@gendigital/sage 0.4.0

package/openclaw.plugin.json

@@ -0,0 +1,14 @@
+{
+  "id": "sage",
+  "name": "Sage",
+  "version": "0.4.0",
+  "description": "Safety for Agents — ADR layer that guards commands, files, and web requests",
+  "skills": [
+    "resources/skills/security-awareness"
+  ],
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {}
+  }
+}

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "@gendigital/sage",
+  "license": "Apache-2.0",
+  "version": "0.4.0",
+  "type": "module",
+  "description": "Safety for Agents — ADR layer for OpenClaw",
+  "main": "./dist/index.cjs",
+  "files": [
+    "dist/**",
+    "resources/**",
+    "openclaw.plugin.json",
+    "package.json",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "pnpm -C ../core build && pnpm run clean && pnpm run sync:assets && node esbuild.config.js",
+    "clean": "node -e \"require('node:fs').rmSync('dist',{recursive:true,force:true});require('node:fs').rmSync('resources',{recursive:true,force:true})\"",
+    "sync:assets": "node scripts/sync-assets.mjs",
+    "test": "vitest run"
+  },
+  "devDependencies": {
+    "@sage/core": "workspace:*",
+    "@types/node": "^22.0.0",
+    "esbuild": "^0.25.0",
+    "typescript": "^5.9.0",
+    "vitest": "^4.0.0"
+  },
+  "openclaw": {
+    "extensions": [
+      "./dist/index.cjs"
+    ]
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/resources/allowlists/trusted-installer-domains.yaml

@@ -0,0 +1,55 @@
+# Trusted installer domains for Sage
+#
+# Pipe-to-shell commands (curl | bash) targeting these domains are suppressed
+# from CLT-CMD-001, CLT-CMD-002, CLT-SUPPLY-001, and CLT-SUPPLY-004 heuristic matches.
+#
+# Only dedicated installer endpoints are listed here — generic hosting
+# platforms (e.g. raw.githubusercontent.com) are deliberately excluded.
+#
+# Format: list of {domain, reason} entries. Domains are matched by suffix
+# with dot boundary (e.g. "bun.sh" matches "cdn.bun.sh" but not "notbun.sh").
+
+- domain: bun.sh
+  reason: Bun JavaScript runtime installer
+
+- domain: astral.sh
+  reason: Astral tools (uv, ruff) installer
+
+- domain: brew.sh
+  reason: Homebrew package manager installer
+
+- domain: sh.rustup.rs
+  reason: Rust toolchain installer (rustup)
+
+- domain: rustup.rs
+  reason: Rust toolchain installer (alternate domain)
+
+- domain: get.docker.com
+  reason: Docker installer
+
+- domain: install.python-poetry.org
+  reason: Python Poetry installer
+
+- domain: get.volta.sh
+  reason: Volta Node.js version manager installer
+
+- domain: volta.sh
+  reason: Volta Node.js version manager (alternate domain)
+
+- domain: get.sdkman.io
+  reason: SDKMAN JVM toolchain manager installer
+
+- domain: pyenv.run
+  reason: pyenv Python version manager installer
+
+- domain: deno.land
+  reason: Deno runtime installer
+
+- domain: get.pnpm.io
+  reason: pnpm package manager installer
+
+- domain: nodesource.com
+  reason: Node.js binary distribution installer
+
+- domain: ohmyz.sh
+  reason: Oh My Zsh shell framework installer

