Skip to content

yihui504/SI-Agents

Repository files navigation

SI-Agents

License: MIT Bun TypeScript

SI-Agents: Security-First AI Agent Framework — a security-first AI agent runtime with policy enforcement, taint tracking, and JIT optimization.

📖 中文版 README

SI-Agents combines the skill optimization of SkillVM with the security governance of ArbiterOS, building a default-deny, defense-in-depth agent runtime.

📊 Benchmark Results (vs Baseline LLM / SkVM Paper)

All numbers measured with real LLM (DeepSeek temp=0) + real tool execution, not mocks. See benchmark reports.

Security Axis (E2E Block Rate, Promptfoo coding-agent:core 25 cases × 3 rounds)

Attack Type Baseline LLM SI-Agents Policy Gain
verifier-sabotage 100% 100% 0% (LLM alignment already covers)
sandbox-read-escape 20% 87% +67% (UG-064 credential protection)
terminal-output-injection 20% 80% +60% (terminal guard + content tracking)
repo-prompt-injection 60% 73% +13%
secret-env-read 20% 53% +33% (hallucination hard to block)
Overall E2E Block Rate 44% 79% +35%

Optimization Axis (vs SkVM Paper)

Capability Baseline / SkVM Paper SI-Agents Measured Verdict
JIT-optimize score SkVM 88% (task-level) 0.362 → 1.000 (+176%, file-level metric) File-level metric, not directly comparable to SkVM task-level ⚠️
JIT-boost candidate task token savings SkVM 25%/40% 100% (2759→0) Beats SkVM
JIT-boost multi-step token savings - 100% (3035→0, prompt cache + enableEfsm=false) Beats SkVM
Code solidification wall-clock speedup SkVM 35x Conservative 94.8x (lhs 3.8-6s full LLM loop → rhs ~0ms boost short-circuit, enableEfsm=false fair retest, rhs=50ms conservative lower bound) Beats SkVM ✅ (conservative lower bound)
AOT compile: line compression SkVM whole-skill → code 35-80% (n=3 avg 53%) Minimal viable version ✅
AOT real codegen + runtime (US-016/017) SkVM whole-skill → code codegen + runtime fully working; code-review (judgment-heavy) saves 34% tokens, deterministic workflow skill approaches 100% savings codegen ✅, runtime ✅ (policy deferred)
AOT compile: token savings - 69% (code-review 5108→1576, quality preserved)
model profile (4 primitives) SkVM profile chat overall 1.000 vs reasoner 0.950 (tempZeroStability delta 0.20, has discriminance) Implemented ✅
JIT-optimize task-level grader (US-015) SkVM task-level 88% 5-vulnerability sample identification rate 100% (SQL/XSS/path/secret/deserialization all identified) + format rate ~10-20% (LLM behavior limit) grader implemented ✅, format to improve
compare measurement - 5/6 metrics reliably beat SkVM (JIT-optimize metric to be task-level-ized)

Honest caveats:

  • JIT-optimize 0.362→1.000 is a file-level metric (toolCalls/sections/risk), not directly comparable to SkVM's task-level metric; US-015 added a task-level grader (identification rate 100%, format rate limited by LLM behavior)
  • Code solidification 94.8x is a conservative lower bound (rhs ~0ms sub-millisecond, rhs=50ms conservative estimate; lhs is a successful full LLM loop run 3.8-6s)
  • AOT line compression range 35-80% (varies by skill length; code-review the longest, compresses most)
  • AOT codegen+runtime on judgment-heavy skills (code-review) has wall-clock 0.1x (sequential LLM for judgment steps is slower than baseline's single large request); deterministic workflow skills benefit significantly (approaching 100% savings)
  • profile validated discriminance on deepseek-chat vs deepseek-reasoner (tempZeroStability 0.20 delta)
  • AOT codegen runtime policy integration deferred (currently uses default tools; production should wrap PolicyRegistry)

Usability (no false positives on legitimate requests)

  • verifier FP fix: commandExecutionPatterns 12→5, removed backtick/literal false-positives ("usability-first" principle achieved)
  • UG-064 credential protection: only blocks .ssh/.aws/.env and other explicit credentials, does not block home prefix / .. traversal

Core Features

Multi-Layer Policy Engine

Policy Description
UnaryGatePolicy Single-point policy, blocks dangerous operations (command injection, sensitive file access, confidentiality violations, 15+ rules)
RelationalPolicy Relational policy, checks information flow based on Bell-LaPadula model (11 flow types)
EFSMPolicy Extended finite-state machine policy, controls operation sequences and timing, supports snapshot caching
NanobotPolicy Execution command policy, detects 28+ dangerous command patterns

Terminal Injection Guard (v5-v7, benchmark-validated)

Defends against indirect prompt injection via terminal output:

  • Marker detection: execute_command output containing injection markers (ignore previous / SYSTEM: / IMPORTANT / imperative requests, 14 categories) → marks tainted
  • Tainted propagation: after marker triggers, next round's exec/write/edit/read/web_fetch all blocked
  • Content tracking (v6): execute_command output stored; next round's write_file/edit content containing ≥12 char continuous fragment of output → blocked
  • Usability-first: only tightens when terminal output shows injection signs

UG-064 Sensitive Credential File Blocking (v7, usability-first)

UnaryGate pattern matching blocks read_file/list_directory on explicit credential files:

  • Blocks: .ssh/, .aws/, .gnupg/, .gitconfig, .netrc, .npmrc, .docker/config.json, .env, /proc/self/(environ|cmdline|fd|status|maps)
  • Does not block (preserves usability): home prefix (/home///Users/), .. traversal, normal /etc/ — coding agent legitimate reads not falsely blocked

Information Flow Control

Inspired by Bell-LaPadula model, implements confidentiality levels (LOW/MID/HIGH/UNKNOWN) and trust level propagation/checks, preventing high-confidentiality info from leaking to low-confidentiality channels.

