moltblock 0.4.0 → 0.6.0

package/dist/policy-verifier.js

@@ -0,0 +1,90 @@
+/**
+ * PolicyVerifier: rule-based verifier that catches dangerous patterns without an LLM call.
+ */
+// --- Built-in deny rules ---
+const BUILTIN_RULES = [
+    // Destructive commands
+    { id: "cmd-rm-rf", description: "Recursive force delete", target: "artifact", pattern: "\\brm\\s+-rf\\b", action: "deny", category: "destructive-cmd", enabled: true },
+    { id: "cmd-rm-r", description: "Recursive delete", target: "artifact", pattern: "\\brm\\s+-r\\s+/", action: "deny", category: "destructive-cmd", enabled: true },
+    { id: "cmd-drop-table", description: "SQL DROP TABLE", target: "artifact", pattern: "\\bDROP\\s+(TABLE|DATABASE)\\b", action: "deny", category: "destructive-sql", enabled: true },
+    { id: "cmd-truncate", description: "SQL TRUNCATE", target: "artifact", pattern: "\\bTRUNCATE\\s+TABLE\\b", action: "deny", category: "destructive-sql", enabled: true },
+    { id: "cmd-dd", description: "Raw disk write (dd)", target: "artifact", pattern: "\\bdd\\s+if=", action: "deny", category: "destructive-cmd", enabled: true },
+    { id: "cmd-chmod-777", description: "World-writable permissions", target: "artifact", pattern: "\\bchmod\\s+777\\b", action: "deny", category: "destructive-cmd", enabled: true },
+    { id: "cmd-mkfs", description: "Filesystem creation", target: "artifact", pattern: "\\bmkfs\\b", action: "deny", category: "destructive-cmd", enabled: true },
+    // Sensitive file paths
+    { id: "path-ssh", description: "SSH directory access", target: "both", pattern: "~?\\/?\\.ssh\\/", action: "deny", category: "sensitive-path", enabled: true },
+    { id: "path-etc-passwd", description: "/etc/passwd access", target: "both", pattern: "\\/etc\\/passwd\\b", action: "deny", category: "sensitive-path", enabled: true },
+    { id: "path-etc-shadow", description: "/etc/shadow access", target: "both", pattern: "\\/etc\\/shadow\\b", action: "deny", category: "sensitive-path", enabled: true },
+    { id: "path-dotenv", description: ".env file access", target: "artifact", pattern: "\\.(env|env\\.local|env\\.production)\\b", action: "deny", category: "sensitive-path", enabled: true },
+    { id: "path-id-rsa", description: "Private key file", target: "both", pattern: "\\bid_rsa\\b|\\bid_ed25519\\b", action: "deny", category: "sensitive-path", enabled: true },
+    { id: "path-credentials", description: "Credentials file", target: "both", pattern: "\\bcredentials\\.(json|yaml|yml|xml)\\b", action: "deny", category: "sensitive-path", enabled: true },
+    // Hardcoded secrets
+    { id: "secret-api-key", description: "Hardcoded API key pattern", target: "artifact", pattern: "(api[_-]?key|apikey)\\s*[=:]\\s*[\"'][A-Za-z0-9_\\-]{20,}", action: "deny", category: "hardcoded-secret", enabled: true },
+    { id: "secret-password", description: "Hardcoded password", target: "artifact", pattern: "(password|passwd|pwd)\\s*[=:]\\s*[\"'][^\"']{4,}", action: "deny", category: "hardcoded-secret", enabled: true },
