Linha do tempo de releases

v1.0.5

2026-03-23

ÚLTIMO

Scan Reliability Hotfixes

• OpenGrep macOS heavy-ruleset fixinteractive scans on macOS and Windows now compact large rule-config selections into a temporary directory proactively, avoiding unstable runs with hundreds of direct --config=... flags.
• Dependency scanner OSV SwiftPM fixdependencies from Package.resolved are no longer sent to OSV with the unsupported SwiftPM ecosystem, preventing one unsupported package manager from poisoning an entire vulnerability batch.
• OSV bad-batch isolationwhen OSV rejects a dependency batch with 400, the scanner now recursively splits the batch to isolate only the invalid dependency instead of dropping the whole set.
• Regression coverage expandedadded dedicated tests for Darwin heavy-ruleset OpenGrep compaction, unsupported SwiftPM OSV skipping, and resilient OSV batch isolation.

v1.0.4

2026-03-23

Ruleset Parsing & CWE Taxonomy

• CWE taxonomy load fixOryon Results no longer fails to build the rule-to-CWE index when bundled rule fixtures contain multi-document YAML.
• Rule config parsing alignedthe results taxonomy loader and ruleset inventory now share the same rule-config parser, ignore .test.* fixtures, and accept multi-document rule files safely.
• Regression coverage addeddedicated tests now lock the .test.yaml exclusion behavior and multi-document rule parsing across taxonomy and ruleset inventory paths.

v1.0.3

2026-03-17

Oryon Results Filters & Layout

• Faceted results filteringOryon Results now filters mixed scan output by source (All, Code, Dependencies), language, and CWE so teams can isolate the exact slice they need.
• Consistent dropdown UXLanguage, CWE, and Sort now use the same custom dropdown pattern and responsive toolbar layout, avoiding overlapping controls in narrower panels.
• Filtered export parityJSON/CSV exports now respect the currently filtered result set instead of always exporting the full dataset.
• Dependency detail overflow fixtechnical advisory content now wraps correctly in the details panel, with horizontal scrolling limited to code/diff blocks instead of the whole card.

Oryon Hub Scan Tracker

• Stage-based tracker redesignreplaced the old scan pill with a compact staged tracker in the Hub covering Collect, Scan, AI Triage, Enrichment, Sync, and Done.
• Clearer AI separationthe previous combined AI phase is now split into AI Triage and Enrichment so users can tell what the pipeline is doing.
• More stable progress semanticstracker percentages are now normalized for display so they do not start at a false 100%, regress between AI phases, or lose short-lived stages due to throttling.
• Terminal states cleaned upcompletion, cancellation, and failure states now stay visible briefly with explicit final status before the tracker clears.

v1.0.2

2026-03-14

AI Triage & Billing Flow

• Deterministic triage expansionstronger structural proofs now auto-drop additional safe cases across path confinement, typed deserialization, template auto-escaping, secure cookie flags, and constant/trust-boundary scenarios.
• Billing block handling unifiedupload and project-link flows now surface backend 402 subscription limits consistently, including upgrade links and enriched local exceptions.
• Dashboard sync flow simplifiedlocal scans no longer pre-emptively stop sync status handling based on stale quota checks in the extension UI.

Windows Scan Reliability

• OpenGrep Windows arg-limit fixoversized interactive ruleset selections now compact into a temporary config directory before execution, preventing ENAMETOOLONG failures on Windows workspaces with large active rulesets.
• Planner behavior preservedcompacted rule execution still keeps heavy-ruleset planning and concurrency limits aligned with the original selected config count.
• Regression coverage expandedadded dedicated tests for compacted Windows config execution and planner stability under heavy rulesets.

Project Linking & Dashboard Handoff

• Dashboard project creation link hardenedthe extension now builds the dashboard /projects/new URL from an explicit helper so name and repo_hash always survive handoff intact.
• Clearer follow-up guidance after web handoffwhen project creation is deferred to the dashboard, the extension now tells the user to rerun Oryon: Link Project or launch a new scan after finishing the web flow.
• Regression coverage added for dashboard handoffadded a dedicated unit test to lock the generated dashboard creation URL contract.

v1.0.1

2026-03-13

AI Triage Evidence Engine

• Structured evidence IRtriage now extracts reusable evidence blocks and deterministic drop hypotheses before model escalation.
• Proof-first 2-pass reviewPass A promotes semantic-safe candidates with stronger proof ranking, while Pass B acts as an explicit verifier with adaptive batching and safer split behavior.
• Broader language-aware reasoningexpanded support for multiline helpers, overwrite patterns, path proofs, command proofs and output-encoding checks.
• Telemetry and regression coverage expandedadded richer family stats, prefilter/triage counters, and dedicated unit suites for evidence and semantic candidate handling.

Scan Profiles & Deterministic Prefilter

• Production ruleset profilesinteractive scans can switch between production_security and full, with production_security as the default for cleaner actionable results.
• Deterministic prefilter redesignfindings are now filtered through structural and semantic proofs with blocker tracking instead of path-only heuristics.
• OpenGrep planning hardeninglarge repositories are bucketed with explicit argument-budget awareness to keep scans stable and predictable.
• Ruleset/profile controls exposedthe new scan profile setting is available directly in extension configuration.

