Changelog

This page is the human-friendly, consolidated view of AKKO releases. For the exhaustive machine-readable history see CHANGELOG.md at the repository root.


Sprint 36 & 37 — 2026-04-16 (36 commits)

Tagline: AKKO is now repositioned as an AI-native sovereign data & AI platform.

No breaking changes — helm upgrade works in place, init jobs run automatically (akko-test-users-seed, akko-opa-sync).

Infrastructure & RBAC (10 commits)

  • NetworkPolicies on 23 sub-charts + namespace-scoped NPs for Bitnami (PostgreSQL, LLDAP/Keycloak, oauth2-proxy).
  • New podSelectorIn helper — 3 label variants (akko-X, X, Bitnami app).
  • OPA plural-group handling (akko-admins -> akko-admin) in column_masking, row_filter, aden_share.
  • Trino OPA policy now fed with preferred_username from Cockpit (email returned 403).
  • Destructive DDL (DropTable/Schema/View) restricted to admin.
  • Six /api/health/* 502s closed (Polaris, spark-master, akko-docs, Ollama, OPA for akko-init, oauth2-proxy).

AI stack & ADEN (7 commits)

  • ADEN authenticates OpenMetadata /api/v1/search via Keycloak service account — ends silent aden_catalog_degraded.
  • Trino error translator, catalog suggest, session history, banking-fraud seed.
  • Catalog fallback ranks business catalogs first, TPC benchmark whitelisted (tiny + sf1).
  • 10 hardcoding BLOCKERS externalized (hostnames, endpoints, model names).
  • New doc pages: Trino ai_* functions, RAG pipeline, MCP servers.

Cockpit UX (9 commits)

  • Stable service counter (up+down+off+not-deployed == total).
  • Distinct DOWN / NOT DEPLOYED / DISABLED states.
  • Monitoring page: numbered sections, English-only, category chip filter, metric legend, service grouping.
  • ADEN entry in Welcome panel; Documentation/Reports split.
  • Nuclear CSS lockdown for closed dialogs (palette, drawers, modals) — fixes 22+ Playwright tests.
  • Architecture page refreshed.

Documentation (7 commits)

  • Major reposition as AI-native platform — README, DEPLOYMENT (EN+FR), site.
  • 10-category docs reorganization + bilingual DEPLOYMENT.
  • MkDocs nav refresh, broken-link fix, banking-fraud page.
  • New governance page (high-level RBAC).
  • Enterprise federation doc (EN+FR).
  • Memorable alice123/bob123 test seeds documented across README, DEPLOYMENT, site.

Demos (2 commits)

  • Banking-fraud demo end-to-end (DAG, Superset dashboard, Grafana panel, setup.sh, seeds).
  • setup.sh runs end-to-end on Netcup live (idempotent, zero manual ops).

Tests (7 commits)

  • 4-dimension RBAC matrix (5 roles x 4 services x infra + data + AI).
  • Post-deploy framework + Playwright cockpit-render-validate.
  • Woodpecker CI pipeline post-deploy.
  • Notebook execution harness (papermill/nbconvert).
  • Stage 03 demos-verify (banking 5/5 PASS).
  • Smoke-pipelines: distroless-aware probes (LiteLLM/MLflow/OM/Polaris).
  • Integration pytest: env-var passwords + SSH kubectl probes.

Init & auth plumbing (3 commits)

  • Helm init job auto-provisions test-user passwords (LLDAP + Keycloak).
  • OPA sync init job (Keycloak users/groups/attributes -> OPA policies).
  • oauth2-proxy client emits realm roles as groups claim.

Known issues carried forward

ID         | Summary                                                        | Target
BUG A      | Column masking bypass for carol on jdbc.columns path           | Sprint 38 / 38A
BUG C      | ai_* functions bypass OPA; LiteLLM role-to-model RBAC missing  | Sprint 38 / 38B + 38J
BUG B/D/E  | Banking-fraud demo cosmetic issues (5)                         | Backlog

Full release notes: RELEASE_NOTES_SPRINT_36-37.md.


Sprint 27 / Netcup live hardening — 2026-04-16

See CHANGELOG.md — 20 commits b2ca821..dee8d13, 12 cascade ADEN bugs fixed, pipeline end-to-end green on Netcup, banking demo seeded, Tempo tracing active.

Highlights: NetworkPolicy label portability, OPA volume mounts, env prefix normalization (AKKO_*), LLM prompt rewrite, role picker priority, jdbc.columns batch fetch, share routes wired, dashboard_id unified, CSS modal lockdown, X-User-Id = preferred_username.


Earlier sprints

  • Sprint 26 — ADEN separable (akko_ai_search scalar + Caffeine LRU + JMX metrics).
  • Sprint 25 — ADEN sharing (HMAC-signed per-user shares).
  • Sprint 24 / 24.5 — ADEN prerequisites, natural-language to SQL to dashboard.
  • Sprint 23 — Hardening (SecurityContext, NP first pass).
  • Sprint 22 — Observability (Prometheus, Grafana, Loki, Tempo OTLP).
  • Sprint 21 — Demos framework.
  • Sprint 19 — Glue end-to-end.
  • Sprint 18 — RBAC end-to-end (LLDAP + Keycloak + OPA).

For a month-by-month log see akko-technical-map/changelog/ (private repo).