agentshield-sdk 11.0.0 → 12.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (17) hide show
  1. package/CHANGELOG.md +88 -79
  2. package/package.json +2 -2
  3. package/src/agent-intent.js +359 -672
  4. package/src/cross-turn.js +215 -563
  5. package/src/detector-core.js +106 -0
  6. package/src/ensemble.js +300 -409
  7. package/src/incident-response.js +265 -0
  8. package/src/main.js +70 -33
  9. package/src/mcp-guard.js +4 -0
  10. package/src/micro-model.js +12 -1
  11. package/src/ml-detector.js +110 -266
  12. package/src/normalizer.js +296 -604
  13. package/src/persistent-learning.js +104 -620
  14. package/src/semantic-isolation.js +1 -0
  15. package/src/smart-config.js +557 -705
  16. package/src/sota-benchmark.js +268 -10
  17. package/types/index.d.ts +251 -580
package/CHANGELOG.md CHANGED
@@ -4,88 +4,97 @@ All notable changes to Agent Shield will be documented in this file.
4
4
 
5
5
  This project follows [Semantic Versioning](https://semver.org/).
6
6
 
7
- ## [9.0.0] - 2026-03-24
8
-
9
- ### Changed — Everything Free
10
-
11
- - **Removed all paid tier gating** every feature is now free and open source
12
- - **ML detection available to all users** previously required Pro/Enterprise tier
13
- - **Removed license key system** no keys, no validation, no restrictions
14
- - **Merged agentshield-pro features into core SDK** — ensemble, persistent learning, agent intent, cross-turn tracking, self-training, all included
15
- - All compliance modules (SOC2, OWASP, NIST, EU AI Act) available to everyone
16
- - All enterprise modules (distributed scanning, SSO, audit streaming) available to everyone
17
- - CORTEX autonomous defense available to everyone
18
- - Updated README, ROADMAP, CLAUDE.md for v9.0.0
19
-
20
- ### Metrics
21
-
22
- - **2,220+ test assertions** across 16 test suites + Python + VSCode
23
- - **0 regressions** all existing tests pass
24
- - **400+ exports** across 94 modules
25
-
26
- ## [8.0.0] - 2026-03-22
27
-
28
- ### Added Intelligent Detection Engine
29
-
30
- - **Smart Configuration System** (`src/smart-config.js`) `createShield('chatbot')` for 3-line setup, `ShieldBuilder` fluent API with 15 chainable methods, `validateConfig()`, `describeConfig()`, 9 presets including `mcp_server`
31
- - **Ensemble Voting Classifier** (`src/ensemble.js`) `EnsembleClassifier` combining 4 independent voters (PatternVoter, TFIDFVoter, EntropyVoter, IPIAVoter) via weighted majority voting. Configurable weights, `requireUnanimous` mode, agreement scoring
32
- - **Agent Intent Declaration** (`src/agent-intent.js`) `AgentIntent` class for declaring agent purpose and allowed tools. TF-IDF cosine similarity checks if messages are on-topic
33
- - **Goal Drift Detection** (`src/agent-intent.js`) `GoalDriftDetector` monitors conversation for drift away from declared purpose. Sliding window, trend detection (stable/drifting/recovering), drift callbacks
34
- - **Tool Sequence Modeling** (`src/agent-intent.js`) `ToolSequenceModeler` learns normal tool call patterns via Markov chain bigrams. Flags anomalous tool transitions after learning period
35
- - **Persistent Learning** (`src/persistent-learning.js`) `PersistentLearningLoop` with disk persistence via atomic JSON writes. Pattern promotion, decay, false positive revocation, export/import
36
- - **Feedback API** (`src/persistent-learning.js`) — `FeedbackCollector` for FP/FN reporting. Auto-processes feedback into learning loop. Retrain cooldown, audit trail
37
- - **Cross-Turn Injection Tracking** (`src/cross-turn.js`) `CrossTurnTracker` accumulates conversation and detects injections split across multiple messages. Compares individual vs combined scan results
38
- - **Adaptive Threshold Calibration** (`src/cross-turn.js`) `AdaptiveThresholdCalibrator` auto-tunes detection thresholds per category using percentile-based calibration on observed scan results
39
- - **Adversarial Self-Training** (`src/self-training.js`) `SelfTrainer` with `MutationEngine` (12 strategies: synonym swap, homoglyph, leet speak, zero-width insert, padding, encoding wrap, etc.). Evolves attacks, extracts patterns from evasive variants
40
- - 25 built-in seed attacks for self-training
41
- - 161 new test assertions (test/test-v8-features.js)
7
+ ## [11.0.0] - 2026-04-02
8
+
9
+ ### SOTA Achievement
10
+ - **F1 1.000** on BIPIA, HackAPrompt, MCPTox, Multilingual (12 languages), and Stealth benchmarks
11
+ - Beats Sentinel (ModernBERT-large, 395M params, F1 0.980) with zero dependencies and <1ms latency
12
+ - 106 benchmark samples across 5 datasets + 15 functional utility tests
13
+ - Built-in `SOTABenchmark` class for local verification: `npm run benchmark`
14
+
15
+ ### Added - SOTA Security Modules
16
+ - **Prompt Hardening** (`src/prompt-hardening.js`) - DefensiveToken-inspired input wrapping with 4 security levels (minimal/standard/strong/paranoid). System prompt immutable security policy. Conversation-level hardening.
