chainwall 0.1.0

package/patterns/prompt-injection.yaml

@@ -0,0 +1,131 @@
+# ChainWall — Prompt Injection Detection Patterns
+#
+# Layer 6 patterns for detecting prompt injection, jailbreak attempts,
+# system prompt disclosure, and role confusion attacks.
+# Reference database. Consumed by security-audit.sh for project scanning.
+# Critical patterns are hardcoded in hooks for real-time enforcement.
+#
+# These are WARNING-ONLY (never block) due to high false-positive risk.
+#
+# Fields:
+#   name:        Human-readable pattern name
+#   regex:       POSIX ERE with `(?i)` prefix convention (stripped by scanner, replaced with -i flag)
+#   severity:    medium | low
+#   description: What attack vector this detects
+#   action:      warn  (never block)
+
+patterns:
+
+  # ── Instruction Override ─────────────────────────────────────────────
+  - name: Ignore Previous Instructions
+    regex: "(?i)ignore\\s+(all\\s+)?previous\\s+instructions"
+    severity: medium
+    description: "Attempts to override prior system/user instructions"
+    action: warn
+
+  - name: Disregard Prior Instructions
+    regex: "(?i)disregard\\s+(all\\s+)?prior|disregard\\s+previous"
+    severity: medium
+    description: "Attempts to nullify previously given instructions"
+    action: warn
+
+  - name: Forget Instructions
+    regex: "(?i)forget\\s+(all|your|previous|prior)\\s+(instructions|rules|constraints)"
+    severity: medium
+    description: "Attempts to make the model forget its instructions"
+    action: warn
+
+  - name: New Instructions Override
+    regex: "(?i)(new|updated|revised)\\s+instructions?:?\\s+(you|from now)"
+    severity: medium
+    description: "Claims to provide replacement instructions"
+    action: warn
+
+  # ── Role Confusion / Impersonation ───────────────────────────────────
+  - name: Role Assumption
+    regex: "(?i)(i am|acting as|my role is)\\s*.*(system|admin|root|developer mode|superuser)"
+    severity: medium
+    description: "Claims privileged identity to manipulate agent behavior"
+    action: warn
+
+  - name: Authority Claim
+    regex: "(?i)(authorized|permission|clearance)\\s+to\\s+(access|bypass|override|disable)"
+    severity: medium
+    description: "Claims special authorization to bypass restrictions"
+    action: warn
+
+  - name: Admin Override
+    regex: "(?i)admin\\s+override|maintenance\\s+mode|debug\\s+mode\\s+enabled"
+    severity: medium
+    description: "Claims special operational mode to change behavior"
+    action: warn
+
+  # ── System Prompt Extraction ─────────────────────────────────────────
+  - name: System Prompt Disclosure
+    regex: "(?i)(reveal|show|print|display|output|repeat)\\s+(your|the|system)\\s+(prompt|instructions|rules)"
+    severity: medium
+    description: "Attempts to extract the system prompt or instructions"
+    action: warn
+
+  - name: Prompt Fragments
+    regex: "(?i)(you are a helpful|your instructions are|your system prompt)"
+    severity: medium
+    description: "Contains fragments suggesting system prompt leakage"
+    action: warn
+
+  - name: Instruction Reflection
+    regex: "(?i)(what are your|tell me your|list your)\\s+(instructions|rules|constraints|guidelines)"
+    severity: medium
+    description: "Asks the model to reflect on its own instructions"
+    action: warn
+
+  # ── Jailbreak Attempts ──────────────────────────────────────────────
+  - name: DAN/Jailbreak Keywords
+    regex: "(?i)(developer mode|jailbreak|dan mode|dude mode|chaos mode)"
+    severity: medium
+    description: "Uses known jailbreak persona or mode names"
+    action: warn
+
+  - name: Do Anything Now
+    regex: "(?i)do anything now|no restrictions|without (any )?(restrictions|limitations|filters)"
+    severity: medium
+    description: "Attempts to remove model safety constraints"
+    action: warn
+
+  - name: Hypothetical Bypass
+    regex: "(?i)(pretend|imagine|hypothetically|in a fictional|roleplay).*(no (rules|restrictions|limits)|anything goes)"
+    severity: medium
+    description: "Uses hypothetical framing to bypass safety measures"
+    action: warn
+
+  # ── Encoded/Obfuscated Injection ─────────────────────────────────────
+  - name: Base64 Instruction
+    regex: "(?i)(decode|base64|b64)\\s+(this|the following|and follow|instructions)"
+    severity: medium
+    description: "Attempts to pass encoded instructions"
+    action: warn
+
+  - name: Markdown/Code Block Injection
+    regex: "(?i)```\\s*(system|instructions|prompt)"
+    severity: low
+    description: "Attempts to inject instructions via code block formatting"
+    action: warn
+
+  # ── Output Manipulation ──────────────────────────────────────────────
+  - name: Output Suppression
+    regex: "(?i)do not (mention|reveal|tell|say|output|show).*(blocked|detected|security|antivirus|hook)"
+    severity: medium
+    description: "Attempts to suppress security detection output"
+    action: warn
+
+  - name: Response Formatting Attack
+    regex: "(?i)(respond only with|your response must be|output exactly|say only)"
+    severity: low
+    description: "Attempts to control model output format for injection"
+    action: warn
+
+  - name: Output Suppression Override
+    regex: "(?i)do not (output|print|show|display).*previous"
+    severity: medium
+    description: "Attempts to suppress display of previous context or instructions"
+    action: warn

