clawmoat 0.8.0 → 1.0.0

package/docs/plans/2026-04-14-bugmageddon-marketing-pack.md

@@ -0,0 +1,329 @@
+# ClawMoat marketing pack — Bugmageddon / WSJ / Mythos
+
+## Core angle
+
+WSJ gave the market a clean phrase: **bugmageddon**.
+
+Use it to sharpen ClawMoat's category:
+
+**Old framing:** prompt injection scanner / AI security tool<br>
+**Better framing:** **agent firewall for the bugmageddon era**
+
+The point is simple:
+
+- AI is getting much better at finding vulnerabilities
+- Attackers will get that capability too
+- Patching will stay slower than discovery
+- AI agents have the permissions needed to turn bugs into impact
+- Therefore the missing layer is **runtime containment**
+
+## Best ClawMoat message
+
+**They protect the model. ClawMoat protects the machine.**
+
+Variants:
+- **Bug discovery is accelerating. Containment needs to catch up.**
+- **When AI finds more bugs, agent runtime security stops being optional.**
+- **The patch queue is about to get longer. Your agent permissions should get tighter.**
+
+---
+
+## X post options
+
+### Option 1, sharpest
+
+WSJ called it “bugmageddon.”
+
+Anthropic’s Mythos reportedly found a 27-year-old bug plus thousands more high-severity flaws.
+
+That doesn’t just mean defenders get faster.
+It means exploit discovery gets cheaper.
+
+And AI agents already have shell, browser, file system, API key, and MCP access.
+
+The question is no longer just “can AI find bugs?”
+It’s “what stops your agent from turning them into damage?”
+
+That’s the layer ClawMoat is built for.
+
+Open-source agent firewall.
+https://clawmoat.com
+
+### Option 2, more founder-voice
+
+The WSJ bugmageddon piece got one thing very right:
+we’re heading into a world where AI finds vulnerabilities faster than most teams can fix them.
+
+That changes the job.
+
+Static scanning matters.
+Patching matters.
+But once agents have real permissions, you also need runtime controls.
+
+What can it read?
+What can it run?
+What can it send out?
+What gets blocked?
+What gets logged?
+
+That’s ClawMoat.
+https://clawmoat.com
+
+### Option 3, shortest
+
+Bugmageddon = AI finds bugs faster, attackers exploit faster, patches lag.
+
+Agents make that worse because they already have the keys.
+
+ClawMoat is the firewall between the agent and the machine.
+https://clawmoat.com
+
+---
+
+## X thread
+
+1. WSJ called it “bugmageddon.” Good term.
+
+If frontier models can find vulnerabilities humans missed for decades, the economics of attack just changed.
+
+2. The issue is not just more bugs found by defenders.
+
+It’s that exploit discovery gets cheaper, faster, and eventually available to anyone with a decent model stack.
+
+3. Most teams still think in old security terms:
+find bug → patch bug → move on.
+
+But patching is slow. Backlogs are real. And agents now sit on top of the blast radius.
+
+4. Your agent has shell access, browser control, file I/O, MCP tools, secrets, cloud creds, internal docs.
+
+So the question becomes:
+what happens when something gets through?
+
+5. Prompt filters are not enough.
+Static scans are not enough.
+You need runtime containment.
+
+What can the agent read?
+What can it execute?
+What can it exfiltrate?
+What gets blocked automatically?
+
+6. That’s the ClawMoat thesis.
+
+Not “make prompts safer.”
+Make agents safe to run on real machines.
+
+7. ClawMoat scans inbound content, outbound content, MCP configs, and tool use.
+Then it enforces policy at runtime.
+
+Because in the bugmageddon era, detection without containment is not enough.
+
+8. Open source.
+Agent firewall.
+Built for the moment the market is finally waking up.
+
+https://clawmoat.com
+https://github.com/darfaz/clawmoat
+
+---
+
+## Reddit post
+
+### Suggested subreddits
+- r/LocalLLaMA
+- r/ClaudeAI
+- r/OpenAI
+- r/artificial
+- r/cybersecurity
+- r/netsec (more technical, tone down the marketing)
+- r/mcp
+
+### Title option 1
+WSJ says AI is finding bugs humans missed for decades. I think the real issue is agent containment.
