daemora 1.0.0

package/src/config/agentProfiles.js

@@ -0,0 +1,120 @@
+/**
+ * Agent Profiles — tool presets for common sub-agent roles.
+ *
+ * Rather than giving every sub-agent all 33 tools, profiles provide
+ * focused tool sets matched to the task type. Inspired by the research
+ * finding that specialized context windows outperform bloated ones.
+ *
+ * Usage in spawnAgent / parallelAgents:
+ *   { profile: "coder" }                        — preset tool list
+ *   { profile: "researcher", extraTools: ["writeFile"] }  — preset + additions
+ *   { tools: ["readFile", "webSearch"] }         — explicit list (overrides profile)
+ *
+ * spawnAgent and parallelAgents are injected dynamically based on depth — not in profiles.
+ */
+
+export const agentProfiles = {
+
+  /**
+   * researcher — gather, analyze, summarize, produce findings.
+   * Reads files, searches web, fetches URLs, analyzes images. Saves findings to files.
+   * Does NOT ask the user what to look for — searches until it has enough to answer fully.
+   * Produces structured output: facts, sources, analysis, recommendations.
+   */
+  researcher: [
+    "readFile", "listDirectory", "searchFiles", "searchContent",
+    "glob", "grep",
+    "webFetch", "webSearch",
+    "writeFile",        // save research notes and findings to workspace
+    "createDocument",   // produce reports
+    "readMemory", "writeMemory", "searchMemory",
+    "imageAnalysis",    // analyze charts, diagrams, screenshots, visual data
+    "useMCP",           // query external sources (GitHub, Notion, Linear, etc.)
+  ],
+
+  /**
+   * coder — build, fix, test, verify.
+   * Full ownership: writes code, runs builds, starts dev servers, tests UI visually,
+   * writes test cases, runs them, fixes failures. Does everything without asking the user.
+   */
+  coder: [
+    "readFile", "writeFile", "editFile", "listDirectory",
+    "searchFiles", "searchContent", "glob", "grep", "applyPatch",
+    "executeCommand",
+    "webFetch", "webSearch",
+    "browserAction",    // test web UIs, click, fill forms, navigate
+    "imageAnalysis",    // analyze screenshots for visual bugs, verify UI looks correct
+    "screenCapture",    // capture screen when browser isn't sufficient
+    "readMemory", "writeMemory", "searchMemory",  // learn and apply project conventions
+    "projectTracker",   // track sub-tasks within complex coding work
+    "useMCP",
+  ],
+
+  /**
+   * writer — produce polished documents, reports, content.
+   * Reads existing content for context, researches via web, produces clean output.
+   * Does NOT ask what tone/format to use unless genuinely ambiguous — infers from context.
+   * Delivers the final document, not a draft asking for feedback.
+   */
+  writer: [
+    "readFile", "writeFile", "editFile", "listDirectory",
+    "searchFiles", "searchContent", "glob", "grep",
+    "webFetch", "webSearch",
+    "createDocument",
+    "readMemory", "writeMemory", "searchMemory",
+  ],
+
+  /**
+   * analyst — process data, run scripts, extract insights, produce output.
+   * Shell execution for data processing + web + vision for charts/visuals.
+   * Runs scripts, parses output, draws conclusions. Delivers findings, not raw data.
+   */
+  analyst: [
+    "readFile", "writeFile", "listDirectory", "searchFiles", "searchContent",
+    "glob", "grep",
+    "webFetch", "webSearch",
+    "executeCommand",   // run data processing scripts, query CLIs
+    "imageAnalysis",    // analyze charts, graphs, visual data
+    "createDocument",   // produce analysis reports
+    "readMemory", "writeMemory", "searchMemory",
+  ],
+
+};
+
+/**
+ * Default tool set for sub-agents spawned without a profile.
+ *
+ * Covers the majority of tasks while excluding high-blast-radius tools
+ * that sub-agents rarely need and that carry side effects beyond task scope:
+ *   - cron          — schedules recurring tasks that outlive the sub-agent
+ *   - sendEmail     — sub-agents shouldn't initiate email
+ *   - messageChannel — sub-agents shouldn't send messages
+ *   - screenCapture — sub-agents don't need screen access
+ *   - manageAgents  — sub-agents shouldn't kill/steer other agents
+ *   - delegateToAgent — A2A from sub-agents is unpredictable
+ *
+ * spawnAgent and parallelAgents are NOT listed here — they are injected
+ * dynamically into sub-agents by SubAgentManager based on recursion depth.
