Skip to content

v1.6.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 04 May 20:18
· 959 commits to main since this release
v1.6.0
1dff240
This commit was signed with the committer’s verified signature.
itdove Dominique Vernier
GPG key ID: 04807E1FAC6E1ED9
Verified
Learn about vigilant mode.

Changed

  • Renamed all TUI references to Console (Issue #440)
    • ai-guardian console is now the primary documented command
    • ai-guardian tui remains as backward-compatible alias
    • Updated all user-facing text, help strings, error messages, and documentation
    • Renamed docs/TUI.md to docs/CONSOLE.md
    • Renamed GitHub tui label to console
    • Internal src/ai_guardian/tui/ directory unchanged (no import breakage)

Added

  • Sanitize Command (Issue #443)

    • New ai-guardian sanitize command for redacting secrets, PII, and threats from text
    • Neutralizes: secrets, PII, prompt injection patterns, unicode attacks (zero-width chars, bidi overrides, tag chars, homoglyphs)
    • Reads from stdin or file, outputs only redacted text to stdout (pipe-safe)
    • Ignores user config — hardcoded maximum detection, no allowlists, no ignore patterns
    • Flags: --no-secrets, --no-pii, --no-threats, --summary, --exit-code
    • Designed for cleaning transcripts before sharing with other AI agents

  • OSC 52 terminal escape sequence as clipboard fallback (Issue #433)

    • Added wl-copy support for Wayland environments
    • Added OSC 52 escape sequence as final fallback for containers/SSH/headless
    • Works in UBI 10 containers and SSH sessions without xclip/xsel
    • Fallback chain: xclip → xsel → wl-copy → OSC 52
    • Existing pbcopy (macOS) and clip (Windows) behavior unchanged
    • Extracted _try_clipboard_command() helper to reduce duplication

Documentation

  • Warning about ! shell command bypass (Issue #431)
    • Added security note to README.md Known Limitations section
    • Added to AGENTS.md Common Issues section
    • Added top-level comment in ai-guardian-example.json
    • Added recommendation in Console Security Dashboard and help panel
    • ! commands bypass all ai-guardian hooks; use regular commands instead
    • Transcript scanning (Issue #430) provides after-the-fact detection

Security

  • Gitleaks exit code 1 treated as "no secrets found" — secrets bypass detection (Issue #411)

    • Gitleaks exit code 1 (default for "secrets found") was incorrectly added to the success codes list, causing detected secrets to be silently allowed through
    • Now correctly treats exit code 1 as "secrets found" when --exit-code 42 is specified
    • Added debug logging for scanner command and exit code to aid troubleshooting
    • Bug introduced in v1.4.0 (PR #154)

  • PostToolUse allowed secrets through when secret_redaction was disabled (Issue #414)

    • When secret_redaction.enabled = false, detected secrets were allowed through as an "emergency bypass" instead of being blocked
    • PostToolUse now correctly blocks tool output containing secrets regardless of redaction settings

Added

  • Transcript Scanning for Secrets, PII, and Prompt Injection (Issue #430)

    • Incrementally scans conversation transcript on each UserPromptSubmit event
    • Detects threats that entered via ! command shell mode (which bypasses hooks)
    • Scans for secrets (via gitleaks/engines), PII, and prompt injection patterns
    • Detection only: warns via systemMessage (cannot block — content already in AI context)
    • IDE-agnostic: supports Claude Code, Cursor, and GitHub Copilot transcript paths
    • New violation types: secret_in_transcript, pii_in_transcript, prompt_injection_in_transcript
    • Position tracking in ~/.local/state/ai-guardian/transcript_positions.json prevents re-scanning
    • Configurable via transcript_scanning.enabled (default: true)
    • Performance: reads only new bytes since last scan via byte-offset tracking

  • Multi-Engine Scanner Support — TruffleHog and detect-secrets (Issue #249)

    • TruffleHog: 700+ detectors with entropy analysis and verified secrets detection ("engines": ["trufflehog"])
    • detect-secrets: Baseline workflow for CI/CD pipelines with plugin-based detection ("engines": ["detect-secrets"])
    • Execution Strategies: first-match (default), any-match (maximum security), consensus (reduce false positives with threshold)
    • Smart deduplication when multiple engines find the same secret
    • License: TruffleHog is AGPL-3.0 (used via subprocess, no AGPL obligations); detect-secrets is Apache-2.0
    • Interactive license notice during ai-guardian scanner install trufflehog

