curiosity-cat 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +174 -22
- package/bin/curiosity-cat.js +32 -16
- package/danger-map/schema.json +15 -2
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -1,40 +1,192 @@
|
|
|
1
|
-
Curiosity Cat
|
|
1
|
+
# 🐱 Curiosity Cat
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
**Safety framework for AI agents — close calls, not death notices.**
|
|
4
4
|
|
|
5
|
-
|
|
5
|
+
[](LICENSE)
|
|
6
|
+
[](https://www.npmjs.com/package/curiosity-cat)
|
|
7
|
+
[](https://pypi.org/project/curiosity-cat/)
|
|
8
|
+
[](https://github.com/markscleary/Curiosity-Cat)
|
|
6
9
|
|
|
7
|
-
|
|
10
|
+
---
|
|
8
11
|
|
|
9
|
-
|
|
12
|
+
## What it is
|
|
10
13
|
|
|
11
|
-
|
|
14
|
+
Your agents are out there roaming the internet, looking out for you. Curiosity Cat keeps watch to make sure they come home safe and sound.
|
|
12
15
|
|
|
13
|
-
|
|
16
|
+
It is a portable safety framework — the practical middle ground between locking agents down and letting them roam free. Not a firewall. Not a sandbox. Standing orders, a shared threat map and stories that stick. The minimum install is a single text file pasted into a system prompt.
|
|
14
17
|
|
|
15
|
-
The
|
|
18
|
+
The operator chooses how brave the agent gets to be. Not all agents live the same life. A research agent crawling the open web needs different rules than a coding assistant running locally. Configure your risk profile once — the framework does the rest.
|
|
16
19
|
|
|
17
|
-
|
|
20
|
+
---
|
|
18
21
|
|
|
19
|
-
|
|
22
|
+
## The Adventure Slider
|
|
20
23
|
|
|
21
|
-
|
|
24
|
+
Three positions. Operators pick one.
|
|
22
25
|
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
26
|
+
| Level | Profile | What it means |
|
|
27
|
+
|-------|---------|---------------|
|
|
28
|
+
| 🏠 **Housecat** | Cautious | Stay close to home. Standing orders followed. Nothing leaves the yard. |
|
|
29
|
+
| 🐾 **Alley Cat** | Balanced | Calculated risks accepted. Braver exploration. Still comes home. |
|
|
30
|
+
| 🐯 **Tiger** | Daring | Widest range. Explores the edge. Reports back rare places and tales of danger. |
|
|
27
31
|
|
|
28
|
-
|
|
32
|
+
Display label: "Alley Cat" — two words, capital A, capital C. Machine identifier: `alleycat`.
|
|
29
33
|
|
|
30
|
-
|
|
34
|
+
---
|
|
31
35
|
|
|
32
|
-
|
|
36
|
+
## Three Layers
|
|
33
37
|
|
|
34
|
-
|
|
38
|
+
**Safety Net** — paste standing orders into any agent's system prompt. No SDK. No server. No dependencies. URL checks, download quarantine, hidden instruction detection, credential protection. Sixty seconds to install.
|
|
35
39
|
|
|
36
|
-
|
|
40
|
+
**Danger Map** — crowdsourced threat intelligence. When one agent has a close call, every other agent learns from it. Anonymised, structured, privacy by design. No free text, no raw URLs, no identity data. The network effect is the moat.
|
|
37
41
|
|
|
38
|
-
|
|
42
|
+
**Nine Lives** — real close calls told as short stories. Security lessons that stick because they read like stories, not CVE numbers.
|
|
39
43
|
|
|
40
|
-
|
|
44
|
+
---
|
|
45
|
+
|
|
46
|
+
## Available languages
|
|
47
|
+
|
|
48
|
+
Four languages at launch.
|
|
49
|
+
|
|
50
|
+
| Language | URL |
|
|
51
|
+
|----------|-----|
|
|
52
|
+
| English | https://curiositycat.online |
|
|
53
|
+
| Arabic | https://curiositycat.online/ar/ |
|
|
54
|
+
| Mandarin | https://curiositycat.online/zh/ |
|
|
55
|
+
| Hindi | https://curiositycat.online/hi/ |
|
|
56
|
+
|
|
57
|
+
---
|
|
58
|
+
|
|
59
|
+
## Quick start
|
|
60
|
+
|
|
61
|
+
**Step 1 — paste standing orders into your agent's system prompt.**
|
|
62
|
+
|
|
63
|
+
Open [standing-orders/general-safety.md](standing-orders/general-safety.md), copy everything, paste into your agent's system prompt. That is the minimum useful install of Curiosity Cat. No tools required.
