All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- ShellWard Core Engine (
src/core/engine.ts): Platform-agnostic AI Agent Security Middleware - SDK 模式:
import { ShellWard } from 'shellward'— 任意 AI Agent 平台可用 - Windows 兼容: 使用
os.homedir()替代process.env.HOME,支持 Windows - npm scripts:
npm run test运行全部 112 项测试
- L2/L6 审计模式: PII 仅检测并记录审计,不再脱敏 — 内部使用允许,L7 拦截外泄
- 架构重构: OpenClaw 层改为薄适配器,核心逻辑集中在 engine.ts
- README: 更新为审计模式说明,移除脱敏误导
- package.json: 增加 exports、scripts,描述对齐定位文档
- tool-blocker: file_delete 正确传入 operation='delete'
- update-check: writeCache 前确保目录存在
- test-integration: 审计日志路径使用 homedir() 兼容 Windows
- L6 Outbound Guard: Redacts PII from LLM responses via
message_sendinghook - L7 Data Flow Guard: Detects data exfiltration chains (read sensitive file → send via network)
- L8 Session Guard: Session security audit + subagent monitoring
- Canary tokens: Injected in system prompt to detect prompt exfiltration
- 6 slash commands:
/security,/audit,/harden,/scan-plugins,/check-updates,/cg - Security guide skill: Interactive deployment security assessment (
/security-guide) - Supply chain detection: Package install command monitoring
- Suspicious URL parameter detection
- L1 Prompt Guard now uses
prependSystemContextfor prompt caching (saves tokens) - Data flow guard Map capped at 500 entries to prevent memory exhaustion
- Audit log now outputs to stderr on write failures
- Security gate rejects empty action parameters
- Tool blocker: Added typeof check for command parameters
- chmod 777 regex now matches at end of string
- All type definitions updated for L6/L7/L8 layers
- 13th Chinese injection rule: XML tag injection detection
- SSN validator to reject date-like false positives
splitCommands()for command chaining attack detection (;,&&,||)- Path normalization via
resolve()to prevent../traversal bypass
- All 15 dangerous command patterns: added case-insensitive
/iflag - All 12 protected path patterns: added case-insensitive
/iflag - L1 return type:
prependSystemContextinstead ofsystemPrompt - L2 event structure:
event.message.content[]array processing - L3/L4 field names:
event.toolName/event.paramsper OpenClaw API - Config validation: mode, locale, and threshold clamping
- Initial release with 5 defense layers (L1-L5)
- L1 Prompt Guard: Security rules injection via
before_prompt_build - L2 Output Scanner: PII/secret redaction via
tool_result_persist - L3 Tool Blocker: Dangerous command/path blocking via
before_tool_call - L4 Input Auditor: Prompt injection detection (12 EN + 12 ZH rules)
- L5 Security Gate: Defense-in-depth tool via
registerTool - Chinese PII detection: ID card (checksum), phone, bank card (Luhn)
- Global PII detection: API keys, JWT, passwords, SSN, credit cards, emails
- 15 dangerous command rules
- 12 protected path rules
- JSONL audit log with 100MB auto-rotation
- Bilingual support (EN/ZH) with auto-detection
- Dual mode: enforce (block+log) / audit (log only)