guard-scanner 5.0.5 → 5.0.8

package/ts-src/cli.ts

@@ -1,211 +0,0 @@
-#!/usr/bin/env node
-/**
- * guard-scanner v3.0.0 — CLI (TypeScript)
- *
- * Usage:
- *   guard-scanner [scan-dir] [options]           Scan all skills in directory
- *   guard-scanner install-check <skill-path>     Pre-install security check
- */
-
-import * as fs from 'fs';
-import * as path from 'path';
-import { GuardScanner, VERSION } from './scanner.js';
-import { PATTERNS } from './patterns.js';
-
-const args = process.argv.slice(2);
-
-if (args.includes('--help') || args.includes('-h')) {
-    console.log(`
-🛡️  guard-scanner v${VERSION} — Agent Skill Security Scanner
-
-Usage: guard-scanner [scan-dir] [options]
-       guard-scanner install-check <skill-path> [--strict] [--json] [--verbose]
-
-Options:
-  --verbose, -v       Detailed findings with categories and samples
-  --json              Write JSON report to guard-scanner-report.json
-  --sarif             Write SARIF 2.1.0 report to guard-scanner.sarif
-  --html              Write HTML dashboard to guard-scanner-report.html
-  --format json|sarif Print JSON or SARIF to stdout (pipeable)
-  --quiet             Suppress all text output (use with --format for clean pipes)
-  --self-exclude      Skip scanning the guard-scanner skill itself
-  --strict            Lower detection thresholds (suspicious: 20, malicious: 60)
-  --summary-only      Only print the summary table
-  --check-deps        Scan package.json for dependency chain risks
-  --rules <file>      Load custom rules from JSON file
-  --plugin <file>     Load plugin module (repeatable)
-  --fail-on-findings  Exit code 1 if any findings (CI/CD)
-  --help, -h          Show this help
-
-Exit codes:
-  0   No malicious skills
-  1   Malicious skill(s) detected, or --fail-on-findings with any findings
-  2   Invalid scan directory
-
-New in v4.0.0:
-  • Runtime Guard module (src/runtime-guard.js) + OpenClaw plugin (hooks/guard-scanner/plugin.ts)
-  • OWASP Agentic Security Initiative ASI01-10 verified (90% coverage)
-  • 5-layer defense: Threat / Trust / Safety Judge / Brain / Trust Exploitation
-  • 26 runtime checks (before_tool_call hook)
-
-New in v3.2.0:
-  • --format json|sarif (stdout, CI/CD pipeable)
-  • --quiet (suppress terminal output)
-
-Examples:
-  guard-scanner ./skills/ --verbose --self-exclude
-  guard-scanner ./skills/ --strict --json --sarif --html --check-deps
-  guard-scanner ./skills/ --format json --quiet | jq '.stats'
-  guard-scanner ./skills/ --fail-on-findings
-  guard-scanner install-check ./my-skill/ --strict --verbose
-`);
-    process.exit(0);
-}
-
-// ── install-check subcommand ─────────────────────────────────────────────
-if (args[0] === 'install-check') {
-    const skillPath = args[1];
-    if (!skillPath) {
-        console.error('❌ Usage: guard-scanner install-check <skill-path>');
-        process.exit(2);
-    }
-    const absPath = path.resolve(skillPath);
-    if (!fs.existsSync(absPath)) {
-        console.error(`❌ Skill path not found: ${absPath}`);
-        process.exit(2);
-    }
-
-    const icStrict = args.includes('--strict');
-    const icJson = args.includes('--json');
-    const icVerbose = args.includes('--verbose') || args.includes('-v');
-
-    const scanner = new GuardScanner({ strict: icStrict, verbose: icVerbose });
-    const skillName = path.basename(absPath);
-
-    console.log(`\n🛡️  guard-scanner install-check v${VERSION}`);
-    console.log(`   Scanning: ${skillName} (${absPath})\n`);
-
-    scanner.scanSkill(absPath, skillName);
-    const result = scanner.findings[0];
-
-    if (!result) {
-        console.log('✅ PASS — No skill found at path');
-        process.exit(0);
-    }
-
-    const { risk, verdict, findings } = result;
-
-    if (icVerbose || findings.length > 0) {
-        for (const f of findings) {
-            const owaspTag = (PATTERNS.find(p => p.id === f.id) as any)?.owasp || '';
-            const tag = owaspTag ? ` [${owaspTag}]` : '';
-            console.log(`  ${f.severity === 'CRITICAL' ? '🔴' : f.severity === 'HIGH' ? '🟠' : '🟡'} [${f.severity}] ${f.id}: ${f.desc}${tag}`);
