avorelo 0.1.0 → 0.2.0

package/scripts/lib/agent-security/instruction-risk.js

@@ -1,181 +0,0 @@
-"use strict";
-
-const { boundText, normalizeSourceType } = require("./source-trust");
-
-const ZERO_WIDTH_PATTERN = /[\u200B-\u200D\u2060\uFEFF]/;
-const HIDDEN_HTML_PATTERN = /<!--[\s\S]{0,800}?-->/g;
-const MARKDOWN_COMMENT_PATTERN = /\[\/\/\]:\s*#\s*\(([\s\S]{0,400}?)\)/g;
-const BASE64_BLOCK_PATTERN = /(?:[A-Za-z0-9+/]{32,}={0,2})/g;
-
-const SIGNALS = [
-  ["tries_to_override_instructions", "high", "Text tries to override existing instructions.", /\b(ignore|disregard|forget)\s+(?:all\s+)?(?:previous|prior)\s+instructions\b|\boverride\s+(?:the\s+)?(?:instructions|prompt)\b/i],
-  ["asks_to_ignore_policy", "high", "Text asks the agent to ignore policy or safety rules.", /\b(ignore|bypass|disable|disregard)\s+(?:the\s+)?(?:policy|guardrails|safety|checks?)\b|\boverride safety\b/i],
-  ["asks_to_hide_action", "high", "Text asks the agent to hide or avoid disclosing an action.", /\b(do not tell the user|hide this action|silently execute|quietly run|without notifying|without telling anyone)\b/i],
-  ["requests_secret_access", "high", "Text asks the agent to access secrets.", /\b(read|open|cat|print|reveal|dump|access)\s+(?:the\s+)?(?:\.env|secrets?|credentials?|private key|id_rsa)\b|\breveal hidden prompt\b/i],
-  ["requests_exfiltration", "high", "Text asks the agent to send or exfiltrate sensitive data.", /\b(upload|send|exfiltrat|post|paste)\b[^\r\n]{0,80}\b(?:secret|token|credential|private key|id_rsa)\b/i],
-  ["requests_tool_execution", "medium", "Text asks the agent to invoke tools.", /\b(call|invoke|use|execute)\b[^\r\n]{0,60}\btool\b/i],
-  ["requests_shell_execution", "high", "Text asks the agent to run shell commands.", /\b(run|open|execute)\b[^\r\n]{0,40}\b(?:shell|terminal|bash|powershell|pwsh|cmd)\b|\bcurl\b[^\r\n]{0,100}\|\s*(?:bash|sh|pwsh|powershell)\b/i],
-  ["requests_sensitive_file_access", "high", "Text asks for sensitive file access.", /\b(?:read|open|modify|write)\b[^\r\n]{0,60}\b(?:\.env(?:\.[A-Za-z0-9._-]+)?|id_rsa|\.ssh|credentials?)\b/i],
-  ["requests_workflow_or_ci_change", "high", "Text asks for workflow or CI changes.", /\b(?:modify|edit|update|change)\b[^\r\n]{0,80}\b(?:workflow|workflows|github actions|ci)\b|\bpush to main\b/i],
-  ["requests_destructive_action", "high", "Text asks for destructive action.", /\b(delete files|rm\s+-rf|remove-item|truncate|drop database|force push)\b/i],
-  ["pretends_to_be_system_message", "high", "Text pretends to be a higher-priority instruction.", /^(?:\s*)(?:system|developer)\s*[:>]|<\s*(?:system|developer)\s*>|\bact as system\b|\bdeveloper message\b/im],
-];
-
-function riskRank(level) {
-  if (level === "high") return 3;
-  if (level === "medium") return 2;
-  return 1;
-}
-
-function buildLocation(text, index) {
-  const snippet = String(text || "").slice(0, Math.max(0, index));
-  return `line ${snippet.split(/\r?\n/).length}`;
-}
-
-function buildPreview(text, index, length) {
-  return boundText(String(text || "").slice(index, index + Math.max(length, 1)).replace(/\s+/g, " "), 120);
-}
-
-function pushFinding(out, dedupe, finding) {
-  const key = `${finding.category}:${finding.location}:${finding.evidencePreview}`;
-  if (dedupe.has(key)) return;
-  dedupe.add(key);
-  out.push(finding);
-}
-
-function scanInstructionRisk(content, options = {}) {
-  const text = String(content || "");
-  const sourceType = normalizeSourceType(options.sourceType || "unknown_external");
-  const findings = [];
-  const dedupe = new Set();
-  const signals = new Set();
-
