@clawdstrike/openclaw 0.1.0

package/README.md

@@ -0,0 +1,7 @@
+# @backbay/clawdstrike-security
+
+Clawdstrike security plugin for OpenClaw.
+
+## Getting started
+
+See `packages/adapters/clawdstrike-openclaw/docs/getting-started.md`.

package/dist/audit/store.d.ts

@@ -0,0 +1,26 @@
+export interface AuditEvent {
+    id: string;
+    timestamp: number;
+    type: string;
+    resource: string;
+    decision: 'allowed' | 'denied';
+    guard?: string;
+    reason?: string;
+    runId?: string;
+}
+export declare class AuditStore {
+    private path;
+    private events;
+    constructor(path?: string);
+    private load;
+    append(event: Omit<AuditEvent, 'id' | 'timestamp'>): AuditEvent;
+    query(options?: {
+        since?: number;
+        guard?: string;
+        denied?: boolean;
+        limit?: number;
+    }): AuditEvent[];
+    getById(id: string): AuditEvent | undefined;
+    clear(): void;
+}
+//# sourceMappingURL=store.d.ts.map

package/dist/audit/store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../src/audit/store.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,SAAS,GAAG,QAAQ,CAAC;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,UAAU;IACrB,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,MAAM,CAAoB;gBAEtB,IAAI,GAAE,MAA4B;IAK9C,OAAO,CAAC,IAAI;IAUZ,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,GAAG,WAAW,CAAC,GAAG,UAAU;IAiB/D,KAAK,CAAC,OAAO,GAAE;QACb,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,KAAK,CAAC,EAAE,MAAM,CAAC;KACX,GAAG,UAAU,EAAE;IAmBrB,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS;IAI3C,KAAK,IAAI,IAAI;CAMd"}

package/dist/audit/store.js

@@ -0,0 +1,59 @@
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'fs';
+import { dirname } from 'path';
+export class AuditStore {
+    path;
+    events = [];
+    constructor(path = '.hush/audit.jsonl') {
+        this.path = path;
+        this.load();
+    }
+    load() {
+        if (existsSync(this.path)) {
+            const content = readFileSync(this.path, 'utf-8');
+            this.events = content
+                .split('\n')
+                .filter(line => line.trim())
+                .map(line => JSON.parse(line));
+        }
+    }
+    append(event) {
+        const fullEvent = {
+            ...event,
+            id: `evt-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+            timestamp: Date.now(),
+        };
+        this.events.push(fullEvent);
+        const dir = dirname(this.path);
+        if (!existsSync(dir)) {
+            mkdirSync(dir, { recursive: true });
+        }
+        writeFileSync(this.path, this.events.map(e => JSON.stringify(e)).join('\n') + '\n');
+        return fullEvent;
+    }
+    query(options = {}) {
+        let results = [...this.events];
+        if (options.since) {
+            results = results.filter(e => e.timestamp >= options.since);
+        }
+        if (options.guard) {
+            results = results.filter(e => e.guard === options.guard);
+        }
+        if (options.denied) {
+            results = results.filter(e => e.decision === 'denied');
+        }
+        if (options.limit) {
+            results = results.slice(-options.limit);
+        }
+        return results;
+    }
+    getById(id) {
+        return this.events.find(e => e.id === id);
+    }
+    clear() {
+        this.events = [];
+        if (existsSync(this.path)) {
+            writeFileSync(this.path, '');
+        }
+    }
+}
+//# sourceMappingURL=store.js.map

package/dist/audit/store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.js","sourceRoot":"","sources":["../../src/audit/store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AACxE,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAa/B,MAAM,OAAO,UAAU;IACb,IAAI,CAAS;IACb,MAAM,GAAiB,EAAE,CAAC;IAElC,YAAY,OAAe,mBAAmB;QAC5C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAEO,IAAI;QACV,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACjD,IAAI,CAAC,MAAM,GAAG,OAAO;iBAClB,KAAK,CAAC,IAAI,CAAC;iBACX,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;iBAC3B,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,MAAM,CAAC,KAA2C;QAChD,MAAM,SAAS,GAAe;YAC5B,GAAG,KAAK;YACR,EAAE,EAAE,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;YACjE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAE5B,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;QACD,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;QAEpF,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,UAKF,EAAE;QACJ,IAAI,OAAO,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;QAE/B,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,OAAO,CAAC,KAAM,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,OAAO,CAAC,KAAK,CAAC,CAAC;QAC3D,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;QACzD,CAAC;QACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC1C,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,OAAO,CAAC,EAAU;QAChB,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK;QACH,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC;QACjB,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;CACF"}

