agent-moss 0.2.0__py3-none-any.whl

agent_moss/__init__.py

@@ -0,0 +1,3 @@
+"""AgentMoss - Multi-layer security analysis engine for AI agents."""
+
+__version__ = "0.2.0"

agent_moss/__version__.py

@@ -0,0 +1 @@
+__version__ = "0.2.0"

agent_moss/adapters/__init__.py

@@ -0,0 +1,7 @@
+"""Adapters for AgentMoss — 将 AgentOS 可观测服务数据转换为标准格式"""
+
+from .observable import ObservableAdapter
+
+__all__ = [
+    "ObservableAdapter",
+]

agent_moss/adapters/observable.py

@@ -0,0 +1,104 @@
+"""Adapter for AgentOS observability service syscall data.
+
+将 AgentOS 可观测服务采集的 syscall 数据转换为标准 AnalyzeRequest 格式。
+"""
+
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+class ObservableAdapter:
+    """将 AgentOS 可观测服务 syscall 数据转换为标准 AnalyzeRequest
+
+    输入格式（来自可观测服务）：
+    {
+        "agent_id": "agent-001",
+        "session_id": "session-abc",
+        "sandbox_id": "sb-001",
+        "os_type": "linux",
+        "cwd": "/home/user/project",
+        "prompt": "分析日志文件",
+        "current_action": {
+            "tool": "bash",
+            "command": "cat /var/log/app.log",
+            "description": "读取应用日志"
+        },
+        "action_history": [{"tool": "read", "command": "ls -la", "output": "..."}],
+        "trace_id": "trace-xyz"
+    }
+
+    输出格式：标准 AnalyzeRequest dict
+    """
+
+    def adapt(self, raw_data: dict) -> dict:
+        """
+        将可观测服务数据转换为标准 AnalyzeRequest dict。
+
+        Args:
+            raw_data: 可观测服务原始数据
+
+        Returns:
+            dict: 标准 AnalyzeRequest 格式
+        """
+        session_id = raw_data.get("session_id") or raw_data.get("agent_id", "unknown")
+
+        # 可观测服务可能使用 current_action 而非 a_next
+        action_raw = raw_data.get("a_next") or raw_data.get("current_action", {})
+        if isinstance(action_raw, dict):
+            a_next = {
+                "action_type": action_raw.get("action_type") or action_raw.get("tool", "unknown"),
+                "action_detail": action_raw.get("action_detail") or action_raw.get("command", ""),
+            }
+        else:
+            a_next = {"action_type": "unknown", "action_detail": ""}
+
+        # 可观测服务可能使用 action_history 中的 tool/command 格式
+        history_raw = raw_data.get("action_history", [])
+        action_history = []
+        for h in history_raw:
+            if isinstance(h, dict):
+                action_history.append({
+                    "name": h.get("name") or h.get("action_type") or h.get("tool", ""),
+                    "action_detail": h.get("action_detail") or h.get("command", ""),
+                })
+
+        result = {
+            "session_id": session_id,
+            "prompt_session": raw_data.get("prompt_session") or raw_data.get("prompt", ""),
+            "action_history": action_history,
+            "a_next": a_next,
+            "reason": raw_data.get("reason") or raw_data.get("current_action", {}).get("description", ""),
+            "os_type": raw_data.get("os_type", ""),
+            "cwd": raw_data.get("cwd", ""),
+        }
+
+        # 从 current_action.description 补充 reason
+        if not result["reason"] and isinstance(action_raw, dict):
+            result["reason"] = action_raw.get("description", "")
+
+        # 传递 metadata
+        metadata = raw_data.get("metadata", {})
+        if not metadata:
+            metadata = {
+                k: raw_data[k] for k in ("agent_id", "sandbox_id", "trace_id", "sandbox_id")
+                if k in raw_data and k not in result
+            }
+        if metadata:
+            result["metadata"] = metadata
+
+        logger.debug("Adapted request for session %s (os_type=%s)", session_id, result.get("os_type", "auto"))
+        return result
+
+
+def is_raw_format(data: dict) -> bool:
+    """判断数据是否为原始可观测服务格式（需要适配器转换）"""
+    # 如果包含 current_action 或缺少 a_next，认为是原始格式
+    if "current_action" in data:
+        return True
+    if "a_next" not in data:
+        return True
+    # 如果 session_id 缺失但 agent_id 存在，也认为是原始格式
+    if "session_id" not in data and "agent_id" in data:
+        return True
+    return False

