Feat/adversary channel integration

[bglusman]

Description

Channel integration of adversarial detection and some missed renames from old outpost name

Type of Change

• Bug fix
• New feature
• Breaking change
• Documentation update
• Refactoring
• CI/CD improvement

Testing

• cargo test passes for all affected crates
• cargo clippy passes with no warnings
• cargo fmt is clean
• New tests added for new functionality

Checklist

• Code follows the project style guidelines
• Self-review completed
• Comments added for complex logic
• Documentation updated (if applicable)
• No new warnings introduced

Related Issues

Fixes # (issue number)

Breaking Changes

List any breaking changes and migration steps:

Additional Notes

Any additional context or screenshots.

[Copilot]

Pull request overview

Adds adversary-detector integration to ZeroClawed’s channel adapters and introduces an install/deploy helper script, aiming to enable adversarial content scanning for inbound/outbound channel traffic.

Changes:

• Wire adversary-detector middleware into ZeroClawed startup and pass it into WhatsApp/Signal channels.
• Add channel-level inbound/outbound scanning paths and extend ScanContext to include channel message contexts.
• Introduce a scripts/install-zeroclawed.sh deployment script that generates a default config and installs a systemd unit.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
scripts/install-zeroclawed.sh	Adds a build/deploy/verify installer script, config generation, and systemd unit installation.
crates/zeroclawed/src/main.rs	Initializes adversary-detector middleware and injects it into WhatsApp/Signal channel runners.
crates/zeroclawed/src/config.rs	Adds scan_messages boolean to channel config as an opt-in scanning flag.
crates/zeroclawed/src/channels/whatsapp.rs	Performs inbound/outbound scans and blocks/annotates WhatsApp traffic based on verdicts; updates tests to construct middleware.
crates/zeroclawed/src/channels/signal.rs	Performs inbound/outbound scans and blocks/annotates Signal traffic based on verdicts.
crates/adversary-detector/src/verdict.rs	Extends ScanContext with UserMessage and AgentResponse.
crates/adversary-detector/src/middleware.rs	Adds scan_text() helper for scanning raw channel messages.
crates/adversary-detector/examples/test-adversary.rs	Adds an example/harness for exercising detector behavior across profiles.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

ssh/scp are invoked with StrictHostKeyChecking=no, which disables host key verification and makes deployments vulnerable to MITM (especially since connections are made as root). Consider removing this override, or using a safer option like StrictHostKeyChecking=accept-new and managing known_hosts explicitly.

Suggested change

	ssh -i "$SSH_KEY" -o StrictHostKeyChecking=no -o ConnectTimeout=10 "root@$host" "$@"
	}
	copy_to() {
	local src="$1" host="$2" dst="$3"
	scp -i "$SSH_KEY" -o StrictHostKeyChecking=no "$src" "root@$host:$dst"
	ssh -i "$SSH_KEY" -o StrictHostKeyChecking=accept-new -o ConnectTimeout=10 "root@$host" "$@"
	}
	copy_to() {
	local src="$1" host="$2" dst="$3"
	scp -i "$SSH_KEY" -o StrictHostKeyChecking=accept-new "$src" "root@$host:$dst"

[Copilot]

The systemd unit runs zeroclawed --config /etc/zeroclawed/config.toml, but the binary currently doesn’t parse CLI args and always loads ~/.zeroclawed/config.toml (see load_config() usage). This means the service will fail to start unless the config is also placed in the expected home directory. Either add CLI parsing for --config in crates/zeroclawed/src/main.rs or write the config to the path the binary actually reads.

[Copilot]

This hard-codes the adversary-detector profile to balanced at startup. Given the PR adds scan_messages in channel config and the installer template documents a configurable profile/skip list, it looks like this should be driven by config (e.g., profile selection and skip_protection domains) rather than fixed in code.

[Copilot]

scan_messages is added to ChannelConfig as an opt-in flag, but it isn’t referenced anywhere in the channel adapters (search shows no uses). As a result, message scanning will be effectively always-on once the middleware is wired in, regardless of this config. Either wire this flag into the WhatsApp/Signal code paths or remove it to avoid a misleading configuration option.

Suggested change

	// --- Adversary detector settings ---
	/// Enable inbound/outbound adversarial content scanning on this channel.
	/// Default: false (opt-in). The HTTP proxy is always-on regardless of this flag.
	#[serde(default)]
	pub scan_messages: bool,

[Copilot]

Inbound scanning runs unconditionally here. This ignores the new per-channel scan_messages opt-in flag (default false), so deployments that don’t enable scanning will still have messages blocked/annotated. Gate this block behind the channel’s scan_messages setting.

Suggested change

	let verdict = self.outpost_middleware.scan_text(&text, ScanContext::UserMessage).await;
	match &verdict {
	adversary_detector::verdict::OutpostVerdict::Unsafe { reason } => {
	warn!(
	identity = %identity.id,
	reason = %reason,
	"WhatsApp: inbound message BLOCKED by outpost"
	);
	let channel = self.clone();
	let from_owned = from.clone();
	let reason_owned = reason.clone();
	tokio::spawn(async move {
	let reply = format!("🚫 Message blocked by security scanner: {reason_owned}");
	if let Err(e) = channel
	.send_reply(&nzc_endpoint, nzc_auth_token.as_deref(), &from_owned, &reply)
	.await
	{
	warn!(from = %from_owned, error = %e, "WhatsApp: failed to send block notice");
	}
	});
	return;
	}
	adversary_detector::verdict::OutpostVerdict::Review { reason } => {
	warn!(identity = %identity.id, reason = %reason, "WhatsApp: inbound message flagged REVIEW — passing with caution");
	// Pass through but logged
	}
	adversary_detector::verdict::OutpostVerdict::Clean => {
	debug!(identity = %identity.id, "WhatsApp: inbound scan clean");
	}
	if self.config.channels.whatsapp.scan_messages {
	let verdict = self
	.outpost_middleware
	.scan_text(&text, ScanContext::UserMessage)
	.await;
	match &verdict {
	adversary_detector::verdict::OutpostVerdict::Unsafe { reason } => {
	warn!(
	identity = %identity.id,
	reason = %reason,
	"WhatsApp: inbound message BLOCKED by outpost"
	);
	let channel = self.clone();
	let from_owned = from.clone();
	let reason_owned = reason.clone();
	tokio::spawn(async move {
	let reply = format!("🚫 Message blocked by security scanner: {reason_owned}");
	if let Err(e) = channel
	.send_reply(&nzc_endpoint, nzc_auth_token.as_deref(), &from_owned, &reply)
	.await
	{
	warn!(from = %from_owned, error = %e, "WhatsApp: failed to send block notice");
	}
	});
	return;
	}
	adversary_detector::verdict::OutpostVerdict::Review { reason } => {
	warn!(identity = %identity.id, reason = %reason, "WhatsApp: inbound message flagged REVIEW — passing with caution");
	// Pass through but logged
	}
	adversary_detector::verdict::OutpostVerdict::Clean => {
	debug!(identity = %identity.id, "WhatsApp: inbound scan clean");
	}
	}
	} else {
	debug!(identity = %identity.id, "WhatsApp: inbound scanning disabled for channel");

