@aporthq/aport-agent-guardrails 1.0.13 → 1.0.15

package/bin/agent-guardrails

@@ -54,7 +54,25 @@ while [[ $# -gt 0 ]]; do
   esac
 done
 
-# If no framework from args, try APORT_FRAMEWORK (non-interactive) or detection
+# If no framework from args, check if first REST argument is a framework name
+if [[ -z "$framework" ]] && [[ ${#REST[@]} -gt 0 ]]; then
+  first_arg="${REST[0]}"
+  # Check if first arg looks like a framework name (lowercase alphanumeric + hyphen)
+  if [[ "$first_arg" =~ ^[a-z0-9-]+$ ]]; then
+    # Valid framework names
+    valid_frameworks=(openclaw langchain crewai cursor claude-code n8n)
+    for valid_fw in "${valid_frameworks[@]}"; do
+      if [[ "$first_arg" == "$valid_fw" ]]; then
+        framework="$first_arg"
+        # Remove framework from REST so remaining args are pass-through
+        REST=("${REST[@]:1}")
+        break
+      fi
+    done
+  fi
+fi
+
+# If still no framework from args, try APORT_FRAMEWORK (non-interactive) or detection
 if [[ -z "$framework" ]]; then
   if [[ -n "${APORT_FRAMEWORK:-}" ]]; then
     framework="$APORT_FRAMEWORK"

package/bin/aport-create-passport.sh

@@ -109,6 +109,64 @@ DEFAULT_AGENT_NAME=${DEFAULT_AGENT_NAME:-"OpenClaw Agent"}
 DEFAULT_AGENT_DESC=$(get_identity_description) || true
 DEFAULT_AGENT_DESC=${DEFAULT_AGENT_DESC:-"Local OpenClaw AI agent with APort guardrails"}
 
+# Framework-aware defaults: each framework needs different capabilities to function
+case "${APORT_FRAMEWORK:-}" in
+    claude-code)
+        # Claude Code: file ops, web, sub-agents, MCP tools are core functionality
+        DEFAULT_FILE_READ=y
+        DEFAULT_FILE_WRITE=y
+        DEFAULT_WEB_FETCH=y
+        DEFAULT_WEB_BROWSER=y
+        DEFAULT_AGENT_SESSION=y
+        DEFAULT_MCP_TOOL=y
+        ;;
+    cursor)
+        # Cursor: IDE with shell, file ops, web search, agent mode
+        DEFAULT_FILE_READ=y
+        DEFAULT_FILE_WRITE=y
+        DEFAULT_WEB_FETCH=y
+        DEFAULT_WEB_BROWSER=n
+        DEFAULT_AGENT_SESSION=y
+        DEFAULT_MCP_TOOL=n
+        ;;
+    crewai)
+        # CrewAI: multi-agent framework — agents spawn sub-agents, use tools
+        DEFAULT_FILE_READ=y
+        DEFAULT_FILE_WRITE=y
+        DEFAULT_WEB_FETCH=y
+        DEFAULT_WEB_BROWSER=n
+        DEFAULT_AGENT_SESSION=y
+        DEFAULT_MCP_TOOL=y
+        ;;
+    langchain)
+        # LangChain/LangGraph: tool calling, web, files
+        DEFAULT_FILE_READ=y
+        DEFAULT_FILE_WRITE=y
+        DEFAULT_WEB_FETCH=y
+        DEFAULT_WEB_BROWSER=n
+        DEFAULT_AGENT_SESSION=n
+        DEFAULT_MCP_TOOL=n
+        ;;
+    n8n)
+        # n8n: workflow automation — HTTP, file, database, messaging
+        DEFAULT_FILE_READ=y
+        DEFAULT_FILE_WRITE=y
+        DEFAULT_WEB_FETCH=y
+        DEFAULT_WEB_BROWSER=n
+        DEFAULT_AGENT_SESSION=n
+        DEFAULT_MCP_TOOL=n
+        ;;
+    *)
+        # Generic / unknown framework: conservative defaults
+        DEFAULT_FILE_READ=n
+        DEFAULT_FILE_WRITE=n
+        DEFAULT_WEB_FETCH=n
+        DEFAULT_WEB_BROWSER=n
+        DEFAULT_AGENT_SESSION=n
+        DEFAULT_MCP_TOOL=n
+        ;;
+esac
+
 if [ -n "$NON_INTERACTIVE" ]; then
     # CI/tests: use defaults, no prompts. Use --output or APORT_FRAMEWORK for default path. Match interactive defaults (README: messaging out of the box).
     owner_id="$DEFAULT_EMAIL"
@@ -119,10 +177,12 @@ if [ -n "$NON_INTERACTIVE" ]; then
     exec_cap=y
     msg_cap=y
     data_cap=n
-    file_read_cap=n
-    file_write_cap=n
-    web_fetch_cap=n
-    web_browser_cap=n
+    file_read_cap=$DEFAULT_FILE_READ
+    file_write_cap=$DEFAULT_FILE_WRITE
+    web_fetch_cap=$DEFAULT_WEB_FETCH
+    web_browser_cap=$DEFAULT_WEB_BROWSER
+    agent_session_cap=$DEFAULT_AGENT_SESSION
+    mcp_tool_cap=$DEFAULT_MCP_TOOL
     max_pr_size=500
     max_prs_per_day=10
     max_msgs_per_day=100
@@ -195,7 +255,11 @@ else
     # Choose capabilities
     echo "  🔐 Capabilities"
     echo "  ───────────────"
-    echo "  Choose what your agent can do (y/n). Defaults: PRs, exec, and messaging = yes (matches README/docs); others = no."
+    if [ "${APORT_FRAMEWORK:-}" = "claude-code" ]; then
+        echo "  Choose what your agent can do (y/n). Claude Code defaults: most capabilities = yes."
+    else
+        echo "  Choose what your agent can do (y/n). Defaults: PRs, exec, and messaging = yes (matches README/docs); others = no."
+    fi
     echo ""
     read -p "  • Create and merge pull requests? [Y/n]: " pr_cap
     pr_cap=${pr_cap:-y}
@@ -206,21 +270,51 @@ else
     read -p "  • Send messages (email, SMS, etc.)? [Y/n]: " msg_cap
     msg_cap=${msg_cap:-y}
 
