Skip to content

v1.7.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 14 May 01:14
· 787 commits to main since this release
v1.7.0
1e75ea1
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Added

  • Daemon service architecture (Issue #367, Phases 1-3)

    • Long-running daemon process for faster hook processing (~1-5ms vs ~50-100ms per-invocation)
    • Three modes: "auto" (default, daemon with local fallback), "local" (per-process, for CI/CD), "daemon" (require daemon, for testing/compliance)
    • Unix domain socket IPC on macOS/Linux, TCP localhost fallback on Windows
    • In-memory cross-hook state sharing between PreToolUse and PostToolUse via tool_use_id
    • Config auto-reload: mtime check per-request + periodic SHA256 checksum verification
    • Compiled regex pattern caching in memory (invalidated on config change)
    • Lazy daemon start: first hook call in auto mode starts daemon in background
    • Idle timeout auto-stop (default 30 minutes, configurable)
    • CLI commands: ai-guardian daemon start|stop|status|restart
    • System tray icon with status indicator and Pause/Resume menu (pystray + Pillow included as dependencies)
    • Graceful shutdown on SIGTERM/SIGINT with socket/PID file cleanup
    • New config section: daemon with mode, idle_timeout_minutes, client_timeout_seconds, tray.enabled
    • Environment variable override: AI_GUARDIAN_DAEMON_MODE=local for CI/CD
    • Extracted process_hook_data() for direct dict-based hook processing (daemon and direct mode)

  • MCP security advisor server (Issue #477)

    • MCP server with 12 read-only security tools for AI agents via stdio transport
    • Security check tools: check_path, check_command, check_mcp_trust, sanitize_text, check_annotations
    • Information tools: get_violations, get_config, get_scanner_status, get_scanner_supported, get_patterns_list, get_metrics, doctor
    • 3 MCP resources: security-posture, protected-paths, recent-violations
    • Security-limited responses: yes/no answers only, no rule/pattern/allowlist exposure
    • Runtime enable/disable via config flag (no IDE restart needed)
    • CLI: ai-guardian mcp-server (start), ai-guardian mcp enable/disable/status (toggle)
    • Setup: ai-guardian setup --mcp / --no-mcp (opt-in, installs MCP config + skill)
    • Tray menu MCP toggle
    • Console MCP enable/disable button
    • AI security awareness skill (ai-guardian-security) teaches AI when to use each tool
    • Support bundle export: prepare_support_bundle + send_support_bundle (sanitized diagnostics with user approval)
    • New dependency: mcp>=1.8.0 (Python >=3.10 only, MIT license)

  • Security instruction injection via systemMessage (Issue #580)

    • Injects never-bypass security rules into AI context on every UserPromptSubmit hook
    • Uses generic language — does not name specific bypass mechanisms or config files
    • Configurable via security_instructions.inject_on_prompt (default: enabled)
    • Supports time-based disabling for temporary development work
    • Updated SKILL.md and MCP server to remove specific bypass mechanism names

  • Self-Protection: Block Agent Read Access (Issue #512)

    • Read tool blocked for all ai-guardian config, state, and cache files
    • Bash cat/grep/head/tail/less/more blocked for same files
    • PowerShell Get-Content/Select-String blocked for same files
    • Immutable — cannot be overridden by user config
    • MCP server remains the approved way for agent to query security data
    • Doctor check (check_self_protection) verifies read protection is active

  • Multi-engine execution strategies (Issue #250, Phase 3)

    • Execution strategy support: first-match (default), any-match (block if ANY engine finds secrets), consensus (block only if N engines agree)
    • Parallel engine execution via ThreadPoolExecutor for any-match and consensus strategies
    • Smart deduplication across engines (prefers verified secrets, highest confidence)
    • Per-engine configuration: ignore_files, pattern_server, file_patterns
    • File type routing: route different file types to specialized engines (e.g., .env → TruffleHog, .py → Gitleaks)
    • Structured scan metrics logging (engine, duration, findings count)
    • New run_single_engine() executor for reusable single-engine subprocess execution
    • New select_all_engines() for multi-engine strategies
    • Console "Engine Configuration" panel with JSON editor for engines and strategy dropdown
    • 30 new tests (92% coverage for scanners module)

  • Result caching and incremental scanning (Issue #250, Phase 3)

