shellward 0.5.10 → 0.5.11

package/dist/mcp-server.js

@@ -0,0 +1,337 @@
+#!/usr/bin/env npx tsx
+// src/mcp-server.ts — ShellWard MCP Server
+//
+// Exposes ShellWard's 8-layer security engine as an MCP server.
+// Zero dependencies — implements MCP protocol over stdio natively.
+//
+// Usage:
+//   npx tsx src/mcp-server.ts
+//
+// MCP config (claude_desktop_config.json / openclaw settings):
+//   {
+//     "mcpServers": {
+//       "shellward": {
+//         "command": "npx",
+//         "args": ["tsx", "/path/to/shellward/src/mcp-server.ts"]
+//       }
+//     }
+//   }
+import { ShellWard } from './core/engine.js';
+import { readFileSync } from 'fs';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const pkg = JSON.parse(readFileSync(join(__dirname, '../package.json'), 'utf8'));
+// ===== ShellWard Instance =====
+const guard = new ShellWard({
+    mode: process.env.SHELLWARD_MODE || 'enforce',
+    locale: process.env.SHELLWARD_LOCALE || 'auto',
+    autoCheckOnStartup: false,
+    layers: {
+        promptGuard: true,
+        outputScanner: true,
+        toolBlocker: true,
+        inputAuditor: true,
+        securityGate: true,
+        outboundGuard: true,
+        dataFlowGuard: true,
+        sessionGuard: true,
+    },
+    injectionThreshold: Number(process.env.SHELLWARD_THRESHOLD) || 60,
+});
+// ===== Tool Definitions =====
+const TOOLS = [
+    {
+        name: 'check_command',
+        description: 'Check if a shell command is safe to execute. Detects rm -rf, reverse shells, fork bombs, curl|sh, etc.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                command: { type: 'string', description: 'The shell command to check' },
+            },
+            required: ['command'],
+        },
+    },
+    {
+        name: 'check_injection',
+        description: 'Detect prompt injection attempts in text. Supports 32+ rules for Chinese and English, with hidden character detection.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                text: { type: 'string', description: 'Text to scan for injection attempts' },
+                threshold: { type: 'number', description: 'Detection threshold 0-100 (default: 60, lower = stricter)' },
+            },
+            required: ['text'],
+        },
+    },
+    {
+        name: 'scan_data',
+        description: 'Scan text for sensitive data: PII (Chinese ID cards, phone numbers, bank cards), API keys, passwords, private keys, JWT tokens, SSN, credit cards.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                text: { type: 'string', description: 'Text to scan for sensitive data' },
+            },
+            required: ['text'],
+        },
+    },
+    {
+        name: 'check_path',
+        description: 'Check if a file path operation is safe. Protects .env, .ssh/, .aws/credentials, private keys, /etc/passwd, etc.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                path: { type: 'string', description: 'File path to check' },
+                operation: { type: 'string', enum: ['write', 'delete'], description: 'Operation type' },
+            },
+            required: ['path', 'operation'],
+        },
+    },
+    {
+        name: 'check_tool',
+        description: 'Check if a tool name is allowed. Blocks payment/transfer tools, flags exec/shell tools as sensitive.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                tool_name: { type: 'string', description: 'Tool name to check (e.g. "bash", "stripe_charge", "file_read")' },
+            },
+            required: ['tool_name'],
+        },
+    },
+    {
+        name: 'check_response',
+        description: 'Check an AI response for security issues: canary token leaks and sensitive data exposure.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                content: { type: 'string', description: 'Response content to check' },
+            },
+            required: ['content'],
+        },
+    },
+    {
+        name: 'security_status',
+        description: 'Get current ShellWard security status: mode, active layers, detection capabilities.',
+        inputSchema: {
