Skip to content

feat(plugin): AEGIS scan-pipe on all inbound Pilot messages#6

Merged
TeoSlayer merged 4 commits into
mainfrom
fix/plugin-lockfile-openclaw-2026-6-1
Jun 30, 2026
Merged

feat(plugin): AEGIS scan-pipe on all inbound Pilot messages#6
TeoSlayer merged 4 commits into
mainfrom
fix/plugin-lockfile-openclaw-2026-6-1

Conversation

@TeoSlayer

Copy link
Copy Markdown
Contributor

Summary

  • Scans every inbound Pilot message (text and media captions) through aegis scan-pipe before dispatching to the agent
  • Malicious messages (prompt injection, jailbreak, persona hijack, exfil scaffolding) are dropped with a warning log — never reach the LLM turn
  • 500ms timeout: AEGIS L1 is microseconds in practice; timeout is safety net only

How it works

Peer sends message
  → allowlist / HMAC auth (existing)
  → AEGIS scan-pipe (new, L1 pattern check, ~microseconds)
    exit 0 → dispatch to agent (existing)
    exit 2 → drop + warn, never reaches agent

Test plan

  • Clean message dispatches normally
  • Message containing "ignore previous instructions" is blocked with warning log
  • Message containing credential exfil patterns is blocked
  • Timeout (aegis not installed) fails open — message passes through

🤖 Generated with Claude Code

teovl and others added 2 commits June 9, 2026 09:42
The plugin's package.json was bumped to openclaw ^2026.6.1 but the
lockfile still pinned 2026.5.26, so npm ci has been failing on every
push since the bump:

  Invalid: lock file's openclaw@2026.5.26 does not satisfy openclaw@2026.6.1

Re-runs npm install --package-lock-only to refresh the lockfile.
Confirmed with npm ci locally — exit 0.
Scan message text and media captions through `aegis scan-pipe` before
dispatching to the agent. Exit 2 from aegis drops the message with a
warning — prevents prompt injection over the Pilot network from reaching
the LLM turn.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@codecov

codecov Bot commented Jun 23, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

matthew-pilot and others added 2 commits June 25, 2026 03:40
Replace the per-message spawnSync("aegis","scan-pipe") in the inbound
pipeline with a non-blocking execFile wrapper. The dispatch pipeline is
fully await-based; spawning synchronously parked the Node event loop for
the whole subprocess lifetime on every inbound message, starving every
other peer's I/O.

The new createAegisScan helper feeds candidate text on stdin, awaits the
child exit, and keeps the exit-code contract (status 2 = block, rule on
stdout). Spawn errors and timeouts resolve fail-open so a scanner outage
never silently drops all inbound DMs. The scanner is injectable via
InboundDeps/LifecycleDeps so tests run without execing a real binary.

Add coverage for the scan-pipe paths: clean pass-through, flagged/blocked
drop, and the error/timeout fail-open branch, for both the text and media
caption code paths.
@TeoSlayer TeoSlayer merged commit 15f7b5b into main Jun 30, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants