hermes-shield-scanner 0.7.1__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (109) hide show
  1. hermes_shield_scanner-0.7.1/LICENSE +202 -0
  2. hermes_shield_scanner-0.7.1/PKG-INFO +417 -0
  3. hermes_shield_scanner-0.7.1/README.md +184 -0
  4. hermes_shield_scanner-0.7.1/pyproject.toml +57 -0
  5. hermes_shield_scanner-0.7.1/setup.cfg +4 -0
  6. hermes_shield_scanner-0.7.1/src/hermes_shield/__init__.py +3 -0
  7. hermes_shield_scanner-0.7.1/src/hermes_shield/_demo/app.py.txt +12 -0
  8. hermes_shield_scanner-0.7.1/src/hermes_shield/_demo/eval_tool.py.txt +14 -0
  9. hermes_shield_scanner-0.7.1/src/hermes_shield/_demo/tools.py.txt +8 -0
  10. hermes_shield_scanner-0.7.1/src/hermes_shield/ai_assist.py +266 -0
  11. hermes_shield_scanner-0.7.1/src/hermes_shield/ai_finder.py +105 -0
  12. hermes_shield_scanner-0.7.1/src/hermes_shield/ai_tier.py +213 -0
  13. hermes_shield_scanner-0.7.1/src/hermes_shield/ai_verify.py +46 -0
  14. hermes_shield_scanner-0.7.1/src/hermes_shield/ast_sinks.py +794 -0
  15. hermes_shield_scanner-0.7.1/src/hermes_shield/banner.py +115 -0
  16. hermes_shield_scanner-0.7.1/src/hermes_shield/baseline.py +32 -0
  17. hermes_shield_scanner-0.7.1/src/hermes_shield/brand_fonts.py +1606 -0
  18. hermes_shield_scanner-0.7.1/src/hermes_shield/call_graph.py +330 -0
  19. hermes_shield_scanner-0.7.1/src/hermes_shield/cap_normalise.py +106 -0
  20. hermes_shield_scanner-0.7.1/src/hermes_shield/config/__init__.py +2 -0
  21. hermes_shield_scanner-0.7.1/src/hermes_shield/config/entrypoints.json +32 -0
  22. hermes_shield_scanner-0.7.1/src/hermes_shield/config/guard_primitives.json +25 -0
  23. hermes_shield_scanner-0.7.1/src/hermes_shield/config_loader.py +87 -0
  24. hermes_shield_scanner-0.7.1/src/hermes_shield/cross_module.py +217 -0
  25. hermes_shield_scanner-0.7.1/src/hermes_shield/cs_sinks.py +110 -0
  26. hermes_shield_scanner-0.7.1/src/hermes_shield/dashboard_export.py +31 -0
  27. hermes_shield_scanner-0.7.1/src/hermes_shield/dep_scan.py +525 -0
  28. hermes_shield_scanner-0.7.1/src/hermes_shield/drift.py +67 -0
  29. hermes_shield_scanner-0.7.1/src/hermes_shield/entrypoint_proof.py +111 -0
  30. hermes_shield_scanner-0.7.1/src/hermes_shield/entrypoints.py +66 -0
  31. hermes_shield_scanner-0.7.1/src/hermes_shield/guard_attribution.py +266 -0
  32. hermes_shield_scanner-0.7.1/src/hermes_shield/guard_detector.py +34 -0
  33. hermes_shield_scanner-0.7.1/src/hermes_shield/guard_integrity.py +210 -0
  34. hermes_shield_scanner-0.7.1/src/hermes_shield/install_report.py +244 -0
  35. hermes_shield_scanner-0.7.1/src/hermes_shield/inter_taint.py +302 -0
  36. hermes_shield_scanner-0.7.1/src/hermes_shield/learned_sinks.json +38 -0
  37. hermes_shield_scanner-0.7.1/src/hermes_shield/learned_sinks.py +141 -0
  38. hermes_shield_scanner-0.7.1/src/hermes_shield/llm_eval_detector.py +125 -0
  39. hermes_shield_scanner-0.7.1/src/hermes_shield/models.py +172 -0
  40. hermes_shield_scanner-0.7.1/src/hermes_shield/module_index.py +163 -0
  41. hermes_shield_scanner-0.7.1/src/hermes_shield/patch_plan.py +96 -0
  42. hermes_shield_scanner-0.7.1/src/hermes_shield/patterns.py +96 -0
  43. hermes_shield_scanner-0.7.1/src/hermes_shield/prove.py +891 -0
  44. hermes_shield_scanner-0.7.1/src/hermes_shield/repo_map.py +109 -0
  45. hermes_shield_scanner-0.7.1/src/hermes_shield/repo_scanner.py +393 -0
  46. hermes_shield_scanner-0.7.1/src/hermes_shield/report_writer.py +19 -0
  47. hermes_shield_scanner-0.7.1/src/hermes_shield/scan_hermes.py +471 -0
  48. hermes_shield_scanner-0.7.1/src/hermes_shield/secret_exfil_detector.py +147 -0
  49. hermes_shield_scanner-0.7.1/src/hermes_shield/semgrep_runner.py +181 -0
  50. hermes_shield_scanner-0.7.1/src/hermes_shield/shield_cli.py +327 -0
  51. hermes_shield_scanner-0.7.1/src/hermes_shield/shield_report.py +637 -0
  52. hermes_shield_scanner-0.7.1/src/hermes_shield/stream.py +185 -0
  53. hermes_shield_scanner-0.7.1/src/hermes_shield/summary.py +217 -0
  54. hermes_shield_scanner-0.7.1/src/hermes_shield/surface_classifier.py +103 -0
  55. hermes_shield_scanner-0.7.1/src/hermes_shield/taint.py +281 -0
  56. hermes_shield_scanner-0.7.1/src/hermes_shield/ts_sinks.py +133 -0
  57. hermes_shield_scanner-0.7.1/src/hermes_shield/ts_taint.py +258 -0
  58. hermes_shield_scanner-0.7.1/src/hermes_shield_scanner.egg-info/PKG-INFO +417 -0
  59. hermes_shield_scanner-0.7.1/src/hermes_shield_scanner.egg-info/SOURCES.txt +107 -0
