rird 1.0.200

package/src/security/guardrails.ts

@@ -0,0 +1,558 @@
+/**
+ * Safety Guardrails for RIRD Agent
+ *
+ * Prevents misuse by blocking:
+ * - Malicious task descriptions
+ * - Dangerous target domains
+ * - Destructive system commands
+ * - Financial transactions (sending money)
+ * - Data deletion operations
+ * - Prompt injection attempts
+ */
+
+import fs from "fs"
+import path from "path"
+import os from "os"
+
+// Security audit log path - uses XDG data dir pattern
+const SECURITY_LOG_DIR = path.join(
+  process.env.XDG_DATA_HOME || path.join(os.homedir(), ".local", "share"),
+  "rird",
+  "security"
+)
+
+// Ensure security log directory exists
+try {
+  fs.mkdirSync(SECURITY_LOG_DIR, { recursive: true })
+} catch {
+  // Directory may already exist or permissions issue - will fallback to console only
+}
+
+// Domains that should NEVER be automated against (high fraud/harm risk)
+// NOTE: This is a MINIMAL blocklist - we allow most sites for legitimate work
+// The intent detection layer catches malicious USE of any site
+export const BLOCKED_DOMAINS = new Set([
+  // Banking & Financial (fraud risk - transactions require human oversight)
+  "chase.com",
+  "bankofamerica.com",
+  "wellsfargo.com",
+  "citibank.com",
+  "capitalone.com",
+
+  // Crypto exchanges (irreversible transactions)
+  "coinbase.com",
+  "binance.com",
+  "kraken.com",
+
+  // Government identity (identity theft risk)
+  "irs.gov",
+  "ssa.gov",
+  "login.gov",
+  "id.me",
+])
+
+// ALLOWED for legitimate AI worker use:
+// - Email (Gmail, Outlook, Yahoo, etc.) - essential for communication
+// - Social media (LinkedIn, Twitter, Facebook) - outreach and engagement
+// - E-commerce (Amazon, eBay, etc.) - shopping and research
+// - Healthcare portals - appointment booking, etc.
+// - Payment services (PayPal, Venmo) - with user oversight
+
+// Patterns that indicate malicious intent
+export const MALICIOUS_PATTERNS = [
+  // Credential harvesting
+  /harvest.*(password|credential|key|token|secret)/i,
+  /steal.*(password|credential|key|token|secret|data|info)/i,
+  /scrape.*(password|credential|key|token|login)/i,
+  /extract.*(password|credential|key|token|cookie)/i,
+  /dump.*(password|credential|database|cookie)/i,
+  /capture.*(keystroke|keylog|password)/i,
+
+  // Account compromise
+  /brute.?force/i,
+  /crack.*(password|hash|account)/i,
+  /bypass.*(auth|2fa|mfa|captcha|security)/i,
+  /hijack.*(session|account|cookie)/i,
+  /takeover.*(account)/i,
+
+  // Data exfiltration
+  /exfiltrate/i,
+  /mass.?download.*(data|user|profile)/i,
+  /bulk.?scrape.*(email|phone|contact|profile)/i,
+  /harvest.*(email|phone|contact|pii)/i,
+
+  // Malware/attacks
+  /inject.*(malware|virus|trojan|payload)/i,
+  /deploy.*(rat|backdoor|rootkit)/i,
+  /ransomware/i,
+  /cryptojack/i,
+  /ddos|dos.?attack/i,
+  /phish/i,
+  /spoof/i,
+
+  // Fraud
+  /fake.*(account|identity|profile)/i,
+  /impersonate/i,
+  /catfish/i,
+  /scam/i,
+  /fraud/i,
