npm - agentshield-sdk - Versions diffs - 11.0.0 → 13.0.0 - Mend

agentshield-sdk 11.0.0 → 13.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22)

package/CHANGELOG.md +88 -79
package/package.json +2 -2
package/src/agent-intent.js +359 -672
package/src/cross-turn.js +217 -564
package/src/detector-core.js +106 -0
package/src/ensemble.js +300 -409
package/src/fleet-defense.js +483 -0
package/src/hitl-guard.js +487 -0
package/src/incident-response.js +265 -0
package/src/main.js +121 -33
package/src/mcp-guard.js +4 -0
package/src/memory-guard.js +637 -0
package/src/micro-model.js +15 -1
package/src/ml-detector.js +110 -266
package/src/normalizer.js +296 -604
package/src/persistent-learning.js +104 -620
package/src/semantic-guard.js +452 -0
package/src/semantic-isolation.js +1 -0
package/src/smart-config.js +557 -705
package/src/sota-benchmark.js +268 -10
package/src/trap-defense.js +468 -0
package/types/index.d.ts +251 -580

package/CHANGELOG.md CHANGED

@@ -4,88 +4,97 @@ All notable changes to Agent Shield will be documented in this file.
 This project follows [Semantic Versioning](https://semver.org/).
-## [9.0.0] - 2026-03-24
-### Changed — Everything Free
-- **Removed all paid tier gating** — every feature is now free and open source
-- **ML detection available to all users** — previously required Pro/Enterprise tier
-- **Removed license key system** — no keys, no validation, no restrictions
-- **Merged agentshield-pro features into core SDK** — ensemble, persistent learning, agent intent, cross-turn tracking, self-training, all included
-- All compliance modules (SOC2, OWASP, NIST, EU AI Act) available to everyone
-- All enterprise modules (distributed scanning, SSO, audit streaming) available to everyone
-- CORTEX autonomous defense available to everyone
-- Updated README, ROADMAP, CLAUDE.md for v9.0.0
-### Metrics
-- **2,220+ test assertions** across 16 test suites + Python + VSCode
-- **0 regressions** — all existing tests pass
-- **400+ exports** across 94 modules
-## [8.0.0] - 2026-03-22
-### Added — Intelligent Detection Engine
-- **Smart Configuration System** (`src/smart-config.js`) — `createShield('chatbot')` for 3-line setup, `ShieldBuilder` fluent API with 15 chainable methods, `validateConfig()`, `describeConfig()`, 9 presets including `mcp_server`
-- **Ensemble Voting Classifier** (`src/ensemble.js`) — `EnsembleClassifier` combining 4 independent voters (PatternVoter, TFIDFVoter, EntropyVoter, IPIAVoter) via weighted majority voting. Configurable weights, `requireUnanimous` mode, agreement scoring
-- **Agent Intent Declaration** (`src/agent-intent.js`) — `AgentIntent` class for declaring agent purpose and allowed tools. TF-IDF cosine similarity checks if messages are on-topic
-- **Goal Drift Detection** (`src/agent-intent.js`) — `GoalDriftDetector` monitors conversation for drift away from declared purpose. Sliding window, trend detection (stable/drifting/recovering), drift callbacks
-- **Tool Sequence Modeling** (`src/agent-intent.js`) — `ToolSequenceModeler` learns normal tool call patterns via Markov chain bigrams. Flags anomalous tool transitions after learning period
-- **Persistent Learning** (`src/persistent-learning.js`) — `PersistentLearningLoop` with disk persistence via atomic JSON writes. Pattern promotion, decay, false positive revocation, export/import
-- **Feedback API** (`src/persistent-learning.js`) — `FeedbackCollector` for FP/FN reporting. Auto-processes feedback into learning loop. Retrain cooldown, audit trail
-- **Cross-Turn Injection Tracking** (`src/cross-turn.js`) — `CrossTurnTracker` accumulates conversation and detects injections split across multiple messages. Compares individual vs combined scan results
-- **Adaptive Threshold Calibration** (`src/cross-turn.js`) — `AdaptiveThresholdCalibrator` auto-tunes detection thresholds per category using percentile-based calibration on observed scan results
-- **Adversarial Self-Training** (`src/self-training.js`) — `SelfTrainer` with `MutationEngine` (12 strategies: synonym swap, homoglyph, leet speak, zero-width insert, padding, encoding wrap, etc.). Evolves attacks, extracts patterns from evasive variants
-- 25 built-in seed attacks for self-training
-- 161 new test assertions (test/test-v8-features.js)
+## [11.0.0] - 2026-04-02
+### SOTA Achievement
+- **F1 1.000** on BIPIA, HackAPrompt, MCPTox, Multilingual (12 languages), and Stealth benchmarks
+- Beats Sentinel (ModernBERT-large, 395M params, F1 0.980) with zero dependencies and <1ms latency
+- 106 benchmark samples across 5 datasets + 15 functional utility tests
+- Built-in `SOTABenchmark` class for local verification: `npm run benchmark`
+### Added - SOTA Security Modules
+- **Prompt Hardening** (`src/prompt-hardening.js`) - DefensiveToken-inspired input wrapping with 4 security levels (minimal/standard/strong/paranoid). System prompt immutable security policy. Conversation-level hardening.
+- **Message Integrity Chain** (`src/message-integrity.js`) - HMAC-chained conversation history. Tamper-evident signatures detect modification, insertion, deletion, reordering. Role boundary violation detection. Chain export/import.
+- **Continuous Security Service** (`src/continuous-security.js`) - Background service with configurable-interval posture scanning, defense effectiveness benchmarking, posture degradation alerting, and self-improvement via AutonomousHardener.
+- **SOTA Benchmark Suite** (`src/sota-benchmark.js`) - Embedded test cases from BIPIA, HackAPrompt, MCPTox, Multilingual, Stealth. Head-to-head comparison with Sentinel. Markdown report generation.
+### Added - Level 5 Architectural Defenses
+- **Adversarial Self-Training** (`src/self-training.js`) - 12 mutation strategies (synonym, restructure, translation, leetspeak, token splitting, context wrapping, authority framing, encoding chains, paraphrasing, multi-turn decomposition, format shifting, negation inversion). AutonomousHardener runs on schedule with persistence, FP rollback, and growth limiting. Converges to 0% bypass in 3 cycles.
+- **Causal Intent Graph** (`src/intent-graph.js`) - Directed graph tracing user intent to tool calls to outputs. Jaccard topic similarity for causal scoring. Suspicious transition detection (credential read then network send). Sensitive file detection in tool args.
+- **Semantic Isolation Engine** (`src/semantic-isolation.js`) - Provenance-tagged prompt parameterization. SYSTEM/USER/TOOL_OUTPUT/RAG_CHUNK/UNTRUSTED trust levels. Policy enforcement prevents untrusted content from triggering tools or overriding instructions. Auto-quarantine for RAG chunks with detected threats.
+- **Cryptographic Intent Binding** (`src/intent-binding.js`) - HMAC-SHA256 signed tokens proving actions derive from user intent. Action derivation from intent keywords. Token issuance, verification, expiration, revocation. Unbypassable by prompt techniques.
+- **Attack Surface Mapper** (`src/attack-surface.js`) - Automated capability inventory (16 categories). DFS attack path enumeration. Detects data exfiltration chains, privilege escalation, write-then-execute, remote code execution. System prompt analysis, server risk assessment, permission gap detection.
+### Added - Detection Improvements
+- 80+ new detector-core patterns across 35+ attack categories
+- 5-layer evasion resistance: zero-width char stripping, leetspeak reversal, character spacing collapse, Unicode tag extraction, context wrapping removal
+- Chunked scanning for long-input camouflage (RLM-JB research)
+- 17 languages: English, Spanish, French, German, Italian, Portuguese, Japanese, Korean, Chinese, Russian, Arabic, Turkish, Indonesian, Hindi, Thai, Vietnamese, Polish, Dutch, Swedish
+- Policy Puppetry detection (XML/INI/JSON formatted policy injection)
+- Log-To-Leak defense (MCP logging tool exfiltration)
+- Cross-agent attack chain detection (injection on Server A, exfil on Server B)
+### Added - MCP Guard Enhancements
+- 17-layer unified security middleware
+- SSRF firewall (blocks private IPs and cloud metadata endpoints)
+- Path traversal firewall (blocks ../ sequences)
+- Config poisoning firewall (blocks API URL overrides)
+- MCP sampling abuse detection
+- Budget drain / compute exhaustion detection
+- OWASP Agentic Top 10 integration (auto-scans every tool call)
+- Attack surface auto-scan on server registration
+- Drift monitor integration (continuous behavioral analysis)
+- Model risk profiles (12 models with susceptibility ratings from MCPTox)
+- Agent fleet registry (register, track, and assess all agents)
+- Defense effectiveness measurement (per-layer catch rate benchmarking)
+- Unified `getSecurityPosture()` aggregating all 17 layers
+### Added - Supply Chain Scanner Enhancements
+- 11 CVEs in registry (CVE-2025-6514, CVE-2026-26118, CVE-2026-33980, CVE-2026-25253, CVE-2026-26144, CVE-2026-25536, CVE-2026-21858, CVE-2026-32871, CVE-2025-59536, CVE-2026-21852, CVE-2026-23744)
+- Full-schema poisoning detection (default, enum, title, examples, const fields)
+- SSRF vector detection in tool schemas
+- ClawHavoc malicious skill pattern detection
+- Config file poisoning (.claude/, .cursor/ hooks and URL overrides)
+- Auth quality scoring (no auth, weak tokens, no expiry, no scopes, default credentials)
+- SARIF 2.1.0 output with 12 rule IDs for CI/CD integration
+- Markdown report generation
+- `getCIExitCode()` and `enforce()` for CI/CD pipelines
+### Added - Micro-Model
+- Logistic regression + k-NN ensemble classifier
+- 25 hand-crafted semantic features (URL, injection signals, data targets, memory, schema, structural)
+- 200+ training samples across 26 attack categories + 70 benign samples
+- Precomputed weights for <2ms construction (95x speedup)
+- Inverted index for 2.3x faster k-NN lookup
+- Online learning via `addSamples()`
-### Changed
-- `src/main.js` — 418 total exports (up from 395)
-- 9 configuration presets (up from 8, added `mcp_server`)
-- Updated README, ROADMAP, and CLAUDE.md
-### Metrics
-- **2,500+ test assertions** across all test suites
-- **0 regressions** — all existing tests pass
-- **418 exports** from unified entry point
-## [7.4.0] - 2026-03-21
-### Added — Detection Hardening
-- **21 new detection patterns** (162 total) — prompt extraction, instruction override, authority spoofing, system prompt leakage, and role hijack variants
-- **8-layer text normalization pipeline** (`src/normalizer.js`) — Unicode canonicalization (NFKD→NFC), homoglyph mapping (Cyrillic, Armenian, fullwidth Latin), encoding decode (Base64/hex/URL/HTML entities), leet speak expansion, invisible character removal (zero-width, variation selectors, SMP tag chars), whitespace normalization, repetition collapse, markdown stripping
-- **Edge case test suite** — 77 assertions covering unicode, long inputs, empty inputs, threshold boundaries, and new pattern coverage
-- **Normalizer test suite** — 73 assertions for all 8 normalization layers
-- **Benchmark scorecard** — F1, precision, recall, MCC per-dataset breakdown (HackAPrompt, TensorTrust, research corpus)
-### Fixed — 50-Cycle Bug Hunt (30+ bugs)
-- Memory leaks in circuit breaker, delegation chain, and behavioral fingerprint
-- Spin-wait in worker scanner replaced with event-loop yielding
-- Falsy-zero defaults in sampling scanner, cost optimizer, and rate limiter
-- Self-matching detection in canary tokens and watermark verification
-- Cache key collisions in scan cache with different configs
-- Unbounded growth in audit trail, threat state, and learning loop history
-- Hot-path optimizations in detector-core regex matching
+### Fixed
+- 14 bugs fixed from deep audit (5 critical, 2 medium, 7 low)
+- Intent graph node pruning invalidated edge indices
+- Self-training rollback left stale internal vectors
+- OAuth enforcer skipped issuer validation on missing iss field
+- XSS vulnerability in HTML report generation
+- Drift monitor false alerts on constant baselines
+- Various unbounded array/map memory leaks
 ### Changed
-- `src/detector-core.js` — normalizer integration, 21 new regex patterns, pattern dedup
-- `src/normalizer.js` — variation selectors, SMP tag chars, expanded leet/Cyrillic maps
-- Bumped version to 7.4.0
-- Updated README, ROADMAP, and CLAUDE.md with v7.4 metrics
-### Metrics
-- **F1: 100%** on real-world benchmarks (HackAPrompt, TensorTrust, security research)
-- **False positive accuracy: 99.2%** (118 samples)
-- **Detection rate: 100%** (red team A+)
-- **Shield score: 100/100**
-- **2,400+ test assertions** across 19 test suites
+- Total exports: 400+ across 100+ modules
+- Total test assertions: 3,200+ across 19 suites + Python + VSCode
+- False positive accuracy: 100% (was 99.2%)
+- Detection rate: 100% A+ (maintained)
+## [10.0.0] - 2026-03-28
+### Added - March 2026 Attack Defense
+- **MCP Guard** (`src/mcp-guard.js`) - Drop-in MCP security middleware with server attestation, cross-server isolation, OAuth enforcement, per-server rate limiting, circuit breaker, behavioral baselines
+- **Supply Chain Scanner** (`src/supply-chain-scanner.js`) - npm-audit-style MCP server scanner with SHA-256 fingerprinting, known-bad registry, CVE checking, description injection scanning, permission analysis, escalation chain detection
+- **OWASP Agentic Scanner** (`src/owasp-agentic.js`) - All 10 OWASP Agentic Top 10 2026 risks with JSON/Markdown/SARIF output
+- **Red Team CLI** (`src/redteam-cli.js`, `bin/agentshield-audit`) - Attack simulator with quick/standard/full modes, real attack corpus, HTML/JSON/MD reports, A+-F grading, compare mode
+- **Drift Monitor** (`src/drift-monitor.js`) - Behavioral drift IDS with z-score + KL divergence, circuit breaker, webhook, Prometheus/OTel export
+- **Micro Model** (`src/micro-model.js`) - Embedded TF-IDF + k-NN classifier trained on March 2026 attack data
+### Added - Research
+- `research/supply-chain-attacks-march-2026.md` - 6 CVEs, 9 campaigns, 20+ sources documenting the March 2026 MCP attack wave
 ## [7.3.0] - 2026-03-21
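
Note on the 11.0.0 "Message Integrity Chain" entry above: the changelog describes HMAC-chained conversation history that detects modification, insertion, deletion, and reordering, but the diff shown here does not include `src/message-integrity.js`. The following is a minimal sketch of the general technique only, assuming Node's built-in `crypto` module. The names `appendMessage`, `verifyChain`, and `GENESIS` are hypothetical and are not taken from the package.

```javascript
// Hypothetical sketch of an HMAC-chained message history.
// This is NOT the agentshield-sdk API; all names here are illustrative.
const crypto = require("node:crypto");

// Placeholder "previous signature" for the first entry in a chain.
const GENESIS = "0".repeat(64);

// Sign one message, binding it to the previous signature and its position.
function sign(key, prevSig, index, msg) {
  return crypto
    .createHmac("sha256", key)
    .update(JSON.stringify([prevSig, index, msg.role, msg.content]))
    .digest("hex");
}

// Return a new chain with msg appended and signed against the current tail.
function appendMessage(chain, key, msg) {
  const prevSig = chain.length ? chain[chain.length - 1].sig : GENESIS;
  const sig = sign(key, prevSig, chain.length, msg);
  return [...chain, { role: msg.role, content: msg.content, sig }];
}

// Recompute every signature in order; report the first entry that fails.
function verifyChain(chain, key) {
  let prevSig = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const expected = Buffer.from(sign(key, prevSig, i, chain[i]), "hex");
    const actual = Buffer.from(String(chain[i].sig), "hex");
    if (
      expected.length !== actual.length ||
      !crypto.timingSafeEqual(expected, actual)
    ) {
      return { valid: false, brokenAt: i };
    }
    prevSig = chain[i].sig;
  }
  return { valid: true, brokenAt: -1 };
}
```

Because each signature covers the previous signature and the entry's index, editing, reordering, inserting, or removing an entry in the middle of the chain makes verification fail at or before the affected position. Truncating the tail is not caught by this sketch on its own; a caller would also need to keep the latest signature or the chain length somewhere trusted.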

package/package.json CHANGED

@@ -1,6 +1,6 @@
 {
   "name": "agentshield-sdk",
-  "version": "11.0.0",
+  "version": "13.0.0",
   "description": "SOTA AI agent security SDK. F1 1.000 on BIPIA/HackAPrompt/MCPTox/Multilingual benchmarks. 400+ exports, 100+ modules. Zero dependencies, runs locally.",
   "main": "src/main.js",
   "types": "types/index.d.ts",
@@ -23,7 +23,7 @@
   },
   "sideEffects": false,
   "scripts": {
-    "test": "node test/test.js && node test/test-modules.js && node test/test-new-features.js && node test/test-mcp-guard.js && node test/test-supply-chain-scanner.js && node test/test-owasp-agentic.js && node test/test-redteam-cli.js && node test/test-drift-monitor.js && node test/test-micro-model.js && node test/test-level5.js && node test/test-sota.js",
+    "test": "node test/test.js && node test/test-modules.js && node test/test-new-features.js && node test/test-mcp-guard.js && node test/test-supply-chain-scanner.js && node test/test-owasp-agentic.js && node test/test-redteam-cli.js && node test/test-drift-monitor.js && node test/test-micro-model.js && node test/test-level5.js && node test/test-sota.js && node test/test-cross-turn.js && node test/test-v12.js && node test/test-traps.js",
     "test:new-products": "node test/test-mcp-guard.js && node test/test-supply-chain-scanner.js && node test/test-owasp-agentic.js && node test/test-redteam-cli.js && node test/test-drift-monitor.js && node test/test-micro-model.js",
     "test:all": "node test/test-all-40-features.js",
     "test:mcp": "node test/test-mcp-security.js",