v2.1.2

Changelog

• 3880176 ci: bump the ci-actions group with 2 updates (#358)
• adf3e37 deps: bump modernc.org/sqlite from 1.48.0 to 1.48.1 in the go-deps group (#357)
• 3870e10 feat: add action receipts with Ed25519 signing and verify-receipt CLI (#351)
• 8c6adc6 feat: hash-chained receipts and transcript roots (#354)
• 8d8eefb feat: immutable core scanner and bundle metadata v2 (#359)
• 44f1177 feat: onboarding stack (init CLI, README, Helm chart, FP guide) (#355)
• f6f562d feat: runtime hardening (airlock, browser shield, posture capsule) (#356)
• bdab6f7 fix: receipt emission for TLS interception, field-level redaction, and hot-reload lifecycle (#362)
• d37166f fix: respect pipelock:ignore inline comments in scan-diff mode (#365)
• 4c47d1e fix: runtime hardening follow-up — review findings and tracked issues (#371)
• 2e45ac4 fix: scan all multipart part bodies, headers, and transfer encodings (#370)

v2.1.1

Changelog

• ce7afb5 feat: ClusterFuzzLite integration and Hangul Filler normalization (#339)
• be84440 fix: SSRF hex/octal IP decoding + separate subdomain entropy threshold (#336)
• 5b12011 fix: SSRF trust gap for allowlisted domains resolving to internal IPs (#334)
• 0889578 fix: harden MCP input DLP with new patterns and path coverage (#337)
• 94d99be fix: harden chain detection and shell obfuscation coverage (#338)
• 6da4a85 fix: recursive response decode + remove numbered comment lists (#344)
• c3d7bf4 fix: reject MCP batch requests at ingress (#335)
• 4c4a7cb fix: widen DLP and tool scanner patterns for gauntlet coverage (#348)
• 208bedc fix: widen Tool Invocation pattern and add SYS closing tag to Instruction Boundary (#350)
• 7951e28 refactor: BodyScanRequest struct, server timeout constants, token field docs (#345)
• e71b19d refactor: consolidate signal recording + split mcp/input.go (#346)
• 3f0911a refactor: extract LogContext and InterceptContext structs for audit + intercept pipelines (#340)
• e0b2b07 refactor: extract relay and hop-by-hop helpers into relay.go (#347)

v2.1.0

Changelog

• b346ac0 Add support for trusted_domains to forward proxy mode (#297)
• 57abaa4 Improve scanner coverage for encoded payloads and cross-transport DLP (#315)
• 2dcb48f chore(deps): bump requests (#300)
• b261e8e ci: bump the ci-actions group across 1 directory with 6 updates (#331)
• 872bdf7 ci: fix deprecated goreleaser format field (formats plural) (#332)
• 0b1257a deps: bump the go-deps group with 3 updates (#326)
• 8841118 feat: A2A protocol scanning foundation — types, field walker, detection (#316)
• 40bcc17 feat: MCP binary integrity and denial-of-wallet detection (#310)
• a561070 feat: MCP tool provenance and profile-then-lock baseline (#311)
• 2dfaf58 feat: add SecureIQLab Docker Compose test harness (#318)
• 20ea349 feat: add exempt_domains to response scanning (#305)
• f8a41e5 feat: add pipelock assess command for signed security assessments (#296)
• 789079b feat: add session admin API for adaptive enforcement recovery (#308)
• 71a2d51 feat: canary token detection and simulate expansion (#313)
• 9794e35 feat: compliance evidence mappings and trust attestation (#314)
• b418d3c feat: flight recorder and agent bill of materials (#309)
• fb2e4ce feat: implement MCP redirect handlers (fetch-proxy + quarantine-write) (#307)
• 4e3d355 feat: policy capture and replay engine (#319)
• fe1384a feat: session manifest and signed decision records (#312)
• defc715 fix(assess): HTML report with visual hierarchy and remediation (#306)
• e268702 fix: add best_effort mode for file sentry in MCP proxy (#292)
• 68cac04 fix: autonomous block_all recovery for adaptive enforcement (#304)
• 04dcfec fix: classify scanner results to prevent adaptive enforcement death spiral (#295)
• 41ef558 fix: scan redirect handler output through DLP pipeline (#323)
• 63c6a2f fix: structured exit codes and subprocess error handling (#320)
• 04589d8 fix: v2.1.0 RC test findings and feature wiring (#328)
• 2f9784c fix: v2.1.0 polish — audit logging, transport tests, config validation (#321)
• da95706 refactor: extract shared escalation recording helper (#290)
• cb2e784 refactor: introduce MCPProxyOpts to replace long MCP proxy parameter lists (#294)
• 76ee281 refactor: split 91-file CLI god package into 10 subpackages (#303)
• baa13bf refactor: split config.Validate, DRY audit logger, coverage boost (#322)
• 96609f6 security: redact secrets and server names from assess evidence (#301)

v2.0.0

Changelog

• 67e2ed3 ci: bump the ci-actions group with 4 updates (#287)
• c609b0b deps: bump modernc.org/sqlite from 1.46.1 to 1.47.0 (#282)
• e87d8c2 feat: JetBrains/Junie MCP proxy integration (#260)
• b7145d2 feat: adaptive enforcement exempt_domains for DLP scoring (#268)
• d8f1ef4 feat: add --sandbox and --workspace flags to jetbrains install (#269)
• 33330fb feat: add redirect policy action for MCP tool call routing (#271)
• 65b936b feat: built-in attack simulation command (#277)
• f98bf70 feat: config security scoring and tool policy overpermission audit (#273)
• d735d3e feat: full-schema tool poisoning + state/control response patterns (#270)
• f5a1fa6 feat: generic HTTP reverse proxy with body scanning (#278)
• 62094cb feat: macOS sandbox via sandbox-exec (seatbelt) (#275)
• 6624862 feat: per-agent sandbox profiles, strict mode, diagnostics, redirect handler (#272)
• cfec5f8 feat: sandbox --best-effort for container environments (#289)
• ce39f12 feat: unprivileged process sandbox (Landlock + seccomp + netns) (#267)
• 2332fb1 fix: harden reverse proxy scanning and kill switch preemption (#281)

