
Changelog — IRDB

This is the project-wide changelog for the IRDB stack as a whole — a high-level record of what shipped in each cut of the bundled docker-compose deployment.

The api and ui containers are versioned independently and have their own changelogs:

The format is based on Keep a Changelog, and the project adheres to Semantic Versioning.

Project-wide tags use the v<MAJOR>.<MINOR>.<PATCH> form so they don't collide with the per-component api-v… / ui-v… tags in this monorepo.

Unreleased

0.9 — 2026-05-06

First public preview of the bundled stack. Everything specified in SPEC.md milestones M1–M14 is in place; the 0.9 cut is the integration milestone where api 1.0.0 and ui 1.0.0 have been shipped together, hardened against the SEC_REVIEW findings, and verified end-to-end via the demo seed flow.

The remaining gap to a 1.0 project tag is operational rather than functional — exercising the stack against real reporters/consumers, finalising the upgrade story, and locking down the Compose defaults for production deployment.

Highlights

  • Self-hosted abuse-report ingestion + tailored, decay-weighted blocklist distribution as a Compose stack: api (Slim 4 / FrankenPHP JSON backend), ui (Slim 4 / FrankenPHP PHP+Twig BFF), and optional mysql and scheduler sidecars.
  • Four-kind token model (reporter, consumer, admin, service) with SHA-256 hashing and a service-token + impersonation-header pattern between the UI BFF and the api.
  • Reputation engine with linear and exponential decay, per-reporter trust weighting, manual blocks and allowlist evaluated at distribution time, and a 365-day hard cutoff.
  • GeoIP enrichment with MaxMind GeoLite2 and IPinfo adapters, refreshed via an internal job.
  • OIDC login (Microsoft Entra ID, authorization code + PKCE) plus a local admin form with Argon2id password validation.
  • Full admin UI: dashboard, IPs, subnets/allowlist, policies, reporters, consumers, tokens, categories, audit log, and the settings page used to display this version.
  • Public-endpoint audit emission with global + per-entity toggles so the high-volume report.received / blocklist.requested rows can be silenced without a container restart.
  • Hardening pass against the SEC_REVIEW queue (F1–F74 at time of writing): security headers, secret scrubbing, request body caps, bounded caches, rate limiting on public endpoints.

Container versions in this release