Total Sprints: 34 · Completed: 33 · Upcoming: 1 · MVP Complete: 100%
Agentic Security — March 2026
Sprint DOCS-1 — Professional Documentation Site
March 2026
Completed
  • Docusaurus 3 docs site with Behavry brand (navy + amber, Inter font)
  • 11 sections: Intro, Getting Started, Integrations (10 clients), Concepts, Agentic Security, Deployment, API, Compliance, Operations, Changelog
  • Custom landing page with hero, feature cards, integration tiles
  • Dashboard sidebar "Documentation" link + HelpPage docs banner
  • Visual-explainer changelog (this page!)
Sprint AD.2 — Passive Activity Classification + Confidence Scoring
March 2026
Completed
  • 8-signal SignalEvaluator — endpoint match, service account origin, call cadence, non-interactive timing, session continuity, chained consumption, tool schema present, structured handoff
  • 4-tier confidence model: Telemetry Observed → Likely AI-Related → Strongly Indicative → Operator Confirmed
  • ActivityWindowAggregator — async, queries audit_events, detects chaining/p50/session_continuity
  • PassiveFinding model + passive_findings table (TimescaleDB)
  • 4 event types: PASSIVE_FINDING_CREATED, PASSIVE_FINDING_UPGRADED, STRONGLY_INDICATIVE_DETECTED, OPERATOR_REVIEW_REQUESTED
  • 6 finding endpoints: list / breakdown / get / classify (Tier 4) / suppress / reclassify
  • classification_policy.rego — alert_severity, review_overdue, proxy_enrollment_recommended
  • ExposurePage 3-bucket layout (Confirmed / Suspected / Ungoverned) + findings tab + FindingSlideOver
  • 35-test suite — all passing
Sprint AD — AI Asset Discovery
March 2026
Completed
  • Platform fingerprint database — 30 AI platforms (OpenAI, Anthropic, Google, Microsoft, Mistral, Cohere, and more)
  • IdP connectors: Okta, Azure AD, Google Workspace
  • SaaS admin API connectors: M365, GitHub, Slack, Salesforce, Atlassian, ServiceNow, Zendesk, Google
  • Discovery service: state machine (detected → evaluated → governed/ungoverned/suppressed) + OPA evaluation
  • exposure_policy.rego — alert on ungoverned high-risk platforms, recommend enrollment
  • Browser extension: 10 DOM fingerprinting rules for AI service detection
  • ExposurePage — exposure score gauge, platform table, governance slide-over
  • Alerts: "AI Exposure" tab; Settings: "Discovery Connectors" panel
  • 82-test suite — all passing
Sprint G — SIEM Integration
March 2026
Completed
  • 6 connectors: Splunk HEC, Microsoft Sentinel, Google Chronicle (UDM), QRadar (LEEF 2.0 syslog), Syslog (RFC 5424), Webhook (HMAC-SHA256)
  • LEEF 2.0 serializer — injection-safe, tab-delimited, severity map (critical→10, high→7, medium→5, low→3)
  • Exponential backoff retry with jitter; auto-disable at 10 consecutive failures
  • Dead-letter queue (DLQ) — store, retry, or discard failed batches
  • Credential encryption via KMS pipeline — credential never returned on GET
  • Cursor-based audit export: X-Next-Cursor / X-Total-Events headers, no 10k cap
  • 3 OPA policies; Settings SIEM Destinations panel; Compliance SIEM Evidence panel
  • 68-test suite — all passing
Sprint RT — Red Team Policy Automation Loop
March 2026
Completed
  • PolicyGenerator singleton — subscribes to 6 event types (injection detected/blocked, conditioning suspected, drift detected, session cycling, behavior reversal)
  • 3-factor confidence scoring: pattern frequency (1→0.3, 3→0.6, 10→0.9) + severity (+0.3/0.2/0.1) + corroboration (+0.2)
  • 7 Rego templates: injection_block, conditioning_block, drift_escalate, resource_restrict, rate_ceiling, requester_validation, behavior_reversal
  • Auto-activation at configurable confidence threshold (tenant-level auto_activate_threshold)
  • Policy Suggestions dashboard page — stats strip, inline Rego editor, test dry-run, approve/reject
  • Amber badge on nav with 30s poll on proposed count
  • 55-test suite (30 unit + 13 API + 12 integration) — all passing
Sprint V — Cross-Session Trust Reset Detection (AOC-4) + Workflow Behavioral Baselines
March 2026
Completed
  • TrustResetDetector — 3 detection conditions: opposite disposition in new session ≤2h, ≥3 prior blocks for requester+action now allowed, ≥3 sessions in 30min with varying dispositions
  • 5-minute per-agent cooldown on BEHAVIOR_REVERSAL; 60s DB flush loop for disposition records
