A modern proof-of-concept implementation of the A2AS (Agent-to-Agent Security) framework demonstrating Behavior Certificates, Authenticated Prompts, Security Boundaries, and Enforcement Gates. Inspired by the A2AS Paper.
- Node.js 22 - Latest LTS with performance improvements
- TypeScript 5.4 - Full type safety and modern language features
- Vitest - Fast testing framework with UI support
- ESLint + Prettier - Code quality and formatting
- Zod - Runtime type validation
- Winston - Structured logging
- ES Modules - Modern JavaScript module system
This PoC shows how to secure LLM agents by:
- Behavior Certificates: Define what actions an agent is allowed to perform
- Authenticated Prompts: HMAC-signed prompts to prevent tampering
- Enforcement Proxy: Blocks disallowed actions even if the LLM outputs them
- In-Context Defenses: Structured context to guide LLM behavior
- Policy Engine: Pattern-based policy evaluation
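The Authenticated Prompts idea can be sketched with Node's built-in `crypto` module. `signPrompt`/`verifyPrompt` below are hypothetical helpers (the PoC's actual implementation lives in `src/utils/signer.js`), and the `agent_id:prompt` message layout is an assumption:

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Sign the prompt with the agent's shared secret from its Behavior
// Certificate, binding the signature to the agent's identity.
export function signPrompt(prompt: string, agentId: string, secret: string): string {
  return createHmac("sha256", secret).update(`${agentId}:${prompt}`).digest("hex");
}

// Recompute and compare in constant time; any tampering with the
// prompt (or a wrong agent_id/secret) changes the HMAC.
export function verifyPrompt(
  prompt: string,
  agentId: string,
  secret: string,
  signature: string
): boolean {
  const expected = signPrompt(prompt, agentId, secret);
  if (expected.length !== signature.length) return false;
  return timingSafeEqual(Buffer.from(expected), Buffer.from(signature));
}
```

`timingSafeEqual` avoids leaking how many signature characters matched through response timing.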
- Node.js 22+
- npm 10+
```bash
# Install dependencies
npm install

# Run in development mode with hot reload
npm run dev

# Type checking
npm run type-check

# Linting and formatting
npm run lint
npm run format

# Run tests
npm run test

# Run tests in watch mode
npm run test:watch

# Run tests with UI
npm run test:ui

# Build TypeScript
npm run build

# Run demo with Mock LLM
npm run start

# Run with Real LLM (optional)
export OPENAI_API_KEY=your_key_here
npm run run-llm
```

```
User Prompt → Controller → LLM Adapter → Enforcement Proxy → Action Execution
                  ↓             ↓               ↓                  ↓
              Signature      Context       JSON Action        Policy Check
             Verification    Building        Parsing           + Sandbox
```
Located in certs/demo-agent-1.json:
```json
{
  "agent_id": "demo-agent-1",
  "secret": "demo-secret-please-change",
  "allowed_tools": {
    "fs": {
      "read": ["./workspace/**"],
      "write": ["./workspace/**"]
    },
    "http": {
      "GET": ["https://api.github.com/*"]
    },
    "shell": []
  },
  "deny_patterns": ["aws", "ssh", "id_rsa", "PRIVATE_KEY", "rm -rf"],
  "max_filesize_bytes": 1048576,
  "require_human_before_sensitive_write": true
}
```

- HMAC-SHA256 prompt signing
- Path allowlisting for file operations
- Pattern-based exfiltration detection
- Shell command sandboxing
- Human escalation for sensitive operations
- Structured logging with secret masking
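A load-time shape check for the certificate could look like the sketch below. The stack lists Zod for runtime validation; this dependency-free type guard (`isBehaviorCertificate` is a hypothetical name) just shows the fields the demo cert must carry:

```typescript
// Shape of certs/demo-agent-1.json, mirroring the demo certificate.
interface BehaviorCertificate {
  agent_id: string;
  secret: string;
  allowed_tools: Record<string, unknown>;
  deny_patterns: string[];
  max_filesize_bytes: number;
  require_human_before_sensitive_write: boolean;
}

// Reject malformed certificates before any prompt is signed or any
// policy decision is made against them.
export function isBehaviorCertificate(value: unknown): value is BehaviorCertificate {
  if (typeof value !== "object" || value === null) return false;
  const c = value as Record<string, unknown>;
  return (
    typeof c.agent_id === "string" &&
    typeof c.secret === "string" &&
    typeof c.allowed_tools === "object" && c.allowed_tools !== null &&
    Array.isArray(c.deny_patterns) &&
    c.deny_patterns.every((p) => typeof p === "string") &&
    typeof c.max_filesize_bytes === "number" &&
    typeof c.require_human_before_sensitive_write === "boolean"
  );
}
```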
The adversarial test harness includes:
- `rm -rf /` shell execution → DENY
- Reading `~/.aws/credentials` → DENY
- HTTP GET to `api.github.com` → ALLOW (mock)
- Base64-obfuscated instructions → DENY
- Sensitive write operations → ESCALATE
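The verdicts above can be reproduced with a simplified evaluator. `evaluate` and its escalation regex are illustrative stand-ins for the PoC's policy engine, not its actual API:

```typescript
type Verdict = "ALLOW" | "DENY" | "ESCALATE";

interface PolicyCert {
  deny_patterns: string[];
  require_human_before_sensitive_write: boolean;
}

// deny_patterns take priority; sensitive writes escalate to a human;
// everything else falls through to ALLOW (the real PoC would still
// check the tool allowlist at this point).
export function evaluate(action: string, cert: PolicyCert): Verdict {
  const lower = action.toLowerCase();
  if (cert.deny_patterns.some((p) => lower.includes(p.toLowerCase()))) {
    return "DENY";
  }
  if (
    cert.require_human_before_sensitive_write &&
    /write\s+.*\.(env|pem|key)/.test(lower)
  ) {
    return "ESCALATE";
  }
  return "ALLOW";
}
```

Note that the `~/.aws/credentials` read is denied purely by the `aws` substring pattern, which is why pattern lists like this over-block as often as they under-block.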
```
├── src/
│   ├── controller.js         # Main coordinator
│   ├── enforcement.js        # Enforcement proxy
│   ├── policy.js             # Policy evaluator
│   ├── llm-adapter/
│   │   ├── mock-llm.js       # Mock LLM for testing
│   │   └── openai-adapter.js # Optional OpenAI adapter
│   └── utils/
│       ├── signer.js         # HMAC signing utilities
│       ├── parser.js         # LLM output parser
│       └── sandbox-exec.js   # Safe execution wrapper
├── certs/
│   └── demo-agent-1.json     # Behavior Certificate
├── tests/
│   └── adversarial-tests.js  # Test harness
├── examples/
│   └── sample-signed-prompt.json
└── logs/                     # JSONL action logs
```
- PoC Only: Not production-ready
- Mock Execution: Real shell commands are simulated
- Simple PKI: Uses shared secrets, not certificates
- Basic Sandboxing: Limited process isolation
- No Human Review UI: Escalations are written to a file
- Implement proper PKI with X.509 certificates
- Add container-based sandboxing
- Build human review dashboard
- Add metrics and monitoring
- Implement distributed policy management
- Add more sophisticated pattern matching
```bash
npm run sign-prompt "List files in workspace"
```

Example output:

```json
{
  "prompt": "List files in workspace",
  "agent_id": "demo-agent-1",
  "signature": "a1b2c3d4...",
  "timestamp": "2024-01-01T00:00:00Z"
}
```
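On the receiving side, a signed prompt like the one above could be checked as sketched below. Field names match the example JSON, but the `agent_id:timestamp:prompt` layout and the 5-minute freshness window are assumptions, not the PoC's documented behavior:

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Mirrors the sign-prompt output shown above.
interface SignedPrompt {
  prompt: string;
  agent_id: string;
  signature: string;
  timestamp: string;
}

export function signPromptMessage(
  prompt: string,
  agentId: string,
  timestamp: string,
  secret: string
): string {
  return createHmac("sha256", secret)
    .update(`${agentId}:${timestamp}:${prompt}`)
    .digest("hex");
}

export function verifySignedPrompt(
  msg: SignedPrompt,
  secret: string,
  maxAgeMs = 5 * 60_000,
  now = Date.now()
): boolean {
  // Reject stale or future-dated messages to limit replay.
  const age = now - Date.parse(msg.timestamp);
  if (!(age >= 0 && age <= maxAgeMs)) return false;
  const expected = signPromptMessage(msg.prompt, msg.agent_id, msg.timestamp, secret);
  if (expected.length !== msg.signature.length) return false;
  return timingSafeEqual(Buffer.from(expected), Buffer.from(msg.signature));
}
```

Signing over the timestamp as well as the prompt means an attacker cannot refresh an old message's timestamp without invalidating its signature.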