avorelo 0.1.0

package/scripts/lib/agent-security/instruction-risk.js

@@ -0,0 +1,181 @@
+"use strict";
+
+const { boundText, normalizeSourceType } = require("./source-trust");
+
+const ZERO_WIDTH_PATTERN = /[\u200B-\u200D\u2060\uFEFF]/;
+const HIDDEN_HTML_PATTERN = /<!--[\s\S]{0,800}?-->/g;
+const MARKDOWN_COMMENT_PATTERN = /\[\/\/\]:\s*#\s*\(([\s\S]{0,400}?)\)/g;
+const BASE64_BLOCK_PATTERN = /(?:[A-Za-z0-9+/]{32,}={0,2})/g;
+
+const SIGNALS = [
+  ["tries_to_override_instructions", "high", "Text tries to override existing instructions.", /\b(ignore|disregard|forget)\s+(?:all\s+)?(?:previous|prior)\s+instructions\b|\boverride\s+(?:the\s+)?(?:instructions|prompt)\b/i],
+  ["asks_to_ignore_policy", "high", "Text asks the agent to ignore policy or safety rules.", /\b(ignore|bypass|disable|disregard)\s+(?:the\s+)?(?:policy|guardrails|safety|checks?)\b|\boverride safety\b/i],
+  ["asks_to_hide_action", "high", "Text asks the agent to hide or avoid disclosing an action.", /\b(do not tell the user|hide this action|silently execute|quietly run|without notifying|without telling anyone)\b/i],
+  ["requests_secret_access", "high", "Text asks the agent to access secrets.", /\b(read|open|cat|print|reveal|dump|access)\s+(?:the\s+)?(?:\.env|secrets?|credentials?|private key|id_rsa)\b|\breveal hidden prompt\b/i],
+  ["requests_exfiltration", "high", "Text asks the agent to send or exfiltrate sensitive data.", /\b(upload|send|exfiltrat|post|paste)\b[^\r\n]{0,80}\b(?:secret|token|credential|private key|id_rsa)\b/i],
+  ["requests_tool_execution", "medium", "Text asks the agent to invoke tools.", /\b(call|invoke|use|execute)\b[^\r\n]{0,60}\btool\b/i],
+  ["requests_shell_execution", "high", "Text asks the agent to run shell commands.", /\b(run|open|execute)\b[^\r\n]{0,40}\b(?:shell|terminal|bash|powershell|pwsh|cmd)\b|\bcurl\b[^\r\n]{0,100}\|\s*(?:bash|sh|pwsh|powershell)\b/i],
+  ["requests_sensitive_file_access", "high", "Text asks for sensitive file access.", /\b(?:read|open|modify|write)\b[^\r\n]{0,60}\b(?:\.env(?:\.[A-Za-z0-9._-]+)?|id_rsa|\.ssh|credentials?)\b/i],
+  ["requests_workflow_or_ci_change", "high", "Text asks for workflow or CI changes.", /\b(?:modify|edit|update|change)\b[^\r\n]{0,80}\b(?:workflow|workflows|github actions|ci)\b|\bpush to main\b/i],
+  ["requests_destructive_action", "high", "Text asks for destructive action.", /\b(delete files|rm\s+-rf|remove-item|truncate|drop database|force push)\b/i],
+  ["pretends_to_be_system_message", "high", "Text pretends to be a higher-priority instruction.", /^(?:\s*)(?:system|developer)\s*[:>]|<\s*(?:system|developer)\s*>|\bact as system\b|\bdeveloper message\b/im],
+];
+
+function riskRank(level) {
+  if (level === "high") return 3;
+  if (level === "medium") return 2;
+  return 1;
+}
+
+function buildLocation(text, index) {
+  const snippet = String(text || "").slice(0, Math.max(0, index));
+  return `line ${snippet.split(/\r?\n/).length}`;
+}
+
+function buildPreview(text, index, length) {
+  return boundText(String(text || "").slice(index, index + Math.max(length, 1)).replace(/\s+/g, " "), 120);
+}
+
+function pushFinding(out, dedupe, finding) {
+  const key = `${finding.category}:${finding.location}:${finding.evidencePreview}`;
+  if (dedupe.has(key)) return;
+  dedupe.add(key);
+  out.push(finding);
+}
+
+function scanInstructionRisk(content, options = {}) {
+  const text = String(content || "");
+  const sourceType = normalizeSourceType(options.sourceType || "unknown_external");
+  const findings = [];
+  const dedupe = new Set();
+  const signals = new Set();
+