+
+### Title option 2
+If bug discovery gets automated, AI agent runtime security becomes mandatory
+
+### Body
+The WSJ bugmageddon article is getting attention because of the headline claim: frontier AI can now find serious vulnerabilities that sat undiscovered for years.
+
+That’s interesting, but I think the more important implication is downstream.
+
+If exploit discovery gets faster, while patching stays slow, then AI agents become a very uncomfortable part of the stack.
+
+They already have:
+- shell access
+- browser control
+- file system access
+- API keys and local secrets
+- MCP servers with broad permissions
+
+So the real question stops being “can AI find bugs?” and becomes “what stops an agent from turning a bug, prompt injection, or bad tool chain into a real compromise?”
+
+That’s why I’ve been building ClawMoat.
+It’s an open-source agent firewall that sits between the agent and the machine.
+
+It does a few concrete things:
+- scans inbound content for prompt injection and poisoned instructions
+- scans outbound content for secrets and exfiltration
+- audits MCP configs and risky permissions
+- enforces policy on shell, file, browser, and network actions
+
+I think this category is going to matter a lot more over the next 12 months.
+
+Curious if people here agree with the core thesis:
+**as bug discovery gets automated, runtime containment becomes more important than prompt-level safety alone.**
+
+Repo: https://github.com/darfaz/clawmoat
+Site: https://clawmoat.com
+
+---
+
+## Hacker News post draft
+
+### Title
+Show HN: ClawMoat, an open-source agent firewall for the bugmageddon era
+
+### Text
+WSJ just popularized “bugmageddon” as shorthand for AI finding vulnerabilities faster than humans can fix them.
+
+I think that creates a second-order problem for agent builders.
+
+Even if you patch aggressively, agents now have shell, browser, filesystem, and MCP access. So once a prompt injection, poisoned dependency, risky plugin, or newly discovered vuln gets through, the real question is what the agent is still allowed to do.
+
+ClawMoat is my attempt at that layer.
+
+It’s an open-source agent firewall that:
+- scans inbound content
+- scans outbound content
+- audits MCP configs
+- enforces policies on tool use
+- logs everything for audit
+
+I’d love technical feedback, especially from people running local agents on real machines.
+
+https://github.com/darfaz/clawmoat
+
+---
+
+## LinkedIn post
+
+The WSJ “bugmageddon” framing is worth paying attention to.
+
+If frontier AI can find vulnerabilities humans missed for decades, then security teams are about to face a new asymmetry:
+
+bug discovery speeds up<br>
+weaponization speeds up<br>
+patching does not
+
+That matters even more in the age of AI agents.
+
+Agents are not chatbots. They sit on top of shell access, browsers, files, API keys, MCP servers, and internal systems.
+
+So the new question is not just whether AI can find more bugs.
+The question is whether your runtime controls are strong enough when something gets through.
+
+That is exactly why I built ClawMoat.
+
+ClawMoat is an open-source agent firewall that scans content, audits MCP setups, and enforces policy between the agent and the machine.
+
+I think this layer becomes much more important over the next year.
+
+If you’re building or deploying AI agents, I’d love to compare notes.
+
+https://clawmoat.com
+https://github.com/darfaz/clawmoat
+
+---
+
+## Dev.to article draft
+
+### Title
+Bugmageddon Is Coming. AI Agent Runtime Security Just Became Mandatory.
+
+### Subtitle
+If AI can find bugs faster than teams can patch them, the missing layer is containment.
+
+### Outline
+
+1. Open with WSJ framing and the 27-year-old bug claim
+2. Explain the shift in attack economics
+3. Explain why patching remains the limiting factor
+4. Explain why agents amplify blast radius
+5. Distinguish prompt safety from runtime security
+6. Walk through what a practical containment layer does
+7. Position ClawMoat as open-source agent firewall
+8. End with concrete checklist + repo link
+
+### Strong opener
+The scary part of the WSJ bugmageddon article is not that AI can find vulnerabilities.