  • WorkflowBaselineMonitor — EWMA baselines (α=0.2), Bray-Curtis divergence for tool distribution
  • 6 new event types: BEHAVIOR_REVERSAL, REQUESTER_SESSION_CYCLING, WORKFLOW_PARTICIPANT_UNEXPECTED, WORKFLOW_DEPTH_SPIKE, WORKFLOW_TOOL_DISTRIBUTION_ANOMALY, WORKFLOW_DURATION_ANOMALY
  • action_disposition_records TimescaleDB hypertable + workflow_baselines table
  • 80-test suite — all passing
Sprint Y — Blast Radius Limits + Exception Hardening (AOC-2)
March 2026
Completed
  • blast_radius.rego — 5 rules: shallow delete deny, recipient limit escalate, bulk threshold escalate, config path escalate, protected file pattern escalate
  • Step 4d in proxy engine — pre-OPA blast radius check; deny returns immediately, escalate creates HITL hold
  • GET/PATCH /api/v1/admin/blast-radius — per-tenant threshold config, syncs to OPA
  • Exception hardening: POST /api/v1/exceptions now requires justification (≥10 chars) + expires_in_hours
  • Exception frequency anomaly alert at >5 creations/hr per agent
  • Baseline poisoning detection: BASELINE_POISONING_SUSPECTED at >3 approvals/24h per agent
  • PolicyLimitsSection in Settings; 82-test suite — all passing
Sprint R — Policy Approval Workflow
March 2026
Completed
  • PolicyChangeRequest model — proposed Rego content, author, reviewer, notes, status
  • 5 new routes: submit / list / get-pending-count / approve / reject
  • Approve auto-applies Rego + re-syncs OPA when policy is active
  • Audit-logged: policy_change_approved / policy_change_rejected
  • Dashboard: SubmitChangeRequestForm + ChangeRequestsPanel in PoliciesPage
  • Amber pending-changes badge on Policies nav (30s poll)
  • 30-test suite — all passing
Sprint W — Control / Data Plane Split (Hybrid Architecture)
March 2026
Completed
  • BEHAVRY_DEPLOYMENT_MODE: standalone | control-plane | data-plane — route gating in api/router.py
  • JWKS endpoint: GET /.well-known/jwks.json (RSA→JWK Set)
  • Data-plane token CRUD: issue / list / revoke; heartbeat endpoint
  • OPA bundle endpoint: GET /api/v1/opa/bundle/{tenant_id} (dp_token auth, .tar.gz)
  • License validation endpoint; data-plane startup: license check + 60s heartbeat loop
  • docker-compose.control-plane.yml + docker-compose.data-plane.yml + OPA bundle-polling config
  • 28-test suite — all passing
Sprint Q — Sessions Tab + Browser Extension AI Coverage
March 2026
Completed
  • GET /api/v1/sessions — session list with tool_call_count, dlp_hit_count, risk_score_at_close
  • GET /api/v1/sessions/{id}/events — chronological event timeline per session
  • SessionsPage.tsx — table + event slide-over, Sessions nav item
  • Browser extension: added Mistral Le Chat + GitHub Copilot Chat — AI service coverage now 12 of 12 services
Sprint P — Gemini + Ollama API Proxies
March 2026
Completed
  • Gemini proxy: POST /api/v1/gemini/{path}, X-Gemini-Key → upstream, model from URL path, usageMetadata token counts
  • Ollama proxy: POST /api/v1/ollama/{path} — native + OpenAI-compatible endpoints, 300s streaming timeout
  • AI API Coverage: 62% → 80% (now covering OpenAI, Anthropic, Gemini, Ollama)
  • Settings: AiApiCoverageSection — 4 providers with endpoint + key header + env var info
Sprint U — Delegation Token Chain (AOC-3 Phase 3)
March 2026
Completed
  • POST /api/v1/delegations — issue scoped d_token JWT; scope intersection + ceiling guard + depth guard
  • enforce_delegation_token() in proxy — verify DB row, confirm delegatee + session match
  • Step 2e in proxy engine: validate d_token, set requester_verified=True
  • Step 4c: scope probe counter — DELEGATION_SCOPE_PROBE alert at threshold of 3
  • delegation_policy.rego — deny unverified; escalate tool not in effective_permissions
  • GET /api/v1/workflows/{id}/sessions/{sid}/delegations endpoint
Sprint F — Multi-Tenant Foundation + SaaS Onboarding
March 2026
Completed
  • PostgreSQL Row-Level Security on 10 tables; behavry_superadmin BYPASSRLS role
  • set_tenant_context() injected into every admin request via PasswordAuthProvider
  • TenantConfig model: plan_tier, max_agents, max_rpm_per_agent, audit_retention_days, deployment_mode
  • POST /api/v1/signup — atomic tenant + admin + enrollment_token + config; 5-req/IP/hr rate limit, 409 on duplicate
  • Super-admin CRUD: provision / list / get / patch / suspend / usage
