Zentro

Changelog

High-level shipped work — not every commit. For source history, use the GitHub repository.

  1. Jun 2026

    Universe ascension visual layer

    • Cosmic nebula backdrop, enhanced quantum particle field, and portal-style hero glow
    • Glowing Zentro wordmark, ascension live badge, and deeper space-grade color atmosphere
  2. Jun 2026

    Professional brand & SEO overhaul

    • Homepage company scale section, use cases, enterprise block, About and Careers pages
    • Auth and console routes noindexed; sitemap and robots tuned so Google shows the marketing homepage
    • Richer Organization + SoftwareApplication JSON-LD and unified enterprise metadata copy
  3. May 2026

    Copilot reliability pass

    • Built-in /api/copilot/chat now chains OpenAI → reasoning URL → guided offline (no proxy path required)
    • Cloud model requires sign-in when Supabase auth is on; thread list surfaces migration and DB errors
    • Regression: npm run test:copilot-reasoning
  4. May 2026

    Copilot ambient status layer

    • Live health pulse banner on /copilot with assistant mode, connector readiness, and saved-thread counts
    • Copilot-first phase order — ASSISTANT → CONNECTORS → INCIDENTS → THREADS → GUARDRAILS → APPROVALS
    • Regression: npm run test:console-ambient-status
  5. May 2026

    Runbooks ambient status layer

    • Live health pulse banner on /runbooks with catalog size, incident linkage coverage, and GRC procedure counts
    • Runbooks-first phase order — critical/high incidents missing runbooks surface as critical health
    • Regression: npm run test:console-ambient-status
  6. May 2026

    Audit ambient status layer

    • Live health pulse banner on /audit with trail recency, export readiness, and Slack delivery headlines
    • Audit-first phase order — append-only posture, whisper event type, and incident cross-signals
    • Regression: npm run test:console-ambient-status
  7. May 2026

    Automations ambient status layer

    • Live health pulse banner on /automations with dry-run success, guardrail, and connector-context headlines
    • Automations-first phase order — dry-run stats and approval blockers surfaced in the ambient lattice
    • Regression: npm run test:console-ambient-status
  8. May 2026

    Services ambient status layer

    • Live health pulse banner on /services with SLO burn, catalog, and connector-context headlines
    • Services-first phase order — critical/warning error budget counts surfaced in the ambient lattice
    • Regression: npm run test:console-ambient-status
  9. May 2026

    Approvals ambient status layer

    • Live health pulse banner on /approvals with approval-context headlines and high-risk / policy-gap counts
    • Approvals-first phase order and session-mode pending queue support in local dev
    • Regression: npm run test:console-ambient-status
  10. May 2026

    Incidents ambient status layer

    • Live health pulse banner on /incidents with incident-context headlines and hot/open queue counts
    • Extends console ambient telemetry — same lattice UI as /hub and /overview
    • Regression: npm run test:console-ambient-status
  11. May 2026

    Console jump search pinned shortcuts

    • Ctrl/Cmd+K idle dropdown lists pinned modules before recently opened routes
    • Synced from hub personalization (Supabase or local storage in dev mode)
    • Pin icon on pinned rows in the jump list
  12. May 2026

    Hub module personalization

    • Per-user quick link order and pins on /hub — Customize to reorder, add modules, and pin to nav rail
    • Pinned modules float to the top of the left console rail when signed in (migration #49: user_console_hub_prefs)
    • Local mode persists preferences in browser storage; regression: npm run test:hub-personalization
  13. May 2026

    Console ambient status layer

    • Live health pulse on /hub and /overview from incidents, approvals, connectors, and dry-runs
    • Subtle particle lattice banner with operational / attention / critical states
    • Regression: npm run test:console-ambient-status
  14. May 2026

    Staffing digest auto-chain

    • Single UTC-week cron: completion rollup → SLA breach digest → committee escalation
    • Console at /governance/compliance/staffing-digest-auto-chain
    • POST /api/governance/compliance/staffing-digest-auto-chain/scheduled
    • Migration #48; audit governance.staffing_digest_auto_chain_run
  15. May 2026

    Living quantum dimension — marketing

    • Canvas particle lattice with singularity field across the homepage
    • Living pulse status, dimension gates, and breathing command core
    • Animated living headlines and non-terran operator copy
  16. May 2026

