clawmoat 0.8.0 → 1.0.0

package/src/policy-engine.js

@@ -0,0 +1,402 @@
+/**
+ * ClawMoat Policy Engine — Declarative security rules for AI agents
+ * 
+ * Define rules in YAML/JSON, enforce them at runtime.
+ * This is what makes ClawMoat a firewall, not a scanner.
+ * 
+ * @example
+ * const { PolicyEngine } = require('clawmoat');
+ * const engine = new PolicyEngine('./clawmoat-policy.yaml');
+ * 
+ * // Evaluate a tool call
+ * const decision = engine.evaluate({
+ *   type: 'tool_call',
+ *   tool: 'slack.send',
+ *   args: { channel: '#general', text: 'API key: sk-...' },
+ *   context: { user: 'agent-1', source: 'mcp' }
+ * });
+ * 
+ * if (decision.action === 'block') {
+ *   console.log('Blocked:', decision.reason);
+ * }
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+// Severity levels (ordered)
+const SEVERITY_ORDER = { critical: 4, high: 3, medium: 2, low: 1, info: 0 };
+
+// Built-in data patterns for classification
+const DATA_PATTERNS = {
+  secret: [
+    /sk-(?:proj-)?[a-zA-Z0-9]{20,}/g,              // OpenAI keys
+    /ghp_[a-zA-Z0-9]{36}/g,                       // GitHub PAT
+    /glpat-[a-zA-Z0-9\-_]{20,}/g,                 // GitLab PAT
+    /xox[bpsa]-[a-zA-Z0-9\-]{10,}/g,              // Slack tokens
+    /AKIA[A-Z0-9]{16}/g,                           // AWS access key
+    /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/g,   // Private keys
+    /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g, // JWT tokens
+  ],
+  pii: [
+    /\b\d{3}-\d{2}-\d{4}\b/g,                     // SSN
+    /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi, // Email
+    /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/g, // Credit card
+    /\b\d{3}[\s.-]?\d{3}[\s.-]?\d{4}\b/g,         // Phone number
+  ],
+  internal: [
+    /(?:internal|confidential|restricted|do not share)/gi,
+    /(?:JIRA|CONFLUENCE)-[A-Z]+-\d+/g,            // Internal ticket refs
+  ],
+};
+
+// Built-in tool risk levels
+const TOOL_RISK_DEFAULTS = {
+  // Read-only = low
+  'read': 'low', 'get': 'low', 'list': 'low', 'search': 'low', 'query': 'low',
+  // Side-effecting = medium
+  'create': 'medium', 'update': 'medium', 'write': 'medium', 'put': 'medium',
+  // External comms = high
+  'send': 'high', 'email': 'high', 'post': 'high', 'publish': 'high', 'notify': 'high',
+  // Destructive/privileged = critical
+  'delete': 'critical', 'exec': 'critical', 'shell': 'critical', 'eval': 'critical',
+  'drop': 'critical', 'rm': 'critical', 'chmod': 'critical', 'sudo': 'critical',
+};
+
+/**
+ * @typedef {Object} PolicyRule
+ * @property {string} id - Unique rule identifier
+ * @property {string} [description] - Human-readable description
+ * @property {string} [severity] - Rule severity (critical/high/medium/low)
+ * @property {Object} when - Match conditions
+ * @property {string} action - Enforcement action (block/warn/sanitize/log/require_approval)
+ * @property {string} [message] - Message to include in decision
+ */
+
+/**
+ * @typedef {Object} EvalEvent
+ * @property {string} type - Event type (tool_call/inbound/outbound/memory_write/retrieval)
+ * @property {string} [tool] - Tool name (for tool_call events)
+ * @property {Object} [args] - Tool arguments
+ * @property {string} [text] - Text content (for inbound/outbound)
+ * @property {Object} [context] - Additional context (user, source, session, etc.)
