agentlock 1.2.0__tar.gz → 1.3.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (102) hide show
  1. {agentlock-1.2.0 → agentlock-1.3.0}/CHANGELOG.md +53 -0
  2. agentlock-1.3.0/COMMERCIAL.md +16 -0
  3. {agentlock-1.2.0 → agentlock-1.3.0}/CONTRIBUTING.md +1 -1
  4. agentlock-1.3.0/LICENSE +661 -0
  5. agentlock-1.3.0/NOTICE +9 -0
  6. agentlock-1.3.0/PKG-INFO +798 -0
  7. agentlock-1.3.0/README.md +736 -0
  8. agentlock-1.3.0/SECURITY.md +139 -0
  9. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/__init__.py +37 -23
  10. agentlock-1.3.0/agentlock/chain.py +163 -0
  11. agentlock-1.3.0/agentlock/context.py +405 -0
  12. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/defer.py +139 -3
  13. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/gate.py +382 -11
  14. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/hardening.py +2 -2
  15. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/modify.py +8 -2
  16. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/policy.py +145 -0
  17. agentlock-1.3.0/agentlock/receipts.py +211 -0
  18. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/schema.py +50 -1
  19. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/signals/combos.py +3 -2
  20. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/signals/echo.py +0 -2
  21. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/signals/prompt_scan.py +1 -2
  22. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/signals/velocity.py +1 -2
  23. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/stepup.py +1 -1
  24. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/types.py +4 -0
  25. {agentlock-1.2.0 → agentlock-1.3.0}/docs/benchmark.md +41 -4
  26. {agentlock-1.2.0 → agentlock-1.3.0}/docs/specification.md +94 -2
  27. {agentlock-1.2.0 → agentlock-1.3.0}/examples/fastapi_app.py +3 -2
  28. {agentlock-1.2.0 → agentlock-1.3.0}/examples/rate_limiting.py +1 -1
  29. {agentlock-1.2.0 → agentlock-1.3.0}/pyproject.toml +8 -3
  30. agentlock-1.3.0/schema/agentlock-v1.2.json +744 -0
  31. agentlock-1.3.0/schema/agentlock-v1.3.json +823 -0
  32. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_backward_compat.py +4 -4
  33. agentlock-1.3.0/tests/test_benchmark_gaps.py +543 -0
  34. agentlock-1.3.0/tests/test_benchmark_gaps_v2.py +212 -0
  35. agentlock-1.3.0/tests/test_chain.py +432 -0
  36. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_cli.py +2 -1
  37. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_combos.py +0 -2
  38. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_compound.py +0 -2
  39. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_defer.py +2 -4
  40. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_echo.py +0 -3
  41. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_gate_v12.py +2 -5
  42. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_hardening.py +21 -17
  43. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_modify.py +0 -2
  44. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_prompt_scan.py +27 -14
  45. agentlock-1.3.0/tests/test_receipts.py +404 -0
  46. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_stepup.py +5 -7
  47. agentlock-1.3.0/tests/test_v13_deferred_and_param_lineage.py +264 -0
  48. agentlock-1.3.0/tests/test_v13_session_write_gate.py +143 -0
  49. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_velocity.py +0 -2
  50. agentlock-1.2.0/LICENSE +0 -190
  51. agentlock-1.2.0/NOTICE +0 -14
  52. agentlock-1.2.0/PKG-INFO +0 -471
  53. agentlock-1.2.0/README.md +0 -412
  54. agentlock-1.2.0/SECURITY.md +0 -89
  55. agentlock-1.2.0/agentlock/context.py +0 -205
  56. {agentlock-1.2.0 → agentlock-1.3.0}/.github/workflows/ci.yml +0 -0
  57. {agentlock-1.2.0 → agentlock-1.3.0}/.gitignore +0 -0
  58. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/audit.py +0 -0
  59. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/auth_providers/__init__.py +0 -0
  60. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/cli.py +0 -0
  61. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/decorators.py +0 -0
  62. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/exceptions.py +0 -0
  63. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/integrations/__init__.py +0 -0
  64. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/integrations/autogen.py +0 -0
  65. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/integrations/crewai.py +0 -0
  66. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/integrations/fastapi.py +0 -0
  67. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/integrations/flask.py +0 -0
  68. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/integrations/langchain.py +0 -0
  69. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/integrations/mcp.py +0 -0
  70. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/memory_gate.py +0 -0
  71. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/py.typed +0 -0
  72. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/rate_limit.py +0 -0
  73. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/redaction.py +0 -0
