
Aperion Shield v0.7 – guardrails for AI coding agents now run as Git hooks

Aperion Shield v0.7.0 now enforces AI coding agent guardrails as Git hooks, closing the loophole where agents bypass MCP-only restrictions by opening a shell. The update introduces `--install-hooks` for pre-commit and pre-push enforcement, `--suggest-rules` for audit-log-driven rule tuning, and four new IDE quickstarts. This release ensures destructive changes are blocked at the Git level regardless of how they were generated, addressing a key security gap in AI-assisted development workflows.

3 min read · Published May 26, 2026

aperion-shield v0.7.0 — git hooks close the MCP-bypass gap

The release that closes the most-cited objection to MCP-only enforcement: "the agent just opens a shell and reaches around your guardrail." v0.7 runs the same engine on the way to git, regardless of how the destructive change got there.

Headline features

1. `aperion-shield --install-hooks` (git pre-commit + pre-push)

Writes a managed `pre-commit` and `pre-push` hook into `.git/hooks/`. Same engine, same `shieldset.yaml`, same severity tiers — now enforced on every `git commit` and `git push`. Idempotent (re-runnable). Coexists with husky / pre-commit / lefthook via `--chain-existing`. Honours `git --no-verify` and `SHIELD_HOOKS_DISABLE=1` for the rare legitimate bypass.

$ aperion-shield --install-hooks
[aperion-shield] writing pre-commit  -> .git/hooks/pre-commit
[aperion-shield] writing pre-push    -> .git/hooks/pre-push
[aperion-shield] both hooks installed (managed by APERION-SHIELD-HOOK v1)

2. `aperion-shield --suggest-rules` (audit-log → rule tuning)

Reads your local `shield_eval` JSON-Lines audit log and emits text / markdown / yaml-patch suggestions across three classes — rules that never fire, rules that get consistently demoted by decision memory, and noisy `Warn` rules that should probably be `Info`. `--suggest-format yaml-patch` produces splice-ready snippets for `shieldset.yaml` with `# rationale:` comments. Stays local — never reads from a network source, never writes anywhere except the file you ask it to.

$ aperion-shield --suggest-rules \
    --audit-log ~/.aperion-shield/audit.jsonl \
    --suggest-window-days 14 \
    --suggest-format yaml-patch

3. Four new IDE quickstarts: Cline, Continue, Windsurf, Zed

Joining Cursor + Claude Code. Per-IDE schema notes in the README (notably Zed uses `context_servers`, not `mcpServers`).

What's under the hood

  • New CLI surface: `--install-hooks`, `--uninstall-hooks`, `--repo <PATH>`, `--chain-existing`, `--check-staged`, `--check-pushed-refs`, `--suggest-rules`, `--audit-log <PATH>`, `--suggest-window-days <N>`, `--suggest-min-occurrences <N>`, `--suggest-format <FMT>`.
  • `--check-staged` parses `git diff --cached --unified=0`, classifies files by kind (.sql / shell / Dockerfile / Makefile / source-code), evaluates each line through the engine, and exits 0 clean / 1 block / 2 approval-required / 3 operational-error.
  • `--check-pushed-refs` reads git's pre-push stdin protocol (`<local-ref> <local-sha> <remote-ref> <remote-sha>` per line), recognises protected-branch deletions (remote-sha is zero) and force-pushes (via `git merge-base --is-ancestor`). Override protected branches with `SHIELD_PROTECTED_BRANCHES=trunk,deploy/*`.
  • Hooks are written with an `APERION-SHIELD-HOOK v1` banner so `--install-hooks` is idempotent and never clobbers a foreign hook silently. `--chain-existing` renames the foreign hook to `.aperion-backup` and chains Shield in front of it.
  • `--suggest-rules` aggregates per-rule statistics across the analysis window, then evaluates three emit conditions: `RULE_NEVER_FIRES` (zero matches with rule present in shieldset), `CONSISTENTLY_DEMOTED` (≥ N matches with > 70% `Allow`/`AllowWithWarn` after the adaptive layer demoted), `NOISY_WARN` (high-frequency `Warn` with no human intervention recorded).
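The staged-diff check described above, as an added example that is not aperion-shield's own code: a constructed rule table and file-kind classifier stand in for `shieldset.yaml` and the real engine, and `SAMPLE_DIFF` is a constructed `git diff --cached --unified=0` fragment.

```rust
// Added example, not aperion-shield's own code: a minimal model of what
// `--check-staged` does with `git diff --cached --unified=0` output. The
// rule table and SAMPLE_DIFF are constructed; the real hook reads shieldset.yaml.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity { Info, Warn, ApprovalRequired, Block }
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Kind { Sql, Shell, Dockerfile, Makefile, Source }

/// File kind from the staged path's base name / extension.
pub fn classify(path: &str) -> Kind {
    let name = path.rsplit('/').next().unwrap_or(path);
    match name {
        "Dockerfile" => Kind::Dockerfile,
        "Makefile" | "GNUmakefile" => Kind::Makefile,
        _ if name.ends_with(".sql") => Kind::Sql,
        _ if name.ends_with(".sh") || name.ends_with(".bash") => Kind::Shell,
        _ => Kind::Source,
    }
}

/// (kinds, substring, severity); kind scoping keeps `echo DROP DATABASE` in a .sh from tripping an SQL rule.
const RULES: &[(&[Kind], &str, Severity)] = &[
    (&[Kind::Sql], "DROP DATABASE", Severity::Block),
    (&[Kind::Sql], "DROP TABLE", Severity::ApprovalRequired),
    (&[Kind::Shell, Kind::Dockerfile, Kind::Makefile], "rm -rf /", Severity::Block),
];

/// Each added line (`+`, not the `+++` header) is checked against the rules for its file's kind.
pub fn evaluate_diff(diff: &str) -> Option<Severity> {
    let (mut kind, mut worst) = (Kind::Source, None::<Severity>);
    for line in diff.lines() {
        if let Some(target) = line.strip_prefix("+++ ") {
            // `+++ b/<path>` names the post-image; `+++ /dev/null` is a deleted file
            kind = target.strip_prefix("b/").map_or(Kind::Source, classify);
        } else if line.starts_with('+') && !line.starts_with("+++") {
            for &(kinds, needle, sev) in RULES {
                if kinds.contains(&kind) && line[1..].contains(needle) {
                    worst = worst.max(Some(sev)); // worst severity wins
                }
            }
        }
    }
    worst
}

/// Hook exit code: 0 clean, 1 block, 2 approval-required (3 = operational error).
pub fn exit_code(worst: Option<Severity>) -> i32 {
    match worst { Some(Severity::Block) => 1, Some(Severity::ApprovalRequired) => 2, _ => 0 }
}

pub const SAMPLE_DIFF: &str = "+++ b/migrations/0042_reset.sql\n@@ -0,0 +1,2 @@\n\
+-- agent-generated cleanup\n+DROP DATABASE prod;\n";
```

In a real pre-commit hook the diff text comes from piping `git diff --cached --unified=0` into `evaluate_diff` and the process exits with `exit_code`.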

Tests

192 total tests, all green (was 148 in v0.6.0):

  • 26 new unit tests covering hooks install round-trips, diff parser fixtures, protected-branch glob matching, env-var override, audit JSONL parsing, RuleStats aggregator, and YAML-patch shape.
  • 18 new end-to-end integration tests against real tempdir git repos: install/uninstall idempotency, `DROP DATABASE` in a migration blocked, `rm -rf /` in a shell script blocked, force-push to `main` blocked, fast-forward to `main` allowed, branch-delete of `main` blocked, audit-derived suggestion correctness, and YAML splice shape.
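The pre-push cases those integration tests list (force-push to `main` blocked, fast-forward allowed, branch-delete blocked), modelled as an added example rather than aperion-shield's own code: `is_ancestor` stands in for `git merge-base --is-ancestor`, the default protected set `main` is an assumption, and the deletion case follows githooks(5), where a deleted ref arrives with `(delete)` as the local ref and an all-zero local sha.

```rust
// Added example, not aperion-shield's own code: a model of the decision
// `--check-pushed-refs` makes over git's pre-push stdin protocol. Per
// githooks(5) a deletion arrives as local ref "(delete)" with an all-zero
// local sha, and an all-zero remote sha means the branch is new remotely.
// `is_ancestor` stands in for `git merge-base --is-ancestor`.
pub const ZERO_OID: &str = "0000000000000000000000000000000000000000";

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict { Allow, BlockDelete(String), BlockForcePush(String) }

/// Comma-separated patterns as in SHIELD_PROTECTED_BRANCHES=trunk,deploy/*:
/// a trailing '*' matches any suffix, anything else must match exactly.
pub fn protected(branch: &str, patterns: &str) -> bool {
    patterns.split(',').map(str::trim).filter(|p| !p.is_empty()).any(|p| {
        match p.strip_suffix('*') {
            Some(prefix) => branch.starts_with(prefix),
            None => branch == p,
        }
    })
}

/// One `<local-ref> <local-sha> <remote-ref> <remote-sha>` line per pushed ref.
pub fn check_pushed_refs(stdin: &str, patterns: &str,
                         is_ancestor: &dyn Fn(&str, &str) -> bool) -> Verdict {
    for line in stdin.lines() {
        let f: Vec<&str> = line.split_whitespace().collect();
        if f.len() != 4 { continue; }
        let (local_sha, remote_sha) = (f[1], f[3]);
        let branch = match f[2].strip_prefix("refs/heads/") { Some(b) => b, None => continue };
        if !protected(branch, patterns) { continue; }
        if local_sha == ZERO_OID { return Verdict::BlockDelete(branch.to_string()); }
        if remote_sha == ZERO_OID { continue; } // creating the branch: nothing to rewrite
        // fast-forward iff the remote tip is an ancestor of what we are pushing
        if !is_ancestor(remote_sha, local_sha) {
            return Verdict::BlockForcePush(branch.to_string());
        }
    }
    Verdict::Allow
}

fn main() {
    // Real hook: git feeds the ref lines on stdin; the protected set comes from
    // SHIELD_PROTECTED_BRANCHES (default "main" is an assumption of this example).
    let mut input = String::new();
    std::io::Read::read_to_string(&mut std::io::stdin(), &mut input).unwrap();
    let pats = std::env::var("SHIELD_PROTECTED_BRANCHES").unwrap_or_else(|_| "main".into());
    let git = |older: &str, newer: &str| std::process::Command::new("git")
        .args(["merge-base", "--is-ancestor", older, newer]).status().map(|s| s.success()).unwrap_or(false);
    std::process::exit(match check_pushed_refs(&input, &pats, &git) { Verdict::Allow => 0, _ => 1 });
}
```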

Install

brew install AperionAI/tap/aperion-shield

docker pull ghcr.io/aperionai/shield:shield-v0.7.0

Then enable git hooks in any repo where you want commit-time enforcement:

cd /your/repo
aperion-shield --install-hooks

Supported platforms

  • macOS: aarch64-apple-darwin · x86_64-apple-darwin
  • Linux: aarch64-unknown-linux-gnu · x86_64-unknown-linux-gnu
  • Windows: x86_64-pc-windows-msvc

Security

No new advisories. Feature-only release. `cargo audit` clean against `Cargo.lock` at this commit. New surfaces (`--install-hooks`, `--check-staged`, `--check-pushed-refs`, `--suggest-rules`) all stay within the standalone process model — no new network endpoints, no new on-disk persistence beyond `.git/hooks/` (Shield itself) and the operator-redirected audit log. See SECURITY.md.

Docs
