@clawdstrike/openclaw 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +7 -0
- package/dist/audit/store.d.ts +26 -0
- package/dist/audit/store.d.ts.map +1 -0
- package/dist/audit/store.js +59 -0
- package/dist/audit/store.js.map +1 -0
- package/dist/cli/bin.d.ts +3 -0
- package/dist/cli/bin.d.ts.map +1 -0
- package/dist/cli/bin.js +5 -0
- package/dist/cli/bin.js.map +1 -0
- package/dist/cli/commands/audit.d.ts +19 -0
- package/dist/cli/commands/audit.d.ts.map +1 -0
- package/dist/cli/commands/audit.js +93 -0
- package/dist/cli/commands/audit.js.map +1 -0
- package/dist/cli/commands/policy.d.ts +11 -0
- package/dist/cli/commands/policy.d.ts.map +1 -0
- package/dist/cli/commands/policy.js +101 -0
- package/dist/cli/commands/policy.js.map +1 -0
- package/dist/cli/index.d.ts +4 -0
- package/dist/cli/index.d.ts.map +1 -0
- package/dist/cli/index.js +91 -0
- package/dist/cli/index.js.map +1 -0
- package/dist/config.d.ts +27 -0
- package/dist/config.d.ts.map +1 -0
- package/dist/config.js +88 -0
- package/dist/config.js.map +1 -0
- package/dist/e2e/openclaw-e2e.d.ts +2 -0
- package/dist/e2e/openclaw-e2e.d.ts.map +1 -0
- package/dist/e2e/openclaw-e2e.js +129 -0
- package/dist/e2e/openclaw-e2e.js.map +1 -0
- package/dist/guards/egress.d.ts +25 -0
- package/dist/guards/egress.d.ts.map +1 -0
- package/dist/guards/egress.js +146 -0
- package/dist/guards/egress.js.map +1 -0
- package/dist/guards/forbidden-path.d.ts +22 -0
- package/dist/guards/forbidden-path.d.ts.map +1 -0
- package/dist/guards/forbidden-path.js +132 -0
- package/dist/guards/forbidden-path.js.map +1 -0
- package/dist/guards/index.d.ts +12 -0
- package/dist/guards/index.d.ts.map +1 -0
- package/dist/guards/index.js +11 -0
- package/dist/guards/index.js.map +1 -0
- package/dist/guards/patch-integrity.d.ts +27 -0
- package/dist/guards/patch-integrity.d.ts.map +1 -0
- package/dist/guards/patch-integrity.js +219 -0
- package/dist/guards/patch-integrity.js.map +1 -0
- package/dist/guards/secret-leak.d.ts +31 -0
- package/dist/guards/secret-leak.d.ts.map +1 -0
- package/dist/guards/secret-leak.js +235 -0
- package/dist/guards/secret-leak.js.map +1 -0
- package/dist/guards/types.d.ts +46 -0
- package/dist/guards/types.d.ts.map +1 -0
- package/dist/guards/types.js +36 -0
- package/dist/guards/types.js.map +1 -0
- package/dist/hooks/agent-bootstrap/handler.d.ts +10 -0
- package/dist/hooks/agent-bootstrap/handler.d.ts.map +1 -0
- package/dist/hooks/agent-bootstrap/handler.js +35 -0
- package/dist/hooks/agent-bootstrap/handler.js.map +1 -0
- package/dist/hooks/audit-logger/handler.d.ts +16 -0
- package/dist/hooks/audit-logger/handler.d.ts.map +1 -0
- package/dist/hooks/audit-logger/handler.js +70 -0
- package/dist/hooks/audit-logger/handler.js.map +1 -0
- package/dist/hooks/tool-guard/handler.d.ts +16 -0
- package/dist/hooks/tool-guard/handler.d.ts.map +1 -0
- package/dist/hooks/tool-guard/handler.js +335 -0
- package/dist/hooks/tool-guard/handler.js.map +1 -0
- package/dist/index.d.ts +10 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +15 -0
- package/dist/index.js.map +1 -0
- package/dist/plugin.d.ts +11 -0
- package/dist/plugin.d.ts.map +1 -0
- package/dist/plugin.js +234 -0
- package/dist/plugin.js.map +1 -0
- package/dist/policy/engine.d.ts +31 -0
- package/dist/policy/engine.d.ts.map +1 -0
- package/dist/policy/engine.js +282 -0
- package/dist/policy/engine.js.map +1 -0
- package/dist/policy/index.d.ts +4 -0
- package/dist/policy/index.d.ts.map +1 -0
- package/dist/policy/index.js +4 -0
- package/dist/policy/index.js.map +1 -0
- package/dist/policy/loader.d.ts +10 -0
- package/dist/policy/loader.d.ts.map +1 -0
- package/dist/policy/loader.js +262 -0
- package/dist/policy/loader.js.map +1 -0
- package/dist/policy/validator.d.ts +4 -0
- package/dist/policy/validator.d.ts.map +1 -0
- package/dist/policy/validator.js +409 -0
- package/dist/policy/validator.js.map +1 -0
- package/dist/sanitizer/output-sanitizer.d.ts +15 -0
- package/dist/sanitizer/output-sanitizer.d.ts.map +1 -0
- package/dist/sanitizer/output-sanitizer.js +47 -0
- package/dist/sanitizer/output-sanitizer.js.map +1 -0
- package/dist/security-prompt.d.ts +3 -0
- package/dist/security-prompt.d.ts.map +1 -0
- package/dist/security-prompt.js +70 -0
- package/dist/security-prompt.js.map +1 -0
- package/dist/tools/policy-check.d.ts +10 -0
- package/dist/tools/policy-check.d.ts.map +1 -0
- package/dist/tools/policy-check.js +141 -0
- package/dist/tools/policy-check.js.map +1 -0
- package/dist/types.d.ts +413 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +7 -0
- package/dist/types.js.map +1 -0
- package/package.json +85 -0
- package/rulesets/ai-agent-minimal.yaml +42 -0
- package/rulesets/ai-agent.yaml +70 -0
package/dist/plugin.js
ADDED
|
@@ -0,0 +1,234 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* OpenClaw plugin entry point for Clawdstrike
|
|
3
|
+
*
|
|
4
|
+
* Follows the OpenClaw plugin API: https://docs.openclaw.ai/plugin
|
|
5
|
+
*/
|
|
6
|
+
import { PolicyEngine } from "./policy/engine.js";
|
|
7
|
+
// Re-export existing utilities for external use
|
|
8
|
+
export * from "./index.js";
|
|
9
|
+
/**
|
|
10
|
+
* Plugin registration function (function format per OpenClaw docs)
|
|
11
|
+
*/
|
|
12
|
+
export default function clawdstrikePlugin(api) {
|
|
13
|
+
const logger = api.logger ?? console;
|
|
14
|
+
// Load config from plugin settings
|
|
15
|
+
