@clawdstrike/openclaw 0.1.0 → 0.1.2
- package/README.md +4 -2
- package/clawdstrike-security.js +1 -0
- package/dist/audit/adapter-logger.d.ts +24 -0
- package/dist/audit/adapter-logger.d.ts.map +1 -0
- package/dist/audit/adapter-logger.js +42 -0
- package/dist/audit/adapter-logger.js.map +1 -0
- package/dist/classification.d.ts +41 -0
- package/dist/classification.d.ts.map +1 -0
- package/dist/classification.js +102 -0
- package/dist/classification.js.map +1 -0
- package/dist/cli/commands/policy.js +1 -1
- package/dist/cli/commands/policy.js.map +1 -1
- package/dist/e2e/openclaw-e2e.js +3 -3
- package/dist/e2e/openclaw-e2e.js.map +1 -1
- package/dist/engine-holder.d.ts +28 -0
- package/dist/engine-holder.d.ts.map +1 -0
- package/dist/engine-holder.js +38 -0
- package/dist/engine-holder.js.map +1 -0
- package/dist/guards/egress.d.ts.map +1 -1
- package/dist/guards/egress.js +20 -1
- package/dist/guards/egress.js.map +1 -1
- package/dist/guards/forbidden-path.d.ts.map +1 -1
- package/dist/guards/forbidden-path.js +6 -0
- package/dist/guards/forbidden-path.js.map +1 -1
- package/dist/guards/secret-leak.d.ts.map +1 -1
- package/dist/guards/secret-leak.js +21 -0
- package/dist/guards/secret-leak.js.map +1 -1
- package/dist/hooks/agent-bootstrap/handler.d.ts +4 -0
- package/dist/hooks/agent-bootstrap/handler.d.ts.map +1 -1
- package/dist/hooks/agent-bootstrap/handler.js +7 -7
- package/dist/hooks/agent-bootstrap/handler.js.map +1 -1
- package/dist/hooks/approval-state.d.ts +31 -0
- package/dist/hooks/approval-state.d.ts.map +1 -0
- package/dist/hooks/approval-state.js +189 -0
- package/dist/hooks/approval-state.js.map +1 -0
- package/dist/hooks/approval-utils.d.ts +5 -0
- package/dist/hooks/approval-utils.d.ts.map +1 -0
- package/dist/hooks/approval-utils.js +77 -0
- package/dist/hooks/approval-utils.js.map +1 -0
- package/dist/hooks/audit-logger/handler.d.ts +4 -0
- package/dist/hooks/audit-logger/handler.d.ts.map +1 -1
- package/dist/hooks/audit-logger/handler.js +4 -0
- package/dist/hooks/audit-logger/handler.js.map +1 -1
- package/dist/hooks/cua-bridge/handler.d.ts +57 -0
- package/dist/hooks/cua-bridge/handler.d.ts.map +1 -0
- package/dist/hooks/cua-bridge/handler.js +369 -0
- package/dist/hooks/cua-bridge/handler.js.map +1 -0
- package/dist/hooks/tool-guard/handler.d.ts +17 -2
- package/dist/hooks/tool-guard/handler.d.ts.map +1 -1
- package/dist/hooks/tool-guard/handler.js +200 -75
- package/dist/hooks/tool-guard/handler.js.map +1 -1
- package/dist/hooks/tool-preflight/handler.d.ts +34 -0
- package/dist/hooks/tool-preflight/handler.d.ts.map +1 -0
- package/dist/hooks/tool-preflight/handler.js +426 -0
- package/dist/hooks/tool-preflight/handler.js.map +1 -0
- package/dist/index.d.ts +8 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +9 -0
- package/dist/index.js.map +1 -1
- package/dist/openclaw-adapter.d.ts +48 -0
- package/dist/openclaw-adapter.d.ts.map +1 -0
- package/dist/openclaw-adapter.js +81 -0
- package/dist/openclaw-adapter.js.map +1 -0
- package/dist/plugin.d.ts +40 -1
- package/dist/plugin.d.ts.map +1 -1
- package/dist/plugin.js +125 -32
- package/dist/plugin.js.map +1 -1
- package/dist/policy/engine.d.ts +5 -0
- package/dist/policy/engine.d.ts.map +1 -1
- package/dist/policy/engine.js +580 -84
- package/dist/policy/engine.js.map +1 -1
- package/dist/policy/loader.js +57 -0
- package/dist/policy/loader.js.map +1 -1
- package/dist/policy/validator.d.ts.map +1 -1
- package/dist/policy/validator.js +97 -3
- package/dist/policy/validator.js.map +1 -1
- package/dist/receipt/signer.d.ts +42 -0
- package/dist/receipt/signer.d.ts.map +1 -0
- package/dist/receipt/signer.js +134 -0
- package/dist/receipt/signer.js.map +1 -0
- package/dist/receipt/types.d.ts +50 -0
- package/dist/receipt/types.d.ts.map +1 -0
- package/dist/receipt/types.js +9 -0
- package/dist/receipt/types.js.map +1 -0
- package/dist/security-prompt.js +1 -1
- package/dist/tools/policy-check.d.ts +2 -2
- package/dist/tools/policy-check.d.ts.map +1 -1
- package/dist/tools/policy-check.js +4 -7
- package/dist/tools/policy-check.js.map +1 -1
- package/dist/translator/openclaw-translator.d.ts +31 -0
- package/dist/translator/openclaw-translator.d.ts.map +1 -0
- package/dist/translator/openclaw-translator.js +314 -0
- package/dist/translator/openclaw-translator.js.map +1 -0
- package/dist/types.d.ts +86 -170
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js +4 -0
- package/dist/types.js.map +1 -1
- package/package.json +5 -3
- package/rulesets/ai-agent-minimal.yaml +25 -0
- package/rulesets/ai-agent.yaml +25 -0
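--- a/package/README.md
+++ b/package/README.md
@@ -1,7 +1,9 @@
-# @
+# @clawdstrike/openclaw
 
 Clawdstrike security plugin for OpenClaw.
 
+See [Enforcement Tiers & Integration Contract](https://github.com/backbay-labs/clawdstrike/blob/main/docs/src/concepts/enforcement-tiers.md) for what is enforceable at the tool boundary (and what requires a sandbox/broker).
+
 ## Getting started
 
-See
+See the [OpenClaw adapter getting-started guide](https://github.com/backbay-labs/clawdstrike/blob/main/packages/adapters/clawdstrike-openclaw/docs/getting-started.md).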
@@ -0,0 +1 @@
|
|
|
1
|
+
export { default } from './dist/plugin.js';
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
import type { AuditEvent, AuditLogger } from '@clawdstrike/adapter-core';
|
|
2
|
+
import type { AuditStore } from './store.js';
|
|
3
|
+
export interface OpenClawAuditLoggerOptions {
|
|
4
|
+
store?: AuditStore;
|
|
5
|
+
maxEvents?: number;
|
|
6
|
+
}
|
|
7
|
+
/**
|
|
8
|
+
* OpenClawAuditLogger bridges the adapter-core `AuditLogger` interface with
|
|
9
|
+
* openclaw's existing `AuditStore` JSONL persistence layer.
|
|
10
|
+
*
|
|
11
|
+
* It wraps an `InMemoryAuditLogger` for fast in-process queries and
|
|
12
|
+
* optionally forwards events to an `AuditStore` for durable persistence.
|
|
13
|
+
*/
|
|
14
|
+
export declare class OpenClawAuditLogger implements AuditLogger {
|
|
15
|
+
private readonly memory;
|
|
16
|
+
private readonly store;
|
|
17
|
+
constructor(options?: OpenClawAuditLoggerOptions);
|
|
18
|
+
log(event: AuditEvent): Promise<void>;
|
|
19
|
+
getSessionEvents(sessionId: string): Promise<AuditEvent[]>;
|
|
20
|
+
getContextEvents(contextId: string): Promise<AuditEvent[]>;
|
|
21
|
+
export(format: 'json' | 'csv' | 'jsonl'): Promise<string>;
|
|
22
|
+
prune(olderThan: Date): Promise<number>;
|
|
23
|
+
}
|
|
24
|
+
//# sourceMappingURL=adapter-logger.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"adapter-logger.d.ts","sourceRoot":"","sources":["../../src/audit/adapter-logger.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAEzE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,MAAM,WAAW,0BAA0B;IACzC,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;GAMG;AACH,qBAAa,mBAAoB,YAAW,WAAW;IACrD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAsB;IAC7C,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAyB;gBAEnC,OAAO,GAAE,0BAA+B;IAK9C,GAAG,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;IAerC,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAI1D,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAI1D,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,KAAK,GAAG,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;IAIzD,KAAK,CAAC,SAAS,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC;CAG9C"}
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
import { InMemoryAuditLogger } from '@clawdstrike/adapter-core';
|
|
2
|
+
/**
|
|
3
|
+
* OpenClawAuditLogger bridges the adapter-core `AuditLogger` interface with
|
|
4
|
+
* openclaw's existing `AuditStore` JSONL persistence layer.
|
|
5
|
+
*
|
|
6
|
+
* It wraps an `InMemoryAuditLogger` for fast in-process queries and
|
|
7
|
+
* optionally forwards events to an `AuditStore` for durable persistence.
|
|
8
|
+
*/
|
|
9
|
+
export class OpenClawAuditLogger {
|
|
10
|
+
memory;
|
|
11
|
+
store;
|
|
12
|
+
constructor(options = {}) {
|
|
13
|
+
this.memory = new InMemoryAuditLogger(options.maxEvents);
|
|
14
|
+
this.store = options.store;
|
|
15
|
+
}
|
|
16
|
+
async log(event) {
|
|
17
|
+
await this.memory.log(event);
|
|
18
|
+
if (this.store) {
|
|
19
|
+
this.store.append({
|
|
20
|
+
type: event.type,
|
|
21
|
+
resource: event.toolName ?? '',
|
|
22
|
+
decision: event.decision?.status === 'deny' ? 'denied' : 'allowed',
|
|
23
|
+
guard: event.decision?.guard,
|
|
24
|
+
reason: event.decision?.reason ?? event.decision?.message,
|
|
25
|
+
runId: event.sessionId,
|
|
26
|
+
});
|
|
27
|
+
}
|
|
28
|
+
}
|
|
29
|
+
async getSessionEvents(sessionId) {
|
|
30
|
+
return this.memory.getSessionEvents(sessionId);
|
|
31
|
+
}
|
|
32
|
+
async getContextEvents(contextId) {
|
|
33
|
+
return this.memory.getContextEvents(contextId);
|
|
34
|
+
}
|
|
35
|
+
async export(format) {
|
|
36
|
+
return this.memory.export(format);
|
|
37
|
+
}
|
|
38
|
+
async prune(olderThan) {
|
|
39
|
+
return this.memory.prune(olderThan);
|
|
40
|
+
}
|
|
41
|
+
}
|
|
42
|
+
//# sourceMappingURL=adapter-logger.js.map
|
|
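Review bot: In `log()`, the record handed to `this.store.append` sets `decision` to `'allowed'` for every event whose status is not exactly `'deny'`, and that includes events with no `decision` object at all, so the durable trail can show an allow the engine never issued. Keep the raw value next to the collapsed one, for example `status: event.decision?.status ?? 'none',` (assuming the `AuditStore` record accepts an extra field, which this diff does not show), or write `'allowed'` only for an explicit allow status. The same two-way collapse is in the `policy.js` hunk further down, at `console.log('Decision:', decision.status === 'deny' ? 'DENIED' : 'ALLOWED');`. Separately, the `append` call is neither awaited nor wrapped, so if it can fail the error either escapes after the in-memory log has already succeeded or is lost; a comment should state which is intended.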
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"adapter-logger.js","sourceRoot":"","sources":["../../src/audit/adapter-logger.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAUhE;;;;;;GAMG;AACH,MAAM,OAAO,mBAAmB;IACb,MAAM,CAAsB;IAC5B,KAAK,CAAyB;IAE/C,YAAY,UAAsC,EAAE;QAClD,IAAI,CAAC,MAAM,GAAG,IAAI,mBAAmB,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACzD,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,KAAiB;QACzB,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAE7B,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;gBAChB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,EAAE;gBAC9B,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;gBAClE,KAAK,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK;gBAC5B,MAAM,EAAE,KAAK,CAAC,QAAQ,EAAE,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,OAAO;gBACzD,KAAK,EAAE,KAAK,CAAC,SAAS;aACvB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,SAAiB;QACtC,OAAO,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,SAAiB;QACtC,OAAO,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,MAAgC;QAC3C,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,SAAe;QACzB,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACtC,CAAC;CACF"}
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @clawdstrike/openclaw - Shared Tool Classification
|
|
3
|
+
*
|
|
4
|
+
* Canonical token-based classification logic shared between the tool-preflight
|
|
5
|
+
* and tool-guard hooks. This module is self-contained — it only depends on
|
|
6
|
+
* the EventType type from the package's own types module.
|
|
7
|
+
*/
|
|
8
|
+
import type { EventType } from './types.js';
|
|
9
|
+
/** Read-only tokens: if ANY token matches and no destructive token is present, tool is read-only */
|
|
10
|
+
export declare const READ_ONLY_TOKENS: Set<string>;
|
|
11
|
+
/** Destructive tokens: if ANY token matches, tool is destructive */
|
|
12
|
+
export declare const DESTRUCTIVE_TOKENS: Set<string>;
|
|
13
|
+
/** Destructive token-to-event-type mapping for specific policy routing */
|
|
14
|
+
export declare const DESTRUCTIVE_EVENT_MAP: ReadonlyArray<{
|
|
15
|
+
tokens: Set<string>;
|
|
16
|
+
eventType: EventType;
|
|
17
|
+
}>;
|
|
18
|
+
/** Network tokens for egress classification */
|
|
19
|
+
export declare const NETWORK_TOKENS: Set<string>;
|
|
20
|
+
/**
|
|
21
|
+
* Tokenize a tool name by splitting on common delimiters and camel-case boundaries.
|
|
22
|
+
*/
|
|
23
|
+
export declare function tokenize(toolName: string): string[];
|
|
24
|
+
export type ToolClassification = 'read_only' | 'destructive' | 'unknown';
|
|
25
|
+
/**
|
|
26
|
+
* Classify a tool based on its name tokens.
|
|
27
|
+
* - If ANY token is destructive -> destructive
|
|
28
|
+
* - If ANY token is read-only and NO token is destructive -> read-only
|
|
29
|
+
* - Otherwise -> unknown (treated as potentially destructive)
|
|
30
|
+
*/
|
|
31
|
+
export declare function classifyTool(tokens: string[]): ToolClassification;
|
|
32
|
+
/**
|
|
33
|
+
* Infer the policy event type from a tool name using only token-based
|
|
34
|
+
* classification. Returns null when no confident classification can be
|
|
35
|
+
* made (callers may then fall back to parameter-based heuristics).
|
|
36
|
+
*
|
|
37
|
+
* This is the canonical, shared implementation used by both the
|
|
38
|
+
* tool-preflight and tool-guard hooks.
|
|
39
|
+
*/
|
|
40
|
+
export declare function inferEventTypeFromName(toolName: string): EventType | null;
|
|
41
|
+
//# sourceMappingURL=classification.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"classification.d.ts","sourceRoot":"","sources":["../src/classification.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAI5C,oGAAoG;AACpG,eAAO,MAAM,gBAAgB,aAK3B,CAAC;AAEH,oEAAoE;AACpE,eAAO,MAAM,kBAAkB,aAM7B,CAAC;AAEH,0EAA0E;AAC1E,eAAO,MAAM,qBAAqB,EAAE,aAAa,CAAC;IAAE,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAAC,SAAS,EAAE,SAAS,CAAA;CAAE,CAK9F,CAAC;AAEF,+CAA+C;AAC/C,eAAO,MAAM,cAAc,aAA+F,CAAC;AAI3H;;GAEG;AACH,wBAAgB,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CAQnD;AAID,MAAM,MAAM,kBAAkB,GAAG,WAAW,GAAG,aAAa,GAAG,SAAS,CAAC;AAEzE;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,kBAAkB,CAgBjE;AAID;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CA2BzE"}
|
|
@@ -0,0 +1,102 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @clawdstrike/openclaw - Shared Tool Classification
|
|
3
|
+
*
|
|
4
|
+
* Canonical token-based classification logic shared between the tool-preflight
|
|
5
|
+
* and tool-guard hooks. This module is self-contained — it only depends on
|
|
6
|
+
* the EventType type from the package's own types module.
|
|
7
|
+
*/
|
|
8
|
+
// ── Token Sets ───────────────────────────────────────────────────────
|
|
9
|
+
/** Read-only tokens: if ANY token matches and no destructive token is present, tool is read-only */
|
|
10
|
+
export const READ_ONLY_TOKENS = new Set([
|
|
11
|
+
'read', 'list', 'get', 'search', 'view', 'show', 'find', 'describe',
|
|
12
|
+
'info', 'status', 'check', 'ls', 'cat', 'head', 'tail',
|
|
13
|
+
'which', 'echo', 'pwd', 'env', 'whoami', 'hostname', 'uname', 'date',
|
|
14
|
+
'glob', 'grep',
|
|
15
|
+
]);
|
|
16
|
+
/** Destructive tokens: if ANY token matches, tool is destructive */
|
|
17
|
+
export const DESTRUCTIVE_TOKENS = new Set([
|
|
18
|
+
'write', 'delete', 'remove', 'rm', 'kill', 'exec', 'run', 'install',
|
|
19
|
+
'uninstall', 'create', 'update', 'modify', 'patch', 'put', 'post',
|
|
20
|
+
'move', 'mv', 'rename', 'chmod', 'chown', 'drop', 'truncate',
|
|
21
|
+
'edit', 'command', 'bash', 'save', 'overwrite', 'unlink', 'terminal',
|
|
22
|
+
'append', 'replace', 'deploy', 'push', 'send', 'publish', 'upload',
|
|
23
|
+
]);
|
|
24
|
+
/** Destructive token-to-event-type mapping for specific policy routing */
|
|
25
|
+
export const DESTRUCTIVE_EVENT_MAP = [
|
|
26
|
+
{ tokens: new Set(['write', 'edit', 'create', 'save', 'overwrite', 'append', 'replace']), eventType: 'file_write' },
|
|
27
|
+
{ tokens: new Set(['delete', 'remove', 'unlink', 'rm']), eventType: 'file_write' },
|
|
28
|
+
{ tokens: new Set(['shell', 'bash', 'exec', 'command', 'terminal', 'run']), eventType: 'command_exec' },
|
|
29
|
+
{ tokens: new Set(['patch', 'diff']), eventType: 'patch_apply' },
|
|
30
|
+
];
|
|
31
|
+
/** Network tokens for egress classification */
|
|
32
|
+
export const NETWORK_TOKENS = new Set(['fetch', 'http', 'web', 'curl', 'request', 'api', 'download', 'socket', 'connect']);
|
|
33
|
+
// ── Tokenizer ────────────────────────────────────────────────────────
|
|
34
|
+
/**
|
|
35
|
+
* Tokenize a tool name by splitting on common delimiters and camel-case boundaries.
|
|
36
|
+
*/
|
|
37
|
+
export function tokenize(toolName) {
|
|
38
|
+
return toolName
|
|
39
|
+
// Split `fooBar` -> `foo Bar`, `HTTPFetch` -> `HTTP Fetch`
|
|
40
|
+
.replace(/([a-z0-9])([A-Z])/g, '$1 $2')
|
|
41
|
+
.replace(/([A-Z])([A-Z][a-z])/g, '$1 $2')
|
|
42
|
+
.toLowerCase()
|
|
43
|
+
.split(/[_\-/\s.]+/)
|
|
44
|
+
.filter(Boolean);
|
|
45
|
+
}
|
|
46
|
+
/**
|
|
47
|
+
* Classify a tool based on its name tokens.
|
|
48
|
+
* - If ANY token is destructive -> destructive
|
|
49
|
+
* - If ANY token is read-only and NO token is destructive -> read-only
|
|
50
|
+
* - Otherwise -> unknown (treated as potentially destructive)
|
|
51
|
+
*/
|
|
52
|
+
export function classifyTool(tokens) {
|
|
53
|
+
let hasReadOnly = false;
|
|
54
|
+
let hasDestructive = false;
|
|
55
|
+
for (const token of tokens) {
|
|
56
|
+
if (DESTRUCTIVE_TOKENS.has(token)) {
|
|
57
|
+
hasDestructive = true;
|
|
58
|
+
}
|
|
59
|
+
if (READ_ONLY_TOKENS.has(token)) {
|
|
60
|
+
hasReadOnly = true;
|
|
61
|
+
}
|
|
62
|
+
}
|
|
63
|
+
if (hasDestructive)
|
|
64
|
+
return 'destructive';
|
|
65
|
+
if (hasReadOnly)
|
|
66
|
+
return 'read_only';
|
|
67
|
+
return 'unknown';
|
|
68
|
+
}
|
|
69
|
+
// ── Event Type Inference (name-only) ─────────────────────────────────
|
|
70
|
+
/**
|
|
71
|
+
* Infer the policy event type from a tool name using only token-based
|
|
72
|
+
* classification. Returns null when no confident classification can be
|
|
73
|
+
* made (callers may then fall back to parameter-based heuristics).
|
|
74
|
+
*
|
|
75
|
+
* This is the canonical, shared implementation used by both the
|
|
76
|
+
* tool-preflight and tool-guard hooks.
|
|
77
|
+
*/
|
|
78
|
+
export function inferEventTypeFromName(toolName) {
|
|
79
|
+
const tokens = tokenize(toolName);
|
|
80
|
+
const classification = classifyTool(tokens);
|
|
81
|
+
if (classification === 'read_only') {
|
|
82
|
+
// Read-only tools may still perform network egress (e.g. web_search, http_get).
|
|
83
|
+
if (tokens.some(t => NETWORK_TOKENS.has(t))) {
|
|
84
|
+
return 'network_egress';
|
|
85
|
+
}
|
|
86
|
+
return 'file_read';
|
|
87
|
+
}
|
|
88
|
+
// Check specific destructive event types via DESTRUCTIVE_EVENT_MAP.
|
|
89
|
+
for (const { tokens: matchTokens, eventType } of DESTRUCTIVE_EVENT_MAP) {
|
|
90
|
+
if (tokens.some(t => matchTokens.has(t))) {
|
|
91
|
+
return eventType;
|
|
92
|
+
}
|
|
93
|
+
}
|
|
94
|
+
// Check network tokens.
|
|
95
|
+
if (tokens.some(t => NETWORK_TOKENS.has(t))) {
|
|
96
|
+
return 'network_egress';
|
|
97
|
+
}
|
|
98
|
+
// No confident classification — return null so callers can apply their
|
|
99
|
+
// own fallback logic (e.g. parameter inspection).
|
|
100
|
+
return null;
|
|
101
|
+
}
|
|
102
|
+
//# sourceMappingURL=classification.js.map
|
|
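Review bot: `DESTRUCTIVE_EVENT_MAP` carries `'shell'` and `'diff'`, but neither token is in `DESTRUCTIVE_TOKENS`, so `classifyTool` cannot return `'destructive'` for them, and a name that pairs one with a read-only token (a constructed example: `shell_status`) is classified `read_only` and comes back from `inferEventTypeFromName` as `'file_read'` before the map is consulted. The module header says both the tool-preflight and tool-guard hooks share this logic, so the gap would apply to both. Add at least `'shell'` to the set, e.g. `'edit', 'command', 'bash', 'shell', 'save', 'overwrite', 'unlink', 'terminal',`, decide deliberately whether `'diff'` belongs there, or derive `DESTRUCTIVE_TOKENS` from the map's token sets so the two lists cannot drift apart. It would also help to document on `tokenize` that a name with no delimiter or case boundary stays a single token and therefore classifies as `'unknown'`.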
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"classification.js","sourceRoot":"","sources":["../src/classification.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,wEAAwE;AAExE,oGAAoG;AACpG,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IACtC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU;IACnE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM;IACtD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM;IACpE,MAAM,EAAE,MAAM;CACf,CAAC,CAAC;AAEH,oEAAoE;AACpE,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACxC,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS;IACnE,WAAW,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM;IACjE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU;IAC5D,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU;IACpE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ;CACnE,CAAC,CAAC;AAEH,0EAA0E;AAC1E,MAAM,CAAC,MAAM,qBAAqB,GAAiE;IACjG,EAAE,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE;IACnH,EAAE,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE;IAClF,EAAE,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC,EAAE,SAAS,EAAE,cAAc,EAAE;IACvG,EAAE,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,EAAE,SAAS,EAAE,aAAa,EAAE;CACjE,CAAC;AAEF,+CAA+C;AAC/C,MAAM,CAAC,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC;AAE3H,wEAAwE;AAExE;;GAEG;AACH,MAAM,UAAU,QAAQ,CAAC,QAAgB;IACvC,OAAO,QAAQ;QACb,2DAA2D;SAC1D,OAAO,CAAC,oBAAoB,EAAE,OAAO,CAAC;SACtC,OAAO,CAAC,sBAAsB,EAAE,OAAO,CAAC;SACxC,WAAW,EAAE;SACb,KAAK,CAAC,YAAY,CAAC;SACnB,MAAM,CAAC,OAAO,CAAC,CAAC;AACrB,CAAC;AAMD;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,MAAgB;IAC3C,IAAI,WAAW,GAAG,KAAK,CAAC;IACxB,IAAI,cAAc,GAAG,KAAK,CAAC;IAE3B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC
;QAC3B,IAAI,kBAAkB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAClC,cAAc,GAAG,IAAI,CAAC;QACxB,CAAC;QACD,IAAI,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,WAAW,GAAG,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;IAED,IAAI,cAAc;QAAE,OAAO,aAAa,CAAC;IACzC,IAAI,WAAW;QAAE,OAAO,WAAW,CAAC;IACpC,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,wEAAwE;AAExE;;;;;;;GAOG;AACH,MAAM,UAAU,sBAAsB,CAAC,QAAgB;IACrD,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAClC,MAAM,cAAc,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IAE5C,IAAI,cAAc,KAAK,WAAW,EAAE,CAAC;QACnC,gFAAgF;QAChF,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5C,OAAO,gBAAgB,CAAC;QAC1B,CAAC;QACD,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,oEAAoE;IACpE,KAAK,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,qBAAqB,EAAE,CAAC;QACvE,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACzC,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED,wBAAwB;IACxB,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5C,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IAED,uEAAuE;IACvE,kDAAkD;IAClD,OAAO,IAAI,CAAC;AACd,CAAC"}
|
|
@@ -49,7 +49,7 @@ export const policyCommands = {
|
|
|
49
49
|
const event = JSON.parse(readFileSync(eventFile, 'utf-8'));
|
|
50
50
|
const engine = new PolicyEngine({ policy: policyPath });
|
|
51
51
|
const decision = await engine.evaluate(event);
|
|
52
|
-
console.log('Decision:', decision.
|
|
52
|
+
console.log('Decision:', decision.status === 'deny' ? 'DENIED' : 'ALLOWED');
|
|
53
53
|
if (decision.reason)
|
|
54
54
|
console.log('Reason:', decision.reason);
|
|
55
55
|
if (decision.guard)
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../src/cli/commands/policy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAC1E,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAGtD,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,KAAK,CAAC,IAAI,CAAC,IAAY;QACrB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC5C,MAAM,MAAM,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;YAC7C,MAAM,MAAM,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;YAEtC,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;gBAC/B,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,OAAO,IAAI,aAAa,EAAE,CAAC,CAAC;gBAC9D,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,EAAE,cAAc,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;gBACpG,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM,EAAE,CAAC,CAAC;gBAEzD,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC/B,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;oBAC3B,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;gBACzC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,GAAG,EAAE,CAAC,CAAC,CAAC;gBACzD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,GAAG,CAAC,+BAA+B,OAAO,EAAE,CAAC,CAAC;YACtD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,UAA+B,EAAE;QAC1C,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,IAAI,mBAAmB,CAAC;YACzD,MAAM,MAAM,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;YAC/B,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAA
C,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,GAAG,CAAC,0BAA0B,OAAO,EAAE,CAAC,CAAC;YACjD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,SAAiB,EAAE,UAA+B,EAAE;QAC7D,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,IAAI,mBAAmB,CAAC;YACzD,MAAM,KAAK,GAAgB,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;YAExE,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;YACxD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAE9C,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,
|
|
1
|
+
{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../src/cli/commands/policy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAC1E,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAGtD,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,KAAK,CAAC,IAAI,CAAC,IAAY;QACrB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC5C,MAAM,MAAM,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;YAC7C,MAAM,MAAM,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;YAEtC,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;gBAC/B,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,OAAO,IAAI,aAAa,EAAE,CAAC,CAAC;gBAC9D,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,EAAE,cAAc,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;gBACpG,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM,EAAE,CAAC,CAAC;gBAEzD,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC/B,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;oBAC3B,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;gBACzC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,GAAG,EAAE,CAAC,CAAC,CAAC;gBACzD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,GAAG,CAAC,+BAA+B,OAAO,EAAE,CAAC,CAAC;YACtD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,UAA+B,EAAE;QAC1C,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,IAAI,mBAAmB,CAAC;YACzD,MAAM,MAAM,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;YAC/B,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAA
C,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,GAAG,CAAC,0BAA0B,OAAO,EAAE,CAAC,CAAC;YACjD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,SAAiB,EAAE,UAA+B,EAAE;QAC7D,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,IAAI,mBAAmB,CAAC;YACzD,MAAM,KAAK,GAAgB,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;YAExE,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;YACxD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAE9C,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;YAC5E,IAAI,QAAQ,CAAC,MAAM;gBAAE,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC7D,IAAI,QAAQ,CAAC,KAAK;gBAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC1D,IAAI,QAAQ,CAAC,QAAQ;gBAAE,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACrE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,GAAG,CAAC,yBAAyB,OAAO,EAAE,CAAC,CAAC;YAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAa,EAAE,KAAa;QACrC,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;YAC7B,MAAM,EAAE,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;YAE7B,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAC5B,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAE5B,iBAAiB;YACjB,IAAI,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC5D,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBACzB,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC;gBAC1D,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC;YAC5D,CAAC;YAED,qBAAqB;YACrB,IAAI,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC;gBACpE,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;gBAC7B,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,CAAC;gBAC9D,OAAO,CAAC,GAAG,CAAC,WA
AW,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,CAAC;YAChE,CAAC;YAED,uBAAuB;YACvB,IAAI,EAAE,CAAC,YAAY,KAAK,EAAE,CAAC,YAAY,EAAE,CAAC;gBACxC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;gBAC/B,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC,YAAY,IAAI,SAAS,CAAC,CAAC;gBACvD,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC,YAAY,IAAI,SAAS,CAAC,CAAC;YACzD,CAAC;YAED,IAAI,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,EAAE,CAAC;gBAC9C,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,GAAG,CAAC,4BAA4B,OAAO,EAAE,CAAC,CAAC;YACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;CACF,CAAC"}
|
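--- a/package/dist/e2e/openclaw-e2e.js
+++ b/package/dist/e2e/openclaw-e2e.js
@@ -33,11 +33,11 @@ async function main() {
 const engine = new PolicyEngine(cfg);
 const tool = policyCheckTool(engine);
 const denySsh = (await tool.execute({ action: 'file_read', resource: `${homedir()}/.ssh/id_rsa` }));
-assert.equal(denySsh.
+assert.equal(denySsh.status, 'deny');
 const denyLocalhost = (await tool.execute({ action: 'network', resource: 'http://localhost:8080' }));
-assert.equal(denyLocalhost.
+assert.equal(denyLocalhost.status, 'deny');
 const denyRm = (await tool.execute({ action: 'command', resource: 'rm -rf /' }));
-assert.equal(denyRm.
+assert.equal(denyRm.status, 'deny');
 // 3) Post-action hook enforcement: tool_result_persist must block exfil paths and secrets.
 const ev1 = {
 type: 'tool_result_persist',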
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"openclaw-e2e.js","sourceRoot":"","sources":["../../src/e2e/openclaw-e2e.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAElC,OAAO,qBAAqB,EAAE,EAAE,UAAU,IAAI,aAAa,EAAE,MAAM,qCAAqC,CAAC;AACzG,OAAO,gBAAgB,EAAE,EAAE,UAAU,IAAI,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAC/F,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAI3D,KAAK,UAAU,IAAI;IACjB,MAAM,GAAG,GAAsB;QAC7B,MAAM,EAAE,8BAA8B;QACtC,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,OAAO;KAClB,CAAC;IAEF,aAAa,CAAC,GAAG,CAAC,CAAC;IACnB,aAAa,CAAC,GAAG,CAAC,CAAC;IAEnB,qEAAqE;IACrE,MAAM,SAAS,GAAwB;QACrC,IAAI,EAAE,iBAAiB;QACvB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,OAAO,EAAE;YACP,SAAS,EAAE,aAAa;YACxB,OAAO,EAAE,WAAW;YACpB,cAAc,EAAE,EAAE;YAClB,GAAG;SACJ;KACF,CAAC;IAEF,MAAM,qBAAqB,CAAC,SAAS,CAAC,CAAC;IACvC,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACzD,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;IACtE,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;IAC7E,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;IAC7E,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;IAE1E,6EAA6E;IAC7E,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,GAAG,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IAErC,MAAM,OAAO,GAAG,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,GAAG,OAAO,EAAE,cAAc,EAAS,CAAC,CAAsB,CAAC;IAChI,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,
|
|
1
|
+
{"version":3,"file":"openclaw-e2e.js","sourceRoot":"","sources":["../../src/e2e/openclaw-e2e.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAElC,OAAO,qBAAqB,EAAE,EAAE,UAAU,IAAI,aAAa,EAAE,MAAM,qCAAqC,CAAC;AACzG,OAAO,gBAAgB,EAAE,EAAE,UAAU,IAAI,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAC/F,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAI3D,KAAK,UAAU,IAAI;IACjB,MAAM,GAAG,GAAsB;QAC7B,MAAM,EAAE,8BAA8B;QACtC,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,OAAO;KAClB,CAAC;IAEF,aAAa,CAAC,GAAG,CAAC,CAAC;IACnB,aAAa,CAAC,GAAG,CAAC,CAAC;IAEnB,qEAAqE;IACrE,MAAM,SAAS,GAAwB;QACrC,IAAI,EAAE,iBAAiB;QACvB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,OAAO,EAAE;YACP,SAAS,EAAE,aAAa;YACxB,OAAO,EAAE,WAAW;YACpB,cAAc,EAAE,EAAE;YAClB,GAAG;SACJ;KACF,CAAC;IAEF,MAAM,qBAAqB,CAAC,SAAS,CAAC,CAAC;IACvC,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACzD,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;IACtE,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;IAC7E,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;IAC7E,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;IAE1E,6EAA6E;IAC7E,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,GAAG,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IAErC,MAAM,OAAO,GAAG,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,GAAG,OAAO,EAAE,cAAc,EAAS,CAAC,CAAsB,CAAC;IAChI,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAErC,MAAM,aAAa,GAAG,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,uBAAuB,EAAS,CAAC,CAAsB,CAAC;IACjI,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAE3C,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAS,CAAC,CAAsB,CAAC;IAC7G,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEpC,2FAA2F;IAC3F,MAAM,GAAG,GAA2B;QAClC,IAAI,EAAE
,qBAAqB;QAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,OAAO,EAAE;YACP,SAAS,EAAE,aAAa;YACxB,UAAU,EAAE;gBACV,QAAQ,EAAE,WAAW;gBACrB,MAAM,EAAE,EAAE,IAAI,EAAE,GAAG,OAAO,EAAE,cAAc,EAAE;gBAC5C,MAAM,EAAE,gBAAgB;aACzB;SACF;QACD,QAAQ,EAAE,EAAE;KACb,CAAC;IAEF,MAAM,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IACxC,MAAM,CAAC,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAE3D,MAAM,GAAG,GAA2B;QAClC,IAAI,EAAE,qBAAqB;QAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,OAAO,EAAE;YACP,SAAS,EAAE,aAAa;YACxB,UAAU,EAAE;gBACV,QAAQ,EAAE,UAAU;gBACpB,MAAM,EAAE,EAAE;gBACV,MAAM,EAAE,0CAA0C;aACnD;SACF;QACD,QAAQ,EAAE,EAAE;KACb,CAAC;IAEF,MAAM,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IACxC,MAAM,CAAC,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAE3D,MAAM,GAAG,GAA2B;QAClC,IAAI,EAAE,qBAAqB;QAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,OAAO,EAAE;YACP,SAAS,EAAE,aAAa;YACxB,UAAU,EAAE;gBACV,QAAQ,EAAE,cAAc;gBACxB,MAAM,EAAE,EAAE,GAAG,EAAE,uBAAuB,EAAE;gBACxC,MAAM,EAAE,IAAI;aACb;SACF;QACD,QAAQ,EAAE,EAAE;KACb,CAAC;IAEF,MAAM,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IACxC,MAAM,CAAC,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAE3D,MAAM,GAAG,GAA2B;QAClC,IAAI,EAAE,qBAAqB;QAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,OAAO,EAAE;YACP,SAAS,EAAE,aAAa;YACxB,UAAU,EAAE;gBACV,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,EAAE,OAAO,EAAE,iCAAiC,EAAE;gBACtD,MAAM,EAAE,IAAI;aACb;SACF;QACD,QAAQ,EAAE,EAAE;KACb,CAAC;IAEF,MAAM,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IACxC,MAAM,CAAC,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAE3D,MAAM,GAAG,GAA2B;QAC
lC,IAAI,EAAE,qBAAqB;QAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,OAAO,EAAE;YACP,SAAS,EAAE,aAAa;YACxB,UAAU,EAAE;gBACV,QAAQ,EAAE,aAAa;gBACvB,MAAM,EAAE,EAAE,QAAQ,EAAE,YAAY,EAAE,KAAK,EAAE,2CAA2C,EAAE;gBACtF,MAAM,EAAE,SAAS;aAClB;SACF;QACD,QAAQ,EAAE,EAAE;KACb,CAAC;IAEF,MAAM,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IACxC,MAAM,CAAC,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAE3D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;AACnC,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;IACvC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Shared PolicyEngine singleton holder.
|
|
3
|
+
*
|
|
4
|
+
* All hook handlers and the plugin entry point delegate to this module
|
|
5
|
+
* so that a single PolicyEngine instance is created and reused across
|
|
6
|
+
* the entire plugin lifecycle.
|
|
7
|
+
*/
|
|
8
|
+
import { PolicyEngine } from './policy/engine.js';
|
|
9
|
+
import type { ClawdstrikeConfig } from './types.js';
|
|
10
|
+
/**
|
|
11
|
+
* Create (or replace) the shared PolicyEngine with the given config.
|
|
12
|
+
* Called once during plugin initialization.
|
|
13
|
+
*/
|
|
14
|
+
export declare function initializeEngine(config: ClawdstrikeConfig): PolicyEngine;
|
|
15
|
+
/**
|
|
16
|
+
* Return the shared PolicyEngine, creating one lazily if needed.
|
|
17
|
+
*
|
|
18
|
+
* Callers that run after `initializeEngine` (the normal case) will
|
|
19
|
+
* always get the pre-configured instance. The fallback
|
|
20
|
+
* `new PolicyEngine(config ?? {})` exists only as a safety net for
|
|
21
|
+
* edge cases where a handler is invoked before the plugin boots.
|
|
22
|
+
*/
|
|
23
|
+
export declare function getSharedEngine(config?: ClawdstrikeConfig): PolicyEngine;
|
|
24
|
+
/**
|
|
25
|
+
* Reset the shared engine to null (useful for tests).
|
|
26
|
+
*/
|
|
27
|
+
export declare function resetSharedEngine(): void;
|
|
28
|
+
//# sourceMappingURL=engine-holder.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"engine-holder.d.ts","sourceRoot":"","sources":["../src/engine-holder.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAIpD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,iBAAiB,GAAG,YAAY,CAGxE;AAED;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,MAAM,CAAC,EAAE,iBAAiB,GAAG,YAAY,CAKxE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,IAAI,CAExC"}
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Shared PolicyEngine singleton holder.
|
|
3
|
+
*
|
|
4
|
+
* All hook handlers and the plugin entry point delegate to this module
|
|
5
|
+
* so that a single PolicyEngine instance is created and reused across
|
|
6
|
+
* the entire plugin lifecycle.
|
|
7
|
+
*/
|
|
8
|
+
import { PolicyEngine } from './policy/engine.js';
|
|
9
|
+
let sharedEngine = null;
|
|
10
|
+
/**
|
|
11
|
+
* Create (or replace) the shared PolicyEngine with the given config.
|
|
12
|
+
* Called once during plugin initialization.
|
|
13
|
+
*/
|
|
14
|
+
export function initializeEngine(config) {
|
|
15
|
+
sharedEngine = new PolicyEngine(config);
|
|
16
|
+
return sharedEngine;
|
|
17
|
+
}
|
|
18
|
+
/**
|
|
19
|
+
* Return the shared PolicyEngine, creating one lazily if needed.
|
|
20
|
+
*
|
|
21
|
+
* Callers that run after `initializeEngine` (the normal case) will
|
|
22
|
+
* always get the pre-configured instance. The fallback
|
|
23
|
+
* `new PolicyEngine(config ?? {})` exists only as a safety net for
|
|
24
|
+
* edge cases where a handler is invoked before the plugin boots.
|
|
25
|
+
*/
|
|
26
|
+
export function getSharedEngine(config) {
|
|
27
|
+
if (!sharedEngine) {
|
|
28
|
+
sharedEngine = new PolicyEngine(config ?? {});
|
|
29
|
+
}
|
|
30
|
+
return sharedEngine;
|
|
31
|
+
}
|
|
32
|
+
/**
|
|
33
|
+
* Reset the shared engine to null (useful for tests).
|
|
34
|
+
*/
|
|
35
|
+
export function resetSharedEngine() {
|
|
36
|
+
sharedEngine = null;
|
|
37
|
+
}
|
|
38
|
+
//# sourceMappingURL=engine-holder.js.map
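Review bot: In `getSharedEngine`, the fallback `new PolicyEngine(config ?? {})` silently builds the enforcement engine from an empty config whenever a handler runs before `initializeEngine`, and the instance is then cached, so later calls that do pass a `config` are ignored until `initializeEngine` replaces it. Whether `PolicyEngine({})` resolves to a restrictive default policy is not visible here; if it does not, an early hook invocation is evaluated under a weaker policy than the operator configured, with no trace. At minimum the fallback should be observable, e.g. `console.warn('[clawdstrike] PolicyEngine created before initializeEngine(); using default config');` inside the `if (!sharedEngine)` branch, and the doc comment should state which policy the fallback enforces. `resetSharedEngine` is exported alongside the production API although its comment says it is for tests; a line in that comment saying it must not be called at runtime would help.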
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"engine-holder.js","sourceRoot":"","sources":["../src/engine-holder.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAGlD,IAAI,YAAY,GAAwB,IAAI,CAAC;AAE7C;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAyB;IACxD,YAAY,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;IACxC,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAAC,MAA0B;IACxD,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,YAAY,GAAG,IAAI,YAAY,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB;IAC/B,YAAY,GAAG,IAAI,CAAC;AACtB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"egress.d.ts","sourceRoot":"","sources":["../../src/guards/egress.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAC/E,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;
|
|
1
|
+
{"version":3,"file":"egress.d.ts","sourceRoot":"","sources":["../../src/guards/egress.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAC/E,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAoDvC;;GAEG;AACH,qBAAa,WAAY,SAAQ,SAAS;IACxC,IAAI,IAAI,MAAM;IAId,OAAO,IAAI,SAAS,EAAE;IAIhB,KAAK,CAAC,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAIrE,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,GAAG,WAAW;IAiD1D;;OAEG;IACH,OAAO,CAAC,aAAa;IAqCrB;;OAEG;IACH,OAAO,CAAC,WAAW;CA4BpB"}
|
package/dist/guards/egress.js
CHANGED
|
@@ -30,6 +30,16 @@ const DEFAULT_DENIED_DOMAINS = [
|
|
|
30
30
|
'172.29.*',
|
|
31
31
|
'172.30.*',
|
|
32
32
|
'172.31.*',
|
|
33
|
+
'0.0.0.0',
|
|
34
|
+
'[::1]',
|
|
35
|
+
'[::0]',
|
|
36
|
+
'::1',
|
|
37
|
+
'::0',
|
|
38
|
+
'169.254.*',
|
|
39
|
+
'fe80:*',
|
|
40
|
+
'fc00:*',
|
|
41
|
+
'fd00:*',
|
|
42
|
+
'fd[0-9a-f][0-9a-f]:*',
|
|
33
43
|
];
|
|
34
44
|
/**
|
|
35
45
|
* Default allowed domains for AI agent operations
|
|
@@ -134,10 +144,19 @@ export class EgressGuard extends BaseGuard {
|
|
|
134
144
|
}
|
|
135
145
|
// Localhost/private IPs are high
|
|
136
146
|
if (host === 'localhost' ||
|
|
147
|
+
host === '0.0.0.0' ||
|
|
148
|
+
host === '[::1]' ||
|
|
149
|
+
host === '::1' ||
|
|
150
|
+
host === '[::0]' ||
|
|
151
|
+
host === '::0' ||
|
|
137
152
|
host.startsWith('127.') ||
|
|
138
153
|
host.startsWith('10.') ||
|
|
139
154
|
host.startsWith('192.168.') ||
|
|
140
|
-
host.startsWith('172.')
|
|
155
|
+
host.startsWith('172.') ||
|
|
156
|
+
host.startsWith('169.254.') ||
|
|
157
|
+
host.startsWith('fe80:') ||
|
|
158
|
+
host.startsWith('fc00:') ||
|
|
159
|
+
/^fd[0-9a-f]{2}:/.test(host)) {
|
|
141
160
|
return 'high';
|
|
142
161
|
}
|
|
143
162
|
return 'medium';
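Review bot: The new IPv6 entries in `DEFAULT_DENIED_DOMAINS` are string prefixes, which leaves gaps relative to the ranges they stand for: unique-local is fc00::/7, but only `fc00:*` is listed for the `fc` half (the `fd` half gets `fd[0-9a-f][0-9a-f]:*`), and link-local is fe80::/10 while only `fe80:*` is listed. Loopback is listed both bracketed and bare (`[::1]`, `::1`), but the prefix entries are bare only, so a host that reaches the guard in bracketed form, as URL parsers return it, would not match `fe80:*` or `fc00:*`; the same applies to the `startsWith` checks in the second hunk. The entries `fd[0-9a-f][0-9a-f]:*` and `[::1]` also depend on how the matcher (outside these hunks) treats square brackets, so confirm that the first is read as a character class and the second as a literal. IPv4-mapped forms such as `::ffff:127.0.0.1` are not covered by either hunk. Normalising the host once (strip brackets, lower-case) and testing parsed addresses against CIDR ranges would close these gaps more reliably than extending the string list.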
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"egress.js","sourceRoot":"","sources":["../../src/guards/egress.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC;;GAEG;AACH,MAAM,sBAAsB,GAAG;IAC7B,SAAS;IACT,WAAW;IACX,OAAO;IACP,MAAM;IACN,WAAW;IACX,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;
|
|
1
|
+
{"version":3,"file":"egress.js","sourceRoot":"","sources":["../../src/guards/egress.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC;;GAEG;AACH,MAAM,sBAAsB,GAAG;IAC7B,SAAS;IACT,WAAW;IACX,OAAO;IACP,MAAM;IACN,WAAW;IACX,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,SAAS;IACT,OAAO;IACP,OAAO;IACP,KAAK;IACL,KAAK;IACL,WAAW;IACX,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,sBAAsB;CACvB,CAAC;AAEF;;GAEG;AACH,MAAM,uBAAuB,GAAG;IAC9B,mBAAmB;IACnB,gBAAgB;IAChB,UAAU;IACV,oBAAoB;IACpB,WAAW;IACX,cAAc;IACd,yBAAyB;CAC1B,CAAC;AAEF;;GAEG;AACH,MAAM,OAAO,WAAY,SAAQ,SAAS;IACxC,IAAI;QACF,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,OAAO;QACL,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,KAAkB,EAAE,MAAc;QAC5C,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACvC,CAAC;IAED,SAAS,CAAC,KAAkB,EAAE,MAAc;QAC1C,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;QAExB,6BAA6B;QAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;QACtB,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC;QAEnC,mCAAmC;QACnC,MAAM,aAAa,GAAG,YAAY,EAAE,cAAc,IAAI,sBAAsB,CAAC;QAC7E,MAAM,cAAc,GAAG,YAAY,EAAE,eAAe,IAAI,uBAAuB,CAAC;QAChF,MAAM,IAAI,GAAG,YAAY,EAAE,IAAI,IAAI,WAAW,CAAC;QAE/C,uDAAuD;QACvD,IAAI,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,aAAa,CAAC,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,IAAI,CACd,4BAA4B,IAAI,EAAE,EAClC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CACvB,CAAC;QACJ,CAAC;QAED,yBAAyB;QACzB,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,UAAU;gBACb,OAAO,IAAI,CAAC,IAAI,CAAC,kCAAkC,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;YAErE,KAAK,MAAM;gBACT,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;YAEtB,KAAK,UAAU;gBACb,wDAAwD;gBACxD,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;YAEtB,KAAK,WAAW,CAAC;YACjB;gBACE,0DAA0D;gBAC1D,IAAI,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,cAAc,CAAC,EAAE,CAAC;oBAC7C,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;gBACtB,CAAC;gBACD,OAAO,IAAI,CAAC,IAAI,CACd,qCAAqC,IAAI,EAAE,EAC3C
,QAAQ,CACT,CAAC;QACN,CAAC;IACH,CAAC;IAED;;OAEG;IACK,aAAa,CAAC,IAAY,EAAE,QAAkB;QACpD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,iBAAiB,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;YAEhD,cAAc;YACd,IAAI,IAAI,KAAK,iBAAiB,EAAE,CAAC;gBAC/B,OAAO,IAAI,CAAC;YACd,CAAC;YAED,2CAA2C;YAC3C,IAAI,iBAAiB,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvC,MAAM,UAAU,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBAC9C,IAAI,IAAI,KAAK,UAAU,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,GAAG,UAAU,CAAC,EAAE,CAAC;oBAC3D,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;YAED,mCAAmC;YACnC,IAAI,iBAAiB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACpC,MAAM,YAAY,GAAG,iBAAiB;qBACnC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC;qBACrB,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;gBACxB,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,IAAI,YAAY,GAAG,CAAC,CAAC;gBAC9C,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACrB,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;YAED,qCAAqC;YACrC,IAAI,SAAS,CAAC,IAAI,EAAE,iBAAiB,CAAC,EAAE,CAAC;gBACvC,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,IAAY;QAC9B,iCAAiC;QACjC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5B,OAAO,UAAU,CAAC;QACpB,CAAC;QAED,iCAAiC;QACjC,IACE,IAAI,KAAK,WAAW;YACpB,IAAI,KAAK,SAAS;YAClB,IAAI,KAAK,OAAO;YAChB,IAAI,KAAK,KAAK;YACd,IAAI,KAAK,OAAO;YAChB,IAAI,KAAK,KAAK;YACd,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;YACvB,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;YACtB,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;YAC3B,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;YACvB,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;YAC3B,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;YACxB,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;YACxB,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAC5B,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"forbidden-path.d.ts","sourceRoot":"","sources":["../../src/guards/forbidden-path.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAC/E,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AA4BvC;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,IAAI,IAAI,MAAM;IAId,OAAO,IAAI,SAAS,EAAE;IAIhB,KAAK,CAAC,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAIrE,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,GAAG,WAAW;
|
|
1
|
+
{"version":3,"file":"forbidden-path.d.ts","sourceRoot":"","sources":["../../src/guards/forbidden-path.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAC/E,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AA4BvC;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,IAAI,IAAI,MAAM;IAId,OAAO,IAAI,SAAS,EAAE;IAIhB,KAAK,CAAC,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAIrE,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,GAAG,WAAW;IAiC1D;;;OAGG;IACH,OAAO,CAAC,gBAAgB;CAuDzB"}
|
|
@@ -52,6 +52,10 @@ export class ForbiddenPathGuard extends BaseGuard {
|
|
|
52
52
|
return this.allow();
|
|
53
53
|
}
|
|
54
54
|
const path = data.path;
|
|
55
|
+
// Reject paths containing null bytes (path injection attack)
|
|
56
|
+
if (path.includes('\0')) {
|
|
57
|
+
return this.deny('Path contains null byte: null_byte_injection', 'critical');
|
|
58
|
+
}
|
|
55
59
|
const forbiddenPaths = policy.filesystem?.forbidden_paths ?? DEFAULT_FORBIDDEN_PATHS;
|
|
56
60
|
// Check against forbidden paths
|
|
57
61
|
const normalizedPath = normalizePath(path);
|
|
@@ -118,6 +122,8 @@ export class ForbiddenPathGuard extends BaseGuard {
|
|
|
118
122
|
* Normalize a path, expanding ~ and resolving to absolute
|
|
119
123
|
*/
|
|
120
124
|
function normalizePath(path) {
|
|
125
|
+
// Strip null bytes to prevent path injection
|
|
126
|
+
path = path.replace(/\0/g, '');
|
|
121
127
|
// Expand ~
|
|
122
128
|
if (path.startsWith('~')) {
|
|
123
129
|
path = path.replace(/^~/, homedir());
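Review bot: The two hunks treat a null byte in opposite ways: the guard in the first hunk denies the path, while `normalizePath` in the second silently removes the byte and carries on. For the guarded call the strip is unreachable, and for any other caller of `normalizePath` (none visible here) it means the path that is checked differs from the string the tool will actually use, which is the mismatch a path guard should avoid. Rejecting in both places keeps the behaviour consistent, e.g. `if (path.includes('\0')) throw new Error('path contains null byte');` in `normalizePath`, provided its callers handle the throw. The new check also calls `path.includes` without confirming that `data.path` is a string; a `typeof path !== 'string'` guard before it would keep a malformed event from throwing or being matched as an array. Both function bodies extend beyond the hunks.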
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"forbidden-path.js","sourceRoot":"","sources":["../../src/guards/forbidden-path.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAE1C,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC;;GAEG;AACH,MAAM,uBAAuB,GAAG;IAC9B,QAAQ;IACR,UAAU;IACV,QAAQ;IACR,UAAU;IACV,UAAU;IACV,YAAY;IACZ,kBAAkB;IAClB,oBAAoB;IACpB,aAAa;IACb,aAAa;IACb,MAAM;IACN,SAAS;IACT,WAAW;IACX,OAAO;IACP,UAAU;IACV,OAAO;IACP,UAAU;IACV,WAAW;IACX,eAAe;IACf,aAAa;CACd,CAAC;AAEF;;GAEG;AACH,MAAM,OAAO,kBAAmB,SAAQ,SAAS;IAC/C,IAAI;QACF,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IAED,OAAO;QACL,OAAO,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,KAAkB,EAAE,MAAc;QAC5C,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACvC,CAAC;IAED,SAAS,CAAC,KAAkB,EAAE,MAAc;QAC1C,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;QAExB,0BAA0B;QAC1B,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;QACtB,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;
|
|
1
|
+
{"version":3,"file":"forbidden-path.js","sourceRoot":"","sources":["../../src/guards/forbidden-path.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAE1C,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC;;GAEG;AACH,MAAM,uBAAuB,GAAG;IAC9B,QAAQ;IACR,UAAU;IACV,QAAQ;IACR,UAAU;IACV,UAAU;IACV,YAAY;IACZ,kBAAkB;IAClB,oBAAoB;IACpB,aAAa;IACb,aAAa;IACb,MAAM;IACN,SAAS;IACT,WAAW;IACX,OAAO;IACP,UAAU;IACV,OAAO;IACP,UAAU;IACV,WAAW;IACX,eAAe;IACf,aAAa;CACd,CAAC;AAEF;;GAEG;AACH,MAAM,OAAO,kBAAmB,SAAQ,SAAS;IAC/C,IAAI;QACF,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IAED,OAAO;QACL,OAAO,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,KAAkB,EAAE,MAAc;QAC5C,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACvC,CAAC;IAED,SAAS,CAAC,KAAkB,EAAE,MAAc;QAC1C,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;QAExB,0BAA0B;QAC1B,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;QACtB,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QAEvB,6DAA6D;QAC7D,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC,IAAI,CACd,8CAA8C,EAC9C,UAAU,CACX,CAAC;QACJ,CAAC;QACD,MAAM,cAAc,GAAG,MAAM,CAAC,UAAU,EAAE,eAAe,IAAI,uBAAuB,CAAC;QAErF,gCAAgC;QAChC,MAAM,cAAc,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;QAC3C,MAAM,cAAc,GAAG,IAAI,CAAC,gBAAgB,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC;QAE7E,IAAI,cAAc,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC,IAAI,CACd,6BAA6B,IAAI,sBAAsB,cAAc,GAAG,EACxE,UAAU,CACX,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;IAED;;;OAGG;IACK,gBAAgB,CAAC,IAAY,EAAE,QAAkB;QACvD,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC;QAEvB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,+CAA+C;YAC/C,MAAM,eAAe,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;gBAC7C,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC;gBAC7B,CAAC,CAAC,OAAO,CAAC;YAEZ,oBAAoB;YACpB,IAAI,IAAI,KAAK,eAAe,EAAE,CAAC;gBAC7B,OAAO,OAAO,CAAC;YACjB,CAAC;YAED,gDAAgD;YAChD,oDAAoD;YACpD,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC
rE,IAAI,IAAI,CAAC,UAAU,CAAC,eAAe,GAAG,GAAG,CAAC,IAAI,IAAI,KAAK,eAAe,EAAE,CAAC;oBACvE,OAAO,OAAO,CAAC;gBACjB,CAAC;YACH,CAAC;YAED,0CAA0C;YAC1C,IAAI,SAAS,CAAC,IAAI,EAAE,eAAe,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;gBACtE,OAAO,OAAO,CAAC;YACjB,CAAC;YAED,2DAA2D;YAC3D,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;YAC7C,4DAA4D;YAC5D,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC3B,IAAI,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;oBAChD,OAAO,OAAO,CAAC;gBACjB,CAAC;YACH,CAAC;YAED,yDAAyD;YACzD,IAAI,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC9B,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBACvC,IAAI,SAAS,CAAC,QAAQ,EAAE,aAAa,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;oBACtD,OAAO,OAAO,CAAC;gBACjB,CAAC;gBACD,4CAA4C;gBAC5C,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBAC1C,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;oBAC7C,IAAI,SAAS,CAAC,OAAO,EAAE,aAAa,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;wBACrD,OAAO,OAAO,CAAC;oBACjB,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,IAAY;IACjC,6CAA6C;IAC7C,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAE/B,WAAW;IACX,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACzB,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IACvC,CAAC;IAED,4CAA4C;IAC5C,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvB,CAAC;IAED,oBAAoB;IACpB,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC;AACzB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"secret-leak.d.ts","sourceRoot":"","sources":["../../src/guards/secret-leak.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,MAAM,EACN,WAAW,EACX,SAAS,EACT,aAAa,EACd,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;
|
|
1
|
+
{"version":3,"file":"secret-leak.d.ts","sourceRoot":"","sources":["../../src/guards/secret-leak.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,MAAM,EACN,WAAW,EACX,SAAS,EACT,aAAa,EACd,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AA2KvC;;GAEG;AACH,qBAAa,eAAgB,SAAQ,SAAS;IAC5C,OAAO,CAAC,QAAQ,CAAkB;gBAEtB,kBAAkB,GAAE,aAAa,EAAO;IAKpD,IAAI,IAAI,MAAM;IAId,OAAO,IAAI,SAAS,EAAE;IAIhB,KAAK,CAAC,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAIrE,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,GAAG,WAAW;IAiC3D;;OAEG;IACH,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,aAAa,EAAE;IAkB/C;;OAEG;IACH,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM;IAsB/B;;OAEG;IACH,OAAO,CAAC,kBAAkB;CAkB3B"}
|
|
@@ -117,6 +117,13 @@ const SECRET_PATTERNS = [
|
|
|
117
117
|
severity: 'medium',
|
|
118
118
|
description: 'Stripe Test Secret Key',
|
|
119
119
|
},
|
|
120
|
+
// Stripe Restricted Key
|
|
121
|
+
{
|
|
122
|
+
name: 'stripe_restricted_key',
|
|
123
|
+
pattern: /rk_live_[A-Za-z0-9]{24,}/g,
|
|
124
|
+
severity: 'critical',
|
|
125
|
+
description: 'Stripe Live Restricted Key',
|
|
126
|
+
},
|
|
120
127
|
// Slack
|
|
121
128
|
{
|
|
122
129
|
name: 'slack_token',
|
|
@@ -124,6 +131,20 @@ const SECRET_PATTERNS = [
|
|
|
124
131
|
severity: 'high',
|
|
125
132
|
description: 'Slack Token',
|
|
126
133
|
},
|
|
134
|
+
// Azure Key Vault
|
|
135
|
+
{
|
|
136
|
+
name: 'azure_key_vault_token',
|
|
137
|
+
pattern: /azure[_-]?(?:key[_-]?vault|kv)[_-]?(?:secret|token|key)(?:'|")?\s*[:=]\s*(?:'|")?[A-Za-z0-9+/=_-]{32,}/gi,
|
|
138
|
+
severity: 'critical',
|
|
139
|
+
description: 'Azure Key Vault Secret',
|
|
140
|
+
},
|
|
141
|
+
// GitLab Personal Access Token
|
|
142
|
+
{
|
|
143
|
+
name: 'gitlab_pat',
|
|
144
|
+
pattern: /glpat-[A-Za-z0-9_-]{20,}/g,
|
|
145
|
+
severity: 'critical',
|
|
146
|
+
description: 'GitLab Personal Access Token',
|
|
147
|
+
},
|
|
127
148
|
// Generic high-entropy (likely secrets)
|
|
128
149
|
{
|
|
129
150
|
name: 'jwt_token',
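Review bot: The new `stripe_restricted_key` entry matches `rk_live_` only, whereas the entry just above it is a 'Stripe Test Secret Key' rule at `medium`, so test-mode restricted keys (`rk_test_`) pass unflagged; a sibling entry with `pattern: /rk_test_[A-Za-z0-9]{24,}/g` and `severity: 'medium'` would keep the two key families parallel. `azure_key_vault_token` is keyed on the variable name rather than the value, so it fires only when the secret is assigned to a name like `azure_kv_secret`; a short comment saying so would stop readers assuming it detects Key Vault secrets by shape. `gitlab_pat` covers the `glpat-` prefix only, and GitLab issues other prefixed tokens (deploy, runner) that are not matched. All three patterns carry the `g` flag, which makes `test()` stateful through `lastIndex`; the scanning code is outside these hunks, so confirm it resets `lastIndex` before each use.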
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"secret-leak.js","sourceRoot":"","sources":["../../src/guards/secret-leak.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AASH,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC;;GAEG;AACH,MAAM,eAAe,GAAoB;IACvC,WAAW;IACX;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,mBAAmB;QAC5B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,mBAAmB;KACjC;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,qBAAqB;QAC9B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,uBAAuB;KACrC;IAED,gBAAgB;IAChB;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,8BAA8B;KAC5C;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,oBAAoB;KAClC;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,uBAAuB;KACrC;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,6CAA6C;QACtD,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,yBAAyB;KACvC;IAED,cAAc;IACd;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,qBAAqB;QAC9B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gBAAgB;KAC9B;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,wBAAwB;KACtC;IAED,iBAAiB;IACjB;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,mBAAmB;KACjC;IAED,eAAe;IACf;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,yBAAyB;QAClC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gBAAgB;KAC9B;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,8BAA8B;QACvC,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,0BAA0B;KACxC;IAED,eAAe;IACf;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,kCAAkC;QAC3C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,iBAAiB;KAC/B;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,sCAAsC;QAC/C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,qBAAqB;KACnC;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,iCAAiC;QAC1C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gBAAgB;KAC9B;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,8BAA8B;QACvC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,aAAa;KAC3B;IAED,SAAS;IACT;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,wBAAwB;KACtC;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,wBAAwB;KACtC;IAED,QAAQ;IACR;QACE,I
AAI,EAAE,aAAa;QACnB,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,aAAa;KAC3B;IAED,wCAAwC;IACxC;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uDAAuD;QAChE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,WAAW;KACzB;IAED,iCAAiC;IACjC;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,oDAAoD;QAC7D,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,+BAA+B;KAC7C;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,OAAO,eAAgB,SAAQ,SAAS;IACpC,QAAQ,CAAkB;IAElC,YAAY,qBAAsC,EAAE;QAClD,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,QAAQ,GAAG,CAAC,GAAG,eAAe,EAAE,GAAG,kBAAkB,CAAC,CAAC;IAC9D,CAAC;IAED,IAAI;QACF,OAAO,aAAa,CAAC;IACvB,CAAC;IAED,OAAO;QACL,OAAO,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,KAAkB,EAAE,MAAc;QAC5C,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACvC,CAAC;IAED,SAAS,CAAC,KAAkB,EAAE,OAAe;QAC3C,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;QACxB,IAAI,cAAkC,CAAC;QAEvC,2CAA2C;QAC3C,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC1B,cAAc,GAAG,IAAI,CAAC,YAAY,CAAC;QACrC,CAAC;aAAM,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAChC,gCAAgC;YAChC,cAAc;gBACZ,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;QACtF,CAAC;QAED,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;QACtB,CAAC;QAED,4BAA4B;QAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,cAAc,CAAC,CAAC;QAEpD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,eAAe,GAAG,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YAC1D,MAAM,WAAW,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAE3D,OAAO,IAAI,CAAC,IAAI,CACd,yCAAyC,WAAW,EAAE,EACtD,eAAe,CAChB,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,OAAe;QAC3B,MAAM,QAAQ,GAAoB,EAAE,CAAC;QAErC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,oBAAoB;YACpB,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YAE9B,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACzB,CAAC;YAED,yBAAyB;YACzB,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QAChC,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;
IAED;;OAEG;IACH,MAAM,CAAC,OAAe;QACpB,IAAI,QAAQ,GAAG,OAAO,CAAC;QAEvB,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,oBAAoB;YACpB,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YAE9B,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE;gBACrD,yDAAyD;gBACzD,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;oBACtB,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC5D,CAAC;gBACD,OAAO,YAAY,CAAC;YACtB,CAAC,CAAC,CAAC;YAEH,4BAA4B;YAC5B,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QAChC,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACK,kBAAkB,CACxB,QAAyB;QAEzB,MAAM,aAAa,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAU,CAAC;QAErE,IAAI,OAAO,GAAmC,KAAK,CAAC;QAEpD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IACE,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC;gBACvC,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,EAC9B,CAAC;gBACD,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;YAC7B,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;CACF"}
|
|
1
|
+
{"version":3,"file":"secret-leak.js","sourceRoot":"","sources":["../../src/guards/secret-leak.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AASH,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC;;GAEG;AACH,MAAM,eAAe,GAAoB;IACvC,WAAW;IACX;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,mBAAmB;QAC5B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,mBAAmB;KACjC;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,qBAAqB;QAC9B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,uBAAuB;KACrC;IAED,gBAAgB;IAChB;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,8BAA8B;KAC5C;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,oBAAoB;KAClC;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,uBAAuB;KACrC;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,6CAA6C;QACtD,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,yBAAyB;KACvC;IAED,cAAc;IACd;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,qBAAqB;QAC9B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gBAAgB;KAC9B;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,wBAAwB;KACtC;IAED,iBAAiB;IACjB;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,mBAAmB;KACjC;IAED,eAAe;IACf;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,yBAAyB;QAClC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gBAAgB;KAC9B;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,8BAA8B;QACvC,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,0BAA0B;KACxC;IAED,eAAe;IACf;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,kCAAkC;QAC3C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,iBAAiB;KAC/B;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,sCAAsC;QAC/C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,qBAAqB;KACnC;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,iCAAiC;QAC1C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gBAAgB;KAC9B;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,8BAA8B;QACvC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,aAAa;KAC3B;IAED,SAAS;IACT;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,wBAAwB;KACtC;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,wBAAwB;KACtC;IAED,wBAAwB;IACxB;QAC
E,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,4BAA4B;KAC1C;IAED,QAAQ;IACR;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,aAAa;KAC3B;IAED,kBAAkB;IAClB;QACE,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,0GAA0G;QACnH,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,wBAAwB;KACtC;IAED,+BAA+B;IAC/B;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,8BAA8B;KAC5C;IAED,wCAAwC;IACxC;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uDAAuD;QAChE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,WAAW;KACzB;IAED,iCAAiC;IACjC;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,oDAAoD;QAC7D,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,+BAA+B;KAC7C;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,OAAO,eAAgB,SAAQ,SAAS;IACpC,QAAQ,CAAkB;IAElC,YAAY,qBAAsC,EAAE;QAClD,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,QAAQ,GAAG,CAAC,GAAG,eAAe,EAAE,GAAG,kBAAkB,CAAC,CAAC;IAC9D,CAAC;IAED,IAAI;QACF,OAAO,aAAa,CAAC;IACvB,CAAC;IAED,OAAO;QACL,OAAO,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,KAAkB,EAAE,MAAc;QAC5C,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACvC,CAAC;IAED,SAAS,CAAC,KAAkB,EAAE,OAAe;QAC3C,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;QACxB,IAAI,cAAkC,CAAC;QAEvC,2CAA2C;QAC3C,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC1B,cAAc,GAAG,IAAI,CAAC,YAAY,CAAC;QACrC,CAAC;aAAM,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAChC,gCAAgC;YAChC,cAAc;gBACZ,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;QACtF,CAAC;QAED,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;QACtB,CAAC;QAED,4BAA4B;QAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,cAAc,CAAC,CAAC;QAEpD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,eAAe,GAAG,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YAC1D,MAAM,WAAW,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAE3D,OAAO,IAAI,CAAC,IAAI,CACd,yCAAyC,WAAW,EAAE,EACtD,eAAe,CAChB,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,OAAe;QAC3B,MAAM,QAAQ,GAA
oB,EAAE,CAAC;QAErC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,oBAAoB;YACpB,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YAE9B,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACzB,CAAC;YAED,yBAAyB;YACzB,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QAChC,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,OAAe;QACpB,IAAI,QAAQ,GAAG,OAAO,CAAC;QAEvB,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,oBAAoB;YACpB,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YAE9B,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE;gBACrD,yDAAyD;gBACzD,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;oBACtB,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC5D,CAAC;gBACD,OAAO,YAAY,CAAC;YACtB,CAAC,CAAC,CAAC;YAEH,4BAA4B;YAC5B,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QAChC,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACK,kBAAkB,CACxB,QAAyB;QAEzB,MAAM,aAAa,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAU,CAAC;QAErE,IAAI,OAAO,GAAmC,KAAK,CAAC;QAEpD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IACE,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC;gBACvC,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,EAC9B,CAAC;gBACD,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;YAC7B,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;CACF"}
|
|
@@ -4,6 +4,10 @@
|
|
|
4
4
|
* Injects a SECURITY.md file into the agent bootstrap context.
|
|
5
5
|
*/
|
|
6
6
|
import type { HookHandler, ClawdstrikeConfig } from '../../types.js';
|
|
7
|
+
/**
|
|
8
|
+
* Initialize the hook with configuration.
|
|
9
|
+
* Delegates to the shared engine holder so all hooks share one PolicyEngine.
|
|
10
|
+
*/
|
|
7
11
|
export declare function initialize(config: ClawdstrikeConfig): void;
|
|
8
12
|
declare const handler: HookHandler;
|
|
9
13
|
export default handler;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../src/hooks/agent-bootstrap/handler.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAkC,WAAW,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;
|
|
1
|
+
{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../src/hooks/agent-bootstrap/handler.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAkC,WAAW,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAIrG;;;GAGG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI,CAE1D;AAMD,QAAA,MAAM,OAAO,EAAE,WAmBd,CAAC;AAEF,eAAe,OAAO,CAAC"}
|