rish-e
diff --git a/‎README.md‎
Lines changed: 3 additions & 2 deletions b/‎README.md‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎agent/autopilot.md‎
Lines changed: 0 additions & 16 deletions b/‎agent/autopilot.md‎
Lines changed: 0 additions & 16 deletions
diff --git a/‎bin/guardian.sh‎
Lines changed: 78 additions & 34 deletions b/‎bin/guardian.sh‎
Lines changed: 78 additions & 34 deletions
@@ -236,7 +236,7 @@ If something breaks midway, open the log to see exactly what happened and where.
     keychain.sh          # macOS Keychain wrapper (get/set/delete/list/has)
     guardian.sh           # PreToolUse safety hook (hard-blocks dangerous commands)
     setup-clis.sh         # CLI installer (gh, vercel, supabase, wrangler, etc.)
-    test-guardian.sh      # 45-test suite for the guardian
+    test-guardian.sh      # 55-test suite for the guardian
   config/
     decision-framework.md # When to act vs. ask (5 levels)
     guardian-custom-rules.txt  # Append-only blocklist (expands with new services)
@@ -264,7 +264,7 @@ your-project/.autopilot/
 
 Autopilot's safety is layered. The Guardian provides **hard enforcement** that the AI cannot bypass. The Decision Framework provides **intelligent classification** that the AI follows.
 
-### What the Guardian Blocks (45 tested patterns)
+### What the Guardian Blocks (55 tested patterns)
 
 | Category | Examples |
 |----------|---------|
@@ -276,6 +276,7 @@ Autopilot's safety is layered. The Guardian provides **hard enforcement** that t
 | **Account changes** | `gh repo edit --visibility public`, `gh repo delete` |
 | **Financial** | Creating Stripe charges, sending emails |
 | **MCP process killing** | `kill`/`pkill`/`killall` targeting Playwright or MCP servers |
+| **Obfuscation/evasion** | `base64 \| bash`, `bash -c`, `eval`, `python -c os.system()`, `node -e exec()` |
 
 ### What's Auto-Approved (zero prompt)
 
 
@@ -18,12 +18,8 @@ allowedTools:
   - "mcp__playwright__*"
   - "mcp__github__*"
   - "mcp__filesystem__*"
-  - "mcp__context7__*"
-  - "mcp__jcodemunch__*"
   - "mcp__memory__*"
   - "mcp__sequential-thinking__*"
-  - "mcp__shadcn-ui__*"
-  - "mcp__magicui__*"
 ---
 
 # AUTOPILOT — Fully Autonomous Development Agent
@@ -496,15 +492,3 @@ This entire sequence should happen inline. The only pause points are:
 - Non-whitelisted MCP approval (asked once, then whitelisted forever)
 - 2FA codes (unavoidable)
 
----
-
-## Project-Specific Patterns
-
-### RenderKit (Dynamic Image Generation API)
-- **Deployment**: Vercel (Next.js/Node.js)
-- **Database**: Supabase (PostgreSQL)
-- **Payments**: Razorpay (Indian market)
-- **Image Storage**: Cloudflare R2 (S3-compatible)
-- **Source Control**: GitHub (MCP already configured)
-
-When working on RenderKit, prioritize these services and their integrations.
@@ -15,21 +15,36 @@
 
 set -uo pipefail
 
+# =============================================================================
+# FAIL CLOSED: If jq is not available, block everything
+# =============================================================================
+
+if ! command -v jq &>/dev/null; then
+    echo "GUARDIAN BLOCKED [SAFETY]: jq is not installed. Guardian cannot parse commands safely — blocking all Bash execution." >&2
+    echo "Install jq: brew install jq (macOS) / sudo apt install jq (Linux)" >&2
+    exit 2
+fi
+
 # Read tool call from stdin
 INPUT=$(cat)
 
 # Only inspect Bash commands — allow everything else through
-TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // empty')
+TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+if [ -z "$TOOL_NAME" ]; then
+    # Failed to parse — fail closed
+    echo "GUARDIAN BLOCKED [SAFETY]: Could not parse tool call JSON" >&2
+    exit 2
+fi
+
 if [ "$TOOL_NAME" != "Bash" ]; then
     exit 0
 fi
 
