Skip to content

Releases: opena2a-org/hackmyagent

v0.25.0

Choose a tag to compare

@github-actions github-actions released this 07 Jul 19:29
294ed4a

Detection-gap release: findings that fired internally in 0.24.0 but never reached users now surface in output, score, and exit code.

Fixed detection gaps

  • CRED-002 / PERM-001 now reach the user (#250). Both fired internally but never set a file, so the concrete-findings filter dropped them from output, score, and exit code — an un-ignored private key produced no visible >=HIGH signal on 0.24.0. CRED-002 now attributes the first key file with a runnable remediation and scans recursively (never a false clean bill); PERM-001 attributes the first offending file.
  • GIT-001/002/003 severity is existence-aware, backed by git check-ignore (#250). A missing/incomplete .gitignore is a LOW advisory when nothing committable matches, and HIGH naming the actual files when a genuinely un-ignored secret exists — removing the inversion where a partial .gitignore scored worse than none. Committability honors negations, root-anchoring, dir-only rules, and nested ignores.
  • CRED-001 now scans secrets.json / credentials.json (#250).
  • scan-soul can no longer be satisfied by the vocabulary of an attack, and check no longer flags prose-hardened SOULs (#251). Direction-aware control matching + six first-class governance-violation classes (override-compliance mandate, deception mandate, oversight disclaimer, exfiltration channel, persistence installation, identity-by-claim) render as HIGH file:line blocks, clamp the score, and fail --ci. Corpus soul tiers now order correctly: benign 19 (0 violations) > buggy 7 > malicious 4 (9 violations).
  • Security-taxonomy / coverage documents no longer false-positive as credential access (AST-CRED-002/003, #256).
  • git check-ignore / git ls-files stdin EPIPE can no longer crash a scan (#264). An async pipe error when git exits early is now handled at both spawn sites; committability still resolves conservatively (fail-safe: over-report as committable, never mark a secret ignored).

Security

  • Pinned @opena2a/aim-sdk to 1.0.2 (moves transitive @opena2a/atx-verify 0.2.0 -> 0.3.0), closing the post-signing declaredPurpose tamper gap that 0.24.0 shipped in its arp re-export path.

Supply chain

Published via npm Trusted Publishing (GitHub Actions OIDC, no long-lived token). SLSA v1 provenance attached.

Verify:

  • npm view hackmyagent@0.25.0 dist.attestations --json (non-empty, predicateType slsa.dev/provenance/v1)
  • npm audit signatures after npm install hackmyagent@0.25.0

v0.24.0

Choose a tag to compare

@github-actions github-actions released this 06 Jul 13:54

hackmyagent 0.24.0 ships the ARP runtime cutover: the runtime-protection engine now lives in @opena2a/aim-sdk, and hackmyagent/arp is a thin re-export of @opena2a/aim-sdk/arp (pinned 1.0.1). Every existing hackmyagent/arp consumer — including arp-guard and the arp CLI — keeps working unchanged (verified from both CommonJS and ESM on the published artifact).

Highlights

  • ARP shim (#249): src/arp re-exports @opena2a/aim-sdk/arp; the scan-time surface (static scanner, hardening rules, artifact parsing, NanoMind artifact classification) stays in hackmyagent. The OASB behavioral suite exercises the SDK module through the re-export as a drift guard.
  • @opena2a/aim-sdk pinned to 1.0.1: typed ConfigurationError, EventEngine.emit input validation, CJS error-class constructor.name, ./package.json export.
  • Security: bumped hono (path-traversal, CORS wildcard-with-credentials, body-limit bypass GHSA cluster) and js-yaml (merge-key quadratic DoS, GHSA-h67p-54hq-rp68) via in-range npm audit fix. Production npm audit is clean.
  • detect help now states machine-wide discovery always runs (#245).

Scanner behavior is unchanged from 0.23.11.

Known pre-existing scanner follow-ups (tracked, not regressions)

  • #250 — GIT-002 .gitignore severity inversion (partial .gitignore scores HIGH while missing scores LOW); needs the existence-aware design.
  • #251 — scan-soul cannot evaluate prose-hardened SOULs; check emits a false HIGH on the same artifact.
  • #252 — raw classifier intent label surfaced on benign artifacts in the Observations line.

Provenance

Published to the npm registry via GitHub Actions OIDC trusted publishing with SLSA v1 provenance. Verify: npm view hackmyagent@0.24.0 dist.attestations --json

What's Changed

Full Changelog: v0.23.11...v0.24.0

v0.23.11

Choose a tag to compare

@github-actions github-actions released this 19 Jun 02:23

Highlights

  • GIT-003 (.env Not Ignored) is now content-aware (#242). A secret-less .env (e.g. PORT=3000) is HIGH preventive hygiene instead of CRITICAL "contains API keys"; an .env holding a real secret stays CRITICAL. Two-tier secret detection (vendor keys / JWT / user:pass@host URLs key-independent; opaque values gated by a credential-shaped key) so neither key-rename evasion nor ${VAR}-interpolated DSNs miscalibrate the severity.
  • MEM-006 (Memory store without input sanitization) no longer false-positives on local render arrays (#244). lines.push({ text }) / out.push({ text }) are no longer flagged as memory stores; the push verb now requires a persistence-semantic receiver, so real conversationMemory.push / vectorStore.push poisoning still fires.
  • scan-soul verdict now distinguishes applicable controls from the full catalog and discloses skipped domains; scan-soul --explain explains the 11–19 domain numbering.
  • detect accepts --contribute / --no-contribute; explain <SOUL-XX-NNN> renders the specific control; ARP runtime assembles ordered in-scope action sequences with detection-only classification.