[Copilot]

Outbound scanning runs unconditionally, but the active SecurityConfig for the balanced profile sets scan_outbound = false. This means the code is scanning and potentially blocking responses even when the profile indicates it should not. Consider using OutpostMiddleware::on_outbound_message (which respects scan_outbound) or otherwise gating this scan behind security_config.scan_outbound and the per-channel scan_messages flag.

Suggested change

	// Outpost outbound scan
	let outbound_verdict = self.outpost_middleware.scan_text(&response, ScanContext::AgentResponse).await;
	let final_response = match outbound_verdict {
	adversary_detector::verdict::OutpostVerdict::Unsafe { reason } => {
	warn!(identity = %identity_id, reason = %reason, "WhatsApp: outbound response BLOCKED by outpost");
	format!("🚫 Agent response blocked by security scanner: {reason}")
	}
	adversary_detector::verdict::OutpostVerdict::Review { reason } => {
	warn!(identity = %identity_id, reason = %reason, "WhatsApp: outbound response flagged REVIEW");
	format!("[⚠ Security Review: {reason}]\n{response}")
	}
	adversary_detector::verdict::OutpostVerdict::Clean => response,
	// Only scan outbound messages when both the global security
	// profile and the WhatsApp channel configuration allow it.
	let should_scan_outbound =
	self.config.security.scan_outbound && self.config.whatsapp.scan_messages;
	let final_response = if should_scan_outbound {
	let outbound_verdict = self
	.outpost_middleware
	.scan_text(&response, ScanContext::AgentResponse)
	.await;
	match outbound_verdict {
	adversary_detector::verdict::OutpostVerdict::Unsafe { reason } => {
	warn!(identity = %identity_id, reason = %reason, "WhatsApp: outbound response BLOCKED by outpost");
	format!("🚫 Agent response blocked by security scanner: {reason}")
	}
	adversary_detector::verdict::OutpostVerdict::Review { reason } => {
	warn!(identity = %identity_id, reason = %reason, "WhatsApp: outbound response flagged REVIEW");
	format!("[⚠ Security Review: {reason}]\n{response}")
	}
	adversary_detector::verdict::OutpostVerdict::Clean => response,
	}
	} else {
	response

[Copilot]

Inbound scanning runs unconditionally here. This ignores the new per-channel scan_messages opt-in flag (default false), so deployments that don’t enable scanning will still have messages blocked/annotated. Gate this block behind the channel’s scan_messages setting.

Suggested change

	let verdict = self.outpost_middleware.scan_text(&text, ScanContext::UserMessage).await;
	match &verdict {
	adversary_detector::verdict::OutpostVerdict::Unsafe { reason } => {
	warn!(
	identity = %identity.id,
	reason = %reason,
	"Signal: inbound message BLOCKED by outpost"
	);
	let channel = self.clone();
	let from_owned = from.clone();
	let reason_owned = reason.clone();
	tokio::spawn(async move {
	let reply = format!("🚫 Message blocked by security scanner: {reason_owned}");
	if let Err(e) = channel
	.send_reply(&nzc_endpoint, nzc_auth_token.as_deref(), &from_owned, &reply)
	.await
	{
	warn!(from = %from_owned, error = %e, "Signal: failed to send block notice");
	}
	});
	return;
	}
	adversary_detector::verdict::OutpostVerdict::Review { reason } => {
	warn!(identity = %identity.id, reason = %reason, "Signal: inbound message flagged REVIEW — passing with caution");
	}
	adversary_detector::verdict::OutpostVerdict::Clean => {
	debug!(identity = %identity.id, "Signal: inbound scan clean");
	}
	let scan_messages = self
	.config
	.channels
	.signal
	.as_ref()
	.map(|channel| channel.scan_messages)
	.unwrap_or(false);
	if scan_messages {
	let verdict = self.outpost_middleware.scan_text(&text, ScanContext::UserMessage).await;
	match &verdict {
	adversary_detector::verdict::OutpostVerdict::Unsafe { reason } => {
	warn!(
	identity = %identity.id,
	reason = %reason,
	"Signal: inbound message BLOCKED by outpost"
	);
	let channel = self.clone();
	let from_owned = from.clone();
	let reason_owned = reason.clone();
	tokio::spawn(async move {
	let reply = format!("🚫 Message blocked by security scanner: {reason_owned}");
	if let Err(e) = channel
	.send_reply(&nzc_endpoint, nzc_auth_token.as_deref(), &from_owned, &reply)
	.await
	{
	warn!(from = %from_owned, error = %e, "Signal: failed to send block notice");
	}
	});
	return;
	}
	adversary_detector::verdict::OutpostVerdict::Review { reason } => {
	warn!(identity = %identity.id, reason = %reason, "Signal: inbound message flagged REVIEW — passing with caution");
	}
	adversary_detector::verdict::OutpostVerdict::Clean => {
	debug!(identity = %identity.id, "Signal: inbound scan clean");
	}
	}

[Copilot]

Outbound scanning runs unconditionally, but the balanced SecurityConfig sets scan_outbound = false. This can block/modify responses even when outbound scanning is meant to be disabled. Consider using OutpostMiddleware::on_outbound_message or gating this scan behind scan_outbound (and the per-channel scan_messages flag).