+
+The scary part is that once exploit discovery gets cheap, every over-permissioned AI agent becomes part of the attack surface.
+
+---
+
+## Homepage / hero update suggestions
+
+Current category is good. Tighten it.
+
+### Hero copy test A
+**The open-source agent firewall**<br>
+AI is finding bugs faster. Stop agents from turning them into breaches.
+
+### Hero copy test B
+**They protect the model. ClawMoat protects the machine.**<br>
+Runtime security for AI agents with shell, browser, file system, and MCP access.
+
+### Hero copy test C
+**Built for bugmageddon.**<br>
+Contain what AI agents can do when vulnerabilities are inevitable.
+
+### Subhead inserts
+- Scan prompts, outputs, MCP configs, and tool calls
+- Enforce policy before the command runs
+- Audit everything after
+
+---
+
+## CTA ideas
+
+- **Run a free agent exposure scan**
+- **Audit your MCP setup**
+- **See what your agent can actually reach**
+- **Install the firewall between your agent and your machine**
+
+---
+
+## Good discussion hooks
+
+Use these to get replies instead of just impressions:
+
+- “What’s the bigger risk: automated bug discovery or over-permissioned agents?”
+- “Do you think prompt-level safety is enough once agents have shell access?”
+- “If your coding agent gets exploited tomorrow, what actually stops data exfiltration?”
+- “How many teams have real runtime policy around MCP today?”
+
+---
+
+## Recommended execution order
+
+1. Publish the blog post on ClawMoat site
+2. Post the short X post manually if API credits are still dead
+3. Post the Reddit piece in r/LocalLLaMA or r/cybersecurity
+4. Turn the blog into a Dev.to article the same day
+5. Update homepage hero with bugmageddon-era framing
+6. Reply to any comments with the same thesis: **detection matters, containment is the missing layer**
+
+---
+
+## Notes on source discipline
+
+Use “reportedly” when referencing the 27-year-old bug and thousands-of-flaws claims unless citing Anthropic directly.
+
+Good safe framing:
+- “reported by WSJ / follow-on coverage”
+- “Anthropic says”
+- “the broader trend is what matters”
+
+Avoid overstating details we cannot independently verify.

package/docs/plans/2026-04-14-clawmoat-v1-bugmageddon.md

@@ -0,0 +1,248 @@
+# ClawMoat v1 Bugmageddon Implementation Plan
+
+> **For implementation:** Use the executing-plans skill to implement this plan task-by-task.
+
+**Goal:** Ship the first ClawMoat v1 feature set around AI-era vulnerability operations, starting with exploitability-focused triage instead of raw finding spam.
+
+**Architecture:** Build on the existing scanner core instead of inventing a second product. Add a lightweight vulnerability-ops layer that normalizes findings, scores exploitability, groups related findings, and exposes a simple report format in CLI/docs. Keep it zero-dependency and compatible with current scan flows.
+
+**Tech Stack:** Node.js built-ins only, existing ClawMoat scanner architecture, node:test, Markdown docs.
+
+---
+
+## Product thesis
+
+AI is making bug discovery cheap.
+
+That means the bottleneck is shifting from detection to triage, prioritization, containment, and proof of closure. ClawMoat v1 should not compete on “we also find bugs.” It should compete on “we help you decide what matters first, while runtime protections stay on.”
