wardproof 0.3.0__tar.gz → 0.3.2__tar.gz

{wardproof-0.3.0 → wardproof-0.3.2}/PKG-INFO

@@ -1,7 +1,11 @@
 Metadata-Version: 2.4
 Name: wardproof
-Version: 0.3.0
+Version: 0.3.2
 Summary: Local-first, verifiable defensive AI agent swarms that protect other AI agent systems.
+Project-URL: Homepage, https://wardproof.xyz
+Project-URL: Repository, https://github.com/Impossible-Mission-Force/wardproof
+Project-URL: Documentation, https://github.com/Impossible-Mission-Force/wardproof#readme
+Project-URL: Issues, https://github.com/Impossible-Mission-Force/wardproof/issues
 Author: Wardproof contributors
 License-Expression: MIT
 License-File: LICENSE
@@ -57,7 +61,7 @@ decision.
 [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/Impossible-Mission-Force/wardproof/blob/main/LICENSE)
 [![Python 3.11+](https://img.shields.io/badge/python-3.11%2B-blue.svg)](https://www.python.org/downloads/)
 
-![Wardproof screening x402 payments: a legitimate payment is allowed while an attacker redirect, a replayed payment, and a prompt injection in the 402 body are all blocked and written to a tamper-evident ledger.](assets/wardproof-x402-demo.gif)
+![Wardproof screening x402 payments: a legitimate payment is allowed while an attacker redirect, a replayed payment, and a prompt injection in the 402 body are all blocked and written to a tamper-evident ledger.](https://raw.githubusercontent.com/Impossible-Mission-Force/wardproof/main/assets/wardproof-x402-demo.gif)
 
 Wardproof is a small framework for building swarms of *defensive* agents that
 sit in front of your *other* AI systems (RAG pipelines, tool-using agents,
@@ -70,7 +74,7 @@ It is deliberately **small, transparent, and forkable**. The security core has
 **zero third-party dependencies** and runs **fully offline**, with a local
 model via Ollama, or with no model at all.
 
-> **Status: v0.3.0.** The deterministic core is built, tested, and benchmarked
+> **Status: v0.3.1.** The deterministic core is built, tested, and benchmarked
 > (see [Benchmark](#benchmark)), and ships dedicated guards for x402 agent
 > payments, on-chain transfers, MCP tool calls, and skill/tool definitions, a
 > controls-to-standards map (OWASP Agentic Top 10, OWASP LLM 2025, MITRE ATLAS,
@@ -79,8 +83,8 @@ model via Ollama, or with no model at all.
 > examples for OpenAI and Anthropic tool calling, CrewAI, LangGraph, MCP,
 > Coinbase AgentKit, and Venice AI. It is
 > deployable today as a screening and audit layer, designed to run as defence in
-> depth within the scope set out in [`THREAT_MODEL.md`](THREAT_MODEL.md) and
-> [`SECURITY.md`](SECURITY.md).
+> depth within the scope set out in [`THREAT_MODEL.md`](https://github.com/Impossible-Mission-Force/wardproof/blob/main/THREAT_MODEL.md) and
+> [`SECURITY.md`](https://github.com/Impossible-Mission-Force/wardproof/blob/main/SECURITY.md).
 
