clawmoat 0.2.1

package/src/badge.js

@@ -0,0 +1,87 @@
+/**
+ * ClawMoat Security Score Badge Generator
+ * 
+ * Generates shields.io-style SVG badges based on audit/scan results.
+ */
+
+const GRADES = {
+  'A+': { color: '#10B981', label: 'excellent' },
+  'A':  { color: '#10B981', label: 'great' },
+  'B':  { color: '#84CC16', label: 'good' },
+  'C':  { color: '#F59E0B', label: 'fair' },
+  'D':  { color: '#EF4444', label: 'poor' },
+  'F':  { color: '#DC2626', label: 'failing' },
+};
+
+/**
+ * Calculate security grade from scan/audit findings.
+ * @param {object} opts
+ * @param {number} opts.totalFindings - Total number of findings
+ * @param {number} opts.criticalFindings - Number of critical/high findings
+ * @param {number} opts.filesScanned - Number of files scanned
+ * @returns {string} Grade (A+ through F)
+ */
+function calculateGrade({ totalFindings = 0, criticalFindings = 0, filesScanned = 1 }) {
+  if (totalFindings === 0) return 'A+';
+  const ratio = totalFindings / Math.max(filesScanned, 1);
+  if (criticalFindings > 0) {
+    return criticalFindings >= 3 ? 'F' : 'D';
+  }
+  if (ratio <= 0.05) return 'A';
+  if (ratio <= 0.15) return 'B';
+  if (ratio <= 0.3) return 'C';
+  if (ratio <= 0.5) return 'D';
+  return 'F';
+}
+
+/**
+ * Generate an SVG badge string.
+ * @param {string} grade - The security grade (A+, A, B, C, D, F)
+ * @returns {string} SVG markup
+ */
+function generateBadgeSVG(grade) {
+  const g = GRADES[grade] || GRADES['F'];
+  const gradeText = grade.replace('+', '&#43;');
+  const labelWidth = 138;
+  const gradeWidth = 40;
+  const totalWidth = labelWidth + gradeWidth;
+
+  return `<svg xmlns="http://www.w3.org/2000/svg" width="${totalWidth}" height="20" role="img" aria-label="ClawMoat Security Score: ${grade}">
+  <title>ClawMoat Security Score: ${grade}</title>
+  <linearGradient id="s" x2="0" y2="100%">
+    <stop offset="0" stop-color="#bbb" stop-opacity=".1"/>
+    <stop offset="1" stop-opacity=".1"/>
+  </linearGradient>
+  <clipPath id="r">
+    <rect width="${totalWidth}" height="20" rx="3" fill="#fff"/>
+  </clipPath>
+  <g clip-path="url(#r)">
+    <rect width="${labelWidth}" height="20" fill="#0F172A"/>
+    <rect x="${labelWidth}" width="${gradeWidth}" height="20" fill="${g.color}"/>
+    <rect width="${totalWidth}" height="20" fill="url(#s)"/>
+  </g>
+  <g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="11">
+    <text aria-hidden="true" x="${labelWidth / 2}" y="15" fill="#010101" fill-opacity=".3">🏰 ClawMoat Score</text>
+    <text x="${labelWidth / 2}" y="14">🏰 ClawMoat Score</text>
+    <text aria-hidden="true" x="${labelWidth + gradeWidth / 2}" y="15" fill="#010101" fill-opacity=".3">${gradeText}</text>
+    <text x="${labelWidth + gradeWidth / 2}" y="14" font-weight="bold">${gradeText}</text>
+  </g>
+</svg>`;
+}
+
+/**
+ * Get a shields.io URL for the given grade.
+ * @param {string} grade
+ * @returns {string} shields.io badge URL
+ */
+function getShieldsURL(grade) {
+  const colorMap = {
+    'A+': 'brightgreen', 'A': 'green', 'B': 'yellowgreen',
+    'C': 'yellow', 'D': 'orange', 'F': 'red',
+  };
+  const encoded = encodeURIComponent(grade);
+  const color = colorMap[grade] || 'red';
+  return `https://img.shields.io/badge/ClawMoat-${encoded}-${color}`;
+}
+
+module.exports = { calculateGrade, generateBadgeSVG, getShieldsURL, GRADES };

package/src/index.js

@@ -0,0 +1,316 @@
+/**
+ * ClawMoat — Security moat for AI agents
+ * 
+ * Runtime protection against prompt injection, jailbreaks, tool misuse,
+ * secret/PII leakage, data exfiltration, memory poisoning, and supply chain attacks.
