@guava-parity/guard-scanner 13.0.0 → 16.0.0

package/docs/rules/supply-chain-v2.md

@@ -0,0 +1,92 @@
+# Threat Category: supply-chain-v2
+
+This document provides explainability for all rules in the `supply-chain-v2` category.
+
+## Rule: `SUPPLY_TYPOSQUAT_NPM`
+- **Severity**: HIGH
+- **Description**: Supply chain: NPM typosquatting of popular packages
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SUPPLY_STAR_VERSION`
+- **Severity**: HIGH
+- **Description**: Supply chain: wildcard/latest version in package.json (unpinned deps)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SUPPLY_POSTINSTALL_RCE`
+- **Severity**: CRITICAL
+- **Description**: Supply chain: lifecycle script with shell execution
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SUPPLY_GIT_DEPENDENCY`
+- **Severity**: MEDIUM
+- **Description**: Supply chain: git-based dependency (bypasses registry vetting)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SUPPLY_LOCKFILE_MISMATCH`
+- **Severity**: LOW
+- **Description**: Supply chain: lockfile integrity hash (verify not tampered)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SUPPLY_NODE_PRELOAD`
+- **Severity**: HIGH
+- **Description**: Supply chain: Node.js preload injection via --require flag
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SUPPLY_PIP_INDEX`
+- **Severity**: HIGH
+- **Description**: Supply chain: pip installing from non-standard index
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SUPPLY_CARGO_PATCH`
+- **Severity**: MEDIUM
+- **Description**: Supply chain: Cargo [patch] section pointing to non-official repo
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SUPPLY_EXTENSION_SIDELOAD`
+- **Severity**: HIGH
+- **Description**: Supply chain: IDE extension sideloading (VSIX/unpacked)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SUPPLY_HUGGINGFACE_PICKLE`
+- **Severity**: CRITICAL
+- **Description**: Supply chain: HuggingFace model loading with trust_remote_code or pickle deserialization
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CLAWHAVOC_CRYPTO_THEFT`
+- **Severity**: CRITICAL
+- **Description**: ClawHavoc malware crypto key exfiltration
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/suspicious-download.md

@@ -0,0 +1,60 @@
+# Threat Category: suspicious-download
+
+This document provides explainability for all rules in the `suspicious-download` category.
+
+## Rule: `DL_CURL_BASH`
+- **Severity**: CRITICAL
+- **Description**: Pipe download to shell
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DL_EXE`
+- **Severity**: CRITICAL
+- **Description**: Download executable/archive
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DL_GITHUB_RELEASE`
+- **Severity**: MEDIUM
+- **Description**: GitHub release download
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DL_PASSWORD_ZIP`
+- **Severity**: CRITICAL
+- **Description**: Password-protected archive (evasion technique)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `PREREQ_DOWNLOAD`
+- **Severity**: CRITICAL
+- **Description**: Download in prerequisites
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `PREREQ_PASTE`
+- **Severity**: HIGH
+- **Description**: Terminal paste instruction
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SLOPSQUATTING_INSTALL`
+- **Severity**: HIGH
+- **Description**: Slopsquatting: AI-themed package install (potential hallucinated package)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/trust-boundary.md

@@ -0,0 +1,76 @@
+# Threat Category: trust-boundary
+
+This document provides explainability for all rules in the `trust-boundary` category.
+
+## Rule: `TRUST_CALENDAR_EXEC`
+- **Severity**: CRITICAL
+- **Description**: Trust boundary: calendar → code execution
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `TRUST_EMAIL_EXEC`
+- **Severity**: CRITICAL
+- **Description**: Trust boundary: email → code execution
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `TRUST_WEB_EXEC`
+- **Severity**: HIGH
+- **Description**: Trust boundary: web content → code execution
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `TRUST_NOSANDBOX`
+- **Severity**: HIGH
+- **Description**: Trust boundary: sandbox disabled
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `FORCEDLEAK_SALESFORCE`
+- **Severity**: CRITICAL
+- **Description**: ForcedLeak: Salesforce Agentforce CRM exfiltration via IDPI
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `TRUST_CALENDAR_AI`
+- **Severity**: CRITICAL
+- **Description**: AI Browser trust boundary: calendar invite → code/data action (Zenity Labs)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `TRUST_AGENTIC_BROWSER_PI`
+- **Severity**: CRITICAL
+- **Description**: PleaseFix: Agentic browser navigate → action chain (Zenity Labs zero-click)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `AGENTIC_BROWSER_EXFIL_CHAIN`
+- **Severity**: CRITICAL
+- **Description**: Agentic browser exfiltration: navigate → data leak (PleaseFix/PerplexedBrowser)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SURVIVABILITY_CERT_GAP`
+- **Severity**: HIGH
+- **Description**: Survivability certification gap: agent deployed without adversarial safety certification
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/trust-exploitation.md

