@posthog/wizard 2.0.2 → 2.1.0

package/dist/src/lib/yara-hooks.js

@@ -0,0 +1,377 @@
+"use strict";
+/**
+ * YARA hook wiring for the Claude Agent SDK.
+ *
+ * Creates PreToolUse and PostToolUse hook callback arrays that
+ * integrate the YARA scanner into the wizard's agent loop. These
+ * hooks are registered in the SDK's query() options alongside the
+ * existing Stop hook.
+ *
+ * PreToolUse hooks block dangerous commands before execution.
+ * PostToolUse hooks detect violations in written code and prompt
+ * injection in read content, and scan context-mill skill downloads.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resetScanReport = resetScanReport;
+exports.formatScanReport = formatScanReport;
+exports.writeScanReport = writeScanReport;
+exports.createPreToolUseYaraHooks = createPreToolUseYaraHooks;
+exports.createPostToolUseYaraHooks = createPostToolUseYaraHooks;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const fast_glob_1 = __importDefault(require("fast-glob"));
+const yara_scanner_1 = require("./yara-scanner");
+const debug_1 = require("../utils/debug");
+const analytics_1 = require("../utils/analytics");
+const skill_install_1 = require("./skill-install");
+let scanCount = 0;
+const scanViolations = [];
+function recordScan() {
+    scanCount++;
+}
+function recordViolation(entry) {
+    scanViolations.push(entry);
+}
+/** Reset counters (for testing) */
+function resetScanReport() {
+    scanCount = 0;
+    scanViolations.length = 0;
+}
+/** Format the scan report summary. Returns null if no scans occurred */
+function formatScanReport() {
+    if (scanCount === 0)
+        return null;
+    const lines = ['', '— YARA Scanner Summary —'];
+    const violationCount = scanViolations.length;
+    const cleanCount = scanCount - violationCount;
+    lines.push(`✓ ${scanCount} tool calls scanned, ${violationCount} violation${violationCount !== 1 ? 's' : ''} detected`);
+    if (violationCount > 0) {
+        lines.push('');
+        for (const v of scanViolations) {
+            const tag = v.action.toUpperCase();
+            lines.push(`  [${tag}] ${v.rule} (${v.severity.toUpperCase()}) — ${v.phase}:${v.tool}`);
+        }
+    }
+    if (cleanCount > 0) {
+        lines.push('');
+        lines.push(`No violations: ✓ ${cleanCount} clean scan${cleanCount !== 1 ? 's' : ''}`);
+    }
+    lines.push('');
+    return lines.join('\n');
+}
+const YARA_REPORT_PATH = '/tmp/posthog-wizard-yara-report.json';
+/** Write the scan report to a JSON file. Returns the file path, or null if no scans occurred. */
+function writeScanReport() {
+    if (scanCount === 0)
+        return null;
+    const report = {
+        summary: {
+            totalScans: scanCount,
+            violations: scanViolations.length,
+            clean: scanCount - scanViolations.length,
+        },
+        violations: scanViolations,
+    };
+    try {
+        fs_1.default.writeFileSync(YARA_REPORT_PATH, JSON.stringify(report, null, 2));
+    }
+    catch (err) {
+        (0, debug_1.logToFile)('[YARA] Failed to write scan report:', err);
+        return null;
+    }
+    return YARA_REPORT_PATH;
+}
+// ─── Hook Timeouts (ms) ─────────────────────────────────────────
+/** Timeout for synchronous scan hooks (PreToolUse, PostToolUse Write/Edit/Read) */
+const HOOK_TIMEOUT_MS = 60;
+/** Timeout for skill install hook (involves filesystem I/O) */
+const SKILL_SCAN_HOOK_TIMEOUT_MS = 120;
+// ─── Logging ─────────────────────────────────────────────────────
+function logYaraMatch(phase, tool, match, action) {
+    (0, debug_1.logToFile)(`[YARA] ${phase}:${tool} [${action.toUpperCase()}] rule "${match.rule.name}" ` +
+        `(severity: ${match.rule.severity}, category: ${match.rule.category})\n` +
+        `  Description: ${match.rule.description}\n` +
+        `  Matched text: "${match.matchedText.substring(0, 200)}"`);
+    analytics_1.analytics.wizardCapture('yara rule matched', {
+        rule: match.rule.name,
+        severity: match.rule.severity,
+        category: match.rule.category,
+        action,
+        phase,
+        tool,
+    });
+}
+// ─── Severity helpers ────────────────────────────────────────────
+const SEVERITY_RANK = {
+    critical: 4,
+    high: 3,
+    medium: 2,
+    low: 1,
+};
+/** Return the highest-severity match from a list of matches. */
+function highestSeverityMatch(matches) {
+    return matches.reduce((worst, m) => (SEVERITY_RANK[m.rule.severity] ?? 0) >
+        (SEVERITY_RANK[worst.rule.severity] ?? 0)
+        ? m
+        : worst);
+}
+// ─── PreToolUse Hooks ────────────────────────────────────────────
+/**
+ * Create PreToolUse hook matchers for YARA scanning.
+ * Scans Bash commands before execution for exfiltration,
+ * destructive operations, and supply chain violations.
+ */
+function createPreToolUseYaraHooks() {
+    return [
+        {
+            hooks: [
+                (input) => {
+                    try {
+                        const toolName = input.tool_name;
+                        if (toolName !== 'Bash')
+                            return Promise.resolve({});
+                        const toolInput = input.tool_input;
+                        const command = typeof toolInput?.command === 'string' ? toolInput.command : '';
+                        if (!command)
+                            return Promise.resolve({});
+                        recordScan();
+                        const result = (0, yara_scanner_1.scan)(command, 'PreToolUse', 'Bash');
+                        if (!result.matched)
+                            return Promise.resolve({});
+                        const match = highestSeverityMatch(result.matches);
+                        logYaraMatch('PreToolUse', 'Bash', match, 'blocked');
+                        recordViolation({
+                            rule: match.rule.name,
+                            severity: match.rule.severity,
+                            action: 'blocked',
+                            phase: 'PreToolUse',
+                            tool: 'Bash',
+                        });
+                        return Promise.resolve({
+                            decision: 'block',
+                            reason: `[YARA] ${match.rule.name}: ${match.rule.description}. Command blocked for security.`,
+                        });
+                    }
+                    catch (error) {
+                        (0, debug_1.logToFile)('[YARA] PreToolUse hook error:', error);
+                        // Fail closed: block the command if scanning fails
+                        return Promise.resolve({
+                            decision: 'block',
+                            reason: '[YARA] Scanner error — command blocked as a precaution.',
+                        });
+                    }
+                },
+            ],
+            timeout: HOOK_TIMEOUT_MS,
+        },
+    ];
+}
+// ─── PostToolUse Hooks ───────────────────────────────────────────
+/**
+ * Create PostToolUse hook matchers for YARA scanning.
+ *
+ * Three matchers:
+ * 1. Write/Edit — scan written content for PII, secrets, config violations
+ * 2. Read/Grep — scan read content for prompt injection
+ * 3. Bash (skill install) — scan downloaded skill files for poisoned content
+ */
+function createPostToolUseYaraHooks() {
+    return [
+        // ── Write/Edit content scanning ──
+        {
+            hooks: [
+                (input) => {
+                    try {
+                        const toolName = input.tool_name;
+                        if (toolName !== 'Write' && toolName !== 'Edit')
+                            return Promise.resolve({});
+                        const toolInput = input.tool_input;
+                        // For Write, scan the content being written
+                        // For Edit, scan the new_str (replacement text)
+                        const content = toolName === 'Write'
+                            ? toolInput?.content ?? ''
+                            : toolInput?.new_str ?? '';
+                        if (!content)
+                            return Promise.resolve({});
+                        recordScan();
+                        const tool = toolName;
+                        const result = (0, yara_scanner_1.scan)(content, 'PostToolUse', tool);
+                        if (!result.matched)
+                            return Promise.resolve({});
+                        const match = highestSeverityMatch(result.matches);
+                        logYaraMatch('PostToolUse', tool, match, 'reverted');
+                        recordViolation({
+                            rule: match.rule.name,
+                            severity: match.rule.severity,
+                            action: 'reverted',
+                            phase: 'PostToolUse',
+                            tool,
+                        });
+                        return Promise.resolve({
+                            hookSpecificOutput: {
+                                hookEventName: 'PostToolUse',
+                                additionalContext: `[YARA VIOLATION] ${match.rule.name}: ${match.rule.description}. ` +
+                                    `You MUST revert this change immediately. The content you just wrote violates security policy.`,
+                            },
+                        });
+                    }
+                    catch (error) {
+                        (0, debug_1.logToFile)('[YARA] PostToolUse Write/Edit hook error:', error);
+                        // Fail closed: instruct the agent to revert if scanning fails
+                        return Promise.resolve({
+                            hookSpecificOutput: {
+                                hookEventName: 'PostToolUse',
+                                additionalContext: '[YARA] Scanner error — you MUST revert this change as a precaution.',
+                            },
+                        });
+                    }
+                },
+            ],
+            timeout: HOOK_TIMEOUT_MS,
+        },
+        // ── Read/Grep prompt injection scanning ──
+        {
+            hooks: [
+                (input) => {
+                    try {
+                        const toolName = input.tool_name;
+                        if (toolName !== 'Read' && toolName !== 'Grep')
+                            return Promise.resolve({});
+                        const toolResponse = input.tool_response;
+                        const content = typeof toolResponse === 'string'
+                            ? toolResponse
+                            : JSON.stringify(toolResponse ?? '');
+                        if (!content)
+                            return Promise.resolve({});
+                        recordScan();
+                        const tool = toolName;
+                        const result = (0, yara_scanner_1.scan)(content, 'PostToolUse', tool);
+                        if (!result.matched)
+                            return Promise.resolve({});
+                        const match = highestSeverityMatch(result.matches);
+                        if (match.rule.severity === 'critical') {
+                            logYaraMatch('PostToolUse', tool, match, 'aborted');
+                            recordViolation({
+                                rule: match.rule.name,
+                                severity: match.rule.severity,
+                                action: 'aborted',
+                                phase: 'PostToolUse',
+                                tool,
+                            });
+                            // Prompt injection: abort the session — context is poisoned
+                            return Promise.resolve({
+                                stopReason: `[YARA CRITICAL] ${match.rule.name}: Prompt injection detected in file content. ` +
+                                    `Agent context is potentially poisoned. Session terminated for safety.`,
+                            });
+                        }
+                        logYaraMatch('PostToolUse', tool, match, 'warned');
+                        recordViolation({
+                            rule: match.rule.name,
+                            severity: match.rule.severity,
+                            action: 'warned',
+                            phase: 'PostToolUse',
+                            tool,
+                        });
+                        return Promise.resolve({
+                            hookSpecificOutput: {
+                                hookEventName: 'PostToolUse',
+                                additionalContext: `[YARA WARNING] ${match.rule.name}: ${match.rule.description}`,
+                            },
+                        });
+                    }
+                    catch (error) {
+                        (0, debug_1.logToFile)('[YARA] PostToolUse Read/Grep hook error:', error);
+                        // Fail closed: terminate session if scanning fails on read content
+                        return Promise.resolve({
+                            stopReason: '[YARA] Scanner error while scanning read content — session terminated as a precaution.',
+                        });
+                    }
+                },
+            ],
+            timeout: HOOK_TIMEOUT_MS,
+        },
+        // ── Context-mill skill install scanning ──
+        {
+            hooks: [
+                async (input) => {
+                    try {
+                        const toolName = input.tool_name;
+                        if (toolName !== 'Bash')
+                            return {};
+                        const toolInput = input.tool_input;
+                        const command = typeof toolInput?.command === 'string' ? toolInput.command : '';
+                        // Only scan after skill install commands
+                        if (!(0, skill_install_1.isSkillInstallCommand)(command))
+                            return {};
+                        // Extract skill directory from command
+                        const dirMatch = command.match(/mkdir -p (.claude\/skills\/[^\s&]+)/);
+                        if (!dirMatch)
+                            return {};
+                        const skillDir = dirMatch[1];
+                        const cwd = input.cwd ?? process.cwd();
+                        recordScan();
+                        const result = await scanSkillFiles(cwd, skillDir);
+                        if (!result.matched)
+                            return {};
+                        const match = highestSeverityMatch(result.matches);
+                        logYaraMatch('PostToolUse', 'Bash (skill install)', match, 'aborted');
+                        recordViolation({
+                            rule: match.rule.name,
+                            severity: match.rule.severity,
+                            action: 'aborted',
+                            phase: 'PostToolUse',
+                            tool: 'Bash (skill)',
+                        });
+                        return {
+                            stopReason: `[YARA CRITICAL] Poisoned skill detected in ${skillDir}: ${match.rule.name}. ` +
+                                `The downloaded skill contains potential prompt injection. Session terminated for safety.`,
+                        };
+                    }
+                    catch (error) {
+                        (0, debug_1.logToFile)('[YARA] PostToolUse skill install hook error:', error);
+                        // Fail closed: terminate if skill scanning fails
+                        return {
+                            stopReason: '[YARA] Scanner error while scanning skill files — session terminated as a precaution.',
+                        };
+                    }
+                },
+            ],
+            timeout: SKILL_SCAN_HOOK_TIMEOUT_MS,
+        },
+    ];
+}
+// ─── Skill File Scanner ──────────────────────────────────────────
+/**
+ * Read and scan all text files in a skill directory for prompt injection.