  60. hermes_shield_scanner-0.7.1/src/hermes_shield_scanner.egg-info/dependency_links.txt +1 -0
  61. hermes_shield_scanner-0.7.1/src/hermes_shield_scanner.egg-info/entry_points.txt +3 -0
  62. hermes_shield_scanner-0.7.1/src/hermes_shield_scanner.egg-info/requires.txt +8 -0
  63. hermes_shield_scanner-0.7.1/src/hermes_shield_scanner.egg-info/top_level.txt +1 -0
  64. hermes_shield_scanner-0.7.1/tests/test_ai_cache_path_rejects_symlink.py +30 -0
  65. hermes_shield_scanner-0.7.1/tests/test_ai_default_cache_not_under_target_root.py +21 -0
  66. hermes_shield_scanner-0.7.1/tests/test_ai_reachability.py +116 -0
  67. hermes_shield_scanner-0.7.1/tests/test_ai_tier_cache_only.py +87 -0
  68. hermes_shield_scanner-0.7.1/tests/test_ai_tier_skips_out_of_root_symlink_targets.py +22 -0
  69. hermes_shield_scanner-0.7.1/tests/test_cli_ergonomics.py +173 -0
  70. hermes_shield_scanner-0.7.1/tests/test_demo_licence_metadata.py +114 -0
  71. hermes_shield_scanner-0.7.1/tests/test_dep_scan.py +349 -0
  72. hermes_shield_scanner-0.7.1/tests/test_field_container_taint.py +71 -0
  73. hermes_shield_scanner-0.7.1/tests/test_fix_plan.py +120 -0
  74. hermes_shield_scanner-0.7.1/tests/test_fp_suppression.py +87 -0
  75. hermes_shield_scanner-0.7.1/tests/test_get_source_recall.py +43 -0
  76. hermes_shield_scanner-0.7.1/tests/test_guard_attribution.py +308 -0
  77. hermes_shield_scanner-0.7.1/tests/test_hs03_ai_redaction_trust_size.py +131 -0
  78. hermes_shield_scanner-0.7.1/tests/test_hs04_semgrep_pinning.py +105 -0
  79. hermes_shield_scanner-0.7.1/tests/test_inter_taint.py +77 -0
  80. hermes_shield_scanner-0.7.1/tests/test_launch_hardening.py +168 -0
  81. hermes_shield_scanner-0.7.1/tests/test_learned_structural.py +57 -0
  82. hermes_shield_scanner-0.7.1/tests/test_llm_eval_detector.py +32 -0
  83. hermes_shield_scanner-0.7.1/tests/test_p2_9a_review_drift.py +103 -0
  84. hermes_shield_scanner-0.7.1/tests/test_p2_9b_precision.py +144 -0
  85. hermes_shield_scanner-0.7.1/tests/test_p2_9b_review_adversarial.py +126 -0
  86. hermes_shield_scanner-0.7.1/tests/test_p2_9c_cross_module.py +85 -0
  87. hermes_shield_scanner-0.7.1/tests/test_p2_9c_review_adversarial.py +135 -0
  88. hermes_shield_scanner-0.7.1/tests/test_p2_9d_config_entrypoints.py +103 -0
  89. hermes_shield_scanner-0.7.1/tests/test_p2_9d_review_adversarial.py +100 -0
  90. hermes_shield_scanner-0.7.1/tests/test_p2_9e_ast_sinks.py +92 -0
  91. hermes_shield_scanner-0.7.1/tests/test_p2_9e_review_adversarial.py +90 -0
  92. hermes_shield_scanner-0.7.1/tests/test_p2_9f_entrypoint_map.py +93 -0
  93. hermes_shield_scanner-0.7.1/tests/test_p2_9g_earlyreturn_soundness.py +46 -0
  94. hermes_shield_scanner-0.7.1/tests/test_prove_lane.py +416 -0
  95. hermes_shield_scanner-0.7.1/tests/test_prove_platform_guard.py +67 -0
  96. hermes_shield_scanner-0.7.1/tests/test_s8_84_cli_command_entrypoints.py +124 -0
  97. hermes_shield_scanner-0.7.1/tests/test_s8_85_scan_corrections.py +108 -0
  98. hermes_shield_scanner-0.7.1/tests/test_s8_86_install_liability_rating.py +78 -0
  99. hermes_shield_scanner-0.7.1/tests/test_s8_87_out_dir.py +68 -0
  100. hermes_shield_scanner-0.7.1/tests/test_s8_88_shield_report_wired.py +64 -0
  101. hermes_shield_scanner-0.7.1/tests/test_s8_89_semgrep_comparator.py +82 -0
  102. hermes_shield_scanner-0.7.1/tests/test_scan_skips_symlinked_py_files.py +28 -0
  103. hermes_shield_scanner-0.7.1/tests/test_scanner_core.py +138 -0
  104. hermes_shield_scanner-0.7.1/tests/test_secret_exfil_detector.py +24 -0
  105. hermes_shield_scanner-0.7.1/tests/test_ssti_sink.py +22 -0
  106. hermes_shield_scanner-0.7.1/tests/test_stage1_5_guard_integrity.py +118 -0
  107. hermes_shield_scanner-0.7.1/tests/test_target_guard_config_not_trusted_by_default.py +54 -0
  108. hermes_shield_scanner-0.7.1/tests/test_ts_taint.py +76 -0
  109. hermes_shield_scanner-0.7.1/tests/test_verified_fires.py +47 -0
@@ -0,0 +1,202 @@
1
+
2
+ Apache License
3
+ Version 2.0, January 2004
4
+ http://www.apache.org/licenses/
5
+
6
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
7
+
8
+ 1. Definitions.
9
+
10
+ "License" shall mean the terms and conditions for use, reproduction,
11
+ and distribution as defined by Sections 1 through 9 of this document.
12
+
13
+ "Licensor" shall mean the copyright owner or entity authorized by
14
+ the copyright owner that is granting the License.
