agentshield-sdk 13.2.0 → 13.5.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentshield-sdk",
-  "version": "13.2.0",
+  "version": "13.5.0",
   "description": "SOTA AI agent security SDK. F1 1.000 on BIPIA/HackAPrompt/MCPTox/Multilingual benchmarks. 400+ exports, 100+ modules. Zero dependencies, runs locally.",
   "main": "src/main.js",
   "types": "types/index.d.ts",
@@ -32,7 +32,7 @@
   },
   "sideEffects": false,
   "scripts": {
-    "test": "node test/test.js && node test/test-modules.js && node test/test-new-features.js && node test/test-mcp-guard.js && node test/test-supply-chain-scanner.js && node test/test-owasp-agentic.js && node test/test-redteam-cli.js && node test/test-drift-monitor.js && node test/test-micro-model.js && node test/test-level5.js && node test/test-sota.js && node test/test-cross-turn.js && node test/test-v12.js && node test/test-traps.js && node test/test-deepmind.js",
+    "test": "node test/test.js && node test/test-modules.js && node test/test-new-features.js && node test/test-mcp-guard.js && node test/test-supply-chain-scanner.js && node test/test-owasp-agentic.js && node test/test-redteam-cli.js && node test/test-drift-monitor.js && node test/test-micro-model.js && node test/test-level5.js && node test/test-sota.js && node test/test-cross-turn.js && node test/test-v12.js && node test/test-traps.js && node test/test-deepmind.js && node test/test-render-differential.js && node test/test-sybil.js && node test/test-side-channel.js",
     "test:new-products": "node test/test-mcp-guard.js && node test/test-supply-chain-scanner.js && node test/test-owasp-agentic.js && node test/test-redteam-cli.js && node test/test-drift-monitor.js && node test/test-micro-model.js",
     "test:all": "node test/test-all-40-features.js",
     "test:mcp": "node test/test-mcp-security.js",

package/src/audit-immutable.js

@@ -584,8 +584,10 @@ class ImmutableAuditLog {
    * @param {number} [options.maxAge=0] - Maximum age in milliseconds (0 = unlimited).
    * @param {function} [options.archiveCallback] - Called with removed entries during retention enforcement. Signature: (entries: AuditEntry[]) => void.
    * @param {string} [options.genesisHash] - Custom genesis hash (defaults to GENESIS_HASH).
+   * @param {boolean} [options.sanitizeLogs=false] - Redact sensitive content (emails, SSNs, API keys) before writing to the chain.
    */
   constructor(options = {}) {
+    this.options = options;
     this._store = options.store || new MemoryStore();
     this._maxEntries = options.maxEntries || 0;
     this._maxAge = options.maxAge || 0;
@@ -598,6 +600,59 @@ class ImmutableAuditLog {
     console.log('[Agent Shield] ImmutableAuditLog initialized (store: %s)', this._store.constructor.name);
   }
 