  • OnboardingPage.tsx — 3-step flow: org setup → enroll agent → SSE verify
  • 38-test suite — all passing
Sprint T — Proxy Integration + Decision Trace
March 2026
Completed
  • WorkflowContext dataclass + validate_workflow_context() — validates X-Workflow-Session JWT in proxy step 2d
  • Audit threading: workflow_session_id, causal_depth, parent_event_id, delegation_chain on every audit event
  • workflow_policy.rego — deny depth > max_depth; escalate tool not in ceiling
  • GET /api/v1/workflows/{id}/sessions/{sid}/trace — causal tree + per-agent policy summaries
  • Trace export as downloadable JSON; WorkflowTracePage with SVG swimlane visualization
  • 28-test suite — all passing
Sprint EXT-1 — Exception Extension + Urgency Escalation
March 2026
Completed
  • PATCH /api/v1/exceptions/{id}/extend — extend expiry up to 4× (configurable max_extensions)
  • Urgency color escalation: yellow → orange → red border as extensions accumulate
  • Returns 409 when max extensions reached; extension_count + max_extensions in response
  • Activity feed: absolute timestamps on exception events
Sprint AOC-1.5 — Content Trust Domain Tagging + Behavioral Drift Detection
March 2026
Completed
  • Content trust tiers: trusted (skip scanner), block (immediate substitution), untrusted (scan with severity promotion)
  • domain_trust.rego — OPA policy for trust-level routing decisions
  • DriftDetector — linear slope analysis over rolling windows; fires INJECTION_CONDITIONING_SUSPECTED + BEHAVIORAL_DRIFT_DETECTED
  • DELETE /api/v1/agents/{id}/baselines — admin reset of behavioral baseline
  • 43-test suite — all passing
Sprint AOC-3 — Requester Identity Propagation
March 2026
Completed
  • X-Requester-Id header propagated to every audit event
  • instruction_hash SHA-256 per tool call
  • REQUESTER_IDENTITY_MISMATCH alert — 15-min sliding window detector
  • OPA policy: block/escalate on null requester for high/critical risk agents
  • Dashboard Requester badge in Audit Events with channel chip + verified status
  • 29 unit tests — all passing
Dev Setup Hardening
March 4, 2026
Completed
  • Fixed agent registration race condition — await db.commit() before HTTP response
  • make setup + make tokens — zero-friction one-command onboarding
  • Auto-detect installed editors; auto-apply MCP configs without second script
Sprint M.1 — Observability & Integrity Hardening
March 4, 2026
Completed
  • SSE live stream fix — nginx proxy_http_version 1.1 (HTTP/1.0 was closing SSE after each event)
  • Hash chain race condition fix — SELECT FOR UPDATE on last-event lookup
  • Chain break history tracker with ChainBreakEntry + acknowledge workflow
  • New endpoints: GET /api/v1/audit/chain/breaks + acknowledge
Sprint M — Test Coverage
March 2026
Completed
  • 157 tests total across 3 new test files — all passing
  • test_policy_enforcement.py — 74 tests: OPA client, DLP validators, all 26 patterns
  • test_mcp_proxy.py — 28 tests: rate limiter, tool call extraction, enforce() pipeline
  • test_behavioral_monitor.py — 55 tests: anomaly scoring, baselines, alert evaluation
  • Pure mocking via unittest.mock — no DB or OPA required
Sprint AOC-1 — Inbound Injection Detection
March 2026
Completed
  • 7-class inbound scanner: imperative_command, authority_claim, permission_expansion, role_reassignment, encoded_payload, structured_escalation, urgency_framing
  • Scanner runs on every tool result before it reaches agent context
  • HITL escalation with Allow Sanitized / Allow Original / Block resolution options
  • Per-domain source rules CRUD API — hot-reloadable from DB
  • 52 unit tests — all passing, no DB or OPA required
Hardening — February – March 2026
Sprint S.1 — Extension Token Dashboard
March 3, 2026
Completed
  • Token generate / rotate / revoke UI in Settings page
  • Auto-push bridge: generate in dashboard → extension auto-configures via chrome.storage.local
  • Popup token status indicator (green / amber)
Sprint L — Audit Hash-Chain Verify + Extension DLP Sync
March 3, 2026
Completed
  • GET /api/v1/audit/verify — cryptographic chain verification, cached + on-demand
  • Lock icon in Audit Events + Integrity section in Compliance page
  • 14 new DLP patterns ported to browser extension — 26/26 total synced
