Klyo Gateway
Product updates for Klyo Gateway, most recent first.
Subscribe via RSS.
- improvement v1.12.0Redesigned chat top bar and resizable sidebar
The chat top bar consolidates profile, admin, statistics, language, theme, and logout into a single account menu. The same menu and a clear…
- feature v1.11.1Default alerting with Prometheus rules and bundled Alertmanager
The gateway now ships with a default Prometheus alert rule set and a bundled Alertmanager service so a fresh install can page an operator wi…
- improvement v1.11.1Preflight validation and live startup visibility for self-hosted installs
make up now runs a preflight pass against the host before starting any container. The checks cover port conflicts, database password mismatc…
- feature v1.11.1Redacted diagnostics bundle for support cases
make support-bundle collects a single redacted tarball containing the artefacts most often requested during a support case: recent container…
- feature v1.11.1Verified database snapshot taken before every migration
Every schema migration now starts with an automatic, verified snapshot of the database. The snapshot is checksummed and a sample restore is…
- feature v1.11.0Automatic model fallback when a provider errors before the first token
If a model errors before it produces any reply content, the gateway now transparently retries the request against the next allowed model in…
- fix v1.11.0Cancelled replies, edit-regenerate, and provider errors now surface clearly
Three chat reliability fixes. Cancelling a reply mid-stream no longer leaves a spinner stuck on "Generating…" until reload. The bubble now r…
- feature v1.10.13Frontier model catalog refresh across Anthropic, OpenAI, and Google
The admin Providers page now lists current frontier models from the three major providers so they can be enabled without editing YAML. Added…
- security v1.10.12Hardening pass on firewall, egress, PII, and TOTP
Six safety-critical components received targeted hardening as part of the traceability gate that ships with every release. The firewall rege…
- improvement v1.10.11In-app changelog tab now reads the public release feed
The changelog tab inside the gateway no longer surfaces an internal engineering log. It now reads the public release feed at changelog.klyo.…
- security v1.10.10Closed login timing oracle and password-change race condition
Two authentication hardening fixes. The login endpoint previously took measurably less time to respond when the submitted email did not exis…
- improvement v1.10.10Verified-backup health endpoint and canary auto-rollback on SLO breach
Two reliability additions for self-hosted operators. The new /health/deep endpoint returns HTTP 503 when no SHA-256-verified backup complete…
- feature v1.10.9Safety evidence package shipped with every release
A signed safety evidence package is now attached to every gateway release. Customers deploying into regulated verticals — avionics, automoti…
- feature v1.10.8Appeal flow for false-positive PII redactions
End users can now report a false-positive redaction directly from the chat preview. Each finding on the preview banner exposes a "Report fal…
- improvement v1.10.7Unified routing for policy-flagged content with active-target visibility
When a Secure LLM or on-premise model is configured and the administrator opts in, content that would otherwise be blocked for policy reason…
- security v1.10.6Web framework upgraded to close RSC denial-of-service vulnerability
The bundled web framework is upgraded to close CVE-2026-23869, a denial-of-service vulnerability in Server Components endpoints where a craf…
- security v1.10.5Removed unused authentication library flagged by CVE-2026-27962
Removed an unused authentication library that customer dependency-scanners were flagging for CVE-2026-27962 — a JWT signature-verification b…
- improvement v1.10.3Secure LLM display name now shown in the chat attribution pill
The friendly display name administrators set for the Secure LLM provider — for example, "Our EU GPT-4o" — now appears under each assistant r…
- fix v1.10.2Hotfix for Secure LLM save returning a 500 error
Hotfix for v1.10.1. Saving a new Secure LLM provider on a self-hosted install returned a 500 error because the encryption master key generat…
- improvement v1.10.1Bundled on-premise model container is now opt-in
Self-hosted deployments without a GPU can now leave the bundled local-inference container out entirely, saving roughly 8 GB of resident memo…
- feature v1.10.0Secure LLM lane for policy-flagged content
Customers without on-premise GPUs can now nominate any trusted external or self-hosted model as the route for policy-flagged content. A new…
- fix v1.9.1.1Hotfix for strict Content-Security-Policy breaking the web UI
Hotfix for a regression introduced in v1.9.0. The strict Content-Security-Policy added during the security audit refused every framework scr…
- improvement v1.9.0Kernel egress firewall installs with no extra steps on supported hosts
