Releases: Security-Phoenix-demo/blue-shield-firewall
Release list
phoenix-firewall v0.4.0
Phoenix Security Blue Shield - Firewall v0.4.0
Installation (userland — no root, no MDM)
# macOS / Linux
curl -sSfL https://github.com/Security-Phoenix-demo/blue-shield-firewall/releases/download/v0.4.0/phoenix-firewall_0.4.0_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/').tar.gz | tar -xz
mv phoenix-firewall ~/.local/bin/
phoenix-firewall init
phoenix-firewall enroll --api-key <your-key>Note on code signing: binaries in this release are unsigned.
Apple notarization and Windows EV code signing are pending procurement.
Verify integrity via the providedchecksums.txt(SHA-256).
Changelog
- 34e160d: Merge branch 'main' into feat/proxy-handshake-failmode-enrollment (@franksec42)
- b3c3be2: chore(deps): bump the go_modules group across 2 directories with 1 update (@dependabot[bot])
- fc2e8e5: chore(release): v0.4.0 — CHANGELOG, rules subcommand, version bump (@franksec42)
- b2511fb: feat(firewall): add proxy identity/health endpoint for shim handshake (@franksec42)
- 9fa0c7a: feat(firewall): enroll registers device with backend and reports comms failures (@franksec42)
- 3ed8978: feat(firewall): honor fail_mode (closed blocks) on backend API error (@franksec42)
- 45f0c01: feat(firewall): read agent.toml and expose FailMode in config (@franksec42)
- f1bf177: feat(firewall): report backend reachability via heartbeat and warn on comms failure (@franksec42)
- 44e823b: feat(firewall): shim HTTP identity handshake, fail-mode, and foreign-listener warning (@franksec42)
- bbba8d4: feat: containment for host-executed test packages (npm script deny + bypass detection) (@franksec42)
- 21a3a07: fix(firewall): address PR review critical and medium findings (@franksec42)
- 8ba252f: fix(firewall): resolve final-review findings (heartbeat, integrity, windows fail-mode, enroll chmod) (@franksec42)
- b454f67: fix(firewall): wire fail_mode through InstallPATH into shim generator (@franksec42)
- ee3fb65: fix: address PR #7 bot review findings (port validation, IPv6/schemeless URL handling, test coverage) (@franksec42)
- ee43288: fix: address code review – nil guards, idempotent stop, min interval, comment accuracy (@franksec42)
- b7d1277: fix: configurable proxy port via agent.toml + npm matcher :443 port stripping (@franksec42)
- 6057935: fix: correct ldflags symbol names in Makefile build/build-all targets (@franksec42)
- 26edf17: fix: proxy_port TOML override must respect PHOENIX_PORT env var (@franksec42)
- 178c385: fix: thread proxy_port into shim generator on all platforms (@franksec42)
- 0a99cb5: fix: thread tenant_id from enrollment through to evaluate + heartbeat (@franksec42)
- a85af20: fix: upsertTOMLLine inserts new keys before first [section] header (@franksec42)
Full Changelog: v0.3.1...v0.4.0
phoenix-firewall v0.3.2
What's fixed
Enrolled tenant_id now flows end-to-end — from agent.toml through to package-check evaluate payloads and heartbeats.
Root cause
Config had no TenantID field. tenant_id was written to agent.toml at enroll time but silently dropped on every subsequent startup — proxy, system, and heartbeat all ran without org context.
Changes
Config.TenantIDfield added; populated fromPHOENIX_TENANT_IDenv or agent.toml- New
loadConfigWithAgentTOML()helper — fully back-fills all fields includingtenant_id; used by bothproxyandsystemcommands proxymode now reads agent.toml (previously ignored it entirely)- Heartbeat reads
cfg.TenantIDfirst, env var as legacy fallback - Evaluate payload includes
tenant_idso backend can apply org-scoped rules WithTenantID()added toClientfor clean composition
Upgrade
phoenix-firewall enroll --api-key <your-key>--tenant-id is optional — the API key carries the org server-side.
Binaries
| Platform | File |
|---|---|
| macOS (Apple Silicon) | phoenix-firewall-v0.3.2-darwin-arm64 |
| Linux (amd64) | phoenix-firewall-v0.3.2-linux-amd64 |
phoenix-firewall v0.3.1
What's Changed
- Naming changed from phoenix-firewall to blue-shield-firewall by @MiguelReidRuiz in #1
- feat(proxy): shell-export mode (env / proxy --print-exports) to route package managers through the proxy by @franksec42 in #2
- fix(proxy): address shellenv PR #2 review follow-ups by @franksec42 in #3
- Readme ca changes by @MiguelReidRuiz in #4
New Contributors
- @MiguelReidRuiz made their first contribution in #1
- @franksec42 made their first contribution in #2
Full Changelog: v0.3.0...v0.3.1
phoenix-firewall v0.3.0
Phoenix Security Blue Shield - Firewall v0.3.0
Installation (userland — no root, no MDM)
# macOS / Linux
curl -sSfL https://github.com/Security-Phoenix-demo/phoenix-firewall/releases/download/v0.3.0/phoenix-firewall_0.3.0_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/').tar.gz | tar -xz
mv phoenix-firewall ~/.local/bin/
phoenix-firewall init
phoenix-firewall enroll --api-key <your-key>Note on code signing: binaries in this release are unsigned.
