v1.2.6
Release v1.2.6
Previous release: v1.2.5
Release date: 2026-06-15
Highlights
Compliance Integrity — AI can no longer self-verify controls
AI assistants using the MCP server were able to mark controls as pass without verification, producing false 100% compliance scores. This release closes that loophole entirely. Only the GESF audit engine scanning actual source code can produce a pass status.
Phantom Framework F-grade — Fixed
Installing a policy pack (e.g., AI) created a phantom framework entry with 0 controls and an F-grade in the dashboard. The overall score showed 100% while individual frameworks showed F. This was a 4-layer mismatch now fixed across the entire scoring pipeline.
What's New
.dev-logs/ — Official Developer Directory
ges init and MCP init_project now create .dev-logs/ with:
- `README.md` explaining purpose and structure
- `.gitignore` entry — never submitted to remote
- `ai-recommendations/` subdirectory — where AI assistants log improvement ideas
record_recommendation MCP Tool (30th tool)
AI assistants can now log security findings, architectural suggestions, and improvement ideas to .dev-logs/ai-recommendations/ as structured markdown files for developer review.
Each recommendation includes:
| Field | Values |
|---|---|
| Category | security, compliance, architecture, performance, best-practice, bug, improvement |
| Severity | info, low, medium, high |
| Fields | title, description, suggested_action, affected_controls, affected_files |
Core Recommendations Module
New module: @greenarmor/ges-core → packages/core/src/recommendations/
| Function | Purpose |
|---|---|
| `recordAIRecommendation()` | Writes structured markdown to `.dev-logs/ai-recommendations/` |
| `loadAIRecommendations()` | Reads recommendations back, sorted by date |
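As an added illustration (not the project's own module), the following TypeScript renders one recommendation into a markdown file with a small front-matter header, validates `category` and `severity` against the value sets listed above, and parses files back so they can be sorted by date. The front-matter layout, the file naming, and the function names `renderRecommendation`, `parseRecommendation` and `loadRecommendations` are assumptions; the real `recordAIRecommendation()` / `loadAIRecommendations()` may use a different on-disk format.

```typescript
// Added example (not the project's own code). Front-matter layout, file naming and
// function names are assumptions; the field and value sets come from the release notes.
const CATEGORIES = ["security", "compliance", "architecture", "performance", "best-practice", "bug", "improvement"] as const;
const SEVERITIES = ["info", "low", "medium", "high"] as const;
type Category = (typeof CATEGORIES)[number];
type Severity = (typeof SEVERITIES)[number];

interface Recommendation {
  title: string;
  description: string;
  suggested_action: string;
  category: Category;
  severity: Severity;
  affected_controls: string[];
  affected_files: string[];
  date: string; // YYYY-MM-DD
}

// Type guards used to reject values that arrive as plain strings (e.g. from a JSON tool call).
function isCategory(x: string): x is Category { return (CATEGORIES as readonly string[]).includes(x); }
function isSeverity(x: string): x is Severity { return (SEVERITIES as readonly string[]).includes(x); }

// Renders one recommendation as markdown and returns the path (relative to the project
// root) it belongs at. Writing the file to disk is left to the caller.
function renderRecommendation(rec: Recommendation): { path: string; markdown: string } {
  if (!isCategory(rec.category)) throw new Error(`unknown category: ${rec.category}`);
  if (!isSeverity(rec.severity)) throw new Error(`unknown severity: ${rec.severity}`);
  const slug = rec.title.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/(^-|-$)/g, "").slice(0, 40);
  const markdown = [
    "---",
    `title: ${rec.title}`,
    `date: ${rec.date}`,
    `category: ${rec.category}`,
    `severity: ${rec.severity}`,
    `affected_controls: ${rec.affected_controls.join(", ")}`,
    `affected_files: ${rec.affected_files.join(", ")}`,
    "---",
    "",
    "## Description",
    rec.description,
    "",
    "## Suggested action",
    rec.suggested_action,
    "",
  ].join("\n");
  return { path: `.dev-logs/ai-recommendations/${rec.date}-${slug}.md`, markdown };
}

// Parses a file produced by renderRecommendation; invalid category/severity is rejected.
function parseRecommendation(markdown: string): Recommendation {
  const lines = markdown.split("\n");
  const end = lines[0] === "---" ? lines.indexOf("---", 1) : -1;
  if (end < 0) throw new Error("missing front matter");
  const meta: Record<string, string> = {};
  for (const line of lines.slice(1, end)) {
    const i = line.indexOf(":");
    if (i > 0) meta[line.slice(0, i).trim()] = line.slice(i + 1).trim();
  }
  const list = (s: string | undefined): string[] =>
    (s ?? "").split(",").map((x) => x.trim()).filter((x) => x.length > 0);
  const section = (name: string): string => {
    const start = lines.indexOf(`## ${name}`, end);
    if (start < 0) return "";
    let stop = lines.length;
    for (let i = start + 1; i < lines.length; i++) {
      if (lines[i]?.startsWith("## ")) { stop = i; break; }
    }
    return lines.slice(start + 1, stop).join("\n").trim();
  };
  const category = meta["category"] ?? "";
  const severity = meta["severity"] ?? "";
  if (!isCategory(category)) throw new Error(`unknown category: ${category}`);
  if (!isSeverity(severity)) throw new Error(`unknown severity: ${severity}`);
  return {
    title: meta["title"] ?? "",
    date: meta["date"] ?? "",
    category,
    severity,
    affected_controls: list(meta["affected_controls"]),
    affected_files: list(meta["affected_files"]),
    description: section("Description"),
    suggested_action: section("Suggested action"),
  };
}

// Reads recommendations back, newest first (the "sorted by date" behaviour described above).
function loadRecommendations(files: string[]): Recommendation[] {
  return files.map(parseRecommendation).sort((a, b) => b.date.localeCompare(a.date));
}
```

Note that a recommendation only ever lands in `.dev-logs/ai-recommendations/` for a developer to read; nothing in this path touches a control's status, which is the point of keeping the recommendation channel separate from the audit engine.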
Compliance Integrity Changes
What AI Can Do via MCP
| Action | Allowed |
|---|---|
| `implement_control` — generate implementation files | Yes (but status unchanged) |
| `run_audit` — trigger audit engine to verify | Yes |
| `apply_control_override` with `status: "not-applicable"` | Yes (requires reason, min 10 chars) |
| `record_recommendation` — log improvement ideas | Yes |
What AI Cannot Do via MCP
| Action | Blocked |
|---|---|
| `apply_control_override` with `status: "pass"` | Rejected with explanation |
| `implement_control` auto-writing pass override | Removed — shows warning instead |
What Humans Can Still Do (CLI, unrestricted)
| Action | Available |
|---|---|
| `ges control <id> pass --reason "..."` | Yes — human has manually verified |
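The three tables above describe a policy: the MCP path may never set `pass`, may set `not-applicable` only with a reason of at least 10 characters, and a rejected request leaves the control's status untouched. Here is that policy as an added TypeScript guard (example code, not the MCP server's own implementation); the names `validateOverride`, `applyMcpOverride`, `OverrideRequest` and `ControlRecord` are assumptions, and the wording of the rejection messages is illustrative.

```typescript
// Added example (not the project's code): a guard for AI-initiated control overrides
// arriving over MCP. Type and function names are assumptions.
type McpOverrideStatus = "pass" | "not-applicable";

interface OverrideRequest {
  controlId: string;
  status: McpOverrideStatus;
  reason?: string;
}

interface OverrideDecision {
  allowed: boolean;
  message: string; // explanation returned to the caller when rejected
}

interface ControlRecord {
  id: string;
  status: "pass" | "fail" | "not-applicable" | "unknown";
  reason?: string;
}

const MIN_REASON_LENGTH = 10;

// Decides whether an override requested via MCP may be applied.
// "pass" is never accepted from this path: only the audit engine (run_audit)
// or a human using the CLI may move a control to pass.
function validateOverride(req: OverrideRequest): OverrideDecision {
  if (req.status === "pass") {
    return {
      allowed: false,
      message:
        `Override to "pass" for ${req.controlId} rejected: a pass status can only be ` +
        `produced by the audit engine (run_audit) or set by a human via the CLI.`,
    };
  }
  // Only remaining case is "not-applicable", which needs a substantive reason.
  const reason = (req.reason ?? "").trim();
  if (reason.length < MIN_REASON_LENGTH) {
    return {
      allowed: false,
      message:
        `Override to "not-applicable" for ${req.controlId} requires a reason of at least ` +
        `${MIN_REASON_LENGTH} characters (got ${reason.length}).`,
    };
  }
  return { allowed: true, message: `Override for ${req.controlId} accepted.` };
}

// Applies an MCP override to a control record, returning the (possibly unchanged)
// record together with the decision so the caller can relay the explanation.
function applyMcpOverride(
  record: ControlRecord,
  req: OverrideRequest,
): { record: ControlRecord; decision: OverrideDecision } {
  const decision = validateOverride(req);
  if (!decision.allowed) {
    return { record, decision }; // rejected: status stays exactly as it was
  }
  return {
    record: { ...record, status: req.status, reason: (req.reason ?? "").trim() },
    decision,
  };
}
```

The check is deliberately placed on the server side of the MCP boundary rather than in the tool description, so a client that ignores the documented restriction still cannot produce a `pass`.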
Bug Fixes
Phantom Framework F-Grade (4-layer fix)
Root cause: Installing the AI pack added "AI" to config.frameworks (from pack.id.toUpperCase()), but AI controls have framework: "GDPR". No controls matched "AI" → 0-control entry with score 0, grade F.
| Layer | Bug | Fix |
|---|---|---|
| Policy install (CLI + MCP) | Added `pack.id.toUpperCase()` to config | Now iterates `pack.frameworks` array |
| Scoring engine | Created entries for frameworks with 0 controls | Skips frameworks where `fwControls.length === 0` |
| Dashboard | Scored `config.frameworks` but displayed `control.framework` values | Both now use `getFrameworksFromControls(controls)` |
| Audit CLI | Didn't load disk-installed controls; used config frameworks only | Loads disk controls + derives frameworks from actual controls |
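To make the 4-layer mismatch concrete, here is an added TypeScript model (not the project's own scoring engine) that reproduces the phantom "AI" framework and then applies the fixes from the table: register `pack.frameworks` instead of `pack.id.toUpperCase()`, derive frameworks from the controls actually present, and skip any framework with zero controls. The type names, the `Legacy` function names and the letter-grade thresholds are assumptions; the `ai` pack below is a constructed sample whose controls all carry `framework: "GDPR"`, as the root-cause note describes.

```typescript
// Added example (not the project's code) modelling the phantom-framework bug and
// the v1.2.6 fix. Type/function names and grade thresholds are assumptions.
type ControlStatus = "pass" | "fail" | "not-applicable";

interface Control {
  id: string;
  framework: string; // the framework the control actually belongs to
  status: ControlStatus;
}

interface PolicyPack {
  id: string;
  frameworks: string[]; // frameworks the pack's controls map to
  controls: Control[];
}

interface FrameworkScore {
  framework: string;
  controls: number;
  score: number;
  grade: string;
}

// Assumed letter-grade thresholds (not documented in the release notes).
function toGrade(score: number): string {
  if (score >= 90) return "A";
  if (score >= 80) return "B";
  if (score >= 70) return "C";
  if (score >= 60) return "D";
  return "F";
}

function scoreFramework(framework: string, fwControls: Control[]): FrameworkScore {
  const applicable = fwControls.filter((c) => c.status !== "not-applicable");
  const passed = applicable.filter((c) => c.status === "pass").length;
  const score = applicable.length === 0 ? 0 : Math.round((passed / applicable.length) * 100);
  return { framework, controls: fwControls.length, score, grade: toGrade(score) };
}

// Layer 1, before: policy install registered pack.id.toUpperCase() as a framework.
function frameworksAfterInstallLegacy(configFrameworks: string[], pack: PolicyPack): string[] {
  return Array.from(new Set([...configFrameworks, pack.id.toUpperCase()]));
}

// Layer 1, after: register the frameworks the pack declares.
function frameworksAfterInstall(configFrameworks: string[], pack: PolicyPack): string[] {
  return Array.from(new Set([...configFrameworks, ...pack.frameworks]));
}

// Layers 3 and 4, after: derive frameworks from the controls actually loaded.
function getFrameworksFromControls(controls: Control[]): string[] {
  return Array.from(new Set(controls.map((c) => c.framework))).sort();
}

// Layer 2, before: emit an entry for every listed framework, even with no controls.
function scoreFrameworksLegacy(frameworks: string[], controls: Control[]): FrameworkScore[] {
  return frameworks.map((fw) => scoreFramework(fw, controls.filter((c) => c.framework === fw)));
}

// Layer 2, after: skip frameworks where fwControls.length === 0.
function scoreFrameworks(frameworks: string[], controls: Control[]): FrameworkScore[] {
  const out: FrameworkScore[] = [];
  for (const fw of frameworks) {
    const fwControls = controls.filter((c) => c.framework === fw);
    if (fwControls.length === 0) continue;
    out.push(scoreFramework(fw, fwControls));
  }
  return out;
}

// Constructed sample: an "ai" pack whose controls all belong to GDPR.
const AI_PACK: PolicyPack = {
  id: "ai",
  frameworks: ["GDPR"],
  controls: [
    { id: "AI-01", framework: "GDPR", status: "pass" },
    { id: "AI-02", framework: "GDPR", status: "pass" },
    { id: "AI-03", framework: "GDPR", status: "fail" },
  ],
};

// Pre-1.2.6 pipeline: yields a phantom "AI" entry with 0 controls, score 0, grade F.
function demoLegacy(): FrameworkScore[] {
  return scoreFrameworksLegacy(frameworksAfterInstallLegacy([], AI_PACK), AI_PACK.controls);
}

// v1.2.6 pipeline: only GDPR is scored, from the three controls that exist.
function demoFixed(): FrameworkScore[] {
  return scoreFrameworks(getFrameworksFromControls(AI_PACK.controls), AI_PACK.controls);
}
```

The fix in the scoring engine and the fix in install/dashboard/audit are independent guards: even if a stale `config.frameworks` entry survives an upgrade, the scoring layer no longer turns it into a 0-control F grade.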
MCP Server Tool Count
Now 30 tools (was 29 in v1.2.5).
New tool:
| # | Tool | Description |
|---|---|---|
| 30 | `record_recommendation` | Log AI recommendation to `.dev-logs/ai-recommendations/` |
Files Changed
| Area | Files | Changes |
|---|---|---|
| Core (recommendations module) | `packages/core/src/recommendations/index.ts` | NEW |
| Core (barrel export + tests) | `packages/core/src/index.ts`, `index.test.ts` | +4 tests |
| Scoring engine | `packages/scoring-engine/src/index.ts`, `index.test.ts` | Skip 0-control frameworks |
| Web dashboard | `packages/web-dashboard/src/index.ts` | Derive frameworks from controls |
| MCP server | `packages/mcp-server/src/server.ts`, `server.test.ts` | Override restriction, recommendation tool, +3 tests |
| CLI (audit) | `packages/cli/src/commands/audit.ts` | Load disk controls, derive frameworks |
| CLI (init) | `packages/cli/src/commands/init.ts` | `.dev-logs/` creation |
| CLI (policy) | `packages/cli/src/commands/policy.ts` | Use `pack.frameworks` |
Test Results
- 421 tests passing (up from 412 in v1.2.5)
- All 16 packages build clean
- E2E verified:
  - `ges init` creates `.dev-logs/` with README + `.gitignore`
  - MCP `apply_control_override` with `status: "pass"` is rejected
  - MCP `record_recommendation` writes markdown to `.dev-logs/ai-recommendations/`
  - AI pack install no longer creates phantom "AI" framework
  - CIS pack install correctly adds "CIS" as its own framework
Upgrade Guide
No breaking changes.
```shell
npm update @greenarmor/ges
# or
pnpm update @greenarmor/ges
```
For existing projects with a phantom framework in `.ges/config.json`:
- Run `ges policy remove ai` then `ges policy install ai` — config will be corrected
- Or manually edit `.ges/config.json` and remove the erroneous framework entry
- Run `ges audit` to regenerate `.ges/score.json` with correct framework scores