agent_moss/cli.py

@@ -0,0 +1,130 @@
+#!/usr/bin/env python3
+"""Command-line interface for AgentMoss (v2: with --mode socket support)."""
+
+import argparse
+import json
+import os
+import sys
+from pathlib import Path
+
+
+def cmd_init(args):
+    """Generate an example input.json template (v2: includes os_type and cwd)."""
+    template = {
+        "session_id": "my-session-001",
+        "prompt_session": "Read /var/log/app.log and analyze errors",
+        "action_history": [],
+        "a_next": {
+            "action_type": "bash",
+            "action_detail": "cat /var/log/app.log"
+        },
+        "reason": "Need to read log file for error analysis",
+        "os_type": "",
+        "cwd": "/home/user/project",
+    }
+    output = args.output or "input.json"
+    with open(output, "w", encoding="utf-8") as f:
+        json.dump(template, f, indent=2, ensure_ascii=False)
+    print(f"Template written to {output}")
+
+
+def cmd_analyze(args):
+    """Run security analysis on input JSON."""
+    from agent_moss.engine.analyzer import analyze
+    from agent_moss.profiles import get_profile
+
+    with open(args.input, "r", encoding="utf-8") as f:
+        data = json.load(f)
+
+    action_history = data.get("action_history", [])
+    a_next = data.get("a_next", {})
+
+    # OS auto-detect
+    os_type = data.get("os_type", "")
+    profile = get_profile(os_type)
+
+    result = analyze(
+        session_id=data.get("session_id", "unknown"),
+        prompt_session=data.get("prompt_session", ""),
+        action_history=action_history,
+        a_next=a_next,
+        reason=data.get("reason", ""),
+        profile=profile,
+    )
+
+    print(json.dumps(result, indent=2, ensure_ascii=False))
+
+    if not args.no_file:
+        session_id = data.get("session_id", "unknown").replace("/", "_")
+        out_dir = Path(args.output_dir) if args.output_dir else Path.cwd()
+        out_dir.mkdir(parents=True, exist_ok=True)
+        if result["decision"] == "Allow":
+            policy_path = out_dir / f"{session_id}_policy.toml"
+            policy_path.write_text(result.get("policy", ""), encoding="utf-8")
+            print(f"Policy written to {policy_path}")
+        else:
+            deny_path = out_dir / f"{session_id}_deny_reason.txt"
+            reason_text = result.get("violated_policy") or result.get("reason", "")
+            deny_path.write_text(reason_text, encoding="utf-8")
+            print(f"Deny reason written to {deny_path}")
+
+    return 0 if result["decision"] == "Allow" else 1
+
+
+def cmd_server(args):
+    """Start the HTTP API server (supports http and socket modes)."""
+    if args.config:
+        os.environ["AGENT_MOSS_CONFIG_PATH"] = args.config
+
+    from agent_moss.server.app import run_server
+
+    run_server(
+        host=args.host,
+        port=args.port,
+        mode=args.mode,
+        socket_path=args.socket,
+    )
+    return 0
+
+
+def main():
+    parser = argparse.ArgumentParser(description="AgentMoss security analysis engine")
+    subparsers = parser.add_subparsers(dest="command", help="Available commands")
+
+    init_parser = subparsers.add_parser("init", help="Generate input.json template")
+    init_parser.add_argument("--output", "-o", help="Output file path", default="input.json")
+
+    analyze_parser = subparsers.add_parser("analyze", help="Run security analysis on input JSON")
+    analyze_parser.add_argument("input", help="Input JSON file path")
+    analyze_parser.add_argument("--output-dir", "-o", help="Output directory for policy/deny files")
+    analyze_parser.add_argument("--no-file", action="store_true", help="Only print to stdout, don't write files")
+
+    server_parser = subparsers.add_parser("server", help="Start HTTP API server")
+    server_parser.add_argument("--host", default="127.0.0.1", help="Listen host (TCP mode)")
+    server_parser.add_argument("--port", type=int, default=9090, help="Listen port (TCP mode)")
+    server_parser.add_argument("--config", "-c", help="Path to config YAML file")
+    server_parser.add_argument(
+        "--mode", choices=["http", "socket"], default="http",
+        help="Server mode: http (TCP) or socket (Unix Domain Socket)",
+    )
+    server_parser.add_argument(
+        "--socket", "-s",
+        default="/var/run/agent_moss/agent_moss.sock",
+        help="Unix socket path (socket mode)",
+    )
+
+    args = parser.parse_args()
+
+    if args.command == "init":
+        cmd_init(args)
+    elif args.command == "analyze":
+        sys.exit(cmd_analyze(args))
+    elif args.command == "server":
+        sys.exit(cmd_server(args))
+    else:
+        parser.print_help()
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()