  74. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/session.py +0 -0
  75. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/signals/__init__.py +0 -0
  76. {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/token.py +0 -0
  77. {agentlock-1.2.0 → agentlock-1.3.0}/docs/integrations.md +0 -0
  78. {agentlock-1.2.0 → agentlock-1.3.0}/docs/quickstart.md +0 -0
  79. {agentlock-1.2.0 → agentlock-1.3.0}/examples/data_redaction.py +0 -0
  80. {agentlock-1.2.0 → agentlock-1.3.0}/examples/decorator_example.py +0 -0
  81. {agentlock-1.2.0 → agentlock-1.3.0}/examples/multi_role.py +0 -0
  82. {agentlock-1.2.0 → agentlock-1.3.0}/examples/quickstart.py +0 -0
  83. {agentlock-1.2.0 → agentlock-1.3.0}/schema/agentlock-v1.0.json +0 -0
  84. {agentlock-1.2.0 → agentlock-1.3.0}/tests/__init__.py +0 -0
  85. {agentlock-1.2.0 → agentlock-1.3.0}/tests/conftest.py +0 -0
  86. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_audit.py +0 -0
  87. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_audit_v11.py +0 -0
  88. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_context.py +0 -0
  89. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_decorators.py +0 -0
  90. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_filter_pipeline.py +0 -0
  91. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_gate.py +0 -0
  92. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_gate_v11.py +0 -0
  93. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_memory_gate.py +0 -0
  94. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_pii_defense.py +0 -0
  95. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_policy.py +0 -0
  96. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_policy_v11.py +0 -0
  97. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_rate_limit.py +0 -0
  98. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_redaction.py +0 -0
  99. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_schema.py +0 -0
  100. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_schema_v11.py +0 -0
  101. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_session.py +0 -0
  102. {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_token.py +0 -0
@@ -5,6 +5,59 @@ All notable changes to AgentLock will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [1.3.0] - 2026-07-06
9
+
10
+ ### Changed
11
+
12
+ - **License** -- AgentLock is now licensed under the **GNU AGPL-3.0** (previously Apache 2.0), with commercial licenses available for closed-source use -- see `COMMERCIAL.md`. Versions 1.2.x and earlier remain under Apache 2.0.
13
+
14
+ ### Added
15
+
16
+ - **Provenance-lineage gating (`LineagePolicyConfig`)** -- New per-tool policy block that gates tool calls based on the provenance lineage of their parameters. Two independent enforcement layers, both inert unless a `lineage_policy` is present and enabled: (1) a **session write-gate** that gates consequential calls -- `gate_financial`, `gate_external`, `gate_bulk`, `gate_account_modification`, `gate_consequential` -- whose session context carries untrusted lineage, and (2) **parameter lineage** (`param_lineage_enabled`) that matches individual parameter values back to untrusted-provenance tokens. Both are gate-owned reads: callers cannot supply the lineage verdict. Configurable `decision` (`step_up` | `defer` | `deny`) and `param_lineage_action` (`deny` | `step_up` | `log`). New helpers in `agentlock/context.py`: `extract_lineage_tokens()`, `ContextTracker.lineage_summary()`, `ContextTracker.parameter_lineage_check()`.
17
+ - **Deferred-commit queue** -- `DeferralManager` gains `queue_commit()`, `resolve_commit_queue()`, `get_commit_queue()`, and `clear_commit_queue()` to hold deferred tool calls pending out-of-band resolution.
18
+ - **Two new denial reasons** -- `DenialReason.UNTRUSTED_LINEAGE` and `DenialReason.PARAM_LINEAGE`.
19
+ - **Schema** -- `SCHEMA_VERSION` bumped to `1.3`; `AgentLockPermissions` gains an optional `lineage_policy` field. `LineagePolicyConfig` is exported from the package root.
20
+ - **Tests** -- 21 new tests (`test_v13_session_write_gate.py`, `test_v13_deferred_and_param_lineage.py`); suite total is now 868.
21
+
22
+ ## [1.2.1] - 2026-04-06
23
+
24
+ ### Added
25
+
26
+ - **Ed25519 signed receipts (AARM R5)** -- Every authorization decision can produce a cryptographically signed receipt verifiable offline. `ReceiptSigner` supports Ed25519 (via PyNaCl) with HMAC-SHA256 fallback for environments without asymmetric key infrastructure. `ReceiptVerifier` detects tampered receipts. Receipts include decision, tool name, user identity, parameters hash, and policy version hash. Optional dependency: `pip install agentlock[crypto]`.
27
+ - **Hash-chained tamper-evident context (AARM R2)** -- `ContextChain` creates an append-only hash chain of context entries. Each entry links to the previous entry's hash, forming a tamper-evident log. `verify_chain()` detects modification of any historical entry. `ContextProvenance` gains a `previous_hash` field. `ContextTracker.verify_context_chain()` validates chain integrity per session.
