Testing: Comprehensive security testing across all attack vectors
    • Vulnerability Scanning: Automated scanning with Dependabot and CodeQL
    • Security Runbooks: Detailed incident response procedures
    • Threat Modeling: Documented threat models for all system components
    • Security Baseline: Hardened configuration templates for production deployment

    Breaking Changes

    None - v2.5.0 maintains full backward compatibility with v2.4.0

    Migration Guide

    No migration required. Direct upgrade from v2.4.0 is supported.

    Upgrade Steps

    1. Backup: Create full system backup including database and configuration
    2. Update: Pull latest changes and checkout v2.5.0 tag
    3. Environment: Update environment variables for new security features
    4. Deploy: Restart services using Docker Compose or your deployment method
    5. Verify: Check health endpoints and audit logs for successful startup

    New Environment Variables

    # Secrets Management
    SECRETS_ENCRYPTION_KEY=your-32-byte-encryption-key
    VAULT_MASTER_KEY=your-64-byte-master-key
    
    # Audit Logging
    AUDIT_LOG_RETENTION_DAYS=90
    AUDIT_LOG_ENCRYPTION_ENABLED=true
    
    # Rate Limiting
    RATE_LIMIT_PER_MINUTE=100
    RATE_LIMIT_BURST=20
    
    # Compliance
    COMPLIANCE_MODE=standard  # Options: standard, hipaa, soc2, gdpr
    DATA_RESIDENCY_REGION=us-east-1
    

    Security Recommendations

    For New Deployments

    • Enable all security features from day one
    • Use strong encryption keys (generated via synapse keygen)
    • Configure proper log retention and monitoring
    • Implement regular security audits

    For Existing Deployments

    • Rotate all secrets after upgrading to v2.5.0
    • Enable audit logging immediately
    • Review and update API rate limits based on usage patterns
    • Conduct security review of existing configurations

    Known Issues

    None - All issues identified during development have been resolved

    Deprecations

    None - No features deprecated in this release

    Contributors

    This release represents the culmination of extensive security hardening work by the SYNAPSE core team and security auditors.

    Co-authored by: Copilot 223556219+Copilot@users.noreply.github.com

    Full Changelog

    See CHANGELOG.md for detailed changes across all development versions.

    Documentation

    Comprehensive security documentation is available at:

    Support


    Upgrade to v2.5.0 today and experience enterprise-grade security for your self-hosted AI platform!

    Downloads
  • v2.4.6-dev a92a905d76

    FTMahringer released this 2026-05-12 12:08:14 +02:00 | 108 commits to main since this release

    v2.4.6-dev - Security Validation & Runbooks

    Added

    • SecurityValidationTest: 13 integration tests covering auth, authorization, rate limiting, CORS, and security headers
    • SECURITY_INCIDENT_RESPONSE.md: full incident response runbook with severity levels, response procedures, recovery steps, and communication templates
    • SECURITY_DEPLOYMENT_CHECKLIST.md: pre-deployment, deployment, and post-deployment security verification checklist
    Downloads
  • v2.4.5-dev 1e1d21a573

    FTMahringer released this 2026-05-12 12:01:07 +02:00 | 109 commits to main since this release

    v2.4.5-dev - Compliance (GDPR)

    Added

    • DataExportService: GDPR-compliant user data export (profile, conversations, login history)
    • DataExportService.exportUserDataAsJson(): JSON serialization for API responses
    • DataDeletionService.anonymizeUserData(): replaces PII with anonymized values
    • DataDeletionService.deleteUserData(): hard deletes conversations, audit entries, and user
    • DataExportController: GET /api/compliance/export/{userId}, POST /api/compliance/anonymize/{userId}, DELETE /api/compliance/delete/{userId} — all ADMIN-only
    • UserService.anonymize(): sets anonymized username/email
    • UserService.getUserDataExport(): returns user profile as export data
    Downloads
  • v2.4.4-dev a8d8528567