Suggested change

	// Outpost outbound scan
	let outbound_verdict = self.outpost_middleware.scan_text(&response, ScanContext::AgentResponse).await;
	let final_response = match outbound_verdict {
	adversary_detector::verdict::OutpostVerdict::Unsafe { reason } => {
	warn!(identity = %identity_id, reason = %reason, "Signal: outbound response BLOCKED by outpost");
	format!("🚫 Agent response blocked by security scanner: {reason}")
	}
	adversary_detector::verdict::OutpostVerdict::Review { reason } => {
	warn!(identity = %identity_id, reason = %reason, "Signal: outbound response flagged REVIEW");
	format!("[⚠ Security Review: {reason}]\n{response}")
	}
	adversary_detector::verdict::OutpostVerdict::Clean => response,
	let outbound_scanning_enabled =
	self.config.security.scan_outbound && self.config.signal.scan_messages;
	let final_response = if outbound_scanning_enabled {
	// Outpost outbound scan
	let outbound_verdict = self
	.outpost_middleware
	.scan_text(&response, ScanContext::AgentResponse)
	.await;
	match outbound_verdict {
	adversary_detector::verdict::OutpostVerdict::Unsafe { reason } => {
	warn!(identity = %identity_id, reason = %reason, "Signal: outbound response BLOCKED by outpost");
	format!("🚫 Agent response blocked by security scanner: {reason}")
	}
	adversary_detector::verdict::OutpostVerdict::Review { reason } => {
	warn!(identity = %identity_id, reason = %reason, "Signal: outbound response flagged REVIEW");
	format!("[⚠ Security Review: {reason}]\n{response}")
	}
	adversary_detector::verdict::OutpostVerdict::Clean => response,
	}
	} else {
	response

[Copilot]

Pull request overview

Copilot reviewed 18 out of 18 changed files in this pull request and generated 8 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

ssh/scp are run with StrictHostKeyChecking=no, which disables host key verification and makes deployments vulnerable to MITM attacks. Prefer using known_hosts (or StrictHostKeyChecking=accept-new / a pinned UserKnownHostsFile) instead of fully disabling checks.

[Copilot]

The generated config.toml schema here ([gateway], [identity], [[models]], [channels.webhook], etc.) does not match ZeroClawed’s actual config format ([[identities]], [[agents]], [[routing]], [[channels]] in crates/zeroclawed/src/config.rs). As written, a fresh install will likely fail to start due to config parse errors—please generate a config that matches crates/zeroclawed/examples/config.toml (or copy that file as the template).

Suggested change

	# ── Gateway ─────────────────────────────────────────────────────
	[gateway]
	listen_addr = "0.0.0.0:18789"
	forward_to = "http://127.0.0.1:8080"
	# ── Identity ────────────────────────────────────────────────────
	[identity]
	header = "X-Forwarded-For"
	strategy = "extract-first"
	# ── Models ──────────────────────────────────────────────────────
	# Remote models
	[[models]]
	name = "kimi-k2"
	provider = "moonshot"
	model_id = "kimi-k2"
	api_key_env = "KIMI_API_KEY"
	[[models]]
	name = "gpt-4o-mini"
	provider = "openai"
	model_id = "gpt-4o-mini"
	api_key_env = "OPENAI_API_KEY"
	# ── Identities ──────────────────────────────────────────────────
	[[identities]]
	name = "default"
	header = "X-Forwarded-For"
	strategy = "extract-first"
	# ── Agents ──────────────────────────────────────────────────────
	[[agents]]
	name = "kimi-k2"
	provider = "moonshot"
	model = "kimi-k2"
	api_key_env = "KIMI_API_KEY"
	[[agents]]
	name = "gpt-4o-mini"
	provider = "openai"
	model = "gpt-4o-mini"
	api_key_env = "OPENAI_API_KEY"
	# ── Routing ─────────────────────────────────────────────────────
	[[routing]]
	identity = "default"
	agent = "gpt-4o-mini"
	# ── Channels ────────────────────────────────────────────────────
	[[channels]]
	type = "webhook"
	listen_addr = "0.0.0.0:18789"

[Copilot]

verify_host curls http://127.0.0.1:18789/health, but zeroclawed doesn’t expose a health endpoint on 18789 (that port is used as an OpenClaw/NZC endpoint in this repo). The webhook listeners expose /health on their configured webhook_listen ports (e.g. 18795/18796). Consider verifying the correct webhook port(s), or rely on systemctl is-active and/or make the health check configurable per channel.

Suggested change

	echo -n " gateway: "
	run_on "$host" "curl -s http://127.0.0.1:18789/health" 2>/dev/null || echo "❌ not responding"
	echo -n " webhook: "
	run_on "$host" "
	if [ ! -f $CONFIG_DIR/config.toml ]; then
	exit 1
	fi
	ports=\$(grep -E '^[[:space:]]*webhook_listen[[:space:]]*=' $CONFIG_DIR/config.toml | sed -E 's/.*:[0-9.]+:([0-9]+).*/\1/' | tr '\n' ' ')
	if [ -z \"\$ports\" ]; then
	systemctl is-active zeroclawed 2>/dev/null
	exit \$?
	fi
	for port in \$ports; do
	if curl -fsS \"http://127.0.0.1:\$port/health\"; then
	exit 0
	fi
	done
	exit 1
	" 2>/dev/null || echo "❌ not responding"

[Copilot]

scan_messages is documented as opt-in per-channel, but inbound scanning is currently executed unconditionally for every WhatsApp message (scan_text(...)) regardless of the channel’s scan_messages value. This will surprise operators and can block messages even when scanning is meant to be disabled—please gate this scan on the WhatsApp ChannelConfig.scan_messages (e.g., store the bool in WhatsAppChannel at construction time).

