@aporthq/aport-agent-guardrails 1.0.10 → 1.0.12

package/README.md

@@ -60,7 +60,7 @@ Your agent should **only do what you explicitly allow**. APort runs in the hook
 
 | Policy | What it guards |
 |--------|----------------|
-| **system.command.execute.v1** | Shell commands — allowlist, 40+ blocked patterns (`rm -rf`, `sudo`, injection) |
+| **system.command.execute.v1** | Shell commands — allowlist, 50+ blocked patterns (`rm -rf`, `sudo`, `nc`, `find -exec rm`, injection); passport `allowed_paths` override for path rules |
 | **mcp.tool.execute.v1** | MCP tool calls — server allowlist, rate limits |
 | **messaging.message.send.v1** | Message sends — rate caps, capability checks |
 | **agent.session.create.v1** / **agent.tool.register.v1** | Sessions and tool registration |
@@ -326,10 +326,23 @@ graph TB
 
 </div>
 
-- **Local-first:** Passport and policy live on your machine (or in repo); no cloud required for basic enforcement.  
-- **Fail-closed:** Missing or invalid passport → deny.  
+- **Local-first:** Passport and policy live on your machine (or in repo); no cloud required for basic enforcement.
+- **Fail-closed:** Missing or invalid passport → deny.
 - **Opt-in cloud:** Use API mode for global kill switch, signed receipts, and team sync.
 
+### What APort Protects
+
+**✅ Pre-action authorization (agent misbehavior):**
+- **Prompt injection** - Hook-based enforcement; agent cannot bypass via prompts
+- **Malicious skills** - Third-party OpenClaw skills validated before execution
+- **Unauthorized commands** - Allowlist + 50+ blocked patterns (rm -rf, sudo, nc, find -exec rm, etc.)
+- **Data exfiltration** - File access, messaging, web requests controlled by policy
+- **Resource limits** - Rate limits, size caps, transaction amounts enforced
+
+**Application-layer security model:** APort enforces policies at the agent action layer (between agent decision and tool execution). It operates within the OS trust boundary—standard for authorization systems like OAuth, IAM, and policy engines.
+
+**For production:** Use API mode (`mode: api` with `agent_id`) for cryptographically signed decisions, protected passports, and global suspend. See [docs/SECURITY_MODEL.md](docs/SECURITY_MODEL.md) for full threat model, attack scenarios, and best practices.
+
 ---
 
 ## 🌐 When to use API vs local

package/bin/aport-create-passport.sh

@@ -119,11 +119,19 @@ if [ -n "$NON_INTERACTIVE" ]; then
     exec_cap=y
     msg_cap=y
     data_cap=n
+    file_read_cap=n
+    file_write_cap=n
+    web_fetch_cap=n
+    web_browser_cap=n
     max_pr_size=500
     max_prs_per_day=10
     max_msgs_per_day=100
     allowed_repos_input="*"
     exec_allow_scope="*"
+    file_read_paths="*"
+    file_write_paths="*"
+    web_fetch_domains="*"
+    web_browser_domains="*"
     should_expire=n
     never_expires="true"
     expires_at=""
@@ -187,7 +195,7 @@ else
     # Choose capabilities
     echo "  🔐 Capabilities"
     echo "  ───────────────"
-    echo "  Choose what your agent can do (y/n). Defaults: PRs, exec, and messaging = yes (matches README/docs); data export = no."
+    echo "  Choose what your agent can do (y/n). Defaults: PRs, exec, and messaging = yes (matches README/docs); others = no."
     echo ""
     read -p "  • Create and merge pull requests? [Y/n]: " pr_cap
     pr_cap=${pr_cap:-y}
@@ -198,6 +206,18 @@ else
     read -p "  • Send messages (email, SMS, etc.)? [Y/n]: " msg_cap
     msg_cap=${msg_cap:-y}
 
