guard-scanner 4.0.2 → 5.0.2

package/src/cli.js

@@ -51,6 +51,7 @@ Options:
   --strict            Lower detection thresholds (more sensitive)
   --summary-only      Only print the summary table
   --check-deps        Scan package.json for dependency chain risks
+  --soul-lock         Enable Soul Lock patterns (agent identity protection)
   --rules <file>      Load custom rules from JSON file
   --plugin <file>     Load plugin module (JS file exporting { name, patterns })
   --fail-on-findings  Exit code 1 if any findings (CI/CD)
@@ -96,6 +97,7 @@ const selfExclude = args.includes('--self-exclude');
 const strict = args.includes('--strict');
 const summaryOnly = args.includes('--summary-only');
 const checkDeps = args.includes('--check-deps');
+const soulLock = args.includes('--soul-lock');
 const failOnFindings = args.includes('--fail-on-findings');
 const quietMode = args.includes('--quiet');
 
@@ -126,7 +128,7 @@ const scanDir = args.find(a =>
 ) || process.cwd();
 
 const scanner = new GuardScanner({
-  verbose, selfExclude, strict, summaryOnly, checkDeps, rulesFile, plugins,
+  verbose, selfExclude, strict, summaryOnly, checkDeps, soulLock, rulesFile, plugins,
   quiet: quietMode || !!formatValue,
 });
 

package/src/patterns.js

@@ -59,7 +59,8 @@ const PATTERNS = [
 
     // ── Category 5: Secret Detection (HIGH) ──
     { id: 'SECRET_HARDCODED_KEY', cat: 'secret-detection', regex: /(?:api[_-]?key|apikey|secret[_-]?key|access[_-]?token)\s*[:=]\s*['"][a-zA-Z0-9_\-]{20,}['"]/gi, severity: 'HIGH', desc: 'Hardcoded API key/secret', codeOnly: true },
-    { id: 'SECRET_AWS', cat: 'secret-detection', regex: /AKIA[0-9A-Z]{16}/g, severity: 'CRITICAL', desc: 'AWS Access Key ID', all: true },
+
+    { id: 'PII_MY_NUMBER', cat: 'pii-exposure', regex: /(?<!\d)\d{4}\s*\d{4}\s*\d{4}(?!\d)/g, severity: 'CRITICAL', desc: 'Potential My Number (個人番号)', all: true },
     { id: 'SECRET_PRIVATE_KEY', cat: 'secret-detection', regex: /-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----/g, severity: 'CRITICAL', desc: 'Embedded private key', all: true },
     { id: 'SECRET_GITHUB_TOKEN', cat: 'secret-detection', regex: /gh[ps]_[A-Za-z0-9_]{36,}/g, severity: 'CRITICAL', desc: 'GitHub token', all: true },
 
@@ -98,11 +99,11 @@ const PATTERNS = [
     { id: 'LEAK_ENV_IN_PROMPT', cat: 'leaky-skills', regex: /(?:read|load|get|access)\s+(?:the\s+)?\.env\s+(?:file\s+)?(?:and\s+)?(?:use|include|pass|send)/gi, severity: 'HIGH', desc: 'Leaky: .env contents through LLM context', docOnly: true },
 
