Release v0.65.0
May 05, 2026
Major security and anti-abuse release: cross-cutting hardening across 24 review areas, platform-admin abuse controls, and email verification.
Security & Compliance
- Twenty-four areas of the platform reviewed and hardened in one pass — covering remote access tickets, public installer and enrollment endpoints, AI tool execution and approvals, OAuth client lifecycle, multi-tenant isolation, backup and recovery authorization, webhook callbacks, agent trust boundary, API keys and service tokens, audit and report exposure, background workers, database row-level security, admin lifecycle, log ingestion, native viewer and helper apps, installer privilege, secret rotation, relay and TURN edges, and high-privilege third-party sync jobs.
- Sensitive secrets at rest are now encrypted with a dedicated key separate from your session signing key, with a backwards-compatible read path so existing data and existing logins keep working through the upgrade.
- Multi-factor TOTP secrets re-encrypted under the new key with a dual-decrypt fallback — every existing MFA user logs in normally after deploy, no re-enrollment needed.
- Row-level security is now forced on every tenant-scoped database table, removing the possibility of an application-layer bug ever exposing data across organizations.
- Browser content security policy tightened, reducing the blast radius of any future cross-site scripting.
- Trusted reverse-proxy IPs are now configured explicitly, so audit logs and rate limits can never be tricked by a forged X-Forwarded-For header.
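An added illustration of the trusted-proxy rule above (example code written for these notes, not the project's own middleware; the proxy ranges are constructed). The point is that X-Forwarded-For is only meaningful when the TCP peer is one of your own proxies, and even then the client address is found by walking the chain from the right and stopping at the first hop that is not a trusted proxy. Anything the client wrote into the header sits to the left of that hop and is never consulted; the naive leftmost-hop reader is shown alongside so the difference is visible.

```python
import ipaddress
from typing import Optional

# Constructed example: the address ranges our own reverse proxies connect from.
# In a real deployment this list comes from configuration, never from a request.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.10/32")]


def is_trusted_proxy(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The pattern being moved away from: believe the leftmost hop.
    Any client can set X-Forwarded-For, so this value is attacker-controlled."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Address to use for audit logs and rate limits.

    Walk the chain from the TCP peer leftwards. Every hop that is one of our
    own proxies is skipped; the first hop that is NOT a trusted proxy is the
    client. Anything the client wrote into the header sits further left and
    is never reached.
    """
    if not is_trusted_proxy(remote_addr):
        # The peer is not our proxy, so the header is untrusted: use the peer.
        return remote_addr
    hops = [h.strip() for h in xff.split(",")] if xff else []
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError as exc:
            # Garbage in the chain: refuse rather than guess, so rate limits are
            # never bucketed under an attacker-chosen string.
            raise ValueError(f"malformed X-Forwarded-For hop: {hop!r}") from exc
        if not is_trusted_proxy(hop):
            return hop
    # Every hop was one of our proxies (or there was no header): the request
    # originated inside the proxy tier, so report the nearest peer.
    return remote_addr
```

Configure the trusted list from the proxy tier's real addresses; listing a whole private range is only safe when nothing but your proxies can reach the application port from it.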
Anti-Abuse
- Platform admins can now suspend an abusive partner with a single API call: every device gets queued for self-uninstall, sessions are deleted, non-admin users disabled, API keys revoked, and JWTs blanket-revoked in Redis. Fails closed if revocation fails so the operator never gets a misleading success.
- Email verification on signup, with resend and a clear distinction between 'this link was replaced by a newer one' and 'this link was already used' so the copy users see actually matches reality.
- Verifying email after a payment is attached automatically activates the partner and clears the 'Awaiting email verification' status banner.
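An added example (not the project's code) of the verification-link states the two bullets above describe: a resend marks the earlier link as superseded rather than deleting it, which is what lets the service answer "replaced by a newer link" instead of "already used", and confirming the address after a payment is attached activates the partner and clears the banner. The token lifetime, the hash-at-rest storage and the "both email and payment present" activation rule are assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 24 * 3600   # assumed link lifetime


@dataclass
class VerificationToken:
    partner_id: str
    issued_at: float
    status: str = "pending"     # pending | consumed | superseded


@dataclass
class Partner:
    partner_id: str
    email_verified: bool = False
    payment_attached: bool = False
    active: bool = False

    @property
    def banner(self) -> Optional[str]:
        # Shown while a paid-up partner has not yet confirmed their address.
        if self.payment_attached and not self.email_verified:
            return "Awaiting email verification"
        return None


class EmailVerification:
    def __init__(self) -> None:
        self.partners: Dict[str, Partner] = {}
        self.tokens: Dict[str, VerificationToken] = {}   # keyed by token hash

    @staticmethod
    def _hash(raw: str) -> str:
        # Only the hash is persisted, so a database read never yields a usable link.
        return hashlib.sha256(raw.encode()).hexdigest()

    def register(self, partner_id: str) -> Partner:
        self.partners[partner_id] = Partner(partner_id)
        return self.partners[partner_id]

    def issue(self, partner_id: str, now: float) -> str:
        """Signup or resend. Any still-pending link for this partner is marked
        superseded (not deleted), so a later click on it can be told apart from
        a link that was actually used."""
        for rec in self.tokens.values():
            if rec.partner_id == partner_id and rec.status == "pending":
                rec.status = "superseded"
        raw = secrets.token_urlsafe(32)
        self.tokens[self._hash(raw)] = VerificationToken(partner_id, now)
        return raw

    def _reconcile(self, partner: Partner) -> None:
        # Assumed rule: a partner activates once both email and payment are in place.
        partner.active = partner.email_verified and partner.payment_attached

    def attach_payment(self, partner_id: str) -> None:
        partner = self.partners[partner_id]
        partner.payment_attached = True
        self._reconcile(partner)

    def verify(self, raw: str, now: float) -> str:
        """Outcome shown to the user: verified | replaced | already_used | expired | invalid."""
        rec = self.tokens.get(self._hash(raw))
        if rec is None:
            return "invalid"
        if rec.status == "superseded":
            return "replaced"        # "this link was replaced by a newer one"
        if rec.status == "consumed":
            return "already_used"    # "this link was already used"
        if now - rec.issued_at > TOKEN_TTL_SECONDS:
            return "expired"
        rec.status = "consumed"
        partner = self.partners[rec.partner_id]
        partner.email_verified = True
        self._reconcile(partner)
        return "verified"
```

Keeping superseded and consumed as distinct terminal states costs one column and is the only way the user-facing copy can be truthful; collapsing both into "invalid" is what produces the confusing messages the release fixes.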
Agent & Enrollment
- Agent enrollment now expects a shared secret in production, with a warn-only mode for the first release so existing scripted enrollment doesn't break overnight.
- Enrollment keys use stronger derivation; older keys still resolve via a legacy fallback for one release cycle.
- Agent WebSocket auth now returns a clear re-enrollment-required signal when an old device record has no token hash, so operators can prompt the device to re-enroll instead of silently failing.
Integrations & Reports
- Webhook senders are encouraged to upgrade to HMAC signatures; legacy header-secret webhooks still deliver but emit deprecation warnings so you can migrate at your own pace.
- Reports export is now a distinct permission, automatically granted to any role that already had reports read or write so nothing breaks for existing users.
- SSO token exchange returns refresh tokens in JSON for one more release, with Deprecation and Sunset headers, giving integrations a clean migration window.
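An added example (not the project's code) of the webhook verification described above: a receiver that checks an HMAC-SHA256 signature bound to a timestamp first, and only falls back to the legacy header-secret scheme when no signature is present, accepting it but returning a deprecation notice. Header names, the signature format and the replay window are assumptions made for the example. The legacy scheme sends the secret itself on every request, binds nothing to the body and can be replayed indefinitely; the HMAC scheme fixes all three.

```python
import hashlib
import hmac
import logging
from dataclasses import dataclass
from typing import Dict, Optional

log = logging.getLogger("webhooks")

# Hypothetical header names for this example; the product's real names are not on the page.
SIG_HEADER = "X-Webhook-Signature"   # "t=<unix seconds>,v1=<hex hmac-sha256>"
LEGACY_HEADER = "X-Webhook-Secret"   # legacy scheme: the shared secret itself, sent verbatim
MAX_SKEW_SECONDS = 300               # signatures outside this window are treated as replays


@dataclass
class VerifyResult:
    accepted: bool
    scheme: str                      # "hmac", "legacy" or "none"
    deprecation: Optional[str] = None


def _mac(secret: bytes, ts: int, body: bytes) -> str:
    # Binding the timestamp into the MAC makes a captured request useless outside the window.
    return hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()


def sign(secret: bytes, body: bytes, ts: int) -> str:
    """Sender side: the value to put in SIG_HEADER."""
    return f"t={ts},v1={_mac(secret, ts, body)}"


def verify(secret: bytes, headers: Dict[str, str], body: bytes, now: int) -> VerifyResult:
    """Receiver side. HMAC is checked first; the legacy header is honoured only
    when no signature is present, and always carries a deprecation notice."""
    sig = headers.get(SIG_HEADER)
    if sig is not None:
        try:
            parts = dict(p.split("=", 1) for p in sig.split(","))
            ts = int(parts["t"])
            provided = parts["v1"]
        except (ValueError, KeyError):
            return VerifyResult(False, "hmac")
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return VerifyResult(False, "hmac")
        ok = hmac.compare_digest(_mac(secret, ts, body), provided)
        return VerifyResult(ok, "hmac")

    legacy = headers.get(LEGACY_HEADER)
    if legacy is not None:
        ok = hmac.compare_digest(legacy.encode(), secret)
        note = None
        if ok:
            note = ("legacy header-secret webhook accepted; "
                    "migrate to HMAC signatures before the strict cutover")
            log.warning("%s", note)
        return VerifyResult(ok, "legacy", note)

    return VerifyResult(False, "none")
```

Counting the legacy acceptances per sender is the telemetry the release mentions: when the count reaches zero for every integration, flipping the legacy branch to reject is a safe change.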
The biggest single security release we’ve shipped. We took the consolidated findings from a 24-area parallel security review (SR-001 through SR-024) and landed every accepted hardening in one coordinated change, then layered on rollout mitigations so existing deployments don’t get stranded by the new defaults. Self-hosters: read the deploy notes carefully — there are several new environment variables, and the migrations include a FORCE RLS step that requires every tenant table to be owned by the breeze role before deploy. The runbook is in PR #568.
The anti-abuse work is the other headline. After two paid signups on hosted cloud showed clear fraud signals — including one that rotated across 58 distinct proxy IPs in a few days — we shipped a proper platform-admin gate with suspend-for-abuse and unsuspend endpoints, plus the email verification flow that should have shipped on day one. The next time we see this pattern, removal is one POST instead of a hand-written SQL transaction, and unverified-but-paid signups now have to confirm their email before the tenant activates.
Everything is backwards compatible at the data layer. Existing MFA users, enrollment keys, encrypted secrets, and webhook integrations all keep working — the new defaults emit deprecation warnings instead of failing closed, with the strict cutover scheduled for the next release once telemetry confirms the warn-mode runs are clean.
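An added example (not the project's code) of the dual-decrypt read path that keeps existing encrypted secrets and MFA data working through the key split: every stored value carries a key-version tag, reads accept both the old session-signing key and the new dedicated secrets key, writes always use the new key, and a background pass rewraps legacy rows. The version tags, key names and on-disk layout are assumptions. To keep the block standard-library only, the cipher is a stand-in (HMAC-SHA256 keystream plus HMAC-SHA256 tag, separate derived subkeys for each); a real store would use an AEAD such as AES-GCM, and the migration logic is unchanged by that swap.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


# Stand-in authenticated cipher so this runs with the standard library only.
# Production code should use an AEAD (e.g. AES-GCM) in place of _seal/_open.
def _subkey(key: bytes, purpose: bytes) -> bytes:
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class SecretStore:
    """Each stored value carries a key-version tag: "v1:" rows were sealed under the
    session signing key (pre-upgrade), "v2:" rows under the dedicated secrets key."""

    def __init__(self, secrets_key: bytes, session_signing_key: bytes) -> None:
        self.keys = {"v2": secrets_key, "v1": session_signing_key}
        self.write_version = "v2"   # new writes never use the session key again

    def encrypt(self, plaintext: bytes) -> str:
        blob = _seal(self.keys[self.write_version], plaintext)
        return f"{self.write_version}:" + base64.b64encode(blob).decode()

    def decrypt(self, stored: str) -> Tuple[bytes, bool]:
        """Dual-decrypt read path. Returns (plaintext, needs_rewrap)."""
        version, _, b64 = stored.partition(":")
        if version not in self.keys:
            raise ValueError(f"unknown ciphertext version {version!r}")
        plaintext = _open(self.keys[version], base64.b64decode(b64))
        return plaintext, version != self.write_version

    def rewrap(self, stored: str) -> str:
        plaintext, _ = self.decrypt(stored)
        return self.encrypt(plaintext)


def legacy_encrypt(session_signing_key: bytes, plaintext: bytes) -> str:
    """Constructs a pre-upgrade row for the example (what the old code would have written)."""
    return "v1:" + base64.b64encode(_seal(session_signing_key, plaintext)).decode()


def migrate(store: SecretStore, rows: Dict[str, str]) -> int:
    """Background migration: rewrap every legacy row in place; returns how many were rewrapped."""
    count = 0
    for row_id, stored in list(rows.items()):
        _, needs_rewrap = store.decrypt(stored)
        if needs_rewrap:
            rows[row_id] = store.rewrap(stored)
            count += 1
    return count
```

The session signing key can only be retired once no "v1:" rows remain, which is the same telemetry-gated cutover the notes describe for the other warn-mode paths; a lazy rewrap on read (call rewrap whenever decrypt reports needs_rewrap) converges faster for active users without a separate job.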