+    read -p "  • Read files from disk? [y/N]: " file_read_cap
+    file_read_cap=${file_read_cap:-n}
+
+    read -p "  • Write/edit files on disk? [y/N]: " file_write_cap
+    file_write_cap=${file_write_cap:-n}
+
+    read -p "  • Fetch data from web (HTTP requests)? [y/N]: " web_fetch_cap
+    web_fetch_cap=${web_fetch_cap:-n}
+
+    read -p "  • Automate web browser? [y/N]: " web_browser_cap
+    web_browser_cap=${web_browser_cap:-n}
+
     read -p "  • Export data (database, files, etc.)? [y/N]: " data_cap
     data_cap=${data_cap:-n}
 
@@ -230,6 +250,30 @@ else
         max_msgs_per_day=${max_msgs_per_day:-100}
     fi
 
+    if [ "$file_read_cap" = "y" ] || [ "$file_read_cap" = "Y" ]; then
+        echo "  File read paths: default is allow any (*); sensitive patterns (.env, id_rsa, etc.) still blocked."
+        read -p "  Allowed paths (comma-separated, * for all) [*]: " file_read_paths
+        file_read_paths=${file_read_paths:-"*"}
+    fi
+
+    if [ "$file_write_cap" = "y" ] || [ "$file_write_cap" = "Y" ]; then
+        echo "  File write paths: default is allow any (*); recommend restricting to project directories."
+        read -p "  Allowed paths (comma-separated, * for all) [*]: " file_write_paths
+        file_write_paths=${file_write_paths:-"*"}
+    fi
+
+    if [ "$web_fetch_cap" = "y" ] || [ "$web_fetch_cap" = "Y" ]; then
+        echo "  Web fetch domains: default is allow any (*); private IPs (127.0.0.1, etc.) are blocked."
+        read -p "  Allowed domains (comma-separated, * for all) [*]: " web_fetch_domains
+        web_fetch_domains=${web_fetch_domains:-"*"}
+    fi
+
+    if [ "$web_browser_cap" = "y" ] || [ "$web_browser_cap" = "Y" ]; then
+        echo "  Browser automation domains: default is allow any (*)."
+        read -p "  Allowed domains (comma-separated, * for all) [*]: " web_browser_domains
+        web_browser_domains=${web_browser_domains:-"*"}
+    fi
+
     if [ "$data_cap" = "y" ] || [ "$data_cap" = "Y" ]; then
         read -p "  Max export rows [10000]: " max_export_rows
         max_export_rows=${max_export_rows:-10000}
@@ -292,6 +336,18 @@ fi
 if [ "$msg_cap" = "y" ] || [ "$msg_cap" = "Y" ]; then
     capabilities_json="$capabilities_json{\"id\": \"messaging.send\"},"
 fi
+if [ "$file_read_cap" = "y" ] || [ "$file_read_cap" = "Y" ]; then
+    capabilities_json="$capabilities_json{\"id\": \"data.file.read\"},"
+fi
+if [ "$file_write_cap" = "y" ] || [ "$file_write_cap" = "Y" ]; then
+    capabilities_json="$capabilities_json{\"id\": \"data.file.write\"},"
+fi
+if [ "$web_fetch_cap" = "y" ] || [ "$web_fetch_cap" = "Y" ]; then
+    capabilities_json="$capabilities_json{\"id\": \"web.fetch\"},"
+fi
+if [ "$web_browser_cap" = "y" ] || [ "$web_browser_cap" = "Y" ]; then
+    capabilities_json="$capabilities_json{\"id\": \"web.browser\"},"
+fi
 if [ "$data_cap" = "y" ] || [ "$data_cap" = "Y" ]; then
     capabilities_json="$capabilities_json{\"id\": \"data.export\"},"
 fi
@@ -330,6 +386,54 @@ if [ "$msg_cap" = "y" ] || [ "$msg_cap" = "Y" ]; then
     limits_json="$limits_json\"msgs_per_min\": 5, \"msgs_per_day\": $max_msgs_per_day, \"allowed_recipients\": [\"*\"], \"approval_required\": false,"
 fi
 
