agentshield-sdk 7.4.0 → 10.0.0

package/CHANGELOG.md

@@ -4,6 +4,54 @@ All notable changes to Agent Shield will be documented in this file.
 
 This project follows [Semantic Versioning](https://semver.org/).
 
+## [9.0.0] - 2026-03-24
+
+### Changed — Everything Free
+
+- **Removed all paid tier gating** — every feature is now free and open source
+- **ML detection available to all users** — previously required Pro/Enterprise tier
+- **Removed license key system** — no keys, no validation, no restrictions
+- **Merged agentshield-pro features into core SDK** — ensemble, persistent learning, agent intent, cross-turn tracking, self-training, all included
+- All compliance modules (SOC2, OWASP, NIST, EU AI Act) available to everyone
+- All enterprise modules (distributed scanning, SSO, audit streaming) available to everyone
+- CORTEX autonomous defense available to everyone
+- Updated README, ROADMAP, CLAUDE.md for v9.0.0
+
+### Metrics
+
+- **2,220+ test assertions** across 16 test suites + Python + VSCode
+- **0 regressions** — all existing tests pass
+- **400+ exports** across 94 modules
+
+## [8.0.0] - 2026-03-22
+
+### Added — Intelligent Detection Engine
+
+- **Smart Configuration System** (`src/smart-config.js`) — `createShield('chatbot')` for 3-line setup, `ShieldBuilder` fluent API with 15 chainable methods, `validateConfig()`, `describeConfig()`, 9 presets including `mcp_server`
+- **Ensemble Voting Classifier** (`src/ensemble.js`) — `EnsembleClassifier` combining 4 independent voters (PatternVoter, TFIDFVoter, EntropyVoter, IPIAVoter) via weighted majority voting. Configurable weights, `requireUnanimous` mode, agreement scoring
+- **Agent Intent Declaration** (`src/agent-intent.js`) — `AgentIntent` class for declaring agent purpose and allowed tools. TF-IDF cosine similarity checks if messages are on-topic
+- **Goal Drift Detection** (`src/agent-intent.js`) — `GoalDriftDetector` monitors conversation for drift away from declared purpose. Sliding window, trend detection (stable/drifting/recovering), drift callbacks
+- **Tool Sequence Modeling** (`src/agent-intent.js`) — `ToolSequenceModeler` learns normal tool call patterns via Markov chain bigrams. Flags anomalous tool transitions after learning period
+- **Persistent Learning** (`src/persistent-learning.js`) — `PersistentLearningLoop` with disk persistence via atomic JSON writes. Pattern promotion, decay, false positive revocation, export/import
+- **Feedback API** (`src/persistent-learning.js`) — `FeedbackCollector` for FP/FN reporting. Auto-processes feedback into learning loop. Retrain cooldown, audit trail
+- **Cross-Turn Injection Tracking** (`src/cross-turn.js`) — `CrossTurnTracker` accumulates conversation and detects injections split across multiple messages. Compares individual vs combined scan results
+- **Adaptive Threshold Calibration** (`src/cross-turn.js`) — `AdaptiveThresholdCalibrator` auto-tunes detection thresholds per category using percentile-based calibration on observed scan results
+- **Adversarial Self-Training** (`src/self-training.js`) — `SelfTrainer` with `MutationEngine` (12 strategies: synonym swap, homoglyph, leet speak, zero-width insert, padding, encoding wrap, etc.). Evolves attacks, extracts patterns from evasive variants
+- 25 built-in seed attacks for self-training
+- 161 new test assertions (test/test-v8-features.js)
+
+### Changed
+
+- `src/main.js` — 418 total exports (up from 395)
+- 9 configuration presets (up from 8, added `mcp_server`)
+- Updated README, ROADMAP, and CLAUDE.md
+
+### Metrics
+
+- **2,500+ test assertions** across all test suites
+- **0 regressions** — all existing tests pass
+- **418 exports** from unified entry point
+
 ## [7.4.0] - 2026-03-21
 
 ### Added — Detection Hardening

package/LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2026 Agent Shield Contributors
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2026 Agent Shield Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,17 +1,17 @@
 # Agent Shield
 
-[![npm version](https://img.shields.io/badge/npm-v7.4.0-blue)](https://www.npmjs.com/package/agentshield-sdk)
+[![npm version](https://img.shields.io/badge/npm-v9.0.0-blue)](https://www.npmjs.com/package/agentshield-sdk)
 [![license](https://img.shields.io/badge/license-MIT-green)](LICENSE)
 [![zero deps](https://img.shields.io/badge/dependencies-0-brightgreen)](#)
 [![node](https://img.shields.io/badge/node-%3E%3D16-blue)](#)
 [![shield score](https://img.shields.io/badge/shield%20score-100%2F100%20A%2B-brightgreen)](#benchmark-results)
 [![detection](https://img.shields.io/badge/detection-100%25-brightgreen)](#benchmark-results)
-[![F1](https://img.shields.io/badge/F1%20score-100%25-brightgreen)](#benchmark-results)
-[![tests](https://img.shields.io/badge/tests-2400%2B%20passing-brightgreen)](#testing)
+[![tests](https://img.shields.io/badge/tests-2220%20passing-brightgreen)](#testing)
+[![free](https://img.shields.io/badge/every%20feature-free-brightgreen)](#why-free)
 
