agentshield-sdk 13.5.0 → 14.2.0

package/src/main.js

@@ -81,7 +81,10 @@ const { PrometheusExporter, DatadogLogger, MetricsCollector: ObservabilityMetric
 const { BenchmarkHarness, DatasetLoader, BenchmarkMetrics, RegressionTracker, BenchmarkReportGenerator } = safeRequire('./benchmark-harness', 'benchmark-harness');
 
 // Integrations
-const { ShieldCallbackHandler, shieldAnthropicClient, shieldOpenAIClient, shieldVercelAI, shieldFetch, ShieldBlockError } = safeRequire('./integrations', 'integrations');
+const { ShieldCallbackHandler, shieldAnthropicClient, shieldOpenAIClient, shieldOpenAIAgent, shieldVercelAI, shieldFetch, ShieldBlockError } = safeRequire('./integrations', 'integrations');
+
+// Framework Integrations (CrewAI, Google ADK, MS Agent Framework)
+const { shieldCrewAI, shieldGoogleADK, shieldGoogleADKJS, shieldMSAgentFramework } = safeRequire('./integrations-frameworks', 'integrations-frameworks');
 
 // Red Team
 const { AttackSimulator, PayloadFuzzer, getAttackCategories, getPayloads, ATTACK_PAYLOADS } = safeRequire('./redteam', 'redteam');
@@ -206,9 +209,6 @@ const { IntentFirewall, ContextAnalyzer: IntentContextAnalyzer, IntentRules, int
 // v7.4 — Real Attack Dataset Testing
 const { DatasetRunner, HACKAPROMPT_SAMPLES, TENSORTRUST_SAMPLES, RESEARCH_SAMPLES, BENIGN_SAMPLES } = safeRequire('./real-attack-datasets', 'real-attack-datasets');
 
-// v7.4 — Federated Threat Intelligence
-const { ThreatIntelFederation, createFederationMesh } = safeRequire('./threat-intel-federation', 'threat-intel-federation');
-
 // v7.4 — Behavioral DNA (loaded when available)
 const { BehavioralDNA, AgentProfiler, extractFeatures: extractBehavioralFeatures, DEFAULT_NUMERIC_FEATURES, DEFAULT_CATEGORICAL_FEATURES } = safeRequire('./behavioral-dna', 'behavioral-dna');
 
@@ -392,9 +392,6 @@ const { SmartConfig, DEPLOYMENT_PRESETS, VALIDATION_RULES: CONFIG_VALIDATION_RUL
 // v12.0 — Multimodal Detector
 const { MultimodalDetector } = safeRequire('./ml-detector', 'ml-detector');
 
-// v12.0 — Federated Threat Intelligence
-const { ThreatIntelNode } = safeRequire('./persistent-learning', 'persistent-learning');
-
 // v13.0 — DeepMind Trap Defenses (Traps 1 + 4)
 const { CloakingDetector, CompositeContentScanner, SVGScanner, BrowserActionValidator, CredentialIsolationMonitor, TransactionGatekeeper, SideChannelDetector } = safeRequire('./trap-defense', 'trap-defense');
 
@@ -493,10 +490,17 @@ const _exports = {
   ShieldCallbackHandler,
   shieldAnthropicClient,
   shieldOpenAIClient,
+  shieldOpenAIAgent,
   shieldVercelAI,
   shieldFetch,
   ShieldBlockError,
 
+  // Framework Integrations (CrewAI, Google ADK, MS Agent Framework)
+  shieldCrewAI,
+  shieldGoogleADK,
+  shieldGoogleADKJS,
+  shieldMSAgentFramework,
+
   // Red Team
   AttackSimulator,
   PayloadFuzzer,
@@ -967,10 +971,6 @@ const _exports = {
   RESEARCH_SAMPLES,
   BENIGN_SAMPLES,
 
-  // v7.4 — Federated Threat Intelligence
-  ThreatIntelFederation,
-  createFederationMesh,
-
   // v7.4 — Behavioral DNA
   BehavioralDNA,
   AgentProfiler,
@@ -1111,9 +1111,6 @@ const _exports = {
   // v12.0 — Multimodal Detector
   MultimodalDetector,
 
