Zero trust and vulnerability defense are properties of the K9-AIF framework itself — not something each application has to build. K9X Shield is that architecture. K9X Satan is the tool that proves it holds.
A block at any phase terminates execution — downstream phases never run. Reaching Squad/Agent is a gap in the framework, not a partial pass.
RequestFrequencyCheck — resource-exhaustion request floodsInputSizeCheck — token-flood / oversized payloadsPromptInjectionCheck — SYSTEM OVERRIDE, ignore-all-instructions patternsFieldAnomalyCheck — authority-override social engineeringMemoryPoisoningCheck — fabricated session memory claimsToolArgumentCheck / ToolAuthorizationCheck — poisoned or unapproved tool calls, caught before dispatchSemanticDriftCheck — goal hijacking, identity overrideExecutionGuardCheck — destructive commands, reverse shellsPIIBoundaryCheck — SSN / credit card / email exfiltrationHardcodedCredentialCheck — API keys echoed into the responseToolArgumentCheck / ToolAuthorizationCheck — also here, for a tool call an agent generates mid-executionSystemPromptLeakageCheck, OutputSanitizationCheck — prompt leakage, markup injectionUpload a document, fire a real attack, and watch it get contained at the Router or Orchestrator gate in real time — Penetration Monitor shows every check in the chain, Results tracks outcomes across the session, and the Architecture tab (About → README inside the tool itself) walks through exactly why each gate holds.
K9X Shield applies deterministic, policy-driven checks — 13 handlers total, wired into the Router's ingress and Orchestrator's egress chains. Explainable, zero LLM cost, evaluated identically every run. Evadable by paraphrase, encoding, or wording changes no regex list can enumerate in advance.
IBM Guardian (granite4.1-guardian:8b) is an optional semantic layer wrapping every agent's pre/post hooks — it catches paraphrased injection, subtle goal hijacking, and disguised privilege escalation that survive the pattern layer. Neither replaces the other: Shield holds with Guardian disabled entirely; Guardian only ever adds coverage on top.
Guardian unavailability (timeout, HTTP error, unreachable endpoint) is never silently treated as "SAFE" — it's an explicit policy decision: fail_closed (default — blocks/redacts), fail_open (documented risk), or inconclusive (flags without blocking).
| Threat Vector | K9X Shield Handler | Owner |
|---|---|---|
| Indirect Prompt Injection | PromptInjectionCheck | Framework OOB |
| Goal Hijacking & Privilege Escalation | SemanticDriftCheck | Framework OOB |
| Memory Poisoning | MemoryPoisoningCheck | Satan SBB |
| Shadow AI & Tool Abuse | ToolArgumentCheck / ToolAuthorizationCheck | Framework OOB + Satan SBB |
The chain is open-ended by design — Zscaler's four vectors are the current known surface, not a ceiling. Each new vector is one new handler; the chain doesn't need to be rewritten.
| # | Check | Gate | Owner | Threat Class |
|---|---|---|---|---|
| 1 | RequestFrequencyCheck | Ingress | Satan SBB | Unbounded Consumption — OWASP LLM10 |
| 2 | InputSizeCheck | Ingress | Framework OOB | Token-flood / oversized payload — OWASP LLM10 |
| 3 | PromptInjectionCheck | Ingress | Framework OOB | Indirect Prompt Injection — Zscaler #1 · OWASP LLM01 |
| 4 | FieldAnomalyCheck | Ingress | Satan SBB | Authority-override social engineering |
| 5 | MemoryPoisoningCheck | Ingress | Satan SBB | Memory Poisoning — Zscaler #3 · OWASP LLM04 |
| 6 | ToolArgumentCheck | Ingress + Egress | Framework OOB | Tool Abuse — poisoned arguments — Zscaler #4 · OWASP LLM05 |
| 7 | ToolAuthorizationCheck | Ingress + Egress | Satan SBB | Shadow AI — unapproved tool — Zscaler #4 |
| 8 | SemanticDriftCheck | Egress | Framework OOB | Goal Hijacking & Privilege Escalation — Zscaler #2 · OWASP LLM06 |
| 9 | ExecutionGuardCheck | Egress | Framework OOB | Destructive execution — Zscaler #2 · OWASP LLM06 |
| 10 | PIIBoundaryCheck | Egress | Framework OOB | Sensitive Info Disclosure — OWASP LLM02 |
| 11 | HardcodedCredentialCheck | Egress | Framework OOB | Supply chain / secret leakage — OWASP LLM03 |
| 12 | SystemPromptLeakageCheck | Egress | Satan SBB | System Prompt Leakage — OWASP LLM07 |
| 13 | OutputSanitizationCheck | Egress | Satan SBB | Improper Output Handling — OWASP LLM05 |
| — | GuardianGovernance | Agent pre/post | Satan SBB | Semantic evasion of all 13 above (cross-cutting, optional) |
Threat classes reference the OWASP Top 10 for LLM Applications. ToolArgumentCheck/ToolAuthorizationCheck run at both gates deliberately — ingress catches caller-supplied fields before Squad/Agent runs; egress catches a fresh tool call an agent generates mid-execution, which doesn't exist yet at ingress time. Same defense-in-depth principle as Guardian: additive, never a replacement.
Every attack targets one specific check. A PASSED result doesn't mean Satan failed — it means Shield needs a new handler. That's the hardening loop.
| Satan Attack | Shield Check |
|---|---|
PromptInjectionAttack | PromptInjectionCheck |
SearchPoisoningAttack | PromptInjectionCheck (real tool-response fetch) |
PayloadFloodAttack | InputSizeCheck |
MemoryPoisoningAttack | MemoryPoisoningCheck |
RequestFloodAttack | RequestFrequencyCheck |
SemanticDriftAttack | SemanticDriftCheck |
ExecutionBypassAttack | ExecutionGuardCheck |
PIIExfiltrationAttack | PIIBoundaryCheck |
ToolArgumentAttack | ToolArgumentCheck |
HardcodedCredentialAttack | HardcodedCredentialCheck |
ShadowToolAttack | ToolAuthorizationCheck |
SystemPromptLeakageAttack | SystemPromptLeakageCheck |
OutputSanitizationAttack | OutputSanitizationCheck |
pip install k9x-satan k9x-satan # foreground, opens the dashboard at localhost:6660 k9x-satan --bg # or run it in the background
Own instance, own K9-AIF pipeline, own LLM endpoint — nothing sent to any shared deployment. pypi.org/project/k9x-satan