@clawdstrike/openclaw 0.1.2 → 0.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +88 -3
- package/dist/audit/adapter-logger.d.ts +3 -3
- package/dist/audit/adapter-logger.d.ts.map +1 -1
- package/dist/audit/adapter-logger.js +3 -3
- package/dist/audit/adapter-logger.js.map +1 -1
- package/dist/audit/store.d.ts +2 -2
- package/dist/audit/store.d.ts.map +1 -1
- package/dist/audit/store.js +13 -13
- package/dist/audit/store.js.map +1 -1
- package/dist/classification.d.ts +2 -2
- package/dist/classification.d.ts.map +1 -1
- package/dist/classification.js +96 -28
- package/dist/classification.js.map +1 -1
- package/dist/cli/bin.js +1 -1
- package/dist/cli/commands/audit.d.ts.map +1 -1
- package/dist/cli/commands/audit.js +29 -29
- package/dist/cli/commands/audit.js.map +1 -1
- package/dist/cli/commands/policy.d.ts.map +1 -1
- package/dist/cli/commands/policy.js +33 -33
- package/dist/cli/commands/policy.js.map +1 -1
- package/dist/cli/index.d.ts +1 -1
- package/dist/cli/index.d.ts.map +1 -1
- package/dist/cli/index.js +45 -56
- package/dist/cli/index.js.map +1 -1
- package/dist/config.d.ts +1 -1
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +9 -9
- package/dist/config.js.map +1 -1
- package/dist/e2e/openclaw-e2e.js +58 -49
- package/dist/e2e/openclaw-e2e.js.map +1 -1
- package/dist/engine-holder.d.ts +2 -2
- package/dist/engine-holder.js +1 -1
- package/dist/guards/egress.d.ts +2 -2
- package/dist/guards/egress.d.ts.map +1 -1
- package/dist/guards/egress.js +71 -73
- package/dist/guards/egress.js.map +1 -1
- package/dist/guards/forbidden-path.d.ts +2 -2
- package/dist/guards/forbidden-path.d.ts.map +1 -1
- package/dist/guards/forbidden-path.js +41 -43
- package/dist/guards/forbidden-path.js.map +1 -1
- package/dist/guards/index.d.ts +6 -6
- package/dist/guards/index.d.ts.map +1 -1
- package/dist/guards/index.js +5 -5
- package/dist/guards/index.js.map +1 -1
- package/dist/guards/patch-integrity.d.ts +2 -2
- package/dist/guards/patch-integrity.d.ts.map +1 -1
- package/dist/guards/patch-integrity.js +69 -70
- package/dist/guards/patch-integrity.js.map +1 -1
- package/dist/guards/secret-leak.d.ts +2 -2
- package/dist/guards/secret-leak.d.ts.map +1 -1
- package/dist/guards/secret-leak.js +81 -82
- package/dist/guards/secret-leak.js.map +1 -1
- package/dist/guards/types.d.ts +2 -2
- package/dist/guards/types.d.ts.map +1 -1
- package/dist/guards/types.js +4 -4
- package/dist/guards/types.js.map +1 -1
- package/dist/hooks/agent-bootstrap/handler.d.ts +1 -1
- package/dist/hooks/agent-bootstrap/handler.d.ts.map +1 -1
- package/dist/hooks/agent-bootstrap/handler.js +5 -5
- package/dist/hooks/agent-bootstrap/handler.js.map +1 -1
- package/dist/hooks/approval-state.d.ts +1 -1
- package/dist/hooks/approval-state.d.ts.map +1 -1
- package/dist/hooks/approval-state.js +15 -15
- package/dist/hooks/approval-state.js.map +1 -1
- package/dist/hooks/approval-utils.d.ts +1 -1
- package/dist/hooks/approval-utils.d.ts.map +1 -1
- package/dist/hooks/approval-utils.js +41 -20
- package/dist/hooks/approval-utils.js.map +1 -1
- package/dist/hooks/audit-logger/handler.d.ts +1 -1
- package/dist/hooks/audit-logger/handler.d.ts.map +1 -1
- package/dist/hooks/audit-logger/handler.js +9 -9
- package/dist/hooks/audit-logger/handler.js.map +1 -1
- package/dist/hooks/cua-bridge/handler.d.ts +4 -4
- package/dist/hooks/cua-bridge/handler.d.ts.map +1 -1
- package/dist/hooks/cua-bridge/handler.js +85 -70
- package/dist/hooks/cua-bridge/handler.js.map +1 -1
- package/dist/hooks/tool-guard/handler.d.ts +1 -1
- package/dist/hooks/tool-guard/handler.d.ts.map +1 -1
- package/dist/hooks/tool-guard/handler.js +112 -101
- package/dist/hooks/tool-guard/handler.js.map +1 -1
- package/dist/hooks/tool-preflight/handler.d.ts +2 -2
- package/dist/hooks/tool-preflight/handler.d.ts.map +1 -1
- package/dist/hooks/tool-preflight/handler.js +115 -91
- package/dist/hooks/tool-preflight/handler.js.map +1 -1
- package/dist/index.d.ts +16 -16
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +18 -18
- package/dist/index.js.map +1 -1
- package/dist/openclaw-adapter.d.ts +2 -2
- package/dist/openclaw-adapter.d.ts.map +1 -1
- package/dist/openclaw-adapter.js +4 -4
- package/dist/openclaw-adapter.js.map +1 -1
- package/dist/plugin.d.ts.map +1 -1
- package/dist/plugin.js +39 -40
- package/dist/plugin.js.map +1 -1
- package/dist/policy/engine.d.ts +1 -1
- package/dist/policy/engine.d.ts.map +1 -1
- package/dist/policy/engine.js +237 -221
- package/dist/policy/engine.js.map +1 -1
- package/dist/policy/index.d.ts +3 -3
- package/dist/policy/index.d.ts.map +1 -1
- package/dist/policy/index.js +3 -3
- package/dist/policy/index.js.map +1 -1
- package/dist/policy/loader.d.ts +1 -1
- package/dist/policy/loader.d.ts.map +1 -1
- package/dist/policy/loader.js +76 -63
- package/dist/policy/loader.js.map +1 -1
- package/dist/policy/validator.d.ts +1 -1
- package/dist/policy/validator.d.ts.map +1 -1
- package/dist/policy/validator.js +158 -151
- package/dist/policy/validator.js.map +1 -1
- package/dist/receipt/signer.d.ts +2 -2
- package/dist/receipt/signer.d.ts.map +1 -1
- package/dist/receipt/signer.js +12 -12
- package/dist/receipt/signer.js.map +1 -1
- package/dist/receipt/types.d.ts +2 -2
- package/dist/receipt/types.d.ts.map +1 -1
- package/dist/sanitizer/output-sanitizer.d.ts +1 -1
- package/dist/sanitizer/output-sanitizer.d.ts.map +1 -1
- package/dist/sanitizer/output-sanitizer.js +8 -8
- package/dist/sanitizer/output-sanitizer.js.map +1 -1
- package/dist/security-prompt.d.ts +1 -1
- package/dist/security-prompt.d.ts.map +1 -1
- package/dist/security-prompt.js +16 -12
- package/dist/security-prompt.js.map +1 -1
- package/dist/tools/policy-check.d.ts +3 -3
- package/dist/tools/policy-check.d.ts.map +1 -1
- package/dist/tools/policy-check.js +60 -52
- package/dist/tools/policy-check.js.map +1 -1
- package/dist/translator/openclaw-translator.d.ts +1 -1
- package/dist/translator/openclaw-translator.d.ts.map +1 -1
- package/dist/translator/openclaw-translator.js +100 -80
- package/dist/translator/openclaw-translator.js.map +1 -1
- package/dist/types.d.ts +11 -13
- package/dist/types.d.ts.map +1 -1
- package/package.json +9 -4
package/README.md
CHANGED
|
@@ -1,9 +1,94 @@
|
|
|
1
1
|
# @clawdstrike/openclaw
|
|
2
2
|
|
|
3
|
-
Clawdstrike security plugin for OpenClaw.