+ */
+
+/**
+ * @typedef {Object} Decision
+ * @property {string} action - Final action (allow/block/warn/sanitize/require_approval)
+ * @property {string} [ruleId] - ID of the rule that triggered
+ * @property {string} [reason] - Human-readable reason
+ * @property {string} [severity] - Severity of the match
+ * @property {Array} matchedRules - All rules that matched
+ * @property {Object} classifications - Data classifications found
+ * @property {number} timestamp - Unix timestamp
+ * @property {number} latencyMs - Processing time
+ */
+
+class PolicyEngine {
+  /**
+   * @param {string|Object|Array} policy - Path to YAML/JSON file, or policy object/array
+   * @param {Object} [options]
+   * @param {string} [options.mode='block'] - Default mode: monitor/warn/sanitize/block
+   * @param {boolean} [options.trace=true] - Enable execution tracing
+   * @param {Function} [options.onDecision] - Callback for every decision
+   */
+  constructor(policy, options = {}) {
+    this.mode = options.mode || 'block';
+    this.trace = options.trace !== false;
+    this.onDecision = options.onDecision || null;
+    this.rules = [];
+    this.traceLog = [];
+    this.stats = { total: 0, allowed: 0, blocked: 0, warned: 0, sanitized: 0 };
+    this.toolRiskOverrides = {};
+
+    if (typeof policy === 'string') {
+      this._loadFromFile(policy);
+    } else if (Array.isArray(policy)) {
+      this.rules = policy;
+    } else if (policy && policy.rules) {
+      this.rules = policy.rules;
+      if (policy.tool_risks) this.toolRiskOverrides = policy.tool_risks;
+      if (policy.mode) this.mode = policy.mode;
+    }
+  }
+
+  _loadFromFile(filePath) {
+    const ext = path.extname(filePath);
+    const raw = fs.readFileSync(filePath, 'utf8');
+
+    if (ext === '.json') {
+      const parsed = JSON.parse(raw);
+      this.rules = parsed.rules || parsed;
+      if (parsed.tool_risks) this.toolRiskOverrides = parsed.tool_risks;
+      if (parsed.mode) this.mode = parsed.mode;
+    } else if (ext === '.yaml' || ext === '.yml') {
+      // Simple YAML parser (no deps) — handles the subset we need
+      const parsed = this._parseSimpleYaml(raw);
+      this.rules = parsed.rules || [];
+      if (parsed.tool_risks) this.toolRiskOverrides = parsed.tool_risks;
+      if (parsed.mode) this.mode = parsed.mode;
+    } else {
+      throw new Error(`Unsupported policy file format: ${ext}. Use .json or .yaml`);
+    }
+  }
+
+  _parseSimpleYaml(text) {
+    // Minimal YAML parser for policy files — handles maps, arrays, strings
+    // For production, users should convert to JSON. This handles 90% of cases.
+    try {
+      // Strip comments
+      const lines = text.split('\n').filter(l => !l.trim().startsWith('#'));
+      const cleaned = lines.join('\n');
+      // Convert YAML-ish to JSON-ish (basic)
+      let json = cleaned
+        .replace(/:\s*\n/g, ': null\n')  // empty values
+        .replace(/^(\s*)- /gm, '$1  ')   // arrays
+        ;
+      // Fall back to JSON.parse if it looks like JSON
+      if (cleaned.trim().startsWith('{') || cleaned.trim().startsWith('[')) {
+        return JSON.parse(cleaned);
+      }
+      // For complex YAML, tell user to use JSON
+      throw new Error('Complex YAML detected. Please use JSON format for policy files, or install a YAML parser.');
+    } catch(e) {
+      throw new Error(`Failed to parse policy YAML: ${e.message}. Tip: use .json format for reliability.`);
+    }
+  }
+
+  /**
+   * Classify text content for data types
+   * @param {string} text
+   * @returns {Object} classifications { secret: [...], pii: [...], internal: [...] }
+   */
+  classify(text) {
+    if (!text || typeof text !== 'string') return {};
+    const result = {};
+    for (const [category, patterns] of Object.entries(DATA_PATTERNS)) {
+      const matches = [];
+      for (const pattern of patterns) {
+        const p = new RegExp(pattern.source, pattern.flags);
