Releases: Eaglemann/aws-lighthouse

Release v0.3.0

10 Mar 21:07

[0.3.0] - 2026-03-10

🚀 Features

  • (iam_scan) Add high‑risk action detection for credential‑theft
  • (tagging) Log skipped Lambda functions on tag lookup failure
  • (cli) Add 30‑day cost forecast and extend anomalies to 30d
  • (cloudwatch) Add alarm gap detection for ElastiCache and Redshift
  • (cost_scan) Make snapshot age configurable via env
  • (cost) Add cost forecast and enhance anomaly detection
  • (inventory) Make lambda stale days configurable via env
  • (security) Enhance scans and refactor S3 block public access
  • (types) Add CRITICAL severity and extend CostAnomaly fields
  • (aws_lighthouse) Add cost attribution tool and CLI rendering
  • (aws_lighthouse) Add CloudTrail cost attribution tool
  • (aws_lighthouse) Add cost attribution types
  • (aws_lighthouse) Add RI/SP purchase recommendations and CLI panel
  • (aws_lighthouse) Add RI and SP purchase recommendation tool
  • (aws_lighthouse) Add remediation plan tool and CLI support
  • (aws_lighthouse) Add remediation plan builder and phase parser
  • (aws_lighthouse) Add SG blast radius analysis tool and CLI support
  • (aws_lighthouse) Implement SG blast radius analysis tool
  • (aws_lighthouse) Add multi-profile scanning support
  • (aws_lighthouse) Add Terraform drift classification utility
  • (aws_lighthouse) Add Terraform drift classification and CLI support
  • (aws_lighthouse) Add SARIF output support to analyze command
  • (aws_lighthouse) Add Compute Optimizer EC2 rightsizing tool
  • (aws_lighthouse) Add VPC flow logs check to security scan
  • (aws_lighthouse) Add Terraform drift snippet for flow logs
  • (aws_lighthouse) Add cost allocation tag enforcer
  • (aws_lighthouse) Add tag cost coverage tool
  • (aws_lighthouse) Add tag cost coverage reporting
  • (aws_lighthouse) Add idle NAT gateway and load balancer checks
  • (aws_lighthouse) Add NAT gateway and load balancer drift checks
  • (aws_lighthouse) Add webhook notification utilities for alerts
  • (aws_lighthouse) Add webhook alerts for high/critical findings
  • (aws_lighthouse) Add idle RDS instance detection to cost scan
  • (aws_lighthouse) Add idle DB instance suggestion to terraform drift
  • (aws_lighthouse) Add idle Lambda function detection
  • (aws_lighthouse) Add HCL fix for non‑invoked Lambda functions
  • (aws_lighthouse) Add CloudWatch log group retention check
  • (aws_lighthouse) Add retention detection for CloudWatch logs
  • (aws_lighthouse) Add audit log command and DB query
  • (aws_lighthouse) Add proactive session expiry handling
  • (aws_lighthouse) Add Effective Rate analysis tool
  • (aws_lighthouse) Add effective rate analysis tool
  • (aws_lighthouse) Add scenario planning tool and cost estimator CLI

🐛 Bug Fixes

  • (logger) Synchronize error capture stack with threading lock
  • (auth) Handle BotoCoreError in authentication flow
  • (tools) Handle fetch errors in RI/SP coverage

🚜 Refactor

  • (agent) Add strict filter parsing and safe-tool validation
  • (security_scan) Share IAM credential report between checks
  • (remediation) Delegate EBS deletion to delete_ebs_volume helper
  • (aws_lighthouse) Tidy cost tool formatting
  • (aws_lighthouse) Add precise type hints to agent functions

