Skip to content

0.5.0

Choose a tag to compare

@github-actions github-actions released this 03 Jul 22:15

Release Notes

Added

  • Guardrail / policy layer — Vallum now evaluates each command before it
    runs
    against a set of dangerous-command rules and returns Allow / Ask / Deny.
    Enforced through the Claude Code PreToolUse hook (native allow/ask/deny) and
    through direct vallum run (deny → exit 125; ask → terminal prompt or
    fail-closed when non-interactive). Ships with a narrow built-in rule set
    (rm -rf on root/home, curl … | sh, dd to a block device, fork bomb,
    recursive chmod 777, reading private keys/credentials, force-push, …),
    a benign-command precision gate, redacted policy.log auditing, and
    vallum doctor reporting. User rules and disables live under [policy].

Changed

  • Behavior change: the guardrail is enabled by default
    (security.guardrail = true) with all built-in rules set to ask — a
    genuinely dangerous command now prompts for confirmation instead of running
    silently. Built-in patterns are deliberately narrow so ordinary commands are
    unaffected. Opt out with security.guardrail = false; auto-approve prompts in
    scripts with security.assume_yes = true or VALLUM_ASSUME_YES=1.

Install vallum 0.5.0

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/kahramanemir/Vallum/releases/download/v0.5.0/vallum-installer.sh | sh

Install prebuilt binaries via Homebrew

brew install kahramanemir/tap/vallum

Install prebuilt binaries into your npm project

npm install vallum@0.5.0

Download vallum 0.5.0

File Platform Checksum
vallum-aarch64-apple-darwin.tar.xz Apple Silicon macOS checksum
vallum-x86_64-apple-darwin.tar.xz Intel macOS checksum
vallum-aarch64-unknown-linux-musl.tar.xz ARM64 MUSL Linux checksum
vallum-x86_64-unknown-linux-musl.tar.xz x64 MUSL Linux checksum

Verifying GitHub Artifact Attestations

The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:

gh attestation verify <file-path of downloaded artifact> --repo kahramanemir/Vallum

You can also download the attestation from GitHub and verify against that directly:

gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>