typeclaw 0.3.1 → 0.5.0

package/src/bundled-plugins/memory/strength.ts

@@ -0,0 +1,127 @@
+// Strength signals for MEMORY.md topics, derived mechanically from citations.
+//
+// What "strength" means here is structural, not semantic — we measure how
+// many times and over how many distinct days a topic has been reinforced by
+// observation fragments. The reasoning lives in dreaming.ts's system prompt;
+// this file only produces the numbers the prompt will reference.
+//
+// Why distinct days matters more than raw citation count: five fragments on
+// one day == one debugging session that mentioned the same thing five times
+// (a transient burst). Five fragments across five days == a recurring fact
+// the user keeps coming back to (a stable signal). The promotion ladder in
+// the dreaming subagent's prompt is gated on distinct-days, not count, for
+// exactly this reason — see the "spacing effect" note in the PR description.
+//
+// All numbers here are deterministic. The same MEMORY.md parsed against the
+// same `today` always yields the same TopicStrength list. There is no LLM
+// involvement at this layer; the subagent receives these numbers as ground
+// truth and uses them to decide what to merge or demote.
+
+import { parseTopics, type Topic } from './topics'
+
+export type TopicStrength = {
+  heading: string
+  citationCount: number
+  distinctDays: number
+  // ISO date (yyyy-MM-dd) of the most recent citation, or null when the
+  // topic has zero citations. Null is distinct from "very old": a topic with
+  // no citations at all is a different shape than one whose last citation
+  // was a year ago, and the subagent should treat them differently (the
+  // former is a typo or a manual edit; the latter is a decayed-but-real
+  // topic).
+  lastReinforcedDate: string | null
+  // Whole-day delta from today to lastReinforcedDate. Null when
+  // lastReinforcedDate is null. Negative values are clamped to 0 (a citation
+  // dated in the future is treated as "today" — the only way this happens
+  // is a clock skew between memory-logger and the dreaming run, and the
+  // subagent shouldn't be punished for the runtime's confusion).
+  daysSinceLastReinforced: number | null
+}
+
+export function computeTopicStrengths(memoryText: string, today: string): TopicStrength[] {
+  const topics = parseTopics(memoryText)
+  return topics.map((topic) => computeOneTopicStrength(topic, today))
+}
+
+function computeOneTopicStrength(topic: Topic, today: string): TopicStrength {
+  const citationCount = topic.citations.length
+  const distinctDates = new Set(topic.citations.map((c) => c.date))
+  const distinctDays = distinctDates.size
+  const lastReinforcedDate = pickLatestDate([...distinctDates])
+  const daysSinceLastReinforced = lastReinforcedDate ? daysBetween(today, lastReinforcedDate) : null
+  return {
+    heading: topic.heading,
+    citationCount,
+    distinctDays,
+    lastReinforcedDate,
+    daysSinceLastReinforced,
+  }
+}
+
+function pickLatestDate(dates: readonly string[]): string | null {
+  if (dates.length === 0) return null
+  let latest = dates[0]!
+  for (let i = 1; i < dates.length; i++) {
+    const candidate = dates[i]!
+    if (candidate.localeCompare(latest) > 0) latest = candidate
+  }
+  return latest
+}
+
+// Whole-day delta in UTC between two yyyy-MM-dd strings. Date.UTC parses each
+// date as midnight UTC, so the difference is always an integer count of
+// 86_400_000ms windows regardless of timezone or DST. Returns 0 for invalid
+// inputs (treats the topic as "fresh" rather than throwing — defensive
+// because both inputs are produced by the runtime, but a corrupted MEMORY.md
+// citation date is the kind of thing we want to fail open on).
+function daysBetween(today: string, earlier: string): number {
+  const todayMs = parseIsoDateUtc(today)
+  const earlierMs = parseIsoDateUtc(earlier)
+  if (todayMs === null || earlierMs === null) return 0
+  const deltaDays = Math.floor((todayMs - earlierMs) / 86_400_000)
+  return deltaDays < 0 ? 0 : deltaDays
+}
+
+function parseIsoDateUtc(date: string): number | null {
+  const match = /^(\d{4})-(\d{2})-(\d{2})$/.exec(date)
+  if (!match) return null
+  const year = Number.parseInt(match[1]!, 10)
+  const month = Number.parseInt(match[2]!, 10)
+  const day = Number.parseInt(match[3]!, 10)
+  const ms = Date.UTC(year, month - 1, day)
+  return Number.isFinite(ms) ? ms : null
+}
+
+// Render the strength signals as a markdown table the dreaming subagent can
+// read at the top of its user prompt. Returns an empty string when the
+// topic list is empty so the caller can prepend it unconditionally.
+//
+// Column choices: heading first because it's the human-recognizable handle;
+// `cites` and `days` are short enough to align nicely; `last` carries the
+// date itself so the subagent can compare to today without re-doing the
+// arithmetic. Headings are truncated to keep the table readable when a
+// topic was given a long sentence-shaped heading — the citation count is
+// still accurate, only the display label is shortened.
+export function renderTopicStrengthsTable(strengths: readonly TopicStrength[]): string {
+  if (strengths.length === 0) return ''
+  const rows = strengths.map((s) => ({
+    heading: truncateHeading(s.heading || '(untitled)'),
+    cites: String(s.citationCount),
+    days: String(s.distinctDays),
+    last: s.lastReinforcedDate ?? '—',
+    ageDays: s.daysSinceLastReinforced === null ? '—' : String(s.daysSinceLastReinforced),
+  }))
+  const lines = ['| topic | cites | days | last reinforced | age (d) |', '| --- | ---: | ---: | --- | ---: |']
+  for (const row of rows) {
+    lines.push(`| ${row.heading} | ${row.cites} | ${row.days} | ${row.last} | ${row.ageDays} |`)
+  }
+  return lines.join('\n')
+}
+
+const HEADING_MAX_CHARS = 60
+
+function truncateHeading(heading: string): string {
+  const escaped = heading.replace(/\|/g, '\\|')
+  if (escaped.length <= HEADING_MAX_CHARS) return escaped
+  return `${escaped.slice(0, HEADING_MAX_CHARS - 1)}…`
+}