The bootstrap script now auto-detects whether the host kernel supports the optional eBPF egress sidecar shipped in v1.8.2, generates the req…
- fix v1.9.0Login no longer hangs when LDAP is not configured
Fixed a regression where login could block for around 48 seconds on installs that did not have LDAP configured. The auth flow tried LDAP fir…
- improvement v1.9.0Local-inference runtime tunable from environment variables
Self-hosted operators can now tune the bundled local-inference runtime directly from .env. CPU and memory limits, the maximum number of conc…
- security v1.9.0Security audit closes backlog of vulnerabilities
A full-stack security audit has closed a backlog of vulnerabilities. Highlights include a command-injection fix in the backup-restore endpoi…
- feature v1.8.2Optional kernel-level firewall for outbound LLM traffic
A new optional sidecar enforces LLM egress directly in the Linux kernel via eBPF. The gateway authorizes each LLM call; without an authoriza…
- fix v1.8.1Hotfix for database extension version mismatch on first start
Hotfix for v1.8.0. Some self-hosted installs whose database had previously pulled a newer time-series extension via a rolling tag failed on…
- security v1.8.0Container hardening for self-hosted deployments
Self-hosted containers now run as a non-root user with a read-only root filesystem, no Linux capabilities beyond what bootstrap requires, an…
- feature v1.7.0PII detection expansion, admin approval gate, and on-prem fallback
Four new detection plugins ship by default: API keys and bearer tokens, employee IDs (including localized variants), client identifiers pair…
- improvement v1.6.8Pre-built container images for self-hosted installs
Gateway and web images are now published to a public container registry on every release, with :<version>, :<major>.<minor>, and :latest tag…
- fix v1.6.6Custom branding now applies across the entire chat and admin UI
Fixed a regression that limited admin-configured branding to the login page only. The configured logo, application name, and favicon now pro…
- security v1.6.5Bundled admin interfaces now bind to loopback by default
The bundled monitoring, identity, and routing interfaces (Grafana, Prometheus, Uptime Kuma, the proxy dashboard, the secret store, the direc…
- fix v1.6.4Self-hosted installs no longer require direct access to the gateway port
Fixed a class of "cannot reach the API server" failures on fresh self-hosted installs. The web tier now proxies all API calls to the gateway…
- security v1.6.2Firewall now strips invisible Unicode characters before keyword matching
Closed a bypass where zero-width, bidirectional-override, and soft-hyphen characters could split a blocked keyword and evade the firewall's…
- improvement v1.6.1Schema migrations now apply automatically on upgrade
Gateway now manages its database schema through a versioned migration system. On startup, the container detects the existing schema, brings…
- feature v1.6.0Klyo Marketplace integration for plugin discovery and reviews
Gateway can now connect to Klyo Marketplace to register the install, sync available plugins, and submit star-rating reviews from the admin c…
- feature v1.5.0Self-host licensing and tiered billing plans
Gateway now runs in two deployment modes behind a shared billing surface: managed SaaS and self-hosted. Self-hosted deployments validate aga…
- feature v1.4.0Monthly budgets and routing markup per LLM group
Each LLM group can now carry a monthly budget ceiling. When a group exceeds its budget, further requests are blocked with HTTP 402 until the…
- improvement v1.4.0Ten cloud LLM providers preconfigured out of the box
New deployments ship with ten cloud providers already registered in the catalog: OpenAI, Google Gemini, Azure OpenAI, Groq, Mistral, DeepSee…
- feature v1.3.0Plugin marketplace with search, categories, and ratings
The admin console now includes a plugin marketplace with search, category filters, star ratings, and customer reviews. Plugins install and u…
- improvement v1.2.0Multi-language firewall, IP allow/deny lists, and session management
The firewall now normalizes input with Unicode NFKC and evaluates rules across seven languages, closing bypasses that relied on alphabet swa…
- feature v1.2.0GDPR data export and configurable message retention
Administrators can now configure a retention window that auto-deletes conversations and messages after the set period. End users can downloa…
- feature v1.2.0Shared conversations with per-link permissions
Conversations can now be shared with individual users or with entire LLM groups, as view-only or edit. Shared links support an optional expi…
- feature v1.1.0Cost intelligence panel and routing decision log
The admin console now breaks down spend per model with trend indicators and an estimated savings figure against an always-cheapest baseline.…
- feature v1.0.0Klyo Gateway is generally available
Klyo Gateway is generally available. Traffic routes across LLM providers using one of four strategies — cost, quality, latency, or balanced…