15
+
16
+ "Legal Entity" shall mean the union of the acting entity and all
17
+ other entities that control, are controlled by, or are under common
18
+ control with that entity. For the purposes of this definition,
19
+ "control" means (i) the power, direct or indirect, to cause the
20
+ direction or management of such entity, whether by contract or
21
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
22
+ outstanding shares, or (iii) beneficial ownership of such entity.
23
+
24
+ "You" (or "Your") shall mean an individual or Legal Entity
25
+ exercising permissions granted by this License.
26
+
27
+ "Source" form shall mean the preferred form for making modifications,
28
+ including but not limited to software source code, documentation
29
+ source, and configuration files.
30
+
31
+ "Object" form shall mean any form resulting from mechanical
32
+ transformation or translation of a Source form, including but
33
+ not limited to compiled object code, generated documentation,
34
+ and conversions to other media types.
35
+
36
+ "Work" shall mean the work of authorship, whether in Source or
37
+ Object form, made available under the License, as indicated by a
38
+ copyright notice that is included in or attached to the work
39
+ (an example is provided in the Appendix below).
40
+
41
+ "Derivative Works" shall mean any work, whether in Source or Object
42
+ form, that is based on (or derived from) the Work and for which the
43
+ editorial revisions, annotations, elaborations, or other modifications
44
+ represent, as a whole, an original work of authorship. For the purposes
45
+ of this License, Derivative Works shall not include works that remain
46
+ separable from, or merely link (or bind by name) to the interfaces of,
47
+ the Work and Derivative Works thereof.
48
+
49
+ "Contribution" shall mean any work of authorship, including
50
+ the original version of the Work and any modifications or additions
51
+ to that Work or Derivative Works thereof, that is intentionally
52
+ submitted to Licensor for inclusion in the Work by the copyright owner
53
+ or by an individual or Legal Entity authorized to submit on behalf of
54
+ the copyright owner. For the purposes of this definition, "submitted"
55
+ means any form of electronic, verbal, or written communication sent
56
+ to the Licensor or its representatives, including but not limited to
57
+ communication on electronic mailing lists, source code control systems,
58
+ and issue tracking systems that are managed by, or on behalf of, the
59
+ Licensor for the purpose of discussing and improving the Work, but
60
+ excluding communication that is conspicuously marked or otherwise
61
+ designated in writing by the copyright owner as "Not a Contribution."
62
+
63
+ "Contributor" shall mean Licensor and any individual or Legal Entity
64
+ on behalf of whom a Contribution has been received by Licensor and
65
+ subsequently incorporated within the Work.
66
+
67
+ 2. Grant of Copyright License. Subject to the terms and conditions of
68
+ this License, each Contributor hereby grants to You a perpetual,
69
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
70
+ copyright license to reproduce, prepare Derivative Works of,
71
+ publicly display, publicly perform, sublicense, and distribute the
72
+ Work and such Derivative Works in Source or Object form.
73
+
74
+ 3. Grant of Patent License. Subject to the terms and conditions of
75
+ this License, each Contributor hereby grants to You a perpetual,
76
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
77
+ (except as stated in this section) patent license to make, have made,
78
+ use, offer to sell, sell, import, and otherwise transfer the Work,
79
+ where such license applies only to those patent claims licensable
80
+ by such Contributor that are necessarily infringed by their
81
+ Contribution(s) alone or by combination of their Contribution(s)
82
+ with the Work to which such Contribution(s) was submitted. If You
83
+ institute patent litigation against any entity (including a
84
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
85
+ or a Contribution incorporated within the Work constitutes direct
86
+ or contributory patent infringement, then any patent licenses
87
+ granted to You under this License for that Work shall terminate
88
+ as of the date such litigation is filed.
89
+
90
+ 4. Redistribution. You may reproduce and distribute copies of the
91
+ Work or Derivative Works thereof in any medium, with or without
92
+ modifications, and in Source or Object form, provided that You
93
+ meet the following conditions:
94
+
95
+ (a) You must give any other recipients of the Work or
96
+ Derivative Works a copy of this License; and
97
+
98
+ (b) You must cause any modified files to carry prominent notices
99
+ stating that You changed the files; and
100
+
101
+ (c) You must retain, in the Source form of any Derivative Works
102
+ that You distribute, all copyright, patent, trademark, and
103
+ attribution notices from the Source form of the Work,
104
+ excluding those notices that do not pertain to any part of
105
+ the Derivative Works; and
106
+
107
+ (d) If the Work includes a "NOTICE" text file as part of its
108
+ distribution, then any Derivative Works that You distribute must
109
+ include a readable copy of the attribution notices contained
110
+ within such NOTICE file, excluding those notices that do not
111
+ pertain to any part of the Derivative Works, in at least one
112
+ of the following places: within a NOTICE text file distributed
113
+ as part of the Derivative Works; within the Source form or
114
+ documentation, if provided along with the Derivative Works; or,
115
+ within a display generated by the Derivative Works, if and
116
+ wherever such third-party notices normally appear. The contents
117
+ of the NOTICE file are for informational purposes only and
118
+ do not modify the License. You may add Your own attribution
119
+ notices within Derivative Works that You distribute, alongside
120
+ or as an addendum to the NOTICE text from the Work, provided
121
+ that such additional attribution notices cannot be construed
122
+ as modifying the License.
123
+
124
+ You may add Your own copyright statement to Your modifications and
125
+ may provide additional or different license terms and conditions
126
+ for use, reproduction, or distribution of Your modifications, or
127
+ for any such Derivative Works as a whole, provided Your use,
128
+ reproduction, and distribution of the Work otherwise complies with
129
+ the conditions stated in this License.
130
+
131
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
132
+ any Contribution intentionally submitted for inclusion in the Work
133
+ by You to the Licensor shall be under the terms and conditions of
134
+ this License, without any additional terms or conditions.
135
+ Notwithstanding the above, nothing herein shall supersede or modify
136
+ the terms of any separate license agreement you may have executed
137
+ with Licensor regarding such Contributions.
