Release Notes

v1.0.0 — General Availability (March 2026)

MergeGuide v1.0.0 is the first production release. What’s in this release:

4 enforcement layers: IDE, Git hooks, AI assistants, PR gates
4 SCM platforms: GitHub, GitLab, Bitbucket, Azure DevOps
18 compliance frameworks with NIST OSCAL export
711 detection rules across 15 languages

Detection Engine

711 detection rules — 237 regex + 474 Semgrep AST taint analysis rules
15 languages — Python, JavaScript, TypeScript, Java, Go, PHP, Ruby, C#, Kotlin, Swift, Rust, C, C++, Terraform, Dockerfile
Dual-layer analysis — Fast regex for known patterns; Semgrep for taint analysis and data flow across all supported languages
All 15 languages benchmark-validated at ≥85% precision

4-Layer Enforcement

VS Code Extension — Real-time violation detection with inline diagnostics, quick fixes, sidebar panels for violations/policies/evaluations, and pre-commit hook management
MCP Server — 10 tools for AI coding assistants: check_policy, list_policies, scan_repository, scan_vulnerabilities, scan_licenses, scan_cicd, scan_iac, generate_evidence, generate_sbom, get_remediation
Git Hooks — Pre-commit and pre-push enforcement; compatible with Husky, lint-staged, and the pre-commit framework
PR Gate — Webhook-driven evaluation on GitHub, GitLab, Bitbucket, and Azure DevOps with inline annotations and pass/fail status checks

SCM Integrations

All four SCM platforms supported with full PR gate integration:

GitHub (GitHub App: mergeguide-policy-check)
GitLab (Webhook + OAuth)
Bitbucket (OAuth App)
Azure DevOps (Azure DevOps App)

Compliance

18 framework templates — SOC 2, HIPAA, PCI-DSS, ISO 27001, GDPR, EU AI Act, DORA, NIS2, FedRAMP, StateRAMP, Colorado AI Act, NIST SSDF, OWASP Top 10, CWE Top 25, OWASP ASVS L1, OWASP ASVS L2, CIS Controls, SLSA
NIST OSCAL v1.1.2 native output — 16 custom catalogs, 3 document types, GRC platform interop
SBOM export — CycloneDX 1.5 + SPDX 2.3, streaming ZIP download, S3 upload integration
PolicyMerge — Multi-framework conflict resolution with strictest-wins logic and overlap visualization
Bypass rate tracking — Every policy override logged; dashboard widget and drill-down report on all tiers

Enterprise Features

Billing — 5 tiers: Free, Pro ( $29/seat), Team ($ 39/seat, 5 min), Business ($79/seat, 10 min), Enterprise (custom)
SAML 2.0 SSO + OIDC — Team, Business, and Enterprise plans
SCIM v2 provisioning — Business and Enterprise plans
WebAuthn/Passkeys + TOTP MFA — All plans
RBAC — Owner, Admin, Developer, Viewer roles (Business and Enterprise)
Immutable evidence trail — Business and Enterprise
Onboarding wizard — 7-step guided org setup

Dashboard

Compliance dashboard with framework coverage visualization for all 18 frameworks
Bypass rate widget and drill-down event log
OSCAL and SBOM export from the dashboard
PolicyMerge multi-framework visualization
Enforcement metrics with daily pass/fail trends
Date range filtering: 7d, 30d, 90d, all time

API

REST API v1 at api.mergeguide.ai
API key authentication with scoped permissions
OAuth 2.0 + PKCE for interactive applications
Evaluation, policy, compliance, SBOM, and webhook endpoints
Rate limiting with standard headers (X-RateLimit-*)

Upgrade Guide

MergeGuide v1.0.0 is the initial GA release. No migration from a prior version is required.

Installing the CLI

npm install -g @mergeguide/cli

Installing the VS Code Extension

Search “MergeGuide” in the VS Code Extensions panel, or:

code --install-extension mergeguide.mergeguide-vscode

Setting Up the MCP Server

npm install -g @mergeguide/mcp-server

See MCP Server Setup for configuration.

Feedback

Bug reports: support@mergeguide.ai
Feature requests: support@mergeguide.ai

Releases

​Release Notes

​v1.0.0 — General Availability (March 2026)

​Detection Engine

​4-Layer Enforcement

​SCM Integrations

​Compliance

​Enterprise Features

​Dashboard

​API

​Upgrade Guide

​Installing the CLI

​Installing the VS Code Extension

​Setting Up the MCP Server

​Feedback