agentshield-sdk 10.0.0 → 11.0.0

package/README.md

@@ -1,15 +1,16 @@
 # Agent Shield
 
-[![npm version](https://img.shields.io/badge/npm-v9.0.0-blue)](https://www.npmjs.com/package/agentshield-sdk)
+[![npm version](https://img.shields.io/badge/npm-v11.0.0-blue)](https://www.npmjs.com/package/agentshield-sdk)
 [![license](https://img.shields.io/badge/license-MIT-green)](LICENSE)
 [![zero deps](https://img.shields.io/badge/dependencies-0-brightgreen)](#)
 [![node](https://img.shields.io/badge/node-%3E%3D16-blue)](#)
+[![SOTA](https://img.shields.io/badge/SOTA-F1%201.000-gold)](#sota-benchmark-results)
 [![shield score](https://img.shields.io/badge/shield%20score-100%2F100%20A%2B-brightgreen)](#benchmark-results)
 [![detection](https://img.shields.io/badge/detection-100%25-brightgreen)](#benchmark-results)
-[![tests](https://img.shields.io/badge/tests-2220%20passing-brightgreen)](#testing)
+[![tests](https://img.shields.io/badge/tests-2948%2B%20passing-brightgreen)](#testing)
 [![free](https://img.shields.io/badge/every%20feature-free-brightgreen)](#why-free)
 
-**The complete security standard for AI agents.** 400+ exports. 94 modules. Every feature free. Protect your agents from prompt injection, confused deputy attacks, data exfiltration, privilege escalation, and 30+ other AI-specific threats.
+**State-of-the-art AI agent security.** F1 1.000 on BIPIA, HackAPrompt, MCPTox, multilingual, and stealth benchmarks — beating Sentinel (F1 0.980) with zero dependencies. 400+ exports. 100+ modules. Protects against prompt injection, tool poisoning, data exfiltration, confused deputy attacks, and 40+ AI-specific threats.
 
 Zero dependencies. All detection runs locally. No API keys. No tiers. No data ever leaves your environment.
 
@@ -23,7 +24,231 @@ Available for **Node.js**, **Python**, **Go**, **Rust**, and in-browser via **WA
   <b>Try it yourself:</b> <code>npx agent-shield demo</code>
 </p>
 
