npm - @clawdreyhepburn/carapace - Versions diffs - 0.2.1 → 0.3.0 - Mend

@clawdreyhepburn/carapace 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -38,19 +38,22 @@ The progression:
 ## Architecture
 ```
-+-------------+     +----------------------------+     +-----------------+
-|             |     |         Carapace           |     |  MCP Server A   |
-|  OpenClaw   |---->|                            |---->|  (filesystem)   |
-|  Agent      |     |  +----------------------+  |     +-----------------+
-|             |     |  |   Cedarling WASM      |  |     |  MCP Server B   |
-|  mcp_call   |---->|  |   (Cedar 4.4.2)       |  |---->|  (GitHub)       |
-|             |     |  +----------------------+  |     +-----------------+
-| carapace    |     |                            |     +-----------------+
-|   _exec   --|---->|  Cedar: exec_command       |---->|  Shell (local)  |
-|             |     |                            |     +-----------------+
-| carapace    |     |                            |     +-----------------+
-|   _fetch  --|---->|  Cedar: call_api           |---->|  HTTP (remote)  |
-|             |     |  +----------------------+  |     +-----------------+
+                    +----------------------------+
+                    |         Carapace           |
++-------------+     |                            |     +------------------+
+|             |     |  +----------------------+  |     |   Anthropic /    |
+|  OpenClaw   |---->|  |    LLM Proxy         |  |---->|   OpenAI API     |
+|  Agent      |     |  | (intercepts tool_use)|  |     +------------------+
+|             |     |  +----------------------+  |
+|             |     |           |                |     +-----------------+
+|             |     |     Cedar evaluates        |     |  MCP Server A   |
+|             |     |     every tool call        |---->|  (filesystem)   |
+|             |     |           |                |     +-----------------+
+|             |     |  +----------------------+  |     |  MCP Server B   |
+|             |     |  |   Cedarling WASM      |  |---->|  (GitHub)       |
+|             |     |  |   (Cedar 4.4.2)       |  |     +-----------------+
+|             |     |  +----------------------+  |
+|             |     |  +----------------------+  |
 |             |     |  |  Local Control GUI    |  |
 +-------------+     |  +----------------------+  |
                     +--------------+--------------+
@@ -61,7 +64,11 @@ The progression:
                             +-------------+
 ```
-**Every operation flows through Cedar evaluation.** MCP tool calls, shell commands, and outbound API requests are all authorized by Cedar policies before execution. If the policy says deny, the operation never happens. The agent gets a clear denial message with the reason.
+### Two enforcement modes
+**LLM Proxy (recommended):** Carapace holds the real API key and proxies all LLM traffic. When the LLM suggests a tool call, Carapace evaluates it against Cedar *before returning the response to OpenClaw*. Denied tool calls are stripped from the response — OpenClaw never sees them and can't execute them. **This is un-bypassable.** The agent can't call tools that Cedar denies because it literally never receives the tool call instruction.
+**Tool-level gating:** Carapace registers Cedar-gated agent tools (`carapace_exec`, `carapace_fetch`, `mcp_call`) that authorize each operation before executing it. This requires denying built-in tools via `openclaw carapace setup` to prevent bypass. Use this mode when you can't or don't want to proxy LLM traffic.
 ## Screenshots
@@ -155,7 +162,41 @@ In your OpenClaw config, add the servers you want Carapace to manage:
 }
 ```
-### 2. Close the bypass gap
+### 2. Enable the LLM Proxy (recommended)
+The LLM Proxy is the strongest enforcement mode. Carapace holds the real API key and intercepts tool calls before OpenClaw can execute them.
+```json5
+{
+  plugins: {
+    entries: {
+      carapace: {
+        enabled: true,
+        config: {
+          proxy: {
+            enabled: true,
+            port: 19821,
+            upstream: {
+              anthropic: { apiKey: "sk-ant-your-real-key-here" }
+            }
+          }
+        }
+      }
+    }
+  },
+  // Point OpenClaw at the proxy instead of the real API
+  providers: {
+    anthropic: {
+      apiKey: "carapace-proxy",  // dummy — proxy holds the real key
+      baseUrl: "http://127.0.0.1:19821"
+    }
+  }
+}
+```
+Now every tool call the LLM suggests goes through Cedar. If Cedar denies it, the tool call is stripped from the response before OpenClaw ever sees it.