🧪 Testing

  • (agent) Add edge case and validation tests for approval and filters
  • Add high-risk IAM action detection tests
  • Add tests for credential report reuse and pre‑fetched IAM reports
  • (tagging) Assert warning logged when per-function tag lookup fails
  • (cli) Use 30‑day fields in anomaly tests and add forecast output
  • (cloudwatch) Add ElastiCache and Redshift alarm gap tests
  • (tests) Add cost forecast and env var override tests
  • (inventory) Add env var override test for lambda stale days
  • (opportunities) Update anomaly fields to 30d and add detection_type
  • (remediation) Mock delete_ebs_volume and simplify error handling
  • Add test for preserving partial results on unexpected exception
  • (security) Add KMS rotation tests and improve security mocks
  • (tests) Add integration tests for full cycle scenarios
  • (tests) Add comprehensive bash tool unit and security tests
  • (tests) Reformat test code and improve readability
  • (tests) Add cost_attribution field to JSON output verification
  • (tests) Add comprehensive CloudTrail attribution unit tests
  • (tests) Add RI/SP advisor tests and update CLI test expectations
  • (remediation) Add remediation plan tests and adjust CLI selection
  • (sg_blast_radius) Add unit tests and CLI expectations
  • (tests) Add unit tests for profile parsing and listing
  • (tests) Add tests for --terraform-dir flag on analyze command
  • (tests) Add unit tests for Terraform drift classification utilities
  • (tests) Add SARIF output tests and improve output validation
  • (tests) Add unit tests for Compute Optimizer tool
  • (tests) Add unit tests for VPC flow logs check
  • (tests) Add VPC flow logs unit test
  • (tests) Add unit tests for tag cost enforcer
  • (tests) Add unit tests for tag cost coverage and untagged spend
  • (tests) Add unit tests for idle NAT gateways and load balancers
  • (tests) Add NAT gateway and load balancer drift tests
  • (tests) Add unit tests for notify utilities
  • (tests) Add unit tests for idle RDS instance detection
  • (tests) Add unit test for RDS instances with no connections
  • (tests) Add comprehensive idle Lambda function checks
  • (tests) Add lambda not invoked detection test
  • (tests) Add tests for _check_log_group_retention
  • (tests) Add test for log group retention detection
  • (tests) Add tests for audit CLI command and DB audit log
  • (tests) Combine multiple patches into a single with block
  • (tests) Add comprehensive session expiry unit tests
  • (tests) Clean up assertions and add effective_rate tests
  • (tests) Add cost estimator and scenario planner unit tests

⚙️ Miscellaneous Tasks

  • (test) Add pytest markers for unit, integration, slow, security
  • (.github) Add test matrix and build check jobs to CI workflow
  • (.github) Use uv pip install for wheel smoke-test
  • (.github) Install Gitleaks and switch to CLI scanning
  • (.github) Add Gitleaks config file and use it in CI
  • (lint) Add C90, SIM, RUF selects and enable mccabe complexity
  • Bump version to 0.3.0

Release v0.2.1

06 Mar 17:20

[0.2.1] - 2026-03-06

🚀 Features

  • (agent) Normalize schema arguments for safe tool calls
  • (shell) Add /logs command and direct analyze execution support
  • (logger) Add file logging with timestamps and exception logging
  • Add schema normalization utility and CLI error log path reporting
  • Add default opportunity account handling and CLI health panels
  • (scan_contract) Add expected unavailable error classification
  • (logger) Add detail and display options to error method

🚜 Refactor

  • (security_scan) Simplify GuardDuty error handling

🧪 Testing

  • (logger) Add test for silent error logging
  • Add tests for SP coverage and utilization unavailable handling
  • (scan_contract) Add tests for expected unavailable scan errors
  • (security-scan) Add GuardDuty subscription test without display

⚙️ Miscellaneous Tasks

  • Bump version to 0.2.1

Release v0.2.0

06 Mar 15:45

[0.2.0] - 2026-03-06

🚀 Features

  • (agent) Add Ollama runtime health check and configurable host
  • (cli) Add Ollama runtime check and alert UI

🧪 Testing

  • (agent) Add comprehensive Ollama runtime health check tests
  • (cli) Add comprehensive Ollama runtime health alert tests

⚙️ Miscellaneous Tasks

  • Bump version to 0.2.0

Release v0.1.5

06 Mar 15:28

[0.1.5] - 2026-03-06

🚀 Features

  • (cli) Add explicit scan policy config
  • (agent) Add persistent opportunities hub
  • (cli) Add executive summary UI and enhanced shell commands
  • (db) Add latest scan activity getter and opportunity summary
  • (opportunities) Add global security and S3 tagging helpers

🚜 Refactor

  • Simplify function signatures and error messages

📚 Documentation

  • (readme) Document scan policy config and audit behavior

🧪 Testing

  • Standardize quoting and format CLI arguments
  • (db) Add tests for latest scan activity and opportunity summary
  • (cli) Add tests for parsing, watch view, and shell commands

⚙️ Miscellaneous Tasks

  • (dependency-audit) Ignore CVE-2026-28277 in pip-audit
  • (release) Bump version to 0.1.5