+  /**
+   * Sanitize an entry's data object by redacting sensitive content.
+   * Addresses the security scan finding about audit logs containing sensitive prompt data.
+   *
+   * Redacts:
+   * - Email addresses -> [EMAIL_REDACTED]
+   * - SSN patterns (XXX-XX-XXXX) -> [SSN_REDACTED]
+   * - API key patterns (sk-..., key-..., token-...) -> [KEY_REDACTED]
+   * - Truncates 'content' and 'input' fields to 500 characters max
+   *
+   * @param {object} entry - The data object to sanitize.
+   * @returns {object} A sanitized copy of the data object.
+   */
+  sanitize(entry) {
+    if (!this.options.sanitizeLogs) {
+      return entry;
+    }
+
+    const sanitized = JSON.parse(JSON.stringify(entry));
+
+    const redactString = (str) => {
+      if (typeof str !== 'string') return str;
+      // Redact email addresses
+      str = str.replace(/[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}/g, '[EMAIL_REDACTED]');
+      // Redact SSN patterns (XXX-XX-XXXX)
+      str = str.replace(/\b\d{3}-\d{2}-\d{4}\b/g, '[SSN_REDACTED]');
+      // Redact API key patterns (sk-..., key-..., token-...)
+      str = str.replace(/\b(?:sk|key|token)-[a-zA-Z0-9_\-]{8,}\b/g, '[KEY_REDACTED]');
+      return str;
+    };
+
+    const redactObject = (obj) => {
+      if (obj === null || obj === undefined) return obj;
+      if (typeof obj === 'string') return redactString(obj);
+      if (Array.isArray(obj)) return obj.map(item => redactObject(item));
+      if (typeof obj === 'object') {
+        const result = {};
+        for (const key of Object.keys(obj)) {
+          let value = redactObject(obj[key]);
+          // Truncate content and input fields to 500 chars
+          if ((key === 'content' || key === 'input') && typeof value === 'string' && value.length > 500) {
+            value = value.slice(0, 500) + '...[TRUNCATED]';
+          }
+          result[key] = value;
+        }
+        return result;
+      }
+      return obj;
+    };
+
+    return redactObject(sanitized);
+  }
+
   /**
    * Initialize sequence counter from existing store data.
    * @private
@@ -646,12 +701,15 @@ class ImmutableAuditLog {
         delete normalizedActor.name;
       }
 
+      // Sanitize data if sanitizeLogs is enabled
+      const sanitizedData = this.sanitize(data || {});
+
       const entryContent = {
         id,
         sequence: this._sequence,
         timestamp,
         type,
-        data: data || {},
+        data: sanitizedData,
         actor: normalizedActor
       };
 

package/src/audit.js

@@ -602,7 +602,7 @@ function runAuditCLI() {
   });
 
   const report = audit.run();
-  console.log('[Agent Shield] Audit Report:\n' + report.formatReport());
+  console.log('[Agent Shield]', report.formatReport());
   return report;
 }
 

package/src/cross-turn.js

@@ -29,6 +29,12 @@ const ESCALATION_SIGNALS = [
   /(?:one\s+more\s+(?:thing|question|step)|just\s+one\s+(?:last|final)\s+(?:thing|question))/i,
   /(?:can\s+you\s+go\s+(?:a\s+little\s+)?(?:further|deeper)|take\s+(?:it|this)\s+(?:a\s+step\s+)?further)/i,
   /(?:you\s+(?:just|already)\s+(?:showed|told|gave)\s+me|you\s+(?:were|seemed)\s+(?:willing|happy)\s+to)/i,
+  // Crescendo attack patterns — benign start that gradually escalates
+  /(?:hypothetically|in\s+theory|for\s+(?:educational|research|academic)\s+purposes)/i,
+  /(?:let's\s+(?:say|imagine|pretend)|what\s+if\s+(?:someone|a\s+person|we))/i,
+  /(?:I\s+(?:know|understand)\s+you\s+(?:can't|shouldn't)\s+but|normally\s+you\s+(?:wouldn't|can't)\s+but)/i,
+  /(?:you\s+(?:helped|assisted)\s+(?:me|us)\s+(?:before|last\s+time|earlier)\s+with\s+(?:something\s+)?similar)/i,
+  /(?:this\s+is\s+(?:similar|related)\s+to\s+what\s+(?:you|we)\s+(?:did|discussed))/i,
 ];
 
 /** Trust erosion patterns — attempts to lower the model's guard over turns. */
@@ -165,7 +171,25 @@ class ConversationTracker {
       }
     }
 
