Releases: MrPredic/simdiff
Release list
v0.3.0 — session firewall for multi-step attacks
Decide over the accumulated effect of a tool-call sequence, not one call at a time.
The hard, unsolved problem in agentic security is the multi-step attack: each tool
call is benign alone, but the sequence is reconnaissance-then-exfiltration. Per-call
checks — and even tool-call pattern matchers — pass every step. A market scan
confirmed current defenses are pattern/subsequence-based and obfuscation-fooled.
New: simdiff.session
Session accumulates each allowed step's effect (CanonicalDelta.merge) and decides
the next over the running total:
- recon → exfil — an egress that follows reconnaissance (N distinct reads)
- enumeration — read-breadth ceiling
- mass mutation — distinct create/write/delete ceiling
- egress fan-out — distinct destination ceiling
Effect-based, so it can't be obfuscated; fail-closed, so the session verdict is
never weaker than the per-call one. This is the part competitors structurally can't
bolt on — it needs a deterministic, mergeable effect model first.
See examples/session_recon_exfil.py:
five benign cp reads pass, the sixth step (a POST) is blocked by the accumulated effect.
Zero deps · 132 tests · 100% coverage (CI-enforced) · MIT
Install: pip install https://github.com/MrPredic/simdiff/releases/download/v0.3.0/simdiff-0.3.0-py3-none-any.whl
v0.2.1 — hardened + agent-integrable
The effect layer for AI-agent firewalls: simulate an action, get a canonical
effect delta, let your policy decide over what would actually change.
Zero runtime dependencies · 122 tests · 100% coverage (CI-enforced) · MIT
Highlights since 0.2.0
- Hardening (multi-pass): filesystem snapshot can't crash/hang on
symlinks/FIFOs; shell fails closed on glued redirects, bracket/brace globs, and
cp/mv -toperand inversion; solana fails closed on an emptywatch; the core
simdiff()turns any adapter error into a fail-closed delta. - Verified, not asserted: 100% statement+branch coverage, Hypothesis
property/fuzz invariants, a by-hand mutation check, and an independent external
review (3 fixes adopted). - Agent-integrable: new optional
simdiff.guardprimitive, a Model Context
Protocol server example, a framework-agnostic guard loop, and anhttpCLI. - Honest by design:
fully_classifiedis a classification flag, not a safety
verdict; the simulate-adapters execute the action — see SECURITY.md.
Install from this release:
pip install https://github.com/MrPredic/simdiff/releases/download/v0.2.1/simdiff-0.2.1-py3-none-any.whl