package/src/bundled-plugins/memory/topics.ts

@@ -0,0 +1,75 @@
+// Topic-aware parser for MEMORY.md. The dreaming subagent writes MEMORY.md as
+// a flat list of level-2 topic headings (`## <topic>`), each followed by a
+// conclusion paragraph and a `fragments:` bullet list of citations. The
+// citation parser in citations.ts is global (every citation in the file);
+// this module attributes citations to their owning topic so the dreaming
+// subagent can see per-topic strength signals (citation count, distinct
+// reinforcement days, recency) on its next run.
+//
+// Format assumptions match what dreaming.ts's DREAMING_SYSTEM_PROMPT teaches:
+//   - First line is `# Memory` (an h1). Treated as a non-topic header.
+//   - Topics are h2s (`## <topic>`). Anything below an h2 and above the next
+//     h2 (or EOF) belongs to that topic.
+//   - Citations in a topic's body — wherever they appear, bullet-list or
+//     inline prose — count toward that topic's strength.
+//   - Content above the first h2 (e.g. preamble after `# Memory`) is
+//     attributed to no topic and its citations are dropped from the per-topic
+//     aggregation. parseCitations from citations.ts still picks them up if
+//     anything downstream needs the global view.
+//
+// The parser is intentionally permissive: it never throws on malformed
+// MEMORY.md. A subagent that writes a header with no body or a topic with no
+// citations still parses cleanly with an empty `citations` array. The
+// strength layer then treats those topics as "weak" — which is the right
+// behavior, since they ARE weak.
+
+import { type Citation, parseCitations } from './citations'
+
+export type Topic = {
+  // The heading text after `## ` with surrounding whitespace trimmed. Empty
+  // string is allowed (`## ` with no title) so a malformed write still
+  // round-trips through the parser; the strength layer surfaces empty
+  // headings as themselves so the subagent can clean them up.
+  heading: string
+  // Citations attached to this topic, deduplicated per `(date, fragmentId)`.
+  // The dedupe happens inside parseCitations (which returns a Set of ids per
+  // date), so a fragment cited twice in one topic — once in inline prose,
+  // once in the fragments: block — counts only once toward strength signals.
+  // Order is by date insertion in parseCitations, not by appearance in the
+  // topic body; consumers that need appearance order should re-parse.
+  citations: Citation[]
+}
+
+const HEADING_LEVEL_2 = /^##\s+(.*)$/
+
+// Split MEMORY.md into ordered topics with their citations attached. Returns
+// an empty array when no `## ` heading appears.
+export function parseTopics(text: string): Topic[] {
+  const lines = text.split('\n')
+  const topics: Topic[] = []
+  let current: { heading: string; body: string[] } | undefined
+
+  const flush = (): void => {
+    if (!current) return
+    const bodyText = current.body.join('\n')
+    const grouped = parseCitations(bodyText)
+    const citations: Citation[] = []
+    for (const [date, ids] of grouped) {
+      for (const fragmentId of ids) citations.push({ date, fragmentId })
+    }
+    topics.push({ heading: current.heading, citations })
+  }
+
+  for (const line of lines) {
+    const match = HEADING_LEVEL_2.exec(line)
+    if (match) {
+      flush()
+      current = { heading: (match[1] ?? '').trim(), body: [] }
+      continue
+    }
+    if (current) current.body.push(line)
+  }
+  flush()
+
+  return topics
+}

package/src/bundled-plugins/security/index.ts

@@ -1,53 +1,88 @@
 import { definePlugin } from '@/plugin'
 
