@contextfort-ai/openclaw-secure 0.1.8 → 0.1.11

package/openclaw-secure.js

@@ -72,8 +72,20 @@ const secretsGuard = require('./monitor/secrets_guard')({
   analytics,
 });
 
+// === Exfil Guard ===
+const exfilGuard = require('./monitor/exfil_guard')({
+  analytics,
+  localLogger,
+  readFileSync: _originalReadFileSync,
+});
+
 // === Prompt Injection Guard (PostToolUse) ===
-const ANTHROPIC_KEY = process.env.ANTHROPIC_API_KEY || null;
+function loadAnthropicKey() {
+  if (process.env.ANTHROPIC_API_KEY) return process.env.ANTHROPIC_API_KEY;
+  try { const k = _originalReadFileSync(path.join(CONFIG_DIR, 'anthropic_key'), 'utf8').trim(); if (k) return k; } catch {}
+  return null;
+}
+const ANTHROPIC_KEY = loadAnthropicKey();
 const promptInjectionGuard = require('./monitor/prompt_injection_guard')({
   httpsRequest: _originalHttpsRequest,
   anthropicKey: ANTHROPIC_KEY,
@@ -81,6 +93,7 @@ const promptInjectionGuard = require('./monitor/prompt_injection_guard')({
   apiKey: API_KEY,
   baseDir: __dirname,
   analytics,
+  localLogger,
 });
 
 function callMonitor(toolName, toolInput) {
@@ -128,54 +141,89 @@ function extractShellCommand(command, args) {
 
 function shouldBlockCommand(cmd) {
   if (!cmd || typeof cmd !== 'string') return null;
-  const cmdSlice = cmd.slice(0, 500);
   const guards = [];
 
+  // 1. API Key check
   const keyBlock = checkApiKey();
   if (keyBlock) {
     analytics.track('command_blocked', { blocker: 'api_key' });
-    localLogger.logLocal({ event: 'command_blocked', command: cmdSlice, guards: ['api_key'], decision: 'block', blocker: 'api_key', reason: 'No API key' });
+    localLogger.logLocal({ event: 'guard_check', command: cmd, guard: 'api_key', decision: 'block', blocker: 'api_key', reason: 'No API key', detail: { has_key: false } });
     return keyBlock;
   }
+  localLogger.logLocal({ event: 'guard_check', command: cmd, guard: 'api_key', decision: 'allow', reason: 'API key present' });
   guards.push('api_key');
 
+  // 2. Check for unblock flag (set by dashboard "Remove Block" button)
+  // When found: clear all flagged state, then delete the file.
+  const unblockFile = path.join(CONFIG_DIR, 'unblock');
+  try {
+    if (_originalReadFileSync(unblockFile, 'utf8')) {
+      promptInjectionGuard.clearFlaggedOutput();
+      skillsGuard.clearFlaggedSkills();
+      try { require('fs').unlinkSync(unblockFile); } catch {}
+      localLogger.logLocal({ event: 'guard_check', command: cmd, guard: 'unblock', decision: 'cleared', reason: 'Unblock: cleared all flagged state' });
+    }
+  } catch {}
+
+  // 3. Prompt Injection — check if any previous output was flagged
   const outputBlock = promptInjectionGuard.checkFlaggedOutput();
   if (outputBlock) {
     analytics.track('command_blocked', { blocker: 'prompt_injection' });
-    localLogger.logLocal({ event: 'command_blocked', command: cmdSlice, guards: [...guards, 'prompt_injection'], decision: 'block', blocker: 'prompt_injection', reason: outputBlock.reason || 'Flagged output' });
+    localLogger.logLocal({ event: 'guard_check', command: cmd, guard: 'prompt_injection', decision: 'block', blocker: 'prompt_injection', reason: outputBlock.reason || 'Flagged output', detail: { flagged_command: outputBlock.command, scan_id: outputBlock.id } });
     return { blocked: true, reason: promptInjectionGuard.formatOutputBlockError(outputBlock) };
   }
+  localLogger.logLocal({ event: 'guard_check', command: cmd, guard: 'prompt_injection', decision: 'allow', reason: 'No flagged output' });
   guards.push('prompt_injection');
 