v1.5.0

Changelog

• 3f93984 feat: OTLP log export sink (HTTP/protobuf) (#262)
• 753a258 feat: adaptive enforcement v2 — escalation-aware enforcement across all transports (#256)
• 35d831b feat: community rules rollout — build wiring, docs, and registry URL (#255)
• f76467a feat: filesystem sentinel for subprocess MCP mode (#261)
• 48bb939 feat: financial DLP patterns with checksum validation (#258)
• 66eda7b feat: key-scoped tool policy matching (arg_key) (#257)
• aca9df9 fix: adaptive enforcement death spiral (#266)
• e188cb6 fix: harden shell normalization against 3 evasion techniques (#259)
• 3309fdd fix: reject unsupported dlp.action and per-pattern action fields (#263) (#264)
• dda4c33 fix: transport parity — WS header DLP + forward HTTP response scanning (#254)

v1.4.0

Changelog

• 03a5eaa Merge pull request #242
• 41ee2bd ci: bump docker/login-action from 3.7.0 to 4.0.0 (#241)
• 9da483f ci: bump sigstore/cosign-installer from 4.0.0 to 4.1.0 (#237)
• ce3e754 feat: add DLP patterns for Groq, xAI, GitLab, New Relic, and Stripe webhooks (#246)
• 6dfdef9 feat: add VS Code MCP proxy integration (vscode install/remove) (#248)
• f62ad5f feat: add address similarity tracker for blockchain address poisoning detection (#231)
• d9dadac feat: add crypto address poisoning detection (#233)
• 7a25a07 feat: add crypto secret DLP detection (BIP-39 seed phrases, WIF, xprv, ETH keys) (#249)
• eb0a59e feat: add response scanning pre-filter for keyword-gated regex (#230)
• 8d4c9c7 feat: community rule bundles — signed YAML detection patterns (#247)
• 22639c3 feat: detect delimiter-separated hex encoding in DLP scanner (#243)
• 2f37db1 feat: trial tier and one-time purchase support for license service (#232)
• f17a8d2 fix: k8s Secret volume compatibility for key and license file loading (#229)
• e92466c fix: make rules lock cross-platform for Windows release builds (#252)
• 1d1ac98 fix: skip general response scanning on empty tools/list responses (#250)
• 324a509 perf: extend response pre-filter to opt-space and vowel-fold passes (#245)

v1.3.0

Changelog

• e995702 Sentry: Initial support (#211)
• 0b2089c feat: add CRLF injection and path traversal detection to scanner pipeline (#224)
• 037e82f feat: add POST /api/v1/scan evaluation endpoint (#223)
• bbe9ddc feat: add SARIF output for audit and git scan-diff (#217)
• fa7e92f feat: add license service scaffold (enterprise, ELv2) (#218)
• 36cd8f9 feat: add pipelock license install command (#216)
• dff1c99 feat: add subdomain entropy exclusions for high-entropy cloud domains (#214) (#222)
• dce46c3 feat: add tier and subscription_id fields to license token (#215)
• 5f64534 feat: runtime license loading from env var and file path (#213)
• bf51529 fix: close config fail-open, WS header DLP bypass, and secrets_file permission gap (#219)
• 6d8aaf4 fix: set explicit archive ID for Homebrew formula matching (#227)
• c18e894 refactor: thread request context through Scanner.Scan for DNS cancellation (#221)

v1.2.0

Changelog

• b546d91 feat: add DLP prefix pre-filter to skip regex on clean traffic (#209)
• 8f31933 feat: cross-request exfiltration detection (CEE) (#206)
• 767f3d0 feat: expand DLP patterns from 22 to 36 (#208)
• 6471b7f fix: normalize license headers, update docs for dual-license clarity (#204)
• d993223 fix: shut down agent listeners on config reload when license revoked (#205)

v1.1.0

Changelog

• bafc95d ci: bump actions/checkout from 4.3.1 to 6.0.2 (#198)
• b640cb9 ci: bump actions/dependency-review-action from 4.7.1 to 4.9.0 (#196)
• 6207977 ci: bump docker/setup-buildx-action from 3.12.0 to 4.0.0 (#199)
• 748e86c ci: bump docker/setup-qemu-action from 3.7.0 to 4.0.0 (#200)
• 42bb8ba ci: bump github/codeql-action from 4.32.4 to 4.32.6 (#197)
• f13d590 feat: add discover command for MCP server protection scanning (#194)
• 76d701d feat: add parallel benchmarks, concurrent scaling test, and performance doc (#201)
• d40ea7b feat: split enterprise features into dedicated module under ELv2 (#202)

v1.0.0

Changelog

• 9e2bc5b feat: add per-agent identity, budgets, and config isolation (#186)
• 413f20f feat: add persistence detection for MCP tool policy and chain patterns (#187)
• 11c38f7 fix: TLS interception follow-up (shared transport, reload warnings, certgen coverage) (#185)