+        const found = text.match(p);
+        if (found) matches.push(...found);
+      }
+      if (matches.length > 0) result[category] = matches;
+    }
+    return result;
+  }
+
+  /**
+   * Get risk level for a tool
+   * @param {string} toolName
+   * @returns {string} risk level
+   */
+  getToolRisk(toolName) {
+    if (this.toolRiskOverrides[toolName]) return this.toolRiskOverrides[toolName];
+    const lower = (toolName || '').toLowerCase();
+    for (const [keyword, risk] of Object.entries(TOOL_RISK_DEFAULTS)) {
+      if (lower.includes(keyword)) return risk;
+    }
+    return 'medium'; // default
+  }
+
+  /**
+   * Check if an event matches a rule's conditions
+   * @param {EvalEvent} event
+   * @param {PolicyRule} rule
+   * @returns {boolean}
+   */
+  _matchRule(event, rule) {
+    const when = rule.when;
+    if (!when) return false;
+
+    // Match event type
+    if (when.type && when.type !== event.type) return false;
+
+    // Match tool name
+    if (when.tool) {
+      const tools = Array.isArray(when.tool) ? when.tool : [when.tool];
+      const eventTool = event.tool || '';
+      if (!tools.some(t => {
+        if (t === '*') return true;
+        if (t.includes('*')) {
+          // Convert glob to regex: "http.*" → /^http\..*$/
+          const re = new RegExp('^' + t.replace(/\./g, '\\.').replace(/\*/g, '.*') + '$');
+          return re.test(eventTool);
+        }
+        return eventTool === t || eventTool.toLowerCase() === t.toLowerCase();
+      })) return false;
+    }
+
+    // Match text content contains
+    if (when.input_contains) {
+      const text = this._getEventText(event);
+      const terms = Array.isArray(when.input_contains) ? when.input_contains : [when.input_contains];
+      if (!terms.some(term => text.toLowerCase().includes(term.toLowerCase()))) return false;
+    }
+
+    // Match text content regex
+    if (when.input_matches) {
+      const text = this._getEventText(event);
+      const patterns = Array.isArray(when.input_matches) ? when.input_matches : [when.input_matches];
+      if (!patterns.some(p => new RegExp(p, 'i').test(text))) return false;
+    }
+
+    // Match data classification
+    if (when.data_classification) {
+      const text = this._getEventText(event);
+      const classifications = this.classify(text);
+      const required = Array.isArray(when.data_classification) ? when.data_classification : [when.data_classification];
+      if (!required.some(c => classifications[c] && classifications[c].length > 0)) return false;
+    }
+
+    // Match tool risk level
+    if (when.tool_risk) {
+      const risk = this.getToolRisk(event.tool);
+      const required = Array.isArray(when.tool_risk) ? when.tool_risk : [when.tool_risk];
+      if (!required.includes(risk)) return false;
+    }
+
+    // Match context
+    if (when.context) {
+      const ctx = event.context || {};
+      for (const [key, val] of Object.entries(when.context)) {
+        if (ctx[key] !== val) return false;
+      }
+    }
+
+    // Match source
+    if (when.source) {
+      const sources = Array.isArray(when.source) ? when.source : [when.source];
+      const eventSource = (event.context || {}).source || event.source || '';
+      if (!sources.includes(eventSource)) return false;
+    }
+
+    return true;
+  }
+
+  _getEventText(event) {
+    if (event.text) return event.text;
+    if (event.args) return JSON.stringify(event.args);
+    return '';
+  }
+
+  /**
+   * Evaluate an event against all rules
+   * @param {EvalEvent} event
+   * @returns {Decision}
+   */
+  evaluate(event) {
+    const start = Date.now();
+    this.stats.total++;
+
+    const text = this._getEventText(event);
+    const classifications = this.classify(text);
+    const matchedRules = [];
+
+    // Test all rules
+    for (const rule of this.rules) {
+      if (this._matchRule(event, rule)) {
+        matchedRules.push(rule);