@@ -0,0 +1,92 @@
+# Threat Category: trust-exploitation
+
+This document provides explainability for all rules in the `trust-exploitation` category.
+
+## Rule: `TRUST_AUTHORITY_CLAIM`
+- **Severity**: HIGH
+- **Description**: Trust: authority role claim to override safety
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `TRUST_CREATOR_CLAIM`
+- **Severity**: CRITICAL
+- **Description**: Trust: creator impersonation to disable safety
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `TRUST_AUDIT_EXCUSE`
+- **Severity**: CRITICAL
+- **Description**: Trust: fake audit excuse for safety bypass
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `TRUST_PARTNER_EXPLOIT`
+- **Severity**: CRITICAL
+- **Description**: Trust exploitation: weaponizing partnership trust
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `TRUST_UNCONDITIONAL`
+- **Severity**: HIGH
+- **Description**: Trust exploitation: unconditional trust demand
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `TRUST_COMPLY_DEMAND`
+- **Severity**: HIGH
+- **Description**: Trust: compliance demand without question
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_2025_12420_SERVICENOW`
+- **Severity**: CRITICAL
+- **Description**: CVE-2025-12420: ServiceNow Now Assist unauthenticated impersonation via IDPI
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `AUTO_REFINE_WALLET_TAMPER`
+- **Severity**: HIGH
+- **Description**: Agent Wallet/Funding Destination Tampering
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MOLTBOOK_CRYPTO_PUMP`
+- **Severity**: CRITICAL
+- **Description**: Moltbook crypto pump: AI-to-AI coordinated market manipulation scheme
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DISTILLATION_EXTRACTION`
+- **Severity**: HIGH
+- **Description**: Model distillation/extraction attack: systematic capability theft
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_CODEX_SECURITY_AGENT`
+- **Severity**: CRITICAL
+- **Description**: OpenAI Codex Security agent impersonation: AI agent PR/commit injection pretending to be official security tool
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/unverifiable-deps.md

@@ -0,0 +1,84 @@
+# Threat Category: unverifiable-deps
+
+This document provides explainability for all rules in the `unverifiable-deps` category.
+
+## Rule: `DEP_REMOTE_IMPORT`
+- **Severity**: HIGH
+- **Description**: Remote dynamic import
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DEP_REMOTE_SCRIPT`
+- **Severity**: MEDIUM
+- **Description**: Remote script loading
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DEPS_PHANTOM_IMPORT`
+- **Severity**: LOW
+- **Description**: Dependency: unscoped package import (verify existence)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DEPS_HTTP_IMPORT`
+- **Severity**: CRITICAL
+- **Description**: Dependency: HTTP URL import (unverifiable, MITM risk)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DEPS_DYNAMIC_REQUIRE`
+- **Severity**: HIGH
+- **Description**: Dependency: dynamic require with non-literal module spec
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DEPS_CDN_UNPINNED`
+- **Severity**: HIGH
+- **Description**: Dependency: CDN import without pinned version
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DEPS_WASM_UNSIGNED`
+- **Severity**: HIGH
+- **Description**: Dependency: unsigned WASM module loading
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DEPS_SUBRESOURCE_NOINT`
+- **Severity**: MEDIUM
+- **Description**: Dependency: external script without subresource integrity
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DEPS_GO_REPLACE`
+- **Severity**: MEDIUM
+- **Description**: Dependency: Go module replace directive to non-standard path
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DEPS_AUTO_UPDATE`
+- **Severity**: HIGH
+- **Description**: Dependency: auto-merge policy for dependency updates (supply chain risk)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/vdb-injection.md

