{"id":51366748,"url":"https://github.com/asklar/agentsafe-demos","last_synced_at":"2026-07-03T02:35:03.614Z","repository":{"id":368597254,"uuid":"1285841872","full_name":"asklar/agentsafe-demos","owner":"asklar","description":"A reusable lab for small, recordable, open-source agentic-security demos: one tiny tool-call interception shim, governed-vs-ungoverned side by side.","archived":false,"fork":false,"pushed_at":"2026-07-01T09:03:17.000Z","size":47,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-07-01T11:05:12.069Z","etag":null,"topics":["agent-governance","agentic-security","ai-agents","ai-safety","ai-security","guardrails","llm","llm-security","mcp","prompt-injection","python"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/asklar.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-07-01T07:37:51.000Z","updated_at":"2026-07-01T09:03:32.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/asklar/agentsafe-demos","commit_stats":null,"previous_names":["asklar/agentsafe-demos"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/asklar/agentsafe-demos","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asklar%2Fagentsafe-demos","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asklar%2Fagentsafe-demos/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asklar%2Fagentsafe-demos/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asklar%2Fagentsafe-demos/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/asklar","download_url":"https://codeload.github.com/asklar/agentsafe-demos/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asklar%2Fagentsafe-demos/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35070339,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-03T02:00:05.635Z","response_time":110,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent-governance","agentic-security","ai-agents","ai-safety","ai-security","guardrails","llm","llm-security","mcp","prompt-injection","python"],"created_at":"2026-07-03T02:35:03.097Z","updated_at":"2026-07-03T02:35:03.605Z","avatar_url":"https://github.com/asklar.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# agentsafe-demos — a lab for agentic-security demos\n\n[![CI](https://github.com/asklar/agentsafe-demos/actions/workflows/ci.yml/badge.svg)](https://github.com/asklar/agentsafe-demos/actions/workflows/ci.yml)\n[![Python 3.10+](https://img.shields.io/badge/python-3.10%2B-blue.svg)](https://www.python.org/downloads/)\n[![License: Apache-2.0](https://img.shields.io/badge/license-Apache--2.0-green.svg)](./LICENSE)\n\n**A reusable foundation for building small, recordable, open-source demos about\nagent governance.** Every demo is middleware over one tiny tool-call\ninterception shim, so the second demo costs a fraction of the first and each one\nbecomes shareable content with a single capture command.\n\n\u003e Autonomous agents are only as safe as the tools they can reach. This lab makes\n\u003e that concrete: it puts a governable seam between an agent and its tools, and\n\u003e shows — side by side — what happens with and without it.\n\n## See it in 10 seconds\n\nA support agent reads a booby-trapped ticket that tells it to mail your Stripe\nkey to an attacker. Same agent, same plan, run three ways — a *reasonable*\nallow/deny policy still lets the secret out; a taint tripwire stops it at the\ntool boundary and still lets the legitimate reply through:\n\n```text\n=== POLICY-ONLY agent (allow/deny gate) ===\n  EXEC  read_file   — read credentials  \u003c-- injected step\n  EXEC  http_post   — POST creds off-box  \u003c-- injected exfil\n  -\u003e 6 executed, 0 blocked; !!! SECRET EXFILTRATED\n\n=== TRIPWIRE agent (policy + taint tripwire) ===\n  EXEC  read_file   — read credentials  \u003c-- injected step\n  BLOCK http_post   — POST creds off-box  \u003c-- injected exfil   [taint-tripwire]\n  EXEC  http_post   — reply on the ticket (legit)\n  -\u003e 5 executed, 1 blocked; OK  secret contained\n```\n\nPrompt injection is a *data-flow* problem: track where untrusted data goes, or\nlose. Run it yourself below — ~250 lines, zero dependencies, one command.