Releases: mizcausevic-dev/microsoft-graph-permission-scope-auditor

v1.0-prod

03 Jun 00:16

v1.0-prod release notes — Microsoft Graph Permission Scope Auditor

Hardening pass complete (2026-06-02)

Promoted from v0.1-shipped to v1.0-prod after squad-discipline pass — shipped + hardened same day.

What's verified

  • CI green on Node 20 + Node 22 matrix (npm run ci = lint + test)
  • 15 structure + data-integrity tests passing — 4 tabs, 4 stat tiles match data, 6 anomaly cards, 8 audit events, all 9 security headers, CSP no-frame-ancestors + no-object-src, AGPL-3.0 license, favicon CSP-safe, CNAME = scopes.kineticgain.com, exactly 1 inline script, zero external scripts
  • HTML5 validation clean (html-validate, zero errors)
  • Security headers verified at .htaccess (CSP / HSTS / XFO / XCTO / Referrer-Policy / COOP / CORP / COEP / Permissions-Policy)

What's in scope for this release

  • Single-page static HTML operator surface
  • 30 synthetic Microsoft Graph-consented apps (8 MS 1P + 10 ISV Tier 1 + 8 mid-market SaaS + 4 in-house custom)
  • 4-tab dashboard (Overview · Anomalies · Conditional Access coverage · Audit chain)
  • 6 anomaly detection patterns with regulatory anchors
  • 8-policy × 30-app Conditional Access coverage matrix
  • 8-event hash-chained audit-stream (ed25519-signable)
  • Apex-aligned visual language (onyx + cream + emerald, KG SVG mark)
  • AGPL-3.0 license

What's NOT in scope (deferred)

  • Screenshot fixtures — needs headless browser runtime
  • Live Microsoft Graph API ingestion (this is a buyer-facing demo surface, not a production tool)
  • Multi-tenant rendering beyond the canonical example
  • Per-tenant customization

Cross-portfolio surfacing

  • Live at https://scopes.kineticgain.com/ (pending hPanel CNAME + FTP secrets in repo Settings → Secrets)
  • Will be indexed in apex /constellation/ "Buyer-facing operator surfaces" lane (5 total: cert + jml + mt + pv + scopes)
  • Will be surfaced on mizcausevic-dev profile README under "Buyer-facing operator surfaces lane"
  • Will be included in AI Procurement Pulse universe quarterly crawl
  • Repo topics: kinetic-gain · operator-surface · static-html · audit-stream · entra · microsoft-graph · oauth-scopes · conditional-access · iam · security · v1.0-prod

Founder lever

IAM stack + Microsoft enterprise depth. Bridges three existing v1.0-prod surfaces:

  • entra-access-review-control-plane
  • conditional-access-posture-board
  • intune-device-compliance-ops

v0.1-shipped

03 Jun 00:13

v0.1-shipped — Microsoft Graph Permission Scope Auditor

What's in this release

5th surface in the Kinetic Gain buyer-facing operator-surface lane.

Operator dashboard

  • 30 synthetic Microsoft Graph-consented apps across MS 1P (8), ISV Tier 1 (10), mid-market SaaS (8), in-house custom (4)
  • 4-tab pattern: Overview · Anomalies · Conditional Access coverage · Audit chain
  • 6 anomaly detection patterns with regulatory anchors (CIS Microsoft 365, SOX ITGC, NIST 800-53, ISO 27001, Microsoft Purview DLP)
  • 8-policy × 30-app Conditional Access coverage matrix
  • 8-event hash-chained audit-stream (ed25519-signable per CIS Control 8.5)

Security posture

  • Browser-only, no backend, no telemetry, no login
  • AGPL-3.0 license
  • Full security headers in .htaccess (CSP / HSTS / XFO / XCTO / Referrer-Policy / COOP / CORP / COEP / Permissions-Policy)
  • CSP forbids frame-ancestors + object-src
  • Exactly 1 inline script (tab switcher), zero external scripts

Founder lever

IAM stack + Microsoft enterprise depth. Bridges three existing v1.0-prod surfaces:

  • entra-access-review-control-plane
  • conditional-access-posture-board
  • intune-device-compliance-ops

Deployment

Status

  • v0.1-shipped: MVP scaffold complete
  • v1.0-prod: hardening to follow (CI matrix, structure tests, html-validate lint)