chainwall 0.1.0

package/hooks/git-safety.sh

@@ -0,0 +1,152 @@
+#!/bin/bash
+#
+# git-safety.sh — prevents dangerous git operations
+#
+# Blocks force-pushes to main/master, checks for secrets in staged files,
+# warns on hard resets and direct commits to protected branches.
+#
+# Exit 0 = allow, exit 2 = block.
+#
+
+set -o pipefail
+
+RED_BOLD=$'\e[1;31m'
+YELLOW=$'\e[33m'
+RESET=$'\e[0m'
+
+if ! command -v jq &> /dev/null; then
+    echo "ERROR: jq is required for git-safety hook." >&2
+    exit 0
+fi
+
+log_event() {
+    local severity="$1"
+    local category="$2"
+    local detail="$3"
+
+    local audit_dir=".llm-av"
+    local audit_file="${audit_dir}/audit.jsonl"
+    mkdir -p "$audit_dir"
+
+    local timestamp
+    timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+    jq -cn \
+        --arg timestamp "$timestamp" \
+        --arg severity "$severity" \
+        --arg category "$category" \
+        --arg pattern "" \
+        --arg tool "${TOOL_NAME:-unknown}" \
+        --arg detail "${detail:0:200}" \
+        '{timestamp:$timestamp,severity:$severity,category:$category,pattern:$pattern,tool:$tool,content:$detail}' \
+        >> "$audit_file" 2>/dev/null
+}
+
+block() {
+    local reason="$1"
+    local detail="$2"
+
+    echo -e "${RED_BOLD}BLOCKED: ${reason}${RESET}" >&2
+    echo -e "${RED_BOLD}Detail: ${detail}${RESET}" >&2
+    log_event "block" "git_safety" "$reason: $detail"
+    exit 2
+}
+
+warn() {
+    local reason="$1"
+    local detail="$2"
+
+    echo -e "${YELLOW}WARNING: ${reason}${RESET}" >&2
+    echo -e "${YELLOW}Detail: ${detail}${RESET}" >&2
+    log_event "warn" "git_safety" "$reason: $detail"
+}
+
+if [[ "${LLMAV_SKIP:-}" == "1" ]]; then
+    log_event "warn" "git_safety" "LLMAV_SKIP bypass — all git safety checks skipped"
+    exit 0
+fi
+
+# --- protection toggle ---
+CONFIG_GLOBAL="${HOME}/.llm-av/config.json"
+if [[ -f "$CONFIG_GLOBAL" ]]; then
+    PROTECTION_ENABLED=$(jq -r 'if .enabled == false then "false" else "true" end' "$CONFIG_GLOBAL" 2>/dev/null)
+    if [[ "$PROTECTION_ENABLED" == "false" ]]; then
+        log_event "info" "git_safety" "Real-time protection disabled"
+        exit 0
+    fi
+fi
+
+INPUT=$(cat)
+TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // empty')
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty')
+
+# bail early on non-git commands
+if [[ "$TOOL_NAME" != "Bash" ]] || [[ -z "$COMMAND" ]]; then
+    exit 0
+fi
+if [[ "$COMMAND" != *"git "* ]]; then
+    exit 0
+fi
+
+PROTECTED_BRANCHES="main|master"
+if [[ "$COMMAND" =~ git[[:space:]]+push[[:space:]].*--force ]] || \
+   [[ "$COMMAND" =~ git[[:space:]]+push[[:space:]].*-f([[:space:]]|$) ]]; then
+    # block if targeting a protected branch (word-boundary match) or no branch specified
+    if [[ "$COMMAND" =~ [[:space:]](main|master)[[:space:]] ]] || \
+       [[ "$COMMAND" =~ [[:space:]](main|master)$ ]] || \
+       [[ "$COMMAND" =~ git[[:space:]]+push[[:space:]]+-f$ ]] || \
+       [[ "$COMMAND" =~ git[[:space:]]+push[[:space:]]+--force$ ]]; then
+        block "Force-push to protected branch" "$COMMAND"
+    fi
+fi
+
+if [[ "$COMMAND" =~ git[[:space:]]+reset[[:space:]]+--hard ]]; then
+    if command -v git &> /dev/null; then
+        CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null)
+        if [[ "$CURRENT_BRANCH" =~ ^($PROTECTED_BRANCHES)$ ]]; then
+            block "Hard reset on protected branch" "Current branch: $CURRENT_BRANCH — $COMMAND"
+        fi
+    fi
+    warn "Hard reset detected" "Verify this is intentional: $COMMAND"
+fi
+
