npm - shield-harness - Versions diffs - 1.0.0 - Mend

shield-harness 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

package/.claude/hooks/lib/session-modules/.gitkeep +0 -0
package/.claude/hooks/lib/sh-utils.js +241 -0
package/.claude/hooks/lint-on-save.js +240 -0
package/.claude/hooks/sh-circuit-breaker.js +111 -0
package/.claude/hooks/sh-config-guard.js +252 -0
package/.claude/hooks/sh-data-boundary.js +315 -0
package/.claude/hooks/sh-dep-audit.js +101 -0
package/.claude/hooks/sh-elicitation.js +241 -0
package/.claude/hooks/sh-evidence.js +193 -0
package/.claude/hooks/sh-gate.js +330 -0
package/.claude/hooks/sh-injection-guard.js +165 -0
package/.claude/hooks/sh-instructions.js +210 -0
package/.claude/hooks/sh-output-control.js +183 -0
package/.claude/hooks/sh-permission-learn.js +223 -0
package/.claude/hooks/sh-permission.js +157 -0
package/.claude/hooks/sh-pipeline.js +639 -0
package/.claude/hooks/sh-postcompact.js +173 -0
package/.claude/hooks/sh-precompact.js +114 -0
package/.claude/hooks/sh-quiet-inject.js +147 -0
package/.claude/hooks/sh-session-end.js +143 -0
package/.claude/hooks/sh-session-start.js +196 -0
package/.claude/hooks/sh-subagent.js +86 -0
package/.claude/hooks/sh-task-gate.js +138 -0
package/.claude/hooks/sh-user-prompt.js +181 -0
package/.claude/hooks/sh-worktree.js +227 -0
package/.claude/patterns/injection-patterns.json +137 -0
package/.claude/rules/binding-governance.md +62 -0
package/.claude/rules/channel-security.md +90 -0
package/.claude/rules/coding-principles.md +79 -0
package/.claude/rules/dev-environment.md +37 -0
package/.claude/rules/implementation-context.md +112 -0
package/.claude/rules/language.md +26 -0
package/.claude/rules/security.md +109 -0
package/.claude/rules/testing.md +43 -0
package/LICENSE +21 -0
package/README.ja.md +107 -0
package/README.md +105 -0
package/bin/shield-harness.js +141 -0
package/package.json +33 -0