  • PII Detection in Tool Outputs (Issue #262)

    • GDPR/CCPA compliance: detect and redact PII across all three hooks (UserPromptSubmit, PreToolUse, PostToolUse)
    • 7 PII types: SSN, Credit Card (Luhn), US Phone, Email, US Passport, IBAN (mod-97), International Phone (E.164)
    • Top-level scan_pii config section with enabled, pii_types, action, ignore_files, and allowlist_patterns
    • Enabled by default; action: "redact" masks PII in PostToolUse, blocks in PreToolUse/UserPromptSubmit

  • Jailbreak Detection Patterns (Issue #263)

    • 13 built-in patterns across 4 categories: role-play jailbreaks (DAN/sudo/god mode), identity manipulation, constraint removal, hypothetical framing
    • New jailbreak_patterns config key for user-defined patterns
    • Error messages distinguish "Jailbreak Attempt Detected" from "Prompt Injection Detected"
    • New jailbreak_detected violation logging type
    • Patterns only checked for user prompts (not file content) to minimize false positives

  • Enhanced Prompt Injection Detection — 24 new patterns (Issue #285)

    • 15 CRITICAL patterns: fake completion, HTML comment injection, chain-of-thought exploitation, instruction replacement, auto-approval manipulation, and more
    • 8 DOCUMENTATION patterns: output format manipulation, workflow chaining, Base64 encoding, delimiter injection
    • Sources: PayloadsAllTheThings, Hermes Security Patterns, Open-Prompt-Injection (USENIX 2024), arXiv 2601.17548
    • All patterns maintain <1ms detection target

  • Allowlist patterns for scan_pii and secret_scanning (Issue #357)

    • allowlist_patterns config option suppresses false positives for known-safe values (e.g., corporate email domains, test API key prefixes)
    • Supports simple string patterns and time-based patterns with expiration (valid_until)
    • ReDoS protection and dangerous catch-all pattern blocking
    • Console updated with allowlist pattern editing for both PII and secret scanning

  • Auto-Generate Directory Rules from Skill Permissions (Issue #144)

    • Auto-generate directory access rules from skill permissions, eliminating duplicate configuration
    • Multi-IDE support: Claude Code, Cursor, VSCode/Copilot, Windsurf
    • Opt-in via auto_directory_rules.enabled: true
    • Rule order (last-match-wins): User rules → Generated rules → Immutable rules
    • Generated rules override broad user deny rules for specific permitted skill paths
    • allow_symlinks option (default: true) for container environments (Issue #324)
    • Plugin cache directory scanning for Claude Code plugins
    • New ai-guardian config show command with --all, --section, --preview-auto-rules flags
    • All rules visible with [USER], [GENERATED], [IMMUTABLE] labels

  • Hook Simulator panel in Console (Issue #397)

    • Simulate UserPromptSubmit, PreToolUse, and PostToolUse hook events
    • Test detection rules without triggering real hooks
    • View BLOCKED/ALLOWED/WARNING decisions with detection details
    • IDE format selector (Claude Code, Cursor, GitHub Copilot)

  • JSON Config Editor in Console (Issue #388, #391)

    • Raw JSON editor for ai-guardian.json with syntax highlighting and line numbers
    • Real-time JSON validation with schema validation warnings on save
    • Console Settings panel with theme selector (Monokai, VS Code Dark, Dracula, GitHub Light)
    • New console section in schema, setup defaults, and example config
    • New dependencies: tree-sitter>=0.25.0 and tree-sitter-json>=0.24.0 (MIT license)

  • Show default values in Console config panels from schema (Issue #371)

    • Each config field shows its default value from the schema
    • Fields changed from default are highlighted with a yellow left-border
    • Applied to all 11 config panels

  • Copy-to-clipboard support in Console (Issue #362)

    • Auto-copy on text selection (like Claude Code)
    • Copy button on Violation Details modal
    • Platform-native clipboard fallback for macOS Terminal.app, Linux, Windows (Issue #377)

  • Enriched violation log entries (Issue #408)

    • context_snippet: redacted context around detection (for PII and secret violations)
    • command: Bash command that produced flagged output
    • tool_use_id and session_id: correlation IDs for matching PreToolUse/PostToolUse events

  • ssrf_blocked and config_file_exfil violation logging types (Issue #322)