    Cross-staffing committee escalation

    • Escalate SLA-breaching staffing actions after weekly completion rollup email
    • Email and Slack to committee admins with rollup open-count context
    • Console at /governance/compliance/cross-staffing-committee-escalation
    • GET/POST /api/governance/compliance/cross-staffing-committee-escalation
    • Migration #47; audit governance.cross_staffing_committee_escalation_*
  17. May 2026

    Futuristic marketing homepage

    • Consolidated homepage into neural command hero, bento command surface, and capability orbit
    • Animated command preview, scrolling ticker, timeline operator flow, and proof rail
    • Redesigned /next roadmap as horizon bento columns
  18. May 2026

    Staffing action SLA breach digest

    • Weekly digest when open actions exceed configurable days-past-peak completion SLA
    • Email and Slack to owners and admins with breach queue
    • Console at /governance/compliance/staffing-sla-breach-digest
    • GET/POST /api/governance/compliance/staffing-sla-breach-digest
    • Migration #46; audit governance.staffing_sla_breach_digest_*
  19. May 2026

    Staffing completion rollup export

    • Printable HTML archive with open vs completed staffing actions and completion rate
    • Weekly email to owners and admins with Save-as-PDF link
    • Console at /governance/compliance/staffing-completion-rollup
    • GET/POST /api/governance/compliance/staffing-completion-rollup
    • Migration #45; audit governance.staffing_completion_rollup_*
  20. May 2026

    Staffing action overdue reminders

    • Email assignees and admins when accepted actions stay open past peak week
    • Slack digest with deduped reminder log per action and channel
    • Console at /governance/compliance/staffing-action-reminders
    • GET/POST /api/governance/compliance/staffing-action-reminders
    • Migration #44; audit governance.staffing_action_overdue_reminders_*
  21. May 2026

    Obligation staffing action tracker

    • Accept load-balance transfers and capacity what-if relief proposals
    • Track accepted actions through in progress to completed
    • Console at /governance/compliance/staffing-actions
    • GET /api/governance/compliance/staffing-actions
    • Migration #43; audit governance.obligation_staffing_action_*
  22. May 2026

    Committee peak-week staffing digest

    • Alert when capacity shortfall and load imbalance coincide in forecast peak week
    • Email, Slack, and optional webhook to owners and admins
    • Console at /governance/compliance/peak-week-staffing-digest
    • GET/POST /api/governance/compliance/peak-week-staffing-digest
    • Migration #42; audit governance.peak_week_staffing_digest_*
  23. May 2026

    Obligation owner load balancing

    • Peak-week obligations mapped to RACI primary accountables per framework
    • Rebalance suggestions when owner load is uneven across accountables
    • Console at /governance/compliance/obligation-load-balancing
    • GET /api/governance/compliance/obligation-load-balancing
    • Audit governance.obligation_owner_load_balancing_exported; no migration
  24. May 2026

    Committee obligation capacity budget

    • Weekly owner-hours from forecast obligations vs committee capacity
    • Shortfall weeks when estimated hours exceed available owner-hours
    • Console at /governance/compliance/committee-capacity-budget
    • GET /api/governance/compliance/committee-capacity-budget
    • Migration #41; audit governance.committee_obligation_capacity_budget_exported
  25. May 2026

    Board obligation what-if scenarios

    • Stress-test forecast when obligations shift by N weeks or frameworks are descoped
    • Peak week, current-week, and density breach deltas vs live baseline
    • Console at /governance/compliance/obligation-whatif
    • GET /api/governance/compliance/obligation-whatif
    • Audit governance.board_obligation_whatif_exported; no migration
  26. May 2026

    Obligation density trend history

    • Trailing-quarter weekly obligation counts by due week plus alert delivery trend
    • Forward forecast weeks overlaid for capacity planning
    • Console at /governance/compliance/obligation-density-trend-history
    • GET /api/governance/compliance/obligation-density-trend-history
    • Audit governance.obligation_density_trend_history_exported; no migration
  27. May 2026

