// CHANGELOG
Releases.
Every version of agentjail and what changed in it.
Check detailed commits on GitHub releases.
-
First public alpha
The first public cut of agentjail: hook-based policy guardrails for coding agents, evaluated locally before a tool call ever runs.
- Added Hook-based enforcement for Claude Code, evaluated before each tool call with no agent changes required.
- Added OPA/Rego policy engine evaluating every tool call in under 5ms.
- Added Local daemon with fail-closed defaults: if evaluation fails, the call is denied.
- Added
agentjail install --for claude-coderegisters the PreToolUse hook and starts the local policy daemon. - Added Documentation site with full guides, fuzzy in-page search, and a copyable raw-Markdown view for agents.
- Added Per-page social cards generated at build time, plus a sitemap, robots, and complete SEO metadata.
- Security Ships rules that block destructive shell commands and reads of credential paths before execution.
-
Credential broker & MCP proxy
Secrets stop flowing through the agent in the clear, and MCP traffic now passes through a policy-aware proxy.
- Added Credential broker hands out short-lived, scoped secrets instead of raw environment variables.
- Added MCP reverse proxy gates which MCP servers an agent is allowed to reach.
- Changed Policy bundle format streamlined; rules are easier to read and diff.
- Fixed Race condition during daemon socket startup on cold boot.
-
Faster evaluation
A rewrite of the evaluation hot path and a proper structured audit trail.
- Changed Rewrote the policy evaluation hot path, bringing p99 latency down roughly 60%.
- Added Structured JSON audit log via stdlib
log/slogfor every decision. - Fixed Windows path normalization in file-access policies.
-
Initial release
First cut of the hook + daemon architecture.
- Added Hook + local daemon architecture for intercepting tool calls.
- Added Starter rule library covering the most common dangerous operations.