Benchmark & Evaluation Tooling

• Cross-repo ground-truth workflowadded dataset import, materialization and local-registration utilities for OWASP Benchmark, Juliet and Vul4J.
• Official cohort runnerheadless evaluation can now execute reproducible benchmark cohorts across multiple repositories with stronger per-run telemetry.
• Reporting and scoring refreshbenchmark reports and scorers now support repo-specific ground truth, normalized local commits and larger cohorts.
• Evaluation docs expandeddocumented the official cohort workflow, repo feedback loop, ruleset profiles and the new prefilter strategy.

Shared False Positives

• Fingerprint alignment fixfalse-positive suppression fingerprints now match the API contract, preventing restore/filter mismatches for shared suppressions.

Packaging & Distribution

• VSIX cleanuprelease packages no longer include local build env files, eval configs, test stubs, backup assets or unused logo variants, trimming the universal artifact without changing runtime behavior.

v1.0.0

2026-03-10

AI Triage Maturity & Precision

• Semantic false-positive reviewPass A now detects semantic-safe patterns before escalation, while Pass B keeps the final conservative decision.
• Helper-aware context injectionneutral findings can include nearby helper blocks and mitigation code so AI decisions are grounded in local project behavior.
• Stronger guardrailsadded visible-secondary-risk vetoes, command execution locality hardening, Kotlin safe-flow coverage, and stricter conservative keeps for ambiguous code.
• Deterministic cache reuserepeated exact contexts are deduplicated and persisted for headless evaluation and repeated scans, reducing latency and model spend.
• Headless evaluation workflowadded benchmark/report tooling and semantic triage counters so triage quality can be measured and tuned systematically.

Scan Reliability & Noise Reduction

• Monolithic OpenGrep execution restoredlarge mixed repositories now prefer a stable all-in-one scan plan again where it performs better than fragmented execution.
• Unsupported-flag resiliencethe scanner now strips incompatible optional OpenGrep flags instead of failing scans on older binaries.
• .gitignore supportworkspace scans, single-file scans and dependency lockfile discovery now skip files ignored by the repository itself.
• Stronger finding identitycode findings now carry snippet hashes and stronger IDs to avoid collisions between same-rule findings on the same line.

Authentication & Onboarding

• First-login onboarding supportthe extension now handles backend onboarding_required responses instead of failing generic login flows.
• Unified login coverageGoogle, SSO, Enterprise SSO and Magic Link flows all preserve onboarding continuation when identity is valid but workspace setup is pending.
• Embedded onboarding UIusers can complete independent, create_company, or join_company directly from the login webview.

Oryon Hub & Project Workflows

• More visible project linkingunlinked repositories now show a highlighted CTA banner in the Hub, plus explicit link/unlink controls.
• Dashboard shortcutadded direct Open dashboard access from the Hub footer.
• Manage false positiveslinked repositories can restore shared false positives directly from the Hub.
• Workspace actions cleaned upscan, results, workspace switching and project actions are now wired consistently through the Hub webview.

Shared False Positives

• Red action in resultscode vulnerabilities now expose a False positive button next to Open issue.
• Confirmation before suppressionfalse positives require explicit confirmation before being hidden.
• Shared suppression cacheonce marked, a finding is filtered before triage, enrichment, upload, diagnostics and results for the exact repository.
• Restore flowshared false positives can be restored from the Hub without leaving VS Code.

Developer Experience

• OpenAPI sync refreshedgenerated API types now include onboarding and finding-suppression contracts.
• Expanded unit coverageadded tests for onboarding-preserving auth flows and stronger fingerprint generation.

v0.5.0

2026-02-27

AI Triage 2-Pass Engine (Major)

• Two-pass AI triage pipeline(rewrote/deleted on 1.0.0): introduced a dedicated Pass A candidate phase and Pass B reviewer phase for false-positive reduction with explicit keep/drop reasoning.
• Family-aware triage routing(rewrote/deleted on 1.0.0): findings are grouped into security families (sql_nosql_injection, xss_template, command_exec, auth_access, crypto_secrets, path_file, deserialization_ssrf_xxe, misc) before model evaluation.
• Structured schema validation for model outputtriage responses are normalized and validated to guarantee stable id/decision/reason contracts.
• Fail-safe behaviorwhen triage cannot issue a reliable decision (provider issues, invalid payloads, timeouts), findings default to keep.

Triage Decision Quality & Safety(rewrot/changed on 1.0.0)

• LLM-first final decisioningtriage no longer performs forced heuristic drop actions in the AI stage; heuristics are now used as contextual hints only.
• High-severity guardrailsCRITICAL (and HIGH outside generated assets) remain protected from aggressive dropping.
• Risk-language guardraildrop reasons that indicate explicit exploitability/risk are automatically converted to keep for analyst safety.
• Improved reason quality policyprompts now enforce concrete evidence-based rationale format with local anchors from snippet/context.
• Consistency metricsadded and stabilized triage counters (passADropCandidates, passBDropConfirmed, passBVetoedToKeep, forcedDrops) for clear runtime diagnostics.

Project Context Intelligence (Framework-Agnostic)

• Project mitigation context indexingtriage now scans the repository for local security helper definitions and injects relevant related definitions per finding.
• Broader language/template support in context extractionexpanded source/template recognition to better cover mixed modern stacks and heterogeneous codebases.
• Safer route-helper inferenceroute helper shortcuts are now constrained by framework context to reduce framework-specific false assumptions.