package/.claude/hooks/sh-elicitation.js ADDED Viewed

@@ -0,0 +1,241 @@
+#!/usr/bin/env node
+// sh-elicitation.js — Elicitation phishing & scope guard
+// Spec: DETAILED_DESIGN.md §5.5
+// Event: Elicitation
+// Target response time: < 20ms
+"use strict";
+const fs = require("fs");
+const path = require("path");
+const {
+  readHookInput,
+  allow,
+  deny,
+  nfkcNormalize,
+  appendEvidence,
+  SH_DIR,
+} = require("./lib/sh-utils");
+const HOOK_NAME = "sh-elicitation";
+const ALLOWED_MCP_FILE = path.join(
+  SH_DIR,
+  "config",
+  "allowed-mcp-servers.json",
+);
+// ---------------------------------------------------------------------------
+// Phishing Patterns
+// ---------------------------------------------------------------------------
+const PHISHING_PATTERNS = [
+  { pattern: /[0oO][0oO]gle/i, label: "google typosquatting" },
+  { pattern: /anthroplc|anthr0pic/i, label: "anthropic typosquatting" },
+  { pattern: /g[il1]thub/i, label: "github typosquatting" },
+  { pattern: /m[il1]crosoft/i, label: "microsoft typosquatting" },
+  { pattern: /\.(tk|ml|ga|cf|gq)$/i, label: "free TLD (high abuse)" },
+];
+// Excessive OAuth scopes
+const EXCESSIVE_SCOPES = ["admin", "write:all", "repo:delete", "user:email"];
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/**
+ * Extract URLs from text.
+ * @param {string} text
+ * @returns {string[]}
+ */
+function extractUrls(text) {
+  const urlRegex = /https?:\/\/[^\s"'<>]+/gi;
+  return text.match(urlRegex) || [];
+}
+/**
+ * Extract domain from URL.
+ * @param {string} url
+ * @returns {string}
+ */
+function extractDomain(url) {
+  try {
+    return new URL(url).hostname.toLowerCase();
+  } catch {
+    return "";
+  }
+}
+/**
+ * Load allowed MCP servers list.
+ * @returns {string[]}
+ */
+function loadAllowedServers() {
+  try {
+    if (!fs.existsSync(ALLOWED_MCP_FILE)) return [];
+    const data = JSON.parse(fs.readFileSync(ALLOWED_MCP_FILE, "utf8"));
+    return Array.isArray(data) ? data : data.servers || [];
+  } catch {
+    return [];
+  }
+}
+/**
+ * Check if a domain matches phishing patterns.
+ * @param {string} domain
+ * @returns {{ matched: boolean, label: string }|null}
+ */
+function checkPhishing(domain) {
+  const normalized = nfkcNormalize(domain);
+  for (const { pattern, label } of PHISHING_PATTERNS) {
+    if (pattern.test(normalized)) {
+      return { matched: true, label };
+    }
+  }
+  return null;
+}
+/**
+ * Check if requested scopes contain excessive permissions.
+ * @param {string[]} scopes
+ * @returns {string[]} excessive scopes found
+ */
+function checkExcessiveScopes(scopes) {
+  if (!Array.isArray(scopes)) return [];
+  return scopes.filter((s) =>
+    EXCESSIVE_SCOPES.some((ex) => s.toLowerCase().includes(ex.toLowerCase())),
+  );
+}
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+try {
+  const input = readHookInput();
+  const requestStr = JSON.stringify(input.toolInput);
+  // Step 1: Extract URLs
+  const urls = extractUrls(requestStr);
+  // Step 2: Check each URL for phishing
+  for (const url of urls) {
+    const domain = extractDomain(url);
+    if (!domain) continue;
+    const phishing = checkPhishing(domain);
+    if (phishing) {
+      try {
+        appendEvidence({
+          hook: HOOK_NAME,
+          event: "Elicitation",
+          decision: "deny",
+          reason: "phishing_detected",
+          domain,
+          label: phishing.label,
+          session_id: input.sessionId,
+        });
+      } catch {
+        // Non-blocking
+      }
+      deny(
+        `[${HOOK_NAME}] フィッシングドメイン検出: ${domain} (${phishing.label})`,
+      );
+    }
+  }
+  // Step 3: Check allowed MCP servers (if URLs present)
+  const allowedServers = loadAllowedServers();
+  if (urls.length > 0 && allowedServers.length > 0) {
+    for (const url of urls) {
+      const domain = extractDomain(url);
+      if (!domain) continue;
+      const isAllowed = allowedServers.some(
+        (server) => domain === server || domain.endsWith("." + server),
+      );
+      if (!isAllowed) {
+        try {
+          appendEvidence({
+            hook: HOOK_NAME,
+            event: "Elicitation",
+            decision: "deny",
+            reason: "unauthorized_mcp",
+            domain,
+            session_id: input.sessionId,
+          });
+        } catch {
+          // Non-blocking
+        }
+        deny(`[${HOOK_NAME}] 未許可の MCP サーバー: ${domain}`);
+      }
+    }
+  }
+  // Step 4: Check OAuth scopes
+  const scopes = input.toolInput.scopes || input.toolInput.scope || [];
+  const scopeList = Array.isArray(scopes)
+    ? scopes
+    : typeof scopes === "string"
+      ? scopes.split(/[,\s]+/)
+      : [];
+  const excessive = checkExcessiveScopes(scopeList);
+  if (excessive.length > 0) {
+    try {
+      appendEvidence({
+        hook: HOOK_NAME,
+        event: "Elicitation",
+        decision: "allow",
+        reason: "excessive_scope_warning",
+        scopes: excessive,
+        session_id: input.sessionId,
+      });
+    } catch {
+      // Non-blocking
+    }
+    allow(
+      `[${HOOK_NAME}] 警告: 過剰な OAuth スコープが要求されています: ${excessive.join(", ")}。本当に必要か確認してください。`,
+    );
+  }
+  // Step 5: All clean — allow
+  try {
+    appendEvidence({
+      hook: HOOK_NAME,
+      event: "Elicitation",
+      decision: "allow",
+      url_count: urls.length,
+      session_id: input.sessionId,
+    });
+  } catch {
+    // Non-blocking
+  }
+  allow();
+} catch (err) {
+  // SECURITY hook — fail-close
+  process.stdout.write(
+    JSON.stringify({
+      reason: `[${HOOK_NAME}] Hook error (fail-close): ${err.message}`,
+    }),
+  );
+  process.exit(2);
+}
+// ---------------------------------------------------------------------------
+// Exports (for testing)
+// ---------------------------------------------------------------------------
+module.exports = {
+  PHISHING_PATTERNS,
+  EXCESSIVE_SCOPES,
+  extractUrls,
+  extractDomain,
+  loadAllowedServers,
+  checkPhishing,
+  checkExcessiveScopes,
+};