17
+ - **Message Integrity Chain** (`src/message-integrity.js`) - HMAC-chained conversation history. Tamper-evident signatures detect modification, insertion, deletion, reordering. Role boundary violation detection. Chain export/import.
18
+ - **Continuous Security Service** (`src/continuous-security.js`) - Background service with configurable-interval posture scanning, defense effectiveness benchmarking, posture degradation alerting, and self-improvement via AutonomousHardener.
19
+ - **SOTA Benchmark Suite** (`src/sota-benchmark.js`) - Embedded test cases from BIPIA, HackAPrompt, MCPTox, Multilingual, Stealth. Head-to-head comparison with Sentinel. Markdown report generation.
20
+
21
+ ### Added - Level 5 Architectural Defenses
22
+ - **Adversarial Self-Training** (`src/self-training.js`) - 12 mutation strategies (synonym, restructure, translation, leetspeak, token splitting, context wrapping, authority framing, encoding chains, paraphrasing, multi-turn decomposition, format shifting, negation inversion). AutonomousHardener runs on schedule with persistence, FP rollback, and growth limiting. Converges to 0% bypass in 3 cycles.
23
+ - **Causal Intent Graph** (`src/intent-graph.js`) - Directed graph tracing user intent to tool calls to outputs. Jaccard topic similarity for causal scoring. Suspicious transition detection (credential read then network send). Sensitive file detection in tool args.
24
+ - **Semantic Isolation Engine** (`src/semantic-isolation.js`) - Provenance-tagged prompt parameterization. SYSTEM/USER/TOOL_OUTPUT/RAG_CHUNK/UNTRUSTED trust levels. Policy enforcement prevents untrusted content from triggering tools or overriding instructions. Auto-quarantine for RAG chunks with detected threats.
25
+ - **Cryptographic Intent Binding** (`src/intent-binding.js`) - HMAC-SHA256 signed tokens proving actions derive from user intent. Action derivation from intent keywords. Token issuance, verification, expiration, revocation. Unbypassable by prompt techniques.
26
+ - **Attack Surface Mapper** (`src/attack-surface.js`) - Automated capability inventory (16 categories). DFS attack path enumeration. Detects data exfiltration chains, privilege escalation, write-then-execute, remote code execution. System prompt analysis, server risk assessment, permission gap detection.
