Releases

A chronological record of what shipped in each version of KAVACH, including breaking changes and links to the relevant documentation.

v2.0.1Latest2026-07-17

v2.0.1 - Replay Management

**Full Changelog**: https://github.com/thisisbhanuj/Kavach/compare/v2.0.0...v2.0.1

  • Added governed Replay discovery, validation, creation, execution, evaluation, comparison, drift analysis, and immutable result evidence.
  • Added durable SQLite and PostgreSQL storage for replay executions and discovery projections.
  • Added worker dispatch for replay execution, replay evaluation, evaluation, and experiment jobs, including leasing, retries, cancellation, and safe recovery.
  • Added Replay Management Console pages for listing, creating, inspecting, and tracing replays.
  • Added interactive lineage visualization, node metadata popovers, resettable layouts, copied identifiers, status colours, pagination, and configurable in-memory auto-refresh.
  • Added worker-health and job-status visibility to the Console/dashboard.
  • Added local demo seed data for replayable source executions, compatible source-evaluation baselines, runnable jobs, and paginated replay inventory.
  • Added Docker/runtime configuration and Replay Management architecture documentation.
  • Deliver durable replay management, worker execution, and Console workflow by @thisisbhanuj in https://github.com/thisisbhanuj/Kavach/pull/114
  • Deliver durable replay management, worker execution, and Console work… by @thisisbhanuj in https://github.com/thisisbhanuj/Kavach/pull/115
v2.0.02026-07-17

v2.0.0 - Native MCP Streamable HTTP

Kavach now supports remote MCP-aware clients through native, authenticated Streamable HTTP at `/mcp`.

  • Stateless native MCP HTTP transport on port `8002`.
  • Keycloak bearer-token authentication with end-to-end caller identity propagation.
  • Tenant-aware REST authorization and audit attribution remain enforced by Kavach.
  • Browser-compatible MCP Inspector support with explicit CORS protections.
  • Local tooling for Inspector launch and safe clipboard-based test-token retrieval.
  • Existing stdio MCP, MCPO, and REST integrations remain supported.
  • Add native MCP Streamable HTTP support on port 8002 using the official MCP Python SDK. by @thisisbhanuj in https://github.com/thisisbhanuj/Kavach/pull/112
  • Add authenticated native Streamable HTTP transport by @thisisbhanuj in https://github.com/thisisbhanuj/Kavach/pull/113
v1.1.92026-07-16

v1.1.9 - studio-experiment-management

`studio-experiment-management`

  • Experiment inventory with status filtering, pagination, owner, and last-modified details.
  • Experiment overview dashboard with execution health and leaderboard summary.
  • Governed candidate registration using backend-driven prompt, model, dataset, and provider versions.
  • Detailed candidate configuration and runtime parameter views.
  • Evaluation Runs tab with status, duration, and execution evidence.
  • Candidate Comparison tab with configuration differences and metric deltas.
  • Semantic comparison colors for improvements and regressions.
  • Leaderboard view with ranking, score, latency, cost, and ontology navigation.
  • REST and MCP support for candidates, runs, evaluations, and candidate comparisons.
  • Added Studio documentation and Experiment Management tutorial with screenshot placeholders.
  • Added workers heartbeat and persistence by @thisisbhanuj in https://github.com/thisisbhanuj/Kavach/pull/108
  • Persistent worker heartbeat health monitoring by @thisisbhanuj in https://github.com/thisisbhanuj/Kavach/pull/109
  • Add Studio experiment management with seeded evaluation workflows and ontology integration by @thisisbhanuj in https://github.com/thisisbhanuj/Kavach/pull/110
  • Add Studio experiment management with seeded evaluation workflows and ontology integration by @thisisbhanuj in https://github.com/thisisbhanuj/Kavach/pull/111
v1.1.82026-07-14

v1.1.8

Introduces Keycloak-based authentication and centralizes tenant context construction across REST and MCP flows while preserving development-mode compatibility and existing Kavach authorization behavior. Implements end-to-end Keycloak authentication for Kavach Studio using Authorization Code Flow with PKCE. Studio now obtains, refreshes, and forwards access tokens to the Kavach API, while Kavach validates JWTs and applies its existing tenant membership and role-based authorization model.

