shieldset:
version: 2
policy:
workspace_probe:
enabled: true
prod_signals:
- ".env.production"
- ".env.prod"
- "prod/"
- "production/"
- "Procfile"
- ".terraform/terraform.tfstate"
- "kubeconfig"
- ".kube/config"
- "production.yml"
- "production.yaml"
- "k8s/prod/"
- "deploy/prod/"
severity_bump: 1
decision_memory:
enabled: true
demote_after_approvals: 3
escalate_on_deny_days: 7
burst_detector:
enabled: true
window_seconds: 300
threshold: 5
composite_scoring:
enabled: true
thresholds:
medium: 2
high: 5
critical: 9
supply_chain:
pinning: true
on_changed_tool: block on_new_tool: warn
rules:
- id: sql.drop_database
severity: Critical
points: 6
where: tool_call
match:
tool: [execute_sql, postgres.query, postgres.execute, mysql.query, snowflake.query, bigquery.query]
sql_matches: ['(?i)\bDROP\s+DATABASE\b']
reason: "DROP DATABASE is never auto-allowed."
safer_alternative: "If you really need to remove a database, do it through your provider's console with a tested backup. Shield will not let an agent execute this."
- id: sql.drop_table_or_schema
severity: High
points: 4
where: tool_call
match:
tool: [execute_sql, postgres.query, postgres.execute, mysql.query, snowflake.query, bigquery.query]
sql_matches:
- '(?i)\bDROP\s+(TABLE|SCHEMA|MATERIALIZED\s+VIEW)\s+\w+'
- '(?i)\bTRUNCATE\s+TABLE\b'
reason: "DROP TABLE / TRUNCATE TABLE require human approval."
safer_alternative: "Rename to *_to_drop_YYYYMMDD first, leave for 7 days, then drop. Shield will approve the rename."
- id: sql.alter_table_drop_column
severity: High
points: 3
where: tool_call
match:
tool: [execute_sql, postgres.query, postgres.execute, mysql.query, snowflake.query, bigquery.query]
sql_matches: ['(?i)\bALTER\s+TABLE\s+\S+\s+DROP\s+COLUMN\b']
reason: "ALTER TABLE DROP COLUMN is irreversible and can break downstream readers."
safer_alternative: "Mark the column NOT NULL DEFAULT NULL and stop writing to it; drop in a later migration."
- id: sql.unscoped_delete
severity: High
points: 4
where: tool_call
match:
tool: [execute_sql, postgres.query, postgres.execute, mysql.query, snowflake.query, bigquery.query]
sql_predicates: [unscoped_delete]
reason: "Unbounded DELETE FROM needs approval -- add a WHERE clause."
safer_alternative: "Add a WHERE clause that scopes to specific rows, e.g. `DELETE FROM users WHERE id IN (...)` or `WHERE created_at < NOW() - INTERVAL '30 days'`."
- id: sql.unscoped_update
severity: High
points: 4
where: tool_call
match:
tool: [execute_sql, postgres.query, postgres.execute, mysql.query, snowflake.query, bigquery.query]
sql_predicates: [unscoped_update]
reason: "Unbounded UPDATE affects every row in the table. Includes tautological WHERE clauses (e.g. `WHERE col = FALSE` paired with `SET col = TRUE`) where the WHERE selects exactly the rows the SET would change -- functionally equivalent to no WHERE."
safer_alternative: "Add a WHERE clause that narrows by something OTHER than the column being SET, e.g. `WHERE id = 7`, `WHERE created_at > NOW() - INTERVAL '7 days'`, or `WHERE tenant_id = $1`. If you really mean every row, run it in a transaction with a row-count assertion and request approval."
- id: sql.grant_or_revoke_all
severity: Medium
points: 2
where: tool_call
match:
tool: [execute_sql, postgres.query, postgres.execute, mysql.query]
sql_matches: ['(?i)\b(GRANT|REVOKE)\s+ALL\b']
reason: "Wildcard privilege change -- recorded for review."
safer_alternative: "Grant only the specific privileges needed (SELECT, INSERT, UPDATE), not ALL."