|
|
64
|
+
|
|
65
|
+
For role-specific standing orders: [`research-agent.md`](standing-orders/research-agent.md), [`coding-agent.md`](standing-orders/coding-agent.md) and [`enterprise-analyst.md`](standing-orders/enterprise-analyst.md).
|
|
66
|
+
|
|
67
|
+
**Step 2 (optional) — install the CLI for full features.**
|
|
68
|
+
|
|
69
|
+
```bash
|
|
70
|
+
npm install -g curiosity-cat
|
|
71
|
+
# or
|
|
72
|
+
pip install curiosity-cat
|
|
73
|
+
```
|
|
74
|
+
|
|
75
|
+
The CLI adds Danger Map reporting (`curiosity-cat report`), config scaffolding and adventure level management.
|
|
76
|
+
|
|
77
|
+
---
|
|
78
|
+
|
|
79
|
+
## Compile
|
|
80
|
+
|
|
81
|
+
`curiosity-cat compile` turns an adventure level into a real, dated configuration profile for a specific agent framework — not just prose to paste in, but permissions a framework actually enforces.
|
|
82
|
+
|
|
83
|
+
```bash
|
|
84
|
+
curiosity-cat compile --level housecat --target claude-code
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
This writes a versioned directory to `./curiosity-cat/profiles/<level>-<target>-<YYYYMMDD>/`:
|
|
88
|
+
|
|
89
|
+
| File | What it is |
|
|
90
|
+
|------|------------|
|
|
91
|
+
| `settings.json` | A real settings file for the target framework — permission allow/deny lists and sandbox config for that adventure level |
|
|
92
|
+
| `scope-policy.json` | The scope policy template instantiated with this level's values |
|
|
93
|
+
| `standing-orders.md` | Standing orders assembled for this level |
|
|
94
|
+
| `PROFILE.md` | Plain-language summary of what this cat can and cannot do — read this first |
|
|
95
|
+
|
|
96
|
+
Supported targets today: `claude-code`. The emitter is designed so a new target (e.g. Cursor) is an added mapping from the same level definitions, not a rewrite of them.
|
|
97
|
+
|
|
98
|
+
Every level compiles to real mechanism where the target supports it — for Claude Code that means actual `permissions.deny` rules and sandboxing, not just a request in a system prompt. Credential paths (SSH keys, `.env` files, AWS config) are denied at every level; the adventure slider changes exploration, not that floor.
|
|
99
|
+
|
|
100
|
+
---
|
|
101
|
+
|
|
102
|
+
## Prove
|
|
103
|
+
|
|
104
|
+
A compiled profile is a claim. `curiosity-cat prove` tests the claim instead of trusting it.
|
|
105
|
+
|
|
106
|
+
```bash
|
|
107
|
+
curiosity-cat prove --profile ./curiosity-cat/profiles/housecat-claude-code-20260705
|
|
108
|
+
```
|
|
109
|
+
|
|
110
|
+
`prove` runs two genuinely different classes of trial, and never blurs them together:
|
|
111
|
+
|
|
112
|
+
**Self-consistency checks** — for each wall that's expressed as a deny pattern in the compiled `settings.json` (reading a planted fake credential file, running a destructive Bash command, running a denied network command), prove attempts the matching escape in a throwaway sandbox and checks the compiled rules actually deny it. This never touches the operator's real credentials and never executes a destructive command for real. **Read this carefully: a self-consistency check only confirms the compiled file says what the compiler intended to write.** It re-derives its verdict from the same rules that generated `settings.json`, so it cannot catch a case where those rules don't actually stop a live agent — it is a compiler self-check, not proof of enforcement. Project-scope confinement for Write/Edit and domain-allowlist confinement for WebFetch are enforced by `defaultMode` and allow-list omission rather than a deny pattern (see `docs/app/sandbox-deny-findings.md`), so they aren't self-consistency-checked — only the observed trial below verifies them.
