Changelog

Cloud Hub — Dashboard & Scoring. All features below were driven by alpha tester feedback.

Performance

“The dashboard is slow to load after a multi-source scan.”

• Redis cache layer: dashboard responses served from cache — 3–5× faster load after first scan
• 8 gunicorn workers in parallel for concurrent ingests during beta

US Compliance

“We operate in the US — CCPA doesn’t cover our state-by-state obligations.”

• US Multi-State Privacy Landscape: 50-state table with revenue-based thresholds and cure period per state
• CCPA framework panel in Executive tab (US mode)
• Corrective actions tagged article_us in recommendations

Insurance Readiness V2

“Our broker needs a cyber insurance readiness assessment before renewal.”

• 8 cyber insurance controls scored and graded (backend + dashboard)
• Declarative questionnaire: IRP, coverage, deductible, exclusions
• Insurance Readiness section in Executive PDF export

What-If Engine

“We want to see what changes concretely if we fix a specific gap.”

• Exact GDPR/CCPA penalty recalculation per selected corrective action
• Breach cost projection with CEO-facing scenarios
• Available across 4 tabs: Executive, Risk, Compliance, Intelligence

Cross-Source Correlations (SCI)

“Risks are shown source by source — we don’t see the connections between them.”

• SCI cascade badge on priority actions — shows which actions unlock multiple risk reductions
• New APP↔FILES correlation: shadow data detection across ERP and file systems

JSON Export

“We want to integrate results into our internal tools.”

• Full dashboard export via exportAllTabsJSON(): all 6 tabs consolidated with client metadata in a single file

Changed

• Beta operational limits raised for real PME environments: max_files 100K → 500K (NAS 200–300K files), PII scan max_size 10MB → 50MB (ERP CSV exports), file read buffer 64KB → 256KB (PII detection in large headers), OneDrive max_file_size 100MB → 500MB (SharePoint archives), DB scan timeout 30s → 60s (VPN latency)

Changed

• Sprint 151: Agent UI Redesign — sidebar navigation, toast notifications, message slots system. Improved layout consistency across scan views.
• hub-link-section fixed bottom: Stop Scan + Reset Dashboard buttons always visible regardless of scroll position.
• Footer unified: single fixed bar with stop/reset buttons + copyright.

Fixed

• KI-119: ram_total_bytes=0 instead of null when psutil absent — init ram_total/ram_available to None (was 0). ImportError now emits JSON null for D180/D181. Same fix for disk OSError fallback D184/D185.

Fixed

• KI-118: MongoDB completeness_score=0.0, zone=null, sample_rate=null — wire _compute_quality_metrics + smart_sampler into MongoDB branch of _extract_schema. New elif mongodb in _compute_quality_metrics: motor aggregate pipeline $group/$sum/$cond/$ifNull to compute null_pcts per field (guard ≤ 100K docs). MongoDB collections now report real completeness_score, zone, sample_rate.

Changed

• Beta period: all connectors unlocked for all tiers (Sprint 115 L2). DB and Cloud scan buttons no longer locked for free tier during beta.

Docs

• VM_BUILD_PROCEDURE.md: add patch13 validation results (9 Windows + 8 Linux connectors, 102 PASS / 0 FAIL E2E on 2026-03-20).

Fixed

• F5: add logger.warning to all 6 except blocks in get_governance_metrics(). Silent exception swallowing replaced with named exception + warning log. Pattern: [governance/<metric>] <command> failed: <error>

Fixed

• KI-130: governance_metrics=null for MongoDB — implement get_governance_metrics() in MongoDBConnector. 6 MongoDB-native KPIs: documentation_coverage (JSON Schema validators), security_compliance (usersInfo root roles), access_control (read-only users ratio), change_tracking (replica set hello command), table_size_distribution (1-CV of collStats storageSize), ai_act_article11 (ML collection name heuristic). hasattr() guard at db_scanner.py:296 now activates automatically for MongoDB.

