FeatureSignals

Changelog

Product updates, new features, and improvements.

Latest

Flag Engine & Toggle Categories

  • Dashboard renamed to Flag Engine — The management UI is now called the Flag Engine across all pages, docs, and navigation
  • Toggle Categories — Classify flags as release, experiment, ops, or permission with category-aware staleness thresholds (14d, 30d, 90d, 90d)
  • Flag Lifecycle Status — Track flags through active → rolled_out → deprecated → archived
  • Environment Comparison — Compare and bulk-sync flag states across environments
  • Entity Inspector — See exactly what a specific user experiences across all flags
  • Entity Comparison — Compare flag evaluations for two users side-by-side
  • Usage Insights — View value distribution percentages (true/false) per flag per environment
  • SOLID Architecture — Core engine refactored with interface-driven design, evaluation middleware chain, operator registry, and domain error hierarchy

API Security Hardening

  • Broken Object Level Authorization fix — API key revocation now verifies org ownership to prevent cross-tenant access
  • JWT token type enforcement — Refresh tokens can no longer be used as access tokens (issuer claim validation)
  • User data minimization — Login and register responses no longer expose sensitive fields like password hash or internal flags
  • API key expiration — Optional expires_in_days parameter on key creation; expired keys rejected at evaluation time
  • Rate limit headers: X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset on all rate-limited responses
  • Content-Type enforcement — POST/PUT/PATCH requests must use application/json (415 otherwise)
  • Content-Security-Policy header — Added default-src 'none'; frame-ancestors 'none' to all responses
  • SSRF protection — Webhook URLs block private IPs, localhost, and internal hostnames
  • Bulk evaluation limit: flag_keys array capped at 100 items
  • PII masking in logs — Emails, tokens, and phone numbers are masked in server logs
  • Security audit logging: api_key.created, api_key.revoked actions tracked in audit trail
  • JWT secret startup check — Server refuses to start with default secret in non-debug environments
  • Database SSL enforcement — Default connection string now requires sslmode=require
  • SSE CORS fix — Removed hardcoded Access-Control-Allow-Origin: * from SSE server
  • Request ID in errors — Error responses include request_id for correlation
  • Comprehensive test suite — 50+ new tests covering auth flows, middleware, org isolation, and security boundaries

Scale & Differentiation

  • A/B Experimentation — New ab flag type with weighted variants, consistent hashing assignment, and impression tracking API
  • Relay Proxy — Lightweight Go binary for edge caching with SSE or polling sync
  • Mutual Exclusion Groups — Prevent experiment interference with deterministic winner selection
  • Evaluation Metrics — In-memory counters, Flag Engine visualization with top-flags chart and reason breakdown
  • Eval Metrics page — Per-environment counts, reason distribution, top evaluated flags
  • Mutex group editor — Inline editor in flag detail with group member count
  • Stale Flag Scanner — CLI tool to find unused flag references in code, CI mode with exit code
  • Documentation Site — 35+ page Docusaurus site covering getting started, concepts, SDKs, API reference, and deployment

Enterprise Readiness

  • Python SDK — Client with polling/SSE, OpenFeature provider
  • Java SDK — Maven project with polling/SSE, OpenFeature provider, JUnit 5 tests
  • Approval Workflows — Request-review flow for production changes with automatic application
  • Webhook Dispatch — Background dispatcher with HMAC-SHA256 signatures, exponential retry, delivery logging
  • Flag Scheduling — Auto-enable/disable at specified times with 30-second granularity
  • Kill Switch — Emergency flag disable with one-click Flag Engine button
  • Flag Promotion — Copy flag configuration between environments
  • Flag Health — Health scores, stale flags, expiring flags, missing descriptions
  • Prerequisite Flags — Recursive dependency evaluation
  • RBAC — Owner/admin/developer/viewer roles with per-environment permissions
  • Audit Logging — Tamper-evident log with before/after state diffs
  • CI/CD Pipeline — GitHub Actions for all SDK tests, server tests, Flag Engine build, Docker build

Core Platform (MVP)

  • Evaluation Engine — Targeting rules, segments, percentage rollout with MurmurHash3
  • Management API — Full CRUD for projects, environments, flags, segments, API keys
  • SSE Streaming — Real-time flag updates via PostgreSQL LISTEN/NOTIFY
  • Go SDK — Polling, SSE, local eval, OpenFeature provider
  • Node.js SDK — Polling, SSE, local eval, OpenFeature provider
  • React SDK — Provider component, hooks (useFlag, useFlags, useReady, useError)
  • Flag Engine — Next.js with flag management, targeting editor, segments, environments
  • Docker Compose — One-command local development setup
