No marketing-shaped 'we improved performance' filler. If it changed your inbox, your bill, or your agents — it's here.
Findings ingested before the severity rework (Q1 2026) sometimes rendered "undefined" in the inbox. Resolver now falls back to the original CVSS bucket. 31 historical rows backfilled.
We were using Caddy as a thin TLS terminator in front of Hono. The upstream egress proxy now terminates TLS directly, removing a hop and ~14ms p50.
Second-generation race-condition agent. Targets coupon stacking, double-spend, and TOCTOU patterns in checkout/refund flows. Caught its first prod-shaped exploit (coupon stacking on /v1/checkout/apply) within 6h of going live in the eval harness.
Previously, blocked HTTP methods were caught at the L7 inspector after the request crossed the proxy boundary. They are now blocked at SYN, which preserves the customer SOC2 boundary even if an agent gets clever.
/findings now supports multi-select with bulk actions: open PRs, mark as triage, mark as fixed. Powered by the new run.bulkAction mutation. Shipped behind a feature flag for design partners.
authn-01 now hypothesizes refresh-token reuse across rotated kid values. Caught a real cross-tenant token-replay window in two of our four design-partner staging tenants within 48h.
Validator was returning the *previous* run's finding ID when a hypothesis re-confirmed inside a 90s window. Affected ~0.6% of confirmed findings; no incorrect alerts, but inbox dedupe was unreliable.