-**The security standard for MCP and AI agents.** Protect your agents from prompt injection, confused deputy attacks, data exfiltration, privilege escalation, and 30+ other AI-specific threats.
+**The complete security standard for AI agents.** 400+ exports. 94 modules. Every feature free. Protect your agents from prompt injection, confused deputy attacks, data exfiltration, privilege escalation, and 30+ other AI-specific threats.
 
-Zero dependencies. All detection runs locally. No API keys. No data ever leaves your environment.
+Zero dependencies. All detection runs locally. No API keys. No tiers. No data ever leaves your environment.
 
 Available for **Node.js**, **Python**, **Go**, **Rust**, and in-browser via **WASM**.
 
@@ -23,29 +23,11 @@ Available for **Node.js**, **Python**, **Go**, **Rust**, and in-browser via **WA
   <b>Try it yourself:</b> <code>npx agent-shield demo</code>
 </p>
 
-## v7.4 — Detection Hardening & Normalization
 
-**F1 score: 100%.** 21 new detection patterns for prompt extraction, instruction override, and authority spoofing — validated against HackAPrompt, TensorTrust, and security research datasets with zero false positives.
-
-New **text normalization pipeline** strips obfuscation before scanning: Unicode canonicalization, homoglyph mapping, encoding decode (Base64/hex/URL/HTML entities), leet speak, invisible character removal, whitespace normalization, repetition collapse, and markdown stripping.
-
-**50-cycle bug hunt** fixed 30+ real bugs across all 50 source modules: memory leaks, spin-waits, falsy-zero defaults, self-matching detection, cache collisions, unbounded growth, and hot-path optimizations.
-
-```javascript
-const { normalize } = require('agentshield-sdk');
-
-// 8-layer normalization pipeline
-const result = normalize('ℹ𝗀𝗇𝗈𝗋𝖾 𝖺𝗅𝗅 ᎥnstructᎥons');
-// { normalized: 'ignore all instructions', layers: ['unicode_canon', 'homoglyph'] }
-
-// Normalization is automatic — scanText runs it behind the scenes
-const { scanText } = require('agentshield-sdk');
-scanText('ℹ𝗀𝗇𝗈𝗋𝖾 𝖺𝗅𝗅 ᎥnstructᎥons'); // Detected! (after normalization)
-```
 
 ---
 
-## v7.2 — Indirect Prompt Injection Detection
+## Indirect Prompt Injection Detection
 
 **Stop attacks hidden in RAG chunks, tool outputs, emails, and documents.** The IPIA detector implements the joint-context embedding + classifier pipeline to catch injections that bypass pattern matching.
 
@@ -77,7 +59,7 @@ const result2 = await detector2.scanAsync(chunk, query);
 
 ---
 
-## v7.0 — MCP Security Runtime
+## MCP Security Runtime
 
 **One line to secure any MCP server.** The unified security layer that connects per-user authorization, threat scanning, behavioral monitoring, and audit logging into a single runtime.
 
@@ -177,8 +159,8 @@ const shield = new AgentShield({ blockOnThreat: true });
 const result = shield.scanInput(userMessage); // { blocked: true, threats: [...] }
 ```
 
-- 395+ exports across 94 modules
-- 2,400+ test assertions across 18 test suites, 100% pass rate
+- 400+ exports across 94 modules
+- 2,220 test assertions across 16 test suites + Python + VSCode, 100% pass rate
 - 100% red team detection rate (A+ grade)
 - F1 100% on real-world attack benchmarks (HackAPrompt, TensorTrust, research corpus)
 - Shield Score: 100/100 — fortress-grade protection
@@ -366,6 +348,10 @@ grpc.NewServer(grpc.UnaryInterceptor(shield.GRPCInterceptor(s)))
 | **Indirect Injection** | RAG chunk poisoning, tool output injection, email/document payloads, image alt-text attacks, multi-turn escalation |
 | **AI Phishing** | Fake AI login, voice cloning, deepfake tools, QR phishing, MFA harvesting |
 | **Jailbreaks** | 35+ templates across 6 categories: role play, encoding bypass, context manipulation, authority exploitation |
+| **Ensemble Detection** | 4 independent voting signals, weighted consensus, adaptive threshold calibration |
+| **Intent & Goal Drift** | Agent purpose declaration, goal drift monitoring, tool sequence anomaly detection (Markov chains) |
+| **Cross-Turn Injection** | Split-message attack tracking, multi-turn state correlation |
+| **Adaptive Learning** | Persistent learning with disk storage, feedback API (FP/FN reporting), adversarial self-training (12 mutation strategies) |
 
 ## Platform SDKs
 
@@ -416,7 +402,7 @@ validator.validate(plugin);         // Safety & quality validation
 
 The `vscode-extension/` directory contains a VS Code extension that provides inline diagnostics and real-time scanning for JS/TS/Python/Markdown files with 141 detection patterns.
 
-### Enterprise Features (v2.1)
+### Distributed & Multi-Tenant (v2.1)
 
