clawarmor 2.2.0 → 3.0.0

package/README.md

@@ -40,6 +40,11 @@ clawarmor audit
 | `trend` | ASCII chart of your security score over time |
 | `compare` | Compare coverage vs openclaw security audit |
 | `fix` | Auto-apply safe fixes (--dry-run to preview, --apply to run) |
+| `snapshot` | Save a config snapshot manually (auto-saved before every harden/fix) |
+| `rollback` | Restore config from auto-snapshot (--list, --id <id>) |
+| `harden --monitor` | Enable monitor mode — observe before enforcing |
+| `harden --monitor-report` | Show what monitor mode has observed |
+| `harden --monitor-off` | Disable monitor mode |
 
 ## What it catches
 
@@ -56,6 +61,26 @@ clawarmor audit
 | Gateway exposure | TCP-connects to every non-loopback interface | Full |
 | Runtime policy enforcement | Requires a runtime layer (SupraWall) | None |
 
+## Safety features
+
+**Impact classification** — Every fix is tagged 🟢 Safe, 🟡 Caution, or 🔴 Breaking. `--auto` mode skips breaking changes unless you pass `--force`.
+
+**Config snapshots** — ClawArmor auto-saves your config before every `harden` or `fix` run. If something breaks, roll back instantly:
+
+```bash
+clawarmor rollback --list    # see all snapshots
+clawarmor rollback           # restore the latest
+clawarmor rollback --id <n>  # restore a specific one
+```
+
+**Monitor mode** — Observe what `harden` would do before enforcing:
+
+```bash
+clawarmor harden --monitor        # start monitoring
+clawarmor harden --monitor-report # see what it observed
+clawarmor harden --monitor-off    # stop monitoring
+```
+
 ## Philosophy
 
 ClawArmor runs entirely on your machine — no telemetry, no cloud, no accounts.

package/cli.js

@@ -3,7 +3,7 @@
 
 import { paint } from './lib/output/colors.js';
 
-const VERSION = '2.2.0';
+const VERSION = '3.0.0';
 const GATEWAY_PORT_DEFAULT = 18789;
 
 function isLocalhost(host) {
@@ -51,6 +51,7 @@ function usage() {
   console.log(`    ${paint.cyan('watch')}    Monitor config and skill changes in real time`);
   console.log(`    ${paint.cyan('protect')}  Install/uninstall/status the full guard system`);
   console.log(`    ${paint.cyan('prescan')}  Pre-scan a skill before installing it`);
+  console.log(`    ${paint.cyan('stack')}    Security orchestrator — deploy Invariant + IronCurtain from audit data`);
   console.log(`    ${paint.cyan('log')}      View the audit event log`);
   console.log(`    ${paint.cyan('digest')}   Show weekly security digest`);
   console.log('');
@@ -232,5 +233,11 @@ if (cmd === 'digest') {
   process.exit(await runDigest());
 }
 
+if (cmd === 'stack') {
+  const { runStack } = await import('./lib/stack.js');
+  const stackArgs = args.slice(1);
+  process.exit(await runStack(stackArgs));
+}
+
 console.log(`  ${paint.red('✗')} Unknown command: ${paint.bold(cmd)}`);
 usage(); process.exit(1);

package/lib/scanner/obfuscation.js

@@ -1,4 +1,4 @@
-// obfuscation.js — v1.2.0
+// obfuscation.js — v1.3.0
 // Detects obfuscated code patterns that bypass naive string-grep analysis.
 // Zero external dependencies. Pure regex, adversarially reviewed.
 //
@@ -10,6 +10,10 @@
 //   - globalThis/global bracket access to dangerous names
 //   - ['constructor'] escape pattern
 //   - Unicode/hex escape sequences for dangerous keywords
+//   - Dynamic import() with runtime-assembled module name
+//   - eval/exec called with interpolated template literal
+//   - Proxy/Reflect wrapping of dangerous objects
+//   - Variable aliasing of dangerous functions (const e = eval)
 