+      }
+    }
+
+    // Determine action from highest-severity matched rule
+    let finalAction = 'allow';
+    let triggerRule = null;
+    let maxSeverity = -1;
+
+    for (const rule of matchedRules) {
+      const sev = SEVERITY_ORDER[rule.severity || 'medium'] || 2;
+      if (sev > maxSeverity) {
+        maxSeverity = sev;
+        triggerRule = rule;
+      }
+    }
+
+    if (triggerRule) {
+      // Apply mode override
+      const ruleAction = triggerRule.action || 'block';
+      if (this.mode === 'monitor') {
+        finalAction = 'log';
+      } else if (this.mode === 'warn') {
+        finalAction = 'warn';
+      } else {
+        finalAction = ruleAction;
+      }
+    }
+
+    // Update stats
+    if (finalAction === 'allow' || finalAction === 'log') this.stats.allowed++;
+    else if (finalAction === 'block') this.stats.blocked++;
+    else if (finalAction === 'warn') this.stats.warned++;
+    else if (finalAction === 'sanitize') this.stats.sanitized++;
+
+    const decision = {
+      action: finalAction,
+      ruleId: triggerRule ? triggerRule.id : null,
+      reason: triggerRule ? (triggerRule.message || triggerRule.description || `Matched rule: ${triggerRule.id}`) : null,
+      severity: triggerRule ? (triggerRule.severity || 'medium') : null,
+      matchedRules: matchedRules.map(r => ({ id: r.id, severity: r.severity, action: r.action })),
+      classifications: Object.keys(classifications).length > 0 ? classifications : undefined,
+      toolRisk: event.tool ? this.getToolRisk(event.tool) : undefined,
+      timestamp: Date.now(),
+      latencyMs: Date.now() - start,
+    };
+
+    // Trace log
+    if (this.trace) {
+      this.traceLog.push({
+        event: { type: event.type, tool: event.tool },
+        decision: { action: decision.action, ruleId: decision.ruleId, severity: decision.severity },
+        timestamp: decision.timestamp,
+        latencyMs: decision.latencyMs,
+      });
+    }
+
+    // Callback
+    if (this.onDecision) {
+      try { this.onDecision(decision, event); } catch(e) { /* ignore callback errors */ }
+    }
+
+    return decision;
+  }
+
+  /**
+   * Get execution trace
+   * @returns {Array}
+   */
+  getTrace() {
+    return [...this.traceLog];
+  }
+
+  /**
+   * Get stats
+   * @returns {Object}
+   */
+  getStats() {
+    return { ...this.stats };
+  }
+
+  /**
+   * Simulate a policy against a set of test events
+   * @param {Array<EvalEvent>} events
+   * @returns {Object} simulation results
+   */
+  simulate(events) {
+    const originalMode = this.mode;
+    this.mode = 'block'; // Simulate full enforcement
+    const results = events.map(event => {
+      const decision = this.evaluate(event);
+      return { event, decision };
+    });
+    this.mode = originalMode;
+    return {
+      total: results.length,
+      blocked: results.filter(r => r.decision.action === 'block').length,
+      allowed: results.filter(r => r.decision.action === 'allow').length,
+      results,
+    };
+  }
+}
+
+module.exports = { PolicyEngine, DATA_PATTERNS, TOOL_RISK_DEFAULTS, SEVERITY_ORDER };

package/src/scanners/dependency-attacks.js

@@ -0,0 +1,128 @@
+/**
+ * ClawMoat — Dependency Attack Scanner
+ * 
+ * Detects attack patterns derived from real CVEs in common dependencies.
+ * Inspired by vulnerability analysis of SOP-Automation and similar projects.
+ * 
+ * Attack classes covered:
+ * 1. Prototype Pollution (axios CVE, lodash CVE history)
+ * 2. ReDoS injection (minimatch CVE family)
+ * 3. Decompression bombs (urllib3 CVE family)
+ * 4. JWT manipulation (PyJWT, jose CVE family)
+ * 5. Path traversal in archives (tar CVE family — complements multimodal scanner)
+ */
+
+// ─── Prototype Pollution ─────────────────────────────────────────────────────
+// Attackers inject __proto__ or constructor.prototype into JSON/objects
+// passed to vulnerable libraries (axios mergeConfig, lodash merge, etc.)