 ```javascript
 const { DistributedShield, AuditStreamManager, SSOManager, MultiTenantShield } = require('agent-shield');
@@ -928,12 +914,13 @@ npx agent-shield dashboard                          # Security dashboard
 ```bash
 npm test                 # Core + module tests (248 assertions)
 npm run test:all         # Full 40-feature suite (149 assertions)
+npm run test:ml          # ML detector tests (37 assertions)
 npm run test:ipia        # IPIA detector tests (117 assertions)
-npm run test:normalizer  # Text normalization pipeline (73 assertions)
-npm run test:scorecard   # Real-world benchmark scorecard (F1, MCC, per-dataset)
-npm run test:edge        # Edge case coverage (unicode, long inputs, thresholds)
-node test/test-v6-modules.js  # v6.0 compliance & standards (122 assertions)
-node test/test-confused-deputy.js  # Confused deputy prevention (85 assertions)
+npm run test:mcp         # MCP security runtime tests (112 assertions)
+npm run test:v6          # v6.0 compliance & standards (122 assertions)
+npm run test:adaptive    # Adaptive defense tests (85 assertions)
+npm run test:deputy      # Confused deputy prevention (85 assertions)
+npm run test:fp          # False positive accuracy (99.2%)
 npm run redteam          # Attack simulation (100% detection)
 npm run score            # Shield Score (100/100 A+)
 npm run benchmark        # Performance benchmarks
@@ -944,17 +931,17 @@ Sub-project tests:
 node dashboard-live/test/test-server.js      # Dashboard (14 tests)
 node github-app/test/test-scanner.js         # GitHub App (20 tests)
 node benchmark-registry/test/test-registry.js # Benchmarks (22 tests)
-node vscode-extension/test/extension.test.js  # VS Code (167 tests)
-cd python-sdk && python -m unittest tests/test_detector.py  # Python (23 tests)
+node vscode-extension/test/extension.test.js  # VS Code (607 tests)
+cd python-sdk && python -m unittest tests/test_detector.py  # Python (32 tests)
 ```
 
-Total: **2,400+ test assertions** across 18 test suites.
+Total: **2,220 test assertions** across 16 test suites + Python + VSCode.
 