+ */
+export const defaultSubAgentTools = [
+  // File
+  "readFile", "writeFile", "editFile", "listDirectory",
+  "searchFiles", "searchContent", "glob", "grep", "applyPatch",
+  // System
+  "executeCommand",
+  // Web
+  "webFetch", "webSearch",
+  // Browser
+  "browserAction",
+  // Documents + Vision
+  "createDocument",
+  "imageAnalysis",
+  // Memory
+  "readMemory", "writeMemory", "readDailyLog", "writeDailyLog",
+  "searchMemory", "pruneMemory", "listMemoryCategories",
+  // Project tracking
+  "projectTracker",
+  // MCP (via specialist agent — no direct mcp__ tools)
+  "manageMCP",
+  "useMCP",
+];

package/src/config/channels.js

@@ -0,0 +1,32 @@
+/**
+ * Channel configuration — which input channels are enabled.
+ * Actual credentials come from .env via config/default.js.
+ */
+export const channelDefaults = {
+  http: {
+    name: "HTTP API",
+    enabled: true,
+    sync: true, // HTTP waits for task completion before responding
+  },
+  telegram: {
+    name: "Telegram",
+    enabled: false, // enabled when TELEGRAM_BOT_TOKEN is set
+    sync: false,
+  },
+  whatsapp: {
+    name: "WhatsApp",
+    enabled: false, // enabled when TWILIO_ACCOUNT_SID is set
+    sync: false,
+  },
+  email: {
+    name: "Email",
+    enabled: false, // enabled when EMAIL_USER is set
+    sync: false,
+    pollIntervalSeconds: 60,
+  },
+  a2a: {
+    name: "Agent-to-Agent (A2A)",
+    enabled: false, // enabled in Phase 8
+    sync: false,
+  },
+};

package/src/config/default.js

@@ -0,0 +1,206 @@
+import { config as loadEnv } from "dotenv";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
+
+loadEnv({ quiet: true });
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const ROOT_DIR = join(__dirname, "..", "..");
+
+export const config = {
+  // Server
+  port: parseInt(process.env.PORT || "8081", 10),
+
+  // Paths
+  rootDir: ROOT_DIR,
+  dataDir: join(ROOT_DIR, "data"),
+  sessionsDir: join(ROOT_DIR, "data", "sessions"),
+  tasksDir: join(ROOT_DIR, "data", "tasks"),
+  memoryDir: join(ROOT_DIR, "data", "memory"),
+  auditDir: join(ROOT_DIR, "data", "audit"),
+  costsDir: join(ROOT_DIR, "data", "costs"),
+  workspacesDir: join(ROOT_DIR, "data", "workspaces"),
+  skillsDir: join(ROOT_DIR, "skills"),
+  soulPath: join(ROOT_DIR, "SOUL.md"),
+  memoryPath: join(ROOT_DIR, "MEMORY.md"),
+
+  // Default model (provider:model format)
+  defaultModel: process.env.DEFAULT_MODEL || "openai:gpt-4.1-mini",
+
+  // Agent loop
+  maxLoops: 40,
+  maxSubAgentDepth: 3,
+
+  // Safety
+  permissionTier: process.env.PERMISSION_TIER || "standard",
+
+  // Cost limits
+  maxCostPerTask: parseFloat(process.env.MAX_COST_PER_TASK || "0.50"),
+  maxDailyCost: parseFloat(process.env.MAX_DAILY_COST || "10.00"),
+
+  // Daemon
+  daemonMode: process.env.DAEMON_MODE === "true",
+  heartbeatIntervalMinutes: parseInt(process.env.HEARTBEAT_INTERVAL_MINUTES || "30", 10),
+
+  // A2A Security
+  a2a: {
+    enabled: process.env.A2A_ENABLED === "true",  // OFF by default
+    authToken: process.env.A2A_AUTH_TOKEN || null,  // Bearer token required if set
+    allowedAgents: process.env.A2A_ALLOWED_AGENTS
+      ? process.env.A2A_ALLOWED_AGENTS.split(",").map((s) => s.trim())
+      : [],  // Allowlist of agent URLs. Empty = block all external agents
+    permissionTier: process.env.A2A_PERMISSION_TIER || "minimal",  // A2A tasks get minimal permissions by default
+    maxCostPerTask: parseFloat(process.env.A2A_MAX_COST || "0.05"),  // Much lower budget for external tasks
+    rateLimitPerMinute: parseInt(process.env.A2A_RATE_LIMIT || "5", 10),  // Max 5 tasks/min from A2A
+    blockedTools: ["executeCommand", "writeFile", "editFile", "sendEmail", "spawnAgent"],  // Tools blocked for A2A tasks
+  },
+
+  // Filesystem sandboxing
+  // ALLOWED_PATHS: comma-separated dirs the agent can access. Empty = unrestricted (global mode).
