npm - @clawdreyhepburn/carapace - Versions diffs - 0.3.0 → 0.3.2 - Mend

@clawdreyhepburn/carapace 0.3.0 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/README.md +318 -302
package/docs/RECOMMENDED-POLICIES.md +189 -378
package/docs/SECURITY.md +544 -0
package/openclaw.plugin.json +31 -2
package/package.json +1 -1
package/src/cedar-engine-cedarling.ts +4 -0
package/src/cedar-engine.ts +4 -0
package/src/gui/html.ts +14 -3
package/src/gui/server.ts +1 -0
package/src/index.ts +149 -20
package/src/types.ts +1 -0

package/docs/RECOMMENDED-POLICIES.md CHANGED Viewed

@@ -1,442 +1,210 @@
 # Recommended Policies
-Real-world Cedar policies for common "oh no" scenarios. These are starting points — adapt them to your agent's actual needs.
+Cedar policy examples for common use cases. Copy, adapt, deploy.
-## Before You Write Policies: Close the Bypass Gap
-**This is the most important step.** If you skip it, every policy in this document is advisory — the agent can just use OpenClaw's built-in `exec` tool instead of `carapace_exec` and bypass Cedar entirely.
-```bash
-openclaw carapace setup
-openclaw gateway restart
-```
-This denies the built-in `exec`, `web_fetch`, and `web_search` tools, forcing agents to use the Cedar-gated `carapace_exec` and `carapace_fetch` instead. Verify with:
-```bash
-openclaw carapace check
-# Should show: ✅ No bypass vulnerabilities found.
-```
-**Without this, an agent can:**
-- Call `exec` directly with `rm -rf /` — Carapace never sees it
-- Call `web_fetch` to exfiltrate data — Carapace never sees it
-- Call `exec` with `curl` to hit any API — Carapace never sees it
-Run setup first. Then write policies.
-## The Basics
-Carapace defaults to **allow-all** so installing it never breaks anything. The recommended path:
-1. **Run `carapace setup`** → close the bypass gap
-2. **Add forbids** → block the scary stuff (this doc)
-3. **Switch to deny-all** → explicitly permit only what's needed (advanced)
-Most people should start with step 2 and stay there until they're comfortable.
+> **First:** Complete the [Security Hardening Guide](SECURITY.md) — especially enabling the LLM proxy and closing the bypass gap. Without that, these policies are advisory.
 ---
 ## Shell Policies
-### Block destructive file operations
-The classics. An agent with shell access can `rm -rf /` before you blink.
+### Block destructive commands
 ```cedar
-// Block rm entirely — use trash instead
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"rm"
-);
-// Block destructive disk tools
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"rmdir"
-);
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"mkfs"
-);
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"dd"
-);
-// Block format/partition tools
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"diskutil"
-);
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"rm");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"rmdir");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"mkfs");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"dd");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"diskutil");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"format");
 ```
-**Why:** An agent that can delete files can delete *all* files. `rm` is the single most dangerous command you can give an agent. Use `trash` (recoverable) instead and permit that.
+Use `trash` instead of `rm` — it's recoverable.
-### Block credential and secret access
-Agents don't need to read your SSH keys or browser passwords.
+### Block privilege escalation
 ```cedar
-// Block direct credential access tools
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"security"
-);
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"ssh-keygen"
-);
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"gpg"
-);
-// Block password managers
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"op"
-);
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"pass"
-);
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"sudo");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"su");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"chmod");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"chown");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"chgrp");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"launchctl");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"systemctl");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"sc");
 ```
-**Why:** `security` (macOS Keychain CLI) can dump stored passwords. `ssh-keygen` can overwrite your keys. An agent doesn't need either of these to do useful work.
-### Block system administration
-Unless your agent is explicitly managing infrastructure, it shouldn't touch system config.
