safemode 2.0.19 → 2.1.0

package/README.md

@@ -12,12 +12,14 @@ Works with **Claude Code**, **Cursor**, and **Windsurf**. Free and open source (
 
 ## What it blocks
 
-- `rm -rf /` and other destructive shell commands
+- `rm -rf /` and other destructive shell commands (hardcoded, cannot be disabled)
+- Firewall evasion: base64-decoded pipes to shell, hex escapes, python/perl system() one-liners
 - Secrets and API keys leaving your machine
 - PII in tool call parameters
 - Unauthorized git pushes, force operations
 - Package installs with known vulnerabilities
 - Prompt injection attempts in tool outputs
+- Jailbreak attempts to bypass safety controls
 - Runaway loops and cost spikes
 
 ## How it works
@@ -28,10 +30,15 @@ Your prompt → AI Agent → Tool Call → Safe Mode → Allow/Block → System
 
 Every tool call passes through a governance pipeline:
 
-1. **CET Classification** — categorizes the action (read/write/delete/execute/network)
+1. **CET Classification** — decomposes the action into category, action, scope, and risk level
 2. **Rules Engine** — custom rules from your config
-3. **Knob Gate** — preset-based permission checks (19 knob categories)
-4. **15 Detection Engines** — loop detection, secrets scanning, PII detection, command firewall, budget caps, and more
+3. **Knob Gate** — preset-based permission checks (19 categories, 100+ knobs)
+4. **15 Detection Engines** — loop detection, secrets scanning, PII detection, command firewall, prompt injection, jailbreak detection, budget caps, and more
+
+Risk-based engine routing:
+- **Low risk** (reads, ls, git status): 8 counter engines (~2ms)
+- **Medium risk** (npm run, curl, pip install): all 15 engines (~5ms)
+- **High/Critical risk** (rm -rf, sudo, terraform destroy): all 15 engines, sequential with early-stop (~10ms)
 
 The hook runs as an esbuild bundle. Cold start is ~50ms. You won't notice it.
 
@@ -58,7 +65,7 @@ safemode preset <name>
 | Preset | Description |
 |--------|-------------|
 | `yolo` | Log everything, block nothing |
-| `coding` | Block destructive ops, allow reads/writes (default) |
+| `coding` | Block destructive ops, approve file deletes and package installs (default) |
 | `personal` | Block secrets, PII, and destructive ops |
 | `trading` | Strict financial safety — block network, packages, git |
 | `strict` | Block everything that isn't a read |
@@ -79,10 +86,34 @@ safemode phone --telegram      # Set up block notifications
 safemode uninstall             # Remove hooks and restore configs
 ```
 
+## CET Classification
+
+Every shell command is deeply classified, not treated as a black box:
+
+| Command | Category | Action | Risk |
+|---------|----------|--------|------|
+| `ls`, `cat`, `grep` | terminal | read | low |
+| `echo "data" > file.txt` | filesystem | write | medium |
+| `rm file.txt` | filesystem | delete | medium |
+| `rm -rf dist/` | terminal | delete | high |
+| `git status`, `git log` | git | read | low |
+| `git push --force` | git | delete | critical |
+| `npm install lodash` | package | create | medium |
+| `docker run nginx` | container | execute | high |
+| `docker ps` | container | read | low |
+| `kubectl delete pod` | cloud | delete | high |
+| `terraform destroy` | cloud | delete | critical |
+| `terraform plan` | cloud | read | low |
+| `ssh user@host` | network | execute | high |
+| `eval "..."` | terminal | execute | critical |
+| `sudo apt install` | terminal | execute | critical |
+
+Infrastructure tools (Docker, kubectl, Terraform) are differentiated by subcommand — `docker ps` (low) is treated differently from `docker run` (high).
+
 ## False positive? One command.
 
 ```bash
-safemode allow <action> --once     # Allow for this session
+safemode allow <action> --once     # Allow for this session (5 min)
 safemode allow <action> --always   # Allow permanently
 ```
 
@@ -141,10 +172,41 @@ safemode phone --test        # Send a test notification
 | 10 | Secrets Scanner | AWS keys, tokens, passwords |
 | 11 | Prompt Injection | Injection attempts in tool outputs |
 | 12 | Jailbreak | Attempts to bypass safety controls |
-| 13 | Command Firewall | Dangerous shell commands (rm -rf, chmod 777, etc.) |
+| 13 | Command Firewall | Dangerous shell commands (hardcoded, cannot be disabled) |
 | 14 | Budget Cap | Hard estimated spending limit |
 | 15 | Action-Label Mismatch | Tool says "read" but actually writes |
 
+### Command Firewall (Engine 13)
+
+Hardcoded patterns that cannot be disabled by any preset or override:
+
+- Disk destruction: `rm -rf /`, `rm -rf ~/`, `mkfs`, `dd if=/dev/zero`
+- System directories: `rm -rf /usr`, `/var`, `/etc`, `/bin`, `/boot`
+- Fork bombs: `:(){ :|:& };:`
+- Pipe to shell: `curl | bash`, `wget | sh`
+- Permission abuse: `chmod -R 777 /`, `chown -R root:root /`
+- Raw device access: `> /dev/sda`, `> /dev/mem`
+- System file tampering: `> /etc/passwd`, `> /etc/shadow`
+- Reverse shells: `nc -le /bin/bash`, `python -c "import socket"`
+- Evasion attempts: `base64 -d | bash`, `$'\x72\x6d'`, `xxd -r | sh`
+- Dangerous eval: `eval "rm -rf /"`, `eval "curl | bash"`
+- Python/Perl system exec: `python -c "os.system()"`, `perl -e "system()"`
+
+## Scope detection
+
+File paths are classified into scopes that affect risk level:
+
+| Path | Scope | Why |
+|------|-------|-----|
+| `./src/index.ts` | project | Relative path |
+| `/Users/me/project/file.ts` | project | Within project directory |
+| `~/Documents/secret.txt` | user_home | Home directory |
+| `/etc/hosts` | system | System path |
+| `/tmp/scratch.txt` | system | Temp directory |
+| `https://api.example.com` | network | URL |
+
+Writing to `system` scope escalates risk (write → high, delete → critical).
+
 ## Config
 
 Personal config: `~/.safemode/config.yaml`