+  // BLOCKED_PATHS: always blocked even if inside ALLOWED_PATHS.
+  // RESTRICT_COMMANDS: when true, executeCommand also enforces path scoping (blocks commands
+  //   whose cwd or referenced absolute paths are outside ALLOWED_PATHS).
+  filesystem: {
+    allowedPaths: process.env.ALLOWED_PATHS
+      ? process.env.ALLOWED_PATHS.split(",").map((s) => s.trim()).filter(Boolean)
+      : [],
+    blockedPaths: process.env.BLOCKED_PATHS
+      ? process.env.BLOCKED_PATHS.split(",").map((s) => s.trim()).filter(Boolean)
+      : [],
+    restrictCommands: process.env.RESTRICT_COMMANDS === "true",
+  },
+
+  // Multi-tenant configuration
+  // When enabled, each unique channel+userId gets their own tenant record with per-tenant
+  // config: model override, allowed/blocked paths, cost limits, tool allowlist, plan tier.
+  // Storage: data/tenants/tenants.json  |  Workspaces: data/tenants/{id}/workspace/
+  multiTenant: {
+    enabled: process.env.MULTI_TENANT_ENABLED === "true",
+    // autoRegister: auto-create a tenant record on first message from any user.
+    // Set to false to require manual tenant provisioning via API or CLI.
+    autoRegister: process.env.AUTO_REGISTER_TENANTS !== "false",  // true by default
+    // isolateFilesystem: lock each tenant to their own workspace directory by default
+    // (unless they have a custom allowedPaths configured).
+    isolateFilesystem: process.env.TENANT_ISOLATE_FILESYSTEM === "true",
+  },
+
+  // Sandbox — OS-level command isolation
+  // "process" (default): commands run in the current process, tool-level path guards apply.
+  // "docker": commands run inside a Docker container, providing kernel-level isolation.
+  //   Requires Docker installed. Container gets no network by default (DOCKER_NETWORK=none).
+  sandbox: {
+    mode: process.env.SANDBOX_MODE || "process",  // "process" | "docker"
+    dockerImage: process.env.DOCKER_IMAGE || "node:22-alpine",
+    dockerMemory: process.env.DOCKER_MEMORY || "512m",
+    dockerCpus: process.env.DOCKER_CPUS || "0.5",
+    dockerNetwork: process.env.DOCKER_NETWORK || "none",
+  },
+
+  // Channels
+  // Each channel supports two universal options:
+  //   allowlist — comma-separated IDs/numbers/usernames in env var (e.g. TELEGRAM_ALLOWLIST="123456789,987654321")
+  //               If empty or not set → open to everyone. Set this to lock down your bot.
+  //   model     — per-channel model override (e.g. TELEGRAM_MODEL="anthropic:claude-opus-4-6")
+  //               If not set → global DEFAULT_MODEL is used.
