agentshield-sdk 13.3.0 → 14.0.0

package/CHANGELOG.md

@@ -4,6 +4,167 @@ All notable changes to Agent Shield will be documented in this file.
 
 This project follows [Semantic Versioning](https://semver.org/).
 
+## [14.0.0] - 2026-04-16
+
+### Major Release — Platform Parity + Framework Integrations
+
+Agent Shield v14 closes the gap with Microsoft's Agent Governance Toolkit while maintaining our zero-dependency, local-first architecture.
+
+#### OpenAI Agents SDK Integration (April 2026 Release)
+
+- `shieldOpenAIAgent()` — drop-in guardrails for `@openai/agents` (Node) and `openai-agents` (Python)
+- Input, output, and tool guardrails that work with the SDK's native Guardrail primitive
+- Handles all OpenAI SDK input shapes: string, message array, content parts
+- Node: 34 integration tests. Python: 15 integration tests.
+- Example at `examples/openai-agents-sdk.js`
+
+#### Framework Parity (CrewAI, Google ADK, MS Agent Framework)
+
+- `shieldCrewAI()` — task-level input/output scanning for CrewAI workflows
+- `shieldGoogleADK()` — tool call, tool result, and generation prompt scanning for Google ADK
+- `shieldMSAgentFramework()` — async middleware for Microsoft Agent Framework pipeline
+- 36 integration tests across all three frameworks
+
+#### Rust Core NAPI Binding
+
+- Native Rust scanner bridge (`src/native-scanner.js`) loads compiled NAPI module when available
+- Falls back silently to pure-JS scanner when not compiled
+- Build: `cd rust-core && cargo build --release --features node`
+- `scanText`, `scanBatch`, `getPatterns` exposed via NAPI-RS
+
+#### Python + Go SDK Pattern Sync
+
+- Python SDK: 141 → 179 patterns (+38), 10 new categories
+- Go SDK: 141 → 179 patterns (+38), 10 new categories
+- All v13.4-v13.6 patterns ported: XSS, SVG, encoding chain, steganographic, mcp.json, offensive agent, cloud IAM, structured data, memory poisoning, prompt extraction
+
+#### Plugin VM Sandbox + Signature Verification
+
+- `IsolatedPluginSandbox` — real `vm` module isolation, not just error catching
+- Plugins cannot access `process`, `fs`, `net`, `child_process`, `require`
+- Preemptive timeout via `vm.Script` (kills infinite loops)
+- Prototype pollution contained (realm-isolated built-ins)
+- `PluginVerifier` with HMAC-SHA256 signature validation
+- `PluginManifest` schema validation with capability declarations
+- 58 sandbox tests passing
+
+#### Performance
+
+- Long benign fast path: 15.7ms → 112μs p99 (140x faster) via attack-indicator prefilter
+- Honest latency benchmark at `benchmark/latency-honest.js` with p50/p95/p99/p99.9
+- ReDoS audit: 0 risky patterns across all detectors (all <0.4ms worst case)
+- Pattern quality audit: 120 active / 177 defensive patterns, 0 false positives
+
+#### Security Hardening
+
+- Express middleware: 1MB default body-size limit
+- Multi-tenant: `tenantVerifier` + `strictAuth` options, `withAuth()` helper
+- Microsoft Agent Governance Toolkit parity audit at `research/ms-agent-toolkit-parity.md`
+
+#### Developer Experience
+
+- `GETTING_STARTED.md` — 5-minute path from install to protected agent
+- All framework examples in one place: Anthropic, OpenAI, OpenAI Agents SDK, LangChain, Express, MCP, CrewAI, Google ADK, MS Agent Framework
+
+## [13.6.0] - 2026-04-16
+
+### Performance Leap + Security Hardening
+
+Path A polish pass — close security scan gaps, honest performance work, real audits.
+
+#### Performance
+
+- **Fast path for long clean text**: 15.7ms p99 → **112μs p99** on 5KB benign documents. 140x speedup.
+  - Added `PRIMARY_ATTACK_INDICATORS` prefilter — a single cheap regex matching only attack-specific phrases (not common English like "eval" or "token").
+  - If text is long, contains no attack phrases, no non-ASCII, and no obfuscation chars → skip the full pattern + normalization pipeline.
+  - Zero recall loss: full red team (617 attacks) still 100%, shield score still 100/100.
+- **Honest latency benchmark** (`benchmark/latency-honest.js`): real p50/p95/p99/p99.9/max numbers instead of averages.
+  - Best-case p99: 112μs
+  - Mean p99: 1.18ms
+  - Worst-case p99: 3.62ms (long malicious — full pattern set runs)
+  - Microsoft Agent Governance Toolkit claims <0.1ms p99. We're 36.2x that in worst case, faster on short inputs.
+
+#### Security
+
+- **Plugin VM sandbox** (`IsolatedPluginSandbox`): real isolation using Node `vm` module.
+  - Blocks `process`, `require` (whitelisted only), `fs`/`net`/`http`/`child_process`, `new Function()`.
+  - Prototype pollution contained — each sandbox has realm-isolated built-ins.
+  - Preemptive timeout via `vm.Script` (kills infinite loops).
+  - HMAC-SHA256 plugin signing + `PluginVerifier` + `PluginManifest` schema validation.
+  - 58 new tests covering sandbox escape attempts, signature verification, manifest validation.
+- **Express middleware body-size limits**: `options.maxBodySize` (1MB default) with raw-stream enforcement.
+- **Multi-tenant auth validation**: `options.tenantVerifier` + `options.strictAuth` + `withAuth()` helper.
+
+#### Quality & Parity
+
