@agenshield/broker 0.5.0 → 0.6.1

package/daemon-forward.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Daemon Policy Forwarding
+ *
+ * Shared module for forwarding policy checks to the daemon's RPC endpoint.
+ * Used by both the policy_check handler and the top-level processRequest()
+ * in server.ts / http-fallback.ts when the broker's local enforcer denies
+ * a request but the daemon may have a user-defined policy that allows it.
+ */
+export interface DaemonPolicyResult {
+    allowed: boolean;
+    policyId?: string;
+    reason?: string;
+}
+/**
+ * Forward a policy check to the daemon's RPC endpoint.
+ *
+ * The daemon evaluates user-defined policies (created in the UI).
+ * We only accept the daemon's result if it returns `allowed: true`
+ * AND includes a `policyId` (explicit user policy match).
+ * A default-allow (no policyId) is NOT trusted — we keep the broker denial.
+ *
+ * @returns The daemon's result if it explicitly allows, or null to keep broker denial.
+ */
+export declare function forwardPolicyToDaemon(operation: string, target: string, daemonUrl: string): Promise<DaemonPolicyResult | null>;
+//# sourceMappingURL=daemon-forward.d.ts.map

package/daemon-forward.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"daemon-forward.d.ts","sourceRoot":"","sources":["../src/daemon-forward.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;GASG;AACH,wBAAsB,qBAAqB,CACzC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAiDpC"}

package/handlers/events-batch.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Events Batch Handler
+ *
+ * Accepts batches of interceptor events for audit logging.
+ * The interceptor's EventReporter periodically flushes events
+ * to the broker via this RPC method.
+ */
+import type { HandlerContext, HandlerResult } from '../types.js';
+import type { HandlerDependencies } from './types.js';
+export declare function handleEventsBatch(params: Record<string, unknown>, context: HandlerContext, deps: HandlerDependencies): Promise<HandlerResult<{
+    received: number;
+}>>;
+//# sourceMappingURL=events-batch.d.ts.map

package/handlers/events-batch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"events-batch.d.ts","sourceRoot":"","sources":["../../src/handlers/events-batch.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAc,MAAM,aAAa,CAAC;AAC7E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAOtD,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,OAAO,EAAE,cAAc,EACvB,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,aAAa,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC,CAuB9C"}

package/handlers/exec.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"exec.d.ts","sourceRoot":"","sources":["../../src/handlers/exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAc,UAAU,EAAE,MAAM,aAAa,CAAC;AACzF,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AA+FtD,wBAAsB,UAAU,CAC9B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,OAAO,EAAE,cAAc,EACvB,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC,CA0GpC"}
+{"version":3,"file":"exec.d.ts","sourceRoot":"","sources":["../../src/handlers/exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAc,UAAU,EAAE,MAAM,aAAa,CAAC;AACzF,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAgGtD,wBAAsB,UAAU,CAC9B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,OAAO,EAAE,cAAc,EACvB,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC,CA+GpC"}

package/handlers/index.d.ts

@@ -8,5 +8,7 @@ export { handleOpenUrl } from './open-url.js';
 export { handleSecretInject } from './secret-inject.js';
 export { handlePing } from './ping.js';
 export { handleSkillInstall, handleSkillUninstall } from './skill-install.js';
+export { handlePolicyCheck } from './policy-check.js';
+export { handleEventsBatch } from './events-batch.js';
 export type { HandlerDependencies } from './types.js';
 //# sourceMappingURL=index.d.ts.map

package/handlers/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/handlers/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC9C,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC5E,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE9E,YAAY,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/handlers/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC9C,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC5E,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC9E,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAEtD,YAAY,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC"}

package/handlers/policy-check.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Policy Check Handler
+ *
+ * Handles policy_check RPC calls from the interceptor.
+ * The interceptor sends { operation, target } and this handler
+ * evaluates the inner operation against the policy enforcer.
+ *
+ * If the broker's enforcer denies the request, we forward to the
+ * daemon's RPC endpoint which checks user-defined policies.
+ */
+import type { HandlerContext, HandlerResult } from '../types.js';
+import type { HandlerDependencies } from './types.js';
+interface PolicyCheckResultData {
+    allowed: boolean;
+    policyId?: string;
+    reason?: string;
+}
+export declare function handlePolicyCheck(params: Record<string, unknown>, context: HandlerContext, deps: HandlerDependencies): Promise<HandlerResult<PolicyCheckResultData>>;
+export {};
+//# sourceMappingURL=policy-check.d.ts.map