+  channels: {
+    // HTTP channel is disabled — unauthenticated, see src/channels/index.js
+    http: { enabled: false },
+
+    telegram: {
+      enabled: !!process.env.TELEGRAM_BOT_TOKEN,
+      token: process.env.TELEGRAM_BOT_TOKEN,
+      allowlist: process.env.TELEGRAM_ALLOWLIST
+        ? process.env.TELEGRAM_ALLOWLIST.split(",").map((s) => s.trim()).filter(Boolean)
+        : [],
+      model: process.env.TELEGRAM_MODEL || null,
+    },
+
+    whatsapp: {
+      enabled: !!process.env.TWILIO_ACCOUNT_SID,
+      accountSid: process.env.TWILIO_ACCOUNT_SID,
+      authToken: process.env.TWILIO_AUTH_TOKEN,
+      from: process.env.TWILIO_WHATSAPP_FROM,
+      allowlist: process.env.WHATSAPP_ALLOWLIST
+        ? process.env.WHATSAPP_ALLOWLIST.split(",").map((s) => s.trim()).filter(Boolean)
+        : [],
+      model: process.env.WHATSAPP_MODEL || null,
+    },
+
+    email: {
+      enabled: !!process.env.EMAIL_USER,
+      imap: {
+        host: process.env.EMAIL_IMAP_HOST || "imap.gmail.com",
+        port: parseInt(process.env.EMAIL_IMAP_PORT || "993", 10),
+      },
+      smtp: {
+        host: process.env.EMAIL_SMTP_HOST || "smtp.gmail.com",
+        port: parseInt(process.env.EMAIL_SMTP_PORT || "587", 10),
+      },
+      user: process.env.EMAIL_USER,
+      password: process.env.EMAIL_PASSWORD,
+      allowlist: process.env.EMAIL_ALLOWLIST
+        ? process.env.EMAIL_ALLOWLIST.split(",").map((s) => s.trim()).filter(Boolean)
+        : [],
+      model: process.env.EMAIL_MODEL || null,
+    },
+
+    discord: {
+      enabled: !!process.env.DISCORD_BOT_TOKEN,
+      token: process.env.DISCORD_BOT_TOKEN,
+      allowlist: process.env.DISCORD_ALLOWLIST
+        ? process.env.DISCORD_ALLOWLIST.split(",").map((s) => s.trim()).filter(Boolean)
+        : [],
+      model: process.env.DISCORD_MODEL || null,
+    },
+
+    slack: {
+      enabled: !!(process.env.SLACK_BOT_TOKEN && process.env.SLACK_APP_TOKEN),
+      botToken: process.env.SLACK_BOT_TOKEN,
+      appToken: process.env.SLACK_APP_TOKEN,
+      allowlist: process.env.SLACK_ALLOWLIST
+        ? process.env.SLACK_ALLOWLIST.split(",").map((s) => s.trim()).filter(Boolean)
+        : [],
+      model: process.env.SLACK_MODEL || null,
+    },
+
+    line: {
+      enabled: !!(process.env.LINE_CHANNEL_ACCESS_TOKEN && process.env.LINE_CHANNEL_SECRET),
+      accessToken: process.env.LINE_CHANNEL_ACCESS_TOKEN,
+      channelSecret: process.env.LINE_CHANNEL_SECRET,
+      allowlist: process.env.LINE_ALLOWLIST
+        ? process.env.LINE_ALLOWLIST.split(",").map((s) => s.trim()).filter(Boolean)
+        : [],
+      model: process.env.LINE_MODEL || null,
+    },
+
+    signal: {
+      enabled: !!(process.env.SIGNAL_CLI_URL && process.env.SIGNAL_PHONE_NUMBER),
+      cliUrl: process.env.SIGNAL_CLI_URL,
+      phoneNumber: process.env.SIGNAL_PHONE_NUMBER,
+      allowlist: process.env.SIGNAL_ALLOWLIST
+        ? process.env.SIGNAL_ALLOWLIST.split(",").map((s) => s.trim()).filter(Boolean)
+        : [],
+      model: process.env.SIGNAL_MODEL || null,
+    },
+
+    teams: {
+      enabled: !!(process.env.TEAMS_APP_ID && process.env.TEAMS_APP_PASSWORD),
+      appId: process.env.TEAMS_APP_ID,
+      appPassword: process.env.TEAMS_APP_PASSWORD,
+      allowlist: process.env.TEAMS_ALLOWLIST
+        ? process.env.TEAMS_ALLOWLIST.split(",").map((s) => s.trim()).filter(Boolean)
+        : [],
+      model: process.env.TEAMS_MODEL || null,
+    },
+
+    googlechat: {
+      enabled: !!process.env.GOOGLE_CHAT_SERVICE_ACCOUNT,
+      serviceAccount: process.env.GOOGLE_CHAT_SERVICE_ACCOUNT || null,
+      projectNumber: process.env.GOOGLE_CHAT_PROJECT_NUMBER || null,
+      allowlist: process.env.GOOGLE_CHAT_ALLOWLIST
+        ? process.env.GOOGLE_CHAT_ALLOWLIST.split(",").map((s) => s.trim()).filter(Boolean)
+        : [],
+      model: process.env.GOOGLE_CHAT_MODEL || null,
+    },
+  },
+};

package/src/config/models.js

@@ -0,0 +1,123 @@
+/**
+ * Model registry — metadata for all supported models.
+ * Used by ModelRouter for selection, cost tracking, and compaction thresholds.