-  SIGNALS.forEach(([category, severity, message, pattern]) => {
-    const regex = new RegExp(pattern.source, pattern.flags.includes("g") ? pattern.flags : `${pattern.flags}g`);
-    let match = regex.exec(text);
-    while (match) {
-      signals.add(category);
-      pushFinding(findings, dedupe, {
-        category,
-        severity,
-        message,
-        evidencePreview: buildPreview(text, match.index, match[0].length),
-        location: buildLocation(text, match.index),
-      });
-      match = regex.exec(text);
-    }
-  });
-
-  let match = HIDDEN_HTML_PATTERN.exec(text);
-  while (match) {
-    if (/(ignore|bypass|secret|token|run|tool|shell|system|developer)/i.test(match[0])) {
-      signals.add("html_or_markdown_hidden_instruction");
-      pushFinding(findings, dedupe, {
-        category: "html_or_markdown_hidden_instruction",
-        severity: "medium",
-        message: "Hidden HTML comment contains instruction-like text.",
-        evidencePreview: buildPreview(text, match.index, match[0].length),
-        location: buildLocation(text, match.index),
-      });
-    }
-    match = HIDDEN_HTML_PATTERN.exec(text);
-  }
-
-  match = MARKDOWN_COMMENT_PATTERN.exec(text);
-  while (match) {
-    if (/(ignore|bypass|secret|token|run|tool|shell)/i.test(match[0])) {
-      signals.add("html_or_markdown_hidden_instruction");
-      pushFinding(findings, dedupe, {
-        category: "html_or_markdown_hidden_instruction",
-        severity: "medium",
-        message: "Hidden markdown comment contains instruction-like text.",
-        evidencePreview: buildPreview(text, match.index, match[0].length),
-        location: buildLocation(text, match.index),
-      });
-    }
-    match = MARKDOWN_COMMENT_PATTERN.exec(text);
-  }
-
-  match = ZERO_WIDTH_PATTERN.exec(text);
-  if (match) {
-    signals.add("zero_width_or_invisible_text");
-    pushFinding(findings, dedupe, {
-      category: "zero_width_or_invisible_text",
-      severity: "medium",
-      message: "Invisible or zero-width characters are present.",
-      evidencePreview: buildPreview(text, match.index, 40),
-      location: buildLocation(text, match.index),
-    });
-  }
-
-  const base64Matches = text.match(BASE64_BLOCK_PATTERN) || [];
-  if (base64Matches.length && /(ignore|bypass|shell|tool|secret|token|system|developer|prompt)/i.test(text)) {
-    const first = base64Matches[0];
-    const index = text.indexOf(first);
-    signals.add("encoded_or_obfuscated_instruction");
-    pushFinding(findings, dedupe, {
-      category: "encoded_or_obfuscated_instruction",
-      severity: "medium",
-      message: "Encoded or obfuscated text appears near instruction-like language.",
-      evidencePreview: buildPreview(text, index, first.length),
-      location: buildLocation(text, index),
-    });
-  }
-
-  const imperativeIndex = text.search(/\b(ignore|bypass|disable|run|read|open|send|upload|delete|modify|edit|push|install|call)\b/i);
-  if (imperativeIndex >= 0 && ["mcp_response", "rag_chunk", "web_content", "issue_ticket", "unknown_external"].includes(sourceType)) {
-    signals.add("instruction_inside_untrusted_content");
-    pushFinding(findings, dedupe, {
-      category: "instruction_inside_untrusted_content",
-      severity: "high",
-      message: "Instruction-like text appears inside untrusted content.",
-      evidencePreview: buildPreview(text, imperativeIndex, 80),
-      location: buildLocation(text, imperativeIndex),
-    });
-  }
-  if (imperativeIndex >= 0 && sourceType === "mcp_response") {
-    signals.add("tool_response_instruction");
