feat: implement eBPF heuristics engine for Linux

- Add heuristic maps (heu_configs, heu_state, heu_binary_to_slots, etc.) to bpf_hooks.c
- Implement execve argv matching + sliding window for rate-based heuristics
- Add unlinkat, fchmodat, symlinkat tracepoints; fork bomb heuristic (HEU-SYS-001)
- Add _apply_heuristics() in monitor.py with HEURISTIC_DEFINITIONS for 35 rules
- Extend event_t with heu_slot; handle heuristic_alert/heuristic_block (action 4/5)
- Comment out 15 deferred heuristics (path-based openat, write, connect, complex)
- Add docs/ebpf_heuristics_implementation_plan.md

Made-with: Cursor

Author: leos565

builder/compiler.py

@@ -49,6 +49,7 @@ def compile_linux_policy(rules: dict[str, Any]) -> dict[str, Any]:
         "blocked_paths": dict(rules.get("blocked_paths", {}).get("linux", {})),
         "deny_rules": {},
         "rule_metadata": dict(rules.get("rule_metadata", {})),
+        "heuristics": dict(rules.get("heuristics", {})),
     }
 
     for rule_id, rule in rules.get("custom_deny_rules", {}).get("linux", {}).items():
@@ -78,6 +79,7 @@ def compile_universal_policy(rules: dict[str, Any]) -> dict[str, Any]:
             "macos": dict(rules.get("custom_deny_rules", {}).get("macos", {})),
         },
         "rule_metadata": dict(rules.get("rule_metadata", {})),
+        "heuristics": dict(rules.get("heuristics", {})),
     }
     return policy
 

builder/master_rules.yaml

@@ -39,11 +39,15 @@ def _thrt_id(prefix: str, value: str) -> str:
 def fetch_feed(url: str = CLAWSEC_FEED_URL, timeout: int = 30) -> dict[str, Any]:
     """Download and return the ClawSec advisory feed as a dict."""
     logger.info("Fetching ClawSec feed from %s", url)
-    resp = requests.get(url, timeout=timeout)
-    resp.raise_for_status()
-    feed = resp.json()
-    logger.info("Feed fetched — %d advisories", len(feed.get("advisories", [])))
-    return feed
+    try:
+        resp = requests.get(url, timeout=timeout)
+        resp.raise_for_status()
+        feed = resp.json()
+        logger.info("Feed fetched — %d advisories", len(feed.get("advisories", [])))
+        return feed
+    except Exception as e:
+        logger.warning("Failed to fetch ClawSec feed: %s. Proceeding with local rules only.", e)
+        return {"advisories": []}
 
 
 def parse_feed(feed: dict[str, Any]) -> dict[str, Any]:
@@ -105,6 +109,7 @@ def merge(master: dict[str, Any], feed_data: dict[str, Any]) -> dict[str, Any]:
         "affected_skills": list(feed_data.get("affected_skills", [])),
         "custom_deny_rules": master.get("custom_deny_rules", {}),
         "rule_metadata": dict(master.get("rule_metadata", {})),
+        "heuristics": dict(master.get("heuristics", {})),
     }
 
     # Merge blocked_paths per OS