Changelog

Notable changes to RapidValue, grouped by release wave. Customer-visible features only — internal refactors, test coverage, and dev-tooling changes are omitted.

Subscribe

Want to be notified of new releases? Add docs.rapidvalue.be to your RSS reader or watch the GitHub repository.


May 2026

POC trial program

A 30-day trial path designed for "let me show this to my CISO and DPO".

  • Sales-bootstrap CLI (rv-poc) — single bash command provisions a tenant, registers the first agent, and prints the customer install one-liner. → Sales CLI reference
  • Take-home report — privacy-safe HTML/Markdown export of the tenant's posture. CISO + DPO can review without logging in. → POC mode
  • POC expiry write-blocking — read-only mode after day 30 (HTTP 423 Locked on writes, safe paths whitelisted for report download + conversion)
  • Cross-tenant POC dashboard — internal funnel view across all active trials (bootstrapped → connected → activated → formalized)
  • Agent-default execution mode — POC tenants create connectors with execution_mode=agent by default, surfacing the tier-3 architecture from day one

Tier-3 hybrid agent

The agent that runs in your VPC and brokers all connector calls.

  • Single-file Python agent (~700 lines) — tier3_agent.py, no daemonizing framework required. → Install the agent
  • All 18 connector methods routed — AgentProxyConnector is a drop-in Connector subclass; call sites stay unchanged
  • Local credential vault — agent reads agent-vault.json keyed on connector business_id. Secrets never travel from control plane to agent. → Security model
  • HMAC-verified self-update — per-agent signing key, timing-safe compare. Control plane can't ship arbitrary code without a valid signature.
  • Crash-loop rollback — .bak + .stable marker. If a new agent binary crashes during boot, next start auto-reverts and reports.
  • Optional mTLS — register a client cert fingerprint per agent; the spine validates on every request
  • Chunked streaming — large syncs stream records back in configurable chunks (default 500) without flipping task state
  • Full audit logging — every claim/complete/fail/update event visible in the tenant's audit log + take-home report

Connector onboarding

Targets live in under 5 minutes via the 5-step wizard.

  • SCIM 2.0 + LDAP/AD engines — covers ~25 SaaS vendors out of the box plus any standards-compliant directory
  • Quick-add wizard — 5-step Dialog (type → connection → discovery → mapping → first sync). → Wizard onboarding
  • Auto-discovery + heuristic field mapping — pre-fills IGA schema; override per field
  • Connector catalog landing page — browseable catalog with already-connected badges and one-click add
  • Sector-pack recommendation — wizard suggests field mappings based on your tenant's installed sector pack
  • ConnectorProtocol v1 — wire-stable Pydantic envelopes; custom connectors get the agent-proxy treatment for free

Role mining — Opportunities

Replaces "role mining run output" with a business-readable view.

  • 3-bucket intent framing — Formalize a pattern · Extend an existing role · Bring drift under control. → Quick start step 3
  • Business stories — each opportunity reads as plain-language framing instead of statistical output
  • One-click formalize — opens the role with live grant tail and member preview pre-filled
  • PostFormalizePanel — Day-2 priorities surfaced as soon as a role is created (governance to attach, members to migrate)
  • Bulk-formalize — select multiple opportunities, formalize in one flow
  • Live grant tail — drawer shows actual downstream entitlements before you commit

Resource lifecycle governance

End-to-end management of applications, entitlements, and the deprecation flow.

  • DeprecationPlan + cascade — schedule removal of an app or entitlement; downstream impact computed and surfaced
  • AUTO_MIGRATE for affected identities — pre-staged migration to successor resources, executed at deprecation cutover
  • Onboarding governance — provenance tracking + DT spawning when new applications are added
  • Service Library + Identity Overview tab — drawer-default for identity inspection
  • Modification governance — security-review DT auto-revert if approval rejected
  • Scheduler integration — lifecycle transitions fire on schedule, not on manual trigger

Identity model + 3-layer policy

  • IdentityTypeDefinition registry — human / contractor / service / NHI as first-class with type-specific properties
  • 3-layer policy model — Layer 1 cohort birthrights · Layer 2 role-derived · Layer 3 explicit grants
  • Context unification — membership_roles, is_primary, schema_object_id as one consistent concept
  • JSON-DSL policy evaluator — readable, audit-friendly policy expressions
  • Cohort preview + Layer-3 rollup — see who's affected before activating a policy
  • WhoAmI tab + sensitive-context DT — drill into any identity's effective access with full provenance

SOL/IST 7-status compliance

Canonical taxonomy for "what's the state of this grant?":

compliant · to_provision · action_missing · non_compliant · to_deprovision · drift_explicit · drift_unmanaged

  • Auto-recompute on policy activation + identity attribute change
  • SoD-aware — preventive checks at request time + detective re-scan after sync
  • Attribute-level drift detection — fine-grained beyond membership-only
  • Persisted IdentityWarning — historical state preserved for audit

DecisionTask unification

Replaces five legacy task systems (ApprovalStep · CertificationItem · SmartCert · RecertTask · Survey) with one model.

  • Single inbox — every decision lives in one place per persona
  • Audit-event consistency — same audit shape regardless of task origin
  • Field-visibility matrix per role — column-level RBAC for the inbox grid

Sector packs

Industry-baseline bundles of approval rules + certification policies.

Available: Financial Services · Healthcare · Public Sector · Manufacturing · Mid-Market · AI Enterprise. → Sector packs

  • Pre-configured approval rules per risk tier
  • Cert cadences keyed to sector norms (90/180/365 days)
  • SoD policies typical for the industry
  • Field-mapping templates for sector-typical targets
  • Diff-vs-pack tracking — see where you've diverged from the baseline, for audit conversations

Documentation site

Public docs portal at docs.rapidvalue.be — wizard reference, agent install, security model, sector packs, POC mode, API orientation.


Earlier history

Older sprint detail is archived in the internal sprint history (docs/sprints/ in the repository). Customer-relevant highlights from those waves:

  • Sector Packs + sovereignty self-assessment — early framework that led to the current sector-pack architecture
  • Toxic Combinations + Unstructured Data — SoD-adjacent risk surface for files + folders
  • Connector Auto-Discovery + Blast Radius — what-changes-if-I-grant preview
  • Quick Scan Wizard + NHI Discovery — the precursor to today's 5-step wizard
  • SMART Certifications + Guided Policy Builder — the foundation for the current cert engine

Release cadence

We ship continuously to the SaaS control plane. Agent binaries roll out via HMAC-signed self-update; pin a version with RV_AGENT_SELF_UPDATE=0 if your change-management process requires it.

For breaking changes (rare), we publish migration notes here at least 30 days in advance.