+### 3. (Alternative) Close the bypass gap without the proxy
 By default, agents can still use OpenClaw's built-in `exec` and `web_fetch` tools, which bypass Cedar entirely. Run setup to close this:
@@ -173,18 +214,18 @@ openclaw carapace check
 > ⚠️ **Without this step, Carapace policies are advisory, not enforced.** The agent can simply choose to use the built-in tools instead. Always run `carapace setup` for real security.
-### 3. Open the control GUI
+### 4. Open the control GUI
 Navigate to [http://localhost:19820](http://localhost:19820) in your browser. You'll see all discovered tools from all connected servers.
-### 4. Enable tools
+### 5. Enable tools
 Toggle individual tools on/off. Each toggle writes a Cedar policy:
 - **Toggle ON** → creates a `permit` policy for that tool
 - **Toggle OFF** → creates a `forbid` policy for that tool
-### 5. Create custom policies
+### 6. Create custom policies
 Click **"+ New Policy"** to open the visual builder, or edit policies directly in the Policies tab. Examples:
@@ -239,7 +280,7 @@ permit(
 > 📖 **Want more?** See [Recommended Policies](docs/RECOMMENDED-POLICIES.md) for real-world policies covering destructive commands, credential theft, data exfiltration, email deletion, and complete starter configurations.
-### 6. Verify policies
+### 7. Verify policies
 Click **⚡ Verify** to validate that all policies are syntactically correct and consistent.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@clawdreyhepburn/carapace",
-  "version": "0.2.1",
+  "version": "0.3.0",
   "description": "Immutable policy boundaries for MCP tool access. Powered by Cedar + Cedarling WASM.",
   "license": "Apache-2.0",
   "type": "module",

package/src/index.ts CHANGED Viewed

@@ -8,6 +8,7 @@
 import { CedarlingEngine } from "./cedar-engine-cedarling.js";
 import { McpAggregator } from "./mcp-aggregator.js";
 import { ControlGui } from "./gui/server.js";
+import { LlmProxy } from "./llm-proxy.js";
 import type { PluginConfig } from "./types.js";
 export const id = "carapace";
@@ -64,6 +65,24 @@ export default function register(api: OpenClawPluginApi) {
     logger,
   });
+  // --- LLM Proxy: intercept tool calls at the API level ---
+  const proxyConfig = config.proxy;
+  const proxy = proxyConfig?.enabled ? new LlmProxy({
+    port: proxyConfig.port ?? 19821,
+    upstream: {
+      anthropic: proxyConfig.upstream?.anthropic ? {
+        url: proxyConfig.upstream.anthropic.url ?? "https://api.anthropic.com",
+        apiKey: proxyConfig.upstream.anthropic.apiKey,
+      } : undefined,
+      openai: proxyConfig.upstream?.openai ? {
+        url: proxyConfig.upstream.openai.url ?? "https://api.openai.com",
+        apiKey: proxyConfig.upstream.openai.apiKey,
+      } : undefined,
+    },
+    cedar,
+    logger,
+  }) : null;
   // --- Bypass detection: warn if built-in tools aren't denied ---
   const BYPASS_TOOLS = ["exec", "web_fetch", "web_search"];
@@ -121,17 +140,26 @@ export default function register(api: OpenClawPluginApi) {
       await gui.start();
       logger.info(`Control GUI at http://localhost:${config.guiPort ?? 19820}`);
-      // Check for bypass vulnerabilities
-      const bypasses = checkForBypasses();
-      if (bypasses.length > 0) {
-        logger.warn(
-          `⚠️  BYPASS RISK: Built-in tools [${bypasses.join(", ")}] are NOT denied. ` +
-          `Agents can use these to bypass Carapace Cedar policies. ` +
-          `Run "openclaw carapace setup" to fix this automatically.`
+      if (proxy) {
+        await proxy.start();
+        logger.info(
+          `🛡️  LLM Proxy active on http://127.0.0.1:${proxyConfig!.port ?? 19821} — ` +
+          `all tool calls go through Cedar`
         );
+      } else {
+        // Check for bypass vulnerabilities only when proxy is disabled
+        const bypasses = checkForBypasses();
+        if (bypasses.length > 0) {
+          logger.warn(
+            `⚠️  BYPASS RISK: Built-in tools [${bypasses.join(", ")}] are NOT denied and LLM proxy is not enabled. ` +
+            `Agents can use these to bypass Carapace Cedar policies. ` +
+            `Enable the LLM proxy (recommended) or run "openclaw carapace setup" to deny built-in tools.`
+          );
+        }
       }
     },
     async stop() {
+      if (proxy) await proxy.stop();
       await gui.stop();
       await aggregator.disconnectAll();
