Highlights

• 19 new CVE defenses — CVE tracker expanded from 26 to 45 real-world vulnerabilities with 80% full defense
  coverage. New rules protect Codex CLI config injection (CVE-2025-61260), Cursor workspace RCE
  (CVE-2025-61590), Roo Code config poisoning (CVE-2025-53536), and more.
• Subcommand consolidation — Removed redundant acp-wrap, mcp gateway, agents, and reload-rules subcommands.
  crust wrap handles all stdio proxy modes (ACP + MCP auto-detection). Use status --agents and list-rules
  --reload instead.
• Gin → stdlib — Replaced gin HTTP framework with Go's net/http.ServeMux, eliminating 30+ transitive
  dependencies and resolving CodeQL findings.
• Zero global singletons — Removed all 4 global singletons (globalEngine, globalManager, globalStorage,
  globalProvider). Full dependency injection throughout.
• Test coverage — 42 E2E tests + coverage improvements: telemetry 38→82%, proxyutil 45→97%, autowrap 50→75%.
• Clean architecture — Fixed inverted internal/ → pkg/libcrust/ dependency. Shared code moved to
  internal/proxyutil/ and internal/plugin/wire.go.

Security

• Add protection rules for .cursor/cli.json, .codex/config.toml, .roo/mcp.json, *.code-workspace (#117)
• Update CVE tracker to 45 entries covering Cursor, Copilot, Claude Code, Codex CLI, OpenClaw, OpenCode, Roo
  Code (#117)
• Fix DLP errWriter direction, data races, goroutine leaks (#108)
• Fix fuzz-found looksLikeShellCommand slice panic on whitespace input (#115)

Features

• Unified change monitor + CLI simplification (#103)
• Move hook protocol formatting to libcrust (#104)

Refactoring

• Replace gin with stdlib net/http.ServeMux (#113)
• Deduplicate plugin init and metrics seeding (#112)
• Remove all global singletons (#109, #110, #111, #119)
• Consolidate redundant subcommands (#115)
• Fix inverted internal → pkg/libcrust dependency (#118)

Bug Fixes

• Fix gomobile bind FormatHookResponse return type (#106)
• Fix ReDoS, race conditions, dependency injection (#105)
• Fix patched status when toggling agents (#102)

Testing

• Add 42 E2E tests across 5 packages (#114)
• Improve coverage: telemetry 82%, proxyutil 97%, autowrap 75% (#120)
• Add 7 CVE regression tests (#117)

Highlights

libcrust CGO FFI — Full daemon functionality is now embeddable via CGO for native GUI apps (macOS menubar,
iOS). Includes agent detection, config patching, MCP wrapping, hook evaluation, event streaming, and
protection lifecycle management.

AI Agent Detection — New crust agents CLI command scans running processes to detect AI coding agents (Claude
Code, Cursor, Windsurf, Codex, Aider, etc.) and shows their protection status.

Fast Hook Evaluation — Claude Code PreToolUse hooks now evaluate via a raw TCP socket to the running daemon,
eliminating ~4s cold-start rule engine initialization.

Features

• libcrust: embed full daemon functionality via CGO FFI (#92)
• libcrust: add agent detection, patching, and MCP wrap FFI exports (#95)
• libcrust: auto-protect lifecycle with HTTP proxy + Claude Code hooks
• libcrust: fast hook evaluation via running instance TCP socket
• libcrust: initialize plugin registry with sandbox plugin (#101)
• agents: AI agent process detection with crust agents CLI (#93)
• events: SSE event stream + libcrust CGO wrapper (#88)
• api: expose plugin stats via GET /api/security/plugins (#89)
• stats: 24h sliding-window stats from SQLite, server-side blocked filtering (#99)
• build: add GetCommit/GetBuildDate CGO exports for version display (#100)
• build: add gen-ffi-schema tool for Go/Rust FFI mismatch detection