138
+
139
+ 6. Trademarks. This License does not grant permission to use the trade
140
+ names, trademarks, service marks, or product names of the Licensor,
141
+ except as required for reasonable and customary use in describing the
142
+ origin of the Work and reproducing the content of the NOTICE file.
143
+
144
+ 7. Disclaimer of Warranty. Unless required by applicable law or
145
+ agreed to in writing, Licensor provides the Work (and each
146
+ Contributor provides its Contributions) on an "AS IS" BASIS,
147
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148
+ implied, including, without limitation, any warranties or conditions
149
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150
+ PARTICULAR PURPOSE. You are solely responsible for determining the
151
+ appropriateness of using or redistributing the Work and assume any
152
+ risks associated with Your exercise of permissions under this License.
153
+
154
+ 8. Limitation of Liability. In no event and under no legal theory,
155
+ whether in tort (including negligence), contract, or otherwise,
156
+ unless required by applicable law (such as deliberate and grossly
157
+ negligent acts) or agreed to in writing, shall any Contributor be
158
+ liable to You for damages, including any direct, indirect, special,
159
+ incidental, or consequential damages of any character arising as a
160
+ result of this License or out of the use or inability to use the
161
+ Work (including but not limited to damages for loss of goodwill,
162
+ work stoppage, computer failure or malfunction, or any and all
163
+ other commercial damages or losses), even if such Contributor
164
+ has been advised of the possibility of such damages.
165
+
166
+ 9. Accepting Warranty or Additional Liability. While redistributing
167
+ the Work or Derivative Works thereof, You may choose to offer,
168
+ and charge a fee for, acceptance of support, warranty, indemnity,
169
+ or other liability obligations and/or rights consistent with this
170
+ License. However, in accepting such obligations, You may act only
171
+ on Your own behalf and on Your sole responsibility, not on behalf
172
+ of any other Contributor, and only if You agree to indemnify,
173
+ defend, and hold each Contributor harmless for any liability
174
+ incurred by, or claims asserted against, such Contributor by reason
175
+ of your accepting any such warranty or additional liability.
176
+
177
+ END OF TERMS AND CONDITIONS
178
+
179
+ APPENDIX: How to apply the Apache License to your work.
180
+
181
+ To apply the Apache License to your work, attach the following
182
+ boilerplate notice, with the fields enclosed by brackets "[]"
183
+ replaced with your own identifying information. (Don't include
184
+ the brackets!) The text should be enclosed in the appropriate
185
+ comment syntax for the file format. We also recommend that a
186
+ file or class name and description of purpose be included on the
187
+ same "printed page" as the copyright notice for easier
188
+ identification within third-party archives.
189
+
190
+ Copyright 2026 Hermes Shield
191
+
192
+ Licensed under the Apache License, Version 2.0 (the "License");
193
+ you may not use this file except in compliance with the License.
194
+ You may obtain a copy of the License at
195
+
196
+ http://www.apache.org/licenses/LICENSE-2.0
197
+
198
+ Unless required by applicable law or agreed to in writing, software
199
+ distributed under the License is distributed on an "AS IS" BASIS,
200
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
201
+ See the License for the specific language governing permissions and
202
+ limitations under the License.
@@ -0,0 +1,417 @@
1
+ Metadata-Version: 2.4
2
+ Name: hermes-shield-scanner
3
+ Version: 0.7.1
4
+ Summary: Read-only static scanner for AI-agent codebases: finds dangerous action sinks, proves reachability, attributes guard coverage, and rates findings honestly (reachable-verified vs install-liability).
5
+ Author-email: Hermes Shield <hello@hermesshield.ai>
6
+ License:
7
+ Apache License
8
+ Version 2.0, January 2004
9
+ http://www.apache.org/licenses/
10
+
11
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
12
+
13
+ 1. Definitions.
14
+
15
+ "License" shall mean the terms and conditions for use, reproduction,
16
+ and distribution as defined by Sections 1 through 9 of this document.
17
+
18
+ "Licensor" shall mean the copyright owner or entity authorized by
19
+ the copyright owner that is granting the License.
20
+
21
+ "Legal Entity" shall mean the union of the acting entity and all
22
+ other entities that control, are controlled by, or are under common
23
+ control with that entity. For the purposes of this definition,
24
+ "control" means (i) the power, direct or indirect, to cause the
25
+ direction or management of such entity, whether by contract or
26
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
27
+ outstanding shares, or (iii) beneficial ownership of such entity.
28
+
29
+ "You" (or "Your") shall mean an individual or Legal Entity
30
+ exercising permissions granted by this License.
31
+
32
+ "Source" form shall mean the preferred form for making modifications,
33
+ including but not limited to software source code, documentation
34
+ source, and configuration files.
35
+
36
+ "Object" form shall mean any form resulting from mechanical
37
+ transformation or translation of a Source form, including but
38
+ not limited to compiled object code, generated documentation,
39
+ and conversions to other media types.
40
+
41
+ "Work" shall mean the work of authorship, whether in Source or
42
+ Object form, made available under the License, as indicated by a
43
+ copyright notice that is included in or attached to the work
44
+ (an example is provided in the Appendix below).
45
+
46
+ "Derivative Works" shall mean any work, whether in Source or Object
47
+ form, that is based on (or derived from) the Work and for which the
48
+ editorial revisions, annotations, elaborations, or other modifications
49
+ represent, as a whole, an original work of authorship. For the purposes
50
+ of this License, Derivative Works shall not include works that remain
51
+ separable from, or merely link (or bind by name) to the interfaces of,
52
+ the Work and Derivative Works thereof.
53
+
54
+ "Contribution" shall mean any work of authorship, including
55
+ the original version of the Work and any modifications or additions
56
+ to that Work or Derivative Works thereof, that is intentionally
57
+ submitted to Licensor for inclusion in the Work by the copyright owner
58
+ or by an individual or Legal Entity authorized to submit on behalf of
59
+ the copyright owner. For the purposes of this definition, "submitted"
60
+ means any form of electronic, verbal, or written communication sent
61
+ to the Licensor or its representatives, including but not limited to
62
+ communication on electronic mailing lists, source code control systems,
63
+ and issue tracking systems that are managed by, or on behalf of, the
64
+ Licensor for the purpose of discussing and improving the Work, but
65
+ excluding communication that is conspicuously marked or otherwise
66
+ designated in writing by the copyright owner as "Not a Contribution."
