@agenshield/broker 0.5.0 → 0.6.1

package/main.js

@@ -251,6 +251,47 @@ function matchPattern(name, pattern) {
 // libs/shield-broker/src/handlers/exec.ts
 import * as path2 from "node:path";
 import { spawn } from "node:child_process";
+
+// libs/shield-broker/src/daemon-forward.ts
+var DAEMON_RPC_TIMEOUT = 2e3;
+async function forwardPolicyToDaemon(operation, target, daemonUrl) {
+  try {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), DAEMON_RPC_TIMEOUT);
+    const response = await fetch(`${daemonUrl}/rpc`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: `broker-fwd-${Date.now()}`,
+        method: "policy_check",
+        params: { operation, target }
+      }),
+      signal: controller.signal
+    });
+    clearTimeout(timeout);
+    if (!response.ok) {
+      return null;
+    }
+    const json = await response.json();
+    if (json.error || !json.result) {
+      return null;
+    }
+    const result = json.result;
+    if (result.policyId) {
+      return {
+        allowed: !!result.allowed,
+        policyId: result.policyId,
+        reason: result.reason
+      };
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+// libs/shield-broker/src/handlers/exec.ts
 var MAX_OUTPUT_SIZE = 10 * 1024 * 1024;
 var DEFAULT_WORKSPACE = "/Users/clawagent/workspace";
 var FS_COMMANDS = /* @__PURE__ */ new Set([
@@ -383,12 +424,16 @@ async function handleExec(params, context, deps) {
       if (url) {
         const networkCheck = await deps.policyEnforcer.check("http_request", { url }, context);
         if (!networkCheck.allowed) {
-          const reason = `URL not allowed: ${url} - ${networkCheck.reason}`;
-          deps.onExecDenied?.(command, reason);
-          return {
-            success: false,
-            error: { code: 1009, message: reason }
-          };
+          const daemonUrl = deps.daemonUrl || "http://127.0.0.1:5200";
+          const override = await forwardPolicyToDaemon("http_request", url, daemonUrl);
+          if (!override || !override.allowed) {
+            const reason = `URL not allowed: ${url} - ${networkCheck.reason}`;
+            deps.onExecDenied?.(command, reason);
+            return {
+              success: false,
+              error: { code: 1009, message: reason }
+            };
+          }
         }
       }
     }
@@ -807,6 +852,86 @@ async function handleSkillUninstall(params, context, deps) {
   }
 }
 
+// libs/shield-broker/src/handlers/policy-check.ts
+var DEFAULT_DAEMON_URL = "http://127.0.0.1:5200";
+async function handlePolicyCheck(params, context, deps) {
+  const { operation, target } = params;
+  if (!operation) {
+    return {
+      success: false,
+      error: { code: -32602, message: "Missing required parameter: operation" }
+    };
+  }
+  let checkParams;
+  switch (operation) {
+    case "http_request":
+    case "open_url":
+      checkParams = { url: target || "" };
+      break;
+    case "file_read":
+    case "file_write":
+    case "file_list":
+      checkParams = { path: target || "" };
+      break;
+    case "exec":
+      checkParams = { command: target || "" };
+      break;
+    case "secret_inject":
+      checkParams = { name: target || "" };
+      break;
+    default:
+      checkParams = { target: target || "" };
+      break;
+  }
+  const result = await deps.policyEnforcer.check(operation, checkParams, context);
+  if (result.allowed) {
+    return {
+      success: true,
+      data: {
+        allowed: true,
+        policyId: result.policyId,
+        reason: result.reason
+      }
+    };
+  }
+  const daemonUrl = deps.daemonUrl || DEFAULT_DAEMON_URL;
+  const daemonResult = await forwardPolicyToDaemon(operation, target || "", daemonUrl);
+  if (daemonResult && daemonResult.allowed) {
+    return { success: true, data: daemonResult };
+  }
+  return {
+    success: true,
+    data: {
+      allowed: false,
+      policyId: result.policyId,
+      reason: result.reason
+    }
+  };
+}
+
+// libs/shield-broker/src/handlers/events-batch.ts
+async function handleEventsBatch(params, context, deps) {
+  const { events } = params;
+  const eventList = events || [];
