Changelog

Pre-launch build log. Every meaningful change to Noxen since the project started. Post-launch, each Sparkle release also appears here with the full release notes.

2026-04-14 — Phase 1 complete, feed live

• CVE feed ETL deployed to feed.noxen.app. Daily cron pulls NVD direct + OSV (Ubuntu, Debian) and emits a gzipped NDJSON snapshot.
• Manifest signed with Ed25519. Public key bundled in the macOS app via AppConstants.feedSigningPublicKeyBase64.
• Client FeedLoader + JSONLCVEMatcher wired end-to-end. First real match: CVE-2022-3602/3786 against Ubuntu 22.04 openssl 3.0.2.
• Worker hardened — path allowlist, cacheable 404s, dedicated REBUILD_TOKEN.
• Sparkle Ed25519 keypair generated; SUPublicEDKey wired into Info.plist.
• fastlane release lane added: build → notarise → zip → sign_update → prepend <item> to appcast.xml.

2026-04-14 — Phase 2 complete, full scan pipeline

• CipherSuiteScorer: TLS posture grading (SHA-1/MD5 signatures, small RSA, short EC, deprecated protocols, weak ciphers).
• HTTPHeaderProbe: OWASP Secure Headers checklist (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, banner disclosure).
• AdminSurfaceProbe: flag-only detection of phpMyAdmin, Grafana, Portainer, Kibana, Adminer, Traefik, Prometheus, unauth Redis/Mongo/Elasticsearch, .git/config, .env, directory listing.
• ScanEngine actor orchestrates all probes; ScanDiff computes diff-from-yesterday.
• SSHConfigParser + KeychainCredentialStore; onboarding wizard imports from ~/.ssh/config.
• PurchaseManager for StoreKit 2 (MAS stretch goal); SparkleUpdaterService for Developer ID direct.
• Multi-page PDF report via PDFKit — cover, per-host detail, remediation hints.
• CloudKit private-database wiring for host catalog + findings sync.

2026-04-14 — Phase 0 complete, green across four kill gates

• Test 1 (MAS competitor sweep): PASS — no Mac App Store hit clears the >100 reviews ∧ >3.5 stars ∧ meaningful overlap threshold. Pareto Security is the closest feature adjacency and is structurally off-MAS due to sandbox.
• Test 3 (1-evening prototype): PASS — full pipeline against a Vagrant Ubuntu 22.04 target in 0.11 s. 42% of Phase 0 LoC lifted from PingKitCore, validating the reuse claim.
• Test 4 (App Store Connect dry-run): PASS — ASC automated layer did not flag "vulnerability scanner" framing in any of 29 locales. Human App Review remains a separate concern; Developer ID direct is the re-validated primary channel.
• Test 7 (NVD reliability): PASS — 4% failure rate (all clustered in a 30 s TLS blip) against the anonymous NVD API; well below the 30% kill threshold.
• Test 5 (pre-launch signup infra): landing-page and payment scaffolding built; public launch deferred pending payment integration.

2026-04-14 — Scaffold complete, project renamed

• Project renamed from ScanDeck to Noxen after availability sweep.
• PingKit audit (docs/PINGKIT_AUDIT.md) written.
• All build targets (Noxen.app, NoxenAgent, NoxeniOS) compile end-to-end.
• Fastlane scaffolded. App Store Connect API key reused from PingKit.
• Three App IDs registered via Spaceship ConnectAPI; iCloud container + App Group created; provisioning working via -allowProvisioningUpdates.