Releases: mackeh/AegisClaw
Release list
v0.10.0
This release reframes AegisClaw from a skill executor into an inline control
plane that governs a whole running agent (OpenClaw, Hermes, or any other),
brokering all four of its action paths — tools, model, network, and host —
behind one default-deny policy and one tamper-evident audit chain. See
aegisclaw-harness-architecture.md.
Added
-
Agent harness control plane (
internal/harness/): wraps a whole running
agent (OpenClaw, Hermes, or any other) in the AegisClaw envelope, not just
skills AegisClaw launches itself. Introduces the pluggableAgentAdapter
interface +Registry, aSupervisorthat forces a filtering egress proxy
and scoped, ephemeral secret injection onto the agent and records the full
lifecycle to the hash-chained audit log, and aLauncherseam. Design doc:
aegisclaw-harness-architecture.md. -
aegisclaw harness run/harness list: launch an agent in the envelope.
By default the agent runs as a host subprocess pointed at the egress proxy via
HTTP(S)_PROXY;--imageruns it inside a hardened sandbox container
(read-only rootfs, all caps dropped, no-new-privileges, resource limits), with
--runtime gvisorfor stronger isolation. -
genericagent adapter (internal/harness/adapters/generic): runs any
agent that honours standard proxy/endpoint environment variables — the harness
is not limited to OpenClaw and Hermes. -
First-class OpenClaw and Hermes adapters (
internal/harness/adapters/ {openclaw,hermes}): each declares its scoped secrets, a default egress
allowlist for its endpoints (merged into the proxy allowlist by the
supervisor), and its ingress surface. OpenClaw declares its messaging channels
as ingress and reuses the existinginternal/openclawhealth probe; Hermes
declares its self-generated-skills directory and implements a new optional
SandboxRequirerinterface so the supervisor warns when this code-executing
agent is launched on the host instead of inside the sandbox. Adapters also
contribute a default egress allowlist via the newAgentAdapter. DefaultEgressDomainsmethod. -
Detached sandbox execution (
sandbox.DockerExecutor.Start+Process):
long-lived containers with live log streaming and ctx-driven termination,
reusing the existing hardened container configuration (refactored into a shared
hardenedConfigshelper). Backsinternal/harness/sandboxlauncher. -
MCP gateway (
mcp.Gateway+mcp.StdioDownstream): an inline Model
Context Protocol proxy between an agent and a real downstream MCP server. Every
tools/callis checked through a pipeline — rate limit → scope→policy
decision → persistent approval → argument guardrail scan → forward → response
guardrail scan → hash-chained audit (audit/mcp.log) — before it can reach the
downstream. Reusespolicy,guardrails,scope, and the existing rate
limiter. CLI:aegisclaw gateway mcp -- <server cmd…>. -
MCP tool-description pinning (
mcp.PinStore):tools/listhash-pins each
tool's name, description, and input schema (trust-on-first-use). A tool whose
fingerprint changes after first approval is quarantined and its calls blocked
until an operator re-approves it viaaegisclaw gateway pins reset— a defense
against tool-poisoning / rug-pull attacks. -
LLM proxy (
internal/llmproxy): an OpenAI/Anthropic-compatible reverse
proxy between an agent and its model provider. Scans prompts and responses with
the guardrails engine, scrubs known secrets from responses, enforces
per-session token / cost / request budgets, detects runaway self-prompting
loops (the same request repeated in a short window), and records every call
(model, token counts, cost, decision) to the audit log. Standalone via
aegisclaw gateway llm --upstream …, and wired into the harness model plane
viaaegisclaw harness run --llm-upstream …(which points the agent's
OPENAI_BASE_URL/ANTHROPIC_BASE_URLat the proxy). Closes the agentic-loop
& cost-guard roadmap item. -
Egress proxy response scanning (
internal/proxy): the proxy now scans the
bodies of plaintext HTTP responses the agent fetches for indirect prompt