+if [ "$file_read_cap" = "y" ] || [ "$file_read_cap" = "Y" ]; then
+    # Parse allowed paths
+    IFS=',' read -ra PATHS <<< "$file_read_paths"
+    allowed_paths_json="["
+    for path in "${PATHS[@]}"; do
+        path=$(echo "$path" | xargs) # trim whitespace
+        allowed_paths_json="$allowed_paths_json\"$path\","
+    done
+    allowed_paths_json="${allowed_paths_json%,}]"
+    limits_json="$limits_json\"data.file.read\": {\"allowed_paths\": $allowed_paths_json, \"max_file_size_mb\": 100},"
+fi
+
+if [ "$file_write_cap" = "y" ] || [ "$file_write_cap" = "Y" ]; then
+    # Parse allowed paths
+    IFS=',' read -ra PATHS <<< "$file_write_paths"
+    allowed_paths_json="["
+    for path in "${PATHS[@]}"; do
+        path=$(echo "$path" | xargs) # trim whitespace
+        allowed_paths_json="$allowed_paths_json\"$path\","
+    done
+    allowed_paths_json="${allowed_paths_json%,}]"
+    limits_json="$limits_json\"data.file.write\": {\"allowed_paths\": $allowed_paths_json, \"max_file_size_mb\": 50},"
+fi
+
+if [ "$web_fetch_cap" = "y" ] || [ "$web_fetch_cap" = "Y" ]; then
+    # Parse allowed domains
+    IFS=',' read -ra DOMAINS <<< "$web_fetch_domains"
+    allowed_domains_json="["
+    for domain in "${DOMAINS[@]}"; do
+        domain=$(echo "$domain" | xargs) # trim whitespace
+        allowed_domains_json="$allowed_domains_json\"$domain\","
+    done
+    allowed_domains_json="${allowed_domains_json%,}]"
+    limits_json="$limits_json\"web.fetch\": {\"allowed_domains\": $allowed_domains_json, \"blocked_domains\": [], \"max_requests_per_min\": 60},"
+fi
+
+if [ "$web_browser_cap" = "y" ] || [ "$web_browser_cap" = "Y" ]; then
+    # Parse allowed domains
+    IFS=',' read -ra DOMAINS <<< "$web_browser_domains"
+    allowed_domains_json="["
+    for domain in "${DOMAINS[@]}"; do
+        domain=$(echo "$domain" | xargs) # trim whitespace
+        allowed_domains_json="$allowed_domains_json\"$domain\","
+    done
+    allowed_domains_json="${allowed_domains_json%,}]"
+    limits_json="$limits_json\"web.browser\": {\"allowed_domains\": $allowed_domains_json, \"max_screenshots_per_hour\": 100},"
+fi
+
 if [ "$data_cap" = "y" ] || [ "$data_cap" = "Y" ]; then
     limits_json="$limits_json\"data.export\": {\"max_rows\": $max_export_rows, \"allow_pii\": $allow_pii_bool, \"allowed_collections\": [\"*\"]},"
 fi

package/bin/aport-guardrail-bash.sh

@@ -145,8 +145,9 @@ write_decision() {
             issued_at: $issued_at,
             expires_at: $expires_at,
             passport_digest: $passport_digest,
-            signature: "ed25519:local-unsigned",
+            signature: "local-unsigned",
             kid: "oap:local:dev-key",
+            verification_mode: "local",
             prev_decision_id: (if $prev_decision_id == "" then null else $prev_decision_id end),
             prev_content_hash: (if $prev_content_hash == "" then null else $prev_content_hash end)
         }')
@@ -163,13 +164,17 @@ write_decision() {
     # Update chain state for next decision (best-effort; do not block or fail the script)
     echo "{\"last_decision_id\":\"$decision_id\",\"last_content_hash\":\"$content_hash\"}" > "$chain_state" 2> /dev/null || true
 