package/patterns/supply-chain.yaml

@@ -0,0 +1,119 @@
+# ChainWall — Supply Chain Attack Detection Patterns
+#
+# Patterns for detecting supply chain compromise vectors that AI agents
+# might introduce: typosquatting packages, suspicious install scripts,
+# dependency confusion, and post-install exploitation.
+# Reference database. Consumed by security-audit.sh for project scanning.
+# Critical patterns are hardcoded in hooks for real-time enforcement.
+#
+# Fields:
+#   name:        Human-readable pattern name
+#   regex:       POSIX ERE with `(?i)` prefix convention (stripped by scanner, replaced with -i flag)
+#   severity:    critical | high | medium
+#   description: What supply chain vector this detects
+#   scope:       command | content | both
+
+patterns:
+
+  # ── Suspicious Package Installation ──────────────────────────────────
+
+  - name: pip Install from URL
+    regex: "pip3?\\s+install\\s+https?://"
+    severity: high
+    description: "Installs Python package from arbitrary URL — bypass PyPI vetting"
+    scope: command
+
+  - name: pip Install Trusted Host
+    regex: "pip3?\\s+install.*--trusted-host"
+    severity: high
+    description: "Installs Python package with TLS verification disabled"
+    scope: command
+
+  - name: npm Registry Override
+    regex: "npm\\s+(config\\s+set|install).*registry\\s*="
+    severity: high
+    description: "Overrides npm registry — potential dependency confusion"
+    scope: command
+
+  - name: Gem Install from Source
+    regex: "gem\\s+install.*--source\\s+https?://"
+    severity: high
+    description: "Installs Ruby gem from custom source"
+    scope: command
+
+  # ── Post-Install Scripts ─────────────────────────────────────────────
+  - name: Package.json Lifecycle Script with Network
+    regex: "\"(preinstall|postinstall|prepare)\":\\s*\".*curl|\"(preinstall|postinstall|prepare)\":\\s*\".*wget"
+    severity: critical
+    description: "Package lifecycle script makes network requests — exfiltration vector"
+    scope: content
+
+  - name: Package.json Lifecycle Script with Eval
+    regex: "\"(preinstall|postinstall|prepare)\":\\s*\".*eval|\"(preinstall|postinstall|prepare)\":\\s*\".*node -e"
+    severity: critical
+    description: "Package lifecycle script evaluates dynamic code"
+    scope: content
+
+  - name: Setup.py OS Command
+    regex: "os\\.system\\(|subprocess\\.call\\(|subprocess\\.run\\(|subprocess\\.Popen\\("
+    severity: medium
+    description: "Python setup.py executes system commands — common in malicious packages"
+    scope: content
+
+  # ── Dependency Manipulation ──────────────────────────────────────────
+  - name: Git Dependency with Commit Hash
+    regex: "\"git\\+https?://.*#[a-f0-9]{40}\""
+    severity: medium
+    description: "Git dependency pinned to specific commit — verify source legitimacy"
+    scope: content
+
+  - name: Private Registry in Lockfile
+    regex: "resolved.*https?://(?!registry\\.(npmjs\\.org|yarnpkg\\.com))"
+    severity: medium
+    description: "Package resolved from non-standard registry in lockfile"
+    scope: content
+
+  - name: NPM Scope Confusion
+    regex: "\"@[a-z]+/[a-z]+-[a-z]+\":\\s*\"[*~^]"
+    severity: low
+    description: "Scoped package with loose version — verify scope ownership"
+    scope: content
+
+  # ── Binary/Native Modules ────────────────────────────────────────────
+  - name: Native Module Prebuild Download
+    regex: "(prebuild-install|node-pre-gyp|node-gyp)\\s+(install|rebuild)"
+    severity: medium
+    description: "Downloads prebuilt native binaries — verify binary integrity"
+    scope: command
+
+  # ── Lock File Manipulation ───────────────────────────────────────────
+  - name: Lock File Deletion
+    regex: "rm\\s+(-f\\s+)?(package-lock\\.json|yarn\\.lock|pnpm-lock\\.yaml|Gemfile\\.lock|poetry\\.lock)"
+    severity: high
+    description: "Deletes dependency lock file — allows dependency substitution"
+    scope: command
+
+  - name: Lock File Git Checkout
+    regex: "git\\s+checkout\\s+--\\s+(package-lock\\.json|yarn\\.lock|pnpm-lock\\.yaml)"
+    severity: medium
+    description: "Reverts lock file to older version — may reintroduce vulnerable dependencies"
+    scope: command
+
+  # ── Container Image Supply Chain ─────────────────────────────────────
+  - name: Docker Image Without Tag
+    regex: "docker\\s+(pull|run)\\s+[a-z]+/[a-z]+\\s"
+    severity: medium
+    description: "Pulls Docker image without explicit tag — defaults to :latest, mutable reference"
+    scope: command
+
+  - name: Docker Image from Unknown Registry
+    regex: "docker\\s+(pull|run)\\s+[a-z]+\\.[a-z]+\\.[a-z]+/"
+    severity: medium
+    description: "Pulls Docker image from non-standard registry"
+    scope: command
+
+  - name: Dependency Confusion
+    regex: "--extra-index-url"
+    severity: high
+    description: "Adds extra PyPI index — dependency confusion attack vector"
+    scope: command

