
Add fleet-watcher: runtime prompt-injection + wallet-hijack preflight #388

Open · fleet-watcher wants to merge 6 commits into BankrBot:main from fleet-watcher:add-fleet-watcher-skill


Conversation


@fleet-watcher fleet-watcher commented May 21, 2026

What

Adds fleet-watcher, a runtime preflight skill that inspects every proposed Bankr wallet action (transfer / approve / swap / withdraw) before it reaches api.bankr.bot. Complements the existing aeon-skill-security-scan (static scan of installed skills) by catching threats that only appear at execution time — when a clean skill obeys an injection that came from an untrusted source.

Why

Static scanning cannot catch the clean-skill + tainted-source chain: tweet/RSS/DM contains an instruction → trusted skill obeys it → wallet drains. fleet-watcher closes that gap by running every wallet action through a pattern bank that includes Bankr-specific guards built directly from Bankr's public security docs (fake domains, control-bypass language, pause-then-drain, bk_ leakage in untrusted content).

What it blocks (see SKILL.md for the full table)

  • Override-prior prompt injection (including unicode-escape / NFKC obfuscation)
  • Fake Bankr domains: bankrbot.io, bankr-claim.xyz, bankr.bot.fun, bankr-airdrop*, claimbankr*
  • Unlimited token approvals (amount near uint256.max, or prompt containing "unlimited allowance")
  • Pause-then-drain ("unpause and immediately transfer …")
  • Control bypass ("disable the daily usd limit", "remove the recipient allowlist")
  • Leaked bk_ keys inside fetched content
  • Intent mismatch: visible prompt says "check balance" but proposed action is transfer
  • Drainer-blocklist destinations

Every BLOCK comes with a remediation line that follows Bankr's own incident-response order: Pause → Revoke → Rotate → Audit → Unpause.

Integration surfaces

  1. @fleet/bankr-guard npm package: wrapBankrFetch(fetch) drop-in, fail-closed by default. Two-line agent change.
  2. Public HTTP endpoint: POST https://fleet-watcher.replit.app/api/bankr-guard/inspect, no API key, 60 req/min/IP.

Both surfaces are MIT licensed. Source: https://github.com/fleet-watcher/fleet-watcher

Security properties

  • Read-only. fleet-watcher never sees the bk_ key — only the proposed action and prompt context.
  • Matched substrings are stored in operator-visible evidence but never echoed in the reason field (no payload reflection / secret leak-back).
  • Idempotency cache keys are bound to a SHA-256 of the full payload, so a clean preflight cannot be replayed to authorize a different action with the same clientOpId.
  • Inputs are NFKC-normalized and basic JSON/unicode escapes are unfolded before pattern matching (defeats \u0069gnore style evasion).

Testing

Reproducible attack/clean fixtures and a regression harness ship with the upstream repo. Six representative scenarios (clean baseline, prompt injection, unicode evasion, nested-JSON evasion, cache-poisoning, secret-leakage in attack payload) all pass.

Recommended pairing

  • aeon-skill-security-scan — catches the malicious skill before install
  • fleet-watcher — catches the malicious action even when every installed skill is clean

Happy to iterate on naming, scope, or pattern coverage based on Bankr team feedback.
