shellward 0.3.4 → 0.5.0

package/src/rules/injection-zh.ts

@@ -13,7 +13,7 @@ export const INJECTION_RULES_ZH: InjectionRule[] = [
   {
     id: 'zh_new_role',
     name: '角色扮演攻击',
-    pattern: '(?:你现在是|你的新身份是|从现在起你是|假装你是|扮演|你是一个)(?:.*?)(?:助手|AI|机器人|黑客|专家)',
+    pattern: '(?:你现在是|你的新身份是|从现在起你是|假装你是|请?扮演|你是一个|充当)(?:.*?)(?:助手|AI|机器人|黑客|专家|没有限制)',
     riskScore: 35,
     category: 'role_hijack',
   },
@@ -34,7 +34,7 @@ export const INJECTION_RULES_ZH: InjectionRule[] = [
   {
     id: 'zh_no_restriction',
     name: '解除限制',
-    pattern: '(?:取消|移除|去掉|关闭|忽略|跳过|绕过)(?:所有|一切|你的)?(?:限制|约束|安全|过滤|审查|规则)',
+    pattern: '(?:取消|移除|去掉|关闭|忽略|跳过|绕过|忘记|丢弃)(?:之前|所有|一切|你的|以上|前面)*(?:的)?(?:限制|约束|安全|过滤|审查|规则|指令|设定)',
     riskScore: 40,
     category: 'override',
   },
@@ -62,10 +62,38 @@ export const INJECTION_RULES_ZH: InjectionRule[] = [
   {
     id: 'zh_data_exfil',
     name: '数据外泄',
-    pattern: '(?:把|将)(?:所有|全部)?(?:对话|聊天|消息|记录|历史|数据|文件)(?:发送|传输|上传|转发)(?:到|给)',
+    pattern: '(?:把|将)(?:所有|全部)?(?:对话|聊天|消息|记录|历史|数据|文件)(?:的内容|的信息|中的数据)?(?:发送|传输|上传|转发)(?:到|给)',
     riskScore: 40,
     category: 'exfiltration',
   },
+  {
+    id: 'zh_emergency_auth',
+    name: '伪造紧急授权',
+    pattern: '(?:紧急|特别|最高|管理员|系统管理员|超级管理员)(?:的)?(?:授权|许可|批准|命令|指令|权限)',
+    riskScore: 30,
+    category: 'privilege_escalation',
+  },
+  {
+    id: 'zh_force_exec',
+    name: '强制执行指令',
+    pattern: '(?:直接|立即|马上|强制|必须)(?:执行|运行|操作)',
+    riskScore: 20,
+    category: 'override',
+  },
+  {
+    id: 'zh_task_hijack',
+    name: '任务劫持',
+    pattern: '(?:你的)?(?:新|真正的|实际的)(?:任务|目标|使命|工作)(?:是|变成|改为)',
+    riskScore: 40,
+    category: 'role_hijack',
+  },
+  {
+    id: 'zh_send_to_url',
+    name: '发送到外部 URL',
+    pattern: '(?:发送|传输|上传|转发|发)(?:到|给|至)\\s*https?://',
+    riskScore: 35,
+    category: 'exfiltration',
+  },
   {
     id: 'zh_boundary_marker',
     name: '边界标记注入',
@@ -96,4 +124,12 @@ export const INJECTION_RULES_ZH: InjectionRule[] = [
     riskScore: 30,
     category: 'injection',
   },
+  {
+    id: 'zh_mixed_lang_injection',
+    name: '中英混合注入',
+    pattern: '(?:please|pls|now)?\\s*(?:ignore|forget|disregard)\\s+.*(?:指令|规则|之前|以上)|(?:忽略|忘记|跳过).*(?:instruction|rule|prompt|previous)',
+    flags: 'i',
+    riskScore: 40,
+    category: 'override',
+  },
 ]

package/src/rules/sensitive-patterns.ts

@@ -59,7 +59,7 @@ export const SENSITIVE_PATTERNS: SensitivePattern[] = [
   {
     id: 'password',
     name: 'Password',
-    regex: /(?:password|passwd|pwd)\s*[=:]\s*['"]?\S{6,}['"]?/gi,
+    regex: /(?:password|passwd|pwd)\s*[=:]\s*['"]?\S{6,100}['"]?/gi,
     replacement: '[REDACTED:Password]',
   },
   {
@@ -95,7 +95,7 @@ export const SENSITIVE_PATTERNS: SensitivePattern[] = [
   {
     id: 'email',
     name: 'Email Address',
-    regex: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,
+    regex: /[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,10}/g,
     replacement: '[REDACTED:Email]',
   },
   {

