fix(v1.3.1): 5 security fixes for capabilities, AEP, and safety verifier

Critical:
- enforcer.py: case-insensitive tool name mapping — Claude Code
  PascalCase tools (Bash, Read, Write etc) now resolve correctly
  instead of falling through to generic tool:{Name}

High:
- enforcer.py: mcp:tool_call added to CONTROL_FLOW_RESOURCES,
  blocking MCP tools when data provenance is UNTRUSTED
- vaporizer.py: symlinks removed without following, preventing
  overwrite of files outside sandbox work directory
- sandbox.py: process group kill on timeout via start_new_session
  (Unix) / CREATE_NEW_PROCESS_GROUP (Windows) prevents orphaned
  child processes

Medium:
- verifier.py: path traversal normalization (subdir/../.env -> .env)
  before scope matching in verify()

All 532 tests pass.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: killertcell428

CHANGELOG.md

@@ -5,6 +5,27 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.3.1] - 2026-04-10
+
+### Fixed
+- **[Critical] Tool name case-insensitive mapping** — `enforcer.py` now resolves
+  Claude Code PascalCase tool names (`Bash`, `Read`, `Write`, `Edit`, `Agent`,
+  `Glob`, `Grep`, `WebFetch`, `NotebookEdit`, `Skill`) correctly. Previously all
+  PascalCase names fell through to `tool:{Name}`, bypassing capability enforcement.
+- **[High] MCP tools added to control-flow-sensitive set** — `mcp:tool_call` is
+  now in `_CONTROL_FLOW_RESOURCES`, blocking MCP tool execution when data
+  provenance is UNTRUSTED. Also handles `mcp__*` prefixed tool names.
+- **[High] Symlink traversal in Vaporizer** — `vaporizer.py` now detects symlinks
+  and removes them without following, preventing overwrite of files outside the
+  sandbox work directory.
+- **[High] Orphaned child process prevention** — `ProcessSandbox` now uses
+  `start_new_session` (Unix) / `CREATE_NEW_PROCESS_GROUP` (Windows) and kills the
+  entire process group on timeout, preventing background processes from outliving
+  the sandbox.
+- **[Medium] Path traversal normalization in SafetyVerifier** — `verify()` now
+  normalizes `..` segments in target paths before scope matching, so
+  `subdir/../.env` correctly matches the `.env*` forbidden scope.
+
 ## [1.3.0] - 2026-04-10
 
 ### Added — Three new architectural layers for provable security guarantees

ai_guardian/__init__.py

@@ -56,4 +56,4 @@
     # Similarity / semantic layer
     "check_similarity",
 ]
-__version__ = "1.3.0"
+__version__ = "1.3.1"

ai_guardian/aep/sandbox.py

@@ -109,24 +109,36 @@ def execute(
         safe_env = self._build_env(env)
         shell_cmd = self._shell_command(code)
 
+        # Use start_new_session (Unix) / CREATE_NEW_PROCESS_GROUP (Windows)
+        # so we can kill the entire process group on timeout, preventing
+        # child processes from outliving the sandbox.
+        is_win = platform.system() == "Windows"
+        popen_kwargs: dict = {
+            "cwd": str(work_dir),
+            "env": safe_env,
+            "stdout": subprocess.PIPE,
+            "stderr": subprocess.PIPE,
+        }
+        if not is_win:
+            popen_kwargs["start_new_session"] = True
+        else:
+            popen_kwargs["creationflags"] = subprocess.CREATE_NEW_PROCESS_GROUP
+
         t0 = time.perf_counter()
+        proc_obj = subprocess.Popen(shell_cmd, **popen_kwargs)
         try:
-            proc = subprocess.run(
-                shell_cmd,
-                capture_output=True,
-                text=True,
-                timeout=timeout,
-                cwd=str(work_dir),
-                env=safe_env,
-            )
+            stdout_b, stderr_b = proc_obj.communicate(timeout=timeout)
             elapsed_ms = (time.perf_counter() - t0) * 1000.0
-            stdout = proc.stdout
-            stderr = proc.stderr
-            exit_code = proc.returncode
-        except subprocess.TimeoutExpired as exc:
+            stdout = stdout_b.decode(errors="replace")
+            stderr = stderr_b.decode(errors="replace")
+            exit_code = proc_obj.returncode
+        except subprocess.TimeoutExpired:
+            # Kill the entire process group to prevent orphaned children
+            self._kill_process_tree(proc_obj, is_win)
+            stdout_b, stderr_b = proc_obj.communicate(timeout=5)
             elapsed_ms = (time.perf_counter() - t0) * 1000.0
-            stdout = (exc.stdout or b"").decode(errors="replace") if isinstance(exc.stdout, bytes) else (exc.stdout or "")
-            stderr = (exc.stderr or b"").decode(errors="replace") if isinstance(exc.stderr, bytes) else (exc.stderr or "")
+            stdout = stdout_b.decode(errors="replace") if stdout_b else ""
+            stderr = stderr_b.decode(errors="replace") if stderr_b else ""
             exit_code = -1
 
