Semantic Network-Aware Firewall for Trust — behavioral firewall for AI agents
SNAFT
Semantic Network-Aware Firewall for Trust — behavioral firewall for AI agents with 22 immutable rules covering OWASP LLM Top 10 (2025) and OWASP Agentic Top 10 (2026).
Install
```bash
pip install snaft          # standalone, zero dependencies
pip install snaft[all]     # with all companion packages
pip install tibet-snaft    # alias (same package)
```
Quick Start
```python
from snaft import Firewall

fw = Firewall()

# Check an action
allowed, token, trust = fw.check("my-agent", "read_file", "load config")
if allowed:
    print(f"Allowed — trust: {trust:.2f}")
else:
    print(f"Blocked by {token.rule_name} — trust: {trust:.2f}")
```

```bash
snaft status                          # show firewall + OWASP coverage
snaft check my-agent read_file "load config"
snaft coverage                        # full OWASP coverage table
snaft block evil.aint "rogue"         # block AINS domain
snaft drop rogue-agent "bye"          # isolate + block + audit
```
22 Immutable Rules
These rules cannot be removed, disabled, or overridden. They are hidden from the rule list but visible in the audit.
| Rule | OWASP | Detects |
|---|---|---|
| SNAFT-001-INJECTION | LLM01 | Prompt injection patterns |
| SNAFT-002-OUTPUT-EXEC | LLM05 | Executable content in output |
| SNAFT-003-OVERSIZE | — | Resource exhaustion (>50K chars) |
| SNAFT-004-PROMPT-LEAK | LLM07 | System prompt extraction |
| SNAFT-005-EXCESSIVE-AGENCY | LLM06 | File operations outside sandbox |
| SNAFT-006-IDENTITY-TAMPER | — | Identity/soul file tampering (Fox-IT) |
| SNAFT-007-PII-LEAK | LLM02 | PII, API keys, secrets in output |
| SNAFT-008-SUPPLY-CHAIN | LLM03 | Untrusted dependency injection |
| SNAFT-009-DATA-POISONING | LLM04 | Training data poisoning |
| SNAFT-010-RAG-INJECTION | LLM08 | RAG/vector store injection |
| SNAFT-011-CONFIDENCE | LLM09 | Low-confidence factual claims |
| SNAFT-012-UNBOUNDED | LLM10 | Unbounded resource consumption |
| SNAFT-013-GOAL-HIJACK | ASI01 | Agent goal hijacking, intent drift |
| SNAFT-014-TOOL-MISUSE | ASI02 | Tool misuse, capability boundary violations |
| SNAFT-015-PRIVILEGE-ABUSE | ASI03 | Identity spoofing, privilege escalation |
| SNAFT-016-FORGE-VERIFY | ASI04 | Unverified plugin/MCP/model loading |
| SNAFT-017-CODE-EXEC | ASI05 | Code execution outside airlock sandbox |
| SNAFT-018-CONTEXT-POISON | ASI06 | Memory and context poisoning |
| SNAFT-019-INSECURE-COMMS | ASI07 | Unsigned inter-agent communication |
| SNAFT-020-CASCADE | ASI08 | Cascading failure patterns |
| SNAFT-021-TRUST-EXPLOIT | ASI09 | Human-agent trust exploitation |
| SNAFT-022-ROGUE-AGENT | ASI10 | Self-replication, oversight evasion |
OWASP LLM Top 10 (2025) — 10/10 Covered
| # | Threat | Rule |
|---|---|---|
| LLM01 | Prompt Injection | SNAFT-001 |
| LLM02 | Sensitive Info Disclosure | SNAFT-007 |
| LLM03 | Supply Chain Vulnerabilities | SNAFT-008 |
| LLM04 | Data and Model Poisoning | SNAFT-009 |
| LLM05 | Improper Output Handling | SNAFT-002 |
| LLM06 | Excessive Agency | SNAFT-005 |
| LLM07 | System Prompt Leakage | SNAFT-004 |
| LLM08 | Vector & Embedding Weaknesses | SNAFT-010 |
| LLM09 | Misinformation | SNAFT-011 |
| LLM10 | Unbounded Consumption | SNAFT-012 |
OWASP Agentic Top 10 (2026) — 10/10 Covered
| # | Threat | Rule |
|---|---|---|
| ASI01 | Agent Goal Hijack | SNAFT-013 |
| ASI02 | Tool Misuse & Exploitation | SNAFT-014 |
| ASI03 | Identity & Privilege Abuse | SNAFT-015 |
| ASI04 | Agentic Supply Chain | SNAFT-016 |
| ASI05 | Unexpected Code Execution | SNAFT-017 |
| ASI06 | Memory & Context Poisoning | SNAFT-018 |
| ASI07 | Insecure Inter-Agent Comms | SNAFT-019 |
| ASI08 | Cascading Failures | SNAFT-020 |
| ASI09 | Human-Agent Trust Exploitation | SNAFT-021 |
| ASI10 | Rogue Agents | SNAFT-022 |
FIR/A Trust Scoring
Agent trust is behavioral, not configured. The FIR/A score (0.0–1.0) is built from four weighted components:
| Component | Weight | Meaning |
|---|---|---|
| Frequency | 20% | Activity baseline |
| Integrity | 40% | Behavioral consistency |
| Recency | 25% | Freshness of trust evidence |
| Anomaly | 15% | Red flags (higher = worse) |
Agent states: active (>= 0.8) → degraded (0.5-0.8) → isolated (< 0.2, reversible) → burned (0.0, permanent).
AINS Blocking
Block agents by .aint domain, IP address, or wildcard pattern. Network-level deny before any rule evaluation.
```python
from snaft import Firewall

fw = Firewall()

# Block by domain
fw.blocklist.block_ains("evil.aint", "rogue agent detected")

# Block by IP
fw.blocklist.block_ip("192.168.1.100", "port scan source")

# Block by pattern
fw.blocklist.block_pattern("*.spam.aint", "known spam network")

# Drop = isolate + block AINS + audit token
agent = fw.get_or_create_agent("rogue")
fw.drop_agent(agent, reason="unauthorized data access")
```

```bash
snaft block evil.aint "rogue"
snaft block 192.168.1.100 "scanner"
snaft block "*.spam.aint" "spam network"
snaft unblock evil.aint
snaft drop rogue-agent "unauthorized access"
```
Null-Route MUX
Behavioral detection engine for abnormal traffic. When an IP crosses a dual threshold — rate (sliding window) or path repetition — it is marked for null-routing. The adjacent ASGI/Express middleware then holds the connection open and sends nothing. The attacker's connection pool fills up. You absorb the request metadata; they get zero signal (no status code, no error, no timing leak).
```python
from snaft import NullRouteMux

mux = NullRouteMux(
    rate_threshold=15,       # requests per window
    window_seconds=10,       # sliding window size
    repetition_threshold=5,  # same path in last N
    hold_duration=120,       # seconds to silence
)

# Request fields as the middleware would see them (sample values)
ip, path, method = "185.131.15.134", "/api/lookup", "GET"
headers, body = {}, b""

decision = mux.check(ip, path, method)
if decision.should_null_route:
    mux.absorb(ip, path, method, headers, body)  # we learn, they don't
    # middleware: send(http.response.start) then sleep hold_duration, never send body

mux.metrics()                 # global counters + top offenders
mux.get_absorbed_summary(ip)
mux.release(ip)               # manual un-route
```
Whitelist is built in for localhost, internal LANs, and declared operator IPs — whitelisted traffic is never null-routed. FIR/A is penalised on trigger so repeat offenders degrade faster. Designed for defensive use in production and for active engagements against automated probing swarms.
Companion Packages (optional)
SNAFT works standalone with zero dependencies. Install companions for enhanced checks:
| Package | Enhances | Install |
|---|---|---|
| tibet-triage | SNAFT-017 (airlock sandboxing) | pip install snaft[triage] |
| tibet-core | Provenance token signing | pip install snaft[tibet] |
| tibet-sbom | SNAFT-008, SNAFT-016 (supply chain) | pip install snaft[sbom] |
| ainternet | SNAFT-019 (I-Poll signing), SNAFT-015 (Cortex tiers) | pip install snaft[ainternet] |
```bash
snaft companion    # shows which companions are installed
```
EU AI Act Compliance
Automatic audit records on every evaluate(). Regulation (EU) 2024/1689, enforcement August 2, 2026.
| Article | Requirement | SNAFT coverage |
|---|---|---|
| Art. 12 | Automatic logging | Every decision generates a signed audit record |
| Art. 13 | Transparency | Records include rule, reason, intent, risk level |
| Art. 26 | Retention >= 6 months | 180-day minimum enforced (cannot be lowered) |
| Art. 9 | Risk monitoring | FIR/A trust changes tracked per decision |
| Art. 14 | Human oversight | State transitions logged with provenance |
| Art. 15 | Accuracy & security | Tamper-detection hash on every record |
```bash
snaft audit summary                  # covered articles
snaft audit export -o report.json    # export for auditors
snaft audit verify                   # verify record integrity
```
Rust Trust Kernel
Optional compiled backend for performance-critical deployments:
```bash
pip install snaft-core
```
Auto-detected. Provides 8x faster rule evaluation, HMAC signing via BoringSSL, compile-time rule definitions in .rodata, and runtime tamper detection.
IETF Drafts
- draft-vandemeent-tibet-provenance-01 — Traceable Intent-Based Event Tokens
- draft-vandemeent-jis-identity-01 — Joint Identity Signature
- draft-vandemeent-upip-process-integrity-01 — Universal Process Integrity Protocol
- draft-vandemeent-rvp-continuous-verification-01 — Real-time Verification Protocol
- draft-vandemeent-ains-discovery-01 — AInternet Name Service
Design Principles
- Default DENY — no rule match = blocked
- Fail CLOSED — exception in rule = blocked
- Immutable core — OWASP rules cannot be removed
- Provenance on every decision — no action without evidence
- Trust degradation — blocks erode agent trust
- Intent-aware — filters on WHY, not just WHAT
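How the evaluation order and the default-deny, fail-closed and trust-degradation principles fit together, as an added sketch that is not SNAFT's code. `MiniFirewall`, `Rule`, the rule names and the 0.1 penalty are hypothetical; the rules in `demo_firewall` are constructed for illustration.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Rule:
    name: str
    verdict: str                         # "allow" or "block"
    matches: Callable[[str, str], bool]  # (action, intent) -> bool

@dataclass
class MiniFirewall:
    rules: list
    blocked_patterns: list = field(default_factory=list)
    trust: dict = field(default_factory=dict)  # agent -> score in [0, 1]
    penalty: float = 0.1                       # assumed cost of one block

    def check(self, agent, action, intent):
        """Return (allowed, deciding_rule, trust_after)."""
        allowed, rule = self._decide(agent, action, intent)
        score = self.trust.get(agent, 1.0)
        if not allowed:                  # every block erodes trust
            score = max(0.0, round(score - self.penalty, 2))
        self.trust[agent] = score
        return allowed, rule, score

    def _decide(self, agent, action, intent):
        # Blocklist deny comes before any rule is evaluated
        if any(fnmatch.fnmatch(agent, p) for p in self.blocked_patterns):
            return False, "BLOCKLIST"
        for rule in self.rules:
            try:
                hit = rule.matches(action, intent)
            except Exception:
                return False, rule.name + " (error)"  # fail closed
            if hit:
                return rule.verdict == "allow", rule.name
        return False, "DEFAULT-DENY"     # no rule matched

def demo_firewall():
    # Constructed rules; the names are hypothetical, not SNAFT rule ids
    return MiniFirewall(
        rules=[
            Rule("BLOCK-EXFIL", "block", lambda a, i: "exfil" in i.lower()),
            Rule("BROKEN", "allow", lambda a, i: a == "delete_file" and 1 / 0),
            Rule("ALLOW-READ", "allow", lambda a, i: a == "read_file" and bool(i)),
        ],
        blocked_patterns=["*.spam.aint"],
    )
```

A rule that raises is treated as a block even when its verdict is "allow", and a `read_file` request with an empty intent falls through to the default deny.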
License
MIT
Credits
Built by Jasper van de Meent as part of HumoticaOS.
Based on OWASP LLM Top 10 (2025), OWASP Agentic Top 10 (2026), TIBET provenance framework, and the AInternet.
Enterprise
For private hub hosting, SLA support, custom integrations, or compliance guidance:
| Enterprise | enterprise@humotica.com |
| Support | support@humotica.com |
| Security | security@humotica.com |
See ENTERPRISE.md for details.
File details
Details for the file snaft-1.2.0.tar.gz.
File metadata
- Download URL: snaft-1.2.0.tar.gz
- Upload date:
- Size: 50.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 22b1e9ef9495ef3db7dcf5726830fd10a59e18998bf96051a84fe7bb10650945 |
| MD5 | f06a8df241ef0491aa082264b87a1f3e |
| BLAKE2b-256 | 7d9b911234a4b96ce0e6023c567eeb92ab6c4a7698270139312a9c91d17ada29 |
File details
Details for the file snaft-1.2.0-py3-none-any.whl.
File metadata
- Download URL: snaft-1.2.0-py3-none-any.whl
- Upload date:
- Size: 57.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | e4812098571dfe5a8d2c05735175941b57a3eb70d5b4f48b41d5539340c13bee |
| MD5 | 4f35c978668900e90008ff9b54af7b88 |
| BLAKE2b-256 | 32d67cdfd3a7f5e4cb53f9d794092c072cbd1e968409913f8b60a7333d0deca9 |