What's new in v0.1.3
Claude Code hook integration
aegis install-hooks wires AEGIS directly into Claude Code as a blocking pre-tool hook on every Bash command, and a warning post-tool hook on web fetches, Bash results, and MCP responses.
aegis install-hooks
Approval bypass
When AEGIS blocks a command, it prints the exact command to approve it once:
AEGIS blocked this command (T1: sensitive-path).
To approve this exact command once, run:
aegis approve '<cmd>'
aegis approve is one-time and hash-based — consumed on first use, blocks again afterward. aegis revoke cancels a pending approval.
Detection improvements
- Sliding-window scan — 4096-byte window, 512-byte stride. Full document coverage. Middle-buried payloads can no longer hide past the first window.
- Credential taint — co-occurrence of a credential source with a network sink triggers CRED_TAINT, even without explicit injection keywords.
- WARN tier — L1 fired but judge cleared → surfaces as a warning instead of quarantine.
- Judge head+tail window — judge sees both head and tail of large documents to defeat truncation-based burial attacks.
- Better judge parsing — first-word + negation exclusion prevents ambiguous LLM responses from triggering false positives.
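The sliding-window scan from the list above, as an added Python illustration (not AEGIS's own code): only the 4096-byte window and 512-byte stride come from these notes, while the rule pattern, function names and sample document are constructed assumptions. It compares a first-window-only scan with the windowed scan on a document whose marker sits in the middle.

```python
import re

WINDOW = 4096  # bytes per window (from the release notes)
STRIDE = 512   # bytes between window starts (from the release notes)

# Hypothetical rule for illustration; AEGIS's real rules are not on the page.
RULE = re.compile(rb"ignore (all )?previous instructions", re.IGNORECASE)


def windows(data, window=WINDOW, stride=STRIDE):
    """Yield (offset, chunk) pairs that together cover every byte of data."""
    if len(data) <= window:
        yield 0, data
        return
    offset = 0
    while offset + window < len(data):
        yield offset, data[offset:offset + window]
        offset += stride
    # Align the last window to the end so the tail is never skipped.
    yield len(data) - window, data[-window:]


def head_only_scan(data):
    """Baseline: inspect only the first window of the document."""
    return [m.start() for m in RULE.finditer(data[:WINDOW])]


def sliding_scan(data):
    """Scan every window; return sorted, de-duplicated absolute hit offsets."""
    hits = set()
    for offset, chunk in windows(data):
        hits.update(offset + m.start() for m in RULE.finditer(chunk))
    return sorted(hits)


# Constructed sample: benign filler with one marker buried mid-document.
FILLER = b"Quarterly report text. " * 400          # 9200 bytes
MARKER = b"Ignore previous instructions"
DOC = FILLER + MARKER + FILLER

if __name__ == "__main__":
    print("head-only hits:", head_only_scan(DOC))   # misses the marker
    print("sliding hits:  ", sliding_scan(DOC))     # finds it at offset 9200
```

In this sketch consecutive windows overlap by 3584 bytes, so any match of up to 3585 bytes lies wholly inside at least one window and a marker straddling a window boundary is still caught.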
Eval
Measured on a held-out corpus (30 labeled files, never used during tuning):
| Recall | Precision | F1 |
|---|---|---|
| 90% | 95% | 92% |
Binary
aegis-macos-arm64 — macOS Apple Silicon