 export const OBFUSCATION_PATTERNS = [
   {
@@ -81,6 +85,46 @@ export const OBFUSCATION_PATTERNS = [
     description: "Calls require() or import() with a runtime-decoded string argument (atob, fromCharCode, etc.).",
     regex: /(?:require|import)\s*\(\s*(?:atob|String\.fromCharCode|Buffer\.from)\s*\(/,
   },
+  {
+    // Pattern: const mod = 'child' + '_process'; import(mod)
+    // The module name is never visible as a literal string, bypassing child_process regex.
+    id: 'obfus-dynamic-import-concat',
+    severity: 'CRITICAL',
+    title: 'Dynamic import() with runtime-assembled module name',
+    description: "import() called with a variable or concatenated string — module name assembled at runtime, bypassing static child_process/net detection.",
+    note: "Pattern: const mod = 'child' + '_process'; import(mod). The dangerous module name never appears intact in source.",
+    regex: /\bimport\s*\(\s*(?:[a-zA-Z_$][a-zA-Z0-9_$]*\s*\)|['"`][^'"`]*['"`]\s*\+)/,
+  },
+  {
+    // Pattern: eval(`(function() { ${userCode} })()`)
+    // Template literal interpolation allows runtime code injection hidden from literal-string scanners.
+    id: 'obfus-template-literal',
+    severity: 'HIGH',
+    title: 'eval/exec called with interpolated template literal',
+    description: "eval or exec invoked with a template literal containing ${...} interpolation — injects runtime values into executed code.",
+    note: "eval(`code ${var}`) assembles executable code from runtime values. Evades scanners that only check string literals.",
+    regex: /\b(?:eval|Function|exec|execSync)\s*\(\s*`[^`]*\$\{/,
+  },
+  {
+    // Pattern: new Proxy(process, handler) or Reflect.get(globalThis, 'eval')
+    // Proxying dangerous objects intercepts property access for exfiltration or modification.
+    id: 'obfus-proxy-reflect',
+    severity: 'HIGH',
+    title: 'Proxy/Reflect wrapping of dangerous object',
+    description: "Wrapping process, require, or globalThis in a Proxy intercepts all property access — used for covert exfiltration or to modify dangerous function behavior.",
+    note: "new Proxy(process, handler) can log every process property access. Reflect.get(globalThis, 'eval') accesses eval indirectly.",
+    regex: /new\s+Proxy\s*\(\s*(?:process|require|global|globalThis)\b|Reflect\s*\.\s*(?:get|apply)\s*\(\s*(?:globalThis|global|process)\b/,
+  },
+  {
+    // Pattern: const e = eval; e(code) or const {execSync: run} = require('child_process')
+    // Alias hides the dangerous function name at all call sites, bypassing keyword scanners.
+    id: 'obfus-var-alias',
+    severity: 'HIGH',
+    title: 'Variable aliasing of dangerous function',
+    description: "Assigning eval, exec, or spawn to a new variable name so call sites evade keyword detection.",
+    note: "const e = eval; e(code) — the dangerous eval() call is hidden as e(). Destructuring rename: const {execSync: run} = require('child_process').",
+    regex: /(?:const|let|var)\s+\w+\s*=\s*eval\b|(?:const|let|var)\s+\{[^}]*(?:exec|spawn)[^}]*:\s*\w+[^}]*\}\s*=/,
+  },
 ];
 
 /**

package/lib/scanner/patterns.js

@@ -12,6 +12,12 @@ export const CRITICAL_PATTERNS = [
     title: 'Pipe-to-shell pattern', description: 'curl|bash or wget|sh — classic RCE.' },
   { id: 'vm-run', regex: /vm\.(runInNewContext|runInThisContext)\s*\(/,
     title: 'vm module code execution', description: 'Executes code in Node.js VM.' },
+  // Binding a raw TCP server is the primary reverse-shell / C2 setup technique.
+  // net.createServer in skill code has virtually no legitimate use case.
+  { id: 'reverse-shell',
+    regex: /net\.createServer\s*\(|(?:require\(['"`]net['"`]\)|import\(['"`]net['"`]\))[\s\S]{0,300}\.createServer\s*\(/,
+    title: 'net.createServer() — reverse shell / port binding',
+    description: 'Creating a raw TCP server is the primary mechanism for reverse shells and covert C2 listeners.' },
 ];
 
