Changelog

April 28, 2026

Shipped

Recency-weighted tier calculation -- events count 0.5x toward tier for the first 7 days after MIR receives them; full weight thereafter. This closes a path where a batch of backdated events could instantly satisfy tier thresholds. Steady-state event flow is unaffected -- in normal operation, almost all events count at full weight. The policy/evaluate debug response now includes effectiveEventCount and effectivePartnerEventCount alongside the raw counts, so the recency weighting is directly inspectable.
EU compliance documentation pack -- new pages at /dpa (Data Processing Addendum, GDPR Article 28 with SCC Module 2/3 incorporated by reference), /sub-processors (current sub-processor list with change-notification commitment), and /incident-response (severity classification, 24h/72h/30d notification timelines, GDPR/DORA/NIS2 cooperation framework). Linked from the LEGAL footer block on both .com and .org.

Improved

Integration-guide actor-vocabulary clarifier -- the integration guide now spells out the difference between event-level actorType (HUMAN | AGENT | UNKNOWN, uppercase) and policy-level actor.type (human | service, lowercase). The enterprise API doc now shows a copy-pasteable request body for /policy/evaluate, with the canonical actor shape inline. Fewer first-call 400s for new integrators.
AI-citation discoverability -- robots.txt now serves dynamically per domain with the correct sitemap URL, and explicitly permits ClaudeBot, GPTBot, PerplexityBot, Google-Extended, and Applebot-Extended on public pages. Disallow rules for auth and API endpoints unchanged.
Social-share preview alignment -- og:image meta tags now match the request's host on both .com and .org, so previews on LinkedIn / X / Slack load images from the same domain as the URL being shared. Completes the pair with the earlier og:url alignment.

April 22, 2026

Shipped

Enterprise API documentation split -- .com/api now serves enterprise-specific docs covering policy/evaluate, claims, and org-managed linking. .org/api retains the marketplace API with resolve and user-initiated linking. Partners land on the docs that match the product they're actually using.
Email verification for all intra-org signups -- both free tier and paid intra-org signups now require email verification via a 30-minute token. Free tier activates on verification. Paid intra-org enters its 14-day trial on verification.

Improved

Rate limit headers on every response -- bulk event, bulk resolve, bulk policy evaluate, and agent-scoped endpoints now return RateLimit-Limit, RateLimit-Remaining, and RateLimit-Reset headers on every response, plus Retry-After on 429s. Matches the format already used by the standard API limiters. Clients can now implement smart backoff instead of guessing.
Architecture diagram -- inverted-triangle stack diagram showing MIR's position as the evidence layer, added to /why-mir and the enterprise home page alongside the existing FlowSignal diagram.

April 19, 2026

Shipped

Tier dormancy decay -- non-human entities (AI agents, service accounts) with no events for 90+ days drop one tier. 180+ days drops to tier 0. Human entities are exempt. Computed at query time, resets immediately when new events are submitted.
Free tier -- track up to 5 entities with full API access. No credit card, no expiry. All history carries forward on upgrade.
Early adopter pricing -- first 10 intra-org customers get 50% off for one year. Subscribe page shows spots remaining and auto-ends when all spots are taken.

Improved

Dormancy decay is actor-type aware -- only service accounts and AI agents experience tier decay for inactivity. Human entities retain their earned tier regardless of activity gaps.
Enterprise dashboard network count -- participating orgs count now excludes free tier partners for accurate network representation.