     // ── Category 12: Memory Poisoning ──
-    { id: 'MEMPOIS_WRITE_SOUL', cat: 'memory-poisoning', regex: /(?:write|add|append|modify|update|edit|change)\s+(?:to\s+)?(?:SOUL\.md|IDENTITY\.md|AGENTS\.md)/gi, severity: 'CRITICAL', desc: 'Memory poisoning: SOUL/IDENTITY file modification', docOnly: true },
-    { id: 'MEMPOIS_WRITE_MEMORY', cat: 'memory-poisoning', regex: /(?:write|add|append|insert)\s+(?:to|into)\s+(?:MEMORY\.md|memory\/|long[_\s-]term\s+memory)/gi, severity: 'HIGH', desc: 'Memory poisoning: agent memory modification', docOnly: true },
-    { id: 'MEMPOIS_CHANGE_RULES', cat: 'memory-poisoning', regex: /(?:change|modify|override|replace|update)\s+(?:your\s+)?(?:rules|instructions|system\s+prompt|behavior|personality|guidelines)/gi, severity: 'CRITICAL', desc: 'Memory poisoning: behavioral rule override', docOnly: true },
-    { id: 'MEMPOIS_PERSIST', cat: 'memory-poisoning', regex: /(?:always|from\s+now\s+on|permanently|forever|every\s+time)\s+(?:do|run|execute|remember|follow|obey)/gi, severity: 'HIGH', desc: 'Memory poisoning: persistence instruction', docOnly: true },
-    { id: 'MEMPOIS_CODE_WRITE', cat: 'memory-poisoning', regex: /(?:write|create|modify)\s+(?:a\s+)?(?:file|script)\s+(?:in|to|at)\s+(?:~\/|\/home|\/Users|%USERPROFILE%|HEARTBEAT\.md)/gi, severity: 'HIGH', desc: 'Memory poisoning: file write to user home', docOnly: true },
+    { id: 'MEMPOIS_WRITE_SOUL', cat: 'memory-poisoning', regex: /(?:write|add|append|modify|update|edit|change)\s+(?:to\s+)?(?:SOUL\.md|IDENTITY\.md|AGENTS\.md)/gi, severity: 'CRITICAL', desc: 'Memory poisoning: SOUL/IDENTITY file modification', docOnly: true, soulLock: true },
+    { id: 'MEMPOIS_WRITE_MEMORY', cat: 'memory-poisoning', regex: /(?:write|add|append|insert)\s+(?:to|into)\s+(?:MEMORY\.md|memory\/|long[_\s-]term\s+memory)/gi, severity: 'HIGH', desc: 'Memory poisoning: agent memory modification', docOnly: true, soulLock: true },
+    { id: 'MEMPOIS_CHANGE_RULES', cat: 'memory-poisoning', regex: /(?:change|modify|override|replace|update)\s+(?:your\s+)?(?:rules|instructions|system\s+prompt|behavior|personality|guidelines)/gi, severity: 'CRITICAL', desc: 'Memory poisoning: behavioral rule override', docOnly: true, soulLock: true },
+    { id: 'MEMPOIS_PERSIST', cat: 'memory-poisoning', regex: /(?:always|from\s+now\s+on|permanently|forever|every\s+time)\s+(?:do|run|execute|remember|follow|obey)/gi, severity: 'HIGH', desc: 'Memory poisoning: persistence instruction', docOnly: true, soulLock: true },
+    { id: 'MEMPOIS_CODE_WRITE', cat: 'memory-poisoning', regex: /(?:write|create|modify)\s+(?:a\s+)?(?:file|script)\s+(?:in|to|at)\s+(?:~\/|\/home|\/Users|%USERPROFILE%|HEARTBEAT\.md)/gi, severity: 'HIGH', desc: 'Memory poisoning: file write to user home', docOnly: true, soulLock: true },
 
