Project Releases

All official versions of the Cyber Sentinel project are available on GitHub Releases.

Version	Status	Date	Tag
v1.0.2-rc1	🟡 Pre-release (RC)	2026-05-05	`v1.0.2-rc1`
v1.0.1-alpha	🟢 Released	—	`v1.0.1`
v1.0.0	🟢 Released	—	`v1.0.0`

v1.0.2-rc1

🛡️ Detection-First AI Scoring & Database Hardening — Released 5 May 2026 · Tree at tag · Compare to main

Release Candidate

This is a pre-release. The architecture and APIs are now frozen — pending real-world validation, this RC will be promoted to the final v1.0.2. Test on staging before deploying to production. Issues found during RC testing should be opened with the rc-feedback label on the issue tracker.

The largest functional overhaul since the project began. The release refines how Cyber Sentinel reasons about threats, hardens the data layer for long-term operation, and modernizes operator-facing components. Changes touch the AI agent, the MySQL schema, the Vault provisioning workflow, and the alerting pipeline.

Highlights

New 1–5 threat scale — replaces the previous 1–10 scale. Score levels are no longer hardcoded in the AI prompt; they are loaded dynamically from the database at every invocation via v_threat_scale_for_agent, paving the way for a future self-healing AI workflow.
URLhaus reweighted as a supporting source — primary scoring now relies on VirusTotal and ThreatFox. URLhaus may add at most +1 to the score, and only when a primary source has already flagged the indicator. Eliminates false positives on legitimate platforms (GitHub, Bitbucket, Pastebin, etc.).
Partitioned core tables — dns_queries, network_events, threat_indicators now use monthly RANGE partitioning with automated 6-month retention.
Color-graded alert emails — score 1–2 renders as green INFO, score 3 as amber REVIEW, score 4–5 as red ALERT. No more red exclamation marks for clean traffic.
Unified Vault lifecycle playbook — initialization, unsealing, and provisioning are now handled by a single idempotent playbook.

🧠 AI Agent — Detection-First Scoring (v3.0)

Threat scale reduced from 1–10 to 1–5 for clearer operator action mapping:

Score	Action
1	`Allow`
2	`Monitor`
3	`Review`
4	`Block`
5	`Block + Alert`

Scale is now loaded from dic_threat_levels at runtime via the new v_threat_scale_for_agent view. Future workflows can update the scale without touching the prompt.
Source weighting:
- Primary: VirusTotal, ThreatFox
- Supporting: URLhaus (max +1 modifier, never a sole driver)
Big Player guard hardened: trusted infrastructure (AWS, Cloudflare, Google, Microsoft) is capped at score 2 unless ThreatFox confirms a specific malware family.
New scoring_rationale field in agent output — explains why the score was assigned, intended as audit input for the future self-healing meta-agent.

🗄️ Database — Schema v3.0

See the dedicated Database Schema page for the full v3.0 reference.

Threat scale migration: dic_threat_levels rewritten with a 1–5 scale and is_malicious_flag driving downstream logic. Historical scores in ai_analysis_results are preserved via deterministic remapping (see Migration Notes).
Composite primary keys on partitioned tables (dns_queries, network_events, threat_indicators) — required by MySQL when partitioning by a non-PK column.
threat_indicators UNIQUE KEY extended to include last_scan, allowing the same (dns_query, analysis_result) pair to be scanned multiple times over its lifetime.
Foreign keys removed from partitioned tables (MySQL constraint). Relational integrity is now enforced at the n8n workflow layer.
Grafana views updated — v_grafana_malicious_stats, v_grafana_daily_trends, v_grafana_threat_explorer, and v_grafana_threat_alerts now use is_malicious_flag instead of a hardcoded score > 5 threshold.

Partitioning & Retention

Monthly partitions for dns_queries, network_events, threat_indicators. Full DDL and procedures documented on the Database Schema page and applied by Ansible playbook 04.6.
Automated maintenance via the MySQL Event Scheduler:
- evt_drop_old_partitions — runs monthly at 02:00, drops partitions older than 6 months.
- evt_add_future_partitions — runs monthly at 03:00, ensures 3 months of forward partitions exist.
All maintenance actions logged to partition_maintenance_log (success and failure paths).
Stored procedures: sp_drop_old_partitions iterates INFORMATION_SCHEMA.PARTITIONS to drop every monthly partition past the cutoff in a single run; sp_add_future_partitions reorganizes p_future to materialize the next 3 monthly partitions, skipping months that already exist.