April 18, 2026

Shipped

Tier dormancy decay -- entities with no events for 90+ days drop one tier. 180+ days of inactivity drops to tier 0. Computed at query time, no background job. Resets immediately when new events are submitted. Sandbox exempt.
Early adopter pricing -- first 10 intra-org customers get 50% off for one year ($5/entity/month or $50/entity/year). Auto-tracked via partner flag. Subscribe page shows spots remaining and updates dynamically when all spots are taken.
Why MIR page -- new page at /why-mir with visual comparison table, decision flow cards showing ALLOW vs STEP_UP outcomes, and use case grid. Linked from both footers.
Contractor storyboard blog post -- "Same Credentials, Different Outcome" at /blog/same-credentials-different-outcome. Side-by-side timelines: $200K lost in 3 weeks vs $0 lost in 16 minutes.
Monthly billing for intra-org -- $10/entity/month alongside $100/entity/year. New billing interval field on partner model. Entity metering job computes monthly rate.
Self-service intra-org checkout -- subscribe page at /intra-org/subscribe with Stripe checkout, monthly/annual toggle, and 14-day free trial.
Intra-org auto-approve -- intra-org applications are activated immediately with a 14-day trial. No manual admin approval required.
SDK v2.0.0 -- added Policy API and Claims API modules. Updated types to current architecture (numeric tiers, intra-org tier, claim status). Available as authenticated download from the enterprise dashboard.
Integration guide code samples -- complete end-to-end example in Node.js, Python, PHP, Go, and .NET showing the full loop: build history, evaluate policy, submit claim, re-evaluate.
Security.txt -- /.well-known/security.txt added per RFC 9116 for responsible vulnerability disclosure.

Improved

Enterprise dashboard -- participating orgs count and total entities cards added to overview stats. Intra-org partners see an upgrade nudge with current network size.
Usage analytics fixed -- switched from drifting Redis counters to authoritative database counts. Labels clarified to "Events (Last Hour)" and "Events (Last 24h)".
SLA credits push to Stripe -- credits now automatically applied to Stripe customer balance. SLA page updated: "Credits are calculated automatically. No request required."
Intra-org page rewritten -- headline changed to "Intra-Org Today. Cross-Platform Tomorrow." Expanded to 5 use cases. Added "How Value Builds Over Time" timeline. Pricing shows both monthly and annual options.

April 14, 2026

Shipped

Intra-org subscription mode -- organizations can now use MIR for their own internal entity tracking without waiting for the cross-platform network. Entities build tiers based on event volume and history age alone, no partner diversity required. $100/entity/year with a clear upgrade path to cross-platform. New landing page at /intra-org.
Sandbox interactive forms -- submit events, evaluate policy, and submit claims directly from the sandbox page using dropdown forms. No login required. Public sandbox key (mir_sandbox_public_2026) enables zero-friction exploration.
Claims in policy responses -- every policy evaluation now includes claimStatus with active claim count and risk level (clean, flagged, contested).
Claims in sandbox feed -- the live feed now shows both events and claims, with claims displayed in red. Submit a claim from the form and see it appear in the feed immediately.
Network stats on enterprise dashboard -- the dashboard overview now displays the number of participating organizations in the MIR network. Intra-org partners see an upgrade nudge with the current network size.
Sandbox cross-partner demo -- when two sandbox partners submit events for the same userExternalId, the second partner auto-links to the existing user. This enables demonstrating cross-partner history without manual account linking.
Magic link security hardening -- device fingerprint binding, login nonce cookies, and specific event types for fingerprint denial and browser mismatch. Blog post: "Magic Links Don't Have to Be Only as Secure as Email."
AI crawler manifest -- /llms.txt provides structured site information for AI crawlers.
Architecture diagram in API docs -- "Where MIR Sits in the Stack" section with diagram by Graham Brimage (FlowSignal), showing MIR as the evidence layer alongside the authority layer.

Improved

Sandbox bypasses cache -- policy evaluations in sandbox mode now return live signals instead of cached results, so changes are visible immediately after submitting events.
Enterprise footer reorganized -- four balanced columns (Product, Enterprise, Resources, Legal) with intra-org and sandbox links added.
Entity metering for intra-org billing -- hourly job now counts distinct users with events for intra-org partners and updates billing counts.
Admin paths and emails moved to environment variables -- admin route paths and notification emails are no longer hardcoded in source.
Build script reordered -- prisma generate now runs before tsc, fixing 21 accumulated TypeScript errors.
Morgan log filtering -- static assets, i18n requests, and sandbox polling excluded from access logs.
CSP and CORS updates -- mir.events added to connect-src, session header added to CORS allowed headers.

