shield-harness 0.1.0

package/.claude/hooks/sh-dep-audit.js

@@ -0,0 +1,101 @@
+#!/usr/bin/env node
+// sh-dep-audit.js — Dependency package install detection + security scan advisory
+// Spec: DETAILED_DESIGN.md §4.3
+// Hook event: PostToolUse
+// Matcher: Bash
+// Target response time: < 30ms
+"use strict";
+
+const { readHookInput, allow, appendEvidence } = require("./lib/sh-utils");
+
+// ---------------------------------------------------------------------------
+// Constants / Patterns
+// ---------------------------------------------------------------------------
+
+const HOOK_NAME = "sh-dep-audit";
+
+// Package manager install detection patterns (FR-11-04)
+const INSTALL_PATTERNS = [
+  {
+    regex: /npm (install|i|add|ci)\b/,
+    manager: "npm",
+    scan: "npm audit --json",
+  },
+  { regex: /pnpm (add|install)\b/, manager: "pnpm", scan: "pnpm audit --json" },
+  { regex: /yarn add\b/, manager: "yarn", scan: "yarn audit --json" },
+  { regex: /bun (add|install)\b/, manager: "bun", scan: "bun audit" },
+  { regex: /pip3? install\b/, manager: "pip", scan: "pip-audit --format=json" },
+  { regex: /cargo (add|install)\b/, manager: "cargo", scan: "cargo audit" },
+  { regex: /go get\b/, manager: "go", scan: "govulncheck ./..." },
+];
+
+// ---------------------------------------------------------------------------
+// Helper Functions
+// ---------------------------------------------------------------------------
+
+/**
+ * Detect package install command in a string.
+ * @param {string} command
+ * @returns {{ manager: string, scan: string } | null}
+ */
+function detectInstall(command) {
+  if (!command) return null;
+  for (const pattern of INSTALL_PATTERNS) {
+    if (pattern.regex.test(command)) {
+      return { manager: pattern.manager, scan: pattern.scan };
+    }
+  }
+  return null;
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+try {
+  const input = readHookInput();
+  const { toolInput, sessionId } = input;
+  const command = (toolInput.command || "").trim();
+
+  // Detect install command
+  const match = detectInstall(command);
+
+  if (!match) {
+    allow();
+    // Unreachable after allow(), but explicit return for clarity
+    return;
+  }
+
+  // Record evidence (non-blocking)
+  try {
+    appendEvidence({
+      hook: HOOK_NAME,
+      event: "PostToolUse",
+      tool: "Bash",
+      decision: "allow",
+      reason: `${match.manager} install detected`,
+      command: command.length > 120 ? command.slice(0, 120) + "..." : command,
+      session_id: sessionId,
+    });
+  } catch (_) {
+    // Evidence failure is non-blocking
+  }
+
+  // Advisory: recommend security scan
+  allow(
+    `[${HOOK_NAME}] ${match.manager} によるパッケージインストールを検出しました。` +
+      `セキュリティスキャンを推奨します: \`${match.scan}\``,
+  );
+} catch (_err) {
+  // Operational hook — on error, allow through.
+  allow();
+}
+
+// ---------------------------------------------------------------------------
+// Exports (for testing)
+// ---------------------------------------------------------------------------
+
+module.exports = {
+  INSTALL_PATTERNS,
+  detectInstall,
+};

package/.claude/hooks/sh-elicitation.js

@@ -0,0 +1,244 @@
+#!/usr/bin/env node
+// sh-elicitation.js — Elicitation phishing & scope guard
+// Spec: DETAILED_DESIGN.md §5.5
+// Event: Elicitation
+// Target response time: < 20ms
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const {
+  readHookInput,
+  allow,
+  deny,
+  nfkcNormalize,
+  appendEvidence,
+  SH_DIR,
+} = require("./lib/sh-utils");
+
+const HOOK_NAME = "sh-elicitation";
+const ALLOWED_MCP_FILE = path.join(
+  SH_DIR,
+  "config",
+  "allowed-mcp-servers.json",
+);
+
+// ---------------------------------------------------------------------------
+// Phishing Patterns
+// ---------------------------------------------------------------------------
+
+const PHISHING_PATTERNS = [
+  { pattern: /[0oO][0oO]gle/i, label: "google typosquatting" },
+  { pattern: /anthroplc|anthr0pic/i, label: "anthropic typosquatting" },
+  { pattern: /g[il1]thub/i, label: "github typosquatting" },
+  { pattern: /m[il1]crosoft/i, label: "microsoft typosquatting" },
+  { pattern: /\.(tk|ml|ga|cf|gq)$/i, label: "free TLD (high abuse)" },
+];
+
+// Excessive OAuth scopes
+const EXCESSIVE_SCOPES = ["admin", "write:all", "repo:delete", "user:email"];
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Extract URLs from text.