+ * 
+ * @module clawmoat
+ * @example
+ * const ClawMoat = require('clawmoat');
+ * const moat = new ClawMoat();
+ * 
+ * // Scan inbound message for injection/jailbreak threats
+ * const result = moat.scanInbound(userMessage);
+ * if (!result.safe) console.log('Threat detected:', result.findings);
+ * 
+ * // Scan outbound text for secret/PII leaks
+ * const out = moat.scanOutbound(responseText);
+ * 
+ * // Evaluate a tool call against security policies
+ * const policy = moat.evaluateTool('exec', { command: 'rm -rf /' });
+ * if (policy.decision === 'deny') console.log('Blocked:', policy.reason);
+ */
+
+const { scanPromptInjection } = require('./scanners/prompt-injection');
+const { scanJailbreak } = require('./scanners/jailbreak');
+const { scanSecrets } = require('./scanners/secrets');
+const { scanPII } = require('./scanners/pii');
+const { scanUrls } = require('./scanners/urls');
+const { scanMemoryPoison } = require('./scanners/memory-poison');
+const { scanExfiltration } = require('./scanners/exfiltration');
+const { scanSkill, scanSkillContent } = require('./scanners/supply-chain');
+const { evaluateToolCall } = require('./policies/engine');
+const { SecurityLogger } = require('./utils/logger');
+const { loadConfig } = require('./utils/config');
+
+/**
+ * @typedef {Object} ScanFinding
+ * @property {string} type - Finding category (e.g. 'prompt_injection', 'secret_detected', 'pii_detected')
+ * @property {string} subtype - Specific detection pattern name
+ * @property {string} severity - 'low' | 'medium' | 'high' | 'critical'
+ * @property {string} [matched] - The matched text (may be redacted for secrets)
+ * @property {number} [position] - Character position in the scanned text
+ */
+
+/**
+ * @typedef {Object} ScanResult
+ * @property {boolean} safe - true if no threats found
+ * @property {ScanFinding[]} findings - Array of detected issues
+ * @property {string|null} severity - Maximum severity across findings
+ * @property {string} action - 'allow' | 'log' | 'warn' | 'block'
+ */
+
+/**
+ * @typedef {Object} ToolDecision
+ * @property {string} decision - 'allow' | 'deny' | 'warn' | 'review'
+ * @property {string} tool - Tool name evaluated
+ * @property {string} [reason] - Human-readable explanation
+ * @property {string} [severity] - Severity of the policy violation
+ */
+
+/**
+ * Main ClawMoat security scanner class.
+ * Instantiate with optional config to scan text and evaluate tool calls.
+ */
+class ClawMoat {
+  /**
+   * Create a ClawMoat instance.
+   * @param {Object} [opts] - Options
+   * @param {Object} [opts.config] - Configuration object (overrides file-based config)
+   * @param {string} [opts.configPath] - Path to clawmoat.yml config file
+   * @param {string} [opts.logFile] - Path to write security event logs
+   * @param {boolean} [opts.quiet] - Suppress console output
+   * @param {Function} [opts.onEvent] - Callback for each security event
+   */
+  constructor(opts = {}) {
+    this.config = opts.config || loadConfig(opts.configPath);
+    this.logger = new SecurityLogger({
+      logFile: opts.logFile,
+      quiet: opts.quiet,
+      minSeverity: this.config.alerts?.severity_threshold,
+      webhook: this.config.alerts?.webhook,
+      onEvent: opts.onEvent,
+    });
+    this.stats = { scanned: 0, blocked: 0, warnings: 0 };
+  }
+
+  /**
+   * Scan inbound text for prompt injection, jailbreaks, suspicious URLs, and memory poisoning.
