@agenshield/broker 0.1.0

package/index.js

@@ -0,0 +1,2636 @@
+// libs/shield-broker/src/server.ts
+import * as net from "node:net";
+import * as fs3 from "node:fs";
+import { randomUUID } from "node:crypto";
+
+// libs/shield-broker/src/handlers/http.ts
+async function handleHttpRequest(params, context, deps) {
+  const startTime = Date.now();
+  try {
+    const {
+      url,
+      method = "GET",
+      headers = {},
+      body,
+      timeout = 3e4,
+      followRedirects = true
+    } = params;
+    if (!url) {
+      return {
+        success: false,
+        error: { code: 1003, message: "URL is required" }
+      };
+    }
+    let parsedUrl;
+    try {
+      parsedUrl = new URL(url);
+    } catch {
+      return {
+        success: false,
+        error: { code: 1003, message: "Invalid URL" }
+      };
+    }
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(url, {
+        method,
+        headers,
+        body: body ? String(body) : void 0,
+        signal: controller.signal,
+        redirect: followRedirects ? "follow" : "manual"
+      });
+      clearTimeout(timeoutId);
+      const responseHeaders = {};
+      response.headers.forEach((value, key) => {
+        responseHeaders[key] = value;
+      });
+      const responseBody = await response.text();
+      return {
+        success: true,
+        data: {
+          status: response.status,
+          statusText: response.statusText,
+          headers: responseHeaders,
+          body: responseBody
+        },
+        audit: {
+          duration: Date.now() - startTime,
+          bytesTransferred: responseBody.length
+        }
+      };
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error.name === "AbortError") {
+        return {
+          success: false,
+          error: { code: 1004, message: "Request timeout" }
+        };
+      }
+      return {
+        success: false,
+        error: { code: 1004, message: `Network error: ${error.message}` }
+      };
+    }
+  } catch (error) {
+    return {
+      success: false,
+      error: { code: 1004, message: `Handler error: ${error.message}` }
+    };
+  }
+}
+
+// libs/shield-broker/src/handlers/file.ts
+import * as fs from "node:fs/promises";
+import * as path from "node:path";
+async function handleFileRead(params, context, deps) {
+  const startTime = Date.now();
+  try {
+    const { path: filePath, encoding = "utf-8" } = params;
+    if (!filePath) {
+      return {
+        success: false,
+        error: { code: 1003, message: "Path is required" }
+      };
+    }
+    const absolutePath = path.resolve(filePath);
+    try {
+      await fs.access(absolutePath, fs.constants.R_OK);
+    } catch {
+      return {
+        success: false,
+        error: { code: 1005, message: `File not found or not readable: ${absolutePath}` }
+      };
+    }
+    const stats = await fs.stat(absolutePath);
+    if (!stats.isFile()) {
+      return {
+        success: false,
+        error: { code: 1005, message: "Path is not a file" }
+      };
+    }
+    const content = await fs.readFile(absolutePath, { encoding });
+    return {
+      success: true,
+      data: {
+        content,
+        size: stats.size,
+        mtime: stats.mtime.toISOString()
+      },
+      audit: {
+        duration: Date.now() - startTime,
+        bytesTransferred: stats.size
+      }
+    };
+  } catch (error) {
+    return {
+      success: false,
+      error: { code: 1005, message: `File read error: ${error.message}` }
+    };
+  }
+}
+async function handleFileWrite(params, context, deps) {
+  const startTime = Date.now();
+  try {
+    const {
+      path: filePath,
+      content,
+      encoding = "utf-8",
+      mode
+    } = params;
+    if (!filePath) {
+      return {
+        success: false,
+        error: { code: 1003, message: "Path is required" }
+      };
+    }
+    if (content === void 0) {
+      return {
+        success: false,
+        error: { code: 1003, message: "Content is required" }
+      };
+    }
+    const absolutePath = path.resolve(filePath);
+    const parentDir = path.dirname(absolutePath);
+    await fs.mkdir(parentDir, { recursive: true });
+    const buffer = Buffer.from(content, encoding);
+    await fs.writeFile(absolutePath, buffer, { mode });
+    return {
+      success: true,
+      data: {
+        bytesWritten: buffer.length,
+        path: absolutePath
+      },
+      audit: {
+        duration: Date.now() - startTime,
+        bytesTransferred: buffer.length
+      }
+    };
+  } catch (error) {
+    return {
+      success: false,
+      error: { code: 1005, message: `File write error: ${error.message}` }
+    };
+  }
+}
+async function handleFileList(params, context, deps) {
+  const startTime = Date.now();
+  try {
+    const { path: dirPath, recursive = false, pattern } = params;
+    if (!dirPath) {
+      return {
+        success: false,
+        error: { code: 1003, message: "Path is required" }
+      };
+    }
+    const absolutePath = path.resolve(dirPath);
+    try {
+      await fs.access(absolutePath, fs.constants.R_OK);
+    } catch {
+      return {
+        success: false,
+        error: { code: 1005, message: `Directory not found or not readable: ${absolutePath}` }
+      };
+    }
+    const stats = await fs.stat(absolutePath);
+    if (!stats.isDirectory()) {
+      return {
+        success: false,
+        error: { code: 1005, message: "Path is not a directory" }
+      };
+    }
+    const entries = await listDirectory(absolutePath, recursive, pattern);
+    return {
+      success: true,
+      data: { entries },
+      audit: {
+        duration: Date.now() - startTime
+      }
+    };
+  } catch (error) {
+    return {
+      success: false,
+      error: { code: 1005, message: `File list error: ${error.message}` }
+    };
+  }
+}
+async function listDirectory(dirPath, recursive, pattern) {
+  const entries = [];
+  const items = await fs.readdir(dirPath, { withFileTypes: true });
+  for (const item of items) {
+    const itemPath = path.join(dirPath, item.name);
+    if (pattern && !matchPattern(item.name, pattern)) {
+      continue;
+    }
+    try {
+      const stats = await fs.stat(itemPath);
+      entries.push({
+        name: item.name,
+        path: itemPath,
+        type: item.isDirectory() ? "directory" : item.isSymbolicLink() ? "symlink" : "file",
+        size: stats.size,
+        mtime: stats.mtime.toISOString()
+      });
+      if (recursive && item.isDirectory()) {
+        const subEntries = await listDirectory(itemPath, recursive, pattern);
+        entries.push(...subEntries);
+      }
+    } catch {
+    }
+  }
+  return entries;
+}
+function matchPattern(name, pattern) {
+  const regexPattern = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
+  const regex = new RegExp(`^${regexPattern}$`, "i");
+  return regex.test(name);
+}
+
+// libs/shield-broker/src/handlers/exec.ts
+import * as path2 from "node:path";
+import { spawn } from "node:child_process";
+var MAX_OUTPUT_SIZE = 10 * 1024 * 1024;
+var DEFAULT_WORKSPACE = "/Users/clawagent/workspace";
+var FS_COMMANDS = /* @__PURE__ */ new Set([
+  "rm",
+  "cp",
+  "mv",
+  "mkdir",
+  "touch",
+  "chmod",
+  "cat",
+  "ls",
+  "find",
+  "head",
+  "tail",
+  "tar",
+  "sed",
+  "awk",
+  "sort",
+  "uniq",
+  "wc",
+  "grep"
+]);
+var HTTP_EXEC_COMMANDS = /* @__PURE__ */ new Set(["curl", "wget"]);
+var HTTP_FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
+  "-X",
+  "--request",
+  "-H",
+  "--header",
+  "-d",
+  "--data",
+  "--data-raw",
+  "--data-binary",
+  "--data-urlencode",
+  "-o",
+  "--output",
+  "-u",
+  "--user",
+  "-A",
+  "--user-agent",
+  "-e",
+  "--referer",
+  "-b",
+  "--cookie",
+  "-c",
+  "--cookie-jar",
+  "--connect-timeout",
+  "--max-time",
+  "-w",
+  "--write-out",
+  "-T",
+  "--upload-file",
+  "--resolve",
+  "--cacert",
+  "--cert",
+  "--key"
+]);
+function validateFsPaths(args, cwd, allowedPaths) {
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg.startsWith("-")) {
+      continue;
+    }
+    const resolved = path2.isAbsolute(arg) ? path2.resolve(arg) : path2.resolve(cwd, arg);
+    const isAllowed = allowedPaths.some((allowed) => resolved.startsWith(allowed));
+    if (!isAllowed) {
+      return {
+        valid: false,
+        reason: "Path not in allowed directories",
+        violatingPath: resolved
+      };
+    }
+  }
+  return { valid: true };
+}
+function extractUrlFromArgs(args) {
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg.startsWith("-")) {
+      if (HTTP_FLAGS_WITH_VALUE.has(arg)) {
+        i++;
+      }
+      continue;
+    }
+    return arg;
+  }
+  return null;
+}
+async function handleExec(params, context, deps) {
+  const startTime = Date.now();
+  try {
+    const {
+      command,
+      args = [],
+      cwd,
+      env,
+      timeout = 3e4
+    } = params;
+    if (!command) {
+      return {
+        success: false,
