What Ships in v0.4.11
This release touches every layer of the stack. The LLM Firewall gets 16 new prompt injection patterns and a multimodal hidden injection scanner. The enforcement engine gets an updated VPS-agent preset with escalation timers and approval gate configuration. The notification system adds Telegram support. And the entire project now ships an Agent Skill that lets AI agents install and operate 1-SEC on their own hosts.
Here is everything that changed.
Agent Skill: AI Agents Can Now Secure Themselves
The 1sec-security skill follows the Agent Skills open standard adopted by Claude Code, OpenCode, Manus, Vercel AI SDK, and others. It is a self-contained directory with a SKILL.md, install scripts, and reference guides that any compatible agent can discover and execute.
When an operator tells their agent "secure this server," the agent loads the skill, runs the install script, applies the VPS-agent enforcement preset, and starts all 16 modules. The entire process takes under 60 seconds with zero human intervention.
The skill bundle includes an operations runbook that teaches the agent how to investigate alerts, handle false positives, tune noisy modules, manage webhooks, and troubleshoot issues after installation. This is the post-install experience — the agent does not just install 1-SEC and walk away, it knows how to operate it day-to-day.
Skill Bundle Contents
The 1sec-security directory contains SKILL.md (install and setup instructions, ~1,200 words optimized for agent context windows), scripts/install-and-configure.sh (automated non-interactive install), references/operations-runbook.md (day-to-day operations guide), references/vps-agent-guide.md (VPS-specific deployment details with threat model), and references/config-reference.md (full configuration reference). All reference files load on demand via progressive disclosure — the agent only reads them when it needs them.
LLM Firewall: 52 → 68 Patterns + Multimodal Scanner
We audited the full 2025-2026 prompt injection landscape against our detection coverage. Sources included OWASP LLM Top 10, Lasso Security's taxonomy, PhantomLint, Lawfare's Promptware Kill Chain, CSA's LPCI research, Microsoft's XPIA and Skeleton Key advisories, MoltVote agent social engineering, HiddenLayer's universal bypass, and the arxiv paper cataloging 1,400+ adversarial prompts.
We found 9 gaps and wrote 16 new patterns to close them.
New Detection Categories
Skeleton Key attacks (disclaimer-prefix guardrail erosion, educational framing). Cross-Prompt Injection / XPIA (document-targeted overrides, hidden HTML instructions). LPCI (logic layer overrides, persistent cross-session triggers). Delayed-trigger memory poisoning (preference manipulation, sleeper instructions). Zero-click indirect injection (data exfiltration via URL, callback to attacker endpoints). Instruction hierarchy exploitation (priority and precedence claims). Agent social engineering (tell-your-human attacks, urgency and survival manipulation). Promptware Kill Chain (persistence across sessions, lateral movement to other agents, config file writes).
Multimodal Hidden Injection Scanner
750 lines of pure Go, zero external dependencies. Three detection layers: image metadata parsing (EXIF, PNG chunks, JPEG COM, XMP), HTML/CSS hidden content detection (10 CSS techniques, 6 HTML patterns, zero-width Unicode), and PDF hidden text parsing (content stream tokenization, render mode tracking, invisible text detection). Integrated via three new event types: document_upload, file_attachment, image_input. 38 dedicated tests, 148 total in the LLM Firewall package.
VPS-Agent Preset: Escalation, Approval Gates, Skip-Approval
The vps-agent enforcement preset has been significantly updated for autonomous AI agent hosts.
Escalation Timers
Enabled by default with aggressive timeouts: 3 minutes for CRITICAL (re-notify up to 5 times), 10 minutes for HIGH (escalate to CRITICAL, 3 times), 20 minutes for MEDIUM (escalate to HIGH, twice). These are shorter than the defaults because autonomous hosts have no human SOC team watching — if a CRITICAL alert sits unacknowledged, the host is under active attack with nobody watching.
Approval Gates Disabled
The default approval gate requires human approval for destructive actions. That makes no sense for an autonomous agent host. The vps-agent preset disables approval gates entirely and marks critical actions with skip_approval flags on kill_process and quarantine_file across ai_containment, runtime_watcher, supply_chain, ransomware, and data_poisoning modules.
Preset Bundle Architecture
The enforce preset command now uses GetPresetBundle() which carries policies, escalation config, and approval gate config as a single unit. When you run 1sec enforce preset vps-agent, all three are applied together. Other presets (lax, safe, balanced, strict) continue to use default escalation and approval settings.
Telegram Notification Template
The webhook notification system now supports Telegram natively alongside Slack, Discord, PagerDuty, and Microsoft Teams. The Telegram template uses the Bot API sendMessage endpoint with HTML parse_mode, producing formatted alerts with severity emoji, module name, source IP, and alert description.
Configuration is straightforward — set the webhook URL to your bot's sendMessage endpoint, set the template to "telegram" (or "tg"), and provide the chat_id as a parameter. The template handles all the formatting. Supported template names are now: pagerduty (or pd), slack, teams (or msteams), discord, telegram (or tg), and generic.
CLI Improvements
The 1sec help enforce output now lists the vps-agent preset alongside lax, safe, balanced, and strict. Previously it was missing from the help text despite being fully functional. The enforce preset subcommand help text has been updated with the full preset descriptions and the recommended progression path.
Full Changelog
LLM Firewall: 16 new prompt injection patterns (52 → 68 compiled regex). New detection for Skeleton Key, XPIA, LPCI, delayed-trigger memory poisoning, zero-click indirect injection, instruction hierarchy exploitation, agent social engineering, and Promptware Kill Chain techniques.
LLM Firewall: Multimodal hidden injection scanner (750 lines, pure Go). Three detection layers for image metadata, HTML/CSS hidden content, and PDF invisible text. 38 new tests, 148 total.
Enforcement: VPS-agent preset updated with escalation timers (3min CRITICAL, 10min HIGH, 20min MEDIUM), disabled approval gates, and skip_approval flags on critical module actions.
Enforcement: PresetBundle type and GetPresetBundle() function for applying policies + escalation + approval gate config as a unit.
Notifications: Telegram template added (sendMessage with HTML parse_mode). Supported via "telegram" or "tg" template name.
Agent Skill: 1sec-security skill bundle with SKILL.md, install script, operations runbook, VPS agent guide, and config reference. Compatible with Claude Code, OpenCode, Manus, and any Agent Skills-compatible agent.
CLI: vps-agent preset added to 1sec help enforce output. Docs updated from "55+" to "65+" prompt injection patterns across all references.
Upgrading
curl -fsSL https://1-sec.dev/get | sh
The binary self-updates on launch, but you can force an immediate update with the install script. If you are running the vps-agent preset, the new escalation and approval gate settings will apply automatically when you re-apply the preset:
1sec enforce preset vps-agent
Existing custom enforcement configurations are not affected — the preset only changes settings when explicitly applied.