APX Labs Product Updates

App

What's Changed

Enhancements

• Regenerate SDKs, drop removed TestCase fields from detail view (#55)

Agent

What's Changed

Enhancements

• agent: Cipher-as-coordinator, batched verdicts, event-driven cache (#129)

Bug Fixes

• hotfix(agent): install findutils so JobCleaner's sudo script can run (#127)

Agent

What's Changed

Bug Fixes

• agent: log-level cleanup + root-privileged job cleanup + browser race fix (#126)

App

What's Changed

Bug Fixes

• fix(auth): Log Out now invalidates JWT server-side (#53)

Security

• fix(auth): Log Out now invalidates JWT server-side (#53)

What's Changed

New Features

• feat(soc2): self-service delete account, org deletion UI, global user search panel (#47)
• feat: add private network checkbox to scope editor (#38)

Enhancements

• Scope UI: reshape drawer around typed lists + honest discovery ETA (#50)
• feat: scope UI with domain discovery and seed protection (#49)
• feat: add extension-aware upload size limits (10 MB docs, 500 MB packages) (#37)

Bug Fixes

• auth: route agent 401s through centralized session-expired flow (#52)
• ws-stream: auto-reconnect, catch-up invalidate, dedup duplicates (#51)
• fix: add pull-requests:read permission for release notes (#48)
• fix(security): bump vite, tighten picomatch, add pnpm-lock CI gate (#45)
• fix: align vulnerability scan permissions to least privilege (#40)
• hotfix: fix private network checkbox UX and persistence bug (#39)

Security

• feat(soc2): self-service delete account, org deletion UI, global user search panel (#47)
• fix(security): tighten overrides + regenerate pnpm-lock.yaml with patched versions (#44)
• fix(security): pin vulnerable transitive npm deps via overrides (#43)
• Bump actions/setup-node from 4 to 6 (#35)
• Bump aws-actions/configure-aws-credentials from 4 to 6 (#34)
• Bump actions/checkout from 4 to 6 (#33)

Other Changes

• Add Dependabot config and vulnerability scan workflow (SOC2 CC7.1/CC6.8) (#32)
• Add release tagging and PR label enforcement (SOC2) (#31)
• feat(ui): improve activity sidebar and knowledge graph (#30)
• fix(ui): expandable activity messages and task list padding (#29)
• fix(ui): task list padding and event title fallback (#28)
• fix(ui): add bottom padding to project list (#27)
• fix(test): update admin tests for Tooltip migration (#26)
• fix(ui): replace title attrs with Tooltip components (#25)
• fix: update admin service paths to /sysadmin (#24)
• feat(apx-app): SYSTEM_ADMIN impersonation frontend (#23)
• fix: resolve CVE-2026-32141 (flatted) (#22)
• feat: add SYSTEM_NOTIFICATION support in activity panel (#21)
• Sort icons always visible + assumption timestamps (#20)
• Remove unused agentService import (#19)

Platform

What's Changed

New Features

• feat(soc2): GDPR right-to-erasure cascading deletion pipeline (#91)
• feat: add private network flag to skip URL reachability validation (#78)

Enhancements

• feat: enforce per-type document upload size limits (10 MB docs, 500 MB packages) (#77)

Bug Fixes

• agent: treat 503 as dependency outage, not agent death (#112)
• fix: add process watchdog timer for TargetDiscoveryService (#111)
• fix: resolve SSE timeout race condition in target discovery (#109)
• fix: add pull-requests:read permission for release notes (#97)
• fix: align vulnerability scan permissions to least privilege (#84)
• hotfix: send privateNetwork in manifest, bump agent client, update docs (#83)
• hotfix: fix production crash reading existing projects (FAIL_ON_NULL_FOR_PRIMITIVES) (#81)
• hotfix: add private_network to bundled OpenAPI specs (fixes E2E) (#80)
• fix: private_network nullable:false to stop generated client sending null (#79)
• fix: scope agent Secrets Manager access to mailsac API key (#74)
• Fix test isolation: security test mutating V11 seed data (#63)

Security

• fix: add regex character guard to prevent shell injection in target discovery (#113)
• build(deps): bump com.google.api-client:google-api-client from 2.8.1 to 2.9.0 (#107)
• build(deps): bump org.apache.httpcomponents:httpmime from 4.5.13 to 4.5.14 (#106)
• build(deps): bump io.swagger.core.v3:swagger-annotations from 2.2.47 to 2.2.48 (#105)
• build(deps): bump org.openapitools:jackson-databind-nullable from 0.2.6 to 0.2.10 (#104)
• build(deps): bump software.amazon.awssdk:bom from 2.42.33 to 2.42.36 (#103)
• build(deps): bump io.swagger.core.v3:swagger-annotations from 2.2.46 to 2.2.47 (#102)
• build(deps): bump com.stripe:stripe-java from 31.3.0 to 32.0.0 (#101)
• build(deps): bump commons-logging:commons-logging from 1.2 to 1.3.6 (#100)
• build(deps): bump software.amazon.awssdk:bom from 2.42.28 to 2.42.33 (#99)
• build(deps): bump org.apache.maven.plugins:maven-surefire-plugin from 3.5.3 to 3.5.5 (#98)
• Align shedlock-provider-jdbc-template to 7.7.0 (#96)
• fix(soc2): replace scan-logs job with scan-ci-logs.yml wrapper (round 10) (#95)
• feat(soc2): add scan-logs job for CI/CD credential leak detection (#94)
• feat(soc2): GDPR right-to-erasure cascading deletion pipeline (#91)
• build(deps): bump org.apache.tika:tika-core from 3.2.3 to 3.3.0 (#89)
• build(deps): bump org.owasp.encoder:encoder from 1.3.1 to 1.4.0 (#88)
• build(deps): bump software.amazon.awssdk:bom from 2.31.33 to 2.42.28 (#87)
• build(deps): bump io.swagger.core.v3:swagger-annotations from 2.2.22 to 2.2.46 (#86)
• build(deps-dev): bump org.apache.maven.plugins:maven-compiler-plugin from 3.13.0 to 3.15.0 (#85)
• build(deps): bump net.javacrumbs.shedlock:shedlock-spring from 5.10.2 to 7.7.0 (#72)
• build(deps): bump org.apache.httpcomponents:httpclient from 4.5.13 to 4.5.14 (#71)
• build(deps-dev): bump org.java-websocket:Java-WebSocket from 1.5.7 to 1.6.0 (#70)
• build(deps-dev): bump org.apache.maven.plugins:maven-dependency-plugin from 3.6.1 to 3.10.0 (#69)
• build(deps): bump actions/setup-java from 4 to 5 (#68)
• build(deps): bump org.springframework.boot:spring-boot-starter-parent from 4.0.0 to 4.0.5 (#67)
• build(deps): bump actions/checkout from 4 to 6 (#66)
• build(deps): bump aws-actions/configure-aws-credentials from 4 to 6 (#65)