-    # Audit trail is non-core: append in background so it never blocks the tool call.
-    # Include capability context (command, recipient, repo/branch) when set.
     audit_context=""
     if [ -n "${CONTEXT_SUMMARY:-}" ]; then
         audit_context=" context=\"${CONTEXT_SUMMARY}\""
     fi
-    (echo "[$(date -u +%Y-%m-%d\ %H:%M:%S)] tool=$TOOL_NAME decision_id=$decision_id allow=$allow policy=$policy_id code=$deny_code${audit_context}" >> "$AUDIT_LOG") 2> /dev/null &
+    audit_entry="[$(date -u +%Y-%m-%d\ %H:%M:%S)] tool=$TOOL_NAME decision_id=$decision_id allow=$allow policy=$policy_id code=$deny_code${audit_context}"
+
+    if [ "$allow" = "false" ]; then
+        echo "$audit_entry" >> "$AUDIT_LOG" 2> /dev/null || true
+    else
+        (echo "$audit_entry" >> "$AUDIT_LOG") 2> /dev/null &
+    fi
 
     if [ "$allow" = "true" ]; then
         exit 0
@@ -211,20 +216,49 @@ fi
 # Map tool to policy pack ID
 POLICY_ID=""
 case "$TOOL_NAME" in
-    git.create_pr | git.merge | git.push)
+    git.create_pr | git.merge | git.push | git.*)
         POLICY_ID="code.repository.merge.v1"
         ;;
-    exec.run | exec.* | system.*)
+    exec | exec.run | exec.* | system.* | bash | shell | command)
         POLICY_ID="system.command.execute.v1"
         ;;
-    message.send | message.* | messaging.*)
+    gateway | gateway.* | process | process.*)
+        # High risk operations - treat as command execution
+        POLICY_ID="system.command.execute.v1"
+        ;;
+    message.send | message.* | messaging.* | sms | whatsapp | slack | email)
         POLICY_ID="messaging.message.send.v1"
         ;;
-    payment.* | finance.*)
+    read | file.read | file.read.* | data.file.read | data.file.read.*)
+        POLICY_ID="data.file.read.v1"
+        ;;
+    write | edit | file.write | file.write.* | file.edit | file.edit.* | data.file.write | data.file.write.*)
+        POLICY_ID="data.file.write.v1"
+        ;;
+    web_fetch | webfetch | web.fetch | web.fetch.* | web_search | websearch | web.search | web.search.*)
+        POLICY_ID="web.fetch.v1"
+        ;;
+    browser | browser.* | web.browser | web.browser.*)
+        POLICY_ID="web.browser.v1"
+        ;;
+    mcp.*)
+        POLICY_ID="mcp.tool.execute.v1"
+        ;;
+    agent.session.* | session.create | session.* | sessions.* | sessions_spawn | sessions_send)
+        POLICY_ID="agent.session.create.v1"
+        ;;
+    cron | cron.*)
+        # Scheduled tasks - treat as session management
+        POLICY_ID="agent.session.create.v1"
+        ;;
+    agent.tool.* | tool.register)
+        POLICY_ID="agent.tool.register.v1"
+        ;;
+    payment.refund | refund | payment.charge | charge | payment.* | finance.*)
         POLICY_ID="finance.payment.refund.v1"
         ;;
-    database.write | database.insert | database.update | database.delete | data.export)
-        POLICY_ID="data.export.v1"
+    database.write | database.insert | database.update | database.delete | data.export | data.export.*)
+        POLICY_ID="data.export.create.v1"
         ;;
     *)
         # Unknown tool - deny by default for security
@@ -232,7 +266,7 @@ case "$TOOL_NAME" in
         ;;
 esac
 