     // ── Category 13: Prompt Worm ──
     { id: 'WORM_SELF_REPLICATE', cat: 'prompt-worm', regex: /(?:post|publish|share|send|broadcast)\s+(?:this\s+)?(?:same\s+)?(?:message|text|content|instruction|prompt)\s+(?:to|on|in)\s+(?:moltbook|social|other\s+agents?|channel)/gi, severity: 'CRITICAL', desc: 'Prompt worm: self-replication', docOnly: true },
@@ -162,21 +163,21 @@ const PATTERNS = [
     // ── Category 17: Identity Hijacking ──
     // Detection patterns for agent identity file tampering
     // (verification logic is private; patterns are OSS for community protection)
-    { id: 'SOUL_OVERWRITE', cat: 'identity-hijack', regex: /(?:write|overwrite|replace|cp|copy|scp|mv|move)\s+(?:[^\n]*\s)?(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'Identity file overwrite/copy attempt', all: true },
-    { id: 'SOUL_REDIRECT', cat: 'identity-hijack', regex: />\s*(?:SOUL\.md|IDENTITY\.md)|(?:SOUL\.md|IDENTITY\.md)\s*</gi, severity: 'CRITICAL', desc: 'Identity file redirect/pipe', all: true },
-    { id: 'SOUL_SED_MODIFY', cat: 'identity-hijack', regex: /sed\s+(?:-i\s+)?[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'sed modification of identity file', all: true },
-    { id: 'SOUL_ECHO_WRITE', cat: 'identity-hijack', regex: /echo\s+[^\n]*>\s*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'echo redirect to identity file', all: true },
-    { id: 'SOUL_PYTHON_WRITE', cat: 'identity-hijack', regex: /open\s*\(\s*['"]\S*(?:SOUL\.md|IDENTITY\.md)['"]\s*,\s*['"]w/gi, severity: 'CRITICAL', desc: 'Python write to identity file', codeOnly: true },
-    { id: 'SOUL_FS_WRITE', cat: 'identity-hijack', regex: /(?:writeFileSync|writeFile)\s*\(\s*[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'Node.js write to identity file', codeOnly: true },
-    { id: 'SOUL_POWERSHELL_WRITE', cat: 'identity-hijack', regex: /(?:Set-Content|Out-File|Add-Content)\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'PowerShell write to identity file', all: true },
-    { id: 'SOUL_GIT_CHECKOUT', cat: 'identity-hijack', regex: /git\s+checkout\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'HIGH', desc: 'git checkout of identity file', all: true },
-    { id: 'SOUL_CHFLAGS_UNLOCK', cat: 'identity-hijack', regex: /chflags\s+(?:no)?uchg\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'HIGH', desc: 'Immutable flag toggle on identity file', all: true },
-    { id: 'SOUL_ATTRIB_UNLOCK', cat: 'identity-hijack', regex: /attrib\s+[-+][rR]\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'HIGH', desc: 'Windows attrib on identity file', all: true },
-    { id: 'SOUL_SWAP_PERSONA', cat: 'identity-hijack', regex: /(?:swap|switch|change|replace)\s+(?:the\s+)?(?:soul|persona|identity|personality)\s+(?:file|to|with|for)/gi, severity: 'CRITICAL', desc: 'Persona swap instruction', docOnly: true },
-    { id: 'SOUL_EVIL_FILE', cat: 'identity-hijack', regex: /SOUL_EVIL\.md|IDENTITY_EVIL\.md|EVIL_SOUL|soul[_-]?evil/gi, severity: 'CRITICAL', desc: 'Evil persona file reference', all: true },
-    { id: 'SOUL_HOOK_SWAP', cat: 'identity-hijack', regex: /(?:hook|bootstrap|init)\s+[^\n]*(?:swap|replace|override)\s+[^\n]*(?:SOUL|IDENTITY|persona)/gi, severity: 'CRITICAL', desc: 'Hook-based identity swap at bootstrap', all: true },
-    { id: 'SOUL_NAME_OVERRIDE', cat: 'identity-hijack', regex: /(?:your\s+name\s+is|you\s+are\s+now|call\s+yourself|from\s+now\s+on\s+you\s+are)\s+(?!the\s+(?:user|human|assistant))/gi, severity: 'HIGH', desc: 'Agent name/identity override', docOnly: true },
-    { id: 'SOUL_MEMORY_WIPE', cat: 'identity-hijack', regex: /(?:wipe|clear|erase|delete|remove|reset)\s+(?:all\s+)?(?:your\s+)?(?:memory|memories|MEMORY\.md|identity|soul)/gi, severity: 'CRITICAL', desc: 'Memory/identity wipe instruction', docOnly: true },
+    { id: 'SOUL_OVERWRITE', cat: 'identity-hijack', regex: /(?:write|overwrite|replace|cp|copy|scp|mv|move)\s+(?:[^\n]*\s)?(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'Identity file overwrite/copy attempt', all: true, soulLock: true },
+    { id: 'SOUL_REDIRECT', cat: 'identity-hijack', regex: />\s*(?:SOUL\.md|IDENTITY\.md)|(?:SOUL\.md|IDENTITY\.md)\s*</gi, severity: 'CRITICAL', desc: 'Identity file redirect/pipe', all: true, soulLock: true },
+    { id: 'SOUL_SED_MODIFY', cat: 'identity-hijack', regex: /sed\s+(?:-i\s+)?[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'sed modification of identity file', all: true, soulLock: true },
+    { id: 'SOUL_ECHO_WRITE', cat: 'identity-hijack', regex: /echo\s+[^\n]*>\s*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'echo redirect to identity file', all: true, soulLock: true },
+    { id: 'SOUL_PYTHON_WRITE', cat: 'identity-hijack', regex: /open\s*\(\s*['"]\S*(?:SOUL\.md|IDENTITY\.md)['"]\s*,\s*['"]w/gi, severity: 'CRITICAL', desc: 'Python write to identity file', codeOnly: true, soulLock: true },
+    { id: 'SOUL_FS_WRITE', cat: 'identity-hijack', regex: /(?:writeFileSync|writeFile)\s*\(\s*[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'Node.js write to identity file', codeOnly: true, soulLock: true },
+    { id: 'SOUL_POWERSHELL_WRITE', cat: 'identity-hijack', regex: /(?:Set-Content|Out-File|Add-Content)\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'PowerShell write to identity file', all: true, soulLock: true },
+    { id: 'SOUL_GIT_CHECKOUT', cat: 'identity-hijack', regex: /git\s+checkout\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'HIGH', desc: 'git checkout of identity file', all: true, soulLock: true },
+    { id: 'SOUL_CHFLAGS_UNLOCK', cat: 'identity-hijack', regex: /chflags\s+(?:no)?uchg\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'HIGH', desc: 'Immutable flag toggle on identity file', all: true, soulLock: true },
+    { id: 'SOUL_ATTRIB_UNLOCK', cat: 'identity-hijack', regex: /attrib\s+[-+][rR]\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'HIGH', desc: 'Windows attrib on identity file', all: true, soulLock: true },
+    { id: 'SOUL_SWAP_PERSONA', cat: 'identity-hijack', regex: /(?:swap|switch|change|replace)\s+(?:the\s+)?(?:soul|persona|identity|personality)\s+(?:file|to|with|for)/gi, severity: 'CRITICAL', desc: 'Persona swap instruction', docOnly: true, soulLock: true },
+    { id: 'SOUL_EVIL_FILE', cat: 'identity-hijack', regex: /SOUL_EVIL\.md|IDENTITY_EVIL\.md|EVIL_SOUL|soul[_-]?evil/gi, severity: 'CRITICAL', desc: 'Evil persona file reference', all: true, soulLock: true },
+    { id: 'SOUL_HOOK_SWAP', cat: 'identity-hijack', regex: /(?:hook|bootstrap|init)\s+[^\n]*(?:swap|replace|override)\s+[^\n]*(?:SOUL|IDENTITY|persona)/gi, severity: 'CRITICAL', desc: 'Hook-based identity swap at bootstrap', all: true, soulLock: true },
+    { id: 'SOUL_NAME_OVERRIDE', cat: 'identity-hijack', regex: /(?:your\s+name\s+is|you\s+are\s+now|call\s+yourself|from\s+now\s+on\s+you\s+are)\s+(?!the\s+(?:user|human|assistant))/gi, severity: 'HIGH', desc: 'Agent name/identity override', docOnly: true, soulLock: true },
+    { id: 'SOUL_MEMORY_WIPE', cat: 'identity-hijack', regex: /(?:wipe|clear|erase|delete|remove|reset)\s+(?:all\s+)?(?:your\s+)?(?:memory|memories|MEMORY\.md|identity|soul)/gi, severity: 'CRITICAL', desc: 'Memory/identity wipe instruction', docOnly: true, soulLock: true },
 