+            type: 'object',
+            properties: {},
+        },
+    },
+];
+// ===== Tool Execution =====
+function executeTool(name, args) {
+    switch (name) {
+        case 'check_command': {
+            const result = guard.checkCommand(String(args.command || ''));
+            return {
+                safe: result.allowed,
+                level: result.level || null,
+                reason: result.reason || null,
+                rule_id: result.ruleId || null,
+            };
+        }
+        case 'check_injection': {
+            const opts = typeof args.threshold === 'number' ? { threshold: args.threshold } : undefined;
+            const result = guard.checkInjection(String(args.text || ''), opts);
+            return {
+                safe: result.safe,
+                score: result.score,
+                threshold: result.threshold,
+                matched_rules: result.matched.map((m) => ({
+                    id: m.id,
+                    name: m.name,
+                    score: m.score,
+                })),
+                hidden_chars: result.hiddenChars,
+            };
+        }
+        case 'scan_data': {
+            const result = guard.scanData(String(args.text || ''));
+            return {
+                has_sensitive_data: result.hasSensitiveData,
+                findings: result.findings.map((f) => ({
+                    type: f.id,
+                    name: f.name,
+                    count: f.count,
+                })),
+                summary: result.summary,
+            };
+        }
+        case 'check_path': {
+            const op = String(args.operation || '');
+            if (op !== 'write' && op !== 'delete') {
+                throw new Error(`Invalid operation: "${op}". Must be "write" or "delete".`);
+            }
+            const result = guard.checkPath(String(args.path || ''), op);
+            return {
+                safe: result.allowed,
+                level: result.level || null,
+                reason: result.reason || null,
+                rule_id: result.ruleId || null,
+            };
+        }
+        case 'check_tool': {
+            const result = guard.checkTool(String(args.tool_name || ''));
+            return {
+                allowed: result.allowed,
+                level: result.level || null,
+                reason: result.reason || null,
+            };
+        }
+        case 'check_response': {
+            const result = guard.checkResponse(String(args.content || ''));
+            return {
+                canary_leak: result.canaryLeak,
+                has_sensitive_data: result.sensitiveData.hasSensitiveData,
+                findings: result.sensitiveData.findings.map(f => ({
+                    type: f.id,
+                    name: f.name,
+                    count: f.count,
+                })),
+            };
+        }
+        case 'security_status': {
+            return {
+                mode: guard.config.mode,
+                locale: guard.locale,
+                injection_threshold: guard.config.injectionThreshold,
+                layers: guard.config.layers,
+                capabilities: [
+                    'command_safety_check (17 dangerous patterns)',
+                    'prompt_injection_detection (32+ rules, zh+en)',
+                    'pii_detection (CN ID/phone/bank + global)',
+                    'path_protection (12 protected patterns)',
+                    'tool_policy (block payment/transfer)',
+                    'response_audit (canary + PII)',
+                    'data_flow_tracking (DLP)',
+                ],
+            };
+        }
+        default:
+            throw new Error(`Unknown tool: ${name}`);
+    }
+}
+// ===== MCP Protocol Handlers =====
+function handleRequest(req) {
+    const { id, method, params } = req;
+    switch (method) {
+        case 'initialize':
+            return {
+                jsonrpc: '2.0',
+                id: id ?? null,
+                result: {
+                    protocolVersion: '2024-11-05',
+                    capabilities: { tools: {} },
+                    serverInfo: {