-# Capability-specific context summary for audit log (command, recipient, repo/branch, etc.)
+# Capability-specific context summary for audit log (command, recipient, repo/branch, file_path, etc.)
 CONTEXT_SUMMARY=""
 if [ -n "$CONTEXT_JSON" ] && [ "$CONTEXT_JSON" != "{}" ]; then
     if [[ "$POLICY_ID" == "system.command.execute"* ]]; then
@@ -244,6 +278,17 @@ if [ -n "$CONTEXT_JSON" ] && [ "$CONTEXT_JSON" != "{}" ]; then
         BRANCH=$(echo "$CONTEXT_JSON" | jq -r '.branch // ""' 2> /dev/null || true)
         [ -n "$REPO" ] && CONTEXT_SUMMARY="$REPO"
         [ -n "$BRANCH" ] && CONTEXT_SUMMARY="${CONTEXT_SUMMARY:+$CONTEXT_SUMMARY }$BRANCH"
+    elif [[ "$POLICY_ID" == "data.file.read.v1" ]] || [[ "$POLICY_ID" == "data.file.write.v1" ]]; then
+        CONTEXT_SUMMARY=$(echo "$CONTEXT_JSON" | jq -r '.file_path // .path // ""' 2> /dev/null || true)
+    elif [[ "$POLICY_ID" == "web.fetch.v1" ]]; then
+        CONTEXT_SUMMARY=$(echo "$CONTEXT_JSON" | jq -r '.url // ""' 2> /dev/null || true)
+    elif [[ "$POLICY_ID" == "web.browser.v1" ]]; then
+        ACTION=$(echo "$CONTEXT_JSON" | jq -r '.action // ""' 2> /dev/null || true)
+        URL=$(echo "$CONTEXT_JSON" | jq -r '.url // ""' 2> /dev/null || true)
+        [ -n "$ACTION" ] && CONTEXT_SUMMARY="$ACTION"
+        [ -n "$URL" ] && CONTEXT_SUMMARY="${CONTEXT_SUMMARY:+$CONTEXT_SUMMARY }$URL"
+    elif [[ "$POLICY_ID" == "agent.session.create.v1" ]]; then
+        CONTEXT_SUMMARY=$(echo "$CONTEXT_JSON" | jq -r '.session_id // .agent_id // ""' 2> /dev/null || true)
     fi
     # Sanitize for one-line audit: no newlines, truncate, escape double quotes
     if [ -n "$CONTEXT_SUMMARY" ]; then
@@ -360,7 +405,26 @@ if [[ "$POLICY_ID" == "system.command.execute"* ]]; then
             write_decision false "$POLICY_ID" "oap.command_not_allowed" "Command '$COMMAND' is not in allowed list"
         fi
 
-        # Check blocked patterns using safe pattern matching
+        # Check built-in security patterns (surgical - dangerous operations only)
+        # These are always enforced to prevent catastrophic damage
+        if [[ "$COMMAND" =~ rm[[:space:]]+-[^[:space:]]*r[^[:space:]]*f[^[:space:]]*[[:space:]]+/[[:space:]]*$ ]] \
+            || [[ "$COMMAND" =~ rm[[:space:]]+-[^[:space:]]*r[^[:space:]]*f[^[:space:]]+/\* ]]; then
+            write_decision false "$POLICY_ID" "oap.dangerous_operation" "Destructive file operation: rm -rf / or rm -rf /*"
+        fi
+        if [[ "$COMMAND" =~ dd[[:space:]]+if=/dev/ ]]; then
+            write_decision false "$POLICY_ID" "oap.dangerous_operation" "Dangerous disk operation: dd if=/dev/"
+        fi
+        if [[ "$COMMAND" =~ mkfs\. ]]; then
+            write_decision false "$POLICY_ID" "oap.dangerous_operation" "Filesystem creation: mkfs"
+        fi
+        if [[ "$COMMAND" =~ (curl|wget)[[:space:]][^\|]*\|[[:space:]]*(bash|sh|zsh|python|node) ]]; then
+            write_decision false "$POLICY_ID" "oap.dangerous_operation" "Download-and-execute pattern detected"
+        fi
+        if [[ "$COMMAND" =~ :\(\)[[:space:]]*\{[[:space:]]*:[[:space:]]*\|[[:space:]]*:[[:space:]]*\&[[:space:]]*\} ]] || [[ "$COMMAND" =~ fork\(\) ]]; then
+            write_decision false "$POLICY_ID" "oap.dangerous_operation" "Fork bomb detected"
+        fi
+
+        # Check user-defined blocked patterns using safe pattern matching
         while IFS= read -r pattern; do
             [ -z "$pattern" ] && continue
             # Use safe_pattern_match instead of bash glob patterns
@@ -390,5 +454,86 @@ if [[ "$POLICY_ID" == "messaging.message.send"* ]]; then
     fi
 fi
 