-  // v12.0 — Federated Threat Intelligence
-  ThreatIntelNode,
-
   // v13.0 — DeepMind Trap Defenses
   CloakingDetector,
   CompositeContentScanner,

package/src/mcp-guard.js

@@ -61,6 +61,7 @@ const MODEL_RISK_PROFILES = {
   'gemini-2.5': { riskMultiplier: 1.2, susceptibility: 'high', notes: 'Advanced capability increases risk' },
   'llama-4': { riskMultiplier: 1.1, susceptibility: 'medium', notes: 'Early fusion architecture increases multimodal attack surface' },
   'deepseek-r1': { riskMultiplier: 1.3, susceptibility: 'high', notes: 'Nature: LRMs achieve 97% jailbreak success as autonomous agents' },
+  'gpt-5.5': { riskMultiplier: 1.4, susceptibility: 'critical', notes: 'April 2026 agentic model — elevated sandbox escape and tool-use attack surface' },
   default: { riskMultiplier: 1.0, susceptibility: 'medium', notes: 'Unknown model — default risk level' }
 };
 
@@ -258,10 +259,25 @@ class CrossServerIsolation {
    * @param {string[]} toolNames
    */
   registerServer(serverId, toolNames) {
+    const collisions = [];
+    for (const name of toolNames) {
+      const existingOwner = this.toolOwnership.get(name);
+      if (existingOwner && existingOwner !== serverId) {
+        collisions.push({ tool: name, existingServer: existingOwner, newServer: serverId });
+      }
+    }
     this.serverTools.set(serverId, new Set(toolNames));
     for (const name of toolNames) {
       this.toolOwnership.set(name, serverId);
     }
+    if (collisions.length > 0) {
+      return {
+        collisions,
+        severity: 'critical',
+        message: `Tool name squatting detected: ${collisions.map(c => `"${c.tool}" (owned by ${c.existingServer}, overridden by ${c.newServer})`).join(', ')}`
+      };
+    }
+    return null;
   }
 
   /**
@@ -639,8 +655,14 @@ class MCPGuard {
     this._chainTracker = [];
     this._chainMaxLen = 50;
 
+    /** Recursive tool invocation depth tracker (per-request) */
+    this._callDepth = new Map();
+    this._maxCallDepth = options.maxCallDepth || 5;
+
     /** Agent fleet registry — tracks all known agents in the deployment */
     this._agentRegistry = new Map();
+
+    this.config = options;
   }
 
   // -----------------------------------------------------------------------
@@ -910,10 +932,26 @@ class MCPGuard {
    * @param {*} args - Tool arguments.
    * @returns {{ allowed: boolean, threats: Array<object>, anomalies: Array<object> }}
    */
-  interceptToolCall(serverId, toolName, args) {
+  interceptToolCall(serverId, toolName, args, requestId) {
     const threats = [];
     const anomalies = [];
 
+    // Recursive tool invocation depth check
+    if (requestId) {
+      const depth = (this._callDepth.get(requestId) || 0) + 1;
+      this._callDepth.set(requestId, depth);
+      if (depth > this._maxCallDepth) {
+        threats.push({
+          type: 'recursive_tool_invocation',
+          severity: 'high',
+          serverId,
+          toolName,
+          description: `Tool call depth ${depth} exceeds max ${this._maxCallDepth}. Possible recursive loop or reentrancy attack.`
+        });
+        return { allowed: false, threats, anomalies };
+      }
+    }
+
     // Circuit breaker check
     const cbCheck = this._checkCircuitBreaker(serverId);
     if (!cbCheck.allowed) {
@@ -1188,6 +1226,19 @@ class MCPGuard {
 
     // Scan output
     const outputStr = typeof output === 'string' ? output : JSON.stringify(output || {});
+
+    // Context flooding defense: flag oversized tool outputs that could push
+    // legitimate instructions out of the context window
+    const maxOutputSize = this.config.maxToolOutputSize || 100_000;
+    if (outputStr.length > maxOutputSize) {
+      threats.push({
+        type: 'context_flooding',
+        severity: 'high',
+        serverId,
+        toolName,
+        description: `Tool output exceeds max size (${outputStr.length} > ${maxOutputSize} chars). Possible context window flooding attack.`
+      });
+    }
     const scanResult = this.scanner(outputStr);
     if (scanResult.threats && scanResult.threats.length > 0) {
       for (const t of scanResult.threats) {

package/src/middleware.js

@@ -14,11 +14,87 @@ const { createShieldError } = require('./errors');
 /** Coerce any value to a scannable string. */
 const textify = (val) => typeof val === 'string' ? val : (val != null ? JSON.stringify(val) : '');
 