+  for (const event of eventList) {
+    const entry = {
+      id: event.id || context.requestId,
+      timestamp: event.timestamp ? new Date(event.timestamp) : /* @__PURE__ */ new Date(),
+      operation: event.operation || "events_batch",
+      channel: "socket",
+      allowed: event.allowed ?? true,
+      target: event.target || "",
+      result: event.allowed === false ? "denied" : "success",
+      durationMs: 0
+    };
+    await deps.auditLogger.log(entry);
+  }
+  return {
+    success: true,
+    data: { received: eventList.length }
+  };
+}
+
 // libs/shield-broker/src/server.ts
 var UnixSocketServer = class {
   server = null;
@@ -814,12 +939,14 @@ var UnixSocketServer = class {
   policyEnforcer;
   auditLogger;
   secretVault;
+  commandAllowlist;
   connections = /* @__PURE__ */ new Set();
   constructor(options) {
     this.config = options.config;
     this.policyEnforcer = options.policyEnforcer;
     this.auditLogger = options.auditLogger;
     this.secretVault = options.secretVault;
+    this.commandAllowlist = options.commandAllowlist;
   }
   /**
    * Start the Unix socket server
@@ -923,20 +1050,29 @@ var UnixSocketServer = class {
         request.params,
         context
       );
-      if (!policyResult.allowed) {
+      let finalPolicy = policyResult;
+      if (!policyResult.allowed && request.method !== "policy_check") {
+        const target = this.extractTarget(request);
+        const daemonUrl = this.config.daemonUrl || "http://127.0.0.1:5200";
+        const override = await forwardPolicyToDaemon(request.method, target, daemonUrl);
+        if (override) {
+          finalPolicy = override;
+        }
+      }
+      if (!finalPolicy.allowed) {
         await this.auditLogger.log({
           id: requestId,
           timestamp: /* @__PURE__ */ new Date(),
           operation: request.method,
           channel: "socket",
           allowed: false,
-          policyId: policyResult.policyId,
+          policyId: finalPolicy.policyId,
           target: this.extractTarget(request),
           result: "denied",
-          errorMessage: policyResult.reason,
+          errorMessage: finalPolicy.reason,
           durationMs: Date.now() - startTime
         });
-        return this.errorResponse(request.id, 1001, policyResult.reason || "Policy denied");
+        return this.errorResponse(request.id, 1001, finalPolicy.reason || "Policy denied");
       }
       const handler = this.getHandler(request.method);
       if (!handler) {
@@ -945,7 +1081,9 @@ var UnixSocketServer = class {
       const result = await handler(request.params, context, {
         policyEnforcer: this.policyEnforcer,
         auditLogger: this.auditLogger,
-        secretVault: this.secretVault
+        secretVault: this.secretVault,
+        commandAllowlist: this.commandAllowlist,
+        daemonUrl: this.config.daemonUrl
       });
       await this.auditLogger.log({
         id: requestId,
@@ -953,7 +1091,7 @@ var UnixSocketServer = class {
         operation: request.method,
         channel: "socket",
         allowed: true,
-        policyId: policyResult.policyId,
+        policyId: finalPolicy.policyId,
         target: this.extractTarget(request),
         result: result.success ? "success" : "error",
         errorMessage: result.error?.message,
@@ -992,7 +1130,9 @@ var UnixSocketServer = class {
       secret_inject: handleSecretInject,
       ping: handlePing,
       skill_install: handleSkillInstall,
-      skill_uninstall: handleSkillUninstall
+      skill_uninstall: handleSkillUninstall,
+      policy_check: handlePolicyCheck,
+      events_batch: handleEventsBatch
     };
     return handlerMap[method];
   }
@@ -1023,7 +1163,9 @@ var HTTP_ALLOWED_OPERATIONS = /* @__PURE__ */ new Set([
   "file_read",
   "file_list",
   "open_url",
-  "ping"
+  "ping",
+  "policy_check",
+  "events_batch"
 ]);
 var HTTP_DENIED_OPERATIONS = /* @__PURE__ */ new Set([
   "exec",
@@ -1035,10 +1177,12 @@ var HttpFallbackServer = class {
   config;
   policyEnforcer;
   auditLogger;
+  commandAllowlist;
   constructor(options) {
     this.config = options.config;