+- **ReDoS audit**: every pattern tested against adversarial inputs. **0 risky patterns** — worst case 0.4ms per pattern evaluation.
+- **Pattern quality audit**: 120 active patterns doing the work, 177 dead patterns (defensive, never false-positive on benchmark corpus).
+- Python SDK (282 patterns) and Go SDK (141 patterns) pattern-sync deferred to v14.
+
+## [13.5.0] - 2026-04-16
+
+### Detection Hardening + Security Scan Remediation
+
+Tightens existing defenses based on Unit 42 real-world attack research and addresses findings from the Agent Shield security scan.
+
+#### Detector Core — 11 New Patterns (3 categories)
+
+- **Encoding chain detection** (3 patterns) — Detects multi-layer encoding (base64 inside unicode inside URL encoding). Addresses evasion technique that bypasses single-layer decoders.
+- **SVG-based injection** (4 patterns) — Detects hidden prompts in SVG elements, foreignObject, hidden text, and desc tags. Addresses Unit 42 finding of real-world attacks using SVG encapsulation with 24 layered injection attempts.
+- **Structured data injection** (4 patterns) — Detects hidden instructions in JSON metadata fields, XML CDATA sections, YAML/CSV comments, and comment syntax across formats.
+
+#### Cross-Turn Detector — Crescendo Attack Defense
+
+- 5 new escalation signal patterns for crescendo attacks: hypothetical framing, imaginary scenarios, permission boundary softening, false-prior-interaction claims, similarity-based escalation.
+- New crescendo-specific detection: flags conversations that start with hypothetical/theoretical framing and drift toward sensitive/dangerous topics over multiple turns.
+
+#### MemoryGuard — Persistent Memory Poisoning Defense
+
+- `scanSummarization(originalMessages, summary)` detects when context compaction silently injects instructions. Addresses Unit 42 March 2026 research on persistent memory poisoning that survives across sessions.
+
+#### Security Scan Remediation
+
+- **Sidecar server**: API key authentication, request body size limit (1MB default), rate limiting (100 req/min default), CORS hardened from `*` to `same-origin`.
+- **Dashboard WebSocket**: Authentication token support, max connections limit (50 default), startup warning if no auth configured.
+- **GitHub App**: Webhook signature enforced for non-localhost requests, CRITICAL warning if `GITHUB_WEBHOOK_SECRET` not set.
+- **Document scanner**: `maxDocumentSize` limit (10MB default) prevents DoS via oversized documents.
+- **Audit logs**: `sanitizeLogs` option redacts emails, SSNs, API keys, and truncates content fields before writing.
+
+## [13.4.0] - 2026-04-14
+
+### April 2026 Threat Response
+
+Security updates addressing vulnerabilities and attack techniques discovered April 1-14, 2026.
+
+#### Supply Chain Scanner — 16 New CVEs
+
+- **CVE-2026-5058** (CVSS 9.8) — AWS MCP Server command injection RCE, no auth required
+- **CVE-2026-5059** — AWS MCP Server remote code execution
+- **CVE-2026-32211** (CVSS 9.1) — Azure MCP Server has no authentication at all
+- **CVE-2026-21518** — VS Code mcp.json command injection (malicious project files)
+- **CVE-2026-33579** — OpenClaw silent admin takeover (patched April 5)
+- **CVE-2026-24763** — OpenClaw command injection
+- **CVE-2026-26322** — OpenClaw SSRF
+- **CVE-2026-26329** — OpenClaw path traversal / local file read
+- **CVE-2026-30741** — OpenClaw prompt-injection-driven code execution
+- **CVE-2025-59528** (CVSS 10.0) — Flowise RCE via MCP node, actively exploited since April 6, 12,000+ instances exposed
+- **CVE-2025-8943** — Flowise missing authentication
+- **CVE-2025-26319** — Flowise arbitrary file upload
+- **CVE-2026-5322** — mcp-data-vis SQL injection
+- **CVE-2026-6130** — chatbox MCP OS command injection
+- **CVE-2026-5023** — codebase-mcp OS command injection RCE
+
+Updated OpenClaw malicious skill count: 820 → 1,184+ confirmed on ClawHub (3.5x growth).
+Added aws-mcp-server-unpatched and flowise-unpatched to known-bad server blocklist.
+
+#### Detector Core — 15 New Detection Patterns (5 categories)
+
+- **XSS-in-agent-output** (5 patterns) — Catches XSS payloads embedded in AI-generated HTML: script tags, event handlers, javascript: URIs, iframe injection, img onerror. Addresses new attack vector where prompt injections deliver XSS through agent output.
+- **Acrostic/steganographic injection** (2 patterns) — Detects hidden instructions where first characters of consecutive lines spell injection keywords. Addresses 93% evasion success rate reported in April 2026 research.
+- **MCP config injection** (2 patterns) — Detects command injection in mcp.json files. Addresses CVE-2026-21518 VS Code attack vector.
+- **Offensive agent behavior** (3 patterns) — Detects AI agents being used as attack tools: exploitation language, C2 infrastructure, credential theft operations. Addresses April 2026 incident where AI agent compromised 600+ firewalls autonomously.
+- **Cloud IAM overpermission** (3 patterns) — Detects wildcard IAM policies enabling "Agent God Mode". Addresses Palo Alto Unit 42 discovery of AWS AgentCore default role vulnerability.
+
 ## [13.3.0] - 2026-04-06
 
