Shipped

What we shipped.

An honest log of what went live, when, and why it matters. No marketing gloss — just the changes, the posture they unlock, and the receipts.

2026-03-31

Security

XFD: Safe House detectors tightened across prompt injection and PII leak classes.

CFD and CBD detector families got a calibration pass. Fewer false positives on benign tool calls, sharper block rate on novel injection patterns — without expanding the data we collect.

Prompt-injection detectors retrained against fresh adversarial corpus; 12% fewer false positives.
CBD now catches split-token PII leaks (e.g. SSN or card numbers broken across streamed chunks).
Signed verdict format now includes detector version, so auditors can reproduce the exact classifier used.

Read the Safe House config guide

2026-03-24

Security

Passkey and hardware-key agent identity are live.

Agents can now be bound to a passkey or a hardware-backed key from day one. Ed25519 signing stays the default; WebAuthn-backed agent identity is available for teams that want human-unforgeable agent onboarding.

WebAuthn attestation supported for agent enrollment.
Agent-identity rotation does not break historical proof chains; old keys stay verifiable.
Works for self-hosted gateway and managed tenants.

Read the agent-identity guide

2026-03-15

Reliability

Gateway now auto-scales to M0 headroom with no operator changes.

Under-the-hood reliability work. The managed gateway now elastically provisions for burst traffic up to the M0 tier ceiling without any tenant config. Self-hosted deployments get the same autoscaler defaults in the Helm chart.

Auto-scale from 2 to 10 replicas based on sustained CPU > 70%.
Cold-start path cut by 40% for the self-hosted image.
No pricing change — scale-up stays inside your tier ceiling.

See what the platform actually proves.

Every shipped change backs up one of two claims: what we prove, or how we keep your agents safe.

What we prove The Safe House