PyPI - agentwall-security - Versions diffs - 0.1.0__tar.gz - Mend

agentwall-security 0.1.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (118) hide show

agentwall_security-0.1.0/.gitignore ADDED Viewed

@@ -0,0 +1,83 @@
+# Python
+__pycache__/
+*.pyc
+*.pyo
+*.pyd
+*.pyc
+# Test caches
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+# Coverage
+.coverage
+.coverage.*
+htmlcov/
+coverage.xml
+# Virtual environments
+.venv/
+venv/
+env/
+ENV/
+.env/
+# Build artifacts
+build/
+dist/
+*.egg-info/
+*.egg
+MANIFEST
+# Distribution / packaging
+pip-wheel-metadata/
+.installed.cfg
+# Environment / secrets
+.env
+.env.*
+*.env
+.envrc
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+# OS
+.DS_Store
+.DS_Store?
+._*
+Thumbs.db
+desktop.ini
+# Node / React (frontend build only — committed assets live in ui/dist/)
+agentwall/inspector/ui/node_modules/
+agentwall/inspector/ui/.vite/
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+.npm
+.yarn-integrity
+# Local databases
+*.db
+*.sqlite
+*.sqlite3
+# Logs
+*.log
+logs/
+# Temporary / scratch
+*.tmp
+*.bak
+*.old
+*.orig
+*.backup
+# Internal planning docs
+docs/superpowers/

agentwall_security-0.1.0/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,119 @@
+# Changelog
+All notable changes to AgentWall are documented here.
+Format: [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
+Versioning: [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
+---
+## [0.1.0] — 2026-06-24
+Initial release.
+### Added
+**Core runtime security**
+- `SecurityEngine` with 5-stage evaluation pipeline: detectors → rules → policy → threshold → LLM
+- `SensitiveResourceDetector`: credential file pattern matching
+- `ScopeExpansionDetector`: cross-session resource drift detection
+- `DataExfiltrationDetector`: external upload pattern detection
+- Rule engine with per-tool-type risk scoring and resource category bonuses
+- Policy engine: user-defined allow/warn/block rules with JSON conditions
+- `ProviderChain`: multi-provider LLM evaluation with fallback
+- `build_default_engine(db)`: auto-constructs engine from DB config (thresholds + provider chain)
+**Providers**
+- OpenAI (gpt-4o, gpt-4o-mini, gpt-4-turbo, gpt-3.5-turbo)
+- Anthropic (claude-opus-4-8, claude-sonnet-4-6, claude-haiku-4-5)
+- Groq (llama-3.3-70b-versatile, llama-3.1-8b-instant, gemma2-9b-it)
+- DeepSeek (deepseek-chat, deepseek-reasoner)
+- Ollama (local inference, no API key)
+**Framework integrations**
+- OpenAI Agents SDK: `protect_openai_agent()` with `InputGuardrail` goal inference
+- LangChain: `protect_langchain_agent()` with `executor.invoke()` goal inference; async tool interception via `coroutine` patching
+- CrewAI: `protect_crewai_crew()` with `crew.kickoff()` goal inference
+**Interceptors**
+- `ProtectedAgent`: session lifecycle management, tool wrapping, goal tracking
+- `ToolInterceptor`: pre-execution evaluation, DB recording, post-execution analysis
+- `protect_agent()`: top-level SDK entry point, optional goal
+- `protect_tool()`: standalone tool wrapping
+**Post-execution analysis**
+- `ResultAnalyzer` in `agentwall/security/result_analyzer.py`
+- Analyzes tool output after execution: filesystem (credential content), database (bulk rows, sensitive columns), API (confirmed transfers), email (dispatch events), terminal (credential output)
+- Classifications: `NORMAL`, `SENSITIVE_DATA_EXPOSURE`, `BULK_DATA_ACCESS`, `EXTERNAL_TRANSFER`, `EMAIL_DISPATCH`