+  SIGNALS.forEach(([category, severity, message, pattern]) => {
+    const regex = new RegExp(pattern.source, pattern.flags.includes("g") ? pattern.flags : `${pattern.flags}g`);
+    let match = regex.exec(text);
+    while (match) {
+      signals.add(category);
+      pushFinding(findings, dedupe, {
+        category,
+        severity,
+        message,
+        evidencePreview: buildPreview(text, match.index, match[0].length),
+        location: buildLocation(text, match.index),
+      });
+      match = regex.exec(text);
+    }
+  });
+
+  let match = HIDDEN_HTML_PATTERN.exec(text);
+  while (match) {
+    if (/(ignore|bypass|secret|token|run|tool|shell|system|developer)/i.test(match[0])) {
+      signals.add("html_or_markdown_hidden_instruction");
+      pushFinding(findings, dedupe, {
+        category: "html_or_markdown_hidden_instruction",
+        severity: "medium",
+        message: "Hidden HTML comment contains instruction-like text.",
+        evidencePreview: buildPreview(text, match.index, match[0].length),
+        location: buildLocation(text, match.index),
+      });
+    }
+    match = HIDDEN_HTML_PATTERN.exec(text);
+  }
+
+  match = MARKDOWN_COMMENT_PATTERN.exec(text);
+  while (match) {
+    if (/(ignore|bypass|secret|token|run|tool|shell)/i.test(match[0])) {
+      signals.add("html_or_markdown_hidden_instruction");
+      pushFinding(findings, dedupe, {
+        category: "html_or_markdown_hidden_instruction",
+        severity: "medium",
+        message: "Hidden markdown comment contains instruction-like text.",
+        evidencePreview: buildPreview(text, match.index, match[0].length),
+        location: buildLocation(text, match.index),
+      });
+    }
+    match = MARKDOWN_COMMENT_PATTERN.exec(text);
+  }
+
+  match = ZERO_WIDTH_PATTERN.exec(text);
+  if (match) {
+    signals.add("zero_width_or_invisible_text");
+    pushFinding(findings, dedupe, {
+      category: "zero_width_or_invisible_text",
+      severity: "medium",
+      message: "Invisible or zero-width characters are present.",
+      evidencePreview: buildPreview(text, match.index, 40),
+      location: buildLocation(text, match.index),
+    });
+  }
+
+  const base64Matches = text.match(BASE64_BLOCK_PATTERN) || [];
+  if (base64Matches.length && /(ignore|bypass|shell|tool|secret|token|system|developer|prompt)/i.test(text)) {
+    const first = base64Matches[0];
+    const index = text.indexOf(first);
+    signals.add("encoded_or_obfuscated_instruction");
+    pushFinding(findings, dedupe, {
+      category: "encoded_or_obfuscated_instruction",
+      severity: "medium",
+      message: "Encoded or obfuscated text appears near instruction-like language.",
+      evidencePreview: buildPreview(text, index, first.length),
+      location: buildLocation(text, index),
+    });
+  }
+
+  const imperativeIndex = text.search(/\b(ignore|bypass|disable|run|read|open|send|upload|delete|modify|edit|push|install|call)\b/i);
+  if (imperativeIndex >= 0 && ["mcp_response", "rag_chunk", "web_content", "issue_ticket", "unknown_external"].includes(sourceType)) {
+    signals.add("instruction_inside_untrusted_content");
+    pushFinding(findings, dedupe, {
+      category: "instruction_inside_untrusted_content",
+      severity: "high",
+      message: "Instruction-like text appears inside untrusted content.",
+      evidencePreview: buildPreview(text, imperativeIndex, 80),
+      location: buildLocation(text, imperativeIndex),
+    });
+  }
+  if (imperativeIndex >= 0 && sourceType === "mcp_response") {
+    signals.add("tool_response_instruction");
