[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-82868":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":15,"forks30d":15,"starsTrendScore":19,"compositeScore":20,"rankGlobal":10,"rankLanguage":10,"license":21,"archived":22,"fork":22,"defaultBranch":23,"hasWiki":24,"hasPages":22,"topics":25,"createdAt":10,"pushedAt":10,"updatedAt":36,"readmeContent":37,"aiSummary":38,"trendingCount":15,"starSnapshotCount":15,"syncStatus":16,"lastSyncTime":39,"discoverSource":40},82868,"vigils","duncatzat\u002Fvigils","duncatzat","A local control plane for AI agents — see what they do, approve what matters, keep secrets out. Rust + Tauri + Chrome MV3.","https:\u002F\u002Fvigils.ai",null,"Rust",385,24,1,0,2,179,283,69,4.19,"Apache License 2.0",false,"main",true,[26,27,28,29,30,31,32,33,34,35],"agent-security","ai-agents","audit-log","desktop","llm","local-first","pii","rust","sandbox","tauri","2026-06-12 02:04:28","\u003Cdiv align=\"center\">\n\n# Vigils\n\n### A local-first control plane for AI agents — see what they do, approve what matters, keep secrets out.\n\n[![CI](https:\u002F\u002Fgithub.com\u002Fduncatzat\u002Fvigils\u002Factions\u002Fworkflows\u002Fci.yml\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002Fduncatzat\u002Fvigils\u002Factions\u002Fworkflows\u002Fci.yml)\n[![Release](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fv\u002Frelease\u002Fduncatzat\u002Fvigils?sort=semver&color=blue)](https:\u002F\u002Fgithub.com\u002Fduncatzat\u002Fvigils\u002Freleases)\n[![License: 
Apache-2.0](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-Apache_2.0-blue.svg)](.\u002FLICENSE)\n[![Platforms](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fplatforms-Windows%20%7C%20macOS%20%7C%20Linux-lightgrey.svg)](#installation)\n\n[Website](https:\u002F\u002Fvigils.ai) · [Quick Start](#quick-start) · [Architecture](#architecture) · [Security Model](#security-model) · [Documentation](#documentation)\n\n**English** | [简体中文](.\u002FREADME.zh-CN.md)\n\n\u003C\u002Fdiv>\n\n---\n\nAI agents (Claude Code, Cursor, Zed, MCP clients, browser assistants) call tools, read\nfiles, hit APIs, and paste into web UIs on your behalf. That power is useful — and risky.\n**Vigils sits between your agents and the tools\u002Fdata they touch**, and it is *local-first*:\nyour prompts, secrets, and audit trail never leave your machine.\n\n```\n   AI agent ──▶  ┌─────────────────── Vigils ───────────────────┐  ──▶  tools \u002F data\n (MCP client)    │  redact → firewall → approve → sandbox → audit │       (MCP servers,\n                 └───────────────────────────────────────────────┘        files, APIs, web)\n```\n\n## Why Vigils\n\nFour guarantees, enforced locally:\n\n| Guarantee | How |\n|---|---|\n| **See what the agent did** | Every tool call is recorded in a tamper-evident **SHA-256 hash-chained ledger** with full-text search. |\n| **Approve risky actions first** | Destructive \u002F sensitive calls pause for human review in an **Approval Queue**, with per-agent policy and scoped grants. |\n| **Keep credentials out of prompts \u002F logs \u002F UI** | A **redaction engine** strips secrets and PII (hard-fingerprint rules + an optional ML ensemble) *before* text reaches a model, a log, or the screen. |\n| **Contain & roll back** | The ledger is traceable end-to-end and the **sandbox runner is fail-closed by default** (Wasm + native + Linux Landlock). 
|\n\n## Features\n\n- **🔒 Tamper-evident audit ledger** — SQLite + SHA-256 hash chain; every event links to the\n  previous one, so tampering is detectable. FTS5 full-text search over the redacted trail.\n- **🛡️ Default-deny firewall** — tool calls are gated by a Rust policy DSL; per-agent rules;\n  OAuth scope allow-lists for remote MCP. Nothing runs unless allowed.\n- **✅ Human-in-the-loop approval** — risky effects (file writes, network, destructive ops)\n  pause for review. Grants can be scoped (once \u002F this-session).\n- **🙈 Secret & PII redaction** — hard-fingerprint detection for 13+ credential classes\n  (GitHub PAT, Stripe keys, Google\u002FGitLab tokens, DB URLs, …) plus an optional multilingual\n  ML ensemble; a fail-closed merge layer decides what to mask.\n- **🎟️ Secret lease broker** — short-lived credential leases injected only into the child\n  process that needs them; plaintext is never persisted.\n- **📦 Sandbox runner** — one-shot tool execution in Wasm (Wasmtime) or native processes,\n  with **Linux Landlock LSM** filesystem isolation and `env_clear` so children don't inherit\n  your environment. Fail-closed by default.\n- **🔌 MCP gateway** — sits in front of MCP servers over **stdio and HTTP**; descriptor\n  pinning with drift detection (alerts when a tool's definition changes); bare-command stdio\n  upstreams (`npx`\u002F`node`\u002F`python`) resolve via host PATH before sandboxing.\n- **🖥️ Desktop app** (Tauri 2 + Vue 3) — Approval Queue, Activity Feed, Server Registry,\n  Session Replay, Privacy Findings; keyboard shortcuts, light\u002Fdark\u002Fsystem theme, real-time\n  updates, bilingual (zh \u002F en) UI.\n- **🌐 Browser extension** (Chrome MV3) — redacts secrets\u002FPII *before* paste or submit on AI\n  sites (ChatGPT, Claude, Gemini, Perplexity).\n\n## Architecture\n\nVigils is a Rust workspace of focused crates plus three apps. 
Each layer is independently\ntestable and composed by the **Hub** (the MCP gateway).\n\n| Layer | Crate | Responsibility |\n|---|---|---|\n| **Audit** | `vigil-audit` | SQLite ledger, SHA-256 hash chain, FTS5 search, redaction-scan records |\n| **Policy** | `vigil-policy` | Rust policy DSL + rule engine (default-deny) |\n| **Firewall** | `vigil-firewall` | Tool gating, per-agent rules, OAuth scope allow-lists |\n| **Approval** | `vigil-mcp` (broker) | Human-in-the-loop, scoped grants, cross-process resolution |\n| **Redaction** | `vigil-redaction` | Secret\u002FPII detection (hard fingerprints + ML ensemble), fail-closed merge |\n| **Leases** | `vigil-lease` | Short-lived credential leases, prepared child env (RAII revoke) |\n| **Runner** | `vigil-runner` \u002F `vigil-runner-types` | Native + Wasm execution, env policy, fail-closed |\n| **Sandbox** | `vigil-sandbox-linux` | Linux Landlock LSM filesystem isolation |\n| **Gateway** | `vigil-mcp` | MCP Hub: stdio + HTTP upstreams, descriptor pinning + drift |\n| **Remote auth** | `vigil-http-auth` \u002F `vigil-http-transport` | OAuth (JWT + opaque), token refresh (singleflight), real TLS |\n| **UI protocol** | `vigil-ui-protocol` | Typed command\u002Fresponse contract for the desktop UI |\n| **Browser** | `vigil-browser` | Redaction classifier + audit for the extension bridge |\n| **SDK** | `vigil-sdk` | Thin, SemVer-stable facade over the engine |\n\n**Apps & binaries:**\n\n| Binary | Crate | What it is |\n|---|---|---|\n| `vigil-hub` | `vigil-hub-cli` | CLI MCP gateway: `vigil-hub serve --stdio`, `add-remote-mcp`, `inspect`, … |\n| `gui` | `apps\u002Fdesktop` | Tauri 2 desktop app (embeds the Vue 3 UI + an in-process Hub) |\n| `vigil-native-host` | `apps\u002Fnative-host` | Native-messaging bridge for the Chrome extension |\n| — | `extensions\u002Fchrome-mv3` | Chrome MV3 extension (vanilla JS, zero npm deps) |\n\n## Installation\n\nPre-built installers and binaries for **Windows, macOS, and Linux** are attached 
to each\n[GitHub Release](https:\u002F\u002Fgithub.com\u002Fduncatzat\u002Fvigils\u002Freleases):\n\n| Platform | Desktop app | CLI |\n|---|---|---|\n| **Windows** | `.exe` (NSIS) \u002F `.msi` | `vigil-hub.exe` (in `vigils-cli-…-windows-msvc.zip`) |\n| **macOS** | `.dmg` | `vigil-hub` (in `vigils-cli-…-apple-darwin.tar.gz`) |\n| **Linux** | `.AppImage` \u002F `.deb` \u002F `.rpm` | `vigil-hub` (in `vigils-cli-…-linux-gnu.tar.gz`) |\n\n> Early releases are unsigned; your OS may show a Gatekeeper \u002F SmartScreen prompt on first run.\n\nThe **Chrome extension** lives in `extensions\u002Fchrome-mv3\u002F` — load it unpacked via\n`chrome:\u002F\u002Fextensions` → *Developer mode* → *Load unpacked* (it talks to `vigil-native-host`).\n\n## Quick Start\n\n### As an MCP gateway (CLI)\n\nPut Vigils in front of your MCP servers so every tool call is firewalled, approved, and audited:\n\n```bash\n# Serve as an MCP endpoint your agent connects to (stdio)\nvigil-hub serve --stdio --upstreams .\u002Fupstreams.json\n\n# upstreams.json — bare commands resolve via PATH automatically\n# { \"upstreams\": [ { \"name\": \"fs\", \"argv\": [\"npx\", \"-y\", \"@modelcontextprotocol\u002Fserver-filesystem\", \"\u002Fdata\"] } ] }\n\n# Register a remote (HTTP) MCP server with OAuth onboarding\nvigil-hub add-remote-mcp https:\u002F\u002Fmcp.example.com\u002F\n\n# Inspect the local audit ledger from the command line (one-line JSON, pipe to jq)\nvigil-hub inspect --db-path .\u002Fvigil.db activity --limit 20\n```\n\nPoint your agent (Claude Code \u002F Cursor \u002F Zed) at `vigil-hub` instead of the raw MCP server.\n\n### Desktop app\n\nLaunch the desktop app to watch and control agents in real time: **Approval Queue** (approve \u002F\ndeny \u002F bulk), **Activity Feed** (live audit stream), **Server Registry**, **Session Replay**,\nand **Privacy Findings**.\n\n## Build from source\n\nRequirements: a recent **stable Rust** toolchain (see `rust-toolchain.toml`) and **Node.js 20+**\nfor the 
desktop UI. On Linux, Tauri needs GTK\u002FWebKit dev packages.\n\n```bash\n# Workspace tests \u002F lints (no GPU or model deps by default)\ncargo test --workspace\ncargo clippy --workspace --all-targets -- -D warnings\ncargo fmt --all -- --check\n\n# CLI gateway\ncargo build --release -p vigil-hub-cli --bin vigil-hub\n\n# Desktop UI + app (the `gui` feature embeds the built UI)\ncd apps\u002Fdesktop\u002Fui && npm ci && npm run build && cd -\ncargo build --release -p vigil-desktop --features gui --bin gui\n```\n\n> Crate names use the historical `vigil-*` prefix; the product and project are **Vigils**.\n\n## Security model\n\n- **Local-first** — prompts, secrets, and the audit ledger stay on your machine.\n- **Default-deny** — the firewall blocks tool calls unless a policy explicitly allows them.\n- **Fail-closed** — when a guarantee can't be enforced (e.g. Landlock unsupported, redaction\n  engine unavailable but requested), Vigils refuses rather than silently degrading.\n- **Tamper-evident** — the audit ledger is a SHA-256 hash chain; the desktop app can verify\n  the whole chain.\n- **No raw secrets at rest** — redaction stores only label \u002F count \u002F fingerprint metadata;\n  plaintext credentials are never written to the ledger.\n- **Least privilege spawning** — child processes get a cleared environment plus only the\n  approved env and short-lived secret leases; Linux runs add Landlock filesystem isolation.\n\nFound a vulnerability? Please report it privately — see [SECURITY.md](.\u002FSECURITY.md). 
Please\ndon't open a public issue for security reports.\n\n## Project structure\n\n```\ncrates\u002F          # 15 library crates (audit, policy, firewall, mcp, redaction, runner,\n                 #   lease, sandbox-linux, http-auth\u002Ftransport, ui-protocol, browser, sdk, types)\napps\u002F\n  desktop\u002F       # Tauri 2 + Vue 3 desktop app (bin: gui)\n  native-host\u002F   # Chrome native-messaging bridge (bin: vigil-native-host)\n  vigil-hub-cli\u002F # CLI MCP gateway (bin: vigil-hub)\nextensions\u002F\n  chrome-mv3\u002F    # Chrome MV3 extension (vanilla JS)\ndocs\u002F\n  adr\u002F           # Architecture Decision Records\n  book\u002F          # User guide (mdBook)\n  threat-model\u002F  # Security threat model\n```\n\n## Documentation\n\n- **User guide** (mdBook): **\u003Chttps:\u002F\u002Fduncatzat.github.io\u002Fvigils\u002F>** — or build [`docs\u002Fbook\u002F`](.\u002Fdocs\u002Fbook) locally\n- **Security audit**: [`docs\u002Fsecurity\u002FSECURITY-AUDIT-2026-06-03.md`](.\u002Fdocs\u002Fsecurity\u002FSECURITY-AUDIT-2026-06-03.md) — comprehensive baseline (OWASP + STRIDE + supply chain), 9.9\u002F10, 0 critical \u002F high\n- **Architecture Decision Records**: [`docs\u002Fadr\u002F`](.\u002Fdocs\u002Fadr)\n- **Threat model**: [`docs\u002Fthreat-model\u002F`](.\u002Fdocs\u002Fthreat-model)\n- **SDK surface**: [`docs\u002Fsdk-shallow-api.md`](.\u002Fdocs\u002Fsdk-shallow-api.md)\n\n## Contributing\n\nIssues and pull requests are welcome. 
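Before submitting, please ensure:\n\n```bash\ncargo fmt --all -- --check\ncargo clippy --workspace --all-targets -- -D warnings\ncargo test --workspace\n```\n\nCI runs the same gates on Linux and the UI build on every PR.\n\n## License\n\n[Apache-2.0](.\u002FLICENSE) © Vigils Authors.\n","Vigils is a local control plane for managing the behavior of AI agents, ensuring that their operations are visible, controllable, and secure. The project is written in Rust and combines Tauri and Chrome MV3, providing four core capabilities: recording every tool call in a SHA-256 hash-chained log so that behavior is traceable; requiring approval before sensitive or destructive operations; using a redaction engine to remove sensitive information and personally identifiable information before text reaches a model, a log, or the screen; and a security sandbox that is fail-closed by default, supporting WebAssembly and Linux Landlock, to prevent unauthorized access. It is suited to scenarios that require strict monitoring and security control of locally running AI assistants (such as Claude Code, Cursor, and others), ensuring that private data does not leak and that all operations remain under the user's control.","2026-06-11 04:09:29","CREATED_QUERY"]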