The dated, inspectable
history of the grade.

Engine and schema versions on a Veriqa report are the version of the rules that fired and the version of the output contract that was emitted, respectively. A change to either is logged on this page with a date, a one-line summary, and a bulleted note of what moved.

• Area

  Rules engine

  The deterministic scoring and gating in api/app/analysis.py and the PQC analyzer in api/app/pqc.py.

• Area

  Schema

  The output contract in data/report_schema.json — the same JSON the API returns and the SPA renders.

• Area

  Platform

  The surfaces — marketing site, SPA, API, build system — and the wiring between them.

• Area

  Methodology

  Written rules of how a claim is graded and how a verdict is defended.

• Area

  Security

  HTTP headers, input handling, secrets posture, dependency hygiene.

1. Methodology Schema 2025-11-04 schema v0.1.0

   Initial JSON Schema — output contract drafted

   The first draft of data/report_schema.json — a strict shape for the readiness report so the API, SPA and the static demo share one contract instead of three.

   • Top-level fields fixed: subject, context, verdict, vlabel, exec, tracks, scores, ev, missing, next, engine.
   • Verdict vocabulary fixed at the wire level: go / monitor / nogo (rendered as Proceed / Monitor / Require further diligence in the UI).
   • Scores constrained to integers 0-100 across the three axes — maturity, urgency, hype.
   • Evidence rows fixed as [claim, source_id, confidence] with confidence in 0-1.
   • Drift gate stood up: TS types in packages/shared are generated from the schema and CI fails if they diverge.
2. Rules engine 2025-12-12 engine v0.2.0

   Claim-discipline gate — first cut

   The baseline rule is written into the engine, not just the marketing site. An advantage claim without a classical baseline is flagged in code, and the verdict is gated accordingly.

   • Added ADVANTAGE_RE / BASELINE_RE regexes in analysis.py to detect the central advantage claim and whether a comparator is present.
   • Introduced the needs-baseline flag on the report and on individual evidence rows.
   • Verdict downgrade: a go verdict is invalidated to monitor while any core advantage claim is needs-baseline. Enforced in the analyzer return path.
   • Maturity score capped at 55 when needs-baseline fires — the discipline cap, written down in code rather than in copy.
3. Methodology 2026-01-21 method note

   Evidence confidence — definition pinned

   A written definition for the 0-1 confidence value on every evidence row, so the number means the same thing across the engine, the SPA and a printed report.

   • Confidence is defined as how strongly the cited source supports that specific sub-claim — not a probability of the underlying claim being true.
   • Degrades with the source (undated whitepapers and press releases score lower than peer-reviewed work with a method section), not with the optimism of the framing.
   • Uncitable factual claims are marked unverified and cannot raise the verdict — absence of evidence is recorded as absence.
   • Definition published on science.html § Evidence & confidence.
4. Platform Methodology 2026-02-09 platform

   Reviewer gate — software-enforced

   Every customer-facing report is held in draft until an internal reviewer approves it; the gate is enforced in software, not by goodwill. The marketing site banner makes the gate visible to readers of the public demo.

   • Backend: a report cannot be released around the reviewer gate — the workflow is enforced on the API side.
   • SPA: the verdict surface holds the report in draft until an approval is logged against the exact engine + schema version that produced it.
   • Marketing site: "Advisor review required" banner added in web/js/main.js on every demo report so the gate is visible on public surfaces too.
   • Explicitly not claimed: we do not represent that an outside expert reviews every report yet. The current gate is internal.
5. Rules engine 2026-02-24 engine v0.3.0

   PQC analyzer — separate vertical, same discipline

   A dedicated PQC analyzer in api/app/pqc.py: cryptographic inventories are graded against the finalised NIST standards, then prioritised by exposure and data shelf life — not by vendor enthusiasm.

   • Mapping fixed to FIPS 203 (ML-KEM, key establishment), FIPS 204 (ML-DSA, signatures) and FIPS 205 (SLH-DSA, signatures).
   • Asset model added: system, role, current, target, status, phase, rationale, optional shelf_life_years and deadline.
   • Phase buckets — P1 (next 12 months), P2 (12-36 months), P3 (36+ months) — prioritised by shelf life and harvest-now exposure.
   • Schema extended with the optional pqc_plan block and an agent discriminator (readiness / pqc) — see schema v0.4.0 below.
6. Schema 2026-02-26 schema v0.4.0

   Schema additions for the PQC plan

   The output contract grows to carry a PQC plan when an asset inventory is in scope, without disturbing the existing readiness-report shape.