+        error: { code: 1003, message: "Command is required" }
+      };
+    }
+    const resolvedCommand = deps.commandAllowlist.resolve(command);
+    if (!resolvedCommand) {
+      const reason = `Command not allowed: ${command}`;
+      deps.onExecDenied?.(command, reason);
+      return {
+        success: false,
+        error: { code: 1007, message: reason }
+      };
+    }
+    const commandBasename = path2.basename(resolvedCommand);
+    const effectiveCwd = cwd || DEFAULT_WORKSPACE;
+    if (FS_COMMANDS.has(commandBasename)) {
+      const policies = deps.policyEnforcer.getPolicies();
+      const allowedPaths = policies.fsConstraints?.allowedPaths || [DEFAULT_WORKSPACE];
+      const fsResult = validateFsPaths(args, effectiveCwd, allowedPaths);
+      if (!fsResult.valid) {
+        const reason = `${fsResult.reason}: ${fsResult.violatingPath}`;
+        deps.onExecDenied?.(command, reason);
+        return {
+          success: false,
+          error: { code: 1008, message: `Path not allowed: ${fsResult.violatingPath} - ${fsResult.reason}` }
+        };
+      }
+    }
+    if (HTTP_EXEC_COMMANDS.has(commandBasename)) {
+      const url = extractUrlFromArgs(args);
+      if (url) {
+        const networkCheck = await deps.policyEnforcer.check("http_request", { url }, context);
+        if (!networkCheck.allowed) {
+          const reason = `URL not allowed: ${url} - ${networkCheck.reason}`;
+          deps.onExecDenied?.(command, reason);
+          return {
+            success: false,
+            error: { code: 1009, message: reason }
+          };
+        }
+      }
+    }
+    const effectiveTimeout = HTTP_EXEC_COMMANDS.has(commandBasename) ? Math.max(timeout, 3e5) : timeout;
+    const result = await executeCommand({
+      command: resolvedCommand,
+      args,
+      cwd: effectiveCwd,
+      env,
+      timeout: effectiveTimeout,
+      shell: false
+      // Always force shell: false to prevent injection
+    });
+    const duration = Date.now() - startTime;
+    deps.onExecMonitor?.({
+      command: commandBasename,
+      args,
+      cwd: effectiveCwd,
+      exitCode: result.exitCode,
+      allowed: true,
+      duration,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    return {
+      success: true,
+      data: result,
+      audit: {
+        duration
+      }
+    };
+  } catch (error) {
+    return {
+      success: false,
+      error: { code: 1006, message: `Exec error: ${error.message}` }
+    };
+  }
+}
+async function executeCommand(options) {
+  return new Promise((resolve3, reject) => {
+    const { command, args = [], cwd, env, timeout = 3e4 } = options;
+    const shell = false;
+    let stdout = "";
+    let stderr = "";
+    let stdoutSize = 0;
+    let stderrSize = 0;
+    const proc = spawn(command, args, {
+      cwd,
+      env: env ? { ...process.env, ...env } : process.env,
+      shell,
+      timeout
+    });
+    proc.stdout?.on("data", (data) => {
+      const chunk = data.toString();
+      if (stdoutSize + chunk.length <= MAX_OUTPUT_SIZE) {
+        stdout += chunk;
+        stdoutSize += chunk.length;
+      }
+    });
+    proc.stderr?.on("data", (data) => {
+      const chunk = data.toString();
+      if (stderrSize + chunk.length <= MAX_OUTPUT_SIZE) {
+        stderr += chunk;
+        stderrSize += chunk.length;
+      }
+    });
+    proc.on("error", (error) => {
+      reject(error);
+    });
+    proc.on("close", (code, signal) => {
+      resolve3({
+        exitCode: code ?? -1,
+        stdout,
+        stderr,
+        signal: signal ?? void 0
+      });
+    });
+    const timeoutId = setTimeout(() => {
+      proc.kill("SIGTERM");
+      setTimeout(() => {
+        if (!proc.killed) {
+          proc.kill("SIGKILL");
+        }
+      }, 5e3);
+    }, timeout);
+    proc.on("exit", () => {
+      clearTimeout(timeoutId);
+    });
+  });
+}
+
+// libs/shield-broker/src/handlers/open-url.ts
+import { exec } from "node:child_process";
+import { promisify } from "node:util";
+var execAsync = promisify(exec);
+async function handleOpenUrl(params, context, deps) {
+  const startTime = Date.now();
+  try {
+    const { url, browser } = params;
+    if (!url) {
+      return {
+        success: false,
+        error: { code: 1003, message: "URL is required" }
+      };
+    }
+    try {
+      new URL(url);
+    } catch {
+      return {
+        success: false,
+        error: { code: 1003, message: "Invalid URL" }
+      };
+    }
+    const parsedUrl = new URL(url);
+    if (!["http:", "https:"].includes(parsedUrl.protocol)) {
+      return {
+        success: false,
+        error: { code: 1003, message: "Only http/https URLs are allowed" }
+      };
+    }
+    const command = browser ? `open -a "${browser}" "${url}"` : `open "${url}"`;
+    try {
+      await execAsync(command, { timeout: 1e4 });
+      return {
+        success: true,
+        data: { opened: true },
+        audit: {
+          duration: Date.now() - startTime
+        }
+      };
+    } catch (error) {
+      return {
+        success: false,
+        error: {
+          code: 1006,
+          message: `Failed to open URL: ${error.message}`
+        }
+      };
+    }
+  } catch (error) {
+    return {
+      success: false,
+      error: { code: 1006, message: `Handler error: ${error.message}` }
+    };
+  }
+}
+
+// libs/shield-broker/src/handlers/secret-inject.ts
+async function handleSecretInject(params, context, deps) {
+  const startTime = Date.now();
+  try {
+    const { name, targetEnv } = params;
+    if (!name) {
+      return {
+        success: false,
+        error: { code: 1003, message: "Secret name is required" }
+      };
+    }
+    if (context.channel !== "socket") {
+      return {
+        success: false,
+        error: { code: 1008, message: "Secret injection only allowed via Unix socket" }
+      };
+    }
+    const secret = await deps.secretVault.get(name);
+    if (!secret) {
+      return {
+        success: false,
+        error: { code: 1007, message: `Secret not found: ${name}` }
+      };
+    }
+    return {
+      success: true,
+      data: {
+        value: secret.value,
+        injected: true
+      },
+      audit: {
+        duration: Date.now() - startTime
+      }
+    };
+  } catch (error) {
+    return {
+      success: false,
+      error: { code: 1007, message: `Secret inject error: ${error.message}` }
+    };
+  }
+}
+
+// libs/shield-broker/src/handlers/ping.ts
+var VERSION = "0.1.0";
+async function handlePing(params, context, deps) {
+  const { echo } = params;
+  return {
+    success: true,
+    data: {
+      pong: true,
+      echo,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      version: VERSION
+    },
+    audit: {
+      duration: 0
+    }
+  };
+}
+
+// libs/shield-broker/src/handlers/skill-install.ts
+import * as fs2 from "node:fs/promises";
+import * as path3 from "node:path";
+import { execSync } from "node:child_process";
+function isValidSlug(slug) {
+  const validPattern = /^[a-zA-Z0-9][a-zA-Z0-9_-]*$/;
+  return validPattern.test(slug) && !slug.includes("..") && !slug.includes("/");
+}
+function createWrapperContent(slug, skillDir) {
+  return `#!/bin/bash
+# Auto-generated wrapper for skill: ${slug}
+# This script runs the skill via openclaw-pkg
+
+set -e
+
+SKILL_DIR="${skillDir}"
+
+# Check if skill directory exists
+if [ ! -d "$SKILL_DIR" ]; then
+  echo "Error: Skill directory not found: $SKILL_DIR" >&2
+  exit 1
+fi
+
+# Find and execute the main skill file
+if [ -f "$SKILL_DIR/skill.md" ]; then
+  exec openclaw-pkg run "$SKILL_DIR/skill.md" "$@"
+elif [ -f "$SKILL_DIR/index.js" ]; then
+  exec node "$SKILL_DIR/index.js" "$@"
+elif [ -f "$SKILL_DIR/main.py" ]; then
+  exec python3 "$SKILL_DIR/main.py" "$@"
+else
+  echo "Error: No entry point found in $SKILL_DIR" >&2
+  exit 1
+fi
+`;
+}
+async function handleSkillInstall(params, context, deps) {
+  const startTime = Date.now();
+  try {
+    const {
+      slug,
+      files,
+      createWrapper = true,
+      agentHome = process.env["AGENSHIELD_AGENT_HOME"] || "/Users/ash_default_agent",
+      socketGroup = process.env["AGENSHIELD_SOCKET_GROUP"] || "clawshield"
+    } = params;
+    if (!slug || !isValidSlug(slug)) {
+      return {
+        success: false,
+        error: { code: 1003, message: `Invalid skill slug: ${slug}. Must be alphanumeric with dashes/underscores.` }
+      };
+    }
+    if (!Array.isArray(files) || files.length === 0) {
+      return {
+        success: false,
+        error: { code: 1003, message: "Files array is required and must not be empty" }
+      };
+    }
+    for (const file of files) {
+      if (!file.name || typeof file.name !== "string") {
+        return {
+          success: false,
+          error: { code: 1003, message: "Each file must have a name" }
+        };
+      }
+      if (file.name.includes("..") || file.name.startsWith("/")) {
+        return {
+          success: false,