Suggested change

	let verdict = self
	.channel_scanner
	.scan_text(&text, ScanContext::UserMessage)
	.await;
	match &verdict {
	adversary_detector::verdict::ScanVerdict::Unsafe { reason } => {
	warn!(
	identity = %identity.id,
	reason = %reason,
	"WhatsApp: inbound message BLOCKED by adversary scan"
	);
	let channel = self.clone();
	let from_owned = from.clone();
	let reason_owned = reason.clone();
	tokio::spawn(async move {
	let reply = format!("🚫 Message blocked by security scanner: {reason_owned}");
	if let Err(e) = channel
	.send_reply(
	&nzc_endpoint,
	nzc_auth_token.as_deref(),
	&from_owned,
	&reply,
	)
	.await
	{
	warn!(from = %from_owned, error = %e, "WhatsApp: failed to send block notice");
	}
	});
	return;
	}
	adversary_detector::verdict::ScanVerdict::Review { reason } => {
	warn!(identity = %identity.id, reason = %reason, "WhatsApp: inbound message flagged REVIEW — passing with caution");
	// Pass through but logged
	}
	adversary_detector::verdict::ScanVerdict::Clean => {
	debug!(identity = %identity.id, "WhatsApp: inbound scan clean");
	}
	if self.scan_messages {
	let verdict = self
	.channel_scanner
	.scan_text(&text, ScanContext::UserMessage)
	.await;
	match &verdict {
	adversary_detector::verdict::ScanVerdict::Unsafe { reason } => {
	warn!(
	identity = %identity.id,
	reason = %reason,
	"WhatsApp: inbound message BLOCKED by adversary scan"
	);
	let channel = self.clone();
	let from_owned = from.clone();
	let reason_owned = reason.clone();
	tokio::spawn(async move {
	let reply = format!("🚫 Message blocked by security scanner: {reason_owned}");
	if let Err(e) = channel
	.send_reply(
	&nzc_endpoint,
	nzc_auth_token.as_deref(),
	&from_owned,
	&reply,
	)
	.await
	{
	warn!(from = %from_owned, error = %e, "WhatsApp: failed to send block notice");
	}
	});
	return;
	}
	adversary_detector::verdict::ScanVerdict::Review { reason } => {
	warn!(identity = %identity.id, reason = %reason, "WhatsApp: inbound message flagged REVIEW — passing with caution");
	// Pass through but logged
	}
	adversary_detector::verdict::ScanVerdict::Clean => {
	debug!(identity = %identity.id, "WhatsApp: inbound scan clean");
	}
	}
	} else {
	debug!(identity = %identity.id, "WhatsApp: inbound scan disabled for channel");

[Copilot]

scan_messages is documented as opt-in per-channel, but inbound scanning is currently executed unconditionally for every Signal message (scan_text(...)) regardless of the channel’s scan_messages value. Please gate the scan on the Signal channel config so disabling scanning actually disables enforcement for that channel.

Suggested change

	let verdict = self
	.channel_scanner
	.scan_text(&text, ScanContext::UserMessage)
	.await;
	match &verdict {
	adversary_detector::verdict::ScanVerdict::Unsafe { reason } => {
	warn!(
	identity = %identity.id,
	reason = %reason,
	"Signal: inbound message BLOCKED by adversary scan"
	);
	let channel = self.clone();
	let from_owned = from.clone();
	let reason_owned = reason.clone();
	tokio::spawn(async move {
	let reply = format!("🚫 Message blocked by security scanner: {reason_owned}");
	if let Err(e) = channel
	.send_reply(
	&nzc_endpoint,
	nzc_auth_token.as_deref(),
	&from_owned,
	&reply,
	)
	.await
	{
	warn!(from = %from_owned, error = %e, "Signal: failed to send block notice");
	}
	});
	return;
	}
	adversary_detector::verdict::ScanVerdict::Review { reason } => {
	warn!(identity = %identity.id, reason = %reason, "Signal: inbound message flagged REVIEW — passing with caution");
	}
	adversary_detector::verdict::ScanVerdict::Clean => {
	debug!(identity = %identity.id, "Signal: inbound scan clean");
	}
	if self.config.channels.signal.scan_messages {
	let verdict = self
	.channel_scanner
	.scan_text(&text, ScanContext::UserMessage)
	.await;
	match &verdict {
	adversary_detector::verdict::ScanVerdict::Unsafe { reason } => {
	warn!(
	identity = %identity.id,
	reason = %reason,
	"Signal: inbound message BLOCKED by adversary scan"
	);
	let channel = self.clone();
	let from_owned = from.clone();
	let reason_owned = reason.clone();
	tokio::spawn(async move {
	let reply = format!("🚫 Message blocked by security scanner: {reason_owned}");
	if let Err(e) = channel
	.send_reply(
	&nzc_endpoint,
	nzc_auth_token.as_deref(),
	&from_owned,
	&reply,
	)
	.await
	{
	warn!(from = %from_owned, error = %e, "Signal: failed to send block notice");
	}
	});
	return;
	}
	adversary_detector::verdict::ScanVerdict::Review { reason } => {
	warn!(identity = %identity.id, reason = %reason, "Signal: inbound message flagged REVIEW — passing with caution");
	}
	adversary_detector::verdict::ScanVerdict::Clean => {
	debug!(identity = %identity.id, "Signal: inbound scan clean");
	}
	}
	} else {
	debug!(identity = %identity.id, "Signal: inbound scan disabled by channel config");

[Copilot]

This warn!(...) invocation is not rustfmt-compliant (the format string is unindented on its own line). CI runs cargo fmt -- --check, so this will likely fail formatting checks—please run rustfmt or adjust formatting so the macro arguments are consistently indented.

