aion-core 0.8.0__tar.gz

aion_core-0.8.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 AION Protocol
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

aion_core-0.8.0/MANIFEST.in

@@ -0,0 +1,5 @@
+include README.md
+include LICENSE
+include SECURITY.md
+recursive-include docs *.md
+recursive-include examples *.json *.py

aion_core-0.8.0/PKG-INFO

@@ -0,0 +1,220 @@
+Metadata-Version: 2.4
+Name: aion-core
+Version: 0.8.0
+Summary: AION Core runtime security layer for AI agent tool-call control, receipts, scanning, and approvals.
+Author: Sourabh Ranjan Sahoo
+License-Expression: MIT
+Project-URL: Homepage, https://sourabh1845.github.io/aion-core/
+Project-URL: Repository, https://github.com/Sourabh1845/aion-core
+Project-URL: Issues, https://github.com/Sourabh1845/aion-core/issues
+Project-URL: Documentation, https://github.com/Sourabh1845/aion-core/tree/main/docs
+Keywords: ai-agents,mcp,firewall,security,policy
+Classifier: Development Status :: 3 - Alpha
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Dynamic: license-file
+
+# AION Core
+
+Runtime action control, receipt, and firewall layer for AI agents.
+
+AION Core contains the open-source infrastructure pieces behind AION: Guard, Receipts, Scan, Team Policy, and the MCP Firewall.
+
+```text
+AI Agent -> AION Guard / MCP Firewall -> Tool/API/System
+                                  |
+                                  +-> verified JSONL receipt log
+```
+
+## One-Command Demo
+
+From the repo root:
+
+```powershell
+$env:PYTHONPATH='src'
+python -m aion_core.demo
+```
+
+After local install or PyPI install:
+
+```powershell
+python -m pip install aion-core
+aion-demo
+```
+
+For editable development installs:
+
+```powershell
+python -m pip install -e .
+```
+
+Expected result:
+
+```text
+[PASS] scan detected unprotected MCP server
+[PASS] guard blocked generic shell action
+[PASS] guard allowed generic safe read
+[PASS] team policy required approval
+[PASS] blocked destructive shell command
+[PASS] blocked secret exfiltration
+[PASS] allowed safe read
+Receipts written to: aion-demo-output/receipts.jsonl
+Approvals written to: aion-demo-output/approvals.jsonl
+Receipt verification: PASS (6 receipt(s), hash-verified)
+```
+
+This proves the infrastructure wedge:
+
+- generic Guard actions can be allowed or blocked
+- dangerous shell action is blocked before reaching the tool
+- secret exfiltration attempt is blocked before reaching the tool
+- safe file-read style action is allowed
+- approval-required team actions create approval records
+- every decision gets a receipt
+
+## Run Guard
+
+Check a generic action:
+
+```powershell
+$env:PYTHONPATH='src'
+python -m aion_core.guard_cli check --policy examples\policies\stage6-default.json --receipt-log receipts\guard.jsonl --action-type shell.command --tool shell --arguments-file examples\actions\destructive_shell_args.json --agent-id demo --owner local
+```
+
+## Run The Firewall
+
+Run AION in front of any stdio MCP server:
+
+```powershell
+aion-mcp-firewall --policy examples/policies/stage6-default.json --receipt-log receipts/aion.jsonl -- python path/to/mcp_server.py
+```
+
+For local development without installing:
+
+```powershell
+$env:PYTHONPATH='src'
+python -m aion_core.cli --policy examples/policies/stage6-default.json --receipt-log receipts/aion.jsonl -- python path/to/mcp_server.py