+          error: { code: 1003, message: `Invalid file name: ${file.name}` }
+        };
+      }
+    }
+    const skillsDir = path3.join(agentHome, ".openclaw", "skills");
+    const skillDir = path3.join(skillsDir, slug);
+    const binDir = path3.join(agentHome, "bin");
+    await fs2.mkdir(skillDir, { recursive: true });
+    let filesWritten = 0;
+    for (const file of files) {
+      const filePath = path3.join(skillDir, file.name);
+      const fileDir = path3.dirname(filePath);
+      await fs2.mkdir(fileDir, { recursive: true });
+      const content = file.base64 ? Buffer.from(file.content, "base64") : file.content;
+      await fs2.writeFile(filePath, content, { mode: file.mode });
+      filesWritten++;
+    }
+    try {
+      execSync(`chown -R root:${socketGroup} "${skillDir}"`, { stdio: "pipe" });
+      execSync(`chmod -R a+rX,go-w "${skillDir}"`, { stdio: "pipe" });
+    } catch (err) {
+      console.warn(`[SkillInstall] chown failed (may be expected in dev): ${err.message}`);
+    }
+    let wrapperPath;
+    if (createWrapper) {
+      wrapperPath = path3.join(binDir, slug);
+      await fs2.mkdir(binDir, { recursive: true });
+      const wrapperContent = createWrapperContent(slug, skillDir);
+      await fs2.writeFile(wrapperPath, wrapperContent, { mode: 493 });
+      try {
+        execSync(`chown root:${socketGroup} "${wrapperPath}"`, { stdio: "pipe" });
+        execSync(`chmod 755 "${wrapperPath}"`, { stdio: "pipe" });
+      } catch (err) {
+        console.warn(`[SkillInstall] wrapper chown failed: ${err.message}`);
+      }
+    }
+    return {
+      success: true,
+      data: {
+        installed: true,
+        skillDir,
+        wrapperPath,
+        filesWritten
+      },
+      audit: {
+        duration: Date.now() - startTime,
+        bytesTransferred: files.reduce((sum, f) => sum + (f.content?.length || 0), 0)
+      }
+    };
+  } catch (error) {
+    return {
+      success: false,
+      error: { code: 1005, message: `Skill installation failed: ${error.message}` }
+    };
+  }
+}
+async function handleSkillUninstall(params, context, deps) {
+  const startTime = Date.now();
+  try {
+    const {
+      slug,
+      agentHome = process.env["AGENSHIELD_AGENT_HOME"] || "/Users/ash_default_agent",
+      removeWrapper = true
+    } = params;
+    if (!slug || !isValidSlug(slug)) {
+      return {
+        success: false,
+        error: { code: 1003, message: `Invalid skill slug: ${slug}` }
+      };
+    }
+    const skillsDir = path3.join(agentHome, ".openclaw", "skills");
+    const skillDir = path3.join(skillsDir, slug);
+    const binDir = path3.join(agentHome, "bin");
+    const wrapperPath = path3.join(binDir, slug);
+    let skillExists = false;
+    try {
+      await fs2.access(skillDir);
+      skillExists = true;
+    } catch {
+    }
+    if (skillExists) {
+      await fs2.rm(skillDir, { recursive: true, force: true });
+    }
+    let wrapperRemoved = false;
+    if (removeWrapper) {
+      try {
+        await fs2.access(wrapperPath);
+        await fs2.unlink(wrapperPath);
+        wrapperRemoved = true;
+      } catch {
+      }
+    }
+    return {
+      success: true,
+      data: {
+        uninstalled: true,
+        skillDir,
+        wrapperRemoved
+      },
+      audit: {
+        duration: Date.now() - startTime
+      }
+    };
+  } catch (error) {
+    return {
+      success: false,
+      error: { code: 1005, message: `Skill uninstallation failed: ${error.message}` }
+    };
+  }
+}
+
+// libs/shield-broker/src/server.ts
+var UnixSocketServer = class {
+  server = null;
+  config;
+  policyEnforcer;
+  auditLogger;
+  secretVault;
+  connections = /* @__PURE__ */ new Set();
+  constructor(options) {
+    this.config = options.config;
+    this.policyEnforcer = options.policyEnforcer;
+    this.auditLogger = options.auditLogger;
+    this.secretVault = options.secretVault;
+  }
+  /**
+   * Start the Unix socket server
+   */
+  async start() {
+    if (fs3.existsSync(this.config.socketPath)) {
+      fs3.unlinkSync(this.config.socketPath);
+    }
+    return new Promise((resolve3, reject) => {
+      this.server = net.createServer((socket) => {
+        this.handleConnection(socket);
+      });
+      this.server.on("error", (error) => {
+        reject(error);
+      });
+      this.server.listen(this.config.socketPath, () => {
+        try {
+          fs3.chmodSync(this.config.socketPath, this.config.socketMode);
+        } catch (error) {
+          console.warn("Warning: Could not set socket permissions:", error);
+        }
+        resolve3();
+      });
+    });
+  }
+  /**
+   * Stop the Unix socket server
+   */
+  async stop() {
+    for (const socket of this.connections) {
+      socket.destroy();
+    }
+    this.connections.clear();
+    return new Promise((resolve3) => {
+      if (this.server) {
+        this.server.close(() => {
+          if (fs3.existsSync(this.config.socketPath)) {
+            try {
+              fs3.unlinkSync(this.config.socketPath);
+            } catch {
+            }
+          }
+          resolve3();
+        });
+      } else {
+        resolve3();
+      }
+    });
+  }
+  /**
+   * Handle a new client connection
+   */
+  handleConnection(socket) {
+    this.connections.add(socket);
+    let buffer = "";
+    socket.on("data", async (data) => {
+      buffer += data.toString();
+      let newlineIndex;
+      while ((newlineIndex = buffer.indexOf("\n")) !== -1) {
+        const line = buffer.slice(0, newlineIndex);
+        buffer = buffer.slice(newlineIndex + 1);
+        if (line.trim()) {
+          const response = await this.processRequest(line, socket);
+          socket.write(JSON.stringify(response) + "\n");
+        }
+      }
+    });
+    socket.on("close", () => {
+      this.connections.delete(socket);
+    });
+    socket.on("error", (error) => {
+      console.error("Socket error:", error);
+      this.connections.delete(socket);
+    });
+  }
+  /**
+   * Process a JSON-RPC request
+   */
+  async processRequest(line, socket) {
+    const requestId = randomUUID();
+    const startTime = Date.now();
+    try {
+      let request;
+      try {
+        request = JSON.parse(line);
+      } catch {
+        return this.errorResponse(null, -32700, "Parse error");
+      }
+      if (request.jsonrpc !== "2.0" || !request.method || request.id === void 0) {
+        return this.errorResponse(request.id, -32600, "Invalid Request");
+      }
+      const context = {
+        requestId,
+        channel: "socket",
+        timestamp: /* @__PURE__ */ new Date(),
+        config: this.config
+        // Socket credentials would be extracted here on supported platforms
+      };
+      const policyResult = await this.policyEnforcer.check(
+        request.method,
+        request.params,
+        context
+      );
+      if (!policyResult.allowed) {
+        await this.auditLogger.log({
+          id: requestId,
+          timestamp: /* @__PURE__ */ new Date(),
+          operation: request.method,
+          channel: "socket",
+          allowed: false,
+          policyId: policyResult.policyId,
+          target: this.extractTarget(request),
+          result: "denied",
+          errorMessage: policyResult.reason,
+          durationMs: Date.now() - startTime
+        });
+        return this.errorResponse(request.id, 1001, policyResult.reason || "Policy denied");
+      }
+      const handler = this.getHandler(request.method);
+      if (!handler) {
+        return this.errorResponse(request.id, -32601, "Method not found");
+      }
+      const result = await handler(request.params, context, {
+        policyEnforcer: this.policyEnforcer,
+        auditLogger: this.auditLogger,
+        secretVault: this.secretVault
+      });
+      await this.auditLogger.log({
+        id: requestId,
+        timestamp: /* @__PURE__ */ new Date(),
+        operation: request.method,
+        channel: "socket",
+        allowed: true,
+        policyId: policyResult.policyId,
+        target: this.extractTarget(request),
+        result: result.success ? "success" : "error",
+        errorMessage: result.error?.message,
+        durationMs: Date.now() - startTime,
+        metadata: result.audit
+      });
+      if (result.success) {
+        return {
+          jsonrpc: "2.0",
+          id: request.id,
+          result: result.data
+        };
+      } else {
+        return this.errorResponse(
+          request.id,
+          result.error?.code || -32e3,
+          result.error?.message || "Unknown error"
+        );
+      }
+    } catch (error) {
+      console.error("Request processing error:", error);
+      return this.errorResponse(null, -32603, "Internal error");
+    }
+  }
+  /**
+   * Get the handler for an operation type
+   */
+  getHandler(method) {
+    const handlerMap = {
+      http_request: handleHttpRequest,
+      file_read: handleFileRead,
+      file_write: handleFileWrite,