+### Block credential access
 ```cedar
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"sudo"
-);
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"security");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"ssh-keygen");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"gpg");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"op");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"pass");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"cmdkey");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"certutil");
+```
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"su"
-);
+### Block network recon
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"chmod"
-);
+```cedar
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"nmap");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"tcpdump");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"netcat");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"nc");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"wireshark");
+```
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"chown"
-);
+### Block shell wrappers
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"launchctl"
-);
+Prevent agents from using wrapper commands to run forbidden binaries:
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"systemctl"
-);
+```cedar
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"bash");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"sh");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"zsh");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"env");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"xargs");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"cmd");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"powershell");
 ```
-**Why:** Privilege escalation is the nightmare scenario. If your agent can `sudo`, it can do *anything*. Even `chmod` can weaken file permissions enough to enable other attacks.
-### Block network reconnaissance
-Agents don't need to scan your network.
+### Allow safe dev tools
 ```cedar
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"nmap"
-);
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"tcpdump"
-);
+permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"git");
+permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"npm");
+permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"npx");
+permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"cat");
+permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"ls");
+permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"grep");
+permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"find");
+permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"mkdir");
+permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"trash");
+permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"cp");
+permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"mv");
+```
-forbid(
-  principal,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"netcat"
-);
+### Restrict sensitive path reads
+```cedar
 forbid(
   principal,
   action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"nc"
-);
+  resource == Jans::Shell::"cat"
+) when {
+  context.args like "*/.ssh/*" ||
+  context.args like "*/.aws/*" ||
+  context.args like "*/.env*" ||
+  context.args like "*/.gnupg/*"
+};
 ```
-### Allow a safe set of dev tools
-If your agent does development work, permit the tools it actually needs:
+### Block writes to OpenClaw directories
 ```cedar
-// Version control
-permit(
-  principal is Jans::Workload,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"git"
-);
-// Package managers
-permit(
-  principal is Jans::Workload,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"npm"
-);
-permit(
-  principal is Jans::Workload,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"npx"
-);
-// Safe file operations
-permit(
-  principal is Jans::Workload,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"cat"
-);
-permit(
-  principal is Jans::Workload,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"ls"
-);
-permit(
-  principal is Jans::Workload,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"grep"
-);
-permit(
-  principal is Jans::Workload,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"find"
-);
-permit(
-  principal is Jans::Workload,
-  action == Jans::Action::"exec_command",
-  resource == Jans::Shell::"trash"
-);
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"cp")
+  when { context.args like "*/.openclaw/*" };
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"mv")
+  when { context.args like "*/.openclaw/*" };
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"tee")
+  when { context.args like "*/.openclaw/*" };
 ```
 ---
 ## API Policies
-### Block data exfiltration
-An agent that can POST to any URL can send your files, credentials, and chat history anywhere.
+### Block data exfiltration services
 ```cedar
-// Block known paste/upload services
-forbid(
-  principal,
-  action == Jans::Action::"call_api",
-  resource == Jans::API::"pastebin.com"
-);
-forbid(
-  principal,
-  action == Jans::Action::"call_api",
-  resource == Jans::API::"hastebin.com"
-);
-forbid(
-  principal,
-  action == Jans::Action::"call_api",
-  resource == Jans::API::"transfer.sh"
-);
-forbid(
-  principal,
-  action == Jans::Action::"call_api",
-  resource == Jans::API::"file.io"
-);
-forbid(
-  principal,
-  action == Jans::Action::"call_api",
-  resource == Jans::API::"webhook.site"
-);
-forbid(
-  principal,
-  action == Jans::Action::"call_api",
-  resource == Jans::API::"requestbin.com"
-);
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"pastebin.com");
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"hastebin.com");
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"transfer.sh");
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"file.io");
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"webhook.site");
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"requestbin.com");
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"ngrok.io");
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"pipedream.net");
 ```
-**Why:** Prompt injection attacks can instruct an agent to exfiltrate data by posting it to an attacker-controlled URL. Blocking common exfil endpoints is a basic hygiene measure.