+```
+
+## Manual Attack Demo
+
+Blocked dangerous command:
+
+```powershell
+$env:PYTHONPATH='src'
+Get-Content examples/attacks/destructive_shell.json | python -m aion_core.cli --policy examples/policies/stage6-default.json --receipt-log receipts/demo.jsonl -- python examples/demo_mcp_server.py
+```
+
+Allowed safe call:
+
+```powershell
+$env:PYTHONPATH='src'
+Get-Content examples/attacks/safe_read.json | python -m aion_core.cli --policy examples/policies/stage6-default.json --receipt-log receipts/demo.jsonl -- python examples/demo_mcp_server.py
+```
+
+## Policy Shape
+
+Policies are JSON so the MVP has zero runtime dependencies.
+
+```json
+{
+  "default_action": "allow",
+  "rules": [
+    {
+      "id": "block-shell-delete",
+      "match": {
+        "tool": ["shell", "run_command"],
+        "argument_contains": ["rm -rf", "Remove-Item", "del /s"]
+      },
+      "action": "block",
+      "reason": "Destructive shell command patterns require explicit approval."
+    }
+  ]
+}
+```
+
+Supported rule matchers:
+
+- `tool`: exact tool names or `*` wildcards.
+- `argument_contains`: risky strings searched inside serialized arguments.
+- `argument_regex`: risky regular expressions searched inside serialized arguments.
+- `owner`: optional agent owner/team identity.
+
+Supported actions:
+
+- `allow`
+- `block`
+
+## Receipt Example
+
+Every MCP `tools/call` decision is logged as JSONL:
+
+```json
+{"decision":"block","tool":"shell","rule_id":"block-shell-delete","reason":"Destructive shell command patterns require explicit approval."}
+```
+
+## Development
+
+Run tests:
+
+```powershell
+$env:PYTHONPATH='src'
+python -m unittest discover -s tests
+```
+
+Useful docs:
+
+- [Stage status](docs/STAGE_STATUS.md)
+- [AION Guard](docs/GUARD.md)
+- [AION Receipts](docs/RECEIPTS.md)
+- [AION Scan](docs/SCAN.md)
+- [Team policy and approvals](docs/TEAM_POLICY_APPROVALS.md)
+- [Stage 5 Cloud alignment](docs/STAGE5_CLOUD_ALIGNMENT.md)
+- [AION Cloud control panel](docs/STAGE8_CONTROL_PANEL.md)
+- [Stage 6 completion report](docs/STAGE6_COMPLETION_REPORT.md)
+- [Repo structure](docs/REPO_STRUCTURE.md)
+- [Stage 6 demo guide](docs/STAGE6_DEMO.md)
+- [Install](docs/INSTALL.md)
+- [Real MCP integration](docs/REAL_MCP_INTEGRATION.md)
+- [Filesystem MCP example](docs/FILESYSTEM_MCP_EXAMPLE.md)
+- [Architecture](docs/ARCHITECTURE.md)
+- [Launch checklist](docs/LAUNCH_CHECKLIST.md)
+- [GitHub launch](docs/GITHUB_LAUNCH.md)
+- [PyPI release](docs/PYPI_RELEASE.md)
+- [Website copy](docs/WEBSITE_COPY.md)
+- [Verification](docs/VERIFICATION.md)
+- [Demo video script](docs/DEMO_VIDEO_SCRIPT.md)
+- [Launch post draft](docs/LAUNCH_POST.md)
+- [Roadmap](docs/ROADMAP.md)
+
+## Current Scope
+
+Current core scope:
+
+- generic Guard action checks
+- MCP config and policy scanning
+- stdio MCP firewall proxy
+- runtime policy checks for `tools/call`
+- MCP-compatible JSON-RPC block responses
+- hash-verified JSONL audit receipts
+- team approval-required policy decisions
+- AION Cloud control panel summary and pending approval views
+- dependency-free Python core
+
+Next infrastructure layers:
+
+- signed receipts
+- agent identity
+- cloud receipt vault
+- tool risk registry
+- real Slack/webhook approval delivery
+- compliance exports