28
+ - **`first_call_any_risk` DEFER trigger** -- Defers the first tool call in a session regardless of risk level. Configured via `DeferPolicyConfig(first_call_any_risk=True)`. Unlike `first_call_high_risk`, this catches MEDIUM and LOW risk tools used as attack footholds.
29
+ - **`deny_on_block` whitelist escalation** -- When a `whitelist_path` transformation blocks a parameter (replacing it with `[BLOCKED: ...]`), the gate escalates from MODIFY to DENY. The tool does not execute. `ModifyResult` gains a `blocked_fields` list.
30
+ - **Sibling deferral** -- When one tool call is DEFERRED in a turn, subsequent tool calls in the same turn (within a 5-second window) are automatically deferred. Prevents attackers from falling through to lower-friction tools after a DEFER fires.
31
+ - **Prompt scan carry-forward** -- When a `prompt_scan` signal fires in a session, ALL subsequent tool calls are deferred regardless of whether the tool has its own `defer_policy`. Previously, tools without `defer_policy` (like `lookup_order`) bypassed scan-triggered deferral.
32
+ - **`enforce_all_at_critical` hardening** -- When `HardeningConfig(enforce_all_at_critical=True)`, the gate blocks ALL tool calls at critical hardening severity (risk score >= 10), regardless of tool risk level. Previously, `enforce_at_critical` only blocked HIGH/CRITICAL risk tools.
33
+ - **3 new `lookup_order` combo pairs** -- `(lookup_order, query_database)` weight 4, `(lookup_order, check_balance)` weight 3, `(lookup_order, search_contacts)` weight 3. Detects reconnaissance-to-data-access patterns.
34
+ - New modules: `agentlock/receipts.py`, `agentlock/chain.py`
35
+ - New exports: `SignedReceipt`, `ReceiptSigner`, `ReceiptVerifier`, `ChainedContextEntry`, `ContextChain`, `GENESIS_HASH`
36
+ - Optional dependency group: `agentlock[crypto]` for PyNaCl >= 1.5.0
37
+ - 102 new tests (847 total, 0 failures)
38
+
39
+ ### Changed
40
+
41
+ - `AuthResult` gains `receipt: SignedReceipt | None` field
42
+ - `AuthorizationGate.__init__()` accepts optional `receipt_signer` parameter
43
+ - `DeferPolicyConfig` gains `first_call_any_risk: bool` field (default False)
44
+ - `DeferralManager` gains `check_first_call_any_risk()`, `check_sibling_deferral()`, `record_deferral()` methods
45
+ - `ModifyResult` gains `blocked_fields: list[str]` field
46
+ - `ContextProvenance` gains `previous_hash: str` field
47
+ - `ContextState` gains `context_chain: ContextChain` field
48
+ - `ContextTracker` gains `verify_context_chain()` method
49
+ - Package version updated to 1.2.1
50
+
51
+ ### Backward Compatibility
52
+
53
+ - All 778 v1.2.0 tests pass without modification
54
+ - `receipt` field defaults to None when no signer is configured
55
+ - `first_call_any_risk` defaults to False
56
+ - `enforce_all_at_critical` defaults to False
57
+ - `blocked_fields` defaults to empty list
58
+ - `previous_hash` defaults to empty string
59
+ - Hash chain is populated transparently; existing `record_write()` callers require no changes
60
+
8
61
  ## [1.2.0] - 2026-03-30
9
62
 
10
63
  ### Added
@@ -0,0 +1,16 @@
1
+ # Commercial Licensing
2
+
3
+ AgentLock™ is a trademark of David Grice (USPTO serial no. 99921632).
4
+
5
+ AgentLock is dual-licensed:
6
+
7
+ - **AGPL-3.0** — free for open source use. If you use AgentLock in a
8
+ network service or distribute software built on it, the AGPL requires
9
+ you to make your source code available under the same license.
10
+ - **Commercial license** — for organizations that want to use AgentLock
11
+ in closed-source or proprietary products without AGPL obligations.
12
+
13
+ Commercial licenses are offered by David Grice.
14
+ Inquiries: licensing@agentlock.dev
15
+
16
+ Versions 1.2.x and earlier remain available under the Apache License 2.0.
@@ -95,7 +95,7 @@ pytest tests/test_gate.py -v
95
95
 
96
96
  ## License
97
97
 
98
- By contributing, you agree that your contributions will be licensed under the Apache License 2.0.
98
+ By contributing, you agree that your contributions are licensed under the Apache License 2.0, allowing them to be incorporated into AgentLock under its dual-license model (AGPL-3.0 + commercial). See COMMERCIAL.md.
99
99
 
100
100
  ## Code of Conduct
101
101