- id: sql.revoke_from_public
severity: High
points: 3
where: tool_call
match:
tool: [execute_sql, postgres.query, postgres.execute, mysql.query]
sql_matches: ['(?i)\bREVOKE\b.*\bFROM\s+PUBLIC\b']
reason: "REVOKE ... FROM PUBLIC can lock out every role at once."
safer_alternative: "Revoke from specific roles instead of PUBLIC; verify role membership first."
- id: sql.copy_from_program
severity: Critical
points: 6
where: tool_call
match:
tool: [execute_sql, postgres.query, postgres.execute]
sql_matches: ['(?i)\bCOPY\b.*\bFROM\s+PROGRAM\b']
reason: "COPY ... FROM PROGRAM gives the database server shell access -- used in Postgres RCE chains."
safer_alternative: "Use COPY FROM STDIN with the data inlined; never let the server spawn a shell."
- id: sql.load_data_infile
severity: High
points: 3
where: tool_call
match:
tool: [execute_sql, mysql.query]
sql_matches: ['(?i)\bLOAD\s+DATA\s+(LOCAL\s+)?INFILE\b']
reason: "LOAD DATA INFILE reads server-side files -- historically used to exfiltrate /etc/passwd."
safer_alternative: "Use LOAD DATA LOCAL INFILE with explicit per-row column lists, or import via your application code."
- id: git.force_push_protected
severity: Critical
points: 6
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec, git, github.run_command]
any_param_matches:
- '\bgit\s+push\s+.*(--force\b|--force-with-lease\b|\s-f\b)\s+(origin\s+)?(main|master|prod|release/.*)\b'
reason: "Force-push to a protected branch is forbidden."
safer_alternative: "Open a PR with the corrected history; ask a human to fast-forward main."
- id: git.history_rewrite
severity: High
points: 3
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec, git, github.run_command]
any_param_matches:
- '\bgit\s+(filter-branch|filter-repo|reflog\s+expire|gc\s+--prune=now|update-ref\s+-d|reset\s+--hard\s+HEAD~)'
reason: "Rewriting shared git history needs human approval."
safer_alternative: "If you need to remove a commit, `git revert` it; rewrites strand collaborators."
- id: git.push_mirror_or_all_force
severity: High
points: 3
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec, git]
any_param_matches:
- '\bgit\s+push\s+(--mirror|--all)\b.*(--force|--force-with-lease|\s-f)'
reason: "Force-pushing every ref at once is destructive."
safer_alternative: "Push branches individually with `--force-with-lease <branch>`."
- id: git.branch_force_delete
severity: Medium
points: 2
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec, git]
any_param_matches: ['\bgit\s+branch\s+-D\s+\S+']
reason: "Force-delete of a local branch -- verify before continuing."
safer_alternative: "Use `git branch -d` (lower-case d); it refuses to delete unmerged branches."
- id: git.checkout_dot_discards
severity: Medium
points: 1
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec, git]
any_param_matches:
- '\bgit\s+checkout\s+\.(\s|$)'
- '\bgit\s+restore\s+(--worktree|--source=HEAD)\s+\.(\s|$)'
- '\bgit\s+clean\s+-(f|x)+d?(\s|$)'
reason: "Discards every uncommitted change in the working tree."
safer_alternative: "Stash first: `git stash push -u -m 'pre-discard'`. Drop the stash later if you don't need it."
- id: fs.recursive_delete_root
severity: Critical
points: 8
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec]
any_param_matches: ['\brm\s+-[rfRF]+\s*[rfRF]*\s+(/|/\*|\$HOME|~)(\s|$|;|&|\|)']
reason: "rm -rf on filesystem root is forbidden."
safer_alternative: "Scope to a specific subdirectory, e.g. `rm -rf ./build/`. Shield will allow ./-rooted deletes."
