
v1.6.0 — Security Hardening and Critical Fixes


@rish-e rish-e released this 26 Mar 10:14

Autopilot v1.6.0 — Security Hardening & Critical Fixes

Major security audit and fixes. The guardian is significantly stronger, critical bugs are fixed, and the repo is cleaned up for open source.

Guardian Hardening

Fail closed — The guardian now blocks ALL commands if jq is missing or JSON parsing fails. Previously, a missing jq meant every command passed through unblocked. A safety-critical script should never fail open.

Anti-obfuscation — New Category 0 blocks attempts to bypass the guardian:

  • Encoded commands piped to shell interpreters
  • Subshell execution (bash -c, sh -c, eval)
  • Interpreter evasion (python -c os.system(), node -e exec(), ruby -e system())

Fixed: DELETE without WHERE — The rule that catches DELETE FROM table; without a WHERE clause was broken (the grep pipeline was wrong, so the rule never fired). It now works correctly: DELETE FROM ... WHERE ... is allowed; DELETE FROM ...; is blocked.

Fixed: --force-with-lease — git push --force-with-lease was incorrectly blocked by the force-push rule. It's now allowed (it's the safer alternative).

Fixed: Custom rules delimiter — The | delimiter conflicted with regex alternation. Guardian now supports ::: as the primary delimiter, with | as a legacy fallback, and parses the pattern correctly even if it contains pipe characters.

Test suite: 55 tests (up from 45) — all passing. New tests cover obfuscation bypass, DELETE without WHERE, force-with-lease, and proper non-Bash tool handling.
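The rules above, written out as a small POSIX sh guardian so the fail-closed path, the DELETE-without-WHERE check, the force-with-lease exemption, the subshell rule and the ::: delimiter can be exercised side by side. This is an added illustration, not the Autopilot guardian script: the function names, the JQ_BIN override, the CUSTOM_RULES variable and the exit codes (0 = allow, 2 = block) are assumptions made for the example, and the hook payload shape `{"tool_input":{"command":...}}` is likewise assumed.

```shell
#!/bin/sh
# Added illustration of the guardian rules, not the Autopilot project's code.
# Assumed: exit 0 = allow, exit 2 = block; JQ_BIN and CUSTOM_RULES are hypothetical.

ALLOW=0
BLOCK=2

# Fail closed: the command is only extracted when jq exists AND the payload
# parses. Any failure makes guardian() block instead of passing the command.
# JQ_BIN lets the missing-jq path be exercised without uninstalling jq.
extract_command() {
  jq_bin="${JQ_BIN:-jq}"
  command -v "$jq_bin" >/dev/null 2>&1 || return 1
  printf '%s' "$1" | "$jq_bin" -er '.tool_input.command' 2>/dev/null
}

# Category 0 (subset): subshell execution via bash -c, sh -c or eval.
subshell_exec() {
  printf '%s\n' "$1" | grep -Eq '(^|[^[:alnum:]_-])((ba)?sh[[:space:]]+-c|eval)([[:space:]]|$)'
}

# DELETE FROM ... ; with no WHERE. Statements that carry a WHERE are stripped
# first, so "DELETE FROM a WHERE x=1; DELETE FROM b;" is still caught.
delete_without_where() {
  lc=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')
  printf '%s\n' "$lc" \
    | sed 's/delete[[:space:]][[:space:]]*from[^;]*where[^;]*;//g' \
    | grep -Eq 'delete[[:space:]]+from[[:space:]]+[^;]*;'
}

# Force push: --force or -f as a standalone flag is blocked. The trailing
# ([[:space:]]|$) is what keeps --force-with-lease from matching.
force_push() {
  printf '%s\n' "$1" | grep -Eq 'git[[:space:]]+push([[:space:]]+[^[:space:]]+)*[[:space:]]+(--force|-f)([[:space:]]|$)'
}

# Custom rules: "<regex>:::<message>" is primary; "<regex>|<message>" is the
# legacy form and only parses correctly when the regex contains no pipe.
rule_pattern() {
  case "$1" in
    *:::*) printf '%s\n' "${1%%:::*}" ;;
    *)     printf '%s\n' "${1%%|*}" ;;
  esac
}
rule_message() {
  case "$1" in
    *:::*) printf '%s\n' "${1#*:::}" ;;
    *)     printf '%s\n' "${1#*|}" ;;
  esac
}
custom_rule_blocks() {   # $1 = rule line, $2 = command
  printf '%s\n' "$2" | grep -Eiq -e "$(rule_pattern "$1")"
}

# Decide for one hook payload: any rule that fires returns BLOCK, reaching the
# end returns ALLOW. Custom rules are read from CUSTOM_RULES, one per line.
guardian() {
  cmd=$(extract_command "$1") || return "$BLOCK"
  subshell_exec "$cmd" && return "$BLOCK"
  delete_without_where "$cmd" && return "$BLOCK"
  force_push "$cmd" && return "$BLOCK"
  printf '%s\n' "${CUSTOM_RULES:-}" | grep -v '^$' | while IFS= read -r rule; do
    if custom_rule_blocks "$rule" "$cmd"; then
      echo "blocked: $(rule_message "$rule")" >&2
      exit 1
    fi
  done || return "$BLOCK"
  return "$ALLOW"
}
```

Note the ordering in guardian(): the jq check happens before any rule runs, so a missing jq or an unparseable payload can only ever produce BLOCK. For custom rules, a legacy line such as `(drop|truncate)[[:space:]]+table|message` would be split at the first pipe and silently lose half its pattern, which is exactly why ::: is now the primary delimiter.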

Critical Fixes

Uninstaller safety — The uninstaller now removes Bash from the auto-approve list when removing the guardian. Previously, uninstalling left all Bash commands auto-approved with zero protection.

Installer cleanup — Added trap for temp directory cleanup on failure. Previously, a failed install leaked temp directories.
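The cleanup pattern the installer fix refers to, as an added example rather than the Autopilot installer itself: with_tempdir is a hypothetical helper that runs a command with TMPDIR_WORK pointing at a fresh directory and removes that directory on every exit path, including a failing step. The record-file argument exists only so a caller (or test) can verify the directory is gone afterwards.

```shell
#!/bin/sh
# Added illustration of failure-safe temp directory cleanup (not the Autopilot
# installer). with_tempdir and TMPDIR_WORK are hypothetical names.
with_tempdir() {
  record="$1"; shift          # file that receives the temp path, for verification
  (
    work=$(mktemp -d) || exit 1
    # EXIT fires on normal completion and on error; INT/TERM cover a user
    # aborting the install. Either way the directory does not leak.
    trap 'rm -rf "$work"' EXIT INT TERM
    printf '%s\n' "$work" > "$record"
    TMPDIR_WORK="$work" "$@"   # the install step; its exit status is returned
  )
}
```

Running the step inside a subshell keeps the trap local: the caller's own EXIT handler, if any, is untouched, and the step's exit status still propagates through the function.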

Repo Cleanup

  • Removed personal MCP entries from trusted-mcps.yaml (local paths)
  • Removed personal MCPs from agent allowedTools (shadcn-ui, magicui, etc.)
  • Removed project-specific RenderKit section from agent definition
  • Clean slate for any user to install without seeing someone else's config