Skip to content

README.md

Latest commit

 

History

History
150 lines (111 loc) · 5.67 KB

README.md

File metadata and controls

150 lines (111 loc) · 5.67 KB

Guards Reference

Clawdstrike ships with 12 built-in guards. Guards evaluate a GuardAction plus GuardContext and return a GuardResult.

Built-in Guards

Guard Purpose Config key
ForbiddenPathGuard Block access to sensitive paths guards.forbidden_path
PathAllowlistGuard Deny-by-default path allowlisting guards.path_allowlist
EgressAllowlistGuard Control network egress guards.egress_allowlist
SecretLeakGuard Detect secrets in writes/patches guards.secret_leak
PatchIntegrityGuard Block dangerous patches guards.patch_integrity
ShellCommandGuard Validate shell commands against forbidden patterns guards.shell_command
McpToolGuard Restrict MCP tool usage guards.mcp_tool
PromptInjectionGuard Detect prompt-injection in untrusted text guards.prompt_injection
JailbreakGuard Detect jailbreak attempts with 4-layer analysis guards.jailbreak
ComputerUseGuard CUA gateway with configurable enforcement modes guards.computer_use
RemoteDesktopSideChannelGuard Control remote desktop channels guards.remote_desktop_side_channel
InputInjectionCapabilityGuard Control input injection types and probes guards.input_injection_capability

Prompt-security utilities (not policy guards)

Some prompt-security features are implemented as standalone utilities and are wired into integrations (for example, @clawdstrike/vercel-ai):

  • Output Sanitizer — redact secrets/PII from model output (including streaming)
  • Watermarking — embed signed provenance markers in prompts

Action Coverage

Guard FileAccess FileWrite Patch NetworkEgress ShellCommand McpTool Custom
ForbiddenPath
PathAllowlist
EgressAllowlist
SecretLeak
PatchIntegrity
ShellCommand
McpTool
PromptInjection ✓ (untrusted_text)
Jailbreak ✓ (user_input)
ComputerUse ✓ (remote.*, input.*)
RemoteDesktopSideChannel ✓ (remote.* side channels)
InputInjectionCapability ✓ (input.inject)

Evaluation Order and Fail-Fast

HushEngine evaluates applicable guards in this order:

  1. forbidden_path
  2. path_allowlist
  3. egress_allowlist
  4. secret_leak
  5. patch_integrity
  6. shell_command
  7. mcp_tool
  8. prompt_injection (only for Custom("untrusted_text", ...))
  9. jailbreak (only for Custom("user_input", ...))
  10. computer_use (only for Custom("remote.*"|"input.*", ...))
  11. remote_desktop_side_channel (only for Custom("remote.*", ...) side channels)
  12. input_injection_capability (only for Custom("input.inject", ...))
  13. Custom/extra guards (if registered)

If settings.fail_fast: true, evaluation stops on the first blocked result. Otherwise, all applicable guards run and the final verdict is the highest severity across results (block > warn > allow).

Defaults and Disabling a Guard

If a guard config is omitted from the policy, the guard runs with its default configuration.

Every guard config supports an enabled field. Set enabled: false to disable a guard:

guards:
  forbidden_path:
    enabled: false

  egress_allowlist:
    enabled: false

Custom Guards

You can extend HushEngine with custom guards:

use clawdstrike::{Guard, GuardAction, GuardContext, GuardResult};

struct MyCustomGuard;

#[async_trait::async_trait]
impl Guard for MyCustomGuard {
    fn name(&self) -> &str {
        "my_custom_guard"
    }

    fn handles(&self, action: &GuardAction<'_>) -> bool {
        matches!(action, GuardAction::Custom(kind, _) if *kind == "my_action")
    }

    async fn check(
        &self,
        action: &GuardAction<'_>,
        context: &GuardContext,
    ) -> GuardResult {
        // Your logic here
        GuardResult::allow(self.name())
    }
}

// Register with engine
let engine = HushEngine::new().with_extra_guard(Box::new(MyCustomGuard));

See Custom Guards Guide for more details.

Guard Categories

Access Control Guards

Control what resources can be accessed:

  • ForbiddenPathGuard — Block sensitive filesystem paths
  • PathAllowlistGuard — Deny-by-default path allowlisting
  • EgressAllowlistGuard — Network destinations
  • ShellCommandGuard — Shell command validation
  • McpToolGuard — Tool invocations

Content Analysis Guards

Analyze content for security issues:

  • SecretLeakGuard — Detect secrets in output
  • PatchIntegrityGuard — Validate patch safety
  • PromptInjectionGuard — Detect instruction hijacking
  • JailbreakGuard — Detect safety bypass attempts

Computer Use (CUA) Guards

Control AI agent interactions with remote desktops:

  • ComputerUseGuard — CUA gateway with enforcement modes
  • RemoteDesktopSideChannelGuard — Channel-level control (clipboard, file transfer, etc.)
  • InputInjectionCapabilityGuard — Input type validation and postcondition probes

Output Processing

Process LLM output before delivery:

  • Output Sanitizer — Redact sensitive data
  • Watermarking — Add provenance tracking