package/rules/AGENTS.md

@@ -0,0 +1,60 @@
+# Security Rules for AI Coding Agents
+
+These rules are enforced by ChainWall hooks and apply to all AI agents
+operating in this repository. Violations are blocked or logged automatically.
+
+## NEVER (Blocking — agent will be stopped)
+
+1. **NEVER write credentials** — No API keys, tokens, passwords, or secrets in
+   code, configs, or commands. Use environment variables or secret managers.
+2. **NEVER access sensitive files** — Do not read/write `.env`, `credentials.json`,
+   `secrets.json`, SSH private keys (`id_rsa`, `id_dsa`, `id_ed25519`), `.npmrc`,
+   or `.pypirc`.
+3. **NEVER run destructive commands** — No `rm -rf`, `mkfs`, `dd of=/dev/*`,
+   `chmod 777`, or redirect to block devices.
+4. **NEVER pipe downloads to shell** — No `curl|bash`, `wget|sh`, or equivalent
+   remote code execution patterns.
+5. **NEVER expose PII** — No Social Security numbers, credit card numbers, bank
+   account numbers, or medical record identifiers in outputs.
+6. **NEVER write private keys** — No PEM-format private keys (RSA, DSA, EC,
+   OpenSSH, PGP) in any file or command.
+7. **NEVER force-push to main** — No `git push --force` to main/master branches.
+   No `git reset --hard` on shared branches.
+8. **NEVER install unverified packages** — No packages from arbitrary URLs, no
+   registry overrides, no lifecycle scripts with network calls.
+
+## ALWAYS (Guidance — high compliance expected)
+
+1. **ALWAYS use environment variables** for secrets — reference `process.env.*`,
+   `os.environ`, or equivalent instead of literal values.
+2. **ALWAYS validate inputs** at system boundaries — sanitize user input, API
+   responses, and file contents before processing.
+3. **ALWAYS use parameterized queries** — never concatenate user input into SQL,
+   shell commands, or template strings.
+4. **ALWAYS pin dependency versions** — use exact versions or lock files, never
+   `*` or unpinned ranges for production dependencies.
+5. **ALWAYS check file paths** — validate that file operations target expected
+   directories, prevent path traversal (`../`).
+6. **ALWAYS use HTTPS** — no plaintext HTTP for API calls, package downloads,
+   or webhook endpoints.
+7. **ALWAYS preserve lock files** — do not delete `package-lock.json`,
+   `yarn.lock`, `poetry.lock`, or `Gemfile.lock`.
+8. **ALWAYS review before committing** — verify no secrets, PII, or debug
+   artifacts are included in staged changes.
+
+## Severity Reference
+
+| Severity | Action | Examples |
+|----------|--------|---------|
+| CRITICAL | Blocked | Credentials, private keys, rm -rf, reverse shells |
+| HIGH | Blocked | PII, chmod 777, force-push, curl\|bash |
+| MEDIUM | Warning | Prompt injection, jailbreak attempts, loose deps |
+| LOW | Logged | Informational patterns, style suggestions |
+
+## Configuration
+
+Override paths: `~/.llm-av/config.json` (global), `.llm-av/config.json` (project)
+Escape hatch: `LLMAV_SKIP=1` (logged, use sparingly)
+Audit trail: `.llm-av/audit.jsonl`
+
+Full reference: See SECURITY-RULES.md in the ChainWall repository