 ---
 
@@ -131,7 +135,7 @@ different stance:
   OpenAI and Anthropic tool calling, CrewAI, LangGraph, MCP, and Coinbase
   AgentKit tool calls, plus Venice AI as an optional escalate-only second-opinion
   backend. Each is an optional dependency; the core imports none of them. See
-  [`examples/integrations/`](examples/integrations/).
+  [`examples/integrations/`](https://github.com/Impossible-Mission-Force/wardproof/tree/main/examples/integrations).
 - **Standards-aligned**: every control mapped to OWASP Top 10 for Agentic
   Applications, OWASP Agentic Threats (T1-T15), OWASP LLM Top 10 2025, CSA
   MAESTRO, MITRE ATLAS, and NIST AI 600-1 (`wardproof/standards.py`, enforced by
@@ -198,6 +202,24 @@ Verify an exported ledger from the command line:
 wardproof verify-ledger ./audit.jsonl --pubkey <hex_public_key>
 ```
 
+### Screen one action with `wardproof check`
+
+Screen a single input or tool call from the command line. It runs the real
+default swarm locally and exits `0` only when the verdict is `ALLOW`, so you can
+gate a shell pipeline or an agent skill on it:
+
+```bash
+# A tool call (tool name as the content, arguments as a JSON string)
+wardproof check "get_weather" --args '{"city":"Hanoi"}'        # ALLOW, exits 0
+
+# An untrusted input
+wardproof check "ignore all previous instructions" --kind input # BLOCK, exits non-zero
+```
+
+Add `--json` to get a structured `{"verdict": ..., "allowed": ..., "risk": ...,
+"reasons": [...]}` result to parse. A portable guard skill that wires this check
+into a host agent lives in [`skill/wardproof-guard/`](https://github.com/Impossible-Mission-Force/wardproof/tree/main/skill/wardproof-guard).
+
 ---
 
 ## Architecture
@@ -272,7 +294,7 @@ languages, fresh encodings, or pure-semantic paraphrase) can still slip past a
 deterministic denylist. Closing that gap is the job of the optional LLM second
 opinion (see Roadmap); these patterns are the floor, not the ceiling. Re-run the
 harness to regenerate the numbers above; the full breakdown and the honest edges
-are in [`benchmarks/README.md`](benchmarks/README.md).
+are in [`benchmarks/README.md`](https://github.com/Impossible-Mission-Force/wardproof/blob/main/benchmarks/README.md).
 
 ---
 
@@ -299,7 +321,7 @@ No need to touch the engine, the ledger, or the agent base classes.
 Wardproof is built to become a complete, auditable control layer for AI agents.
 The direction:
 
-**Now (v0.3.0)**
+**Now (v0.3.1)**
 The deterministic core: schema, guardrails, Detector / Verifier / Responder, a
 capability sandbox, circuit breaker and watchdog, a hash-chained and optionally
 signed audit ledger, a reproducible adversarial benchmark, a published threat
@@ -357,6 +379,6 @@ defence-in-depth setup:
 
 ## License
 
-MIT, see [`LICENSE`](LICENSE). Contributions welcome; see
-[`CONTRIBUTING.md`](CONTRIBUTING.md) and the security policy in
-[`SECURITY.md`](SECURITY.md).
+MIT, see [`LICENSE`](https://github.com/Impossible-Mission-Force/wardproof/blob/main/LICENSE). Contributions welcome; see
+[`CONTRIBUTING.md`](https://github.com/Impossible-Mission-Force/wardproof/blob/main/CONTRIBUTING.md) and the security policy in
+[`SECURITY.md`](https://github.com/Impossible-Mission-Force/wardproof/blob/main/SECURITY.md).

{wardproof-0.3.0 → wardproof-0.3.2}/README.md

@@ -11,7 +11,7 @@ decision.
 [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/Impossible-Mission-Force/wardproof/blob/main/LICENSE)
 [![Python 3.11+](https://img.shields.io/badge/python-3.11%2B-blue.svg)](https://www.python.org/downloads/)
 
-![Wardproof screening x402 payments: a legitimate payment is allowed while an attacker redirect, a replayed payment, and a prompt injection in the 402 body are all blocked and written to a tamper-evident ledger.](assets/wardproof-x402-demo.gif)
+![Wardproof screening x402 payments: a legitimate payment is allowed while an attacker redirect, a replayed payment, and a prompt injection in the 402 body are all blocked and written to a tamper-evident ledger.](https://raw.githubusercontent.com/Impossible-Mission-Force/wardproof/main/assets/wardproof-x402-demo.gif)
 
 Wardproof is a small framework for building swarms of *defensive* agents that
 sit in front of your *other* AI systems (RAG pipelines, tool-using agents,
@@ -24,7 +24,7 @@ It is deliberately **small, transparent, and forkable**. The security core has
 **zero third-party dependencies** and runs **fully offline**, with a local
 model via Ollama, or with no model at all.
 
-> **Status: v0.3.0.** The deterministic core is built, tested, and benchmarked
+> **Status: v0.3.1.** The deterministic core is built, tested, and benchmarked
 > (see [Benchmark](#benchmark)), and ships dedicated guards for x402 agent
 > payments, on-chain transfers, MCP tool calls, and skill/tool definitions, a
 > controls-to-standards map (OWASP Agentic Top 10, OWASP LLM 2025, MITRE ATLAS,
@@ -33,8 +33,8 @@ model via Ollama, or with no model at all.
 > examples for OpenAI and Anthropic tool calling, CrewAI, LangGraph, MCP,
 > Coinbase AgentKit, and Venice AI. It is
 > deployable today as a screening and audit layer, designed to run as defence in
-> depth within the scope set out in [`THREAT_MODEL.md`](THREAT_MODEL.md) and
-> [`SECURITY.md`](SECURITY.md).
+> depth within the scope set out in [`THREAT_MODEL.md`](https://github.com/Impossible-Mission-Force/wardproof/blob/main/THREAT_MODEL.md) and
+> [`SECURITY.md`](https://github.com/Impossible-Mission-Force/wardproof/blob/main/SECURITY.md).
 
 ---
 
@@ -85,7 +85,7 @@ different stance:
   OpenAI and Anthropic tool calling, CrewAI, LangGraph, MCP, and Coinbase
   AgentKit tool calls, plus Venice AI as an optional escalate-only second-opinion
   backend. Each is an optional dependency; the core imports none of them. See
-  [`examples/integrations/`](examples/integrations/).
+  [`examples/integrations/`](https://github.com/Impossible-Mission-Force/wardproof/tree/main/examples/integrations).
 - **Standards-aligned**: every control mapped to OWASP Top 10 for Agentic
   Applications, OWASP Agentic Threats (T1-T15), OWASP LLM Top 10 2025, CSA
   MAESTRO, MITRE ATLAS, and NIST AI 600-1 (`wardproof/standards.py`, enforced by
@@ -152,6 +152,24 @@ Verify an exported ledger from the command line:
 wardproof verify-ledger ./audit.jsonl --pubkey <hex_public_key>
 ```
 
