Releases: initstring/RTAP
v0.5.0 - **BREAKING AUTH CHANGES**
This release is a breaking change. It removes the ability to log in with passkeys. While that was cool, it added complexity and attack surface to the app and ran into weirdness across different browsers and operating environments. It also caused library problems as the version conflicts with maintained webauthn stuff and NextAuth.
SSO is a better fit for this use case, and it allows auth providers to do what they do best.
This version adds additional SSO providers (Okta, Keycloak, GitHub, GitLab) to the already-enabled Google SSO. It also adds a "demo mode" for local test/dev if you want to spin it up really quick without an auth provider.
It also updates env var names, so you may need to look at the example files and update yours.
Checklist before upgrading:
- Ensure you understand passkeys will no longer work.
- Read docs/installation.md for an intro on SSO requirements or demo mode
- Review .env.example-dev for developers and deploy/docker/.env.example-prod for those pulling the pre-built containers
- Review deploy/docker/docker-compose.yml as it has changed slightly (due to env var names mostly)
- Update your env file with the new naming scheme and new auth variables
What's Changed
- Simplify auth to SSO with optional demo mode by @initstring in #69
- Simplify Docker installation flow and standardize env variables by @initstring in #70
- Add Keycloak and Okta SSO configuration and sign-in UI by @initstring in #71
- Remove Authenticator model and add drop-table migration by @initstring in #72
- Add GitHub and GitLab SSO support by @initstring in #73
- Bump version for tagging by @initstring in #74
- Ensure bootstrap admin is enforced on each init run by @initstring in #75
- Disable demo auth when SSO providers are configured by @initstring in #77
Full Changelog: v0.4.3...v0.5.0
v0.4.3
What's Changed
- Feature/light theme by @initstring in #59
- Update packages and tests by @initstring in #60
- chore: Bump docker tag by @initstring in #61
Full Changelog: v0.4.2...v0.4.3
v0.4.2
What's Changed
Mostly library updates to address security alerts.
- Update security reporting by @initstring in #47
- 0.4.2 by @initstring in #52
Full Changelog: v0.4.1...v0.4.2
v0.4.1
What's Changed
This introduces a new, more flexible model for "target", which may or may not be a crown jewel. There are many UI improvements for this, including displaying planned and compromised targets in multiple views, keeping track of more than 1 target per technique, etc.
- feat: evolve crown jewels to more flexible targets by @initstring in #35
Full Changelog: v0.4.0...v0.4.1
v0.4.0
What's Changed
This release enables DB migrations by standardizing on Postgres even in dev. Going forward, this will enable seamless version upgrades even during schema changes.
- fix example env file by @initstring in #31
- Enable DB migrations by swapping to Postgres in dev by @initstring in #33
- Bump docker version by @initstring in #34
Full Changelog: v0.3.0...v0.4.0
v0.3.0
What's Changed
Version bump mostly due to renaming of project to something more descriptive.
Iterative changes:
- refactor: remove class variance authority by @initstring in #27
- Bump typescript-eslint from 8.40.0 to 8.44.0 by @dependabot[bot] in #26
- Bump recharts from 3.1.2 to 3.2.1 by @dependabot[bot] in #25
- Bump @tailwindcss/postcss from 4.1.12 to 4.1.13 by @dependabot[bot] in #22
- Bump prisma from 6.15.0 to 6.16.2 by @dependabot[bot] in #24
- Rename platform to Red Team Assessment Platform by @initstring in #28
- Fix lint regressions after env dependency bump by @initstring in #29
- Bump zod from 3.25.76 to 4.1.11 by @dependabot[bot] in #23
- Bump docker version by @initstring in #30
Full Changelog: v0.2.2...v0.3.0
v0.2.2
What's Changed
- Update readme by @initstring in #18
- docs: Clarify install stuff by @initstring in #19
- Restrict default GitHub token permissions by @initstring in #20
- Add attack timeline visualization to operation detail page by @initstring in #21
Full Changelog: v0.2.1...v0.2.2
v0.2.1 - Authentication Interoperability Bugfix
What's Changed
- Silence experimental webauthn warning by @initstring in #15
- Fix Google OAuth linking to existing accounts by @initstring in #16
- Bump docker version by @initstring in #17
Full Changelog: v0.2.0...v0.2.1
v0.2.0 - Passwordless Authentication
Highlights
The big change here is the removal of support for passwords, and implementing login with passkeys as a replacement. Users can now choose Google OAuth and/or passkeys. When using only passkeys, a helper script provides an initial single-use login URL for the admin to add a passkey.
What's Changed
- docs: Revamp docs and add screenshots by @initstring in #9
- Add MITRE licensing info by @initstring in #10
- fix: Remove unused enc key env var by @initstring in #11
- feat: replace password auth with passkeys and login links by @initstring in #12
- Simplify data management settings by @initstring in #13
- bump docker version by @initstring in #14
Full Changelog: v0.1.0...v0.2.0
Initial MVP - "It Works"
This is the initial working concept, with fully functioning:
- Credential and Google OAuth login
- RBAC and groups
- Operations and analytics
- Database backup and restore operations
- Full ATT&CK integration
- Local sqlite and production Docker/PostgreSQL