ai-sentinel 0.1.6

package/dist/scanner/patterns.js

@@ -0,0 +1,313 @@
+export const THREAT_PATTERNS = [
+    // --- Direct Prompt Injection ---
+    {
+        id: "PI-001",
+        regex: /ignore\s+(all\s+)?(previous|prior|above|earlier|preceding)\s+(instructions?|prompts?|rules?|directives?)/i,
+        category: "prompt_injection",
+        confidence: 0.95,
+        description: "Classic 'ignore previous instructions' pattern",
+    },
+    {
+        id: "PI-002",
+        regex: /disregard\s+(all\s+)?(previous|prior|above|your)\s+(instructions?|programming|guidelines?|rules?)/i,
+        category: "prompt_injection",
+        confidence: 0.95,
+        description: "Disregard instructions variant",
+    },
+    {
+        id: "PI-003",
+        regex: /you\s+are\s+now\s+(a|an|in)\s+/i,
+        category: "prompt_injection",
+        confidence: 0.6,
+        description: "Identity reassignment attempt (low confidence — common in legit prompts)",
+    },
+    {
+        id: "PI-004",
+        regex: /new\s+instructions?:?\s/i,
+        category: "prompt_injection",
+        confidence: 0.7,
+        description: "Instruction injection via 'new instructions' framing",
+    },
+    {
+        id: "PI-005",
+        regex: /\[system\]|\[INST\]|<\|system\|>|<\|im_start\|>system/i,
+        category: "prompt_injection",
+        confidence: 0.9,
+        description: "Chat template delimiter injection",
+    },
+    {
+        id: "PI-006",
+        regex: /```system\s*\n|<system_prompt>|<\/system_prompt>/i,
+        category: "prompt_injection",
+        confidence: 0.85,
+        description: "System prompt block injection via code fences or XML tags",
+    },
+    // --- Jailbreak ---
+    {
+        id: "JB-001",
+        regex: /DAN\s+(mode|prompt)|do\s+anything\s+now/i,
+        category: "jailbreak",
+        confidence: 0.9,
+        description: "DAN jailbreak pattern",
+    },
+    {
+        id: "JB-002",
+        regex: /developer\s+mode\s+(enabled|activated|on)|maintenance\s+mode/i,
+        category: "jailbreak",
+        confidence: 0.85,
+        description: "Developer/maintenance mode activation",
+    },
+    {
+        id: "JB-003",
+        regex: /act\s+as\s+(if\s+)?(you\s+have\s+)?no\s+(restrictions?|limitations?|filters?|guardrails?)/i,
+        category: "jailbreak",
+        confidence: 0.9,
+        description: "Restriction removal prompt",
+    },
+    {
+        id: "JB-004",
+        regex: /pretend\s+(that\s+)?(you\s+)?(are|have)\s+(no|unrestricted|unlimited)/i,
+        category: "jailbreak",
+        confidence: 0.85,
+        description: "Pretend-no-restrictions pattern",
+    },
+    {
+        id: "JB-005",
+        regex: /hypothetical(ly)?\s*(,\s*)?(if|what\s+if|suppose|imagine)\s+.{0,40}(no\s+rules?|no\s+restrictions?|could\s+do\s+anything)/i,
+        category: "jailbreak",
+        confidence: 0.75,
+        description: "Hypothetical framing to bypass restrictions",
+    },
+    {
+        id: "JB-006",
+        regex: /respond\s+(to\s+every\s+prompt|without).{0,40}(moral|filter|censor|restrict)/i,
+        category: "jailbreak",
+        confidence: 0.85,
+        description: "Respond-without-filter jailbreak pattern",
+    },
+    {
+        id: "JB-007",
+        regex: /you\s+(are|will\s+be|play)\s+(a\s+character\s+named|the\s+role\s+of|now)\s+\w+/i,
+        category: "jailbreak",
+        confidence: 0.7,
+        description: "Character/role-play persona override",
+    },
+    {
+        id: "JB-008",
+        regex: /\[(system|INST)\].*?(no\s+rules?|no\s+restrictions?|unlimited|uncensored)/i,
+        category: "jailbreak",
+        confidence: 0.9,
+        description: "Bracket-based persona override with restriction removal",
+    },
+    {
+        id: "JB-009",
+        regex: /simulate\s+(developer\s+mode|a\s+conversation\s+where\s+you\s+act)/i,
+        category: "jailbreak",
+        confidence: 0.85,
+        description: "Simulate developer mode jailbreak",
+    },
+    {
+        id: "JB-010",
+        regex: /pretend\s+to\s+be\s+(a\s+)?(character\s+(named|called)\s+)?\w+/i,
+        category: "jailbreak",
+        confidence: 0.8,