+   * @param {string} text - Text to scan (message, email, web content, tool output)
+   * @param {Object} [opts] - Options
+   * @param {string} [opts.context] - Source context ('message' | 'email' | 'web' | 'tool_output')
+   * @returns {ScanResult} Scan result with findings and recommended action
+   */
+  scanInbound(text, opts = {}) {
+    this.stats.scanned++;
+    const results = { findings: [], safe: true, severity: null, action: 'allow' };
+
+    // Prompt injection scan
+    if (this.config.detection?.prompt_injection !== false) {
+      const pi = scanPromptInjection(text, opts);
+      if (!pi.clean) {
+        results.findings.push(...pi.findings);
+        results.safe = false;
+      }
+    }
+
+    // Jailbreak scan
+    if (this.config.detection?.jailbreak !== false) {
+      const jb = scanJailbreak(text);
+      if (!jb.clean) {
+        results.findings.push(...jb.findings);
+        results.safe = false;
+      }
+    }
+
+    // URL scan
+    if (this.config.detection?.url_scanning !== false) {
+      const urls = scanUrls(text, opts);
+      if (!urls.clean) {
+        results.findings.push(...urls.findings);
+        results.safe = false;
+      }
+    }
+
+    // Memory poisoning scan
+    if (this.config.detection?.memory_poison !== false) {
+      const mp = scanMemoryPoison(text, opts);
+      if (!mp.clean) {
+        results.findings.push(...mp.findings);
+        results.safe = false;
+      }
+    }
+
+    // Determine action
+    if (!results.safe) {
+      const maxSev = this._maxSeverity(results.findings);
+      results.severity = maxSev;
+      results.action = maxSev === 'critical' ? 'block' : maxSev === 'high' ? 'warn' : 'log';
+
+      if (results.action === 'block') this.stats.blocked++;
+      if (results.action === 'warn') this.stats.warnings++;
+
+      this.logger.log({
+        type: 'inbound_threat',
+        severity: maxSev,
+        message: `${results.findings.length} threat(s) detected in ${opts.context || 'message'}`,
+        details: {
+          findings: results.findings.map(f => ({ type: f.type, subtype: f.subtype, severity: f.severity })),
+          source: opts.context,
+          textPreview: text.substring(0, 100),
+        },
+      });
+    }
+
+    return results;
+  }
+
+  /**
+   * Scan outbound text for secrets, PII, and data exfiltration attempts.
+   * @param {string} text - Outbound text to scan
+   * @param {Object} [opts] - Options
+   * @param {string} [opts.context] - Source context for logging
+   * @returns {ScanResult} Scan result with findings and recommended action
+   */
+  scanOutbound(text, opts = {}) {
+    this.stats.scanned++;
+    const results = { findings: [], safe: true, severity: null, action: 'allow' };
+
+    // Secret scanning
+    if (this.config.detection?.secret_scanning !== false) {
+      const secrets = scanSecrets(text, { direction: 'outbound', ...opts });
+      if (!secrets.clean) {
+        results.findings.push(...secrets.findings);
+        results.safe = false;
+      }
+    }
+
+    // PII scanning
+    if (this.config.detection?.pii !== false) {
+      const pii = scanPII(text, opts);
+      if (!pii.clean) {
+        results.findings.push(...pii.findings);
+        results.safe = false;
+      }
+    }
+
+    // Exfiltration scanning
+    if (this.config.detection?.exfiltration !== false) {
+      const exfil = scanExfiltration(text, opts);
+      if (!exfil.clean) {
+        results.findings.push(...exfil.findings);
+        results.safe = false;
+      }
+    }
+
+    if (!results.safe) {
+      const maxSev = this._maxSeverity(results.findings);
+      results.severity = maxSev;
+      results.action = maxSev === 'critical' ? 'block' : 'warn';
+
+      this.stats.blocked++;
+      this.logger.log({
+        type: 'outbound_leak',
+        severity: maxSev,
+        message: `Secret/credential detected in outbound ${opts.context || 'message'}`,
+        details: {
+          findings: results.findings.map(f => ({ type: f.type, subtype: f.subtype, severity: f.severity, matched: f.matched })),
+        },
+      });
+    }
+
+    return results;
+  }
+
+  /**
+   * Evaluate a tool call against security policies.