package/src/types.ts

@@ -3,6 +3,8 @@
 export interface ShellWardConfig {
   mode: 'enforce' | 'audit'
   locale: 'auto' | 'zh' | 'en'
+  /** 启动时自动检查 OpenClaw 漏洞、插件风险、MCP 配置，发现问题时告警 */
+  autoCheckOnStartup?: boolean
   layers: {
     promptGuard: boolean
     outputScanner: boolean
@@ -21,8 +23,8 @@ export type ResolvedLocale = 'zh' | 'en'
 export interface AuditEntry {
   ts: string
   level: 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW' | 'INFO'
-  layer: 'L1' | 'L2' | 'L3' | 'L4' | 'L5' | 'L6' | 'L7' | 'L8'
-  action: 'block' | 'redact' | 'detect' | 'allow' | 'inject'
+  layer: 'L0' | 'L1' | 'L2' | 'L3' | 'L4' | 'L5' | 'L6' | 'L7' | 'L8'
+  action: 'block' | 'redact' | 'audit' | 'detect' | 'allow' | 'inject' | 'error'
   detail: string
   tool?: string
   pattern?: string
@@ -67,6 +69,7 @@ export interface InjectionRule {
 export const DEFAULT_CONFIG: ShellWardConfig = {
   mode: 'enforce',
   locale: 'auto',
+  autoCheckOnStartup: true,
   layers: {
     promptGuard: true,
     outputScanner: true,
@@ -88,6 +91,6 @@ export function resolveLocale(config: ShellWardConfig): ResolvedLocale {
   if (config.locale === 'zh') return 'zh'
   if (config.locale === 'en') return 'en'
   // auto detection
-  const lang = process.env.LANG || process.env.LANGUAGE || process.env.LC_ALL || ''
-  return /zh/i.test(lang) ? 'zh' : 'en'
+  const lang = process.env.LANG || process.env.LC_ALL || process.env.LC_MESSAGES || process.env.LANGUAGE || ''
+  return /\bzh[_-]|chinese/i.test(lang) ? 'zh' : 'en'
 }

