Releases: AppliedIR/Valhuntir

v0.6.1

16 Apr 14:06

What's New

  • Per-artifact provenance grading with evidence chain display in Examiner Portal
  • Provenance chain tooltips — hover any chain step for full audit detail (command, timing, input files, SHA-256)
  • vhir restore — restore cases from backup including OpenSearch indices
  • OpenSearch backup via vhir backup --include-opensearch
  • Interactive vhir case init prompts when run with no arguments
  • Wintools watchdog with automatic restart on crash

Bug Fixes

  • Masquerade detection scoped to curated system binaries, reducing false positives
  • Evidence staging — VHDX/container evidence auto-staged to SMB share for wintools access
  • Plaso --storage_file argument compatibility
  • Config file permissions on samba.yaml/network.yaml
  • Typosquatting false positives on short filenames
  • Audit ID regex now supports hyphenated examiner names
  • Case_id cache invalidation on mid-session case switch
  • EVTX-only directory ingest crash (UnboundLocalError)

Existing Installs

Run vhir update — pulls new code, reinstalls packages, restarts gateway. No migration needed.

Full Changelog: v0.6.0...v0.6.1

v0.6.0

07 Apr 14:35

What's New

  • opensearch-mcp: programmatic ingestion of major forensic artifacts into OpenSearch, reducing LLM token usage while providing structured access to processed evidence
  • Improved forensic knowledge guidance and MCP response hints to assist the LLM throughout the investigation
  • Gateway stability enhancements for automatic recovery from dropped backend sessions
  • Bug fixes across all repos

Full Changelog: v0.5.4...v0.6.0

v0.5.4

27 Mar 22:57

Full Changelog: v0.5.3...v0.5.4

v0.5.3

21 Mar 15:57

What's New

Examiner Portal

  • aiir portal command opens the Examiner Portal at /portal/
  • aiir dashboard opens legacy v1 at /dashboard/
  • All documentation updated: README, docs site, CLI reference

CLI Fixes

  • _interactive_review now has full timeline + IOC coupling
  • _review_mode loads IOCs into item lookup for dashboard delta processing
  • tags added to editable fields for IOC tag editing via portal
  • manually_reviewed set on direct IOC approve/reject
  • IOC HMAC type label correctly identifies IOC items
  • Cascade print messages split timeline and IOC into separate lines
  • IOC rejection audit log entries in interactive reject path

New Commands

  • aiir portal — open the Examiner Portal
  • aiir backup — case backup with SHA-256 manifest and verification

Documentation

  • Examiner Portal rename across all docs
  • Tool counts updated (79 SIFT + 7 wintools = 86 total)
  • iocs.json added to case directory structure
  • IOC ID format documented
  • Backup command documented
  • New screenshots
  • Clear Disclosure section added

Full Changelog: v0.5.2...v0.5.3

v0.5.2

16 Mar 21:58

Canonical examiner regex, backup command, example slug fixes.

v0.5.1

02 Mar 09:21

Full Changelog: v0.5.0...v0.5.1

v0.5.0

28 Feb 05:15

Initial release.