shellward 0.6.0 → 0.6.1

package/dist/core/engine.js

@@ -173,6 +173,7 @@ export class ShellWard {
     }
     // ========== L2: Data Scanner ==========
     scanData(text, toolName) {
+        text = asString(text);
         const [, findings] = redactSensitive(text, this.customSensitive);
         const hasSensitiveData = findings.length > 0;
         const summary = findings.map(f => `${f.name}(${f.count})`).join(', ');
@@ -195,7 +196,7 @@ export class ShellWard {
     }
     // ========== L3: Tool & Command Checker ==========
     checkTool(toolName) {
-        const toolLower = toolName.toLowerCase();
+        const toolLower = asString(toolName).toLowerCase();
         const enforce = this.config.mode === 'enforce';
         // allowedTools always wins — user-trusted tools bypass policy.
         if (this.allowedTools.has(toolLower))
@@ -226,7 +227,7 @@ export class ShellWard {
     }
     checkCommand(cmd, toolName) {
         const enforce = this.config.mode === 'enforce';
-        const parts = splitCommands(cmd);
+        const parts = splitCommands(asString(cmd));
         for (const part of parts) {
             // Normalize shell-quote obfuscation (e.g. r''m / r""m → rm) before matching.
             // Only empty quote pairs are stripped, so a real quoted arg like
@@ -253,6 +254,7 @@ export class ShellWard {
         return { allowed: true };
     }
     checkPath(path, operation, toolName) {
+        path = asString(path);
         const enforce = this.config.mode === 'enforce';
         const normalizedPath = normalizePath(path);
         for (const rule of PROTECTED_PATHS) {
@@ -276,6 +278,7 @@ export class ShellWard {
     }
     // ========== L4: Injection Detection ==========
     checkInjection(text, options) {
+        text = asString(text);
         const threshold = options?.threshold ?? this.config.injectionThreshold;
         const enforce = this.config.mode === 'enforce';
         const hiddenChars = detectHiddenChars(text);
@@ -327,6 +330,7 @@ export class ShellWard {
     // tuned for tool-metadata attacks. Pure & side-effect-light: callable from
     // the SDK, the MCP server, or at plugin tool-discovery time.
     scanToolDefinition(tool, options) {
+        tool = (tool && typeof tool === 'object') ? tool : { name: 'unknown' };
         const threshold = options?.threshold ?? 40;
         const findings = [];
         let score = 0;
@@ -395,6 +399,8 @@ export class ShellWard {
     }
     // ========== L5: Security Gate ==========
     checkAction(action, details) {
+        action = asString(action);
+        details = asString(details);
         if (action === 'exec' || action === 'shell') {
             return this.checkCommand(details);
         }
@@ -433,6 +439,7 @@ export class ShellWard {
     }
     // ========== L6: Response Checker ==========
     checkResponse(content) {
+        content = asString(content);
         const canaryLeak = this._canaryToken ? content.includes(this._canaryToken) : false;
         if (canaryLeak) {
             this.log.write({
@@ -509,7 +516,8 @@ export class ShellWard {
         this.evictExpired();
     }
     checkOutbound(toolName, params) {
-        const toolLower = toolName.toLowerCase();
+        params = (params && typeof params === 'object') ? params : {};
+        const toolLower = asString(toolName).toLowerCase();
         const isOutbound = this.outboundTools.has(toolLower);
         const isDualUse = DUAL_USE_TOOLS.has(toolLower);
         const enforce = this.config.mode === 'enforce';
@@ -614,6 +622,8 @@ export class ShellWard {
     }
     extractTextFields(args) {
         const results = [];
+        if (!args || typeof args !== 'object')
+            return results;
         for (const field of TEXT_FIELDS) {
             if (typeof args[field] === 'string' && args[field].length > 0) {
                 results.push(args[field]);
@@ -700,6 +710,23 @@ function normalizePath(p) {
 function truncate(s, max) {
     return s.length > max ? s.slice(0, max) + '...' : s;
 }
+/**
+ * Defensive coercion at public API boundaries: a security check must fail safe
+ * on hostile/garbage input, never throw. null/undefined → '', everything else
+ * is stringified.
+ */
+function asString(v) {
+    if (typeof v === 'string')
+        return v;
+    if (v == null)
+        return '';
+    try {
+        return String(v);
+    }
+    catch {
+        return '';
+    }
+}
 /**
  * Defeat shell-quote obfuscation for DETECTION (not execution): strip empty
  * quote pairs so `r''m -rf /` and `r""m -rf /` normalize to `rm -rf /`.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shellward",
-  "version": "0.6.0",
+  "version": "0.6.1",
   "mcpName": "io.github.jnMetaCode/shellward",
   "description": "AI agent security & MCP security middleware — prompt injection detection, AI firewall, runtime guardrails & data-loss prevention for LLM tool calls. 8-layer defense against data exfiltration & dangerous commands. Zero dependencies. SDK + OpenClaw plugin. Supports LangChain, AutoGPT, Claude Code, Cursor, OpenAI Agents, Hermes Agent.",
   "keywords": [

