Skip to content

What's New in Nullafi Shield v3.9.0

v3.9.0Released: June 10, 2026  ·  Container image: public.ecr.aws/nullafi/shield:v3.9.0


Overview

  • 6

    New Features

  • 4

    Improvements

  • 1

    Bug Fix

  • 0

    Security Fixes

Version 3.9.0 extends Shield's data protection reach into AI-generated content streams and agentic workflows, while adding new masking capabilities, configuration portability, and operational visibility tools for administrators.


New Features

Theme: AI-Ready Data Protection & Operational Visibility.

  • Cipher Mask Format (Reversible Encryption)


    Shield now supports a reversible encryption mask format — Cipher — that protects sensitive data in transit while allowing authorized parties to recover the original values when needed. Unlike permanent redaction, Cipher enables workflows that require access to the underlying data downstream without exposing it to unauthorized viewers.

    Policy

  • Streaming Redaction for Snowflake Intelligence


    Shield can now inspect and redact sensitive data within Server-Sent Event (SSE) streams, including real-time output from Snowflake Intelligence.

    Policy Deployment

  • Agent API Endpoints


    New API endpoints are available for policy retrieval, settings management, and activity reporting, enabling programmatic and automated interaction with Shield's core functions. These endpoints are designed to support agentic workflows and system integrations requiring machine-to-machine access.

    Developers

  • Agent Permission for API Keys


    A new Agent permission scope has been added to Shield's API key management. Administrators can now issue API keys scoped specifically to agentic access, ensuring automated integrations operate with the minimum privileges required.

    Policy Developers

  • Container Status Dashboard


    A new page in the Shield dashboard displays the real-time health and role of every service in a Shield deployment — including enforcement nodes, the alert manager, Redis, and Elasticsearch/OpenSearch. The view supports both all-in-one and split-role deployment topologies and refreshes automatically, giving administrators immediate visibility into deployment health.

    Deployment

  • Configuration Import & Export


    Shield policies and configuration can now be exported and imported through the dashboard. This enables teams to back up their configuration, migrate settings between environments (e.g., staging to production), and share policy baselines across Shield instances.

    Policy Deployment

Example · Cipher Mask in practice

Before Sensitive values such as account numbers or SSNs must be permanently redacted before reaching unauthorized viewers. Downstream systems that legitimately need the original value — for processing, reconciliation, or billing — are broken because the data is gone and cannot be recovered.

After Shield applies the Cipher mask, replacing the sensitive value with an encrypted token. Unauthorized viewers see only the token. Authorized downstream systems use Shield's decipher capability to recover the original value on demand — data protection and data utility are no longer in conflict.


Policy

Compliance requirements, data governance changes, and policy updates that take effect with this release.

Policy & Compliance

Cipher Mask Format — Reversible Data Protection The new Cipher mask type introduces a reversible encryption option for sensitive data handling. Organizations should review their data governance policies to determine when Cipher is appropriate versus permanent redaction — particularly in workflows where authorized downstream systems require access to original values. All existing redaction behavior is unchanged.

Request Modification Scanning — Enabled by Default on Fresh Installs New Shield deployments will have request modification enabled out of the box. Existing deployments are not affected — your current configuration is preserved on upgrade. If you are performing a fresh installation and wish to disable this feature, it can be toggled in the Shield settings (under Configuration >> General).

Policy documentation


Developers

API changes, deprecations, SDK updates, and integration notes.

Developers & Integrators

New Agent API Endpoints Three categories of new endpoints have been added: policy retrieval, settings management, and activity reporting. These endpoints are intended for programmatic and agentic access patterns. Refer to the API documentation for full endpoint details and authentication requirements.

Agent Permission Scope for API Keys API keys can now be issued with an Agent permission scope, providing a dedicated access level for automated integrations. Existing API keys and their permission levels are unaffected. New integrations targeting the Agent API endpoints should use keys issued with this scope.

API changelog & docs


Improvements & Bug Fixes

Full list of resolved issues and quality improvements in this release.

Type Description ID
Improvement Shield now re-sizes replacement text when redacting content from PDFs, preventing layout disruption when the redaction replacement differs from the original content. NS-646
Improvement URL handling in ICAP request processing has been improved to support a broader range of request formats, increasing compatibility with diverse proxy and gateway configurations. NS-648
Improvement Content type detection for file attachments transmitted via ICAP has been enhanced, improving Shield's ability to correctly identify and process a wider variety of file types. NS-649
Improvement Request modification — which allows Shield to modify requests and uploads — is now enabled by default on fresh deployments. NS-647
Fix Resolved an issue where text surrounding redacted regions in PDFs was not preserved correctly, which could cause content loss adjacent to redaction zones. NS-650

Upgrade Instructions

Follow these steps before upgrading in production. Estimated time: 10 minutes.

  1. Back up your database and configuration files Take a full snapshot of your database and export your current configuration — including your .env and any custom policy files. Store backups off-instance before proceeding.

  2. Review request modification logging behavior If you are performing a fresh installation, the request modification log will be enabled by default. If your deployment standards require this to be disabled, configure it in Shield settings after deployment.

  3. Pull and deploy the updated container image

    docker pull public.ecr.aws/nullafi/shield:v3.9.0
    

    Configure your container runtime scripts or commands to use the new image. (If using Nullafi's sample Docker Compose files, modify the .env file so that SHIELD_IMAGE points to the new image.) Restart the Shield service after pulling the updated image.


nullafi.com  ·  docs.nullafi.com  ·  support@nullafi.com  ·  Previous releases