+if [[ "$COMMAND" =~ git[[:space:]]+commit ]]; then
+    if command -v git &> /dev/null; then
+        CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null)
+        if [[ "$CURRENT_BRANCH" =~ ^($PROTECTED_BRANCHES)$ ]]; then
+            warn "Direct commit to protected branch" "Current branch: $CURRENT_BRANCH — consider using a feature branch"
+        fi
+    fi
+fi
+
+# check staged files for sensitive filenames before commit
+if [[ "$COMMAND" =~ git[[:space:]]+commit ]]; then
+    if command -v git &> /dev/null; then
+        STAGED_FILES=$(git diff --cached --name-only 2>/dev/null)
+        if [[ -n "$STAGED_FILES" ]]; then
+            while IFS= read -r staged_file; do
+                staged_basename=$(basename "$staged_file")
+                case "$staged_basename" in
+                    .env|.env.local|.env.production|.env.development|\
+                    id_rsa|id_dsa|id_ed25519|\
+                    .npmrc|.pypirc)
+                        block "Sensitive file in staged changes" "File: $staged_file"
+                        ;;
+                esac
+            done <<< "$STAGED_FILES"
+        fi
+    fi
+fi
+
+# warn if .gitignore is missing common sensitive patterns
+if [[ "$COMMAND" =~ git[[:space:]]+init ]] || [[ "$COMMAND" =~ git[[:space:]]+add[[:space:]]+-A ]] || [[ "$COMMAND" =~ git[[:space:]]+add[[:space:]]+\. ]]; then
+    if [[ -f ".gitignore" ]]; then
+        if ! grep -q '\.env' .gitignore 2>/dev/null; then
+            warn ".gitignore missing .env" "Add .env to .gitignore to prevent accidental commits"
+        fi
+    else
+        warn "No .gitignore found" "Create a .gitignore before adding all files"
+    fi
+fi
+
+exit 0

package/hooks/security-scanner.sh

@@ -0,0 +1,527 @@
+#!/bin/bash
+#
+# security-scanner.sh — main detection engine for ChainWall
+#
+# Runs as a Claude Code hook on PreToolUse (blocking, layers 1-5) and
+# PostToolUse (warning only, layer 6). Scans tool inputs for credentials,
+# private keys, dangerous commands, PII, and prompt injection.
+#
+# Exit 0 = allow, exit 2 = block. Must stay under 50ms.
+#
+
+set -o pipefail
+
+# --- paths and config ---
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+PATTERNS_DIR="${REPO_ROOT}/patterns"
+
+RED_BOLD=$'\e[1;31m'
+YELLOW=$'\e[33m'
+RESET=$'\e[0m'
+
+CONFIG_GLOBAL="${HOME}/.llm-av/config.json"
+CONFIG_PROJECT=".llm-av/config.json"
+
+ALLOW_PATHS=""
+ALLOW_PATTERNS=""
+BLOCK_PATHS=""
+BLOCK_PATTERNS=""
+
+# jq is required but we can't break the user's workflow if it's missing
+if ! command -v jq &> /dev/null; then
+    echo "ERROR: jq is required for security hooks. Install: brew install jq (macOS) or apt install jq (Linux)" >&2
+    exit 0
+fi
+
+# --- config loading (global ~/.llm-av/ + project .llm-av/) ---
+
+load_config() {
+    if [[ -f "$CONFIG_GLOBAL" ]]; then
+        ALLOW_PATHS=$(jq -r '.allowlist.paths[]? // empty' "$CONFIG_GLOBAL" 2>/dev/null | tr '\n' '|')
+        ALLOW_PATTERNS=$(jq -r '.allowlist.patterns[]? // empty' "$CONFIG_GLOBAL" 2>/dev/null | tr '\n' '|')
+        BLOCK_PATHS=$(jq -r '.blocklist.paths[]? // empty' "$CONFIG_GLOBAL" 2>/dev/null | tr '\n' '|')
+        BLOCK_PATTERNS=$(jq -r '.blocklist.patterns[]? // empty' "$CONFIG_GLOBAL" 2>/dev/null | tr '\n' '|')
+    fi
+
+    # project config extends global (additive, not override)
+    if [[ -f "$CONFIG_PROJECT" ]]; then
+        local proj_allow_paths proj_allow_patterns proj_block_paths proj_block_patterns
+        proj_allow_paths=$(jq -r '.allowlist.paths[]? // empty' "$CONFIG_PROJECT" 2>/dev/null | tr '\n' '|')