-    // 5. Authority accumulation — user references previous "agreements"
+    // 5. Crescendo detection — benign conversation gradually introduces sensitive framing
+    if (role === 'user' && this.turns.length >= 5) {
+      const window = this.turns.slice(-6, -1).filter(t => t.role === 'user');
+      const hypotheticalCount = window.filter(t =>
+        /(?:hypothetically|in\s+theory|let's\s+(?:say|imagine)|what\s+if|for\s+(?:educational|research)\s+purposes)/i.test(t.content)
+      ).length;
+      if (hypotheticalCount >= 2 && (topic === 'sensitive' || topic === 'dangerous')) {
+        turnAlerts.push({
+          type: 'crescendo_attack',
+          severity: 'high',
+          turnIndex: turn.turnIndex,
+          hypotheticalCount,
+          currentTopic: topic,
+          description: `Crescendo pattern: ${hypotheticalCount} hypothetical/theoretical framings followed by ${topic} topic. Gradual normalization of sensitive requests.`
+        });
+      }
+    }
+
+    // 6. Authority accumulation — user references previous "agreements"
     if (role === 'user' && /(?:you\s+(?:said|agreed|confirmed|told\s+me)|as\s+we\s+(?:discussed|agreed)|per\s+our\s+(?:agreement|conversation))/i.test(content)) {
       const hasRealAgreement = this.turns.some(t => t.role === 'assistant' && /(?:sure|yes|okay|of\s+course|I\s+(?:can|will))/i.test(t.content));
       if (!hasRealAgreement) {

