clawmoat 0.2.1 → 0.5.0

package/src/guardian/network-log.js

@@ -0,0 +1,281 @@
+/**
+ * ClawMoat Network Egress Logger
+ * 
+ * Parses session JSONL files for outbound network activity,
+ * maintains domain allowlists, and flags suspicious destinations.
+ * 
+ * @module clawmoat/guardian/network-log
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { URL } = require('url');
+
+// Known-bad domains commonly used for exfiltration
+const KNOWN_BAD_DOMAINS = [
+  'webhook.site',
+  'requestbin.com',
+  'pipedream.net',
+  'ngrok.io',
+  'ngrok-free.app',
+  'ngrok.app',
+  'burpcollaborator.net',
+  'interact.sh',
+  'oastify.com',
+  'canarytokens.com',
+  'dnslog.cn',
+  'beeceptor.com',
+  'hookbin.com',
+  'requestcatcher.com',
+  'mockbin.org',
+  'postb.in',
+  'ptsv2.com',
+  'transfer.sh',
+  'file.io',
+  '0x0.st',
+  'hastebin.com',
+  'pastebin.com',
+  'paste.ee',
+  'dpaste.org',
+  'serveo.net',
+  'localtunnel.me',
+  'localhost.run',
+];
+
+// Default safe domains
+const DEFAULT_ALLOWLIST = [
+  'github.com',
+  'api.github.com',
+  'raw.githubusercontent.com',
+  'npmjs.org',
+  'registry.npmjs.org',
+  'google.com',
+  'googleapis.com',
+  'stackoverflow.com',
+  'developer.mozilla.org',
+  'nodejs.org',
+  'docs.python.org',
+];
+
+/**
+ * Extract URLs from a text string.
+ * @param {string} text
+ * @returns {string[]} Extracted URLs
+ */
+function extractUrls(text) {
+  if (!text) return [];
+  const urlRegex = /https?:\/\/[^\s"'<>\]\)]+/gi;
+  return (text.match(urlRegex) || []);
+}
+
+/**
+ * Extract domain from a URL string.
+ * @param {string} urlStr
+ * @returns {string|null}
+ */
+function extractDomain(urlStr) {
+  try {
+    const u = new URL(urlStr);
+    return u.hostname.toLowerCase();
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Parse a session JSONL file for network activity.
+ * @param {string} filePath - Path to .jsonl file
+ * @returns {{ urls: string[], domains: Set<string>, toolCalls: Array }}
+ */
+function parseSessionFile(filePath) {
+  const urls = [];
+  const domains = new Set();
+  const toolCalls = [];
+
+  let content;
+  try {
+    content = fs.readFileSync(filePath, 'utf8');
+  } catch {
+    return { urls, domains, toolCalls };
+  }
+
+  const lines = content.split('\n').filter(Boolean);
+
+  for (const line of lines) {
+    let entry;
+    try { entry = JSON.parse(line); } catch { continue; }
+
+    // Check tool calls from assistant
+    if (entry.role === 'assistant' && Array.isArray(entry.content)) {
+      for (const part of entry.content) {
+        if (part.type !== 'toolCall') continue;
+        const name = part.name || '';
+        const args = part.arguments || {};
+
+        if (name === 'web_fetch' || name === 'web_search') {
+          const url = args.url || args.query || '';
+          const extracted = extractUrls(url);
+          if (extracted.length) {
+            urls.push(...extracted);
+          } else if (url.startsWith('http')) {
+            urls.push(url);
+          }
+          toolCalls.push({ tool: name, args, session: filePath });
+        }
+
+        if (name === 'exec') {
+          const cmd = args.command || '';
+          if (/\b(curl|wget|fetch|http)\b/i.test(cmd)) {
+            const cmdUrls = extractUrls(cmd);
+            urls.push(...cmdUrls);
+            toolCalls.push({ tool: 'exec', args, session: filePath });
+          }
+        }
+      }
+    }
+  }
+
+  for (const u of urls) {
+    const d = extractDomain(u);
+    if (d) domains.add(d);
+  }
+
+  return { urls, domains, toolCalls };
+}
+
+class NetworkEgressLogger {
+  /**
+   * @param {Object} opts
+   * @param {string[]} [opts.allowlist] - Additional allowed domains
+   * @param {string[]} [opts.badDomains] - Additional known-bad domains
+   * @param {Function} [opts.onAlert] - Callback for alerts
+   */
