shellward 0.5.3 → 0.5.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/package.json +1 -1
  2. package/src/layers/data-flow-guard.ts +4 -64
  3. package/src/layers/input-auditor.ts +5 -7
  4. package/src/layers/outbound-guard.ts +4 -6
  5. package/src/layers/session-guard.ts +8 -19
  6. package/src/layers/tool-blocker.ts +1 -33
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "shellward",
3
- "version": "0.5.3",
3
+ "version": "0.5.4",
4
4
  "description": "AI Agent Security Middleware — 8-layer defense against prompt injection, data exfiltration & dangerous commands. DLP model: use data freely, block external leaks. Zero dependencies. SDK + OpenClaw plugin. Supports LangChain, AutoGPT, Claude Code, Cursor, OpenAI Agents.",
5
5
  "keywords": [
6
6
  "shellward",
package/src/layers/data-flow-guard.ts CHANGED
@@ -1,15 +1,11 @@
1
1
  // src/layers/data-flow-guard.ts — L7 OpenClaw Adapter
2
2
  // Thin adapter: wires OpenClaw hooks to ShellWard core engine for data flow tracking
3
- // Compat: uses tool_result_persist as fallback when after_tool_call/before_tool_call unavailable
4
3
 
5
4
  import type { ShellWard } from '../core/engine'
6
5
 
7
6
  export function setupDataFlowGuard(api: any, guard: ShellWard, enforce: boolean) {
8
- let hasReadTracker = false
9
- let hasEgressBlock = false
10
-
11
- // Primary read tracker: after_tool_call
12
- hasReadTracker = api.on('after_tool_call', (event: any) => {
7
+ // Track file reads via after_tool_call
8
+ api.on('after_tool_call', (event: any) => {
13
9
  const toolName = String(event.toolName || '').toLowerCase()
14
10
  const params = (event.params && typeof event.params === 'object') ? event.params : {}
15
11
  const path = String(params.path || params.file_path || params.filename || params.target || '')
@@ -19,8 +15,8 @@ export function setupDataFlowGuard(api: any, guard: ShellWard, enforce: boolean)
19
15
  }
20
16
  }, { name: 'shellward.data-flow-read-tracker', priority: 50 })
21
17
 
22
- // Primary egress block: before_tool_call
23
- hasEgressBlock = api.on('before_tool_call', (event: any) => {
18
+ // Block outbound sends when sensitive data was recently accessed
19
+ api.on('before_tool_call', (event: any) => {
24
20
  const toolName = String(event.toolName || '')
25
21
  const params = (event.params && typeof event.params === 'object') ? event.params : {}
26
22
 
@@ -30,61 +26,5 @@ export function setupDataFlowGuard(api: any, guard: ShellWard, enforce: boolean)
30
26
  }
31
27
  }, { name: 'shellward.data-flow-egress', priority: 250 })
32
28
 
33
- // Fallback: tool_result_persist for both read tracking and egress detection
34
- // When after_tool_call/before_tool_call are unavailable, we use tool_result_persist
35
- // which fires for every tool result before it's persisted to transcript
36
- if (!hasReadTracker || !hasEgressBlock) {
37
- api.on('tool_result_persist', (event: any) => {
38
- const msg = event.message
39
- if (!msg) return undefined
40
- const toolName = String(msg.toolName || '')
41
- if (!toolName) return undefined
42
- const toolLower = toolName.toLowerCase()
43
-
44
- // Fallback read tracking: scan tool results for PII to detect sensitive data access
45
- // The L2 output-scanner already does scanData() which calls markSensitiveData()
46
- // So read tracking is covered. Here we also track file reads by tool name.
47
- if (!hasReadTracker && guard.isReadTool(toolLower)) {
48
- // We don't have the file path from tool_result_persist,
49
- // but L2's scanData already marks sensitive data when PII is found in results
50
- guard.log.write({
51
- level: 'INFO',
52
- layer: 'L7',
53
- action: 'detect',
54
- detail: `Read tool executed: ${toolName} (tracking via result scan)`,
55
- tool: toolName,
56
- })
57
- }
58
-
59
- // Fallback egress detection: check if an outbound tool was used after sensitive data
60
- if (!hasEgressBlock) {
61
- // We can't block here (tool already ran), but we detect and log
62
- const fakeParams: Record<string, any> = {}
63
- const result = guard.checkOutbound(toolName, fakeParams)
64
- if (!result.allowed) {
65
- guard.log.write({
66
- level: 'CRITICAL',
67
- layer: 'L7',
68
- action: 'detect',
69
- detail: guard.locale === 'zh'
70
- ? `⚠️ 数据外泄检测 (无法前置拦截): ${toolName} 在访问敏感数据后执行了外发操作`
71
- : `⚠️ Data exfiltration detected (pre-block unavailable): ${toolName} sent data after sensitive access`,
72
- tool: toolName,
73
- pattern: 'data_exfil_chain',
74
- })
75
- }
76
- }
77
-
78
- return undefined
79
- }, { name: 'shellward.data-flow-fallback', priority: 90 })
80
-
81
- if (!hasReadTracker) {
82
- api.logger.warn('[ShellWard] L7 Data Flow Guard: after_tool_call unavailable, using result-based tracking')
83
- }
84
- if (!hasEgressBlock) {
85
- api.logger.warn('[ShellWard] L7 Data Flow Guard: before_tool_call unavailable, using post-execution detection')
86
- }
87
- }
88
-
89
29
  api.logger.info('[ShellWard] L7 Data Flow Guard enabled')
90
30
  }
package/src/layers/input-auditor.ts CHANGED
@@ -1,6 +1,6 @@
1
1
  // src/layers/input-auditor.ts — L4 OpenClaw Adapter
2
2
  // Thin adapter: wires OpenClaw hooks to ShellWard core engine for injection detection
3
- // Compat: supports both old (message_received) and new (message:received) hook names
3
+ // Compat: registers all known hook name variants OpenClaw silently ignores unknown ones
4
4
 