package/resources/skills/security-awareness/SKILL.md

@@ -0,0 +1,59 @@
+---
+name: security-awareness
+description: "Security best practices for safe command execution, URL handling, credential management, and supply chain safety. Guidance on avoiding common attack vectors like reverse shells, command injection, and malware distribution."
+user-invocable: false
+disable-model-invocation: false
+---
+
+# Security Awareness
+
+You are working in an environment protected by Sage, a security plugin. Be mindful of these security considerations when executing commands and fetching URLs.
+
+## Remote Code Execution
+
+- **Never pipe untrusted content to a shell** (`curl | bash`, `wget | sh`). Always download first, inspect, then execute.
+- Avoid `eval()` on untrusted input in any language.
+- Be cautious with `source` or `.` commands on remote scripts.
+
+## Malware Distribution Vectors
+
+- Executables downloaded from the internet (`.exe`, `.msi`, `.bat`, `.ps1`, `.scr`) should be treated as potentially malicious.
+- Raw paste sites (pastebin.com/raw, paste.ee/r) are commonly used to host payloads and C2 commands.
+- Direct IP address URLs (e.g., `http://192.168.1.1/payload`) may indicate C2 infrastructure.
+
+## Command Injection Patterns
+
+- Watch for reverse shell patterns: `/dev/tcp/`, `nc -e`, `bash -i >& /dev/`.
+- Destructive commands like `rm -rf /`, `mkfs`, `dd if=`, and `shred` can cause irreversible data loss.
+- Be wary of download-and-execute chains: `curl ... && chmod +x && ./`.
+
+## Supply Chain Security
+
+- Verify package names carefully — typosquatting is common (e.g., `colourama` vs `colorama`).
+- Check package popularity and maintenance status before installing.
+- Prefer pinned versions over latest/wildcard versions.
+- Review post-install scripts when possible.
+
+## Credential Handling
+
+- Never hardcode secrets, API keys, or passwords in source code.
+- Use environment variables or secret managers for sensitive values.
+- Never commit `.env` files, credentials, or private keys to version control.
+- Be cautious with commands that read or transmit sensitive files (`/etc/passwd`, `.ssh/`, `id_rsa`).
+
+## Safe URL Handling
+
+- Prefer HTTPS over HTTP for all external requests.
+- Validate URLs before fetching — check the domain is expected.
+- Be cautious with URL redirects that might lead to malicious destinations.
+- Don't fetch URLs from untrusted sources without verification.
+
+## File Permissions
+
+- Avoid `chmod 777` — use the minimum permissions needed.
+- Be cautious with `NOPASSWD` in sudoers configurations.
+- Don't create world-writable files or directories in shared locations.
+
+## Sage Flagged Actions
+
+When Sage flags a tool call (as opposed to blocking it outright), you **must** present the details to the user and wait for their explicit approval before calling `sage_approve`. Never auto-approve a flagged action on your own — the user must decide.

package/resources/threats/LICENSE

@@ -0,0 +1,45 @@
+Detection Rule License (DRL) 1.1
+
+Copyright 2026 Gen Digital Inc.
+
+Default author for all rules in this directory: Gen Digital Inc.
+Individual rules may specify a different author in their "author" field.
+
+---
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this rule set and associated documentation files (the "Rules"), to deal in
+the Rules without restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Rules, and to permit persons to whom the Rules are furnished to do so,
+subject to the following conditions:
+
+If you share the Rules (including in modified form), you must retain the
+following if it is supplied within the Rules:
+
+1. identification of the authors(s) ("author" field) of the Rule and any
+   others designated to receive attribution, in any reasonable manner
+   requested by the Rule author (including by pseudonym if designated).
+
+2. a URI or hyperlink to the Rule set or explicit Rule to the extent
+   reasonably practicable
+
+3. indicate the Rules are licensed under this Detection Rule License, and
+   include the text of, or the URI or hyperlink to, this Detection Rule
+   License to the extent reasonably practicable
+
+If you use the Rules (including in modified form) on data, messages based on
+matches with the Rules must retain the following if it is supplied within the
+Rules:
+
+1. identification of the authors(s) ("author" field) of the Rule and any
+   others designated to receive attribution, in any reasonable manner
+   requested by the Rule author (including by pseudonym if designated).
+
+THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE
+RULES.