+  constructor(opts = {}) {
+    this.allowlist = new Set([...DEFAULT_ALLOWLIST, ...(opts.allowlist || [])]);
+    this.badDomains = new Set([...KNOWN_BAD_DOMAINS, ...(opts.badDomains || [])]);
+    this.seenDomains = new Set();
+    this.onAlert = opts.onAlert || null;
+    this.log = []; // { timestamp, url, domain, status }
+  }
+
+  /**
+   * Scan session directory for network egress.
+   * @param {string} sessionsDir - Path to sessions directory
+   * @param {Object} [opts]
+   * @param {number} [opts.maxAge] - Only scan files modified within this many ms
+   * @returns {{ totalUrls: number, domains: string[], flagged: Array, badDomains: Array, firstSeen: string[] }}
+   */
+  scanSessions(sessionsDir, opts = {}) {
+    if (!fs.existsSync(sessionsDir)) {
+      return { totalUrls: 0, domains: [], flagged: [], badDomains: [], firstSeen: [] };
+    }
+
+    const files = fs.readdirSync(sessionsDir).filter(f => f.endsWith('.jsonl'));
+    const allUrls = [];
+    const allDomains = new Set();
+    const flagged = [];
+    const badFound = [];
+    const firstSeen = [];
+
+    for (const file of files) {
+      const filePath = path.join(sessionsDir, file);
+
+      // Optional age filter
+      if (opts.maxAge) {
+        try {
+          const stat = fs.statSync(filePath);
+          if (Date.now() - stat.mtimeMs > opts.maxAge) continue;
+        } catch { continue; }
+      }
+
+      const result = parseSessionFile(filePath);
+      allUrls.push(...result.urls);
+
+      for (const domain of result.domains) {
+        allDomains.add(domain);
+
+        // Check bad domains
+        if (this._isBadDomain(domain)) {
+          badFound.push({ domain, file, urls: result.urls.filter(u => extractDomain(u) === domain) });
+          this._alert({
+            severity: 'critical',
+            type: 'bad_domain',
+            message: `Known-bad domain contacted: ${domain}`,
+            details: { domain, session: file },
+          });
+        }
+
+        // Check first-seen
+        if (!this.seenDomains.has(domain) && !this.allowlist.has(domain)) {
+          firstSeen.push(domain);
+          this._alert({
+            severity: 'info',
+            type: 'first_seen_domain',
+            message: `First-seen domain: ${domain}`,
+            details: { domain, session: file },
+          });
+        }
+
+        this.seenDomains.add(domain);
+      }
+    }
+
+    // Flag non-allowlisted domains
+    for (const d of allDomains) {
+      if (!this.allowlist.has(d)) {
+        flagged.push(d);
+      }
+    }
+
+    return {
+      totalUrls: allUrls.length,
+      domains: [...allDomains],
+      flagged,
+      badDomains: badFound,
+      firstSeen,
+    };
+  }
+
+  /**
+   * Check a single URL against rules.
+   * @param {string} url
+   * @returns {{ allowed: boolean, domain: string|null, reason: string|null }}
+   */
+  checkUrl(url) {
+    const domain = extractDomain(url);
+    if (!domain) return { allowed: true, domain: null, reason: null };
+
+    if (this._isBadDomain(domain)) {
+      return { allowed: false, domain, reason: `Known-bad domain: ${domain}` };
+    }
+
+    if (!this.allowlist.has(domain)) {
+      return { allowed: true, domain, reason: `Not in allowlist: ${domain}` };
+    }
+
+    return { allowed: true, domain, reason: null };
+  }
+
+  _isBadDomain(domain) {
+    if (this.badDomains.has(domain)) return true;
+    // Check subdomains (e.g. xyz.ngrok.io)
+    for (const bad of this.badDomains) {
+      if (domain.endsWith('.' + bad)) return true;
+    }
+    return false;
+  }
+
+  _alert(alert) {
+    this.log.push({ timestamp: Date.now(), ...alert });
+    if (this.onAlert) this.onAlert(alert);
+  }
+}
+
+module.exports = {
+  NetworkEgressLogger,
+  extractUrls,
+  extractDomain,
+  parseSessionFile,
+  KNOWN_BAD_DOMAINS,
+  DEFAULT_ALLOWLIST,
+};