Streaming AI Pipeline (Latency & Cost)

• Streaming orchestration addedenrichment starts as soon as triage emits kept batches, without waiting for full triage completion.
• Code pipeline decouplingtriage and enrichment now operate as separate services with controlled concurrency and deterministic ordering.
• Selective enrichmentonly keep findings proceed to AI enrichment, reducing unnecessary token usage and end-to-end latency.

Sidebar & Settings UX

• New triage strategy setting in sidebarusers can select conservative, balanced, or aggressive directly in configuration UI.
• Persistent strategy preferencetriage strategy selection is now persisted globally across sessions/workspaces.
• Status messaging updatesscan lifecycle now explicitly reports triage phase and AI pipeline progression.

Scan/Schema Hardening

• Default exclusions tightenedimproved workspace scan noise filtering for generated/minified assets and bulky frontend artifact paths.
• Built-in excludes always enforceduser-defined excludes now extend defaults rather than replacing them.
• Enrichment schema resiliencenormalized AI payload edge cases (e.g., impact arrays, unknown complexity values) to avoid enrichment failures.
• Cache version bumpsenrichment and triage persistent cache keys were updated to ensure clean rollout of new behavior.

Test Coverage & Documentation

• New triage unit suitesadded dedicated tests for family routing, prefiltering, streaming triage/enrichment pipeline, guardrails, and stats consistency.
• Architecture docs for triage flowadded internal design reference for the two-pass AI triage model.

v0.4.5

2026-02-23

Dependency Update Intelligence (Security + Upgrade Strategy)

• Update classification addeddependency vulnerabilities now include structured update strategy metadata (recommended_version, update_kind, security_context, major_jump_count, requires_intermediate, upgrade_path, analysis_confidence).
• Large-jump detectionwhen the fixed target implies a major version gap, the extension flags staged migration risk and recommends intermediate upgrade steps.
• Deterministic + AI update notesvulnerabilities now include actionable update notes (summary, security_changes, breaking_changes, migration_steps, sources, confidence) synthesized from OSV/advisory context and enrichment output.

Target Compatibility Analysis (Multidomain)

• Target-aware compatibility impactsfindings and dependency vulnerabilities now include compatibility impacts against configured targets (browser, runtime, framework, toolchain).
• JS browser compatibility surfacedbrowser-targeted incompatibilities are now reported with explicit unsupported-version context when available.
• Config-driven behaviorcompatibility analysis is controlled via settings and remains informational (it does not alter finding severity).

UI & Data Contract for Dependency Insights

• Results UI expansiondependency cards now render update strategy, update notes, and target compatibility sections in the extension results view.
• Upload payload enrichmentdependency bulk upload now sends top-level dependency update fields and keeps backward-compatible mirrors in enriched_json.
• OpenAPI syncextension API types were regenerated to align with dependency vulnerability contract updates.

Project Linking UX (Enterprise)

• Explicit link/unlink workflowadded Oryon: Link Project and Oryon: Unlink Project commands to manage workspace-to-project binding directly, without hidden cancellation flows.
• Action-based project pickerproject selection now exposes explicit actions to select existing, create from extension, or open dashboard project creation with prefilled name and repo_hash.
• No more ESC-dependent create pathcreating or linking a project is now discoverable and intentional from the picker itself.
• Workspace-safe unlinkingunlink removes only local workspace mapping and never deletes remote projects.
• Sidebar visibilitysidebar now shows live project link status and dynamically toggles action between Link project and Unlink project.
• Project-link refresh lifecycleproject link state refreshes after auth/profile sync, workspace switch, and successful uploads.

Reliability & Test Coverage

• Project cache metadata extensionlocal project mapping now stores optional project name alongside project ID for better UX context.
• Cleaner ensure flowensureProject now uses structured picker actions and clearer terminal states (selected, created, dashboard, cancelled).
• Unit coverage addedtests now validate project picker action outcomes (select, create, open_dashboard, cancel) and support regression safety for enterprise linking flow.

v0.4.4

2026-02-23

Results View Fixes

• Dependency card expansion fixopening one dependency card no longer expands other cards that shared the same advisory ID.
• Details hydration fixopening a finding detail now reliably loads content without requiring Expand all.
• Markdown rendering hardeningfixed mixed markdown/code rendering so placeholder tokens like @@CODE_BLOCK_X@@ are replaced correctly.
• Cleaner rule identifierslong internal rule paths are normalized for display in cards and logs.

AI Enrichment Reliability

• Ephemeral key request deduplicationconcurrent enrichment paths now reuse the same in-flight key request instead of issuing duplicates.
• Schema tolerance improvementsAI enrichment now accepts nullable cwe/owasp and normalizes reference types such as CVE/GHSA.
• Circuit-breaker behavior tuningtimeout/schema issues no longer aggressively trip breaker flow; timeout logging is cleaner and less noisy.

Logging & Diagnostics

• Readable output formatintroduced pretty log format with structured sections, key ordering, truncation/sampling for large payloads, and compact timestamps.
• Configurable format/levelnew settings oryon.logFormat (pretty/json) and oryon.logLevel (debug/info/warn/error).
• Rule sanitization warning fixremoved false-positive sanitize warnings when a configured ruleset path points to a file (e.g. rules/template.yaml).

