All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Default-deny policy gateway for LLM/AI agent tool calls
- YAML-based policy with hot-reload via SIGHUP or `/v1/reload` endpoint
- Path traversal protection with canonicalization, null-byte rejection, and blocklist matching
- Argument filtering with configurable blocklist patterns and length limits
- Sliding-window rate limiter with configurable burst
- Bearer token authentication for mutating endpoints (fail-closed)
- Structured JSONL audit logging for all policy decisions
- `securectl` CLI companion for policy management
- Container image with multi-arch support (amd64/arm64)
- Systemd unit with strict sandboxing (DynamicUser, PrivateNetwork, seccomp)
- Seccomp profile for minimal syscall allowlist
- Signed releases with cosign keyless signing and SLSA provenance
- Threat model documentation
- mTLS deployment guidance for multi-host setups
- Default-deny: unlisted tools are rejected
- Deny list evaluated before allow list
- Constant-time token comparison prevents timing attacks
- 64 KB request body limit prevents memory exhaustion
- Localhost-only bind by default (127.0.0.1:8475)
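As an added illustration of the path traversal protection and default-deny behaviour listed above (example code written for this changelog, not the project's own implementation), the check below canonicalizes a tool-supplied path under a sandbox root, rejects null bytes and absolute paths, and then applies a glob blocklist; `SANDBOX_ROOT`, `BLOCKLIST` and the function names are assumptions.

```python
import os
import fnmatch

# Constructed sample policy (assumed values, not the project's defaults):
# the workspace root an agent tool may touch, and glob patterns that are
# denied even when the path stays inside that root.
SANDBOX_ROOT = "/srv/agent-workspace"
BLOCKLIST = ["*.env", ".ssh/*", "*.pem", "etc/*"]


def canonicalize(root, user_path):
    """Return user_path relative to root after lexical normalization
    ('.' and '..' collapsed), or None if it escapes the root.
    Symlinks are not resolved here; a deployed gateway should also
    realpath() the result and re-check it against the root."""
    root_norm = os.path.normpath(root)
    full = os.path.normpath(os.path.join(root_norm, user_path))
    # Appending os.sep prevents "/srv/agent-workspace2" from passing
    # a plain prefix test against "/srv/agent-workspace".
    if full != root_norm and not full.startswith(root_norm + os.sep):
        return None
    return os.path.relpath(full, root_norm)


def check_path(user_path, root=SANDBOX_ROOT, blocklist=BLOCKLIST):
    """Default-deny path check: returns (allowed, reason_or_relative_path).
    Every failed check rejects; only a path that passes all of them is allowed."""
    if "\x00" in user_path:
        return False, "null byte"
    if os.path.isabs(user_path):
        return False, "absolute path"
    rel = canonicalize(root, user_path)
    if rel is None:
        return False, "escapes root"
    # Blocklist is evaluated on the canonical relative path, so
    # "docs/../config/.env" is matched as "config/.env".
    for pattern in blocklist:
        if fnmatch.fnmatch(rel, pattern):
            return False, f"blocklisted: {pattern}"
    return True, rel
```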