     this.policyEnforcer = options.policyEnforcer;
     this.auditLogger = options.auditLogger;
+    this.commandAllowlist = options.commandAllowlist;
   }
   /**
    * Start the HTTP fallback server
@@ -1159,20 +1303,29 @@ var HttpFallbackServer = class {
         request.params,
         context
       );
-      if (!policyResult.allowed) {
+      let finalPolicy = policyResult;
+      if (!policyResult.allowed && request.method !== "policy_check") {
+        const target = this.extractTarget(request);
+        const daemonUrl = this.config.daemonUrl || "http://127.0.0.1:5200";
+        const override = await forwardPolicyToDaemon(request.method, target, daemonUrl);
+        if (override) {
+          finalPolicy = override;
+        }
+      }
+      if (!finalPolicy.allowed) {
         await this.auditLogger.log({
           id: requestId,
           timestamp: /* @__PURE__ */ new Date(),
           operation: request.method,
           channel: "http",
           allowed: false,
-          policyId: policyResult.policyId,
+          policyId: finalPolicy.policyId,
           target: this.extractTarget(request),
           result: "denied",
-          errorMessage: policyResult.reason,
+          errorMessage: finalPolicy.reason,
           durationMs: Date.now() - startTime
         });
-        return this.errorResponse(request.id, 1001, policyResult.reason || "Policy denied");
+        return this.errorResponse(request.id, 1001, finalPolicy.reason || "Policy denied");
       }
       const handler = this.getHandler(request.method);
       if (!handler) {
@@ -1181,8 +1334,10 @@ var HttpFallbackServer = class {
       const result = await handler(request.params, context, {
         policyEnforcer: this.policyEnforcer,
         auditLogger: this.auditLogger,
-        secretVault: null
+        secretVault: null,
         // Not available over HTTP
+        commandAllowlist: this.commandAllowlist,
+        daemonUrl: this.config.daemonUrl
       });
       await this.auditLogger.log({
         id: requestId,
@@ -1190,7 +1345,7 @@ var HttpFallbackServer = class {
         operation: request.method,
         channel: "http",
         allowed: true,
-        policyId: policyResult.policyId,
+        policyId: finalPolicy.policyId,
         target: this.extractTarget(request),
         result: result.success ? "success" : "error",
         errorMessage: result.error?.message,
@@ -1224,7 +1379,9 @@ var HttpFallbackServer = class {
       file_read: handleFileRead,
       file_list: handleFileList,
       open_url: handleOpenUrl,
-      ping: handlePing
+      ping: handlePing,
+      policy_check: handlePolicyCheck,
+      events_batch: handleEventsBatch
     };
     return handlerMap[method];
   }
@@ -1263,6 +1420,34 @@ var PolicyEnforcer = class {
     this.policies = options.defaultPolicies;
     this.loadPolicies();
   }
+  /**
+   * Normalize a policy rule — infer operations from target when missing,
+   * default priority to 0.
+   */
+  normalizeRule(rule) {
+    const normalized = { ...rule };
+    if (!normalized.priority && normalized.priority !== 0) {
+      normalized.priority = 0;
+    }
+    if (normalized.operations && normalized.operations.length > 0) {
+      return normalized;
+    }
+    switch (normalized.target) {
+      case "url":
+        normalized.operations = ["http_request", "open_url"];
+        break;
+      case "command":
+        normalized.operations = ["exec"];
+        break;
+      case "skill":
+        normalized.operations = ["skill_install", "skill_uninstall"];
+        break;
+      default:
+        normalized.operations = ["*"];
+        break;
+    }
+    return normalized;
+  }
   /**
    * Load policies from disk
    */
@@ -1275,7 +1460,7 @@ var PolicyEnforcer = class {
         this.policies = {
           ...this.policies,
           ...loaded,
-          rules: [...this.policies.rules, ...loaded.rules || []]
+          rules: [...this.policies.rules, ...(loaded.rules || []).map((r) => this.normalizeRule(r))]
         };
         this.lastLoad = Date.now();
       } catch (error) {
@@ -1291,7 +1476,7 @@ var PolicyEnforcer = class {