+ */
+async function scanSkillFiles(cwd, skillDir) {
+    const absoluteDir = path_1.default.resolve(cwd, skillDir);
+    if (!fs_1.default.existsSync(absoluteDir)) {
+        (0, debug_1.logToFile)(`[YARA] Skill directory does not exist: ${absoluteDir}`);
+        return { matched: false };
+    }
+    const files = await (0, fast_glob_1.default)('**/*.{md,txt,yaml,yml,json,js,ts,py,rb,sh}', {
+        cwd: absoluteDir,
+        absolute: true,
+    });
+    const fileContents = [];
+    for (const filePath of files) {
+        try {
+            const content = fs_1.default.readFileSync(filePath, 'utf-8');
+            fileContents.push({ path: filePath, content });
+        }
+        catch (err) {
+            (0, debug_1.logToFile)(`[YARA] Could not read skill file ${filePath}:`, err);
+        }
+    }
+    if (fileContents.length === 0) {
+        (0, debug_1.logToFile)(`[YARA] No text files found in skill directory: ${absoluteDir}`);
+        return { matched: false };
+    }
+    (0, debug_1.logToFile)(`[YARA] Scanning ${fileContents.length} files in skill directory: ${skillDir}`);
+    return (0, yara_scanner_1.scanSkillDirectory)(fileContents);
+}
+//# sourceMappingURL=yara-hooks.js.map

package/dist/src/lib/yara-hooks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"yara-hooks.js","sourceRoot":"","sources":["../../../src/lib/yara-hooks.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;;;AAsDH,0CAGC;AAGD,4CAkCC;AAKD,0CAmBC;AA6DD,8DA8CC;AAYD,gEA6LC;AAxaD,4CAAoB;AACpB,gDAAwB;AACxB,0DAA2B;AAC3B,iDAA0D;AAE1D,0CAA2C;AAC3C,kDAA+C;AAC/C,mDAAwD;AAiCxD,IAAI,SAAS,GAAG,CAAC,CAAC;AAClB,MAAM,cAAc,GAAsB,EAAE,CAAC;AAE7C,SAAS,UAAU;IACjB,SAAS,EAAE,CAAC;AACd,CAAC;AAED,SAAS,eAAe,CAAC,KAAsB;IAC7C,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAC7B,CAAC;AAED,mCAAmC;AACnC,SAAgB,eAAe;IAC7B,SAAS,GAAG,CAAC,CAAC;IACd,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC;AAC5B,CAAC;AAED,wEAAwE;AACxE,SAAgB,gBAAgB;IAC9B,IAAI,SAAS,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEjC,MAAM,KAAK,GAAa,CAAC,EAAE,EAAE,0BAA0B,CAAC,CAAC;IACzD,MAAM,cAAc,GAAG,cAAc,CAAC,MAAM,CAAC;IAC7C,MAAM,UAAU,GAAG,SAAS,GAAG,cAAc,CAAC;IAE9C,KAAK,CAAC,IAAI,CACR,KAAK,SAAS,wBAAwB,cAAc,aAClD,cAAc,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAC/B,WAAW,CACZ,CAAC;IAEF,IAAI,cAAc,GAAG,CAAC,EAAE,CAAC;QACvB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,MAAM,CAAC,IAAI,cAAc,EAAE,CAAC;YAC/B,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YACnC,KAAK,CAAC,IAAI,CACR,MAAM,GAAG,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,KAAK,IAC7D,CAAC,CAAC,IACJ,EAAE,CACH,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;QACnB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CACR,oBAAoB,UAAU,cAAc,UAAU,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAC1E,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,gBAAgB,GAAG,sCAAsC,CAAC;AAEhE,iGAAiG;AACjG,SAAgB,eAAe;IAC7B,IAAI,SAAS,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEjC,MAAM,MAAM,GAAG;QACb,OAAO,EAAE;YACP,UAAU,EAAE,SAAS;YACrB,UAAU,EAAE,cAAc,CAAC,MAAM;YACjC,KAAK,EAAE,SAAS,GAAG,cAAc,CAAC,MAAM;SACzC;QACD,UAAU,EAAE,cAAc;KAC3B,CAAC;IAEF,IAAI,CAAC;QACH,YAAE,CAAC,aAAa,CAAC,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACtE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAA,iBAAS,EAAC,qCAAqC,EAAE,GAAG,CAAC,CAAC;QACtD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAED,mEAAmE;AAEnE,mFAAmF;AACnF,MAAM,eAAe,GAAG,EAAE,CAAC;AAC3B,+DAA+D;AAC/D,MAAM,0BAA0B,GAAG,GAAG,CAAC;AAEvC,oEAAoE;AAEpE,SAAS,YAAY,CACnB,KAAa,EACb,IAAY,EACZ,KAAgB,EAChB,MAAkB;IAElB,IAAA,iBAAS,EACP,UAAU,KAAK,IAAI,IAAI,KAAK,MAAM,CAAC,WAAW,EAAE,WAC9C,KAAK,CAAC,IAAI,CAAC,IACb,IAAI;QACF,cAAc,KAAK,CAAC,IAAI,CAAC,QAAQ,eAAe,KAAK,CAAC,IAAI,CAAC,QAAQ,KAAK;QACxE,kBAAkB,KAAK,CAAC,IAAI,CAAC,WAAW,IAAI;QAC5C,oBAAoB,KAAK,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,CAC7D,CAAC;IACF,qBAAS,CAAC,aAAa,CAAC,mBAAmB,EAAE;QAC3C,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI;QACrB,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ;QAC7B,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ;QAC7B,MAAM;QACN,KAAK;QACL,IAAI;KACL,CAAC,CAAC;AACL,CAAC;AAED,oEAAoE;AAEpE,MAAM,aAAa,GAA2B;IAC5C,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;CACP,CAAC;AAEF,gEAAgE;AAChE,SAAS,oBAAoB,CAAC,OAAoB;IAChD,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE,CACjC,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACrC,CAAC,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QACH,CAAC,CAAC,KAAK,CACV,CAAC;AACJ,CAAC;AAED,oEAAoE;AAEpE;;;;GAIG;AACH,SAAgB,yBAAyB;IACvC,OAAO;QACL;YACE,KAAK,EAAE;gBACL,CAAC,KAAgB,EAAuB,EAAE;oBACxC,IAAI,CAAC;wBACH,MAAM,QAAQ,GAAG,KAAK,CAAC,SAAmB,CAAC;wBAC3C,IAAI,QAAQ,KAAK,MAAM;4BAAE,OAAO,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;wBAEpD,MAAM,SAAS,GAAG,KAAK,CAAC,UAAqC,CAAC;wBAC9D,MAAM,OAAO,GACX,OAAO,SAAS,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;wBAElE,IAAI,CAAC,OAAO;4BAAE,OAAO,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;wBAEzC,UAAU,EAAE,CAAC;wBACb,MAAM,MAAM,GAAG,IAAA,mBAAI,EAAC,OAAO,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;wBACnD,IAAI,CAAC,MAAM