Developer Changelog

Internal — Developer Audience

This changelog tracks API reference changes, internal endpoint updates, and technical implementation details. For user-facing changes, see the Changelog.

2026-03-10

WebSocket Transport for API Gateway (PR 1486)

New src/apigw/ws package bridges external WebSocket connections to the internal rpc.Stream (BidiStream) transport. Branch: hub/daily-2026-03-10.

Source files added:

  • src/apigw/ws/ws.go — Router, Conn interface, gorillaConn adapter. Modules register WebSocket endpoints via ws.Router.WS (mirrors REST r.GET). JSON envelope format: { id, data, fin, error }. Client correlation ID is echoed back. fin: true signals end of stream. Auth uses existing JWT middleware.
  • src/apigw/ws/ws_test.go — Integration tests for gorilla adapter and envelope framing.
  • src/apigw/newapp/src/hooks/websocket.ts — React hook (useWebSocket) for managing WebSocket connections in the frontend. Handles reconnection, message queuing, and envelope parsing.
  • src/apigw/apigw.go — WebSocket router wired into the API gateway alongside REST and RPC routes.

Behavioral changes:

  • No changes required on the server-side BidiStream handler code. WebSocket is a new transport option alongside existing REST and gRPC endpoints.
  • Conn.Recv returns io.EOF on clean client close or server fin. Frames with no data payload are skipped transparently.

AI Extended Thinking Support (PR 1478)

New ThinkingConfig type and setupThinking function in src/ai/. Branch: hub/daily-2026-03-10.

Source files changed:

  • src/ai/thinking.go — New file. Defines ThinkingEffort (low/medium/high), ThinkingConfig (Effort + Budget), budget constants (low=4000, medium=10000, high=32000 tokens), BudgetTokens() method, setupThinking() function.
  • src/ai/agent.go — AgentConfig gains three new fields: ThinkingMode ("auto" | "thinking" | "tool" | ""), ThinkingEffort, ThinkingBudget. NewAgent calls setupThinking on initialization. "auto" uses native extended thinking if the provider supports it, else falls back to create_plan tool. "thinking" requires native support (error if unsupported). "tool" always uses the create_plan fallback.
  • src/ai/provider/anthropic/anthropic.go, googleai/googleai.go — Updated to support extended thinking via ThinkingConfig in send requests.
  • src/ai/provider/ollama/ollama.go, openai/openai.go — Capability flags updated; do not support extended thinking natively.

No manifest mappings added. Thinking configuration is an SDK-level feature; no user-facing configuration UI was added in this release.

ID Mapper: Classification + Entity Type Rule Now Requires Both to Match (PR 1480)

Bug fix in src/iam/mapper/idmapper/idmapperRules.go. Branch: hub/daily-2026-03-10.

Change: MatchEntityOrClassification() logic corrected from OR to AND. When a rule specifies both RuleEntity (account type) and RuleClassification, the account must satisfy both filters. Previously, satisfying either was sufficient.

Doc impact: Updated note in discover/config/identify/acct-mapping.md.
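The effect of the OR-to-AND correction on existing mappings, as an added example in Go (not the project's code). The Account and Rule types, the sample accounts, and the assumption that an unset filter matches everything are all hypothetical; NoLongerMatched lists accounts a rule matched under the old logic but not the new, which are the mappings worth re-reviewing after upgrade.

```go
package main

import "fmt"

// Account and Rule are hypothetical stand-ins for the mapper's types.
type Account struct{ Name, EntityType, Classification string }

// An empty field means "filter not set" (assumption for this example).
type Rule struct{ RuleEntity, RuleClassification string }

// matchBoth is the corrected behaviour: every filter that is set must match.
func matchBoth(r Rule, a Account) bool {
	if r.RuleEntity != "" && a.EntityType != r.RuleEntity {
		return false
	}
	if r.RuleClassification != "" && a.Classification != r.RuleClassification {
		return false
	}
	return true
}

// matchEither is the previous behaviour: when both filters are set,
// satisfying either one was sufficient.
func matchEither(r Rule, a Account) bool {
	if r.RuleEntity == "" || r.RuleClassification == "" {
		return matchBoth(r, a) // only the both-set case changed (assumption)
	}
	return a.EntityType == r.RuleEntity || a.Classification == r.RuleClassification
}

// NoLongerMatched returns the accounts the rule matched before the fix
// but does not match after it.
func NoLongerMatched(r Rule, accts []Account) []string {
	var out []string
	for _, a := range accts {
		if matchEither(r, a) && !matchBoth(r, a) {
			out = append(out, a.Name)
		}
	}
	return out
}

// sampleAccounts is constructed data for the demonstration.
func sampleAccounts() []Account {
	return []Account{
		{"svc-backup", "service", "Service Account"},
		{"adm-jdoe", "user", "Admin Account"},
		{"svc-deploy-admin", "service", "Admin Account"},
		{"jdoe", "user", ""},
	}
}

func main() {
	rule := Rule{RuleEntity: "service", RuleClassification: "Admin Account"}
	fmt.Println(NoLongerMatched(rule, sampleAccounts()))
}
```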

Skills API: Frontmatter Field + Name Validation (PR 1486 / Skills.tsx)

Source files changed:

  • src/ai/api/ai.proto — Skill message gains frontmatter field (field 7, string). Carries extra YAML frontmatter beyond name and description.
  • src/apigw/newapp/src/components/Assist/Skills.tsx — New frontmatter field in SkillRow.message. UI adds "Additional Frontmatter" text area. Skill name now validated client-side: lowercase, [a-z0-9-], no leading/trailing hyphens, no consecutive hyphens, max 64 chars.
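The skill-name rule above, checked on the receiving side, as an added example in Go (not the project's code; the function name and the handling of an empty name are assumptions). The entry describes the validation as client-side, and this version reports every rule a name breaks rather than a single pass/fail.

```go
package main

import (
	"fmt"
	"strings"
)

// SkillNameViolations returns each rule from the changelog entry that name
// breaks: lowercase [a-z0-9-], no leading/trailing hyphens, no consecutive
// hyphens, max 64 chars. An empty result means the name is acceptable.
func SkillNameViolations(name string) []string {
	if name == "" {
		return []string{"empty name"} // assumption: empty is rejected
	}
	var v []string
	if len(name) > 64 {
		v = append(v, "longer than 64 characters")
	}
	for _, r := range name {
		ok := (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') || r == '-'
		if !ok {
			v = append(v, "character outside [a-z0-9-]")
			break
		}
	}
	if strings.HasPrefix(name, "-") || strings.HasSuffix(name, "-") {
		v = append(v, "leading or trailing hyphen")
	}
	if strings.Contains(name, "--") {
		v = append(v, "consecutive hyphens")
	}
	return v
}

func main() {
	// Constructed sample names.
	for _, n := range []string{"report-builder", "Report_Builder", "-a--b-"} {
		fmt.Printf("%q: %v\n", n, SkillNameViolations(n))
	}
}
```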

2026-03-06

AI Skills — Resource Archive Model Replaces Tools+Embeddings (PR 1475)

Refactored skill management. The SkillSettings struct (tools + embeddings) is removed. Skills now carry a resources field (base64-encoded ZIP) and a read-only resource_files listing. Branch: hub/daisy-2026-03-06.

Source files changed:

  • src/ai/tools/skill.go — NewSkillTool replaced by three functions: BuildSkillCatalog (tier 1: adds skill names/descriptions to system prompt), NewActivateSkillTool (tier 2: loads full skill prompt on demand via activate_skill tool), NewReadSkillFileTool (tier 3: reads individual files from skill ZIP via read_skill_file tool). Skills without a Description are excluded from all tiers.
  • src/ai/modules/agent/module.go — agentStream and agentSession updated. Skill loading now collects skills with descriptions, calls BuildSkillCatalog to append to acfg.SystemPrompt, registers NewActivateSkillTool, and conditionally registers NewReadSkillFileTool if any skill has resources.
  • src/ai/api/api.go — SkillSettings struct removed. AgentSettings (tools + embeddings) remains for agents.
  • src/ai/api/skill_zip.go — New file. ZIP utilities: parseSkillMD (extracts name, description, body from SKILL.md frontmatter), normalizeZip (strips path prefix so SKILL.md is always at archive root), readFileFromZip, listZipFiles, stripFromZip.
  • src/apigw/newapp/src/components/Assist/Skills.tsx — SkillSettings interface removed. UI updated: Tools/Embeddings columns removed from skill list; skill dialog replaces Tools/Embeddings fields with a Resources section (ZIP upload); "Import Skill" button added to toolbar (imports a full skill from a ZIP); "Prompt Hint" label renamed to "Prompt".

Behavioral changes:

  • Skills must have a non-empty Description to be exposed to agents.
  • Skill invocation is now two-step: activate_skill loads prompt instructions; read_skill_file loads ZIP archive files on demand.
  • Importing a ZIP with a SKILL.md auto-populates the skill's Name, Description, and Prompt fields from the frontmatter and body.

New manifest mappings: None (updates to existing using-ai-assistant.md mapping).
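Handling an uploaded skill ZIP as untrusted input, as an added example in Go (not the project's skill_zip.go). Normalize, ReadCapped, safeRel and buildZip are hypothetical names, and the 1 MiB per-file cap is an assumption; the block strips the prefix so SKILL.md sits at the archive root, rejects entry names that would escape that root, and bounds how much a single on-demand file read can decompress.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"strings"
)

// maxFileBytes is a hypothetical per-file cap; the changelog states none.
const maxFileBytes = 1 << 20

// safeRel accepts only clean, relative, forward-slash entry names.
func safeRel(p string) bool {
	c := path.Clean(p)
	return !strings.ContainsAny(p, `\:`) && !strings.HasPrefix(p, "/") &&
		c == strings.TrimSuffix(p, "/") && c != ".." && !strings.HasPrefix(c, "../")
}

// Normalize indexes an archive so that SKILL.md sits at the root. It rejects
// unsafe entry names, strips the shortest directory prefix that holds a
// SKILL.md, and drops directories and entries outside that prefix.
func Normalize(data []byte) (map[string]*zip.File, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	prefix, found := "", false
	for _, f := range zr.File {
		if !safeRel(f.Name) {
			return nil, fmt.Errorf("unsafe entry name %q", f.Name)
		}
		if path.Base(f.Name) == "SKILL.md" && !f.FileInfo().IsDir() {
			dir := strings.TrimSuffix(f.Name, "SKILL.md")
			if !found || len(dir) < len(prefix) {
				prefix, found = dir, true
			}
		}
	}
	if !found {
		return nil, errors.New("archive has no SKILL.md")
	}
	files := make(map[string]*zip.File)
	for _, f := range zr.File {
		if f.FileInfo().IsDir() || !strings.HasPrefix(f.Name, prefix) {
			continue
		}
		files[strings.TrimPrefix(f.Name, prefix)] = f
	}
	return files, nil
}

// ReadCapped reads one indexed file and refuses anything that decompresses
// to more than maxFileBytes, whatever size the ZIP header declares.
func ReadCapped(files map[string]*zip.File, name string) ([]byte, error) {
	f, ok := files[name]
	if !ok {
		return nil, fmt.Errorf("no such file %q", name)
	}
	rc, err := f.Open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	b, err := io.ReadAll(io.LimitReader(rc, maxFileBytes+1))
	if err != nil {
		return nil, err
	}
	if len(b) > maxFileBytes {
		return nil, fmt.Errorf("%q exceeds %d bytes", name, maxFileBytes)
	}
	return b, nil
}

// buildZip makes a constructed in-memory archive for the demonstration.
func buildZip(entries [][2]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		if w, err := zw.Create(e[0]); err == nil {
			w.Write([]byte(e[1]))
		}
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	files, err := Normalize(buildZip([][2]string{
		{"my-skill/SKILL.md", "---\nname: my-skill\n---\nBody"},
		{"my-skill/refs/notes.txt", "reference text"},
	}))
	fmt.Println(len(files), err)
	_, err = Normalize(buildZip([][2]string{{"SKILL.md", "x"}, {"../outside.txt", "x"}}))
	fmt.Println(err)
}
```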

Clients and Credential Providers — New Documentation Pages

Expanded stub pages into full reference and procedure topics. Branch: hub/daisy-2026-03-06.

Source files mapped:

  • src/apigw/newapp/src/components/Clients/index.tsx → discover/config/discover/clients.md
  • src/apigw/newapp/src/components/Clients/JoinCode.tsx → discover/config/discover/clients.md
  • src/apigw/newapp/src/components/CredentialProviders/index.tsx → discover/config/discover/credential-providers.md

Content added:

  • clients.md: field reference for all client grid columns (Name, Site, Modules, Connection Targets, Advertise internal/external, Status, Version, Component, Platform, Uptime), procedures for Add/Edit/Delete/LiveLogs/Status.
  • credential-providers.md: supported provider types (collection.cred.cyberark, collection.cred.beyondtrust), field reference, Configure procedure, certificate import/generate/manage procedures.

2026-03-05

AI Skills — New Configurable Skill Type for Agent Composition (PR 1466)

New ai.skill config type added to the AI module. Skills are composable agent units that wrap tools and embeddings behind a named, callable interface. Branch: hub/daisy2-2026-03-05.

Source files triggering updates:

  • src/ai/tools/skill.go — New NewSkillTool function. Creates a skill as an ai.Tool with a single instruction parameter. Instantiates a scoped AgentConfig from the skill's PromptHint, registers tools from skill.Settings.Tools via NewRemoteTool, registers embeddings from skill.Settings.Embeddings via NewVectorTool, then runs a new agent session. Returns the session result as the tool output.
  • src/ai/api/api.go — New SkillSettings struct (Tools []AgentTool, Embeddings []string). Added Skills []string to AgentSettings. New GetSkill function using api.CallGetConfig with SkillType.
  • src/ai/api/pb.go — Added SkillType = "ai.skill" constant. Registered Skill message type in init(). Implemented config.ConfigHandler interface for Skill.
  • src/apigw/newapp/src/components/Assist/Skills.tsx — New 427-line UI component for the Skills tab. CRUD operations (add, edit, delete, duplicate). Dialog fields: name, description, prompt_hint, tools (server/action pairs), embeddings (vector collection IDs via autocomplete).
  • src/apigw/newapp/src/components/Assist/Agents.tsx — Updated Agents component to include Skills multi-select in agent settings form.
  • src/ai/api/ai.proto — Protocol buffer additions for Skill and SkillSettings message types.
  • src/registry/tagger.go — New tidyTags function and extractBucketEntities helper for orphaned tag cleanup. Runs as part of cleanupTags. Finds tag assignments referencing non-existent config entities and deletes them.
  • src/tag/tag.go — New CleanIdentifier function: sanitizes arbitrary strings for use as LLM tool names. Replaces all separators (., /, spaces) with _, collapses consecutive underscores, trims leading/trailing underscores, returns "unnamed" for empty results.

Documentation changes:

  • discover/config/ai/using-ai-assistant.md — Added "Set Up Skills" section with field table, workflow description, and duplication procedure. Updated "Set Up an Agent" table with the Skills field. Updated Related Topics.

No new manifest mappings required. src/apigw/newapp/src/components/Assist/*.tsx is already mapped to discover/config/ai/using-ai-assistant.md.


Configurable Display Name Attribute for Generic and IGA Collectors (PR 1472)

New dispAttribute field in GenericConfig. IGA collectors now support a separately tracked display name attribute alongside the existing identity attribute. Display attribute is read from the source schema (isDisplay flag) for SailPoint ISC and IIQ. Branch: hub/daisy2-2026-03-05.

Source files triggering updates:

  • src/collectors/generic/config/generic.proto — Added string dispAttribute = 217. Fixed typo in igaDelete tag (jsonschem → jsonschema).
  • src/collectors/igaData/iga.go — Added DisplayAttribute string to collectorInfo, CollectorIdentity, and DsConfig structs. GetCollectorStatus default id changed from "id" to "hydden_name", default display to "hydden_displayName". RefreshCollector and inner collector function now accept dispattr string parameter. InsertCollector call simplified (no longer passes id/display attrs — stored on the struct).
  • src/collectors/sailpoint/iiq/syncToIiq.go — GetSchemaFromExtended callbacks now return (isId, isDisp bool) instead of bool. Display attribute is propagated alongside identity attribute through schema analysis.
  • src/collectors/sailpoint/isc/syncToIsc.go — Same change as IIQ. isDisp is now tracked through the schema callback chain; displayAttribute variable is set when isDisp is true.
  • src/apigw/newapp/src/components/DataSources/EditDialog.tsx — New Display Name Attribute field in the data source edit dialog.

Documentation changes:

  • discover/config/discover/data-sources/cfg-universal-ds.md — Added "Identity and Display Name Attributes" section to IGA Integration block. Field table with defaults, edit steps, and guidance on choosing attribute values.
  • discover/config/discover/data-sources/cfg-sailpoint-ds.md — Added "Display Name Attribute" subsection under ISC Bidirectional Sync. Updated Key Capabilities bullet. No-config-required note.

No new manifest mappings required. src/collectors/generic/**/*.go → cfg-universal-ds.md, src/collectors/sailpoint/**/*.go → cfg-sailpoint-ds.md, and src/collectors/igaData/**/*.go → data-sources/overview.md are all already mapped.


Certificate Handling — Skip Tombstoned Configs and Load Logging (PR 1470)

src/apigw/api/certs.go updated to filter tombstoned certificate entries from list responses and add structured logging for file-based certificate loading. Branch: hub/daisy-2026-03-05.

Source files triggering updates:

  • src/apigw/api/certs.go — handleListCertificates: Added tombstone guard; tombstoned configs are skipped and not returned in the certificate list. CertMgr.ReloadCerts: Added Info log on start of file read ("Loading certificate from file", fields: file). Added Info log after successful load ("Loaded certificate from file", fields: file, cn, sans, default).

Documentation changes:

  • discover/config/settings/certs.md — Full rewrite with Information Mapping structure. Added concept block, step-by-step add procedure, default certificate section, and certificate list behavior note (tombstoned certs excluded).

New source-to-doc mapping added to manifest:

  • src/apigw/api/certs.go → discover/config/settings/certs.md

Attestation — Comprehensive Documentation Deep Dive

Deep-dive into src/attest/ and src/apigw/newapp/src/components/Certifications/ to document the full certification, attestation, and export feature set. Branch: hub/daisy-2026-03-05.

Source files consulted:

  • src/attest/config/contracts.go — CertificationTypes map (3 types: collector/schema/report), CertificationStatuses slice (4 statuses), Certification struct (id, context_id, title, assigned_to, status, priority, due_date, activity, content, closed, closed_at, opened_at, actions), Settings struct (context_id, type, schedule, column_state, title). Status transition logic in Update(): auto-to-in_progress when assigned user acts on pending; auto-reset-to-pending on reassignment; completion guard (only assigned user can complete).
  • src/attest/attest.go — handleCertificationList: tombstoned filter, role-based scoping (owner = all, others = assigned-only), source filter via ContextID. handleCertificationPut: tombstone guard returning errAlreadyClosed (409) for completed/abandoned certs.
  • src/attest/schedule.go — ScheduleCertification: tombstoned collector skip, schedule expression from cache, lastRun seeded from most-recent completed cert to prevent duplicate fires on restart. CancelCertifications: cancels all tasks for a context when collector is tombstoned.
  • src/attest/rest/rest.go — Full REST handler inventory: POST certification, GET certification (single + list + columns + records/stream), POST/GET/LIST/DELETE settings, GET types, GET statuses.
  • src/apigw/newapp/src/components/Certifications/CollectorReviewData.tsx — handleExportCsv: api.exportDataAsCsv({ allColumns: true }), filename Certification_{collectorName}_{entityTypeName}.csv. Compare mode: CsvDiffViewer with Source A/B selectors. Column state persistence: debounced 1s save to settings column_state[entityType]. Activity tracking: view and export entries logged on dialog close.
  • src/apigw/newapp/src/components/Certifications/ReviewDialog.tsx — Comment required before complete/abandon. Only assigned user can complete. Auto status tracking for in_progress transition.

Documentation changes:

  • discover/config/certify/overview.md — New page. Full certification & attestation user guide (concept, lifecycle, review procedure, export, compare, priority/due dates, scheduling, workflow triggers, closed cert visibility).
  • discover/api/attestation/certifications.md — Major expansion. Added types/statuses reference, full field reference table for POST certification, status transitions table, list query parameters (tombstoned, source), columns endpoint with example, records streaming endpoint with export notes, column state persistence, updated scheduled certifications with last-run seed detail.

2026-03-04

AI Vector Store — Hybrid Search (FTS + Semantic)

New full-text search (FTS5/BM25) layer added to vector store alongside existing HNSW semantic search. Collections now support configurable search parameters. Branch: hub/daisy-2026-03-04.

Source files triggering updates:

  • src/ai/modules/vector/fts.go (new) — FTS5 virtual table schema, BM25-ranked keyword search, query sanitization, content indexing. Default alpha = 0.7 (semantic weight).
  • src/ai/modules/vector/api/api.go — Added DefaultTopK, DefaultAlpha, DefaultMinScore fields to Collection struct. Added Alpha, MinScore to Query struct. New ScoredDocument type replaces raw document returns.
  • src/ai/modules/vector/collection.go — New hybridSearch() method combining HNSW and FTS results with configurable alpha weighting. Candidate multiplier = 3× top_k for both search types.
  • src/ai/modules/agent/module.go — Agent sessions now pass top_k (default 3), alpha, and min_score from collection defaults to vector queries.

Documentation changes:

  • discover/config/ai/using-ai-assistant.md — Added Default Top K, Default Alpha, Default Min Score to collection config table. Added Hybrid Search section with alpha value guide.

Attestation — Certification Status Workflow Trigger

New AttestStatus event type registered as a workflow trigger. Fires when certification campaigns change status.

Source files triggering updates:

  • src/attest/workflow/contracts.go — AttestStatus struct with fields: CertificationID, Title, Type, ContextID, Status, PreviousStatus, AssignedTo, AssignedToEmail, AssignedToName, Priority, DueDate. Event name: "Certification Status".
  • src/business/triggers/rest.go — AttestStatus added to namedEvents slice. Event list reordered alphabetically.

Documentation changes:

  • discover/config/automate/triggers.md — Added Attestation category with Certification Status trigger and 12 variables. Updated overview from 9 to 10 trigger types.
  • discover/config/automate/workflow.md — Added Certification Status to trigger dropdown. Added template variable support in email To field.

SailPoint ISC — Role Entitlement Sync

ISC collector now distinguishes between group and role entitlements using SourceSchemaObjectType. Roles get separate schema, aggregation, and entity types.

Source files triggering updates:

  • src/collectors/sailpoint/isc/impl.go — ProcessEntitlementRequest now switches on SourceType (EntityGroup vs EntityRole). New Roles field on SailPointCloudCollector. CollectAccountEntitlements classifies by SourceSchemaObjectType.
  • src/collectors/sailpoint/isc/syncToIsc.go — PushSchemaToIsc now processes group, role, and account schemas separately. AggregateOperation accepts sequence number and operation name. New CreateSchema method. Connection test added before aggregations.

Documentation changes:

  • discover/config/discover/data-sources/cfg-sailpoint-ds.md — Added Role Sync section with entity type table. Updated key capabilities and monitoring.

CyberArk — Configurable Username Field

Vaulted credential checkout now exposes platform properties as selectable username fields.

Source files triggering updates:

  • src/collectors/cyberark/validate.go — usernameFields extracted from PlatformAccountProperties and passed via cap.Options["username_fields"].
  • src/collectors/cyberark/vaultapi.go — fetchAccounts includes usernameFields in account fields. fetchCredentialProviderSecret now unmarshals all response fields.
  • src/vault/safe/creds.go — New SetUsername method on SafeAccount.

Documentation changes:

  • discover/config/settings/credentials/vaulted-credential.md — Added username field selection step and CyberArk Username Field Selection section.

Email Template — To Field Variable Rendering

Email workflow To field now supports template variable rendering (e.g., {AssignedToEmail}). Empty recipients after rendering are skipped.

Source files triggering updates:

  • src/actions/smtp/module.go — Each to entry is now rendered through tmpl.Render(). Empty results after trimming are skipped with a warning log.

Documentation changes:

  • discover/config/automate/workflow.md — Added template variable example to To field documentation.

2026-03-03

Identify Module — Documentation Refresh from Source Code Analysis

Deep-dive into Discovery source code (src/iam/, src/collectors/, src/dashboard/) identified significant documentation gaps. All 8 Identify module pages updated to match source-verified data.

Source files consulted:

  • src/collectors/models/CollectorModels.proto — IdentityEntity protobuf: ownerType enum (0–4: Human, Service, Resource, Vault, Other), status enum (0–7: Active through Deceased), identity fields (name, email, alternativeEmail[], alternativeName[], title, dept, manager, etc.).
  • src/collectors/collector/reportEngine/score.go (v108) — Classification rule query operators (contains, equals, endswith, startswith), query fields (Path, Name, Type, Display Name, UPN, Email, Title, Department, IsPrivileged, Custom1–10, Employee ID, Group Name), default classifications (Service Account, Admin Account, Custom Account, Suspicious Account, Known Bad Account, CVE-2023-42793, CVE-2024-37085), rule flags (isAlert, isRepeatable).
  • src/collectors/collector/reportEngine/score.go (v155) — All 27 default threat rules with scores, categories, propagationType, showInReports, showInImpact, disabled, isDetectionOnly, isHistorical, isAlert, isRepeatable, framework, function, recommendation, platformfilter, datasourcefilter. Z-Score default score = 5 (not 8 as previously documented). Aggregation method options: Totals Average (default), Maximum, Weighted Average.
  • src/collectors/models/config.go — CreateOption values (always=1, ifmapped=2, iga=3), initFromAccount flag, match properties (displayname, email, upn, custom, iga).
  • Individual collector files — Azure, AD/LDAP, Okta field mappings for identity auto-population (displayName, mail, jobTitle, department, manager, usageLocation, etc.).

Documentation changes:

  • discover/config/identify/threat-detection/overview.md — Removed 155 lines of generic threat detection theory (lines 29–183). Added: Threat Score Architecture (8 categories × 10 = 100 max), Threat Score Ranges (Low 0–24.99, Moderate 25–74.99, Critical 75+), Detection-Only vs Scored Rules, Aggregation Methods, Supported Compliance Frameworks (NIST CSF V2.0, CIS, CRITIER4V2), Rule Properties Reference (14 properties).
  • discover/config/identify/threat-detection/default-rules.md — Expanded from 11 to 27 rules across 7 categories. Added columns: Default State, Detection Only, Framework. Fixed Z-Score score: 8→5. Removed 34 lines of stale commented-out data. Added aggregation method note.
  • discover/config/identify/threat-detection/tr-acct-z-score.md — Expanded from 35 to 86 lines. Added Z-Score formula, 5-row default parameters table, worked example (Z=4.0), interpretation ranges table, customization guidance, NIST CSF V2.0 / PR.AA-05 reference, report column descriptions.
  • discover/config/identify/threat-detection/how-to-create-threat-rule.md — Added 11-row configuration options table, detection-only concept, propagation type (max/sum), score guidance (4-tier severity), expanded procedure steps 6/9/10.
  • discover/config/identify/id-mapping.md — Added 5-row owner types table (values 0–4), 8-row identity status table (values 0–7), expanded status dropdown step 6, added Run Mapper/Delete Unmapped/Block Remapping concept blocks.
  • discover/config/identify/owner-creation.md — Added 3-row create option modes table (Always/If Mapped/IGA), 9-row data population by source table (Azure AD/AD-LDAP/Okta), initFromAccount note, rule priority strategy.
  • discover/config/identify/acct-mapping.md — Added 5-row match properties table (added Custom, IGA), 4-row operators table (added Equals), rule ordering strategy, match vs create interaction, second RegEx example.
  • discover/config/identify/acct-class.md — Added Suspicious Account to default classifications, fixed CVE-2024-42793→CVE-2023-42793, added Equals operator, 13-row query fields table, 3-row rule flags table, CVE classification concept.

2026-02-27

AI Agent — Type Field and Completion Mode

New type field on the Agent protobuf entity. Agents can now be configured as agentic (default, chat + tools) or completion (code autocomplete). Branch: hub/daisy-2026-02-27.

Source files triggering updates:

  • src/ai/api/ai.proto — Added type field (field 7) to Agent message. Values: empty or "agentic" (default), "completion".
  • src/ai/api/ai.pb.go, src/ai/api/ai_vtproto.pb.go — Generated code for new field.
  • src/apigw/newapp/src/components/Assist/Agents.tsx — Agent dialog adds "Agent Type" dropdown (Agentic / Completion). Agents table shows Completion chip.

Documentation changes:

  • discover/config/ai/using-ai-assistant.md — Added Agent Type field to agent configuration table.

AI Providers — Base URL, Token Cost Fields, Model Endpoint Display

Provider configuration dialog expanded with Base URL (OpenAI only), input/output cost per 1M tokens, and model endpoint chip. Branch: hub/daisy-2026-02-27.

Source files triggering updates:

  • src/apigw/newapp/src/components/Assist/Providers.tsx — Added endpoint property to Model interface. Added Base URL text field (shown for OpenAI provider only). Added input_cost_per_1m and output_cost_per_1m number fields. Model dropdown shows endpoint chip for non-chat models. Fixed model selection to preserve existing options when changing model.

Documentation changes:

  • discover/config/ai/using-ai-assistant.md — Added Base URL, Input cost, Output cost fields to provider configuration table.

AI Sessions — Cost Tracking

Sessions table and detail view now display per-session cost. Branch: hub/daisy-2026-02-27.

Source files triggering updates:

  • src/apigw/newapp/src/components/Assist/Sessions.tsx — Added formatCost() utility. New "Cost" column in sessions table. Cost field in session detail dialog (read-only).

Documentation changes:

  • discover/config/ai/using-ai-assistant.md — Updated session viewing section with cost information.

AI Architecture — Skills, Sub-agents, Planning Mode, Context Window Management

Major expansion of src/ai/DESIGN.md documenting the forward direction for modern agentic orchestration. Branch: hub/daisy-2026-02-27.

Source files triggering updates:

  • src/ai/DESIGN.md — Rewritten section 5 "Direction: Modern Agentic Orchestration". New subsections: Skills (5.2), Sub-agents (5.3), Orchestration Patterns (5.4), Planning Mode (5.5), Context Window Management (5.6), IAM-Specific Applications (5.7), Streaming (5.8), Proactive Assistance (5.9). New section 6 "Phased Implementation Plan" with 6 phases.
  • src/ai/provider.go — Added Capabilities() ProviderCapabilities interface method stub.
  • src/ai/provider/anthropic/anthropic.go, googleai/googleai.go, ollama/ollama.go, openai/openai.go — Each provider now implements Capabilities() method.
  • src/ai/api/api.go — Updated provider API layer.
  • src/ai/modules/agent/module.go, history.go — Agent module changes for planning mode support.

Documentation changes:

  • discover/config/ai/dev-overview.md — Added "Forward Direction: Modern Agentic Orchestration" section with Skills, Sub-agents, Planning Mode, Context Window Management, orchestration patterns, and phased implementation plan.

Search Library — Category Sort Order Change

Query category display order updated: Passwords/Secrets/Certificates now sorts at position 4, Resources/Entitlements at 7, Classification/Certification at 8. Branch: hub/daisy-2026-02-27.

Source files triggering updates:

  • src/collectors/models/config.go — ReportsVersion bumped 823→824. Category Order values changed: "Classification & Certification" queries from 4 to 8, "Passwords, Secrets & Certificates" queries from 7 to 4, "Resources & Entitlements" queries from 8 to 7.

Documentation changes:

  • discover/search/search-library/overview.md — Reordered category sections to match new display order.

Active Directory Collector — Group UniqueIdHash and Edge Type Changes

AD collector now generates group UniqueIdHash with /v1/ path separator and evaluates entity type before computing hash. Requires AD collectors to rerun. Branch: hub/daisy-2026-02-27.

Source files triggering updates:

  • src/collectors/ActiveDirectory/ActiveDirectory.go — Moved UniqueIdHash generation after entity type detection loop. Groups use hydn://<platformId>/v1/<guidString> instead of hydn://<platformId>//<guidString>. Edge type switch changed from og.EntityType to o.EntityType; foreignsecurityprincipal now checked before group.

Documentation changes:

  • None (internal behavioral change; recollection required).

Report Engine — ExpandGroupsAndRoles Refactoring

ExpandGroups renamed to ExpandGroupsAndRoles with new SQL-based implementation mode and comparison mode for validation. Branch: hub/daisy-2026-02-27.

Source files triggering updates:

  • src/collectors/collector/reportEngine/reportExpander.go — New expandGroupsAndRolesSQL() using recursive CTE for group closure computation. New expandGroupsAndRolesBoth() comparison mode. Three modes: legacy (default), sql, both/compare.
  • src/collectors/collector/reportEngine/reportEngine.go — filterModelToSQL and all downstream filter functions now accept viewTime int64 parameter. Date filter functions use normalized viewTime instead of time.Now().

Documentation changes:

  • None (internal optimization).

2026-02-23

Safes Page — Manager Assignment API

New /api/v1/global/setmanager/:id endpoint for assigning managers to PAM safe entities. Branch: hub/daisy-2026-02-23.

Source files triggering updates:

  • src/dashboard/rest/rest.go — New handleSetManager REST handler accepting id (string or array) and managerId parameters.
  • src/apigw/newapp/src/components/Safes/index.tsx — New Safes page component (830 lines) with SSRM grid, bulk selection, timeline integration, and SetManagerDialog.
  • src/apigw/newapp/src/pages/Identify/Safes.tsx — Page wrapper for Safes component.

Documentation changes:

  • discover/config/identify/safes.md — Updated with timeline integration, grid controls table, enhanced procedure steps.

Azure Collector — Optimized Sign-In Activity Collection

Refactored Azure collector to fetch signInActivity in a separate API call, improving performance for large tenants. Branch: hub/daisy-2026-02-23.

Source files triggering updates:

  • src/collectors/Azure/AzureCollectorGraph.go — Removed signInActivity from initial user list call; added second pass fetching id,signInActivity only; correlates via usersMap.
  • src/collectors/Azure/AzureCollectorGraph.go — Service principal KeyCredentials and PasswordCredentials now inherited from parent application via appListByAppId lookup.

Documentation changes:

  • discover/config/discover/data-sources/cfg-az-ds.md — Added Sign-In Activity Collection section, enhanced App Registration Credential Collection with service principal linkage.

Windows Collector — Foreign Security Principal Edge Type

Enhanced Windows local group member processing to distinguish cross-domain memberships. Branch: hub/daisy-2026-02-23.

Source files triggering updates:

  • src/collectors/Windows/WindowsCollector.go — New fspBySID map for deduplication; SID prefix check (S-1-5-21- not matching computerSid); edge.foreignmember edge type for cross-domain relationships; principal.alias.foreignsecurityprincipal.windows entity creation.

Documentation changes:

  • discover/config/discover/data-sources/cfg-win-host-ds.md — Expanded Foreign Security Principals section with edge type and search guidance.

Global Search — Saved Search Scheduling and Delete

Added schedule assignment to saved searches and delete capability for custom searches. Branch: hub/daisy-2026-02-23.

Source files triggering updates:

  • src/apigw/newapp/src/components/GlobalSearch/index.tsx — New deleteCurrentSavedSearch mutation; useListConfig for schedule.cron; scheduleId/schedule fields in save/update flow; scheduleNameMap and scheduleIdByNameMap for ID resolution.
  • src/apigw/newapp/src/components/Triggers/ScheduledReport.tsx — New component (344 lines) for scheduled report trigger configuration.

Documentation changes:

  • discover/search/global-search/overview.md — Added Schedule row to saved searches table.
  • discover/config/automate/triggers.md — Added Configuration steps for Scheduled Report triggers.

2026-02-17

Dayforce Non-Employee Accounts Report

New feature enabling collection of non-employee accounts from custom Dayforce reports. Branch: hub/daisy-2026-02-13.

Source files triggering updates:

  • src/collectors/dayforce/dayforce.go — New collectNonEmployeeReport method, custom config JSON parsing for Report XRefCode, Username Property, Rolename Property, Start Date Property.
  • src/collectors/dayforce/dayforceModels.go — New NonEmployeeReportConfig struct, report response models.
  • src/apigw/newapp/src/components/DataSources/DayforceConfig.tsx — New UI fields for non-employee report configuration.

Documentation changes:

  • discover/config/discover/data-sources/cfg-dayforce-ds.md — Added "Non-Employee Accounts Report" section with configuration table, Mermaid workflow diagram, and step-by-step explanation.

Role Membership Tabs & Saved Searches

New Role Membership tabs added to Account Details and Owner Details pages, backed by new saved search query IDs. Branch: hub/daisy-2026-02-13.

Source files triggering updates:

  • src/collectors/collector/reportEngine/reportEngine.go — New report queries: AccountRoleMembership (6jZNu3bAmCBJ5rZtN6V1FDQN6ms) and OwnerRoleMembership (XxQ9DzWCqtCIUNduJ8AmOsf6oVR).
  • src/collectors/collector/reportEngine/reports.go — New saved search definitions: 1gbrYrq61lu5dymofZGYu8ACOTT (Account Role Membership) and GcN0B8yAZVqXi3SvOjLVeL581I8 (Owner Role Membership).
  • src/apigw/newapp/src/components/GlobalSearch/EntityDetails/AccountRoleMembership.tsx — New Role Membership tab component for account details.
  • src/apigw/newapp/src/components/GlobalSearch/EntityDetails/OwnerRoleMembership.tsx — New Role Membership tab component for owner details.

Documentation changes:

  • discover/search/global-search/entity-details/account-entity-details.md — Added Role Membership tab section.
  • discover/search/global-search/entity-details/owner-entity-details.md — Added Role Membership tab section.
  • discover/api/search/global-search.md — Added both saved search IDs to catalog.
  • discover/api/search/query-data-reference.md — Added field reference tables for both role membership queries.

New source-to-doc mappings added to manifest:

  • src/collectors/collector/reportEngine/reports.go → discover/api/search/global-search.md

SailPoint ISC Sync Enhancements

Improved duplicate application handling and attribute schema mapping for SailPoint ISC bidirectional sync. Branch: hub/daisy-2026-02-13.

Source files triggering updates:

  • src/collectors/sailpoint/isc/iscSync.go — Duplicate Hydden application detection logic, description attribute mapping in schema upload.
  • src/collectors/sailpoint/isc/iscModels.go — Updated schema attribute models with description field.

Documentation changes:

  • discover/config/discover/data-sources/cfg-sailpoint-ds.md — Added Duplicate Application Handling and Attribute Schema Mapping to Key Capabilities. Added troubleshooting entries.

2026-02-13

Configuration Reference — Full Rewrite

Rewrote all three pages in discover/config/cfg-reference/ with Information Mapping structure (concept + reference blocks). Added platform IDs derived from PlatformMap in source code. Branch: hub/daisy-2026-02-13.

Source files consulted:

  • src/collectors/models/CollectorModels.go — Data type constants (DataTypeAzureUser, DataTypeLinuxUser, etc.), entity type registrations.
  • src/collectors/models/CollectorModels.proto — PrincipalEntity, UserEntity, GroupEntity protobuf definitions: account attributes, MFA status enum (0-4), group fields.
  • src/collectors/models/config.go — PlatformMap with all 32 platform ID→name mappings (ad→Active Directory, azure→Azure, etc.).
  • src/collectors/common/CollectorCommon.go — CollectorType field additions.
  • src/dashboard/module.go — Dashboard module registration: "Provides access to metadata for the Hydden Dashboard", new SetManager/ClearManager handlers, cache purge task.
  • src/dashboard/rest/rest.go — Dashboard REST handlers: Account/Identity/Group/Threat/Audit dashboards, report execution, SSRM query, approval workflows.
  • src/collectors/collector/reportEngine/reportEngine.go — Report engine expansion (692+ lines): query rule definitions, entity alias mapping, batch processing.
  • Individual collector registration files for GitHub (collector.github), CyberArk (collector.cyberark), and others — entity type declarations per collector.

Source code changes since last pipeline commit (db9bfdba..2719ba31):

  • src/dashboard/module.go — New module: SetManager/ClearManager API handlers, dashboard cache purging.
  • src/dashboard/rest/rest.go — Expanded REST handlers with report and approval endpoints.
  • src/collectors/collector/reportEngine/reportEngine.go — Major expansion: query rules, entity aliasing, batch processing.
  • src/actions/approvals/approvals.go — Refactored approval normalization.
  • src/collectors/models/CollectorModels.proto — Removed deprecated field.
  • src/collectors/models/config.go — Updated platform mappings.

Documentation changes:

  • discover/config/cfg-reference/overview.md — Added concept block, restructured as reference table.
  • discover/config/cfg-reference/modules.md — Replaced flat table with 6 categorized collector tables (with platform IDs and collection methods) plus platform module table. Added StrongDM and Tableau collectors. Updated all platform module descriptions from source.
  • discover/config/cfg-reference/collected-data.md — Replaced single table with 5 categorized tables. Resolved "Coming Soon" and "?" entries against source code. Added column definitions section. Added StrongDM, Tableau, Dayforce rows.
  • German translations updated for all three pages (de/discover/config/cfg-reference/).

Data Source Presets — CSV Import Documentation

Rewrote discover/config/settings/ds-presets.md with Information Mapping structure (concept + procedure blocks). Added CSV format reference derived from source code analysis of src/collectors/collector/api/handler.go and src/apigw/newapp/src/components/DataSourcePresets/index.tsx. Branch: hub/daisy-2026-02-13.

Source files consulted:

  • src/collectors/collector/api/handler.go — CSV parsing logic: accepted header names (Name/name, Hostname/hostname/Target/target/Address/address), fallback behavior when one field is missing, UTF-8 BOM stripping, custom argument handling.
  • src/collectors/collector/rest/api.go — Import endpoint POST /internal/v1/collection/import/{type} and ImportTargets protobuf message (collectionId, type, targets, config, duplicateName, duplicateHostname).
  • src/apigw/newapp/src/components/DataSourcePresets/index.tsx — ImportDialog component: CSV format label, duplicate checkboxes, sudo options, import result counts.

Documentation changes:

  • discover/config/settings/ds-presets.md — Added "What it is" / "Why it matters" concept block, Mermaid workflow diagram, CSV format reference table with accepted header names, three CSV examples (Linux with sudoshell, hostname-only minimal, Windows with port/environment), UTF-8 BOM tip, validation warning, restructured procedures with purpose statements and result blocks.
  • de/discover/config/settings/ds-presets.md — Full German translation updated to match new English structure.
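The CSV header handling summarized in this entry, as an added Go example (not the code in handler.go). The header names come from the changelog; the Target type, the fallback of reusing whichever of name/hostname is present, and the sample rows are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/csv"
	"fmt"
	"strings"
)

type Target struct{ Name, Hostname string }

// headerRole maps the header names listed in the changelog to a field.
var headerRole = map[string]string{
	"Name": "name", "name": "name", "Hostname": "host", "hostname": "host",
	"Target": "host", "target": "host", "Address": "host", "address": "host",
}

// sample is constructed input: BOM-prefixed, and the second row has no name.
const sample = "\xEF\xBB\xBFName,Address,port\nweb01,web01.example.test,22\n,db01.example.test,5432\n"

func parseTargets(raw []byte) ([]Target, error) {
	// Without this, the first header is "\ufeffName" and matches nothing.
	raw = bytes.TrimPrefix(raw, []byte{0xEF, 0xBB, 0xBF})
	rows, err := csv.NewReader(bytes.NewReader(raw)).ReadAll()
	if err != nil {
		return nil, err
	}
	var out []Target
	for n := 1; n < len(rows); n++ {
		f := map[string]string{} // role -> value (last column wins); unknown headers land under ""
		for i, h := range rows[0] {
			f[headerRole[h]] = strings.TrimSpace(rows[n][i])
		}
		t := Target{f["name"], f["host"]}
		if t.Name == "" { // assumed fallback: reuse whichever field is present
			t.Name = t.Hostname
		}
		if t.Hostname == "" {
			t.Hostname = t.Name
		}
		if t.Name == "" {
			return nil, fmt.Errorf("row %d: neither name nor hostname", n+1)
		}
		out = append(out, t)
	}
	return out, nil
}

func main() { fmt.Println(parseTargets([]byte(sample))) }
```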

Integration Documentation — End-User Conceptual Overhaul

Rewrote the CyberArk and BeyondTrust integration overview pages with Information Mapping structure (concept blocks). Branch: hub/daisy-2026-02-13.

Source files triggering updates:

  • No source code changes; documentation-only improvements driven by content quality review of discover/integrations/ section.

Documentation changes:

  • discover/integrations/overview.md — Replaced marketing-style prose with structured "What Integrations Are" concept block, added category introductions, fixed incorrect Okta link (pointed to AWS config), removed "Kubernetes Pods" duplicate section, added missing config links for HIBP/Keeper/Salesforce/Active Directory/Linux/Windows.
  • discover/integrations/cyberark/overview.md — Full rewrite: added "What It Is", "Why It Matters", "How It Works" concept blocks with Mermaid diagram, capabilities reference table, "What You Can Do" end-user guidance, and restructured setup steps.
  • discover/integrations/beyond-trust/overview.md — Full rewrite: added concept blocks paralleling CyberArk structure, Mermaid diagram, capabilities table, end-user guidance.
  • discover/integrations/beyond-trust/cfg-beyond-trust-ds.md — Fixed broken anchor IDs (#adding-the-cyberark-module-to-a-client → #adding-the-beyondtrust-module-to-a-client, #configure-your-hydden-cyberark-data-source → #configure-your-hydden-beyondtrust-data-source).
  • discover/integrations/cyberark/use-integration/ca-vaulting.md — Fixed broken link: /de/discover/search/search-library/#vault-integration → /discover/use/search/search-library#vault-integration.
  • All modified English files tagged with localization_status: translated.
  • German translations updated for 3 overview pages (de/discover/integrations/overview.md, de/discover/integrations/cyberark/overview.md, de/discover/integrations/beyond-trust/overview.md).

2026-02-12

API Reference — Comprehensive Expansion

Expanded the Discovery API reference from Control-facing endpoints to a comprehensive reference covering all Discovery REST endpoints. Branch: dg-release-api-ref-agent.

New API reference pages:

  • Identity Mapper — 5 endpoints

    • GET /internal/v1/idmapper/status — mapper run status
    • POST /internal/v1/idmapper/rule/test — regex pattern testing
    • POST /internal/v1/idmapper/rule/preview — rule preview with sample results
    • POST /internal/v1/idmapper/run — trigger mapper execution
    • POST /internal/v1/idmapper/prune — prune orphaned identity mappings
  • Entity Management — 6 endpoints

    • POST /internal/v1/entman/store — create entity index store
    • POST /internal/v1/entman/store/query — query entity index
    • POST /internal/v1/entman/edge/add and edge/del — edge CRUD
    • POST /internal/v1/entman/entity/add and entity/del — entity CRUD
  • Registry Configuration — 18 endpoints

    • 3 scopes: config (system), usrcfg (user), modcfg (module)
    • 5 operations per scope: create, list, get by ID, soft-delete, hard-delete (erase)
    • GET /internal/v1/registry/collector/attributes — collector attribute metadata
    • GET /internal/v1/registry/scheduler/:module/jobs — scheduler job listing
    • GET /internal/v1/registry/scheduler/:module/job/:id — individual job status
  • Backup & Restore — 6 endpoints

    • Registry and datastore backup creation with encryption
    • Multipart form upload restore with passphrase decryption
    • Binary ZIP download by node/backup ID (KSUID format)
  • Diagnostics — 1 REST endpoint + gRPC reference

    • POST /internal/v1/pprof — Go pprof profiling (cpu, allocs, heap, goroutine, block, mutex, threadcreate)
    • Grid runtime stats documented for reference (gRPC-only, no REST surface)

Expanded existing pages:

  • Datastore API — expanded from 2 to 9 endpoints

    • Added: collection info, shard info, entity fetch (streaming), entity GET/PUT/DELETE, edge PUT, module config GET/POST
    • Full protobuf-derived response structures: CollectionInfo, ReplicationInfo, TargetEntity, ModuleConfig
  • Licensing API — expanded from 3 to 12 endpoints

    • Added: POST/PATCH license, store token, OTP (with/without tenant), GET/DELETE record, GET server, POST/PATCH registration, GET request
    • Full license lifecycle coverage

Infrastructure:

  • Added 15 new source-to-doc mappings in manifest.json
  • Updated VitePress sidebar config with 5 new navigation entries
  • All pages tagged with draft: true, audience: developer, localization_status: translated

2026-02-11

Documentation pipeline baseline established (commit 94aa9acf). Key product updates in this release:

Attestation & Certification

  • Added CSV diff viewer for certification reviews
  • Enhanced certification review workflow with improved UI components
  • New attestation hooks and settings for better control

Data Collection

  • SailPoint ISC Sync: Added bidirectional sync capabilities for SailPoint Identity Security Cloud
  • Generic Collector Enhancements: New Expect/sandboxed Python session handling for custom scripting
  • Updated Active Directory, LDAP, and Linux collectors
  • Expanded IGA data models for external IGA system integration

Actions & Automation

  • Updated approvals workflow
  • Enhanced ServiceNow integration
  • Improved webhook and email action modules
  • Refined add-to-vault automation

User Interface

  • New grid user management hooks
  • Updated data source configuration editors
  • Enhanced schema editor for custom collectors
  • Improved identity query components

Infrastructure

  • Registry and collector management updates
  • Datastore and scheduler refinements
  • Service bus messaging improvements