-    read -p "  • Read files from disk? [y/N]: " file_read_cap
-    file_read_cap=${file_read_cap:-n}
+    if [ "$DEFAULT_FILE_READ" = "y" ]; then
+        read -p "  • Read files from disk? [Y/n]: " file_read_cap
+    else
+        read -p "  • Read files from disk? [y/N]: " file_read_cap
+    fi
+    file_read_cap=${file_read_cap:-$DEFAULT_FILE_READ}
 
-    read -p "  • Write/edit files on disk? [y/N]: " file_write_cap
-    file_write_cap=${file_write_cap:-n}
+    if [ "$DEFAULT_FILE_WRITE" = "y" ]; then
+        read -p "  • Write/edit files on disk? [Y/n]: " file_write_cap
+    else
+        read -p "  • Write/edit files on disk? [y/N]: " file_write_cap
+    fi
+    file_write_cap=${file_write_cap:-$DEFAULT_FILE_WRITE}
 
-    read -p "  • Fetch data from web (HTTP requests)? [y/N]: " web_fetch_cap
-    web_fetch_cap=${web_fetch_cap:-n}
+    if [ "$DEFAULT_WEB_FETCH" = "y" ]; then
+        read -p "  • Fetch data from web (HTTP requests)? [Y/n]: " web_fetch_cap
+    else
+        read -p "  • Fetch data from web (HTTP requests)? [y/N]: " web_fetch_cap
+    fi
+    web_fetch_cap=${web_fetch_cap:-$DEFAULT_WEB_FETCH}
 
-    read -p "  • Automate web browser? [y/N]: " web_browser_cap
-    web_browser_cap=${web_browser_cap:-n}
+    if [ "$DEFAULT_WEB_BROWSER" = "y" ]; then
+        read -p "  • Automate web browser? [Y/n]: " web_browser_cap
+    else
+        read -p "  • Automate web browser? [y/N]: " web_browser_cap
+    fi
+    web_browser_cap=${web_browser_cap:-$DEFAULT_WEB_BROWSER}
 
     read -p "  • Export data (database, files, etc.)? [y/N]: " data_cap
     data_cap=${data_cap:-n}
 
+    if [ "$DEFAULT_AGENT_SESSION" = "y" ]; then
+        read -p "  • Spawn sub-agents and tasks? [Y/n]: " agent_session_cap
+    else
+        read -p "  • Spawn sub-agents and tasks? [y/N]: " agent_session_cap
+    fi
+    agent_session_cap=${agent_session_cap:-$DEFAULT_AGENT_SESSION}
+
+    if [ "$DEFAULT_MCP_TOOL" = "y" ]; then
+        read -p "  • Use MCP tools (external integrations)? [Y/n]: " mcp_tool_cap
+    else
+        read -p "  • Use MCP tools (external integrations)? [y/N]: " mcp_tool_cap
+    fi
+    mcp_tool_cap=${mcp_tool_cap:-$DEFAULT_MCP_TOOL}
+
     echo ""
 
     # Configure limits
@@ -351,6 +445,12 @@ fi
 if [ "$data_cap" = "y" ] || [ "$data_cap" = "Y" ]; then
     capabilities_json="$capabilities_json{\"id\": \"data.export\"},"
 fi
+if [ "${agent_session_cap:-n}" = "y" ] || [ "${agent_session_cap:-n}" = "Y" ]; then
+    capabilities_json="$capabilities_json{\"id\": \"agent.session.create\"},"
+fi
+if [ "${mcp_tool_cap:-n}" = "y" ] || [ "${mcp_tool_cap:-n}" = "Y" ]; then
+    capabilities_json="$capabilities_json{\"id\": \"mcp.tool.execute\"},"
+fi
 # Remove trailing comma
 capabilities_json="${capabilities_json%,}]"
 
@@ -438,6 +538,14 @@ if [ "$data_cap" = "y" ] || [ "$data_cap" = "Y" ]; then
     limits_json="$limits_json\"data.export\": {\"max_rows\": $max_export_rows, \"allow_pii\": $allow_pii_bool, \"allowed_collections\": [\"*\"]},"
 fi
 
+if [ "${agent_session_cap:-n}" = "y" ] || [ "${agent_session_cap:-n}" = "Y" ]; then
+    limits_json="$limits_json\"agent.session.create\": {\"max_concurrent\": 10},"
+fi
+
+if [ "${mcp_tool_cap:-n}" = "y" ] || [ "${mcp_tool_cap:-n}" = "Y" ]; then
+    limits_json="$limits_json\"mcp.tool.execute\": {\"allowed_servers\": [\"*\"]},"
+fi
+
 # Remove trailing comma
 limits_json="${limits_json%,}}"
 
@@ -540,7 +648,13 @@ echo "  🔐 Capabilities:"
 [ "$pr_cap" = "y" ] || [ "$pr_cap" = "Y" ] && echo "    • Create and merge pull requests"
 [ "$exec_cap" = "y" ] || [ "$exec_cap" = "Y" ] && echo "    • Execute system commands"
 [ "$msg_cap" = "y" ] || [ "$msg_cap" = "Y" ] && echo "    • Send messages"
+[ "$file_read_cap" = "y" ] || [ "$file_read_cap" = "Y" ] && echo "    • Read files"
+[ "$file_write_cap" = "y" ] || [ "$file_write_cap" = "Y" ] && echo "    • Write/edit files"
+[ "$web_fetch_cap" = "y" ] || [ "$web_fetch_cap" = "Y" ] && echo "    • Fetch from web"
+[ "$web_browser_cap" = "y" ] || [ "$web_browser_cap" = "Y" ] && echo "    • Automate browser"
 [ "$data_cap" = "y" ] || [ "$data_cap" = "Y" ] && echo "    • Export data"
+[ "${agent_session_cap:-n}" = "y" ] || [ "${agent_session_cap:-n}" = "Y" ] && echo "    • Spawn sub-agents and tasks"
+[ "${mcp_tool_cap:-n}" = "y" ] || [ "${mcp_tool_cap:-n}" = "Y" ] && echo "    • Use MCP tools"
 echo ""
 echo "  📝 Next steps:"
 echo "    • Review limits:  vim $PASSPORT_FILE"