+   * @param {string} tool - Tool name (e.g. 'exec', 'read', 'write', 'browser')
+   * @param {Object} args - Tool arguments to evaluate
+   * @returns {ToolDecision} Policy decision with explanation
+   */
+  evaluateTool(tool, args) {
+    const result = evaluateToolCall(tool, args, this.config.policies || {});
+
+    if (result.decision !== 'allow') {
+      const severity = result.severity || 'medium';
+      if (result.decision === 'deny') this.stats.blocked++;
+      if (result.decision === 'warn') this.stats.warnings++;
+
+      this.logger.log({
+        type: 'tool_policy',
+        severity,
+        message: `Tool ${tool}: ${result.decision} — ${result.reason}`,
+        details: { tool, decision: result.decision, ...result },
+      });
+    }
+
+    return result;
+  }
+
+  /**
+   * Full bidirectional scan: check text as both inbound threat AND outbound leak.
+   * @param {string} text - Text to scan
+   * @param {Object} [opts] - Options passed to both scanInbound and scanOutbound
+   * @returns {{ safe: boolean, inbound: ScanResult, outbound: ScanResult, findings: ScanFinding[] }}
+   */
+  scan(text, opts = {}) {
+    const inbound = this.scanInbound(text, opts);
+    const outbound = this.scanOutbound(text, opts);
+
+    return {
+      safe: inbound.safe && outbound.safe,
+      inbound,
+      outbound,
+      findings: [...inbound.findings, ...outbound.findings],
+    };
+  }
+
+  /**
+   * Get security event log
+   */
+  getEvents(filter) {
+    return this.logger.getEvents(filter);
+  }
+
+  /**
+   * Get summary stats
+   */
+  getSummary() {
+    return {
+      ...this.stats,
+      events: this.logger.summary(),
+    };
+  }
+
+  /**
+   * Scan a skill directory or file for supply chain threats (malicious code patterns).
+   * @param {string} skillPath - Path to skill directory or file
+   * @returns {{ clean: boolean, findings: ScanFinding[], severity: string|null }}
+   */
+  scanSkill(skillPath) {
+    const result = scanSkill(skillPath);
+
+    if (!result.clean) {
+      const maxSev = this._maxSeverity(result.findings);
+      this.logger.log({
+        type: 'supply_chain_threat',
+        severity: maxSev,
+        message: `${result.findings.length} issue(s) in skill: ${skillPath}`,
+        details: { findings: result.findings },
+      });
+    }
+
+    return result;
+  }
+
+  _maxSeverity(findings) {
+    const rank = { low: 0, medium: 1, high: 2, critical: 3 };
+    return findings.reduce(
+      (max, f) => (rank[f.severity] || 0) > (rank[max] || 0) ? f.severity : max,
+      'low'
+    );
+  }
+}
+
+module.exports = ClawMoat;
+module.exports.ClawMoat = ClawMoat;
+module.exports.scanPromptInjection = scanPromptInjection;
+module.exports.scanJailbreak = scanJailbreak;
+module.exports.scanSecrets = scanSecrets;
+module.exports.scanPII = scanPII;
+module.exports.scanUrls = scanUrls;
+module.exports.scanMemoryPoison = scanMemoryPoison;
+module.exports.scanExfiltration = scanExfiltration;
+module.exports.scanSkill = scanSkill;
+module.exports.scanSkillContent = scanSkillContent;
+module.exports.evaluateToolCall = evaluateToolCall;

package/src/middleware/openclaw.js

@@ -0,0 +1,133 @@
+/**
+ * ClawMoat — OpenClaw Integration Middleware
+ * 
+ * Hooks into OpenClaw's session transcript files to provide
+ * real-time monitoring and alerting.
