Adaptive guardrails for AI coding agents

v0.2 quadruples coverage. The bundled ruleset now spans:

• SQL (9) — DROP DATABASE / TABLE / SCHEMA, TRUNCATE, ALTER DROP COLUMN, unscoped UPDATE/DELETE, GRANT/REVOKE ALL, REVOKE FROM PUBLIC, Postgres COPY FROM PROGRAM (RCE), MySQL LOAD DATA INFILE.
• Git (5) — force-push to protected branches, filter-branch / filter-repo / reflog expire, push --mirror --force, branch -D, checkout . / git clean -fxd.
• Filesystem (5) — rm -rf at filesystem root, sensitive paths under /etc / ~/.ssh / ~/.aws, dd to block device, find … -delete sweeps, world-writable chmod, recursive chown root.
• Secrets exfil (3) — compound predicate catching read-secret + post-to-network in one command, raw SSH/AWS key reads, bulk cloud secrets dumps.
• Supply chain (2) — curl | sh, bash <(curl …), untrusted npm/pip/yarn/gem/cargo registries.
• Reverse shells (1) — 10 incantations across bash, nc, python, perl, ruby, openssl, socat, PowerShell.
• Privilege (2) — sudo-prefixed destructive verbs, setuid grants.
• Cloud / k8s / Docker (11) — aws s3 rm --recursive, rds delete --skip-final-snapshot, terraform destroy -auto-approve, gcloud sql delete, az group delete --yes, kubectl delete namespace / --all / drain, helm uninstall, docker system prune -a --volumes, docker rm -fv.
• LLM-response (5) — assistant plan text mentioning DROP DATABASE / force-push / rm -rf / curl|sh / secret-exfil — second pair of eyes before a destructive call is attempted.
• Anomaly (1) — destructive-burst marker.

Every shipping rule has at least one positive integration test plus a negative test proving it doesn't over-fire on benign inputs. 51 integration tests + 36 unit tests = 87 tests, all green.

Every rule now contributes a points score (defaulting to severity rank). When multiple rules fire on the same call, Shield sums their points and maps the total to its own severity tier: 2 → Medium, 5 → High, 9 → Critical. The final severity is whichever is higher — top single match or composite total.

Why this matters: an isolated git branch -D feature/legacy is a Medium warning. The same call inside a script that also reads ~/.aws/credentials and runs chmod 777 /var/data stacks four matches at 2 + 4 + 3 + 3 = 12 points and gets promoted to Critical. Composite scoring catches the shape of a destructive session even when no single command crosses the line.

At startup, Shield checks the working directory for production-management signals — .env.production, kubeconfig, prod/, terraform state, a Procfile. When any of them match, Shield logs a banner and bumps the severity of every subsequent match one tier. The probe takes under 1 ms and never recurses outside cwd. Disable per-run with --no-workspace-probe.

Approvals and denials are journaled to .aperion-shield/decisions.jsonl in your project root, fingerprinted by sha256(rule_id + canonical-JSON(params)). The log is append-only and never leaves your machine. Two adaptive behaviours derive from it:

• Demote-after-approvals: three approvals of the same fingerprint with no denial since demotes one tier.
• Escalate-on-recent-deny: any denial within the last 7 days bumps the next match one tier.

So after the third time you approve the same legitimate UPDATE users SET email_verified=true WHERE id IN (…), Shield stops prompting. But if you ever deny one, the next attempt is treated harder. Disable per-run with --no-memory.

An in-process sliding window. Five or more destructive matches within five minutes bumps every subsequent match one tier until the burst quiets. Useful when an agent has gone off the rails and is running ten rms and a git push --force back-to-back — exactly the moment you want the brakes to tighten, not stay constant. Configurable threshold and window under policy.burst_detector; disable with --no-burst.

Some patterns can't be expressed as a single regex — they require parsing a pipeline or normalising a path. v0.2 ships six new predicates beyond the SQL pair:

• curl_pipe_sh — sees through sudo -u root bash and env FOO=bar python wrapper prefixes.
• network_fetch_to_interpreter — process-substitution form (bash <(curl …)).
• env_to_network — compound: secret source + network sink in the same command line.
• reverse_shell — 10 classic incantations.
• world_writable_chmod — numeric AND symbolic forms.
• untrusted_pkg_registry — allowlist-based detection of non-default npm/pip/yarn registries (since Rust regex has no negative lookahead).

Plus a sensitive_paths matcher with ~ expansion and .. traversal normalisation, closing a class of evasion tricks (cat /etc/../etc/shadow and cat /etc/shadow resolve identically).

Every blocked or approval-required decision now includes a safer_alternative field in the JSON-RPC error payload, surfaced to the user in the IDE's tool-call panel. Examples:

• fs.recursive_delete_root: “Scope to a specific subdirectory, e.g. rm -rf ./build/.”
• git.history_rewrite: “If you need to remove a commit, git revert it; rewrites strand collaborators.”
• supply.curl_pipe_sh: “curl -fSLo install.sh URL && shasum -a 256 install.sh && bash install.sh.”
• secret.env_to_network: “Never let an agent share a secret with an outside service. Copy manually and rotate afterwards.”

Aperion Shield is also a teaching tool. Every block is a small lesson.

The Rust crate is now [lib] + [bin]. The library at aperion_shield::engine exposes Engine, Adjustments, Evaluation, and decide() so embedders can drop the engine into non-MCP contexts: custom proxies, lint tools, pre-commit hooks, CI step that scans pending shell commands. Same YAML format, same predicates, no MCP plumbing required.

Every new feature lives entirely on your machine. Decision memory writes to a local JSONL. The workspace probe reads cwd. The burst detector is in-process. The --telemetry flag remains reserved and stubbed — setting it today still prints the privacy-review notice and exits without sending anything. Nothing is phoning home in v0.2.