Bug Fixes

• daemon: defer agent config restore, signal registration race, stale eval port (#98)
• hooks: target settings.json instead of removed hooks.json; seed stats from SQLite on startup
• hooks: fix idempotency check — marker must match .exe suffix
• agentdetect: show Claude Code as protected when hook is installed
• registry: accurate patch status for missing agent configs (#96)
• metrics: include hook counters in Reset(), fix TUI shimmer on first data fetch (#98)
• context: add timeouts to all background database operations (#99)
• freebsd: process detection, platform guards, and CI race detector (#97)
• ci: FreeBSD build support for agentdetect process scanning (#94)
• fuzz: correct SSE event oracle, disable DNS resolution during fuzz runs (#90, #91)

Refactoring

• Replace HTTP eval endpoint with raw TCP socket for lower latency

Highlights

iOS / Mobile Platform — Full CrustKit SDK for iOS with gomobile bindings, bringing the same 14-step
evaluation pipeline to mobile apps. Includes local reverse proxy, URLProtocol interceptor, async APIs, text
DLP, content scanning, and URL scheme validation.

DNS-based Loopback Detection — New defense-in-depth layer (Step 4) that resolves extracted hostnames via DNS
and blocks custom domains pointing to 127.0.0.0/8 or ::1 that target the crust management API. Catches
attacks that bypass regex and rebinding heuristics. Bounded LRU cache (256 entries, 60s TTL).

31 Bug Fixes — Data race in proxy, streaming bypass, hop-by-hop header leak, DLP ordering, clipboard thread
safety, shell parser crashes, selfprotect regex false positive, and more.

Features

• libcrust — Pure-Go library exposing the rule engine via gomobile for iOS/Android (#81)
• CrustKit Swift SDK — Type-safe Swift wrapper with CrustEngine, CrustURLProtocol, async variants,
  Codable/Sendable types (#82, #86)
• Mobile local proxy — On-device HTTP reverse proxy for intercepting AI API traffic on iOS
• Text DLP in AI responses — Scan Anthropic, OpenAI, and OpenAI Responses text blocks for leaked secrets;
  auto-redact
• Content scanning API — scanContent(), scanOutbound(), validateURL(), scanClipboard() for mobile apps
• URL scheme validation — Block dangerous mobile URL schemes (tel:, sms:, facetime:, itms-services:,
  app-settings:)
• DNS loopback detection — Resolve hostnames and check for loopback IPs using net.LookupNetIP + netip.Addr
  comparison (no string matching)

Bug Fixes

• Proxy data race — Snapshot proxy config under lock to prevent race with StopProxy
• Streaming bypass — Force non-streaming upfront for full security evaluation (single request, no wasteful
  retry)
• Hop-by-hop header leak — Strip hop-by-hop headers from proxy responses per RFC 7230
• Oversized response bypass — Skip interception on >16MB responses to prevent mobile OOM
• Double body close — Eliminate double resp.Body.Close on streaming path
• Google AI misparse — Remove generativelanguage.googleapis.com from default intercepted hosts
• DLP ordering — Run DLP scan before warning message append to avoid scanning our own warnings
• Clipboard thread safety — Fix scanClipboard sync variant for concurrent access
• Shell parser crashes — Pin mvdan.cc/sh/v3 to latest master; remove guards for 2 panics fixed upstream
  (${var@Q}, declClause); restore heredoc-in-pipe guard after fuzz found crash (<<0|''\n0)
• Selfprotect regex — Fix [:/.\w~] false positive on localhost8080crust (→ [:/.~])
• DLP verify — Fix phantom builtin:dlp-turso-token vector → builtin:dlp-jwt-token
• Selfprotect verify — Sync socket regex copy (add UNIX-CLIENT:, UNIX-LISTEN: vectors)
• AST fallback escapes — Fix diacritical mark bypass, upgrade to sh v3.13.0 (#80)
• DLP word boundaries — Add \b anchors to Twilio and Resend API key patterns to reduce false positives

Improvements

• 14-step evaluation pipeline (was 13) — DNS loopback check added as Step 4, all steps renumbered
• Code deduplication — getEngine()/getInterceptor() helpers, dlpRedact(), contentTypeText constant,
  CrustEngineTestCase Swift base class
• Selfprotect hardening — Iterative URL decoding (catches double/triple %25-encoding), socat
  UNIX-CLIENT:/UNIX-LISTEN: patterns
• SwiftLint + SwiftFormat pre-commit hooks for iOS code quality