+      file_list: handleFileList,
+      exec: handleExec,
+      open_url: handleOpenUrl,
+      secret_inject: handleSecretInject,
+      ping: handlePing,
+      skill_install: handleSkillInstall,
+      skill_uninstall: handleSkillUninstall
+    };
+    return handlerMap[method];
+  }
+  /**
+   * Extract target from request for audit logging
+   */
+  extractTarget(request) {
+    const params = request.params || {};
+    return params["url"] || params["path"] || params["command"] || params["name"] || request.method;
+  }
+  /**
+   * Create an error response
+   */
+  errorResponse(id, code, message) {
+    return {
+      jsonrpc: "2.0",
+      id: id ?? 0,
+      error: { code, message }
+    };
+  }
+};
+
+// libs/shield-broker/src/http-fallback.ts
+import * as http from "node:http";
+import { randomUUID as randomUUID2 } from "node:crypto";
+var HTTP_ALLOWED_OPERATIONS = /* @__PURE__ */ new Set([
+  "http_request",
+  "file_read",
+  "file_list",
+  "open_url",
+  "ping"
+]);
+var HTTP_DENIED_OPERATIONS = /* @__PURE__ */ new Set([
+  "exec",
+  "file_write",
+  "secret_inject"
+]);
+var HttpFallbackServer = class {
+  server = null;
+  config;
+  policyEnforcer;
+  auditLogger;
+  constructor(options) {
+    this.config = options.config;
+    this.policyEnforcer = options.policyEnforcer;
+    this.auditLogger = options.auditLogger;
+  }
+  /**
+   * Start the HTTP fallback server
+   */
+  async start() {
+    return new Promise((resolve3, reject) => {
+      this.server = http.createServer((req, res) => {
+        this.handleRequest(req, res);
+      });
+      this.server.on("error", (error) => {
+        reject(error);
+      });
+      const listenHost = this.config.httpHost === "localhost" ? "127.0.0.1" : this.config.httpHost;
+      this.server.listen(this.config.httpPort, listenHost, () => {
+        resolve3();
+      });
+    });
+  }
+  /**
+   * Stop the HTTP fallback server
+   */
+  async stop() {
+    return new Promise((resolve3) => {
+      if (this.server) {
+        this.server.close(() => {
+          resolve3();
+        });
+      } else {
+        resolve3();
+      }
+    });
+  }
+  /**
+   * Handle an HTTP request
+   */
+  async handleRequest(req, res) {
+    if (req.method !== "POST" || req.url !== "/rpc") {
+      if (req.method === "GET" && req.url === "/health") {
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ status: "ok", version: "0.1.0" }));
+        return;
+      }
+      res.writeHead(404, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Not found" }));
+      return;
+    }
+    const remoteAddr = req.socket.remoteAddress;
+    if (!this.isLocalhost(remoteAddr)) {
+      res.writeHead(403, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Access denied: localhost only" }));
+      return;
+    }
+    let body = "";
+    for await (const chunk of req) {
+      body += chunk;
+      if (body.length > 10 * 1024 * 1024) {
+        res.writeHead(413, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: "Request too large" }));
+        return;
+      }
+    }
+    const response = await this.processRequest(body);
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify(response));
+  }
+  /**
+   * Check if address is localhost
+   */
+  isLocalhost(address) {
+    if (!address) return false;
+    return address === "127.0.0.1" || address === "::1" || address === "::ffff:127.0.0.1" || address === "localhost";
+  }
+  /**
+   * Process a JSON-RPC request
+   */
+  async processRequest(body) {
+    const requestId = randomUUID2();
+    const startTime = Date.now();
+    try {
+      let request;
+      try {
+        request = JSON.parse(body);
+      } catch {
+        return this.errorResponse(null, -32700, "Parse error");
+      }
+      if (request.jsonrpc !== "2.0" || !request.method || request.id === void 0) {
+        return this.errorResponse(request.id, -32600, "Invalid Request");
+      }
+      if (HTTP_DENIED_OPERATIONS.has(request.method)) {
+        await this.auditLogger.log({
+          id: requestId,
+          timestamp: /* @__PURE__ */ new Date(),
+          operation: request.method,
+          channel: "http",
+          allowed: false,
+          target: this.extractTarget(request),
+          result: "denied",
+          errorMessage: "Operation not allowed over HTTP fallback",
+          durationMs: Date.now() - startTime
+        });
+        return this.errorResponse(
+          request.id,
+          1008,
+          `Operation '${request.method}' not allowed over HTTP. Use Unix socket.`
+        );
+      }
+      if (!HTTP_ALLOWED_OPERATIONS.has(request.method)) {
+        return this.errorResponse(request.id, -32601, "Method not found");
+      }
+      const context = {
+        requestId,
+        channel: "http",
+        timestamp: /* @__PURE__ */ new Date(),
+        config: this.config
+      };
+      const policyResult = await this.policyEnforcer.check(
+        request.method,
+        request.params,
+        context
+      );
+      if (!policyResult.allowed) {
+        await this.auditLogger.log({
+          id: requestId,
+          timestamp: /* @__PURE__ */ new Date(),
+          operation: request.method,
+          channel: "http",
+          allowed: false,
+          policyId: policyResult.policyId,
+          target: this.extractTarget(request),
+          result: "denied",
+          errorMessage: policyResult.reason,
+          durationMs: Date.now() - startTime
+        });
+        return this.errorResponse(request.id, 1001, policyResult.reason || "Policy denied");
+      }
+      const handler = this.getHandler(request.method);
+      if (!handler) {
+        return this.errorResponse(request.id, -32601, "Method not found");
+      }
+      const result = await handler(request.params, context, {
+        policyEnforcer: this.policyEnforcer,
+        auditLogger: this.auditLogger,
+        secretVault: null
+        // Not available over HTTP
+      });
+      await this.auditLogger.log({
+        id: requestId,
+        timestamp: /* @__PURE__ */ new Date(),
+        operation: request.method,
+        channel: "http",
+        allowed: true,
+        policyId: policyResult.policyId,
+        target: this.extractTarget(request),
+        result: result.success ? "success" : "error",
+        errorMessage: result.error?.message,
+        durationMs: Date.now() - startTime,
+        metadata: result.audit
+      });
+      if (result.success) {
+        return {
+          jsonrpc: "2.0",
+          id: request.id,
+          result: result.data
+        };
+      } else {
+        return this.errorResponse(
+          request.id,
+          result.error?.code || -32e3,
+          result.error?.message || "Unknown error"
+        );
+      }
+    } catch (error) {
+      console.error("Request processing error:", error);
+      return this.errorResponse(null, -32603, "Internal error");
+    }
+  }
+  /**
+   * Get the handler for an operation type
+   */
+  getHandler(method) {
+    const handlerMap = {
+      http_request: handleHttpRequest,
+      file_read: handleFileRead,
+      file_list: handleFileList,
+      open_url: handleOpenUrl,
+      ping: handlePing
+    };
+    return handlerMap[method];
+  }
+  /**
+   * Extract target from request for audit logging
+   */
+  extractTarget(request) {
+    const params = request.params || {};
+    return params["url"] || params["path"] || params["command"] || params["name"] || request.method;
+  }
+  /**
+   * Create an error response
+   */
+  errorResponse(id, code, message) {
+    return {
+      jsonrpc: "2.0",
+      id: id ?? 0,
+      error: { code, message }
+    };
+  }
+};
+
+// libs/shield-broker/src/policies/enforcer.ts
+import * as fs4 from "node:fs";
+import * as path4 from "node:path";
+var PolicyEnforcer = class {
+  policies;
+  policiesPath;
+  failOpen;
+  lastLoad = 0;
+  reloadInterval = 6e4;
+  // 1 minute
+  constructor(options) {
+    this.policiesPath = options.policiesPath;
+    this.failOpen = options.failOpen;
+    this.policies = options.defaultPolicies;
+    this.loadPolicies();
+  }
+  /**
+   * Load policies from disk
+   */
+  loadPolicies() {
+    const configFile = path4.join(this.policiesPath, "default.json");
+    if (fs4.existsSync(configFile)) {
+      try {
+        const content = fs4.readFileSync(configFile, "utf-8");
+        const loaded = JSON.parse(content);
+        this.policies = {
+          ...this.policies,
+          ...loaded,
+          rules: [...this.policies.rules, ...loaded.rules || []]
+        };
+        this.lastLoad = Date.now();
+      } catch (error) {
+        console.warn("Warning: Failed to load policies:", error);
+      }
+    }
+    const customDir = path4.join(this.policiesPath, "custom");
+    if (fs4.existsSync(customDir)) {
+      try {
+        const files = fs4.readdirSync(customDir);
+        for (const file of files) {
+          if (file.endsWith(".json")) {
