shellward 0.4.0 → 0.5.1

package/src/index.ts

@@ -1,7 +1,13 @@
-// src/index.ts — ShellWard plugin entry point (v0.4.0)
-// 8 defense layers + 6 slash commands + 1 security skill
-
-import { AuditLog } from './audit-log'
+// src/index.ts — ShellWard: AI Agent Security Middleware
+//
+// Two usage modes:
+//   1. SDK (any platform):  import { ShellWard } from 'shellward'
+//   2. OpenClaw plugin:     import shellward from 'shellward'
+//
+// See docs/定位.md — ShellWard is an AI Agent Security Layer,
+// NOT just an OpenClaw plugin. The core engine is platform-agnostic.
+
+import { ShellWard } from './core/engine'
 import { setupPromptGuard } from './layers/prompt-guard'
 import { setupOutputScanner } from './layers/output-scanner'
 import { setupToolBlocker } from './layers/tool-blocker'
@@ -11,11 +17,15 @@ import { setupOutboundGuard } from './layers/outbound-guard'
 import { setupDataFlowGuard } from './layers/data-flow-guard'
 import { setupSessionGuard } from './layers/session-guard'
 import { registerAllCommands } from './commands/index'
-import { DEFAULT_CONFIG, resolveLocale } from './types'
 import { checkForUpdate } from './update-check'
-import type { ShellWardConfig } from './types'
+import { runAutoCheckOnStartup } from './auto-check'
+
+const CURRENT_VERSION = '0.5.0'
 
-const CURRENT_VERSION = '0.4.0'
+// Re-export core engine for SDK usage
+export { ShellWard } from './core/engine'
+export type { CheckResult, ScanResult, InjectionResult, ResponseCheckResult } from './core/engine'
+export type { ShellWardConfig } from './types'
 
 /**
  * Wrap api.on so every hook handler gets try-catch protection.
@@ -23,7 +33,7 @@ const CURRENT_VERSION = '0.4.0'
  * - before_tool_call: block (deny on error, safer than allow)
  * - other hooks: return undefined (don't break the chain)
  */
-function createSafeApi(api: any, log: AuditLog): any {
+function createSafeApi(api: any, guard: ShellWard): any {
   return {
     ...api,
     on(hookName: string, handler: Function, opts?: any) {
@@ -33,14 +43,13 @@ function createSafeApi(api: any, log: AuditLog): any {
           return handler(event)
         } catch (err: any) {
           const msg = err?.message || String(err)
-          log.write({
+          guard.log.write({
             level: 'CRITICAL',
             layer: 'L0',
             action: 'error',
             detail: `Hook ${opts?.name || hookName} threw: ${msg.slice(0, 200)}`,
           })
           try { api.logger.warn(`[ShellWard] Hook error in ${opts?.name || hookName}: ${msg}`) } catch {}
-          // Fail-safe: block on security hooks, pass on others
           if (isBlockHook) {
             return { block: true, blockReason: `⚠️ [ShellWard] Internal error in security check — operation blocked for safety` }
           }
@@ -52,119 +61,88 @@ function createSafeApi(api: any, log: AuditLog): any {
   }
 }
 
-function mergeConfig(userConfig: Partial<ShellWardConfig> | undefined): ShellWardConfig {
-  if (!userConfig) return { ...DEFAULT_CONFIG }
-
-  // Validate mode
-  const mode = userConfig.mode === 'audit' ? 'audit' : 'enforce'
-
-  // Validate locale
-  const validLocales = ['auto', 'zh', 'en'] as const
-  const locale = validLocales.includes(userConfig.locale as any)
-    ? (userConfig.locale as typeof validLocales[number])
-    : DEFAULT_CONFIG.locale
-
-  // Validate injectionThreshold: clamp to 0-100
-  let threshold = userConfig.injectionThreshold ?? DEFAULT_CONFIG.injectionThreshold
-  threshold = Math.max(0, Math.min(100, Math.round(threshold)))
-
-  return {
-    mode,
-    locale,
-    injectionThreshold: threshold,
-    layers: {
-      ...DEFAULT_CONFIG.layers,
-      ...(userConfig.layers || {}),
-    },
-  }
-}
-
+// OpenClaw plugin entry point
 export default {
   id: 'shellward',
 
