VellaVeto 6.0.0

paolovella released this 28 Feb 16:40
· 920 commits to main since this release
Immutable release. Only release title and notes can be modified.

Highlights

  • Repositions VellaVeto as a security-first control plane for MCP and AI agent tool calls, built around a fail-closed runtime gateway.
  • Completes the v6 foundation (phases 36-72) across runtime enforcement, IAM, discovery, analytics, compliance, deployment, and ecosystem tooling.
  • Ships Consumer Shield, including PII sanitization, encrypted local audit, session isolation, stylometric resistance, warrant canary support, and shield pipeline hardening.
  • Adds the admin console, setup wizard, inventory and posture APIs, billing/signup flows, policy lifecycle workflows, and expanded topology runtime wiring.
  • Expands the SDK and developer surface with Python, TypeScript, Go, and Java clients, framework integrations, a VS Code extension, Terraform provider, Helm chart, and Kubernetes operator.
  • Adds major security and assurance depth: centralized audit store, compliance evidence packs, OWASP ASI coverage, formal verification assets, MCPSEC benchmarking, and continued fail-closed hardening.
  • Aligns packaging and public docs for the 6.0.0 release, including current package versions, current install names, and the repository-wide multi-license model.

Included In This Release

Control Plane And Gateway

  • MCP-native stdio and HTTP gateway hardening across transports.
  • Topology discovery runtime with recrawl scheduling and live wiring.
  • Inventory routes and posture types for operator-facing visibility.
  • Policy lifecycle APIs and approval workflows.
  • Hosted signup, billing, and metering foundations.

Identity, Security, And Compliance

  • Expanded IAM, RBAC, OIDC, SAML, DPoP, federation, and tenant-aware controls.
  • Compliance evidence packs and broader framework coverage.
  • Centralized audit store, verification, ZK audit surfaces, and observability exporters.
  • Ongoing adversarial hardening through 231 audit rounds and 9,000+ tests.

Consumer And Ecosystem

  • Consumer Shield binaries and shield-specific runtime protections.
  • create-vellaveto setup wizard.
  • Python, TypeScript, Go, and Java SDK updates.
  • Marketplace, deployment, and release-facing documentation refresh.

Breaking Changes / Upgrade Notes

  • The project is now fully branded as VellaVeto (replacing older Sentinel naming throughout binaries, paths, and docs).
  • Package coordinates have changed or been normalized:
    • Python package: vellaveto-sdk
    • TypeScript package: @vellaveto-sdk/typescript
    • Java artifact version examples now target 6.0.0
  • Licensing is now repository-wide multi-tier open core:
    • MPL-2.0 for core and consumer surfaces
    • Apache-2.0 for canary and benchmark tools
    • BUSL-1.1 for enterprise surfaces
      See LICENSING.md for exact boundaries.
  • If you are upgrading older configs, revalidate policy and config files against the current schema before rollout. Important changes across this release line include field-name normalization in policy rules and wizard-generated TOML.
  • Container examples and release-facing docs now target ghcr.io/paolovella/vellaveto:6.0.0.

Verification

  • Main branch includes release-prep packaging metadata cleanup and documentation sync.
  • Public docs, package versions, and package license metadata now match the 6.0.0 release line.

Full Changelog

See the commit history from v3.0.0 to v6.0.0 for the full change set.