Release v0.67.1
May 26, 2026
Launch-readiness security sprint plus the Windows MSI upgrade hotfix: tamper-evident audit logs, forced MFA for admins, account lockout, encrypted tenant settings, GDPR erasure and export, tightened OAuth and MCP behavior, and end-to-end Sentry observability; packaged with the binary fixes that close out the v0.67.x line.
Security & Compliance
- Tamper-evident audit trail. Audit records are now append-only at the database layer and chained together with cryptographic checksums, so a deleted or modified record is detectable. Failed writes retry instead of being silently dropped.
- Daily audit log retention. A scheduled job prunes audit records past your configured retention window under a dedicated database role, so retention runs without weakening the append-only guarantee.
- GDPR tenant erasure and export. New admin-only endpoints can export a full tenant snapshot or perform a cascading deletion across the platform's tenant-scoped tables. Both require MFA.
- Encrypted partner and site settings. Settings that previously stored secrets in plain text (SMTP credentials, webhook tokens, integration keys) are now encrypted at rest with per-column key binding.
- Multi-tenant isolation hardening. Dozens of previously-missed permission checks were closed across system tools, security routes, and other clusters. A new automated check catches future gaps before they ship.
- Cross-tenant probe protection. Agent tokens that repeatedly attempt to access devices outside their organization are auto-suspended and flagged for review.
- Per-source-IP agent rate limit and IP-change audit. Detects an agent token being used from a new network and logs the change with the old and new IPs.
- Audit-log entries that contain user-supplied strings are now sanitized so a crafted hostname or filename can't break the log viewer.
Authentication & MFA
- Forced MFA for partner administrators. Any account with administrator-level access must enroll MFA before continuing. Administrators are redirected into a guided enrollment flow on next login. Ops can flip this off via an environment variable if an enrollment outage needs immediate relief.
- Per-account lockout. After five consecutive failed password attempts the account locks for 15 minutes and the user gets a security-alert email. Per-IP rate limit also tightened from 30 to 10 attempts per five minutes. Lockout window and threshold are tunable via env.
- Login response timing is now equalized across denial branches (wrong password, no such user, locked account) so attackers can't enumerate valid emails by timing.
- JWT key rotation. Signing keys can now be rotated without invalidating in-flight sessions. New tokens carry a key identifier so verifiers can hold both old and new keys during a rotation window.
- Refresh-token family revocation. If a stolen refresh token is reused after the legitimate user has rotated theirs, the entire token family is invalidated and the user is forced to log in fresh.
- Stolen-credential containment. When a partner is suspended or a user is removed from an organization, their access tokens and OAuth grants are revoked immediately rather than waiting to expire.
- Password reset now works for partners whose accounts are pending email verification, so a forgotten password during signup doesn't create a stuck account.
- Suspend, provision, and account-impersonation routes for administrators now require MFA, and the admin provision route fails closed if any of its prerequisites are unmet.
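The per-account lockout and per-IP limit from the bullet above, written out as an added example with the release's own thresholds (five consecutive failures lock for 15 minutes; ten attempts per source IP per five minutes). This is not the project's code; the policy object, the injected clock and the method names are assumptions.

```javascript
// Added example (not the project's code): per-account lockout plus a per-IP
// sliding window, using the thresholds from the release notes. The policy shape
// and the injected clock are assumptions.
const LOGIN_POLICY = {
  lockThreshold: 5, lockMs: 15 * 60 * 1000, // per-account (env-tunable in the product)
  ipLimit: 10, ipWindowMs: 5 * 60 * 1000,    // per-source-IP
};

class LoginGuard {
  constructor(policy = LOGIN_POLICY, now = () => Date.now()) {
    this.p = policy; this.now = now;
    this.accounts = new Map(); // email -> { failures, lockedUntil }
    this.ips = new Map();      // ip -> timestamps of recent attempts
  }
  // Run before the password is checked. Whatever it returns, the caller should
  // still go through the same equalized-timing response path, so a locked
  // account or an unknown email is not distinguishable by latency.
  precheck(email, ip) {
    const t = this.now();
    const recent = (this.ips.get(ip) || []).filter(ts => t - ts < this.p.ipWindowMs);
    recent.push(t); this.ips.set(ip, recent);
    if (recent.length > this.p.ipLimit) return { allowed: false, reason: 'ip_rate_limited' };
    const acct = this.accounts.get(email);
    if (acct && acct.lockedUntil > t) return { allowed: false, reason: 'account_locked', until: acct.lockedUntil };
    return { allowed: true };
  }
  // Count a failed attempt (also for emails that do not exist, so the two cases
  // behave the same). Returns true when this failure triggered the lockout,
  // which is the moment to send the security-alert email.
  recordFailure(email) {
    const acct = this.accounts.get(email) || { failures: 0, lockedUntil: 0 };
    acct.failures += 1;
    let locked = false;
    if (acct.failures >= this.p.lockThreshold) {
      acct.lockedUntil = this.now() + this.p.lockMs; acct.failures = 0; locked = true;
    }
    this.accounts.set(email, acct);
    return locked;
  }
  // A successful login ends the consecutive-failure streak.
  recordSuccess(email) { this.accounts.delete(email); }
}
```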
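The refresh-token family revocation and stolen-credential containment bullets above, as one added example that is not the project's code: a rotation consumes the presented token and mints its successor in the same family, presenting an already-consumed token revokes the whole family, and removing a user revokes every family they hold. The in-memory store and its field names are assumptions.

```javascript
// Added example (not the project's code): refresh-token families with reuse
// detection, and family revocation for stolen-credential containment.
// The in-memory store and its field names are assumptions.
const { randomBytes } = require('node:crypto');
class RefreshTokenStore {
  constructor() {
    this.tokens = new Map();   // tokenId -> { familyId, consumed }
    this.families = new Map(); // familyId -> { userId, revoked, reason }
  }
  // At login: start a fresh family for this user and hand out its first token.
  issue(userId) {
    const familyId = randomBytes(8).toString('hex');
    this.families.set(familyId, { userId, revoked: false, reason: null });
    return this.mint(familyId);
  }
  mint(familyId) {
    const tokenId = randomBytes(16).toString('hex');
    this.tokens.set(tokenId, { familyId, consumed: false });
    return tokenId;
  }
  // On refresh: consume the presented token and return its successor, or deny.
  rotate(tokenId) {
    const tok = this.tokens.get(tokenId);
    if (!tok) return { ok: false, reason: 'unknown token' };
    const fam = this.families.get(tok.familyId);
    if (fam.revoked) return { ok: false, reason: 'family revoked: ' + fam.reason };
    if (tok.consumed) {
      // A token that was already rotated away is being presented again: either
      // the user or someone holding a stolen copy has a stale token. Nobody in
      // this family keeps a session; the user must log in fresh.
      this.revokeFamily(tok.familyId, 'refresh token reuse');
      return { ok: false, reason: 'reuse detected; family revoked' };
    }
    tok.consumed = true;
    return { ok: true, token: this.mint(tok.familyId) };
  }
  revokeFamily(familyId, reason) {
    const fam = this.families.get(familyId);
    fam.revoked = true; fam.reason = reason;
  }
  // Containment: when a user is removed or a partner suspended, revoke every
  // family the user holds immediately instead of waiting for expiry.
  revokeUser(userId, reason) {
    let n = 0;
    for (const [id, fam] of this.families)
      if (fam.userId === userId && !fam.revoked) { this.revokeFamily(id, reason); n++; }
    return n;
  }
}
```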
Integrations & APIs
- MCP session integrity. The server now mints session identifiers itself and binds them to the calling user, so a client can't claim or share another user's session.
- AI tool guardrails. Screenshot and screen-analysis tools were promoted to the highest privilege tier and require an explicit allowlist entry to use, so a granted general AI scope no longer implicitly authorizes them.
- OAuth client registration. Dynamic client registration is now off by default in every environment, and when enabled in production it requires an initial access token. This closes a public-facing client-spam vector while still supporting controlled client onboarding.
- OAuth bearer tokens are now strict on tenant status. Tokens stop working immediately when a partner is suspended, churned, or pending, rather than waiting for natural expiration.
- MCP scope cleanup. A legacy compatibility shim that auto-expanded one OAuth scope into another was removed (the deprecation window closed on May 15). MCP clients should request the explicit `ai:execute` scope.
- Outbound integration requests (DNS providers, SentinelOne, and similar third-party APIs) are checked against an SSRF allowlist so a misconfigured or malicious URL can't be coaxed into hitting internal infrastructure.
Reliability & Operations
- Sentry observability. Errors from the web dashboard and the agent now report to Sentry with sensitive data scrubbed automatically. The agent wraps critical background routines with crash recovery so a single fault no longer takes down monitoring.
- Boot-time configuration validation. The API now refuses to boot with a clear error when it finds misconfigured proxy headers, a missing release-manifest signing key, or other missing production secrets, instead of starting in a partially-broken state. This makes deployment failures loud and fixable.
- Signed agent updates are mandatory. The release manifest signing key is now required regardless of how the binary is sourced, so a downgrade attack can't slip in via a misconfigured update channel.
- Operational kill-switches. MFA enforcement and account lockout both have environment-variable kill-switches so an incident can be relieved without a code deploy.
- WebSocket session hardening. Remote-access tickets are now single-use and bound to the issuing IP and browser, with auditable rejection reasons on mismatch.
- Authenticated Redis is now required in production deployments: the API refuses to boot without a Redis password in `NODE_ENV=production`. Self-hosters who run an unauthenticated Redis instance accessible only on `localhost` should add a password before upgrading.
- API and web Docker images now pin to Node 24 LTS.
- Installer signing rate cap. Each one-time install code is rate-limited to prevent abuse of leaked codes.
Windows MSI & Agent
- Windows MSI upgrades reliably replace the agent binary. v0.67.0 shipped Windows binaries with no embedded version metadata, which caused the MSI to silently refuse to overwrite an existing `breeze-agent.exe` on upgrade or reinstall in many real-world scenarios. The agent would log v0.67.0 in its own output, but the file on disk could still be the older version. v0.67.1 embeds the correct VersionInfo into all four Windows executables and broadens the installer's process-kill step so the file is always replaceable. **Self-hosters running v0.67.0 should upgrade to v0.67.1 to ensure their next agent upgrade actually applies.**
- Windows service auto-restart on crash. If the BreezeAgent service stops unexpectedly, Windows now restarts it at 5 seconds, then 10 seconds, then 30 seconds, with a 24-hour reset window. This pairs with the watchdog auto-restart that shipped in v0.67.0: the watchdog handles wedged-but-running processes, while Windows service recovery handles outright crashes. Earlier MSIs shipped without these recovery actions configured.
- The Windows agent now also supervises the watchdog process from inside itself, so the two services keep each other alive instead of relying on a single direction of monitoring.
- On Domain Controllers where the standard Windows management-detection tool fails, the agent now falls back to a registry-based check and reports the device's management state correctly.
Devices & Enrollment
- Sidebar version-staleness indicator. The version pill in the sidebar turns red when your API is behind the latest published release and green when it's current.
- Admin endpoint to pre-create device rows ahead of enrollment, paired with a new cross-organization device-move endpoint. Both come with a full dual-axis audit trail.
- Re-enrolling a previously-decommissioned device now mints a fresh device ID and renames the old row out of the way in a single transaction, so audit history on the prior row is preserved and the slot is free to use again.
- Enrollment-key creation rejects unknown fields. Typos like `maxUsage` instead of `maxUses` now fail loudly with a 400 instead of silently being ignored and the defaults being used.
- Enrollment keys are no longer burned on failed enrollments. Hostname collisions and device-limit errors used to consume one of the key's uses; now the usage count is only incremented on success.
- DNS Security web UI scaffold (new sidebar entry and dedicated page) is live ahead of full provider configuration UI in subsequent releases.
Upgrade note for self-hosters on v0.67.0: please upgrade to v0.67.1 so that subsequent Windows agent MSI upgrades reliably replace the agent binary. v0.67.0 shipped Windows binaries without embedded VersionInfo, which caused the MSI’s “preserve user-modified files” rule to silently skip the upgrade in many cases. v0.67.1 fixes the version metadata and the installer’s kill-processes step.
v0.67.1 is the largest release in the v0.67.x line. It packages two distinct bodies of work into a single tag: the launch-readiness security sprint that had been tracking as “v0.68.0” internally, and the Windows MSI upgrade hotfix that closes out v0.67.0’s binary-versioning regression. We rolled them together so self-hosters who upgrade from v0.67.0 pick up both the binary fix and the security hardening in one step, rather than chasing two consecutive deploys.
For administrators and end users, the most visible changes are forced MFA enrollment for partner administrators, a new account-lockout policy after five failed logins, and a sidebar indicator that turns red when your dashboard is behind the latest release. Both MFA enforcement and account lockout have environment-variable kill-switches so an enrollment outage or a runaway lockout pattern can be relieved without redeploying. Tenant settings that previously held secrets in plain text are now encrypted, and we added GDPR-grade tenant export and erasure endpoints for compliance requests.
For integrators, MCP and OAuth clients see tightened session and scope handling: server-minted session identifiers bound to the calling user, default-off dynamic client registration, and an explicit allowlist for high-privilege AI tools (screenshot, screen analysis). A long-deprecated MCP scope shim that auto-expanded one scope into another was removed; clients that relied on it must now request the explicit `ai:execute` scope. OAuth bearer tokens also stop working immediately when a partner is suspended or churned, rather than waiting for natural expiration.
For operators, deployments now fail fast on a set of common misconfigurations (missing release-manifest signing keys, mis-set proxy headers, unauthenticated Redis in production) instead of starting in a broken state. The dashboard and agent both report errors to Sentry with automatic redaction, and critical background routines in the agent are wrapped with crash recovery so monitoring keeps running through transient faults. Audit logs are now append-only at the database layer with a per-tenant cryptographic checksum chain, and a scheduled retention job prunes old records under a dedicated database role without weakening the immutability guarantee.
The Windows MSI fix is the reason this is also a hotfix-grade release. v0.67.0’s Windows binaries shipped with no embedded VersionInfo, which caused Windows Installer’s “preserve user-modified files” heuristic to silently skip the upgrade in many real-world scenarios. The installer reported success while the binary on disk stayed at the older version. v0.67.1 embeds the correct VersionInfo into all four Windows executables, broadens the installer’s process-kill step so the file is always replaceable, and adds a version check to the release pipeline so we can’t ship the same regression again. It pairs with a new Windows service auto-restart policy: if the agent process crashes, Windows itself restarts it on an escalating schedule (5s, then 10s, then 30s). Combined with the watchdog auto-restart shipped in v0.67.0 (the watchdog handles a wedged-but-running process, Windows service recovery handles outright crashes), the two together form a complete self-healing loop on Windows.