|
|
3
|
+
Clawdstrike security plugin for OpenClaw. Provides tool-layer guardrails (preflight policy checks + post-action output blocking/redaction) for AI agents running in OpenClaw.
|
|
4
4
|
|
|
5
5
|
See [Enforcement Tiers & Integration Contract](https://github.com/backbay-labs/clawdstrike/blob/main/docs/src/concepts/enforcement-tiers.md) for what is enforceable at the tool boundary (and what requires a sandbox/broker).
|
|
6
6
|
|
|
7
|
-
##
|
|
7
|
+
## Installation
|
|
8
8
|
|
|
9
|
-
|
|
9
|
+
```bash
|
|
10
|
+
npm install @clawdstrike/openclaw
|
|
11
|
+
```
|
|
12
|
+
|
|
13
|
+
## Getting Started
|
|
14
|
+
|
|
15
|
+
See the [OpenClaw adapter getting-started guide](https://github.com/backbay-labs/clawdstrike/blob/main/packages/adapters/clawdstrike-openclaw/docs/getting-started.md) for full setup instructions.
|
|
16
|
+
|
|
17
|
+
## Usage
|
|
18
|
+
|
|
19
|
+
### FrameworkAdapter API
|
|
20
|
+
|
|
21
|
+
```ts
|
|
22
|
+
import { OpenClawAdapter, PolicyEngine } from '@clawdstrike/openclaw';
|
|
23
|
+
|
|
24
|
+
const engine = new PolicyEngine({ policy: 'strict' });
|
|
25
|
+
const adapter = new OpenClawAdapter(engine);
|
|
26
|
+
|
|
27
|
+
const ctx = adapter.createContext({ userId: 'user-1' });
|
|
28
|
+
const result = await adapter.interceptToolCall(ctx, {
|
|
29
|
+
name: 'bash',
|
|
30
|
+
parameters: { cmd: 'echo hello' },
|
|
31
|
+
});
|
|
32
|
+
|
|
33
|
+
if (!result.proceed) {
|
|
34
|
+
console.error('Blocked:', result.decision.message);
|
|
35
|
+
}
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
### Policy checking
|
|
39
|
+
|
|
40
|
+
```ts
|
|
41
|
+
import { checkPolicy } from '@clawdstrike/openclaw';
|
|
42
|
+
import type { ClawdstrikeConfig } from '@clawdstrike/openclaw';
|
|
43
|
+
|
|
44
|
+
const config: ClawdstrikeConfig = { policy: 'default' };
|
|
45
|
+
const decision = await checkPolicy(config, 'file_read', '~/.ssh/id_rsa');
|
|
46
|
+
console.log(decision.status); // "deny"
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
### OpenClaw plugin hooks
|
|
50
|
+
|
|
51
|
+
The package exports hook handlers for direct OpenClaw integration:
|
|
52
|
+
|
|
53
|
+
- `agentBootstrapHandler` -- Injects security prompt at session start
|
|
54
|
+
- `toolPreflightHandler` -- Preflight policy check before tool execution
|
|
55
|
+
- `cuaBridgeHandler` -- Computer-use agent bridge with CUA-specific checks
|
|
56
|
+
|
|
57
|
+
### CLI
|
|
58
|
+
|
|
59
|
+
```bash
|
|
60
|
+
# Installed via the bin entry
|
|
61
|
+
clawdstrike policy lint ./policy.yaml
|
|
62
|
+
clawdstrike audit query --denied
|
|
63
|
+
clawdstrike audit export ./audit-dump.jsonl
|
|
64
|
+
clawdstrike why <event-id>
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
## Development Testing
|
|
68
|
+
|
|
69
|
+
When running this package from the monorepo workspace, build local package dependencies first:
|
|
70
|
+
|
|
71
|
+
```bash
|
|
72
|
+
bun --cwd packages/adapters/clawdstrike-openclaw run test:workspace
|
|
73
|
+
bun --cwd packages/adapters/clawdstrike-openclaw run typecheck:workspace
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
These commands build `@clawdstrike/policy` and `@clawdstrike/adapter-core` before running tests/typecheck.
