hydra

Real-time secret detection in written files. 200+ patterns, Shannon entropy, Aho-Corasick matching.

OWASP Top 10 and CWE-mapped vulnerability detection in code changes.

Pre-execution classification and blocking of dangerous Bash commands.

Session-start scanning for malicious repository configuration files.

Comprehensive security event logging with rotation and reporting.

Advisory PreToolUse gate on package install commands. Surfaces 5 supply-chain risk signals (existence, age, maintainer, typosquat, download-cliff) before npm/pip/etc. install runs. Always exit 0; never blocks.

Advisory PostToolUse logger for network egress. Records every WebFetch / WebSearch / Bash-network destination to an append-only NDJSON log and emits a stderr advisory on first-seen domains. Always exit 0; never blocks.

Advisory prompt-injection canary harness. PreToolUse(WebFetch) seeds a per-session high-entropy canary token into a stderr advisory; PostToolUse(*) scans every subsequent tool input/output for canary leakage. A hit indicates a successful indirect prompt injection took control of the agent. Always exit 0; never blocks.

Best-effort PreToolUse capability fence. Compares the tool being invoked against the active skill's declared allowed-tools list and emits a stderr advisory on mismatch. Observability only; cannot block. Real per-subagent runtime sandboxing requires harness/SDK changes outside plugin scope.

License compliance scanner for npm and pip dependency trees. Classifies every transitive dep against an allow/deny/warn policy (state/policy.json) using `npx license-checker` (Node) and `pip-licenses` (Python). Advisory by default; opt-in `--fail-on-deny` for release gating.

Emits CycloneDX SBOM for npm and pip projects on release.

OPT-IN BLOCKING PreToolUse egress allowlist. Pairs with hydra-egress-monitor (advisory). When state/egress-policy.json sets enabled:true, blocks WebFetch / WebSearch / Bash-network calls whose destination host is not in the allowlist by exiting 2. Default disabled (no-op). Closes audit finding F-005.

OPT-IN BLOCKING capability allowlist. Sibling of hydra-capability-fence (advisory). When state/capability-policy.json sets enabled:true, this shield blocks any tool call whose name is not in the active skill's declared allowed-tools frontmatter list. Default disabled — out of the box this shield does nothing.

Reachability-aware SCA post-filter. Consumes vuln-detector audit.jsonl findings and lich's call-graph (when available) and emits a reach-classified subset distinguishing 'reachable from entrypoint' from 'present-but-unreachable' vulnerabilities. Off by default; operator-invoked via scripts/reach-filter.py. Currently scaffolded — full integration is BLOCKED on lich exporting a persisted call-graph artifact.