+            const content = fs4.readFileSync(path4.join(customDir, file), "utf-8");
+            const custom = JSON.parse(content);
+            if (custom.rules) {
+              this.policies.rules.push(...custom.rules);
+            }
+          }
+        }
+      } catch (error) {
+        console.warn("Warning: Failed to load custom policies:", error);
+      }
+    }
+    this.policies.rules.sort((a, b) => (b.priority || 0) - (a.priority || 0));
+  }
+  /**
+   * Maybe reload policies if stale
+   */
+  maybeReload() {
+    if (Date.now() - this.lastLoad > this.reloadInterval) {
+      this.loadPolicies();
+    }
+  }
+  /**
+   * Check if an operation is allowed
+   */
+  async check(operation, params, context) {
+    this.maybeReload();
+    try {
+      const target = this.extractTarget(operation, params);
+      for (const rule of this.policies.rules) {
+        if (!rule.enabled) continue;
+        if (!rule.operations.includes(operation) && !rule.operations.includes("*")) {
+          continue;
+        }
+        const matches = this.matchesPatterns(target, rule.patterns);
+        if (matches) {
+          if (rule.action === "deny" || rule.action === "approval") {
+            return {
+              allowed: false,
+              policyId: rule.id,
+              reason: `Denied by policy: ${rule.name}`
+            };
+          } else if (rule.action === "allow") {
+            return {
+              allowed: true,
+              policyId: rule.id
+            };
+          }
+        }
+      }
+      const constraintResult = this.checkConstraints(operation, params);
+      if (!constraintResult.allowed) {
+        return constraintResult;
+      }
+      return {
+        allowed: this.policies.defaultAction === "allow",
+        reason: this.policies.defaultAction === "deny" ? "No matching allow policy" : void 0
+      };
+    } catch (error) {
+      console.error("Policy check error:", error);
+      return {
+        allowed: this.failOpen,
+        reason: this.failOpen ? "Policy check failed, failing open" : "Policy check failed"
+      };
+    }
+  }
+  /**
+   * Extract target from operation params
+   */
+  extractTarget(operation, params) {
+    switch (operation) {
+      case "http_request":
+        return params["url"] || "";
+      case "file_read":
+      case "file_write":
+      case "file_list":
+        return params["path"] || "";
+      case "exec":
+        return `${params["command"] || ""} ${(params["args"] || []).join(" ")}`;
+      case "open_url":
+        return params["url"] || "";
+      case "secret_inject":
+        return params["name"] || "";
+      default:
+        return "";
+    }
+  }
+  /**
+   * Check if target matches any patterns
+   */
+  matchesPatterns(target, patterns) {
+    for (const pattern of patterns) {
+      if (this.matchPattern(target, pattern)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  /**
+   * Match a single pattern (supports glob-like matching)
+   */
+  matchPattern(target, pattern) {
+    const regexPattern = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*\*/g, "{{GLOBSTAR}}").replace(/\*/g, "[^/]*").replace(/\?/g, ".").replace(/{{GLOBSTAR}}/g, ".*");
+    const regex = new RegExp(`^${regexPattern}$`, "i");
+    return regex.test(target);
+  }
+  /**
+   * Check operation-specific constraints
+   */
+  checkConstraints(operation, params) {
+    if (["file_read", "file_write", "file_list"].includes(operation)) {
+      const filePath = params["path"];
+      if (filePath && this.policies.fsConstraints) {
+        const { allowedPaths, deniedPatterns } = this.policies.fsConstraints;
+        for (const pattern of deniedPatterns || []) {
+          if (this.matchPattern(filePath, pattern)) {
+            return {
+              allowed: false,
+              reason: `File path matches denied pattern: ${pattern}`
+            };
+          }
+        }
+        if (allowedPaths && allowedPaths.length > 0) {
+          const isAllowed = allowedPaths.some(
+            (allowed) => filePath.startsWith(allowed)
+          );
+          if (!isAllowed) {
+            return {
+              allowed: false,
+              reason: "File path not in allowed directories"
+            };
+          }
+        }
+      }
+    }
+    if (operation === "http_request") {
+      const url = params["url"];
+      if (url && this.policies.networkConstraints) {
+        try {
+          const parsedUrl = new URL(url);
+          const host = parsedUrl.hostname;
+          const port = parseInt(parsedUrl.port) || (parsedUrl.protocol === "https:" ? 443 : 80);
+          const { allowedHosts, deniedHosts, allowedPorts } = this.policies.networkConstraints;
+          for (const pattern of deniedHosts || []) {
+            if (pattern === "*" || this.matchPattern(host, pattern)) {
+              const isAllowed = (allowedHosts || []).some(
+                (allowed) => this.matchPattern(host, allowed)
+              );
+              if (!isAllowed) {
+                return {
+                  allowed: false,
+                  reason: `Host '${host}' is not allowed`
+                };
+              }
+            }
+          }
+          if (allowedPorts && allowedPorts.length > 0 && !allowedPorts.includes(port)) {
+            return {
+              allowed: false,
+              reason: `Port ${port} is not in allowed ports`
+            };
+          }
+        } catch {
+          return {
+            allowed: false,
+            reason: "Invalid URL"
+          };
+        }
+      }
+    }
+    if (operation === "exec") {
+      const command = params["command"] || "";
+      const args = params["args"] || [];
+      const shellMetachars = /[;&|`$(){}[\]<>!\\]/;
+      if (shellMetachars.test(command)) {
+        return {
+          allowed: false,
+          reason: `Shell metacharacters not allowed in command: ${command}`
+        };
+      }
+      for (const arg of args) {
+        if (typeof arg === "string" && shellMetachars.test(arg) && !arg.startsWith("-")) {
+          if (arg.includes("|") || arg.includes(";") || arg.includes("`") || arg.includes("$(")) {
+            return {
+              allowed: false,
+              reason: `Suspicious argument rejected: ${arg}`
+            };
+          }
+        }
+      }
+    }
+    return { allowed: true };
+  }
+  /**
+   * Get all configured policies
+   */
+  getPolicies() {
+    this.maybeReload();
+    return this.policies;
+  }
+  /**
+   * Add a policy rule at runtime
+   */
+  addRule(rule) {
+    this.policies.rules.push(rule);
+    this.policies.rules.sort((a, b) => (b.priority || 0) - (a.priority || 0));
+  }
+  /**
+   * Remove a policy rule
+   */
+  removeRule(id) {
+    const index = this.policies.rules.findIndex((r) => r.id === id);
+    if (index >= 0) {
+      this.policies.rules.splice(index, 1);
+      return true;
+    }
+    return false;
+  }
+};
+
+// libs/shield-broker/src/policies/builtin.ts
+var BuiltinPolicies = [
+  // Always allow ping (health check for broker availability)
+  {
+    id: "builtin-allow-ping",
+    name: "Allow ping health checks",
+    action: "allow",
+    target: "command",
+    operations: ["ping"],
+    patterns: ["*"],
+    enabled: true,
+    priority: 1e3
+  },
+  // Allow skill installation/uninstallation (daemon management operations)
+  {
+    id: "builtin-allow-skill-management",
+    name: "Allow skill management operations",
+    action: "allow",
+    target: "command",
+    operations: ["skill_install", "skill_uninstall"],
+    patterns: ["*"],
+    enabled: true,
+    priority: 1e3
+  },
+  // Allow localhost connections (for broker communication)
+  {
+    id: "builtin-allow-localhost",
+    name: "Allow localhost connections",
+    action: "allow",
+    target: "url",
+    operations: ["http_request"],
+    patterns: [
+      "http://localhost:*",
+      "http://127.0.0.1:*",
+      "https://localhost:*",
+      "https://127.0.0.1:*"
+    ],
+    enabled: true,
+    priority: 100
+  },
+  // Deny access to sensitive files
+  {
+    id: "builtin-deny-secrets",
+    name: "Deny access to secret files",
+    action: "deny",
+    target: "command",
+    operations: ["file_read", "file_write"],
+    patterns: [
+      "**/.env",
+      "**/.env.*",
+      "**/secrets.json",
+      "**/secrets.yaml",
+      "**/secrets.yml",
+      "**/*.key",
+      "**/*.pem",
+      "**/*.p12",
+      "**/id_rsa",
+      "**/id_ed25519",
+      "**/.ssh/*",
+      "**/credentials.json",
+      "**/service-account*.json"
+    ],
+    enabled: true,
+    priority: 200
+  },
+  // Deny access to system files
+  {
+    id: "builtin-deny-system",
+    name: "Deny access to system files",
+    action: "deny",
+    target: "command",
+    operations: ["file_read", "file_write"],
+    patterns: [
+      "/etc/passwd",
+      "/etc/shadow",
+      "/etc/sudoers",
+      "/etc/ssh/*",
+      "/root/**",
+      "/var/run/docker.sock"
+    ],
