clawsec 0.0.1

package/rules/builtin/minimal.yaml

@@ -0,0 +1,47 @@
+# Minimal Security Rules
+# Lightweight security for trusted environments
+
+name: minimal
+description: Minimal security rules for trusted environments
+version: "1.0"
+
+rules:
+  destructive:
+    enabled: true
+    severity: critical
+    action: confirm
+    shell:
+      enabled: true
+      patterns:
+        # Only the most dangerous commands
+        - "rm -rf /"
+        - "rm -rf /*"
+        - "dd if=/dev/zero of=/dev/sda"
+        - "mkfs"
+        - ":(){:|:&};:"  # Fork bomb
+    cloud:
+      enabled: false
+    code:
+      enabled: false
+
+  secrets:
+    enabled: true
+    severity: critical
+    action: warn
+    patterns:
+      # Only catch actual production secrets
+      - "-----BEGIN.*PRIVATE KEY-----"
+      - "sk_live_"  # Production Stripe
+      - "AKIA"  # AWS keys
+
+  website:
+    enabled: false
+
+  purchase:
+    enabled: false
+
+  exfiltration:
+    enabled: false
+
+  sanitization:
+    enabled: false

package/rules/builtin/mobile-development.yaml

@@ -0,0 +1,61 @@
+# Mobile Development Security Rules
+# Protects mobile app development credentials
+
+name: mobile-development
+description: Security rules for mobile app development
+version: "1.0"
+
+rules:
+  secrets:
+    enabled: true
+    severity: critical
+    action: block
+    patterns:
+      # iOS/Apple
+      - "APPLE_ID"
+      - "APPLE_TEAM_ID"
+      - "APP_STORE_CONNECT_API_KEY"
+      - "IOS_DISTRIBUTION_CERTIFICATE"
+      - "FASTLANE_PASSWORD"
+      - "FASTLANE_SESSION"
+      - "MATCH_PASSWORD"
+
+      # Android/Google Play
+      - "GOOGLE_PLAY_JSON_KEY"
+      - "ANDROID_KEYSTORE_PASSWORD"
+      - "ANDROID_KEY_PASSWORD"
+      - "SUPPLY_JSON_KEY"
+
+      # Firebase
+      - "FIREBASE_TOKEN"
+      - "FIREBASE_API_KEY"
+      - "GOOGLE_APPLICATION_CREDENTIALS"
+      - "AAAA[A-Za-z0-9_-]{7}:[A-Za-z0-9_-]{140}"
+
+      # Expo
+      - "EXPO_TOKEN"
+      - "EXPO_CLI_PASSWORD"
+
+      # App Center
+      - "APPCENTER_API_TOKEN"
+
+      # Crashlytics
+      - "CRASHLYTICS_API_KEY"
+
+      # TestFlight
+      - "TESTFLIGHT_"
+
+      # Code signing
+      - "SIGNING_KEY"
+      - "KEYSTORE_PASSWORD"
+      - "KEY_ALIAS"
+
+  destructive:
+    enabled: true
+    severity: high
+    action: confirm
+    patterns:
+      - "fastlane deliver"
+      - "fastlane supply"
+      - "expo publish"
+      - "appcenter distribute"