  • Added JWT authentication and Keycloak JWKS validation.
  • Added AuthenticatedPrincipal and tenant context factory abstractions.
  • Updated REST tenancy dependencies to derive runtime actor identity from the authenticated principal.
  • Added organization and project tenant scoping.
  • Preserved development-mode actor resolution.
  • Added bootstrap configuration for organizations, projects, and administrator accounts.
  • Updated MCP control-plane handling to propagate authenticated principal identity.
  • Added actor-type mapping for MCP write envelopes.
  • Added configuration support for authentication mode, OIDC issuer, and bootstrap administrator settings.
  • Added tenant-scope and authentication error handling.
  • Updated Docker, documentation, API references, and architecture documentation.
  • Added authentication, bootstrap, configuration, and tenancy tests.
  • Added a Keycloak authentication smoke-test script.
  • Added browser-only Keycloak client and centralized Studio authentication provider.
  • Added PKCE login, token refresh, logout, and in-memory token handling.
  • Added bearer-token propagation and bounded `401` retry to the centralized Studio API client.
  • Removed hard-coded caller actor headers from Studio API requests.
  • Added Keycloak public environment variables to Studio Docker build and Compose configuration.
  • Added `sub` mapping to the Studio Keycloak client.
  • Disabled lightweight Studio access tokens so Kavach receives required identity claims.
  • Added stable local Keycloak administrator subject and bootstrap configuration.
  • Added local tenant claims for `org_default` and `project_default`.
  • Provisioned the local Keycloak administrator with active Kavach membership and `ORGANIZATION_ADMIN`.
  • Added developer onboarding documentation for local Keycloak setup, troubleshooting, and reset procedures.
  • Enhanced Studio access and role-management experience.
  • Automated Keycloak, MCP actor, MCPO, and Docker startup flows.
  • Improved MCP authentication, token refresh, and service-account provisioning.
  • Expanded MCP/MCPO developer documentation and troubleshooting guidance.
  • Studio TypeScript checks pass.
  • Studio production Docker build succeeds.
  • Fresh Keycloak administrator token includes `sub`, `organization_id`, and `project_ids`.
  • Tenant-scoped policy API request succeeds with HTTP `200`.
  • Added chmod +x permissions on docker scripts by @thisisbhanuj in https://github.com/thisisbhanuj/Kavach/pull/102
  • Added chmod +x permissions on docker scripts by @thisisbhanuj in https://github.com/thisisbhanuj/Kavach/pull/103
  • Add end-to-end Keycloak authentication and tenant authorization for Studio by @thisisbhanuj in https://github.com/thisisbhanuj/Kavach/pull/104
  • Add end-to-end Keycloak authentication and tenant authorization for Studio by @thisisbhanuj in https://github.com/thisisbhanuj/Kavach/pull/105
  • Developer workflow and studio ux by @thisisbhanuj in https://github.com/thisisbhanuj/Kavach/pull/106
  • Improve developer workflow and Studio user experience by @thisisbhanuj in https://github.com/thisisbhanuj/Kavach/pull/107
v1.1.72026-07-10

v1.1.7

This release introduces the **Settings Control Plane**, providing centralized, hierarchical, and versioned configuration management across the Kavach platform.

  • Hierarchical settings inheritance
  • Immutable typed settings registry
  • Runtime operational configuration
  • Optimistic concurrency control
  • Versioned audit history
  • Tenant-aware scoped settings
  • REST Settings APIs
  • MCP Settings tools
  • Studio Settings UI
  • SQLite and PostgreSQL persistence
  • Environment override support
  • Runtime configuration enforcement
  • Comprehensive documentation
  • 873 backend tests passed
  • 85 external-backend tests skipped
  • Focused settings integration suites passed
  • Ruff passed
  • Studio TypeScript passed
  • Next.js production build passed
  • Docker stack validated with durable settings backend
  • Implement Settings Control Plane with runtime configuration management by @thisisbhanuj in https://github.com/thisisbhanuj/Kavach/pull/100
  • Implement the Settings Control Plane with hierarchical configuration, runtime enforcement, and tenant-aware inheritance by @thisisbhanuj in https://github.com/thisisbhanuj/Kavach/pull/101