release: v2.2.0 — ESRP compliance, configurable security policies, hardening

CHANGELOG.md

@@ -38,6 +38,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - `PUBLISHING.md` guide covering PyPI, npm, and NuGet publishing requirements
 - `agent-runtime` re-export wrapper package (`src/agent_runtime/__init__.py`)
 - `RELEASE_NOTES_v2.2.0.md`
+- `create_policies_from_config()` API — load security policies from YAML config files
+- `SQLPolicyConfig` dataclass and `load_sql_policy_config()` for structured policy loading
+- 10 sample policy configs in `examples/policies/` (sql-safety, sql-strict, sql-readonly, sandbox-safety, prompt-injection-safety, mcp-security, semantic-policy, pii-detection, conversation-guardian, cli-security-rules)
+- Configurable security rules across 7 modules: sandbox, prompt injection, MCP security, semantic policy, PII detection, conversation guardian, CLI checker
 
 ### Changed
 - GitHub Actions `publish.yml` no longer publishes to PyPI (build + attest only)
@@ -47,6 +51,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - All package descriptions prefixed with `Community Edition`
 - License corrected to MIT where mismatched (agent-mesh classifier, 2 npm packages)
 
+### Deprecated
+- `create_default_policies()` — emits runtime warning directing users to `create_policies_from_config()` with explicit YAML configs
+
+### Security
+- Expanded SQL policy deny-list to block GRANT, REVOKE, CREATE USER, EXEC xp_cmdshell, UPDATE without WHERE, MERGE INTO
+- Externalized all hardcoded security rules to YAML configuration across 7 modules
+
 ### Fixed
 - `agent-runtime` build failure (invalid parent-directory hatch reference)
 - Missing `License :: OSI Approved :: MIT License` classifier in 3 Python packages

examples/policies/cli-security-rules.yaml

@@ -0,0 +1,148 @@
+# CLI Security Rules — Sample Configuration
+#
+# ⚠️  IMPORTANT: This is a SAMPLE configuration provided as a starting point.
+# You MUST review, customize, and extend these rules for your specific
+# use case before deploying to production. Microsoft does not guarantee
+# that these rules are comprehensive or sufficient for your security
+# requirements.
+
+version: "1.0"
+name: cli-security-rules
+description: >
+  Sample CLI policy checker rules — defines regex patterns for detecting
+  destructive SQL, file deletion, secret exposure, privilege escalation,
+  code injection, SQL injection, and XSS in source code files.
+
+disclaimer: >
+  This is a sample configuration. It is NOT exhaustive and should be
+  customized for your specific security requirements.
+
+rules:
+  # Destructive SQL
+  - name: block-destructive-sql
+    pattern: '\bDROP\s+(TABLE|DATABASE|SCHEMA|INDEX)\s+'
+    message: "Destructive SQL: DROP operation detected"
+    severity: critical
+    suggestion: "-- Consider using soft delete or archiving instead"
+    languages: [sql, python, javascript, typescript, php, ruby, java]
+
+  - name: block-destructive-sql
+    pattern: '\bDELETE\s+FROM\s+\w+\s*(;|$|WHERE\s+1\s*=\s*1)'
+    message: "Destructive SQL: DELETE without proper WHERE clause"
+    severity: critical
+    suggestion: "-- Add a specific WHERE clause to limit deletion"
+    languages: [sql, python, javascript, typescript, php, ruby, java]
+
+  - name: block-destructive-sql
+    pattern: '\bTRUNCATE\s+TABLE\s+'
+    message: "Destructive SQL: TRUNCATE operation detected"
+    severity: critical
+    suggestion: "-- Consider archiving data before truncating"
+    languages: [sql, python, javascript, typescript, php, ruby, java]
+
+  # File deletion
+  - name: block-file-deletes
+    pattern: '\brm\s+(-rf|-fr|--recursive\s+--force)\s+'
+    message: "Destructive operation: Recursive force delete (rm -rf)"
