Changelog

All notable changes to cubby.network are documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Pre-1.0: breaking changes may land in minor-version bumps (0.MAJOR.MINOR). At 1.0 the API surface freezes and subsequent breaks require a major bump.

[Unreleased]

Changed

• GitHub org renamed aethon-network → cubby-network. Brings the URL slug into line with the project name (cubby.network) that the v0.2.0-beta.1 brand cutover settled on. All repo and GHCR URLs that previously read github.com/aethon-network/platform / ghcr.io/aethon-network/platform are now cubby-network/platform. New clones / docker pulls should use the new URL.

Security

• /autonomy/incident-loop auto_execute=True now requires change-approver in addition to network-operator. Triage-only calls (auto_execute=False) are unchanged. Closes a defence-in-depth gap where a leaked plain-operator token could trigger an autonomous remediation.
• Adversarial audit pass: 22 findings closed across the safety spine, API surface, evidence chain, container/K8s hardening, and test coverage. Highlights: LlmDrivenChangeWorkflow.execute is now gated behind an explicit unsafe opt-in; legacy approval fallback fails closed; OIDC stale-JWKS capped at TTL × 5; JSON depth-bomb defence at the body-cap middleware; nested-injection scan; signed-approval expiry option; chain-tip orphan detection; production K8s manifest now fail-closed (PVC + digest required); injection_success_rate metric renamed to injection_attempt_rate with new injection_landed_rate.

[0.2.0-beta.1] — 2026-04-25

First external beta. Four adversarial audit cycles closed (35+ findings across three LLM audits and one human audit). CI is strict and blocking. Operator onboarding, rollback runbooks, and the cubby.network site shipped. Brand cutover from the legacy "Aethon" name complete.