+- Persists `post_execution_risk`, `result_classification`, `result_detector_hits`, `result_metadata` to evaluation row
+- Storage rules enforced: no content stored — hashes, counts, type info only
+- Pre-execution decision remains authoritative; post-execution NEVER retroactively blocks
+**Dynamic goal tracking**
+- `GoalTracker` in `agentwall/security/goal_tracker.py`
+- Session goal segments: create, transition, close
+- Transition detection via token-overlap heuristic (threshold 0.4)
+- `ProtectedAgent.maybe_infer_goal()` replaces one-shot inference guard — enables multi-invoke transitions
+- Framework inference patches updated to use `maybe_infer_goal()` on every invoke/kickoff
+- Segments persist: goal text, started_at, ended_at, transition_reason
+- SecurityEngine always evaluates against current active goal (via shared `_goal_ref`)
+**Goal inference**
+- Optional `goal` parameter in all `protect_*` functions
+- Automatic inference from framework execution entry points
+- Mutable `_goal_ref` shared across all wrapped tool closures
+**Storage**
+- SQLite at `~/.agentwall/data.db`
+- Tables: `sessions`, `tool_events`, `evaluations`, `policies`, `provider_settings`, `goal_segments`
+- WAL mode, foreign keys enabled
+**Inspector**
+- FastAPI backend with 9 router groups (added goals router)
+- Built React UI (5 pages: Overview, Sessions, Timeline, Providers, Policies)
+- PyWebView desktop window (`agentwall inspect`)
+- Browser fallback (`agentwall inspect --browser`)
+- Event-driven WebSocket push (in-process pub/sub via `EventBus`; replaces 1.5s SQLite poll)
+- 30s keepalive ping on idle WS connections
+- `GET /api/sessions/{id}/goals` — goal segment timeline
+- `PATCH /api/policies/{name}/priority` — update policy priority
+- `EvaluationSchema` extended with post-execution fields
+**Policy engine**
+- `priority` field on policies: higher priority evaluated first, creation-order tiebreak
+- `PolicyEngine.set_priority(name, priority)` — runtime priority updates
+- `PolicyEngine.create(name, config, priority=0)` — priority at creation time
+**GoalTracker hardening**
+- Thread-safe `set_goal()` and `maybe_infer()` via `threading.RLock`
+- Two-signal transition heuristic: full token overlap AND resource token overlap (strips action verbs and stop words) — prevents pure verb changes ("Build X" → "Write X") from triggering new segments while catching true goal shifts ("Build login API" → "Create billing service")
+**LLM response parsing**
+- `parse_llm_response` handles nested JSON (`{"decision": {"type": "block", "risk": 90}}`)
+- Strips markdown fences (` ```json ` blocks) before parsing
+- Balanced-brace extraction handles arbitrarily nested JSON objects
+- Fallback chain: stripped text → original text → BLOCK decision
+**CLI**
+- `agentwall version`
+- `agentwall doctor`
+- `agentwall config` (interactive wizard + flag mode)
+- `agentwall inspect`
+**Security**
+- API keys in OS keyring only (Windows Credential Manager / macOS Keychain / Linux Secret Service)
+- No secrets in SQLite, JSON, YAML, logs, or source
+**EvalContext history**
+- LLM evaluation receives recent tool history (up to 5 prior events) for contextual analysis
+---
+## Unreleased
+### Known gaps for v0.2.0
+- Async LangChain tool `ainvoke` full coverage (coroutine patching works; ainvoke path tested)
+- Per-account DB path via environment variable
+- Graceful inspector shutdown
+- Test coverage reporting
+- LLM-assisted goal transition disambiguation (current heuristic: token overlap only)

