Stratoscope

Changelog

Platform updates, new features, and improvements to the Stratoscope governance engine.

Platform · Private Preview

Workspace isolation + multi-tenant architecture

Shipped a complete workspace isolation model with 11 enforced invariants. Each workspace maintains fully isolated credentials, discovery data, agent memory, and audit history. Multi-tenant MSP operations now supported with hard cross-workspace data boundaries at every layer.

Governance · Private Preview

Unified Operation Graph — all 10 phases

Complete overhaul of the plan execution runtime. Multi-step governance plans now run through a deterministic LangGraph with parallel discovery and verification fan-out across four WAF lenses (functional, cost, security, drift). Plan learning captures succeeded and failed patterns for future routing improvements.

Intelligence · Private Preview

Tenant health API + discovery data in agent context

Tenant health summaries (WAF scores, cost trends, permission changes, drift counts) are now pre-computed and injected into Scout's context before every conversation. The agent no longer needs to ask which tenant you're working on — it already knows the current posture.

Intelligence · Private Preview

Prompt drift detection and behavioral testing

Four-tier drift detection running nightly: static structural assertions, behavioral golden inputs with LLM judge scoring, SHA-256 hash pinning per domain, and a goal-completion feedback loop. Ensures specialist behavior stays accurate as the platform evolves.

Security · Private Preview

Least-privilege credential model

Service principals now registered with Reader-only scope for discovery. Elevated operations surface a specific HITL escalation request — the exact permission, scope, and operation — executed under delegated identity with immediate expiration. Permission intelligence layer parses AuthorizationFailed errors and proposes the minimal escalation path.

Routing · Private Preview

Scope-based tool ACLs + 184-case routing test suite

Every specialist tool is now registered in a risk registry with scope classification. Tools unavailable at the current scope are structurally absent from the agent — not filtered at runtime. Test suite expanded to 184 routing cases across all major domains, all passing.

Telemetry · Private Preview

Semantic telemetry event schema (CloudEvents 1.0)

All internal governance signals now emit structured CloudEvents with Stratoscope extension attributes. Discovery sweeps emit AZURE_RESOURCE_DRIFTED, AZURE_PERMISSION_CHANGED, and AZURE_COST_COLLECTED events. Watch rules fire WATCH_RULE_FIRED/RESOLVED/SILENCED events. Event-driven watch evaluation added alongside polling.

Memory · Private Preview

Memory → Knowledge lifecycle pipeline

Three-cadence memory curation: per-turn dedup and confidence stamping, compaction-time candidate marking, and nightly promotion to the knowledge graph. Promoted facts become persistent entity context in the knowledge graph, queryable by specialists across sessions.

Discovery · Private Preview

Tenant Discovery continuous model

First GA of continuous tenant sweep. Resources, permissions, cost signals, and WAF posture tracked sweep-by-sweep with diff detection. Tag changes, SKU changes, kind changes, and location drifts all surface as discrete events. Cost data uses FOCUS standard with period-over-period anomaly detection.

Platform · Private Preview

Private preview launched

Stratoscope enters private preview for Azure governance teams. Closed-loop governance: Discover → Assess → Remediate → Watch → Verify. Scout available for early access customers.