Engineering and product updates.
beta.35 ships three AD Operations features as one surface: Feature A automates the Federated → Managed flip with a 24-hour bounded rollback window, Feature B pre-registers phone + email on migrated users and issues one-shot Temporary Access Passes, and Feature C produces the 4-bucket MFA coverage report that satisfies NIS2 Art 21(2)(j). Live-validated against the Nobacmd P2 trial — with the intentionally un-tested paths named explicitly.
A 2026-04-15 audit of NOBA's social-login flow found that Microsoft/Entra SSO reduced OIDC to "trust whatever email the userinfo endpoint returns over TLS." All eleven findings — 5 P0 NIS2 blockers, 3 P1 items, 3 P3 items — closed across beta.29 (PKCE/nonce/id_token/tenant/JIT), beta.30 (strict at_hash/CAE/generic-OIDC hardening), beta.31 (RP-initiated + back-channel logout, jti replay, async httpx), and beta.32 (ADR-008 review triggers #3/#4 automated).
NOBA Enterprise now refuses to start in production without a shared Redis (or Valkey) cache, closing a silent 429-multiplier bug in multi-worker deployments. The hand-rolled Microsoft Graph client also gets a full OpenTelemetry tracer and meter stack, so the "we didn't adopt msgraph-sdk" architectural choice now has the same observability the SDK would have given us for free.
Thirteen days, twenty beta releases, one theme: stop claiming things work and start proving it against real infrastructure. Zero placeholder integration modules, a Rust-native agent with Windows support, and the browser no longer freezes when you lock a remote Windows session.
NOBA now syncs, migrates, and merges Active Directory users. Tested end-to-end against a real Microsoft Azure AD tenant and a Samba domain controller.
94,000 lines of code, a hand-built CBOR decoder, a 6-layer healing pipeline with circuit breakers, and a cross-platform remote desktop — a look at the engineering behind the platform.