    • ScanResultCache: File-based cache for scan results keyed by content hash + engine type + config hash
    • Configurable TTL (cache_ttl_hours, default 24h) with automatic expiry
    • FileStateTracker: Track file states for incremental scanning — skip unchanged files
    • Cache integrates transparently with run_single_engine() and all execution strategies
    • Config: "cache_results": true, "cache_ttl_hours": 24, "incremental": true

  • Secretlint integration (Issue #250, Phase 3)

    • New secretlint engine preset (MIT license, Node.js-based, plugin architecture)
    • SecretlintOutputParser for JSON output (array and newline-delimited formats)
    • Rule ID normalization (extracts short name from @secretlint/secretlint-rule-* chains)
    • Install: npm install -g @secretlint/secretlint-rule-preset-recommend

  • GitGuardian integration (Issue #250, Phase 3)

    • New gitguardian engine preset (ggshield CLI, 350+ secret types)
    • GitGuardianOutputParser with verified secret support (validity: "valid_data")
    • Consent mechanism for cloud engines: ai-guardian engine consent gitguardian
    • API key validation via GITGUARDIAN_API_KEY environment variable
    • Cloud service warning in Console and documentation
    • License: Proprietary (free tier for individuals)

  • Enterprise features (Issue #250, Phase 3)

    • Remote engine configuration: fetch engine config from remote URL with caching
    • Merge strategies: remote engines prepended to local (or replace with immutable: true)
    • Audit logging: JSONL at ~/.local/state/ai-guardian/scan-audit.jsonl
    • Compliance reporting: generate reports for HIPAA, PCI-DSS, SOC2 frameworks
    • Export audit data for external audits

  • Per-engine pattern_server config in scanning flow (Issue #519)

    • Engines can now override the global pattern server via per-engine pattern_server config
    • pattern_server: null disables patterns for that engine (uses built-in rules)
    • pattern_server: { url: "..." } fetches engine-specific patterns from a dedicated server
    • No override (key absent) uses the global pattern server (backward compatible)
    • Added resolve_engine_config_path() helper centralizing config_path resolution logic
    • Execution strategies (first-match, any-match, consensus) now resolve config_path per-engine
    • Replaces inline engine-type filtering in __init__.py with centralized resolver

  • Directory Scanning MCP Tools (Issue #544)

    • scan_directory tool returns violation summary (counts and types only — no file paths or secret values)
    • scan_directory_report tool generates detailed report in temp directory for user review
    • Two-step flow: AI sees summary only, user reviews detailed report directly
    • Path validation blocks system directories
    • Supports JSON and SARIF output formats

  • Engine Tester (Issue #542)

    • CLI command ai-guardian engine-test to test strings against individual scanner engines
    • Flags: --engine NAME, --all, --compare, --pattern-server, --json
    • Console panel under Tools for interactive engine testing with comparison view
    • Side-by-side engine comparison shows which engines detect a secret and which miss it

  • Security profile templates (Issue #466)

    • Built-in profiles: @minimal (personal, low friction), @standard (team, moderate), @strict (enterprise SOC2/compliance)
    • CLI: ai-guardian setup --create-config --profile @strict
    • Custom profiles: save with --save-profile my-team, stored in ~/.config/ai-guardian/profiles/
    • List all profiles: ai-guardian setup --list-profiles
    • File path profiles: --profile /path/to/profile.json
    • @standard matches existing --create-config output (backward compatible)
    • @strict: fail-closed (on_scan_error: block), high sensitivity, audit logging, annotations disabled
    • @minimal: warn-only actions, low sensitivity, permissions disabled, reduced PII types

  • Inline and block annotation suppression (Issue #481)

    • ai-guardian:allow on a line suppresses secrets and PII for that line
    • ai-guardian:begin-allow / ai-guardian:end-allow suppresses a block of lines
    • gitleaks:allow suppresses secrets only (default alias)
    • Configurable aliases: inline_allow, inline_allow_secrets, block_begin, block_end
    • User config extends defaults — add custom aliases without losing built-in ones
    • Pre-processing approach: suppressed lines blanked before any scanner runs
    • Suppresses secrets and PII detection (both blocking and redaction)
    • Prompt injection, jailbreak, and config exfil are always scanned (cannot be suppressed)
    • File content only (PreToolUse/beforeReadFile) — never applies to PostToolUse, prompts, or transcripts
    • Fail-safe: unmatched begin-allow without end-allow is ignored with a warning
    • Language-agnostic: searches for marker string anywhere on a line
    • Audit trail: suppressions logged via ViolationLogger (annotation_suppressed type)
    • Configurable: annotations.enabled (default: true) to disable for strict compliance
    • Detection messages include annotation hint showing available suppression markers
    • TUI: new Annotations panel under Threat Detection for managing aliases

