Skip to content

v1.0.0 — OAuth 2.1, Compliance Engine, Dual-Mode Auth

Latest
Latest

Choose a tag to compare

View all tags
@shivdeep1 shivdeep1 released this 13 Apr 14:18
· 2 commits to main since this release
v1.0.0
e610ae1

What's New

OAuth 2.1 Authorization Server

  • Full OAuth 2.1 authorization server in airlock/oauth/ (14 new files)
  • Client Credentials grant with private_key_jwt authentication — agents use their existing Ed25519 key as OAuth credential (no separate client_secret)
  • EdDSA-signed JWT access tokens with custom trust claims (airlock:trust_score, airlock:trust_tier)
  • RFC 8693 Token Exchange for delegation chains with scope narrowing and cascade revocation
  • Nested act claims for multi-hop delegation (Agent A → B → C), max depth configurable
  • RFC 7662 Token Introspection with live trust data lookup (not just cached token claims)
  • RFC 7591 Dynamic Client Registration for DID-based agents
  • OIDC Discovery (/.well-known/openid-configuration) and JWKS (/.well-known/jwks.json) endpoints
  • FastAPI dependency injection: require_oauth_agent(), require_scope()
  • Feature-flagged: AIRLOCK_OAUTH_ENABLED (default true)

Compliance Engine

  • New airlock/compliance/ module with agent inventory, risk classification, and incident tracking
  • Agent Inventory: thread-safe registry of all AI agents/models with compliance status tracking
  • Risk Classifier: categorizes agents by risk level (low/medium/high/critical) based on capabilities, trust score, and agent type
  • Incident Store: hash-chain integrity for tamper-evident incident records (same pattern as audit trail)
  • Compliance Report Generator: automated scoring with actionable recommendations
  • Regulatory Framework Mapper: maps Airlock features to 7 governance principles and 10 compliance recommendations
  • Bias Detector: statistical analysis of verification outcome disparity and trust score distribution
  • 8 new API endpoints under /compliance/ (inventory CRUD, reports, incidents, risk classification)
  • Feature-flagged: AIRLOCK_COMPLIANCE_ENABLED (default true)

Dual-Mode Identity Verification

  • Orchestrator's verify_signature node renamed to verify_identity
  • Accepts both Ed25519 signatures AND OAuth bearer tokens
  • OAuth validation uses conditional import — graceful fallback to Ed25519 when OAuth module absent
  • Bearer token extracted from Authorization header and threaded through event bus to orchestrator

Semantic Challenge Deprecation

  • challenge_fallback_mode default changed from "ambiguous" to "disabled"
  • When disabled, orchestrator routes directly to issue_verdict (no LLM call)
  • LiteLLM moved from required to optional dependency (pip install airlock-protocol[llm])
  • All import litellm calls guarded with try/except ImportError
  • App starts and runs without LiteLLM installed

Breaking Changes

  • challenge_fallback_mode default is now "disabled" — set AIRLOCK_CHALLENGE_FALLBACK_MODE=ambiguous to restore v0.4.0 behavior
  • litellm is no longer a required dependency — install with pip install airlock-protocol[llm] if needed
  • Orchestrator node verify_signature renamed to verify_identity — affects custom graph extensions

Stats

  • 853 tests passing (up from 760 in v0.4.0)
  • +4,187 lines across 43 files (30 new, 13 modified)
  • 93 new tests covering OAuth, compliance, dual-mode auth, and optional dependencies
  • 107 source files across the project
Assets 3
Loading