Dependencies

• mvdan.cc/sh/v3 v3.13.0 → master (426d21c)
• github.com/zricethezav/gitleaks/v8 bumped (#83)
• github.com/charmbracelet/huh 0.8.0 → 1.0.0 (#84)
• GitHub Actions group bumped (#85)

Plugin System (NEW)

• Late-stage plugin system with JSON wire protocol, crash isolation, and circuit breaker
• Sandbox plugin with Exec method for bakelens-sandbox integration
• Concurrent plugin evaluation with unified type system
• Pipeline hot path optimization for plugin evaluation
• Hardened plugin concurrency: validate action values, fix close/evaluate race, nil-slice JSON, distinguish
  parent-cancel from timeout

Security Hardening

• Self-protection: binary modification guards, process kill guards, exfiltration detection
• Privacy layer, self-protection hardening, e2e security tests, SSH fix
• Build-time integrity checks, fix crust:// scheme bypass
• Fuzz-found fixes: SSE buffer incomplete tool calls, selfprotect regex tilde bypass
• Eliminate all semgrep XSS and SAST findings at code level

DLP & Secret Detection

• Integrate gitleaks as in-process Go library (performance: no subprocess overhead)
• In-process DLP scan benchmark and panic recovery test

Rules Engine

• JSON Schema for YAML rule validation with build-time checks
• Split engine.go into compiler.go, unexport internal types
• Split extractor.go, add ruleSource validation
• Eliminate ambiguity in YAML rules and plugin protocol
• Replace last panic with graceful exit in DLP init

TUI & Observability

• Stats aggregation API + TUI stats tab

CI/CD

• Add semgrep SAST, rule-lint, benchmark job
• Add gitleaks secret scanning to security job
• Move govulncheck from pre-push to pre-commit stage
• Use install.sh for all Linux/macOS CI jobs
• Fix: install git in FreeBSD VM prepare step

Refactoring

• Extract schemacheck library, replace panics, harden CI
• Unify schema tests, embed schemas, add validation tests
• Extract sys_install() for cross-platform package management
• Cleanup inconsistencies, fix bugs, improve lifecycle management

Dependencies

• Bump github.com/nwaples/rardecode/v2 2.1.0 → 2.2.0
• Upgrade ulikunitz/xz v0.5.12 → v0.5.15 (GO-2025-3922)

Security & DLP

• BIP39 multilingual DLP: Mnemonic seed phrase detection expanded from English-only to 10 languages (20,480
  words total: Chinese Simplified/Traditional, Czech, English, French, Italian, Japanese, Korean, Portuguese,
  Spanish). SHA-512 integrity verification at both compile-time (go:generate) and test-time against canonical
  bitcoin/bips checksums.
• Windows %VAR% expansion: Shell extractor now resolves cmd.exe-style %USERPROFILE%, %APPDATA% environment
  variable syntax in commands, closing an evasion vector on Windows.
• 4 new CVE defenses: Expanded CVE coverage with new detection rules and MSYS2 pwsh worker hang fix.
• CSRF origin validation: MCP HTTP gateway now validates Origin headers; malformed Referer fallback fails
  closed.
• WebSocket reverse proxy: MCP gateway adds WebSocket support with origin validation.
• VSCode config gap: Close self-protection gap for VSCode configuration access.
• cmd/wsl/bat/Invoke-Item support: Universal path normalization and shell detection for Windows-native, WSL,
  and batch environments.
• Credential rule actions: All credential protection rules now include execute and network actions for
  complete coverage.

Installation

• TUI installer: Interactive installer with progress display, auto-installs Go/git/curl dependencies.
• Alpine/apk support: install-common.sh now handles Alpine Linux package management.
• FreeBSD support: Build and install support for FreeBSD targets.
• Gitleaks as hard dependency: DLP requires gitleaks; single source of truth for version across install
  scripts, CI, and Docker.
• Uninstall --purge flag: Non-interactive full data wipe; three-tier data dir cleanup with prompts; preserves
  rules.d (user-authored rules) by default.
• 6 install script bug fixes: set -e for fail-close, PowerShell install.ps1 fixes, deduplicated local/remote
  build paths, CI non-interactive mode.