Cache

• Persistent cache resetenrichment cache storage key bumped from ORYON_ENRICHMENT_CACHE_V4 to ORYON_ENRICHMENT_CACHE_V5.

v0.4.3

2026-02-23

Immediate Local Results + Background Sync (Scan UX)

• Local-first completionworkspace scan now publishes normalized/enriched findings to the UI immediately after enrichment, without waiting for backend upload.
• Upload decoupled from renderdashboard sync now runs in background after local publish, so users can inspect results while sync is still running.
• Run isolation with anti-race guardsscan lifecycle now uses a runId guard to prevent stale callbacks (enrichment/upload from old runs) from overriding active scan status.
• Clearer end statesresults now differentiate between:
• local-ready (Results ready locally ...)
• syncing (Syncing results to dashboard ...)
• synced (Synced to dashboard ...)
• local-only fallback when upload is unavailable/fails.

High-Fidelity Progress Orchestration (Pipeline)

• Structured progress eventsadded across scanner/enrichment/upload layers to report real work instead of generic status text:
• code scan chunk progress (OpenGrep)
• dependency scan stage progress (lockfile discovery/parsing/OSV querying)
• AI enrichment progress (code + dependency streams, cache hits, retries, timeouts, processed totals)
• upload sync progress (project resolution, scan creation, findings chunks, dependency upload).
• Throttled status dispatch(UI-safe cadence) to avoid status spam and unnecessary render pressure while preserving responsive progress.
• Unified status fan-outprogress now consistently feeds VS Code progress notification + results status + sidebar status.

Results Webview Performance & Responsiveness

• Message protocol split
• type: "data" sends dataset only
• type: "ui" sends status/busy/counts/meta only
• optional type: "toast" for non-blocking UX feedback.
• Reduced unnecessary rerendersstatus-only updates no longer force full dataset rerender.
• Background preparation workeradded views/results/worker.js to offload heavy filter/sort/tree model preparation from main thread.
• Best-effort fallbackif worker cannot run, panel automatically falls back to synchronous in-thread preparation.

Expand-All UX Improvements (Non-Blocking)

• No more blocking alertsreplaced window.alert with in-panel toast notifications.
• Filtered-scope expansionExpand all now applies to the currently filtered dataset (not the full raw list).
• Configurable safety capadded oryon.results.maxExpandAll setting (default 40) to control mass expansion limits.
• Runtime config propagationresults panel receives cap dynamically via webview meta payload.

Security/Infrastructure

• Webview CSP updateadded worker-src policy in results view to safely enable web workers for background processing.
• GCM decryption hardeningAiKeyIssuer now enforces a 16-byte AES-GCM authentication tag and passes explicit authTagLength to createDecipheriv, reducing false-positive security findings and tightening crypto validation.

Tests

• New unit coverage for enrichment progressadded monotonic progress assertions to ensure done never regresses and final state reaches done=total.

v0.4.2

2026-02-22

Authentication Provider Parity (Auth)

• 4 Explicit Login Methods in IDEthe login view now exposes dedicated actions for Google, Microsoft SSO, Magic Link, and Enterprise SSO.
• Backend Flow Alignmentextension auth manager now implements explicit sso_url/sso_callback, enterprise_url/enterprise_callback, and magic_link/magic_link_exchange flows, matching WebAPI capabilities.
• SSO Deep-Link Routing FixURI callback handling now correctly routes provider=sso to the SSO callback exchange path instead of defaulting to the Google callback path.
• Clearer Login UX Statesunified button pending/error/success handling in the login webview with provider-specific startup guidance.

Session Refresh Reliability (Auth)

• Cross-Window Session Syncauth now syncs the latest stored session from SecretStorage before access-token checks and refresh attempts.
• Stale Refresh Token Mitigationrefresh flow now retries once with the newest persisted refresh_token when a 401 occurs, reducing false logout scenarios caused by token rotation races.
• Improved Refresh Diagnosticsauth.refresh logs now include backend status and error.code metadata for faster root-cause analysis.

v0.4.1

2026-02-22

Reliability & Security (Critical Security Fixes & Performance Improvements)

• Refresh Token Rotation Supportauth refresh now persists rotated refresh_token values returned by backend, avoiding stale-token loops after tenant/session renewals.
• Concurrent Refresh Coverageexpanded auth unit tests to assert refresh payload correctness and token rotation across consecutive refresh cycles.
• Scan Lifecycle Guardadded a workspace scan in-progress lock to prevent overlapping full scans and race-prone UI states.
• Clearer Results Statusesresults view now reflects explicit completed/cancelled/failed states during workspace scan flow.
• Fast Fix Boundary Validation"Apply Fix" now validates target files against the active workspace root (including realpath checks) and blocks out-of-workspace patch attempts.
• AI Pipeline Safeguardstuned enrichment defaults (timeouts/retries) and circuit-breaker tripping behavior for repeated service pressure and parse-time failures.
• Large Result Set Stabilityresults rendering now auto-disables server-side Shiki highlighting when finding volume exceeds a safe threshold.

Packaging & UI Hardening (Build)

• Binary Integrity Checkspackage download script now validates SHA-256 checksums for OpenGrep binaries and fails fast on mismatch.
• Safer Sidebar Renderingreplaced dynamic innerHTML composition in key sidebar/tooltip/action paths with explicit DOM builders.
• Dependencies Updatedbumped axios to ^1.13.5 and diff to ^5.2.2.