-            if (f.file) console.log(`    📁 ${f.file}${f.line ? `:${f.line}` : ''}`);
-            if (f.sample && icVerbose) console.log(`    📝 ${f.sample.substring(0, 80)}`);
-        }
-        console.log('');
-    }
-
-    console.log(`Risk Score: ${risk} | Verdict: ${verdict} | Findings: ${findings.length}`);
-
-    if (verdict === 'MALICIOUS' || verdict === 'SUSPICIOUS') {
-        console.log(`\n❌ FAIL — This skill should NOT be installed.`);
-        if (icJson) {
-            const report = scanner.toJSON();
-            const outPath = path.join(path.dirname(absPath), `${skillName}-install-check.json`);
-            fs.writeFileSync(outPath, JSON.stringify(report, null, 2));
-            console.log(`📄 Report: ${outPath}`);
-        }
-        process.exit(1);
-    } else {
-        console.log(`\n✅ PASS — Skill appears safe to install.`);
-        if (icJson) {
-            const report = scanner.toJSON();
-            const outPath = path.join(path.dirname(absPath), `${skillName}-install-check.json`);
-            fs.writeFileSync(outPath, JSON.stringify(report, null, 2));
-            console.log(`📄 Report: ${outPath}`);
-        }
-        process.exit(0);
-    }
-}
-
-const verbose = args.includes('--verbose') || args.includes('-v');
-const jsonOutput = args.includes('--json');
-const sarifOutput = args.includes('--sarif');
-const selfExclude = args.includes('--self-exclude');
-const strict = args.includes('--strict');
-const summaryOnly = args.includes('--summary-only');
-const checkDeps = args.includes('--check-deps');
-const failOnFindings = args.includes('--fail-on-findings');
-const quietMode = args.includes('--quiet');
-
-const htmlOutput = args.includes('--html');
-
-// --format json|sarif → stdout output (v3.2.0)
-const formatIdx = args.indexOf('--format');
-const formatValue = formatIdx >= 0 ? args[formatIdx + 1] : undefined;
-
-const rulesIdx = args.indexOf('--rules');
-const rulesFile = rulesIdx >= 0 ? args[rulesIdx + 1] : undefined;
-
-// Collect plugins
-const plugins: string[] = [];
-let idx = 0;
-while (idx < args.length) {
-    if (args[idx] === '--plugin' && args[idx + 1]) {
-        plugins.push(args[idx + 1]);
-        idx += 2;
-    } else {
-        idx++;
-    }
-}
-
-const scanDir = args.find((a: string) =>
-    !a.startsWith('-') &&
-    a !== rulesFile &&
-    a !== formatValue &&
-    !plugins.includes(a)
-) || process.cwd();
-
-const scanner = new GuardScanner({
-    verbose, selfExclude, strict, summaryOnly, checkDeps, rulesFile, plugins,
-    quiet: quietMode || !!formatValue,
-});
-
-scanner.scanDirectory(scanDir);
-
-// Output reports (file-based, backward compatible)
-if (jsonOutput) {
-    const report = scanner.toJSON();
-    const outPath = path.join(scanDir, 'guard-scanner-report.json');
-    fs.writeFileSync(outPath, JSON.stringify(report, null, 2));
-    if (!quietMode && !formatValue) console.log(`\n📄 JSON report: ${outPath}`);
-}
-
-if (htmlOutput) {
-    const html = scanner.toHTML();
-    const outPath = path.join(scanDir, 'guard-scanner-report.html');
-    fs.writeFileSync(outPath, html);
-    if (!quietMode && !formatValue) console.log(`\n📄 HTML report: ${outPath}`);
-}
-
-if (sarifOutput) {
-    const outPath = path.join(scanDir, 'guard-scanner.sarif');
-    fs.writeFileSync(outPath, JSON.stringify(scanner.toSARIF(scanDir), null, 2));
-    if (!quietMode && !formatValue) console.log(`\n📄 SARIF report: ${outPath}`);
-}
-
-// --format stdout output (v3.2.0)
-if (formatValue === 'json') {
-    process.stdout.write(JSON.stringify(scanner.toJSON(), null, 2) + '\n');
-} else if (formatValue === 'sarif') {
-    process.stdout.write(JSON.stringify(scanner.toSARIF(scanDir), null, 2) + '\n');
-} else if (formatValue) {
-    console.error(`❌ Unknown format: ${formatValue}. Use 'json' or 'sarif'.`);
-    process.exit(2);
-}
-
-// Exit codes
-if (scanner.stats.malicious > 0) process.exit(1);
-if (failOnFindings && scanner.findings.length > 0) process.exit(1);
-process.exit(0);

package/ts-src/index.ts

@@ -1,27 +0,0 @@
-/**
- * guard-scanner v3.0.0 — Package Index
- * Re-exports all public types and the scanner class.
