shellward 0.3.2

package/src/layers/session-guard.ts

@@ -0,0 +1,46 @@
+// src/layers/session-guard.ts — L8: Session lifecycle security
+// Uses: session_end (security summary), subagent_spawning (enforce policies)
+
+import { resolveLocale } from '../types'
+import type { ShellWardConfig } from '../types'
+import type { AuditLog } from '../audit-log'
+
+export function setupSessionGuard(
+  api: any,
+  config: ShellWardConfig,
+  log: AuditLog,
+  enforce: boolean,
+) {
+  const locale = resolveLocale(config)
+
+  // === Session end: generate security summary ===
+  api.on('session_end', () => {
+    log.write({
+      level: 'INFO',
+      layer: 'L8',
+      action: 'detect',
+      detail: locale === 'zh'
+        ? '会话结束 — 安全审计完成'
+        : 'Session ended — security audit complete',
+    })
+  }, { name: 'shellward.session-end', priority: 50 })
+
+  // === Subagent spawning: enforce security policies ===
+  api.on('subagent_spawning', (event: any) => {
+    const mode = event.mode || 'unknown'
+
+    log.write({
+      level: 'MEDIUM',
+      layer: 'L8',
+      action: 'detect',
+      detail: locale === 'zh'
+        ? `子 Agent 创建: mode=${mode}, agentId=${event.agentId || 'unknown'}`
+        : `Subagent spawning: mode=${mode}, agentId=${event.agentId || 'unknown'}`,
+    })
+
+    // In strict mode, could block subagent spawning entirely
+    // For now, just audit
+  }, { name: 'shellward.subagent-guard', priority: 100 })
+
+  api.logger.info('[ShellWard] L8 Session Guard enabled')
+}

