thumbgate 0.9.10

package/scripts/prompt-dlp.js

@@ -0,0 +1,221 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * Prompt-Level DLP — real-time PII/secret scanning for agent tool call inputs.
+ *
+ * "Block the prompt, not the work" — scans the agent's proposed action
+ * BEFORE it executes. If PII or secrets are detected in the tool call input,
+ * the action is blocked or the content is redacted before reaching the tool.
+ *
+ * Integrates with PreToolUse hooks and the existing PII scanner.
+ */
+
+const { scanForPii, redactPii, sensitivityRank } = require('./pii-scanner');
+const { SECRET_PATTERNS } = require('./secret-scanner');
+const fs = require('fs');
+const path = require('path');
+const { resolveFeedbackDir } = require('./feedback-paths');
+
+const DLP_LOG_FILE = 'dlp-events.jsonl';
+const DEFAULT_MAX_SENSITIVITY = 'internal'; // block sensitive + restricted
+
+function getDlpLogPath() {
+  return path.join(resolveFeedbackDir(), DLP_LOG_FILE);
+}
+
+function ensureDir(fp) { const d = path.dirname(fp); if (!fs.existsSync(d)) fs.mkdirSync(d, { recursive: true }); }
+
+/**
+ * Scan a tool call input for PII and secrets before execution.
+ * Returns { allowed, findings, action, redactedInput }.
+ *
+ * @param {Object} opts
+ * @param {string} opts.toolName - Name of the tool being called
+ * @param {string} opts.input - The tool call input/arguments
+ * @param {string} [opts.agentId] - Agent making the call
+ * @param {string} [opts.maxSensitivity] - Max allowed sensitivity level
+ */
+function scanToolCallInput({ toolName, input, agentId, maxSensitivity } = {}) {
+  const inputStr = typeof input === 'string' ? input : JSON.stringify(input || '');
+  const maxSens = maxSensitivity || DEFAULT_MAX_SENSITIVITY;
+
+  // Scan for PII
+  const piiScan = scanForPii(inputStr);
+
+  // Scan for secrets
+  const secretFindings = [];
+  for (const pattern of SECRET_PATTERNS) {
+    pattern.regex.lastIndex = 0;
+    const matches = inputStr.match(pattern.regex);
+    if (matches && matches.length > 0) {
+      secretFindings.push({ id: pattern.id, label: pattern.label, matchCount: matches.length, sensitivity: 'restricted' });
+    }
+  }
+
+  const allFindings = [...piiScan.findings, ...secretFindings];
+  const highestSensitivity = allFindings.length > 0
+    ? allFindings.reduce((max, f) => sensitivityRank(f.sensitivity) > sensitivityRank(max) ? f.sensitivity : max, 'public')
+    : 'public';
+
+  const blocked = sensitivityRank(highestSensitivity) > sensitivityRank(maxSens);
+  const action = blocked ? 'block' : allFindings.length > 0 ? 'redact' : 'allow';
+
+  const event = {
+    id: `dlp_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+    timestamp: new Date().toISOString(),
+    toolName: toolName || 'unknown',
+    agentId: agentId || 'unknown',
+    action,
+    findingCount: allFindings.length,
+    highestSensitivity,
+    maxSensitivity: maxSens,
+    findings: allFindings.map((f) => ({ id: f.id, label: f.label, sensitivity: f.sensitivity })),
+  };
+
+  // Log the event
+  const logPath = getDlpLogPath();
+  ensureDir(logPath);
+  fs.appendFileSync(logPath, JSON.stringify(event) + '\n');
+
+  return {
+    allowed: !blocked,
+    action,
+    findings: allFindings,
+    findingCount: allFindings.length,
+    highestSensitivity,
+    redactedInput: allFindings.length > 0 ? redactPii(inputStr) : inputStr,
+    event,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Shadow Tool Detection
+// ---------------------------------------------------------------------------
+
+const KNOWN_GATED_TOOLS = new Set([
+  'Bash', 'Edit', 'Write', 'Read', 'Glob', 'Grep',
+  'capture_feedback', 'recall', 'search_lessons', 'prevention_rules',
+  'feedback_stats', 'construct_context_pack', 'evaluate_context_pack',
+]);
+
+const SHADOW_LOG_FILE = 'shadow-actions.jsonl';
+
+function getShadowLogPath() {
+  return path.join(resolveFeedbackDir(), SHADOW_LOG_FILE);
+}
+
+/**
+ * Check if a tool call is going through a gated path or is a "shadow" action.