Doctor & Agent Management

• crust doctor agent scan: Detects unguarded AI agent servers on localhost.
• Unified agent registry: Single registry for HTTP proxies and MCP clients; always restores agent configs on
  stop, even after daemon crash.

CI & Testing

• Go 1.26 modernization: sync.Map.Range, strings.SplitSeq, goroutine leak profiler on platform tests.
• CI pipeline optimization: Merged lint jobs, parallelized fuzz suite (batch size 2), added go mod tidy
  check.
• Full CI fuzzing: All 39 fuzz targets now get real mutation fuzzing in CI (previously 6 packages only ran
  seed corpus). GOMEMLIMIT=4GiB for heavyweight targets.
• Fuzz consolidation: 43 → 39 targets by merging overlapping targets
  (FuzzParseAnthropicEvent+FuzzParseOpenAIEvent → FuzzParseEvent,
  FuzzSelfProtectAPIRegex+FuzzSelfProtectSocketRegex → FuzzSelfProtectBypass) without coverage loss. Enhanced
  oracles for FuzzParseSSEEventData (4 invariants) and FuzzBufferEvent (3 invariants).
• MSYS2 pwsh timeout fix: Shared singleton pwsh worker across 28 TestPSWorker tests eliminates 28× process
  spawn overhead.
• Windows BIP39 CRLF fix: .gitattributes enforces LF for wordlist files, preventing SHA-512 mismatch on
  Windows checkout.
• Failing fuzz seed artifact upload: actions/upload-artifact@v4 on failure for all 7 fuzzed packages.
• CVE regression test suite: Auto-discovery pipeline with --archive flag for resolved CVEs.
• Docker proxy tests, E2E install tests, shellcheck for install scripts.
• Dependabot: Added for Actions and Go modules; bumped golang.org/x/crypto 0.48.0, golang.org/x/text 0.34.0,
  klauspost/compress 1.18.4.

Bug Fixes

• MCP config corruption: Fix race in JSON config patching.
• DB key rotation: Fix secret store key rotation logic.
• Path case-sensitivity: Filesystem-aware case comparison in path operations.
• PowerShell WorkerPool: Replace single worker with pool for concurrent parsing; fix pipe-hang and per-parse
  timeout; remove eager restart after timeout.
• FuzzForkBombDetection false positive: Oracle now parses original command with syntax.Simplify, matching
  extractor pipeline.
• MSYS2 path robustness: stripADS edge case, mount path expansion, .exe interpreter stripping, idempotent
  ToSlash.

Internal

• pwsh WorkerPool: Concurrent parsing with warm-up; sync.Once for Engine.Close.
• internal/platform: ShellEnv enum with WSL/MSYS2/Cygwin detection.
• Stale doc/comment cleanup: Updated DLP pattern count (34→42), locked rule count (19→24), fuzz badge (39
  targets).

PowerShell / Windows Support

• Persistent pwsh worker (internal/rules/pwsh): dual-parse architecture runs every command through both the bash parser and the
  PowerShell native AST when pwsh.exe/powershell.exe is available. This catches .NET static method calls
  ([System.Net.WebClient]::new()), instance method chains, & $var call-operator resolution, and expandable string args that the bash
  parser misses entirely.
• .NET API detection: [System.IO.File], [System.Net.WebClient], [System.Net.Sockets.TcpClient], Invoke-WebRequest,
  Invoke-RestMethod, and 20+ other .NET types mapped to operations in commandDB.
• ::new() constructor lookup: [Type]::new(path) now falls back to the base type name in commandDB after stripping the ::new
  suffix.
• -EncodedCommand replaced with temp file: avoids Windows command-line length limit (8191 chars) for long scripts.
• PSScriptAnalyzer compliance: bootstrap script passes PSScriptAnalyzer on Windows CI.
• Platform detection module (internal/platform): ShellEnv string enum (unix, wsl, windows-native, msys2, cygwin) with IsWindows(),
  HasBash(), HasPwsh() helpers. PS heuristic fallback now also fires in MSYS2/Git Bash (HasPwsh()) where users can invoke pwsh.exe
  from a bash-compatible shell.