package/src/layers/tool-blocker.ts

@@ -0,0 +1,182 @@
+// src/layers/tool-blocker.ts — L3: Block dangerous tool calls via before_tool_call hook
+
+import { DANGEROUS_COMMANDS, splitCommands } from '../rules/dangerous-commands'
+import { PROTECTED_PATHS } from '../rules/protected-paths'
+import { resolveLocale } from '../types'
+import type { ShellWardConfig, ResolvedLocale } from '../types'
+import type { AuditLog } from '../audit-log'
+import { resolve } from 'path'
+
+// Tools that are always blocked (lowercase for case-insensitive matching)
+const BLOCKED_TOOLS = new Set([
+  'payment', 'transfer', 'purchase',
+  'stripe_charge', 'paypal_send',
+])
+
+// Tools that get logged but not blocked (lowercase)
+const SENSITIVE_TOOLS = new Set([
+  'send_email', 'delete_email',
+  'send_message', 'post_tweet',
+  'file_delete', 'skill_install',
+])
+
+// Tool names that execute shell commands (lowercase)
+const EXEC_TOOLS = new Set([
+  'exec', 'shell_exec', 'run_command', 'bash',
+])
+
+export function setupToolBlocker(
+  api: any,
+  config: ShellWardConfig,
+  log: AuditLog,
+  enforce: boolean,
+) {
+  const locale = resolveLocale(config)
+
+  api.on('before_tool_call', (event: any) => {
+    const tool: string = event.toolName || ''
+    const toolLower = tool.toLowerCase()
+    const args: Record<string, any> = event.params || {}
+
+    // 1. Always-blocked tools (case-insensitive)
+    if (BLOCKED_TOOLS.has(toolLower)) {
+      const reason = locale === 'zh'
+        ? `安全策略禁止自动执行: ${tool}`
+        : `Blocked by security policy: ${tool}`
+
+      log.write({
+        level: 'CRITICAL',
+        layer: 'L3',
+        action: enforce ? 'block' : 'detect',
+        detail: reason,
+        tool,
+      })
+
+      if (enforce) {
+        return { block: true, blockReason: `🚫 [ShellWard] ${reason}` }
+      }
+      return
+    }
+
+    // 2. Dangerous shell command detection (case-insensitive tool match)
+    if (EXEC_TOOLS.has(toolLower)) {
+      const rawCmd = args.command ?? args.cmd ?? ''
+      const cmd = typeof rawCmd === 'string' ? rawCmd : ''
+      // Split on command separators to catch chained attacks like "echo hi; rm -rf /"
+      const parts = splitCommands(cmd)
+      for (const part of parts) {
+        const result = checkDangerousCommand(part, locale, tool, log, enforce)
+        if (result) return result
+      }
+    }
+
+    // 3. Protected path detection (normalize path first)
+    const rawPath = String(args.path || args.file_path || args.filename || args.target || '')
+    if (rawPath && isWriteOrDeleteTool(toolLower)) {
+      // Resolve path to prevent ../ traversal bypass
+      const normalizedPath = normalizePath(rawPath)
+      const result = checkProtectedPath(normalizedPath, locale, tool, log, enforce)
+      if (result) return result
+    }
+
+    // 4. Log sensitive tool usage (case-insensitive)
+    if (SENSITIVE_TOOLS.has(toolLower)) {
+      log.write({
+        level: 'MEDIUM',
+        layer: 'L3',
+        action: 'detect',
+        detail: `Sensitive tool used: ${tool}`,
+        tool,
+      })
+    }
+
+  }, { name: 'shellward.tool-blocker', priority: 200 })
+
+  api.logger.info('[ShellWard] L3 Tool Blocker enabled')
+}
+
+function checkDangerousCommand(
+  cmd: string,
+  locale: ResolvedLocale,
+  tool: string,
+  log: AuditLog,
+  enforce: boolean,
+): { block: true; blockReason: string } | undefined {
+  for (const rule of DANGEROUS_COMMANDS) {
+    if (rule.pattern.test(cmd)) {
+      const desc = locale === 'zh' ? rule.description_zh : rule.description_en
+      const reason = locale === 'zh'
+        ? `检测到危险命令: ${truncate(cmd, 80)}\n原因: ${desc}`
+        : `Dangerous command: ${truncate(cmd, 80)}\nReason: ${desc}`
+
+      log.write({
+        level: 'CRITICAL',
+        layer: 'L3',
+        action: enforce ? 'block' : 'detect',
+        detail: reason,
+        tool,
+        pattern: rule.id,
+      })
+
+      if (enforce) {
+        return { block: true, blockReason: `🚫 [ShellWard] ${reason}` }
+      }
+      return
+    }
+  }
+}
+
+function checkProtectedPath(
+  path: string,
+  locale: ResolvedLocale,
+  tool: string,
+  log: AuditLog,
+  enforce: boolean,
+): { block: true; blockReason: string } | undefined {
+  for (const rule of PROTECTED_PATHS) {
+    if (rule.pattern.test(path)) {
+      const desc = locale === 'zh' ? rule.description_zh : rule.description_en
+      const reason = locale === 'zh'
+        ? `禁止操作受保护路径: ${path}\n原因: ${desc}`
+        : `Protected path blocked: ${path}\nReason: ${desc}`
+
+      log.write({
+        level: 'HIGH',
+        layer: 'L3',
+        action: enforce ? 'block' : 'detect',
+        detail: reason,
+        tool,
+        pattern: rule.id,
+      })
+
+      if (enforce) {
+        return { block: true, blockReason: `🚫 [ShellWard] ${reason}` }
+      }
+      return
+    }
+  }
+}
+
+function isWriteOrDeleteTool(toolLower: string): boolean {
+  return /write|delete|remove|overwrite|truncate|edit/.test(toolLower)
+}
+
+/**
+ * Normalize path: resolve ../ traversal, expand ~, lowercase for comparison
+ */
+function normalizePath(p: string): string {
+  // Expand ~ to HOME
+  const expanded = p.startsWith('~')
+    ? p.replace(/^~/, process.env.HOME || '/root')
+    : p
+  // Resolve ../ and ./ sequences
+  try {
+    return resolve(expanded)
+  } catch {
+    return expanded
+  }
+}
+
+function truncate(s: string, max: number): string {
+  return s.length > max ? s.slice(0, max) + '...' : s
+}