             const content = fs4.readFileSync(path4.join(customDir, file), "utf-8");
             const custom = JSON.parse(content);
             if (custom.rules) {
-              this.policies.rules.push(...custom.rules);
+              this.policies.rules.push(...custom.rules.map((r) => this.normalizeRule(r)));
             }
           }
         }
@@ -1341,6 +1526,12 @@ var PolicyEnforcer = class {
       if (!constraintResult.allowed) {
         return constraintResult;
       }
+      if (["file_read", "file_write", "file_list"].includes(operation) && this.policies.fsConstraints) {
+        return { allowed: true, reason: "Allowed by file system constraints" };
+      }
+      if (operation === "http_request" && this.policies.networkConstraints) {
+        return { allowed: true, reason: "Allowed by network constraints" };
+      }
       return {
         allowed: this.policies.defaultAction === "allow",
         reason: this.policies.defaultAction === "deny" ? "No matching allow policy" : void 0
@@ -1520,6 +1711,28 @@ var BuiltinPolicies = [
     enabled: true,
     priority: 1e3
   },
+  // Allow interceptor policy checks (internal RPC — must not be subject to policy gate)
+  {
+    id: "builtin-allow-policy-check",
+    name: "Allow interceptor policy checks",
+    action: "allow",
+    target: "command",
+    operations: ["policy_check"],
+    patterns: ["*"],
+    enabled: true,
+    priority: 1e3
+  },
+  // Allow interceptor event reporting (internal RPC)
+  {
+    id: "builtin-allow-events-batch",
+    name: "Allow interceptor event reporting",
+    action: "allow",
+    target: "command",
+    operations: ["events_batch"],
+    patterns: ["*"],
+    enabled: true,
+    priority: 1e3
+  },
   // Allow skill installation/uninstallation (daemon management operations)
   {
     id: "builtin-allow-skill-management",
@@ -1540,9 +1753,13 @@ var BuiltinPolicies = [
     operations: ["http_request"],
     patterns: [
       "http://localhost:*",
+      "http://localhost:*/**",
       "http://127.0.0.1:*",
+      "http://127.0.0.1:*/**",
       "https://localhost:*",
-      "https://127.0.0.1:*"
+      "https://localhost:*/**",
+      "https://127.0.0.1:*",
+      "https://127.0.0.1:*/**"
     ],
     enabled: true,
     priority: 100
@@ -1642,10 +1859,15 @@ var BuiltinPolicies = [
     target: "url",
     operations: ["http_request"],
     patterns: [
+      "https://api.anthropic.com",
       "https://api.anthropic.com/**",
+      "https://api.openai.com",
       "https://api.openai.com/**",
+      "https://api.cohere.ai",
       "https://api.cohere.ai/**",
+      "https://generativelanguage.googleapis.com",
       "https://generativelanguage.googleapis.com/**",
+      "https://api.mistral.ai",
       "https://api.mistral.ai/**"
     ],
     enabled: true,
@@ -1659,10 +1881,15 @@ var BuiltinPolicies = [
     target: "url",
     operations: ["http_request"],
     patterns: [
+      "https://registry.npmjs.org",
       "https://registry.npmjs.org/**",
+      "https://pypi.org",
       "https://pypi.org/**",
+      "https://files.pythonhosted.org",
       "https://files.pythonhosted.org/**",
+      "https://crates.io",
       "https://crates.io/**",
+      "https://rubygems.org",
       "https://rubygems.org/**"
     ],
     enabled: true,
@@ -1676,23 +1903,28 @@ var BuiltinPolicies = [
     target: "url",
     operations: ["http_request"],
     patterns: [
+      "https://github.com",
       "https://github.com/**",
+      "https://api.github.com",
       "https://api.github.com/**",
+      "https://raw.githubusercontent.com",
       "https://raw.githubusercontent.com/**",
+      "https://gist.github.com",
       "https://gist.github.com/**"
     ],
     enabled: true,
     priority: 50
   }
 ];
-function getDefaultPolicies() {
+function getDefaultPolicies(options) {
+  const agentHome = options?.agentHome || process.env["AGENSHIELD_AGENT_HOME"] || "/Users/clawagent";
   return {
     version: "1.0.0",
     defaultAction: "deny",
     rules: [...BuiltinPolicies],
     fsConstraints: {
       allowedPaths: [
-        "/Users/clawagent/workspace",
+        agentHome,