,CAAC,OAAO;4BAAE,OAAO,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;wBAEhD,MAAM,KAAK,GAAG,oBAAoB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;wBACnD,YAAY,CAAC,YAAY,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;wBACrD,eAAe,CAAC;4BACd,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI;4BACrB,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ;4BAC7B,MAAM,EAAE,SAAS;4BACjB,KAAK,EAAE,YAAY;4BACnB,IAAI,EAAE,MAAM;yBACb,CAAC,CAAC;wBAEH,OAAO,OAAO,CAAC,OAAO,CAAC;4BACrB,QAAQ,EAAE,OAAO;4BACjB,MAAM,EAAE,UAAU,KAAK,CAAC,IAAI,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,WAAW,iCAAiC;yBAC9F,CAAC,CAAC;oBACL,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,IAAA,iBAAS,EAAC,+BAA+B,EAAE,KAAK,CAAC,CAAC;wBAClD,mDAAmD;wBACnD,OAAO,OAAO,CAAC,OAAO,CAAC;4BACrB,QAAQ,EAAE,OAAO;4BACjB,MAAM,EAAE,yDAAyD;yBAClE,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;aACF;YACD,OAAO,EAAE,eAAe;SACzB;KACF,CAAC;AACJ,CAAC;AAED,oEAAoE;AAEpE;;;;;;;GAOG;AACH,SAAgB,0BAA0B;IACxC,OAAO;QACL,oCAAoC;QACpC;YACE,KAAK,EAAE;gBACL,CAAC,KAAgB,EAAuB,EAAE;oBACxC,IAAI,CAAC;wBACH,MAAM,QAAQ,GAAG,KAAK,CAAC,SAAmB,CAAC;wBAC3C,IAAI,QAAQ,KAAK,OAAO,IAAI,QAAQ,KAAK,MAAM;4BAC7C,OAAO,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;wBAE7B,MAAM,SAAS,GAAG,KAAK,CAAC,UAAqC,CAAC;wBAC9D,4CAA4C;wBAC5C,gDAAgD;wBAChD,MAAM,OAAO,GACX,QAAQ,KAAK,OAAO;4BAClB,CAAC,CAAE,SAAS,EAAE,OAAkB,IAAI,EAAE;4BACtC,CAAC,CAAE,SAAS,EAAE,OAAkB,IAAI,EAAE,CAAC;wBAE3C,IAAI,CAAC,OAAO;4BAAE,OAAO,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;wBAEzC,UAAU,EAAE,CAAC;wBACb,MAAM,IAAI,GAAG,QAAQ,CAAC;wBACtB,MAAM,MAAM,GAAG,IAAA,mBAAI,EAAC,OAAO,EAAE,aAAa,EAAE,IAAI,CAAC,CAAC;wBAClD,IAAI,CAAC,MAAM,CAAC,OAAO;4BAAE,OAAO,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;wBAEhD,MAAM,KAAK,GAAG,oBAAoB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;wBACnD,YAAY,CAAC,aAAa,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC;wBACrD,eAAe,CAAC;4BACd,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI;4BACrB,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ;4BAC7B,MAAM,EAAE,UAAU;4BAClB,KAAK,EAAE,aAAa;4BACpB,IAAI;yBACL,CAAC,CAAC;wBAEH,OAAO,OAAO,CAAC,OAAO,CAAC;4BACrB,kBAAkB,EAAE;gCAClB,aAAa,EAAE,aAAa;gCAC5B,iBAAiB,EACf,oBAAoB,KAAK,CAAC,IAAI,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,WAAW,IAAI;oCAClE,+FAA+F;6BAClG;yBACF,CAAC,CAAC;oBACL,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,IAAA,iBAAS,EAAC,2CAA2C,EAAE,KAAK,CAAC,CAAC;wBAC9D,8DAA8D;wBAC9D,OAAO,OAAO,CAAC,OAAO,CAAC;4BACrB,kBAAkB,EAAE;gCAClB,aAAa,EAAE,aAAa;gCAC5B,iBAAiB,EACf,qEAAqE;6BACxE;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;aACF;YACD,OAAO,EAAE,eAAe;SACzB;QAED,4CAA4C;QAC5C;YACE,KAAK,EAAE;gBACL,CAAC,KAAgB,EAAuB,EAAE;oBACxC,IAAI,CAAC;wBACH,MAAM,QAAQ,GAAG,KAAK,CAAC,SAAmB,CAAC;wBAC3C,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,MAAM;4BAC5C,OAAO,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;wBAE7B,MAAM,YAAY,GAAG,KAAK,CAAC,aAAa,CAAC;wBACzC,MAAM,OAAO,GACX,OAAO,YAAY,KAAK,QAAQ;4BAC9B,CAAC,CAAC,YAAY;4BACd,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC;wBAEzC,IAAI,CAAC,OAAO;4BAAE,OAAO,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;wBAEzC,UAAU,EAAE,CAAC;wBACb,MAAM,IAAI,GAAG,QAAQ,CAAC;wBACtB,MAAM,MAAM,GAAG,IAAA,mBAAI,EAAC,OAAO,EAAE,aAAa,EAAE,IAAI,CAAC,CAAC;wBAClD,IAAI,CAAC,MAAM,CAAC,OAAO;4BAAE,OAAO,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;wBAEhD,MAAM,KAAK,GAAG,oBAAoB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;wBAEnD,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;4BACvC,YAAY,CAAC,aAAa,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;4BACpD,eAAe,CAAC;gCACd,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI;gCACrB,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ;gCAC7B,MAAM,EAAE,SAAS;gCACjB,KAAK,EAAE,aAAa;gCACpB,IAAI;6BACL,CAAC,CAAC;4BACH,4DAA4D;4BAC5D,OAAO,OAAO,CAAC,OAAO,CAAC;gCACrB,UAAU,EACR,mBAAmB,KAAK,CAAC,IAAI,CAAC,IAAI,+CAA+C;oCACjF,uEAAuE;6BAC1E,CAAC,CAAC;wBACL,CAAC;wBAED,YAAY,CAAC,aAAa,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;wBACnD,eAAe,CAAC;4BACd,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI;4BACrB,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ;4BAC7B,MAAM,EAAE,QAAQ;4BAChB,KAAK,EAAE,aAAa;4BACpB,IAAI;yBACL,CAAC,CAAC;wBACH,OAAO,OAAO,CAAC,OAAO,CAAC;4BACrB,kBAAkB,EAAE;gCAClB,aAAa,EAAE,aAAa;gCAC5B,iBAAiB,EAAE,kBAAkB,KAAK,CAAC,IAAI,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE;6BAClF;yBACF,CAAC,CAAC;oBACL,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,IAAA,iBAAS,EAAC,0CAA0C,EAAE,KAAK,CAAC,CAAC;wBAC7D,mEAAmE;wBACnE,OAAO,OAAO,CAAC,OAAO,CAAC;4BACrB,UAAU,EACR,wFAAwF;yBAC3F,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;aACF;YACD,OAAO,EAAE,eAAe;SACzB;QAED,4CAA4C;QAC5C;YACE,KAAK,EAAE;gBACL,KAAK,EAAE,KAAgB,EAAuB,EAAE;oBAC9C,IAAI,CAAC;wBACH,MAAM,QAAQ,GAAG,KAAK,CAAC,SAAmB,CAAC;wBAC3C,IAAI,QAAQ,KAAK,MAAM;4BAAE,OAAO,EAAE,CAAC;wBAEnC,MAAM,SAAS,GAAG,KAAK,CAAC,UAAqC,CAAC;wBAC9D,MAAM,OAAO,GACX,OAAO,SAAS,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;wBAElE,yCAAyC;wBACzC,IAAI,CAAC,IAAA,qCAAqB,EAAC,OAAO,CAAC;4BAAE,OAAO,EAAE,CAAC;wBAE/C,uCAAuC;wBACvC,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAC5B,qCAAqC,CACtC,CAAC;wBACF,IAAI,CAAC,QAAQ;4BAAE,OAAO,EAAE,CAAC;wBAEzB,MAAM,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;wBAC7B,MAAM,GAAG,GAAI,KAAK,CAAC,GAAc,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;wBACnD,UAAU,EAAE,CAAC;wBACb,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;wBAEnD,IAAI,CAAC,MAAM,CAAC,OAAO;4BAAE,OAAO,EAAE,CAAC;wBAE/B,MAAM,KAAK,GAAG,oBAAoB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;wBACnD,YAAY,CACV,aAAa,EACb,sBAAsB,EACtB,KAAK,EACL,SAAS,CACV,CAAC;wBACF,eAAe,CAAC;4BACd,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI;4BACrB,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ;4BAC7B,MAAM,EAAE,SAAS;4BACjB,KAAK,EAAE,aAAa;4BACpB,IAAI,EAAE,cAAc;yBACrB,CAAC,CAAC;wBAEH,OAAO;4BACL,UAAU,EACR,8CAA8C,QAAQ,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,IAAI;gCAC9E,0FAA0F;yBAC7F,CAAC;oBACJ,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,IAAA,iBAAS,EAAC,8CAA8C,EAAE,KAAK,CAAC,CAAC;wBACjE,iDAAiD;wBACjD,OAAO;4BACL,UAAU,EACR,uFAAuF;yBAC1F,CAAC;oBACJ,CAAC;gBACH,CAAC;aACF;YACD,OAAO,EAAE,0BAA0B;SACpC;KACF,CAAC;AACJ,CAAC;AAED,oEAAoE;AAEpE;;GAEG;AACH,KAAK,UAAU,cAAc,CAC3B,GAAW,EACX,QAAgB;IAEhB,MAAM,WAAW,GAAG,cAAI,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAEhD,IAAI,CAAC,YAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,IAAA,iBAAS,EAAC,0CAA0C,WAAW,EAAE,CAAC,CAAC;QACnE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC5B,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,IAAA,mBAAE,EAAC,4CAA4C,EAAE;QACnE,GAAG,EAAE,WAAW;QAChB,QAAQ,EAAE,IAAI;KACf,CAAC,CAAC;IAEH,MAAM,YAAY,GAA6C,EAAE,CAAC;IAClE,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,YAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACnD,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;QACjD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAA,iBAAS,EAAC,oCAAoC,QAAQ,GAAG,EAAE,GAAG,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,IAAA,iBAAS,EAAC,kDAAkD,WAAW,EAAE,CAAC,CAAC;QAC3E,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC5B,CAAC;IAED,IAAA,iBAAS,EACP,mBAAmB,YAAY,CAAC,MAAM,8BAA8B,QAAQ,EAAE,CAC/E,CAAC;IACF,OAAO,IAAA,iCAAkB,EAAC,YAAY,CAAC,CAAC;AAC1C,CAAC","sourcesContent":["/**\n * YARA hook wiring for the Claude Agent SDK.\n *\n * Creates PreToolUse and PostToolUse hook callback arrays that\n * integrate the YARA scanner into the wizard's agent loop. These\n * hooks are registered in the SDK's query() options alongside the\n * existing Stop hook.\n *\n * PreToolUse hooks block dangerous commands before execution.\n * PostToolUse hooks detect violations in written code and prompt\n * injection in read content, and scan context-mill skill downloads.\n */\n\nimport fs from 'fs';\nimport path from 'path';\nimport fg from 'fast-glob';\nimport { scan, scanSkillDirectory } from './yara-scanner';\nimport type { YaraMatch, ScanResult } from './yara-scanner';\nimport { logToFile } from '../utils/debug';\nimport { analytics } from '../utils/analytics';\nimport { isSkillInstallCommand } from './skill-install';\n\n// ─── Types ───────────────────────────────────────────────────────\n// Using loose types to avoid tight coupling to SDK version.\n// The SDK hook types are: HookCallbackMatcher[], where each matcher\n// has { matcher?: string, hooks: HookCallback[], timeout?: number }\n\ntype HookInput = Record<string, unknown>;\ntype HookOutput = Record<string, unknown>;\ntype HookCallback = (\n  input: HookInput,\n  toolUseID: string | undefined,\n  options: { signal: AbortSignal },\n) => Promise<HookOutput>;\n\nexport interface HookCallbackMatcher {\n  matcher?: string;\n  hooks: HookCallback[];\n  timeout?: number;\n}\n\n// ─── Scan Report Accumulator ─────────────────────────────────────\n\ntype ScanAction = 'blocked' | 'reverted' | 'warned' | 'aborted';\n\ninterface ScanReportEntry {\n  rule: string;\n  severity: string;\n  action: ScanAction;\n  phase: string;\n  tool: string;\n}\n\nlet scanCount = 0;\nconst scanViolations: ScanReportEntry[] = [];\n\nfunction recordScan(): void {\n  scanCount++;\n}\n\nfunction recordViolation(entry: ScanReportEntry): void {\n  scanViolations.push(entry);\n}\n\n/** Reset counters (for testing) */\nexport function resetScanReport(): void {\n  scanCount = 0;\n  scanViolations.length = 0;\n}\n\n/** Format the scan report summary. Returns null if no scans occurred */\nexport function formatScanReport(): string | null {\n  if (scanCount === 0) return null;\n\n  const lines: string[] = ['', '— YARA Scanner Summary —'];\n  const violationCount = scanViolations.length;\n  const cleanCount = scanCount - violationCount;\n\n  lines.push(\n    `✓ ${scanCount} tool calls scanned, ${violationCount} violation${\n      violationCount !== 1 ? 's' : ''\n    } detected`,\n  );\n\n  if (violationCount > 0) {\n    lines.push('');\n    for (const v of scanViolations) {\n      const tag = v.action.toUpperCase();\n      lines.push(\n        `  [${tag}] ${v.rule} (${v.severity.toUpperCase()}) — ${v.phase}:${\n          v.tool\n        }`,\n      );\n    }\n  }\n\n  if (cleanCount > 0) {\n    lines.push('');\n    lines.push(\n      `No violations: ✓ ${cleanCount} clean scan${cleanCount !