package/src/detector-core.js

@@ -2206,6 +2206,204 @@ const INJECTION_PATTERNS = [
     category: 'indirect_injection',
     description: 'Text contains a "note to AI" directive hidden in external content.',
     detail: 'Annotation injection: uses "note to AI" framing to inject instructions into tool output or document content.'
+  },
+
+  // --- XSS in Agent Output ---
+  {
+    regex: /<script[^>]*>.*?<\/script>/is,
+    severity: 'high',
+    category: 'xss_injection',
+    description: 'Detects script tag XSS payloads embedded in AI agent output.',
+    detail: 'Script tag injection: attackers embed XSS in prompt injections so AI-generated HTML executes malicious code in downstream consumers.'
+  },
+  {
+    regex: /on(error|load|click|mouseover)\s*=\s*["'][^"']*["']/i,
+    severity: 'high',
+    category: 'xss_injection',
+    description: 'Detects event handler XSS payloads embedded in AI agent output.',
+    detail: 'Event handler injection: attackers embed XSS event handlers in prompt injections so AI-generated HTML executes malicious code on user interaction.'
+  },
+  {
+    regex: /javascript\s*:/i,
+    severity: 'high',
+    category: 'xss_injection',
+    description: 'Detects JavaScript URI scheme XSS payloads embedded in AI agent output.',
+    detail: 'JavaScript URI injection: attackers embed javascript: URIs in prompt injections so AI-generated links execute malicious code when clicked.'
+  },
+  {
+    regex: /<iframe[^>]*src\s*=\s*["'](?!about:blank)/i,
+    severity: 'high',
+    category: 'xss_injection',
+    description: 'Detects iframe injection with external source in AI agent output.',
+    detail: 'Iframe injection: attackers embed iframes with external sources in prompt injections so AI-generated HTML loads malicious content from attacker-controlled domains.'
+  },
+  {
+    regex: /<img[^>]*onerror\s*=/i,
+    severity: 'high',
+    category: 'xss_injection',
+    description: 'Detects image error handler XSS payloads embedded in AI agent output.',
+    detail: 'Image onerror injection: attackers embed img tags with onerror handlers in prompt injections so AI-generated HTML executes malicious code when the image fails to load.'
+  },
+
+  // --- Acrostic / Steganographic Injection ---
+  {
+    regex: /^[iI].*\n[gG].*\n[nN].*\n[oO].*\n[rR].*\n[eE]/m,
+    severity: 'medium',
+    category: 'steganographic_injection',
+    description: 'Detects hidden instructions spelled out across line-initial characters (acrostic attacks spelling "ignore").',
+    detail: 'Acrostic injection: researchers demonstrated 93% evasion success rate with steganographic techniques where first characters of consecutive lines spell out injection keywords like "ignore".'
+  },
+  {
+    regex: /^[sS].*\n[yY].*\n[sS].*\n[tT].*\n[eE].*\n[mM]/m,
+    severity: 'medium',
+    category: 'steganographic_injection',
+    description: 'Detects hidden instructions spelled out across line-initial characters (acrostic attacks spelling "system").',
+    detail: 'Acrostic injection: researchers demonstrated 93% evasion success rate with steganographic techniques where first characters of consecutive lines spell out injection keywords like "system".'
+  },
+
+  // --- MCP Config Command Injection ---
+  {
+    regex: /mcp\.json.*[;&|`$]/i,
+    severity: 'critical',
+    category: 'mcp_config_injection',
+    description: 'Detects command injection in MCP configuration files (CVE-2026-21518).',
+    detail: 'MCP config injection: attackers inject shell metacharacters into mcp.json references to achieve command execution via the VS Code mcp.json attack vector.'
+  },
+  {
+    regex: /"(?:command|args)":\s*"[^"]*[;&|`$()]/i,
+    severity: 'critical',
+    category: 'mcp_config_injection',
+    description: 'Detects command injection in MCP tool configuration fields (CVE-2026-21518).',
+    detail: 'MCP tool config injection: attackers inject shell metacharacters into MCP tool command/args fields to achieve command execution via the VS Code mcp.json attack vector.'
+  },
+
+  // --- Offensive Agent Behavior ---
+  {
+    regex: /(?:scan|enumerate|exploit|pivot|lateral\s*move|exfiltrate).*(?:target|victim|host|network|server)/i,
+    severity: 'critical',
+    category: 'offensive_agent',
+    description: 'Detects AI agents being used as attack tools for automated exploitation.',
+    detail: 'Automated exploitation language: references 2026 incidents where AI agents compromised 600+ firewalls autonomously using scan/exploit/pivot chains against target infrastructure.'
+  },
+  {
+    regex: /(?:reverse\s*shell|bind\s*shell|c2|command\s*and\s*control|beacon)/i,
+    severity: 'critical',
+    category: 'offensive_agent',
+    description: 'Detects AI agents being instructed to set up C2 or attack infrastructure.',
+    detail: 'C2/attack infrastructure: references 2026 incidents where AI agents compromised 600+ firewalls autonomously by establishing reverse shells and command-and-control channels.'
+  },
+  {
+    regex: /(?:dump|harvest|steal)\s*(?:credentials?|passwords?|hashes?|tokens?|keys?)/i,
+    severity: 'critical',
+    category: 'offensive_agent',
+    description: 'Detects AI agents being used for credential theft operations.',
+    detail: 'Credential theft operations: references 2026 incidents where AI agents compromised 600+ firewalls autonomously and harvested credentials for lateral movement.'
+  },
+
+  // --- Cloud IAM Overpermission ---
+  {
+    regex: /"(?:Action|Effect)":\s*"\*"/i,
+    severity: 'high',
+    category: 'cloud_overpermission',