   • Added optional agent field with enum readiness | pqc (defaults to readiness) — routes UI rendering.
   • Added optional pqc_plan object with assets[] and phases{P1,P2,P3}.
   • Constrained enums: asset role ∈ {key_exchange, signature, encryption, hash, other}; status ∈ {ok, needs-migration, broken}; phase ∈ {P1, P2, P3, none}.
   • Backwards compatible — existing readiness reports validate unchanged.
7. Rules engine 2026-03-18 engine v0.4.0

   Feature-driven rewrite of the analyzer — same-number bug fixed

   Internal task #53. The earlier analyzer leaned too hard on keyword presence, which produced near-identical scores for very different inputs — the so-called "same-number bug". Rewritten as a feature-driven function of evidence density, hedge/superlative balance, named-entity hits, dated specifics and the baseline gate.

   • Each score is now a deterministic function of counted text features, not a flat keyword toggle.
   • New feature lexicons: HYPE, SPECULATION, EVIDENCE, HEDGE, URGENCY — each with stated weights in analysis.py.
   • Named-entity and known-org detection: a benchmark with a named institution attached carries weight a bare keyword does not.
   • Quantitative-claim and dated-year detection: superlatives without numbers push hype up; specifics with dates push maturity up.
   • Distinct inputs now produce distinct, defensible scores. The evidence table reflects what was actually detected in the material — not a fixed template.
   • Discipline cap preserved: needs-baseline still caps maturity and still blocks a Proceed verdict in code.
8. Schema 2026-04-09 schema v1.0.0

   Schema v1.0 — output contract frozen

   The schema is promoted to v1.0 after a quarter of use in production. Every field is documented, the verdict vocabulary is locked, and the CI drift check between schema and generated TS types is required to pass on every merge.

   • All required top-level fields enumerated; descriptions added to every property.
   • Verdict vocabulary locked at the wire level (go / monitor / nogo) — the public-facing labels (Proceed / Monitor / Require further diligence) are rendered in the UI from those values.
   • Evidence-row tuple [claim, source_id, confidence] formally constrained: minItems/maxItems=3, confidence in 0-1.
   • Claim-discipline rules attached at the schema root in a non-validating claim_discipline block — documented, not silently enforced by validation alone.
   • Forward changes will be additive minor versions unless explicitly noted; any breaking change is a new major version and a separate entry on this page.
9. Security Platform 2026-05-15 platform

   HTTP security headers + self-XSS sink escape

   Hardening pass across the static site and the SPA shell: HTTP security headers added at the edge, and a self-XSS sink in the demo's report-render path escaped at the boundary.

   • Added Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, Strict-Transport-Security and Permissions-Policy at the edge for the marketing site and the SPA.
   • Escaped a self-XSS sink in the demo report renderer — user-supplied subject and material strings are now HTML-escaped before insertion.
   • CORS posture re-checked: production ALLOWED_ORIGINS is an explicit allowlist, dev default remains permissive.
   • No change to the rules engine or the schema.
10. Platform 2026-06-08 engine v0.5.0 · schema v1.0.0

    Information-architecture fix — dedicated pages, no front-page anchors

    Today's deploy. The marketing site is restructured so each major topic — Science & Methodology, Insights, FAQ, Company, Changelog, Trust — has a dedicated, deep-linkable page rather than a front-page anchor. Engine and schema versions stamped on reports issued today are the ones at the top of this page.

    • Front-page anchors retired in favour of dedicated pages; deep links into specific sections are stable.
    • This Changelog page added — the dated, inspectable history that was previously only readable in the git log.
    • Reviewer-gate language audited across surfaces: the gate is software-enforced; we do not represent that an outside expert reviews every report.
    • Engine v0.5.0 is a maintenance bump — no scoring-rule changes since v0.4.0, only logging and the version-stamp wiring that backs this page.

1. Read the engine and schema versions on the report

   Every Veriqa report carries the engine version and the schema version in its footer alongside the issue date. Those three values are the report's coordinates on this page.

2. Find the matching entries above

   Scan the timeline for the engine version and the schema version cited. The rules that fired on your report are the ones described in those two entries — earlier history is context, not what produced your verdict.

3. Compare against today, if you need to

   The latest release card at the top of this page is what a new report on the same input would be graded under today. A re-check produces a new, dated report — it does not overwrite the original. Both are defensible against the rules they were graded under.

4. If anything does not match, ask

   If a version on a report is not represented on this page, that is a bug and we want to know. Email hello@quantum-nexus.dev with the report's engine + schema versions and we will reconcile it.

Public verdict vocabulary is Proceed / Monitor / Require further diligence. The scoring engine is a transparent rule-based heuristic over text features — it is not a sentiment score and not a statistically validated model. The reviewer gate is software-enforced; we do not represent that an independent outside expert reviews every report. See trust.html § methodology integrity and science.html for the full method.