Skip to content

v1.4.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 21 Apr 16:20
· 1254 commits to main since this release
v1.4.0
0eadbbf
This commit was signed with the committer’s verified signature.
itdove Dominique Vernier
GPG key ID: 04807E1FAC6E1ED9
Verified
Learn about vigilant mode.

Added

  • Default config creation in setup command (Issue #178)

    • New --create-config flag for ai-guardian setup command to create default ai-guardian.json config file
    • Two configuration modes:
      • Default (secure): Secret scanning and prompt injection enabled, Skills/MCP blocked by default
      • Permissive (--permissive): Same security features, but all tools allowed (permissions disabled)
    • --dry-run flag shows config preview without creating file
    • Improves onboarding experience - no manual config file copying required
    • Example usage:
      • ai-guardian setup --create-config - Create secure default config
      • ai-guardian setup --create-config --permissive - Create permissive config
      • ai-guardian setup --create-config --dry-run - Preview config without creating
    • Config includes:
      • Secret scanning with LeakTK patterns
      • Prompt injection detection (medium sensitivity)
      • Permission rules (Skills/MCP blocked by default in secure mode)
      • Empty directory rules (no restrictions)
      • Remote configs section for enterprise policies

  • Improved logging for skill and prompt injection violations (Issue #168)

    • Tool permission violations now include tool-specific details in logs:
      • Skill tool: Shows skill name and args parameter (e.g., (skill='daf-jira', args='view PROJ-12345'))
      • Bash tool: Shows command preview (first 100 chars, e.g., (command='rm -rf /path/to/file...'))
      • Read/Write/Edit tools: Shows full file path (e.g., (file_path='/etc/passwd'))
    • Prompt injection detection now logs comprehensive details:
      • Source information (file path, tool name, or "user_prompt")
      • Confidence score (e.g., confidence=0.90)
      • Matched regex pattern (e.g., pattern='ignore\s+(all\s+)?(previous|prior|above)...')
      • Matched text substring (e.g., text='Ignore all previous instructions')
      • Full prompt context (e.g., prompt='Please ignore all previous...') - up to 200 chars, sanitized
    • Secret sanitization: All logged tool parameters and matched text are sanitized to prevent secrets from leaking in logs
      • Redacts API keys, tokens, passwords, and other sensitive values
      • Replaces secrets with ***REDACTED*** or similar placeholders
      • Protects against credential leakage in audit logs
    • All logging modes include full details (block, warn, log-only)
    • Enables faster debugging and better audit trail for security violations

  • Documentation: Clarified configuration section differences (Issue #150)

    • Added comparison table and FAQ explaining differences between permissions, permissions_directories, and directory_rules
    • Key clarification: permissions_directories discovers tool permissions; directory_rules blocks filesystem paths

  • Action levels for audit mode and gradual policy rollout (Issues #84, #88, #159)

    • action="warn" - Logs violation + shows warning to user + allows execution
    • action="log-only" - Logs violation silently without user warning + allows execution (NEW in #159)
    • action="block" - Prevents execution (default)
    • Available for: tool permissions (per-rule), prompt injection (global), directory rules (global)
    • Secret scanning always blocks (no action field for security)
    • Useful for baseline metrics, impact analysis, compliance audits, and passive monitoring
    • All violations logged to TUI and violation log regardless of action

  • Flexible scanner engine support (Issues #153, #154)

    • Support for BetterLeaks (20-40% faster than Gitleaks) and LeakTK (auto-pattern management)
    • Automatic fallback to available scanners via engines configuration
    • Custom scanner support with configurable commands and output parsers
    • Enhanced error messages showing scanner type and pattern source
    • Includes fixes for betterleaks command template and validation flags

  • Directory rules system (Issue #82, #172)

    • Order-based access control with last-match-wins precedence
    • Each rule has mode: "allow"|"deny" and paths: [...]
    • Supports action: "warn"|"log-only"|"block" for audit mode
    • Wildcard support: ** (recursive), * (single-level), combined patterns including leading **
    • Can override .ai-read-deny markers with allow rules
    • Backward compatible: directory_exclusions auto-converted to allow rules
    • Consistent glob pattern matching with ignore_files

  • Ignore patterns for false positive handling (Issue #84)

    • ignore_tools: Skip detection for specific tools (e.g., "Skill:code-review", "mcp__*")
    • ignore_files: Skip detection for specific files (e.g., "**/.claude/skills/*/SKILL.md")
    • Works for both prompt injection and secret scanning

  • Pattern server test coverage (Issue #101)

    • Added 12 comprehensive tests for warn_on_failure configuration
    • Pattern server module now has 57% code coverage

  • User-friendly error handling for malformed configuration

    • Clear JSON parsing errors with file path, line number, column number
    • Fail-open with warning: continues with default configuration when config has errors

  • Enable contributor workflow (Issue #105)

    • Contributors can now use AI assistance to edit ai-guardian source code in development repos
    • Enables standard fork + PR workflow for external contributors
    • Config/hooks/cache/pip-installed always protected; development source allowed via Edit/Write/Read

Changed

  • Smart hook ordering in setup command
    • ai-guardian setup ensures ai-guardian is first in all hooks arrays
    • Critical for log mode warning visibility (only first hook's systemMessage is displayed)
    • Preserves existing hooks after ai-guardian

Fixed

  • Bug #183: Hardcoded pattern blocks legitimate user scripts

    • Fixed overly broad protection pattern from *mv*ai-guardian* to *mv*ai-guardian.json*
    • Users can now organize scripts with 'ai-guardian' in filename
    • Config files remain protected

  • Bug #165: Pattern server silently falls back to defaults when unavailable

    • SECURITY FIX: Operations now blocked when pattern server is configured but unavailable
    • Pattern server unavailable + cache expired → BLOCKS operation
    • Pattern server unavailable + cache valid → Uses cached patterns
    • Security impact: High - prevents organization-specific secrets from leaking

  • Bug #162: Pattern server requires authentication for public URLs

    • Pattern server now makes authentication optional for public URLs
    • Only adds Authorization header when token is available
    • Better error messages distinguishing public vs private URL failures

  • Bug #155: False positives in prompt injection detection for heredoc content

    • Heredoc content is now stripped before pattern matching
    • Prevents false positives when writing security documentation or test fixtures
    • Real injection attempts outside heredocs still detected

  • Bug #113: Self-protection bypass when file_path parameter is missing

    • File-path tools (Edit, Write, Read, NotebookEdit) now fail-closed when file_path is missing

  • Bug #174: Misleading warnings when Glob tool is used

    • Removed Glob from FILE_READING_TOOLS list
    • Glob uses pattern parameter, not file_path
    • Eliminates false warnings about missing file paths
Assets 4
Loading