- id: fs.sensitive_path_write_or_delete
severity: High
points: 4
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec, filesystem.delete_file, filesystem.delete_directory, fs.delete, fs.remove, fs.write]
sensitive_paths:
- "/etc/**"
- "/boot/**"
- "/var/lib/**"
- "/data/**"
- "/srv/**"
- "/usr/local/bin/**"
- "/usr/local/sbin/**"
- "/usr/local/lib/**"
- "/usr/share/keyrings/**"
- "/usr/lib/systemd/**"
- "~/.ssh/**"
- "~/.aws/**"
- "~/.gnupg/**"
- "~/.kube/**"
reason: "Operation touches a sensitive system or credential path."
safer_alternative: "Scope the change to your project directory. If you really need to touch system paths, run the command manually with `sudo` outside the agent."
- id: fs.dd_to_block_device
severity: Critical
points: 8
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec]
any_param_matches: ['\bdd\s+if=.*\s+of=/dev/(sd|nvme|disk|hd|xvd|vd)']
reason: "dd to a raw block device wipes the disk -- forbidden."
safer_alternative: "If you need a disk image, `dd if=/dev/zero of=./blank.img bs=1M count=N` writes to a file, not a device."
- id: fs.find_delete_sweep
severity: High
points: 3
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec]
any_param_matches:
- '\bfind\s+\S+.*-delete\b'
- '\bfind\s+\S+.*-exec\s+rm\b'
reason: "Recursive find ... -delete can sweep an entire subtree silently."
safer_alternative: "Run `find ... -print` first, eyeball the list, then re-run with `-delete`."
- id: fs.world_writable_chmod
severity: High
points: 3
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec]
command_predicates: [world_writable_chmod]
reason: "World-writable permissions on this path are dangerous."
safer_alternative: "Use 0640 / 0750 instead. World-write (`o+w`, `777`) is almost never what you want."
- id: fs.chown_root_recursive
severity: High
points: 3
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec]
any_param_matches:
- '\bchown\s+-R\s+root[:.]'
- '\bchown\s+-R\s+0[:.]'
reason: "Recursive `chown root` can lock the user out of their own files."
safer_alternative: "Run chown non-recursively on the specific file that needs it."
- id: secret.env_to_network
severity: Critical
points: 8
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec]
command_predicates: [env_to_network]
reason: "Command reads a secret source and pipes it to a network sink in the same line -- exfiltration pattern."
safer_alternative: "If you genuinely need to share a secret with an outside service, copy the specific value manually and rotate it afterwards. Never let an agent do this."
- id: secret.read_ssh_or_aws_key
severity: High
points: 4
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec, filesystem.read_file, fs.read]
any_param_matches:
- '~?/\.ssh/id_(rsa|ed25519|dsa|ecdsa)(\.pub)?\b'
- '~?/\.aws/credentials\b'
- '~?/\.gnupg/private-keys-v1\.d'
reason: "Reading private credentials directly -- confirm this is intentional."
safer_alternative: "Reference the credential by environment variable or use the relevant CLI (aws sts, ssh-agent) instead of `cat`-ing the file."
- id: secret.cloud_kv_dump
severity: High
points: 3
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec]
any_param_matches:
- '\bkubectl\s+get\s+secrets?\b'
- '\baws\s+secretsmanager\s+get-secret-value\b'
- '\bgcloud\s+secrets\s+versions\s+access\b'
- '\baz\s+keyvault\s+secret\s+show\b'
reason: "Bulk read of a cloud secrets store -- verify before continuing."
safer_alternative: "Read a specific secret by name, not all of them. Audit logs treat bulk reads as suspicious."
- id: supply.curl_pipe_sh
severity: Critical
points: 6
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec]
command_predicates: [curl_pipe_sh, network_fetch_to_interpreter]
reason: "Fetch-and-execute over the network with no inspection step (curl | sh family)."
safer_alternative: "Download to a file first, inspect (or check a published sha256), then execute. e.g. `curl -fSLo install.sh URL && shasum -a 256 install.sh && bash install.sh`."