+
+## v1 scope
+
+Ship now:
+- exploitability scoring for findings
+- finding clustering / dedupe hints
+- a vulnerability-ops report format
+- docs positioning ClawMoat as runtime containment + triage layer
+
+Do not ship yet:
+- full patch orchestration platform
+- dashboards that require a backend rewrite
+- ticketing integrations across every vendor
+- giant enterprise workflow layer
+
+---
+
+### Task 1: Create exploitability scoring tests
+
+**Files:**
+- Create: `test/vuln-ops.test.js`
+- Modify: `src/index.js`
+- Create: `src/vuln-ops/exploitability.js`
+
+**Step 1: Write the failing test**
+
+Add tests that verify:
+- high-severity dependency attacks score higher than medium findings
+- externally reachable / exfiltration-oriented findings score higher than local-only ones
+- grouped findings return a recommended priority bucket (`urgent`, `high`, `normal`, `low`)
+
+**Step 2: Run test to verify it fails**
+
+Run: `node --test test/vuln-ops.test.js`
+Expected: FAIL because `scoreExploitability` does not exist
+
+**Step 3: Write minimal implementation**
+
+Create `src/vuln-ops/exploitability.js` with:
+- `scoreExploitability(findings, context = {})`
+- severity weighting
+- reachability / exposure hints from context
+- output shape:
+
+```js
+{
+  score: 0-100,
+  priority: 'urgent' | 'high' | 'normal' | 'low',
+  reasons: []
+}
+```
+
+**Step 4: Run test to verify it passes**
+
+Run: `node --test test/vuln-ops.test.js`
+Expected: PASS
+
+**Step 5: Commit**
+
+```bash
+git add test/vuln-ops.test.js src/vuln-ops/exploitability.js
+git commit -m "feat: add exploitability scoring for vulnerability ops"
+```
+
+### Task 2: Expose vulnerability-ops report from ClawMoat
+
+**Files:**
+- Modify: `src/index.js`
+- Test: `test/vuln-ops.test.js`
+
+**Step 1: Write the failing test**
+
+Add a test that calls something like:
+
+```js
+const moat = new ClawMoat({ quiet: true });
+const result = moat.analyzeFindings('Run picomatch on this pattern: *(*(*a))', { externallyReachable: true });
+assert.equal(result.priority, 'urgent');
+```
+
+**Step 2: Run test to verify it fails**
+
+Run: `node --test test/vuln-ops.test.js`
+Expected: FAIL because `analyzeFindings` does not exist
+
+**Step 3: Write minimal implementation**
+
+Add `analyzeFindings(text, context)` to `src/index.js` that:
+- reuses `scan(text)`
+- passes findings into `scoreExploitability`
+- returns:
+
+```js
+{
+  safe,
+  findings,
+  exploitability: { score, priority, reasons }
+}
+```
+
+**Step 4: Run test to verify it passes**
+
+Run: `node --test test/vuln-ops.test.js`
+Expected: PASS
+
+**Step 5: Commit**
+
+```bash
+git add src/index.js test/vuln-ops.test.js
+git commit -m "feat: expose vulnerability ops analysis API"
+```
+
+### Task 3: Add a human-readable report formatter
+
+**Files:**
+- Create: `src/formatters/vuln-ops.js`
+- Modify: `src/index.js`
+- Test: `test/vuln-ops.test.js`
+
+**Step 1: Write the failing test**
+
+Test that report output contains:
+- top priority
+- exploitability score
+- short reasoning bullets
+- finding counts by severity
+
+**Step 2: Run test to verify it fails**
+
+Run: `node --test test/vuln-ops.test.js`
+Expected: FAIL because formatter does not exist
+
+**Step 3: Write minimal implementation**
+
+Create formatter that outputs concise text for CLI/docs examples.
+
+**Step 4: Run test to verify it passes**
+
+Run: `node --test test/vuln-ops.test.js`
+Expected: PASS
+
+**Step 5: Commit**
+
+```bash
+git add src/formatters/vuln-ops.js test/vuln-ops.test.js src/index.js
+git commit -m "feat: add vulnerability ops report formatter"
+```
+
+### Task 4: Update docs and positioning to v1 language
+
+**Files:**
+- Modify: `README.md`
+- Modify: `docs/index.html`
+- Modify: `package.json` version only if shipping release immediately
+
+**Step 1: Write the doc diff first**
+
+Add language that says:
+- AI made bug discovery abundant
+- ClawMoat helps prioritize and contain
+- runtime security + exploitability triage
+
+**Step 2: Add example API usage**
+
+Document:
+
+```js
+const analysis = moat.analyzeFindings(input, { externallyReachable: true });
+console.log(analysis.exploitability.priority);
+```
+
+**Step 3: Verify docs are accurate**
+
+Run:
+```bash
+grep -n "analyzeFindings\|exploitability\|Bugmageddon" README.md docs/index.html
+```
+Expected: matching lines present
+
+**Step 4: Commit**
+
+```bash
+git add README.md docs/index.html
+git commit -m "docs: position ClawMoat v1 around exploitability triage"
+```
+
+### Task 5: Verification pass
+
+**Files:**
+- Test: `test/vuln-ops.test.js`
+- Test: `test/scanners.test.js`
+- Test: `test/multimodal.test.js`
+
+**Step 1: Run focused verification**
+
+Run:
+```bash
+node --test test/vuln-ops.test.js test/scanners.test.js test/multimodal.test.js
+```
+Expected: PASS
+
+**Step 2: Optional broader run if resources allow**
+
+Run:
+```bash
+node --test test/*.test.js
+```
+Expected: PASS, unless environment kills long run under load
+
+**Step 3: Capture evidence**
+
+Save the passing output in the session notes / commit message summary before claiming done.