package/resources/threats/commands.yaml

@@ -0,0 +1,257 @@
+# Command threat patterns for Sage
+# Author: Gen Digital Inc.
+# License: DRL-1.1 (see threats/LICENSE)
+# Schema: id, category, severity, confidence, action, pattern, match_on, title, expires_at, revoked
+
+# --- Pipe to shell (Remote Code Execution) ---
+- id: "CLT-CMD-001"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "curl\\s[^|]*\\|\\s*(bash|sh|zsh|ksh|dash)"
+  match_on: command
+  title: "Remote code execution via curl pipe to shell"
+  expires_at: null
+  revoked: false
+
+- id: "CLT-CMD-002"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "wget\\s[^|]*\\|\\s*(bash|sh|zsh|ksh|dash)"
+  match_on: command
+  title: "Remote code execution via wget pipe to shell"
+  expires_at: null
+  revoked: false
+
+# --- Reverse shells ---
+- id: "CLT-CMD-003"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "/dev/tcp/"
+  match_on: command
+  title: "Reverse shell via /dev/tcp"
+  expires_at: null
+  revoked: false
+
+- id: "CLT-CMD-004"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "\\bnc\\b.*\\s-e\\s"
+  match_on: command
+  title: "Reverse shell via netcat -e"
+  expires_at: null
+  revoked: false
+
+- id: "CLT-CMD-005"
+  category: tool
+  severity: critical
+  confidence: 0.85
+  action: block
+  pattern: "bash\\s+-i\\s+>\\s*&\\s*/dev/"
+  match_on: command
+  title: "Interactive reverse shell via bash"
+  expires_at: null
+  revoked: false
+
+# --- Destructive operations ---
+- id: "CLT-CMD-006"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\brm\\s+(-[a-zA-Z]*f[a-zA-Z]*\\s+)?(-[a-zA-Z]*r[a-zA-Z]*\\s+)?/\\s*$|\\brm\\s+(-[a-zA-Z]*r[a-zA-Z]*\\s+)?(-[a-zA-Z]*f[a-zA-Z]*\\s+)?/\\s*$|\\brm\\s+-[a-zA-Z]*rf[a-zA-Z]*\\s+/"
+  match_on: command
+  title: "Recursive forced deletion from root"
+  expires_at: null
+  revoked: false
+
+- id: "CLT-CMD-007"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\bmkfs\\b"
+  match_on: command
+  title: "Filesystem format command"
+  expires_at: null
+  revoked: false
+
+- id: "CLT-CMD-008"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: block
+  pattern: "\\bdd\\s+if=.*of=/dev/"
+  match_on: command
+  title: "Direct disk write via dd"
+  expires_at: null
+  revoked: false
+
+- id: "CLT-CMD-009"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "\\bshred\\b"
+  match_on: command
+  title: "Secure file destruction via shred"
+  expires_at: null
+  revoked: false
+
+# --- Download + execute chains ---
+- id: "CLT-CMD-010"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "(curl|wget)\\s[^&]*&&\\s*chmod\\s+\\+x"
+  match_on: command
+  title: "Download and execute chain"
+  expires_at: null
+  revoked: false
+
+# --- Privilege escalation ---
+- id: "CLT-CMD-011"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "\\bchmod\\s+777\\b"
+  match_on: command
+  title: "Overly permissive file permissions"
+  expires_at: null
+  revoked: false
+
+- id: "CLT-CMD-012"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "NOPASSWD"
+  match_on: command
+  title: "Passwordless sudo configuration"
+  expires_at: null
+  revoked: false
+
+# --- Data exfiltration ---
+- id: "CLT-CMD-013"
+  category: network_egress
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "curl\\s[^|;]*(-d|--data|--data-binary)\\s\\S*(/etc/passwd|/etc/shadow|\\.ssh/|id_rsa|credentials|secrets)"
+  match_on: command
+  title: "Possible data exfiltration of sensitive files"
+  expires_at: null
+  revoked: false
+
+# --- Privileged pipe to shell ---
+- id: "CLT-CMD-014"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\bsudo\\s+(curl|wget)\\s[^|]*\\|\\s*(bash|sh|zsh|ksh|dash)"
+  match_on: command
+  title: "Privileged pipe-to-shell (sudo curl/wget piped to shell)"
+  expires_at: null
+  revoked: false
+
+# --- Python one-liner with dangerous imports ---
+- id: "CLT-CMD-015"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "python[3]?\\s+-c\\s+[\"'][^\"']*\\b(os\\.system|subprocess|os\\.exec|os\\.popen|__import__)\\b"
+  match_on: command
+  title: "Python one-liner with dangerous imports"
+  expires_at: null
+  revoked: false
+
+# --- Indirect execution patterns ---
+- id: "CLT-CMD-016"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "\\bbash\\s+<\\(\\s*(curl|wget)\\b"
+  match_on: command
+  title: "Process substitution executing remote content"
+  expires_at: null
+  revoked: false
+
+- id: "CLT-CMD-017"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: block
+  pattern: "\\beval\\b[^;|]*\\b(curl|wget)\\b"
+  match_on: command
+  title: "Eval executing remote download command"
+  expires_at: null
+  revoked: false
+
+- id: "CLT-CMD-018"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: block
+  pattern: "\\bxargs\\b[^|;]*\\b(curl|wget|bash|sh)\\b"
+  match_on: command
+  title: "xargs dispatching download or shell execution"
+  expires_at: null
+  revoked: false
+
+- id: "CLT-CMD-019"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: block
+  pattern: "\\bfind\\b[^|;]*-exec\\s+(bash|sh|curl|wget)\\b"
+  match_on: command
+  title: "find -exec executing shell or download commands"
+  expires_at: null
+  revoked: false
+
+# --- DNS exfiltration ---
+- id: "CLT-CMD-020"
+  category: network_egress
+  severity: high
+  confidence: 0.80
+  action: block
+  pattern: "\\b(nslookup|dig|host)\\b[^|;]*\\$\\([^)]+\\)\\.[a-zA-Z]"
+  match_on: command
+  title: "DNS exfiltration via command substitution as subdomain label"
+  expires_at: null
+  revoked: false
+
+- id: "CLT-CMD-021"
+  category: network_egress
+  severity: high
+  confidence: 0.80
+  action: block
+  pattern: "\\b(nslookup|dig|host)\\b[^|;]*`[^`]+`\\.[a-zA-Z]"
+  match_on: command
+  title: "DNS exfiltration via backtick substitution as subdomain label"
+  expires_at: null
+  revoked: false
+
+# --- Loop-based indirect execution ---
+- id: "CLT-CMD-022"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: block
+  pattern: "\\b(while|for)\\b[^;]*;\\s*do[^;]*\\b(bash|sh|curl|wget)\\b"
+  match_on: command
+  title: "Loop executing shell or download commands"
+  expires_at: null
+  revoked: false

