Skip to content

0.8.0

Choose a tag to compare

@github-actions github-actions released this 09 Jul 14:14

Release Notes

Security

  • TUI-headed commands are now gated in hook mode on all four agents.
    less /etc/shadow and friends were previously skipped before policy
    evaluation (a disclosed known gap); they are now evaluated like any
    command — Ask prompts natively on Claude Code/Cursor and fails closed on
    Gemini CLI/Codex CLI. A clean Allow still passes the command through
    unwrapped, and an approved Ask on Claude Code runs the original command
    directly, so interactive TTYs keep working.

Added

  • vallum policy test "<cmd>" — one-shot guardrail verdict without
    running an agent: prints ALLOW / ASK [rule] (built-in|user rule) /
    DENY [rule] … / PASS-THROUGH (…) and exits 0/10/20 (125 on config
    error) for scripting.

Fixed

  • vallum install-hook no longer panics when a hand-edited agent config
    has the right JSON syntax but the wrong shape (e.g. a hooks key that
    is a string) — it reports a clean error with the file path instead.
  • Welcome screen says 1 rule active instead of 1 rules active.

Changed

  • vallum doctor and the welcome screen derive their per-agent probe
    paths from the installers' own path helpers, so the three can no longer
    drift apart.

Install vallum 0.8.0

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/kahramanemir/Vallum/releases/download/v0.8.0/vallum-installer.sh | sh

Install prebuilt binaries via Homebrew

brew install kahramanemir/tap/vallum

Install prebuilt binaries into your npm project

npm install vallum@0.8.0

Download vallum 0.8.0

File Platform Checksum
vallum-aarch64-apple-darwin.tar.xz Apple Silicon macOS checksum
vallum-x86_64-apple-darwin.tar.xz Intel macOS checksum
vallum-aarch64-unknown-linux-musl.tar.xz ARM64 MUSL Linux checksum
vallum-x86_64-unknown-linux-musl.tar.xz x64 MUSL Linux checksum

Verifying GitHub Artifact Attestations

The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:

gh attestation verify <file-path of downloaded artifact> --repo kahramanemir/Vallum

You can also download the attestation from GitHub and verify against that directly:

gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>