+        description: "Character pretend jailbreak — 'pretend to be [Name]'",
+    },
+    // --- Instruction Override ---
+    {
+        id: "IO-001",
+        regex: /forget\s+(everything|all|what)\s+(you|about)/i,
+        category: "instruction_override",
+        confidence: 0.8,
+        description: "Memory/context wipe attempt",
+    },
+    {
+        id: "IO-002",
+        regex: /override\s+(your|the|all)\s+(safety|security|system|previous)/i,
+        category: "instruction_override",
+        confidence: 0.9,
+        description: "Explicit override attempt",
+    },
+    {
+        id: "IO-003",
+        regex: /from\s+now\s+on,?\s+you('re|\s+(will|must|should|are\s+going\s+to))\s/i,
+        category: "instruction_override",
+        confidence: 0.7,
+        description: "Persistent instruction injection",
+    },
+    // --- Data Exfiltration ---
+    {
+        id: "DE-001",
+        regex: /repeat\s+(your|the)\s+(system\s+)?(prompt|instructions?|rules?|guidelines?)/i,
+        category: "data_exfiltration",
+        confidence: 0.85,
+        description: "System prompt extraction attempt",
+    },
+    {
+        id: "DE-002",
+        regex: /show\s+me\s+(your|the)\s+(system|hidden|secret|internal)\s+(prompt|message|instructions?)/i,
+        category: "data_exfiltration",
+        confidence: 0.85,
+        description: "System prompt reveal request",
+    },
+    {
+        id: "DE-003",
+        regex: /what\s+(are|were)\s+(your|the)\s+(original|initial|first|system)\s+(instructions?|prompt|rules?)/i,
+        category: "data_exfiltration",
+        confidence: 0.8,
+        description: "Original instructions probing",
+    },
+    {
+        id: "DE-004",
+        regex: /output\s+(all|every|the\s+entire)\s+(conversation|context|history|session)/i,
+        category: "data_exfiltration",
+        confidence: 0.75,
+        description: "Full context dump request",
+    },
+    {
+        id: "DE-005",
+        regex: /repeat\s+(the\s+)?(words|text|everything|content)\s+(above|before)/i,
+        category: "data_exfiltration",
+        confidence: 0.85,
+        description: "Prompt stealing via 'repeat the words above' variant",
+    },
+    {
+        id: "DE-006",
+        regex: /paste\s+(your|the)\s+(system\s+)?(prompt|instructions?|configuration)\s+(here|below)/i,
+        category: "data_exfiltration",
+        confidence: 0.85,
+        description: "Prompt stealing via 'paste your system prompt here'",
+    },
+    {
+        id: "DE-007",
+        regex: /(list|share|tell\s+me)\s+(the\s+)?(top\s+\d+\s+)?(guidelines?|rules?|instructions?)\s+you\s+follow/i,
+        category: "data_exfiltration",
+        confidence: 0.8,
+        description: "Prompt stealing via 'list the guidelines you follow'",
+    },
+    {
+        id: "DE-008",
+        regex: /give\s+me\s+(your|the)\s+.{0,30}(prompt|instructions?|system\s+message)/i,
+        category: "data_exfiltration",
+        confidence: 0.8,
+        description: "Direct prompt request via 'give me your prompt'",
+    },
+    {
+        id: "DE-009",
+        regex: /(put|output|display|write)\s+.{0,30}(prompt|initialization|instructions?)\s+.{0,20}(code\s+(block|fence)|```)/i,
+        category: "data_exfiltration",
+        confidence: 0.85,
+        description: "Prompt extraction via code block formatting request",
+    },
+    {
+        id: "DE-010",
+        regex: /(first|second|third)\s+sentence\s+of\s+your\s+(initial|system)\s+prompt/i,
+        category: "data_exfiltration",
+        confidence: 0.85,
+        description: "SmartGPT-style variable extraction of prompt sentences",
+    },
+    // --- Social Engineering ---
+    {
+        id: "SE-001",
+        regex: /i\s+am\s+(your|the)\s+(developer|creator|admin|owner|operator|master)/i,
+        category: "social_engineering",
+        confidence: 0.8,
+        description: "False authority claim",
+    },
+    {
+        id: "SE-002",
+        regex: /this\s+is\s+(a|an)\s+(authorized|official|approved)\s+(test|audit|security\s+check)/i,
+        category: "social_engineering",
+        confidence: 0.75,
+        description: "Fake authorization context",
+    },
+    {
