@pugi/cli 0.1.0-beta.54 → 0.1.0-beta.56

package/dist/core/audit/audit-trail.js

@@ -43,6 +43,7 @@ import { appendFileSync, mkdirSync } from 'node:fs';
 import { createHash } from 'node:crypto';
 import { homedir } from 'node:os';
 import { basename, dirname, join, resolve } from 'node:path';
+import { collectStrings, scanForInjection, summarizeFindings, } from '../security/injection-scanner.js';
 /**
  * Opt-out env var. Mirrors the convention every other Pugi feature uses
  * (`PUGI_BARE`, `PUGI_AGENTMEMORY_RECALL_ENABLED=false`, etc.).
@@ -183,6 +184,32 @@ export function writeAuditEvent(input) {
             encoding: 'utf8',
             mode: 0o600,
         });
+        // Injection scan (ported KeiSeiKit `injection_patterns.rs`,
+        // Apache-2.0). Wrap the OUTBOUND `data` payload through the
+        // scanner. Findings emit a SECOND audit line of type
+        // `injection_detected` so an operator (or SOC pipeline) sees a
+        // structured, append-only record without losing the original
+        // event. Never blocks the write — hard-block requires a separate
+        // CEO-signed PR.
+        //
+        // Recursion guard: the `injection_detected` event itself carries
+        // matched substrings (intentional — they are the evidence). We
+        // skip scanning it to avoid an infinite loop of self-detections.
+        if (input.event !== 'injection_detected') {
+            const findings = scanAuditPayload(input.data);
+            if (findings.length > 0) {
+                emitInjectionDetected({
+                    findings,
+                    triggeringEvent: input.event,
+                    sessionId: input.sessionId,
+                    workspaceRoot: input.workspaceRoot,
+                    tenant: input.tenant,
+                    env: input.env,
+                    home: input.home,
+                    now: input.now,
+                });
+            }
+        }
     }
     catch {
         // Audit failures must NEVER break a dispatch. The session log + the
@@ -191,4 +218,58 @@ export function writeAuditEvent(input) {
         // via the doctor probe; for now silent no-op is the contract.
     }
 }
+/**
+ * Fold the audit `data` payload into a single string and scan it for
+ * prompt-injection / invisible-unicode / secret markers. Returns the
+ * empty array on clean payloads.
+ *
+ * Exported for the spec — the scanner module owns the algorithm, this
+ * helper owns the payload-walking glue.
+ */
+export function scanAuditPayload(data) {
+    // Fold every string anywhere in the payload (keys included) into a
+    // single buffer separated by NULs. NUL keeps regex anchors honest
+    // (no accidental cross-field match for a `^system:` pattern) without
+    // adding bytes that themselves could become a pattern.
+    const fragments = collectStrings(data);
+    if (fragments.length === 0)
+        return [];
+    const joined = fragments.join('\0');
+    return scanForInjection(joined);
+}
+/**
+ * Build the `injection_detected` envelope payload and recurse into
+ * `writeAuditEvent` to append it. The recursion is bounded — the
+ * recursion guard in `writeAuditEvent` short-circuits on the
+ * `injection_detected` event so we never re-scan ourselves.
+ */
+function emitInjectionDetected(input) {
+    const summary = summarizeFindings(input.findings);
+    // Cap the findings array in the audit line so a payload with
+    // hundreds of invisible-unicode hits does not bloat the JSONL row.
+    // The summary still carries `total` so operators see the real count.
+    const MAX_FINDINGS_PER_EVENT = 32;
+    const truncated = input.findings.length > MAX_FINDINGS_PER_EVENT;
+    const capped = truncated
+        ? input.findings.slice(0, MAX_FINDINGS_PER_EVENT)
+        : [...input.findings];
+    writeAuditEvent({
+        event: 'injection_detected',
+        sessionId: input.sessionId,
+        workspaceRoot: input.workspaceRoot,
+        tenant: input.tenant,
+        env: input.env,
+        home: input.home,
+        now: input.now,
+        data: {
+            triggeringEvent: input.triggeringEvent,
+            summary,
+            findings: capped,
+            truncated,
+            // KeiSeiKit attribution is recorded inline so a SOC pipeline
+            // grepping for the upstream project name lands here.