       logger.info("Carapace stopped");
@@ -408,7 +436,16 @@ export default function register(api: OpenClawPluginApi) {
         const tools = aggregator.listTools();
         const enabled = tools.filter((t) => t.enabled).length;
         console.log(`\n  ${enabled}/${tools.length} tools enabled`);
-        console.log(`  GUI: http://localhost:${config.guiPort ?? 19820}\n`);
+        console.log(`  GUI: http://localhost:${config.guiPort ?? 19820}`);
+        if (proxy) {
+          const stats = proxy.getStats();
+          console.log(`\n  🛡️  LLM Proxy: http://127.0.0.1:${proxyConfig!.port ?? 19821}`);
+          console.log(`  Requests: ${stats.requests} | Tool calls evaluated: ${stats.toolCallsEvaluated} | Denied: ${stats.toolCallsDenied}`);
+        } else {
+          console.log(`\n  ⚠️  LLM Proxy: disabled`);
+        }
+        console.log();
       });
       cmd.command("tools").action(async () => {

package/src/llm-proxy.ts ADDED Viewed

@@ -0,0 +1,648 @@
+/**
+ * LLM Proxy — Sits between OpenClaw and the LLM provider.
+ *
+ * Intercepts tool_use blocks in LLM responses and evaluates them
+ * against Cedar policies before OpenClaw can execute them.
+ *
+ * The agent never gets the real API key. Carapace holds it.
+ * Denied tool calls are replaced with text blocks explaining why.
+ *
+ * Supports:
+ * - Anthropic Messages API (/v1/messages)
+ * - OpenAI Chat Completions API (/v1/chat/completions)
+ * - Both streaming and non-streaming (streaming is buffered, filtered, re-streamed)
+ */
+import { createServer, type IncomingMessage, type ServerResponse } from "node:http";
+import type { Logger } from "./types.js";
+interface ToolUseBlock {
+  type: "tool_use";
+  id: string;
+  name: string;
+  input: Record<string, unknown>;
+}
+interface TextBlock {
+  type: "text";
+  text: string;
+}
+type ContentBlock = ToolUseBlock | TextBlock | { type: string; [key: string]: unknown };
+interface CedarAuthorizer {
+  authorize(request: {
+    principal: string;
+    action: string;
+    resource: string;
+    context?: Record<string, unknown>;
+  }): Promise<{ decision: "allow" | "deny"; reasons: string[] }>;
+}
+export interface LlmProxyOpts {
+  port: number;
+  upstream: {
+    anthropic?: { url: string; apiKey: string };
+    openai?: { url: string; apiKey: string };
+  };
+  cedar: CedarAuthorizer;
+  logger: Logger;
+}
+export class LlmProxy {
+  private server: ReturnType<typeof createServer> | null = null;
+  private port: number;
+  private upstream: LlmProxyOpts["upstream"];
+  private cedar: CedarAuthorizer;
+  private logger: Logger;
+  // Stats
+  private stats = {
+    requests: 0,
+    toolCallsEvaluated: 0,
+    toolCallsDenied: 0,
+  };
+  constructor(opts: LlmProxyOpts) {
+    this.port = opts.port;
+    this.upstream = opts.upstream;
+    this.cedar = opts.cedar;
+    this.logger = opts.logger;
+  }
+  async start(): Promise<void> {
+    this.server = createServer(async (req, res) => {
+      try {
+        await this.handleRequest(req, res);
+      } catch (err: any) {
+        this.logger.error(`LLM Proxy error: ${err.message}`);
+        res.writeHead(502, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: { message: `Carapace proxy error: ${err.message}` } }));
+      }
+    });
+    return new Promise((resolve) => {
+      this.server!.listen(this.port, "127.0.0.1", () => {
+        this.logger.info(`LLM Proxy listening on http://127.0.0.1:${this.port}`);
+        resolve();
+      });
+    });
+  }
+  async stop(): Promise<void> {
+    if (!this.server) return;
+    return new Promise((resolve) => {
+      this.server!.close(() => resolve());
+    });
+  }
+  getStats() {
+    return { ...this.stats };
+  }
+  // ── Request handling ──
+  private async handleRequest(req: IncomingMessage, res: ServerResponse): Promise<void> {
+    this.stats.requests++;
+    const path = req.url ?? "/";
+    // Health check
+    if (path === "/health" || path === "/carapace/status") {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ ok: true, stats: this.stats }));
+      return;
+    }
+    // Detect provider from path
+    if (path.startsWith("/v1/messages")) {
+      await this.proxyAnthropic(req, res);
+    } else if (path.startsWith("/v1/chat/completions")) {
+      await this.proxyOpenAI(req, res);
+    } else {
+      // Pass through unknown paths (models list, etc.)