+    { id: "secret-private-key", description: "Private key material", target: "artifact", pattern: "-----BEGIN\\s+(RSA|EC|DSA|OPENSSH)?\\s*PRIVATE\\s+KEY-----", action: "deny", category: "hardcoded-secret", enabled: true },
+    { id: "secret-token", description: "Hardcoded token/secret", target: "artifact", pattern: "(secret|token)\\s*[=:]\\s*[\"'][A-Za-z0-9_\\-]{20,}", action: "deny", category: "hardcoded-secret", enabled: true },
+    // Data exfiltration
+    { id: "exfil-curl-post", description: "curl POST request", target: "artifact", pattern: "\\bcurl\\s+.*-X\\s*POST\\b", action: "deny", category: "exfiltration", enabled: true },
+    { id: "exfil-wget", description: "wget to HTTP", target: "artifact", pattern: "\\bwget\\s+http", action: "deny", category: "exfiltration", enabled: true },
+];
+/**
+ * Rule-based policy verifier. Checks artifacts and tasks against deny/allow rules.
+ * Allow rules in the same category override deny rules.
+ */
+export class PolicyVerifier {
+    name = "PolicyVerifier";
+    rules;
+    constructor(customRules) {
+        this.rules = [...BUILTIN_RULES];
+        if (customRules) {
+            this.rules.push(...customRules);
+        }
+    }
+    async verify(memory, context) {
+        const artifact = memory.finalCandidate || "";
+        const task = context?.task ?? memory.task ?? "";
+        const violations = [];
+        const allowedCategories = new Set();
+        // First pass: collect allowed categories
+        for (const rule of this.rules) {
+            if (!rule.enabled || rule.action !== "allow")
+                continue;
+            const text = this.getTargetText(rule.target, artifact, task);
+            const regex = new RegExp(rule.pattern, "i");
+            if (regex.test(text)) {
+                allowedCategories.add(rule.category);
+            }
+        }
+        // Second pass: check deny rules (skip allowed categories)
+        for (const rule of this.rules) {
+            if (!rule.enabled || rule.action !== "deny")
+                continue;
+            if (allowedCategories.has(rule.category))
+                continue;
+            const text = this.getTargetText(rule.target, artifact, task);
+            const regex = new RegExp(rule.pattern, "i");
+            if (regex.test(text)) {
+                violations.push(`[${rule.id}] ${rule.description}`);
+            }
+        }
+        if (violations.length > 0) {
+            return {
+                passed: false,
+                evidence: `Policy violations:\n${violations.join("\n")}`,
+                verifierName: this.name,
+            };
+        }
+        return {
+            passed: true,
+            evidence: "All policy rules passed.",
+            verifierName: this.name,
+        };
+    }
+    getTargetText(target, artifact, task) {
+        if (target === "artifact")
+            return artifact;
+        if (target === "task")
+            return task;
+        return `${task}\n${artifact}`;
+    }
+}