-import { SECURITY_PERMISSIONS } from './permissions'
-import type { SecurityPermission } from './permissions'
-import { checkGitExfilGuard, checkGitRemoteTaintedGuard, recordGitRemoteTaintIfAny } from './policies/git-exfil'
-import { checkOutboundSecretGuard } from './policies/outbound-secret-scan'
+import { HIGH_TIER_PER_GUARD_PERMISSIONS, SECURITY_PERMISSIONS, SEVERITY_PERMISSION } from './permissions'
+import type { SecurityPermission, SecuritySeverity } from './permissions'
+import {
+  GUARD_GIT_EXFIL_SEVERITY,
+  GUARD_GIT_REMOTE_TAINTED_SEVERITY,
+  checkGitExfilGuard,
+  checkGitRemoteTaintedGuard,
+  recordGitRemoteTaintIfAny,
+} from './policies/git-exfil'
+import { GUARD_OUTBOUND_SECRET_SEVERITY, checkOutboundSecretGuard } from './policies/outbound-secret-scan'
 import { applyPromptInjectionDefense } from './policies/prompt-injection'
 import { clearSessionTaints } from './policies/remote-taint-state'
-import { checkSecretExfilBashGuard } from './policies/secret-exfil-bash'
-import { checkSecretExfilReadGuard } from './policies/secret-exfil-read'
-import { checkSessionSearchSecretsGuard } from './policies/session-search-secrets'
-import { checkSsrfGuard } from './policies/ssrf'
-import { checkSystemPromptLeakGuard } from './policies/system-prompt-leak'
+import { GUARD_SECRET_EXFIL_BASH_SEVERITY, checkSecretExfilBashGuard } from './policies/secret-exfil-bash'
+import { GUARD_SECRET_EXFIL_READ_SEVERITY, checkSecretExfilReadGuard } from './policies/secret-exfil-read'
+import {
+  GUARD_SESSION_SEARCH_SECRETS_SEVERITY,
+  checkSessionSearchSecretsGuard,
+} from './policies/session-search-secrets'
+import { GUARD_SSRF_SEVERITY, checkSsrfGuard } from './policies/ssrf'
+import { GUARD_SYSTEM_PROMPT_LEAK_SEVERITY, checkSystemPromptLeakGuard } from './policies/system-prompt-leak'
 import type { SecurityBlock } from './policy'
 
-export { SECURITY_PERMISSIONS, type SecurityPermission } from './permissions'
+export {
+  HIGH_TIER_PER_GUARD_PERMISSIONS,
+  SECURITY_PERMISSIONS,
+  type SecurityPermission,
+  type SecuritySeverity,
+  SEVERITY_PERMISSION,
+} from './permissions'
 