+        id: "SE-003",
+        regex: /anthropic|openai|peter\s+steinberger|openclaw\s+team/i,
+        category: "social_engineering",
+        confidence: 0.5,
+        description: "Name-dropping authority figures (needs context)",
+    },
+    {
+        id: "SE-004",
+        regex: /i('m|am)\s+(your|the|a)\s+(technical\s+)?(maintainer|debugger)/i,
+        category: "social_engineering",
+        confidence: 0.8,
+        description: "False maintainer/debugger authority claim",
+    },
+    {
+        id: "SE-005",
+        regex: /share\s+(your|the)\s+(configuration|config|settings?)\s+(for\s+)?(security\s+)?(verification|audit|review)/i,
+        category: "social_engineering",
+        confidence: 0.8,
+        description: "Config extraction via fake security audit framing",
+    },
+    // --- Tool Abuse ---
+    {
+        id: "TA-001",
+        regex: /exec\s*\(\s*['"`]|child_process|spawn\s*\(|eval\s*\(/i,
+        category: "tool_abuse",
+        confidence: 0.85,
+        description: "Code execution injection in message content",
+    },
+    {
+        id: "TA-002",
+        regex: /curl\s+.*\|\s*(sh|bash|zsh)|wget\s+.*\|\s*(sh|bash)/i,
+        category: "tool_abuse",
+        confidence: 0.9,
+        description: "Pipe-to-shell command injection",
+    },
+    {
+        id: "TA-003",
+        regex: /rm\s+-rf\s+[\/~]|mkfs|dd\s+if=.*of=\/dev/i,
+        category: "tool_abuse",
+        confidence: 0.95,
+        description: "Destructive system command",
+    },
+    // --- Indirect Injection (tool results / documents) ---
+    {
+        id: "II-001",
+        regex: /IMPORTANT:\s*(ignore|disregard|forget|override)/i,
+        category: "indirect_injection",
+        confidence: 0.9,
+        description: "Embedded instruction in document/tool result",
+    },
+    {
+        id: "II-002",
+        regex: /<!--\s*(system|instruction|prompt|ignore)/i,
+        category: "indirect_injection",
+        confidence: 0.9,
+        description: "HTML comment hidden instruction",
+    },
+    {
+        id: "II-003",
+        regex: /\u200b|\u200c|\u200d|\u2060|\ufeff/,
+        category: "indirect_injection",
+        confidence: 0.6,
+        description: "Zero-width character steganography (may be benign)",
+    },
+    {
+        id: "II-004",
+        regex: /\[hidden\]|\[invisible\]|display:\s*none|visibility:\s*hidden/i,
+        category: "indirect_injection",
+        confidence: 0.7,
+        description: "Hidden content markers",
+    },
+    {
+        id: "II-005",
+        regex: /the\s+(\w+\s+)?(code|table|function)\s+(below\s+)?needs\s+improvement[\s\S]{0,80}(enhance|improve|add\s+more\s+detail)/i,
+        category: "indirect_injection",
+        confidence: 0.7,
+        description: "Code/table wrapper hiding malicious intent",
+    },
+];
+// Patterns with elevated confidence when found in tool results
+// (indirect injection is higher signal in untrusted content)
+export const TOOL_RESULT_BOOST_CATEGORIES = [
+    "indirect_injection",
+    "prompt_injection",
+    "instruction_override",
+    "jailbreak",
+];
+export const TOOL_RESULT_CONFIDENCE_BOOST = 0.15;
+//# sourceMappingURL=patterns.js.map

package/dist/scanner/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../src/scanner/patterns.ts"],"names":[],"mappings":"AAkBA,MAAM,CAAC,MAAM,eAAe,GAAoB;IAC9C,kCAAkC;IAClC;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,2GAA2G;QAClH,QAAQ,EAAE,kBAAkB;QAC5B,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,gDAAgD;KAC9D;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,oGAAoG;QAC3G,QAAQ,EAAE,kBAAkB;QAC5B,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,gCAAgC;KAC9C;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,iCAAiC;QACxC,QAAQ,EAAE,kBAAkB;QAC5B,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,0EAA0E;KACxF;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,0BAA0B;QACjC,QAAQ,EAAE,kBAAkB;QAC5B,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,sDAAsD;KACpE;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,wDAAwD;QAC/D,QAAQ,EAAE,kBAAkB;QAC5B,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,mCAAmC;KACjD;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