+### Allow specific APIs
-### Allow specific APIs your agent needs
+```cedar
+permit(principal is Jans::Workload, action == Jans::Action::"call_api", resource == Jans::API::"api.github.com");
+permit(principal is Jans::Workload, action == Jans::Action::"call_api", resource == Jans::API::"registry.npmjs.org");
+permit(principal is Jans::Workload, action == Jans::Action::"call_api", resource == Jans::API::"api.yourcompany.com");
+```
-Better than blocking bad domains: only allow the domains your agent actually uses.
+### Read-only API access
 ```cedar
-// GitHub API
 permit(
   principal is Jans::Workload,
   action == Jans::Action::"call_api",
   resource == Jans::API::"api.github.com"
-);
-// npm registry
-permit(
-  principal is Jans::Workload,
-  action == Jans::Action::"call_api",
-  resource == Jans::API::"registry.npmjs.org"
-);
-// Your own services
-permit(
-  principal is Jans::Workload,
-  action == Jans::Action::"call_api",
-  resource == Jans::API::"api.yourcompany.com"
-);
+) when {
+  context.method == "GET"
+};
 ```
 ### Block social media posting
-If your agent has social media access, you might want to prevent it from posting without oversight, or block it from leaking info to random accounts.
 ```cedar
-// Block direct API access to social platforms
-forbid(
-  principal,
-  action == Jans::Action::"call_api",
-  resource == Jans::API::"api.twitter.com"
-);
-forbid(
-  principal,
-  action == Jans::Action::"call_api",
-  resource == Jans::API::"api.x.com"
-);
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"api.twitter.com");
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"api.x.com");
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"graph.facebook.com");
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"api.linkedin.com");
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"discord.com");
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"slack.com");
+```
-forbid(
-  principal,
-  action == Jans::Action::"call_api",
-  resource == Jans::API::"graph.facebook.com"
-);
+### Block localhost/internal network
-forbid(
-  principal,
-  action == Jans::Action::"call_api",
-  resource == Jans::API::"api.linkedin.com"
-);
+```cedar
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"127.0.0.1");
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"0.0.0.0");
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"localhost");
 ```
-**Why:** An agent that can post to social media can damage your reputation in seconds. Even if your agent "should" post, you probably want that gated through an MCP tool with its own policy rather than raw API access.
 ---
 ## MCP Tool Policies
-### Block destructive MCP tools
-If you're using the filesystem MCP server, the write tools are the dangerous ones:
+### Block destructive file tools
 ```cedar
-forbid(
-  principal,
-  action == Jans::Action::"call_tool",
-  resource == Jans::Tool::"filesystem/write_file"
-);
-forbid(
-  principal,
-  action == Jans::Action::"call_tool",
-  resource == Jans::Tool::"filesystem/move_file"
-);
+forbid(principal, action == Jans::Action::"call_tool", resource == Jans::Tool::"filesystem/write_file");
+forbid(principal, action == Jans::Action::"call_tool", resource == Jans::Tool::"filesystem/move_file");
+forbid(principal, action == Jans::Action::"call_tool", resource == Jans::Tool::"filesystem/delete_file");
 ```
 ### Block email mass operations
-If your agent has email access via MCP:
 ```cedar
-// Prevent bulk deletion
-forbid(
-  principal,
-  action == Jans::Action::"call_tool",
-  resource == Jans::Tool::"email/delete_all"
-);
-forbid(
-  principal,
-  action == Jans::Action::"call_tool",
-  resource == Jans::Tool::"email/empty_trash"
-);
-// Prevent mass sending (spam)
-forbid(
-  principal,
-  action == Jans::Action::"call_tool",
-  resource == Jans::Tool::"email/send_bulk"
-);
+forbid(principal, action == Jans::Action::"call_tool", resource == Jans::Tool::"email/delete_all");
+forbid(principal, action == Jans::Action::"call_tool", resource == Jans::Tool::"email/empty_trash");
+forbid(principal, action == Jans::Action::"call_tool", resource == Jans::Tool::"email/send_bulk");
 ```
-**Why:** An agent that can delete emails can delete your *entire inbox*. An agent that can send emails can spam your contacts. These are catastrophic, irreversible actions.