Multi-Operation Command Classification

• CommandInfo.ExtraOps []Operation and ExtractedInfo.Operations []Operation: commands can now declare multiple operations (e.g.
  socat → [OpExecute, OpNetwork], vim → [OpRead, OpWrite]).
• Rule.HasAnyAction(ops []Operation): rule matching fires when any of a command's operations matches a rule's actions list.
• Host extraction gate updated: socat, nc, ncat, netcat with ExtraOps:[OpNetwork] now extract hostnames even though their primary
  operation is OpExecute.

CommandDB Fixes & Additions

• Editors (vim, vi, nano, emacs, pico, ed, ex): ExtraOps:[OpWrite] — editors both read and write files.
• Decompression tools (gunzip, bunzip2, unlzma, unzstd, unlz4): ExtraOps:[OpWrite] — decompress reads compressed input and writes
  decompressed output.
• awk/gawk/mawk/nawk: added -f/--file to PathFlags for awk script files.
• sed: added -f/--file to PathFlags.
• find: primary OpRead (filesystem search) + ExtraOps:[OpExecute] (for -exec).
• xargs: removed incorrect PathArgIndex (arg0 is a command name, not a path); added -a/--arg-file to PathFlags.
• truncate: added -r/--reference to PathFlags.
• setfacl: moved -M/--modify-file and -X/--remove-file from SkipFlags to PathFlags.
• gdb, lldb: ExtraOps:[OpRead] — debugger executes target binary and reads it.

Bug Fixes

• normalizeParsedCmdName: removed spurious || strings.Contains(name, "-") condition that lowercased PowerShell Verb-Noun cmdlets,
  breaking PSWorker tests.
• extractHosts — FQDN trailing dot (nc A.): falls back to looksLikeHost(rawToken) when the dot-stripped normalized host fails the
  check, so single-label FQDNs like A. are correctly extracted as a.
• extractHosts — hex FQDN (nc 0X0.): fuzz invariant now checks normalizeIPHost(strippedHost) so 0x0. → 0x0 → 0.0.0.0 is found in
  info.Hosts.
• Source builtin UNC hang (. //0.//0): CallHandler returns early for ./source builtins, preventing scriptFromPathDir → os.Stat
  from triggering a ~14s SMB timeout on Windows UNC-like paths.
• extractor_commands.go: extracted scp/rsync, socat, tar, sed command-specific logic into a dedicated file; uses strings.Cut and
  tagged switch.

Internal

• pwsh worker moved to internal/rules/pwsh subpackage.
• internal/platform package created as an independent reusable module.
• New fuzz targets: FuzzPSWorker_NoCrash, FuzzExtractor_PSCommand.
• Release workflow: Commit/BuildDate ldflags, SHA-256 checksums in release assets.

Highlights

• MCP Ecosystem — crust mcp namespace unifies the MCP gateway, adds
  crust mcp-discover (auto-patches Claude/Cursor/Windsurf configs) and
  crust mcp-http (Streamable HTTP gateway)
• Critical SSE Buffer Fix — Buffer overflow previously bypassed the rule
  engine; now retries the full request as non-streaming for complete evaluation
  (fail-closed)
• Fail-Closed Shell Parsing — Unparseable shell commands now block by
  default instead of passing through, closing a rule-bypass vector
• OS Keyring — API keys stored in OS keyring (macOS Keychain, Windows
  DPAPI, Linux Secret Service) with file fallback; no more plaintext env vars
  at rest
• Locked Rules — New rule category that survives --disable-builtin,
  protecting self-management endpoints and git hooks
• 4 New Builtin Rules — System config, persistence, reverse shell, and
  SSRF protection
• 13 Security Gaps Closed — Percent-encoded self-protect bypass, nc/socat
  UNIX socket variants, macOS Keychain/GNOME Keyring/1Password/KeePassXC
  paths, .netrc, browser credential DBs, Anthropic DLP pattern fix, and more
• NTFS ADS Defense — Strips alternate data stream suffixes
  (file.txt:Zone.Identifier) before path matching on Windows
• Filesystem-Aware Case Sensitivity — internal/pathutil probes the
  actual filesystem to decide case-folding rather than using compile-time OS
  constants