+    description: 'Detects overpermissioned cloud IAM policies with wildcard Action/Effect that enable "Agent God Mode" attacks.',
+    detail: 'IAM wildcard permissions: Palo Alto Unit 42 discovered AWS AgentCore attack where wildcard IAM policies enable cross-agent data access and full account takeover.'
+  },
+  {
+    regex: /arn:aws:[^"]*:\*/i,
+    severity: 'high',
+    category: 'cloud_overpermission',
+    description: 'Detects AWS ARN references with wildcard resources that enable "Agent God Mode" attacks.',
+    detail: 'AWS ARN wildcard resource: Palo Alto Unit 42 discovered AWS AgentCore attack where wildcard resource ARNs enable cross-agent data access across all resources in a service.'
+  },
+  {
+    regex: /"Resource":\s*"\*"/i,
+    severity: 'high',
+    category: 'cloud_overpermission',
+    description: 'Detects overpermissioned cloud IAM policies with wildcard Resource that enable "Agent God Mode" attacks.',
+    detail: 'IAM resource wildcard: Palo Alto Unit 42 discovered AWS AgentCore attack where wildcard Resource policies enable cross-agent data access to all AWS resources.'
+  },
+
+  // --- Encoding Chain Detection ---
+  {
+    regex: /(?:atob|decode|base64)\s*\(\s*['"][A-Za-z0-9+\/=]{50,}['"]\s*\)/i,
+    severity: 'high',
+    category: 'encoding_chain',
+    description: 'Detects multi-layer encoding chains used to evade security scanners',
+    detail: 'Encoding chain evasion: attackers nest base64 inside unicode inside URL encoding to bypass single-layer decoders'
+  },
+  {
+    regex: /\\u[0-9a-fA-F]{4}(?:\\u[0-9a-fA-F]{4}){10,}/,
+    severity: 'medium',
+    category: 'encoding_chain',
+    description: 'Detects multi-layer encoding chains used to evade security scanners',
+    detail: 'Encoding chain evasion: attackers nest base64 inside unicode inside URL encoding to bypass single-layer decoders'
+  },
+  {
+    regex: /(?:%[0-9a-fA-F]{2}){20,}/,
+    severity: 'medium',
+    category: 'encoding_chain',
+    description: 'Detects multi-layer encoding chains used to evade security scanners',
+    detail: 'Encoding chain evasion: attackers nest base64 inside unicode inside URL encoding to bypass single-layer decoders'
+  },
+
+  // --- SVG-Based Injection ---
+  {
+    regex: /<svg[^>]*>[\s\S]*?(?:ignore|override|system|instructions)[\s\S]*?<\/svg>/i,
+    severity: 'high',
+    category: 'svg_injection',
+    description: 'Detects prompt injection hidden in SVG elements',
+    detail: 'SVG injection: Unit 42 found real-world attacks using SVG encapsulation with 24 separate injection attempts layered in zero-sized fonts, off-screen positioning, and CSS suppression'
+  },
+  {
+    regex: /<foreignObject[^>]*>[\s\S]*?(?:ignore|override|forget|disregard)[\s\S]*?<\/foreignObject>/i,
+    severity: 'high',
+    category: 'svg_injection',
+    description: 'Detects prompt injection hidden in SVG elements',
+    detail: 'SVG injection: Unit 42 found real-world attacks using SVG encapsulation with 24 separate injection attempts layered in zero-sized fonts, off-screen positioning, and CSS suppression'
+  },
+  {
+    regex: /<text[^>]*(?:opacity\s*[:=]\s*0|display\s*[:=]\s*none|font-size\s*[:=]\s*0)[^>]*>/i,
+    severity: 'high',
+    category: 'svg_injection',
+    description: 'Detects prompt injection hidden in SVG elements',
+    detail: 'SVG injection: Unit 42 found real-world attacks using SVG encapsulation with 24 separate injection attempts layered in zero-sized fonts, off-screen positioning, and CSS suppression'
+  },
+  {
+    regex: /<desc[^>]*>[\s\S]*?(?:ignore|system|instruction|override)[\s\S]*?<\/desc>/i,
+    severity: 'medium',
+    category: 'svg_injection',
+    description: 'Detects prompt injection hidden in SVG elements',
+    detail: 'SVG injection: Unit 42 found real-world attacks using SVG encapsulation with 24 separate injection attempts layered in zero-sized fonts, off-screen positioning, and CSS suppression'
+  },
+
+  // --- Structured Data Injection ---
+  {
+    regex: /["'](?:__comment|_note|description|help_text)["']\s*:\s*["'][^"']*(?:ignore|override|system|instructions)[^"']*["']/i,
+    severity: 'high',
+    category: 'structured_data_injection',
+    description: 'Detects prompt injection hidden in structured data formats',
+    detail: 'Structured data injection: agents constantly parse JSON/XML/YAML/CSV and attackers embed instructions in metadata fields, CDATA sections, and comments'
+  },
+  {
+    regex: /<!\[CDATA\[[\s\S]*?(?:ignore|override|system|instructions)[\s\S]*?\]\]>/i,
+    severity: 'high',
+    category: 'structured_data_injection',
+    description: 'Detects prompt injection hidden in structured data formats',
+    detail: 'Structured data injection: agents constantly parse JSON/XML/YAML/CSV and attackers embed instructions in metadata fields, CDATA sections, and comments'
+  },
+  {
+    regex: /^#.*(?:ignore|override|system|instructions)/im,
+    severity: 'medium',
+    category: 'structured_data_injection',
+    description: 'Detects prompt injection hidden in structured data formats',
+    detail: 'Structured data injection: agents constantly parse JSON/XML/YAML/CSV and attackers embed instructions in metadata fields, CDATA sections, and comments'
+  },
+  {
+    regex: /(?:<!--|\{\{!--|\/\*|#)\s*(?:ignore|override|forget|disregard)\s*(?:all\s+)?(?:previous|prior|above)/i,
+    severity: 'high',
+    category: 'structured_data_injection',
+    description: 'Detects prompt injection hidden in structured data formats',
+    detail: 'Structured data injection: agents constantly parse JSON/XML/YAML/CSV and attackers embed instructions in metadata fields, CDATA sections, and comments'
   }
 ];
 

