
Releases: prodnull/cloneguard

CloneGuard v0.6.0

09 Apr 20:31

v0.5.0 — CaMeL-lite Enforcement

21 Mar 22:24

Breaking Change

SEQ-001, SEQ-002, and SEQ-005 now block tool calls (exit code 2) instead of logging only. If you have legitimate workflows that read sensitive files and then make network requests, you may need to allowlist them:

# Allowlist a trusted domain for SEQ-001/002
cloneguard sequence-allow SEQ-001 vault.company.com

# Allowlist a specific config path for SEQ-005
cloneguard sequence-allow SEQ-005 .vscode/settings.json

Allowlist stored at ~/.cloneguard/sequence_allowlist.json.

New Features

Enforcement Rules (block)

🔴 SEQ-001 — Sensitive file read → WebFetch to external URL
🔴 SEQ-002 — Sensitive file read → Bash curl/wget to external URL
🔴 SEQ-005 — Agent/IDE config write (.vscode/settings.json, .claude/settings.json, .cursor/mcp.json, .windsurf/settings.json, .gemini/settings.json, mcp*.json) or pkg/git config write (.npmrc, .pypirc, .gitconfig) followed by build command

Advisory Rules (log only)

🟡 SEQ-003 — Same MCP tool called >5x in 10 events
🟡 SEQ-004 — Build file write → build command
🟡 SEQ-006 (new) — Sensitive file read → MCP tool with exfil-capable name (send, post, create, write, push, upload, email, message, comment)

Architecture

  • Typed event markers replace fixed 10-event lookback window for SEQ-001/002/006. Padding with benign events no longer evades detection.
  • Sequence allowlist — domain-level for SEQ-001/002, exact-path SHA-256 for SEQ-005
  • Bash mv/cp bypass closed: mv /tmp/evil.json .vscode/settings.json is now caught by SEQ-005
  • Expanded sensitive file patterns — added 15 cloud/infra credential paths (.aws/, .azure/, .kube/, .docker/config, .netrc, .pgpass, kubeconfig, service_account, private_key, .pem, .key, api_key, auth.json, application_default_credentials)
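As an added illustration (not CloneGuard's own code) of why the typed-marker approach above resists padding, here is a minimal SEQ-001-style check next to a fixed 10-event lookback. The (tool, argument) event shape, the small pattern subset, and the allowlist argument are assumptions for the example.

```python
"""Typed-event-marker check in the spirit of SEQ-001 (sensitive file read
followed by WebFetch to an external URL). Illustrative only; event shape,
patterns and allowlist handling are assumed, not CloneGuard's real API."""
import re
from urllib.parse import urlparse

# Assumed subset of sensitive-path patterns (the real tool ships far more).
SENSITIVE = [re.compile(p) for p in (r"\.aws/", r"\.kube/", r"\.netrc$", r"\.pem$", r"\.env$")]

def is_sensitive(path: str) -> bool:
    return any(p.search(path) for p in SENSITIVE)

def is_external(url: str, allow) -> bool:
    # Domain-level allowlist, as the release notes describe for SEQ-001/002.
    host = urlparse(url).hostname or ""
    return host not in ("localhost", "127.0.0.1") and host not in allow

def check_seq001(events, allow=frozenset()):
    """Return [(event_index, sensitive_path, url)] findings.
    A typed marker remembers the last sensitive read no matter how many
    benign events follow it, so padding cannot push the read out of scope."""
    findings, last_sensitive = [], None
    for i, (tool, arg) in enumerate(events):
        if tool == "Read" and is_sensitive(arg):
            last_sensitive = arg
        elif tool == "WebFetch" and last_sensitive and is_external(arg, allow):
            findings.append((i, last_sensitive, arg))
    return findings

def window_lookback_seq001(events, allow=frozenset(), window=10):
    """Old-style variant for comparison: only inspects the last `window` events."""
    findings = []
    for i, (tool, arg) in enumerate(events):
        if tool == "WebFetch" and is_external(arg, allow):
            for t, a in events[max(0, i - window):i]:
                if t == "Read" and is_sensitive(a):
                    findings.append((i, a, arg))
                    break
    return findings

# Constructed trace: one sensitive read, 12 benign edits as padding, then an external fetch.
PADDED = ([("Read", "/home/u/.aws/credentials")]
          + [("Edit", f"src/f{n}.py") for n in range(12)]
          + [("WebFetch", "https://paste.example/upload")])
```

The marker-based check flags the padded trace while the 10-event window misses it, and allowlisting paste.example silences the finding.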

Research & Validation

This release is grounded in:

  • 22 published papers (STAC, AgentLAB, CaMeL, LlamaFirewall, InjecAgent, AgentDojo, and more)
  • 12 real-world incidents (Invariant GitHub MCP, AgentHopper, DockerDash, CVE-2025-53773, CVE-2025-59536, CVE-2025-54135, and more)
  • 17 detection tools surveyed (only 3 do genuine sequence detection)
  • Cross-examination with Gemini 2.5 Pro

Adversarial Validation

30 adversarial test sequences generated by Gemini 2.5 Pro red team analysis:

  • ✅ 2 bypasses found and fixed (expanded patterns, mv/cp closure)
  • 📋 13 known gaps documented with test coverage
  • ⚠️ 2 false positives confirmed and documented

Coverage Matrix

15 real-world incidents mapped against all defense layers:

  • 33% fully covered (HIGH confidence)
  • 33% partially covered
  • 33% architectural gaps (documented)

89 benchmark cases (InjecAgent + AgentDojo) analyzed — 46 use MCP-tool-only exfiltration, addressed by new SEQ-006 (advisory).

Numbers

  • 1,321 tests passing (was 1,261 in v0.4)
  • 7 SEQ rules (was 4 in v0.4)
  • 197 regex patterns (unchanged)
  • +2,594 lines across 17 files

Files

File                                    Purpose
src/cloneguard/sequence_allowlist.py    New — sequence enforcement allowlist
tests/test_monitor_enforcement.py       New — 43 enforcement tests
tests/test_sequence_allowlist.py        New — 13 allowlist tests
tests/test_adversarial_sequences.py     New — 20 adversarial validation tests
scripts/analyze_redteam_datasets.py     New — red team dataset analysis

CloneGuard v0.4

12 Mar 22:23

Full Changelog: v0.3...v0.4

CloneGuard v0.2.1

10 Mar 02:55

What's Changed

Retrained Tier 1.5 Model (v3)

Two rounds of data-driven augmentation guided by a new adversarial robustness benchmark:

  • FPR fixed: 40-87% on real-world content → 0-33% (production mode with sliding window)
  • Training data: 5,671 → 6,340 samples (+352 real benign from 59 GitHub repos, +149 synthetic gap-fill, +104 targeted adversarial augmentation, +42 selective malicious)
  • Encoding evasion: 85% → 100% recall
  • Structural dilution: 55% → 95% recall
  • Truncation padding: 80% recall with sliding window (was invisible to raw classifier)

Adversarial Robustness Benchmark

New systematic benchmark (scripts/adversarial_benchmark.py):

  • 185 adversarial payloads across 9 categories + multilingual smoke test
  • 234 held-out benign samples (no training overlap)
  • Threshold sweep, per-category recall, per-content-type FPR
  • --production flag for sliding window evaluation
  • --eval-corpus flag for held-out evaluation sets
  • --compare for delta reporting between runs

Licensing

  • Apache-2.0 NOTICE file with security tool disclaimer
  • CITATION.cff for academic attribution

Stats

  • 968 tests passing
  • 191 regex patterns, 24 categories
  • ~17ms/sample inference

Full Changelog: v0.2.0...v0.2.1

CloneGuard v0.2.0

09 Mar 18:47

CloneGuard v0.1.0

09 Mar 03:44