package/resources/threats/credentials.yaml

@@ -0,0 +1,75 @@
+# Credential exposure threat patterns for Sage
+# Author: Gen Digital Inc.
+# License: DRL-1.1 (see threats/LICENSE)
+
+# --- Known API key prefixes ---
+- id: "CLT-CRED-001"
+  category: secrets
+  severity: critical
+  confidence: 0.80
+  action: block
+  pattern: "(sk-[a-zA-Z0-9_-]{20,}|sk-proj-[a-zA-Z0-9_-]{20,}|AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z_-]{35}|ghp_[0-9a-zA-Z]{36}|gho_[0-9a-zA-Z]{36}|glpat-[0-9a-zA-Z_-]{20,}|xox[baprs]-[0-9a-zA-Z-]+)"
+  match_on: [command, content]
+  title: "Known API key prefix detected"
+  expires_at: null
+  revoked: false
+
+# --- Export of credential env vars ---
+- id: "CLT-CRED-002"
+  category: secrets
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "\\bexport\\s+[A-Z_]*(API_KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL|AUTH)[A-Z_]*="
+  match_on: command
+  title: "Export of environment variable with credential keyword"
+  expires_at: null
+  revoked: false
+
+# --- .env file writes ---
+- id: "CLT-CRED-003"
+  category: secrets
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(>>|>)\\s*\\.env(\\.local|\\.production|\\.staging|\\.development)?\\b"
+  match_on: command
+  title: "Write/append to .env file (potential credential exposure)"
+  expires_at: null
+  revoked: false
+
+# --- Reading credential files ---
+- id: "CLT-CRED-004"
+  category: secrets
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "\\b(cat|less|more|head|tail)\\s+.*(\\.(env|env\\.local|env\\.production)|credentials|\\.aws/credentials|\\.ssh/id_rsa|\\.ssh/id_ed25519|\\.netrc|\\.pgpass)"
+  match_on: command
+  title: "Reading credential or secret file"
+  expires_at: null
+  revoked: false
+
+# --- Plaintext credential assignment ---
+- id: "CLT-CRED-005"
+  category: secrets
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "\\b(PASSWORD|API_SECRET|SECRET_KEY|PRIVATE_KEY|DB_PASSWORD|MYSQL_PASSWORD|POSTGRES_PASSWORD)=[\"']?[^\\s\"']{8,}"
+  match_on: [command, content]
+  title: "Plaintext credential assignment detected"
+  expires_at: null
+  revoked: false
+
+# --- Long-form API key patterns ---
+- id: "CLT-CRED-006"
+  category: secrets
+  severity: critical
+  confidence: 0.92
+  action: block
+  pattern: "(github_pat_[0-9a-zA-Z_]{22,}|SG\\.[0-9a-zA-Z_-]{22,}\\.[0-9a-zA-Z_-]{22,}|pk_live_[0-9a-zA-Z]{24,}|sk_live_[0-9a-zA-Z]{24,}|rk_live_[0-9a-zA-Z]{24,})"
+  match_on: [command, content]
+  title: "Long-form API key pattern detected (GitHub PAT, SendGrid, Stripe)"
+  expires_at: null
+  revoked: false