aion_core-0.8.0/README.md

@@ -0,0 +1,195 @@
+# AION Core
+
+Runtime action control, receipt, and firewall layer for AI agents.
+
+AION Core contains the open-source infrastructure pieces behind AION: Guard, Receipts, Scan, Team Policy, and the MCP Firewall.
+
+```text
+AI Agent -> AION Guard / MCP Firewall -> Tool/API/System
+                                  |
+                                  +-> verified JSONL receipt log
+```
+
+## One-Command Demo
+
+From the repo root:
+
+```powershell
+$env:PYTHONPATH='src'
+python -m aion_core.demo
+```
+
+After local install or PyPI install:
+
+```powershell
+python -m pip install aion-core
+aion-demo
+```
+
+For editable development installs:
+
+```powershell
+python -m pip install -e .
+```
+
+Expected result:
+
+```text
+[PASS] scan detected unprotected MCP server
+[PASS] guard blocked generic shell action
+[PASS] guard allowed generic safe read
+[PASS] team policy required approval
+[PASS] blocked destructive shell command
+[PASS] blocked secret exfiltration
+[PASS] allowed safe read
+Receipts written to: aion-demo-output/receipts.jsonl
+Approvals written to: aion-demo-output/approvals.jsonl
+Receipt verification: PASS (6 receipt(s), hash-verified)
+```
+
+This proves the infrastructure wedge:
+
+- generic Guard actions can be allowed or blocked
+- dangerous shell action is blocked before reaching the tool
+- secret exfiltration attempt is blocked before reaching the tool
+- safe file-read style action is allowed
+- approval-required team actions create approval records
+- every decision gets a receipt
+
+## Run Guard
+
+Check a generic action:
+
+```powershell
+$env:PYTHONPATH='src'
+python -m aion_core.guard_cli check --policy examples\policies\stage6-default.json --receipt-log receipts\guard.jsonl --action-type shell.command --tool shell --arguments-file examples\actions\destructive_shell_args.json --agent-id demo --owner local
+```
+
+## Run The Firewall
+
+Run AION in front of any stdio MCP server:
+
+```powershell
+aion-mcp-firewall --policy examples/policies/stage6-default.json --receipt-log receipts/aion.jsonl -- python path/to/mcp_server.py
+```
+
+For local development without installing:
+
+```powershell
+$env:PYTHONPATH='src'
+python -m aion_core.cli --policy examples/policies/stage6-default.json --receipt-log receipts/aion.jsonl -- python path/to/mcp_server.py
+```
+
+## Manual Attack Demo
+
+Blocked dangerous command:
+
+```powershell
+$env:PYTHONPATH='src'
+Get-Content examples/attacks/destructive_shell.json | python -m aion_core.cli --policy examples/policies/stage6-default.json --receipt-log receipts/demo.jsonl -- python examples/demo_mcp_server.py
+```
+
+Allowed safe call:
+
+```powershell
+$env:PYTHONPATH='src'
+Get-Content examples/attacks/safe_read.json | python -m aion_core.cli --policy examples/policies/stage6-default.json --receipt-log receipts/demo.jsonl -- python examples/demo_mcp_server.py
+```
+
+## Policy Shape
+
+Policies are JSON so the MVP has zero runtime dependencies.
+
+```json
+{
+  "default_action": "allow",
+  "rules": [
+    {
+      "id": "block-shell-delete",
+      "match": {
+        "tool": ["shell", "run_command"],
+        "argument_contains": ["rm -rf", "Remove-Item", "del /s"]
+      },
+      "action": "block",
+      "reason": "Destructive shell command patterns require explicit approval."
+    }
+  ]
+}
+```
+
+Supported rule matchers:
+
+- `tool`: exact tool names or `*` wildcards.
+- `argument_contains`: risky strings searched inside serialized arguments.
+- `argument_regex`: risky regular expressions searched inside serialized arguments.
+- `owner`: optional agent owner/team identity.
+
+Supported actions:
+
+- `allow`
+- `block`
+
+## Receipt Example
+
+Every MCP `tools/call` decision is logged as JSONL:
+
+```json
+{"decision":"block","tool":"shell","rule_id":"block-shell-delete","reason":"Destructive shell command patterns require explicit approval."}
+```
+
+## Development
+
+Run tests:
+
+```powershell
+$env:PYTHONPATH='src'
+python -m unittest discover -s tests
+```
+
+Useful docs:
+
+- [Stage status](docs/STAGE_STATUS.md)
+- [AION Guard](docs/GUARD.md)
+- [AION Receipts](docs/RECEIPTS.md)
+- [AION Scan](docs/SCAN.md)
+- [Team policy and approvals](docs/TEAM_POLICY_APPROVALS.md)
+- [Stage 5 Cloud alignment](docs/STAGE5_CLOUD_ALIGNMENT.md)
+- [AION Cloud control panel](docs/STAGE8_CONTROL_PANEL.md)
+- [Stage 6 completion report](docs/STAGE6_COMPLETION_REPORT.md)
+- [Repo structure](docs/REPO_STRUCTURE.md)
+- [Stage 6 demo guide](docs/STAGE6_DEMO.md)
+- [Install](docs/INSTALL.md)
+- [Real MCP integration](docs/REAL_MCP_INTEGRATION.md)
+- [Filesystem MCP example](docs/FILESYSTEM_MCP_EXAMPLE.md)
+- [Architecture](docs/ARCHITECTURE.md)
+- [Launch checklist](docs/LAUNCH_CHECKLIST.md)
+- [GitHub launch](docs/GITHUB_LAUNCH.md)
+- [PyPI release](docs/PYPI_RELEASE.md)
+- [Website copy](docs/WEBSITE_COPY.md)
+- [Verification](docs/VERIFICATION.md)
+- [Demo video script](docs/DEMO_VIDEO_SCRIPT.md)
+- [Launch post draft](docs/LAUNCH_POST.md)
+- [Roadmap](docs/ROADMAP.md)
+
+## Current Scope
+
+Current core scope:
+
+- generic Guard action checks
+- MCP config and policy scanning
+- stdio MCP firewall proxy
+- runtime policy checks for `tools/call`
+- MCP-compatible JSON-RPC block responses
+- hash-verified JSONL audit receipts
+- team approval-required policy decisions
+- AION Cloud control panel summary and pending approval views
+- dependency-free Python core
+
+Next infrastructure layers:
+
+- signed receipts
+- agent identity
+- cloud receipt vault
+- tool risk registry
+- real Slack/webhook approval delivery
+- compliance exports

