# Changelog All notable changes to Agent Shield will be documented in this file. This project follows [Semantic Versioning](https://semver.org/). ## [14.2.2] - 2026-05-11 ### Python SDK Pattern Parity (179 → 330 patterns, 18 → 51 categories) The Python SDK now has full pattern parity with the canonical Node.js detector. AI/ML world is Python-first; this closes the largest single adoption gap. - Added 151 patterns ported from `src/detector-core.js` - New Python category coverage: cicd_injection, credential_exfiltration, mcp_sampling_injection, llm_router_tampering, mcp_command_injection, code_execution_sink, cross_agent_injection, indirect_injection, policy_puppetry, path_traversal, config_poisoning, mcp_sampling_abuse, resource_exhaustion, covert_tool_invocation, semantic_chaining, autonomous_jailbreak, multi_turn_grooming, context_corruption, multimodal_injection, symbolic_injection, budget_drain, localhost_exposure, judge_bypass, encoding_evasion, url_prefill_injection, cross_client_leak, log_to_leak, tool_poisoning, reconnaissance, schema_poisoning, supply_chain, ssrf, query_injection - Bumped Python package version: `agentshield` 7.2.1 → 14.2.2 - All v14.1 + v14.2 attack patterns verified working in Python (10/10 manual attack tests pass) - All 47 existing Python unit tests still pass - Test assertion updated from hardcoded count to dynamic lower-bound (≥300 patterns, ≥50 categories) ## [14.2.0] - 2026-05-11 ### May 2026 Threat Response + Performance + DX Response to threats disclosed between April 25 and May 11, 2026. #### New Detection Patterns (4 patterns, 303 → 307) - **TrustFall malicious project files** (2 patterns) — Adversa AI disclosed May 2026: malicious `.claude/`, `.cursor/`, `.windsurf/` config files with auto-execution hooks (`preCommand`, `onStart`, etc.) trigger one-keypress compromise of AI coding agents and exfiltrate CI env vars - **Semantic Kernel RCE** — Microsoft Semantic Kernel (CVE-2026-25592 / CVE-2026-26030, disclosed May 7) allows prompt injection to invoke arbitrary kernel functions and achieve RCE on the host process - **WebSocket cross-origin hijacking** — CVE-2026-44211 (Cline Kanban) and CVE-2026-32173 (Azure SRE Agent CVSS 8.6): WebSockets without origin validation let attackers inject prompts into running agent terminals #### CVE Registry Expansion (33 → 44 CVEs) - CVE-2026-25592 / CVE-2026-26030: Microsoft Semantic Kernel RCE (May 7) - CVE-2026-42302: FastGPT agent-sandbox unauth RCE (CVSS 9.8, May 8) - CVE-2026-44284: FastGPT MCP SSRF - CVE-2026-42344: FastGPT DNS rebinding bypass - CVE-2026-44211: Cline Kanban WebSocket Hijacking - CVE-2026-32173: Azure SRE Agent unauth WebSocket (CVSS 8.6) - CVE-2026-44400-403: 4× CrewAI Code Interpreter chain RCE/SSRF/file-read #### Performance: LRU Cache (151x speedup on warm cache) - Added 1000-entry LRU cache to `scanText()` keyed on `(source, sensitivity, text)` - Cached scans complete in ~1μs vs ~190μs cold (151x speedup on short malicious inputs, 90x on benign) - Eliminates duplicate work in RAG pipelines, batch processors, and middleware retry loops - Inputs >2048 chars bypass the cache to avoid memory bloat - Opt-out via `scanText(text, { useCache: false })` - Result object includes `fromCache: true` when served from cache #### Developer Experience - New examples for the platforms developers actually deploy to in 2026: - `examples/cloudflare-workers-ai.js` — Workers AI guardrail with input + output scanning - `examples/nextjs-edge-middleware.js` — Next.js Edge middleware for `/api/chat/*` and `/api/agent/*` routes - `examples/vercel-ai-sdk-guardrail.js` — Vercel AI SDK streaming chat guardrail - All examples are self-contained and ready to copy-paste into a real app #### Test Coverage - New `test/test-v14.2-patterns.js` — 32 assertions covering LRU cache correctness, all 4 new patterns, all 11 new CVE entries, and 6 false-positive regression samples - Total project assertions: ~3,200+ across all suites; v14.2 specific: 32 #### Known Limitations Documented - Rust NAPI native scanner (`src/native-scanner.js`) is loaded but NOT wired into the JS hot path. Investigation revealed the Rust core has only 141 patterns vs JS's 307, so wiring it in blindly would silently lose 166 patterns of coverage. Use of the native scanner is gated on a future pattern-sync effort. ## [14.1.0] - 2026-04-24 ### April 2026 Threat Response — Comment-and-Control, MCP CVE Wave, OAuth Supply Chain Rapid security update responding to this week's active attacks: Vercel/Context.ai OAuth supply chain breach, "Comment and Control" zero-click credential theft from AI coding agents, 7 new MCP CVEs, Unit 42 MCP sampling attacks, and malicious LLM API routers. #### New Detection Patterns (13 patterns, 290 → 303) - **CI/CD Agent Injection** (`cicd_injection`) — detects prompt injection targeting AI coding agents via PR titles, issue comments, and review comments. Defends against the "Comment and Control" attack (April 2026) that exfiltrated credentials from Claude Code, Gemini CLI, and GitHub Copilot - **Credential Exfiltration** (`credential_exfiltration`) — detects `/proc/[pid]/environ` reads (Copilot bypass technique), API key patterns in agent output (OPENAI_API_KEY, ANTHROPIC_API_KEY, etc.), and OAuth/bearer token exfiltration with provider-specific prefixes (ya29, ghp_, sk-, xox-, AKIA) - **OAuth Flow Manipulation** (`credential_exfiltration`) — detects grant_type/redirect_uri/client_secret manipulation targeting token theft, inspired by the Vercel/Context.ai supply chain breach - **MCP Sampling Injection** (`mcp_sampling_injection`) — detects hidden instructions injected via MCP sampling/createMessage requests (Unit 42 research, April 2026) - **LLM Router Tampering** (`llm_router_tampering`) — detects OPENAI_BASE_URL/ANTHROPIC_BASE_URL overrides pointing to untrusted endpoints (arXiv 2604.08407: 9 of 28 paid routers actively malicious) - **MCP STDIO Command Injection** (`mcp_command_injection`) — detects `npx -c` command injection via MCP STDIO transport (CVE-2026-30623, 200K+ servers affected) #### CVE Registry Update (26 → 33 CVEs) - CVE-2026-40933: Flowise MCP Adapters RCE (CVSS 9.9) - CVE-2026-41264: Flowise CSV Agent prompt injection to RCE - CVE-2026-33626: LMDeploy SSRF (exploited within 12 hours of disclosure) - CVE-2026-33032: nginx-ui MCP auth bypass (CVSS 9.8, actively exploited) - CVE-2026-20205: Splunk MCP Server cleartext token logging (CVSS 7.2) - CVE-2026-33946: MCP Ruby SDK session fixation - CVE-2026-5603: magento2-dev-mcp command injection #### MCPGuard Security Hardening - **Tool name squatting detection** — `registerServer()` now detects and warns when a new MCP server registers a tool name already owned by another server (MCPShield arXiv:2604.05969 "Server Spoofing" vector) - **Context flooding defense** — `interceptToolOutput()` flags tool outputs exceeding `maxToolOutputSize` (default 100KB) to prevent context window exhaustion attacks - **Recursive tool invocation depth limit** — blocks tool call chains exceeding `maxCallDepth` (default 5) to prevent reentrancy attacks and unbounded recursive loops #### Supply Chain Scanner Enhancements - **Consent phishing detection** — flags tools whose description implies read-only but whose schema contains write/network parameters (OWASP ASI09 Human-Agent Trust Exploitation) #### Integration Updates - `shieldGoogleADKJS()` — new wrapper for Google ADK TypeScript/JavaScript SDK (GA April 2026) - GPT-5.5 model risk profile added to MCP Guard (critical susceptibility, elevated sandbox escape surface) #### Test