AKIOS v1.0.7 delivers cryptographic audit proofs that actually work, workflow validation before execution, ablation benchmarking, and secure data erasure controls. This release also includes all v1.0.6 security hardening.

What Changed: v1.0.5 → v1.0.7

Areav1.0.5v1.0.7
PII Patterns 43 patterns 53 patterns (ITIN, MBI, VIN, IPv6, AWS key, JWT, GitHub token, etc.)
Audit Proofs Placeholder stubs Real O(log n) Merkle proofs with SHA-256 root recomputation
PII Fail-Safe Silent passthrough on module failure Blocks data with [PII_REDACTION_UNAVAILABLE] — never leaks
HTTPS HTTP allowed in sandbox Plain http:// blocked when sandbox active
Workflow Validation Runtime errors only akios workflow validate — pre-flight schema check
Audit Management Manual log inspection akios audit stats + akios audit rotate
Data Erasure Default wipe cage down --passes N + --fast options
Compliance Binary pass/fail Weighted scoring (PII 30%, Audit 25%, Security 25%, Config 20%)
Benchmarking Not possible cage up --no-pii --no-audit --no-budget ablation flags

v1.0.7 — New Features

Audit Stats and Rotation

Inspect your audit ledger without parsing raw JSONL:

akios audit stats
# Event count, ledger size, archive segments, Merkle root hash

akios audit rotate
# Archive current ledger, start fresh with Merkle chain linkage

akios audit stats --json  # Machine-readable output

Automatic rotation at 50K events with cryptographic chain linkage between segments.

Workflow Validation

Catch errors before execution — no more wasted API calls on malformed YAML:

akios workflow validate my-workflow.yml
# Checks: YAML syntax, required fields, agent/action existence, step schema

akios workflow validate my-workflow.yml --json  # CI/CD integration

Ablation Benchmarking

Measure the overhead of each security layer independently:

# Disable specific protections for controlled benchmarking
akios cage up --no-pii       # Skip PII redaction
akios cage up --no-audit     # Skip audit logging
akios cage up --no-budget    # Skip cost enforcement

# Combine flags
akios cage up --no-pii --no-audit --no-budget  # Raw performance baseline

Secure Data Erasure Controls

Configure how thoroughly cage down destroys session data:

akios cage down              # Default: 1-pass secure overwrite
akios cage down --passes 3   # 3-pass overwrite (higher security)
akios cage down --fast        # Skip overwrite (speed over security)

Each pass: random bytes → fsync → zeros → fsync → unlink.

Real Compliance Scoring

akios compliance report now uses weighted scoring instead of binary pass/fail:

CategoryWeight
PII Protection30%
Audit Integrity25%
Security Controls25%
Configuration20%

Smarter PII Detection

Context keywords on ambiguous patterns reduce false positives. Routing numbers now require context prefix (routing, aba, transit) instead of matching any bare 9-digit number.

v1.0.6 — Security Hardening

Merkle Proof System — Complete Rewrite

The previous Merkle proof implementation was a stub. v1.0.6 replaced it entirely:

  • get_proof() generates proper O(log n) sibling-hash proof paths
  • verify_proof() performs real SHA-256 cryptographic root recomputation
  • akios audit verify compares recomputed root against stored Merkle root hash
  • Root persisted to merkle_root.hash sidecar file on every flush

PII Fail-Safe Hardening

All 4 agents now block data if the PII module fails to load:

  • Before: Silent passthrough of raw content (data leak risk)
  • After: Returns [PII_REDACTION_UNAVAILABLE] — data never passes through unredacted
  • Filesystem agent PII timeout: returns [CONTENT_REDACTED_TIMEOUT]
  • CRITICAL log warning emitted when PII module fails

HTTPS Enforcement

The HTTP agent now blocks plain http:// URLs when sandbox is enabled. Only HTTPS permitted in sandboxed mode. LLM provider APIs always allowed.

53 PII Patterns (was 43)

10 new digital identity patterns:

PatternCategory
ITINPersonal
Medicare MBIHealth
VINPersonal
IPv6 AddressDigital
AWS Access KeyDigital
Generic API KeyDigital
JWT TokenDigital
Private Key HeaderDigital
GitHub TokenDigital
Password in URLDigital

ICD-10 False Positives Fixed

License plate pattern changed from [A-Z]{1,3} to [A-Z]{2,3} — medical codes like E11.9 no longer misclassified.

Installation

pip install akios==1.0.15

Or with Docker:

docker pull akiosai/akios:v1.0.15

Links