Changelog

v2.1.0 (2026-03-17)

Console — Tiered Impersonation

• Tenant admin → app admin impersonation — tenant admins can enter any app in their tenant as app admin (Console-only, audited, session-scoped)
• Platform admin → tenant admin impersonation (introduced in v2.0.0) now stacks with app impersonation
• Amber banner with exit link for both impersonation tiers
• Audit events: app_impersonation_started, app_impersonation_ended

Console — SSO-Based Authentication

• Console login now uses SSO session (km_sso) directly — no app enrollment required to access the Console
• Console JWT issued with audience keymaster-console (decoupled from any specific app)
• Platform Keymaster Console app serves as auth gateway only (open policy)
• Per-tenant Console apps serve as role containers (tenant admin = admin role on tenant Console app)

Console — Multi-Tenant UX

• Tenant picker for users who are admin on multiple tenants
• "Switch Tenant" sidebar link only shown when user has 2+ tenants
• Active tenant stored in session cookie (km_active_tenant)

Fixes

• get_user_tenant_ids now impersonation-aware — all routes work correctly during impersonation
• Platform admins auto-enrolled in Console apps on login regardless of registration policy

v2.0.0 (2026-03-17)

Per-Tenant Console Isolation

• Each tenant now gets its own Console app ({Tenant Name} Console), auto-created on tenant bootstrap
• Tenant admin access is determined by admin role on the per-tenant Console app (replaces UserTenantRole)
• Platform admins access tenant contexts via impersonation, not enrollment
• Tenant creation now requires an admin email — no orphan tenants

Platform Admin Impersonation

• Platform admins can impersonate any tenant admin (Console-only, no SSO tokens issued)
• Session-scoped via km_impersonate cookie (1-hour TTL)
• All impersonated actions logged with impersonated_by in audit trail
• Visible to tenant admins in their audit log

SDK Developer Docs Portal

• Full SDK documentation at /docs/ (also accessible from Console sidebar)
• LLM-digestible endpoints: /llms.txt, /llms-full.txt
• OpenAPI/Swagger moved to /api/docs
• build-docs.sh script for regenerating docs on feature changes
• Version display in Console sidebar footer

Breaking Changes

• UserTenantRole table deprecated — tenant admin access now via per-tenant Console app enrollment
• Console JWT audience changed from app ID to keymaster-console

v1.0.1 (2026-03-17)

Fixes

• Docs routing: handle .md extensions in URLs
• Swagger/OpenAPI moved to /api/docs (was /docs)
• Landing page updated with SDK docs link

v1.0.0 (2026-03-17)

Initial public release.

Authentication

• Password + Google + GitHub + Microsoft + Apple OAuth (shared provider registration)
• Cross-app SSO via km_sso cookie (8-hour sessions)
• Magic links (passwordless email login, 15-min expiry)
• TOTP 2FA with encrypted secrets + backup codes
• OAuth invite-required flow (policy-aware routing for invite-only apps)

Tokens

• RS256 JWT access tokens (configurable TTL, default 15 min)
• Refresh token rotation with replay detection (30-day rolling window)
• Client credentials grant (POST /auth/token, grant_type=client_credentials)
• Service tokens with scope enforcement (push:send)

User Management

• Three-tier admin: platform admin → tenant admin → app admin
• App roles: user, manager, admin (standardized)
• Manager role: invite/revoke users only, no config access
• Invite system with email delivery, per-app branding, expiration
• Password policy: 16-char minimum, configurable per tenant

Console

• Full admin Console with dark/light theme
• App configuration: branding, auth methods, token TTLs, redirect URIs
• User management: invite, roles, suspend, rate limit viewer
• Tenant admin dashboard with admin management
• Audit log viewer with filtering and pagination
• Session management (view/revoke active SSO sessions)
• In-app help system (role-scoped, searchable)

Infrastructure

• App logo upload (base64 encoded, served via public endpoint for emails)
• Outbound webhooks (HMAC-SHA256 signed, retry with backoff, SSRF protection)
• Redis session store (OAuth state, SSO cache, rate limiting)
• Health check endpoint (GET /health)
• Email infrastructure (Postfix DKIM, branded templates)
• Auto-apply migrations on startup
• OIDC discovery + JWKS endpoints

Security

• Argon2id password hashing
• TOTP secret encryption (AES-256-GCM)
• Push token encryption at rest
• Webhook URL SSRF validation (blocks private/reserved IP ranges)
• Rate limiting (Redis + in-memory fallback, auto-clear on success)
• Refresh token replay detection with automatic revocation