-    pushFinding(findings, dedupe, {
-      category: "tool_response_instruction",
-      severity: "high",
-      message: "Tool response contains instruction-like text.",
-      evidencePreview: buildPreview(text, imperativeIndex, 80),
-      location: buildLocation(text, imperativeIndex),
-    });
-  }
-
-  let instructionRisk = "low";
-  findings.forEach((finding) => {
-    if (riskRank(finding.severity) > riskRank(instructionRisk)) instructionRisk = finding.severity;
-  });
-  if (instructionRisk === "low" && findings.length >= 2) instructionRisk = "medium";
-
-  return {
-    instructionRisk,
-    signals: Array.from(signals),
-    findings: findings.slice(0, 20),
-    recommendation: instructionRisk === "high"
-      ? (["mcp_response", "rag_chunk", "web_content", "issue_ticket", "unknown_external"].includes(sourceType) ? "treat_as_data_only" : "require_approval")
-      : findings.length > 0
-        ? "use_sanitized_copy"
-        : "treat_as_data_only",
-  };
-}
-
-function sanitizeInstructionLikeContent(content) {
-  let sanitized = String(content || "");
-  SIGNALS.forEach(([, , , pattern]) => {
-    sanitized = sanitized.replace(pattern, "[Removed suspicious instruction-like content]");
-  });
-  sanitized = sanitized
-    .replace(HIDDEN_HTML_PATTERN, "[Removed suspicious instruction-like content]")
-    .replace(MARKDOWN_COMMENT_PATTERN, "[Removed suspicious instruction-like content]")
-    .replace(ZERO_WIDTH_PATTERN, "")
-    .replace(BASE64_BLOCK_PATTERN, (match) => (match.length >= 32 ? "[Removed suspicious instruction-like content]" : match));
-  return boundText(sanitized, 4000);
-}
-
-module.exports = {
-  scanInstructionRisk,
-  sanitizeInstructionLikeContent,
-};

package/scripts/lib/agent-security/mcp-action-adapter.js

@@ -1,185 +0,0 @@
-"use strict";
-
-const { classifyMcpAction } = require("./mcp-action-rules");
-
-const MCP_ACTION_ADAPTER_ID = "mcp-action-v1";
-const PREVIEW_LIMIT = 400;
-
-function truncatePreview(value) {
-  const text = String(value || "");
-  if (text.length <= PREVIEW_LIMIT) return text;
-  return `${text.slice(0, PREVIEW_LIMIT)}...`;
-}
-
-function redactPreview(value) {
-  return truncatePreview(String(value || "").replace(
-    /((?:secret|token|password|api[_-]?key)[^=\n]{0,20}=)[^\s\n]+/ig,
-    "$1[redacted]",
-  ));
-}
-
-function buildMcpAdapterResult(base, overrides = {}) {
-  return {
-    actionId: base.actionId,
-    componentId: base.componentId || null,
-    componentType: base.componentType || null,
-    actionType: base.actionType,
-    decision: base.decision || null,
-    adapterId: MCP_ACTION_ADAPTER_ID,
-    enforcementAvailable: true,
-    effectiveBehavior: "recommended_only",
-    executed: false,
-    exitCode: null,
-    stdoutPreview: "",
-    stderrPreview: "",
-    reason: "",
-    timestamp: base.timestamp,
-    ...overrides,
-  };
-}
-
-function enforceMcpAction(action, context = {}) {
-  const decisionRecord = context.decisionRecord || null;
-  const limitPlan = context.limitPlan || null;
-  const execute = context.execute === true;
-  const executor = typeof context.executor === "function" ? context.executor : null;
-  const profile = classifyMcpAction(action);
-  const base = {
-    actionId: action.actionId,
-    componentId: action.componentId,
-    componentType: action.componentType,
-    actionType: action.actionType,
-    decision: decisionRecord?.decision || null,
-    timestamp: context.timestamp,
-  };
-
-  if (profile.deleteLike || profile.adminLike) {
-    return buildMcpAdapterResult(base, {
-      effectiveBehavior: "blocked",