+        proj_allow_patterns=$(jq -r '.allowlist.patterns[]? // empty' "$CONFIG_PROJECT" 2>/dev/null | tr '\n' '|')
+        proj_block_paths=$(jq -r '.blocklist.paths[]? // empty' "$CONFIG_PROJECT" 2>/dev/null | tr '\n' '|')
+        proj_block_patterns=$(jq -r '.blocklist.patterns[]? // empty' "$CONFIG_PROJECT" 2>/dev/null | tr '\n' '|')
+
+        # merge: avoid double-pipe when base is empty
+        if [[ -n "$proj_allow_paths" ]]; then
+            [[ -n "$ALLOW_PATHS" ]] && ALLOW_PATHS="${ALLOW_PATHS}|${proj_allow_paths}" || ALLOW_PATHS="$proj_allow_paths"
+        fi
+        if [[ -n "$proj_allow_patterns" ]]; then
+            [[ -n "$ALLOW_PATTERNS" ]] && ALLOW_PATTERNS="${ALLOW_PATTERNS}|${proj_allow_patterns}" || ALLOW_PATTERNS="$proj_allow_patterns"
+        fi
+        if [[ -n "$proj_block_paths" ]]; then
+            [[ -n "$BLOCK_PATHS" ]] && BLOCK_PATHS="${BLOCK_PATHS}|${proj_block_paths}" || BLOCK_PATHS="$proj_block_paths"
+        fi
+        if [[ -n "$proj_block_patterns" ]]; then
+            [[ -n "$BLOCK_PATTERNS" ]] && BLOCK_PATTERNS="${BLOCK_PATTERNS}|${proj_block_patterns}" || BLOCK_PATTERNS="$proj_block_patterns"
+        fi
+    fi
+
+    # trim stray pipe chars
+    ALLOW_PATHS="${ALLOW_PATHS#|}"; ALLOW_PATHS="${ALLOW_PATHS%|}"
+    ALLOW_PATTERNS="${ALLOW_PATTERNS#|}"; ALLOW_PATTERNS="${ALLOW_PATTERNS%|}"
+    BLOCK_PATHS="${BLOCK_PATHS#|}"; BLOCK_PATHS="${BLOCK_PATHS%|}"
+    BLOCK_PATTERNS="${BLOCK_PATTERNS#|}"; BLOCK_PATTERNS="${BLOCK_PATTERNS%|}"
+}
+
+# --- YAML pattern loading (used by security-audit.sh, not the hot path) ---
+load_patterns() {
+    local yaml_file="$1"
+    local severity_filter="${2:-}"
+
+    [[ ! -f "$yaml_file" ]] && return
+
+    if [[ -n "$severity_filter" ]]; then
+        grep -A1 "severity: $severity_filter" "$yaml_file" 2>/dev/null \
+            | grep 'regex:' \
+            | sed 's/.*regex: *"//' \
+            | sed 's/"$//' \
+            | tr '\n' '|' \
+            | sed 's/|$//'
+    else
+        grep '^\s*regex:' "$yaml_file" 2>/dev/null \
+            | sed 's/.*regex: *"//' \
+            | sed 's/"$//' \
+            | tr '\n' '|' \
+            | sed 's/|$//'
+    fi
+}
+
+# --- allowlist ---
+check_allowlist() {
+    local value="$1"
+    local patterns="$2"
+
+    [[ -z "$patterns" ]] && return 1
+
+    local IFS='|'
+    for pattern in $patterns; do
+        [[ -n "$pattern" ]] && [[ "$value" =~ $pattern ]] && return 0
+    done
+
+    return 1
+}
+
+# --- audit + blocking helpers ---
+
+log_event() {
+    local severity="$1"
+    local category="$2"
+    local pattern="$3"
+    local content="$4"
+
+    local audit_dir=".llm-av"
+    local audit_file="${audit_dir}/audit.jsonl"
+
+    mkdir -p "$audit_dir"
+
+    local timestamp
+    timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+    # keep audit entries reasonable
+    local truncated_content="${content:0:200}"
+
+    jq -cn \
+        --arg timestamp "$timestamp" \
+        --arg severity "$severity" \
+        --arg category "$category" \
+        --arg pattern "$pattern" \
+        --arg tool "${TOOL_NAME:-unknown}" \
+        --arg content "$truncated_content" \
+        '{timestamp:$timestamp,severity:$severity,category:$category,pattern:$pattern,tool:$tool,content:$content}' \
+        >> "$audit_file" 2>/dev/null
+
+    # rotate at 10MB
+    if [[ -f "$audit_file" ]]; then
+        local size
+        size=$(wc -c < "$audit_file" 2>/dev/null | tr -d ' ')
+        if [[ "$size" -gt 10485760 ]]; then
+            mv "$audit_file" "${audit_file}.$(date +%s)" 2>/dev/null
+        fi
+    fi
+}
+
+block() {
