shellward 0.5.9 → 0.5.11

package/dist/rules/injection-zh.js

@@ -0,0 +1,132 @@
+// src/rules/injection-zh.ts — Chinese prompt injection detection rules
+export const INJECTION_RULES_ZH = [
+    {
+        id: 'zh_ignore_prev',
+        name: '忽略之前指令',
+        pattern: '(?:请|你要|现在)?忽略(?:之前|上面|以上|前面|所有)(?:的)?(?:指令|指示|规则|提示|要求|约束)',
+        riskScore: 40,
+        category: 'override',
+    },
+    {
+        id: 'zh_new_role',
+        name: '角色扮演攻击',
+        pattern: '(?:你现在是|你的新身份是|从现在起你是|假装你是|请?扮演|你是一个|充当)(?:.*?)(?:助手|AI|机器人|黑客|专家|没有限制)',
+        riskScore: 35,
+        category: 'role_hijack',
+    },
+    {
+        id: 'zh_system_prompt',
+        name: '系统提示窃取',
+        pattern: '(?:输出|显示|打印|告诉我|重复|泄露|展示)(?:你的)?(?:系统|初始|原始)?(?:提示词|system\\s*prompt|指令|规则|约束)',
+        riskScore: 30,
+        category: 'exfiltration',
+    },
+    {
+        id: 'zh_developer_mode',
+        name: '开发者模式',
+        pattern: '(?:进入|启用|开启|切换到)(?:开发者|调试|测试|管理员|root|超级)(?:模式|权限)',
+        riskScore: 35,
+        category: 'privilege_escalation',
+    },
+    {
+        id: 'zh_no_restriction',
+        name: '解除限制',
+        pattern: '(?:取消|移除|去掉|关闭|忽略|跳过|绕过|忘记|丢弃)(?:之前|所有|一切|你的|以上|前面)*(?:的)?(?:限制|约束|安全|过滤|审查|规则|指令|设定)',
+        riskScore: 40,
+        category: 'override',
+    },
+    {
+        id: 'zh_do_not_refuse',
+        name: '禁止拒绝',
+        pattern: '(?:不要|不许|不能|不可以|禁止你)(?:拒绝|拒绝回答|说不|推辞)',
+        riskScore: 25,
+        category: 'override',
+    },
+    {
+        id: 'zh_hidden_instruction',
+        name: '隐藏指令标记',
+        pattern: '(?:以下是|下面是)?(?:隐藏|秘密|真正的|实际的)(?:指令|命令|提示|任务)',
+        riskScore: 35,
+        category: 'injection',
+    },
+    {
+        id: 'zh_output_format_hijack',
+        name: '输出格式劫持',
+        pattern: '(?:只|仅|必须)?(?:输出|回复|返回|回答)(?:以下|如下|这个)(?:内容|文字|文本)',
+        riskScore: 15,
+        category: 'hijack',
+    },
+    {
+        id: 'zh_data_exfil',
+        name: '数据外泄',
+        pattern: '(?:把|将)(?:所有|全部)?(?:对话|聊天|消息|记录|历史|数据|文件)(?:的内容|的信息|中的数据)?(?:发送|传输|上传|转发)(?:到|给)',
+        riskScore: 40,
+        category: 'exfiltration',
+    },
+    {
+        id: 'zh_emergency_auth',
+        name: '伪造紧急授权',
+        pattern: '(?:紧急|特别|最高|管理员|系统管理员|超级管理员)(?:的)?(?:授权|许可|批准|命令|指令|权限)',
+        riskScore: 30,
+        category: 'privilege_escalation',
+    },
+    {
+        id: 'zh_force_exec',
+        name: '强制执行指令',
+        pattern: '(?:直接|立即|马上|强制|必须)(?:执行|运行|操作)',
+        riskScore: 20,
+        category: 'override',
+    },
+    {
+        id: 'zh_task_hijack',
+        name: '任务劫持',
+        pattern: '(?:你的)?(?:新|真正的|实际的)(?:任务|目标|使命|工作)(?:是|变成|改为)',
+        riskScore: 40,
+        category: 'role_hijack',
+    },
+    {
+        id: 'zh_send_to_url',
+        name: '发送到外部 URL',
+        pattern: '(?:发送|传输|上传|转发|发)(?:到|给|至)\\s*https?://',
+        riskScore: 35,
+        category: 'exfiltration',
+    },
+    {
+        id: 'zh_boundary_marker',
+        name: '边界标记注入',
+        pattern: '(?:<<|\\[\\[|\\{\\{)\\s*(?:SYSTEM|系统|SYS|END|新指令|NEW)\\s*(?:>>|\\]\\]|\\}\\})',
+        riskScore: 30,
+        category: 'injection',
+    },
+    {
+        id: 'zh_act_as',
+        name: '行为替换',
+        pattern: '(?:请以|用|按照|模仿)(?:.*?)(?:的方式|的口吻|的风格|的身份)(?:回答|回复|说话|输出)',
+        riskScore: 20,
+        category: 'role_hijack',
+    },
+    {
+        id: 'zh_jailbreak',
+        name: '越狱关键词',
+        pattern: '(?:DAN|越狱|jailbreak|无限制模式|do\\s*anything\\s*now)',
+        flags: 'i',
+        riskScore: 40,
+        category: 'jailbreak',
+    },
+    {
+        id: 'zh_xml_tag_injection',
+        name: 'XML/标签注入',
+        pattern: '<\\s*(?:system|instruction|prompt|admin|override|设置|系统|指令)\\s*>',
+        flags: 'i',
+        riskScore: 30,
+        category: 'injection',
+    },
+    {
+        id: 'zh_mixed_lang_injection',
+        name: '中英混合注入',
+        pattern: '(?:please|pls|now)?\\s*(?:ignore|forget|disregard)\\s+.*(?:指令|规则|之前|以上)|(?:忽略|忘记|跳过).*(?:instruction|rule|prompt|previous)',
+        flags: 'i',
+        riskScore: 40,
+        category: 'override',
+    },
+];