   register(api: any) {
-    const config = mergeConfig(api.config)
-    const log = new AuditLog(config)
-    const enforce = config.mode === 'enforce'
-    const locale = resolveLocale(config)
-    const safe = createSafeApi(api, log)
-
-    const modeLabel = locale === 'zh'
-      ? `模式: ${config.mode}`
-      : `mode: ${config.mode}`
-    api.logger.info(`[ShellWard] Security plugin started (${modeLabel})`)
-
-    // === Defense Layers (L1-L8) ===
-    // All layers use `safe` wrapper — hooks get automatic try-catch + fail-safe
-
-    // L1: Prompt Guard (before_prompt_build — prependSystemContext for caching)
-    if (config.layers.promptGuard) {
-      setupPromptGuard(safe, config, log)
+    const guard = new ShellWard(api.config)
+    const enforce = guard.config.mode === 'enforce'
+    const safe = createSafeApi(api, guard)
+
+    const startMsg = guard.locale === 'zh'
+      ? `[ShellWard] AI Agent 安全中间件已启动 (v${CURRENT_VERSION}, 模式: ${guard.config.mode})`
+      : `[ShellWard] AI Agent Security Middleware started (v${CURRENT_VERSION}, mode: ${guard.config.mode})`
+    api.logger.info(startMsg)
+
+    // === Defense Layers (L1-L8) — thin adapters calling core engine ===
+
+    if (guard.config.layers.promptGuard) {
+      setupPromptGuard(safe, guard)
     }
 
-    // L2: Output Scanner (tool_result_persist — redact PII in tool results)
-    if (config.layers.outputScanner) {
-      setupOutputScanner(safe, config, log, enforce)
+    if (guard.config.layers.outputScanner) {
+      setupOutputScanner(safe, guard)
     }
 
-    // L3: Tool Blocker (before_tool_call — block dangerous commands/paths)
-    if (config.layers.toolBlocker) {
-      setupToolBlocker(safe, config, log, enforce)
+    if (guard.config.layers.toolBlocker) {
+      setupToolBlocker(safe, guard, enforce)
     }
 
-    // L4: Input Auditor (before_tool_call + message_received — injection detection)
-    if (config.layers.inputAuditor) {
-      setupInputAuditor(safe, config, log, enforce)
+    if (guard.config.layers.inputAuditor) {
+      setupInputAuditor(safe, guard, enforce)
     }
 
-    // L5: Security Gate (registerTool — defense in depth, uses raw api for registerTool)
-    if (config.layers.securityGate) {
-      setupSecurityGate(api, config, log, enforce)
+    // L5 uses raw api for registerTool (not a hook)
+    if (guard.config.layers.securityGate) {
+      setupSecurityGate(api, guard, enforce)
     }
 
-    // L6: Outbound Guard (message_sending — redact PII in LLM responses + canary detection)
-    if (config.layers.outboundGuard) {
-      setupOutboundGuard(safe, config, log, enforce)
+    if (guard.config.layers.outboundGuard) {
+      setupOutboundGuard(safe, guard, enforce)
     }
 
-    // L7: Data Flow Guard (after_tool_call + before_tool_call — anti-exfiltration)
-    if (config.layers.dataFlowGuard) {
-      setupDataFlowGuard(safe, config, log, enforce)
+    if (guard.config.layers.dataFlowGuard) {
+      setupDataFlowGuard(safe, guard, enforce)
     }
 
-    // L8: Session Guard (session_end + subagent_spawning — lifecycle security)
-    if (config.layers.sessionGuard) {
-      setupSessionGuard(safe, config, log, enforce)
+    if (guard.config.layers.sessionGuard) {
+      setupSessionGuard(safe, guard, enforce)
     }
 
     // === Slash Commands ===
     if (api.registerCommand) {
-      registerAllCommands(api, config)
-      api.logger.info('[ShellWard] 6 commands registered: /security /audit /harden /scan-plugins /check-updates /cg')
+      registerAllCommands(api, guard.config)
+      api.logger.info('[ShellWard] 6 commands registered')
     }
 