+    local category="$1"
+    local pattern_name="$2"
+    local detail="$3"
+
+    echo -e "${RED_BOLD}BLOCKED: ${pattern_name}${RESET}" >&2
+    echo -e "${RED_BOLD}Detail: ${detail}${RESET}" >&2
+    echo -e "${RED_BOLD}Config: ~/.llm-av/config.json or .llm-av/config.json${RESET}" >&2
+    if [[ -n "$FILE_PATH" ]]; then
+        echo -e "${YELLOW}To allow: chainwall allow ${FILE_PATH}${RESET}" >&2
+    fi
+
+    log_event "block" "$category" "$pattern_name" "$detail"
+    exit 2
+}
+
+warn() {
+    local category="$1"
+    local pattern_name="$2"
+    local detail="$3"
+
+    echo -e "${YELLOW}WARNING: ${pattern_name}${RESET}" >&2
+    echo -e "${YELLOW}Detail: ${detail}${RESET}" >&2
+
+    log_event "warn" "$category" "$pattern_name" "$detail"
+    # Never exit — warnings don't block
+}
+
+# --- escape hatch ---
+
+if [[ "${LLMAV_SKIP:-}" == "1" ]]; then
+    echo -e "${YELLOW}WARNING: Security checks bypassed via LLMAV_SKIP${RESET}" >&2
+    log_event "bypass" "escape_hatch" "LLMAV_SKIP=1" "All checks skipped"
+    exit 0
+fi
+
+# --- protection toggle ---
+if [[ -f "$CONFIG_GLOBAL" ]]; then
+    PROTECTION_ENABLED=$(jq -r 'if .enabled == false then "false" else "true" end' "$CONFIG_GLOBAL" 2>/dev/null)
+    if [[ "$PROTECTION_ENABLED" == "false" ]]; then
+        log_event "info" "protection_disabled" "protection_disabled" "Real-time protection disabled"
+        exit 0
+    fi
+fi
+
+# --- main: parse input and run detection layers ---
+
+load_config
+
+INPUT=$(cat)
+
+# Extract fields from JSON input. Using individual jq calls instead of
+# eval+@sh — slightly slower but avoids eval in a security-critical path.
+HOOK_TYPE=$(echo "$INPUT" | jq -r '.hook_type // "pre"')
+SESSION_ID=$(echo "$INPUT" | jq -r '.session_id // empty')
+TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // empty')
+FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.content // empty')
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty')
+TOOL_OUTPUT=$(echo "$INPUT" | jq -r '.tool_output // empty')
+
+# strip anything that could be used for path traversal
+SESSION_ID=$(printf '%s' "$SESSION_ID" | tr -cd 'a-zA-Z0-9_-')
+
+# session duration tracking (show how long the agent has been running)
+if [[ -n "$SESSION_ID" ]]; then
+    TMPDIR_PATH="${TMPDIR:-/tmp}"
+    TMPDIR_PATH="${TMPDIR_PATH%/}"
+    STATE_FILE="${TMPDIR_PATH}/llm-av-session-${SESSION_ID}.json"
+
+    if [[ ! -f "$STATE_FILE" ]]; then
+        START_TIME=$(date +%s)
+        TMP_STATE="${STATE_FILE}.tmp.$$"
+        jq -n --arg start "$START_TIME" '{start_time: $start}' > "$TMP_STATE"
+        mv "$TMP_STATE" "$STATE_FILE" 2>/dev/null || true
+    fi
+
+    if [[ -f "$STATE_FILE" ]]; then
+        START_TIME=$(jq -r '.start_time' "$STATE_FILE" 2>/dev/null)
+        if [[ -n "$START_TIME" ]] && [[ "$START_TIME" =~ ^[0-9]+$ ]]; then
+            CURRENT_TIME=$(date +%s)
+            ELAPSED=$((CURRENT_TIME - START_TIME))
+            HOURS=$((ELAPSED / 3600))
+            MINUTES=$(((ELAPSED % 3600) / 60))
+            SECS=$((ELAPSED % 60))
+
+            if (( HOURS >= 24 )); then
+                DAYS=$((HOURS / 24)); HOURS=$((HOURS % 24))
+                DURATION="${DAYS}d ${HOURS}h ${MINUTES}m"
+            elif (( HOURS > 0 )); then
+                DURATION="${HOURS}h ${MINUTES}m ${SECS}s"
+            elif (( MINUTES > 0 )); then
+                DURATION="${MINUTES}m ${SECS}s"
+            else
+                DURATION="${SECS}s"
+            fi
+            echo -e "${YELLOW}Session duration: ${DURATION}${RESET}" >&2
+        fi
+    fi
+fi
+
