agent-shield 0.8.4

Security scanner for AI agent extensions — offline-first, multi-framework, SARIF output
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

# AgentShield Release Checklist

Use this checklist for public AgentShield releases.

## Pre-release

- [ ] Confirm `Cargo.toml` has the intended version.
- [ ] Confirm the release tag is `v<version>` and exactly matches `Cargo.toml`.
- [ ] Confirm `README.md` describes only commands and adapters that exist in the release branch.
- [ ] Confirm `CHANGELOG.md` has a dated top entry for the release.
- [ ] Confirm `docs/releases/<version>.md` exists and summarizes scope, notable changes, and readiness state.
- [ ] Confirm `action.yml` metadata reflects the supported scanner scope.
- [ ] Run `.github/scripts/check-release-invariants.sh v<version>` before pushing the tag.
- [ ] Confirm no `.env` files, private keys, tokens, or local secrets are staged.

## Validation

- [ ] Run `cargo test`.
- [ ] Run `cargo clippy -- -D warnings`.
- [ ] Run `cargo fmt --check`.
- [ ] Run a CLI smoke scan against a known vulnerable fixture.
- [ ] Run `agentshield list-rules` and check the rule list for release drift.
- [ ] If `runtime` is part of the release, build with `--features full` and smoke test `agentshield wrap`.
- [ ] Confirm release workflow builds with `--features full`.
- [ ] Confirm the release workflow `Check release invariants` job passed before any build matrix started.
- [ ] Confirm release workflow fails when the pushed tag does not match `Cargo.toml`.
- [ ] Confirm native release jobs smoke-check `agentshield --help` for the `wrap` command.
- [ ] Do not execute cross-compiled aarch64 Linux artifacts on x86 runners.
- [ ] Confirm the Docker image includes `wrap` and reports the intended version.
- [ ] Confirm the Docker image publishes both `linux/amd64` and `linux/arm64` manifests.
- [ ] If the GitHub Action changed, test SARIF upload in a disposable repository or workflow run.

## Packaging

- [ ] Build release artifacts for all supported targets.
- [ ] Generate SHA256 checksums.
- [ ] Confirm archive names match `action.yml` download expectations.
- [ ] Confirm the binary starts and reports the intended version on each target.
- [ ] Confirm `docker pull ghcr.io/aiconnai/agentshield:<version>` works on supported platforms.
- [ ] Confirm crate/package metadata points to the correct repository, license, README, and homepage.

## Publication

- [ ] Tag the release with `v<version>`.
- [ ] Publish the GitHub release with release notes and artifacts.
- [ ] Publish the crate if this is a crates.io release.
- [ ] Confirm the GitHub Action can resolve `latest` after publication.
- [ ] Confirm GitHub Code Scanning accepts generated SARIF from the release binary.

## Post-release

- [ ] Announce the release in the appropriate project channels.
- [ ] Open follow-up issues for any known gaps deferred from the release.
- [ ] Verify documentation links and badges after publication.