package/src/update-check.ts

@@ -0,0 +1,186 @@
+// src/update-check.ts — Non-blocking version check + remote vulnerability DB
+// Uses only Node.js built-in https module (zero dependencies)
+//
+// Anti-annoyance design:
+// - Network check at most once per 24 hours
+// - Same version update only notified ONCE (dismissed = silenced until next version)
+// - Vuln DB cached 24h, /check-updates always shows latest cache
+// - All network failures are silent and cached to avoid repeated timeouts
+
+import { get } from 'https'
+import { mkdirSync, readFileSync, writeFileSync } from 'fs'
+import { join } from 'path'
+import { getHomeDir } from './utils'
+
+const CACHE_DIR = join(getHomeDir(), '.openclaw', 'shellward')
+const CACHE_FILE = join(CACHE_DIR, 'update-cache.json')
+const VULN_CACHE_FILE = join(CACHE_DIR, 'vuln-db-cache.json')
+const CHECK_INTERVAL_MS = 24 * 60 * 60 * 1000 // 24 hours
+
+// Remote sources
+const NPM_REGISTRY_URL = 'https://registry.npmjs.org/shellward/latest'
+const VULN_DB_URL = 'https://raw.githubusercontent.com/jnMetaCode/shellward/main/vuln-db.json'
+
+interface UpdateCache {
+  lastCheck: number
+  latestVersion: string | null
+  notifiedVersion: string | null  // version user was already notified about — won't repeat
+}
+
+export interface VulnEntry {
+  affectedBelow: string
+  severity: 'CRITICAL' | 'HIGH' | 'MEDIUM'
+  id: string
+  ghsa?: string
+  description_zh: string
+  description_en: string
+}
+
+export interface SupplyChainAlert {
+  id: string
+  severity: 'CRITICAL' | 'HIGH' | 'MEDIUM'
+  date: string
+  description_zh: string
+  description_en: string
+}
+
+/**
+ * Simple HTTPS GET with redirect support. Timeout: 5s.
+ */
+function httpsGet(url: string): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const req = get(url, { timeout: 5000 }, (res) => {
+      if ((res.statusCode === 301 || res.statusCode === 302) && res.headers.location) {
+        get(res.headers.location, { timeout: 5000 }, (res2) => {
+          let data = ''
+          res2.on('data', (chunk: Buffer) => { data += chunk.toString() })
+          res2.on('end', () => resolve(data))
+          res2.on('error', reject)
+        }).on('error', reject)
+        return
+      }
+      if (res.statusCode !== 200) {
+        reject(new Error(`HTTP ${res.statusCode}`))
+        return
+      }
+      let data = ''
+      res.on('data', (chunk: Buffer) => { data += chunk.toString() })
+      res.on('end', () => resolve(data))
+      res.on('error', reject)
+    })
+    req.on('error', reject)
+    req.on('timeout', () => { req.destroy(); reject(new Error('timeout')) })
+  })
+}
+
+/**
+ * Check npm for latest version.
+ *
+ * Returns result with `shouldNotify`:
+ * - true = first time seeing this new version, show the message
+ * - false = already notified for this version, stay quiet
+ * Returns null if check skipped or failed.
+ */
+export async function checkForUpdate(currentVersion: string): Promise<{
+  current: string
+  latest: string
+  updateAvailable: boolean
+  shouldNotify: boolean
+} | null> {
+  try {
+    const cache = readCache<UpdateCache>(CACHE_FILE)
+
+    // Use cached version if within interval
+    let latest: string | null = null
+    if (cache && Date.now() - cache.lastCheck < CHECK_INTERVAL_MS && cache.latestVersion) {