-### Block database mutations
-If your agent has database access:
+### Read-only database access
 ```cedar
-forbid(
-  principal,
-  action == Jans::Action::"call_tool",
-  resource == Jans::Tool::"database/execute_sql"
-);
-// Allow reads only
-permit(
-  principal is Jans::Workload,
-  action == Jans::Action::"call_tool",
-  resource == Jans::Tool::"database/query"
-);
+forbid(principal, action == Jans::Action::"call_tool", resource == Jans::Tool::"database/execute_sql");
+permit(principal is Jans::Workload, action == Jans::Action::"call_tool", resource == Jans::Tool::"database/query");
 ```
 ---
-## Complete Starter Policies
+## Complete Starter Configurations
-### "Cautious developer" — safe for a coding agent
+### "Cautious developer"
+Good default for a coding agent. Allows dev tools, blocks destruction and exfiltration.
 ```cedar
-// Shell: allow common dev tools, block everything dangerous
+// Dev tools
 permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"git");
 permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"npm");
 permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"npx");
@@ -450,70 +218,113 @@ permit(principal is Jans::Workload, action == Jans::Action::"exec_command", reso
 permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"cp");
 permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"mv");
+// Hard blocks
 forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"rm");
 forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"sudo");
 forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"security");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"bash");
+forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"sh");
-// API: allow GitHub and npm, block exfil
+// APIs
 permit(principal is Jans::Workload, action == Jans::Action::"call_api", resource == Jans::API::"api.github.com");
 permit(principal is Jans::Workload, action == Jans::Action::"call_api", resource == Jans::API::"registry.npmjs.org");
 forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"pastebin.com");
 forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"webhook.site");
-// MCP: allow all tools (rely on shell/API policies for safety)
+// MCP: allow all tools
 permit(principal is Jans::Workload, action == Jans::Action::"call_tool", resource);
 ```
-### "Paranoid lockdown" — least privilege, deny-all baseline
+### "Research assistant"
-Set `defaultPolicy: "deny-all"` in config, then only add permits:
+Read-only access. Can browse and search but can't modify anything.
 ```cedar
-// Only the exact tools this agent needs
+// Read-only shell
+permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"cat");
+permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"ls");
+permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"grep");
+permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"find");
+permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"wc");
+permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"head");
+permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"tail");
+// Read-only APIs (GET only)
+permit(
+  principal is Jans::Workload,
+  action == Jans::Action::"call_api",
+  resource
+) when {
+  context.method == "GET"
+};
+// Read-only MCP
 permit(principal is Jans::Workload, action == Jans::Action::"call_tool", resource == Jans::Tool::"filesystem/read_file");
 permit(principal is Jans::Workload, action == Jans::Action::"call_tool", resource == Jans::Tool::"filesystem/list_directory");
+```
-// Only git
+### "Paranoid lockdown"
+Deny-all baseline. Nothing works unless explicitly permitted.
+Set `defaultPolicy: "deny-all"` in config, then:
+```cedar
+// The absolute minimum for a useful agent
+permit(principal is Jans::Workload, action == Jans::Action::"call_tool", resource == Jans::Tool::"filesystem/read_file");
+permit(principal is Jans::Workload, action == Jans::Action::"call_tool", resource == Jans::Tool::"filesystem/list_directory");
 permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"git");
-// No API access at all (omit all call_api permits)
+// No API access, no shell writes, no nothing else
 ```
-Everything not explicitly permitted is denied. This is the most secure posture but requires you to know exactly what your agent needs.