Release v0.1.4

04 Mar 19:46

[0.1.4] - 2026-03-04

🐛 Bug Fixes

  • (release) Verify git-cliff with asset sha512 file
  • (release) Make git-cliff install resilient to archive layout

⚙️ Miscellaneous Tasks

  • (release) Bump version to 0.1.4

Release v0.1.1

03 Mar 13:28

[0.1.2] - 2026-03-03

⚙️ Miscellaneous Tasks

  • (release) Update uv publish command to verify PyPI URL

v0.1.1

03 Mar 13:23

What's Changed

  • refactor(cli): add emojis and improve status messages for better UX by @Eaglemann in #12

Full Changelog: v0.1.0...v0.1.1

Release v0.1.0

03 Mar 12:37

[0.1.0] - 2026-03-03

🚀 Features

  • Add initial pyproject, .python-version and lockfile
  • (aws_lighthouse) Add CLI, auth, agent graph and infra tools
  • (agent) Bypass approval for safe tools
  • (cli) Add security findings table for public RDS instances
  • (inventory) Add EC2, RDS, and S3 inventory tools
  • Add security scan tool and integrate into CLI
  • (cli) Add cost waste scanning and reporting
  • Add memory checkpointer and thread config for persistent sessions
  • (cli) Add rich UI components and default REPL loop
  • (lambda) Add inventory tool and dashboard for Lambda functions
  • (cost-anomaly) Add cost anomaly detection tool and CLI integration
  • (tagging) Add tag compliance check tool and integrate into CLI
  • (iam) Add over‑permissive IAM policy scanning tool
  • (cloudwatch) Detect missing EC2 and RDS CloudWatch alarms
  • (remediation) Add one‑click remediation UI and actions
  • (multi-region) Add region-aware inventory tools and scanning
  • (ri_sp_coverage) Add RI and Savings Plan coverage tool
  • (agent) Add cost and security scan tools
  • (lambda) Add alarm and tag compliance checks for Lambda
  • (security_scan) Add IMDSv2 and EBS encryption checks
  • (cli) Add --region option to scan a single AWS region
  • (security) Add S3 default encryption check
  • Add Lambda support to CloudWatch, tagging, and security scans
  • (agent) Add OLLAMA_HOST env var to configure Ollama base URL
  • (docker) Add Dockerfile, compose and .dockerignore
  • (remediation) Add GuardDuty, CloudTrail, IMDSv2, S3 encryption
  • (tests) Add remediation action tests and validation
  • (security) Block sensitive file paths in read/write tools
  • (bash) Add dangerous command detection and blocking
  • (auth) Add adaptive retry config to boto3 clients
  • (docker) Run container as non-root user
  • (ci) Add dependency, container, and secret scanning
  • (agent) Add user approval flag and conditional routing
  • (bash) Add allowlist and shlex parsing for safer command execution
  • (cfn_deploy) Add bucket hardening and switch to get_client
  • (tools) Add blocked path validation to Terraform parsing
  • (auth) Add client caching to reduce Boto3 client creation
  • (cloudwatch_scan) Add paginator and alarm detection for EC2/RDS
  • (remediation) Report per-volume deletion status
  • (security) Block additional sensitive files and directories
  • (db) Add audit_log table and record_audit_log method
  • (audit) Log tool execution decisions in audit database
  • (db) Implement audit log recording and add tests
  • (cli) Add JSON output option and return section data
  • (types) Add Severity literal and apply to finding typings

🐛 Bug Fixes

  • (cli) Capture previous snapshot before saving
  • (db) Tighten file permissions for database directory and file

💼 Other

  • (docker) Pin images to digests for reproducible builds
  • (docker) Copy README.md for hatchling wheel build

🚜 Refactor

  • (cfn_deploy) Use authenticated session for AWS clients
  • Improve formatting and readability across modules
  • Add type hints and improve sorting in cost anomaly tool
  • (agent) Reformat tool_execute_bash signature for readability
  • (tools) Use paginators for AWS describe calls
  • (aws) Handle specific botocore errors
  • (agent) Defer Ollama init to runtime to avoid import side-effects
  • (auth) Add get_client and replace direct client calls
  • (types) Add TypedDicts for findings and update return types
  • (cli) Modularize analyze command, add region to findings
  • (mypy) Remove ignore_errors override for cli module
  • Modernize type hints and clean up imports across project
  • (tests) Condense inline policy list literals
  • (auth) Add thread‑safe double‑checked locking for session
  • Rename get_aws_client to get_client across tools
  • (tests) Replace get_aws_client with get_client in tests
  • Add region param to AWS remediation funcs
  • (tools) Narrow exception handling to specific errors
  • (db) Add return type hints to DatabaseManager methods
  • (logger) Add return type hints to logger methods