67
+
68
+ "Contributor" shall mean Licensor and any individual or Legal Entity
69
+ on behalf of whom a Contribution has been received by Licensor and
70
+ subsequently incorporated within the Work.
71
+
72
+ 2. Grant of Copyright License. Subject to the terms and conditions of
73
+ this License, each Contributor hereby grants to You a perpetual,
74
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
75
+ copyright license to reproduce, prepare Derivative Works of,
76
+ publicly display, publicly perform, sublicense, and distribute the
77
+ Work and such Derivative Works in Source or Object form.
78
+
79
+ 3. Grant of Patent License. Subject to the terms and conditions of
80
+ this License, each Contributor hereby grants to You a perpetual,
81
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
82
+ (except as stated in this section) patent license to make, have made,
83
+ use, offer to sell, sell, import, and otherwise transfer the Work,
84
+ where such license applies only to those patent claims licensable
85
+ by such Contributor that are necessarily infringed by their
86
+ Contribution(s) alone or by combination of their Contribution(s)
87
+ with the Work to which such Contribution(s) was submitted. If You
88
+ institute patent litigation against any entity (including a
89
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
90
+ or a Contribution incorporated within the Work constitutes direct
91
+ or contributory patent infringement, then any patent licenses
92
+ granted to You under this License for that Work shall terminate
93
+ as of the date such litigation is filed.
94
+
95
+ 4. Redistribution. You may reproduce and distribute copies of the
96
+ Work or Derivative Works thereof in any medium, with or without
97
+ modifications, and in Source or Object form, provided that You
98
+ meet the following conditions:
99
+
100
+ (a) You must give any other recipients of the Work or
101
+ Derivative Works a copy of this License; and
102
+
103
+ (b) You must cause any modified files to carry prominent notices
104
+ stating that You changed the files; and
105
+
106
+ (c) You must retain, in the Source form of any Derivative Works
107
+ that You distribute, all copyright, patent, trademark, and
108
+ attribution notices from the Source form of the Work,
109
+ excluding those notices that do not pertain to any part of
110
+ the Derivative Works; and
111
+
112
+ (d) If the Work includes a "NOTICE" text file as part of its
113
+ distribution, then any Derivative Works that You distribute must
114
+ include a readable copy of the attribution notices contained
115
+ within such NOTICE file, excluding those notices that do not
116
+ pertain to any part of the Derivative Works, in at least one
117
+ of the following places: within a NOTICE text file distributed
118
+ as part of the Derivative Works; within the Source form or
119
+ documentation, if provided along with the Derivative Works; or,
120
+ within a display generated by the Derivative Works, if and
121
+ wherever such third-party notices normally appear. The contents
122
+ of the NOTICE file are for informational purposes only and
123
+ do not modify the License. You may add Your own attribution
124
+ notices within Derivative Works that You distribute, alongside
125
+ or as an addendum to the NOTICE text from the Work, provided
126
+ that such additional attribution notices cannot be construed
127
+ as modifying the License.
128
+
129
+ You may add Your own copyright statement to Your modifications and
130
+ may provide additional or different license terms and conditions
131
+ for use, reproduction, or distribution of Your modifications, or
132
+ for any such Derivative Works as a whole, provided Your use,
133
+ reproduction, and distribution of the Work otherwise complies with
134
+ the conditions stated in this License.
135
+
136
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
137
+ any Contribution intentionally submitted for inclusion in the Work
138
+ by You to the Licensor shall be under the terms and conditions of
139
+ this License, without any additional terms or conditions.
140
+ Notwithstanding the above, nothing herein shall supersede or modify
141
+ the terms of any separate license agreement you may have executed
142
+ with Licensor regarding such Contributions.
143
+
144
+ 6. Trademarks. This License does not grant permission to use the trade
145
+ names, trademarks, service marks, or product names of the Licensor,
146
+ except as required for reasonable and customary use in describing the
147
+ origin of the Work and reproducing the content of the NOTICE file.
148
+
149
+ 7. Disclaimer of Warranty. Unless required by applicable law or
150
+ agreed to in writing, Licensor provides the Work (and each
151
+ Contributor provides its Contributions) on an "AS IS" BASIS,
152
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
153
+ implied, including, without limitation, any warranties or conditions
154
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
155
+ PARTICULAR PURPOSE. You are solely responsible for determining the
156
+ appropriateness of using or redistributing the Work and assume any
157
+ risks associated with Your exercise of permissions under this License.
158
+
159
+ 8. Limitation of Liability. In no event and under no legal theory,
160
+ whether in tort (including negligence), contract, or otherwise,
161
+ unless required by applicable law (such as deliberate and grossly
162
+ negligent acts) or agreed to in writing, shall any Contributor be
163
+ liable to You for damages, including any direct, indirect, special,
164
+ incidental, or consequential damages of any character arising as a
165
+ result of this License or out of the use or inability to use the
166
+ Work (including but not limited to damages for loss of goodwill,
167
+ work stoppage, computer failure or malfunction, or any and all
168
+ other commercial damages or losses), even if such Contributor
169
+ has been advised of the possibility of such damages.
170
+
171
+ 9. Accepting Warranty or Additional Liability. While redistributing
172
+ the Work or Derivative Works thereof, You may choose to offer,
173
+ and charge a fee for, acceptance of support, warranty, indemnity,
174
+ or other liability obligations and/or rights consistent with this
175
+ License. However, in accepting such obligations, You may act only
176
+ on Your own behalf and on Your sole responsibility, not on behalf
177
+ of any other Contributor, and only if You agree to indemnify,
178
+ defend, and hold each Contributor harmless for any liability
179
+ incurred by, or claims asserted against, such Contributor by reason
180
+ of your accepting any such warranty or additional liability.
181
+
182
+ END OF TERMS AND CONDITIONS
183
+
184
+ APPENDIX: How to apply the Apache License to your work.