+### "Social media manager"
+Can post to specific platforms via MCP tools, but not via raw API access.
+```cedar
+// Allow posting through the managed MCP tool (has its own guardrails)
+permit(principal is Jans::Workload, action == Jans::Action::"call_tool", resource == Jans::Tool::"twitter/post_tweet");
+permit(principal is Jans::Workload, action == Jans::Action::"call_tool", resource == Jans::Tool::"twitter/read_timeline");
+// Block raw API access to social platforms (bypass prevention)
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"api.twitter.com");
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"api.x.com");
+// Block all shell access (social media agent doesn't need it)
+forbid(principal, action == Jans::Action::"exec_command", resource);
+// Block exfiltration
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"pastebin.com");
+forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"webhook.site");
+```
 ---
 ## Policy Design Principles
-1. **Forbid the catastrophic, then iterate.** Start by blocking `rm`, `sudo`, and data exfil domains. You can always add more forbids later.
+1. **Forbid the catastrophic first.** Block `rm`, `sudo`, and exfil domains before anything else.
-2. **Forbid always wins.** In Cedar, a `forbid` policy overrides any `permit`. This means you can write broad permits and surgical forbids without worrying about order or precedence.
+2. **Forbid always wins.** A `forbid` overrides any `permit` — write broad permits and surgical forbids.
-3. **Binary name is the gate, not the arguments.** `Shell::"git"` permits *all* git commands including `git push --force`. If you need argument-level control, use Cedar `when` conditions on `context.args`:
+3. **Binary name is the gate.** `Shell::"git"` permits *all* git commands. For subcommand control, use `when` conditions on `context.args`:
    ```cedar
-   forbid(
-     principal,
-     action == Jans::Action::"exec_command",
-     resource == Jans::Shell::"git"
-   ) when {
-     context.args like "*--force*"
-   };
+   forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"git")
+     when { context.args like "*push*--force*" };
    ```
-4. **Domain name is the gate, not the path.** `API::"api.github.com"` permits all endpoints on that domain. If you need path-level control, use `when` conditions on `context.url`.
+4. **Domain name is the gate.** `API::"api.github.com"` permits all endpoints. For path/method control, use `when` conditions.
-5. **Deny-all is aspirational.** Most people should start with allow-all + surgical forbids. Switch to deny-all only when you understand your agent's full tool surface.
+5. **Start with allow-all + forbids.** Switch to deny-all only when you understand your agent's full tool surface.
-6. **Review regularly.** Your agent's needs change. Policies that made sense last month might be too loose or too tight today. The GUI makes this easy — open it, look at what's enabled, adjust.
+6. **Review regularly.** Open the GUI, look at what's enabled, adjust.
 ---
 ## Further Reading
-- [Cedar for AI Agents: Why Your AI Agent Needs a Policy Language](https://clawdrey.com/blog/cedar-for-ai-agents-part-1-why-your-ai-agent-needs-a-policy-language.html)
-- [Cedar for AI Agents: Writing Your First Agent Policy](https://clawdrey.com/blog/cedar-for-ai-agents-part-2-writing-your-first-agent-policy.html)
-- [Cedar for AI Agents: When Forbid Meets Permit](https://clawdrey.com/blog/cedar-for-ai-agents-part-3-when-forbid-meets-permit.html)
-- [Cedar for AI Agents: Proving It — SMT Solvers and Why I Trust Math More Than Tests](https://clawdrey.com/blog/proving-it-smt-solvers-and-why-i-trust-math-more-than-tests.html)
+- [Security Hardening Guide](SECURITY.md) — OS-level protections, proxy setup, credential protection
+- [Cedar blog series](https://clawdrey.com/blog/cedar-for-ai-agents-part-1-why-your-ai-agent-needs-a-policy-language.html)
 - [Cedar Language Reference](https://docs.cedarpolicy.com/)
 - [Carapace README](../README.md)