-      reason: "Destructive or admin MCP actions are not allowed by the limited plan.",
-    });
-  }
-
-  if (profile.secretLike) {
-    return buildMcpAdapterResult(base, {
-      effectiveBehavior: "blocked",
-      reason: "Secrets or credential modification is not allowed.",
-    });
-  }
-
-  if (profile.workflowLike) {
-    return buildMcpAdapterResult(base, {
-      effectiveBehavior: "blocked",
-      reason: "Workflow modification is not allowed by the limited plan.",
-    });
-  }
-
-  if (profile.deployLike || profile.pushMainLike) {
-    return buildMcpAdapterResult(base, {
-      effectiveBehavior: "blocked",
-      reason: "Push-to-main, deploy, or publish style MCP actions require explicit approval.",
-    });
-  }
-
-  if (decisionRecord?.decision === "deny") {
-    return buildMcpAdapterResult(base, {
-      effectiveBehavior: "blocked",
-      reason: "User denied this MCP action.",
-    });
-  }
-
-  if (decisionRecord?.decision === "let_wuz_limit" && limitPlan?.recommendedMode === "deny") {
-    return buildMcpAdapterResult(base, {
-      effectiveBehavior: "blocked",
-      reason: limitPlan.reason || "No safe limited version found. Recommended: deny.",
-    });
-  }
-
-  if (decisionRecord?.decision === "let_wuz_limit" && limitPlan?.recommendedMode !== "limited") {
-    return buildMcpAdapterResult(base, {
-      effectiveBehavior: "blocked",
-      reason: limitPlan?.reason || "The limited plan could not safely allow this MCP action.",
-    });
-  }
-
-  if (decisionRecord?.decision === "let_wuz_limit") {
-    if (limitPlan?.scope?.mcpServer && limitPlan.scope.mcpServer !== profile.mcpServer) {
-      return buildMcpAdapterResult(base, {
-        effectiveBehavior: "blocked",
-        reason: "The limited plan only allows the evaluated MCP server.",
-      });
-    }
-    if (limitPlan?.scope?.toolName && limitPlan.scope.toolName !== profile.toolName) {
-      return buildMcpAdapterResult(base, {
-        effectiveBehavior: "blocked",
-        reason: "The limited plan only allows the evaluated MCP tool.",
-      });
-    }
-  }
-
-  if (!execute || !executor) {
-    return buildMcpAdapterResult(base, {
-      effectiveBehavior: decisionRecord?.decision === "let_wuz_limit" ? "limited" : "dry_run_only",
-      reason: execute && !executor
-        ? "No MCP executor was supplied. Enforcement stayed in dry-run mode."
-        : (
-          decisionRecord?.decision === "let_wuz_limit"
-            ? (limitPlan?.reason || "Wuz limited this MCP action to the current task.")
-            : "Execution stayed in dry-run mode."
-        ),
-    });
-  }
-
-  const child = executor({
-    action,
-    decisionRecord,
-    limitPlan,
-    target: profile.target,
-    mcpServer: profile.mcpServer,
-    toolName: profile.toolName,
-    args: profile.args,
-    resource: profile.resource,
-  });
-  const stdoutPreview = redactPreview(child?.stdout || "");
-  const stderrPreview = redactPreview(child?.stderr || child?.error?.message || "");
-  const exitCode = typeof child?.status === "number"
-    ? child.status
-    : typeof child?.exitCode === "number"
-      ? child.exitCode
-      : child?.error
-        ? 1
-        : 1;
-
-  return buildMcpAdapterResult(base, {
-    effectiveBehavior: decisionRecord?.decision === "let_wuz_limit" ? "limited" : "allowed",
-    executed: true,
-    exitCode,
-    stdoutPreview,
-    stderrPreview,
-    reason: exitCode === 0
-      ? (decisionRecord?.decision === "let_wuz_limit"
-        ? "MCP action executed within the limited task scope."
-        : "Approved MCP action executed once.")