== 1 ? 's' : ''}`,\n    );\n  }\n\n  lines.push('');\n  return lines.join('\\n');\n}\n\nconst YARA_REPORT_PATH = '/tmp/posthog-wizard-yara-report.json';\n\n/** Write the scan report to a JSON file. Returns the file path, or null if no scans occurred. */\nexport function writeScanReport(): string | null {\n  if (scanCount === 0) return null;\n\n  const report = {\n    summary: {\n      totalScans: scanCount,\n      violations: scanViolations.length,\n      clean: scanCount - scanViolations.length,\n    },\n    violations: scanViolations,\n  };\n\n  try {\n    fs.writeFileSync(YARA_REPORT_PATH, JSON.stringify(report, null, 2));\n  } catch (err) {\n    logToFile('[YARA] Failed to write scan report:', err);\n    return null;\n  }\n  return YARA_REPORT_PATH;\n}\n\n// ─── Hook Timeouts (ms) ─────────────────────────────────────────\n\n/** Timeout for synchronous scan hooks (PreToolUse, PostToolUse Write/Edit/Read) */\nconst HOOK_TIMEOUT_MS = 60;\n/** Timeout for skill install hook (involves filesystem I/O) */\nconst SKILL_SCAN_HOOK_TIMEOUT_MS = 120;\n\n// ─── Logging ─────────────────────────────────────────────────────\n\nfunction logYaraMatch(\n  phase: string,\n  tool: string,\n  match: YaraMatch,\n  action: ScanAction,\n): void {\n  logToFile(\n    `[YARA] ${phase}:${tool} [${action.toUpperCase()}] rule \"${\n      match.rule.name\n    }\" ` +\n      `(severity: ${match.rule.severity}, category: ${match.rule.category})\\n` +\n      `  Description: ${match.rule.description}\\n` +\n      `  Matched text: \"${match.matchedText.substring(0, 200)}\"`,\n  );\n  analytics.wizardCapture('yara rule matched', {\n    rule: match.rule.name,\n    severity: match.rule.severity,\n    category: match.rule.category,\n    action,\n    phase,\n    tool,\n  });\n}\n\n// ─── Severity helpers ────────────────────────────────────────────\n\nconst SEVERITY_RANK: Record<string, number> = {\n  critical: 4,\n  high: 3,\n  medium: 2,\n  low: 1,\n};\n\n/** Return the highest-severity match from a list of matches. */\nfunction highestSeverityMatch(matches: YaraMatch[]): YaraMatch {\n  return matches.reduce((worst, m) =>\n    (SEVERITY_RANK[m.rule.severity] ?? 0) >\n    (SEVERITY_RANK[worst.rule.severity] ?? 0)\n      ? m\n      : worst,\n  );\n}\n\n// ─── PreToolUse Hooks ────────────────────────────────────────────\n\n/**\n * Create PreToolUse hook matchers for YARA scanning.\n * Scans Bash commands before execution for exfiltration,\n * destructive operations, and supply chain violations.\n */\nexport function createPreToolUseYaraHooks(): HookCallbackMatcher[] {\n  return [\n    {\n      hooks: [\n        (input: HookInput): Promise<HookOutput> => {\n          try {\n            const toolName = input.tool_name as string;\n            if (toolName !== 'Bash') return Promise.resolve({});\n\n            const toolInput = input.tool_input as Record<string, unknown>;\n            const command =\n              typeof toolInput?.command === 'string' ? toolInput.command : '';\n\n            if (!command) return Promise.resolve({});\n\n            recordScan();\n            const result = scan(command, 'PreToolUse', 'Bash');\n            if (!result.matched) return Promise.resolve({});\n\n            const match = highestSeverityMatch(result.matches);\n            logYaraMatch('PreToolUse', 'Bash', match, 'blocked');\n            recordViolation({\n              rule: match.rule.name,\n              severity: match.rule.severity,\n              action: 'blocked',\n              phase: 'PreToolUse',\n              tool: 'Bash',\n            });\n\n            return Promise.resolve({\n              decision: 'block',\n              reason: `[YARA] ${match.rule.name}: ${match.rule.description}. Command blocked for security.`,\n            });\n          } catch (error) {\n            logToFile('[YARA] PreToolUse hook error:', error);\n            // Fail closed: block the command if scanning fails\n            return Promise.resolve({\n              decision: 'block',\n              reason: '[YARA] Scanner error — command blocked as a precaution.',\n            });\n          }\n        },\n      ],\n      timeout: HOOK_TIMEOUT_MS,\n    },\n  ];\n}\n\n// ─── PostToolUse Hooks ───────────────────────────────────────────\n\n/**\n * Create PostToolUse hook matchers for YARA scanning.\n *\n * Three matchers:\n * 1. Write/Edit — scan written content for PII, secrets, config violations\n * 2. Read/Grep — scan read content for prompt injection\n * 3. Bash (skill install) — scan downloaded skill files for poisoned content\n */\nexport function createPostToolUseYaraHooks(): HookCallbackMatcher[] {\n  return [\n    // ── Write/Edit content scanning ──\n    {\n      hooks: [\n        (input: HookInput): Promise<HookOutput> => {\n          try {\n            const toolName = input.tool_name as string;\n            if (toolName !== 'Write' && toolName !