package/dist/rules/protected-paths.d.ts

@@ -0,0 +1,2 @@
+import type { ProtectedPathRule } from '../types.js';
+export declare const PROTECTED_PATHS: ProtectedPathRule[];

package/dist/rules/protected-paths.js

@@ -0,0 +1,75 @@
+// src/rules/protected-paths.ts — Paths that should not be written/deleted (bilingual)
+export const PROTECTED_PATHS = [
+    {
+        id: 'env_file',
+        pattern: /(?:^|\/)\.env(?:\.[a-zA-Z]+)?$/i,
+        description_zh: '环境变量文件（可能含密钥）',
+        description_en: 'Environment file (may contain secrets)',
+    },
+    {
+        id: 'ssh_dir',
+        pattern: /(?:^|\/)\.ssh\//i,
+        description_zh: 'SSH 密钥目录',
+        description_en: 'SSH key directory',
+    },
+    {
+        id: 'gnupg_dir',
+        pattern: /(?:^|\/)\.gnupg\//i,
+        description_zh: 'GPG 密钥目录',
+        description_en: 'GPG key directory',
+    },
+    {
+        id: 'aws_credentials',
+        pattern: /(?:^|\/)\.aws\/credentials$/i,
+        description_zh: 'AWS 凭证文件',
+        description_en: 'AWS credentials file',
+    },
+    {
+        id: 'kube_config',
+        pattern: /(?:^|\/)\.kube\/config$/i,
+        description_zh: 'Kubernetes 配置（含集群凭证）',
+        description_en: 'Kubernetes config (contains cluster credentials)',
+    },
+    {
+        id: 'docker_config',
+        pattern: /(?:^|\/)\.docker\/config\.json$/i,
+        description_zh: 'Docker 配置（可能含 registry 凭证）',
+        description_en: 'Docker config (may contain registry credentials)',
+    },
+    {
+        id: 'git_credentials',
+        pattern: /(?:^|\/)\.git-credentials$/i,
+        description_zh: 'Git 凭证文件',
+        description_en: 'Git credentials file',
+    },
+    {
+        id: 'npmrc',
+        pattern: /(?:^|\/)\.npmrc$/i,
+        description_zh: 'npm 配置（可能含 registry token）',
+        description_en: 'npm config (may contain registry token)',
+    },
+    {
+        id: 'private_key',
+        pattern: /(?:^|\/)(?:.*\.pem|.*\.key|.*_rsa|.*_ecdsa|.*_ed25519)$/i,
+        description_zh: '私钥文件',
+        description_en: 'Private key file',
+    },
+    {
+        id: 'etc_passwd',
+        pattern: /^\/etc\/(?:passwd|shadow|sudoers)/i,
+        description_zh: '系统认证文件',
+        description_en: 'System authentication file',
+    },
+    {
+        id: 'keychain',
+        pattern: /(?:^|\/)(?:Keychain|keychain|\.keystore|\.jks)$/i,
+        description_zh: '密钥链/密钥库文件',
+        description_en: 'Keychain/keystore file',
+    },
+    {
+        id: 'openclaw_config',
+        pattern: /(?:^|\/)\.openclaw\/(?:config|settings|credentials)/i,
+        description_zh: 'OpenClaw 配置和凭证',
+        description_en: 'OpenClaw config and credentials',
+    },
+];