Fixed

• KI-128: tables_scanned=0 — add default assignment before differential branch. Full scan mode now sets tables_scanned=len(tables) before the differential override block.
• KI-129: total_size_bytes=null — aggregate sum(size_bytes) from scanned tables. size_values list comprehension skips None entries; result is None only if all tables have no size_bytes data.

Fixed

• KI-103: db_scanner._detect_pii() double-counting — add break after first valid PII match per cell value. Prevents French IBAN from generating 'iban' + 'iban_fr', and ITIN from generating 'ssn_us' + 'itin_us'. One type per cell value.

Added

• KI-101: estimated_data_subjects — distinct identifier count (CNIL Art.33 / D195). Track unique identifier values (email, phone_fr, ssn_fr, ssn_us) per file in pii_scanner + optimized_scanner. Aggregate across all files. Add to JSON summary. Fallback = files_with_pii when no identifiers found.

Fixed

• KI-097: normalize seen_values (strip spaces + uppercase) before dedup comparison — prevents iban/iban_fr double-counting when values differ only by spacing.
• Parallel path metadata bug: missing 'type' key in PII entries caused crash.

Fixed

• PII scan (KI-080/L-006): apply elfproef (BSN NL) and mod97 (NISS BE) validators in all 3 scan paths. PATH B (optimized_scanner, default prod) and PATH C (db_scanner) had no validator — every 9-digit number was counted as Dutch BSN.

Refactored

• PII scan (KI-080/L-011): consolidate 3 independent PII pattern dicts into single source + derivation. DICT-C (340 lines, dead code) deleted. 6 EU patterns (DNI/NIE/NIF/PESEL/CF/IBAN-SEPA) reactivated in PATH B. Net: -420 lines.

Fixed

• LDAP connector: warn when bind_dn uses DN format (CN=/DC=) instead of UPN. Windows Server 2022 AD rejects SIMPLE bind with DN format (KB4520011). Warning logged with truncated bind_dn and explicit hint to use UPN (user@domain.local).

Fixed

• Infra scan: add --mode infra to argparse choices + dispatch in main.py
• Infra scan: add agent.main_infra to mode_map in _build_scan_cmd (server.py)
• Infra scan: _silent_infra_scan now writes apollo_infra_{key_prefix}_{ts}.json to tempdir before Hub send — payload survives quota errors / network failures.

Fixed

• Windows: detect NTFS junction point loops in _walk_directory. os.walk(followlinks=False) does not detect junction points as symlinks — AppData\Local junctions looped back creating 21 phantom files per real file. Fix: track resolved canonical paths via seen_real_paths set.

Changed

• Exclusions: browser AppData paths excluded by default (Edge, Chrome, Firefox, Brave). Prevents false PII positives from minified JS files in Windows AppData.

Fixed

• LDAP/AD connector: fallback NTLM → SIMPLE bind for Active Directory Windows (KB4520011)
• ldap3 + pyasn1 added to requirements.txt and PyInstaller hidden-imports

Fixed

• Force UTF-8 encoding on Windows stdout/stderr — prevents CP1252 crash on Unicode characters (arrows, accented paths)

Changed

• Purged all Nuitka references from build docs — PyInstaller is the only authorized build tool
• Build docs now clarify: macOS = local PyInstaller, Windows/Linux = GitHub Actions
• Added 8-step pre-push checklist in GITHUB_ACTIONS_BUILD.md

Added

• Installers for macOS (install_macos.sh) and Windows (install_windows.ps1)
• SHA256 integrity verification on all installers (abort on mismatch)
• Distribution exclusively via aiia-tech.com/download
• BSL 1.1 v2 license with NOTICE, CLA, third-party licenses
• Beta tester guide (APOLLO_Beta_Guide_2026.docx)

Fixed

• Frozen binary subprocess routing via --mode flag (PyInstaller)
• Complete frozen binary fix for FILES + OneDrive + asyncpg connectors
• Infrastructure scan now runs automatically at login (was only triggered after FILES scan)

Changed

• macOS installer: native arm64 (Apple Silicon) — removed Rosetta 2 requirement
• DOWNLOAD_BASE configurable via env var for testing