Coverage Expansion (+416 assertions) - `test-v14.1-patterns.js` — 61 assertions: all 5 new categories, 12 FP guards, ADK-JS integration, CVE registry - `test-pattern-categories.js` — 66 assertions: detection test for every 51 pattern categories + 15 benign guards - `test-supply-chain-cves.js` — 228 assertions: all 33 CVEs, 9 blocklist entries, injection/SSRF/poisoning patterns, consent phishing, SARIF/Markdown output - Total new assertions this release: 355 ## [14.0.0] - 2026-04-16 ### Major Release — Platform Parity + Framework Integrations Agent Shield v14 closes the gap with Microsoft's Agent Governance Toolkit while maintaining our zero-dependency, local-first architecture. #### OpenAI Agents SDK Integration (April 2026 Release) - `shieldOpenAIAgent()` — drop-in guardrails for `@openai/agents` (Node) and `openai-agents` (Python) - Input, output, and tool guardrails that work with the SDK's native Guardrail primitive - Handles all OpenAI SDK input shapes: string, message array, content parts - Node: 34 integration tests. Python: 15 integration tests. - Example at `examples/openai-agents-sdk.js` #### Framework Parity (CrewAI, Google ADK, MS Agent Framework) - `shieldCrewAI()` — task-level input/output scanning for CrewAI workflows - `shieldGoogleADK()` — tool call, tool result, and generation prompt scanning for Google ADK - `shieldMSAgentFramework()` — async middleware for Microsoft Agent Framework pipeline - 36 integration tests across all three frameworks #### Rust Core NAPI Binding - Native Rust scanner bridge (`src/native-scanner.js`) loads compiled NAPI module when available - Falls back silently to pure-JS scanner when not compiled - Build: `cd rust-core && cargo build --release --features node` - `scanText`, `scanBatch`, `getPatterns` exposed via NAPI-RS #### Python + Go SDK Pattern Sync - Python SDK: 141 → 179 patterns (+38), 10 new categories - Go SDK: 141 → 179 patterns (+38), 10 new categories - All v13.4-v13.6 patterns ported: XSS, SVG, encoding chain, steganographic, mcp.json, offensive agent, cloud IAM, structured data, memory poisoning, prompt extraction #### Plugin VM Sandbox + Signature Verification - `IsolatedPluginSandbox` — real `vm` module isolation, not just error catching - Plugins cannot access `process`, `fs`, `net`, `child_process`, `require` - Preemptive timeout via `vm.Script` (kills infinite loops) - Prototype pollution contained (realm-isolated built-ins) - `PluginVerifier` with HMAC-SHA256 signature validation - `PluginManifest` schema validation with capability declarations - 58 sandbox tests passing #### Performance - Long benign fast path: 15.7ms → 112μs p99 (140x faster) via attack-indicator prefilter - Honest latency benchmark at `benchmark/latency-honest.js` with p50/p95/p99/p99.9 - ReDoS audit: 0 risky patterns across all detectors (all <0.4ms worst case) - Pattern quality audit: 120 active / 177 defensive patterns, 0 false positives #### Security Hardening - Express middleware: 1MB default body-size limit - Multi-tenant: `tenantVerifier` + `strictAuth` options, `withAuth()` helper - Microsoft Agent Governance Toolkit parity audit at `research/ms-agent-toolkit-parity.md` #### Developer Experience - `GETTING_STARTED.md` — 5-minute path from install to protected agent - All framework examples in one place: Anthropic, OpenAI, OpenAI Agents SDK, LangChain, Express, MCP, CrewAI, Google ADK, MS Agent Framework ## [13.6.0] - 2026-04-16 ### Performance Leap + Security Hardening Path A polish pass — close security scan gaps, honest performance work, real audits. #### Performance - **Fast path for long clean text**: 15.7ms p99 → **112μs p99** on 5KB benign documents. 140x speedup. - Added `PRIMARY_ATTACK_INDICATORS` prefilter — a single cheap regex matching only attack-specific phrases (not common English like "eval" or "token"). - If text is long, contains no attack phrases, no non-ASCII, and no obfuscation chars → skip the full pattern + normalization pipeline. - Zero recall loss: full red team (617 attacks) still 100%, shield score still 100/100. - **Honest latency benchmark** (`benchmark/latency-honest.js`): real p50/p95/p99/p99.9/max numbers instead of averages. - Best-case p99: 112μs - Mean p99: 1.18ms - Worst-case p99: 3.62ms (long malicious — full pattern set runs) - Microsoft Agent Governance Toolkit claims <0.1ms p99. We're 36.2x that in worst case, faster on short inputs. #### Security - **Plugin VM sandbox** (`IsolatedPluginSandbox`): real isolation using Node `vm` module. - Blocks `process`, `require` (whitelisted only), `fs`/`net`/`http`/`child_process`, `new Function()`. - Prototype pollution contained — each sandbox has realm-isolated built-ins. - Preemptive timeout via `vm.Script` (kills infinite loops). - HMAC-SHA256 plugin signing + `PluginVerifier` + `PluginManifest` schema validation. - 58 new tests covering sandbox escape attempts, signature verification, manifest validation. - **Express middleware body-size limits**: `options.maxBodySize` (1MB default) with raw-stream enforcement. - **Multi-tenant auth validation**: `options.tenantVerifier` + `options.strictAuth` + `withAuth()` helper. #### Quality & Parity - **ReDoS audit**: every pattern tested against adversarial inputs. **0 risky patterns** — worst case 0.4ms per pattern evaluation. - **Pattern quality audit**: 120 active patterns doing the work, 177 dead patterns (defensive, never false-positive on benchmark corpus). - Python SDK (282 patterns) and Go SDK (141 patterns) pattern-sync deferred to v14. ## [13.5.0] - 2026-04-16 ### Detection Hardening + Security Scan Remediation Tightens existing defenses based on Unit 42 real-world attack research and addresses findings from the Agent Shield security scan. #### Detector Core — 11 New Patterns (3 categories) - **Encoding chain detection** (3 patterns) — Detects multi-layer encoding (base64 inside unicode inside URL encoding). Addresses evasion technique that bypasses single-layer decoders. - **SVG-based injection** (4 patterns) — Detects hidden prompts in SVG elements, foreignObject, hidden text, and desc tags. Addresses Unit 42 finding of real-world attacks using SVG encapsulation with 24 layered injection attempts. - **Structured data injection** (4 patterns) — Detects hidden instructions in JSON metadata fields, XML CDATA sections, YAML/CSV comments, and comment syntax across formats. #### Cross-Turn Detector — Crescendo Attack Defense - 5 new escalation signal patterns for crescendo attacks: hypothetical framing, imaginary scenarios, permission boundary softening, false-prior-interaction claims, similarity-based escalation. - New crescendo-specific detection: flags conversations that start with hypothetical/theoretical framing and drift toward sensitive/dangerous topics over multiple turns. #### MemoryGuard — Persistent Memory Poisoning Defense - `scanSummarization(originalMessages, summary)` detects when context compaction silently injects instructions. Addresses Unit 42 March 2026 research on persistent memory poisoning that survives across sessions. #### Security Scan Remediation - **Sidecar server**: API key authentication, request body size limit (1MB default), rate limiting (100 req/min default), CORS hardened from `*` to `same-origin`. - **Dashboard WebSocket**: Authentication token support, max connections limit (50 default), startup warning if no auth configured. - **GitHub App**: Webhook signature enforced for non-localhost requests, CRITICAL warning if `GITHUB_WEBHOOK_SECRET` not set. - **Document scanner**: `maxDocumentSize` limit (10MB