185
+
186
+ To apply the Apache License to your work, attach the following
187
+ boilerplate notice, with the fields enclosed by brackets "[]"
188
+ replaced with your own identifying information. (Don't include
189
+ the brackets!) The text should be enclosed in the appropriate
190
+ comment syntax for the file format. We also recommend that a
191
+ file or class name and description of purpose be included on the
192
+ same "printed page" as the copyright notice for easier
193
+ identification within third-party archives.
194
+
195
+ Copyright 2026 Hermes Shield
196
+
197
+ Licensed under the Apache License, Version 2.0 (the "License");
198
+ you may not use this file except in compliance with the License.
199
+ You may obtain a copy of the License at
200
+
201
+ http://www.apache.org/licenses/LICENSE-2.0
202
+
203
+ Unless required by applicable law or agreed to in writing, software
204
+ distributed under the License is distributed on an "AS IS" BASIS,
205
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
206
+ See the License for the specific language governing permissions and
207
+ limitations under the License.
208
+
209
+ Project-URL: Homepage, https://hermesshield.ai
210
+ Project-URL: Repository, https://github.com/hermesshield/hermes-shield-scanner
211
+ Project-URL: Changelog, https://github.com/hermesshield/hermes-shield-scanner/blob/main/CHANGELOG.md
212
+ Keywords: security,static-analysis,ai-agents,llm,prompt-injection,excessive-agency
213
+ Classifier: Development Status :: 4 - Beta
214
+ Classifier: Intended Audience :: Developers
215
+ Classifier: License :: OSI Approved :: Apache Software License
216
+ Classifier: Operating System :: OS Independent
217
+ Classifier: Programming Language :: Python :: 3
218
+ Classifier: Programming Language :: Python :: 3.10
219
+ Classifier: Programming Language :: Python :: 3.11
220
+ Classifier: Programming Language :: Python :: 3.12
221
+ Classifier: Programming Language :: Python :: 3.13
222
+ Classifier: Topic :: Security
223
+ Requires-Python: >=3.10
224
+ Description-Content-Type: text/markdown
225
+ License-File: LICENSE
226
+ Provides-Extra: multilang
227
+ Requires-Dist: tree-sitter==0.26.0; extra == "multilang"
228
+ Requires-Dist: tree-sitter-typescript==0.23.2; extra == "multilang"
229
+ Requires-Dist: tree-sitter-c-sharp==0.23.5; extra == "multilang"
230
+ Provides-Extra: dev
231
+ Requires-Dist: pytest>=7; extra == "dev"
232
+ Dynamic: license-file
233
+
234
+ <div align="center">
235
+
236
+ <img src="https://raw.githubusercontent.com/hermesshield/hermes-shield-scanner/main/docs/assets/banner.png" alt="Hermes Shield — Protect every action your agent takes" width="100%" />
237
+
238
+ # Hermes Shield Scanner
239
+
240
+ **The actions firewall for AI agents — map and prove what a hijacked agent can actually do.**
241
+
242
+ [![CI](https://github.com/hermesshield/hermes-shield-scanner/actions/workflows/ci.yml/badge.svg)](https://github.com/hermesshield/hermes-shield-scanner/actions/workflows/ci.yml)
243
+ [![Python 3.10–3.13](https://img.shields.io/badge/python-3.10%E2%80%933.13-blue)](pyproject.toml)
244
+ [![License: Apache-2.0](https://img.shields.io/badge/license-Apache--2.0-green)](LICENSE)
245
+ [![OWASP LLM06](https://img.shields.io/badge/OWASP%20LLM06-Excessive%20Agency-FA7D09)](https://genai.owasp.org/)
246
+ [![Runs 100% local](https://img.shields.io/badge/runs-100%25%20local-FF4301)](#-quickstart)
247
+
248
+ [**hermesshield.ai**](https://hermesshield.ai) · [Free scan](https://hermesshield.ai/free-scan) · [Methodology](https://hermesshield.ai/methodology) · [@hermesshield](https://x.com/hermesshield)
249
+
250
+ **Catches a real CVSS 9.8 CVE at the documented line · 12 frameworks / 361k+ stars audited · independently security-assessed, twice**
251
+
252
+ </div>
253
+
254
+ ---
255
+
256
+ > **Assume the model will fail. The dangerous action still must not execute.**
257
+
258
+ Every serious team now filters prompts. Almost nobody governs **actions**. But prompt filters stop *text* — a hijacked agent still *acts*: it runs shell commands, executes code, writes files, sends data out, calls tools. That is where the damage happens.
259
+
260
+ **Hermes Shield sits downstream of the injection.** The Scanner is step one: it maps every dangerous action your agent's code can take, traces each one back to a real entry point, and **proves** which are reachable by untrusted input with no guard in the way. Not a suspicious variable name. A traced path.
261
+
262
+ > **Every agent has a blast radius. See yours in one scan.**
263
+
264
+ ## `▸ the_problem`
265
+
266
+ The risk in AI systems has moved. It's no longer "the model said something bad" — it's **"the model did something unauthorised"**. OWASP calls it **LLM06: Excessive Agency**. One injected instruction, and your helpful agent is executing someone else's intent with *your* credentials, *your* filesystem, *your* network.
267
+
268
+ | | Prompt firewall | **Hermes Shield** |
269
+ |---|---|---|
270
+ | **Asks** | "Is this prompt malicious?" | **"What can this agent actually DO?"** |
271
+ | **Layer** | Input text | **Action execution** |
272
+ | **When injection succeeds** | Already bypassed | **Still standing — governs the act itself** |
273
+ | **Evidence** | Heuristic score | **Traced path from entry point to sink** |
274
+
275
+ > Prompt filters stop text. Agents need action control.
276
+
277
+ And no — this is not "just static analysis". It is **deterministic static analysis + an optional AI-assisted recall tier + proved reachability**: entrypoint-grounded taint tracing over the whole-repo call graph, so a finding isn't a guess about what *might* be dangerous — it's a demonstrated route from *your* entry points to a live sink.
