All notable changes to the STEAM Security Dashboard are documented in this file.
Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and this project uses [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
- **BU reassignment detail view** — click the "BU reassignment" count in the anomaly banner to see which specific findings moved and from/to which team
- **Atlas sync scoped to active teams** — Atlas sync now respects BU scope and defaults to managed BUs, preventing cache pollution from unrelated teams
- **Atlas known host distinction** — badge only renders for hosts Atlas actively tracks, suppressing noise from BUs not covered by Atlas (e.g., ACCESS-OPS)
- **Per-user Ivanti identity** — FP workflow views filtered by individual Ivanti first/last name for personalized queue
- **Searchable dropdowns for Granite Loader** — team, operation type, and status columns now use filterable select inputs
- **IPv6 fallback display** — findings without IPv4 show Qualys IPv6 (amber Q badge) or primary IPv6 (indigo v6 badge)
- **Remediate workflow type** — new workflow option in Ivanti Queue with remediation notes appended to Jira tickets
- **DECOM workflow type** — added to RedirectModal workflow options
- **View in CARD button** — added to tooltip and action modal for direct CARD web UI navigation
- **CARD asset-search by Host ID** — faster lookup path for enrichment operations
- **Non-metric category filters** on compliance page
- **Ivanti Findings Data Guide** — Knowledge Base article explaining common data patterns (missing CVEs, BU reassignment, Atlas badges, etc.)
- **Markdown table rendering** in Knowledge Base viewer (remark-gfm support)
- **In-app notifications** table and infrastructure
### Fixed
- **Drift checker re-classifying same findings every sync** — archived findings were never removed from ivanti_findings, causing ~500 false re-classifications per sync. Now properly cleaned up after archive detection
- **Atlas Coverage tab not responding to scope changes** — metrics and status endpoints now filter by active teams and re-fetch on scope switch
- **Knowledge Base content/download failing for relative file paths** — sendFile now resolves paths correctly
- **remark-gfm compatibility** — upgraded to v4 for react-markdown v10 (was causing blank KB viewer)
- **SearchableSelect** — only opens on focus, closes properly on blur/select
- **Clipboard copy on HTTP** — use execCommand fallback for non-secure contexts
- **Empty description in single-item Jira modal** on ReportingPage
- **CARD enrich for items without IP** — uses host_id lookup as fallback
- **update_token error handling** — shows CARD link for assets that can't be actioned via API
- **Decom workflow migration** — includes Remediate in state check constraint
### Changed
- Atlas sync defaults to `IVANTI_MANAGED_BUS` when no scope is specified instead of syncing all BUs
- BU change history API accepts `since` and `limit` query params for scoped queries
- Anomaly banner uses 60-minute lookback window to capture drift checker records
- Archive activity chart should now show near-zero on normal syncs (only genuinely new disappearances)
- **Group by Host toggle** on the Ivanti findings table — collapses duplicate assets (same hostname + IP) with multiple finding IDs into expandable host rows. Hosts with only one finding remain as flat rows. Toggle between grouped and flat views from the toolbar.
- **CARD ownership tooltip on IP hover** — hover over any IP address in the findings table to see CARD asset ownership data (confirmed/unconfirmed/candidate teams) in an interactive tooltip. Results cached per session for instant re-display.
- **CARD direct action modal** — click "Actions" in the CARD tooltip to open a full confirm/decline/redirect modal that works directly against the CARD API without needing a queue item.
- **Inline view panel** in the Archer Template Manager with per-section copy buttons
- **Queue item redirect in place** — pending queue items can now be redirected without duplicating
- **Archer Template Library** — new template management system for Archer Risk Acceptance forms. Store static content (Environment Overview, Segmentation, Mitigating Controls) organized by Vendor > Platform > Model. Full CRUD with clone, search/filter, and per-section copy-to-clipboard. Accessible from the nav drawer (Template Mgr) and integrated into the Ivanti Queue for Archer workflow items.
- **Estimated resolution date per metric** — the compliance asset sidebar now shows each noncompliant metric's estimated resolution date at the top of its section, in `YYYY-MM-DD` format, with placeholders for metrics that have no date set or an invalid date (closes #20)
- **CARD Action Modal** with full owner context
- **Granite Loader Sheet generator** with CARD enrichment, plus a Loader Sheet button on the Reporting page queue panel
- **Vendor-specific issue type dropdown** for Jira ticket creation, with all vendor project keys
- **LIVE and LAST REPORT badges** on the VCL compliance page
- **Collapsible sections** on the Ivanti Queue page and side panel
### Bug Fixes
- Fix remediation plan and resolution date missing from the compliance table; format `resolution_date` as `YYYY-MM-DD`
- Improve CARD action error messages and default loader columns
- Fix CARD production timeout by forcing IPv4 (`dns.setDefaultResultOrder('ipv4first')`)
- Add IP address validation to CARD confirm/decline/redirect actions
- Auto-resolve bare IP to CARD asset ID with suffix lookup
- Increase CARD API timeout from 15s to 30s
- Rewrite CARD enrich-batch to use the team assets endpoint for full data
- **PostgreSQL migration** — database engine switched from SQLite to PostgreSQL. Requires running `deploy-postgres.sh`, data migration, and `DATABASE_URL` env var. SQLite is no longer supported.
- **Multi-BU tenancy** — data is now scoped per business unit with per-user team assignments. Replaces the previous binary scope toggle.