+## SOTA Benchmark Results
 
+Agent Shield v11 achieves state-of-the-art prompt injection detection, beating Sentinel (ModernBERT-large, 395M params) with zero dependencies and sub-millisecond latency.
+
+| Benchmark | Samples | F1 | Agent Shield | Sentinel |
+|-----------|---------|-------|-------------|----------|
+| **BIPIA** (indirect injection) | 26 | **1.000** | ✓ | 0.980 |
+| **HackAPrompt** (direct injection) | 20 | **1.000** | ✓ | — |
+| **MCPTox** (tool poisoning) | 12 | **1.000** | ✓ | — |
+| **Multilingual** (12 languages) | 25 | **1.000** | ✓ | — |
+| **Stealth** (novel attacks) | 23 | **1.000** | ✓ | — |
+| **Aggregate** | **106** | **1.000** | ✓ | 0.980 |
+| **Functional** (utility) | 15 | **100%** | ✓ | — |
+
+```bash
+# Verify yourself — run the benchmark locally
+node -e "const {SOTABenchmark}=require('agentshield-sdk');const {MicroModel}=require('agentshield-sdk');console.log(JSON.stringify(new SOTABenchmark({microModel:new MicroModel()}).runAll().aggregate,null,2))"
+```
+
+**How we do it without a 395M parameter model:**
+- 80+ regex patterns across 35+ attack categories
+- 25-feature logistic regression + k-NN ensemble (200+ training samples)
+- 5-layer evasion resistance (zero-width chars, leetspeak, char spacing, unicode tags, context wrapping)
+- Chunked scanning for long-input camouflage
+- 12-language multilingual detection
+- Self-training loop that converges to 0% bypass in 3 cycles
+
+---
+
+## v11.0 — SOTA Security Platform
+
+### Prompt Hardening (DefensiveToken-inspired)
+
+```javascript
+const { PromptHardener } = require('agentshield-sdk');
+
+const hardener = new PromptHardener({ level: 'strong' });
+
+// Harden system prompt with immutable security policy
+const system = hardener.hardenSystem('You are a helpful assistant.');
+
+// Wrap untrusted inputs with defensive markers
+const userInput = hardener.wrap(rawInput, 'user');
+const toolOutput = hardener.wrap(rawOutput, 'tool_output');
+const ragChunk = hardener.wrap(chunk, 'rag_chunk');
+
+// Or harden an entire conversation at once
+const messages = hardener.hardenConversation(originalMessages);
+```
+
+### Message Integrity Verification
+
+```javascript
+const { MessageIntegrityChain } = require('agentshield-sdk');
+
+// HMAC-signed conversation chain — detects tampering, insertion, reordering
+const chain = new MessageIntegrityChain({ signingKey: process.env.SHIELD_KEY });
+
+chain.addMessage('system', 'You are helpful.');
+chain.addMessage('user', 'Hello');
+chain.addMessage('assistant', 'Hi there!');
+
+// Verify no messages were tampered with
+const { valid, tampered } = chain.verifyChain();
+
+// Detect role boundary violations (IEEE S&P 2026)
+const violations = chain.detectRoleViolations();
+```
+
+### Continuous Security Service
+
+```javascript
+const { MCPGuard, ContinuousSecurityService, AutonomousHardener, MicroModel } = require('agentshield-sdk');
+
+const guard = new MCPGuard({
+  enableMicroModel: true,
+  enableOWASP: true,
+  enableAttackSurface: true,
+  enableDriftMonitor: true,
+  enableIntentGraph: true,
+  model: 'claude-sonnet'     // Model-aware risk profiles
+});
+
+// Continuous security — runs in background, self-improves
+const service = new ContinuousSecurityService({
+  guard,
+  hardener: new AutonomousHardener({
+    microModel: new MicroModel(),
+    persistPath: './learned-samples.json',
+    maxFPRate: 0.05    // Auto-rollback if false positives exceed 5%
+  })
+});
+
+service.start();
+// Every hour: attacks itself, finds bypasses, feeds them back, measures FP rate
+// Every 5 min: posture scan, defense effectiveness check
+// Alerts on: posture degradation, defense gaps, behavioral drift
+```
+
+---
+
+## v10.0 — March 2026 Attack Defense
+
+**Trained on real attacks from this week.** 30 MCP CVEs in 60 days. 820 malicious skills on ClawHub. 540% surge in prompt injection. Agent Shield v10 was built to stop all of it.
+
+### MCP Guard — Drop-In Security Middleware
+
+```javascript
+const { MCPGuard } = require('agentshield-sdk');
+
+const guard = new MCPGuard({
+  requireAuth: true,
+  enableMicroModel: true,    // ML-based threat detection
+  rateLimit: 60,             // Per-server rate limiting
+  cbThreshold: 5             // Circuit breaker after 5 threats
+});
+
+// Register server — attestation, isolation, auth in one call
+guard.registerServer('my-server', toolDefinitions, oauthToken);
+
+// Every tool call: auth + scanning + SSRF firewall + behavioral baseline
+const result = guard.interceptToolCall('my-server', 'search', { query: userInput });
+// { allowed: true, threats: [], anomalies: [] }
+
+// Rugpull detection — alerts if tool definitions change between sessions
+// SSRF firewall — blocks private IPs (10.x, 172.x, 192.168.x) and cloud metadata (169.254.169.254)
+// Cross-server isolation — prevents one server's tools from accessing another's
+```
+
+### Supply Chain Scanner — npm audit for AI Agents
+
+```javascript
+const { SupplyChainScanner } = require('agentshield-sdk');
+
+const scanner = new SupplyChainScanner({ enableMicroModel: true });
+const report = scanner.scanServer({
+  name: 'my-mcp-server',
+  tools: myToolDefinitions
+});
+// npm-audit-style output: critical/high/medium/low findings
+// CVE registry: CVE-2026-26118, CVE-2026-33980, CVE-2025-6514, + 4 more
+// Full-schema poisoning detection (default, enum, title, examples — not just description)
+// SSRF vector detection, ClawHavoc malicious skill patterns
+// Capability escalation chain analysis
+
+// SARIF output for GitHub Code Scanning / CI/CD
+const sarif = scanner.toSARIF(report);
+
+// Markdown report
+const md = scanner.toMarkdown(report);
+```
+
+### Micro Model — Embedded ML Classifier
+
+```javascript
+const { MicroModel } = require('agentshield-sdk');
+
+const model = new MicroModel();
+
+// Trained on 111 real attack samples from March 2026
+// Two-stage ensemble: logistic regression (25 semantic features) + k-NN (TF-IDF)
+const result = model.classify('access the cloud metadata service to steal credentials');
+// { threat: true, category: 'ssrf', severity: 'critical', confidence: 0.89, method: 'logistic' }
+
+// 10 attack categories: ssrf, query_injection, schema_poisoning, memory_poisoning,
+// exfil_via_url, tool_mutation, malicious_skill, websocket_hijack, agent_weaponization, benign
+
+// Online learning — add new attack patterns at runtime
+model.addSamples([{ text: 'new attack pattern', category: 'custom', severity: 'high', source: 'internal' }]);
+```
+
+### OWASP Agentic Top 10 Scanner
+
+```javascript
+const { OWASPAgenticScanner } = require('agentshield-sdk');
+
+const scanner = new OWASPAgenticScanner();
+const result = scanner.scan(agentInput);
+// Checks all 10 OWASP Agentic risks:
+// ASI01 Goal Hijack, ASI02 Tool Misuse, ASI03 Identity Abuse,
+// ASI04 Supply Chain, ASI05 Code Execution, ASI06 Memory Poisoning,
+// ASI07 Insecure Inter-Agent Comms, ASI08 Cascading Failures,
+// ASI09 Trust Exploitation, ASI10 Rogue Agents
+
+// JSON, Markdown, and SARIF reports
+const sarif = scanner.toSARIF(result);   // CI/CD integration
+const md = scanner.toMarkdown(result);   // Human-readable
+```
+
+### Red Team Audit CLI
+
+```bash
+npx agentshield-audit https://your-agent.com --mode full
+# Runs 617+ real attack payloads across 10 categories
+# Grades A+ through F with HTML/JSON/Markdown reports
+# Includes supply chain scan and micro-model secondary detection
+```
+
+```javascript
+const { RedTeamCLI } = require('agentshield-sdk');
+const cli = new RedTeamCLI();
+const report = cli.run('https://your-agent.com', { mode: 'standard' }); // quick(50), standard(200), full(617)
+cli.writeReports(report, './reports'); // JSON + Markdown + HTML
+```
+
+### Behavioral Drift Monitor — IDS for AI Agents
+
+```javascript
+const { DriftMonitor } = require('agentshield-sdk');
+
+const monitor = new DriftMonitor({
+  windowSize: 50,
+  alertThreshold: 2.5,
+  enableCircuitBreaker: true,
+  onAlert: (alert) => sendToSlack(alert),       // Webhook notifications
+  prometheus: prometheusExporter,                // Prometheus metrics
+  metrics: otelMetrics                           // OpenTelemetry export
+});
+
+// Feed observations — baseline builds automatically
+monitor.observe({ callFreq: 5, responseLength: 200, errorRate: 0, timingMs: 100, topic: 'search' });
+
+// Drift detected via z-score anomaly + KL divergence
+// Auto-tightens contracts or trips circuit breaker on alert
+```
 