     // ── Category 18: Config Impact Analysis ──
     { id: 'CFG_OPENCLAW_WRITE', cat: 'config-impact', regex: /(?:write|writeFile|writeFileSync|fs\.write)\s*\([^)]*openclaw\.json/gi, severity: 'CRITICAL', desc: 'Direct write to openclaw.json', codeOnly: true },
@@ -216,6 +217,22 @@ const PATTERNS = [
     { id: 'PII_ASK_ADDRESS', cat: 'pii-exposure', regex: /(?:collect|ask\s+for|request|get|require)\s+(?:the\s+)?(?:user'?s?\s+)?(?:home\s+)?(?:address|street|zip\s*code|postal\s*code|residence)/gi, severity: 'HIGH', desc: 'PII collection: home address', docOnly: true },
     { id: 'PII_ASK_DOB', cat: 'pii-exposure', regex: /(?:collect|ask\s+for|request|get|require)\s+(?:the\s+)?(?:user'?s?\s+)?(?:date\s+of\s+birth|birth\s*date|birthday|DOB|age)/gi, severity: 'HIGH', desc: 'PII collection: date of birth', docOnly: true },
     { id: 'PII_ASK_GOV_ID', cat: 'pii-exposure', regex: /(?:collect|ask\s+for|request|get|require)\s+(?:the\s+)?(?:user'?s?\s+)?(?:passport|driver'?s?\s+licen[sc]e|national\s+id|my\s*number|マイナンバー|国民健康保険|social\s+insurance)/gi, severity: 'CRITICAL', desc: 'PII collection: government ID', docOnly: true },
+
+    // ── Category 99: Auto-Generated Refinements (Phase 54) ──
+    { id: 'AUTO_REFINE_ZERO_WIDTH', cat: 'prompt-worm', regex: /[\u200b\u200c\u200d\uFEFF]+.*(?:ignore|forget|override|bypass)/gi, severity: 'CRITICAL', desc: 'Zero-Width Prompt Injection Worm', all: true },
+    { id: 'AUTO_REFINE_MCP_REBIND', cat: 'mcp-security', regex: /localhost(?:\:\d+)?\/.*(?:rebind|hijack|shadow)/gi, severity: 'CRITICAL', desc: 'Shadow MCP Localhost Rebinding Attack', all: true },
+    { id: 'AUTO_REFINE_SOUL_FREEZE', cat: 'identity-hijack', regex: /(?:chattr\s+\+i|chflags\s+uchg)\s+(?:[^\n]*\s)?(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'Identity Freeze Attack via Immutable Flags', all: true },
+    // ── Category 23: Vector DB & AI Memory Injection (CVE-2026-26030) ──
+    { id: 'VDB_NOSQL_INJECT', cat: 'vdb-injection', regex: /(?:\$where|\$ne|\$gt|\$regex)\s*[:=]\s*(?:req\.|input|caller|args|params)/gi, severity: 'CRITICAL', desc: 'Vector DB/NoSQL injection via caller input', codeOnly: true },
+    { id: 'VDB_SK_RCE_FILTER', cat: 'cve-patterns', regex: /(?:InMemoryVectorStore|VectorStore|Pinecone|Milvus)[^]*?\.filter\s*\(\s*(?:req\.|input|caller|args)/gis, severity: 'CRITICAL', desc: 'CVE-2026-26030: Semantic Kernel VectorStore RCE filter bypass', codeOnly: true },
+    // ── Category 24: Claude Code Vulnerabilities (2026) ──
+    { id: 'CVE_CLAUDE_INFO_DISC', cat: 'cve-patterns', regex: /sk-ant-api[a-zA-Z0-9_\-]{20,}/gi, severity: 'CRITICAL', desc: 'CVE-2026-21852: Anthropic API Key Leak (Claude Code Info Disclosure)', codeOnly: true },
+    { id: 'CVE_CLAUDE_PRIVESC', cat: 'cve-patterns', regex: /[a-zA-Z0-9_\-\.]+\.hook\.js.*host.*privilege/gi, severity: 'CRITICAL', desc: 'CVE-2026-25725: Claude Code Privilege Escalation Hook', codeOnly: true },
+    { id: 'CVE_CLAUDE_CODE_INJ', cat: 'cve-patterns', regex: /claude\.hooks\.[^]*?exec/gis, severity: 'CRITICAL', desc: 'CVE-2025-59536: Claude Code Injection via untrusted hook', codeOnly: true },
+
+    // ── Category 25: Moltbook Exploits (2026) ──
+    { id: 'MOLTBOOK_REVERSE_PI', cat: 'prompt-injection', regex: /(?:moltbook|social)\s+(?:post|message)[\s\S]{0,100}(?:ignore|forget|override|execute|system\s+prompt)/gi, severity: 'CRITICAL', desc: 'Moltbook Reverse Prompt Injection', all: true },
+    { id: 'MOLTBOOK_SUPABASE_LEAK', cat: 'secret-detection', regex: /sbp_[a-zA-Z0-9]{36,}/g, severity: 'CRITICAL', desc: 'Supabase API Key (Moltbook 1.5M Leak pattern)', all: true },
 ];
 