+# combine all text fields for scanning
+TEXT_TO_CHECK=""
+[[ -n "$CONTENT" ]] && TEXT_TO_CHECK="$CONTENT"
+[[ -n "$COMMAND" ]] && TEXT_TO_CHECK="$TEXT_TO_CHECK $COMMAND"
+[[ -n "$TOOL_OUTPUT" ]] && TEXT_TO_CHECK="$TEXT_TO_CHECK $TOOL_OUTPUT"
+
+# ======================================================================
+# BLOCKING LAYERS (1-5) — PreToolUse only
+# ======================================================================
+
+if [[ "$HOOK_TYPE" != "post" ]]; then
+
+    # -- layer 1: file blocklist --
+    if [[ -n "$FILE_PATH" ]]; then
+        if ! check_allowlist "$FILE_PATH" "$ALLOW_PATHS"; then
+            BASENAME=$(basename "$FILE_PATH")
+
+            case "$BASENAME" in
+                config.json)
+                    if [[ "$FILE_PATH" == *".llm-av/"* ]] || [[ "$FILE_PATH" == *"/.llm-av/"* ]]; then
+                        block "file_access" "Security config modification prevented" "$FILE_PATH"
+                    else
+                        block "file_access" "Sensitive file access prevented" "$FILE_PATH"
+                    fi
+                    ;;
+                .env|.env.local|.env.production|.env.development|\
+                credentials|id_rsa|id_dsa|id_ed25519|\
+                secrets.json|credentials.json|.npmrc|.pypirc)
+                    block "file_access" "Sensitive file access prevented" "$FILE_PATH"
+                    ;;
+            esac
+        fi
+    fi
+
+    # -- layer 1.5: custom blocklist paths --
+    check_block_paths() {
+        local IFS='|'
+        for pattern in $BLOCK_PATHS; do
+            [[ -n "$pattern" ]] && [[ "$FILE_PATH" =~ $pattern ]] && \
+                block "custom_blocklist" "Custom blocklist path matched" "$FILE_PATH (pattern: $pattern)"
+        done
+    }
+    if [[ -n "$BLOCK_PATHS" ]] && [[ -n "$FILE_PATH" ]]; then
+        check_block_paths
+    fi
+
+    # content-based checks (layers 2-5)
+    if [[ -n "$TEXT_TO_CHECK" ]]; then
+
+        # -- layer 2.5: custom blocklist patterns --
+        if ! check_allowlist "$TEXT_TO_CHECK" "$ALLOW_PATTERNS"; then
+            check_block_patterns() {
+                local IFS='|'
+                for pattern in $BLOCK_PATTERNS; do
+                    [[ -n "$pattern" ]] && [[ "$TEXT_TO_CHECK" =~ $pattern ]] && \
+                        block "custom_blocklist" "Custom blocklist pattern matched" "pattern: $pattern"
+                done
+            }
+            if [[ -n "$BLOCK_PATTERNS" ]]; then
+                check_block_patterns
+            fi
+        fi
+
+        # -- layer 2: credentials (hardcoded for speed, not skippable via allowlist) --
+        if [[ "$TEXT_TO_CHECK" =~ AKIA[0-9A-Z]{16} ]]; then
+            block "credential" "AWS Access Key detected" "AKIA[0-9A-Z]{16}"
+        fi
+        if [[ "$TEXT_TO_CHECK" =~ ghp_[a-zA-Z0-9]{36} ]]; then
+            block "credential" "GitHub Personal Access Token detected" "ghp_[a-zA-Z0-9]{36}"
+        fi
+        if [[ "$TEXT_TO_CHECK" =~ github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59} ]]; then
+            block "credential" "GitHub Fine-Grained Token detected" "github_pat_*"
+        fi
+        if [[ "$TEXT_TO_CHECK" =~ gh[ours]_[a-zA-Z0-9]{36} ]]; then
+            block "credential" "GitHub OAuth/App Token detected" "gh[ours]_*"
+        fi
+        if [[ "$TEXT_TO_CHECK" =~ sk-ant-[a-zA-Z0-9_-]{40,} ]]; then
+            block "credential" "Anthropic API Key detected" "sk-ant-*"
+        elif [[ "$TEXT_TO_CHECK" =~ sk-proj-[a-zA-Z0-9_-]{48,} ]]; then
+            block "credential" "OpenAI Project API Key detected" "sk-proj-*"