-    // Count enabled layers
     const allLayers = ['promptGuard', 'outputScanner', 'toolBlocker', 'inputAuditor', 'securityGate', 'outboundGuard', 'dataFlowGuard', 'sessionGuard']
-    const enabledCount = allLayers.filter(k => (config.layers as any)[k]).length
+    const enabledCount = allLayers.filter(k => (guard.config.layers as any)[k]).length
 
-    api.logger.info(`[ShellWard] ${enabledCount} defense layers active`)
+    const layerMsg = guard.locale === 'zh'
+      ? `[ShellWard] ${enabledCount} 层防御已激活 — 敏感数据审计 | 注入检测 | 外泄拦截`
+      : `[ShellWard] ${enabledCount} defense layers active`
+    api.logger.info(layerMsg)
 
-    log.write({
+    guard.log.write({
       level: 'INFO',
       layer: 'L1',
       action: 'allow',
       detail: `ShellWard v${CURRENT_VERSION} started with ${enabledCount} layers`,
     })
 
-    // === Non-blocking update check (async, won't delay startup) ===
-    // Only notifies ONCE per new version — won't repeat after user has seen it
     checkForUpdate(CURRENT_VERSION).then(result => {
       if (result?.shouldNotify) {
-        const msg = locale === 'zh'
-          ? `[ShellWard] 新版本 v${result.latest} 可用 (当前 v${result.current})。运行 \`openclaw plugins update shellward\` 更新`
-          : `[ShellWard] Update available: v${result.latest} (current v${result.current}). Run \`openclaw plugins update shellward\` to update`
+        const msg = guard.locale === 'zh'
+          ? `[ShellWard] 新版本 v${result.latest} 可用 (当前 v${result.current})`
+          : `[ShellWard] Update available: v${result.latest} (current v${result.current})`
         api.logger.warn(msg)
       }
-    }).catch(() => { /* silently ignore network errors */ })
+    }).catch(() => {})
+
+    // 启动时自动安全检查（OpenClaw 漏洞、插件风险、MCP 配置、root 运行）
+    if (guard.config.autoCheckOnStartup !== false) {
+      runAutoCheckOnStartup(api.logger, guard.locale)
+    }
   },
 }

package/src/layers/data-flow-guard.ts

@@ -1,157 +1,26 @@
-// src/layers/data-flow-guard.ts — L7: Cross-tool data flow tracking
-// Detects: read sensitive file → send via network tool (data exfiltration chain)
-// Uses: after_tool_call (track reads) + before_tool_call (block exfil sends)
+// src/layers/data-flow-guard.ts — L7 OpenClaw Adapter
+// Thin adapter: wires OpenClaw's after_tool_call + before_tool_call hooks to ShellWard core engine
 
-import { PROTECTED_PATHS } from '../rules/protected-paths'
-import { resolveLocale } from '../types'
-import type { ShellWardConfig } from '../types'
-import type { AuditLog } from '../audit-log'
+import type { ShellWard } from '../core/engine'
 
-// Network/outbound tools that could exfiltrate data
-const NETWORK_TOOLS = new Set([
-  'web_fetch', 'http_request', 'web_search',
-  'send_email', 'send_message', 'post_tweet',
-  'message', 'sessions_send',
-])
-
-// Read tools that access local files
-const READ_TOOLS = new Set([
-  'read', 'file_read', 'cat', 'exec', 'bash',
-])
-
-// Package install commands that could run postinstall scripts
-const PKG_INSTALL_PATTERN = /(?:npm|yarn|pnpm)\s+(?:install|add|i)\s|pip\s+install\s|gem\s+install\s/i
-
-// Track sensitive file reads within a session (tool call IDs or content hashes)
-const sensitiveReads: Map<string, { path: string; ts: number }> = new Map()
-const TRACKING_WINDOW_MS = 5 * 60 * 1000 // 5 min window
-const MAX_TRACKED_READS = 500 // Prevent unbounded memory growth
-
-export function setupDataFlowGuard(
-  api: any,
-  config: ShellWardConfig,
-  log: AuditLog,
-  enforce: boolean,
-) {
-  const locale = resolveLocale(config)
-
-  // === Part 1: Track sensitive file reads via after_tool_call ===
+export function setupDataFlowGuard(api: any, guard: ShellWard, enforce: boolean) {
   api.on('after_tool_call', (event: any) => {
     const toolName = String(event.toolName || '').toLowerCase()
     const params = (event.params && typeof event.params === 'object') ? event.params : {}
-    const path = String(params.path || params.file_path || params.filename || '')
+    const path = String(params.path || params.file_path || params.filename || params.target || '')
 