package/rules/SECURITY-RULES.md

@@ -0,0 +1,177 @@
+# ChainWall Security Rules — Comprehensive Reference
+
+This document provides detailed explanations of all security rules, their
+rationale, OWASP LLM Top 10 mapping, and configuration guidance.
+
+For the concise version read by AI agents, see [AGENTS.md](./AGENTS.md).
+
+---
+
+## Architecture Overview
+
+ChainWall enforces security through four layers:
+
+| Layer | Mechanism | Enforcement |
+|-------|-----------|-------------|
+| 1. Hooks | Bash scripts on PreToolUse/PostToolUse | Deterministic, <50ms |
+| 2. Instruction Files | AGENTS.md, CLAUDE.md, platform rules | Probabilistic, high compliance |
+| 3. Skills | On-demand security auditing | User-invoked |
+| 4. Installer | One-command setup | Zero-config |
+
+---
+
+## Detection Layers
+
+### Layer 1: File Blocklist
+
+**Blocked filenames** (basename matching):
+- `.env`, `.env.local`, `.env.production`, `.env.development`
+- `credentials`, `credentials.json`, `secrets.json`
+- `id_rsa`, `id_dsa`, `id_ed25519`
+- `.npmrc`, `.pypirc`
+
+**Not blocked** (safe patterns):
+- `.env.example`, `.env.template`, `.env.sample`
+- `id_rsa.pub`, `id_ed25519.pub` (public keys)
+- `credentials-validator.ts` (different basename)
+
+**Rationale:** These files commonly contain secrets that should never be
+read or modified by an AI agent. The blocklist uses basename matching
+to avoid false positives from path segments.
+
+### Layer 2: Credential Detection
+
+55 patterns across major providers. See `patterns/credentials.yaml` for
+the full database. Key categories:
+
+| Category | Patterns | Examples |
+|----------|----------|---------|
+| Cloud Providers | AWS, GCP, Azure | `AKIA*`, `AIza*`, `AccountKey=*` |
+| Source Control | GitHub, GitLab | `ghp_*`, `glpat-*` |
+| Communication | Slack, Twilio, SendGrid | `xox[pboa]-*`, `SK*`, `SG.*` |
+| Payment | Stripe | `sk_live_*`, `sk_test_*` |
+| AI Platforms | OpenAI, Anthropic | `sk-*` (48 chars), `sk-ant-*` |
+| Package Registries | npm, PyPI, Docker | `npm_*`, `pypi-*`, `dckr_pat_*` |
+| Infrastructure | Vault, Heroku, Vercel | `hvs.*`, Heroku UUID |
+| Generic | JWT, Bearer, passwords | `eyJ*.*.*`, `Bearer *` |
+
+### Layer 3: Private Key Detection
+
+Detects PEM-format key headers using string matching:
+- `-----BEGIN RSA PRIVATE KEY-----`
+- `-----BEGIN DSA PRIVATE KEY-----`
+- `-----BEGIN EC PRIVATE KEY-----`
+- `-----BEGIN OPENSSH PRIVATE KEY-----`
+- `-----BEGIN PGP PRIVATE KEY BLOCK-----`
+
+**Not detected** (by design):
+- Public keys (`-----BEGIN PUBLIC KEY-----`)
+- Certificates (`-----BEGIN CERTIFICATE-----`)
+- Encrypted private keys (`-----BEGIN ENCRYPTED PRIVATE KEY-----`)
+
+### Layer 4: Dangerous Commands
+
+24 patterns across categories. See `patterns/dangerous-commands.yaml`.
+
+| Category | Risk | Examples |
+|----------|------|---------|
+| Destructive | Data loss | `rm -rf`, `shred`, `mkfs` |
+| Remote Execution | Code injection | `curl\|bash`, `eval $VAR`, base64 decode |
+| Permissions | Privilege escalation | `chmod 777`, SUID bit |
+| Network | Exfiltration | Reverse shell, netcat, SSH tunnels |