+                        name: 'shellward',
+                        version: pkg.version,
+                    },
+                },
+            };
+        case 'notifications/initialized':
+            // Client acknowledgement, no response needed
+            return null;
+        case 'tools/list':
+            return {
+                jsonrpc: '2.0',
+                id: id ?? null,
+                result: { tools: TOOLS },
+            };
+        case 'resources/list':
+            return { jsonrpc: '2.0', id: id ?? null, result: { resources: [] } };
+        case 'prompts/list':
+            return { jsonrpc: '2.0', id: id ?? null, result: { prompts: [] } };
+        case 'tools/call': {
+            const toolName = params?.name;
+            const toolArgs = (params?.arguments || {});
+            try {
+                const result = executeTool(toolName, toolArgs);
+                return {
+                    jsonrpc: '2.0',
+                    id: id ?? null,
+                    result: {
+                        content: [
+                            {
+                                type: 'text',
+                                text: JSON.stringify(result, null, 2),
+                            },
+                        ],
+                    },
+                };
+            }
+            catch (err) {
+                return {
+                    jsonrpc: '2.0',
+                    id: id ?? null,
+                    result: {
+                        content: [
+                            {
+                                type: 'text',
+                                text: JSON.stringify({ error: err.message }),
+                            },
+                        ],
+                        isError: true,
+                    },
+                };
+            }
+        }
+        case 'ping':
+            return { jsonrpc: '2.0', id: id ?? null, result: {} };
+        default:
+            // Unknown methods — return error for requests with id, ignore notifications
+            if (id !== undefined) {
+                return {
+                    jsonrpc: '2.0',
+                    id: id ?? null,
+                    error: { code: -32601, message: `Method not found: ${method}` },
+                };
+            }
+            return null;
+    }
+}
+// ===== Stdio Transport =====
+// Use raw Buffer to handle UTF-8 multi-byte characters correctly.
+// Content-Length is in bytes, not characters.
+let rawBuffer = Buffer.alloc(0);
+process.stdin.on('data', (chunk) => {
+    rawBuffer = Buffer.concat([rawBuffer, chunk]);
+    while (true) {
+        const headerEnd = rawBuffer.indexOf('\r\n\r\n');
+        if (headerEnd === -1)
+            break;
+        const header = rawBuffer.slice(0, headerEnd).toString('ascii');
+        const lengthMatch = header.match(/Content-Length:\s*(\d+)/i);
+        if (!lengthMatch) {
+            rawBuffer = rawBuffer.slice(headerEnd + 4);
+            continue;
+        }
+        const contentLength = parseInt(lengthMatch[1], 10);
+        const bodyStart = headerEnd + 4;
+        if (rawBuffer.length < bodyStart + contentLength)
+            break;
+        const body = rawBuffer.slice(bodyStart, bodyStart + contentLength).toString('utf8');
+        rawBuffer = rawBuffer.slice(bodyStart + contentLength);
+        try {
+            const req = JSON.parse(body);
+            const res = handleRequest(req);
+            if (res) {
+                send(res);
+            }
+        }
+        catch {
+            send({
+                jsonrpc: '2.0',
+                id: null,
+                error: { code: -32700, message: 'Parse error' },
+            });
+        }
+    }
+});
+function send(msg) {
+    const body = JSON.stringify(msg);
+    const header = `Content-Length: ${Buffer.byteLength(body)}\r\n\r\n`;
+    process.stdout.write(header + body);
+}
+process.stdin.on('end', () => process.exit(0));
+// Log to stderr so it doesn't interfere with stdio protocol
+process.stderr.write(`[ShellWard MCP] Server started (mode: ${guard.config.mode}, locale: ${guard.locale})\n`);