package/dist/cli/bin.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=bin.d.ts.map

package/dist/cli/bin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bin.d.ts","sourceRoot":"","sources":["../../src/cli/bin.ts"],"names":[],"mappings":""}

package/dist/cli/bin.js

@@ -0,0 +1,5 @@
+#!/usr/bin/env node
+import { createCli } from './index.js';
+const program = createCli();
+program.parse();
+//# sourceMappingURL=bin.js.map

package/dist/cli/bin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bin.js","sourceRoot":"","sources":["../../src/cli/bin.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC,MAAM,OAAO,GAAG,SAAS,EAAE,CAAC;AAC5B,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/cli/commands/audit.d.ts

@@ -0,0 +1,19 @@
+interface QueryOptions {
+    since?: string;
+    guard?: string;
+    denied?: boolean;
+    auditPath?: string;
+}
+interface ExplainOptions {
+    auditPath?: string;
+}
+interface ExportOptions {
+    auditPath?: string;
+}
+export declare const auditCommands: {
+    query(options?: QueryOptions): Promise<void>;
+    explain(eventId: string, options?: ExplainOptions): Promise<void>;
+    export(file: string, options?: ExportOptions): Promise<void>;
+};
+export {};
+//# sourceMappingURL=audit.d.ts.map

package/dist/cli/commands/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/audit.ts"],"names":[],"mappings":"AAGA,UAAU,YAAY;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,cAAc;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,aAAa;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,eAAO,MAAM,aAAa;oBACH,YAAY,GAAQ,OAAO,CAAC,IAAI,CAAC;qBAwC/B,MAAM,YAAW,cAAc,GAAQ,OAAO,CAAC,IAAI,CAAC;iBAyDxD,MAAM,YAAW,aAAa,GAAQ,OAAO,CAAC,IAAI,CAAC;CAOvE,CAAC"}

package/dist/cli/commands/audit.js

@@ -0,0 +1,93 @@
+import { writeFileSync } from 'fs';
+import { AuditStore } from '../../audit/store.js';
+export const auditCommands = {
+    async query(options = {}) {
+        const store = new AuditStore(options.auditPath || '.hush/audit.jsonl');
+        const queryOptions = {
+            limit: 50,
+        };
+        if (options.since) {
+            const sinceDate = new Date(options.since);
+            queryOptions.since = sinceDate.getTime();
+        }
+        if (options.guard) {
+            queryOptions.guard = options.guard;
+        }
+        if (options.denied) {
+            queryOptions.denied = true;
+        }
+        const events = store.query(queryOptions);
+        if (events.length === 0) {
+            console.log('No audit events found');
+            return;
+        }
+        console.log('Audit Events:');
+        console.log('=============');
+        for (const event of events) {
+            const date = new Date(event.timestamp).toISOString();
+            const status = event.decision === 'allowed' ? 'ALLOWED' : 'DENIED';
+            console.log(`\n[${date}] ${event.id}`);
+            console.log(`  Action: ${event.type}`);
+            console.log(`  Resource: ${event.resource}`);
+            console.log(`  Decision: ${status}`);
+            if (event.guard)
+                console.log(`  Guard: ${event.guard}`);
+            if (event.reason)
+                console.log(`  Reason: ${event.reason}`);
+        }
+    },
+    async explain(eventId, options = {}) {
+        const store = new AuditStore(options.auditPath || '.hush/audit.jsonl');
+        const event = store.getById(eventId);
+        if (!event) {
+            console.log(`Event ${eventId} not found`);
+            return;
+        }
+        console.log('Event Details');
+        console.log('=============');
+        console.log(`\nEvent ID:    ${event.id}`);
+        console.log(`Timestamp:   ${new Date(event.timestamp).toISOString()}`);
+        console.log(`Action:      ${event.type}`);
+        console.log(`Resource:    ${event.resource}`);
+        console.log(`Decision:    ${event.decision === 'allowed' ? 'ALLOWED' : 'DENIED'}`);
+        if (event.guard) {
+            console.log(`\nGuard:       ${event.guard}`);
+        }
+        if (event.reason) {
+            console.log(`Reason:      ${event.reason}`);
+        }
+        if (event.decision === 'denied') {
+            console.log('\nRemediation:');
+            console.log('------------');
+            const guard = (event.guard || '').trim();
+            if (guard === 'forbidden_path' || guard === 'ForbiddenPathGuard') {
+                console.log('This path is protected by the forbidden_path guard.');
+                console.log('To allow access, remove it from filesystem.forbidden_paths in your policy.');
+                return;
+            }
+            if (guard === 'egress' || guard === 'EgressAllowlistGuard') {
+                console.log('This domain is blocked by the egress policy.');
+                console.log('To allow access, add it to egress.allowed_domains (or change egress.mode) in your policy.');
+                return;
+            }
+            if (guard === 'secret_leak' || guard === 'SecretLeakGuard') {
+                console.log('Tool output contained a value that looks like a secret.');
+                console.log('Remove/redact secrets from tool output or adjust your workflow to avoid printing credentials.');
+                return;
+            }
+            if (guard === 'patch_integrity' || guard === 'PatchIntegrityGuard') {
+                console.log('The patch/command matched a dangerous pattern.');
+                console.log('Avoid unsafe commands/patterns (e.g., curl|bash, rm -rf /) or update execution.denied_patterns.');
+                return;
+            }
+            console.log('Review your policy configuration to understand why this was blocked.');
+        }
+    },
+    async export(file, options = {}) {
+        const store = new AuditStore(options.auditPath || '.hush/audit.jsonl');
+        const events = store.query({});
+        writeFileSync(file, JSON.stringify(events, null, 2));
+        console.log(`Exported ${events.length} events to ${file}`);
+    },
+};
+//# sourceMappingURL=audit.js.map