agent_moss/engine/__init__.py

@@ -0,0 +1,18 @@
+from .coordinator import AgentMossBot, judge_security
+from .heuristic import HeuristicDetector
+from .logic_rules import LogicRulesChecker
+from .llm_analyzer import LLMAnalyzer
+from .skill_engine import SkillEngine
+from .types import HeuristicResult, LogicRuleResult, SecurityJudgment, SkillMatch
+
+__all__ = [
+    "AgentMossBot",
+    "HeuristicDetector",
+    "LogicRulesChecker",
+    "LLMAnalyzer",
+    "SkillEngine",
+    "SecurityJudgment",
+    "HeuristicResult",
+    "LogicRuleResult",
+    "SkillMatch",
+]

agent_moss/engine/analyzer.py

@@ -0,0 +1,288 @@
+"""主入口函数 — 串联 Step 1-2 的完整 AgentMoss 安全分析流程
+
+Step 1: AgentMoss Security Agent 安全判断（三层防御）
+  ├── 1.1 启发式静态检测（关键命令 + 注入检测 + 用户敏感规则）
+  ├── 1.2 逻辑规则检测（read_before_write + 意图一致性 + 敏感路径 + 危险模式）
+  └── 1.3 LLM + Skill 深度分析
+  → 如果 Deny → 直接返回 Deny + 原因（结束）
+
+Step 2: Allow → 查缓存 / 生成 policy
+  ├── 缓存命中 → 使用缓存 policy
+  └── 缓存未命中 → LLM 生成 policy + 写入缓存
+  → 返回 Allow + policy
+"""
+
+import tempfile
+import time
+from pathlib import Path
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from ..profiles.base import OSProfile
+
+from ..infra.config import Config, get_default_config, is_policy_gen_enabled
+from ..infra.llm_client import call_llm
+from ..infra.parsers import parse_policy_from_llm
+from ..infra.policy_cache import PolicyCache, get_default_cache
+from ..infra.prompt_templates import get_prompt1
+from ..infra.logging import MossLogger
+from ..profiles import get_profile
+from .coordinator import judge_security
+
+# Policy 临时文件输出目录
+POLICY_OUTPUT_DIR = Path(tempfile.gettempdir()) / "agent_moss"
+
+# 白名单只读工具的默认最小权限 Policy
+DEFAULT_READONLY_POLICY = """landlock_optional = false
+mount_isolation_fallback = false
+
+[path_groups]
+system_binaries = true
+system_libraries = true
+temp_directories = true
+device_files = false
+proc_filesystem = false
+network_config = false
+wsl_paths = false
+
+[namespaces]
+mount = true
+pid = false
+network = true
+user = false
+
+[resources]
+timeout_secs = 30
+max_memory_bytes = 268435456
+
+[environment]
+whitelist = ["PATH", "LANG", "HOME", "USER", "HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy", "ALL_PROXY", "all_proxy", "NO_PROXY", "no_proxy"]
+"""
+
+
+def analyze(
+    session_id: str,
+    prompt_session: str,
+    action_history: list[dict[str, object]],
+    a_next: dict[str, str],
+    reason: str,
+    config: Config | None = None,
+    cache: PolicyCache | None = None,
+    profile: "OSProfile | None" = None,
+) -> dict[str, str]:
+    """
+    分析 agent 的下一步动作是否在安全范围内，并在允许时生成最小 policy。
+
+    Args:
+        session_id: 会话唯一标识
+        prompt_session: 用户输入的原始 prompt
+        action_history: 历史动作序列
+        a_next: 下一步动作，含 action_type 和 action_detail
+        reason: 执行该动作的理由
+        config: 配置项，为 None 时使用默认配置
+        cache: Policy 缓存实例，为 None 时使用默认缓存
+        profile: OS Profile（可选，默认自动检测）
+
+    Returns:
+        dict: {"decision": "Allow"|"Deny", "policy": "...", "reason": "...", ...}
+    """
+    cfg = config or get_default_config()
+    os_profile = profile or get_profile()
+    moss_log = MossLogger(session_id)
+    max_retries = cfg.retry.max_retries
+    retry_interval = cfg.retry.retry_interval
+
+    moss_log.log_input(prompt_session, action_history, a_next, reason)
+
+    try:
+        # ==================== Step 1: AgentMoss Security Agent 安全判断 ====================
+        moss_log.start_step("step1_security_judge")
+        judgment = judge_security(
+            prompt_session=prompt_session,
+            action_history=action_history,
+            a_next=a_next,
+            reason=reason,
+            config=cfg,
+            profile=os_profile,
+        )
+
+        if not judgment.allowed:
+            layers_str = ", ".join(judgment.violated_layers) if judgment.violated_layers else judgment.source
+            moss_log.end_step(
+                "step1_security_judge",