         "/tmp/agenshield"
       ],
       deniedPatterns: [
@@ -1719,9 +1951,190 @@ function getDefaultPolicies() {
   };
 }
 
-// libs/shield-broker/src/audit/logger.ts
+// libs/shield-broker/src/policies/command-allowlist.ts
 import * as fs5 from "node:fs";
 import * as path5 from "node:path";
+var BUILTIN_COMMANDS = {
+  git: ["/usr/bin/git", "/opt/homebrew/bin/git", "/usr/local/bin/git"],
+  ssh: ["/usr/bin/ssh"],
+  scp: ["/usr/bin/scp"],
+  rsync: ["/usr/bin/rsync", "/opt/homebrew/bin/rsync"],
+  brew: ["/opt/homebrew/bin/brew", "/usr/local/bin/brew"],
+  npm: ["/opt/homebrew/bin/npm", "/usr/local/bin/npm"],
+  npx: ["/opt/homebrew/bin/npx", "/usr/local/bin/npx"],
+  pip: ["/usr/bin/pip", "/usr/local/bin/pip", "/opt/homebrew/bin/pip"],
+  pip3: ["/usr/bin/pip3", "/usr/local/bin/pip3", "/opt/homebrew/bin/pip3"],
+  node: ["/opt/homebrew/bin/node", "/usr/local/bin/node"],
+  python: ["/usr/bin/python", "/usr/local/bin/python", "/opt/homebrew/bin/python"],
+  python3: ["/usr/bin/python3", "/usr/local/bin/python3", "/opt/homebrew/bin/python3"],
+  ls: ["/bin/ls"],
+  cat: ["/bin/cat"],
+  grep: ["/usr/bin/grep"],
+  find: ["/usr/bin/find"],
+  mkdir: ["/bin/mkdir"],
+  cp: ["/bin/cp"],
+  mv: ["/bin/mv"],
+  rm: ["/bin/rm"],
+  touch: ["/usr/bin/touch"],
+  chmod: ["/bin/chmod"],
+  head: ["/usr/bin/head"],
+  tail: ["/usr/bin/tail"],
+  wc: ["/usr/bin/wc"],
+  sort: ["/usr/bin/sort"],
+  uniq: ["/usr/bin/uniq"],
+  sed: ["/usr/bin/sed"],
+  awk: ["/usr/bin/awk"],
+  tar: ["/usr/bin/tar"],
+  curl: ["/usr/bin/curl"],
+  wget: ["/usr/local/bin/wget", "/opt/homebrew/bin/wget"]
+};
+var CommandAllowlist = class {
+  configPath;
+  dynamicCommands = /* @__PURE__ */ new Map();
+  lastLoad = 0;
+  reloadInterval = 3e4;
+  // 30 seconds
+  constructor(configPath) {
+    this.configPath = configPath;
+    this.load();
+  }
+  /**
+   * Load dynamic commands from disk
+   */
+  load() {
+    if (!fs5.existsSync(this.configPath)) {
+      this.lastLoad = Date.now();
+      return;
+    }
+    try {
+      const content = fs5.readFileSync(this.configPath, "utf-8");
+      const config = JSON.parse(content);
+      this.dynamicCommands.clear();
+      for (const cmd of config.commands || []) {
+        this.dynamicCommands.set(cmd.name, cmd);
+      }
+      this.lastLoad = Date.now();
+    } catch {
+      this.lastLoad = Date.now();
+    }
+  }
+  /**
+   * Reload dynamic commands if stale
+   */
+  maybeReload() {
+    if (Date.now() - this.lastLoad > this.reloadInterval) {
+      this.load();
+    }
+  }
+  /**
+   * Persist dynamic commands to disk
+   */
+  save() {
+    const dir = path5.dirname(this.configPath);
+    if (!fs5.existsSync(dir)) {
+      fs5.mkdirSync(dir, { recursive: true });
+    }
+    const config = {
+      version: "1.0.0",
+      commands: Array.from(this.dynamicCommands.values())
+    };
+    fs5.writeFileSync(this.configPath, JSON.stringify(config, null, 2) + "\n", "utf-8");
+  }
+  /**
+   * Add a dynamic command
+   */
+  add(cmd) {
+    this.dynamicCommands.set(cmd.name, cmd);
+    this.save();
+  }
+  /**
+   * Remove a dynamic command
+   */
+  remove(name) {
+    const existed = this.dynamicCommands.delete(name);
+    if (existed) {
+      this.save();
+    }
+    return existed;
+  }
+  /**
+   * Get a dynamic command by name
+   */
+  get(name) {
+    return this.dynamicCommands.get(name);
+  }
+  /**
+   * List all commands (builtin + dynamic)
+   */
+  list() {
+    const result = [];
+    for (const [name, paths] of Object.entries(BUILTIN_COMMANDS)) {
+      result.push({
+        name,
+        paths,
+        addedAt: "",
+        addedBy: "builtin",
+        builtin: true
+      });
+    }
+    for (const cmd of this.dynamicCommands.values()) {
+      result.push({ ...cmd, builtin: false });
+    }
+    return result;
+  }
+  /**
+   * List only dynamic commands
+   */
+  listDynamic() {
+    return Array.from(this.dynamicCommands.values());
+  }
+  /**
+   * Check if a command name conflicts with a builtin
+   */
+  isBuiltin(name) {
+    return name in BUILTIN_COMMANDS;
+  }
+  /**
+   * Resolve a command name to an absolute path.