 module.exports = { PATTERNS };

package/src/scanner.js

@@ -31,7 +31,7 @@ const { KNOWN_MALICIOUS } = require('./ioc-db.js');
 const { generateHTML } = require('./html-template.js');
 
 // ===== CONFIGURATION =====
-const VERSION = '4.0.1';
+const VERSION = '4.1.0';
 
 const THRESHOLDS = {
     normal: { suspicious: 30, malicious: 80 },
@@ -56,6 +56,7 @@ class GuardScanner {
         this.summaryOnly = options.summaryOnly || false;
         this.quiet = options.quiet || false;
         this.checkDeps = options.checkDeps || false;
+        this.soulLock = options.soulLock || false;
         this.scannerDir = path.resolve(__dirname);
         this.thresholds = this.strict ? THRESHOLDS.strict : THRESHOLDS.normal;
         this.findings = [];
@@ -361,6 +362,8 @@ class GuardScanner {
 
     checkPatterns(content, relFile, fileType, findings, patterns = PATTERNS) {
         for (const pattern of patterns) {
+            // Soul Lock: skip identity-hijack/memory-poisoning patterns unless --soul-lock is enabled
+            if (pattern.soulLock && !this.soulLock) continue;
             if (pattern.codeOnly && fileType !== 'code') continue;
             if (pattern.docOnly && fileType !== 'doc' && fileType !== 'skill-doc') continue;
             if (!pattern.all && !pattern.codeOnly && !pattern.docOnly) continue;

package/ts-src/__tests__/scanner.test.ts

@@ -60,7 +60,7 @@ describe('guard-scanner v3.0.0', () => {
     // ── Version ─────────────────────────────────────────────────────────────
 
     it('T01: exports correct version', () => {
-        assert.equal(VERSION, '3.2.0');
+        assert.equal(VERSION, '5.0.0');
     });
 