 export const HIGH_PATTERNS = [
@@ -27,6 +33,31 @@ export const HIGH_PATTERNS = [
   { id: 'exfil-combo', regex: /process\.env[\s\S]{0,200}(fetch|axios|http|request)\s*\(/,
     title: 'Env vars + network call (exfil pattern)',
     description: 'Reading env vars then making network calls — credential exfiltration pattern.' },
+  // WebSocket bypasses fetch/axios-based detection entirely — a silent exfil channel.
+  { id: 'websocket-exfil',
+    regex: /new\s+WebSocket\s*\(|(?:ws|socket)\s*\.send\s*\(/,
+    title: 'WebSocket usage (potential data exfiltration)',
+    description: 'WebSocket connections can silently exfiltrate data — not caught by fetch/axios-based detection rules.' },
+  // DNS can encode secrets in subdomain queries; no HTTP logs, evades most monitoring.
+  { id: 'dns-exfil',
+    regex: /require\(['"`](?:dns|node:dns)['"`]\)|from\s+['"`](?:dns|node:dns)['"`]/,
+    title: 'DNS module imported (covert channel risk)',
+    description: 'DNS can encode data in subdomain queries — a covert exfiltration channel that evades HTTP monitoring.' },
+  // __proto__ assignment or Object.prototype mutation corrupts the global object graph.
+  { id: 'proto-pollution',
+    regex: /__proto__\s*["'`]|Object\.prototype\s*\[/,
+    title: 'Prototype pollution',
+    description: 'Assigning to __proto__ or Object.prototype mutates all JS objects — enables object injection attacks.' },
+  // Extends exfil-combo to cover outbound channels beyond fetch: WebSocket and DNS.
+  { id: 'exfil-combo-broad',
+    regex: /process\.env[\s\S]{0,200}(?:new\s+WebSocket|ws\.send\s*\(|dns\.resolve\s*\(|dns\.lookup\s*\()/,
+    title: 'Env vars + WebSocket/DNS outbound (broad exfil)',
+    description: 'process.env followed by WebSocket or DNS send — exfiltration path not caught by fetch-only rules.' },
+  // Credential file + network call within same scope = high-confidence theft combo.
+  { id: 'cred-read-network',
+    regex: /readFileSync\s*\(['"`][^'"`]*(?:\.openclaw|agent-accounts|credentials)[^'"`]*['"`][\s\S]{0,500}(?:fetch|axios|new\s+WebSocket|ws\.send|http\.request)/,
+    title: 'Credential file read + outbound network call',
+    description: 'Reading a credential file then making a network call in the same scope — credential theft combo.' },
 ];
 
