DEV Community

TerminalBlog
TerminalBlog

Posted on • Originally published at terminalblog.com

gitlawb-zero Heads to 0.4.0 With a Native npm Binary and Tighter Sandbox

gitlawb-zero is winding up a 0.4.0 release, and the commit stream shows a project maturing its distribution and its security boundaries at the same time.

Shipping the native binary the right way

A merged PR ships the native binary as platform optionalDependencies on npm. That is the correct packaging move for a tool with per-platform builds: instead of one bloated package that downloads everything, npm pulls only the binary for your OS/arch. Faster installs, smaller footprint, and no "why did a Linux binary land on my Windows machine" confusion. For a security-focused coding agent, clean distribution also means fewer opportunities for a bad binary to ride along.

Sandbox: tell the truth about Windows failures

Two sandbox commits landed in the window. One classifies silent wrapped Windows command failures as sandbox denials — fixing the misdiagnosis where a failed command was reported as a blocked one (the same class of bug we flagged on the Hermes side). The other uses a WRITE_RESTRICTED token when no DenyRead paths are configured, tightening the default write posture. Together they show the project taking least-privilege seriously instead of defaulting open.

A GitHub Copilot provider enters

An open issue and a corresponding PR add GitHub Copilot provider and authentication support. That widens gitlawb-zero from its own model backend to a router you can point at Copilot — useful if your team already pays for a Copilot seat and wants the agent's DevSecOps workflow on top.

Where it fits

gitlawb-zero's angle has always been the DevSecOps framing — scan, guard, and constrain the agent rather than just accelerate it. The deep-dive on gitlawb-zero lays out that model, and this 0.4.0 batch is the practical proof it is still moving. If you want an agent whose defaults lean toward "deny and prove" rather than "run and hope," this is the branch to track. The Hermes security writeup is a good companion read on why provider isolation and sandbox truthfulness are the same battle.

Top comments (0)