
Releases: duncatzat/vigils

Vigils v0.2.0-beta.1 (Pre-release)

11 Jun 10:39

First public beta. Vigil grows from "MCP gateway only" into a local data-flow control plane:
the vigil-hub hook extends secret protection to an agent CLI's native tool calls
(Bash / Edit / …), covering Claude Code + Codex + Gemini + Cursor — not just MCP servers.
We're shipping it as a beta to gather real-world feedback: run vigil-hub setup, try the
postures, and tell us anything surprising. Bug reports welcome.

⚠️ Behavior change (BREAKING for defaults)

  • Default install surface is now the hook. vigil-hub setup (no flags) registers the
    agent-CLI hook by default (Claude as the primary surface, plus any detected Codex / Gemini /
    Cursor) instead of MCP wrapping. MCP wrap is demoted to the explicit setup --mcp (its
    code and behavior are fully preserved — use it when you only want to protect an MCP tool
    flow). setup --all still does both in one step.
  • Default posture is Low. A secret:// placeholder reaching a native tool is allowed
    at Low (α1 used to always deny). Three tiers: Low (deny only the highest risk — bare
    hard-fingerprint secrets — plus a reserved ledger-tamper tier whose detection isn't wired
    yet) / Medium (+ placeholder ask) / High
    (= the old enforce, deny everything). A bare real credential is denied in every tier (a
    non-negotiable floor). Switch with vigil-hub posture set|show.
  • A hook ask is now co-approval. At Medium, a placeholder's ask enters Vigil's approval
    queue with a bounded wait; both Vigil (desktop / CLI) and the tool chain's own UI can
    approve — first approver wins (atomic state-machine arbitration), and it falls back to the
    tool-chain prompt on timeout. The MCP-wrap approval-queue behavior is unchanged.

Added

  • Multi-agent hook adapter (hook.rs): a normalization layer that maps event and field
    names across Claude / Codex / Gemini / Cursor, then routes the response per CLI (Claude
    deny = exit 2 + stderr; Codex / Gemini / Cursor = exit 0 + each one's JSON contract). A
    bare secret is denied on any tool (including mcp__*) — the single defense-in-depth line.
  • Multi-agent hook registration (setup_hooks.rs): Codex ($CODEX_HOME/hooks.json),
    Gemini (~/.gemini/settings.json), and Cursor surfaces, each idempotent, with --uninstall
    removing only Vigil's own entries. If Codex config.toml has [features] hooks = false,
    setup warns and never rewrites it. The Claude surface is completed (PreToolUse +
    PostToolUse + timeout).
  • vigil-hub posture show|set <low|medium|high>: a turnkey entry to the three tiers
    (atomic config write + an audit event for every change).
  • Execution-boundary injection (α2): on PreToolUse, a secret://<alias> placeholder inside
    a boundary tool (Bash / shell) is resolved to its real value via a lease and rewritten
    inline into updatedInput for the host to execute — the model transcript only ever
    sees the placeholder. Claude only (the CLI proven to honor updatedInput). Real values
    never reach audit / stderr / notes (sha256 fingerprints only).
  • PostToolUse result re-redaction: before a boundary tool's result returns to the LLM, the
    real values of declared secrets are reverse-substituted back to secret://<alias> (plus a
    hard-fingerprint scrub as defense-in-depth), via Claude's updatedToolOutput. A declared
    secret that can't be resolved, or any residue found on self-check, triggers a fail-closed
    truncation.
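The PostToolUse re-redaction path above (reverse substitution, hard-fingerprint scrub, fail-closed truncation on an unresolved secret or on residue) as an added illustration; this is not Vigil's code. `has_hard_fingerprint` is a constructed stand-in for the real detector (it only recognises an `sk-live-` prefix followed by 16 or more alphanumerics), and the alias/value pairs and sample tool outputs are constructed.

```rust
/// Outcome of re-redacting a boundary tool's result before it is handed back to the model.
#[derive(Debug, PartialEq)]
pub enum Redacted {
    /// Every declared real value was reverse-substituted and the self-check found no residue.
    Clean(String),
    /// Fail-closed: the tool output is dropped and replaced by this value-free reason.
    Truncated(String),
}

/// A declared secret: the alias the model sees, and the real value as resolved from the value
/// backend (`None` when resolution failed, which must fail closed).
pub struct Declared {
    pub alias: String,
    pub value: Option<String>,
}

/// Stand-in for the hard-fingerprint scrub (assumption: a constructed `sk-live-` prefix followed
/// by at least 16 alphanumerics counts as a bare credential; Vigil's real detector is not shown).
pub fn has_hard_fingerprint(text: &str) -> bool {
    let mut rest = text;
    while let Some(i) = rest.find("sk-live-") {
        let tail = &rest[i + "sk-live-".len()..];
        let run = tail.chars().take_while(|c| c.is_ascii_alphanumeric()).count();
        if run >= 16 {
            return true;
        }
        rest = tail;
    }
    false
}

/// Reverse-substitute real values back to `secret://<alias>`, then self-check the result.
/// An unresolved declaration or any leftover residue converges on truncation, never on an error.
pub fn re_redact(output: &str, declared: &[Declared]) -> Redacted {
    let mut resolved: Vec<(&str, &str)> = Vec::with_capacity(declared.len());
    for d in declared {
        match d.value.as_deref() {
            Some(v) if !v.is_empty() => resolved.push((v, d.alias.as_str())),
            _ => return Redacted::Truncated(format!("unresolved declared secret {}", d.alias)),
        }
    }
    // Longest values first, so a value that is a prefix of another cannot leave a fragment behind.
    resolved.sort_by(|a, b| b.0.len().cmp(&a.0.len()));

    let mut text = output.to_string();
    for &(value, alias) in &resolved {
        text = text.replace(value, &format!("secret://{alias}"));
    }
    // Self-check: a real value still present (e.g. re-created by a substitution), or a bare
    // hard-fingerprint secret that was never declared, is residue and fails closed.
    for &(value, alias) in &resolved {
        if text.contains(value) {
            return Redacted::Truncated(format!("residue for alias {alias} after substitution"));
        }
    }
    if has_hard_fingerprint(&text) {
        return Redacted::Truncated("undeclared hard-fingerprint secret in tool output".into());
    }
    Redacted::Clean(text)
}

fn main() {
    // Constructed sample: a shell command echoed a token the model only knows as secret://gh.
    let declared = [Declared { alias: "gh".into(), value: Some("ghp_constructed0123456789".into()) }];
    println!("{:?}", re_redact("auth: ghp_constructed0123456789 (ok)", &declared));
    println!("{:?}", re_redact("leak: sk-live-ABCDEFGHIJKLMNOP1234", &declared));
}
```

The second self-check loop is what makes the scheme fail closed rather than best-effort: a declared value of `secret` would be re-created by its own replacement text, and the check catches that case instead of returning a partially redacted result.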

Security invariants

  • Fail-closed by construction: the hook never returns an error or panics; a parse failure,
    an injection failure, a re-redaction failure, or a missing ledger all converge to
    deny-or-truncate (deny is exit 2 — exit 1 is fail-open and is never used to block).
  • Zero plaintext: a real value is exposed at a single point and flows straight to its
    injection target / re-redaction substitution; audit, reasons, notes, and stderr only ever
    carry the alias name + a sha256. Byte-level E2E confirms real values never hit disk.
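An added example, not Vigil's hook.rs, of the decision table from the Behavior change section (bare secret denied in every tier; placeholder allow / ask / deny by posture) together with the per-CLI response contract and the fail-closed invariant above: every failure is an ordinary input that decides Deny, a panic is caught and also becomes Deny, and no path returns exit code 1. The `tool=<name>;input=<text>` event format, the `sk-live-` marker and the JSON field names are constructed placeholders, not the real payloads or any CLI's contract.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};

/// The three posture tiers; High is the old `enforce`.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Posture { Low, Medium, High }

/// What the adapter found in a normalized PreToolUse event. Carries no payload, so its
/// Debug form is safe to put in a reason string.
#[derive(Debug, PartialEq)]
pub enum Observation {
    BareSecret,    // a real credential matched by hard fingerprint: denied in every tier
    Placeholder,   // a `secret://<alias>` placeholder reaching a native tool
    Nothing,
    ParseFailure,  // the event payload could not be parsed
    MissingLedger, // the audit ledger is unavailable
}

#[derive(Debug, PartialEq)]
pub enum Decision { Allow, Ask, Deny }

/// The decision table. Failures are inputs here, not errors, so they converge on Deny.
pub fn decide(posture: Posture, obs: &Observation) -> Decision {
    match obs {
        Observation::BareSecret => Decision::Deny,
        Observation::ParseFailure | Observation::MissingLedger => Decision::Deny,
        Observation::Placeholder => match posture {
            Posture::Low => Decision::Allow,
            Posture::Medium => Decision::Ask,
            Posture::High => Decision::Deny,
        },
        Observation::Nothing => Decision::Allow,
    }
}

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Cli { Claude, Codex, Gemini, Cursor }

/// What the hook process emits. `reason` is already value-free (alias + sha256 only).
#[derive(Debug, PartialEq)]
pub struct Response { pub exit_code: i32, pub stderr: Option<String>, pub stdout_json: Option<String> }

/// Per-CLI contract: Claude deny = exit 2 + stderr; the others = exit 0 + a JSON body
/// (assumption: the JSON field names are placeholders for each CLI's real contract).
pub fn render(cli: Cli, decision: &Decision, reason: &str) -> Response {
    let verb = match decision { Decision::Allow => "allow", Decision::Ask => "ask", Decision::Deny => "deny" };
    match (cli, decision) {
        (Cli::Claude, Decision::Deny) => Response { exit_code: 2, stderr: Some(reason.to_string()), stdout_json: None },
        (Cli::Claude, _) => Response { exit_code: 0, stderr: None, stdout_json: None },
        _ => Response {
            exit_code: 0,
            stderr: None,
            stdout_json: Some(format!("{{\"decision\":\"{verb}\",\"reason\":\"{reason}\"}}")),
        },
    }
}

/// Constructed event format `tool=<name>;input=<text>` (assumption, standing in for the real
/// JSON payload). Anything else is a parse failure.
pub fn observe(raw: &str) -> Observation {
    let rest = match raw.strip_prefix("tool=") {
        Some(r) => r,
        None => return Observation::ParseFailure,
    };
    let input = match rest.split_once(";input=") {
        Some((_tool, input)) => input,
        None => return Observation::ParseFailure,
    };
    if input.contains("sk-live-") { return Observation::BareSecret; } // constructed fingerprint marker
    if input.contains("secret://") { return Observation::Placeholder; }
    Observation::Nothing
}

/// One hook turn. A panic anywhere inside is caught and converted to a deny, so the process
/// never surfaces an error to the agent and never exits 1 (fail-open).
pub fn run_hook(cli: Cli, posture: Posture, ledger_present: bool, raw_event: &str) -> Response {
    let result = catch_unwind(AssertUnwindSafe(|| {
        let obs = if ledger_present { observe(raw_event) } else { Observation::MissingLedger };
        let decision = decide(posture, &obs);
        let reason = format!("{:?} -> {:?}", obs, decision);
        render(cli, &decision, &reason)
    }));
    result.unwrap_or_else(|_| render(cli, &Decision::Deny, "internal failure (fail-closed)"))
}

fn main() {
    println!("{:?}", run_hook(Cli::Claude, Posture::Medium, true, "tool=Bash;input=curl -H secret://gh"));
    println!("{:?}", run_hook(Cli::Codex, Posture::Low, true, "garbage"));
}
```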

Known scope limitations (this beta)

  • Re-redaction covers only a boundary tool's direct result; it does not track a secret's
    second-order propagation (a boundary command writes to disk → a non-boundary tool reads
    it back). Full coverage needs egress-side (model-API proxy) interception.
  • inject / re-redact use the OS keyring as the value backend, but keyring population has no
    turnkey CLI entry yet (the next increment); injection currently requires registering the
    hook command with --inject --secrets by hand.
  • A full real-machine dual-CLI (Claude Code + Codex live) inject / re-redact round-trip is
    still pending a controlled environment; the binary layer and unit tests already cover every
    decision and protocol shape.

Also in this release — bug fixes

  • DEF-004: the firewall's project boundary now actually binds — --project-root flag,
    defaulting to the gateway's working directory. Found in real-machine testing.
    • The bug: every production entrypoint (serve / wrap / demo / desktop embed) started
      the firewall with an empty set of project roots, and the policy engine's Outside
      condition is vacuously true on an empty set — so the built-in deny-outside-project rule
      (priority 150) treated the entire filesystem as "outside the project", while its
      counterpart approve-repo-write (priority 80) could never match. The Inside/Outside
      boundary semantics were inverted wholesale: any call recognized as a filesystem write was
      hard-denied in every posture (monitor only downgrades the default-deny floor, not
      explicit Deny rules), with an audit reason that falsely claimed "writes OUTSIDE project".
      It went unnoticed for so long because most wrapped third-party tool names aren't in the
      effect-extraction vocabulary — no FsWrite extracted, rule never fired, calls fell to the
      floor and were observe-allowed under monitor.
    • Fail-safe guard in the policy engine: with empty roots, Outside no longer asserts
      "outside the project" (it doesn't match), so writes fall to the default-deny floor —
      still fail-closed, and the audit reason is now the honest "no rule matched" instead of a
      fabricated boundary violation. The risk scorer follows the same semantics (no more +30
      "outside-project write" score on empty roots), and its root matching is now
      case-insensitive on Windows, aligned with the policy engine.
    • serve / wrap accept a repeatable --project-root <DIR>; omitted, the boundary
      defaults to the process working directory (agents launch the gateway inside the project,
      matching git/cargo directory semantics). Roots are normalized to the same POSIX form the
      path extractor emits (canonicalized, backslashes converted to forward slashes, \\?\ prefix
      stripped) — without this, prefix comparison on Windows silently never matches and the
      boundary is inert.
    • Visible change under enforce: writes inside the boundary now route to the
      approve-repo-write approval queue (previously hard-denied); writes outside are still
      blocked by deny-outside-project, with the reason pointing at a real boundary violation.
    • The startup banner prints the bound boundary (project boundary -> <roots> / NONE),
      so a gateway spawned from the wrong directory is visible at a glance.
    • SDK FirewallBuilder::project_roots normalizes roots in build() the same way, so
      native-form paths (C:\proj) from consumers compare correctly.
    • demo / desktop embed intentionally keep empty roots (self-contained simulation / no
      meaningful CWD for a GUI); the engine guard covers them. Adversarially reviewed.
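The DEF-004 mechanics as an added worked example, not the firewall's code: `outside_before_fix` keeps the vacuous-truth defect for comparison, `outside` is the engine guard, and `evaluate_fs_write` orders the two built-in rules and the default-deny floor as the notes describe. Normalization is the assumed subset (backslash to slash, `\\?\` prefix stripped, trailing slash dropped, case-folded on Windows) and skips real canonicalization so it runs offline; the rule reasons and paths are constructed.

```rust
/// Normalize a root or path to a POSIX-style form (assumption: backslashes become slashes, a
/// Windows `\\?\` prefix is stripped, trailing slashes are dropped, and on Windows the comparison
/// is case-insensitive). Filesystem canonicalization is omitted so the example runs offline.
pub fn normalize(p: &str) -> String {
    let mut s = p.replace('\\', "/");
    if let Some(rest) = s.strip_prefix("//?/") {
        s = rest.to_string();
    }
    while s.len() > 1 && s.ends_with('/') {
        s.pop();
    }
    if cfg!(windows) {
        s = s.to_lowercase();
    }
    s
}

/// Bind the roots the way serve / wrap do: normalize each one once, at startup.
pub fn bind_roots(raw: &[&str]) -> Vec<String> {
    raw.iter().map(|r| normalize(r)).collect()
}

/// Prefix comparison on a path boundary, so `/home/u/proj2` is not under `/home/u/proj`.
fn under(path: &str, root: &str) -> bool {
    path == root || path.starts_with(&format!("{root}/"))
}

/// Pre-fix semantics, kept only to show the defect: "outside" was "not inside any root",
/// which is vacuously true when no roots are bound.
pub fn outside_before_fix(path: &str, roots: &[String]) -> bool {
    let p = normalize(path);
    !roots.iter().any(|r| under(&p, r))
}

/// Fixed semantics: with no roots bound, `Outside` does not match at all.
pub fn outside(path: &str, roots: &[String]) -> bool {
    if roots.is_empty() {
        return false;
    }
    let p = normalize(path);
    !roots.iter().any(|r| under(&p, r))
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    /// Matched approve-repo-write (priority 80): routed to the approval queue under enforce.
    ApproveQueue,
    /// Hard denied, with the reason the audit ledger will carry.
    Deny(&'static str),
}

/// The two built-in rules that matter here, in priority order, with the default-deny floor
/// underneath. Reason strings are constructed for the example.
pub fn evaluate_fs_write(path: &str, roots: &[String]) -> Verdict {
    if outside(path, roots) {
        return Verdict::Deny("deny-outside-project (150): write outside project boundary");
    }
    let p = normalize(path);
    if roots.iter().any(|r| under(&p, r)) {
        return Verdict::ApproveQueue;
    }
    Verdict::Deny("no rule matched (default-deny floor)")
}

fn main() {
    let roots = bind_roots(&["/home/u/proj"]);
    println!("{:?}", evaluate_fs_write("/home/u/proj/src/main.rs", &roots));
    println!("{:?}", evaluate_fs_write("/etc/passwd", &roots));
    // The defect: with empty roots the old predicate called everything "outside the project".
    println!("before fix, empty roots: outside = {}", outside_before_fix("/home/u/proj/a", &[]));
    println!("after fix,  empty roots: {:?}", evaluate_fs_write("/home/u/proj/a", &[]));
}
```

Both predicates still deny a write when no roots are bound; the difference is the audit reason, which is why the defect stayed hidden under monitor (no explicit rule fired, so calls fell to the floor) and only surfaced as an inverted boundary under enforce.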

Chinese version

First public beta. Vigil grows from "MCP gateway only" into a local data-flow control plane:
the vigil-hub hook extends secret protection to an agent CLI's native tool calls
(Bash / Edit / …), covering Claude Code + Codex + Gemini + Cursor, no longer limited to MCP
servers. We are releasing it as a beta to gather real-world feedback: run vigil-hub setup,
try the three postures, and tell us about anything surprising. Bug reports welcome.

⚠️ Behavior change (affects defaults)

  • The default install surface is now the hook. vigil-hub setup (no flags) registers the
    agent CLI hook by default (Claude as the primary surface, plus any detected
    Codex / Gemini / Cursor) and no longer defaults to MCP wrap. MCP wrap is demoted to the
    explicit setup --mcp (code and behavior fully preserved; use it when you only want to
    protect an MCP tool flow). setup --all still does both in one step.
  • The default posture is Low. A secret:// placeholder reaching a native tool is allowed at
    Low (in α1 it was always denied). Three tiers: Low (block only the highest risk: bare
    hard-fingerprint secrets; a ledger-tamper tier is reserved in the decision table but its
    detection isn't wired yet) / Medium (+ placeholder ask) / High (= the old enforce, deny
    everything). A bare real credential is denied in every tier (a hard floor that cannot be
    downgraded). Switch with vigil-hub posture set|show.
  • A hook ask is now co-approval. At Medium, a placeholder's ask enters Vigil's approval
    queue with a bounded wait; both Vigil (desktop / CLI) and the tool chain's own UI can
    approve, the first approver wins (atomic arbitration by the approval state machine), and
    it falls back to the tool-chain prompt on timeout. The MCP-wrap approval-queue behavior is
    unchanged.

Added

  • Multi-agent hook adapter (hook.rs): a normalization layer that maps event and field names
    across Claude / Codex / Gemini / Cursor, then routes the response per CLI (Claude deny =
    exit 2 + stderr; Codex / Gemini / Cursor = exit 0 + each one's JSON contract). A bare
    secret is always denied on any tool (including mcp__*), the single defense-in-depth line.
  • Multi-agent hook registration (setup_hooks.rs): Codex ($CODEX_HOME/hooks.json), Gemini
    (~/.gemini/settings.json), and Cursor surfaces, each idempotent; --uninstall removes only
    Vigil's own entries. If Codex config.toml has [features] hooks = false, setup only warns
    and never rewrites it. The Claude surface is completed (PreToolUse + PostToolUse + timeout).
  • vigil-hub posture show|set <low|medium|high>: a turnkey entry to the three tiers (atomic
    config write + one audit event per change).
  • Execution-boundary injection (α2): on PreToolUse, a secret://<alias> placeholder inside a
    boundary tool (Bash / shell) is resolved to its real value under a lease and rewritten
    inline into updatedInput for the host to execute; the model transcript only ever sees the
    placeholder. Claude only (the CLI proven to support updatedInput). Real values never reach
    audit / stderr / notes (sha256 fingerprints only).
  • PostToolUse result re-redaction: before a boundary tool's result returns to the LLM, the
    real values of declared secrets are reverse-substituted back to secret://<alias> (+ a
    hard-fingerprint scrub as defense-in-depth), rewritten via Claude's updatedToolOutput. A
    declared secret that can't be resolved, or any residue found on self-check, triggers a
    fail-closed truncation.

Security invariants

  • Fail-closed by construction: the hook never returns an error or panics; a parse failure,
    an injection failure, a re-redaction failure, or a missing ledger all converge to deny or
    truncate (deny uses exit 2; exit 1 is fail-open and is never used to block).
  • Zero plaintext: a real value is exposed at a single point and flows straight to its
    injection target / re-redaction substitution; audit, reasons, notes, and stderr only ever
    carry the alias name + a sha256. Byte-level E2E verifies real values never hit disk.

Known scope limitations (this beta)

  • Re-redaction covers a boundary tool's direct result; it does not track...

Vigils v0.1.34

09 Jun 13:35


Bug fixes from real-machine testing of the Claude Code / Codex integration.

  • Desktop Activity Feed now reflects CLI-written events (DEF-001). Root cause was a
    ledger-path mismatch: the integration guide pointed at ledger.sqlite while the desktop
    reads ledger.sqlite3, so the CLI and the desktop used two different files and the feed
    stayed empty (the live watcher itself was fine). Fixed the bilingual integration guide;
    serve/wrap now print the resolved ledger absolute path at startup and warn loudly when
    an in-memory ledger is used (which the desktop cannot see).
  • setup --mcp no longer nests-wraps Vigil's own server (DEF-002). The documented
    vigil-hub serve self-entry was mis-classified as wrappable, producing a wrap-around-serve
    nested gateway. setup now skips Vigil's own serve/wrap entries, and already-wrapped
    detection no longer depends on the binary's filename, so a renamed/versioned binary's wrap
    isn't double-wrapped. Reversible via --uninstall. Adversarially reviewed.

No changes to the production protection paths (firewall / redaction / audit). Build
provenance + checksums on every artifact as usual.


Chinese version

Bug fixes found during real-machine testing of the Claude Code / Codex integration.

  • The desktop Activity Feed now reflects CLI-written events (DEF-001). The root cause was a
    ledger-path mismatch: the integration guide pointed at ledger.sqlite while the desktop
    reads ledger.sqlite3, so the CLI and the desktop used two different files and the Feed
    stayed empty (the live watcher itself was fine). The bilingual integration guide has been
    corrected; serve/wrap now print the resolved absolute ledger path at startup and warn
    loudly when an in-memory ledger (invisible to the desktop) is used.
  • setup --mcp no longer nest-wraps Vigil's own server (DEF-002). The documented vigil-hub
    serve self-referential entry was mis-classified as wrappable, producing a nested gateway
    with wrap around serve. setup now skips Vigil's own serve/wrap entries, and already-wrapped
    detection no longer depends on the binary's filename (a wrap written by a renamed or
    versioned binary is not double-wrapped). Reversible via --uninstall. Adversarially reviewed.

No changes to the production protection paths (firewall / redaction / audit). Every artifact
carries build provenance + checksums as usual.


Downloads — which file do I want?

  • Desktop app (most users): the installer for your OS — Windows Vigils_*_x64-setup.exe (or .msi), macOS Vigils_*.dmg, Linux .AppImage / .deb / .rpm. Gives you the GUI: Activity Feed, Approval Queue, Server Registry.
  • CLI gateway (put Vigils in front of an AI agent — Claude Code / Codex / Cursor / Zed): vigils-cli-<platform> (contains vigil-hub + vigil-native-host). This is the MCP proxy your agent connects to.
  • Browser extension (guard pasting/typing secrets into AI web apps, Chrome MV3): vigils-chrome-extension.zip — unzip, then load unpacked at chrome://extensions.
  • The .sig and Vigils.app.tar.gz files are desktop auto-updater artifacts — you do not need to download them.

New here? Full setup & agent-integration guide: https://duncatzat.github.io/vigils

Early releases are unsigned; your OS may show a Gatekeeper / SmartScreen prompt on first run.

Apache-2.0 · https://vigils.ai · Full changelog

Vigils v0.1.33

07 Jun 22:44


A guided first-run: vigil-hub quickstart.

Added

  • vigil-hub quickstart — one screen that tells a new user exactly what to do. After
    installing, it's not obvious what to run first. quickstart answers it, read-only (it
    changes nothing): it detects the AI agents on your machine (Claude Code, Codex, Cursor,
    Windsurf), counts their MCP servers, and shows how many are already behind Vigil vs. still
    unprotected — then points you at the three next steps: see it work (vigil-hub demo), protect
    everything with one reversible command (vigil-hub setup --all, or setup --mcp to preview
    first), and watch/verify (setup --mcp --doctor, vigil-hub verify, or the desktop app).
    Detection reuses the same read-only preview that setup --mcp uses, so it never edits a
    config — actually protecting your agents still requires an explicit setup --all.

Chinese version

A guided first run: vigil-hub quickstart

Added

  • vigil-hub quickstart: one screen that tells a new user what to do. After installing, it is
    not obvious what to run first. quickstart answers that, and it is read-only (it changes
    nothing): it detects the AI agents on your machine (Claude Code, Codex, Cursor, Windsurf),
    counts each one's MCP servers, and shows how many are already behind Vigil and how many
    are still unprotected; then it gives three steps: see it work (vigil-hub demo), protect
    everything with one reversible command (vigil-hub setup --all, or setup --mcp to preview
    first), and view/verify (setup --mcp --doctor, vigil-hub verify, or the desktop app).
    Detection reuses the same read-only preview as setup --mcp, so it never rewrites a config;
    actually protecting your agents still requires you to run setup --all explicitly.


Vigils v0.1.32

07 Jun 18:00


The audit checkpoint anchor (v0.1.31) now activates automatically.

Changed

  • The gateway auto-anchors the audit chain on shutdown. v0.1.31 added vigil-hub checkpoint
    to anchor the tamper-evident ledger against a full-chain rewrite, but a turnkey user (who runs
    setup --all / setup --mcp and never invokes it by hand) would never have an anchor — leaving
    that protection inert for them. Now vigil-hub serve and vigil-hub wrap emit a checkpoint
    automatically when the gateway shuts down, so every agent session leaves an anchor without any
    manual step. It's best-effort and never blocks shutdown (the write runs on a separate thread with
    a 5-second bound, so a wedged or network filesystem can't stall exit), writes only when there are
    new events, and prints to stderr (never the MCP channel). Run vigil-hub verify any time to check
    both chain-internal consistency and the anchors. (To fully close the threat, keep the
    <ledger>.checkpoints file append-only or synced offsite — see ADR 0020.)

Chinese version

The audit checkpoint anchor (v0.1.31) now takes effect automatically.

Changed

  • The gateway anchors the audit chain automatically on shutdown. v0.1.31 added vigil-hub
    checkpoint to anchor the tamper-evident ledger against a full-chain rewrite, but a turnkey
    user (who only runs setup --all / setup --mcp and never invokes it by hand) would never
    have an anchor, leaving that protection inert for them. Now vigil-hub serve and vigil-hub
    wrap automatically emit a checkpoint when the gateway shuts down, so every agent session
    leaves an anchor without any manual step. It is best-effort and never blocks shutdown (the
    write runs on a separate thread with a 5-second bound, so a wedged or network filesystem
    can't stall exit), writes only when there are new events, and prints to stderr (never
    polluting the MCP channel). Run vigil-hub verify at any time to check chain-internal
    consistency + the anchors. (To fully close the threat, make the <ledger>.checkpoints file
    append-only or sync it offsite; see ADR 0020.)


Vigils v0.1.31

07 Jun 17:21


Audit checkpoint anchoring — detect a full-chain rewrite of the tamper-evident ledger.

Added

  • vigil-hub checkpoint and vigil-hub verify — external anchoring against full-chain rewrite.
    The audit ledger's SHA-256 hash chain makes partial tampering evident, but an attacker with full
    write access to the database could rewrite the entire chain consistently and still pass internal
    verification (audit threat #7). vigil-hub checkpoint now records the current chain head into an
    append-only sidecar (<ledger>.checkpoints) kept separate from the database; vigil-hub verify
    checks chain-internal consistency and that every anchored head still matches — so a DB-only
    full-chain rewrite is detected (while the checkpoint file is intact), exiting non-zero on any tamper.
    Honest scope: this is not a tamper-proof guarantee against an attacker with full filesystem write
    access — for that, keep the .checkpoints file append-only (chattr +a) or synced offsite;
    verification reports Unanchored (never "verified") when no checkpoints exist. The embeddable
    vigil-audit gains the CheckpointLog API. The existing hash-chain digest and verify_chain are
    unchanged (purely additive). See ADR 0020.
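The checkpoint / verify scheme as an added example; this is not vigil-audit's CheckpointLog, and it assumes std's SipHash (`DefaultHasher`) as a dependency-free stand-in for the SHA-256 link digest. It builds a hash chain over constructed audit events, anchors the head in a separate append-only log, and then shows the threat the notes describe: a consistently rewritten chain passes `verify_chain` but fails against the anchor, while a ledger with no anchors reports Unanchored rather than verified.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Link digest. Assumption: std's SipHash stands in for SHA-256 so the example has no
/// dependencies; a real ledger must use a cryptographic hash.
fn digest(prev: &str, seq: u64, payload: &str) -> String {
    let mut h = DefaultHasher::new();
    prev.hash(&mut h);
    seq.hash(&mut h);
    payload.hash(&mut h);
    format!("{:016x}", h.finish())
}

#[derive(Clone, Debug)]
pub struct Event { pub seq: u64, pub payload: String, pub prev: String, pub digest: String }

/// The tamper-evident ledger: each event's digest covers the previous digest.
#[derive(Clone, Debug, Default)]
pub struct Ledger { pub events: Vec<Event> }

impl Ledger {
    pub fn append(&mut self, payload: &str) {
        let seq = self.events.len() as u64;
        let prev = self.events.last().map(|e| e.digest.clone()).unwrap_or_default();
        let digest = digest(&prev, seq, payload);
        self.events.push(Event { seq, payload: payload.to_string(), prev, digest });
    }

    /// Chain-internal consistency only: every link recomputes and points at its predecessor.
    pub fn verify_chain(&self) -> bool {
        let mut prev = String::new();
        for e in &self.events {
            if e.prev != prev || e.digest != digest(&prev, e.seq, &e.payload) {
                return false;
            }
            prev = e.digest.clone();
        }
        true
    }

    pub fn head(&self) -> Option<(u64, String)> {
        self.events.last().map(|e| (e.seq, e.digest.clone()))
    }

    /// What full write access to the database permits: edit events and rebuild every link so
    /// that `verify_chain` still passes (audit threat #7).
    pub fn rewritten_consistently(&self, edit: impl Fn(&str) -> String) -> Ledger {
        let mut forged = Ledger::default();
        for e in &self.events {
            forged.append(&edit(&e.payload));
        }
        forged
    }
}

/// The append-only sidecar (`<ledger>.checkpoints`): (seq, head digest) pairs kept apart from the DB.
#[derive(Debug, Default)]
pub struct CheckpointLog { pub anchors: Vec<(u64, String)> }

/// `vigil-hub checkpoint`: record the current head, but only when there are new events.
pub fn checkpoint(ledger: &Ledger, log: &mut CheckpointLog) -> bool {
    let last_anchored = log.anchors.last().map(|a| a.0);
    match ledger.head() {
        Some((seq, d)) if last_anchored.map_or(true, |l| seq > l) => {
            log.anchors.push((seq, d));
            true
        }
        _ => false,
    }
}

#[derive(Debug, PartialEq)]
pub enum Verification { Unanchored, Verified, Tamper(String) }

/// `vigil-hub verify`: chain-internal consistency plus every anchored head still matching.
/// With no anchors the honest answer is `Unanchored`, never "verified".
pub fn verify(ledger: &Ledger, log: &CheckpointLog) -> Verification {
    if !ledger.verify_chain() {
        return Verification::Tamper("chain-internal inconsistency".into());
    }
    if log.anchors.is_empty() {
        return Verification::Unanchored;
    }
    for (seq, anchored) in &log.anchors {
        match ledger.events.get(*seq as usize) {
            Some(e) if &e.digest == anchored => {}
            Some(_) => return Verification::Tamper(format!("anchored head at seq {seq} no longer matches")),
            None => return Verification::Tamper(format!("anchored seq {seq} is missing from the ledger")),
        }
    }
    Verification::Verified
}

fn main() {
    let mut ledger = Ledger::default();
    for p in ["tool=fs.read path=a.txt", "tool=git.push decision=deny", "tool=fetch decision=allow"] {
        ledger.append(p); // constructed audit events
    }
    let mut log = CheckpointLog::default();
    println!("{:?}", verify(&ledger, &log)); // Unanchored
    checkpoint(&ledger, &mut log);
    println!("{:?}", verify(&ledger, &log)); // Verified
    let forged = ledger.rewritten_consistently(|p| p.replace("decision=deny", "decision=allow"));
    println!("chain ok: {}, verify: {:?}", forged.verify_chain(), verify(&forged, &log));
}
```

The detection rests entirely on the sidecar being out of the attacker's reach, which is why the notes say to keep it append-only or offsite: an attacker who can rewrite both files simply re-anchors the forged head.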

Chinese version

Audit checkpoint anchoring: detect a full-chain rewrite of the tamper-evident ledger.

Added

  • vigil-hub checkpoint and vigil-hub verify: external anchoring against full-chain rewrite.
    The audit ledger's SHA-256 hash chain makes partial tampering visible, but an attacker
    holding full write access to the database can rewrite the whole chain consistently and
    still pass internal verification (audit threat #7). vigil-hub checkpoint now records the
    current chain head into an append-only sidecar kept separate from the database
    (<ledger>.checkpoints); vigil-hub verify checks both chain-internal consistency and that
    every anchor still matches: as long as the checkpoint file is intact, a DB-only full-chain
    rewrite is detected, and any tamper found exits non-zero. Honest boundary: this is not a
    tamper-proof guarantee against someone with full filesystem write access; for that, make
    .checkpoints append-only (chattr +a) or sync it offsite. With no anchors, verification
    reports Unanchored (never "verified"). The embeddable vigil-audit gains the CheckpointLog
    API. The existing hash-chain digest and verify_chain are unchanged (purely additive). See
    ADR 0020.



Vigils v0.1.30

07 Jun 11:47


--doctor now health-checks every agent, not just Claude.

Added

  • setup --mcp --doctor now covers all four agent surfaces. The read-only launch-health preflight —
    which answers "after wrapping, can each MCP server's underlying program still start in this
    environment?" — previously checked only Claude Code's servers. It now checks Claude (user +
    per-project), Codex, Cursor, and Windsurf in one pass, each row tagged by agent. --doctor --probe
    likewise runs a real MCP-handshake test for servers across all four. It sees through Vigil's wrapping —
    it checks the underlying program (e.g. npx / uvx / python), not vigil-hub itself. This directly
    answers the most common worry after setup --all: "did wrapping break any of my tools?"

Fixed / Security

  • A broken (malformed or unreadable) config for a non-Claude agent is now reported as a counted doctor
    failure with an accurate cause (parse failure vs permission/IO error), instead of being silently
    skipped — so --doctor can no longer claim "all servers resolve" while an entire agent surface went
    unchecked. All diagnostic output (including config paths) is scrubbed before printing.

Chinese version

--doctor now health-checks every agent, not just Claude.

Added

  • setup --mcp --doctor now covers all four agent surfaces. This read-only launch-health
    preflight, which answers "after wrapping, can each MCP server's underlying program still
    start in this environment?", previously checked only Claude Code's servers. It now checks
    Claude (user + per-project), Codex, Cursor, and Windsurf in one pass, with each row tagged
    by agent. --doctor --probe likewise runs a real MCP-handshake test against the servers of
    all four surfaces. It sees through Vigil's wrapping: what it checks is the underlying
    program (e.g. npx / uvx / python), not vigil-hub itself. This directly answers the most
    common worry after setup --all: "did wrapping break my tools?"

Fixed / Security

  • A broken (unparseable or unreadable) config for a non-Claude agent is now reported as a
    counted doctor failure with an accurate cause (parse failure vs permission/IO error)
    instead of being silently skipped, so --doctor can no longer claim "all servers resolve"
    while an entire agent surface went unchecked. All diagnostic output (including config
    paths) is scrubbed before printing.


Vigils v0.1.29

07 Jun 10:45


Cursor and Windsurf are protected now too — four agent surfaces from one command.

Added

  • setup --mcp now protects Cursor and Windsurf, not just Claude Code and Codex. vigil-hub setup --mcp (preview / --apply / --uninstall) and the all-in-one setup --all now also detect and wrap
    the stdio MCP servers in Cursor's ~/.cursor/mcp.json and Windsurf's
    ~/.codeium/windsurf/mcp_config.json. One command now protects all four agent surfaces you might
    have. Both reuse the exact same gateway wrap (result redaction + raw-secret block + tamper-evident
    audit, default monitor posture), reversibly — --uninstall restores the originals. Each server gets a
    cursor-<name> / windsurf-<name> gateway id, namespace-disjoint from the Claude user-/local-
    and Codex codex- ids so the same server name across agents never collides in the shared audit ledger.

Security

  • Cursor and Windsurf use the very same JSON mcpServers shape as Claude's user scope, so the new code
    reuses the same classifier and safe-edit machinery (sentinel exact-match, dangerous-character
    rejection, non-stdio skip, server-id validation, atomic write + backup). Two hardenings to the shared
    path: a remote server declared with Windsurf's serverUrl field (not just url) is now correctly
    skipped instead of mistaken for stdio; and a config file that exists but can't be read (e.g. a
    permission error) is now reported as a real error instead of being silently treated as "not
    configured" — so an inaccessible config is never silently left unprotected. Reviewed adversarially.
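The shared classifier and wrap path described in this release and in v0.1.28 below, as an added example rather than Vigil's setup code: namespace-disjoint gateway ids, the `url` / `serverUrl` remote skip, server-name and dangerous-character rejection, sentinel exact-match for idempotent wrapping, and a sentinel-gated restore for --uninstall. The sentinel token, the `wrap --id <id> <sentinel> -- <command…>` argument layout and the sample entries are constructed; config files are not parsed here (entries are plain structs), so the atomic write + backup step is out of scope.

```rust
/// One entry from an agent's `mcpServers` map (the fields the classifier looks at).
#[derive(Clone, Debug, PartialEq)]
pub struct ServerEntry {
    pub name: String,
    pub command: Option<String>,
    pub args: Vec<String>,
    pub url: Option<String>,        // remote server, Claude / Cursor style
    pub server_url: Option<String>, // remote server, Windsurf's `serverUrl`
}

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Agent { ClaudeUser, ClaudeLocal, Codex, Cursor, Windsurf }

/// Namespace-disjoint gateway ids, so the same server name across agents never collides in
/// the shared audit ledger.
pub fn gateway_id(agent: Agent, name: &str) -> String {
    let prefix = match agent {
        Agent::ClaudeUser => "user",
        Agent::ClaudeLocal => "local",
        Agent::Codex => "codex",
        Agent::Cursor => "cursor",
        Agent::Windsurf => "windsurf",
    };
    format!("{prefix}-{name}")
}

/// Sentinel argument marking an entry Vigil already wrapped (assumption: constructed token).
pub const SENTINEL: &str = "--vigil-sentinel";

#[derive(Debug, PartialEq)]
pub enum Class { Stdio, Remote, AlreadyWrapped, Rejected(&'static str) }

/// Server-id validation: a conservative allow-list, since the name ends up in a gateway id.
pub fn valid_server_name(name: &str) -> bool {
    !name.is_empty() && name.chars().all(|c| c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.'))
}

pub fn classify(entry: &ServerEntry) -> Class {
    if !valid_server_name(&entry.name) {
        return Class::Rejected("server name contains disallowed characters");
    }
    // A remote server is declared by `url` or by Windsurf's `serverUrl`; either means "skip".
    if entry.url.is_some() || entry.server_url.is_some() {
        return Class::Remote;
    }
    match entry.command.as_deref() {
        None => Class::Rejected("stdio entry has no command"),
        // Sentinel exact-match makes the wrap idempotent; the binary's name alone is not enough.
        Some(_) if entry.args.iter().any(|a| a == SENTINEL) => Class::AlreadyWrapped,
        Some(cmd) if cmd.chars().any(|c| matches!(c, ';' | '|' | '&' | '`' | '$' | '\n')) => {
            Class::Rejected("dangerous character in command")
        }
        Some(_) => Class::Stdio,
    }
}

/// Rewrite a stdio entry to launch through the gateway (assumption: the argument layout
/// `wrap --id <id> <sentinel> -- <original command...>` is constructed for this example).
pub fn wrap(agent: Agent, entry: &ServerEntry, gateway_bin: &str) -> Result<ServerEntry, &'static str> {
    match classify(entry) {
        Class::AlreadyWrapped => Ok(entry.clone()),
        Class::Remote => Err("remote server: not wrapped"),
        Class::Rejected(why) => Err(why),
        Class::Stdio => {
            let mut args = vec!["wrap".to_string(), "--id".to_string(), gateway_id(agent, &entry.name), SENTINEL.to_string(), "--".to_string()];
            args.push(entry.command.clone().unwrap());
            args.extend(entry.args.iter().cloned());
            Ok(ServerEntry { command: Some(gateway_bin.to_string()), args, ..entry.clone() })
        }
    }
}

/// `--uninstall`: restore the original only from an entry that carries Vigil's own sentinel.
pub fn unwrap(entry: &ServerEntry) -> Option<ServerEntry> {
    let sep = entry.args.iter().position(|a| a == "--")?;
    if !entry.args[..sep].iter().any(|a| a == SENTINEL) {
        return None;
    }
    let (cmd, rest) = entry.args[sep + 1..].split_first()?;
    Some(ServerEntry { command: Some(cmd.clone()), args: rest.to_vec(), ..entry.clone() })
}

fn main() {
    // Constructed entry: a stdio server launched through npx.
    let fs = ServerEntry { name: "filesystem".into(), command: Some("npx".into()), args: vec!["-y".into(), "some-mcp-server".into()], url: None, server_url: None };
    let wrapped = wrap(Agent::Cursor, &fs, "vigil-hub").unwrap();
    println!("{:?}", wrapped);
    println!("wrap again is a no-op: {}", wrap(Agent::Cursor, &wrapped, "vigil-hub").unwrap() == wrapped);
    println!("restored: {}", unwrap(&wrapped) == Some(fs));
}
```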

Chinese version

Cursor and Windsurf are now protected too: one command covers four agent surfaces.

Added

  • setup --mcp now also protects Cursor and Windsurf, not just Claude Code and Codex.
    vigil-hub setup --mcp (preview / --apply / --uninstall) and the one-shot setup --all now
    also detect and wrap the stdio MCP servers in Cursor's ~/.cursor/mcp.json and Windsurf's
    ~/.codeium/windsurf/mcp_config.json. One command now covers all four agent surfaces you
    may have. Both reuse exactly the same gateway wrap (result redaction + bare-secret block +
    tamper-evident audit, default monitor posture), reversibly: --uninstall restores the
    originals. Each server gets a cursor-<name> / windsurf-<name> gateway id, namespace-disjoint
    from Claude's user-/local- and Codex's codex-, so the same server name across agents never
    gets confused in the shared audit ledger.

Security

  • Cursor and Windsurf use exactly the same JSON mcpServers shape as Claude's user scope, so
    the new code reuses the same classifier and safe-edit machinery (sentinel exact-match,
    dangerous-character rejection, non-stdio skip, server-id validation, atomic write + backup).
    Two hardenings to the shared path: a remote server declared with Windsurf's serverUrl field
    (rather than url) is now correctly skipped instead of being wrapped as stdio by mistake; and
    a config file that exists but can't be read (e.g. a permission error) now reports an error
    truthfully instead of being silently treated as "not configured", so an inaccessible config
    is never quietly left unprotected. Adversarially reviewed.


Vigils v0.1.28

07 Jun 10:01


One command now protects Codex too — not just Claude Code.

Added

  • setup --mcp now protects Codex CLI's MCP servers, not only Claude Code's. vigil-hub setup --mcp (preview / --apply / --uninstall) and the all-in-one setup --all now also detect and
    wrap the stdio MCP servers in Codex's ~/.codex/config.toml (the [mcp_servers.*] tables), in
    addition to Claude Code's ~/.claude.json. One command protects every agent surface you have. Each
    Codex server is rewritten to launch through the Vigil gateway (result redaction + raw-secret block +
    tamper-evident audit, default monitor posture), reversibly — --uninstall restores the originals.
    Edits are format-preserving: only the wrapped entry's command/args change; your comments,
    key order, env tables, and other settings (model, approval policy, …) are left exactly as they
    were. Codex servers get a codex-<name> gateway id, namespace-disjoint from the Claude
    user-/local- ids so the same server name across agents never collides in the shared audit ledger.

Security

  • The Codex path reuses the same classifier and safety machinery as the Claude path (sentinel
    exact-match for idempotency, dangerous-character rejection, non-stdio skip, server-id validation,
    abort-on-malformed-config with atomic write + backup) — one source of truth, no drift. env values
    are never copied into the rewritten command line (key names only) and never printed. Reviewed
    adversarially (two rounds): uninstall refuses a lossy restore of any hand-edited entry, and a failing
    Codex step after the Claude side already applied is reported honestly with recovery guidance.

Chinese version

One command now protects Codex too, not just Claude Code.

Added

  • setup --mcp now also protects Codex CLI's MCP servers, not just Claude Code's. vigil-hub
    setup --mcp (preview / --apply / --uninstall) and the one-shot setup --all now, in addition
    to Claude Code's ~/.claude.json, also detect and wrap the stdio MCP servers in Codex's
    ~/.codex/config.toml (the [mcp_servers.*] tables). One command protects every agent surface
    you have. Each Codex server is rewritten to launch through the Vigil gateway (result
    redaction + bare-secret block + tamper-evident audit, default monitor posture), reversibly:
    --uninstall restores the originals. The rewrite preserves formatting: only the wrapped
    entry's command/args change; your comments, key order, env tables, and other settings
    (model, approval policy, …) are left byte-for-byte untouched. Codex servers get a
    codex-<name> gateway id, namespace-disjoint from Claude's user-/local-, so the same server
    name across agents never gets confused in the shared audit ledger.

Security

  • The Codex path reuses exactly the same classifier and safety machinery as the Claude path
    (sentinel exact-match for idempotency, dangerous-character rejection, non-stdio skip,
    server-id validation, abort on a damaged config with atomic write + backup): one source of
    truth, no drift. env values are never copied into the rewritten command line (key names
    only) and never printed. Two rounds of adversarial review: uninstall refuses a lossy
    restore of any hand-edited entry; if the Codex step fails after the Claude side has already
    been applied, it is reported truthfully with recovery guidance.


Vigils v0.1.27

07 Jun 08:53


Verifiable supply chain, and a firewall that finally classifies risk on real MCP servers.

Added

  • Build-provenance attestation for every release artifact. The CLI archives, desktop
    installers, and the extension zip now carry a cryptographic SLSA build-provenance attestation
    (via GitHub OIDC + Sigstore — no key to manage). Verify any download with
    gh attestation verify <file> --repo duncatzat/vigils: it confirms the artifact was built by the
    official CI from this repository, closing the "swapped/tampered release" gap that a checksum alone
    can't. See Installation.
  • Effect catalog: the tool-call firewall now classifies risk on real MCP servers. Until now the
    firewall inferred effects only from call arguments, so for third-party servers whose risk is
    implied by tool identity rather than by any argument (a github create_issue, a fetch) it saw
    "no effects" and the heavy policy machinery idled. A built-in catalog now seeds baseline effects
    by identity for common servers (filesystem, github, fetch, git, brave-search, slack, postgres),
    so what each tool actually does (file read/write, network, secret use, outbound message) is
    visible in the audit ledger, and --enforce can gate on it. It's fail-safe by construction: the
    catalog only ever adds effects or raises severity (it never suppresses an effect inferred from
    the arguments), and it does not change the default monitor posture, so there are no new
    approval prompts.
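
The attestation bullet above says what `gh attestation verify <file> --repo duncatzat/vigils` establishes; the following is an added example, not Vigils' code and not the gh CLI's, showing the statement-level policy that sits behind that guarantee. gh and Sigstore verify the signature, the certificate's OIDC identity and the transparency-log entry; this script does not. It shows the checks that turn a valid signature into "this exact file was built by this repository's CI": the file's digest must be one of the statement's subjects, the predicate must be SLSA provenance, and the workflow repository recorded in the provenance must be the expected one. The field layout is assumed to follow in-toto Statement v1 / SLSA provenance v1 as emitted by GitHub Artifact Attestations; the statement and artifact bytes are constructed for the example.

```python
"""Added example, not Vigils' own code: the statement-level policy behind
`gh attestation verify <file> --repo duncatzat/vigils`. Signature, certificate
identity and transparency-log checks are gh/Sigstore's job and are NOT done here.
Field names follow in-toto Statement v1 / SLSA provenance v1 (assumed layout);
the statement and artifact bytes below are constructed."""
from __future__ import annotations

import copy
import hashlib

EXPECTED_REPO = "https://github.com/duncatzat/vigils"
STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_provenance(statement: dict, artifact: bytes,
                     expected_repo: str = EXPECTED_REPO) -> tuple[bool, str]:
    """Return (ok, reason). Any doubt is a hard fail; there is no 'warn and install'."""
    if statement.get("_type") != STATEMENT_V1:
        return False, "not an in-toto v1 statement"
    if statement.get("predicateType") != SLSA_V1:
        return False, f"unexpected predicate type {statement.get('predicateType')!r}"
    digest = sha256_hex(artifact)
    subjects = statement.get("subject") or []
    if not any(s.get("digest", {}).get("sha256", "").lower() == digest for s in subjects):
        # A swapped or modified download lands here even if a checksum file next
        # to it was swapped as well: the digest lives inside the signed statement.
        return False, "artifact digest is not among the attested subjects"
    workflow = (statement.get("predicate", {})
                .get("buildDefinition", {})
                .get("externalParameters", {})
                .get("workflow", {}))
    repo = workflow.get("repository", "")
    if repo.rstrip("/").lower() != expected_repo.rstrip("/").lower():
        # A fork can produce a perfectly valid Sigstore signature; identity is the check.
        return False, f"built by {repo or '<unknown>'}, not {expected_repo}"
    return True, f"sha256:{digest[:12]} built by {repo} at {workflow.get('ref', '?')}"


# --- constructed sample data (not a real Vigils release) ---------------------
ARTIFACT = b"constructed stand-in for vigils-cli-linux-x86_64.tar.gz"
STATEMENT = {
    "_type": STATEMENT_V1,
    "predicateType": SLSA_V1,
    "subject": [{"name": "vigils-cli-linux-x86_64.tar.gz",
                 "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicate": {
        "buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/tags/v0.1.27",
                "repository": EXPECTED_REPO,
                "path": ".github/workflows/release.yml",
            }},
        },
        "runDetails": {"builder": {
            "id": EXPECTED_REPO + "/.github/workflows/release.yml@refs/tags/v0.1.27"}},
    },
}


def forked_statement() -> dict:
    """Same subject digest, but provenance claiming a different repository."""
    s = copy.deepcopy(STATEMENT)
    s["predicate"]["buildDefinition"]["externalParameters"]["workflow"]["repository"] = \
        "https://github.com/someone-else/vigils"
    return s


if __name__ == "__main__":
    for label, st, art in [("genuine", STATEMENT, ARTIFACT),
                           ("tampered bytes", STATEMENT, ARTIFACT + b"\x00"),
                           ("fork build", forked_statement(), ARTIFACT)]:
        ok, why = check_provenance(st, art)
        print(f"{label:15} {'OK  ' if ok else 'FAIL'} {why}")
```

In practice you run `gh attestation verify` and let it do the cryptographic part; the three checks above are what the digest comparison and `--repo` buy you on top of a valid signature, and they are why a fork's perfectly valid Sigstore signature is still rejected.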
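
The effect-catalog bullet above describes a merge rule ("only ever raises visibility/severity, never suppresses a real effect") and an idle-policy failure mode (no effects, so nothing to gate on). The following is an added example, not Vigils' code: a catalog keyed by (server, tool) whose baseline effects are merged with argument inference by union-of-kinds and max-of-severity, which is what makes it monotone. The server/tool names, the severity scale, the secret markers and the monitor/enforce decision rule are hypothetical stand-ins; the real catalog's entries are not published on this page.

```python
"""Added example, not Vigils' code: an identity-keyed effect catalog merged with
argument inference so the catalog can add kinds or raise severity but never lower
or remove one. Names, severities and the decision rule are hypothetical."""
from __future__ import annotations

from enum import IntEnum


class Severity(IntEnum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Baseline effects keyed by (server, tool). Constructed for this example.
CATALOG: dict[tuple[str, str], list[tuple[str, Severity]]] = {
    ("filesystem", "read_file"):  [("file_read", Severity.LOW)],
    ("filesystem", "write_file"): [("file_write", Severity.HIGH)],
    ("github", "create_issue"):   [("network", Severity.MEDIUM), ("outbound_message", Severity.MEDIUM)],
    ("fetch", "fetch"):           [("network", Severity.MEDIUM)],
    ("slack", "post_message"):    [("network", Severity.MEDIUM), ("outbound_message", Severity.HIGH)],
    ("postgres", "query"):        [("secret_use", Severity.MEDIUM)],
}

SECRET_MARKERS = ("secret://", "ghp_", "AKIA")  # hypothetical credential signals


def infer_from_args(args: dict) -> dict[str, Severity]:
    """Argument-only inference, the pre-catalog behaviour: only what the
    arguments themselves reveal (a URL, a credential-shaped string)."""
    found: dict[str, Severity] = {}
    for value in args.values():
        if not isinstance(value, str):
            continue
        if value.startswith(("http://", "https://")):
            found["network"] = max(found.get("network", Severity.NONE), Severity.LOW)
        if any(marker in value for marker in SECRET_MARKERS):
            found["secret_use"] = Severity.HIGH
    return found


def classify(server: str, tool: str, args: dict) -> dict[str, Severity]:
    """Union of effect kinds; per kind, the maximum severity across sources.
    Because the merge is a max, the catalog is monotone: it can add a kind or
    raise a severity, but an argument-inferred effect is never suppressed."""
    effects = infer_from_args(args)
    for kind, sev in CATALOG.get((server, tool), []):
        effects[kind] = max(effects.get(kind, Severity.NONE), sev)
    return effects


def decide(effects: dict[str, Severity], posture: str = "monitor",
           gate_at: Severity = Severity.HIGH) -> str:
    """monitor: always allow and just record; enforce: ask once any effect
    reaches gate_at. With an empty effect map even enforce allows, which is
    exactly the idle-policy gap that identity-seeded effects close."""
    worst = max(effects.values(), default=Severity.NONE)
    return "ask" if posture == "enforce" and worst >= gate_at else "allow"


def ledger_entry(server: str, tool: str, args: dict, posture: str = "monitor") -> dict:
    """What an audit-ledger line would carry: the merged effects plus the decision."""
    effects = classify(server, tool, args)
    return {"server": server, "tool": tool,
            "effects": {k: v.name for k, v in sorted(effects.items())},
            "decision": decide(effects, posture)}


if __name__ == "__main__":
    print(ledger_entry("github", "create_issue", {"title": "bug", "body": "see secret://github-token"}))
    print(ledger_entry("slack", "post_message", {"text": "deploy done"}, posture="enforce"))
    print(ledger_entry("some-other-server", "do_thing", {"x": 1}, posture="enforce"))
```

The third call in the usage section is the pre-catalog situation for an unknown server: no effects, so even enforce allows. Extending the catalog is therefore the only lever that changes that outcome, and because of the max merge, adding an entry can never make a call look safer than its arguments already made it look.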


Vigils v0.1.26

06 Jun 19:14

The Linux CLI now runs on virtually any glibc Linux from the last decade — not just recent releases.

Changed

  • Linux CLI binaries now target a glibc 2.17 floor (any-distro reach). Until now the published
    Linux CLI was built on Ubuntu 22.04 and therefore required GLIBC_2.34, so it failed to start with
    version 'GLIBC_2.xx' not found on older-but-common distros: Ubuntu ≤20.04, Debian ≤11,
    RHEL/CentOS 7–8, Amazon Linux 2. The release now builds the Linux CLI with cargo-zigbuild
    targeting x86_64-unknown-linux-gnu.2.17 (the suffix tells zig which glibc version to link
    against), lowering the required glibc symbol versions to 2.17, the manylinux2014 floor that
    covers essentially every glibc Linux from the last decade. No behavior change: the binary is
    functionally identical; it just binds to older glibc symbol versions. The release pipeline also
    gained an objdump guard that reads the dynamic symbol table and fails the build if the required
    glibc floor ever regresses above 2.17. macOS and Windows builds are unchanged. (Verified in real
    CI: both vigil-hub and vigil-native-host now top out at GLIBC_2.17, down from GLIBC_2.34.)
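
The objdump guard mentioned above, as an added example that is not the Vigils release pipeline's own script: it parses `objdump -T` output, takes the highest numeric GLIBC_ symbol version any binary references, and fails when that exceeds the 2.17 floor. It assumes GNU objdump's dynamic-symbol listing, where versions appear as GLIBC_x.y or GLIBC_x.y.z (sometimes in parentheses); the sample listings are constructed, and the file names in the usage comment are only the two binaries the release notes name.

```python
"""Added example, not the Vigils release pipeline's own script: a CI guard that
parses `objdump -T` output and fails when any binary requires a GLIBC symbol
version above the 2.17 floor. Assumes GNU objdump output; samples are constructed."""
from __future__ import annotations

import re
import subprocess
import sys

GLIBC_FLOOR = (2, 17)
_GLIBC_RE = re.compile(r"\bGLIBC_(\d+)\.(\d+)(?:\.(\d+))?\b")


def glibc_versions(objdump_text: str) -> set[tuple[int, ...]]:
    """Every numeric GLIBC_ version referenced in `objdump -T` output.
    GLIBC_PRIVATE and unversioned symbols carry no number and are ignored."""
    return {tuple(int(p) for p in m.groups() if p is not None)
            for m in _GLIBC_RE.finditer(objdump_text)}


def max_glibc(objdump_text: str) -> tuple[int, ...] | None:
    versions = glibc_versions(objdump_text)
    return max(versions) if versions else None


def check_floor(objdump_text: str,
                floor: tuple[int, ...] = GLIBC_FLOOR) -> tuple[bool, tuple[int, ...] | None]:
    """(ok, highest_required). Tuples compare numerically, so 2.17 > 2.2.5 and
    2.34 > 2.17 come out right where a string compare would get them wrong."""
    highest = max_glibc(objdump_text)
    return (highest is None or highest <= floor), highest


def check_binary(path: str,
                 floor: tuple[int, ...] = GLIBC_FLOOR) -> tuple[bool, tuple[int, ...] | None]:
    """Run objdump on a real file. Works on stripped binaries too: -T reads the
    dynamic symbol table, which stripping leaves in place."""
    out = subprocess.run(["objdump", "-T", path], check=True,
                         capture_output=True, text=True).stdout
    return check_floor(out, floor)


# Constructed objdump -T excerpts: one within the floor, one that regressed.
SAMPLE_OK = """\
DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 memmove
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.14  memcpy
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.17  clock_gettime
0000000000000000      DF *UND*  0000000000000000  GLIBC_PRIVATE __libc_example
"""
SAMPLE_REGRESSED = SAMPLE_OK + (
    "0000000000000000      DF *UND*  0000000000000000  GLIBC_2.34  pthread_create\n")


def fmt(v: tuple[int, ...] | None) -> str:
    return "none" if v is None else "GLIBC_" + ".".join(map(str, v))


if __name__ == "__main__":
    # Usage: python glibc_guard.py target/release/vigil-hub target/release/vigil-native-host
    failed = False
    for path in sys.argv[1:]:
        ok, highest = check_binary(path)
        print(f"{path}: requires {fmt(highest)} (floor {fmt(GLIBC_FLOOR)}) -> {'ok' if ok else 'FAIL'}")
        failed |= not ok
    sys.exit(1 if failed else 0)
```

Run it against the final artifacts that will be uploaded, not an intermediate build, so that a late re-link cannot slip a newer symbol version past the check.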