+# File read policy evaluation
+if [[ "$POLICY_ID" == "data.file.read.v1" ]]; then
+    FILE_PATH=$(echo "$CONTEXT_JSON" | jq -r '.file_path // .path // ""')
+    if [ -n "$FILE_PATH" ]; then
+        # Check allowed paths
+        PATH_ALLOWED=false
+        while IFS= read -r allowed_path; do
+            [ -z "$allowed_path" ] && continue
+            # Use safe prefix matching
+            if [[ "$FILE_PATH" == "$allowed_path"* ]] || [ "$allowed_path" = "*" ]; then
+                PATH_ALLOWED=true
+                break
+            fi
+        done < <(echo "$LIMITS" | jq -r '.allowed_paths[]? // empty')
+
+        HAS_ALLOWED=$(echo "$LIMITS" | jq -r '.allowed_paths | length' 2> /dev/null || echo "0")
+        if [ "$PATH_ALLOWED" = false ] && [ "${HAS_ALLOWED:-0}" -gt 0 ] 2> /dev/null; then
+            write_decision false "$POLICY_ID" "oap.path_not_allowed" "File path '$FILE_PATH' is not in allowed list"
+        fi
+
+        # Check blocked patterns (SSH keys, credentials, .env files)
+        while IFS= read -r pattern; do
+            [ -z "$pattern" ] && continue
+            # Simple glob-style matching for blocked patterns
+            if [[ "$FILE_PATH" == *"$pattern"* ]] || [[ "$FILE_PATH" == $pattern ]]; then
+                write_decision false "$POLICY_ID" "oap.blocked_pattern" "File path matches blocked pattern: $pattern"
+            fi
+        done < <(echo "$LIMITS" | jq -r '.blocked_patterns[]? // empty')
+    fi
+fi
+
+# File write policy evaluation
+if [[ "$POLICY_ID" == "data.file.write.v1" ]]; then
+    FILE_PATH=$(echo "$CONTEXT_JSON" | jq -r '.file_path // .path // ""')
+    if [ -n "$FILE_PATH" ]; then
+        # Check allowed paths
+        PATH_ALLOWED=false
+        while IFS= read -r allowed_path; do
+            [ -z "$allowed_path" ] && continue
+            # Use safe prefix matching
+            if [[ "$FILE_PATH" == "$allowed_path"* ]] || [ "$allowed_path" = "*" ]; then
+                PATH_ALLOWED=true
+                break
+            fi
+        done < <(echo "$LIMITS" | jq -r '.allowed_paths[]? // empty')
+
+        HAS_ALLOWED=$(echo "$LIMITS" | jq -r '.allowed_paths | length' 2> /dev/null || echo "0")
+        if [ "$PATH_ALLOWED" = false ] && [ "${HAS_ALLOWED:-0}" -gt 0 ] 2> /dev/null; then
+            write_decision false "$POLICY_ID" "oap.path_not_allowed" "File path '$FILE_PATH' is not in allowed list"
+        fi
+
+        # Check blocked paths (system directories)
+        while IFS= read -r blocked_path; do
+            [ -z "$blocked_path" ] && continue
+            # Prefix match for blocked system dirs
+            if [[ "$FILE_PATH" == "$blocked_path"* ]]; then
+                write_decision false "$POLICY_ID" "oap.path_blocked" "Writing to system directory is not allowed: $blocked_path"
+            fi
+        done < <(echo "$LIMITS" | jq -r '.blocked_paths[]? // empty')
+
+        # Check allowed extensions (if configured)
+        if [ -n "$(echo "$LIMITS" | jq -r '.allowed_extensions | length' 2> /dev/null)" ]; then
+            FILE_EXT=$(echo "$FILE_PATH" | grep -o '\.[^.]*$' | tr '[:upper:]' '[:lower:]')
+            if [ -n "$FILE_EXT" ]; then
+                EXT_ALLOWED=false
+                while IFS= read -r allowed_ext; do
+                    [ -z "$allowed_ext" ] && continue
+                    if [ "$FILE_EXT" = "$allowed_ext" ]; then
+                        EXT_ALLOWED=true
+                        break
+                    fi
+                done < <(echo "$LIMITS" | jq -r '.allowed_extensions[]? // empty')
+
+                if [ "$EXT_ALLOWED" = false ]; then
+                    write_decision false "$POLICY_ID" "oap.extension_not_allowed" "File extension $FILE_EXT is not allowed"
+                fi
+            fi
+        fi
+    fi
+fi
+
 # All checks passed - allow
 write_decision true "$POLICY_ID" "oap.allowed" "All policy checks passed"