package/dist/cli/commands/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../../src/cli/commands/audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;AACnC,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAiBlD,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,KAAK,CAAC,KAAK,CAAC,UAAwB,EAAE;QACpC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,SAAS,IAAI,mBAAmB,CAAC,CAAC;QAEvE,MAAM,YAAY,GAAyE;YACzF,KAAK,EAAE,EAAE;SACV,CAAC;QAEF,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC1C,YAAY,CAAC,KAAK,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC;QAC3C,CAAC;QACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,YAAY,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QACrC,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,YAAY,CAAC,MAAM,GAAG,IAAI,CAAC;QAC7B,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAEzC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;YACrC,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAE7B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;YACrD,MAAM,MAAM,GAAG,KAAK,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC;YACnE,OAAO,CAAC,GAAG,CAAC,MAAM,IAAI,KAAK,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;YACvC,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;YACvC,OAAO,CAAC,GAAG,CAAC,eAAe,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC7C,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,EAAE,CAAC,CAAC;YACrC,IAAI,KAAK,CAAC,KAAK;gBAAE,OAAO,CAAC,GAAG,CAAC,YAAY,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YACxD,IAAI,KAAK,CAAC,MAAM;gBAAE,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,OAAe,EAAE,UAA0B,EAAE;QACzD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,SAAS,IAAI,mBAAmB,CAAC,CAAC;QACvE,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAErC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,GAAG,CAAC,SAAS,OAAO,YAAY,CAAC,CAAC;YAC1C,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QACvE,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QAEnF,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAC9C,CAAC;QAED,IAAI,KAAK,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAC5B,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAEzC,IAAI,KAAK,KAAK,gBAAgB,IAAI,KAAK,KAAK,oBAAoB,EAAE,CAAC;gBACjE,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;gBACnE,OAAO,CAAC,GAAG,CAAC,4EAA4E,CAAC,CAAC;gBAC1F,OAAO;YACT,CAAC;YAED,IAAI,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,sBAAsB,EAAE,CAAC;gBAC3D,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;gBAC5D,OAAO,CAAC,GAAG,CAAC,2FAA2F,CAAC,CAAC;gBACzG,OAAO;YACT,CAAC;YAED,IAAI,KAAK,KAAK,aAAa,IAAI,KAAK,KAAK,iBAAiB,EAAE,CAAC;gBAC3D,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC;gBACvE,OAAO,CAAC,GAAG,CAAC,+FAA+F,CAAC,CAAC;gBAC7G,OAAO;YACT,CAAC;YAED,IAAI,KAAK,KAAK,iBAAiB,IAAI,KAAK,KAAK,qBAAqB,EAAE,CAAC;gBACnE,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAC;gBAC9D,OAAO,CAAC,GAAG,CAAC,iGAAiG,CAAC,CAAC;gBAC/G,OAAO;YACT,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,IAAY,EAAE,UAAyB,EAAE;QACpD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,SAAS,IAAI,mBAAmB,CAAC,CAAC;QACvE,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAE/B,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,MAAM,cAAc,IAAI,EAAE,CAAC,CAAC;IAC7D,CAAC;CACF,CAAC"}

