
v3.7.0 — "Zero-Trust-on-Premises closed at 12/12"

Release date: 2026-05-12
Previous release: v3.6.0 (2026-05-05, 7 days)
Container registry: ghcr.io/nollagluiz/web-agent-*:v3.7.0

Headline

Zero-Trust-on-Premises (ZTP-prem) reaches 12/12 layers operational. The twelve composed defence layers that protect TLSStress.Art against an insider operator with kubectl and root credentials are now either shipping in code, or shipping as scaffold with a published Wave-B implementation roadmap. This release closes the architectural milestone that makes the product enterprise-ready in posture, not just in marketing copy.

What "closed at 12/12" means precisely

| # | Layer | Status in v3.7.0 | Reference |
|---|-------|------------------|-----------|
| 1 | Cloud HSM custody | Runtime gate shipping (Wave 9+) + Patent #18 cross-lang signing tool (Wave 7) | dashboard/src/lib/license/hsm-heartbeat.ts, pkg/ztp-prem-signctl/ |
| 2 | Confidential Computing detection | Shipping (per-node DaemonSet + admin card) | pkg/ztp-prem-detect/, dashboard/src/components/CCStatusCard.tsx |
| 3 | TPM measured boot | Probe scaffold shipping; real PCR signing scheduled (Wave 11-B) | pkg/ztp-prem-tpm/, platform/ztp-prem/TPM-MEASURED-BOOT.md |
| 4 | Sealed audit hash-chain | Shipping (chain + replay verifier + admin card) | dashboard/src/lib/license/sealed-audit.ts |
| 5 | K8s admission webhook | Audit + enforce + break-glass + chain cross-correlation shipping | pkg/ztp-prem-admission/, k8s/ztp-prem/admission-webhook.yaml |
| 6 | Anti-debug runtime | Distroless + readonly-rootfs + dropped caps posture across all Tier B containers | every Tier B Dockerfile |
| 7 | Tier A/B partition | Policy YAML + CI lint shipping | platform/ztp-prem/tier-policy.yaml, scripts/ztp-tier-lint.sh |
| 8 | UTXO token vault | Shipping (notes-not-balance; auto-issue dev mode) | dashboard/src/lib/license/utxo.ts |
| 9 | Tier B binary obfuscation | CI gate shipping (garble matrix across 6 Go modules) | scripts/ztp-prem-obfuscate-tier-b.sh, .github/workflows/ztp-prem-tier-b-obfuscation.yml |
| 10 | DLP egress monitor | Shipping (5 rules, host skiplist, redaction) | dashboard/src/lib/dlp/ |
| 11 | Behavioural anomaly | Rule-based 4-detector shipping (ML overlay scheduled Wave 13-B) | dashboard/src/lib/ztp-prem/anomaly-detector.ts |
| 12 | Separation of duties | CODEOWNERS + nightly SoD audit + policy memo | .github/CODEOWNERS, platform/ztp-prem/SEPARATION-OF-DUTIES.md |

Two layers (3 and 11) carry a "scheduled" follow-up — that is an honest roadmap, not a gap. The scheduled work is named, scoped, and pointed at specific upcoming releases. The cells that ship today are running in the operator dashboard at /admin/ztp-prem.

Two differentiators that did not exist in the market before this release

  • Patent #18 — cross-language signing contract. Go (pkg/ztp-prem-signctl/) and Node (dashboard/src/lib/license/envelope.ts) produce byte-identical canonical envelope signatures, including post-quantum primitives (ML-KEM-768 + ML-DSA-65). Both reference implementations were verified to produce a 295-byte signature with the same SHA-256. This is the cross-platform signing primitive that Vault Enterprise / Snowflake / Cisco Smart Licensing do not have on their public roadmaps.

  • Admission ↔ sealed audit cross-correlation. K8s admission decisions (Wave 8/9) are lifted from the webhook's local ring buffer into the sealed audit hash-chain (Wave 1) on operator command (Wave 10) or via cron. Pod restarts no longer erase forensic evidence; tampering attempts break the chain and are detectable on cloud-side replay verification. Reference: dashboard/src/lib/ztp-prem/admission-correlate.ts.
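The property that makes a cross-language signing contract work is that both sides serialize the envelope to the same bytes before hashing or signing, so a Go struct encoder and a JS object literal with different field order must still agree. The following is an added example written for this page, not the project's envelope.ts or signctl code: the envelope field names are constructed, the canonical form is a simplified sorted-key JSON (it does not implement every RFC 8785 number rule), and Ed25519 from Node's crypto module stands in for ML-DSA-65 because the point demonstrated is canonicalization, not the signature algorithm. Ed25519 is deterministic, so identical canonical bytes yield identical signature bytes.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// JSON value type handled by the canonicalizer below.
type Json = null | boolean | number | string | Json[] | { [key: string]: Json };

// Canonical serialization: keys sorted by code unit order, no whitespace,
// arrays kept in order. Any two implementations that agree on this rule sign
// the same bytes. Simplified form: RFC 8785 number edge cases are not handled.
function canonicalize(value: Json): string {
  if (value === null || typeof value !== "object") {
    return JSON.stringify(value);
  }
  if (Array.isArray(value)) {
    return "[" + value.map(canonicalize).join(",") + "]";
  }
  const entries = Object.entries(value).sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0));
  return "{" + entries.map(([k, v]) => JSON.stringify(k) + ":" + canonicalize(v)).join(",") + "}";
}

// SHA-256 of the canonical bytes: the value both implementations must print identically.
function envelopeDigest(envelope: Json): string {
  return createHash("sha256").update(canonicalize(envelope), "utf8").digest("hex");
}

// Ed25519 stand-in for the page's ML-DSA-65 (assumption: the algorithm is not the point here).
function signEnvelope(envelope: Json, privateKey: KeyObject): Buffer {
  return sign(null, Buffer.from(canonicalize(envelope), "utf8"), privateKey);
}

function verifyEnvelope(envelope: Json, signature: Buffer, publicKey: KeyObject): boolean {
  return verify(null, Buffer.from(canonicalize(envelope), "utf8"), publicKey, signature);
}

// Constructed sample envelopes with illustrative field names (not the product's schema).
// Same content, different key order: roughly what a Go encoder and a JS literal would emit.
const ENVELOPE_GO_ORDER: Record<string, Json> = {
  deployment_id: "deploy-example-0001",
  expires_at: "2027-05-12T00:00:00Z",
  features: ["ztp-prem", "dlp-egress", "admission-enforce"],
  issued_at: "2026-05-12T00:00:00Z",
  tier: "enterprise",
};
const ENVELOPE_NODE_ORDER: Record<string, Json> = {
  tier: "enterprise",
  features: ["ztp-prem", "dlp-egress", "admission-enforce"],
  issued_at: "2026-05-12T00:00:00Z",
  deployment_id: "deploy-example-0001",
  expires_at: "2027-05-12T00:00:00Z",
};

// Nested constructed sample used to check array order is preserved while keys are sorted.
const NESTED_SAMPLE: Json = { b: [1, { d: null, c: "x" }], a: true };

// Demo keypair; in the product the private key would live in the HSM (layer 1).
const { publicKey, privateKey } = generateKeyPairSync("ed25519");

// Both orderings must hash the same, sign to the same bytes, and verify; a one-field
// change to the envelope must fail verification.
function crossOrderCheck(): { sameDigest: boolean; sameSignature: boolean; verifies: boolean; tamperedVerifies: boolean } {
  const sigGo = signEnvelope(ENVELOPE_GO_ORDER, privateKey);
  const sigNode = signEnvelope(ENVELOPE_NODE_ORDER, privateKey);
  const tampered: Record<string, Json> = { ...ENVELOPE_NODE_ORDER, tier: "enterprise-plus" };
  return {
    sameDigest: envelopeDigest(ENVELOPE_GO_ORDER) === envelopeDigest(ENVELOPE_NODE_ORDER),
    sameSignature: sigGo.equals(sigNode),
    verifies: verifyEnvelope(ENVELOPE_GO_ORDER, sigNode, publicKey),
    tamperedVerifies: verifyEnvelope(tampered, sigGo, publicKey),
  };
}

console.log(crossOrderCheck());
```

The cross-check is the test a CI gate for such a contract should run: encode the same fixture on each side, compare the SHA-256 of the canonical bytes first (a cheap diff that localizes serializer drift), and only then compare signatures.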

Operator-visible surface

/admin/ztp-prem ships seven cards in v3.7.0:

  1. Confidential Computing status (per-node attestation readiness)
  2. Tier A/B policy (live consistency check vs source-of-truth YAML)
  3. License envelope summary (current envelope + features + expiry)
  4. License envelope import (signed envelope upload)
  5. Sealed audit log replay verifier (chain integrity check + browse)
  6. DLP egress monitor (top hosts + recent events + pattern hits)
  7. Admission audit (mode banner + 6 tile row + DENIED / BREAK-GLASS badges + "Correlate to sealed audit" button)

Three admin endpoints already back the cards, and three new ones land in v3.7.0: /admission-audit · /admission-correlate · /hsm-heartbeat · /anomalies.
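The admission-to-sealed-audit correlation described above relies on two properties of a hash chain: each entry's hash covers the previous hash, so editing, deleting or reordering an earlier entry breaks every later link, and the replay verifier can find the first broken link. An insider with root can rewrite and re-seal the whole chain locally, which is why the page puts detection on cloud-side replay: only a head hash anchored off-host exposes that case. The following is an added example written for this page, not the project's sealed-audit.ts or admission-correlate.ts: the decision record fields, function names and sample decisions are all constructed.

```typescript
import { createHash } from "node:crypto";

// Constructed admission decision record (illustrative fields, not the webhook's real schema).
interface AdmissionDecision {
  ts: string;
  namespace: string;
  kind: string;
  name: string;
  verdict: "ALLOW" | "DENY" | "BREAK-GLASS";
  reason: string;
}

// One sealed entry. The hash covers seq, the previous hash and the payload.
interface SealedEntry {
  seq: number;
  prevHash: string;
  payload: string;
  hash: string;
}

const GENESIS_HASH = "0".repeat(64);

function entryHash(seq: number, prevHash: string, payload: string): string {
  return createHash("sha256").update(`${seq}\n${prevHash}\n${payload}`, "utf8").digest("hex");
}

// Sorted-key serialization so the same decision always seals to the same bytes.
function encodeDecision(d: AdmissionDecision): string {
  return JSON.stringify(d, Object.keys(d).sort());
}

// Head hash: the one value to export to the off-host (cloud-side) verifier.
function headHash(chain: SealedEntry[]): string {
  let h = GENESIS_HASH;
  for (const e of chain) h = e.hash;
  return h;
}

// Append decisions lifted from the webhook ring buffer onto an existing chain.
function appendDecisions(chain: SealedEntry[], decisions: AdmissionDecision[]): SealedEntry[] {
  const out = chain.slice();
  let prevHash = headHash(out);
  for (const d of decisions) {
    const seq = out.length;
    const payload = encodeDecision(d);
    const hash = entryHash(seq, prevHash, payload);
    out.push({ seq, prevHash, payload, hash });
    prevHash = hash;
  }
  return out;
}

interface ReplayResult { ok: boolean; firstBadSeq: number | null; reason: string; }

// Replay verifier: recompute every link from genesis and stop at the first break.
function verifyChain(chain: SealedEntry[]): ReplayResult {
  let prevHash = GENESIS_HASH;
  let i = 0;
  for (const e of chain) {
    if (e.seq !== i) return { ok: false, firstBadSeq: i, reason: `sequence gap: expected ${i}, got ${e.seq}` };
    if (e.prevHash !== prevHash) return { ok: false, firstBadSeq: i, reason: "prev-hash link broken" };
    if (entryHash(e.seq, e.prevHash, e.payload) !== e.hash) return { ok: false, firstBadSeq: i, reason: "entry hash mismatch" };
    prevHash = e.hash;
    i++;
  }
  return { ok: true, firstBadSeq: null, reason: "chain intact" };
}

// Constructed sample decisions.
const SAMPLE_DECISIONS: AdmissionDecision[] = [
  { ts: "2026-05-12T09:00:00Z", namespace: "tlsstress", kind: "Deployment", name: "agent", verdict: "ALLOW", reason: "tier-b image signed" },
  { ts: "2026-05-12T09:01:00Z", namespace: "tlsstress", kind: "Pod", name: "debug-shell", verdict: "DENY", reason: "privileged container outside break-glass window" },
  { ts: "2026-05-12T09:02:00Z", namespace: "tlsstress", kind: "Pod", name: "hotfix", verdict: "BREAK-GLASS", reason: "ticket-id placeholder" },
];

function buildSampleChain(): SealedEntry[] {
  return appendDecisions([], SAMPLE_DECISIONS);
}

// Stored verdict edited in place without re-sealing: caught as a hash mismatch at seq 1.
function tamperedSampleChain(): SealedEntry[] {
  return buildSampleChain().map((e, i) =>
    i === 1 ? { ...e, payload: e.payload.replace('"verdict":"DENY"', '"verdict":"ALLOW"') } : e);
}

// DENY entry deleted: caught as a sequence gap at position 1.
function truncatedSampleChain(): SealedEntry[] {
  return buildSampleChain().filter((e) => e.seq !== 1);
}

// History rewritten and the whole chain re-sealed: passes local replay, but the head
// hash no longer matches the anchor exported before the edit.
function resealedSampleChain(): SealedEntry[] {
  const edited: AdmissionDecision[] = SAMPLE_DECISIONS.map((d) =>
    d.verdict === "DENY" ? { ...d, verdict: "ALLOW" } : d);
  return appendDecisions([], edited);
}

console.log(verifyChain(buildSampleChain()), verifyChain(tamperedSampleChain()), verifyChain(truncatedSampleChain()));
```

The third case is the one to design around: local chain integrity is necessary but not sufficient against an operator who controls the host, so the correlation run (button or cron) should also ship the head hash to the cloud-side verifier, where the re-sealed chain is caught by comparing heads rather than by replaying links.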

What else shipped in this release

Beyond the ZTP-prem milestone, v3.7.0 includes:

  • Wave NSO — NetSecOPEN Option C + Production Realism (22 PRs)
  • Wave SUS — Sustainability MVP: energy + CO2 + AWS-cost competitive TCO comparison (14 PRs)
  • Wave MACARP — MAC/ARP capacity stress agent + Grafana dashboard + Prometheus alerts
  • Wave LDS — Lab Deployment Staging wizard with abandon + clone-as-template
  • Wave PURE — Production URL Replay engine with HAR ingest
  • Documentation — Trilingual index, banner sweep across docs corpus, gitleaks workflow fix
  • Dependency hygiene — 14 protobufjs CVE Dependabot alerts closed via scoped override (Wave 8++ this session); Go 1.26.3 fleet adoption; Node 24 features adoption
  • Auto-merge drain — From 238 queued admin-merges to 4

Container images

Multi-arch (amd64 + arm64), Cosign-signed (keyless OIDC) and SBOM-attested:

docker pull ghcr.io/nollagluiz/web-agent-agent:v3.7.0
docker pull ghcr.io/nollagluiz/web-agent-dashboard:v3.7.0
docker pull ghcr.io/nollagluiz/web-agent-webserver:v3.7.0
docker pull ghcr.io/nollagluiz/web-agent-persona-seeder:v3.7.0
docker pull ghcr.io/nollagluiz/web-agent-mock-engine:v3.7.0
docker pull ghcr.io/nollagluiz/web-agent-har-engine:v3.7.0

New images in v3.7.0:

docker pull ghcr.io/nollagluiz/web-agent-ztp-prem-admission:v3.7.0
docker pull ghcr.io/nollagluiz/web-agent-ztp-prem-detect:v3.7.0
docker pull ghcr.io/nollagluiz/web-agent-ztp-prem-signctl:v3.7.0
docker pull ghcr.io/nollagluiz/web-agent-ztp-prem-tpm:v3.7.0

Verify image signatures with:

cosign verify ghcr.io/nollagluiz/web-agent-dashboard:v3.7.0 \
  --certificate-identity-regexp "https://github.com/.*/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

Upgrade notes

  • No breaking changes to the operator-facing API surface.
  • ZTP_PREM_HSM_REQUIRED env defaults to false. Setting it to true activates the heartbeat gate added in Wave 9+. Flip only after the operator has wired a real HSM probe (Wave 9++ scheduled) or set up a cron that POSTs /api/admin/ztp-prem/hsm-heartbeat.
  • ZTP_PREM_ADMISSION_MODE env defaults to audit. Setting it to enforce activates the admission denial path added in Wave 9-A. Follow the 4-step canary rollout guide embedded in k8s/ztp-prem/admission-webhook.yaml.
  • ZTP_PREM_DEPLOYMENT_ID env is consumed by the new correlation and heartbeat endpoints. Defaults to developer-mode; set to a stable deployment identifier in production.
  • CODEOWNERS now requires the @nollagluiz/ztp-prem-reviewers team to approve changes to ZTP-prem critical paths. Sole member is the project owner; the team mapping is codified so adding members later doesn't require touching every PR's mental model.

Marketing materials

Companion documents land in this release for designer + sales-engineering production:

Forensic asset manifest

Every owned YAML / Markdown / Caddyfile asset in this release is hashed and the manifest published as a release asset (asset-hashes.txt). If a third party ships any of these assets byte-for-byte identical, the hash match is forensic evidence of derivation. The manifest's own SHA-256 is printed on the GitHub Release page.

Full changelog

The complete commit log (≈500 commits over 7 days, ~40 of those landed during the 2026-05-12 ZTP-prem closing session) is auto-generated by the release workflow and appears below this section on the GitHub Release page. Use it to map specific PRs to the layer numbers in the table at the top of this document.