# Clearview changelog

This file is the **release-summary** changelog used by `build-and-push.sh` to determine the current version. The first heading must be the most recent release in the form `## vX.Y.Z — YYYY-MM-DD`.

For day-by-day development history see [`changelog-develop.md`](changelog-develop.md).

## v0.2.0 — 2026-05-28

### Added

- **Authentication** — session-based login (Argon2id, HttpOnly cookie, 8h sliding / 30d remember-me), first-run setup page, admin/user roles, user-management UI under Settings (CRUD + password reset), and an audit log. All API endpoints now require an authenticated session.
- **Mailbox permission scanning** — new `scan_type=mailbox` enumerates Exchange Online delegated access (Full Access, Send As, Send on Behalf, Calendar/Inbox folder delegations) via PowerShell + `ExchangeOnlineManagement`. Supports manual UPNs, CSV import, and "all mailboxes in tenant".
- **Entra Group scanning** — new `scan_type=entra_groups` enumerates Microsoft 365 / Azure AD group memberships (Members + Owners, with nested-group expansion). Manual IDs, CSV import, and "all groups in tenant".
- **SharePoint root-permissions mode** — `scan_type=sharepoint_root` inventories site-root role assignments without traversing libraries/folders/files; recursive expansion of SharePoint groups, AAD/M365 groups, and readable UPNs for directly-assigned users.
- **Resolve sharing links / groups** — post-scan actions to expand SharingLinks recipients and SharePoint/AAD group memberships into the deviation rows.
- **Connection preflight per target** with persisted last-probe status and a manual "Test" button.
- **Excel export** of Targets + Deviations sheets, with type-aware sheet names and columns.
- **Tenant `primary_domain` field**, expanded mailbox onboarding instructions, and English-only UI.
- **Sidebar layout** — fixed left sidebar with hash-based routing.

### Changed

- `main.py` split into per-route modules (`api_tenants`, `api_jobs`, `api_onboarding`) with shared helpers; behaviour-preserving.
- Scanner split into `scanners/` package (sharepoint, mailbox, entra).
- Token cache now has TTL + lock + MSAL app reuse; worker job claim is atomic (`SELECT … FOR UPDATE SKIP LOCKED`); all datetimes are timezone-aware UTC (`timestamptz` migration).
- Schema management moved from startup `create_all` to **Alembic migrations** (baseline + timestamptz + auth tables).
- Build number visible in the UI; build script reads version from `docs/changelog.md`.
- Dockerfile now installs PowerShell 7 + `ExchangeOnlineManagement` (~150 MB).

### Fixed

- SharePoint REST `$filter=HasUniqueRoleAssignments` (unsupported as OData filter) — now client-side.
- Dead CSS removed; accessibility focus styles strengthened; risk badge colours made distinct.

## v0.1.0 — 2026-04-13

### Added

- Initial Clearview release: SharePoint permission deviation scanning across multiple customer tenants.
- Tenant Profiles with certificate-based or client-secret authentication.
- Asynchronous scan job queue with per-target preflight probe and retry handling.
- Job Details panel with site filter, Excel export, and SharingLinks resolution.
- CSV import of Microsoft Sites export format.
- Two onboarding modes (automated via Graph platform app, or manual).