Changelog

New features, improvements, and fixes — in reverse chronological order.

v0.9

ReBAC, API Keys, and Trust Center

Added
  • Relationship-based access control (ReBAC) — 1-hop relation policies using `relation.<name>` condition prefix. Define resource ownership, team membership, or project access with a single Policy Studio rule.
  • API Keys management — create and revoke named API keys directly from the dashboard. Keys are bcrypt-hashed at rest; plaintext shown exactly once on creation.
  • Failure mode config per-org — Enterprise orgs can now switch from fail-closed (default) to fail-open-with-audit via support request. Every error-time allow is flagged in the audit log.
  • Trust Center page at /trust with SOC 2 audit status, encryption details, and responsible disclosure contact.
  • Design Partners page at /design-partners for teams interested in early access and roadmap input.
Changed
  • Relationship cache TTL reduced from 120s to 60s. Cache invalidated automatically on any Relationship mutation.
  • Access Simulator Live Preview `top_k` cap enforced at 20 (previously up to 100 in some edge cases).
Fixed
  • Policy evaluation now correctly returns `False` for `relation.*` conditions when evaluated in ingestion context (no resource to check against).
  • Qdrant lister returns `[]` on HTTP 404 (collection not found) instead of raising a connection error during retroactive registration.

v0.8

Vertex AI Search, Azure AI Search, and Classification Suggestions

Added
  • Vertex AI Search connector — hybrid + keyword + vector search against Google Discovery Engine data stores. Supports `serving_config_id` override.
  • Azure AI Search connector — ranked BM25 keyword and native RRF hybrid search. Supports `semantic_configuration` field (reserved for future semantic ranking).
  • Classification suggestion engine — rule-based keyword pattern matching on connector resources. Scan → review suggestions in UI → apply accepted labels. Available on all plans.
  • GCP Cloud Identity IDP adapter — sync principals from GCP Cloud Identity groups with `service_account_json` credentials.
  • Retroactive registration now available for Vertex AI Vector Search (listing via Management API).
Changed
  • GCP auth helper `get_gcp_access_token()` is now cached per-service-account for 55 minutes, reducing IAM token exchange overhead on high-volume deployments.
  • `metadata_resolution_mode` validation updated — `sql_view` mode explicitly rejected for Azure AI Search and Vertex connectors.
Fixed
  • Azure AI Search hybrid search now correctly ignores `alpha` parameter and uses native Azure RRF (alpha abstraction will be added in a future release).
  • Vertex AI Vector Search SQUARED_L2_DISTANCE score conversion fixed: now uses `1 / (1 + distance)` instead of `1 - distance`.

v0.7

Answer Synthesis, Live Preview, and Policy Templates

Added
  • Grounded Answers — policy-aware answer synthesis (Pro+). `POST /api/answers/execute` retrieves policy-filtered chunks, feeds them to an LLM, and returns an answer with citations. Three outcomes: `answered`, `no_access`, `insufficient_context`.
  • Access Simulator Live Preview — real retrieval against a connector as a specific principal, split into allowed/denied result panels. Batch preview evaluates up to 5 principals simultaneously.
  • Policy templates — 7 pre-built starting points: `group_rbac`, `department_access`, `classification_ceiling`, `deny_sensitive`, `label_access`, `connector_scoped_allow`, `global_internal_read`. Available via Policy Studio "Create from Template" button.
  • Principal resolver endpoint — `POST /api/principals/resolve` finds an active principal by email or `provider_subject` without creating new records.
  • CLI: `gateco principals resolve <email>` command.
Changed
  • Onboarding wizard rebuilt as computed (no stored step table) — 6 steps derived from existing DB state at read time. Step 3 (register resources) now requires ≥10 resources.
  • Answer synthesis is available only for vector, keyword, and hybrid search modes; grep is excluded.
Fixed
  • Deny policies now correctly fire the policy-level `effect=deny` when selectors match but none of the rules match.
  • Policy condition fields without `resource.` or `principal.` prefix now emit a warning and resolve against principal (old behavior was silent).