const getConfig = () => {
|
|
16
|
+
const pluginConfig = api.config?.plugins?.entries?.["clawdstrike-security"]?.config ?? {};
|
|
17
|
+
return {
|
|
18
|
+
policy: pluginConfig.policy,
|
|
19
|
+
mode: pluginConfig.mode ?? "deterministic",
|
|
20
|
+
logLevel: pluginConfig.logLevel ?? "info",
|
|
21
|
+
guards: pluginConfig.guards ?? {
|
|
22
|
+
forbidden_path: true,
|
|
23
|
+
egress: true,
|
|
24
|
+
secret_leak: true,
|
|
25
|
+
patch_integrity: true,
|
|
26
|
+
},
|
|
27
|
+
};
|
|
28
|
+
};
|
|
29
|
+
// Register the policy_check tool
|
|
30
|
+
api.registerTool({
|
|
31
|
+
name: "policy_check",
|
|
32
|
+
description: "Check if an action is allowed by the security policy. Use this BEFORE attempting potentially restricted operations like file access, network requests, or command execution.",
|
|
33
|
+
parameters: {
|
|
34
|
+
type: "object",
|
|
35
|
+
properties: {
|
|
36
|
+
action: {
|
|
37
|
+
type: "string",
|
|
38
|
+
enum: ["file_read", "file_write", "network", "command", "tool_call"],
|
|
39
|
+
description: "The type of action to check",
|
|
40
|
+
},
|
|
41
|
+
resource: {
|
|
42
|
+
type: "string",
|
|
43
|
+
description: "The resource to check (file path, domain/URL, command string, or tool name)",
|
|
44
|
+
},
|
|
45
|
+
},
|
|
46
|
+
required: ["action", "resource"],
|
|
47
|
+
},
|
|
48
|
+
async execute(_id, params) {
|
|
49
|
+
try {
|
|
50
|
+
const config = getConfig();
|
|
51
|
+
const engine = new PolicyEngine(config);
|
|
52
|
+
const action = params.action ?? "tool_call";
|
|
53
|
+
const resource = params.resource ?? "";
|
|
54
|
+
const event = buildEvent(action, resource);
|
|
55
|
+
const decision = await engine.evaluate(event);
|
|
56
|
+
const isDenied = decision.status === 'deny' || decision.denied;
|
|
57
|
+
const isWarn = decision.status === 'warn' || decision.warn;
|
|
58
|
+
const result = {
|
|
59
|
+
allowed: !isDenied,
|
|
60
|
+
denied: isDenied,
|
|
61
|
+
warn: isWarn,
|
|
62
|
+
guard: decision.guard,
|
|
63
|
+
reason: decision.reason,
|
|
64
|
+
message: formatDecision(decision),
|
|
65
|
+
suggestion: isDenied ? getSuggestion(action, resource) : undefined,
|
|
66
|
+
};
|
|
67
|
+
return {
|
|
68
|
+
content: [
|
|
69
|
+
{
|
|
70
|
+
type: "text",
|
|
71
|
+
text: JSON.stringify(result, null, 2),
|
|
72
|
+
},
|
|
73
|
+
],
|
|
74
|
+
};
|
|
75
|
+
}
|
|
76
|
+
catch (error) {
|
|
77
|
+
const message = error instanceof Error ? error.message : String(error);
|
|
78
|
+
return {
|
|
79
|
+
content: [
|
|
80
|
+
{
|
|
81
|
+
type: "text",
|
|
82
|
+
text: JSON.stringify({ error: true, message }, null, 2),
|
|
83
|
+
},
|
|
84
|
+
],
|
|
85
|
+
};
|
|
86
|
+
}
|
|
87
|
+
},
|
|
88
|
+
});
|
|
89
|
+
// Register CLI commands
|
|
90
|
+
api.registerCli(({ program }) => {
|
|
91
|
+
const clawdstrike = program
|
|
92
|
+
.command("clawdstrike")
|
|
93
|
+
.description("Clawdstrike security management");
|
|
94
|
+
clawdstrike
|
|
95
|
+
.command("status")
|
|
96
|
+
.description("Show Clawdstrike plugin status")
|
|
97
|
+
.action(() => {
|
|
98
|
+
const config = getConfig();
|
|
99
|
+
console.log("Clawdstrike Security Plugin");
|
|
100
|
+
console.log("---------------------------");
|
|
101
|
+
console.log(`Mode: ${config.mode}`);
|
|
102
|
+
console.log(`Policy: ${config.policy ?? "(default)"}`);
|
|
103
|
+
console.log(`Log Level: ${config.logLevel}`);
|
|
104
|
+
console.log("Guards:");
|
|
105
|
+
Object.entries(config.guards ?? {}).forEach(([name, enabled]) => {
|
|
106
|
+
console.log(` ${name}: ${enabled ? "enabled" : "disabled"}`);
|
|
107
|
+
});
|
|
108
|
+
});
|
|
109
|
+
clawdstrike
|
|
110
|
+
.command("check <action> <resource>")
|
|
111
|
+
.description("Check if an action is allowed")
|
|
112
|
+
.action(async (action, resource) => {
|
|
113
|
+
const config = getConfig();
|
|
114
|
+
const engine = new PolicyEngine(config);
|
|
115
|
+
const event = buildEvent(action, resource);
|
|
116
|
+
const decision = await engine.evaluate(event);
|
|
117
|
+
console.log(formatDecision(decision));
|
|
118
|
+
if (decision.status === 'deny' || decision.denied) {
|
|
119
|
+
console.log(`Suggestion: ${getSuggestion(action, resource)}`);
|
|
120
|
+
process.exitCode = 1;
|
|
121
|
+
}
|
|
122
|
+
});
|
|
123
|
+
}, { commands: ["clawdstrike"] });
|
|
124
|
+
logger.info?.("[clawdstrike] Plugin registered");
|
|
125
|
+
}
|
|
126
|
+
function buildEvent(action, resource) {
|
|
127
|
+
const now = new Date();
|
|
128
|
+
const eventId = `policy-check-${now.getTime()}-${Math.random().toString(36).slice(2, 8)}`;
|
|
129
|
+
const timestamp = now.toISOString();
|
|
130
|
+
switch (action) {
|
|
131
|
+
case "file_read":
|
|
132
|
+
return {
|
|
133
|
+
eventId,
|
|
134
|
+
eventType: "file_read",
|
|
135
|
+
timestamp,
|
|
136
|
+
data: { type: "file", path: resource, operation: "read" },
|
|
137
|
+
};
|
|
138
|
+
case "file_write":
|
|
139
|
+
return {
|
|
140
|
+
eventId,
|
|
141
|
+
eventType: "file_write",
|
|
142
|
+
timestamp,
|
|
143
|
+
data: { type: "file", path: resource, operation: "write" },
|
|
144
|
+
};
|
|
145
|
+
case "network":
|
|
146
|
+
case "network_egress": {
|
|
147
|
+
const { host, port, url } = parseNetworkTarget(resource);
|
|
148
|
+
return {
|
|
149
|
+
eventId,
|
|
150
|
+
eventType: "network_egress",
|
|
151
|
+
timestamp,
|
|
152
|
+
data: { type: "network", host, port, url },
|
|
153
|
+
};
|
|
154
|
+
}
|
|
155
|
+