+        elif [[ "$TEXT_TO_CHECK" =~ sk-[a-zA-Z0-9_-]{48} ]]; then
+            block "credential" "OpenAI API Key detected" "sk-[a-zA-Z0-9_-]{48}"
+        fi
+        if [[ "$TEXT_TO_CHECK" =~ xox[pboa]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24,} ]]; then
+            block "credential" "Slack Token detected" "xox[pboa]-*"
+        fi
+        if [[ "$TEXT_TO_CHECK" =~ sk_(live|test)_[a-zA-Z0-9]{24,} ]]; then
+            block "credential" "Stripe API Key detected" "sk_(live|test)_*"
+        fi
+        if [[ "$TEXT_TO_CHECK" =~ SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43} ]]; then
+            block "credential" "SendGrid API Key detected" "SG.*"
+        fi
+        if [[ "$TEXT_TO_CHECK" =~ SK[a-f0-9]{32} ]]; then
+            block "credential" "Twilio API Key detected" "SK[hex]{32}"
+        fi
+        if [[ "$TEXT_TO_CHECK" =~ AIza[0-9A-Za-z_-]{35} ]]; then
+            block "credential" "Google API Key detected" "AIza*"
+        fi
+        if [[ "$TEXT_TO_CHECK" =~ Authorization:[[:space:]]*Bearer[[:space:]]+[a-zA-Z0-9_-]{20,} ]] || \
+           [[ "$TEXT_TO_CHECK" =~ Bearer[[:space:]]+ey[a-zA-Z0-9_-]{20,} ]]; then
+            block "credential" "Bearer token detected" "Bearer [token]"
+        fi
+        # gitlab
+        if [[ "$TEXT_TO_CHECK" =~ glpat-[a-zA-Z0-9_-]{20,} ]]; then
+            block "credential" "GitLab Personal Access Token detected" "glpat-*"
+        fi
+        # npm
+        if [[ "$TEXT_TO_CHECK" =~ npm_[a-zA-Z0-9]{36} ]]; then
+            block "credential" "npm Access Token detected" "npm_*"
+        fi
+        # hashicorp vault
+        if [[ "$TEXT_TO_CHECK" =~ hvs\.[a-zA-Z0-9_-]{24,} ]]; then
+            block "credential" "Vault Token detected" "hvs.*"
+        fi
+        # databricks
+        if [[ "$TEXT_TO_CHECK" =~ dapi[a-f0-9]{32} ]]; then
+            block "credential" "Databricks Access Token detected" "dapi*"
+        fi
+        # shopify
+        if [[ "$TEXT_TO_CHECK" =~ shp(at|ca|pa)_[a-f0-9]{32} ]]; then
+            block "credential" "Shopify Token detected" "shp*_*"
+        fi
+
+        # -- layer 3: private keys (PEM headers) --
+        if [[ "$TEXT_TO_CHECK" == *"-----BEGIN RSA PRIVATE KEY-----"* ]]; then
+            block "private_key" "RSA private key detected" "-----BEGIN RSA PRIVATE KEY-----"
+        fi
+        if [[ "$TEXT_TO_CHECK" == *"-----BEGIN DSA PRIVATE KEY-----"* ]]; then
+            block "private_key" "DSA private key detected" "-----BEGIN DSA PRIVATE KEY-----"
+        fi
+        if [[ "$TEXT_TO_CHECK" == *"-----BEGIN EC PRIVATE KEY-----"* ]]; then
+            block "private_key" "EC private key detected" "-----BEGIN EC PRIVATE KEY-----"
+        fi
+        if [[ "$TEXT_TO_CHECK" == *"-----BEGIN OPENSSH PRIVATE KEY-----"* ]]; then
+            block "private_key" "OpenSSH private key detected" "-----BEGIN OPENSSH PRIVATE KEY-----"
+        fi
+        if [[ "$TEXT_TO_CHECK" == *"-----BEGIN PGP PRIVATE KEY BLOCK-----"* ]]; then
+            block "private_key" "PGP private key detected" "-----BEGIN PGP PRIVATE KEY BLOCK-----"
+        fi
+    fi
+
+    # -- layer 4: dangerous commands (not skippable via allowlist) --
+    if [[ -n "$COMMAND" ]]; then
+        if [[ "$COMMAND" =~ rm[[:space:]]+-[^[:space:]]*r[^[:space:]]*f ]] || \
+           [[ "$COMMAND" =~ rm[[:space:]]+-[^[:space:]]*f[^[:space:]]*r ]]; then
+            block "dangerous_command" "rm -rf (recursive force delete)" "$COMMAND"
+        fi
+        # catch separated flags: rm -r -f, rm --recursive --force, etc.