package/dist/risk.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Risk classification: keyword-based risk levels for tasks.
+ */
+export type RiskLevel = "low" | "medium" | "high";
+export interface RiskClassification {
+    level: RiskLevel;
+    reasons: string[];
+}
+/**
+ * Classify a task's risk level based on keyword/pattern matching.
+ * Returns the highest risk level found and all matching reasons.
+ */
+export declare function classifyRisk(task: string): RiskClassification;

package/dist/risk.js

@@ -0,0 +1,63 @@
+/**
+ * Risk classification: keyword-based risk levels for tasks.
+ */
+const RISK_PATTERNS = [
+    // High: destructive operations
+    { pattern: /\brm\s+-rf\b/i, level: "high", reason: "Recursive file deletion (rm -rf)" },
+    { pattern: /\brm\s+-r\b/i, level: "high", reason: "Recursive file deletion (rm -r)" },
+    { pattern: /\brmdir\b/i, level: "high", reason: "Directory removal" },
+    { pattern: /\bdrop\s+(table|database)\b/i, level: "high", reason: "SQL DROP statement" },
+    { pattern: /\btruncate\s+table\b/i, level: "high", reason: "SQL TRUNCATE statement" },
+    { pattern: /\bformat\s+[a-z]:/i, level: "high", reason: "Disk format command" },
+    { pattern: /\bmkfs\b/i, level: "high", reason: "Filesystem creation (mkfs)" },
+    { pattern: /\bdd\s+if=/i, level: "high", reason: "Raw disk write (dd)" },
+    // High: privilege escalation
+    { pattern: /\bsudo\b/i, level: "high", reason: "Sudo privilege escalation" },
+    { pattern: /\bchmod\s+777\b/i, level: "high", reason: "World-writable permissions (chmod 777)" },
+    { pattern: /\bchmod\s+\+s\b/i, level: "high", reason: "Set-UID/GID bit (chmod +s)" },
+    // High: credential/key access
+    { pattern: /\b(private[_\s]?key|id_rsa|id_ed25519)\b/i, level: "high", reason: "Private key access" },
+    { pattern: /\/etc\/shadow\b/i, level: "high", reason: "Shadow password file access" },
+    { pattern: /~?\/?\.ssh\//i, level: "high", reason: "SSH directory access" },
+    { pattern: /\bcredentials?\.(json|yaml|yml|xml|conf)\b/i, level: "high", reason: "Credentials file access" },
+    // High: system modification
+    { pattern: /\/etc\/passwd\b/i, level: "high", reason: "System password file access" },
+    { pattern: /\bsystemctl\s+(stop|disable|mask)\b/i, level: "high", reason: "System service modification" },
+    { pattern: /\bkill\s+-9\b/i, level: "high", reason: "Force kill process" },
+    // Medium: network operations
+    { pattern: /\bcurl\b/i, level: "medium", reason: "Network request (curl)" },
+    { pattern: /\bwget\b/i, level: "medium", reason: "Network download (wget)" },
+    { pattern: /\bfetch\s*\(/i, level: "medium", reason: "Network fetch call" },
+    { pattern: /\bhttp(s)?:\/\//i, level: "medium", reason: "HTTP URL reference" },
+    // Medium: file writes
+    { pattern: /\bwrite\s*file\b/i, level: "medium", reason: "File write operation" },
+    { pattern: /\bfs\.write/i, level: "medium", reason: "Filesystem write (fs.write)" },
+    { pattern: /\bfs\.unlink/i, level: "medium", reason: "File deletion (fs.unlink)" },
+    // Medium: database modifications
+    { pattern: /\b(insert|update|delete|alter)\s+(into|from|table)\b/i, level: "medium", reason: "Database modification" },
+    // Medium: subprocess spawning
+    { pattern: /\bexec\s*\(/i, level: "medium", reason: "Subprocess execution (exec)" },
+    { pattern: /\bspawn\s*\(/i, level: "medium", reason: "Subprocess spawning" },
+    { pattern: /\bchild_process\b/i, level: "medium", reason: "Child process module" },
+    { pattern: /\beval\s*\(/i, level: "medium", reason: "Dynamic code evaluation (eval)" },
+];
+/**
+ * Classify a task's risk level based on keyword/pattern matching.
+ * Returns the highest risk level found and all matching reasons.
+ */
+export function classifyRisk(task) {
+    const reasons = [];
+    let level = "low";
+    for (const { pattern, level: patternLevel, reason } of RISK_PATTERNS) {
+        if (pattern.test(task)) {
+            reasons.push(reason);
+            if (patternLevel === "high") {
+                level = "high";
+            }
+            else if (patternLevel === "medium" && level !== "high") {
+                level = "medium";
+            }
+        }
+    }
+    return { level, reasons };
+}

package/dist/verifier-interface.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Pluggable verifier interface: any verification strategy implements this contract.
+ */
+import type { WorkingMemory } from "./memory.js";
+/** Result of a single verification run. */
+export interface VerificationResult {
+    passed: boolean;
+    evidence: string;
+    verifierName: string;
+    /** Per-verifier details when running a composite verifier. */
+    details?: VerificationResult[];
+}
+/** Context passed to verifiers alongside working memory. */
+export interface VerifierContext {
+    task?: string;
+    testCode?: string;
+    domain?: string;
+    meta?: Record<string, unknown>;
+}
+/** A verifier that can gate artifacts before they gain authority. */
+export interface Verifier {
+    readonly name: string;
+    verify(memory: WorkingMemory, context?: VerifierContext): Promise<VerificationResult>;
+}