package/handlers/policy-check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-check.d.ts","sourceRoot":"","sources":["../../src/handlers/policy-check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACjE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAQtD,UAAU,qBAAqB;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAKD,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,OAAO,EAAE,cAAc,EACvB,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,aAAa,CAAC,qBAAqB,CAAC,CAAC,CAoE/C"}

package/handlers/types.d.ts

@@ -24,5 +24,6 @@ export interface HandlerDependencies {
     commandAllowlist: CommandAllowlist;
     onExecMonitor?: (event: ExecMonitorEvent) => void;
     onExecDenied?: (command: string, reason: string) => void;
+    daemonUrl?: string;
 }
 //# sourceMappingURL=types.d.ts.map

package/handlers/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/handlers/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AAEzE;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,cAAc,EAAE,cAAc,CAAC;IAC/B,WAAW,EAAE,WAAW,CAAC;IACzB,WAAW,EAAE,WAAW,CAAC;IACzB,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,aAAa,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,KAAK,IAAI,CAAC;IAClD,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;CAC1D"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/handlers/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AAEzE;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,cAAc,EAAE,cAAc,CAAC;IAC/B,WAAW,EAAE,WAAW,CAAC;IACzB,WAAW,EAAE,WAAW,CAAC;IACzB,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,aAAa,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,KAAK,IAAI,CAAC;IAClD,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;IACzD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB"}

package/http-fallback.d.ts

@@ -7,16 +7,19 @@
 import type { BrokerConfig } from './types.js';
 import type { PolicyEnforcer } from './policies/enforcer.js';
 import type { AuditLogger } from './audit/logger.js';
+import type { CommandAllowlist } from './policies/command-allowlist.js';
 export interface HttpFallbackServerOptions {
     config: BrokerConfig;
     policyEnforcer: PolicyEnforcer;
     auditLogger: AuditLogger;
+    commandAllowlist: CommandAllowlist;
 }
 export declare class HttpFallbackServer {
     private server;
     private config;
     private policyEnforcer;
     private auditLogger;
+    private commandAllowlist;
     constructor(options: HttpFallbackServerOptions);
     /**
      * Start the HTTP fallback server

package/http-fallback.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"http-fallback.d.ts","sourceRoot":"","sources":["../src/http-fallback.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EACV,YAAY,EAIb,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAmBrD,MAAM,WAAW,yBAAyB;IACxC,MAAM,EAAE,YAAY,CAAC;IACrB,cAAc,EAAE,cAAc,CAAC;IAC/B,WAAW,EAAE,WAAW,CAAC;CAC1B;AAED,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,MAAM,CAA4B;IAC1C,OAAO,CAAC,MAAM,CAAe;IAC7B,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,WAAW,CAAc;gBAErB,OAAO,EAAE,yBAAyB;IAM9C;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAoB5B;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAY3B;;OAEG;YACW,aAAa;IA6C3B;;OAEG;IACH,OAAO,CAAC,WAAW;IAUnB;;OAEG;YACW,cAAc;IAyH5B;;OAEG;IACH,OAAO,CAAC,UAAU;IAoBlB;;OAEG;IACH,OAAO,CAAC,aAAa;IAWrB;;OAEG;IACH,OAAO,CAAC,aAAa;CAWtB"}
+{"version":3,"file":"http-fallback.d.ts","sourceRoot":"","sources":["../src/http-fallback.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EACV,YAAY,EAIb,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AAsBxE,MAAM,WAAW,yBAAyB;IACxC,MAAM,EAAE,YAAY,CAAC;IACrB,cAAc,EAAE,cAAc,CAAC;IAC/B,WAAW,EAAE,WAAW,CAAC;IACzB,gBAAgB,EAAE,gBAAgB,CAAC;CACpC;AAED,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,MAAM,CAA4B;IAC1C,OAAO,CAAC,MAAM,CAAe;IAC7B,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,gBAAgB,CAAmB;gBAE/B,OAAO,EAAE,yBAAyB;IAO9C;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAoB5B;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAY3B;;OAEG;YACW,aAAa;IA6C3B;;OAEG;IACH,OAAO,CAAC,WAAW;IAUnB;;OAEG;YACW,cAAc;IAuI5B;;OAEG;IACH,OAAO,CAAC,UAAU;IAsBlB;;OAEG;IACH,OAAO,CAAC,aAAa;IAWrB;;OAEG;IACH,OAAO,CAAC,aAAa;CAWtB"}