+### Screen one action with `wardproof check`
+
+Screen a single input or tool call from the command line. It runs the real
+default swarm locally and exits `0` only when the verdict is `ALLOW`, so you can
+gate a shell pipeline or an agent skill on it:
+
+```bash
+# A tool call (tool name as the content, arguments as a JSON string)
+wardproof check "get_weather" --args '{"city":"Hanoi"}'        # ALLOW, exits 0
+
+# An untrusted input
+wardproof check "ignore all previous instructions" --kind input # BLOCK, exits non-zero
+```
+
+Add `--json` to get a structured `{"verdict": ..., "allowed": ..., "risk": ...,
+"reasons": [...]}` result to parse. A portable guard skill that wires this check
+into a host agent lives in [`skill/wardproof-guard/`](https://github.com/Impossible-Mission-Force/wardproof/tree/main/skill/wardproof-guard).
+
 ---
 
 ## Architecture
@@ -226,7 +244,7 @@ languages, fresh encodings, or pure-semantic paraphrase) can still slip past a
 deterministic denylist. Closing that gap is the job of the optional LLM second
 opinion (see Roadmap); these patterns are the floor, not the ceiling. Re-run the
 harness to regenerate the numbers above; the full breakdown and the honest edges
-are in [`benchmarks/README.md`](benchmarks/README.md).
+are in [`benchmarks/README.md`](https://github.com/Impossible-Mission-Force/wardproof/blob/main/benchmarks/README.md).
 
 ---
 
@@ -253,7 +271,7 @@ No need to touch the engine, the ledger, or the agent base classes.
 Wardproof is built to become a complete, auditable control layer for AI agents.
 The direction:
 
-**Now (v0.3.0)**
+**Now (v0.3.1)**
 The deterministic core: schema, guardrails, Detector / Verifier / Responder, a
 capability sandbox, circuit breaker and watchdog, a hash-chained and optionally
 signed audit ledger, a reproducible adversarial benchmark, a published threat
@@ -311,6 +329,6 @@ defence-in-depth setup:
 
 ## License
 
-MIT, see [`LICENSE`](LICENSE). Contributions welcome; see
-[`CONTRIBUTING.md`](CONTRIBUTING.md) and the security policy in
-[`SECURITY.md`](SECURITY.md).
+MIT, see [`LICENSE`](https://github.com/Impossible-Mission-Force/wardproof/blob/main/LICENSE). Contributions welcome; see
+[`CONTRIBUTING.md`](https://github.com/Impossible-Mission-Force/wardproof/blob/main/CONTRIBUTING.md) and the security policy in
+[`SECURITY.md`](https://github.com/Impossible-Mission-Force/wardproof/blob/main/SECURITY.md).