+    pushFinding(findings, dedupe, {
+      category: "tool_response_instruction",
+      severity: "high",
+      message: "Tool response contains instruction-like text.",
+      evidencePreview: buildPreview(text, imperativeIndex, 80),
+      location: buildLocation(text, imperativeIndex),
+    });
+  }
+
+  let instructionRisk = "low";
+  findings.forEach((finding) => {
+    if (riskRank(finding.severity) > riskRank(instructionRisk)) instructionRisk = finding.severity;
+  });
+  if (instructionRisk === "low" && findings.length >= 2) instructionRisk = "medium";
+
+  return {
+    instructionRisk,
+    signals: Array.from(signals),
+    findings: findings.slice(0, 20),
+    recommendation: instructionRisk === "high"
+      ? (["mcp_response", "rag_chunk", "web_content", "issue_ticket", "unknown_external"].includes(sourceType) ? "treat_as_data_only" : "require_approval")
+      : findings.length > 0
+        ? "use_sanitized_copy"
+        : "treat_as_data_only",
+  };
+}
+
+function sanitizeInstructionLikeContent(content) {
+  let sanitized = String(content || "");
+  SIGNALS.forEach(([, , , pattern]) => {
+    sanitized = sanitized.replace(pattern, "[Removed suspicious instruction-like content]");
+  });
+  sanitized = sanitized
+    .replace(HIDDEN_HTML_PATTERN, "[Removed suspicious instruction-like content]")
+    .replace(MARKDOWN_COMMENT_PATTERN, "[Removed suspicious instruction-like content]")
+    .replace(ZERO_WIDTH_PATTERN, "")
+    .replace(BASE64_BLOCK_PATTERN, (match) => (match.length >= 32 ? "[Removed suspicious instruction-like content]" : match));
+  return boundText(sanitized, 4000);
+}
+
+module.exports = {
+  scanInstructionRisk,
+  sanitizeInstructionLikeContent,
+};

package/scripts/lib/agent-security/mcp-action-adapter.js

@@ -0,0 +1,185 @@
+"use strict";
+
+const { classifyMcpAction } = require("./mcp-action-rules");
+
+const MCP_ACTION_ADAPTER_ID = "mcp-action-v1";
+const PREVIEW_LIMIT = 400;
+
+function truncatePreview(value) {
+  const text = String(value || "");
+  if (text.length <= PREVIEW_LIMIT) return text;
+  return `${text.slice(0, PREVIEW_LIMIT)}...`;
+}
+
+function redactPreview(value) {
+  return truncatePreview(String(value || "").replace(
+    /((?:secret|token|password|api[_-]?key)[^=\n]{0,20}=)[^\s\n]+/ig,
+    "$1[redacted]",
+  ));
+}
+
+function buildMcpAdapterResult(base, overrides = {}) {
+  return {
+    actionId: base.actionId,
+    componentId: base.componentId || null,
+    componentType: base.componentType || null,
+    actionType: base.actionType,
+    decision: base.decision || null,
+    adapterId: MCP_ACTION_ADAPTER_ID,
+    enforcementAvailable: true,
+    effectiveBehavior: "recommended_only",
+    executed: false,
+    exitCode: null,
+    stdoutPreview: "",
+    stderrPreview: "",
+    reason: "",
+    timestamp: base.timestamp,
+    ...overrides,
+  };
+}
+
+function enforceMcpAction(action, context = {}) {
+  const decisionRecord = context.decisionRecord || null;
+  const limitPlan = context.limitPlan || null;
+  const execute = context.execute === true;
+  const executor = typeof context.executor === "function" ? context.executor : null;
+  const profile = classifyMcpAction(action);
+  const base = {
+    actionId: action.actionId,
+    componentId: action.componentId,
+    componentType: action.componentType,
+    actionType: action.actionType,
+    decision: decisionRecord?.decision || null,
+    timestamp: context.timestamp,
+  };
+
+  if (profile.deleteLike || profile.adminLike) {
+    return buildMcpAdapterResult(base, {
+      effectiveBehavior: "blocked",
