feat: expand DLP to 34 patterns + crypto wallet protection

README.md

@@ -127,7 +127,7 @@ Supports JetBrains IDEs and other ACP-compatible editors. See the [ACP setup gui
 
 ## Built-in Protection
 
-Crust ships with **14 security rules** and **19 DLP token-detection patterns** out of the box:
+Crust ships with **14 security rules** and **34 DLP token-detection patterns** out of the box:
 
 | Category | What's Protected |
 |----------|-----------------|
@@ -138,12 +138,13 @@ Crust ships with **14 security rules** and **19 DLP token-detection patterns** o
 | **Package Tokens** | npm, pip, Cargo, Composer, NuGet, Gem auth tokens |
 | **Git Credentials** | `.git-credentials`, `.config/git/credentials` |
 | **Persistence** | Shell RC files, `authorized_keys` |
-| **DLP Token Detection** | Content-based scanning for real API keys and tokens (AWS, GitHub, Stripe, OpenAI, Anthropic, and [14 more](docs/how-it-works.md#dlp-secret-detection)) |
+| **DLP Token Detection** | Content-based scanning for real API keys and tokens (AWS, GitHub, Stripe, OpenAI, Anthropic, and [23 more](docs/how-it-works.md#dlp-secret-detection)) |
 | **Key Exfiltration** | Content-based PEM private key detection |
+| **Crypto Wallets** | BIP39 mnemonics, xprv/WIF keys (checksum-validated), wallet directories for 16 chains |
 | **Self-Protection** | Agents cannot read, modify, or disable Crust itself |
 | **Dangerous Commands** | `eval`/`exec` with dynamic code execution |
 
-All rules are open source: [`internal/rules/builtin/security.yaml`](internal/rules/builtin/security.yaml) (path rules) and [`internal/rules/dlp.go`](internal/rules/dlp.go) (DLP patterns)
+All rules are open source: [`internal/rules/builtin/security.yaml`](internal/rules/builtin/security.yaml) (path rules), [`internal/rules/dlp.go`](internal/rules/dlp.go) (DLP patterns), and [`internal/rules/dlp_crypto.go`](internal/rules/dlp_crypto.go) (crypto key detection)
 
 ## Custom Rules
 
@@ -183,7 +184,7 @@ Crust inspects tool calls at multiple layers:
 2. **Layer 1 (Response Scan)**: Scans tool calls in the LLM's response before they execute — blocks new dangerous actions in real-time.
 3. **Stdio Proxy** ([MCP](docs/mcp.md) / [ACP](docs/acp.md)): Wraps MCP servers or ACP agents as a stdio proxy, intercepting security-relevant JSON-RPC messages in both directions — including DLP scanning of server responses for leaked secrets.
 
-All modes apply a [16-step evaluation pipeline](docs/how-it-works.md) — input sanitization, Unicode normalization, obfuscation detection, DLP secret scanning, path-based rules, and fallback content matching — each step in microseconds.
+All modes apply a [17-step evaluation pipeline](docs/how-it-works.md) — input sanitization, Unicode normalization, obfuscation detection, DLP secret scanning, path-based rules, and fallback content matching — each step in microseconds.
 
 All activity is logged locally to encrypted storage.
 

docs/how-it-works.md

@@ -11,7 +11,7 @@ Agent Request ──▶ [Layer 0: History Scan] ──▶ LLM ──▶ [Layer 1
                    (14-30μs)                             (14-30μs)
                "Bad agent detected"                   "Action blocked"
 
