Releases: Kisyntra/Agent_Sudo

v0.5.6

12 Jun 01:15
e8ad6d8

Security-correctness patch: external-content taint can no longer weaken approval strength. Also picks up a pending-approval store concurrency fix that landed after v0.5.5.

  • Taint monotonicity (#103, #104). The classifier's EXTERNAL_CONTENT provenance branch returned SENSITIVE for any non-BLOCKED action, downgrading CRITICAL-policy actions (send_email, money_transfer, external_post, credential_access, run_shell_command, delete_file, legal_or_employment_message) from strong approval to normal approval. External content may raise risk but must never lower it: SAFE still escalates to SENSITIVE; SENSITIVE, CRITICAL, and BLOCKED keep their tier. Adds regression tests for all seven critical actions and a property test asserting the tainted classification is never lower than the untainted one for every default-policy action across both taint channels (provenance origin and source trust).
  • Pending approval store concurrency (#100). Mutations of the pending-approval store are serialized, preventing concurrent approval flows from corrupting or losing pending entries. Adds concurrency regression tests.
  • Compatibility. No breaking changes, no schema changes, no new runtime dependencies. Visible behavior change (intended, strictly tightening): actions whose policy tier is CRITICAL now require strong/passphrase approval when tagged with EXTERNAL_CONTENT provenance, and their audit records carry classification CRITICAL instead of SENSITIVE — relevant to anyone alerting on classification counts. Nothing previously blocked is allowed and nothing previously allowed is blocked.
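The taint-monotonicity fix above, as an added illustration rather than Agent_Sudo's own code: a toy tier model with the pre-fix EXTERNAL_CONTENT branch beside the fixed one, plus the property check the note describes across both taint channels. The seven CRITICAL actions are the ones named in the note; the remaining policy entries, the ordered Tier enum and the function names are assumptions.

```python
# Added example (not Agent_Sudo's code): a minimal tier model showing the
# taint-monotonicity bug described for v0.5.6 and its fix.
from enum import IntEnum

class Tier(IntEnum):            # ordered so max() picks the stricter tier
    SAFE = 0
    SENSITIVE = 1
    CRITICAL = 2
    BLOCKED = 3

# The seven CRITICAL actions are those named in the release note; the SAFE,
# SENSITIVE and BLOCKED entries are constructed for illustration.
CRITICAL_ACTIONS = ("send_email", "money_transfer", "external_post", "credential_access",
                    "run_shell_command", "delete_file", "legal_or_employment_message")
POLICY = {"read_file": Tier.SAFE, "write_file": Tier.SENSITIVE, "exfiltrate": Tier.BLOCKED}
POLICY.update({a: Tier.CRITICAL for a in CRITICAL_ACTIONS})

def is_tainted(origin_type=None, source_trust=None):
    """Either taint channel marks the request: provenance origin or source trust."""
    return "EXTERNAL_CONTENT" in (origin_type, source_trust)

def classify_buggy(action, origin_type=None, source_trust=None):
    """Pre-fix branch: any tainted non-BLOCKED action returns SENSITIVE, which
    *downgrades* CRITICAL actions from strong to normal approval."""
    base = POLICY[action]
    if is_tainted(origin_type, source_trust) and base != Tier.BLOCKED:
        return Tier.SENSITIVE
    return base

def classify_fixed(action, origin_type=None, source_trust=None):
    """Fixed branch: taint can raise the tier (SAFE -> SENSITIVE) but never
    lower it; max() makes the escalation monotone."""
    base = POLICY[action]
    if is_tainted(origin_type, source_trust):
        return max(base, Tier.SENSITIVE)
    return base

def monotonic_violations(classify):
    """Property from the release note: across every default-policy action and
    both taint channels, the tainted tier is never lower than the untainted one.
    Returns the (action, channel) pairs that violate it; empty means monotone."""
    bad = []
    for action in POLICY:
        for channel in ("origin_type", "source_trust"):
            if classify(action, **{channel: "EXTERNAL_CONTENT"}) < classify(action):
                bad.append((action, channel))
    return bad
```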

v0.5.5

08 Jun 07:42
bc13cac

First-run and pip-only-user fixes surfaced by a fresh-install audit, plus a re-landed review fix. No engine behavior, schema, policy, or dependency changes.

  • Friendly input errors (#69). check, run, generic-check, generic-run, hermes-check, and codex-check no longer dump a raw traceback (and the user's path) when given a missing file, invalid JSON, or an inline string instead of a file path. They now print a one-line error with a payload example and exit non-zero, and the positional file arguments carry --help descriptions with an example schema.
  • doctor path consistency and no CWD litter (#71). agent-sudo doctor no longer creates a .agent-sudo/ directory in the current working directory. It probes the single home state root (~/.agent-sudo) for both the audit-log and delegation-store writability checks, so it reports one consistent location.
  • No repo-relative examples in docs or setup output (#67). Documented commands and the agent-sudo setup verify steps (hermes/openclaw) no longer reference examples/*.json files that a pip/pipx install does not have. Each is now self-contained (an inline payload written to a temp file, or agent-sudo eval), so every documented command works from a clean install with no repository checkout. The demo closing line now points at agent-sudo eval.
  • Improved agent-sudo-mcp --help (#72). --audit-log, --delegations-file, and --pending-approvals-file now have descriptions, and the server help carries a description and an epilog pointing at agent-sudo eval and agent-sudo setup.
  • Test isolation (#84). The MCP gateway tests no longer depend on the developer's ambient ~/.agent-sudo/config.json workspace (or AGENT_SUDO_WORKSPACE), so they behave the same locally as on a clean CI runner.
  • Re-landed missed PR #90 review fixes (#95). PR #90 was squash-merged without its review-fix commit; this restores it: the demo shell executor reports executed=False (not True) when the host fails to spawn a process (OSError), and the Windows file-lock retry filter replaces magic numbers (13, 33) with named errno/winerror sets via an _is_lock_busy() helper. Adds the regression tests whose absence let the fix silently drop.
  • Compatibility. No breaking changes, no schema changes, no policy-behavior changes, no new runtime dependencies. Docs, CLI help/error text, test isolation, and the executed flag on a (rare) demo-executor spawn failure are the only user-visible changes.

v0.5.4

04 Jun 00:10
6081268

  • agent-sudo eval one-shot evaluator. New agent-sudo eval runs the full deny → delegate → allow-once → deny-exhausted → audit-verified ladder in a single command and prints a PASS/FAIL report. It runs entirely in a temporary directory and never reads or writes the user's ~/.agent-sudo state. Exits 0 only when all five steps pass (CI-safe); --json emits a machine-readable report and --output-dir DIR writes artifacts to a chosen location. This is the published "fastest path" referenced by the README and the 5-minute evaluator guide, which were previously broken on PyPI because the command did not ship.
  • Claude Code + Codex CLI setup paths. agent-sudo setup adds a claude-code target (alongside codex, claude-desktop, hermes, and openclaw), closing the gap where the headline audience had no first-party setup path.
  • Interactive setup selector. Running agent-sudo setup with no target presents an interactive picker; targets are also selectable by number or name. Bare invocations are guided rather than erroring out.
  • Generated MCP config pins absolute paths and approval flags. Setup output now pins absolute --audit-log, --delegations-file, and --pending-approvals-file paths and the macOS approval flags, so a configured client's audit, delegation, and pending state land in predictable locations instead of relative defaults.
  • First-run onboarding friction removed. A batch of onboarding fixes (demo Scenario 1 now correctly labeled Sensitive Read (REQUIRE_APPROVAL), clearer first-run guidance, and related copy fixes) so the first commands a new user runs behave as documented.
  • CLI command reference. Adds a CLI command reference doc and corrects the audit review flag documentation.
  • Compact gated wordmark. Interactive commands print a compact one-line wordmark.
  • MCP registry description shortened. server.json description trimmed to satisfy registry length limits.
  • Compatibility. No breaking changes, no schema changes, no policy-behavior changes, no new runtime dependencies. New CLI surface (eval, setup claude-code, the setup selector) is additive.

v0.5.3

03 Jun 04:42
50b9302

  • README repositioning. Agent_Sudo is framed as an authorization, delegation, provenance, and verifiable-audit engine for AI agents — MCP is the adapter, not the identity.
  • Public metadata aligned. The PyPI summary and the MCP Registry server.json description carry the same authorization/delegation/provenance/verifiable-audit positioning, so package indexes and crawlers surface consistent framing.
  • Audit Explorer — audit list filters + origin column. agent-sudo audit list gains --since, --decision, --origin, --actor, --tool, --target, and --non-allow, plus a provenance origin column. Read-only; --json output shape unchanged.
  • Audit Explorer — audit trace <token_id>. Token-first delegation lifecycle inspection: resolves a token by full id or unique prefix, joins its store metadata with audit references, and reports observed consumes/denials together with the causes that the denial reasons cite, falling back to the raw reason when no cause is known. Read-only.
  • Compatibility. No breaking changes, no schema changes, no policy-behavior changes, no new runtime dependencies.

v0.5.2

02 Jun 18:58
891f74a

  • Sensitive read/search hardening. Blocks sensitive read_file and search_files targets more consistently, including macOS Keychains, Messages, Mail, Cookies, and Safari stores; browser cookie/login profile stores; gcloud and kube config directories; and common credential files such as .netrc, .npmrc, and .pypirc.
  • Git/GitHub mutation hardening. Blocks mutating Git and GitHub CLI shell commands at the classifier and executor boundary, including git push, git remote mutations, mutating gh issue/pr/release/repo/workflow/run commands, and mutating gh api calls. Read-only Git/GitHub commands remain approval-gated rather than hard-denied.
  • Audit review command. Adds agent-sudo audit review, which verifies the audit chain, summarizes recent decision counts, and lists non-ALLOW records for a configurable window such as 30m, 24h, or 7d.
  • Delegation store visibility. Keeps agent-sudo delegate create stdout as parseable token JSON while reporting the delegation file path on stderr. When the default ~/.agent-sudo/delegations.json store is used, the CLI warns that integrations may read a different delegation store.
  • Delegation troubleshooting docs. Adds Hermes delegation-store guidance using explicit --delegations-file, plus a troubleshooting checklist for "delegation created but authorization still denied" cases covering action, path, actor, expiry, use count, and delegation-file mismatches.
  • Compatibility. No new runtime dependencies. Delegation token format is unchanged, and existing JSON stdout consumers of agent-sudo delegate create remain compatible.

0.5.2

02 Jun 19:02
891f74a

Release Notes: Agent_Sudo v0.5.2

Patch release. Tightens sensitive read/search and mutation blocking, adds a recent audit review command, and makes delegation-store mismatches easier to diagnose. No new runtime dependencies.

Security / Policy Hardening

  • Sensitive read/search hardening. Blocks sensitive read_file and search_files targets more consistently, including macOS Keychains, Messages, Mail, Cookies, and Safari stores; browser cookie/login profile stores; gcloud and kube config directories; and common credential files such as .netrc, .npmrc, and .pypirc.
  • Git/GitHub mutation hardening. Blocks mutating Git and GitHub CLI shell commands at the classifier and executor boundary, including git push, git remote mutations, mutating gh issue/pr/release/repo/workflow/run commands, and mutating gh api calls.
  • Read-only command compatibility. Read-only Git/GitHub commands remain approval-gated rather than hard-denied.

Audit UX

  • Recent audit review. Adds agent-sudo audit review, which verifies the audit chain, summarizes recent decision counts, and lists non-ALLOW records for a configurable window such as 30m, 24h, or 7d.

Delegation Diagnostics

  • Delegation store visibility. Keeps agent-sudo delegate create stdout as parseable token JSON while reporting the delegation file path on stderr.
  • Default-store warning. When delegate create uses the default ~/.agent-sudo/delegations.json store, the CLI warns that integrations may read a different delegation store.
  • Integration docs. Adds Hermes delegation-store guidance using explicit --delegations-file.
  • Troubleshooting checklist. Adds a "delegation created but authorization still denied" checklist covering action, path, actor, expiry, use count, and delegation-file mismatches.

Compatibility

  • No new runtime dependencies.
  • Delegation token format is unchanged.
  • Existing JSON stdout consumers of agent-sudo delegate create remain compatible.

v0.5.1

02 Jun 01:22
bd64717

  • Concurrency-safe one-use delegation consumption. The delegation consume path (DelegationStore.authorize(consume=True), plus create/revoke) now performs its entire read → check → increment → write under an exclusive POSIX advisory lock (fcntl.flock) and re-reads token state from disk inside the lock. This closes a race in which concurrent consumers could each observe uses=0 and all be allowed, double-spending a max_uses=1 token. save() now publishes atomically (temp file → fsync → os.replace → directory fsync) so a reader or crash never sees a partial delegations file.
  • Concurrency-safe audit append. AuditLogger._write_entry now holds the same exclusive lock across read-last-hash → link → append → fsync, so concurrent appends can no longer read the same previous_hash and fork the SHA-256 hash chain. The chain stays linear and verify-audit-clean under parallel writes.
  • Fail-closed under lock contention and corruption. If the lock cannot be acquired within the timeout, or the store is unreadable/corrupt, or the audit log has a torn tail, the gateway denies (delegation) or raises (audit) rather than falling open or silently continuing. No broad except masking is introduced; existing fail-closed behavior is preserved.
  • No format changes. delegations.json and audit.jsonl are byte-for-byte identical to v0.5.0. The only new on-disk artifacts are sibling *.lock files used purely for lock state.
  • No new dependencies. Standard library only (fcntl). Public signatures are unchanged — lock_timeout is a keyword-only argument with a default on DelegationStore and AuditLogger. POSIX-only (macOS/Linux), matching the supported runtimes.

0.5.1

02 Jun 02:54
bd64717

Release Notes: Agent_Sudo v0.5.1

Patch release. Makes the file-backed delegation and audit stores safe under
parallel tool execution. No format changes, no new dependencies, no public API
changes.

Security / Correctness

  • Concurrency-safe one-use delegation consumption (#38). The delegation
    consume path (DelegationStore.authorize(consume=True), plus create and
    revoke) now performs its entire read → check → increment → write under an
    exclusive POSIX advisory lock (fcntl.flock) and re-reads token state from
    disk inside the lock. This closes a race in which concurrent consumers could
    each observe uses=0 and all be allowed, double-spending a max_uses=1
    token. save() now publishes atomically (temp file → fsync → os.replace
    → directory fsync) so a reader or crash never sees a partial delegations
    file.
  • Concurrency-safe audit append (#38). AuditLogger._write_entry now holds
    the same exclusive lock across read-last-hash → link → append → fsync, so
    concurrent appends can no longer read the same previous_hash and fork the
    SHA-256 hash chain. The chain stays linear and verify-audit-clean under
    parallel writes.
  • Fail-closed under lock contention and corruption (#38). If the lock
    cannot be acquired within the timeout, or the store is unreadable/corrupt, or
    the audit log has a torn tail, the gateway denies (delegation) or raises
    (audit) rather than falling open or silently continuing. No broad except
    masking is introduced; existing fail-closed behavior is preserved.
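The locked consume path and atomic save() described in both the v0.5.1 and 0.5.1 notes above, as an added illustration rather than Agent_Sudo's own code: the one-use token is re-read, checked and incremented under an exclusive fcntl.flock on a sibling *.lock file, the store is published via temp file, fsync, os.replace and directory fsync, and lock timeout or a corrupt store deny. Only the consume path is shown (the notes say create/revoke and the audit append take the same lock); the file layout, field names and polling lock helper are assumptions.

```python
# Added example (not Agent_Sudo's code): a one-use delegation store whose consume path
# runs read -> check -> increment -> write under fcntl.flock and publishes atomically.
import fcntl, json, os, tempfile, time

class DelegationStore:
    def __init__(self, path, *, lock_timeout=2.0):
        self.path, self.lock_path, self.lock_timeout = path, path + ".lock", lock_timeout

    def _lock(self):
        # Exclusive advisory lock on the sibling *.lock file, polled with LOCK_NB.
        fd = os.open(self.lock_path, os.O_RDWR | os.O_CREAT, 0o600)
        for _ in range(int(self.lock_timeout / 0.01)):
            try:
                fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
                return fd
            except BlockingIOError:
                time.sleep(0.01)
        os.close(fd)
        raise TimeoutError(self.lock_path)      # caller turns this into DENY

    def _load(self):
        # Always re-read from disk inside the lock; a missing or corrupt file raises.
        with open(self.path) as f:
            return json.load(f)

    def save(self, tokens):
        # temp file -> fsync -> os.replace -> directory fsync, so no reader or
        # crash ever observes a partially written delegations file.
        d = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=d, prefix=".delegations-")
        with os.fdopen(fd, "w") as f:
            json.dump(tokens, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)
        dfd = os.open(d, os.O_RDONLY)
        os.fsync(dfd)
        os.close(dfd)

    def authorize(self, token_id, *, consume=True):
        # True only while uses remain; the increment is persisted before the lock is
        # released, so two consumers of a max_uses=1 token cannot both observe uses=0.
        # Lock timeout and an unreadable or malformed store both deny (fail closed).
        try:
            fd = self._lock()
        except TimeoutError:
            return False
        try:
            tokens = self._load()
            tok = tokens.get(token_id)
            if tok is None or tok["uses"] >= tok["max_uses"]:
                return False
            if consume:
                tok["uses"] += 1
                self.save(tokens)
            return True
        except (OSError, ValueError, TypeError, KeyError, AttributeError):
            return False
        finally:
            os.close(fd)
```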

Compatibility

  • No format changes. delegations.json and audit.jsonl are byte-for-byte
    identical to v0.5.0. The only new on-disk artifacts are sibling *.lock files
    used purely for lock state.
  • No new dependencies. Standard library only (fcntl). Public signatures
    are unchanged — lock_timeout is a keyword-only argument with a default on
    DelegationStore and AuditLogger.

Known Limitations

  • Locking is POSIX-only (macOS/Linux), matching the supported runtimes. There is
    no Windows code path.

v0.5.0

01 Jun 08:42
1486ece

  • Stabilizes the approval-helper opener test. Replaces a brittle assertNotIn("pwd", ...) substring scan — which false-positived whenever the temp-dir path contained pwd — with a deterministic check that parses the AppleScript do script body and asserts it launches only the approval-helper invocation, preserving the original intent (the requested command is never executed by the opener). No production behavior change.

  • Replaces the PydanticAI example with a real, deterministic, offline end-to-end dogfood. A FunctionModel-driven agent loop exercises the full path — agent → PermissionGateway → real temp-dir file I/O → scoped delegation → hash-chained audit → audit verification — across four scenarios (safe USER_DIRECT allow; sensitive write held at REQUIRE_APPROVAL then allowed via a delegation token; blocked exfiltration denied; audit chain verified). The LLM is a deterministic test double (no key, no network); the gateway/delegation/audit path and file I/O are real. Adds a pydantic-ai examples optional extra (never a runtime dependency) and a dedicated CI job; the example test skips cleanly when the extra is absent.

  • Positioning: clarifies engine vs. demo executor. Documents Agent_Sudo as an authorization/approval/delegation/audit engine whose primary integration is embedding the library in your agent; the MCP server is a distribution channel and reference demo. The MCP write_file (scoped to /tmp/agent-sudo-demo) and run_shell_command (narrow allowlist) tool descriptions now state plainly that they are demo executors, not a turnkey way to mediate a client's real file/shell tools. README "Choose Your Path", the Claude Desktop guide, and the security model are updated accordingly. No behavior change — labeling and docs only.

  • Adds agent-sudo verify-routing, a read-only command that reports observed evidence of whether actions are flowing through Agent_Sudo: configuration state, observed gateway activity (audit record count, last record, decision histogram, hash-chain integrity), a best-effort scan of the client MCP config for agent-sudo and other bypass-capable servers, and the standing trust-boundary limits. It performs no probing, execution, or telemetry, and deliberately makes no aggregate "you are protected" claim — it can only report observed signals, not certify routing completeness.

  • Security hardening: contradictory provenance is reconciled, not trusted. When a request asserts a source_trust higher than its source / origin_type evidence supports (e.g. source="webpage" or origin_type="EXTERNAL_CONTENT" paired with source_trust="USER_DIRECT"), the gateway now downgrades the trust to the most restrictive level the evidence supports (EXTERNAL_CONTENT/UNKNOWN) instead of honoring the inflated claim, and records an inconsistent_provenance reason on the decision and audit entry. Impact: such requests are escalated to REQUIRE_APPROVAL rather than allowed. Internally consistent provenance — including an explicit USER_DIRECT whose source/origin_type agree — is honored exactly as before. A consistently-forged USER_DIRECT remains a known limitation pending host attestation. See docs/architecture/security_model.md (Default Trust Posture).

  • Security hardening (behavior change): missing provenance now fails closed. A request that does not assert a trust level — no source_trust, no provenance — is treated as UNKNOWN (untrusted) instead of USER_DIRECT. The change is applied at the MCP JSON-RPC boundary (tool_call_from_jsonrpc), the ActionRequest.from_dict path, and the ActionRequest constructor default. Impact: a SAFE action (e.g. read_file) arriving without provenance is now escalated to REQUIRE_APPROVAL rather than allowed silently. Clients/integrations that speak for the operator must attest provenance explicitly (source_trust="USER_DIRECT"); explicit trust is honored exactly as before. Self-attested USER_DIRECT remains believed — host attestation / nonce binding is tracked separately. See docs/architecture/security_model.md (Default Trust Posture).
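The two provenance hardenings above (contradictory provenance reconciled rather than trusted, missing provenance failing closed to UNKNOWN), as an added illustration rather than Agent_Sudo's own code. The trust level names, the inconsistent_provenance reason and the example of source="webpage" paired with source_trust="USER_DIRECT" come from the notes; the source-to-evidence table, request field names, the missing_provenance label and the minimal decide() mapping are assumptions.

```python
# Added example (not Agent_Sudo's code): provenance reconciliation in the spirit of
# the v0.5.0 notes. Field names, the evidence table and decide() are assumptions.
from enum import IntEnum

class Trust(IntEnum):            # ordered least -> most trusted
    UNKNOWN = 0
    EXTERNAL_CONTENT = 1
    USER_DIRECT = 2

# Highest trust a declared source / origin_type can support (constructed table).
SOURCE_CEILING = {"webpage": Trust.EXTERNAL_CONTENT, "email": Trust.EXTERNAL_CONTENT,
                  "tool_output": Trust.EXTERNAL_CONTENT, "user": Trust.USER_DIRECT}
ORIGIN_CEILING = {"EXTERNAL_CONTENT": Trust.EXTERNAL_CONTENT, "USER_DIRECT": Trust.USER_DIRECT}

def reconcile_provenance(request):
    """Return (effective_trust, reasons).
    - No source_trust at all: fail closed to UNKNOWN ('missing_provenance' is a
      constructed label; the page names only the resulting UNKNOWN treatment).
    - source_trust above what source/origin_type evidence supports: downgrade to the
      evidence ceiling and record 'inconsistent_provenance' (the page's reason).
    - Consistent or evidence-free self-attested trust: honored as claimed."""
    claimed = request.get("source_trust")
    if claimed is None:
        return Trust.UNKNOWN, ["missing_provenance"]
    trust = Trust.__members__.get(claimed, Trust.UNKNOWN)   # unknown name -> UNKNOWN
    ceilings = []
    if request.get("source") is not None:
        ceilings.append(SOURCE_CEILING.get(request["source"], Trust.UNKNOWN))
    if request.get("origin_type") is not None:
        ceilings.append(ORIGIN_CEILING.get(request["origin_type"], Trust.UNKNOWN))
    reasons = []
    if ceilings and trust > min(ceilings):
        trust = min(ceilings)
        reasons.append("inconsistent_provenance")
    return trust, reasons

def decide(action_tier, request):
    """Minimal gate for the cases in the notes: a SAFE action is allowed only under
    effective USER_DIRECT trust; everything else is held at REQUIRE_APPROVAL."""
    trust, reasons = reconcile_provenance(request)
    if action_tier == "SAFE" and trust == Trust.USER_DIRECT:
        return "ALLOW", reasons
    return "REQUIRE_APPROVAL", reasons
```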

v0.4.3

01 Jun 02:28

  • Capitalizes the verification namespace in README.md and aligns version metadata to resolve case-sensitive publisher check errors during official registry submission.