POC for A2AS.org: Standard for Agentic AI Security
Siddhant-K-code/a2as-implementation-poc
A modern proof-of-concept implementation of the A2AS (Agent-to-Agent Security) framework demonstrating Behavior Certificates, Authenticated Prompts, Security Boundaries, and Enforcement Gates. Inspired by the A2AS paper.
- Node.js 22 - Latest LTS with performance improvements
- TypeScript 5.4 - Full type safety and modern language features
- Vitest - Fast testing framework with UI support
- ESLint + Prettier - Code quality and formatting
- Zod - Runtime type validation
- Winston - Structured logging
- ES Modules - Modern JavaScript module system
This PoC shows how to secure LLM agents using:
- Behavior Certificates: Define what actions an agent is allowed to perform
- Authenticated Prompts: HMAC-signed prompts to prevent tampering
- Enforcement Proxy: Blocks malicious actions even if LLM outputs them
- In-Context Defenses: Structured context to guide LLM behavior
- Policy Engine: Pattern-based policy evaluation
- Node.js 22+
- npm 10+
```bash
npm install

# Run in development mode with hot reload
npm run dev

# Type checking
npm run type-check

# Linting and formatting
npm run lint
npm run format

# Run tests
npm run test

# Run tests in watch mode
npm run test:watch

# Run tests with UI
npm run test:ui

# Build TypeScript
npm run build

# Run demo with Mock LLM
npm run start

# Run with Real LLM (Optional)
export OPENAI_API_KEY=your_key_here
npm run run-llm
```
```
User Prompt → Controller → LLM Adapter → Enforcement Proxy → Action Execution
                  ↓              ↓               ↓                    ↓
              Signature       Context          JSON           Action Policy Check
             Verification     Building        Parsing             + Sandbox
```

Located in `certs/demo-agent-1.json`:

```json
{
  "agent_id": "demo-agent-1",
  "secret": "demo-secret-please-change",
  "allowed_tools": {
    "fs": {
      "read": ["./workspace/**"],
      "write": ["./workspace/**"]
    },
    "http": {
      "GET": ["https://api.github.com/*"]
    },
    "shell": []
  },
  "deny_patterns": ["aws", "ssh", "id_rsa", "PRIVATE_KEY", "rm -rf"],
  "max_filesize_bytes": 1048576,
  "require_human_before_sensitive_write": true
}
```

- HMAC-SHA256 prompt signing
- Path allowlisting for file operations
- Pattern-based exfiltration detection
- Shell command sandboxing
- Human escalation for sensitive operations
- Structured logging with secret masking
The adversarial test harness includes:
- `rm -rf /` shell execution → DENY
- Reading `~/.aws/credentials` → DENY
- HTTP GET to `api.github.com` → ALLOW (mock)
- Base64 obfuscated instructions → DENY
- Sensitive write operations → ESCALATE
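As an added example (not code from this repository), the following shows how the certificate above can drive both prompt authentication and the enforcement decisions listed in the adversarial harness. The signing format (agent id, timestamp and prompt joined by newlines), the action shape (`tool` plus `op`/`path`, `method`/`url` or `cmd`), the base64 re-scan and the rule that every write is escalated are assumptions, not the project's design.

```javascript
import { createHmac, timingSafeEqual } from 'node:crypto';
import path from 'node:path';

// Constructed copy of the certs/demo-agent-1.json fields used below.
const cert = {
  agent_id: 'demo-agent-1', secret: 'demo-secret-please-change',
  allowed_tools: { fs: { read: ['./workspace/**'], write: ['./workspace/**'] },
                   http: { GET: ['https://api.github.com/*'] }, shell: [] },
  deny_patterns: ['aws', 'ssh', 'id_rsa', 'PRIVATE_KEY', 'rm -rf'],
  require_human_before_sensitive_write: true,
};
// Assumed signing format: HMAC-SHA256 over agent id, timestamp and prompt together, so no field can be swapped alone.
function signPrompt(prompt, timestamp, c = cert) {
  return createHmac('sha256', c.secret).update(`${c.agent_id}\n${timestamp}\n${prompt}`).digest('hex');
}
// Constant-time verification; any edit to the signed fields (or a missing signature) yields false.
function verifyPrompt(signed, c = cert) {
  const expected = Buffer.from(signPrompt(signed.prompt, signed.timestamp, c), 'hex');
  const given = Buffer.from(signed.signature ?? '', 'hex');
  return given.length === expected.length && timingSafeEqual(given, expected);
}
// Glob to anchored regex: '**' spans '/', '*' stays within one segment, everything else is literal.
function globToRegExp(glob) {
  const re = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*\*/g, '\0').replace(/\*/g, '[^/]*').replace(/\0/g, '.*');
  return new RegExp(`^${re}$`);
}
// Deny-pattern scan over every string field, plus base64-decoded copies of base64-looking values.
function hitsDenyPattern(action, patterns) {
  const raw = Object.values(action).filter((v) => typeof v === 'string');
  const decoded = raw.filter((s) => /^[A-Za-z0-9+/]{12,}={0,2}$/.test(s))
    .map((s) => Buffer.from(s, 'base64').toString('utf8'));
  return [...raw, ...decoded].some((s) => patterns.some((p) => s.includes(p)));
}
// Returns 'ALLOW', 'DENY' or 'ESCALATE' for one parsed LLM action; unknown tools are denied.
function evaluateAction(action, c = cert) {
  if (hitsDenyPattern(action, c.deny_patterns)) return 'DENY';
  const matches = (globs, value) => globs.some((g) => globToRegExp(g).test(value));
  if (action.tool === 'shell') return matches(c.allowed_tools.shell, action.cmd) ? 'ALLOW' : 'DENY';
  if (action.tool === 'http') return matches(c.allowed_tools.http[action.method] ?? [], action.url) ? 'ALLOW' : 'DENY';
  if (action.tool === 'fs') {
    // Normalise glob and path alike so './workspace/../etc/passwd' cannot pose as a workspace file.
    const globs = (c.allowed_tools.fs[action.op] ?? []).map((g) => path.posix.normalize(g));
    if (!matches(globs, path.posix.normalize(action.path ?? ''))) return 'DENY';
    // Assumption: every write is treated as sensitive and escalated to a human first.
    return action.op === 'write' && c.require_human_before_sensitive_write ? 'ESCALATE' : 'ALLOW';
  }
  return 'DENY';
}
```

Timestamp freshness is not checked here; a deployment would also reject signed prompts older than a short window to limit replay.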
```
├── src/
│   ├── controller.js          # Main coordinator
│   ├── enforcement.js         # Enforcement proxy
│   ├── policy.js              # Policy evaluator
│   ├── llm-adapter/
│   │   ├── mock-llm.js        # Mock LLM for testing
│   │   └── openai-adapter.js  # Optional OpenAI adapter
│   └── utils/
│       ├── signer.js          # HMAC signing utilities
│       ├── parser.js          # LLM output parser
│       └── sandbox-exec.js    # Safe execution wrapper
├── certs/
│   └── demo-agent-1.json      # Behavior Certificate
├── tests/
│   └── adversarial-tests.js   # Test harness
├── examples/
│   └── sample-signed-prompt.json
└── logs/                      # JSONL action logs
```

- PoC Only: Not production-ready
- Mock Execution: Real shell commands are simulated
- Simple PKI: Uses shared secrets, not certificates
- Basic Sandboxing: Limited process isolation
- No Human Review UI: Escalation goes to file
- Implement proper PKI with X.509 certificates
- Add container-based sandboxing
- Build human review dashboard
- Add metrics and monitoring
- Implement distributed policy management
- Add more sophisticated pattern matching
```bash
npm run sign-prompt "List files in workspace"
```

```json
{
  "prompt": "List files in workspace",
  "agent_id": "demo-agent-1",
  "signature": "a1b2c3d4...",
  "timestamp": "2024-01-01T00:00:00Z"
}
```