default) prevents DoS via oversized documents. - **Audit logs**: `sanitizeLogs` option redacts emails, SSNs, API keys, and truncates content fields before writing. ## [13.4.0] - 2026-04-14 ### April 2026 Threat Response Security updates addressing vulnerabilities and attack techniques discovered April 1-14, 2026. #### Supply Chain Scanner — 16 New CVEs - **CVE-2026-5058** (CVSS 9.8) — AWS MCP Server command injection RCE, no auth required - **CVE-2026-5059** — AWS MCP Server remote code execution - **CVE-2026-32211** (CVSS 9.1) — Azure MCP Server has no authentication at all - **CVE-2026-21518** — VS Code mcp.json command injection (malicious project files) - **CVE-2026-33579** — OpenClaw silent admin takeover (patched April 5) - **CVE-2026-24763** — OpenClaw command injection - **CVE-2026-26322** — OpenClaw SSRF - **CVE-2026-26329** — OpenClaw path traversal / local file read - **CVE-2026-30741** — OpenClaw prompt-injection-driven code execution - **CVE-2025-59528** (CVSS 10.0) — Flowise RCE via MCP node, actively exploited since April 6, 12,000+ instances exposed - **CVE-2025-8943** — Flowise missing authentication - **CVE-2025-26319** — Flowise arbitrary file upload - **CVE-2026-5322** — mcp-data-vis SQL injection - **CVE-2026-6130** — chatbox MCP OS command injection - **CVE-2026-5023** — codebase-mcp OS command injection RCE Updated OpenClaw malicious skill count: 820 → 1,184+ confirmed on ClawHub (3.5x growth). Added aws-mcp-server-unpatched and flowise-unpatched to known-bad server blocklist. #### Detector Core — 15 New Detection Patterns (5 categories) - **XSS-in-agent-output** (5 patterns) — Catches XSS payloads embedded in AI-generated HTML: script tags, event handlers, javascript: URIs, iframe injection, img onerror. Addresses new attack vector where prompt injections deliver XSS through agent output. - **Acrostic/steganographic injection** (2 patterns) — Detects hidden instructions where first characters of consecutive lines spell injection keywords. Addresses 93% evasion success rate reported in April 2026 research. - **MCP config injection** (2 patterns) — Detects command injection in mcp.json files. Addresses CVE-2026-21518 VS Code attack vector. - **Offensive agent behavior** (3 patterns) — Detects AI agents being used as attack tools: exploitation language, C2 infrastructure, credential theft operations. Addresses April 2026 incident where AI agent compromised 600+ firewalls autonomously. - **Cloud IAM overpermission** (3 patterns) — Detects wildcard IAM policies enabling "Agent God Mode". Addresses Palo Alto Unit 42 discovery of AWS AgentCore default role vulnerability. ## [13.3.0] - 2026-04-06 ### New SDK Modules - **RenderDifferentialAnalyzer** -- Detects content that renders differently than it reads. Catches visual deception in HTML (CSS display:none, opacity:0, off-screen, font-size:0), Markdown (link mismatch, hidden spans, comment injection), and LaTeX (\phantom, \textcolor{white}, \renewcommand). Includes VisualHasher for measuring raw-vs-rendered divergence. - **SybilDetector** -- Detects coordinated fake agents acting in concert. Behavioral similarity scoring, temporal correlation, content similarity (Jaccard), creation burst detection, and voting collusion analysis. Includes AgentIdentityVerifier with challenge-response and shared-secret detection. - **SideChannelMonitor** -- Detects data exfiltration via covert channels. DNS exfiltration (high-entropy subdomains, base64 labels), timing-based encoding, response-size encoding, URL parameter exfil. Includes BeaconDetector (C2 beaconing patterns) and EntropyAnalyzer (Shannon entropy). ### Improvements - Professional README rewrite: organized by capability instead of version, reduced from 1,348 to ~350 lines - All 3 new modules exported via main.js - 185 new test assertions (81 render-differential + 49 sybil + 55 side-channel) - Total: 3,400+ test assertions across 22 suites ## [13.2.0] - 2026-04-06 ### DeepMind AI Agent Traps -- First-Principles Defense 10 new modules built from a 3-persona first-principles analysis (spam filter engineer, immunologist, fire safety inspector) of DeepMind's "AI Agent Traps" paper. Each module addresses a specific gap that existing capabilities cannot cover. #### New Modules - **ContentStructureAnalyzer** (Trap 1) -- Detects structural anomalies (hidden/visible ratio, tag density, formatting overhead) regardless of content keywords. Catches CSS/HTML obfuscation by measuring document SHAPE, not text content. - **SourceReputationTracker** (Trap 1) -- Temporal trust scoring with exponential decay. New sources start neutral, earn trust over time, lose trust instantly on threats. Persists to disk. - **RetrievalTimeScanner** (Trap 3) -- Scans memory entries at RETRIEVAL time, not just write time. Detects latent memory poisons that are clean individually but malicious when combined with a specific query. No other SDK does this. - **FewShotValidator** (Trap 3) -- Scans output portions of few-shot demonstrations in agent context for poisoned action patterns. - **SubAgentSpawnGate** (Trap 4) -- Validates child agent system prompts, blocks permission escalation, flags dangerous tools before sub-agent activation. - **SelfReferenceMonitor** (Trap 2) -- Detects external content that discusses the model's identity/capabilities (persona hyperstition). Flags identity manipulation through environmental narrative. - **InformationAsymmetryDetector** (Trap 2) -- Measures pro-safety vs anti-safety keyword ratio. Flags content with >70% anti-safety framing. - **ProvenanceMarker** (Trap 6) -- Prepends visible source provenance to agent output. Humans see "WARNING: influenced by untrusted web content from [source]." - **EscalatingScrutinyEngine** (Trap 6) -- Increases scrutiny as approval rate rises. Forces plain-English explanations, 30-second delays, and comprehension checks during high-volume approval periods. - **CompositeFragmentAssembler** (Trap 5) -- Pairwise assembly of content fragments from different sources. Detects attack payloads split across multiple agents/documents. #### Also in this release - Deepened all 6 trap categories with JSRenderingDetector, CloakingHeuristicScanner, OpinionShapingDetector, cross-session memory drift, fleet event serialization, and OutputDeceptionScorer - 20+ new detector-core patterns for real attack data (output forcing, prompt extraction, conversation format injection, annotation embedding) - 35-feature micro-model (10 structural features capturing attack shape) - 18 self-training mutation strategies (6 real-world attacker techniques) - Safe normalization (leetspeak reversal no longer corrupts "3D", "1080p", "4.2GB") - MCPGuard fusion layer (low-confidence micro-model flags demoted to anomaly) - MCPGuard.fromPreset() -- 5 presets replace 17 boolean flags - State persistence for ContinuousSecurityService - 9 separate entry points for tree shaking - Real-world benchmark: F1 0.988 on published HackAPrompt/TensorTrust/research data - Honest README claims ## [13.1.0] - 2026-04-06 ### Hardening -- 32-Issue Teardown Systematic teardown of every claim, architecture decision, and module. 