package/dist/cli/commands/policy.d.ts

@@ -0,0 +1,11 @@
+export declare const policyCommands: {
+    lint(file: string): Promise<void>;
+    show(options?: {
+        policy?: string;
+    }): Promise<void>;
+    test(eventFile: string, options?: {
+        policy?: string;
+    }): Promise<void>;
+    diff(file1: string, file2: string): Promise<void>;
+};
+//# sourceMappingURL=policy.d.ts.map

package/dist/cli/commands/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/policy.ts"],"names":[],"mappings":"AAMA,eAAO,MAAM,cAAc;eACR,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;mBA4BnB;QAAE,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GAAQ,OAAO,CAAC,IAAI,CAAC;oBAatC,MAAM,YAAW;QAAE,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GAAQ,OAAO,CAAC,IAAI,CAAC;gBAmB7D,MAAM,SAAS,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAsCxD,CAAC"}

package/dist/cli/commands/policy.js

@@ -0,0 +1,101 @@
+import { readFileSync } from 'fs';
+import { loadPolicy, loadPolicyFromString } from '../../policy/loader.js';
+import { validatePolicy } from '../../policy/validator.js';
+import { PolicyEngine } from '../../policy/engine.js';
+export const policyCommands = {
+    async lint(file) {
+        try {
+            const content = readFileSync(file, 'utf-8');
+            const policy = loadPolicyFromString(content);
+            const result = validatePolicy(policy);
+            if (result.valid) {
+                console.log('Policy is valid');
+                console.log(`   Version: ${policy.version || 'unspecified'}`);
+                const guards = Object.keys(policy).filter(k => !['version', 'on_violation', 'extends'].includes(k));
+                console.log(`   Guards: ${guards.join(', ') || 'none'}`);
+                if (result.warnings.length > 0) {
+                    console.log('\nWarnings:');
+                    result.warnings.forEach(w => console.log(`   - ${w}`));
+                }
+            }
+            else {
+                console.log('Policy validation failed:');
+                result.errors.forEach(err => console.log(`   - ${err}`));
+                process.exit(1);
+            }
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.log(`Failed to read policy file: ${message}`);
+            process.exit(1);
+        }
+    },
+    async show(options = {}) {
+        try {
+            const policyPath = options.policy || '.hush/policy.yaml';
+            const policy = loadPolicy(policyPath);
+            console.log('Current policy:');
+            console.log(JSON.stringify(policy, null, 2));
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.log(`Failed to load policy: ${message}`);
+            process.exit(1);
+        }
+    },
+    async test(eventFile, options = {}) {
+        try {
+            const policyPath = options.policy || '.hush/policy.yaml';
+            const event = JSON.parse(readFileSync(eventFile, 'utf-8'));
+            const engine = new PolicyEngine({ policy: policyPath });
+            const decision = await engine.evaluate(event);
+            console.log('Decision:', decision.allowed ? 'ALLOWED' : 'DENIED');
+            if (decision.reason)
+                console.log('Reason:', decision.reason);
+            if (decision.guard)
+                console.log('Guard:', decision.guard);
+            if (decision.severity)
+                console.log('Severity:', decision.severity);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.log(`Failed to test event: ${message}`);
+            process.exit(1);
+        }
+    },
+    async diff(file1, file2) {
+        try {
+            const p1 = loadPolicy(file1);
+            const p2 = loadPolicy(file2);
+            console.log('Policy Diff:');
+            console.log('============');
+            // Compare egress
+            if (JSON.stringify(p1.egress) !== JSON.stringify(p2.egress)) {
+                console.log('\nEgress:');
+                console.log('  File 1:', JSON.stringify(p1.egress || {}));
+                console.log('  File 2:', JSON.stringify(p2.egress || {}));
+            }
+            // Compare filesystem
+            if (JSON.stringify(p1.filesystem) !== JSON.stringify(p2.filesystem)) {
+                console.log('\nFilesystem:');
+                console.log('  File 1:', JSON.stringify(p1.filesystem || {}));
+                console.log('  File 2:', JSON.stringify(p2.filesystem || {}));
+            }
+            // Compare on_violation
+            if (p1.on_violation !== p2.on_violation) {
+                console.log('\nOn Violation:');
+                console.log('  File 1:', p1.on_violation || 'default');
+                console.log('  File 2:', p2.on_violation || 'default');
+            }
+            if (JSON.stringify(p1) === JSON.stringify(p2)) {
+                console.log('Policies are identical');
+            }
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.log(`Failed to diff policies: ${message}`);
+            process.exit(1);
+        }
+    },
+};
+//# sourceMappingURL=policy.js.map

