@clawdreyhepburn/carapace 1.0.3 → 1.0.4
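--- a/package/openclaw.plugin.json
+++ b/package/openclaw.plugin.json
@@ -2,7 +2,7 @@
 "id": "carapace",
 "name": "Carapace",
 "description": "Cedar policy enforcement for agent tool access via before_tool_call hook. Your agent's exoskeleton.",
-"version": "1.0.
+"version": "1.0.4",
 "configSchema": {
 "type": "object",
 "additionalProperties": true,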
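--- a/package/package.json
+++ b/package/package.json
@@ -627,10 +627,21 @@ export class CedarlingEngine {
 let hasForbid = false;
 const reasons: string[] = [];
 
+const principalId = request.principal;
+const actionId = request.action;
+const resourceId = request.resource;
+
 for (const [id, policy] of this.policies) {
-//
-const
-
+// Parse constraints from raw policy text
+const hasPrincipalConstraint = /principal\s*==/.test(policy.raw);
+const hasActionConstraint = /action\s*==/.test(policy.raw);
+const hasResourceConstraint = /resource\s*==/.test(policy.raw);
+
+// Check if this policy matches the request
+// Unconstrained fields match everything (Cedar semantics)
+if (hasPrincipalConstraint && !policy.raw.includes(principalId)) continue;
+if (hasActionConstraint && !policy.raw.includes(actionId)) continue;
+if (hasResourceConstraint && !policy.raw.includes(resourceId)) continue;
 
 if (policy.effect === "forbid") {
 hasForbid = true;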
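Review bot: The three `policy.raw.includes(...)` checks test whether the request id occurs anywhere in the policy text, so an id that is a substring of a longer one, or that appears under a different field or in a comment, counts as a match, and an empty id matches every policy; a permit can then apply to a request it was not written for. The `==`-only regexes also treat Cedar scopes written with `in` or `is` as unconstrained, which turns a group-scoped permit into one that matches every request. I would compare each field with the value bound to it and keep forbids in force when a scope cannot be evaluated, as sketched below; the exact-equality test assumes request ids use the same textual form as the policy, which this hunk does not show, and a real Cedar evaluator would be preferable if the project has one. The loop body continues outside the hunk, and the page labels this section package/package.json although the hunk context is `export class CedarlingEngine`.

```typescript
// … unchanged: hasForbid, reasons, principalId / actionId / resourceId …
for (const [id, policy] of this.policies) {
  // Compare each request field with the value bound to that field, not with the whole policy text.
  const fieldMatches = (field: string, requested: string): boolean => {
    const m = new RegExp(`\\b${field}\\s*(==|in|is)\\s*([^,)]+)`).exec(policy.raw);
    if (m === null) return true; // field is unconstrained
    // `in` / `is` are not evaluated here: keep forbids in force, never grant on a guess.
    if (m[1] !== "==") return policy.effect === "forbid";
    return requested.length > 0 && m[2].trim() === requested;
  };
  if (!fieldMatches("principal", principalId)) continue;
  if (!fieldMatches("action", actionId)) continue;
  if (!fieldMatches("resource", resourceId)) continue;

  // … unchanged: forbid / permit bookkeeping …
```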