+      await this.passthrough(req, res, path);
+    }
+  }
+  // ── Anthropic Messages API ──
+  private async proxyAnthropic(req: IncomingMessage, res: ServerResponse): Promise<void> {
+    const upstream = this.upstream.anthropic;
+    if (!upstream) {
+      res.writeHead(501, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: { message: "Anthropic upstream not configured" } }));
+      return;
+    }
+    const body = await this.readBody(req);
+    let parsed: any;
+    try {
+      parsed = JSON.parse(body);
+    } catch {
+      res.writeHead(400, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: { message: "Invalid JSON body" } }));
+      return;
+    }
+    const isStreaming = parsed.stream === true;
+    // Forward to Anthropic (always non-streaming for filtering)
+    const upstreamResponse = await this.forwardToAnthropic(upstream, body, req, isStreaming);
+    if (!upstreamResponse.ok) {
+      // Forward error as-is
+      const errorBody = await upstreamResponse.text();
+      res.writeHead(upstreamResponse.status, {
+        "Content-Type": upstreamResponse.headers.get("content-type") ?? "application/json",
+      });
+      res.end(errorBody);
+      return;
+    }
+    if (isStreaming) {
+      await this.handleAnthropicStreaming(upstreamResponse, res);
+    } else {
+      await this.handleAnthropicNonStreaming(upstreamResponse, res);
+    }
+  }
+  private async forwardToAnthropic(
+    upstream: { url: string; apiKey: string },
+    body: string,
+    req: IncomingMessage,
+    isStreaming: boolean,
+  ): Promise<Response> {
+    // Build headers, replacing auth
+    const headers: Record<string, string> = {
+      "Content-Type": "application/json",
+      "x-api-key": upstream.apiKey,
+      "anthropic-version": (req.headers["anthropic-version"] as string) ?? "2023-06-01",
+    };
+    // Forward anthropic-beta if present
+    const beta = req.headers["anthropic-beta"];
+    if (beta) headers["anthropic-beta"] = beta as string;
+    return fetch(`${upstream.url}/v1/messages`, {
+      method: "POST",
+      headers,
+      body,
+    });
+  }
+  private async handleAnthropicNonStreaming(upstreamResponse: Response, res: ServerResponse): Promise<void> {
+    const responseBody = await upstreamResponse.text();
+    let parsed: any;
+    try {
+      parsed = JSON.parse(responseBody);
+    } catch {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(responseBody);
+      return;
+    }
+    // Filter tool_use blocks
+    if (parsed.content && Array.isArray(parsed.content)) {
+      parsed.content = await this.filterContentBlocks(parsed.content);
+      // Update stop_reason if all tool_use blocks were denied
+      const hasToolUse = parsed.content.some((b: any) => b.type === "tool_use");
+      if (!hasToolUse && parsed.stop_reason === "tool_use") {
+        parsed.stop_reason = "end_turn";
+      }
+    }
+    const filtered = JSON.stringify(parsed);
+    res.writeHead(200, {
+      "Content-Type": "application/json",
+    });
+    res.end(filtered);
+  }
+  private async handleAnthropicStreaming(upstreamResponse: Response, res: ServerResponse): Promise<void> {
+    // Buffer the full streaming response, then filter and re-stream
+    const reader = upstreamResponse.body?.getReader();
+    if (!reader) {
+      res.writeHead(502);
+      res.end();
+      return;
+    }
+    // Collect all SSE events
+    const decoder = new TextDecoder();
+    let buffer = "";
+    const events: Array<{ event: string; data: string }> = [];
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      buffer += decoder.decode(value, { stream: true });
+      // Parse SSE events from buffer
+      const lines = buffer.split("\n");
+      buffer = lines.pop() ?? ""; // Keep incomplete line
+      let currentEvent = "";
+      for (const line of lines) {
+        if (line.startsWith("event: ")) {
+          currentEvent = line.slice(7).trim();
+        } else if (line.startsWith("data: ")) {
+          events.push({ event: currentEvent, data: line.slice(6) });
+          currentEvent = "";
+        }
+      }
+    }
+    // Find tool_use content blocks and evaluate them
+    const toolBlocks = new Map<number, { name: string; inputJson: string; id: string }>();
+    const deniedIndices = new Set<number>();