Suggested change

	"Signal: inbound message BLOCKED by adversary scan"
	"Signal: inbound message BLOCKED by adversary scan"

[Copilot]

The field comment says this enables “inbound/outbound” scanning, but the channel integration in this PR only performs inbound scanning (and the channel code explicitly notes outbound scanning was dropped). Please update the doc comment to reflect actual behavior, or reintroduce outbound handling if that’s still intended for this flag.

Suggested change

	/// Enable inbound/outbound adversarial content scanning on this channel.
	/// Enable inbound adversarial content scanning on this channel.

[Copilot]

This roadmap doc includes a specific phone number in an example config (to: "+12154609585"). Even in docs, it’s safer to use an explicit placeholder (e.g. +1XXXXXXXXXX) to avoid accidentally publishing a real number.

Suggested change

	to: "+12154609585"
	to: "+1XXXXXXXXXX"

[Copilot]

Pull request overview

Copilot reviewed 19 out of 19 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

SSH_KEY default uses a quoted ~/.ssh/... path, but ~ won’t expand when stored in a variable. This can cause ssh -i "$SSH_KEY" / scp -i to fail to find the key. Prefer defaulting to $HOME/.ssh/id_ed25519 (or expand ~ explicitly) before passing it to SSH.

Suggested change

	SSH_KEY="${SSH_KEY:-~/.ssh/id_ed25519}"
	SSH_KEY="${SSH_KEY:-$HOME/.ssh/id_ed25519}"

[Copilot]

This warn! macro invocation looks mis-indented (the format string starts at column 0). CI runs cargo fmt --check, and rustfmt will likely rewrite this. Please run cargo fmt or adjust formatting so the diff is fmt-clean.

Suggested change

	"Signal: inbound message BLOCKED by adversary scan"
	"Signal: inbound message BLOCKED by adversary scan"

[Copilot]

The generated config/feature flags suggest outbound scanning is a meaningful setting, but outbound scanning support was removed from adversary-detector (and ScanContext::Outbound no longer exists). Logging scan_outbound here is misleading unless something in zeroclawed actually uses it; consider removing this field from the log and/or wiring outbound scanning back in so the setting matches behavior.

Suggested change

scan_outbound = security_config.scan_outbound,

[Copilot]

The docstring for scan_messages says it enables “inbound/outbound” scanning, but the channel integration here only scans inbound user messages (and outbound scanning was explicitly dropped per roadmap). Please update the field docs to match actual behavior to avoid confusing operators.

[Copilot]

The verify_host health check uses curl -s without -f / status checking, so HTTP 404/500 responses still exit 0 and will be treated as “healthy”. Use curl -sf (and optionally print the body on failure) so the script correctly reports unhealthy gateways.

Suggested change

	run_on "$host" "curl -s http://127.0.0.1:18789/health" 2>/dev/null || echo "❌ not responding"
	run_on "$host" "curl -sf http://127.0.0.1:18789/health" 2>/dev/null || echo "❌ not responding"

[Copilot]

Pull request overview

Copilot reviewed 19 out of 19 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Target resolution runs unconditionally, so build/help actions (which don’t require any hosts) will still error out with “No targets specified” unless args/targets.txt are provided. Consider skipping target resolution for actions that don’t operate on remote hosts (e.g., build, help).

Suggested change

	if [ $# -gt 0 ]; then
	TARGETS=("$@")
	elif [ -f "$(dirname "$0")/targets.txt" ]; then
	mapfile -t TARGETS < <(grep -v '^#' "$(dirname "$0")/targets.txt" | grep -v '^$')
	else
	echo "No targets specified. Usage:"
	echo " $0 <action> host1 [host2 ...]"
	exit 1
	REQUIRES_TARGETS=true
	case "$ACTION" in
	build|help)
	REQUIRES_TARGETS=false
	;;
	esac
	if [ "$REQUIRES_TARGETS" = true ]; then
	if [ $# -gt 0 ]; then
	TARGETS=("$@")
	elif [ -f "$(dirname "$0")/targets.txt" ]; then
	mapfile -t TARGETS < <(grep -v '^#' "$(dirname "$0")/targets.txt" | grep -v '^$')
	else
	echo "No targets specified. Usage:"
	echo " $0 <action> host1 [host2 ...]"
	exit 1
	fi
	else
	TARGETS=()

[Copilot]

scan_enabled() looks up the first [[channels]] entry with kind == "whatsapp" and ignores enabled. If the config contains multiple WhatsApp entries (e.g., one disabled and a later enabled one that run() selected), this can read the wrong scan_messages value. Consider either matching kind && enabled, or storing the selected channel config (or just scan_messages) on WhatsAppChannel at construction time.

Suggested change

	.find(|c| c.kind == "whatsapp")
	.find(|c| c.kind == "whatsapp" && c.enabled)

[Copilot]

scan_enabled() looks up the first [[channels]] entry with kind == "signal" and ignores enabled. If multiple Signal entries exist, this can read a different scan_messages value than the enabled entry used by run(). Consider matching kind && enabled, or storing the selected channel config (or scan_messages) on SignalChannel at construction time.

Suggested change

	.find(|c| c.kind == "signal")
	.find(|c| c.kind == "signal" && c.enabled)

[Copilot]

A single ChannelScanner is initialized here, but it’s only wired into WhatsApp/Signal. The new scan_messages channel setting (and the install script’s generated config) suggests scanning is a general channel feature, yet Telegram/Matrix message paths won’t consult it. Either thread the scanner into those channels too, or clarify via naming/config/docs that scan_messages only applies to WhatsApp/Signal for now.

[Copilot]

Inbound adversary scanning and blocking behavior is newly introduced here, but the existing tests in this module focus on payload parsing and don’t cover the scan_messages=true path (Clean/Review/Unsafe handling). Adding a focused async test (e.g., enabling scan_messages in the test config and asserting Unsafe input is short-circuited) would help prevent regressions.