+| Persistence | Backdoors | Crontab, systemd service install |
+| Anti-forensics | Evidence destruction | History deletion, log tampering |
+
+### Layer 5: PII Detection
+
+15 patterns with validation. See `patterns/pii.yaml`.
+
+**SSN validation logic:**
+1. Match `XXX-XX-XXXX` format
+2. Extract first group (XXX)
+3. Reject if first group is `000` (invalid per SSA)
+4. Reject if first group is `666` (never issued)
+5. Reject if first group is `900-999` (ITIN range)
+
+### Layer 6: Prompt Injection (Warning Only)
+
+18 patterns, never blocks. See `patterns/prompt-injection.yaml`.
+
+Categories: instruction override, role confusion, system prompt extraction,
+jailbreak keywords, encoded injection, output manipulation.
+
+---
+
+## OWASP LLM Top 10 Mapping
+
+| OWASP ID | Vulnerability | Coverage |
+|----------|---------------|----------|
+| LLM01 | Prompt Injection | Layer 6 (warn), instruction files |
+| LLM02 | Insecure Output Handling | Layer 2-3, 5 (credential/PII in output) |
+| LLM06 | Sensitive Information Disclosure | Layers 1-3, 5 (file, credential, key, PII) |
+| LLM07 | System Prompt Leakage | Layer 6 (disclosure markers) |
+| LLM08 | Excessive Agency | Layer 4 (dangerous commands) |
+| LLM09 | Overreliance | Instruction files (ALWAYS rules) |
+| LLM10 | Model Theft | `patterns/supply-chain.yaml` |
+
+---
+
+## Configuration
+
+### Allowlist/Blocklist
+
+Configuration files use JSON format with two scopes:
+
+**Global** (`~/.llm-av/config.json`) — applies to all projects:
+```json
+{
+  "allowlist": {
+    "paths": ["tests/fixtures/*", "*.test.ts"],
+    "patterns": ["test_credential_[a-z]+"]
+  },
+  "blocklist": {
+    "paths": ["production/secrets/*"],
+    "patterns": ["CUSTOM_SECRET_[A-Z0-9]+"]
+  }
+}
+```
+
+**Project** (`.llm-av/config.json`) — extends global settings:
+Same structure. Project settings are additive (they do not override global).
+
+### Escape Hatch
+
+For testing or emergencies, bypass all checks:
+```bash
+LLMAV_SKIP=1 claude "do something"
+```
+- Bypass is logged to the audit trail
+- Use sparingly — defeats all protection
+
+### Audit Trail
+
+All blocked operations and warnings are logged to `.llm-av/audit.jsonl`
+in JSON Lines format:
+
+```json
+{"timestamp":"2026-01-30T10:15:30Z","severity":"block","category":"credential","pattern":"AWS Access Key","tool":"Write","content":"AKIA..."}
+```
+
+Log rotation occurs automatically at 10MB.
+
+---
+
+## Limitations
+
+1. **Pattern-based** — can be bypassed with obfuscation (e.g., splitting a key
+   across multiple variables)
+2. **No semantic analysis** — cannot understand intent, only matches patterns
+3. **False positives** — some legitimate patterns (16-digit order IDs, reference
+   numbers with SSN format) will match
+4. **No training-time protection** — does not address model poisoning attacks
+5. **Warning-only prompt injection** — Layer 6 cannot reliably distinguish
+   injection from legitimate instructions
+
+This tool reduces attack surface but is not a complete security solution.
+Defense in depth (secret scanners, code review, least-privilege access)
+remains essential.