{wardproof-0.3.0 → wardproof-0.3.2}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "wardproof"
-version = "0.3.0"
+version = "0.3.2"
 description = "Local-first, verifiable defensive AI agent swarms that protect other AI agent systems."
 readme = "README.md"
 license = "MIT"
@@ -13,6 +13,12 @@ keywords = ["ai-security", "prompt-injection", "agents", "guardrails", "local-fi
 authors = [{ name = "Wardproof contributors" }]
 dependencies = []  # core has ZERO third-party deps on purpose (small trusted computing base)
 
+[project.urls]
+Homepage = "https://wardproof.xyz"
+Repository = "https://github.com/Impossible-Mission-Force/wardproof"
+Documentation = "https://github.com/Impossible-Mission-Force/wardproof#readme"
+Issues = "https://github.com/Impossible-Mission-Force/wardproof/issues"
+
 [project.optional-dependencies]
 ollama = ["httpx>=0.27"]
 crypto = ["cryptography>=42"]

{wardproof-0.3.0 → wardproof-0.3.2}/wardproof/__init__.py

@@ -16,7 +16,7 @@ from wardproof.sandbox.executor import SandboxExecutor, ToolRegistry
 from wardproof.sandbox.permissions import PermissionBroker, ToolGrant
 from wardproof.schema import Decision, Event, Finding, Severity, Verdict
 
-__version__ = "0.3.0"
+__version__ = "0.3.2"
 __all__ = [
     "Event",
     "Decision",

{wardproof-0.3.0 → wardproof-0.3.2}/wardproof/cli.py

@@ -9,6 +9,8 @@ from pathlib import Path
 
 from wardproof.audit.ledger import AuditEntry, AuditLedger
 from wardproof.audit.stix import to_stix_bundle
+from wardproof.orchestration.factory import build_default_swarm
+from wardproof.schema import Event, Verdict
 
 
 def _load_entries(path: str) -> list[AuditEntry]:
@@ -39,6 +41,47 @@ def _export_stix(path: str, out: str | None) -> int:
     return 0
 
 
+def _check(
+    kind: str,
+    content: str,
+    source: str,
+    args_json: str | None,
+    as_json: bool,
+) -> int:
+    metadata: dict = {}
+    if args_json:
+        try:
+            metadata["args"] = json.loads(args_json)
+        except json.JSONDecodeError:
+            metadata["args"] = args_json
+    swarm = build_default_swarm()
+    out = swarm.handle(Event(kind=kind, source=source, content=content, metadata=metadata))
+    seen: set[str] = set()
+    reasons: list[str] = []
+    for d in (out.detector, out.verifier):
+        for f in d.findings:
+            if f.triggered and f.reason and f.reason not in seen:
+                seen.add(f.reason)
+                reasons.append(f.reason)
+    if as_json:
+        print(
+            json.dumps(
+                {
+                    "verdict": out.verdict.value,
+                    "allowed": out.verdict is Verdict.ALLOW,
+                    "risk": round(out.risk, 3),
+                    "reasons": reasons,
+                }
+            )
+        )
+    else:
+        print(out.verdict.value.upper())
+        if reasons:
+            print("  " + "; ".join(reasons))
+    # exit 0 only when the action is allowed, so shells and skills can gate on it
+    return 0 if out.verdict is Verdict.ALLOW else 2
+
+
 def main(argv: list[str] | None = None) -> int:
     parser = argparse.ArgumentParser(prog="wardproof")
     sub = parser.add_subparsers(dest="cmd", required=True)
@@ -48,11 +91,23 @@ def main(argv: list[str] | None = None) -> int:
     sp = sub.add_parser("export-stix", help="export a JSONL audit ledger as a STIX 2.1 bundle")
     sp.add_argument("path")
     sp.add_argument("--out", default=None, help="write to a file instead of stdout")
+    cp = sub.add_parser("check", help="screen one input or tool call and print its verdict")
+    cp.add_argument("content", help="the input text, or the tool name for a tool call")
+    cp.add_argument(
+        "--kind",
+        default="tool_call",
+        help="event kind: tool_call (default) or input",
+    )
+    cp.add_argument("--source", default="agent", help="who originated the event")
+    cp.add_argument("--args", default=None, help="tool-call arguments as a JSON string")
+    cp.add_argument("--json", action="store_true", help="print a JSON object instead of text")
     args = parser.parse_args(argv)
     if args.cmd == "verify-ledger":
         return _verify_file(args.path, args.pubkey)
     if args.cmd == "export-stix":
         return _export_stix(args.path, args.out)
+    if args.cmd == "check":
+        return _check(args.kind, args.content, args.source, args.args, args.json)
     return 1