Phoenix Firewall v0.2.0
First public release of the Phoenix Security Blue Shield Firewall — an intelligence-driven supply chain firewall that intercepts package manager
traffic and blocks malicious packages before they execute.
What's included
MITM Proxy — sits transparently between your package manager and the registry. Intercepts npm, pip, yarn, pnpm, uv, and poetry traffic, evaluates
every package against the Phoenix Security MPI engine, and returns a 403 before installation if blocked.
Userland shim mode (--ci) — wraps package manager commands with no root or MDM required. Works on developer machines and CI runners alike.
14-condition rules engine — per-tenant policy rules with AND/OR logic and action precedence: block > require_approval > warn > audit > allow.
Conditions include MPI confidence score, signal IDs, threat type, package age, MITRE techniques, license category, and more.
LaunchAgent / systemd-user / schtasks — optional persistent background service installation for macOS, Linux, and Windows without system
privileges.
Local ED25519 bypass tokens — signed offline exception tokens for air-gapped or controlled environments.
Offline / fallback feed mode — --fallback-feed for air-gapped environments using a locally cached blocklist.
CI/CD integrations — GitHub Actions, GitLab CI, Jenkins, Azure DevOps, Bitbucket Pipelines, and a generic installer.
Sigstore keyless signing — checksums.txt is signed via Sigstore (Fulcio + Rekor) using this workflow's GitHub OIDC identity. No secrets, no keys
to rotate.
Installation
macOS / Linux
curl -sSfL https://github.com/Security-Phoenix-demo/blue-shield-firewall/releases/download/v0.1.0/phoenix-firewall-$(uname -s | tr A-Z
a-z)-$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
-o ~/.local/bin/phoenix-firewall
chmod +x ~/.local/bin/phoenix-firewall
phoenix-firewall --version
Windows — download phoenix-firewall-windows-amd64.exe from the assets below, place it on your PATH.
Get started
export PHOENIX_API_KEY=phx_...
eval $(phoenix-firewall --api-key $PHOENIX_API_KEY --ci)
npm install # protected
Get your API key at phxintel.security.
Verify integrity
sha256sum -c checksums-sha256.txt
Sigstore verification:
cosign verify-blob checksums-sha256.txt
--signature checksums-sha256.txt.sig
--certificate checksums-sha256.txt.pem
--certificate-oidc-issuer https://token.actions.githubusercontent.com
--certificate-identity-regexp "https://github.com/Security-Phoenix-demo/blue-shield-firewall"
Note on code signing
Binaries in this release are unsigned. Apple notarization and Windows EV code signing are pending procurement.
- macOS: if Gatekeeper blocks the binary, run xattr -d com.apple.quarantine phoenix-firewall after download, or allow it via System Settings →
Privacy & Security. - Windows: click More info → Run anyway if SmartScreen warns on first launch.
Integrity can be independently verified via the SHA-256 checksums and Sigstore signature above.