Skip to content

Releases: leefowlercu/agent-hook-vault-radar

v3.0.0

17 Oct 16:06
@leefowlercu leefowlercu
v3.0.0
b86f310

Choose a tag to compare

View all tags
v3.0.0 Latest
Latest

[3.0.0] - 2025-10-17

Added

  • Remediation engine subsystem with concurrent strategy execution
  • Protocol system with configurable triggers (on_block, on_findings, severity_threshold, finding_types)
  • Log remediation strategy supporting JSON and text output formats
  • Decision engine message enrichment with remediation results
  • Comprehensive test suite for remediation strategies (13 test cases for log strategy)
  • Unit tests for decision engine and message formatting (decision_test.go)
  • Template variable system for future remediation strategies
  • Success/failure indicators (✓/✗) in user-facing messages
  • Configuration example file (config.yaml.example)

Changed

  • Configuration structure to include remediation settings with protocols and strategies
  • README documentation significantly expanded with remediation system documentation
  • Processor architecture to integrate remediation engine
  • Decision engine to support message enrichment with remediation results
Assets 2
Loading

v2.0.0

16 Oct 06:23
@leefowlercu leefowlercu
v2.0.0
7a94cf2

Choose a tag to compare

View all tags
v2.0.0

Release Notes - v2.0.0

Version 2.0.0 includes significant architectural improvements, breaking changes, and bug fixes. This release centralizes decision-making, improves Claude Code integration, and changes the default severity threshold to detect common secrets like AWS keys.

Breaking Changes

Default Severity Threshold Changed to "medium"

The default threshold changed from "high" to "medium". AWS access keys and other secrets reported as "info" severity are now blocked by default.

To restore v1.x behavior, set severity_threshold: "high" in config.yaml:

decision:
  block_on_findings: true
  severity_threshold: "high"

Architecture: Centralized Decision-Making

Decision-making is now centralized in the decision.Engine component. Hook handlers no longer make blocking decisions independently.

Changes to interfaces:

  • HookHandler: Removed MakeDecision() method
  • HookFramework: Added GetExitCode(decision Decision) int method
  • Decision type: Removed ExitCode field

Migration for custom handlers:

  1. Remove MakeDecision() method implementation
  2. Implement GetExitCode() in your framework
  3. Decision-making uses centralized engine automatically

Affected files:

  • internal/framework/framework.go
  • internal/framework/claude/userpromptsubmit.go
  • internal/processor/processor.go
  • pkg/types/types.go

Claude Code Integration Changes

Output format changed to properly display blocking messages in Claude Code:

  • Always set "continue": true
  • Set "decision": "block" when blocking
  • Always exit with code 0

Previous behavior used "continue": false and exit code 2, which prevented custom messages from displaying.

Features

"info" Severity Level Support

Added mapping for Vault Radar's "info" severity level (level 2, same as "medium"). Ensures AWS keys and similar secrets are properly detected.

Framework-Specific Exit Code Control

Frameworks now control exit code semantics through GetExitCode() method. Claude Code always returns 0 with blocking controlled by JSON fields.

Bug Fixes

Fixed Number Formatting in Reason Messages

Numbers in reason messages were appearing as control characters (\u0001 instead of "1"). Changed from string(rune(number)) to strconv.Itoa(number).

Before:

Vault Radar detected  security finding:

. [INFO] aws_access_key_id...

After:

Vault Radar detected 1 security finding:

1. [INFO] aws_access_key_id...

Improved Message Formatting

Added leading newline to reason messages for better visual separation in Claude Code UI.

Documentation

  • Corrected Claude Code output examples to show actual JSON format
  • Fixed exit code documentation to reflect framework-specific behavior
  • Updated severity level documentation to include "info" level
  • Changed all default examples to use "medium" threshold
  • Updated installation path to config directory location
  • Updated .env.example with new default threshold

Installation

From Release Binaries

# macOS (Apple Silicon)
curl -Lo hook-vault-radar https://github.com/leefowlercu/agent-hook-vault-radar/releases/download/v2.0.0/hook-vault-radar-darwin-arm64
chmod +x hook-vault-radar
mv hook-vault-radar ~/.agent-hooks/vault-radar/

# macOS (Intel)
curl -Lo hook-vault-radar https://github.com/leefowlercu/agent-hook-vault-radar/releases/download/v2.0.0/hook-vault-radar-darwin-amd64
chmod +x hook-vault-radar
mv hook-vault-radar ~/.agent-hooks/vault-radar/

# Linux (ARM64)
curl -Lo hook-vault-radar https://github.com/leefowlercu/agent-hook-vault-radar/releases/download/v2.0.0/hook-vault-radar-linux-arm64
chmod +x hook-vault-radar
mv hook-vault-radar ~/.agent-hooks/vault-radar/

# Linux (AMD64)
curl -Lo hook-vault-radar https://github.com/leefowlercu/agent-hook-vault-radar/releases/download/v2.0.0/hook-vault-radar-linux-amd64
chmod +x hook-vault-radar
mv hook-vault-radar ~/.agent-hooks/vault-radar/

Windows binaries (ARM64 and AMD64) are available in release assets.

From Source

git clone https://github.com/leefowlercu/agent-hook-vault-radar.git
cd agent-hook-vault-radar
git checkout v2.0.0
go build -o hook-vault-radar
cp hook-vault-radar ~/.agent-hooks/vault-radar/

Upgrade Guide

From v1.1.0 to v2.0.0

  1. Replace existing hook-vault-radar binary with v2.0.0
  2. Review severity threshold (default changed to "medium")
  3. Test with your prompts to verify threshold behavior
  4. Update custom handlers if applicable (remove MakeDecision() method)

Testing

# Check version
hook-vault-radar version

# Test with clean input (should pass)
cat testdata/claude/userpromptsubmit_clean.json | hook-vault-radar --framework claude

# Test with AWS key (should block)
cat testdata/claude/userpromptsubmit.json | hook-vault-radar --framework claude

Expected output for AWS key test:

{
  "decision": "block",
  "reason": "\nVault Radar detected 1 security finding:\n\n1. [INFO] aws_access_key_id: AWS access key ID (scan-content.txt)\n\nPlease remove or redact sensitive information before proceeding.",
  "hookSpecificOutput": {"hookEventName": "UserPromptSubmit"},
  "continue": true,
  "suppressOutput": false,
  "systemMessage": "Vault Radar detected 1 security finding:..."
}

Full Changelog

Changed

  • Default severity threshold from "high" to "medium" (internal/config/constants.go)
  • Removed MakeDecision() from HookHandler interface (internal/framework/framework.go)
  • Removed ExitCode field from Decision struct (pkg/types/types.go)
  • Claude Code framework always sets "continue": true with blocking via "decision": "block" (internal/framework/claude/claude.go)
  • Decision-making centralized in decision.Engine (internal/processor/processor.go)

Added

  • GetExitCode(decision Decision) int to HookFramework interface (internal/framework/framework.go)
  • "info" severity level mapping at level 2 (internal/decision/decision.go)
  • Leading newline to reason messages (internal/decision/decision.go)

Fixed

  • Number formatting in reason messages (internal/decision/decision.go)
  • Claude Code integration to display blocking messages (internal/framework/claude/claude.go)

Documentation

  • Updated README with correct output examples and exit code behavior
  • Updated .env.example with new default threshold
  • Updated all examples to use "medium" threshold
  • Added "info" severity level documentation

Removed

  • MakeDecision() method from UserPromptSubmitHandler (internal/framework/claude/userpromptsubmit.go)

Links

Loading