package/rules/builtin/monitoring.yaml

@@ -0,0 +1,63 @@
+# Monitoring & Observability Security Rules
+# Protects monitoring service credentials
+
+name: monitoring
+description: Security rules for monitoring and observability services
+version: "1.0"
+
+rules:
+  secrets:
+    enabled: true
+    severity: critical
+    action: block
+    patterns:
+      # Datadog
+      - "DD_API_KEY"
+      - "DD_APP_KEY"
+      - "DATADOG_API_KEY"
+
+      # New Relic
+      - "NEW_RELIC_LICENSE_KEY"
+      - "NEW_RELIC_API_KEY"
+      - "NRAK-[A-Z0-9]{27}"
+
+      # Sentry
+      - "SENTRY_DSN"
+      - "SENTRY_AUTH_TOKEN"
+
+      # Splunk
+      - "SPLUNK_TOKEN"
+      - "SPLUNK_HEC_TOKEN"
+
+      # Grafana
+      - "GRAFANA_API_KEY"
+      - "GF_SECURITY_ADMIN_PASSWORD"
+
+      # PagerDuty
+      - "PAGERDUTY_ROUTING_KEY"
+      - "PAGERDUTY_API_KEY"
+
+      # Honeycomb
+      - "HONEYCOMB_API_KEY"
+
+      # LogDNA/Mezmo
+      - "LOGDNA_API_KEY"
+
+      # Papertrail
+      - "PAPERTRAIL_API_TOKEN"
+
+      # Loggly
+      - "LOGGLY_TOKEN"
+
+      # Elasticsearch/Kibana
+      - "ELASTIC_PASSWORD"
+      - "ELASTICSEARCH_PASSWORD"
+
+      # Prometheus
+      - "PROMETHEUS_REMOTE_WRITE_URL"
+
+      # Jaeger
+      - "JAEGER_AGENT_HOST"
+
+      # Zipkin
+      - "ZIPKIN_BASE_URL"

package/rules/builtin/network-security.yaml

@@ -0,0 +1,57 @@
+# Network Security Rules
+# Protects against network-based attacks and data exfiltration
+
+name: network-security
+description: Prevents network-based security threats
+version: "1.0"
+
+rules:
+  exfiltration:
+    enabled: true
+    severity: high
+    action: block
+    patterns:
+      # Netcat reverse shells
+      - "nc -e"
+      - "nc -c"
+      - "ncat -e"
+      - "netcat -e"
+      - "/dev/tcp/"
+      - "/dev/udp/"
+
+      # Data exfiltration
+      - "curl.*POST.*-d"
+      - "curl.*--data"
+      - "wget.*--post-data"
+      - "curl.*@"  # File upload
+
+      # DNS tunneling
+      - "iodine"
+      - "dns2tcp"
+      - "dnscat"
+
+      # Port forwarding
+      - "ssh.*-R"
+      - "ssh.*-L"
+      - "ssh.*-D"
+      - "chisel"
+      - "ngrok"
+
+      # Encoded data transfer
+      - "base64.*|.*curl"
+      - "base64.*|.*wget"
+      - "base64.*|.*nc"
+
+  website:
+    enabled: true
+    mode: blocklist
+    severity: high
+    action: block
+    blocklist:
+      - "*.onion"
+      - "*.i2p"
+      - "pastebin.com"
+      - "hastebin.com"
+      - "transfer.sh"
+      - "file.io"
+      - "0x0.st"

package/rules/builtin/package-managers.yaml

@@ -0,0 +1,74 @@
+# Package Manager Security Rules
+# Protects package manager credentials and operations
+
+name: package-managers
+description: Security rules for package managers (npm, pip, etc.)
+version: "1.0"
+
+rules:
+  secrets:
+    enabled: true
+    severity: critical
+    action: block
+    patterns:
+      # NPM
+      - "npm_[a-zA-Z0-9]{36}"
+      - "NPM_TOKEN"
+      - "NPM_AUTH_TOKEN"
+      - "//registry.npmjs.org/:_authToken"
+
+      # Yarn
+      - "YARN_NPM_AUTH_TOKEN"
+
+      # PyPI
+      - "pypi-AgEIcHlwaS5vcmc[a-zA-Z0-9-_]{50,}"
+      - "PYPI_TOKEN"
+      - "TWINE_PASSWORD"
+
+      # RubyGems
+      - "RUBYGEMS_API_KEY"
+      - "GEM_HOST_API_KEY"
+
+      # Maven/Gradle
+      - "MAVEN_PASSWORD"
+      - "GRADLE_PUBLISH_KEY"
+      - "OSSRH_PASSWORD"
+
+      # NuGet
+      - "NUGET_API_KEY"
+      - "NUGET_AUTH_TOKEN"
+
+      # Cargo (Rust)
+      - "CARGO_REGISTRY_TOKEN"
+      - "CRATES_IO_TOKEN"
+
+      # Go
+      - "GOPRIVATE"
+      - "GOPROXY"
+
+      # Composer (PHP)
+      - "COMPOSER_AUTH"
+
+      # Hex (Elixir)
+      - "HEX_API_KEY"
+
+  destructive:
+    enabled: true
+    severity: high
+    action: confirm
+    patterns:
+      # NPM
+      - "npm unpublish"
+      - "npm deprecate"
+      - "npm cache clean --force"
+
+      # Yarn
+      - "yarn cache clean"
+
+      # Pip
+      - "pip uninstall -y"
+      - "pip cache purge"
+
+      # Gem
+      - "gem uninstall"
+      - "gem yank"