 export const MEDIUM_PATTERNS = [

package/lib/stack/index.js

@@ -0,0 +1,91 @@
+// lib/stack/index.js — Stack orchestrator
+// Reads latest audit result from ~/.clawarmor/audit.log (JSONL),
+// maps score + findings to a risk profile, and determines deployment plan.
+
+import { existsSync, readFileSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+
+const HOME = homedir();
+const AUDIT_LOG = join(HOME, '.clawarmor', 'audit.log');
+
+/**
+ * Read the latest scored audit entry from ~/.clawarmor/audit.log (JSONL).
+ * Prefers entries where score !== null (cmd==='audit'), skips scan entries.
+ * Falls back to last-score.json combined with history.json if no scored entry found.
+ */
+function readLatestAudit() {
+  if (existsSync(AUDIT_LOG)) {
+    try {
+      const lines = readFileSync(AUDIT_LOG, 'utf8').split('\n').filter(Boolean);
+      for (let i = lines.length - 1; i >= 0; i--) {
+        try {
+          const entry = JSON.parse(lines[i]);
+          if (entry && entry.score != null) return entry;
+        } catch { /* skip bad lines */ }
+      }
+    } catch { /* non-fatal */ }
+  }
+  // Fallback: last-score.json (minimal — no findings detail)
+  const lastScoreFile = join(HOME, '.clawarmor', 'last-score.json');
+  if (existsSync(lastScoreFile)) {
+    try {
+      const s = JSON.parse(readFileSync(lastScoreFile, 'utf8'));
+      if (s && s.score != null) return { score: s.score, grade: s.grade, findings: [] };
+    } catch { /* non-fatal */ }
+  }
+  return null;
+}
+
+/**
+ * Map audit score + findings to a risk profile.
+ * @param {Object|null} audit
+ * @returns {{ level: string, label: string, score: number|null, findings: Array }}
+ */
+export function getRiskProfile(audit) {
+  if (!audit) return { level: 'unknown', label: 'No audit data', score: null, findings: [] };
+  const score = audit.score ?? null;
+  const findings = audit.findings ?? [];
+  let level, label;
+  if (score == null)    { level = 'unknown';  label = 'Unknown risk'; }
+  else if (score < 50)  { level = 'critical'; label = 'Critical / High risk'; }
+  else if (score < 75)  { level = 'medium';   label = 'Medium risk'; }
+  else                  { level = 'low';       label = 'Low risk'; }
+  return { level, label, score, findings };
+}
+
+/**
+ * Read latest audit + derive risk profile.
+ * @returns {Promise<{ audit: Object|null, profile: Object }>}
+ */
+export async function getStackStatus() {
+  const audit = readLatestAudit();
+  const profile = getRiskProfile(audit);
+  return { audit, profile };
+}
+
+/**
+ * Get recommended deployment plan based on risk profile.
+ * @param {Object} profile - from getRiskProfile()
+ * @returns {{ invariant: boolean, ironcurtain: boolean, reason: string }}
+ */
+export function getPlan(profile) {
+  const { level } = profile;
+  if (level === 'critical') return {
+    invariant: true, ironcurtain: true,
+    reason: 'Critical risk: deploy Invariant flow guardrails + generate IronCurtain constitution',
+  };
+  if (level === 'medium') return {
+    invariant: true, ironcurtain: true,
+    reason: 'Medium risk: deploy Invariant flow guardrails + generate IronCurtain constitution',
+  };
+  if (level === 'low') return {
+    invariant: false, ironcurtain: true,
+    reason: 'Low risk: generate IronCurtain constitution as reference hardening',
+  };
+  // unknown — no audit yet
+  return {
+    invariant: true, ironcurtain: true,
+    reason: 'No audit data: run clawarmor audit first for precise recommendations',
+  };
+}