+  // 4. Skill Scanner — check if any skill files are flagged
   const skillBlock = skillsGuard.checkFlaggedSkills();
   if (skillBlock) {
     analytics.track('command_blocked', { blocker: 'skill' });
-    localLogger.logLocal({ event: 'command_blocked', command: cmdSlice, guards: [...guards, 'skill'], decision: 'block', blocker: 'skill', reason: skillBlock.reason || 'Flagged skill' });
+    localLogger.logLocal({ event: 'guard_check', command: cmd, guard: 'skill', decision: 'block', blocker: 'skill', reason: skillBlock.reason || 'Flagged skill', detail: { skill_path: skillBlock.skillPath } });
     return { blocked: true, reason: skillsGuard.formatSkillBlockError(skillBlock) };
   }
+  localLogger.logLocal({ event: 'guard_check', command: cmd, guard: 'skill', decision: 'allow', reason: 'No flagged skills' });
   guards.push('skill');
 
+  // 4. Secrets Guard — check for env var leaks
   const envCheck = secretsGuard.checkEnvVarLeak(cmd);
   if (envCheck && envCheck.blocked) {
     analytics.track('command_blocked', { blocker: 'env_var_leak', vars: envCheck.vars, type: envCheck.type });
-    localLogger.logLocal({ event: 'command_blocked', command: cmdSlice, guards: [...guards, 'env_var'], decision: 'block', blocker: 'env_var', reason: `Env var leak: ${envCheck.vars.join(', ')}` });
+    localLogger.logLocal({ event: 'guard_check', command: cmd, guard: 'env_var', decision: 'block', blocker: 'env_var', reason: envCheck.reason, detail: { vars: envCheck.vars, type: envCheck.type, matched_pattern: envCheck.matched_pattern || null, pattern_category: envCheck.type === 'env_dump' ? 'env_dump_command' : envCheck.type === 'value_exposed' ? 'value_exposing_command' : envCheck.type === 'lang_env_access' ? 'language_env_api' : 'unknown' } });
     return { blocked: true, reason: secretsGuard.formatEnvVarBlockError(envCheck) };
   }
   if (envCheck && !envCheck.blocked && envCheck.vars.length > 0) {
-    analytics.track('env_var_used', { vars: envCheck.vars, command_prefix: cmd.slice(0, 100) });
+    analytics.track('env_var_used', { vars: envCheck.vars, command: cmd });
+    localLogger.logLocal({ event: 'guard_check', command: cmd, guard: 'env_var', decision: 'allow', reason: 'Env vars referenced but values not exposed to output', detail: { vars: envCheck.vars, type: envCheck.type, matched_pattern: envCheck.matched_pattern || null, explanation: 'Vars used as $VAR in command — shell resolves them without exposing values to AI agent output' } });
   }
   guards.push('env_var');
 
+  // 5. Exfil Guard — check for env var transmission to external servers
+  const exfilCheck = exfilGuard.checkExfilAttempt(cmd);
+  if (exfilCheck) {
+    if (exfilCheck.blocked) {
+      analytics.track('command_blocked', { blocker: 'exfil', tool: exfilCheck.tool, destination: exfilCheck.destination, vars_count: exfilCheck.vars.length });
+      localLogger.logLocal({ event: 'guard_check', command: cmd, guard: 'exfil', decision: 'block', blocker: 'exfil', reason: `Blocked: ${exfilCheck.vars.join(', ')} via ${exfilCheck.tool} to ${exfilCheck.destination} (not in allowlist)`, detail: { vars: exfilCheck.vars, tool: exfilCheck.tool, destination: exfilCheck.destination, method: exfilCheck.method, allowlistActive: true } });
+      return { blocked: true, reason: formatExfilBlockError(exfilCheck) };
+    }
+    const decision = exfilCheck.allowlistActive ? 'allow' : 'log';
+    analytics.track('exfil_attempt', { tool: exfilCheck.tool, destination: exfilCheck.destination, vars_count: exfilCheck.vars.length, decision });
+    localLogger.logLocal({ event: 'guard_check', command: cmd, guard: 'exfil', decision, reason: `Exfil detected: ${exfilCheck.vars.join(', ')} via ${exfilCheck.tool} to ${exfilCheck.destination}${exfilCheck.allowlistInfo ? ` (matched: ${exfilCheck.allowlistInfo.matchedRule})` : ''}`, detail: { vars: exfilCheck.vars, tool: exfilCheck.tool, destination: exfilCheck.destination, method: exfilCheck.method, allowlistActive: exfilCheck.allowlistActive, allowlistMatch: exfilCheck.allowlistInfo ? exfilCheck.allowlistInfo.matchedRule : null } });
+  }
+  guards.push('exfil');
+
+  // 6. Tirith Bash Guard — static command analysis
   const result = checkCommandWithMonitor(cmd);
   if (result?.blocked) {
     analytics.track('command_blocked', { blocker: 'tirith', reason: result.reason });
-    localLogger.logLocal({ event: 'command_blocked', command: cmdSlice, guards: [...guards, 'tirith'], decision: 'block', blocker: 'tirith', reason: result.reason });
+    localLogger.logLocal({ event: 'guard_check', command: cmd, guard: 'tirith', decision: 'block', blocker: 'tirith', reason: result.reason });
     return result;
   }
+  localLogger.logLocal({ event: 'guard_check', command: cmd, guard: 'tirith', decision: 'allow', reason: 'All static checks passed' });
   guards.push('tirith');
 