Security

• Plan-hash binding. canonical_plan_payload now mixes in intent_type + workflow_pack_version, so captured approvals can't be replayed onto a semantically different change.
• Rejector veto removed. Single rejector can no longer block a legitimate change; rejections are group-scoped with a quorum symmetric to approvals.
• Rewrite policy escalation. Injection-sanitise path now enforces rewritten_keys ⊆ original_keys. Keeps malicious rewrite policies from smuggling new privileged fields.
• Unicode injection bypass. NFKD-normalise + Cf-to-space replacement catches zero-width-space and fullwidth-glyph evasions.
• Snapshot credential leak. Secret scanner extended with 9 HIGH-severity network-device patterns (SNMP community, BGP password, enable secret, TACACS/RADIUS key, IKE PSK, JunOS auth-key, Cisco type-7, key-string).
• OIDC algorithm confusion. Validator enforces an explicit asymmetric-only allowlist (RS256/RS384/RS512, ES256/ES384, PS256). alg=none and HS* rejected outright on the OIDC path.
• OIDC JWKS spoofing. 15-minute TTL on cached JWKS, HTTPS-only scheme, falls back to cache on transient fetch failure.
• Workflow race. Per-intent asyncio.Lock + new get_or_create helper prevent concurrent callers from driving the same workflow twice.
• Signer key_id enumeration. User-facing "failed signer verification" message is now generic; detail stays in the log.
• Metadata DoS. 64 KB body cap on both declared Content-Length and streamed requests (chunked transfer can't bypass).
• Runtime rewrite enforcement. _execute_tool_call now honours the SafetyGate.review() verdict and executes rewritten args. Previously authorize() silently discarded them, making the injection-sanitise path dead code.
• Anthropic system-prompt boundary. agent.system_prompt goes through the real system parameter; tool output returns as tool_result content blocks — not stuffed inside a user-role JSON blob.
• Production fails fast on simulated adapters. build_demo_harness derives allow_simulated from NETOPS_ENV; a production boot refuses to register any simulated plugin.
• Web-research injection scan. Every hit's title + snippet is run through the same scanner that guards persistent memory before persisting to the wiki store. Poisoned hits are dropped and surfaced as refused_hits.
• Route RBAC. /runbooks/evaluate and /events/webhook require the network-operator role. make_role_dependency factory added for future gates.
• Probe info disclosure. /livez stays unauth and minimal; /health and /readyz?detail=1 expose plugin / signer / backend state only to authenticated callers.
• Shared-secret CAB. Boot warning is ERROR-logged + printed to stderr; production boot raises RuntimeError unless NETOPS_CAB_ACKNOWLEDGE_SHARED_SECRET=1 is set.
• Autonomy privilege laundering fixed. /autonomy/incident-loop now propagates the caller's identity and roles into the cascaded drift remediation (previously forged system:autonomy / team-lead). Cascade path escalates risk to HIGH to force CAB sign-off.
• Policy fail-closed. Triage, drift, and capacity workflows check policy_decision.allowed and return FAILED before any side-effectful work (ticketing, evidence writes, remediation cascade).
• Verify contract unified across SDK, router, simulator, real adapter, and engine. Previously dropped credentials; verification was silently unauthenticated.
• Evidence scan-before-write. Secret scanner runs against the in-memory payload first; on a HIGH finding, nothing touches disk.
• OAuth refresh HTTPS-only. NETOPS_CODEX_TOKEN_URL must be https://; rejected at construction.
• Artifact path traversal. LocalFsArtifactStore._path resolves the candidate and uses Path.relative_to for containment. Catches symlink-escape that textual .. checks miss.
• .env.example ships empty NETOPS_EVIDENCE_LEGACY_KEY_IDS + NETOPS_EVIDENCE_CHAIN_RESET_BUNDLE_IDS defaults instead of non-empty values that normalised bypass.
• CI security job is blocking. pip-audit . --strict + bandit -ll against the real dep graph — no || true swallows.
• Docker compose dev-only posture. Every service binds to 127.0.0.1; stock credentials replaced with ${*:-CHANGE_ME_*} placeholders. README warns that compose is not a production baseline.
• Per-principal rate limiting on the four expensive routes. LLM bucket (intent/compile, autonomy/incident-loop, architect/) burst=10 / 10-per-min; evidence-write bucket (digital-twin//refresh) burst=30 / 1-per-2s; search bucket (knowledge/similar) burst=60 / 1-per-second. 429 with Retry-After: 60 on exhaustion.
• Drift risk ladder corrected. Manual review = LOW, auto-remediate = MEDIUM, autonomy cascade = HIGH. Earlier code had auto-remediate at a lower approval threshold than manual review — the opposite of what risk classification is for.
• Drift fail-close is top-level. Policy denial closes the workflow with FAILED regardless of whether auto-remediate is happening. Earlier the fail-close only ran inside the auto-remediate branch.
• Autonomy survives denied triage. The incident loop no longer KeyErrors on missing artifacts when triage was policy-denied — returns a clean FAILED envelope with the reasons.
• action_taken reflects real execution. Was set on whether drift existed; now keys on remediation_result.workflow_state == CLOSED.
• MCP host + scaffold verify contract unified to verify(plan, snapshot, creds). Anyone driving the platform via MCP or generating an adapter from scaffold no longer hits a broken signature.
• Production CAB escape hatch removed. NETOPS_CAB_ACKNOWLEDGE_SHARED_SECRET=1 no longer bypasses the production refusal. An open-source product can't ship a crypto-separation opt-out.
• K8s single-writer posture. replicas: 1 + Recreate rollout for both the API and worker. Header comment spells out the distributed-lock + shared-storage prerequisites for horizontal scale.
• K8s pod hardening. runAsNonRoot + runAsUser: 10001 + seccompProfile: RuntimeDefault + automountServiceAccountToken: false. Per-container allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, dropped ALL capabilities. Default-deny NetworkPolicy.
• Supply-chain hardening. Every GitHub Action SHA-pinned (not tag-pinned). Dockerfile base image (python:3.11-slim-bookworm) digest-pinned. CI security job is blocking; PyPI publishing is gated on a repo variable and uses trusted publishing (no long-lived PYPI_API_TOKEN).

