
qwexvf/aegis-cli

v0.8.0 Breaking

This release includes breaking changes that platform teams planning a safe upgrade should review.

Published 29d CLI & Terminal
✓ No known CVEs patched

Topics

ast-analysis cli cve dependency-scanner security go lockfile malware-detection npm-security osv python-security sbom sca shai-hulud supply-chain-attack supply-chain-security tree-sitter typosquatting vulnerability-scanning

Summary

AI summary

Signal handling, shell completions, grouped help, and JSON output for read‑only inspection commands were added.

Full changelog

aegis-cli v0.8.0

Supply-chain security CLI for npm / bun / yarn / pnpm.

Verifying releases

All artifacts are checksummed (checksums.txt) and the checksums file
is signed via cosign keyless OIDC. To verify:

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/qwexvf/aegis-cli/.github/workflows/release.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate checksums.txt.pem \
  --signature   checksums.txt.sig \
  checksums.txt
sha256sum -c checksums.txt

SLSA build provenance is attached to every artifact and can be
verified with gh attestation verify <file> --owner qwexvf.

CLI ergonomics + scriptability pass. Signal handling, shell completion, grouped help, and --json on every read-only inspection command.

Added

  • Signal handling: aegis now installs signal.NotifyContext for SIGINT/SIGTERM in Execute. Long-running commands (snapshot enrich, ci, analyze, the install gate) cancel cleanly mid-flight instead of dropping HTTP requests. Ctrl-C exits 130 (Unix convention).
  • aegis completion {bash|zsh|fish|powershell} — generates shell completion scripts. Install instructions in the command's --help.
  • Grouped help: aegis --help now renders four sections (Install gate, Inspect, Configure, Maintain) instead of a flat 14-item list.
  • --json output for read-only inspection commands — for CI scripts that need to parse aegis output:
    • aegis cache list --json — emits [{key, decision, severity, expires_at}, ...]
    • aegis audit tail --json — emits the same snake_case shape as the underlying NDJSON audit log
    • aegis allowlist list --json — emits [{ecosystem, name, version_range, capability, reason, source}, ...] (composes with --source filter)
    • aegis snapshot show --json — marshals the saved snapshot directly; respects --all for transitive deps
  • usecase.Snapshot.Load(projectDir) — public accessor so callers can render a saved snapshot themselves instead of going through the presenter.

Changed

  • NewInstallGate signature — 7 positional parameters → InstallGateDeps struct. Internal-only (internal/usecase), no external API impact.
  • buildReportRequest — 9-parameter signature → internal reportInputs struct.
  • loadDiffOperands — 3-case switch body extracted into loadDiffFromFiles and loadDiffSavedVsLive helpers.
  • version subcommand: Run → RunE, output via cmd.OutOrStdout() for testability.

Fixed

  • aegis npm install exit-code path — pm wrappers used os.Exit(1) directly inside RunE, bypassing deferred cleanup and the established exitCodeError flow. Now returns a silent exit-code error.
  • pm wrapper context — install gate now runs under cmd.Context() instead of context.Background(), so Ctrl-C actually cancels the gate.
  • doctor/cache/audit output — switched from direct os.Stdout writes to cmd.OutOrStdout() so tests can capture output.
  • Allowlist loader — removed four else-after-return blocks; replaced ad-hoc string concatenation in risk reporting with strings.Builder.
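The signal-handling item under Added and the exit-code and context fixes above describe one pattern: install signal.NotifyContext once in Execute, run command bodies under that context (cmd.Context(), never context.Background()), and return an exit-code error instead of calling os.Exit so deferred cleanup still runs. The stdlib-only Go sketch below is an added illustration of that pattern, not aegis-cli's own code; RunGate, ExitCode and this exitCodeError are hypothetical stand-ins for the install gate and the project's exitCodeError flow.

```go
package main
import (
	"context"
	"errors"
	"fmt"
	"os"
	"os/signal"
	"syscall"
	"time"
)
// exitCodeError carries the intended exit status up to Execute instead of
// calling os.Exit in the command body, which would skip deferred cleanup.
type exitCodeError struct{ code int; err error }
func (e *exitCodeError) Error() string { return fmt.Sprintf("exit %d: %v", e.code, e.err) }
func (e *exitCodeError) Unwrap() error { return e.err }
// ExitCode maps a command's error to a process status: 130 for Ctrl-C/SIGTERM
// (Unix convention), 1 for any other failure, 0 on success.
func ExitCode(err error) int {
	var ec *exitCodeError
	switch {
	case err == nil:
		return 0
	case errors.As(err, &ec):
		return ec.code
	case errors.Is(err, context.Canceled):
		return 130
	}
	return 1
}
// RunGate is a hypothetical stand-in for a long-running command (install gate,
// snapshot enrich): every step waits on ctx, so cancellation stops it cleanly.
func RunGate(ctx context.Context, steps int, perStep time.Duration) error {
	for i := 0; i < steps; i++ {
		select {
		case <-ctx.Done():
			return &exitCodeError{code: 130, err: ctx.Err()}
		case <-time.After(perStep):
		}
	}
	return nil
}
// Execute installs the signal-aware context once and returns the exit status
// rather than exiting, so deferred cleanup (stop) runs before main exits.
func Execute() int {
	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
	defer stop()
	return ExitCode(RunGate(ctx, 5, 200*time.Millisecond))
}
func main() { os.Exit(Execute()) }
```

Run it and press Ctrl-C during the simulated work: the process exits 130 with stop() having run, whereas an os.Exit(1) inside the command body would have skipped it.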

Tests

  • 675 pass with race detector across 26 packages (no change in count from 0.7.1 — refactors preserved behaviour).

Apache-2.0 — see LICENSE.