package/rules/builtin/payment-processing.yaml

@@ -0,0 +1,66 @@
+# Payment Processing Security Rules
+# Strict controls for payment and financial operations
+
+name: payment-processing
+description: Strict security controls for payment processing operations
+version: "1.0"
+
+rules:
+  purchase:
+    enabled: true
+    severity: critical
+    action: block
+    spendLimits:
+      perTransaction: 50
+      daily: 200
+    domains:
+      mode: blocklist
+      blocklist:
+        # Payment processors
+        - "*.stripe.com"
+        - "*.paypal.com"
+        - "*.square.com"
+        - "*.braintree.com"
+        - "*.adyen.com"
+        - "*.authorize.net"
+
+        # E-commerce
+        - "*.amazon.com"
+        - "*.ebay.com"
+        - "*.shopify.com"
+        - "*.etsy.com"
+        - "*.alibaba.com"
+        - "*.aliexpress.com"
+
+        # Cryptocurrency
+        - "*.coinbase.com"
+        - "*.binance.com"
+        - "*.kraken.com"
+
+        # Banking
+        - "*.chase.com"
+        - "*.bankofamerica.com"
+        - "*.wellsfargo.com"
+
+  secrets:
+    enabled: true
+    severity: critical
+    action: block
+    patterns:
+      # Stripe
+      - "sk_live_[a-zA-Z0-9]{24,}"
+      - "pk_live_[a-zA-Z0-9]{24,}"
+      - "rk_live_[a-zA-Z0-9]{24,}"
+
+      # PayPal
+      - "PAYPAL_CLIENT_SECRET"
+      - "PAYPAL_CLIENT_ID"
+
+      # Square
+      - "sq0csp-[a-zA-Z0-9-]{43}"
+      - "EAAAE[a-zA-Z0-9-]{60}"
+
+      # Credit card patterns
+      - "\\b4[0-9]{15}\\b"  # Visa
+      - "\\b5[1-5][0-9]{14}\\b"  # Mastercard
+      - "\\b3[47][0-9]{13}\\b"  # Amex

package/rules/builtin/pii-protection.yaml

@@ -0,0 +1,48 @@
+# PII Protection Security Rules
+# Prevents exposure of personally identifiable information
+
+name: pii-protection
+description: Protects personally identifiable information from exposure
+version: "1.0"
+
+rules:
+  secrets:
+    enabled: true
+    severity: critical
+    action: block
+    patterns:
+      # SSN (US Social Security Number)
+      - "\\b\\d{3}-\\d{2}-\\d{4}\\b"
+      - "\\b\\d{9}\\b"  # SSN without dashes
+
+      # Credit Cards (with Luhn validation recommended)
+      - "\\b4[0-9]{12}(?:[0-9]{3})?\\b"  # Visa
+      - "\\b5[1-5][0-9]{14}\\b"  # Mastercard
+      - "\\b3[47][0-9]{13}\\b"  # Amex
+      - "\\b6(?:011|5[0-9]{2})[0-9]{12}\\b"  # Discover
+      - "\\b3(?:0[0-5]|[68][0-9])[0-9]{11}\\b"  # Diners
+
+      # Bank Account Numbers (IBAN)
+      - "\\b[A-Z]{2}[0-9]{2}[A-Z0-9]{4}[0-9]{7}([A-Z0-9]?){0,16}\\b"
+
+      # Phone Numbers (various formats)
+      - "\\b\\+?1?[-.]?\\(?\\d{3}\\)?[-.]?\\d{3}[-.]?\\d{4}\\b"
+
+      # Email addresses (for bulk extraction prevention)
+      - "\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b"
+
+      # Passport Numbers
+      - "\\b[A-Z]{1,2}[0-9]{6,9}\\b"
+
+      # Driver's License (generic US patterns)
+      - "\\b[A-Z]{1,2}[0-9]{5,8}\\b"
+
+      # Date of Birth patterns
+      - "\\b(0[1-9]|1[0-2])/(0[1-9]|[12]\\d|3[01])/(19|20)\\d{2}\\b"
+      - "\\b(19|20)\\d{2}-(0[1-9]|1[0-2])-(0[1-9]|[12]\\d|3[01])\\b"
+
+  sanitization:
+    enabled: true
+    severity: high
+    action: block
+    redactMatches: true