v0.6

Multi-mode Search and SCIM v2 Groups

Added
  • Multi-mode search — keyword (BM25), hybrid (RRF fusion), and grep (regex/substring) modes added alongside existing vector search. All 4 modes available on all plans.
  • SCIM v2 Groups support — Group CRUD maps to PrincipalGroup model. Group rename propagates to all member principals' groups arrays. Group DELETE hard-deletes and removes from all member arrays.
  • Search mode recorded in audit trail — `search_mode` column added to secured_retrievals for per-query visibility.
  • Okta IDP adapter — sync principals and groups from Okta using SSWS token auth.
  • Policy suggestions (MVP) — analyze synced IDP data to suggest group RBAC and department access starting points. Applied suggestions create DRAFT policies.
  • SCIM tokens per-IDP — generate and revoke SCIM bearer tokens from the identity providers page.
Changed
  • OpenSearch hybrid uses boost-based alpha emulation (vector × alpha × 10 + keyword × (1 - alpha) × 10) rather than a native alpha parameter.
  • Qdrant and Milvus keyword search returns uniform score=1.0 — these connectors use payload filter matching, not ranked BM25.
Fixed
  • Grep patterns now validated before execution — max 200 chars, nested quantifiers rejected, trivial patterns rejected. Invalid patterns return 422.
  • Weaviate grep now explicitly rejects `pattern_type: "regex"` (only wildcard substring supported via `Like` operator).

v0.5

Vertex AI Vector Search, MCP Server, and Scheduled IDP Sync

Added
  • Vertex AI Vector Search connector — vector-only search against Google Vertex AI Index Endpoints. Supports `distance_measure` config (COSINE default, DOT_PRODUCT, SQUARED_L2).
  • MCP server — `gateco[mcp]` optional extra adds a FastMCP server with 6 tools: retrieve, ask (grounded answers), list connectors, list policies, list principals, resolve principal. Works with Claude, Cursor, and any MCP-compatible host.
  • CLI: `gateco mcp serve` command. Direct entry point `gateco-mcp` for host configs.
  • Scheduled IDP auto-sync — per-IDP configurable sync interval. Two-layer locking: asyncio.Lock + PostgreSQL advisory locks for multi-instance coordination.
  • Provider subject field on principals — raw IDP-side user ID stored separately from composite external_id. Enables precise principal resolution by IDP identifier.
Changed
  • MCP tools return markdown, never JSON. Denied content is never surfaced in tool output — only denial reasons and counts.
  • Auto-sync scheduler is disabled when the `DISABLE_SYNC_SCHEDULER=true` env var is set (useful for test and multi-instance deployments).
Fixed
  • Stripe webhook handler `subscription.deleted` no longer downgrades org plan if subscription was already canceled.
  • Frontend API functions now correctly extract `.data` from enveloped list responses — fixes empty-state false positives on connectors and policies pages.

v0.4

ABAC Policies, Policy Studio, and Hybrid Search

Added
  • Attribute-based access control (ABAC) — condition fields support `resource.*` and `principal.*` prefixes for fine-grained attribute checks.
  • Policy Studio — draft/active/archived lifecycle, version history with diff view, policy approval workflow.
  • Access Simulator Dry Run — test policy configurations against hypothetical queries without hitting the real vector DB.
  • Hybrid search for Postgres-family connectors — CTE-based vector + full-text fusion using Reciprocal Rank Fusion (RRF, k=60).
  • Metadata resolution modes: inline (from vector payload), sql_view (from Postgres view), sidecar (Gateco-stored), auto (tries all three).
  • Classification labels on resources: public / internal / confidential / restricted. Enforced at retrieval time via ABAC ceiling conditions.
Changed
  • Semantic readiness levels (L0-L4) revised — readiness now reflects connector capability progression, not coverage percentage.
  • Free plan retrieval limit increased from 100 to 1,000 per month.
Fixed
  • Retroactive registration no longer restricted to Tier 1 connectors — works for any connector with a `list_vector_ids` adapter.
  • Supabase connector linter now validates `metadata_columns` config before accepting inline metadata mode.