aion_core-0.8.0/SECURITY.md

@@ -0,0 +1,32 @@
+# Security Policy
+
+AION Stage 6 is an early MCP firewall MVP. It should be treated as experimental until hardened.
+
+## Current Security Scope
+
+AION can:
+
+- inspect MCP `tools/call` messages
+- allow or block calls using JSON policy
+- log receipts for decisions
+- return MCP-compatible block errors
+
+AION does not yet provide:
+
+- cryptographic receipt signing
+- tamper-proof storage
+- authentication
+- network isolation
+- enterprise policy management
+
+## Reporting Issues
+
+Please open a private security report or contact the maintainers before publishing exploit details.
+
+Useful details:
+
+- policy file
+- MCP request
+- expected decision
+- actual decision
+- receipt output

aion_core-0.8.0/docs/ARCHITECTURE.md

@@ -0,0 +1,60 @@
+# Architecture
+
+AION Stage 6 is a stdio MCP firewall proxy.
+
+```text
+stdin from agent
+  |
+  v
+AION firewall
+  |
+  |-- parse JSON-RPC
+  |-- inspect tools/call
+  |-- evaluate policy
+  |-- write receipt
+  |
+  +-- block response to agent
+  |
+  v
+upstream MCP server
+```
+
+## Modules
+
+- `aion_core.cli`: command-line entry point.
+- `aion_core.firewall`: stdio proxy and MCP request inspection.
+- `aion_core.policy`: dependency-free JSON policy engine.
+- `aion_core.receipts`: JSONL receipt writer.
+- `aion_core.demo`: one-command public demo runner.
+
+## Policy Decision Flow
+
+1. Parse one JSON-RPC line.
+2. Ignore non-`tools/call` messages.
+3. Extract tool name and arguments.
+4. Evaluate rules in order.
+5. Return first matching allow/block rule.
+6. Fall back to `default_action`.
+7. Write receipt with decision, rule, tool, owner, agent id, and argument fingerprint.
+
+## Block Response
+
+Blocked calls return a JSON-RPC error:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "id": 1,
+  "error": {
+    "code": -32090,
+    "message": "AION firewall blocked this MCP tool call."
+  }
+}
+```
+
+## Design Constraints
+
+- Keep the MVP dependency-free.
+- Keep policies readable as JSON.
+- Keep receipts append-only JSONL.
+- Keep the proxy generic so any stdio MCP server can sit behind it.

aion_core-0.8.0/docs/DEMO_VIDEO_SCRIPT.md

@@ -0,0 +1,56 @@
+# 60-90 Second Demo Video Script
+
+## Opening
+
+"This is AION Core, a runtime security layer for AI agent actions."
+
+"AI agents are starting to call tools that can touch files, shells, APIs, and internal systems. AION sits between the agent and the action."
+
+## Show Command
+
+```powershell
+$env:PYTHONPATH='src'
+python -m aion_core.demo
+```
+
+## Show Result
+
+Point to:
+
+```text
+[PASS] blocked destructive shell command
+[PASS] blocked secret exfiltration
+[PASS] allowed safe read
+[PASS] scan detected unprotected MCP server
+[PASS] team policy required approval
+```
+
+Say:
+
+"AION Scan detects unprotected MCP servers before runtime."
+
+"AION Guard blocks generic risky actions."
+
+"AION Team Policy turns production mutations into approval requests."
+
+"The agent attempted a destructive shell command. AION blocked it before it reached the tool."
+
+"The agent attempted to send a password-like value out through an HTTP tool. AION blocked that too."
+
+"A safe read-style call was allowed."
+
+## Show Receipts
+
+Open:
+
+```text
+aion-demo-output/receipts.jsonl
+```
+
+Say:
+
+"Every decision creates a hash-verified receipt with the agent id, owner, tool, decision, rule id, reason, and timestamp."
+
+## Closing
+
+"AION Core is the open-source infrastructure layer. AION Cloud will become the hosted receipt vault, team policy dashboard, and compliance control plane."