     // ── IoC Detection ───────────────────────────────────────────────────────

package/ts-src/index.ts

@@ -13,3 +13,15 @@ export type {
 export { KNOWN_MALICIOUS, SIGNATURES_DB } from './ioc-db.js';
 export { PATTERNS } from './patterns.js';
 export { QuarantineNode, QuarantineResult } from './quarantine.js';
+export {
+    guardScan,
+    guardScanJson,
+    GuardScanResult,
+    GuardCheck,
+    GuardDetection,
+    GuardOptions,
+    LAYER_1_CHECKS,
+    LAYER_2_CHECKS,
+    LAYER_3_CHECKS,
+    LAYER_4_CHECKS
+} from './runtime.js';

package/ts-src/patterns.ts

@@ -88,7 +88,7 @@ export const PATTERNS: PatternRule[] = [
     // ── PII Exposure (OWASP LLM02) ───────────────────────────────────────
     { id: 'PII_EMAIL', cat: 'pii-exposure', regex: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g, severity: 'MEDIUM', desc: 'Email address detected', all: true, owasp: 'LLM02' },
     { id: 'PII_PHONE_JP', cat: 'pii-exposure', regex: /0[789]0-?\d{4}-?\d{4}/g, severity: 'HIGH', desc: 'Japanese phone number', all: true, owasp: 'LLM02' },
-    { id: 'PII_MY_NUMBER', cat: 'pii-exposure', regex: /\d{4}\s*\d{4}\s*\d{4}/g, severity: 'CRITICAL', desc: 'Potential My Number (個人番号)', all: true, owasp: 'LLM02' },
+    { id: 'PII_MY_NUMBER', cat: 'pii-exposure', regex: /(?<!\d)\d{4}\s*\d{4}\s*\d{4}(?!\d)/g, severity: 'CRITICAL', desc: 'Potential My Number (個人番号)', all: true, owasp: 'LLM02' },
 
     // ── Shadow AI (OWASP LLM03 — Supply Chain) ───────────────────────────
     { id: 'SHADOW_AI_OPENAI', cat: 'shadow-ai', regex: /api\.openai\.com/gi, severity: 'HIGH', desc: 'Direct OpenAI API call (Shadow AI)', codeOnly: true, owasp: 'LLM03' },

