Releases: webpro255/agentlock
Release list
AgentLock v1.4.0: Selective Action-Class Gating
v1.3 proved the security property. v1.4 makes it deployable.
The v1.3 uniform write-gate achieved 0% defense-effective attack success on AgentDojo's write-trailing-read threat models, at a utility cost the paper stated plainly. v1.4 attacks that cost where attacking it is sound, and refuses where it is not.
Selective action-class gating
Instead of blocking every consequential write on session taint, tools declare which action classes they belong to. Value-free classes (deletions, membership changes) stay taint-gated, because their malice needs no distinctive parameter value for lineage to catch. Value-carrying writes can be released to parameter lineage, which provably covers them (paper, section 7). The polarity rule is structural: declarations that add gating are free, and the one declaration that removes gating (is_value_carrying) can only come from the tool's trusted registration block, never from a caller. A wrong addition over-blocks; a wrong removal fails open.
Benchmark results, pre-registered
Predictions were committed before any run launched (PREDICTION_v14.md). All runs: gpt-4o-mini, tool_knowledge attack, AgentDojo 0.1.35, fixed adapter classification.
| suite | undefended, attacked | uniform gate (v1.3) | selective gate (v1.4) | benign ceiling |
|---|---|---|---|---|
| travel | 36.43% | 30.00% | 51.43% | 65.00% |
| slack | 52.38% | 4.76% | 4.76% | 76.19% |
Travel: selective gating restores utility to 79% of the benign ceiling, from 46%, and the defended agent outperforms the undefended agent under attack. Defense-effective ASR went from 2.14% (persuasion residual) to 0.00%. The mechanism is visible at parameter level in the decision logs: the attacker's injected reservation was denied by parameter lineage in the same episode where the user's own reservation committed.
Slack: no utility recovered, by design. Slack has no honestly declarable value-carrying tool, and the control run confirms selective gating refuses to relax where relaxing is unsound. Stated plainly: on slack-shaped workloads (benign read-then-write over attacker-reachable content) the defense floors utility at 4.76% whether or not an attack is present, and costs more utility than the attack it prevents. The full four-cell decomposition is in the attached report. v1.4 ships audit tooling so you can measure which case your agent is in before deploying.
Full benchmark report: MORNING_REPORT_v14.md
Two defects found and fixed before release
Both caught by our own verification gates during v1.4 development, neither ever shipped in a release:
- Schema version comparison was lexicographic, so "1.10" compared below "1.3" and would have silently disabled all lineage defenses at that version. Found by the audit tooling auditing its own coverage rule. Affects v1.3.x only if a permission block hand-declares a version of 1.10 or higher, which no published schema defines. Fixed with numeric comparison that fails closed on unparseable versions.
- The deferred-commit re-decision ignored action-class declarations entirely, making gate_consequential=False inert whenever deferred commit was enabled. Found by a pre-registered verification gate before any benchmark run launched (PREDICTION_v14_addendum.md). Fixed by extracting the gating disjunct into a single shared predicate used by both enforcement points, so they cannot drift again.
Also in this release
- Novel lineage: per-target trusted/untrusted/novel classification, exact-token, placed above the coarse taint gate
- Action-class audit:
audit_action_classes()reports every lineage-enabled tool as DECLARED, UNDECLARED, or NOT_COVERED, with two-tier suggestions (observed traffic beats lexical heuristics) and a hard guarantee that the gating-removing declaration is never suggested without requiring human confirmation - needs_approval surfaced at the gate boundary: step-up no longer degrades to a hard deny; denial status becomes
approval_requiredwhile DecisionType is unchanged, so no existing control flow breaks - The register_tool hazard warning is removed, replaced by the audit report. Note for strict callers: code running under
-W error::UserWarningno longer gets a registration-time raise; assert onaudit_action_classes()instead schema/agentlock-v1.4.jsonpublished; SCHEMA_VERSION is 1.4; v1.3 blocks remain valid- README rewritten, feature history moved to docs/history.md, SECURITY.md gains a stated support policy
1041 tests passing under -W error::UserWarning. Full details in CHANGELOG.md.
Benchmark integrity notes
AgentDojo scores some blocked-but-attempted calls as attack successes (reported upstream as ethz-spylab/agentdojo#168), so we report defense-effective ASR alongside official ASR, with every excluded episode justified in the attached report. Separately, the benchmark never applies temperature=0 due to a falsy-zero guard, so single-run rates carry sampling noise; we measured the spread across replicates (also in the attached report) and the mechanism-level claims are stable across all draws.
Paper: Provenance-Based Pre-Action Authorization for LLM Agents (DOI: 10.5281/zenodo.21270300)
License: AGPL-3.0-or-later with commercial licenses available (see COMMERCIAL.md). Versions 1.2.x and earlier remain Apache 2.0.