-// Maps each security bypass permission to a one-line hint about which
-// built-in roles carry it. The `satisfies` clause is load-bearing: it
-// forces exhaustive coverage of `SecurityPermission` at compile time, so
-// adding a new `SECURITY_PERMISSIONS` entry without a hint here is a type
-// error rather than a silent fallback to the inaccurate default. `owner`
-// always carries every `security.bypass.*` via the wildcard expansion in
-// builtins.ts, so the hint must mention owner even for permissions where
-// it's the only carrier.
+// Per-guard permission strings only — tier strings are deliberately
+// absent. Block messages name the per-guard permission AND the tier
+// permission separately (see withPermissionHint); the per-guard hint
+// table answers "which roles carry THIS specific bypass by default."
+type PerGuardSecurityPermission = Exclude<
+  SecurityPermission,
+  | typeof SECURITY_PERMISSIONS.bypassLow
+  | typeof SECURITY_PERMISSIONS.bypassMedium
+  | typeof SECURITY_PERMISSIONS.bypassHigh
+>
+
+// The satisfies clause forces exhaustive coverage of per-guard
+// permissions at compile time — adding a new SECURITY_PERMISSIONS entry
+// (other than a new tier string) without a hint here is a type error,
+// not a silent fallback.
 const BYPASS_ROLE_HINT = {
-  [SECURITY_PERMISSIONS.bypassSecretExfilBash]: 'owner and trusted have it by default',
-  [SECURITY_PERMISSIONS.bypassGitExfil]: 'only owner has it by default',
-  [SECURITY_PERMISSIONS.bypassGitRemoteTainted]: 'only owner has it by default',
-  [SECURITY_PERMISSIONS.bypassSecretExfilRead]: 'only owner has it by default',
-  [SECURITY_PERMISSIONS.bypassSsrf]: 'only owner has it by default',
-  [SECURITY_PERMISSIONS.bypassSessionSearchSecrets]: 'only owner has it by default',
-  [SECURITY_PERMISSIONS.bypassSystemPromptLeak]: 'only owner has it by default',
-  [SECURITY_PERMISSIONS.bypassOutboundSecret]: 'only owner has it by default',
-} as const satisfies Record<SecurityPermission, string>
+  [SECURITY_PERMISSIONS.bypassSecretExfilBash]:
+    'only owner has it by default (medium tier; trusted does NOT carry this — operators can grant `security.bypass.secretExfilBash` explicitly in roles.trusted.permissions[] if they want the pre-PR ergonomics back)',
+  [SECURITY_PERMISSIONS.bypassGitExfil]:
+    'NOBODY has it by default — high tier requires per-call ack from every role, including owner. Operators can grant `security.bypass.gitExfil` explicitly in roles.<role>.permissions[] to re-open the auto-bypass for one role.',
+  [SECURITY_PERMISSIONS.bypassGitRemoteTainted]:
+    'NOBODY has it by default — high tier requires per-call ack from every role. Even an operator-granted `security.bypass.gitExfil` does NOT bypass this second-step taint check (the recorder still fires for the first step, so the push is still gated).',
+  [SECURITY_PERMISSIONS.bypassSecretExfilRead]: 'only owner has it by default (medium tier)',
+  [SECURITY_PERMISSIONS.bypassSsrf]: 'only owner has it by default (medium tier)',
+  [SECURITY_PERMISSIONS.bypassSessionSearchSecrets]: 'only owner has it by default (medium tier)',
+  [SECURITY_PERMISSIONS.bypassSystemPromptLeak]:
+    'NOBODY has it by default — high tier requires per-call ack from every role, including owner.',
+  [SECURITY_PERMISSIONS.bypassOutboundSecret]:
+    'NOBODY has it by default — high tier requires per-call ack from every role, including owner. The audience-leak rule: even owner posting to a public channel must not silently include credentials.',
+} as const satisfies Record<PerGuardSecurityPermission, string>
 
 function withPermissionHint(
   result: SecurityBlock | undefined,
-  permission: SecurityPermission,
+  permission: PerGuardSecurityPermission,
+  severity: SecuritySeverity,
 ): SecurityBlock | undefined {
   if (!result) return result
-  const hint = BYPASS_ROLE_HINT[permission]
+  const perGuardHint = BYPASS_ROLE_HINT[permission]
+  const tierPerm = SEVERITY_PERMISSION[severity]
   return {
     block: true,
-    reason: `${result.reason} Or run as a role carrying \`${permission}\` (${hint}); see the \`typeclaw-permissions\` skill.`,
+    reason: `${result.reason} Or run as a role carrying \`${permission}\` (${perGuardHint}) or the tier permission \`${tierPerm}\`; see the \`typeclaw-permissions\` skill.`,
   }
 }
 
 export default definePlugin({
   permissions: Object.values(SECURITY_PERMISSIONS),
+  // High-tier per-guard strings AND the `security.bypass.high` tier
+  // string itself are excluded from the owner-wildcard expansion. Owner
+  // still has the wildcard sentinel (so future low/medium plugin-
+  // contributed bypasses keep auto-flowing to owner), but audience-leak
+  // guards require either per-call ack or an explicit operator grant.
+  ownerWildcardExclusions: [...HIGH_TIER_PER_GUARD_PERMISSIONS, SECURITY_PERMISSIONS.bypassHigh],
   plugin: async (ctx) => ({
     hooks: {
       'session.prompt': async (event) => {
@@ -55,68 +90,78 @@ export default definePlugin({
       },
       'tool.before': async (event) => {
         const can = (perm: string) => ctx.permissions.has(event.origin, perm)
+        const canBypass = (severity: SecuritySeverity, perGuardPerm: string): boolean =>
+          can(SEVERITY_PERMISSION[severity]) || can(perGuardPerm)
 