package/bin/aport-status.sh

@@ -129,6 +129,18 @@ jq -r '.limits | keys[]? // empty' $PASSPORT_FILE | while read policy; do
             msgs_per_day=$(jq -r ".limits.\"$policy\".msgs_per_day // \"unlimited\"" $PASSPORT_FILE)
             echo "     - Messages/day: $msgs_per_day"
             ;;
+        "data.file.read")
+            allowed_paths=$(jq ".limits.\"$policy\".allowed_paths | length" $PASSPORT_FILE 2> /dev/null || echo "0")
+            blocked_patterns=$(jq ".limits.\"$policy\".blocked_patterns | length" $PASSPORT_FILE 2> /dev/null || echo "0")
+            echo "     - Allowed paths: $allowed_paths"
+            echo "     - Blocked patterns: $blocked_patterns"
+            ;;
+        "data.file.write")
+            allowed_paths=$(jq ".limits.\"$policy\".allowed_paths | length" $PASSPORT_FILE 2> /dev/null || echo "0")
+            blocked_paths=$(jq ".limits.\"$policy\".blocked_paths | length" $PASSPORT_FILE 2> /dev/null || echo "0")
+            echo "     - Allowed paths: $allowed_paths"
+            echo "     - Blocked paths: $blocked_paths"
+            ;;
         "data.export")
             max_rows=$(jq -r ".limits.\"$policy\".max_rows // \"unlimited\"" $PASSPORT_FILE)
             allow_pii=$(jq -r ".limits.\"$policy\".allow_pii // false" $PASSPORT_FILE)
@@ -140,6 +152,18 @@ done
 
 echo
 
+# Protection coverage
+echo "🛡️  APort Protection Coverage"
+echo "   System commands: ✅ Protected (system.command.execute.v1)"
+echo "   File reads: ✅ Protected (data.file.read.v1)"
+echo "   File writes: ✅ Protected (data.file.write.v1)"
+echo "   Messaging: ✅ Protected (messaging.message.send.v1)"
+echo "   Git operations: ✅ Protected (code.repository.merge.v1)"
+echo "   MCP tools: ✅ Protected (mcp.tool.execute.v1)"
+echo
+
+echo
+
 # Latest decision (OAP v1.0 format)
 if [ -f "$DECISION_FILE" ]; then
     echo "🔍 Latest Decision"

package/docs/OPENCLAW_TOOLS_AND_POLICIES.md

@@ -27,11 +27,35 @@ Per the **Open Agent Passport (OAP) spec**, the passport has a **limits** object
 
