Skip to content

Releases: mackeh/AegisClaw

v0.10.0

Choose a tag to compare

@mackeh mackeh released this 15 Jun 16:52

This release reframes AegisClaw from a skill executor into an inline control
plane that governs a whole running agent
(OpenClaw, Hermes, or any other),
brokering all four of its action paths — tools, model, network, and host —
behind one default-deny policy and one tamper-evident audit chain. See
aegisclaw-harness-architecture.md.

Added

  • Agent harness control plane (internal/harness/): wraps a whole running
    agent
    (OpenClaw, Hermes, or any other) in the AegisClaw envelope, not just
    skills AegisClaw launches itself. Introduces the pluggable AgentAdapter
    interface + Registry, a Supervisor that forces a filtering egress proxy
    and scoped, ephemeral secret injection onto the agent and records the full
    lifecycle to the hash-chained audit log, and a Launcher seam. Design doc:
    aegisclaw-harness-architecture.md.

  • aegisclaw harness run / harness list: launch an agent in the envelope.
    By default the agent runs as a host subprocess pointed at the egress proxy via
    HTTP(S)_PROXY; --image runs it inside a hardened sandbox container
    (read-only rootfs, all caps dropped, no-new-privileges, resource limits), with
    --runtime gvisor for stronger isolation.

  • generic agent adapter (internal/harness/adapters/generic): runs any
    agent that honours standard proxy/endpoint environment variables — the harness
    is not limited to OpenClaw and Hermes.

  • First-class OpenClaw and Hermes adapters (internal/harness/adapters/ {openclaw,hermes}): each declares its scoped secrets, a default egress
    allowlist for its endpoints (merged into the proxy allowlist by the
    supervisor), and its ingress surface. OpenClaw declares its messaging channels
    as ingress and reuses the existing internal/openclaw health probe; Hermes
    declares its self-generated-skills directory and implements a new optional
    SandboxRequirer interface so the supervisor warns when this code-executing
    agent is launched on the host instead of inside the sandbox. Adapters also
    contribute a default egress allowlist via the new AgentAdapter. DefaultEgressDomains method.

  • Detached sandbox execution (sandbox.DockerExecutor.Start + Process):
    long-lived containers with live log streaming and ctx-driven termination,
    reusing the existing hardened container configuration (refactored into a shared
    hardenedConfigs helper). Backs internal/harness/sandboxlauncher.

  • MCP gateway (mcp.Gateway + mcp.StdioDownstream): an inline Model
    Context Protocol proxy between an agent and a real downstream MCP server. Every
    tools/call is checked through a pipeline — rate limit → scope→policy
    decision → persistent approval → argument guardrail scan → forward → response
    guardrail scan → hash-chained audit (audit/mcp.log) — before it can reach the
    downstream. Reuses policy, guardrails, scope, and the existing rate
    limiter. CLI: aegisclaw gateway mcp -- <server cmd…>.

  • MCP tool-description pinning (mcp.PinStore): tools/list hash-pins each
    tool's name, description, and input schema (trust-on-first-use). A tool whose
    fingerprint changes after first approval is quarantined and its calls blocked
    until an operator re-approves it via aegisclaw gateway pins reset — a defense
    against tool-poisoning / rug-pull attacks.

  • LLM proxy (internal/llmproxy): an OpenAI/Anthropic-compatible reverse
    proxy between an agent and its model provider. Scans prompts and responses with
    the guardrails engine, scrubs known secrets from responses, enforces
    per-session token / cost / request budgets, detects runaway self-prompting
    loops (the same request repeated in a short window), and records every call
    (model, token counts, cost, decision) to the audit log. Standalone via
    aegisclaw gateway llm --upstream …, and wired into the harness model plane
    via aegisclaw harness run --llm-upstream … (which points the agent's
    OPENAI_BASE_URL / ANTHROPIC_BASE_URL at the proxy). Closes the agentic-loop
    & cost-guard roadmap item.

  • Egress proxy response scanning (internal/proxy): the proxy now scans the
    bodies of plaintext HTTP responses the agent fetches for indirect prompt
    injection (guardrails.CheckData) before relaying them — in "block" mode a
    poisoned page is replaced with a 502 so it never reaches the agent; in "warn"
    mode it is audited and passed through. Gated by Guard/GuardMode (wired from
    guardrails.mode by the harness). Text-like responses only; HTTPS CONNECT
    tunnels stay opaque (the MCP gateway and LLM proxy cover those planes).

  • Egress proxy SSRF protection + outbound DLP (internal/proxy): the proxy
    now blocks destinations resolving to loopback, private, link-local, and
    cloud instance-metadata addresses (169.254.169.254, 100.100.100.200,
    ...), validated at dial time (safeDial) to defeat DNS rebinding. It also
    blocks plaintext outbound requests carrying known secret values; the harness
    supervisor feeds the agent's own injected secrets to this DLP. SSRF protection
    is on by default; network.allow_private_egress opts out, and metadata
    endpoints stay blocked regardless.