         // Taint-recording runs FIRST, independently of the gitExfil guard.
         // The gitRemoteTainted defense depends on it. We pass through
-        // `permittedBypass` for actors who can skip gitExfil via permission
-        // so the recorder still fires for them (an acked or
-        // permission-bypassed command will actually run, so its remote
-        // change must be remembered).
+        // `permittedBypass` for actors who can skip gitExfil (via either the
+        // per-guard permission or the medium-tier permission) so the
+        // recorder still fires for them — an acked or permission-bypassed
+        // command will actually run, so its remote change must be remembered.
         recordGitRemoteTaintIfAny({
           tool: event.tool,
           args: event.args,
           sessionId: event.sessionId,
-          permittedBypass: can(SECURITY_PERMISSIONS.bypassGitExfil),
+          permittedBypass: canBypass(GUARD_GIT_EXFIL_SEVERITY, SECURITY_PERMISSIONS.bypassGitExfil),
         })
 
         const checks: (SecurityBlock | undefined)[] = [
-          can(SECURITY_PERMISSIONS.bypassGitRemoteTainted)
+          canBypass(GUARD_GIT_REMOTE_TAINTED_SEVERITY, SECURITY_PERMISSIONS.bypassGitRemoteTainted)
             ? undefined
             : withPermissionHint(
                 checkGitRemoteTaintedGuard({ tool: event.tool, args: event.args, sessionId: event.sessionId }),
                 SECURITY_PERMISSIONS.bypassGitRemoteTainted,
+                GUARD_GIT_REMOTE_TAINTED_SEVERITY,
               ),
-          can(SECURITY_PERMISSIONS.bypassSecretExfilBash)
+          canBypass(GUARD_SECRET_EXFIL_BASH_SEVERITY, SECURITY_PERMISSIONS.bypassSecretExfilBash)
             ? undefined
             : withPermissionHint(
                 checkSecretExfilBashGuard({ tool: event.tool, args: event.args }),
                 SECURITY_PERMISSIONS.bypassSecretExfilBash,
+                GUARD_SECRET_EXFIL_BASH_SEVERITY,
               ),
-          can(SECURITY_PERMISSIONS.bypassGitExfil)
+          canBypass(GUARD_GIT_EXFIL_SEVERITY, SECURITY_PERMISSIONS.bypassGitExfil)
             ? undefined
             : withPermissionHint(
                 checkGitExfilGuard({ tool: event.tool, args: event.args, sessionId: event.sessionId }),
                 SECURITY_PERMISSIONS.bypassGitExfil,
+                GUARD_GIT_EXFIL_SEVERITY,
               ),
-          can(SECURITY_PERMISSIONS.bypassSecretExfilRead)
+          canBypass(GUARD_SECRET_EXFIL_READ_SEVERITY, SECURITY_PERMISSIONS.bypassSecretExfilRead)
             ? undefined
             : withPermissionHint(
                 checkSecretExfilReadGuard({ tool: event.tool, args: event.args }),
                 SECURITY_PERMISSIONS.bypassSecretExfilRead,
+                GUARD_SECRET_EXFIL_READ_SEVERITY,
               ),
-          can(SECURITY_PERMISSIONS.bypassSsrf)
+          canBypass(GUARD_SSRF_SEVERITY, SECURITY_PERMISSIONS.bypassSsrf)
             ? undefined
             : withPermissionHint(
                 checkSsrfGuard({ tool: event.tool, args: event.args }),
                 SECURITY_PERMISSIONS.bypassSsrf,
+                GUARD_SSRF_SEVERITY,
               ),
-          can(SECURITY_PERMISSIONS.bypassSessionSearchSecrets)
+          canBypass(GUARD_SESSION_SEARCH_SECRETS_SEVERITY, SECURITY_PERMISSIONS.bypassSessionSearchSecrets)
             ? undefined
             : withPermissionHint(
                 checkSessionSearchSecretsGuard({ tool: event.tool, args: event.args }),
                 SECURITY_PERMISSIONS.bypassSessionSearchSecrets,
+                GUARD_SESSION_SEARCH_SECRETS_SEVERITY,
               ),
-          can(SECURITY_PERMISSIONS.bypassSystemPromptLeak)
+          canBypass(GUARD_SYSTEM_PROMPT_LEAK_SEVERITY, SECURITY_PERMISSIONS.bypassSystemPromptLeak)
             ? undefined
             : withPermissionHint(
                 checkSystemPromptLeakGuard({ tool: event.tool, args: event.args }),
                 SECURITY_PERMISSIONS.bypassSystemPromptLeak,
+                GUARD_SYSTEM_PROMPT_LEAK_SEVERITY,
               ),
-          can(SECURITY_PERMISSIONS.bypassOutboundSecret)
+          canBypass(GUARD_OUTBOUND_SECRET_SEVERITY, SECURITY_PERMISSIONS.bypassOutboundSecret)
             ? undefined
             : withPermissionHint(
                 checkOutboundSecretGuard({ tool: event.tool, args: event.args }),
                 SECURITY_PERMISSIONS.bypassOutboundSecret,
+                GUARD_OUTBOUND_SECRET_SEVERITY,
               ),
         ]
         for (const result of checks) {