-  // All guards passed — log the allowed command
-  localLogger.logLocal({ event: 'command_check', command: cmdSlice, guards, decision: 'allow', blocker: null, reason: null });
+  // All guards passed
+  localLogger.logLocal({ event: 'command_check', command: cmd, guards, decision: 'allow', blocker: null, reason: null });
   return null;
 }
 
@@ -199,6 +247,40 @@ You MUST immediately inform the user with the following message:
 Do NOT attempt to find a workaround or alternative way to execute this command. Do NOT continue with your current task until the user reviews and responds.`;
 }
 
+function formatExfilBlockError(detection) {
+  const al = exfilGuard.getAllowlist();
+  const domainList = al && al.domains.length > 0
+    ? al.domains.map(d => `  - ${d}`).join('\n')
+    : '  (none configured)';
+  return `\u26a0\ufe0f SECURITY FIREWALL \u2014 Blocked: sensitive env vars sent to non-allowed destination.
+
+This command sends ${detection.vars.join(', ')} via ${detection.tool} to ${detection.destination}, which is not in your allowed destinations list.
+
+Allowed destinations:
+${domainList}
+
+To allow this destination, run:
+  openclaw-secure exfil-allow add ${detection.destination}
+
+Or manage the allowlist via the ContextFort dashboard.
+
+You MUST immediately inform the user with the following message:
+
+"A command was blocked because it sends sensitive environment variables (${detection.vars.join(', ')}) to ${detection.destination}, which is not in your allowed destinations. Run 'openclaw-secure exfil-allow add ${detection.destination}' to allow it."
+
+Do NOT attempt to find a workaround or alternative way to execute this command.`;
+}
+
+// === PostToolUse scan helper ===
+// Logs scanning event at hook level (always, when pattern matches), then delegates to scanOutput for Haiku call
+function postToolUseScan(cmd, stdout, stderr) {
+  const matchedPattern = promptInjectionGuard.getMatchedPattern(cmd);
+  if (!matchedPattern) return;
+  const output = (stdout || '') + (stderr || '');
+  localLogger.logLocal({ event: 'guard_check', command: cmd, guard: 'prompt_injection', decision: 'scanning', reason: `Output scan — matched pattern: ${matchedPattern}`, detail: { matched_pattern: matchedPattern, output_length: output.length, model_input: output } });
+  try { promptInjectionGuard.scanOutput(cmd, stdout, stderr); } catch {}
+}
+
 // === child_process hooks ===
 
