shieldcortex 3.4.37 → 4.0.0

package/plugins/openclaw/dist/interceptor.js

@@ -0,0 +1,280 @@
+import { createHash } from 'node:crypto';
+import { mkdirSync, appendFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+const WATCHED_TOOLS = ['remember', 'mcp__memory__remember'];
+const CONTENT_FIELDS = {
+    remember: ['content', 'title'],
+    mcp__memory__remember: ['content', 'title'],
+};
+const DEFAULT_CONFIG = {
+    enabled: true,
+    severityActions: {
+        low: 'log',
+        medium: 'warn',
+        high: 'require_approval',
+        critical: 'require_approval',
+    },
+    failurePolicy: {
+        low: 'allow',
+        medium: 'allow',
+        high: 'deny',
+        critical: 'deny',
+    },
+};
+export { WATCHED_TOOLS, CONTENT_FIELDS, DEFAULT_CONFIG };
+export function extractContent(toolName, args) {
+    const fields = CONTENT_FIELDS[toolName];
+    if (!fields)
+        return { title: '', content: '' };
+    const title = typeof args.title === 'string' ? args.title : '';
+    const content = typeof args.content === 'string' ? args.content : '';
+    return { title, content };
+}
+export function mapSeverity(firewall) {
+    if (firewall.result === 'BLOCK')
+        return 'critical';
+    if (firewall.result === 'QUARANTINE')
+        return 'high';
+    if (firewall.result === 'ALLOW' && firewall.anomalyScore >= 0.3)
+        return 'medium';
+    return 'low';
+}
+// --- Deny Cache ---
+// Exact replica of normalizeMemoryText() from index.ts (lines 426-434).
+// Must produce identical output for SHA-256 hash consistency.
+function normaliseContent(text) {
+    return String(text || '')
+        .toLowerCase()
+        .replace(/[`"'\\]/g, ' ')
+        .replace(/https?:\/\/\S+/g, ' ')
+        .replace(/[^a-z0-9\s]/g, ' ')
+        .replace(/\s+/g, ' ')
+        .trim();
+}
+function hashContent(text) {
+    return createHash('sha256').update(normaliseContent(text)).digest('hex');
+}
+const TWO_HOURS_MS = 2 * 60 * 60 * 1000;
+export class DenyCache {
+    cache = new Map();
+    maxPerTool;
+    ttlMs;
+    constructor(maxPerTool = 200, ttlMs = TWO_HOURS_MS) {
+        this.maxPerTool = maxPerTool;
+        this.ttlMs = ttlMs;
+    }
+    isDenied(tool, content) {
+        const entries = this.cache.get(tool);
+        if (!entries)
+            return false;
+        const hash = hashContent(content);
+        const now = Date.now();
+        return entries.some(e => e.hash === hash && (now - e.ts) < this.ttlMs);
+    }
+    addDenial(tool, content) {
+        const hash = hashContent(content);
+        const now = Date.now();
+        if (!this.cache.has(tool)) {
+            this.cache.set(tool, []);
+        }
+        const entries = this.cache.get(tool);
+        const live = entries.filter(e => (now - e.ts) < this.ttlMs);
+        if (live.some(e => e.hash === hash))
+            return;
+        live.push({ hash, ts: now });
+        while (live.length > this.maxPerTool) {
+            live.shift();
+        }
+        this.cache.set(tool, live);
+    }
+    reset() {
+        this.cache.clear();
+    }
+}
+// --- Rate Limiter ---
+export class RateLimiter {
+    timestamps = [];
+    maxPerWindow;
+    windowMs;
+    constructor(maxPerWindow = 5, windowMs = 60_000) {
+        this.maxPerWindow = maxPerWindow;
+        this.windowMs = windowMs;
+    }
+    shouldAllow() {
+        const now = Date.now();
+        this.timestamps = this.timestamps.filter(t => now - t < this.windowMs);
+        if (this.timestamps.length >= this.maxPerWindow)
+            return false;
+        this.timestamps.push(now);
+        return true;
+    }
+}
+export function formatApprovalPrompt(input) {
+    const preview = input.content.length > 200
+        ? input.content.slice(0, 200) + '...'