Other Changes

• agent: route all ECS orchestration through Managed Instances (#114)

Agent

What's Changed

New Features

• Network discovery: scan + Scout synthesis + VPN gateway fix (#110)
• Mobile discovery: decompile + extract + Scout synthesis (#109)
• feat: IP-level scope enforcement via ipset + iptables (#106)
• feat(playground): DNS allowlist filtering and sandbox execution (#90)
• feat: verify private-network target URLs after VPN connection (#73)
• feat: add web discovery agent with browser tools and configurable agent traits (#68)

Enhancements

• discovery orchestration: central scope service + API reshape (#112)
• Clean up Sonnet thinking config, tune per-agent levels (#111)
• feat: seed domain guard for scope (#108)
• feat: add target filter to test case query API (#107)
• feat: DNS-based scope enforcement with customer review flow (#104)
• feat: DNS allowlist service with host discovery and 3P filtering (#92)
• Stealth browser, 3P JS intel, browser data archival, and dev tooling (#89)
• Add untested surfaces to session completion output (#72)

Bug Fixes

• fix: sync VectorConfigTest to 200k maxInputTokens (#125)
• auth: 503 on Identity outage + sandbox sweep + evaluate_test_case slots (#123)
• discovery: copy polish + auto-assessment cache-invalidation fix (#121)
• fix: API validation codes + nmap scan reliability (#120)
• discovery: load missing config + unblock Phase-1 discovery & scope UI (#119)
• fix: add pull-requests:read permission for release notes (#97)
• fix(ux): suppress private-network URL reachability check at agent init (#88)
• fix(vpn): bake OpenSSL legacy config + cap TLS at 1.2 for old VPN servers (#83)
• fix(vpn): OpenSSL 3.5 legacy compat for old VPN servers (#79)
• fix(vpn): OpenSSL 3.5 legacy compat for old VPN servers (#78)
• fix(vpn): add legacy cipher support for OpenVPN compatibility (#77)
• fix: align vulnerability scan permissions to least privilege (#76)
• hotfix: add FAIL_ON_NULL_FOR_PRIMITIVES=false and private_network to agent spec (#75)
• Fix review findings from #69 (#70)

Security

• auth: 503 on Identity outage + sandbox sweep + evaluate_test_case slots (#123)
• chore(deps-dev): bump org.codehaus.mojo:flatten-maven-plugin from 1.6.0 to 1.7.3 (#117)
• chore(deps-dev): bump org.codehaus.mojo:build-helper-maven-plugin from 3.6.0 to 3.6.1 (#115)
• chore(deps): bump net.datafaker:datafaker from 2.5.3 to 2.5.4 (#114)
• chore(deps): bump com.google.guava:guava from 33.5.0-jre to 33.6.0-jre (#113)
• feat: IP-level scope enforcement via ipset + iptables (#106)
• chore(deps): bump org.apache.tika:tika-core from 3.2.3 to 3.3.0 (#103)
• chore(deps): bump io.swagger.core.v3:swagger-annotations from 2.2.45 to 2.2.47 (#100)
• chore(deps): bump actions/cache from 4 to 5 (#98)
• fix(soc2): replace scan-logs job with scan-ci-logs.yml wrapper (round 10) (#95)
• feat(soc2): add scan-logs job for CI/CD credential leak detection (#93)
• feat(playground): DNS allowlist filtering and sandbox execution (#90)
• chore(deps): bump de.sstoehr:har-reader from 4.0.0 to 4.0.2 (#87)
• chore(deps): bump io.swagger.parser.v3:swagger-parser from 2.1.35 to 2.1.39 (#86)
• fix(security): remediate ECR image scan CVE findings (#85)
• Bump software.amazon.awssdk:bom from 2.31.33 to 2.42.23 (#67)
• Bump actions/checkout from 4 to 6 (#63)
• Bump actions/setup-java from 4 to 5 (#64)
• Bump io.swagger.core.v3:swagger-annotations from 2.2.22 to 2.2.45 (#62)
• Bump ai.djl.onnxruntime:onnxruntime-engine from 0.35.0 to 0.36.0 (#61)
• chore(deps): bump dorny/paths-filter from 3 to 4 (#60)
• Bump alpine from 3.21 to 3.23 in /docker/apx-playground (#59)
• Bump aws-actions/configure-aws-credentials from 4 to 6 (#57)

Other Changes

• agent: separate sandbox UID (1001), shared /workspace group, UID-routed DNS filter (#124)
• ci: expand tilde in intel SHA check using $HOME (#122)