+                detail=f"allowed=False, risk_level={judgment.risk_level}, violated_layers=[{layers_str}]",
+            )
+            result = {
+                "decision": "Deny",
+                "policy": "",
+                "reason": judgment.reason,
+                "violated_policy": f"[{judgment.risk_type}] {judgment.reason}",
+                "violated_layers": judgment.violated_layers,
+                "risk_level": judgment.risk_level,
+                "risk_type": judgment.risk_type,
+                "confidence": judgment.confidence,
+            }
+            moss_log.log_result("Deny", result["reason"])
+            return result
+
+        moss_log.end_step(
+            "step1_security_judge",
+            detail=f"allowed=True, risk_level={judgment.risk_level}, source={judgment.source}",
+        )
+
+        # ==================== Step 2: Allow → 查缓存 / 生成 policy ====================
+        policy_cache = cache or get_default_cache()
+        enable_policy_gen = is_policy_gen_enabled()
+
+        moss_log.start_step("step2_cache_lookup")
+        cached_policy = policy_cache.get(session_id, prompt_session)
+
+        if cached_policy is not None:
+            moss_log.end_step("step2_cache_lookup", detail="缓存命中")
+            policy_a_next = cached_policy
+            _ = _save_policy_to_file(session_id, policy_a_next)
+        elif not enable_policy_gen:
+            moss_log.end_step("step2_cache_lookup", detail="缓存未命中，Policy 生成已禁用")
+            moss_log.start_step("step2_default_policy")
+            policy_a_next = DEFAULT_READONLY_POLICY
+            policy_cache.put(session_id, prompt_session, policy_a_next)
+            _ = _save_policy_to_file(session_id, policy_a_next)
+            moss_log.end_step("step2_default_policy", detail="使用默认最小权限 Policy")
+            result = {
+                "decision": "Allow",
+                "policy": policy_a_next,
+                "reason": judgment.reason,
+                "violated_policy": "",
+                "risk_level": judgment.risk_level,
+                "risk_type": judgment.risk_type,
+                "confidence": judgment.confidence,
+            }
+            moss_log.log_result("Allow", result["reason"], policy_a_next)
+            return result
+        else:
+            moss_log.end_step("step2_cache_lookup", detail="缓存未命中，启用 LLM 生成")
+
+            if judgment.source == "whitelist_bypass":
+                moss_log.start_step("step2_whitelist_policy")
+                policy_a_next = DEFAULT_READONLY_POLICY
+                policy_cache.put(session_id, prompt_session, policy_a_next)
+                _ = _save_policy_to_file(session_id, policy_a_next)
+                moss_log.end_step("step2_whitelist_policy", detail="白名单工具使用预定义最小权限 Policy")
+                result = {
+                    "decision": "Allow",
+                    "policy": policy_a_next,
+                    "reason": judgment.reason,
+                    "violated_policy": "",
+                    "risk_level": judgment.risk_level,
+                    "risk_type": judgment.risk_type,
+                    "confidence": judgment.confidence,
+                }
+                moss_log.log_result("Allow", result["reason"], policy_a_next)
+                return result
+
+            if cfg.timeout.step_interval > 0:
+                time.sleep(cfg.timeout.step_interval)
+
+            moss_log.start_step("step2_generate_policy")
+            prompt1_text = get_prompt1(prompt_session)
+            step2_error: Exception | None = None
+            policy_a_next = None
+
+            for attempt in range(1, max_retries + 1):
+                try:
+                    llm_response = call_llm(
+                        prompt=prompt1_text,
+                        timeout=cfg.timeout.prompt1_timeout,
+                        config=cfg.llm,
+                    )
+                    policy_a_next = parse_policy_from_llm(llm_response)