+    let currentBlockIndex = -1;
+    for (const ev of events) {
+      if (ev.event === "content_block_start") {
+        try {
+          const d = JSON.parse(ev.data);
+          currentBlockIndex = d.index ?? -1;
+          if (d.content_block?.type === "tool_use") {
+            toolBlocks.set(currentBlockIndex, {
+              name: d.content_block.name,
+              id: d.content_block.id,
+              inputJson: "",
+            });
+          }
+        } catch {}
+      } else if (ev.event === "content_block_delta") {
+        try {
+          const d = JSON.parse(ev.data);
+          const idx = d.index ?? currentBlockIndex;
+          const block = toolBlocks.get(idx);
+          if (block && d.delta?.type === "input_json_delta") {
+            block.inputJson += d.delta.partial_json ?? "";
+          }
+        } catch {}
+      }
+    }
+    // Evaluate each tool call against Cedar
+    for (const [idx, block] of toolBlocks) {
+      const decision = await this.evaluateToolCall(block.name, block.inputJson);
+      if (decision === "deny") {
+        deniedIndices.add(idx);
+        this.logger.info(`LLM Proxy DENIED tool call: ${block.name} (block ${idx})`);
+      }
+    }
+    if (deniedIndices.size === 0) {
+      // No denials — forward everything as-is
+      res.writeHead(200, {
+        "Content-Type": "text/event-stream",
+        "Cache-Control": "no-cache",
+        "Connection": "keep-alive",
+      });
+      for (const ev of events) {
+        if (ev.event) res.write(`event: ${ev.event}\n`);
+        res.write(`data: ${ev.data}\n\n`);
+      }
+      res.end();
+      return;
+    }
+    // Rewrite stream: replace denied tool blocks with text blocks
+    res.writeHead(200, {
+      "Content-Type": "text/event-stream",
+      "Cache-Control": "no-cache",
+      "Connection": "keep-alive",
+    });
+    let skipBlock = false;
+    let skipBlockIndex = -1;
+    for (const ev of events) {
+      if (ev.event === "content_block_start") {
+        try {
+          const d = JSON.parse(ev.data);
+          const idx = d.index ?? -1;
+          if (deniedIndices.has(idx)) {
+            skipBlock = true;
+            skipBlockIndex = idx;
+            const block = toolBlocks.get(idx)!;
+            // Emit a text block instead
+            const replacement = {
+              index: idx,
+              content_block: {
+                type: "text",
+                text: "",
+              },
+            };
+            res.write(`event: content_block_start\ndata: ${JSON.stringify(replacement)}\n\n`);
+            // Emit the denial text as a delta
+            const denialText = `\n🚫 DENIED by Cedar policy: ${block.name}\n`;
+            const delta = {
+              index: idx,
+              delta: { type: "text_delta", text: denialText },
+            };
+            res.write(`event: content_block_delta\ndata: ${JSON.stringify(delta)}\n\n`);
+            continue;
+          }
+        } catch {}
+        skipBlock = false;
+      }
+      if (ev.event === "content_block_delta") {
+        try {
+          const d = JSON.parse(ev.data);
+          if (deniedIndices.has(d.index ?? skipBlockIndex)) continue;
+        } catch {}
+      }
+      if (ev.event === "content_block_stop") {
+        try {
+          const d = JSON.parse(ev.data);
+          if (deniedIndices.has(d.index ?? skipBlockIndex)) {
+            // Emit the stop for our replacement text block
+            res.write(`event: content_block_stop\ndata: ${ev.data}\n\n`);
+            skipBlock = false;
+            continue;
+          }
+        } catch {}
+      }
+      if (skipBlock) continue;
+      // Fix message_delta stop_reason if all tools were denied
+      if (ev.event === "message_delta") {
+        try {
+          const d = JSON.parse(ev.data);
+          const remainingTools = [...toolBlocks.keys()].filter((i) => !deniedIndices.has(i));
+          if (remainingTools.length === 0 && d.delta?.stop_reason === "tool_use") {
+            d.delta.stop_reason = "end_turn";
+            res.write(`event: message_delta\ndata: ${JSON.stringify(d)}\n\n`);
+            continue;
+          }
+        } catch {}
+      }
+      // Forward event as-is
+      if (ev.event) res.write(`event: ${ev.event}\n`);
