github Dicklesworthstone/destructive_command_guard v0.6.7
dcg v0.6.7

latest release: v0.6.8
7 hours ago

dcg v0.6.7

Security and correctness release focused on indirect command input, strict Git enforcement, installer integrity, and Windows policy compatibility.

Highlights

  • Closes the database-client stdin bypass class across Redis, PostgreSQL, MySQL/MariaDB, MongoDB, and SQLite. Bounded static producers, redirects, heredocs, script loaders, and command substitutions are evaluated with the consumer pack; dynamic or unsafe input fails closed.
  • Blocks Git's leading-plus force-refspec forms, including constructed variants, in strict mode.
  • Fixes project allowlists outside Git repositories, quoted /tmp recursive-delete false positives, inert sed-substitution false positives, and n/N environment-flag semantics.
  • Makes the PowerShell installer compatible with ConstrainedLanguage primitives by using signed inbox tooling for hashing and archive handling.
  • Adds strict minisign verification to both installers and strengthens archive-layout, version-selection, and installed-version checks.

Release integrity

All six binaries were built manually from annotated tag v0.6.7 at commit d847471364adf24d819c34a96058bc136cdc00b1; repository GitHub Actions workflows were disabled before the commit/tag push and were not used for builds or publication. Archives contain exactly one root-level dcg or dcg.exe.

Release assets include SHA-256 checksums, minisign signatures using key ID 36B847D11BA5A0D0, signed DSR local-build SLSA provenance statements, and a source-tree SPDX SBOM. No Sigstore bundle is claimed for these manual builds.

Verify an artifact with:

sha256sum -c dcg-<target>.<archive>.sha256
minisign -Vm dcg-<target>.<archive> -P RWTQoKUb0Ue4NsqTpPWnABCrIU0+m25zsMlbv6UcRClQ7jmRP3A7NmTB

Validation

  • Rust: check, clippy with warnings denied, formatting, full tests, audit, and cargo-deny gates passed.
  • Packaging: crates.io dry-run, unpacked-crate build, all-target compile, and packaged runtime proof passed.
  • Installers: 165/165 Bats and 15/15 PowerShell tests passed.
  • End to end: 323/323 release-binary scenarios and the hermetic scan golden passed on a quiet real Linux host.

The crate is also available from crates.io as destructive_command_guard 0.6.7.

See CHANGELOG.md in the tagged source for the complete technical detail.

Don't miss a new destructive_command_guard release

NewReleases is sending notifications on new releases.