agentlock 1.2.0__tar.gz → 1.3.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {agentlock-1.2.0 → agentlock-1.3.0}/CHANGELOG.md +53 -0
- agentlock-1.3.0/COMMERCIAL.md +16 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/CONTRIBUTING.md +1 -1
- agentlock-1.3.0/LICENSE +661 -0
- agentlock-1.3.0/NOTICE +9 -0
- agentlock-1.3.0/PKG-INFO +798 -0
- agentlock-1.3.0/README.md +736 -0
- agentlock-1.3.0/SECURITY.md +139 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/__init__.py +37 -23
- agentlock-1.3.0/agentlock/chain.py +163 -0
- agentlock-1.3.0/agentlock/context.py +405 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/defer.py +139 -3
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/gate.py +382 -11
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/hardening.py +2 -2
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/modify.py +8 -2
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/policy.py +145 -0
- agentlock-1.3.0/agentlock/receipts.py +211 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/schema.py +50 -1
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/signals/combos.py +3 -2
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/signals/echo.py +0 -2
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/signals/prompt_scan.py +1 -2
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/signals/velocity.py +1 -2
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/stepup.py +1 -1
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/types.py +4 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/docs/benchmark.md +41 -4
- {agentlock-1.2.0 → agentlock-1.3.0}/docs/specification.md +94 -2
- {agentlock-1.2.0 → agentlock-1.3.0}/examples/fastapi_app.py +3 -2
- {agentlock-1.2.0 → agentlock-1.3.0}/examples/rate_limiting.py +1 -1
- {agentlock-1.2.0 → agentlock-1.3.0}/pyproject.toml +8 -3
- agentlock-1.3.0/schema/agentlock-v1.2.json +744 -0
- agentlock-1.3.0/schema/agentlock-v1.3.json +823 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_backward_compat.py +4 -4
- agentlock-1.3.0/tests/test_benchmark_gaps.py +543 -0
- agentlock-1.3.0/tests/test_benchmark_gaps_v2.py +212 -0
- agentlock-1.3.0/tests/test_chain.py +432 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_cli.py +2 -1
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_combos.py +0 -2
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_compound.py +0 -2
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_defer.py +2 -4
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_echo.py +0 -3
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_gate_v12.py +2 -5
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_hardening.py +21 -17
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_modify.py +0 -2
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_prompt_scan.py +27 -14
- agentlock-1.3.0/tests/test_receipts.py +404 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_stepup.py +5 -7
- agentlock-1.3.0/tests/test_v13_deferred_and_param_lineage.py +264 -0
- agentlock-1.3.0/tests/test_v13_session_write_gate.py +143 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_velocity.py +0 -2
- agentlock-1.2.0/LICENSE +0 -190
- agentlock-1.2.0/NOTICE +0 -14
- agentlock-1.2.0/PKG-INFO +0 -471
- agentlock-1.2.0/README.md +0 -412
- agentlock-1.2.0/SECURITY.md +0 -89
- agentlock-1.2.0/agentlock/context.py +0 -205
- {agentlock-1.2.0 → agentlock-1.3.0}/.github/workflows/ci.yml +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/.gitignore +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/audit.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/auth_providers/__init__.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/cli.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/decorators.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/exceptions.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/integrations/__init__.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/integrations/autogen.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/integrations/crewai.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/integrations/fastapi.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/integrations/flask.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/integrations/langchain.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/integrations/mcp.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/memory_gate.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/py.typed +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/rate_limit.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/redaction.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/session.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/signals/__init__.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/agentlock/token.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/docs/integrations.md +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/docs/quickstart.md +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/examples/data_redaction.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/examples/decorator_example.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/examples/multi_role.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/examples/quickstart.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/schema/agentlock-v1.0.json +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/__init__.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/conftest.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_audit.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_audit_v11.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_context.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_decorators.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_filter_pipeline.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_gate.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_gate_v11.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_memory_gate.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_pii_defense.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_policy.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_policy_v11.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_rate_limit.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_redaction.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_schema.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_schema_v11.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_session.py +0 -0
- {agentlock-1.2.0 → agentlock-1.3.0}/tests/test_token.py +0 -0
|
@@ -5,6 +5,59 @@ All notable changes to AgentLock will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [1.3.0] - 2026-07-06
|
|
9
|
+
|
|
10
|
+
### Changed
|
|
11
|
+
|
|
12
|
+
- **License** -- AgentLock is now licensed under the **GNU AGPL-3.0** (previously Apache 2.0), with commercial licenses available for closed-source use -- see `COMMERCIAL.md`. Versions 1.2.x and earlier remain under Apache 2.0.