    Compliance obligation density alerting

    • Org thresholds for current week, peak week, and overdue obligation spikes
    • Slack and email to owners/admins with per-breach dedup delivery log
    • Console at /governance/compliance/obligation-density-alerts
    • GET/POST /api/governance/compliance/obligation-density-alerts
    • Migration #40; audit governance.obligation_density_alert_*
  28. May 2026

    Obligation executive rollup PDF

    • Printable HTML board packet combining forecast, crossover, consolidation, and SLA
    • Download HTML and Print → Save as PDF for distribution
    • Console at /governance/compliance/obligation-rollup
    • GET /api/governance/compliance/obligation-rollup?format=html
    • Audit governance.obligation_executive_rollup_exported; no migration
  29. May 2026

    Quarterly obligation committee digest

    • Email digest for owners/admins with forecast peaks, crossover clusters, and SLA breaches
    • 90-day cadence with delivery log and optional HTTPS webhook
    • Console at /governance/compliance/committee-digest
    • GET/POST /api/governance/compliance/committee-digest
    • Migration #39; audit governance.obligation_committee_digest_*
  30. May 2026

    Board obligation forecast timeline

    • Weekly forward-looking obligation density from live calendar and requests
    • Peak week, committee summary, and milestone queue for leadership prep
    • Console at /governance/compliance/obligation-forecast
    • GET /api/governance/compliance/obligation-forecast
    • Audit governance.board_obligation_forecast_exported; no migration
  31. May 2026

    Obligation consolidation playbook

    • Six-step operator workflow per crossover cluster with evidence sprint runbook
    • Track planned → in progress → collected → verified in consolidation plays
    • Console at /governance/compliance/obligation-consolidation
    • GET /api/governance/compliance/obligation-consolidation
    • Migration #38; audit governance.obligation_consolidation_*
  32. May 2026

    Multi-framework obligation crossover report

    • Clusters obligations sharing SOC 2 ↔ ISO crosswalk and thematic control links
    • Framework pair rollup and evidence reuse notes for aligned due windows
    • Console at /governance/compliance/obligation-crossover
    • GET /api/governance/compliance/obligation-crossover
    • Audit governance.obligation_crossover_report_exported; no migration
  33. May 2026

    Regulatory obligation heatmap

    • Framework, vendor tier, and testing-schedule concentration from live calendar and requests
    • Overdue and due-soon urgency bands with CSV/JSON export
    • Console at /governance/compliance/obligation-heatmap
    • GET /api/governance/compliance/obligation-heatmap
    • Audit governance.regulatory_obligation_heatmap_exported; no migration
  34. May 2026

    Control testing evidence linker

    • Maps automation dry-runs to controls and evidence bundle windows
    • Schedule coverage rollup and assessor workbook testing/ appendix
    • Console at /governance/compliance/testing-evidence-linker
    • GET/POST /api/governance/compliance/testing-evidence-linker
    • Audit governance.control_testing_evidence_*; no migration
  35. May 2026

    Compliance evidence request SLA dashboard

    • Overdue and at-risk queues with fulfillment and on-time SLA metrics
    • Assignee and framework rollups plus auditor digest email/webhook
    • Console at /governance/compliance/evidence-request-sla
    • GET/POST /api/governance/compliance/evidence-request-sla
    • Migration #37; audit governance.evidence_request_sla_*
  36. May 2026

    Compliance attestation renewal calendar

    • Renewal waves with 14-day lead windows across all framework attestations
    • Per-framework rollup and owner email nudges with weekly dedup
    • Console at /governance/compliance/attestation-renewal
    • GET/POST /api/governance/compliance/attestation-renewal
    • Migration #36; audit governance.attestation_renewal_*
  37. May 2026

    Compliance committee meeting pack

    • ZIP bundle for quarterly committee reviews with printable HTML summary
    • Includes health scorecard, posture, exception register, and open gap queue
    • Console at /governance/compliance/committee-meeting-pack
    • GET /api/governance/compliance/committee-meeting-pack
    • Audit governance.compliance_committee_meeting_pack_exported; no migration
  38. May 2026

    Compliance control health scorecard

    • Leadership health score blending posture, vendor inherited controls, and gap closure
    • RAG metric table and board-ready leadership actions
    • Console at /governance/compliance/control-health-scorecard
    • GET /api/governance/compliance/control-health-scorecard
    • Audit governance.compliance_control_health_scorecard_exported; no migration
  39. May 2026