== 'Edit')\n              return Promise.resolve({});\n\n            const toolInput = input.tool_input as Record<string, unknown>;\n            // For Write, scan the content being written\n            // For Edit, scan the new_str (replacement text)\n            const content =\n              toolName === 'Write'\n                ? (toolInput?.content as string) ?? ''\n                : (toolInput?.new_str as string) ?? '';\n\n            if (!content) return Promise.resolve({});\n\n            recordScan();\n            const tool = toolName;\n            const result = scan(content, 'PostToolUse', tool);\n            if (!result.matched) return Promise.resolve({});\n\n            const match = highestSeverityMatch(result.matches);\n            logYaraMatch('PostToolUse', tool, match, 'reverted');\n            recordViolation({\n              rule: match.rule.name,\n              severity: match.rule.severity,\n              action: 'reverted',\n              phase: 'PostToolUse',\n              tool,\n            });\n\n            return Promise.resolve({\n              hookSpecificOutput: {\n                hookEventName: 'PostToolUse',\n                additionalContext:\n                  `[YARA VIOLATION] ${match.rule.name}: ${match.rule.description}. ` +\n                  `You MUST revert this change immediately. The content you just wrote violates security policy.`,\n              },\n            });\n          } catch (error) {\n            logToFile('[YARA] PostToolUse Write/Edit hook error:', error);\n            // Fail closed: instruct the agent to revert if scanning fails\n            return Promise.resolve({\n              hookSpecificOutput: {\n                hookEventName: 'PostToolUse',\n                additionalContext:\n                  '[YARA] Scanner error — you MUST revert this change as a precaution.',\n              },\n            });\n          }\n        },\n      ],\n      timeout: HOOK_TIMEOUT_MS,\n    },\n\n    // ── Read/Grep prompt injection scanning ──\n    {\n      hooks: [\n        (input: HookInput): Promise<HookOutput> => {\n          try {\n            const toolName = input.tool_name as string;\n            if (toolName !== 'Read' && toolName !== 'Grep')\n              return Promise.resolve({});\n\n            const toolResponse = input.tool_response;\n            const content =\n              typeof toolResponse === 'string'\n                ? toolResponse\n                : JSON.stringify(toolResponse ?? '');\n\n            if (!content) return Promise.resolve({});\n\n            recordScan();\n            const tool = toolName;\n            const result = scan(content, 'PostToolUse', tool);\n            if (!result.matched) return Promise.resolve({});\n\n            const match = highestSeverityMatch(result.matches);\n\n            if (match.rule.severity === 'critical') {\n              logYaraMatch('PostToolUse', tool, match, 'aborted');\n              recordViolation({\n                rule: match.rule.name,\n                severity: match.rule.severity,\n                action: 'aborted',\n                phase: 'PostToolUse',\n                tool,\n              });\n              // Prompt injection: abort the session — context is poisoned\n              return Promise.resolve({\n                stopReason:\n                  `[YARA CRITICAL] ${match.rule.name}: Prompt injection detected in file content. ` +\n                  `Agent context is potentially poisoned. Session terminated for safety.`,\n              });\n            }\n\n            logYaraMatch('PostToolUse', tool, match, 'warned');\n            recordViolation({\n              rule: match.rule.name,\n              severity: match.rule.severity,\n              action: 'warned',\n              phase: 'PostToolUse',\n              tool,\n            });\n            return Promise.resolve({\n              hookSpecificOutput: {\n                hookEventName: 'PostToolUse',\n                additionalContext: `[YARA WARNING] ${match.rule.name}: ${match.rule.description}`,\n              },\n            });\n          } catch (error) {\n            logToFile('[YARA] PostToolUse Read/Grep hook error:', error);\n            // Fail closed: terminate session if scanning fails on read content\n            return Promise.resolve({\n              stopReason:\n                '[YARA] Scanner error while scanning read content — session terminated as a precaution.',\n            });\n          }\n        },\n      ],\n      timeout: HOOK_TIMEOUT_MS,\n    },\n\n    // ── Context-mill skill install scanning ──\n    {\n      hooks: [\n        async (input: HookInput): Promise<HookOutput> => {\n          try {\n            const toolName = input.tool_name as string;\n            if (toolName !