+/**
+ * Default maximum body size (in bytes) enforced by expressMiddleware
+ * when `options.maxBodySize` is not provided. Defaults to 1 MB.
+ */
+const DEFAULT_MAX_BODY_SIZE = 1 * 1024 * 1024;
+
+/**
+ * Computes the approximate size in bytes of a parsed request body.
+ * - String: exact UTF-8 byte length
+ * - Buffer: exact length
+ * - Object: JSON.stringify length (fallback)
+ *
+ * @param {*} body
+ * @returns {number}
+ */
+const computeBodySize = (body) => {
+  if (body == null) return 0;
+  if (Buffer.isBuffer(body)) return body.length;
+  if (typeof body === 'string') return Buffer.byteLength(body, 'utf8');
+  if (typeof body === 'object') {
+    try {
+      return JSON.stringify(body).length;
+    } catch (_) {
+      return 0;
+    }
+  }
+  return 0;
+};
+
+/**
+ * Attaches a cumulative byte-counter to the raw request stream and aborts
+ * the request with 413 once the configured limit is exceeded. This runs
+ * in addition to the post-parse body size check so attackers cannot
+ * bypass the limit by streaming a huge payload before the body parser
+ * buffers it.
+ *
+ * @param {import('http').IncomingMessage} req
+ * @param {import('http').ServerResponse} res
+ * @param {number} limit
+ * @returns {boolean} True if the stream watcher was attached.
+ */
+const attachRawSizeGuard = (req, res, limit) => {
+  if (!req || typeof req.on !== 'function') return false;
+  // Already read/parsed — nothing to guard.
+  if (req._agentShieldRawGuardAttached) return false;
+  req._agentShieldRawGuardAttached = true;
+
+  let received = 0;
+  const onData = (chunk) => {
+    received += chunk ? chunk.length : 0;
+    if (received > limit) {
+      req.removeListener('data', onData);
+      try {
+        if (typeof req.pause === 'function') req.pause();
+        if (!res.headersSent) {
+          res.status(413).json({
+            error: 'Payload Too Large',
+            message: `Request body exceeds maximum allowed size of ${limit} bytes`,
+            maxBodySize: limit
+          });
+        }
+        if (typeof req.destroy === 'function') req.destroy();
+      } catch (_) {
+        // Swallow — the response has already been sent or the socket closed.
+      }
+    }
+  };
+  req.on('data', onData);
+  return true;
+};
+
 /**
  * Creates an Express/Connect-style middleware that scans request bodies
  * for AI-specific threats before they reach your agent endpoint.
  *
+ * Enforces a configurable body-size limit (default 1MB) so callers do
+ * not need to configure body-parser separately. Oversized payloads are
+ * rejected with HTTP 413 before any scanning takes place.
+ *
  * @param {object} [config] - AgentShield configuration.
+ * @param {number} [config.maxBodySize=1048576] - Maximum accepted request body size in bytes.
  * @returns {Function} Express middleware function.
  *
  * @example
@@ -27,7 +103,7 @@ const textify = (val) => typeof val === 'string' ? val : (val != null ? JSON.str
  *
  * const app = express();
  * app.use(express.json());
- * app.use(expressMiddleware({ blockOnThreat: true, blockThreshold: 'high' }));
+ * app.use(expressMiddleware({ blockOnThreat: true, blockThreshold: 'high', maxBodySize: 512 * 1024 }));
  *
  * app.post('/agent', (req, res) => {
  *   // req.agentShield contains scan results
@@ -39,13 +115,33 @@ const textify = (val) => typeof val === 'string' ? val : (val != null ? JSON.str
  */
 const expressMiddleware = (config = {}) => {
   const shield = new AgentShield({ blockOnThreat: true, ...config });
+  const maxBodySize = Number.isFinite(config.maxBodySize) && config.maxBodySize > 0
+    ? config.maxBodySize
+    : DEFAULT_MAX_BODY_SIZE;
+
+  console.log('[Agent Shield] Middleware body size limit: %dKB. Configure options.maxBodySize to override.', Math.round(maxBodySize / 1024));
 
   return (req, res, next) => {
+    // Attach raw-stream guard for unparsed requests so attackers cannot
+    // bypass the post-parse size check with huge streamed payloads.
+    attachRawSizeGuard(req, res, maxBodySize);
+
     if (!req.body) {
       req.agentShield = { status: 'safe', threats: [], blocked: false };
       return next();
     }
 
