What's New in Nullafi Shield v3.9.0
v3.9.0Released: June 10, 2026 · Container image: public.ecr.aws/nullafi/shield:v3.9.0
Overview
-
6
New Features
-
4
Improvements
-
1
Bug Fix
-
0
Security Fixes
Version 3.9.0 extends Shield's data protection reach into AI-generated content streams and agentic workflows, while adding new masking capabilities, configuration portability, and operational visibility tools for administrators.
New Features
Theme: AI-Ready Data Protection & Operational Visibility.
-
Cipher Mask Format (Reversible Encryption)
Shield now supports a reversible encryption mask format — Cipher — that protects sensitive data in transit while allowing authorized parties to recover the original values when needed. Unlike permanent redaction, Cipher enables workflows that require access to the underlying data downstream without exposing it to unauthorized viewers.
Policy
-
Streaming Redaction for Snowflake Intelligence
Shield can now inspect and redact sensitive data within Server-Sent Event (SSE) streams, including real-time output from Snowflake Intelligence.
Policy Deployment
-
Agent API Endpoints
New API endpoints are available for policy retrieval, settings management, and activity reporting, enabling programmatic and automated interaction with Shield's core functions. These endpoints are designed to support agentic workflows and system integrations requiring machine-to-machine access.
Developers
-
Agent Permission for API Keys
A new Agent permission scope has been added to Shield's API key management. Administrators can now issue API keys scoped specifically to agentic access, ensuring automated integrations operate with the minimum privileges required.
Policy Developers
-
Container Status Dashboard
A new page in the Shield dashboard displays the real-time health and role of every service in a Shield deployment — including enforcement nodes, the alert manager, Redis, and Elasticsearch/OpenSearch. The view supports both all-in-one and split-role deployment topologies and refreshes automatically, giving administrators immediate visibility into deployment health.
Deployment
-
Configuration Import & Export
Shield policies and configuration can now be exported and imported through the dashboard. This enables teams to back up their configuration, migrate settings between environments (e.g., staging to production), and share policy baselines across Shield instances.
Policy Deployment
Example · Cipher Mask in practice
Before Sensitive values such as account numbers or SSNs must be permanently redacted before reaching unauthorized viewers. Downstream systems that legitimately need the original value — for processing, reconciliation, or billing — are broken because the data is gone and cannot be recovered.
After Shield applies the Cipher mask, replacing the sensitive value with an encrypted token. Unauthorized viewers see only the token. Authorized downstream systems use Shield's decipher capability to recover the original value on demand — data protection and data utility are no longer in conflict.
Policy
Compliance requirements, data governance changes, and policy updates that take effect with this release.
Policy & Compliance
Cipher Mask Format — Reversible Data Protection The new Cipher mask type introduces a reversible encryption option for sensitive data handling. Organizations should review their data governance policies to determine when Cipher is appropriate versus permanent redaction — particularly in workflows where authorized downstream systems require access to original values. All existing redaction behavior is unchanged.
Request Modification Scanning — Enabled by Default on Fresh Installs New Shield deployments will have request modification enabled out of the box. Existing deployments are not affected — your current configuration is preserved on upgrade. If you are performing a fresh installation and wish to disable this feature, it can be toggled in the Shield settings (under Configuration >> General).
Developers
API changes, deprecations, SDK updates, and integration notes.
Developers & Integrators
New Agent API Endpoints Three categories of new endpoints have been added: policy retrieval, settings management, and activity reporting. These endpoints are intended for programmatic and agentic access patterns. Refer to the API documentation for full endpoint details and authentication requirements.
Agent Permission Scope for API Keys API keys can now be issued with an Agent permission scope, providing a dedicated access level for automated integrations. Existing API keys and their permission levels are unaffected. New integrations targeting the Agent API endpoints should use keys issued with this scope.
Improvements & Bug Fixes
Full list of resolved issues and quality improvements in this release.
| Type | Description | ID |
|---|---|---|
| Improvement | Shield now re-sizes replacement text when redacting content from PDFs, preventing layout disruption when the redaction replacement differs from the original content. | NS-646 |
| Improvement | URL handling in ICAP request processing has been improved to support a broader range of request formats, increasing compatibility with diverse proxy and gateway configurations. | NS-648 |
| Improvement | Content type detection for file attachments transmitted via ICAP has been enhanced, improving Shield's ability to correctly identify and process a wider variety of file types. | NS-649 |
| Improvement | Request modification — which allows Shield to modify requests and uploads — is now enabled by default on fresh deployments. | NS-647 |
| Fix | Resolved an issue where text surrounding redacted regions in PDFs was not preserved correctly, which could cause content loss adjacent to redaction zones. | NS-650 |
Upgrade Instructions
Follow these steps before upgrading in production. Estimated time: 10 minutes.
-
Back up your database and configuration files Take a full snapshot of your database and export your current configuration — including your
.envand any custom policy files. Store backups off-instance before proceeding. -
Review request modification logging behavior If you are performing a fresh installation, the request modification log will be enabled by default. If your deployment standards require this to be disabled, configure it in Shield settings after deployment.
-
Pull and deploy the updated container image
Configure your container runtime scripts or commands to use the new image. (If using Nullafi's sample Docker Compose files, modify the
.envfile so thatSHIELD_IMAGEpoints to the new image.) Restart the Shield service after pulling the updated image.
nullafi.com · docs.nullafi.com · support@nullafi.com · Previous releases