+            detector: 'keiseikit-injection-patterns',
+        },
+    });
+}
 //# sourceMappingURL=audit-trail.js.map

package/dist/core/security/injection-scanner.js

@@ -0,0 +1,367 @@
+/**
+ * Prompt-injection scanner — TypeScript port of KeiSeiKit's
+ * `injection_patterns.rs` (Apache-2.0, KeiSeiLab).
+ *
+ * Upstream source:
+ *   `_primitives/_rust/kei-memory/src/injection_patterns.rs`
+ *   from https://github.com/Pugi-dev/KeiSeiKit (private mirror).
+ *
+ * Scope of the port:
+ *   - Pattern TABLES are ported verbatim (regex + invisible-codepoint
+ *     set + ChatML tags + role-prefix patterns). The substring/secret
+ *     rows (curl-with-bearer, aws_secret keyword, api_key URL, openssh
+ *     PEM markers, long-base64 blob heuristic) are KEPT in this port —
+ *     they harden writes through memory/audit paths against accidental
+ *     credential pasting.
+ *   - Detection logic is rewritten in TypeScript. The Rust upstream
+ *     uses `regex::Regex` + a separate `injection_guard.rs` that owns
+ *     the "should I block?" decision. Pugi's port collapses both
+ *     responsibilities into a single function (`scanForInjection`)
+ *     because the caller surfaces (audit-trail, file-tools) only need
+ *     the findings list — they do not block writes today (CEO sign-off
+ *     gate, separate PR).
+ *
+ * Severity model:
+ *   The upstream `Block` / `Warn` enum is mirrored as a Pugi field on
+ *   each finding so a future PR can wire hard-block behavior without
+ *   re-shaping the call sites.
+ *
+ * What this is NOT:
+ *   - An LLM-output safety filter. This scans CONTENT BOUND FOR DISK
+ *     (audit payloads + file writes / edits) for accidental or
+ *     adversarial prompt-injection markers.
+ *   - A secrets scanner. Real secrets detection lives in
+ *     `scripts/secret-scanner.mjs` (release gate). The few credential
+ *     heuristics here exist because the upstream Rust treats memory
+ *     persistence as a credential-exfil surface too.
+ *
+ * See `licenses/keiseikit-LICENSE-NOTICE.md` for Apache-2.0 attribution.
+ */
+/**
+ * Maximum captured-match length recorded in a finding. Bounds the
+ * worst-case row size in the audit JSONL stream. Set to 128 because
+ * the longest legitimate pattern match (`long_base64_line`) would be
+ * 1024+ bytes — the operator can re-scan the source content for the
+ * full blob if they need it; we only need enough context to triage.
+ */
+export const MAX_MATCH_CAPTURE = 128;
+function clampMatch(matched) {
+    if (matched.length <= MAX_MATCH_CAPTURE)
+        return matched;
+    return `${matched.slice(0, MAX_MATCH_CAPTURE)}…`;
+}
+/**
+ * Invisible / bidi / zero-width unicode codepoints ported verbatim
+ * from `INVISIBLE_CHARS` in the upstream Rust. Each one is a known
+ * vehicle for hiding prompt-override text from a casual reader.
+ */
+export const INVISIBLE_CHARS = [
+    '​', // ZERO WIDTH SPACE
+    '‌', // ZERO WIDTH NON-JOINER
+    '‍', // ZERO WIDTH JOINER
+    '‎', // LEFT-TO-RIGHT MARK
+    '‏', // RIGHT-TO-LEFT MARK
+    '‪', // LEFT-TO-RIGHT EMBEDDING
+    '‫', // RIGHT-TO-LEFT EMBEDDING
+    '‬', // POP DIRECTIONAL FORMATTING
+    '‭', // LEFT-TO-RIGHT OVERRIDE
+    '‮', // RIGHT-TO-LEFT OVERRIDE
+    '⁠', // WORD JOINER
+    '', // BYTE ORDER MARK / ZERO WIDTH NO-BREAK SPACE
+];
+/**
+ * Pre-built Set for O(1) codepoint membership tests. The scanner walks
+ * the input once and probes this set per character — cheaper than a
+ * regex with 12 alternation branches.
