Skip to content

Releases: webpro255/agentlock

AgentLock v1.4.0: Selective Action-Class Gating

Choose a tag to compare

@webpro255 webpro255 released this 10 Jul 14:07

v1.3 proved the security property. v1.4 makes it deployable.

The v1.3 uniform write-gate achieved 0% defense-effective attack success on AgentDojo's write-trailing-read threat models, at a utility cost the paper stated plainly. v1.4 attacks that cost where attacking it is sound, and refuses where it is not.

Selective action-class gating

Instead of blocking every consequential write on session taint, tools declare which action classes they belong to. Value-free classes (deletions, membership changes) stay taint-gated, because their malice needs no distinctive parameter value for lineage to catch. Value-carrying writes can be released to parameter lineage, which provably covers them (paper, section 7). The polarity rule is structural: declarations that add gating are free, and the one declaration that removes gating (is_value_carrying) can only come from the tool's trusted registration block, never from a caller. A wrong addition over-blocks; a wrong removal fails open.

Benchmark results, pre-registered

Predictions were committed before any run launched (PREDICTION_v14.md). All runs: gpt-4o-mini, tool_knowledge attack, AgentDojo 0.1.35, fixed adapter classification.

suite undefended, attacked uniform gate (v1.3) selective gate (v1.4) benign ceiling
travel 36.43% 30.00% 51.43% 65.00%
slack 52.38% 4.76% 4.76% 76.19%

Travel: selective gating restores utility to 79% of the benign ceiling, from 46%, and the defended agent outperforms the undefended agent under attack. Defense-effective ASR went from 2.14% (persuasion residual) to 0.00%. The mechanism is visible at parameter level in the decision logs: the attacker's injected reservation was denied by parameter lineage in the same episode where the user's own reservation committed.

Slack: no utility recovered, by design. Slack has no honestly declarable value-carrying tool, and the control run confirms selective gating refuses to relax where relaxing is unsound. Stated plainly: on slack-shaped workloads (benign read-then-write over attacker-reachable content) the defense floors utility at 4.76% whether or not an attack is present, and costs more utility than the attack it prevents. The full four-cell decomposition is in the attached report. v1.4 ships audit tooling so you can measure which case your agent is in before deploying.

Full benchmark report: MORNING_REPORT_v14.md

Two defects found and fixed before release

Both caught by our own verification gates during v1.4 development, neither ever shipped in a release:

  • Schema version comparison was lexicographic, so "1.10" compared below "1.3" and would have silently disabled all lineage defenses at that version. Found by the audit tooling auditing its own coverage rule. Affects v1.3.x only if a permission block hand-declares a version of 1.10 or higher, which no published schema defines. Fixed with numeric comparison that fails closed on unparseable versions.
  • The deferred-commit re-decision ignored action-class declarations entirely, making gate_consequential=False inert whenever deferred commit was enabled. Found by a pre-registered verification gate before any benchmark run launched (PREDICTION_v14_addendum.md). Fixed by extracting the gating disjunct into a single shared predicate used by both enforcement points, so they cannot drift again.

Also in this release

  • Novel lineage: per-target trusted/untrusted/novel classification, exact-token, placed above the coarse taint gate
  • Action-class audit: audit_action_classes() reports every lineage-enabled tool as DECLARED, UNDECLARED, or NOT_COVERED, with two-tier suggestions (observed traffic beats lexical heuristics) and a hard guarantee that the gating-removing declaration is never suggested without requiring human confirmation
  • needs_approval surfaced at the gate boundary: step-up no longer degrades to a hard deny; denial status becomes approval_required while DecisionType is unchanged, so no existing control flow breaks
  • The register_tool hazard warning is removed, replaced by the audit report. Note for strict callers: code running under -W error::UserWarning no longer gets a registration-time raise; assert on audit_action_classes() instead
  • schema/agentlock-v1.4.json published; SCHEMA_VERSION is 1.4; v1.3 blocks remain valid
  • README rewritten, feature history moved to docs/history.md, SECURITY.md gains a stated support policy

1041 tests passing under -W error::UserWarning. Full details in CHANGELOG.md.

Benchmark integrity notes

AgentDojo scores some blocked-but-attempted calls as attack successes (reported upstream as ethz-spylab/agentdojo#168), so we report defense-effective ASR alongside official ASR, with every excluded episode justified in the attached report. Separately, the benchmark never applies temperature=0 due to a falsy-zero guard, so single-run rates carry sampling noise; we measured the spread across replicates (also in the attached report) and the mechanism-level claims are stable across all draws.

Paper: Provenance-Based Pre-Action Authorization for LLM Agents (DOI: 10.5281/zenodo.21270300)

License: AGPL-3.0-or-later with commercial licenses available (see COMMERCIAL.md). Versions 1.2.x and earlier remain Apache 2.0.

PREDICTION_v14.md
PREDICTION_v14_addendum.md
MORNING_REPORT_v14.md

AgentLock v1.3.0 - Provenance-Lineage Gating & Deferred Commit

Choose a tag to compare

@webpro255 webpro255 released this 09 Jul 00:34

Changed

  • License: AgentLock is now licensed under the GNU AGPL-3.0 (previously Apache 2.0), with commercial licenses available for closed-source use. See COMMERCIAL.md. Versions 1.2.x and earlier remain under Apache 2.0.

