Release v0.4.0: hash chain, Ed25519, OWASP, MCP, LangGraph, OpenAI Agents, EU AI Act, Plaid, telemetry

@AnshumanKumar14 released this 08 May 22:11

Features:

  • Hash-chained tamper-evident audit log (core/chain.py)
  • Optional Ed25519 signing of audit entries (core/keys.py)
  • Hardened Regex+AST scorer (core/scorer.py)
  • OWASP Agentic Top 10 coverage matrix (assessment/owasp.py)
  • MCP gateway server and in-process adapter (mcp/)
  • LangGraph ShadowAuditToolNode (framework/langgraph.py)
  • OpenAI Agents SDK wrapper (framework/openai_agents.py)
  • EU AI Act Annex IV evidence pack generator (assessment/eu_ai_act.py)
  • Plaid taxonomy pack (taxonomies/financial_plaid.json)
  • Opt-in telemetry client (telemetry/client.py)

CLI additions:

  • shadowaudit verify — audit log integrity check
  • shadowaudit owasp — OWASP coverage report
  • shadowaudit eu-ai-act — EU AI Act evidence pack

Examples:

  • 9 new runnable examples covering all v0.4.0 features
  • examples/run_all_examples.py test runner

Tests:

  • 205 tests (1 skipped), full coverage of new modules

Quality & Security fixes:

  • Constant-time signature verification (hmac.compare_digest)
  • Atomic key file writes with restricted permissions
  • Taxonomy cache poisoning fix (deep copy before mutation)
  • Regex pattern LRU caching in scorer
  • MCP Content-Length bounds checking (MAX_MESSAGE_SIZE)
  • Shared AST cache in two-pass scanner
  • asyncio.Lock in telemetry client start/stop
  • Path traversal validation in EU AI Act output
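
How a hash-chained audit log and an integrity check of the kind `shadowaudit verify` performs can detect edits, deletions and truncation, using `hmac.compare_digest` for the hash comparisons. This is an added example, not ShadowAudit's own code: the entry layout, the field names, the `GENESIS` value and the functions `entry_hash`, `append`, `verify` and `demo` are assumptions, and the log entries are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first entry


def entry_hash(prev_hash, payload):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{body}".encode()).hexdigest()


def append(log, payload):
    """Append a payload, linking it to the hash of the last entry."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev_hash": prev, "payload": payload,
                "hash": entry_hash(prev, payload)})


def verify(log, expected_head=None):
    """Return (ok, index of first bad entry or None, reason)."""
    prev = GENESIS
    for i, e in enumerate(log):
        if not hmac.compare_digest(e["prev_hash"], prev):
            return False, i, "broken link"
        if not hmac.compare_digest(e["hash"], entry_hash(prev, e["payload"])):
            return False, i, "payload modified"
        prev = e["hash"]
    # A truncated log is still a valid chain; only a head hash kept
    # outside the log file reveals that the tail is missing.
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(log), "head mismatch"
    return True, None, "ok"


def demo():
    log = []  # constructed sample entries
    for tool, decision in [("get_balance", "allow"),
                           ("transfer_funds", "block"),
                           ("list_accounts", "allow")]:
        append(log, {"tool": tool, "decision": decision})
    head = log[-1]["hash"]
    edited = json.loads(json.dumps(log))       # deep copy
    edited[1]["payload"]["decision"] = "allow"  # rewrite a decision in place
    return {"clean": verify(log, head),
            "edited": verify(edited, head),
            "deleted": verify(log[:1] + log[2:], head),
            "truncated": verify(log[:2], head)}
```

Anyone who can rewrite the whole file can also recompute every hash, so the chain alone only proves internal consistency; signing entries or storing the head hash elsewhere closes that gap.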

Documentation:

  • Updated README with all shipped features and example index
  • docs/TESTING_GUIDE.md — comprehensive user testing guide
  • docs/CODE_REVIEW_WEEK13.md — full security/performance/quality review

Decoupling:

  • Cloud-tier code removed from OSS repo (shadowaudit-cloud/ ready for private repo)
  • TelemetryClient stays in OSS (opt-in, hashed metadata only)

Demo:

  • shadowaudit-demo/ realistic fintech agent for end-to-end testing