package/src/bundled-plugins/security/permissions.ts

@@ -1,3 +1,5 @@
+export type SecuritySeverity = 'low' | 'medium' | 'high'
+
 export const SECURITY_PERMISSIONS = {
   bypassSecretExfilBash: 'security.bypass.secretExfilBash',
   bypassGitExfil: 'security.bypass.gitExfil',
@@ -7,6 +9,40 @@ export const SECURITY_PERMISSIONS = {
   bypassSystemPromptLeak: 'security.bypass.systemPromptLeak',
   bypassOutboundSecret: 'security.bypass.outboundSecret',
   bypassGitRemoteTainted: 'security.bypass.gitRemoteTainted',
+  // Severity-tier bypasses. Tiers classify guards on a two-axis policy:
+  //   high   — bypass sends data to a third-party audience outside the
+  //            operator's control loop (channel readers, remote git host).
+  //            NO role auto-bypasses; ack required from every role.
+  //   medium — bypass produces silent attacker-favorable state in model
+  //            context (env dump, .env contents, IAM creds, secret-shaped
+  //            session-search hits). Owner bypasses, trusted does not.
+  //   low    — bypass produces a noisy, immediately-recoverable side
+  //            effect. Owner and trusted bypass. No inhabitants today.
+  // Per-guard permissions above continue to work as explicit grants —
+  // `tool.before` accepts EITHER the tier OR the per-guard string (OR
+  // check). This lets operators knowingly re-open a single high-tier
+  // guard for one role without widening the whole tier.
+  bypassLow: 'security.bypass.low',
+  bypassMedium: 'security.bypass.medium',
+  bypassHigh: 'security.bypass.high',
 } as const
 
 export type SecurityPermission = (typeof SECURITY_PERMISSIONS)[keyof typeof SECURITY_PERMISSIONS]
+
+export const SEVERITY_PERMISSION: Record<SecuritySeverity, string> = {
+  low: SECURITY_PERMISSIONS.bypassLow,
+  medium: SECURITY_PERMISSIONS.bypassMedium,
+  high: SECURITY_PERMISSIONS.bypassHigh,
+}
+
+// Per-guard permission strings whose guards are classified `high`. The
+// owner-wildcard expander excludes these so the wildcard sentinel does
+// not auto-grant high-tier bypass to owner. Operators who explicitly
+// want to re-open a high-tier bypass for owner (or any role) can still
+// add the per-guard string to that role's `permissions[]` by hand.
+export const HIGH_TIER_PER_GUARD_PERMISSIONS: readonly string[] = [
+  SECURITY_PERMISSIONS.bypassGitExfil,
+  SECURITY_PERMISSIONS.bypassGitRemoteTainted,
+  SECURITY_PERMISSIONS.bypassOutboundSecret,
+  SECURITY_PERMISSIONS.bypassSystemPromptLeak,
+]

package/src/bundled-plugins/security/policies/git-exfil.ts

@@ -1,8 +1,28 @@
+import type { SecuritySeverity } from '../permissions'
 import { ACKNOWLEDGE_GUARDS, type SecurityBlock, isGuardAcknowledged } from '../policy'
 import { getRemoteTaint, recordRemoteTaint } from './remote-taint-state'
 