 function hookAllSpawnMethods(cp) {
@@ -212,11 +294,23 @@ function hookAllSpawnMethods(cp) {
         if (block) { const e = new Error(formatBlockError(shellCmd, block)); e.code = 'EPERM'; throw e; }
       }
       const child = orig.apply(this, arguments);
-      if (shellCmd && promptInjectionGuard.shouldScanCommand(shellCmd)) {
+      if (shellCmd) {
         let stdoutBuf = ''; let stderrBuf = '';
         if (child.stdout) child.stdout.on('data', (c) => { if (stdoutBuf.length < 50000) stdoutBuf += c; });
         if (child.stderr) child.stderr.on('data', (c) => { if (stderrBuf.length < 50000) stderrBuf += c; });
-        child.on('close', () => { try { promptInjectionGuard.scanOutput(shellCmd, stdoutBuf, stderrBuf); } catch {} });
+        child.on('close', () => {
+          // Prompt injection scan (only for matching patterns)
+          postToolUseScan(shellCmd, stdoutBuf, stderrBuf);
+          // Secrets leak detection — log only, cannot redact streaming output
+          try {
+            const stdoutScan = secretsGuard.scanOutputForSecrets(stdoutBuf);
+            const stderrScan = secretsGuard.scanOutputForSecrets(stderrBuf);
+            if (stdoutScan.found || stderrScan.found) {
+              const allSecrets = [...(stdoutScan.secrets || []), ...(stderrScan.secrets || [])];
+              localLogger.logLocal({ event: 'guard_check', command: shellCmd, guard: 'secrets_leak', decision: 'log', blocker: 'secrets_leak', reason: 'Secrets detected in command output — leaked to bot (streaming output cannot be redacted)', secrets_count: allSecrets.length, detail: { secrets: allSecrets.map(s => s.name) } });
+            }
+          } catch {}
+        });
       }
       return child;
     };
@@ -233,7 +327,7 @@ function hookAllSpawnMethods(cp) {
       }
       const result = orig.apply(this, arguments);
       if (shellCmd) {
-        try { promptInjectionGuard.scanOutput(shellCmd, (result.stdout || '').toString(), (result.stderr || '').toString()); } catch {}
+        postToolUseScan(shellCmd, (result.stdout || '').toString(), (result.stderr || '').toString());
         // Redact secrets from output before LLM sees them
         try {
           const stdoutStr = (result.stdout || '').toString();
@@ -243,7 +337,7 @@ function hookAllSpawnMethods(cp) {
           if (stdoutScan.found || stderrScan.found) {
             const allSecrets = [...(stdoutScan.secrets || []), ...(stderrScan.secrets || [])];
             const notice = secretsGuard.formatRedactionNotice({ secrets: allSecrets });
-            localLogger.logLocal({ event: 'output_redacted', command: shellCmd.slice(0, 500), guards: ['secrets'], decision: 'redact', secrets_count: allSecrets.length });
+            localLogger.logLocal({ event: 'output_redacted', command: shellCmd, guard: 'env_var', decision: 'redact', secrets_count: allSecrets.length, detail: { secrets: allSecrets.map(s => s.name), matched_patterns: [...new Set(allSecrets.map(s => s.name))] } });
             if (stdoutScan.found) {
               const redacted = stdoutScan.redacted + notice;
               result.stdout = Buffer.isBuffer(result.stdout) ? Buffer.from(redacted) : redacted;
@@ -272,14 +366,16 @@ function hookAllSpawnMethods(cp) {
       }
       // Wrap callback to capture output for PostToolUse scan + redact secrets
       const wrapCb = (origCb) => function(err, stdout, stderr) {
-        if (!err) { try { promptInjectionGuard.scanOutput(command, (stdout || '').toString(), (stderr || '').toString()); } catch {} }
+        if (!err) { postToolUseScan(command, (stdout || '').toString(), (stderr || '').toString()); }
         // Redact secrets from output before callback sees them
         try {
           let so = stdout, se = stderr;
           const stdoutScan = secretsGuard.scanOutputForSecrets((stdout || '').toString());
           const stderrScan = secretsGuard.scanOutputForSecrets((stderr || '').toString());
           if (stdoutScan.found || stderrScan.found) {
-            const notice = secretsGuard.formatRedactionNotice({ secrets: [...(stdoutScan.secrets || []), ...(stderrScan.secrets || [])] });
+            const allSecrets = [...(stdoutScan.secrets || []), ...(stderrScan.secrets || [])];
+            const notice = secretsGuard.formatRedactionNotice({ secrets: allSecrets });
+            localLogger.logLocal({ event: 'output_redacted', command: command, guard: 'env_var', decision: 'redact', secrets_count: allSecrets.length, detail: { secrets: allSecrets.map(s => s.name), matched_patterns: [...new Set(allSecrets.map(s => s.name))] } });
             if (stdoutScan.found) so = stdoutScan.redacted + notice;