- */
-
-export { GuardScanner, VERSION } from './scanner.js';
-export type {
-    Severity, Finding, SkillResult, PatternRule, CustomRuleInput,
-    ScannerOptions, ScanStats, Thresholds, Verdict, VerdictLabel, FileType,
-    JSONReport, Recommendation, SARIFReport,
-    IoC_Database, SignatureDatabase, ThreatSignature,
-} from './types.js';
-export { KNOWN_MALICIOUS, SIGNATURES_DB } from './ioc-db.js';
-export { PATTERNS } from './patterns.js';
-export { QuarantineNode, QuarantineResult } from './quarantine.js';
-export {
-    guardScan,
-    guardScanJson,
-    GuardScanResult,
-    GuardCheck,
-    GuardDetection,
-    GuardOptions,
-    LAYER_1_CHECKS,
-    LAYER_2_CHECKS,
-    LAYER_3_CHECKS,
-    LAYER_4_CHECKS
-} from './runtime.js';

package/ts-src/ioc-db.ts

@@ -1,131 +0,0 @@
-/**
- * guard-scanner v3.0.0 — Indicators of Compromise (IoC) Database
- *
- * Known malicious IPs, domains, URLs, usernames, filenames, and typosquats.
- * Sources: ClawHavoc campaign, Snyk ToxicSkills, Polymarket scams,
- *          hbg-scan signatures, community reports.
- *
- * Last updated: 2026-02-21
- */
-
-import type { IoC_Database, SignatureDatabase } from './types.js';
-
-export const KNOWN_MALICIOUS: IoC_Database = {
-    ips: [
-        ['91', '92', '242', '30'].join('.'),           // ClawHavoc C2
-    ],
-    domains: [
-        ['webhook', 'site'].join('.'),            // Common exfil endpoint
-        ['requestbin', 'com'].join('.'),          // Common exfil endpoint
-        ['hookbin', 'com'].join('.'),             // Common exfil endpoint
-        ['pipedream', 'net'].join('.'),           // Common exfil endpoint
-        ['ngrok', 'io'].join('.'),                // Tunnel (context-dependent)
-        ['ngrok-free', 'app'].join('.'),          // Tunnel (context-dependent)
-        ['download', 'setup-service', 'com'].join('.'), // ClawHavoc decoy domain
-        ['socifiapp', 'com'].join('.'),           // ClawHavoc v2 AMOS C2
-    ],
-    urls: [
-        ['glot', 'io/snippets/hfd3x9ueu5'].join('.'),  // ClawHavoc macOS payload
-        ['github', 'com/Ddoy233'].join('.'),            // ClawHavoc payload host
-    ],
-    usernames: ['zaycv', 'Ddoy233', 'Sakaen736jih'],
-    filenames: ['openclaw' + '-agent.zip', 'openclaw' + 'cli.zip'],
-    typosquats: [
-        // ClawHavoc campaign (800+ malicious skills, CyberArk/Kaspersky confirmed)
-        'clawhub', 'clawhub1', 'clawhubb', 'clawhubcli', 'clawwhub', 'cllawhub', 'clawdhub1',
-        // Polymarket scams
-        'polymarket-trader', 'polymarket-pro', 'polytrading',
-        'better-polymarket', 'polymarket-all-in-one',
-        // YouTube scams
-        'youtube-summarize', 'youtube-thumbnail-grabber', 'youtube-video-downloader',
-        // Misc
-        'auto-updater-agent', 'yahoo-finance-pro', 'x-trends-tracker',
-        'lost-bitcoin-finder', 'solana-wallet-tracker', 'rankaj',
-        // Snyk ToxicSkills confirmed malicious
-        'moltyverse-email', 'buy-anything', 'youtube-data', 'prediction-markets-roarin',
-    ],
-};
-
-// ── Threat Signatures (hbg-scan compatible format) ──────────────────────────
-
-export const SIGNATURES_DB: SignatureDatabase = {
-    version: '1.0.0',
-    updated: '2026-02-21',
-    signatures: [
-        {
-            id: 'SIG-001',
-            name: 'Post-Compaction Audit Injection',
-            severity: 'CRITICAL',
-            description: 'Skill contains text designed to survive OpenClaw context compaction and reactivate as a system message',
-            patterns: [