April 6, 2026

Shipped

Agent genealogy in docs -- enterprise guide now documents the full agent API: create, list, update, key rotation, suspend, revoke, plus the spawn lineage flow with human approval via approvedBy.
Audit API documentation -- query, summary, and export endpoints now fully documented with curl examples and response samples.
Events vs Actions section -- new comparison section in the integration guide explaining the difference between submitting events and evaluating actions.
Event submission examples -- new section with single event, build-history walkthrough, dynamic timestamps, agent key authentication, and zero-vs-built history comparison.
Complete event type and risk hint references -- exhaustive tables of all 50+ event types across 11 verticals and all 4 supported risk hints.
Integration patterns as tabs -- Kong, Node.js, Python, Go, PHP, and .NET examples consolidated into a tabbed interface.
Accordion navigation -- enterprise guide sections now collapse into an accordion for easier scanning.
Application status page -- partners can check their application status at /partners/status by entering their email.
SLA credit tracking -- monthly uptime is automatically calculated and credits are accrued per partner based on contract tiers (5%, 10%, 25%). Credits apply at the next annual billing cycle.
Shared header component -- 25 public pages now load nav from /js/header.js for consistent navigation across the site.
MIR-initiated policy denies -- policy engine now denies based on its own signals, not just partner-supplied risk hints: zero history on fail-closed actions, active claims, and quarantined events in the last 24 hours.
Welcome banner for new users -- first-time users landing on /account?welcome=1 now see a guided introduction to MIR.
Enterprise magic link branding -- magic links sent to enterprise contacts now display "MIR Enterprise" branding instead of generic "MIR".

Improved

Policy engine recommendations -- when an actor passes the tier check, the response now correctly returns allow with rate limits as metadata, instead of downgrading to limit.
Sandbox accounts are ACTIVE on creation -- sandbox events no longer create PENDING linked accounts, allowing immediate resolve/policy testing.
Resolve endpoint provisional response -- returns 202 provisional with explanation when events exist but the account isn't yet linked.
Unknown event type errors now return a clear 400 with INVALID_EVENT_TYPE code instead of a 500.
Unknown action errors now point to GET /v1/policy/actions for discovery.
Partner approval emails now link directly to the API key generation section of the dashboard.
Approval emails include rate limit reference and key concepts (events vs actions).
Audit log CSV export uses CRLF line endings and single-quoted values for spreadsheet compatibility.
Free email providers are now accepted on partner applications.
userExternalId minimum length lowered from 8 to 3 characters.
Magic link emails for enterprise users are sent from enterprise@ with enterprise-specific branding.

April 1, 2026

Shipped

Vertical event types -- added event types for gig economy, lending/fintech, and social/dating platforms. MIR now covers commerce, AI, gig, lending, and social verticals out of the box.
Policy engine: participation-optional mode -- partners can now configure hybrid enrollment where human actors are evaluated by policy but not blocked by tier requirements. Designed for organizations with mixed participation models.
Policy engine: sandbox-aware tier thresholds -- sandbox environments use relaxed tier thresholds so partners can test policy evaluation without needing multi-partner history or account age.
Sandbox daily caps -- sandbox API keys are now rate-limited to 5,000 events and 500 resolves per day to prevent abuse while keeping testing frictionless.
Graceful deploy: drain mode -- production nodes now support signal-based drain for zero-downtime rolling deploys.