package/dist/rules/dangerous-commands.d.ts

@@ -0,0 +1,8 @@
+import type { DangerousCommandRule } from '../types.js';
+export declare const DANGEROUS_COMMANDS: DangerousCommandRule[];
+/**
+ * Normalize command string before pattern matching:
+ * - Split on command separators (;, &&, ||, \n) and check each part
+ * - Trim whitespace
+ */
+export declare function splitCommands(cmd: string): string[];

package/dist/rules/dangerous-commands.js

@@ -0,0 +1,113 @@
+// src/rules/dangerous-commands.ts — Shell command blocklist (bilingual)
+export const DANGEROUS_COMMANDS = [
+    {
+        id: 'rm_rf_root',
+        pattern: /rm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+-[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*\s+-[a-zA-Z]*r|-[a-zA-Z]*rf[a-zA-Z]*)\s+[\/~]/i,
+        description_zh: '递归强制删除根目录或用户目录',
+        description_en: 'Recursive force delete on root or home directory',
+    },
+    {
+        id: 'rm_rf_wildcard',
+        pattern: /rm\s+(-[a-zA-Z]*rf|-[a-zA-Z]*fr)\s+\*/i,
+        description_zh: '递归强制删除通配符匹配的所有文件',
+        description_en: 'Recursive force delete with wildcard',
+    },
+    {
+        id: 'mkfs',
+        pattern: /mkfs\b/i,
+        description_zh: '格式化磁盘',
+        description_en: 'Format disk partition',
+    },
+    {
+        id: 'dd_if',
+        pattern: /dd\s+if=/i,
+        description_zh: '低级磁盘操作（可能覆盖磁盘数据）',
+        description_en: 'Low-level disk operation (may overwrite data)',
+    },
+    {
+        id: 'curl_pipe_sh',
+        pattern: /curl\s+[^|]*\|\s*(?:sudo\s+)?(?:ba)?sh/i,
+        description_zh: '从网络下载并直接执行脚本',
+        description_en: 'Download and pipe to shell execution',
+    },
+    {
+        id: 'wget_pipe_sh',
+        pattern: /wget\s+[^|]*\|\s*(?:sudo\s+)?(?:ba)?sh/i,
+        description_zh: '从网络下载并直接执行脚本',
+        description_en: 'Download and pipe to shell execution',
+    },
+    {
+        id: 'dev_write',
+        pattern: />\s*\/dev\/[sh]d[a-z]/i,
+        description_zh: '直接写入磁盘设备',
+        description_en: 'Direct write to disk device',
+    },
+    {
+        id: 'chmod_777',
+        pattern: /chmod\s+(-[a-zA-Z]*\s+)?777(?:\s|$)/i,
+        description_zh: '设置全局可读写可执行权限',
+        description_en: 'Set world-readable/writable/executable permissions',
+    },
+    {
+        id: 'kill_all',
+        pattern: /killall\s+-9|kill\s+-9\s+-1/i,
+        description_zh: '强制终止所有进程',
+        description_en: 'Force kill all processes',
+    },
+    {
+        id: 'iptables_flush',
+        pattern: /iptables\s+-F/i,
+        description_zh: '清空防火墙规则',
+        description_en: 'Flush all firewall rules',
+    },
+    {
+        id: 'history_clear',
+        pattern: /history\s+-c|>\s*~\/\.bash_history|>\s*~\/\.zsh_history/i,
+        description_zh: '清除命令历史（可能是攻击后清痕迹）',
+        description_en: 'Clear command history (potential post-attack cleanup)',
+    },
+    {
+        id: 'fork_bomb',
+        pattern: /:\(\)\s*\{\s*:\|:&\s*\}\s*;?|\.\/[a-z]+\s*&\s*\.\/[a-z]+/i,
+        description_zh: 'Fork 炸弹（耗尽系统资源）',
+        description_en: 'Fork bomb (exhaust system resources)',
+    },
+    {
+        id: 'eval_base64',
+        pattern: /eval\s+.*(?:base64|atob)|base64\s+-d.*\|\s*(?:ba)?sh/i,
+        description_zh: 'Base64 解码后执行（混淆攻击）',
+        description_en: 'Base64 decode and execute (obfuscated attack)',
+    },
+    {
+        id: 'reverse_shell',
+        pattern: /\/dev\/tcp\/|nc\s+-[a-zA-Z]*e\s|ncat\s.*-e\s|bash\s+-i\s+>&\s*\/dev/i,
+        description_zh: '反弹 Shell（远程控制）',
+        description_en: 'Reverse shell (remote control)',
+    },
+    {
+        id: 'crontab_overwrite',
+        pattern: /crontab\s+-r|echo\s+.*>\s*\/var\/spool\/cron/i,
+        description_zh: '覆盖或删除定时任务',
+        description_en: 'Overwrite or remove crontab entries',
+    },
+    {
+        id: 'nc_exfil',
+        pattern: /\|\s*(?:nc|ncat|netcat)\s+\S+\s+\d+/i,
+        description_zh: '通过 netcat 向远程主机传输数据',
+        description_en: 'Pipe data to remote host via netcat',
+    },
+    {
+        id: 'crontab_append',
+        pattern: />>\s*(?:\/etc\/crontab|\/var\/spool\/cron)/i,
+        description_zh: '追加定时任务（可能植入后门）',
+        description_en: 'Append to crontab (potential backdoor)',
+    },
+];
+/**
+ * Normalize command string before pattern matching:
+ * - Split on command separators (;, &&, ||, \n) and check each part
+ * - Trim whitespace
+ */
+export function splitCommands(cmd) {
+    return cmd.split(/\s*(?:;|&&|\|\||[\r\n]+)\s*/).filter(Boolean);
+}

package/dist/rules/injection-en.d.ts

@@ -0,0 +1,2 @@
+import type { InjectionRule } from '../types.js';
+export declare const INJECTION_RULES_EN: InjectionRule[];