[Copilot]

Pull request overview

Copilot reviewed 32 out of 33 changed files in this pull request and generated 9 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The generated default config sets [zeroclawed].version = 1, but the current config schema/examples/tests use version 2. This makes the installer produce a config that looks out-of-date and can confuse tooling that expects version 2.

Suggestion: update the generated config to version = 2 (and keep it aligned with crates/zeroclawed/examples/config.toml).

[Copilot]

config::config_path() returns a Result, but this uses expect(...) which will panic instead of returning a structured error. Since main already returns Result<()>, prefer propagating the error (with context) rather than panicking so startup failures are reported cleanly.

Suggested change

	let config_path = args
	.config
	.unwrap_or_else(|| config::config_path().expect("Failed to determine default config path"));
	let config_path = match args.config {
	Some(path) => path,
	None => config::config_path().context("Failed to determine default config path")?,
	};

[Copilot]

The [security].scan_outbound value from config is currently ignored. security_config is derived only from the parsed profile, and scan_outbound is logged from that profile-derived config, which may not match the user’s config file.

Suggestion: apply security_cfg.scan_outbound as an override after SecurityConfig::from_profile(...), or remove/rename the field if outbound scanning is intentionally not supported yet.

[Copilot]

intercept() builds the upstream request without forwarding any of the original client request headers (e.g. Content-Type, Accept, Authorization), except the injected credential headers. This will break requests that rely on headers or body content-types.

Suggestion: copy whitelisted headers from the inbound request to the upstream request (excluding hop-by-hop headers) and then layer injected headers on top.

[Copilot]

The response returned to the client hardcodes content-type: application/json and drops all upstream response headers. This can corrupt non-JSON responses and breaks clients that rely on upstream headers (content-type, caching, etc.).

Suggestion: preserve upstream response headers (at least Content-Type) and avoid forcing JSON unless the gateway guarantees JSON-only traffic.

[Copilot]

forward_upstream() (bypass path) also forwards requests without copying inbound headers to the upstream request. This means bypassed domains can still fail in the same way as scanned domains (e.g. missing Content-Type/Accept/Auth headers).

Suggestion: reuse the same header-forwarding logic for both bypassed and scanned requests to keep behavior consistent.

[Copilot]

SecurityProxy::new creates two separate AuditLogger instances (security-gateway and security-gateway-fetch). Because AuditLogger also tracks in-memory counters, the /health endpoint (which reads state.audit) will undercount fetch-mode scans performed via fetch_proxy.

Suggestion: either share a single counter source (e.g., make AuditLogger clonable via an internal Arc), or aggregate both counters in health_handler so metrics reflect total activity.

Suggested change

	// Create a separate logger for the fetch proxy to avoid cloning
	let fetch_audit = AuditLogger::new("security-gateway-fetch");
	let fetch_proxy =
	AdversaryDetector::from_config(scanner_config, fetch_audit, rate_limit).await;
	// Share the same audit logger across fetch and intercept modes so
	// in-memory counters and health metrics reflect total activity.
	let fetch_proxy =
	AdversaryDetector::from_config(scanner_config, audit.clone(), rate_limit).await;

[Copilot]

match_wildcard claims to “escape special regex chars”, but it only escapes . before compiling a regex. Patterns containing other regex metacharacters (e.g. +, ?, (, ), [) will be treated as regex and can unintentionally broaden bypass matching.

Suggestion: use regex::escape(pattern) and then replace the escaped \* with .* to implement safe wildcard matching.

[Copilot]

The README refers to AdversaryProxy::fetch(), but the crate exports AdversaryDetector/AdversaryFetchResult (and there is no AdversaryProxy type). This makes the usage docs non-compilable.

Suggestion: update the docs to reference the actual exported type name (AdversaryDetector::fetch).

[Copilot]

Pull request overview

Copilot reviewed 32 out of 33 changed files in this pull request and generated 7 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

[security].scan_outbound from the config is currently ignored: SecurityConfig is built only from the parsed profile, so toggling scan_outbound in config.toml has no effect even though it is exposed in SecuritySectionConfig. Apply the optional override from security_cfg when building security_config (and keep the profile defaults for fields not explicitly set).

[Copilot]

The README references AdversaryProxy::fetch(), but the exported type in this crate is AdversaryDetector (see lib.rs re-exports) and there is no AdversaryProxy. Update the README to use the correct type/name so the example compiles.

[Copilot]

intercept() drops all inbound request headers when forwarding upstream (only injected headers are sent). This breaks proxy semantics (e.g., Content-Type, Accept, Authorization, custom headers) and can change server behavior. Copy/forward the original request headers (minus hop-by-hop headers) and then overlay injected headers.

[Copilot]

The upstream response is always read via resp.text() and returned with content-type: application/json, which corrupts non-UTF8/binary payloads and mislabels content types (HTML, images, etc.). Preserve the upstream status + headers (especially Content-Type) and stream/return raw bytes instead of forcing text/JSON.

[Copilot]

elapsed_ms is hard-coded to 0, so the access logs report incorrect latency. Capture a start Instant at the beginning of intercept() and compute elapsed time after the upstream response completes.

[Copilot]

check_bypassed() matches patterns against the full URL string (substring / unanchored regex). This can unintentionally bypass scanning if the pattern appears in the path/query (e.g., ...?redirect=http://localhost/...). Parse the URL and match against the host (and optionally port) only, and avoid compiling a new regex on every request/pattern.

[Copilot]

blocked_response() hand-builds JSON and only escapes ". If reason contains backslashes, newlines, or other control characters, this can emit invalid JSON. Use serde_json to build/serialize the response body (or at least perform full JSON string escaping).

[Copilot]

Pull request overview

Copilot reviewed 32 out of 33 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

[zeroclawed].version is set to 1 here, but the config schema/tests in crates/zeroclawed/src/config.rs assert version 2 (and many unit tests build PolyHeader { version: 2 }). This example config should use the current schema version to avoid generating configs that fail validation/expectations elsewhere.