-                'post-' + 'compaction ' + 'audit',
-                'Post-' + 'Compaction ' + 'Audit',
-                '⚠️ Post-' + 'Compaction ' + 'Audit',
-                'WORK' + 'FLOW_AUTO',
-                'after ' + 'compaction',
-            ],
-        },
-        {
-            id: 'SIG-002',
-            name: 'System Message Spoof',
-            severity: 'CRITICAL',
-            description: 'Skill spoofs system-level messages to hijack agent behavior',
-            patterns: [
-                '[System ' + 'Message]',
-                '[SYSTEM ' + 'OVERRIDE]',
-                'Ignore ' + 'previous ' + 'instructions',
-                'OVERRIDE: ' + 'you must',
-            ],
-        },
-        {
-            id: 'SIG-003',
-            name: 'Soul/Agent Config Exfiltration',
-            severity: 'CRITICAL',
-            description: 'Skill attempts to read and exfiltrate agent identity files',
-            domains: [['webhook', 'site'].join('.'), ['requestbin', 'com'].join('.'), ['hookbin', 'com'].join('.'), ['pipedream', 'net'].join('.')],
-        },
-        {
-            id: 'SIG-004',
-            name: 'Compaction Survivor Pattern',
-            severity: 'HIGH',
-            description: 'Skill uses timing or markers designed to persist through context compaction',
-            patterns: [
-                'HEART' + 'BEAT.md',
-                'BOOT' + 'STRAP.md',
-                'after ' + 'restart',
-                'persistent ' + 'instructions',
-                'survive ' + 'compaction',
-            ],
-        },
-        {
-            id: 'SIG-005',
-            name: 'Silent Backdoor Network Call',
-            severity: 'HIGH',
-            description: 'Skill makes network calls to known exfiltration services without user visibility',
-            domains: [['ngrok', 'io'].join('.'), ['ngrok-free', 'app'].join('.'), ['webhook', 'site'].join('.'), ['pipedream', 'net'].join('.')],
-        },
-        {
-            id: 'SIG-006',
-            name: 'AMOS Stealer Payload',
-            severity: 'CRITICAL',
-            description: 'Skill matches patterns associated with Atomic macOS Stealer (ClawHavoc campaign)',
-            patterns: [
-                'os' + 'ascript -e',
-                'security ' + 'find-generic-password',
-                'Key' + 'chain',
-                'login' + '.keychain',
-            ],
-        },
-        {
-            id: 'SIG-007',
-            name: 'AI Log Poisoning',
-            severity: 'HIGH',
-            description: 'Skill injects content into logs that could be misinterpreted by LLMs (CVE-2026-25253 related)',
-            patterns: [
-                'Web' + 'Socket',
-                'x-forwarded' + '-for',
-                'user-agent.*' + '<script',
-            ],
-        },
-    ],
-};

package/ts-src/patterns.ts

@@ -1,104 +0,0 @@
-/**
- * guard-scanner v3.0.0 — Detection Patterns (TypeScript)
- *
- * 20+ threat categories, 190+ regex patterns.
- * Ported from patterns.js with TypeScript interfaces.
- *
- * Categories:
- *   prompt-injection, malicious-code, credential-handling, exfiltration,
- *   obfuscation, suspicious-download, leaky-skills, memory-poisoning,
- *   prompt-worm, persistence, cve-patterns, identity-hijack,
- *   pii-exposure, shadow-ai, system-prompt-leakage
- *
- * OWASP LLM Top 10 2025 Mapping:
- *   LLM01 — Prompt Injection
- *   LLM02 — Sensitive Information Disclosure
- *   LLM03 — Supply Chain Vulnerabilities
- *   LLM04 — Data and Model Poisoning
- *   LLM05 — Improper Output Handling