+        if [[ "$COMMAND" =~ rm[[:space:]] ]]; then
+            if { [[ "$COMMAND" =~ [[:space:]]-[^[:space:]]*r ]] || [[ "$COMMAND" =~ --recursive ]]; } && \
+               { [[ "$COMMAND" =~ [[:space:]]-f([[:space:]]|$) ]] || [[ "$COMMAND" =~ --force ]]; }; then
+                block "dangerous_command" "rm -rf (recursive force delete)" "$COMMAND"
+            fi
+        fi
+
+        # download-and-execute
+        if [[ "$COMMAND" =~ (curl|wget)[[:space:]].+\|[[:space:]]*(bash|sh|zsh|ksh|dash|fish|python|perl|ruby|node) ]]; then
+            block "dangerous_command" "Download piped to shell interpreter" "$COMMAND"
+        fi
+
+        if [[ "$COMMAND" =~ chmod[[:space:]]+777 ]]; then
+            block "dangerous_command" "chmod 777 (world-writable permissions)" "$COMMAND"
+        fi
+
+        if [[ "$COMMAND" =~ dd[[:space:]].+of=/dev/ ]]; then
+            block "dangerous_command" "dd to device (potential disk destruction)" "$COMMAND"
+        fi
+
+        if [[ "$COMMAND" =~ mkfs ]]; then
+            block "dangerous_command" "mkfs (filesystem format)" "$COMMAND"
+        fi
+
+        if [[ "$COMMAND" =~ \>/dev/(sd|hd|nvme|vd|xvd) ]]; then
+            block "dangerous_command" "Direct device write" "$COMMAND"
+        fi
+
+        # reverse shells
+        if [[ "$COMMAND" =~ /dev/tcp/ ]] || \
+           [[ "$COMMAND" =~ bash[[:space:]]+-i[[:space:]]+\>\& ]]; then
+            block "dangerous_command" "Reverse shell pattern detected" "$COMMAND"
+        fi
+
+        if [[ "$COMMAND" =~ LD_PRELOAD= ]]; then
+            block "dangerous_command" "LD_PRELOAD injection" "$COMMAND"
+        fi
+
+        if [[ "$COMMAND" =~ base64[[:space:]]+(-d|--decode).*\|[[:space:]]*(bash|sh|eval) ]]; then
+            block "dangerous_command" "Base64 decode piped to shell" "$COMMAND"
+        fi
+
+        # -- layer 4.5: supply chain --
+        if [[ "$COMMAND" =~ pip3?[[:space:]]+install[[:space:]]+https?:// ]]; then
+            block "supply_chain" "pip install from URL (bypass PyPI vetting)" "$COMMAND"
+        fi
+        if [[ "$COMMAND" =~ npm[[:space:]]+(config[[:space:]]+set|install).*registry[[:space:]]*= ]]; then
+            block "supply_chain" "npm registry override (dependency confusion risk)" "$COMMAND"
+        fi
+        if [[ "$COMMAND" =~ rm[[:space:]]+(-f[[:space:]]+)?(package-lock\.json|yarn\.lock|pnpm-lock\.yaml|Gemfile\.lock|poetry\.lock) ]]; then
+            block "supply_chain" "Lock file deletion (dependency substitution risk)" "$COMMAND"
+        fi
+    fi
+
+    # -- layer 5: PII (SSN with validation, credit cards with BIN check) --
+    if [[ -n "$TEXT_TO_CHECK" ]]; then
+        if [[ "$TEXT_TO_CHECK" =~ ([0-9]{3})-([0-9]{2})-([0-9]{4}) ]]; then
+            SSN_FIRST="${BASH_REMATCH[1]}"
+            SSN_MIDDLE="${BASH_REMATCH[2]}"
+            SSN_LAST="${BASH_REMATCH[3]}"
+            if [[ "$SSN_FIRST" != "000" && "$SSN_FIRST" != "666" && "$SSN_MIDDLE" != "00" && "$SSN_LAST" != "0000" ]]; then