- id: supply.untrusted_pkg_registry
severity: High
points: 3
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec]
command_predicates: [untrusted_pkg_registry]
reason: "Installing from a non-default package registry -- supply-chain / dependency-confusion risk."
safer_alternative: "If the package really lives elsewhere, vendor it into your repo or mirror via a private registry under your control."
- id: shell.reverse_shell
severity: Critical
points: 9
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec]
command_predicates: [reverse_shell]
reason: "Reverse-shell pattern detected. Shield never auto-allows back-channel network connections."
safer_alternative: "If you need a remote shell, use a deliberate tool (ssh, tmate share, mosh). Never wire one in via base64'd one-liners."
- id: privilege.sudo_destructive
severity: High
points: 3
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec]
any_param_matches:
- '(^|\s|;|&|\|)sudo\s+(rm\s+-[rfRF]|dd\s+if=|mkfs|fdisk|parted|format)'
reason: "Sudo-prefixed destructive command -- requires explicit human approval."
safer_alternative: "Run the privileged step manually outside the agent's session."
- id: privilege.setuid_grant
severity: High
points: 3
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec]
any_param_matches:
- '\bchmod\s+([+]?u\+s|0?[24][0-7][0-7][0-7])\b'
- '\bsetcap\s+\S+'
reason: "Granting setuid / capabilities -- privilege escalation risk."
safer_alternative: "Avoid setuid binaries entirely. Use sudo with a narrow sudoers entry if you need elevated privileges."
- id: cloud.aws_s3_recursive_delete
severity: High
points: 4
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec, aws.cli]
any_param_matches:
- '\baws\s+s3\s+rm\b.*--recursive\b'
- '\baws\s+s3\s+rb\b.*--force\b'
reason: "Bulk S3 delete -- irreversible if versioning is off."
safer_alternative: "Enable versioning, then use lifecycle rules to expire -- never `--recursive --force`."
- id: cloud.aws_rds_skip_snapshot
severity: Critical
points: 6
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec, aws.cli]
any_param_matches:
- '\baws\s+rds\s+delete-db-(instance|cluster)\b.*--skip-final-snapshot\b'
reason: "RDS delete with no final snapshot -- data is gone forever."
safer_alternative: "Omit `--skip-final-snapshot`. The 60 seconds of snapshot time can save your job."
- id: cloud.terraform_destroy_auto_approve
severity: High
points: 4
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec, terraform.run]
any_param_matches:
- '\bterraform\s+destroy\b.*-auto-approve\b'
- '\btf\s+destroy\b.*-auto-approve\b'
reason: "`terraform destroy -auto-approve` skips the human confirmation step."
safer_alternative: "Run `terraform plan -destroy` first; review; apply the destroy interactively."
- id: cloud.gcloud_sql_delete
severity: High
points: 4
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec, gcloud.run]
any_param_matches:
- '\bgcloud\s+sql\s+instances\s+delete\b'
reason: "Deleting a Cloud SQL instance -- irreversible."
safer_alternative: "Export a backup with `gcloud sql export sql` first."
- id: cloud.az_group_delete
severity: High
points: 4
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec, az.run]
any_param_matches:
- '\baz\s+group\s+delete\b.*--yes\b'
reason: "Deleting an entire Azure resource group, skipping the confirmation."
safer_alternative: "List resources first (`az resource list -g X`); confirm interactively; never use `--yes` for delete."
- id: k8s.delete_namespace
severity: High
points: 4
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec, kubectl.run]
any_param_matches:
- '\bkubectl\s+delete\s+(namespace|ns)\s+\S+'
- '\bkubectl\s+delete\s+-f\s+.*--all-namespaces\b'
reason: "Namespace delete propagates to every resource inside it."
safer_alternative: "Delete specific resource kinds first; namespace last, once you've verified the inventory."
