
agentward-ai/agentward

v0.5.1 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 1 month ago · Secrets & Credentials
✓ No known CVEs patched

Affected surfaces

auth, rbac

Summary

AI summary

Adds opt-in HMAC tamper-evident audit logs, a Linux TTY approval channel, and per-event principal identity.

Full changelog

Highlights

Three pre-meeting blockers from the FlowTraders deployment audit, plus the CI gate that vendor due diligence will look for.

  • User identity in every audit event — every JSONL line and RFC 5424 syslog frame carries a principal field, so each event is attributable to a person as DORA Art. 17 and MiFID II RTS 6 record-keeping require. Resolved in order: the --identity CLI flag, then the AGENTWARD_PRINCIPAL env var, then the OS user, then the literal "unknown".
  • Tamper-evident HMAC chain on the JSONL audit log. Each entry chained to the previous via SHA-256 + HMAC-SHA-256. Verifier in agentward audit-verify walks the log, reports signed / unsigned line counts, names the first break line. Enabled by setting AGENTWARD_AUDIT_HMAC_KEY; silently disabled when not. Defense in depth on top of WORM/SIEM tier — closes the source-side tampering gap.
  • Linux TTY approval channel — third channel in the approval race. Single-character prompt (a allow once / s allow session / d deny) on the controlling terminal. Auto-enabled when stdin/stderr are interactive TTYs and AGENTWARD_DISABLE_TTY_APPROVAL is unset. Closes the previous Linux fail-deny gap when neither Telegram nor macOS osascript is available.
  • CI workflow — pytest matrix on Python 3.11/3.12/3.13 is required; ruff/mypy/pip-audit/bandit run as advisory checks. Runs on every PR and push to main. The advisory tier acknowledges the existing 521-finding ruff debt, which needs separate paydown; deferring that paydown does not block the required CI signal that vendor reviewers actually look for.
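As an added illustration of the TTY approval highlight (example code written here, not agentward's own implementation), the following Python sketch shows the three pieces that bullet describes: the auto-enable check on stdin/stderr and AGENTWARD_DISABLE_TTY_APPROVAL, a single-keypress read from the controlling terminal with a timeout, and the a/s/d decision mapping. The decision labels, the 30-second timeout, the function names and the reader's signature are assumptions; agentward's internals may differ.

```python
import os
import sys
from typing import Callable, Mapping, Optional

# Assumed decision labels; agentward's internal names may differ.
DECISIONS = {"a": "allow_once", "s": "allow_session", "d": "deny"}


def tty_channel_enabled(env: Mapping[str, str] = os.environ,
                        stdin=sys.stdin, stderr=sys.stderr) -> bool:
    """Auto-enable rule from the release notes: stdin and stderr must both be
    interactive TTYs and AGENTWARD_DISABLE_TTY_APPROVAL must be unset."""
    if "AGENTWARD_DISABLE_TTY_APPROVAL" in env:
        return False
    return bool(stdin.isatty() and stderr.isatty())


def decide(key: Optional[str]) -> str:
    """Map one keypress to a decision. None (timeout or EOF) and any unlisted
    key are treated as deny, so an unattended or mistyped prompt fails closed."""
    if not key:
        return "deny"
    return DECISIONS.get(key.lower(), "deny")


def read_one_key(timeout_s: float) -> Optional[str]:
    """Read a single raw keypress from the controlling terminal (/dev/tty),
    returning None if nothing arrives within timeout_s seconds."""
    import select, termios, tty  # POSIX-only, so imported lazily
    with open("/dev/tty", "rb", buffering=0) as term:
        saved = termios.tcgetattr(term)
        try:
            tty.setcbreak(term)  # deliver the key without waiting for Enter
            ready, _, _ = select.select([term], [], [], timeout_s)
            if not ready:
                return None
            return term.read(1).decode(errors="replace")
        finally:
            termios.tcsetattr(term, termios.TCSADRAIN, saved)  # restore the terminal


def prompt_approval(tool: str, principal: str,
                    reader: Callable[[float], Optional[str]] = read_one_key,
                    timeout_s: float = 30.0) -> str:
    """Show the single-character prompt on stderr and return the decision."""
    sys.stderr.write(f"[agentward] {principal} -> {tool}: "
                     "(a) allow once  (s) allow session  (d) deny? ")
    sys.stderr.flush()
    decision = decide(reader(timeout_s))
    sys.stderr.write(decision + "\n")
    return decision
```

The reader is injectable so the fail-closed mapping can be exercised without a terminal. In a deployment this channel would run alongside the macOS dialog and Telegram channels, with whichever channel answers first winning the race; the important property for a defender is that a timeout, EOF or stray keypress never turns into an allow.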

What this release is for

The release is primarily for the April 29 FlowTraders meeting. The deployment audit identified three day-1 blockers that needed to land before any regulated-EU pilot: identity in audit logs, source-side tamper evidence, and a Linux approval channel. All three are now in the codebase.

Migration notes

  • No breaking changes. All new functionality is opt-in or auto-detected.
  • Existing audit logs continue to work. Unsigned (pre-0.5.1) entries verify cleanly as unsigned lines; signed entries chain to them via genesis hash.
  • Existing approval flows unchanged. macOS dialog and Telegram channels race exactly as before; TTY is added as a third option.
  • CI workflow runs on pushes to main. Branch protection requiring CI to pass is the next step (it can be configured once the workflow has recorded at least one successful run).
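To make concrete the chaining and verification described in the first two highlights, and the migration note on how unsigned pre-0.5.1 lines interact with signed ones, here is an added Python example (written for this page, not agentward's code): the principal resolution chain, a JSONL writer that signs each line with HMAC-SHA-256 over a SHA-256 pointer to the previous line, and a verifier that walks the log, counts signed and unsigned lines and reports the first break. The field names (principal, prev, mac), the genesis constant, the rule that unsigned lines do not advance the chain, and the sample events are all assumptions.

```python
import getpass
import hashlib
import hmac
import json
import os
from typing import Iterable, Mapping, Optional

# Assumed genesis value: a signed entry with no signed predecessor (including one
# that follows only unsigned pre-0.5.1 lines) chains to this constant.
GENESIS = hashlib.sha256(b"agentward-audit-genesis").hexdigest()


def resolve_principal(cli_identity: Optional[str] = None,
                      env: Mapping[str, str] = os.environ) -> str:
    """Order from the release notes: --identity flag, AGENTWARD_PRINCIPAL, OS user, "unknown"."""
    if cli_identity:
        return cli_identity
    if env.get("AGENTWARD_PRINCIPAL"):
        return env["AGENTWARD_PRINCIPAL"]
    try:
        return getpass.getuser()
    except Exception:  # no passwd entry and no LOGNAME/USER
        return "unknown"


def _canonical(fields: dict) -> bytes:
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _line_hash(line: str) -> str:
    return hashlib.sha256(line.encode()).hexdigest()  # pointer to the line as written


class AuditLog:
    """JSONL writer; key=None means signing is silently off, as the release describes."""

    def __init__(self, key: Optional[bytes]):
        self.key, self.prev, self.lines = key, GENESIS, []

    def append(self, event: dict, principal: str) -> str:
        fields = dict(event, principal=principal)  # identity on every event
        if self.key is not None:
            fields["prev"] = self.prev
            fields["mac"] = hmac.new(self.key, _canonical(fields), hashlib.sha256).hexdigest()
        line = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        if self.key is not None:
            self.prev = _line_hash(line)  # assumption: unsigned lines do not advance the chain
        self.lines.append(line)
        return line


def verify(lines: Iterable[str], key: bytes) -> dict:
    """Walk the log as `agentward audit-verify` does: count signed and unsigned lines
    and report the 1-based number of the first line that breaks the chain."""
    signed = unsigned = 0
    prev = GENESIS
    for n, line in enumerate(lines, 1):
        try:
            fields = json.loads(line)
        except json.JSONDecodeError:
            return {"signed": signed, "unsigned": unsigned, "first_break": n}
        if "mac" not in fields:
            unsigned += 1  # legacy line: accepted but not authenticated
            continue
        mac = fields.pop("mac")
        expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
        if (not isinstance(mac, str) or fields.get("prev") != prev
                or not hmac.compare_digest(mac, expected)):
            return {"signed": signed, "unsigned": unsigned, "first_break": n}
        signed += 1
        prev = _line_hash(line)
    # Caveat: cutting lines off the tail leaves the chain intact. Only an external copy
    # (the WORM/SIEM tier) can catch truncation, which is why this is defense in depth.
    return {"signed": signed, "unsigned": unsigned, "first_break": None}


def demo() -> dict:
    """Constructed sample: two unsigned pre-0.5.1 lines, then three signed entries."""
    key = bytes.fromhex("00" * 32)  # constructed key; use `openssl rand -hex 32` for real
    log = AuditLog(key)
    log.lines += [json.dumps({"tool": "read_file", "decision": "allow"}),
                  json.dumps({"tool": "shell", "decision": "deny"})]
    who = resolve_principal(None, {"AGENTWARD_PRINCIPAL": "trader@example.com"})
    for tool in ("search", "read_file", "send_email"):
        log.append({"tool": tool, "decision": "allow"}, who)
    clean = verify(log.lines, key)
    edited = list(log.lines)  # rewrite the principal on line 4 (second signed entry)
    edited[3] = edited[3].replace(who, "someone-else@example.com")
    deleted = log.lines[:3] + log.lines[4:]  # drop line 4: line 5's prev no longer matches
    return {"principal": who, "clean": clean,
            "edited": verify(edited, key), "deleted": verify(deleted, key)}
```

Two design points worth noting. The MAC covers the canonical body including the prev pointer, so an attacker without the key can neither alter a line nor re-link the chain around a removed line; the verifier's report names the first line where either check fails, which matches what the audit-verify output in the release is meant to give an auditor. And the unsigned lines are counted rather than rejected, so a log that straddles the 0.5.1 upgrade still verifies, with the signed/unsigned split making the unauthenticated prefix visible.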

Tests

3,511 passing across 71 test files (45 new — 31 audit integrity, 14 TTY approval). No regressions.

Verification flow for FlowTraders demo

# Run the proxy with identity threading and HMAC chain
export AGENTWARD_PRINCIPAL="[email protected]"
export AGENTWARD_AUDIT_HMAC_KEY="$(openssl rand -hex 32)"
agentward inspect --policy agentward.yaml --log audit.jsonl

# In another terminal, after some traffic flows:
agentward audit-verify --log audit.jsonl

Output:

✓ Verified — 247 signed entries, chain intact.

Install

pip install agentward==0.5.1

(or pip install --upgrade agentward once the publish workflow lands.)


About agentward-ai/agentward

Permission control plane for AI agents. MCP proxy that enforces least-privilege YAML policies on every tool call, classifies sensitive data (PII/PHI), detects dangerous skill chains, and generates compliance audit trails. Supports stdio and HTTP proxy modes.