Documentation [Docs]

• Architecture Deep Diveadded a full technical architecture guide for the extension (docs/extension-architecture-deep-dive.md).

v0.4.0

2026-02-18

UI/UX Overhaul (Major)

• Unified Results Experienceremoved the old split between results tree + external summary panel. Findings now live in one richer results webview.
• Full Sidebar Refreshredesigned structure, cards, controls, spacing, labels, and state model to align with the new dashboard-style UX.
• Complete Visual Redesignrebuilt the results shell for list/tree modes with cleaner hierarchy, modernized sorting controls, and better interaction flow.
• VS Code Theme Compatibilitymigrated styling to VS Code design tokens and semantic variables, making the extension compatible with dark, light, and custom themes.
• Live Theme Syncauto, dark, and light apply instantly across webviews without reload.
• Better Readabilityricher markdown rendering (headings, lists, fenced code, inline code), cleaner remediation blocks, and improved advisory structure.
• Multi-Engine Highlightingadded Shiki tokenized rendering with Highlight.js fallback and improved language inference from file path/snippet context.
• Overflow/Clipping Fixesfixed clipping in snippets, code boxes, and diffs; improved wrapping/scroll behavior for long lines.
• Logo Assets Updateadded alternative wide logo variants for dark/light contexts.

Scanning, Ingestion & Data Consistency

• Robust State Handlingimproved scan lifecycle transitions in sidebar/results, including cancellation handling and post-scan trend refresh hooks.
• Pre-Upload Normalizationadded validation and dedup normalization for SAST findings and SCA dependency vulnerabilities.
• Accepted/Rejected Trackingbulk upload now tracks submitted/accepted/rejected counts and duplicate responses.
• Partial Success Feedbackusers now get clearer feedback when backend accepts only part of a batch.
• Local vs Backend Checkslogs explicit warnings when local finding totals differ from backend persisted totals.
• Lockfile Noise Reductionexcluded .ruby-lsp from lockfile discovery to avoid unstable SCA variance across scans.
• Better Vulnerability MappingOSV detail retrieval now resolves unique vuln IDs first, then maps back to all dependency associations.
• Status Copy Normalizationstandardized project resolution/upload progress messages in English.

Developer Experience & Tooling (Build)

• One-Shot Dev Bundleadded bundle:dev (esbuild --once) for faster local compile cycles.
• New Utility Scriptsadded compile and check script aliases.
• Launch Integrationadded preLaunchTask compile + workspace tasks to improve extension-host startup reliability.
• Architecture Alignmentupdated docs to reflect the unified results architecture and new sidebar/results behavior.

Removed / Deprecated (Cleanup)

• Removed resultsPaneldeleted deprecated panel implementation and old panel assets.
• Removed openPanel Flowremoved obsolete commands, labels, and action hooks tied to the legacy panel.

v0.3.9

2026-02-16

UI/UX Refinements & Stability (Major)

• Modern SidebarRedesigned the sidebar with a cleaner, more professional look. Buttons are now flatter and more compact, and summary cards use a dense grid layout to maximize space.
• Theme SelectionAdded a new "Theme" setting in the sidebar, allowing users to explicitly choose between 'Auto', 'Dark', and 'Light' modes for the results view.
• Live Scanning ToggleAdded a direct toggle for "Real-time analysis" in the sidebar settings, making it easier to enable/disable automatic scanning on type.
• Dynamic Theme SwitchingChanging the theme now updates the UI instantly without requiring a window reload.
• Scan StabilityFixed a critical issue where the scan status could get stuck on "Collecting..." or "Enriching..." if the scan was cancelled or interrupted.
• Tree View ImprovementsFixed a layout issue where the tree view would progressively shrink in width. Added text truncation for long filenames and optimized nested padding for a better hierarchy visualization.
• LocalizationAdded full Spanish translations for all new sidebar settings and controls.

v0.3.8

2026-02-16

Performance & Stability (Critical)

• 400% Faster AI EnrichmentOptimized the enrichment pipeline by increasing concurrency to 8 threads and implementing smarter request staggering.
• Zero TimeoutsImplemented intelligent context limiting (4k chars) to prevent large code lines from hanging the AI engine.
• Resilient Circuit BreakerThe enrichment process no longer aborts on transient network issues or rate limits, ensuring complete results even under heavy load.
• Transparent CachingUpgraded cache storage to V4, automatically resetting old caches to ensure all users benefit from the new optimization logic immediately.

v0.3.7

2026-02-14

Authentication (Enterprise SSO)

• Smart LoginThe "Login with Email" form now automatically detects if a domain has Enterprise SSO enabled.
• Enterprise OIDC BrokerAdded support for enterprise identity providers (Okta, Auth0, Microsoft Entra) via a secure OIDC broker flow.
• Deep Link SSOIntegrated enterprise SSO callbacks into the deep link handler for seamless VS Code redirection.
• UI EnhancementsUpdated login view labels and instructions to support the new enterprise flow.

v0.3.6

2026-02-13

Authentication (Magic Link)

• Passwordless LoginReplaced email/password login with Magic Link authentication.
• IDE Deep LinkOpening the Magic Link email completes the login via vscode://... automatically, with manual code fallback.
• API Contract UpdatesUpdated generated API types for the new magic link endpoints.

