Skip to content

shield-v0.8.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 27 May 20:31
· 13 commits to main since this release
shield-v0.8.0
b65c33a

Aperion Shield v0.8.0 — closes the non-git command bypass

v0.7 closed the agent-reaches-around-MCP-and-commits-something-destructive bypass with git hooks.
v0.8 closes the parallel agent-reaches-around-MCP-and-runs-something-destructive-from-the-shell bypass with shell shims — plus ships first-class decision transparency via --explain.

$ aws s3 rm --recursive s3://prod-bucket
[aperion-shield/check-cmd] APPROVAL-REQUIRED -- `aws s3 rm --recursive s3://prod-bucket`
  rule    : cloud.aws_s3_recursive_delete  (severity=High)
  reason  : Bulk S3 delete -- irreversible if versioning is off.
  suggest : Enable versioning, then use lifecycle rules to expire -- never `--recursive --force`.

What shipped

1. Shell shims (--install-shims)

aperion-shield --install-shims --for aws,kubectl,terraform
  • Writes tiny /bin/sh wrappers to ~/.aperion-shield/bin/ (or --shim-dir PATH) for 10 high-blast-radius CLIs out of the box: aws, gcloud, az, kubectl, helm, terraform, psql, mongosh, redis-cli, rm.
  • User puts that dir first on $PATH; every invocation goes through Shield's engine before reaching the real binary.
  • Same engine, same YAML rules, same audit JSONL stream — the shim path reuses the shell tool-call scope that MCP + --check-staged already use, so a rule you add for one surface automatically covers all three.
  • Foreign-file collision protection: Shield never overwrites a wrapper it didn't write. --install-shims exits non-zero, file untouched, operator told what was found.
  • Bypass: SHIELD_SHIMS_DISABLE=1 <cmd> (env override, parity with --no-verify for hooks).
  • Fail-open posture: if aperion-shield isn't on $PATH, the shim execs the real binary directly (teammates without Shield aren't broken).
  • Companion commands: --uninstall-shims, --list-shims, --check-cmd (runtime entry point each shim calls into; also debug-invokable).

2. --explain (decision transparency)

echo '{"name":"shell","arguments":{"command":"rm -rf /"}}' \
    | aperion-shield --explain --input -
  • Takes any tool-call descriptor (MCP {"name":..., "arguments":...} or legacy {"tool":..., "params":...}) and prints a complete decision walkthrough.
  • Three output formats: text (terminals), markdown (PR review comments), json (stable schema for piping into tooling).
  • Shows every rule that matched (sorted severity desc, points desc), every adjustment signal applied, the full severity ladder (raw → composite + points → final), the decision, the safer alternative.
  • What-if exploration via --explain-force-prod, --explain-force-burst, --explain-force-repeatedly-approved, --explain-force-recently-denied — see how the same call would decide in a different context without rebuilding the environment.
  • Exit codes mirror --check-cmd: 0 allow/warn, 1 block, 2 approval/identity.

Tests: 243 passing (was 192 in v0.7)

  • +22 in-module + +7 e2e for shims — install / uninstall / refresh round-trips, foreign-file refusal, missing-upstream skip, --for parsing + dedup + path-reject; full /bin/sh integration tests against a fake real binary covering allowed pass-through, blocked refusal (real binary never runs), SHIELD_SHIMS_DISABLE=1 bypass, fall-through when Shield isn't on $PATH.
  • +15 in-module + +7 e2e for --explain — descriptor parsing for both MCP and legacy shapes, allow/block/approval emission, format aliases, text/markdown/JSON render contracts, JSON parseable with stable schema, --explain-force-* flags honoured, missing tool-name refused.

Heads up: HTTP/SSE MCP transport is the v0.9 headline

The Streamable HTTP transport (POST + SSE relay with backpressure) is a multi-day implementation that deserves to be the headline of its own release, not a half-shipped breadth bump here. v0.8 is the bypass-closing release; v0.9 will be the any-transport release.

Install

brew install AperionAI/tap/aperion-shield
# OR
docker pull ghcr.io/aperionai/shield:shield-v0.8.0
# OR grab a platform tarball from the Assets list below

After install:

# v0.7 (still recommended): git-hook coverage for code landing in commits
cd your-repo
aperion-shield --install-hooks

# v0.8 (NEW): shell-shim coverage for commands run directly
aperion-shield --install-shims --for aws,kubectl,terraform,rm

# v0.8 (NEW): explain a gating decision
echo '{"name":"shell","arguments":{"command":"rm -rf /"}}' \
    | aperion-shield --explain --input -

Platforms

Platform Tarball
Linux x86_64 (glibc) shield-v0.8.0-x86_64-unknown-linux-gnu.tar.gz
Linux aarch64 (glibc) shield-v0.8.0-aarch64-unknown-linux-gnu.tar.gz
macOS x86_64 shield-v0.8.0-x86_64-apple-darwin.tar.gz
macOS aarch64 (Apple Silicon) shield-v0.8.0-aarch64-apple-darwin.tar.gz
Windows x86_64 shield-v0.8.0-x86_64-pc-windows-msvc.zip

Each tarball is paired with a .sha256 sidecar; verify before installing in CI.

Docker:

docker pull ghcr.io/aperionai/shield:shield-v0.8.0
docker pull ghcr.io/aperionai/shield:latest
# multi-arch: linux/amd64 + linux/arm64

Security

  • No new advisories. cargo audit clean against the v0.8.0 Cargo.lock.
  • No new network endpoints or on-disk persistence outside ~/.aperion-shield/bin/ (shims, 0755 inside 0700 dir).
  • v0.7.x dropped to security-only support; see SECURITY.md.

Full changelog

b65c33a chore(v0.8): release prep -- version 0.8.0, README, SECURITY, env-race fix
237f5f3 feat(v0.8): aperion-shield --explain renders decision walkthroughs
fcf51c9 feat(v0.8): shell shims close the non-git command-bypass surface

Compare to v0.7.0: shield-v0.7.0...shield-v0.8.0

Assets 12
Loading