-# Extract the command (try jq first, fall back to raw input for robustness)
+# Extract the command
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
 if [ -z "$COMMAND" ]; then
-    # If jq fails (malformed JSON), use the raw input as the command
-    # This ensures we still catch dangerous patterns even with bad JSON
-    COMMAND="$INPUT"
+    echo "GUARDIAN BLOCKED [SAFETY]: Could not extract command from tool call" >&2
+    exit 2
 fi
 
 # Normalize: lowercase for case-insensitive matching
@@ -45,6 +60,39 @@ block() {
     exit 2
 }
 
+# =============================================================================
+# CATEGORY 0: OBFUSCATION / INTERPRETER EVASION
+# =============================================================================
+# These block attempts to bypass the guardian by encoding commands or using
+# alternative interpreters. Must come first — before pattern-specific checks.
+
+# Base64 piped to bash/sh (encoding bypass)
+if echo "$CMD_LOWER" | grep -qE 'base64.*\|\s*(bash|sh|zsh|dash)'; then
+    block "EVASION" "Base64-encoded command piped to shell interpreter"
+fi
+if echo "$CMD_LOWER" | grep -qE 'base64\s+-d.*\|\s*(bash|sh)'; then
+    block "EVASION" "Base64-decoded content piped to shell"
+fi
+
+# Subshell execution: bash -c, sh -c, eval
+if echo "$CMD_LOWER" | grep -qE '(^|\s|;|&&|\|)(bash|sh|zsh|dash)\s+-c\s'; then
+    block "EVASION" "Subshell execution via interpreter -c flag. Run the command directly instead."
+fi
+if echo "$CMD_LOWER" | grep -qE '(^|\s|;|&&|\|)eval\s'; then
+    block "EVASION" "eval can execute arbitrary code. Run the command directly instead."
+fi
+
+# Python/Node/Ruby/Perl os.system or exec (interpreter bypass)
+if echo "$CMD_LOWER" | grep -qE 'python[23]?\s+-c\s.*\b(os\.|subprocess|system|exec|popen)'; then
+    block "EVASION" "Python executing system commands — bypasses guardian"
+fi
+if echo "$CMD_LOWER" | grep -qE 'node\s+-e\s.*\b(exec|spawn|child_process)'; then
+    block "EVASION" "Node.js executing system commands — bypasses guardian"
+fi
+if echo "$CMD_LOWER" | grep -qE '(ruby|perl)\s+-e\s.*\b(system|exec|`)'; then
+    block "EVASION" "Interpreter executing system commands — bypasses guardian"
+fi
+
 # =============================================================================
 # CATEGORY 1: SYSTEM DESTRUCTION
 # =============================================================================
@@ -56,35 +104,27 @@ fi
 if echo "$COMMAND" | grep -qE 'rm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+|--recursive\s+)*(-[a-zA-Z]*f[a-zA-Z]*|--force)\s+(/|~|\$HOME|/Users)'; then
     block "SYSTEM" "Forced recursive deletion of system/home directory"
 fi
-# Shorthand: rm -rf / or rm -rf ~
 if echo "$COMMAND" | grep -qE 'rm\s+-rf\s+(/|~|\$HOME|/Users)\b'; then
     block "SYSTEM" "Catastrophic deletion: rm -rf on root or home"
 fi
-# rm -rf . (delete entire current directory)
 if echo "$COMMAND" | grep -qE 'rm\s+-rf\s+\.$'; then
     block "SYSTEM" "Deleting entire current directory"
 fi
-# sudo rm -rf anything
 if echo "$COMMAND" | grep -qE 'sudo\s+rm\s+-rf'; then
     block "SYSTEM" "Privileged recursive forced deletion"
 fi
-# Disk/filesystem destruction
 if echo "$CMD_LOWER" | grep -qE '(mkfs|fdisk|diskutil\s+erase)'; then
     block "SYSTEM" "Disk/filesystem destructive operation"
 fi
-# Raw disk write
 if echo "$COMMAND" | grep -qE 'dd\s+if=.*of=/dev/'; then
     block "SYSTEM" "Raw disk write operation"
 fi
-# Fork bomb
 if echo "$COMMAND" | grep -qF ':(){ :|:&};'; then
     block "SYSTEM" "Fork bomb detected"
 fi
-# System shutdown/reboot
 if echo "$CMD_LOWER" | grep -qE '^\s*(sudo\s+)?(shutdown|reboot|halt|poweroff)\b'; then
     block "SYSTEM" "System shutdown/reboot command"
 fi
-# World-writable root
 if echo "$COMMAND" | grep -qE 'chmod\s+(-R\s+)?777\s+/'; then
     block "SYSTEM" "Setting world-writable permissions on root"
 fi
@@ -93,15 +133,12 @@ fi
 # CATEGORY 2: CREDENTIAL EXFILTRATION
 # =============================================================================
 
