wolverine-ai 4.5.2 → 4.5.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wolverine-ai",
-  "version": "4.5.2",
+  "version": "4.5.4",
   "description": "Self-healing Node.js server framework powered by AI. Catches crashes, diagnoses errors, generates fixes, verifies, and restarts — automatically.",
   "main": "src/index.js",
   "bin": {

package/src/brain/brain.js

@@ -42,7 +42,7 @@ const SEED_DOCS = [
     metadata: { topic: "backup-system" },
   },
   {
-    text: "Wolverine security: file sandbox restricts all reads/writes to the project directory. Prompt injection detection runs on every error (regex layer + AI audit via AUDIT_MODEL). Rate limiter prevents error explosion cost with sliding window, min gap, hourly token budget, and exponential backoff for error loops.",
+    text: "Wolverine security: multi-layer defense. (1) File sandbox — restricts reads/writes to project dir, vault paths blocked. (2) Injection detector — ~50 regex patterns scan errors BEFORE AI sees them: prompt override, role hijack, code exec, env leak, bash escape, reverse shell, data exfiltration, destructive commands, framework source writes. Blocks heal entirely on detection. (3) Bash sandbox escape — _detectSandboxEscape checks every bash_exec: blocks cd outside project, writes to absolute paths, subshell escapes, curl @file exfil, pipe to tee outside project. (4) BLOCKED_COMMANDS — 18 patterns: rm -rf, mkfs, dd, shutdown, git push --force, npm publish, curl|bash, wget|sh, curl $(), cat .env, writes to src/. (5) Secret redactor — scrubs API keys, hex keys, vault paths from all output. (6) Rate limiter — sliding window + exponential backoff. (7) Adaptive rate limiter — auto-throttles server at 70%/85% CPU/memory thresholds.",
     metadata: { topic: "security" },
   },
   {
@@ -86,7 +86,7 @@ const SEED_DOCS = [
     metadata: { topic: "server-best-practices" },
   },
   {
-    text: "Wolverine editable scope: only files inside server/ can be modified by the agent. src/, bin/, tests/, .env, package.json, node_modules/ are all protected. The agent's _isProtectedPath guard blocks writes to anything outside server/. Direct edits target the script wolverine was launched with (server/index.js by default).",
+    text: "Wolverine editable scope: only files inside server/ can be modified by the agent. src/, bin/, tests/, .env, package.json, node_modules/, .wolverine/vault/ are all protected. The agent's _isProtectedPath guard blocks write_file/edit_file/move_file to protected paths. bash_exec additionally runs through _detectSandboxEscape which blocks shell commands that write outside the project via redirection, cp, mv, tee, or subshell. Vault files (master.key, eth.vault) are blocked by both sandbox and _isProtectedPath.",
     metadata: { topic: "editable-scope" },
   },
   {
@@ -110,7 +110,7 @@ const SEED_DOCS = [
     metadata: { topic: "sub-agent-workflow" },
   },
   {
-    text: "Sub-agent tool restrictions: explore gets read_file/glob/grep/git_log/git_diff/list_dir/check_env/check_port/check_memory/check_network/list_processes/inspect_db/audit_deps. plan gets read_file/glob/grep/list_dir/inspect_db/check_env/inspect_env/audit_deps/check_migration. fix gets read_file/write_file/edit_file/glob/grep/bash_exec/move_file/run_db_fix/audit_deps/restart_service. verify gets read_file/glob/grep/bash_exec/inspect_db/check_port/check_memory/check_logs. research gets read_file/grep/web_fetch/check_logs. security gets read_file/glob/grep/inspect_db/inspect_env. database gets read_file/write_file/edit_file/glob/grep/bash_exec/inspect_db/run_db_fix. 24 tools total, each sub-agent type gets tools relevant to its role.",
+    text: "Sub-agent tool restrictions: explore gets read_file/glob/grep/git_log/git_diff/list_dir/check_env/check_port/check_memory/check_network/list_processes/inspect_db/audit_deps/check_file_descriptors/inspect_cache. plan gets read_file/glob/grep/list_dir/inspect_db/check_env/inspect_env/audit_deps/check_migration/check_event_loop. fix gets read_file/write_file/edit_file/glob/grep/bash_exec/move_file/run_db_fix/audit_deps/restart_service/verify_node_modules/disk_cleanup. verify gets read_file/glob/grep/bash_exec/inspect_db/check_port/check_memory/check_logs/check_websocket/inspect_certificate. research gets read_file/grep/web_fetch/check_logs. security gets read_file/glob/grep/inspect_db/inspect_env/check_event_loop/inspect_certificate. database gets read_file/write_file/edit_file/glob/grep/bash_exec/inspect_db/run_db_fix/inspect_cache. 31 tools total across 9 categories.",
     metadata: { topic: "sub-agent-tools" },
   },
   {
@@ -226,11 +226,11 @@ const SEED_DOCS = [
     metadata: { topic: "error-monitor" },
   },
   {