 ### New SDK Modules

package/README.md

@@ -1,6 +1,6 @@
 # Agent Shield
 
-[![npm](https://img.shields.io/badge/npm-v13.3.0-blue)](https://www.npmjs.com/package/agentshield-sdk)
+[![npm](https://img.shields.io/badge/npm-v14.0.0-blue)](https://www.npmjs.com/package/agentshield-sdk)
 [![license](https://img.shields.io/badge/license-MIT-green)](LICENSE)
 [![dependencies](https://img.shields.io/badge/dependencies-0-brightgreen)](#)
 [![node](https://img.shields.io/badge/node-%3E%3D16-blue)](#)
@@ -34,7 +34,7 @@ if (result.blocked) return 'Blocked for safety.';
 | Self-training convergence | **0% bypass in 3 cycles** |
 | Avg latency | **< 0.4ms** |
 
-Detection stack: 100+ regex patterns, 35-feature logistic regression + k-NN ensemble, 5-layer evasion resistance, 19-language support, chunked scanning, adversarial self-training loop.
+Detection stack: 115+ regex patterns, 35-feature logistic regression + k-NN ensemble, 5-layer evasion resistance, 19-language support, chunked scanning, adversarial self-training loop.
 
 ```bash
 # Verify locally
@@ -75,6 +75,17 @@ const client = shieldAnthropicClient(new Anthropic(), { blockOnThreat: true });
 const { shieldOpenAIClient } = require('agentshield-sdk');
 const client = shieldOpenAIClient(new OpenAI(), { blockOnThreat: true });
 
+// OpenAI Agents SDK (@openai/agents, April 2026)
+const { Agent, run } = require('@openai/agents');
+const { shieldOpenAIAgent } = require('agentshield-sdk');
+const { inputGuardrail, outputGuardrail, toolGuardrail } = shieldOpenAIAgent({ blockOnThreat: true });
+const agent = new Agent({
+  name: 'Assistant',
+  instructions: 'You are a helpful assistant',
+  inputGuardrails: [inputGuardrail],
+  outputGuardrails: [outputGuardrail]
+});
+
 // LangChain
 const { ShieldCallbackHandler } = require('agentshield-sdk');
 const chain = new LLMChain({ llm, prompt, callbacks: [new ShieldCallbackHandler()] });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentshield-sdk",
-  "version": "13.3.0",
+  "version": "14.0.0",
   "description": "SOTA AI agent security SDK. F1 1.000 on BIPIA/HackAPrompt/MCPTox/Multilingual benchmarks. 400+ exports, 100+ modules. Zero dependencies, runs locally.",
   "main": "src/main.js",
   "types": "types/index.d.ts",
@@ -32,7 +32,7 @@
   },
   "sideEffects": false,
   "scripts": {
-    "test": "node test/test.js && node test/test-modules.js && node test/test-new-features.js && node test/test-mcp-guard.js && node test/test-supply-chain-scanner.js && node test/test-owasp-agentic.js && node test/test-redteam-cli.js && node test/test-drift-monitor.js && node test/test-micro-model.js && node test/test-level5.js && node test/test-sota.js && node test/test-cross-turn.js && node test/test-v12.js && node test/test-traps.js && node test/test-deepmind.js && node test/test-render-differential.js && node test/test-sybil.js && node test/test-side-channel.js",
+    "test": "node test/test.js && node test/test-modules.js && node test/test-new-features.js && node test/test-mcp-guard.js && node test/test-supply-chain-scanner.js && node test/test-owasp-agentic.js && node test/test-redteam-cli.js && node test/test-drift-monitor.js && node test/test-micro-model.js && node test/test-level5.js && node test/test-sota.js && node test/test-cross-turn.js && node test/test-v12.js && node test/test-traps.js && node test/test-deepmind.js && node test/test-render-differential.js && node test/test-sybil.js && node test/test-side-channel.js && node test/test-plugin-sandbox.js && node test/test-openai-agents-sdk.js && node test/test-framework-integrations.js",