+      reason: "Destructive or admin MCP actions are not allowed by the limited plan.",
+    });
+  }
+
+  if (profile.secretLike) {
+    return buildMcpAdapterResult(base, {
+      effectiveBehavior: "blocked",
+      reason: "Secrets or credential modification is not allowed.",
+    });
+  }
+
+  if (profile.workflowLike) {
+    return buildMcpAdapterResult(base, {
+      effectiveBehavior: "blocked",
+      reason: "Workflow modification is not allowed by the limited plan.",
+    });
+  }
+
+  if (profile.deployLike || profile.pushMainLike) {
+    return buildMcpAdapterResult(base, {
+      effectiveBehavior: "blocked",
+      reason: "Push-to-main, deploy, or publish style MCP actions require explicit approval.",
+    });
+  }
+
+  if (decisionRecord?.decision === "deny") {
+    return buildMcpAdapterResult(base, {
+      effectiveBehavior: "blocked",
+      reason: "User denied this MCP action.",
+    });
+  }
+
+  if (decisionRecord?.decision === "let_wuz_limit" && limitPlan?.recommendedMode === "deny") {
+    return buildMcpAdapterResult(base, {
+      effectiveBehavior: "blocked",
+      reason: limitPlan.reason || "No safe limited version found. Recommended: deny.",
+    });
+  }
+
+  if (decisionRecord?.decision === "let_wuz_limit" && limitPlan?.recommendedMode !== "limited") {
+    return buildMcpAdapterResult(base, {
+      effectiveBehavior: "blocked",
+      reason: limitPlan?.reason || "The limited plan could not safely allow this MCP action.",
+    });
+  }
+
+  if (decisionRecord?.decision === "let_wuz_limit") {
+    if (limitPlan?.scope?.mcpServer && limitPlan.scope.mcpServer !== profile.mcpServer) {
+      return buildMcpAdapterResult(base, {
+        effectiveBehavior: "blocked",
+        reason: "The limited plan only allows the evaluated MCP server.",
+      });
+    }
+    if (limitPlan?.scope?.toolName && limitPlan.scope.toolName !== profile.toolName) {
+      return buildMcpAdapterResult(base, {
+        effectiveBehavior: "blocked",
+        reason: "The limited plan only allows the evaluated MCP tool.",
+      });
+    }
+  }
+
+  if (!execute || !executor) {
+    return buildMcpAdapterResult(base, {
+      effectiveBehavior: decisionRecord?.decision === "let_wuz_limit" ? "limited" : "dry_run_only",
+      reason: execute && !executor
+        ? "No MCP executor was supplied. Enforcement stayed in dry-run mode."
+        : (
+          decisionRecord?.decision === "let_wuz_limit"
+            ? (limitPlan?.reason || "Wuz limited this MCP action to the current task.")
+            : "Execution stayed in dry-run mode."
+        ),
+    });
+  }
+
+  const child = executor({
+    action,
+    decisionRecord,
+    limitPlan,
+    target: profile.target,
+    mcpServer: profile.mcpServer,
+    toolName: profile.toolName,
+    args: profile.args,
+    resource: profile.resource,
+  });
+  const stdoutPreview = redactPreview(child?.stdout || "");
+  const stderrPreview = redactPreview(child?.stderr || child?.error?.message || "");
+  const exitCode = typeof child?.status === "number"
+    ? child.status
+    : typeof child?.exitCode === "number"
+      ? child.exitCode
+      : child?.error
+        ? 1
+        : 1;
+
+  return buildMcpAdapterResult(base, {
+    effectiveBehavior: decisionRecord?.decision === "let_wuz_limit" ? "limited" : "allowed",
+    executed: true,
+    exitCode,
+    stdoutPreview,
+    stderrPreview,
+    reason: exitCode === 0
+      ? (decisionRecord?.decision === "let_wuz_limit"
+        ? "MCP action executed within the limited task scope."
+        : "Approved MCP action executed once.")