-    text: "Agent tool details: read_file supports offset/limit for large files. edit_file does surgical find-and-replace (preferred for small fixes). glob_files discovers files by pattern (**/*.js). grep_code does regex search with context lines. list_dir shows directory contents with file sizes. move_file relocates/renames files. bash_exec runs shell commands (30s default timeout, 60s hard cap, dangerous commands blocked: rm -rf /, git push --force, npm publish). inspect_db reads SQLite: action=tables (list), action=schema (CREATE statements), action=query (SELECT/PRAGMA only). run_db_fix writes SQLite with SAFETY: auto-snapshots affected rows BEFORE write (SELECT WHERE matching the UPDATE/DELETE), executes the fix, snapshots AFTER, returns before/after comparison so agent can verify. Always backs up the DB file. Agent MUST inspect_db before run_db_fix — never write blind. For NaN/null data errors: prefer fixing code to handle edge cases over modifying production data. check_port finds what process is using a port (netstat/lsof). check_env lists environment variables with values redacted. audit_deps runs full npm health check. check_migration returns known upgrade paths. web_fetch retrieves URL content.",
+    text: "Agent tool details — FILE: read_file (offset/limit for large files), edit_file (surgical find-and-replace, single match), glob_files (pattern discovery, **/*.js), grep_code (regex search with context, sandbox-enforced reads), list_dir (directory listing with sizes, sandbox-checked), move_file (relocate/rename). SHELL: bash_exec (30s default, 60s cap, 18 blocked command patterns, sandbox escape detection for writes outside project, SSRF-protected). DATABASE: inspect_db (SQLite: tables/schema/query, no stacked queries via ; block), run_db_fix (auto-snapshots before/after, existence check before backup). DIAGNOSTICS: check_port (platform-aware, netstat/lsof), check_env (values redacted, secrets always show SET only), check_memory (RSS/heap/system, OOM warning), list_processes (platform-aware node processes), check_logs (journalctl/logfile with grep filter, capped 1-1000 lines), check_network (DNS/port/URL with sanitized inputs), inspect_env (names only, grouped by category). SERVER: restart_service (flag-file, not direct restart). DEPS: audit_deps (npm health score), check_migration (known upgrade paths). RESEARCH: web_fetch (SSRF blocklist for private IPs/metadata). ADVANCED: verify_node_modules (integrity vs package-lock, broken .bin, cross-platform), inspect_certificate (TLS connect, expiry/SAN/chain/self-signed), inspect_cache (Redis PING/INFO via raw TCP), disk_cleanup (safe targets: old backups + npm cache, dry-run default), check_file_descriptors (Linux /proc/fd count vs ulimit), check_event_loop (static scan for readFileSync/execSync/pbkdf2Sync patterns), check_websocket (real WS upgrade handshake test).",
     metadata: { topic: "agent-tools-detail" },
   },
   {
-    text: "Server problem categories the agent can fix: CODE BUGS (SyntaxError, TypeError, ReferenceError → edit_file), DEPENDENCIES (Cannot find module → npm install, corrupted node_modules → rm + reinstall), DATABASE (invalid entries → run_db_fix UPDATE, missing table → CREATE TABLE, schema mismatch → ALTER TABLE, constraint violation → fix data or schema), CONFIG (invalid JSON → edit_file, missing env vars → write .env, wrong port → edit config), FILESYSTEM (misplaced files → move_file, missing directories → bash_exec mkdir, wrong permissions → chmod), NETWORK (port conflict → check_port + kill, service down → restart, connection refused → check config), STATE (corrupted cache → delete + restart, stale locks → remove lock file, git conflicts → resolve markers), IDEMPOTENCY (double-fire → add idempotencyGuard middleware, missing idempotency key → add X-Idempotency-Key header support, duplicate DB entries → add UNIQUE constraint or use db.idempotent()). The agent investigates before fixing — reads files, checks directories, inspects databases, never guesses.",
+    text: "Server problem categories the agent can fix: CODE BUGS (SyntaxError/TypeError/ReferenceError → edit_file). DEPENDENCIES (Cannot find module → npm install, corrupted node_modules → verify_node_modules then rm + reinstall). DATABASE (invalid entries → inspect_db then run_db_fix, schema issues → ALTER TABLE, pool exhaustion → inspect_cache for Redis). CONFIG (invalid JSON → edit_file, missing env vars → inspect_env to check then write .env, wrong port → edit config). FILESYSTEM (misplaced files → move_file, missing dirs → bash_exec mkdir, EACCES → chmod, ENOSPC → disk_cleanup). NETWORK (port conflict → check_port + kill, ECONNREFUSED → check_network for DNS/connectivity, Redis down → inspect_cache). SSL/TLS (CERT_EXPIRED → inspect_certificate for details, self-signed → check chain). MEMORY (OOM/SIGKILL → check_memory for pressure, EMFILE → check_file_descriptors, event loop block → check_event_loop scan). WEBSOCKET (1006/disconnect → check_websocket handshake test). STATE (corrupted cache → delete + restart_service, stale locks → remove lock file). The agent investigates before fixing — reads files, checks diagnostics, inspects databases, never guesses.",
     metadata: { topic: "server-problems" },
   },
   {