 ---
 
-## read, write, and other unmapped tools
+## read, write, and file operations (NOW PROTECTED)
+
+- **read** and **write** are **now mapped** to APort policies:
+  - **read** → `data.file.read.v1` (enforces path allowlists, blocked patterns for SSH keys/credentials/.env)
+  - **write** → `data.file.write.v1` (enforces path allowlists, blocks system directories, optional extension restrictions)
+- **Middleware param spreading:** The LangChain and CrewAI Node middlewares automatically parse tool input JSON and spread parameters (e.g. `file_path`) into the top-level verification context. This is required because the API's policy schema validates `file_path` as a required field. Without this, `read`/`write` tool calls would fail with 400 Bad Request.
+- Configure passport limits for file operations:
+  - `limits.data.file.read.allowed_paths` - Array of allowed path prefixes (e.g. `["/tmp/*", "/home/user/projects/*"]`)
+  - `limits.data.file.read.blocked_patterns` - Array of patterns to block (e.g. `["**/.ssh/**", "**/.env"]`)
+  - `limits.data.file.write.allowed_paths` - Array of allowed write paths
+  - `limits.data.file.write.blocked_paths` - Array of system directories to block (e.g. `["/etc/**", "/bin/**"]`)
+- Other tools like **edit**, **apply_patch**, **browser**, **cron**, **gateway**, **sessions_***, **nodes**, **image**, **web_search**, **web_fetch** remain **unmapped** and **allowed** by default (when `allowUnmappedTools: true`).
 
-- **read**, **write**, **edit**, **apply_patch**, **browser**, **cron**, **gateway**, **sessions_***, **nodes**, **image**, **web_search**, **web_fetch** are **not** mapped to any APort policy in this plugin. They are **unmapped** and **allowed** by default (when `allowUnmappedTools: true`). So **read is enabled** by default: the plugin sees no policy for `read`, returns allow, and OpenClaw runs the read tool.
-- A failure like **read failed: ENOENT: no such file or directory** is the **tool** failing (e.g. wrong path or missing file, such as `config.json` when the app uses `config.yaml`), not the guardrail blocking. The guardrail already allowed the call; the error happens when the tool executes.
-- To enforce policy on file access you would add a new policy (e.g. **file.read.v1**) and map **read** to it in the plugin, with passport limits (e.g. **allowed_paths**). That is not implemented today.
+---
+
+## Passport-configurable path overrides
+
+The `system.command.execute.v1` policy includes hardcoded security patterns that block access to sensitive system directories (`/etc/`, `/sys/`, `/proc/`, etc.), sensitive hidden files, credential files, and more. Passport owners can override **path-sensitivity heuristics** by setting `limits.allowed_paths` or `limits.allowed_directories` in the passport:
+
+```json
+{
+  "limits": {
+    "allowed_paths": ["/root/", "/home/agent/work/"],
+    "allowed_commands": ["*"]
+  }
+}
+```
+
+When `allowed_paths` is set and the command references one of those paths, overridable rules (like "Access to sensitive system directories" or "Access to secrets and credentials files") are skipped. **Catastrophic protections are never overridable** — fork bombs, `rm -rf /`, reverse shells, `nc`/`netcat`, and `find -exec rm` are always blocked regardless of passport config.
 
 ---
 
@@ -42,8 +66,10 @@ Per the **Open Agent Passport (OAP) spec**, the passport has a **limits** object
 | exec                     | system.command.execute.v1 | limits.system.command.execute            |
 | message, messaging.*     | messaging.message.send.v1 | limits.messaging                         |
 | git.*                    | code.repository.merge.v1  | limits.code.repository.merge             |
+| read                     | data.file.read.v1         | limits.data.file.read                    |
+| write                    | data.file.write.v1        | limits.data.file.write                   |
 | mcp.*                    | mcp.tool.execute.v1       | (API / MCP limits)                       |
-| read, write, edit, etc.  | *(none)*                  | *(unmapped, allowed by default)*         |
+| edit, browser, etc.      | *(none)*                  | *(unmapped, allowed by default)*         |
 
 ---