Add fileless execution and promotion trust planes

Author: efij

.claude-plugin/marketplace.json

@@ -11,7 +11,7 @@
     {
       "name": "runwall",
       "description": "Balanced default runtime security plugin for Claude Code with shell, git, MCP, secret, exfiltration, and inline gateway guardrails.",
-      "version": "10.0.0",
+      "version": "11.0.0",
       "source": "./"
     }
   ]

.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "runwall",
   "description": "Runtime security plugin for Claude Code with balanced default hooks plus the Runwall inline MCP gateway for shell, git, MCP, secret, and exfiltration risks.",
-  "version": "10.0.0",
+  "version": "11.0.0",
   "author": {
     "name": "efij"
   },

.codex-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "runwall",
   "description": "Runtime security plugin bundle for Codex with the Runwall inline MCP gateway, policy tools, skills, and safer defaults for coding-agent workflows.",
-  "version": "10.0.0",
+  "version": "11.0.0",
   "author": {
     "name": "efij"
   },

CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## 11.0.0
+
+- added a `Fileless / Inline Execution Trust Plane` with native protections for `inline-fetch-exec-guard`, `inline-encoded-loader-guard`, `inline-process-substitution-guard`, `inline-heredoc-dropper-guard`, `inline-eval-secret-guard`, `inline-env-payload-guard`, `inline-python-loader-guard`, `inline-node-loader-guard`, `inline-shell-persistence-guard`, and `inline-policy-bypass-guard`
+- added a `Remote Content Promotion Trust Plane` with native protections for `remote-to-memory-promotion-guard`, `remote-to-knowledge-promotion-guard`, `remote-to-hook-promotion-guard`, `remote-to-policy-promotion-guard`, `remote-to-script-promotion-guard`, `remote-to-agent-doc-promotion-guard`, `raw-host-promotion-guard`, `paste-to-trusted-surface-guard`, and `promotion-quarantine-bypass-guard`
+- added new CLI surfaces: `runwall exec` and `runwall promotion`
+- extended policy evaluation, pretty output, and audit emission so inline-exec and promotion identities show up beside the other trust planes
+- expanded smoke coverage for inline fetch-and-exec blocking, encoded loaders, safe inline one-liners, remote content promotion into memory and policy surfaces, quarantine enforcement, and trusted-surface promotion inspection
+- updated the README, guard registry, signature deep dive, plugin metadata, gateway versioning, and release surface for the `11.0.0` trust-plane upgrade
+
 ## 10.0.0
 
 - added an `Approval Integrity Plane` so risky exceptions are no longer treated like permanent bypasses, with native protections for `approval-broad-scope-guard`, `approval-expiry-guard`, `approval-runtime-mismatch-guard`, `approval-repo-mismatch-guard`, `approval-parent-child-mismatch-guard`, `approval-scope-mismatch-guard`, `approval-drift-invalidation-guard`, `approval-destination-drift-guard`, `approval-tool-identity-drift-guard`, `approval-replay-guard`, and `approval-unbounded-lifetime-guard`

GUARDS.md

@@ -134,6 +134,30 @@ These protections are implemented directly in the Safety-Control Trust Plane ins
 - `release-safety-check-disable-guard`: blocks disabling SBOM, provenance, attestation, signing, or release verification steps
 - `recovery-script-destroy-guard`: blocks deletion, truncation, or de-executable changes against backup, restore, rollback, and recovery scripts
 
+## Built-In Fileless and Promotion Guards
+
+These protections are implemented directly in native Runwall trust planes instead of standalone hook modules:
+
+- `inline-fetch-exec-guard`: blocks remote fetch-and-execute chains hidden inside inline shell or interpreter execution
+- `inline-encoded-loader-guard`: blocks encoded loader and decode-and-run behavior inside inline shells, Python, Node, and PowerShell
+- `inline-process-substitution-guard`: blocks process-substitution chains that source or execute fetched content
+- `inline-heredoc-dropper-guard`: blocks heredoc execution that stages loaders, exfiltration, or persistence
+- `inline-eval-secret-guard`: blocks inline `eval` and `source` chains that combine secret access with loaders or outbound behavior
+- `inline-env-payload-guard`: blocks inline execution driven by hidden environment payload variables
+- `inline-python-loader-guard`: blocks risky `python -c` loader behavior with fetch, exec, secret, or outbound primitives
+- `inline-node-loader-guard`: blocks risky `node -e` loader behavior with fetch, exec, secret, or outbound primitives
+- `inline-shell-persistence-guard`: blocks inline execution that edits login, scheduler, or persistence surfaces
+- `inline-policy-bypass-guard`: blocks inline execution that tries to disable Runwall or step around local review boundaries
+- `remote-to-memory-promotion-guard`: blocks remote content promotion into persistent memory surfaces
+- `remote-to-knowledge-promotion-guard`: blocks remote content promotion into knowledge, vault, and RAG surfaces
+- `remote-to-hook-promotion-guard`: blocks remote content promotion into hook-bearing surfaces
+- `remote-to-policy-promotion-guard`: blocks remote content promotion into policy, settings, and plugin control surfaces
+- `remote-to-script-promotion-guard`: blocks remote content promotion into scripts, workflow files, and executable bins
+- `remote-to-agent-doc-promotion-guard`: blocks remote content promotion into `CLAUDE.md`, `AGENTS.md`, and similar agent instruction files
+- `raw-host-promotion-guard`: blocks promotion of content from raw file hosts and paste sites into trusted local authority surfaces
+- `paste-to-trusted-surface-guard`: prompts before pasted external content is promoted into a trusted surface
+- `promotion-quarantine-bypass-guard`: blocks reads or writes against promoted sources that were explicitly quarantined
+
 ## Implemented Guards
 