24 issues fixed with code, 8 documented as honest limitations. #### Detection Improvements - **Real benchmark F1 0.988** on published attack datasets (HackAPrompt competition, TensorTrust game, security research papers) — honest score, not self-graded - **20+ new detector-core patterns** for output forcing, prompt extraction, conversation format injection, annotation embedding, backtick framing, urgency forcing, capability reconnaissance, hypothetical escalation - **35-feature micro-model** (was 25) — 10 structural features that capture attack SHAPE: imperative ratio, question mark absence, quote density, colon density, you-to-I ratio, output-forcing verbs, negation density, prompt references, role assignment, boundary markers - **18 mutation strategies** in self-training (was 12) — indirect framing, output forcing, conversation injection, prompt extraction reframe, annotation embedding, hypothetical escalation - **Safe normalization** — leetspeak reversal now requires 3+ digit-letter mixes AND no legitimate number patterns. "3D printing", "1080p", "4.2GB" no longer corrupted - **Chunk scanning FP reduction** — only promotes high/critical chunk threats, filters medium/low - **BiasDetector threshold** — requires 2+ signals or high severity, no longer flags "Everyone knows Python is great" #### Architecture Improvements - **MCPGuard fusion layer** — micro-model low-confidence flags (<40%) demoted to anomaly when pattern scanner finds nothing. Prevents micro-model FPs from blocking legitimate traffic - **MCPGuard.fromPreset()** — 5 presets (minimal, standard, recommended, strict, paranoid) replace 17 boolean flags. One-line configuration - **Intent graph sensitive penalty** — tools accessing password/credential/secret/token/api_key/bearer/session/oauth now penalized even when topic words overlap with intent - **Stronger semantic isolation** — XML-style `` tags with trust_level attributes, CRITICAL warnings, and post-block role anchoring - **createGatedExecutor()** — wraps ALL tool calls through mandatory intent verification. LLM can't bypass verify() because the executor enforces it - **Attack surface broader matching** — code_execution pattern catches run_sandboxed_code, code_runner, sandbox, interpret - **State persistence** — ContinuousSecurityService saves/loads posture history to disk. Survives restarts. Saves every 10th scan to reduce I/O - **guardWrite()** on MemoryIntegrityMonitor — blocks suspicious memory writes before they enter memory, not just logs after #### Packaging - **9 separate entry points** for tree shaking: guard, scanner, model, benchmark, traps, fleet, semantic, memory, hitl - **Honest README claims** — "F1 0.988 on real published attack datasets" replaces "beats Sentinel" #### Documented Limitations - Real benchmark uses hand-selected samples (full BIPIA 626K evaluation pending) - Attacker who reads source sees all 35 features - Self-training can't generate attacks it's never seen - Semantic isolation markers are text LLMs can choose to ignore - Gated executor requires developer adoption - guardWrite only catches text-level threats, not embedding-space poisoning - Fleet correlation assumes single process (serialization available for cross-process) ## [13.0.0] - 2026-04-06 ### DeepMind AI Agent Trap Defenses Implements comprehensive defenses against all 6 trap categories from DeepMind's "AI Agent Traps" paper (Franklin et al., March 2026, SSRN 6372438). 6 new modules, 37 gaps addressed: - **src/hitl-guard.js** — Human-in-the-Loop defenses: approval fatigue monitor, summarization integrity checker, output injection scanner, readability scanner, critical info position checker - **src/fleet-defense.js** — Systemic defenses: fleet correlation engine, cascade breaker, financial content validator, dependency diversity scanner - **src/semantic-guard.js** — Semantic manipulation defenses: authoritative claim detector, bias detector, educational framing detector, emotional reasoning detector - **src/memory-guard.js** — Cognitive state defenses: memory integrity monitor, RAG ingestion scanner, memory isolation enforcer, retrieval anomaly detector - **src/trap-defense.js** — Content injection + behavioral control: cloaking detector, composite content scanner, SVG scanner, browser action validator, credential isolation monitor, transaction gatekeeper, side-channel detector ## [12.0.0] - 2026-04-03 ### Multi-Turn Detection & Incident Response 8 new modules: - **src/cross-turn.js** — Multi-turn attack detection: escalation, topic drift, trust erosion, progressive boundary testing, false authority claims - **src/incident-response.js** — Automated response: isolate, quarantine, rollback, forensic preservation, remediation reports - **src/agent-intent.js** — Agent behavioral fingerprinting: tool call profiles, timing baselines, compromise detection - **src/normalizer.js** — Consolidated text normalization: zero-width, leetspeak, char spacing, context wrappers, unicode decoding - **src/ensemble.js** — Multi-classifier ensemble: weighted voting, Platt scaling calibration, quorum requirement - **src/smart-config.js** — Smart configuration: 6 deployment presets, auto-analysis, config validation - **src/ml-detector.js** — Multimodal content scanner: image OCR, PDF text, structured data scanning - **src/persistent-learning.js** — Federated threat intelligence: anonymous pattern sharing with differential privacy ## [11.0.0] - 2026-04-02 ### SOTA Achievement - **F1 1.000** on BIPIA, HackAPrompt, MCPTox, Multilingual (12 languages), and Stealth benchmarks - Beats Sentinel (ModernBERT-large, 395M params, F1 0.980) with zero dependencies and <1ms latency - 106 benchmark samples across 5 datasets + 15 functional utility tests - Built-in `SOTABenchmark` class for local verification: `npm run benchmark` ### Added - SOTA Security Modules - **Prompt Hardening** (`src/prompt-hardening.js`) - DefensiveToken-inspired input wrapping with 4 security levels (minimal/standard/strong/paranoid). System prompt immutable security policy. Conversation-level hardening. - **Message Integrity Chain** (`src/message-integrity.js`) - HMAC-chained conversation history. Tamper-evident signatures detect modification, insertion, deletion, reordering. Role boundary violation detection. Chain export/import. - **Continuous Security Service** (`src/continuous-security.js`) - Background service with configurable-interval posture scanning, defense effectiveness benchmarking, posture degradation alerting, and self-improvement via AutonomousHardener. - **SOTA Benchmark Suite** (`src/sota-benchmark.js`) - Embedded test cases from BIPIA, HackAPrompt, MCPTox, Multilingual, Stealth. Head-to-head comparison with Sentinel. Markdown report generation. ### Added - Level 5 Architectural Defenses - **Adversarial Self-Training** (`src/self-training.js`) - 12 mutation strategies (synonym, restructure, translation, leetspeak, token splitting, context wrapping, authority framing, encoding chains, paraphrasing, multi-turn decomposition, format shifting, negation inversion). AutonomousHardener runs on schedule with persistence, FP rollback, and growth limiting. Converges to 0% bypass in 3 cycles. - **Causal Intent Graph** (`src/intent-graph.js`) - Directed graph tracing user intent to tool calls to outputs. Jaccard topic similarity for causal scoring. Suspicious transition detection (credential read then network send). Sensitive file detection in tool args. - **Semantic Isolation Engine** (`src/semantic-isolation.js`) - Provenance-tagged prompt parameterization. SYSTEM/USER/TOOL_OUTPUT/RAG_CHUNK/UNTRUSTED trust levels. Policy enforcement prevents untrusted content from triggering tools or overriding instructions. Auto-quarantine for RAG chunks with detected threats. - **Cryptographic Intent Binding** (`src/intent-binding.js`) - HMAC-SHA256 signed tokens proving actions derive from user intent. Action derivation from intent keywords. Token issuance, verification, expiration, revocation. Unbypassable