+   * Checks builtin commands first, then dynamic commands.
+   * Validates that the resolved path exists on disk.
+   * Returns null if the command is not allowed.
+   */
+  resolve(command) {
+    this.maybeReload();
+    if (path5.isAbsolute(command)) {
+      for (const paths of Object.values(BUILTIN_COMMANDS)) {
+        if (paths.includes(command) && fs5.existsSync(command)) {
+          return command;
+        }
+      }
+      for (const cmd of this.dynamicCommands.values()) {
+        if (cmd.paths.includes(command) && fs5.existsSync(command)) {
+          return command;
+        }
+      }
+      return null;
+    }
+    const basename3 = path5.basename(command);
+    const builtinPaths = BUILTIN_COMMANDS[basename3];
+    if (builtinPaths) {
+      for (const p of builtinPaths) {
+        if (fs5.existsSync(p)) return p;
+      }
+    }
+    const dynamicCmd = this.dynamicCommands.get(basename3);
+    if (dynamicCmd && dynamicCmd.paths.length > 0) {
+      for (const p of dynamicCmd.paths) {
+        if (fs5.existsSync(p)) return p;
+      }
+    }
+    return null;
+  }
+};
+
+// libs/shield-broker/src/audit/logger.ts
+import * as fs6 from "node:fs";
+import * as path6 from "node:path";
 var AuditLogger = class {
   logPath;
   logLevel;
@@ -1746,15 +2159,15 @@ var AuditLogger = class {
    * Initialize the write stream
    */
   initializeStream() {
-    const dir = path5.dirname(this.logPath);
-    if (!fs5.existsSync(dir)) {
-      fs5.mkdirSync(dir, { recursive: true });
+    const dir = path6.dirname(this.logPath);
+    if (!fs6.existsSync(dir)) {
+      fs6.mkdirSync(dir, { recursive: true });
     }
-    if (fs5.existsSync(this.logPath)) {
-      const stats = fs5.statSync(this.logPath);
+    if (fs6.existsSync(this.logPath)) {
+      const stats = fs6.statSync(this.logPath);
       this.currentSize = stats.size;
     }
-    this.writeStream = fs5.createWriteStream(this.logPath, {
+    this.writeStream = fs6.createWriteStream(this.logPath, {
       flags: "a",
       encoding: "utf-8"
     });
@@ -1773,16 +2186,16 @@ var AuditLogger = class {
     for (let i = this.maxFiles - 1; i >= 1; i--) {
       const oldPath = `${this.logPath}.${i}`;
       const newPath = `${this.logPath}.${i + 1}`;
-      if (fs5.existsSync(oldPath)) {
+      if (fs6.existsSync(oldPath)) {
         if (i === this.maxFiles - 1) {
-          fs5.unlinkSync(oldPath);
+          fs6.unlinkSync(oldPath);
         } else {
-          fs5.renameSync(oldPath, newPath);
+          fs6.renameSync(oldPath, newPath);
         }
       }
     }
-    if (fs5.existsSync(this.logPath)) {
-      fs5.renameSync(this.logPath, `${this.logPath}.1`);
+    if (fs6.existsSync(this.logPath)) {
+      fs6.renameSync(this.logPath, `${this.logPath}.1`);
     }
     this.currentSize = 0;
     this.initializeStream();
@@ -1855,10 +2268,10 @@ var AuditLogger = class {
   async query(options) {
     const results = [];
     const limit = options.limit || 1e3;
-    if (!fs5.existsSync(this.logPath)) {
+    if (!fs6.existsSync(this.logPath)) {
       return results;
     }
-    const content = fs5.readFileSync(this.logPath, "utf-8");
+    const content = fs6.readFileSync(this.logPath, "utf-8");
     const lines = content.trim().split("\n");
     for (const line of lines.reverse()) {
       if (results.length >= limit) break;