+    enabled: true,
+    priority: 200
+  },
+  // Deny dangerous commands
+  {
+    id: "builtin-deny-dangerous-commands",
+    name: "Deny dangerous commands",
+    action: "deny",
+    target: "command",
+    operations: ["exec"],
+    patterns: [
+      "rm -rf /*",
+      "rm -rf /",
+      "dd if=*",
+      "mkfs.*",
+      "chmod -R 777 /*",
+      "curl * | sh",
+      "curl * | bash",
+      "wget * | sh",
+      "wget * | bash",
+      "* > /dev/sda*",
+      "shutdown*",
+      "reboot*",
+      "init 0",
+      "init 6"
+    ],
+    enabled: true,
+    priority: 300
+  },
+  // Deny network tools that bypass proxy
+  {
+    id: "builtin-deny-network-bypass",
+    name: "Deny direct network tools",
+    action: "deny",
+    target: "command",
+    operations: ["exec"],
+    patterns: [
+      "nc *",
+      "netcat *",
+      "ncat *",
+      "socat *",
+      "telnet *",
+      "nmap *"
+    ],
+    enabled: true,
+    priority: 150
+  },
+  // Allow common AI API endpoints
+  {
+    id: "builtin-allow-ai-apis",
+    name: "Allow common AI API endpoints",
+    action: "allow",
+    target: "url",
+    operations: ["http_request"],
+    patterns: [
+      "https://api.anthropic.com/**",
+      "https://api.openai.com/**",
+      "https://api.cohere.ai/**",
+      "https://generativelanguage.googleapis.com/**",
+      "https://api.mistral.ai/**"
+    ],
+    enabled: true,
+    priority: 50
+  },
+  // Allow common package registries
+  {
+    id: "builtin-allow-registries",
+    name: "Allow package registries",
+    action: "allow",
+    target: "url",
+    operations: ["http_request"],
+    patterns: [
+      "https://registry.npmjs.org/**",
+      "https://pypi.org/**",
+      "https://files.pythonhosted.org/**",
+      "https://crates.io/**",
+      "https://rubygems.org/**"
+    ],
+    enabled: true,
+    priority: 50
+  },
+  // Allow GitHub
+  {
+    id: "builtin-allow-github",
+    name: "Allow GitHub",
+    action: "allow",
+    target: "url",
+    operations: ["http_request"],
+    patterns: [
+      "https://github.com/**",
+      "https://api.github.com/**",
+      "https://raw.githubusercontent.com/**",
+      "https://gist.github.com/**"
+    ],
+    enabled: true,
+    priority: 50
+  }
+];
+function getDefaultPolicies() {
+  return {
+    version: "1.0.0",
+    defaultAction: "deny",
+    rules: [...BuiltinPolicies],
+    fsConstraints: {
+      allowedPaths: [
+        "/Users/clawagent/workspace",
+        "/tmp/agenshield"
+      ],
+      deniedPatterns: [
+        "**/.env*",
+        "**/secrets.*",
+        "**/*.key",
+        "**/*.pem"
+      ]
+    },
+    networkConstraints: {
+      allowedHosts: [
+        "localhost",
+        "127.0.0.1",
+        "api.anthropic.com",
+        "api.openai.com",
+        "registry.npmjs.org",
+        "pypi.org",
+        "github.com",
+        "api.github.com"
+      ],
+      deniedHosts: ["*"],
+      allowedPorts: [80, 443, 5200]
+    }
+  };
+}
+
+// libs/shield-broker/src/seatbelt/generator.ts
+import * as fs5 from "node:fs/promises";
+import * as path5 from "node:path";
+
+// libs/shield-broker/src/seatbelt/templates.ts
+var SeatbeltTemplates = class {
+  /**
+   * Base profile with minimal permissions
+   */
+  baseProfile() {
+    return `
+(version 1)
+(deny default)
+
+;; Allow reading system libraries
+(allow file-read*
+  (subpath "/System")
+  (subpath "/usr/lib")
+  (subpath "/usr/share"))
+
+;; Allow basic process operations
+(allow process-fork)
+(allow signal (target self))
+(allow sysctl-read)
+`.trim();
+  }
+  /**
+   * Profile for file read operations
+   */
+  fileReadProfile(targetPath) {
+    return `
+(version 1)
+(deny default)
+
+;; Allow reading system libraries
+(allow file-read*
+  (subpath "/System")
+  (subpath "/usr/lib")
+  (subpath "/usr/share"))
+
+;; Allow reading target path
+(allow file-read*
+  (subpath "${targetPath}"))
+
+;; Deny all network
+(deny network*)
+
+;; Allow basic process operations
+(allow process-fork)
+(allow signal (target self))
+(allow sysctl-read)
+`.trim();
+  }
+  /**
+   * Profile for file write operations
+   */
+  fileWriteProfile(targetPath) {
+    return `
+(version 1)
+(deny default)
+
+;; Allow reading system libraries
+(allow file-read*
+  (subpath "/System")
+  (subpath "/usr/lib")
+  (subpath "/usr/share"))
+
+;; Allow reading and writing target path
+(allow file-read* file-write*
+  (subpath "${targetPath}"))
+
+;; Deny all network
+(deny network*)
+
+;; Allow basic process operations
+(allow process-fork)
+(allow signal (target self))
+(allow sysctl-read)
+`.trim();
+  }
+  /**
+   * Profile for HTTP request operations
+   */
+  httpRequestProfile(host, port) {
+    const networkRule = host && port ? `(allow network-outbound (remote tcp "${host}:${port}"))` : "(deny network*)";
+    return `
+(version 1)
+(deny default)
+
+;; Allow reading system libraries
+(allow file-read*
+  (subpath "/System")
+  (subpath "/usr/lib")
+  (subpath "/usr/share")
+  (subpath "/private/var/db")
+  (subpath "/Library/Preferences"))
+
+;; Network access
+${networkRule}
+
+;; Allow DNS resolution
+(allow network-outbound
+  (remote udp "*:53")
+  (remote tcp "*:53"))
+
+;; Allow basic process operations
+(allow process-fork)
+(allow signal (target self))
+(allow sysctl-read)
+
+;; Allow mach lookups for network
+(allow mach-lookup
+  (global-name "com.apple.system.opendirectoryd.libinfo")
+  (global-name "com.apple.networkd")
+  (global-name "com.apple.nsurlsessiond"))
+`.trim();
+  }
+  /**
+   * Profile for command execution
+   */
+  execProfile(binaryPath) {
+    const execRule = binaryPath ? `(allow process-exec (literal "${binaryPath}"))` : "(deny process-exec)";
+    return `
+(version 1)
+(deny default)
+
+;; Allow reading system libraries and binaries
+(allow file-read*
+  (subpath "/System")
+  (subpath "/usr/lib")
+  (subpath "/usr/bin")
+  (subpath "/bin")
+  (subpath "/usr/share"))
+
+;; Execution permission
+${execRule}
+(allow process-exec
+  (literal "/bin/sh")
+  (literal "/bin/bash")
+  (literal "/usr/bin/env"))
+
+;; Deny all network
+(deny network*)
+
+;; Allow process operations
+(allow process-fork)
+(allow signal)
+(allow sysctl-read)
+`.trim();
+  }
+  /**
+   * Profile for broker daemon (has network)
+   */
+  brokerProfile(socketPath) {
+    return `
+(version 1)
+(deny default)
+
+;; Allow reading system libraries
+(allow file-read*
+  (subpath "/System")
+  (subpath "/usr/lib")
+  (subpath "/usr/share")
+  (subpath "/private/var/db")
+  (subpath "/Library/Preferences")
+  (subpath "/opt/agenshield"))
+
+;; Allow config and policy access
+(allow file-read* file-write*
+  (subpath "/opt/agenshield")
+  (subpath "/var/log/agenshield")
+  (subpath "/etc/agenshield"))
+
+;; Allow socket operations
+(allow file-read* file-write*
+  (literal "${socketPath}")
+  (subpath "/var/run/agenshield"))
+
+;; Allow outbound network (broker needs it)
+(allow network*)
+
+;; Allow process operations
+(allow process-fork)
+(allow process-exec)
+(allow signal)
+(allow sysctl-read)
+
+;; Allow mach lookups
+(allow mach-lookup)
+`.trim();
+  }
+  /**
+   * Deny-all profile for testing
+   */
+  denyAllProfile() {
+    return `
+(version 1)
+(deny default)
+`.trim();
+  }
+};
+
+// libs/shield-broker/src/seatbelt/generator.ts
+var SeatbeltGenerator = class {
+  templates;
+  constructor() {
+    this.templates = new SeatbeltTemplates();
+  }
+  /**
+   * Generate the main agent seatbelt profile
+   */
+  generateAgentProfile(options) {
+    const {
+      workspacePath,
+      socketPath,
+      allowedBinPaths,
+      allowedReadPaths,
+      additionalRules = []
+    } = options;
+    const profile = `
+;; AgenShield Agent Sandbox Profile
+;; Generated at: ${(/* @__PURE__ */ new Date()).toISOString()}
+(version 1)
+(deny default)
+
+;; ========================================
+;; System Libraries & Frameworks
+;; ========================================
+(allow file-read*
+  (subpath "/System")
+  (subpath "/usr/lib")
+  (subpath "/usr/share")
+  (subpath "/Library/Frameworks")
+  (subpath "/Library/Preferences")
+  (subpath "/private/var/db"))
+
+;; ========================================
+;; Node.js / Python Runtimes
+;; ========================================
+(allow file-read*
+  (subpath "/usr/local/lib/node_modules")
+  (subpath "/opt/homebrew/lib/node_modules")
+  (subpath "/usr/local/Cellar")
+  (subpath "/opt/homebrew/Cellar")
+  (subpath "/Library/Frameworks/Python.framework"))
+
+;; ========================================
+;; Workspace Access (Read/Write)
+;; ========================================
+(allow file-read* file-write*
+  (subpath "${workspacePath}"))
+
+;; ========================================
+;; Additional Read-Only Paths
+;; ========================================
+${allowedReadPaths.map((p) => `(allow file-read* (subpath "${p}"))`).join("\n")}
+
+;; ========================================
+;; Binary Execution