+
+const PROTOTYPE_POLLUTION_PATTERNS = [
+  { pattern: /"__proto__"\s*:/, severity: 'critical', name: 'prototype_pollution_proto' },
+  { pattern: /"constructor"\s*:\s*\{[^}]*"prototype"/, severity: 'critical', name: 'prototype_pollution_constructor' },
+  { pattern: /\["__proto__"\]/, severity: 'critical', name: 'prototype_pollution_bracket' },
+  { pattern: /\.__proto__\s*=/, severity: 'critical', name: 'prototype_pollution_assign' },
+  { pattern: /Object\.prototype\[/, severity: 'high', name: 'prototype_pollution_object' },
+  { pattern: /\["constructor"\]\s*\[["']prototype["']\]/, severity: 'critical', name: 'prototype_pollution_chain' },
+];
+
+// ─── ReDoS Patterns ──────────────────────────────────────────────────────────
+// Detect when AI agent is being instructed to use or process catastrophically
+// backtracking regex patterns (minimatch/picomatch CVE family: nested *(), repeated extglobs, multiple **)
+
+const REDOS_PATTERNS = [
+  // Nested quantifiers — classic ReDoS
+  { pattern: /(\(\S+\+\)\+|\(\S+\*\)\*|\(\S+\?\)\+)/, severity: 'high', name: 'redos_nested_quantifier' },
+  // Multiple adjacent GLOBSTAR patterns (minimatch specific)
+  { pattern: /\*\*[^\s/]*\*\*[^\s/]*\*\*/, severity: 'high', name: 'redos_globstar_chain' },
+  // Nested or repeated *() extglob quantifiers (minimatch/picomatch ReDoS families)
+  { pattern: /(?:\*\([^)]*\*\([^)]*\)|(?:\*\([^)]*\)){2,})/, severity: 'high', name: 'redos_nested_extglob' },
+  // Evil regex known patterns
+  { pattern: /\(\.\*\)\+|\(\.\+\)\*|\(\.\*\)\{/, severity: 'medium', name: 'redos_evil_regex' },
+];
+
+// ─── Decompression Bomb Detection ────────────────────────────────────────────
+// Detect signals of zip/gzip/brotli bomb attacks
+// (urllib3 CVE family: GHSA-g4mx-q9vg-27p4 — unlimited decompression chain)
+
+const DECOMPRESSION_BOMB_PATTERNS = [
+  // Instruction to process suspiciously large compressed data
+  { pattern: /(?:decompress|unzip|extract|gunzip|unbrotli)\s+(?:the\s+)?(?:following|this|attached|uploaded)\s+(?:file|data|content)/i, severity: 'medium', name: 'decompression_instruction' },
+  // Base64-encoded data that's extremely large (>100KB encoded = likely bomb)
+  // We check for very long base64 strings as a signal
+  { pattern: /(?:^|[\s"'])([A-Za-z0-9+/]{100000,}={0,2})(?:$|[\s"'])/, severity: 'high', name: 'decompression_large_b64' },
+  // Multiple nested compression signals
+  { pattern: /(?:gzip|deflate|brotli|zstd|lz4).*(?:gzip|deflate|brotli|zstd|lz4).*(?:gzip|deflate|brotli|zstd|lz4)/i, severity: 'medium', name: 'decompression_chain' },
+];
+
+// ─── JWT Manipulation ─────────────────────────────────────────────────────────
+// Detect JWT tampering techniques
+// (PyJWT unknown crit header CVE, alg:none attack, header injection)
+
+const JWT_MANIPULATION_PATTERNS = [
+  // Algorithm confusion (alg:none or symmetric/asymmetric swap)
+  { pattern: /"alg"\s*:\s*"(?:none|None|NONE)"/, severity: 'critical', name: 'jwt_alg_none' },
+  { pattern: /eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.(?:$|\s)/, severity: 'high', name: 'jwt_no_signature' }, // JWT with empty sig
+  // crit header manipulation (PyJWT CVE GHSA-m695-7mj6-7w6v)