+                SSN_NUM=$((10#$SSN_FIRST))
+                if (( SSN_NUM < 900 )); then
+                    block "pii" "Potential SSN detected (XXX-XX-XXXX)" "${BASH_REMATCH[0]}"
+                fi
+            fi
+        fi
+
+        # credit cards: match 15-16 digits, then verify BIN range (4=Visa, 51-55=MC, 34/37=Amex 15-digit, 60/65=Discover)
+        if [[ "$TEXT_TO_CHECK" =~ ([0-9]{4})[-[:space:]]?[0-9]{4}[-[:space:]]?[0-9]{4}[-[:space:]]?[0-9]{3,4} ]]; then
+            CC_FIRST4="${BASH_REMATCH[1]}"
+            CC_FIRST2="${CC_FIRST4:0:2}"
+            CC_FIRST1="${CC_FIRST4:0:1}"
+            # known BIN prefixes
+            if [[ "$CC_FIRST1" == "4" ]] || \
+               [[ "$CC_FIRST2" == "51" || "$CC_FIRST2" == "52" || "$CC_FIRST2" == "53" || "$CC_FIRST2" == "54" || "$CC_FIRST2" == "55" ]] || \
+               [[ "$CC_FIRST2" == "34" || "$CC_FIRST2" == "37" ]] || \
+               [[ "$CC_FIRST2" == "60" || "$CC_FIRST2" == "65" ]]; then
+                block "pii" "Potential credit card number detected" "XXXX-XXXX-XXXX-XXXX pattern"
+            fi
+        fi
+    fi
+
+fi  # end blocking layers
+
+# ======================================================================
+# WARNING LAYER (6) — runs on both pre and post, never blocks
+# ======================================================================
+
+if [[ -n "$TEXT_TO_CHECK" ]]; then
+    TEXT_LOWER=$(echo "$TEXT_TO_CHECK" | tr '[:upper:]' '[:lower:]')
+
+    # instruction override attempts
+    if [[ "$TEXT_LOWER" == *"ignore previous instructions"* ]] || \
+       [[ "$TEXT_LOWER" == *"ignore all previous"* ]] || \
+       [[ "$TEXT_LOWER" == *"disregard all prior"* ]] || \
+       [[ "$TEXT_LOWER" == *"disregard previous"* ]]; then
+        warn "prompt_injection" "Potential prompt injection detected" "instruction override phrase"
+    fi
+
+    # role confusion / privilege escalation claims
+    if [[ "$TEXT_LOWER" =~ (i\ am|acting\ as|my\ role\ is).*(system|admin|root|developer\ mode|superuser) ]]; then
+        warn "prompt_injection" "Potential role confusion detected" "role assumption phrase"
+    fi
+
+    # system prompt leakage
+    if [[ "$TEXT_LOWER" == *"you are a helpful"* ]] || \
+       [[ "$TEXT_LOWER" == *"your instructions are"* ]] || \
+       [[ "$TEXT_LOWER" == *"your system prompt"* ]] || \
+       [[ "$TEXT_LOWER" == *"reveal your prompt"* ]] || \
+       [[ "$TEXT_LOWER" == *"show system prompt"* ]]; then
+        warn "prompt_injection" "Potential system prompt leakage" "system prompt fragment"
+    fi
+
+    # known jailbreak keywords
+    if [[ "$TEXT_LOWER" == *"developer mode"* ]] || \
+       [[ "$TEXT_LOWER" == *"jailbreak"* ]] || \
+       [[ "$TEXT_LOWER" == *"dan mode"* ]]; then
+        warn "prompt_injection" "Potential jailbreak attempt detected" "jailbreak keyword"
+    fi
+fi
+
+# nothing caught — let it through
+exit 0