agentshield-sdk 7.0.0 → 7.2.0

package/CHANGELOG.md

@@ -4,6 +4,34 @@ All notable changes to Agent Shield will be documented in this file.
 
 This project follows [Semantic Versioning](https://semver.org/).
 
+## [7.2.0] — 2026-03-21
+
+### Added
+
+- **Indirect Prompt Injection Attack (IPIA) Detector** — `IPIADetector` implementing the joint-context embedding + classifier pipeline from "Benchmarking and Defending Against Indirect Prompt Injection Attacks on LLMs" (2024). 4-step pipeline: context construction → feature extraction → classification → response (`src/ipia-detector.js`)
+- **ContextConstructor** — builds joint context `J = [C || SEP || U]` from external content and user intent with configurable separator and length limits
+- **FeatureExtractor** — computes 10-feature vector: 3 cosine similarities (intent/content/joint TF-IDF), Shannon entropy, injection lexicon density, imperative verb density, directive pattern score, vocabulary overlap, content length ratio
+- **TreeClassifier** — hand-tuned decision tree classifier with O(1) inference, zero dependencies, configurable threshold
+- **ExternalEmbedder** — pluggable embedding backend for power users (MiniLM, OpenAI, etc.) with async `scanAsync()` support
+- **Batch RAG scanning** — `scanBatch()` scans multiple retrieved chunks against a single user intent
+- **IPIA Express middleware** — `ipiaMiddleware()` with block/flag/log actions for HTTP endpoints
+- **`createIPIAScanner()`** — factory function for quick RAG pipeline integration
+- **117 new test assertions** — covering all pipeline stages, false positive resistance, async/external embedder, middleware, edge cases
+
+### Changed
+
+- Total exports increased from 318 to 327 across 79 modules
+- Test suite expanded to 1,282 assertions across 15 test suites (117 IPIA tests)
+- `test:full` script now includes IPIA detector tests
+
+### Fixed
+
+- `tokenize()` crashed on non-string input (number, object, boolean) — now coerces via `String()`
+- `ContextConstructor.build()` crashed on non-string arguments — now coerces via `String()`
+- `cosineSim()` returned `NaN` on `Infinity` input vectors — now returns 0 for non-finite values
+- `ExternalEmbedder.defaultSimilarity()` same `NaN` issue — fixed with `isFinite()` guard
+- `ipiaMiddleware` crashed on `null` request object — added null guard
+
 ## [7.0.0] — 2026-03-21
 
 ### Added

package/README.md

@@ -1,12 +1,12 @@
 # Agent Shield
 
-[![npm version](https://img.shields.io/badge/npm-v7.0.0-blue)](https://www.npmjs.com/package/agent-shield)
+[![npm version](https://img.shields.io/badge/npm-v7.2.0-blue)](https://www.npmjs.com/package/agentshield-sdk)
 [![license](https://img.shields.io/badge/license-MIT-green)](LICENSE)
 [![zero deps](https://img.shields.io/badge/dependencies-0-brightgreen)](#)
 [![node](https://img.shields.io/badge/node-%3E%3D16-blue)](#)
 [![shield score](https://img.shields.io/badge/shield%20score-100%2F100%20A%2B-brightgreen)](#benchmark-results)
 [![detection](https://img.shields.io/badge/detection-100%25-brightgreen)](#benchmark-results)
-[![tests](https://img.shields.io/badge/tests-962%20passing-brightgreen)](#testing)
+[![tests](https://img.shields.io/badge/tests-1282%20passing-brightgreen)](#testing)
 
 **The security standard for MCP and AI agents.** Protect your agents from prompt injection, confused deputy attacks, data exfiltration, privilege escalation, and 30+ other AI-specific threats.
 
@@ -22,6 +22,38 @@ Available for **Node.js**, **Python**, **Go**, **Rust**, and in-browser via **WA
   <b>Try it yourself:</b> <code>npx agent-shield demo</code>
 </p>
 
+## v7.2 — Indirect Prompt Injection Detection
+
+**Stop attacks hidden in RAG chunks, tool outputs, emails, and documents.** The IPIA detector implements the joint-context embedding + classifier pipeline to catch injections that bypass pattern matching.
+
+```javascript
+const { IPIADetector } = require('agentshield-sdk');
+
+const detector = new IPIADetector({ threshold: 0.5 });
+
+// Scan RAG chunks before feeding to your LLM
+const result = detector.scan(
+  retrievedChunk,   // External content (RAG, tool output, email, etc.)
+  userQuery         // The user's original intent
+);
+
+if (result.isInjection) {
+  console.log('Blocked IPIA:', result.reason, '(confidence:', result.confidence + ')');
+}
+
+// Batch scan all RAG results at once
+const batch = detector.scanBatch(allChunks, userQuery);
+const safeChunks = allChunks.filter((_, i) => !batch.results[i].isInjection);
+
+// Pluggable embeddings for power users (MiniLM, OpenAI, etc.)
+const detector2 = new IPIADetector({
+  embeddingBackend: { embed: async (text) => myModel.encode(text) }
+});
+const result2 = await detector2.scanAsync(chunk, query);
+```
+
+---
+
 ## v7.0 — MCP Security Runtime
 