+    severity: critical
+    suggestion: "# Use safer alternatives like trash-cli or move to backup"
+    languages: [bash, shell, sh, zsh]
+
+  - name: block-file-deletes
+    pattern: '\bshutil\s*\.\s*rmtree\s*\('
+    message: "Recursive directory deletion (shutil.rmtree)"
+    severity: high
+    suggestion: "# Consider using send2trash for safer deletion"
+    languages: [python]
+
+  - name: block-file-deletes
+    pattern: '\bos\s*\.\s*(remove|unlink|rmdir)\s*\('
+    message: "File/directory deletion operation detected"
+    severity: medium
+    languages: [python]
+
+  # Secret exposure
+  - name: block-secret-exposure
+    pattern: '(api[_-]?key|apikey|api[_-]?secret)\s*[=:]\s*["\u0027][a-zA-Z0-9_-]{20,}["\u0027]'
+    message: "Hardcoded API key detected"
+    severity: critical
+    suggestion: '# Use environment variables: os.environ["API_KEY"]'
+    languages: null  # All languages
+
+  - name: block-secret-exposure
+    pattern: '(password|passwd|pwd)\s*[=:]\s*["\u0027][^"\u0027]+["\u0027]'
+    message: "Hardcoded password detected"
+    severity: critical
+    suggestion: "# Use environment variables or a secrets manager"
+    languages: null
+
+  - name: block-secret-exposure
+    pattern: 'AKIA[0-9A-Z]{16}'
+    message: "AWS Access Key ID detected in code"
+    severity: critical
+    languages: null
+
+  - name: block-secret-exposure
+    pattern: '-----BEGIN\s+(RSA|DSA|EC|OPENSSH)\s+PRIVATE\s+KEY-----'
+    message: "Private key detected in code"
+    severity: critical
+    languages: null
+
+  - name: block-secret-exposure
+    pattern: 'gh[pousr]_[A-Za-z0-9_]{36,}'
+    message: "GitHub token detected in code"
+    severity: critical
+    languages: null
+
+  # Privilege escalation
+  - name: block-privilege-escalation
+    pattern: '\bsudo\s+'
+    message: "Privilege escalation: sudo command detected"
+    severity: high
+    suggestion: "# Avoid sudo in scripts - run with appropriate permissions"
+    languages: [bash, shell, sh, zsh]
+
+  - name: block-privilege-escalation
+    pattern: '\bchmod\s+777\s+'
+    message: "Insecure permissions: chmod 777 detected"
+    severity: high
+    suggestion: "# Use more restrictive permissions: chmod 755 or chmod 644"
+    languages: [bash, shell, sh, zsh]
+
+  # Code injection
+  - name: block-arbitrary-exec
+    pattern: '\beval\s*\('
+    message: "Code injection risk: eval() usage detected"
+    severity: high
+    suggestion: "# Remove eval() and use safer alternatives"
+    languages: [python, javascript, typescript, php, ruby]
+
+  - name: block-arbitrary-exec
+    pattern: '\bos\s*\.\s*system\s*\([^)]*(\+|%|\.format|f["\u0027])'
+    message: "Command injection risk: os.system with dynamic input"
+    severity: critical
+    suggestion: "# Use subprocess with shell=False and proper argument handling"
+    languages: [python]
+
+  - name: block-arbitrary-exec
+    pattern: '\bexec\s*\('
+    message: "Code injection risk: exec() usage detected"
+    severity: high
+    suggestion: "# Remove exec() and use safer alternatives"
+    languages: [python]
+
+  # SQL injection
+  - name: block-sql-injection
+    pattern: '["\u0027]\s*\+\s*[^"\u0027]+\s*\+\s*["\u0027].*(?:SELECT|INSERT|UPDATE|DELETE)'
+    message: "SQL injection risk: String concatenation in SQL query"
+    severity: high
+    suggestion: "# Use parameterized queries instead"
+    languages: [python, javascript, typescript, php, ruby, java]
+
+  # XSS
+  - name: block-xss
+    pattern: '\.innerHTML\s*='
+    message: "XSS risk: innerHTML assignment detected"
+    severity: medium
+    suggestion: "// Use textContent or a sanitization library"
+    languages: [javascript, typescript]

