PromptGate PromptGate v1.0
Coming soonComing soon Install free
v1.0 Public release · BSL 1.1

Changelog.

Curated highlights of what shipped in each version. The full Keep-a-Changelog file lives in the repo.

Coming soonComing soon Coming soonComing soon
v1.0.0 major

Public launch. Single-admin Community Edition under BSL 1.1, ready for self-hosting.

Added

  • Agent Proxy project type — the corporate egress framing of the wrapper engine. Setup page renders env-var snippets for Claude Code / Codex CLI / Cursor / Aider / Continue / Cline.
  • Anthropic Messages API on the wrapper (/v1/messages) so Claude Code routes via ANTHROPIC_BASE_URL with no client change.
  • OpenAI Responses API on the wrapper (/v1/responses) so Codex CLI works the same way.
  • Streaming on every wrapper shape — native SSE for Anthropic Messages, OpenAI Responses, OpenAI Chat Completions. Restoration-safe with reversible redaction.
  • Reversible redaction guardrail — tokenize PII before the LLM call, restore on response. The LLM never sees the real value.
  • Secret scanner guardrail — 18 well-known credential patterns. Block-mode 422 (without echoing the match) or redact-mode tokenization.
  • Cost dashboard with cache-saved KPIs, 30d trend, per-provider / per-endpoint / per-token roll-ups.
  • Endpoint versioning — every save snapshots config; diff + restore + audit on append-only history.
  • Anomaly alerts — 5-minute MAD-based detector on error rate / latency / spend. Webhook fires on detection.
  • Management API for programmatic token mint/rotate/revoke with two kill-switch toggles (Management REST API + MCP Control Plane).
  • Tool / function calling — pass-through with bidirectional translation between OpenAI and Anthropic shapes.
  • Embeddings on the wrapper (/v1/embeddings) for OpenAI / Mistral / Cohere / Together / Ollama.
  • Replay from logs, endpoint evals + diff, response cache, routing rules (YAML), first-run onboarding with auto-tick-off DB checks.

Security

  • Webhook secrets encrypted at rest (idempotent migration that encrypt-in-place existing rows).
  • SSRF guard extended to webhook delivery, MCP gateway dispatch, and OAuth token endpoints — was previously only on the API Gateway proxy.
  • SSRF_ALLOWED_HOSTS moved from runtime env() into config/security.php so php artisan config:cache doesn't silently zero the allowlist.
  • Token write surfaces (/api-tokens/*, /admin/tokens/*) throttled at 30 req/min so a leaked credential can't mint thousands of sub-tokens before detection.
  • .env.example hardened: APP_DEBUG=false, APP_ENV=production, SESSION_ENCRYPT=true, SESSION_SAME_SITE=lax.

Performance

  • Dashboard buildLastHourBars went from 60 separate count() queries to one grouped query.
  • Dashboard SQL is now driver-aware (Postgres date_trunc, MySQL DATE_FORMAT, SQLite strftime) — was crashing on Postgres before.
  • ProviderController N+1 collapsed: ~30 queries for 5 providers → 5 grouped queries total.
  • ProviderSetting::isEnabled() cached per request via static map; saved/deleted Eloquent listeners invalidate.
  • New gateway_logs indexes: composite (project_id, status, created_at) for error-rate panels, single created_at for global-scope, single api_token_id for cost-dashboard top-tokens.

Want the diff?

Every commit on every release is on GitHub. The CHANGELOG.md tracks the same content in Keep-a-Changelog format.

Coming soonComing soon Coming soonComing soon