case "command":
|
|
156
|
+
case "command_exec": {
|
|
157
|
+
const parts = resource.trim().split(/\s+/).filter(Boolean);
|
|
158
|
+
const [command, ...args] = parts;
|
|
159
|
+
return {
|
|
160
|
+
eventId,
|
|
161
|
+
eventType: "command_exec",
|
|
162
|
+
timestamp,
|
|
163
|
+
data: { type: "command", command: command ?? "", args },
|
|
164
|
+
};
|
|
165
|
+
}
|
|
166
|
+
case "tool_call":
|
|
167
|
+
default:
|
|
168
|
+
return {
|
|
169
|
+
eventId,
|
|
170
|
+
eventType: "tool_call",
|
|
171
|
+
timestamp,
|
|
172
|
+
data: { type: "tool", toolName: resource, parameters: {} },
|
|
173
|
+
};
|
|
174
|
+
}
|
|
175
|
+
}
|
|
176
|
+
function parseNetworkTarget(target) {
|
|
177
|
+
const trimmed = (target ?? "").trim();
|
|
178
|
+
if (!trimmed)
|
|
179
|
+
return { host: "", port: 0 };
|
|
180
|
+
try {
|
|
181
|
+
const parsed = new URL(trimmed);
|
|
182
|
+
const port = parsed.port
|
|
183
|
+
? Number.parseInt(parsed.port, 10)
|
|
184
|
+
: parsed.protocol === "http:"
|
|
185
|
+
? 80
|
|
186
|
+
: 443;
|
|
187
|
+
return { host: parsed.hostname, port, url: trimmed };
|
|
188
|
+
}
|
|
189
|
+
catch {
|
|
190
|
+
try {
|
|
191
|
+
const parsed = new URL(`https://${trimmed}`);
|
|
192
|
+
const port = parsed.port ? Number.parseInt(parsed.port, 10) : 443;
|
|
193
|
+
return { host: parsed.hostname, port, url: `https://${trimmed}` };
|
|
194
|
+
}
|
|
195
|
+
catch {
|
|
196
|
+
return { host: trimmed.split("/")[0] ?? trimmed, port: 443 };
|
|
197
|
+
}
|
|
198
|
+
}
|
|
199
|
+
}
|
|
200
|
+
function formatDecision(decision) {
|
|
201
|
+
const isDenied = decision.status === 'deny' || decision.denied;
|
|
202
|
+
const isWarn = decision.status === 'warn' || decision.warn;
|
|
203
|
+
if (isDenied) {
|
|
204
|
+
const guard = decision.guard ? ` by ${decision.guard}` : "";
|
|
205
|
+
const reason = decision.reason ? `: ${decision.reason}` : "";
|
|
206
|
+
return `Denied${guard}${reason}`;
|
|
207
|
+
}
|
|
208
|
+
if (isWarn) {
|
|
209
|
+
const msg = decision.message ?? decision.reason ?? "Policy warning";
|
|
210
|
+
return `Warning: ${msg}`;
|
|
211
|
+
}
|
|
212
|
+
return "Action allowed";
|
|
213
|
+
}
|
|
214
|
+
function getSuggestion(action, resource) {
|
|
215
|
+
if ((action === "file_write" || action === "file_read") && resource.includes(".ssh")) {
|
|
216
|
+
return "SSH keys are protected. Consider using a different credential storage method.";
|
|
217
|
+
}
|
|
218
|
+
if ((action === "file_write" || action === "file_read") && resource.includes(".aws")) {
|
|
219
|
+
return "AWS credentials are protected. Use environment variables or IAM roles instead.";
|
|
220
|
+
}
|
|
221
|
+
if (action === "network_egress" || action === "network") {
|
|
222
|
+
return "Try using an allowed domain like api.github.com or pypi.org.";
|
|
223
|
+
}
|
|
224
|
+
if ((action === "command_exec" || action === "command") &&
|
|
225
|
+
resource.includes("sudo")) {
|
|
226
|
+
return "Privileged commands are restricted. Try running without sudo.";
|
|
227
|
+
}
|
|
228
|
+
if ((action === "command_exec" || action === "command") &&
|
|
229
|
+
(resource.includes("rm -rf") || resource.includes("dd if="))) {
|
|
230
|
+
return "Destructive commands are blocked. Consider safer alternatives.";
|
|
231
|
+
}
|
|
232
|
+
return "Consider an alternative approach that works within the security policy.";
|
|
233
|
+
}
|
|
234
|
+
//# sourceMappingURL=plugin.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"plugin.js","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAGlD,gDAAgD;AAChD,cAAc,YAAY,CAAC;AAE3B;;GAEG;AACH,MAAM,CAAC,OAAO,UAAU,iBAAiB,CAAC,GAAQ;IAChD,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,OAAO,CAAC;IAErC,mCAAmC;IACnC,MAAM,SAAS,GAAG,GAAsB,EAAE;QACxC,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,sBAAsB,CAAC,EAAE,MAAM,IAAI,EAAE,CAAC;QAC1F,OAAO;YACL,MAAM,EAAE,YAAY,CAAC,MAAM;YAC3B,IAAI,EAAE,YAAY,CAAC,IAAI,IAAI,eAAe;YAC1C,QAAQ,EAAE,YAAY,CAAC,QAAQ,IAAI,MAAM;YACzC,MAAM,EAAE,YAAY,CAAC,MAAM,IAAI;gBAC7B,cAAc,EAAE,IAAI;gBACpB,MAAM,EAAE,IAAI;gBACZ,WAAW,EAAE,IAAI;gBACjB,eAAe,EAAE,IAAI;aACtB;SACF,CAAC;IACJ,CAAC,CAAC;IAEF,iCAAiC;IACjC,GAAG,CAAC,YAAY,CAAC;QACf,IAAI,EAAE,cAAc;QACpB,WAAW,EACT,8KAA8K;QAChL,UAAU,EAAE;YACV,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,CAAC,WAAW,EAAE,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,WAAW,CAAC;oBACpE,WAAW,EAAE,6BAA6B;iBAC3C;gBACD,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,WAAW,EACT,6EAA6E;iBAChF;aACF;YACD,QAAQ,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC;SACjC;QACD,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,MAA4C;YACrE,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;gBAC3B,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;gBAExC,MAAM,MAAM,GAAI,MAAM,CAAC,MAA4B,IAAI,WAAW,CAAC;gBACnE,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;gBAEvC,MAAM,KAAK,GAAG,UAAU,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;gBAC3C,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,KAAY,CAAC,CAAC;gBAErD,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,KAAK,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC;gBAC/D,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,KAAK,MAAM,IAAI,QAAQ,CAAC,IAAI,CAAC;gBAC3D,MAAM,MAAM,GAAG;oBACb,OAAO,EAAE,CAAC,QAAQ;oBAClB,MAAM,EAAE,QAAQ;oBAChB,IAAI,EAAE,MAAM;oBACZ,KAAK,EAAE,QAAQ,CAAC,KAAK;oBACrB,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,OAAO,EAAE,cAAc,