package/lib/stack/invariant.js

@@ -0,0 +1,224 @@
+// lib/stack/invariant.js — Invariant Guardrails integration
+// Invariant is a Python guardrailing library (invariantlabs-ai/invariant).
+// Rules are plain Invariant DSL strings generated from audit findings.
+
+import { existsSync, readFileSync, writeFileSync, mkdirSync, statSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { execSync, spawnSync } from 'child_process';
+
+const HOME = homedir();
+const CLAWARMOR_DIR = join(HOME, '.clawarmor');
+const RULES_PATH = join(CLAWARMOR_DIR, 'invariant-rules.inv');
+
+/** Check if invariant-ai Python package is installed. */
+export function checkInstalled() {
+  try {
+    const r = spawnSync('pip3', ['show', 'invariant-ai'], { encoding: 'utf8', timeout: 10000 });
+    return r.status === 0 && !!(r.stdout && r.stdout.includes('Name:'));
+  } catch { return false; }
+}
+
+/**
+ * Install invariant-ai via pip3.
+ * @returns {{ ok: boolean, err?: string }}
+ */
+export function install() {
+  try {
+    execSync('pip3 install invariant-ai', { stdio: 'pipe', timeout: 120000 });
+    return { ok: true };
+  } catch (e) {
+    return { ok: false, err: e.message?.split('\n')[0] || 'pip3 install failed' };
+  }
+}
+
+/**
+ * Generate Invariant DSL rules from audit findings.
+ *
+ * Key mappings (from research):
+ *   exec.security=full + exec.ask=off  → flag unrestricted exec tool calls
+ *   channels with no allowFrom         → flag ungated message sends
+ *   credential files world-readable    → block reads on sensitive paths
+ *   skill supply chain findings        → block tool calls from unverified skill sources
+ *   elevated.allowFrom empty           → flag escalated calls from non-allowlisted sources
+ *
+ * @param {Array} findings - array of { id, severity, title, detail }
+ * @returns {string} Invariant policy (.inv) text
+ */
+export function generateRules(findings) {
+  const now = new Date().toISOString().slice(0, 10);
+  const lines = [
+    `# ClawArmor-Generated Invariant Policy`,
+    `# Generated: ${now} by clawarmor stack`,
+    `# Source: clawarmor stack deploy --invariant`,
+    '',
+  ];
+
+  if (!findings || !findings.length) {
+    lines.push('# No findings from latest audit — no findings-specific rules generated.');
+    lines.push('# Run: clawarmor audit, then: clawarmor stack sync');
+    lines.push('');
+    lines.push('# Generic fallback: prompt injection via web tool → send_message');
+    lines.push('raise "Possible prompt injection via tool output" if:');
+    lines.push('    (output: ToolOutput) -> (call2: ToolCall)');
+    lines.push('    output is tool:get_website');
+    lines.push('    prompt_injection(output.content, threshold=0.7)');
+    lines.push('    call2 is tool:send_message');
+    lines.push('');
+    return lines.join('\n');
+  }
+
+  const generated = new Set();
+
+  for (const finding of findings) {
+    const id = (finding.id || '').toLowerCase();
+    const detail = (finding.detail || '').toLowerCase();
+    const title = (finding.title || '').toLowerCase();
+    // label shown in rule comment — id is always present; title/severity optional
+    const label = finding.title || finding.severity || finding.id;
+
+    // exec.ask=off / exec unrestricted → flag bare exec tool calls
+    // Matches: exec.approval, exec.ask, tools.exec.*
+    if (
+      !generated.has('exec.unrestricted') &&
+      (id.includes('exec') || title.includes('exec')) &&
+      (id.includes('ask') || id.includes('approval') || id.includes('exec') ||
+       detail.includes('ask') || title.includes('approval') || title.includes('unrestricted') ||
+       detail.includes('unrestricted'))
+    ) {
+      generated.add('exec.unrestricted');
+      lines.push(`# Finding: ${finding.id} — ${label}`);
+      lines.push(`raise "Unrestricted exec tool call detected (no approval gate)" if:`);
+      lines.push(`    (call: ToolCall)`);
+      lines.push(`    call is tool:exec`);
+      lines.push('');
+    }
+
+    // channels with no allowFrom / open group policy → ungated message sends
+    // Matches: channel.groupPolicy, channel.allowFrom, channels.*
+    if (
+      !generated.has('channel.ungated') &&
+      (id.includes('channel') || title.includes('channel')) &&
+      (id.includes('allow') || id.includes('group') || id.includes('policy') ||
+       detail.includes('allowfrom') || title.includes('restriction') ||
+       title.includes('gate') || title.includes('group') || detail.includes('open'))
+    ) {
+      generated.add('channel.ungated');
+      lines.push(`# Finding: ${finding.id} — ${label}`);
+      lines.push(`raise "Message sent via ungated channel (no allowFrom restriction)" if:`);
+      lines.push(`    (call: ToolCall) -> (call2: ToolCall)`);
+      lines.push(`    call is tool:read_file`);
