Aperion Shield v0.7 – guardrails for AI coding agents now run as Git hooks

Aperion Shield v0.7.0 now enforces AI coding agent guardrails as Git hooks, closing the loophole where agents bypass MCP-only restrictions by opening a shell. The update introduces `--install-hooks` for pre-commit and pre-push enforcement, `--suggest-rules` for audit-log-driven rule tuning, and four new IDE quickstarts. This release ensures destructive changes are blocked at the Git level regardless of how they were generated, addressing a key security gap in AI-assisted development workflows.

aperion-shield v0.7.0 — git hooks close the MCP-bypass gap The release that closes the most-cited objection to MCP-only enforcement: "the agent just opens a shell and reaches around your guardrail." v0.7 runs the same engine on the way to git , regardless of how the destructive change got there. Headline features 1. aperion-shield --install-hooks git pre-commit + pre-push Writes a managed pre-commit and pre-push hook into .git/hooks/ . Same engine, same shieldset.yaml , same severity tiers — now enforced on every git commit and git push . Idempotent re-runnable . Coexists with husky / pre-commit / lefthook via --chain-existing . Honours git --no-verify and SHIELD HOOKS DISABLE=1 for the rare legitimate bypass. php $ aperion-shield --install-hooks aperion-shield writing pre-commit - .git/hooks/pre-commit aperion-shield writing pre-push - .git/hooks/pre-push aperion-shield both hooks installed managed by APERION-SHIELD-HOOK v1 2. aperion-shield --suggest-rules audit-log → rule tuning Reads your local shield eval JSON-Lines audit log and emits text / markdown / yaml-patch suggestions across three classes — rules that never fire, rules that get consistently demoted by decision memory, and noisy Warn rules that should probably be Info . --suggest-format yaml-patch produces splice-ready snippets for shieldset.yaml with rationale: comments. Stays local — never reads from a network source, never writes anywhere except the file you ask it to. bash $ aperion-shield --suggest-rules \ --audit-log ~/.aperion-shield/audit.jsonl \ --suggest-window-days 14 \ --suggest-format yaml-patch 3. Four new IDE quickstarts: Cline, Continue, Windsurf, Zed Joining Cursor + Claude Code. Per-IDE schema notes in the README notably Zed uses context servers , not mcpServers . What's under the hood - New CLI surface: --install-hooks , --uninstall-hooks , --repo <PATH , --chain-existing , --check-staged , --check-pushed-refs , --suggest-rules , --audit-log <PATH , --suggest-window-days <N , --suggest-min-occurrences <N , --suggest-format <FMT . --check-staged parses git diff --cached --unified=0 , classifies files by kind .sql / shell / Dockerfile / Makefile / source-code , evaluates each line through the engine, and exits 0 clean / 1 block / 2 approval-required / 3 operational-error. --check-pushed-refs reads git's pre-push stdin protocol <local-ref <local-sha <remote-ref <remote-sha per line , recognises protected-branch deletions remote-sha is zero and force-pushes via git merge-base --is-ancestor . Override protected branches with SHIELD PROTECTED BRANCHES=trunk,deploy/ .- Hooks are written with an APERION-SHIELD-HOOK v1 banner so --install-hooks is idempotent and never clobbers a foreign hook silently. --chain-existing renames the foreign hook to .aperion-backup and chains Shield in front of it. --suggest-rules aggregates per-rule statistics across the analysis window, then evaluates three emit conditions: RULE NEVER FIRES zero matches with rule present in shieldset , CONSISTENTLY DEMOTED ≥ N matches with 70% Allow / AllowWithWarn after the adaptive layer demoted , NOISY WARN high-frequency Warn with no human intervention recorded . Tests 192 total tests, all green was 148 in v0.6.0 : - 26 new unit tests covering hooks install round-trips, diff parser fixtures, protected-branch glob matching, env-var override, audit JSONL parsing, RuleStats aggregator, and YAML-patch shape. - 18 new end-to-end integration tests against real tempdir git repos: install/uninstall idempotency, DROP DATABASE in a migration blocked, rm -rf / in a shell script blocked, force-push to main blocked, fast-forward to main allowed, branch-delete of main blocked, audit-derived suggestion correctness, and YAML splice shape. Install macOS / Linux Homebrew brew install AperionAI/tap/aperion-shield Docker multi-arch distroless ~12 MB docker pull ghcr.io/aperionai/shield:shield-v0.7.0 Direct download https://github.com/AperionAI/shield/releases/tag/shield-v0.7.0 Then enable git hooks in any repo where you want commit-time enforcement: cd /your/repo aperion-shield --install-hooks Supported platforms - macOS: aarch64-apple-darwin · x86 64-apple-darwin - Linux: aarch64-unknown-linux-gnu · x86 64-unknown-linux-gnu - Windows: x86 64-pc-windows-msvc Security No new advisories. Feature-only release. cargo audit clean against Cargo.lock at this commit. New surfaces --install-hooks , --check-staged , --check-pushed-refs , --suggest-rules all stay within the standalone process model — no new network endpoints, no new on-disk persistence beyond .git/hooks/ Shield itself and the operator-redirected audit log. See SECURITY.md https://github.com/AperionAI/shield/blob/main/SECURITY.md . Docs - README: https://github.com/AperionAI/shield readme https://github.com/AperionAI/shield readme - Full docs: https://docs.aperion.ai/aperion-shield.html https://docs.aperion.ai/aperion-shield.html