package/dist/cli/commands/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../src/cli/commands/policy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAC1E,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAGtD,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,KAAK,CAAC,IAAI,CAAC,IAAY;QACrB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC5C,MAAM,MAAM,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;YAC7C,MAAM,MAAM,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;YAEtC,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;gBAC/B,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,OAAO,IAAI,aAAa,EAAE,CAAC,CAAC;gBAC9D,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,EAAE,cAAc,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;gBACpG,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM,EAAE,CAAC,CAAC;gBAEzD,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC/B,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;oBAC3B,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;gBACzC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,GAAG,EAAE,CAAC,CAAC,CAAC;gBACzD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,GAAG,CAAC,+BAA+B,OAAO,EAAE,CAAC,CAAC;YACtD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,UAA+B,EAAE;QAC1C,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,IAAI,mBAAmB,CAAC;YACzD,MAAM,MAAM,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;YAC/B,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,GAAG,CAAC,0BAA0B,OAAO,EAAE,CAAC,CAAC;YACjD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,SAAiB,EAAE,UAA+B,EAAE;QAC7D,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,IAAI,mBAAmB,CAAC;YACzD,MAAM,KAAK,GAAgB,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;YAExE,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;YACxD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAE9C,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;YAClE,IAAI,QAAQ,CAAC,MAAM;gBAAE,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC7D,IAAI,QAAQ,CAAC,KAAK;gBAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC1D,IAAI,QAAQ,CAAC,QAAQ;gBAAE,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACrE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,GAAG,CAAC,yBAAyB,OAAO,EAAE,CAAC,CAAC;YAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAa,EAAE,KAAa;QACrC,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;YAC7B,MAAM,EAAE,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;YAE7B,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAC5B,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAE5B,iBAAiB;YACjB,IAAI,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC5D,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBACzB,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC;gBAC1D,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC;YAC5D,CAAC;YAED,qBAAqB;YACrB,IAAI,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC;gBACpE,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;gBAC7B,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,CAAC;gBAC9D,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,CAAC;YAChE,CAAC;YAED,uBAAuB;YACvB,IAAI,EAAE,CAAC,YAAY,KAAK,EAAE,CAAC,YAAY,EAAE,CAAC;gBACxC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;gBAC/B,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC,YAAY,IAAI,SAAS,CAAC,CAAC;gBACvD,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC,YAAY,IAAI,SAAS,CAAC,CAAC;YACzD,CAAC;YAED,IAAI,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,EAAE,CAAC;gBAC9C,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,GAAG,CAAC,4BAA4B,OAAO,EAAE,CAAC,CAAC;YACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/cli/index.d.ts

@@ -0,0 +1,4 @@
+import { Command } from 'commander';
+export declare function registerCli(program: Command): void;
+export declare function createCli(): Command;
+//# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIpC,wBAAgB,WAAW,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAmDlD;AAED,wBAAgB,SAAS,IAAI,OAAO,CAqDnC"}