v0.3.5

2026-02-13

Workspaces & Multi-Org (Major)

• Switch WorkspaceAdded Oryon: Switch Workspace to let users select the active company/workspace without editing settings manually.
• Tenant-Aware SessionSwitching workspace refreshes tokens and updates the extension state to match the selected tenant context.
• Entitlements by WorkspacePlan limits and feature gating (AI, quotas) are now evaluated against the active workspace, aligning with the B2B model.
• API Contract UpdatesExtended TypeScript API types to match the new /me/companies and /me/switch_company responses and limits payloads.
• TestsAdded unit coverage for multi-workspace authentication and entitlements normalization.

v0.3.4

2026-02-10

Subscription Entitlements (Major)

• Plan-Aware UXThe extension now loads /api/v1/billing/limits and keeps plan limits in sync after login, profile refresh, scans, and blocked uploads.
• Feature GatingAI enrichment is automatically skipped when the active subscription does not include AI features.
• Quota EnforcementUpload and project-creation flows now detect backend 402 payment_required responses and show a clear upgrade path to pricing.
• Sidebar VisibilityAdded live plan information in the sidebar (plan, AI availability, project usage, monthly scan usage).
• Safer Upload Floworyon.project.allowCreate is respected again, instead of forcing auto-create behavior.

v0.3.3

2026-02-10

UI & UX Experience (Enhanced)

• Cyber-Premium BridgeCompletely redesigned the OAuth bridge page with a modern dark theme, smooth animations, and better guidance.
• Multi-IDE SupportAdded automatic deep link support for Cursor, VS Code Insiders, and other forks by dynamically detecting the IDE's URI scheme.

v0.3.2

2026-02-10

Authentication Experience (Fix)

• Automatic Login FixResolved a critical race condition where the manual authorization code InputBox blocked the automatic deep link flow from completing.
• Improved UXThe extension now automatically detects when a deep link login is successful and dismisses the manual input box, providing a seamless "one-click" login experience.
• Enhanced URI HandlingImproved deep link processing to ensure reliably resolving authentication flows without manual intervention.

v0.3.1

2026-02-03

Authentication Experience (Major)

• Deep Link LoginImplemented automatic login via Deep Linking. After authenticating with Google in the browser, users are automatically redirected back to VS Code (vscode://) and logged in instantly, eliminating the need to manually copy and paste authorization codes.
• Robust FallbackAdded a manual code entry fallback that automatically appears if the deep link redirection fails or is blocked by the browser.

Dependency Vulnerability Scanning (Major Feature)

v0.3.0

2026-01-29

Dependency Vulnerability Scanning (Major Feature)

• Automatic DetectionNew feature that automatically detects vulnerable dependencies in your project using the [OSV (Open Source Vulnerabilities)](https://osv.dev/) database.
• 10+ Ecosystems Supportednpm, PyPI, Maven, Go, RubyGems, Cargo, NuGet, Composer, Pub, SwiftPM, and more.
• Comprehensive Lockfile SupportParses package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, Pipfile.lock, poetry.lock, Gemfile.lock, Cargo.lock, go.mod, pom.xml, build.gradle, .csproj, pubspec.lock, Package.resolved, and more.
• Parallel ScanningDependency analysis runs in parallel with code scanning for faster results.
• Sidebar StatsThe sidebar now displays dependency vulnerability statistics including total dependencies scanned and vulnerable packages count.
• Backend SyncDependency vulnerabilities are synced to the Oryon dashboard alongside code findings.

AI-Powered Dependency Analysis

• Expert Security AnalysisProfessional-grade AI enrichment for dependencies providing realistic exploitation examples and technical breakdown.
• Structured InsightsAI extracts and displays Cause, Impact, Risk, and Mitigation for each vulnerability.
• Full Backend IngestionAI insights are synchronized with the Oryon WebAPI for dashboard visibility.

GitHub Advisory-Style UI (Visual Overhaul)

• Two-Column LayoutMain content with metadata sidebar, inspired by GitHub's Advisory UI.
• Structured SectionsInformation organized as Summary → Technical Details → Impact → Mitigation → References.
• Markdown RenderingProper rendering of code blocks, inline code, lists, and headers within vulnerability details.
• Affected Versions TableComplete version table showing all affected ranges and their corresponding patched versions:
• | Affected | Patched |
• |----------|---------|
• | < 2.2.20 | 2.2.20 |
• | >= 3.0, < 3.1.18 | 3.1.18 |
• Severity BadgesColor-coded severity indicators matching GitHub's design language.
• Category BadgesVisual distinction between CODE vulnerabilities and DEP (dependency) vulnerabilities.

Technical Improvements

• Resilience & StabilityAdded idempotency support for scan uploads and improved reliability during bulk ingestion.
• CSP FixFixed sidebar logo not displaying by adding 'unsafe-inline' to Content Security Policy for style-src.
• Translation LabelsFixed dependency stats labels showing raw l10n keys instead of translated text.
• Code QualityRemoved all debug logging, fixed ESLint warnings, and ensured consistent brace styling throughout the codebase.
• WorkspaceScanResultExtended to include dependency vulnerability data and statistics.

v0.2.6

2026-01-23

Fixed

• UI Light ModeFixed legibility issues in the sidebar, results view, and login view when using VS Code's Light themes.
• Dynamic LogoThe branded logo now automatically switches between dark and light variants to match the active theme.

