0.5.0
Release Notes
Added
- Guardrail / policy layer — Vallum now evaluates each command before it
runs against a set of dangerous-command rules and returns Allow / Ask / Deny.
Enforced through the Claude CodePreToolUsehook (native allow/ask/deny) and
through directvallum run(deny → exit 125; ask → terminal prompt or
fail-closed when non-interactive). Ships with a narrow built-in rule set
(rm -rfon root/home,curl … | sh,ddto a block device, fork bomb,
recursivechmod 777, reading private keys/credentials, force-push, …),
a benign-command precision gate, redactedpolicy.logauditing, and
vallum doctorreporting. User rules and disables live under[policy].
Changed
- Behavior change: the guardrail is enabled by default
(security.guardrail = true) with all built-in rules set toask— a
genuinely dangerous command now prompts for confirmation instead of running
silently. Built-in patterns are deliberately narrow so ordinary commands are
unaffected. Opt out withsecurity.guardrail = false; auto-approve prompts in
scripts withsecurity.assume_yes = trueorVALLUM_ASSUME_YES=1.
Install vallum 0.5.0
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/kahramanemir/Vallum/releases/download/v0.5.0/vallum-installer.sh | shInstall prebuilt binaries via Homebrew
brew install kahramanemir/tap/vallumInstall prebuilt binaries into your npm project
npm install vallum@0.5.0Download vallum 0.5.0
| File | Platform | Checksum |
|---|---|---|
| vallum-aarch64-apple-darwin.tar.xz | Apple Silicon macOS | checksum |
| vallum-x86_64-apple-darwin.tar.xz | Intel macOS | checksum |
| vallum-aarch64-unknown-linux-musl.tar.xz | ARM64 MUSL Linux | checksum |
| vallum-x86_64-unknown-linux-musl.tar.xz | x64 MUSL Linux | checksum |
Verifying GitHub Artifact Attestations
The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:
gh attestation verify <file-path of downloaded artifact> --repo kahramanemir/VallumYou can also download the attestation from GitHub and verify against that directly:
gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>