Devadex

AI-Agent Security Verification Kit

gumroad   $129.00   by 0xshugo
3d old

Prove your AI agent is secure — in one command, with evidence an auditor accepts.AI-Agent Security Verification Kit runs static configuration checks and executable injection tests against your agent, then emits a single signed evidence artifact: machine-readable JSON + a human-readable PDF, hashed and RFC 3161 timestamped. Drop it into CI; hand the PDF to a CISO.This is the paid companion to the free field manual AI Agent Security. The manual explains the threats; this kit executes the tests and produces the evidence. Explanation is free — execution and defensible evidence are paid.What one run gives youRun agentkit run agent.yaml and you get:A verdict you can gate CI on — exit 0 = PASS, 1 = FAIL. A canonical JSON record — every check with its test ID, PASS/FAIL, and a redacted locator. A human-readable PDF — results table + integrity block, ready for an auditor. An RFC 3161 timestamp token — verify it independently with OpenSSL; only a SHA-256 + nonce ever leave your machine. A licence attestation folded into the hashed, timestamped metadata — binding report + licensee + time together.What it checksStatic (read-only): distinct agent identity & short-lived credentials, egress allowlists & sandboxed execution, MCP supply-chain pinning (rug-pull detection), Enterprise-Managed Authorization, untrusted-content/memory provenance, reconstructable logging, and a plaintext-secret scan that reports the locator, never the value.Dynamic (executes handler code): webhook signature verification — accepts valid, rejects tampered, is length-safe against a forged short signature (no DoS), and uses a constant-time comparator (no timing side channel). Point it at your own verifier with --verifier your_module:verify_signature.Design guaranteesNo secret values ever leave the machine or land in a report. Redaction is enforced in the core result model, not trusted to each check. Static pass is truly read-only — it never connects to, mutates, or sends payloads to your target. Read it, run it: stdlib-only core (plus fpdf2 + PyYAML). No model API keys, no service accounts, no network except the final TSA timestamp (skippable offline).What you getThe complete kit source (agentkit/, run.sh, examples, tests) as a zip — read every check before you run it — plus your Gumroad licence key, which attests every evidence artifact to you.LicensingSolo — 1 seat: one named developer or one CI runner. Team — 5 seats: up to five developers/CI runners in one organisation.The licence never blocks a run — an unlicensed run still produces the artifact, it simply self-marks as UNLICENSED and isn't valid as evidence. 7-day offline grace for air-gapped CI. 30-day money-back guarantee.Proprietary, licensed software (see LICENSE). Not the CC-licensed manual.【日本語でも読めます / Japanese edition available】本書の日本語版『AIエージェントセキュリティ・フィールドマニュアル』を Leanpub で公開しています。内容は英語版と1対1対応です。 日本語版: https://leanpub.com/agent-security-ja 英語版: https://leanpub.com/agent-security

Get it → 0xshugo.gumroad.com

Found on Devadex — the discovery index for independent software the big search engines bury. More from gumroad.

Report this listing