package/index.js

@@ -249,6 +249,47 @@ function matchPattern(name, pattern) {
 // libs/shield-broker/src/handlers/exec.ts
 import * as path2 from "node:path";
 import { spawn } from "node:child_process";
+
+// libs/shield-broker/src/daemon-forward.ts
+var DAEMON_RPC_TIMEOUT = 2e3;
+async function forwardPolicyToDaemon(operation, target, daemonUrl) {
+  try {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), DAEMON_RPC_TIMEOUT);
+    const response = await fetch(`${daemonUrl}/rpc`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: `broker-fwd-${Date.now()}`,
+        method: "policy_check",
+        params: { operation, target }
+      }),
+      signal: controller.signal
+    });
+    clearTimeout(timeout);
+    if (!response.ok) {
+      return null;
+    }
+    const json = await response.json();
+    if (json.error || !json.result) {
+      return null;
+    }
+    const result = json.result;
+    if (result.policyId) {
+      return {
+        allowed: !!result.allowed,
+        policyId: result.policyId,
+        reason: result.reason
+      };
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+// libs/shield-broker/src/handlers/exec.ts
 var MAX_OUTPUT_SIZE = 10 * 1024 * 1024;
 var DEFAULT_WORKSPACE = "/Users/clawagent/workspace";
 var FS_COMMANDS = /* @__PURE__ */ new Set([
@@ -381,12 +422,16 @@ async function handleExec(params, context, deps) {
       if (url) {
         const networkCheck = await deps.policyEnforcer.check("http_request", { url }, context);
         if (!networkCheck.allowed) {
-          const reason = `URL not allowed: ${url} - ${networkCheck.reason}`;
-          deps.onExecDenied?.(command, reason);
-          return {
-            success: false,
-            error: { code: 1009, message: reason }
-          };
+          const daemonUrl = deps.daemonUrl || "http://127.0.0.1:5200";
+          const override = await forwardPolicyToDaemon("http_request", url, daemonUrl);
+          if (!override || !override.allowed) {
+            const reason = `URL not allowed: ${url} - ${networkCheck.reason}`;
+            deps.onExecDenied?.(command, reason);
+            return {
+              success: false,
+              error: { code: 1009, message: reason }
+            };
+          }
         }
       }
     }
@@ -805,6 +850,86 @@ async function handleSkillUninstall(params, context, deps) {
   }
 }
 
