Using HushSpec with Clawdstrike

Clawdstrike is the reference engine for HushSpec. It implements all 10 core rules and all three extensions, plus engine-specific features such as Ed25519 receipt signing, async guard pipelines, and detection algorithms.

Dual-Format Support

Clawdstrike supports both its native policy format (schema v1.5.0) and HushSpec documents. The engine auto-detects the format from the presence or absence of a top-level hushspec field.

```rust
use clawdstrike::Policy;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let yaml_string = std::fs::read_to_string("policy.hushspec.yaml")?;

    // Auto-detect format: works with both native and HushSpec YAML
    let policy = Policy::from_yaml_auto(&yaml_string)?;
    Ok(())
}
```

from_yaml_auto checks for the hushspec top-level field. If present, the document is parsed as HushSpec and translated to Clawdstrike's internal policy representation. If absent, it is parsed as a native Clawdstrike policy.

Validate and Test Before Runtime

Use HushSpec's own tooling to validate and exercise a policy before handing it to Clawdstrike:

```bash
# Structural validation
h2h validate policy.hushspec.yaml

# Also check that extends references resolve
h2h validate --strict policy.hushspec.yaml

# Run local evaluator fixtures against a policy
h2h test --policy policy.hushspec.yaml --fixtures ./tests/
```

h2h does not currently provide a generic convert or resolve subcommand for Clawdstrike interop. Format conversion and round-tripping live in Clawdstrike's library API instead.

Compile and Decompile in Library Code

Clawdstrike exposes library helpers for HushSpec ingestion and round-tripping:

```rust
use clawdstrike::{compile_hushspec, decompile_to_hushspec, Policy};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let yaml_string = std::fs::read_to_string("policy.hushspec.yaml")?;

    // Auto-detect and compile to a Clawdstrike Policy
    let policy = Policy::from_yaml_auto(&yaml_string)?;

    // Explicit compilation (no auto-detection; input must be HushSpec)
    let compiled = compile_hushspec(&yaml_string)?;

    // Convert a Clawdstrike Policy back to portable HushSpec
    let spec = decompile_to_hushspec(&compiled);
    Ok(())
}
```

During compilation, Clawdstrike strips a leading hushspec: prefix from extends values. For example, extends: "hushspec:default" is normalized to the built-in Clawdstrike ruleset name default.
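The two compile-time steps described in this section and in Dual-Format Support (auto-detecting the format from a top-level hushspec field, and stripping the hushspec: prefix from extends) are small enough to sketch end to end. The block below is an added example and not Clawdstrike's own code: it uses only the Rust standard library, scans for column-0 YAML keys instead of parsing the full document, and classifies the normalized extends value against the built-in ruleset names listed on this page. The BUILT_IN_RULESETS list, the ExtendsTarget enum, and the library/ path rule are this example's own assumptions.

```rust
// Added example, not Clawdstrike's own code: a standard-library-only sketch of
// the two compile-time steps described above (format auto-detection on the
// top-level `hushspec` field, and `hushspec:` prefix stripping on `extends`).
// The real engine parses the whole YAML document; this version only scans for
// column-0 scalar keys so it runs without a YAML crate.

#[derive(Debug, PartialEq)]
pub enum PolicyFormat {
    HushSpec,
    Native,
}

/// What a normalized `extends` value points at (this example's own taxonomy).
#[derive(Debug, PartialEq)]
pub enum ExtendsTarget {
    /// One of the seven built-in rulesets shipped in rulesets/.
    BuiltIn(String),
    /// A compliance template under library/.
    LibraryTemplate(String),
    /// Anything else: report it instead of silently accepting it.
    Unknown(String),
}

/// Built-in ruleset names as listed on this page.
const BUILT_IN_RULESETS: &[&str] = &[
    "permissive", "default", "strict", "ai-agent", "cicd", "remote-desktop", "panic",
];

/// Value of a top-level (column-0) scalar key, with trailing comment and quotes
/// removed. Indented keys are skipped, so `rules:\n  hushspec: x` does not count.
fn top_level_value<'a>(yaml: &'a str, key: &str) -> Option<&'a str> {
    for line in yaml.lines() {
        if line.starts_with(' ') || line.starts_with('\t') || line.starts_with('#') {
            continue;
        }
        let rest = match line.strip_prefix(key).and_then(|r| r.strip_prefix(':')) {
            Some(rest) => rest,
            None => continue,
        };
        let value = rest.split('#').next().unwrap_or("").trim();
        return Some(value.trim_matches(|c| c == '"' || c == '\''));
    }
    None
}

/// Mirror of the from_yaml_auto rule: a top-level `hushspec` field selects HushSpec.
pub fn detect_format(yaml: &str) -> PolicyFormat {
    if top_level_value(yaml, "hushspec").is_some() {
        PolicyFormat::HushSpec
    } else {
        PolicyFormat::Native
    }
}

/// Strip the optional `hushspec:` prefix, then classify the target.
pub fn resolve_extends(raw: &str) -> ExtendsTarget {
    let name = raw.strip_prefix("hushspec:").unwrap_or(raw);
    if BUILT_IN_RULESETS.contains(&name) {
        ExtendsTarget::BuiltIn(name.to_string())
    } else if name.starts_with("library/") && name.ends_with(".yaml") {
        ExtendsTarget::LibraryTemplate(name.to_string())
    } else {
        ExtendsTarget::Unknown(name.to_string())
    }
}

/// Detect the format and, for HushSpec documents, resolve `extends` if present.
pub fn inspect(yaml: &str) -> (PolicyFormat, Option<ExtendsTarget>) {
    let format = detect_format(yaml);
    let target = match format {
        PolicyFormat::HushSpec => top_level_value(yaml, "extends").map(resolve_extends),
        PolicyFormat::Native => None,
    };
    (format, target)
}

fn main() {
    // Constructed sample documents, not taken from the rulesets on this page.
    let hushspec_doc = "hushspec: \"0.1.0\"\nname: \"production\"\nextends: \"hushspec:default\" # built-in\nrules:\n  egress:\n    default: \"block\"\n";
    let native_doc = "name: \"native-policy\"\nrules:\n  hushspec: true\n";
    println!("{:?}", inspect(hushspec_doc));
    println!("{:?}", inspect(native_doc));
}
```

The Unknown variant is the part worth keeping in any real loader: an extends value that resolves to neither a built-in ruleset nor a library template should fail closed at compile time rather than silently producing a policy with no parent.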

Mapping: HushSpec to Clawdstrike

HushSpec rules map directly to Clawdstrike's built-in guards:

| HushSpec Rule | Clawdstrike Guard |
|---|---|
| forbidden_paths | ForbiddenPathGuard |
| path_allowlist | PathAllowlistGuard |
| egress | EgressAllowlistGuard |
| secret_patterns | SecretLeakGuard |
| patch_integrity | PatchIntegrityGuard |
| shell_commands | ShellCommandGuard |
| tool_access | McpToolGuard |
| computer_use | ComputerUseGuard |
| remote_desktop_channels | RemoteDesktopSideChannelGuard |
| input_injection | InputInjectionCapabilityGuard |

Engine-Specific Features

These Clawdstrike features are not part of HushSpec and have no HushSpec equivalent:

  • Receipt signing - Ed25519-signed attestations of every decision
  • Detection guards - PromptInjectionGuard, JailbreakGuard, SpiderSenseGuard (HushSpec detection extension configures thresholds, but the algorithms are engine-specific)
  • Async guard pipeline - AsyncGuard trait for guards that call external services
  • Broker subsystem - Brokered egress with capability tokens and secret injection
  • Additional/remove pattern helpers - additional_patterns, remove_patterns in native format

Built-in Ruleset Details

Clawdstrike ships seven built-in rulesets in the rulesets/ directory. Use them via the extends field in your policy.

default

General-purpose security baseline for AI agent execution.

  • Forbidden paths: SSH keys, AWS/GnuPG/Kube/Docker credentials, .env files, git credentials, password stores, Unix system files (/etc/shadow, /etc/passwd), Windows credential stores and registry hives
  • Egress: allows OpenAI, Anthropic, GitHub, npm, PyPI, and crates.io; blocks all other domains by default
  • Secret patterns: detects AWS access keys, GitHub tokens, OpenAI keys, and private keys (all critical severity); skips test directories
  • Patch integrity: max 1000 additions / 500 deletions, forbids disable security, skip verify, rm -rf /, chmod 777
  • Tool access: blocks shell_exec, run_command, raw_file_write, raw_file_delete; requires confirmation for file_write, file_delete, git_push; allows everything else

strict

Minimal-permission lockdown for high-security environments.

  • Forbidden paths: everything in default plus .vault, .secrets, credentials/, private/ directories, Windows system certificate stores, and .reg files
  • Egress: zero allowed domains - all egress blocked by default
  • Secret patterns: adds Anthropic key, npm token, Slack token, and generic API key detection (8 patterns total vs. 4 in default)
  • Patch integrity: max 500 additions / 200 deletions, requires balance, forbids eval(), exec(), reverse_shell, bind_shell in addition to default patterns
  • Tool access: allows only read_file, list_directory, search, grep; blocks everything else by default

permissive

Development-only ruleset with relaxed limits. Use with caution.

  • Egress: wildcard * allow - all domains permitted
  • Patch integrity: max 10,000 additions / 5,000 deletions, no balance requirement, 50x imbalance ratio
  • No forbidden paths, secret patterns, or tool access restrictions defined

ai-agent

Optimized for AI coding assistants with broader permissions for development workflows.

  • Forbidden paths: same as default but with exceptions for .env.example and .env.template
  • Egress: adds Together AI, Fireworks AI, GitLab, and Bitbucket on top of default allows
  • Secret patterns: adds Anthropic key detection; broader skip_paths including fixtures/ and mocks/
  • Patch integrity: max 2,000 additions / 1,000 deletions, 20x imbalance ratio; only forbids rm -rf / and chmod 777
  • Shell commands: forbids rm -rf /, curl|bash, wget|bash
  • Tool access: blocks shell_exec and run_command; requires confirmation for git_push, deploy, publish; allows everything else; 2 MB max args size

cicd

Security rules for CI/CD pipeline environments.

  • Forbidden paths: SSH, AWS, env files, git credentials, GnuPG, plus CI-specific secrets (.github/secrets, .gitlab-ci-secrets, .circleci/secrets); exceptions for workflow config files
  • Egress: allows package registries (npm, PyPI, crates.io, RubyGems, Packagist, Gradle), container registries (Docker Hub, GCR, ECR, GHCR), and build tools (Maven Central, Gradle Services); blocks all else
  • Secret patterns: detects AWS keys, GitHub tokens, and private keys
  • Tool access: allows read_file, write_file, list_directory, run_tests, build; blocks shell_exec and deploy_production; blocks everything else by default

remote-desktop

Security rules for remote desktop and computer use agent sessions.

  • Computer use: enabled in guardrail mode with allowed actions for session management, input injection, clipboard, file transfer, audio, drive mapping, printing, and session sharing
  • Remote desktop channels: clipboard and file transfer disabled, audio allowed, drive mapping disabled
  • Input injection: keyboard and mouse injection allowed, postcondition probe not required

panic

Emergency deny-all override. Activated by panic mode to immediately lock down all agent activity.

  • Forbidden paths: blocks everything (** glob)
  • Egress: blocks all domains (* in block list)
  • Shell commands: forbids all commands (.* pattern)
  • Tool access: blocks all tools (* in block list), default block
  • Computer use: fail_closed mode with no allowed actions
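The patch_integrity limits quoted for the default, ai-agent and permissive rulesets above are concrete enough to evaluate against a real diff. The block below is an added example and is not Clawdstrike's PatchIntegrityGuard: the numeric limits and forbidden strings are taken from the ruleset descriptions on this page, while the way a unified diff is counted (one line per leading + or -, file headers skipped), the decision to match forbidden patterns only against added lines, and the imbalance-ratio formula are this example's own assumptions. The sample diff is constructed for the demonstration.

```rust
// Added example, not Clawdstrike's PatchIntegrityGuard: a standard-library-only
// checker for the patch_integrity limits quoted in the ruleset descriptions
// above. The numeric limits and forbidden strings come from this page; the way
// a unified diff is counted and the imbalance-ratio formula are assumptions.

#[derive(Debug, Clone)]
pub struct PatchIntegrity {
    pub max_additions: usize,
    pub max_deletions: usize,
    /// Assumed semantic: the larger of (additions, deletions) may not exceed
    /// `ratio` times the smaller, with the smaller floored at 1. None = not checked.
    pub max_imbalance_ratio: Option<usize>,
    /// Substrings that must not appear in added lines.
    pub forbidden_patterns: &'static [&'static str],
}

/// default ruleset: 1000 / 500, no ratio, four forbidden patterns.
pub const DEFAULT: PatchIntegrity = PatchIntegrity {
    max_additions: 1000,
    max_deletions: 500,
    max_imbalance_ratio: None,
    forbidden_patterns: &["disable security", "skip verify", "rm -rf /", "chmod 777"],
};

/// ai-agent ruleset: 2000 / 1000, 20x ratio, two forbidden patterns.
pub const AI_AGENT: PatchIntegrity = PatchIntegrity {
    max_additions: 2000,
    max_deletions: 1000,
    max_imbalance_ratio: Some(20),
    forbidden_patterns: &["rm -rf /", "chmod 777"],
};

/// permissive ruleset: 10,000 / 5,000, 50x ratio; the page lists no forbidden patterns.
pub const PERMISSIVE: PatchIntegrity = PatchIntegrity {
    max_additions: 10_000,
    max_deletions: 5_000,
    max_imbalance_ratio: Some(50),
    forbidden_patterns: &[],
};

#[derive(Debug, PartialEq)]
pub enum Violation {
    TooManyAdditions { count: usize, max: usize },
    TooManyDeletions { count: usize, max: usize },
    Imbalanced { additions: usize, deletions: usize, max_ratio: usize },
    ForbiddenPattern { pattern: String, line: String },
}

/// Count +/- lines in a unified diff, skipping the `+++`/`---` file headers.
/// Returns (additions, deletions, bodies of the added lines).
pub fn diff_stats(diff: &str) -> (usize, usize, Vec<String>) {
    let (mut adds, mut dels, mut added) = (0, 0, Vec::new());
    for line in diff.lines() {
        if line.starts_with("+++") || line.starts_with("---") {
            continue;
        }
        if let Some(body) = line.strip_prefix('+') {
            adds += 1;
            added.push(body.to_string());
        } else if line.starts_with('-') {
            dels += 1;
        }
    }
    (adds, dels, added)
}

/// Evaluate one diff against one ruleset's limits; an empty result means allowed.
pub fn check_patch(policy: &PatchIntegrity, diff: &str) -> Vec<Violation> {
    let (additions, deletions, added_lines) = diff_stats(diff);
    let mut out = Vec::new();
    if additions > policy.max_additions {
        out.push(Violation::TooManyAdditions { count: additions, max: policy.max_additions });
    }
    if deletions > policy.max_deletions {
        out.push(Violation::TooManyDeletions { count: deletions, max: policy.max_deletions });
    }
    if let Some(max_ratio) = policy.max_imbalance_ratio {
        let hi = additions.max(deletions);
        let lo = additions.min(deletions).max(1);
        if hi > max_ratio * lo {
            out.push(Violation::Imbalanced { additions, deletions, max_ratio });
        }
    }
    for line in &added_lines {
        for pattern in policy.forbidden_patterns {
            if line.contains(pattern) {
                out.push(Violation::ForbiddenPattern { pattern: pattern.to_string(), line: line.clone() });
            }
        }
    }
    out
}

/// Constructed sample diff for the demonstration; not a real change from any project.
pub const SAMPLE_DIFF: &str = "--- a/deploy.sh\n+++ b/deploy.sh\n@@ -1,2 +1,4 @@\n set -e\n-echo deploying\n+echo \"deploying\"\n+chmod 777 /srv/app\n+rm -rf /tmp/build\n";

fn main() {
    for (name, policy) in [("default", &DEFAULT), ("ai-agent", &AI_AGENT), ("permissive", &PERMISSIVE)] {
        println!("{}: {:?}", name, check_patch(policy, SAMPLE_DIFF));
    }
}
```

Note what the substring rule does with the sample: rm -rf /tmp/build is flagged because it contains rm -rf /. That is the conservative side of a plain substring pattern; if the false positives matter in a development workflow, the pattern needs anchoring (for example, requiring end of line or whitespace after the slash), which is a deliberate policy choice rather than something to fix in the matcher.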

Extending Built-in Rulesets

Clawdstrike resolves HushSpec extends references against its built-in rulesets:

```yaml
hushspec: "0.1.0"
name: "production"
extends: "strict"

rules:
  egress:
    allow:
      - "api.openai.com"
    default: "block"
```

Available built-in rulesets: permissive, default, strict, ai-agent, cicd, remote-desktop, panic.

Compliance Library

The library/ directory contains pre-built compliance policy templates for regulated industries. These extend the built-in rulesets with industry-specific requirements:

| Industry | Template | Framework |
|---|---|---|
| Healthcare | library/healthcare/hipaa-base.yaml | HIPAA |
| Finance | library/finance/soc2-base.yaml | SOC 2 |
| Finance | library/finance/pci-dss.yaml | PCI-DSS |
| Government | library/government/fedramp-base.yaml | FedRAMP |
| Education | library/education/ferpa-student.yaml | FERPA |
| DevOps | library/devops/cicd-hardened.yaml | Hardened CI/CD |
| General | library/general/recommended.yaml | Best practices |
| General | library/general/air-gapped.yaml | Air-gapped environments |

Use a compliance template by extending it:

```yaml
hushspec: "0.1.0"
name: "hospital-ai-assistant"
extends: "library/healthcare/hipaa-base.yaml"

rules:
  egress:
    allow:
      - "api.openai.com"
      - "ehr.internal.hospital.org"
    default: "block"
```