package/bin/aport-cursor-hook.sh

@@ -1,9 +1,12 @@
 #!/usr/bin/env bash
-# APort Cursor/Copilot/Claude Code hook: read JSON from stdin, call guardrail, return allow/deny; exit 2 = block.
-# Compatible with Cursor (beforeShellExecution, preToolUse), VS Code Copilot, and Claude Code.
-# Input: JSON with "command" and/or "tool"/"name"/"input" (host-dependent). We map to system.command.execute.
-# Output: JSON with "permission": "allow"|"deny" (Cursor) and "allowed": true|false; optional "agentMessage"/"reason".
-# Exit: 0 = allow, 2 = block (deny). Other exits = hook error (host may proceed or fail-open).
+# APort Cursor hook: reads JSON from stdin, maps tool to APort policy, calls guardrail.
+# Handles all Cursor hook events: beforeShellExecution, preToolUse, beforeMCPExecution,
+# beforeReadFile, subagentStart.
+# Output: JSON with "permission": "allow"|"deny"; optional "agentMessage"/"user_message".
+# Exit: 0 = allow, 2 = block (deny). Other exits = hook error (Cursor may fail-open).
+#
+# Cursor preToolUse tool_name values: Shell, Read, Write, Grep, Delete, Task, MCP:<name>
+# See: https://cursor.com/docs/hooks
 
 set -e
 
@@ -11,14 +14,13 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 ROOT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
 GUARDRAIL="$ROOT_DIR/bin/aport-guardrail-bash.sh"
 
-# Passport/config: resolver probes ~/.cursor, ~/.openclaw, ~/.aport/langchain, etc. when OPENCLAW_CONFIG_DIR not set
+# Passport/config: resolver probes ~/.cursor, ~/.openclaw, ~/.aport/*, etc.
 # shellcheck source=bin/aport-resolve-paths.sh
 . "$ROOT_DIR/bin/aport-resolve-paths.sh"
 
 # Read stdin (single JSON object; Cursor sends one payload per invocation)
 INPUT=""
 if [ -t 0 ]; then
-    # No stdin (e.g. manual test): treat as allow to avoid blocking
     INPUT='{}'
 else
     INPUT="$(cat)"
@@ -30,61 +32,145 @@ if [ -z "$INPUT" ]; then
     exit 0
 fi
 
-# Parse and normalize to tool + context for guardrail
-# Cursor beforeShellExecution: { "command": "..." }
-# preToolUse / Copilot: { "tool": "runTerminalCommand", "input": { "command": "..." } } or similar
-TOOL_NAME="exec.run"
+# Require jq for JSON parsing
+if ! command -v jq &> /dev/null; then
+    echo '{"permission":"deny","allowed":false,"agentMessage":"APort: jq is required"}'
+    exit 2
+fi
+
+# Deny helper: outputs Cursor-format JSON and exits 2
+deny() {
+    local reason="$1"
+    jq -n -c --arg reason "$reason" \
+        '{permission:"deny",allowed:false,agentMessage:$reason,reason:$reason}'
+    exit 2
+}
+
+# Safe jq extraction: returns '{}' on any jq error
+safe_jq() {
+    local input="$1" filter="$2"
+    local result
+    result="$(echo "$input" | jq -c "$filter" 2> /dev/null)" || result='{}'
+    [ -z "$result" ] && result='{}'
+    echo "$result"
+}
+
+# Detect hook event type from input fields and route accordingly.
+# Cursor sends different JSON shapes per hook event:
+#   beforeShellExecution: { "command": "...", "cwd": "..." }
+#   preToolUse:           { "tool_name": "Shell|Read|Write|...", "tool_input": {...} }
+#   beforeMCPExecution:   { "tool_name": "...", "tool_input": {...}, "server": "..." }
+#   beforeReadFile:       { "file_path": "...", "content": "..." }
+#   subagentStart:        { "subagent_id": "...", "subagent_type": "...", "task": "..." }
+# We detect by checking for distinguishing fields.
+
+GUARDRAIL_TOOL=""
 CONTEXT_JSON="{}"
-if command -v jq &> /dev/null; then
-    CMD=$(echo "$INPUT" | jq -r '.command // .input.command // .input.cmd // .args[0] // ""')
-    if [ -n "$CMD" ] && [ "$CMD" != "null" ]; then
-        CONTEXT_JSON=$(echo "$INPUT" | jq -c '{command: (.command // .input.command // .input.cmd), args: (.args // .input.args // [])}' 2> /dev/null || echo "{}")
-        if [ -z "$CONTEXT_JSON" ] || [ "$CONTEXT_JSON" = "null" ]; then
-            CONTEXT_JSON=$(jq -n -c --arg cmd "$CMD" '{command: $cmd}')
-        fi
-    fi
-    # If no command found, still pass through; guardrail may deny unknown
-    if [ -z "$CONTEXT_JSON" ] || [ "$CONTEXT_JSON" = "null" ]; then
-        CONTEXT_JSON="$INPUT"
-    fi
+
+# Check for hook_event_name first (newer Cursor versions include it)
+HOOK_EVENT="$(echo "$INPUT" | jq -r '.hook_event_name // ""' 2> /dev/null)"
+TOOL_NAME="$(echo "$INPUT" | jq -r '.tool_name // ""' 2> /dev/null)"
+
+if [ "$HOOK_EVENT" = "beforeReadFile" ] || { [ -z "$HOOK_EVENT" ] && [ -z "$TOOL_NAME" ] && echo "$INPUT" | jq -e '.file_path and .content' &> /dev/null; }; then
+    # beforeReadFile: file reads — allow without evaluator (same as Claude Code)
+    exit 0
+
+elif [ "$HOOK_EVENT" = "subagentStart" ] || { [ -z "$HOOK_EVENT" ] && echo "$INPUT" | jq -e '.subagent_id' &> /dev/null; }; then
+    # subagentStart: sub-agent spawning
+    GUARDRAIL_TOOL="session.create"
+    CONTEXT_JSON="$(safe_jq "$INPUT" '{description: (.task // ""), subagent_type: (.subagent_type // "")}')"
+
+elif [ "$HOOK_EVENT" = "beforeMCPExecution" ] || { [ -n "$TOOL_NAME" ] && echo "$INPUT" | jq -e '.server // .url' &> /dev/null; }; then
+    # beforeMCPExecution: MCP tool calls (has server/url field)
+    GUARDRAIL_TOOL="mcp.tool"
+    CONTEXT_JSON="$(safe_jq "$INPUT" '{tool_name: (.tool_name // ""), tool_input: (.tool_input // {})}')"
+
+elif [ -n "$TOOL_NAME" ]; then
+    # preToolUse: Cursor tool names — Shell, Read, Write, Grep, Delete, Task, MCP:<name>
+    case "$TOOL_NAME" in
+        Shell)
+            GUARDRAIL_TOOL="bash"
+            CONTEXT_JSON="$(safe_jq "$INPUT" '{command: (.tool_input.command // "")}')"
+            ;;
+        Read | Grep)
+            # Read-family: allow without calling evaluator
+            exit 0
+            ;;
+        Write)
+            GUARDRAIL_TOOL="write"
+            CONTEXT_JSON="$(safe_jq "$INPUT" '{file_path: (.tool_input.file_path // .tool_input.path // "")}')"
+            ;;
+        Delete)
+            GUARDRAIL_TOOL="write"
+            CONTEXT_JSON="$(safe_jq "$INPUT" '{file_path: (.tool_input.file_path // .tool_input.path // "")}')"
+            ;;
+        Task)
+            GUARDRAIL_TOOL="session.create"
+            CONTEXT_JSON="$(safe_jq "$INPUT" '{description: (.tool_input.description // .tool_input.prompt // "")}')"
+            ;;
+        MCP:*)
+            GUARDRAIL_TOOL="mcp.tool"
+            CONTEXT_JSON="$(safe_jq "$INPUT" '{tool_name: (.tool_name // ""), tool_input: (.tool_input // {})}')"
+            ;;
+        *)
+            # Unknown preToolUse tool: fail-closed
+            deny "🛡️ APort: unknown tool '$TOOL_NAME' — fail-closed policy"
+            ;;
+    esac
+
+elif echo "$INPUT" | jq -e '.command' &> /dev/null; then
+    # beforeShellExecution: { "command": "..." }
+    GUARDRAIL_TOOL="bash"
+    CMD="$(echo "$INPUT" | jq -r '.command // ""' 2> /dev/null)"
+    CONTEXT_JSON="$(jq -n -c --arg cmd "$CMD" '{command: $cmd}')"
+
+elif echo "$INPUT" | jq -e '.tool // .input.command' &> /dev/null; then
+    # Legacy Copilot-style: { "tool": "runTerminalCommand", "input": { "command": "..." } }
+    GUARDRAIL_TOOL="bash"
+    CMD="$(echo "$INPUT" | jq -r '.input.command // .input.cmd // .args[0] // ""' 2> /dev/null)"
+    CONTEXT_JSON="$(jq -n -c --arg cmd "$CMD" '{command: $cmd}')"
+
 else
-    CONTEXT_JSON="$INPUT"
+    # Unrecognized input shape: fail-closed
+    deny "🛡️ APort: unrecognized hook input — fail-closed policy"
+fi
+
+# Use a per-invocation decision file to avoid race conditions with concurrent tool calls
+HOOK_DECISION_FILE="${OPENCLAW_DECISION_FILE:-}"
+if [ -n "$HOOK_DECISION_FILE" ]; then
+    HOOK_DECISION_FILE="${HOOK_DECISION_FILE%.json}-$$.json"
+    export OPENCLAW_DECISION_FILE="$HOOK_DECISION_FILE"
 fi
 