package/server.json

@@ -6,12 +6,12 @@
     "url": "https://github.com/jnMetaCode/shellward",
     "source": "github"
   },
-  "version": "0.6.0",
+  "version": "0.6.1",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "shellward",
-      "version": "0.6.0",
+      "version": "0.6.1",
       "runtime": "node",
       "transport": {
         "type": "stdio"

package/src/core/engine.ts

@@ -256,6 +256,7 @@ export class ShellWard {
   // ========== L2: Data Scanner ==========
 
   scanData(text: string, toolName?: string): ScanResult {
+    text = asString(text)
     const [, findings] = redactSensitive(text, this.customSensitive)
     const hasSensitiveData = findings.length > 0
     const summary = findings.map(f => `${f.name}(${f.count})`).join(', ')
@@ -282,7 +283,7 @@ export class ShellWard {
   // ========== L3: Tool & Command Checker ==========
 
   checkTool(toolName: string): CheckResult {
-    const toolLower = toolName.toLowerCase()
+    const toolLower = asString(toolName).toLowerCase()
     const enforce = this.config.mode === 'enforce'
 
     // allowedTools always wins — user-trusted tools bypass policy.
@@ -317,7 +318,7 @@ export class ShellWard {
 
   checkCommand(cmd: string, toolName?: string): CheckResult {
     const enforce = this.config.mode === 'enforce'
-    const parts = splitCommands(cmd)
+    const parts = splitCommands(asString(cmd))
 
     for (const part of parts) {
       // Normalize shell-quote obfuscation (e.g. r''m / r""m → rm) before matching.
@@ -346,6 +347,7 @@ export class ShellWard {
   }
 
   checkPath(path: string, operation: 'write' | 'delete', toolName?: string): CheckResult {
+    path = asString(path)
     const enforce = this.config.mode === 'enforce'
     const normalizedPath = normalizePath(path)
 
@@ -372,6 +374,7 @@ export class ShellWard {
   // ========== L4: Injection Detection ==========
 
   checkInjection(text: string, options?: { source?: string; threshold?: number }): InjectionResult {
+    text = asString(text)
     const threshold = options?.threshold ?? this.config.injectionThreshold
     const enforce = this.config.mode === 'enforce'
 
@@ -430,6 +433,7 @@ export class ShellWard {
   // the SDK, the MCP server, or at plugin tool-discovery time.
 
   scanToolDefinition(tool: McpToolDefinition, options?: { threshold?: number }): ToolPoisoningResult {
+    tool = (tool && typeof tool === 'object') ? tool : { name: 'unknown' }
     const threshold = options?.threshold ?? 40
     const findings: ToolPoisoningFinding[] = []
     let score = 0
@@ -507,6 +511,8 @@ export class ShellWard {
   // ========== L5: Security Gate ==========
 
   checkAction(action: string, details: string): CheckResult {
+    action = asString(action)
+    details = asString(details)
     if (action === 'exec' || action === 'shell') {
       return this.checkCommand(details)
     }
@@ -550,6 +556,7 @@ export class ShellWard {
   // ========== L6: Response Checker ==========
 
   checkResponse(content: string): ResponseCheckResult {
+    content = asString(content)
     const canaryLeak = this._canaryToken ? content.includes(this._canaryToken) : false
 
     if (canaryLeak) {
@@ -638,7 +645,8 @@ export class ShellWard {
   }
 
   checkOutbound(toolName: string, params: Record<string, any>): CheckResult {
-    const toolLower = toolName.toLowerCase()
+    params = (params && typeof params === 'object') ? params : {}
+    const toolLower = asString(toolName).toLowerCase()
     const isOutbound = this.outboundTools.has(toolLower)
     const isDualUse = DUAL_USE_TOOLS.has(toolLower)
     const enforce = this.config.mode === 'enforce'
@@ -757,6 +765,7 @@ export class ShellWard {
 
   extractTextFields(args: Record<string, any>): string[] {
     const results: string[] = []
+    if (!args || typeof args !== 'object') return results
     for (const field of TEXT_FIELDS) {
       if (typeof args[field] === 'string' && args[field].length > 0) {
         results.push(args[field])
@@ -841,6 +850,17 @@ function truncate(s: string, max: number): string {
   return s.length > max ? s.slice(0, max) + '...' : s
 }
 
+/**
+ * Defensive coercion at public API boundaries: a security check must fail safe
+ * on hostile/garbage input, never throw. null/undefined → '', everything else
+ * is stringified.
+ */
+function asString(v: unknown): string {
+  if (typeof v === 'string') return v
+  if (v == null) return ''
+  try { return String(v) } catch { return '' }
+}
+
 /**
  * Defeat shell-quote obfuscation for DETECTION (not execution): strip empty
  * quote pairs so `r''m -rf /` and `r""m -rf /` normalize to `rm -rf /`.