Vigils v0.4.6
The stable roll-up of v0.4.6-beta.1 – beta.4, plus the consumer-mode browser-extension rework
(#32). Two new protection surfaces (dangerous commands on the hook path; a browser extension that
works without the desktop app), one real gateway fix (OAuth scope allow-lists), and a large
honesty/observability batch driven by four feature-by-feature user-level verification passes on
real binaries across all three platforms. Hard floors are untouched.
Added
- Command Guard — a dangerous-command line of defense on the hook path (#53, #54). The hook
path (Claude Code / Cursor / CodexBashtools) previously only scanned for secrets — with
"allow all commands" enabled, an agent gone sideways (intent drift, prompt injection, parameter
accidents) could runrm -rf ~,curl … | sh, or write a crontab entry without tripping
anything. The guard classifies effects, not intent (denylist, no ML): catastrophic actions
(filesystem wipe, raw device writes, fork bombs) are always denied at any posture — a hard
floor like raw secrets — while dangerous ones (persistence/autostart, remote-exec installs,
deletions outside the project root,rm -rf $VAR/empty-expansion accidents) get
posture-graded Ask (High=Deny). Project-root awareness keeps false positives down. Honest
boundary: a guardrail against accidents and low-effort injection, not a sandbox. - The browser extension now works out of the box — no desktop app required (#32; Chrome Web
Store listing Vigils Browser Guard,
0.2.0). Scanning was previously hard-wired to the local Native Host and failed closed to
block when it wasn't installed — which made the store build unusable without the desktop
app. Detection now runs behind a provider pipeline: an in-browser consumer scanner
(key/token/connection-string rules with plain-language prompts) is the default, an enterprise
provider stays pluggable, and results merge strictest-wins (block > confirm_redact > allow;
unknown actions fail closed). Protection can be extended to any site — the broad host
permission is optional and granted per-site at runtime. Popup and options were redesigned
around the current page's protection status. Raw text still never leaves the browser and never
toucheschrome.storage;nativeMessagingis no longer a default permission. - Daemon warm-up is observable (#55): during the ~45s model warm-up,
daemon statussays
"starting (warming the ML models)" instead of "not running";daemon status --jsonprovides a
stable, locale-independent machine schema (fields are only ever added); stale markers
self-heal. setup --statusshows gateway coverage across all agents — e.g.
23 server(s) wrapped (Claude Code 2 / Codex 11 / Cursor 10).- Server names with uppercase / spaces / dots are now protectable (
setup --mcp/--all)
via a slugifier (Playwright→user-playwright-<hash8>); already-valid names keep their
exact ids. - The CLI speaks Chinese and English (system-language detection). Bare
posture/engine/
daemondefault toshow/status;serve --monitorgives headless/e2e an observe-and-audit
posture. - Verification infrastructure: unattended user-acceptance CI on three platforms after every
release (download the published assets like a user, verify sha256 + SLSA provenance, run
functional / agent-integration / GUI smoke), remote-MCP e2e proving the protection invariants
over Streamable HTTP, a dual-engine parity tripwire (hook path and MCP gateway must agree),
extension tests wired into CI, a weekly scheduled acceptance run against Latest, and a release
pre-flight gate so a tag can never ship from a commit that failed fmt/clippy/test.
Fixed
ScopeNotInAllowListpolicy rules now actually fire for OAuth HTTP upstreams. The gateway
previously evaluated every outbound tools/call with a hard-coded non-OAuth scope context, so a
configured scope-allowlist Deny rule silently never triggered. The token's scope set now
reaches policy evaluation: out-of-allowlist scopes deny, an empty scope set fails closed,
stdio/bearer/none upstreams are unaffected.- The desktop app no longer misreads the daemon on non-English systems (#55): machine-parsed
subprocess output is pinned (VIGIL_LANG=en,--json), and the daemon card gained a
"STARTING · WARMING MODELS" state instead of a misleading "STOPPED" during warm-up. daemon statusuptime is no longer frozen at0s;daemon stopno longer leaks the OS kill
helper's localized output (mojibake on non-UTF-8 codepages).- Output-honesty batch:
setup --allper-agent scoping and "changes written" only when true;
agent-CLI status says "hook not registered" instead of "not installed";demopoints at the
turnkeysetup --all;checkpointtips are platform-aware;setup --mcpskip-reasons are
localized;model --helpon the standard build says up front that the ML variant is required;
posture level names are consistent between CLI and GUI (宽松 / 适中 / 严格); hook fail-closed
messages no longer hardcode "PreToolUse". - Desktop: the daemon card no longer promises ML protection when no model is installed; Naive UI
built-in texts follow the app language. Extension: internal spec references removed from
user-facing copy; disabled buttons look disabled.
Docs
docs/user-guide/: removed commands that don't exist, corrected the default ledger path,
replaced the stale "tools/list returns empty" note, pointed installation at GitHub Releases.- README + book (en/zh): the extension installs from the Chrome Web Store listing; crates.io
vigil-sdkis an early preview on its own cadence; the ML-variant availability note was
brought current (ML builds ship since v0.4.0).