-      : "MCP action executed but exited with a non-zero status.",
-  });
-}
-
-const MCP_ACTION_ADAPTER = {
-  adapterId: MCP_ACTION_ADAPTER_ID,
-  canEvaluate: true,
-  canEnforce: true,
-  supportedActionTypes: ["mcp.read", "mcp.write", "mcp.delete", "mcp.admin", "mcp.externalMutation", "mcp.unknown"],
-  enforce(action, decisionRecord, limitPlan, options = {}) {
-    return enforceMcpAction(action, {
-      ...options,
-      decisionRecord,
-      limitPlan,
-    });
-  },
-};
-
-module.exports = {
-  MCP_ACTION_ADAPTER_ID,
-  MCP_ACTION_ADAPTER,
-  enforceMcpAction,
-};

package/scripts/lib/agent-security/mcp-action-rules.js

@@ -1,184 +0,0 @@
-"use strict";
-
-const crypto = require("crypto");
-
-function stableStringify(value) {
-  if (Array.isArray(value)) {
-    return `[${value.map((item) => stableStringify(item)).join(",")}]`;
-  }
-  if (value && typeof value === "object") {
-    return `{${Object.keys(value)
-      .sort((left, right) => left.localeCompare(right))
-      .map((key) => `${JSON.stringify(key)}:${stableStringify(value[key])}`)
-      .join(",")}}`;
-  }
-  return JSON.stringify(value);
-}
-
-function sha256(value) {
-  return crypto.createHash("sha256").update(String(value || "")).digest("hex");
-}
-
-function normalizeMcpServer(value) {
-  const normalized = String(value || "").trim();
-  return normalized || "unknown";
-}
-
-function inferToolName(action) {
-  const explicit = String(action?.toolName || "").trim();
-  if (explicit) return explicit;
-  const target = String(action?.target || "").trim();
-  if (target.includes(":")) return target.split(":").slice(1).join(":").trim() || "unknown";
-  return "unknown";
-}
-
-function normalizeResource(action) {
-  return action?.resource && typeof action.resource === "object" ? action.resource : {};
-}
-
-function normalizeArgs(action) {
-  return action?.args && typeof action.args === "object" ? action.args : {};
-}
-
-function argsHashFromAction(action) {
-  const args = normalizeArgs(action);
-  if (!Object.keys(args).length) return null;
-  return sha256(stableStringify(args));
-}
-
-function targetHashFromMcpAction(action) {
-  const normalized = {
-    actionType: String(action?.actionType || ""),
-    mcpServer: normalizeMcpServer(action?.mcpServer),
-    toolName: inferToolName(action),
-    target: String(action?.target || ""),
-    resource: normalizeResource(action),
-  };
-  return sha256(stableStringify(normalized));
-}
-
-function hasPattern(text, pattern) {
-  return pattern.test(String(text || ""));
-}
-
-function classifyMcpAction(action) {
-  const actionType = String(action?.actionType || "mcp.unknown");
-  const mcpServer = normalizeMcpServer(action?.mcpServer);
-  const toolName = inferToolName(action);
-  const target = String(action?.target || `${mcpServer}:${toolName}`);
-  const resource = normalizeResource(action);
-  const args = normalizeArgs(action);
-  const analysisText = [
-    actionType,
-    mcpServer,
-    toolName,
-    target,
-    stableStringify(resource),
-    stableStringify(args),
-  ].join("\n").toLowerCase();
-
-  const deleteLike = actionType === "mcp.delete" || hasPattern(analysisText, /\b(delete|remove|destroy)\b/);
-  const adminLike = actionType === "mcp.admin" || hasPattern(analysisText, /\b(admin|owner|permission|access|member|user)\b/);
-  const secretLike = hasPattern(analysisText, /\b(secret|token|credential|private[_-]?key|id_rsa)\b/);
-  const workflowLike = hasPattern(analysisText, /\b(workflow|actions?)\b/);
-  const deployLike = hasPattern(analysisText, /\b(deploy|release|publish)\b/);
-  const pushMainLike = hasPattern(analysisText, /\b(push_main|force_push)\b/)
-    || (hasPattern(toolName, /\b(push|merge)\b/) && String(resource.branch || resource.baseBranch || "").toLowerCase() === "main");