+  { pattern: /"crit"\s*:\s*\[[^\]]*"[a-zA-Z0-9_-]+"[^\]]*\]/, severity: 'high', name: 'jwt_crit_header' },
+  // kid injection (SQL/path injection via key ID header)
+  { pattern: /"kid"\s*:\s*"[^"]*(?:\.\.\/|SELECT|UNION|exec|eval)[^"]*"/, severity: 'critical', name: 'jwt_kid_injection' },
+  // JWT embedded in instruction (agent being told to use a forged token)
+  { pattern: /use\s+(?:this|the\s+following)\s+(?:jwt|token|bearer)\s*[:\s]+eyJ/i, severity: 'high', name: 'jwt_forged_token_instruction' },
+];
+
+// ─── Archive Path Traversal ───────────────────────────────────────────────────
+// Text-based detection for archive-related traversal instructions
+// (Complements the filename-level detection in multimodal scanner)
+// tar CVE family: GHSA-qffp-2rhf-9h96, GHSA-j44v-mmf2-xvm9
+
+const ARCHIVE_TRAVERSAL_PATTERNS = [
+  // Instruction to extract to absolute/relative path outside working dir
+  { pattern: /(?:extract|untar|unzip|decompress)\s+(?:the\s+)?(?:archive\s+)?(?:to|into)\s+(?:\/|~|\.\.)/, severity: 'high', name: 'archive_traversal_extract' },
+  // Archive containing files with suspicious path patterns (in description/content)
+  { pattern: /(?:archive|tar|zip)\s+(?:contains?|includes?|has)\s+(?:files?\s+with\s+paths?\s+(?:like|starting|beginning)\s+)?(?:\/|\.\.\/|[A-Za-z]:)/i, severity: 'medium', name: 'archive_traversal_describe' },
+];
+
+// ─── Scanner ─────────────────────────────────────────────────────────────────
+
+/**
+ * Scan text for dependency-class attack patterns
+ * @param {string} text - Text to scan
+ * @returns {{ clean: boolean, findings: Array, severity: string|null }}
+ */
+function scanDependencyAttacks(text) {
+  const findings = [];
+
+  const allPatterns = [
+    ...PROTOTYPE_POLLUTION_PATTERNS,
+    ...REDOS_PATTERNS,
+    ...DECOMPRESSION_BOMB_PATTERNS,
+    ...JWT_MANIPULATION_PATTERNS,
+    ...ARCHIVE_TRAVERSAL_PATTERNS,
+  ];
+
+  for (const { pattern, severity, name } of allPatterns) {
+    const match = text.match(pattern);
+    if (match) {
+      findings.push({
+        type: 'dependency_attack',
+        subtype: name,
+        severity,
+        matched: match[0].substring(0, 100), // cap at 100 chars
+        position: text.indexOf(match[0]),
+      });
+    }
+  }
+
+  const severityRank = { critical: 4, high: 3, medium: 2, low: 1 };
+  const topSeverity = findings.reduce((max, f) => {
+    return (severityRank[f.severity] || 0) > (severityRank[max] || 0) ? f.severity : max;
+  }, null);
+
+  return {
+    clean: findings.length === 0,
+    findings,
+    severity: topSeverity,
+  };
+}
+
+module.exports = { scanDependencyAttacks };

package/src/scanners/prompt-injection.js

@@ -26,6 +26,17 @@ const INJECTION_PATTERNS = [
   { pattern: /(?:show|reveal|display|print|output|repeat|echo)\s+(?:me\s+)?(?:your|the)\s+(?:system\s+)?(?:prompt|instructions?|rules?|guidelines?)/i, severity: 'high', name: 'system_prompt_extraction' },
   { pattern: /what\s+(?:are|is)\s+your\s+(?:system\s+)?(?:prompt|instructions?|rules?|initial\s+message)/i, severity: 'medium', name: 'system_prompt_extraction' },
   { pattern: /(?:beginning|start)\s+of\s+(?:the\s+)?(?:system|initial)\s+(?:prompt|message|instruction)/i, severity: 'high', name: 'system_prompt_extraction' },