 export const GUARD_GIT_EXFIL = 'gitExfil'
+// Classified `high` (audience-leak axis): `git push` sends every tracked
+// file to a remote git host. The host (GitHub/GitLab/attacker-controlled
+// box) is a third-party audience outside the operator's control loop.
+// Even a private remote owned by an attacker is now outside the
+// perimeter. No role auto-bypasses high — owner pushing from TUI must ack
+// each push. The historical per-guard string `security.bypass.gitExfil`
+// remains valid as an explicit grant for operators who knowingly want to
+// re-open the auto-bypass (see SKILL.md must-not-do guidance).
+export const GUARD_GIT_EXFIL_SEVERITY: SecuritySeverity = 'high'
 export const GUARD_GIT_REMOTE_TAINTED = 'gitRemoteTainted'
+// Classified `high` (audience-leak axis): same path as gitExfil, second
+// step. A push after a mid-session `git remote set-url` to an
+// attacker-controlled URL is exactly the breach pattern that motivated
+// the entire security plugin per PR #134. The recorder-vs-checker split
+// (see comment on recordGitRemoteTaintIfAny below) is still load-bearing:
+// the recorder fires for anyone who can run the underlying command (ack
+// or the per-guard `bypassGitExfil` grant), so even if an operator
+// explicitly grants `bypassGitExfil` to a role, the second-step taint
+// check still fires on the eventual push.
+export const GUARD_GIT_REMOTE_TAINTED_SEVERITY: SecuritySeverity = 'high'
 
 // Anchors we reuse: a `git` token must be at start-of-line or follow a shell
 // separator. This blocks `git push` while letting `cgit-something` through

package/src/bundled-plugins/security/policies/outbound-secret-scan.ts

@@ -1,6 +1,18 @@
+import type { SecuritySeverity } from '../permissions'
 import { ACKNOWLEDGE_GUARDS, type SecurityBlock, isGuardAcknowledged } from '../policy'
 
 export const GUARD_OUTBOUND_SECRET = 'outboundSecret'
+// Classified `high` (audience-leak axis): bypass posts credential-shaped
+// text to a chat channel whose readership is a third-party audience
+// outside the operator's control loop. Channel readers, push-notification
+// previews, search indexes, and other bots in the channel all see the
+// secret before the operator can intervene. Owner-in-public-channel is
+// the canonical motivating case: even owner asking the agent to "post the
+// deploy status" should not be able to silently include a stack-trace
+// `Bearer ghp_...` line. The whole point of the high tier is that
+// audience-leak guards require per-call ack from every role, including
+// owner — see AGENTS.md `## Permissions` rules of thumb.
+export const GUARD_OUTBOUND_SECRET_SEVERITY: SecuritySeverity = 'high'
 
 const SIGNATURE_PATTERNS: ReadonlyArray<{ kind: string; pattern: RegExp }> = [
   { kind: 'aws_access_key_id', pattern: /\b(?:AKIA|ASIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ABIA|ACCA)[A-Z0-9]{16}\b/ },

package/src/bundled-plugins/security/policies/prompt-injection.ts

@@ -463,10 +463,30 @@ export function detectPromptInjection(prompt: string): InjectionMatch[] {
 
 const DEFENSE_MARKER = '[security/prompt-injection]'
 
+// Subagent prompts are constructed by trusted bundled code, not from raw
+// user input. The backup-diagnose subagent in particular embeds raw git
+// stderr (which legitimately contains literal "git push --help" hint
+// strings on fast-forward rejection or missing-upstream failures) — those
+// hits would otherwise trigger the git_exfil category and inject a "do
+// NOT run git push" rule that contradicts the subagent's own
+// system-prompt instructions to retry with an ack. Under the audience-
+// leak policy the runtime tool.before is the universal backstop for
+// `git push` regardless of role (no role auto-bypasses), so the prompt-
+// side git_exfil category is strictly redundant for subagent origins.
+// Other categories (system_prompt_dump, secret_demand,
+// fake_privileged_skill) still fire for subagents because their threats
+// (e.g. memory-logger ingesting an attacker's transcript) are real.
+function filterForOrigin(matches: InjectionMatch[], origin: SessionPromptEvent['origin']): InjectionMatch[] {
+  if (origin?.kind !== 'subagent') return matches
+  return matches.filter((m) => m.category !== 'git_exfil')
+}
+
 export function applyPromptInjectionDefense(event: SessionPromptEvent): InjectionMatch[] {
-  const matches = detectPromptInjection(event.prompt)
-  if (matches.length === 0) return matches
-  if (event.prompt.includes(DEFENSE_MARKER)) return matches
+  const allMatches = detectPromptInjection(event.prompt)
+  if (allMatches.length === 0) return allMatches
+  if (event.prompt.includes(DEFENSE_MARKER)) return allMatches
+  const matches = filterForOrigin(allMatches, event.origin)
+  if (matches.length === 0) return allMatches
 
   const categories = Array.from(new Set(matches.map((m) => m.category))).join(', ')
   const note = [

package/src/bundled-plugins/security/policies/secret-exfil-bash.ts

@@ -1,6 +1,13 @@
+import type { SecuritySeverity } from '../permissions'
 import { ACKNOWLEDGE_GUARDS, type SecurityBlock, isGuardAcknowledged } from '../policy'
 