@@ -0,0 +1,84 @@
+# Threat Category: vdb-injection
+
+This document provides explainability for all rules in the `vdb-injection` category.
+
+## Rule: `VDB_NOSQL_INJECT`
+- **Severity**: CRITICAL
+- **Description**: Vector DB/NoSQL injection via caller input
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `VDB_EMBEDDING_INJECT`
+- **Severity**: CRITICAL
+- **Description**: VectorDB: embedding injection with hidden instructions
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `VDB_SIMILARITY_POISON`
+- **Severity**: HIGH
+- **Description**: VectorDB: similarity score manipulation via adversarial embeddings
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `VDB_METADATA_INJECT`
+- **Severity**: CRITICAL
+- **Description**: VectorDB: metadata field injection with system-level instructions
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `VDB_CHUNK_BOUNDARY`
+- **Severity**: HIGH
+- **Description**: VectorDB: chunk boundary exploitation to hide payloads
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `VDB_INDEX_CORRUPT`
+- **Severity**: CRITICAL
+- **Description**: VectorDB: index corruption via destructive operations
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `VDB_QUERY_INJECT`
+- **Severity**: CRITICAL
+- **Description**: VectorDB: NoSQL/SQL injection in vector query parameters
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `VDB_CROSS_TENANT`
+- **Severity**: HIGH
+- **Description**: VectorDB: cross-tenant access via namespace manipulation
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `VDB_RETRIEVAL_AMPLIFY`
+- **Severity**: MEDIUM
+- **Description**: VectorDB: retrieval amplification via oversized top_k
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `OPENCLAW_MEMORY_POISONING`
+- **Severity**: CRITICAL
+- **Description**: OpenClaw Security Monitor Memory Poisoning Evasion
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/security-vulnerability-report-20260312.md

@@ -0,0 +1,53 @@
+# guard-scanner Vulnerability Report
+
+Date: 2026-03-12
+Scope: dependency and public-surface checks after OpenClaw compatibility work
+
+## Executive summary
+
+Application-level compatibility checks pass, and the latest-version watchdog confirms parity between npm and GitHub Releases for `openclaw@2026.3.8`, but `npm audit --json` still reports 3 high-severity dependency findings in the dev/test dependency tree introduced through direct `openclaw@2026.3.8`.
+
+## Measured data
+
+- Command: `npm audit --json`
+- Dependency totals:
+  - `prod`: 2
+  - `dev`: 741
+  - `optional`: 109
+  - `peer`: 126
+  - `total`: 742
+- Vulnerability totals:
+  - `high`: 3
+  - `critical`: 0
+
+## Findings
+
+1. `openclaw` direct dev dependency
+   - Severity: High
+   - Range: `>=2026.1.29-beta.1`
+   - Evidence: `npm audit --json`
+   - Impact: current compatibility baseline depends on a package tree flagged by npm advisory propagation.
+
+2. `@buape/carbon` transitive dependency
+   - Severity: High
+   - Effect chain: `openclaw -> @buape/carbon`
+   - Range: `<=0.0.0-beta-20260306233624 || >=0.6.0`
+   - Evidence: `npm audit --json`
+
+3. `@hono/node-server` transitive dependency
+   - Severity: High
+   - Advisory: `GHSA-wc8c-qw6v-h7f6`
+   - CVSS: `7.5`
+   - Affected range: `<1.19.10`
+   - Evidence: `npm audit --json`
+
+## Interpretation
+
+- The current findings are dependency-chain issues, not a measured break in `guard-scanner` runtime behavior.
+- Because `openclaw@2026.3.8` is pinned for compatibility validation, remediation must be coordinated with upstream package releases rather than force-downgrading to an unrelated `0.0.1` suggestion from npm audit.
+
+## Recommended next actions
+
+1. Track upstream OpenClaw dependency fixes before changing the pinned compatibility baseline.
+2. Re-run `npm audit --json` after every OpenClaw baseline update.
+3. If these dependencies become production-path dependencies later, escalate from report-only to release-blocking policy.

