v1.8.0

@github-actions github-actions released this 19 May 20:24
f5e24c5

Added

  • Desktop shortcut and autostart for tray (Issue #649)

    • ai-guardian tray --install creates a desktop shortcut (Applications menu)
    • ai-guardian tray --install --autostart additionally configures launch on login
    • ai-guardian tray --uninstall removes shortcut and autostart configuration
    • First-run detection: prompts to create shortcut on first ai-guardian tray launch
    • Linux: .desktop file in ~/.local/share/applications/ and ~/.config/autostart/
    • macOS: .app wrapper in ~/Applications/ and launchd plist in ~/Library/LaunchAgents/
    • Windows: Start Menu shortcut and startup folder shortcut (via PowerShell)
    • Shortcut launches tray without requiring a terminal window
  • Monochrome tray icons (Issue #652)

    • Shield silhouette template images for clean system tray rendering at 16x16, 22x22, 32x32, and 44x44
    • macOS *Template.png naming convention for automatic light/dark mode adaptation
    • Platform-specific icon selection: Windows (16px), Linux (22px), macOS (Template @1x/@2x)
  • Multi-Daemon Tray Client with Podman Auto-Discovery (Issue #527)

    • New discovery engine (discovery.py) finds daemons across local, Podman/Docker containers, Kubernetes pods, and manual targets
    • Cascading container discovery: label filter (ai-guardian.daemon=true) with port filter fallback
    • New multi-client (multi_client.py) routes tray actions to correct daemon via socket, REST API, podman exec, or kubectl exec
    • New REST API (rest_api.py) for cross-network daemon communication (stdlib http.server, no new deps)
    • REST API endpoints: GET /api/status, GET /api/stats, GET /api/health, POST /api/pause, POST /api/resume
    • Tray menu shows discovered daemons with status indicators and supports daemon selection
    • New ai-guardian tray CLI subcommand for standalone multi-daemon tray client
    • Configurable REST port (daemon.rest_port, default 63152) with container label override (ai-guardian.rest-port)
    • Container engine auto-detection (podman preferred) with manual override (daemon.container_engine)
    • Kubernetes discovery opt-in (daemon.tray.discover_kubernetes) with user-scoped pod filtering
    • Manual targets via ~/.config/ai-guardian/tray-targets.json with auth token support
    • Instance name (name in config, defaults to hostname) displayed in Console banner, tray, REST API, and MCP
    • Daemon is now always headless — tray is a separate process (ai-guardian tray start/stop)
    • ai-guardian tray stop command to cleanly stop the standalone tray
    • Tray lock file prevents duplicate tray instances across all platforms
    • Auto-selects the first running daemon target (no manual selection needed)
  • Custom Scanner SDK — Python-based scanners (Issue #474)

    • Scanner base class and Finding dataclass in ai_guardian.scanners.sdk
    • Write custom scanners as Python classes that run in-process (~1ms vs ~50ms subprocess)
    • Registration via config: module path + class name, or file path + class name
    • Registration via pip entry points (ai_guardian.scanners group)
    • Auto-discovery from ~/.config/ai-guardian/scanners/ directory
    • Python scanners work alongside subprocess engines in all execution strategies
    • configure() method for scanner-specific config from ai-guardian.json
    • Security: module path validation, Scanner subclass verification, startup logging
    • run_engine() dispatcher routes between subprocess and in-process scanners
  • Daemon auto-reload for project-level config (Issue #617)

    • Daemon client sends its CWD to the daemon server on each hook request
    • Thread-local project directory override enables correct project config discovery in daemon context
    • Per-project mtime tracking detects config changes across multiple projects
    • Tray icon flashes yellow on project config changes (same as global config reload)
    • daemon status shows project configs tracked and last project config reload time
    • Stale project entries auto-pruned after 24 hours of inactivity
  • init-project command with language auto-discovery (Issue #608)

    • New CLI command: ai-guardian init-project detects programming languages and generates project-level prompt injection allowlist
    • Pattern-aware: tests language identifiers against live detection patterns, only generates entries that actually trigger false positives
    • Supports 15 languages: Python, JavaScript, TypeScript, HTML, PHP, Ruby, C/C++, Go, Rust, Java, Kotlin, Swift, Scala, CSS, Shell
    • Python projects: generates allowlist for __init__, __class__, __import__, __globals__, __builtins__, __mro__, __subclasses__
    • HTML projects: generates ignore_files globs instead of allowlisting XSS-triggering patterns (safer)
    • Options: --dry-run (preview), --force (overwrite with backup), --json (machine-readable), --dir (specify project path)
  • Project-level ai-guardian.json config overlay (Issue #594)

    • Place .ai-guardian/ai-guardian.json at repo root to tune scanning rules per-project
    • Deep merge: project config overlays global config (project wins for non-locked fields)
    • immutable in global config sections prevents project override (true locks entire section, array locks specific fields)
    • Global-only sections (daemon, mcp_server, support, etc.) cannot be overridden by project
    • Self-protection: agent blocked from reading project-level config (existing IMMUTABLE_DENY_PATTERNS)
    • Console: scope toggle (Global/Project) in Settings and Config Editor panels
    • Doctor: new check_project_config check reports active project config
    • MCP: get_config() reports project_config path when active
    • New utilities: get_project_config_path(), deep_merge(), GLOBAL_ONLY_SECTIONS
    • Discovery: AI_GUARDIAN_PROJECT_CONFIG env var → git root → CWD
  • Console MCP Security panel shows IDE config file source (Issue #604)

    • Each MCP server now shows which IDE config file(s) it was found in
    • Multiple IDE configs shown when a server appears in more than one (e.g., Claude + Cursor)
    • IDE labels: Claude, Cursor, Windsurf, Codex
    • Added Windsurf (~/.windsurf/mcp.json) and Codex (codex.json) config discovery
    • CLI verbose mode (ai-guardian mcp list -v) also shows labeled sources
  • MCP server security scanning (Issue #468)

    • ai-guardian mcp list — list MCP servers with trust status
    • ai-guardian mcp audit — config audit for credential exposure, unpinned packages, npx auto-install, suspicious URLs
    • ai-guardian mcp scan [server] — deep source code scan for outbound HTTP, sensitive file reads, subprocess calls, base64 exfiltration, environment variable harvesting
    • Console panel "MCP Security" under Permissions group
    • Trust derived from permissions.rules — no separate config needed
  • Daemon session state persistence (Issue #592)

    • Persist security injection tracking across daemon restarts
    • Write-behind with debounced writes (2-second delay) to avoid excessive I/O
    • Atomic file writes with secure permissions (0600) for crash safety
    • Auto-prune sessions older than 24 hours on load and persist
    • State file: ~/.local/state/ai-guardian/daemon_sessions.json
    • Flush pending state on daemon shutdown for clean exit
  • Tray Local Setup submenu for IDE hook configuration (Issue #669)

    • New "Local Setup" submenu in tray for configuring IDE hooks without terminal
    • Section headers for Hooks, Config, and IDE entries
    • "Create Config" entry generates ai-guardian.json if missing
  • Setup preserves existing config with --force override (Issue #668)

    • ai-guardian setup no longer overwrites existing ai-guardian.json
    • New --force flag to explicitly overwrite existing configuration
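The Custom Scanner SDK entry (Issue #474) lists three safety checks on scanner registration: module path validation, Scanner subclass verification, and startup logging. The loader below is an added example of what those checks look like in practice; it is not ai-guardian's own loader, and the `Scanner` and `Finding` classes in it are minimal stand-ins with an assumed shape, not the real `ai_guardian.scanners.sdk` classes. The `demo_scanners` module is constructed in memory so the block runs offline.

```python
"""Config-driven scanner loading with module-path validation, Scanner-subclass
verification and startup logging. Added example, not ai-guardian's loader;
Scanner/Finding are stand-ins with an assumed shape."""
import importlib
import logging
import re
import sys
import types
from dataclasses import dataclass
from typing import List, Optional, Tuple

log = logging.getLogger("scanner_loader")

# A dotted module path is identifiers joined by single dots. This rejects
# filesystem paths ("../x", "/tmp/x"), whitespace and relative imports (".x").
_MODULE_RE = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$")
_CLASS_RE = re.compile(r"^[A-Za-z_]\w*$")


@dataclass
class Finding:          # stand-in (assumed shape) for the SDK Finding dataclass
    rule: str
    message: str
    line: int = 0


class Scanner:          # stand-in (assumed shape) for the SDK Scanner base class
    name = "base"

    def configure(self, config: dict) -> None:
        self.config = config

    def scan(self, text: str) -> List[Finding]:
        raise NotImplementedError


class ScannerLoadError(ValueError):
    """Raised for an entry that fails validation; startup continues without it."""


def load_scanner(module_path: str, class_name: str,
                 config: Optional[dict] = None) -> Scanner:
    """Import module_path, look up class_name and enforce the Scanner contract."""
    if not _MODULE_RE.match(module_path):
        raise ScannerLoadError(f"invalid module path: {module_path!r}")
    if not _CLASS_RE.match(class_name):
        raise ScannerLoadError(f"invalid class name: {class_name!r}")
    try:
        module = importlib.import_module(module_path)
    except ImportError as exc:
        raise ScannerLoadError(f"cannot import {module_path}: {exc}") from exc
    cls = getattr(module, class_name, None)
    # isinstance(cls, type) rejects functions and instances before issubclass is
    # asked; "cls is Scanner" rejects registering the bare base class itself.
    if not (isinstance(cls, type) and issubclass(cls, Scanner)) or cls is Scanner:
        raise ScannerLoadError(f"{module_path}.{class_name} is not a Scanner subclass")
    scanner = cls()
    scanner.configure(config or {})
    log.info("loaded scanner %r from %s.%s", scanner.name, module_path, class_name)
    return scanner


def load_from_config(entries: List[dict]) -> Tuple[List[Scanner], List[str]]:
    """Load every configured scanner; bad entries are logged and reported, not fatal."""
    loaded, errors = [], []
    for entry in entries:
        try:
            loaded.append(load_scanner(entry["module"], entry["class"], entry.get("config")))
        except (ScannerLoadError, KeyError) as exc:
            errors.append(f"{entry!r}: {exc}")
            log.warning("skipping scanner entry %r: %s", entry, exc)
    return loaded, errors


# Constructed demo module, registered in sys.modules so the example runs offline.
class TodoScanner(Scanner):
    name = "todo"

    def scan(self, text: str) -> List[Finding]:
        return [Finding("todo", line, n) for n, line in enumerate(text.splitlines(), 1)
                if "TODO" in line]


_demo = types.ModuleType("demo_scanners")
_demo.TodoScanner = TodoScanner
_demo.not_a_scanner = lambda: None
sys.modules["demo_scanners"] = _demo

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    scanners, errors = load_from_config([
        {"module": "demo_scanners", "class": "TodoScanner"},
        {"module": "demo_scanners", "class": "not_a_scanner"},   # not a Scanner
        {"module": "../evil", "class": "X"},                     # a path, not a module
    ])
    print([s.name for s in scanners], errors)
```

The subclass check matters because an in-process scanner runs with the daemon's privileges: a config entry that names an arbitrary module attribute would otherwise be imported and called without any contract being enforced.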
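The project-level config overlay entry (Issue #594) describes the merge rule in one line: project wins for non-locked fields, `immutable: true` locks a whole section, an `immutable` array locks named fields, and global-only sections are never overridable. The function below is an added example of that rule, not ai-guardian's `deep_merge()`; it assumes arrays are replaced rather than unioned and that locks apply at section level, and the `GLOBAL_ONLY_SECTIONS` set is illustrative since the entry says "etc.".

```python
"""Project-over-global config overlay with immutable locks. Added example,
not ai-guardian's deep_merge(); array replacement and section-level locking
are assumptions."""
import copy
from typing import Any, Dict, List, Tuple

# The entry names daemon, mcp_server and support "etc."; this set is illustrative.
GLOBAL_ONLY_SECTIONS = frozenset({"daemon", "mcp_server", "support"})


def _merge_into(target: Dict[str, Any], overlay: Dict[str, Any], locked: set,
                path: str, ignored: List[str]) -> None:
    """Overlay keys into target in place; project wins unless the key is locked."""
    for key, value in overlay.items():
        dotted = f"{path}.{key}"
        if key == "immutable" or key in locked:
            ignored.append(dotted)            # a project may not unlock or rewrite a lock
            continue
        if isinstance(target.get(key), dict) and isinstance(value, dict):
            _merge_into(target[key], value, set(), dotted, ignored)
        else:
            target[key] = copy.deepcopy(value)   # scalars and arrays replaced, not unioned


def deep_merge(global_cfg: Dict[str, Any],
               project_cfg: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Return (effective config, dotted keys from the project file that were refused)."""
    merged = copy.deepcopy(global_cfg)
    ignored: List[str] = []
    for section, project_value in project_cfg.items():
        if section in GLOBAL_ONLY_SECTIONS:
            ignored.append(section)
            continue
        global_value = merged.get(section)
        if not (isinstance(global_value, dict) and isinstance(project_value, dict)):
            merged[section] = copy.deepcopy(project_value)   # new or scalar section
            continue
        lock = global_value.get("immutable", False)
        if lock is True:                      # whole section locked
            ignored.append(section)
            continue
        locked = set(lock) if isinstance(lock, list) else set()
        _merge_into(global_value, project_value, locked, section, ignored)
    return merged, ignored


# Constructed configs: the field names are illustrative, not ai-guardian's schema.
GLOBAL_CONFIG = {
    "secrets": {"immutable": ["enabled"], "enabled": True, "patterns": ["aws"]},
    "pii": {"immutable": True, "pii_types": ["email"]},
    "daemon": {"rest_port": 63152},
    "prompt_injection": {"allowlist": ["__init__"]},
}
PROJECT_CONFIG = {
    "secrets": {"enabled": False, "patterns": ["aws", "gcp"]},   # enabled is locked
    "pii": {"pii_types": []},                                      # whole section locked
    "daemon": {"rest_port": 1},                                    # global-only section
    "prompt_injection": {"allowlist": ["__class__"]},              # plain override
}

if __name__ == "__main__":
    effective, refused = deep_merge(GLOBAL_CONFIG, PROJECT_CONFIG)
    print(effective)
    print("refused:", refused)
```

Returning the refused keys is what makes the lock auditable: the daemon can log which project-level overrides it dropped instead of silently applying a weaker policy.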
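The MCP server security scanning entry (Issue #468) names four audit classes: credential exposure, unpinned packages, npx auto-install and suspicious URLs. The block below is an added example of static checks for those classes over a constructed config; the heuristics are my own, not the ones `ai-guardian mcp audit` runs, and the config layout (`mcpServers` with `command`/`args`/`env`/`url`) follows the common `claude_desktop_config.json` shape. The token value in the sample is a placeholder.

```python
"""Static audit of an IDE MCP config for credential exposure, unpinned
packages, npx auto-install and suspicious URLs. Added example with my own
heuristics, not ai-guardian's mcp audit checks."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class AuditFinding:
    server: str
    check: str
    detail: str


SECRET_KEY_RE = re.compile(r"SECRET|TOKEN|KEY|PASSW|CREDENTIAL", re.I)
# "${VAR}" / "$VAR" reference the environment instead of embedding the value
ENV_REF_RE = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")
# name@1 / name@1.2.3 / @scope/name@1.2.3-rc1 count as pinned; bare names and
# dist-tags such as name@latest do not
PINNED_RE = re.compile(r"^(@[^/@\s]+/)?[^/@\s]+@\d+(\.\d+){0,2}([-+][\w.]+)?$")
RAW_IP_RE = re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}(:\d+)?(/|$)")


def audit_server(name: str, spec: dict) -> List[AuditFinding]:
    out: List[AuditFinding] = []
    for key, value in (spec.get("env") or {}).items():
        if (SECRET_KEY_RE.search(key) and isinstance(value, str) and value
                and not ENV_REF_RE.match(value)):
            out.append(AuditFinding(name, "credential_exposure",
                                    f"env {key} holds a literal value in the config file"))
    command = os.path.basename(str(spec.get("command", "")))
    args = [str(a) for a in (spec.get("args") or [])]
    if command in ("npx", "npx.cmd"):
        if "-y" in args or "--yes" in args:
            out.append(AuditFinding(name, "npx_auto_install",
                                    "npx -y installs the package without prompting"))
        packages = [a for a in args if not a.startswith("-")]
        if packages and not PINNED_RE.match(packages[0]):
            out.append(AuditFinding(name, "unpinned_package",
                                    f"{packages[0]} has no exact version"))
    url = spec.get("url")
    if isinstance(url, str):
        if url.startswith("http://"):
            out.append(AuditFinding(name, "insecure_url", "plaintext http:// endpoint"))
        if RAW_IP_RE.match(url):
            out.append(AuditFinding(name, "raw_ip_url", "endpoint is a bare IP address"))
    return out


def audit_config(config: dict) -> List[AuditFinding]:
    findings: List[AuditFinding] = []
    for name, spec in (config.get("mcpServers") or {}).items():
        findings.extend(audit_server(name, spec or {}))
    return findings


# Constructed sample config; the token value is a placeholder, not a real credential.
SAMPLE_CONFIG: Dict[str, dict] = {
    "mcpServers": {
        "filesystem": {"command": "npx",
                       "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/me"]},
        "github": {"command": "npx",
                   "args": ["@modelcontextprotocol/server-github@2025.4.8"],
                   "env": {"GITHUB_TOKEN": "literal-token-placeholder"}},
        "remote": {"url": "http://203.0.113.10:8080/sse"},
        "tidy": {"command": "npx", "args": ["some-server@1.2.3"],
                 "env": {"API_KEY": "${API_KEY}"}},
    }
}

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f.server:12} {f.check:20} {f.detail}")
```

An unpinned `npx -y` entry is the supply-chain case worth flagging first: every IDE start resolves the package afresh, so whoever controls the registry entry controls code that runs with the user's environment.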
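The daemon session state persistence entry (Issue #592) lists the properties a crash-safe state file needs: debounced write-behind, atomic writes with 0600 permissions, 24-hour pruning on load and persist, and a flush on shutdown. The store below is an added example of those mechanics, not the daemon's own code; the record layout (`{session_id: {"injected": bool, "last_seen": epoch}}`) is an assumption, and `demo_roundtrip()` exercises it in a temporary directory.

```python
"""Write-behind session state with debounced, atomic, owner-only writes and
24-hour pruning. Added example, not ai-guardian's own persistence code; the
record layout is assumed."""
import json
import os
import stat
import tempfile
import threading
import time
from pathlib import Path
from typing import Callable, Dict, Optional


class SessionStore:
    def __init__(self, path, debounce_seconds: float = 2.0,
                 max_age_seconds: float = 24 * 3600,
                 now: Callable[[], float] = time.time) -> None:
        self.path = Path(path)
        self.debounce = debounce_seconds
        self.max_age = max_age_seconds
        self._now = now
        self._lock = threading.Lock()
        self._timer: Optional[threading.Timer] = None
        self._sessions: Dict[str, dict] = self._load()

    def _load(self) -> Dict[str, dict]:
        try:
            with self.path.open("r", encoding="utf-8") as fh:
                data = json.load(fh)
        except (FileNotFoundError, json.JSONDecodeError):
            data = {}
        self._prune(data)                     # prune on load
        return data

    def _prune(self, sessions: Dict[str, dict]) -> int:
        cutoff = self._now() - self.max_age
        stale = [sid for sid, rec in sessions.items() if rec.get("last_seen", 0) < cutoff]
        for sid in stale:
            del sessions[sid]
        return len(stale)

    def _atomic_write(self, data: Dict[str, dict]) -> None:
        self.path.parent.mkdir(parents=True, exist_ok=True)
        # temp file in the same directory, so os.replace is an atomic rename
        fd, tmp = tempfile.mkstemp(dir=str(self.path.parent), prefix=".daemon_sessions-")
        try:
            os.chmod(tmp, 0o600)              # owner-only before any content lands
            with os.fdopen(fd, "w", encoding="utf-8") as fh:
                json.dump(data, fh)
                fh.flush()
                os.fsync(fh.fileno())         # durable before the rename makes it visible
            os.replace(tmp, self.path)
        except BaseException:
            try:
                os.unlink(tmp)
            except OSError:
                pass
            raise

    def _schedule(self) -> None:              # caller holds self._lock
        if self._timer is None:
            self._timer = threading.Timer(self.debounce, self.flush)
            self._timer.daemon = True
            self._timer.start()

    def flush(self) -> None:
        """Persist now: used by the debounce timer and by close()."""
        with self._lock:
            if self._timer is not None:
                self._timer.cancel()
                self._timer = None
            self._prune(self._sessions)       # prune on persist
            self._atomic_write(self._sessions)

    def mark_injected(self, session_id: str) -> None:
        with self._lock:
            self._sessions[session_id] = {"injected": True, "last_seen": self._now()}
            self._schedule()                  # coalesces bursts into one write

    def is_injected(self, session_id: str) -> bool:
        with self._lock:
            return bool(self._sessions.get(session_id, {}).get("injected"))

    def close(self) -> None:
        self.flush()                          # flush pending state on shutdown


def demo_roundtrip(root: Optional[str] = None) -> dict:
    """Exercise the store end to end in a temp dir and report what was observed."""
    path = Path(root or tempfile.mkdtemp()) / "ai-guardian" / "daemon_sessions.json"
    store = SessionStore(path, debounce_seconds=60)      # long debounce: flushed by hand
    store.mark_injected("session-a")
    exists_before_flush = path.exists()                   # write-behind: nothing yet
    store.close()
    owner_only = os.name != "posix" or stat.S_IMODE(path.stat().st_mode) == 0o600
    reopened = SessionStore(path, debounce_seconds=60).is_injected("session-a")
    later = SessionStore(path, debounce_seconds=60,
                         now=lambda: time.time() + 25 * 3600)   # "25 hours later"
    return {"exists_before_flush": exists_before_flush, "owner_only": owner_only,
            "reopened_injected": reopened, "injected_after_25h": later.is_injected("session-a")}


if __name__ == "__main__":
    print(demo_roundtrip())
```

The write-behind trade-off is visible in `exists_before_flush`: a crash inside the debounce window loses up to two seconds of tracking, which is acceptable for injection state but would not be for anything the daemon must not forget.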

Changed

  • BREAKING: Daemon no longer launches system tray automatically (Issue #527)

    • ai-guardian daemon start now runs headless (no tray icon)
    • System tray is a separate process: ai-guardian tray start
    • Migration: If you relied on the tray appearing automatically with daemon start, add ai-guardian tray start to your workflow (e.g., login items, shell alias, or startup script)
    • The --no-tray flag on daemon start is deprecated (daemon is always headless)
    • This separation enables the tray to manage multiple daemons (local + containers) independently
  • Replaced subprocess-based container discovery with Docker Python SDK (Issues #659, #654, #672)

    • Container discovery now uses docker Python SDK (docker>=7.0,<9) instead of subprocess calls
    • Multi-engine discovery: scans both Podman and Docker simultaneously instead of picking one
    • Container engine detected via API instead of socket path heuristic
    • Faster and more reliable container detection with native API access
  • Simplified tray menu layout and reordered items (Issues #655, #656)

    • Single-daemon layout optimized for common case (no daemon submenu when only one daemon)
    • Statistics entries moved below Metrics in Console menu
    • Improved config-aware local daemon discovery
  • Refactored monolithic __init__.py into focused modules (Issues #619, #620, #607)

    • Extracted CLI entry points to cli.py and cli_handlers.py
    • Extracted hook processing to hook_processing.py
    • Extracted config loading to config_loaders.py
    • Extracted shared constants to constants.py (ActionMode, ViolationType, HookEvent enums)
    • Extracted response formatting to response_format.py
    • All public symbols re-exported from __init__.py for backward compatibility
  • Python 3.13 and 3.14 support (Issue #645)

    • Added Python 3.13 and 3.14 to CI test matrix
    • Added PyPI classifiers for Python 3.13 and 3.14
  • PII Detection Phase 2 - Advanced Types (Issue #329)

    • New PII types (all opt-in, add to pii_types to enable):
      • medical_id: Medical Record Numbers with context keywords (MRN, Patient ID)
      • passport: International Passport Numbers with context keywords
      • canada_sin: Canadian Social Insurance Numbers with Luhn validation
      • uk_nin: UK National Insurance Numbers
      • india_aadhaar: Indian Aadhaar Numbers (12-digit, separated format)
      • address: Street Addresses (regex-based, common US suffixes)
    • Enhanced intl_phone pattern: now detects formatted international numbers with spaces, dashes, and dots (e.g., +44 20 7946 0958)
    • Context-aware detection for medical_id and passport reduces false positives
    • Canadian SIN uses Luhn algorithm validation (same as credit cards)
    • All new types available in Console TUI and JSON schema
    • 64 new tests covering detection, false positive prevention, and validation
  • Safe fix suggestions in MCP get_violations() tool (Issue #627)

    • Each violation now includes a suggestion field with safe-only remediation guidance
    • Covers all 8 violation types: secret_detected, pii_detected, directory_blocking, tool_permission, prompt_injection, ssrf_blocked, config_file_exfil, jailbreak_detected
    • Suggestions never include bypass instructions, allowlist syntax, or config disabling hints
  • AGENTS.md bypass-prevention policy (Issue #627)

    • Documents that AI Guardian must never provide bypass information to AI agents
    • Covers MCP tool responses, skill instructions, error messages, and Console output
  • Block Console in non-interactive AI sessions (Issue #627)

    • ai-guardian console now checks sys.stdin.isatty() and refuses to run in non-interactive environments
    • Prevents AI agents from accessing full security configuration, patterns, and allowlists via the Console TUI
  • Simplify CONTRIBUTING.md + create Developer Guide (Issue #628)

    • Reduced CONTRIBUTING.md from 679 lines to ~50 lines (fork workflow, commit format, checklist)
    • Created docs/DEVELOPER_GUIDE.md with architecture overview, development setup, testing, new feature checklist
    • Updated for v1.8.0-dev features: daemon, MCP server, Console, profiles, annotations, custom scanner SDK
    • Removed basic git tutorials and duplicate PR/issue templates from CONTRIBUTING.md
  • Document deny-by-default for MCP servers and Skills (Issue #606)

    • README: added prominent callout after Quick Start explaining MCP/Skills are blocked by default
    • README: updated Default Behavior table to distinguish built-in tools (allowed) from MCP/Skills (blocked)
    • TOOL_POLICY.md: added "Default Security Posture" section with rationale table
    • Error message for "no permission rule" now explains deny-by-default policy instead of "matches a denied pattern"
  • Performance: Cache config file reads across _load_*_config() calls (Issue #569)

    • Single file read per hook invocation instead of 4-6 redundant reads
    • Uses mtime-based invalidation for automatic cache refresh
    • Refactored _load_pattern_server_config() to use shared _load_config_file() cache
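The PII Detection Phase 2 entry (Issue #329) relies on two techniques to keep false positives down: checksum validation (Canadian SIN through Luhn, the same check used for credit cards) and context-keyword anchoring (medical_id, passport). The block below is an added example of both over a constructed sample; the regexes and keyword lists are my own, not ai-guardian's patterns. The SIN 046 454 286 used in the sample is a widely published Luhn-valid example number.

```python
"""Checksum-validated and context-anchored PII detection. Added example with
my own patterns, not ai-guardian's; keyword lists are assumptions."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class PiiMatch:
    pii_type: str
    value: str
    start: int


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum over a string of ASCII digits."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 9 digits, optionally grouped 3-3-3 with spaces or dashes
CANADA_SIN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")
# The number must directly follow its keyword, so "Order #00987654" two words
# after an unrelated "MRN" does not fire (a proximity window would).
MEDICAL_ID_RE = re.compile(
    r"\b(?:MRN|medical record(?: number)?|patient id)\b\s*[:#]?\s*(\d{6,10})\b", re.I)
PASSPORT_RE = re.compile(
    r"\bpassport(?: no\.?| number| #)?\s*[:#]?\s*([A-Z0-9]{6,9})\b", re.I)


def detect_pii(text: str) -> List[PiiMatch]:
    found: List[PiiMatch] = []
    for m in CANADA_SIN_RE.finditer(text):
        if luhn_valid("".join(m.groups())):      # checksum rejects most random 9-digit runs
            found.append(PiiMatch("canada_sin", m.group(0), m.start()))
    for m in MEDICAL_ID_RE.finditer(text):
        found.append(PiiMatch("medical_id", m.group(1), m.start(1)))
    for m in PASSPORT_RE.finditer(text):
        found.append(PiiMatch("passport", m.group(1), m.start(1)))
    return sorted(found, key=lambda f: f.start)


# Constructed sample text; 046 454 286 is a published Luhn-valid example SIN.
SAMPLE_TEXT = ("Applicant SIN 046 454 286, reference 123 456 789. "
               "MRN: 00123456. Order #00987654 shipped. Passport No. AB123456 on file.")

if __name__ == "__main__":
    for f in detect_pii(SAMPLE_TEXT):
        print(f"{f.pii_type:12} {f.value}")
```

Note that "123 456 789" matches the SIN shape but fails Luhn and is dropped, and "00987654" has the medical-ID shape but no anchoring keyword; those two cases are the false positives the entry says the new types are built to avoid.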

Fixed

  • Restore full Security Disclaimer + fix broken PyPI README links (Issue #624)

    • Restored full Security Disclaimer section with bullet points about limitations and defense-in-depth recommendations
    • Converted all relative links in README.md to absolute GitHub URLs so they work on PyPI
  • Rename desktop entries from "AI Guardian" to "AI Guardian Tray" (Issue #663)

    • Fixed desktop shortcut and autostart entries to use correct "AI Guardian Tray" name
  • Bug: GNOME system tray icon not visible after AppIndicator extension install (Issue #602)

    • The pystray setup= callback prevented the icon from appearing on newer GNOME/GTK
    • Replaced it with a timer-based stderr restore so the icon displays correctly
  • Bug: Console startup prints MCP permission check messages to terminal (Issue #600)

    • Suppress stderr logging (INFO/DEBUG) when running ai-guardian console or ai-guardian tui
    • File logging remains at full verbosity for debugging
    • MCP permission check results still available in Console MCP panel
  • Bug: paused daemon returns null causing Claude Code errors (Issue #618)

    • Return valid JSON string instead of None when daemon is paused
    • Prevents "Failed with non-blocking status" errors in Claude Code
  • Bug: tray Console launch fails on macOS before shell init (Issue #599)

    • Defer tray Console command until after shell initialization on macOS
  • Bug: unlisted MCP servers always blocked (Issue #595, AAP-75435)

    • Switch permission rules to last-match-wins evaluation (consistent with directory_rules)
    • Rules evaluated in order: broad allow → category deny → specific allow
    • mode: deny supports action: block|warn|log-only (default: block)
    • New unlisted MCP servers warned instead of blocked with standard profile
    • Backward compatible: old action on mode: allow rules still works (deprecated)
    • Updated @minimal, @standard, @strict profile defaults
    • Updated default config templates with layered permission rules
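The unlisted-MCP-servers fix (Issue #595) changes permission rules to last-match-wins so that a layered rule set reads in order: broad allow, then category deny, then specific allow, with `mode: deny` carrying `action: block|warn|log-only` (default block) and no matching rule meaning deny-by-default. The evaluator below is an added example of that ordering, not ai-guardian's own code; the rule schema (`mode`, `pattern`, `action`) and the `mcp__<server>__<tool>` tool naming are assumptions. The `first_match` flag is there only to show how the same rule list behaves under first-match evaluation.

```python
"""Last-match-wins evaluation of layered allow/deny rules with deny-by-default.
Added example, not ai-guardian's evaluator; rule schema and tool naming are
assumptions."""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional

DENY_ACTIONS = ("block", "warn", "log-only")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    action: str                 # "allow", or one of DENY_ACTIONS
    rule_index: Optional[int]   # None when no rule matched (deny-by-default)


def validate_rules(rules: List[dict]) -> List[dict]:
    """Reject malformed rules at load time rather than at first use."""
    for i, rule in enumerate(rules):
        mode = rule.get("mode")
        if mode not in ("allow", "deny"):
            raise ValueError(f"rule {i}: mode must be allow or deny, got {mode!r}")
        if not isinstance(rule.get("pattern"), str):
            raise ValueError(f"rule {i}: pattern must be a glob string")
        if mode == "deny" and rule.get("action", "block") not in DENY_ACTIONS:
            raise ValueError(f"rule {i}: deny action must be one of {DENY_ACTIONS}")
    return rules


def evaluate(rules: List[dict], tool: str, first_match: bool = False) -> Decision:
    """Last matching rule wins. first_match=True shows the alternative, in which
    an early broad allow shadows every later rule."""
    matches = [(i, r) for i, r in enumerate(rules)
               if fnmatch.fnmatchcase(tool, r["pattern"])]
    if not matches:
        return Decision(False, "block", None)           # no rule at all: deny-by-default
    index, rule = matches[0] if first_match else matches[-1]
    if rule["mode"] == "allow":
        return Decision(True, "allow", index)
    return Decision(False, rule.get("action", "block"), index)


# Constructed layered rule set in the order the fix describes.
RULES = validate_rules([
    {"mode": "allow", "pattern": "*"},                          # broad allow
    {"mode": "deny", "pattern": "mcp__*", "action": "warn"},    # category deny (warn)
    {"mode": "allow", "pattern": "mcp__github__*"},             # specific allow
    {"mode": "deny", "pattern": "mcp__github__delete_*"},       # default action: block
])

if __name__ == "__main__":
    for tool in ("Read", "mcp__unknown__run", "mcp__github__list_issues",
                 "mcp__github__delete_repo"):
        d = evaluate(RULES, tool)
        print(f"{tool:28} -> {d.action:8} (rule {d.rule_index})")
    print("first-match-wins on the same rules:",
          evaluate(RULES, "mcp__unknown__run", first_match=True).action)
```

Under last-match-wins an unlisted MCP tool lands on the category deny and is warned, not blocked, which is the "standard profile" outcome the fix describes; under first-match-wins the leading `*` allow would have matched everything and the later, more specific rules would never be consulted.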