Releases: agentfront/enclave
enclave-vm@2.7.0
enclave-vm v2.7.0
📦 npm: enclave-vm@2.7.0
Added
- Introduced a JSON-based tool bridge with configurable modes and payload limits, exposed via the new toolBridge option on EnclaveConfig.
- Added serialized size estimators (estimateSerializedSize / checkSerializedSize) and enforced them before returning sandbox values when a memory limit is configured.
Changed
- Enclave construction now normalizes toolBridge settings and requires explicit acknowledgement before enabling insecure direct bridging.
Security
- Array.prototype.fill is now memory-tracked inside both VM adapters to block sparse-array exhaustion attacks.
- Return paths reject values whose serialized size would exceed the configured memory limit, preventing Vector 340 serialization amplification.
- All host-generated errors now go through the centralized createSafeError, severing prototype chains and stripping host stack details.
- The string-mode tool bridge validates JSON payloads, enforces payload caps, sanitizes arguments/results, and updates tool-call stats before invoking host handlers.
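Added example (illustrative code, not enclave-vm's own estimateSerializedSize / checkSerializedSize): a budgeted walk that counts the characters JSON.stringify would produce and aborts as soon as the running total passes the limit, so a small graph of shared references, the amplification case a return-path check exists to catch, is rejected without the serialized string ever being built. The function names, the character-count accounting, and the choice to reject toJSON callbacks rather than run them are assumptions.

```javascript
// Added example, not enclave-vm's implementation. Estimates the length of
// JSON.stringify(value) without producing the string; stops once `limit` is passed.
function estimateSerializedSize(value, limit = Infinity) {
  let size = 0;
  const ancestors = new Set(); // cycle detection, as JSON.stringify does
  const add = (n) => {
    size += n;
    if (size > limit) throw new RangeError(`serialized size exceeds ${limit}`);
  };
  const isDropped = (v) =>
    v === undefined || typeof v === 'function' || typeof v === 'symbol';
  function walk(v) {
    if (typeof v === 'bigint') throw new TypeError('BigInt is not serializable');
    if (v === null || typeof v === 'boolean') return add(String(v).length);
    if (typeof v === 'number') return add(Number.isFinite(v) ? String(v).length : 4);
    if (typeof v === 'string') return add(JSON.stringify(v).length);
    if (typeof v !== 'object') return; // dropped kinds contribute nothing here
    // Do not run sandbox-supplied serialization hooks on the host: reject instead.
    if (typeof v.toJSON === 'function') throw new TypeError('toJSON callbacks are not evaluated');
    if (ancestors.has(v)) throw new TypeError('cyclic value');
    ancestors.add(v);
    if (Array.isArray(v)) {
      add(2); // the brackets
      for (let i = 0; i < v.length; i++) { // index loop so holes count as null
        if (i > 0) add(1); // comma
        if (isDropped(v[i])) add(4); else walk(v[i]); // dropped items become null
      }
    } else {
      add(2); // the braces
      let first = true;
      for (const key of Object.keys(v)) {
        if (isDropped(v[key])) continue; // dropped properties are omitted
        if (!first) add(1); // comma
        first = false;
        add(JSON.stringify(key).length + 1); // "key":
        walk(v[key]);
      }
    }
    ancestors.delete(v);
  }
  walk(value);
  return size;
}

function checkSerializedSize(value, limit) { // return-path gate
  try { return { ok: true, size: estimateSerializedSize(value, limit) }; }
  catch (err) { return { ok: false, reason: err.message }; }
}
```

A sparse `new Array(1e7)` is rejected after a few hundred loop steps, since every hole is charged as `null` before anything is serialized or densified.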
ast-guard@2.4.0
ast-guard v2.4.0
📦 npm: ast-guard@2.4.0
Added
- The resource exhaustion rule and the AgentScript preset now accept allowDynamicArrayFill, letting environments with runtime memory patches permit computed Array.fill sizes.
enclave-vm@2.6.0
enclave-vm v2.6.0
📦 npm: enclave-vm@2.6.0
Added
- Stack-trace hardening scripts now run in both the single-VM adapter and worker pool so sandboxed errors only return redacted frames, and a new sanitizeStackTraces option is propagated through the double-VM bootstrap (libs/enclave-vm/src/adapters/vm-adapter.ts, libs/enclave-vm/src/double-vm/parent-vm-bootstrap.ts).
- STRICT/SECURE executions now record code-generation attempts via policy-violation reporters and return SecurityViolationError payloads when user code suppresses the original throw (libs/enclave-vm/src/adapters/vm-adapter.ts, libs/enclave-vm/src/adapters/worker-pool/worker-script.ts, libs/enclave-vm/src/double-vm/double-vm-wrapper.ts).
- Local LLM scoring exposes the DISABLE_MODEL_LOAD_ENV constant, honors ENCLAVE_DISABLE_LOCAL_LLM_MODEL=1, and defaults its cache under ~/.enclave/models for better operator control (libs/enclave-vm/src/scoring/scorers/index.ts, libs/enclave-vm/src/scoring/scorers/local-llm.scorer.ts).
Changed
- User-provided globals, safe runtime helpers, and console bridges are now installed as non-enumerable, non-configurable descriptors to block Object.assign/Object.values reconnaissance in the sandbox (libs/enclave-vm/src/adapters/vm-adapter.ts, libs/enclave-vm/src/double-vm/parent-vm-bootstrap.ts).
- Safe runtime utilities and tool bridge errors are wrapped with prototype-severing helpers so attacker code cannot reach Function via error.constructor.constructor (libs/enclave-vm/src/double-vm/double-vm-wrapper.ts, libs/enclave-vm/src/safe-runtime.ts).
Fixed
- DoubleVmWrapper now surfaces MemoryLimitError data emitted from sandbox-side tracking so callers receive accurate used/limit bytes even when the sandbox throws its own payload (libs/enclave-vm/src/double-vm/double-vm-wrapper.ts).
Security
- MemoryTracker enforcement now tracks cumulative allocations made through patched repeat/join/pad helpers by delegating to a host-side callback, preventing incremental heap exhaustion (libs/enclave-vm/src/adapters/vm-adapter.ts, libs/enclave-vm/src/double-vm/parent-vm-bootstrap.ts).
- Sandbox stack traces have their formatters locked and frames redacted to avoid leaking host file paths or line numbers (libs/enclave-vm/src/adapters/vm-adapter.ts, libs/enclave-vm/src/double-vm/parent-vm-bootstrap.ts).
- STRICT/SECURE modes fail closed whenever the sandbox attempts code generation or other blocked operations, even if user code catches the initial exception (libs/enclave-vm/src/adapters/vm-adapter.ts, libs/enclave-vm/src/adapters/worker-pool/worker-script.ts, libs/enclave-vm/src/double-vm/double-vm-wrapper.ts).
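Added example (illustrative code, not enclave-vm's createSafeError or its stack-trace hardening) of the two ideas in the prototype-severing and frame-redaction bullets above and in the 2.7.0 createSafeError note: a host error is copied into a null-prototype, frozen object so there is no constructor to walk to the host realm's Error or Function, and each stack frame is reduced to its function name so no host file path or line number crosses into the sandbox. Names, the frame regex, and the `<redacted>` placeholder are assumptions.

```javascript
// Added example, not enclave-vm's code. Keep only the function name of each
// V8 frame ("    at fn (file:line:col)"); the location is replaced wholesale.
function redactStack(stack) {
  const [header, ...frames] = String(stack).split('\n');
  const kept = frames.map((line) => {
    const m = /^\s*at\s+(.+?)\s*\(/.exec(line); // frames without "(" are anonymous
    return `    at ${m ? m[1] : '<anonymous>'} (<redacted>)`;
  });
  return [header, ...kept].join('\n');
}

// Copy a host-generated error (or a thrown string) into an object with no
// prototype at all: safe.constructor is undefined, so constructor.constructor
// cannot reach Function, and the copy is frozen against later tampering.
function createSafeError(hostError) {
  const name = typeof hostError?.name === 'string' ? hostError.name : 'Error';
  const message =
    typeof hostError?.message === 'string' ? hostError.message : String(hostError);
  const stack =
    typeof hostError?.stack === 'string' ? hostError.stack : `${name}: ${message}`;
  const safe = Object.create(null); // severs the prototype chain entirely
  Object.defineProperty(safe, 'name', { value: name, enumerable: true });
  Object.defineProperty(safe, 'message', { value: message, enumerable: true });
  Object.defineProperty(safe, 'stack', { value: redactStack(stack) });
  return Object.freeze(safe);
}

// Host-side self-check: does any prototype walk from `value` expose a function?
// A plain Error answers true (Error, then Function); a safe error answers false.
function reachesFunction(value) {
  for (let o = value; o !== null && o !== undefined; o = Object.getPrototypeOf(o)) {
    if (typeof o.constructor === 'function') return true;
  }
  return false;
}
```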
ast-guard@2.3.0
ast-guard v2.3.0
📦 npm: ast-guard@2.3.0
Added
- AgentScript preset now enables the new NoJsonCallbacksRule that blocks JSON.stringify/parse when replacer or reviver callbacks are supplied to prevent property-enumeration leaks (libs/ast-guard/src/presets/agentscript.preset.ts, libs/ast-guard/src/rules/no-json-callbacks.rule.ts).
- ResourceExhaustionRule gained maxArrayFillSize and detection for Array(n).fill()/Array(n) patterns so large fills or dynamically sized arrays are reported before execution (libs/ast-guard/src/rules/resource-exhaustion.rule.ts).
Changed
- AgentScript preset documentation comments reflect the new array-fill coverage for Vector 1110 style attacks (libs/ast-guard/src/presets/agentscript.preset.ts).
vectoriadb@2.0.2
vectoriadb v2.0.2
📦 npm: vectoriadb@2.0.2
Fixed
- Regex vulnerability detection now trims analyzed patterns to 500 characters and evaluates them through bounded helper regexes to avoid the analyzer triggering ReDoS.
- Redis namespace sanitization bounds the namespace prior to regex processing and swaps in precompiled SAFE_PATTERNS to strip control characters and unsafe symbols deterministically.
Security
- Hardened both the regex analyzer and namespace sanitizer so untrusted input can no longer leverage those code paths for ReDoS attacks.
enclave-vm@2.5.0
enclave-vm v2.5.0
📦 npm: enclave-vm@2.5.0
Added
- The serialized worker protocol now carries a securityLevel flag so worker-pool executions mirror the AST guard preset in use.
- Worker sandbox utilities now derive security-level-specific global maps, and the Enclave validator pulls its base allow list from getAgentScriptGlobals before appending custom globals.
Changed
- serializeError now tolerates string throws from transformed loop guards before sanitizing stack traces.
Security
- Sandbox creation now exposes only the globals permitted for the selected security level, removing constructors like console, Promise, or RegExp under stricter tiers for defense in depth.
- The double-VM bootstrap instantiates safe objects using inner-context intrinsics, makes the injected __host_vm_module__ removable, and nulls vm.createContext / vm.Script before user code executes.
ast-guard@2.2.0
ast-guard v2.2.0
📦 npm: ast-guard@2.2.0
Added
- The AgentScript transformer now whitelists the URI encoding helpers (encodeURI, decodeURI, encodeURIComponent, decodeURIComponent) so they survive transformation.
- The AgentScript preset exports security-level-specific global lists (AGENTSCRIPT_*) and a getAgentScriptGlobals helper, and accepts a new securityLevel option; the public index also re-exports the new constants and the SecurityLevel type.
Changed
- Default AgentScript allowed globals are derived from the chosen security level (falling back to STANDARD) before merging in user-specified identifiers.
Fixed
- The regex pre-scanner analyzes user patterns through the new safePatternTest / safePatternMatch helpers so the detector's own regular expressions are not exploitable.
Security
- ReDoS detection patterns now use bounded quantifiers and truncate inspected patterns, eliminating analyzer-driven ReDoS vectors.
enclave-vm@2.4.0
enclave-vm v2.4.0
📦 npm: enclave-vm@2.4.0
Added
- When a memoryLimit is configured the VM patches String.repeat/pad* and Array.join before execution so they enforce quotas and throw MemoryLimitError instead of allocating unbounded buffers (libs/enclave-vm/src/adapters/vm-adapter.ts:547-632; libs/enclave-vm/src/memory-proxy.ts:45-195).
- Double VM hosts now propagate memoryLimit metadata into the parent/inner bootstrap so the same pre-allocation guards run inside nested sandboxes (libs/enclave-vm/src/double-vm/double-vm-wrapper.ts:205-246; libs/enclave-vm/src/double-vm/parent-vm-bootstrap.ts:776-870).
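Added example (illustrative code, not enclave-vm's MemoryTracker or memory-proxy) of the pre-allocation quota idea behind the String.repeat/pad* and Array.join patches in this release, the cumulative host-side accounting described in 2.6.0, and the Array.prototype.fill tracking in 2.7.0: each patched helper charges the bytes it is about to allocate to one cumulative tracker and throws a MemoryLimitError before any buffer exists. The byte costs (2 per UTF-16 code unit, 8 per array slot), the helper names, and patching the current realm with restore-on-exit instead of a sandbox context's intrinsics are assumptions made to keep the example self-contained.

```javascript
// Added example, not enclave-vm's code. Errors carry used/limit bytes so the
// caller can see how far over the quota the rejected allocation would have gone.
class MemoryLimitError extends Error {
  constructor(used, limit) {
    super(`memory limit exceeded: ${used} of ${limit} bytes`);
    this.name = 'MemoryLimitError';
    this.used = used;
    this.limit = limit;
  }
}

class MemoryTracker {
  constructor(limit) { this.limit = limit; this.used = 0; }
  charge(bytes) { // cumulative: many small allocations hit the same limit
    if (this.used + bytes > this.limit) throw new MemoryLimitError(this.used + bytes, this.limit);
    this.used += bytes;
  }
}

// Patch the realm's intrinsics (here the current realm; a VM adapter would patch
// the sandbox context's String/Array), run `fn`, and always restore the originals.
function withMemoryGuards(limit, fn, realm = globalThis) {
  const tracker = new MemoryTracker(limit);
  const origRepeat = realm.String.prototype.repeat;
  const origFill = realm.Array.prototype.fill;
  realm.String.prototype.repeat = function repeat(count) {
    const n = Number(count);
    const units = Number.isFinite(n) && n > 0 ? Math.trunc(n) : 0;
    tracker.charge(this.length * units * 2); // charged before the buffer exists
    return origRepeat.call(this, count); // original keeps its own RangeErrors
  };
  realm.Array.prototype.fill = function fill(value, start, end) {
    // A sparse Array(n) becomes dense here; charge the full length as a bound.
    tracker.charge((Number(this.length) || 0) * 8);
    return origFill.call(this, value, start, end);
  };
  try {
    return { result: fn(), used: tracker.used };
  } finally {
    realm.String.prototype.repeat = origRepeat;
    realm.Array.prototype.fill = origFill;
  }
}
```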
Changed
- AgentScript validation now happens before the sidecar/memory transforms so constructor obfuscation is caught before __safe_concat instrumentation alters the AST (libs/enclave-vm/src/enclave.ts:304-354).
Security
- Sandbox contexts install a SafeObject that strips defineProperty/defineProperties/setPrototypeOf/getOwnPropertyDescriptor(s) to block serialization hijacks and prototype pollution attacks (libs/enclave-vm/src/adapters/vm-adapter.ts:275-360).
- All VM entry points disable codeGeneration for strings/wasm and expand the set of removed Node.js 24 globals (Function, eval, Proxy, SharedArrayBuffer, WeakRef, etc.), closing multiple escape vectors (libs/enclave-vm/src/adapters/vm-adapter.ts:549-636; libs/enclave-vm/src/adapters/worker-pool/worker-script.ts:135-161; libs/enclave-vm/src/double-vm/double-vm-wrapper.ts:205-246; libs/enclave-vm/src/double-vm/parent-vm-bootstrap.ts:55-120,776-870).
enclave-vm@2.3.0
enclave-vm v2.3.0
📦 npm: enclave-vm@2.3.0
Added
- Expose configurable rapid-enumeration thresholds and per-operation overrides to the double VM validator so enumeration detection can be tuned per workload.
- Propagate the __maxIterations runtime global through the worker pool, safe runtime, and parent VM bootstrap to enforce ast-guard's loop iteration limits.
- The local LLM scorer now accepts a customAnalyzer plug-in, enabling external LLMs or static analyzers to provide risk signals.
Changed
- Validation failures now deduplicate issues and include line numbers for clearer error reporting.
- Rapid-enumeration suspicious-pattern detection now uses the configurable thresholds/overrides when evaluating tool call history.
- Keyword-based scoring heuristics were refined and the scorer cleanup path now disposes custom analyzers.
Fixed
- Double VM wrapper now normalizes thrown string errors (e.g., loop limit violations) so sandbox failures return structured execution errors.
ast-guard@2.1.0
ast-guard v2.1.0
📦 npm: ast-guard@2.1.0
Added
- Introduced ResourceExhaustionRule to detect BigInt exponentiation with huge exponents, oversized array constructors, string repeat/join bombs, and constructor/property obfuscation attempts (libs/ast-guard/src/rules/resource-exhaustion.rule.ts:1-239).
- AgentScript preset now enables ResourceExhaustionRule with sane defaults so DoS-style scripts are blocked by default and the rule is exported for custom presets (libs/ast-guard/src/presets/agentscript.preset.ts:434-447; libs/ast-guard/src/rules/index.ts:5-23).