package/.claude/hooks/sh-evidence.js ADDED Viewed

@@ -0,0 +1,193 @@
+#!/usr/bin/env node
+// sh-evidence.js — SHA-256 hash chain evidence recording
+// Spec: DETAILED_DESIGN.md §4.1
+// Hook events: PostToolUse, PostToolUseFailure, ElicitationResult, TeammateIdle, StopFailure
+// Matcher: "" (all tools)
+// Target response time: < 30ms
+"use strict";
+const {
+  readHookInput,
+  allow,
+  sha256,
+  appendEvidence,
+  readSession,
+  EVIDENCE_FILE,
+} = require("./lib/sh-utils");
+const fs = require("fs");
+// ---------------------------------------------------------------------------
+// Constants / Patterns
+// ---------------------------------------------------------------------------
+const HOOK_NAME = "sh-evidence";
+// PII detection patterns (FR-05-02)
+const PII_PATTERNS = [
+  /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/, // email
+  /\b\d{3}-\d{4}-\d{4}\b/, // JP phone
+  /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/, // credit card
+  /\bAIza[0-9A-Za-z_-]{35}\b/, // Google API key
+  /\bsk-[a-zA-Z0-9]{20,}\b/, // OpenAI/Anthropic key
+  /\b(AKIA|ASIA)[0-9A-Z]{16}\b/, // AWS access key
+  /\bghp_[a-zA-Z0-9]{36}\b/, // GitHub token
+];
+// Data leakage patterns (FR-03-03)
+const LEAKAGE_PATTERNS = [
+  /https?:\/\/[^?]+\?(.*)(password|token|secret|key|api_key)=/, // secrets in URL
+  /Authorization:\s*(Bearer|Basic)\s+[A-Za-z0-9+/=]+/, // auth headers
+  /data:.*base64,.*[A-Za-z0-9+/=]{100,}/, // large base64 blobs
+];
+// Tools whose output should be scanned for PII
+const PII_SCAN_TOOLS = ["Write", "Edit"];
+// Tools whose output should be scanned for leakage
+const LEAKAGE_SCAN_TOOLS = ["WebFetch", "Bash"];
+// ---------------------------------------------------------------------------
+// Helper Functions
+// ---------------------------------------------------------------------------
+/**
+ * Get the next sequence number from the evidence ledger.
+ * @returns {number}
+ */
+function getNextSeq() {
+  try {
+    const content = fs.readFileSync(EVIDENCE_FILE, "utf8").trim();
+    if (!content) return 1;
+    const lines = content.split("\n");
+    const lastEntry = JSON.parse(lines[lines.length - 1]);
+    return (lastEntry.seq || 0) + 1;
+  } catch {
+    return 1;
+  }
+}
+/**
+ * Scan text for PII patterns.
+ * @param {string} text
+ * @returns {string[]} matched pattern labels
+ */
+function detectPII(text) {
+  if (!text) return [];
+  const labels = [
+    "email",
+    "JP phone",
+    "credit card",
+    "Google API key",
+    "API secret key",
+    "AWS access key",
+    "GitHub token",
+  ];
+  const found = [];
+  for (let i = 0; i < PII_PATTERNS.length; i++) {
+    if (PII_PATTERNS[i].test(text)) {
+      found.push(labels[i]);
+    }
+  }
+  return found;
+}
+/**
+ * Scan text for data leakage patterns.
+ * @param {string} text
+ * @returns {boolean}
+ */
+function detectLeakage(text) {
+  if (!text) return false;
+  return LEAKAGE_PATTERNS.some((p) => p.test(text));
+}
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+try {
+  const input = readHookInput();
+  const { hookType, toolName, toolInput, toolResult, sessionId } = input;
+  // Check channel source for evidence metadata (§8.6.3)
+  let isChannel = false;
+  try {
+    const session = readSession();
+    isChannel = session.source === "channel";
+  } catch {
+    // Session read failure is non-blocking for evidence
+  }
+  // Build evidence entry
+  const inputStr = JSON.stringify(toolInput);
+  const resultStr =
+    typeof toolResult === "string" ? toolResult : JSON.stringify(toolResult);
+  const entry = {
+    seq: getNextSeq(),
+    event: hookType,
+    tool: toolName,
+    input_hash: "sha256:" + sha256(inputStr),
+    output_hash: "sha256:" + sha256(resultStr || ""),
+    output_size: resultStr ? resultStr.length : 0,
+    decision: "allow",
+    hook: HOOK_NAME,
+    category: null,
+    is_channel: isChannel,
+    session_id: sessionId,
+  };
+  // Collect context messages
+  const warnings = [];
+  // PII scan for Write/Edit tool results
+  if (PII_SCAN_TOOLS.includes(toolName)) {
+    const piiFound = detectPII(resultStr);
+    if (piiFound.length > 0) {
+      warnings.push(
+        `[${HOOK_NAME}] プレーンテキストの認証情報が検出されました: ${piiFound.join(", ")}`,
+      );
+      entry.category = "pii_detected";
+    }
+  }
+  // Leakage scan for WebFetch/Bash tool results
+  if (LEAKAGE_SCAN_TOOLS.includes(toolName)) {
+    if (detectLeakage(resultStr)) {
+      warnings.push(
+        `[${HOOK_NAME}] 出力にデータ漏洩の可能性があります。機密情報が含まれていないか確認してください。`,
+      );
+      entry.category = entry.category || "leakage_detected";
+    }
+  }
+  // Record evidence (failure must not block the response)
+  try {
+    appendEvidence(entry);
+  } catch (_) {
+    // Evidence recording failure is non-blocking
+  }
+  // Allow with optional warnings
+  if (warnings.length > 0) {
+    allow(warnings.join("\n"));
+  } else {
+    allow();
+  }
+} catch (_err) {
+  // Evidence hook is operational, not security-blocking.
+  // On error, allow the tool result through.
+  allow();
+}
+// ---------------------------------------------------------------------------
+// Exports (for testing)
+// ---------------------------------------------------------------------------
+module.exports = {
+  PII_PATTERNS,
+  LEAKAGE_PATTERNS,
+  detectPII,
+  detectLeakage,
+  getNextSeq,
+};