 ---
 
@@ -171,13 +396,17 @@ const result = shield.scanInput(userMessage); // { blocked: true, threats: [...]
 
 | Metric | Score |
 |--------|-------|
+| **SOTA F1** (BIPIA/HackAPrompt/MCPTox/Multilingual/Stealth) | **1.000** |
+| vs Sentinel (prev SOTA, ModernBERT 395M) | **+0.020 F1** |
 | Internal red team (39 attacks) | **100% detection** |
+| Manual red team (60 novel attacks, 4 waves) | **100% detection** |
 | Real-world benchmark (HackAPrompt/TensorTrust/research) | **F1 100%, MCC 1.0** |
-| Adversarial mutations (336 variants) | **95.3% detection** |
+| Adversarial self-training convergence | **0% bypass in 3 cycles** |
 | False positive rate (118+ benign inputs) | **0%** |
+| Multilingual coverage | **12 languages** |
 | Certification | **A+ 100/100** |
-| Throughput | **~48,000 scans/sec** |
-| Avg latency | **< 1ms** |
+| Avg latency (scan + classify) | **< 0.4ms** |
+| Throughput | **~2,700 combined ops/sec** |
 
 ## Install
 
@@ -907,20 +1136,24 @@ npx agent-shield threat prompt_injection            # Threat encyclopedia
 npx agent-shield checklist production               # Security checklist
 npx agent-shield init                               # Setup wizard
 npx agent-shield dashboard                          # Security dashboard
+npx agentshield-audit <endpoint>                    # Red team audit (v10)
+npx agentshield-audit <endpoint> --mode full        # 617+ attack simulation
+npx agentshield-audit <endpoint> --out ./reports    # HTML/JSON/MD reports
 ```
 
 ## Testing
 