    Inherited control coverage gap report

    • Vendor-level gaps for inherited controls missing audit evidence or attestation by tier
    • Tier readiness floors and CSV/JSON export
    • Console at /governance/compliance/inherited-control-gaps
    • GET /api/governance/compliance/inherited-control-gaps
    • Audit governance.inherited_control_coverage_gaps_exported; no migration
  40. May 2026

    Regulatory mapping change digest

    • Webhook and email when compliance catalog controls or SOC 2 ↔ ISO crosswalk mappings change
    • Fingerprint snapshots per org with delivery log at /governance/compliance/mapping-digest
    • GET/POST /api/governance/compliance/mapping-digest
    • Migration #35 compliance_mapping_digest_deliveries
  41. May 2026

    Compliance obligation ICS export

    • iCalendar feed of attestation, vendor review, bundle, checkpoint, and evidence-request deadlines
    • Import into Google Calendar, Outlook, or Apple Calendar
    • Console at /governance/compliance/obligation-ics
    • GET /api/governance/compliance/obligation-ics and assessor API obligation-ics resource
    • Audit governance.compliance_obligation_ics_exported; no migration
  42. May 2026

    Assessor evidence request workflow

    • Auditors open document requests per control with due dates, assignees, and fulfillment tracking
    • Console at /governance/compliance/evidence-requests
    • GET /api/governance/compliance/evidence-requests
    • Migration #34 compliance_assessor_evidence_requests; audit assessor_evidence_request_* events
  43. May 2026

    Compliance exception register

    • Central register of control gaps, policy drift, and dismissed compensating remediations
    • Expiry, approver, and framework linkage from live assessments and attestations
    • Console at /governance/compliance/exception-register
    • GET /api/governance/compliance/exception-register
    • Audit governance.compliance_exception_register_exported; no migration
  44. May 2026

    GRC control ownership matrix

    • RACI matrix per control — accountable from attestations, responsible from in-scope services and vendors
    • Policy reviewers and workspace roles as consulted / informed; linked to scope boundary mapper
    • Console at /governance/compliance/control-ownership
    • GET /api/governance/compliance/control-ownership
    • Audit governance.control_ownership_matrix_exported; no migration
  45. May 2026

    Unified compliance posture score

    • Single 0–100 org-wide score with grade A–F from readiness, attestations, vendors, gaps, and risk pillars
    • Live pillar breakdown and improvement drivers at /governance/compliance/posture-score
    • GET /api/governance/compliance/posture-score
    • Audit governance.compliance_posture_score_exported; no migration
  46. May 2026

    Compliance KPI trend dashboards

    • Weekly gap started/resolved and attestation signed activity from audit_log and remediation tables
    • Per-framework readiness sparklines with measured prior vs current baselines
    • Console at /governance/compliance/kpi-trends; GET /api/governance/compliance/kpi-trends
    • Audit governance.compliance_kpi_trends_exported; no migration
  47. May 2026

    Compliance scope boundary mapper

    • Maps services, vulnerability assets, vendors, and dependency data flows to framework control packs
    • In-scope vs out-of-scope zones with per-framework coverage at /governance/compliance/scope-boundary
    • GET /api/governance/compliance/scope-boundary; JSON or CSV export
    • Audit governance.scope_boundary_exported; no migration
  48. May 2026

    Automated control testing schedules

    • Recurring evidence windows from attestation due dates, quarterly framework checkpoints, stale-control retests, and bundle cadence
    • Overdue / due / upcoming schedule board at /governance/compliance/testing-schedules
    • GET /api/governance/compliance/testing-schedules?horizonDays=90
    • Audit governance.control_testing_schedules_exported; no migration
  49. May 2026

    Compliance evidence lineage tracking

    • Six-stage pipeline from audit log and accepted policies through evidence bundles to assessor workbook
    • Per-control trails with audit event types, playbooks, and bundle linkage at /governance/compliance/evidence-lineage
    • GET /api/governance/compliance/evidence-lineage; JSON or CSV export
    • Audit governance.evidence_lineage_exported; no migration
  50. May 2026

