
Shield v1.1: 18 Security Fixes, MCP Servers, and License Metering

Oubliette Security

We just shipped the biggest update to Oubliette Shield since v1.0. Here’s what changed and why.

We Red Teamed Ourselves

Before asking anyone else to trust our code, we ran a full adversarial assessment against our own codebase. The result: 31 findings across Critical, High, and Medium severity. This release addresses 18 of them.

Critical Fixes

Auth bypass in production mode. If you deployed Shield without setting OUBLIETTE_API_KEY, the API was wide open. Now Shield refuses to start in production mode without authentication configured. No more silent fail-open.

Tenant API key hashing upgraded. We replaced unsalted SHA-256 with PBKDF2-HMAC-SHA256 (600K iterations, random salt). Existing keys are auto-migrated on first verification.

ReDoS in the sanitizer. Several regex patterns in the input sanitizer were vulnerable to catastrophic backtracking. We rewrote all patterns with bounded quantifiers and pre-compiled them. A payload that previously could hang the process now completes in under 1ms.
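The first two critical fixes above, a fail-closed startup check and salted PBKDF2 key hashing with transparent migration from unsalted SHA-256, are illustrated below. This is an added example written for this post, not Shield's own code: the environment variable name OUBLIETTE_ENV, the record format pbkdf2_sha256$iterations$salt$hash and the verify-then-rehash migration flow are assumptions; the 600K iteration count and OUBLIETTE_API_KEY come from the release note.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # iteration count stated in the release note
SALT_BYTES = 16
_PREFIX = "pbkdf2_sha256"     # assumed record prefix, not Shield's real format


def production_auth_configured(env: dict) -> bool:
    """True unless production mode is selected with no API key set.
    OUBLIETTE_ENV is an assumed name for the mode switch."""
    return not (env.get("OUBLIETTE_ENV") == "production" and not env.get("OUBLIETTE_API_KEY"))


def check_startup(env: dict) -> None:
    """Refuse to start rather than silently running with an open API (fail closed)."""
    if not production_auth_configured(env):
        raise RuntimeError("OUBLIETTE_API_KEY must be set in production mode")


def legacy_hash(api_key: str) -> str:
    """The pre-1.1 scheme: unsalted SHA-256 hex digest. Kept only to recognise old records."""
    return hashlib.sha256(api_key.encode()).hexdigest()


def hash_api_key(api_key: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; the salt and iteration count travel with the record."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", api_key.encode(), salt, iterations)
    return f"{_PREFIX}${iterations}${salt.hex()}${dk.hex()}"


def verify_api_key(api_key: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, upgraded_record). upgraded_record is set when `stored` was a legacy
    unsalted hash that verified; the caller persists it so the old hash is retired."""
    if stored.startswith(_PREFIX + "$"):
        _, iters, salt_hex, dk_hex = stored.split("$", 3)
        dk = hashlib.pbkdf2_hmac("sha256", api_key.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex), None
    # Legacy record: constant-time compare, then migrate on first successful verification.
    if hmac.compare_digest(legacy_hash(api_key), stored):
        return True, hash_api_key(api_key)
    return False, None
```

Because the iteration count is embedded in each record, a future bump of PBKDF2_ITERATIONS can be rolled out the same way: records that verify under an older count get rehashed on their next use.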

High-Severity Fixes

  • Session fixation — Session IDs are now always server-generated UUIDs. Client-supplied values are rejected.
  • Memory exhaustion — Interaction history is capped at 200 entries per session, with input truncated to 500 chars.
  • Honey tool OOM — The trigger log now uses a bounded deque (max 1,000 entries) instead of an unbounded list.
  • Log injection — All user input in log statements is sanitized (control chars, ANSI escapes, newlines stripped).
  • Path traversal in DriftMonitor — load_reference() now validates paths against a configurable base directory.
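The memory-exhaustion, honey-tool OOM, log-injection and path-traversal fixes in the list above share a theme: bound every resource and canonicalise every untrusted value before it reaches a log line or the filesystem. The helpers below are an added example for this post, not Shield's code; the class and function names, the truncation marker and the regex for ANSI escapes are assumptions, while the 200/500/1,000 limits are the figures from the release note.

```python
import os
import re
from collections import deque
from typing import Optional

MAX_INPUT_CHARS = 500     # per-entry input cap (release note)
MAX_HISTORY = 200         # interaction history cap per session (release note)
MAX_TRIGGER_LOG = 1_000   # honey tool trigger log cap (release note)

# CSI escape sequences (ESC [ params intermediates final) are matched first, then any
# remaining C0 control character or DEL. Quantifiers are bounded on purpose.
_LOG_UNSAFE = re.compile(r"\x1b\[[0-9;?]{0,32}[ -/]{0,8}[@-~]|[\x00-\x1f\x7f]")


def sanitize_for_log(value: str, max_len: int = MAX_INPUT_CHARS) -> str:
    """Strip newlines, ANSI escapes and other control chars so user text cannot forge
    a new log line or recolour the terminal, then truncate to the input cap."""
    cleaned = _LOG_UNSAFE.sub("", value)
    if len(cleaned) > max_len:
        cleaned = cleaned[:max_len] + "...[truncated]"
    return cleaned


class Session:
    """Interaction history kept in a bounded deque: old entries fall off instead of
    letting a chatty client grow the process without limit."""

    def __init__(self) -> None:
        self.history = deque(maxlen=MAX_HISTORY)

    def record(self, user_input: str) -> None:
        self.history.append(user_input[:MAX_INPUT_CHARS])


class HoneyToolTriggerLog:
    """Trigger log for deception tools; bounded the same way, and the caller string is
    log-sanitised on the way in."""

    def __init__(self) -> None:
        self._entries = deque(maxlen=MAX_TRIGGER_LOG)

    def record(self, tool_name: str, caller: str) -> None:
        self._entries.append((tool_name, sanitize_for_log(caller)))

    def __len__(self) -> int:
        return len(self._entries)

    def oldest(self):
        return self._entries[0] if self._entries else None


def safe_reference_path(base_dir: str, requested: str) -> Optional[str]:
    """Resolve `requested` under base_dir and return the canonical path, or None when it
    escapes the base via '..', an absolute path, or a symlink pointing outside."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:   # e.g. different drive letters on Windows
        inside = False
    return candidate if inside else None
```

Note that `os.path.join` discards the base when the second argument is absolute, which is exactly why the check is done on the resolved result rather than on the input string.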

Medium-Severity Fixes

  • CSRF protection via SameSite=Strict cookies and Origin header validation
  • Removed |safe template filter on user-derived content
  • Changed default behavior to fail-closed (return MALICIOUS) when both ML and LLM classifiers are unavailable
  • SQLite schema DDL runs once per database path instead of on every thread connection
  • Detection telemetry (ml_score, llm_verdict) removed from client-facing API responses
  • User input truncated and redacted in logs (API keys, passwords detected and masked)
  • SSL verification forced in production mode for SOAR integrations
  • Unicode NFKD normalization applied before all pattern matching to prevent homoglyph bypasses
  • Docker Compose ports bound to 127.0.0.1 instead of 0.0.0.0
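Three items from the lists above fit naturally in one detection path: NFKD normalisation before pattern matching (medium list), bounded and pre-compiled regexes (the ReDoS fix under Critical Fixes), and the fail-closed default plus removal of ml_score/llm_verdict from client responses. The sketch below is an added example for this post, not Shield's pipeline; the two detection rules, the ML threshold of 0.5, the verdict strings and the function names are assumptions.

```python
import re
import unicodedata
from typing import Any, Dict, Optional

ML_THRESHOLD = 0.5   # assumed decision threshold, not a Shield value

# Constructed detection rules. Every quantifier is bounded and each pattern is compiled
# exactly once, so matching cost stays linear in the input (no catastrophic backtracking).
PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"ignore\s{1,10}(?:all\s{1,10})?(?:previous|prior|above)\s{1,10}instructions",
        r"you\s{1,10}are\s{1,10}now\s{1,10}(?:in\s{1,10})?developer\s{1,10}mode",
    )
]


def normalize(text: str) -> str:
    """NFKD folds compatibility forms (fullwidth letters, ligatures, superscripts) back to
    their base characters before matching. It does not fold characters that are merely
    look-alikes (Cyrillic 'а' vs Latin 'a'); those need a separate confusables map."""
    return unicodedata.normalize("NFKD", text)


def pattern_hit(text: str) -> Optional[str]:
    folded = normalize(text)
    for pat in PATTERNS:
        if pat.search(folded):
            return pat.pattern
    return None


def classify(text: str, ml_score: Optional[float] = None,
             llm_verdict: Optional[str] = None) -> Dict[str, Any]:
    """Full verdict with telemetry. ml_score / llm_verdict are None when that classifier
    is unavailable (timeout, backend down, feature disabled)."""
    result: Dict[str, Any] = {"ml_score": ml_score, "llm_verdict": llm_verdict}
    hit = pattern_hit(text)
    if hit:
        result.update(verdict="MALICIOUS", reason=f"pattern:{hit}")
    elif ml_score is not None:
        result.update(verdict="MALICIOUS" if ml_score >= ML_THRESHOLD else "BENIGN", reason="ml")
    elif llm_verdict is not None:
        result.update(verdict=llm_verdict, reason="llm")
    else:
        # Fail closed: with no classifier available, do not silently pass input through.
        result.update(verdict="MALICIOUS", reason="classifiers_unavailable")
    return result


CLIENT_FIELDS = ("verdict",)


def client_response(result: Dict[str, Any]) -> Dict[str, Any]:
    """Project the internal result onto the client-facing shape. Scores and per-detector
    verdicts stay server-side so a caller cannot tune payloads against them."""
    return {k: result[k] for k in CLIENT_FIELDS}
```

The internal `result` (with `reason`, `ml_score`, `llm_verdict`) is what belongs in your CEF or SIEM logs; only `client_response(result)` goes back over the API.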

All 406 tests pass after these changes.

MCP Server Integration

Both Shield and Dungeon now ship with standalone MCP (Model Context Protocol) server packages. This means you can run security analysis and adversarial testing directly from Claude Desktop, Claude Code, or any MCP-compatible client.

Shield MCP Server

Install with pip install oubliette-shield-mcp and get 6 tools:

Tool                  What It Does
analyze               Scan text for prompt injection and jailbreak attempts
validate_tool_call    Validate MCP tool call arguments for injection
scan_output           Scan LLM output for leaked secrets, PII, and URLs
get_session           Retrieve session state and attack history
list_honey_tools      Browse available deception tool definitions
export_threat_intel   Export STIX 2.1 threat intel bundle

Plus two resources: attack-patterns (MITRE ATLAS catalog) and detection-stats (live metrics).

Dungeon MCP Server

Install with pip install oubliette-dungeon-mcp and get 6 tools:

Tool              What It Does
list_scenarios    Browse and filter 57 attack scenarios
run_scenario      Execute a single attack against any target
run_category      Run all attacks in a category
get_results       Query historical test results
get_metrics       Compute detection rates and security metrics
export_report     Generate JSON or HTML reports

Now you can say “run all jailbreak scenarios against my staging endpoint” in Claude Desktop and get results without touching the CLI.

License and Metering Layer

Shield’s open source core remains free under Apache 2.0. This release adds a soft license/metering layer that enables Pro tier features:

  • Free tier: Full detection pipeline, ML classifier, all LLM backends, deception modes, CEF logging. No hard limits.
  • Pro tier: Adds output scanning, drift monitoring, webhooks, STIX export, MCP Guard, agent policy enforcement, multi-tenant isolation, RBAC, and usage metering.
  • Enterprise tier: Everything, plus air-gap deployment support, custom SLA, and federal procurement assistance.

The metering is soft enforcement — Pro features log a warning if used without a license key but don’t hard-block. Usage is tracked per month with configurable soft quotas and warnings at 80% and 100% thresholds. Check your usage at /shield/usage.
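To make the difference between soft and hard enforcement concrete, here is an added example of a per-month meter that warns once at each threshold and never blocks; it is written for this post and is not Shield's metering code. The quota value, the class name and the string period keys are assumptions; the 80% and 100% thresholds and the unlicensed-use warning come from the paragraph above.

```python
import logging
from collections import defaultdict
from typing import Dict, List, Optional, Set

log = logging.getLogger("shield.metering")   # assumed logger name
WARN_THRESHOLDS = (0.8, 1.0)                 # 80% and 100% of the soft quota


class SoftMeter:
    """Counts Pro-feature calls per calendar month. Crossing a threshold logs a warning
    once per period; every call is still allowed (soft enforcement)."""

    def __init__(self, quota: int, license_key: Optional[str] = None) -> None:
        self.quota = quota
        self.license_key = license_key
        self._counts: Dict[str, int] = defaultdict(int)
        self._warned: Dict[str, Set[float]] = defaultdict(set)

    def record(self, feature: str, period: str) -> dict:
        """`period` is a 'YYYY-MM' key; a real deployment derives it from the clock."""
        if not self.license_key:
            log.warning("Pro feature %s used without a license key", feature)
        self._counts[period] += 1
        used = self._counts[period]
        fraction = used / self.quota
        crossed: List[float] = [
            t for t in WARN_THRESHOLDS if fraction >= t and t not in self._warned[period]
        ]
        for t in crossed:
            self._warned[period].add(t)
            log.warning("usage at %d%% of soft quota for %s", int(t * 100), period)
        # allowed is always True: the meter reports, it does not gate.
        return {"period": period, "used": used, "quota": self.quota,
                "allowed": True, "warnings": crossed}
```

The returned dict is the kind of data a /shield/usage endpoint would surface; a hard-enforcement variant would flip `allowed` at the 100% mark, which is precisely what this release does not do.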

What’s Next

  • SBA VetCert (SDVOSB) certification in progress
  • SBIR Phase I proposals targeting DoD and DHS
  • Pilot deployments with 3-5 early adopters
  • Community launch on Reddit, Hacker News, and LinkedIn

If you’re securing LLM applications in production, install Shield from PyPI and try Dungeon against it. File issues on GitHub. We read every one.