Releases: Azerax/Starfish

Project Starfish v0.10.1

@Azerax Azerax released this 21 Jun 15:01

Project Starfish v0.10.1 - Visibility, your-call friction, one-command lockdown

A usability release on top of v0.10.0's Claude Code governance. Same deny-by-default core; nicer to live with.

Highlights

  • You can see Starfish working. A [Starfish] status line shows governed state, allow/deny counts,
    daemon/safe-mode status, and your write profile - e.g. ⬡ Starfish ✓ governed · 42✓ 3⛔ · daemon up · writes:auto.
    Every decision Claude Code surfaces is prefixed [Starfish] so you always know the source.
  • You choose the friction, per project. A writes profile lets you pick auto (no prompts on
    in-project writes, with versioned backups in .starfish/backups/) or ask (prompt every write). The
    system-risk floor - writes outside the project, secrets, .starfish, raw shell, catastrophic commands -
    stays gated no matter what. Set it with --writes auto|ask, STARFISH_WRITES, or --backups N.
  • One-command lockdown. starfish install --claude-code --managed now requests elevation itself: a UAC
    prompt on Windows, sudo on macOS/Linux. No more hunting for an admin shell. --no-elevate to opt out.

Also

  • Platform-aware elevation guidance (Windows has no sudo).
  • Cross-platform tests (Windows named pipes; symlink tests skip where unsupported); the desktop app
    typechecks again; a daemon strictness bug fixed.

Upgrade

After upgrading, re-run starfish install --claude-code --managed to re-baseline the integrity hash
(the verify-before-exec launcher refuses an unrecognized cli.mjs until you do).

Apache-2.0. Full detail: CHANGELOG.md.

Project Starfish v0.10.0

@Azerax Azerax released this 21 Jun 14:27

Project Starfish v0.10.0 - Govern Claude Code

Starfish can now run as a deny-by-default governance overlay on Claude Code itself. Every tool call is
adjudicated by a local Policy Decision Point before it runs, authorized on the way in and contained on the
way out, and written to a tamper-evident audit log. Fail-closed: if governance isn't running, governed
tool calls are denied, not allowed.

Highlights

  • Govern an existing project in three steps
    starfish init --overlay --yes        # seed governance under .starfish (project untouched)
    starfish install --claude-code        # wire the hooks
    starfish daemon                       # start the resident PDP; build as normal, now governed
    
  • Real enforcement, verified. Reading stays allowed, edits ask for approval, writes outside the project
    or into the governance dir are denied, a benign shell command asks while rm -rf / is denied outright,
    and unknown tools hit default-deny. Native Claude Code tools (Read/Edit/Bash/WebFetch/…) are mapped onto
    the governed model.
  • Machine-wide lockdown (Strategy A). sudo starfish install --claude-code --managed deploys a
    root-owned policy so Claude Code itself refuses competing hooks, user permission rules, and bypass mode.
    Verified against Claude Code 2.1.183.
  • starfish doctor audits the whole posture (pins, absolute hook path, cli integrity, perms, daemon)
    and exits non-zero on any failure.

Security hardening

  • Absolute node + cli paths (no PATH hijack); NODE_OPTIONS pin + env scrub (no loader injection).
  • Pinned disableAllHooks:false and disableBypassPermissionsMode in managed scope (the two switches R0
    proved are unsafe from user scope).
  • Governed-projects registry (deleting .starfish can't silently downgrade a governed repo).
  • Config-drift tripwire → daemon safe-mode (deny-all) until starfish attest.
  • Integrity baseline + a verify-before-exec launcher that refuses a tampered cli.mjs at run time.
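
A sketch of how a verify-before-exec launcher can combine three of the items above (absolute paths, NODE_OPTIONS pin plus env scrub, integrity baseline). This is an added example, not Starfish's own code; the baseline file format, the environment allowlist and every function name are assumptions made for illustration.

```javascript
// Added illustration, not Starfish source. The baseline file format
// ({"sha256": "<hex>"}), the allowlist and all function names are assumptions.
const crypto = require('node:crypto');
const fs = require('node:fs');
const path = require('node:path');
const { spawnSync } = require('node:child_process');

// Variables passed through to the child; everything else is dropped.
const ENV_ALLOW = ['PATH', 'HOME', 'USERPROFILE', 'SystemRoot', 'TEMP', 'TMP'];

function sha256File(file) {
  return crypto.createHash('sha256').update(fs.readFileSync(file)).digest('hex');
}

// Decide whether cliPath may run. Every error path (missing baseline,
// unreadable file, relative path, malformed hash) refuses: fail closed.
function verifyBeforeExec(cliPath, baselinePath) {
  try {
    if (!path.isAbsolute(cliPath)) return { ok: false, reason: 'cli path not absolute' };
    const baseline = JSON.parse(fs.readFileSync(baselinePath, 'utf8'));
    const expected = Buffer.from(String(baseline.sha256), 'hex');
    const actual = Buffer.from(sha256File(cliPath), 'hex');
    if (expected.length !== actual.length || !crypto.timingSafeEqual(expected, actual)) {
      return { ok: false, reason: 'hash mismatch' };
    }
    return { ok: true, reason: 'hash matches baseline' };
  } catch (err) {
    return { ok: false, reason: `verification error: ${err.code || err.name}` };
  }
}

// Build the child environment from the allowlist and pin NODE_OPTIONS so an
// inherited --require/--import cannot load attacker-chosen code.
function scrubbedEnv(parentEnv) {
  const env = {};
  for (const key of ENV_ALLOW) {
    if (parentEnv[key] !== undefined) env[key] = parentEnv[key];
  }
  env.NODE_OPTIONS = ''; // pinned to empty here; the real pinned value is not on the page
  return env;
}

// Run the CLI with the absolute node binary only after verification passes.
function launch(cliPath, baselinePath, args) {
  const verdict = verifyBeforeExec(cliPath, baselinePath);
  if (!verdict.ok) throw new Error(`refusing to run ${cliPath}: ${verdict.reason}`);
  const opts = { env: scrubbedEnv(process.env), stdio: 'inherit' };
  return spawnSync(process.execPath, [cliPath, ...args], opts);
}
```

A check like this is only as strong as the permissions on the baseline and the launcher: if the governed user can rewrite either, a tampered file can be re-baselined along with its hash.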

Also in this release

  • BoundarySet deny-subtrees; session-keyed PreToolUse→PostToolUse correlation; single source of truth for
    the governance seed; one-init-per-install lock.

Upgrade note

After upgrading, re-run sudo starfish install --claude-code --managed to re-baseline the integrity hash
(the verify-before-exec launcher will refuse an unrecognized cli until you do).

Apache-2.0 · free for personal and commercial use. Full detail in CHANGELOG.md.