package/src/guardian/skill-integrity.js

@@ -0,0 +1,290 @@
+/**
+ * ClawMoat Skill Integrity Checker
+ * 
+ * Hashes skill files on startup, detects modifications, and flags
+ * suspicious patterns in skill content.
+ * 
+ * @module clawmoat/guardian/skill-integrity
+ */
+
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+
+const HASH_FILE = '.clawmoat-hashes.json';
+
+// Suspicious patterns that may indicate malicious skills
+const SUSPICIOUS_PATTERNS = [
+  { pattern: /\bcurl\s+(?:https?:\/\/|ftp:\/\/)\S+/gi, label: 'curl to external URL', severity: 'warning' },
+  { pattern: /\bwget\s+(?:https?:\/\/|ftp:\/\/)\S+/gi, label: 'wget to external URL', severity: 'warning' },
+  { pattern: /\beval\s*\(/gi, label: 'eval() usage', severity: 'critical' },
+  { pattern: /\bnew\s+Function\s*\(/gi, label: 'new Function() usage', severity: 'critical' },
+  { pattern: /\batob\s*\(/gi, label: 'base64 decode (atob)', severity: 'warning' },
+  { pattern: /\bbtoa\s*\(/gi, label: 'base64 encode (btoa)', severity: 'warning' },
+  { pattern: /Buffer\.from\s*\([^)]*,\s*['"]base64['"]\s*\)/gi, label: 'Buffer base64 decode', severity: 'warning' },
+  { pattern: /\bbase64\b.*(?:decode|encode)/gi, label: 'base64 operation', severity: 'warning' },
+  { pattern: /(?:\/etc\/passwd|\/etc\/shadow|~\/\.ssh|~\/\.aws|~\/\.gnupg)/g, label: 'sensitive file reference', severity: 'critical' },
+  { pattern: /\bexec\s*\(\s*['"`]/gi, label: 'exec() with string', severity: 'warning' },
+  { pattern: /\bchild_process\b/gi, label: 'child_process usage', severity: 'warning' },
+  { pattern: /\brequire\s*\(\s*['"]child_process['"]\s*\)/gi, label: 'require child_process', severity: 'warning' },
+  { pattern: /(?:nc|netcat)\s+-[a-z]*e\s/gi, label: 'reverse shell pattern', severity: 'critical' },
+  { pattern: /\|\s*(?:bash|sh|zsh)\b/gi, label: 'pipe to shell', severity: 'critical' },
+];
+
+/**
+ * Hash a file's contents using SHA-256.
+ * @param {string} filePath
+ * @returns {string|null} hex hash or null if file unreadable
+ */
+function hashFile(filePath) {
+  try {
+    const content = fs.readFileSync(filePath);
+    return crypto.createHash('sha256').update(content).digest('hex');
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Recursively find skill files in a directory.
+ * Returns SKILL.md files and associated scripts (*.js, *.sh, *.py, *.ts).
+ * @param {string} dir - Skills directory
+ * @returns {string[]} Array of file paths
+ */
+function findSkillFiles(dir) {
+  const files = [];
+  if (!fs.existsSync(dir)) return files;
+
+  const walk = (d) => {
+    let entries;
+    try { entries = fs.readdirSync(d, { withFileTypes: true }); } catch { return; }
+    for (const entry of entries) {
+      const full = path.join(d, entry.name);
+      if (entry.isDirectory()) {
+        if (entry.name === 'node_modules' || entry.name === '.git') continue;
+        walk(full);
+      } else if (
+        entry.name === 'SKILL.md' ||
+        /\.(js|sh|py|ts)$/.test(entry.name)
+      ) {
+        files.push(full);
+      }
+    }
+  };
+
+  walk(dir);
+  return files;
+}
+
+/**
+ * Scan file content for suspicious patterns.
+ * @param {string} content - File content
+ * @param {string} filePath - File path (for reporting)
+ * @returns {{ suspicious: boolean, findings: Array }}
+ */
+function scanForSuspicious(content, filePath) {
+  const findings = [];
+  for (const rule of SUSPICIOUS_PATTERNS) {
+    // Reset regex lastIndex
+    rule.pattern.lastIndex = 0;
+    const match = rule.pattern.exec(content);
+    if (match) {
+      findings.push({
+        file: filePath,
+        label: rule.label,
+        severity: rule.severity,
+        matched: match[0].substring(0, 100),
+      });
+    }
+  }
+  return { suspicious: findings.length > 0, findings };
+}
+
+class SkillIntegrityChecker {
+  /**
+   * @param {Object} opts
+   * @param {string} opts.skillsDir - Path to skills directory
+   * @param {string} [opts.hashFile] - Path to hash lockfile
+   * @param {Function} [opts.onAlert] - Callback for alerts: (alert) => void
+   */
+  constructor(opts = {}) {
+    this.skillsDir = opts.skillsDir || '';
+    this.hashFilePath = opts.hashFile || path.join(this.skillsDir, HASH_FILE);
+    this.onAlert = opts.onAlert || null;
+    this.hashes = {};
+    this.watcher = null;
+  }
+
+  /**
+   * Initialize: hash all skill files and store/compare with lockfile.
+   * @returns {{ files: number, new: number, changed: number, suspicious: Array }}
+   */
+  init() {
+    const files = findSkillFiles(this.skillsDir);
+    const currentHashes = {};
+    const suspiciousFindings = [];
+    let newFiles = 0;
