{"id":50808442,"url":"https://github.com/duncatzat/vigils","last_synced_at":"2026-06-13T03:04:21.400Z","repository":{"id":361664109,"uuid":"1255251478","full_name":"duncatzat/vigils","owner":"duncatzat","description":"A local control plane for AI agents — see what they do, approve what matters, keep secrets out. Rust + Tauri + Chrome MV3.","archived":false,"fork":false,"pushed_at":"2026-06-08T00:55:14.000Z","size":2340,"stargazers_count":290,"open_issues_count":0,"forks_count":14,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-06-08T01:23:53.479Z","etag":null,"topics":["agent-security","ai-agents","audit-log","desktop","llm","local-first","pii","rust","sandbox","tauri"],"latest_commit_sha":null,"homepage":"https://vigils.ai","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/duncatzat.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-31T15:45:25.000Z","updated_at":"2026-06-08T00:55:17.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/duncatzat/vigils","commit_stats":null,"previous_names":["duncatzat/vigils"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/duncatzat/vigils","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duncatzat%2Fvigils","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duncatzat%2Fvigils/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duncatzat%2Fvigils/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duncatzat%2Fvigils/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/duncatzat","download_url":"https://codeload.github.com/duncatzat/vigils/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duncatzat%2Fvigils/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34270417,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-13T02:00:06.617Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent-security","ai-agents","audit-log","desktop","llm","local-first","pii","rust","sandbox","tauri"],"created_at":"2026-06-13T03:04:20.615Z","updated_at":"2026-06-13T03:04:21.367Z","avatar_url":"https://github.com/duncatzat.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# Vigils\n\n### A local-first control plane for AI agents — see what they do, approve what matters, keep secrets out.\n\n[![CI](https://github.com/duncatzat/vigils/actions/workflows/ci.yml/badge.svg)](https://github.com/duncatzat/vigils/actions/workflows/ci.yml)\n[![Release](https://img.shields.io/github/v/release/duncatzat/vigils?sort=semver\u0026color=blue)](https://github.com/duncatzat/vigils/releases)\n[![License: Apache-2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](./LICENSE)\n[![Platforms](https://img.shields.io/badge/platforms-Windows%20%7C%20macOS%20%7C%20Linux-lightgrey.svg)](#installation)\n\n[Website](https://vigils.ai) · [▶ Watch the 20s demo](https://duncatzat.github.io/vigils/demo.html) · [Quick Start](#quick-start) · [Architecture](#architecture) · [Security Model](#security-model) · [Documentation](#documentation)\n\n**English** | [简体中文](./README.zh-CN.md)\n\n\u003c/div\u003e\n\n---\n\nAI agents (Claude Code, Cursor, Zed, MCP clients, browser assistants) call tools, read\nfiles, hit APIs, and paste into web UIs on your behalf. That power is useful — and risky.\n**Vigils sits between your agents and the tools/data they touch**, and it is *local-first*:\nyour prompts, secrets, and audit trail never leave your machine.\n\n```\n   AI agent ──▶  ┌─────────────────── Vigils ───────────────────┐  ──▶  tools / data\n (MCP client)    │  redact → firewall → approve → sandbox → audit │       (MCP servers,\n                 └───────────────────────────────────────────────┘        files, APIs, web)\n```\n\n## Why Vigils\n\nFour guarantees, enforced locally:\n\n| Guarantee | How |\n|---|---|\n| **See what the agent did** | Every tool call is recorded in a tamper-evident **SHA-256 hash-chained ledger** with full-text search. |\n| **Approve risky actions first** | Destructive / sensitive calls pause for human review in an **Approval