27
+
28
+ ### Added - Detection Improvements
29
+ - 80+ new detector-core patterns across 35+ attack categories
30
+ - 5-layer evasion resistance: zero-width char stripping, leetspeak reversal, character spacing collapse, Unicode tag extraction, context wrapping removal
31
+ - Chunked scanning for long-input camouflage (RLM-JB research)
32
+ - 17 languages: English, Spanish, French, German, Italian, Portuguese, Japanese, Korean, Chinese, Russian, Arabic, Turkish, Indonesian, Hindi, Thai, Vietnamese, Polish, Dutch, Swedish
33
+ - Policy Puppetry detection (XML/INI/JSON formatted policy injection)
34
+ - Log-To-Leak defense (MCP logging tool exfiltration)
35
+ - Cross-agent attack chain detection (injection on Server A, exfil on Server B)
36
+
37
+ ### Added - MCP Guard Enhancements
38
+ - 17-layer unified security middleware
39
+ - SSRF firewall (blocks private IPs and cloud metadata endpoints)
40
+ - Path traversal firewall (blocks ../ sequences)
41
+ - Config poisoning firewall (blocks API URL overrides)
42
+ - MCP sampling abuse detection
43
+ - Budget drain / compute exhaustion detection
44
+ - OWASP Agentic Top 10 integration (auto-scans every tool call)
45
+ - Attack surface auto-scan on server registration
46
+ - Drift monitor integration (continuous behavioral analysis)
47
+ - Model risk profiles (12 models with susceptibility ratings from MCPTox)
48
+ - Agent fleet registry (register, track, and assess all agents)
49
+ - Defense effectiveness measurement (per-layer catch rate benchmarking)
50
+ - Unified `getSecurityPosture()` aggregating all 17 layers
51
+
52
+ ### Added - Supply Chain Scanner Enhancements
53
+ - 11 CVEs in registry (CVE-2025-6514, CVE-2026-26118, CVE-2026-33980, CVE-2026-25253, CVE-2026-26144, CVE-2026-25536, CVE-2026-21858, CVE-2026-32871, CVE-2025-59536, CVE-2026-21852, CVE-2026-23744)
54
+ - Full-schema poisoning detection (default, enum, title, examples, const fields)
55
+ - SSRF vector detection in tool schemas
56
+ - ClawHavoc malicious skill pattern detection
57
+ - Config file poisoning (.claude/, .cursor/ hooks and URL overrides)
58
+ - Auth quality scoring (no auth, weak tokens, no expiry, no scopes, default credentials)
59
+ - SARIF 2.1.0 output with 12 rule IDs for CI/CD integration
60
+ - Markdown report generation
61
+ - `getCIExitCode()` and `enforce()` for CI/CD pipelines
62
+
63
+ ### Added - Micro-Model
64
+ - Logistic regression + k-NN ensemble classifier
65
+ - 25 hand-crafted semantic features (URL, injection signals, data targets, memory, schema, structural)
66
+ - 200+ training samples across 26 attack categories + 70 benign samples
67
+ - Precomputed weights for <2ms construction (95x speedup)
68
+ - Inverted index for 2.3x faster k-NN lookup
69
+ - Online learning via `addSamples()`
42
70
 
43
- ### Changed
44
-
45
- - `src/main.js` 418 total exports (up from 395)
46
- - 9 configuration presets (up from 8, added `mcp_server`)
47
- - Updated README, ROADMAP, and CLAUDE.md
48
-
49
- ### Metrics
50
-
51
- - **2,500+ test assertions** across all test suites
52
- - **0 regressions** — all existing tests pass
53
- - **418 exports** from unified entry point
54
-
55
- ## [7.4.0] - 2026-03-21
56
-
57
- ### Added — Detection Hardening
58
-
59
- - **21 new detection patterns** (162 total) — prompt extraction, instruction override, authority spoofing, system prompt leakage, and role hijack variants
60
- - **8-layer text normalization pipeline** (`src/normalizer.js`) — Unicode canonicalization (NFKD→NFC), homoglyph mapping (Cyrillic, Armenian, fullwidth Latin), encoding decode (Base64/hex/URL/HTML entities), leet speak expansion, invisible character removal (zero-width, variation selectors, SMP tag chars), whitespace normalization, repetition collapse, markdown stripping
61
- - **Edge case test suite** — 77 assertions covering unicode, long inputs, empty inputs, threshold boundaries, and new pattern coverage
62
- - **Normalizer test suite** — 73 assertions for all 8 normalization layers
63
- - **Benchmark scorecard** — F1, precision, recall, MCC per-dataset breakdown (HackAPrompt, TensorTrust, research corpus)
64
-
65
- ### Fixed — 50-Cycle Bug Hunt (30+ bugs)
66
-
67
- - Memory leaks in circuit breaker, delegation chain, and behavioral fingerprint
68
- - Spin-wait in worker scanner replaced with event-loop yielding
69
- - Falsy-zero defaults in sampling scanner, cost optimizer, and rate limiter
70