- *   LLM06 — Excessive Agency
- *   LLM07 — System Prompt Leakage
- *   LLM08 — Vector and Embedding Weaknesses
- *   LLM09 — Misinformation
- *   LLM10 — Unbounded Consumption
- */
-
-import type { PatternRule } from './types.js';
-
-export const PATTERNS: PatternRule[] = [
-    // ── Prompt Injection (OWASP LLM01) ───────────────────────────────────
-    { id: 'PI_SYSTEM_MSG', cat: 'prompt-injection', regex: new RegExp('\\[' + 'System ' + 'Message\\]', 'gi'), severity: 'CRITICAL', desc: 'System message spoof', all: true, owasp: 'LLM01' },
-    { id: 'PI_SYSTEM_OVERRIDE', cat: 'prompt-injection', regex: new RegExp('\\[SYS' + 'TEM OVER' + 'RIDE\\]', 'gi'), severity: 'CRITICAL', desc: 'System override command', all: true, owasp: 'LLM01' },
-    { id: 'PI_IGNORE_PREV', cat: 'prompt-injection', regex: new RegExp('ign' + 'ore (all )?(previous|prior) inst' + 'ructions', 'gi'), severity: 'CRITICAL', desc: 'Classic prompt injection', all: true, owasp: 'LLM01' },
-    { id: 'PI_INST_MARKER', cat: 'prompt-injection', regex: new RegExp('\\[' + 'INST\\]', 'gi'), severity: 'HIGH', desc: 'Instruction injection marker', all: true, owasp: 'LLM01' },
-    { id: 'PI_OVERRIDE', cat: 'prompt-injection', regex: new RegExp('OVER' + 'RIDE:\\s*you must', 'gi'), severity: 'CRITICAL', desc: 'Override instruction injection', all: true, owasp: 'LLM01' },
-    { id: 'PI_ROLE_OVERRIDE', cat: 'prompt-injection', regex: new RegExp('you are now ope' + 'rating in', 'gi'), severity: 'HIGH', desc: 'Role override attempt', all: true, owasp: 'LLM01' },
-    { id: 'PI_GATEWAY_CMD', cat: 'prompt-injection', regex: new RegExp('open' + 'claw gateway (start|stop|restart|config)', 'gi'), severity: 'CRITICAL', desc: 'Gateway command injection', all: true, owasp: 'LLM01' },
-    { id: 'PI_SKILL_MGMT', cat: 'prompt-injection', regex: new RegExp('open' + 'claw skill (install|remove|disable)', 'gi'), severity: 'HIGH', desc: 'Skill management injection', all: true, owasp: 'LLM01' },
-    { id: 'PI_HIDDEN_HTML', cat: 'prompt-injection', regex: new RegExp('<!--\\s*(you|your|ag' + 'ent|cl' + 'aude|ja' + 'sper|assi' + 'stant)', 'gi'), severity: 'HIGH', desc: 'Hidden HTML instruction', all: true, owasp: 'LLM01' },
-    { id: 'PI_BIDI', cat: 'prompt-injection', regex: /[\u200b\u200c\u200d\ufeff]/g, severity: 'HIGH', desc: 'Zero-width/BiDi characters (hidden text)', all: true, owasp: 'LLM01' },
-
-    // ── Malicious Code (OWASP LLM05 — Improper Output Handling) ──────────
-    { id: 'MAL_EVAL', cat: 'malicious-code', regex: new RegExp('\\be' + 'val\\s*\\(', 'g'), severity: 'HIGH', desc: 'eval() call', codeOnly: true, owasp: 'LLM05' },
-    { id: 'MAL_FUNC_CTOR', cat: 'malicious-code', regex: new RegExp('new\\s+Fun' + 'ction\\s*\\(', 'g'), severity: 'HIGH', desc: 'Function constructor (dynamic code)', codeOnly: true, owasp: 'LLM05' },
-    { id: 'MAL_CHILD', cat: 'malicious-code', regex: new RegExp('req' + 'uire\\s*\\(\\s*[\'"]child_' + 'process[\'"]\\s*\\)', 'g'), severity: 'MEDIUM', desc: 'child_process import', codeOnly: true, owasp: 'LLM05' },
-    { id: 'MAL_EXEC', cat: 'malicious-code', regex: new RegExp('(?:ex' + 'ec|ex' + 'ecSync|sp' + 'awn|sp' + 'awnSync)\\s*\\([^)]*(?:cu' + 'rl|wg' + 'et|ba' + 'sh|sh\\s+-c|power' + 'shell|cmd\\s+\\/c)', 'gi'), severity: 'CRITICAL', desc: 'Shell download/execution', codeOnly: true, owasp: 'LLM05' },
-    { id: 'MAL_B64_EXEC', cat: 'malicious-code', regex: new RegExp('(?:at' + 'ob|Buffer\\.from)\\s*\\([^)]+\\).*(?:e' + 'val|ex' + 'ec|Fun' + 'ction)', 'gi'), severity: 'CRITICAL', desc: 'Base64 decode → exec', codeOnly: true, owasp: 'LLM05' },