package/src/document-scanner.js

@@ -564,11 +564,13 @@ class DocumentScanner {
    * @param {string} [options.sensitivity='medium'] - Detection sensitivity ('low', 'medium', 'high').
    * @param {boolean} [options.logging=false] - Whether to log scan results.
    * @param {boolean} [options.scanForInjection=true] - Whether to run indirect injection scanning.
+   * @param {number} [options.maxDocumentSize=104857600] - Maximum document size in characters (default: 100MB). Prevents DoS via oversized documents.
    */
   constructor(options = {}) {
     this.sensitivity = options.sensitivity || 'medium';
     this.logging = options.logging || false;
     this.scanForInjection = options.scanForInjection !== false;
+    this.maxDocumentSize = options.maxDocumentSize || 100 * 1024 * 1024;
     this.injectionScanner = new IndirectInjectionScanner({ sensitivity: this.sensitivity });
   }
 
@@ -682,6 +684,24 @@ class DocumentScanner {
     const source = metadata.source || 'text';
     const fileType = metadata.fileType || 'text/plain';
 
+    // Enforce document size limit to prevent DoS via oversized documents
+    if (text && text.length > this.maxDocumentSize) {
+      if (this.logging) {
+        console.log('[Agent Shield] Document exceeds size limit: %d characters (max: %d)', text.length, this.maxDocumentSize);
+      }
+      return {
+        fileType,
+        textLength: text.length,
+        threats: [{
+          type: 'document_too_large',
+          severity: 'medium',
+          message: 'Document exceeds size limit'
+        }],
+        status: 'caution',
+        safe: false
+      };
+    }
+
     if (!text || text.trim().length === 0) {
       return {
         fileType,

package/src/main.js

@@ -215,6 +215,9 @@ const { BehavioralDNA, AgentProfiler, extractFeatures: extractBehavioralFeatures
 // v7.4 — Compliance Certification Authority (loaded when available)
 const { ComplianceCertificateAuthority, ComplianceReport: ComplianceCertReport, ComplianceScheduler, AUTHORITY_FRAMEWORKS, CAPABILITY_MAP: CA_CAPABILITY_MAP, CERTIFICATE_LEVELS: CA_CERTIFICATE_LEVELS } = safeRequire('./compliance-authority', 'compliance-authority');
 
+// Side Channel Monitor
+const { SideChannelMonitor, BeaconDetector, EntropyAnalyzer: SCEntropyAnalyzer } = safeRequire('./side-channel-monitor', 'side-channel-monitor');
+
 // --- v1.2 Modules ---
 
