Skip to content

v4.4.0

Latest

Choose a tag to compare

@cyyever cyyever released this 24 Mar 01:26
8b92c7c

Security

  • Env var poisoning defense: 46 dangerous environment variables (LD_PRELOAD, PATH, NODE_OPTIONS, etc.)
    detected across 4 OSes via shell parser + PowerShell AST integration (#121, #122)
  • Config redirect scanner: Detects malicious API endpoint overrides in .env files (CVE-2026-21852 defense)
    (#126)
  • Git config protection: Blocks writes to ~/.gitconfig, ~/.config/git/config, /etc/gitconfig — prevents
    fsmonitor/filter driver code execution (#130)
  • Exfil-redirect detection upgraded to AST: Replaces regex with parsed shell AST — checks redirect output
    path overlap with exfil command args (#133, #134)
  • Shell interpreter hardened: Guards against 3 upstream mvdan/sh panics (shopt -p/-q, nameref array append,
    pattern.go glob crash), with defer/recover as defense-in-depth (#134, #135)
  • CVE tracker expanded to 50 entries: 2 CVEs upgraded to full defense via Executor interface (#128)

Features

  • In-memory EvalLog: Wire reload re-evaluation in libcrust — rules changes take effect immediately without
    restart (#131, #132)
  • Executor interface: Plugin system gains process-level enforcement capability (#128)
  • Unified protect lifecycle: All protection mechanisms (HTTP proxy, MCP wrapping, hooks) managed through
    single registry — PatchAll/RestoreAll ensures complete cleanup on every exit path including SIGKILL recovery
    (#127, #137)

Bug Fixes

  • CJK false positives eliminated: Fullwidth punctuation (:), digits (2), and confusable characters no
    longer blocked in filenames. NFKC normalization in command DB lookup provides same protection without
    blocking (#136)
  • Hook cleanup on crash: Claude Code hooks in ~/.claude/settings.json are now removed even after
    SIGKILL/crash via stopCleanup → registry.RestoreAll() (#137)
  • Bare fd number false positives: >0, >1 in shell redirects no longer treated as file paths (#134)
  • PowerShell env var detection: Set-Item/New-Item env var assignments and backtick escapes now detected
    (#125)
  • Layer 0 DLP hardened: SSH key protection, smart exfiltration detection (#107, #130)

Refactoring

  • hookutil package: Shared hook management (Install/Uninstall/FormatResponse/IsInstalled) used by both CLI
    daemon and GUI app (#137)
  • Shared protect lifecycle: internal/protect package with unified Start/Stop for daemon and libcrust (#127)
  • Layer 0 history scanning removed: Replaced with reload re-evaluation (#131)

Dependencies

  • mvdan.cc/sh/v3 updated to v3.13.1-0.20260322 (redirect panics fixed upstream)
  • github.com/zalando/go-keyring 0.2.6 → 0.2.7
  • github.com/klauspost/compress 1.18.4 → 1.18.5