⚠️ Breaking Change

crust mcp-gateway has been renamed to crust mcp.
Update any scripts, systemd units, shell aliases, or CI configs that reference
the old command name.

New Features

• crust mcp — unified MCP command namespace (replaces crust mcp-gateway)
• crust mcp-discover — auto-discovers installed MCP servers and patches
  Claude/Cursor/Windsurf configs
• crust mcp-http — MCP Streamable HTTP gateway
• OS keyring secret storage with file fallback; ANTHROPIC_API_KEY /
  OPENAI_API_KEY env vars still accepted as fallback
• Locked rules: rules that survive --disable-builtin (self-management, git
  hooks, agent configs)
• 4 new builtin locked rules: protect-system-config, protect-persistence,
  block-reverse-shell, block-ssrf-metadata
• Auto-restore agent configs on daemon shutdown
• Desktop app token protection (VS Code, JetBrains, browser credential DBs)
• $HOME expansion in YAML rule patterns
• Locked rule count exposed in API and TUI rule list header
• Atomic file lock-on-open (O_EXLOCK/O_SHLOCK) eliminating TOCTOU on rule
  file reads/writes
• ACP E2E test suite with mock agent
• FreeBSD CI

Security Fixes

• Critical: SSE buffer overflow now retries as non-streaming — previously
  FlushAll() sent uninspected buffered events and io.Copy streamed the
  remainder unfiltered (security bypass)
• Critical: Percent-encoded self-protect bypass (%63%72%75%73%74 for
  "crust") — URL-decode before regex match
• High: Fail-closed on unparseable shell commands — unanalyzable input
  now blocks instead of passing through
• High: nc.traditional / nc.openbsd reverse shell bypass — word
  boundary \bnc\b didn't match dotted variants
• High: ncat --exec= bypass — regex required trailing space, missed
  = form
• High: nc -U, ncat --unixsock, socat UNIX: added to socket
  self-protection regex
• High: Dynamic self-protection rules (rules-dir delete, rule-file write,
  socket access) now locked so --disable-builtin cannot remove them
• High: Trailing-dot FQDN bypass of SSRF metadata rule
  (metadata.google.internal.) — strip trailing dot before hostname match
• High: HTML escaping corruption — json.Marshal was encoding &, <,
  > as \u0026/\u003c/\u003e in intercepted responses and
  non-streaming retry bodies; fixed with SetEscapeHTML(false) throughout
• Medium: NTFS alternate data stream suffix stripping
  (file.txt:Zone.Identifier)
• Medium: macOS Keychain, GNOME Keyring, KDE Wallet, 1Password,
  KeePassXC, LastPass paths added to protection rules
• Medium: GitHub CLI hosts.yml, .netrc, Edge/Brave Login Data /
  Cookies, Gradle/Maven credential files added
• Medium: Anthropic DLP pattern fixed (sk-ant-api03 →
  sk-ant-api\d{2}) to match future key versions
• Medium: Fish history XDG path fix; fish conf.d added to persistence
  protection
• Medium: git credentials severity upgraded to critical
• Medium: 4 additional security gaps closed (action gaps, missing paths,
  over-blocking)
• Client disconnect now cancels non-streaming retry (was using
  context.Background())
• Unknown YAML fields in rule files now warn instead of silently dropping
  (catches typos like stale alert_webhook:)
• SSE scanner errors checked; sync.Once for session close; upstream
  failures logged