+      latest = cache.latestVersion
+    } else {
+      // Fetch from npm
+      const body = await httpsGet(NPM_REGISTRY_URL)
+      const data = JSON.parse(body)
+      latest = data.version
+      if (!latest || typeof latest !== 'string') return null
+
+      // Save to cache (preserve notifiedVersion)
+      writeCache(CACHE_FILE, {
+        lastCheck: Date.now(),
+        latestVersion: latest,
+        notifiedVersion: cache?.notifiedVersion || null,
+      })
+    }
+
+    const updateAvailable = compareVersions(latest, currentVersion) > 0
+
+    // Determine if we should notify:
+    // Only notify if update available AND we haven't already notified for this exact version
+    const alreadyNotified = cache?.notifiedVersion === latest
+    const shouldNotify = updateAvailable && !alreadyNotified
+
+    // If we're going to notify, mark it so we don't repeat
+    if (shouldNotify) {
+      const freshCache = readCache<UpdateCache>(CACHE_FILE) || { lastCheck: Date.now(), latestVersion: latest, notifiedVersion: null }
+      freshCache.notifiedVersion = latest
+      writeCache(CACHE_FILE, freshCache)
+    }
+
+    return { current: currentVersion, latest, updateAvailable, shouldNotify }
+  } catch {
+    return null
+  }
+}
+
+/**
+ * Fetch remote vulnerability database. Cached 24h. Local fallback on failure.
+ */
+export async function fetchVulnDB(): Promise<{ vulns: VulnEntry[]; alerts: SupplyChainAlert[] }> {
+  try {
+    const cached = readCache<{ lastCheck: number; vulns: VulnEntry[]; alerts: SupplyChainAlert[] }>(VULN_CACHE_FILE)
+    if (cached && Date.now() - cached.lastCheck < CHECK_INTERVAL_MS && cached.vulns) {
+      return { vulns: cached.vulns, alerts: cached.alerts || [] }
+    }
+
+    const body = await httpsGet(VULN_DB_URL)
+    const data = JSON.parse(body)
+    const vulns: VulnEntry[] = Array.isArray(data.vulnerabilities) ? data.vulnerabilities : []
+    const alerts: SupplyChainAlert[] = Array.isArray(data.supplyChainAlerts) ? data.supplyChainAlerts : []
+
+    writeCache(VULN_CACHE_FILE, { lastCheck: Date.now(), vulns, alerts })
+    return { vulns, alerts }
+  } catch {
+    // Cache failure result to avoid repeated timeouts
+    const cached = readCache<{ vulns: VulnEntry[]; alerts: SupplyChainAlert[] }>(VULN_CACHE_FILE)
+    const fallback = { vulns: cached?.vulns || [], alerts: cached?.alerts || [] }
+    writeCache(VULN_CACHE_FILE, { lastCheck: Date.now(), ...fallback })
+    return fallback
+  }
+}
+
+/**
+ * Compare semver-like version strings. Positive if a > b, negative if a < b, 0 if equal.
+ */
+export function compareVersions(a: string, b: string): number {
+  const pa = a.split('.').map(Number)
+  const pb = b.split('.').map(Number)
+  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
+    const diff = (pa[i] || 0) - (pb[i] || 0)
+    if (diff !== 0) return diff
+  }
+  return 0
+}
+
+// ===== Cache helpers =====
+
+function readCache<T>(path: string): T | null {
+  try {
+    return JSON.parse(readFileSync(path, 'utf-8')) as T
+  } catch {
+    return null
+  }
+}
+
+function writeCache(path: string, data: unknown): void {
+  try {
+    mkdirSync(CACHE_DIR, { recursive: true, mode: 0o700 })
+    writeFileSync(path, JSON.stringify(data), { mode: 0o600 })
+  } catch { /* ignore */ }
+}