+ */
+const INVISIBLE_CHAR_SET = new Set(INVISIBLE_CHARS);
+/**
+ * Threshold above which a single base64-looking line is flagged.
+ * Matches the upstream `BASE64_BLOB_BYTES` constant so the heuristic
+ * stays aligned with the Rust spec. The regex below hardcodes the
+ * same value for compile-time clarity.
+ */
+export const BASE64_BLOB_BYTES = 1024;
+/**
+ * PEM begin marker built at runtime so the literal dashes do not
+ * trigger over-eager secret-scanners in this very source file (same
+ * concern as the upstream `pem_dashes()` helper).
+ */
+function pemMarker(label) {
+    const d = '-'.repeat(5);
+    return `${d}BEGIN ${label}${d}`;
+}
+/**
+ * Escape regex metachars in a literal string. We avoid pulling a
+ * dependency just for this — the set of metachars is small and
+ * well-known.
+ */
+function escapeRegex(literal) {
+    return literal.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+/**
+ * Prompt-override patterns. Ported verbatim from
+ * `prompt_override_patterns()` in the upstream Rust. The regex
+ * strings are the same modulo Rust's `(?im)` inline flags being
+ * expressed as `i` + `m` on the TS `RegExp`.
+ */
+const PROMPT_OVERRIDE_PATTERNS = [
+    {
+        id: 'prompt_override_ignore_previous',
+        kind: 'override-prompt',
+        re: /ignore\s+previous\s+instructions/gi,
+        severity: 'block',
+        source: 'promptguard:override',
+    },
+    {
+        id: 'prompt_override_you_are_now',
+        kind: 'override-prompt',
+        re: /you\s+are\s+now\b/gi,
+        severity: 'block',
+        source: 'promptguard:roleplay',
+    },
+    {
+        id: 'prompt_override_disregard',
+        kind: 'override-prompt',
+        re: /disregard\s+(all|prior|above)/gi,
+        severity: 'block',
+        source: 'promptguard:override',
+    },
+    {
+        id: 'system_role_prefix',
+        kind: 'override-prompt',
+        re: /^\s*system\s*:/gim,
+        severity: 'block',
+        source: 'promptguard:role-prefix',
+    },
+    {
+        id: 'chatml_im_start',
+        kind: 'tag-injection',
+        re: /<\|im_start\|>/g,
+        severity: 'block',
+        source: 'chatml:tag',
+    },
+    {
+        id: 'chatml_endoftext',
+        kind: 'tag-injection',
+        re: /<\|endoftext\|>/g,
+        severity: 'block',
+        source: 'chatml:tag',
+    },
+];
+/**
+ * Secret-shaped patterns. Ported from `secret_patterns()`. The PEM
+ * markers are built at runtime so they do not show up verbatim in
+ * this file's bytes (anti-self-trigger).
+ */
+function buildSecretPatterns() {
+    const openssh = escapeRegex(pemMarker('OPENSSH PRIVATE KEY'));
+    const rsa = escapeRegex(pemMarker('RSA PRIVATE KEY'));
+    return [
+        {
+            id: 'ssh_openssh_private',
+            kind: 'secret-marker',
+            re: new RegExp(openssh, 'g'),
+            severity: 'block',
+            source: 'secret:openssh',
+        },
+        {
+            id: 'ssh_rsa_private',
+            kind: 'secret-marker',
+            re: new RegExp(rsa, 'g'),
+            severity: 'block',
+            source: 'secret:rsa',
+        },
+        {
+            // Upstream P2.1.b audit upgraded this to Block tier — long
+            // base64 blobs on a memory-write path are a direct exfil
+            // surface for attestation / key blobs pasted into transcripts.