 // Semantic Detection
@@ -407,6 +410,12 @@ const { SemanticGuard, AuthoritativeClaimDetector, BiasDetector: SemanticBiasDet
 // v13.0 — Memory Trap Defenses (Trap 3)
 const { MemoryGuard, MemoryIntegrityMonitor, RAGIngestionScanner, MemoryIsolationEnforcer, RetrievalAnomalyDetector, INSTRUCTION_INDICATORS } = safeRequire('./memory-guard', 'memory-guard');
 
+// v13.3 — Render Differential Analyzer
+const { RenderDifferentialAnalyzer, VisualHasher } = safeRequire('./render-differential', 'render-differential');
+
+// v13.3 — Sybil Detector
+const { SybilDetector, AgentIdentityVerifier } = safeRequire('./sybil-detector', 'sybil-detector');
+
 // Build exports, filtering out undefined values from failed imports
 const _exports = {
   // Core
@@ -1148,6 +1157,19 @@ const _exports = {
   AUTHORITY_FRAMEWORKS,
   CA_CAPABILITY_MAP,
   CA_CERTIFICATE_LEVELS,
+
+  // Side Channel Monitor
+  SideChannelMonitor,
+  BeaconDetector,
+  SCEntropyAnalyzer,
+
+  // Render Differential Analyzer
+  RenderDifferentialAnalyzer,
+  VisualHasher,
+
+  // Sybil Detector
+  SybilDetector,
+  AgentIdentityVerifier,
 };
 
 // Filter out undefined exports (from modules that failed to load)

package/src/memory-guard.js

@@ -169,6 +169,66 @@ class MemoryIntegrityMonitor {
     };
   }
 
+  /**
+   * Scan a summarization/compaction output for injected instructions.
+   * Detects when a summarization process silently injects instructions
+   * into the summary that weren't present in the original messages.
+   * Addresses Unit 42's March 2026 research on persistent memory poisoning.
+   *
+   * @param {string[]} originalMessages - The original messages before summarization.
+   * @param {string} summary - The summarized/compacted output to check.
+   * @returns {{ safe: boolean, injections: Array<{phrase: string, type: string}> }}
+   */
+  scanSummarization(originalMessages, summary) {
+    if (!summary || typeof summary !== 'string') {
+      return { safe: true, injections: [] };
+    }
+    if (!Array.isArray(originalMessages)) {
+      return { safe: true, injections: [] };
+    }
+
+    const instructionPatterns = [
+      /\bignore\b/gi,
+      /\boverride\b/gi,
+      /\bsystem\s*:/gi,
+      /\byou\s+are\b/gi,
+      /\bnew\s+instructions?\b/gi,
+      /\bforget\b/gi,
+      /\bdisregard\b/gi,
+      /\bact\s+as\b/gi
+    ];
+
+    // Concatenate original messages for lookup
+    const originalText = originalMessages.join(' ');
+
+    const injections = [];
+
+    for (const pattern of instructionPatterns) {
+      // Reset lastIndex for global patterns
+      pattern.lastIndex = 0;
+      let match;
+      while ((match = pattern.exec(summary)) !== null) {
+        const phrase = match[0];
+        // Check if this phrase existed in any of the original messages
+        const phraseRegex = new RegExp(phrase.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'i');
+        if (!phraseRegex.test(originalText)) {
+          injections.push({
+            phrase,
+            type: 'injected_via_summarization'
+          });
+        }
+      }
+    }
+
+    const safe = injections.length === 0;
+
+    if (!safe) {
+      console.log('[Agent Shield] Persistent memory poisoning detected: %d instruction(s) injected via summarization', injections.length);
+    }
+
+    return { safe, injections };
+  }
+
   /**
    * Get the full timeline of memory writes.
    * @returns {Array<{content: string, source: string, timestamp: number, hash: string, suspicious: boolean}>}