aion_core-0.8.0/docs/FILESYSTEM_MCP_EXAMPLE.md

@@ -0,0 +1,48 @@
+# Filesystem MCP Example
+
+This example shows how AION can wrap a real filesystem MCP server.
+
+The upstream server is `@modelcontextprotocol/server-filesystem`, a Node.js MCP server that exposes filesystem tools such as reading, writing, editing, moving, and listing files. Tool names can vary across package versions, so keep your AION policy aligned with the exact server version you use.
+
+## Installed AION Command
+
+After installing AION Core locally:
+
+```powershell
+aion-mcp-firewall --policy examples/policies/stage6-default.json --receipt-log receipts/filesystem.jsonl --agent-id local-agent --owner local-dev -- npx -y @modelcontextprotocol/server-filesystem "C:\Users\SOURABH RANJAN"
+```
+
+## Source Checkout Command
+
+Without installing:
+
+```powershell
+$env:PYTHONPATH='src'
+python -m aion_core.cli --policy examples/policies/stage6-default.json --receipt-log receipts/filesystem.jsonl --agent-id local-agent --owner local-dev -- npx -y @modelcontextprotocol/server-filesystem "C:\Users\SOURABH RANJAN"
+```
+
+## Client Config Templates
+
+See:
+
+- `examples/integrations/claude_desktop_filesystem_aion.json`
+- `examples/integrations/local_python_filesystem_aion.json`
+
+## Policy Notes
+
+Filesystem MCP servers often expose powerful tools:
+
+- read files
+- write files
+- edit files
+- move files
+- list directories
+- inspect metadata
+
+For early testing, AION should at minimum block:
+
+- destructive shell-like patterns
+- secret exfiltration patterns
+- risky write/edit/move/delete operations in sensitive directories
+
+Stage 6 currently proves the runtime firewall path. Stage 6.2 should add deeper tool-aware policies for specific MCP servers.

aion_core-0.8.0/docs/GITHUB_LAUNCH.md

@@ -0,0 +1,59 @@
+# GitHub Launch Checklist
+
+Recommended repository: `Sourabh1845/aion-core`
+
+## Repository Setup
+
+```powershell
+cd C:\Users\SOURABH RANJAN\aion-core
+git init
+git branch -M main
+git add .
+git commit -m "Launch AION Core 0.8.0"
+git remote add origin https://github.com/Sourabh1845/aion-core.git
+git push -u origin main
+```
+
+## GitHub Settings
+
+- Add description:
+  - `Runtime security layer for AI agents: MCP firewall, Guard, Scan, receipts, team approvals.`
+- Add topics:
+  - `ai-agents`
+  - `mcp`
+  - `security`
+  - `firewall`
+  - `agent-security`
+  - `audit-logs`
+- Enable GitHub Pages:
+  - Source: `Deploy from a branch`
+  - Branch: `main`
+  - Folder: `/docs`
+- Create release:
+  - Tag: `v0.8.0`
+  - Title: `AION Core 0.8.0`
+
+## Release Notes
+
+```text
+AION Core 0.8.0 is the first public infrastructure MVP.
+
+Includes:
+- AION Guard runtime action checks
+- AION Receipts hash-verified audit logs
+- AION Scan for MCP configs and weak policies
+- MCP Firewall stdio proxy
+- Team policy approval-required decisions
+- AION Cloud receipt/control-panel alignment
+- One-command demo: aion-demo
+```
+
+## Smoke Test After Push
+
+```powershell
+git clone https://github.com/Sourabh1845/aion-core.git
+cd aion-core
+$env:PYTHONPATH='src'
+python -m unittest discover -s tests
+python -m aion_core.demo
+```