Releases: BlackVectorOps/semantic_firewall

v4.2.0 — TreeLoadOptions (configurable GOPROXY)

24 May 09:08
de79499

New

  • FingerprintTreeWithOptions(rootDir, fileFilter, policy, opts TreeLoadOptions) — options-driven tree fingerprinting
  • TreeLoadOptions struct:
    • Proxy string — overrides GOPROXY for the loader while keeping all other security hardening (CGO_ENABLED=0, GOFLAGS=-mod=readonly, GOWORK=off, etc.). Zero value = secure default ("off")
    • ModuleNameHint string — module path for the synthesised go.mod in pre-modules-era trees without a real go.mod; if empty, synthetic.local/anonymous is used as before

Unchanged

FingerprintTree and FingerprintTreeAdvanced behaviour is identical to v4.1.0 — zero-value TreeLoadOptions is the secure default.

v4.1.0 — FingerprintTree (directory-mode loader)

24 May 08:48
c7f4082

New

  • FingerprintTree(dir string, filter []string, policy IRPolicy) ([]FunctionFingerprint, LoadMeta, error) — fingerprints an entire Go source tree in module mode
  • FingerprintTreeAdvanced — same with strict-mode toggle
  • LoadMeta struct: HadGoMod, SynthesizedGoMod, ModulePath, LoadErrors fields

Fixed

  • Sibling-symbol-missing: tree-mode loads the full package so sibling-file helpers resolve correctly
  • Qualifier deflation: stable synthetic module path synthetic.local/anonymous prevents temp-dir paths from inflating type qualifiers and deflating similarity scores on pre-module commits

Security

  • Loader environment hardened: GOPROXY=off, CGO_ENABLED=0, GOFLAGS=-mod=readonly, GONOSUMDB=*
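As an added example, not the library's own code, the following standalone Go shows the loader behaviour described in the v4.1.0 and v4.2.0 notes: the hardened environment handed to the go toolchain (with any inherited GOPROXY or GOFLAGS stripped so the calling shell cannot undo the hardening), the Proxy override whose zero value means GOPROXY=off, and a synthesised go.mod that uses ModuleNameHint or falls back to synthetic.local/anonymous without ever overwriting a real go.mod. TreeLoadOptions and LoadMeta borrow the field names from the notes but are defined here; loaderEnv, prepareTree, parseModulePath and the go 1.21 directive in the synthesised file are this example's assumptions, not the project's API.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// TreeLoadOptions and LoadMeta reuse the field names from the release notes;
// the definitions are this example's own, not the library's.
type TreeLoadOptions struct {
	Proxy          string // "" keeps the secure default GOPROXY=off
	ModuleNameHint string // module path for a synthesised go.mod; "" uses the default
}

type LoadMeta struct {
	HadGoMod         bool
	SynthesizedGoMod bool
	ModulePath       string
	LoadErrors       []error
}

// Stable synthetic module path from the v4.1.0 notes.
const defaultModulePath = "synthetic.local/anonymous"

// Variables the loader pins regardless of the parent environment, so an
// inherited GOPROXY or GOFLAGS cannot re-enable network fetches or module writes.
var hardenedKeys = map[string]bool{
	"GOPROXY": true, "CGO_ENABLED": true, "GOFLAGS": true, "GOWORK": true, "GONOSUMDB": true,
}

// loaderEnv returns the environment for the go toolchain: the parent's
// variables minus the hardened keys, followed by the pinned values.
func loaderEnv(parent []string, opts TreeLoadOptions) []string {
	env := make([]string, 0, len(parent)+len(hardenedKeys))
	for _, kv := range parent {
		key, _, _ := strings.Cut(kv, "=")
		if !hardenedKeys[key] {
			env = append(env, kv)
		}
	}
	proxy := "off" // zero value of Proxy means the secure default
	if opts.Proxy != "" {
		proxy = opts.Proxy
	}
	return append(env, "GOPROXY="+proxy, "CGO_ENABLED=0", "GOFLAGS=-mod=readonly", "GOWORK=off", "GONOSUMDB=*")
}

// prepareTree reports whether rootDir has a go.mod and synthesises one when
// it does not. A real go.mod is never overwritten, and any read error other
// than "not found" is returned rather than mistaken for a pre-modules tree.
func prepareTree(rootDir string, opts TreeLoadOptions) (LoadMeta, error) {
	var meta LoadMeta
	goMod := filepath.Join(rootDir, "go.mod")
	data, err := os.ReadFile(goMod)
	if err == nil {
		meta.HadGoMod = true
		meta.ModulePath = parseModulePath(string(data))
		return meta, nil
	}
	if !errors.Is(err, os.ErrNotExist) {
		return meta, err
	}
	meta.ModulePath = defaultModulePath
	if opts.ModuleNameHint != "" {
		meta.ModulePath = opts.ModuleNameHint
	}
	// The go directive version below is an assumption of this example.
	content := fmt.Sprintf("module %s\n\ngo 1.21\n", meta.ModulePath)
	if err := os.WriteFile(goMod, []byte(content), 0o644); err != nil {
		return meta, err
	}
	meta.SynthesizedGoMod = true
	return meta, nil
}

// parseModulePath extracts the module directive from go.mod content ("" if none).
func parseModulePath(goMod string) string {
	for _, line := range strings.Split(goMod, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "module ") {
			return strings.Trim(strings.TrimSpace(strings.TrimPrefix(line, "module ")), `"`)
		}
	}
	return ""
}

func main() {
	dir, err := os.MkdirTemp("", "sfw-tree-*")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	meta, err := prepareTree(dir, TreeLoadOptions{}) // no go.mod present: synthesised
	fmt.Printf("meta=%+v err=%v\n", meta, err)
	// A parent GOPROXY pointing at a public proxy is dropped, not inherited.
	parent := []string{"HOME=/tmp", "GOPROXY=https://proxy.golang.org"}
	fmt.Println(strings.Join(loaderEnv(parent, TreeLoadOptions{}), "\n"))
}
```

The design point is that the override is additive: setting Proxy changes only GOPROXY, while CGO_ENABLED, GOFLAGS, GOWORK and GONOSUMDB stay pinned, and the parent's values for those keys are removed before the pinned ones are appended so nothing depends on last-wins environment semantics.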

v4.0.0

22 May 00:41

Why v4

This release ships breaking changes to the fingerprinting algorithm and the signature-database schema contract. Both are mechanical incompatibilities, not bug fixes:

  • Fingerprints from v3 do not match v4. The SCEV affine-recurrence folding pass (PR #5) changes the canonical IR of any function containing loops, which changes its fingerprint hash. Code that was semantically equivalent under v3 will look different under v4 (and vice versa).

  • Existing PebbleDB signature databases are rejected. v4 fails closed when it opens a database whose stored schema version is older than the current binary's. The stored TopologyHash values were produced by v3's canonicalizer and will never match v4 fingerprints, so rebuilding the indexes cannot fix it; you have to re-index the original samples with the v4 binary.

  • Module path bumped to /v4. Update your imports: github.com/BlackVectorOps/semantic_firewall/v3/... -> github.com/BlackVectorOps/semantic_firewall/v4/...

Migrating

  1. go install github.com/BlackVectorOps/semantic_firewall/v4/cmd/sfw@v4.0.0
  2. Re-index your malware samples against the new binary: sfw index <sample.go> --name <name> --severity HIGH
  3. Update any Go code consuming sfw as a library to the /v4 import path.
  4. If you used sfw audit in v3, the audit flow moves to a separate repo with an MCP server + agent loop: go install github.com/BlackVectorOps/semantic_firewall_mcp/cmd/sfw-mcp@latest

Then run sfw-mcp audit <old> <new> "<msg>" --provider <anthropic|openai|gemini|openai-compatible> --model <name>. See https://github.com/BlackVectorOps/semantic_firewall_mcp for the full provider matrix.

Bug fixes (also in this release)

  • jsondb: nil-pointer panic on non-ENOENT os.Stat errors
  • jsondb: sigMap drift after AddSignatures batch inserts
  • check: panic during analysis now flips the --strict exit code
  • audit: new --no-sandbox flag for pre-sandboxed CI environments
  • pebbledb: fail closed on older-schema databases (rather than silently returning zero matches)
  • diff: fail closed on non-ENOENT os.Stat errors

What's Changed

  • ⚡ Optimize string accumulation in ExtractTopology by @xkilldash9x in #8
  • ⚡ Optimize GenerateTopologyHash allocations by @xkilldash9x in #10
  • ⚡ Optimize indexing loop by batching signature additions by @xkilldash9x in #11
  • Refine branch differentiation comment and add hash verification tests by @xkilldash9x in #12
  • chore: solidify len/cap impurity check for maps/chans and add tests by @xkilldash9x in #15
  • security: Refactor UTF-8 validation to prevent DoS by @xkilldash9x in #13
  • fix: handle nested parenthesis and brackets in ShortFuncName by @xkilldash9x in #17
  • Refactor: Use safe type assertion helper for closures in topology analysis by @xkilldash9x in #16
  • ⚡ Optimize instruction string building in Canonicalizer by @xkilldash9x in #18
  • Verify StringVal extraction and remove stale FIX comment by @xkilldash9x in #14
  • ⚡ Optimize signature lookup to O(1) by @xkilldash9x in #9
  • chore(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.3 by @dependabot in #19
  • chore(deps): bump go.opentelemetry.io/otel from 1.39.0 to 1.41.0 by @dependabot in #20
  • Fix/security and logic issues by @xkilldash9x in #21

Full Changelog: https://github.com/BlackVectorOps/semantic_firewall/compare/v3.2.0...v4.0.0

v3.2.0 - Parallel Analysis & Sandbox Hardening

01 Feb 06:31
932ae11

What's New

Performance

  • Parallel file processing - Analysis now utilizes all available CPU cores via errgroup, significantly improving throughput on multi-file scans
  • Optimized I/O - 32KB buffered copies for database operations, reducing syscall overhead

Security Hardening

  • Symlink attack prevention - All sandbox mount paths now resolve through filepath.EvalSymlinks() to prevent escape attacks
  • Root mount protection - Explicit checks prevent accidentally mounting / into the sandbox
  • Secure temp directories - Uses os.MkdirTemp() to avoid collisions and symlink attacks in shared environments
  • Symlink filtering - Database copy operations skip symlinks to prevent destination escape
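As an added example that is not the project's code, the following standalone Go shows the four hardening measures above together: a mount path is canonicalised with filepath.EvalSymlinks() and "/" is refused, the destination comes from os.MkdirTemp(), symlinks are skipped rather than copied or followed, and file contents stream through the 32KB buffer mentioned under Performance. resolveMountPath, copyDBDir and copyFile are names chosen for this example and do not correspond to the library's API.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
)

var errRootMount = errors.New("refusing to mount filesystem root into the sandbox")

// resolveMountPath canonicalises a host path before it is handed to the
// sandbox runtime: symlinks are resolved so a link inside the tree cannot
// redirect the mount elsewhere, and the filesystem root is rejected outright.
func resolveMountPath(p string) (string, error) {
	abs, err := filepath.Abs(p)
	if err != nil {
		return "", err
	}
	real, err := filepath.EvalSymlinks(abs)
	if err != nil {
		return "", err
	}
	if real == string(filepath.Separator) {
		return "", errRootMount
	}
	return real, nil
}

// copyDBDir copies a database directory into a private directory from
// os.MkdirTemp, skipping symlinks so a planted link cannot steer a write
// outside the destination. It returns the new directory and the number of
// symlinks that were skipped.
func copyDBDir(src string) (string, int, error) {
	src, err := resolveMountPath(src)
	if err != nil {
		return "", 0, err
	}
	dst, err := os.MkdirTemp("", "sfw-db-*")
	if err != nil {
		return "", 0, err
	}
	skipped := 0
	err = filepath.WalkDir(src, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		rel, err := filepath.Rel(src, path)
		if err != nil {
			return err
		}
		target := filepath.Join(dst, rel)
		switch {
		case d.Type()&fs.ModeSymlink != 0:
			skipped++ // neither copied nor followed
			return nil
		case d.IsDir():
			return os.MkdirAll(target, 0o700)
		}
		return copyFile(path, target)
	})
	if err != nil {
		os.RemoveAll(dst)
		return "", 0, err
	}
	return dst, skipped, nil
}

// copyFile streams src into a newly created dst through a 32KB buffer. The
// wrappers hide *os.File's ReadFrom/WriteTo so io.CopyBuffer really uses buf.
func copyFile(src, dst string) error {
	in, err := os.Open(src)
	if err != nil {
		return err
	}
	defer in.Close()
	out, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return err
	}
	defer out.Close()
	buf := make([]byte, 32*1024)
	if _, err := io.CopyBuffer(struct{ io.Writer }{out}, struct{ io.Reader }{in}, buf); err != nil {
		return err
	}
	return out.Close()
}

func main() {
	// Constructed database directory with one planted symlink.
	src, _ := os.MkdirTemp("", "sfw-src-*")
	defer os.RemoveAll(src)
	os.WriteFile(filepath.Join(src, "MANIFEST"), []byte("manifest"), 0o600)
	os.Symlink("/etc/hostname", filepath.Join(src, "escape"))
	dst, skipped, err := copyDBDir(src)
	defer os.RemoveAll(dst)
	fmt.Printf("copied to %s, skipped %d symlink(s), err=%v\n", dst, skipped, err)
}
```

O_EXCL on the destination means an existing entry at the target path, however it got there, makes the copy fail rather than silently being overwritten.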

Robustness

  • Panic recovery - SSA generation and analysis goroutines now recover from panics, preventing single-file failures from crashing entire runs
  • PebbleDB sandbox compatibility - New PrepareSandboxDB() helper automatically copies databases to writable temp storage when running inside gVisor
  • Module-aware dependency filtering - Internal packages are no longer incorrectly flagged as external dependencies
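The parallel processing and panic-recovery items above describe one pattern: fan files out to worker goroutines, and turn a panic inside one file's analysis into that file's error rather than a crash of the whole run. The following is an added example, not the project's code, of that pattern in standalone Go. The release uses errgroup; this example uses only sync.WaitGroup and a semaphore channel so it runs without external dependencies. fakeAnalyze is a constructed stand-in for SSA generation, keyed on the file name, and analyzeAll, analyzeOne and countFailures are names chosen here.

```go
package main

import (
	"errors"
	"fmt"
	"runtime"
	"strings"
	"sync"
)

// Result is one file's outcome; Err is set on failure or on a recovered panic.
type Result struct {
	File         string
	Fingerprints int
	Err          error
}

// analyzeAll runs analyze over every file with at most runtime.NumCPU()
// workers and returns results in input order (each goroutine writes only its
// own index, so no mutex is needed).
func analyzeAll(files []string, analyze func(string) (int, error)) []Result {
	results := make([]Result, len(files))
	sem := make(chan struct{}, runtime.NumCPU())
	var wg sync.WaitGroup
	for i, f := range files {
		wg.Add(1)
		go func(i int, f string) {
			defer wg.Done()
			sem <- struct{}{}
			defer func() { <-sem }()
			results[i] = analyzeOne(f, analyze)
		}(i, f)
	}
	wg.Wait()
	return results
}

// analyzeOne wraps a single analysis in a recover, so a panic during one
// file's SSA generation becomes that file's error instead of killing the run.
func analyzeOne(file string, analyze func(string) (int, error)) (r Result) {
	r.File = file
	defer func() {
		if rec := recover(); rec != nil {
			r.Err = fmt.Errorf("analysis of %s panicked: %v", file, rec)
		}
	}()
	r.Fingerprints, r.Err = analyze(file)
	return r
}

// countFailures reports how many files errored, the number a strict mode
// would turn into a non-zero exit code.
func countFailures(rs []Result) int {
	n := 0
	for _, r := range rs {
		if r.Err != nil {
			n++
		}
	}
	return n
}

// fakeAnalyze is a constructed stand-in for the real analysis: the file name
// selects a clean result, a returned error, or a runtime panic.
func fakeAnalyze(file string) (int, error) {
	switch {
	case strings.HasSuffix(file, "_panics.go"):
		var counts map[string]int
		counts["loops"]++ // write to a nil map: runtime panic
	case strings.HasSuffix(file, "_bad.go"):
		return 0, errors.New("parse error")
	}
	return len(file)%5 + 1, nil
}

func main() {
	files := []string{"beacon.go", "loader_panics.go", "broken_bad.go", "util.go"}
	rs := analyzeAll(files, fakeAnalyze)
	for _, r := range rs {
		fmt.Printf("%-18s fingerprints=%d err=%v\n", r.File, r.Fingerprints, r.Err)
	}
	fmt.Println("failures:", countFailures(rs))
}
```

The recover has to live in the same goroutine as the panic, which is why it sits inside analyzeOne rather than around wg.Wait(); a deferred recover in the parent would never see a panic raised in a worker.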

Workflow & Action Improvements

  • Restored *_generated.go exclusion filter for diff/audit modes
  • Added stderr capture (2>&1) for better error diagnostics
  • New/Deleted file status now properly reported in analysis summaries
  • Added runsc --version verification after gVisor installation

Bug Fixes

  • Fixed ssautil.AllPackages return type handling (returns (*Program, []*Package), not error)
  • Fixed collectDependencies signature to support root module filtering

Full Changelog: v3.1.6...v3.2.0

v3.1.4 -- Hardened Sandbox Orchestration & Workflow Integrity

30 Jan 16:37
739a01e

This release finalizes the transition to a fully sandboxed execution model within GitHub Actions. Version 3.1.4 resolves critical pathing and mounting issues within the gVisor (runsc) environment that previously caused semantic analysis failures in the automated workflow pipeline.

Full Changelog: v3.1.4...v3.1.4

launch v3.0.0 - hardened architecture & standard layout

29 Jan 22:28
v3.0.0
6727ca6

v2.3.0

22 Jan 17:11
732eb6d

v2.2.1

18 Jan 05:22
185adc9

Refactor storage to Pebble, add LLM audit, and polish core analysis

16 Jan 21:24
2e2a84a

This commit overhauls the storage engine and analysis pipeline. Migrated from BoltDB to Pebble to better support range scanning and snapshots for a specific use case. Huge shout out to HD Moore (runZero) for the advice on the storage switch and for the concept behind the new intent verification system.

-- Storage Migration (BoltDB -> Pebble) --

  • Replaced BoltScanner with PebbleScanner.

  • Added MigrateFromBolt to allow importing existing databases.

  • Implemented Checkpoint, Compact, and iterator management for Pebble.

  • Refactored entropy and threshold setters.

  • Added ScanByEntropyRange and ScanTopologyWithSnapshot.

  • Removed scanner_bolt.go and associated tests.

-- Core Analysis & Fingerprinting --

  • Updated GenerateFingerprint, countLoops, and deriveTripCount for better SSA handling.

  • Refined generateTopologyHash and computeTopologySimilarity.

  • Tweaked Zipper logic to reduce false negatives.

  • Modified toSCEV and classifyIV for complex loop detection.

-- CLI & Features (The "Lie Detector") --

  • Added audit command (runAudit) to cmd/sfw.

  • Implemented LLM based intent verification (llm.go) supporting OpenAI and Gemini. (If you prefer another provider, drop an issue and let me know.)

  • Added logic to cross reference commit messages against structural code changes to detect deceptive descriptions (Verdict: MATCH / SUSPICIOUS / LIE).

  • Updated scan, index, and diff to use PebbleScanner.

  • Added runMigrate command.

-- Housekeeping --

  • Moved sample beacon files to examples/samples/.

  • Updated go.mod and go.sum.

  • Cleaned up main.go.

  • Rewrote README.md to be less academic and more approachable.

The diff is huge, but the performance gains on the topology lookups are significant. As always, please open an issue if you spot any edge case that got through my testing. I'm averaging about 74% accuracy right now, so there are definitely edges; I'm only one man. Thank you for the stars and for letting me know this has potential.

Back to work.

v2.0.1: Go Module Path Fix

14 Jan 00:08
ac4ae9e

Fixes module path to include /v2 suffix. Updates examples to be buildable.

Full Changelog: v2.0.0...v2.0.1