All notable changes to VoidAccess are documented here.
- STIX relationship generation now avoids near-quadratic same-page edge explosions by emitting bounded semantic co-occurrence edges instead of every pair on a page.
- Persistent relationship loading now skips malformed non-UUID endpoints before graph hydration, preventing UUID coercion crashes during STIX export.
- THREAT_ACTOR_HANDLE and ORGANIZATION_NAME NER noise from repeated audits is filtered before persistence, including the confirmed generic security/programming vocabulary false positives.
- MISP, Sigma, API, and shared DB query paths now use explicit SQLAlchemy select constructs instead of passing subquery objects into
.in_(). - Optional configuration warnings are summarized once per process instead of printing a repeated warning wall.
- Refined query persistence now strips labelled/chatty LLM responses down to the actual short search query.
- Tor result-count variance was reassessed as environmental network/search-engine flakiness for this pass; no code change was made for that item.
- STIX export was silently producing an empty 82-byte bundle (regression from 1.6.3's working fix); now produces real bundles with entities and relationships
- Entity extraction quality had regressed on queries containing CVE/financial terms, returning only organization-name noise; CVE extraction now works correctly
- Confidence scores were clustered at 1-2 discrete values across an entire investigation; now show genuine multi-value spread reflecting source quality, extraction method, and corroboration
- Source-quality scoring (previously claimed but not actually implemented) is now genuinely present on extracted entities and contributes to confidence
- Fixed a CLI readback bug where entities were successfully extracted and persisted but the final displayed/exported count could read as zero, because the query only checked direct investigation_id matches and ignored entities linked via InvestigationEntityLink
- Fixed duplicate canonical entities appearing in results when the same entity existed in both the direct-match and linked-match branches of the entity query; results are now deduped after the union, not before
- corroborating_sources field still not populated (carried over from 1.6.4, tracked separately)
- --version now works as a top-level flag
- config.json now written with 0600 permissions
- Entities from Tor/.onion pages now persist to the entity store
- RFC 5737/2606 placeholder IPs/domains/emails filtered or flagged instead of treated as high-confidence threat intel
- Source-quality scoring added for low-trust sources (GitHub README docs)
- Stale OPENROUTER_API_KEY warning fixed
- Stuck 'running' investigation rows now cleaned up
- DATE entity extraction capped
- IOC package email export no longer drops emails
- STIX export SQLAlchemy warning fixed
- Non-interactive
voidaccess configureinput now detected and handled
- sentence-transformers, torch, transformers, telethon, playwright moved to optional extras (
voidaccess[nlp],[telegram],[js],[all]) - Added VOIDACCESS_NO_BANNER for session-level banner suppression
- corroborating_sources not populated for any entity (tracked for next release)
- LLM may under-tag malware names present in summary but not in structured extraction
- STIX relationship export now declares and installs its graph dependency, and export commands visibly warn when relationships cannot be built.
- Added missing third-party dependency declarations for imported libraries across the codebase.
- Entity store
corroborating_sourcesfield is silently null for all entities becausemerge_with_dbinextractor/normalizer.pynever callsupdate_entity_source_countafter the initial upsert. Every entity — from tor_search, RSS, GitHub, or enrichment — hassource_count=1andcorroborating_sources=nullinstead of the source name (e.g.["tor_search"]). Fix requires callingupdate_entity_source_countinmerge_with_dbafter each upsert, passing the page's source label derived from the page URL. Tracked as a separate fix cycle — do not treat as a footnote.
- LLM entity extraction no longer streams raw JSON fragments to stdout during investigations with LLM enabled.
- STIX export no longer writes an empty bundle silently when
stix2is missing;stix2is now a declared dependency and the export produces a real bundle. clickis now a declared dependency, so the first-run spaCy model download triggered byvoidaccess configureno longer fails silently and leave NER disabled.use_proxiesanduse_proxyconfig flags have been renamed torest_api_transport_enabledandresidential_proxy_enabled, with automatic migration for existing config files and a fix for BOM-prefixed JSON loading.
- (Resolved in v1.6.4) Entity extraction and persistence from Tor/.onion pages is now confirmed working end-to-end.
- Clarified the final release state after the residential proxy fallback QA pass and the
--use-scraping-apitransport reintroduction. - Confirmed the six live-verified safety guarantees from the verification arc, including silent fallback behavior when proxy credentials are invalid.
- Residential proxy credential handling and release metadata alignment.
- Optional clearnet ScrapingAnt integration for paste sites and RSS feeds.
- Three independent ScrapingAnt products are now documented and supported separately: Web Scraping API, Residential Proxy transport, and Datacenter Proxy transport.
- Web Scraping API transport uses
VOIDACCESS_USE_PROXIES=trueandSCRAPINGANT_API_KEY. - Residential Proxy transport uses
VOIDACCESS_USE_PROXY=truewithSCRAPINGANT_PROXY_USERNAMEandSCRAPINGANT_PROXY_PASSWORD. - Datacenter Proxy transport is configured with
SCRAPINGANT_PROXY_TYPE=datacenterand the same proxy credentials, but live verification is still open. - The transport selection model is mutually exclusive per request; if both transports are enabled, the proxy transport wins for that request and the chokepoint logs the choice once.
- Tor,
.onion, GitHub, and GitLab traffic remain unaffected by the integration.
- Corrected earlier documentation and configuration drift that conflated the Web Scraping API credential with the proxy credentials and described the wrong host model.
- Clarified that there is no chained transport mode.