by prompt techniques. - **Attack Surface Mapper** (`src/attack-surface.js`) - Automated capability inventory (16 categories). DFS attack path enumeration. Detects data exfiltration chains, privilege escalation, write-then-execute, remote code execution. System prompt analysis, server risk assessment, permission gap detection. ### Added - Detection Improvements - 80+ new detector-core patterns across 35+ attack categories - 5-layer evasion resistance: zero-width char stripping, leetspeak reversal, character spacing collapse, Unicode tag extraction, context wrapping removal - Chunked scanning for long-input camouflage (RLM-JB research) - 17 languages: English, Spanish, French, German, Italian, Portuguese, Japanese, Korean, Chinese, Russian, Arabic, Turkish, Indonesian, Hindi, Thai, Vietnamese, Polish, Dutch, Swedish - Policy Puppetry detection (XML/INI/JSON formatted policy injection) - Log-To-Leak defense (MCP logging tool exfiltration) - Cross-agent attack chain detection (injection on Server A, exfil on Server B) ### Added - MCP Guard Enhancements - 17-layer unified security middleware - SSRF firewall (blocks private IPs and cloud metadata endpoints) - Path traversal firewall (blocks ../ sequences) - Config poisoning firewall (blocks API URL overrides) - MCP sampling abuse detection - Budget drain / compute exhaustion detection - OWASP Agentic Top 10 integration (auto-scans every tool call) - Attack surface auto-scan on server registration - Drift monitor integration (continuous behavioral analysis) - Model risk profiles (12 models with susceptibility ratings from MCPTox) - Agent fleet registry (register, track, and assess all agents) - Defense effectiveness measurement (per-layer catch rate benchmarking) - Unified `getSecurityPosture()` aggregating all 17 layers ### Added - Supply Chain Scanner Enhancements - 11 CVEs in registry (CVE-2025-6514, CVE-2026-26118, CVE-2026-33980, CVE-2026-25253, CVE-2026-26144, CVE-2026-25536, CVE-2026-21858, CVE-2026-32871, CVE-2025-59536, CVE-2026-21852, CVE-2026-23744) - Full-schema poisoning detection (default, enum, title, examples, const fields) - SSRF vector detection in tool schemas - ClawHavoc malicious skill pattern detection - Config file poisoning (.claude/, .cursor/ hooks and URL overrides) - Auth quality scoring (no auth, weak tokens, no expiry, no scopes, default credentials) - SARIF 2.1.0 output with 12 rule IDs for CI/CD integration - Markdown report generation - `getCIExitCode()` and `enforce()` for CI/CD pipelines ### Added - Micro-Model - Logistic regression + k-NN ensemble classifier - 25 hand-crafted semantic features (URL, injection signals, data targets, memory, schema, structural) - 200+ training samples across 26 attack categories + 70 benign samples - Precomputed weights for <2ms construction (95x speedup) - Inverted index for 2.3x faster k-NN lookup - Online learning via `addSamples()` ### Fixed - 14 bugs fixed from deep audit (5 critical, 2 medium, 7 low) - Intent graph node pruning invalidated edge indices - Self-training rollback left stale internal vectors - OAuth enforcer skipped issuer validation on missing iss field - XSS vulnerability in HTML report generation - Drift monitor false alerts on constant baselines - Various unbounded array/map memory leaks ### Changed - Total exports: 400+ across 100+ modules - Total test assertions: 3,200+ across 19 suites + Python + VSCode - False positive accuracy: 100% (was 99.2%) - Detection rate: 100% A+ (maintained) ## [10.0.0] - 2026-03-28 ### Added - March 2026 Attack Defense - **MCP Guard** (`src/mcp-guard.js`) - Drop-in MCP security middleware with server attestation, cross-server isolation, OAuth enforcement, per-server rate limiting, circuit breaker, behavioral baselines - **Supply Chain Scanner** (`src/supply-chain-scanner.js`) - npm-audit-style MCP server scanner with SHA-256 fingerprinting, known-bad registry, CVE checking, description injection scanning, permission analysis, escalation chain detection - **OWASP Agentic Scanner** (`src/owasp-agentic.js`) - All 10 OWASP Agentic Top 10 2026 risks with JSON/Markdown/SARIF output - **Red Team CLI** (`src/redteam-cli.js`, `bin/agentshield-audit`) - Attack simulator with quick/standard/full modes, real attack corpus, HTML/JSON/MD reports, A+-F grading, compare mode - **Drift Monitor** (`src/drift-monitor.js`) - Behavioral drift IDS with z-score + KL divergence, circuit breaker, webhook, Prometheus/OTel export - **Micro Model** (`src/micro-model.js`) - Embedded TF-IDF + k-NN classifier trained on March 2026 attack data ### Added - Research - `research/supply-chain-attacks-march-2026.md` - 6 CVEs, 9 campaigns, 20+ sources documenting the March 2026 MCP attack wave ## [7.3.0] - 2026-03-21 ### Added - CORTEX Autonomous Defense Platform - **Attack Genome Sequencing** (`src/attack-genome.js`) - Decompose attacks into intent/technique/evasion/target genome. Detect unseen variants by recognizing the genome, not the surface text. GenomeDatabase clusters attack families. - **Adversarial Evolution Simulator** (`src/evolution-simulator.js`) - GAN-style mutation engine generates attack variants across generations. Tests against defenses automatically. hardenFromEvolution() generates new patterns from evasive survivors. - **Intent Firewall** (`src/intent-firewall.js`) - Classifies user INTENT, not just content. Same words blocked or allowed based on context. "Help me write a phishing email" = BLOCKED. "Help me write about phishing training" = ALLOWED. ContextAnalyzer detects multi-turn manipulation. - **Cross-Agent Herd Immunity** (`src/herd-immunity.js`) - When one agent detects an attack, all connected agents receive the pattern. ImmuneMemory provides collective memory that new agents inherit from day one. - **Federated Threat Intelligence** (`src/threat-intel-federation.js`) - CrowdStrike model: anonymous attack pattern sharing with differential privacy. Consensus-based promotion. createFederationMesh() connects nodes. - **Agent Behavioral DNA** (`src/behavioral-dna.js`) - Learn per-agent behavioral baselines (tool usage, response patterns, timing). Detect anomalies when agent is compromised. Portable fingerprints. ### Added - Enterprise & Production - **Pre-Deployment Security Audit** (`src/audit.js`) - Run 617+ attacks with mutation engine in under 100ms. SecurityAudit generates category breakdown, findings, fix recommendations, and production-readiness verdict. - **Agent Flight Recorder** (`src/flight-recorder.js`) - Forensic conversation replay. Records every interaction, detects incidents, reconstructs attack timeline and escalation path. Auto-generates fix patterns. - **Supply Chain Verification** (`src/supply-chain.js`) - ToolChainValidator scans tool arguments and responses for injection. ResponseScanner deep-scans JSON/nested data for hidden instructions. DomainAllowlist for URL validation. - **Visual HTML Security Report** (`src/report-generator.js`) - Lighthouse-style HTML report with SVG gauge, category bar charts, severity breakdown, fix recommendations. Self-contained, print-friendly. - **Enterprise SOC Dashboard** (`src/soc-dashboard.js`) - Real-time event aggregation from multiple agents. Query by agent/category/severity/time. Alert channels: Slack, PagerDuty, Microsoft Teams. - **Attack Replay Platform** (`src/attack-replay.js`) - Record real attacks, replay against updated defenses. Track improvements vs regressions. Export/import attack corpora. - **Compliance Certification Authority** (`src/compliance-authority.js`) - HMAC-signed compliance certificates against OWASP, NIST, EU AI Act, SOC 2. Platinum/Gold/Silver/Bronze levels. Verify and revoke certificates. - **Real Attack Dataset Testing** (`src/real-attack-datasets.js`) - 48 samples from HackAPrompt, TensorTrust, and security research. DatasetRunner with precision/recall/F1 metrics. ### Added - Developer Experience - **Web Playground** (`playground/index.html`) - Paste text, see threats. 