-# Call existing bash guardrail: exit 0 = allow, exit 1 = deny (forward config for subprocess)
+# Call core evaluator
 set +e
-OPENCLAW_CONFIG_DIR="${OPENCLAW_CONFIG_DIR:-$HOME/.openclaw}" OPENCLAW_PASSPORT_FILE="${OPENCLAW_PASSPORT_FILE:-}" OPENCLAW_DECISION_FILE="${OPENCLAW_DECISION_FILE:-}" "$GUARDRAIL" "$TOOL_NAME" "$CONTEXT_JSON" 2> /dev/null
+"$GUARDRAIL" "$GUARDRAIL_TOOL" "$CONTEXT_JSON" 2> /dev/null
 GUARDRAIL_EXIT=$?
 set -e
 
+# Clean up per-invocation decision file
+cleanup_decision() { [ -n "$HOOK_DECISION_FILE" ] && rm -f "$HOOK_DECISION_FILE" 2> /dev/null; }
+
 if [ "$GUARDRAIL_EXIT" -eq 0 ]; then
+    cleanup_decision
     echo '{"permission":"allow","allowed":true}'
     exit 0
 fi
 
-# Deny: output reason from decision file if available (guardrail writes decision before exit 1)
+# Deny: read reason from decision file
 REASON="Policy denied this action."
-if [ -n "${OPENCLAW_DECISION_FILE:-}" ] && [ -f "$OPENCLAW_DECISION_FILE" ] && command -v jq &> /dev/null; then
-    R=$(jq -r '.reasons[0].message // empty' "$OPENCLAW_DECISION_FILE" 2> /dev/null)
-    if [ -n "$R" ]; then
-        REASON="$R"
-    fi
+if [ -n "$HOOK_DECISION_FILE" ] && [ -f "$HOOK_DECISION_FILE" ]; then
+    R="$(jq -r '.reasons[0].message // empty' "$HOOK_DECISION_FILE" 2> /dev/null)"
+    [ -n "$R" ] && REASON="$R"
 fi
-# If no decision file was set, try common config dirs so we can show actual deny reason
-if [ "$REASON" = "Policy denied this action." ] && command -v jq &> /dev/null; then
+# Fallback: try common config dirs
+if [ "$REASON" = "Policy denied this action." ]; then
     for DEC in "${OPENCLAW_CONFIG_DIR:-$HOME/.cursor}/aport/decision.json" "$HOME/.cursor/aport/decision.json" "$HOME/.openclaw/aport/decision.json"; do
         if [ -f "$DEC" ]; then
-            R=$(jq -r '.reasons[0].message // empty' "$DEC" 2> /dev/null)
-            if [ -n "$R" ]; then
-                REASON="$R"
-                break
-            fi
+            R="$(jq -r '.reasons[0].message // empty' "$DEC" 2> /dev/null)"
+            [ -n "$R" ] && REASON="$R" && break
         fi
     done
 fi
-# Fallback: help user debug guardrail/script errors
-if [ "$REASON" = "Policy denied this action." ]; then
-    REASON="Policy denied or guardrail error. Check passport and guardrail script (see docs/frameworks/cursor.md)."
-fi
-echo "{\"permission\":\"deny\",\"allowed\":false,\"agentMessage\":$(echo "$REASON" | jq -Rs .),\"reason\":$(echo "$REASON" | jq -Rs .)}"
-exit 2
+cleanup_decision
+deny "🛡️ APort: $REASON"