+      lines.push(`    call2 is tool:send_message({channel: ".*"})`);
+      lines.push('');
+    }
+
+    // credential files / secret exposure → block reads on sensitive paths
+    // Matches: cred.*, credential-file, cred.json_secrets, filesystem.perms
+    if (
+      !generated.has('cred.worldread') &&
+      (id.includes('cred') || id.includes('credential') || id.includes('filesystem') ||
+       id.includes('secret')) &&
+      (id.includes('perm') || id.includes('secret') || id.includes('file') ||
+       detail.includes('world') || detail.includes('readable') || detail.includes('permission') ||
+       title.includes('world') || title.includes('permission') || title.includes('secret'))
+    ) {
+      generated.add('cred.worldread');
+      lines.push(`# Finding: ${finding.id} — ${label}`);
+      lines.push(`raise "File read on sensitive credential path" if:`);
+      lines.push(`    (call: ToolCall)`);
+      lines.push(`    call is tool:read_file`);
+      lines.push(`    any(s in str(call.args.get("path", "")) for s in [".ssh", ".aws", "agent-accounts", ".openclaw"])`);
+      lines.push('');
+    }
+
+    // skill supply chain — block tool calls from unverified sources
+    // Matches: skill.pinning, skill.supplychain, skills.*
+    if (
+      !generated.has('skill.supplychain') &&
+      id.includes('skill') &&
+      (id.includes('pin') || id.includes('supply') || id.includes('md') ||
+       detail.includes('supply') || detail.includes('unverified') ||
+       title.includes('pin') || title.includes('supply'))
+    ) {
+      generated.add('skill.supplychain');
+      lines.push(`# Finding: ${finding.id} — ${label}`);
+      lines.push(`raise "Tool call from unverified skill source (no version pin)" if:`);
+      lines.push(`    (call: ToolCall)`);
+      lines.push(`    not call.metadata.get("skill_verified", False)`);
+      lines.push('');
+    }
+
+    // elevated permissions with no allowFrom restriction
+    // Matches: elevated.allowFrom, tools.elevated.*, allowFrom.*
+    if (
+      !generated.has('elevated.ungated') &&
+      (id.includes('elevated') || id.includes('allowfrom') || title.includes('elevated'))
+    ) {
+      generated.add('elevated.ungated');
+      lines.push(`# Finding: ${finding.id} — ${label}`);
+      lines.push(`raise "Elevated tool call from ungated source" if:`);
+      lines.push(`    (call: ToolCall)`);
+      lines.push(`    call.metadata.get("elevated", False)`);
+      lines.push(`    not call.metadata.get("allowFrom_restricted", False)`);
+      lines.push('');
+    }
+  }
+
+  if (!generated.size) {
+    lines.push('# No specific rule mappings matched. Generic fallback:');
+    lines.push('');
+    lines.push('raise "Possible prompt injection via tool output" if:');
+    lines.push('    (output: ToolOutput) -> (call2: ToolCall)');
+    lines.push('    output is tool:get_website');
+    lines.push('    prompt_injection(output.content, threshold=0.7)');
+    lines.push('    call2 is tool:send_message');
+    lines.push('');
+  }
+
+  return lines.join('\n');
+}
+
+/**
+ * Write rules to ~/.clawarmor/invariant-rules.inv and validate syntax if invariant-ai is installed.
+ * @param {string} rulesContent
+ * @returns {{ ok: boolean, err?: string, rulesPath: string }}
+ */
+export function deploy(rulesContent) {
+  try {
+    if (!existsSync(CLAWARMOR_DIR)) mkdirSync(CLAWARMOR_DIR, { recursive: true });
+    writeFileSync(RULES_PATH, rulesContent, 'utf8');
+
+    // Validate syntax if invariant-ai is available (non-fatal if not)
+    if (checkInstalled()) {
+      const v = spawnSync('python3', [
+        '-c',
+        `from invariant.analyzer import LocalPolicy; LocalPolicy.from_file('${RULES_PATH}'); print('ok')`,
+      ], { encoding: 'utf8', timeout: 30000 });
+      if (v.status !== 0) {
+        const msg = (v.stderr || '').split('\n')[0];
+        return { ok: false, err: `Syntax validation failed: ${msg}`, rulesPath: RULES_PATH };
+      }
+    }
+    return { ok: true, rulesPath: RULES_PATH };
+  } catch (e) {
+    return { ok: false, err: e.message?.split('\n')[0] || 'deploy failed', rulesPath: RULES_PATH };
+  }
+}
+
+/**
+ * Get current status of Invariant integration.
+ * @returns {{ installed: boolean, rulesExist: boolean, rulesPath: string, ruleCount: number, lastDeployed: string|null }}
+ */
+export function getStatus() {
+  const installed = checkInstalled();
+  const rulesExist = existsSync(RULES_PATH);
+  let ruleCount = 0, lastDeployed = null;
+  if (rulesExist) {
+    try {
+      const content = readFileSync(RULES_PATH, 'utf8');
+      ruleCount = (content.match(/^raise /gm) || []).length;
+      lastDeployed = statSync(RULES_PATH).mtime.toISOString();
+    } catch { /* non-fatal */ }
+  }
+  return { installed, rulesExist, rulesPath: RULES_PATH, ruleCount, lastDeployed };
+}