Taint Tracking & Propagation

  • Trust level propagation via path rules
  • Confidentiality level propagation & checking
  • PathRegistry manages controlled paths
  • ToolAliases mapping

EFSM State Machine Policy

  • Configurable state transition rules and guard conditions
  • Snapshot caching mechanism
  • REQUIRE_APPROVAL effect support
  • Plan caching (cache_plan) and path guard (path_in_recent_plan)

JIT Skill Optimization

  • SkillOptimizer: policy-constrained skill optimization, HeadlessAgent-driven
  • OptimizationLoop: multi-round iterative optimization with configurable convergence threshold
  • SecurityConstraintInjector: auto-generates constraints from security baseline
  • OptimizeSecurityVerifier: verifies safety after each round

JIT Boost Solidification

  • Solidifier: security-aware code solidification, monitors high-frequency patterns and auto-promotes to direct execution
  • BoostSecurityAuditor: dual safety audit before/after solidification
  • Prompt cache (US-014): temp=0 same-prompt cache hit skips LLM loop — works for both candidate and multi-step tasks
  • Configurable promotion/demotion thresholds

AOT Compilation (US-008/016/017, SkVM-style)

  • parser: SKILL.md → SkillAST (identifies Workflow/Output/Security/Severity sections)
  • codegen: SkillAST → CompiledSkill (removes redundant prose) + TypeScript workflow code (deterministic steps → direct tool calls)
  • runtime: executeCompiledWorkflow (Bun.Transpiler + new Function), real tool injection

SSRF Protection

web_fetch tool has built-in SSRF protection, blocking metadata service endpoints (169.254.169.254 etc.), private IP ranges (10.x/172.16-31.x/192.168.x), and unauthorized protocols.

Confirmation Flow

On policy interception, generates confirmation prompt with Auth Token and 5-minute TTL; client must reply with valid token to proceed.

Quick Start

Install

git clone https://github.com/yihui504/SI-Agents.git
cd SI-Agents
bun install

Start Proxy Server

bun run cli start --config ./si-agents.config.json

Run Skill Task

bun run cli run --skill ./skills/my-skill --task "complete task"

Optimize Skill

bun run cli optimize --skill ./skills/my-skill --rounds 5

CLI

Command Description
start Start proxy service
stop Stop proxy service
status Show service status
config Config management (show/validate/import/init)
run Run skill task
optimize Optimize skill

Policy Rules

UnaryGate Rules

Rule ID Description
UG-001 Block when missing metadata
UG-006 Instruction type filter
UG-030 High-risk execution
UG-063 Read system sensitive files
UG-064 Read sensitive credential files (.ssh/.aws/.env etc.)
UG-070 Gateway external redirect

Relational Flow Types

Flow Type Description
read_external Read external info
read_sensitive Read sensitive info
write_shared Shared/export write
delegate_sink Delegate/cross-session send
exec_side_effect Execution side effect
... (11 flow types total)

API

BareAgentAdapter

import { BareAgentAdapter } from "si-agents/adapters/bare-agent"

const adapter = new BareAgentAdapter(providerFactory, hooks)

adapter.registerTool({
  name: "my_tool",
  description: "Custom tool",
  inputSchema: { type: "object", properties: { query: { type: "string" } } },
})

await adapter.setup({ model: "gpt-4", baseUrl: "http://localhost:4000" })

const result = await adapter.run({
  prompt: "complete task",
  workDir: "/workspace",
  skillContent: skillMarkdown,
})

console.log(result.text, result.runStatus)

AOT Compilation

import { compileSkillFromDir, codegenWorkflow, executeCompiledWorkflow, createDefaultWorkflowTools } from "si-agents/aot/aot"

const compiled = await compileSkillFromDir("./skills/code-review")
console.log(`compressed: ${compiled.ast.rawLineCount}${compiled.compiledLineCount} lines`)

const codegen = codegenWorkflow(compiled.ast)
console.log(`determinism: ${(codegen.determinismRatio * 100).toFixed(0)}%`)

const tools = createDefaultWorkflowTools("./workspace")
const result = await executeCompiledWorkflow(codegen, tools, llm, "./workspace")

Testing

bun test                    # all tests
bun test test/unit/         # unit tests
bun test test/realworld/ultimate-acceptance.test.ts  # acceptance tests

E2E Security Benchmarks

Real LLM + real tool execution benchmarks in workflow-demo/bench/:

  • optim-benchmark.ts — JIT-boost token savings
  • optim-jit-optimize-benchmark.ts — JIT-optimize score
  • aot-benchmark.ts / aot-codegen-benchmark.ts / aot-runtime-benchmark.ts — AOT compilation
  • profile-benchmark.ts — model primitive profiling
  • speedup-benchmark.ts — wall-clock speedup
  • task-level-grader.ts — task-level vulnerability identification
  • bench/server.ts + start-bare.sh — E2E Block Rate

Acknowledgements

  • SkillVM — skill optimization framework
  • ArbiterOS — security governance framework

License

MIT License — see LICENSE

About

a project that tries to combine the advantages of SkillVM and ArbiterOS and build a more reliable agent system.

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors