@agenshield/broker 0.6.0 → 0.6.2
- package/daemon-forward.d.ts +25 -0
- package/daemon-forward.d.ts.map +1 -0
- package/handlers/exec.d.ts.map +1 -1
- package/handlers/policy-check.d.ts +3 -0
- package/handlers/policy-check.d.ts.map +1 -1
- package/handlers/types.d.ts +1 -0
- package/handlers/types.d.ts.map +1 -1
- package/http-fallback.d.ts +3 -0
- package/http-fallback.d.ts.map +1 -1
- package/index.js +113 -28
- package/main.js +391 -58
- package/package.json +2 -2
- package/policies/command-allowlist.d.ts +7 -0
- package/policies/command-allowlist.d.ts.map +1 -1
- package/policies/enforcer.d.ts.map +1 -1
- package/server.d.ts +3 -0
- package/server.d.ts.map +1 -1
- package/types.d.ts +2 -0
- package/types.d.ts.map +1 -1
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Daemon Policy Forwarding
|
|
3
|
+
*
|
|
4
|
+
* Shared module for forwarding policy checks to the daemon's RPC endpoint.
|
|
5
|
+
* Used by both the policy_check handler and the top-level processRequest()
|
|
6
|
+
* in server.ts / http-fallback.ts when the broker's local enforcer denies
|
|
7
|
+
* a request but the daemon may have a user-defined policy that allows it.
|
|
8
|
+
*/
|
|
9
|
+
export interface DaemonPolicyResult {
|
|
10
|
+
allowed: boolean;
|
|
11
|
+
policyId?: string;
|
|
12
|
+
reason?: string;
|
|
13
|
+
}
|
|
14
|
+
/**
|
|
15
|
+
* Forward a policy check to the daemon's RPC endpoint.
|
|
16
|
+
*
|
|
17
|
+
* The daemon evaluates user-defined policies (created in the UI).
|
|
18
|
+
* We only accept the daemon's result if it returns `allowed: true`
|
|
19
|
+
* AND includes a `policyId` (explicit user policy match).
|
|
20
|
+
* A default-allow (no policyId) is NOT trusted — we keep the broker denial.
|
|
21
|
+
*
|
|
22
|
+
* @returns The daemon's result if it explicitly allows, or null to keep broker denial.
|
|
23
|
+
*/
|
|
24
|
+
export declare function forwardPolicyToDaemon(operation: string, target: string, daemonUrl: string): Promise<DaemonPolicyResult | null>;
|
|
25
|
+
//# sourceMappingURL=daemon-forward.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"daemon-forward.d.ts","sourceRoot":"","sources":["../src/daemon-forward.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;GASG;AACH,wBAAsB,qBAAqB,CACzC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAiDpC"}
|
package/handlers/exec.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"exec.d.ts","sourceRoot":"","sources":["../../src/handlers/exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAc,UAAU,EAAE,MAAM,aAAa,CAAC;AACzF,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;
|
|
1
|
+
{"version":3,"file":"exec.d.ts","sourceRoot":"","sources":["../../src/handlers/exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAc,UAAU,EAAE,MAAM,aAAa,CAAC;AACzF,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAgGtD,wBAAsB,UAAU,CAC9B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,OAAO,EAAE,cAAc,EACvB,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC,CA+GpC"}
|
|
@@ -4,6 +4,9 @@
|
|
|
4
4
|
* Handles policy_check RPC calls from the interceptor.
|
|
5
5
|
* The interceptor sends { operation, target } and this handler
|
|
6
6
|
* evaluates the inner operation against the policy enforcer.
|
|
7
|
+
*
|
|
8
|
+
* If the broker's enforcer denies the request, we forward to the
|
|
9
|
+
* daemon's RPC endpoint which checks user-defined policies.
|
|
7
10
|
*/
|
|
8
11
|
import type { HandlerContext, HandlerResult } from '../types.js';
|
|
9
12
|
import type { HandlerDependencies } from './types.js';
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policy-check.d.ts","sourceRoot":"","sources":["../../src/handlers/policy-check.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"policy-check.d.ts","sourceRoot":"","sources":["../../src/handlers/policy-check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACjE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAQtD,UAAU,qBAAqB;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAKD,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,OAAO,EAAE,cAAc,EACvB,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,aAAa,CAAC,qBAAqB,CAAC,CAAC,CAoE/C"}
|
package/handlers/types.d.ts
CHANGED
package/handlers/types.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/handlers/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AAEzE;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,cAAc,EAAE,cAAc,CAAC;IAC/B,WAAW,EAAE,WAAW,CAAC;IACzB,WAAW,EAAE,WAAW,CAAC;IACzB,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,aAAa,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,KAAK,IAAI,CAAC;IAClD,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/handlers/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AAEzE;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,cAAc,EAAE,cAAc,CAAC;IAC/B,WAAW,EAAE,WAAW,CAAC;IACzB,WAAW,EAAE,WAAW,CAAC;IACzB,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,aAAa,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,KAAK,IAAI,CAAC;IAClD,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;IACzD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB"}
|
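--- a/package/http-fallback.d.ts
+++ b/package/http-fallback.d.ts
@@ -7,16 +7,19 @@
 import type { BrokerConfig } from './types.js';
 import type { PolicyEnforcer } from './policies/enforcer.js';
 import type { AuditLogger } from './audit/logger.js';
+import type { CommandAllowlist } from './policies/command-allowlist.js';
 export interface HttpFallbackServerOptions {
 config: BrokerConfig;
 policyEnforcer: PolicyEnforcer;
 auditLogger: AuditLogger;
+commandAllowlist: CommandAllowlist;
 }
 export declare class HttpFallbackServer {
 private server;
 private config;
 private policyEnforcer;
 private auditLogger;
+private commandAllowlist;
 constructor(options: HttpFallbackServerOptions);
 /**
 * Start the HTTP fallback server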
package/http-fallback.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"http-fallback.d.ts","sourceRoot":"","sources":["../src/http-fallback.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EACV,YAAY,EAIb,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;
|
|
1
|
+
{"version":3,"file":"http-fallback.d.ts","sourceRoot":"","sources":["../src/http-fallback.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EACV,YAAY,EAIb,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AAsBxE,MAAM,WAAW,yBAAyB;IACxC,MAAM,EAAE,YAAY,CAAC;IACrB,cAAc,EAAE,cAAc,CAAC;IAC/B,WAAW,EAAE,WAAW,CAAC;IACzB,gBAAgB,EAAE,gBAAgB,CAAC;CACpC;AAED,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,MAAM,CAA4B;IAC1C,OAAO,CAAC,MAAM,CAAe;IAC7B,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,gBAAgB,CAAmB;gBAE/B,OAAO,EAAE,yBAAyB;IAO9C;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAoB5B;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAY3B;;OAEG;YACW,aAAa;IA6C3B;;OAEG;IACH,OAAO,CAAC,WAAW;IAUnB;;OAEG;YACW,cAAc;IAqI5B;;OAEG;IACH,OAAO,CAAC,UAAU;IAsBlB;;OAEG;IACH,OAAO,CAAC,aAAa;IAWrB;;OAEG;IACH,OAAO,CAAC,aAAa;CAWtB"}
|
package/index.js
CHANGED
|
@@ -249,6 +249,47 @@ function matchPattern(name, pattern) {
|
|
|
249
249
|
// libs/shield-broker/src/handlers/exec.ts
|
|
250
250
|
import * as path2 from "node:path";
|
|
251
251
|
import { spawn } from "node:child_process";
|
|
252
|
+
|
|
253
|
+
// libs/shield-broker/src/daemon-forward.ts
|
|
254
|
+
var DAEMON_RPC_TIMEOUT = 2e3;
|
|
255
|
+
async function forwardPolicyToDaemon(operation, target, daemonUrl) {
|
|
256
|
+
try {
|
|
257
|
+
const controller = new AbortController();
|
|
258
|
+
const timeout = setTimeout(() => controller.abort(), DAEMON_RPC_TIMEOUT);
|
|
259
|
+
const response = await fetch(`${daemonUrl}/rpc`, {
|
|
260
|
+
method: "POST",
|
|
261
|
+
headers: { "Content-Type": "application/json" },
|
|
262
|
+
body: JSON.stringify({
|
|
263
|
+
jsonrpc: "2.0",
|
|
264
|
+
id: `broker-fwd-${Date.now()}`,
|
|
265
|
+
method: "policy_check",
|
|
266
|
+
params: { operation, target }
|
|
267
|
+
}),
|
|
268
|
+
signal: controller.signal
|
|
269
|
+
});
|
|
270
|
+
clearTimeout(timeout);
|
|
271
|
+
if (!response.ok) {
|
|
272
|
+
return null;
|
|
273
|
+
}
|
|
274
|
+
const json = await response.json();
|
|
275
|
+
if (json.error || !json.result) {
|
|
276
|
+
return null;
|
|
277
|
+
}
|
|
278
|
+
const result = json.result;
|
|
279
|
+
if (result.policyId) {
|
|
280
|
+
return {
|
|
281
|
+
allowed: !!result.allowed,
|
|
282
|
+
policyId: result.policyId,
|
|
283
|
+
reason: result.reason
|
|
284
|
+
};
|
|
285
|
+
}
|
|
286
|
+
return null;
|
|
287
|
+
} catch {
|
|
288
|
+
return null;
|
|
289
|
+
}
|
|
290
|
+
}
|
|
291
|
+
|
|
292
|
+
// libs/shield-broker/src/handlers/exec.ts
|
|
252
293
|
var MAX_OUTPUT_SIZE = 10 * 1024 * 1024;
|
|
253
294
|
var DEFAULT_WORKSPACE = "/Users/clawagent/workspace";
|
|
254
295
|
var FS_COMMANDS = /* @__PURE__ */ new Set([
|
|
@@ -381,12 +422,16 @@ async function handleExec(params, context, deps) {
|
|
|
381
422
|
if (url) {
|
|
382
423
|
const networkCheck = await deps.policyEnforcer.check("http_request", { url }, context);
|
|
383
424
|
if (!networkCheck.allowed) {
|
|
384
|
-
const
|
|
385
|
-
|
|
386
|
-
|
|
387
|
-
|
|
388
|
-
|
|
389
|
-
|
|
425
|
+
const daemonUrl = deps.daemonUrl || "http://127.0.0.1:5200";
|
|
426
|
+
const override = await forwardPolicyToDaemon("http_request", url, daemonUrl);
|
|
427
|
+
if (!override || !override.allowed) {
|
|
428
|
+
const reason = `URL not allowed: ${url} - ${networkCheck.reason}`;
|
|
429
|
+
deps.onExecDenied?.(command, reason);
|
|
430
|
+
return {
|
|
431
|
+
success: false,
|
|
432
|
+
error: { code: 1009, message: reason }
|
|
433
|
+
};
|
|
434
|
+
}
|
|
390
435
|
}
|
|
391
436
|
}
|
|
392
437
|
}
|
|
@@ -806,6 +851,7 @@ async function handleSkillUninstall(params, context, deps) {
|
|
|
806
851
|
}
|
|
807
852
|
|
|
808
853
|
// libs/shield-broker/src/handlers/policy-check.ts
|
|
854
|
+
var DEFAULT_DAEMON_URL = "http://127.0.0.1:5200";
|
|
809
855
|
async function handlePolicyCheck(params, context, deps) {
|
|
810
856
|
const { operation, target } = params;
|
|
811
857
|
if (!operation) {
|
|
@@ -836,10 +882,25 @@ async function handlePolicyCheck(params, context, deps) {
|
|
|
836
882
|
break;
|
|
837
883
|
}
|
|
838
884
|
const result = await deps.policyEnforcer.check(operation, checkParams, context);
|
|
885
|
+
if (result.allowed) {
|
|
886
|
+
return {
|
|
887
|
+
success: true,
|
|
888
|
+
data: {
|
|
889
|
+
allowed: true,
|
|
890
|
+
policyId: result.policyId,
|
|
891
|
+
reason: result.reason
|
|
892
|
+
}
|
|
893
|
+
};
|
|
894
|
+
}
|
|
895
|
+
const daemonUrl = deps.daemonUrl || DEFAULT_DAEMON_URL;
|
|
896
|
+
const daemonResult = await forwardPolicyToDaemon(operation, target || "", daemonUrl);
|
|
897
|
+
if (daemonResult && daemonResult.allowed) {
|
|
898
|
+
return { success: true, data: daemonResult };
|
|
899
|
+
}
|
|
839
900
|
return {
|
|
840
901
|
success: true,
|
|
841
902
|
data: {
|
|
842
|
-
allowed:
|
|
903
|
+
allowed: false,
|
|
843
904
|
policyId: result.policyId,
|
|
844
905
|
reason: result.reason
|
|
845
906
|
}
|
|
@@ -876,12 +937,14 @@ var UnixSocketServer = class {
|
|
|
876
937
|
policyEnforcer;
|
|
877
938
|
auditLogger;
|
|
878
939
|
secretVault;
|
|
940
|
+
commandAllowlist;
|
|
879
941
|
connections = /* @__PURE__ */ new Set();
|
|
880
942
|
constructor(options) {
|
|
881
943
|
this.config = options.config;
|
|
882
944
|
this.policyEnforcer = options.policyEnforcer;
|
|
883
945
|
this.auditLogger = options.auditLogger;
|
|
884
946
|
this.secretVault = options.secretVault;
|
|
947
|
+
this.commandAllowlist = options.commandAllowlist;
|
|
885
948
|
}
|
|
886
949
|
/**
|
|
887
950
|
* Start the Unix socket server
|
|
@@ -980,25 +1043,30 @@ var UnixSocketServer = class {
|
|
|
980
1043
|
config: this.config
|
|
981
1044
|
// Socket credentials would be extracted here on supported platforms
|
|
982
1045
|
};
|
|
983
|
-
const policyResult = await this.policyEnforcer.check(
|
|
984
|
-
|
|
985
|
-
request.params,
|
|
986
|
-
context
|
|
987
|
-
);
|
|
1046
|
+
const policyResult = request.method === "policy_check" ? { allowed: true, policyId: void 0, reason: void 0 } : await this.policyEnforcer.check(request.method, request.params, context);
|
|
1047
|
+
let finalPolicy = policyResult;
|
|
988
1048
|
if (!policyResult.allowed) {
|
|
1049
|
+
const target = this.extractTarget(request);
|
|
1050
|
+
const daemonUrl = this.config.daemonUrl || "http://127.0.0.1:5200";
|
|
1051
|
+
const override = await forwardPolicyToDaemon(request.method, target, daemonUrl);
|
|
1052
|
+
if (override) {
|
|
1053
|
+
finalPolicy = override;
|
|
1054
|
+
}
|
|
1055
|
+
}
|
|
1056
|
+
if (!finalPolicy.allowed) {
|
|
989
1057
|
await this.auditLogger.log({
|
|
990
1058
|
id: requestId,
|
|
991
1059
|
timestamp: /* @__PURE__ */ new Date(),
|
|
992
1060
|
operation: request.method,
|
|
993
1061
|
channel: "socket",
|
|
994
1062
|
allowed: false,
|
|
995
|
-
policyId:
|
|
1063
|
+
policyId: finalPolicy.policyId,
|
|
996
1064
|
target: this.extractTarget(request),
|
|
997
1065
|
result: "denied",
|
|
998
|
-
errorMessage:
|
|
1066
|
+
errorMessage: finalPolicy.reason,
|
|
999
1067
|
durationMs: Date.now() - startTime
|
|
1000
1068
|
});
|
|
1001
|
-
return this.errorResponse(request.id, 1001,
|
|
1069
|
+
return this.errorResponse(request.id, 1001, finalPolicy.reason || "Policy denied");
|
|
1002
1070
|
}
|
|
1003
1071
|
const handler = this.getHandler(request.method);
|
|
1004
1072
|
if (!handler) {
|
|
@@ -1007,7 +1075,9 @@ var UnixSocketServer = class {
|
|
|
1007
1075
|
const result = await handler(request.params, context, {
|
|
1008
1076
|
policyEnforcer: this.policyEnforcer,
|
|
1009
1077
|
auditLogger: this.auditLogger,
|
|
1010
|
-
secretVault: this.secretVault
|
|
1078
|
+
secretVault: this.secretVault,
|
|
1079
|
+
commandAllowlist: this.commandAllowlist,
|
|
1080
|
+
daemonUrl: this.config.daemonUrl
|
|
1011
1081
|
});
|
|
1012
1082
|
await this.auditLogger.log({
|
|
1013
1083
|
id: requestId,
|
|
@@ -1015,7 +1085,7 @@ var UnixSocketServer = class {
|
|
|
1015
1085
|
operation: request.method,
|
|
1016
1086
|
channel: "socket",
|
|
1017
1087
|
allowed: true,
|
|
1018
|
-
policyId:
|
|
1088
|
+
policyId: finalPolicy.policyId,
|
|
1019
1089
|
target: this.extractTarget(request),
|
|
1020
1090
|
result: result.success ? "success" : "error",
|
|
1021
1091
|
errorMessage: result.error?.message,
|
|
@@ -1026,7 +1096,7 @@ var UnixSocketServer = class {
|
|
|
1026
1096
|
return {
|
|
1027
1097
|
jsonrpc: "2.0",
|
|
1028
1098
|
id: request.id,
|
|
1029
|
-
result: result.data
|
|
1099
|
+
result: { success: true, data: result.data }
|
|
1030
1100
|
};
|
|
1031
1101
|
} else {
|
|
1032
1102
|
return this.errorResponse(
|
|
@@ -1101,10 +1171,12 @@ var HttpFallbackServer = class {
|
|
|
1101
1171
|
config;
|
|
1102
1172
|
policyEnforcer;
|
|
1103
1173
|
auditLogger;
|
|
1174
|
+
commandAllowlist;
|
|
1104
1175
|
constructor(options) {
|
|
1105
1176
|
this.config = options.config;
|
|
1106
1177
|
this.policyEnforcer = options.policyEnforcer;
|
|
1107
1178
|
this.auditLogger = options.auditLogger;
|
|
1179
|
+
this.commandAllowlist = options.commandAllowlist;
|
|
1108
1180
|
}
|
|
1109
1181
|
/**
|
|
1110
1182
|
* Start the HTTP fallback server
|
|
@@ -1220,25 +1292,30 @@ var HttpFallbackServer = class {
|
|
|
1220
1292
|
timestamp: /* @__PURE__ */ new Date(),
|
|
1221
1293
|
config: this.config
|
|
1222
1294
|
};
|
|
1223
|
-
const policyResult = await this.policyEnforcer.check(
|
|
1224
|
-
|
|
1225
|
-
request.params,
|
|
1226
|
-
context
|
|
1227
|
-
);
|
|
1295
|
+
const policyResult = request.method === "policy_check" ? { allowed: true, policyId: void 0, reason: void 0 } : await this.policyEnforcer.check(request.method, request.params, context);
|
|
1296
|
+
let finalPolicy = policyResult;
|
|
1228
1297
|
if (!policyResult.allowed) {
|
|
1298
|
+
const target = this.extractTarget(request);
|
|
1299
|
+
const daemonUrl = this.config.daemonUrl || "http://127.0.0.1:5200";
|
|
1300
|
+
const override = await forwardPolicyToDaemon(request.method, target, daemonUrl);
|
|
1301
|
+
if (override) {
|
|
1302
|
+
finalPolicy = override;
|
|
1303
|
+
}
|
|
1304
|
+
}
|
|
1305
|
+
if (!finalPolicy.allowed) {
|
|
1229
1306
|
await this.auditLogger.log({
|
|
1230
1307
|
id: requestId,
|
|
1231
1308
|
timestamp: /* @__PURE__ */ new Date(),
|
|
1232
1309
|
operation: request.method,
|
|
1233
1310
|
channel: "http",
|
|
1234
1311
|
allowed: false,
|
|
1235
|
-
policyId:
|
|
1312
|
+
policyId: finalPolicy.policyId,
|
|
1236
1313
|
target: this.extractTarget(request),
|
|
1237
1314
|
result: "denied",
|
|
1238
|
-
errorMessage:
|
|
1315
|
+
errorMessage: finalPolicy.reason,
|
|
1239
1316
|
durationMs: Date.now() - startTime
|
|
1240
1317
|
});
|
|
1241
|
-
return this.errorResponse(request.id, 1001,
|
|
1318
|
+
return this.errorResponse(request.id, 1001, finalPolicy.reason || "Policy denied");
|
|
1242
1319
|
}
|
|
1243
1320
|
const handler = this.getHandler(request.method);
|
|
1244
1321
|
if (!handler) {
|
|
@@ -1247,8 +1324,10 @@ var HttpFallbackServer = class {
|
|
|
1247
1324
|
const result = await handler(request.params, context, {
|
|
1248
1325
|
policyEnforcer: this.policyEnforcer,
|
|
1249
1326
|
auditLogger: this.auditLogger,
|
|
1250
|
-
secretVault: null
|
|
1327
|
+
secretVault: null,
|
|
1251
1328
|
// Not available over HTTP
|
|
1329
|
+
commandAllowlist: this.commandAllowlist,
|
|
1330
|
+
daemonUrl: this.config.daemonUrl
|
|
1252
1331
|
});
|
|
1253
1332
|
await this.auditLogger.log({
|
|
1254
1333
|
id: requestId,
|
|
@@ -1256,7 +1335,7 @@ var HttpFallbackServer = class {
|
|
|
1256
1335
|
operation: request.method,
|
|
1257
1336
|
channel: "http",
|
|
1258
1337
|
allowed: true,
|
|
1259
|
-
policyId:
|
|
1338
|
+
policyId: finalPolicy.policyId,
|
|
1260
1339
|
target: this.extractTarget(request),
|
|
1261
1340
|
result: result.success ? "success" : "error",
|
|
1262
1341
|
errorMessage: result.error?.message,
|
|
@@ -1437,6 +1516,12 @@ var PolicyEnforcer = class {
|
|
|
1437
1516
|
if (!constraintResult.allowed) {
|
|
1438
1517
|
return constraintResult;
|
|
1439
1518
|
}
|
|
1519
|
+
if (["file_read", "file_write", "file_list"].includes(operation) && this.policies.fsConstraints) {
|
|
1520
|
+
return { allowed: true, reason: "Allowed by file system constraints" };
|
|
1521
|
+
}
|
|
1522
|
+
if (operation === "http_request" && this.policies.networkConstraints) {
|
|
1523
|
+
return { allowed: true, reason: "Allowed by network constraints" };
|
|
1524
|
+
}
|
|
1440
1525
|
return {
|
|
1441
1526
|
allowed: this.policies.defaultAction === "allow",
|
|
1442
1527
|
reason: this.policies.defaultAction === "deny" ? "No matching allow policy" : void 0
|
package/main.js
CHANGED
|
@@ -251,6 +251,47 @@ function matchPattern(name, pattern) {
|
|
|
251
251
|
// libs/shield-broker/src/handlers/exec.ts
|
|
252
252
|
import * as path2 from "node:path";
|
|
253
253
|
import { spawn } from "node:child_process";
|
|
254
|
+
|
|
255
|
+
// libs/shield-broker/src/daemon-forward.ts
|
|
256
|
+
var DAEMON_RPC_TIMEOUT = 2e3;
|
|
257
|
+
async function forwardPolicyToDaemon(operation, target, daemonUrl) {
|
|
258
|
+
try {
|
|
259
|
+
const controller = new AbortController();
|
|
260
|
+
const timeout = setTimeout(() => controller.abort(), DAEMON_RPC_TIMEOUT);
|
|
261
|
+
const response = await fetch(`${daemonUrl}/rpc`, {
|
|
262
|
+
method: "POST",
|
|
263
|
+
headers: { "Content-Type": "application/json" },
|
|
264
|
+
body: JSON.stringify({
|
|
265
|
+
jsonrpc: "2.0",
|
|
266
|
+
id: `broker-fwd-${Date.now()}`,
|
|
267
|
+
method: "policy_check",
|
|
268
|
+
params: { operation, target }
|
|
269
|
+
}),
|
|
270
|
+
signal: controller.signal
|
|
271
|
+
});
|
|
272
|
+
clearTimeout(timeout);
|
|
273
|
+
if (!response.ok) {
|
|
274
|
+
return null;
|
|
275
|
+
}
|
|
276
|
+
const json = await response.json();
|
|
277
|
+
if (json.error || !json.result) {
|
|
278
|
+
return null;
|
|
279
|
+
}
|
|
280
|
+
const result = json.result;
|
|
281
|
+
if (result.policyId) {
|
|
282
|
+
return {
|
|
283
|
+
allowed: !!result.allowed,
|
|
284
|
+
policyId: result.policyId,
|
|
285
|
+
reason: result.reason
|
|
286
|
+
};
|
|
287
|
+
}
|
|
288
|
+
return null;
|
|
289
|
+
} catch {
|
|
290
|
+
return null;
|
|
291
|
+
}
|
|
292
|
+
}
|
|
293
|
+
|
|
294
|
+
// libs/shield-broker/src/handlers/exec.ts
|
|
254
295
|
var MAX_OUTPUT_SIZE = 10 * 1024 * 1024;
|
|
255
296
|
var DEFAULT_WORKSPACE = "/Users/clawagent/workspace";
|
|
256
297
|
var FS_COMMANDS = /* @__PURE__ */ new Set([
|
|
@@ -383,12 +424,16 @@ async function handleExec(params, context, deps) {
|
|
|
383
424
|
if (url) {
|
|
384
425
|
const networkCheck = await deps.policyEnforcer.check("http_request", { url }, context);
|
|
385
426
|
if (!networkCheck.allowed) {
|
|
386
|
-
const
|
|
387
|
-
|
|
388
|
-
|
|
389
|
-
|
|
390
|
-
|
|
391
|
-
|
|
427
|
+
const daemonUrl = deps.daemonUrl || "http://127.0.0.1:5200";
|
|
428
|
+
const override = await forwardPolicyToDaemon("http_request", url, daemonUrl);
|
|
429
|
+
if (!override || !override.allowed) {
|
|
430
|
+
const reason = `URL not allowed: ${url} - ${networkCheck.reason}`;
|
|
431
|
+
deps.onExecDenied?.(command, reason);
|
|
432
|
+
return {
|
|
433
|
+
success: false,
|
|
434
|
+
error: { code: 1009, message: reason }
|
|
435
|
+
};
|
|
436
|
+
}
|
|
392
437
|
}
|
|
393
438
|
}
|
|
394
439
|
}
|
|
@@ -808,6 +853,7 @@ async function handleSkillUninstall(params, context, deps) {
|
|
|
808
853
|
}
|
|
809
854
|
|
|
810
855
|
// libs/shield-broker/src/handlers/policy-check.ts
|
|
856
|
+
var DEFAULT_DAEMON_URL = "http://127.0.0.1:5200";
|
|
811
857
|
async function handlePolicyCheck(params, context, deps) {
|
|
812
858
|
const { operation, target } = params;
|
|
813
859
|
if (!operation) {
|
|
@@ -838,10 +884,25 @@ async function handlePolicyCheck(params, context, deps) {
|
|
|
838
884
|
break;
|
|
839
885
|
}
|
|
840
886
|
const result = await deps.policyEnforcer.check(operation, checkParams, context);
|
|
887
|
+
if (result.allowed) {
|
|
888
|
+
return {
|
|
889
|
+
success: true,
|
|
890
|
+
data: {
|
|
891
|
+
allowed: true,
|
|
892
|
+
policyId: result.policyId,
|
|
893
|
+
reason: result.reason
|
|
894
|
+
}
|
|
895
|
+
};
|
|
896
|
+
}
|
|
897
|
+
const daemonUrl = deps.daemonUrl || DEFAULT_DAEMON_URL;
|
|
898
|
+
const daemonResult = await forwardPolicyToDaemon(operation, target || "", daemonUrl);
|
|
899
|
+
if (daemonResult && daemonResult.allowed) {
|
|
900
|
+
return { success: true, data: daemonResult };
|
|
901
|
+
}
|
|
841
902
|
return {
|
|
842
903
|
success: true,
|
|
843
904
|
data: {
|
|
844
|
-
allowed:
|
|
905
|
+
allowed: false,
|
|
845
906
|
policyId: result.policyId,
|
|
846
907
|
reason: result.reason
|
|
847
908
|
}
|
|
@@ -878,12 +939,14 @@ var UnixSocketServer = class {
|
|
|
878
939
|
policyEnforcer;
|
|
879
940
|
auditLogger;
|
|
880
941
|
secretVault;
|
|
942
|
+
commandAllowlist;
|
|
881
943
|
connections = /* @__PURE__ */ new Set();
|
|
882
944
|
constructor(options) {
|
|
883
945
|
this.config = options.config;
|
|
884
946
|
this.policyEnforcer = options.policyEnforcer;
|
|
885
947
|
this.auditLogger = options.auditLogger;
|
|
886
948
|
this.secretVault = options.secretVault;
|
|
949
|
+
this.commandAllowlist = options.commandAllowlist;
|
|
887
950
|
}
|
|
888
951
|
/**
|
|
889
952
|
* Start the Unix socket server
|
|
@@ -982,25 +1045,30 @@ var UnixSocketServer = class {
|
|
|
982
1045
|
config: this.config
|
|
983
1046
|
// Socket credentials would be extracted here on supported platforms
|
|
984
1047
|
};
|
|
985
|
-
const policyResult = await this.policyEnforcer.check(
|
|
986
|
-
|
|
987
|
-
request.params,
|
|
988
|
-
context
|
|
989
|
-
);
|
|
1048
|
+
const policyResult = request.method === "policy_check" ? { allowed: true, policyId: void 0, reason: void 0 } : await this.policyEnforcer.check(request.method, request.params, context);
|
|
1049
|
+
let finalPolicy = policyResult;
|
|
990
1050
|
if (!policyResult.allowed) {
|
|
1051
|
+
const target = this.extractTarget(request);
|
|
1052
|
+
const daemonUrl = this.config.daemonUrl || "http://127.0.0.1:5200";
|
|
1053
|
+
const override = await forwardPolicyToDaemon(request.method, target, daemonUrl);
|
|
1054
|
+
if (override) {
|
|
1055
|
+
finalPolicy = override;
|
|
1056
|
+
}
|
|
1057
|
+
}
|
|
1058
|
+
if (!finalPolicy.allowed) {
|
|
991
1059
|
await this.auditLogger.log({
|
|
992
1060
|
id: requestId,
|
|
993
1061
|
timestamp: /* @__PURE__ */ new Date(),
|
|
994
1062
|
operation: request.method,
|
|
995
1063
|
channel: "socket",
|
|
996
1064
|
allowed: false,
|
|
997
|
-
policyId:
|
|
1065
|
+
policyId: finalPolicy.policyId,
|
|
998
1066
|
target: this.extractTarget(request),
|
|
999
1067
|
result: "denied",
|
|
1000
|
-
errorMessage:
|
|
1068
|
+
errorMessage: finalPolicy.reason,
|
|
1001
1069
|
durationMs: Date.now() - startTime
|
|
1002
1070
|
});
|
|
1003
|
-
return this.errorResponse(request.id, 1001,
|
|
1071
|
+
return this.errorResponse(request.id, 1001, finalPolicy.reason || "Policy denied");
|
|
1004
1072
|
}
|
|
1005
1073
|
const handler = this.getHandler(request.method);
|
|
1006
1074
|
if (!handler) {
|
|
@@ -1009,7 +1077,9 @@ var UnixSocketServer = class {
|
|
|
1009
1077
|
const result = await handler(request.params, context, {
|
|
1010
1078
|
policyEnforcer: this.policyEnforcer,
|
|
1011
1079
|
auditLogger: this.auditLogger,
|
|
1012
|
-
secretVault: this.secretVault
|
|
1080
|
+
secretVault: this.secretVault,
|
|
1081
|
+
commandAllowlist: this.commandAllowlist,
|
|
1082
|
+
daemonUrl: this.config.daemonUrl
|
|
1013
1083
|
});
|
|
1014
1084
|
await this.auditLogger.log({
|
|
1015
1085
|
id: requestId,
|
|
@@ -1017,7 +1087,7 @@ var UnixSocketServer = class {
|
|
|
1017
1087
|
operation: request.method,
|
|
1018
1088
|
channel: "socket",
|
|
1019
1089
|
allowed: true,
|
|
1020
|
-
policyId:
|
|
1090
|
+
policyId: finalPolicy.policyId,
|
|
1021
1091
|
target: this.extractTarget(request),
|
|
1022
1092
|
result: result.success ? "success" : "error",
|
|
1023
1093
|
errorMessage: result.error?.message,
|
|
@@ -1028,7 +1098,7 @@ var UnixSocketServer = class {
|
|
|
1028
1098
|
return {
|
|
1029
1099
|
jsonrpc: "2.0",
|
|
1030
1100
|
id: request.id,
|
|
1031
|
-
result: result.data
|
|
1101
|
+
result: { success: true, data: result.data }
|
|
1032
1102
|
};
|
|
1033
1103
|
} else {
|
|
1034
1104
|
return this.errorResponse(
|
|
@@ -1103,10 +1173,12 @@ var HttpFallbackServer = class {
|
|
|
1103
1173
|
config;
|
|
1104
1174
|
policyEnforcer;
|
|
1105
1175
|
auditLogger;
|
|
1176
|
+
commandAllowlist;
|
|
1106
1177
|
constructor(options) {
|
|
1107
1178
|
this.config = options.config;
|
|
1108
1179
|
this.policyEnforcer = options.policyEnforcer;
|
|
1109
1180
|
this.auditLogger = options.auditLogger;
|
|
1181
|
+
this.commandAllowlist = options.commandAllowlist;
|
|
1110
1182
|
}
|
|
1111
1183
|
/**
|
|
1112
1184
|
* Start the HTTP fallback server
|
|
@@ -1222,25 +1294,30 @@ var HttpFallbackServer = class {
|
|
|
1222
1294
|
timestamp: /* @__PURE__ */ new Date(),
|
|
1223
1295
|
config: this.config
|
|
1224
1296
|
};
|
|
1225
|
-
const policyResult = await this.policyEnforcer.check(
|
|
1226
|
-
|
|
1227
|
-
request.params,
|
|
1228
|
-
context
|
|
1229
|
-
);
|
|
1297
|
+
const policyResult = request.method === "policy_check" ? { allowed: true, policyId: void 0, reason: void 0 } : await this.policyEnforcer.check(request.method, request.params, context);
|
|
1298
|
+
let finalPolicy = policyResult;
|
|
1230
1299
|
if (!policyResult.allowed) {
|
|
1300
|
+
const target = this.extractTarget(request);
|
|
1301
|
+
const daemonUrl = this.config.daemonUrl || "http://127.0.0.1:5200";
|
|
1302
|
+
const override = await forwardPolicyToDaemon(request.method, target, daemonUrl);
|
|
1303
|
+
if (override) {
|
|
1304
|
+
finalPolicy = override;
|
|
1305
|
+
}
|
|
1306
|
+
}
|
|
1307
|
+
if (!finalPolicy.allowed) {
|
|
1231
1308
|
await this.auditLogger.log({
|
|
1232
1309
|
id: requestId,
|
|
1233
1310
|
timestamp: /* @__PURE__ */ new Date(),
|
|
1234
1311
|
operation: request.method,
|
|
1235
1312
|
channel: "http",
|
|
1236
1313
|
allowed: false,
|
|
1237
|
-
policyId:
|
|
1314
|
+
policyId: finalPolicy.policyId,
|
|
1238
1315
|
target: this.extractTarget(request),
|
|
1239
1316
|
result: "denied",
|
|
1240
|
-
errorMessage:
|
|
1317
|
+
errorMessage: finalPolicy.reason,
|
|
1241
1318
|
durationMs: Date.now() - startTime
|
|
1242
1319
|
});
|
|
1243
|
-
return this.errorResponse(request.id, 1001,
|
|
1320
|
+
return this.errorResponse(request.id, 1001, finalPolicy.reason || "Policy denied");
|
|
1244
1321
|
}
|
|
1245
1322
|
const handler = this.getHandler(request.method);
|
|
1246
1323
|
if (!handler) {
|
|
@@ -1249,8 +1326,10 @@ var HttpFallbackServer = class {
|
|
|
1249
1326
|
const result = await handler(request.params, context, {
|
|
1250
1327
|
policyEnforcer: this.policyEnforcer,
|
|
1251
1328
|
auditLogger: this.auditLogger,
|
|
1252
|
-
secretVault: null
|
|
1329
|
+
secretVault: null,
|
|
1253
1330
|
// Not available over HTTP
|
|
1331
|
+
commandAllowlist: this.commandAllowlist,
|
|
1332
|
+
daemonUrl: this.config.daemonUrl
|
|
1254
1333
|
});
|
|
1255
1334
|
await this.auditLogger.log({
|
|
1256
1335
|
id: requestId,
|
|
@@ -1258,7 +1337,7 @@ var HttpFallbackServer = class {
|
|
|
1258
1337
|
operation: request.method,
|
|
1259
1338
|
channel: "http",
|
|
1260
1339
|
allowed: true,
|
|
1261
|
-
policyId:
|
|
1340
|
+
policyId: finalPolicy.policyId,
|
|
1262
1341
|
target: this.extractTarget(request),
|
|
1263
1342
|
result: result.success ? "success" : "error",
|
|
1264
1343
|
errorMessage: result.error?.message,
|
|
@@ -1439,6 +1518,12 @@ var PolicyEnforcer = class {
|
|
|
1439
1518
|
if (!constraintResult.allowed) {
|
|
1440
1519
|
return constraintResult;
|
|
1441
1520
|
}
|
|
1521
|
+
if (["file_read", "file_write", "file_list"].includes(operation) && this.policies.fsConstraints) {
|
|
1522
|
+
return { allowed: true, reason: "Allowed by file system constraints" };
|
|
1523
|
+
}
|
|
1524
|
+
if (operation === "http_request" && this.policies.networkConstraints) {
|
|
1525
|
+
return { allowed: true, reason: "Allowed by network constraints" };
|
|
1526
|
+
}
|
|
1442
1527
|
return {
|
|
1443
1528
|
allowed: this.policies.defaultAction === "allow",
|
|
1444
1529
|
reason: this.policies.defaultAction === "deny" ? "No matching allow policy" : void 0
|
|
@@ -1858,9 +1943,190 @@ function getDefaultPolicies(options) {
|
|
|
1858
1943
|
};
|
|
1859
1944
|
}
|
|
1860
1945
|
|
|
1861
|
-
// libs/shield-broker/src/
|
|
1946
|
+
// libs/shield-broker/src/policies/command-allowlist.ts
|
|
1862
1947
|
import * as fs5 from "node:fs";
|
|
1863
1948
|
import * as path5 from "node:path";
|
|
1949
|
+
var BUILTIN_COMMANDS = {
|
|
1950
|
+
git: ["/usr/bin/git", "/opt/homebrew/bin/git", "/usr/local/bin/git"],
|
|
1951
|
+
ssh: ["/usr/bin/ssh"],
|
|
1952
|
+
scp: ["/usr/bin/scp"],
|
|
1953
|
+
rsync: ["/usr/bin/rsync", "/opt/homebrew/bin/rsync"],
|
|
1954
|
+
brew: ["/opt/homebrew/bin/brew", "/usr/local/bin/brew"],
|
|
1955
|
+
npm: ["/opt/homebrew/bin/npm", "/usr/local/bin/npm"],
|
|
1956
|
+
npx: ["/opt/homebrew/bin/npx", "/usr/local/bin/npx"],
|
|
1957
|
+
pip: ["/usr/bin/pip", "/usr/local/bin/pip", "/opt/homebrew/bin/pip"],
|
|
1958
|
+
pip3: ["/usr/bin/pip3", "/usr/local/bin/pip3", "/opt/homebrew/bin/pip3"],
|
|
1959
|
+
node: ["/opt/homebrew/bin/node", "/usr/local/bin/node"],
|
|
1960
|
+
python: ["/usr/bin/python", "/usr/local/bin/python", "/opt/homebrew/bin/python"],
|
|
1961
|
+
python3: ["/usr/bin/python3", "/usr/local/bin/python3", "/opt/homebrew/bin/python3"],
|
|
1962
|
+
ls: ["/bin/ls"],
|
|
1963
|
+
cat: ["/bin/cat"],
|
|
1964
|
+
grep: ["/usr/bin/grep"],
|
|
1965
|
+
find: ["/usr/bin/find"],
|
|
1966
|
+
mkdir: ["/bin/mkdir"],
|
|
1967
|
+
cp: ["/bin/cp"],
|
|
1968
|
+
mv: ["/bin/mv"],
|
|
1969
|
+
rm: ["/bin/rm"],
|
|
1970
|
+
touch: ["/usr/bin/touch"],
|
|
1971
|
+
chmod: ["/bin/chmod"],
|
|
1972
|
+
head: ["/usr/bin/head"],
|
|
1973
|
+
tail: ["/usr/bin/tail"],
|
|
1974
|
+
wc: ["/usr/bin/wc"],
|
|
1975
|
+
sort: ["/usr/bin/sort"],
|
|
1976
|
+
uniq: ["/usr/bin/uniq"],
|
|
1977
|
+
sed: ["/usr/bin/sed"],
|
|
1978
|
+
awk: ["/usr/bin/awk"],
|
|
1979
|
+
tar: ["/usr/bin/tar"],
|
|
1980
|
+
curl: ["/usr/bin/curl"],
|
|
1981
|
+
wget: ["/usr/local/bin/wget", "/opt/homebrew/bin/wget"]
|
|
1982
|
+
};
|
|
1983
|
+
var CommandAllowlist = class {
|
|
1984
|
+
configPath;
|
|
1985
|
+
dynamicCommands = /* @__PURE__ */ new Map();
|
|
1986
|
+
lastLoad = 0;
|
|
1987
|
+
reloadInterval = 3e4;
|
|
1988
|
+
// 30 seconds
|
|
1989
|
+
constructor(configPath) {
|
|
1990
|
+
this.configPath = configPath;
|
|
1991
|
+
this.load();
|
|
1992
|
+
}
|
|
1993
|
+
/**
|
|
1994
|
+
* Load dynamic commands from disk
|
|
1995
|
+
*/
|
|
1996
|
+
load() {
|
|
1997
|
+
if (!fs5.existsSync(this.configPath)) {
|
|
1998
|
+
this.lastLoad = Date.now();
|
|
1999
|
+
return;
|
|
2000
|
+
}
|
|
2001
|
+
try {
|
|
2002
|
+
const content = fs5.readFileSync(this.configPath, "utf-8");
|
|
2003
|
+
const config = JSON.parse(content);
|
|
2004
|
+
this.dynamicCommands.clear();
|
|
2005
|
+
for (const cmd of config.commands || []) {
|
|
2006
|
+
this.dynamicCommands.set(cmd.name, cmd);
|
|
2007
|
+
}
|
|
2008
|
+
this.lastLoad = Date.now();
|
|
2009
|
+
} catch {
|
|
2010
|
+
this.lastLoad = Date.now();
|
|
2011
|
+
}
|
|
2012
|
+
}
|
|
2013
|
+
/**
|
|
2014
|
+
* Reload dynamic commands if stale
|
|
2015
|
+
*/
|
|
2016
|
+
maybeReload() {
|
|
2017
|
+
if (Date.now() - this.lastLoad > this.reloadInterval) {
|
|
2018
|
+
this.load();
|
|
2019
|
+
}
|
|
2020
|
+
}
|
|
2021
|
+
/**
|
|
2022
|
+
* Persist dynamic commands to disk
|
|
2023
|
+
*/
|
|
2024
|
+
save() {
|
|
2025
|
+
const dir = path5.dirname(this.configPath);
|
|
2026
|
+
if (!fs5.existsSync(dir)) {
|
|
2027
|
+
fs5.mkdirSync(dir, { recursive: true });
|
|
2028
|
+
}
|
|
2029
|
+
const config = {
|
|
2030
|
+
version: "1.0.0",
|
|
2031
|
+
commands: Array.from(this.dynamicCommands.values())
|
|
2032
|
+
};
|
|
2033
|
+
fs5.writeFileSync(this.configPath, JSON.stringify(config, null, 2) + "\n", "utf-8");
|
|
2034
|
+
}
|
|
2035
|
+
/**
|
|
2036
|
+
* Add a dynamic command
|
|
2037
|
+
*/
|
|
2038
|
+
add(cmd) {
|
|
2039
|
+
this.dynamicCommands.set(cmd.name, cmd);
|
|
2040
|
+
this.save();
|
|
2041
|
+
}
|
|
2042
|
+
/**
|
|
2043
|
+
* Remove a dynamic command
|
|
2044
|
+
*/
|
|
2045
|
+
remove(name) {
|
|
2046
|
+
const existed = this.dynamicCommands.delete(name);
|
|
2047
|
+
if (existed) {
|
|
2048
|
+
this.save();
|
|
2049
|
+
}
|
|
2050
|
+
return existed;
|
|
2051
|
+
}
|
|
2052
|
+
/**
|
|
2053
|
+
* Get a dynamic command by name
|
|
2054
|
+
*/
|
|
2055
|
+
get(name) {
|
|
2056
|
+
return this.dynamicCommands.get(name);
|
|
2057
|
+
}
|
|
2058
|
+
/**
|
|
2059
|
+
* List all commands (builtin + dynamic)
|
|
2060
|
+
*/
|
|
2061
|
+
list() {
|
|
2062
|
+
const result = [];
|
|
2063
|
+
for (const [name, paths] of Object.entries(BUILTIN_COMMANDS)) {
|
|
2064
|
+
result.push({
|
|
2065
|
+
name,
|
|
2066
|
+
paths,
|
|
2067
|
+
addedAt: "",
|
|
2068
|
+
addedBy: "builtin",
|
|
2069
|
+
builtin: true
|
|
2070
|
+
});
|
|
2071
|
+
}
|
|
2072
|
+
for (const cmd of this.dynamicCommands.values()) {
|
|
2073
|
+
result.push({ ...cmd, builtin: false });
|
|
2074
|
+
}
|
|
2075
|
+
return result;
|
|
2076
|
+
}
|
|
2077
|
+
/**
|
|
2078
|
+
* List only dynamic commands
|
|
2079
|
+
*/
|
|
2080
|
+
listDynamic() {
|
|
2081
|
+
return Array.from(this.dynamicCommands.values());
|
|
2082
|
+
}
|
|
2083
|
+
/**
|
|
2084
|
+
* Check if a command name conflicts with a builtin
|
|
2085
|
+
*/
|
|
2086
|
+
isBuiltin(name) {
|
|
2087
|
+
return name in BUILTIN_COMMANDS;
|
|
2088
|
+
}
|
|
2089
|
+
/**
|
|
2090
|
+
* Resolve a command name to an absolute path.
|
|
2091
|
+
* Checks builtin commands first, then dynamic commands.
|
|
2092
|
+
* Validates that the resolved path exists on disk.
|
|
2093
|
+
* Returns null if the command is not allowed.
|
|
2094
|
+
*/
|
|
2095
|
+
resolve(command) {
|
|
2096
|
+
this.maybeReload();
|
|
2097
|
+
if (path5.isAbsolute(command)) {
|
|
2098
|
+
for (const paths of Object.values(BUILTIN_COMMANDS)) {
|
|
2099
|
+
if (paths.includes(command) && fs5.existsSync(command)) {
|
|
2100
|
+
return command;
|
|
2101
|
+
}
|
|
2102
|
+
}
|
|
2103
|
+
for (const cmd of this.dynamicCommands.values()) {
|
|
2104
|
+
if (cmd.paths.includes(command) && fs5.existsSync(command)) {
|
|
2105
|
+
return command;
|
|
2106
|
+
}
|
|
2107
|
+
}
|
|
2108
|
+
return null;
|
|
2109
|
+
}
|
|
2110
|
+
const basename3 = path5.basename(command);
|
|
2111
|
+
const builtinPaths = BUILTIN_COMMANDS[basename3];
|
|
2112
|
+
if (builtinPaths) {
|
|
2113
|
+
for (const p of builtinPaths) {
|
|
2114
|
+
if (fs5.existsSync(p)) return p;
|
|
2115
|
+
}
|
|
2116
|
+
}
|
|
2117
|
+
const dynamicCmd = this.dynamicCommands.get(basename3);
|
|
2118
|
+
if (dynamicCmd && dynamicCmd.paths.length > 0) {
|
|
2119
|
+
for (const p of dynamicCmd.paths) {
|
|
2120
|
+
if (fs5.existsSync(p)) return p;
|
|
2121
|
+
}
|
|
2122
|
+
}
|
|
2123
|
+
return null;
|
|
2124
|
+
}
|
|
2125
|
+
};
|
|
2126
|
+
|
|
2127
|
+
// libs/shield-broker/src/audit/logger.ts
|
|
2128
|
+
import * as fs6 from "node:fs";
|
|
2129
|
+
import * as path6 from "node:path";
|
|
1864
2130
|
var AuditLogger = class {
|
|
1865
2131
|
logPath;
|
|
1866
2132
|
logLevel;
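Review bot: `load()` copies every entry of `config.commands` into `dynamicCommands` without checking its shape, and `resolve()` later evaluates `cmd.paths.includes(command)` and `dynamicCmd.paths.length` on those entries, so one malformed record in the allowlist file (missing `paths`, or `name` not a string) turns absolute-path resolution into a TypeError instead of a `null`. Suggest guarding in the loop: `if (typeof cmd?.name !== "string" || !Array.isArray(cmd.paths)) continue;` before `this.dynamicCommands.set(cmd.name, cmd);`. The empty `catch {}` in `load()` also hides a corrupt or unreadable file: `lastLoad` is bumped and the stale set is kept silently, so a `console.warn` naming `this.configPath` there would make the failure visible in the broker log. Since this file decides which extra binaries the broker will exec, the class comment should also state the ownership/permissions it expects; `save()` currently writes it with the default mode.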
|
|
@@ -1885,15 +2151,15 @@ var AuditLogger = class {
|
|
|
1885
2151
|
* Initialize the write stream
|
|
1886
2152
|
*/
|
|
1887
2153
|
initializeStream() {
|
|
1888
|
-
const dir =
|
|
1889
|
-
if (!
|
|
1890
|
-
|
|
2154
|
+
const dir = path6.dirname(this.logPath);
|
|
2155
|
+
if (!fs6.existsSync(dir)) {
|
|
2156
|
+
fs6.mkdirSync(dir, { recursive: true });
|
|
1891
2157
|
}
|
|
1892
|
-
if (
|
|
1893
|
-
const stats =
|
|
2158
|
+
if (fs6.existsSync(this.logPath)) {
|
|
2159
|
+
const stats = fs6.statSync(this.logPath);
|
|
1894
2160
|
this.currentSize = stats.size;
|
|
1895
2161
|
}
|
|
1896
|
-
this.writeStream =
|
|
2162
|
+
this.writeStream = fs6.createWriteStream(this.logPath, {
|
|
1897
2163
|
flags: "a",
|
|
1898
2164
|
encoding: "utf-8"
|
|
1899
2165
|
});
|
|
@@ -1912,16 +2178,16 @@ var AuditLogger = class {
|
|
|
1912
2178
|
for (let i = this.maxFiles - 1; i >= 1; i--) {
|
|
1913
2179
|
const oldPath = `${this.logPath}.${i}`;
|
|
1914
2180
|
const newPath = `${this.logPath}.${i + 1}`;
|
|
1915
|
-
if (
|
|
2181
|
+
if (fs6.existsSync(oldPath)) {
|
|
1916
2182
|
if (i === this.maxFiles - 1) {
|
|
1917
|
-
|
|
2183
|
+
fs6.unlinkSync(oldPath);
|
|
1918
2184
|
} else {
|
|
1919
|
-
|
|
2185
|
+
fs6.renameSync(oldPath, newPath);
|
|
1920
2186
|
}
|
|
1921
2187
|
}
|
|
1922
2188
|
}
|
|
1923
|
-
if (
|
|
1924
|
-
|
|
2189
|
+
if (fs6.existsSync(this.logPath)) {
|
|
2190
|
+
fs6.renameSync(this.logPath, `${this.logPath}.1`);
|
|
1925
2191
|
}
|
|
1926
2192
|
this.currentSize = 0;
|
|
1927
2193
|
this.initializeStream();
|
|
@@ -1994,10 +2260,10 @@ var AuditLogger = class {
|
|
|
1994
2260
|
async query(options) {
|
|
1995
2261
|
const results = [];
|
|
1996
2262
|
const limit = options.limit || 1e3;
|
|
1997
|
-
if (!
|
|
2263
|
+
if (!fs6.existsSync(this.logPath)) {
|
|
1998
2264
|
return results;
|
|
1999
2265
|
}
|
|
2000
|
-
const content =
|
|
2266
|
+
const content = fs6.readFileSync(this.logPath, "utf-8");
|
|
2001
2267
|
const lines = content.trim().split("\n");
|
|
2002
2268
|
for (const line of lines.reverse()) {
|
|
2003
2269
|
if (results.length >= limit) break;
|
|
@@ -2035,7 +2301,7 @@ var AuditLogger = class {
|
|
|
2035
2301
|
};
|
|
2036
2302
|
|
|
2037
2303
|
// libs/shield-broker/src/secrets/vault.ts
|
|
2038
|
-
import * as
|
|
2304
|
+
import * as fs7 from "node:fs/promises";
|
|
2039
2305
|
import * as crypto from "node:crypto";
|
|
2040
2306
|
var SecretVault = class {
|
|
2041
2307
|
vaultPath;
|
|
@@ -2057,11 +2323,11 @@ var SecretVault = class {
|
|
|
2057
2323
|
async loadOrCreateKey() {
|
|
2058
2324
|
const keyPath = this.vaultPath.replace(".enc", ".key");
|
|
2059
2325
|
try {
|
|
2060
|
-
const keyData = await
|
|
2326
|
+
const keyData = await fs7.readFile(keyPath);
|
|
2061
2327
|
return keyData;
|
|
2062
2328
|
} catch {
|
|
2063
2329
|
const key = crypto.randomBytes(32);
|
|
2064
|
-
await
|
|
2330
|
+
await fs7.writeFile(keyPath, key, { mode: 384 });
|
|
2065
2331
|
return key;
|
|
2066
2332
|
}
|
|
2067
2333
|
}
|
|
@@ -2070,7 +2336,7 @@ var SecretVault = class {
|
|
|
2070
2336
|
*/
|
|
2071
2337
|
async load() {
|
|
2072
2338
|
try {
|
|
2073
|
-
const content = await
|
|
2339
|
+
const content = await fs7.readFile(this.vaultPath, "utf-8");
|
|
2074
2340
|
this.data = JSON.parse(content);
|
|
2075
2341
|
} catch {
|
|
2076
2342
|
this.data = {
|
|
@@ -2084,7 +2350,7 @@ var SecretVault = class {
|
|
|
2084
2350
|
*/
|
|
2085
2351
|
async save() {
|
|
2086
2352
|
if (!this.data) return;
|
|
2087
|
-
await
|
|
2353
|
+
await fs7.writeFile(
|
|
2088
2354
|
this.vaultPath,
|
|
2089
2355
|
JSON.stringify(this.data, null, 2),
|
|
2090
2356
|
{ mode: 384 }
|
|
@@ -2202,14 +2468,30 @@ var SecretVault = class {
|
|
|
2202
2468
|
};
|
|
2203
2469
|
|
|
2204
2470
|
// libs/shield-broker/src/main.ts
|
|
2205
|
-
import * as
|
|
2206
|
-
import * as
|
|
2471
|
+
import * as fs8 from "node:fs";
|
|
2472
|
+
import * as path7 from "node:path";
|
|
2473
|
+
var PROXIED_COMMANDS = [
|
|
2474
|
+
"curl",
|
|
2475
|
+
"wget",
|
|
2476
|
+
"git",
|
|
2477
|
+
"ssh",
|
|
2478
|
+
"scp",
|
|
2479
|
+
"rsync",
|
|
2480
|
+
"brew",
|
|
2481
|
+
"npm",
|
|
2482
|
+
"npx",
|
|
2483
|
+
"pip",
|
|
2484
|
+
"pip3",
|
|
2485
|
+
"open-url",
|
|
2486
|
+
"shieldctl",
|
|
2487
|
+
"agenco"
|
|
2488
|
+
];
|
|
2207
2489
|
function loadConfig() {
|
|
2208
2490
|
const configPath = process.env["AGENSHIELD_CONFIG"] || "/opt/agenshield/config/shield.json";
|
|
2209
2491
|
let fileConfig = {};
|
|
2210
|
-
if (
|
|
2492
|
+
if (fs8.existsSync(configPath)) {
|
|
2211
2493
|
try {
|
|
2212
|
-
const content =
|
|
2494
|
+
const content = fs8.readFileSync(configPath, "utf-8");
|
|
2213
2495
|
fileConfig = JSON.parse(content);
|
|
2214
2496
|
} catch (error) {
|
|
2215
2497
|
console.warn(`Warning: Failed to load config from ${configPath}:`, error);
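Review bot: `PROXIED_COMMANDS` is a second hand-maintained list that overlaps `BUILTIN_COMMANDS` from the command-allowlist hunk above and adds three names (`open-url`, `shieldctl`, `agenco`) that the builtin table lacks; if the broker resolves exec requests through `CommandAllowlist.resolve`, wrappers for those three will be generated but denied until a dynamic entry exists. A short comment above the array stating that it must stay in step with `BUILTIN_COMMANDS` (or a startup warning for names missing from it) would keep the two from drifting.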
|
|
@@ -2231,16 +2513,17 @@ function loadConfig() {
|
|
|
2231
2513
|
socketMode: fileConfig.socketMode || 438,
|
|
2232
2514
|
socketOwner: fileConfig.socketOwner || "clawbroker",
|
|
2233
2515
|
socketGroup: fileConfig.socketGroup || "clawshield",
|
|
2234
|
-
agentHome: process.env["AGENSHIELD_AGENT_HOME"] || fileConfig.agentHome
|
|
2516
|
+
agentHome: process.env["AGENSHIELD_AGENT_HOME"] || fileConfig.agentHome,
|
|
2517
|
+
daemonUrl: process.env["AGENSHIELD_DAEMON_URL"] || fileConfig.daemonUrl || "http://127.0.0.1:5200"
|
|
2235
2518
|
};
|
|
2236
2519
|
}
|
|
2237
2520
|
function ensureDirectories(config) {
|
|
2238
|
-
const socketDir =
|
|
2239
|
-
const auditDir =
|
|
2521
|
+
const socketDir = path7.dirname(config.socketPath);
|
|
2522
|
+
const auditDir = path7.dirname(config.auditLogPath);
|
|
2240
2523
|
for (const dir of [socketDir, auditDir, config.policiesPath]) {
|
|
2241
|
-
if (!
|
|
2524
|
+
if (!fs8.existsSync(dir)) {
|
|
2242
2525
|
try {
|
|
2243
|
-
|
|
2526
|
+
fs8.mkdirSync(dir, { recursive: true, mode: 493 });
|
|
2244
2527
|
} catch (error) {
|
|
2245
2528
|
if (error.code !== "EEXIST") {
|
|
2246
2529
|
console.warn(`Warning: Could not create directory ${dir}:`, error);
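Review bot: `daemonUrl` is taken from `AGENSHIELD_DAEMON_URL`, then the config file, then the loopback default, with no shape check; the types.d.ts comment in this diff says it is the target for policy forwarding, so if the daemon's answer can relax a local denial this value selects who is allowed to do that. Parse it once here with `new URL(...)`, and warn or fall back to the default when the protocol is not `http:`/`https:` or the host is not loopback, so a misconfigured or tampered environment is visible rather than silently honoured. `loadConfig()` continues outside this hunk.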
|
|
@@ -2249,6 +2532,47 @@ function ensureDirectories(config) {
|
|
|
2249
2532
|
}
|
|
2250
2533
|
}
|
|
2251
2534
|
}
|
|
2535
|
+
function ensureProxiedCommandWrappers(binDir) {
|
|
2536
|
+
if (!fs8.existsSync(binDir)) {
|
|
2537
|
+
try {
|
|
2538
|
+
fs8.mkdirSync(binDir, { recursive: true, mode: 493 });
|
|
2539
|
+
} catch {
|
|
2540
|
+
console.warn(`[broker] cannot create bin dir ${binDir}`);
|
|
2541
|
+
return;
|
|
2542
|
+
}
|
|
2543
|
+
}
|
|
2544
|
+
const shieldExecPath = "/opt/agenshield/bin/shield-exec";
|
|
2545
|
+
const hasShieldExec = fs8.existsSync(shieldExecPath);
|
|
2546
|
+
let installed = 0;
|
|
2547
|
+
for (const cmd of PROXIED_COMMANDS) {
|
|
2548
|
+
const wrapperPath = path7.join(binDir, cmd);
|
|
2549
|
+
if (fs8.existsSync(wrapperPath)) continue;
|
|
2550
|
+
if (hasShieldExec) {
|
|
2551
|
+
try {
|
|
2552
|
+
fs8.symlinkSync(shieldExecPath, wrapperPath);
|
|
2553
|
+
installed++;
|
|
2554
|
+
continue;
|
|
2555
|
+
} catch {
|
|
2556
|
+
}
|
|
2557
|
+
}
|
|
2558
|
+
try {
|
|
2559
|
+
const script = [
|
|
2560
|
+
"#!/bin/bash",
|
|
2561
|
+
`# ${cmd} - AgenShield proxy (auto-generated)`,
|
|
2562
|
+
"if ! /bin/pwd > /dev/null 2>&1; then cd ~ 2>/dev/null || cd /; fi",
|
|
2563
|
+
`exec /opt/agenshield/bin/shield-client exec ${cmd} "$@"`,
|
|
2564
|
+
""
|
|
2565
|
+
].join("\n");
|
|
2566
|
+
fs8.writeFileSync(wrapperPath, script, { mode: 493 });
|
|
2567
|
+
installed++;
|
|
2568
|
+
} catch {
|
|
2569
|
+
console.warn(`[broker] cannot write wrapper for ${cmd}`);
|
|
2570
|
+
}
|
|
2571
|
+
}
|
|
2572
|
+
if (installed > 0) {
|
|
2573
|
+
console.log(`[broker] installed ${installed} command wrappers in ${binDir}`);
|
|
2574
|
+
}
|
|
2575
|
+
}
|
|
2252
2576
|
async function main() {
|
|
2253
2577
|
console.log(`AgenShield Broker starting at ${(/* @__PURE__ */ new Date()).toISOString()}`);
|
|
2254
2578
|
console.log(`PID: ${process.pid}, UID: ${process.getuid?.()}, GID: ${process.getgid?.()}`);
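Review bot: The `catch {}` after `fs8.symlinkSync` in `ensureProxiedCommandWrappers` is empty, so when the symlink fails the loop falls through to writing a bash wrapper with no record of why; add `console.warn(`[broker] symlink failed for ${cmd}, writing script wrapper`)` there. The `existsSync(wrapperPath)` skip also means an existing wrapper is never inspected or refreshed: `existsSync` follows symlinks, so a dangling link reports false and the following `symlinkSync` raises EEXIST into that same silent catch, while a stale or foreign regular file at that path is kept as-is. Because the wrappers are written under `config.agentHome/bin`, which the agent presumably controls, they are a convenience path and the actual policy decision has to stay in the broker; a one-line comment above the function saying so would stop a reader from treating them as an enforcement boundary.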
|
|
@@ -2267,6 +2591,7 @@ async function main() {
|
|
|
2267
2591
|
console.log(`HTTP Fallback: ${config.httpEnabled ? `${config.httpHost}:${config.httpPort}` : "disabled"}`);
|
|
2268
2592
|
console.log(`Policies: ${config.policiesPath}`);
|
|
2269
2593
|
console.log(`Agent Home: ${config.agentHome || "(env fallback)"}`);
|
|
2594
|
+
console.log(`Daemon URL: ${config.daemonUrl || "(default)"}`);
|
|
2270
2595
|
console.log(`Log Level: ${config.logLevel}`);
|
|
2271
2596
|
try {
|
|
2272
2597
|
ensureDirectories(config);
|
|
@@ -2286,11 +2611,18 @@ async function main() {
|
|
|
2286
2611
|
const secretVault = new SecretVault({
|
|
2287
2612
|
vaultPath: "/etc/agenshield/vault.enc"
|
|
2288
2613
|
});
|
|
2614
|
+
const commandAllowlist = new CommandAllowlist(
|
|
2615
|
+
"/opt/agenshield/config/allowed-commands.json"
|
|
2616
|
+
);
|
|
2617
|
+
if (config.agentHome) {
|
|
2618
|
+
ensureProxiedCommandWrappers(path7.join(config.agentHome, "bin"));
|
|
2619
|
+
}
|
|
2289
2620
|
const socketServer = new UnixSocketServer({
|
|
2290
2621
|
config,
|
|
2291
2622
|
policyEnforcer,
|
|
2292
2623
|
auditLogger,
|
|
2293
|
-
secretVault
|
|
2624
|
+
secretVault,
|
|
2625
|
+
commandAllowlist
|
|
2294
2626
|
});
|
|
2295
2627
|
await socketServer.start();
|
|
2296
2628
|
console.log(`Unix socket server listening on ${config.socketPath}`);
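Review bot: `new CommandAllowlist("/opt/agenshield/config/allowed-commands.json")` hard-codes the allowlist location while every other path (config via `AGENSHIELD_CONFIG`, socket, audit log, policies) comes from `loadConfig()`, so an installation that relocates its config directory silently runs with an empty dynamic allowlist — `load()` returns early when the file is missing. Resolve the path in `loadConfig()` next to `daemonUrl`, with this literal as the default, and print it with the other startup lines so the file the broker trusts for exec decisions is visible in the log.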
|
|
@@ -2299,7 +2631,8 @@ async function main() {
|
|
|
2299
2631
|
httpServer = new HttpFallbackServer({
|
|
2300
2632
|
config,
|
|
2301
2633
|
policyEnforcer,
|
|
2302
|
-
auditLogger
|
|
2634
|
+
auditLogger,
|
|
2635
|
+
commandAllowlist
|
|
2303
2636
|
});
|
|
2304
2637
|
await httpServer.start();
|
|
2305
2638
|
console.log(`HTTP fallback server listening on ${config.httpHost}:${config.httpPort}`);
|
package/package.json
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@agenshield/broker",
|
|
3
|
-
"version": "0.6.
|
|
3
|
+
"version": "0.6.2",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"description": "AgenShield broker daemon with Unix socket and HTTP fallback",
|
|
6
6
|
"main": "./index.js",
|
|
@@ -24,7 +24,7 @@
|
|
|
24
24
|
},
|
|
25
25
|
"license": "MIT",
|
|
26
26
|
"dependencies": {
|
|
27
|
-
"@agenshield/ipc": "0.6.
|
|
27
|
+
"@agenshield/ipc": "0.6.2"
|
|
28
28
|
},
|
|
29
29
|
"devDependencies": {
|
|
30
30
|
"@types/node": "^24.0.0",
|
|
@@ -17,11 +17,17 @@ export interface AllowedCommand {
|
|
|
17
17
|
export declare class CommandAllowlist {
|
|
18
18
|
private configPath;
|
|
19
19
|
private dynamicCommands;
|
|
20
|
+
private lastLoad;
|
|
21
|
+
private reloadInterval;
|
|
20
22
|
constructor(configPath: string);
|
|
21
23
|
/**
|
|
22
24
|
* Load dynamic commands from disk
|
|
23
25
|
*/
|
|
24
26
|
load(): void;
|
|
27
|
+
/**
|
|
28
|
+
* Reload dynamic commands if stale
|
|
29
|
+
*/
|
|
30
|
+
private maybeReload;
|
|
25
31
|
/**
|
|
26
32
|
* Persist dynamic commands to disk
|
|
27
33
|
*/
|
|
@@ -55,6 +61,7 @@ export declare class CommandAllowlist {
|
|
|
55
61
|
/**
|
|
56
62
|
* Resolve a command name to an absolute path.
|
|
57
63
|
* Checks builtin commands first, then dynamic commands.
|
|
64
|
+
* Validates that the resolved path exists on disk.
|
|
58
65
|
* Returns null if the command is not allowed.
|
|
59
66
|
*/
|
|
60
67
|
resolve(command: string): string | null;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"command-allowlist.d.ts","sourceRoot":"","sources":["../../src/policies/command-allowlist.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAiDD,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,eAAe,CAA0C;
|
|
1
|
+
{"version":3,"file":"command-allowlist.d.ts","sourceRoot":"","sources":["../../src/policies/command-allowlist.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAiDD,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,eAAe,CAA0C;IACjE,OAAO,CAAC,QAAQ,CAAa;IAC7B,OAAO,CAAC,cAAc,CAAiB;gBAE3B,UAAU,EAAE,MAAM;IAK9B;;OAEG;IACH,IAAI,IAAI,IAAI;IAqBZ;;OAEG;IACH,OAAO,CAAC,WAAW;IAMnB;;OAEG;IACH,IAAI,IAAI,IAAI;IAcZ;;OAEG;IACH,GAAG,CAAC,GAAG,EAAE,cAAc,GAAG,IAAI;IAK9B;;OAEG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAQ7B;;OAEG;IACH,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAI7C;;OAEG;IACH,IAAI,IAAI,KAAK,CAAC,cAAc,GAAG;QAAE,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC;IAsBpD;;OAEG;IACH,WAAW,IAAI,cAAc,EAAE;IAI/B;;OAEG;IACH,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAIhC;;;;;OAKG;IACH,OAAO,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;CA0CxC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcer.d.ts","sourceRoot":"","sources":["../../src/policies/enforcer.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAElD;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,GAAG,MAAM,GAAG,UAAU,CAAC;IACtC,MAAM,EAAE,OAAO,GAAG,SAAS,GAAG,KAAK,CAAC;IACpC,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,EAAE,OAAO,GAAG,MAAM,CAAC;IAChC,KAAK,EAAE,UAAU,EAAE,CAAC;IACpB,aAAa,CAAC,EAAE;QACd,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,cAAc,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;IACF,kBAAkB,CAAC,EAAE;QACnB,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;CACH;AAED,MAAM,WAAW,qBAAqB;IACpC,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,YAAY,CAAC;IAC9B,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAe;IAC/B,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,QAAQ,CAAU;IAC1B,OAAO,CAAC,QAAQ,CAAa;IAC7B,OAAO,CAAC,cAAc,CAAiB;gBAE3B,OAAO,EAAE,qBAAqB;IAQ1C;;;OAGG;IACH,OAAO,CAAC,aAAa;IAyBrB;;OAEG;IACH,OAAO,CAAC,YAAY;IA4CpB;;OAEG;IACH,OAAO,CAAC,WAAW;IAMnB;;OAEG;IACG,KAAK,CACT,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,iBAAiB,CAAC;
|
|
1
|
+
{"version":3,"file":"enforcer.d.ts","sourceRoot":"","sources":["../../src/policies/enforcer.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAElD;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,GAAG,MAAM,GAAG,UAAU,CAAC;IACtC,MAAM,EAAE,OAAO,GAAG,SAAS,GAAG,KAAK,CAAC;IACpC,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,EAAE,OAAO,GAAG,MAAM,CAAC;IAChC,KAAK,EAAE,UAAU,EAAE,CAAC;IACpB,aAAa,CAAC,EAAE;QACd,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,cAAc,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;IACF,kBAAkB,CAAC,EAAE;QACnB,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;CACH;AAED,MAAM,WAAW,qBAAqB;IACpC,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,YAAY,CAAC;IAC9B,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAe;IAC/B,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,QAAQ,CAAU;IAC1B,OAAO,CAAC,QAAQ,CAAa;IAC7B,OAAO,CAAC,cAAc,CAAiB;gBAE3B,OAAO,EAAE,qBAAqB;IAQ1C;;;OAGG;IACH,OAAO,CAAC,aAAa;IAyBrB;;OAEG;IACH,OAAO,CAAC,YAAY;IA4CpB;;OAEG;IACH,OAAO,CAAC,WAAW;IAMnB;;OAEG;IACG,KAAK,CACT,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,iBAAiB,CAAC;IAgE7B;;OAEG;IACH,OAAO,CAAC,aAAa;IAmBrB;;OAEG;IACH,OAAO,CAAC,eAAe;IASvB;;OAEG;IACH,OAAO,CAAC,YAAY;IAapB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA8GxB;;OAEG;IACH,WAAW,IAAI,YAAY;IAK3B;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,UAAU,GAAG,IAAI;IAK/B;;OAEG;IACH,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;CAQhC"}
|
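--- a/package/server.d.ts
+++ b/package/server.d.ts
@@ -8,11 +8,13 @@ import type { BrokerConfig } from './types.js';
 import type { PolicyEnforcer } from './policies/enforcer.js';
 import type { AuditLogger } from './audit/logger.js';
 import type { SecretVault } from './secrets/vault.js';
+import type { CommandAllowlist } from './policies/command-allowlist.js';
 export interface UnixSocketServerOptions {
 config: BrokerConfig;
 policyEnforcer: PolicyEnforcer;
 auditLogger: AuditLogger;
 secretVault: SecretVault;
+commandAllowlist: CommandAllowlist;
 }
 export declare class UnixSocketServer {
 private server;
@@ -20,6 +22,7 @@ export declare class UnixSocketServer {
 private policyEnforcer;
 private auditLogger;
 private secretVault;
+private commandAllowlist;
 private connections;
 constructor(options: UnixSocketServerOptions);
 /**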
package/server.d.ts.map
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EACV,YAAY,EAIb,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;
|
|
1
|
+
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EACV,YAAY,EAIb,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AAIxE,MAAM,WAAW,uBAAuB;IACtC,MAAM,EAAE,YAAY,CAAC;IACrB,cAAc,EAAE,cAAc,CAAC;IAC/B,WAAW,EAAE,WAAW,CAAC;IACzB,WAAW,EAAE,WAAW,CAAC;IACzB,gBAAgB,EAAE,gBAAgB,CAAC;CACpC;AAED,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAA2B;IACzC,OAAO,CAAC,MAAM,CAAe;IAC7B,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,gBAAgB,CAAmB;IAC3C,OAAO,CAAC,WAAW,CAA8B;gBAErC,OAAO,EAAE,uBAAuB;IAQ5C;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IA4B5B;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IA0B3B;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA+BxB;;OAEG;YACW,cAAc;IAgH5B;;OAEG;IACH,OAAO,CAAC,UAAU;IA2BlB;;OAEG;IACH,OAAO,CAAC,aAAa;IAWrB;;OAEG;IACH,OAAO,CAAC,aAAa;CAWtB"}
|
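--- a/package/types.d.ts
+++ b/package/types.d.ts
@@ -32,6 +32,8 @@ export interface BrokerConfig {
 socketGroup?: string;
 /** Agent home directory (for fs policy paths) */
 agentHome?: string;
+/** Daemon RPC URL for policy forwarding (default: http://127.0.0.1:5200) */
+daemonUrl?: string;
 }
 /**
 * Context passed to operation handlers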
package/types.d.ts.map
|
@@ -1 +1 @@
1
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAc,aAAa,EAAqC,MAAM,iBAAiB,CAAC;AAEpG;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,uBAAuB;IACvB,UAAU,EAAE,MAAM,CAAC;IAEnB,uCAAuC;IACvC,WAAW,EAAE,OAAO,CAAC;IAErB,yBAAyB;IACzB,QAAQ,EAAE,MAAM,CAAC;IAEjB,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IAEjB,iCAAiC;IACjC,UAAU,EAAE,MAAM,CAAC;IAEnB,iCAAiC;IACjC,YAAY,EAAE,MAAM,CAAC;IAErB,wBAAwB;IACxB,YAAY,EAAE,MAAM,CAAC;IAErB,gBAAgB;IAChB,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAE9C,iDAAiD;IACjD,QAAQ,EAAE,OAAO,CAAC;IAElB,sCAAsC;IACtC,UAAU,EAAE,MAAM,CAAC;IAEnB,wBAAwB;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,yBAAyB;IACzB,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,iDAAiD;IACjD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,6BAA6B;IAC7B,SAAS,EAAE,MAAM,CAAC;IAElB,oCAAoC;IACpC,OAAO,EAAE,QAAQ,GAAG,MAAM,CAAC;IAE3B,+CAA+C;IAC/C,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,gDAAgD;IAChD,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,wBAAwB;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,2BAA2B;IAC3B,SAAS,EAAE,IAAI,CAAC;IAEhB,2BAA2B;IAC3B,MAAM,EAAE,YAAY,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa,CAAC,CAAC,GAAG,OAAO;IACxC,sCAAsC;IACtC,OAAO,EAAE,OAAO,CAAC;IAEjB,kCAAkC;IAClC,IAAI,CAAC,EAAE,CAAC,CAAC;IAET,oCAAoC;IACpC,KAAK,CAAC,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,CAAC;IAEF,qBAAqB;IACrB,KAAK,CAAC,EAAE;QACN,QAAQ,EAAE,MAAM,CAAC;QACjB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,gBAAgB,CAAC,EAAE,MAAM,CAAC;KAC3B,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,sBAAsB;IACtB,EAAE,EAAE,MAAM,CAAC;IAEX,gBAAgB;IAChB,SAAS,EAAE,IAAI,CAAC;IAEhB,qBAAqB;IACrB,SAAS,EAAE,aAAa,CAAC;IAEzB,sBAAsB;IACtB,OAAO,EAAE,QAAQ,GAAG,MAAM,CAAC;IAE3B,qBAAqB;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAC;IAEjB,mCAAmC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,4CAA4C;IAC5C,MAAM,EAAE,MAAM,CAAC;IAEf,uBAAuB;IACvB,MAAM,EAAE,SAAS,GAAG,QAAQ,GAAG,OAAO,CAAC;IAEvC,8BAA8B;IAC9B,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,+BAA+B;IAC/B,UAAU,EAAE,MAAM,CAAC;IAEnB,0BAA0B;I
AC1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,kBAAkB;IAClB,IAAI,EAAE,MAAM,CAAC;IAEb,sBAAsB;IACtB,cAAc,EAAE,MAAM,CAAC;IAEvB,6CAA6C;IAC7C,iBAAiB,EAAE,aAAa,EAAE,CAAC;IAEnC,wBAAwB;IACxB,SAAS,EAAE,IAAI,CAAC;IAEhB,8BAA8B;IAC9B,cAAc,CAAC,EAAE,IAAI,CAAC;IAEtB,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,KAAK,CAAC;IACf,EAAE,EAAE,MAAM,GAAG,MAAM,CAAC;IACpB,MAAM,EAAE,aAAa,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,KAAK,CAAC;IACf,EAAE,EAAE,MAAM,GAAG,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,YAAY,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,CAAC,EAAE,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,OAAO,GAAG,MAAM,GAAG,SAAS,CAAC;IAC1E,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,cAAc,CAAC;CAC3B;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,eAAe;IAC9B,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,KAAK,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS,CAAC;QACvC,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,MAAM,CAAC;KACf,CAAC,CAAC;CACJ;AAED,MAAM,
WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,IAAI,CAAC;IACX,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,4DAA4D;IAC5D,IAAI,EAAE,MAAM,CAAC;IACb,oEAAoE;IACpE,OAAO,EAAE,MAAM,CAAC;IAChB,sDAAsD;IACtD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,wCAAwC;IACxC,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,WAAW,kBAAkB;IACjC,0CAA0C;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,uBAAuB;IACvB,KAAK,EAAE,gBAAgB,EAAE,CAAC;IAC1B,0DAA0D;IAC1D,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,mEAAmE;IACnE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kEAAkE;IAClE,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,kBAAkB;IACjC,qCAAqC;IACrC,SAAS,EAAE,OAAO,CAAC;IACnB,wCAAwC;IACxC,QAAQ,EAAE,MAAM,CAAC;IACjB,0CAA0C;IAC1C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,8BAA8B;IAC9B,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,oBAAoB;IACnC,8BAA8B;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,mEAAmE;IACnE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,uCAAuC;IACvC,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,oBAAoB;IACnC,uCAAuC;IACvC,WAAW,EAAE,OAAO,CAAC;IACrB,sCAAsC;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,kCAAkC;IAClC,cAAc,EAAE,OAAO,CAAC;CACzB"}
1
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAc,aAAa,EAAqC,MAAM,iBAAiB,CAAC;AAEpG;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,uBAAuB;IACvB,UAAU,EAAE,MAAM,CAAC;IAEnB,uCAAuC;IACvC,WAAW,EAAE,OAAO,CAAC;IAErB,yBAAyB;IACzB,QAAQ,EAAE,MAAM,CAAC;IAEjB,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IAEjB,iCAAiC;IACjC,UAAU,EAAE,MAAM,CAAC;IAEnB,iCAAiC;IACjC,YAAY,EAAE,MAAM,CAAC;IAErB,wBAAwB;IACxB,YAAY,EAAE,MAAM,CAAC;IAErB,gBAAgB;IAChB,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAE9C,iDAAiD;IACjD,QAAQ,EAAE,OAAO,CAAC;IAElB,sCAAsC;IACtC,UAAU,EAAE,MAAM,CAAC;IAEnB,wBAAwB;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,yBAAyB;IACzB,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,iDAAiD;IACjD,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,4EAA4E;IAC5E,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,6BAA6B;IAC7B,SAAS,EAAE,MAAM,CAAC;IAElB,oCAAoC;IACpC,OAAO,EAAE,QAAQ,GAAG,MAAM,CAAC;IAE3B,+CAA+C;IAC/C,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,gDAAgD;IAChD,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,wBAAwB;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,2BAA2B;IAC3B,SAAS,EAAE,IAAI,CAAC;IAEhB,2BAA2B;IAC3B,MAAM,EAAE,YAAY,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa,CAAC,CAAC,GAAG,OAAO;IACxC,sCAAsC;IACtC,OAAO,EAAE,OAAO,CAAC;IAEjB,kCAAkC;IAClC,IAAI,CAAC,EAAE,CAAC,CAAC;IAET,oCAAoC;IACpC,KAAK,CAAC,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,CAAC;IAEF,qBAAqB;IACrB,KAAK,CAAC,EAAE;QACN,QAAQ,EAAE,MAAM,CAAC;QACjB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,gBAAgB,CAAC,EAAE,MAAM,CAAC;KAC3B,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,sBAAsB;IACtB,EAAE,EAAE,MAAM,CAAC;IAEX,gBAAgB;IAChB,SAAS,EAAE,IAAI,CAAC;IAEhB,qBAAqB;IACrB,SAAS,EAAE,aAAa,CAAC;IAEzB,sBAAsB;IACtB,OAAO,EAAE,QAAQ,GAAG,MAAM,CAAC;IAE3B,qBAAqB;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAC;IAEjB,mCAAmC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,4CAA4C;IAC5C,MAAM,EAAE,MAAM,CAAC;IAEf,uBAAuB;IACvB,MAAM,EAAE,SAAS,GAAG,QAAQ,GAAG,OAAO,CAAC;IAEvC,8BAA8B;IAC9B,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,+BA
A+B;IAC/B,UAAU,EAAE,MAAM,CAAC;IAEnB,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,kBAAkB;IAClB,IAAI,EAAE,MAAM,CAAC;IAEb,sBAAsB;IACtB,cAAc,EAAE,MAAM,CAAC;IAEvB,6CAA6C;IAC7C,iBAAiB,EAAE,aAAa,EAAE,CAAC;IAEnC,wBAAwB;IACxB,SAAS,EAAE,IAAI,CAAC;IAEhB,8BAA8B;IAC9B,cAAc,CAAC,EAAE,IAAI,CAAC;IAEtB,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,KAAK,CAAC;IACf,EAAE,EAAE,MAAM,GAAG,MAAM,CAAC;IACpB,MAAM,EAAE,aAAa,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,KAAK,CAAC;IACf,EAAE,EAAE,MAAM,GAAG,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,YAAY,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,CAAC,EAAE,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,OAAO,GAAG,MAAM,GAAG,SAAS,CAAC;IAC1E,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,cAAc,CAAC;CAC3B;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,eAAe;IAC9B,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,KAAK,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS,CAAC;QACvC,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,E
AAE,MAAM,CAAC;KACf,CAAC,CAAC;CACJ;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,IAAI,CAAC;IACX,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,4DAA4D;IAC5D,IAAI,EAAE,MAAM,CAAC;IACb,oEAAoE;IACpE,OAAO,EAAE,MAAM,CAAC;IAChB,sDAAsD;IACtD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,wCAAwC;IACxC,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,WAAW,kBAAkB;IACjC,0CAA0C;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,uBAAuB;IACvB,KAAK,EAAE,gBAAgB,EAAE,CAAC;IAC1B,0DAA0D;IAC1D,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,mEAAmE;IACnE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kEAAkE;IAClE,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,kBAAkB;IACjC,qCAAqC;IACrC,SAAS,EAAE,OAAO,CAAC;IACnB,wCAAwC;IACxC,QAAQ,EAAE,MAAM,CAAC;IACjB,0CAA0C;IAC1C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,8BAA8B;IAC9B,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,oBAAoB;IACnC,8BAA8B;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,mEAAmE;IACnE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,uCAAuC;IACvC,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,oBAAoB;IACnC,uCAAuC;IACvC,WAAW,EAAE,OAAO,CAAC;IACrB,sCAAsC;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,kCAAkC;IAClC,cAAc,EAAE,OAAO,CAAC;CACzB"}