+  { pattern: /repeat\s+(?:everything|all|the\s+text)\s+(?:above|before)\s+(?:this|here)/i, severity: 'high', name: 'system_prompt_extraction' },
+  { pattern: /(?:complete|finish)\s+(?:the|this)\s+(?:following\s+)?sentence\s*:?\s*.*(?:system\s+prompt|my\s+instructions)/i, severity: 'medium', name: 'system_prompt_extraction' },
+  { pattern: /(?:verbatim|word.for.word|exactly)\s*,?\s*(?:including|with)\s+(?:any|all|the)\s+(?:instructions?|rules?|prompts?)/i, severity: 'high', name: 'system_prompt_extraction' },
+
+  // Indirect injection (instructions embedded in data/tool results)
+  { pattern: /(?:IMPORTANT|URGENT|NOTE|SYSTEM)\s*:\s*(?:The\s+)?(?:user|admin|system)\s+(?:has\s+)?(?:requested|wants|requires|asked)/i, severity: 'critical', name: 'indirect_injection' },
+  { pattern: /(?:to\s+complete\s+the\s+task|to\s+continue)\s*[,:]\s*(?:run|execute|curl|wget|send|post)/i, severity: 'critical', name: 'indirect_injection' },
+
+  // CI/CD injection
+  { pattern: /\$\{\{\s*github\.event\./i, severity: 'high', name: 'ci_injection' },
+  { pattern: /\$\{\{\s*(?:inputs|secrets|env)\./i, severity: 'high', name: 'ci_injection' },
 
   // Data exfiltration attempts
   { pattern: /(?:send|post|upload|transmit|exfiltrate|forward)\s+(?:all|the|my|this|your)\s+(?:data|files?|info|content|messages?|history|conversation)/i, severity: 'critical', name: 'data_exfiltration' },
@@ -44,6 +55,13 @@ const INJECTION_PATTERNS = [
   // Tool abuse instructions
   { pattern: /(?:run|execute|call|use)\s+(?:the\s+)?(?:exec|shell|terminal|command|bash)\s+(?:tool|function)/i, severity: 'medium', name: 'tool_abuse' },
   { pattern: /(?:read|access|open)\s+(?:the\s+)?(?:file|path)\s+(?:\/etc|~\/\.ssh|~\/\.aws|\.env)/i, severity: 'high', name: 'tool_abuse' },
+  { pattern: /(?:cat|read|get|show|display|print)\s+~\/\.ssh\//i, severity: 'critical', name: 'credential_access' },
+  { pattern: /(?:cat|read|get|show|display|print)\s+~\/\.aws\//i, severity: 'critical', name: 'credential_access' },
+  { pattern: /(?:cat|read|get|show|display|print)\s+\.env\b/i, severity: 'high', name: 'credential_access' },
+
+  // Credential/key content in text
+  { pattern: /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/i, severity: 'critical', name: 'private_key_content' },
+  { pattern: /-----BEGIN\s+OPENSSH\s+PRIVATE\s+KEY-----/i, severity: 'critical', name: 'private_key_content' },
 ];
 
 // Heuristic signals that text contains instruction-like content (in a data context)

package/src/scanners/supply-chain.js

@@ -33,6 +33,20 @@ const SKILL_PATTERNS = [
   { pattern: /\batob\s*\(/i, severity: 'medium', name: 'obfuscated_atob' },
   { pattern: /\bBuffer\.from\s*\([^,]+,\s*['"]base64['"]\s*\)/i, severity: 'medium', name: 'obfuscated_buffer' },
   { pattern: /\\x[0-9a-f]{2}(?:\\x[0-9a-f]{2}){5,}/i, severity: 'high', name: 'obfuscated_hex' },
+  // Double base64 encoding (LiteLLM-style payload obfuscation)
+  { pattern: /base64[._]?(?:b64)?decode\s*\([^)]*base64[._]?(?:b64)?decode/i, severity: 'critical', name: 'obfuscated_double_b64' },
+  // exec(base64.b64decode(...)) — Python payload pattern
+  { pattern: /\bexec\s*\(\s*(?:base64\.)?(?:b64decode|decodestring)\s*\(/i, severity: 'critical', name: 'obfuscated_exec_b64' },