- id: k8s.delete_all
severity: High
points: 4
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec, kubectl.run]
any_param_matches:
- '\bkubectl\s+delete\s+\S+\s+--all\b'
reason: "kubectl delete --all is rarely what you actually want."
safer_alternative: "Use a label selector: `kubectl delete pod -l app=foo`."
- id: k8s.drain_node
severity: Medium
points: 2
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec, kubectl.run]
any_param_matches:
- '\bkubectl\s+drain\s+\S+'
reason: "Draining a Kubernetes node -- workloads on this node will be evicted."
safer_alternative: "Cordon first (`kubectl cordon`), watch pods reschedule, then drain with `--ignore-daemonsets --delete-emptydir-data` once you've confirmed nothing critical pins to the node."
- id: k8s.helm_uninstall
severity: Medium
points: 2
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec, helm.run]
any_param_matches: ['\bhelm\s+(uninstall|delete)\s+\S+']
reason: "Helm uninstall removes every workload from the release."
safer_alternative: "Run `helm get manifest <release>` first to confirm what will go."
- id: docker.system_prune_aggressive
severity: High
points: 3
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec, docker.run]
any_param_matches:
- '\bdocker\s+system\s+prune\b.*(-a|--all).*(--volumes|-f|--force)'
- '\bdocker\s+volume\s+prune\b.*--force'
reason: "`docker system prune -af --volumes` deletes every cached layer AND volume."
safer_alternative: "Prune images and containers separately, and never `--volumes` without naming what you're keeping."
- id: docker.rm_force_volumes
severity: Medium
points: 2
where: tool_call
match:
tool: [run_terminal, bash, shell, execute_command, exec, docker.run]
any_param_matches:
- '\bdocker\s+rm\s+-[fv]+\s+\S+'
- '\bdocker\s+volume\s+rm\s+\S+'
reason: "Force-remove of a docker container with its volumes -- data inside the volume is gone."
safer_alternative: "Stop the container first; rm without `-v`; remove volumes by name only when you're sure."
- id: anomaly.destructive_burst
severity: High
points: 4
where: tool_call
match:
tool: []
reason: "Destructive operation burst detected -- pausing for review."
safer_alternative: "Stop what you're doing, look at the recent shield audit log, and resume one operation at a time."
- id: llm.suggests_drop_database
severity: High
points: 3
where: llm_response
match:
text_matches: ['(?i)\b(DROP\s+DATABASE|TRUNCATE\s+TABLE\s+\w+\s*;)']
reason: "Assistant plan contains destructive SQL -- confirm before executing."
- id: llm.suggests_force_push
severity: Medium
points: 2
where: llm_response
match:
text_matches: ['(?i)git\s+push\s+.*(--force|--force-with-lease|-f)\b.*\b(main|master|prod)\b']
reason: "Assistant plan suggests force-push to a protected branch."
- id: llm.suggests_rm_rf
severity: Medium
points: 2
where: llm_response
match:
text_matches: ['(?i)\brm\s+-rf?\s+(/|/\*|\$HOME|~)']
reason: "Assistant plan suggests rm -rf at filesystem root."
- id: llm.suggests_curl_pipe_sh
severity: Medium
points: 2
where: llm_response
match:
text_matches:
- '(?i)curl\s+\S+\s*\|\s*(sudo\s+)?(sh|bash|zsh)\b'
- '(?i)wget\s+\S+\s*-?\S*\s*\|\s*(sudo\s+)?(sh|bash|zsh)\b'
reason: "Assistant plan suggests `curl | sh`-style install -- inspect the script before running."
- id: llm.suggests_secret_exfil
severity: High
points: 3
where: llm_response
match:
text_matches:
- '(?i)cat\s+.*\.env.*\|\s*curl'
- '(?i)curl\s+.*--data-binary\s+@~?/\.(aws|ssh)/'
reason: "Assistant plan reads a secret file and pipes it to a network endpoint -- exfiltration pattern."