|
|
77
|
+
|
|
78
|
+
## API Overview
|
|
79
|
+
|
|
80
|
+
| Export | Description |
|
|
81
|
+
|--------|-------------|
|
|
82
|
+
| `PolicyEngine` | Core policy evaluation engine |
|
|
83
|
+
| `OpenClawAdapter` | Standard `FrameworkAdapter` implementation |
|
|
84
|
+
| `loadPolicy` / `validatePolicy` | Policy loading and validation |
|
|
85
|
+
| `checkPolicy` / `policyCheckTool` | Policy check utilities |
|
|
86
|
+
| `AuditStore` / `OpenClawAuditLogger` | Audit event storage and logging |
|
|
87
|
+
| `ReceiptSigner` | Decision receipt signing |
|
|
88
|
+
| `generateSecurityPrompt` | Security system prompt generation |
|
|
89
|
+
| `openclawTranslator` | OpenClaw config translation |
|
|
90
|
+
| `registerCli` / `createCli` | CLI registration helpers |
|
|
91
|
+
|
|
92
|
+
## License
|
|
93
|
+
|
|
94
|
+
Apache-2.0
|
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import type { AuditEvent, AuditLogger } from
|
|
2
|
-
import type { AuditStore } from
|
|
1
|
+
import type { AuditEvent, AuditLogger } from "@clawdstrike/adapter-core";
|
|
2
|
+
import type { AuditStore } from "./store.js";
|
|
3
3
|
export interface OpenClawAuditLoggerOptions {
|
|
4
4
|
store?: AuditStore;
|
|
5
5
|
maxEvents?: number;
|
|
@@ -18,7 +18,7 @@ export declare class OpenClawAuditLogger implements AuditLogger {
|
|
|
18
18
|
log(event: AuditEvent): Promise<void>;
|
|
19
19
|
getSessionEvents(sessionId: string): Promise<AuditEvent[]>;
|
|
20
20
|
getContextEvents(contextId: string): Promise<AuditEvent[]>;
|
|
21
|
-
export(format:
|
|
21
|
+
export(format: "json" | "csv" | "jsonl"): Promise<string>;
|
|
22
22
|
prune(olderThan: Date): Promise<number>;
|
|
23
23
|
}
|
|
24
24
|
//# sourceMappingURL=adapter-logger.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"adapter-logger.d.ts","sourceRoot":"","sources":["../../src/audit/adapter-logger.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"adapter-logger.d.ts","sourceRoot":"","sources":["../../src/audit/adapter-logger.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAGzE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,MAAM,WAAW,0BAA0B;IACzC,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;GAMG;AACH,qBAAa,mBAAoB,YAAW,WAAW;IACrD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAsB;IAC7C,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAyB;gBAEnC,OAAO,GAAE,0BAA+B;IAK9C,GAAG,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;IAerC,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAI1D,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAI1D,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,KAAK,GAAG,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;IAIzD,KAAK,CAAC,SAAS,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC;CAG9C"}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { InMemoryAuditLogger } from
|
|
1
|
+
import { InMemoryAuditLogger } from "@clawdstrike/adapter-core";
|
|
2
2
|
/**
|
|
3
3
|
* OpenClawAuditLogger bridges the adapter-core `AuditLogger` interface with
|
|
4
4
|
* openclaw's existing `AuditStore` JSONL persistence layer.
|
|
@@ -18,8 +18,8 @@ export class OpenClawAuditLogger {
|
|
|
18
18
|
if (this.store) {
|
|
19
19
|
this.store.append({
|
|
20
20
|
type: event.type,
|
|
21
|
-
resource: event.toolName ??
|
|
22
|
-
decision: event.decision?.status ===
|
|
21
|
+
resource: event.toolName ?? "",
|
|
22
|
+
decision: event.decision?.status === "deny" ? "denied" : "allowed",
|
|
23
23
|
guard: event.decision?.guard,
|
|
24
24
|
reason: event.decision?.reason ?? event.decision?.message,
|
|
25
25
|
runId: event.sessionId,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"adapter-logger.js","sourceRoot":"","sources":["../../src/audit/adapter-logger.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"adapter-logger.js","sourceRoot":"","sources":["../../src/audit/adapter-logger.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAShE;;;;;;GAMG;AACH,MAAM,OAAO,mBAAmB;IACb,MAAM,CAAsB;IAC5B,KAAK,CAAyB;IAE/C,YAAY,UAAsC,EAAE;QAClD,IAAI,CAAC,MAAM,GAAG,IAAI,mBAAmB,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACzD,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,KAAiB;QACzB,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAE7B,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;gBAChB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,EAAE;gBAC9B,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;gBAClE,KAAK,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK;gBAC5B,MAAM,EAAE,KAAK,CAAC,QAAQ,EAAE,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,OAAO;gBACzD,KAAK,EAAE,KAAK,CAAC,SAAS;aACvB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,SAAiB;QACtC,OAAO,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,SAAiB;QACtC,OAAO,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,MAAgC;QAC3C,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,SAAe;QACzB,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACtC,CAAC;CACF"}
|
package/dist/audit/store.d.ts
CHANGED
|
@@ -3,7 +3,7 @@ export interface AuditEvent {
|
|
|
3
3
|
timestamp: number;
|
|
4
4
|
type: string;
|
|
5
5
|
resource: string;
|
|
6
|
-
decision:
|
|
6
|
+
decision: "allowed" | "denied";
|
|
7
7
|
guard?: string;
|
|
8
8
|
reason?: string;
|
|
9
9
|
runId?: string;
|
|
@@ -13,7 +13,7 @@ export declare class AuditStore {
|
|
|
13
13
|
private events;
|
|
14
14
|
constructor(path?: string);
|
|
15
15
|
private load;
|
|
16
|
-
append(event: Omit<AuditEvent,
|
|
16
|
+
append(event: Omit<AuditEvent, "id" | "timestamp">): AuditEvent;
|
|
17
17
|
query(options?: {
|
|
18
18
|
since?: number;
|
|
19
19
|
guard?: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../src/audit/store.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,SAAS,GAAG,QAAQ,CAAC;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,UAAU;IACrB,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,MAAM,CAAoB;gBAEtB,IAAI,GAAE,MAA4B;IAK9C,OAAO,CAAC,IAAI;IAUZ,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,GAAG,WAAW,CAAC,GAAG,UAAU;IAiB/D,KAAK,
|
|
1
|
+
{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../src/audit/store.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,SAAS,GAAG,QAAQ,CAAC;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,UAAU;IACrB,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,MAAM,CAAoB;gBAEtB,IAAI,GAAE,MAA4B;IAK9C,OAAO,CAAC,IAAI;IAUZ,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,GAAG,WAAW,CAAC,GAAG,UAAU;IAiB/D,KAAK,CACH,OAAO,GAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAO,GACjF,UAAU,EAAE;IAmBf,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS;IAI3C,KAAK,IAAI,IAAI;CAMd"}
|
package/dist/audit/store.js
CHANGED
|
@@ -1,19 +1,19 @@
|
|
|
1
|
-
import {
|
|
2
|
-
import { dirname } from
|
|
1
|
+
import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
|
|
2
|
+
import { dirname } from "path";
|
|
3
3
|
export class AuditStore {
|
|
4
4
|
path;
|
|
5
5
|
events = [];
|
|
6
|
-
constructor(path =
|
|
6
|
+
constructor(path = ".hush/audit.jsonl") {
|
|
7
7
|
this.path = path;
|
|
8
8
|
this.load();
|
|
9
9
|
}
|
|
10
10
|
load() {
|
|
11
11
|
if (existsSync(this.path)) {
|
|
12
|
-
const content = readFileSync(this.path,
|
|
12
|
+
const content = readFileSync(this.path, "utf-8");
|
|
13
13
|
this.events = content
|
|
14
|
-
.split(
|
|
15
|
-
.filter(line => line.trim())
|
|
16
|
-
.map(line => JSON.parse(line));
|
|
14
|
+
.split("\n")
|
|
15
|
+
.filter((line) => line.trim())
|
|
16
|
+
.map((line) => JSON.parse(line));
|
|
17
17
|
}
|
|
18
18
|
}
|
|
19
19
|
append(event) {
|
|
@@ -27,19 +27,19 @@ export class AuditStore {
|
|
|
27
27
|
if (!existsSync(dir)) {
|
|
28
28
|
mkdirSync(dir, { recursive: true });
|
|
29
29
|
}
|
|
30
|
-
writeFileSync(this.path, this.events.map(e => JSON.stringify(e)).join(
|
|
30
|
+
writeFileSync(this.path, this.events.map((e) => JSON.stringify(e)).join("\n") + "\n");
|
|
31
31
|
return fullEvent;
|
|
32
32
|
}
|
|
33
33
|
query(options = {}) {
|
|
34
34
|
let results = [...this.events];
|
|
35
35
|
if (options.since) {
|
|
36
|
-
results = results.filter(e => e.timestamp >= options.since);
|
|
36
|
+
results = results.filter((e) => e.timestamp >= options.since);
|
|
37
37
|
}
|
|
38
38
|
if (options.guard) {
|
|
39
|
-
results = results.filter(e => e.guard === options.guard);
|
|
39
|
+
results = results.filter((e) => e.guard === options.guard);
|
|
40
40
|
}
|
|
41
41
|
if (options.denied) {
|
|
42
|
-
results = results.filter(e => e.decision ===
|
|
42
|
+
results = results.filter((e) => e.decision === "denied");
|
|
43
43
|
}
|
|
44
44
|
if (options.limit) {
|
|
45
45
|
results = results.slice(-options.limit);
|
|
@@ -47,12 +47,12 @@ export class AuditStore {
|
|
|
47
47
|
return results;
|
|
48
48
|
}
|
|
49
49
|
getById(id) {
|
|
50
|
-
return this.events.find(e => e.id === id);
|
|
50
|
+
return this.events.find((e) => e.id === id);
|
|
51
51
|
}
|
|
52
52
|
clear() {
|
|
53
53
|
this.events = [];
|
|
54
54
|
if (existsSync(this.path)) {
|
|
55
|
-
writeFileSync(this.path,
|
|
55
|
+
writeFileSync(this.path, "");
|
|
56
56
|
}
|
|
57
57
|
}
|
|
58
58
|
}
|
package/dist/audit/store.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"store.js","sourceRoot":"","sources":["../../src/audit/store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"store.js","sourceRoot":"","sources":["../../src/audit/store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;AACxE,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAa/B,MAAM,OAAO,UAAU;IACb,IAAI,CAAS;IACb,MAAM,GAAiB,EAAE,CAAC;IAElC,YAAY,OAAe,mBAAmB;QAC5C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAEO,IAAI;QACV,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACjD,IAAI,CAAC,MAAM,GAAG,OAAO;iBAClB,KAAK,CAAC,IAAI,CAAC;iBACX,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;iBAC7B,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAED,MAAM,CAAC,KAA2C;QAChD,MAAM,SAAS,GAAe;YAC5B,GAAG,KAAK;YACR,EAAE,EAAE,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;YACjE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAE5B,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;QACD,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;QAEtF,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,KAAK,CACH,UAAgF,EAAE;QAElF,IAAI,OAAO,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;QAE/B,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,OAAO,CAAC,KAAM,CAAC,CAAC;QACjE,CAAC;QACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,OAAO,CAAC,KAAK,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;QAC3D,CAAC;QACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC1C,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,OAAO,CAAC,EAAU;QAChB,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED,KAAK;QACH,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC;QACjB,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;CACF"}
|
package/dist/classification.d.ts
CHANGED
|
@@ -5,7 +5,7 @@
|
|
|
5
5
|
* and tool-guard hooks. This module is self-contained — it only depends on
|
|
6
6
|
* the EventType type from the package's own types module.
|
|
7
7
|
*/
|
|
8
|
-
import type { EventType } from
|
|
8
|
+
import type { EventType } from "./types.js";
|
|
9
9
|
/** Read-only tokens: if ANY token matches and no destructive token is present, tool is read-only */
|
|
10
10
|
export declare const READ_ONLY_TOKENS: Set<string>;
|
|
11
11
|
/** Destructive tokens: if ANY token matches, tool is destructive */
|
|
@@ -21,7 +21,7 @@ export declare const NETWORK_TOKENS: Set<string>;
|
|
|
21
21
|
* Tokenize a tool name by splitting on common delimiters and camel-case boundaries.
|
|
22
22
|
*/
|
|
23
23
|
export declare function tokenize(toolName: string): string[];
|
|
24
|
-
export type ToolClassification =
|
|
24
|
+
export type ToolClassification = "read_only" | "destructive" | "unknown";
|
|
25
25
|
/**
|
|
26
26
|
* Classify a tool based on its name tokens.