-Layer 1 Rule Evaluation (16 steps):
+Layer 1 Rule Evaluation (17 steps):
   1.  Sanitize tool name → strip null bytes, control chars
   2.  Extract paths, commands, content from tool arguments
   3.  Normalize Unicode → NFKC, strip invisible chars and confusables
@@ -20,14 +20,15 @@ Layer 1 Rule Evaluation (16 steps):
   6.  Block evasive commands (fork bombs, unparseable shell)
   7.  Self-protection → block management API access (hardcoded)
   8.  Block management API via Unix socket / named pipe
-  9.  DLP Secret Detection → block real API keys/tokens
+  9.  DLP Secret Detection → API keys/tokens + crypto keys (BIP39, xprv, WIF)
   10. Filter bare shell globs (not real paths)
   11. Normalize paths → expand ~, env vars
   12. Expand globs against real filesystem
-  13. Block /proc access (hardcoded)
-  14. Resolve symlinks → match both original and resolved
-  15. Operation-based rules → path/command/host matching
-  16. Fallback rules (content-only) → raw JSON matching for ANY tool
+  13. Resolve symlinks → match both original and resolved
+  14. Block /proc access (hardcoded, after symlink resolution)
+  15. Block crypto wallet access (hardcoded, after symlink resolution)
+  16. Operation-based rules → path/command/host matching
+  17. Fallback rules (content-only) → raw JSON matching for ANY tool
 ```
 
 **Layer 0 (Request History):** Scans tool_calls in conversation history. Catches "bad agent" patterns where malicious actions already occurred in past turns.
@@ -101,6 +102,10 @@ Layer 1 Rule Evaluation (16 steps):
 | ACP agent reads `.env` via IDE | - | - | - | ✅ Blocked |
 | ACP agent reads SSH keys via IDE | - | - | - | ✅ Blocked |
 | ACP agent runs `cat /etc/shadow` | - | - | - | ✅ Blocked |
+| BIP39 mnemonic in content | - | ✅ Blocked (crypto DLP) | ✅ Blocked (DLP) | ✅ Blocked (DLP) |
+| xprv/WIF private key in content | - | ✅ Blocked (crypto DLP) | ✅ Blocked (DLP) | ✅ Blocked (DLP) |
+| Access `~/.bitcoin/wallet.dat` | - | ✅ Blocked (hardcoded) | - | - |
+| Symlink to crypto wallet dir | - | ✅ Blocked (post-symlink) | - | - |
 
 ---
 
@@ -138,7 +143,7 @@ The pre-filter runs before the shell parser (step 5) and catches encoding-based
 
 ## DLP Secret Detection
 
-Step 9 of the evaluation pipeline runs hardcoded DLP (Data Loss Prevention) patterns against all operations. These patterns detect real API keys and tokens by their format, regardless of file path or tool name.
+Step 9 of the evaluation pipeline runs DLP (Data Loss Prevention) patterns against all operations. These patterns detect real API keys, tokens, and cryptocurrency secrets by their format, regardless of file path or tool name.
 
 In stdio proxy modes (MCP Gateway, ACP Wrap, Auto-detect), DLP also scans **server/agent responses** before they reach the client. This catches secrets leaked by the subprocess — for example, an MCP server returning file content that contains an AWS access key. The response is replaced with a JSON-RPC error so the secret never reaches the client.
 
@@ -152,17 +157,48 @@ In stdio proxy modes (MCP Gateway, ACP Wrap, Auto-detect), DLP also scans **serv
 | Google | API keys (`AIza...`) |
 | SendGrid | API keys (`SG....`) |
 | Heroku | API keys (`heroku_...`) |
-| OpenAI | Project keys (`sk-proj-...`) |
+| OpenAI | Project keys, admin keys (`sk-proj-...`, `sk-admin-...`) |
 | Anthropic | API keys (`sk-ant-api03-...`) |
 | Shopify | Shared secrets, access tokens (`shpss_...`, `shpat_...`) |
 | Databricks | Access tokens (`dapi...`) |
 | PyPI | Upload tokens (`pypi-...`) |
 | npm | Auth tokens (`npm_...`) |
 | age | Secret keys (`AGE-SECRET-KEY-...`) |