package/bin/frameworks/cursor.sh

@@ -45,12 +45,13 @@ run_setup() {
     if [ -f "$CURSOR_HOOKS_FILE" ] && command -v jq &> /dev/null; then
         EXISTING=$(cat "$CURSOR_HOOKS_FILE")
         if echo "$EXISTING" | jq -e '.hooks' &> /dev/null; then
-            # Add APort hook to beforeShellExecution and preToolUse (avoid duplicate)
+            # Add APort hook to all supported lifecycle events (avoid duplicate)
             NEW_HOOKS=$(echo "$EXISTING" | jq -c --arg cmd "$HOOK_SCRIPT" '
-        (.hooks.beforeShellExecution // []) as $b |
-        (.hooks.preToolUse // []) as $p |
-        .hooks.beforeShellExecution = ($b | map(select(.command != $cmd)) | . + [{ "command": $cmd }]) |
-        .hooks.preToolUse = ($p | map(select(.command != $cmd)) | . + [{ "command": $cmd }])
+        def upsert_hook: map(select(.command != $cmd)) | . + [{ "command": $cmd }];
+        .hooks.beforeShellExecution = ((.hooks.beforeShellExecution // []) | upsert_hook) |
+        .hooks.preToolUse = ((.hooks.preToolUse // []) | upsert_hook) |
+        .hooks.beforeMCPExecution = ((.hooks.beforeMCPExecution // []) | upsert_hook) |
+        .hooks.subagentStart = ((.hooks.subagentStart // []) | upsert_hook)
       ')
             [ -f "$CURSOR_HOOKS_FILE" ] && cp "$CURSOR_HOOKS_FILE" "${CURSOR_HOOKS_FILE}.bak"
             echo "$NEW_HOOKS" > "$CURSOR_HOOKS_FILE"
@@ -82,7 +83,9 @@ _write_cursor_hooks_file() {
       version: 1,
       hooks: {
         beforeShellExecution: [{ command: $cmd }],
-        preToolUse: [{ command: $cmd }]
+        preToolUse: [{ command: $cmd }],
+        beforeMCPExecution: [{ command: $cmd }],
+        subagentStart: [{ command: $cmd }]
       }
     }' > "$file"
     else
@@ -93,7 +96,9 @@ _write_cursor_hooks_file() {
   "version": 1,
   "hooks": {
     "beforeShellExecution": [{"command": "${escaped_cmd}"}],
-    "preToolUse": [{"command": "${escaped_cmd}"}]
+    "preToolUse": [{"command": "${escaped_cmd}"}],
+    "beforeMCPExecution": [{"command": "${escaped_cmd}"}],
+    "subagentStart": [{"command": "${escaped_cmd}"}]
   }
 }
 EOF

package/docs/RELEASE.md

@@ -1,6 +1,6 @@
 # Release process and version policy
 
-**Current release:** 1.0.13 (see [CHANGELOG.md](../CHANGELOG.md)).
+**Current release:** 1.0.14 (see [CHANGELOG.md](../CHANGELOG.md)).
 
 We keep **one version number** across all published packages (Node core, Python core, and every framework adapter). That avoids “core is 1.2 but CLI is 0.9” and keeps the story simple for users and support.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aporthq/aport-agent-guardrails",
-  "version": "1.0.13",
+  "version": "1.0.15",
   "description": "Policy enforcement guardrails for OpenClaw-compatible agent frameworks",
   "workspaces": [
     "packages/*",

package/skills/aport-agent-guardrail/SKILL.md

@@ -1,91 +1,84 @@
 ---
 name: aport-agent-guardrail
-description: Pre-action authorization for AI agents. Enforces policies before tools execute—blocks unauthorized commands, data exfiltration, and malicious actions. Works with OpenClaw, IronClaw, PicoClaw via before_tool_call hook. Deterministic enforcement the agent cannot bypass. Optional API mode (APORT_API_URL, APORT_AGENT_ID, APORT_API_KEY) for hosted passports and signed decisions.
-homepage: https://aport.io
-metadata: {"openclaw":{"requires":{"bins":["jq"]},"envOptional":["APORT_API_URL","APORT_AGENT_ID","APORT_API_KEY"]}}
+description: >
+  Pre-action authorization for AI agents. Installs an OpenClaw before_tool_call hook that
+  evaluates every tool call against a passport and policy before execution. Blocks unauthorized
+  commands, data exfiltration, and policy violations. Supports local (offline) and hosted
+  (API) passport modes. Requires Node.js 18+ and npx.
+metadata:
+  author: uchibeke
+  version: 1.1.11
+  tags: security, guardrails, authorization, ai-agent, openclaw, aport, policy-enforcement
 ---
 
 # APort Agent Guardrail
 
-**Skill identifier:** `aport-agent-guardrail` · **Category:** Security / Infrastructure
+Pre-action authorization for AI agents. Installs an OpenClaw `before_tool_call` hook that
+evaluates every tool call against a passport (identity + capabilities + limits) and policy
+**before** it executes. If the policy denies the call, the tool does not run.
 
----
-
-## 🛡️ What This Skill Does
-
-**Pre-action authorization for AI agents.** Every tool call is evaluated against a passport (identity + capabilities + limits) and policy **before** it executes. If denied, the tool never runs.
+This skill provides setup instructions. The enforcement logic comes from the
+[@aporthq/aport-agent-guardrails](https://github.com/aporthq/aport-agent-guardrails)
+npm package, which is open-source (Apache 2.0) and can be audited before installation.
 