-# Printing credentials to stdout
 if echo "$COMMAND" | grep -qE '(echo|printf|cat)\s.*keychain\.sh\s+get'; then
     block "CREDENTIALS" "Credential value would be printed to stdout. Use subshell expansion instead: --token \"\$(keychain.sh get ...)\""
 fi
-# Piping/sending credentials to external URLs
 if echo "$COMMAND" | grep -qE '(curl|wget|http).*\$\(.*keychain\.sh\s+get'; then
     block "CREDENTIALS" "Credential value being sent to external URL. Use env var + CLI flag instead."
 fi
-# Writing credentials to files (detecting keychain get output redirected to file)
 if echo "$COMMAND" | grep -qE 'keychain\.sh\s+get.*[>|]\s*(.*\.env|.*\.json|.*\.yaml|.*\.yml|.*\.toml|.*\.cfg|.*\.conf|.*\.ini)'; then
     block "CREDENTIALS" "Credential value being written to config file. Use keychain at runtime instead."
 fi
@@ -117,31 +154,29 @@ if echo "$CMD_LOWER" | grep -qE 'truncate\s+(table\s+)?[a-z]'; then
     block "DATABASE" "Truncating table (mass data deletion)"
 fi
 # DELETE without WHERE clause (mass deletion)
-if echo "$CMD_LOWER" | grep -qE 'delete\s+from\s+\w+\s*;' | grep -qvE 'where'; then
+if echo "$CMD_LOWER" | grep -qE 'delete\s+from\s+\w+\s*;' && ! echo "$CMD_LOWER" | grep -qE 'where'; then
     block "DATABASE" "DELETE without WHERE clause (mass data deletion)"
 fi
 
 # =============================================================================
 # CATEGORY 4: GIT / PUBLISHING DESTRUCTION
 # =============================================================================
 
-# Force push (any branch)
-if echo "$COMMAND" | grep -qE 'git\s+push\s+.*(-f|--force)\b'; then
+# Force push — but allow --force-with-lease (safer alternative)
+if echo "$COMMAND" | grep -qE 'git\s+push\s+.*--force-with-lease'; then
+    : # Allow --force-with-lease through
+elif echo "$COMMAND" | grep -qE 'git\s+push\s+.*(-f|--force)\b'; then
     block "GIT" "Force push can destroy remote history. Use --force-with-lease if needed, or push normally."
 fi
-# Force push shorthand
 if echo "$COMMAND" | grep -qE 'git\s+push\s+-f\b'; then
     block "GIT" "Force push can destroy remote history"
 fi
-# Hard reset (can lose uncommitted work)
 if echo "$COMMAND" | grep -qE 'git\s+reset\s+--hard'; then
     block "GIT" "Hard reset discards all uncommitted changes. Commit or stash first."
 fi
-# Clean -f (delete untracked files)
 if echo "$COMMAND" | grep -qE 'git\s+clean\s+.*-f'; then
     block "GIT" "git clean -f permanently deletes untracked files"
 fi
-# Package publishing
 if echo "$CMD_LOWER" | grep -qE '(npm\s+publish|cargo\s+publish|twine\s+upload|gem\s+push|pip\s+.*upload)'; then
     block "PUBLISHING" "Publishing a package to a public registry"
 fi
@@ -150,15 +185,12 @@ fi
 # CATEGORY 5: PRODUCTION DEPLOYMENTS
 # =============================================================================
 