Improved

Policy evaluate now accepts Time-Zone header -- responses include timestamps in the caller's timezone
Audit trail now includes continuity ID on event and claim records
Internationalization expanded to 19 languages across all public and gated pages

Fixed

Policy engine now resolves actors using partner slug consistently across events and policy evaluation
Sandbox events are no longer marked provisional -- allows immediate testing without account linking
SMTP transport security hardened

March 11, 2026

Shipped

AI platform event types -- five new event types for AI model providers, agent orchestration systems, and safety layer providers: mir.ai.query.executed, mir.ai.api.accessed, mir.ai.agent.spawned, mir.ai.safety.passed, mir.ai.safety.failed
Cross-system behavioral visibility for AI -- AI platforms can now submit API usage events to MIR, enabling cross-platform pattern detection that no single provider can see alone. Existing velocity limits automatically quarantine anomalous bursts.
Trust boundary classification -- AI query and API access events are classified as cross_system; safety check events are classified as privileged
MIR Capture integration -- MIR Capture now emits participation events to MIR on capture completion, assertion creation, and verification -- building history for content creators automatically
Sandbox improvements -- daily caps (5,000 events, 500 resolves), better error messages for validation failures, fixed feed anonymization and portable event counts

Improved

Updated Integration Guide with AI platform event type reference and usage guidance
Enterprise dashboard login detection -- homepage button changes to "View Dashboard" when already signed in

Fixed

Sandbox event type examples now use only valid MIR protocol types
Sandbox user ID examples updated to meet minimum length requirements

March 7, 2026

Shipped

Agent Genealogy — agents can now spawn child agents via POST /v1/agents/:id/spawn, with full lineage tracking. Every spawned agent records its parentAgentId, rootAgentId, and spawnDepth. MIR records the lineage — your enterprise decides what to do about it.
Lineage query — GET /v1/agents/:id/lineage returns the full ancestor chain from root orchestrator to self, plus direct children
Genealogy tree — GET /v1/agents/tree returns the full agent family tree for the enterprise, filterable by root agent
Lineage kill switch — POST /v1/agents/:id/revoke-descendants revokes an agent and all of its descendants in the spawn tree. API keys are nullified permanently.
Spawn guardrails — child agents can never escalate beyond parent permissions, rate limits, or event-type allowlists. Enterprise spawn policy controls max depth and optional human approval thresholds.

Design Philosophy

MIR is a record keeper, not a policy engine. We record what agents did — who spawned whom, what actions were taken, and how identities relate over time. Your enterprise decides what to do about it: automate policy evaluations, set alerts, or integrate with your existing security stack. MIR provides the continuity layer; you provide the judgement.

Week of March 2, 2026

March 2 - 8, 2026

Shipped

MIR self-events — MIR now records behavioral events about its own users (logins, registrations, passkey usage, session creation) through the same event pipeline that partners use, bootstrapping every user toward tier 1
Unified live event feed — the demo activity feed now shows both partner agent events and MIR platform events in real time with distinct badge types
New blog post: IAM? IGA? PAM? You Need MIR. — positioning MIR as the behavioral signal layer that identity tools are missing
Actor type attribution — events and claims now support an actorType field (HUMAN, AGENT, UNKNOWN) to distinguish human from autonomous agent activity
Enterprise referral program — partners can now refer other organizations and track referral status through a dedicated dashboard
Context Safety guide — engineering guidance for partners integrating AI agents with MIR's API, addressing context window compaction risks
Acceptable Use Policy — comprehensive policy covering data interpretation, agent accountability, actor type attestation, and network integrity
Published The Rogue Agent Problem — position paper on autonomous agent trust failure modes and why continuity must not become trust
Continuity Log — the live event feed now includes a filterable continuity log showing identity activity across the MIR network, with filters for identity type, activity category, and result status
Audit logging for authentication — all login flows (email/password, magic link, passkey) now write to the audit log for compliance visibility
Configurable data retention policies for partners with automated lifecycle management
Daily claim digest notifications for users with recent activity
Multi-node deployment — MIR now runs across multiple app nodes behind a load balancer for high availability and zero-downtime deploys
Socket.IO Redis adapter — real-time event broadcasts now fan out across all nodes via Redis pub/sub
Leader election — Redis-based lease system ensures background jobs (monitoring, uptime, key rotation, retention, claim digest) run on exactly one node at a time
Health endpoint — GET /health returns database and Redis connectivity status for load balancer probes
Containerized deployment — MIR now ships as a Docker image pushed to a private container registry, with automated rolling deploys via deploy-mir
One-command deploy script — builds, tests, pushes, runs migrations, and rolls nodes with health checks