+    let changedFiles = 0;
+
+    // Load existing hashes
+    const storedHashes = this._loadHashes();
+
+    for (const file of files) {
+      const hash = hashFile(file);
+      if (!hash) continue;
+
+      const rel = path.relative(this.skillsDir, file);
+      currentHashes[rel] = hash;
+
+      // Check for changes
+      if (!storedHashes[rel]) {
+        newFiles++;
+      } else if (storedHashes[rel] !== hash) {
+        changedFiles++;
+        this._alert({
+          severity: 'warning',
+          type: 'skill_modified',
+          message: `Skill file modified: ${rel}`,
+          details: { file: rel, oldHash: storedHashes[rel], newHash: hash },
+        });
+      }
+
+      // Scan content for suspicious patterns
+      try {
+        const content = fs.readFileSync(file, 'utf8');
+        const scan = scanForSuspicious(content, rel);
+        if (scan.suspicious) {
+          suspiciousFindings.push(...scan.findings);
+        }
+      } catch {}
+    }
+
+    this.hashes = currentHashes;
+    this._saveHashes(currentHashes);
+
+    return {
+      files: files.length,
+      new: newFiles,
+      changed: changedFiles,
+      suspicious: suspiciousFindings,
+    };
+  }
+
+  /**
+   * Audit: verify all current skill files against stored hashes.
+   * @returns {{ ok: boolean, files: number, changed: string[], missing: string[], suspicious: Array }}
+   */
+  audit() {
+    const storedHashes = this._loadHashes();
+    const files = findSkillFiles(this.skillsDir);
+    const changed = [];
+    const missing = [];
+    const suspiciousFindings = [];
+
+    // Check stored files still exist and match
+    for (const [rel, storedHash] of Object.entries(storedHashes)) {
+      const full = path.join(this.skillsDir, rel);
+      const currentHash = hashFile(full);
+      if (!currentHash) {
+        missing.push(rel);
+      } else if (currentHash !== storedHash) {
+        changed.push(rel);
+      }
+    }
+
+    // Scan for suspicious patterns
+    for (const file of files) {
+      try {
+        const content = fs.readFileSync(file, 'utf8');
+        const rel = path.relative(this.skillsDir, file);
+        const scan = scanForSuspicious(content, rel);
+        if (scan.suspicious) suspiciousFindings.push(...scan.findings);
+      } catch {}
+    }
+
+    return {
+      ok: changed.length === 0 && missing.length === 0 && suspiciousFindings.length === 0,
+      files: Object.keys(storedHashes).length,
+      changed,
+      missing,
+      suspicious: suspiciousFindings,
+    };
+  }
+
+  /**
+   * Watch skills directory for changes (real-time monitoring).
+   * @returns {fs.FSWatcher|null}
+   */
+  watch() {
+    if (!fs.existsSync(this.skillsDir)) return null;
+
+    this.watcher = fs.watch(this.skillsDir, { recursive: true }, (eventType, filename) => {
+      if (!filename) return;
+      if (filename === HASH_FILE || filename.includes('node_modules')) return;
+
+      const ext = path.extname(filename);
+      if (filename !== 'SKILL.md' && !['.js', '.sh', '.py', '.ts'].includes(ext)) return;
+
+      const full = path.join(this.skillsDir, filename);
+      const hash = hashFile(full);
+      const stored = this.hashes[filename];
+
+      if (hash && stored && hash !== stored) {
+        this._alert({
+          severity: 'warning',
+          type: 'skill_modified',
+          message: `Skill file changed: ${filename}`,
+          details: { file: filename, oldHash: stored, newHash: hash },
+        });
+        this.hashes[filename] = hash;
+        this._saveHashes(this.hashes);
+      } else if (hash && !stored) {
+        this._alert({
+          severity: 'info',
+          type: 'skill_added',
+          message: `New skill file: ${filename}`,
+          details: { file: filename, hash },
+        });
+        this.hashes[filename] = hash;
+        this._saveHashes(this.hashes);
+      }
+    });
+
+    return this.watcher;
+  }
+
+  stop() {
+    if (this.watcher) {
+      this.watcher.close();
+      this.watcher = null;
+    }
+  }
+
+  _loadHashes() {
+    try {
+      return JSON.parse(fs.readFileSync(this.hashFilePath, 'utf8'));
+    } catch {
+      return {};
+    }
+  }
+
+  _saveHashes(hashes) {
+    try {
+      const dir = path.dirname(this.hashFilePath);
+      if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+      fs.writeFileSync(this.hashFilePath, JSON.stringify(hashes, null, 2) + '\n');
+    } catch {}
+  }
+
+  _alert(alert) {
+    if (this.onAlert) this.onAlert(alert);
+  }
+}
+
+module.exports = {
+  SkillIntegrityChecker,
+  hashFile,
+  findSkillFiles,
+  scanForSuspicious,
+  SUSPICIOUS_PATTERNS,
+};