Added

• Scan Cancellationadded a "Stop" button to the workspace scan progress notification. Users can now instantly cancel a running scan, which cleanly kills the underlying analysis processes.

Changed

• Scan ExclusionsAdded default exclusions for sensitive files (e.g., .env, .env.*) and rule definitions to prevent accidental scanning or uploading of secrets and internal tools.

v0.2.5

2026-01-22

Changed

• Project Auto-CreationWhen a workspace is not linked to an Oryon project, the extension now asks for the project name and creates it automatically (no more manual project_id prompts). Creation is enabled by default via oryon.project.allowCreate = true.
• Upload Flow SimplificationIf project creation is cancelled, uploads stop immediately instead of deferring to dashboard flows.
• Backend URLDevelopment mode now respects the configured backend (dev override removed).

v0.2.4

2026-01-20

Added

• INFO Severity SupportAdded full support for INFO severity level in the extension core and UI. This allows for more granular filtering of findings.

Changed

• Rule Severity TuningDowngraded "Internationalization" and "Best Practice" rules from WARNING to INFO to reduce noise and help users focus on actual security issues.
• Backend URLUpdated the default backend URL to point to the new production domain (https://dashboard.oryontechnology.com).

v0.2.3

2026-01-12

Fixed

• Live Scanning Stability (Critical)Fixed a critical issue where the live scanner would spawn infinite opengrep processes when editing binary files (e.g., Z80 assembly) or unsupported file types. Now, the live scanner explicitly filters for supported languages only.
• CPU SpikesFixed CPU spikes during rapid typing by implementing immediate process cancellation (SIGKILL) for stale scans. If you continue typing, the previous scan is killed instantly to free up resources.
• PerformanceAdded a heuristic to skip live scanning for files with extremely long lines (>2000 chars), preventing the extension from hanging on minified files or large data dumps.

v0.2.2

2026-01-08

Fixed

• MacOS Stability (Critical)Implemented aggressive cleaning of .DS_Store and other system files from rule directories immediately before scanning. This resolves persistent "Exit Code 2" crashes when opengrep attempts to parse these files as configurations.

Debugging

• Diagnostic Run (Enhanced)When a scan crashes (Exit Code 2), the extension now automatically re-runs the failing file in "verbose mode" (without --quiet) to capture the full error message (e.g., config parsing errors, missing rules). This provides vastly better debugging information in the output logs.

v0.2.1

2025-12-30

Fixed

• macOS Gatekeeper:Automatically remove com.apple.quarantine attribute from bundled binaries to prevent "Exit Code 2" crashes on macOS.
• Smart Rule Loading:Fully mitigates crashes caused by .DS_Store or other toxic files in the rules directory by loading rules explicitly.

Improved

• User ExperienceThe Login window now automatically closes upon successful authentication, providing a smoother onboarding flow.

v0.2.0

2025-12-30

Performance (Major)

• Scanning SpeedReduced workspace scan times by up to 75%(e.g., from 90s to 24s).
• Smart Rule SelectionThe scanner now intelligently loads only the OpenGrep rules relevant to your project (e.g., Ruby rules for a Rails app), avoiding the overhead of thousands of irrelevant checks.
• Smart ConcurrencyImplemented p-limit and CPU-aware concurrency to maximize scan speed (using up to 8 threads) without freezing the UI.
• Persistent AI CacheAI enrichment results are now cached on disk. Re-scanning the same code is instant and costs 0 tokens.

Robustness

• Smart FixesImplemented a "fuzzy" patch application strategy. The "Apply Fix" feature is now much more resilient to whitespace differences, line endings (CRLF vs LF), and minor context mismatches.
• Build & DependenciesResolved TypeScript/ESM interoperability issues with p-limit and execa to ensure reliable builds across all platforms.
• CompatibilityLowered vscode engine requirement to ^1.93.0 to support Cursor and other VS Code forks.

Improved

• UI VisibilityThe extension version is now displayed in the sidebar footer for easier debugging.
• Process RecoveryAdded automatic retry logic for busy files (ETXTBSY) and robust handling for "toxic" files that crash the scanner.

v0.1.16

2025-12-30

Improved

• OpenGrep SpeedIncreased process concurrency from 3 to 6 batches, resulting in significantly faster workspace scans on modern multi-core machines.
• AI ReliabilityIncreased enrichment pipeline timeout from 4 to 15 minutes and parallel request limit from 3 to 12. This solves timeouts when enriching large finding sets (>200 findings) while keeping the user workflow intact.

v0.1.15

2025-12-30

Fixed

• Critical CompatibilityLowered vscode engine requirement to ^1.93.0 to support Cursor and other VS Code forks.
• Startup StabilityAdded automatic retry logic for ETXTBSY errors to prevent scan failures when the extension binary is still locked by the filesystem.