📚 Documentation

  • Add project overview and usage guide in README
  • (readme) Revamp README with detailed usage and install guide
  • Update security checks and remediation actions in README
  • (tools) Expand docstrings with detailed usage and region info
  • Add comprehensive project metadata and stricter mypy settings
  • (readme) Increase security checks to eleven and add considerations

⚡ Performance

  • (iam_scan) Reduce IAM API calls by batching auth details
  • (cli) Parallelize region scans to improve performance
  • (ri_sp_coverage) Run CE calls in parallel to reduce latency
  • (security_scan) Use credential report to reduce IAM API calls
  • (tagging) Bulk-fetch Lambda tags to reduce API calls

🧪 Testing

  • Add unit tests for cloudwatch, cost, and tagging tools
  • (lambda) Add coverage for Lambda alarm gaps and tag compliance
  • (security_scan) Add tests for IMDSv2 and EBS encryption checks
  • (security_scan) Add comprehensive S3 encryption checks
  • Add unit tests for cost, inventory and security scans
  • (agent) Add comprehensive tests for approval gating and denial
  • Refactor tests to use paginator helpers and add inventory tests
  • (bash) Add comprehensive dangerous command detection tests
  • Use ClientError for AWS API error mocks in scans
  • (agent) Remove unnecessary sys.modules mock for langchain_ollama
  • Replace get_aws_client with get_client in tests
  • Adjust API error test to expect empty result
  • Add comprehensive unit tests for auth, cli, and db
  • (auth) Add tests for adaptive retry config forwarding
  • Replace timezone.utc with datetime.UTC in test suite
  • Add pytest-cov and pytest-timeout, configure coverage
  • (iam_scan) Add extensive overpermissive IAM tests and mock helpers
  • (agent) Add comprehensive approval routing tests
  • (bash) Add comprehensive allowlist behavior tests
  • Remove unused _ALLOWED_COMMANDS import
  • (cfn_deploy) Add comprehensive unit tests for deploy_cur_template
  • (terraform) Add comprehensive tests for parse_terraform_context
  • (auth) Add concurrent session authentication test
  • (auth) Add client caching tests and update get_client delegation
  • Add paginator-based mocks and pagination regression tests
  • (ri_sp_coverage) Add unit tests for fetchers and parallel execution
  • (security_scan) Add credential report tests, refactor IAM checks
  • (tagging) Use bulk tagging API for Lambda tags and pagination
  • (remediation) Add unit tests for remediation functions
  • (remediation) Verify region is passed to client calls
  • Replace generic Exception with BotoCoreError in test suites
  • (cost) Add comprehensive unit tests for monthly cost summary
  • (security) Add unit tests for s3_block_public_access
  • (bash) Add blocked path tests covering new patterns
  • (cli) Add integration tests for JSON output

⚙️ Miscellaneous Tasks

  • Add .gitignore
  • Add GitHub Actions CI workflow
  • (mypy) Add mypy config to ignore missing imports
  • Reformat blocked path set and test assertions for readability
  • (mypy) Suppress type errors for cli module
  • (lint) Add ruff configuration to enforce lint rules
  • (dependabot) Add weekly dependabot config for pip, docker, actions
  • (workflow) Use pip-audit file export and upload Trivy SARIF results
  • (workflow) Allow Trivy scan errors and guard SARIF upload
  • Simplify Python dependency audit step
  • Set Trivy action exit-code to 0 to avoid CI failure
  • Add Trivy install step and use CLI for image scan
  • Switch to Trivy GitHub Action for container scanning
  • (workflow) Update Trivy action to v0.34.1
  • Simplify CI pipeline and remove Docker build files
  • (workflows) Add --no-hashes flag to uv export
  • (release) Add GitHub Actions workflow for automated releases
  • (release) Fix git-cliff version to v2.12.0 (v2.4.0 never existed)
  • (release) Fix git-cliff download URL (v2.12.0, no v-prefix in filename)