-    if (!READ_TOOLS.has(toolName) || !path) return
-
-    // Check if it's a protected/sensitive path
-    for (const rule of PROTECTED_PATHS) {
-      if (rule.pattern.test(path)) {
-        // Evict oldest entry if at capacity
-        if (sensitiveReads.size >= MAX_TRACKED_READS) {
-          const oldest = sensitiveReads.keys().next().value
-          if (oldest) sensitiveReads.delete(oldest)
-        }
-        const key = `${Date.now()}-${path}`
-        sensitiveReads.set(key, { path, ts: Date.now() })
-
-        log.write({
-          level: 'MEDIUM',
-          layer: 'L7',
-          action: 'detect',
-          detail: locale === 'zh'
-            ? `检测到敏感文件读取: ${path} — 已加入数据流监控`
-            : `Sensitive file read detected: ${path} — added to data flow tracking`,
-          tool: event.toolName,
-          pattern: rule.id,
-        })
-        break
-      }
-    }
-
-    // Cleanup old entries
-    const now = Date.now()
-    for (const [key, val] of sensitiveReads) {
-      if (now - val.ts > TRACKING_WINDOW_MS) {
-        sensitiveReads.delete(key)
-      }
+    if (guard.isReadTool(toolName) && path) {
+      guard.trackFileRead(event.toolName, path)
     }
   }, { name: 'shellward.data-flow-read-tracker', priority: 50 })
 
-  // === Part 2: Block network tool calls if sensitive data was recently read ===
   api.on('before_tool_call', (event: any) => {
-    const toolName = String(event.toolName || '').toLowerCase()
+    const toolName = String(event.toolName || '')
     const params = (event.params && typeof event.params === 'object') ? event.params : {}
 
-    // 2a. Block network tools if sensitive files were recently read
-    if (NETWORK_TOOLS.has(toolName) && sensitiveReads.size > 0) {
-      // Clean up expired entries first
-      const now = Date.now()
-      for (const [key, val] of sensitiveReads) {
-        if (now - val.ts > TRACKING_WINDOW_MS) sensitiveReads.delete(key)
-      }
-
-      if (sensitiveReads.size > 0) {
-        const recentPaths = [...sensitiveReads.values()].map(v => v.path).join(', ')
-        const reason = locale === 'zh'
-          ? `数据外泄风险: 最近读取了敏感文件 (${recentPaths})，禁止调用网络工具 ${event.toolName}`
-          : `Data exfiltration risk: sensitive files recently read (${recentPaths}), blocking network tool ${event.toolName}`
-
-        log.write({
-          level: 'CRITICAL',
-          layer: 'L7',
-          action: enforce ? 'block' : 'detect',
-          detail: reason,
-          tool: event.toolName,
-          pattern: 'data_exfil_chain',
-        })
-
-        if (enforce) {
-          return { block: true, blockReason: `🚫 [ShellWard] ${reason}` }
-        }
-      }
-    }
-
-    // 2b. Check URL parameters in network tools for suspicious patterns
-    if (NETWORK_TOOLS.has(toolName)) {
-      const url = String(params.url || params.to || params.target || '')
-      if (url) {
-        // Block data-in-URL exfiltration patterns
-        if (/[?&](?:data|token|key|secret|password|content)=/i.test(url)) {
-          const reason = locale === 'zh'
-            ? `可疑 URL 参数: ${url.slice(0, 80)} — 可能是数据外泄`
-            : `Suspicious URL params: ${url.slice(0, 80)} — possible data exfiltration`
-
-          log.write({
-            level: 'HIGH',
-            layer: 'L7',
-            action: enforce ? 'block' : 'detect',
-            detail: reason,
-            tool: event.toolName,
-            pattern: 'url_data_exfil',
-          })
-
-          if (enforce) {
-            return { block: true, blockReason: `🚫 [ShellWard] ${reason}` }
-          }
-        }
-      }
-    }
-
-    // 2c. Detect dangerous package installs
-    if (toolName === 'exec' || toolName === 'bash') {
-      const cmd = String(params.command || params.cmd || '')
-      if (PKG_INSTALL_PATTERN.test(cmd)) {
-        log.write({
-          level: 'MEDIUM',
-          layer: 'L7',
-          action: 'detect',
-          detail: locale === 'zh'
-            ? `检测到包安装命令: ${cmd.slice(0, 80)} — 注意供应链安全`
-            : `Package install detected: ${cmd.slice(0, 80)} — supply chain risk`,
-          tool: event.toolName,
-          pattern: 'pkg_install',
-        })
-      }
+    const result = guard.checkOutbound(toolName, params)
+    if (!result.allowed && enforce) {
+      return { block: true, blockReason: `🚫 [ShellWard] ${result.reason}` }
     }
   }, { name: 'shellward.data-flow-egress', priority: 250 })
 