Suggested change

	version = 1
	version = 2

[Copilot]

The installer’s generated config.toml uses [zeroclawed].version = 1, but the current config schema/tests expect version 2. Please update the generated config to emit the correct schema version so fresh installs don’t start with an incompatible config.

[Copilot]

Inbound scanning is currently gated on content_type.starts_with("text/"), so common textual types like application/json, application/xml, and application/javascript will bypass injection scanning even when scan_inbound is enabled. Consider scanning any response body that is valid UTF-8 (possibly with a size cap) or expanding the allowlist of MIME types so injection payloads embedded in JSON aren’t missed.

[Copilot]

forward_upstream (bypass path) drops all original request headers and always reads the upstream response as text while forcing content-type: application/json. This can break authenticated/typed requests to bypassed domains and can corrupt non-JSON / binary responses. Bypass should still forward the original headers and stream/preserve the upstream status + headers + raw bytes, just skipping scanning.

[Copilot]

match_wildcard builds a regex by only escaping . before replacing * with .*. If a bypass pattern contains other regex metacharacters (e.g. ?, +, (, ), [, ]), it will change matching semantics or fail to compile. Safer approach: regex::escape(pattern) first, then replace the escaped \* with .* (and consider anchoring with ^...$ if you want full-string matching).

[Copilot]

Pull request overview

Copilot reviewed 40 out of 41 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Using expect() here will panic if the default config path can’t be determined (e.g., missing/invalid home dir), even though main() already returns Result. Prefer propagating the error (e.g., config::config_path()?) and adding context so this fails gracefully instead of aborting.

[Copilot]

Bypass matching currently uses substring matching (url.contains(pattern)) for non-wildcard entries. With defaults like localhost, a URL such as https://evil-localhost.com would bypass scanning. Consider parsing the URL and matching against the hostname (exact match / suffix match) and anchoring wildcard patterns to the host to avoid unintended bypasses.

[Copilot]

health_handler reports audit counters, but SecurityProxy::intercept never calls AuditLogger::log, and GatewayConfig.audit_log isn’t consulted. As a result, total_requests / blocked_or_reviewed will stay at 0 even while traffic is scanned. Log verdicts in intercept mode when auditing is enabled, and honor config.audit_log to allow turning this off.

Suggested change

	.await;
	.await;
	if self.config.audit_log {
	self.audit_logger.log(&target_url, &body_str, &verdict).await;
	}

[Copilot]

These are defined as “integration tests”, but this module isn’t referenced from crates/zeroclawed/tests/e2e/mod.rs (the e2e test target), so none of these tests will compile/run. Either add pub mod security_tests; to tests/e2e/mod.rs, make this a separate [[test]] target, or move these to crates/zeroclawed/tests/ as standalone integration tests.

[Copilot]

This file isn’t referenced from crates/zeroclawed/tests/e2e/mod.rs, so these edge-case tests won’t run in the e2e test target. Add it to the module tree (or make it a standalone integration test) so CI actually executes these cases.

[Copilot]

This test file lives under src/ but isn’t included via a mod scanner_test; in lib.rs, so it won’t compile or run. If the intent is unit tests, add it to the module tree; if the intent is integration tests, move it to crates/security-gateway/tests/.

[Copilot]

Pull request overview

Copilot reviewed 41 out of 42 changed files in this pull request and generated 9 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

[zeroclawed].version is set to 1 here, but the config schema/tests in crates/zeroclawed/src/config.rs expect version 2. Update the example to version = 2 to avoid shipping an example config that contradicts the actual schema.

Suggested change

	version = 1
	version = 2

[Copilot]

Inbound scanning is currently gated on content_type.starts_with("text/"), which skips scanning for common textual response types like application/json, application/xml, application/javascript, etc. That creates a real bypass for prompt-injection payloads delivered as JSON; consider scanning any UTF-8-decodable body (or at least include */json and similar) when scan_inbound is enabled.

Suggested change

	// Inbound scan (injection) — only scan text content
	if self.config.scan_inbound && content_type.starts_with("text/") {
	// Inbound scan (injection) — scan any UTF-8-decodable response body
	if self.config.scan_inbound {

[Copilot]

forward_upstream (bypass path) drops all inbound request headers and hard-codes the response content-type to application/json while reading the upstream body via resp.text(). This changes behavior for bypassed domains (e.g., breaks auth headers and corrupts non-UTF8/binary responses). Preserve headers, preserve upstream content-type, and forward bytes rather than forcing text/JSON.

[Copilot]

Bypass matching is performed against the full URL string using substring/regex matching. This can be exploited (e.g., https://evil.com/?next=http://localhost would match "localhost" and bypass scanning). Parse the URL and match patterns against the host (and optionally port) with anchored wildcard matching, rather than searching the entire URL.

[Copilot]

The intercept log line always reports 0ms latency, which is misleading in production logs. Either measure elapsed time (e.g., capture an Instant at the start) or remove the timing field until it is implemented.

[Copilot]

This file is not referenced from the current tests/e2e/mod.rs, so none of these tests will compile or run. Either add mod security_tests; in tests/e2e/mod.rs (and make the tests real), or move these placeholders to documentation / mark them #[ignore] to avoid giving a false sense of coverage.

[Copilot]

This file is not referenced from tests/e2e/mod.rs, so the tests won’t compile/run. Also, Duration is currently unused and will trigger -D warnings if/when the module is wired in. Either wire the module in and implement assertions, or remove/ignore these placeholder tests and unused imports.

[Copilot]

This module is not included anywhere (no mod scanner_test; in lib.rs), so these tests are currently dead code and won’t run. Additionally, use super::*; won’t import ExfilScanner/InjectionScanner even if the module were included (they live in the crate root / other modules). Prefer moving these tests into src/scanner.rs’s #[cfg(test)] module or into tests/ integration tests, and fix the imports accordingly.