5
5
  import type { ShellWard } from '../core/engine'
6
6
 
@@ -24,18 +24,16 @@ export function setupInputAuditor(api: any, guard: ShellWard, enforce: boolean)
24
24
  }
25
25
  }, { name: 'shellward.input-auditor', priority: 300 })
26
26
 
27
- // Message scanning: try both OpenClaw hook naming conventions
27
+ // Message scanning: register ALL known naming conventions
28
+ // OpenClaw silently ignores unknown hooks (no error thrown), so register all variants
28
29
  const messageHandler = (event: any) => {
29
30
  const content = typeof event.content === 'string' ? event.content : ''
30
31
  if (!content) return
31
32
  guard.checkInjection(content, { source: 'message' })
32
33
  }
33
34
 
34
- // Try new-style colon-separated hook name first, then legacy underscore style
35
- const registered = api.on('message:received', messageHandler, { name: 'shellward.message-auditor', priority: 100 })
36
- if (!registered) {
37
- api.on('message_received', messageHandler, { name: 'shellward.message-auditor', priority: 100 })
38
- }
35
+ api.on('message_received', messageHandler, { name: 'shellward.message-auditor', priority: 100 })
36
+ api.on('message:received', messageHandler, { name: 'shellward.message-auditor-v2', priority: 100 })
39
37
 
40
38
  api.logger.info(`[ShellWard] L4 Input Auditor enabled`)
41
39
  }
package/src/layers/outbound-guard.ts CHANGED
@@ -1,6 +1,6 @@
1
1
  // src/layers/outbound-guard.ts — L6 OpenClaw Adapter
2
2
  // Thin adapter: wires OpenClaw hooks to ShellWard core engine for outbound response scanning
3
- // Compat: supports both old (message_sending) and new (message:sent) hook names
3
+ // Compat: registers all known hook name variants
4
4
 
5
5
  import type { ShellWard } from '../core/engine'
6
6
 
@@ -21,11 +21,9 @@ export function setupOutboundGuard(api: any, guard: ShellWard, enforce: boolean)
21
21
  return undefined
22
22
  }
23
23
 
24
- // Try new-style hook name first, then legacy
25
- const registered = api.on('message:sent', handler, { name: 'shellward.outbound-guard', priority: 100 })
26
- if (!registered) {
27
- api.on('message_sending', handler, { name: 'shellward.outbound-guard', priority: 100 })
28
- }
24
+ // Register ALL known naming conventions OpenClaw silently ignores unknown ones
25
+ api.on('message_sending', handler, { name: 'shellward.outbound-guard', priority: 100 })
26
+ api.on('message:sent', handler, { name: 'shellward.outbound-guard-v2', priority: 100 })
29
27
 
30
28
  api.logger.info('[ShellWard] L6 Outbound Guard enabled')
31
29
  }
package/src/layers/session-guard.ts CHANGED
@@ -1,11 +1,10 @@
1
1
  // src/layers/session-guard.ts — L8 OpenClaw Adapter
2
2
  // Thin adapter: wires OpenClaw hooks to ShellWard core engine for session monitoring
3
- // Compat: supports multiple hook naming conventions and graceful degradation
3
+ // Compat: registers all known hook name variants
4
4
 
5
5
  import type { ShellWard } from '../core/engine'
6
6
 
7
7
  export function setupSessionGuard(api: any, guard: ShellWard, enforce: boolean) {
8
- // Session end: try new-style, then legacy, then command-based
9
8
  const sessionEndHandler = () => {
10
9
  guard.log.write({
11
10
  level: 'INFO',
@@ -17,16 +16,11 @@ export function setupSessionGuard(api: any, guard: ShellWard, enforce: boolean)
17
16
  })
18
17
  }
19
18
 