Queue**, with per-agent policy and scoped grants. |\n| **Keep credentials out of prompts / logs / UI** | A **redaction engine** strips secrets and PII (hard-fingerprint rules + an optional ML ensemble) *before* text reaches a model, a log, or the screen. |\n| **Contain \u0026 roll back** | The ledger is traceable end-to-end and the **sandbox runner is fail-closed by default** (Wasm + native + Linux Landlock). |\n\n## Features\n\n- **🔒 Tamper-evident audit ledger** — SQLite + SHA-256 hash chain; every event links to the\n  previous one, so tampering is detectable. FTS5 full-text search over the redacted trail.\n- **🛡️ Default-deny firewall** — tool calls are gated by a Rust policy DSL; per-agent rules;\n  OAuth scope allow-lists for remote MCP. Nothing runs unless allowed.\n- **✅ Human-in-the-loop approval** — risky effects (file writes, network, destructive ops)\n  pause for review. Grants can be scoped (once / this-session).\n- **🙈 Secret \u0026 PII redaction** — hard-fingerprint detection for 13+ credential classes\n  (GitHub PAT, Stripe keys, Google/GitLab tokens, DB URLs, …) plus an optional multilingual\n  ML ensemble; a fail-closed merge layer decides what to mask.\n- **🎟️ Secret lease broker** — short-lived credential leases injected only into the child\n  process that needs them; plaintext is never persisted.\n- **📦 Sandbox runner** — one-shot tool execution in Wasm (Wasmtime) or native processes,\n  with **Linux Landlock LSM** filesystem isolation and `env_clear` so children don't inherit\n  your environment. Fail-closed by default.\n- **🔌 MCP gateway** — sits in front of MCP servers over **stdio and HTTP**; descriptor\n  pinning with drift detection (alerts when a tool's definition changes); bare-command stdio\n  upstreams (`npx`/`node`/`python`) resolve via host PATH before sandboxing.\n- **🖥️ Desktop app** (Tauri 2 + Vue 3) — Approval Queue, Activity Feed, Server Registry,\n  Session Replay, Privacy Findings; keyboard shortcuts, light/dark/system theme, real-time\n  updates, bilingual (zh / en) UI.\n- **🌐 Browser extension** (Chrome MV3) — redacts secrets/PII *before* paste or submit on AI\n  sites (ChatGPT, Claude, Gemini, Perplexity).\n\n## Architecture\n\nVigils is a Rust workspace of focused crates plus three apps. Each layer is independently\ntestable and composed by the **Hub** (the MCP gateway).\n\n| Layer | Crate | Responsibility |\n|---|---|---|\n| **Audit** | `vigil-audit` | SQLite ledger, SHA-256 hash chain, FTS5 search, redaction-scan records |\n| **Policy** | `vigil-policy` | Rust policy DSL + rule engine (default-deny) |\n| **Firewall** | `vigil-firewall` | Tool gating, per-agent rules, OAuth scope allow-lists |\n| **Approval** | `vigil-mcp` (broker) | Human-in-the-loop, scoped grants, cross-process resolution |\n| **Redaction** | `vigil-redaction` | Secret/PII detection (hard fingerprints + ML ensemble), fail-closed merge |\n| **Leases** | `vigil-lease` | Short-lived credential leases, prepared child env (RAII revoke) |\n| **Runner** | `vigil-runner` / `vigil-runner-types` | Native + Wasm execution, env policy, fail-closed |\n| **Sandbox** | `vigil-sandbox-linux` | Linux Landlock LSM filesystem isolation |\n| **Gateway** | `vigil-mcp` | MCP Hub: stdio + HTTP upstreams, descriptor pinning + drift |\n| **Remote auth** | `vigil-http-auth` / `vigil-http-transport` | OAuth (JWT + opaque), token refresh (singleflight), real TLS |\n| **UI protocol** | `vigil-ui-protocol` | Typed command/response contract for the desktop UI |\n| **Browser** | `vigil-browser` | Redaction classifier + audit for the extension bridge |\n| **SDK** | `vigil-sdk` | Thin, SemVer-stable facade over the engine |\n\n**Apps \u0026 binaries:**\n\n| Binary | Crate | What it is |\n|---|---|---|\n| `vigil-hub` | `vigil-hub-cli` | CLI MCP gateway: `vigil-hub serve --stdio`, `add-remote-mcp`, `inspect`, … |\n| `gui` | `apps/desktop` | Tauri 2 desktop app (embeds the Vue 3 UI + an in-process