docs/architecture/agentshield-enterprise-research-roadmap.md
Generated: 2026-05-12; refreshed with May 18 AgentShield fleet-ticket and Mini Shai-Hulud IOC evidence.
This is a planning artifact for the next AgentShield enterprise iteration. It does not modify AgentShield code. The goal is to turn the current scanner, policy gate, corpus, and reporting surface into a security control plane for teams running AI coding agents across multiple harnesses.
Current AgentShield repository state:
main.README.md, API.md, package.json, .github/workflows/*, and
src//tests/ module layout.agentshield scan, agentshield init,
agentshield miniclaw start, scanner JSON, MiniClaw API, GitHub Action,
HTML, SARIF, markdown, terminal, and JSON reports.External references checked from official GitHub repos or README sources:
Local Claude Code source inspection:
tools/, utils/permissions/, utils/mcp/,
utils/hooks/, utils/plugins/, types/permissions.ts,
types/plugin.ts, remote/, tasks/, assistant/sessionHistory.ts,
and session/history utilities..claude/ tree as the only
source of truth.AgentShield is already more than a static lint tool:
runtimeConfidence, template/example weighting,
docs-example downgrades, installed Claude plugin-cache confidence,
hook-manifest resolution, false-positive audit guidance, and corpus readiness.agentshield evidence-pack inspect verifies a bundle and emits compact
JSON/text summaries for report score, finding counts, runtime confidence,
policy, baseline, supply-chain, CI context, remediation, and malformed
artifact errors.agentshield evidence-pack fleet <dirs...> [--json] aggregates multiple
inspected bundles into ready, security-blocker, policy-review,
baseline-regression, supply-chain-review, and invalid routes.agentshield-evidence/fleet-summary.json routes invalid packs, security
blockers, policy reviews, baseline regressions, and supply-chain reviews into
hosted findings.May 16 update: AgentShield PR #87 merged as
26bb44650663816d07180e0d20c1895e431a326c. It classifies installed Claude
plugin cache content as runtimeConfidence: plugin-cache, keeps non-secret
plugin-cache score impact at 0.5x, avoids downgrading repository-local
non-Claude plugins/cache paths, and makes plugin-cache classification win
before cached hook implementations would otherwise appear as active hook-code.
AgentShield PR #88 merged as
65ed6e2a87545dc99d962b58413f49096a4d70ec. It adds
agentshield evidence-pack inspect <dir> [--json], validates the bundle before
readback, summarizes every consumer-facing evidence artifact, and keeps
malformed-but-valid JSON artifacts from crashing inspection.
AgentShield PR #89 merged as
521ada9091bb6d818511ab8589ae675b920c106a. It adds
agentshield evidence-pack fleet <dirs...> [--json], verifies each pack through
the inspect path, aggregates finding, policy, baseline, supply-chain, and
remediation totals, and assigns each pack to a deterministic fleet route.
AgentShield commit 840952a7a07f820f24081c43df656d7f7295f23b adds
Linear/operator-ready fleet review ticket payloads with priority, labels,
titles, and Markdown bodies. The same commit expands current Mini
Shai-Hulud/TanStack IOC coverage for the in-cluster Vault endpoint and
temporary lockfile breadcrumb, with local typecheck, lint, full tests,
git diff --check, and GitHub CI/Self-Scan/Action-test evidence.
The next iteration after fleet routing should not be "add more regex rules" by
default. ECC-Tools follow-up routing now consumes fleet summaries and surfaces
source evidence paths in hosted findings, and the first cross-harness policy
slice now links AgentShield fleet route target paths to harness-owner review.
AgentShield fleet output now also emits reviewItems with source evidence paths
and owner-ready recommendations plus copy-ready ticket payloads for routed
packs. The higher leverage move is durable operator approval/readback and
workflow automation for routed fleet findings.
Enterprise buyers need to know whether a repo, team, or agent fleet is getting
safer or riskier over time. AgentShield has scan logs and baseline comparison
modules, and PR #63 now exposes that drift through GitHub Action inputs,
outputs, annotations, and job-summary evidence. PR #64 adds first-class
baseline snapshot creation through agentshield baseline write. The remaining
product surface should make CLI drift summaries, evidence packs, and
owner-ready deltas explicit.
Target capability:
agentshield baseline write --path .claude --output agentshield-baseline.jsonagentshield scan --baseline agentshield-baseline.jsonThe market is moving toward many parallel agent harnesses, not one tool. Orca, Superset, dmux, OpenCode, Claude Code, Codex, Gemini, Zed, and terminal multiplexers all create different security surfaces.
Target capability:
claude-code, opencode, codex, gemini,
zed, dmux, orca, superset, and generic-terminal.Worktree-native orchestrators change the risk model. A team can run many agents in parallel, each with its own branch, shell, MCP config, and local state.
Target capability:
HTML reports are the right buyer-facing artifact today; native PDF is deferred. The deeper need is a portable evidence bundle that can be attached to audits, security reviews, and customer questionnaires.
Target capability:
agentshield scan --evidence-pack out/agentshield-evidenceMeta-Harness and Autocontext point to the same lesson: improvements need scored scenarios, traces, and playbooks. AgentShield already has a corpus benchmark, but enterprise trust needs a curated reference set for false positives, false negatives, and policy regressions.
Target capability:
Security tools become enterprise-grade when they turn findings into accountable work without flooding maintainers.
Target capability:
Agent security depends on MCP packages, plugin repositories, action bundles, and rapidly changing CLI ecosystems. Static checks need a maintained external reputation layer.
Target capability:
AgentShield is already connected conceptually to the ECC Tools GitHub App. Native GitHub payments make the product path more concrete: free local scans, paid org policy gates, paid evidence bundles, and paid drift/history.
Target capability:
Implement the smallest enterprise control-plane primitive: compare this scan to the last accepted baseline.
Artifacts:
Why first:
Bundle the existing machine and human reports into a portable audit artifact.
Artifacts:
--evidence-pack <dir> CLI flag.Why second:
Make harness support explicit instead of implicit.
Artifacts:
Why third:
Promote the corpus from a benchmark into a release gate.
Artifacts:
Why fourth:
Connect AgentShield findings to ECC-Tools follow-up routing.
Artifacts:
Why fifth:
The AgentShield enterprise iteration is not complete until these are true:
npm run typecheck, npm run lint, npm test, and npm run build
pass from the AgentShield repository root.