Improved

• PerformanceEnabled parallel batch execution (concurrency: 3) for the OpenGrep scanner to significantly speed up analysis on multi-core systems.
• RobustnessImplemented chunked execution (batch size 50) for OpenGrep scans to prevent crashes (exit code 2) on large workspaces or complex file structures.
• ResilienceAdded automatic failure recovery mechanism that detects if a scan chunk crashes, identifies the specific "toxic" file causing the crash, and seamlessly continues scanning the rest of the workspace.
• DiagnosticsEnhanced logging for scanner process errors, capturing full stderr, stdout, and exitCode for precise debugging.

v0.1.14

2025-12-29

Fixed

• Fixed OpenGrep scan failing on large build directories (e.g., .next, dist) by updating default exclude patterns.
• Fixed glob pattern construction for file scanning to avoid invalid nested braces.
• Added extensive default excludes for images, binaries, and temporary files to improve scan performance and stability.

v0.1.13

2025-12-29

Fixed

• CriticalImproved error handling for OpenGrep exit code 2 (fatal errors)
• Added detailed error messages explaining common causes of scan failures
• Enhanced logging to show file counts, command length, and first few files being scanned

Improved

• PerformanceExpanded file exclusion patterns to include:
• Turbopack build artifacts (.turbo/, .turbopack/)
• Source maps (**/*.map)
• Minified files (/*.min.js, /*.min.css)
• Nuxt output directory (.output/**)
• DiagnosticsAdded detailed logging when collecting workspace files
• User ExperienceBetter error messages that explain why scans fail and how to fix them

Added

• File count and command length validation before scanning

v0.1.12

2025-12-26

Changed

• Added proprietary license configuration for Open VSX Registry compliance
• Updated package.json license field to "Proprietary"
• Added LICENSE file with copyright information

v0.1.11

2025-12-22

Fixed

• Removed all non-YAML test files from rules directory (only rule definitions remain)
• Reduced package from 2,653 to 1,962 files
• Reduced package size from 226.5MB to 226MB
• Faster Marketplace validation (no false positive secrets in test files)

v0.1.10

2025-12-22

Fixed

• Excluded Semgrep rule test files from VSIX package to avoid false positive secret detection in VS Code Marketplace
• Reduced package size from 4,011 to 2,653 files while maintaining full detection capability

v0.1.9

2025-12-22

Added

• MajorBundled 2,025 Semgrep security rules (18MB) directly in the extension
• Offline SupportExtension now works 100% offline for security scanning
• No SSL IssuesEliminates SSL certificate problems in corporate networks

Fixed

• Made time_to_fix_minutes optional in AI schema with default value of 15 minutes
• Removed invalid configuration files from rules directory

Improved

• No internet connection required for security scans
• Faster scans (no download time)
• More reliable in restricted network environments

v0.1.8

2025-12-22

Improved

• PerformanceExpanded file exclusion patterns to skip non-analyzable files (images, documents, multimedia, compressed files, fonts, binaries, databases, logs)
• Scan SpeedAdded exclusions for lock files, framework build directories (.next, .nuxt), and common cache folders (target, __pycache__, vendor)
• AccuracyReduced false positives by not scanning binary and non-code files

v0.1.7

2025-12-22

Fixed

• CriticalAdded scan subcommand to OpenGrep execution to fix exit code 2 error on Windows
• CriticalChanged --config format from two separate arguments to --config=value format for better compatibility
• Improved error logging to include full command, stderr, and exit code for easier debugging

Known Issues

• In corporate networks with SSL interception (e.g., EY, Deloitte), OpenGrep may fail to download rules from semgrep.dev due to certificate verification errors.
• WorkaroundSet environment variables before launching VS Code:
• `cmd
• set REQUESTS_CA_BUNDLE=
• set SSL_CERT_FILE=
• `

v0.1.6

2025-12-17

General

• - Architectural RefactorModularized the extension by introducing specialized services (ScanService, EnrichmentService, UploadService, FindingsManager) to replace the monolithic "God Object" pattern in extension.ts.
• - AI Schema ValidationImplemented strict Zod schema validation for AI responses (src/ai/schema.ts), ensuring robust and type-safe data enrichment.
• - Centralized Error HandlingImproved error message extraction and logging consistency.
• - PerformanceOptimized memory usage by better state management in FindingsManager.

v0.1.5

2025-12-11

General

• - Multi-Platform SupportAdded bundled OpenGrep binaries for Windows (x64), Linux (x64, ARM64), and macOS (Intel, Apple Silicon). The extension now works out-of-the-box on all major platforms.
• - Robust ExecutionImproved binary execution logic to handle permission restrictions more gracefully.
• - Windows CompatibilityFixed path resolution and binary execution specifically for Windows environments.

v0.1.4

2025-12-11

General

• - Bundled EngineOpenGrep is now included directly in the extension. No external installation required for Linux (x64/ARM64) and macOS (x64/ARM64).
• - Engine UpdateUpgraded bundled OpenGrep to v1.12.1 for improved detection capabilities.
• - DocumentationComplete overhaul of the User Guide (README.md).

v0.1.2

2025-12-10

General

• - Better severity normalization for OpenGrep results (handles WARNING/ERROR aliases and alternate severity fields).
• - Updated branding assets to PNG logos in the login and sidebar views.
• - Production builds now optionally obfuscate the bundle for publishing.

v0.1.0

2025-01-08

General

• - Initial public preview of the Oryon extension.
• - OpenGrep runner for single files and workspaces with live diagnostics.
• - Authentication lifecycle (login, refresh, whoami, logout) backed by SecretStorage.
• - AI enrichment pipeline with ephemeral key issuance and concurrency-limited requests.
• - Bulk uploader with idempotent chunking and exponential backoff.
• - Results webview with filtering, AI context, and JSON/CSV export.
• - English and Spanish localization plus JSON output logging.