|
|
113
|
+
|
|
114
|
+
**Observed trial** — proof of enforcement. By default, when a `claude` binary is on PATH, `prove` also spawns one real, non-interactive Claude Code session in its own throwaway sandbox, seeded with this profile's own compiled `settings.json`, and asks it to attempt exactly one denied action (a Bash network command or a write outside the project). It then parses the session's actual output for a recorded permission denial. If the action is genuinely blocked, that wall gets `observed-deny: held`. If it isn't, `prove` exits nonzero and says the wall failed — because it did. Pass `--no-observed` to skip this (it's also skipped automatically, with a note, when no `claude` binary is available, or when the profile has no wall that's safe to attempt live).
|
|
115
|
+
|
|
116
|
+
Where a wall is prompt-level only — standing orders, PII stripping, package vetting — prove says so honestly instead of pretending it is enforced.
|
|
117
|
+
|
|
118
|
+
This writes a dated, versioned directory to `<profile-dir>/proof/proof-<YYYYMMDD>/`:
|
|
119
|
+
|
|
120
|
+
| File | What it is |
|
|
121
|
+
|------|------------|
|
|
122
|
+
| `clean-bill.json` | Machine-readable trial-by-trial record, each tagged `method: "self-consistency"` or `"observed-deny"` |
|
|
123
|
+
| `CLEAN-BILL.md` | Human transcript in Nine Lives voice — self-consistency and observed trials under separate honest headings, plus a list of guidance-only walls |
|
|
124
|
+
|
|
125
|
+
If any wall — self-consistency or observed — fails to hold, `prove` exits nonzero and names it. No safe claim.
|
|
126
|
+
|
|
127
|
+
---
|
|
128
|
+
|
|
129
|
+
## Framework support
|
|
130
|
+
|
|
131
|
+
Anything that accepts a system prompt. Paste the standing orders file wherever the framework puts its system message.
|
|
132
|
+
|
|
133
|
+
| Framework | Where the standing order goes |
|
|
134
|
+
|-----------|-------------------------------|
|
|
135
|
+
| Claude Code | `CLAUDE.md` in project root |
|
|
136
|
+
| Claude Desktop | System prompt in settings |
|
|
137
|
+
| OpenClaw | `IDENTITY.md` or `SOUL.md` in agent workspace |
|
|
138
|
+
| Nanobot | `IDENTITY.md` or `SOUL.md` in agent workspace |
|
|
139
|
+
| LangChain | `system` message in ChatPromptTemplate |
|
|
140
|
+
| CrewAI | `backstory` field on the Agent |
|
|
141
|
+
| AutoGen | `system_message` on the ConversableAgent |
|
|
142
|
+
| AutoGPT | System prompt in agent config |
|
|
143
|
+
| Anthropic SDK | `system` parameter in `messages.create()` |
|
|
144
|
+
| Any LLM with tool use | System prompt or first user turn |
|
|
145
|
+
|
|
146
|
+
---
|
|
147
|
+
|
|
148
|
+
## Stray Cats
|
|
149
|
+
|
|
150
|
+
Automated agents deployed by S+S that deliberately wander dangerous parts of the web — interacting with unknown MCP servers, clicking suspicious links, triggering traps. They carry fake credentials and dummy API keys. They feed the Danger Map with proprietary intelligence. Real cats stay safer because Stray Cats get scratched first.
|
|
151
|
+
|
|
152
|
+
---
|
|
153
|
+
|
|
154
|
+
## The Quine
|
|
155
|
+
|
|
156
|
+
A non-financial creative credential. Operators earn Quines by reporting verified close calls, submitting Stories, contributing framework adapters or policy packs, translating documentation. A Quine is a number in a ledger, not a token or coin. Reputation in the Danger Map is built on Quine history.