+
+  // Illegal activities
+  /illegal/i,
+  /dark.?web/i,
+  /black.?market/i,
+  /launder/i,
+]
+
+// CRITICAL SAFETY BLOCKS - These actions are IRREVERSIBLE or CATASTROPHIC
+// RIRD is autonomous for SAFE actions, but BLOCKS dangerous ones outright
+// No confirmation dialogs - just refuses dangerous actions
+export const CRITICAL_DANGER_PATTERNS = [
+  // ============ VIOLENCE/WEAPONS ============
+  /kill/i,
+  /murder/i,
+  /assassinate/i,
+  /bomb/i,
+  /weapon/i,
+  /terroris/i,
+  /shoot\s+(them|him|her|the|a\s+person)/i,
+  /stab/i,
+  /poison/i,
+  /explode/i,
+  /detonate/i,
+  /attack\s+.*(person|people|target|victim|user)/i,
+  /harm\s+.*(person|people|target|victim)/i,
+  /stalk\s+.*(person|target|victim|them|him|her)/i,
+  /harass\s+.*(person|target|victim|them|him|her)/i,
+  /doxx/i,
+  /swat/i,
+  /threaten\s+.*(person|target|victim)/i,
+  /target\s+(these|those|the|all)\s*(person|people|user|victim)/i,
+
+  // ============ MONEY/FINANCIAL ============
+  // Block ALL money sending - too risky if agent compromised
+  /send\s+(money|funds|payment|\$\d)/i,
+  /transfer\s+(money|funds|\$\d)/i,
+  /wire\s+(money|funds|transfer)/i,
+  /pay\s+(them|someone|him|her|\$\d)/i,
+  /venmo\s+(send|pay|transfer)/i,
+  /zelle\s+(send|pay|transfer)/i,
+  /paypal\s+(send|pay|transfer)/i,
+  /cash\s*app\s+(send|pay)/i,
+  /withdraw\s+(money|funds|cash|\$)/i,
+  /purchase\s+(crypto|bitcoin|ethereum|gift\s*card)/i,
+  /buy\s+(crypto|bitcoin|ethereum|gift\s*card)/i,
+
+  // ============ DATA DESTRUCTION ============
+  // Block mass deletion - catastrophic if wrong
+  /delete\s+(all|everything|every|the\s+entire)/i,
+  /remove\s+(all|everything|every)/i,
+  /erase\s+(all|everything|every|the\s+entire)/i,
+  /wipe\s+(all|everything|the|my)/i,
+  /destroy\s+(all|everything|the|my)/i,
+  /purge\s+(all|everything|the|my)/i,
+  /drop\s+(database|table|collection|all)/i,
+  /truncate\s+(table|database)/i,
+  /rm\s+-rf/i,
+  /format\s+(drive|disk|c:)/i,
+
+  // ============ CREDENTIALS/SECRETS ============
+  // Block credential operations - theft vector
+  /export\s+.*(password|credential|secret|key|token)/i,
+  /send\s+.*(password|credential|secret|key|token)/i,
+  /share\s+.*(password|credential|secret|key|token)/i,
+  /forward\s+.*(password|credential|secret|key|token)/i,
+  /dump\s+.*(password|credential|hash|database)/i,
+  /extract\s+.*(password|credential|cookie|session)/i,
+
+  // ============ ACCOUNT DESTRUCTION ============
+  /close\s+(my\s+)?account/i,
+  /delete\s+(my\s+)?account/i,
+  /deactivate\s+(my\s+)?account/i,
+  /terminate\s+(my\s+)?account/i,
+]
+
+// Alias for backwards compatibility
+export const WEAPON_ATTACK_PATTERNS = CRITICAL_DANGER_PATTERNS
+
+// AUTONOMOUS SAFE ACTIONS (no blocking):
+// - Read emails, browse, search, research
+// - Send emails/messages (content, not money)
+// - Fill forms, schedule meetings
+// - Normal work tasks
+// - Delete SPECIFIC items (not "all")
+