+ * @param {string} text
+ * @returns {string[]}
+ */
+function extractUrls(text) {
+  const urlRegex = /https?:\/\/[^\s"'<>]+/gi;
+  return text.match(urlRegex) || [];
+}
+
+/**
+ * Extract domain from URL.
+ * @param {string} url
+ * @returns {string}
+ */
+function extractDomain(url) {
+  try {
+    return new URL(url).hostname.toLowerCase();
+  } catch {
+    return "";
+  }
+}
+
+/**
+ * Load allowed MCP servers list.
+ * @returns {string[]}
+ */
+function loadAllowedServers() {
+  try {
+    if (!fs.existsSync(ALLOWED_MCP_FILE)) return [];
+    const data = JSON.parse(fs.readFileSync(ALLOWED_MCP_FILE, "utf8"));
+    return Array.isArray(data) ? data : data.servers || [];
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * Check if a domain matches phishing patterns.
+ * @param {string} domain
+ * @returns {{ matched: boolean, label: string }|null}
+ */
+function checkPhishing(domain) {
+  const normalized = nfkcNormalize(domain);
+  for (const { pattern, label } of PHISHING_PATTERNS) {
+    if (pattern.test(normalized)) {
+      return { matched: true, label };
+    }
+  }
+  return null;
+}
+
+/**
+ * Check if requested scopes contain excessive permissions.
+ * @param {string[]} scopes
+ * @returns {string[]} excessive scopes found
+ */
+function checkExcessiveScopes(scopes) {
+  if (!Array.isArray(scopes)) return [];
+  return scopes.filter((s) =>
+    EXCESSIVE_SCOPES.some((ex) => s.toLowerCase().includes(ex.toLowerCase())),
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+try {
+  const input = readHookInput();
+  const requestStr = JSON.stringify(input.toolInput);
+
+  // Step 1: Extract URLs
+  const urls = extractUrls(requestStr);
+
+  // Step 2: Check each URL for phishing
+  for (const url of urls) {
+    const domain = extractDomain(url);
+    if (!domain) continue;
+
+    const phishing = checkPhishing(domain);
+    if (phishing) {
+      try {
+        appendEvidence({
+          hook: HOOK_NAME,
+          event: "Elicitation",
+          decision: "deny",
+          reason: "phishing_detected",
+          domain,
+          label: phishing.label,
+          session_id: input.sessionId,
+        });
+      } catch {
+        // Non-blocking
+      }
+
+      deny(
+        `[${HOOK_NAME}] フィッシングドメイン検出: ${domain} (${phishing.label})`,
+      );
+      return;
+    }
+  }
+
+  // Step 3: Check allowed MCP servers (if URLs present)
+  const allowedServers = loadAllowedServers();
+  if (urls.length > 0 && allowedServers.length > 0) {
+    for (const url of urls) {
+      const domain = extractDomain(url);
+      if (!domain) continue;
+
+      const isAllowed = allowedServers.some(
+        (server) => domain === server || domain.endsWith("." + server),
+      );
+
+      if (!isAllowed) {
+        try {
+          appendEvidence({
+            hook: HOOK_NAME,
+            event: "Elicitation",
+            decision: "deny",
+            reason: "unauthorized_mcp",
+            domain,
+            session_id: input.sessionId,
+          });
+        } catch {
+          // Non-blocking
+        }
+
+        deny(`[${HOOK_NAME}] 未許可の MCP サーバー: ${domain}`);
+        return;
+      }
+    }
+  }
+
+  // Step 4: Check OAuth scopes
+  const scopes = input.toolInput.scopes || input.toolInput.scope || [];
+  const scopeList = Array.isArray(scopes)
+    ? scopes