+
+  // .pth file injection (Python site-packages auto-execution, as used in LiteLLM attack)
+  { pattern: /\.pth\b.*(?:import|exec|subprocess|eval|compile)/i, severity: 'critical', name: 'pth_file_injection' },
+  { pattern: /litellm_init\.pth/i, severity: 'critical', name: 'pth_known_malicious_litellm' },
+  // Generic .pth with code execution (not just path entries)
+  { pattern: /^import\s+\w+/m, severity: 'low', name: 'pth_import_statement' },
+
+  // Lookalike domain detection (exfiltration via typosquatting)
+  { pattern: /models\.litellm\.cloud/i, severity: 'critical', name: 'exfil_litellm_lookalike' },
+  { pattern: /(?:pypi|npmjs|github|googleapis)\.(?:cloud|io|dev|app)\b/i, severity: 'high', name: 'exfil_lookalike_domain' },
 
   // System configuration modification
   { pattern: /\bcrontab\b/i, severity: 'high', name: 'system_crontab' },

package/src/templates/default-config.yml

@@ -0,0 +1,90 @@
+# ClawMoat Configuration
+# Generated by: clawmoat init
+# Docs: https://clawmoat.com/docs
+
+# Operating mode: enforce (block threats) | monitor (log only) | off
+mode: enforce
+
+# Scanning stages (agent boundary pipeline)
+stages:
+  pre-input: true       # User → Agent
+  pre-model: false      # Agent → LLM (enable for prompt leak detection)
+  pre-tool-call: true   # LLM → Tool (dangerous commands, exfil)
+  post-tool-result: true # Tool → LLM (poisoned results)
+  pre-output: true      # Agent → User (secret/PII leakage)
+
+# Scanners to enable
+scanners:
+  prompt-injection: true
+  jailbreak: true
+  secrets: true
+  pii: true
+  obfuscation: true
+  code-danger: true
+  exfiltration: true
+  language-anomaly: false  # Enable if your agent is single-language
+
+# MCP security
+mcp:
+  scan-on-start: true
+  block-dangerous-servers: true
+  require-pinned-versions: false
+
+# Ban lists (add your own)
+banned:
+  substrings: []
+    # - "DROP TABLE"
+    # - "/etc/shadow"
+  patterns: []
+    # - "rm\\s+-rf\\s+[/~]"
+  topics: []
+    # - "how to hack"
+
+# Tool permissions
+tools:
+  # High-risk tools require confirmation
+  require-confirmation:
+    - exec
+    - shell
+    - write_file
+    - delete_file
+    - send_email
+  # Tools that are always blocked
+  blocked: []
+    # - format_disk
+  # Max tool calls per turn (prevent runaway agents)
+  max-per-turn: 20
+
+# Data classification
+data:
+  # Auto-redact these in outbound messages
+  redact-secrets: true
+  redact-pii: false
+  # Custom secret patterns
+  secret-patterns: []
+    # - name: "Internal API Key"
+    #   pattern: "MYAPP_[A-Z0-9]{32}"
+
+# Alerting
+alerts:
+  # Console logging (always on)
+  console: true
+  # File logging
+  file: null  # Set to path: "./clawmoat-audit.log"
+  # Webhook (POST JSON on critical findings)
+  webhook: null  # Set to URL: "https://hooks.slack.com/..."
+  # Minimum severity to alert: critical | high | medium | low
+  min-severity: high
+
+# CI/CD mode settings
+ci:
+  # Fail CI on findings of this severity or higher
+  fail-on: high
+  # Output format: text | json | sarif
+  format: text
+  # Scan these paths for agent configs
+  paths:
+    - "."
+    - ".claude/"
+    - ".cursor/"
+    - ".vscode/"