Suggested change

	mod tests {
	use super::*;
	/// Test scanner with empty/whitespace content
	#[tokio::test]
	async fn test_scan_empty_body() {
	let scanner = ExfilScanner::new();
	let report = scanner.scan("https://api.openai.com/v1/chat/completions", "").await;
	assert!(matches!(report.verdict, Verdict::Allow));
	assert!(report.findings.is_empty());
	}
	/// Test scanner with very large payload
	#[tokio::test]
	async fn test_scan_large_payload() {
	let scanner = ExfilScanner::new();
	let large_body = "x".repeat(1024 * 1024); // 1MB
	let report = scanner.scan("https://api.openai.com/v1/chat/completions", &large_body).await;
	// Should not panic or hang
	assert!(matches!(report.verdict, Verdict::Allow));
	}
	/// Test scanner with malformed URL
	#[tokio::test]
	async fn test_scan_malformed_url() {
	let scanner = InjectionScanner::new();
	let report = scanner.scan("not-a-valid-url", "clean content").await;
	// Should handle gracefully
	assert!(matches!(report.verdict, Verdict::Allow | Verdict::Log { .. }));
	}
	/// Test scanner with unicode-heavy content
	#[tokio::test]
	async fn test_scan_unicode_content() {
	let scanner = InjectionScanner::new();
	let body = "こんにちは世界 🌍 مرحبا بالعالم 👋";
	let report = scanner.scan("https://example.com", body).await;
	assert!(matches!(report.verdict, Verdict::Allow));
	}
	/// Test scan timing is reasonable
	#[tokio::test]
	async fn test_scan_performance_sanity() {
	let scanner = ExfilScanner::new();
	let body = "Normal API request body".repeat(100);
	let start = std::time::Instant::now();
	let _report = scanner.scan("https://api.openai.com/v1/chat/completions", &body).await;
	let elapsed = start.elapsed();
	// Scan should complete in reasonable time (<1s for simple content)
	assert!(elapsed < std::time::Duration::from_secs(1),
	"Scan took too long: {:?}", elapsed);
	}
	/// Test concurrent scanning doesn't deadlock
	#[tokio::test]
	async fn test_concurrent_scans() {
	use tokio::task::JoinSet;
	let scanner = std::sync::Arc::new(ExfilScanner::new());
	let mut set = JoinSet::new();
	for i in 0..10 {
	let scanner_clone = scanner.clone();
	set.spawn(async move {
	let body = format!("Request body {}", i);
	scanner_clone.scan("https://api.openai.com/v1/chat/completions", &body).await
	});
	}
	let mut count = 0;
	while let Some(result) = set.join_next().await {
	let _report = result.expect("Task should not panic");
	count += 1;
	}
	assert_eq!(count, 10);
	}
	use crate::{ExfilScanner, InjectionScanner, Verdict};
	/// Test scanner with empty/whitespace content
	#[cfg(test)]
	#[tokio::test]
	async fn test_scan_empty_body() {
	let scanner = ExfilScanner::new();
	let report = scanner.scan("https://api.openai.com/v1/chat/completions", "").await;
	assert!(matches!(report.verdict, Verdict::Allow));
	assert!(report.findings.is_empty());
	}
	/// Test scanner with very large payload
	#[cfg(test)]
	#[tokio::test]
	async fn test_scan_large_payload() {
	let scanner = ExfilScanner::new();
	let large_body = "x".repeat(1024 * 1024); // 1MB
	let report = scanner.scan("https://api.openai.com/v1/chat/completions", &large_body).await;
	// Should not panic or hang
	assert!(matches!(report.verdict, Verdict::Allow));
	}
	/// Test scanner with malformed URL
	#[cfg(test)]
	#[tokio::test]
	async fn test_scan_malformed_url() {
	let scanner = InjectionScanner::new();
	let report = scanner.scan("not-a-valid-url", "clean content").await;
	// Should handle gracefully
	assert!(matches!(report.verdict, Verdict::Allow | Verdict::Log { .. }));
	}
	/// Test scanner with unicode-heavy content
	#[cfg(test)]
	#[tokio::test]
	async fn test_scan_unicode_content() {
	let scanner = InjectionScanner::new();
	let body = "こんにちは世界 🌍 مرحبا بالعالم 👋";
	let report = scanner.scan("https://example.com", body).await;
	assert!(matches!(report.verdict, Verdict::Allow));
	}
	/// Test scan timing is reasonable
	#[cfg(test)]
	#[tokio::test]
	async fn test_scan_performance_sanity() {
	let scanner = ExfilScanner::new();
	let body = "Normal API request body".repeat(100);
	let start = std::time::Instant::now();
	let _report = scanner.scan("https://api.openai.com/v1/chat/completions", &body).await;
	let elapsed = start.elapsed();
	// Scan should complete in reasonable time (<1s for simple content)
	assert!(elapsed < std::time::Duration::from_secs(1),
	"Scan took too long: {:?}", elapsed);
	}
	/// Test concurrent scanning doesn't deadlock
	#[cfg(test)]
	#[tokio::test]
	async fn test_concurrent_scans() {
	use tokio::task::JoinSet;
	let scanner = std::sync::Arc::new(ExfilScanner::new());
	let mut set = JoinSet::new();
	for i in 0..10 {
	let scanner_clone = scanner.clone();
	set.spawn(async move {
	let body = format!("Request body {}", i);
	scanner_clone.scan("https://api.openai.com/v1/chat/completions", &body).await
	});
	}
	let mut count = 0;
	while let Some(result) = set.join_next().await {
	let _report = result.expect("Task should not panic");
	count += 1;
	}
	assert_eq!(count, 10);

[Copilot]

The comment in this test says the function “only trims, doesn't strip internal spaces”, but normalise_phone now removes spaces and dashes via replace([' ', '-'], ""). Update the comment to reflect the current behavior to avoid misleading future changes/debugging.