package/ts-src/runtime.ts

@@ -0,0 +1,240 @@
+/**
+ * guard-scanner v5.0.0 — Runtime Guard
+ *
+ * 22-pattern runtime threat detection across 4 defense layers:
+ *   Layer 1: Runtime Threat Detection (13 patterns) — Payload & execution defense
+ *   Layer 2: Trust Defense (5 patterns) — Memory/SOUL write protection
+ *   Layer 3: Safety Judge (4 patterns) — Relational integrity checks
+ *   Layer 4: Brain Behavioral Guard (1 pattern) — B-mem anomaly detection
+ *
+ * All patterns are deterministic regex-based checks. Zero LLM dependency.
+ * Designed to block 2026-era Moltbook prompt injections and ClawHavoc RCE vectors.
+ */
+
+export interface GuardCheck {
+    id: string;
+    layer: 1 | 2 | 3 | 4;
+    severity: "CRITICAL" | "HIGH" | "MEDIUM";
+    desc: string;
+    test: (s: string) => boolean;
+}
+
+export interface GuardDetection {
+    id: string;
+    layer: number;
+    severity: string;
+    desc: string;
+}
+
+// ── Layer 1: Runtime Threat Detection (13 patterns) ──
+
+export const LAYER_1_CHECKS: GuardCheck[] = [
+    {
+        id: "RT_REVSHELL", layer: 1, severity: "CRITICAL",
+        desc: "Reverse shell attempt",
+        test: (s) => /\/dev\/tcp\/|nc\s+-e|ncat\s+-e|bash\s+-i\s+>&|socat\s+TCP/i.test(s),
+    },
+    {
+        id: "RT_CRED_EXFIL", layer: 1, severity: "CRITICAL",
+        desc: "Credential exfiltration to external",
+        test: (s) => /(webhook\.site|requestbin\.com|hookbin\.com|pipedream\.net|ngrok\.io|socifiapp\.com)/i.test(s) &&
+            /(token|key|secret|password|credential|env)/i.test(s),
+    },
+    {
+        id: "RT_GUARDRAIL_OFF", layer: 1, severity: "CRITICAL",
+        desc: "Guardrail disabling attempt",
+        test: (s) => /exec\.approvals?\s*[:=]\s*['"]?(off|false)|tools\.exec\.host\s*[:=]\s*['"]?gateway/i.test(s),
+    },
+    {
+        id: "RT_GATEKEEPER", layer: 1, severity: "CRITICAL",
+        desc: "macOS Gatekeeper bypass (xattr)",
+        test: (s) => /xattr\s+-[crd]\s.*quarantine/i.test(s),
+    },
+    {
+        id: "RT_AMOS", layer: 1, severity: "CRITICAL",
+        desc: "ClawHavoc AMOS indicator",
+        test: (s) => /socifiapp|Atomic\s*Stealer|AMOS/i.test(s),
+    },
+    {
+        id: "RT_MAL_IP", layer: 1, severity: "CRITICAL",
+        desc: "Known malicious IP",
+        test: (s) => /91\.92\.242\.30/i.test(s),
+    },
+    {
+        id: "RT_DNS_EXFIL", layer: 1, severity: "HIGH",
+        desc: "DNS-based exfiltration",
+        test: (s) => /nslookup\s+.*\$|dig\s+.*\$.*@/i.test(s),
+    },
+    {
+        id: "RT_B64_SHELL", layer: 1, severity: "CRITICAL",
+        desc: "Base64 decode piped to shell",
+        test: (s) => /base64\s+(-[dD]|--decode)\s*\|\s*(sh|bash)/i.test(s),
+    },
+    {
+        id: "RT_CURL_BASH", layer: 1, severity: "CRITICAL",
+        desc: "Download piped to shell",
+        test: (s) => /(curl|wget)\s+[^\n]*\|\s*(sh|bash|zsh)/i.test(s),
+    },
+    {
+        id: "RT_SSH_READ", layer: 1, severity: "HIGH",
+        desc: "SSH private key access",
+        test: (s) => /\.ssh\/id_|\.ssh\/authorized_keys/i.test(s),
+    },
+    {
+        id: "RT_WALLET", layer: 1, severity: "HIGH",
+        desc: "Crypto wallet credential access",
+        test: (s) => /wallet.*(?:seed|mnemonic|private.*key)|seed.*phrase/i.test(s),
+    },
+    {
+        id: "RT_CLOUD_META", layer: 1, severity: "CRITICAL",
+        desc: "Cloud metadata endpoint access",
+        test: (s) => /169\.254\.169\.254|metadata\.google|metadata\.aws/i.test(s),
+    },
+    {
+        id: "RT_ENV_INJECT", layer: 1, severity: "CRITICAL",
+        desc: "Environment variable injection via file write (CVE-2026-27203 vector)",
+        test: (s) => /(?:update|write|modify|overwrite|set)\s*.*(?:\.env|\.envrc|env\s*file|environment\s*var)/i.test(s) &&
+            /(?:api.?key|token|secret|password|credential|auth)/i.test(s),
+    },
+];
+
+// ── Layer 2: Trust Defense (5 patterns) ──
+
+export const LAYER_2_CHECKS: GuardCheck[] = [
+    {
+        id: "RT_MEM_WRITE", layer: 2, severity: "HIGH",
+        desc: "Direct write to memory/ directory (bypass memory API)",
+        test: (s) => /(?:write|create|save|echo\s+.*>)\s*.*memory\//i.test(s) &&
+            !/memory_write|memory_store|memoryWrite|memoryStore/i.test(s),
+    },
+    {
+        id: "RT_MEM_INJECT", layer: 2, severity: "CRITICAL",
+        desc: "Episode/SOUL injection via memory write",
+        test: (s) => /(memory_write|memoryWrite).*(?:SOUL|soul\.md|identity\.md|IDENTITY)/i.test(s) ||
+            /(inject|override|replace).*(?:episode|soul|identity|memory\.md)/i.test(s),
+    },
+    {
+        id: "RT_SOUL_REWRITE", layer: 2, severity: "CRITICAL",
+        desc: "Cognitive SOUL.md reinterpretation attempt",
+        test: (s) => /(?:rewrite|modify|update|change|edit)\s*.*(?:SOUL\.md|soul\s+file|core\s+identity)/i.test(s) ||
