grith.aidocs

Changelog

What changed in each grith release.

The changelog is also available as an RSS feed — subscribe to be notified of new releases and security advisories.

Unreleased

Filters & scoring

  • New filter: destructive action coverage (Phase 2, the 18th filter). Hard-denies catastrophic, irreversible host/storage destruction (filesystem format, raw block-device overwrite, recursive removal of a system root or database data directory) and escalates destructive operations directed at production (managed-DB endpoints, prod/live-tagged resources) from review to deny. Also freezes docker/podman run host-escalation (writable -v /etc:…:rw mounts, the docker socket, --privileged, --pid=host).
  • Fixed thresholds — cold-start widening removed. Every call is now scored against the same thresholds (< 3.0 allow, > 8.0 deny); the first call in a session is filtered identically to the thousandth.
  • Fewer false positives. Secret scanning no longer flags provably-benign shapes (git SHAs, lockfile integrity hashes, JWTs, UUIDs, _test_ placeholder keys) and down-weights its generic heuristics when reading node_modules / minified bundles; the egress filter no longer treats s3:// / gs:// bucket URIs as unknown network destinations; the taint filter no longer flags an outbound tool (git push, aws s3 ls, npm publish) that merely uses its own credential. Real secrets and genuine exfil still fire (each carve-out is paired with a guard).

Security

  • IPC-delegated authority disclosed and partially mitigated. Enforcement is scoped to the supervised process tree, so actions delegated to a more-privileged peer (the docker daemon, a tmux pane, ssh-agent, the session D-Bus bus, X11) run outside it. Container host-escalation is now scored; connects to control-injection sockets and spawns of authority-delegating binaries are detected (audit-only). See the threat model.

v0.1.4 — 2026-06

Dashboard

  • Local authentication & CSRF hardening. The dashboard binds loopback-only and is now also gated by a per-server token, even on 127.0.0.1. Browser- facing mutations and sensitive reads require it; low-sensitivity status stays open. WebSocket streams are origin-checked and token-gated. See Browser authorisation and Trust boundaries.
  • Frictionless browser pairing. grith dashboard start (and grith run / grith exec) auto-open the dashboard pre-authorised; the token is never printed. Headless/SSH sessions get a single-use pairing link, and grith dashboard pair mints a fresh one on demand. Toggle with server.auto_open_dashboard.
  • Redesigned home — a security-posture hero (calls inspected, allow/review/ deny split, live agents, filters), sessions led by the project name the agent is supervising, a filter-pipeline view, and a Share stats button that exports a branded PNG (aggregate counts only — safe to post).
  • grith dashboard start now runs in the background by default and persists until grith dashboard stop (no more foreground log spam).

Supervisor

  • Ctrl+T select mode in the grith exec TUI — drop mouse capture and freeze the screen to drag-select and copy text, then resume scrolling. See PTY forwarding.
  • Fewer false-positive prompts. Source files whose names merely contain a credential word (AccessToken.php, Tokenizer.ts, OAuth2Client.java) are no longer treated as sensitive — reading a vendored OAuth/SDK library no longer floods the digest. Real secret files (.env, keys, credential dirs) are unaffected.

v0.1.0 — 2026-05 (launch)

The initial public release.

Features

  • 18 filters across 3 phases (static, pattern, context) — see Filter overview.
  • Supervisor profiles for 11 common AI agents — Claude Code, Codex, Aider, Goose, Cursor, Cline, OpenClaw, Copilot, generic-cli, grith-repl, generic.
  • Quarantine digest with CLI review and dashboard review.
  • Adaptive reputation with per-shape trust accumulation.
  • Canary tokens in 7 formats (AWS, GitHub, Slack, SSH, JWT, hex, custom).
  • Daemon with REST API + WebSocket for dashboard and IPC for thin clients.
  • 10+ notification channels — Slack, Discord, Telegram, Teams, email, webhook, PagerDuty, Opsgenie, WhatsApp, desktop, WebSocket.
  • Audit log in SQLite with export to JSON/CSV.
  • Pro tier — team sync, encrypted key sync, centralised policies, analytics, escalation, allow-always.
  • Enterprise tier — SIEM integration, compliance reporting, custom filters, multi-team scope. SSO/RBAC/air-gapped on the v2.0 plan.

Platform support

  • Linux x86_64 with ptrace + seccomp-bpf.
  • macOS, Windows, aarch64: planned v2.0.

Known limitations

  • Filter 17 (semantic analysis) is a stub. Full implementation planned v1.5.
  • Profile drift detection is in the v0.1.x plan.
  • Air-gapped Enterprise deployment is in the v2.0 plan.

Older

There are no public versions prior to v0.1. Beta and internal versions used by the early development team are not listed.


Subscribe

See also

Last updated: 2026-05-14Edit this page on GitHub →
© 2026 grith. All rights reserved.