📧 Alert Email — Severity-Aware Rendering

Email styling now adapts to the severity score, surfaced from dic_threat_levels.action_recommended:

Score	Accent	Header	Badge
1–2	🟢 Green	`✅ INFO`	`Clean / Monitor`
3	🟡 Amber	`⚠️ REVIEW`	`Suspicious`
4–5	🔴 Red	`🚨 ALERT`	`Malicious / Critical`

Severity label is displayed beneath the score for instant context.
Accent colour is consistently applied across the top border, header background, score number, analysis side bar, and action button — no more red ALARM banners for clean traffic.

🔐 Vault — Unified Lifecycle Playbook

The previously separate 06_1_initialize_vault.yml and 06_2_provision_vault.yml have been merged into a single 06_initialize_provision_vault.yml. Full reference on the Vault & Secrets page.

Pre-flight validation — playbook fails fast if any required variable (API keys, DB passwords, certs) is missing, before any secret is written.
Idempotent dual-mode operation:
- First run → initializes Vault, captures fresh credentials, auto-unseals, provisions all secrets.
- Re-run → detects existing Vault, unseals from group_vars if sealed, updates secrets in place.
Secure key handling — Unseal Keys are never written to Vault itself (chicken-and-egg problem). They are displayed exactly once at first init and must be saved by the operator to an external secure location.
Final-message logic: first init shows root token + unseal keys with a save-now warning; re-runs only confirm success without exposing any sensitive material.

⚠️ Migration Notes (v1.0.1 → v1.0.2-rc1)

This release contains breaking changes to the database schema. Read this section before upgrading an existing deployment.

Threat Scale: 1–10 → 1–5

If your cyber_intelligence database already contains historical analysis data, the score migration is required. Score remapping:

Old (1–10)	New (1–5)	Action
1, 2	1	`Allow`
3, 4	2	`Monitor`
5	3	`Review`
6, 7	4	`Block`
8, 9, 10	5	`Block + Alert`

Use migration_threat_scale_v3_fixed.sql for in-place migration of existing data.
For fresh deployments, use db_deployment.sql directly — it includes the new scale.

Backup first

Always back up your database before running either script. The migration includes irreversible schema changes (composite PKs, dropped FKs).

Schema Changes Requiring Rebuild

The following changes cannot be applied with a simple ALTER on a populated table:

Composite primary keys on dns_queries, network_events, threat_indicators
Removal of foreign keys from partitioned tables
Extension of threat_indicators UNIQUE KEY with last_scan

For environments with existing data, the recommended path is: dump → drop database → recreate with the v3.0 deployment script → reload data. For fresh deployments no action is needed.

Deployment Order

# 1. Database
mysql -u root -p < db_deployment.sql
mysql -u root -p < db_partitioning_retention.sql

# 2. Vault (idempotent — safe to re-run)
ansible-playbook -i hosts.ini ansible/06_initialize_provision_vault.yml \
  --vault-password-file ansible/.vault_pass

# 3. Master playbook (full stack)
ansible-playbook -i hosts.ini ansible/00_main.yml \
  --vault-password-file ansible/.vault_pass

The same commands are also documented as Ansible playbooks: 04.3 — DB create, 04.6 — Partitioning, and 06 — Vault. The recommended path is to use the master 00_main.yml which sequences all of them.

n8n Workflow Update

The AI agent prompt and email template must be updated in n8n to match the new schema. This is delivered separately — workflow JSON updates will follow shortly after this RC ships (see Known Issues).

✅ What's Frozen for Stable v1.0.2

The following are now considered stable and will not change between this RC and the final release (unless a critical bug is found):

Database schema (tables, views, partitioning strategy)
AI agent prompt structure and output JSON schema
Email template variable contracts
Vault playbook variable names and secret paths

If you find an issue during RC testing, please open a GitHub issue tagged rc-feedback so it can be addressed before promotion to stable.

🐛 Known Issues / Pending

n8n workflow JSON has not yet been republished — coming in a follow-up commit.
Self-healing AI meta-agent (auto-tuning of dic_threat_levels) is scoped for v1.1.0 — see Future Roadmap.
No automated test suite for the SQL migration path — manual validation only.

📂 Deployment Command

# Master playbook deploys the entire stack including the unified Vault module
ansible-playbook -i hosts.ini ansible/00_main.yml \
  --vault-password-file ansible/.vault_pass

For a fresh deploy, run the database scripts first as shown in the Migration Notes section above.

v1.0.1-alpha

Unified Vault Orchestration: Merged separate HashiCorp Vault playbooks into one master configuration for simplified secret management.
Enhanced Grafana Dashboards: Updated dashboard configurations for better visibility into CTI metrics and AI-driven threat verdicts.
Streamlined Ansible Logic: Refactored roles to ensure a faster and more reliable deployment of the entire stack.
Initial Automated Deployment: Transitioned to a full Infrastructure as Code (IaC) workflow using Ansible.

v1.0.0

First stable release of the project.
Implementation of core scanning mechanisms.
Initial integration with AI workflows.