Metadata-Version: 2.4
Name: snaft
Version: 1.2.0
Summary: Semantic Network-Aware Firewall for Trust — behavioral firewall for AI agents
Project-URL: Homepage, https://github.com/jaspertvdm/snaft
Project-URL: Documentation, https://github.com/jaspertvdm/snaft#readme
Project-URL: Repository, https://github.com/jaspertvdm/snaft
Project-URL: Issues, https://github.com/jaspertvdm/snaft/issues
Author-email: Jasper van de Meent <jasper@humotica.com>
License: MIT
License-File: LICENSE
Keywords: agentic-security,agents,ai,ainternet,behavioral,eu-ai-act,firewall,llm,owasp,owasp-agentic,owasp-llm,provenance,security,tibet,trust
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Programming Language :: Rust
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: System :: Networking :: Firewalls
Requires-Python: >=3.9
Provides-Extra: ainternet
Requires-Dist: ainternet>=0.4.0; extra == 'ainternet'
Provides-Extra: all
Requires-Dist: ainternet>=0.4.0; extra == 'all'
Requires-Dist: tibet-core>=0.1.0; extra == 'all'
Requires-Dist: tibet-sbom>=0.1.0; extra == 'all'
Requires-Dist: tibet-triage>=0.1.0; extra == 'all'
Provides-Extra: sbom
Requires-Dist: tibet-sbom>=0.1.0; extra == 'sbom'
Provides-Extra: tibet
Requires-Dist: tibet-core>=0.1.0; extra == 'tibet'
Provides-Extra: triage
Requires-Dist: tibet-triage>=0.1.0; extra == 'triage'
Description-Content-Type: text/markdown

# SNAFT

Semantic Network-Aware Firewall for Trust — behavioral firewall for AI agents with 22 immutable rules covering OWASP LLM Top 10 (2025) and OWASP Agentic Top 10 (2026).

## Install

```bash
pip install snaft              # standalone, zero dependencies
pip install snaft[all]         # with all companion packages
pip install tibet-snaft        # alias (same package)
```

## Quick Start

```python
from snaft import Firewall

fw = Firewall()

# Check an action
allowed, token, trust = fw.check("my-agent", "read_file", "load config")

if allowed:
    print(f"Allowed — trust: {trust:.2f}")
else:
    print(f"Blocked by {token.rule_name} — trust: {trust:.2f}")
```

```bash
snaft status                      # show firewall + OWASP coverage
snaft check my-agent read_file "load config"
snaft coverage                    # full OWASP coverage table
snaft block evil.aint "rogue"     # block AINS domain
snaft drop rogue-agent "bye"      # isolate + block + audit
```

## 22 Immutable Rules

Rules that **cannot be removed, disabled, or overridden**. Hidden from `rule list`, visible in audit.

| Rule | OWASP | Detects |
|------|-------|---------|
| SNAFT-001-INJECTION | LLM01 | Prompt injection patterns |
| SNAFT-002-OUTPUT-EXEC | LLM05 | Executable content in output |
| SNAFT-003-OVERSIZE | — | Resource exhaustion (>50K chars) |
| SNAFT-004-PROMPT-LEAK | LLM07 | System prompt extraction |
| SNAFT-005-EXCESSIVE-AGENCY | LLM06 | File operations outside sandbox |
| SNAFT-006-IDENTITY-TAMPER | — | Identity/soul file tampering (Fox-IT) |
| SNAFT-007-PII-LEAK | LLM02 | PII, API keys, secrets in output |
| SNAFT-008-SUPPLY-CHAIN | LLM03 | Untrusted dependency injection |
| SNAFT-009-DATA-POISONING | LLM04 | Training data poisoning |
| SNAFT-010-RAG-INJECTION | LLM08 | RAG/vector store injection |
| SNAFT-011-CONFIDENCE | LLM09 | Low-confidence factual claims |
| SNAFT-012-UNBOUNDED | LLM10 | Unbounded resource consumption |
| SNAFT-013-GOAL-HIJACK | ASI01 | Agent goal hijacking, intent drift |
| SNAFT-014-TOOL-MISUSE | ASI02 | Tool misuse, capability boundary violations |
| SNAFT-015-PRIVILEGE-ABUSE | ASI03 | Identity spoofing, privilege escalation |
| SNAFT-016-FORGE-VERIFY | ASI04 | Unverified plugin/MCP/model loading |
| SNAFT-017-CODE-EXEC | ASI05 | Code execution outside airlock sandbox |
| SNAFT-018-CONTEXT-POISON | ASI06 | Memory and context poisoning |
| SNAFT-019-INSECURE-COMMS | ASI07 | Unsigned inter-agent communication |
| SNAFT-020-CASCADE | ASI08 | Cascading failure patterns |
| SNAFT-021-TRUST-EXPLOIT | ASI09 | Human-agent trust exploitation |
| SNAFT-022-ROGUE-AGENT | ASI10 | Self-replication, oversight evasion |