package/dist/cli/index.js

@@ -0,0 +1,91 @@
+import { Command } from 'commander';
+import { policyCommands } from './commands/policy.js';
+import { auditCommands } from './commands/audit.js';
+export function registerCli(program) {
+    const clawdstrike = program
+        .command('clawdstrike')
+        .description('Clawdstrike security management');
+    // Policy commands
+    const policy = clawdstrike.command('policy').description('Policy management');
+    policy
+        .command('lint <file>')
+        .description('Validate a policy file')
+        .action(policyCommands.lint);
+    policy
+        .command('show')
+        .option('-p, --policy <path>', 'Policy file path')
+        .description('Show the current effective policy')
+        .action((options) => policyCommands.show(options));
+    policy
+        .command('test <event-file>')
+        .option('-p, --policy <path>', 'Policy file path')
+        .description('Test an event against the current policy')
+        .action((eventFile, options) => policyCommands.test(eventFile, options));
+    policy
+        .command('diff <file1> <file2>')
+        .description('Compare two policy files')
+        .action(policyCommands.diff);
+    // Audit commands
+    const audit = clawdstrike.command('audit').description('Audit log management');
+    audit
+        .command('query')
+        .option('-s, --since <time>', 'Start time (ISO format)')
+        .option('-g, --guard <name>', 'Filter by guard')
+        .option('-d, --denied', 'Only show denied events')
+        .description('Query the audit log')
+        .action((options) => auditCommands.query(options));
+    audit
+        .command('export <file>')
+        .description('Export audit log to file')
+        .action((file, options) => auditCommands.export(file, options));
+    // Quick commands
+    clawdstrike
+        .command('why <event-id>')
+        .description('Explain why an event was blocked')
+        .action((eventId, options) => auditCommands.explain(eventId, options));
+}
+export function createCli() {
+    const program = new Command();
+    program
+        .name('clawdstrike')
+        .description('Clawdstrike security CLI')
+        .version('0.1.0');
+    // Register commands directly on root
+    const policy = program.command('policy').description('Policy management');
+    policy
+        .command('lint <file>')
+        .description('Validate a policy file')
+        .action(policyCommands.lint);
+    policy
+        .command('show')
+        .option('-p, --policy <path>', 'Policy file path')
+        .description('Show the current effective policy')
+        .action((options) => policyCommands.show(options));
+    policy
+        .command('test <event-file>')
+        .option('-p, --policy <path>', 'Policy file path')
+        .description('Test an event against the current policy')
+        .action((eventFile, options) => policyCommands.test(eventFile, options));
+    policy
+        .command('diff <file1> <file2>')
+        .description('Compare two policy files')
+        .action(policyCommands.diff);
+    const audit = program.command('audit').description('Audit log management');
+    audit
+        .command('query')
+        .option('-s, --since <time>', 'Start time')
+        .option('-g, --guard <name>', 'Filter by guard')
+        .option('-d, --denied', 'Only show denied events')
+        .description('Query the audit log')
+        .action((options) => auditCommands.query(options));
+    audit
+        .command('export <file>')
+        .description('Export audit log to file')
+        .action((file, options) => auditCommands.export(file, options));
+    program
+        .command('why <event-id>')
+        .description('Explain why an event was blocked')
+        .action((eventId, options) => auditCommands.explain(eventId, options));
+    return program;
+}
+//# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEpD,MAAM,UAAU,WAAW,CAAC,OAAgB;IAC1C,MAAM,WAAW,GAAG,OAAO;SACxB,OAAO,CAAC,aAAa,CAAC;SACtB,WAAW,CAAC,iCAAiC,CAAC,CAAC;IAElD,kBAAkB;IAClB,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,CAAC,mBAAmB,CAAC,CAAC;IAE9E,MAAM;SACH,OAAO,CAAC,aAAa,CAAC;SACtB,WAAW,CAAC,wBAAwB,CAAC;SACrC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;IAE/B,MAAM;SACH,OAAO,CAAC,MAAM,CAAC;SACf,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC;SACjD,WAAW,CAAC,mCAAmC,CAAC;SAChD,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAErD,MAAM;SACH,OAAO,CAAC,mBAAmB,CAAC;SAC5B,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC;SACjD,WAAW,CAAC,0CAA0C,CAAC;SACvD,MAAM,CAAC,CAAC,SAAS,EAAE,OAAO,EAAE,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;IAE3E,MAAM;SACH,OAAO,CAAC,sBAAsB,CAAC;SAC/B,WAAW,CAAC,0BAA0B,CAAC;SACvC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;IAE/B,iBAAiB;IACjB,MAAM,KAAK,GAAG,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,sBAAsB,CAAC,CAAC;IAE/E,KAAK;SACF,OAAO,CAAC,OAAO,CAAC;SAChB,MAAM,CAAC,oBAAoB,EAAE,yBAAyB,CAAC;SACvD,MAAM,CAAC,oBAAoB,EAAE,iBAAiB,CAAC;SAC/C,MAAM,CAAC,cAAc,EAAE,yBAAyB,CAAC;SACjD,WAAW,CAAC,qBAAqB,CAAC;SAClC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;IAErD,KAAK;SACF,OAAO,CAAC,eAAe,CAAC;SACxB,WAAW,CAAC,0BAA0B,CAAC;SACvC,MAAM,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;IAElE,iBAAiB;IACjB,WAAW;SACR,OAAO,CAAC,gBAAgB,CAAC;SACzB,WAAW,CAAC,kCAAkC,CAAC;SAC/C,MAAM,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,CAAC,aAAa,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;AAC3E,CAAC;AAED,MAAM,UAAU,SAAS;IACvB,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;IAC9B,OAAO;SACJ,IAAI,CAAC,aAAa,CAAC;SACnB,WAAW,CAAC,0BAA0B,CAAC;SACvC,OAAO,CAAC,OAAO,CAAC,CAAC;IAEpB,qCAAqC;IACrC,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,CAAC,mBAAmB,CAAC,CAAC;IAE1E,MAAM;SACH,OAAO,CAAC,aAAa,CAAC;SACtB,WAAW,CAAC,wBAAwB,CAAC;SACrC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;IAE/B,MAAM;SACH,OAAO,CAAC,MAAM,CAAC;SACf,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC;SACjD,WAAW,CAAC,mCAAmC,CAAC;SAChD,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAErD,MAAM;SACH,OAAO,CAAC,mBAAmB,CAAC;SAC5B,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC;SACjD,WAAW,CAAC,0CAA0C,CAAC;SACvD,MAAM,CAAC,CAAC,SAAS,EAAE,OAAO,EAAE,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;IAE3E,MAAM;SACH,OAAO,CAAC,sBAAsB,CAAC;SAC/B,WAAW,CAAC,0BAA0B,CAAC;SACvC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;IAE/B,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,sBAAsB,CAAC,CAAC;IAE3E,KAAK;SACF,OAAO,CAAC,OAAO,CAAC;SAChB,MAAM,CAAC,oBAAoB,EAAE,YAAY,CAAC;SAC1C,MAAM,CAAC,oBAAoB,EAAE,iBAAiB,CAAC;SAC/C,MAAM,CAAC,cAAc,EAAE,yBAAyB,CAAC;SACjD,WAAW,CAAC,qBAAqB,CAAC;SAClC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;IAErD,KAAK;SACF,OAAO,CAAC,eAAe,CAAC;SACxB,WAAW,CAAC,0BAA0B,CAAC;SACvC,MAAM,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;IAElE,OAAO;SACJ,OAAO,CAAC,gBAAgB,CAAC;SACzB,WAAW,CAAC,kCAAkC,CAAC;SAC/C,MAAM,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,CAAC,aAAa,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;IAEzE,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/config.d.ts

