v0.10.0

Released 2026-05-05

OAuth sign-in — Google and GitHub

You can now sign in to Merlonix with your Google or GitHub account in addition to the magic-link email flow.

  • Click Continue with Google or Continue with GitHub on the login page
  • First sign-in creates your account and associates it with the trial plan automatically
  • Returning users are recognized by their OAuth provider ID — no email address collision risk
  • Magic-link email sign-in remains available as a fallback

OAuth uses a PKCE flow with no server-side token storage — the callback issues a standard session JWT identical to the magic-link path.

Rules-based fallback classifier

SSL and DNS classification now has a deterministic fallback path when the LLM chain is exhausted.

SSL fallback rules:

  • Certificate expiring within 14 days → imminent_expiry
  • Issuer change detected → unexpected_issuer
  • SAN set changed → san_change
  • All other changes → needs_review

DNS fallback rules:

  • NS or MX record changed → ns_change / provider_migration
  • CAA record changed → caa_edit
  • TTL-only change → ttl_only (benign, no alert)
  • All other changes → needs_review

Uptime fallback rules:

  • HTTP 4xx → client_error
  • HTTP 5xx → server_error
  • Connection refused / timeout → unreachable

The fallback activates only when Groq, Gemini, Cerebras, and Claude Haiku all fail or rate-limit. Under normal conditions the LLM chain runs as before.
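
The fallback path described above, sketched for the SSL rules as an added example (not Merlonix's own code). The certificate field names, the provider interface (`name`, `classify`), and first-match-wins rule order are assumptions, and the sample data is constructed.

```javascript
// Added example: field names, provider interface and rule precedence are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;

// SAN lists are compared as sets: order and letter case do not count as a change.
function sameSanSet(a, b) {
  const norm = (xs) => [...new Set(xs.map((x) => x.toLowerCase()))].sort();
  const [x, y] = [norm(a), norm(b)];
  return x.length === y.length && x.every((v, i) => v === y[i]);
}

// Deterministic SSL rules in the order listed above; first match wins.
// An already-expired certificate also lands in imminent_expiry here.
function classifySslFallback(prev, curr, now) {
  const msLeft = new Date(curr.notAfter).getTime() - now.getTime();
  if (msLeft <= 14 * DAY_MS) return "imminent_expiry";
  if (prev.issuer !== curr.issuer) return "unexpected_issuer";
  if (!sameSanSet(prev.sans, curr.sans)) return "san_change";
  return "needs_review";
}

// Walk the provider chain; the rules run only if every provider throws
// (error or rate limit). A provider that answers is never overridden.
async function classifySsl(prev, curr, providers, now = new Date()) {
  const failures = [];
  for (const p of providers) {
    try {
      return { label: await p.classify(prev, curr), source: p.name, failures };
    } catch (err) {
      failures.push(`${p.name}: ${err.message}`); // keep for audit logging
    }
  }
  return { label: classifySslFallback(prev, curr, now), source: "rules", failures };
}

// Constructed sample data (not real certificates or providers).
const NOW = new Date("2026-05-05T00:00:00Z");
const PREV = { issuer: "CN=Example CA 1", notAfter: "2026-09-01T00:00:00Z",
               sans: ["example.test", "www.example.test"] };
const REISSUED = { ...PREV, issuer: "CN=Example CA 2" };
const REORDERED = { ...PREV, sans: ["WWW.example.test", "example.test"] };
const failing = (name) => ({ name, classify: async () => { throw new Error("429"); } });
```

Returning `source` and `failures` with the label lets an alert record show whether it came from a model or from the rules, which matters when reviewing why a change was classified the way it was.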

Table partitioning for SSL and DNS checks

The ssl_checks and dns_checks tables are now range-partitioned by month. This keeps query performance predictable as check volume grows.

  • Child partitions: one per calendar month from May 2026, plus a default partition
  • New partitions for the next two months are created automatically on the first day of each month
  • Existing data was migrated with no downtime using a shadow-copy strategy
  • Legacy tables (ssl_checks_legacy, dns_checks_legacy) are retained for 48 hours then dropped

No changes to API response shapes — the partition boundary is invisible to clients.

Agents package consolidation

The alert-deduplicator and legal-filter agents are now exported from @merlonix/agents alongside the SSL, DNS, and vendor classifiers. Import paths in the alertDispatch and assets routes were updated accordingly. No behavior changes.

Bug fixes

  • Fixed ESLint warnings in all API source files (--max-warnings=0 now passes cleanly)
  • Fixed OAuth callback route shadowed by :provider wildcard parameter