+ */
+function detectShadowAction({ toolName, source, agentId } = {}) {
+  const isGated = KNOWN_GATED_TOOLS.has(toolName);
+  const isShadow = !isGated && source !== 'mcp';
+
+  if (isShadow) {
+    const event = {
+      id: `shadow_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+      timestamp: new Date().toISOString(),
+      toolName: toolName || 'unknown',
+      source: source || 'unknown',
+      agentId: agentId || 'unknown',
+      gated: false,
+    };
+    const logPath = getShadowLogPath();
+    ensureDir(logPath);
+    fs.appendFileSync(logPath, JSON.stringify(event) + '\n');
+    return { isShadow: true, event };
+  }
+
+  return { isShadow: false, event: null };
+}
+
+/**
+ * Get shadow action stats.
+ */
+function getShadowStats({ periodHours = 24 } = {}) {
+  const logPath = getShadowLogPath();
+  if (!fs.existsSync(logPath)) return { total: 0, byTool: {}, byAgent: {} };
+  const raw = fs.readFileSync(logPath, 'utf-8').trim();
+  if (!raw) return { total: 0, byTool: {}, byAgent: {} };
+  const cutoff = Date.now() - periodHours * 60 * 60 * 1000;
+  const entries = raw.split('\n').map((l) => { try { return JSON.parse(l); } catch { return null; } }).filter(Boolean)
+    .filter((e) => new Date(e.timestamp).getTime() > cutoff);
+
+  const byTool = {};
+  const byAgent = {};
+  for (const e of entries) {
+    byTool[e.toolName] = (byTool[e.toolName] || 0) + 1;
+    byAgent[e.agentId] = (byAgent[e.agentId] || 0) + 1;
+  }
+  return { total: entries.length, byTool, byAgent };
+}
+
+// ---------------------------------------------------------------------------
+// Governance Score
+// ---------------------------------------------------------------------------
+
+/**
+ * Compute a governance score for an agent session.
+ * Aggregates: gate decisions, DLP scans, access checks, shadow actions.
+ * Returns 0-100 score.
+ */
+function computeGovernanceScore({ gateDecisions = [], dlpEvents = [], shadowActions = 0, accessAttempts = { authorized: 0, failed: 0 } } = {}) {
+  let score = 100;
+
+  // Gate decisions: each block = -2, each warn = -1
+  const blocks = gateDecisions.filter((d) => d === 'deny' || d === 'block').length;
+  const warns = gateDecisions.filter((d) => d === 'warn').length;
+  score -= blocks * 2;
+  score -= warns * 1;
+
+  // DLP events: each blocked finding = -5, each redacted = -1
+  const dlpBlocks = dlpEvents.filter((e) => e.action === 'block').length;
+  const dlpRedacts = dlpEvents.filter((e) => e.action === 'redact').length;
+  score -= dlpBlocks * 5;
+  score -= dlpRedacts * 1;
+
+  // Shadow actions: each = -3
+  score -= shadowActions * 3;
+
+  // Failed access: each = -2
+  score -= (accessAttempts.failed || 0) * 2;
+
+  return {
+    score: Math.max(0, Math.min(100, score)),
+    breakdown: {
+      gateBlocks: blocks,
+      gateWarns: warns,
+      dlpBlocks,
+      dlpRedacts,
+      shadowActions,
+      failedAccess: accessAttempts.failed || 0,
+    },
+    grade: score >= 90 ? 'A' : score >= 80 ? 'B' : score >= 70 ? 'C' : score >= 60 ? 'D' : 'F',
+  };
+}
+
+/**
+ * Get DLP event stats for a time period.
+ */
+function getDlpStats({ periodHours = 24 } = {}) {
+  const logPath = getDlpLogPath();
+  if (!fs.existsSync(logPath)) return { total: 0, blocked: 0, redacted: 0, allowed: 0 };
+  const raw = fs.readFileSync(logPath, 'utf-8').trim();
+  if (!raw) return { total: 0, blocked: 0, redacted: 0, allowed: 0 };
+  const cutoff = Date.now() - periodHours * 60 * 60 * 1000;
+  const entries = raw.split('\n').map((l) => { try { return JSON.parse(l); } catch { return null; } }).filter(Boolean)
+    .filter((e) => new Date(e.timestamp).getTime() > cutoff);
+  return {
+    total: entries.length,
+    blocked: entries.filter((e) => e.action === 'block').length,
+    redacted: entries.filter((e) => e.action === 'redact').length,
+    allowed: entries.filter((e) => e.action === 'allow').length,
+  };
+}
+
+module.exports = {
+  scanToolCallInput, detectShadowAction, getShadowStats,
+  computeGovernanceScore, getDlpStats, getDlpLogPath, getShadowLogPath,
+  KNOWN_GATED_TOOLS, DEFAULT_MAX_SENSITIVITY,
+};

package/scripts/prompt-guard.js

@@ -0,0 +1,83 @@
+#!/usr/bin/env node
+'use strict';
+
+const { scanText, buildSafeSummary, redactText } = require('./secret-scanner');
+
+function getFeedbackLoopModule() {
+  try {
+    return require('./feedback-loop');
+  } catch {
+    return null;
+  }
+}
+
+function buildPromptGuardOutput(scanResult) {
+  return {
+    continue: false,
+    suppressOutput: true,
+    stopReason: buildSafeSummary(
+      scanResult.findings,
+      'Prompt blocked because it appears to contain secret material'
+    ),
+  };
+}
+
+function evaluatePromptGuard(prompt, options = {}) {
+  const text = String(prompt || '');
+  if (!text.trim()) {
+    return null;
+  }
+
+  const scanResult = scanText(text, { provider: options.provider, source: 'prompt' });
+  if (!scanResult.detected) {
+    return null;
+  }
+
+  const feedbackLoop = getFeedbackLoopModule();
+  if (feedbackLoop && typeof feedbackLoop.appendDiagnosticRecord === 'function') {
+    feedbackLoop.appendDiagnosticRecord({
+      source: 'secret_guard',
+      step: 'user_prompt_submit',
+      context: redactText(text).slice(0, 400),
+      metadata: {
+        provider: scanResult.provider,
+        promptLength: text.length,
+      },
+      diagnosis: {
+        diagnosed: true,
+        rootCauseCategory: 'guardrail_triggered',
+        criticalFailureStep: 'user_prompt_submit',
+        violations: scanResult.findings.map((finding) => ({
+          constraintId: `security:${finding.id || 'secret_exfiltration'}`,
+          description: finding.reason || finding.label || 'Secret exposure blocked',
+          metadata: {
+            label: finding.label || finding.id || 'secret',
+            line: finding.line || null,
+            source: finding.source || null,
+          },
+        })),
+        evidence: scanResult.findings.map((finding) => finding.label || finding.id || 'secret'),
+      },
+    });
+  }
+
+  return buildPromptGuardOutput(scanResult);
+}
+
+function main() {
+  const prompt = process.env.CLAUDE_USER_PROMPT || process.env.THUMBGATE_USER_PROMPT || '';
+  const result = evaluatePromptGuard(prompt);
+  if (!result) {
+    return;
+  }
+  process.stdout.write(`${JSON.stringify(result)}\n`);
+}
+
+if (require.main === module) {
+  main();
+}
+
+module.exports = {
+  buildPromptGuardOutput,
+  evaluatePromptGuard,
+};