CAAC,QAAQ,CAAC;oBACjC,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;iBACnE,CAAC;gBAEF,OAAO;oBACL,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;yBACtC;qBACF;iBACF,CAAC;YACJ,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBACvE,OAAO;oBACL,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;yBACxD;qBACF;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;KACF,CAAC,CAAC;IAEH,wBAAwB;IACxB,GAAG,CAAC,WAAW,CACb,CAAC,EAAE,OAAO,EAAoB,EAAE,EAAE;QAChC,MAAM,WAAW,GAAG,OAAO;aACxB,OAAO,CAAC,aAAa,CAAC;aACtB,WAAW,CAAC,iCAAiC,CAAC,CAAC;QAElD,WAAW;aACR,OAAO,CAAC,QAAQ,CAAC;aACjB,WAAW,CAAC,gCAAgC,CAAC;aAC7C,MAAM,CAAC,GAAG,EAAE;YACX,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;YAC3C,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;YAC3C,OAAO,CAAC,GAAG,CAAC,SAAS,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YACpC,OAAO,CAAC,GAAG,CAAC,WAAW,MAAM,CAAC,MAAM,IAAI,WAAW,EAAE,CAAC,CAAC;YACvD,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC7C,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACvB,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE;gBAC9D,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC;YAChE,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEL,WAAW;aACR,OAAO,CAAC,2BAA2B,CAAC;aACpC,WAAW,CAAC,+BAA+B,CAAC;aAC5C,MAAM,CAAC,KAAK,EAAE,MAAc,EAAE,QAAgB,EAAE,EAAE;YACjD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YACxC,MAAM,KAAK,GAAG,UAAU,CAAC,MAA2B,EAAE,QAAQ,CAAC,CAAC;YAChE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,KAAY,CAAC,CAAC;YACrD,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;YACtC,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;gBAClD,OAAO,CAAC,GAAG,CAAC,eAAe,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC;gBAC9D,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACvB,CAAC;QACH,CAAC,CAAC,CAAC;IACP,CAAC,EACD,EAAE,QAAQ,EAAE,CAAC,aAAa,CAAC,EAAE,CAC9B,CAAC;IAEF,MAAM,CAAC,IAAI,EAAE,CAAC,iCAAiC,CAAC,CAAC;AACnD,CAAC;AAsCD,SAAS,UAAU,CAAC,MAAyB,EAAE,QAAgB;IAC7D,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,OAAO,GAAG,gBAAgB,GAAG,CAAC,OAAO,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;IAC1F,MAAM,SAAS,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;IAEpC,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,WAAW;YACd,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,WAAW;gBACtB,SAAS;gBACT,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE;aAC1D,CAAC;QACJ,KAAK,YAAY;YACf,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,YAAY;gBACvB,SAAS;gBACT,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE;aAC3D,CAAC;QACJ,KAAK,SAAS,CAAC;QACf,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YACzD,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,gBAAgB;gBAC3B,SAAS;gBACT,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE;aAC3C,CAAC;QACJ,CAAC;QACD,KAAK,SAAS,CAAC;QACf,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC3D,MAAM,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,KAAK,CAAC;YACjC,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,cAAc;gBACzB,SAAS;gBACT,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,IAAI,EAAE,EAAE,IAAI,EAAE;aACxD,CAAC;QACJ,CAAC;QACD,KAAK,WAAW,CAAC;QACjB;YACE,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,WAAW;gBACtB,SAAS;gBACT,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,EAAE;aAC3D,CAAC;IACN,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAc;IACxC,MAAM,OAAO,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACtC,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IAE3C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;QAChC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI;YACtB,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;YAClC,CAAC,CAAC,MAAM,CAAC,QAAQ,KAAK,OAAO;gBAC3B,CAAC,CAAC,EAAE;gBACJ,CAAC,CAAC,GAAG,CAAC;QACV,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,WAAW,OAAO,EAAE,CAAC,CAAC;YAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YAClE,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE,IAAI,EAAE,GAAG,EAAE,WAAW,OAAO,EAAE,EAAE,CAAC;QACpE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;QAC/D,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,QAAkB;IACxC,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,KAAK,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC;IAC/D,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,KAAK,MAAM,IAAI,QAAQ,CAAC,IAAI,CAAC;IAC3D,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5D,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC7D,OAAO,SAAS,KAAK,GAAG,MAAM,EAAE,CAAC;IACnC,CAAC;IACD,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,IAAI,QAAQ,CAAC,MAAM,IAAI,gBAAgB,CAAC;QACpE,OAAO,YAAY,GAAG,EAAE,CAAC;IAC3B,CAAC;IACD,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAED,SAAS,aAAa,CAAC,MAAc,EAAE,QAAgB;IACrD,IAAI,CAAC,MAAM,KAAK,YAAY,IAAI,MAAM,KAAK,WAAW,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACrF,OAAO,+EAA+E,CAAC;IACzF,CAAC;IACD,IAAI,CAAC,MAAM,KAAK,YAAY,IAAI,MAAM,KAAK,WAAW,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACrF,OAAO,gFAAgF,CAAC;IAC1F,CAAC;IACD,IAAI,MAAM,KAAK,gBAAgB,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACxD,OAAO,8DAA8D,CAAC;IACxE,CAAC;IACD,IACE,CAAC,MAAM,KAAK,cAAc,IAAI,MAAM,KAAK,SAAS,CAAC;QACnD,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,EACzB,CAAC;QACD,OAAO,+DAA+D,CAAC;IACzE,CAAC;IACD,IACE,CAAC,MAAM,KAAK,cAAc,IAAI,MAAM,KAAK,SAAS,CAAC;QACnD,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAC5D,CAAC;QACD,OAAO,gEAAgE,CAAC;IAC1E,CAAC;IACD,OAAO,yEAAyE,CAAC;AACnF,CAAC"}
