v0.9.8: status ribbon, deeper security, audit + pricing overrides#6
Closed
codehippie1 wants to merge 10 commits into
… hardening
- Migrate to the Rust 2024 edition; declare an MSRV; move lint policy into Cargo.toml.
- Add optional build features (audit/mcp/observe/logscrape/waste), all default-on; `cargo build --no-default-features` now produces a lean core-proxy build.
- Make path/command security rules case- and separator-insensitive so `~/.SSH` and mixed-separator Windows paths cannot bypass a `~/.ssh` deny rule.
- Forward --upstream-google and --rewrite-anthropic-cache through `start --daemon`.
- Add opt-in cost-spiral enforcement via [loop_detection].cost_spiral_enforce (off by default).
- Harden SQLite (WAL + busy_timeout, poisoned-lock recovery, response-path writes off the async runtime).
- Deduplicate repository.rs row-mappers.

Pricing
- Load ~/.burnwall/pricing.toml to override or add model rates without a release; entries take precedence over the built-in card and tolerate date-suffixed model IDs. Loaded once at startup, fail-open on a bad file.
- `burnwall pricing list/path` to inspect the effective card and scaffold the override file; status surfaces the active-override count.
- Signed remote cards: `burnwall pricing update` fetches a card over HTTPS and installs it only if its detached Ed25519 signature verifies against a trusted [pricing].publishers key (verify-before-parse, no fail-open). `pricing sign/verify` cover the publisher and offline-check sides.

Resilience + install
- Five-layer graceful degradation so a bad release can't break AI tools: BURNWALL_BYPASS kill-switch, panic-catching wrapper (502 + hint), per-platform crash-loop circuit breakers, `self-rollback`, and a sourced env-file activation model with one-place revert.
- `enable-routing`/`disable-routing` (env file + rc hook + eval activation), `install-service`/`uninstall-service` (launchd/systemd/Scheduled Task), `/healthz` probe, and an extended two-step `init` flow.

… service
Bump version to 0.9.4 across Cargo.toml/lock, the VS Code extension, and the MCP server manifest; date the CHANGELOG section.

Status ribbon
- New `burnwall statusline`: renders the Burnwall ribbon for Claude Code's customizable status line from its per-turn stdin JSON, enriched with cross-tool spend and security-block counts from the proxy DB. One-line settings.json wiring; fail-open on bad input.
- Canonical ribbon renderer (src/ribbon.rs) with an honest context gauge: exact when the tool reports it, ~marked when estimated, — when untrusted, omitted when the tool shows its own. Reused by upcoming surfaces.
- Proxy touches <data dir>/watch.signal after each recorded turn (off the response path) — groundwork for event-driven refresh.

Fix
- Windows install-service no longer needs admin: default to a per-user HKCU\...\Run entry launching `burnwall start --daemon` at logon; `--task` opts into the elevated Scheduled-Task variant (crash-restart). uninstall-service removes whichever was installed.

- New `burnwall watch`: a live status ribbon for a spare terminal pane, rendering the same ribbon as the Claude Code status line but for every tool that routes through the proxy (Codex/Gemini/Aider), sourced from the local DB. --oneline / --once / --interval. Refreshes event-driven off the watch.signal marker with a periodic fallback. Headline = today's spend across all tools.
- Ribbon cost fields (sess/today) are now optional so the cross-tool view shows per-message + today without a misleading session figure; context gauge stays honest (estimate ~, or — when untrusted).
- storage::most_recent_request for the DB-sourced ribbon.

Security depth
- Data-exfiltration technique detection (opt-in under security.dlp): DNS exfil, secret-file piped to network, command-substituted uploads. Names the technique, never the data; conservative/high-signal.
- `burnwall security --summary`: a "what Burnwall caught" receipt grouped by type, so passive protection registers as ongoing value.
- MCP firewall validated against the published attacks (Invariant tool-poisoning/SSH exfil, MCPoison rug-pull, <IMPORTANT> shadowing) as a test corpus.

Governance
- `burnwall audit pack`: one-command evidence bundle (signed receipts + CycloneDX 1.6 AIBOM + SARIF 2.1.0 + a MANIFEST mapping artifacts to ISO 42001 / EU AI Act / FINRA).

Docs
- README: Trust & privacy, defense-in-depth framing, and the built-in mcp-watch firewall in the MCP scope note.

…ITY.md)
- cargo-dist github-attestations=true + README verify recipes + SECURITY.md
- burnwall savings: self-measured cache savings + underused-cache opportunity
- status protection heartbeat (proxy-running self-test)
- TLS-integrity guard test (no cert-validation weakening / CA injection in src)

…dgets, session attribution)
- destructive-command detection by shape (recursive-force rm, disk destroy, drop/truncate) — catches reordered/spaced/expanded forms the literal deny-list misses
- command_matches whitespace-normalized so padding can't evade literal rules
- per-session/swarm budget ceiling (budget.per_session) keyed on opt-in x-burnwall-session header; enforced in handler, recorded off the response path
- per-session cost capture + 'by session' view in status

…ion, swarm budgets, attestations
Iter 1 (trust + ROI): cargo-dist attestations + SECURITY.md + README verify; burnwall savings (self-measured cache savings + opportunity); status protection heartbeat; TLS-integrity guard test.
Iter 2 (security depth): catastrophic-command detection by shape; exfil technique detection (opt-in); whitespace-normalized command matching; per-session/swarm budget ceiling + session attribution.
Iter 3 (frontier): burnwall sidecar (co-located egress for off-laptop sandboxes/CI); burnwall share (opt-in signed value card).
Cumulative changes on the v0.9.x line (since v0.9.2).

Cost
- `~/.burnwall/pricing.toml` overrides + signed remote pricing cards (`pricing list/update/sign/verify`).
- `burnwall savings` — your own measured cache savings + models underusing caching.
- `budget.per_session`, opt-in via an `x-burnwall-session` request header).

Status surfaces
- `burnwall statusline` — ribbon for Claude Code's customizable status line (model · ↑↓ tokens · msg/session/today cost · context bar), with an honest context gauge (exact / estimated / hidden).
- `burnwall watch` — live cross-tool ribbon for a spare terminal pane.
- `status` protection heartbeat + per-session breakdown.

Security
- `dd of=/dev/…`, `mkfs`), destructive SQL — caught regardless of flag order/spacing/target expansion.
- `security.dlp`.

Resilience & install
- `BURNWALL_BYPASS` kill-switch, panic-catching wrapper, per-platform crash-loop bounds, `self-rollback`, and a sourced env-file activation model.
- `enable-routing`/`disable-routing`, `install-service`/`uninstall-service` (Windows uses a no-admin `HKCU\…\Run` entry), `/healthz`, and an extended `init`.
- `burnwall sidecar` — run the proxy as a co-located egress point for an agent that executes off your laptop (self-hosted sandbox / CI).

Trust & audit
- `SECURITY.md` documents integrity + TLS handling (rustls, no CA injection), with verify recipes.
- `burnwall audit pack` — bundled signed receipts + CycloneDX AIBOM + SARIF, mapped to common frameworks.
- `burnwall share` — opt-in, signed, screenshot-friendly value card.

Tests pass offline (495); `clippy -D warnings` clean; lean build OK.
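
The case- and separator-insensitive deny rules, whitespace-normalized command matching and shape-based recursive-force `rm` detection named in the commits above can be sketched as follows. This is an added Rust example, not code from this pull request or from Burnwall; every function name is hypothetical and only the `rm` shape is covered.

```rust
// Added illustration; all function names are hypothetical, not Burnwall's API.

/// Canonical form for comparison: '\' becomes '/', separator runs collapse, ASCII case folds.
fn normalize_path(p: &str) -> String {
    let mut out = String::with_capacity(p.len());
    for c in p.chars() {
        let c = if c == '\\' { '/' } else { c.to_ascii_lowercase() };
        if c == '/' && out.ends_with('/') { continue; }
        out.push(c);
    }
    out
}

/// True when `path` is the denied path itself or lies beneath it.
fn path_denied(rule: &str, path: &str) -> bool {
    let rule = normalize_path(rule);
    let path = normalize_path(path);
    match path.strip_prefix(rule.trim_end_matches('/')) {
        // Require a component boundary so `~/.ssh_backup` does not match `~/.ssh`.
        Some(rest) => rest.is_empty() || rest.starts_with('/'),
        None => false,
    }
}

/// Collapse whitespace runs so padding cannot defeat a literal command rule.
fn normalize_command(cmd: &str) -> String {
    cmd.split_whitespace().collect::<Vec<_>>().join(" ")
}

/// Shape check: `rm` with both a recursive and a force flag, in any order or grouping.
fn is_recursive_force_rm(cmd: &str) -> bool {
    let mut tokens = cmd.split_whitespace();
    if tokens.next() != Some("rm") { return false; }
    let (mut recursive, mut force) = (false, false);
    // Stop at `--`: everything after it is an operand, not a flag.
    for t in tokens.take_while(|t| *t != "--") {
        let short = t.starts_with('-') && !t.starts_with("--");
        recursive |= t == "--recursive" || (short && (t.contains('r') || t.contains('R')));
        force |= t == "--force" || (short && t.contains('f'));
    }
    recursive && force
}

fn main() {
    // Constructed sample inputs.
    println!("{}", path_denied("~/.ssh", "~\\.SSH\\id_rsa"));
    println!("{}", is_recursive_force_rm(&normalize_command("rm  -f   -r  ./build")));
}
```
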