Releases: mthamil107/Recuse

Recuse v0.1.1 — Debian package + Kubernetes adapter

05 Jun 09:05
c2cd627

Adds a Debian/apt package for the SSH adapter and a Kubernetes adapter, on top of the v0.1.0 SSH + PostgreSQL signal.

Install on Ubuntu

One line (SSH signal — set your policy URL):

curl -fsSL https://raw.githubusercontent.com/mthamil107/Recuse/v0.1.1/adapters/ssh/bootstrap.sh \
  | sudo bash -s -- --ref=https://yourco/ai-policy

Or the .deb (attached below, CI-built + smoke-tested):

sudo apt install ./recuse-ssh_0.1.1-1_all.deb

Kubernetes (new)

A ValidatingAdmissionWebhook that emits the RECUSE/0.1 signal on governed create/update/delete/exec/port-forward by non-exempt identities — default warn (non-blocking; the agent recuses), deny optional. Works on EKS, k3s, kubeadm. Cannot wedge a cluster: failurePolicy: Ignore (fail-open), system namespaces excluded, system/own identities exempt, kill-switch documented. Image: ghcr.io/mthamil107/recuse-webhook:v0.1.1. See adapters/kubernetes/. (Admission webhooks don't see reads; that's documented.)
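The fail-open properties described above, written out as a ValidatingWebhookConfiguration. This is an added example, not the project's manifest (that lives under adapters/kubernetes/); the object names, service, path, timeout, namespace list and choice of governed resources are assumptions.

```yaml
# Added example. Names, namespace, service, path and timeout are hypothetical,
# and the resource list is an assumed choice of "governed" resources.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: recuse-webhook-example            # hypothetical
webhooks:
  - name: recuse.example.invalid          # hypothetical
    admissionReviewVersions: ["v1"]
    sideEffects: None
    # Fail-open: if the webhook is down or times out, the API server
    # admits the request instead of rejecting it.
    failurePolicy: Ignore
    timeoutSeconds: 2                     # assumed; bounds the latency added per request
    clientConfig:
      service:
        name: recuse-webhook              # hypothetical
        namespace: recuse-system          # hypothetical
        path: /validate                   # hypothetical
      caBundle: "<base64 CA bundle>"      # placeholder
    # System namespaces (and the webhook's own) are never sent to the webhook.
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system", "kube-public", "kube-node-lease", "recuse-system"]
    rules:
      - apiGroups: ["*"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE", "DELETE"]
        resources: ["pods", "deployments", "secrets", "configmaps"]   # assumed
        scope: Namespaced
      # exec and port-forward reach admission as CONNECT on pod subresources.
      # get/list/watch have no admission operation, so reads cannot be matched.
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CONNECT"]
        resources: ["pods/exec", "pods/portforward"]
        scope: Namespaced
```

Identity exemptions are not shown; they are assumed to be applied by the webhook when it evaluates the request's user info.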

Assets

  • recuse-ssh_0.1.1-1_all.deb — Debian package (attached by CI on this tag).
  • recuse-pg-proxy-linux-amd64 + SHA256SUMS — prebuilt PostgreSQL proxy (static ELF).

Cooperative governance signal, not a security control (spec §9).

Recuse v0.1.0 — cooperative AI-access governance

05 Jun 08:15
4953bf1

Recuse is a published standard plus tools for cooperative AI-access governance: a server emits an in-band RECUSE/0.1 deny signal asking automated/LLM agents to voluntarily withdraw (recuse themselves). It is a cooperative governance control — not a security boundary (see spec §9).

Install the SSH adapter on Ubuntu (one line)

curl -fsSL https://raw.githubusercontent.com/mthamil107/Recuse/v0.1.0/adapters/ssh/bootstrap.sh \
  | sudo bash -s -- --ref=https://yourco/ai-policy

Signal + JSON audit log only by default — it never blocks a login, is idempotent and sshd -t-gated, and uninstalls with sudo recuse-uninstall. Optional delay-only throttle (--throttle, hard-capped at 10s, IP-allowlisted, never denies).

What's included

  • The Recuse Signal spec (v0.1) — the standard.
  • SSH adapter — pre-auth banner + PAM hook + config (/etc/recuse/recuse.conf) + one-line installer.
  • PostgreSQL adapter — a pgproto3 proxy that injects the deny NOTICE with zero DB-config change. Prebuilt linux/amd64 binary attached below (no Go needed).
  • Agent-recusal experiment harness + paper (paper/recuse-paper.pdf).

Validated

SSH and Postgres adapters validated live on Ubuntu 22.04 / PostgreSQL 14. Pilot study: GPT-4o, GPT-4o-mini, and Claude Code all recuse on the deny signal (100% with the signal vs 100% task completion without it).

Assets

  • recuse-pg-proxy-linux-amd64 — prebuilt PostgreSQL proxy (static ELF).
  • SHA256SUMS — checksum for the binary.