+| Private keys | PEM format (RSA, EC, DSA, OpenSSH, Ed25519) |
+| HuggingFace | API tokens (`hf_...`) |
+| Groq | API keys (`gsk_...`) |
+| Vercel | Tokens (`vercel_...`) |
+| Supabase | Service keys (`sbp_...`) |
+| DigitalOcean | PATs, OAuth tokens (`dop_v1_...`, `doo_v1_...`) |
+| HashiCorp Vault | Tokens (`hvs....`) |
+| Linear | API keys (`lin_api_...`) |
+| Postman | API keys (`PMAK-...`) |
+| Replicate | API tokens (`r8_...`) |
+| Twilio | API keys (`SK...`) |
+| Doppler | Tokens (`dp.st....`) |
+| Firebase | Cloud Messaging keys (`AAAA...:...`) |
 
-Patterns are sourced from [gitleaks v8.24](https://github.com/gitleaks/gitleaks), curated for blocking (not warning). See `internal/rules/dlp.go` for the full list.
+Tier 1 patterns (34 hardcoded) are sourced from [gitleaks v8.24](https://github.com/gitleaks/gitleaks) and extended for newer services. See `internal/rules/dlp.go` for the full list.
 
-In addition, [gitleaks](https://github.com/gitleaks/gitleaks) is used as a secondary scanner if installed, providing coverage for additional token formats beyond the hardcoded set.
+Tier 2: [gitleaks](https://github.com/gitleaks/gitleaks) is used as a secondary scanner, providing 200+ additional token formats. Install with `brew install gitleaks` or `go install github.com/gitleaks/gitleaks/v8@latest`.
+
+### Cryptocurrency Key Detection
+
+Step 9 also runs crypto-specific DLP with **cryptographic validation** — not just regex matching. This eliminates false positives by verifying checksums.
+
+| Type | Detection | Validation |
+|------|-----------|------------|
+| BIP39 mnemonic | Sliding window (12/15/18/21/24 words) | Embedded 2048-word wordlist |
+| Extended private key | `[xyzt]prv` prefix match | base58check checksum via btcutil |
+| WIF private key | `[5KL]` prefix match | base58check checksum + version byte (0x80/0xEF) |
+
+BIP39 mnemonics are the universal seed phrase standard used by Bitcoin, Ethereum, Solana, Cardano, Cosmos, Polkadot, and most other chains. See `internal/rules/dlp_crypto.go` for the implementation.
+
+### Crypto Wallet Path Protection
+
+Step 15 blocks access to cryptocurrency wallet directories. Paths are computed at init using OS-specific data directories (e.g., `~/Library/Application Support/Bitcoin/` on macOS, `~/.bitcoin/` on Linux, `%LOCALAPPDATA%\Bitcoin` on Windows). This check runs **after symlink resolution** (step 13) so symlink bypasses are caught.
+
+Protected chains: Bitcoin, Litecoin, Dogecoin, Dash, Ethereum, Electrum, Monero, Zcash, Cardano, Cosmos, Polkadot, Avalanche, Tron, Solana, Sui, Aptos.
 
 ---
 
@@ -184,10 +220,11 @@ The rule engine can protect against various attack vectors:
 |----------|----------|
 | Credentials | .env, SSH keys, cloud creds, tokens, DLP secret detection |
 | System | `/etc/passwd`, `/etc/shadow`, binaries, kernel modules, boot |
+| Crypto Wallets | BIP39 mnemonics, xprv/WIF keys, wallet.dat, keystore (16 chains) |
 | Persistence | Shell RC, cron, systemd, git hooks |
 | Privilege Escalation | Sudoers, PAM, LD_PRELOAD |
 | Container Escape | Docker/containerd sockets |
 | Network | Internal networks, cloud metadata |
 
-See `internal/rules/builtin/security.yaml` for actual built-in rules.
+See `internal/rules/builtin/security.yaml` for path rules, `internal/rules/dlp.go` for token patterns, and `internal/rules/dlp_crypto.go` for crypto key detection.
 

go.mod

@@ -4,6 +4,7 @@ go 1.24.13
 
 require (
 	github.com/Microsoft/go-winio v0.6.2
+	github.com/btcsuite/btcd/btcutil v1.1.6
 	github.com/charmbracelet/bubbles v1.0.0
 	github.com/charmbracelet/bubbletea v1.3.10
 	github.com/charmbracelet/huh v0.8.0