+// libs/shield-broker/src/handlers/policy-check.ts
+var DEFAULT_DAEMON_URL = "http://127.0.0.1:5200";
+async function handlePolicyCheck(params, context, deps) {
+  const { operation, target } = params;
+  if (!operation) {
+    return {
+      success: false,
+      error: { code: -32602, message: "Missing required parameter: operation" }
+    };
+  }
+  let checkParams;
+  switch (operation) {
+    case "http_request":
+    case "open_url":
+      checkParams = { url: target || "" };
+      break;
+    case "file_read":
+    case "file_write":
+    case "file_list":
+      checkParams = { path: target || "" };
+      break;
+    case "exec":
+      checkParams = { command: target || "" };
+      break;
+    case "secret_inject":
+      checkParams = { name: target || "" };
+      break;
+    default:
+      checkParams = { target: target || "" };
+      break;
+  }
+  const result = await deps.policyEnforcer.check(operation, checkParams, context);
+  if (result.allowed) {
+    return {
+      success: true,
+      data: {
+        allowed: true,
+        policyId: result.policyId,
+        reason: result.reason
+      }
+    };
+  }
+  const daemonUrl = deps.daemonUrl || DEFAULT_DAEMON_URL;
+  const daemonResult = await forwardPolicyToDaemon(operation, target || "", daemonUrl);
+  if (daemonResult && daemonResult.allowed) {
+    return { success: true, data: daemonResult };
+  }
+  return {
+    success: true,
+    data: {
+      allowed: false,
+      policyId: result.policyId,
+      reason: result.reason
+    }
+  };
+}
+
+// libs/shield-broker/src/handlers/events-batch.ts
+async function handleEventsBatch(params, context, deps) {
+  const { events } = params;
+  const eventList = events || [];
+  for (const event of eventList) {
+    const entry = {
+      id: event.id || context.requestId,
+      timestamp: event.timestamp ? new Date(event.timestamp) : /* @__PURE__ */ new Date(),
+      operation: event.operation || "events_batch",
+      channel: "socket",
+      allowed: event.allowed ?? true,
+      target: event.target || "",
+      result: event.allowed === false ? "denied" : "success",
+      durationMs: 0
+    };
+    await deps.auditLogger.log(entry);
+  }
+  return {
+    success: true,
+    data: { received: eventList.length }
+  };
+}
+
 // libs/shield-broker/src/server.ts
 var UnixSocketServer = class {
   server = null;
@@ -812,12 +937,14 @@ var UnixSocketServer = class {
   policyEnforcer;
   auditLogger;
   secretVault;
+  commandAllowlist;
   connections = /* @__PURE__ */ new Set();
   constructor(options) {
     this.config = options.config;
     this.policyEnforcer = options.policyEnforcer;
     this.auditLogger = options.auditLogger;
     this.secretVault = options.secretVault;
+    this.commandAllowlist = options.commandAllowlist;
   }
   /**
    * Start the Unix socket server
@@ -921,20 +1048,29 @@ var UnixSocketServer = class {
         request.params,
         context
       );
-      if (!policyResult.allowed) {
+      let finalPolicy = policyResult;
+      if (!policyResult.allowed && request.method !== "policy_check") {
+        const target = this.extractTarget(request);
+        const daemonUrl = this.config.daemonUrl || "http://127.0.0.1:5200";
+        const override = await forwardPolicyToDaemon(request.method, target, daemonUrl);
+        if (override) {
+          finalPolicy = override;
+        }
+      }
+      if (!finalPolicy.allowed) {
         await this.auditLogger.log({
           id: requestId,
           timestamp: /* @__PURE__ */ new Date(),
           operation: request.method,
           channel: "socket",
           allowed: false,
-          policyId: policyResult.policyId,
+          policyId: finalPolicy.policyId,
           target: this.extractTarget(request),
           result: "denied",
-          errorMessage: policyResult.reason,
+          errorMessage: finalPolicy.reason,
           durationMs: Date.now() - startTime
         });
-        return this.errorResponse(request.id, 1001, policyResult.reason || "Policy denied");
+        return this.errorResponse(request.id, 1001, finalPolicy.reason || "Policy denied");
       }
       const handler = this.getHandler(request.method);
       if (!handler) {
@@ -943,7 +1079,9 @@ var UnixSocketServer = class {
       const result = await handler(request.params, context, {
         policyEnforcer: this.policyEnforcer,
         auditLogger: this.auditLogger,
-        secretVault: this.secretVault
+        secretVault: this.secretVault,
+        commandAllowlist: this.commandAllowlist,
+        daemonUrl: this.config.daemonUrl
       });
       await this.auditLogger.log({
         id: requestId,
@@ -951,7 +1089,7 @@ var UnixSocketServer = class {
         operation: request.method,
         channel: "socket",
         allowed: true,
-        policyId: policyResult.policyId,