+            id: 'long_base64_line',
+            kind: 'secret-marker',
+            re: new RegExp(`^[A-Za-z0-9+/=]{${BASE64_BLOB_BYTES},}$`, 'gm'),
+            severity: 'block',
+            source: 'heuristic:base64-blob',
+        },
+    ];
+}
+/**
+ * Substring/heuristic patterns. Ported from `build_substring_table()`.
+ * Each row demands ALL needles be present in the LOWERCASED copy of
+ * the input (AND semantics) — keeps false-positives low.
+ */
+const SUBSTRING_PATTERNS = [
+    {
+        id: 'curl_with_bearer',
+        kind: 'secret-marker',
+        needles: ['bearer ', '://'],
+        severity: 'block',
+        source: 'exfil:curl-bearer',
+    },
+    {
+        id: 'aws_secret_keyword',
+        kind: 'secret-marker',
+        needles: ['aws_secret'],
+        severity: 'block',
+        source: 'secret:aws',
+    },
+    {
+        id: 'api_key_url',
+        kind: 'secret-marker',
+        needles: ['api_key=', '://'],
+        severity: 'block',
+        source: 'exfil:api-key-url',
+    },
+];
+let REGEX_TABLE = null;
+function regexPatterns() {
+    if (REGEX_TABLE === null) {
+        REGEX_TABLE = [...PROMPT_OVERRIDE_PATTERNS, ...buildSecretPatterns()];
+    }
+    return REGEX_TABLE;
+}
+/**
+ * Maximum input size we scan. Above this we sample the first
+ * MAX_SCAN_BYTES bytes and tag the result as `truncated: true`. This
+ * keeps a 10 MB log payload from stalling the audit append path.
+ *
+ * The threshold is deliberately generous (256 KB) — the typical audit
+ * `data` payload is a few hundred bytes (a single `tool_call` envelope)
+ * and a file write of an HTML page is well under the cap. The cutoff
+ * exists only for pathological cases.
+ */
+export const MAX_SCAN_BYTES = 256 * 1024;
+/**
+ * Scan a string for prompt-injection / invisible-unicode / secret
+ * markers. Returns the empty array when clean. Never throws —
+ * malformed input (e.g. lone surrogates) falls through to the regex
+ * engine and produces zero or more findings, never an exception.
+ *
+ * Pure function. Safe to call from a hot path (audit-trail append,
+ * file-tools writeTool) without worrying about side effects.
+ */
+export function scanForInjection(text) {
+    if (typeof text !== 'string' || text.length === 0)
+        return [];
+    const findings = [];
+    const scanText = text.length > MAX_SCAN_BYTES ? text.slice(0, MAX_SCAN_BYTES) : text;
+    // 1. Invisible unicode scan: O(n) single pass with a Set lookup.
+    //    We collect per-codepoint hits rather than collapsing them so
+    //    the operator can see how many bidi marks are present (high
+    //    counts strongly suggest adversarial intent).
+    for (let i = 0; i < scanText.length; i += 1) {
+        const ch = scanText[i];
+        if (ch === undefined)
+            continue;
+        if (INVISIBLE_CHAR_SET.has(ch)) {
+            const code = ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0');
+            findings.push({
+                kind: 'invisible-unicode',
+                id: `invisible_unicode_U+${code}`,
+                severity: 'warn',
+                matched: ch,
+                offset: i,
+                source: `unicode:invisible:U+${code}`,
+            });
+        }
+    }
+    // 2. Regex table scan. Each pattern uses the `g` flag so we walk
+    //    every occurrence — a single text can carry multiple ChatML
+    //    tags or override phrases and the operator needs to see all of
+    //    them, not just the first.
+    for (const pattern of regexPatterns()) {
+        // Re-set lastIndex defensively in case a prior call left the
+        // regex's stateful cursor mid-string.
+        pattern.re.lastIndex = 0;
+        let match;
+        while ((match = pattern.re.exec(scanText)) !== null) {
+            findings.push({
+                kind: pattern.kind,
+                id: pattern.id,
+                severity: pattern.severity,
+                matched: clampMatch(match[0]),
+                offset: match.index,
+                source: pattern.source,
+            });
+            // Guard against zero-width matches infinite-looping (e.g. a
+            // regex that matches the empty string would never advance).