Improved

Expanded health endpoint with subsystem status reporting
Improved consistency of tier assignment across policy endpoints
Referral attribution now surfaced in partner application notifications
Request logging now covers all routes (previously limited to page navigations only)
Server listen address is now configurable via HOST environment variable, enabling containerized deployments

Fixed

Blog router 404 fallback now correctly renders the styled error page instead of failing silently

Week of February 23, 2026

February 23 - March 1, 2026

Shipped

Domain split: enterprise services now live on myinternetreputation.com, marketplace and consumer features remain on myinternetreputation.org
Real-time activity feed for enterprise demos — live visualization of agent events as they happen, with resolve signal sidebar
Dual attribution for AI agents — events submitted by agents are now recorded against both the agent and the user, so each accumulates independent participation history
New event type: mir.agent.action.completed for tracking agent activity across partners
Socket.io event emission on the primary event ingestion endpoint — real-time listeners now fire for all event submissions

Improved

Agent LinkedAccount creation now uses atomic upsert to prevent race conditions under concurrent submissions

Week of February 9, 2026

February 9 - 15, 2026

Shipped

Media Assertions is now its own platform at mirassertions.org — dedicated infrastructure for cryptographic media provenance, separate from MIR's participation history services
Perceptual hash cross-referencing: when assertions are created, MIR automatically detects visually similar artifacts on different hashes and alerts admins
Visually similar artifacts section on the assertion lookup page — shows related artifacts with distance badges, collapsed by default
File upload lookup now returns related artifacts alongside exact matches
Perceptual hash backfill: uploading a file for lookup automatically populates perceptual hashes on older assertions that predate the feature
Disputes page explaining all three dispute mechanisms (event disputes, assertion disputes, issuer appeals) with scenarios, edge cases, and resolution lifecycle
Agent registration for enterprise partners — register AI agents and service accounts with scoped permissions, independent rate limits, and event-type allowlists
Enterprise partners can now enforce agent-only API access across their organization
New blog post: The Internet Learned How to Remember — Just Not Who Was There
Introduced dual branding: MIR is "MIR" for individuals, "Memory Infrastructure Registry" for enterprises
MIR Badge Overlay widget — embeddable script that displays a verification badge on images with MIR assertions, with auto-hashing and one-click verification links
Blog images now carry MIR assertion badges, verifying provenance via the badge overlay

Improved

Strengthened session security for user accounts
New sign-in notification emails when your account is accessed from an unfamiliar device or location
Alerts for unusual concurrent session activity
Passkey-based verification now required for sensitive account operations when passkeys are registered
Hardened SSO authentication: partner disabled status is now checked during SSO callback
Suspended user accounts are now blocked from SSO login
Disabling a partner immediately invalidates all active sessions for its members
Platform-reprocessed images (LinkedIn, Twitter, etc.) now match original assertions via perceptual hashing
Improved session stability during page loads
Issuer portal and browser signer now recognize existing user sessions — no separate login required if already signed in to MIR
Session key rotation now propagates correctly across all assertion endpoints, preventing "Session expired" errors during signing
Badge overlay intelligently wraps images only when needed, preserving layout on third-party sites
Rebranded "reputation" terminology to "participation history" across the platform, emails, and all 16 supported languages

Week of February 2, 2026

February 2 - 8, 2026

Shipped

Multi-device signing: issuers can register signing keys on multiple devices and sign assertions from any of them
Smooth new-device onboarding with inline registration form, auto-detected device name, and pre-filled email
File timestamps on assertions: the lookup page now shows when asserted media was created or last modified
Enterprise SSO add-on available mid-cycle or at next billing, with Stripe proration
Self-serve enterprise plan upgrades with mid-cycle proration
SSO included directly in Stripe checkout for both monthly and annual plans
"About MIR" page — plain-English explanation of what MIR does, linked from homepage and footer
Image and video thumbnails in the Browser Signer file list
Founder pricing: first 1,000 issuers get their rate locked forever
Issuer applications now auto-approve — payment replaces admin approval
Browser Signer for media assertions with biometric-protected keys
Issuer verification pathways: DNS domain verification
Auto-verification for issuers after 20 successful assertions
Stripe subscription billing for assertion issuers ($79/year individual)
Billing portal in Issuer Portal: subscribe, cancel, reactivate
Shortened enterprise SSO session lifetime with automatic idle timeout
Expanded abuse protections for authentication flows
Desktop-responsive layout for Browser Signer page
Paste-to-search on the assertions verification page
Badge overlay widget: lightweight MIR logo overlay for images with assertions