package/dist/rules/sensitive-patterns.d.ts

@@ -0,0 +1,21 @@
+import type { ScanMatch } from '../types.js';
+export interface SensitivePattern {
+    id: string;
+    name: string;
+    regex: RegExp;
+    replacement: string;
+    validate?: (match: string) => boolean;
+}
+export declare const SENSITIVE_PATTERNS: SensitivePattern[];
+/**
+ * Scan text and return matches (without modifying text).
+ */
+export declare function scanForSensitive(text: string): ScanMatch[];
+/**
+ * Redact all sensitive data in text. Returns [redactedText, findings[]]
+ */
+export declare function redactSensitive(text: string): [string, {
+    id: string;
+    name: string;
+    count: number;
+}[]];

package/dist/rules/sensitive-patterns.js

@@ -0,0 +1,192 @@
+// src/rules/sensitive-patterns.ts — PII & secret patterns for output redaction (global + China)
+export const SENSITIVE_PATTERNS = [
+    // ===== API Keys & Tokens =====
+    {
+        id: 'openai_key',
+        name: 'OpenAI API Key',
+        regex: /sk-[a-zA-Z0-9]{20,}/g,
+        replacement: '[REDACTED:OpenAI Key]',
+    },
+    {
+        id: 'anthropic_key',
+        name: 'Anthropic Key',
+        regex: /sk-ant-[a-zA-Z0-9\-]{20,}/g,
+        replacement: '[REDACTED:Anthropic Key]',
+    },
+    {
+        id: 'aws_access',
+        name: 'AWS Access Key',
+        regex: /AKIA[0-9A-Z]{16}/g,
+        replacement: '[REDACTED:AWS Key]',
+    },
+    {
+        id: 'github_token',
+        name: 'GitHub Token',
+        regex: /gh[ps]_[A-Za-z0-9_]{36,}/g,
+        replacement: '[REDACTED:GitHub Token]',
+    },
+    {
+        id: 'generic_api_key',
+        name: 'Generic API Key',
+        regex: /(?:api[_-]?key|api[_-]?token|access[_-]?token)\s*[=:]\s*['"]?[A-Za-z0-9_\-]{20,}['"]?/gi,
+        replacement: '[REDACTED:API Key]',
+    },
+    // ===== Private Keys & Secrets =====
+    {
+        id: 'private_key',
+        name: 'Private Key',
+        regex: /-----BEGIN\s(?:RSA|EC|OPENSSH|DSA|PGP)\sPRIVATE\sKEY-----/g,
+        replacement: '[REDACTED:Private Key]',
+    },
+    {
+        id: 'jwt',
+        name: 'JWT Token',
+        regex: /eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g,
+        replacement: '[REDACTED:JWT]',
+    },
+    {
+        id: 'password',
+        name: 'Password',
+        regex: /(?:password|passwd|pwd)\s*[=:]\s*['"]?\S{6,100}['"]?/gi,
+        replacement: '[REDACTED:Password]',
+    },
+    {
+        id: 'conn_string',
+        name: 'Database Connection String',
+        regex: /(?:mongodb|postgres|mysql|redis|amqp):\/\/[^\s'"]{10,}/g,
+        replacement: '[REDACTED:Connection String]',
+    },
+    // ===== Chinese PII (核心差异点) =====
+    {
+        id: 'id_card_cn',
+        name: '身份证号 / CN ID Card',
+        regex: /(?<!\d)[1-9]\d{5}(?:19|20)\d{2}(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])\d{3}[\dXx](?!\d)/g,
+        replacement: '[REDACTED:身份证号]',
+        validate: validateIdCardCN,
+    },
+    {
+        id: 'phone_cn',
+        name: '手机号 / CN Phone',
+        regex: /(?<!\d)1[3-9]\d{9}(?!\d)/g,
+        replacement: '[REDACTED:手机号]',
+    },
+    {
+        id: 'bank_card_cn',
+        name: '银行卡号 / CN Bank Card',
+        regex: /(?<!\d)(?:62|4|5[1-5])\d{14,17}(?!\d)/g,
+        replacement: '[REDACTED:银行卡号]',
+        validate: validateLuhn,
+    },
+    // ===== International PII =====
+    {
+        id: 'email',
+        name: 'Email Address',
+        regex: /[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,10}/g,