Apple notarization and Windows EV code signing are pending procurement.
Verify integrity via the providedchecksums.txt(SHA-256).
Changelog
- 3f5b499: Add bypass cmd, release workflow, and docs updates (@franksec42)
- 514c2b2: Update session-context.txt (@franksec42)
- c369f2e: feat(agent-bridge,system): implement fallback evaluation and service management (@franksec42)
- ebe9b3c: feat(scf-v4): B1+B2-B7 scaffold — system/agent-bridge subcommands, service/shim/policy/telemetry/integrity/bypass/mdm packages (@franksec42)
- 1efe34c: feat(scf-v4/userland): B2 — userland shims (~/.local/bin), init subcommand, agent-bridge home-dir discovery (@franksec42)
- 9a0e8e0: feat(scf-v4/userland): B4 LaunchAgent/systemd-user/schtasks, B5 local ED25519 bypass tokens, B7.0 enroll subcommand (@franksec42)
- 56d33f1: feat(scf-v4/userland): B6 goreleaser pipeline — cross-platform unsigned release, checksums, SBOM (@franksec42)
- 36fb5c7: feat: add GitLab package registry + custom registry interception (@franksec42)
- 1e4a748: fix(proxy): wire userland MITM proxy and fix shim interception (@franksec42)
- a49f662: fix: remove invalid secrets context from step if-condition (@franksec42)
- eb50284: fix: single goreleaser release call; --skip=build removed in v2.16 (@franksec42)
- b129fdc: fix: workflow Azure signing gate + goreleaser repo name + format deprecation (@franksec42)
- 6187a83: refactor: complete module path migration nicokoenig → Security-Phoenix-demo (@franksec42)
Full Changelog: v0.2.0...v0.3.0
Phoenix Firewall v0.2.0
First public release of the Phoenix Security Blue Shield Firewall — an intelligence-driven supply chain firewall that intercepts package manager
traffic and blocks malicious packages before they execute.
What's included
MITM Proxy — sits transparently between your package manager and the registry. Intercepts npm, pip, yarn, pnpm, uv, and poetry traffic, evaluates
every package against the Phoenix Security MPI engine, and returns a 403 before installation if blocked.
Userland shim mode (--ci) — wraps package manager commands with no root or MDM required. Works on developer machines and CI runners alike.
14-condition rules engine — per-tenant policy rules with AND/OR logic and action precedence: block > require_approval > warn > audit > allow.
Conditions include MPI confidence score, signal IDs, threat type, package age, MITRE techniques, license category, and more.
LaunchAgent / systemd-user / schtasks — optional persistent background service installation for macOS, Linux, and Windows without system
privileges.
Local ED25519 bypass tokens — signed offline exception tokens for air-gapped or controlled environments.
Offline / fallback feed mode — --fallback-feed for air-gapped environments using a locally cached blocklist.
CI/CD integrations — GitHub Actions, GitLab CI, Jenkins, Azure DevOps, Bitbucket Pipelines, and a generic installer.
Sigstore keyless signing — checksums.txt is signed via Sigstore (Fulcio + Rekor) using this workflow's GitHub OIDC identity. No secrets, no keys
to rotate.
Installation
macOS / Linux
curl -sSfL https://github.com/Security-Phoenix-demo/blue-shield-firewall/releases/download/v0.1.0/phoenix-firewall-$(uname -s | tr A-Z
a-z)-$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
-o ~/.local/bin/phoenix-firewall
chmod +x ~/.local/bin/phoenix-firewall
phoenix-firewall --version
Windows — download phoenix-firewall-windows-amd64.exe from the assets below, place it on your PATH.
Get started
export PHOENIX_API_KEY=phx_...
eval $(phoenix-firewall --api-key $PHOENIX_API_KEY --ci)
npm install # protected
Get your API key at phxintel.security.
Verify integrity
sha256sum -c checksums-sha256.txt
Sigstore verification:
cosign verify-blob checksums-sha256.txt
--signature checksums-sha256.txt.sig
--certificate checksums-sha256.txt.pem
--certificate-oidc-issuer https://token.actions.githubusercontent.com
--certificate-identity-regexp "https://github.com/Security-Phoenix-demo/blue-shield-firewall"
Note on code signing
Binaries in this release are unsigned. Apple notarization and Windows EV code signing are pending procurement.
- macOS: if Gatekeeper blocks the binary, run xattr -d com.apple.quarantine phoenix-firewall after download, or allow it via System Settings →
Privacy & Security. - Windows: click More info → Run anyway if SmartScreen warns on first launch.
Integrity can be independently verified via the SHA-256 checksums and Sigstore signature above.