    Regulatory change impact simulator

    • Five curated regulatory scenarios with projected readiness deltas vs live org baseline
    • Per-control current vs simulated status and framework rollups at /governance/compliance/regulatory-impact
    • GET /api/governance/compliance/regulatory-impact; catalog 2026.05-regulatory-v1
    • Audit governance.regulatory_impact_exported; no migration
  51. May 2026

    Cross-framework control dependency graph

    • Links controls via SOC 2 ↔ ISO crosswalk, thematic bridges, shared audit events, and accepted policy mappings
    • Hub controls, framework pair density, and weighted edge table at /governance/compliance/control-graph
    • GET /api/governance/compliance/control-graph; JSON or CSV export
    • Audit governance.control_graph_exported; no migration
  52. May 2026

    Compliance policy drift detection

    • Flags accepted automation policies whose guardrails diverge from live continuous assessment gaps
    • Detects missing dry-run, change-window, blast-radius enforcement and uncovered control gaps
    • Console at /governance/compliance/policy-drift; GET /api/governance/compliance/policy-drift
    • Audit governance.policy_drift_exported; no migration
  53. May 2026

    Continuous control benchmarking

    • Compare live org readiness to anonymized industry p25–p90 reference cohorts per framework
    • Estimated peer percentile, delta vs median, and distribution bars at /governance/compliance/benchmarking
    • GET /api/governance/compliance/benchmarking; catalog 2026.05-industry-v1
    • Audit governance.control_benchmark_exported; no migration
  54. May 2026

    Compliance calendar & audit season planner

    • Month-grid GRC calendar from live attestations, vendor review dates, evidence bundles, and framework quarter checkpoints
    • Scheduled digest and SLA cadence when org webhooks/settings are configured
    • Console at /governance/compliance/calendar; GET /api/governance/compliance/calendar
    • Audit governance.grc_calendar_exported; no migration
  55. May 2026

    Board-ready GRC executive summary

    • One-page leadership rollup from live program dashboard, risk heatmap, and attestation posture
    • Console at /governance/compliance/executive-summary with print and export (HTML, Markdown, JSON, CSV)
    • GET /api/governance/compliance/executive-summary; assessor API resource executive-summary
    • Audit governance.grc_executive_summary_exported; no migration
  56. May 2026

    Compliance risk heatmap

    • Framework and vendor risk concentration from live baseline comparison, program dashboard, and third-party register
    • Console at /governance/compliance/risk-heatmap; GET /api/governance/compliance/risk-heatmap (CSV/JSON)
    • Tier × category vendor matrix, top hotspots, and assessor API resource risk-heatmap
    • Audit governance.compliance_risk_heatmap_exported; no migration
  57. May 2026

    Compliance automation runbooks

    • Link live framework assessment gaps to in-repo runbooks and guarded automation playbooks
    • Console at /governance/compliance/runbooks; GET /api/governance/compliance/gap-remediations
    • Program dashboard shows open remediations; audit gap_remediation_started / _resolved
    • Migration #33 — compliance_gap_remediations; shared ComplianceHubLinks on compliance pages
  58. May 2026

    Assessor-scoped compliance API tokens

    • Org-scoped zentro_ca_* read-only tokens for external auditors
    • GET /api/governance/compliance/assessor/{resource} — live evidence, workbook, crosswalk, and framework exports
    • Token management at /governance/compliance/assessor-api; requires SUPABASE_SERVICE_ROLE_KEY to resolve
    • Migration #32 — compliance_assessor_api_tokens; audit assessor_api_token_* and assessor_api_accessed
  59. May 2026

    Multi-framework baseline comparison

    • Side-by-side readiness and 30d vs prior-30d deltas for all eight framework packs from live org audit and policy data
    • Console at /governance/compliance/baseline-comparison; GET /api/governance/compliance/baseline-comparison
    • Highlights lowest readiness and most control regressions; CSV/JSON export
    • Audit governance.baseline_comparison_exported; no migration
  60. May 2026

    Control evidence freshness dashboard

    • Per-control last audit and policy evidence timestamps with fresh / aging / stale bands
    • Stale control queue and framework rollup at /governance/compliance/evidence-freshness
    • GET /api/governance/compliance/evidence-freshness — CSV or JSON export
    • Audit governance.evidence_freshness_exported; no migration
  61. May 2026