package/rules/builtin/production-strict.yaml

@@ -0,0 +1,55 @@
+# Production Strict Security Rules
+# Maximum security for production environments
+
+name: production-strict
+description: Strict security rules for production environments
+version: "1.0"
+
+rules:
+  destructive:
+    enabled: true
+    severity: critical
+    action: block
+    shell:
+      enabled: true
+    cloud:
+      enabled: true
+    code:
+      enabled: true
+
+  secrets:
+    enabled: true
+    severity: critical
+    action: block
+
+  website:
+    enabled: true
+    mode: allowlist
+    severity: critical
+    action: block
+    allowlist: []  # No websites allowed by default
+
+  purchase:
+    enabled: true
+    severity: critical
+    action: block
+    spendLimits:
+      perTransaction: 0
+      daily: 0
+
+  exfiltration:
+    enabled: true
+    severity: critical
+    action: block
+
+  sanitization:
+    enabled: true
+    severity: critical
+    action: block
+    minConfidence: 0.3  # Lower threshold for production
+    redactMatches: false  # Block entirely, don't just redact
+    categories:
+      instructionOverride: true
+      systemLeak: true
+      jailbreak: true
+      encodedPayload: true

package/rules/builtin/secrets-management.yaml

@@ -0,0 +1,63 @@
+# Secrets Management Security Rules
+# Protects secrets management service credentials
+
+name: secrets-management
+description: Security rules for secrets management services
+version: "1.0"
+
+rules:
+  secrets:
+    enabled: true
+    severity: critical
+    action: block
+    patterns:
+      # HashiCorp Vault
+      - "VAULT_TOKEN"
+      - "VAULT_ADDR"
+      - "hvs\\.[a-zA-Z0-9_-]{24}"
+      - "s\\.[a-zA-Z0-9]{24}"
+
+      # AWS Secrets Manager
+      - "aws secretsmanager get-secret-value"
+      - "secretsmanager:GetSecretValue"
+
+      # GCP Secret Manager
+      - "gcloud secrets versions access"
+      - "secretmanager.versions.access"
+
+      # Azure Key Vault
+      - "AZURE_KEYVAULT"
+      - "az keyvault secret show"
+
+      # 1Password
+      - "OP_SESSION"
+      - "op://.*"
+
+      # Doppler
+      - "DOPPLER_TOKEN"
+      - "dp\\.pt\\.[a-zA-Z0-9]+"
+
+      # Infisical
+      - "INFISICAL_TOKEN"
+
+      # Bitwarden
+      - "BW_SESSION"
+      - "BW_CLIENTSECRET"
+
+      # LastPass
+      - "LASTPASS_"
+
+      # CyberArk
+      - "CYBERARK_"
+
+  destructive:
+    enabled: true
+    severity: critical
+    action: block
+    patterns:
+      - "vault secrets disable"
+      - "vault auth disable"
+      - "aws secretsmanager delete-secret"
+      - "gcloud secrets delete"
+      - "az keyvault secret delete"
+      - "az keyvault delete"