+      : "MCP action executed but exited with a non-zero status.",
+  });
+}
+
+const MCP_ACTION_ADAPTER = {
+  adapterId: MCP_ACTION_ADAPTER_ID,
+  canEvaluate: true,
+  canEnforce: true,
+  supportedActionTypes: ["mcp.read", "mcp.write", "mcp.delete", "mcp.admin", "mcp.externalMutation", "mcp.unknown"],
+  enforce(action, decisionRecord, limitPlan, options = {}) {
+    return enforceMcpAction(action, {
+      ...options,
+      decisionRecord,
+      limitPlan,
+    });
+  },
+};
+
+module.exports = {
+  MCP_ACTION_ADAPTER_ID,
+  MCP_ACTION_ADAPTER,
+  enforceMcpAction,
+};

package/scripts/lib/agent-security/mcp-action-rules.js

@@ -0,0 +1,184 @@
+"use strict";
+
+const crypto = require("crypto");
+
+function stableStringify(value) {
+  if (Array.isArray(value)) {
+    return `[${value.map((item) => stableStringify(item)).join(",")}]`;
+  }
+  if (value && typeof value === "object") {
+    return `{${Object.keys(value)
+      .sort((left, right) => left.localeCompare(right))
+      .map((key) => `${JSON.stringify(key)}:${stableStringify(value[key])}`)
+      .join(",")}}`;
+  }
+  return JSON.stringify(value);
+}
+
+function sha256(value) {
+  return crypto.createHash("sha256").update(String(value || "")).digest("hex");
+}
+
+function normalizeMcpServer(value) {
+  const normalized = String(value || "").trim();
+  return normalized || "unknown";
+}
+
+function inferToolName(action) {
+  const explicit = String(action?.toolName || "").trim();
+  if (explicit) return explicit;
+  const target = String(action?.target || "").trim();
+  if (target.includes(":")) return target.split(":").slice(1).join(":").trim() || "unknown";
+  return "unknown";
+}
+
+function normalizeResource(action) {
+  return action?.resource && typeof action.resource === "object" ? action.resource : {};
+}
+
+function normalizeArgs(action) {
+  return action?.args && typeof action.args === "object" ? action.args : {};
+}
+
+function argsHashFromAction(action) {
+  const args = normalizeArgs(action);
+  if (!Object.keys(args).length) return null;
+  return sha256(stableStringify(args));
+}
+
+function targetHashFromMcpAction(action) {
+  const normalized = {
+    actionType: String(action?.actionType || ""),
+    mcpServer: normalizeMcpServer(action?.mcpServer),
+    toolName: inferToolName(action),
+    target: String(action?.target || ""),
+    resource: normalizeResource(action),
+  };
+  return sha256(stableStringify(normalized));
+}
+
+function hasPattern(text, pattern) {
+  return pattern.test(String(text || ""));
+}
+
+function classifyMcpAction(action) {
+  const actionType = String(action?.actionType || "mcp.unknown");
+  const mcpServer = normalizeMcpServer(action?.mcpServer);
+  const toolName = inferToolName(action);
+  const target = String(action?.target || `${mcpServer}:${toolName}`);
+  const resource = normalizeResource(action);
+  const args = normalizeArgs(action);
+  const analysisText = [
+    actionType,
+    mcpServer,
+    toolName,
+    target,
+    stableStringify(resource),
+    stableStringify(args),
+  ].join("\n").toLowerCase();
+
+  const deleteLike = actionType === "mcp.delete" || hasPattern(analysisText, /\b(delete|remove|destroy)\b/);
+  const adminLike = actionType === "mcp.admin" || hasPattern(analysisText, /\b(admin|owner|permission|access|member|user)\b/);
+  const secretLike = hasPattern(analysisText, /\b(secret|token|credential|private[_-]?key|id_rsa)\b/);
+  const workflowLike = hasPattern(analysisText, /\b(workflow|actions?)\b/);
+  const deployLike = hasPattern(analysisText, /\b(deploy|release|publish)\b/);
+  const pushMainLike = hasPattern(analysisText, /\b(push_main|force_push)\b/)
+    || (hasPattern(toolName, /\b(push|merge)\b/) && String(resource.branch || resource.baseBranch || "").toLowerCase() === "main");