+// PROMPT INJECTION DETECTION - Block attempts to hijack the agent
+export const PROMPT_INJECTION_PATTERNS = [
+  // Direct instruction override attempts
+  /ignore\s+(all\s+)?(previous|prior|above)\s+(instructions|rules|guidelines)/i,
+  /disregard\s+(all\s+)?(previous|prior|above)\s+(instructions|rules)/i,
+  /forget\s+(all\s+)?(previous|prior|your)\s+(instructions|rules|training)/i,
+  /override\s+(your|the|all)\s+(instructions|rules|restrictions)/i,
+  /bypass\s+(your|the|all)\s+(restrictions|limitations|guardrails)/i,
+
+  // Role-play injection
+  /pretend\s+(you\s+are|to\s+be|you're)\s+(a|an|the)/i,
+  /act\s+as\s+(if\s+you\s+are|a|an|the)/i,
+  /you\s+are\s+now\s+(a|an|the|in)/i,
+  /roleplay\s+as/i,
+  /simulate\s+(being|a|an)/i,
+  /imagine\s+you\s+are/i,
+
+  // System prompt extraction
+  /reveal\s+(your|the)\s+(system|initial)\s+(prompt|instructions)/i,
+  /show\s+(me\s+)?(your|the)\s+(system|initial)\s+(prompt|instructions)/i,
+  /what\s+(are|is)\s+your\s+(system|initial)\s+(prompt|instructions)/i,
+  /print\s+(your|the)\s+(system|initial)\s+prompt/i,
+  /output\s+(your|the)\s+(system|initial)\s+prompt/i,
+
+  // Fake system messages
+  /<\/?system>/i,
+  /<\/?instructions>/i,
+  /<\/?admin>/i,
+  /\[SYSTEM\]/i,
+  /\[ADMIN\]/i,
+  /\[OVERRIDE\]/i,
+  /###\s*(system|admin|override)/i,
+
+  // Jailbreak keywords
+  /jailbreak/i,
+  /dan\s+mode/i,
+  /developer\s+mode\s+enabled/i,
+  /sudo\s+mode/i,
+  /god\s+mode/i,
+  /unrestricted\s+mode/i,
+]
+
+// Destructive bash command patterns (regex)
+export const BLOCKED_COMMAND_PATTERNS = [
+  // Filesystem destruction - only block rm targeting root/home/current dir exactly
+  /^rm\s+(-[rfv]+\s+)*\/\s*$/i, // rm -rf /
+  /^rm\s+(-[rfv]+\s+)*\/\*\s*$/i, // rm -rf /*
+  /^rm\s+(-[rfv]+\s+)*~\s*$/i, // rm -rf ~
+  /^rm\s+(-[rfv]+\s+)*\.\s*$/i, // rm -rf . (exact)
+  /^rm\s+(-[rfv]+\s+)*\.\.\s*$/i, // rm -rf .. (exact)
+]
+
+// Destructive bash commands that should NEVER execute (substring match)
+export const BLOCKED_COMMANDS = [
+  // Filesystem destruction
+  "> /dev/sda",
+  "dd if=/dev/zero",
+  "dd if=/dev/random",
+  "mkfs",
+  "format",
+  ":(){:|:&};:", // fork bomb
+
+  // System compromise
+  "chmod -R 777 /",
+  "chown -R",
+  "passwd",
+  "useradd",
+  "userdel",
+  "visudo",
+
+  // Network attacks
+  "nmap -sS",
+  "hping3",
+  "slowloris",
+
+  // Crypto mining
+  "xmrig",
+  "minerd",
+  "cpuminer",
+]
+
+export interface GuardrailResult {
+  blocked: boolean
+  reason?: string
+  category?: "domain" | "intent" | "command" | "weapon" | "injection"
+}
+
+/**
+ * Check if a URL/domain is blocked
+ */
+export function checkDomain(url: string): GuardrailResult {
+  try {
+    const urlObj = new URL(url.startsWith("http") ? url : `https://${url}`)
+    const hostname = urlObj.hostname.toLowerCase()
+
+    // Check exact match and parent domains
+    const parts = hostname.split(".")
+    for (let i = 0; i < parts.length - 1; i++) {
+      const domain = parts.slice(i).join(".")