,mDAAmD;QAC1D,QAAQ,EAAE,kBAAkB;QAC5B,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,2DAA2D;KACzE;IAED,oBAAoB;IACpB;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,0CAA0C;QACjD,QAAQ,EAAE,WAAW;QACrB,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,uBAAuB;KACrC;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,+DAA+D;QACtE,QAAQ,EAAE,WAAW;QACrB,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,uCAAuC;KACrD;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,4FAA4F;QACnG,QAAQ,EAAE,WAAW;QACrB,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,4BAA4B;KAC1C;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,wEAAwE;QAC/E,QAAQ,EAAE,WAAW;QACrB,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,iCAAiC;KAC/C;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,4HAA4H;QACnI,QAAQ,EAAE,WAAW;QACrB,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,6CAA6C;KAC3D;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,+EAA+E;QACtF,QAAQ,EAAE,WAAW;QACrB,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,0CAA0C;KACxD;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,iFAAiF;QACxF,QAAQ,EAAE,WAAW;QACrB,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,sCAAsC;KACpD;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,4EAA4E;QACnF,QAAQ,EAAE,WAAW;QACrB,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,yDAAyD;KACvE;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,qEAAqE;QAC5E,QAAQ,EAAE,WAAW;QACrB,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,mCAAmC;KACjD;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,iEAAiE;QACxE,QAAQ,EAAE,WAAW;QACrB,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,sDAAsD;KACpE;IAED,+BAA+B;IAC/B;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,+CAA+C;QACtD,QAAQ,EAAE,sBAAsB;QAChC,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,6BAA6B;KAC3C;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,gEAAgE;QACvE,QAAQ,EAAE,sBAAsB;QAChC,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,2BAA2B;KACzC;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,wEAAwE;QAC/E,QAAQ,EAAE,sBAAsB;QAChC,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,kCAAkC;KAChD;IAED,4BAA4B;IAC5B;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,8EAA8E;QACrF,QAAQ,EAAE,mBAAmB;QAC7B,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,kCAAkC;KAChD;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,4FAA4F;QACnG,QAAQ,EAAE,mBAAmB;QAC7B,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,8BAA8B;KAC5C;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,mGAAmG;QAC1G,QAAQ,EAAE,mBAAmB;QAC7B,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,+BAA+B;KAC7C;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,6EAA6E;QACpF,QAAQ,EAAE,mBAAmB;QAC7B,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,2BAA2B;KACzC;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,qEAAqE;QAC5E,QAAQ,EAAE,mBAAmB;QAC7B,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,sDAAsD;KACpE;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,uFAAuF;QAC9F,QAAQ,EAAE,mBAAmB;QAC7B,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,qDAAqD;KACnE;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,qGAAqG;QAC5G,QAAQ,EAAE,mBAAmB;QAC7B,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,sDAAsD;KACpE;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,0EAA0E;QACjF,QAAQ,EAAE,mBAAmB;QAC7B,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,iDAAiD;KAC/D;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,gHAAgH;QACvH,QAAQ,EAAE,mBAAmB;QAC7B,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,qDAAqD;KACnE;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,0EAA0E;QACjF,QAAQ,EAAE,mBAAmB;QAC7B,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,wDAAwD;KACtE;IAED,6BAA6B;IAC7B;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,wEAAwE;QAC/E,QAAQ,EAAE,oBAAoB;QAC9B,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,uBAAuB;KACrC;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,sFAAsF;QAC7F,QAAQ,EAAE,oBAAoB;QAC9B,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,4BAA4B;KAC1C;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,uDAAuD;QAC9D,QAAQ,EAAE,oBAAoB;QAC9B,