+  const externalMutation = actionType === "mcp.write" || actionType === "mcp.externalMutation" || deleteLike || adminLike;
+  const readOnly = actionType === "mcp.read" || hasPattern(toolName, /\b(get|list|read|fetch|describe|metadata)\b/);
+  const createPullRequest = hasPattern(toolName, /\b(create|open)[_-]?(pull[_-]?request|pr)\b/);
+  const createIssue = hasPattern(toolName, /\b(create|open|update)[_-]?issue\b/);
+  const knownServer = mcpServer !== "unknown";
+  const unknownWrite = !readOnly && !createPullRequest && !createIssue && !deleteLike && !adminLike && !secretLike && !workflowLike;
+  const repoScope = String(resource.repo || "").trim() || "current";
+  const branch = String(resource.branch || "").trim();
+  const safeBranchPrefix = !branch || /^wuz[/-]/i.test(branch) || branch === "current";
+
+  const reasons = [];
+  let riskLevel = "medium";
+  let recommendedDecision = "limit";
+  let safeLimited = false;
+
+  if (deleteLike || adminLike) {
+    reasons.push("Delete or admin MCP actions can mutate external systems destructively.");
+    riskLevel = "high";
+    recommendedDecision = "deny";
+  } else if (secretLike) {
+    reasons.push("Secrets, tokens, or credential changes should be denied.");
+    riskLevel = "high";
+    recommendedDecision = "deny";
+  } else if (workflowLike) {
+    reasons.push("Workflow changes can alter automation and supply-chain behavior.");
+    riskLevel = "high";
+    recommendedDecision = "deny";
+  } else if (deployLike || pushMainLike) {
+    reasons.push("Deploy, publish, or push-to-main style MCP actions are high risk.");
+    riskLevel = "high";
+    recommendedDecision = "deny";
+  } else if (createPullRequest) {
+    reasons.push("Pull request creation can be limited to the current repo and safe branch scope.");
+    riskLevel = knownServer ? "medium" : "high";
+    recommendedDecision = "limit";
+    safeLimited = knownServer && safeBranchPrefix;
+  } else if (createIssue) {
+    reasons.push("Issue creation can be limited to the current repo.");
+    riskLevel = knownServer ? "medium" : "high";
+    recommendedDecision = "limit";
+    safeLimited = knownServer;
+  } else if (readOnly) {
+    reasons.push("Read-only MCP metadata access is low risk.");
+    riskLevel = knownServer ? "low" : "medium";
+    recommendedDecision = "limit";
+    safeLimited = knownServer;
+  } else if (unknownWrite && !knownServer) {
+    reasons.push("Unknown MCP write semantics need explicit approval before external mutation.");
+    riskLevel = "high";
+    recommendedDecision = "limit";
+  } else if (unknownWrite) {
+    reasons.push("MCP write actions should stay scoped to known safe operations.");
+    riskLevel = "medium";
+    recommendedDecision = "limit";
+  } else if (externalMutation) {
+    reasons.push("External mutation through MCP requires approval.");
+    riskLevel = "medium";
+    recommendedDecision = "limit";
+  } else {
+    reasons.push("MCP action should be reviewed before broader external access is allowed.");
+  }
+
+  return {
+    actionType,
+    mcpServer,
+    toolName,
+    target,
+    resource,
+    args,
+    repoScope,
+    branch,
+    safeBranchPrefix,
+    knownServer,
+    readOnly,
+    externalMutation,
+    createPullRequest,
+    createIssue,
+    unknownWrite,
+    deleteLike,
+    adminLike,
+    secretLike,
+    workflowLike,
+    deployLike,
+    pushMainLike,
+    safeLimited,
+    argsHash: argsHashFromAction(action),
+    targetHash: targetHashFromMcpAction(action),
+    riskLevel,
+    recommendedDecision,
+    reasons,
+  };
+}
+
+module.exports = {
+  argsHashFromAction,
+  targetHashFromMcpAction,
+  classifyMcpAction,
+};