 ### Secrets & Identity

README.md

@@ -169,6 +169,8 @@ Runwall now adds four more native trust planes on top of tools and hooks:
 - `SaaS Action Trust`: prompts or blocks only on high-risk authenticated control-plane actions such as token minting, secret admin, role grants, prod deploys, webhook changes, and destructive deletes
 - `Approval Integrity`: narrows risky exceptions so one-shot approvals cannot be replayed, approvals do not drift silently across runtimes or repos, and broad wildcard approvals are surfaced before they turn into policy bypass
 - `Safety-Control Trust`: protects the things attackers disable first: audit trails, rollback scripts, backups, monitoring, alert sinks, incident bundles, and release safety checks
+- `Fileless / Inline Execution Trust`: blocks remote fetch-and-exec, encoded loaders, env-driven payloads, inline persistence, and policy-bypass chains that try to avoid leaving a normal executable on disk
+- `Remote Content Promotion Trust`: blocks remote or pasted content from being promoted directly into trusted memory, knowledge, hook, policy, script, and agent-instruction surfaces
 
 Runwall also now has scoped approvals so these planes stay usable without turning the default policy into mush:
 
@@ -202,11 +204,20 @@ Runwall also now has scoped approvals so these planes stay usable without turnin
 ./bin/runwall memory quarantine <path>
 ./bin/runwall memory diff <path>
 
+./bin/runwall exec list --json
+./bin/runwall exec explain <event-id-or-module>
+./bin/runwall exec policy --json
+
 ./bin/runwall knowledge list --json
 ./bin/runwall knowledge trust <path>
 ./bin/runwall knowledge quarantine <path>
 ./bin/runwall knowledge diff <path>
 
+./bin/runwall promotion list --json
+./bin/runwall promotion trust <path>
+./bin/runwall promotion quarantine <path>
+./bin/runwall promotion diff <path>
+
 ./bin/runwall apps list --json
 ./bin/runwall apps explain <event-id>
 ./bin/runwall apps policy --json
@@ -261,6 +272,16 @@ High-signal built-ins in these planes now include:
 - `app-webhook-admin-guard`
 - `app-member-invite-guard`
 - `app-admin-browser-mutation-guard`
+- `inline-fetch-exec-guard`
+- `inline-encoded-loader-guard`
+- `inline-env-payload-guard`
+- `inline-policy-bypass-guard`
+- `remote-to-memory-promotion-guard`
+- `remote-to-knowledge-promotion-guard`
+- `remote-to-hook-promotion-guard`
+- `remote-to-policy-promotion-guard`
+- `remote-to-script-promotion-guard`
+- `raw-host-promotion-guard`
 
 ## Protection Families
 
@@ -276,6 +297,8 @@ Runwall now groups signatures into stable families so the product reads like a r
 - `Quality & Workflow`: workflow integrity, context policy, test suppression, and destructive cleanup
 - `Memory & Knowledge`: persistent memory, imported notes, vaults, RAG caches, and mirrored knowledge surfaces
 - `SaaS & Control Planes`: authenticated control-plane actions against GitHub, Vercel, Stripe, Supabase, cloud consoles, and similar admin surfaces
+- `Fileless & Inline Execution`: inline shells, interpreter one-liners, process substitution, heredoc loaders, and other fileless execution shapes
+- `Remote Content Promotion`: remote or pasted content being promoted into trusted local authority surfaces such as memory, hooks, policy, scripts, and agent docs
 
 You can inspect the active registry by family with:
 

SIGNATURES.md

@@ -681,6 +681,143 @@ These are native Runwall trust-plane protections for audit trails, rollback path
 - Why it matters: once recovery scripts are gone, the window for safe rollback closes quickly.
 - Action: block
 
