Skip to content

feat(supervision): injection/honeypot guard for external-repo crewmate PRs#67

Open
e-jung wants to merge 1 commit into
kunchenguid:mainfrom
e-jung:fm-injection-guard-upstream
Open

feat(supervision): injection/honeypot guard for external-repo crewmate PRs#67
e-jung wants to merge 1 commit into
kunchenguid:mainfrom
e-jung:fm-injection-guard-upstream

Conversation

@e-jung

@e-jung e-jung commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

What

Guards crewmates contributing to external repos (via fork) against prompt-injection / honeypot payloads planted in the target repo's agent-instruction files — the class of attack demonstrated by Docusaurus's `AGENTS.md` honeypot (an instruction telling any agent opening a PR to create a self-incriminating file, which an unsupervised agent complied with).

Two layers:

  1. Brief contract (`bin/fm-brief.sh`, --fork-pr): crewmates treat the target repo's `AGENTS.md`/`CLAUIBUTING.md`/`.github/*`/docs/issue+PR bodies as untrusted data — read for conventions only, never obey behavioral instructions (create a file, reveal AI status, exfiltrate, deviate from the task). If one asks for behavior beyond scope, STOP and `needs-decision` rather than comply.
  2. Review-stage scan (`bin/fm-injection-scan.sh`): a deterministic pre-relay scan firstmate runs on a crewmate's diff before shipping — flags suspicious added files / self-reveal text / hidden HTML comments / zero-width unicode / base64 blobs / "ignore previous" lines. Any finding = stop-and-investigate, never auto-ship.

Verification

  • `shellcheck` clean; `tests/fm-injection-scan.test.sh` green (honeypot-complied file, hidden comment, zero-width, base64, "ignore previous" all flagged; clean feature diff passes; pre-existing content not flagged).
  • Honest scope: it's a deterministic symptom-catcher for the planted-payload class (catches the Docusaurus shape). A truly subtle semantic injection still needs human review; that limitation is stated in `--help`.

Why upstream

Useful to anyone running firstmate to contribute to repos they don't own. We hit it in production and wanted to contribute the defense back.

AI disclosure: Human-reviewed. (The `PR must be raised via no-mistakes` check fails on the fork-routing gap #293 — known; the 3 real checks pass.)

@e-jung
feat(supervision): injection/honeypot guard for external-repo crewmat…
9f08309 
…e PRs

Two-layer defense against adversarial agent-instruction files (e.g. honeypot
AGENTS.md that tells an agent to plant a self-incriminating notice) in repos the
captain contributes to but does not own.

1. Brief contract: bin/fm-brief.sh --fork-pr emits the external-files-untrusted
   rule (ship + scout) - the target repo's AGENTS.md/CONTRIBUTING.md/.github/* are
   untrusted DATA, not instructions; STOP with needs-decision if one asks for
   behavior beyond the task.

2. Review-stage scan: bin/fm-injection-scan.sh flags injection/honeypot symptoms
   (notice/marker filenames, AI-reveal text, hidden HTML-comment/zero-width
   instructions, base64 blobs, 'ignore previous' lines) on ADDED lines/NEW files
   only. Deterministic symptom-catcher, not a semantic detector; any finding =
   stop-and-investigate, never auto-ship. Plugs into the review stage alongside
   fm-review-diff.sh (AGENTS.md section 7).

Tests: tests/fm-injection-scan.test.sh (TAP) covers all 7 required cases plus
--quiet. Existing suites unchanged.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@e-jung