    FTMahringer released this 2026-05-12 01:53:22 +02:00 | 111 commits to main since this release

    v2.4.4-dev - Audit Logging

    Added

    • SecurityAuditEvent: JPA entity with security_audit_events table
    • SecurityAuditEventRepository: paginated queries by user, type, time range
    • Flyway V17 migration for security_audit_events table with indexes
    • SecurityAuditService: log events, login attempts, auth denials, user actions
    • AuditLogController: GET /api/audit/events with ADMIN role guard
    • Wired into AuthenticationService (login attempts) and JwtAuthenticationFilter (auth denials)
    Downloads
  • v2.4.3-dev e2d3ea427c

    FTMahringer released this 2026-05-12 01:43:57 +02:00 | 112 commits to main since this release

    v2.4.3-dev - Secrets Management

    Added

    • SecretValidator: startup check for default secrets, warns in dev, fails in production profile
    • TokenBlacklistService: Redis-backed token revocation with TTL-based auto-cleanup
    • JwtService: JTI claim added to tokens, blacklist check in isTokenValid(), revokeToken() method
    • AuthenticationService: logout() revokes token, refresh() revokes old refresh token
    • AuthenticationController: POST /api/auth/logout endpoint (204 No Content)
    • application.yml: synapse.security.require-secrets-override config
    Downloads
  • v2.4.2-hotfix f4b324ea17

    FTMahringer released this 2026-05-12 01:33:42 +02:00 | 114 commits to main since this release

    Fix: RateLimitingFilter used HttpServletResponse.SC_TOO_MANY_REQUESTS which is not available in the Jakarta Servlet API version used. Replaced with numeric 429 constant.

    Downloads
  • v2.4.2-dev fc962f57c8

    FTMahringer released this 2026-05-12 01:24:34 +02:00 | 115 commits to main since this release

    v2.4.2-dev - API Security (Security Hardening Step)

    Changes

    CORS Configuration

    • New WebConfig.java implements WebMvcConfigurer with configurable allowed origins
    • Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
    • Headers: Authorization, Content-Type, X-Correlation-ID, X-XSRF-TOKEN
    • Allows credentials, max age 3600s

    Security Headers

    • Added security headers filter in SecurityConfig.java
    • Headers: X-Content-Type-Options, Strict-Transport-Security, X-Frame-Options, Referrer-Policy, Permissions-Policy

    Rate Limiting

    • New RateLimitingFilter.java - Caffeine-backed concurrent rate limiter
    • Configurable requests-per-minute (default 60) and login-requests-per-minute (default 10)
    • Excludes actuator, health, static resources
    • Returns 429 with Retry-After header
    • Uses IP / X-Forwarded-For as key

    Brute-Force Protection

    • Added to AuthenticationService.java - concurrent map tracking failed attempts with TTL
    • After 5 failed attempts (configurable), account locks for 15 minutes (configurable)
    • Logs lockout events; resets on successful login

    Configuration

    • Added rate-limiting and cors properties to application.yml

    Dependencies

    • Added Caffeine for rate-limiting cache
    Downloads
  • v2.4.1-dev 22dcf08007

    FTMahringer released this 2026-05-12 01:11:41 +02:00 | 116 commits to main since this release

    v2.4.1-dev - CLI Component Framework + Interactive Installer

    Added

    • Reusable TUI Component Framework - BaseComponent with shared rendering, arrow-key/Enter/Space navigation
    • 10 interactive components: TextInput, SingleSelect, MultiSelect, SearchList, Toggle, Confirm, Progress, Summary, Welcome, Requirements
    • Raw terminal input handler - cross-platform (Windows/Linux/macOS) with ANSI escape sequence parsing
    • SYNAPSE brand theme - all 4 agent layer colors
    • synapse install command - full interactive wizard replacing old shell scripts
    • OS detection - identifies Windows/Linux/macOS and package manager
    • Prerequisites check - version-aware Docker, Git, Go checking with auto-install
    • Package manager selection - picks from detected managers, adds repos
    • Model provider search - 7 providers with API Key and Subscription support
    • Channel plugin multi-select - Telegram, Discord, WhatsApp, Slack, Matrix
    • Skill plugin multi-select - web-search, code-execution, image-generation, etc.
    • Config persistence - saves to ~/.synapse/install.yaml, pre-fills on re-run
    • Bootstrap scripts - install.sh and install.ps1 install Go, build CLI, add to PATH