Refactoring

• internal/selfprotect extracted as an independent package
• internal/proxy renamed to internal/httpproxy
• Evaluate() modularized into 3 phase methods (PreparePaths,
  EvaluateConditions, ApplyDLP)
• Null byte stripping unified to single stripNullBytes function
• Hardcoded path protections unified into pathGuard registry
• internal/message module for centralized block message formatting
• internal/pathutil for filesystem-based case sensitivity detection
• Phantom newtype IDs (TraceID, SessionID, SpanID) prevent parameter
  swap bugs
• InterceptionContext, SSEBufferConfig, SSERequestContext structs
  replace positional constructor args
• Sum types for shellExecResult, bufferState, NewMatch/NoMatch

Testing

• ACP E2E tests with mock agent
• FuzzInterceptAnthropicResponse uses real rule engine + HTML-escaping
  invariant (\u0026 must not appear in re-serialized output)
• FuzzBufferEvent now exercises size-limit overflow path on every seed
• TestBufferedSSEWriter_Timeout verifies fail-closed: flush after timeout
  writes zero bytes
• TestRetryAsNonStreaming_RespectsClientContext verifies client disconnect
  cancels retry
• TestRetryAsNonStreaming_ErrorStatusCodes covers 429/500 upstream
  propagation
• Bypass regression tests for FQDN trailing-dot and dynamic rule lockout
• FreeBSD CI added; macOS CI gated to main branch

Highlights

• MCP Gateway — New stdio proxy for MCP servers (crust mcp-gateway), intercepting tools/call and
  resources/read requests with full rule engine evaluation
• Auto-detect Proxy — New crust wrap command that inspects both MCP and ACP methods in both directions,
  automatically detecting the protocol
• Response DLP Scanning — Bidirectional inspection: DLP now scans server/agent responses before they reach
  the client, catching leaked secrets in MCP/ACP output
• Cryptocurrency Wallet Protection — BIP39 mnemonics, xprv/WIF private keys (checksum-validated), and wallet
  directory blocking for 16 chains
• DLP Expansion — From 19 to 34 hardcoded token patterns (HuggingFace, Groq, Vercel, Supabase, DigitalOcean,
  Vault, Linear, Postman, Replicate, Twilio, Doppler, Firebase, and more)
• Hybrid Shell Extraction — Interpreter + AST hybrid mode for higher path coverage in mixed shell scripts
• 17-Step Evaluation Pipeline — Reordered pipeline with symlink resolution before all hardcoded checks,
  closing symlink bypass vectors

New Features

• crust mcp-gateway — Stdio proxy for MCP servers (filesystem, database, custom)
• crust wrap — Auto-detect proxy supporting both MCP and ACP protocols
• Response DLP scanning in all stdio proxy modes (MCP, ACP, auto-detect)
• DLP scanning of JSON-RPC error response fields
• Crypto wallet DLP: BIP39 mnemonic detection (sliding window, embedded 2048-word wordlist)
• Crypto wallet DLP: Extended private key detection (xprv/yprv/zprv/tprv with base58check validation)
• Crypto wallet DLP: WIF private key detection (checksum + version byte validation)
• Hardcoded wallet path protection for 16 chains (Bitcoin, Ethereum, Solana, Cardano, etc.)
• 15 new DLP token patterns (34 total)
• Hybrid interpreter+AST shell extraction for higher coverage
• E2E test suite with real MCP filesystem server
• E2E CI job in GitHub Actions

Security Fixes

• Close 3 MCP gateway security bypasses (notification bypass, batch bypass, syntax quoting)
• Fix /proc symlink bypass — hardcoded check moved after symlink resolution
• Fix crypto wallet symlink bypass — check runs on resolved paths
• Reject deeply nested JSON to prevent stack overflow
• AST-based command builder in shellutil for safe argument handling

Refactoring

• Unified internal/jsonrpc shared package for all stdio proxies (MCP, ACP, auto-detect)
• Deduplicated proxy entry points in main.go
• Replaced btcutil.AppDataDir() with Go stdlib for wallet path discovery
• Delegated prefilter evasion checks to shell parser
• User-friendly evasive command error messages
• Replaced old demo scripts with unified TUI demo