         # Detect files created during execution.
@@ -145,6 +157,26 @@ def execute(
     # Internals
     # ------------------------------------------------------------------
 
+    @staticmethod
+    def _kill_process_tree(proc: subprocess.Popen, is_win: bool) -> None:
+        """Kill the process and all its children."""
+        import signal
+
+        try:
+            if is_win:
+                # On Windows, kill the process tree via taskkill
+                subprocess.run(
+                    ["taskkill", "/F", "/T", "/PID", str(proc.pid)],
+                    capture_output=True,
+                    timeout=5,
+                )
+            else:
+                # On Unix, kill the entire process group
+                os.killpg(os.getpgid(proc.pid), signal.SIGKILL)
+        except (ProcessLookupError, OSError, subprocess.TimeoutExpired):
+            # Process already exited or group doesn't exist
+            proc.kill()
+
     def _build_env(self, extra: dict[str, str] | None) -> dict[str, str]:
         """Build a stripped environment from the current process env."""
         base = {k: v for k, v in os.environ.items() if k in self._safe_keys}

ai_guardian/aep/vaporizer.py

@@ -132,9 +132,17 @@ def verify_destruction(self, work_dir: Path, keep: list[str] | None = None) -> b
     def _secure_delete(self, path: Path) -> bool:
         """Overwrite *path* with random data, then unlink.
 
+        Symlinks are unlinked without following (we do NOT overwrite the
+        symlink target, which may reside outside the work directory).
+
         Returns ``True`` on success, ``False`` if the file could not be
         removed (e.g. locked on Windows).
         """
+        # Safety: never follow symlinks — just remove the link itself.
+        if path.is_symlink():
+            logger.warning("Removing symlink without following: %s -> %s", path, os.readlink(path))
+            return self._unlink_with_retry(path)
+
         try:
             size = path.stat().st_size
             # Overwrite with cryptographically random bytes.
@@ -203,12 +211,16 @@ def _normalise_keep(keep: list[str] | None) -> set[str]:
 
     @staticmethod
     def _list_files(directory: Path) -> set[str]:
-        """Return relative file paths (forward slashes) under *directory*."""
+        """Return relative file paths (forward slashes) under *directory*.
+
+        Includes symlinks as entries but does NOT follow them into
+        directories outside *directory* (prevents symlink traversal attacks).
+        """
         result: set[str] = set()
         if not directory.exists():
             return result
         for p in directory.rglob("*"):
-            if p.is_file():
+            if p.is_symlink() or p.is_file():
                 result.add(str(p.relative_to(directory)).replace("\\", "/"))
         return result
 