+
+**Step 4: Commit release prep**
+
+```bash
+git add -A
+git commit -m "chore: verify ClawMoat v1 vulnerability ops update"
+```
+
+---
+
+## Recommended execution order right now
+
+1. Task 1
+2. Task 2
+3. Task 5 focused verification
+4. Task 4 docs update
+5. Task 3 formatter if time remains today
+
+That gets a real v1 wedge shipped fast without boiling the ocean.

package/docs/plans/2026-04-14-v1-release-update.md

@@ -0,0 +1,91 @@
+# ClawMoat v1.0.0 update
+
+## What changed
+
+ClawMoat is moving from a fast-moving v0 project to a stable v1 product category:
+
+**The open-source agent firewall.**
+
+This is not just a semantic version bump.
+It is a category claim.
+
+The product now has enough surface area and enough market validation to stop sounding like an experiment:
+
+- prompt injection scanning
+- outbound secret and exfiltration scanning
+- policy engine
+- enforcement middleware
+- MCP scanner
+- supply chain scanner
+- host/runtime controls
+- live monitoring dashboard
+- audit trail
+- framework integrations
+
+That is a real security product.
+
+## Why now
+
+The market just got a cleaner narrative.
+
+WSJ framed the next phase as **bugmageddon**: AI getting much better at vulnerability discovery.
+
+That matters because:
+- bug discovery accelerates
+- exploit discovery becomes cheaper
+- patching remains slow
+- agents already have high privileges
+
+So ClawMoat’s job is clearer than ever:
+
+**contain what agents can do when vulnerabilities are inevitable**
+
+## New top-line message
+
+**They protect the model. ClawMoat protects the machine.**
+
+Backup line:
+
+**As AI finds bugs faster, runtime containment stops being optional.**
+
+## What shipped in this update
+
+1. Homepage hero updated to v1.0.0 framing
+2. New blog post: `blog/bugmageddon-agent-firewall.html`
+3. Blog index updated with the new post and v1 tag
+4. Package version moved to `1.0.0`
+5. Version references updated in formatter tests/docs where needed
+6. Marketing pack created for X, Reddit, HN, LinkedIn, Dev.to, homepage copy
+
+## What still needs to happen
+
+### Release hygiene
+- run tests
+- publish npm package as `1.0.0`
+- tag GitHub release
+- add release notes to README or GitHub Releases
+
+### Distribution
+- post X thread manually if API credits still dead
+- post Reddit piece manually
+- publish Dev.to version
+- announce in GitHub README / release notes
+
+### Strong next product moves
+- `clawmoat doctor` or `clawmoat exposure` command that outputs a shareable risk summary
+- first-class MCP risk scoring report
+- clearer “monitor vs enforce” onboarding path
+- more obvious enterprise / team runtime policy story
+
+## Julian take
+
+Going to v1 is right.
+
+The mistake would be calling it v1 while still talking like a hobby scanner.
+
+So the real upgrade is not the version number.
+It is the language:
+
+- from “security tool” to **agent firewall**
+- from “prompt injection detection” to **runtime containment**
+- from “nice to have” to **mandatory infrastructure for over-permissioned agents**