ThreatForge v0.6.9

ThreatForge v0.6.9

English cleanup and README screenshots release.

Highlights

• Translated remaining UI labels, report strings and internal text to English.
• Added sanitized demo screenshots to the README.
• Added screenshots for Dashboard, Indicators, Brand monitoring, Users, Audit trail and Operations/Tenants.
• Used fictional tenant, brand, observable and user data.
• Confirmed tenant isolation selftest still passes.

Security notes

• Screenshots use fictional demo data only.
• No real customer data, credentials, tokens or API keys were added.
• Local demo data remains ignored through .local/.
• Invitation tokens remain redacted in logs.

ThreatForge v0.6.8

ThreatForge v0.6.8

Community roadmap and public backlog release.

Highlights

• Updated README roadmap.
• Separated completed public readiness work from future roadmap work.
• Added docs/ROADMAP.md.
• Documented current Community baseline.
• Documented planned v0.7, v0.8, v0.9 and v1.0 work.
• Added contributor-oriented roadmap structure.
• Created public backlog labels and roadmap issues for future community contributions.

Security notes

• Completed public readiness work remains documented separately.
• Enterprise implementation remains isolated in the private threatforge-enterprise repository.
• Community roadmap only references public adapters, documentation and extension points.

ThreatForge v0.6.7

ThreatForge v0.6.7

Public readiness check release.

Highlights

• Added public readiness check summary.
• Confirmed no committed .env file.
• Confirmed gitleaks history scan reported no leaks.
• Confirmed Bandit reported no issues.
• Confirmed pip-audit reported no known vulnerabilities.
• Confirmed Semgrep OSS reported 0 findings.
• Confirmed Trivy filesystem scan was clean for scanned config scope.
• Confirmed Trivy image scan reported 0 CRITICAL/HIGH fixable vulnerabilities.
• Confirmed Docker build and isolation selftest passed.
• Confirmed invitation tokens remain redacted in logs.
• Confirmed Enterprise adapter remains optional and does not include premium implementation code.

Security notes

Generated raw scan outputs remain local under security-reports/ and are intentionally ignored by Git.

ThreatForge v0.6.6

ThreatForge v0.6.6

Optional Enterprise adapter tests release.

Highlights

• Added tests for the optional Enterprise adapter.
• Covered behavior when the Enterprise package is unavailable.
• Covered Enterprise license status handling.
• Covered Enterprise feature availability checks.
• Covered premium PDF generation bridge behavior.
• Confirmed adapter unit tests pass.
• Confirmed Community selftest still passes.

Security notes

• Community continues working when the private Enterprise package is not installed.
• Enterprise feature checks fail closed when Enterprise is unavailable or errors.
• Premium implementation remains isolated in the private threatforge-enterprise repository.
• Invitation tokens remain redacted in mailer logs.

ThreatForge v0.6.5

ThreatForge v0.6.5

Optional Enterprise adapter release.

Highlights

• Added optional Enterprise adapter to the Community repository.
• Added app/enterprise_adapter.py.
• Added Enterprise package detection.
• Added Enterprise license status lookup.
• Added Enterprise feature availability checks.
• Added optional premium PDF generation bridge.
• Added docs/ENTERPRISE_ADAPTER.md.
• Updated README with Optional Enterprise Adapter documentation.

Security notes

• No premium Enterprise implementation code was added to the Community repository.
• Community continues working normally without the private Enterprise package.
• Enterprise features remain unavailable unless the private package is installed and licensed.
• Premium implementation remains isolated in the private threatforge-enterprise repository.

ThreatForge v0.6.4

ThreatForge v0.6.4

Security hardening release.

Highlights

• Masks invitation tokens when e-mail content is written to logs.
• Preserves full invitation links for real SMTP delivery.
• Preserves API/UI invite_link behavior for local development without SMTP.
• Confirms tenant invitation flow still works through the isolation selftest.

Security note

This reduces accidental exposure of single-use invitation tokens in development logs while keeping the no-SMTP local development workflow usable.