-**Key features:**
-- ✅ **Deterministic enforcement** – Runs in `before_tool_call` hook; agent cannot bypass
-- ✅ **Blocks malicious actions** – Unauthorized commands, data exfiltration, API abuse prevented
-- ✅ **Structured policies** – Based on [Open Agent Passport (OAP) v1.0](https://github.com/aporthq/aport-spec/tree/main)
-- ✅ **Fail-closed by default** – Errors deny tool execution (security over availability)
-- ✅ **Audit trail** – Every decision logged with tamper-evident hashes
-- ✅ **Framework-agnostic** – OpenClaw, IronClaw, PicoClaw, and compatible runtimes
+## When to use this skill
 
-**How it protects you:**
-- Prompt injection → Agent cannot bypass hook-based enforcement
-- Malicious skills → All tool calls checked regardless of source
-- Unauthorized commands → Allowlist + 40+ blocked patterns (rm -rf, sudo, etc.)
-- Data exfiltration → File access, messaging, web requests controlled
-- Resource exhaustion → Rate limits, size caps enforced
-
-**Install once, protected forever.** The plugin runs automatically on every tool call.
-
----
+- User wants to add guardrails to their AI agent setup
+- User asks about protecting against unauthorized tool calls
+- User wants pre-action authorization for OpenClaw, IronClaw, or PicoClaw agents
+- User needs audit trails for AI agent actions
 
-## ⚡ Quick Start
+## How it works
 
-```bash
-# Install APort guardrails (one-time setup)
-npx @aporthq/aport-agent-guardrails
+```
+User Request -> Agent Decision -> APort Hook -> [ALLOW/DENY] -> Tool Execution
+                                      |
+                               Policy + Passport
+```
 
-# Follow wizard to create passport and configure policies
-# Plugin auto-registers with OpenClaw
+1. Agent decides to use a tool (e.g., run a shell command)
+2. OpenClaw fires the `before_tool_call` hook
+3. APort loads the passport, maps the tool to a policy, checks allowlists and limits
+4. Decision: ALLOW (tool runs) or DENY (tool blocked)
+5. Decision is logged to the audit trail
 
-# Now your agent is protected
-# All tool calls checked before execution
-```
+Enforcement runs in the OpenClaw hook layer, not in agent prompts. However, like any
+application-layer security control, it depends on the integrity of the runtime environment
+(OS, OpenClaw, filesystem). See the [Security Model](https://github.com/aporthq/aport-agent-guardrails/blob/main/docs/SECURITY_MODEL.md) for trust boundaries.
 
-**With hosted passport (optional):**
-```bash
-# Get agent_id from aport.io
-npx @aporthq/aport-agent-guardrails <agent_id>
-```
+## Prerequisites
 
-**Requirements:** Node 18+, jq
+Check these before starting:
 
----
+1. **Node.js 18+** and **npx** — run `node -v` to verify (must show v18 or higher)
+2. **OpenClaw** (or compatible runtime) — the hook registers as an OpenClaw plugin
 
-## 📦 Installation
+## Installation
 
-### Option 1: npm (recommended)
+### Quick start (recommended)
 
 ```bash
 npx @aporthq/aport-agent-guardrails
 ```
 
-**The wizard will:**
-1. Create or load passport (local file or hosted from aport.io)
+The wizard will:
+1. Create or load a passport (local file or hosted from aport.io)
 2. Configure capabilities and limits
-3. Install OpenClaw plugin automatically
-4. Set up wrapper scripts
+3. Register the OpenClaw plugin (adds `before_tool_call` hook)
+4. Set up wrapper scripts under `~/.openclaw/`
 
-**After install:** Plugin enforces before every tool call. No further action needed.
+After install, the hook runs on every tool call automatically.
 
-### Option 2: With hosted passport
+### With hosted passport (optional)
 
 ```bash
 npx @aporthq/aport-agent-guardrails <agent_id>
 ```
 
-Get `agent_id` at [aport.io](https://aport.io/builder/create/) for:
-- Cryptographically signed decisions
-- Global suspend (<200ms across all systems)
-- Centralized audit and compliance dashboards
-- Team collaboration
+Get `agent_id` at [aport.io](https://aport.io/builder/create/) for signed decisions,
+global suspend, and centralized audit dashboards.
 
-### Option 3: From source
+### From source
 
 ```bash
 git clone https://github.com/aporthq/aport-agent-guardrails
@@ -93,319 +86,103 @@ cd aport-agent-guardrails
 ./bin/openclaw
 ```
 
-**Guides:**
-- [QuickStart: OpenClaw Plugin](https://github.com/aporthq/aport-agent-guardrails/blob/main/docs/QUICKSTART_OPENCLAW_PLUGIN.md)
-- [Hosted passport setup](https://github.com/aporthq/aport-agent-guardrails/blob/main/docs/HOSTED_PASSPORT_SETUP.md)
+### What gets installed
 
----
+Files created under `~/.openclaw/`:
+- Plugin config in `config.yaml` or `openclaw.json`
+- Wrapper scripts in `.skills/aport-guardrail*.sh`
+- `aport/passport.json` (local mode only)
+- `aport/decision.json` and `aport/audit.log` (created at runtime)
 
-## 🚀 Usage
+Total disk usage: ~100KB for scripts + passport/decision files.
 
-### Automatic enforcement (default)
+## Usage
 
-**After installation, the plugin runs automatically:**
+After installation, the hook runs automatically on every tool call:
 
 ```bash
-# Your agent uses tools normally
+# Allowed command — hook approves, tool executes
 agent> run git status
-# ✅ APort: passport checked → policy evaluated → ALLOW → tool executes
+# APort: passport checked -> policy evaluated -> ALLOW
 
+# Blocked command — hook denies, tool does not run
 agent> run rm -rf /
-# ❌ APort: passport checked → blocked pattern detected → DENY → tool blocked
+# APort: passport checked -> blocked pattern detected -> DENY
 ```
 
-**You do nothing.** The plugin enforces on every tool call in the background.
-
-### Testing the guardrail (optional)
-
-**Direct script calls for testing or automation:**
+### Testing the hook manually
 
 ```bash
-# Test allowed command
+# Test allowed command (exit 0 = ALLOW)
 ~/.openclaw/.skills/aport-guardrail.sh system.command.execute '{"command":"ls"}'
-# Exit 0 = ALLOW
 
-# Test blocked command
+# Test blocked command (exit 1 = DENY)
 ~/.openclaw/.skills/aport-guardrail.sh system.command.execute '{"command":"rm -rf /"}'
-# Exit 1 = DENY
-
-# Test messaging
-~/.openclaw/.skills/aport-guardrail.sh messaging.message.send '{"channel":"whatsapp","to":"+15551234567"}'
 ```
 
-**Exit codes:**
-- `0` = ALLOW (tool may proceed)
-- `1` = DENY (reason in decision.json)
-
-**Decision logs:**
-- Latest: `~/.openclaw/aport/decision.json`
+Decision logs:
+- Latest decision: `~/.openclaw/aport/decision.json`
 - Audit trail: `~/.openclaw/aport/audit.log`
-- API mode: Signed receipts via APort API
-
----
-
-## 🔍 How It Works
 