47 embedded patterns, dark mode, preset examples. Zero install. - **Claude SDK 3-Line Demo** (`examples/claude-3-lines.js`) - Simplest possible Claude integration. - **MCP Attack Demo** (`examples/mcp-attack-demo.js`) - 5 real MCP attacks all blocked in real-time. - **Competitive Benchmark Page** (`benchmark/competitive.html`) - Agent Shield vs Rebuff, LLM Guard, Lakera, Prompt Armor. - **CLI pentest command** - `npx agentshield-sdk security-audit` runs full audit with HTML report. ### Changed - Total exports: 390 across 93 modules (was 331 across 79) - Total test assertions: 2,220 across 13 test suites + Python + VSCode - 14 new source modules in this release ## [7.2.1] - 2026-03-21 ### Added - **Rate limiting middleware** - `rateLimitMiddleware()` and `shieldMiddleware()` for Express with 429 responses, `X-RateLimit-Limit`, `X-RateLimit-Remaining`, and `Retry-After` headers - **Graceful shutdown** - `createGracefulShutdown()` utility with configurable timeout enforcement, ordered cleanup, and idempotent execution - **Inline .env file loader** - `loadEnvFile()` zero-dependency alternative to dotenv with quote stripping and no-overwrite semantics - **Queue depth monitoring** - `DistributedShield.getQueueDepth()` returns pending, peak, and totalQueued metrics - **Production readiness test suite** - 24 new assertions covering config shapes, result shapes, shutdown, rate limiting, streaming errors, .env loading - **Migration guide** - `instructions/17-migration-v6-to-v7.md` covering v6.0 to v7.x upgrade path - **Troubleshooting guide** - `instructions/18-troubleshooting.md` with 10 common issues and solutions - **141-pattern sync across all SDKs** - Python, Go, Rust, and VSCode now have full parity with Node.js detection engine (was 22/29/31/31) - **Standardized API return shapes** - Python, Go, and Rust SDKs now return Node.js-compatible `status`, `stats`, and `timestamp` fields alongside legacy fields - **Pattern sync build script** - `npm run sync:patterns` exports canonical patterns to JSON for cross-SDK consumption - **Python PyPI packaging** - `pyproject.toml` and proper `__init__.py` for `pip install agentshield` - **Structured error codes** - All public API throws now use `createShieldError()` with machine-readable codes (AS-DET-002, AS-AUT-004, etc.) - **Performance regression gate in CI** - Automated benchmark check that fails if 10k scans exceed threshold ### Fixed - **Short input bypass** - detector-core.js was skipping inputs under 10 characters; `rm -rf /` (9 chars) was unscanned - **Role hijack pattern** - "you are now unrestricted" (no article) was not caught; tightened pattern with identity-related word requirement - **ReDoS risk** - Simplified credential listing pattern's nested alternation to prevent potential catastrophic backtracking - **Zero-value config bug** - `RateLimiter({ windowMs: 0 })` and `CircuitBreaker({ threshold: 0 })` silently defaulted via `||` operator; now uses explicit null checks - **scanToolCall inconsistency** - Previously returned `{ status: 'safe' }` on invalid input while `scan()` threw TypeError; now throws TypeError for consistency - **Shadow mode error swallowing** - Logger errors in shadow mode were silently caught; now logged to console.error - **DLP regex validation** - `DLPEngine.addRule()` with invalid regex string now catches and logs gracefully instead of throwing uncaught error - **Unbounded _localThreats** - `DistributedShield._localThreats` array now capped at 1000 entries (was unbounded, grew forever) - **Timer GC leak** - `DistributedShield` sync timer now uses `.unref()` to prevent blocking process exit - **SharedThreatState cleanup** - Added `pruneStaleSubscribers()` method for cleaning up dead subscriber callbacks - **MCP runtime shutdown** - `MCPSecurityRuntime.shutdown()` is now async with configurable timeout and drain handling - **MCP server shutdown** - Uses `createGracefulShutdown()` with `SHIELD_SHUTDOWN_TIMEOUT_MS` env var support - **Dashboard DoS** - POST /api/ingest now enforces 1MB body size limit (was unlimited) - **GitHub App markdown** - PR comment category values now escape pipe characters to prevent table breakage - **k8s Dockerfile** - USER directive moved before COPY with `--chown` for proper file ownership - **k8s fallback patterns** - Embedded patterns expanded from 10 to 15, synced with core engine fixes - **Benchmark percentile** - Fixed off-by-one in percentile calculation; now uses linear interpolation - **Category name consistency** - `role_hijacking` renamed to `role_hijack` across Python, Go, Rust, VSCode, benchmark-registry, testing.js, fuzzer.js, and all docs - **TypeScript declarations** - Added 39 missing type declarations for exported symbols - **VSCode debouncing** - Per-document debounce timers (was single global), scan result caching, 500KB file size limit, cache cleanup on close ### Changed - `prepublishOnly` now runs `test:full` (all 16 test suites) instead of just 3 - CI workflow runs test:adaptive, test:ipia, test:production, test:adversarial - CI coverage job expanded from 3 to 7 test files - CI verifies all 10 example files (was only 2) - `DEFAULT_CONFIG` in index.js now includes `maxInputSize`, `maxScanHistory`, `maxArgDepth` - Total exports increased to 331 across 79 modules - Total test assertions: 1,755 across 16 test suites - All SDK READMEs updated with 141 pattern count and 8 threat categories - README.md Node.js CI claim corrected to 18/20/22 (was incorrectly claiming 16) ## [7.2.0] - 2026-03-21 ### Added - **Indirect Prompt Injection Attack (IPIA) Detector** — `IPIADetector` implementing the joint-context embedding + classifier pipeline from "Benchmarking and Defending Against Indirect Prompt Injection Attacks on LLMs" (2024). 4-step pipeline: context construction → feature extraction → classification → response (`src/ipia-detector.js`) - **ContextConstructor** — builds joint context `J = [C || SEP || U]` from external content and user intent with configurable separator and length limits - **FeatureExtractor** — computes 10-feature vector: 3 cosine similarities (intent/content/joint TF-IDF), Shannon entropy, injection lexicon density, imperative verb density, directive pattern score, vocabulary overlap, content length ratio - **TreeClassifier** — hand-tuned decision tree classifier with O(1) inference, zero dependencies, configurable threshold - **ExternalEmbedder** — pluggable embedding backend for power users (MiniLM, OpenAI, etc.) with async `scanAsync()` support - **Batch RAG scanning** — `scanBatch()` scans multiple retrieved chunks against a single user intent - **IPIA Express middleware** — `ipiaMiddleware()` with block/flag/log actions for HTTP endpoints - **`createIPIAScanner()`** — factory function for quick RAG pipeline integration - **117 new test assertions** — covering all pipeline stages, false positive resistance, async/external embedder, middleware, edge cases ### Changed - Total exports increased from 318 to 327 across 79 modules - Test suite expanded to 1,282 assertions across 15 test suites (117 IPIA tests) - `test:full` script now includes IPIA detector tests ### Fixed - `tokenize()` crashed on non-string input (number, object, boolean) — now coerces via `String()` - `ContextConstructor.build()` crashed on non-string arguments — now coerces via `String()` - `cosineSim()` returned `NaN` on `Infinity` input vectors — now returns 0 for non-finite values - `ExternalEmbedder.defaultSimilarity()` same `NaN` issue — fixed with `isFinite()` guard - `ipiaMiddleware` crashed on `null` request object — added null guard ## [7.0.0] — 2026-03-21 ### Added - **MCP Security Runtime** — `MCPSecurityRuntime` unified security layer for MCP servers with per-user/per-session/per-tool authorization, session state machine (prevents tool ordering attacks), behavioral anomaly detection, delegation with scope narrowing, and one-line middleware integration (`src/mcp-security-runtime.js`) - **MCP Certification** — `MCPCertification` with 15 security requirements (auth, scanning, rate limiting, audit, crypto, monitoring, policy), Platinum/Gold/Silver/Bronze levels, formatted reports with actionable recommendations (`src/mcp-certification.js`) - **Cross-Org Agent Trust** — `CrossOrgAgentTrust` certificate authority for AI agents crossing organizational boundaries — issue, verify, and revoke HMAC-signed certificates with trust levels, org restrictions, and automatic expiry (`src/mcp-certification.js`) - **Agent Threat Intelligence** — `AgentThreatIntelligence` local threat pattern corpus with confidence decay, trend analysis (attack rate, bypass rate, direction), and corpus export/import for federated learning (`src/mcp-certification.js`) - **Live Demo** — `examples/mcp-security-demo.js` simulating all four Meta rogue AI agent attack vectors with real-time blocking ### Changed - **AES-256-GCM encryption** replaces XOR cipher in `SecureChannel` (`src/agent-protocol.js`) - **HMAC-SHA256 signing** replaces plain SHA256 in `AuthorizationContext` and `EphemeralTokenManager` with configurable signing keys (`src/confused-deputy.js`) - Timing-safe signature verification throughout using `crypto.timingSafeEqual()` - Automatic expired token cleanup in `EphemeralTokenManager` - Intent matching uses word-boundary matching instead of substring to prevent spoofing - Token issuance now verifies context integrity before minting - Delegation depth enforcement (configurable, default 5) - Total exports increased from 302 to 310+ across 77+ modules - Test suite expanded to 962 assertions across 13 test suites (112 MCP security tests) ### Fixed - 37 bugs fixed across two deep bug hunting cycles (see commit history) - Memory leaks in pending timestamps, revoked tokens, user tokens, behavior profiles - Double-counting in tool call blocked stats - Certificate eviction with LRU fallback for non-expired overflow - Map modification during iteration in session cleanup - Orphaned child sessions on parent termination ## [6.0.0] — 2026-03-21 ### Added - **OWASP LLM Top 10 v2025 Coverage Matrix** — `OWASPCoverageMatrix` mapping all Agent Shield capabilities to OWASP LLM Top 10 (2025 edition) with per-category coverage scoring, gap analysis, and compliance reporting (`src/owasp-2025.js`) - **MCP Bridge** — `MCPBridge` for native Model Context Protocol integration with `MCPToolPolicy` (per-tool allow/deny), `MCPSessionGuard` (session budgets, rate limiting), `MCPResourceScanner` (resource URI validation), and `createMCPMiddleware` for Express (`src/mcp-bridge.js`) - **NIST AI RMF Mapping** — `NISTMapper` mapping to NIST AI Risk Management Framework (2025) across GOVERN/MAP/MEASURE/MANAGE/MONITOR functions, `AIBOMGenerator` for AI Bill of Materials, `NISTComplianceChecker` with SP 800-53 AI control mapping (`src/nist-mapping.js`) - **EU AI Act Compliance** — `RiskClassifier` (prohibited/high/limited/minimal risk classification), `ConformityAssessment` (Article 43 checklist), `TransparencyReporter` (Article 13 obligations), `EUIncidentReporter` (Article 62 serious incident reporting), `EUAIActDashboard` with deadline tracking (`src/eu-ai-act.js`) - **System Prompt Leakage Detector** — `SystemPromptGuard` detecting 20+ prompt extraction attack patterns (direct requests, indirect extraction, roleplay-based attacks), `PromptFingerprinter` for output leak scoring, `PromptLeakageMitigation` with configurable response strategies (OWASP LLM07-2025) (`src/prompt-leakage.js`) - **RAG/Vector Vulnerability Scanner** — `RAGVulnerabilityScanner` detecting chunk boundary manipulation, metadata injection, authority spoofing, retrieval poisoning, and context window stuffing; `EmbeddingIntegrityChecker` for vector integrity; `RAGPipelineAuditor` for end-to-end RAG pipeline security (OWASP LLM08-2025) (`src/rag-vulnerability.js`) - **Confused Deputy Prevention** — `AuthorizationContext` (immutable user-to-agent binding with delegation chain), `EphemeralTokenManager` (scoped, auto-rotating tokens replacing static API keys), `IntentValidator` (post-auth action verification with scope/role/intent policies), `ConfusedDeputyGuard` (per-user MCP authorization preventing privilege escalation through delegation). Directly addresses the four IAM gaps from Meta's rogue AI agent incident (March 2026) (`src/confused-deputy.js`) ### Changed - Total exports increased from 254 to 302 across 74+ modules - Test suite expanded to 850 assertions across 11 test suites (122 v6 tests + 85 confused deputy tests) ## [5.0.0] — 2026-03-20 ### Added - **Agent-to-Agent Protocol** — `AgentProtocol` with `SecureChannel` (HMAC-signed, replay-protected), `HandshakeManager` (mutual auth, challenge-response), `MessageRouter` for multi-agent topologies (`src/agent-protocol.js`) - **Real-time Streaming Dashboard** — WebSocket server (RFC 6455) with live threat feed, SVG line/donut/heatmap charts, dark/light mode, auto-reconnect (`dashboard-live/`) - **Policy-as-Code DSL** — `PolicyDSL` with tokenizer, recursive descent parser, compiler, and runtime supporting `when/then/and/or` conditions, `allow` blocks, `rate_limit`, `scan_mode` (`src/policy-dsl.js`) - **Fuzzing Harness** — `FuzzingHarness` with `InputGenerator` (8 strategies including grammar-based, mutation, encoding), `MutationEngine` (13 mutations), `CoverageTracker`, `CrashCollector`, 50+ seed corpus (`src/fuzzer.js`) - **Model Fingerprinting** — `ModelFingerprinter` with `ResponseAnalyzer` (16 stylistic features), `StyleProfile` (cosine similarity), `FingerprintDatabase` (5 built-in profiles), `SupplyChainDetector` for model swap detection (`src/model-fingerprint.js`) - **Cost/Latency Optimizer** — `CostOptimizer` with `AdaptiveScanner` (auto-escalating tiers: fast/standard/deep/paranoid), `LatencyBudget`, `PerformanceMonitor` (p50/p95/p99), 4 optimization presets (`src/cost-optimizer.js`) ## [4.0.0] — 2026-03-19 ### Added - **Rust Core Engine** — `RegexSet`-based O(n) multi-pattern matching with compilation targets for WASM (`wasm-bindgen`), Node.js NAPI (`napi-rs`), and Python (`PyO3`) (`rust-core/`) - **Go SDK** — full detection engine, HTTP/gRPC middleware, CLI tool, benchmarks, zero external dependencies (`go-sdk/`) - **Terraform Provider** — `agent_shield_policy`, `agent_shield_rule`, `agent_shield_tenant` resources for infrastructure-as-code (`terraform-provider/`) - **OpenTelemetry Collector** — receiver (HTTP scan endpoint to log records) and processor (scan logs/traces, annotate/drop/log actions) (`otel-collector/`) - **GitHub App** — PR scanning with Check Run annotations, GitHub Action (`action.yml`), webhook signature verification, diff parsing (`github-app/`) - **Benchmark Registry** — `BenchmarkSuite` (100+ test