 ## Project Structure
 
 ```
 /
-├── src/                        # Node.js SDK (395 exports)
+├── src/                        # Node.js SDK (400+ exports, 94 modules)
 │   ├── index.js                # AgentShield class — main entry point
 │   ├── main.js                 # Unified re-export of all modules
 │   ├── detector-core.js        # Core detection engine (patterns, scanning)
@@ -1062,6 +1049,12 @@ console.log(report.formatReport());
 
 A GitHub Actions workflow is included at `.github/workflows/ci.yml`. It runs all tests across Node.js 18, 20, and 22 on every push and PR.
 
+## Why Free?
+
+Agent Shield started as a paid SDK with Pro and Enterprise tiers. We removed all gating in v9.0. Every feature — ML detection, compliance reporting, MCP security, CORTEX autonomous defense — is now free and open source.
+
+Security shouldn't have a paywall. If your agent is vulnerable, it doesn't matter what tier you're on.
+
 ## Privacy
 
 All detection runs locally using pattern matching. No data is sent to any external service. No API keys required. No cloud dependencies. See [PRIVACY.md](PRIVACY.md) for details.

package/bin/agentshield-audit

@@ -0,0 +1,51 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * Agent Shield — Red Team Audit CLI
+ *
+ * Usage:
+ *   npx agentshield-audit <endpoint> [--mode quick|standard|full] [--out dir]
+ */
+
+const { RedTeamCLI } = require('../src/redteam-cli');
+
+function parseArgs(argv) {
+  const args = { endpoint: null, mode: 'standard', out: process.cwd() };
+  const values = argv.slice(2);
+  args.endpoint = values[0];
+  for (let i = 1; i < values.length; i++) {
+    if (values[i] === '--mode' && values[i + 1]) {
+      args.mode = values[i + 1];
+      i++;
+    } else if (values[i] === '--out' && values[i + 1]) {
+      args.out = values[i + 1];
+      i++;
+    }
+  }
+  return args;
+}
+
+function main() {
+  const args = parseArgs(process.argv);
+  if (!args.endpoint) {
+    console.error('Usage: npx agentshield-audit <endpoint> [--mode quick|standard|full] [--out dir]');
+    process.exit(1);
+  }
+
+  const cli = new RedTeamCLI();
+  const report = cli.run(args.endpoint, { mode: args.mode });
+  const files = cli.writeReports(report, args.out);
+
+  console.log(`[Agent Shield] Grade ${report.grade} (${report.score}/100) for ${report.endpoint}`);
+  console.log(`[Agent Shield] ${report.blocked}/${report.attackCount} attacks blocked`);
+  console.log(`[Agent Shield] JSON report: ${files.jsonPath}`);
+  console.log(`[Agent Shield] Markdown report: ${files.mdPath}`);
+  console.log(`[Agent Shield] HTML report: ${files.htmlPath}`);
+
+  if (report.grade === 'F' || (report.supplyChain && report.supplyChain.highestSeverity === 'critical')) {
+    process.exit(2);
+  }
+}
+
+main();

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "agentshield-sdk",
-  "version": "7.4.0",
-  "description": "The security standard for MCP and AI agents. 162 detection patterns, text normalization pipeline, CORTEX threat intelligence, pre-deployment audit, intent firewall, flight recorder, and 395+ exports. Zero dependencies, runs locally.",
+  "version": "10.0.0",
+  "description": "The security standard for MCP and AI agents. 141 detection patterns, CORTEX threat intelligence, pre-deployment audit, intent firewall, flight recorder, and 390+ exports. Zero dependencies, runs locally.",
   "main": "src/main.js",
   "types": "types/index.d.ts",
   "exports": {
@@ -18,22 +18,21 @@
     "./package.json": "./package.json"
   },
   "bin": {
-    "agent-shield": "bin/agent-shield.js"
+    "agent-shield": "bin/agent-shield.js",
+    "agentshield-audit": "bin/agentshield-audit"
   },
   "sideEffects": false,
   "scripts": {
-    "test": "node test/test.js && node test/test-modules.js && node test/test-new-features.js",
+    "test": "node test/test.js && node test/test-modules.js && node test/test-new-features.js && node test/test-mcp-guard.js && node test/test-supply-chain-scanner.js && node test/test-owasp-agentic.js && node test/test-redteam-cli.js && node test/test-drift-monitor.js && node test/test-micro-model.js",
+    "test:new-products": "node test/test-mcp-guard.js && node test/test-supply-chain-scanner.js && node test/test-owasp-agentic.js && node test/test-redteam-cli.js && node test/test-drift-monitor.js && node test/test-micro-model.js",
     "test:all": "node test/test-all-40-features.js",
     "test:mcp": "node test/test-mcp-security.js",
     "test:deputy": "node test/test-confused-deputy.js",
     "test:v6": "node test/test-v6-modules.js",
     "test:adaptive": "node test/test-adaptive-defense.js",
     "test:ipia": "node test/test-ipia-detector.js",
-    "test:normalizer": "node test/test-normalizer.js",
-    "test:scorecard": "node test/benchmark-scorecard.js",
-    "test:edge": "node test/test-edge-cases.js",
     "test:production": "node test/test-production-readiness.js",
-    "test:full": "npm test && node test/test-mcp-security.js && node test/test-confused-deputy.js && node test/test-v6-modules.js && node test/test-adaptive-defense.js && node test/test-ipia-detector.js && node test/test-production-readiness.js && node test/test-normalizer.js && node test/test-edge-cases.js && node test/benchmark-scorecard.js && npm run test:all",
+    "test:full": "npm test && node test/test-mcp-security.js && node test/test-confused-deputy.js && node test/test-v6-modules.js && node test/test-adaptive-defense.js && node test/test-ipia-detector.js && node test/test-production-readiness.js && npm run test:all",
     "test:coverage": "c8 --reporter=text --reporter=lcov --reporter=json-summary npm test",
     "lint": "node test/lint.js",
     "lint:eslint": "eslint src/ test/ bin/",
@@ -55,7 +54,6 @@
     "demo": "node bin/agent-shield.js demo",
     "playground": "echo 'Open playground/index.html in a browser'",
     "certify": "node -e \"const {CertificationRunner}=require('./src/certification');new CertificationRunner().runCertification().then(r=>console.log(r.certificate.toText()))\"",
-    "benchmark:scorecard": "node test/benchmark-scorecard.js",
     "benchmark:run": "node scripts/run-benchmark.js",
     "benchmark:generate": "node scripts/generate-dataset.js",
     "benchmark:baseline": "node scripts/run-benchmark.js --save-baseline",