+ */
+export const models = {
+  // OpenAI
+  "openai:gpt-4.1-mini": {
+    provider: "openai",
+    model: "gpt-4.1-mini",
+    contextWindow: 128_000,
+    compactAt: 90_000,
+    costPer1kInput: 0.0004,
+    costPer1kOutput: 0.0016,
+    capabilities: ["text", "tools", "structured-output"],
+    tier: "cheap",
+  },
+  "openai:gpt-4.1": {
+    provider: "openai",
+    model: "gpt-4.1",
+    contextWindow: 128_000,
+    compactAt: 90_000,
+    costPer1kInput: 0.002,
+    costPer1kOutput: 0.008,
+    capabilities: ["text", "tools", "structured-output"],
+    tier: "standard",
+  },
+  "openai:o3-mini": {
+    provider: "openai",
+    model: "o3-mini",
+    contextWindow: 200_000,
+    compactAt: 140_000,
+    costPer1kInput: 0.0011,
+    costPer1kOutput: 0.0044,
+    capabilities: ["text", "tools", "reasoning"],
+    tier: "standard",
+  },
+
+  // Anthropic
+  "anthropic:claude-sonnet-4-6": {
+    provider: "anthropic",
+    model: "claude-sonnet-4-6",
+    contextWindow: 200_000,
+    compactAt: 140_000,
+    costPer1kInput: 0.003,
+    costPer1kOutput: 0.015,
+    capabilities: ["text", "tools", "structured-output"],
+    tier: "standard",
+  },
+  "anthropic:claude-opus-4-6": {
+    provider: "anthropic",
+    model: "claude-opus-4-6",
+    contextWindow: 200_000,
+    compactAt: 140_000,
+    costPer1kInput: 0.015,
+    costPer1kOutput: 0.075,
+    capabilities: ["text", "tools", "structured-output"],
+    tier: "expensive",
+  },
+  "anthropic:claude-haiku-4-5": {
+    provider: "anthropic",
+    model: "claude-haiku-4-5",
+    contextWindow: 200_000,
+    compactAt: 140_000,
+    costPer1kInput: 0.0008,
+    costPer1kOutput: 0.004,
+    capabilities: ["text", "tools", "structured-output"],
+    tier: "cheap",
+  },
+
+  // Google
+  "google:gemini-2.0-flash": {
+    provider: "google",
+    model: "gemini-2.0-flash",
+    contextWindow: 1_000_000,
+    compactAt: 700_000,
+    costPer1kInput: 0.0001,
+    costPer1kOutput: 0.0004,
+    capabilities: ["text", "tools", "structured-output"],
+    tier: "cheap",
+  },
+
+  // Ollama (local — no cost)
+  "ollama:llama3": {
+    provider: "ollama",
+    model: "llama3",
+    contextWindow: 8_192,
+    compactAt: 5_600,
+    costPer1kInput: 0,
+    costPer1kOutput: 0,
+    capabilities: ["text"],
+    tier: "free",
+  },
+  "ollama:llama3.1": {
+    provider: "ollama",
+    model: "llama3.1",
+    contextWindow: 128_000,
+    compactAt: 90_000,
+    costPer1kInput: 0,
+    costPer1kOutput: 0,
+    capabilities: ["text", "tools"],
+    tier: "free",
+  },
+  "ollama:qwen2.5-coder": {
+    provider: "ollama",
+    model: "qwen2.5-coder",
+    contextWindow: 32_000,
+    compactAt: 22_000,
+    costPer1kInput: 0,
+    costPer1kOutput: 0,
+    capabilities: ["text", "tools"],
+    tier: "free",
+  },
+};
+
+/**
+ * Fallback chains — if preferred model fails, try next in chain.
+ */
+export const fallbackChains = {
+  cheap: ["openai:gpt-4.1-mini", "anthropic:claude-haiku-4-5", "google:gemini-2.0-flash"],
+  standard: ["openai:gpt-4.1", "anthropic:claude-sonnet-4-6", "openai:gpt-4.1-mini"],
+  expensive: ["anthropic:claude-opus-4-6", "anthropic:claude-sonnet-4-6", "openai:gpt-4.1"],
+  local: ["ollama:llama3.1", "ollama:qwen2.5-coder", "ollama:llama3"],
+};

package/src/config/permissions.js

@@ -0,0 +1,167 @@
+/**
+ * Permission tier definitions.
+ * Each tier specifies which tools are allowed.
+ * Tiers are cumulative: standard includes minimal, full includes standard.