-### Pre-Action Authorization Flow
+## Modes
 
-```
-User Request → Agent Decision → APort Check → [ALLOW/DENY] → Tool Execution
-                                     ↑
-                              Policy + Passport
-```
-
-1. **User makes request** (e.g., "Deploy to production")
-2. **Agent decides to use tool** (e.g., exec.run with git push)
-3. **OpenClaw fires hook** (`before_tool_call`)
-4. **APort evaluates:**
-   - Load passport (identity, capabilities, limits)
-   - Map tool → policy (exec → system.command.execute.v1)
-   - Check allowlist, blocked patterns, rate limits
-5. **Decision:** ALLOW or DENY
-6. **Audit:** Log decision with timestamp, policy, reason codes
-
-**Agent cannot bypass.** Hook is registered by OpenClaw, not controlled by prompts.
-
-### What Gets Installed
-
-**Plugin registration:**
-- OpenClaw plugin added to config (enforces before_tool_call)
-- TypeScript/JavaScript plugin loaded on OpenClaw start
-
-**Files created (under ~/.openclaw/):**
-- `config.yaml` or `openclaw.json` – Plugin configuration
-- `.skills/aport-guardrail*.sh` – Wrapper scripts for local/API evaluation
-- `aport/passport.json` – Your agent passport (local mode only)
-- `aport/decision.json` – Latest decision (runtime)
-- `aport/audit.log` – Audit trail (runtime)
-
-**Total disk usage:** ~100KB scripts + your passport/decisions
-
-**Review code:** [GitHub repository](https://github.com/aporthq/aport-agent-guardrails)
-
----
-
-## 🌐 Network and Privacy
+### Local mode (default)
 
-### Local Mode (Default)
+- All evaluation happens on your machine, zero network calls
+- Passport stored locally at `~/.openclaw/aport/passport.json`
+- Works offline
+- Note: local passport file must be protected from tampering (standard filesystem permissions)
 
-**Zero network calls:**
-- ✅ All evaluation on your machine
-- ✅ Passport stored locally
-- ✅ Decisions stay local
-- ✅ Full privacy
-- ✅ Works offline
+### API mode (optional)
 
-**Perfect for:** Development, personal use, air-gapped environments
+- Passport hosted in the aport.io registry (not stored locally)
+- Signed decisions (Ed25519) for tamper-evident audit trails
+- Global suspend across all systems
+- Centralized compliance dashboards
+- Sends tool name + context to API (does not send file contents, env vars, or credentials)
 
-### API Mode (Optional)
+## Environment variables
 
-**Network usage:**
-- Tool name + context → APort API for policy evaluation
-- Hosted passport fetched from registry (if using agent_id)
-- Signed decisions returned (Ed25519 cryptographic signatures)
+All optional. Local mode requires no environment variables.
 
-**Benefits:**
-- ✅ Cryptographically signed decisions
-- ✅ Court-admissible audit trail
-- ✅ Global suspend across all systems
-- ✅ Centralized compliance dashboards
-- ✅ No local passport tampering possible
-
-**API endpoint:** `https://api.aport.io` (or custom via APORT_API_URL)
-
-**Data sent:**
-- Tool name (e.g., "system.command.execute")
-- Context (e.g., {"command": "ls"})
-- Passport (if local) or agent_id (if hosted)
-
-**Data NOT sent:**
-- File contents
-- Environment variables
-- API keys or credentials
-- Unrelated system information
-
-**To verify:** Use local mode (no network) or inspect open-source code.
-
----
-
-## ⚙️ Environment Variables
-
-| Variable | When Used | Purpose |
+| Variable | When used | Purpose |
 |----------|-----------|---------|
-| `APORT_API_URL` | API mode | Override endpoint (default: `https://api.aport.io`). Use for self-hosted or custom API. |
-| `APORT_AGENT_ID` | Hosted passport | Passport ID from aport.io. API fetches passport from registry. |
-| `APORT_API_KEY` | If API requires auth | Authentication token. Set in environment (not config files). |
-
-**Local mode:** No environment variables needed. Passport read from `~/.openclaw/aport/passport.json`.
+| `APORT_API_URL` | API mode | Override endpoint (default: `https://api.aport.io`) |
+| `APORT_AGENT_ID` | Hosted passport | Passport ID from aport.io |
+| `APORT_API_KEY` | If API requires auth | Authentication token |
 
-**Hosted mode:** Pass `agent_id` to installer or set APORT_AGENT_ID.
+## Default protections
 
----
+- **Shell commands** — Allowlist enforcement, 40+ blocked patterns (`rm -rf`, `sudo`, `chmod 777`, etc.), interpreter bypass detection
+- **Messaging** — Rate limits, recipient allowlist, channel restrictions
+- **File access** — Path restrictions, blocks access to `.env`, SSH keys, system directories
+- **Web requests** — Domain allowlist, SSRF protection, rate limiting
+- **Git operations** — PR size limits, branch restrictions
 
-## 🔧 Tool Name Mapping
+## Tool name mapping
 
-| When agent calls… | Tool name | Policy |
-|------------------|-----------|--------|
+| Agent action | Tool name | Policy checks |
+|--------------|-----------|---------------|
 | Shell commands | `system.command.execute` | Allowlist, blocked patterns |
-| WhatsApp/Email/Slack | `messaging.message.send` | Rate limits, recipient allowlist |
-| Create/merge PRs | `git.create_pr`, `git.merge` | PR size, branch restrictions |
+| Messaging (WhatsApp/Email/Slack) | `messaging.message.send` | Rate limits, recipient allowlist |
+| PRs | `git.create_pr`, `git.merge` | PR size, branch restrictions |
 | MCP tools | `mcp.tool.execute` | Server/tool allowlist |
-| Data export | `data.export` | Row limits, PII filtering |
 | File read/write | `data.file.read`, `data.file.write` | Path restrictions |
-| Web requests | `web.fetch`, `web.browser` | Domain allowlist, SSRF protection |
-
-**Context format:** Valid JSON, e.g., `'{"command":"ls"}'` or `'{"channel":"whatsapp","to":"+1..."}'`
+| Web requests | `web.fetch`, `web.browser` | Domain allowlist |
 