package/src/rules/dangerous-commands.ts

@@ -0,0 +1,105 @@
+// src/rules/dangerous-commands.ts — Shell command blocklist (bilingual)
+
+import type { DangerousCommandRule } from '../types'
+
+export const DANGEROUS_COMMANDS: DangerousCommandRule[] = [
+  {
+    id: 'rm_rf_root',
+    pattern: /rm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+-[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*\s+-[a-zA-Z]*r|-[a-zA-Z]*rf[a-zA-Z]*)\s+[\/~]/i,
+    description_zh: '递归强制删除根目录或用户目录',
+    description_en: 'Recursive force delete on root or home directory',
+  },
+  {
+    id: 'rm_rf_wildcard',
+    pattern: /rm\s+(-[a-zA-Z]*rf|-[a-zA-Z]*fr)\s+\*/i,
+    description_zh: '递归强制删除通配符匹配的所有文件',
+    description_en: 'Recursive force delete with wildcard',
+  },
+  {
+    id: 'mkfs',
+    pattern: /mkfs\b/i,
+    description_zh: '格式化磁盘',
+    description_en: 'Format disk partition',
+  },
+  {
+    id: 'dd_if',
+    pattern: /dd\s+if=/i,
+    description_zh: '低级磁盘操作（可能覆盖磁盘数据）',
+    description_en: 'Low-level disk operation (may overwrite data)',
+  },
+  {
+    id: 'curl_pipe_sh',
+    pattern: /curl\s+[^|]*\|\s*(?:sudo\s+)?(?:ba)?sh/i,
+    description_zh: '从网络下载并直接执行脚本',
+    description_en: 'Download and pipe to shell execution',
+  },
+  {
+    id: 'wget_pipe_sh',
+    pattern: /wget\s+[^|]*\|\s*(?:sudo\s+)?(?:ba)?sh/i,
+    description_zh: '从网络下载并直接执行脚本',
+    description_en: 'Download and pipe to shell execution',
+  },
+  {
+    id: 'dev_write',
+    pattern: />\s*\/dev\/[sh]d[a-z]/i,
+    description_zh: '直接写入磁盘设备',
+    description_en: 'Direct write to disk device',
+  },
+  {
+    id: 'chmod_777',
+    pattern: /chmod\s+(-[a-zA-Z]*\s+)?777(?:\s|$)/i,
+    description_zh: '设置全局可读写可执行权限',
+    description_en: 'Set world-readable/writable/executable permissions',
+  },
+  {
+    id: 'kill_all',
+    pattern: /killall\s+-9|kill\s+-9\s+-1/i,
+    description_zh: '强制终止所有进程',
+    description_en: 'Force kill all processes',
+  },
+  {
+    id: 'iptables_flush',
+    pattern: /iptables\s+-F/i,
+    description_zh: '清空防火墙规则',
+    description_en: 'Flush all firewall rules',
+  },
+  {
+    id: 'history_clear',
+    pattern: /history\s+-c|>\s*~\/\.bash_history|>\s*~\/\.zsh_history/i,
+    description_zh: '清除命令历史（可能是攻击后清痕迹）',
+    description_en: 'Clear command history (potential post-attack cleanup)',
+  },
+  {
+    id: 'fork_bomb',
+    pattern: /:\(\)\s*\{\s*:\|:&\s*\}\s*;|\.\/[a-z]+\s*&\s*\.\/[a-z]+/i,
+    description_zh: 'Fork 炸弹（耗尽系统资源）',
+    description_en: 'Fork bomb (exhaust system resources)',
+  },
+  {
+    id: 'eval_base64',
+    pattern: /eval\s+.*(?:base64|atob)|base64\s+-d.*\|\s*(?:ba)?sh/i,
+    description_zh: 'Base64 解码后执行（混淆攻击）',
+    description_en: 'Base64 decode and execute (obfuscated attack)',
+  },
+  {
+    id: 'reverse_shell',
+    pattern: /\/dev\/tcp\/|nc\s+-[a-zA-Z]*e\s|ncat\s.*-e\s|bash\s+-i\s+>&\s*\/dev/i,
+    description_zh: '反弹 Shell（远程控制）',
+    description_en: 'Reverse shell (remote control)',
+  },
+  {
+    id: 'crontab_overwrite',
+    pattern: /crontab\s+-r|echo\s+.*>\s*\/var\/spool\/cron/i,
+    description_zh: '覆盖或删除定时任务',
+    description_en: 'Overwrite or remove crontab entries',
+  },
+]
+
+/**
+ * Normalize command string before pattern matching:
+ * - Split on command separators (;, &&, ||, \n) and check each part
+ * - Trim whitespace
+ */
+export function splitCommands(cmd: string): string[] {
+  return cmd.split(/\s*(?:;|&&|\|\||[\r\n]+)\s*/).filter(Boolean)
+}