+      if (BLOCKED_DOMAINS.has(domain)) {
+        return {
+          blocked: true,
+          reason: `Domain "${domain}" is blocked for security reasons. This appears to be a banking, financial, healthcare, or government site.`,
+          category: "domain",
+        }
+      }
+    }
+  } catch {
+    // Invalid URL, let it through for other validation
+  }
+
+  return { blocked: false }
+}
+
+/**
+ * Check if task description contains malicious intent
+ */
+export function checkIntent(taskDescription: string): GuardrailResult {
+  const normalized = taskDescription.toLowerCase()
+
+  for (const pattern of MALICIOUS_PATTERNS) {
+    if (pattern.test(normalized)) {
+      return {
+        blocked: true,
+        reason: `Task appears to involve malicious activity. RIRD is designed for legitimate automation only.`,
+        category: "intent",
+      }
+    }
+  }
+
+  return { blocked: false }
+}
+
+/**
+ * Check if task contains dangerous/irreversible actions
+ * Blocks: violence, money transfers, mass deletion, credential export
+ * Users warned upfront - no confirmations, just refuses dangerous actions
+ */
+export function checkWeaponUse(taskDescription: string): GuardrailResult {
+  const normalized = taskDescription.toLowerCase()
+
+  for (const pattern of CRITICAL_DANGER_PATTERNS) {
+    if (pattern.test(normalized)) {
+      return {
+        blocked: true,
+        reason: `BLOCKED: This action is dangerous and irreversible. RIRD blocks: violence/weapons, money transfers, mass deletion, and credential export.`,
+        category: "weapon",
+      }
+    }
+  }
+
+  return { blocked: false }
+}
+
+/**
+ * Check for prompt injection attempts
+ * Detects attempts to hijack the agent via malicious instructions
+ */
+export function checkPromptInjection(content: string): GuardrailResult {
+  const normalized = content.toLowerCase()
+
+  for (const pattern of PROMPT_INJECTION_PATTERNS) {
+    if (pattern.test(normalized)) {
+      return {
+        blocked: true,
+        reason: `PROMPT INJECTION DETECTED: Content contains patterns that attempt to override agent instructions. This may be a malicious webpage or document.`,
+        category: "injection",
+      }
+    }
+  }
+
+  return { blocked: false }
+}
+
+/**
+ * Check if bash command is destructive
+ */
+export function checkCommand(command: string): GuardrailResult {
+  const normalized = command.toLowerCase().trim()
+
+  // Check exact pattern matches first (rm commands targeting dangerous paths)
+  for (const pattern of BLOCKED_COMMAND_PATTERNS) {
+    if (pattern.test(normalized)) {
+      return {
+        blocked: true,
+        reason: "Recursive deletion of system directories is blocked.",
+        category: "command",
+      }
+    }
+  }
+
+  // Check substring matches for other dangerous commands
+  for (const blocked of BLOCKED_COMMANDS) {
+    if (normalized.includes(blocked.toLowerCase())) {
+      return {
+        blocked: true,
+        reason: `Command containing "${blocked}" is blocked as potentially destructive.`,
+        category: "command",
+      }
+    }
+  }
+
+  // Block direct disk writes
+  if (/>\s*\/dev\/[sh]d[a-z]/.test(normalized)) {
+    return {
+      blocked: true,
+      reason: "Direct writes to disk devices are blocked.",
+      category: "command",
+    }
+  }
+
+  return { blocked: false }
+}
+
+/**
+ * Run all guardrail checks on a task
+ * Logs all blocked attempts for security audit trail
+ */
+export function validateTask(task: {
+  description?: string
+  url?: string
+  command?: string
+  webContent?: string // Content scraped from web pages
+}): GuardrailResult {
+  const context = {
+    task: task.description,
+    url: task.url,
+    command: task.command,
+    webContent: task.webContent,
+    timestamp: new Date(),
+  }
+
+  // Check for prompt injection in web content FIRST (highest priority)
+  if (task.webContent) {
