Release Notes

v1.0.168 — April 2026

Scan History — missing scans after restart. Scans saved before project-path tracking was introduced had a NULL project_path and were excluded by the history filter. All such records are now included. Path comparisons are also now case-insensitive, fixing missing scans on Windows due to drive-letter case differences.
Report export — HTML and SARIF blank for certificate/quantum scans. The HTML and SARIF export paths were missing the certificate_analysis data fallback that the CSV export already had, resulting in empty tables. Fixed.
Report export — risk score always blank in bulk export. The bulk export risk score extractor was reading a key that no longer exists in the stored scan structure. Fixed to read the correct path.

PQC detection rules extended to 35+ programming languages, adding Dart, Dockerfile, YAML, SQL, Jsonnet, and all previously uncovered subdirs.
AES-192 detection added with WARNING severity, completing full AES-128/192/256 coverage.

Code analysis engine updated to OpenGrep v1.17.0.
Removed the PQC / All Vulnerabilities scan mode toggle — all built-in rules are quantum/crypto-focused so the distinction was meaningless. The setting has been removed from the UI and backend.

License key entry fields now show the correct placeholder format: CR-XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX.

Code Analyzer — AI fix now works end-to-end. Clicking Generate AI Code Fix or Generate AI Recommendation now shows a loading indicator and correctly returns the generated fix. Root cause was a key mismatch between the findings table and the fix state store on Windows paths (backslash vs forward slash normalization).
Code Analyzer — AI fix works for directory scans. Findings from directory scans with 1–10 files were returned with relative paths by the code scanner. These are now resolved to absolute paths before reading the file or saving the patch, preventing silent failures.
Certificate Analyzer — Security Grade no longer shows UNKNOWN. When the stored grade is the default sentinel value, the UI now derives a letter grade from the risk level instead.
Certificate Analyzer — Cert Expires no longer shows 12/31/1969. A null notAfter date was being passed to new Date(null), returning Unix epoch 0. Null dates now display as —.
Certificate Analyzer — Days to Expiry no longer appears blank. Shows — when the value is unavailable.

Added full User Guide (15 chapters covering all analyzers, risk scoring, AI fixes, CI/CD, reporting, and troubleshooting)
Added Quick Reference Card (algorithm scores, PQC replacements, confidence levels, log locations)
Added Binary Analyzer limitations section to docs and FAQ
Warranty Disclaimer updated to include static analysis scope clarification
Version number now consistent across all packages and documentation

Pattern detection engine path discovery is now fully portable — no longer hard-coded to a specific machine path
Removed duplicate detection rule file; single authoritative copy consolidated internally
Removed dead code files (analyzer_with_limits.py, analyzer_with_limits_hardened.py)

Added Dart, Lua, and Vue to supported code analysis languages
Backend startup timeout retry button — if the backend doesn't respond within 30 seconds, a Retry button appears on the splash screen
Port scan now supports standard TLS ports (443, 465, 587, etc.) — previously blocked incorrectly

Electron IPC hardening: open-external restricted to https:// URLs only
File read IPC enforces workspace path containment when a workspace root is provided
Settings IPC uses an allowlist of permitted keys with type validation
Path traversal fix for uploaded license files
LLM API key moved from query parameter to X-LLM-Key request header

AI Deep Scan — Optional AI-assisted code analysis layer that reasons across files and detects context-dependent vulnerabilities that pattern matching cannot catch. Supports cloud providers (Google Gemini, Anthropic Claude, OpenAI) and fully on-premise models (Ollama, LM Studio, vLLM) for air-gapped deployments.