ai_guardian/capabilities/enforcer.py

@@ -18,11 +18,20 @@
     from ai_guardian.guard import Guard
 
 
-# Tools that affect control flow must never be driven by untrusted data
-_CONTROL_FLOW_RESOURCES = frozenset({"shell:exec", "agent:spawn", "code:eval"})
-
-# Mapping from tool names to (resource_type, target_key) pairs
+# Tools that affect control flow must never be driven by untrusted data.
+# MCP tool calls are included because MCP tools can execute arbitrary
+# actions on remote servers (file I/O, network, code execution).
+_CONTROL_FLOW_RESOURCES = frozenset({
+    "shell:exec",
+    "agent:spawn",
+    "code:eval",
+    "mcp:tool_call",
+})
+
+# Mapping from tool names (lowercase) to (resource_type, target_key) pairs.
+# Lookup is case-insensitive; see _map_tool().
 _TOOL_RESOURCE_MAP: dict[str, tuple[str, str]] = {
+    # Generic / SDK names
     "read_file": ("file:read", "path"),
     "write_file": ("file:write", "path"),
     "edit_file": ("file:write", "file_path"),
@@ -33,6 +42,17 @@
     "http_request": ("network:fetch", "url"),
     "fetch": ("network:fetch", "url"),
     "mcp_call": ("mcp:tool_call", "tool_name"),
+    # Claude Code tool names (PascalCase -> lowercase keys)
+    "read": ("file:read", "file_path"),
+    "write": ("file:write", "file_path"),
+    "edit": ("file:write", "file_path"),
+    "glob": ("file:search", "pattern"),
+    "grep": ("file:search", "pattern"),
+    "webfetch": ("network:fetch", "url"),
+    "websearch": ("network:search", "query"),
+    "agent": ("agent:spawn", "prompt"),
+    "notebookedit": ("file:write", "file_path"),
+    "skill": ("agent:spawn", "skill"),
 }
 
 
@@ -76,14 +96,25 @@ def __repr__(self) -> str:
 def _map_tool(tool_name: str) -> tuple[str, str]:
     """Map a tool name to its (resource_type, target_key) pair.
 
-    Falls back to a generic "tool:{name}" resource with "input" as the
-    target key for unknown tools.
+    Lookup is **case-insensitive** so both ``"Bash"`` (Claude Code) and
+    ``"bash"`` (generic) resolve to ``("shell:exec", "command")``.
+
+    MCP tools (``mcp__*``) are mapped to ``mcp:tool_call``.
+
+    Falls back to a generic ``"tool:{name}"`` resource with ``"input"``
+    as the target key for unknown tools.
     """
-    if tool_name in _TOOL_RESOURCE_MAP:
-        return _TOOL_RESOURCE_MAP[tool_name]
+    lower = tool_name.lower()
+
+    if lower in _TOOL_RESOURCE_MAP:
+        return _TOOL_RESOURCE_MAP[lower]
+
+    # MCP tools: mcp__server__tool_name -> mcp:tool_call
+    if lower.startswith("mcp__") or lower.startswith("mcp_"):
+        return "mcp:tool_call", "input"
 
     for prefix, (resource, _) in _TOOL_RESOURCE_MAP.items():
-        if tool_name.startswith(prefix):
+        if lower.startswith(prefix):
             return resource, "input"
 
     return f"tool:{tool_name}", "input"

ai_guardian/safety/verifier.py

@@ -212,6 +212,16 @@ def verify(
         """
         ctx = context or {}
 
+        # Pre-check: normalize target path to defeat traversal attacks
+        # (e.g. "subdir/../.env" -> ".env") before scope matching.
+        normalized_target = target.replace("\\", "/")
+        if ".." in normalized_target:
+            from pathlib import PurePosixPath
+
+            normalized_target = str(PurePosixPath(normalized_target))
+            # Also update target for downstream matching
+            target = normalized_target
+
         for spec in self._specs:
             violations: list[str] = []
             checked_invariants: list[dict] = []

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "aig-guardian"
-version = "1.3.0"
+version = "1.3.1"
 description = "AI agent security with provable guarantees: capability-based access control (CaMeL-inspired), atomic execution pipelines, and safety specification verification. 165+ patterns, 25 threat categories, OWASP LLM Top 10 + MITRE ATLAS. Zero-dependency core."
 readme = "README.md"
 license = { file = "LICENSE" }