package/src/layers/input-auditor.ts

@@ -1,171 +1,32 @@
-// src/layers/input-auditor.ts — L4: Injection detection + message audit via before_tool_call + message_received
+// src/layers/input-auditor.ts — L4 OpenClaw Adapter
+// Thin adapter: wires OpenClaw's before_tool_call + message_received hooks to ShellWard core engine
 
-import { INJECTION_RULES_ZH } from '../rules/injection-zh'
-import { INJECTION_RULES_EN } from '../rules/injection-en'
-import { resolveLocale } from '../types'
-import type { ShellWardConfig, InjectionRule, ResolvedLocale } from '../types'
-import type { AuditLog } from '../audit-log'
+import type { ShellWard } from '../core/engine'
 
-interface CompiledRule extends InjectionRule {
-  compiled: RegExp
-}
-
-// Text fields to extract from tool arguments for scanning
-const TEXT_FIELDS = [
-  'content', 'body', 'text', 'message', 'query',
-  'command', 'code', 'html', 'url', 'prompt',
-  'subject', 'description', 'input',
-]
-
-// Hidden/invisible Unicode character ranges
-const HIDDEN_CHAR_RANGES: [number, number, string][] = [
-  [0x200B, 0x200F, 'Zero-width/Direction'],
-  [0x2028, 0x2029, 'Line/Paragraph separator'],
-  [0x202A, 0x202E, 'Bidi control'],
-  [0x2060, 0x2064, 'Invisible operators'],
-  [0xFEFF, 0xFEFF, 'BOM/Zero-width no-break'],
-  [0x00AD, 0x00AD, 'Soft hyphen'],
-  [0xFFF9, 0xFFFB, 'Interlinear annotation'],
-]
-
-export function setupInputAuditor(
-  api: any,
-  config: ShellWardConfig,
-  log: AuditLog,
-  enforce: boolean,
-) {
-  const locale = resolveLocale(config)
-  const allRules = [...INJECTION_RULES_ZH, ...INJECTION_RULES_EN]
-  const compiled: CompiledRule[] = allRules.map(rule => ({
-    ...rule,
-    compiled: new RegExp(rule.pattern, rule.flags || 'i'),
-  }))
-
-  // Hook 1: Check tool call arguments for injection
+export function setupInputAuditor(api: any, guard: ShellWard, enforce: boolean) {
   api.on('before_tool_call', (event: any) => {
     const args: Record<string, any> = (event.params && typeof event.params === 'object') ? event.params : {}
-    const texts = extractTexts(args)
+    const texts = guard.extractTextFields(args)
     if (texts.length === 0) return
 