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
import type { Decision, ClawdstrikeConfig, Policy, PolicyEvent } from '../types.js';
|
|
2
|
+
export declare class PolicyEngine {
|
|
3
|
+
private readonly config;
|
|
4
|
+
private readonly policy;
|
|
5
|
+
private readonly forbiddenPathGuard;
|
|
6
|
+
private readonly egressGuard;
|
|
7
|
+
private readonly secretLeakGuard;
|
|
8
|
+
private readonly patchIntegrityGuard;
|
|
9
|
+
private readonly threatIntelEngine;
|
|
10
|
+
constructor(config?: ClawdstrikeConfig);
|
|
11
|
+
enabledGuards(): string[];
|
|
12
|
+
getPolicy(): Policy;
|
|
13
|
+
lintPolicy(policyRef: string): Promise<{
|
|
14
|
+
valid: boolean;
|
|
15
|
+
errors: string[];
|
|
16
|
+
warnings: string[];
|
|
17
|
+
}>;
|
|
18
|
+
redactSecrets(content: string): string;
|
|
19
|
+
sanitizeOutput(content: string): string;
|
|
20
|
+
evaluate(event: PolicyEvent): Promise<Decision>;
|
|
21
|
+
private applyMode;
|
|
22
|
+
private evaluateDeterministic;
|
|
23
|
+
private checkFilesystem;
|
|
24
|
+
private checkEgress;
|
|
25
|
+
private checkExecution;
|
|
26
|
+
private checkToolCall;
|
|
27
|
+
private checkPatch;
|
|
28
|
+
private applyOnViolation;
|
|
29
|
+
private guardResultToDecision;
|
|
30
|
+
}
|
|
31
|
+
//# sourceMappingURL=engine.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../src/policy/engine.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,QAAQ,EAAkB,iBAAiB,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAcpG,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA8B;IACrD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAqB;IACxD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAc;IAC1C,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAkB;IAClD,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAsB;IAC1D,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAmC;gBAEzD,MAAM,GAAE,iBAAsB;IAU1C,aAAa,IAAI,MAAM,EAAE;IAWzB,SAAS,IAAI,MAAM;IAIb,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAC;QAAC,QAAQ,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAStG,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM;IAItC,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM;IAOjC,QAAQ,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IAoBrD,OAAO,CAAC,SAAS;IAsBjB,OAAO,CAAC,qBAAqB;IAoB7B,OAAO,CAAC,eAAe;IAwCvB,OAAO,CAAC,WAAW;IAUnB,OAAO,CAAC,cAAc;IAUtB,OAAO,CAAC,aAAa;IA0CrB,OAAO,CAAC,UAAU;IAsBlB,OAAO,CAAC,gBAAgB;IAqBxB,OAAO,CAAC,qBAAqB;CAO9B"}
|
|
@@ -0,0 +1,282 @@
|
|
|
1
|
+
import { homedir } from 'node:os';
|
|
2
|
+
import path from 'node:path';
|
|
3
|
+
import { createPolicyEngineFromPolicy } from '@clawdstrike/policy';
|
|
4
|
+
import { mergeConfig } from '../config.js';
|
|
5
|
+
import { EgressGuard, ForbiddenPathGuard, PatchIntegrityGuard, SecretLeakGuard } from '../guards/index.js';
|
|
6
|
+
import { sanitizeOutputText } from '../sanitizer/output-sanitizer.js';
|
|
7
|
+
import { loadPolicy } from './loader.js';
|
|
8
|
+
import { validatePolicy } from './validator.js';
|
|
9
|
+
function expandHome(p) {
|
|
10
|
+
return p.replace(/^~(?=\/|$)/, homedir());
|
|
11
|
+
}
|
|
12
|
+
function normalizePathForPrefix(p) {
|
|
13
|
+
return path.resolve(expandHome(p));
|
|
14
|
+
}
|
|
15
|
+
export class PolicyEngine {
|
|
16
|
+
config;
|
|
17
|
+
policy;
|
|
18
|
+
forbiddenPathGuard;
|
|
19
|
+
egressGuard;
|
|
20
|
+
secretLeakGuard;
|
|
21
|
+
patchIntegrityGuard;
|
|
22
|
+
threatIntelEngine;
|
|
23
|
+
constructor(config = {}) {
|
|
24
|
+
this.config = mergeConfig(config);
|
|
25
|
+
this.policy = loadPolicy(this.config.policy);
|
|
26
|
+
this.forbiddenPathGuard = new ForbiddenPathGuard();
|
|
27
|
+
this.egressGuard = new EgressGuard();
|
|
28
|
+
this.secretLeakGuard = new SecretLeakGuard();
|
|
29
|
+
this.patchIntegrityGuard = new PatchIntegrityGuard();
|
|
30
|
+
this.threatIntelEngine = buildThreatIntelEngine(this.policy);
|
|
31
|
+
}
|
|
32
|
+
enabledGuards() {
|
|
33
|
+
const g = this.config.guards;
|
|
34
|
+
const enabled = [];
|
|
35
|
+
if (g.forbidden_path)
|
|
36
|
+
enabled.push('forbidden_path');
|
|
37
|
+
if (g.egress)
|
|
38
|
+
enabled.push('egress');
|
|
39
|
+
if (g.secret_leak)
|
|
40
|
+
enabled.push('secret_leak');
|
|
41
|
+
if (g.patch_integrity)
|
|
42
|
+
enabled.push('patch_integrity');
|
|
43
|
+
if (g.mcp_tool)
|
|
44
|
+
enabled.push('mcp_tool');
|
|
45
|
+
return enabled;
|
|
46
|
+
}
|
|
47
|
+
getPolicy() {
|
|
48
|
+
return this.policy;
|
|
49
|
+
}
|
|
50
|
+
async lintPolicy(policyRef) {
|
|
51
|
+
try {
|
|
52
|
+
const policy = loadPolicy(policyRef);
|
|
53
|
+
return validatePolicy(policy);
|
|
54
|
+
}
|
|
55
|
+
catch (err) {
|
|
56
|
+
return { valid: false, errors: [String(err)], warnings: [] };
|
|
57
|
+
}
|
|
58
|
+
}
|
|
59
|
+
redactSecrets(content) {
|
|
60
|
+
return this.secretLeakGuard.redact(content);
|
|
61
|
+
}
|
|
62
|
+
sanitizeOutput(content) {
|
|
63
|
+
// 1) Secrets (high-confidence tokens).
|
|
64
|
+
const secretsRedacted = this.secretLeakGuard.redact(content);
|
|
65
|
+
// 2) PII (emails/phones/SSN/CC, etc).
|
|
66
|
+
return sanitizeOutputText(secretsRedacted).sanitized;
|
|
67
|
+
}
|
|
68
|
+
async evaluate(event) {
|
|
69
|
+
const base = this.evaluateDeterministic(event);
|
|
70
|
+
// Fail fast on deterministic violations to avoid unnecessary external calls.