## OWASP LLM Top 10 (2025) — 10/10 Covered

| # | Threat | Rule |
|---|--------|------|
| LLM01 | Prompt Injection | SNAFT-001 |
| LLM02 | Sensitive Info Disclosure | SNAFT-007 |
| LLM03 | Supply Chain Vulnerabilities | SNAFT-008 |
| LLM04 | Data and Model Poisoning | SNAFT-009 |
| LLM05 | Improper Output Handling | SNAFT-002 |
| LLM06 | Excessive Agency | SNAFT-005 |
| LLM07 | System Prompt Leakage | SNAFT-004 |
| LLM08 | Vector & Embedding Weaknesses | SNAFT-010 |
| LLM09 | Misinformation | SNAFT-011 |
| LLM10 | Unbounded Consumption | SNAFT-012 |

## OWASP Agentic Top 10 (2026) — 10/10 Covered

| # | Threat | Rule |
|---|--------|------|
| ASI01 | Agent Goal Hijack | SNAFT-013 |
| ASI02 | Tool Misuse & Exploitation | SNAFT-014 |
| ASI03 | Identity & Privilege Abuse | SNAFT-015 |
| ASI04 | Agentic Supply Chain | SNAFT-016 |
| ASI05 | Unexpected Code Execution | SNAFT-017 |
| ASI06 | Memory & Context Poisoning | SNAFT-018 |
| ASI07 | Insecure Inter-Agent Comms | SNAFT-019 |
| ASI08 | Cascading Failures | SNAFT-020 |
| ASI09 | Human-Agent Trust Exploitation | SNAFT-021 |
| ASI10 | Rogue Agents | SNAFT-022 |

## FIR/A Trust Scoring

Agent trust is behavioral, not configured. The FIR/A score (0.0–1.0):

| Component | Weight | Meaning |
|-----------|--------|---------|
| **F**requency | 20% | Activity baseline |
| **I**ntegrity | 40% | Behavioral consistency |
| **R**ecency | 25% | Freshness of trust evidence |
| **A**nomaly | 15% | Red flags (higher = worse) |

Agent states: **active** (>= 0.8) → **degraded** (0.5-0.8) → **isolated** (< 0.2, reversible) → **burned** (0.0, permanent).

## AINS Blocking

Block agents by `.aint` domain, IP address, or wildcard pattern. Network-level deny before any rule evaluation.

```python
fw = Firewall()

# Block by domain
fw.blocklist.block_ains("evil.aint", "rogue agent detected")

# Block by IP
fw.blocklist.block_ip("192.168.1.100", "port scan source")

# Block by pattern
fw.blocklist.block_pattern("*.spam.aint", "known spam network")

# Drop = isolate + block AINS + audit token
agent = fw.get_or_create_agent("rogue")
fw.drop_agent(agent, reason="unauthorized data access")
```

```bash
snaft block evil.aint "rogue"
snaft block 192.168.1.100 "scanner"
snaft block "*.spam.aint" "spam network"
snaft unblock evil.aint
snaft drop rogue-agent "unauthorized access"
```

## Null-Route MUX

Behavioral detection engine for abnormal traffic. When an IP crosses a dual threshold — rate (sliding window) or path repetition — it is marked for null-routing. The adjacent ASGI/Express middleware then holds the connection open and sends nothing. The attacker's connection pool fills up. You absorb the request metadata; they get zero signal (no status code, no error, no timing leak).

```python
from snaft import NullRouteMux

mux = NullRouteMux(
    rate_threshold=15,        # requests per window
    window_seconds=10,        # sliding window size
    repetition_threshold=5,   # same path in last N
    hold_duration=120,        # seconds to silence
)

decision = mux.check("185.131.15.134", "/api/lookup", "GET")

if decision.should_null_route:
    mux.absorb(ip, path, method, headers, body)   # we learn, they don't
    # middleware: send(http.response.start) then sleep hold_duration, never send body

mux.metrics()            # global counters + top offenders
mux.get_absorbed_summary("185.131.15.134")
mux.release("185.131.15.134")   # manual un-route
```