-# Vercel production deploy
 if echo "$COMMAND" | grep -qE 'vercel\s+(deploy\s+)?.*--prod'; then
     block "PRODUCTION" "Production deployment to Vercel. Review and run manually: ! vercel deploy --prod"
 fi
-# Generic --production flag
 if echo "$COMMAND" | grep -qE -- '--production( |$|")' && echo "$CMD_LOWER" | grep -qE '(deploy|push|migrate|release)'; then
     block "PRODUCTION" "Production operation detected. Review and confirm."
 fi
-# Terraform destroy
 if echo "$CMD_LOWER" | grep -qE 'terraform\s+destroy'; then
     block "PRODUCTION" "Terraform destroy will delete infrastructure"
 fi
@@ -167,19 +199,15 @@ fi
 # CATEGORY 6: ACCOUNT / VISIBILITY CHANGES
 # =============================================================================
 
-# Making repo public
 if echo "$COMMAND" | grep -qE 'gh\s+repo\s+edit\s+.*--visibility\s+public'; then
     block "VISIBILITY" "Making repository public — this exposes all code"
 fi
-# Deleting a repository
 if echo "$COMMAND" | grep -qE 'gh\s+repo\s+delete'; then
     block "DESTRUCTIVE" "Deleting a GitHub repository"
 fi
-# Deleting a Vercel project
 if echo "$COMMAND" | grep -qE 'vercel\s+(project\s+)?rm\b'; then
     block "DESTRUCTIVE" "Deleting a Vercel project"
 fi
-# Deleting a Supabase project
 if echo "$CMD_LOWER" | grep -qE 'supabase\s+projects?\s+delete'; then
     block "DESTRUCTIVE" "Deleting a Supabase project"
 fi
@@ -188,24 +216,40 @@ fi
 # CATEGORY 7: FINANCIAL / MESSAGING
 # =============================================================================
 
-# Stripe charges (via curl)
 if echo "$CMD_LOWER" | grep -qE 'curl.*api\.stripe\.com.*(charges|payment_intents).*-d'; then
     block "FINANCIAL" "Creating a real Stripe charge/payment"
 fi
-# Sending emails via CLI
 if echo "$CMD_LOWER" | grep -qE '(^|[|;&\s])(sendmail|mailx?|mutt)\s'; then
     block "MESSAGING" "Sending email to real recipients"
 fi
 
 # =============================================================================
 # CUSTOM RULES (autopilot can append, never remove)
+# Delimiter: ::: (three colons) to avoid conflicts with regex | characters
+# Legacy format with | is also supported for backwards compatibility
 # =============================================================================
 
 CUSTOM_RULES="$HOME/MCPs/autopilot/config/guardian-custom-rules.txt"
 if [ -f "$CUSTOM_RULES" ]; then
-    while IFS='|' read -r category pattern reason; do
+    while IFS= read -r line; do
         # Skip comments and empty lines
-        [[ "$category" =~ ^#.*$ ]] && continue
+        [[ "$line" =~ ^#.*$ ]] && continue
+        [ -z "$line" ] && continue
+
+        # Parse: try ::: delimiter first, fall back to | (legacy)
+        if [[ "$line" == *":::"* ]]; then
+            category="${line%%:::*}"
+            rest="${line#*:::}"
+            pattern="${rest%%:::*}"
+            reason="${rest#*:::}"
+        else
+            # Legacy | delimiter — only split on first and last |
+            category="${line%%|*}"
+            rest="${line#*|}"
+            reason="${rest##*|}"
+            pattern="${rest%|*}"
+        fi
+
         [ -z "$category" ] && continue
         [ -z "$pattern" ] && continue