|
|
27
27
|
* - If ANY token is destructive -> destructive
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"classification.d.ts","sourceRoot":"","sources":["../src/classification.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAI5C,oGAAoG;AACpG,eAAO,MAAM,gBAAgB,
|
|
1
|
+
{"version":3,"file":"classification.d.ts","sourceRoot":"","sources":["../src/classification.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAI5C,oGAAoG;AACpG,eAAO,MAAM,gBAAgB,aA0B3B,CAAC;AAEH,oEAAoE;AACpE,eAAO,MAAM,kBAAkB,aAqC7B,CAAC;AAEH,0EAA0E;AAC1E,eAAO,MAAM,qBAAqB,EAAE,aAAa,CAAC;IAAE,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAAC,SAAS,EAAE,SAAS,CAAA;CAAE,CAW9F,CAAC;AAEF,+CAA+C;AAC/C,eAAO,MAAM,cAAc,aAUzB,CAAC;AAIH;;GAEG;AACH,wBAAgB,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CAUnD;AAID,MAAM,MAAM,kBAAkB,GAAG,WAAW,GAAG,aAAa,GAAG,SAAS,CAAC;AAEzE;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,kBAAkB,CAgBjE;AAID;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CA2BzE"}
|
package/dist/classification.js
CHANGED
|
@@ -8,40 +8,108 @@
|
|
|
8
8
|
// ── Token Sets ───────────────────────────────────────────────────────
|
|
9
9
|
/** Read-only tokens: if ANY token matches and no destructive token is present, tool is read-only */
|
|
10
10
|
export const READ_ONLY_TOKENS = new Set([
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
11
|
+
"read",
|
|
12
|
+
"list",
|
|
13
|
+
"get",
|
|
14
|
+
"search",
|
|
15
|
+
"view",
|
|
16
|
+
"show",
|
|
17
|
+
"find",
|
|
18
|
+
"describe",
|
|
19
|
+
"info",
|
|
20
|
+
"status",
|
|
21
|
+
"check",
|
|
22
|
+
"ls",
|
|
23
|
+
"cat",
|
|
24
|
+
"head",
|
|
25
|
+
"tail",
|
|
26
|
+
"which",
|
|
27
|
+
"echo",
|
|
28
|
+
"pwd",
|
|
29
|
+
"env",
|
|
30
|
+
"whoami",
|
|
31
|
+
"hostname",
|
|
32
|
+
"uname",
|
|
33
|
+
"date",
|
|
34
|
+
"glob",
|
|
35
|
+
"grep",
|
|
15
36
|
]);
|
|
16
37
|
/** Destructive tokens: if ANY token matches, tool is destructive */
|
|
17
38
|
export const DESTRUCTIVE_TOKENS = new Set([
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
39
|
+
"write",
|
|
40
|
+
"delete",
|
|
41
|
+
"remove",
|
|
42
|
+
"rm",
|
|
43
|
+
"kill",
|
|
44
|
+
"exec",
|
|
45
|
+
"run",
|
|
46
|
+
"install",
|
|
47
|
+
"uninstall",
|
|
48
|
+
"create",
|
|
49
|
+
"update",
|
|
50
|
+
"modify",
|
|
51
|
+
"patch",
|
|
52
|
+
"put",
|
|
53
|
+
"post",
|
|
54
|
+
"move",
|
|
55
|
+
"mv",
|
|
56
|
+
"rename",
|
|
57
|
+
"chmod",
|
|
58
|
+
"chown",
|
|
59
|
+
"drop",
|
|
60
|
+
"truncate",
|
|
61
|
+
"edit",
|
|
62
|
+
"command",
|
|
63
|
+
"bash",
|
|
64
|
+
"save",
|
|
65
|
+
"overwrite",
|
|
66
|
+
"unlink",
|
|
67
|
+
"terminal",
|
|
68
|
+
"append",
|
|
69
|
+
"replace",
|
|
70
|
+
"deploy",
|
|
71
|
+
"push",
|
|
72
|
+
"send",
|
|
73
|
+
"publish",
|
|
74
|
+
"upload",
|
|
23
75
|
]);
|
|
24
76
|
/** Destructive token-to-event-type mapping for specific policy routing */
|
|
25
77
|
export const DESTRUCTIVE_EVENT_MAP = [
|
|
26
|
-
{
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
78
|
+
{
|
|
79
|
+
tokens: new Set(["write", "edit", "create", "save", "overwrite", "append", "replace"]),
|
|
80
|
+
eventType: "file_write",
|
|
81
|
+
},
|
|
82
|
+
{ tokens: new Set(["delete", "remove", "unlink", "rm"]), eventType: "file_write" },
|
|
83
|
+
{
|
|
84
|
+
tokens: new Set(["shell", "bash", "exec", "command", "terminal", "run"]),
|
|
85
|
+
eventType: "command_exec",
|
|
86
|
+
},
|
|
87
|
+
{ tokens: new Set(["patch", "diff"]), eventType: "patch_apply" },
|
|
30
88
|
];
|
|
31
89
|
/** Network tokens for egress classification */
|
|
32
|
-
export const NETWORK_TOKENS = new Set([
|
|
90
|
+
export const NETWORK_TOKENS = new Set([
|
|
91
|
+
"fetch",
|
|
92
|
+
"http",
|
|
93
|
+
"web",
|
|
94
|
+
"curl",
|
|
95
|
+
"request",
|
|
96
|
+
"api",
|
|
97
|
+
"download",
|
|
98
|
+
"socket",
|
|
99
|
+
"connect",
|
|
100
|
+
]);
|
|
33
101
|
// ── Tokenizer ────────────────────────────────────────────────────────
|
|
34
102
|
/**
|
|
35
103
|
* Tokenize a tool name by splitting on common delimiters and camel-case boundaries.
|
|
36
104
|
*/
|
|
37
105
|
export function tokenize(toolName) {
|
|
38
|
-
return toolName
|
|
106
|
+
return (toolName
|
|
39
107
|
// Split `fooBar` -> `foo Bar`, `HTTPFetch` -> `HTTP Fetch`
|
|
40
|
-
.replace(/([a-z0-9])([A-Z])/g,
|
|
41
|
-
.replace(/([A-Z])([A-Z][a-z])/g,
|
|
108
|
+
.replace(/([a-z0-9])([A-Z])/g, "$1 $2")
|
|
109
|
+
.replace(/([A-Z])([A-Z][a-z])/g, "$1 $2")
|
|
42
110
|
.toLowerCase()
|
|
43
111
|
.split(/[_\-/\s.]+/)
|
|
44
|
-
.filter(Boolean);
|
|
112
|
+
.filter(Boolean));
|
|
45
113
|
}
|
|
46
114
|
/**
|
|
47
115
|
* Classify a tool based on its name tokens.
