Merged
Phase 1 - Parameter validation and scope enforcement (T2, T3):
- Add core/scope_enforcement.py: parses target_scope.md and validates IP/CIDR targets against authorized scope (local network only by default)
- Add _validate_tool_parameters() in tools_registry: enforces validate_target() and validate_port() on every tool call before execution
- Add _enforce_scope() in tools_registry: rejects out-of-scope targets for NETWORK_DIAGNOSTICS and PENTESTING category tools

Phase 2 - Guardian layer and confirmation prompt (T1, T3):
- Add validate_tool_call() in chatbot.py: blocks unregistered tool names (prompt-injection defence) and runs scope check before execute_tool()
- Add _prompt_out_of_scope_confirmation(): interactive [y/N] prompt when a target is outside the authorized scope; operator stays in control
- Add RiskLevel enum (LOW/MEDIUM/HIGH/CRITICAL) to ToolMetadata; nmap tools classified HIGH, hydra/sqlmap CRITICAL

Phase 3 - Output controls (T4):
- Add _truncate_tool_output() in tools_registry: caps string fields at 8000 chars to prevent context-window exhaustion and memory poisoning
- Add _sanitize_tool_result_for_llm() in chatbot.py: strips TOOL:/ARGS: patterns from tool output before injection into LLM conversation history

Phase 4 - MCP hardening (T5):
- Remove MCP_AUTH_ENABLED opt-out: authentication is now always required
- Add _check_rate_limit(): token-bucket per-session rate limiter (60 req/min)
- Add _audit_log(): writes timestamped tool-call records to memory/mcp_audit.log
- Wire rate limiting and audit logging into call_tool() entry point

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add memory/target_scope.md, memory/network_state.md, and memory/mcp_audit.log to .gitignore so engagement-specific targets, network state, and audit logs remain local and are never pushed to GitHub
- Extend core/scope_enforcement.py:
  - Parse standalone IP addresses from bold list items in target_scope.md (explicit_ips) alongside CIDR ranges
  - is_target_in_scope: check explicit_ips allowlist before CIDR and local checks
  - Handle mixed scope type (local network + explicit externals): private addresses still pass, other public IPs denied unless explicitly listed
  - get_scope_summary: include explicit hosts in summary output

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
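The scope check described in both commit messages (explicit_ips allowlist first, then CIDR ranges, then the local-network rule, with mixed scope letting private addresses through), as an added illustration that is not the project's core/scope_enforcement.py. The target_scope.md sample, the regexes and the `Scope type:` header line are constructed here; the real file layout may differ.

```python
import ipaddress
import re

# Constructed sample in the shape the commit message describes (CIDR ranges and
# bold standalone IPs in target_scope.md); it is not the project's own file.
SAMPLE_SCOPE_MD = """# Target scope
Scope type: mixed
- 192.168.10.0/24
- **203.0.113.7**
- **198.51.100.20** (customer web host)
"""

CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")
BOLD_IP_RE = re.compile(r"\*\*(\d{1,3}(?:\.\d{1,3}){3})\*\*")
SCOPE_TYPE_RE = re.compile(r"^Scope type:\s*(\w+)", re.M)
# "Local network" is pinned to RFC 1918 on purpose: ipaddress.is_private also
# admits documentation ranges such as 203.0.113.0/24, which would widen scope.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_scope(text):
    """Return (networks, explicit_ips, scope_type); malformed entries are
    skipped so a typo never silently widens the authorized scope."""
    networks, explicit = [], set()
    for cidr in CIDR_RE.findall(text):
        try:
            networks.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            continue
    for host in BOLD_IP_RE.findall(text):
        try:
            explicit.add(ipaddress.ip_address(host))
        except ValueError:
            continue
    m = SCOPE_TYPE_RE.search(text)
    return networks, explicit, (m.group(1).lower() if m else "local")

def is_target_in_scope(target, networks, explicit_ips, scope_type="local"):
    """Explicit allowlist first, then CIDR ranges, then the local-network rule.
    Under 'mixed' scope private addresses still pass and other public IPs are
    denied unless listed; anything unparseable is denied (fail closed)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False
    if ip in explicit_ips or any(ip in net for net in networks):
        return True
    if scope_type in ("local", "mixed"):
        return any(ip in net for net in RFC1918)
    return False
```

Because the allowlist is consulted before the CIDR and local checks, an operator can add a single external host without opening the whole range it sits in.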