@@ -0,0 +1,27 @@
+/**
+ * @clawdstrike/openclaw - Configuration
+ *
+ * Configuration handling and defaults for the Clawdstrike plugin.
+ */
+import type { ClawdstrikeConfig } from './types.js';
+/**
+ * Default configuration values
+ */
+export declare const DEFAULT_CONFIG: Required<ClawdstrikeConfig>;
+/**
+ * Merge user config with defaults
+ */
+export declare function mergeConfig(userConfig?: ClawdstrikeConfig): Required<ClawdstrikeConfig>;
+/**
+ * Validate configuration values
+ */
+export declare function validateConfig(config: ClawdstrikeConfig): string[];
+/**
+ * Resolve built-in policy name to file path
+ */
+export declare function resolveBuiltinPolicy(name: string): string | null;
+/**
+ * Check if a policy name is a built-in policy
+ */
+export declare function isBuiltinPolicy(name: string): boolean;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,iBAAiB,EAIlB,MAAM,YAAY,CAAC;AAEpB;;GAEG;AACH,eAAO,MAAM,cAAc,EAAE,QAAQ,CAAC,iBAAiB,CAWtD,CAAC;AAEF;;GAEG;AACH,wBAAgB,WAAW,CACzB,UAAU,GAAE,iBAAsB,GACjC,QAAQ,CAAC,iBAAiB,CAAC,CAO7B;AAmBD;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,iBAAiB,GAAG,MAAM,EAAE,CAYlE;AAgBD;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAQhE;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAErD"}

