Changelog

New features, improvements, and fixes, in reverse chronological order.

Subscribe via RSS feed or follow @gateco_ai for release announcements.

v1.0

Production-Ready: BYOK LLM Keys, Three New Connectors, SDK 1.4, and Security Hardening

Added
  • Per-org LLM API key (BYOK): organizations can now add and rotate their own OpenAI API key in Organization Settings. Keys are encrypted at rest with KMS envelope encryption (AES-256-GCM, per-tenant context binding). Paid tiers (Team/Growth/Enterprise) receive 100 lifetime fallback synthesis calls on Gateco's shared key; free-tier orgs must configure their own key.
  • Milvus, Chroma, and OpenSearch connector guides added: setup documentation now covers all 12 supported vector databases.
  • Azure AI Search connector guide: step-by-step setup for Microsoft Azure Cognitive Search with RRF hybrid search and ranked BM25 keyword search.
  • Vertex AI Vector Search and Vertex AI Search connector guides: covers Google Cloud's two distinct vector search products with capability comparison.
  • Stripe subscription re-sync: "Plan not updated? Verify now" button on the Usage & Billing page triggers a manual subscription re-check for cases where a Stripe webhook was missed.
  • Batch Access Simulator: test up to 5 principals simultaneously against a connector in a single preview run. Matrix view shows allow/deny per principal.
  • Dashboard 7-day policy coverage sparkline now reflects real coverage snapshot data (previously flat-line placeholder).
  • TypeScript SDK 1.4.0: new root-level exports: OrgSettings, UpdateOrgSettingsRequest, UsersResource, RelationshipsResource.
  • Python and TypeScript SDK 1.2.0: major new methods: client.users.getOrgSettings/updateOrgSettings, client.billing.getSubscription/createPortal/syncSubscription, client.simulator.runPreview/runBatchPreview, client.policies.listVersions/restoreVersion, client.identity_providers.generateScimToken/revokeScimToken/suggestPolicies/applyPolicySuggestions, client.principals.resolve, client.api_keys.rotate.
  • OpenAPI contract CI gate: .github/workflows/openapi-contract.yml fails the build if SDK method coverage drifts from the spec.
Changed
  • POST /api/pipelines/{id}/run now returns 501 NOT_IMPLEMENTED instead of silently pretending to succeed. Use POST /api/ingest/document or the batch ingest endpoint for ingestion workflows.
  • GET /api/organization/settings now requires org_admin role (previously accessible to all org members). Member-safe fields remain available on GET /api/users/me.
  • Startup validation added for production Stripe price IDs: when STRIPE_SECRET_KEY starts with sk_live_, all six STRIPE_*_PRICE_ID environment variables are required at boot. Unknown price IDs in webhooks now return 500 (triggers Stripe retry) and emit a stripe_price_unrecognized audit event.
  • check_resource_limit now takes a PostgreSQL advisory transaction lock before counting, closing a TOCTOU race where concurrent creates could both pass the limit check.
  • Rate limiter upgraded to Redis-backed INCR+EXPIRE for cross-instance consistency. Falls back to in-memory when REDIS_URL is unset.
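The Redis-backed limiter entry above names the two primitives involved (INCR and EXPIRE) and the in-memory fallback used when REDIS_URL is unset. The following is an added example, not Gateco's own rate limiter: a fixed-window limiter written against a minimal counter backend, with an in-memory backend that mimics the INCR/EXPIRE semantics and a thin adapter for a redis-py client (the adapter assumes redis-py's `incr` and `expire` methods; the class and key names are constructed here). It also shows the one caveat that matters with INCR+EXPIRE: the two calls are not atomic, so the TTL is set only on the first hit and the window number is part of the key.

```python
import time
from typing import Callable, Dict, Optional, Protocol, Tuple


class CounterBackend(Protocol):
    """The two Redis primitives the limiter relies on."""

    def incr(self, key: str) -> int: ...
    def expire(self, key: str, seconds: int) -> None: ...


class MemoryBackend:
    """Single-process fallback with INCR/EXPIRE semantics (the REDIS_URL-unset case)."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._data: Dict[str, Tuple[int, Optional[float]]] = {}

    def incr(self, key: str) -> int:
        count, expires_at = self._data.get(key, (0, None))
        if expires_at is not None and self._clock() >= expires_at:
            count, expires_at = 0, None  # key has expired: start a fresh count
        count += 1
        self._data[key] = (count, expires_at)
        return count

    def expire(self, key: str, seconds: int) -> None:
        count, _ = self._data.get(key, (0, None))
        self._data[key] = (count, self._clock() + seconds)


class RedisBackend:
    """Adapter for a redis-py client (assumed API: client.incr / client.expire)."""

    def __init__(self, client):
        self._client = client

    def incr(self, key: str) -> int:
        return int(self._client.incr(key))

    def expire(self, key: str, seconds: int) -> None:
        self._client.expire(key, seconds)


class FixedWindowLimiter:
    """One counter key per (principal, window); every instance sharing the backend sees the same count."""

    def __init__(self, backend: CounterBackend, limit: int, window_seconds: int,
                 clock: Callable[[], float] = time.time):
        self._backend = backend
        self._limit = limit
        self._window = window_seconds
        self._clock = clock

    def allow(self, principal: str) -> bool:
        window = int(self._clock() // self._window)
        key = f"ratelimit:{principal}:{window}"  # constructed key layout
        count = self._backend.incr(key)
        if count == 1:
            # INCR and EXPIRE are two round trips, not one atomic step. Setting the TTL only
            # on the first hit means a retry can never refresh it, and putting the window
            # number in the key bounds the damage if the EXPIRE call is ever lost.
            self._backend.expire(key, self._window * 2)
        return count <= self._limit


if __name__ == "__main__":
    limiter = FixedWindowLimiter(MemoryBackend(), limit=3, window_seconds=60)
    print([limiter.allow("alice") for _ in range(4)])  # fourth call is rejected
```

To switch backends at startup, construct `RedisBackend(redis.Redis.from_url(REDIS_URL))` when the variable is set and `MemoryBackend()` otherwise; the limiter itself is unchanged. An in-memory fallback only limits per process, so on a multi-instance deployment the effective limit is multiplied by the instance count until Redis is configured.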
Fixed
  • OpenAI API errors in the embedding and answer synthesis paths no longer leak raw API keys (sk-...) into server logs or HTTP responses. All vendor exceptions are sanitized via sanitize_vendor_error() before logging.
  • Ingestion batch errors now run through _redact_string() before being surfaced in the batch error response, preventing credential leakage in error detail fields.
  • Log redaction patterns expanded: OpenAI sk-..., Anthropic sk-ant-..., GitHub PAT (ghp_/ghs_/gho_), Google OAuth (GOCSPX-), and Slack tokens (xoxb-/xoxp-/xoxe-) are now scrubbed from all log output.
  • no_access answer path now returns all 17 contract fields (including cap_reached, is_partial, chunks_available, chunks_used_initial, chunks_used_final, retry_used, llm_calls), matching the shape of a successful synthesis response.
  • Timing-attack resistance test hardened against OS scheduler jitter: 50 samples (was 20), top/bottom 10% trimmed, CV threshold raised from 1.0 to 3.0.
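The three redaction entries above name the token families that are now scrubbed and the two choke points (vendor exceptions and batch error details) they pass through. The following is an added example and not Gateco's `_redact_string()` or `sanitize_vendor_error()`, whose code is not on this page: a prefix-based scrubber for exactly those families, an exception sanitizer that keeps the exception type but scrubs its message, and a logging formatter that applies the scrubber to every record. The regexes, the `[REDACTED:<vendor>]` marker, the function names and the sample strings are all constructed here; none of the sample tokens are real credentials.

```python
import logging
import re

# Constructed patterns for the token families named in the v1.0 notes. The Anthropic
# prefix is listed before the generic OpenAI one so it wins at a shared "sk-" position.
# The leading \b stops the "sk-" pattern from firing inside words such as "task-scheduler".
TOKEN_PATTERNS = [
    ("anthropic", re.compile(r"\bsk-ant-[A-Za-z0-9_\-]{8,}")),
    ("openai", re.compile(r"\bsk-[A-Za-z0-9_\-]{8,}")),
    ("github", re.compile(r"\bgh[pso]_[A-Za-z0-9]{8,}")),
    ("google_oauth", re.compile(r"\bGOCSPX-[A-Za-z0-9_\-]{8,}")),
    ("slack", re.compile(r"\bxox[bpe]-[A-Za-z0-9\-]{8,}")),
]


def redact_secrets(text: str) -> str:
    """Replace every recognised credential with a vendor-tagged marker."""
    for vendor, pattern in TOKEN_PATTERNS:
        text = pattern.sub(f"[REDACTED:{vendor}]", text)
    return text


def sanitize_exception(exc: BaseException) -> str:
    """Keep the exception class for triage; scrub its message before it is logged or returned."""
    return f"{type(exc).__name__}: {redact_secrets(str(exc))}"


class RedactingFormatter(logging.Formatter):
    """Formatter that scrubs the fully rendered record, so %-args and tracebacks are covered too."""

    def format(self, record: logging.LogRecord) -> str:
        return redact_secrets(super().format(record))


def format_log_line(message: str) -> str:
    """Render one message through the redacting formatter (helper for the demo below)."""
    record = logging.LogRecord("gateco", logging.ERROR, __file__, 0, message, None, None)
    return RedactingFormatter("%(levelname)s %(message)s").format(record)


# Constructed sample lines; the token values are made up.
SAMPLE_LINES = [
    "openai 401 for key sk-abcdefghijklmnopqrstuv",
    "anthropic rejected sk-ant-api03-abcdefghijklmnop",
    "github sync failed with ghp_ABCDEFGHIJKLMNOP1234",
    "oauth secret GOCSPX-abcdefghijklmnop refused",
    "slack bot token xoxb-1234567890-abcdef expired",
    "task-scheduler restarted",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(format_log_line(line))
    print(sanitize_exception(RuntimeError("401 for key sk-abcdefghijklmnopqrstuv")))
```

Prefix matching is deliberately conservative: it catches the families listed in the note and nothing else, so credentials in formats without a recognisable prefix (bare passwords, database DSNs) still need separate handling.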
v0.9

ReBAC, API Keys, and Trust Center

Added
  • Relationship-based access control (ReBAC): 1-hop relation policies using `relation.<name>` condition prefix. Define resource ownership, team membership, or project access with a single Policy Studio rule.
  • API Keys management: create and revoke named API keys directly from the dashboard. Keys are bcrypt-hashed at rest; plaintext shown exactly once on creation.
  • Failure mode config per-org: Enterprise orgs can now switch from fail-closed (default) to fail-open-with-audit via support request. Every error-time allow is flagged in the audit log.
  • Trust Center page at /trust with SOC 2 audit status, encryption details, and responsible disclosure contact.
  • Design Partners page at /design-partners for teams interested in early access and roadmap input.
Changed
  • Relationship cache TTL reduced from 120s to 60s. Cache invalidated automatically on any Relationship mutation.
  • Access Simulator Live Preview top_k cap enforced at 20 (was previously up to 100 in some edge cases).
Fixed
  • Policy evaluation now correctly returns `False` for `relation.*` conditions when evaluated in ingestion context (no resource to check against).
  • Qdrant lister returns `[]` on HTTP 404 (collection not found) instead of raising a connection error during retroactive registration.
v0.8

Vertex AI Search, Azure AI Search, and Classification Suggestions

Added
  • Vertex AI Search connector: hybrid + keyword + vector search against Google Discovery Engine data stores. Supports `serving_config_id` override.
  • Azure AI Search connector: ranked BM25 keyword and native RRF hybrid search. Supports `semantic_configuration` field (reserved for future semantic ranking).
  • Classification suggestion engine: rule-based keyword pattern matching on connector resources. Scan → review suggestions in UI → apply accepted labels. Available on all plans.
  • GCP Cloud Identity IDP adapter: sync principals from GCP Cloud Identity groups with `service_account_json` credentials.
  • Retroactive registration now available for Vertex AI Vector Search (listing via Management API).
Changed
  • GCP auth helper `get_gcp_access_token()` is now cached per-service-account for 55 minutes, reducing IAM token exchange overhead on high-volume deployments.
  • `metadata_resolution_mode` validation updated: `sql_view` mode explicitly rejected for Azure AI Search and Vertex connectors.
Fixed
  • Azure AI Search hybrid search now correctly ignores `alpha` parameter and uses native Azure RRF (alpha abstraction will be added in a future release).
  • Vertex AI Vector Search SQUARED_L2_DISTANCE score conversion fixed: now uses `1 / (1 + distance)` instead of `1 - distance`.
v0.7

Answer Synthesis, Live Preview, and Policy Templates

Added
  • Grounded Answers: policy-aware answer synthesis (Team+). POST /api/answers/execute retrieves policy-filtered chunks, feeds them to an LLM, and returns an answer with citations. Three outcomes: answered, no_access, insufficient_context.
  • Access Simulator Live Preview: real retrieval against a connector as a specific principal, split into allowed/denied result panels. Batch preview evaluates up to 5 principals simultaneously.
  • Policy templates: 7 pre-built starting points: group_rbac, department_access, classification_ceiling, deny_sensitive, label_access, connector_scoped_allow, global_internal_read. Available via Policy Studio "Create from Template" button.
  • Principal resolver endpoint: POST /api/principals/resolve finds an active principal by email or provider_subject without creating new records.
  • CLI: `gateco principals resolve <email>` command.
Changed
  • Onboarding wizard rebuilt as computed (no stored step table): 6 steps derived from existing DB state at read time. Step 3 (register resources) now requires ≥10 resources.
  • Answer synthesis is available only for the vector, keyword, and hybrid search modes; grep is excluded from answer synthesis.
Fixed
  • Deny policies now correctly fire the policy-level `effect=deny` when selectors match but none of the rules match.
  • Policy condition fields without `resource.` or `principal.` prefix now emit a warning and resolve against principal (old behavior was silent).
v0.6

Multi-mode Search and SCIM v2 Groups

Added
  • Multi-mode search: keyword (BM25), hybrid (RRF fusion), and grep (regex/substring) modes added alongside existing vector search. All 4 modes available on all plans.
  • SCIM v2 Groups support: Group CRUD maps to PrincipalGroup model. Group rename propagates to all member principals' groups arrays. Group DELETE hard-deletes and removes from all member arrays.
  • Search mode recorded in audit trail: `search_mode` column added to secured_retrievals for per-query visibility.
  • Okta IDP adapter: sync principals and groups from Okta using SSWS token auth.
  • Policy suggestions (MVP): analyze synced IDP data to suggest group RBAC and department access starting points. Applied suggestions create DRAFT policies.
  • SCIM tokens per-IDP: generate and revoke SCIM bearer tokens from the identity providers page.
Changed
  • OpenSearch hybrid uses boost-based alpha emulation (vector × alpha × 10 + keyword × (1 - alpha) × 10) rather than a native alpha parameter.
  • Qdrant and Milvus keyword search returns a uniform score=1.0, since these connectors use payload filter matching rather than ranked BM25.
Fixed
  • Grep patterns now validated before execution: max 200 chars, nested quantifiers rejected, trivial patterns rejected. Invalid patterns return 422.
  • Weaviate grep now explicitly rejects `pattern_type: "regex"` (only wildcard substring supported via `Like` operator).
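The grep validation entry above lists three rejection rules (length cap of 200, nested quantifiers, trivial patterns) and the 422 outcome; the Weaviate entry adds that only wildcard substrings are accepted there. The following is an added example, not Gateco's validator: it implements those three checks plus a compile check, returns a short rejection code that a request handler can map to 422, and compiles wildcard patterns by escaping them first so a `*` is the only metacharacter a user can supply. The nested-quantifier check is a constructed heuristic that catches the classic `(a+)+` and `(.*)*` shapes; alternation-based blowups such as `(a|aa)+` are outside what it detects, and the function and constant names are assumptions.

```python
import re
from typing import Optional

MAX_PATTERN_LENGTH = 200  # cap named in the v0.6 note

# Heuristic for the classic catastrophic-backtracking shape: a quantified group that is
# itself quantified, e.g. (a+)+, (.*)* or (\d*){2,}. Alternation blowups are not covered.
NESTED_QUANTIFIER = re.compile(r"\([^()]*[*+]\)[*+{]")

# A pattern made only of metacharacters and whitespace matches everything: not a useful grep.
TRIVIAL = re.compile(r"^[\s.*+?^$]*$")


def validate_grep_pattern(pattern: str, pattern_type: str = "regex") -> Optional[str]:
    """Return None if the pattern is acceptable, else a rejection code the API maps to 422."""
    if len(pattern) > MAX_PATTERN_LENGTH:
        return "too_long"
    if TRIVIAL.match(pattern):
        return "trivial"
    if pattern_type == "wildcard":
        return None  # escaped before use, so no regex-specific checks apply
    if pattern_type != "regex":
        return "unsupported_pattern_type"
    if NESTED_QUANTIFIER.search(pattern):
        return "nested_quantifier"
    try:
        re.compile(pattern)
    except re.error:
        return "invalid_regex"
    return None


def compile_grep_pattern(pattern: str, pattern_type: str = "regex") -> "re.Pattern[str]":
    """Validate, then compile. Wildcard patterns treat '*' as any run of characters and
    everything else literally, so user input can never be interpreted as regex syntax."""
    reason = validate_grep_pattern(pattern, pattern_type)
    if reason:
        raise ValueError(reason)
    if pattern_type == "wildcard":
        return re.compile(re.escape(pattern).replace(r"\*", ".*"))
    return re.compile(pattern)


if __name__ == "__main__":
    # Constructed inputs exercising each rejection path.
    for candidate in ["error.*timeout", "a" * 201, "(a+)+$", ".*", "[unclosed"]:
        print(repr(candidate[:20]), "->", validate_grep_pattern(candidate) or "ok")
```

Validation is still a heuristic, not a proof of bounded runtime; pairing it with a per-query timeout at the connector is the usual belt-and-braces approach for regex accepted from callers.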
v0.5

Vertex AI Vector Search, MCP Server, and Scheduled IDP Sync

Added
  • Vertex AI Vector Search connector: vector-only search against Google Vertex AI Index Endpoints. Supports `distance_measure` config (COSINE default, DOT_PRODUCT, SQUARED_L2).
  • MCP server: `gateco[mcp]` optional extra adds a FastMCP server with 6 tools: retrieve, ask (grounded answers), list connectors, list policies, list principals, resolve principal. Works with Claude, Cursor, and any MCP-compatible host.
  • CLI: `gateco mcp serve` command. Direct entry point `gateco-mcp` for host configs.
  • Scheduled IDP auto-sync: per-IDP configurable sync interval. Two-layer locking: asyncio.Lock + PostgreSQL advisory locks for multi-instance coordination.
  • Provider subject field on principals: raw IDP-side user ID stored separately from composite external_id. Enables precise principal resolution by IDP identifier.
Changed
  • MCP tools return markdown, never JSON. Denied content is never surfaced in tool output; only denial reasons and counts are returned.
  • Auto-sync scheduler disabled by default when `DISABLE_SYNC_SCHEDULER=true` env var is set (useful for test and multi-instance deployments).
Fixed
  • Stripe webhook handler `subscription.deleted` no longer downgrades org plan if subscription was already canceled.
  • Frontend API functions now correctly extract `.data` from enveloped list responses, fixing empty-state false positives on the connectors and policies pages.
v0.4

ABAC Policies, Policy Studio, and Hybrid Search

Added
  • Attribute-based access control (ABAC): condition fields support `resource.*` and `principal.*` prefixes for fine-grained attribute checks.
  • Policy Studio: draft/active/archived lifecycle, version history with diff view, policy approval workflow.
  • Access Simulator Dry Run: test policy configurations against hypothetical queries without hitting the real vector DB.
  • Hybrid search for Postgres-family connectors: CTE-based vector + full-text fusion using Reciprocal Rank Fusion (RRF, k=60).
  • Metadata resolution modes: inline (from vector payload), sql_view (from Postgres view), sidecar (Gateco-stored), auto (tries all three).
  • Classification labels on resources: public / internal / confidential / restricted. Enforced at retrieval time via ABAC ceiling conditions.
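The ABAC entry above introduces the `resource.*` and `principal.*` condition prefixes and the classification ceiling, v0.9 adds the `relation.<name>` prefix (and notes it resolves to `False` in ingestion context), and the v0.7 fixes state two evaluation details: a deny policy fires its policy-level deny when its selectors match but none of its rules do, and an unprefixed field warns and resolves against the principal. The following is an added example that is not Gateco's policy engine: a small evaluator that implements those stated behaviours with deny-overrides and a fail-closed default. The policy/rule data model, the operator set, the sample principal, documents and relation tuples, and the reading that rules carry their own effect while the policy-level effect is the fallback are all constructed here.

```python
import warnings
from dataclasses import dataclass, field

# Label order used by the ceiling check (labels named in the v0.4 note).
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Condition:
    attr: str        # "principal.<attr>", "resource.<attr>" or "relation.<name>"
    op: str          # "eq", "in", "contains" or "ceiling"
    value: object    # literal, or a "principal.<attr>" reference for "ceiling"


@dataclass
class Rule:
    effect: str          # "allow" or "deny"
    conditions: list     # every condition must hold for the rule to match


@dataclass
class Policy:
    name: str
    effect: str          # policy-level effect: fires when selectors match but no rule does
    selectors: dict      # resource attributes scoping the policy, e.g. {"connector": "wiki"}
    rules: list = field(default_factory=list)


def resolve(attr, principal, resource, relations):
    """Resolve a condition field; `resource` is None in ingestion context."""
    if attr.startswith("principal."):
        return principal.get(attr[len("principal."):])
    if attr.startswith("resource."):
        return None if resource is None else resource.get(attr[len("resource."):])
    if attr.startswith("relation."):
        # 1-hop relation: does (name, principal, resource) exist? With no resource there is
        # nothing to relate to, so the condition is False rather than an error.
        if resource is None:
            return False
        return (attr[len("relation."):], principal["id"], resource["id"]) in relations
    warnings.warn(f"condition field {attr!r} has no prefix; resolving against principal")
    return principal.get(attr)


def condition_holds(cond, principal, resource, relations):
    actual = resolve(cond.attr, principal, resource, relations)
    if cond.op == "eq":
        return actual == cond.value
    if cond.op == "in":
        return actual in cond.value
    if cond.op == "contains":
        return cond.value in (actual or ())
    if cond.op == "ceiling":
        limit = cond.value
        if isinstance(limit, str) and limit.startswith("principal."):
            limit = resolve(limit, principal, resource, relations)
        # an unknown label on either side never passes a ceiling check
        return CLASSIFICATION_RANK.get(actual, 99) <= CLASSIFICATION_RANK.get(limit, -1)
    raise ValueError(f"unknown op {cond.op!r}")


def selectors_match(policy, resource):
    if resource is None:
        return not policy.selectors
    return all(resource.get(k) == v for k, v in policy.selectors.items())


def evaluate(policies, principal, resource=None, relations=frozenset()):
    """Deny-overrides across policies; nothing matching means deny (fail-closed default)."""
    effects = []
    for policy in policies:
        if not selectors_match(policy, resource):
            continue
        for rule in policy.rules:
            if all(condition_holds(c, principal, resource, relations) for c in rule.conditions):
                effects.append(rule.effect)
                break
        else:
            # Selectors matched but no rule did: a deny policy still fires its policy-level
            # deny; an allow policy only grants here when it has no rules at all.
            if policy.effect == "deny" or not policy.rules:
                effects.append(policy.effect)
    if "deny" in effects:
        return "deny"
    return "allow" if "allow" in effects else "deny"


# Constructed sample data, not taken from the product.
ALICE = {"id": "alice", "groups": ["eng"], "clearance": "confidential", "department": "eng"}
DOC_INTERNAL = {"id": "doc2", "connector": "wiki", "classification": "internal"}
DOC_RESTRICTED = {"id": "doc1", "connector": "wiki", "classification": "restricted"}
RELATIONS = {("owner", "alice", "doc1")}

POLICIES = [
    Policy("group_rbac", "allow", {"connector": "wiki"},
           [Rule("allow", [Condition("principal.groups", "contains", "eng")])]),
    Policy("classification_ceiling", "deny", {},
           [Rule("allow", [Condition("resource.classification", "ceiling", "principal.clearance")])]),
    Policy("owner_override", "allow", {},
           [Rule("allow", [Condition("relation.owner", "eq", True)])]),
]

if __name__ == "__main__":
    for doc in (DOC_INTERNAL, DOC_RESTRICTED):
        print(doc["id"], evaluate(POLICIES, ALICE, doc, RELATIONS))
```

Running the sample shows why deny-overrides matters here: Alice owns doc1 and the ownership policy grants it, but the ceiling policy still denies because `restricted` exceeds her `confidential` clearance. In ingestion context the relation condition is simply false, so an ownership rule cannot accidentally grant during indexing.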
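The hybrid search entry above names the fusion method (Reciprocal Rank Fusion with k=60). As an added example, not the connector's own CTE, the following computes the same fusion in Python over two constructed ranked lists, so the effect of the constant and of a document appearing in both lists can be seen directly.

```python
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

RRF_K = 60  # constant named in the v0.4 note


def reciprocal_rank_fusion(ranked_lists: Sequence[Sequence[str]], k: int = RRF_K) -> List[Tuple[str, float]]:
    """Fuse ranked id lists: score(id) = sum over lists of 1 / (k + rank), with rank starting at 1.
    A document listed by both retrievers accumulates two terms and so tends to rise to the top."""
    scores: Dict[str, float] = defaultdict(float)
    for ranked in ranked_lists:
        for rank, doc_id in enumerate(ranked, start=1):
            scores[doc_id] += 1.0 / (k + rank)
    # sort by score descending, then id for a stable order on ties
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample: top hits from a vector query and from a full-text query over the same table.
VECTOR_HITS = ["a", "b", "c"]
KEYWORD_HITS = ["b", "d"]


def fused_ids() -> List[str]:
    return [doc_id for doc_id, _ in reciprocal_rank_fusion([VECTOR_HITS, KEYWORD_HITS])]


if __name__ == "__main__":
    for doc_id, score in reciprocal_rank_fusion([VECTOR_HITS, KEYWORD_HITS]):
        print(doc_id, round(score, 5))
```

With k=60 the difference between rank 1 and rank 2 in a single list is small (1/61 versus 1/62), which is the point: the constant dampens the influence of any one retriever's ordering so that agreement between retrievers, not position within one of them, dominates the fused result.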
Changed
  • Semantic readiness levels (L0-L4) revised: readiness now reflects connector capability progression, not coverage percentage.
  • Free plan retrieval limit increased from 100 to 1,000 per month.
Fixed
  • Retroactive registration is no longer restricted to Tier 1 connectors; it works for any connector with a `list_vector_ids` adapter.
  • Supabase connector linter now validates `metadata_columns` config before accepting inline metadata mode.