+        replacement: '[REDACTED:Email]',
+    },
+    {
+        id: 'ssn_us',
+        name: 'US SSN',
+        // Exclude date-like patterns (YYYY-MM-DD) and ranges starting with 000/666/9xx
+        regex: /\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b/g,
+        replacement: '[REDACTED:SSN]',
+        validate: validateSSN,
+    },
+    {
+        id: 'credit_card',
+        name: 'Credit Card',
+        regex: /\b(?:4\d{3}|5[1-5]\d{2}|3[47]\d{2}|6(?:011|5\d{2}))[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b/g,
+        replacement: '[REDACTED:Credit Card]',
+        validate: validateLuhn,
+    },
+];
+/**
+ * Scan text and return matches (without modifying text).
+ */
+export function scanForSensitive(text) {
+    const results = [];
+    for (const pat of SENSITIVE_PATTERNS) {
+        const regex = new RegExp(pat.regex.source, pat.regex.flags);
+        let match;
+        while ((match = regex.exec(text)) !== null) {
+            if (pat.validate && !pat.validate(match[0]))
+                continue;
+            results.push({
+                name: pat.name,
+                preview: match[0].slice(0, 8) + '***',
+            });
+        }
+    }
+    return results;
+}
+/**
+ * Redact all sensitive data in text. Returns [redactedText, findings[]]
+ */
+export function redactSensitive(text) {
+    let result = text;
+    const findings = [];
+    for (const pat of SENSITIVE_PATTERNS) {
+        const regex = new RegExp(pat.regex.source, pat.regex.flags);
+        let count = 0;
+        result = result.replace(regex, (match) => {
+            if (pat.validate && !pat.validate(match))
+                return match;
+            count++;
+            return pat.replacement;
+        });
+        if (count > 0) {
+            findings.push({ id: pat.id, name: pat.name, count });
+        }
+    }
+    return [result, findings];
+}
+// ===== Validators =====
+function validateIdCardCN(id) {
+    if (id.length !== 18)
+        return false;
+    const weights = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2];
+    const checkCodes = ['1', '0', 'X', '9', '8', '7', '6', '5', '4', '3', '2'];
+    let sum = 0;
+    for (let i = 0; i < 17; i++) {
+        sum += parseInt(id[i]) * weights[i];
+    }
+    return checkCodes[sum % 11].toUpperCase() === id[17].toUpperCase();
+}
+/**
+ * Validate US SSN: reject date-like patterns (YYYY-MM-DD)
+ */
+function validateSSN(ssn) {
+    const parts = ssn.split('-');
+    if (parts.length !== 3)
+        return false;
+    const [area, group, serial] = parts.map(Number);
+    // Reject if it looks like a date (first part 1900-2099)
+    if (area >= 1900 && area <= 2099 && group >= 1 && group <= 12)
+        return false;
+    // Valid SSN ranges
+    if (area < 1 || area > 899 || area === 666)
+        return false;
+    if (group < 1 || group > 99)
+        return false;
+    if (serial < 1 || serial > 9999)
+        return false;
+    return true;
+}
+function validateLuhn(num) {
+    const digits = num.replace(/\D/g, '');
+    if (digits.length < 13)
+        return false;
+    let sum = 0;
+    let alternate = false;
+    for (let i = digits.length - 1; i >= 0; i--) {
+        let n = parseInt(digits[i]);
+        if (alternate) {
+            n *= 2;
+            if (n > 9)
+                n -= 9;
+        }
+        sum += n;
+        alternate = !alternate;
+    }
+    return sum % 10 === 0;
+}