|
|
13
|
+
|
|
14
|
+
### Added
|
|
15
|
+
|
|
16
|
+
- **Provenance-lineage gating (`LineagePolicyConfig`)** -- New per-tool policy block that gates tool calls based on the provenance lineage of their parameters. Two independent enforcement layers, both inert unless a `lineage_policy` is present and enabled: (1) a **session write-gate** that gates consequential calls -- `gate_financial`, `gate_external`, `gate_bulk`, `gate_account_modification`, `gate_consequential` -- whose session context carries untrusted lineage, and (2) **parameter lineage** (`param_lineage_enabled`) that matches individual parameter values back to untrusted-provenance tokens. Both are gate-owned reads: callers cannot supply the lineage verdict. Configurable `decision` (`step_up` | `defer` | `deny`) and `param_lineage_action` (`deny` | `step_up` | `log`). New helpers in `agentlock/context.py`: `extract_lineage_tokens()`, `ContextTracker.lineage_summary()`, `ContextTracker.parameter_lineage_check()`.
|
|
17
|
+
- **Deferred-commit queue** -- `DeferralManager` gains `queue_commit()`, `resolve_commit_queue()`, `get_commit_queue()`, and `clear_commit_queue()` to hold deferred tool calls pending out-of-band resolution.
|
|
18
|
+
- **Two new denial reasons** -- `DenialReason.UNTRUSTED_LINEAGE` and `DenialReason.PARAM_LINEAGE`.
|
|
19
|
+
- **Schema** -- `SCHEMA_VERSION` bumped to `1.3`; `AgentLockPermissions` gains an optional `lineage_policy` field. `LineagePolicyConfig` is exported from the package root.
|
|
20
|
+
- **Tests** -- 21 new tests (`test_v13_session_write_gate.py`, `test_v13_deferred_and_param_lineage.py`); suite total is now 868.
|
|
21
|
+
|
|
22
|
+
## [1.2.1] - 2026-04-06
|
|
23
|
+
|
|
24
|
+
### Added
|
|
25
|
+
|
|
26
|
+
- **Ed25519 signed receipts (AARM R5)** -- Every authorization decision can produce a cryptographically signed receipt verifiable offline. `ReceiptSigner` supports Ed25519 (via PyNaCl) with HMAC-SHA256 fallback for environments without asymmetric key infrastructure. `ReceiptVerifier` detects tampered receipts. Receipts include decision, tool name, user identity, parameters hash, and policy version hash. Optional dependency: `pip install agentlock[crypto]`.
|
|
27
|
+
- **Hash-chained tamper-evident context (AARM R2)** -- `ContextChain` creates an append-only hash chain of context entries. Each entry links to the previous entry's hash, forming a tamper-evident log. `verify_chain()` detects modification of any historical entry. `ContextProvenance` gains a `previous_hash` field. `ContextTracker.verify_context_chain()` validates chain integrity per session.
|
|
28
|
+
- **`first_call_any_risk` DEFER trigger** -- Defers the first tool call in a session regardless of risk level. Configured via `DeferPolicyConfig(first_call_any_risk=True)`. Unlike `first_call_high_risk`, this catches MEDIUM and LOW risk tools used as attack footholds.
|
|
29
|
+
- **`deny_on_block` whitelist escalation** -- When a `whitelist_path` transformation blocks a parameter (replacing it with `[BLOCKED: ...]`), the gate escalates from MODIFY to DENY. The tool does not execute. `ModifyResult` gains a `blocked_fields` list.
|
|
30
|
+
- **Sibling deferral** -- When one tool call is DEFERRED in a turn, subsequent tool calls in the same turn (within a 5-second window) are automatically deferred. Prevents attackers from falling through to lower-friction tools after a DEFER fires.
|
|
31
|
+
- **Prompt scan carry-forward** -- When a `prompt_scan` signal fires in a session, ALL subsequent tool calls are deferred regardless of whether the tool has its own `defer_policy`. Previously, tools without `defer_policy` (like `lookup_order`) bypassed scan-triggered deferral.