  • Global on_scan_error configuration (Issue #461)

    • New top-level on_scan_error config parameter: "allow" (default) or "block"
    • Controls fail-open/fail-closed behavior when scanners encounter errors
    • "allow": Current behavior — log warning, allow operation (developer productivity)
    • "block": Block operation if any scanner fails (strict compliance environments)
    • Applies to: tool policy, prompt injection, config scanning, secret scanning, transcript scanning
    • TUI shows new setting in Global Settings panel
    • Default is "allow" for backward compatibility

  • Cross-hook context passing (Issue #366)

    • HookContextManager module (hook_context.py) for PreToolUse to PostToolUse correlation via tool_use_id
    • PostToolUse inherits file_path from PreToolUse context for violation entries
    • Skip double-scanning: PostToolUse skips secret scan when PreToolUse already scanned clean
    • ignore_files consistency: PostToolUse respects ignore decisions from PreToolUse
    • PII skip consistency: PostToolUse skips PII scan when PreToolUse skipped via ignore_files
    • Daemon mode: uses DaemonState in-memory store (zero I/O overhead)
    • Local mode: session-scoped temp file with secure 0600 permissions
    • TUI: correlation ID and hook event shown on violation cards
    • TUI: "Correlated" button shows the paired PreToolUse/PostToolUse violation
    • Fail-safe: if context unavailable, PostToolUse processes normally (no regression)

  • Support bundle CLI command (Issue #511)

    • ai-guardian support prepare — create sanitized bundle in temp dir for review
    • ai-guardian support send — send prepared bundle to configured destination
    • ai-guardian support status — show export destination, auth, and pending bundles
    • Options: --output PATH, --no-log, --no-violations, --json, --prepare, --yes, --bundle PATH
    • One-shot mode: ai-guardian support send --prepare --yes for CI/automation
    • Shares underlying logic with MCP tools (prepare_support_bundle, send_support_bundle)
    • Cross-process support: bundle ref persisted to state dir so prepare and send work in separate terminals

  • GCS bucket support for support bundle export (Issue #513)

    • gs://bucket-name/prefix/ destination format supported in config
    • Auto-detects Google Application Default Credentials (Vertex AI or gcloud auth application-default login)
    • Falls back to gcloud auth print-access-token CLI
    • No additional dependencies required (uses GCS REST API directly)

  • Project-level .aiguardignore.toml (Issue #497)

    • Per-project ignore_files via .aiguardignore.toml in project root
    • Global [allowlist] paths apply to all scanners
    • Per-scanner sections: [secret_scanning], [scan_pii], [prompt_injection], [config_file_scanning]
    • Consistent with .gitleaks.toml allowlist structure
    • Merged with JSON config ignore_files (both sources apply)
    • Cached with mtime-based invalidation for performance

  • Project .gitleaks.toml allowlist support (Issue #488)

    • ai-guardian reads .gitleaks.toml from the project root and applies its allowlist rules
    • Works with all scanner engines (gitleaks, betterleaks, leaktk, etc.)
    • Supports global allowlists: paths, regexes, stopwords
    • Supports per-rule allowlists via [[rules]] sections
    • Path-based early skip (before scanning) and finding-level post-scan filtering
    • Cached with mtime-based invalidation for performance
    • Does not conflict with ai-guardian's own allowlist_patterns config

  • Health Check (Doctor) panel in Console (Issue #502)

    • New panel under Tools section displaying all ai-guardian doctor checks
    • Color-coded pass/warn/fail/skip indicators with expandable details
    • Auto-refresh on navigation, manual refresh button
    • Fix Issues button with confirmation dialog for auto-fixable problems
    • Reuses existing Doctor class — same checks as the CLI

  • Pattern server doctor checks (Issue #493)

    • ai-guardian doctor now checks pattern server cache path writability
    • Checks auth token availability (env var or token file)
    • Checks pattern server URL reachability (with --check-connectivity)
    • Checks cache freshness against configured refresh/expiry thresholds
    • Each failure includes actionable fix instructions

  • Tray menu status submenu with stats (Issue #508)