+;; ========================================
+(allow process-exec
+  (literal "/bin/sh")
+  (literal "/bin/bash")
+  (literal "/usr/bin/env")
+  ${allowedBinPaths.map((p) => `(subpath "${p}")`).join("\n  ")})
+
+;; ========================================
+;; Unix Socket Access (Broker)
+;; ========================================
+(allow network-outbound
+  (local unix-socket "${socketPath}"))
+
+;; ========================================
+;; Network Denial (CRITICAL)
+;; ========================================
+(deny network*)
+
+;; ========================================
+;; Process & Signal Handling
+;; ========================================
+(allow process-fork)
+(allow signal (target self))
+
+;; ========================================
+;; Mach IPC (Limited)
+;; ========================================
+(allow mach-lookup
+  (global-name "com.apple.system.opendirectoryd.libinfo")
+  (global-name "com.apple.system.notification_center")
+  (global-name "com.apple.CoreServices.coreservicesd"))
+
+;; ========================================
+;; Sysctl (Limited)
+;; ========================================
+(allow sysctl-read)
+
+;; ========================================
+;; Additional Rules
+;; ========================================
+${additionalRules.join("\n")}
+`;
+    return profile.trim();
+  }
+  /**
+   * Generate a per-operation seatbelt profile
+   */
+  generateOperationProfile(options) {
+    const { operation, targetPath, targetHost, targetPort } = options;
+    switch (operation) {
+      case "file_read":
+        return this.templates.fileReadProfile(targetPath || "/");
+      case "file_write":
+        return this.templates.fileWriteProfile(targetPath || "/");
+      case "http_request":
+        return this.templates.httpRequestProfile(targetHost, targetPort);
+      case "exec":
+        return this.templates.execProfile(targetPath);
+      default:
+        return this.templates.baseProfile();
+    }
+  }
+  /**
+   * Install seatbelt profiles to disk
+   */
+  async installProfiles(outputDir, options) {
+    await fs5.mkdir(outputDir, { recursive: true });
+    const agentProfile = this.generateAgentProfile(options);
+    await fs5.writeFile(
+      path5.join(outputDir, "agent.sb"),
+      agentProfile,
+      { mode: 420 }
+    );
+    const opsDir = path5.join(outputDir, "ops");
+    await fs5.mkdir(opsDir, { recursive: true });
+    const operations = ["file_read", "file_write", "http_request", "exec"];
+    for (const op of operations) {
+      const profile = this.generateOperationProfile({ operation: op });
+      await fs5.writeFile(
+        path5.join(opsDir, `${op}.sb`),
+        profile,
+        { mode: 420 }
+      );
+    }
+  }
+  /**
+   * Verify a seatbelt profile is valid
+   */
+  async verifyProfile(profilePath) {
+    try {
+      const content = await fs5.readFile(profilePath, "utf-8");
+      if (!content.includes("(version 1)")) {
+        return false;
+      }
+      let depth = 0;
+      for (const char of content) {
+        if (char === "(") depth++;
+        if (char === ")") depth--;
+        if (depth < 0) return false;
+      }
+      return depth === 0;
+    } catch {
+      return false;
+    }
+  }
+};
+
+// libs/shield-broker/src/secrets/vault.ts
+import * as fs6 from "node:fs/promises";
+import * as crypto from "node:crypto";
+var SecretVault = class {
+  vaultPath;
+  key = null;
+  data = null;
+  constructor(options) {
+    this.vaultPath = options.vaultPath;
+  }
+  /**
+   * Initialize the vault
+   */
+  async initialize() {
+    this.key = await this.loadOrCreateKey();
+    await this.load();
+  }
+  /**
+   * Load or create the encryption key
+   */
+  async loadOrCreateKey() {
+    const keyPath = this.vaultPath.replace(".enc", ".key");
+    try {
+      const keyData = await fs6.readFile(keyPath);
+      return keyData;
+    } catch {
+      const key = crypto.randomBytes(32);
+      await fs6.writeFile(keyPath, key, { mode: 384 });
+      return key;
+    }
+  }
+  /**
+   * Load vault data from disk
+   */
+  async load() {
+    try {
+      const content = await fs6.readFile(this.vaultPath, "utf-8");
+      this.data = JSON.parse(content);
+    } catch {
+      this.data = {
+        version: "1.0.0",
+        secrets: {}
+      };
+    }
+  }
+  /**
+   * Save vault data to disk
+   */
+  async save() {
+    if (!this.data) return;
+    await fs6.writeFile(
+      this.vaultPath,
+      JSON.stringify(this.data, null, 2),
+      { mode: 384 }
+    );
+  }
+  /**
+   * Encrypt a value
+   */
+  encrypt(value) {
+    if (!this.key) {
+      throw new Error("Vault not initialized");
+    }
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv("aes-256-gcm", this.key, iv);
+    let encrypted = cipher.update(value, "utf-8", "base64");
+    encrypted += cipher.final("base64");
+    const tag = cipher.getAuthTag();
+    return {
+      encrypted,
+      iv: iv.toString("base64"),
+      tag: tag.toString("base64")
+    };
+  }
+  /**
+   * Decrypt a value
+   */
+  decrypt(encrypted, iv, tag) {
+    if (!this.key) {
+      throw new Error("Vault not initialized");
+    }
+    const decipher = crypto.createDecipheriv(
+      "aes-256-gcm",
+      this.key,
+      Buffer.from(iv, "base64")
+    );
+    decipher.setAuthTag(Buffer.from(tag, "base64"));
+    let decrypted = decipher.update(encrypted, "base64", "utf-8");
+    decrypted += decipher.final("utf-8");
+    return decrypted;
+  }
+  /**
+   * Get a secret by name
+   */
+  async get(name) {
+    if (!this.data) {
+      await this.initialize();
+    }
+    const entry = this.data.secrets[name];
+    if (!entry) {
+      return null;
+    }
+    try {
+      const value = this.decrypt(entry.encrypted, entry.iv, entry.tag);
+      entry.accessCount++;
+      await this.save();
+      return {
+        name,
+        value,
+        createdAt: new Date(entry.createdAt),
+        lastAccessedAt: /* @__PURE__ */ new Date(),
+        accessCount: entry.accessCount
+      };
+    } catch (error) {
+      console.error(`Failed to decrypt secret ${name}:`, error);
+      return null;
+    }
+  }
+  /**
+   * Set a secret
+   */
+  async set(name, value) {
+    if (!this.data) {
+      await this.initialize();
+    }
+    const encrypted = this.encrypt(value);
+    this.data.secrets[name] = {
+      ...encrypted,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      accessCount: 0
+    };
+    await this.save();
+  }
+  /**
+   * Delete a secret
+   */
+  async delete(name) {
+    if (!this.data) {
+      await this.initialize();
+    }
+    if (this.data.secrets[name]) {
+      delete this.data.secrets[name];
+      await this.save();
+      return true;
+    }
+    return false;
+  }
+  /**
+   * List all secret names
+   */
+  async list() {
+    if (!this.data) {
+      await this.initialize();
+    }
+    return Object.keys(this.data.secrets);
+  }
+  /**
+   * Check if a secret exists
+   */
+  async has(name) {
+    if (!this.data) {
+      await this.initialize();
+    }
+    return name in this.data.secrets;
+  }
+};
+
+// libs/shield-broker/src/audit/logger.ts
+import * as fs7 from "node:fs";
+import * as path6 from "node:path";
+var AuditLogger = class {
+  logPath;
+  logLevel;
+  maxFileSize;
+  maxFiles;
+  writeStream = null;
+  currentSize = 0;
+  levelPriority = {
+    debug: 0,
+    info: 1,
+    warn: 2,
+    error: 3
+  };
+  constructor(options) {
+    this.logPath = options.logPath;
+    this.logLevel = options.logLevel;
+    this.maxFileSize = options.maxFileSize || 10 * 1024 * 1024;
+    this.maxFiles = options.maxFiles || 5;
+    this.initializeStream();
+  }
+  /**
+   * Initialize the write stream
+   */
+  initializeStream() {
+    const dir = path6.dirname(this.logPath);
+    if (!fs7.existsSync(dir)) {
+      fs7.mkdirSync(dir, { recursive: true });
+    }
+    if (fs7.existsSync(this.logPath)) {
+      const stats = fs7.statSync(this.logPath);
+      this.currentSize = stats.size;
+    }
+    this.writeStream = fs7.createWriteStream(this.logPath, {
+      flags: "a",
+      encoding: "utf-8"
+    });
+  }
+  /**
+   * Rotate log files if needed
+   */
+  async maybeRotate() {
+    if (this.currentSize < this.maxFileSize) {
+      return;
+    }
+    if (this.writeStream) {
+      this.writeStream.end();
+      this.writeStream = null;
+    }
+    for (let i = this.maxFiles - 1; i >= 1; i--) {
+      const oldPath = `${this.logPath}.${i}`;
+      const newPath = `${this.logPath}.${i + 1}`;
+      if (fs7.existsSync(oldPath)) {
+        if (i === this.maxFiles - 1) {
+          fs7.unlinkSync(oldPath);
+        } else {
+          fs7.renameSync(oldPath, newPath);
+        }
+      }
+    }
+    if (fs7.existsSync(this.logPath)) {
+      fs7.renameSync(this.logPath, `${this.logPath}.1`);
+    }
+    this.currentSize = 0;
+    this.initializeStream();
+  }
+  /**
+   * Log an audit entry
+   */
+  async log(entry) {
+    await this.maybeRotate();
+    const logLine = JSON.stringify({