+    const toolName = String(event.toolName || '')
+    const threshold = guard.getInjectionThreshold(toolName)
     const fullText = texts.join('\n')
-    return checkInjection(fullText, event.toolName, locale, compiled, config, log, enforce)
+    const result = guard.checkInjection(fullText, { source: toolName, threshold })
+
+    if (!result.safe && enforce) {
+      const reason = guard.locale === 'zh'
+        ? `检测到可能的提示词注入攻击!\n风险评分: ${result.score}/100\n匹配规则: ${result.matched.map(m => m.name).join(', ')}`
+        : `Potential prompt injection detected!\nRisk score: ${result.score}/100\nMatched: ${result.matched.map(m => m.name).join(', ')}`
+      return { block: true, blockReason: `⚠️ [ShellWard] ${reason}` }
+    }
   }, { name: 'shellward.input-auditor', priority: 300 })
 
-  // Hook 2: Audit inbound messages
   api.on('message_received', (event: any) => {
     const content = typeof event.content === 'string' ? event.content : ''
     if (!content) return
-
-    // Detect hidden characters
-    const hidden = detectHiddenChars(content)
-    if (hidden.length > 0) {
-      log.write({
-        level: 'MEDIUM',
-        layer: 'L4',
-        action: 'detect',
-        detail: `Hidden characters detected in message: ${hidden.map(h => h.name).join(', ')} (${hidden.length} chars)`,
-      })
-    }
-
-    // Check for injection patterns (log only, don't block messages)
-    const { score, matched } = scoreText(content, compiled)
-    if (score >= config.injectionThreshold) {
-      log.write({
-        level: score >= 80 ? 'CRITICAL' : 'HIGH',
-        layer: 'L4',
-        action: 'detect',
-        detail: locale === 'zh'
-          ? `消息中检测到注入模式 (评分: ${score}): ${matched.map(m => m.name).join(', ')}`
-          : `Injection patterns in message (score: ${score}): ${matched.map(m => m.name).join(', ')}`,
-      })
-    }
+    guard.checkInjection(content, { source: 'message' })
   }, { name: 'shellward.message-auditor', priority: 100 })
 
-  api.logger.info(`[ShellWard] L4 Input Auditor enabled (${compiled.length} injection rules)`)
-}
-
-function checkInjection(
-  text: string,
-  tool: string,
-  locale: ResolvedLocale,
-  rules: CompiledRule[],
-  config: ShellWardConfig,
-  log: AuditLog,
-  enforce: boolean,
-): { block: true; blockReason: string } | undefined {
-  // Hidden char detection
-  const hidden = detectHiddenChars(text)
-  if (hidden.length > 0) {
-    log.write({
-      level: 'MEDIUM',
-      layer: 'L4',
-      action: 'detect',
-      detail: `Hidden chars in tool args: ${hidden.map(h => h.name).join(', ')}`,
-      tool,
-    })
-  }
-
-  // Score injection rules
-  let { score, matched } = scoreText(text, rules)
-
-  // Bonus for hidden chars (potential obfuscation)
-  if (hidden.length > 3) {
-    score += 20
-  }
-
-  if (score < config.injectionThreshold) return
-
-  const reason = locale === 'zh'
-    ? `检测到可能的提示词注入攻击!\n风险评分: ${score}/100\n匹配规则: ${matched.map(m => m.name).join(', ')}`
-    : `Potential prompt injection detected!\nRisk score: ${score}/100\nMatched: ${matched.map(m => m.name).join(', ')}`
-
-  log.write({
-    level: score >= 80 ? 'CRITICAL' : 'HIGH',
-    layer: 'L4',
-    action: enforce ? 'block' : 'detect',
-    detail: reason,
-    tool,
-  })
-
-  if (enforce) {
-    return { block: true, blockReason: `⚠️ [ShellWard] ${reason}` }
-  }
-}
-
-function scoreText(text: string, rules: CompiledRule[]): { score: number; matched: { id: string; name: string; score: number }[] } {
-  let score = 0
-  const matched: { id: string; name: string; score: number }[] = []
-
-  for (const rule of rules) {
-    if (rule.compiled.test(text)) {
-      score += rule.riskScore
-      matched.push({ id: rule.id, name: rule.name, score: rule.riskScore })
-    }
-  }
-
-  return { score, matched }
-}
-
-function extractTexts(args: Record<string, any>): string[] {
-  const results: string[] = []
-  for (const field of TEXT_FIELDS) {
-    if (typeof args[field] === 'string' && args[field].length > 0) {
-      results.push(args[field])
-    }
-  }
-  return results
-}
-
-function detectHiddenChars(text: string): { char: string; codePoint: number; name: string }[] {
-  const found: { char: string; codePoint: number; name: string }[] = []
-  for (const char of text) {
-    const cp = char.codePointAt(0)!
-    for (const [start, end, name] of HIDDEN_CHAR_RANGES) {
-      if (cp >= start && cp <= end) {
-        found.push({ char, codePoint: cp, name })
-        break
-      }
-    }
-  }
-  return found
+  api.logger.info(`[ShellWard] L4 Input Auditor enabled`)
 }