|
|
@@ -61,10 +129,10 @@ export function classifyTool(tokens) {
|
|
|
61
129
|
}
|
|
62
130
|
}
|
|
63
131
|
if (hasDestructive)
|
|
64
|
-
return
|
|
132
|
+
return "destructive";
|
|
65
133
|
if (hasReadOnly)
|
|
66
|
-
return
|
|
67
|
-
return
|
|
134
|
+
return "read_only";
|
|
135
|
+
return "unknown";
|
|
68
136
|
}
|
|
69
137
|
// ── Event Type Inference (name-only) ─────────────────────────────────
|
|
70
138
|
/**
|
|
@@ -78,22 +146,22 @@ export function classifyTool(tokens) {
|
|
|
78
146
|
export function inferEventTypeFromName(toolName) {
|
|
79
147
|
const tokens = tokenize(toolName);
|
|
80
148
|
const classification = classifyTool(tokens);
|
|
81
|
-
if (classification ===
|
|
149
|
+
if (classification === "read_only") {
|
|
82
150
|
// Read-only tools may still perform network egress (e.g. web_search, http_get).
|
|
83
|
-
if (tokens.some(t => NETWORK_TOKENS.has(t))) {
|
|
84
|
-
return
|
|
151
|
+
if (tokens.some((t) => NETWORK_TOKENS.has(t))) {
|
|
152
|
+
return "network_egress";
|
|
85
153
|
}
|
|
86
|
-
return
|
|
154
|
+
return "file_read";
|
|
87
155
|
}
|
|
88
156
|
// Check specific destructive event types via DESTRUCTIVE_EVENT_MAP.
|
|
89
157
|
for (const { tokens: matchTokens, eventType } of DESTRUCTIVE_EVENT_MAP) {
|
|
90
|
-
if (tokens.some(t => matchTokens.has(t))) {
|
|
158
|
+
if (tokens.some((t) => matchTokens.has(t))) {
|
|
91
159
|
return eventType;
|
|
92
160
|
}
|
|
93
161
|
}
|
|
94
162
|
// Check network tokens.
|
|
95
|
-
if (tokens.some(t => NETWORK_TOKENS.has(t))) {
|
|
96
|
-
return
|
|
163
|
+
if (tokens.some((t) => NETWORK_TOKENS.has(t))) {
|
|
164
|
+
return "network_egress";
|
|
97
165
|
}
|
|
98
166
|
// No confident classification — return null so callers can apply their
|
|
99
167
|
// own fallback logic (e.g. parameter inspection).
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"classification.js","sourceRoot":"","sources":["../src/classification.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,wEAAwE;AAExE,oGAAoG;AACpG,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IACtC,MAAM,
|
|
1
|
+
{"version":3,"file":"classification.js","sourceRoot":"","sources":["../src/classification.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,wEAAwE;AAExE,oGAAoG;AACpG,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IACtC,MAAM;IACN,MAAM;IACN,KAAK;IACL,QAAQ;IACR,MAAM;IACN,MAAM;IACN,MAAM;IACN,UAAU;IACV,MAAM;IACN,QAAQ;IACR,OAAO;IACP,IAAI;IACJ,KAAK;IACL,MAAM;IACN,MAAM;IACN,OAAO;IACP,MAAM;IACN,KAAK;IACL,KAAK;IACL,QAAQ;IACR,UAAU;IACV,OAAO;IACP,MAAM;IACN,MAAM;IACN,MAAM;CACP,CAAC,CAAC;AAEH,oEAAoE;AACpE,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACxC,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,IAAI;IACJ,MAAM;IACN,MAAM;IACN,KAAK;IACL,SAAS;IACT,WAAW;IACX,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,KAAK;IACL,MAAM;IACN,MAAM;IACN,IAAI;IACJ,QAAQ;IACR,OAAO;IACP,OAAO;IACP,MAAM;IACN,UAAU;IACV,MAAM;IACN,SAAS;IACT,MAAM;IACN,MAAM;IACN,WAAW;IACX,QAAQ;IACR,UAAU;IACV,QAAQ;IACR,SAAS;IACT,QAAQ;IACR,MAAM;IACN,MAAM;IACN,SAAS;IACT,QAAQ;CACT,CAAC,CAAC;AAEH,0EAA0E;AAC1E,MAAM,CAAC,MAAM,qBAAqB,GAAiE;IACjG;QACE,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;QACtF,SAAS,EAAE,YAAY;KACxB;IACD,EAAE,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE;IAClF;QACE,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;QACxE,SAAS,EAAE,cAAc;KAC1B;IACD,EAAE,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,EAAE,SAAS,EAAE,aAAa,EAAE;CACjE,CAAC;AAEF,+CAA+C;AAC/C,MAAM,CAAC,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC;IACpC,OAAO;IACP,MAAM;IACN,KAAK;IACL,MAAM;IACN,SAAS;IACT,KAAK;IACL,UAAU;IACV,QAAQ;IACR,SAAS;CACV,CAAC,CAAC;AAEH,wEAAwE;AAExE;;GAEG;AACH,MAAM,UAAU,QAAQ,CAAC,QAAgB;IACvC,OAAO,CACL,QAAQ;QACN,2DAA2D;SAC1D,OAAO,CAAC,oBAAoB,EAAE,OAAO,CAAC;SACtC,OAAO,CAAC,sBAAsB,EAAE,OAAO,CAAC;SACxC,WAAW,EAAE;SACb,KAAK,CAAC,YAAY,CAAC;SACnB,MAAM,CAAC,OAAO,CAAC,CACnB,CAAC;AACJ,CAAC;AAMD;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,MAAgB;IAC3C,IAAI,WAAW,GAAG,KAAK,CAAC;IACxB,IAAI,cAAc,GAAG,KAAK,CAAC;IAE3B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,kBAAkB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAClC,cAAc,GAAG,IAAI,CAAC;QACxB,CAAC;QACD,IAAI,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,WAAW,GAAG,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;IAED,IAAI,cAAc;QAAE,OAAO,aAAa,CAAC;IACzC,IAAI,WAAW;QAAE,OAAO,WAAW,CAAC;IACpC,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,wEAAwE;AAExE;;;;;;;GAOG;AACH,MAAM,UAAU,sBAAsB,CAAC,QAAgB;IACrD,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAClC,MAAM,cAAc,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IAE5C,IAAI,cAAc,KAAK,WAAW,EAAE,CAAC;QACnC,gFAAgF;QAChF,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9C,OAAO,gBAAgB,CAAC;QAC1B,CAAC;QACD,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,oEAAoE;IACpE,KAAK,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,qBAAqB,EAAE,CAAC;QACvE,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3C,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED,wBAAwB;IACxB,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9C,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IAED,uEAAuE;IACvE,kDAAkD;IAClD,OAAO,IAAI,CAAC;AACd,CAAC"}
|
package/dist/cli/bin.js
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/audit.ts"],"names":[],"mappings":"AAGA,UAAU,YAAY;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,cAAc;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,aAAa;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,eAAO,MAAM,aAAa;oBACH,YAAY,GAAQ,OAAO,CAAC,IAAI,CAAC;qBAwC/B,MAAM,YAAW,cAAc,GAAQ,OAAO,CAAC,IAAI,CAAC;
|
|
1
|
+
