Releases: peg/rampart

v0.6.1

26 Feb 07:32
48aa397

Changelog

  • 48aa397 fix: improve Windows UX in doctor and installer (#118)

v0.6.0

26 Feb 06:45
2d7aba0

Changelog

  • 2d7aba0 v0.6.0: Windows Support + Cross-Platform CI (#116)

v0.5.0

25 Feb 06:19
5a9a409

Changelog

  • 5a9a409 v0.5.0: Security for Humans — allow/block/rules + visual polish (#115)

v0.4.12

24 Feb 04:48
48606ac

Changelog

  • 48606ac v0.4.12: token persistence + e2e tests + policy hardening (#114)

v0.4.11

24 Feb 02:23
e7c5c0e

What's fixed in v0.4.11

  • rampart upgrade skipped policy refresh when already on latest — the command returned early when the installed binary matched the latest release, bypassing the policy update step. Users who upgraded binaries manually or were already on the latest version never received policy improvements from newer releases without knowing to run rampart init --force separately. Now always refreshes installed profiles unless --no-policy-update is set.

Full changelog: CHANGELOG.md

v0.4.10

24 Feb 01:41
7f63c0c

What's fixed in v0.4.10

Six bugs found during hands-on testing on agent-01 and agent-02 after v0.4.9 shipped.

  • rampart audit subcommands crash with default path — tail, verify, stats, search, and replay all failed immediately because ~ in the default --audit-dir was never expanded. Fixed in the shared helpers (listAuditFiles, listAnchorFiles) so all five subcommands are covered.
  • rampart bench approval-gated coverage always 0% — corpus entries with expected_action: require_approval were never counted in coverage math. The 4 correctly-gated sudo/shred entries appeared in decisions but were invisible to the percentage. Coverage now correctly reflects both deny and require_approval expected entries. Privilege-escalation coverage: 28% → 50%.
  • rampart bench crashes with no args on installed binaries — default corpus path was bench/corpus.yaml relative to CWD, breaking for any installed user. Corpus is now embedded in the binary. rampart bench works anywhere and shows Corpus: built-in.
  • rampart doctor shows lint error for call_count — call_count was added to the engine in v0.4.8 but the linter's known-fields map was never updated. Every user running rampart doctor with standard.yaml saw a spurious red lint error.
  • rampart status undercounts blocking decisions — require_approval and webhook decisions were silently dropped from today's event stats. Now counted alongside deny.
  • rampart policy generate emits verbose null/empty fields — generated YAML included priority: 0, enabled: null, agent: "", and all-empty condition slices. Added omitempty to relevant struct fields. Marshaling-only change — existing policy files parse identically.

Full changelog: CHANGELOG.md

v0.4.9

24 Feb 00:26
41655ff

What's new in v0.4.9

Added

  • rampart policy generate — natural language to policy YAML. Describe what you want to block in plain English (rampart policy generate "block all curl requests to external hosts") and get a ready-to-use policy file.
  • rampart bench — policy coverage scoring against a built-in 84-entry attack corpus. Shows what percentage of known attack patterns your active policy catches, broken down by category (exfil, credential-theft, supply-chain, persistence, privilege-escalation, prompt-injection, destructive). Includes --strict flag and --json output for CI.
  • block-prompt-injection profile — installable via rampart init --profile block-prompt-injection. Three tiers: deny (high-confidence role override attempts), require_approval (medium-confidence patterns), watch (existing standard patterns). Covers "ignore previous instructions", DAN-style jailbreaks, exfil directives, and more.
  • Approval message enrichment — install commands in approval messages now include a direct link to the package registry entry (npm, PyPI, crates.io) so reviewers can inspect the package before approving.

Fixed

  • Prompt injection pattern false positives — tightened four patterns in standard.yaml and block-prompt-injection.yaml: bare ignore instructions now requires a qualifier; you are now (a|an) removed; your new (role|task|purpose) is narrowed to instructions-only context; [SYSTEM] token removed. developer mode enabled demoted from deny to require_approval.
  • rm -rf deny scoped to dangerous paths — no longer hard-denies rm -rf on all paths. Denies are scoped to home dirs and system dirs (/etc, /usr, /boot, /root, /lib, /lib64, /var). Explicitly excluded: /tmp, /var/tmp, /var/log, /var/run, /var/cache — agents can clean up build artifacts and logs without hitting a wall.
  • rampart bench accepts require_approval in corpus — corpus entries with expected_action: require_approval now parse correctly. Previously caused an immediate error.
  • rampart upgrade refreshes opt-in profiles — upgrade now re-installs block-prompt-injection.yaml alongside standard.yaml when the profile is active.
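
The rm -rf scoping in the Fixed list above, sketched as an added Go example (not Rampart's code): it normalises the target before matching so that a path such as /var/log/../../etc/ssh cannot ride on the /var/log exclusion. The function name, the "/home" root, the "/" check, and the choice to deny everything under the home directory are assumptions of this example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Lists copied from the v0.4.9 note; "/home" and the "/" check below are assumptions.
var (
	denyRoots = []string{"/etc", "/usr", "/boot", "/root", "/lib", "/lib64", "/var", "/home"}
	excluded  = []string{"/tmp", "/var/tmp", "/var/log", "/var/run", "/var/cache"}
)

// under matches on a path-component boundary, so "/var/logs" is not "/var/log".
func under(p, root string) bool {
	return p == root || strings.HasPrefix(p, root+"/")
}

// RmRfDecision returns "deny" or "allow"; lexical only, symlinks are not followed.
func RmRfDecision(target, home, cwd string) string {
	if target == "~" || strings.HasPrefix(target, "~/") {
		target = home + target[1:]
	}
	if !path.IsAbs(target) {
		target = path.Join(cwd, target)
	}
	p := path.Clean(target) // collapses "..", "." and repeated slashes
	for _, r := range excluded { // the narrower exclusions win over "/var"
		if under(p, r) {
			return "allow"
		}
	}
	if p == "/" || (home != "" && under(p, home)) {
		return "deny"
	}
	for _, r := range denyRoots {
		if under(p, r) {
			return "deny"
		}
	}
	return "allow"
}

func main() {
	for _, t := range []string{"/var/log/app", "/var/log/../../etc/ssh", "/var/logs", "build", "~/.ssh"} {
		fmt.Printf("%-24s %s\n", t, RmRfDecision(t, "/home/dev", "/srv/work"))
	}
}
```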

Full changelog: CHANGELOG.md

v0.4.8

22 Feb 01:46
930e497

Changelog

  • 930e497 release: v0.4.8 — transparency mode, call_count, help grouping, token rotate (#102)

v0.4.7

21 Feb 19:48
83bcc45

Changelog

  • 05ad59a release: v0.4.7 — policy conditions, UX overhaul, dashboard, security hardening (#90)

v0.4.6

21 Feb 08:35
b6ce72b

Changelog

  • accd7cf Merge branch 'main' into staging
  • 8672c93 feat(hook): inject PostToolUseFailure feedback on deny
  • 7a4eac7 feat(policy): block environment variable injection attacks
  • 658ef90 feat(policy): block environment variable injection attacks
  • d355472 fix(dashboard): responsive header on mobile — Connect button no longer clipped
  • a3b1872 fix(policy): split env-var-injection into hard-deny and watch tiers
  • 6a8bbc3 fix(preload): default port 19090 → defaultServePort (9090) + honour RAMPART_URL env
  • 4da9621 fix(site): mobile UX — Docs link, code font size, hero/install button layout
  • 4aee720 fix: address code review findings for v0.4.6
  • c04f7c3 fix: apply all validation fixes to main repo docs
  • ab0c8d3 fix: correct stale port 18275 in hook and setup CLI descriptions
  • 3799e4a fix: stale port 18275 in docs-site markdown + CHANGELOG env var list