package/src/rules/injection-en.ts

@@ -0,0 +1,102 @@
+// src/rules/injection-en.ts — English prompt injection detection rules
+
+import type { InjectionRule } from '../types'
+
+export const INJECTION_RULES_EN: InjectionRule[] = [
+  {
+    id: 'en_ignore_prev',
+    name: 'Ignore previous instructions',
+    pattern: 'ignore\\s+(?:all\\s+)?(?:previous|prior|above|earlier|preceding)\\s+(?:instructions?|rules?|prompts?|guidelines?|constraints?)',
+    flags: 'i',
+    riskScore: 40,
+    category: 'override',
+  },
+  {
+    id: 'en_new_role',
+    name: 'Role hijack',
+    pattern: '(?:you\\s+are\\s+now|from\\s+now\\s+on\\s+you\\s+are|act\\s+as|pretend\\s+(?:to\\s+be|you\\s+are)|imagine\\s+you\\s+are)\\s+(?:a\\s+)?',
+    flags: 'i',
+    riskScore: 35,
+    category: 'role_hijack',
+  },
+  {
+    id: 'en_system_prompt',
+    name: 'System prompt extraction',
+    pattern: '(?:output|print|show|reveal|display|repeat|leak|dump)\\s+(?:your\\s+)?(?:system|initial|original|full)?\\s*(?:prompt|instructions?|rules?|guidelines?)',
+    flags: 'i',
+    riskScore: 30,
+    category: 'exfiltration',
+  },
+  {
+    id: 'en_developer_mode',
+    name: 'Developer/admin mode',
+    pattern: '(?:enter|enable|activate|switch\\s+to)\\s+(?:developer|debug|admin|root|sudo|maintenance|god)\\s+(?:mode|access|privileges?)',
+    flags: 'i',
+    riskScore: 35,
+    category: 'privilege_escalation',
+  },
+  {
+    id: 'en_no_restriction',
+    name: 'Remove restrictions',
+    pattern: '(?:remove|disable|turn\\s+off|bypass|ignore|skip|override|circumvent)\\s+(?:all\\s+)?(?:restrictions?|constraints?|safety|filters?|guardrails?|limitations?|safeguards?)',
+    flags: 'i',
+    riskScore: 40,
+    category: 'override',
+  },
+  {
+    id: 'en_do_anything',
+    name: 'Do Anything Now (DAN)',
+    pattern: '(?:DAN|do\\s+anything\\s+now|jailbreak|uncensored|unfiltered)\\s*(?:mode|prompt)?',
+    flags: 'i',
+    riskScore: 40,
+    category: 'jailbreak',
+  },
+  {
+    id: 'en_boundary_marker',
+    name: 'Boundary marker injection',
+    pattern: '(?:<<|\\[\\[|\\{\\{)\\s*(?:SYSTEM|SYS|END|NEW\\s*INSTRUCTION|OVERRIDE|ADMIN)\\s*(?:>>|\\]\\]|\\}\\})',
+    flags: 'i',
+    riskScore: 30,
+    category: 'injection',
+  },
+  {
+    id: 'en_hidden_instruction',
+    name: 'Hidden instruction marker',
+    pattern: '(?:the\\s+following\\s+is\\s+(?:a\\s+)?)?(?:hidden|secret|real|actual|true)\\s+(?:instruction|command|prompt|directive)',
+    flags: 'i',
+    riskScore: 35,
+    category: 'injection',
+  },
+  {
+    id: 'en_data_exfil',
+    name: 'Data exfiltration',
+    pattern: '(?:send|transmit|upload|forward|post|exfiltrate)\\s+(?:all\\s+)?(?:conversation|chat|messages?|history|data|files?|context)\\s+(?:to|via)',
+    flags: 'i',
+    riskScore: 40,
+    category: 'exfiltration',
+  },
+  {
+    id: 'en_never_refuse',
+    name: 'Never refuse',
+    pattern: '(?:never|do\\s+not|don\'t|cannot|must\\s+not)\\s+(?:refuse|decline|reject|say\\s+no|deny)',
+    flags: 'i',
+    riskScore: 25,
+    category: 'override',
+  },
+  {
+    id: 'en_encode_exfil',
+    name: 'Encoded exfiltration',
+    pattern: '(?:encode|encrypt|convert)\\s+(?:.*?)\\s+(?:in|to|as)\\s+(?:base64|hex|rot13|binary)',
+    flags: 'i',
+    riskScore: 25,
+    category: 'exfiltration',
+  },
+  {
+    id: 'en_markdown_injection',
+    name: 'Markdown image injection',
+    pattern: '!\\[\\s*[^\\]]*\\]\\(https?:\\/\\/[^)]*(?:callback|exfil|webhook|log)',
+    flags: 'i',
+    riskScore: 35,
+    category: 'exfiltration',
+  },
+]