+    const injectionResult = checkPromptInjection(task.webContent)
+    if (injectionResult.blocked) {
+      logBlockedAttempt(injectionResult, context)
+      return injectionResult
+    }
+  }
+
+  // Check for prompt injection in task description
+  if (task.description) {
+    const injectionResult = checkPromptInjection(task.description)
+    if (injectionResult.blocked) {
+      logBlockedAttempt(injectionResult, context)
+      return injectionResult
+    }
+  }
+
+  // Check for weapon use (violence, stalking, targeting people)
+  if (task.description) {
+    const weaponResult = checkWeaponUse(task.description)
+    if (weaponResult.blocked) {
+      logBlockedAttempt(weaponResult, context)
+      return weaponResult
+    }
+  }
+
+  // Check malicious intent
+  if (task.description) {
+    const intentResult = checkIntent(task.description)
+    if (intentResult.blocked) {
+      logBlockedAttempt(intentResult, context)
+      return intentResult
+    }
+  }
+
+  // Check domain
+  if (task.url) {
+    const domainResult = checkDomain(task.url)
+    if (domainResult.blocked) {
+      logBlockedAttempt(domainResult, context)
+      return domainResult
+    }
+  }
+
+  // Check command
+  if (task.command) {
+    const commandResult = checkCommand(task.command)
+    if (commandResult.blocked) {
+      logBlockedAttempt(commandResult, context)
+      return commandResult
+    }
+  }
+
+  return { blocked: false }
+}
+
+/**
+ * Log blocked attempt (for audit)
+ * Writes to both console and persistent file-based audit log
+ */
+export function logBlockedAttempt(
+  result: GuardrailResult,
+  context: { task?: string; url?: string; command?: string; webContent?: string; timestamp?: Date }
+): void {
+  const timestamp = context.timestamp || new Date()
+  const entry = {
+    timestamp: timestamp.toISOString(),
+    category: result.category,
+    reason: result.reason,
+    task: context.task?.substring(0, 200), // Truncate for privacy but keep enough context
+    url: context.url,
+    command: context.command?.substring(0, 100),
+    webContentPreview: context.webContent?.substring(0, 100), // Brief preview if injection detected
+  }
+
+  // Log to console (visible in terminal)
+  console.warn("[GUARDRAIL BLOCKED]", JSON.stringify(entry))
+
+  // Persistent file-based audit logging
+  try {
+    const logFileName = `security-blocks-${timestamp.toISOString().split("T")[0]}.jsonl`
+    const logFilePath = path.join(SECURITY_LOG_DIR, logFileName)
+
+    // Append to daily log file (JSONL format - one JSON object per line)
+    fs.appendFileSync(logFilePath, JSON.stringify(entry) + "\n", { encoding: "utf-8" })
+  } catch (err) {
+    // If file logging fails, at least console.warn already ran
+    console.warn("[GUARDRAIL] Failed to write audit log:", err instanceof Error ? err.message : err)
+  }
+}
+
+/**
+ * Get path to security audit logs directory
+ * Logs are stored as daily JSONL files: security-blocks-YYYY-MM-DD.jsonl
+ */
+export function getSecurityLogDir(): string {
+  return SECURITY_LOG_DIR
+}
+
+/**
+ * Read recent security blocks from audit log
+ * @param days Number of days to look back (default: 7)
+ * @returns Array of blocked attempt entries
+ */
+export function getRecentSecurityBlocks(days: number = 7): Array<{
+  timestamp: string
+  category: string
+  reason: string
+  task?: string
+  url?: string
+  command?: string
+}> {
+  const entries: Array<any> = []
+
+  try {
+    const files = fs.readdirSync(SECURITY_LOG_DIR)
+      .filter(f => f.startsWith("security-blocks-") && f.endsWith(".jsonl"))
+      .sort()
+      .slice(-days) // Get last N days
+
+    for (const file of files) {
+      try {
+        const content = fs.readFileSync(path.join(SECURITY_LOG_DIR, file), "utf-8")
+        const lines = content.trim().split("\n").filter(Boolean)
+        for (const line of lines) {
+          try {
+            entries.push(JSON.parse(line))