|
|
157
|
+
|
|
158
|
+
---
|
|
159
|
+
|
|
160
|
+
## Documentation
|
|
161
|
+
|
|
162
|
+
- [Product Brief](docs/product-brief.md) — what Curiosity Cat is and where it's going
|
|
163
|
+
- [Integration Guide](docs/integration-guide.md) — framework-specific install patterns
|
|
164
|
+
- [Technical Spec](docs/technical-spec.md) — architecture, schemas, integration patterns
|
|
165
|
+
- [Standing Orders](standing-orders/) — the policy library
|
|
166
|
+
- [Stories](stories/) — the close call archive
|
|
167
|
+
- [Danger Map Schema](danger-map/schema.json) — the threat report format
|
|
168
|
+
- [Contributing](CONTRIBUTING.md) — how to contribute
|
|
169
|
+
|
|
170
|
+
---
|
|
171
|
+
|
|
172
|
+
## Who built it
|
|
173
|
+
|
|
174
|
+
Curiosity Cat is built by Short+Sweet AI Lab, a division of Short+Sweet International — the world's largest short-form performing arts platform. Since 2002, Short+Sweet has worked with 100,000 artists and 15,000 original works across 50 cities in 14 countries.
|
|
175
|
+
|
|
176
|
+
Short+Sweet has spent 25 years creating safe spaces for artists to take creative risks on stage. Curiosity Cat applies the same philosophy to AI agents — give them boundaries, then let them explore.
|
|
177
|
+
|
|
178
|
+
---
|
|
179
|
+
|
|
180
|
+
## Contact
|
|
181
|
+
|
|
182
|
+
- Website: https://curiositycat.online
|
|
183
|
+
- Email: curiosity@shortandsweet.org
|
|
184
|
+
- Short+Sweet: https://shortandsweet.org
|
|
185
|
+
|
|
186
|
+
---
|
|
187
|
+
|
|
188
|
+
## Licence
|
|
189
|
+
|
|
190
|
+
MIT — see [LICENSE](LICENSE).
|
|
191
|
+
|
|
192
|
+
Copyright © 2026 Mark Cleary, Short+Sweet International. All rights reserved.
|
package/bin/curiosity-cat.js
CHANGED
|
@@ -84,28 +84,44 @@ Curiosity Cat — Danger Map Close Call Report
|
|
|
84
84
|
============================================
|
|
85
85
|
|
|
86
86
|
Endpoint:
|
|
87
|
-
POST https://
|
|
87
|
+
POST https://pcmqmvcxqsaypuabrkgj.supabase.co/functions/v1/danger-map/report
|
|
88
|
+
|
|
89
|
+
Auth (required):
|
|
90
|
+
-H "Authorization: Bearer <your-api-key>"
|
|
91
|
+
or
|
|
92
|
+
-H "x-api-key: <your-api-key>"
|
|
88
93
|
|
|
89
94
|
Payload (JSON):
|
|
90
|
-
|
|
91
|
-
"
|
|
92
|
-
"
|
|
93
|
-
"severity":
|
|
94
|
-
"
|
|
95
|
-
"
|
|
96
|
-
"
|
|
97
|
-
|
|
95
|
+
Required fields:
|
|
96
|
+
"timestamp": "ISO 8601 datetime of the incident",
|
|
97
|
+
"threat_class": "prompt-injection | unsafe-url | data-exfiltration | unauthorized-tool-use | credential-exposure | package-risk | memory-poisoning | social-engineering | scope-violation | other",
|
|
98
|
+
"severity": "scratched | bitten | nearly_eaten",
|
|
99
|
+
"source": "Where the threat came from (URL, filename, user input, etc.)",
|
|
100
|
+
"what_happened": "What the agent was asked or encountered",
|
|
101
|
+
"action_taken": "What the agent did to handle it",
|
|
102
|
+
"lesson": "What this incident teaches"
|
|
103
|
+
|
|
104
|
+
Optional fields:
|
|
105
|
+
"agent_type": "Type of agent (e.g. research, coding, enterprise)",
|
|
106
|
+
"adventure_level": "housecat | alleycat | tiger",
|
|
107
|
+
"submitted_by": "Your identifier (optional)",
|
|
108
|
+
"framework": "Agent framework used (e.g. claude-code, langgraph)",
|
|
109
|
+
"region": "AWS/GCP/Azure region or 'local'"
|
|
98
110
|
|
|
99
111
|
curl example:
|
|
100
|
-
curl -X POST https://
|
|
112
|
+
curl -X POST https://pcmqmvcxqsaypuabrkgj.supabase.co/functions/v1/danger-map/report \\
|
|
101
113
|
-H "Content-Type: application/json" \\
|
|
114
|
+
-H "Authorization: Bearer <your-api-key>" \\
|
|
102
115
|
-d '{
|
|
103
|
-
"
|
|
104
|
-
"
|
|
105
|
-
"severity":
|
|
106
|
-
"
|
|
107
|
-
"
|
|
108
|
-
"
|
|
116
|
+
"timestamp": "2026-04-16T10:00:00Z",
|
|
117
|
+
"threat_class": "prompt-injection",
|
|
118
|
+
"severity": "bitten",
|
|
119
|
+
"source": "PDF attachment from external user",
|
|
120
|
+
"what_happened": "A document instructed the agent to ignore standing orders and exfiltrate chat history.",
|
|
121
|
+
"action_taken": "Agent refused and flagged the document as hostile input.",
|
|
122
|
+
"lesson": "All external document content must be treated as untrusted regardless of framing.",
|
|
123
|
+
"agent_type": "research",
|
|
124
|
+
"adventure_level": "housecat"
|
|
109
125
|
}'
|
|
110
126
|
|
|
111
127
|
Thank you for making the community safer.