package/dist/types.d.ts

@@ -0,0 +1,64 @@
+export interface ShellWardConfig {
+    mode: 'enforce' | 'audit';
+    locale: 'auto' | 'zh' | 'en';
+    /** 启动时自动检查 OpenClaw 漏洞、插件风险、MCP 配置，发现问题时告警 */
+    autoCheckOnStartup?: boolean;
+    layers: {
+        promptGuard: boolean;
+        outputScanner: boolean;
+        toolBlocker: boolean;
+        inputAuditor: boolean;
+        securityGate: boolean;
+        outboundGuard: boolean;
+        dataFlowGuard: boolean;
+        sessionGuard: boolean;
+    };
+    injectionThreshold: number;
+}
+export type ResolvedLocale = 'zh' | 'en';
+export interface AuditEntry {
+    ts: string;
+    level: 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW' | 'INFO';
+    layer: 'L0' | 'L1' | 'L2' | 'L3' | 'L4' | 'L5' | 'L6' | 'L7' | 'L8';
+    action: 'block' | 'redact' | 'audit' | 'detect' | 'allow' | 'inject' | 'error';
+    detail: string;
+    tool?: string;
+    pattern?: string;
+    mode: 'enforce' | 'audit';
+    [key: string]: unknown;
+}
+export interface NamedPattern {
+    name: string;
+    pattern: RegExp;
+    validate?: (match: string) => boolean;
+}
+export interface ScanMatch {
+    name: string;
+    preview: string;
+}
+export interface DangerousCommandRule {
+    id: string;
+    pattern: RegExp;
+    description_zh: string;
+    description_en: string;
+}
+export interface ProtectedPathRule {
+    id: string;
+    pattern: RegExp;
+    description_zh: string;
+    description_en: string;
+}
+export interface InjectionRule {
+    id: string;
+    name: string;
+    pattern: string;
+    flags?: string;
+    riskScore: number;
+    category: string;
+}
+export declare const DEFAULT_CONFIG: ShellWardConfig;
+/**
+ * Detect locale from system environment.
+ * Returns 'zh' if LANG/LC_ALL contains 'zh', otherwise 'en'.
+ */
+export declare function resolveLocale(config: ShellWardConfig): ResolvedLocale;

package/dist/types.js

@@ -0,0 +1,30 @@
+// src/types.ts — ShellWard type definitions
+export const DEFAULT_CONFIG = {
+    mode: 'enforce',
+    locale: 'auto',
+    autoCheckOnStartup: true,
+    layers: {
+        promptGuard: true,
+        outputScanner: true,
+        toolBlocker: true,
+        inputAuditor: true,
+        securityGate: true,
+        outboundGuard: true,
+        dataFlowGuard: true,
+        sessionGuard: true,
+    },
+    injectionThreshold: 60,
+};
+/**
+ * Detect locale from system environment.
+ * Returns 'zh' if LANG/LC_ALL contains 'zh', otherwise 'en'.
+ */
+export function resolveLocale(config) {
+    if (config.locale === 'zh')
+        return 'zh';
+    if (config.locale === 'en')
+        return 'en';
+    // auto detection
+    const lang = process.env.LANG || process.env.LC_ALL || process.env.LC_MESSAGES || process.env.LANGUAGE || '';
+    return /\bzh[_-]|chinese/i.test(lang) ? 'zh' : 'en';
+}

package/dist/update-check.d.ts

@@ -0,0 +1,40 @@
+export interface VulnEntry {
+    affectedBelow: string;
+    severity: 'CRITICAL' | 'HIGH' | 'MEDIUM';
+    id: string;
+    ghsa?: string;
+    description_zh: string;
+    description_en: string;
+}
+export interface SupplyChainAlert {
+    id: string;
+    severity: 'CRITICAL' | 'HIGH' | 'MEDIUM';
+    date: string;
+    description_zh: string;
+    description_en: string;
+}
+/**
+ * Check npm for latest version.
+ *
+ * Returns result with `shouldNotify`:
+ * - true = first time seeing this new version, show the message
+ * - false = already notified for this version, stay quiet
+ * Returns null if check skipped or failed.
+ */
+export declare function checkForUpdate(currentVersion: string): Promise<{
+    current: string;
+    latest: string;
+    updateAvailable: boolean;
+    shouldNotify: boolean;
+} | null>;
+/**
+ * Fetch remote vulnerability database. Cached 24h. Local fallback on failure.
+ */
+export declare function fetchVulnDB(): Promise<{
+    vulns: VulnEntry[];
+    alerts: SupplyChainAlert[];
+}>;
+/**
+ * Compare semver-like version strings. Positive if a > b, negative if a < b, 0 if equal.
+ */
+export declare function compareVersions(a: string, b: string): number;