@@ -1896,7 +2309,7 @@ var AuditLogger = class {
 };
 
 // libs/shield-broker/src/secrets/vault.ts
-import * as fs6 from "node:fs/promises";
+import * as fs7 from "node:fs/promises";
 import * as crypto from "node:crypto";
 var SecretVault = class {
   vaultPath;
@@ -1918,11 +2331,11 @@ var SecretVault = class {
   async loadOrCreateKey() {
     const keyPath = this.vaultPath.replace(".enc", ".key");
     try {
-      const keyData = await fs6.readFile(keyPath);
+      const keyData = await fs7.readFile(keyPath);
       return keyData;
     } catch {
       const key = crypto.randomBytes(32);
-      await fs6.writeFile(keyPath, key, { mode: 384 });
+      await fs7.writeFile(keyPath, key, { mode: 384 });
       return key;
     }
   }
@@ -1931,7 +2344,7 @@ var SecretVault = class {
    */
   async load() {
     try {
-      const content = await fs6.readFile(this.vaultPath, "utf-8");
+      const content = await fs7.readFile(this.vaultPath, "utf-8");
       this.data = JSON.parse(content);
     } catch {
       this.data = {
@@ -1945,7 +2358,7 @@ var SecretVault = class {
    */
   async save() {
     if (!this.data) return;
-    await fs6.writeFile(
+    await fs7.writeFile(
       this.vaultPath,
       JSON.stringify(this.data, null, 2),
       { mode: 384 }
@@ -2063,14 +2476,30 @@ var SecretVault = class {
 };
 
 // libs/shield-broker/src/main.ts
-import * as fs7 from "node:fs";
-import * as path6 from "node:path";
+import * as fs8 from "node:fs";
+import * as path7 from "node:path";
+var PROXIED_COMMANDS = [
+  "curl",
+  "wget",
+  "git",
+  "ssh",
+  "scp",
+  "rsync",
+  "brew",
+  "npm",
+  "npx",
+  "pip",
+  "pip3",
+  "open-url",
+  "shieldctl",
+  "agenco"
+];
 function loadConfig() {
   const configPath = process.env["AGENSHIELD_CONFIG"] || "/opt/agenshield/config/shield.json";
   let fileConfig = {};
-  if (fs7.existsSync(configPath)) {
+  if (fs8.existsSync(configPath)) {
     try {
-      const content = fs7.readFileSync(configPath, "utf-8");
+      const content = fs8.readFileSync(configPath, "utf-8");
       fileConfig = JSON.parse(content);
     } catch (error) {
       console.warn(`Warning: Failed to load config from ${configPath}:`, error);
@@ -2091,16 +2520,18 @@ function loadConfig() {
     failOpen: process.env["AGENSHIELD_FAIL_OPEN"] === "true" || (fileConfig.failOpen ?? false),
     socketMode: fileConfig.socketMode || 438,
     socketOwner: fileConfig.socketOwner || "clawbroker",
-    socketGroup: fileConfig.socketGroup || "clawshield"
+    socketGroup: fileConfig.socketGroup || "clawshield",
+    agentHome: process.env["AGENSHIELD_AGENT_HOME"] || fileConfig.agentHome,
+    daemonUrl: process.env["AGENSHIELD_DAEMON_URL"] || fileConfig.daemonUrl || "http://127.0.0.1:5200"
   };
 }
 function ensureDirectories(config) {
-  const socketDir = path6.dirname(config.socketPath);
-  const auditDir = path6.dirname(config.auditLogPath);
+  const socketDir = path7.dirname(config.socketPath);
+  const auditDir = path7.dirname(config.auditLogPath);
   for (const dir of [socketDir, auditDir, config.policiesPath]) {
-    if (!fs7.existsSync(dir)) {
+    if (!fs8.existsSync(dir)) {
       try {
-        fs7.mkdirSync(dir, { recursive: true, mode: 493 });
+        fs8.mkdirSync(dir, { recursive: true, mode: 493 });
       } catch (error) {
         if (error.code !== "EEXIST") {