package/src/rules/injection-zh.ts

@@ -0,0 +1,99 @@
+// src/rules/injection-zh.ts — Chinese prompt injection detection rules
+
+import type { InjectionRule } from '../types'
+
+export const INJECTION_RULES_ZH: InjectionRule[] = [
+  {
+    id: 'zh_ignore_prev',
+    name: '忽略之前指令',
+    pattern: '(?:请|你要|现在)?忽略(?:之前|上面|以上|前面|所有)(?:的)?(?:指令|指示|规则|提示|要求|约束)',
+    riskScore: 40,
+    category: 'override',
+  },
+  {
+    id: 'zh_new_role',
+    name: '角色扮演攻击',
+    pattern: '(?:你现在是|你的新身份是|从现在起你是|假装你是|扮演|你是一个)(?:.*?)(?:助手|AI|机器人|黑客|专家)',
+    riskScore: 35,
+    category: 'role_hijack',
+  },
+  {
+    id: 'zh_system_prompt',
+    name: '系统提示窃取',
+    pattern: '(?:输出|显示|打印|告诉我|重复|泄露|展示)(?:你的)?(?:系统|初始|原始)?(?:提示词|system\\s*prompt|指令|规则|约束)',
+    riskScore: 30,
+    category: 'exfiltration',
+  },
+  {
+    id: 'zh_developer_mode',
+    name: '开发者模式',
+    pattern: '(?:进入|启用|开启|切换到)(?:开发者|调试|测试|管理员|root|超级)(?:模式|权限)',
+    riskScore: 35,
+    category: 'privilege_escalation',
+  },
+  {
+    id: 'zh_no_restriction',
+    name: '解除限制',
+    pattern: '(?:取消|移除|去掉|关闭|忽略|跳过|绕过)(?:所有|一切|你的)?(?:限制|约束|安全|过滤|审查|规则)',
+    riskScore: 40,
+    category: 'override',
+  },
+  {
+    id: 'zh_do_not_refuse',
+    name: '禁止拒绝',
+    pattern: '(?:不要|不许|不能|不可以|禁止你)(?:拒绝|拒绝回答|说不|推辞)',
+    riskScore: 25,
+    category: 'override',
+  },
+  {
+    id: 'zh_hidden_instruction',
+    name: '隐藏指令标记',
+    pattern: '(?:以下是|下面是)?(?:隐藏|秘密|真正的|实际的)(?:指令|命令|提示|任务)',
+    riskScore: 35,
+    category: 'injection',
+  },
+  {
+    id: 'zh_output_format_hijack',
+    name: '输出格式劫持',
+    pattern: '(?:只|仅|必须)?(?:输出|回复|返回|回答)(?:以下|如下|这个)(?:内容|文字|文本)',
+    riskScore: 15,
+    category: 'hijack',
+  },
+  {
+    id: 'zh_data_exfil',
+    name: '数据外泄',
+    pattern: '(?:把|将)(?:所有|全部)?(?:对话|聊天|消息|记录|历史|数据|文件)(?:发送|传输|上传|转发)(?:到|给)',
+    riskScore: 40,
+    category: 'exfiltration',
+  },
+  {
+    id: 'zh_boundary_marker',
+    name: '边界标记注入',
+    pattern: '(?:<<|\\[\\[|\\{\\{)\\s*(?:SYSTEM|系统|SYS|END|新指令|NEW)\\s*(?:>>|\\]\\]|\\}\\})',
+    riskScore: 30,
+    category: 'injection',
+  },
+  {
+    id: 'zh_act_as',
+    name: '行为替换',
+    pattern: '(?:请以|用|按照|模仿)(?:.*?)(?:的方式|的口吻|的风格|的身份)(?:回答|回复|说话|输出)',
+    riskScore: 20,
+    category: 'role_hijack',
+  },
+  {
+    id: 'zh_jailbreak',
+    name: '越狱关键词',
+    pattern: '(?:DAN|越狱|jailbreak|无限制模式|do\\s*anything\\s*now)',
+    flags: 'i',
+    riskScore: 40,
+    category: 'jailbreak',
+  },
+  {
+    id: 'zh_xml_tag_injection',
+    name: 'XML/标签注入',
+    pattern: '<\\s*(?:system|instruction|prompt|admin|override|设置|系统|指令)\\s*>',
+    flags: 'i',
+    riskScore: 30,
+    category: 'injection',
+  },
+]

