HN 표시: AI 에이전트 작업에 대한 정책을 시행하는 Rust 런타임인 Agent Armor

Zero-trust governance runtime for AI agent actions v0.3.0 • Quick Start • Community Features • Docs • Testing 0.3.0 is the current community-scope release in this repository. It ships a working open-core runtime with: - the full 8-layer governance pipeline - response scanning, rate limiting, fingerprinting, and threat intel - SQLite by default plus optional PostgreSQL support - versioned storage migrations via sqlx - structured logging with log-level control - HTTP request correlation with x-request-id - pipeline correlation with traceId - live HTTP end-to-end tests that exercise the running server It does not attempt to ship the enterprise roadmap in this release. AI agents now get shell access, file access, HTTP access, database access, and secret access. Most stacks can execute tool calls, but they do not govern them well. Agent Armor sits in front of those actions and decides: allow review block with an audit trail, risk scoring, and per-layer evidence. - 8-layer deterministic governance pipeline - MCP-aware inspection path - ACP and A2A protocol inspection with built-in envelope validation - policy evaluation with workspace thresholds - secret reference planning - human review queue - audit trail and audit export - MCP proxy mode and MCP server mode over stdio - response scanning for secrets and PII in outputs - per-agent rate limiting - behavioral fingerprinting - threat intelligence feed and checks - SSE and webhook event delivery with DLQ - SQLite storage backend - optional PostgreSQL backend behind --features postgres - versioned migrations in community/migrations/ agent-armor migrate for schema bootstrap/update- structured logging: pretty ,compact ,json - log filtering via RUST_LOG orAGENT_ARMOR_LOG_LEVEL - request/response correlation with x-request-id - governance result correlation with traceId The following community items are still missing or incomplete: - framework adapters - persistence refactors for modules that still keep runtime state in memory nhi ,session_graph ,taint ,fingerprint , and firewall stats still need a fuller storage move The dashboard is now a live operator console backed by real runtime endpoints. It supports: - live overview metrics sourced from the audit, review, session, and analytics APIs - audit browsing with client-side filtering and CSV export of visible rows - a real review queue with approve and reject actions - selected-agent drill-down backed by analytics, fingerprint, and rate-limit endpoints - runtime controls and posture panels backed by health, firewall, threat intel, telemetry, and policy verification data When the runtime is protected, the dashboard requires a valid API key and does not fall back to fake demo counters. cd community cargo build --release # Create a key before starting the server ./target/release/agent-armor gen-key --label local-dev # Start the runtime ./target/release/agent-armor serve Open http://localhost:4010 for the dashboard. docker compose up -d docker compose exec agent-armor ./agent-armor gen-key --label local-dev Protected /v1/* routes require a Bearer token. Preferred bootstrap path: cd community ./target/release/agent-armor gen-key --label local-dev ./target/release/agent-armor serve For local exploration only, you can opt into open mode: AGENT_ARMOR_OPEN_MODE=true ./target/release/agent-armor serve # Health curl http://localhost:4010/health # Inspect a safe action curl -X POST http://localhost:4010/v1/inspect \ -H "Authorization: Bearer " \ -H "Content-Type: application/json" \ -d '{ "agentId": "openclaw-builder-01", "workspaceId": "ws-demo", "framework": "openclaw", "protocol": "mcp", "action": { "type": "file_read", "toolName": "filesystem.read", "payload": { "path": "README.md", "intent": "read documentation" } } }' # Scan a tool response for leaked credentials curl -X POST http://localhost:4010/v1/response/scan \ -H "Authorization: Bearer " \ -H "Content-Type: application/json" \ -d '{ "requestId": "scan-1", "agentId": "openclaw-builder-01", "toolName": "terminal.exec", "responsePayload": { "secret": "AKIA1234567890ABCDEF" } }' # Export audit data curl "http://localhost:4010/v1/audit/export?format=csv" \ -H "Authorization: Bearer " Run the built-in MCP client example to exercise initialize , tools/list , and tools/call against agent-armor mcp-server over stdio: cd community cargo run --example mcp_stdio_client The example uses a temporary SQLite database, seeds demo policies, and prints the JSON-RPC responses for: initialize tools/list agentarmor.inspect agentarmor.response_scan All current docs for 0.3.0 are linked here. | Document | Purpose | |---|---| docs/ARCHITECTURE.md | Current runtime architecture and module boundaries | docs/DEMO.md | Demo and local walkthrough | docs/CASE_STUDY.md | Historical v2 benchmark and evaluation write-up | This README.md is the canonical summary of shipped community capabilities, verification status, and current limits. community/src/ |- main.rs # CLI entrypoint and runtime bootstrap |- core/ # Types and errors |- server/ # Axum router and shared state |- pipeline/ # 8-layer governance orchestration |- modules/ # DPI, taint, NHI, risk, sandbox, policy, firewall, telemetry |- events/ # SSE, webhooks, event bus |- auth/ # API keys and Bearer middleware |- mcp_server/ # MCP server mode |- mcp_proxy/ # MCP proxy mode |- demo/ # Seed data and demo scenarios `- storage/ |- traits.rs # Storage abstractions |- migrations.rs # sqlx migration runner |- sqlite.rs # SQLite backend `- postgres.rs # PostgreSQL backend - default backend: SQLite - optional backend: PostgreSQL - migration folders: community/migrations/sqlite/ community/migrations/postgres/ AGENT_ARMOR_LOG_FORMAT=pretty|compact|json AGENT_ARMOR_LOG_LEVEL=info|debug|warn|error RUST_LOG still supported- every HTTP response gets x-request-id - every governance decision returns traceId GET / GET /health POST /v1/inspect GET /v1/audit GET /v1/audit/export GET /v1/audit/stats GET /v1/reviews GET/POST /v1/profiles GET/PUT/DELETE /v1/profiles/:id GET/POST /v1/workspaces GET/PUT/DELETE /v1/workspaces/:id POST /v1/response/scan GET /v1/response/patterns GET /v1/rate-limit/status/:agent_id GET/POST /v1/rate-limit/config GET /v1/firewall/stats POST /v1/firewall/scan GET /v1/telemetry/spans GET /v1/events/stream GET/POST /v1/auth/keys DELETE /v1/auth/keys/:id GET /v1/nhi/identities POST /v1/nhi/challenge POST /v1/nhi/verify 0.3.0 is verified at four layers: - unit tests - property tests - direct integration tests - live HTTP end-to-end tests Current automated coverage: 99 unit tests19 property tests7 integration tests4 end-to-end HTTP tests Total: 129 tests. Run them with: cd community # Full suite cargo test # HTTP E2E only cargo test --test e2e_http_tests # PostgreSQL build verification cargo check --features postgres The HTTP E2E tests make real requests against a running Axum server and verify: - Bearer auth GET /health POST /v1/inspect POST /v1/response/scan GET /v1/audit GET /v1/audit/export?format=csv - authenticated key creation - demo scenario execution x-request-id propagationtraceId emission in governance responses Community scope is intentionally narrower than the old enterprise v3 concept. Community keeps: - runtime governance - storage backends - migrations - logging and observability basics - CLI, HTTP API, MCP proxy, dashboard, and tests Community does not currently include: - multi-tenant isolation - SSO / SAML / JWT / RBAC - SIEM integrations - ML firewall features - enterprise admin UX See CONTRIBUTING.md . Agent Armor is a governance layer, not a complete security program. Use it as part of a broader security posture.