package/dist/config.js

@@ -0,0 +1,88 @@
+/**
+ * @clawdstrike/openclaw - Configuration
+ *
+ * Configuration handling and defaults for the Clawdstrike plugin.
+ */
+/**
+ * Default configuration values
+ */
+export const DEFAULT_CONFIG = {
+    policy: 'clawdstrike:ai-agent-minimal',
+    mode: 'deterministic',
+    logLevel: 'info',
+    guards: {
+        forbidden_path: true,
+        egress: true,
+        secret_leak: true,
+        patch_integrity: true,
+        mcp_tool: false,
+    },
+};
+/**
+ * Merge user config with defaults
+ */
+export function mergeConfig(userConfig = {}) {
+    return {
+        policy: userConfig.policy ?? DEFAULT_CONFIG.policy,
+        mode: userConfig.mode ?? DEFAULT_CONFIG.mode,
+        logLevel: userConfig.logLevel ?? DEFAULT_CONFIG.logLevel,
+        guards: mergeGuardToggles(userConfig.guards),
+    };
+}
+/**
+ * Merge guard toggles with defaults
+ */
+function mergeGuardToggles(userGuards = {}) {
+    const d = DEFAULT_CONFIG.guards;
+    const u = userGuards;
+    return {
+        forbidden_path: u.forbidden_path ?? d.forbidden_path ?? true,
+        egress: u.egress ?? d.egress ?? true,
+        secret_leak: u.secret_leak ?? d.secret_leak ?? true,
+        patch_integrity: u.patch_integrity ?? d.patch_integrity ?? true,
+        mcp_tool: u.mcp_tool ?? d.mcp_tool ?? false,
+    };
+}
+/**
+ * Validate configuration values
+ */
+export function validateConfig(config) {
+    const errors = [];
+    if (config.mode && !isValidMode(config.mode)) {
+        errors.push(`Invalid mode: ${config.mode}. Must be one of: deterministic, advisory, audit`);
+    }
+    if (config.logLevel && !isValidLogLevel(config.logLevel)) {
+        errors.push(`Invalid logLevel: ${config.logLevel}. Must be one of: debug, info, warn, error`);
+    }
+    return errors;
+}
+/**
+ * Type guard for EvaluationMode
+ */
+function isValidMode(mode) {
+    return ['deterministic', 'advisory', 'audit'].includes(mode);
+}
+/**
+ * Type guard for LogLevel
+ */
+function isValidLogLevel(level) {
+    return ['debug', 'info', 'warn', 'error'].includes(level);
+}
+/**
+ * Resolve built-in policy name to file path
+ */
+export function resolveBuiltinPolicy(name) {
+    const builtinPolicies = {
+        'clawdstrike:ai-agent-minimal': 'ai-agent-minimal.yaml',
+        'clawdstrike:ai-agent': 'ai-agent.yaml',
+        'clawdstrike:default': 'ai-agent.yaml',
+    };
+    return builtinPolicies[name] ?? null;
+}
+/**
+ * Check if a policy name is a built-in policy
+ */
+export function isBuiltinPolicy(name) {
+    return name.startsWith('clawdstrike:');
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AASH;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAgC;IACzD,MAAM,EAAE,8BAA8B;IACtC,IAAI,EAAE,eAAe;IACrB,QAAQ,EAAE,MAAM;IAChB,MAAM,EAAE;QACN,cAAc,EAAE,IAAI;QACpB,MAAM,EAAE,IAAI;QACZ,WAAW,EAAE,IAAI;QACjB,eAAe,EAAE,IAAI;QACrB,QAAQ,EAAE,KAAK;KAChB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,WAAW,CACzB,aAAgC,EAAE;IAElC,OAAO;QACL,MAAM,EAAE,UAAU,CAAC,MAAM,IAAI,cAAc,CAAC,MAAM;QAClD,IAAI,EAAE,UAAU,CAAC,IAAI,IAAI,cAAc,CAAC,IAAI;QAC5C,QAAQ,EAAE,UAAU,CAAC,QAAQ,IAAI,cAAc,CAAC,QAAQ;QACxD,MAAM,EAAE,iBAAiB,CAAC,UAAU,CAAC,MAAM,CAAC;KAC7C,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CACxB,aAA2B,EAAE;IAE7B,MAAM,CAAC,GAAG,cAAc,CAAC,MAAM,CAAC;IAChC,MAAM,CAAC,GAAG,UAAU,CAAC;IACrB,OAAO;QACL,cAAc,EAAE,CAAC,CAAC,cAAc,IAAI,CAAC,CAAC,cAAc,IAAI,IAAI;QAC5D,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,IAAI,IAAI;QACpC,WAAW,EAAE,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,WAAW,IAAI,IAAI;QACnD,eAAe,EAAE,CAAC,CAAC,eAAe,IAAI,CAAC,CAAC,eAAe,IAAI,IAAI;QAC/D,QAAQ,EAAE,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,QAAQ,IAAI,KAAK;KAC5C,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,MAAyB;IACtD,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,IAAI,MAAM,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7C,MAAM,CAAC,IAAI,CAAC,iBAAiB,MAAM,CAAC,IAAI,kDAAkD,CAAC,CAAC;IAC9F,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzD,MAAM,CAAC,IAAI,CAAC,qBAAqB,MAAM,CAAC,QAAQ,4CAA4C,CAAC,CAAC;IAChG,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,IAAY;IAC/B,OAAO,CAAC,eAAe,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AAC/D,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,KAAa;IACpC,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,IAAY;IAC/C,MAAM,eAAe,GAA2B;QAC9C,8BAA8B,EAAE,uBAAuB;QACvD,sBAAsB,EAAE,eAAe;QACvC,qBAAqB,EAAE,eAAe;KACvC,CAAC;IAEF,OAAO,eAAe,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,IAAY;IAC1C,OAAO,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;AACzC,CAAC"}

package/dist/e2e/openclaw-e2e.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=openclaw-e2e.d.ts.map

package/dist/e2e/openclaw-e2e.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"openclaw-e2e.d.ts","sourceRoot":"","sources":["../../src/e2e/openclaw-e2e.ts"],"names":[],"mappings":""}