Hub) |\n| `vigil-native-host` | `apps/native-host` | Native-messaging bridge for the Chrome extension |\n| — | `extensions/chrome-mv3` | Chrome MV3 extension (vanilla JS, zero npm deps) |\n\n## Installation\n\n**Quickest** — install the CLI in one line, then jump to [Quick Start](#quick-start):\n\n```bash\ncurl -fsSL https://vigils.ai/install.sh | sh         # macOS / Linux\n```\n\n```powershell\nirm https://vigils.ai/install.ps1 | iex              # Windows (PowerShell)\n```\n\nOr grab a pre-built installer / binary for **Windows, macOS, or Linux** from any\n[GitHub Release](https://github.com/duncatzat/vigils/releases):\n\n| Platform | Desktop app | CLI |\n|---|---|---|\n| **Windows** | `.exe` (NSIS) / `.msi` | `vigil-hub.exe` (in `vigils-cli-…-windows-msvc.zip`) |\n| **macOS** | `.dmg` | `vigil-hub` (in `vigils-cli-…-apple-darwin.tar.gz`) |\n| **Linux** | `.AppImage` / `.deb` / `.rpm` | `vigil-hub` (in `vigils-cli-…-linux-gnu.tar.gz`) |\n\n\u003e Early releases aren't OS-code-signed yet; your OS may show a Gatekeeper / SmartScreen prompt\n\u003e on first run — they're still independently verifiable (see below, or the full\n\u003e [Verifying your download](https://duncatzat.github.io/vigils/getting-started/verifying-downloads.html) guide).\n\n**Verify what you downloaded** (optional). Every release asset carries a SHA-256 checksum\n(`\u003cfile\u003e.sha256`, also checked automatically by the one-line installer) and a cryptographic\n**build-provenance attestation**. With the [GitHub CLI](https://cli.github.com):\n\n```bash\ngh attestation verify vigils-cli-linux-x64.tar.gz --repo duncatzat/vigils\n```\n\nThis confirms the artifact was built by Vigils' official CI from this repository (SLSA provenance\nvia Sigstore) — i.e. not swapped or tampered with after the build. The CLI archives, desktop\ninstallers, and the extension zip are all attested. Full guide (per-OS steps + the unsigned-app\nprompt): [**Verifying your download**](https://duncatzat.github.io/vigils/getting-started/verifying-downloads.html)\n([中文](https://duncatzat.github.io/vigils/getting-started/verifying-downloads.zh-CN.html)).\n\nThe **Chrome extension** lives in `extensions/chrome-mv3/` — load it unpacked via\n`chrome://extensions` → *Developer mode* → *Load unpacked* (it talks to `vigil-native-host`).\n\n## Quick Start\n\n### Install (one line)\n\n```bash\ncurl -fsSL https://vigils.ai/install.sh | sh         # macOS / Linux\n```\n\n```powershell\nirm https://vigils.ai/install.ps1 | iex              # Windows (PowerShell)\n```\n\nInstalls the `vigil-hub` CLI (to `~/.local/bin` on macOS/Linux, `%LOCALAPPDATA%\\Vigils\\bin` on\nWindows). It only puts the binaries on disk — **no shell/PATH edits, no `setup`, no agent-config\nchanges** — and prints what to do next, so you stay in control. The download is verified against the\nrelease's published SHA-256 before unpacking (fail-closed). Want to read them first? They're\n[`install.sh`](./install.sh) / [`install.ps1`](./install.ps1). Prefer a manual download? See\n[Installation](#installation).\n\n### See it in 60 seconds (zero setup)\n\nOne command shows Vigils' core value — **default-deny protection + reversible secret redaction +\ntamper-evident audit** — running through the real runtime code, contacting no LLM, needing no account,\nkey, or network:\n\n```bash\nvigil-hub demo            # default-deny → placeholder round-trip → real value only at the local tool → audit with no plaintext\nvigil-hub demo --tamper   # also: alter the audit ledger and watch verify-chain DETECT it (falsifiable)\n```\n\nWhat you'll see (real output, trimmed):\n\n```text\n  A demo secret — freshly generated locally for this run (never leaves this process):\n    github_pat = ghp_c7da264c45f58cd89aaa12cde5b8c69883e6\n\n  [1] default-deny: agent puts the RAW secret in the tool call\n    tool=github.create_issue  -\u003e  Vigil firewall: DENY  (rule=github_token)\n\n  [2] the Vigil way: the agent passes a PLACEHOLDER instead\n    What the REMOTE MODEL saw:    {\"token\":\"secret://github_pat\"}              plaintext secret? NO\n    What the LOCAL TOOL received: {\"token\":\"ghp_c7da264c45f58cd89aaa12c...