----
+## Troubleshooting
 
-## 📋 Out-of-the-Box Protections
+| Problem | Fix |
+|---------|-----|
+| Plugin not enforcing | Check `openclaw plugin list` shows aport-guardrail |
+| Connection refused (API mode) | Verify `APORT_API_URL` is reachable |
+| Tool blocked unexpectedly | Check `~/.openclaw/aport/decision.json` for deny reason |
+| npx not found | Install Node.js 18+: https://nodejs.org |
 
-**Shell commands (system.command.execute.v1):**
-- Allowlist enforcement (only specified commands run)
-- 40+ blocked patterns: `rm -rf`, `sudo`, `chmod 777`, `dd if=`, `mkfs`, etc.
-- Interpreter bypasses blocked: `python -c`, `node -e`, `base64` encoding
-- Command injection patterns detected
+## Documentation
 
-**Messaging (messaging.message.send.v1):**
-- Rate limits (msgs_per_min, msgs_per_day)
-- Recipient allowlist
-- Channel restrictions
-
-**File access (data.file.read/write.v1):**
-- Path restrictions (block /etc, /bin, system directories)
-- Prevent .env, SSH key theft
-
-**Web requests (web.fetch/browser.v1):**
-- Domain allowlist
-- SSRF protection (block private IPs)
-- Rate limiting
-
-**Git operations (code.repository.merge.v1):**
-- PR size limits
-- Branch restrictions
-- Review requirements
-
-**All policies at:** https://aport.io/policy-packs
-
----
-
-## 🔐 Security Model
-
-### What APort Protects
-
-**✅ Agent action security:**
-- Prompt injection (hook-based enforcement, not prompt-based)
-- Malicious third-party skills
-- Unauthorized commands
-- Data exfiltration via files, messaging, web requests
-- Resource exhaustion (rate/size limits)
-
-### Trust Model
-
-**APort operates at the application layer** (between agent decision and tool execution).
-
-**You must trust:**
-- Your operating system (file permissions, process isolation)
-- OpenClaw runtime (hooks execute correctly)
-- APort code (open-source, verifiable)
-
-**Local mode additionally trusts:**
-- Filesystem integrity (passport not tampered)
-
-**API mode eliminates:**
-- Local passport tampering (fetched from API)
-- Decision tampering (cryptographically signed)
-
-**Out of scope (OS/infrastructure security):**
-- File system compromise
-- OpenClaw CVEs
-- Network attacks (MITM, DNS poisoning)
-- Supply chain attacks
-
-**This is standard for application-layer authorization** (same model as OAuth, IAM, policy engines).
-
----
-
-## 🎯 Use Cases
-
-**Protect against malicious skills:**
-- Install APort before adding community skills
-- Every skill's tool calls are checked
-- Malicious actions blocked before execution
-
-**Compliance and audit:**
-- Tamper-evident decision logs
-- Court-admissible audit trail (API mode with Ed25519 signatures)
-- SOC 2, HIPAA, SOX compliance support
-
-**Team deployments:**
-- Shared passport across systems (global suspend)
-- Centralized policy updates
-- Consistent enforcement
-
-**Air-gapped environments:**
-- Use local mode (zero network)
-- All evaluation on-premise
-- Self-hosted policy packs
-
----
-
-## 📚 Documentation
-
-**APort Guardrails:**
+- [Source code](https://github.com/aporthq/aport-agent-guardrails) (Apache 2.0)
 - [QuickStart: OpenClaw Plugin](https://github.com/aporthq/aport-agent-guardrails/blob/main/docs/QUICKSTART_OPENCLAW_PLUGIN.md)
 - [Security Model & Trust Boundaries](https://github.com/aporthq/aport-agent-guardrails/blob/main/docs/SECURITY_MODEL.md)
 - [Hosted Passport Setup](https://github.com/aporthq/aport-agent-guardrails/blob/main/docs/HOSTED_PASSPORT_SETUP.md)
-- [Tool/Policy Mapping](https://github.com/aporthq/aport-agent-guardrails/blob/main/docs/TOOL_POLICY_MAPPING.md)
-- [Verification Methods (Local vs API)](https://github.com/aporthq/aport-agent-guardrails/blob/main/docs/VERIFICATION_METHODS.md)
-
-**OpenClaw:**
-- [CLI: skills](https://docs.openclaw.ai/cli/skills)
-- [Skills Documentation](https://docs.openclaw.ai/tools/skills)
-- [Skills Config](https://docs.openclaw.ai/tools/skills-config)
-- [ClawHub](https://docs.openclaw.ai/tools/clawhub)
-
-**Security:**
-- [SECURITY.md](https://github.com/aporthq/aport-agent-guardrails/blob/main/SECURITY.md) - Prompt injection, Cisco findings
-- [OAP Specification](https://github.com/aporthq/aport-spec/tree/main) - Open Agent Passport standard
-
----
-
-## 🤝 Support and Community
-
-**GitHub:** [aporthq/aport-agent-guardrails](https://github.com/aporthq/aport-agent-guardrails)
-**Website:** [aport.io](https://aport.io)
-**Issues:** [GitHub Issues](https://github.com/aporthq/aport-agent-guardrails/issues)
-
-**Open-source:** Apache 2.0 License
-**Code review:** All code publicly available for inspection
-
----
-
-## ❓ FAQ
-
-**Q: Does this slow down my agent?**
-A: Minimal overhead. API mode: ~60-100ms. Local mode: <300ms. Runs in parallel with agent thinking.
-
-**Q: Can I use this offline?**
-A: Yes. Local mode works without network connectivity.
-
-**Q: What if I need custom policies?**
-A: API mode: Pass custom policy JSON in request. Local mode: Edit bash script or use API mode.
-
-**Q: How do I suspend my agent?**
-A: Local: Set passport status to "suspended". Hosted: Log in to aport.io and suspend (global effect).
-
-**Q: Is my data sent to APort?**
-A: Local mode: No. API mode: Tool name + context only (no credentials, file contents, or env vars).
-
-**Q: Can the agent bypass this?**
-A: No. Enforcement is in the platform hook (`before_tool_call`), not controllable by prompts.
-
-**Q: What happens if APort errors?**
-A: Default: Tool blocked (fail-closed). Configurable via `failClosed` setting.
-
----
-
-**Made with 🛡️ by [APort](https://aport.io) · Open-source on [GitHub](https://github.com/aporthq/aport-agent-guardrails) · Apache 2.0 License**
+- [OAP Specification](https://github.com/aporthq/aport-spec/tree/main)