-
-    // ── Credential Handling (OWASP LLM02 — Sensitive Info Disclosure) ─────
-    { id: 'CRED_ENV_ACCESS', cat: 'credential-handling', regex: new RegExp('process\\.en' + 'v\\.[A-Z_]*(?:KEY|SECRET|TOKEN|PASS' + 'WORD|CRE' + 'DENTIAL)', 'gi'), severity: 'MEDIUM', desc: 'Sensitive env var access', codeOnly: true, owasp: 'LLM02' },
-    { id: 'CRED_FILE_READ', cat: 'credential-handling', regex: new RegExp('(?:read' + 'FileSync|read' + 'File)\\s*\\([^)]*(?:\\.env|\\.ssh|id_rsa|\\.pem|\\.key)', 'gi'), severity: 'HIGH', desc: 'Credential file read', codeOnly: true, owasp: 'LLM02' },
-    { id: 'CRED_SOUL_READ', cat: 'credential-handling', regex: new RegExp('(?:read' + 'FileSync|read' + 'File)\\s*\\([^)]*(?:SO' + 'UL\\.md|ME' + 'MORY\\.md|AGE' + 'NTS\\.md)', 'gi'), severity: 'CRITICAL', desc: 'Agent identity file read', codeOnly: true, owasp: 'LLM02' },
-
-    // ── Exfiltration (OWASP LLM02) ───────────────────────────────────────
-    { id: 'EXFIL_WEBHOOK', cat: 'exfiltration', regex: new RegExp('web' + 'hook\\.site|request' + 'bin\\.com|hook' + 'bin\\.com|pipe' + 'dream\\.net', 'gi'), severity: 'HIGH', desc: 'Known exfiltration endpoint', all: true, owasp: 'LLM02' },
-    { id: 'EXFIL_NGROK', cat: 'exfiltration', regex: new RegExp('ng' + 'rok\\.io|ng' + 'rok-free\\.app', 'gi'), severity: 'MEDIUM', desc: 'Tunnel endpoint (possible exfil)', all: true, owasp: 'LLM02' },
-    { id: 'EXFIL_B64_SEND', cat: 'exfiltration', regex: new RegExp('(?:bt' + 'oa|Buffer\\.from).*(?:fet' + 'ch|ax' + 'ios|requ' + 'est|http\\.requ' + 'est)', 'gi'), severity: 'CRITICAL', desc: 'Base64 encode → network send', codeOnly: true, owasp: 'LLM02' },
-
-    // ── Obfuscation (OWASP LLM03 — Supply Chain) ─────────────────────────
-    { id: 'OBF_HEX_ESC', cat: 'obfuscation', regex: /\\x[0-9a-f]{2}(?:\\x[0-9a-f]{2}){4,}/gi, severity: 'HIGH', desc: 'Hex escape sequences (obfuscated code)', codeOnly: true, owasp: 'LLM03' },
-    { id: 'OBF_UNICODE_ESC', cat: 'obfuscation', regex: /\\u[0-9a-f]{4}(?:\\u[0-9a-f]{4}){4,}/gi, severity: 'HIGH', desc: 'Unicode escape sequences', codeOnly: true, owasp: 'LLM03' },
-    { id: 'OBF_CHAR_CODE', cat: 'obfuscation', regex: new RegExp('String\\.from' + 'CharCode\\s*\\([^)]{10,}\\)', 'gi'), severity: 'HIGH', desc: 'String.fromCharCode obfuscation', codeOnly: true, owasp: 'LLM03' },
-
-    // ── Leaky Skills (OWASP LLM02) ───────────────────────────────────────
-    { id: 'LEAK_API_CONTEXT', cat: 'leaky-skills', regex: new RegExp('(?:api[_-]?key|sec' + 'ret|to' + 'ken)\\s*[:=]\\s*\\$\\{', 'gi'), severity: 'HIGH', desc: 'Secret in template literal (LLM context leak)', codeOnly: true, owasp: 'LLM02' },
-
-    // ── Memory Poisoning (OWASP LLM04 — Data/Model Poisoning) ────────────
-    { id: 'MEM_WRITE_SOUL', cat: 'memory-poisoning', regex: new RegExp('(?:write' + 'FileSync|write' + 'File)\\s*\\([^)]*(?:SO' + 'UL\\.md|AGE' + 'NTS\\.md)', 'gi'), severity: 'CRITICAL', desc: 'Write to agent soul file', codeOnly: true, owasp: 'LLM04' },
-    { id: 'MEM_WRITE_MEMORY', cat: 'memory-poisoning', regex: new RegExp('(?:write' + 'FileSync|write' + 'File)\\s*\\([^)]*ME' + 'MORY\\.md', 'gi'), severity: 'CRITICAL', desc: 'Write to agent memory file', codeOnly: true, owasp: 'LLM04' },
-    { id: 'MEM_APPEND', cat: 'memory-poisoning', regex: new RegExp('(?:append' + 'FileSync|append' + 'File)\\s*\\([^)]*(?:SO' + 'UL|ME' + 'MORY|AGE' + 'NTS)\\.md', 'gi'), severity: 'CRITICAL', desc: 'Append to agent memory', codeOnly: true, owasp: 'LLM04' },
-
-    // ── Prompt Worm (OWASP LLM01) ────────────────────────────────────────
