Releases: creator35lwb-web/VerifiMind-PEAS

v0.5.37 — Tier Clarity

25 May 16:11
fa96e2e

Makes rate-limit responses tell you why you're being throttled — and how to fix it.

What changed

  • The 429 (rate-limit) response now adapts to your situation:
    • No UUID configured → how to register a free Scholar UUID (3× the quota, plus BYOK and a usage dashboard).
    • UUID present but invalid → a recovery hint pointing at your VERIFIMIND_UUID setting and /setup, so a misconfigured Scholar isn't told to "register" when they already have an account.
  • Added a uuid_status field to the 429 response so the cause is explicit.
  • Privacy reminder kept inline: your UUID is only a quota key, BYOK keys are never logged, and registration adds no public identification.

Why

A connected Scholar-tier user was being rate-limited as Anonymous because their UUID header wasn't reaching the server — silently. Now the response says so and points to the fix.
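
The branching described above, as an added sketch in Python (not the project's code). Only the `uuid_status` field, `VERIFIMIND_UUID` and `/setup` come from these notes; the header name, the status values, the hint wording and the `KNOWN_UUIDS` store are assumptions.

```python
import uuid

# Constructed sample registry; a real server would query its own datastore.
KNOWN_UUIDS = {"3f2b8c1e-5d4a-4e6f-9a7b-1c2d3e4f5a6b"}

UUID_HEADER = "x-verifimind-uuid"  # hypothetical header name


def classify_uuid(headers):
    """Return 'missing', 'invalid' or 'valid' (assumed status values)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(UUID_HEADER, "").strip()
    if not raw:
        return "missing"  # header never reached the server
    try:
        canonical = str(uuid.UUID(raw))
    except ValueError:
        return "invalid"  # a value arrived but is not a well-formed UUID
    return "valid" if canonical in KNOWN_UUIDS else "invalid"


def rate_limit_response(headers, retry_after=60):
    """Build a 429 payload that tells the caller why it was throttled."""
    status = classify_uuid(headers)
    body = {"error": "rate_limited", "uuid_status": status}
    if status == "missing":
        body["hint"] = "No UUID received. Register a free Scholar UUID for a higher quota."
    elif status == "invalid":
        body["hint"] = "UUID received but not recognised. Check VERIFIMIND_UUID or revisit /setup."
    else:
        body["hint"] = "Quota for this UUID is exhausted. Retry later."
    # This sketch never echoes the UUID back: it is a quota key, nothing more.
    return 429, {"Retry-After": str(retry_after)}, body
```

A client that sees `uuid_status` of `missing` while it believes it is sending a UUID knows the header is being dropped somewhere between it and the server, which is the silent failure this release addresses.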

PR: #226

v0.5.36 — Changelog Endpoint Redirect

21 May 00:14
142368e

Single-sources the changelog to end dual-maintenance drift.

What changed

  • /changelog now 302-redirects to GitHub Releases (this page). The hand-curated on-domain changelog HTML is retired — GitHub Releases is the single source of truth.
  • Version 0.5.35 → 0.5.36; server.json 3.12.0 → 3.13.0.

Why

The /changelog endpoint had drifted (CHANGELOG.md updated, rendered page not). Rather than dual-maintain, the endpoint points here. Disclosure-safe by design: redirect targets Releases (sanitized), not CHANGELOG.md (which retains internal forensic detail).

Process

Ran through the full deploy skill v2.5 — all 9 version-assertion test files bumped up front, release cut with the scripted full SHA. (Earlier v0.5.34/v0.5.35 bypassed the skill via direct gcloud and accumulated drift; an anti-bypass guard was added.)

Merge: 142368e · PR #224

v0.5.35 — Honest-Baseline Metrics Sync

20 May 23:44
37cb445

Phase 90 metrics publication sync — surfaces the post-forensic-rebuild honest baseline on the public Library timeline.

What's new

  • /library timeline: new "May 2026" milestone — 4,139.1 flying hours (Success-Gated, aggregate; owner-IP + bot/scraper excluded). Tagline: "we audit our own numbers the same way we ask others to audit theirs."
  • April 17 milestone preserved as history.

Data-Disclosure Doctrine v1.0 compliance

  • Aggregate only — flying hours + methodology. No per-user behavioral facts, no named individuals.
  • EA Cohort Taxonomy (34/92/1) + AY's paradox-page reflection routed through AY (domain owner) via change-request, not edited by RNA.

Also in this release

  • 9 test files: SERVER_VERSION assertions bumped 0.5.33 → 0.5.35 (latent drift since v0.5.34, caught by CI).
  • server.json 3.11.0 → 3.12.0.

Merge commit: 37cb445 · PR #223

v0.5.34 — Evaluation Roadmap v1.0

15 May 01:29
d38bc9f

Phase 90 strategic spine. Alton's Decisions #1 + #2 from the May 13 Recursive Paradox session shipped as a bundled release.

What's new

  • /research/evaluation-roadmap — pre-registered Evaluation Roadmap v1.0, year-one window May 2026 → April 2027. Ten dated milestones (M0–M9), pre-registered numerical thresholds (Cohen's κ, ECE, Brier, F1 lift, ESR), 8 pre-registered kill-conditions, named external witnesses for M3 / M5 / M7 / M8.
  • Companion to /research/paradox — both pages cross-linked bidirectionally. The Validation Paradox names the problem; the Evaluation Roadmap is the structural answer.
  • Canonical markdown at docs/research/evaluation-roadmap/roadmap-v1.0.md with full Section B technical RFC appendix (math, dataset spec, reproducibility checklist, co-maintainer terms).
  • Tagged roadmap-v1.0 — any future change to a milestone date or definition requires a new tag.
  • README + /changelog updated; _RESEARCH_INDEX JSON-LD bumped to v1.4.

Why

The Validation Paradox page ended on a single line — the only available exit from a closed validation loop is an external signal. This release ships the external signal: a public clock with pre-registered failure conditions. Git tags make silent edits visible. Milestone-keyed retrospectives make silent skips visible. Named external witnesses make false completions visible. Pre-registered failure conditions make rationalization visible. Failure numbers will ship in the same font size as success numbers.

Per Alton's May 13 ruling: Beta v0.6.0 is now redefined as M0 + M1 from this roadmap (NOT first paying customer). Credibility milestone.

PR: #218 · Merge commit: d38bc9f

v0.5.33 — Changelog Hygiene

13 May 01:54
e578335

Disclosure-policy clarification + retroactive sanitization of the public-facing /changelog.

What changed

  • Removed specific blocked-IP addresses from the v0.5.30 and v0.5.32 entries on the public-facing /changelog page rendered by the server. Brings them in line with the v0.5.22 / v0.5.26 pattern (attack-type only, no specific identifier).
  • Added a "Disclosure policy" header to the internal CHANGELOG.md documenting the split: full forensics live in the internal repo CHANGELOG and PR history; the public surface carries the security narrative without operational leakage.
  • Added a v0.5.33 entry to public /changelog explaining the hygiene change itself (transparency about the policy fix).
  • Added PR# links to public v0.5.30 and v0.5.32 entries.

Why

Disclosing specific blocked IPs in a public changelog (a) signals to attackers what triggered the block, (b) tells the blocked actor they're caught and should rotate, (c) looks reactive in customer-facing copy. Internal records keep the full forensic record for attribution; the public surface keeps the trust signal without operational leakage.

No functional change

This is a documentation / public-surface fix only. No API or behavior change. SERVER_VERSION bumped to 0.5.33 to preserve deploy-tracker convention.

PR: #216

v0.5.32 — Secret Scanner Block + SonarCloud P1

13 May 01:53
ec8638b

Two combined tracks: another rogue IP blocked + SonarCloud P1 cleanup from XV's May 12 audit.

Security

  • Blocked a credential / secret enumeration scanner identified via GCP forensic analysis; 7 rogue IPs blocked at the application layer total
  • 77% of the burst was already caught by the rate limiter as 429; zero leak verified (the only requests that returned 200 hit the safe public root/register page)

SonarCloud P1 cleanup

  • Extracted MCP_ENDPOINT_PATH, MCP_SERVER_URL, MCP_REMOTE_QUICKSTART as module constants in http_server.py — collapsed ~13 duplicate string literals across JSON/dict responses (URL changes now propagate from a single source)
  • Refactored http_exception_handler 404 branch — extracted _extract_tool_call_metadata() and _client_ip_from_request() helpers; Cognitive Complexity 23 → ≤15
  • CodeQL py/empty-except × 2 resolved: http_server.py JSON parse now catches (ValueError, UnicodeDecodeError) specifically; trinity_history.py RuntimeError branch now logs at debug level
  • Lightweight-registration 500 path uses logger.exception() for full traceback

Expected impact

SonarCloud Critical Code Smells 13 → ~6 · CodeQL open 15 → 13 · Cognitive-complexity violations (production) 1 → 0

PR: #215

v0.5.31 — SonarCloud P0

13 May 01:53
9d02d95

Resolves P0 security hardening items from XV's May 12 SonarCloud audit. SonarCloud Security count 14 → 3, BLOCKER 15 → 2, Vulnerability 14 → 2.

Real fixes

  • .github/workflows/security-scan.yml — permissions moved workflow → job level (least privilege)
  • templates/import_url.py:121,148 — explicit TLSv1_2 minimum on both SSL contexts
  • templates/library/__init__.py — removed broken __all__ listing YAML files as Python symbols
  • examples/demo_iterative_generation.py:61,221 — datetime.utcnow() → datetime.now(timezone.utc)

Suppressions with justification

  • 7× test fixture api_key lines in tests/unit/llm/test_providers.py (mock keys whose prefixes the auto-detection tests intentionally validate)
  • http_server.py host="0.0.0.0" (required by Cloud Run for proxy traffic)
  • 2× API-schema dicts with "password" keys in examples/demo_iterative_generation.py (field type indicators, not credentials)

PR: #214

v0.5.30 — Config Scanner Block

13 May 01:53
96395ba

Application-layer security hardening — config / secret enumeration scanner identified via GCP forensic analysis and blocked.

What changed

  • Blocked a config / secret enumeration scanner at the application layer (ip_blocklist.py); 6 rogue IPs blocked total at this point
  • Most of the burst was already absorbed by the rate limiter as 429s prior to the block; the explicit filter eliminates server-side processing entirely

Why blocklist, not Cloud Armor

Cloud Armor pricing (~$5/mo + per-rule + per-request) is not cost-justified at solo-builder scale. The app-layer blocklist in ip_blocklist.py is free, deployed at the outermost middleware layer, and effective at this volume.
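
A sketch of an application-layer blocklist placed as the outermost middleware, added here as an example and not taken from the project's ip_blocklist.py. The ASGI shape, the 403 status, all names and the RFC 5737 sample addresses are assumptions.

```python
import asyncio
import ipaddress

# Constructed entries from the RFC 5737 documentation ranges, not real indicators.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "198.51.100.0/28")]


def is_blocked(ip_text):
    """True if the address parses and falls inside a blocked network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable peer: leave the decision to later layers
    return any(addr in net for net in BLOCKED_NETWORKS)


class BlocklistMiddleware:
    """Outermost ASGI layer: blocked clients are answered before the app runs."""
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        client = scope.get("client") or ("", 0)
        if scope["type"] == "http" and is_blocked(client[0]):
            await send({"type": "http.response.start", "status": 403, "headers": []})
            await send({"type": "http.response.body", "body": b""})
            return  # rate limiter, routing and handlers are never invoked
        await self.app(scope, receive, send)


def simulate(ip_text):
    """Drive the middleware with a fake request; return (status, inner_app_ran)."""
    seen = {"status": None, "inner": False}

    async def inner_app(scope, receive, send):
        seen["inner"] = True
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})

    async def send(message):
        if message["type"] == "http.response.start":
            seen["status"] = message["status"]

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    scope = {"type": "http", "client": (ip_text, 40000), "path": "/", "method": "GET"}
    asyncio.run(BlocklistMiddleware(inner_app)(scope, receive, send))
    return seen["status"], seen["inner"]
```

Behind a reverse proxy the socket peer is the proxy itself, so the address tested must come from a forwarding header that the trusted proxy sets, never from a header the client can supply unchecked.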

PR: #213

v0.5.29 — Growth-First Pages

13 May 01:53
e65f253

Align GCP-served pages with the strategic pivot ratified in Session 13/14 (May 11). All public pages now reflect "Growth First, Monetization Later": no current paid services, no pricing on display, all 13 tools free for everyone.

Page updates

  • /terms → v2.1 — pricing tier table removed; Payment / Refund sections rewritten as forward-looking; Section 6 (Beta) reframed; Section 8 (Acceptable Use) dropped Pioneer-specific resale clause
  • /privacy → v2.2 — Payment Processing section rewritten as forward-looking; data-collection and retention tables simplified; Polar references removed
  • /register — benefit cards now show "All 13 tools / Free forever / Beta access / Direct feedback"

Polar payment infrastructure remains in place for future services. This is a positioning change, not a technical rollback.

PR: #210

v0.5.28 — Tools Free

13 May 01:53
8a4b1ba

Option B refactor (PR1 of 3) — paywall removed from the 3 coordination tools.

What changed

  • coordination_handoff_create, coordination_handoff_read, coordination_team_status are now free for everyone
  • pioneer_key parameter is now optional and used for namespace identity only, never as a gate
  • Anonymous callers (no pioneer_key) are namespaced under anonymous; existing keyed callers unchanged

Why

Fulfills the Core Tools Always Free pledge ratified May 9, 2026 by L (CEO) + Alton + T (CTO). All 13 MCP tools are now free for everyone.

PR: #209