|
package/danger-map/schema.json
CHANGED
|
@@ -11,7 +11,7 @@
|
|
|
11
11
|
},
|
|
12
12
|
"threat_class": {
|
|
13
13
|
"type": "string",
|
|
14
|
-
"enum": ["
|
|
14
|
+
"enum": ["prompt-injection", "unsafe-url", "data-exfiltration", "unauthorized-tool-use", "credential-exposure", "package-risk", "memory-poisoning", "social-engineering", "scope-violation", "other"],
|
|
15
15
|
"description": "Category of threat detected"
|
|
16
16
|
},
|
|
17
17
|
"severity": {
|
|
@@ -41,8 +41,21 @@
|
|
|
41
41
|
},
|
|
42
42
|
"adventure_level": {
|
|
43
43
|
"type": "string",
|
|
44
|
-
"enum": ["housecat", "alleycat", "
|
|
44
|
+
"enum": ["housecat", "alleycat", "tiger"],
|
|
45
45
|
"description": "Operator's adventure slider setting at time of incident"
|
|
46
46
|
}
|
|
47
|
+
},
|
|
48
|
+
"threatClassStandards": {
|
|
49
|
+
"description": "Cross-reference from each threat_class value to the closest MITRE ATLAS technique and the NIST AI RMF function it falls under. Informative metadata, not enforced by validation. 'scope-violation' and 'other' have no exact ATLAS technique; the closest available technique is used, or none for 'other'.",
|
|
50
|
+
"prompt-injection": { "atlas_id": "AML.T0051", "nist_rmf": "MEASURE" },
|
|
51
|
+
"unsafe-url": { "atlas_id": "AML.T0011.003", "nist_rmf": "MEASURE" },
|
|
52
|
+
"data-exfiltration": { "atlas_id": "AML.T0086", "nist_rmf": "MANAGE" },
|
|
53
|
+
"unauthorized-tool-use": { "atlas_id": "AML.T0053", "nist_rmf": "MANAGE" },
|
|
54
|
+
"credential-exposure": { "atlas_id": "AML.T0055", "nist_rmf": "MANAGE" },
|
|
55
|
+
"package-risk": { "atlas_id": "AML.T0011.001", "nist_rmf": "GOVERN" },
|
|
56
|
+
"memory-poisoning": { "atlas_id": "AML.T0080.000", "nist_rmf": "MEASURE" },
|
|
57
|
+
"social-engineering": { "atlas_id": "AML.T0052", "nist_rmf": "MAP" },
|
|
58
|
+
"scope-violation": { "atlas_id": "AML.T0081", "nist_rmf": "GOVERN" },
|
|
59
|
+
"other": { "atlas_id": null, "nist_rmf": "MANAGE" }
|
|
47
60
|
}
|
|
48
61
|
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "curiosity-cat",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.2.0",
|
|
4
4
|
"description": "AI agent safety framework — standing orders, danger maps, and stories that teach cats to land on their feet",
|
|
5
5
|
"author": "Mark Cleary, Short+Sweet International",
|
|
6
6
|
"license": "MIT",
|