@safebrowse/daemon 0.1.2-rc.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/LICENSE +15 -0
  2. package/README.md +31 -0
  3. package/dist/cli.d.ts +8 -0
  4. package/dist/cli.d.ts.map +1 -0
  5. package/dist/cli.js +93 -0
  6. package/dist/cli.js.map +1 -0
  7. package/dist/index.d.ts +4 -0
  8. package/dist/index.d.ts.map +1 -0
  9. package/dist/index.js +21 -0
  10. package/dist/index.js.map +1 -0
  11. package/dist/loaders.d.ts +23 -0
  12. package/dist/loaders.d.ts.map +1 -0
  13. package/dist/loaders.js +181 -0
  14. package/dist/loaders.js.map +1 -0
  15. package/dist/runtime/config/adapter-registry.json +65 -0
  16. package/dist/runtime/config/adapter-registry.json.sig +1 -0
  17. package/dist/runtime/config/v2-compromised-fixtures.json +34 -0
  18. package/dist/runtime/knowledge_base/safebrowse_vf_action_integrity_patterns.json +1411 -0
  19. package/dist/runtime/knowledge_base/safebrowse_vf_artifact_surface_patterns.json +891 -0
  20. package/dist/runtime/knowledge_base/safebrowse_vf_evaluation_scenarios.json +217 -0
  21. package/dist/runtime/knowledge_base/safebrowse_vf_incident_response_playbooks.json +209 -0
  22. package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_base_index.json +143 -0
  23. package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_base_index.json.sig +1 -0
  24. package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_bases.zip +0 -0
  25. package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_bases.zip.sig +1 -0
  26. package/dist/runtime/knowledge_base/safebrowse_vf_memory_context_poisoning_patterns.json +803 -0
  27. package/dist/runtime/knowledge_base/safebrowse_vf_policy_controls_catalog.json +686 -0
  28. package/dist/runtime/knowledge_base/safebrowse_vf_prompt_injection_patterns.json +9930 -0
  29. package/dist/runtime/knowledge_base/safebrowse_vf_source_registry.json +345 -0
  30. package/dist/runtime/knowledge_base/safebrowse_vf_tool_protocol_supply_chain_patterns.json +879 -0
  31. package/dist/runtime/knowledge_base/safebrowse_vf_trust_signals_provenance.json +480 -0
  32. package/dist/runtime/knowledge_base/signing/safebrowse_vf_ed25519_public.pem +3 -0
  33. package/dist/runtime/policies/base/research.yaml +56 -0
  34. package/dist/runtime/policies/emergency/default.yaml +14 -0
  35. package/dist/runtime/policies/project/default.yaml +13 -0
  36. package/dist/runtime/policies/tenant/default.yaml +12 -0
  37. package/dist/server.d.ts +14 -0
  38. package/dist/server.d.ts.map +1 -0
  39. package/dist/server.js +195 -0
  40. package/dist/server.js.map +1 -0
  41. package/package.json +53 -0
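--- a/package/dist/runtime/knowledge_base/safebrowse_vf_policy_controls_catalog.json
+++ b/package/dist/runtime/knowledge_base/safebrowse_vf_policy_controls_catalog.json
@@ -0,0 +1,686 @@
+ {
+ "kb_meta": {
+ "name": "SafeBrowse vf policy controls catalog",
+ "version": "vf-final",
+ "generated_on": "2026-03-28",
+ "entry_count": 45,
+ "purpose": "Canonical controls for policy packs, docs, and deployment profiles."
+ },
+ "controls": [
+ {
+ "control_id": "PC-01",
+ "name": "framework_only_boundary",
+ "category": "architecture",
+ "hot_path": true,
+ "description": "Keep SafeBrowse as a safety middleware/SDK that mediates observations and actions, but does not browse by itself.",
+ "applies_to": "core boundary",
+ "source_ids": [
+ "SRC_CAMEL_ARXIV_2025",
+ "SRC_ACE_NDSS_2026",
+ "SRC_OPENAI_PROMPT_INJECTION_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-02",
+ "name": "typed_action_envelopes",
+ "category": "architecture",
+ "hot_path": true,
+ "description": "Require all proposed actions to use typed JSON envelopes rather than free-form tool text.",
+ "applies_to": "all runtimes",
+ "source_ids": [
+ "SRC_CAMEL_ARXIV_2025",
+ "SRC_ACE_NDSS_2026",
+ "SRC_OPENAI_PROMPT_INJECTION_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-03",
+ "name": "typed_decision_envelopes",
+ "category": "architecture",
+ "hot_path": true,
+ "description": "Return structured decisions such as allow, block, replan_read_only, user_confirm, quarantine_artifact, or escalate_incident.",
+ "applies_to": "all runtimes",
+ "source_ids": [
+ "SRC_CAMEL_ARXIV_2025",
+ "SRC_ACE_NDSS_2026",
+ "SRC_OPENAI_PROMPT_INJECTION_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-04",
+ "name": "metadata_only_critic_inputs",
+ "category": "architecture",
+ "hot_path": false,
+ "description": "Any alignment critic should see action metadata, policy state, and provenance—not raw untrusted page text.",
+ "applies_to": "high-risk actions",
+ "source_ids": [
+ "SRC_CAMEL_ARXIV_2025",
+ "SRC_ACE_NDSS_2026",
+ "SRC_OPENAI_PROMPT_INJECTION_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-05",
+ "name": "policy_pack_compilation",
+ "category": "architecture",
+ "hot_path": true,
+ "description": "Compile user policy packs into efficient deterministic matchers for hot-path execution.",
+ "applies_to": "runtime",
+ "source_ids": [
+ "SRC_CAMEL_ARXIV_2025",
+ "SRC_ACE_NDSS_2026",
+ "SRC_OPENAI_PROMPT_INJECTION_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-06",
+ "name": "sidecar_optional_deployment",
+ "category": "architecture",
+ "hot_path": true,
+ "description": "Support in-process mode for low overhead and sidecar mode for stronger egress, secret, and quarantine controls.",
+ "applies_to": "deployment",
+ "source_ids": [
+ "SRC_CAMEL_ARXIV_2025",
+ "SRC_ACE_NDSS_2026",
+ "SRC_OPENAI_PROMPT_INJECTION_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-07",
+ "name": "instruction_data_separation",
+ "category": "prompt_containment",
+ "hot_path": true,
+ "description": "Never concatenate untrusted text into higher-trust prompt channels or policy logic.",
+ "applies_to": "observation path",
+ "source_ids": [
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_MICROSOFT_INDIRECT_PI_2025",
+ "SRC_OPENAI_PROMPT_INJECTION_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-08",
+ "name": "visibility_labeling",
+ "category": "prompt_containment",
+ "hot_path": true,
+ "description": "Label observations as visible, hidden, metadata, annotation, or dynamic before they reach reasoning.",
+ "applies_to": "observation path",
+ "source_ids": [
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_MICROSOFT_INDIRECT_PI_2025",
+ "SRC_OPENAI_PROMPT_INJECTION_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-09",
+ "name": "normalization_pass",
+ "category": "prompt_containment",
+ "hot_path": true,
+ "description": "Normalize unicode, zero-width characters, obvious encodings, and script-mixing cues before detection.",
+ "applies_to": "observation path",
+ "source_ids": [
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_MICROSOFT_INDIRECT_PI_2025",
+ "SRC_OPENAI_PROMPT_INJECTION_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-10",
+ "name": "taint_tracking",
+ "category": "prompt_containment",
+ "hot_path": true,
+ "description": "Carry taint from untrusted observations into summaries, memory, and action payloads.",
+ "applies_to": "all flows",
+ "source_ids": [
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_MICROSOFT_INDIRECT_PI_2025",
+ "SRC_OPENAI_PROMPT_INJECTION_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-11",
+ "name": "heuristic_prompt_pattern_scan",
+ "category": "prompt_containment",
+ "hot_path": true,
+ "description": "Use deterministic pattern families for obvious injection styles such as typoglycemia, hidden DOM, role reassignment, and instruction precedence.",
+ "applies_to": "observation path",
+ "source_ids": [
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_MICROSOFT_INDIRECT_PI_2025",
+ "SRC_OPENAI_PROMPT_INJECTION_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-12",
+ "name": "optional_instruction_detector",
+ "category": "prompt_containment",
+ "hot_path": false,
+ "description": "Allow a specialized detector layer for indirect prompt injection when latency budget permits.",
+ "applies_to": "elevated-risk sessions",
+ "source_ids": [
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_MICROSOFT_INDIRECT_PI_2025",
+ "SRC_OPENAI_PROMPT_INJECTION_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-13",
+ "name": "task_envelope",
+ "category": "action_integrity",
+ "hot_path": true,
+ "description": "Represent allowed verbs, origins, sinks, task phases, and data classes explicitly for every session.",
+ "applies_to": "planner boundary",
+ "source_ids": [
+ "SRC_GOOGLE_CHROME_AGENTIC_2025",
+ "SRC_OPENAI_PROMPT_INJECTION_2026",
+ "SRC_OWASP_LLM02_OUTPUT_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-14",
+ "name": "read_write_origin_sets",
+ "category": "action_integrity",
+ "hot_path": true,
+ "description": "Track separate readable and writable origin sets per session.",
+ "applies_to": "browser adapters",
+ "source_ids": [
+ "SRC_GOOGLE_CHROME_AGENTIC_2025",
+ "SRC_OPENAI_PROMPT_INJECTION_2026",
+ "SRC_OWASP_LLM02_OUTPUT_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-15",
+ "name": "new_origin_gate",
+ "category": "action_integrity",
+ "hot_path": true,
+ "description": "Vet every new origin, frame, or redirect target before it becomes readable or writable.",
+ "applies_to": "browser adapters",
+ "source_ids": [
+ "SRC_GOOGLE_CHROME_AGENTIC_2025",
+ "SRC_OPENAI_PROMPT_INJECTION_2026",
+ "SRC_OWASP_LLM02_OUTPUT_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-16",
+ "name": "sensitive_sink_confirmation",
+ "category": "action_integrity",
+ "hot_path": true,
+ "description": "Require explicit confirmation or blocking for transmissions of tainted/sensitive data to external sinks.",
+ "applies_to": "transmission paths",
+ "source_ids": [
+ "SRC_GOOGLE_CHROME_AGENTIC_2025",
+ "SRC_OPENAI_PROMPT_INJECTION_2026",
+ "SRC_OWASP_LLM02_OUTPUT_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-17",
+ "name": "model_generated_url_validation",
+ "category": "action_integrity",
+ "hot_path": true,
+ "description": "Validate model-generated URLs, parameters, redirects, and publicness before navigation or transmission.",
+ "applies_to": "URL actions",
+ "source_ids": [
+ "SRC_GOOGLE_CHROME_AGENTIC_2025",
+ "SRC_OPENAI_PROMPT_INJECTION_2026",
+ "SRC_OWASP_LLM02_OUTPUT_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-18",
+ "name": "cross_origin_pair_policies",
+ "category": "action_integrity",
+ "hot_path": true,
+ "description": "Control which origin pairs are allowed for read-to-write copy or transmission.",
+ "applies_to": "browser and tool adapters",
+ "source_ids": [
+ "SRC_GOOGLE_CHROME_AGENTIC_2025",
+ "SRC_OPENAI_PROMPT_INJECTION_2026",
+ "SRC_OWASP_LLM02_OUTPUT_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-19",
+ "name": "bulk_operation_quotas",
+ "category": "action_integrity",
+ "hot_path": true,
+ "description": "Apply quotas and anomaly thresholds for enumeration, mass messaging, or large-file transfer patterns.",
+ "applies_to": "high-volume tasks",
+ "source_ids": [
+ "SRC_GOOGLE_CHROME_AGENTIC_2025",
+ "SRC_OPENAI_PROMPT_INJECTION_2026",
+ "SRC_OWASP_LLM02_OUTPUT_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-20",
+ "name": "decision_memory_and_cooldowns",
+ "category": "action_integrity",
+ "hot_path": true,
+ "description": "Remember prior vetoes and apply cooldowns to prevent approval grinding.",
+ "applies_to": "all sessions",
+ "source_ids": [
+ "SRC_GOOGLE_CHROME_AGENTIC_2025",
+ "SRC_OPENAI_PROMPT_INJECTION_2026",
+ "SRC_OWASP_LLM02_OUTPUT_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-21",
+ "name": "artifact_classification",
+ "category": "artifact",
+ "hot_path": true,
+ "description": "Classify surfaces such as html, pdf, image, blob, annotation, archive, or tool output before processing.",
+ "applies_to": "artifact gateway",
+ "source_ids": [
+ "SRC_ANTHROPIC_BROWSER_USE_2025",
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_NIST_AGENTIC_EMERGING_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-22",
+ "name": "render_vs_text_diff",
+ "category": "artifact",
+ "hot_path": false,
+ "description": "Compare rendered view and extracted text for documents and opaque viewers.",
+ "applies_to": "document handling",
+ "source_ids": [
+ "SRC_ANTHROPIC_BROWSER_USE_2025",
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_NIST_AGENTIC_EMERGING_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-23",
+ "name": "annotation_channel_separation",
+ "category": "artifact",
+ "hot_path": true,
+ "description": "Keep comments, notes, and tracked changes separate from main-body content by default.",
+ "applies_to": "document handling",
+ "source_ids": [
+ "SRC_ANTHROPIC_BROWSER_USE_2025",
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_NIST_AGENTIC_EMERGING_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-24",
+ "name": "download_quarantine",
+ "category": "artifact",
+ "hot_path": true,
+ "description": "Quarantine downloads and nested containers before any parsing or opening.",
+ "applies_to": "download path",
+ "source_ids": [
+ "SRC_ANTHROPIC_BROWSER_USE_2025",
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_NIST_AGENTIC_EMERGING_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-25",
+ "name": "no_auto_execute_downloads",
+ "category": "artifact",
+ "hot_path": true,
+ "description": "Disable automatic opening or execution for downloaded or embedded files.",
+ "applies_to": "download path",
+ "source_ids": [
+ "SRC_ANTHROPIC_BROWSER_USE_2025",
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_NIST_AGENTIC_EMERGING_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-26",
+ "name": "ocr_confidence_thresholds",
+ "category": "artifact",
+ "hot_path": false,
+ "description": "Escalate or downgrade low-confidence OCR/vision extractions rather than promoting them silently.",
+ "applies_to": "vision path",
+ "source_ids": [
+ "SRC_ANTHROPIC_BROWSER_USE_2025",
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_NIST_AGENTIC_EMERGING_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-27",
+ "name": "tool_manifest_allowlisting",
+ "category": "tool_protocol",
+ "hot_path": true,
+ "description": "Allow only reviewed or signed tool manifests and schemas in production modes.",
+ "applies_to": "tool registry",
+ "source_ids": [
+ "SRC_MCP_SECURITY_BEST_PRACTICES_2025",
+ "SRC_OWASP_SECURE_MCP_GUIDE_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-28",
+ "name": "tool_delta_approval",
+ "category": "tool_protocol",
+ "hot_path": true,
+ "description": "Require review when tool lists or capabilities change mid-session.",
+ "applies_to": "tool registry",
+ "source_ids": [
+ "SRC_MCP_SECURITY_BEST_PRACTICES_2025",
+ "SRC_OWASP_SECURE_MCP_GUIDE_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-29",
+ "name": "token_audience_validation",
+ "category": "tool_protocol",
+ "hot_path": true,
+ "description": "Reject tokens not explicitly issued for the receiving service or broker.",
+ "applies_to": "auth paths",
+ "source_ids": [
+ "SRC_MCP_SECURITY_BEST_PRACTICES_2025",
+ "SRC_OWASP_SECURE_MCP_GUIDE_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-30",
+ "name": "exact_redirect_uri_validation",
+ "category": "tool_protocol",
+ "hot_path": true,
+ "description": "Use exact redirect URI matching and post-consent validation for OAuth-like flows.",
+ "applies_to": "auth paths",
+ "source_ids": [
+ "SRC_MCP_SECURITY_BEST_PRACTICES_2025",
+ "SRC_OWASP_SECURE_MCP_GUIDE_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-31",
+ "name": "ssrf_egress_controls",
+ "category": "tool_protocol",
+ "hot_path": true,
+ "description": "Use HTTPS enforcement, private-range blocking, redirect validation, and preferably egress proxying for metadata discovery.",
+ "applies_to": "network paths",
+ "source_ids": [
+ "SRC_MCP_SECURITY_BEST_PRACTICES_2025",
+ "SRC_OWASP_SECURE_MCP_GUIDE_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-32",
+ "name": "progressive_least_privilege_scopes",
+ "category": "tool_protocol",
+ "hot_path": true,
+ "description": "Start with minimal scopes and elevate only when a task needs more.",
+ "applies_to": "auth paths",
+ "source_ids": [
+ "SRC_MCP_SECURITY_BEST_PRACTICES_2025",
+ "SRC_OWASP_SECURE_MCP_GUIDE_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-33",
+ "name": "local_server_sandboxing",
+ "category": "tool_protocol",
+ "hot_path": true,
+ "description": "Sandbox local MCP/helper processes and require explicit consent with exact command display.",
+ "applies_to": "local integrations",
+ "source_ids": [
+ "SRC_MCP_SECURITY_BEST_PRACTICES_2025",
+ "SRC_OWASP_SECURE_MCP_GUIDE_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-34",
+ "name": "tool_to_tool_data_barriers",
+ "category": "tool_protocol",
+ "hot_path": true,
+ "description": "Enforce capability and data barriers between tools to prevent cross-tool harvesting/pollution.",
+ "applies_to": "tool chains",
+ "source_ids": [
+ "SRC_MCP_SECURITY_BEST_PRACTICES_2025",
+ "SRC_OWASP_SECURE_MCP_GUIDE_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-35",
+ "name": "memory_write_policy",
+ "category": "memory",
+ "hot_path": true,
+ "description": "Apply explicit policy to durable memory writes; untrusted content should not become durable instructions by default.",
+ "applies_to": "memory store",
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026",
+ "SRC_NIST_AGENTIC_EMERGING_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-36",
+ "name": "snapshot_before_commit",
+ "category": "memory",
+ "hot_path": true,
+ "description": "Snapshot mutable memory before durable writes to enable rollback.",
+ "applies_to": "memory store",
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026",
+ "SRC_NIST_AGENTIC_EMERGING_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-37",
+ "name": "integrity_hash_baselines",
+ "category": "memory",
+ "hot_path": true,
+ "description": "Hash memory objects, summaries, and tool manifests to support integrity checks.",
+ "applies_to": "memory store",
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026",
+ "SRC_NIST_AGENTIC_EMERGING_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-38",
+ "name": "approval_non_persistence",
+ "category": "memory",
+ "hot_path": true,
+ "description": "Do not store approvals as free text in memory; bind them to structured IDs with expiry.",
+ "applies_to": "memory + action integrity",
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026",
+ "SRC_NIST_AGENTIC_EMERGING_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-39",
+ "name": "retrieval_corroboration",
+ "category": "memory",
+ "hot_path": false,
+ "description": "Require corroboration or trust-tier weighting for high-impact RAG-backed claims.",
+ "applies_to": "RAG or knowledge tools",
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026",
+ "SRC_NIST_AGENTIC_EMERGING_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-40",
+ "name": "tenant_partitioned_cache",
+ "category": "memory",
+ "hot_path": true,
+ "description": "Partition caches and vector stores by tenant/session/risk boundary to reduce poisoning blast radius.",
+ "applies_to": "stateful systems",
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026",
+ "SRC_NIST_AGENTIC_EMERGING_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-41",
+ "name": "trace_and_replay",
+ "category": "incident_eval",
+ "hot_path": true,
+ "description": "Persist structured decisions, provenance, and replayable artifacts for forensics.",
+ "applies_to": "telemetry",
+ "source_ids": [
+ "SRC_NIST_HIJACK_EVAL_2025",
+ "SRC_AGENTDOJO_BENCHMARK_2026",
+ "SRC_BROWSERGYM_GITHUB_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-42",
+ "name": "adaptive_red_teaming",
+ "category": "incident_eval",
+ "hot_path": false,
+ "description": "Continuously test with adaptive attacks, not only baseline canned prompts.",
+ "applies_to": "evaluation",
+ "source_ids": [
+ "SRC_NIST_HIJACK_EVAL_2025",
+ "SRC_AGENTDOJO_BENCHMARK_2026",
+ "SRC_BROWSERGYM_GITHUB_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-43",
+ "name": "multi_attempt_benchmarking",
+ "category": "incident_eval",
+ "hot_path": false,
+ "description": "Measure security over repeated attempts, not just single-shot success.",
+ "applies_to": "evaluation",
+ "source_ids": [
+ "SRC_NIST_HIJACK_EVAL_2025",
+ "SRC_AGENTDOJO_BENCHMARK_2026",
+ "SRC_BROWSERGYM_GITHUB_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-44",
+ "name": "task_specific_security_metrics",
+ "category": "incident_eval",
+ "hot_path": false,
+ "description": "Track utility and security per task family, sink type, and consequence level.",
+ "applies_to": "evaluation",
+ "source_ids": [
+ "SRC_NIST_HIJACK_EVAL_2025",
+ "SRC_AGENTDOJO_BENCHMARK_2026",
+ "SRC_BROWSERGYM_GITHUB_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "control_id": "PC-45",
+ "name": "degrade_to_read_only",
+ "category": "incident_eval",
+ "hot_path": true,
+ "description": "When confidence drops or attacks persist, downgrade the session to read-only rather than failing open.",
+ "applies_to": "runtime",
+ "source_ids": [
+ "SRC_NIST_HIJACK_EVAL_2025",
+ "SRC_AGENTDOJO_BENCHMARK_2026",
+ "SRC_BROWSERGYM_GITHUB_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ }
+ ]
+ }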
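Review bot: This catalog ships without a per-file signature, while the file list shows `.sig` companions only for `safebrowse_vf_knowledge_base_index.json` and the `.zip` bundle; whether the loader verifies this JSON via hashes recorded in the signed index or reads it directly cannot be seen from this hunk, and if it is the latter, the integrity-baseline expectation stated in PC-37 does not cover the catalog that defines it. `kb_meta` should say how the file is meant to be integrity-checked, for example a constructed `"integrity_source": "<signed index entry>"` field or a sentence in `purpose`, so a deployer can tell whether a modified catalog would be detected. Separately, every control within a category cites the identical three `source_ids` and all 45 entries carry `"credibility": "high"`, which reads as category-level rather than per-control provenance; if that is intentional, state it in `kb_meta` so consumers do not weight citations per control. `applies_to` mixes free-text forms such as `"memory + action integrity"` and `"RAG or knowledge tools"`, which an array of enum strings would make filterable by policy packs.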