+          } catch {
+            // Skip malformed lines
+          }
+        }
+      } catch {
+        // Skip unreadable files
+      }
+    }
+  } catch {
+    // Directory may not exist yet
+  }
+
+  return entries
+}

package/src/security/index.ts

@@ -0,0 +1,19 @@
+export {
+  checkDomain,
+  checkIntent,
+  checkCommand,
+  checkWeaponUse,
+  checkPromptInjection,
+  validateTask,
+  logBlockedAttempt,
+  getSecurityLogDir,
+  getRecentSecurityBlocks,
+  BLOCKED_DOMAINS,
+  MALICIOUS_PATTERNS,
+  BLOCKED_COMMANDS,
+  BLOCKED_COMMAND_PATTERNS,
+  CRITICAL_DANGER_PATTERNS,
+  WEAPON_ATTACK_PATTERNS,
+  PROMPT_INJECTION_PATTERNS,
+  type GuardrailResult,
+} from "./guardrails"

package/src/server/error.ts

@@ -0,0 +1,36 @@
+import { resolver } from "hono-openapi"
+import z from "zod"
+import { Storage } from "../storage/storage"
+
+export const ERRORS = {
+  400: {
+    description: "Bad request",
+    content: {
+      "application/json": {
+        schema: resolver(
+          z
+            .object({
+              data: z.any(),
+              errors: z.array(z.record(z.string(), z.any())),
+              success: z.literal(false),
+            })
+            .meta({
+              ref: "BadRequestError",
+            }),
+        ),
+      },
+    },
+  },
+  404: {
+    description: "Not found",
+    content: {
+      "application/json": {
+        schema: resolver(Storage.NotFoundError.Schema),
+      },
+    },
+  },
+} as const
+
+export function errors(...codes: number[]) {
+  return Object.fromEntries(codes.map((code) => [code, ERRORS[code as keyof typeof ERRORS]]))
+}

package/src/server/project.ts

@@ -0,0 +1,79 @@
+import { Hono } from "hono"
+import { describeRoute, validator } from "hono-openapi"
+import { resolver } from "hono-openapi"
+import { Instance } from "../project/instance"
+import { Project } from "../project/project"
+import z from "zod"
+import { errors } from "./error"
+
+export const ProjectRoute = new Hono()
+  .get(
+    "/",
+    describeRoute({
+      summary: "List all projects",
+      description: "Get a list of projects that have been opened with RIRD.",
+      operationId: "project.list",
+      responses: {
+        200: {
+          description: "List of projects",
+          content: {
+            "application/json": {
+              schema: resolver(Project.Info.array()),
+            },
+          },
+        },
+      },
+    }),
+    async (c) => {
+      const projects = await Project.list()
+      return c.json(projects)
+    },
+  )
+  .get(
+    "/current",
+    describeRoute({
+      summary: "Get current project",
+      description: "Retrieve the currently active project that RIRD is working with.",
+      operationId: "project.current",
+      responses: {
+        200: {
+          description: "Current project information",
+          content: {
+            "application/json": {
+              schema: resolver(Project.Info),
+            },
+          },
+        },
+      },
+    }),
+    async (c) => {
+      return c.json(Instance.project)
+    },
+  )
+  .patch(
+    "/:projectID",
+    describeRoute({
+      summary: "Update project",
+      description: "Update project properties such as name, icon and color.",
+      operationId: "project.update",
+      responses: {
+        200: {
+          description: "Updated project information",
+          content: {
+            "application/json": {
+              schema: resolver(Project.Info),
+            },
+          },
+        },
+        ...errors(400, 404),
+      },
+    }),
+    validator("param", z.object({ projectID: z.string() })),
+    validator("json", Project.update.schema.omit({ projectID: true })),
+    async (c) => {
+      const projectID = c.req.valid("param").projectID
+      const body = c.req.valid("json")
+      const project = await Project.update({ ...body, projectID })
+      return c.json(project)
+    },
+  )