0.5.1
Release Notes
Fixed
- Hook mode no longer degrades silently on a broken config. A TOML or
regex error in the config file used to drop the user's custom policy rules
(and every other custom setting) without any diagnostic while the hook kept
running with defaults. The hook now prints a warning to stderr (surfaced by
Claude Code) and keeps gating with the built-in policy; directvallum run
still refuses to run (exit 125) on a broken config. - Trivial shell obfuscation no longer slips past the guardrail. Command
lines are lightly normalized before rule matching — empty quote pairs and
identity backslash escapes are stripped — sor''m -rf /and\rm -rf /
now triggerrm_rf_rootjust like the plain spelling. Raw matches are never
lost, and the benign-command precision gate is unchanged.
Changed
- A bare string in
[scrubber] extra_secret_patternsnow fails with an error
that shows the expected{ pattern = "…", replacement = "…" }table form
instead of a generic serde type error. vallum run --helpnow shows examples, including the--separator needed
when the wrapped command has flags of its own.
Documentation
- README: documented the guardrail's honest scope (text-pattern matching is a
defense-in-depth speed bump, not a sandbox) and the broken-config fallback
behavior in hook mode vs directvallum run.
Install vallum 0.5.1
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/kahramanemir/Vallum/releases/download/v0.5.1/vallum-installer.sh | shInstall prebuilt binaries via Homebrew
brew install kahramanemir/tap/vallumInstall prebuilt binaries into your npm project
npm install vallum@0.5.1Download vallum 0.5.1
| File | Platform | Checksum |
|---|---|---|
| vallum-aarch64-apple-darwin.tar.xz | Apple Silicon macOS | checksum |
| vallum-x86_64-apple-darwin.tar.xz | Intel macOS | checksum |
| vallum-aarch64-unknown-linux-musl.tar.xz | ARM64 MUSL Linux | checksum |
| vallum-x86_64-unknown-linux-musl.tar.xz | x64 MUSL Linux | checksum |
Verifying GitHub Artifact Attestations
The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:
gh attestation verify <file-path of downloaded artifact> --repo kahramanemir/VallumYou can also download the attestation from GitHub and verify against that directly:
gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>