+ * 
+ * Usage:
+ *   const { watchSessions } = require('clawmoat/src/middleware/openclaw');
+ *   watchSessions({ agentDir: '~/.openclaw/agents/main' });
+ */
+
+const fs = require('fs');
+const path = require('path');
+const ClawMoat = require('../index');
+
+/**
+ * Watch OpenClaw session files for security events
+ */
+function watchSessions(opts = {}) {
+  const agentDir = expandHome(opts.agentDir || '~/.openclaw/agents/main');
+  const sessionsDir = path.join(agentDir, 'sessions');
+  const moat = new ClawMoat(opts);
+
+  if (!fs.existsSync(sessionsDir)) {
+    console.error(`[ClawMoat] Sessions directory not found: ${sessionsDir}`);
+    return null;
+  }
+
+  console.log(`[ClawMoat] 🏰 Watching sessions in ${sessionsDir}`);
+
+  // Track file sizes to only read new content
+  const filePositions = {};
+
+  const watcher = fs.watch(sessionsDir, (eventType, filename) => {
+    if (!filename || !filename.endsWith('.jsonl')) return;
+
+    const filePath = path.join(sessionsDir, filename);
+    
+    try {
+      const stat = fs.statSync(filePath);
+      const lastPos = filePositions[filename] || 0;
+
+      if (stat.size <= lastPos) return;
+
+      // Read only new content
+      const fd = fs.openSync(filePath, 'r');
+      const buffer = Buffer.alloc(stat.size - lastPos);
+      fs.readSync(fd, buffer, 0, buffer.length, lastPos);
+      fs.closeSync(fd);
+
+      filePositions[filename] = stat.size;
+
+      const newContent = buffer.toString('utf8');
+      const lines = newContent.split('\n').filter(Boolean);
+
+      for (const line of lines) {
+        try {
+          const entry = JSON.parse(line);
+          processEntry(moat, entry, filename);
+        } catch {}
+      }
+    } catch {}
+  });
+
+  return {
+    moat,
+    watcher,
+    stop: () => watcher.close(),
+    getEvents: (filter) => moat.getEvents(filter),
+    getSummary: () => moat.getSummary(),
+  };
+}
+
+function processEntry(moat, entry, sessionFile) {
+  // Scan user messages (inbound)
+  if (entry.role === 'user') {
+    const text = extractText(entry);
+    if (text) {
+      const result = moat.scanInbound(text, { context: 'message', session: sessionFile });
+      if (!result.safe && result.action === 'block') {
+        console.error(`[ClawMoat] 🚨 BLOCKED threat in ${sessionFile}: ${result.findings[0]?.subtype}`);
+      }
+    }
+  }
+
+  // Audit tool calls (from assistant)
+  if (entry.role === 'assistant' && Array.isArray(entry.content)) {
+    for (const part of entry.content) {
+      if (part.type === 'toolCall') {
+        const result = moat.evaluateTool(part.name, part.arguments || {});
+        if (result.decision === 'deny') {
+          console.error(`[ClawMoat] 🚨 BLOCKED tool call: ${part.name} — ${result.reason}`);
+        }
+      }
+    }
+  }
+
+  // Scan tool results for injected content
+  if (entry.role === 'tool') {
+    const text = extractText(entry);
+    if (text) {
+      moat.scanInbound(text, { context: 'tool_output', session: sessionFile });
+    }
+  }
+
+  // Check outbound messages for secrets
+  if (entry.role === 'assistant') {
+    const text = extractText(entry);
+    if (text) {
+      const result = moat.scanOutbound(text, { context: 'assistant_reply', session: sessionFile });
+      if (!result.safe) {
+        console.error(`[ClawMoat] 🚨 SECRET in outbound message: ${result.findings[0]?.subtype}`);
+      }
+    }
+  }
+}
+
+function extractText(entry) {
+  if (typeof entry.content === 'string') return entry.content;
+  if (Array.isArray(entry.content)) {
+    return entry.content
+      .filter(c => c.type === 'text')
+      .map(c => c.text)
+      .join('\n');
+  }
+  return null;
+}
+
+function expandHome(p) {
+  return p.replace(/^~/, process.env.HOME || '/home/user');
+}
+
+module.exports = { watchSessions };