hydra-audit-trail

Hydra

An @enchanter-ai product — algorithm-driven, agent-managed, self-learning.

15 plugins (+ 1 meta-installer). 5 agents. 1,844 patterns. 8 algorithms. 98 CWEs. 20 attack databases. Zero dependencies.

Plugin count breakdown: 5 scanner plugins (each with a Sonnet/Haiku agent), 4 advisory hook plugins, 2 compliance plugins, 4 opt-in / post-filter plugins (capability-shield, egress-shield, reach-filter, state-integrity), and 1 meta-installer (full). Of the 16 directories under plugins/, the full plugin contains no logic of its own — it exists only to install the other 15 as dependencies.

Built from blood — every pattern traces back to a real CVE, a real breach, or a real research paper.

Clone a malicious repo. Open it in Claude Code.

Before you type a single command, config-shield has already flagged the hidden postinstall script in package.json, the API-key-stealing hook in .claude/settings.json, and the Unicode-obfuscated backdoor in .cursorrules.

You start coding. Hydra catches the PostgreSQL connection string on line 12, flags the pickle.loads() as CWE-502, spots the JWT signed with alg: "none", blocks the rm -rf /tmp/*, and quarantines a typosquatted npm package — all before you finish your coffee.

End of session: 6 secrets masked, 4 vulns mapped to CWEs, 1 command blocked, 2 phantom dependencies caught, 0 incidents. Dark-themed HTML report generated.

Total overhead: < 50ms per file write. You didn't notice it running.

TL;DR

In plain English: Your AI just typed an AWS key into a committed file, ran rm -rf ~/, and pip-installed a typosquatted package. Hydra blocks each one before it lands.

Technically: R1 Aho-Corasick pattern engine scans 1,844 patterns across 20 databases (310 secret patterns + 156 OWASP/CWE-mapped vulns + 105 dangerous-ops + more) on every Write/Edit; R2 Shannon entropy analysis catches high-entropy strings that evade regex; R4 Markov Action Classification classifies Bash subcommands and surfaces dangerous ops at PreToolUse via advisory injection (exit 0 + stderr per ../vis/packages/core/conduct/hooks.md). Every finding is keyed to a real CVE or CWE; no finding is fabricated from heuristics alone.

---

Origin

Hydra takes its name from Twilight Forest — the swamp-dwelling multi-headed boss whose heads regenerate faster than they can be severed, forcing the player to strike every weak point at once. Security vulnerabilities work the same way: suppress one surface and two more emerge. Hydra finds them before they find you.

The question this plugin answers: Is it safe?

Who this is for

• Teams who've accepted that AI-assisted development opens attack surfaces traditional scanners don't cover — poisoned .claude/settings.json hooks, prompt-injection-to-RCE chains, typosquatted deps the agent pulled in.
• Security-conscious developers who want findings keyed to real CVEs and CWEs, not vendor branding.
• Engineers running in environments where cloud security SaaS isn't an option — Hydra is bash + jq, no dependencies, no outbound calls.

Not for:

• Replacing your language-native linter / type-checker — Hydra complements them, doesn't duplicate them.
• Environments where advisory warnings are insufficient — Hydra's hooks inform, they don't silently block (see ../vis/packages/core/conduct/hooks.md).

Contents