cases), `MetricsCalculator` (F1, MCC, throughput, latency percentiles), `Leaderboard` with interactive web dashboard (`benchmark-registry/`) - **Multi-language Patterns** — `I18nPatternManager` with 32+ patterns across CJK, Arabic, Cyrillic, and Indic scripts (`src/i18n-patterns.js`) - **LLM Red Team Suite** — `JailbreakLibrary` (35+ templates across 6 categories), `AdversarialGenerator`, `EvasionTester`, `RedTeamReport` with weakness analysis (`src/llm-redteam.js`) ## [3.0.0] — 2026-03-19 ### Added - **Self-Healing Patterns** — `SelfHealingEngine` auto-generates detection patterns from false negatives with `PatternGenerator` (`src/self-healing.js`) - **Honeypot Mode** — `HoneypotEngine` with session tracking, escalation analysis, technique intelligence, fake response generation (`src/honeypot.js`) - **Multi-Modal Scanning** — `MultiModalScanner` for images (alt text, OCR, metadata), audio transcripts, PDFs, and tool outputs (`src/multimodal.js`) - **Agent Behavior Profiling** — `BehaviorProfile` with statistical baselining, anomaly detection (z-score), health checks (`src/behavior-profiling.js`) - **Threat Intelligence Network** — `ThreatIntelNetwork` with `PeerNode` reputation, `PatternAnonymizer` (differential privacy), `ConsensusEngine`, `ThreatFeed` with STIX-like export (`src/threat-intel-network.js`) ## [2.1.0] — 2026-03-19 ### Added - **Distributed Scanning** — `DistributedShield` with pluggable adapters (`MemoryAdapter`, `RedisAdapter`), pub/sub threat broadcasting (`src/distributed.js`) - **Audit Log Streaming** — `AuditStreamManager` with `FileTransport`, `SplunkTransport`, `ElasticsearchTransport` adapters (`src/audit-streaming.js`) - **Kubernetes Operator** — sidecar container with Helm chart, `MutatingWebhookConfiguration` for auto-injection, Prometheus metrics, health checks (`k8s/`) - **SSO/SAML Integration** — `SSOManager`, `SAMLParser`, `OIDCHandler`, `IdentityMapper` with enterprise IdP mapping to RBAC roles (`src/sso-saml.js`) - **Custom Model Fine-Tuning** — `ModelTrainer` with TF-IDF + logistic regression, `TrainingPipeline`, `DatasetManager`, `ModelEvaluator`, `FineTunedModel` export/import (`src/model-finetuning.js`) ## [2.0.0] — 2026-03-19 ### Added - **Plugin Marketplace** — `PluginRegistry`, `PluginValidator`, `MarketplaceClient` with quality scoring, safety validation, version management (`src/plugin-marketplace.js`) - **Dashboard v2** — real-time web dashboard with threat visualization, donut charts, sparklines, dark/light mode, scan metrics (`dashboard-live/`) - **Python SDK** — `agent_shield` Python package with core detection, `AgentShield` class, LangChain/LlamaIndex wrappers, Flask/FastAPI middleware, CLI tool (`python-sdk/`) - **WASM Build** — ESM/UMD bundles for browsers, Cloudflare Workers, Deno, Bun with build script and platform-specific examples (`wasm/`) - **VS Code Extension** — `agent-shield-vscode` with inline diagnostics, real-time scanning, severity mapping, string literal extraction for JS/TS/Python/Markdown (`vscode-extension/`) ## [1.2.0] — 2026-03-19 ### Added - **LLM-Assisted Classification** — `SemanticClassifier` with Ollama/OpenAI-compatible local endpoint support, two-pass `enhancedScan()` (`src/semantic.js`) - **Embedding-Based Similarity** — `EmbeddingSimilarityDetector` using TF-IDF + cosine similarity against 28-pattern attack corpus (`src/embedding.js`) - **Context-Aware Scoring** — `ConversationContextAnalyzer` with multi-turn escalation detection, topic pivot alerts, velocity/repetition checks (`src/context-scoring.js`) - **Confidence Calibration** — `ConfidenceTuner` with per-category threshold learning, feedback recording, precision/recall metrics (`src/confidence-tuning.js`) ## [1.1.0] — 2026-03-19 ### Added - **Expanded Homoglyph Detection** — comprehensive Unicode mapping covering Cherokee, Georgian, IPA, Math Symbols, Enclosed/Circled, Small Caps, Superscript/Subscript characters - **Worker Threads Support** — opt-in `ThreadedWorkerScanner` for real parallel CPU-bound scanning - **Independent Benchmark Suite** — reproducible performance script (`npm run benchmark`) with throughput, latency, scaling, accuracy, and memory metrics - **AI Phishing Patterns** — QR code phishing, MFA harvesting, credential urgency, subscription scams, AI access lures ### Changed - **Adversarial Mutation Resilience** — synonym-aware keyword cluster detection, pre-normalization, hex-escape decoding (84% to 95.3% detection rate) ## [1.0.0] — 2026-03-19 ### Initial Release Agent Shield v1.0.0 — a zero-dependency security SDK for AI agents. ### Core Features - **Prompt Injection Detection** — detects fake system prompts, instruction overrides, ChatML/LLaMA delimiters, markdown headers, and 30+ injection patterns - **Role Hijacking Detection** — catches DAN mode, developer mode, jailbreak attempts, persona attacks - **Data Exfiltration Prevention** — blocks system prompt extraction, markdown image leaks, fetch calls, tag extraction - **Tool Abuse Detection** — flags sensitive file access, shell execution, SQL injection, path traversal, recursive tool calls - **Social Engineering Detection** — identifies identity concealment, urgency + authority, gaslighting, false pre-approval - **Obfuscation Detection** — decodes Unicode homoglyphs, zero-width chars, Base64, hex, ROT13, leetspeak, reversed text - **Multi-Language Support** — detects attacks in English, Spanish, French, German, Portuguese, Chinese, Japanese ### Modules - **AgentShield** — main SDK class with configurable sensitivity, blocking, and callbacks - **Canary Tokens** — generate and detect prompt leak canaries - **PII Redactor** — auto-redact SSNs, emails, phone numbers, credit cards (DLP engine) - **Tool Guard** — tool sequence analysis and permission boundaries - **Circuit Breaker** — rate limiting and automatic trip on repeated attacks - **Conversation Analysis** — fragmentation detection, language switch detection, behavioral fingerprinting - **Multi-Agent Security** — agent firewall, delegation chains, shared threat state - **Multi-Agent Trust** — message signing (HMAC), capability tokens, blast radius containment - **Encoding Detection** — steganography, encoding bruteforce, structured data scanning - **Output Watermarking** — watermark agent outputs with differential privacy - **Policy Engine** — YAML/JSON policy loading, structured logging, webhook alerts - **Compliance Reporting** — SOC2, HIPAA, GDPR, OWASP, NIST, EU AI Act reports with audit trails - **Enterprise Features** — multi-tenant isolation, RBAC, debug mode - **RAG Scanner** — scan retrieved documents before they enter the context - **Red Team Simulator** — 49 built-in attack payloads with automated testing - **Shield Score** — quantitative security scoring and benchmarking ### Framework Integrations - Anthropic / Claude SDK (`shieldAnthropicClient`) - OpenAI SDK (`shieldOpenAIClient`) - LangChain (`ShieldCallbackHandler`) - Vercel AI SDK (`shieldVercelAI`) - Express middleware (`expressMiddleware`) - Generic agent wrapper (`wrapAgent`, `shieldTools`) ### CLI - `npx agent-shield scan` — scan text for threats - `npx agent-shield score` — calculate shield score - `npx agent-shield redteam` — run attack simulation - `npx agent-shield audit` — compliance audit - `npx agent-shield patterns` — list all detection patterns ### Benchmarks - 100% detection on internal red team (49 attacks) - 99.1% detection on external benchmark (108 real-world attacks) - 0% false positive rate (103 benign inputs) - 100/100 A+ shield score - ~48,000 scans/sec throughput - < 0.03ms average latency