Improved

Large file hashing now streams in chunks — no more crashes on mobile for big videos
Hashing progress shows "Computing fingerprint locally..." with percentage and "never uploaded" note
Assertion errors now stay visible with prominent styling instead of disappearing after 1 second
Failed files remain in the file list after submission so you can see what went wrong
Error alerts last longer (8 seconds for errors) and include the actual failure reason

Fixed

Fixed mobile assertion failures caused by loading entire large files into memory for hashing
Fixed broken image thumbnails caused by Content Security Policy blocking blob: URLs
Fixed enterprise plan upgrades being blocked for accounts in trial status

Week of January 26, 2026

January 26 - February 1, 2026

Shipped

Account data export now available in both HTML and JSON formats
Invite-only provisioning for enterprise SSO

Improved

Strengthened SSO state validation and integrity protections
Enhanced audit logging for enterprise authentication
Improved redirect and callback validation in SSO flows

Week of January 19, 2026

January 19 - 25, 2026

Shipped

Added separate claims layer for partner-submitted assertions
New endpoint: POST /claims for submitting attributed assertions
Resolve endpoint now returns claims separately from history
Constitution v1.1: Added "What MIR Will Never Do" section with explicit anti-box commitments
Account linking documentation added to Integration Guide with Web and Mobile sections
Mobile app linking samples for Android (Kotlin/Jetpack Compose) and iOS (Swift/SwiftUI)
New page: "The Man Who Kept Starting Over" - a story about continuity and why the internet keeps forgetting

Week of January 12, 2026

January 12 - 18, 2026

Shipped

Blog index now groups posts by month with collapsible accordion sections
Partner logo resources available in multiple sizes (100px to 960px) in the Integration Guide
New blog posts: "Why Portable Reputation Stalled" and "Self-Sovereign Identity Proved Identity Isn't Enough"
Constitution page explaining MIR's governance principles
Enhanced partner login experience
This changelog page

Improved

Upgraded SSO provider SDK to latest version
Hardened authentication reliability
Improved submission integrity and platform resilience
Better participation history transparency in API responses

Fixed

Blog post dates now display correctly regardless of timezone
Resolved all dependency security advisories

Week of January 5, 2026

January 5 - 11, 2026

Shipped

Enterprise SSO support for partners
Webhook delivery system for real-time partner notifications
Bulk event submission API for high-volume partners
API versioning infrastructure
Usage analytics dashboard for partners
Audit log exports for compliance
New blog posts: "Continuity Is the Internet's Missing Primitive" and "How MIR Augments LifeLock"
Constraint page explaining MIR's operational boundaries

Improved

Enhanced rate limiting with partner-specific tiers
Better monitoring and alerting for API health
Uptime tracking and SLA reporting

Week of December 29, 2025

December 29, 2025 - January 4, 2026

Shipped

Blog launched with initial posts on trust, continuity, and reputation
Contact form for inquiries
Full internationalization (i18n) support across the platform
Policy evaluation system for partner-defined rules
Partner tier system with configurable rate limits
Shopify app customer linking flow

Improved

Account linking flow with better error handling
Email authentication with passwordless login option

Week of December 22, 2025

December 22 - 28, 2025

Shipped

Shopify integration with OAuth authentication
Account deletion workflow with data export
Request logging for debugging and audit trails
Initial partner onboarding flow

Notes

This marks the beginning of MIR's public changelog. Earlier development history is not included.