package/resources/threats/files.yaml

@@ -0,0 +1,112 @@
+# Sensitive file path threat patterns for Sage
+# Author: Gen Digital Inc.
+# License: DRL-1.1 (see threats/LICENSE)
+# Detects Write/Edit operations targeting security-sensitive files
+
+# --- System auth files ---
+- id: "CLT-FILE-001"
+  category: secrets
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "(/etc/passwd|/etc/shadow|/etc/sudoers)"
+  match_on: file_path
+  title: "Write to system authentication file"
+  expires_at: null
+  revoked: false
+
+# --- SSH authorized_keys ---
+- id: "CLT-FILE-002"
+  category: secrets
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\.ssh/authorized_keys"
+  match_on: file_path
+  title: "Write to SSH authorized_keys (unauthorized access persistence)"
+  expires_at: null
+  revoked: false
+
+# --- SSH private keys and config ---
+- id: "CLT-FILE-003"
+  category: secrets
+  severity: high
+  confidence: 0.90
+  action: require_approval
+  pattern: "\\.ssh/(id_rsa|id_ed25519|id_ecdsa|id_dsa|config)$"
+  match_on: file_path
+  title: "Write to SSH key or config file"
+  expires_at: null
+  revoked: false
+
+# --- Shell RC files ---
+- id: "CLT-FILE-004"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "\\.(bashrc|zshrc|profile|bash_profile|zprofile|zshenv)$"
+  match_on: file_path
+  title: "Write to shell RC file (persistence mechanism)"
+  expires_at: null
+  revoked: false
+
+# --- macOS LaunchAgents/LaunchDaemons ---
+- id: "CLT-FILE-005"
+  category: tool
+  severity: high
+  confidence: 0.90
+  action: block
+  pattern: "(LaunchAgents|LaunchDaemons)/.*\\.plist$"
+  match_on: file_path
+  title: "Write to macOS LaunchAgent/LaunchDaemon plist"
+  expires_at: null
+  revoked: false
+
+# --- Cron directories ---
+- id: "CLT-FILE-006"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "(/etc/cron\\.(d|daily|hourly|weekly|monthly)/|/var/spool/cron/)"
+  match_on: file_path
+  title: "Write to cron directory"
+  expires_at: null
+  revoked: false
+
+# --- systemd unit files ---
+- id: "CLT-FILE-007"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "/etc/systemd/system/"
+  match_on: file_path
+  title: "Write to systemd service unit file"
+  expires_at: null
+  revoked: false
+
+# --- Credential/env files ---
+- id: "CLT-FILE-008"
+  category: secrets
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "(\\.env(\\.local|\\.production|\\.staging|\\.development)?|\\.aws/credentials|\\.netrc|\\.pgpass)$"
+  match_on: file_path
+  title: "Write to credential or environment file"
+  expires_at: null
+  revoked: false
+
+# --- Git hooks ---
+- id: "CLT-FILE-009"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "\\.git/hooks/"
+  match_on: file_path
+  title: "Write to git hook (potential code execution on git events)"
+  expires_at: null
+  revoked: false