278
+
279
+ ## `▸ see_it`
280
+
281
+ <div align="center">
282
+
283
+ <img src="https://raw.githubusercontent.com/hermesshield/hermes-shield-scanner/main/docs/assets/cli.png" alt="Hermes Shield Scanner running a live scan in the terminal" width="720" />
284
+
285
+ *The scan, live: sinks mapped, taint traced from real entry points, guards attributed — deterministic and fully local.*
286
+
287
+ <img src="https://raw.githubusercontent.com/hermesshield/hermes-shield-scanner/main/docs/assets/report.png" alt="The Hermes Shield customer report with its antivirus-style verdict banner" width="720" />
288
+
289
+ *The report: an antivirus-style verdict a non-technical reader gets in one glance, backed by evidence an auditor can verify line by line.*
290
+
291
+ </div>
292
+
293
+ ## `▸ quickstart`
294
+
295
+ ```bash
296
+ pip install hermes-shield-scanner
297
+
298
+ hermes-shield demo # a real red report in ~10 seconds
299
+ cd your-agent-repo
300
+ hermes-shield scan # scan your own agent
301
+ ```
302
+
303
+ Your report lands at **`./shield-report/outputs/shield_customer_report.html`** — open it in a browser.
304
+
305
+ Zero-install, straight from the toolchain:
306
+
307
+ ```bash
308
+ uvx hermes-shield-scanner scan .
309
+ ```
310
+
311
+ **Requirements:** Python 3.10+. The core scanner is **stdlib-only** — no runtime dependencies, nothing phones home, and the scan is **read-only**: it never writes to your code and, by default, never executes it. Reports land in *your* directory; everything runs on your machine. *(The one opt-in exception is `--prove` — below — which fires a benign canary inside a network-denied sandbox to promote a candidate to PROVEN-LIVE. Consent-gated, off by default, Linux + bubblewrap.)*
312
+
313
+ **Languages:** Python gets the **full engine** — sinks, taint, guards, reachability. TypeScript/JavaScript and C# are **sink-mapping only** (blast radius, no reachability verdict) via `pip install "hermes-shield-scanner[multilang]"`; `--semgrep` adds ~30-language breadth.
314
+
315
+ More modes, one command each:
316
+
317
+ ```bash
318
+ hermes-shield scan ./repo --semgrep # + semgrep comparator (multi-language breadth)
319
+ hermes-shield scan ./repo --ai # + AI-assist tier (novel-sink recall)
320
+ hermes-shield scan ./repo --all # core + semgrep + ai together
321
+ hermes-shield scan ./repo --deps # + scan the repo's own pinned dependencies
322
+ hermes-shield scan ./repo --prove # + sandboxed self-attack: PROVE a candidate sink is live (consent-gated)
323
+ hermes-shield diff ./repo # scan + compare against a saved baseline
324
+ ```
325
+
326
+ `hermes-shield demo` scans a bundled, deliberately vulnerable toy agent (shipped inert, never executed) and produces the full report — including a guaranteed worst-case verdict — so you see exactly what a red result looks like before you point it at anything real. (`demo --prove` is the consent-gated exception: it runs the fixture inside the sandbox to show a real PROVEN-LIVE result.)
327
+
328
+ > **CI note — the exit code is `0` regardless of findings.** A RED report does not fail the process; the scan writes its verdict to the report and the JSON, it does not signal via the exit status. To gate a pipeline on findings, parse `shield-report/outputs/hermes_shield_report.json` (e.g. check the verdict / reachable-unguarded / proven-live counts). A dedicated `--fail-on` flag is a planned future enhancement, not available today.
329
+
330
+ ## `▸ how_it_works` — Map → Trace → Prove
331
+
332
+ **1. Map.** A deterministic AST engine walks the whole repository and finds every dangerous action sink: shell execution, code execution, deserialisation, file writes, outbound network sends, LLM-chosen tool calls. Same input, same output, every run — an auditor can reproduce it.
333
+
334
+ **2. Trace.** It builds the whole-repo call graph and runs **entrypoint-grounded taint analysis**: does untrusted input — a web request, a document, a tool result, a model output — actually flow from a real entry point to that sink? Intra- and inter-procedural, across modules.
335
+
336
+ **3. Prove.** Every reachable sink is checked against the **guard quadrant** — reachable × guarded:
337
+
338
+ | | **Guarded** | **Unguarded** |
339
+ |---|---|---|
340
+ | **Reachable** | Rated, credit given for the guard | **`UNGUARDED_CRITICAL_LIVE_SINK`** — the worst verdict, reserved for this square alone |
341
+ | **Not reached** | Noted | Install-liability tier |
342
+
343
+ Only a sink that is **reachable AND unguarded** earns the critical verdict. A guard between entry point and sink is detected and credited — kill-switches, approval gates, untrusted-content fences, plus your own guard functions via a one-file `.hermes-shield.json` declaration (downgrade-only: a declared guard can lower a finding, its absence never hides one).
344
+
345
+ Findings are rated on the **OWASP LLM06** model — severity × likelihood, cross-referenced to **NIST 800-30** and **ISO 27005** — so the output slots straight into a real risk register.
346
+
347
+ **The optional tiers:**
348
+
349
+ - **`--ai`** — the recall booster. An LLM proposes *novel* sinks the static rules missed; every proposal is **AST-verified** before it's kept, and confirmed patterns become permanent static rules. **The scanner gets stricter over time.** AI findings live in a separate advisory tier — never counted in the deterministic headline. Uses your own local `claude` CLI; off by default.
350
+ - **`--semgrep`** — an isolated comparator tier (~30 languages) for breadth. Attributed separately, never merged into the core headline.
351
+ - **`--deps`** — the **install-inherited** scan. Fetches the repo's *own pinned* packages (wheels only — never installed, never executed) and scans them with the same engine. Catches the dangerous capability that lives in a dependency rather than your tree — what you inherit the moment you `pip install`. Off by default (it reaches the network).
352
+
353
+ ## `▸ the_report`
354
+
355
+ The report is built to be read by two people at once: the founder who needs a verdict, and the engineer who needs the evidence.
