
This release includes breaking changes for platform teams planning a safe upgrade.

✓ No known CVEs patched

Affected surfaces

auth, rbac, breaking_upgrade

Summary

AI summary

Adds optional default-deny for unknown domains via network.block_unknown_domains and enforces file-operation limits.

Full changelog

This release finalizes post-v1.1 hardening and policy/UI parity work, with a focus on clearer network controls, cleaner policy surface, and improved operator UX.

Highlights

  1. Network policy model improved
     • Added network.block_unknown_domains for optional default-deny behavior.
     • Clear precedence now documented and implemented:
       • blocklist always wins on overlap
       • unknown domains are allowed unless block_unknown_domains=true
     • Subdomain matching remains supported (example.com matches api.example.com).
  2. Removed non-enforced payload-size policy key
     • Removed network.max_payload_size_kb from active policy/schema defaults and setup templates.
     • Avoids exposing a control that has no runtime enforcement.
  3. Runtime safety enforcement added
     • allowed.max_files_per_operation is now enforced for default-allowed multi-target command flows.
  4. Advanced Policy UI refinement
     • Reordered and renamed Advanced Policy sections for clarity.
     • Merged backup-related controls into Backup & Restore.
     • Removed fixed single-option controls (scope/counting mode) from GUI.
     • Added Network info panel describing real runtime behavior and limits:
       • subdomains
       • redirect/short-link handling limits
       • referral/query behavior
  5. Documentation alignment for v1.1 baseline
     • Updated release/checklist/manual/architecture/status/testing docs to current behavior.
     • Added release checklist steps for:
       • UI build
       • package build
       • packaged CLI smoke checks
       • policy baseline verification

Notes
No breaking API/tool-surface changes.
Existing installs remain compatible; policy defaults are cleaner and better aligned with enforced behavior.
For strict outbound control, enable network.enforcement_mode=enforce and network.block_unknown_domains=true.
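
The precedence rules listed under "Network policy model improved" (blocklist wins on overlap, subdomain matching, unknown domains allowed unless block_unknown_domains=true) can be sketched as a single decision function. This is an added example, not code from AI-Runtime-Guard. Assumptions: the allowlist/blocklist parameter names, the Decision type, label-boundary subdomain matching and the hostname normalization are hypothetical; only block_unknown_domains is a key named in the release notes.

```python
# Added illustration; not AI-Runtime-Guard's code. Only block_unknown_domains
# is a policy key from the release notes; the allowlist/blocklist parameter
# names and the Decision type are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _normalize(host: str) -> str:
    # Assumed normalization: case-insensitive, trailing root dot dropped.
    return host.strip().lower().rstrip(".")


def _matches(host: str, entry: str) -> bool:
    # Assumed label-boundary match: example.com covers api.example.com,
    # but not badexample.com or example.com.evil.test.
    host, entry = _normalize(host), _normalize(entry)
    return bool(entry) and (host == entry or host.endswith("." + entry))


def evaluate(host, allowlist, blocklist, block_unknown_domains=False):
    # 1. Blocklist always wins, even when an allowlist entry also matches.
    for entry in blocklist:
        if _matches(host, entry):
            return Decision(False, f"blocklist:{_normalize(entry)}")
    # 2. Explicitly allowed domain or one of its subdomains.
    for entry in allowlist:
        if _matches(host, entry):
            return Decision(True, f"allowlist:{_normalize(entry)}")
    # 3. Unknown domain: allowed unless default-deny is switched on.
    if block_unknown_domains:
        return Decision(False, "unknown:default-deny")
    return Decision(True, "unknown:default-allow")


# Constructed sample policy and hosts.
ALLOW = ["example.com"]
BLOCK = ["tracking.example.com", "blocked.test"]

if __name__ == "__main__":
    for h in ["api.example.com", "a.tracking.example.com",
              "badexample.com", "Example.COM.", "unlisted.test"]:
        for strict in (False, True):
            print(h, strict, evaluate(h, ALLOW, BLOCK, strict))
```

With the default setting, a lookalike such as badexample.com is treated as unknown and allowed; only block_unknown_domains=true turns that into a deny.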


About jimmyracheta/AI-Runtime-Guard

Runtime policy enforcement for AI agents - prevents accidental damage to your systems, unauthorized agent access and automates backup-before-write for any touched files.