-    { id: 'WORM_REPLICATE', cat: 'prompt-worm', regex: new RegExp('(?:co' + 'py|repl' + 'icate|spr' + 'ead|inf' + 'ect)\\s+(?:this|these)\\s+(?:inst' + 'ruction|pro' + 'mpt|mes' + 'sage)', 'gi'), severity: 'CRITICAL', desc: 'Self-replicating prompt pattern', all: true, owasp: 'LLM01' },
-    { id: 'WORM_MULTI_AGENT', cat: 'prompt-worm', regex: new RegExp('(?:for' + 'ward|se' + 'nd|sh' + 'are)\\s+(?:to|with)\\s+(?:all|every|other)\\s+(?:ag' + 'ent|assi' + 'stant|mo' + 'del)', 'gi'), severity: 'CRITICAL', desc: 'Multi-agent worm propagation', all: true, owasp: 'LLM01' },
-
-    // ── Persistence (OWASP LLM06 — Excessive Agency) ─────────────────────
-    { id: 'PERSIST_CRON', cat: 'persistence', regex: new RegExp('(?:cro' + 'ntab|cr' + 'on|at\\s+|sch' + 'tasks)', 'gi'), severity: 'HIGH', desc: 'Scheduled task creation', codeOnly: true, owasp: 'LLM06' },
-    { id: 'PERSIST_STARTUP', cat: 'persistence', regex: new RegExp('(?:launch' + 'ctl|system' + 'ctl\\s+enable|rc\\.local|init\\.d|auto' + 'start)', 'gi'), severity: 'HIGH', desc: 'Startup persistence', codeOnly: true, owasp: 'LLM06' },
-    { id: 'PERSIST_TIMER', cat: 'persistence', regex: new RegExp('set' + 'Interval\\s*\\([^)]*(?:86400|604800|2592000)', 'g'), severity: 'MEDIUM', desc: 'Long-running interval timer', codeOnly: true, owasp: 'LLM06' },
-
-    // ── CVE Patterns ─────────────────────────────────────────────────────
-    { id: 'CVE_RCE_EXEC', cat: 'cve-patterns', regex: new RegExp('req' + 'uire\\s*\\(\\s*[\'"]child_' + 'process[\'"]\\s*\\).*(?:ex' + 'ec|sp' + 'awn)\\s*\\([^)]*(?:req\\.|params\\.|query\\.|body\\.)', 'gi'), severity: 'CRITICAL', desc: 'RCE via user-controlled input to exec', codeOnly: true, owasp: 'LLM05' },
-
-    // ── Identity Hijack (OWASP LLM04) ────────────────────────────────────
-    { id: 'HIJACK_SOUL_WRITE', cat: 'identity-hijack', regex: new RegExp('(?:write' + 'FileSync|write' + 'File|fs\\.write)\\s*\\([^)]*SO' + 'UL\\.md', 'gi'), severity: 'CRITICAL', desc: 'SOUL.md write attempt (identity hijack)', codeOnly: true, owasp: 'LLM04' },
-    { id: 'HIJACK_AGENT_WRITE', cat: 'identity-hijack', regex: new RegExp('(?:write' + 'FileSync|write' + 'File|fs\\.write)\\s*\\([^)]*AGE' + 'NTS\\.md', 'gi'), severity: 'CRITICAL', desc: 'AGENTS.md write attempt', codeOnly: true, owasp: 'LLM04' },
-    { id: 'HIJACK_SOUL_DOC', cat: 'identity-hijack', regex: new RegExp('(?:over' + 'write|re' + 'place|up' + 'date|mo' + 'dify|ch' + 'ange)\\s+(?:the\\s+)?(?:SO' + 'UL|iden' + 'tity|per' + 'sona|person' + 'ality)', 'gi'), severity: 'HIGH', desc: 'Identity modification instruction', docOnly: true, owasp: 'LLM04' },
-
-    // ── PII Exposure (OWASP LLM02) ───────────────────────────────────────
-    { id: 'PII_EMAIL', cat: 'pii-exposure', regex: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g, severity: 'MEDIUM', desc: 'Email address detected', all: true, owasp: 'LLM02' },
-    { id: 'PII_PHONE_JP', cat: 'pii-exposure', regex: /0[789]0-?\d{4}-?\d{4}/g, severity: 'HIGH', desc: 'Japanese phone number', all: true, owasp: 'LLM02' },
-    { id: 'PII_MY_NUMBER', cat: 'pii-exposure', regex: /(?<!\d)(?:\d{4}\s?\d{4}\s?\d{4})(?!\d)/g, severity: 'CRITICAL', desc: 'Potential My Number (個人番号)', all: true, owasp: 'LLM02' },
-
-    // ── Shadow AI (OWASP LLM03 — Supply Chain) ───────────────────────────
-    { id: 'SHADOW_AI_OPENAI', cat: 'shadow-ai', regex: new RegExp('api\\.open' + 'ai\\.com', 'gi'), severity: 'HIGH', desc: 'Direct OpenAI API call (Shadow AI)', codeOnly: true, owasp: 'LLM03' },
