Aegis 0.1.3

@verrysimatupang99 verrysimatupang99 released this 23 May 20:00
· 1 commit to main since this release

A precision release. Scanning a Grafana checkout under
~/Documents/Coding/maxlabs-terminal/maxsignal_v2 produced 71 obfuscation
findings on minified Monaco editor bundles and 2 critical secrets findings
on HTML/TSX templates that contained the literal -----BEGIN ... PRIVATE KEY----- label without any actual PEM body. Both were false positives.
This release fixes them and adds regression tests so they cannot resurface.

Fixed

  • secrets/private_key_block now requires a real PEM body — at least
    100 base64 characters between matching BEGIN and END markers. Label-only
    content (placeholders, docs, configuration UI strings) no longer
    triggers the rule.
  • obfuscation/obfuscated_loader skips minified vendor bundles. Files
    whose name contains .min. or ends in .bundle.js, or whose path
    components include min, vendor, monaco, or monaco-editor, are no
    longer scanned. Minified Monaco JS is build output, not a packer.
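
A sketch of the two checks described above, as an added example that is not Aegis's own code. The function names, the regular expressions, the line-based way of counting base64 characters and the exclusion of the file name from the component check are assumptions; only the 100-character threshold and the skip patterns come from the notes.

```python
import re
from pathlib import PurePosixPath

MIN_BODY_CHARS = 100  # threshold stated in the release notes
# \1 forces the END label to match the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.DOTALL)
B64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
SKIP_PARTS = {"min", "vendor", "monaco", "monaco-editor"}


def has_private_key_body(text: str) -> bool:
    """True only if a matched BEGIN/END pair encloses >= 100 base64 chars."""
    for block in PEM_BLOCK.finditer(text):
        lines = (ln.strip() for ln in block.group(2).splitlines())
        # Assumption: only lines made purely of base64 count toward the body,
        # so markup or prose between two labels does not satisfy the rule.
        if sum(len(ln) for ln in lines if B64_LINE.fullmatch(ln)) >= MIN_BODY_CHARS:
            return True
    return False


def is_minified_vendor_path(path: str) -> bool:
    """True for paths the obfuscation rule is described as skipping."""
    p = PurePosixPath(path)
    if ".min." in p.name or p.name.endswith(".bundle.js"):
        return True
    # Assumption: whole directory components only, so "admin" is not "min".
    return any(part in SKIP_PARTS for part in p.parts[:-1])


# Constructed samples: the "key" body is repeated filler, not key material.
LABEL_ONLY = '<input placeholder="-----BEGIN RSA PRIVATE KEY-----">'
FAKE_BODY = "\n".join(["QUJD" * 16] * 3)  # 3 lines x 64 chars = 192
WITH_BODY = (f"-----BEGIN RSA PRIVATE KEY-----\n{FAKE_BODY}\n"
             "-----END RSA PRIVATE KEY-----")

if __name__ == "__main__":
    print(has_private_key_body(LABEL_ONLY), has_private_key_body(WITH_BODY))
    for sample in ("public/lib/monaco/editor.js", "dist/app.min.js",
                   "src/admin/loader.js"):
        print(sample, is_minified_vendor_path(sample))
```
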

Tests

  • tests/test_v013_fp_regressions.py (4 tests):
    • Label-only PEM no longer fires.
    • Real PEM body still fires (positive case).
    • Minified bundles are skipped.
    • Real packer-style JS is still detected.

Verified

Install

Same one-liner. No client config changes:

{
  "mcpServers": {
    "aegis": {
      "command": "uvx",
      "args": ["--from", "aegis-sec", "aegis-mcp"]
    }
  }
}