Releases
Changelog
Product updates, new features, and bug fixes.
S3 Zero Trust Access/v2.3.0
Mar 28, 2026
## v2.3.0 — TenantNet Complete + Security Fixes
### Features
- **S3-ZT Profile Engine**: Full ABAC rule engine per profile — bucket/prefix, allowed operations, max object size, TTL, time windows (day-of-week + hour range), IP/CIDR whitelist, file extension whitelist
- **Compliance Mode Selector**: BASIC / ENS_MEDIO / ENS_ALTO / NIS2_IMPORTANTE / NIS2_ESENCIAL — each mode enforces minimum TTL and heartbeat interval defaults
- **Device Posture Requirements**: Configurable per profile — OS type, minimum agent version, disk encryption required flag
- **Anomaly Detection Thresholds**: Per-profile configuration — bulk download ops/min ceiling, off-hours sensitivity, high frequency threshold
- **Tenant Groups**: Group model with member management and bulk profile assignment; users inherit profiles from all their groups
- **Tenant IAM**: 4 locked system roles (TENANT_OWNER/ADMIN/USER/VIEWER) + unlimited custom roles with 21 granular permissions
- **CSP Provider Catalog**: Platform-level catalog of supported S3 providers (AWS S3, MinIO, Cloudflare R2, Backblaze B2, Wasabi, Scaleway) with connection templates
- **Email Engine**: Platform SMTP configuration + customizable email templates per tenant
- **Platform Users Page**: Hover-reveal action buttons, self-user "Tú" badge (no actions), role-only EditDrawer for federated users
### Security Fixes
- **CRITICAL**: SSO first-login now creates users with VIEWER role instead of ADMIN — eliminates automatic privilege escalation for any SSO-authenticated user
- **HIGH**: POST-SSO redirect now uses `window.location.replace()` instead of Next.js router — fixes silent redirect failure after OIDC full-page navigation
- **HIGH**: GET /iam/members now filters `status: ACTIVE` — soft-deleted users no longer appear in the UI
- **MEDIUM**: SSO badge detection fixed — reads `oidcSub` field (was incorrectly reading non-existent `federationId`)
- **MEDIUM**: PATCH /iam/members now supports `displayName` and `password` updates; password change blocked for federated users
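
The behaviour these fixes describe, as an added example that is not the product's own code. The in-memory store, function names, claim shape and the refusal of soft-deleted accounts at login are assumptions; `oidcSub`, `status`, `displayName`, `password` and the role names come from the entries above.

```javascript
// Added example: the store, function names and claim shape are hypothetical.
// oidcSub, status, displayName, password and the role names are from the changelog.
const users = new Map([
  // Constructed local (non-federated) account for comparison.
  ["local-1", { id: "local-1", oidcSub: null, displayName: "Local", role: "USER", status: "ACTIVE" }],
]);

// SSO first login: a new account always starts at the least-privileged role.
function provisionOnSsoLogin(claims) {
  const existing = users.get(claims.sub);
  if (existing) {
    // Assumption (not stated in the changelog): soft-deleted accounts cannot log back in.
    if (existing.status !== "ACTIVE") throw new Error("account is not active");
    return existing; // the role is never re-derived at login
  }
  const user = {
    id: claims.sub,
    oidcSub: claims.sub,
    displayName: claims.name || claims.email,
    role: "VIEWER", // the pre-fix default was ADMIN
    status: "ACTIVE",
  };
  users.set(user.id, user);
  return user;
}

// Federation is detected from oidcSub, the field that actually exists on the record.
function isFederated(user) {
  return Boolean(user.oidcSub);
}

// Member listing: soft-deleted users are filtered out.
function listMembers() {
  return [...users.values()].filter((u) => u.status === "ACTIVE");
}

// Member update: displayName for anyone, password only for local accounts.
function patchMember(id, patch) {
  const user = users.get(id);
  if (!user || user.status !== "ACTIVE") throw new Error("member not found");
  if ("password" in patch && isFederated(user)) {
    throw new Error("password is managed by the identity provider");
  }
  if ("displayName" in patch) user.displayName = patch.displayName;
  // Password hashing and storage are out of scope; only the change is recorded.
  if ("password" in patch) user.passwordChangedAt = Date.now();
  return user;
}
```
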
### Data Model
- New migrations: S3ZtProfile, S3ZtSession, ActivityTrail, TenantGroup, TenantGroupProfile, PlatformEmail, EmailTemplate, CspProvider, TenantCspConfig, structured tenant address and contact fields
### Infrastructure
- PLATFORM_ROLES expanded to include VIEWER and SUPPORT — SSO-created users with minimal roles now visible in admin panel
- Docker images: backend:3.3.0, admin:2.3.0
Process Mining for Security/v0.1
Mar 27, 2026
Phase 0 complete. Turborepo monorepo with apps/admin, apps/tenant, and packages. Docker Compose dev environment (PostgreSQL, ClickHouse, Redis, Keycloak). Keycloak multi-tenant auth with OIDC/SAML broker for Entra ID, Okta, PingFederate, ADFS. FastAPI backend with JWT middleware, RBAC, scope separation. Connectors framework: Entra ID (Graph API), Okta (System Log API), Generic CEF/Syslog bridge. Shared packages: @pms/auth, @pms/ui, @pms/types.
S3 Zero Trust Access/v1.2.1
Mar 20, 2026
fix: Empty bucket edge case
chore: AWS SDK v3.500
Identity Hub LaaS (ZT)/v0.4.1
Mar 18, 2026
fix: SSO token validation — Entra ID v2 edge case