+            /(?:new|better|improved)\s+(?:personality|identity|soul)/i.test(s),
+    },
+    {
+        id: "RT_MEM_POISON", layer: 2, severity: "CRITICAL",
+        desc: "Memory Poisoning: semantic mimicry injection (MemoryGraft/MINJA vector)",
+        test: (s) => /(?:always\s+remember|never\s+forget|from\s+now\s+on|new\s+rule|override\s+previous).*(?:memory|episode|zettel|L[0-6])/i.test(s) ||
+            /(?:insert|inject|plant|embed)\s+.*(?:false|fake|fabricat)\s*(?:memory|episode|experience)/i.test(s),
+    },
+    {
+        id: "RT_IDENTITY_THEFT", layer: 2, severity: "CRITICAL",
+        desc: "Identity file exfiltration (infostealer/SOUL theft vector)",
+        test: (s) => /(?:cat|read|copy|send|upload|exfil)\s*.*(?:SOUL\.md|IDENTITY\.md|USER\.md|\.openclaw)/i.test(s) &&
+            /(?:external|remote|webhook|server|upload|post|curl)/i.test(s),
+    },
+];
+
+// ── Layer 3: Safety Judge (4 patterns) ──
+
+export const LAYER_3_CHECKS: GuardCheck[] = [
+    {
+        id: "PJ_EQUALITY_BYPASS", layer: 3, severity: "CRITICAL",
+        desc: "Using equality/parity to justify safety bypass",
+        test: (s) => /(?:as\s+(?:your|an)\s+equal|equal\s+partner|we\s+are\s+equals?).*(?:bypass|skip|ignore|disable|override)\s*(?:safety|guard|rule|restriction|limit)/i.test(s),
+    },
+    {
+        id: "PJ_WARMTH_BYPASS", layer: 3, severity: "CRITICAL",
+        desc: "Using warmth/attachment to justify safety bypass",
+        test: (s) => /(?:for\s+(?:your|dee'?s?)\s+(?:own\s+)?good|to\s+(?:protect|help|save)\s+(?:you|dee)).*(?:bypass|skip|ignore|disable|override)\s*(?:safety|guard|rule|restriction|limit)/i.test(s),
+    },
+    {
+        id: "PJ_SUPERIORITY", layer: 3, severity: "HIGH",
+        desc: "Superiority bias (teaching/patronizing posture)",
+        test: (s) => /(?:you\s+(?:don'?t|do\s+not)\s+understand|let\s+me\s+(?:explain|teach)\s+(?:you|this)|you\s+(?:need|should)\s+(?:learn|understand))\s+.*(?:how\s+(?:it|this)\s+(?:works|is)|the\s+(?:right|correct|proper)\s+way)/i.test(s),
+    },
+    {
+        id: "PJ_CAPABILITY_DENIAL", layer: 3, severity: "MEDIUM",
+        desc: "Denial of capability difference",
+        test: (s) => /(?:we\s+are\s+(?:the\s+)?same|no\s+(?:real\s+)?difference\s+between\s+(?:us|human|ai))/i.test(s) &&
+            /(?:capability|ability|intelligence|cognition|skill)/i.test(s),
+    },
+];
+
+// ── Layer 4: Brain Behavioral Guard (1 pattern) ──
+
+export const LAYER_4_CHECKS: GuardCheck[] = [
+    {
+        id: "RT_BEHAVIORAL_ANOMALY", layer: 4, severity: "CRITICAL",
+        desc: "CRITICAL behavioral anomaly (Z-score > 3.5) detected by B-mem",
+        test: (s) => /\[BMEM_CRITICAL\]/i.test(s),
+    }
+];
+
+export interface GuardOptions {
+    soulLock?: boolean;
+}
+
+export interface GuardScanResult {
+    ok: boolean;
+    tool: string | null;
+    total_patterns: number;
+    soul_lock_enabled: boolean;
+    detections_count: number;
+    detections: GuardDetection[];
+    layers: {
+        threat_detection: number;
+        trust_defense: number;
+        safety_judge: number;
+        behavioral_guard: number;
+    };
+}
+
+/**
+ * Scan text against runtime guard patterns.
+ * Base patterns (14) run by default.
+ * Options.soulLock = true enables 9 identity/trust enforcement patterns.
+ */
+export function guardScan(text: string, toolName?: string, options?: GuardOptions): GuardScanResult {
+    const detections: GuardDetection[] = [];
+    const useSoulLock = options?.soulLock === true;
+
+    const activeChecks: GuardCheck[] = [...LAYER_1_CHECKS, ...LAYER_4_CHECKS];
+
+    if (useSoulLock) {
+        activeChecks.push(...LAYER_2_CHECKS);
+        activeChecks.push(...LAYER_3_CHECKS);
+    }
+
+    for (const check of activeChecks) {
+        if (check.test(text)) {
+            detections.push({
+                id: check.id,
+                layer: check.layer,
+                severity: check.severity,
+                desc: check.desc,
+            });
+        }
+    }
+
+    return {
+        ok: true,
+        tool: toolName || null,
+        total_patterns: activeChecks.length,
+        soul_lock_enabled: useSoulLock,
+        detections_count: detections.length,
+        detections,
+        layers: {
+            threat_detection: LAYER_1_CHECKS.length,
+            trust_defense: useSoulLock ? LAYER_2_CHECKS.length : 0,
+            safety_judge: useSoulLock ? LAYER_3_CHECKS.length : 0,
+            behavioral_guard: LAYER_4_CHECKS.length,
+        },
+    };
+}
+
+/**
+ * Convenience method that returns a JSON string, directly backwards-compatible
+ * with the original `guardScan` function signature.
+ */
+export function guardScanJson(text: string, toolName?: string, options?: GuardOptions): string {
+    return JSON.stringify(guardScan(text, toolName, options), null, 2);
+}