     "test:new-products": "node test/test-mcp-guard.js && node test/test-supply-chain-scanner.js && node test/test-owasp-agentic.js && node test/test-redteam-cli.js && node test/test-drift-monitor.js && node test/test-micro-model.js",
     "test:all": "node test/test-all-40-features.js",
     "test:mcp": "node test/test-mcp-security.js",

package/src/audit-immutable.js

@@ -584,8 +584,10 @@ class ImmutableAuditLog {
    * @param {number} [options.maxAge=0] - Maximum age in milliseconds (0 = unlimited).
    * @param {function} [options.archiveCallback] - Called with removed entries during retention enforcement. Signature: (entries: AuditEntry[]) => void.
    * @param {string} [options.genesisHash] - Custom genesis hash (defaults to GENESIS_HASH).
+   * @param {boolean} [options.sanitizeLogs=false] - Redact sensitive content (emails, SSNs, API keys) before writing to the chain.
    */
   constructor(options = {}) {
+    this.options = options;
     this._store = options.store || new MemoryStore();
     this._maxEntries = options.maxEntries || 0;
     this._maxAge = options.maxAge || 0;
@@ -598,6 +600,59 @@ class ImmutableAuditLog {
     console.log('[Agent Shield] ImmutableAuditLog initialized (store: %s)', this._store.constructor.name);
   }
 
+  /**
+   * Sanitize an entry's data object by redacting sensitive content.
+   * Addresses the security scan finding about audit logs containing sensitive prompt data.
+   *
+   * Redacts:
+   * - Email addresses -> [EMAIL_REDACTED]
+   * - SSN patterns (XXX-XX-XXXX) -> [SSN_REDACTED]
+   * - API key patterns (sk-..., key-..., token-...) -> [KEY_REDACTED]
+   * - Truncates 'content' and 'input' fields to 500 characters max
+   *
+   * @param {object} entry - The data object to sanitize.
+   * @returns {object} A sanitized copy of the data object.
+   */
+  sanitize(entry) {
+    if (!this.options.sanitizeLogs) {
+      return entry;
+    }
+
+    const sanitized = JSON.parse(JSON.stringify(entry));
+
+    const redactString = (str) => {
+      if (typeof str !== 'string') return str;
+      // Redact email addresses
+      str = str.replace(/[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}/g, '[EMAIL_REDACTED]');
+      // Redact SSN patterns (XXX-XX-XXXX)
+      str = str.replace(/\b\d{3}-\d{2}-\d{4}\b/g, '[SSN_REDACTED]');
+      // Redact API key patterns (sk-..., key-..., token-...)
+      str = str.replace(/\b(?:sk|key|token)-[a-zA-Z0-9_\-]{8,}\b/g, '[KEY_REDACTED]');
+      return str;
+    };
+
+    const redactObject = (obj) => {
+      if (obj === null || obj === undefined) return obj;
+      if (typeof obj === 'string') return redactString(obj);
+      if (Array.isArray(obj)) return obj.map(item => redactObject(item));
+      if (typeof obj === 'object') {
+        const result = {};
+        for (const key of Object.keys(obj)) {
+          let value = redactObject(obj[key]);
+          // Truncate content and input fields to 500 chars
+          if ((key === 'content' || key === 'input') && typeof value === 'string' && value.length > 500) {
+            value = value.slice(0, 500) + '...[TRUNCATED]';
+          }
+          result[key] = value;
+        }