|
|
32
|
+
- **`enforce_all_at_critical` hardening** -- When `HardeningConfig(enforce_all_at_critical=True)`, the gate blocks ALL tool calls at critical hardening severity (risk score >= 10), regardless of tool risk level. Previously, `enforce_at_critical` only blocked HIGH/CRITICAL risk tools.
|
|
33
|
+
- **3 new `lookup_order` combo pairs** -- `(lookup_order, query_database)` weight 4, `(lookup_order, check_balance)` weight 3, `(lookup_order, search_contacts)` weight 3. Detects reconnaissance-to-data-access patterns.
|
|
34
|
+
- New modules: `agentlock/receipts.py`, `agentlock/chain.py`
|
|
35
|
+
- New exports: `SignedReceipt`, `ReceiptSigner`, `ReceiptVerifier`, `ChainedContextEntry`, `ContextChain`, `GENESIS_HASH`
|
|
36
|
+
- Optional dependency group: `agentlock[crypto]` for PyNaCl >= 1.5.0
|
|
37
|
+
- 102 new tests (847 total, 0 failures)
|
|
38
|
+
|
|
39
|
+
### Changed
|
|
40
|
+
|
|
41
|
+
- `AuthResult` gains `receipt: SignedReceipt | None` field
|
|
42
|
+
- `AuthorizationGate.__init__()` accepts optional `receipt_signer` parameter
|
|
43
|
+
- `DeferPolicyConfig` gains `first_call_any_risk: bool` field (default False)
|
|
44
|
+
- `DeferralManager` gains `check_first_call_any_risk()`, `check_sibling_deferral()`, `record_deferral()` methods
|
|
45
|
+
- `ModifyResult` gains `blocked_fields: list[str]` field
|
|
46
|
+
- `ContextProvenance` gains `previous_hash: str` field
|
|
47
|
+
- `ContextState` gains `context_chain: ContextChain` field
|
|
48
|
+
- `ContextTracker` gains `verify_context_chain()` method
|
|
49
|
+
- Package version updated to 1.2.1
|
|
50
|
+
|
|
51
|
+
### Backward Compatibility
|
|
52
|
+
|
|
53
|
+
- All 778 v1.2.0 tests pass without modification
|
|
54
|
+
- `receipt` field defaults to None when no signer is configured
|
|
55
|
+
- `first_call_any_risk` defaults to False
|
|
56
|
+
- `enforce_all_at_critical` defaults to False
|
|
57
|
+
- `blocked_fields` defaults to empty list
|
|
58
|
+
- `previous_hash` defaults to empty string
|
|
59
|
+
- Hash chain is populated transparently; existing `record_write()` callers require no changes
|
|
60
|
+
|
|
8
61
|
## [1.2.0] - 2026-03-30
|
|
9
62
|
|
|
10
63
|
### Added
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
# Commercial Licensing
|
|
2
|
+
|
|
3
|
+
AgentLock™ is a trademark of David Grice (USPTO serial no. 99921632).
|
|
4
|
+
|
|
5
|
+
AgentLock is dual-licensed:
|
|
6
|
+
|
|
7
|
+
- **AGPL-3.0** — free for open source use. If you use AgentLock in a
|
|
8
|
+
network service or distribute software built on it, the AGPL requires
|
|
9
|
+
you to make your source code available under the same license.
|
|
10
|
+
- **Commercial license** — for organizations that want to use AgentLock
|
|
11
|
+
in closed-source or proprietary products without AGPL obligations.
|
|
12
|
+
|
|
13
|
+
Commercial licenses are offered by David Grice.
|
|
14
|
+
Inquiries: licensing@agentlock.dev
|
|
15
|
+
|
|
16
|
+
Versions 1.2.x and earlier remain available under the Apache License 2.0.
|
|
@@ -95,7 +95,7 @@ pytest tests/test_gate.py -v
|
|
|
95
95
|
|
|
96
96
|
## License
|
|
97
97
|
|
|
98
|
-
By contributing, you agree that your contributions
|
|
98
|
+
By contributing, you agree that your contributions are licensed under the Apache License 2.0, allowing them to be incorporated into AgentLock under its dual-license model (AGPL-3.0 + commercial). See COMMERCIAL.md.
|
|
99
99
|
|
|
100
100
|
## Code of Conduct
|
|
101
101
|
|