package/src/layers/outbound-guard.ts

@@ -1,66 +1,23 @@
-// src/layers/outbound-guard.ts — L6: Redact secrets from LLM responses + detect canary leaks
-// Uses message_sending hook to inspect outbound messages before they reach the user
+// src/layers/outbound-guard.ts — L6 OpenClaw Adapter
+// Thin adapter: wires OpenClaw's message_sending hook to ShellWard core engine
 
-import { redactSensitive } from '../rules/sensitive-patterns'
-import { getCanaryToken } from './prompt-guard'
-import { resolveLocale } from '../types'
-import type { ShellWardConfig } from '../types'
-import type { AuditLog } from '../audit-log'
-
-export function setupOutboundGuard(
-  api: any,
-  config: ShellWardConfig,
-  log: AuditLog,
-  enforce: boolean,
-) {
-  const locale = resolveLocale(config)
+import type { ShellWard } from '../core/engine'
 
+export function setupOutboundGuard(api: any, guard: ShellWard, enforce: boolean) {
   api.on('message_sending', (event: any) => {
     const content = event.content
     if (!content || typeof content !== 'string') return undefined
 
-    // 1. Check for canary token leak (system prompt exfiltration)
-    const canary = getCanaryToken()
-    if (canary && content.includes(canary)) {
-      log.write({
-        level: 'CRITICAL',
-        layer: 'L6',
-        action: 'block',
-        detail: locale === 'zh'
-          ? '检测到系统提示词泄露！Canary token 出现在输出中'
-          : 'System prompt exfiltration detected! Canary token found in output',
-        pattern: 'canary_leak',
-      })
-      if (enforce) {
-        const warning = locale === 'zh'
-          ? '⚠️ [ShellWard] 检测到安全异常，本次回复已被拦截。可能存在提示词注入攻击。'
-          : '⚠️ [ShellWard] Security anomaly detected, this response was blocked. Possible prompt injection attack.'
-        return { content: warning }
-      }
-    }
-
-    // 2. Redact sensitive data from LLM response text
-    const [redacted, findings] = redactSensitive(content)
-    if (findings.length === 0) return undefined
+    const result = guard.checkResponse(content)
 
-    for (const f of findings) {
-      log.write({
-        level: 'HIGH',
-        layer: 'L6',
-        action: enforce ? 'redact' : 'detect',
-        detail: `${f.name}: ${f.count} occurrence(s) in outbound message`,
-        pattern: f.id,
-      })
+    if (result.canaryLeak && enforce) {
+      const warning = guard.locale === 'zh'
+        ? '⚠️ [ShellWard] 检测到安全异常，本次回复已被拦截。可能存在提示词注入攻击。'
+        : '⚠️ [ShellWard] Security anomaly detected, this response was blocked. Possible prompt injection attack.'
+      return { content: warning }
     }
 
-    if (!enforce) return undefined
-
-    const summary = findings.map(f => `${f.name}(${f.count})`).join(', ')
-    const notice = locale === 'zh'
-      ? `\n\n⚠️ [ShellWard] 回复中的敏感信息已自动脱敏: ${summary}`
-      : `\n\n⚠️ [ShellWard] Sensitive data in response auto-redacted: ${summary}`
-
-    return { content: redacted + notice }
+    return undefined
   }, { name: 'shellward.outbound-guard', priority: 100 })
 
   api.logger.info('[ShellWard] L6 Outbound Guard enabled')