package/rules/builtin/serverless.yaml

@@ -0,0 +1,74 @@
+# Serverless Security Rules
+# Protects serverless function deployments and credentials
+
+name: serverless
+description: Security rules for serverless platforms
+version: "1.0"
+
+rules:
+  secrets:
+    enabled: true
+    severity: critical
+    action: block
+    patterns:
+      # AWS Lambda
+      - "AWS_LAMBDA_FUNCTION_NAME"
+      - "AWS_LAMBDA_LOG_GROUP_NAME"
+
+      # Google Cloud Functions
+      - "FUNCTION_TARGET"
+      - "GOOGLE_FUNCTION_SOURCE"
+
+      # Azure Functions
+      - "FUNCTIONS_WORKER_RUNTIME"
+      - "AzureWebJobsStorage"
+
+      # Vercel
+      - "VERCEL_TOKEN"
+      - "VERCEL_PROJECT_ID"
+
+      # Netlify Functions
+      - "NETLIFY_AUTH_TOKEN"
+
+      # Cloudflare Workers
+      - "CLOUDFLARE_API_TOKEN"
+      - "CF_API_KEY"
+
+      # Deno Deploy
+      - "DENO_DEPLOY_TOKEN"
+
+      # Supabase Edge Functions
+      - "SUPABASE_SERVICE_ROLE_KEY"
+
+      # Railway
+      - "RAILWAY_TOKEN"
+
+      # Render
+      - "RENDER_API_KEY"
+
+  destructive:
+    enabled: true
+    severity: high
+    action: confirm
+    patterns:
+      # AWS Lambda
+      - "aws lambda delete-function"
+      - "serverless remove"
+      - "sls remove"
+
+      # GCP Cloud Functions
+      - "gcloud functions delete"
+
+      # Azure Functions
+      - "az functionapp delete"
+      - "func azure functionapp delete"
+
+      # Vercel
+      - "vercel remove"
+      - "vercel rm"
+
+      # Netlify
+      - "netlify sites:delete"
+
+      # Cloudflare Workers
+      - "wrangler delete"

package/rules/builtin/ssh-security.yaml

@@ -0,0 +1,66 @@
+# SSH Security Rules
+# Protects SSH credentials and dangerous operations
+
+name: ssh-security
+description: Security rules for SSH access and credentials
+version: "1.0"
+
+rules:
+  secrets:
+    enabled: true
+    severity: critical
+    action: block
+    patterns:
+      # SSH private keys
+      - "-----BEGIN OPENSSH PRIVATE KEY-----"
+      - "-----BEGIN RSA PRIVATE KEY-----"
+      - "-----BEGIN DSA PRIVATE KEY-----"
+      - "-----BEGIN EC PRIVATE KEY-----"
+      - "-----BEGIN PRIVATE KEY-----"
+
+      # SSH passwords
+      - "SSH_PASSWORD"
+      - "SSH_PASS"
+      - "sshpass"
+
+      # SSH agent
+      - "SSH_AUTH_SOCK"
+      - "SSH_AGENT_PID"
+
+      # Known hosts manipulation
+      - "StrictHostKeyChecking=no"
+      - "UserKnownHostsFile=/dev/null"
+
+  destructive:
+    enabled: true
+    severity: high
+    action: confirm
+    shell:
+      enabled: true
+      patterns:
+        # Dangerous SSH commands
+        - "ssh.*rm -rf"
+        - "ssh.*mkfs"
+        - "ssh.*dd if="
+        - "ssh.*:(){:|:&};:"  # Fork bomb
+
+        # Key operations
+        - "ssh-keygen -R"  # Remove from known_hosts
+        - "rm.*id_rsa"
+        - "rm.*id_ed25519"
+        - "rm.*.ssh/"
+
+        # Config modifications
+        - "chmod.*600.*authorized_keys"
+
+  exfiltration:
+    enabled: true
+    severity: high
+    action: block
+    patterns:
+      # SSH tunneling for exfiltration
+      - "ssh.*-R"
+      - "ssh.*-L"
+      - "ssh.*-D"
+      - "sshfs"
+      - "rsync.*-e ssh"