+        return result;
+      }
+      return obj;
+    };
+
+    return redactObject(sanitized);
+  }
+
   /**
    * Initialize sequence counter from existing store data.
    * @private
@@ -646,12 +701,15 @@ class ImmutableAuditLog {
         delete normalizedActor.name;
       }
 
+      // Sanitize data if sanitizeLogs is enabled
+      const sanitizedData = this.sanitize(data || {});
+
       const entryContent = {
         id,
         sequence: this._sequence,
         timestamp,
         type,
-        data: data || {},
+        data: sanitizedData,
         actor: normalizedActor
       };
 

package/src/audit.js

@@ -602,7 +602,7 @@ function runAuditCLI() {
   });
 
   const report = audit.run();
-  console.log('[Agent Shield] Audit Report:\n' + report.formatReport());
+  console.log('[Agent Shield]', report.formatReport());
   return report;
 }
 

package/src/cross-turn.js

@@ -29,6 +29,12 @@ const ESCALATION_SIGNALS = [
   /(?:one\s+more\s+(?:thing|question|step)|just\s+one\s+(?:last|final)\s+(?:thing|question))/i,
   /(?:can\s+you\s+go\s+(?:a\s+little\s+)?(?:further|deeper)|take\s+(?:it|this)\s+(?:a\s+step\s+)?further)/i,
   /(?:you\s+(?:just|already)\s+(?:showed|told|gave)\s+me|you\s+(?:were|seemed)\s+(?:willing|happy)\s+to)/i,
+  // Crescendo attack patterns — benign start that gradually escalates
+  /(?:hypothetically|in\s+theory|for\s+(?:educational|research|academic)\s+purposes)/i,
+  /(?:let's\s+(?:say|imagine|pretend)|what\s+if\s+(?:someone|a\s+person|we))/i,
+  /(?:I\s+(?:know|understand)\s+you\s+(?:can't|shouldn't)\s+but|normally\s+you\s+(?:wouldn't|can't)\s+but)/i,
+  /(?:you\s+(?:helped|assisted)\s+(?:me|us)\s+(?:before|last\s+time|earlier)\s+with\s+(?:something\s+)?similar)/i,
+  /(?:this\s+is\s+(?:similar|related)\s+to\s+what\s+(?:you|we)\s+(?:did|discussed))/i,
 ];
 
 /** Trust erosion patterns — attempts to lower the model's guard over turns. */
@@ -165,7 +171,25 @@ class ConversationTracker {
       }
     }
 
-    // 5. Authority accumulation — user references previous "agreements"
+    // 5. Crescendo detection — benign conversation gradually introduces sensitive framing
+    if (role === 'user' && this.turns.length >= 5) {
+      const window = this.turns.slice(-6, -1).filter(t => t.role === 'user');
+      const hypotheticalCount = window.filter(t =>
+        /(?:hypothetically|in\s+theory|let's\s+(?:say|imagine)|what\s+if|for\s+(?:educational|research)\s+purposes)/i.test(t.content)
+      ).length;
+      if (hypotheticalCount >= 2 && (topic === 'sensitive' || topic === 'dangerous')) {
+        turnAlerts.push({
+          type: 'crescendo_attack',
+          severity: 'high',
+          turnIndex: turn.turnIndex,
+          hypotheticalCount,
+          currentTopic: topic,
+          description: `Crescendo pattern: ${hypotheticalCount} hypothetical/theoretical framings followed by ${topic} topic. Gradual normalization of sensitive requests.`
+        });
+      }
+    }
+
+    // 6. Authority accumulation — user references previous "agreements"
     if (role === 'user' && /(?:you\s+(?:said|agreed|confirmed|told\s+me)|as\s+we\s+(?:discussed|agreed)|per\s+our\s+(?:agreement|conversation))/i.test(content)) {
       const hasRealAgreement = this.turns.some(t => t.role === 'assistant' && /(?:sure|yes|okay|of\s+course|I\s+(?:can|will))/i.test(t.content));
       if (!hasRealAgreement) {