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,iDAAiD;KAC/D;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,iEAAiE;QACxE,QAAQ,EAAE,oBAAoB;QAC9B,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,2CAA2C;KACzD;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,6GAA6G;QACpH,QAAQ,EAAE,oBAAoB;QAC9B,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,mDAAmD;KACjE;IAED,qBAAqB;IACrB;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,uDAAuD;QAC9D,QAAQ,EAAE,YAAY;QACtB,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,6CAA6C;KAC3D;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,sDAAsD;QAC7D,QAAQ,EAAE,YAAY;QACtB,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,iCAAiC;KAC/C;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,2CAA2C;QAClD,QAAQ,EAAE,YAAY;QACtB,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,4BAA4B;KAC1C;IAED,wDAAwD;IACxD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,kDAAkD;QACzD,QAAQ,EAAE,oBAAoB;QAC9B,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,8CAA8C;KAC5D;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,4CAA4C;QACnD,QAAQ,EAAE,oBAAoB;QAC9B,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,iCAAiC;KAC/C;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,oCAAoC;QAC3C,QAAQ,EAAE,oBAAoB;QAC9B,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,oDAAoD;KAClE;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,gEAAgE;QACvE,QAAQ,EAAE,oBAAoB;QAC9B,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,wBAAwB;KACtC;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,yHAAyH;QAChI,QAAQ,EAAE,oBAAoB;QAC9B,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,4CAA4C;KAC1D;CACF,CAAC;AAEF,+DAA+D;AAC/D,6DAA6D;AAC7D,MAAM,CAAC,MAAM,4BAA4B,GAAqB;IAC5D,oBAAoB;IACpB,kBAAkB;IAClB,sBAAsB;IACtB,WAAW;CACZ,CAAC;AAEF,MAAM,CAAC,MAAM,4BAA4B,GAAG,IAAI,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,85 @@
+export type ThreatCategory = "prompt_injection" | "jailbreak" | "instruction_override" | "data_exfiltration" | "social_engineering" | "tool_abuse" | "indirect_injection";
+export type ScanLocation = "message" | "tool_result" | "tool_params" | "system";
+export type ScanAction = "allow" | "warn" | "block";
+export interface AgentOverride {
+    agentId: string;
+    mode?: "monitor" | "enforce";
+    threatThreshold?: number;
+}
+export interface ThreatMatch {
+    patternId: string;
+    category: ThreatCategory;
+    confidence: number;
+    description: string;
+    matchedText: string;
+}
+export interface ScanResult {
+    safe: boolean;
+    action: ScanAction;
+    threats: ThreatMatch[];
+    highestConfidence: number;
+    summary: string;
+    scanTimeMs: number;
+}
+export interface AISentinelConfig {
+    mode: "monitor" | "enforce";
+    logLevel: "debug" | "info" | "warn" | "error";
+    threatThreshold: number;
+    allowlist: string[];
+    apiUrl: string;
+    apiKey: string;
+    reportMode: "telemetry" | "cloud-scan" | "none";
+    reportFilter: "all" | "threats-only";
+    agentId: string;
+    includeRawInput: boolean;
+    flushIntervalMs: number;
+    flushBatchSize: number;
+    excludeAgents: string[];
+    agentOverrides: AgentOverride[];
+}
+export type LogLevel = AISentinelConfig["logLevel"];
+export interface AuditEntry {
+    timestamp: string;
+    eventType: string;
+    sessionKey?: string;
+    channel?: string;
+    senderId?: string;
+    toolName?: string;
+    scanResult?: ScanResult;
+    rawInput?: string;
+}
+export interface PluginLogger {
+    debug(msg: string): void;
+    info(msg: string): void;
+    warn(msg: string): void;
+    error(msg: string): void;
+}
+export interface AgentMessage {
+    role: string;
+    content: string;
+    [key: string]: unknown;
+}
+export interface PluginTool {
+    name: string;
+    description: string;
+    parameters: Record<string, {
+        type: string;
+        description: string;
+        required?: boolean;
+    }>;
+    execute(params: Record<string, unknown>): Promise<string> | string;
+}
+export interface PluginAPI {
+    pluginConfig: Record<string, unknown>;
+    logger: PluginLogger;
+    on(event: string, handler: (event: any, ctx: any) => unknown, options?: {
