🛰️ export standalone-repo assets (c86caab7)

interception-flow.svg

@@ -0,0 +1,72 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 720 480" width="720" height="480" font-family="system-ui, -apple-system, sans-serif" font-size="11">
+  <rect x="0" y="0" width="720" height="480" rx="8" fill="#f8f9fa"/>
+  <text x="360" y="24" text-anchor="middle" font-size="13" font-weight="bold" fill="#1a1a2e">How fermata intercepts</text>
+  <!-- Agent request -->
+  <rect x="60" y="42" width="280" height="32" rx="6" fill="#dfe6e9" stroke="#636e72" stroke-width="1"/>
+  <text x="200" y="62" text-anchor="middle" fill="#2d3436" font-size="11" font-weight="600">Agent requests a tool call</text>
+  <!-- Arrow down -->
+  <line x1="200" y1="74" x2="200" y2="92" stroke="#666" stroke-width="1.5"/>
+  <polygon points="200,96 195,88 205,88" fill="#666"/>
+  <!-- PreToolUse -->
+  <rect x="60" y="98" width="280" height="56" rx="6" fill="#e8f8f0" stroke="#1e8449" stroke-width="1.5"/>
+  <text x="70" y="116" fill="#1e8449" font-size="11" font-weight="bold">PreToolUse — policy gate</text>
+  <text x="70" y="131" fill="#196f3d" font-size="10">.botignore blocks reads, writes, commands</text>
+  <text x="70" y="144" fill="#196f3d" font-size="10">Blocked? Operation never executes.</text>
+  <!-- Block branch right — DENIED box -->
+  <line x1="340" y1="126" x2="370" y2="126" stroke="#c0392b" stroke-width="1.5"/>
+  <polygon points="374,126 366,121 366,131" fill="#c0392b"/>
+  <rect x="378" y="112" width="100" height="28" rx="4" fill="#fdecea" stroke="#c0392b" stroke-width="1"/>
+  <text x="428" y="130" text-anchor="middle" font-size="10" font-weight="bold" fill="#c0392b">DENIED</text>
+  <!-- Arrow down (allowed) -->
+  <line x1="200" y1="154" x2="200" y2="170" stroke="#1e8449" stroke-width="1.5"/>
+  <polygon points="200,174 195,166 205,166" fill="#1e8449"/>
+  <text x="215" y="168" fill="#1e8449" font-size="9">allowed</text>
+  <!-- Tool executes -->
+  <rect x="60" y="176" width="280" height="32" rx="6" fill="#fff" stroke="#636e72" stroke-width="1"/>
+  <text x="200" y="196" text-anchor="middle" fill="#2d3436" font-size="11">Tool executes (Read, Bash, Edit, Write)</text>
+  <!-- Arrow down -->
+  <line x1="200" y1="208" x2="200" y2="224" stroke="#666" stroke-width="1.5"/>
+  <polygon points="200,228 195,220 205,220" fill="#666"/>
+  <!-- PostToolUse -->
+  <rect x="60" y="230" width="280" height="70" rx="6" fill="#e8f0f8" stroke="#2471a3" stroke-width="1.5"/>
+  <text x="70" y="248" fill="#2471a3" font-size="11" font-weight="bold">PostToolUse — secret redaction</text>
+  <text x="70" y="263" fill="#1a5276" font-size="10">.botsecrets known values → *****</text>
+  <text x="70" y="278" fill="#1a5276" font-size="10">Heuristic patterns → flagged/redacted</text>
+  <text x="70" y="291" fill="#1a5276" font-size="9">Aho-Corasick automaton, sub-millisecond</text>
+  <!-- Arrow down -->
+  <line x1="200" y1="300" x2="200" y2="316" stroke="#666" stroke-width="1.5"/>
+  <polygon points="200,320 195,312 205,312" fill="#666"/>
+  <!-- Clean output -->
+  <rect x="60" y="322" width="280" height="32" rx="6" fill="#dfe6e9" stroke="#636e72" stroke-width="1"/>
+  <text x="200" y="342" text-anchor="middle" fill="#2d3436" font-size="11" font-weight="600">Clean output enters LLM context</text>
+  <!-- Right column: examples — aligned to flow steps, below DENIED box -->
+  <text x="500" y="62" text-anchor="middle" fill="#636e72" font-size="10" font-weight="600">WHAT GETS CAUGHT</text>
+  <!-- PreToolUse examples — starts below DENIED box -->
+  <rect x="490" y="74" width="200" height="72" rx="6" fill="#e8f8f0" stroke="#1e8449" stroke-width="1" stroke-dasharray="4,2"/>
+  <text x="500" y="91" fill="#1e8449" font-size="10" font-weight="600">PreToolUse</text>
+  <text x="500" y="106" fill="#333" font-size="9">Read .env → blocked</text>
+  <text x="500" y="119" fill="#333" font-size="9">rm -rf / → denied</text>
+  <text x="500" y="132" fill="#333" font-size="9">cat secrets/db.env → blocked</text>
+  <!-- PostToolUse examples — aligned with PostToolUse box -->
+  <rect x="390" y="230" width="300" height="70" rx="6" fill="#e8f0f8" stroke="#2471a3" stroke-width="1" stroke-dasharray="4,2"/>
+  <text x="400" y="247" fill="#2471a3" font-size="10" font-weight="600">PostToolUse</text>
+  <text x="400" y="262" fill="#333" font-size="10">DB_PASSWORD=hunter2 → DB_PASSWORD=*****</text>
+  <text x="400" y="275" fill="#333" font-size="10">AKIA1234567890ABCDEF → ***** (heuristic)</text>
+  <text x="400" y="288" fill="#333" font-size="10">docker-compose config → 2 values scrubbed</text>
+  <!-- Beyond fermata — aligned with clean output -->
+  <rect x="390" y="322" width="300" height="32" rx="6" fill="#fdecea" stroke="#c0392b" stroke-width="1" stroke-dasharray="4,2"/>
+  <text x="400" y="342" fill="#c0392b" font-size="10" font-weight="600">Beyond fermata — </text>
+  <text x="510" y="342" fill="#a93226" font-size="9">network exfil, kernel access → sandbox</text>
+  <!-- Performance -->
+  <rect x="390" y="170" width="300" height="42" rx="6" fill="#fff" stroke="#ddd" stroke-width="1"/>
+  <text x="400" y="187" fill="#333" font-size="10" font-weight="600">Performance</text>
+  <text x="400" y="202" fill="#666" font-size="10">~1-5ms per tool call. Cold start ~10-20ms.</text>
+  <!-- Key insight box -->
+  <rect x="60" y="375" width="630" height="44" rx="6" fill="#fff3cd" stroke="#d4a017" stroke-width="1"/>
+  <text x="75" y="393" fill="#7d6608" font-size="10" font-weight="bold">Key insight</text>
+  <text x="75" y="409" fill="#7d6608" font-size="10">source .env &amp;&amp; echo $DB_PASSWORD is caught — no file read was blocked, but the secret value is scrubbed from output.</text>
+  <!-- Delivery modes -->
+  <rect x="60" y="430" width="630" height="38" rx="6" fill="#fff" stroke="#ddd" stroke-width="1"/>
+  <text x="75" y="448" fill="#333" font-size="10" font-weight="600">Same engine, different wiring:</text>
+  <text x="265" y="448" fill="#666" font-size="10">Hook script (Claude Code, Codex) · MCP proxy (planned) · Library API (in-process)</text>
+</svg>