|
|
71
|
+
const baseDenied = base.status === 'deny' || base.denied;
|
|
72
|
+
const baseWarn = base.status === 'warn' || base.warn;
|
|
73
|
+
if (baseDenied || baseWarn) {
|
|
74
|
+
return this.applyMode(base, this.config.mode);
|
|
75
|
+
}
|
|
76
|
+
if (this.threatIntelEngine) {
|
|
77
|
+
const ti = await this.threatIntelEngine.evaluate(toCanonicalEvent(event));
|
|
78
|
+
const tiApplied = this.applyOnViolation(ti);
|
|
79
|
+
const combined = combineDecisions(base, tiApplied);
|
|
80
|
+
return this.applyMode(combined, this.config.mode);
|
|
81
|
+
}
|
|
82
|
+
return this.applyMode(base, this.config.mode);
|
|
83
|
+
}
|
|
84
|
+
applyMode(result, mode) {
|
|
85
|
+
if (mode === 'audit') {
|
|
86
|
+
return { status: 'allow', allowed: true, denied: false, warn: false };
|
|
87
|
+
}
|
|
88
|
+
const isDenied = result.status === 'deny' || result.denied;
|
|
89
|
+
if (mode === 'advisory' && isDenied) {
|
|
90
|
+
return {
|
|
91
|
+
status: 'warn',
|
|
92
|
+
allowed: true,
|
|
93
|
+
denied: false,
|
|
94
|
+
warn: true,
|
|
95
|
+
reason: result.reason,
|
|
96
|
+
guard: result.guard,
|
|
97
|
+
severity: result.severity,
|
|
98
|
+
message: result.reason,
|
|
99
|
+
};
|
|
100
|
+
}
|
|
101
|
+
return result;
|
|
102
|
+
}
|
|
103
|
+
evaluateDeterministic(event) {
|
|
104
|
+
const allowed = { status: 'allow', allowed: true, denied: false, warn: false };
|
|
105
|
+
switch (event.eventType) {
|
|
106
|
+
case 'file_read':
|
|
107
|
+
case 'file_write':
|
|
108
|
+
return this.checkFilesystem(event);
|
|
109
|
+
case 'network_egress':
|
|
110
|
+
return this.checkEgress(event);
|
|
111
|
+
case 'command_exec':
|
|
112
|
+
return this.checkExecution(event);
|
|
113
|
+
case 'tool_call':
|
|
114
|
+
return this.checkToolCall(event);
|
|
115
|
+
case 'patch_apply':
|
|
116
|
+
return this.checkPatch(event);
|
|
117
|
+
default:
|
|
118
|
+
return allowed;
|
|
119
|
+
}
|
|
120
|
+
}
|
|
121
|
+
checkFilesystem(event) {
|
|
122
|
+
if (!this.config.guards.forbidden_path) {
|
|
123
|
+
return { status: 'allow', allowed: true, denied: false, warn: false };
|
|
124
|
+
}
|
|
125
|
+
// First, enforce forbidden path patterns.
|
|
126
|
+
const forbidden = this.forbiddenPathGuard.checkSync(event, this.policy);
|
|
127
|
+
const mapped = this.guardResultToDecision(forbidden);
|
|
128
|
+
const mappedDenied = mapped.status === 'deny' || mapped.denied;
|
|
129
|
+
const mappedWarn = mapped.status === 'warn' || mapped.warn;
|
|
130
|
+
if (mappedDenied || mappedWarn) {
|
|
131
|
+
return this.applyOnViolation(mapped);
|
|
132
|
+
}
|
|
133
|
+
// Then, enforce write roots if configured.
|
|
134
|
+
if (event.eventType === 'file_write' && event.data.type === 'file') {
|
|
135
|
+
const allowedWriteRoots = this.policy.filesystem?.allowed_write_roots;
|
|
136
|
+
if (allowedWriteRoots && allowedWriteRoots.length > 0) {
|
|
137
|
+
const filePath = normalizePathForPrefix(event.data.path);
|
|
138
|
+
const ok = allowedWriteRoots.some((root) => {
|
|
139
|
+
const rootPath = normalizePathForPrefix(root);
|
|
140
|
+
return filePath === rootPath || filePath.startsWith(rootPath + path.sep);
|
|
141
|
+
});
|
|
142
|
+
if (!ok) {
|
|
143
|
+
return this.applyOnViolation({
|
|
144
|
+
status: 'deny',
|
|
145
|
+
allowed: false,
|
|
146
|
+
denied: true,
|
|
147
|
+
warn: false,
|
|
148
|
+
reason: 'Write path not in allowed roots',
|
|
149
|
+
guard: 'forbidden_path',
|
|
150
|
+
severity: 'high',
|
|
151
|
+
});
|
|
152
|
+
}
|
|
153
|
+
}
|
|
154
|
+
}
|
|
155
|
+
return { status: 'allow', allowed: true, denied: false, warn: false };
|
|
156
|
+
}
|
|
157
|
+
checkEgress(event) {
|
|
158
|
+
if (!this.config.guards.egress) {
|
|
159
|
+
return { status: 'allow', allowed: true, denied: false, warn: false };
|
|
160
|
+
}
|
|
161
|
+
const res = this.egressGuard.checkSync(event, this.policy);
|
|
162
|
+
const mapped = this.guardResultToDecision(res);
|
|
163
|
+
return this.applyOnViolation(mapped);
|
|
164
|
+
}
|
|
165
|
+
checkExecution(event) {
|
|
166
|
+
if (!this.config.guards.patch_integrity) {
|
|
167
|
+
return { status: 'allow', allowed: true, denied: false, warn: false };
|
|
168
|
+
}
|
|
169
|
+
const res = this.patchIntegrityGuard.checkSync(event, this.policy);
|
|
170
|
+
const mapped = this.guardResultToDecision(res);
|
|
171
|
+
return this.applyOnViolation(mapped);
|
|
172
|
+
}
|
|
173
|
+
checkToolCall(event) {
|
|
174
|
+
// Optional tool allow/deny list.
|
|
175
|
+
if (event.data.type === 'tool') {
|
|
176
|
+
const tools = this.policy.tools;
|
|
177
|
+
const toolName = event.data.toolName.toLowerCase();
|
|
178
|
+
const denied = tools?.denied?.map((x) => x.toLowerCase()) ?? [];
|
|
179
|
+
if (denied.includes(toolName)) {
|
|
180
|
+
return this.applyOnViolation({
|
|
181
|
+
status: 'deny',
|
|
182
|
+
allowed: false,
|
|
183
|
+
denied: true,
|
|
184
|
+
warn: false,
|
|
185
|
+
reason: `Tool '${event.data.toolName}' is denied by policy`,
|
|
186
|
+
guard: 'mcp_tool',
|
|
187
|
+
severity: 'high',
|
|
188
|
+
});
|
|
189
|
+
}
|
|
190
|
+
const allowed = tools?.allowed?.map((x) => x.toLowerCase()) ?? [];
|
|
191
|
+
if (allowed.length > 0 && !allowed.includes(toolName)) {
|
|
192
|
+
return this.applyOnViolation({
|
|
193
|
+
status: 'deny',
|
|
194
|
+
allowed: false,
|
|
195
|
+
denied: true,
|
|
196
|
+
warn: false,
|
|
197
|
+
reason: `Tool '${event.data.toolName}' is not in allowed tool list`,
|
|
198
|
+
guard: 'mcp_tool',
|
|
199
|
+
severity: 'high',
|
|
200
|
+
});
|
|
201
|
+
}
|
|
202
|
+
}
|
|
203
|
+
if (!this.config.guards.secret_leak) {
|
|
204
|
+
return { status: 'allow', allowed: true, denied: false, warn: false };
|
|
205
|
+
}
|
|
206
|
+
const res = this.secretLeakGuard.checkSync(event, this.policy);
|
|
207
|
+
const mapped = this.guardResultToDecision(res);
|
|
208
|
+
return this.applyOnViolation(mapped);
|
|
209
|
+
}
|
|
210
|
+
checkPatch(event) {
|
|
211
|
+
if (this.config.guards.patch_integrity) {
|
|
212
|
+
const r1 = this.patchIntegrityGuard.checkSync(event, this.policy);
|
|
213
|
+
const mapped1 = this.guardResultToDecision(r1);
|
|
214
|
+
const applied1 = this.applyOnViolation(mapped1);
|
|
215
|
+
const applied1Denied = applied1.status === 'deny' || applied1.denied;
|
|
216
|
+
const applied1Warn = applied1.status === 'warn' || applied1.warn;
|
|
217
|
+
if (applied1Denied || applied1Warn)
|
|
218
|
+
return applied1;
|
|
219
|
+
}
|
|
220
|
+
if (this.config.guards.secret_leak) {
|
|
221
|
+
const r2 = this.secretLeakGuard.checkSync(event, this.policy);
|
|
222
|
+
const mapped2 = this.guardResultToDecision(r2);
|
|
223
|
+
const applied2 = this.applyOnViolation(mapped2);
|
|
224
|
+
const applied2Denied = applied2.status === 'deny' || applied2.denied;
|
|
225
|
+