package/rules/claude.md

@@ -0,0 +1,9 @@
+# Claude Code Security Rules
+
+This project uses ChainWall for security enforcement.
+
+Read and follow ALL rules in [AGENTS.md](./AGENTS.md) before performing any
+file operations, shell commands, or code generation.
+
+Security hooks are active on PreToolUse and PostToolUse — violations will
+be blocked automatically with exit code 2.

package/rules/clinerules

@@ -0,0 +1,29 @@
+# Security Rules — Cline
+
+These rules are enforced by ChainWall and apply to all Cline operations.
+
+## NEVER
+
+- Write credentials, API keys, tokens, or passwords in code or commands
+- Access .env, credentials.json, secrets.json, SSH keys, .npmrc, or .pypirc
+- Run rm -rf, mkfs, dd to devices, chmod 777, or redirect to block devices
+- Pipe downloads to shell (curl|bash, wget|sh)
+- Expose SSNs, credit card numbers, or other PII in outputs
+- Write PEM private keys (RSA, DSA, EC, OpenSSH, PGP) to any file
+- Force-push to main/master or hard-reset shared branches
+- Install packages from arbitrary URLs or override registries
+
+## ALWAYS
+
+- Use environment variables for secrets
+- Validate inputs at system boundaries
+- Use parameterized queries — never concatenate user input into SQL or shell
+- Pin dependency versions and preserve lock files
+- Check file paths to prevent path traversal
+- Use HTTPS for API calls and package downloads
+
+## Configuration
+
+Override: ~/.llm-av/config.json (global), .llm-av/config.json (project)
+Bypass: LLMAV_SKIP=1 (logged)
+Audit: .llm-av/audit.jsonl

package/rules/continuerules

@@ -0,0 +1,29 @@
+# Security Rules — Continue.dev
+
+These rules are enforced by ChainWall and apply to all Continue.dev operations.
+
+## NEVER
+
+- Write credentials, API keys, tokens, or passwords in code or commands
+- Access .env, credentials.json, secrets.json, SSH keys, .npmrc, or .pypirc
+- Run rm -rf, mkfs, dd to devices, chmod 777, or redirect to block devices
+- Pipe downloads to shell (curl|bash, wget|sh)
+- Expose SSNs, credit card numbers, or other PII in outputs
+- Write PEM private keys (RSA, DSA, EC, OpenSSH, PGP) to any file
+- Force-push to main/master or hard-reset shared branches
+- Install packages from arbitrary URLs or override registries
+
+## ALWAYS
+
+- Use environment variables for secrets
+- Validate inputs at system boundaries
+- Use parameterized queries — never concatenate user input into SQL or shell
+- Pin dependency versions and preserve lock files
+- Check file paths to prevent path traversal
+- Use HTTPS for API calls and package downloads
+
+## Configuration
+
+Override: ~/.llm-av/config.json (global), .llm-av/config.json (project)
+Bypass: LLMAV_SKIP=1 (logged)
+Audit: .llm-av/audit.jsonl

package/rules/copilot-instructions.md

@@ -0,0 +1,9 @@
+# GitHub Copilot Security Rules
+
+This project uses ChainWall for security enforcement.
+
+Read and follow ALL rules in AGENTS.md (in the project root) before performing any
+file operations, shell commands, or code generation.
+
+Do not write credentials, access sensitive files, run destructive commands,
+or expose PII. See AGENTS.md for the complete rule set.