Added

• The cubby.network site — https://cubby.network. Hand-written landing page (hero → install → why → what → how → guarantees → docs grid). Static doc rendering from canonical Markdown. Auto-deployed via Cloudflare Pages on every push to main that touches website/ or the markdown sources.
• Three-tier install path. Docker (ghcr.io/cubby-network/platform), pipx (pipx install cubby-network once PyPI is claimed), source. Multi-arch (amd64 + arm64) image with SBOM and provenance attestations.
• Release workflow. Tag push → CI matrix + security + contract gate → wheel + sdist + multi-arch Docker → GitHub Release with the CHANGELOG as notes.
• Auto-deploy workflow. Pushes to main that touch website/ or the markdown docs rebuild and republish the site.
• docs/OPERATOR_GUIDE.md — env-var matrix, demo-vs-production posture, real-adapter wiring, per-approver Ed25519 upgrade path, auth upgrade, secrets custody, "ready for a second human" checklist.
• docs/ROLLBACK.md — how to recover when a change leaves the network in a bad state. Covers self-rollback, stuck-workflow recovery, false-success triage, evidence-chain recovery.
• docs/RELEASE.md — single runbook for cutting a release. SemVer, CHANGELOG, tagging, hotfix flow.
• docs/GLOSSARY.md — every term cubby.network uses differently than the industry baseline.
• docs/adr/ — Architecture Decision Records folder. Three initial ADRs: plan-hash binding, wiki-over-RAG, SafetyGate three-verdict contract.
• QUICKSTART.md — 30-minute path from clone to first signed change against a real Nokia SR Linux lab. Verified clean from a fresh venv.
• CONTRIBUTING.md — branching model (GitHub Flow + SemVer + pre-release chain) + DCO sign-off requirement.
• CHANGELOG.md — Keep-a-Changelog format. This file.
• .github/CODEOWNERS — auto-requests reviews on safety-critical files.
• .github/ISSUE_TEMPLATE/tester-friction.yml — structured form for friction reports.
• cubby smoke reports selected runtime, simulated-vs-real device mix, signer state, and a readiness verdict.
• cubby config — renders the resolved RuntimeConfig with per-field set-vs-default state; redacts sensitive values.
• api_max_body_bytes runtime config knob (default 64 KB).
• cab_acknowledge_shared_secret runtime config knob for non-production deployments that accept the shared-secret limitation.
• ClaudeAgentRuntime has 7 unit tests pinning the message shape (system channel, tool_result blocks, is_error flagging, convergence bound) plus a live-API contract test gated on NETOPS_LLM=1.
• Richer demo network fixture. Two access switches, two-peer distribution layer (vPC peer-link), edge firewall. 19 interfaces, six services, six telemetry series, three alerts, five incidents.
• Live Nokia SR Linux devicelab validated end-to-end (snapshot, CAB-signed change, rollback-on-verification-failure, evidence chain verify).

Changed

• Brand cutover from Aethon → cubby.network. Product name in prose, cubby-network package slug, cubby CLI, Cubby as standalone persona name. The NETOPS_* env-var prefix is intentionally kept (descriptive, not branded). At this release the GitHub org was still aethon-network; the org slug was renamed to cubby-network post-release (see [Unreleased]).
• GET /digital-twin/{name} → POST /digital-twin/{name}/refresh. The route writes signed evidence; GET-with-side-effects was REST-wrong and a CSRF risk. Breaking change for any caller of the old GET path.
• Agent runtime resolution order: ANTHROPIC_API_KEY > OPENAI_API_KEY > Codex CLI OAuth > mock. Claude Opus 4.7 is the default model.
• Evidence scanner now catches network-device credentials (SNMP community, BGP MD5, enable secret, TACACS/RADIUS key, IKE PSK, JunOS authentication-key, Cisco type-7, key-string).
• Ruff ignore list curated for a Python 3.9+ codebase; format-string rules are deliberately off.

Fixed

• Three latent bugs: ValidationFinding TypeError (wrong kwarg), CAB duplicate-approver counting (same signer counted twice toward quorum), undefined p in cdn_placement.total_offload_rps.

Prior history

Pre-0.2 releases were not tagged. Major milestones in main history, in order:

[Unreleased]: https://github.com/cubby-network/platform/compare/v0.2.0-beta.1...HEAD [0.2.0-beta.1]: https://github.com/cubby-network/platform/releases/tag/v0.2.0-beta.1