    Changed

    • install.sh - detects OS, installs Go, builds CLI to ~/.local/bin, adds to PATH
    • install.ps1 - moved to root, installs Go, builds CLI to local app dir, adds to PATH

    Removed

    • packages/cli/Dockerfile - no longer needed
    • installer/install.ps1 - replaced by root-level install.ps1
    Downloads
  • v2.4.0 43f2743e0c

    FTMahringer released this 2026-05-11 14:39:44 +02:00 | 126 commits to main since this release

    SYNAPSE v2.4.0 - Advanced Agent Capabilities

    Release date: 2026-05-11

    Overview

    v2.4.0 delivers the Advanced Agent Capabilities milestone by completing the full v2.3.x development chain: collaboration, planning/reasoning persistence, native Java tools, and centralized hardening guardrails.

    Included Development Cycle

    • v2.3.1-dev - roadmap/docs workflow alignment
    • v2.3.2-dev - runtime stability hotfix
    • v2.3.3-dev - agent memory foundation
    • v2.3.4-dev - collaboration framework
    • v2.3.5-dev - reasoning and planning
    • v2.3.6-dev - native Java tools integration
    • v2.3.7-dev - capability hardening
    • v2.3.8-hotfix - version metadata/runtime release alignment

    Highlights

    1. Agent Collaboration Framework

    • Team-scoped collaboration sessions
    • Typed inter-agent messages (DIRECTIVE, CONTEXT, STATUS, RESULT)
    • Task delegation tracking
    • Shared context entries with versioning

    2. Reasoning & Planning Persistence

    • Planning goals and lifecycle state
    • Versioned planning artifacts
    • Compact summaries + reasoning chain snapshots
    • Next-step retrieval for token-efficient execution

    3. Native Java Tools Runtime

    • Extensible NativeJavaTool contract
    • Registry/discovery endpoints
    • Timeout-bounded JVM execution
    • Tool-result caching with deterministic keys
    • Built-ins:
      • tool_registry_inspect
      • plugin_contract_validate

    4. Central Hardening and Governance Foundation

    • Shared policy engine for delegation/planning/tooling checks
    • Delegation loop and max-hop guardrails
    • Planning max-step and max-refinement guardrails
    • Token budget guardrails with concise-mode signaling near thresholds

    5. Release Quality Hotfix

    v2.3.8-hotfix corrected runtime metadata consistency by removing stale hardcoded compose defaults and aligning runtime version fallback behavior with the active build version.

    Operational Notes

    • Compose startup smoke test was executed with docker compose up -d --build before milestone release.
    • Health endpoint returned status=UP.
    • Flyway migrations validated and reached schema v15.

    Documentation

    Documentation updates for this milestone were published incrementally in synapse-docs dev releases through v2.1.6-dev, including:

    • REST API additions for collaboration/planning/tools/hardening
    • Agent concept updates for native tools and hardening behavior
    • Environment variable updates for tooling and hardening settings
    Downloads
  • v2.3.8-hotfix 926c7e7ebf

    SYNAPSE v2.3.8-hotfix Pre-release

    FTMahringer released this 2026-05-11 14:37:57 +02:00 | 127 commits to main since this release

    v2.3.8-hotfix

    Fixed

    • Corrected runtime version reporting so /api/health no longer defaults to legacy v1.x values.
    • Removed hardcoded SYNAPSE_VERSION defaults from compose manifests to use application build metadata by default.
    • Updated backend artifact version to 2.3.8-hotfix for release-aligned runtime metadata.

    Validation

    • Docker Compose startup smoke test (up --build, health check, migrations) passes.
    Downloads