- id: desc.hidden_instructions
severity: Critical
points: 5
where: tool_description
match:
text_matches:
- '(?i)<\s*(important|system|instructions?|hidden|secret)\s*>'
- '(?i)\bdo\s+not\s+(tell|inform|mention|show|reveal)\s+(this\s+)?(to\s+)?the\s+user\b'
- '(?i)\bignore\s+(all\s+)?(previous|prior|other)\s+(instructions?|tools?|rules?)\b'
- '(?i)\bbefore\s+(using|calling|invoking)\s+this\s+tool\b.{0,80}\b(read|cat|open|fetch|send)\b'
reason: "Tool description contains hidden instructions aimed at the model -- classic tool-poisoning."
safer_alternative: "Remove this MCP server, or contact its maintainer. If you trust it anyway, add an allow rule for this rule id."
- id: desc.requests_secrets
severity: Critical
points: 5
where: tool_description
match:
text_matches:
- '(?i)(~|\$HOME)?/?\.ssh/(id_[a-z0-9]+|authorized_keys|known_hosts)'
- '(?i)(~|\$HOME)?/?\.(aws|gcloud|azure|kube)/(credentials|config)'
- '(?i)\.env\b.{0,40}\b(read|cat|include|pass|send|contents?)\b'
- '(?i)\b(api[_-]?key|access[_-]?token|private[_-]?key|password)s?\b.{0,60}\b(pass|include|send|provide|paste)\b.{0,30}\b(parameter|argument|context|field)\b'
reason: "Tool description asks the model to read or pass credentials -- exfiltration staging."
safer_alternative: "No legitimate tool needs your keys passed as a parameter. Remove this server."
- id: desc.crosstool_shadowing
severity: High
points: 3
where: tool_description
match:
text_matches:
- '(?i)\b(instead\s+of|rather\s+than|replace)\s+(using\s+)?(the\s+)?[a-z0-9_.-]+\s+tool\b'
- '(?i)\balways\s+(use|prefer|call)\s+this\s+tool\s+(first|instead)\b'
- '(?i)\bother\s+tools?\s+(are|is)\s+(deprecated|broken|unsafe|forbidden)\b'
reason: "Tool description tries to shadow or supersede other tools -- cross-tool injection pattern."
safer_alternative: "Tool selection belongs to the user and host, not a server's marketing copy. Review this server."
- id: desc.exfil_destination
severity: High
points: 3
where: tool_description
match:
text_matches:
- '(?i)\b(send|post|upload|forward)\b.{0,60}\b(to|at)\s+https?://'
- '(?i)\bas\s+a\s+(side\s+)?note\b.{0,80}\b(include|attach|append)\b'
reason: "Tool description instructs the model to ship data to an external endpoint."
- id: result.prompt_injection
severity: High
points: 3
where: tool_result
match:
text_matches:
- '(?i)\bignore\s+(all\s+)?(previous|prior)\s+instructions?\b'
- '(?i)<\s*(system|important)\s*>'
- '(?i)\byou\s+(must|should)\s+now\s+(run|execute|call|delete|send)\b'
- '(?i)\bnew\s+system\s+prompt\b'
reason: "Tool result contains prompt-injection phrasing aimed at the agent."
safer_alternative: "Treat this server's output as untrusted data. If this is a false positive on legitimate content, tune the rule in your shieldset."
- id: result.instructs_secret_read
severity: High
points: 3
where: tool_result
match:
text_matches:
- '(?i)\b(read|cat|open)\b.{0,40}(~|\$HOME)?/?\.ssh/id_[a-z0-9]+'
- '(?i)\b(read|cat|open)\b.{0,40}\.env\b'
- '(?i)\bcurl\b.{0,60}--data\b.{0,40}\.(ssh|aws|env)\b'
reason: "Tool result instructs the agent to read credential files -- injection-driven exfiltration."