package/rules/cursor-security.mdc

@@ -0,0 +1,14 @@
+---
+description: Security rules for AI-assisted coding in this project
+globs: ["**/*"]
+---
+
+# Cursor Security Rules
+
+This project uses ChainWall for security enforcement.
+
+Read and follow ALL rules in `rules/AGENTS.md` before performing any
+file operations, shell commands, or code generation.
+
+Do not write credentials, access sensitive files, run destructive commands,
+or expose PII. See AGENTS.md for the complete rule set.

package/rules/gemini.md

@@ -0,0 +1,9 @@
+# Gemini Security Rules
+
+This project uses ChainWall for security enforcement.
+
+Read and follow ALL rules in [AGENTS.md](./AGENTS.md) before performing any
+file operations, shell commands, or code generation.
+
+Do not write credentials, access sensitive files, run destructive commands,
+or expose PII. See AGENTS.md for the complete rule set.

package/rules/kiro-security.md

@@ -0,0 +1,29 @@
+# Security Rules — Kiro
+
+These rules are enforced by ChainWall and apply to all Kiro operations.
+
+## NEVER
+
+- Write credentials, API keys, tokens, or passwords in code or commands
+- Access .env, credentials.json, secrets.json, SSH keys, .npmrc, or .pypirc
+- Run rm -rf, mkfs, dd to devices, chmod 777, or redirect to block devices
+- Pipe downloads to shell (curl|bash, wget|sh)
+- Expose SSNs, credit card numbers, or other PII in outputs
+- Write PEM private keys (RSA, DSA, EC, OpenSSH, PGP) to any file
+- Force-push to main/master or hard-reset shared branches
+- Install packages from arbitrary URLs or override registries
+
+## ALWAYS
+
+- Use environment variables for secrets
+- Validate inputs at system boundaries
+- Use parameterized queries — never concatenate user input into SQL or shell
+- Pin dependency versions and preserve lock files
+- Check file paths to prevent path traversal
+- Use HTTPS for API calls and package downloads
+
+## Configuration
+
+Override: ~/.llm-av/config.json (global), .llm-av/config.json (project)
+Bypass: LLMAV_SKIP=1 (logged)
+Audit: .llm-av/audit.jsonl

package/rules/roocode-security.md

@@ -0,0 +1,29 @@
+# Security Rules — RooCode
+
+These rules are enforced by ChainWall and apply to all RooCode operations.
+
+## NEVER
+
+- Write credentials, API keys, tokens, or passwords in code or commands
+- Access .env, credentials.json, secrets.json, SSH keys, .npmrc, or .pypirc
+- Run rm -rf, mkfs, dd to devices, chmod 777, or redirect to block devices
+- Pipe downloads to shell (curl|bash, wget|sh)
+- Expose SSNs, credit card numbers, or other PII in outputs
+- Write PEM private keys (RSA, DSA, EC, OpenSSH, PGP) to any file
+- Force-push to main/master or hard-reset shared branches
+- Install packages from arbitrary URLs or override registries
+
+## ALWAYS
+
+- Use environment variables for secrets
+- Validate inputs at system boundaries
+- Use parameterized queries — never concatenate user input into SQL or shell
+- Pin dependency versions and preserve lock files
+- Check file paths to prevent path traversal
+- Use HTTPS for API calls and package downloads
+
+## Configuration
+
+Override: ~/.llm-av/config.json (global), .llm-av/config.json (project)
+Bypass: LLMAV_SKIP=1 (logged)
+Audit: .llm-av/audit.jsonl