injection (guardrails.CheckData) before relaying them — in "block" mode a
poisoned page is replaced with a 502 so it never reaches the agent; in "warn"
mode it is audited and passed through. Gated byGuard/GuardMode(wired from
guardrails.modeby the harness). Text-like responses only; HTTPSCONNECT
tunnels stay opaque (the MCP gateway and LLM proxy cover those planes). -
Egress proxy SSRF protection + outbound DLP (
internal/proxy): the proxy
now blocks destinations resolving to loopback, private, link-local, and
cloud instance-metadata addresses (169.254.169.254,100.100.100.200,
...), validated at dial time (safeDial) to defeat DNS rebinding. It also
blocks plaintext outbound requests carrying known secret values; the harness
supervisor feeds the agent's own injected secrets to this DLP. SSRF protection
is on by default;network.allow_private_egressopts out, and metadata
endpoints stay blocked regardless. -
OWASP ASI compliance assessment (
internal/compliance): maps AegisClaw
controls to the OWASP Top 10 for Agentic Applications (ASI01-ASI10), exposed
throughaegisclaw compliance assess, MCP tools, and dashboard APIs. -
Compliance report export: generates JSON reports combining OWASP ASI
coverage, audit summaries, policy summaries, and audit chain verification via
aegisclaw compliance report. -
Data lineage tracking (
internal/lineage): records and queries provenance
metadata for skill inputs, outputs, secrets, external API calls, and file
activity through MCP and dashboard APIs. -
OpenTelemetry GenAI semantic convention constants (
internal/telemetry):
adds sharedgen_ai.*andaegisclaw.*keys for future agent execution spans
and metrics. -
OpenClaw phishing case study in
aegisclaw-threat-cases.md: maps the 2026
Varonis Threat Labs social-engineered exfiltration test to AegisClaw controls
and documents where action-layer gates hold beyond prompt-only defenses. -
Agent Control Plane dashboard view (
GET /api/harness): reports the four
enforcement planes (tools, model, network, host) with activity derived from the
audit and MCP logs (harness.SummarizeAudit), plus the registered adapters and
their declared risk surface. The web dashboard renders this as an "Agent
Control Plane" panel. A single source of truth for the built-in adapters now
lives ininternal/harness/adapters(used by both the CLI and the server).
Notes
- Secret values resolved for an agent are injected only into the process
environment for its lifetime; they are never written to disk or the audit log. - Egress is forced through the proxy; default-deny tightening of an empty
allowlist is tracked with the dedicated egress plane (see roadmap).
0.9.0
v0.8.0
What's Changed
Removed
internal/notifications/— Unused notification dispatcher, webhook notifier, and Slack notifier (never integrated into runtime)internal/profiling/— Unused behaviour profiling package (never wired into agent execution)- eBPF global singleton —
SetGlobal()/GetGlobal()and module-level state ininternal/ebpf/monitor.go(never called) NotificationConfig— Dead notification config type and field frominternal/config/AegisClaw_PROJECT_updated.md— Stale planning doc superseded by README and roadmap- MCP
ioimport hack — Removedvar _ io.Readerand unused import
Fixed
- MCP server version — Corrected hardcoded version from
0.5.1to0.8.0
Changed
- Version bump
0.7.1→0.8.0across CLI, MCP server, and VS Code extension - Updated SECURITY.md supported versions (now 0.7.x and 0.8.x)
- Updated Go prerequisite from 1.22+ to 1.24+ in CONTRIBUTING.md and GEMINI.md
- Updated CLAUDE.md — removed references to deleted packages
- Added v0.8.0 milestone to README roadmap
- Updated roadmap dates and versioning
- Added CHANGELOG.md
Net change: -1,181 lines deleted, +138 lines added (17 files changed)
Full Changelog: v0.7.3...v0.8.0
v0.7.3
Changelog
- 91a117d fix: prevent eBPF release build failures on linux arm64
v0.7.1
v0.6.0
v0.4.0
v0.3.1
v0.3.0
v0.1.10
Changelog
- 803a638 feat: v0.1.10 - Minimalist Security Dashboard & Enhanced GUI