+        policyId: finalPolicy.policyId,
         target: this.extractTarget(request),
         result: result.success ? "success" : "error",
         errorMessage: result.error?.message,
@@ -990,7 +1128,9 @@ var UnixSocketServer = class {
       secret_inject: handleSecretInject,
       ping: handlePing,
       skill_install: handleSkillInstall,
-      skill_uninstall: handleSkillUninstall
+      skill_uninstall: handleSkillUninstall,
+      policy_check: handlePolicyCheck,
+      events_batch: handleEventsBatch
     };
     return handlerMap[method];
   }
@@ -1021,7 +1161,9 @@ var HTTP_ALLOWED_OPERATIONS = /* @__PURE__ */ new Set([
   "file_read",
   "file_list",
   "open_url",
-  "ping"
+  "ping",
+  "policy_check",
+  "events_batch"
 ]);
 var HTTP_DENIED_OPERATIONS = /* @__PURE__ */ new Set([
   "exec",
@@ -1033,10 +1175,12 @@ var HttpFallbackServer = class {
   config;
   policyEnforcer;
   auditLogger;
+  commandAllowlist;
   constructor(options) {
     this.config = options.config;
     this.policyEnforcer = options.policyEnforcer;
     this.auditLogger = options.auditLogger;
+    this.commandAllowlist = options.commandAllowlist;
   }
   /**
    * Start the HTTP fallback server
@@ -1157,20 +1301,29 @@ var HttpFallbackServer = class {
         request.params,
         context
       );
-      if (!policyResult.allowed) {
+      let finalPolicy = policyResult;
+      if (!policyResult.allowed && request.method !== "policy_check") {
+        const target = this.extractTarget(request);
+        const daemonUrl = this.config.daemonUrl || "http://127.0.0.1:5200";
+        const override = await forwardPolicyToDaemon(request.method, target, daemonUrl);
+        if (override) {
+          finalPolicy = override;
+        }
+      }
+      if (!finalPolicy.allowed) {
         await this.auditLogger.log({
           id: requestId,
           timestamp: /* @__PURE__ */ new Date(),
           operation: request.method,
           channel: "http",
           allowed: false,
-          policyId: policyResult.policyId,
+          policyId: finalPolicy.policyId,
           target: this.extractTarget(request),
           result: "denied",
-          errorMessage: policyResult.reason,
+          errorMessage: finalPolicy.reason,
           durationMs: Date.now() - startTime
         });
-        return this.errorResponse(request.id, 1001, policyResult.reason || "Policy denied");
+        return this.errorResponse(request.id, 1001, finalPolicy.reason || "Policy denied");
       }
       const handler = this.getHandler(request.method);
       if (!handler) {
@@ -1179,8 +1332,10 @@ var HttpFallbackServer = class {
       const result = await handler(request.params, context, {
         policyEnforcer: this.policyEnforcer,
         auditLogger: this.auditLogger,
-        secretVault: null
+        secretVault: null,
         // Not available over HTTP
+        commandAllowlist: this.commandAllowlist,
+        daemonUrl: this.config.daemonUrl
       });
       await this.auditLogger.log({
         id: requestId,
@@ -1188,7 +1343,7 @@ var HttpFallbackServer = class {
         operation: request.method,
         channel: "http",
         allowed: true,
-        policyId: policyResult.policyId,
+        policyId: finalPolicy.policyId,
         target: this.extractTarget(request),
         result: result.success ? "success" : "error",
         errorMessage: result.error?.message,
@@ -1222,7 +1377,9 @@ var HttpFallbackServer = class {
       file_read: handleFileRead,
       file_list: handleFileList,
       open_url: handleOpenUrl,
-      ping: handlePing
+      ping: handlePing,
+      policy_check: handlePolicyCheck,
+      events_batch: handleEventsBatch
     };
     return handlerMap[method];
   }
@@ -1261,6 +1418,34 @@ var PolicyEnforcer = class {
     this.policies = options.defaultPolicies;
     this.loadPolicies();
   }
+  /**
+   * Normalize a policy rule — infer operations from target when missing,
+   * default priority to 0.
+   */
+  normalizeRule(rule) {
+    const normalized = { ...rule };
+    if (!normalized.priority && normalized.priority !== 0) {
+      normalized.priority = 0;
+    }
+    if (normalized.operations && normalized.operations.length > 0) {
+      return normalized;
+    }
+    switch (normalized.target) {
+      case "url":
+        normalized.operations = ["http_request", "open_url"];
+        break;
+      case "command":
+        normalized.operations = ["exec"];
+        break;
+      case "skill":
+        normalized.operations = ["skill_install", "skill_uninstall"];
+        break;
+      default:
+        normalized.operations = ["*"];
+        break;
+    }
+    return normalized;
+  }
   /**
    * Load policies from disk
    */
@@ -1273,7 +1458,7 @@ var PolicyEnforcer = class {
         this.policies = {
           ...this.policies,
