Elevarq Signals Beta 7: the road to 1.0
Elevarq Signals is a read-only PostgreSQL diagnostic collector. It runs on your own infrastructure, connects to your databases with a read-only role, runs a fixed catalog of diagnostic queries on a schedule, and packages the results as portable, signed snapshots. No data leaves your machine. No AI, no cloud, no phone-home.
Today we shipped ghcr.io/elevarq/signals:0.10.0-beta.7 — multi-arch, cosign-signed, with an SBOM and SLSA provenance. It's the seventh beta in three weeks, and honestly, 1.0 now feels within reach. Here's the journey from the first beta to here — and what landed in Beta 7.
What Signals is, after seven betas
The core that the beta line was built on:
- 99 read-only diagnostic collectors — server config, session activity, table / index / I/O statistics, schema metadata, storage placement, query intelligence (via
pg_stat_statements), transaction-wraparound risk, vacuum health, replication, and more. - Read-only by design, enforced at three independent layers: static SQL linting at startup, role-attribute validation (superuser / replication / bypassrls are blocked before any query runs), and a session
READ ONLYtransaction with defensive statement, lock, and idle timeouts. - Specification- and test-driven — every requirement has a spec and tests, and the snapshot format is a versioned contract, not an accident of the implementation.
- A signed, verifiable supply chain — every release is a multi-arch image with a cosign signature, an SBOM, and SLSA provenance.
Connect anywhere — without a password in your config
The defining theme of the beta line, and the feature we're proudest of: you never put a database password in Signals' configuration. Betas 6 and 7 added a full set of credential providers, so Signals authenticates with your existing cloud identity, or fetches the secret live at connect time:
- Passwordless cloud IAM — AWS RDS / Aurora (IAM tokens via instance profile / IRSA / Pod Identity), Azure Flexible Server (Entra ID via Managed Identity), and Cloud SQL (IAM via Workload Identity). No password exists at all.
- Cloud secret stores — fetch the password live from AWS Secrets Manager, AWS Systems Manager Parameter Store (new in Beta 7), Azure Key Vault, or GCP Secret Manager. The shape of the reference selects the backend; nothing is written to disk.
- mTLS for on-prem and regulated environments — and even the plain
passwordmethod never lets the secret live inline (it comes from a file, an env var, or a Kubernetes Secret).
A secret_store target looks like this — no secret in the config:
targets:
- name: prod
host: db.internal
dbname: appdb
user: signals
auth_method: secret_store
secret_ref: arn:aws:secretsmanager:eu-west-1:123456789012:secret:prod/db-AbCdEf
# …or a Parameter Store ARN: arn:aws:ssm:eu-west-1:123456789012:parameter/prod/db
sslmode: verify-full
Whichever method you use, the credential is resolved at connect time, used for a single connection, and never written to the snapshot, logs, metrics, or audit events.
TimescaleDB, privacy controls, and the details
Along the way the betas also added:
- TimescaleDB support (Beta 4) — detection plus a set of metadata collectors for hypertables, chunks, compression, and continuous aggregates.
- A privacy model you control (Beta 1) — collect-everything by default, with a high-sensitivity gate you can switch off to redact or skip the sensitive columns, so a snapshot carries only what you're comfortable sharing.
- And the operational polish you'd expect across betas 1–7: a per-target circuit breaker, a Prometheus metrics endpoint, a
signalsctl doctorpre-flight, per-target sensitivity profiles, and per-class retention.
A new name: Elevarq Signals
Betas 6 and 7 completed our move to the Elevarq house brand. The product is now Elevarq Signals: the daemon is signals, the CLI is signalsctl, the image is ghcr.io/elevarq/signals, and the repository is Elevarq/Signals.
This was a deliberate, breaking change — the Go module path is now github.com/elevarq/signals, and the transitional arqctl / arq-signals binary aliases have been removed. If you packaged against the old names, update your imports and pulls; old GitHub URLs redirect automatically. We did the rename now, during beta, precisely so 1.0 ships under its final name with nothing left to migrate.
Security, hardened in the open
Signals' core promise is that credentials never reach a snapshot. Beta 7 extends that guarantee to one more surface: query text captured from pg_stat_statements. PostgreSQL doesn't normalize the literal in utility statements like CREATE ROLE … PASSWORD '…', so a password can sit verbatim in the view's query text. Signals now redacts these structured credential literals — role and user passwords, and libpq password= connection strings inside dblink / postgres_fdw / subscriptions — before the row is ever written to disk or exported.
We're deliberate about the boundary: we redact the well-defined credential syntax, and we do not pretend to scrub secrets a user hard-codes into a PL/pgSQL or PL/Python function body. Finding secrets in arbitrary code is undecidable; promising it would be dishonest. So we redact what we can guarantee, and document the rest.
What's in Beta 7
- AWS Systems Manager Parameter Store as a
secret_storebackend. - Credential redaction for
pg_stat_statementsquery text. - The move to Elevarq Signals, completed end to end (module path, binaries, repository).
- A cleaner Prometheus metric set (
signals_*) plus documentation and packaging polish.
Verify it
Every release is verifiable end to end. Confirm the image was built by our release workflow and nothing was swapped:
cosign verify ghcr.io/elevarq/signals:0.10.0-beta.7 \
--certificate-identity-regexp='github.com/Elevarq/(Signals|signals)/.github/workflows/release.yml@' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com'
The SBOM and SLSA provenance are attached as attestations on the same digest.
Try it in two minutes
git clone https://github.com/elevarq/signals.git
cd signals
docker compose -f examples/docker-compose.yml up -d
That starts Signals alongside PostgreSQL 16 with a pre-configured monitoring role, begins collecting automatically, and lets you export your first snapshot.
The road to 1.0
Seven betas in, the collector surface is stable, the read-only safety model is proven, and the cloud-connectivity story — the thing that makes Signals genuinely easy to adopt — is complete. What's left for 1.0 is polish, documentation, and the real-world testing that betas exist for. We're very close.
If you run PostgreSQL and want clean, portable, read-only diagnostics with nothing phoning home, this is a great moment to try the beta and tell us what breaks.