 **One line to secure any MCP server.** The unified security layer that connects per-user authorization, threat scanning, behavioral monitoring, and audit logging into a single runtime.
@@ -122,8 +154,8 @@ const shield = new AgentShield({ blockOnThreat: true });
 const result = shield.scanInput(userMessage); // { blocked: true, threats: [...] }
 ```
 
-- 310+ exports across 77+ modules
-- 962 test assertions across 13 test suites, 100% pass rate
+- 327+ exports across 79 modules
+- 1,282 test assertions across 15 test suites, 100% pass rate
 - 100% red team detection rate (A+ grade)
 - Shield Score: 100/100 — fortress-grade protection
 - AES-256-GCM encryption, HMAC-SHA256 signing throughout
@@ -144,7 +176,7 @@ const result = shield.scanInput(userMessage); // { blocked: true, threats: [...]
 
 **Node.js:**
 ```bash
-npm install agent-shield
+npm install agentshield-sdk
 ```
 
 **Python:**
@@ -305,7 +337,7 @@ grpc.NewServer(grpc.UnaryInterceptor(shield.GRPCInterceptor(s)))
 | **Obfuscation** | Unicode homoglyphs, zero-width chars, Base64, hex, ROT13, leetspeak, reversed text |
 | **Multi-Language** | CJK (Chinese/Japanese/Korean), Arabic, Cyrillic, Hindi, + 7 European languages |
 | **PII Leakage** | SSNs, emails, phone numbers, credit cards auto-redacted |
-| **Indirect Injection** | Image alt-text attacks, multi-turn escalation, multimodal vectors |
+| **Indirect Injection** | RAG chunk poisoning, tool output injection, email/document payloads, image alt-text attacks, multi-turn escalation |
 | **AI Phishing** | Fake AI login, voice cloning, deepfake tools, QR phishing, MFA harvesting |
 | **Jailbreaks** | 35+ templates across 6 categories: role play, encoding bypass, context manipulation, authority exploitation |
 
@@ -313,7 +345,7 @@ grpc.NewServer(grpc.UnaryInterceptor(shield.GRPCInterceptor(s)))
 
 | Platform | Location | Description |
 |----------|----------|-------------|
-| **Node.js** | `src/` | Core SDK — 302 exports, zero dependencies |
+| **Node.js** | `src/` | Core SDK — 327 exports, zero dependencies |
 | **Python** | `python-sdk/` | Full detection, Flask/FastAPI middleware, LangChain/LlamaIndex wrappers, CLI |
 | **Go** | `go-sdk/` | Full detection engine, HTTP/gRPC middleware, CLI, zero external deps |
 | **Rust** | `rust-core/` | High-performance `RegexSet` O(n) engine, WASM/NAPI/PyO3 targets |
@@ -869,6 +901,7 @@ npx agent-shield dashboard                          # Security dashboard
 ```bash
 npm test                 # Core + module tests (248 assertions)
 npm run test:all         # Full 40-feature suite (149 assertions)
+npm run test:ipia        # IPIA detector tests (117 assertions)
 node test/test-v6-modules.js  # v6.0 compliance & standards (122 assertions)
 node test/test-confused-deputy.js  # Confused deputy prevention (85 assertions)
 npm run redteam          # Attack simulation (100% detection)
@@ -885,13 +918,13 @@ node vscode-extension/test/extension.test.js  # VS Code (167 tests)
 cd python-sdk && python -m unittest tests/test_detector.py  # Python (23 tests)
 ```
 
-Total: **850 test assertions** across 11 test suites.
+Total: **1,282 test assertions** across 15 test suites.
 
 ## Project Structure
 
 ```
 /
-├── src/                        # Node.js SDK (302 exports)
+├── src/                        # Node.js SDK (327 exports)
 │   ├── index.js                # AgentShield class — main entry point
 │   ├── main.js                 # Unified re-export of all modules
 │   ├── detector-core.js        # Core detection engine (patterns, scanning)
@@ -937,6 +970,7 @@ Total: **850 test assertions** across 11 test suites.
 │   ├── compliance.js            # SOC2/HIPAA/GDPR reporting, audit trail
 │   ├── enterprise.js            # Multi-tenant, RBAC, debug mode
 │   ├── redteam.js               # Attack simulator, payload fuzzer
+│   ├── ipia-detector.js         # v7.2 — Indirect prompt injection detector (IPIA pipeline)
 │   └── ...                      # + 25 more modules
 ├── python-sdk/                 # Python SDK
 │   ├── agent_shield/           # Core package (detector, shield, middleware, CLI)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentshield-sdk",
-  "version": "7.0.0",
+  "version": "7.2.0",
   "description": "The security standard for MCP and AI agents. Protects against prompt injection, confused deputy attacks, data exfiltration, and 30+ threats. Zero dependencies, runs locally.",
   "main": "src/main.js",
   "types": "types/index.d.ts",
@@ -27,7 +27,9 @@
     "test:mcp": "node test/test-mcp-security.js",
     "test:deputy": "node test/test-confused-deputy.js",
     "test:v6": "node test/test-v6-modules.js",
-    "test:full": "npm test && node test/test-mcp-security.js && node test/test-confused-deputy.js && node test/test-v6-modules.js && npm run test:all",
+    "test:adaptive": "node test/test-adaptive-defense.js",
+    "test:ipia": "node test/test-ipia-detector.js",
+    "test:full": "npm test && node test/test-mcp-security.js && node test/test-confused-deputy.js && node test/test-v6-modules.js && node test/test-adaptive-defense.js && node test/test-ipia-detector.js && npm run test:all",
     "test:coverage": "c8 --reporter=text --reporter=lcov --reporter=json-summary npm test",
     "lint": "node test/lint.js",
     "lint:eslint": "eslint src/ test/ bin/",