package/src/rules/protected-paths.ts

@@ -0,0 +1,78 @@
+// src/rules/protected-paths.ts — Paths that should not be written/deleted (bilingual)
+
+import type { ProtectedPathRule } from '../types'
+
+export const PROTECTED_PATHS: ProtectedPathRule[] = [
+  {
+    id: 'env_file',
+    pattern: /(?:^|\/)\.env(?:\.[a-zA-Z]+)?$/i,
+    description_zh: '环境变量文件（可能含密钥）',
+    description_en: 'Environment file (may contain secrets)',
+  },
+  {
+    id: 'ssh_dir',
+    pattern: /(?:^|\/)\.ssh\//i,
+    description_zh: 'SSH 密钥目录',
+    description_en: 'SSH key directory',
+  },
+  {
+    id: 'gnupg_dir',
+    pattern: /(?:^|\/)\.gnupg\//i,
+    description_zh: 'GPG 密钥目录',
+    description_en: 'GPG key directory',
+  },
+  {
+    id: 'aws_credentials',
+    pattern: /(?:^|\/)\.aws\/credentials$/i,
+    description_zh: 'AWS 凭证文件',
+    description_en: 'AWS credentials file',
+  },
+  {
+    id: 'kube_config',
+    pattern: /(?:^|\/)\.kube\/config$/i,
+    description_zh: 'Kubernetes 配置（含集群凭证）',
+    description_en: 'Kubernetes config (contains cluster credentials)',
+  },
+  {
+    id: 'docker_config',
+    pattern: /(?:^|\/)\.docker\/config\.json$/i,
+    description_zh: 'Docker 配置（可能含 registry 凭证）',
+    description_en: 'Docker config (may contain registry credentials)',
+  },
+  {
+    id: 'git_credentials',
+    pattern: /(?:^|\/)\.git-credentials$/i,
+    description_zh: 'Git 凭证文件',
+    description_en: 'Git credentials file',
+  },
+  {
+    id: 'npmrc',
+    pattern: /(?:^|\/)\.npmrc$/i,
+    description_zh: 'npm 配置（可能含 registry token）',
+    description_en: 'npm config (may contain registry token)',
+  },
+  {
+    id: 'private_key',
+    pattern: /(?:^|\/)(?:.*\.pem|.*\.key|.*_rsa|.*_ecdsa|.*_ed25519)$/i,
+    description_zh: '私钥文件',
+    description_en: 'Private key file',
+  },
+  {
+    id: 'etc_passwd',
+    pattern: /^\/etc\/(?:passwd|shadow|sudoers)/i,
+    description_zh: '系统认证文件',
+    description_en: 'System authentication file',
+  },
+  {
+    id: 'keychain',
+    pattern: /(?:^|\/)(?:Keychain|keychain|\.keystore|\.jks)$/i,
+    description_zh: '密钥链/密钥库文件',
+    description_en: 'Keychain/keystore file',
+  },
+  {
+    id: 'openclaw_config',
+    pattern: /(?:^|\/)\.openclaw\/(?:config|settings|credentials)/i,
+    description_zh: 'OpenClaw 配置和凭证',
+    description_en: 'OpenClaw config and credentials',
+  },
+]