    FedRAMP POA&M export pack

    • POA&M CSV/JSON from SOC 2, ISO 27001, and CMMC L2 continuous assessment exceptions
    • Curated catalog → NIST SP 800-53 Rev 5 crosswalk with risk rating and scheduled completion dates
    • Console at /governance/compliance/fedramp-poam; GET /api/governance/compliance/fedramp-poam
    • Includes org deployment tier/region/boundary metadata; audit governance.fedramp_poam_exported; no migration
  62. May 2026

    Compliance control SLA reminders

    • Slack summary and Resend email nudges for attestations due soon, overdue, and SOC 2 / ISO readiness regression
    • Console at /governance/compliance/sla-reminders; GET/POST /api/governance/compliance/sla-reminders
    • Weekly dedup log; cron POST .../sla-reminders/scheduled with ZENTRO_SLA_CRON_SECRET
    • Migration #31 — org SLA settings + compliance_sla_reminder_log; audit governance.compliance_sla_reminders_sent
  63. May 2026

    Scheduled compliance digest webhooks

    • Weekly HTTPS digest of program readiness deltas, SOC 2 trend changes, and newly overdue attestations
    • Console at /governance/compliance/digest; POST /api/governance/compliance/digest and scheduled cron route
    • Org compliance_digest_webhook_url; delivery history in compliance_digest_deliveries
    • Migration #30 — audit event governance.compliance_digest_delivered
  64. May 2026

    Unified assessor workbook export

    • ZIP download bundles evidence pack, SOC 2/ISO crosswalk, and framework assessment JSON
    • Tamper-evident manifest.json with per-file SHA-256 inside the archive
    • Console at /governance/compliance/workbook; GET /api/governance/compliance/workbook
    • Depends on jszip — audit event governance.assessor_workbook_exported; no migration
  65. May 2026

    SOC 2 / ISO 27001 crosswalk export

    • Curated mapping matrix linking catalog SOC 2 criteria to ISO 27001:2022 Annex A controls
    • 30-day audit evidence overlay per side with unified-evidence indicator
    • Console at /governance/compliance/crosswalk; GET /api/governance/compliance/crosswalk (CSV or JSON)
    • Audit event governance.soc2_iso_crosswalk_exported on download — no migration
  66. May 2026

    GDPR Article 32 technical measures

    • Twelve Article 32(1) security-of-processing measures across encryption, CIA, resilience, and assurance domains
    • DPA-oriented readiness bands (DPA-ready through At risk) from shared audit and policy evidence
    • Console at /governance/compliance/gdpr-art32; GET /api/governance/compliance/gdpr-art32
    • Program dashboard and evidence export add gdpr_art32_controls — no migration
  67. May 2026

    CMMC 2.0 Level 2 control overlay

    • Twelve NIST SP 800-171 Rev 2 practices across AC, AU, CM, IA, IR, RA, SC, and SI families
    • SPRS-style estimated score (0–110) and practice family readiness from shared audit evidence
    • Console at /governance/compliance/cmmc-l2; GET /api/governance/compliance/cmmc-l2
    • Program dashboard and evidence export add cmmc_l2_controls — no migration
  68. May 2026

    CIS Controls v8 safeguard pack

    • Twelve CIS v8 safeguards across Implementation Groups IG1, IG2, and IG3
    • IG readiness scoring and attained posture from shared audit and policy evidence
    • Console at /governance/compliance/cis-v8; GET /api/governance/compliance/cis-v8
    • Program dashboard and evidence export add cis_v8_controls — no migration
  69. May 2026

    NIST CSF 2.0 alignment

    • Twelve NIST Cybersecurity Framework 2.0 outcomes across Govern, Identify, Protect, Detect, Respond, and Recover
    • Function maturity tiers (Partial through Adaptive) from shared audit and policy evidence
    • Console at /governance/compliance/nist-csf; GET /api/governance/compliance/nist-csf
    • Program dashboard and evidence export add nist_csf_controls — no migration
  70. May 2026