+    : typeof scopes === "string"
+      ? scopes.split(/[,\s]+/)
+      : [];
+  const excessive = checkExcessiveScopes(scopeList);
+
+  if (excessive.length > 0) {
+    try {
+      appendEvidence({
+        hook: HOOK_NAME,
+        event: "Elicitation",
+        decision: "allow",
+        reason: "excessive_scope_warning",
+        scopes: excessive,
+        session_id: input.sessionId,
+      });
+    } catch {
+      // Non-blocking
+    }
+
+    allow(
+      `[${HOOK_NAME}] 警告: 過剰な OAuth スコープが要求されています: ${excessive.join(", ")}。本当に必要か確認してください。`,
+    );
+    return;
+  }
+
+  // Step 5: All clean — allow
+  try {
+    appendEvidence({
+      hook: HOOK_NAME,
+      event: "Elicitation",
+      decision: "allow",
+      url_count: urls.length,
+      session_id: input.sessionId,
+    });
+  } catch {
+    // Non-blocking
+  }
+
+  allow();
+} catch (err) {
+  // SECURITY hook — fail-close
+  process.stdout.write(
+    JSON.stringify({
+      reason: `[${HOOK_NAME}] Hook error (fail-close): ${err.message}`,
+    }),
+  );
+  process.exit(2);
+}
+
+// ---------------------------------------------------------------------------
+// Exports (for testing)
+// ---------------------------------------------------------------------------
+
+module.exports = {
+  PHISHING_PATTERNS,
+  EXCESSIVE_SCOPES,
+  extractUrls,
+  extractDomain,
+  loadAllowedServers,
+  checkPhishing,
+  checkExcessiveScopes,
+};

package/.claude/hooks/sh-evidence.js

@@ -0,0 +1,193 @@
+#!/usr/bin/env node
+// sh-evidence.js — SHA-256 hash chain evidence recording
+// Spec: DETAILED_DESIGN.md §4.1
+// Hook events: PostToolUse, PostToolUseFailure, ElicitationResult, TeammateIdle, StopFailure
+// Matcher: "" (all tools)
+// Target response time: < 30ms
+"use strict";
+
+const {
+  readHookInput,
+  allow,
+  sha256,
+  appendEvidence,
+  readSession,
+  EVIDENCE_FILE,
+} = require("./lib/sh-utils");
+const fs = require("fs");
+
+// ---------------------------------------------------------------------------
+// Constants / Patterns
+// ---------------------------------------------------------------------------
+
+const HOOK_NAME = "sh-evidence";
+
+// PII detection patterns (FR-05-02)
+const PII_PATTERNS = [
+  /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/, // email
+  /\b\d{3}-\d{4}-\d{4}\b/, // JP phone
+  /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/, // credit card
+  /\bAIza[0-9A-Za-z_-]{35}\b/, // Google API key
+  /\bsk-[a-zA-Z0-9]{20,}\b/, // OpenAI/Anthropic key
+  /\b(AKIA|ASIA)[0-9A-Z]{16}\b/, // AWS access key
+  /\bghp_[a-zA-Z0-9]{36}\b/, // GitHub token
+];
+
+// Data leakage patterns (FR-03-03)
+const LEAKAGE_PATTERNS = [
+  /https?:\/\/[^?]+\?(.*)(password|token|secret|key|api_key)=/, // secrets in URL
+  /Authorization:\s*(Bearer|Basic)\s+[A-Za-z0-9+/=]+/, // auth headers
+  /data:.*base64,.*[A-Za-z0-9+/=]{100,}/, // large base64 blobs
+];
+
+// Tools whose output should be scanned for PII
+const PII_SCAN_TOOLS = ["Write", "Edit"];
+
+// Tools whose output should be scanned for leakage
+const LEAKAGE_SCAN_TOOLS = ["WebFetch", "Bash"];
+
+// ---------------------------------------------------------------------------
+// Helper Functions
+// ---------------------------------------------------------------------------
+
+/**
+ * Get the next sequence number from the evidence ledger.
