
1.1.0 — Session scoring


dmichael-fastly released this 08 Jun 17:53

Edge session scoring lands as the headline feature for 1.1.0, alongside a security hardening pass and operator-tunable scorer URL exclusion.

Highlights

  • Edge session scoring — Fastly Compute scorer + 6-snippet VCL preflight (recv / pass / fetch / deliver / miss / enforce) with AES-GCM session cookies carrying a rotating sid and the L2 transition state. L1 (cookie compliance + timing) and L2 (PageRank-trained transition matrix) produce a combined 0–100 score on every request.
  • Admin UI at /admin/session-scoring — live ROC-AUC against operator labels, score-distribution / top-reasons / matrix-staleness cards, threshold slider with counterfactual flag/pass preview, ROC + PR curves, per-reason AUC breakdown, label CRUD with click-to-view-events, matrix retrain + version history + rollback, AES key rotation, operator audit log.
  • Live edge enforcement — operator commits a threshold and a response code (default 429, operator-overridable to 403 / 451 / 503 / any 4xx-5xx). The enforce snippet rejects requests whose score meets the threshold on the post-scoring restart, within seconds of the commit.
  • URL exclusion regex override — per-service regex telling the scorer which URLs to skip; defaults to the built-in static-asset extension list. Every override passes three validation layers (input policy → falco static analysis → Fastly VCL compiler) before any VCL ships. A focused orchestrator swaps only the recv snippet, so a change goes live in ~5–15 s.
  • Security hardening across the FastAPI backend, Fastly VCL, Next.js frontend, and Rust scorer — trust-boundary normalisation, destructive-op token auth, DuckDB user-SQL parse-tree validator, VCL header & cache discipline, cross-tenant scope enforcement, path-traversal cages, SSH host-key pinning, and scorer signal tightening.
  • Dashboard performance — DuckDB connection pool, hourly Top-N rollup precomputation pipeline, bounded cache primitive, streaming Suspense skeletons on admin routes.
  • Reliability — cron-progress reaping fixes, state_sync merge guards closing a class of "remote-overwrites-code-managed-state" data-loss paths, per-key in-flight collapse in the analytics cache.
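The following is an added example, not code from this project, showing the shape of the scoring and admin-side pipeline the highlights describe: an L1 score from cookie compliance and timing, an L2 score from a transition matrix, their combination into a 0–100 score, the threshold slider's counterfactual flag/pass preview, ROC-AUC against operator labels, and the 4xx/5xx check on the enforce response code. The matrix (a row-normalised stand-in for the PageRank-trained one), the L1 point rules, the 50/50 combination weight, the surprisal scaling and the five sessions are all constructed assumptions; the real scorer's rules are not on this page.

```python
# Added example (not the project's own code). The matrix, the L1 rules, the
# combination weights and the sessions are constructed assumptions.
from __future__ import annotations

import math
from typing import Sequence

# --- L2: transition matrix (assumed stand-in for the PageRank-trained one) ---
# P[a][b]: probability that a human session moves from page a to page b.
# Rows sum to 1. Constructed data.
TRANSITIONS: dict[str, dict[str, float]] = {
    "/":         {"/": 0.10, "/products": 0.70, "/cart": 0.10, "/checkout": 0.10},
    "/products": {"/": 0.20, "/products": 0.40, "/cart": 0.35, "/checkout": 0.05},
    "/cart":     {"/": 0.10, "/products": 0.30, "/cart": 0.10, "/checkout": 0.50},
    "/checkout": {"/": 0.40, "/products": 0.40, "/cart": 0.15, "/checkout": 0.05},
}
FLOOR = 1e-3                        # probability given to transitions never seen
MAX_SURPRISAL = -math.log(FLOOR)    # worst possible mean surprisal, used to scale


def l2_score(path: Sequence[str]) -> float:
    """0-100 risk from how unlikely the observed page-to-page transitions are.
    Mean per-transition surprisal (nats) under the matrix, scaled so a session
    made only of never-seen transitions scores 100 (assumed scaling)."""
    if len(path) < 2:
        return 0.0                  # nothing to judge yet
    total = 0.0
    for a, b in zip(path, path[1:]):
        p = TRANSITIONS.get(a, {}).get(b, FLOOR)
        total += -math.log(max(p, FLOOR))
    mean = total / (len(path) - 1)
    return min(100.0, 100.0 * mean / MAX_SURPRISAL)


def l1_score(cookie_returned: bool, cookie_valid: bool, min_gap_ms: float) -> float:
    """0-100 risk from cookie compliance and timing (assumed point rules)."""
    score = 0.0
    if not cookie_returned:
        score += 60                 # never echoed the AES-GCM cookie back
    elif not cookie_valid:
        score += 80                 # returned a cookie that failed to authenticate
    if min_gap_ms < 100:
        score += 40                 # sub-human request spacing
    elif min_gap_ms < 500:
        score += 15
    return min(100.0, score)


def combined_score(l1: float, l2: float, w1: float = 0.5) -> int:
    """Assumed combination rule: weighted mean clipped to the 0-100 range."""
    return int(round(min(100.0, max(0.0, w1 * l1 + (1.0 - w1) * l2))))


# Constructed sessions: (path, cookie_returned, cookie_valid, min_gap_ms, label)
# label 1 = operator labelled bot, 0 = operator labelled human.
SESSIONS = [
    (["/", "/products", "/cart", "/checkout"], True, True, 1800, 0),
    (["/", "/products", "/products", "/"], True, True, 2500, 0),
    (["/checkout"] * 5, False, False, 40, 1),
    (["/", "/checkout", "/checkout", "/checkout"], True, False, 80, 1),
    (["/products", "/cart", "/checkout"], True, True, 300, 0),  # quick but human-shaped
]


def score_all() -> list[int]:
    return [combined_score(l1_score(ret, ok, gap), l2_score(path))
            for path, ret, ok, gap, _ in SESSIONS]


def labels() -> list[int]:
    return [s[4] for s in SESSIONS]


def roc_auc(scores: Sequence[float], y: Sequence[int]) -> float:
    """Mann-Whitney AUC: P(bot score > human score), ties count one half."""
    pos = [s for s, lab in zip(scores, y) if lab == 1]
    neg = [s for s, lab in zip(scores, y) if lab == 0]
    if not pos or not neg:
        raise ValueError("AUC needs at least one label of each class")
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def threshold_preview(scores: Sequence[float], y: Sequence[int], threshold: float) -> dict[str, float]:
    """Counterfactual for the threshold slider: share flagged, plus TPR/FPR versus labels."""
    flagged = [s >= threshold for s in scores]
    tp = sum(1 for f, lab in zip(flagged, y) if f and lab == 1)
    fp = sum(1 for f, lab in zip(flagged, y) if f and lab == 0)
    pos = sum(1 for lab in y if lab == 1)
    neg = sum(1 for lab in y if lab == 0)
    return {"flagged": sum(flagged) / len(scores),
            "tpr": tp / pos if pos else 0.0,
            "fpr": fp / neg if neg else 0.0}


DEFAULT_ENFORCE_STATUS = 429


def enforce_status(code: int | None) -> int:
    """Response code the enforce snippet sends: default 429, any 4xx/5xx allowed."""
    if code is None:
        return DEFAULT_ENFORCE_STATUS
    if not 400 <= code <= 599:
        raise ValueError(f"enforce status must be 4xx or 5xx, got {code}")
    return code


if __name__ == "__main__":
    s, y = score_all(), labels()
    print("scores", s, "auc", roc_auc(s, y), "preview@50", threshold_preview(s, y, 50))
```

Two things worth noticing when running it: the two labelled-bot sessions score 72 and 70 while the fastest human session scores 14, so the preview at a threshold of 50 flags 40% of traffic with TPR 1.0 and FPR 0.0, and AUC is 1.0; lowering the slider to 10 also flags the quick human session, which is exactly the trade-off the counterfactual card is there to show before a threshold is committed.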

Full details, including the security capability breakdown, reliability fixes, performance work, and infrastructure / dependency changes, are in CHANGELOG.md.
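As an added example (not the project's own code), the input-policy layer of the URL exclusion override, followed by the skip decision the scorer makes with it. The length cap, the control-character and double-quote rejections, the nested-quantifier heuristic, the default extension list and the sample URLs are assumptions; the falco and Fastly VCL compiler layers that the release places after this one are not reproduced here, and a pattern that passes Python's `re` can still be rejected by them, which is why those layers exist.

```python
# Added example (not the project's own code). Limits, heuristics, the default
# extension list and the sample URLs are assumptions.
from __future__ import annotations

import re
from urllib.parse import urlsplit

MAX_PATTERN_LEN = 512   # assumed cap on operator input
# Assumed default: the built-in static-asset extension list.
DEFAULT_EXCLUSION = r"\.(css|js|map|png|jpe?g|gif|svg|ico|webp|woff2?|ttf)$"
# Crude backtracking heuristic: a quantified group that is itself quantified, e.g. (a+)+
_NESTED_QUANTIFIER = re.compile(r"\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)[+*{]")


class PolicyError(ValueError):
    """Raised when an operator-supplied pattern fails the input policy."""


def validate_exclusion_pattern(pattern: str) -> str:
    """Layer 1 of 3: reject input the later VCL layers should never see."""
    if not pattern.strip():
        raise PolicyError("empty pattern")
    if len(pattern) > MAX_PATTERN_LEN:
        raise PolicyError(f"pattern longer than {MAX_PATTERN_LEN} characters")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in pattern):
        raise PolicyError("control character in pattern")
    if '"' in pattern:
        raise PolicyError("a double quote would terminate the VCL string literal")
    if _NESTED_QUANTIFIER.search(pattern):
        raise PolicyError("nested quantifier (catastrophic backtracking risk)")
    try:
        re.compile(pattern)
    except re.error as exc:
        raise PolicyError(f"pattern does not compile: {exc}") from None
    return pattern


def policy_ok(pattern: str) -> bool:
    """True if the pattern passes the input policy, False otherwise."""
    try:
        validate_exclusion_pattern(pattern)
    except PolicyError:
        return False
    return True


def should_skip(url: str, pattern: str | None = None) -> bool:
    """Would the scorer skip this request? Matches the path only, never the
    query string, so /login?next=/x.css is still scored."""
    pat = validate_exclusion_pattern(pattern or DEFAULT_EXCLUSION)
    return re.search(pat, urlsplit(url).path) is not None


# Constructed sample requests
SAMPLE_URLS = [
    "/assets/app.js",        # static asset: skipped
    "/login?next=/x.css",    # query string must not trigger exclusion
    "/api/orders/123",       # scored
    "/fonts/inter.woff2",    # skipped
]


def skip_report(pattern: str | None = None) -> dict[str, bool]:
    return {u: should_skip(u, pattern) for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, skipped in skip_report().items():
        print(f"{'skip ' if skipped else 'score'} {url}")
```

The path-only match is the caveat to carry into the recv snippet: in VCL, `req.url` includes the query string, so an extension regex anchored with `$` must be applied to `req.url.path` (or the query stripped first), otherwise a request can opt out of scoring by appending `?x=.css`.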