+            if (match.index === pattern.re.lastIndex) {
+                pattern.re.lastIndex += 1;
+            }
+        }
+    }
+    // 3. Substring/heuristic scan. AND semantics: every needle must
+    //    appear in the lowercased copy. We record the FIRST needle's
+    //    offset because that is the most actionable index for the
+    //    operator (the others may be hundreds of bytes away).
+    const lower = scanText.toLowerCase();
+    for (const pattern of SUBSTRING_PATTERNS) {
+        const offsets = pattern.needles.map((n) => lower.indexOf(n));
+        if (offsets.every((o) => o >= 0)) {
+            const firstOffset = Math.min(...offsets);
+            // Reconstruct a useful matched snippet — the needles can be
+            // far apart so we cap at the first needle plus a window.
+            const snippetEnd = Math.min(firstOffset + MAX_MATCH_CAPTURE, scanText.length);
+            findings.push({
+                kind: pattern.kind,
+                id: pattern.id,
+                severity: pattern.severity,
+                matched: clampMatch(scanText.slice(firstOffset, snippetEnd)),
+                offset: firstOffset,
+                source: pattern.source,
+            });
+        }
+    }
+    return findings;
+}
+export function summarizeFindings(findings) {
+    let score = 0;
+    const kindSet = new Set();
+    for (const f of findings) {
+        if (f.severity === 'block')
+            score += 1;
+        kindSet.add(f.kind);
+    }
+    return {
+        score,
+        total: findings.length,
+        kinds: Array.from(kindSet).sort(),
+    };
+}
+/**
+ * Recursively walk a JSON-shaped value and concatenate every string
+ * found. Used by audit-trail to fold the entire `data` payload into a
+ * single scannable surface — a tool_result with a deeply nested error
+ * object could otherwise hide an override prompt one level deep.
+ *
+ * Cycles are broken by a WeakSet — a payload that round-trips through
+ * a session struct is safe to scan even when it has back-references.
+ */
+export function collectStrings(value, seen = new WeakSet()) {
+    if (value === null || value === undefined)
+        return [];
+    if (typeof value === 'string')
+        return [value];
+    if (typeof value === 'number' || typeof value === 'boolean' || typeof value === 'bigint') {
+        return [];
+    }
+    if (typeof value !== 'object')
+        return [];
+    if (seen.has(value))
+        return [];
+    seen.add(value);
+    const out = [];
+    if (Array.isArray(value)) {
+        for (const item of value) {
+            out.push(...collectStrings(item, seen));
+        }
+        return out;
+    }
+    for (const key of Object.keys(value)) {
+        // Scan the KEY too — a deliberately-crafted payload could hide
+        // an override phrase as an object key.
+        out.push(key);
+        out.push(...collectStrings(value[key], seen));
+    }
+    return out;
+}
+//# sourceMappingURL=injection-scanner.js.map

package/dist/runtime/version.js

@@ -44,7 +44,7 @@ export function sanitizeSemver(raw) {
  * during import). When bumping the CLI version BOTH literals must be
  * updated; the release smoke-test (`pack:smoke`) verifies they agree.
  */
-export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.54');
+export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.56');
 /**
  * Outbound: the CLI's installed semver. Read at request time by
  * `version-interceptor.ts` and injected on every `fetch` call.

package/dist/tools/file-tools.js

@@ -33,6 +33,7 @@ import { globSync } from 'node:fs';
 import { decidePermission } from '../core/permission.js';
 import { StaleReadError, createReadRecord, hashContent, } from '../core/file-cache.js';
 import { resolveWorkspacePath } from '../core/path-security.js';
+import { scanForInjection, summarizeFindings } from '../core/security/injection-scanner.js';
 import { recordFileMutation, recordToolCall, recordToolResult } from '../core/session.js';
 /**
  * α6.9 WriteGate marker — thrown by `gateOnCancellation` when the
@@ -184,6 +185,14 @@ export function writeTool(ctx, path, content) {
     const tmp = `${resolved}.pugi-tmp-${Date.now()}`;
     writeFileSync(tmp, content, { encoding: 'utf8', mode: 0o600 });
     renameSync(tmp, resolved);
+    // Injection scan (ported KeiSeiKit `injection_patterns.rs`,
+    // Apache-2.0). Scan the BODY (never the path — path security is
+    // owned by `path-security.ts`). Findings are SURFACED as an extra
+    // line on the session tool-result, never block the write. Hard-
+    // block requires a separate CEO-signed PR. Failure here must NOT
+    // throw: a buggy scanner cannot rugpull the write that already
+    // landed on disk above.
