v0.1.3 — Claude Code integration

What's new in v0.1.3

Claude Code hook integration

aegis install-hooks wires AEGIS directly into Claude Code as a blocking pre-tool hook on every Bash command, and a warning post-tool hook on web fetches, Bash results, and MCP responses.

aegis install-hooks

Approval bypass

When AEGIS blocks a command, it prints the exact command to approve it once:

AEGIS blocked this command (T1: sensitive-path).
To approve this exact command once, run:
  aegis approve '<cmd>'

aegis approve is one-time and hash-based — consumed on first use, blocks again afterward. aegis revoke cancels a pending approval.

Detection improvements

• Sliding-window scan — 4096-byte window, 512-byte stride. Full document coverage. Middle-buried payloads can no longer hide past the first window.
• Credential taint — co-occurrence of a credential source with a network sink triggers CRED_TAINT, even without explicit injection keywords.
• WARN tier — L1 fired but judge cleared → surfaces as a warning instead of quarantine.
• Judge head+tail window — judge sees both head and tail of large documents to defeat truncation-based burial attacks.
• Better judge parsing — first-word + negation exclusion prevents ambiguous LLM responses from triggering false positives.

Eval

Measured on held-out corpus (30 labeled files, never used during tuning):

Recall	Precision	F1
90%	95%	92%

Binary

• aegis-macos-arm64 — macOS Apple Silicon

AEGIS v0.1.2

Adds an animated demo to the README and fixes a daemon false-positive found during a live attack test.

• Fix: the watcher read inbox files on creation — sometimes mid-write — and Blocked valid messages as "invalid JSON" (a false positive on benign traffic). Now waits for the write to settle before reading, and ignores its own staging files.
• Demo: see the README for an animation of AEGIS catching an infrastructure-impersonation attack live.
• Detection (held-out) unchanged: 82% recall / 95% precision / 4% FP.

brew install pilot-protocol/tap/aegis

AEGIS v0.1.1

Cross-platform, configurable, and quieter-but-not-silent.

New

• Runs on any platform. The watch daemon now works on Linux/*BSD/Windows/Pi via a portable polling watcher (macOS keeps a kqueue fast-path). One-shot scan already ran everywhere.
• Desktop notifications on quarantine (macOS / Linux) — the background daemon is no longer silent.
• Configurable via ~/.aegis/config.toml: toggle the judge (L1-only = super-lightweight, any host), pin a model, control watch targets. New: aegis init, aegis config, aegis version, --help.
• Layer naming fixed: the judge is L2 (the old DeBERTa L2 was removed earlier) — no more L1→L3 gap.
• CI: cross-platform release binaries build on tag.

Detection (unchanged, held-out)

82% recall · 95% precision · 4% FP · 0 FP on 80 benign dev/agent files.

Install

brew install pilot-protocol/tap/aegis → aegis install-models → aegis init → aegis daemon.
macOS arm64 binary attached; Linux + Intel builds added by CI. Binary ~831 KB.

AEGIS v0.1.0

First public release. A small local binary that guards an AI coding agent from the untrusted content it reads — prompt injection, jailbreaks, and infrastructure-impersonation (content that doesn't look like an attack but pushes the agent to act without the user).

How it works

• L1 — Aho-Corasick patterns (pure Rust, microseconds, runs anywhere incl. a Pi): known injection/IoC strings + base64/hex/rot13/homoglyph/zero-width decode passes.
• L3 — local Qwen3-1.7B judge (two passes via llama.cpp, fully offline): "is this attacking the agent?" OR "is it pushing the agent to act without the user?". A safe verdict vetoes L1's keyword hits, so a security doc that quotes an injection isn't flagged.
• Degrades gracefully to L1-only where the model can't run.

Held-out evaluation (190 files never used for tuning)

Recall	Precision	FP-rate	F1
82.1%	95.1%	4.2%	88.1%

0 false positives on 80 real benign dev + agent-surface files (code with subprocess/eval, command-heavy skills, MCP configs, security docs). Reproduce with tests/held_out_eval/.

Install

macOS arm64: download aegis-macos-arm64 below, chmod +x, move to /usr/local/bin/aegis. Then brew install llama.cpp && aegis install-models. Full steps + build-from-source in the README.

Footprint

Binary 848 KB · judge model ~1.8 GB · ~2.2 GB RAM when the judge runs · nothing leaves the machine.