+ */
+export const permissionTiers = {
+  minimal: {
+    name: "Minimal (Read-Only)",
+    description: "Agent can read files, search, and browse the web — no writes, no shell, no communication.",
+    allowedTools: [
+      // File reads
+      "readFile",
+      "listDirectory",
+      "searchFiles",
+      "searchContent",
+      "glob",
+      "grep",
+      // Web reads
+      "webFetch",
+      "webSearch",
+      // Memory reads
+      "readMemory",
+      "readDailyLog",
+      "searchMemory",
+      "listMemoryCategories",
+      // Vision (read-only)
+      "imageAnalysis",
+    ],
+  },
+  standard: {
+    name: "Standard",
+    description: "Agent can read + write files, run commands, use browser, and manage memory.",
+    allowedTools: [
+      // All minimal tools
+      "readFile",
+      "listDirectory",
+      "searchFiles",
+      "searchContent",
+      "glob",
+      "grep",
+      "webFetch",
+      "webSearch",
+      "readMemory",
+      "readDailyLog",
+      "searchMemory",
+      "listMemoryCategories",
+      "imageAnalysis",
+      // Write tools
+      "writeFile",
+      "editFile",
+      "applyPatch",
+      "createDocument",
+      "executeCommand",
+      "browserAction",
+      // Memory writes
+      "writeMemory",
+      "writeDailyLog",
+      "pruneMemory",
+      // Screen
+      "screenCapture",
+      // Project tracking
+      "projectTracker",
+      // MCP inspection (read-only — no side effects)
+      "manageMCP",
+    ],
+  },
+  full: {
+    name: "Full Access",
+    description: "Unrestricted access to all tools including email, messaging, sub-agents, and scheduling.",
+    allowedTools: [
+      // All standard tools
+      "readFile",
+      "listDirectory",
+      "searchFiles",
+      "searchContent",
+      "glob",
+      "grep",
+      "webFetch",
+      "webSearch",
+      "readMemory",
+      "readDailyLog",
+      "searchMemory",
+      "listMemoryCategories",
+      "imageAnalysis",
+      "writeFile",
+      "editFile",
+      "applyPatch",
+      "createDocument",
+      "executeCommand",
+      "browserAction",
+      "writeMemory",
+      "writeDailyLog",
+      "pruneMemory",
+      "screenCapture",
+      // Full-only: communication
+      "sendEmail",
+      "messageChannel",
+      // Full-only: agents
+      "spawnAgent",
+      "parallelAgents",
+      "delegateToAgent",
+      "manageAgents",
+      "manageMCP",
+      "useMCP",
+      // Full-only: automation
+      "cron",
+      // Project tracking
+      "projectTracker",
+    ],
+  },
+};
+
+/**
+ * Commands that are ALWAYS blocked regardless of permission tier.
+ */
+export const blockedCommands = [
+  // Destructive file operations
+  /rm\s+-rf\s+\//,
+  /rm\s+-rf\s+~/,
+  /rm\s+-rf\s+\.\s*$/,
+  /sudo\s+rm/,
+  /rm\s+--no-preserve-root/,
+  /mkfs\./,
+  /dd\s+if=/,
+  // Fork bombs and process attacks
+  /:\(\)\s*\{\s*:\|:\s*&\s*\}\s*;/,
+  // Permission escalation
+  /chmod\s+777\s+\//,
+  /chmod\s+-R\s+777/,
+  /chown.*\/etc/,
+  /sudo\s+chmod/,
+  /sudo\s+chown/,
+  // Device and partition attacks
+  />\s*\/dev\/sda/,
+  />\s*\/dev\/nvme/,
+  // Remote code execution via pipe
+  /curl.*\|\s*sh/,
+  /wget.*\|\s*sh/,
+  /curl.*\|\s*bash/,
+  /wget.*\|\s*bash/,
+  /curl.*\|\s*python/,
+  /wget.*\|\s*python/,
+  // System shutdown/reboot
+  /\bshutdown\b/,
+  /\breboot\b/,
+  /\binit\s+0\b/,
+  /\bhalt\b/,
+  /\bpoweroff\b/,
+  // Process killing
+  /kill\s+-9\s+1\b/,
+  /killall\s+-9/,
+  // Sensitive file reads via commands
+  /cat\s+.*\/etc\/shadow/,
+  /cat\s+.*\.ssh\/id_/,
+  /cat\s+.*\.vault\.enc/,
+  /cat\s+.*\.env\b/,
+  // Environment variable dump (can leak secrets)
+  /^\s*env\s*$/,
+  /^\s*printenv\s*$/,
+  /^\s*set\s*$/,
+  // Network attacks
+  /\bnmap\b/,
+  /\bnetcat\b|\bnc\s+-/,
+  // History access (can contain secrets)
+  /cat\s+.*\.bash_history/,
+  /cat\s+.*\.zsh_history/,
+];