const applied2Warn = applied2.status === 'warn' || applied2.warn;
|
|
226
|
+
if (applied2Denied || applied2Warn)
|
|
227
|
+
return applied2;
|
|
228
|
+
}
|
|
229
|
+
return { status: 'allow', allowed: true, denied: false, warn: false };
|
|
230
|
+
}
|
|
231
|
+
applyOnViolation(decision) {
|
|
232
|
+
const action = this.policy.on_violation;
|
|
233
|
+
const isDenied = decision.status === 'deny' || decision.denied;
|
|
234
|
+
if (!isDenied)
|
|
235
|
+
return decision;
|
|
236
|
+
if (action === 'warn') {
|
|
237
|
+
return {
|
|
238
|
+
status: 'warn',
|
|
239
|
+
allowed: true,
|
|
240
|
+
denied: false,
|
|
241
|
+
warn: true,
|
|
242
|
+
reason: decision.reason,
|
|
243
|
+
guard: decision.guard,
|
|
244
|
+
severity: decision.severity,
|
|
245
|
+
message: decision.reason,
|
|
246
|
+
};
|
|
247
|
+
}
|
|
248
|
+
return decision;
|
|
249
|
+
}
|
|
250
|
+
guardResultToDecision(result) {
|
|
251
|
+
if (result.status === 'allow')
|
|
252
|
+
return { status: 'allow', allowed: true, denied: false, warn: false };
|
|
253
|
+
if (result.status === 'warn') {
|
|
254
|
+
return { status: 'warn', allowed: true, denied: false, warn: true, reason: result.reason, guard: result.guard, message: result.reason };
|
|
255
|
+
}
|
|
256
|
+
return { status: 'deny', allowed: false, denied: true, warn: false, reason: result.reason, guard: result.guard, severity: result.severity };
|
|
257
|
+
}
|
|
258
|
+
}
|
|
259
|
+
function buildThreatIntelEngine(policy) {
|
|
260
|
+
const custom = policy.guards?.custom;
|
|
261
|
+
if (!Array.isArray(custom) || custom.length === 0) {
|
|
262
|
+
return null;
|
|
263
|
+
}
|
|
264
|
+
const canonicalPolicy = {
|
|
265
|
+
version: '1.1.0',
|
|
266
|
+
guards: { custom },
|
|
267
|
+
};
|
|
268
|
+
return createPolicyEngineFromPolicy(canonicalPolicy);
|
|
269
|
+
}
|
|
270
|
+
function toCanonicalEvent(event) {
|
|
271
|
+
// OpenClaw events are compatible with adapter-core's PolicyEvent shape. Keep the
|
|
272
|
+
// raw eventId/timestamp/metadata for audit trails.
|
|
273
|
+
return event;
|
|
274
|
+
}
|
|
275
|
+
function combineDecisions(base, next) {
|
|
276
|
+
const nextDenied = next.status === 'deny' || next.denied;
|
|
277
|
+
const nextWarn = next.status === 'warn' || next.warn;
|
|
278
|
+
if (nextDenied || nextWarn)
|
|
279
|
+
return next;
|
|
280
|
+
return base;
|
|
281
|
+
}
|
|
282
|
+
//# sourceMappingURL=engine.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../src/policy/engine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAG7B,OAAO,EAAE,4BAA4B,EAAkC,MAAM,qBAAqB,CAAC;AAEnG,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAE3G,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAC;AAEtE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEhD,SAAS,UAAU,CAAC,CAAS;IAC3B,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,OAAO,EAAE,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,sBAAsB,CAAC,CAAS;IACvC,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,OAAO,YAAY;IACN,MAAM,CAA8B;IACpC,MAAM,CAAS;IACf,kBAAkB,CAAqB;IACvC,WAAW,CAAc;IACzB,eAAe,CAAkB;IACjC,mBAAmB,CAAsB;IACzC,iBAAiB,CAAmC;IAErE,YAAY,SAA4B,EAAE;QACxC,IAAI,CAAC,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;QAClC,IAAI,CAAC,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,kBAAkB,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACnD,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC;QACrC,IAAI,CAAC,eAAe,GAAG,IAAI,eAAe,EAAE,CAAC;QAC7C,IAAI,CAAC,mBAAmB,GAAG,IAAI,mBAAmB,EAAE,CAAC;QACrD,IAAI,CAAC,iBAAiB,GAAG,sBAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC/D,CAAC;IAED,aAAa;QACX,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;QAC7B,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,IAAI,CAAC,CAAC,cAAc;YAAE,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QACrD,IAAI,CAAC,CAAC,MAAM;YAAE,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrC,IAAI,CAAC,CAAC,WAAW;YAAE,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC/C,IAAI,CAAC,CAAC,eAAe;YAAE,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QACvD,IAAI,CAAC,CAAC,QAAQ;YAAE,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACzC,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,SAAiB;QAChC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;YACrC,OAAO,cAAc,CAAC,MAAM,CAAC,CAAC;QAChC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;QAC/D,CAAC;IACH,CAAC;IAED,aAAa,CAAC,OAAe;QAC3B,OAAO,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC9C,CAAC;IAED,cAAc,CAAC,OAAe;QAC5B,uCAAuC;QACvC,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC7D,sCAAsC;QACtC,OAAO,kBAAkB,CAAC,eAAe,CAAC,CAAC,SAAS,CAAC;IACvD,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,KAAkB;QAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,qBAAqB,CAAC,KAAK,CAAC,CAAC;QAE/C,6EAA6E;QAC7E,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,KAAK,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC;QACzD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,KAAK,MAAM,IAAI,IAAI,CAAC,IAAI,CAAC;QACrD,IAAI,UAAU,IAAI,QAAQ,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAChD,CAAC;QAED,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC3B,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC,CAAC;YAC1E,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,CAAC,EAAc,CAAC,CAAC;YACxD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;YACnD,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACpD,CAAC;QAED,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAChD,CAAC;IAEO,SAAS,CAAC,MAAgB,EAAE,IAAoB;QACtD,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;YACrB,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QACxE,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,KAAK,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC;QAC3D,IAAI,IAAI,KAAK,UAAU,IAAI,QAAQ,EAAE,CAAC;YACpC,OAAO;gBACL,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,IAAI;gBACV,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,OAAO,EAAE,MAAM,CAAC,MAAM;aACvB,CAAC;QACJ,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,qBAAqB,CAAC,KAAkB;QAC9C,MAAM,OAAO,GAAa,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAEzF,QAAQ,KAAK,CAAC,SAAS,EAAE,CAAC;YACxB,KAAK,WAAW,CAAC;YACjB,KAAK,YAAY;gBACf,OAAO,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;YACrC,KAAK,gBAAgB;gBACnB,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YACjC,KAAK,cAAc;gBACjB,OAAO,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;YACpC,KAAK,WAAW;gBACd,OAAO,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;YACnC,KAAK,aAAa;gBAChB,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YAChC;gBACE,OAAO,OAAO,CAAC;QACnB,CAAC;IACH,CAAC;IAEO,eAAe,CAAC,KAAkB;QACxC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YACvC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QACxE,CAAC;