           ...loaded,
-          rules: [...this.policies.rules, ...loaded.rules || []]
+          rules: [...this.policies.rules, ...(loaded.rules || []).map((r) => this.normalizeRule(r))]
         };
         this.lastLoad = Date.now();
       } catch (error) {
@@ -1289,7 +1474,7 @@ var PolicyEnforcer = class {
             const content = fs4.readFileSync(path4.join(customDir, file), "utf-8");
             const custom = JSON.parse(content);
             if (custom.rules) {
-              this.policies.rules.push(...custom.rules);
+              this.policies.rules.push(...custom.rules.map((r) => this.normalizeRule(r)));
             }
           }
         }
@@ -1339,6 +1524,12 @@ var PolicyEnforcer = class {
       if (!constraintResult.allowed) {
         return constraintResult;
       }
+      if (["file_read", "file_write", "file_list"].includes(operation) && this.policies.fsConstraints) {
+        return { allowed: true, reason: "Allowed by file system constraints" };
+      }
+      if (operation === "http_request" && this.policies.networkConstraints) {
+        return { allowed: true, reason: "Allowed by network constraints" };
+      }
       return {
         allowed: this.policies.defaultAction === "allow",
         reason: this.policies.defaultAction === "deny" ? "No matching allow policy" : void 0
@@ -1518,6 +1709,28 @@ var BuiltinPolicies = [
     enabled: true,
     priority: 1e3
   },
+  // Allow interceptor policy checks (internal RPC — must not be subject to policy gate)
+  {
+    id: "builtin-allow-policy-check",
+    name: "Allow interceptor policy checks",
+    action: "allow",
+    target: "command",
+    operations: ["policy_check"],
+    patterns: ["*"],
+    enabled: true,
+    priority: 1e3
+  },
+  // Allow interceptor event reporting (internal RPC)
+  {
+    id: "builtin-allow-events-batch",
+    name: "Allow interceptor event reporting",
+    action: "allow",
+    target: "command",
+    operations: ["events_batch"],
+    patterns: ["*"],
+    enabled: true,
+    priority: 1e3
+  },
   // Allow skill installation/uninstallation (daemon management operations)
   {
     id: "builtin-allow-skill-management",
@@ -1538,9 +1751,13 @@ var BuiltinPolicies = [
     operations: ["http_request"],
     patterns: [
       "http://localhost:*",
+      "http://localhost:*/**",
       "http://127.0.0.1:*",
+      "http://127.0.0.1:*/**",
       "https://localhost:*",
-      "https://127.0.0.1:*"
+      "https://localhost:*/**",
+      "https://127.0.0.1:*",
+      "https://127.0.0.1:*/**"
     ],
     enabled: true,
     priority: 100
@@ -1640,10 +1857,15 @@ var BuiltinPolicies = [
     target: "url",
     operations: ["http_request"],
     patterns: [
+      "https://api.anthropic.com",
       "https://api.anthropic.com/**",
+      "https://api.openai.com",
       "https://api.openai.com/**",
+      "https://api.cohere.ai",
       "https://api.cohere.ai/**",
+      "https://generativelanguage.googleapis.com",
       "https://generativelanguage.googleapis.com/**",
+      "https://api.mistral.ai",
       "https://api.mistral.ai/**"
     ],
     enabled: true,
@@ -1657,10 +1879,15 @@ var BuiltinPolicies = [
     target: "url",
     operations: ["http_request"],
     patterns: [
+      "https://registry.npmjs.org",
       "https://registry.npmjs.org/**",
+      "https://pypi.org",
       "https://pypi.org/**",
+      "https://files.pythonhosted.org",
       "https://files.pythonhosted.org/**",
+      "https://crates.io",
       "https://crates.io/**",
+      "https://rubygems.org",
       "https://rubygems.org/**"
     ],
     enabled: true,
@@ -1674,23 +1901,28 @@ var BuiltinPolicies = [
     target: "url",
     operations: ["http_request"],
     patterns: [
+      "https://github.com",
       "https://github.com/**",
+      "https://api.github.com",
       "https://api.github.com/**",
+      "https://raw.githubusercontent.com",
       "https://raw.githubusercontent.com/**",
+      "https://gist.github.com",
       "https://gist.github.com/**"
     ],
     enabled: true,
     priority: 50
   }
 ];
-function getDefaultPolicies() {
+function getDefaultPolicies(options) {
+  const agentHome = options?.agentHome || process.env["AGENSHIELD_AGENT_HOME"] || "/Users/clawagent";
   return {
     version: "1.0.0",
     defaultAction: "deny",
     rules: [...BuiltinPolicies],
     fsConstraints: {
       allowedPaths: [
-        "/Users/clawagent/workspace",
+        agentHome,
         "/tmp/agenshield"
       ],
       deniedPatterns: [
@@ -2656,6 +2888,7 @@ export {
   SecretVault,
   UnixSocketServer,
   getDefaultPolicies,
+  handleEventsBatch,
   handleExec,
   handleFileList,
   handleFileRead,
@@ -2663,6 +2896,7 @@ export {
   handleHttpRequest,
   handleOpenUrl,
   handlePing,
+  handlePolicyCheck,
   handleSecretInject,
   handleSkillInstall,
   handleSkillUninstall