Aperion Shield 0.1.0 — First public release

Source

github.com/AperionAI/shield

Homebrew

brew install AperionAI/tap/aperion-shield

Docker

ghcr.io/aperionai/shield:0.1.0

What's in this release

Local MCP guardrail bridge

Core

A faithful MCP stdio proxy. Your IDE talks to aperion-shield; Shield spawns the upstream MCP server as a child process and transparently relays every JSON-RPC frame in both directions. The only frames it intercepts are tools/call, which it evaluates against the ruleset before forwarding. No protocol changes from the IDE's perspective — same tools, same names, same schemas.

12 starter rules across SQL, git, filesystem, and cloud

Security

The default ruleset, baked into the binary, covers:

SQL — DROP DATABASE, DROP TABLE, TRUNCATE, unscoped UPDATE / DELETE (no WHERE).
Git — git push --force to main / master / prod / release/*, filter-repo, reset --hard HEAD~, branch -D.
Filesystem — rm -rf /, rm -rf $HOME, dd to block devices, deletes of /etc / /var / /usr / /opt.
Cloud — aws s3 rb, DeleteBucket API calls, terraform destroy.

Each rule is tuned for near-zero false positives on Critical and a low false-positive rate on High. The default ruleset is identical to the one shipped with the enterprise Smartflow Shield, so what you tune at the laptop translates directly to production.

Three operating modes — shadow / enforce / auto-deny

Operability

Run with --shadow for the first day to surface every would-have-fired rule without breaking your workflow. Once you trust the ruleset, drop the flag — Critical rules block, High rules queue for human approval, Medium passes with a warning. For CI runners and unattended agent loops, --auto-deny-high declines anything queued instead of waiting for a human.

Local approval inbox — no server, no UI

Approvals

When a High-severity rule fires, Shield prints the rule, ticket id, and the call it caught to stderr (Cursor and Claude Code surface this in the tool-call panel). To approve, write approve <ticket-id> to a file in your project root:

$ echo "approve shld_4f17a3" >> .aperion-shield/inbox

Decision propagates instantly; the call resumes. Default 60s timeout; falls back to deny if no decision arrives. There is intentionally no global “disable Shield” switch.

Application-layer SQL predicates

Engine

Some patterns — “UPDATE without WHERE” chief among them — cannot be expressed in RE2 regex because they need look-behind. Shield ships SQL-aware predicates (unscoped_update, unscoped_delete) that parse the statement and reject the classic agent failure mode: UPDATE users SET email_verified = true; -- forgot the WHERE. Trailing comments, multi-statement scripts, and weird quoting don't fool them.

Five build targets, distroless Docker image, Homebrew tap

Distribution

Every shield-v* tag fires a release pipeline that builds Linux x86_64 / aarch64, macOS x86_64 / aarch64, and Windows x86_64 archives — plus a multi-arch distroless Docker image (~12 MB) published to ghcr.io/aperionai/shield, plus a Homebrew tap bump. All artefacts are SHA-256 checksummed and attached to the GitHub Release.

Offline by default — no telemetry

Privacy

Aperion Shield does not phone home. It does not check for updates. It does not send rule hits anywhere. Your code, your SQL, your shell commands, your approval decisions stay on your machine. A future opt-in --telemetry flag for an anonymised public block ticker is reserved and currently stubbed; setting it today prints a notice and exits without sending anything.

How to install

Homebrew (macOS / Linux)

$ brew install AperionAI/tap/aperion-shield

Docker

$ docker run --rm -i ghcr.io/aperionai/shield:0.1.0 --help

Binary download

# Linux / macOS / Windows · x86_64 + aarch64 $ curl -L -o aperion-shield.tar.gz \ https://github.com/AperionAI/shield/releases/download/shield-v0.1.0/aperion-shield-shield-v0.1.0-aarch64-apple-darwin.tar.gz $ tar -xzf aperion-shield.tar.gz $ ./aperion-shield --version

Attach to your IDE

Cursor — ~/.cursor/mcp.json

{ "mcpServers": { "postgres-shielded": { "command": "aperion-shield", "args": ["--shadow", "--", "npx", "-y", "@modelcontextprotocol/server-postgres", "postgresql://localhost/mydb"] } } }

Claude Code — ~/.claude/config.json or claude mcp add

$ claude mcp add github-shielded -- \ aperion-shield -- npx -y @modelcontextprotocol/server-github

Roadmap

v0.2 — SSE & HTTP MCP transports

v0.1 covers the dominant stdio transport. Adding SSE and HTTP MCP transports lifts coverage to every flavour of MCP server in the wild — including remote ones that aren't subprocesses.

v0.3 — Anomaly rules (burst detection, repeated-deny patterns)

The enterprise edition already ships sliding-window burst detection (e.g. “5 destructive ops in 5 minutes per (tool, actor)”). Porting an in-process, single-machine version into Aperion Shield gives free-tier users a second tier of catch beyond per-call regex.

v0.4 — Optional public block ticker

Reserved for an anonymised, opt-in, once-per-minute aggregate of (rule_id, severity) tuples that power a community dashboard (think CVE tracker for AI-agent destructive operations). Gated on legal/DPO review; will never enable without explicit opt-in via --telemetry.

At-a-glance summary

#	Capability	Tag	Notes
01	Local MCP stdio bridge	Core	Transparent proxy; intercepts `tools/call` only
02	12 starter rules (SQL / git / fs / cloud)	Security	Baked into binary; same as enterprise default
03	Three modes — shadow / enforce / auto-deny	Operability	Recommended path: shadow for 1 day, then enforce
04	Local approval inbox	Approvals	`./.aperion-shield/inbox`; 60s default timeout
05	SQL predicates (`unscoped_update`, `unscoped_delete`)	Engine	Parses SQL; not fooled by trailing comments
06	5 platform builds + multi-arch Docker + Homebrew tap	Distribution	GitHub Actions auto-release on `shield-v*` tags
07	Offline by default — no telemetry	Privacy	Future opt-in flag stubbed and gated on legal review

First public release of Aperion Shield