# Aperion Shield v0.7 – guardrails for AI coding agents now run as Git hooks

> Source: <https://github.com/AperionAI/shield/releases/tag/shield-v0.7.0>
> Published: 2026-05-26 15:17:55+00:00

## aperion-shield v0.7.0 — git hooks close the MCP-bypass gap

The release that closes the most-cited objection to MCP-only enforcement: *"the agent just opens a shell and reaches around your guardrail."* v0.7 runs the same engine on the way to `git`, regardless of how the destructive change got there.

### Headline features

**1. aperion-shield --install-hooks (git pre-commit + pre-push)**

Writes a managed `pre-commit` and `pre-push` hook into `.git/hooks/`. Same engine, same `shieldset.yaml`, same severity tiers — now enforced on every `git commit` and `git push`. Idempotent (re-runnable). Coexists with husky / pre-commit / lefthook via `--chain-existing`. Honours `git --no-verify` and `SHIELD_HOOKS_DISABLE=1` for the rare legitimate bypass.

``` text
$ aperion-shield --install-hooks
[aperion-shield] writing pre-commit  -> .git/hooks/pre-commit
[aperion-shield] writing pre-push    -> .git/hooks/pre-push
[aperion-shield] both hooks installed (managed by APERION-SHIELD-HOOK v1)
```

**2. aperion-shield --suggest-rules (audit-log → rule tuning)**

Reads your local `shield_eval` JSON-Lines audit log and emits text / markdown / yaml-patch suggestions across three classes — rules that never fire, rules that get consistently demoted by decision memory, and noisy `Warn` rules that should probably be `Info`. `--suggest-format yaml-patch` produces splice-ready snippets for `shieldset.yaml` with `# rationale:` comments. Stays local — never reads from a network source, never writes anywhere except the file you ask it to.

``` bash
$ aperion-shield --suggest-rules \
    --audit-log ~/.aperion-shield/audit.jsonl \
    --suggest-window-days 14 \
    --suggest-format yaml-patch
```

**3. Four new IDE quickstarts: Cline, Continue, Windsurf, Zed**

Joining Cursor + Claude Code. Per-IDE schema notes in the README (notably Zed uses `context_servers`, not `mcpServers`).

### What's under the hood

- New CLI surface: `--install-hooks`, `--uninstall-hooks`, `--repo <PATH>`, `--chain-existing`, `--check-staged`, `--check-pushed-refs`, `--suggest-rules`, `--audit-log <PATH>`, `--suggest-window-days <N>`, `--suggest-min-occurrences <N>`, `--suggest-format <FMT>`. `--check-staged` parses `git diff --cached --unified=0`, classifies files by kind (`.sql` / shell / Dockerfile / Makefile / source-code), evaluates each line through the engine, and exits `0` clean / `1` block / `2` approval-required / `3` operational-error. `--check-pushed-refs` reads git's pre-push stdin protocol (`<local-ref> <local-sha> <remote-ref> <remote-sha>` per line), recognises protected-branch deletions (remote-sha is zero) and force-pushes (via `git merge-base --is-ancestor`). Override protected branches with `SHIELD_PROTECTED_BRANCHES=trunk,deploy/*`.
- Hooks are written with an `APERION-SHIELD-HOOK v1` banner so `--install-hooks` is idempotent and never clobbers a foreign hook silently. `--chain-existing` renames the foreign hook to `.aperion-backup` and chains Shield in front of it.
- `--suggest-rules` aggregates per-rule statistics across the analysis window, then evaluates three emit conditions: `RULE_NEVER_FIRES` (zero matches with rule present in shieldset), `CONSISTENTLY_DEMOTED` (≥ N matches with > 70% `Allow` / `AllowWithWarn` after the adaptive layer demoted), `NOISY_WARN` (high-frequency `Warn` with no human intervention recorded).
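What `--check-staged` has to do before any rule can fire is turn the `--unified=0` diff into per-file added lines. The block below is an added example, not Shield's own code: it parses that diff shape into (path, kind, added line) triples on a constructed sample; the file-kind buckets follow the list above, while the exact extension map is an assumption.

```rust
// Added example, not Shield's own code: turn `git diff --cached --unified=0`
// output into (path, kind, added line) triples, the unit a commit-time rule
// engine evaluates. Bucket names follow the release notes; the extension map
// used to assign them is an assumption.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum FileKind { Sql, Shell, Dockerfile, Makefile, Source }

/// Classify a repository path by extension or well-known basename.
pub fn classify(path: &str) -> FileKind {
    let base = path.rsplit('/').next().unwrap_or(path).to_ascii_lowercase();
    if base.ends_with(".sql") { FileKind::Sql }
    else if base.ends_with(".sh") || base.ends_with(".bash") { FileKind::Shell }
    else if base == "dockerfile" || base.starts_with("dockerfile.") { FileKind::Dockerfile }
    else if base == "makefile" || base.ends_with(".mk") { FileKind::Makefile }
    else { FileKind::Source }
}

/// Collect every added line with the file it lands in. `+++ b/<path>` selects
/// the file; removed lines, hunk headers and deleted files are skipped.
pub fn added_lines(diff: &str) -> Vec<(String, FileKind, String)> {
    let mut out = Vec::new();
    let mut current: Option<(String, FileKind)> = None;
    for line in diff.lines() {
        if let Some(p) = line.strip_prefix("+++ ") {
            let path = p.strip_prefix("b/").unwrap_or(p);
            current = (path != "/dev/null").then(|| (path.to_string(), classify(path)));
        } else if let Some(text) = line.strip_prefix('+') {
            if let Some((path, kind)) = &current {
                out.push((path.clone(), *kind, text.to_string()));
            }
        }
    }
    out
}

/// Constructed staged diff: a migration dropping a database and a cleanup script.
pub const SAMPLE_DIFF: &str = "diff --git a/migrations/002.sql b/migrations/002.sql\n\
--- a/migrations/002.sql\n+++ b/migrations/002.sql\n@@ -0,0 +1,2 @@\n\
+DROP DATABASE prod;\n+CREATE DATABASE prod;\n\
diff --git a/scripts/clean.sh b/scripts/clean.sh\n\
--- a/scripts/clean.sh\n+++ b/scripts/clean.sh\n@@ -3 +3 @@\n\
-rm -rf ./build\n+rm -rf ./build ./dist\n";

fn main() {
    for (path, kind, text) in added_lines(SAMPLE_DIFF) {
        println!("{path} [{kind:?}] {text}");
    }
}
```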

### Tests

192 total tests, all green (was 148 in v0.6.0):

- 26 new unit tests covering hooks install round-trips, diff parser fixtures, protected-branch glob matching, env-var override, audit JSONL parsing, RuleStats aggregator, and YAML-patch shape.
- 18 new end-to-end integration tests against real tempdir git repos: install/uninstall idempotency, `DROP DATABASE` in a migration blocked, `rm -rf /` in a shell script blocked, force-push to `main` blocked, fast-forward to `main` allowed, branch-delete of `main` blocked, audit-derived suggestion correctness, and YAML splice shape.
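The three pre-push decisions those integration tests exercise (force-push blocked, fast-forward allowed, branch delete blocked) come down to reading git's stdin lines and asking one ancestry question. The block below is an added example, not Shield's own code: it evaluates constructed pre-push lines against a protected-branch glob list, with ancestry supplied by a closure so it runs without a repository. One caveat worth knowing when writing such a hook: git marks a deletion with an all-zero *local* sha (and `(delete)` as the local ref), while an all-zero *remote* sha means the branch does not yet exist on the remote.

```rust
// Added example, not Shield's own code: classify the lines git feeds a pre-push
// hook on stdin (`<local-ref> <local-sha> <remote-ref> <remote-sha>`) into
// allow / block-delete / block-force-push for protected branches. Ancestry is
// supplied by a closure so the logic runs without a repository; a real hook
// would shell out to `git merge-base --is-ancestor <remote-sha> <local-sha>`.

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict { Allow, BlockDelete, BlockForcePush }

/// git writes 40 zeros for "no such object" on either side of the update.
pub const ZERO_SHA: &str = "0000000000000000000000000000000000000000";

/// Minimal branch glob: `*` matches any run of characters (e.g. `deploy/*`).
pub fn glob_match(pattern: &str, name: &str) -> bool {
    match pattern.split_once('*') {
        None => pattern == name,
        Some((head, tail)) => match name.strip_prefix(head) {
            None => false,
            Some(rest) => (0..=rest.len())
                .any(|i| rest.is_char_boundary(i) && glob_match(tail, &rest[i..])),
        },
    }
}

/// Evaluate one pre-push line against a protected-branch list (the list Shield
/// takes from `SHIELD_PROTECTED_BRANCHES`). `is_ancestor(remote, local)` says
/// whether the remote tip is contained in the commit being pushed.
pub fn evaluate(line: &str, protected: &[&str], is_ancestor: &dyn Fn(&str, &str) -> bool) -> Verdict {
    let f: Vec<&str> = line.split_whitespace().collect();
    // Malformed input: a real hook should exit 3 (operational-error) here, not allow.
    if f.len() != 4 { return Verdict::Allow; }
    let (local_sha, remote_ref, remote_sha) = (f[1], f[2], f[3]);
    let Some(branch) = remote_ref.strip_prefix("refs/heads/") else { return Verdict::Allow };
    if !protected.iter().any(|p| glob_match(p, branch)) { return Verdict::Allow; }
    if local_sha == ZERO_SHA { return Verdict::BlockDelete; } // `git push origin :branch`
    if remote_sha == ZERO_SHA { return Verdict::Allow; } // branch is new on the remote
    if is_ancestor(remote_sha, local_sha) { Verdict::Allow } else { Verdict::BlockForcePush }
}

fn main() {
    // Constructed history: commit b2 descends from a1; nothing else is related.
    let anc = |remote: &str, local: &str| remote == "a1" && local == "b2";
    let prot = ["main", "deploy/*"];
    let lines = [
        "refs/heads/main b2 refs/heads/main a1".to_string(),     // fast-forward
        "refs/heads/main a1 refs/heads/main b2".to_string(),     // rewinds main
        format!("(delete) {ZERO_SHA} refs/heads/deploy/eu 9f"), // branch delete
    ];
    for l in &lines { println!("{:?} <- {l}", evaluate(l, &prot, &anc)); }
}
```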

### Install

```
# macOS / Linux (Homebrew)
brew install AperionAI/tap/aperion-shield

# Docker (multi-arch distroless ~12 MB)
docker pull ghcr.io/aperionai/shield:shield-v0.7.0

# Direct download
# https://github.com/AperionAI/shield/releases/tag/shield-v0.7.0
```

Then enable git hooks in any repo where you want commit-time enforcement:

```
cd /your/repo
aperion-shield --install-hooks
```

### Supported platforms

- macOS: aarch64-apple-darwin · x86_64-apple-darwin
- Linux: aarch64-unknown-linux-gnu · x86_64-unknown-linux-gnu
- Windows: x86_64-pc-windows-msvc

### Security

No new advisories. Feature-only release. `cargo audit` clean against `Cargo.lock` at this commit. New surfaces (`--install-hooks`, `--check-staged`, `--check-pushed-refs`, `--suggest-rules`) all stay within the standalone process model — no new network endpoints, no new on-disk persistence beyond `.git/hooks/` (Shield itself) and the operator-redirected audit log. See [SECURITY.md](https://github.com/AperionAI/shield/blob/main/SECURITY.md).

### Docs

- README: [https://github.com/AperionAI/shield#readme](https://github.com/AperionAI/shield#readme)
- Full docs: [https://docs.aperion.ai/aperion-shield.html](https://docs.aperion.ai/aperion-shield.html)