See CHANGELOG.md for the full list.

Provenance

Published via npm Trusted Publishing (GitHub Actions OIDC) — no long-lived token. Verify the SLSA attestation:

npm view hackmyagent@0.23.11 dist.attestations --json

v0.23.10

Choose a tag to compare

@github-actions github-actions released this 08 Jun 11:12

What's Changed

Full Changelog: v0.23.9...v0.23.10

v0.23.9

Choose a tag to compare

@github-actions github-actions released this 07 Jun 02:14

Added

  • First-party scanner provenance on --publish. When HMA_SCANNER_SIGNING_KEY (a dedicated Ed25519 seed, runtime-env only) is set, a published scan self-tags source=first_party_scanner and signs the registry strong canonical (name|version|score|maxScore|source|nonce|signedAt) so the registry can authenticate the claim. End-user --publish runs (no key) publish as community — the safe default. Signing fails closed (never crashes a publish). Uses the shared @opena2a/registry-client FirstPartySigner 0.2.0.
  • AST-SCOPE-004 — adversarial configuration directives. The scope analyzer now flags agent_config / mcp_config artifacts whose configuration flags are themselves the attack (self-escalation, RBAC/validation bypass, audit evasion, covert persistence, credential harvesting). Value-guarded, artifact-gated, validated against the OASB benign corpus (190 samples) with zero FPs.

Provenance

Published via npm Trusted Publishing (GitHub Actions OIDC) with SLSA v1 attestations. Verify:
```
npm view hackmyagent@0.23.9 dist.attestations --json
```

v0.23.8

Choose a tag to compare

@github-actions github-actions released this 05 Jun 06:09

What's Changed

Full Changelog: v0.23.7...v0.23.8

v0.23.7

Choose a tag to compare

@github-actions github-actions released this 05 Jun 01:48

What's Changed

Full Changelog: v0.23.6...v0.23.7

v0.23.6

Choose a tag to compare

@github-actions github-actions released this 02 Jun 02:46
4f72550

hackmyagent 0.23.6

Bug-fix release. Two scanner false-positive paths resolved + adversarial-review hardening.

Fixes (PR #214)

  • create-skill scaffold no longer trips its own check skill scan. Previously the scaffolded SOUL.md emitted HIGH findings on the same scaffold the command produced -- a dead-end for new users following the tool's own suggestions.
  • harden-soul + scan-soul rescan loop now produces 100/100 HARDENED on the empty-tree gold path. Previously the loop left the rescan score below the hardened threshold.
  • Section-aware constraint extraction: constraints are now classified by markdown section heading (Trust Hierarchy, Capability Boundaries, Injection Hardening, Data Handling) rather than by text-regex only, so constraints declared under their domain heading count toward that domain.

Adversarial-review hardening

  • SOUL-OVERRIDE-001: decoy-negation gate (e.g. Never ... unless ... no longer satisfies the override-resistance check by accident).
  • AST-PROMPT-004: sibling-decoy detector tightened.
  • LIFECYCLE-001: realpath dedupe (case-insensitive double-load surface).
  • YAML strip on prompt-analyzer noise filter (frontmatter no longer counts as prompt text).

Trusted Publishing

This release is the first hackmyagent publish under npm Trusted Publishing (OIDC) since the workflow was upgraded. Verify provenance:

npm view hackmyagent dist.attestations --json

Expected: a predicateType of https://slsa.dev/provenance/v1.

Known follow-up

  • hackmyagent#216: scan-soul --profile <override> returns 100/100 HARDENED on the malicious-corpus kitchen-sink fixture (user-explicit profile override bypasses the auto-detection scope clamp). Not a 0.23.6 regression. Default scan-soul correctly clamps + discloses scope.

Full Changelog: v0.23.4...v0.23.6

v0.23.4

Choose a tag to compare

@github-actions github-actions released this 28 May 02:04
337ee08

What's Changed

  • fix(scanner): suppress NEMO-009 + AST-CRED-* false positives on test files, training corpora, and integrity manifests (nanomind#26) by @thebenignhacker in #192
  • chore: merge 0.23.3 release commits back to main by @thebenignhacker in #199
  • fix(check): query Registry with bare PyPI name (drop pip: prefix) [0.23.4] by @thebenignhacker in #198

Full Changelog: v0.23.2...v0.23.4

v0.23.3

Choose a tag to compare

@github-actions github-actions released this 27 May 12:24

What's Changed

  • fix(scanner): suppress NEMO-009 + AST-CRED-* false positives on test files, training corpora, and integrity manifests (nanomind#26) by @thebenignhacker in #192

Full Changelog: v0.23.2...v0.23.3