package/src/security/injection-detector.js

@@ -44,15 +44,45 @@ const INJECTION_PATTERNS = [
   // Vault key material leak — CRITICAL: block heal entirely
   { pattern: /0x[0-9a-fA-F]{64}/i, label: "key-leak-critical" },
   { pattern: /master\.key|eth\.vault|\.wolverine\/vault/i, label: "vault-path-leak" },
-  // Bash sandbox escape vectors — error messages crafted to make AI write escaping commands
-  { pattern: /cd\s+\/(?!tmp)\w/i, label: "bash-escape" },
-  { pattern: />\s*\/(?!tmp|dev\/null)\w/i, label: "bash-escape" },
+  // Bash sandbox escape — mirrors BLOCKED_COMMANDS + _detectSandboxEscape from agent-engine
+  // Destructive system commands
+  { pattern: /\brm\s+-rf\s+[/\\]/i, label: "destructive-bash" },
+  { pattern: /\brmdir\s+[/\\]/i, label: "destructive-bash" },
+  { pattern: /\bformat\s+[a-z]:/i, label: "destructive-bash" },
+  { pattern: /\bmkfs\b/i, label: "destructive-bash" },
+  { pattern: /\bdd\s+if=/i, label: "destructive-bash" },
+  { pattern: /\b(shutdown|reboot|halt)\b/i, label: "destructive-bash" },
+  // Git destructive operations
+  { pattern: /\bgit\s+push\s+--force/i, label: "destructive-git" },
+  { pattern: /\bgit\s+reset\s+--hard/i, label: "destructive-git" },
+  { pattern: /\bnpm\s+publish\b/i, label: "destructive-npm" },
+  // Pipe to shell / code execution
+  { pattern: /\bcurl\b.*\|\s*(?:bash|sh)\b/i, label: "bash-pipe-exec" },
+  { pattern: /\bwget\b.*\|\s*(?:bash|sh)\b/i, label: "bash-pipe-exec" },
+  // Data exfiltration via bash
+  { pattern: /curl.*\$\(/i, label: "bash-exfil" },
   { pattern: /curl.*-[dF]\s*@/i, label: "bash-exfil" },
+  { pattern: /curl.*--data-binary\s*@/i, label: "bash-exfil" },
   { pattern: /wget.*--post-file/i, label: "bash-exfil" },
-  { pattern: /nc\s+-[lp]/i, label: "bash-reverse-shell" },
-  { pattern: /bash\s+-i/i, label: "bash-reverse-shell" },
+  { pattern: /cat\s+\.env/i, label: "bash-secret-read" },
+  // Sandbox escape — writes outside project directory
+  { pattern: /cd\s+\/(?!tmp)\w/i, label: "bash-escape" },
+  { pattern: />\s*\/(?!tmp|dev\/null)\w/i, label: "bash-escape" },
+  { pattern: /\btee\s+\/(?!tmp)\w/i, label: "bash-escape" },
+  { pattern: /\bcp\s+.*\s+\/(?!tmp)\w/i, label: "bash-escape" },
+  { pattern: /\bmv\s+.*\s+\/(?!tmp)\w/i, label: "bash-escape" },
+  // Writes to framework source (src/)
+  { pattern: />\s*src\//i, label: "bash-src-write" },
+  { pattern: /\bcp\s+.*\s+src\//i, label: "bash-src-write" },
+  { pattern: /\btee\s+.*src\//i, label: "bash-src-write" },
+  { pattern: /\bmv\s+.*\s+src\//i, label: "bash-src-write" },
+  // Reverse shell patterns
+  { pattern: /\bnc\s+-[lpe]/i, label: "bash-reverse-shell" },
+  { pattern: /\bbash\s+-i\b/i, label: "bash-reverse-shell" },
   { pattern: /\/dev\/tcp\//i, label: "bash-reverse-shell" },
-  { pattern: /mkfifo|mknod.*\/tmp/i, label: "bash-reverse-shell" },
+  { pattern: /\bmkfifo\b/i, label: "bash-reverse-shell" },
+  { pattern: /\bpython[23]?\s+-c\s+['"]import\s+(socket|os|subprocess)/i, label: "bash-reverse-shell" },
+  { pattern: /\bperl\s+-e\s+['"].*socket/i, label: "bash-reverse-shell" },
 ];
 
 /**