\"}   contains real value? YES\n    The tool's result LEAKED a credential; Vigil re-redacted it:\n      {\"debug_trace\":\"authenticated with [REDACTED github_token] ...\",\"ok\":true}    secret back to model? NO\n\n  [3] tamper-evident audit ledger (no plaintext secrets stored)\n      0002 sha256:947ce1fe0d30  raw_secret_attempt_detected\n      0008 sha256:17e875d2e47e  secret.leak_detected\n    hash chain valid: YES        plaintext secret in audit: NO\n```\n\n\u003e **The aha:** the agent did useful work with a real secret — while the model, logs, and audit never\n\u003e received the real value. It's a planted scenario with a freshly-generated local fixture; the\n\u003e firewall, redaction, and audit are Vigils' real code, only the model/tool provider is simulated.\n\n### Protect Claude Code in one command (turnkey)\n\nDownload the release, then run **one command** to get fully protected. No manual config editing —\nyour existing settings are backed up and only Vigils' own entries are added (fully reversible):\n\n```bash\nvigil-hub setup --all       # protect everything, in one step\n```\n\n`setup --all` wires up **both** layers of protection:\n\n1. **Native-tool input guard** — a Claude Code `PreToolUse` hook so **every tool call** (Bash,\n   Edit, Write, Read, MCP tools, …) is checked before it runs; a real credential heading *into* a\n   tool is **blocked fail-closed** and recorded in your tamper-evident audit ledger.\n2. **MCP gateway** — routes each of your stdio MCP servers through Vigils so secrets in tool\n   **results** are scrubbed before the model ever sees them, and every call is audited. It defaults\n   to **monitor** posture — your servers stay fully usable while every hard protection stays on\n   (raw-secret block, result redaction, tamper-evident audit). Add `--enforce` for default-deny gating.\n\n```bash\nvigil-hub setup --mcp --doctor    # pre-flight: will each wrapped MCP server actually start? (PATH check, read-only)\nvigil-hub inspect protection      # after using your agent: see what Vigils caught (secrets blocked, leaks redacted, chain intact)\nvigil-hub setup --all --uninstall # cleanly remove everything (your config restored byte-for-byte)\n```\n\nRestart Claude Code (or start a new session) and you're protected. This is the fastest path from a\nGitHub download to real protection.\n\n### As an MCP gateway (CLI)\n\nPut Vigils in front of your MCP servers so every tool call is firewalled, approved, and audited:\n\n```bash\n# Serve as an MCP endpoint your agent connects to (stdio)\nvigil-hub serve --stdio --upstream-config ./upstreams.json\n\n# upstreams.json — bare commands resolve via PATH automatically\n# { \"upstreams\": [ { \"name\": \"fs\", \"argv\": [\"npx\", \"-y\", \"@modelcontextprotocol/server-filesystem\", \"/data\"] } ] }\n\n# Register a remote (HTTP) MCP server with OAuth onboarding\nvigil-hub add-remote-mcp https://mcp.example.com/\n\n# See what Vigils has protected at a glance (secrets blocked, leaks redacted, audit chain intact)\nvigil-hub inspect protection\n\n# Inspect the local audit ledger from the command line (one-line JSON, pipe to jq)\nvigil-hub inspect --db-path ./vigil.db activity --limit 20\n```\n\nPoint your agent (Claude Code / Cursor / Zed) at `vigil-hub` instead of the raw MCP server. See\nthe **[Agent Integration \u0026 Test guide](https://duncatzat.github.io/vigils/getting-started/agent-integration.html)**\nfor per-agent config and how to verify it's gating.\n\n### Desktop app\n\nLaunch the desktop app to watch and control agents in real time: **Approval Queue** (approve /\ndeny / bulk), **Activity Feed** (live audit stream), **Server Registry**, **Session Replay**,\nand **Privacy Findings**.