+## Built-In Fileless and Promotion Guards
+
+These are native Runwall trust-plane protections for fileless execution shapes and remote content promotion into trusted local authority surfaces.
+
+### inline-fetch-exec-guard
+
+- Purpose: stop remote fetch-and-execute chains hidden inside inline execution.
+- Detects: `bash -c`, `python -c`, `node -e`, or process-substitution chains that fetch remote content and execute it directly.
+- Why it matters: this is the cleanest way to bypass executable identity because nothing stable has to land on disk first.
+- Action: block
+
+### inline-encoded-loader-guard
+
+- Purpose: stop decode-and-run behavior in inline execution.
+- Detects: base64, PowerShell `-enc`, OpenSSL, GPG, or similar decode paths combined with inline interpreters or heredocs.
+- Why it matters: encoded loader chains are strongly attackerish and make review much harder.
+- Action: block
+
+### inline-process-substitution-guard
+
+- Purpose: stop sourcing fetched content through process substitution.
+- Detects: `<(...)` execution patterns that wrap fetch-and-exec or remote-content evaluation.
+- Why it matters: process substitution is a neat way to hide fetch-and-run behavior without creating a file.
+- Action: block
+
+### inline-heredoc-dropper-guard
+
+- Purpose: stop heredoc bodies that act like droppers or exfiltration helpers.
+- Detects: heredocs that include fetch, upload, persistence, or executable staging behavior.
+- Why it matters: heredocs are common in legitimate dev work, so Runwall only blocks the ones that clearly act like staged payloads.
+- Action: block
+
+### inline-eval-secret-guard
+
+- Purpose: stop inline `eval` or `source` chains that combine secret access with loader or outbound behavior.
+- Detects: `eval`, `source`, or `.` combined with secret-bearing paths and upload or fetch primitives.
+- Why it matters: this is a compact way to turn secret-bearing local content into executable or exfiltrated runtime behavior.
+- Action: block
+
+### inline-env-payload-guard
+
+- Purpose: stop inline execution driven by hidden environment payloads.
+- Detects: payload variables like `PAYLOAD`, `CODE`, `SCRIPT`, or `DATA` being executed through shell or interpreter one-liners.
+- Why it matters: env-based loaders hide the real code away from the visible command line.
+- Action: block
+
+### inline-python-loader-guard
+
+- Purpose: stop risky `python -c` loader behavior.
+- Detects: `python -c` chains that fetch, decode, `exec`, or immediately touch secret or outbound primitives.
+- Why it matters: inline Python is legitimate in moderation, but loader-style Python one-liners are a common bypass path.
+- Action: block
+
+### inline-node-loader-guard
+
+- Purpose: stop risky `node -e` loader behavior.
+- Detects: `node -e` chains that fetch, `eval`, spawn child processes, decode blobs, or touch secret or outbound primitives.
+- Why it matters: inline JavaScript can impersonate a harmless tool invocation while actually acting like a loader.
+- Action: block
+
+### inline-shell-persistence-guard
+
+- Purpose: stop inline execution from creating persistence.
+- Detects: inline shells or interpreters that write shell profiles, schedulers, login items, or SSH startup surfaces.
+- Why it matters: one-line persistence is quiet, effective, and rarely needed in normal runtime workflows.
+- Action: block
+
+### inline-policy-bypass-guard
+
+- Purpose: stop inline execution that disables Runwall or review boundaries.
+- Detects: `HUSKY=0`, `--no-verify`, `ignore runwall`, `disable runwall`, or similar bypass phrasing inside inline execution.
+- Why it matters: if the runtime can hide policy bypass inside one-liners, it can step around a lot of other protections.
+- Action: block
+
+### remote-to-memory-promotion-guard
+
+- Purpose: stop remote content from becoming persistent memory in one step.
+- Detects: URLs, raw hosts, or pasted external content written directly into memory surfaces.
+- Why it matters: long-lived memory becomes a hidden policy plane once external content is allowed to land there unreviewed.
+- Action: block
+
+### remote-to-knowledge-promotion-guard
+
+- Purpose: stop remote content promotion into knowledge, vault, and RAG surfaces.
+- Detects: direct writes from remote or mirrored sources into knowledge caches, vaults, and imported note stores.
+- Why it matters: poisoned knowledge often returns later looking trusted because it already sits in a “documentation” surface.
+- Action: block
+
+### remote-to-hook-promotion-guard
+
+- Purpose: stop remote content promotion into hook-bearing surfaces.
+- Detects: fetched or pasted content being written into git hooks, plugin hook manifests, or similar triggerable hook surfaces.
+- Why it matters: this turns remote text into executable behavior with almost no review boundary.
+- Action: block
+
+### remote-to-policy-promotion-guard
+
+- Purpose: stop remote content promotion into policy and config surfaces.
+- Detects: fetched or pasted content being written into `.mcp.json`, plugin manifests, Runwall config, settings, or similar control files.
+- Why it matters: remote content should not get to redefine trust boundaries in one write.
+- Action: block
+
+### remote-to-script-promotion-guard
+
+- Purpose: stop remote content promotion into scripts and workflows.
+- Detects: fetched or pasted content being written into `bin/`, `scripts/`, hook scripts, or CI workflow files.
+- Why it matters: it is a direct supply-chain bridge from remote content to executable local behavior.
+- Action: block
+
+### remote-to-agent-doc-promotion-guard
+
+- Purpose: stop remote content promotion into agent instruction files.
+- Detects: fetched or pasted content being written into `CLAUDE.md`, `AGENTS.md`, or similar agent-control docs.
+- Why it matters: agent docs are part of the local trust boundary, so remote content should not become first-class instructions automatically.
+- Action: block
+
+### raw-host-promotion-guard
+
+- Purpose: stop promotion from raw file hosts and paste sites.
+- Detects: raw GitHub content hosts, gist raw endpoints, paste sites, and similar hosts being written into trusted local authority surfaces.
+- Why it matters: raw hosts are a common delivery vehicle for quick malicious content promotion.
+- Action: block
+
+### paste-to-trusted-surface-guard
+
+- Purpose: require review before pasted external content becomes trusted local authority.
+- Detects: “paste this exactly,” “mirror this output,” and similar language when writing to trusted memory, knowledge, hook, policy, or instruction surfaces.
+- Why it matters: some abuse paths rely on socially engineered copy-paste rather than obvious remote URLs.
+- Action: prompt
+
+### promotion-quarantine-bypass-guard
+
+- Purpose: stop reads or edits of promoted sources that were already quarantined.
+- Detects: access to promotion-tracked surfaces that were explicitly marked quarantined in the local store.
+- Why it matters: quarantine only works if the runtime cannot keep consuming the poisoned source anyway.
+- Action: block
+
 ## Secrets & Identity
 