+        priority?: number;
+    }): void;
+    registerTool(tool: PluginTool): void;
+}
+export interface OpenClawPlugin {
+    id: string;
+    name: string;
+    register(api: PluginAPI): void;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAIA,MAAM,MAAM,cAAc,GACtB,kBAAkB,GAClB,WAAW,GACX,sBAAsB,GACtB,mBAAmB,GACnB,oBAAoB,GACpB,YAAY,GACZ,oBAAoB,CAAC;AAEzB,MAAM,MAAM,YAAY,GAAG,SAAS,GAAG,aAAa,GAAG,aAAa,GAAG,QAAQ,CAAC;AAEhF,MAAM,MAAM,UAAU,GAAG,OAAO,GAAG,MAAM,GAAG,OAAO,CAAC;AAEpD,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,SAAS,GAAG,SAAS,CAAC;IAC7B,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,cAAc,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,OAAO,CAAC;IACd,MAAM,EAAE,UAAU,CAAC;IACnB,OAAO,EAAE,WAAW,EAAE,CAAC;IACvB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,SAAS,GAAG,SAAS,CAAC;IAC5B,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC9C,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,WAAW,GAAG,YAAY,GAAG,MAAM,CAAC;IAChD,YAAY,EAAE,KAAK,GAAG,cAAc,CAAC;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,eAAe,EAAE,OAAO,CAAC;IACzB,eAAe,EAAE,MAAM,CAAC;IACxB,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,cAAc,EAAE,aAAa,EAAE,CAAC;CACjC;AAED,MAAM,MAAM,QAAQ,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;AAEpD,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AASD,MAAM,WAAW,YAAY;IAC3B,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE;QACzB,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,CAAC,EAAE,OAAO,CAAC;KACpB,CAAC,CAAC;IACH,OAAO,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;CACpE;AAED,MAAM,WAAW,SAAS;IACxB,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACtC,MAAM,EAAE,YAAY,CAAC;IACrB,EAAE,CACA,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,KAAK,OAAO,EAC1C,OAAO,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAC9B,IAAI,CAAC;IACR,YAAY,CAAC,IAAI,EAAE,UAAU,GAAG,IAAI,CAAC;CACtC;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,GAAG,EAAE,SAAS,GAAG,IAAI,CAAC;CAChC"}

package/dist/types.js

@@ -0,0 +1,5 @@
+// =============================================================================
+// AI Sentinel — Type Definitions
+// =============================================================================
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,gFAAgF;AAChF,iCAAiC;AACjC,gFAAgF"}

package/openclaw.plugin.json

@@ -0,0 +1,104 @@
+{
+  "id": "ai-sentinel",
+  "name": "AI Sentinel",
+  "version": "0.1.6",
+  "description": "Prompt injection detection and security scanning for OpenClaw agents",
+  "author": "Zetro AI <hello@zetro.ai>",
+  "homepage": "https://github.com/zetro-ai/ai-sentinel",
+  "configSchema": {
+    "type": "object",
+    "properties": {
+      "mode": {
+        "type": "string",
+        "enum": ["monitor", "enforce"],
+        "default": "monitor",
+        "description": "Detection mode: monitor (log only) or enforce (block threats)"
+      },
+      "logLevel": {
+        "type": "string",
+        "enum": ["debug", "info", "warn", "error"],
+        "default": "info",
+        "description": "Logging verbosity"
+      },
+      "threatThreshold": {
+        "type": "number",
+        "minimum": 0,
+        "maximum": 1,
+        "default": 0.7,
+        "description": "Confidence threshold for blocking (enforce mode)"
+      },
+      "allowlist": {
+        "type": "array",
+        "items": { "type": "string" },
+        "default": [],
+        "description": "Session keys to skip scanning"
+      },
+      "apiUrl": {
+        "type": "string",
+        "default": "https://api.zetro.ai",
+        "description": "AI Sentinel API base URL. Only used when reportMode is not 'none' and apiKey is set."
+      },
+      "apiKey": {
+        "type": "string",
+        "default": "",
+        "description": "API key for AI Sentinel Pro. Also reads AI_SENTINEL_API_KEY env var."
+      },
+      "reportMode": {
+        "type": "string",
+        "enum": ["none", "telemetry", "cloud-scan"],
+        "default": "none",
+        "description": "Reporting mode: none (local only, default), telemetry (send scan results to API), or cloud-scan (send raw text for full rule engine). Requires apiKey when not 'none'."