+        : input.content;
+    const threatList = input.threats.length > 0
+        ? input.threats.join(', ')
+        : 'none identified';
+    return [
+        '🛡️ ShieldCortex — Tool Call Intercepted',
+        '',
+        `Tool:       ${input.tool}`,
+        `Risk:       ${input.severity} (${input.firewallResult})`,
+        `Threats:    ${threatList}`,
+        `Content:    "${preview}"`,
+        '',
+        '[Approve]  [Deny]',
+    ].join('\n');
+}
+// --- Audit Logging (local JSONL) ---
+const AUDIT_DIR = join(homedir(), '.shieldcortex', 'audit');
+function writeAuditEntry(entry) {
+    try {
+        mkdirSync(AUDIT_DIR, { recursive: true });
+        const date = new Date().toISOString().slice(0, 10);
+        const file = join(AUDIT_DIR, `realtime-${date}.jsonl`);
+        appendFileSync(file, JSON.stringify(entry) + '\n');
+    }
+    catch {
+        // Best-effort — never block on audit failure
+    }
+}
+export function createInterceptor(config, pipeline, options) {
+    const denyCache = new DenyCache();
+    const rateLimiter = new RateLimiter(options?.maxPromptsPerMinute ?? 5);
+    const log = config.logger ?? { info: console.log, warn: console.warn };
+    const onAuditEntry = options?.onAuditEntry;
+    function emitAudit(entry) {
+        writeAuditEntry(entry);
+        onAuditEntry?.(entry);
+    }
+    async function handleToolCall(context) {
+        if (!WATCHED_TOOLS.includes(context.toolName))
+            return;
+        const { title, content } = extractContent(context.toolName, context.arguments);
+        const fullContent = [title, content].filter(Boolean).join(' ');
+        if (!fullContent.trim())
+            return;
+        let severity;
+        let firewallResult;
+        let threats;
+        let anomalyScore;
+        try {
+            const result = pipeline(content, title, { type: 'agent', identifier: 'openclaw' });
+            severity = mapSeverity(result.firewall);
+            firewallResult = result.firewall.result;
+            threats = result.firewall.threatIndicators;
+            anomalyScore = result.firewall.anomalyScore;
+        }
+        catch (err) {
+            log.warn(`[shieldcortex] ⚠️ Defence pipeline error: ${err instanceof Error ? err.message : err}`);
+            const failAction = config.failurePolicy.high;
+            const entry = {
+                type: 'intercept', tool: context.toolName, severity: 'high',
+                firewallResult: 'ERROR', threats: ['pipeline_error'], anomalyScore: 0,
+                action: 'require_approval', outcome: failAction === 'deny' ? 'failure_denied' : 'failure_allowed',
+                preview: fullContent.slice(0, 200), ts: new Date().toISOString(),
+            };
+            emitAudit(entry);
+            if (failAction === 'deny') {
+                throw new Error('ShieldCortex: tool call blocked — pipeline error, failure policy: deny');
+            }
+            return;
+        }
+        if (denyCache.isDenied(context.toolName, fullContent)) {
+            const entry = {
+                type: 'intercept', tool: context.toolName, severity, firewallResult,
+                threats, anomalyScore, action: 'auto_deny', outcome: 'auto_denied',
+                preview: fullContent.slice(0, 200), ts: new Date().toISOString(),
+            };
+            emitAudit(entry);
+            throw new Error('ShieldCortex: tool call auto-denied (previously denied content)');
+        }
+        const action = config.severityActions[severity];
+        if (action === 'log') {
+            const entry = {
+                type: 'intercept', tool: context.toolName, severity, firewallResult,
+                threats, anomalyScore, action: 'log', outcome: 'logged',
+                preview: fullContent.slice(0, 200), ts: new Date().toISOString(),
+            };
+            emitAudit(entry);
+            return;
+        }
+        if (action === 'warn') {
+            log.warn(`[shieldcortex] ⚠️ ${severity} risk in ${context.toolName}: ${threats.join(', ') || 'anomaly detected'}`);
+            const entry = {
+                type: 'intercept', tool: context.toolName, severity, firewallResult,
+                threats, anomalyScore, action: 'warn', outcome: 'warned',
+                preview: fullContent.slice(0, 200), ts: new Date().toISOString(),
+            };
+            emitAudit(entry);
+            return;
+        }
+        // action === 'require_approval'
+        if (typeof context.requireApproval !== 'function') {
+            log.warn(`[shieldcortex] ⚠️ requireApproval not available — falling back to warn for ${severity} risk in ${context.toolName}`);
+            const entry = {
+                type: 'intercept', tool: context.toolName, severity, firewallResult,
+                threats, anomalyScore, action: 'warn', outcome: 'warned',
+                preview: fullContent.slice(0, 200), ts: new Date().toISOString(),
+            };
+            emitAudit(entry);
+            return;
+        }
+        if (!rateLimiter.shouldAllow()) {
+            log.warn('[shieldcortex] ⚠️ Too many approval prompts — auto-denying');
+            const entry = {
+                type: 'intercept', tool: context.toolName, severity, firewallResult,