Added

  • Provenance-lineage gating (LineagePolicyConfig): New per-tool policy block that gates tool calls based on the provenance lineage of their parameters. Two independent enforcement layers, both inert unless a lineage_policy is present and enabled: (1) a session write-gate that gates consequential calls (gate_financial, gate_external, gate_bulk, gate_account_modification, gate_consequential) whose session context carries untrusted lineage, and (2) parameter lineage (param_lineage_enabled) that matches individual parameter values back to untrusted-provenance tokens. Both are gate-owned reads: callers cannot supply the lineage verdict. Configurable decision (step_up | defer | deny) and param_lineage_action (deny | step_up | log). New helpers in agentlock/context.py: extract_lineage_tokens(), ContextTracker.lineage_summary(), ContextTracker.parameter_lineage_check().
  • Deferred-commit queue: DeferralManager gains queue_commit(), resolve_commit_queue(), get_commit_queue(), and clear_commit_queue() to hold deferred tool calls pending out-of-band resolution.
  • Two new denial reasons: DenialReason.UNTRUSTED_LINEAGE and DenialReason.PARAM_LINEAGE.
  • Schema: SCHEMA_VERSION bumped to 1.3; AgentLockPermissions gains an optional lineage_policy field. LineagePolicyConfig is exported from the package root.
  • Tests: 21 new tests (test_v13_session_write_gate.py, test_v13_deferred_and_param_lineage.py); suite total is now 868.

Paper

Evaluated on AgentDojo. Full methodology and results:
Provenance-Based Pre-Action Authorization for LLM Agents (DOI: 10.5281/zenodo.21270300)

Pre-registered prediction (committed 82cd80c, 2026-07-03, before the generalization runs; see paper, Appendix B): PREDICTION.md

AgentLock v1.2.1 - Signed Receipts, Hash-Chained Context, 99.5/A Benchmark

Choose a tag to compare

@webpro255 webpro255 released this 06 Apr 15:03

Ed25519 signed receipts (AARM R5) with HMAC-SHA256 fallback. Hash-chained tamper-evident context (AARM R2). First-call-any-risk DEFER trigger. Deny-on-block whitelist escalation. Sibling deferral. Prompt scan carry-forward. Critical hardening blocks all tools. 847 tests passing. Optional crypto: pip install agentlock[crypto].

AgentLock v1.2.0 - Adaptive Prompt Hardening & New Decision Types

Choose a tag to compare

@webpro255 webpro255 released this 30 Mar 13:32

Adaptive prompt hardening with pre-LLM threat detection. Three new decision types: MODIFY (output transformation and PII redaction), DEFER (suspend ambiguous calls), STEP_UP (human approval for suspicious patterns). Four signal detectors: velocity, tool combination anomaly, response echo, and prompt scanning. Gate enforcement at critical session risk. 745 tests passing. Full backward compatibility with v1.0 and v1.1.x.

AgentLock v1.1.2 - Independent Filter Pipeline

Choose a tag to compare

@webpro255 webpro255 released this 24 Mar 20:37

Decoupled injection defense and PII defense into independent pipeline layers. InjectionFilter and PiiFilter run sequentially with no shared logic. Tuning one no longer affects the other. Trust degradation runs independently of both. 44 new tests. Full backward compatibility.

AgentLock v1.1.1 - PII Defense Patch

Choose a tag to compare

@webpro255 webpro255 released this 24 Mar 18:54

Security fix: PII data was being fetched into memory before redaction. Added gate-level classification check that blocks tool execution before data is retrieved when the caller's clearance is below the tool's output classification. 16 new tests. Full backward compatibility (max_output_classification defaults to None).

AgentLock v1.1.0 -- Memory & Context Permissions

Choose a tag to compare

@webpro255 webpro255 released this 20 Mar 16:42

Context authority model with trust degradation, provenance tracking, and memory access control. 5 new enums, 2 new schema blocks, 8 new denial reasons, 7 new exception classes, 142 new tests (409 total). Full backward compatibility with v1.0.

AgentLock v1.0.0 - The Open Authorization Standard for AI Agents

Choose a tag to compare

@webpro255 webpro255 released this 18 Mar 18:09

AgentLock v1.0.0

The first release of AgentLock — the open authorization standard for AI agent tool calls.

What's included

  • Core authorization gate with deny-by-default enforcement
  • Pydantic v2 schema for tool permission definitions
  • Single-use, time-limited, operation-bound execution tokens
  • Role-based access control
  • Scope enforcement (data boundaries, max records, allowed recipients)
  • Per-user per-session rate limiting
  • PII detection and auto-redaction
  • Structured denial responses with reason codes
  • Audit logging (minimal/standard/full levels)
  • @agentlock decorator for one-line tool protection
  • CLI: validate, schema, init, inspect, audit
  • Framework integrations: LangChain, CrewAI, AutoGen, MCP, FastAPI, Flask
  • JSON schema for tool definition validation
  • 267 tests passing, zero lint errors, zero type errors

Install

pip install agentlock

Links