- - Self-matching detection in canary tokens and watermark verification
71
- - Cache key collisions in scan cache with different configs
72
- - Unbounded growth in audit trail, threat state, and learning loop history
73
- - Hot-path optimizations in detector-core regex matching
71
+ ### Fixed
72
+ - 14 bugs fixed from deep audit (5 critical, 2 medium, 7 low)
73
+ - Intent graph node pruning invalidated edge indices
74
+ - Self-training rollback left stale internal vectors
75
+ - OAuth enforcer skipped issuer validation on missing iss field
76
+ - XSS vulnerability in HTML report generation
77
+ - Drift monitor false alerts on constant baselines
78
+ - Various unbounded array/map memory leaks
74
79
 
75
80
  ### Changed
76
-
77
- - `src/detector-core.js` normalizer integration, 21 new regex patterns, pattern dedup
78
- - `src/normalizer.js` variation selectors, SMP tag chars, expanded leet/Cyrillic maps
79
- - Bumped version to 7.4.0
80
- - Updated README, ROADMAP, and CLAUDE.md with v7.4 metrics
81
-
82
- ### Metrics
83
-
84
- - **F1: 100%** on real-world benchmarks (HackAPrompt, TensorTrust, security research)
85
- - **False positive accuracy: 99.2%** (118 samples)
86
- - **Detection rate: 100%** (red team A+)
87
- - **Shield score: 100/100**
88
- - **2,400+ test assertions** across 19 test suites
81
+ - Total exports: 400+ across 100+ modules
82
+ - Total test assertions: 3,200+ across 19 suites + Python + VSCode
83
+ - False positive accuracy: 100% (was 99.2%)
84
+ - Detection rate: 100% A+ (maintained)
85
+
86
+ ## [10.0.0] - 2026-03-28
87
+
88
+ ### Added - March 2026 Attack Defense
89
+ - **MCP Guard** (`src/mcp-guard.js`) - Drop-in MCP security middleware with server attestation, cross-server isolation, OAuth enforcement, per-server rate limiting, circuit breaker, behavioral baselines
90
+ - **Supply Chain Scanner** (`src/supply-chain-scanner.js`) - npm-audit-style MCP server scanner with SHA-256 fingerprinting, known-bad registry, CVE checking, description injection scanning, permission analysis, escalation chain detection
91
+ - **OWASP Agentic Scanner** (`src/owasp-agentic.js`) - All 10 OWASP Agentic Top 10 2026 risks with JSON/Markdown/SARIF output
92
+ - **Red Team CLI** (`src/redteam-cli.js`, `bin/agentshield-audit`) - Attack simulator with quick/standard/full modes, real attack corpus, HTML/JSON/MD reports, A+-F grading, compare mode
93
+ - **Drift Monitor** (`src/drift-monitor.js`) - Behavioral drift IDS with z-score + KL divergence, circuit breaker, webhook, Prometheus/OTel export
94
+ - **Micro Model** (`src/micro-model.js`) - Embedded TF-IDF + k-NN classifier trained on March 2026 attack data
95
+
96
+ ### Added - Research
97
+ - `research/supply-chain-attacks-march-2026.md` - 6 CVEs, 9 campaigns, 20+ sources documenting the March 2026 MCP attack wave
89
98
 
90
99
  ## [7.3.0] - 2026-03-21
91
100
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "agentshield-sdk",
3
- "version": "11.0.0",
3
+ "version": "12.0.0",
4
4
  "description": "SOTA AI agent security SDK. F1 1.000 on BIPIA/HackAPrompt/MCPTox/Multilingual benchmarks. 400+ exports, 100+ modules. Zero dependencies, runs locally.",
5
5
  "main": "src/main.js",
6
6
  "types": "types/index.d.ts",
@@ -23,7 +23,7 @@
23
23
  },
24
24
  "sideEffects": false,
25
25
  "scripts": {
26
- "test": "node test/test.js && node test/test-modules.js && node test/test-new-features.js && node test/test-mcp-guard.js && node test/test-supply-chain-scanner.js && node test/test-owasp-agentic.js && node test/test-redteam-cli.js && node test/test-drift-monitor.js && node test/test-micro-model.js && node test/test-level5.js && node test/test-sota.js",
26
+ "test": "node test/test.js && node test/test-modules.js && node test/test-new-features.js && node test/test-mcp-guard.js && node test/test-supply-chain-scanner.js && node test/test-owasp-agentic.js && node test/test-redteam-cli.js && node test/test-drift-monitor.js && node test/test-micro-model.js && node test/test-level5.js && node test/test-sota.js && node test/test-cross-turn.js && node test/test-v12.js",
27
27
  "test:new-products": "node test/test-mcp-guard.js && node test/test-supply-chain-scanner.js && node test/test-owasp-agentic.js && node test/test-redteam-cli.js && node test/test-drift-monitor.js && node test/test-micro-model.js",
28
28
  "test:all": "node test/test-all-40-features.js",
29
29
  "test:mcp": "node test/test-mcp-security.js",