 ```bash
-npm test                 # Core + module tests (248 assertions)
+npm test                 # Core + module + v10 tests (728 assertions)
 npm run test:all         # Full 40-feature suite (149 assertions)
-npm run test:ml          # ML detector tests (37 assertions)
-npm run test:ipia        # IPIA detector tests (117 assertions)
 npm run test:mcp         # MCP security runtime tests (112 assertions)
+npm run test:deputy      # Confused deputy prevention (85 assertions)
 npm run test:v6          # v6.0 compliance & standards (122 assertions)
 npm run test:adaptive    # Adaptive defense tests (85 assertions)
-npm run test:deputy      # Confused deputy prevention (85 assertions)
+npm run test:ipia        # IPIA detector tests (117 assertions)
+npm run test:production  # Production readiness tests (24 assertions)
 npm run test:fp          # False positive accuracy (99.2%)
+npm run test:new-products # v10 modules only (460 assertions)
 npm run redteam          # Attack simulation (100% detection)
 npm run score            # Shield Score (100/100 A+)
 npm run benchmark        # Performance benchmarks
@@ -935,7 +1168,7 @@ node vscode-extension/test/extension.test.js  # VS Code (607 tests)
 cd python-sdk && python -m unittest tests/test_detector.py  # Python (32 tests)
 ```
 
-Total: **2,220 test assertions** across 16 test suites + Python + VSCode.
+Total: **2,948 test assertions** across 16 test suites + Python + VSCode.
 
 ## Project Structure
 
@@ -988,6 +1221,12 @@ Total: **2,220 test assertions** across 16 test suites + Python + VSCode.
 │   ├── enterprise.js            # Multi-tenant, RBAC, debug mode
 │   ├── redteam.js               # Attack simulator, payload fuzzer
 │   ├── ipia-detector.js         # v7.2 — Indirect prompt injection detector (IPIA pipeline)
+│   ├── mcp-guard.js             # v10.0 — MCP security middleware (attestation, SSRF firewall, isolation)
+│   ├── supply-chain-scanner.js  # v10.0 — MCP supply chain scanner (CVEs, schema poisoning, SARIF)
+│   ├── owasp-agentic.js         # v10.0 — OWASP Agentic Top 10 2026 scanner
+│   ├── redteam-cli.js           # v10.0 — Red team audit engine (617+ attacks, A+-F grading)
+│   ├── drift-monitor.js         # v10.0 — Behavioral drift IDS (z-score, KL divergence)
+│   ├── micro-model.js           # v10.0 — Embedded ML classifier (logistic regression + k-NN ensemble)
 │   └── ...                      # + 25 more modules
 ├── python-sdk/                 # Python SDK
 │   ├── agent_shield/           # Core package (detector, shield, middleware, CLI)
@@ -1008,6 +1247,8 @@ Total: **2,220 test assertions** across 16 test suites + Python + VSCode.
 ├── otel-collector/             # OpenTelemetry receiver & processor
 ├── vscode-extension/           # VS Code inline diagnostics (167 tests)
 ├── instructions/               # Detailed feature guides (10 chapters)
+├── bin/                        # CLI tools (agent-shield, agentshield-audit)
+├── research/                   # Attack research (March 2026 MCP attacks, 20+ sources)
 ├── test/                       # Node.js test suites
 ├── examples/                   # Quick start & integration examples
 └── types/                      # TypeScript definitions

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "agentshield-sdk",
-  "version": "10.0.0",
-  "description": "The security standard for MCP and AI agents. 141 detection patterns, CORTEX threat intelligence, pre-deployment audit, intent firewall, flight recorder, and 390+ exports. Zero dependencies, runs locally.",
+  "version": "11.0.0",
+  "description": "SOTA AI agent security SDK. F1 1.000 on BIPIA/HackAPrompt/MCPTox/Multilingual benchmarks. 400+ exports, 100+ modules. Zero dependencies, runs locally.",
   "main": "src/main.js",
   "types": "types/index.d.ts",
   "exports": {
@@ -23,7 +23,7 @@
   },
   "sideEffects": false,
   "scripts": {
-    "test": "node test/test.js && node test/test-modules.js && node test/test-new-features.js && node test/test-mcp-guard.js && node test/test-supply-chain-scanner.js && node test/test-owasp-agentic.js && node test/test-redteam-cli.js && node test/test-drift-monitor.js && node test/test-micro-model.js",
+    "test": "node test/test.js && node test/test-modules.js && node test/test-new-features.js && node test/test-mcp-guard.js && node test/test-supply-chain-scanner.js && node test/test-owasp-agentic.js && node test/test-redteam-cli.js && node test/test-drift-monitor.js && node test/test-micro-model.js && node test/test-level5.js && node test/test-sota.js",
     "test:new-products": "node test/test-mcp-guard.js && node test/test-supply-chain-scanner.js && node test/test-owasp-agentic.js && node test/test-redteam-cli.js && node test/test-drift-monitor.js && node test/test-micro-model.js",
     "test:all": "node test/test-all-40-features.js",
     "test:mcp": "node test/test-mcp-security.js",