Major Release Changelog
This page tracks major platform updates relevant to administrators, ISSM/ISSO operators, assessors, and AOs.
0.5.5
March 8, 2026
- Celery worker now uses gevent pool with 16 concurrent green threads — bulk AI scoring runs up to 16 Bedrock calls in parallel instead of sequentially.
- Added exponential backoff retry (up to 4 retries) on Bedrock throttling errors (429/ThrottlingException) to handle burst traffic gracefully.
0.5.4
March 8, 2026
- Admin users page now manages global platform roles (Admin, Auditor, Viewer) instead of system-level roles — system-specific roles (AO, ISSO, ISSM, etc.) are managed exclusively on the Systems & Permissions page.
- Added platform role picker to user profile tab for changing global access level.
- Simplified organization memberships tab — removed system-level role picker; org membership is now add/remove only.
- System grants tab is now read-only with direction to the Systems page for role management.
0.5.3
March 8, 2026
- Added AI scoring progress modal — bulk 'Score All Controls' now displays a progress bar with completed/total count, percentage, and a 'don't navigate away' warning.
- Results table refreshes incrementally during scoring so completed scores appear in real time.
- Renamed CyberEase to CyberTax across all pages and email templates.
- Fixed confirm dialog case-sensitivity — confirmation phrase matching is now case-insensitive to match the uppercase visual styling.
0.5.2
March 8, 2026
- Added permanent framework deletion for global admins — inactive frameworks with no linked assessments can now be removed from the admin framework library page.
0.5.1
March 8, 2026
- Added system-level classification and handling caveats -- systems can now have a classification level (Unclassified through Top Secret) and handling caveats (NOFORN, REL TO, etc.) configured on the admin systems page.
- Classification is displayed as a formatted banner (e.g., SECRET // NOFORN) on the systems table and detail view.
- Consolidated admin navigation -- Framework + AI, Framework Mappings, Notifications, Backup, and Classification are now grouped under System Settings as sub-tabs.
- Removed duplicate navigation bars from 8 admin pages to use the shared admin layout consistently.
- Fixed infinite re-render loops on Training and Classification admin pages caused by unstable getUser() references in useEffect dependencies.
0.4.2
March 7, 2026
- Added permanent system deletion (purge) for global admins on the admin systems page — deactivated systems can now be fully removed along with all assignments, access requests, and categorization data.
0.4.1
March 6, 2026
- Added Body of Evidence (BoE) documentation hub — unified page per assessment showing all RMF documents organized by category with generation status, download links, and completeness metrics.
- Added admin password reset — system admins can now set a temporary password for any user, which forces a password change on next login and revokes existing sessions.
- Fixed audit log visibility — system_admin users can now see audit records for their own organization across all 9 admin modules (audit, monitoring, backup, notifications, assessments, framework/AI, system, users, completeness).
- Verified and corrected example evidence accuracy for all 177 base controls against JSIG source text — fixed 10 role misattributions (e.g., AC-2 PSO→ISO, PM-2 PSO→SISO/CISO, IR-4/IR-8 CSA→CA SAPCO).
- Generated contextual example evidence for all 594 control enhancements — every control now has evidence suggestions (771/771).
- Added evidence generation engine to JSIG parsing script with keyword-based evidence rule matching.
0.4.0
March 6, 2026
- Added 594 NIST 800-53 control enhancements (e.g., AC-4(1) through AC-4(22)) parsed from JSIG Appendix C with CIA baseline applicability and classified overlay flags.
- Assessment sidebar now groups controls by family with collapsible section headers (e.g., 'Access Control (AC)') showing per-family progress counts.
- Enhancement items are visually indented under their parent control to distinguish base controls from enhancements.
- Implemented full OIDC/SAML/LDAP SSO authentication flow with Keycloak support, JIT user provisioning, and Redis-backed CSRF state management.
- Added SSO completion handler, fixed provider selection page with initiate URLs, and inline LDAP login form.
- Dashboard assessment cards now display registration numbers for searchability.
0.3.0
March 5, 2026
- Added Body of Evidence (BoE) documentation hub — unified page per assessment showing all RMF documents organized by category with generation status, download links, and completeness metrics.
- New backend GET /assessments/{id}/boe endpoint returning structured BoE manifest with document catalog, generation history, and readiness percentage.
- BoE page accessible from assessment questionnaire navigation alongside Results and Report.
0.2.1
March 5, 2026
- Fixed server/client hydration mismatches by stabilizing initial theme attributes during SSR.
- Normalized dashboard box sizing/alignment and added stronger layout regression coverage.
- Cleaned selectable artifact status/control formatting on /sample-program for SCTM and POA&M workflows.
- Corrected assessment results score-bar severity mapping so low averages render critical (red).
- Hardened authentication and access-control flows, including registration/reset support and compatibility updates.
- Validated merge readiness with full backend and frontend test pass execution.
0.2.0
March 4, 2026
- Introduced formal RMF 6-phase lifecycle state machine with phase gate validation and audit trail.
- Added RMF Phase Stepper UI with advance/return actions and transition history.
- Implemented deny-by-default system access control with IAM-inspired permission UX.
- Added Access Matrix, Grant Access Wizard, and self-service access request workflow.
- Adopted semver versioning (major.minor.patch) targeting 1.0.0 GA release.
0.1.0
March 2, 2026
- Added ISO/PM governance capabilities for role assignments, artifact visibility, and RMF phase oversight.
- Expanded assessment assignment model with ISSM/ISSO and control owner linkage.
- Hardened AI fallback handling for empty-response edge cases during scoring failures.
- Implemented baseline filtering with CIA impact level capture and applicability-driven control selection.
- Added baseline summary, control applicability, and SCTM export workflows.
- Extended administration modules for users, organizations, framework/AI settings, and audit tooling.