    • SSRF and config exfiltration violations now have dedicated log types instead of being misclassified as tool_permission
    • Console tabs and checkboxes for both new types
    • Backward compatible with existing configs

  • Scanner/Pattern-Server Discovery Commands (Issue #320)

    • ai-guardian scanner supported — lists all supported scanners with versions, repos, and licenses
    • ai-guardian pattern-servers supported — lists all configured pattern servers
    • --json flag for scanner list, scanner info, scanner supported, and pattern-servers supported

  • --json flag for setup --create-config (Issue #326)

    • Outputs raw JSON only, pipeable to jq
    • $schema field now uses file:// URI pointing to bundled schema (works offline)

  • ai-guardian tui alias for ai-guardian console (Issue #389)

  • --yes/-y flag for violations --clear (Issue #360)

    • Skips confirmation prompt for non-interactive use (CI, Claude Code ! prefix, piped scripts)

  • Dependabot and scanner version monitoring (Issues #288, #289, #290, #291, #292, #293, #309)

    • Dependabot configuration for automated GitHub Actions and Python package updates (monthly, grouped PRs)
    • Daily scanner version health monitoring via CI (scripts/check_scanner_versions.py)
    • Scanner version existence pre-flight checks in CI (fail fast if versions missing)
    • Automated monthly prompt injection pattern research reminders
    • Comprehensive dependency management documentation in AGENTS.md

Changed

  • Console: Replaced 'Directory Protection' panel with 'Directory Rules' panel (Issue #426)

    • New panel manages directory_rules configuration (allow/deny path access control)
    • Moved from Configuration section to Permissions section in navigation

  • Console violations panel no longer auto-modifies config (Issue #421)

    • Removed approve/deny action buttons; details modal now shows resolution instructions with copyable config snippets
    • Users must manually edit config via Console panels, JSON editor, or text editor

  • Enhanced error messages across all protection layers (Issue #287)

    • Consistent 🛡️ [Protection Type] format (replaced 🚨 BLOCKED BY POLICY)
    • Shows exact regex pattern, confidence level, and sanitized matched text for prompt injection
    • Shows secret type and location for secret scanning (value NEVER shown)
    • Context-specific recommendations and config paths for all violation types

  • Remove email from default scan_pii.pii_types list (Issue #370)

    • Email PII detection now opt-in (add "email" to pii_types to re-enable)
    • Existing configs with explicit "email" continue to work

  • Remove dev source code patterns from immutable deny rules (Issue #369)

    • Dev source protection was redundant with git/PR workflow
    • Pip-installed package protection kept; config/cache/hooks/markers unchanged

  • XDG Base Directory compliance (Issue #352)

    • Logs and violations now stored in XDG_STATE_HOME/ai-guardian (default ~/.local/state/ai-guardian)
    • Cache paths respect XDG_CACHE_HOME via centralized get_cache_dir()
    • Environment variable overrides: AI_GUARDIAN_STATE_DIR, AI_GUARDIAN_CACHE_DIR
    • Backward-compatible migration from old config dir on first run

Fixed

  • Console pattern server toggle no longer destroys configuration (Issue #418)

    • Toggle modes now only write the enabled field; other settings (url, auth, cache) are preserved

  • gitleaks:allow guidance now correctly says "at the end of the line" (Issue #416)

    • Fixed incorrect placement instructions in block messages and Console help text

  • Prompt injection violation logs show actual pattern details (Issue #420)

    • Previously hardcoded "Heuristic pattern detected" with confidence 0.95 for all violations
    • Now shows actual matched pattern, matched text, and real confidence score from detector

  • Directory blocking violations report correct reason (Issue #347)

    • Previously always reported ".ai-read-deny marker found" even for directory rule violations
    • Now correctly distinguishes between marker-based and rule-based blocking with matched pattern

  • PII violations now include line numbers (Issue #359)

    • PII and secret redaction violation logging populates line_number and column from redaction results instead of hardcoding None

  • Scanner installer respects --use-pinned and --version flags (Issue #295)

    • After package manager installation, verifies installed version matches target; falls back to direct download if mismatched

  • GitHub Workflows: scanner versions synced with pyproject.toml (Issue #289)

    • CI now installs exact pinned versions of all three scanners (gitleaks, betterleaks, leaktk) from pyproject.toml

  • Pattern server configuration section name corrected (PR #318)

    • Integration test workflow now uses pattern_servers (plural) instead of incorrect singular form
Assets 4
Loading