Version: 0.2.0

Changelog

All notable changes to jGuard are documented here.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[0.2.0] - 2026-01-13

Added

Multi-Module Support

  • Auto-discovery of policies embedded in signed JARs (META-INF/jguard/policy.bin)
  • Per-module policy enforcement with module isolation
  • Support for JPMS modular applications with multiple security domains
  • jguard.allowUnsignedPolicies flag for development mode

External Policies with Grant/Deny

  • External policy files for deployment-time customization
  • deny statement to remove capabilities from embedded policies
  • deny(defensive) to suppress warnings for intentional defensive denials
  • _global.jguard for environment-wide restrictions (e.g., airgapped networks)
  • Merge logic: effective = (embedded ∪ external_grants ∪ global_grants) - (external_denials ∪ global_denials)
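
The merge rule above, worked through as an added example (not jGuard's own code). Capabilities are modelled as opaque strings with no glob matching, and the `Denial` record, the `merge` method and the reading of "redundant" as "absent from the granted union" are assumptions made for illustration.

```java
import java.util.*;

// Added illustration: models capabilities as opaque strings (assumption),
// not jGuard's real policy types or glob matching.
public class PolicyMergeExample {

    // A denial and whether it was written as deny(defensive).
    record Denial(String capability, boolean defensive) {}

    record Result(Set<String> effective, List<String> warnings) {}

    static Result merge(Set<String> embedded, Set<String> externalGrants, Set<String> globalGrants,
                        List<Denial> externalDenials, List<Denial> globalDenials) {
        // granted = embedded ∪ external_grants ∪ global_grants
        Set<String> granted = new TreeSet<>(embedded);
        granted.addAll(externalGrants);
        granted.addAll(globalGrants);

        Set<String> effective = new TreeSet<>(granted);
        List<String> warnings = new ArrayList<>();
        List<Denial> denials = new ArrayList<>(externalDenials);
        denials.addAll(globalDenials);
        for (Denial d : denials) {
            // Denials are subtracted last, so they win over a grant from any source.
            effective.remove(d.capability());
            // Assumption: "redundant" means the capability was never in the granted union.
            if (!granted.contains(d.capability()) && !d.defensive()) {
                warnings.add("redundant deny: " + d.capability());
            }
        }
        return new Result(effective, warnings);
    }

    public static void main(String[] args) {
        // Constructed sample policies using capability names from this changelog.
        Result r = merge(
            Set.of("fs.read", "network.outbound", "threads.create"),  // embedded
            Set.of("env.read"),                                       // external grants
            Set.of(),                                                 // global grants
            List.of(new Denial("threads.create", false), new Denial("native.load", false)),
            List.of(new Denial("network.outbound", false), new Denial("network.listen", true)));
        System.out.println("effective = " + r.effective());
        System.out.println("warnings  = " + r.warnings());
    }
}
```

With these constructed inputs, the global deny removes network.outbound even though the embedded policy grants it, and only the non-defensive deny of native.load is reported as redundant.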

Legacy Library Support

  • External policies for third-party libraries without jGuard policies
  • MODULE pattern matching for automatic modules (JAR-derived module names)
  • Restrictive by default: unentitled operations are blocked

CLI Tools

  • jguardc - Standalone compiler for .jguard policy files
  • jguard inspect - Inspect policies in JARs or binary files
  • jguard list - List all policies found in JARs on a path
  • jguard diff - Compare two policy files
  • jguard validate-override - Validate override policies

Policy Hot Reload

  • Zero-downtime policy updates via file watching
  • Configurable poll interval (jguard.reload.interval)
  • Support for both explicit path and discovery mode
  • External policy directory watching

Compiler Enhancements

  • --strict flag treats warnings as errors (useful for CI)
  • Redundant deny warnings when denying capabilities not in granted set
  • Improved error messages with file:line:column format

Changed

  • Gradle plugin now configures tests to run on classpath (not module path) for JUnit/AssertJ compatibility
  • Binary policy format version 2 includes denial support

Fixed

  • JPMS test isolation issue where test frameworks couldn't be found on module path

[0.1.0] - 2026-01-07

Added

  • Initial release with core capability-based security model
  • Policy descriptor format (module-info.jguard)
  • Capabilities:
    • fs.read - Read files matching glob patterns
    • fs.write - Write files matching glob patterns
    • network.outbound - Outbound network connections
    • network.listen - Server socket binding
    • threads.create - Thread creation
    • native.load - Native library loading
    • env.read - Environment variable access
    • system.property.read - System property reading
    • system.property.write - System property writing
  • ByteBuddy-based JDK instrumentation
  • Gradle plugin (io.jguard.policy)
  • Three enforcement modes: STRICT, PERMISSIVE, AUDIT
  • Package-level entitlements with glob patterns