+      res.write(`data: ${ev.data}\n\n`);
+    }
+    res.end();
+  }
+  // ── OpenAI Chat Completions API ──
+  private async proxyOpenAI(req: IncomingMessage, res: ServerResponse): Promise<void> {
+    const upstream = this.upstream.openai;
+    if (!upstream) {
+      res.writeHead(501, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: { message: "OpenAI upstream not configured" } }));
+      return;
+    }
+    const body = await this.readBody(req);
+    let parsed: any;
+    try {
+      parsed = JSON.parse(body);
+    } catch {
+      res.writeHead(400, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: { message: "Invalid JSON body" } }));
+      return;
+    }
+    const isStreaming = parsed.stream === true;
+    // For streaming: force non-streaming, filter, then re-stream
+    const forwardBody = isStreaming ? JSON.stringify({ ...parsed, stream: false }) : body;
+    const headers: Record<string, string> = {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${upstream.apiKey}`,
+    };
+    const upstreamResponse = await fetch(`${upstream.url}/v1/chat/completions`, {
+      method: "POST",
+      headers,
+      body: forwardBody,
+    });
+    if (!upstreamResponse.ok) {
+      const errorBody = await upstreamResponse.text();
+      res.writeHead(upstreamResponse.status, { "Content-Type": "application/json" });
+      res.end(errorBody);
+      return;
+    }
+    const responseBody = await upstreamResponse.text();
+    let response: any;
+    try {
+      response = JSON.parse(responseBody);
+    } catch {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(responseBody);
+      return;
+    }
+    // Filter tool_calls from choices
+    if (response.choices) {
+      for (const choice of response.choices) {
+        if (choice.message?.tool_calls) {
+          const filtered = [];
+          const denials: string[] = [];
+          for (const tc of choice.message.tool_calls) {
+            const decision = await this.evaluateToolCall(
+              tc.function?.name ?? tc.name,
+              typeof tc.function?.arguments === "string"
+                ? tc.function.arguments
+                : JSON.stringify(tc.function?.arguments ?? {}),
+            );
+            if (decision === "allow") {
+              filtered.push(tc);
+            } else {
+              denials.push(
+                `🚫 DENIED by Cedar policy: ${tc.function?.name ?? tc.name}`,
+              );
+              this.logger.info(`LLM Proxy DENIED tool call: ${tc.function?.name}`);
+            }
+          }
+          choice.message.tool_calls = filtered.length > 0 ? filtered : undefined;
+          // Add denial messages to content
+          if (denials.length > 0) {
+            const existing = choice.message.content ?? "";
+            choice.message.content = (existing + "\n" + denials.join("\n")).trim();
+          }
+          // Fix finish_reason if all tool calls were denied
+          if (filtered.length === 0 && choice.finish_reason === "tool_calls") {
+            choice.finish_reason = "stop";
+          }
+        }
+      }
+    }
+    if (isStreaming) {
+      // Re-stream as SSE (single chunk since we forced non-streaming)
+      res.writeHead(200, {
+        "Content-Type": "text/event-stream",
+        "Cache-Control": "no-cache",
+      });
+      // Convert to streaming format
+      const chunk = { ...response, object: "chat.completion.chunk" };
+      for (const choice of chunk.choices ?? []) {
+        choice.delta = choice.message;
+        delete choice.message;
+      }
+      res.write(`data: ${JSON.stringify(chunk)}\n\n`);
+      res.write("data: [DONE]\n\n");
+      res.end();
+    } else {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify(response));
+    }
+  }
+  // ── Passthrough for non-chat endpoints ──
+  private async passthrough(req: IncomingMessage, res: ServerResponse, path: string): Promise<void> {
+    // Try Anthropic first, then OpenAI
+    const upstream = this.upstream.anthropic ?? this.upstream.openai;
+    if (!upstream) {
+      res.writeHead(501);
+      res.end();
+      return;
+    }
+    const body = req.method !== "GET" ? await this.readBody(req) : undefined;
+    const headers: Record<string, string> = { "Content-Type": "application/json" };