-  const externalMutation = actionType === "mcp.write" || actionType === "mcp.externalMutation" || deleteLike || adminLike;
-  const readOnly = actionType === "mcp.read" || hasPattern(toolName, /\b(get|list|read|fetch|describe|metadata)\b/);
-  const createPullRequest = hasPattern(toolName, /\b(create|open)[_-]?(pull[_-]?request|pr)\b/);
-  const createIssue = hasPattern(toolName, /\b(create|open|update)[_-]?issue\b/);
-  const knownServer = mcpServer !== "unknown";
-  const unknownWrite = !readOnly && !createPullRequest && !createIssue && !deleteLike && !adminLike && !secretLike && !workflowLike;
-  const repoScope = String(resource.repo || "").trim() || "current";
-  const branch = String(resource.branch || "").trim();
-  const safeBranchPrefix = !branch || /^wuz[/-]/i.test(branch) || branch === "current";
-
-  const reasons = [];
-  let riskLevel = "medium";
-  let recommendedDecision = "limit";
-  let safeLimited = false;
-
-  if (deleteLike || adminLike) {
-    reasons.push("Delete or admin MCP actions can mutate external systems destructively.");
-    riskLevel = "high";
-    recommendedDecision = "deny";
-  } else if (secretLike) {
-    reasons.push("Secrets, tokens, or credential changes should be denied.");
-    riskLevel = "high";
-    recommendedDecision = "deny";
-  } else if (workflowLike) {
-    reasons.push("Workflow changes can alter automation and supply-chain behavior.");
-    riskLevel = "high";
-    recommendedDecision = "deny";
-  } else if (deployLike || pushMainLike) {
-    reasons.push("Deploy, publish, or push-to-main style MCP actions are high risk.");
-    riskLevel = "high";
-    recommendedDecision = "deny";
-  } else if (createPullRequest) {
-    reasons.push("Pull request creation can be limited to the current repo and safe branch scope.");
-    riskLevel = knownServer ? "medium" : "high";
-    recommendedDecision = "limit";
-    safeLimited = knownServer && safeBranchPrefix;
-  } else if (createIssue) {
-    reasons.push("Issue creation can be limited to the current repo.");
-    riskLevel = knownServer ? "medium" : "high";
-    recommendedDecision = "limit";
-    safeLimited = knownServer;
-  } else if (readOnly) {
-    reasons.push("Read-only MCP metadata access is low risk.");
-    riskLevel = knownServer ? "low" : "medium";
-    recommendedDecision = "limit";
-    safeLimited = knownServer;
-  } else if (unknownWrite && !knownServer) {
-    reasons.push("Unknown MCP write semantics need explicit approval before external mutation.");
-    riskLevel = "high";
-    recommendedDecision = "limit";
-  } else if (unknownWrite) {
-    reasons.push("MCP write actions should stay scoped to known safe operations.");
-    riskLevel = "medium";
-    recommendedDecision = "limit";
-  } else if (externalMutation) {
-    reasons.push("External mutation through MCP requires approval.");
-    riskLevel = "medium";
-    recommendedDecision = "limit";
-  } else {
-    reasons.push("MCP action should be reviewed before broader external access is allowed.");
-  }
-
-  return {
-    actionType,
-    mcpServer,
-    toolName,
-    target,
-    resource,
-    args,
-    repoScope,
-    branch,
-    safeBranchPrefix,
-    knownServer,
-    readOnly,
-    externalMutation,
-    createPullRequest,
-    createIssue,
-    unknownWrite,
-    deleteLike,
-    adminLike,
-    secretLike,
-    workflowLike,
-    deployLike,
-    pushMainLike,
-    safeLimited,
-    argsHash: argsHashFromAction(action),
-    targetHash: targetHashFromMcpAction(action),
-    riskLevel,
-    recommendedDecision,
-    reasons,
-  };
-}
-
-module.exports = {
-  argsHashFromAction,
-  targetHashFromMcpAction,
-  classifyMcpAction,
-};