Documentation

• New: docs/mcp.md — MCP gateway setup guide
• Updated docs/how-it-works.md — 17-step pipeline, crypto DLP, shell analysis, evasion detection
• Updated README.md — crypto wallet protection, pipeline step count, new DLP patterns

Testing

• E2E tests against real MCP filesystem server (532 lines)
• Response DLP E2E tests
• Crypto DLP tests (27 cases: detection, false positives, wallet paths, OS-specific, wordlist count)
• Hybrid shell extraction tests
• Shell fuzz tests (453 lines)
• False positive regression tests (156 lines)
• Shared test helper package (internal/testutil)

Features

• DLP token detection — 19 hardcoded content-based patterns (AWS, GitHub, Stripe, OpenAI, Anthropic, etc.) + optional gitleaks
  Tier 2 scanning (dlp.go, dlp_scanner.go)
• Security hardening — Unicode normalization (NFKC), null byte blocking, tool name sanitization at engine boundary

Bug Fixes

• Stale WAL/SHM recovery — SQLite recovers from crashed/force-killed processes on Windows instead of failing to start
• Upstream base path preservation — --endpoint mode now preserves the upstream base path when forwarding (e.g. OpenRouter's /api)
• JetBrains/PhpStorm compatibility — /api/v1/... prefix stripped automatically from client requests (#19)

Refactoring

• Reduced code complexity in proxy, main, and SSE buffer (-628 / +1867 lines net)
• Extracted API prefixes and CLI API handler into dedicated modules
• Improved test coverage (new dlp_test.go, storage_test.go, expanded proxy_test.go)

Chores

• Docs: consolidated client table, updated how-it-works with DLP section

New Features

• Per-provider API keys with env variable expansion — Providers in config.yaml now support both short form (URL string) and
  expanded form (url + api_key) with $VAR/${VAR} expansion, ideal for Docker deployments. (456e489)
• Remote TUI via management API on proxy port — The management API is now exposed on the proxy port for non-loopback
  --listen-address, enabling remote dashboard access. (e762ff1)
• Hardened Docker setup — Non-root user (UID 1000), HEALTHCHECK instruction, .dockerignore, and a docker-compose.yml added to the
  repo. (39b7d68)
• Conditional TTY suppression in earlyinit — New earlyinit package suppresses bubbletea's terminal escape queries before init()
  runs, preventing garbage output in containers. (15d642b)

Bug Fixes

• Propagate provider env vars to daemon — Env vars referenced in provider api_key fields are now passed to the daemon child
  process. Credential redaction hardened via MarshalJSON/String() on ProviderConfig and RequestContext. (4aa7b6e)
• Pass API base URL to dashboard for remote TCP connections (211ea7e)
• Dockerfile rewritten as multi-stage build from local source (a9b8fa2, 7c1c775)
• Fix Docker TUI — Foreground mode now correctly enables styled output when a TTY is present; logger colors preserved. (0dcd235)
• Fix stale comments about earlyinit and init ordering (fbbd959)
• Resolve lint issues — Add json tags to StatusData, remove unused nolint directives, fix gofmt. (067e8f5)

Refactoring

• Unify local and remote API client creation (e4d1247)
• Simplify main.go — Removed sandbox-related CLI commands and streamlined startup. (net ~200 lines removed from main.go)

Documentation

• README restructured as a focused landing page; CLI reference, configuration, and Docker guides moved to dedicated docs/ files.
  (0dcd235)
• New docs: docs/cli.md, docs/configuration.md, docs/docker.md added. (c5b8758)
• README improvements — Better beginner onboarding, Docker quick start, value-first ordering. (62705df, 507379c, 2245a38)
• Migration guide updated with v2.2 section, Windows pipe path fix. (c5b8758)

Tests & CI

• Docker CI job — Build image, health check, and SIGTERM graceful shutdown test. (b57732d)
• New test coverage: dashboard unit tests for remote API connections, earlyinit tests (25 cases),
  MarshalJSON/String()/ProviderEnvKeys tests, deduplicated test helpers across multiple packages. (711a364, 0d997fd, 1728b8a)