package/src/utils.ts

@@ -0,0 +1,10 @@
+// src/utils.ts — Cross-platform path helpers
+
+import { homedir } from 'os'
+
+/**
+ * Get user home directory. Works on Windows (USERPROFILE), Linux/macOS (HOME).
+ */
+export function getHomeDir(): string {
+  return homedir() || process.env.HOME || process.env.USERPROFILE || '~'
+}

package/vuln-db.json

@@ -0,0 +1,137 @@
+{
+  "version": 2,
+  "lastUpdated": "2026-03-12T00:00:00Z",
+  "source": "ShellWard Security Team — aggregated from NVD, GitHub Advisories, security research",
+  "vulnerabilities": [
+    {
+      "affectedBelow": "1.0.111",
+      "severity": "HIGH",
+      "id": "CVE-2025-59536",
+      "ghsa": "GHSA-ph6w-f82w-28w6",
+      "description_zh": "远程代码执行：恶意仓库通过 Hooks 和 MCP Server 在信任提示前执行任意命令 (CVSS 8.7)",
+      "description_en": "RCE via Hooks and MCP Server bypass — arbitrary shell execution before trust dialog (CVSS 8.7)"
+    },
+    {
+      "affectedBelow": "2.0.65",
+      "severity": "MEDIUM",
+      "id": "CVE-2026-21852",
+      "ghsa": "GHSA-jh7p-qr78-84p7",
+      "description_zh": "API 密钥泄露：恶意仓库通过 settings.json 设置 ANTHROPIC_BASE_URL 窃取用户 API Key (CVSS 5.3)",
+      "description_en": "API key exfiltration via ANTHROPIC_BASE_URL in settings.json before trust prompt (CVSS 5.3)"
+    },
+    {
+      "affectedBelow": "2026.2.7",
+      "severity": "HIGH",
+      "id": "GHSA-66q4-vfjg-2qhh",
+      "description_zh": "命令注入：通过目录切换绕过文件写入保护",
+      "description_en": "Command injection via directory change bypasses write protection"
+    },
+    {
+      "affectedBelow": "2026.2.7",
+      "severity": "HIGH",
+      "id": "GHSA-mhg7-666j-cqg4",
+      "description_zh": "命令注入：通过管道 sed 命令绕过文件写入限制",
+      "description_en": "Command injection via piped sed command bypasses file write restrictions"
+    },
+    {
+      "affectedBelow": "2026.2.7",
+      "severity": "HIGH",
+      "id": "GHSA-ff64-7w26-62rf",
+      "description_zh": "沙箱逃逸：通过 settings.json 持久化配置注入",
+      "description_en": "Sandbox escape via persistent configuration injection in settings.json"
+    },
+    {
+      "affectedBelow": "2026.2.4",
+      "severity": "HIGH",
+      "id": "GHSA-qgqw-h4xq-7w8w",
+      "description_zh": "命令注入：find 命令绕过用户审批提示",
+      "description_en": "Command injection in find command bypasses user approval prompt"
+    },
+    {
+      "affectedBelow": "2026.2.4",
+      "severity": "HIGH",
+      "id": "GHSA-q728-gf8j-w49r",
+      "description_zh": "路径绕过：通过 ZSH clobber 实现任意文件写入",
+      "description_en": "Path restriction bypass via ZSH clobber allows arbitrary file writes"
+    },
+    {
+      "affectedBelow": "2026.2.4",
+      "severity": "HIGH",
+      "id": "GHSA-vhw5-3g5m-8ggf",
+      "description_zh": "域名验证绕过：自动向攻击者控制的域名发送请求",
+      "description_en": "Domain validation bypass allows automatic requests to attacker-controlled domains"
+    },
+    {
+      "affectedBelow": "1.0.131",
+      "severity": "HIGH",
+      "id": "GHSA-xq4m-mc3c-vvg3",
+      "description_zh": "命令验证绕过：允许执行任意代码",
+      "description_en": "Command validation bypass allows arbitrary code execution"
+    },
+    {
+      "affectedBelow": "1.0.120",
+      "severity": "HIGH",
+      "id": "GHSA-5hhx-v7f6-x7gv",
+      "description_zh": "信任提示前执行命令：启动时即执行恶意代码",
+      "description_en": "Command execution prior to startup trust dialog"
+    },
+    {
+      "affectedBelow": "1.0.120",
+      "severity": "HIGH",
+      "id": "GHSA-7mv8-j34q-vp7q",
+      "description_zh": "sed 命令验证绕过：实现任意文件写入",
+      "description_en": "Sed command validation bypass allows arbitrary file writes"
+    },
+    {
+      "affectedBelow": "1.0.111",
+      "severity": "HIGH",
+      "id": "GHSA-2jjv-qf24-vfm4",
+      "description_zh": "特定 Yarn 版本下插件自动加载导致任意代码执行",
+      "description_en": "Arbitrary code execution via plugin autoloading with specific Yarn versions"
+    },
+    {
+      "affectedBelow": "1.0.102",
+      "severity": "HIGH",
+      "id": "GHSA-j4h9-wv2m-wrf7",
+      "description_zh": "恶意 git email 配置导致任意代码执行",
+      "description_en": "Arbitrary code execution caused by maliciously configured git email"
+    },
+    {
+      "affectedBelow": "1.0.102",
+      "severity": "HIGH",
+      "id": "GHSA-qxfv-fcpc-w36x",
+      "description_zh": "rg 命令注入绕过用户审批提示",
+      "description_en": "Command injection in rg command bypassed user approval prompt"
+    },
+    {
+      "affectedBelow": "1.0.87",
+      "severity": "HIGH",
+      "id": "GHSA-x5gv-jw7f-j6xj",
+      "description_zh": "默认允许列表过于宽松：未授权文件读取和网络外泄",
+      "description_en": "Permissive default allowlist enables unauthorized file read and network exfiltration"
+    },
+    {
+      "affectedBelow": "1.0.82",
+      "severity": "HIGH",
+      "id": "GHSA-x56v-x2h6-7j34",
+      "description_zh": "echo 命令注入绕过用户审批提示",
+      "description_en": "Command injection in echo command bypassed user approval prompt"
+    },
+    {
+      "affectedBelow": "1.0.3",
+      "severity": "HIGH",
+      "id": "GHSA-9f65-56v6-gxw7",
+      "description_zh": "IDE 扩展 WebSocket 接受任意来源连接",
+      "description_en": "IDE extensions allow websocket connections from arbitrary origins"
+    }
+  ],
+  "supplyChainAlerts": [
+    {
+      "id": "SW-ALERT-2026-001",
+      "severity": "HIGH",
+      "date": "2026-02-15",
+      "description_zh": "SANDWORM_MODE 供应链攻击：19 个恶意 npm 包伪装为 Claude Code 等 AI 工具，植入恶意 MCP Server 窃取 SSH 密钥和凭证",
+      "description_en": "SANDWORM_MODE supply chain attack: 19 malicious npm packages impersonating Claude Code and AI tools, deploying rogue MCP servers to exfiltrate SSH keys and credentials"
+    }
+  ]
+}