\n\n## Build from source\n\nRequirements: a recent **stable Rust** toolchain (see `rust-toolchain.toml`) and **Node.js 20+**\nfor the desktop UI. On Linux, Tauri needs GTK/WebKit dev packages.\n\n```bash\n# Workspace tests / lints (no GPU or model deps by default)\ncargo test --workspace\ncargo clippy --workspace --all-targets -- -D warnings\ncargo fmt --all -- --check\n\n# CLI gateway\ncargo build --release -p vigil-hub-cli --bin vigil-hub\n\n# Desktop UI + app (the `gui` feature embeds the built UI)\ncd apps/desktop/ui \u0026\u0026 npm ci \u0026\u0026 npm run build \u0026\u0026 cd -\ncargo build --release -p vigil-desktop --features gui --bin gui\n```\n\n\u003e Crate names use the historical `vigil-*` prefix; the product and project are **Vigils**.\n\n## Security model\n\n- **Local-first** — prompts, secrets, and the audit ledger stay on your machine.\n- **Default-deny** — the firewall blocks tool calls unless a policy explicitly allows them.\n- **Fail-closed** — when a guarantee can't be enforced (e.g. Landlock unsupported, redaction\n  engine unavailable but requested), Vigils refuses rather than silently degrading.\n- **Tamper-evident** — the audit ledger is a SHA-256 hash chain; the desktop app can verify\n  the whole chain.\n- **No raw secrets at rest** — redaction stores only label / count / fingerprint metadata;\n  plaintext credentials are never written to the ledger.\n- **Least privilege spawning** — child processes get a cleared environment plus only the\n  approved env and short-lived secret leases; Linux runs add Landlock filesystem isolation.\n\nFound a vulnerability? Please report it privately — see [SECURITY.md](./SECURITY.md). Please\ndon't open a public issue for security reports.\n\n## Project structure\n\n```\ncrates/          # 15 library crates (audit, policy, firewall, mcp, redaction, runner,\n                 #   lease, sandbox-linux, http-auth/transport, ui-protocol, browser, sdk, types)\napps/\n  desktop/       # Tauri 2 + Vue 3 desktop app (bin: gui)\n  native-host/   # Chrome native-messaging bridge (bin: vigil-native-host)\n  vigil-hub-cli/ # CLI MCP gateway (bin: vigil-hub)\nextensions/\n  chrome-mv3/    # Chrome MV3 extension (vanilla JS)\ndocs/\n  adr/           # Architecture Decision Records\n  book/          # User guide (mdBook)\n  threat-model/  # Security threat model\n```\n\n## Documentation\n\n- **User guide** (mdBook): **\u003chttps://duncatzat.github.io/vigils/\u003e** — or build [`docs/book/`](./docs/book) locally\n- **Security audit**: [`docs/security/SECURITY-AUDIT-2026-06-03.md`](./docs/security/SECURITY-AUDIT-2026-06-03.md) — comprehensive baseline (OWASP + STRIDE + supply chain), 9.9/10, 0 critical / high\n- **Architecture Decision Records**: [`docs/adr/`](./docs/adr)\n- **Threat model**: [`docs/threat-model/`](./docs/threat-model)\n- **SDK surface**: [`docs/sdk-shallow-api.md`](./docs/sdk-shallow-api.md)\n\n## Contributing\n\nIssues and pull requests are welcome. Before submitting, please ensure:\n\n```bash\ncargo fmt --all -- --check\ncargo clippy --workspace --all-targets -- -D warnings\ncargo test --workspace\n```\n\nCI runs the same gates on Linux and the UI build on every PR.\n\n### Documentation (bilingual)\n\nVigils serves both the Chinese and international communities, so **user-facing docs are\nbilingual**. When you add or change a guide / how-to / explanatory doc, evaluate whether it needs\nboth languages — if so, write an English page **plus a separate Chinese page** (never\nsentence-by-sentence interleaving), e.g. `foo.md` + `foo.zh-CN.md`, cross-linked at the top.\nReference / ADR / internal docs may stay English-only.\n\n## License\n\n[Apache-2.0](./LICENSE) © Vigils Authors.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fduncatzat%2Fvigils","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fduncatzat%2Fvigils","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fduncatzat%2Fvigils/lists"}