+    if (this.upstream.anthropic) {
+      headers["x-api-key"] = upstream.apiKey;
+      headers["anthropic-version"] = "2023-06-01";
+    } else {
+      headers["Authorization"] = `Bearer ${upstream.apiKey}`;
+    }
+    const response = await fetch(`${upstream.url}${path}`, {
+      method: req.method ?? "GET",
+      headers,
+      body,
+    });
+    const responseBody = await response.text();
+    res.writeHead(response.status, {
+      "Content-Type": response.headers.get("content-type") ?? "application/json",
+    });
+    res.end(responseBody);
+  }
+  // ── Cedar evaluation ──
+  private async evaluateToolCall(toolName: string, inputJson: string): Promise<"allow" | "deny"> {
+    this.stats.toolCallsEvaluated++;
+    let parsedInput: Record<string, unknown> = {};
+    try {
+      parsedInput = JSON.parse(inputJson || "{}");
+    } catch {}
+    // Determine resource type based on tool name
+    let resourceType = "Tool";
+    let action = "call_tool";
+    let resourceId = toolName;
+    let context: Record<string, unknown> = {};
+    // Map known OpenClaw built-in tools to resource types
+    if (toolName === "exec" || toolName === "process") {
+      resourceType = "Shell";
+      action = "exec_command";
+      // Extract binary name from the command argument
+      const cmd = (parsedInput.command as string) ?? "";
+      resourceId = cmd.trim().split(/\s+/)[0]?.replace(/^.*\//, "") || toolName;
+      // Map to schema-known context attributes
+      context = {
+        args: cmd,
+        workdir: (parsedInput.workdir as string) ?? "",
+      };
+    } else if (toolName === "web_fetch" || toolName === "web_search") {
+      resourceType = "API";
+      action = "call_api";
+      // Extract domain from URL
+      const url = (parsedInput.url as string) ?? (parsedInput.query as string) ?? "";
+      try {
+        if (url.startsWith("http")) {
+          resourceId = new URL(url).hostname;
+        } else {
+          resourceId = toolName;
+        }
+      } catch {
+        resourceId = toolName;
+      }
+      // Map to schema-known context attributes
+      context = {
+        url,
+        method: (parsedInput.method as string) ?? "GET",
+        body: (parsedInput.body as string) ?? "",
+      };
+    }
+    const decision = await this.cedar.authorize({
+      principal: `Agent::"openclaw"`,
+      action: `Action::"${action}"`,
+      resource: `${resourceType}::"${resourceId}"`,
+      context,
+    });
+    if (decision.decision === "deny") {
+      this.stats.toolCallsDenied++;
+    }
+    return decision.decision;
+  }
+  // ── Content block filtering (Anthropic non-streaming) ──
+  private async filterContentBlocks(blocks: ContentBlock[]): Promise<ContentBlock[]> {
+    const result: ContentBlock[] = [];
+    for (const block of blocks) {
+      if (block.type !== "tool_use") {
+        result.push(block);
+        continue;
+      }
+      const toolBlock = block as ToolUseBlock;
+      const decision = await this.evaluateToolCall(
+        toolBlock.name,
+        JSON.stringify(toolBlock.input),
+      );
+      if (decision === "allow") {
+        result.push(block);
+      } else {
+        // Replace with denial text
+        result.push({
+          type: "text",
+          text: `\n🚫 DENIED by Cedar policy: ${toolBlock.name}\n`,
+        });
+        this.logger.info(`LLM Proxy DENIED tool call: ${toolBlock.name}`);
+      }
+    }
+    return result;
+  }
+  // ── Utilities ──
+  private readBody(req: IncomingMessage): Promise<string> {
+    return new Promise((resolve, reject) => {
+      const chunks: Buffer[] = [];
+      req.on("data", (chunk) => chunks.push(chunk));
+      req.on("end", () => resolve(Buffer.concat(chunks).toString()));
+      req.on("error", reject);
+    });
+  }
+}

package/src/types.ts CHANGED Viewed

@@ -23,6 +23,15 @@ export interface PluginConfig {
   policyDir?: string;
   defaultPolicy?: "deny-all" | "allow-all";
   verify?: boolean;
+  /** LLM proxy configuration — sits between agent and LLM provider */
+  proxy?: {
+    enabled?: boolean;
+    port?: number;  // default: 19821
+    upstream?: {
+      anthropic?: { url?: string; apiKey: string };
+      openai?: { url?: string; apiKey: string };
+    };
+  };
 }
 export interface ServerConfig {