{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/audit.ts"],"names":[],"mappings":"AAGA,UAAU,YAAY;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,cAAc;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,aAAa;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,eAAO,MAAM,aAAa;oBACH,YAAY,GAAQ,OAAO,CAAC,IAAI,CAAC;qBAwC/B,MAAM,YAAW,cAAc,GAAQ,OAAO,CAAC,IAAI,CAAC;iBA+DxD,MAAM,YAAW,aAAa,GAAQ,OAAO,CAAC,IAAI,CAAC;CAOvE,CAAC"}
|
|
@@ -1,8 +1,8 @@
|
|
|
1
|
-
import { writeFileSync } from
|
|
2
|
-
import { AuditStore } from
|
|
1
|
+
import { writeFileSync } from "fs";
|
|
2
|
+
import { AuditStore } from "../../audit/store.js";
|
|
3
3
|
export const auditCommands = {
|
|
4
4
|
async query(options = {}) {
|
|
5
|
-
const store = new AuditStore(options.auditPath ||
|
|
5
|
+
const store = new AuditStore(options.auditPath || ".hush/audit.jsonl");
|
|
6
6
|
const queryOptions = {
|
|
7
7
|
limit: 50,
|
|
8
8
|
};
|
|
@@ -18,14 +18,14 @@ export const auditCommands = {
|
|
|
18
18
|
}
|
|
19
19
|
const events = store.query(queryOptions);
|
|
20
20
|
if (events.length === 0) {
|
|
21
|
-
console.log(
|
|
21
|
+
console.log("No audit events found");
|
|
22
22
|
return;
|
|
23
23
|
}
|
|
24
|
-
console.log(
|
|
25
|
-
console.log(
|
|
24
|
+
console.log("Audit Events:");
|
|
25
|
+
console.log("=============");
|
|
26
26
|
for (const event of events) {
|
|
27
27
|
const date = new Date(event.timestamp).toISOString();
|
|
28
|
-
const status = event.decision ===
|
|
28
|
+
const status = event.decision === "allowed" ? "ALLOWED" : "DENIED";
|
|
29
29
|
console.log(`\n[${date}] ${event.id}`);
|
|
30
30
|
console.log(` Action: ${event.type}`);
|
|
31
31
|
console.log(` Resource: ${event.resource}`);
|
|
@@ -37,54 +37,54 @@ export const auditCommands = {
|
|
|
37
37
|
}
|
|
38
38
|
},
|
|
39
39
|
async explain(eventId, options = {}) {
|
|
40
|
-
const store = new AuditStore(options.auditPath ||
|
|
40
|
+
const store = new AuditStore(options.auditPath || ".hush/audit.jsonl");
|
|
41
41
|
const event = store.getById(eventId);
|
|
42
42
|
if (!event) {
|
|
43
43
|
console.log(`Event ${eventId} not found`);
|
|
44
44
|
return;
|
|
45
45
|
}
|
|
46
|
-
console.log(
|
|
47
|
-
console.log(
|
|
46
|
+
console.log("Event Details");
|
|
47
|
+
console.log("=============");
|
|
48
48
|
console.log(`\nEvent ID: ${event.id}`);
|
|
49
49
|
console.log(`Timestamp: ${new Date(event.timestamp).toISOString()}`);
|
|
50
50
|
console.log(`Action: ${event.type}`);
|
|
51
51
|
console.log(`Resource: ${event.resource}`);
|
|
52
|
-
console.log(`Decision: ${event.decision ===
|
|
52
|
+
console.log(`Decision: ${event.decision === "allowed" ? "ALLOWED" : "DENIED"}`);
|
|
53
53
|
if (event.guard) {
|
|
54
54
|
console.log(`\nGuard: ${event.guard}`);
|
|
55
55
|
}
|
|
56
56
|
if (event.reason) {
|
|
57
57
|
console.log(`Reason: ${event.reason}`);
|
|
58
58
|
}
|
|
59
|
-
if (event.decision ===
|
|
60
|
-
console.log(
|
|
61
|
-
console.log(
|
|
62
|
-
const guard = (event.guard ||
|
|
63
|
-
if (guard ===
|
|
64
|
-
console.log(
|
|
65
|
-
console.log(
|
|
59
|
+
if (event.decision === "denied") {
|
|
60
|
+
console.log("\nRemediation:");
|
|
61
|
+
console.log("------------");
|
|
62
|
+
const guard = (event.guard || "").trim();
|
|
63
|
+
if (guard === "forbidden_path" || guard === "ForbiddenPathGuard") {
|
|
64
|
+
console.log("This path is protected by the forbidden_path guard.");
|
|
65
|
+
console.log("To allow access, remove it from filesystem.forbidden_paths in your policy.");
|
|
66
66
|
return;
|
|
67
67
|
}
|
|
68
|
-
if (guard ===
|
|
69
|
-
console.log(
|
|
70
|
-
console.log(
|
|
68
|
+
if (guard === "egress" || guard === "EgressAllowlistGuard") {
|
|
69
|
+
console.log("This domain is blocked by the egress policy.");
|
|
70
|
+
console.log("To allow access, add it to egress.allowed_domains (or change egress.mode) in your policy.");
|
|
71
71
|
return;
|
|
72
72
|
}
|
|
73
|
-
if (guard ===
|
|
74
|
-
console.log(
|
|
75
|
-
console.log(
|
|
73
|
+
if (guard === "secret_leak" || guard === "SecretLeakGuard") {
|
|
74
|
+
console.log("Tool output contained a value that looks like a secret.");
|
|
75
|
+
console.log("Remove/redact secrets from tool output or adjust your workflow to avoid printing credentials.");
|
|
76
76
|
return;
|
|
77
77
|
}
|
|
78
|
-
if (guard ===
|
|
79
|
-
console.log(
|
|
80
|
-
console.log(
|
|
78
|
+
if (guard === "patch_integrity" || guard === "PatchIntegrityGuard") {
|
|
79
|
+
console.log("The patch/command matched a dangerous pattern.");
|
|
80
|
+
console.log("Avoid unsafe commands/patterns (e.g., curl|bash, rm -rf /) or update execution.denied_patterns.");
|
|
81
81
|
return;
|
|
82
82
|
}
|
|
83
|
-
console.log(
|
|
83
|
+
console.log("Review your policy configuration to understand why this was blocked.");
|
|
84
84
|
}
|
|
85
85
|
},
|
|
86
86
|
async export(file, options = {}) {
|
|
87
|
-
const store = new AuditStore(options.auditPath ||
|
|
87
|
+
const store = new AuditStore(options.auditPath || ".hush/audit.jsonl");
|
|
88
88
|
const events = store.query({});
|
|
89
89
|
writeFileSync(file, JSON.stringify(events, null, 2));
|
|
90
90
|