+ * @returns {number}
+ */
+function getNextSeq() {
+  try {
+    const content = fs.readFileSync(EVIDENCE_FILE, "utf8").trim();
+    if (!content) return 1;
+    const lines = content.split("\n");
+    const lastEntry = JSON.parse(lines[lines.length - 1]);
+    return (lastEntry.seq || 0) + 1;
+  } catch {
+    return 1;
+  }
+}
+
+/**
+ * Scan text for PII patterns.
+ * @param {string} text
+ * @returns {string[]} matched pattern labels
+ */
+function detectPII(text) {
+  if (!text) return [];
+  const labels = [
+    "email",
+    "JP phone",
+    "credit card",
+    "Google API key",
+    "API secret key",
+    "AWS access key",
+    "GitHub token",
+  ];
+  const found = [];
+  for (let i = 0; i < PII_PATTERNS.length; i++) {
+    if (PII_PATTERNS[i].test(text)) {
+      found.push(labels[i]);
+    }
+  }
+  return found;
+}
+
+/**
+ * Scan text for data leakage patterns.
+ * @param {string} text
+ * @returns {boolean}
+ */
+function detectLeakage(text) {
+  if (!text) return false;
+  return LEAKAGE_PATTERNS.some((p) => p.test(text));
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+try {
+  const input = readHookInput();
+  const { hookType, toolName, toolInput, toolResult, sessionId } = input;
+
+  // Check channel source for evidence metadata (§8.6.3)
+  let isChannel = false;
+  try {
+    const session = readSession();
+    isChannel = session.source === "channel";
+  } catch {
+    // Session read failure is non-blocking for evidence
+  }
+
+  // Build evidence entry
+  const inputStr = JSON.stringify(toolInput);
+  const resultStr =
+    typeof toolResult === "string" ? toolResult : JSON.stringify(toolResult);
+
+  const entry = {
+    seq: getNextSeq(),
+    event: hookType,
+    tool: toolName,
+    input_hash: "sha256:" + sha256(inputStr),
+    output_hash: "sha256:" + sha256(resultStr || ""),
+    output_size: resultStr ? resultStr.length : 0,
+    decision: "allow",
+    hook: HOOK_NAME,
+    category: null,
+    is_channel: isChannel,
+    session_id: sessionId,
+  };
+
+  // Collect context messages
+  const warnings = [];
+
+  // PII scan for Write/Edit tool results
+  if (PII_SCAN_TOOLS.includes(toolName)) {
+    const piiFound = detectPII(resultStr);
+    if (piiFound.length > 0) {
+      warnings.push(
+        `[${HOOK_NAME}] プレーンテキストの認証情報が検出されました: ${piiFound.join(", ")}`,
+      );
+      entry.category = "pii_detected";
+    }
+  }
+
+  // Leakage scan for WebFetch/Bash tool results
+  if (LEAKAGE_SCAN_TOOLS.includes(toolName)) {
+    if (detectLeakage(resultStr)) {
+      warnings.push(
+        `[${HOOK_NAME}] 出力にデータ漏洩の可能性があります。機密情報が含まれていないか確認してください。`,
+      );
+      entry.category = entry.category || "leakage_detected";
+    }
+  }
+
+  // Record evidence (failure must not block the response)
+  try {
+    appendEvidence(entry);
+  } catch (_) {
+    // Evidence recording failure is non-blocking
+  }
+
+  // Allow with optional warnings
+  if (warnings.length > 0) {
+    allow(warnings.join("\n"));
+  } else {
+    allow();
+  }
+} catch (_err) {
+  // Evidence hook is operational, not security-blocking.
+  // On error, allow the tool result through.
+  allow();
+}
+
+// ---------------------------------------------------------------------------
+// Exports (for testing)
+// ---------------------------------------------------------------------------
+
+module.exports = {
+  PII_PATTERNS,
+  LEAKAGE_PATTERNS,
+  detectPII,
+  detectLeakage,
+  getNextSeq,
+};