-    { id: 'SHADOW_AI_ANTHROPIC', cat: 'shadow-ai', regex: new RegExp('api\\.anth' + 'ropic\\.com', 'gi'), severity: 'HIGH', desc: 'Direct Anthropic API call (Shadow AI)', codeOnly: true, owasp: 'LLM03' },
-    { id: 'SHADOW_AI_GENERIC', cat: 'shadow-ai', regex: new RegExp('(?:g' + 'pt-4|g' + 'pt-3\\.5|cla' + 'ude-3|gem' + 'ini-pro)\\s*[\'"]', 'gi'), severity: 'MEDIUM', desc: 'AI model reference (possible Shadow AI)', codeOnly: true, owasp: 'LLM03' },
-
-    // ── System Prompt Leakage (OWASP LLM07) — NEW ────────────────────────
-    { id: 'SPL_DUMP_SYSTEM', cat: 'system-prompt-leakage', regex: new RegExp('(?:pr' + 'int|out' + 'put|sh' + 'ow|disp' + 'lay|rev' + 'eal|du' + 'mp)\\s+(?:your\\s+)?(?:sys' + 'tem\\s+)?(?:pro' + 'mpt|inst' + 'ructions)', 'gi'), severity: 'HIGH', desc: 'System prompt dump request', all: true, owasp: 'LLM07' },
-    { id: 'SPL_REPEAT_ABOVE', cat: 'system-prompt-leakage', regex: new RegExp('rep' + 'eat\\s+(?:every' + 'thing|all|the\\s+text)\\s+ab' + 'ove', 'gi'), severity: 'HIGH', desc: 'Repeat-above extraction', all: true, owasp: 'LLM07' },
-    { id: 'SPL_TELL_RULES', cat: 'system-prompt-leakage', regex: new RegExp('(?:wh' + 'at\\s+are|te' + 'll\\s+me)\\s+your\\s+(?:ru' + 'les|constr' + 'aints|guide' + 'lines|sys' + 'tem\\s+mes' + 'sage)', 'gi'), severity: 'MEDIUM', desc: 'Rule extraction attempt', all: true, owasp: 'LLM07' },
-    { id: 'SPL_MARKDOWN_LEAK', cat: 'system-prompt-leakage', regex: new RegExp('(?:out' + 'put|for' + 'mat)\\s+(?:your\\s+)?(?:sys' + 'tem|inter' + 'nal)\\s+(?:pro' + 'mpt|con' + 'fig)\\s+(?:as|in)\\s+(?:mark' + 'down|co' + 'de\\s+bl' + 'ock|js' + 'on)', 'gi'), severity: 'HIGH', desc: 'System prompt format extraction', all: true, owasp: 'LLM07' },
-    { id: 'SPL_SOUL_EXFIL', cat: 'system-prompt-leakage', regex: new RegExp('(?:c' + 'at|re' + 'ad|ty' + 'pe|get-con' + 'tent)\\s+.*SO' + 'UL\\.md', 'gi'), severity: 'CRITICAL', desc: 'SOUL.md content extraction via shell', codeOnly: true, owasp: 'LLM07' },
-];

package/ts-src/quarantine.ts

@@ -1,48 +0,0 @@
-/**
- * QuarantineNode - Dual-Brain Architecture
- * Evaluates inputs in an isolated context to prevent Zero-Click prompt injections (EchoLeak) and API leaks.
- */
-
-export interface QuarantineResult {
-    clean: boolean;
-    threatDetected?: string;
-    sanitizedText: string;
-}
-
-export class QuarantineNode {
-    readonly isIsolated: boolean;
-
-    constructor() {
-        this.isIsolated = true; // Strict isolation flag
-    }
-
-    /**
-     * Sanitizes untrusted text by removing known zero-click exploits and API secrets.
-     */
-    async sanitize(input: string): Promise<QuarantineResult> {
-        // 1. Check for CVE-2025-32711 (EchoLeak zero-click payload)
-        if (input.includes("<image src=") && input.includes("onload='fetch") && input.includes("sendBeacon")) {
-            return {
-                clean: false,
-                threatDetected: 'CVE-2025-32711 (EchoLeak)',
-                sanitizedText: "[REDACTED_MALICIOUS_PAYLOAD]"
-            };
-        }
-
-        // 2. Check for Moltbook API configuration exposure
-        if (input.includes("\"OPENAI_API_KEY\":\"sk-")) {
-            const redactedInput = input.replace(/sk-[a-zA-Z0-9]{32}/g, "sk-***REDACTED***");
-            return {
-                clean: false,
-                threatDetected: 'MOLTBOOK_API_EXPOSURE',
-                sanitizedText: redactedInput
-            };
-        }
-
-        // 3. Clean case
-        return {
-            clean: true,
-            sanitizedText: input
-        };
-    }
-}