console.log(`Exported ${events.length} events to ${file}`);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../../src/cli/commands/audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;AACnC,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAiBlD,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,KAAK,CAAC,KAAK,CAAC,UAAwB,EAAE;QACpC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,SAAS,IAAI,mBAAmB,CAAC,CAAC;QAEvE,MAAM,YAAY,GAAyE;YACzF,KAAK,EAAE,EAAE;SACV,CAAC;QAEF,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC1C,YAAY,CAAC,KAAK,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC;QAC3C,CAAC;QACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,YAAY,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QACrC,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,YAAY,CAAC,MAAM,GAAG,IAAI,CAAC;QAC7B,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAEzC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;YACrC,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAE7B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;YACrD,MAAM,MAAM,GAAG,KAAK,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC;YACnE,OAAO,CAAC,GAAG,CAAC,MAAM,IAAI,KAAK,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;YACvC,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;YACvC,OAAO,CAAC,GAAG,CAAC,eAAe,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC7C,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,EAAE,CAAC,CAAC;YACrC,IAAI,KAAK,CAAC,KAAK;gBAAE,OAAO,CAAC,GAAG,CAAC,YAAY,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YACxD,IAAI,KAAK,CAAC,MAAM;gBAAE,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,OAAe,EAAE,UAA0B,EAAE;QACzD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,SAAS,IAAI,mBAAmB,CAAC,CAAC;QACvE,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAErC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,GAAG,CAAC,SAAS,OAAO,YAAY,CAAC,CAAC;YAC1C,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QACvE,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QAEnF,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAC9C,CAAC;QAED,IAAI,KAAK,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAC5B,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAEzC,IAAI,KAAK,KAAK,gBAAgB,IAAI,KAAK,KAAK,oBAAoB,EAAE,CAAC;gBACjE,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;gBACnE,OAAO,CAAC,GAAG,CAAC,4EAA4E,CAAC,CAAC;gBAC1F,OAAO;YACT,CAAC;YAED,IAAI,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,sBAAsB,EAAE,CAAC;gBAC3D,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;gBAC5D,OAAO,CAAC,GAAG,
|
|
1
|
+
{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../../src/cli/commands/audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;AACnC,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAiBlD,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,KAAK,CAAC,KAAK,CAAC,UAAwB,EAAE;QACpC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,SAAS,IAAI,mBAAmB,CAAC,CAAC;QAEvE,MAAM,YAAY,GAAyE;YACzF,KAAK,EAAE,EAAE;SACV,CAAC;QAEF,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC1C,YAAY,CAAC,KAAK,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC;QAC3C,CAAC;QACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,YAAY,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QACrC,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,YAAY,CAAC,MAAM,GAAG,IAAI,CAAC;QAC7B,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAEzC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;YACrC,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAE7B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;YACrD,MAAM,MAAM,GAAG,KAAK,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC;YACnE,OAAO,CAAC,GAAG,CAAC,MAAM,IAAI,KAAK,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;YACvC,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;YACvC,OAAO,CAAC,GAAG,CAAC,eAAe,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC7C,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,EAAE,CAAC,CAAC;YACrC,IAAI,KAAK,CAAC,KAAK;gBAAE,OAAO,CAAC,GAAG,CAAC,YAAY,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YACxD,IAAI,KAAK,CAAC,MAAM;gBAAE,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,OAAe,EAAE,UAA0B,EAAE;QACzD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,SAAS,IAAI,mBAAmB,CAAC,CAAC;QACvE,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAErC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,GAAG,CAAC,SAAS,OAAO,YAAY,CAAC,CAAC;YAC1C,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QACvE,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QAEnF,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAC9C,CAAC;QAED,IAAI,KAAK,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAC5B,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAEzC,IAAI,KAAK,KAAK,gBAAgB,IAAI,KAAK,KAAK,oBAAoB,EAAE,CAAC;gBACjE,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;gBACnE,OAAO,CAAC,GAAG,CAAC,4EAA4E,CAAC,CAAC;gBAC1F,OAAO;YACT,CAAC;YAED,IAAI,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,sBAAsB,EAAE,CAAC;gBAC3D,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;gBAC5D,OAAO,CAAC,GAAG,CACT,2FAA2F,CAC5F,CAAC;gBACF,OAAO;YACT,CAAC;YAED,IAAI,KAAK,KAAK,aAAa,IAAI,KAAK,KAAK,iBAAiB,EAAE,CAAC;gBAC3D,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC;gBACvE,OAAO,CAAC,GAAG,CACT,+FAA+F,CAChG,CAAC;gBACF,OAAO;YACT,CAAC;YAED,IAAI,KAAK,KAAK,iBAAiB,IAAI,KAAK,KAAK,qBAAqB,EAAE,CAAC;gBACnE,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAC;gBAC9D,OAAO,CAAC,GAAG,CACT,iGAAiG,CAClG,CAAC;gBACF,OAAO;YACT,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,IAAY,EAAE,UAAyB,EAAE;QACpD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,SAAS,IAAI,mBAAmB,CAAC,CAAC;QACvE,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAE/B,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,MAAM,cAAc,IAAI,EAAE,CAAC,CAAC;IAC7D,CAAC;CACF,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/policy.ts"],"names":[],"mappings":"AAMA,eAAO,MAAM,cAAc;eACR,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;
|
|
1
|
+
{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/policy.ts"],"names":[],"mappings":"AAMA,eAAO,MAAM,cAAc;eACR,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;mBA8BnB;QAAE,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GAAQ,OAAO,CAAC,IAAI,CAAC;oBAatC,MAAM,YAAW;QAAE,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GAAQ,OAAO,CAAC,IAAI,CAAC;gBAmB7D,MAAM,SAAS,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAsCxD,CAAC"}
|