    • Main menu header shows "● AI Guardian — Running/Paused" with status submenu
    • Submenu displays: Requests, Blocked (with percentage), Warned, Logged counts
    • Violations grouped by severity: Critical (blocked) and Warning (warned)
    • Last block type and time-ago display (e.g., "secret_detected 2m ago")
    • All stats from daemon in-memory counters (fast, no file I/O)
    • Numbers formatted with commas for readability
    • No subjective labels — numbers only

  • Terminal emulator support for tray Console on Linux (Issue #553)

    • Added kgx (GNOME Console, Fedora 44+ default) to the terminal fallback chain
    • ai-guardian doctor checks for a supported terminal emulator on Linux
    • Documentation: terminal emulator requirement listed in docs/CONSOLE.md

  • GNOME AppIndicator Detection (Issue #552)

    • ai-guardian doctor detects GNOME without AppIndicator extension and shows fix command
    • Daemon logs warning when tray icon cannot start on GNOME (no longer silent)
    • Documentation: GNOME setup steps in docs/CONSOLE.md and README requirements

  • Action field dropdowns in Console Global Settings (Issue #447)

    • Global Settings panel now shows action dropdowns (block/warn/log-only) for Prompt Injection, PII Detection, SSRF Protection, and Config File Scanning
    • Action changes auto-save to config and stay in sync between global settings and individual panels

  • Documentation: pre-commit hook (Issue #467)

    • Added pre-commit hook entry to README features table
    • Created docs/PRE_COMMIT.md covering ai-guardian setup --pre-commit, direct git hook, and pre-commit framework installation methods
    • Updated docs/README.md index with new documentation link

  • Documentation: per-engine pattern server auth (Issue #458)

    • Document that AI_GUARDIAN_PATTERN_TOKEN is the default env var for all pattern server sections
    • Document how to override token_env per section for multi-server setups
    • Document token_file as alternative to env var
    • Example config showing different tokens per pattern server
    • Updated docs/PATTERN_SERVER.md, ai-guardian-example.json, and README.md

Changed

  • Security rules injected only on first prompt + after blocks (Issue #584)

    • Previously injected _SECURITY_SYSTEM_MESSAGE via systemMessage on every UserPromptSubmit
    • Now injects only on the first prompt per session and re-injects after any block event
    • Adds SessionStateManager with dual-mode support: in-memory (daemon) and file-based (local)
    • Session state included in support bundle for diagnostics
    • Reduces token overhead in long conversations

  • Deprecate secret_scanning.pattern_server — migrate to per-engine (Issue #530)

    • Global secret_scanning.pattern_server is deprecated (gitleaks-specific but implied all engines)
    • Per-engine format is now canonical: engines[{"type": "gitleaks", "pattern_server": {...}}]
    • Deprecation warning logged when global format detected
    • ai-guardian doctor warns about deprecated format (check_global_pattern_server)
    • ai-guardian doctor --fix auto-migrates to per-engine format
    • ai-guardian setup --migrate-pattern-server handles full migration chain (root → global → per-engine)
    • Enhanced per-engine pattern_server schema to match full global schema (auth, cache, immutable, etc.)
    • Example config updated to show per-engine pattern_server as the documented format
    • Legacy format still works (backward compatible); removal planned for v2.0.0

  • Quick Start updated with one-liner setup and profiles (Issue #566)

    • Single command now includes --create-config, --mcp, and --install-scanner
    • Added security profile comparison table (@minimal, @standard, @strict)

  • Simplified README to ~230 lines (Issue #454)

    • Moved detailed documentation to docs/ folder with links
    • Created docs/SECURITY_DESIGN.md for self-protection architecture details
    • Created docs/README.md as documentation index
    • Added documentation guidelines to AGENTS.md (README ~300 line limit)
    • No information lost — all content accessible via docs/ links

  • Support bundle keeps original file names (Issue #543)

    • ai-guardian.json no longer renamed to config.json in the bundle
    • violations.jsonl no longer renamed to violations.json in the bundle

Removed

  • mcp_server.enabled config flag (Issue #516)
    • MCP server presence is controlled by IDE config (.claude/settings.json), not ai-guardian config
    • Removed enabled property from schema, example config, setup defaults, and template profiles
    • Removed _is_mcp_enabled, _disabled_check decorator, and DISABLED_RESPONSE from MCP server
    • Removed ai-guardian mcp enable/disable/status CLI subcommands
    • Removed MCP enable/disable toggle from Console TUI and tray menu
    • ai-guardian setup --mcp / --no-mcp remains the install/uninstall mechanism

Contributors

minimal, strict, and standard
Assets 4
Loading