    HIPAA Security Rule mapping

    • Eleven HIPAA safeguards (45 CFR 164) in the compliance catalog with readiness and gap analysis
    • Console at /governance/compliance/hipaa; healthcare_baa vendor category for full BAA control inheritance
    • GET /api/governance/compliance/hipaa; evidence export adds hipaa_controls column
    • Migration #29 — healthcare_baa third_party_vendors category
  71. May 2026

    PCI DSS control pack

    • Eleven representative PCI DSS v4 requirements in the compliance catalog
    • Readiness scoring and gap analysis at /governance/compliance/pci-dss
    • Audit and policy mappings reuse shared evidence; export adds pci_dss_controls column
    • Program dashboard rollup includes PCI readiness — no migration
  72. May 2026

    Compliance program dashboard

    • Executive rollup across SOC 2 Type II, ISO 27001, control attestations, and third-party vendors
    • Weighted program readiness score with top gaps and overdue attestation queue
    • Console at /governance/compliance/program; GET /api/governance/compliance/program
    • No migration — aggregates existing compliance modules at read time
  73. May 2026

    Third-party risk register

    • Vendor inventory with risk tier, category, and status
    • Inherited SOC 2 / ISO controls per vendor with attestation and audit evidence reuse
    • Console at /governance/third-party-risk; GET/POST /api/governance/third-party/vendors
    • Migration #28 — third_party_vendors + third_party_vendor_controls
  74. May 2026

    Control attestation workflows

    • Per-control owner assignment, due dates, and sign-off with append-only attestation trail
    • Console at /governance/compliance/attestations; links to mapped audit evidence (30d)
    • GET /api/governance/compliance/attestations — attestation board JSON
    • Migration #27 — compliance_control_attestations + compliance_control_attestation_events
  75. May 2026

    ISO 27001 continuous assessment

    • Annex A control monitoring with 30d vs prior 30d trends and domain readiness rollup
    • Gap analysis surfaces missing, partial, and regressed controls by organizational and technological domain
    • GET /api/governance/compliance/iso-assessment — structured assessment JSON for assessors
    • Shared continuous-assessment engine with SOC 2 Type II (no new migration)
  76. May 2026

    SOC 2 Type II report mode

    • Continuous control monitoring dashboard with 30d vs prior 30d trends and exceptions
    • Auditor org role — read-only workspace limited to governance/compliance and /audit
    • GET /api/governance/compliance/type-ii — structured report JSON for assessor workpapers
    • Migration #26 — auditor role on organization_members
  77. May 2026

    Assessor evidence bundles

    • Persisted compliance packs with SHA-256 manifests over JSON and CSV artifacts
    • Console at /governance/compliance/bundles; optional HTTPS webhook delivery per org
    • POST /api/governance/compliance/bundles and cron POST .../bundles/scheduled
    • Migration #25 — compliance_evidence_bundles table + evidence_bundle_webhook_url
  78. May 2026

    Legal hold markers

    • Incidents can be frozen with reason and timestamp; linked audit rows inherit hold
    • Retention purge (apply_org_retention_policy) skips held incidents and audit evidence
    • Console at /governance/legal-holds; apply/clear from incident detail (owner/admin)
    • Migration #24 — legal_hold columns and updated org purge helpers
  79. May 2026

    Custom retention policies

    • Org-level audit and closed-incident retention overrides capped by deployment tier
    • Effective policy display and editor on /settings/deployment
    • GET /api/deployment/retention — tier defaults, overrides, and max limits
    • Migration #23 — apply_org_retention_policy(org_id) purge helper for scheduled jobs
  80. May 2026

    Org-scoped audit log

    • audit_log.org_id shares append-only evidence across organization members
    • Role-aware event filters on /audit — viewer, operator, and approver subsets
    • CSV export gated by org role; compliance packs use org-scoped audit rows
    • Migration #22 — audit_log org_id column, indexes, and member RLS policy
  81. May 2026

    Compliance evidence export

    • CSV and JSON assessor packs with SOC 2 / ISO control columns on audit events
    • Accepted automation policies included with guardrail metadata
    • Export buttons on /governance/compliance; GET /api/governance/compliance/export
    • Appends governance.compliance_exported audit event on download
  82. May 2026

