Changelog
All notable changes to TRACIO are documented here. Versions follow semantic versioning (major.minor.patch).
v2.0.0 — V3 Tiered Visitor ID, 146 Signals, Production Ready
Released: March 2026
This is a major release introducing the V3 tiered hashing system, expanding signal collection to 130+ signals, and achieving production-ready status after a comprehensive audit.
New Features
- V3 Tiered Visitor ID: New three-tier hashing system with independent Tier 1 (frozen hardware, 20 chars), Tier 2 (semi-stable browser, 10 chars), and Tier 3 (volatile context, 10 chars) producing 40-character base62 visitor IDs
- 130+ signals: Expanded from 70 to 130+ total signals (FingerprintJS Pro v4 signal coverage plus custom extensions and proprietary signals)
- Signal parity: Achieved full match coverage against FingerprintJS Pro v4 in automated Playwright comparison tests
- AI confidence scoring: Signal frequency weighting (IDF-based) and fuzzy matching using bit-level Hamming distance for returning visitor identification
- Admin dashboard: Real-time metrics, API key management, and ClickHouse analytics
Signal Collection Improvements
- Shared iframe optimization (single hidden iframe for emoji, MathML, system colors, fonts, screen frame)
- Web Worker for s22 (WASM features) and s30 (doNotTrack)
- s36 DOM blockers expanded to 48 filter lists with
offsetParent check
- s117 property getter introspection for extension-based spoofing detection
- s118/s136 prototype chain verification for plugins and mimeTypes
- Audio retry for iOS (3x retry on suspended state with visibility awareness)
- s56 browser cache probe with real localStorage persistence
Server-Side Improvements
- VPN detection with 4 methods (timezone mismatch, ASN, relay, TURN) — surfaced as the boolean
network.vpn on webhook payloads
- Proxy detection with residential/datacenter classification — surfaced as
network.proxy / network.datacenter
- Tor exit-node detection — surfaced as
network.tor
- 7-day rolling timezone-mismatch rate per IP as an internal VPN-detection input
Advanced Detection (Phase 4)
- Threat intelligence feeds (FireHOL + Spamhaus integration)
- Behavioral fingerprinting (mouse/keyboard/scroll pattern analysis)
- Signal normalizer (Chrome 125-131 and Firefox 126-131 cross-version rules)
- Replay detection via request deduplication and timing analysis
- Brave canvas farbling detection (per-session canvas comparison)
- Header order pattern matching against known browser profiles
Bug Fixes (50+)
- P0: JA4 ALPN field, TLS-UA consistency check, Client Hints validation, TURN probe IP comparison, cookie-match confidence
- P1: s75 extensions hash, canvas stability check, relay detection, first-visit confidence floor, incognito multi-signal correlation
- P2: iPad/iPadOS platform fixup, vendor typeof check, HDR signal wiring, per-key Client Hints, touch event detection, cookie domain iteration, TURN timing, request retry, VPN ASN expansion
v1.5.0 — Smart Signals and Bot Detection
Released: February 2026
New Features
- Smart Signals: 24 server-side enrichment signals including VPN, proxy, Tor, tampering, incognito, VM, emulator, and suspect score
- Bot Detection Engine: 14 independent detectors covering Selenium, Puppeteer, Playwright, PhantomJS, headless browsers, and behavioral analysis
- Good bot allowlisting: 22 good bot types with reverse DNS IP verification
- TURN server: WebRTC IP probe for VPN detection bypass
- IP intelligence: VPN ASN matching, residential proxy detection, Tor exit node checking
- Velocity tracking: Per-IP and per-visitor activity tracking with Redis sorted sets
Server-Side
- VM detection (VMware, VirtualBox, Parallels, QEMU, Hyper-V)
- Emulator detection (mobile emulator weighted scoring)
- Frida/instrumentation detection
- Privacy browser detection (Tor, Brave, Firefox ETP, Safari ITP)
- Cloned app and factory reset detection
- Suspect score computation (category-based, 0-100 scale)
- Headless v2 detection with 11 markers
- Automation framework classification (Puppeteer, Playwright, Cypress, Selenium)
Client-Side
- s157 automation framework scanning (14 framework categories)
- s158 iframe webdriver check
- s159 native function integrity check
- s155 window property CRC32 scan
- s163 console DevTools trap
v1.0.0 — Initial Release
Released: January 2026
Features
- 70 browser signals: Canvas, WebGL, audio, fonts, navigator, screen, storage, CSS media queries
- Visitor identification: MurmurHash3-x64-128 server-side hashing
- Encrypted transport: XOR encryption envelope with deflate compression
- Cookie persistence: AES-GCM encrypted first-party cookie (365-day expiry)
- GeoIP integration: MaxMind GeoIP2 for city-level geolocation
- JA3/JA4 TLS fingerprinting: TLS ClientHello analysis for browser verification
- Webhook delivery: Real-time event notification with retry and signature verification
- Docker deployment: Single-command deployment with Docker Compose
- Redis caching: Visitor cache and rate limiting
- PostgreSQL storage: Persistent visitor records
Client SDK
Tracio.init() initialization with public key configuration
tracio.getResult() with tag and linkedId options
- Typed error handling with error code classification
- 128KB minified bundle size
- Browser compatibility: Chrome 57+, Firefox 52+, Safari 11.1+, Edge 79+
API
- Server-side event retrieval endpoint for individual events
- Event response format compatible with FingerprintJS Pro v4
- Authenticated, rate-limited server API
- CORS support with credentials
Upgrade Guide
v1.x to v2.0
The v2.0 upgrade introduces a new visitor ID format (V3 tiered hash). Existing visitor IDs will be recomputed. This means:
- All visitors appear "new" in the database after upgrade
- Confidence scores will be lower for 24-48 hours as the database rebuilds
- linkedId continuity is preserved (your business identifiers remain)
Recommended upgrade procedure:
# 1. Backup your database
pg_dump tracio > tracio_backup_$(date +%Y%m%d).sql
# 2. Pull the latest version
docker compose pull
# 3. Run database migrations
docker compose run tracio-ingress migrate
# 4. Restart services
docker compose up -d
No client-side SDK changes are required. The client protocol is backward compatible.