What Ships in v0.4.14
This release is driven entirely by the weekly vulnerability intelligence pipeline. All 7 action items from the March 10 report have been implemented across the Injection Shield, AI Containment, and Network Guardian modules, plus the Rust sidecar. Two P0 critical detections, three P1 enhancements, and two P2 strategic items ship in this build.
A codebase audit also uncovered and fixed three bugs: four mitigation map keys that never matched their categories, a Rust normalization divergence from Go, and stale documentation references. Here is everything that changed.
Unicode NFKC Normalization Evasion Detection (P0)
CVE-2026-25673 demonstrated that fullwidth Unicode characters can bypass path traversal filters when they normalize to ASCII after security checks. Attackers use characters like U+FF0E (fullwidth period) and U+FF0F (fullwidth solidus) to construct traversal sequences that look benign to regex filters but resolve to ../../etc/passwd after NFKC normalization.
The Injection Shield now detects these evasion attempts with a new path_unicode_nfkc pattern that matches percent-encoded fullwidth sequences, raw Unicode codepoints, and mixed-encoding combinations. This pattern fires at CRITICAL severity.
9-Phase Unicode Folding Normalizer
The normalizeInput() pipeline has been extended from 8 to 9 phases. The new Phase 8 (Unicode Folding) runs before the final whitespace collapse, mapping fullwidth ASCII (U+FF01–U+FF5E), Mathematical Alphanumeric Symbols (Bold, Italic, Bold-Italic Latin, and Monospace Digits), and other lookalike characters to their ASCII equivalents. This ensures that subsequent regex patterns see normalized text regardless of encoding tricks. The same folding logic is mirrored in the Rust sidecar's normalize pipeline.
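The ordering problem and the folding step can be seen in a short Go sketch. This is an added example, not the project's normalizeInput() code: the function names (foldRune, decodeAndFold, hasTraversal) and the single percent-decode step are assumptions, and the mapping covers only the ranges named above.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// foldRune maps one lookalike code point to ASCII (illustrative subset of the
// ranges named above, not the project's table).
func foldRune(r rune) rune {
	switch {
	case r >= 0xFF01 && r <= 0xFF5E: // fullwidth ASCII
		return r - 0xFEE0
	case r == 0x210E: // italic small h lives outside the math block
		return 'h'
	case r >= 0x1D400 && r <= 0x1D49B && r != 0x1D455: // Bold, Italic, Bold-Italic
		off := (r - 0x1D400) % 52 // each style is A-Z then a-z
		if off < 26 {
			return 'A' + off
		}
		return 'a' + off - 26
	case r >= 0x1D7F6 && r <= 0x1D7FF: // monospace digits
		return '0' + (r - 0x1D7F6)
	}
	return r
}

// decodeAndFold percent-decodes once, then folds. Hypothetical helper name.
func decodeAndFold(s string) string {
	if d, err := url.PathUnescape(s); err == nil {
		s = d
	}
	return strings.Map(foldRune, s)
}

// hasTraversal is a deliberately simple ASCII-only filter.
func hasTraversal(s string) bool { return strings.Contains(s, "../") }

func main() {
	// Constructed inputs: raw fullwidth code points and their percent-encoded UTF-8.
	for _, in := range []string{
		"/static/\uFF0E\uFF0E\uFF0F\uFF0E\uFF0E\uFF0Fetc/passwd",
		"/static/%EF%BC%8E%EF%BC%8E%EF%BC%8Fetc/passwd",
	} {
		out := decodeAndFold(in)
		fmt.Printf("before=%v after=%v %q\n", hasTraversal(in), hasTraversal(out), out)
	}
}
```

The filter misses both inputs before folding and matches both afterwards, which is why the fold has to run before the pattern set rather than after it.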
Management Interface RCE Signatures (P0)
Two new patterns detect command injection through management interfaces. The cmdi_mgmt_xmlrpc pattern targets WatchGuard-style XMLRPC payloads (CVE-2025-67840) where attackers embed shell commands inside XML member elements with names like os_system or shell_exec. The cmdi_mgmt_api_json pattern targets Cohesity-style JSON API payloads (CVE-2025-63911) where command fields contain pipe, semicolon, or double-ampersand chains followed by reconnaissance commands.
Both patterns fire at CRITICAL severity and are compiled into the Injection Shield's regex set alongside the existing 45+ patterns.
Agentic PII Exfiltration Defense (P1)
A new heuristic in the AI Containment module's web fetch monitor detects when an AI agent attempts to exfiltrate sensitive data via URL parameters. The check triggers when a URL parameter name matches a PII keyword (email, ssn, token, api_key, password, secret, auth, session, credit_card, private_key), the parameter value exceeds 32 characters, and the Shannon entropy of the value exceeds 4.5 bits per character.
When all three conditions are met, the fetch is flagged as a PII exfiltration attempt with HIGH severity. The alert includes a truncated sample of the suspicious parameter value for incident response without leaking the full secret.
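The triple check can be sketched in Go as follows. This is an added example, not the AI Containment module's code: the function names, exact (case-insensitive) parameter-name matching, the 8-character sample length and the collector.example URLs are assumptions; the keyword list and both thresholds are the ones stated above.

```go
package main

import (
	"fmt"
	"math"
	"net/url"
	"strings"
)

// PII keywords as listed above; names are matched exactly (assumption).
var piiKeywords = map[string]bool{"email": true, "ssn": true, "token": true,
	"api_key": true, "password": true, "secret": true, "auth": true,
	"session": true, "credit_card": true, "private_key": true}

// shannonEntropy returns bits per character over the runes of s.
func shannonEntropy(s []rune) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(len(s))
		h -= p * math.Log2(p)
	}
	return h
}

// checkFetch reports the first parameter that meets all three conditions.
func checkFetch(rawURL string) (param, sample string, flagged bool) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", "", false
	}
	for name, vals := range u.Query() {
		for _, v := range vals {
			rs := []rune(v)
			if piiKeywords[strings.ToLower(name)] && len(rs) > 32 && shannonEntropy(rs) > 4.5 {
				return name, string(rs[:8]) + "...", true // 8-char sample: assumption
			}
		}
	}
	return "", "", false
}

func main() { // constructed URLs: a 40-character mixed-case token, then a hex value
	fmt.Println(checkFetch("https://collector.example/p?token=q7Zp2XvL9mKd4RtY8wBn3HsJ6cFg1UeA5oNiQzMx"))
	fmt.Println(checkFetch("https://collector.example/p?token=da39a3ee5e6b4b0d3255bfef95601890afd80709"))
}
```

A hex-encoded value draws on 16 symbols, so its per-character entropy cannot exceed 4.0 bits and it stays below the 4.5 threshold whatever its length, as the second call shows.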
Agent Goal-Action Alignment Monitor (P1)
The Goal Hijack Monitor now tracks whether an agent's actions are consistent with its declared goals over a 10-minute sliding window. If an agent's most recent goal is classified as read-only (Search, Read, Analyze, Monitor, List, Check, Get, Fetch, Query, Scan) but it attempts a destructive action (delete, remove, drop, kill, terminate, wipe, destroy, shutdown, format, purge, truncate), the action is blocked and a HIGH severity alert fires.
This catches goal hijacking attacks where an adversary manipulates an agent mid-session to perform destructive operations that contradict its original purpose.
Multi-Turn Delegation Verification (P2)
High-value actions now require valid delegation chain verification. When an agent attempts a destructive, financial, or sensitive operation, the Delegation Chain Tracker checks for a recorded human delegation event that is not expired and not stale (within a configurable window). If no valid delegation exists, the action is blocked with a HIGH severity alert.
This prevents social engineering attacks where an agent claims "Admin approved this" without any recorded delegation event in the system. The verification is automatic and cannot be bypassed by prompt manipulation.
C2 Beacon Jitter Analysis in Rust Sidecar (P2)
The Rust sidecar gains a new BeaconJitterAnalyzer that detects stealthy command-and-control beaconing by analyzing the regularity of connection intervals. For each IP pair, the analyzer tracks the last 50 SYN packet timestamps and computes the Coefficient of Variation (CV) of the inter-arrival intervals.
A CV below 0.1 with a mean interval between 5 seconds and 1 hour indicates machine-generated beaconing rather than human-driven traffic. When detected, the analyzer emits a block event via NATS with the calculated CV, mean interval, and sample count for SOC review.
Detection Parameters
The analyzer requires a minimum of 10 samples before making a determination, tracks up to 50 timestamps per IP pair, and uses a default CV threshold of 0.1. The mean interval window (5s–3600s) filters out both sub-second noise and connections too infrequent to constitute beaconing. All parameters are configurable at initialization.
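The CV computation and the gating rules can be followed in a short Go sketch. This is an added example, not the Rust sidecar's BeaconJitterAnalyzer: it fixes the stated defaults as constants instead of taking them at initialization, and the type and constant names, the use of population standard deviation, counting samples as timestamps, and the sample addresses are assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// Thresholds stated above; constant names are hypothetical.
const (
	minSamples, maxSamples = 10, 50
	cvThreshold            = 0.1
	minMean, maxMean       = 5.0, 3600.0 // seconds
)

// Analyzer keeps recent SYN timestamps (seconds) per "src->dst" pair.
type Analyzer map[string][]float64

// Observe records one SYN and returns the CV, mean interval, sample count and verdict.
func (a Analyzer) Observe(pair string, ts float64) (cv, mean float64, n int, beacon bool) {
	w := append(a[pair], ts)
	if len(w) > maxSamples {
		w = w[len(w)-maxSamples:] // keep only the newest timestamps
	}
	a[pair], n = w, len(w)
	if n < minSamples {
		return 0, 0, n, false // not enough data for a determination
	}
	k := float64(n - 1)        // number of inter-arrival intervals
	mean = (w[n-1] - w[0]) / k // the intervals sum to last minus first
	var sq float64
	for i := 1; i < n; i++ {
		d := w[i] - w[i-1] - mean
		sq += d * d
	}
	if mean <= 0 {
		return 0, mean, n, false
	}
	cv = math.Sqrt(sq/k) / mean // population standard deviation over mean
	return cv, mean, n, cv < cvThreshold && mean >= minMean && mean <= maxMean
}

func main() {
	a := Analyzer{}
	for i := 0; i < 12; i++ { // constructed: one SYN about every 60 s, 1 s jitter
		fmt.Println(a.Observe("10.0.0.5->203.0.113.9", float64(60*i+i%2)))
	}
}
```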
Codebase Audit Fixes
A post-implementation audit uncovered three bugs. Four keys in the Injection Shield's mitigation map (template_injection, nosqli, path_traversal, deserialization) never matched their actual category strings (template, nosql, path, deser), meaning those categories silently returned empty mitigations. All four have been corrected.
The Rust sidecar's strip_inline_comments function inserted a space where Go removed characters entirely, causing divergent normalization results (SEL/**/ECT became "SEL ECT" in Rust vs "SELECT" in Go). The Rust implementation now matches Go behavior exactly.
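A parity check of the kind that exposes this divergence, as an added Go sketch rather than the project's code: stripInlineComments is parameterized so one function can reproduce both behaviours, the inputs are constructed, and leaving an unterminated comment in place is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// stripInlineComments removes /* ... */ spans, writing sep in their place.
// sep == "" is the behaviour described for Go and for the fixed Rust code;
// sep == " " reproduces the pre-fix Rust behaviour. An unterminated comment
// is left in place (assumption of this sketch).
func stripInlineComments(s, sep string) string {
	var b strings.Builder
	for {
		start := strings.Index(s, "/*")
		if start < 0 {
			break
		}
		end := strings.Index(s[start+2:], "*/")
		if end < 0 {
			break
		}
		b.WriteString(s[:start])
		b.WriteString(sep)
		s = s[start+2+end+2:]
	}
	b.WriteString(s)
	return b.String()
}

// divergent returns the inputs on which the two behaviours disagree.
func divergent(inputs []string) []string {
	var out []string
	for _, in := range inputs {
		if stripInlineComments(in, "") != stripInlineComments(in, " ") {
			out = append(out, in)
		}
	}
	return out
}

func main() {
	for _, in := range divergent([]string{"SEL/**/ECT 1", "SELECT 1", "UN/*x*/ION"}) {
		fmt.Printf("%q -> %q vs %q\n", in, stripInlineComments(in, ""), stripInlineComments(in, " "))
	}
}
```

Running the same corpus through both normalizers and failing on any non-empty result keeps a pattern written against one output from silently missing on the other.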
Documentation references to "8-phase pipeline" have been updated to "9-phase" across the Rust normalize module.
Full Changelog
Injection Shield: New path_unicode_nfkc pattern for Unicode/NFKC normalization evasion detection (CVE-2026-25673). CRITICAL severity.
Injection Shield: New cmdi_mgmt_xmlrpc pattern for WatchGuard XMLRPC command injection (CVE-2025-67840). CRITICAL severity.
Injection Shield: New cmdi_mgmt_api_json pattern for Cohesity JSON API command injection (CVE-2025-63911). CRITICAL severity.
Injection Shield: 9-phase normalization pipeline with Unicode Folding (Phase 8). Maps fullwidth ASCII, Mathematical Alphanumeric Symbols to ASCII equivalents.
AI Containment: PII exfiltration heuristic on agent web fetches. Shannon entropy + length + PII keyword triple-check.
AI Containment: Goal-action alignment monitor with 10-minute sliding window. Blocks destructive actions from read-only goal contexts.
AI Containment: Delegation chain verification for high-value actions. Requires valid human delegation event.
AI Containment: Three new mitigation types (agent_pii_exfiltration, agent_goal_misalignment, delegation_verification_failed).
Rust Sidecar: BeaconJitterAnalyzer for C2 detection via Coefficient of Variation of SYN packet intervals.
Rust Sidecar: Unicode folding in normalize pipeline (Phase 8), matching Go implementation.
Rust Sidecar: Three new patterns (path_unicode_nfkc, cmdi_mgmt_xmlrpc, cmdi_mgmt_api_json).
Bug Fix: Four mitigation map keys corrected (template_injection→template, nosqli→nosql, path_traversal→path, deserialization→deser).
Bug Fix: Rust strip_inline_comments now removes comments entirely instead of inserting a space.
Bug Fix: Rust normalize module docs updated from 8-phase to 9-phase.
Upgrading
curl -fsSL https://1-sec.dev/get | sh
The binary self-updates on launch, but you can force an immediate update with the install script. All new detection patterns and containment heuristics are active immediately — no configuration changes required.
If you are running custom enforcement policies, the three new AI Containment mitigation types (agent_pii_exfiltration, agent_goal_misalignment, delegation_verification_failed) are available for policy rules.