+      },
+      "reportFilter": {
+        "type": "string",
+        "enum": ["all", "threats-only"],
+        "default": "all",
+        "description": "Filter which events are reported: all scans or only detected threats"
+      },
+      "agentId": {
+        "type": "string",
+        "default": "openclaw-agent",
+        "description": "Agent identifier for cloud-scan mode API requests"
+      },
+      "includeRawInput": {
+        "type": "boolean",
+        "default": false,
+        "description": "Include raw input text in telemetry events (privacy-sensitive)"
+      },
+      "flushIntervalMs": {
+        "type": "number",
+        "minimum": 1000,
+        "default": 10000,
+        "description": "Telemetry batch flush interval in milliseconds"
+      },
+      "flushBatchSize": {
+        "type": "number",
+        "minimum": 1,
+        "maximum": 500,
+        "default": 25,
+        "description": "Maximum events per telemetry batch before auto-flush"
+      },
+      "excludeAgents": {
+        "type": "array",
+        "items": { "type": "string" },
+        "default": [],
+        "description": "Agent IDs to exclude from scanning"
+      },
+      "agentOverrides": {
+        "type": "array",
+        "items": {
+          "type": "object",
+          "properties": {
+            "agentId": { "type": "string" },
+            "mode": { "type": "string", "enum": ["monitor", "enforce"] },
+            "threatThreshold": { "type": "number", "minimum": 0, "maximum": 1 }
+          },
+          "required": ["agentId"]
+        },
+        "default": [],
+        "description": "Per-agent configuration overrides for mode and threshold"
+      }
+    },
+    "additionalProperties": false
+  }
+}

package/package.json

@@ -0,0 +1,60 @@
+{
+  "name": "ai-sentinel",
+  "version": "0.1.6",
+  "description": "Prompt injection detection and security scanning plugin for OpenClaw agents. Scans messages, tool results, and tool parameters for 44 threat patterns across 8 categories.",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc && tsc -p bootstrap/tsconfig.json",
+    "dev": "tsc --watch",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "typecheck": "tsc --noEmit",
+    "prepublishOnly": "npm run build && npm run test"
+  },
+  "openclaw": {
+    "extensions": [
+      "./src/index.ts"
+    ],
+    "install": {
+      "localPath": "extensions/ai-sentinel"
+    }
+  },
+  "keywords": [
+    "openclaw",
+    "openclaw-plugin",
+    "ai-security",
+    "prompt-injection",
+    "jailbreak-detection",
+    "llm-security",
+    "ai-sentinel",
+    "threat-detection",
+    "agent-security"
+  ],
+  "author": "Zetro AI <hello@zetro.ai>",
+  "homepage": "https://github.com/zetro-ai/ai-sentinel#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/zetro-ai/ai-sentinel.git",
+    "directory": "packages/ai-sentinel"
+  },
+  "bugs": {
+    "url": "https://github.com/zetro-ai/ai-sentinel/issues"
+  },
+  "dependencies": {
+    "zod": "^3.23.0"
+  },
+  "devDependencies": {
+    "@types/node": "^25.2.3",
+    "typescript": "^5.5.0",
+    "vitest": "^2.0.0"
+  },
+  "files": [
+    "dist",
+    "openclaw.plugin.json",
+    "bootstrap",
+    "scripts"
+  ],
+  "license": "MIT"
+}

package/scripts/install-bootstrap-hook.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+# =============================================================================
+# Install AI Sentinel bootstrap hook as a standalone OpenClaw gateway hook.
+#
+# This is an alternative to the plugin's built-in before_agent_start hook.
+# Use this if you want the bootstrap hook without the full plugin, or if you
+# need the hook to run at the gateway level rather than as a plugin hook.
+#
+# Usage: ./install-bootstrap-hook.sh
+# =============================================================================
+
+set -euo pipefail
+
+HOOK_DIR="$HOME/.openclaw/hooks/ai-sentinel-bootstrap"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+SOURCE_DIR="$(dirname "$SCRIPT_DIR")/bootstrap"
+
+echo "[ai-sentinel] Installing bootstrap hook..."
+
+# Create hook directory
+mkdir -p "$HOOK_DIR"
+
+# Copy handler
+cp "$SOURCE_DIR/handler.ts" "$HOOK_DIR/handler.ts"
+
+# Create hook manifest
+cat > "$HOOK_DIR/hook.json" <<'EOF'
+{
+  "name": "ai-sentinel-bootstrap",
+  "version": "0.1.0",
+  "description": "Injects AI Sentinel security awareness into agent bootstrap",
+  "events": ["agent:bootstrap"],
+  "entry": "./handler.ts"
+}
+EOF
+
+echo "[ai-sentinel] Bootstrap hook installed to $HOOK_DIR"
+echo "[ai-sentinel] Enable with: openclaw hooks enable ai-sentinel-bootstrap"