  • OWASP ASI compliance assessment (internal/compliance): maps AegisClaw
    controls to the OWASP Top 10 for Agentic Applications (ASI01-ASI10), exposed
    through aegisclaw compliance assess, MCP tools, and dashboard APIs.

  • Compliance report export: generates JSON reports combining OWASP ASI
    coverage, audit summaries, policy summaries, and audit chain verification via
    aegisclaw compliance report.

  • Data lineage tracking (internal/lineage): records and queries provenance
    metadata for skill inputs, outputs, secrets, external API calls, and file
    activity through MCP and dashboard APIs.

  • OpenTelemetry GenAI semantic convention constants (internal/telemetry):
    adds shared gen_ai.* and aegisclaw.* keys for future agent execution spans
    and metrics.

  • OpenClaw phishing case study in
    aegisclaw-threat-cases.md: maps the 2026
    Varonis Threat Labs social-engineered exfiltration test to AegisClaw controls
    and documents where action-layer gates hold beyond prompt-only defenses.

  • Agent Control Plane dashboard view (GET /api/harness): reports the four
    enforcement planes (tools, model, network, host) with activity derived from the
    audit and MCP logs (harness.SummarizeAudit), plus the registered adapters and
    their declared risk surface. The web dashboard renders this as an "Agent
    Control Plane" panel. A single source of truth for the built-in adapters now
    lives in internal/harness/adapters (used by both the CLI and the server).

Notes

  • Secret values resolved for an agent are injected only into the process
    environment for its lifetime; they are never written to disk or the audit log.
  • Egress is forced through the proxy; default-deny tightening of an empty
    allowlist is tracked with the dedicated egress plane (see roadmap).

0.9.0

Choose a tag to compare

@mackeh mackeh released this 20 May 12:46
f8ecc9c
Merge pull request #2: v0.9.0 — Guardrails 2.0 & evolving-threat hard…

v0.8.0

Choose a tag to compare

@mackeh mackeh released this 25 Mar 19:23

What's Changed

Removed

  • internal/notifications/ — Unused notification dispatcher, webhook notifier, and Slack notifier (never integrated into runtime)
  • internal/profiling/ — Unused behaviour profiling package (never wired into agent execution)
  • eBPF global singletonSetGlobal() / GetGlobal() and module-level state in internal/ebpf/monitor.go (never called)
  • NotificationConfig — Dead notification config type and field from internal/config/
  • AegisClaw_PROJECT_updated.md — Stale planning doc superseded by README and roadmap
  • MCP io import hack — Removed var _ io.Reader and unused import

Fixed

  • MCP server version — Corrected hardcoded version from 0.5.1 to 0.8.0

Changed

  • Version bump 0.7.10.8.0 across CLI, MCP server, and VS Code extension
  • Updated SECURITY.md supported versions (now 0.7.x and 0.8.x)
  • Updated Go prerequisite from 1.22+ to 1.24+ in CONTRIBUTING.md and GEMINI.md
  • Updated CLAUDE.md — removed references to deleted packages
  • Added v0.8.0 milestone to README roadmap
  • Updated roadmap dates and versioning
  • Added CHANGELOG.md

Net change: -1,181 lines deleted, +138 lines added (17 files changed)

Full Changelog: v0.7.3...v0.8.0

v0.7.3

Choose a tag to compare

@github-actions github-actions released this 13 Feb 18:12

Changelog

  • 91a117d fix: prevent eBPF release build failures on linux arm64

v0.7.1

Choose a tag to compare

@mackeh mackeh released this 13 Feb 17:10

Full Changelog: v0.7.0...v0.7.1

v0.6.0

Choose a tag to compare

@github-actions github-actions released this 12 Feb 20:01

Changelog

  • fdd2e09 feat: expand eBPF probes to include file and network tracing
  • 5dcb5d5 feat: implement eBPF foundation and initial syscall tracing
  • 1596f4c fix: resolve cross-platform build issues in doctor package and bump version to 0.6.0

v0.4.0

Choose a tag to compare

@mackeh mackeh released this 11 Feb 18:34

Full Changelog: v0.3.1...v0.4.0

v0.3.1

Choose a tag to compare

@mackeh mackeh released this 10 Feb 19:27

Full Changelog: v0.1.10...v0.3.1

v0.3.0

Choose a tag to compare

@mackeh mackeh released this 10 Feb 18:43

Full Changelog: v0.2.0...v0.3.0

v0.1.10

Choose a tag to compare

@github-actions github-actions released this 10 Feb 19:25

Changelog

  • 803a638 feat: v0.1.10 - Minimalist Security Dashboard & Enhanced GUI