356
+
357
+ **The verdict banner** — antivirus-style, one glance:
358
+
359
+ - 🔴 **Action needed** — a proven-live or reachable-unguarded finding exists. Fix first.
360
+ - 🟠 **Review before you ship** — install-liability present: inert here, live on install.
361
+ - 🔵 **No live threat proven** — clean run. Deliberately *never* worded "secure".
362
+
363
+ **The two tiers** — because "exploitable now" and "inherited on install" are different risks, and honest tooling refuses to blur them:
364
+
365
+ | Tier | Meaning |
366
+ |---|---|
367
+ | **Reachable-in-repo** | Live **now**, from your own entry points, unguarded. Fix first. |
368
+ | **Install-liability** | **Inert here, live on install.** A dangerous capability not reached from this repo's entry points — but the moment someone wires this code into an agent that feeds it untrusted input, they inherit it. You downloaded it; you inherited the risk. |
369
+
370
+ **PROVEN-LIVE** is the strictest tier of all: PoC-confirmed findings — either human-traced, or proved by the opt-in **`--prove`** lane, which fires a benign, unguessable canary at a candidate sink inside a network-denied sandbox (with a clean negative control) and only promotes it if the attack actually lands. It is the only tier that ever gets a severity badge, and promotion is one-way: a failed proof leaves a finding a *candidate*, never marks it safe. Raw scanner criticals are candidates — counted, never badged. If the proven-live set is empty, the report says so, plainly.
371
+
372
+ And the line we will never soften: **a clean result means "no path was proven" — never "secure".** Reachability analysis proves a sink *is* reachable; it cannot prove one *is not*. Most tools hide that asymmetry. We print it on the report, because a security tool that overstates its own certainty is part of the attack surface.
373
+
374
+ > **PROVE, DON'T GUESS.**
375
+
376
+ ## `▸ prove_dont_guess` — proof it's real
377
+
378
+ - **It catches a real 9.8.** [CVE-2023-39662](https://nvd.nist.gov/vuln/detail/CVE-2023-39662) — the CVSS 9.8 remote-code-execution flaw in LlamaIndex's `PandasQueryEngine` — is flagged by the scanner **at the exact documented line, on the genuinely vulnerable release** (`llama-index` v0.7.13; patched upstream since). A detector proof against a third-party-documented CVE — not a benchmark we wrote for ourselves, and not a claim about current LlamaIndex.
379
+ - **12 open-source agent frameworks audited** — over **361,000 combined GitHub stars**, every repo pinned to a commit — mapping **8,509 action surfaces**: **474 proved reachable** from a real entry point by entrypoint-grounded taint tracing, and **520 install-liability capabilities** you'd inherit the moment you install (the two are distinct risks, counted separately). The per-framework counts and pinned commits are in **[BENCHMARKS.md](BENCHMARKS.md)**.
380
+ - **Independently security-assessed — twice.** A third-party firm assessed the scanner, then re-assessed the fixed build: the latest assessment confirmed **0 critical and 0 high** findings in the shipped deterministic core, and **every** finding it raised, at any severity, was remediated in the next release and locked in with the auditor's own regression tests. The tool that grades your attack surface has had its own graded — and published the loop.
381
+ - **Deterministic where it counts.** The core engine is reproducible byte-for-byte — an auditor can re-run the scan and get the same numbers. The honest caveats above aren't hedges; they're the reason the numbers can be trusted.
382
+
383
+ ## `▸ the_ladder` — find it free · fix it · shield it
384
+
385
+ | | Product | What it does | Status |
386
+ |---|---|---|---|
387
+ | 🔍 | **Scanner** | **Discovery** — map, trace and prove your agent's action surface. This repo. | **Free · here now** |
388
+ | 🔧 | **Repairer** | Applies the fixes — diff-proposed, **human-approved, never auto-fix**, re-scanned to confirm. | **Paid · coming — [join early access](https://hermesshield.ai/register-interest)** |
389
+ | 🛡️ | **Shield** | Always-on runtime action firewall — **Kill Switch, Action Gates, Audit Trail** on every action the agent takes. | **Paid · private beta** |
390
+ | 🏛️ | **Enterprise** | Custom deployment, compliance mapping, dedicated support. | [Talk to us](mailto:hello@hermesshield.ai) |
391
+
392
+ The Scanner shows you the blast radius. The Repairer closes it. The Shield keeps it closed while the agent runs.
393
+
394
+ ## `▸ contributing`
395
+
396
+ Found a bug or a sink we missed? **Open an issue** — a missed-detection report with a minimal repro is the most valuable thing you can send us. Vulnerabilities in the scanner itself go to [SECURITY.md](SECURITY.md), privately. And if a scan taught you something about your own agent, **star the repo** — it helps other builders find their blast radius too.
397
+
398
+ ## `▸ links`
399
+
400
+ - **Website:** [hermesshield.ai](https://hermesshield.ai) · [Free scan](https://hermesshield.ai/free-scan) · [Methodology](https://hermesshield.ai/methodology) · [Scanner](https://hermesshield.ai/scanner)
401
+ - **X:** [@hermesshield](https://x.com/hermesshield) (company) · [@harleyfoote_](https://x.com/harleyfoote_) (founder) · [@fridayresearch_](https://x.com/fridayresearch_)
402
+ - **LinkedIn:** [Hermes Shield](https://www.linkedin.com/company/hermes-shield)
403
+ - **Email:** [hello@hermesshield.ai](mailto:hello@hermesshield.ai)
404
+
405
+ Deeper reading in this repo: [ARCHITECTURE.md](ARCHITECTURE.md) (full design + honest limitation list) · [FOR_AUDITORS.md](FOR_AUDITORS.md) · [CHANGELOG.md](CHANGELOG.md) · [SECURITY.md](SECURITY.md) (vulnerability disclosure).
406
+
407
+ ---
408
+
409
+ <div align="center">
410
+
411
+ **Hermes Shield** · built where the agents run.
412
+
413
+ Licensed under [Apache-2.0](LICENSE) · Report a vulnerability via [SECURITY.md](SECURITY.md)
414
+
415
+ *Local. Read-only. Yours.*
416
+
417
+ </div>