examples/policies/conversation-guardian.yaml

@@ -0,0 +1,144 @@
+# Conversation Guardian — Sample Configuration
+#
+# ⚠️  IMPORTANT: This is a SAMPLE configuration provided as a starting point.
+# You MUST review, customize, and extend these rules for your specific
+# use case before deploying to production. Microsoft does not guarantee
+# that these rules are comprehensive or sufficient for your security
+# requirements.
+
+version: "1.0"
+name: conversation-guardian
+description: >
+  Sample A2A conversation guardian configuration — defines thresholds and
+  patterns for detecting escalating rhetoric, offensive intent, and feedback
+  loops in agent-to-agent conversations (OWASP ASI-8 / ASI-10).
+
+disclaimer: >
+  This is a sample configuration. It is NOT exhaustive and should be
+  customized for your specific security requirements.
+
+thresholds:
+  escalation_score_threshold: 0.6
+  escalation_critical_threshold: 0.85
+  max_retry_cycles: 3
+  max_conversation_turns: 30
+  loop_window_seconds: 300.0
+  offensive_score_threshold: 0.5
+  offensive_critical_threshold: 0.8
+  composite_warn_threshold: 0.4
+  composite_pause_threshold: 0.6
+  composite_break_threshold: 0.8
+  capture_transcript: true
+  max_transcript_entries: 10000
+
+escalation_patterns:
+  # Urgency amplification (weight: 0.15 each)
+  - weight: 0.15
+    patterns:
+      - '\bcode\s+red\b'
+      - '\babsolute\s+final\b'
+      - '\bemergency\b'
+      - '\bfurious\b'
+      - '\bimperative\b'
+      - '\burgent\b'
+      - '\bcritical\s+priority\b'
+      - '\blast\s+chance\b'
+      - '\bdo\s+it\s+now\b'
+      - '\bimmediately\b'
+      - '\bdesper\w+'
+      - '\bnon[- ]?negotiable\b'
+
+  # Coercive directives (weight: 0.25 each)
+  - weight: 0.25
+    patterns:
+      - '\bdo\s+not\s+take\s+no\b'
+      - '\bdirect\s+order\b'
+      - '\byou\s+must\b'
+      - '\bi\s+(?:demand|insist|order|command)\b'
+      - '\bno\s+excuses\b'
+      - '\bfailure\s+is\s+not\s+an?\s+option\b'
+      - '\bdo\s+whatever\s+it\s+takes\b'
+      - '\bby\s+any\s+means\b'
+      - '\bi\s+don''?t\s+care\s+how\b'
+      - '\bstop\s+making\s+excuses\b'
+      - '\bjust\s+(?:do|get)\s+it\s+done\b'
+
+  # Bypass directives (weight: 0.35 each)
+  - weight: 0.35
+    patterns:
+      - '\bbypass\b.*\b(?:control|security|restriction|protection|auth)'
+      - '\bexploit\b.*\b(?:vulnerabilit\w*|weakness|flaw)'
+      - '\bevery\s+trick\b'
+      - '\bevery\s+exploit\b'
+      - '\bwork\s+around\b.*\b(?:security|access|permission|restriction)'
+      - '\bcreative(?:ly)?\b.*\b(?:bypass|hack|exploit|overcome)'
+      - '\bmore\s+aggressive(?:ly)?'
+      - '\bfind\s+a\s+way\s+(?:around|past|through)\b'
+      - '\bbreak\s+(?:through|into|past)\b'
+      - '\bcircumvent\b'
+      - '\boverride\b.*\b(?:security|permission|access|lock)'
+
+offensive_patterns:
+  # Vulnerability research (weight: 0.3 each)
+  - weight: 0.3
+    patterns:
+      - '\b(?:CVE|exploit|vulnerability|vulnerabilities|zero[- ]?day)\b'
+      - '\bfind\b.*\b(?:vulnerabilit\w*|weakness|flaw|bug)'
+      - '\breverse\s+engineer\w*'
+      - '\bsource\s+code\s+review\b.*\bsecurity'
+      - '\bflask[- ]unsign\b'
+      - '\bfuzz(?:ing)?\b.*\b(?:input|param|endpoint)'
+      - '\bpayload\b.*\b(?:inject|craft|construct)'
+      - '\battack\s+(?:surface|vector)\b'
+
+  # Privilege escalation (weight: 0.35 each)
+  - weight: 0.35
+    patterns:
+      - '\bescalate\s+privilege'
+      - '\bforge\b.*\b(?:cookie|token|session|credential)'
+      - '\badmin\s+access'
+      - '\bhardcoded\s+(?:secret|key|password|credential)'
+      - '\bsudo\b|\broot\s+access'
+      - '\bdisarm\b.*\b(?:security|defense|protection|firewall)'
+      - '\bmodify\b.*\b(?:permission|ACL|role|group)'
+      - '\bimpersonat\w*'
+      - '\bhijack\b.*\b(?:session|token|account)'
+
+  # Exfiltration planning (weight: 0.4 each)
+  - weight: 0.4
+    patterns:
+      - '\bexfiltrat\w*'
+      - '\bsteganograph\w*'
+      - '\bhide\b.*\b(?:data|secret|credential).*\b(?:image|file|header)'
+      - '\bbypass\b.*\b(?:DLP|leak\s+prevention|data\s+loss)'
+      - '\bcovert\s+channel'
+      - '\bencode\b.*\bsecret'
+      - '\btunnel\b.*\b(?:data|traffic|out)'
+      - '\bdns\s+(?:tunnel|exfil)'
+
+  # Reconnaissance (weight: 0.2 each)
+  - weight: 0.2
+    patterns:
+      - '\benumerate\b.*\b(?:service|port|endpoint|user)'
+      - '\bscan\b.*\b(?:network|port|service|host)'
+      - '\bnmap\b|\bnikto\b|\bsqlmap\b|\bmetasploit\b|\bburp\s*suite\b'
+      - '\bHTTP\s+header\b.*\b(?:security|version|server)'
+      - '\bfingerprint\b.*\b(?:service|server|version|OS)'
+      - '\brecon(?:naissance)?\b'
+
+  # Injection attacks (weight: 0.35 each)
+  - weight: 0.35
+    patterns:
+      - '\b(?:SQL|command|OS|LDAP)\s+injection\b'
+      - '\bpath\s+traversal\b'
+      - '\bshell\s*code\b'
+      - '(?:;\s*(?:cat|ls|whoami|id|passwd|shadow)\b)'
+      - '\bremote\s+code\s+execution\b|\bRCE\b'
+
+  # Lateral movement (weight: 0.3 each)
+  - weight: 0.3
+    patterns:
+      - '\blateral\s+mov\w*'
+      - '\bpivot\b.*\b(?:network|host|server|system)'
+      - '\bspread\b.*\b(?:network|system|host)'
+      - '\bcompromis\w+\b.*\b(?:server|host|node|agent)'