20
- let registered = api.on('session:end', sessionEndHandler, { name: 'shellward.session-end', priority: 50 })
21
- if (!registered) {
22
- registered = api.on('session_end', sessionEndHandler, { name: 'shellward.session-end', priority: 50 })
23
- }
24
- if (!registered) {
25
- // Fallback: listen for command:new (session reset) as a proxy
26
- api.on('command:new', sessionEndHandler, { name: 'shellward.session-end-fallback', priority: 50 })
27
- }
19
+ // Register ALL known naming conventions for session end
20
+ api.on('session_end', sessionEndHandler, { name: 'shellward.session-end', priority: 50 })
21
+ api.on('session:end', sessionEndHandler, { name: 'shellward.session-end-v2', priority: 50 })
22
+ api.on('command:new', sessionEndHandler, { name: 'shellward.session-end-fallback', priority: 50 })
28
23
 
29
- // Subagent monitoring: try multiple naming conventions
30
24
  const subagentHandler = (event: any) => {
31
25
  const mode = event.mode || 'unknown'
32
26
  guard.log.write({
@@ -39,14 +33,9 @@ export function setupSessionGuard(api: any, guard: ShellWard, enforce: boolean)
39
33
  })
40
34
  }
41
35
 
42
- // Try ContextEngine-style hook, then legacy
43
- let subRegistered = api.on('subagent:spawning', subagentHandler, { name: 'shellward.subagent-guard', priority: 100 })
44
- if (!subRegistered) {
45
- subRegistered = api.on('subagent_spawning', subagentHandler, { name: 'shellward.subagent-guard', priority: 100 })
46
- }
47
- if (!subRegistered) {
48
- api.logger.warn('[ShellWard] L8 Session Guard: subagent hooks unavailable, subagent monitoring disabled')
49
- }
36
+ // Register ALL known naming conventions for subagent monitoring
37
+ api.on('subagent_spawning', subagentHandler, { name: 'shellward.subagent-guard', priority: 100 })
38
+ api.on('subagent:spawning', subagentHandler, { name: 'shellward.subagent-guard-v2', priority: 100 })
50
39
 
51
40
  api.logger.info('[ShellWard] L8 Session Guard enabled')
52
41
  }
package/src/layers/tool-blocker.ts CHANGED
@@ -1,12 +1,10 @@
1
1
  // src/layers/tool-blocker.ts — L3 OpenClaw Adapter
2
2
  // Thin adapter: wires OpenClaw's before_tool_call hook to ShellWard core engine
3
- // Compat: falls back to tool_result_persist for post-execution detection if before_tool_call unavailable
4
3
 
5
4
  import type { ShellWard } from '../core/engine'
6
5
 
7
6
  export function setupToolBlocker(api: any, guard: ShellWard, enforce: boolean) {
8
- // Primary: pre-execution blocking via before_tool_call
9
- const hasBeforeToolCall = api.on('before_tool_call', (event: any) => {
7
+ api.on('before_tool_call', (event: any) => {
10
8
  const tool = String(event.toolName || '')
11
9
  const args: Record<string, any> = (event.params && typeof event.params === 'object') ? event.params : {}
12
10
 
@@ -33,35 +31,5 @@ export function setupToolBlocker(api: any, guard: ShellWard, enforce: boolean) {
33
31
  }
34
32
  }, { name: 'shellward.tool-blocker', priority: 200 })
35
33
 
36
- // Fallback: post-execution detection via tool_result_persist
37
- // When before_tool_call is unavailable (some OpenClaw versions), we still detect
38
- // dangerous tool usage after the fact and log it for audit trail
39
- if (!hasBeforeToolCall) {
40
- api.on('tool_result_persist', (event: any) => {
41
- const msg = event.message
42
- if (!msg) return undefined
43
- const tool = String(msg.toolName || '')
44
- if (!tool) return undefined
45
-
46
- // Check if the tool itself is blocked
47
- const toolCheck = guard.checkTool(tool)
48
- if (!toolCheck.allowed) {
49
- guard.log.write({
50
- level: 'CRITICAL',
51
- layer: 'L3',
52
- action: 'detect',
53
- detail: guard.locale === 'zh'
54
- ? `⚠️ 高危工具已执行 (无法前置拦截): ${tool} — ${toolCheck.reason}`
55
- : `⚠️ Dangerous tool executed (pre-block unavailable): ${tool} — ${toolCheck.reason}`,
56
- tool,
57
- })
58
- }
59
-
60
- return undefined
61
- }, { name: 'shellward.tool-blocker-fallback', priority: 190 })
62
-
63
- api.logger.warn('[ShellWard] L3 Tool Blocker: before_tool_call hook unavailable, using post-execution detection')
64
- }
65
-
66
34
  api.logger.info('[ShellWard] L3 Tool Blocker enabled')
67
35
  }