Sprint S — Multi-Agent Workflow Foundation
March 2026
Completed
  • Workflow CRUD API + wf_token JWT (RS256) with permission ceiling + delegation depth
  • Extension token auth — closes browser ingest gap; X-Extension-Token header required
  • 4 OPA Rego workflow policy modules: membership, delegation scope, depth, ceiling
  • Self-hosted deployment guide (TLS, Let's Encrypt, backup, upgrade process)
Sprint K.5 — DLP Fragment Reassembly Detection
February 2026
Completed
  • Detects credential fragmentation across sequential requests (e.g. AWS key split over 3 calls)
  • DLP_FRAGMENT_REASSEMBLY critical alert with matched patterns + window size
  • 5-minute per-agent cooldown; 8 unit tests
Sprint K — Cross-Session DLP Correlation
February 2026
Completed
  • Shannon entropy scorer — concentrated single-pattern distributions score higher
  • Alert fires when same DLP pattern appears in ≥3 distinct sessions within 1-hour window
  • Per-agent ring buffer (maxlen=200) with 5-minute alert cooldown
Sprint O — Observability
February 2026
Completed
  • OpenTelemetry metrics across proxy engine, monitor, risk scorer, audit service
  • Sentry error tracking via SENTRY_DSN env var
  • /metrics Prometheus endpoint with optional bearer token auth
  • BUILD_SHA baked into Docker image at build time
Sprint J — Per-Agent Rate Limiting
February 2026
Completed
  • Sliding-window rate enforcement in proxy engine
  • Risk-tier coupling — limits tighten automatically as risk tier increases
  • Configurable live via admin UI without restart
Sprint I — Global Kill Switch
February 2026
Completed
  • Fleet-wide instant agent suspension — POST /api/v1/admin/killswitch
  • Break-glass override for super-admins
  • All admin actions audit-logged with actor identity
Sprint H — Durable Escalation Queue
February 2026
Completed
  • Escalation state moved from in-memory asyncio.Future to DB-polled queue
  • Pending approvals survive backend restarts and container redeploys
Sprint Z — Alembic Migrations
February 2026
Completed
  • Versioned schema history with dedicated Docker Compose migration container
  • make migrate / make migrate-stamp / make migrate-new
  • Backend healthcheck waits for migration container to complete
Phase 3 — Integrations · February 2026
Phase 3 — Full Integration Coverage
Mid–Late February 2026
Completed
  • DLP expanded to 26 patterns — Luhn credit card validation, SSN, hot-reload via DB
  • Browser extension (MV3) — 10 AI services, real-time DLP scanning, dashboard events
  • MCP client enrollment — 8 clients: Claude Code, Desktop, Cursor, Windsurf, VS Code, Zed, Warp
  • OpenAI API proxy + Anthropic API proxy — governs all programmatic AI usage
  • Outbound webhooks — HMAC-signed delivery to Slack / PagerDuty / SIEM
  • Compliance mapping — SOC 2, ISO 27001, NIST AI RMF, EU AI Act, GDPR, HIPAA
Phase 2 — Behavioral Intelligence · February 2026
Phase 2 — Behavioral Monitor & HITL
Mid February 2026
Completed
  • Behavioral monitor — rolling per-agent metrics, baseline tracking (TimescaleDB)
  • Anomaly detection — frequency spikes, new resource access, error rate, data volume
  • Behavry Risk Framework — six-dimension weighted score (0–100)
  • Human-in-the-loop escalation — approval queue, admin approve/deny with notes, auto-deny on timeout
  • Risk tier → policy behavior mapping (low / medium / high / critical)
  • Dashboard: risk cards, behavioral trend charts, alert management, escalation panel
Phase 1 — Foundation · February 2026
Phase 1 — Core Governance Stack
Early February 2026
Completed
  • Agent Identity Service — registration, OAuth 2.1 client credentials, JWT RS256, rotation
  • Policy Engine — OPA sidecar, Rego policies, CRUD API, OPA sync on activate
  • MCP Proxy — Streamable HTTP, HTTP + stdio backends, full auth→DLP→OPA→audit pipeline
  • Audit Logger — TimescaleDB hypertable, SHA-256 hash chaining, SSE stream to dashboard
  • DLP Scanner — 12 patterns, critical-severity auto-block before OPA evaluation
  • React dashboard — login, agent registry, live activity feed, policy viewer, alerts
  • Python SDK — thin auth client, identity binding, token refresh
Upcoming — Roadmap
  • Sprint N: Compliance PDF Export
  • Sprint W.1: SaaS Ops Layer
  • Sprint MOB: Firefox + Safari Extensions