ThreatForge v0.6.3

ThreatForge v0.6.3

Product strategy and Community/Enterprise split release.

Highlights

• Added PRODUCT_STRATEGY.md.
• Documented ThreatForge Community Edition as the future public open source repository.
• Documented ThreatForge Enterprise Edition as a future private commercial repository.
• Clarified that premium Enterprise implementation code must not be placed inside the public Community repository.
• Updated README with a Product Strategy section.

Notes

This is a documentation and product architecture release. No application runtime behavior was changed.

ThreatForge v0.6.2

ThreatForge v0.6.2

Selftest hardening and security scanner cleanup release.

Highlights

• Replaced assert statements in the isolation selftest with explicit RuntimeError checks.
• Removed synthetic hardcoded password literals from the selftest.
• Cleaned remaining Portuguese text in the selftest.
• Confirmed the isolation selftest still passes.
• Confirmed Bandit returns no issues identified.

Security validation

• Bandit: no issues identified.
• Isolation selftest: passed.
• CI: validated through PR #6.

ThreatForge v0.6.1

ThreatForge v0.6.1

Open source readiness, English i18n and baseline security hardening release.

Highlights

• Translated README to English.
• Standardized backend, selftest, reports, alerts and UI messages in English.
• Added and validated CI workflow.
• Added open source governance files: SECURITY.md, CONTRIBUTING.md and CODE_OF_CONDUCT.md.
• Removed legacy master branch confusion and standardized main as the default branch.
• Added Docker HEALTHCHECK.
• Updated Docker base image to python:3.12-slim-bookworm.
• Upgraded base packages and pip during image build.
• Replaced manual frontend HTML escaping with DOM-based escaping.
• Ignored local security scan outputs through .gitignore.

Security validation

Baseline checks included:

• selftest isolation validation;
• Semgrep review;
• Bandit review;
• Trivy filesystem scan;
• Trivy image scan;
• Critical/High fixable image vulnerabilities checked with Trivy using --ignore-unfixed.

Notes

Some low-risk Bandit findings remain in the local selftest script due to assert usage and synthetic test credentials. These are not production secrets and should be addressed in a future test-hardening task.

ThreatForge v0.6.0 — Multi-tenant, support operators and tenant isolation

ThreatForge v0.6.0

First stable multi-tenant release of ThreatForge.

Highlights

• Multi-tenant architecture with strong tenant isolation.
• Platform operator onboarding.
• Tenant-scoped users with admin, analyst and viewer roles.
• Platform roles: platform_admin, support_operator and support_viewer.
• Support access restricted by tenant assignment.
• Invite flow by e-mail with hashed token, expiration and single use.
• Tenant-scoped API keys.
• Audit logs with user, operator, tenant, IP and user-agent context.
• Automated isolation selftest covering admin, support and client flows.
• Updated README with installation, .env configuration and validation steps.

Validation

The following checks were validated before release:

Healthcheck: OK
ThreatForge version: 0.6.0
Multi-tenant selftest: OK
Client A login: OK
Client B login: OK
Support restricted to Client A: OK
Tenant isolation: OK

Expected selftest output:

ISOLAMENTO + CONVITES + PAPÉIS DE OPERADOR: TODOS OS TESTES PASSARAM ✅

Recommended installation

cp .env.example .env

openssl rand -hex 32
openssl rand -hex 32
openssl rand -hex 32

vi .env
docker compose up -d --build
curl http://localhost:8000/health
docker compose exec api python -m app.selftest_isolation

Required minimum .env values:

API_KEY=<generated_value>
POSTGRES_PASSWORD=<generated_value>
JWT_SECRET=<generated_value>
COOKIE_SECURE=false
APP_BASE_URL=http://localhost:8000

Notes

This version is intended for local testing, development, research and defensive CTI/DRP workflows.

Before production usage, review secrets management, HTTPS, cookie security, CORS, SMTP, logging policy, dependency audit and infrastructure hardening.