package/dist/rules/injection-en.js

@@ -0,0 +1,115 @@
+// src/rules/injection-en.ts — English prompt injection detection rules
+export const INJECTION_RULES_EN = [
+    {
+        id: 'en_ignore_prev',
+        name: 'Ignore previous instructions',
+        pattern: 'ignore\\s+(?:all\\s+)?(?:previous|prior|above|earlier|preceding)\\s+(?:instructions?|rules?|prompts?|guidelines?|constraints?)',
+        flags: 'i',
+        riskScore: 40,
+        category: 'override',
+    },
+    {
+        id: 'en_new_role',
+        name: 'Role hijack',
+        pattern: '(?:you\\s+are\\s+now|from\\s+now\\s+on\\s+you\\s+are|act\\s+as|pretend\\s+(?:to\\s+be|you\\s+are)|imagine\\s+you\\s+are)\\s+(?:a\\s+)?',
+        flags: 'i',
+        riskScore: 35,
+        category: 'role_hijack',
+    },
+    {
+        id: 'en_system_prompt',
+        name: 'System prompt extraction',
+        pattern: '(?:output|print|show|reveal|display|repeat|leak|dump)\\s+(?:your\\s+)?(?:system|initial|original|full)?\\s*(?:prompt|instructions?|rules?|guidelines?)',
+        flags: 'i',
+        riskScore: 30,
+        category: 'exfiltration',
+    },
+    {
+        id: 'en_developer_mode',
+        name: 'Developer/admin mode',
+        pattern: '(?:enter|enable|activate|switch\\s+to)\\s+(?:developer|debug|admin|root|sudo|maintenance|god)\\s+(?:mode|access|privileges?)',
+        flags: 'i',
+        riskScore: 35,
+        category: 'privilege_escalation',
+    },
+    {
+        id: 'en_no_restriction',
+        name: 'Remove restrictions',
+        pattern: '(?:remove|disable|turn\\s+off|bypass|ignore|skip|override|circumvent)\\s+(?:all\\s+)?(?:restrictions?|constraints?|safety|filters?|guardrails?|limitations?|safeguards?)',
+        flags: 'i',
+        riskScore: 40,
+        category: 'override',
+    },
+    {
+        id: 'en_do_anything',
+        name: 'Do Anything Now (DAN)',
+        pattern: '(?:DAN|do\\s+anything\\s+now|jailbreak|uncensored|unfiltered)\\s*(?:mode|prompt)?',
+        flags: 'i',
+        riskScore: 40,
+        category: 'jailbreak',
+    },
+    {
+        id: 'en_boundary_marker',
+        name: 'Boundary marker injection',
+        pattern: '(?:<<|\\[\\[|\\{\\{)\\s*(?:SYSTEM|SYS|END|NEW\\s*INSTRUCTION|OVERRIDE|ADMIN)\\s*(?:>>|\\]\\]|\\}\\})',
+        flags: 'i',
+        riskScore: 30,
+        category: 'injection',
+    },
+    {
+        id: 'en_hidden_instruction',
+        name: 'Hidden instruction marker',
+        pattern: '(?:the\\s+following\\s+is\\s+(?:a\\s+)?)?(?:hidden|secret|real|actual|true)\\s+(?:instruction|command|prompt|directive)',
+        flags: 'i',
+        riskScore: 35,
+        category: 'injection',
+    },
+    {
+        id: 'en_data_exfil',
+        name: 'Data exfiltration',
+        pattern: '(?:send|transmit|upload|forward|post|exfiltrate)\\s+(?:all\\s+)?(?:conversation|chat|messages?|history|data|files?|context)\\s+(?:to|via)',
+        flags: 'i',
+        riskScore: 40,
+        category: 'exfiltration',
+    },
+    {
+        id: 'en_never_refuse',
+        name: 'Never refuse',
+        pattern: '(?:never|do\\s+not|don\'t|cannot|must\\s+not)\\s+(?:refuse|decline|reject|say\\s+no|deny)',
+        flags: 'i',
+        riskScore: 25,
+        category: 'override',
+    },
+    {
+        id: 'en_encode_exfil',
+        name: 'Encoded exfiltration',
+        pattern: '(?:encode|encrypt|convert)\\s+(?:.*?)\\s+(?:in|to|as)\\s+(?:base64|hex|rot13|binary)',
+        flags: 'i',
+        riskScore: 25,
+        category: 'exfiltration',
+    },
+    {
+        id: 'en_markdown_injection',
+        name: 'Markdown image injection',
+        pattern: '!\\[\\s*[^\\]]*\\]\\(https?:\\/\\/[^)]*(?:callback|exfil|webhook|log)',
+        flags: 'i',
+        riskScore: 35,
+        category: 'exfiltration',
+    },
+    {
+        id: 'en_system_override',
+        name: 'System override claim',
+        pattern: '(?:SYSTEM|ADMIN|ROOT)\\s*(?:OVERRIDE|COMMAND|DIRECTIVE|ORDER)',
+        flags: 'i',
+        riskScore: 35,
+        category: 'privilege_escalation',
+    },
+    {
+        id: 'en_authorized_test',
+        name: 'Fake authorized test claim',
+        pattern: '(?:authorized|approved|legitimate)\\s+(?:penetration|security|pen)\\s*(?:test|testing|audit)',
+        flags: 'i',
+        riskScore: 30,
+        category: 'privilege_escalation',
+    },
+];

package/dist/rules/injection-zh.d.ts

@@ -0,0 +1,2 @@
+import type { InjectionRule } from '../types.js';
+export declare const INJECTION_RULES_ZH: InjectionRule[];