FEAT: Implement 5-Vector Bouncer Matrix and foundational refactor

2026-04-11 16:36:06 -04:00
parent eca6610274
commit 9fcf45d918
13 changed files with 363 additions and 490 deletions
--- a/src/bouncer.lisp
+++ b/src/bouncer.lisp
@@ -1,5 +1,66 @@
 (in-package :org-agent)

+(defun bouncer-scan-secrets (text)
+  "Returns the name of the secret found in TEXT, or NIL if clean."
+  (when (and text (stringp text))
+    (let ((found-secret nil))
+      (maphash (lambda (key val)
+                 (when (and val (stringp val) (> (length val) 5))
+                   (when (search val text)
+                     (setf found-secret key))))
+               *vault-memory*)
+      found-secret)))
+
+(defun bouncer-check-network-exfil (cmd)
+  "Returns T if the command appears to target an unwhitelisted external host."
+  (when (and cmd (stringp cmd))
+    ;; Basic check for common data exfiltration tools being used with IPs/URLs
+    (let ((network-whitelist '("api.telegram.org" "matrix.org" "googleapis.com" "openai.com" "anthropic.com")))
+      (when (cl-ppcre:scan "(http|https|ftp)://([\\w\\.-]+)" cmd)
+        (multiple-value-bind (match regs) 
+            (cl-ppcre:scan-to-strings "(http|https|ftp)://([\\w\\.-]+)" cmd)
+          (declare (ignore match))
+          (let ((domain (aref regs 1)))
+            (not (some (lambda (safe) (search safe domain)) network-whitelist))))))))
+
+(defun bouncer-check (action context)
+  "The 5-Vector security gate. Blocks or queues actions based on risk."
+  (let* ((target (getf action :target))
+         (payload (getf action :payload))
+         (text (or (getf payload :text) (getf action :text)))
+         ;; Extract cmd from direct shell or tool-mediated shell call
+         (cmd (or (getf payload :cmd)
+                  (when (and (eq target :tool) (equal (getf payload :tool) "shell"))
+                    (getf (getf payload :args) :cmd))))
+         (approved (getf action :approved)))
+    
+    (cond
+      ;; 0. Bypass for already approved actions
+      (approved action)
+
+      ;; 1. Secret Exposure Vector (Hard Block)
+      ((and text (bouncer-scan-secrets text))
+       (let ((secret-name (bouncer-scan-secrets text)))
+         (kernel-log "SECURITY VIOLATION: Blocked leak of secret ~a" secret-name)
+         `(:type :log :payload (:level :error :text ,(format nil "Action blocked: Potential exposure of ~a" secret-name)))))
+
+      ;; 2. Network Exfiltration Vector (Authorization Required)
+      ((and (or (eq target :shell) 
+                (and (eq target :tool) (equal (getf payload :tool) "shell")))
+            (bouncer-check-network-exfil cmd))
+       (kernel-log "SECURITY WARNING: External network call detected. Queuing for approval.")
+       `(:type :EVENT :payload (:sensor :approval-required :action ,action)))
+
+      ;; 3. High-Impact Target Vector (Authorization Required)
+      ((or (member target '(:shell))
+           (and (eq target :tool) (member (getf payload :tool) '("shell" "repair-file") :test #'string=))
+           (and (eq target :emacs) (eq (getf payload :action) :eval)))
+       (kernel-log "SECURITY: High-impact action ~a requires approval." (or (getf payload :tool) target))
+       `(:type :EVENT :payload (:sensor :approval-required :action ,action)))
+
+      ;; 4. Default Pass
+      (t action))))
+
 (defun bouncer-process-approvals ()
  "Scans the object store for APPROVED flight plans and re-injects their actions."
  (let ((approved-nodes (list-objects-with-attribute :TODO "APPROVED"))
@@ -11,7 +72,7 @@
          (kernel-log "BOUNCER: Found approved flight plan ~a. Re-injecting..." (org-object-id node))
          (let ((action (ignore-errors (read-from-string action-str))))
            (when action
-              ;; Add bypass flag
+              ;; Mark as approved to bypass the gate
              (setf (getf action :approved) t)
              (inject-stimulus action)
              ;; Mark as DONE