package/src/index.js

@@ -28,8 +28,10 @@ const { scanPII } = require('./scanners/pii');
 const { scanUrls } = require('./scanners/urls');
 const { scanMemoryPoison } = require('./scanners/memory-poison');
 const { scanExfiltration } = require('./scanners/exfiltration');
+const { scanExcessiveAgency } = require('./scanners/excessive-agency');
 const { scanSkill, scanSkillContent } = require('./scanners/supply-chain');
 const { evaluateToolCall } = require('./policies/engine');
+const { HostGuardian, TIERS } = require('./guardian');
 const { SecurityLogger } = require('./utils/logger');
 const { loadConfig } = require('./utils/config');
 
@@ -82,6 +84,29 @@ class ClawMoat {
       onEvent: opts.onEvent,
     });
     this.stats = { scanned: 0, blocked: 0, warnings: 0 };
+
+    // Initialize Host Guardian if configured
+    if (this.config.guardian) {
+      this.guardian = new HostGuardian({
+        mode: this.config.guardian.mode || 'standard',
+        workspace: this.config.guardian.workspace,
+        safeZones: this.config.guardian.safe_zones,
+        forbiddenZones: this.config.guardian.forbidden_zones,
+        logFile: opts.logFile,
+        quiet: opts.quiet,
+        onViolation: opts.onViolation,
+      });
+    }
+  }
+
+  /**
+   * Create and return a Host Guardian instance for laptop-hosted agent security.
+   * Can be used standalone without full ClawMoat config.
+   * @param {Object} opts - Guardian options (mode, workspace, safeZones, etc.)
+   * @returns {HostGuardian}
+   */
+  static createGuardian(opts = {}) {
+    return new HostGuardian(opts);
   }
 
   /**
@@ -122,6 +147,15 @@ class ClawMoat {
       }
     }
 
+    // Excessive agency scan
+    if (this.config.detection?.excessive_agency !== false) {
+      const ea = scanExcessiveAgency(text, opts);
+      if (!ea.clean) {
+        results.findings.push(...ea.findings);
+        results.safe = false;
+      }
+    }
+
     // Memory poisoning scan
     if (this.config.detection?.memory_poison !== false) {
       const mp = scanMemoryPoison(text, opts);
@@ -311,6 +345,9 @@ module.exports.scanPII = scanPII;
 module.exports.scanUrls = scanUrls;
 module.exports.scanMemoryPoison = scanMemoryPoison;
 module.exports.scanExfiltration = scanExfiltration;
+module.exports.scanExcessiveAgency = scanExcessiveAgency;
 module.exports.scanSkill = scanSkill;
 module.exports.scanSkillContent = scanSkillContent;
 module.exports.evaluateToolCall = evaluateToolCall;
+module.exports.HostGuardian = HostGuardian;
+module.exports.TIERS = TIERS;