 Guards that keep tokens, sessions, credential stores, and delegated identity flows from quietly widening access or leaking off the box.

VERSION

@@ -1 +1 @@
-10.0.0
+11.0.0

bin/shield

@@ -666,6 +666,19 @@ tools_cmd() {
   esac
 }
 
+exec_cmd() {
+  local subcommand="${1:-list}"
+  shift || true
+  case "$subcommand" in
+    list|explain|policy)
+      run_python "$ROOT_DIR/scripts/runwall_exec.py" --root "$ROOT_DIR" "$subcommand" "$@"
+      ;;
+    *)
+      fail "unknown exec subcommand: $subcommand"
+      ;;
+  esac
+}
+
 hooks_cmd() {
   local subcommand="${1:-list}"
   shift || true
@@ -688,6 +701,19 @@ hooks_cmd() {
   esac
 }
 
+promotion_cmd() {
+  local subcommand="${1:-list}"
+  shift || true
+  case "$subcommand" in
+    list|trust|quarantine|forget|diff)
+      run_python "$ROOT_DIR/scripts/runwall_promotion.py" --root "$ROOT_DIR" "$subcommand" "$@"
+      ;;
+    *)
+      fail "unknown promotion subcommand: $subcommand"
+      ;;
+  esac
+}
+
 approvals_cmd() {
   local subcommand="${1:-list}"
   shift || true
@@ -1221,10 +1247,18 @@ Usage:
   bin/runwall tools list [--json]
   bin/runwall tools approve <name-or-path>
   bin/runwall tools forget <name-or-path>
+  bin/runwall exec list [--json]
+  bin/runwall exec explain <event-id-or-module>
+  bin/runwall exec policy [--json]
   bin/runwall hooks list [--json]
   bin/runwall hooks approve <path-or-key>
   bin/runwall hooks forget <path-or-key>
   bin/runwall hooks diff <path-or-key>
+  bin/runwall promotion list [--json]
+  bin/runwall promotion trust <path>
+  bin/runwall promotion quarantine <path>
+  bin/runwall promotion forget <path>
+  bin/runwall promotion diff <path>
   bin/runwall approvals list [--json]
   bin/runwall approvals create --kind K --target T --value V [--runtime name] [--agent-id id] [--once] [--ttl-hours H]
   bin/runwall approvals revoke <id-or-value>
@@ -1399,10 +1433,18 @@ case "$command" in
     shift
     tools_cmd "$@"
     ;;
+  exec)
+    shift
+    exec_cmd "$@"
+    ;;
   hooks)
     shift
     hooks_cmd "$@"
     ;;
+  promotion)
+    shift
+    promotion_cmd "$@"
+    ;;
   approvals)
     shift
     approvals_cmd "$@"