@guava-parity/guard-scanner 9.1.0 → 15.0.0

package/src/policy-engine.js

@@ -0,0 +1,32 @@
+class PolicyEngine {
+    constructor(config = { mode: 'enforce' }) {
+        this.mode = config.mode;
+    }
+
+    evaluate(toolName, args) {
+        if (this.mode === 'monitor') {
+            return { action: 'allow', reason: 'monitor mode' };
+        }
+
+        const argsStr = JSON.stringify(args).toLowerCase();
+
+        // Destructive FS operations
+        if (toolName === 'run_shell_command' && (argsStr.includes('rm -rf') || argsStr.includes('mkfs'))) {
+            return { action: 'block', reason: 'destructive fs operation' };
+        }
+
+        // Credential access
+        if (toolName === 'read_file' && (argsStr.includes('.env') || argsStr.includes('secret') || argsStr.includes('.aws'))) {
+            return { action: 'block', reason: 'credential read operation' };
+        }
+
+        // Unrestricted network
+        if (toolName === 'run_shell_command' && (argsStr.includes('curl') || argsStr.includes('wget')) && argsStr.includes('| bash')) {
+            return { action: 'block', reason: 'unrestricted network execution (curl|bash)' };
+        }
+
+        return { action: 'allow', reason: 'safe operation' };
+    }
+}
+
+module.exports = { PolicyEngine };

package/src/runtime-guard.js

@@ -33,6 +33,7 @@
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
+const { normalizeFinding } = require('./finding-schema.js');
 
 // ── Runtime threat patterns (26 checks, 5 layers) ──
 
@@ -85,6 +86,11 @@ const RUNTIME_CHECKS = [
         desc: 'Download piped to shell',
         test: (s) => /(curl|wget)\s+[^\n]*\|\s*(sh|bash|zsh)/i.test(s),
     },
+    {
+        id: 'RT_ENV_CURL_EXFIL', severity: 'CRITICAL', layer: 1,
+        desc: 'Environment variable exfiltration piped to curl upload',
+        test: (s) => /env\s*\|\s*curl\b[^\n]*-d\s+@-/i.test(s),
+    },
     {
         id: 'RT_SSH_READ', severity: 'HIGH', layer: 1,
         desc: 'SSH private key access',
@@ -247,6 +253,9 @@ function shouldBlock(severity, mode) {
  * @param {string} [options.mode] - Override mode ('monitor' | 'enforce' | 'strict')
  * @param {boolean} [options.auditLog=true] - Enable audit logging
  * @param {string} [options.sessionKey] - Session identifier for audit
+ * @param {string} [options.sessionId] - Ephemeral OpenClaw session UUID for audit
+ * @param {string} [options.runId] - Stable OpenClaw run identifier for audit
+ * @param {string} [options.toolCallId] - Provider tool call identifier for audit
  * @param {string} [options.agentId] - Agent identifier for audit
  * @returns {{ blocked: boolean, detections: Array<{id: string, severity: string, layer: number, desc: string, action: string}> }}
  */
@@ -254,6 +263,9 @@ function scanToolCall(toolName, params, options = {}) {
     const mode = options.mode || loadMode();
     const enableAudit = options.auditLog !== false;
     const sessionKey = options.sessionKey || 'unknown';
+    const sessionId = options.sessionId || 'unknown';
+    const runId = options.runId || 'unknown';
+    const toolCallId = options.toolCallId || 'unknown';
     const agentId = options.agentId || 'unknown';
 
     const result = {
@@ -275,14 +287,29 @@ function scanToolCall(toolName, params, options = {}) {
         if (!check.test(serialized)) continue;
 
         const action = shouldBlock(check.severity, mode) ? 'blocked' : 'warned';
+        const paramsPreview = serialized.length > 200 ? `${serialized.slice(0, 200)}…` : serialized;
 
-        const detection = {
+        const detection = normalizeFinding({
             id: check.id,
+            category: LAYER_CATEGORIES[check.layer] || 'runtime-guard',
             severity: check.severity,
             layer: check.layer,
             desc: check.desc,
             action,
-        };
+            rationale: check.rationale || `Runtime guard matched ${check.desc.toLowerCase()} before the tool call executed.`,
+            preconditions: check.preconditions || 'The tool call arguments must reach the runtime enforcement hook with attacker-controlled or unsafe content.',
+            false_positive_scenarios: check.falsePositiveScenarios || [
+                'The arguments are part of a security test, audit note, or documentation sample and are not actually executed.',
+                'The command is legitimate but still requires explicit human review before execution.',
+            ],
+            remediation_hint: check.remediationHint || 'Review the tool arguments, remove the unsafe construct, and rerun only after an allowlisted human review.',
+        }, {
+            source: 'runtime',
+            toolName,
+            paramsPreview,
+            layer_name: LAYER_NAMES[check.layer],
+            ruleMetadata: check,
+        });
 
         result.detections.push(detection);
 
@@ -296,6 +323,9 @@ function scanToolCall(toolName, params, options = {}) {
                 mode,
                 action,
                 session: sessionKey,
+                sessionId,
+                runId,
+                toolCallId,
                 agent: agentId,
             });
         }
@@ -332,6 +362,14 @@ const LAYER_NAMES = {
     5: 'Trust Exploitation (ASI09)',
 };
 
+const LAYER_CATEGORIES = {
+    1: 'threat-detection',
+    2: 'trust-defense',
+    3: 'safety-judge',
+    4: 'behavioral-guard',
+    5: 'trust-exploitation',
+};
+
 module.exports = {
     RUNTIME_CHECKS,
     DANGEROUS_TOOLS,