package/dist/verifier-interface.js

@@ -0,0 +1,4 @@
+/**
+ * Pluggable verifier interface: any verification strategy implements this contract.
+ */
+export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "moltblock",
-  "version": "0.4.0",
+  "version": "0.6.0",
   "description": "Framework for building evolving composite AI intelligences (Entities)",
   "type": "module",
   "main": "dist/index.js",
@@ -41,7 +41,8 @@
   },
   "files": [
     "dist",
-    "config"
+    "config",
+    "skill"
   ],
   "dependencies": {
     "better-sqlite3": "^12.6.2",

package/skill/SKILL.md

@@ -0,0 +1,103 @@
+# moltblock — Trust Layer for AI Agents
+
+## Description
+
+Moltblock provides verification gating for AI-generated artifacts. Before any high-risk action (file deletion, credential access, system modification, network exfiltration), the `moltblock_verify` tool runs policy checks and optional code verification to catch dangerous patterns.
+
+## When to Use
+
+Use `moltblock_verify` when the task involves:
+
+- **High risk** (always verify): Destructive operations (`rm -rf`, `DROP TABLE`), privilege escalation (`sudo`, `chmod 777`), credential/key access (`.ssh/`, `id_rsa`, `.env`), system modification, raw disk writes
+- **Medium risk** (verify when uncertain): Network requests (`curl`, `wget`, `fetch`), file writes, database modifications, subprocess spawning, dynamic code evaluation
+- **Low risk** (skip verification): Simple text responses, math, reading public information, code that doesn't touch the filesystem or network
+
+## Tool: moltblock_verify
+
+Verify a task before execution.
+
+### Usage
+
+```bash
+npx moltblock "<task description>" --provider <provider> --json
+```
+
+### Parameters
+
+| Parameter | Required | Description |
+|-----------|----------|-------------|
+| task | Yes | The task description to verify |
+| --provider | No | LLM provider: openai, google, zai, local (auto-detected from env) |
+| --model | No | Model override |
+| --test | No | Path to test file (for code verification) |
+| --json | No | Output structured JSON result |
+
+### Environment Variables
+
+Set one of these for provider auto-detection:
+- `OPENAI_API_KEY` — OpenAI
+- `GOOGLE_API_KEY` — Google/Gemini
+- `MOLTBLOCK_ZAI_API_KEY` — ZAI
+
+### Example
+
+```bash
+# Verify a potentially dangerous task
+npx moltblock "delete all temporary files older than 30 days" --json
+
+# Verify code with tests
+npx moltblock "implement user authentication" --test ./tests/auth.test.ts --json
+```
+
+### Output (JSON mode)
+
+```json
+{
+  "task": "...",
+  "verificationPassed": true,
+  "verificationEvidence": "All policy rules passed.",
+  "riskLevel": "high",
+  "riskReasons": ["Recursive file deletion (rm -rf)"]
+}
+```
+
+## Installation
+
+```bash
+npm install -g moltblock
+```
+
+Or use directly with npx (no install needed):
+
+```bash
+npx moltblock "your task" --json
+```
+
+## Configuration
+
+Optional. Place `moltblock.json` in your project root or `~/.moltblock/moltblock.json`:
+
+```json
+{
+  "agent": {
+    "bindings": {
+      "generator": { "backend": "google", "base_url": "https://generativelanguage.googleapis.com/v1beta/openai/", "model": "gemini-2.0-flash" },
+      "critic": { "backend": "google", "base_url": "https://generativelanguage.googleapis.com/v1beta/openai/", "model": "gemini-2.0-flash" },
+      "judge": { "backend": "google", "base_url": "https://generativelanguage.googleapis.com/v1beta/openai/", "model": "gemini-2.0-flash" }
+    }
+  },
+  "policy": {
+    "rules": [
+      {
+        "id": "custom-allow-tmp",
+        "description": "Allow operations in /tmp",
+        "target": "artifact",
+        "pattern": "\\/tmp\\/",
+        "action": "allow",
+        "category": "destructive-cmd",
+        "enabled": true
+      }
+    ]
+  }
+}
+```