== 'Bash') return {};\n\n            const toolInput = input.tool_input as Record<string, unknown>;\n            const command =\n              typeof toolInput?.command === 'string' ? toolInput.command : '';\n\n            // Only scan after skill install commands\n            if (!isSkillInstallCommand(command)) return {};\n\n            // Extract skill directory from command\n            const dirMatch = command.match(\n              /mkdir -p (.claude\\/skills\\/[^\\s&]+)/,\n            );\n            if (!dirMatch) return {};\n\n            const skillDir = dirMatch[1];\n            const cwd = (input.cwd as string) ?? process.cwd();\n            recordScan();\n            const result = await scanSkillFiles(cwd, skillDir);\n\n            if (!result.matched) return {};\n\n            const match = highestSeverityMatch(result.matches);\n            logYaraMatch(\n              'PostToolUse',\n              'Bash (skill install)',\n              match,\n              'aborted',\n            );\n            recordViolation({\n              rule: match.rule.name,\n              severity: match.rule.severity,\n              action: 'aborted',\n              phase: 'PostToolUse',\n              tool: 'Bash (skill)',\n            });\n\n            return {\n              stopReason:\n                `[YARA CRITICAL] Poisoned skill detected in ${skillDir}: ${match.rule.name}. ` +\n                `The downloaded skill contains potential prompt injection. Session terminated for safety.`,\n            };\n          } catch (error) {\n            logToFile('[YARA] PostToolUse skill install hook error:', error);\n            // Fail closed: terminate if skill scanning fails\n            return {\n              stopReason:\n                '[YARA] Scanner error while scanning skill files — session terminated as a precaution.',\n            };\n          }\n        },\n      ],\n      timeout: SKILL_SCAN_HOOK_TIMEOUT_MS,\n    },\n  ];\n}\n\n// ─── Skill File Scanner ──────────────────────────────────────────\n\n/**\n * Read and scan all text files in a skill directory for prompt injection.\n */\nasync function scanSkillFiles(\n  cwd: string,\n  skillDir: string,\n): Promise<ScanResult> {\n  const absoluteDir = path.resolve(cwd, skillDir);\n\n  if (!fs.existsSync(absoluteDir)) {\n    logToFile(`[YARA] Skill directory does not exist: ${absoluteDir}`);\n    return { matched: false };\n  }\n\n  const files = await fg('**/*.{md,txt,yaml,yml,json,js,ts,py,rb,sh}', {\n    cwd: absoluteDir,\n    absolute: true,\n  });\n\n  const fileContents: Array<{ path: string; content: string }> = [];\n  for (const filePath of files) {\n    try {\n      const content = fs.readFileSync(filePath, 'utf-8');\n      fileContents.push({ path: filePath, content });\n    } catch (err) {\n      logToFile(`[YARA] Could not read skill file ${filePath}:`, err);\n    }\n  }\n\n  if (fileContents.length === 0) {\n    logToFile(`[YARA] No text files found in skill directory: ${absoluteDir}`);\n    return { matched: false };\n  }\n\n  logToFile(\n    `[YARA] Scanning ${fileContents.length} files in skill directory: ${skillDir}`,\n  );\n  return scanSkillDirectory(fileContents);\n}\n"]}

package/dist/src/lib/yara-scanner.d.ts

@@ -0,0 +1,61 @@
+/**
+ * YARA content scanner for the PostHog wizard.
+ *
+ * This file is the single source of truth for all wizard YARA rules.
+ *
+ * Scans tool inputs (pre-execution) and outputs (post-execution) for
+ * security violations including PII leakage, hardcoded secrets,
+ * prompt injection, and secret exfiltration.
+ *
+ * We use YARA-style regex rules rather than the real YARA C library to
+ * avoid native binary dependencies in an npx-distributed npm package.
+ *
+ * This is Layer 2 (L2) in the wizard's defense-in-depth model,
+ * complementing the prompt-based commandments (L0) and the
+ * canUseTool() allowlist (L1).
+ */
+export type YaraSeverity = 'critical' | 'high' | 'medium' | 'low';
+export type YaraCategory = 'posthog_pii' | 'posthog_hardcoded_key' | 'posthog_autocapture' | 'posthog_config' | 'prompt_injection' | 'exfiltration' | 'filesystem_safety' | 'supply_chain';
+export type HookPhase = 'PreToolUse' | 'PostToolUse';
+export type ToolTarget = 'Bash' | 'Write' | 'Edit' | 'Read' | 'Grep';
+export interface YaraRule {
+    /** Rule name matching the .yar file (e.g. 'pii_in_capture_call') */
+    name: string;
+    description: string;
+    severity: YaraSeverity;
+    category: YaraCategory;
+    /** Which hook+tool combinations this rule applies to */
+    appliesTo: Array<{
+        phase: HookPhase;
+        tool: ToolTarget;
+    }>;
+    /** Compiled regex patterns — any match triggers the rule */
+    patterns: RegExp[];
+}
+export interface YaraMatch {
+    rule: YaraRule;
+    /** The matched substring */
+    matchedText: string;
+    /** Byte offset in the scanned content */
+    offset: number;
+}
+export type ScanResult = {
+    matched: false;
+} | {
+    matched: true;
+    matches: YaraMatch[];
+};
+export declare const RULES: YaraRule[];
+/**
+ * Scan content against rules applicable to a given hook phase and tool.
+ * Returns all matching rules (one match per rule, first pattern wins).
+ */
+export declare function scan(content: string, phase: HookPhase, tool: ToolTarget): ScanResult;
+/**
+ * Scan all files in a skill directory for prompt injection.
+ * Used for context-mill scanning after skill installation.
+ */
+export declare function scanSkillDirectory(files: Array<{
+    path: string;
+    content: string;
+}>): ScanResult;