Changelog
What changed in each grith release.
The changelog is also available as an RSS feed — subscribe to be notified of new releases and security advisories.
Unreleased
Filters & scoring
- New filter: destructive action coverage
(Phase 2, the 18th filter). Hard-denies catastrophic, irreversible host/storage
destruction (filesystem format, raw block-device overwrite, recursive removal
of a system root or database data directory) and escalates destructive
operations directed at production (managed-DB endpoints,
prod/live-tagged resources) from review to deny. Also freezesdocker/podman runhost-escalation (writable-v /etc:…:rwmounts, the docker socket,--privileged,--pid=host). - Fixed thresholds — cold-start widening removed. Every call is now scored
against the same thresholds (
< 3.0allow,> 8.0deny); the first call in a session is filtered identically to the thousandth. - Fewer false positives. Secret scanning no longer flags provably-benign
shapes (git SHAs, lockfile integrity hashes, JWTs, UUIDs,
_test_placeholder keys) and down-weights its generic heuristics when readingnode_modules/ minified bundles; the egress filter no longer treatss3:///gs://bucket URIs as unknown network destinations; the taint filter no longer flags an outbound tool (git push,aws s3 ls,npm publish) that merely uses its own credential. Real secrets and genuine exfil still fire (each carve-out is paired with a guard).
Security
- IPC-delegated authority disclosed and partially mitigated. Enforcement is
scoped to the supervised process tree, so actions delegated to a
more-privileged peer (the docker daemon, a
tmuxpane, ssh-agent, the session D-Bus bus, X11) run outside it. Container host-escalation is now scored; connects to control-injection sockets and spawns of authority-delegating binaries are detected (audit-only). See the threat model.
v0.1.4 — 2026-06
Dashboard
- Local authentication & CSRF hardening. The dashboard binds loopback-only
and is now also gated by a per-server token, even on
127.0.0.1. Browser- facing mutations and sensitive reads require it; low-sensitivity status stays open. WebSocket streams are origin-checked and token-gated. See Browser authorisation and Trust boundaries. - Frictionless browser pairing.
grith dashboard start(andgrith run/grith exec) auto-open the dashboard pre-authorised; the token is never printed. Headless/SSH sessions get a single-use pairing link, andgrith dashboard pairmints a fresh one on demand. Toggle withserver.auto_open_dashboard. - Redesigned home — a security-posture hero (calls inspected, allow/review/ deny split, live agents, filters), sessions led by the project name the agent is supervising, a filter-pipeline view, and a Share stats button that exports a branded PNG (aggregate counts only — safe to post).
grith dashboard startnow runs in the background by default and persists untilgrith dashboard stop(no more foreground log spam).
Supervisor
Ctrl+Tselect mode in thegrith execTUI — drop mouse capture and freeze the screen to drag-select and copy text, then resume scrolling. See PTY forwarding.- Fewer false-positive prompts. Source files whose names merely contain a
credential word (
AccessToken.php,Tokenizer.ts,OAuth2Client.java) are no longer treated as sensitive — reading a vendored OAuth/SDK library no longer floods the digest. Real secret files (.env, keys, credential dirs) are unaffected.
v0.1.0 — 2026-05 (launch)
The initial public release.
Features
- 18 filters across 3 phases (static, pattern, context) — see Filter overview.
- Supervisor profiles for 11 common AI agents — Claude Code, Codex, Aider, Goose, Cursor, Cline, OpenClaw, Copilot, generic-cli, grith-repl, generic.
- Quarantine digest with CLI review and dashboard review.
- Adaptive reputation with per-shape trust accumulation.
- Canary tokens in 7 formats (AWS, GitHub, Slack, SSH, JWT, hex, custom).
- Daemon with REST API + WebSocket for dashboard and IPC for thin clients.
- 10+ notification channels — Slack, Discord, Telegram, Teams, email, webhook, PagerDuty, Opsgenie, WhatsApp, desktop, WebSocket.
- Audit log in SQLite with export to JSON/CSV.
- Pro tier — team sync, encrypted key sync, centralised policies, analytics, escalation, allow-always.
- Enterprise tier — SIEM integration, compliance reporting, custom filters, multi-team scope. SSO/RBAC/air-gapped on the v2.0 plan.
Platform support
- Linux x86_64 with ptrace + seccomp-bpf.
- macOS, Windows, aarch64: planned v2.0.
Known limitations
- Filter 17 (semantic analysis) is a stub. Full implementation planned v1.5.
- Profile drift detection is in the v0.1.x plan.
- Air-gapped Enterprise deployment is in the v2.0 plan.
Older
There are no public versions prior to v0.1. Beta and internal versions used by the early development team are not listed.
Subscribe
- RSS:
/changelog.xml - GitHub Releases: github.com/grith-ai/grith/releases
- Mailing list: grith.ai/announce
See also
Last updated: 2026-05-14Edit this page on GitHub →