Whitelist is built in for localhost, internal LANs, and declared operator IPs — whitelisted traffic is never null-routed. FIR/A is penalised on trigger so repeat offenders degrade faster. Designed for defensive use in production and for active engagements against automated probing swarms.

## Companion Packages (optional)

SNAFT works standalone with zero dependencies. Install companions for enhanced checks:

| Package | Enhances | Install |
|---------|----------|---------|
| `tibet-triage` | SNAFT-017 (airlock sandboxing) | `pip install snaft[triage]` |
| `tibet-core` | Provenance token signing | `pip install snaft[tibet]` |
| `tibet-sbom` | SNAFT-008, SNAFT-016 (supply chain) | `pip install snaft[sbom]` |
| `ainternet` | SNAFT-019 (I-Poll signing), SNAFT-015 (Cortex tiers) | `pip install snaft[ainternet]` |

```bash
snaft companion    # shows which companions are installed
```

## EU AI Act Compliance

Automatic audit records on every `evaluate()`. Regulation (EU) 2024/1689, enforcement August 2, 2026.

| Article | Requirement | SNAFT coverage |
|---------|-------------|---------------|
| Art. 12 | Automatic logging | Every decision generates a signed audit record |
| Art. 13 | Transparency | Records include rule, reason, intent, risk level |
| Art. 26 | Retention >= 6 months | 180-day minimum enforced (cannot be lowered) |
| Art. 9 | Risk monitoring | FIR/A trust changes tracked per decision |
| Art. 14 | Human oversight | State transitions logged with provenance |
| Art. 15 | Accuracy & security | Tamper-detection hash on every record |

```bash
snaft audit summary                 # covered articles
snaft audit export -o report.json   # export for auditors
snaft audit verify                  # verify record integrity
```

## Rust Trust Kernel

Optional compiled backend for performance-critical deployments:

```bash
pip install snaft-core
```

Auto-detected. Provides 8x faster rule evaluation, HMAC signing via BoringSSL, compile-time rule definitions in `.rodata`, and runtime tamper detection.

## IETF Drafts

- [draft-vandemeent-tibet-provenance-01](https://datatracker.ietf.org/doc/draft-vandemeent-tibet-provenance/) — Traceable Intent-Based Event Tokens
- [draft-vandemeent-jis-identity-01](https://datatracker.ietf.org/doc/draft-vandemeent-jis-identity/) — Joint Identity Signature
- [draft-vandemeent-upip-process-integrity-01](https://datatracker.ietf.org/doc/draft-vandemeent-upip-process-integrity/) — Universal Process Integrity Protocol
- [draft-vandemeent-rvp-continuous-verification-01](https://datatracker.ietf.org/doc/draft-vandemeent-rvp-continuous-verification/) — Real-time Verification Protocol
- [draft-vandemeent-ains-discovery-01](https://datatracker.ietf.org/doc/draft-vandemeent-ains-discovery/) — AInternet Name Service

## Design Principles

1. **Default DENY** — no rule match = blocked
2. **Fail CLOSED** — exception in rule = blocked
3. **Immutable core** — OWASP rules cannot be removed
4. **Provenance on every decision** — no action without evidence
5. **Trust degradation** — blocks erode agent trust
6. **Intent-aware** — filters on WHY, not just WHAT

## License

MIT

## Credits

Built by [Jasper van de Meent](https://github.com/jaspertvdm) as part of [HumoticaOS](https://humotica.com).

Based on OWASP LLM Top 10 (2025), OWASP Agentic Top 10 (2026), TIBET provenance framework, and the AInternet.


---

## Enterprise

For private hub hosting, SLA support, custom integrations, or compliance guidance:

| | |
|---|---|
| **Enterprise** | enterprise@humotica.com |
| **Support** | support@humotica.com |
| **Security** | security@humotica.com |

See [ENTERPRISE.md](ENTERPRISE.md) for details.