    FedRAMP-oriented deployment

    • Org deployment tier (standard / regulated / fedramp_ready) with region and data boundary
    • GovCloud validation: FedRAMP-ready requires gov_cloud boundary + us-gov-* region
    • Console at /settings/deployment; GET /api/deployment/profile
    • Migration #21 — organizations.deployment_tier, data_region, data_boundary
  83. May 2026

    Compliance control mapping

    • SOC 2 TSC and ISO 27001 Annex A control tags on audit_log event types
    • Accepted automation policies contribute policy-side evidence in coverage matrix
    • Console at /governance/compliance; control badges on /audit
    • GET /api/governance/compliance/summary — computed at read time (no migration)
  84. May 2026

    Attack path simulation

    • What-if paths from open high/critical vulns through dependency pivots to production targets
    • Console at /assets/attack-paths with ranked risk scores and step-by-step path detail
    • GET /api/attack-paths/simulate (optional targetServiceId, maxDepth)
    • Computed at read time — uses org-scoped services, dependencies, and findings
  85. May 2026

    Org SLO & dependencies

    • SLO configs, error budget snapshots, and dependency edges share org scope with the service catalog
    • Burn triage on /services and /overview reflects org-wide incident history
    • Automation SLO guardrails use org-scoped burn state during critical budget windows
    • Migration #20 — org_id on service_slos, error_budget_windows, service_dependencies
  86. May 2026

    Exposure prioritization

    • Vulnerability queue ranked by exposure score (CVSS + asset criticality + recency)
    • Matches findings to service catalog environment (production hosts surface first)
    • Console stats: urgent count and production-asset exposure at /assets/vulnerabilities
    • Computed at read time — no migration required
  87. May 2026

    Pen-test finding rollup

    • Auto-link new vulnerability findings to active pen-test scope (host matching)
    • Increments pen_test_engagements.findings_count via increment_pen_test_findings_count()
    • Optional header X-Zentro-Pen-Test-Engagement to force engagement attribution
    • Migration #19 — vulnerability_findings.pen_test_engagement_id
  88. May 2026

    Org-wide resource scope

    • Shared incidents, services, and automation history for active organization
    • Migration #18 — org_id on incidents, services, automation_dry_runs, automation_executions
    • Alert/vuln ingest attributes incidents to primary org membership
  89. May 2026

    Organization RBAC

    • Organizations + member roles (owner, admin, operator, approver, security reviewer, viewer)
    • Delegated approval queue with self-approval prevention
    • Members console at /settings/members
    • Migration #17 — org RBAC tables and approval_requests org columns
  90. May 2026

    Vulnerability & pen-test operations

    • Qualys/Tenable ingest via POST /api/integrations/vulnerabilities
    • Exposure queue console at /assets/vulnerabilities
    • Pen-test engagement tracking at /changes/pentest
    • Migration #16 — vulnerability_findings + pen_test_engagements tables
  91. May 2026

    Cybersecurity & enterprise positioning

    • SIEM/EDR alert adapters: Splunk, Microsoft Sentinel, CrowdStrike via POST /api/integrations/alerts
    • Pricing compare matrix (Pro / Team / Enterprise) at /pricing
    • Homepage upgrade — SOC metrics strip, 6-panel command preview, cyber + enterprise sections
    • New pages: /cybersecurity, /enterprise, /next
  92. May 2026

    Postgres & platform spine

    • Postgres excellence migration (#15), /api/health/db, Supabase CLI config
    • Expanded modules and use cases on marketing site
  93. April 2026

    Console UX and API docs

    • Route-level loading skeletons (incidents, overview, automations, audit, approvals, services, copilot, runbooks, hub, vision, new incident, runbook detail)
    • Richer empty states (incidents, audit, services catalog, approvals) with guided CTAs
    • Public /docs/api catalog + OpenAPI sketch from lib/docs/api-catalog
  94. April 2026

    Positioning and buyer narrative

    • Public /platform overview — flow, guarded model, capabilities, differentiation, architecture
    • Learn hub at /docs, /why philosophy page, /pricing, /status, /changelog
    • Homepage: product preview strip, mechanics grid, use cases, control section
  95. April 2026

    Incidents and operations depth

    • Incident owner hint, runbook slug, markdown export API
    • Health endpoint hardening and public status cleanup
    • Alert ingest payload extensions