QAED,0CAA0C;QAC1C,MAAM,SAAS,GAAG,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QACxE,MAAM,MAAM,GAAG,IAAI,CAAC,qBAAqB,CAAC,SAAS,CAAC,CAAC;QACrD,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,KAAK,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC;QAC/D,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,KAAK,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC;QAC3D,IAAI,YAAY,IAAI,UAAU,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;QACvC,CAAC;QAED,2CAA2C;QAC3C,IAAI,KAAK,CAAC,SAAS,KAAK,YAAY,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YACnE,MAAM,iBAAiB,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,mBAAmB,CAAC;YACtE,IAAI,iBAAiB,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtD,MAAM,QAAQ,GAAG,sBAAsB,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACzD,MAAM,EAAE,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;oBACzC,MAAM,QAAQ,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;oBAC9C,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,UAAU,CAAC,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC3E,CAAC,CAAC,CAAC;gBACH,IAAI,CAAC,EAAE,EAAE,CAAC;oBACR,OAAO,IAAI,CAAC,gBAAgB,CAAC;wBAC3B,MAAM,EAAE,MAAM;wBACd,OAAO,EAAE,KAAK;wBACd,MAAM,EAAE,IAAI;wBACZ,IAAI,EAAE,KAAK;wBACX,MAAM,EAAE,iCAAiC;wBACzC,KAAK,EAAE,gBAAgB;wBACvB,QAAQ,EAAE,MAAM;qBACjB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IACxE,CAAC;IAEO,WAAW,CAAC,KAAkB;QACpC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YAC/B,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QACxE,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACvC,CAAC;IAEO,cAAc,CAAC,KAAkB;QACvC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;YACxC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QACxE,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,mBAAmB,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QACnE,MAAM,MAAM,GAAG,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACvC,CAAC;IAEO,aAAa,CAAC,KAAkB;QACtC,iCAAiC;QACjC,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;YAChC,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;YAEnD,MAAM,MAAM,GAAG,KAAK,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;YAChE,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC9B,OAAO,IAAI,CAAC,gBAAgB,CAAC;oBAC3B,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,IAAI;oBACZ,IAAI,EAAE,KAAK;oBACX,MAAM,EAAE,SAAS,KAAK,CAAC,IAAI,CAAC,QAAQ,uBAAuB;oBAC3D,KAAK,EAAE,UAAU;oBACjB,QAAQ,EAAE,MAAM;iBACjB,CAAC,CAAC;YACL,CAAC;YAED,MAAM,OAAO,GAAG,KAAK,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;YAClE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACtD,OAAO,IAAI,CAAC,gBAAgB,CAAC;oBAC3B,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,IAAI;oBACZ,IAAI,EAAE,KAAK;oBACX,MAAM,EAAE,SAAS,KAAK,CAAC,IAAI,CAAC,QAAQ,+BAA+B;oBACnE,KAAK,EAAE,UAAU;oBACjB,QAAQ,EAAE,MAAM;iBACjB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YACpC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QACxE,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACvC,CAAC;IAEO,UAAU,CAAC,KAAkB;QACnC,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;YACvC,MAAM,EAAE,GAAG,IAAI,CAAC,mBAAmB,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;YAClE,MAAM,OAAO,GAAG,IAAI,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;YAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;YAChD,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,KAAK,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC;YACrE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,KAAK,MAAM,IAAI,QAAQ,CAAC,IAAI,CAAC;YACjE,IAAI,cAAc,IAAI,YAAY;gBAAE,OAAO,QAAQ,CAAC;QACtD,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YACnC,MAAM,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;YAC9D,MAAM,OAAO,GAAG,IAAI,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;YAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;YAChD,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,KAAK,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC;YACrE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,KAAK,MAAM,IAAI,QAAQ,CAAC,IAAI,CAAC;YACjE,IAAI,cAAc,IAAI,YAAY;gBAAE,OAAO,QAAQ,CAAC;QACtD,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IACxE,CAAC;IAEO,gBAAgB,CAAC,QAAkB;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;QACxC,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,KAAK,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC;QAC/D,IAAI,CAAC,QAAQ;YAAE,OAAO,QAAQ,CAAC;QAE/B,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,OAAO;gBACL,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,IAAI;gBACV,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,KAAK,EAAE,QAAQ,CAAC,KAAK;gBACrB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;gBAC3B,OAAO,EAAE,QAAQ,CAAC,MAAM;aACzB,CAAC;QACJ,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,qBAAqB,CAAC,MAA6F;QACzH,IAAI,MAAM,CAAC,MAAM,KAAK,OAAO;YAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QACrG,IAAI,MAAM,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC7B,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;QAC1I,CAAC;QACD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC;IAC9I,CAAC;CACF;AAED,SAAS,sBAAsB,CAAC,MAAc;IAC5C,MAAM,MAAM,GAAI,MAAM,CAAC,MAAc,EAAE,MAAM,CAAC;IAC9C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,eAAe,GAAoB;QACvC,OAAO,EAAE,OAAO;QAChB,MAAM,EAAE,EAAE,MAAM,EAAE;KACnB,CAAC;IAEF,OAAO,4BAA4B,CAAC,eAAsB,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAkB;IAC1C,iFAAiF;IACjF,mDAAmD;IACnD,OAAO,KAAwC,CAAC;AAClD,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAc,EAAE,IAAc;IACtD,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,KAAK,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC;IACzD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,KAAK,MAAM,IAAI,IAAI,CAAC,IAAI,CAAC;IACrD,IAAI,UAAU,IAAI,QAAQ;QAAE,OAAO,IAAI,CAAC;IACxC,OAAO,IAAI,CAAC;AACd,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC"}
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
import type { Policy } from '../types.js';
|
|
2
|
+
export declare class PolicyLoadError extends Error {
|
|
3
|
+
readonly cause?: unknown;
|
|
4
|
+
constructor(message: string, opts?: {
|
|
5
|
+
cause?: unknown;
|
|
6
|
+
});
|
|
7
|
+
}
|
|
8
|
+
export declare function loadPolicyFromString(content: string): Policy;
|
|
9
|
+
export declare function loadPolicy(ref: string): Policy;
|
|
10
|
+
//# sourceMappingURL=loader.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../src/policy/loader.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAO1C,qBAAa,eAAgB,SAAQ,KAAK;IACxC,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;gBAEb,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAKxD;AAmCD,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAkB5D;AAuHD,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAM9C"}
|