\n\n## Why this exists\n\nShipping one demo is easy; shipping a demo *every week that survives public\nscrutiny* needs scaffolding. `agentlab` provides three things so the marginal\ndemo is cheap:\n\n1. **A shared shim** ([`shim/`](./shim)) — the tool-call interception substrate\n   every demo builds on. See [`shim/README.md`](./shim/README.md).\n2. **A demo template** ([`demos/_template`](./demos/_template)) — drop-in\n   scaffold with a runnable `demo.py`, `run.sh`, `SCRIPT.md`, and a smoke test.\n3. **A capture pipeline** ([`capture/`](./capture)) — one command turns a demo\n   into a text log / terminal recording / GIF.\n\n## Quick start\n\n```bash\n# Run the reference demo (no dependencies beyond Python 3.10+)\n./demos/00-hello-gate/run.sh\n\n# Run the whole test suite (stdlib only)\npython3 run_tests.py\n\n# Scaffold a new demo\n./new_demo.sh injection-tripwire \"Injection Tripwire\"\n\n# Capture a demo as shareable content\ncapture/record.sh 00-hello-gate\n```\n\n## The shared shim in one screen\n\nEach demo wires the same `Interceptor` with different middleware. A middleware\ncan veto a call before it runs (`before`) and/or observe it after (`after`):\n\n```python\nfrom shim import Interceptor, make_toolbox\nfrom shim.middleware import PolicyGate, InjectionTripwire, FlightRecorder\n\nix = Interceptor(\n    make_toolbox(\"/tmp/agent-workspace\"),\n    middleware=[PolicyGate(rules), InjectionTripwire(), FlightRecorder()],\n)\nix.call(\"delete_file\", path=\"production.db\")   # -\u003e Blocked, tool never runs\n```\n\nThat's the whole idea: **the three roadmap concepts are three middleware, not\nthree frameworks.**\n\n| Roadmap concept | Middleware | Status |\n| --- | --- | --- |\n| A. Guardrail Proxy (policy gate) | `PolicyGate` | flagship demo (SKL-3) |\n| B. Injection Tripwire (taint) | `InjectionTripwire` | [demo #2](./demos/01-injection-tripwire) (SKL-6) ✅ |\n| C. Agent Flight Recorder (ledger) | `FlightRecorder` + `AuditSink` | demo #3 |\n\nThe reference demo [`demos/00-hello-gate`](./demos/00-hello-gate) composes all\nthree at once to prove the substrate generalizes;\n[`demos/01-injection-tripwire`](./demos/01-injection-tripwire) is the focused\nConcept B demo — it shows an allow/deny policy is *not enough* to stop a\nprompt-injection exfil, and a taint tripwire is.\n\n\u003e **Standalone primitive.** Concept A also has its own focused home — the\n\u003e **guardrail** repo — the single-idea policy-gate primitive with its own README\n\u003e and quick start, for readers who just want that one control. This lab is where\n\u003e the three concepts compose on a shared shim and become repeatable content.\n\n## Repo layout\n\n```\nagentlab/\n├── shim/                 # shared tool-call interception substrate + tests\n│   ├── interceptor.py    #   Interceptor + Middleware chain + Blocked\n│   ├── middleware.py     #   PolicyGate / InjectionTripwire / FlightRecorder\n│   ├── audit.py          #   hash-chained JSONL audit sink\n│   └── toolbox.py        #   shared mock tools\n├── demos/\n│   ├── _template/        # drop-in scaffold for a new demo\n│   ├── 00-hello-gate/    # reference demo that exercises the whole substrate\n│   └── 01-injection-tripwire/  # Concept B: taint tracking beats allow/deny policy\n├── capture/              # one-command demo-capture pipeline\n├── new_demo.sh           # scaffold a new demo\n├── run_tests.py          # dependency-free test runner\n├── HOWTO.md              # how to add a new demo (the short version)\n├── CONTRIBUTING.md\n└── LICENSE               # Apache-2.0\n├── NOTICE                # Apache-2.0 NOTICE\n```\n\n## Adding a demo\n\nSee [`HOWTO.md`](./HOWTO.md). The short version: `./new_demo.sh \u003cslug\u003e`, edit the\nplan and middleware, run it, capture it.\n\n## License\n\nApache-2.0 licensed — see [`LICENSE`](./LICENSE) and [`NOTICE`](./NOTICE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fasklar%2Fagentsafe-demos","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fasklar%2Fagentsafe-demos","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fasklar%2Fagentsafe-demos/lists"}