+                threats, anomalyScore, action: 'rate_limit', outcome: 'auto_denied',
+                preview: fullContent.slice(0, 200), ts: new Date().toISOString(),
+            };
+            emitAudit(entry);
+            denyCache.addDenial(context.toolName, fullContent);
+            throw new Error('ShieldCortex: tool call auto-denied (rate limit exceeded)');
+        }
+        const message = formatApprovalPrompt({ tool: context.toolName, severity, firewallResult, threats, content: fullContent });
+        let approved;
+        try {
+            approved = await context.requireApproval(message);
+        }
+        catch (err) {
+            const failAction = config.failurePolicy[severity];
+            log.warn(`[shieldcortex] ⚠️ requireApproval error: ${err instanceof Error ? err.message : err} — failure policy: ${failAction}`);
+            const entry = {
+                type: 'intercept', tool: context.toolName, severity, firewallResult,
+                threats, anomalyScore, action: 'require_approval',
+                outcome: failAction === 'deny' ? 'failure_denied' : 'failure_allowed',
+                preview: fullContent.slice(0, 200), ts: new Date().toISOString(),
+            };
+            emitAudit(entry);
+            if (failAction === 'deny') {
+                throw new Error(`ShieldCortex: tool call blocked — requireApproval error, failure policy: deny`);
+            }
+            return;
+        }
+        if (approved) {
+            const entry = {
+                type: 'intercept', tool: context.toolName, severity, firewallResult,
+                threats, anomalyScore, action: 'require_approval', outcome: 'approved',
+                preview: fullContent.slice(0, 200), ts: new Date().toISOString(),
+            };
+            emitAudit(entry);
+            return;
+        }
+        // Denied
+        denyCache.addDenial(context.toolName, fullContent);
+        const entry = {
+            type: 'intercept', tool: context.toolName, severity, firewallResult,
+            threats, anomalyScore, action: 'require_approval', outcome: 'denied',
+            preview: fullContent.slice(0, 200), ts: new Date().toISOString(),
+        };
+        emitAudit(entry);
+        throw new Error('ShieldCortex: tool call denied by user');
+    }
+    function resetSession() {
+        denyCache.reset();
+    }
+    return { handleToolCall, resetSession };
+}

package/plugins/openclaw/dist/openclaw.plugin.json

@@ -1,8 +1,8 @@
 {
   "id": "shieldcortex-realtime",
-  "version": "3.4.33",
+  "version": "3.5.0",
   "name": "ShieldCortex Real-time Scanner",
-  "description": "Real-time defence scanning on LLM input and memory extraction on LLM output.",
+  "description": "Real-time defence scanning on LLM input, memory extraction on LLM output, and active tool call interception with approval gating.",
   "uiHints": {
     "binaryPath": {
       "label": "ShieldCortex Binary Path",
@@ -40,11 +40,26 @@
       "label": "Recent Memory Cache Size",
       "help": "How many recent extracted memories to keep in the dedupe cache.",
       "advanced": true
+    },
+    "interceptor.enabled": {
+      "label": "Enable Tool Call Interceptor",
+      "description": "Scan memory-write tool calls and gate suspicious content behind user approval",
+      "type": "boolean"
+    },
+    "interceptor.severityActions.high": {
+      "label": "High Severity Action",
+      "description": "Action for high-severity threats (log, warn, require_approval)",
+      "type": "string"
+    },
+    "interceptor.severityActions.critical": {
+      "label": "Critical Severity Action",
+      "description": "Action for critical-severity threats (log, warn, require_approval)",
+      "type": "string"
     }
   },
   "configSchema": {
     "type": "object",
-    "additionalProperties": false,
+    "additionalProperties": true,
     "properties": {
       "enabled": {
         "type": "boolean"
@@ -73,6 +88,30 @@
         "type": "integer",
         "minimum": 50,
         "maximum": 1000
+      },
+      "interceptor": {
+        "type": "object",
+        "properties": {
+          "enabled": { "type": "boolean", "default": true },
+          "severityActions": {
+            "type": "object",
+            "properties": {
+              "low": { "type": "string", "enum": ["log", "warn", "require_approval"], "default": "log" },
+              "medium": { "type": "string", "enum": ["log", "warn", "require_approval"], "default": "warn" },
+              "high": { "type": "string", "enum": ["log", "warn", "require_approval"], "default": "require_approval" },
+              "critical": { "type": "string", "enum": ["log", "warn", "require_approval"], "default": "require_approval" }
+            }
+          },
+          "failurePolicy": {
+            "type": "object",
+            "properties": {
+              "low": { "type": "string", "enum": ["allow", "deny"], "default": "allow" },
+              "medium": { "type": "string", "enum": ["allow", "deny"], "default": "allow" },
+              "high": { "type": "string", "enum": ["allow", "deny"], "default": "deny" },
+              "critical": { "type": "string", "enum": ["allow", "deny"], "default": "deny" }
+            }
+          }
+        }
       }
     }
   }