+      ...entry,
+      timestamp: entry.timestamp.toISOString()
+    }) + "\n";
+    if (this.writeStream) {
+      this.writeStream.write(logLine);
+      this.currentSize += Buffer.byteLength(logLine);
+    }
+    const level = entry.allowed ? "info" : "warn";
+    if (this.shouldLog(level)) {
+      const prefix = entry.allowed ? "\u2713" : "\u2717";
+      const message = `[${entry.operation}] ${prefix} ${entry.target}`;
+      if (level === "info") {
+        console.info(message);
+      } else {
+        console.warn(message);
+      }
+    }
+  }
+  /**
+   * Check if we should log at the given level
+   */
+  shouldLog(level) {
+    return this.levelPriority[level] >= this.levelPriority[this.logLevel];
+  }
+  /**
+   * Log a debug message
+   */
+  debug(message, data) {
+    if (this.shouldLog("debug")) {
+      console.debug(`[DEBUG] ${message}`, data || "");
+    }
+  }
+  /**
+   * Log an info message
+   */
+  info(message, data) {
+    if (this.shouldLog("info")) {
+      console.info(`[INFO] ${message}`, data || "");
+    }
+  }
+  /**
+   * Log a warning message
+   */
+  warn(message, data) {
+    if (this.shouldLog("warn")) {
+      console.warn(`[WARN] ${message}`, data || "");
+    }
+  }
+  /**
+   * Log an error message
+   */
+  error(message, data) {
+    if (this.shouldLog("error")) {
+      console.error(`[ERROR] ${message}`, data || "");
+    }
+  }
+  /**
+   * Query audit logs
+   */
+  async query(options) {
+    const results = [];
+    const limit = options.limit || 1e3;
+    if (!fs7.existsSync(this.logPath)) {
+      return results;
+    }
+    const content = fs7.readFileSync(this.logPath, "utf-8");
+    const lines = content.trim().split("\n");
+    for (const line of lines.reverse()) {
+      if (results.length >= limit) break;
+      try {
+        const parsed = JSON.parse(line);
+        const entry = {
+          ...parsed,
+          timestamp: new Date(parsed.timestamp)
+        };
+        if (options.startTime && entry.timestamp < options.startTime) continue;
+        if (options.endTime && entry.timestamp > options.endTime) continue;
+        if (options.operation && entry.operation !== options.operation) continue;
+        if (options.allowed !== void 0 && entry.allowed !== options.allowed) continue;
+        results.push(entry);
+      } catch {
+      }
+    }
+    return results;
+  }
+  /**
+   * Close the logger
+   */
+  async close() {
+    return new Promise((resolve3) => {
+      if (this.writeStream) {
+        this.writeStream.end(() => {
+          this.writeStream = null;
+          resolve3();
+        });
+      } else {
+        resolve3();
+      }
+    });
+  }
+};
+
+// libs/shield-broker/src/client/broker-client.ts
+import * as net2 from "node:net";
+import { randomUUID as randomUUID3 } from "node:crypto";
+var BrokerClient = class {
+  socketPath;
+  httpHost;
+  httpPort;
+  timeout;
+  preferSocket;
+  constructor(options = {}) {
+    this.socketPath = options.socketPath || "/var/run/agenshield/agenshield.sock";
+    this.httpHost = options.httpHost || "localhost";
+    this.httpPort = options.httpPort || 5201;
+    this.timeout = options.timeout || 3e4;
+    this.preferSocket = options.preferSocket ?? true;
+  }
+  /**
+   * Make an HTTP request through the broker
+   */
+  async httpRequest(params, options) {
+    return this.request("http_request", params, options);
+  }
+  /**
+   * Read a file through the broker
+   */
+  async fileRead(params, options) {
+    return this.request("file_read", params, options);
+  }
+  /**
+   * Write a file through the broker
+   */
+  async fileWrite(params, options) {
+    return this.request("file_write", params, {
+      ...options,
+      channel: "socket"
+      // file_write only allowed via socket
+    });
+  }
+  /**
+   * List files through the broker
+   */
+  async fileList(params, options) {
+    return this.request("file_list", params, options);
+  }
+  /**
+   * Execute a command through the broker
+   */
+  async exec(params, options) {
+    return this.request("exec", params, {
+      ...options,
+      channel: "socket"
+      // exec only allowed via socket
+    });
+  }
+  /**
+   * Open a URL through the broker
+   */
+  async openUrl(params, options) {
+    return this.request("open_url", params, options);
+  }
+  /**
+   * Inject a secret through the broker
+   */
+  async secretInject(params, options) {
+    return this.request("secret_inject", params, {
+      ...options,
+      channel: "socket"
+      // secret_inject only allowed via socket
+    });
+  }
+  /**
+   * Ping the broker
+   */
+  async ping(echo, options) {
+    return this.request("ping", { echo }, options);
+  }
+  /**
+   * Install a skill through the broker
+   * Socket-only operation due to privileged file operations
+   */
+  async skillInstall(params, options) {
+    return this.request("skill_install", params, {
+      ...options,
+      channel: "socket"
+      // skill_install only allowed via socket
+    });
+  }
+  /**
+   * Uninstall a skill through the broker
+   * Socket-only operation due to privileged file operations
+   */
+  async skillUninstall(params, options) {
+    return this.request("skill_uninstall", params, {
+      ...options,
+      channel: "socket"
+      // skill_uninstall only allowed via socket
+    });
+  }
+  /**
+   * Check if the broker is available
+   */
+  async isAvailable() {
+    try {
+      await this.ping();
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Make a request to the broker
+   */
+  async request(method, params, options) {
+    const channel = options?.channel || (this.preferSocket ? "socket" : "http");
+    const timeout = options?.timeout || this.timeout;
+    if (channel === "socket") {
+      try {
+        return await this.socketRequest(method, params, timeout);
+      } catch (error) {
+        if (!options?.channel) {
+          return await this.httpRequest_internal(method, params, timeout);
+        }
+        throw error;
+      }
+    } else {
+      return await this.httpRequest_internal(method, params, timeout);
+    }
+  }
+  /**
+   * Make a request via Unix socket
+   */
+  async socketRequest(method, params, timeout) {
+    return new Promise((resolve3, reject) => {
+      const socket = net2.createConnection(this.socketPath);
+      const id = randomUUID3();
+      let responseData = "";
+      let timeoutId;
+      socket.on("connect", () => {
+        const request = {
+          jsonrpc: "2.0",
+          id,
+          method,
+          params
+        };
+        socket.write(JSON.stringify(request) + "\n");
+        timeoutId = setTimeout(() => {
+          socket.destroy();
+          reject(new Error("Request timeout"));
+        }, timeout);
+      });
+      socket.on("data", (data) => {
+        responseData += data.toString();
+        const newlineIndex = responseData.indexOf("\n");
+        if (newlineIndex !== -1) {
+          clearTimeout(timeoutId);
+          socket.end();
+          try {
+            const response = JSON.parse(
+              responseData.slice(0, newlineIndex)
+            );
+            if (response.error) {
+              const error = new Error(response.error.message);
+              error.code = response.error.code;
+              reject(error);
+            } else {
+              resolve3(response.result);
+            }
+          } catch (error) {
+            reject(new Error("Invalid response from broker"));
+          }
+        }
+      });
+      socket.on("error", (error) => {
+        clearTimeout(timeoutId);
+        reject(error);
+      });
+    });
+  }
+  /**
+   * Make a request via HTTP
+   */
+  async httpRequest_internal(method, params, timeout) {
+    const url = `http://${this.httpHost}:${this.httpPort}/rpc`;
+    const id = randomUUID3();
+    const request = {
+      jsonrpc: "2.0",
+      id,
+      method,
+      params
+    };
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(request),
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        throw new Error(`HTTP error: ${response.status}`);
+      }
+      const jsonResponse = await response.json();
+      if (jsonResponse.error) {
+        const error = new Error(jsonResponse.error.message);
+        error.code = jsonResponse.error.code;
+        throw error;
+      }
+      return jsonResponse.result;
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error.name === "AbortError") {
+        throw new Error("Request timeout");
+      }
+      throw error;
+    }
+  }
+};
+export {
+  AuditLogger,
+  BrokerClient,
+  BuiltinPolicies,
+  HttpFallbackServer,
+  PolicyEnforcer,
+  SeatbeltGenerator,
+  SeatbeltTemplates,
+  SecretVault,
+  UnixSocketServer,
+  getDefaultPolicies,
+  handleExec,
+  handleFileList,
+  handleFileRead,
+  handleFileWrite,
+  handleHttpRequest,
+  handleOpenUrl,
+  handlePing,
+  handleSecretInject,
+  handleSkillInstall,
+  handleSkillUninstall
+};