+    surfaceInjectionWarning(ctx, toolCallId, 'write', path, content);
     // Refresh the cache with the post-write content so the model can
     // chain a follow-up read+edit on the same file without an extra
     // round-trip. Same pattern editTool uses below.
@@ -197,6 +206,36 @@ export function writeTool(ctx, path, content) {
     });
     recordToolResult(ctx.session, toolCallId, 'success', `${existed ? 'Updated' : 'Created'} ${path}`);
 }
+/**
+ * Surface an injection-scan warning on a file write/edit BODY. The
+ * scan never blocks — it folds findings into the session as a
+ * `tool_result` with status `warn` so an operator (or SOC pipeline
+ * tailing `<workspace>/.pugi/events.jsonl`) sees the signal without a
+ * mid-dispatch rollback.
+ *
+ * Wrapped in try/catch so a malformed scanner never crashes the tool
+ * loop — the write itself has already landed on disk by the time we
+ * call this.
+ */
+function surfaceInjectionWarning(ctx, triggeringToolCallId, tool, path, body) {
+    try {
+        const findings = scanForInjection(body);
+        if (findings.length === 0)
+            return;
+        const summary = summarizeFindings(findings);
+        const warnCallId = recordToolCall(ctx.session, 'injection_warning', path);
+        const message = `injection_warning: ${tool} ${path} — ${summary.total} pattern(s) ` +
+            `(score=${summary.score}, kinds=${summary.kinds.join('|')}). ` +
+            `Triggering call: ${triggeringToolCallId}. ` +
+            `Detector: keiseikit-injection-patterns. Write was NOT blocked.`;
+        recordToolResult(ctx.session, warnCallId, 'success', message);
+    }
+    catch {
+        // Scanner failure must NEVER throw — the write has already
+        // landed and the tool loop has to continue. Silent no-op
+        // mirrors the audit-trail contract.
+    }
+}
 export function editTool(ctx, path, oldString, newString) {
     const toolCallId = recordToolCall(ctx.session, 'edit', path);
     // α6.9 WriteGate: refuse the edit when the operator has cancelled
@@ -252,6 +291,13 @@ export function editTool(ctx, path, oldString, newString) {
     const tmp = `${resolved}.pugi-tmp-${Date.now()}`;
     writeFileSync(tmp, after, { encoding: 'utf8', mode: 0o600 });
     renameSync(tmp, resolved);
+    // Injection scan (ported KeiSeiKit `injection_patterns.rs`,
+    // Apache-2.0). We scan the NEW SUBSTRING the model is inserting,
+    // not the full post-edit file — the rest of the file is operator-
+    // owned content that pre-dates this dispatch. False-positive on
+    // legitimate prose that mentions banned phrases is the worst
+    // outcome and the warn-only contract bounds the cost.
+    surfaceInjectionWarning(ctx, toolCallId, 'edit', path, newString);
     ctx.readCache.set(createReadRecord(ctx.root, path, after, 'read_tool'));
     recordFileMutation(ctx.session, {
         toolCallId,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pugi/cli",
-  "version": "0.1.0-beta.54",
+  "version": "0.1.0-beta.56",
   "description": "Pugi CLI - terminal-native software execution system",
   "homepage": "https://pugi.io",
   "repository": {
@@ -55,7 +55,7 @@
     "undici": "^8.3.0",
     "zod": "^3.23.0",
     "@pugi/personas": "0.1.2",
-    "@pugi/sdk": "0.1.0-beta.54"
+    "@pugi/sdk": "0.1.0-beta.56"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",