Changelog

All Gateway Chat Portal Desktop Spec Trust
2026-07-08
Gateway

The gateway is now a pure blind token relay

Now that tokenisation runs on the customer side across every way of using CloakAPI, the gateway no longer does any content processing of its own — it is a literal blind byte relay. It cannot see raw PII, because personal data is tokenised on your device before the request ever reaches us.

  • Removed the server-side detectors, the Presidio pass, and the residual-scan 422 enforcer from the gateway: it no longer inspects, detects, or tokenises content on our servers.
  • The gateway forwards only what your device sends, signs the receipt, and meters token counts — never content. Billing reads provider-returned usage, not your prompts.
  • To tokenise with a plain SDK, point it at the local proxy (Quickstart Option C) so tokenisation stays on your own machine — the gateway blind-relays whatever it receives.
2026-07-05
Chat

CloakAPI Chat — a private front door you can try without signing up

A client-side chat is now the easiest way to try CloakAPI: open it, type, and personal data is tokenised in your browser before anything is sent. Streaming replies, no account required to start.

  • Try free, no signup — an anonymous demo pool is available immediately, protected by per-IP and global daily caps so it stays up for everyone.
  • Names, emails, and IDs are tokenised on your device before the request leaves the browser; the gateway is a blind token relay that forwards only those tokens and never sees your data in the clear.
  • Streaming responses, token by token.
  • Register to claim $2 in credit and lift the demo caps.
2026-07-05
Release

Local proxy, browser extension, and Complete-local desktop

Three ways to keep tokenisation on your own machine — so only tokens ever leave it (and in the desktop app's Complete-local mode, nothing leaves at all). The homepage now lays out the three ways to use CloakAPI side by side.

  • Local proxy (drop-in): point your OpenAI- or Anthropic-compatible SDK at a localhost port and PII is tokenised on your machine by the native Rust engine — only tokens leave. Default port 8799, configurable via CLOAK_PROXY_LISTEN.
  • Local proxy ships as a Docker image and a Linux binary on the downloads page; macOS and Windows builds are coming soon via CI.
  • Browser extension: files you attach to claude.ai (pdf / docx / xlsx) are extracted and tokenised entirely in your browser, so the file itself never reaches our gateway. Store listings are pending review; sideload builds are available now.
  • Desktop app adds a Complete-local mode — the model runs on your own hardware, so your prompt never leaves your machine — alongside the existing Gateway mode. Windows build refreshed; macOS and Linux via CI.
  • Homepage gains a first-class "Three ways to use CloakAPI" section: API (drop-in proxy / SDK), Chat (browser chat, with the desktop app as a power-up), and the browser extension.
2026-07-04
Gateway

Pre-tokenised passthrough, fail-closed backstop, and wider coverage

The gateway now trusts client-tokenised traffic end to end — issuing signed receipts and billing without ever tokenising or storing raw PII itself — while adding a fail-closed backstop for anything that still arrives with personal data in the clear.

  • Pre-tokenised passthrough: traffic already tokenised on your device gets a signed receipt and metered billing, with the gateway relaying only tokens.
  • Fail-closed backstop: if the gateway still detects raw PII in a sensitive category, it blocks the request rather than forwarding it, and monitor-alarms the rest — defence in depth.
  • International coverage hardened across roughly 20 markets — national IDs, tax and VAT IDs, IBAN, cards, and phone numbers are tokenised with the correct categories.
  • Honest privacy wording across the site: personal data is tokenised on your device; the gateway relays only tokens and blocks detected raw PII.
  • Fixed: the $2 signup trial credit is now reliably granted on email verification.
2026-05-04
Sweep

Launch readiness sweep — iter-14

Nine-wave audit run the day of open access. Every finding was fixed, dispatched, or gated behind a feature flag. Zero fake company names, zero fixture credentials, zero hardcoded numbers remain in user-visible code.

  • Receipt verifier shipped on signedreceipts.org — valid, tampered body, swapped signature, and expired-key cases all return the correct HTTP status + reason code.
  • 4 backend gaps closed: compliance-pack lifecycle, audit-log filter + CSV export, transparency-log toggle + auto-advance, privacy-tier preview / cancel / commit state machine.
  • IP allowlist enforcement on API keys — CIDR validation, per-request middleware, audit-log event on block.
  • Sanctum abilities + Spatie permissions on 63 mutation routes — read-only tokens correctly 403 on writes.
  • F1–F6 auth flow audit — invite-signup security holes patched: token consumption, email/token binding, expiry enforcement.
  • Concurrent dashboard sessions — 10-token retention window + 30-day stale-prune scheduled task.
  • SES outbound mail in production — Stockholm region; DMARC alignment via custom MAIL FROM mail.cloakapi.io.
  • Stripe live keys + webhook endpoint with HMAC signature verification.
  • Trust portal: CAIQ-lite, SLA, BCP, and insurance-status pages published.
  • BAA template + HIPAA structural non-BA primer published.
  • Threat model, key-rotation policy, transparency-log spec, detection-coverage doc, and reproducibility roadmap published at docs.cloakapi.io/security/threat-model/.
  • OpenReceipt + cloakapi-cli reference implementations — Python + JS verifiers, conformance suite, Apache-2.0 licensed.
  • Chrome + Firefox extension builds complete (v0.1.0); store submission (Chrome Web Store / Mozilla AMO) is pending, so install today from the downloads page (signed build) — store install links land there once each listing is approved. Linux desktop binary (AppImage + .deb) is in progress; targeting iter-15.
  • Mobile-responsive portal shell — sidebar collapses below 768 px with hamburger toggle.
  • 30+ admin and portal surfaces stripped of fixture data; empty states show graceful copy.
  • Fake compliance-auditor claims removed from /trust — now honest "not yet engaged".
2026-05-03
Sweep

Pre-launch sweep — iter-13

Wave-5 walkthrough preparation: role-based test accounts seeded and two auth regressions fixed ahead of the iter-14 launch-readiness run.

  • 11 role-based test accounts seeded (admin, owner, billing, developer, read-only, partner-L1/L2, API-only, SSO-only, auditor, org-member).
  • Admin gate fixed — user.roles array threaded through shapeUser(); admin layout now reads it correctly.
  • Login race condition fixed — await invalidateAll() before goto('/dashboard') prevents stale-data layout bounce.
2026-05-02
Release

Production deployment — Hetzner CX43, Nuremberg

All seven public subdomains go live on dedicated bare-metal in Nuremberg. SES SMTP, Cloudflare DNS, and TLS certs provisioned in a single pass.

  • Initial deployment of gateway, portal, docs, signedreceipts.org, status, demo, and marketing-site containers.
  • SES SMTP wired — Stockholm region, custom MAIL FROM, SPF + DKIM + DMARC aligned.
  • Cloudflare DNS configured for the full cloakapi.io zone.
  • TLS certificates issued for all subdomains via Let's Encrypt.
2026-04-29
Release
Trust

DPA, sub-processor list, and trust portal first cut

trust.cloakapi.io ships the full GDPR Article 28 DPA template, a 21-row sub-processor list with change-notification subscription, and the live per-tenant transparency-log toggle (opt-in / opt-out in settings).

2026-04-25
Release
Portal

Onboarding wizard + privacy posture model

Six-step onboarding wizard shipped with provider validation and API-key generation at the final step. Privacy posture model (Max / Balanced / Continuity / No Tokenization) lands as the first configurable privacy tier in the portal.

Stay current: RSS feed ↗ · JSON feed ↗ ·