Security
- Env var poisoning defense: 46 dangerous environment variables (LD_PRELOAD, PATH, NODE_OPTIONS, etc.)
detected across 4 OSes via shell parser + PowerShell AST integration (#121, #122) - Config redirect scanner: Detects malicious API endpoint overrides in .env files (CVE-2026-21852 defense)
(#126) - Git config protection: Blocks writes to ~/.gitconfig, ~/.config/git/config, /etc/gitconfig — prevents
fsmonitor/filter driver code execution (#130) - Exfil-redirect detection upgraded to AST: Replaces regex with parsed shell AST — checks redirect output
path overlap with exfil command args (#133, #134) - Shell interpreter hardened: Guards against 3 upstream mvdan/sh panics (shopt -p/-q, nameref array append,
pattern.go glob crash), with defer/recover as defense-in-depth (#134, #135) - CVE tracker expanded to 50 entries: 2 CVEs upgraded to full defense via Executor interface (#128)
Features
- In-memory EvalLog: Wire reload re-evaluation in libcrust — rules changes take effect immediately without
restart (#131, #132) - Executor interface: Plugin system gains process-level enforcement capability (#128)
- Unified protect lifecycle: All protection mechanisms (HTTP proxy, MCP wrapping, hooks) managed through
single registry — PatchAll/RestoreAll ensures complete cleanup on every exit path including SIGKILL recovery
(#127, #137)
Bug Fixes
- CJK false positives eliminated: Fullwidth punctuation (:), digits (2), and confusable characters no
longer blocked in filenames. NFKC normalization in command DB lookup provides same protection without
blocking (#136) - Hook cleanup on crash: Claude Code hooks in ~/.claude/settings.json are now removed even after
SIGKILL/crash via stopCleanup → registry.RestoreAll() (#137) - Bare fd number false positives: >0, >1 in shell redirects no longer treated as file paths (#134)
- PowerShell env var detection: Set-Item/New-Item env var assignments and backtick escapes now detected
(#125) - Layer 0 DLP hardened: SSH key protection, smart exfiltration detection (#107, #130)
Refactoring
- hookutil package: Shared hook management (Install/Uninstall/FormatResponse/IsInstalled) used by both CLI
daemon and GUI app (#137) - Shared protect lifecycle: internal/protect package with unified Start/Stop for daemon and libcrust (#127)
- Layer 0 history scanning removed: Replaced with reload re-evaluation (#131)
Dependencies
- mvdan.cc/sh/v3 updated to v3.13.1-0.20260322 (redirect panics fixed upstream)
- github.com/zalando/go-keyring 0.2.6 → 0.2.7
- github.com/klauspost/compress 1.18.4 → 1.18.5