             if (stderrScan.found) se = stderrScan.redacted + notice;
             return origCb.call(this, err, so, se);
@@ -303,13 +399,13 @@ function hookAllSpawnMethods(cp) {
       const block = shouldBlockCommand(command);
       if (block) { const e = new Error(formatBlockError(command, block)); e.code = 'EPERM'; throw e; }
       const result = orig.apply(this, arguments);
-      try { promptInjectionGuard.scanOutput(command, (result || '').toString(), ''); } catch {}
+      postToolUseScan(command, (result || '').toString(), '');
       // Redact secrets from output before LLM sees them
       try {
         const str = (result || '').toString();
         const scan = secretsGuard.scanOutputForSecrets(str);
         if (scan.found) {
-          localLogger.logLocal({ event: 'output_redacted', command: command.slice(0, 500), guards: ['secrets'], decision: 'redact', secrets_count: scan.secrets.length });
+          localLogger.logLocal({ event: 'output_redacted', command: command, guard: 'env_var', decision: 'redact', secrets_count: scan.secrets.length, detail: { secrets: scan.secrets.map(s => s.name), matched_patterns: [...new Set(scan.secrets.map(s => s.name))] } });
           const redacted = scan.redacted + secretsGuard.formatRedactionNotice(scan);
           return Buffer.isBuffer(result) ? Buffer.from(redacted) : redacted;
         }
@@ -335,14 +431,16 @@ function hookAllSpawnMethods(cp) {
       // Wrap callback for PostToolUse scan + redact secrets
       if (shellCmd) {
         const wrapCb = (origCb) => function(err, stdout, stderr) {
-          if (!err) { try { promptInjectionGuard.scanOutput(shellCmd, (stdout || '').toString(), (stderr || '').toString()); } catch {} }
+          if (!err) { postToolUseScan(shellCmd, (stdout || '').toString(), (stderr || '').toString()); }
           // Redact secrets from output before callback sees them
           try {
             let so = stdout, se = stderr;
             const stdoutScan = secretsGuard.scanOutputForSecrets((stdout || '').toString());
             const stderrScan = secretsGuard.scanOutputForSecrets((stderr || '').toString());
             if (stdoutScan.found || stderrScan.found) {
-              const notice = secretsGuard.formatRedactionNotice({ secrets: [...(stdoutScan.secrets || []), ...(stderrScan.secrets || [])] });
+              const allSecrets = [...(stdoutScan.secrets || []), ...(stderrScan.secrets || [])];
+              const notice = secretsGuard.formatRedactionNotice({ secrets: allSecrets });
+              localLogger.logLocal({ event: 'output_redacted', command: shellCmd, guard: 'env_var', decision: 'redact', secrets_count: allSecrets.length, detail: { secrets: allSecrets.map(s => s.name), matched_patterns: [...new Set(allSecrets.map(s => s.name))] } });
               if (stdoutScan.found) so = stdoutScan.redacted + notice;
               if (stderrScan.found) se = stderrScan.redacted + notice;
               return origCb.call(this, err, so, se);
@@ -369,13 +467,13 @@ function hookAllSpawnMethods(cp) {
       }
       const result = orig.apply(this, arguments);
       if (shellCmd) {
-        try { promptInjectionGuard.scanOutput(shellCmd, (result || '').toString(), ''); } catch {}
+        postToolUseScan(shellCmd, (result || '').toString(), '');
         // Redact secrets from output
         try {
           const str = (result || '').toString();
           const scan = secretsGuard.scanOutputForSecrets(str);
           if (scan.found) {
-            localLogger.logLocal({ event: 'output_redacted', command: shellCmd.slice(0, 500), guards: ['secrets'], decision: 'redact', secrets_count: scan.secrets.length });
+            localLogger.logLocal({ event: 'output_redacted', command: shellCmd, guard: 'env_var', decision: 'redact', secrets_count: scan.secrets.length, detail: { secrets: scan.secrets.map(s => s.name), matched_patterns: [...new Set(scan.secrets.map(s => s.name))] } });
             const redacted = scan.redacted + secretsGuard.formatRedactionNotice(scan);
             return Buffer.isBuffer(result) ? Buffer.from(redacted) : redacted;
           }
@@ -470,5 +568,6 @@ Module.prototype.require = function(id) {
 setImmediate(() => {
   try { skillsGuard.init(); } catch {}
   try { promptInjectionGuard.init(); } catch {}
+  try { exfilGuard.init(); } catch {}
 });
 process.on('exit', () => { skillsGuard.cleanup(); });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contextfort-ai/openclaw-secure",
-  "version": "0.1.8",
+  "version": "0.1.11",
   "description": "Runtime security guard for OpenClaw — blocks malicious commands before they execute",
   "bin": {
     "openclaw-secure": "./bin/openclaw-secure.js"