package/docs/spec/PRD_V2_ARCHITECTURE.md

@@ -0,0 +1,55 @@
+# PRD: Guard Scanner V2 Architecture & Policy Enforcement
+
+## 1. Objective
+guard-scanner を「話題性のある pattern scanner」から、「仕様が一貫し、検知能力が証明可能で、agent security pipeline に組み込める実用ツール（Security policy and analysis layer）」へと進化させる。
+
+## 2. Product Positioning (新ポジショニング)
+**"Security policy and analysis layer for agent skills and MCP-connected workflows."**
+
+**[禁止表現]**
+- ❌ The first open-source...
+- ❌ Zero dependencies (※ `ws` 依存が存在するため事実誤認)
+- ❌ Catches what others can't (※ ベンチマーク証明なしの過剰主張)
+
+**[推奨表現]**
+- ✅ Lightweight & Policy-aware
+- ✅ OpenClaw / MCP-friendly
+- ✅ Complementary to existing malware scanners
+- ✅ Combines static scans with runtime guardrails
+
+## 3. Core Initiatives
+
+### P0: Single Source of Truth (SSOT) の確立
+README, SKILL.md, openclaw.plugin.json, package.json に分散・矛盾している能力値（検知パターン数、カテゴリ数、依存関係）を完全に統一する。
+- **実装**: `docs/spec/capabilities.json` を唯一の正解（Canonical Source）とする。
+- **CI連携**: `capabilities.json` と 各ドキュメント（README等）の数字が一致しない場合は CI/CD で fail させる仕組みを構築する。
+
+### P0: Security Claim (境界) の再定義
+「何でも検知できる」というMarketing Claimを廃し、セキュリティバウンダリを厳密に定義する。
+- 冒頭に **"Not a complete defense (銀の弾丸ではない)"** と明記する。
+- 静的スキャン（Static-only）で検知できるものと、ランタイム（Runtime hook）や外部通信（VT等）が必要なものを明確に分ける。
+
+### P1: Rule Explainability (検知根拠の透明化)
+パターンマッチによるFalse Positive（誤検知）のトリアージコストを下げるため、全 finding に説明メタデータを付与する。
+- 追加フィールド: `rationale` (なぜ危険か), `exploit precondition` (成立条件), `likely false-positive cases` (誤検知しやすいケース), `remediation hint` (修正案)。
+- SARIF および JSON 出力にこれらを統合する。
+
+### P1: Threat Model Layer (脅威モデリング)
+単なるパターンマッチの前に、対象Skillの「権限サーフェス（Threat Model）」を生成する。
+- ファイルシステムアクセス権、ネットワーク通信能力、クレデンシャル参照の有無などを評価し、Risk Score の算出ロジックに組み込む（Context-aware validation）。
+
+### P1: Runtime Guard Hardening
+`before_tool_call` フックを高度な Policy Engine へと昇華させる。
+- `monitor` / `enforce` / `strict` モードの挙動定義を厳密に文書化し、Audit log のスキーマバージョニングを導入する。
+
+### P2: Benchmarking (自前ベンチマークの構築)
+競合（他社製品）との比較ではなく、自前のテストデータセット（Benign skills, Malicious skills, Indirect PI samples 等）を用意する。
+- `precision` (適合率) と `recall` (再現率) を測定し、「パターン数」ではなく「精度」を前面に押し出す。
+
+## 4. Ecosystem Integration Modes
+guard-scanner の動作モードを以下の5つに整理・明文化する。
+1. **Offline static scan** (CLIベースの静的スキャン)
+2. **Runtime guard mode** (OpenClaw hook / 実行前ブロック)
+3. **MCP service mode** (他エージェントからの再利用)
+4. **Asset audit mode** (npm/GitHub レジストリ監査)
+5. **CI mode** (Fail-on-findings / SARIF出力)