中文
v0.4.6-beta.1 – beta.4 的稳定汇总,外加消费者模式浏览器扩展重构(#32)。两条新防线(hook 路径的
危险命令防护;不依赖桌面端即可使用的浏览器扩展)、一个真实网关修复(OAuth scope 白名单)、以及由
三平台真实二进制上四轮逐特性用户级验证驱动的大批文案/可观测性修正。硬地板未动。
新增
- Command Guard —— hook 路径的危险命令防线(#53, #54)。hook 路径(Claude Code / Cursor /
Codex 的Bash工具)此前只扫密钥 —— 在"放行全部命令"姿态下,跑偏的 agent(意图漂移、提示注入、
参数事故)可以执行rm -rf ~、curl … | sh或写 crontab 而不触发任何拦截。守卫按效果分类,
不猜意图(denylist,无 ML):灾难级动作(清盘、裸设备写入、fork 炸弹)在任何姿态下一律拒绝 ——
与裸密钥同级的硬地板;危险级动作(持久化/自启动、远程执行安装、项目根之外的删除、rm -rf $VAR/
空展开事故)按姿态分级 Ask(High=Deny)。项目根感知压低误报。诚实边界:防事故与低成本注入的护栏,
不是沙箱。 - 浏览器扩展开箱即用 —— 不再依赖桌面端(#32;Chrome 应用商店
Vigils Browser Guard,
0.2.0)。此前扫描硬绑本机 Native Host,未安装时 fail-closed 全阻断 —— 商店版离开桌面端根本
没法用。现在检测走 provider 管线:浏览器内消费者扫描器(密钥/token/连接串规则 + 通俗语言提示)
为默认,企业 provider 保持可插拔,结果按最严合并(block > confirm_redact > allow,未知动作
fail-closed)。保护可扩展到任意网站 —— 宽域名权限为可选、按站点运行时授权。Popup 与设置页围绕
"当前页面保护状态"重新设计。原文依旧不出浏览器、不落chrome.storage;nativeMessaging不再
是默认权限。 - Daemon 暖载可观测(#55):模型暖载(约 45s)期间
daemon status显示"启动中(正在预热 ML
模型)"而非"未运行";daemon status --json提供稳定、与语言无关的机读 schema(字段只增不改);
过期标记自愈。 setup --status展示全 agent 的网关覆盖面 —— 如
23 server(s) wrapped (Claude Code 2 / Codex 11 / Cursor 10)。- 大写/空格/点号的 server 名可保护了(
setup --mcp/--all):经 slugifier 派生网关 id
(Playwright→user-playwright-<hash8>);原本合法的名字保持原 id 不变。 - CLI 中英双语(按系统语言)。裸
posture/engine/daemon默认执行show/status;
serve --monitor为无 GUI 的 headless/e2e 提供观察审计姿态。 - 验证基础设施:每次发布后三平台无人值守用户级验收 CI(像用户一样下载已发布产物、校验
sha256 + SLSA 溯源、跑功能/agent 集成/GUI 冒烟)、远程 MCP e2e(在 Streamable HTTP 上游上
证明保护不变量)、双引擎一致性绊线(hook 路径与 MCP 网关必须同判)、扩展测试接入 CI、每周对
Latest 的定时验收、以及发布前置门禁(tag 永远不会从 fmt/clippy/test 红的提交上发出)。
修复
- **
ScopeNotInAllowList策略规则对 OAuth HTTP 上游真正生效了。**网关此前用硬编码的非 OAuth
scope 上下文评估所有出站 tools/call,配置的 scope 白名单 Deny 规则静默失效。现在 token 的
scope 集抵达策略评估:白名单外拒绝、空 scope 集 fail-closed、stdio/bearer/none 上游不受影响。 - 桌面端在非英文系统上不再误判 daemon 状态(#55):机读子进程输出固定
(VIGIL_LANG=en、--json);daemon 卡片新增"启动中 · 预热模型"第三态,取代暖载期误导性的
"已停止"。 daemon status运行时长不再冻结在0s;daemon stop不再泄漏 OS kill 助手的本地化输出
(非 UTF-8 代码页乱码)。- 输出如实化批次:
setup --all按 agent 限定范围、"已写入配置"只在真写入时出现;agent CLI 状态
改说"hook 未注册"而非"未安装";demo指向一键的setup --all;checkpoint提示按平台给出;
setup --mcp跳过原因本地化;标准构建的model --help开头即说明需要 ML 构建;姿态级别名
CLI 与 GUI 一致(宽松 / 适中 / 严格);hook fail-closed 文案不再硬编码 "PreToolUse"。 - 桌面端:未装模型时 daemon 卡片不再承诺 ML 防护;Naive UI 内建文案跟随应用语言。扩展:面向用户
的文案移除内部规格引用;禁用按钮有禁用观感。
文档
docs/user-guide/:移除不存在的命令、纠正默认账本路径、替换过期的 "tools/list 返回空" 说明、
安装指向 GitHub Releases。- README + book(中英):扩展改为从 Chrome 应用商店安装;crates.io
vigil-sdk为独立节奏的早期
预览;ML 构建可用性说明更新(自 v0.4.0 起随发布提供)。
Downloads — which file do I want?
- Desktop app (most users): the installer for your OS — Windows
Vigils_*_x64-setup.exe(or.msi), macOSVigils_*.dmg, Linux.AppImage/.deb/.rpm. Gives you the GUI: Activity Feed, Approval Queue, Server Registry. - CLI gateway (put Vigils in front of an AI agent — Claude Code / Codex / Cursor / Zed):
vigils-cli-<platform>(containsvigil-hub+vigil-native-host). This is the MCP proxy your agent connects to. - Browser extension (guard pasting/typing secrets into AI web apps, Chrome MV3):
vigils-chrome-extension.zip— unzip, then load unpacked atchrome://extensions. - The
.sigandVigils.app.tar.gzfiles are desktop auto-updater artifacts — you do not need to download them.
New here? Full setup & agent-integration guide: https://duncatzat.github.io/vigils
Every asset carries Sigstore build provenance (SLSA) — verify any download came from this repo's official CI with:
gh attestation verify <file> --repo duncatzat/vigils. (Not yet OS-code-signed — Authenticode/notarization — so your OS may still show a Gatekeeper / SmartScreen prompt on first run.)
Apache-2.0 · https://vigils.ai · Full changelog