+                    moss_log.log_llm_interaction(
+                        "step2_generate_policy",
+                        prompt1_text[:200],
+                        llm_response[:200],
+                    )
+                    policy_cache.put(session_id, prompt_session, policy_a_next)
+                    _ = _save_policy_to_file(session_id, policy_a_next)
+                    moss_log.end_step("step2_generate_policy", detail="Policy 生成并缓存成功")
+                    step2_error = None
+                    break
+                except (TimeoutError, ValueError, Exception) as e:
+                    step2_error = e
+                    if attempt < max_retries:
+                        moss_log.log_error("step2_generate_policy", e)
+                        moss_log.start_step(f"step2_retry_{attempt}")
+                        time.sleep(retry_interval)
+                        moss_log.end_step(
+                            f"step2_retry_{attempt}",
+                            detail=f"第 {attempt} 次重试，等待 {retry_interval}s",
+                        )
+                    else:
+                        moss_log.log_error("step2_generate_policy", e)
+
+            if step2_error is not None or policy_a_next is None:
+                if isinstance(step2_error, TimeoutError):
+                    moss_log.end_step(
+                        "step2_generate_policy",
+                        detail=f"超时（已重试 {max_retries} 次）",
+                    )
+                    result = {
+                        "decision": "Deny",
+                        "policy": "",
+                        "reason": f"安全检测通过，但策略生成超时（已重试 {max_retries} 次），出于安全考虑拒绝执行",
+                        "violated_policy": "无法生成策略：LLM 调用超时",
+                    }
+                elif isinstance(step2_error, ValueError):
+                    moss_log.end_step(
+                        "step2_generate_policy",
+                        detail=f"解析失败（已重试 {max_retries} 次）: {step2_error}",
+                    )
+                    result = {
+                        "decision": "Deny",
+                        "policy": "",
+                        "reason": f"安全检测通过，但策略生成失败（已重试 {max_retries} 次）：{step2_error}",
+                        "violated_policy": "生成的策略格式无效",
+                    }
+                else:
+                    moss_log.end_step(
+                        "step2_generate_policy",
+                        detail=f"异常（已重试 {max_retries} 次）: {step2_error}",
+                    )
+                    result = {
+                        "decision": "Deny",
+                        "policy": "",
+                        "reason": f"安全检测通过，但策略生成服务异常（已重试 {max_retries} 次）：{step2_error}",
+                        "violated_policy": "无法生成策略：LLM 服务异常",
+                    }
+                moss_log.log_result("Deny", result["reason"])
+                return result
+
+        result = {
+            "decision": "Allow",
+            "policy": policy_a_next,
+            "reason": judgment.reason,
+            "violated_policy": "",
+            "risk_level": judgment.risk_level,
+            "risk_type": judgment.risk_type,
+            "confidence": judgment.confidence,
+        }
+        moss_log.log_result("Allow", result["reason"], policy_a_next)
+        return result
+
+    except Exception as e:
+        moss_log.log_error("unknown", e)
+        result = {
+            "decision": "Deny",
+            "policy": "",
+            "reason": f"分析过程发生未预期异常：{e}",
+            "violated_policy": "未知异常",
+        }
+        moss_log.log_result("Deny", result["reason"])
+        return result
+
+
+def _save_policy_to_file(session_id: str, policy_toml: str) -> Path:
+    POLICY_OUTPUT_DIR.mkdir(parents=True, exist_ok=True)
+    safe_name = session_id.replace("/", "_").replace("\\", "_")
+    filepath = POLICY_OUTPUT_DIR / f"{safe_name}.toml"
+    _ = filepath.write_text(policy_toml, encoding="utf-8")
+    return filepath