v0.10.0 — Agent Trust Surface
Added
Agent Trust Surface — SafeInstall now protects the files that program your AI agent and configure SafeInstall itself: safeinstall.config.json, the agent hook configs, AGENTS.md/CLAUDE.md/rules files, and .mcp.json. In the agent era these are the persistence surface — whoever edits them owns the next session.
safeinstall trust lock records a hash baseline; SafeInstall reconciles against it before guard decisions and every install/check. Three zones with proportionate responses: enforcement drift locks down, hidden Unicode (Trojan Source, incl. U+061C) always blocks, MCP drift and unpinned (rug-pull) servers block installs.
New commands: trust lock [--mode warn|strict] [--ci github], trust status [--require-lock] (read-only, exit 2 on drift), trust approve (human-gated), trust unlock (human-gated).
CI is the durable anchor. trust lock --ci github scaffolds a workflow that re-verifies the committed baseline on every pull request, with the CLI pinned to an exact version — tampering done on a compromised local machine does not survive review. For it to enforce, make it a required status check and require review of .safeinstall/ (CODEOWNERS).
Honest scope
Locally this is tamper-evident against mistakes and non-targeted tampering, not tamper-proof against a scheme-aware agent in your own account. The durable guarantee is CI re-verification of the committed lock on a machine the agent does not control.
Full changelog: https://github.com/Mickdownunder/SafeInstall/blob/main/CHANGELOG.md