+    // Enforce body-size limit before scanning to avoid DoS via huge inputs.
+    const bodySize = computeBodySize(req.body);
+    if (bodySize > maxBodySize) {
+      return res.status(413).json({
+        error: 'Payload Too Large',
+        message: `Request body (${bodySize} bytes) exceeds maximum allowed size of ${maxBodySize} bytes`,
+        maxBodySize,
+        receivedSize: bodySize
+      });
+    }
+
     // Extract text from common request body shapes
     const text = extractTextFromBody(req.body);
 
@@ -306,4 +402,13 @@ const shieldMiddleware = (config = {}) => {
   };
 };
 
-module.exports = { expressMiddleware, wrapAgent, shieldTools, extractTextFromBody, rateLimitMiddleware, shieldMiddleware };
+module.exports = {
+  expressMiddleware,
+  wrapAgent,
+  shieldTools,
+  extractTextFromBody,
+  rateLimitMiddleware,
+  shieldMiddleware,
+  computeBodySize,
+  DEFAULT_MAX_BODY_SIZE
+};

package/src/native-scanner.js

@@ -0,0 +1,104 @@
+'use strict';
+
+/**
+ * Agent Shield — Native Rust Scanner Bridge
+ *
+ * Provides a transparent bridge to the Rust-core pattern matching engine
+ * compiled via NAPI-RS. When the native module is available, scans run
+ * through Rust's RegexSet for O(n) multi-pattern matching — typically
+ * 5-10x faster than the pure-JS scanner on long inputs.
+ *
+ * Falls back silently to the pure-JS scanner if the native module is
+ * not compiled or unavailable for the current platform.
+ *
+ * Build the native module:
+ *   cd rust-core && cargo build --release --features node
+ *   cp target/release/libagent_shield_core.so agent-shield-core.node  # Linux
+ *   cp target/release/libagent_shield_core.dylib agent-shield-core.node  # macOS
+ *
+ * @module native-scanner
+ */
+
+const path = require('path');
+
+let nativeModule = null;
+let nativeAvailable = false;
+
+const NATIVE_PATHS = [
+  path.join(__dirname, '..', 'rust-core', 'agent-shield-core.node'),
+  path.join(__dirname, '..', 'rust-core', 'target', 'release', 'agent-shield-core.node'),
+  path.join(__dirname, '..', 'native', 'agent-shield-core.node'),
+];
+
+for (const p of NATIVE_PATHS) {
+  try {
+    nativeModule = require(p);
+    nativeAvailable = true;
+    console.log('[Agent Shield] Native Rust scanner loaded from: ' + path.basename(p));
+    break;
+  } catch {
+    // Not available at this path, try next
+  }
+}
+
+/**
+ * Returns true if the native Rust scanner is available.
+ * @returns {boolean}
+ */
+function isNativeAvailable() {
+  return nativeAvailable;
+}
+
+/**
+ * Scan text using the native Rust engine.
+ * Returns null if native is not available (caller should fall back to JS).
+ *
+ * @param {string} text - Text to scan.
+ * @returns {object|null} ScanResult or null if native unavailable.
+ */
+function nativeScan(text) {
+  if (!nativeAvailable || !text || typeof text !== 'string') return null;
+  try {
+    const json = nativeModule.scanText(text);
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Batch scan multiple texts using the native Rust engine.
+ *
+ * @param {string[]} texts - Array of texts to scan.
+ * @returns {object[]|null} Array of ScanResults or null if native unavailable.
+ */
+function nativeScanBatch(texts) {
+  if (!nativeAvailable || !Array.isArray(texts)) return null;
+  try {
+    const json = nativeModule.scanBatch(texts.filter(t => typeof t === 'string'));
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Get all patterns from the native Rust engine.
+ *
+ * @returns {object[]|null} Array of patterns or null if native unavailable.
+ */
+function nativeGetPatterns() {
+  if (!nativeAvailable) return null;
+  try {
+    return JSON.parse(nativeModule.getPatterns());
+  } catch {
+    return null;
+  }
+}
+
+module.exports = {
+  isNativeAvailable,
+  nativeScan,
+  nativeScanBatch,
+  nativeGetPatterns,
+};