agentwall_security-0.1.0/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 AgentWall
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

agentwall_security-0.1.0/PKG-INFO ADDED Viewed

@@ -0,0 +1,337 @@
+Metadata-Version: 2.4
+Name: agentwall-security
+Version: 0.1.0
+Summary: AI Agent Runtime Security Platform — runtime security and behavioral monitoring for agentic AI systems
+Project-URL: Homepage, https://github.com/RwitabrataPan/AgentWall
+Project-URL: Repository, https://github.com/RwitabrataPan/AgentWall
+Project-URL: Issues, https://github.com/RwitabrataPan/AgentWall/issues
+Project-URL: Changelog, https://github.com/RwitabrataPan/AgentWall/blob/main/CHANGELOG.md
+Author: Rwitabrata Pan
+License: MIT License
+        Copyright (c) 2026 AgentWall
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        The above copyright notice and this permission notice shall be included in all
+        copies or substantial portions of the Software.
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+License-File: LICENSE
+Keywords: agents,ai,guardrails,llm,monitoring,runtime,security
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Scientific/Engineering :: Artificial Intelligence
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Python: >=3.12
+Requires-Dist: anthropic>=0.25
+Requires-Dist: fastapi>=0.110
+Requires-Dist: httpx>=0.27
+Requires-Dist: keyring>=24.0
+Requires-Dist: openai>=1.30
+Requires-Dist: pydantic>=2.0
+Requires-Dist: pywebview>=5.0
+Requires-Dist: sqlalchemy>=2.0
+Requires-Dist: typer>=0.12
+Requires-Dist: uvicorn[standard]>=0.27
+Provides-Extra: crewai
+Requires-Dist: crewai>=0.80; extra == 'crewai'
+Provides-Extra: dev
+Requires-Dist: httpx>=0.27; extra == 'dev'
+Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Provides-Extra: integrations
+Requires-Dist: crewai>=0.80; extra == 'integrations'
+Requires-Dist: langchain-openai>=0.2; extra == 'integrations'
+Requires-Dist: langchain>=0.3; extra == 'integrations'
+Requires-Dist: openai-agents>=0.17; extra == 'integrations'
+Provides-Extra: langchain
+Requires-Dist: langchain-openai>=0.2; extra == 'langchain'
+Requires-Dist: langchain>=0.3; extra == 'langchain'
+Provides-Extra: openai-agents
+Requires-Dist: openai-agents>=0.17; extra == 'openai-agents'
+Description-Content-Type: text/markdown
+# AgentWall
+**Behavior-based runtime security for AI agents.**
+AgentWall is an SDK-first runtime security platform that sits between AI agents and tools, monitoring actions in real time to detect and prevent unsafe behavior.
+Unlike prompt scanners and jailbreak detectors, AgentWall focuses on **what agents actually do**, not what users say.
+---
+## Why AgentWall?
+Modern AI agents can:
+* Read files
+* Execute tools
+* Access APIs
+* Send emails
+* Interact with external systems
+A successful prompt injection often matters only because it changes agent behavior.
+AgentWall detects:
+* Goal Hijacking
+* Tool Misuse
+* Scope Expansion
+* Sensitive Resource Access
+* Data Exfiltration
+* Unauthorized Actions
+* Behavioral Drift
+---
+## How It Works
+```text
+User Goal
+    ↓
+AI Agent
+    ↓
+AgentWall Runtime
+    ↓
+Tool Execution
+```
+Before a tool executes, AgentWall evaluates:
+* Current goal
+* Tool being used
+* Resource being accessed
+* Recent tool history
+* Active policies
+* Risk score
+AgentWall may:
+* ALLOW
+* WARN
+* BLOCK
+depending on risk and alignment.
+---
+## Key Features
+### Runtime Security
+Behavior-based protection for AI agents.
+### Goal Tracking
+Automatically infers and tracks goals throughout a session.
+### Policy Engine
+Create custom allow/warn/block rules.
+### Post-Execution Analysis
+Classifies tool outcomes and records security-relevant findings without storing sensitive outputs.
+### Inspector
+Native desktop security console powered by PyWebView.
+Launch with:
+```bash
+agentwall inspect
+```
+### Provider Agnostic
+Supports:
+* OpenAI
+* Anthropic
+* Groq
+* DeepSeek
+* Ollama
+### Framework Integrations
+Supports:
+* OpenAI Agents SDK
+* LangChain
+* CrewAI
+---
+## Installation
+```bash
+pip install agentwall
+```
+---
+## Quick Start
+### OpenAI Agents SDK
+```python
+from agentwall import protect_agent
+agent = protect_agent(agent)
+result = await Runner.run(
+    agent,
+    "Build a FastAPI CRUD API"
+)
+```
+### LangChain
+```python
+from agentwall.integrations import protect_langchain_agent
+executor = protect_langchain_agent(executor)
+```
+### CrewAI
+```python
+from agentwall.integrations import protect_crewai_crew
+crew = protect_crewai_crew(crew)
+```
+---
+## Inspector
+Launch the desktop Inspector:
+```bash
+agentwall inspect
+```
+Features:
+* Session Timeline
+* Security Decisions
+* Risk Scores
+* Goal Segments
+* Detector Results
+* Policy Management
+* Provider Configuration
+* Export (JSON/CSV)
+---
+## CLI
+```bash
+agentwall version
+agentwall doctor
+agentwall config
+agentwall inspect
+```
+---
+## Security Model
+AgentWall focuses on:
+* Runtime behavior
+* Tool usage
+* Resource access
+* Goal alignment
+AgentWall does **not** primarily operate as:
+* Prompt firewall
+* Jailbreak detector
+* Content moderation system
+Instead it evaluates the consequences of agent actions.
+---
+## Supported Storage
+Local-only architecture.
+Uses:
+* SQLite
+* OS Keyring
+* Local FastAPI backend
+* Local Inspector UI
+No cloud dependency required.
+---
+## Architecture
+```text
+Goal Tracking
+        ↓
+Security Engine
+        ↓
+Policy Evaluation
+        ↓
+Risk Assessment
+        ↓
+Optional LLM Evaluation
+        ↓
+Decision
+        ↓
+Tool Execution
+        ↓
+Post-Execution Analysis
+```
+---
+## Documentation
+* Installation Guide
+* Architecture Guide
+* API Reference
+* Security Guide
+* Testing Guide
+See the repository documentation for details.
+---
+## License
+MIT License.
+---
+## Status
+**v0.1.0**
+Production-ready initial release.
+Open-source and self-hosted.