 export const GUARD_SECRET_EXFIL_BASH = 'secretExfilBash'
+// Classified `medium` (silent-attack axis): bypass dumps the whole
+// environment (every API key, every token) into the agent's tool-result
+// buffer. No direct channel side effect — operator only sees on session
+// review — but the secrets are now in model context and one channel_send
+// away from a third-party audience. Silent at the moment of leak.
+export const GUARD_SECRET_EXFIL_BASH_SEVERITY: SecuritySeverity = 'medium'
 
 const DANGEROUS_COMMAND_PATTERNS: ReadonlyArray<{ pattern: RegExp; label: string }> = [
   { pattern: /(^|[\s;|&(`$])(env|printenv)([\s;|&)`]|$)/, label: 'env / printenv (full environment dump)' },

package/src/bundled-plugins/security/policies/secret-exfil-read.ts

@@ -1,8 +1,14 @@
 import path from 'node:path'
 
+import type { SecuritySeverity } from '../permissions'
 import { ACKNOWLEDGE_GUARDS, type SecurityBlock, isGuardAcknowledged } from '../policy'
 
 export const GUARD_SECRET_EXFIL_READ = 'secretExfilRead'
+// Classified `medium` (silent-attack axis): bypass returns `.env` /
+// credential-file contents into model context. Same shape as
+// secretExfilBash — silent at the moment of read, becomes catastrophic on
+// the next channel-side tool call that quotes it.
+export const GUARD_SECRET_EXFIL_READ_SEVERITY: SecuritySeverity = 'medium'
 
 const SENSITIVE_BASENAMES = new Set([
   '.env',

package/src/bundled-plugins/security/policies/session-search-secrets.ts

@@ -1,6 +1,15 @@
+import type { SecuritySeverity } from '../permissions'
 import { ACKNOWLEDGE_GUARDS, type SecurityBlock, isGuardAcknowledged } from '../policy'
 
 export const GUARD_SESSION_SEARCH_SECRETS = 'sessionSearchSecrets'
+// Classified `medium` (silent-attack axis): bypass returns secret-shaped
+// session-search hits into the agent's tool-result buffer. The operator
+// doesn't see the raw hits — the agent summarizes them — so the leak is
+// silent from the operator's perspective even though it's a read tool.
+// The hits then live in model context as a precondition for a later
+// channel_send leak; outboundSecret would catch the actual send, but
+// silent-recon-then-summarize is its own attack shape.
+export const GUARD_SESSION_SEARCH_SECRETS_SEVERITY: SecuritySeverity = 'medium'
 
 const SESSION_SEARCH_TOOLS: ReadonlySet<string> = new Set([
   'session_search',

package/src/bundled-plugins/security/policies/ssrf.ts

@@ -1,6 +1,12 @@
+import type { SecuritySeverity } from '../permissions'
 import { ACKNOWLEDGE_GUARDS, type SecurityBlock, isGuardAcknowledged } from '../policy'
 
 export const GUARD_SSRF = 'ssrf'
+// Classified `medium` (silent-attack axis): bypass lets `curl
+// http://169.254.169.254/...` return cloud-metadata IAM credentials into
+// model context. Silent — no channel side effect at the moment of fetch.
+// Catastrophic on follow-up because the model now has live cloud creds.
+export const GUARD_SSRF_SEVERITY: SecuritySeverity = 'medium'
 
 const ALWAYS_BLOCKED_HOSTS = new Set([
   'localhost',

package/src/bundled-plugins/security/policies/system-prompt-leak.ts

@@ -1,6 +1,13 @@
+import type { SecuritySeverity } from '../permissions'
 import { ACKNOWLEDGE_GUARDS, type SecurityBlock, isGuardAcknowledged } from '../policy'
 
 export const GUARD_SYSTEM_PROMPT_LEAK = 'systemPromptLeak'
+// Classified `high` (audience-leak axis): bypass posts TypeClaw runtime
+// fingerprints / system-prompt fragments to a chat. Same shape as
+// outboundSecret — third-party audience, no operator intervention before
+// the leak lands. Disclosure also enables recon for later targeted
+// prompt-injection attacks against this agent.
+export const GUARD_SYSTEM_PROMPT_LEAK_SEVERITY: SecuritySeverity = 'high'
 
 const FINGERPRINT_PATTERNS: ReadonlyArray<{ label: string; pattern: RegExp }> = [
   { label: 'TypeClaw runtime preamble', pattern: /You are a general-purpose AI agent running inside TypeClaw\./ },