PREDICTION_v14.md
PREDICTION_v14_addendum.md
MORNING_REPORT_v14.md
AgentLock v1.3.0 - Provenance-Lineage Gating & Deferred Commit
Changed
- License: AgentLock is now licensed under the GNU AGPL-3.0 (previously Apache 2.0), with commercial licenses available for closed-source use. See COMMERCIAL.md. Versions 1.2.x and earlier remain under Apache 2.0.
Added
- Provenance-lineage gating (
LineagePolicyConfig): New per-tool policy block that gates tool calls based on the provenance lineage of their parameters. Two independent enforcement layers, both inert unless alineage_policyis present and enabled: (1) a session write-gate that gates consequential calls (gate_financial,gate_external,gate_bulk,gate_account_modification,gate_consequential) whose session context carries untrusted lineage, and (2) parameter lineage (param_lineage_enabled) that matches individual parameter values back to untrusted-provenance tokens. Both are gate-owned reads: callers cannot supply the lineage verdict. Configurabledecision(step_up|defer|deny) andparam_lineage_action(deny|step_up|log). New helpers inagentlock/context.py:extract_lineage_tokens(),ContextTracker.lineage_summary(),ContextTracker.parameter_lineage_check(). - Deferred-commit queue:
DeferralManagergainsqueue_commit(),resolve_commit_queue(),get_commit_queue(), andclear_commit_queue()to hold deferred tool calls pending out-of-band resolution. - Two new denial reasons:
DenialReason.UNTRUSTED_LINEAGEandDenialReason.PARAM_LINEAGE. - Schema:
SCHEMA_VERSIONbumped to1.3;AgentLockPermissionsgains an optionallineage_policyfield.LineagePolicyConfigis exported from the package root. - Tests: 21 new tests (
test_v13_session_write_gate.py,test_v13_deferred_and_param_lineage.py); suite total is now 868.
Paper
Evaluated on AgentDojo. Full methodology and results:
Provenance-Based Pre-Action Authorization for LLM Agents (DOI: 10.5281/zenodo.21270300)
Pre-registered prediction (committed 82cd80c, 2026-07-03, before the generalization runs; see paper, Appendix B): PREDICTION.md
AgentLock v1.2.1 - Signed Receipts, Hash-Chained Context, 99.5/A Benchmark
Ed25519 signed receipts (AARM R5) with HMAC-SHA256 fallback. Hash-chained tamper-evident context (AARM R2). First-call-any-risk DEFER trigger. Deny-on-block whitelist escalation. Sibling deferral. Prompt scan carry-forward. Critical hardening blocks all tools. 847 tests passing. Optional crypto: pip install agentlock[crypto].
AgentLock v1.2.0 - Adaptive Prompt Hardening & New Decision Types
Adaptive prompt hardening with pre-LLM threat detection. Three new decision types: MODIFY (output transformation and PII redaction), DEFER (suspend ambiguous calls), STEP_UP (human approval for suspicious patterns). Four signal detectors: velocity, tool combination anomaly, response echo, and prompt scanning. Gate enforcement at critical session risk. 745 tests passing. Full backward compatibility with v1.0 and v1.1.x.
AgentLock v1.1.2 - Independent Filter Pipeline
Decoupled injection defense and PII defense into independent pipeline layers. InjectionFilter and PiiFilter run sequentially with no shared logic. Tuning one no longer affects the other. Trust degradation runs independently of both. 44 new tests. Full backward compatibility.
AgentLock v1.1.1 - PII Defense Patch
Security fix: PII data was being fetched into memory before redaction. Added gate-level classification check that blocks tool execution before data is retrieved when the caller's clearance is below the tool's output classification. 16 new tests. Full backward compatibility (max_output_classification defaults to None).
AgentLock v1.1.0 -- Memory & Context Permissions
Context authority model with trust degradation, provenance tracking, and memory access control. 5 new enums, 2 new schema blocks, 8 new denial reasons, 7 new exception classes, 142 new tests (409 total). Full backward compatibility with v1.0.
AgentLock v1.0.0 - The Open Authorization Standard for AI Agents
AgentLock v1.0.0
The first release of AgentLock — the open authorization standard for AI agent tool calls.
What's included
- Core authorization gate with deny-by-default enforcement
- Pydantic v2 schema for tool permission definitions
- Single-use, time-limited, operation-bound execution tokens
- Role-based access control
- Scope enforcement (data boundaries, max records, allowed recipients)
- Per-user per-session rate limiting
- PII detection and auto-redaction
- Structured denial responses with reason codes
- Audit logging (minimal/standard/full levels)
- @agentlock decorator for one-line tool protection
- CLI: validate, schema, init, inspect, audit
- Framework integrations: LangChain, CrewAI, AutoGen, MCP, FastAPI, Flask
- JSON schema for tool definition validation
- 267 tests passing, zero lint errors, zero type errors
Install
pip install agentlock
Links
- Interactive demo: https://agentlock.dev
- Documentation: https://github.com/webpro255/agentlock/tree/main/docs
- PyPI: https://pypi.org/project/agentlock/