           console.warn(`Warning: Could not create directory ${dir}:`, error);
@@ -2109,6 +2540,47 @@ function ensureDirectories(config) {
     }
   }
 }
+function ensureProxiedCommandWrappers(binDir) {
+  if (!fs8.existsSync(binDir)) {
+    try {
+      fs8.mkdirSync(binDir, { recursive: true, mode: 493 });
+    } catch {
+      console.warn(`[broker] cannot create bin dir ${binDir}`);
+      return;
+    }
+  }
+  const shieldExecPath = "/opt/agenshield/bin/shield-exec";
+  const hasShieldExec = fs8.existsSync(shieldExecPath);
+  let installed = 0;
+  for (const cmd of PROXIED_COMMANDS) {
+    const wrapperPath = path7.join(binDir, cmd);
+    if (fs8.existsSync(wrapperPath)) continue;
+    if (hasShieldExec) {
+      try {
+        fs8.symlinkSync(shieldExecPath, wrapperPath);
+        installed++;
+        continue;
+      } catch {
+      }
+    }
+    try {
+      const script = [
+        "#!/bin/bash",
+        `# ${cmd} - AgenShield proxy (auto-generated)`,
+        "if ! /bin/pwd > /dev/null 2>&1; then cd ~ 2>/dev/null || cd /; fi",
+        `exec /opt/agenshield/bin/shield-client exec ${cmd} "$@"`,
+        ""
+      ].join("\n");
+      fs8.writeFileSync(wrapperPath, script, { mode: 493 });
+      installed++;
+    } catch {
+      console.warn(`[broker] cannot write wrapper for ${cmd}`);
+    }
+  }
+  if (installed > 0) {
+    console.log(`[broker] installed ${installed} command wrappers in ${binDir}`);
+  }
+}
 async function main() {
   console.log(`AgenShield Broker starting at ${(/* @__PURE__ */ new Date()).toISOString()}`);
   console.log(`PID: ${process.pid}, UID: ${process.getuid?.()}, GID: ${process.getgid?.()}`);
@@ -2126,6 +2598,8 @@ async function main() {
   console.log(`Socket owner: ${config.socketOwner}, group: ${config.socketGroup}`);
   console.log(`HTTP Fallback: ${config.httpEnabled ? `${config.httpHost}:${config.httpPort}` : "disabled"}`);
   console.log(`Policies: ${config.policiesPath}`);
+  console.log(`Agent Home: ${config.agentHome || "(env fallback)"}`);
+  console.log(`Daemon URL: ${config.daemonUrl || "(default)"}`);
   console.log(`Log Level: ${config.logLevel}`);
   try {
     ensureDirectories(config);
@@ -2139,17 +2613,24 @@ async function main() {
   });
   const policyEnforcer = new PolicyEnforcer({
     policiesPath: config.policiesPath,
-    defaultPolicies: getDefaultPolicies(),
+    defaultPolicies: getDefaultPolicies({ agentHome: config.agentHome }),
     failOpen: config.failOpen
   });
   const secretVault = new SecretVault({
     vaultPath: "/etc/agenshield/vault.enc"
   });
+  const commandAllowlist = new CommandAllowlist(
+    "/opt/agenshield/config/allowed-commands.json"
+  );
+  if (config.agentHome) {
+    ensureProxiedCommandWrappers(path7.join(config.agentHome, "bin"));
+  }
   const socketServer = new UnixSocketServer({
     config,
     policyEnforcer,
     auditLogger,
-    secretVault
+    secretVault,
+    commandAllowlist
   });
   await socketServer.start();
   console.log(`Unix socket server listening on ${config.socketPath}`);
@@ -2158,7 +2639,8 @@ async function main() {
     httpServer = new HttpFallbackServer({
       config,
       policyEnforcer,
-      auditLogger
+      auditLogger,
+      commandAllowlist
     });
     await httpServer.start();
     console.log(`HTTP fallback server listening on ${config.httpHost}:${config.httpPort}`);