@clawdstrike/openclaw 0.1.3 → 0.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -0
- package/dist/audit/adapter-logger.d.ts +3 -3
- package/dist/audit/adapter-logger.d.ts.map +1 -1
- package/dist/audit/adapter-logger.js +3 -3
- package/dist/audit/adapter-logger.js.map +1 -1
- package/dist/audit/store.d.ts +2 -2
- package/dist/audit/store.d.ts.map +1 -1
- package/dist/audit/store.js +13 -13
- package/dist/audit/store.js.map +1 -1
- package/dist/classification.d.ts +2 -2
- package/dist/classification.d.ts.map +1 -1
- package/dist/classification.js +96 -28
- package/dist/classification.js.map +1 -1
- package/dist/cli/bin.js +1 -1
- package/dist/cli/commands/audit.d.ts.map +1 -1
- package/dist/cli/commands/audit.js +29 -29
- package/dist/cli/commands/audit.js.map +1 -1
- package/dist/cli/commands/policy.d.ts.map +1 -1
- package/dist/cli/commands/policy.js +33 -33
- package/dist/cli/commands/policy.js.map +1 -1
- package/dist/cli/index.d.ts +1 -1
- package/dist/cli/index.d.ts.map +1 -1
- package/dist/cli/index.js +45 -56
- package/dist/cli/index.js.map +1 -1
- package/dist/config.d.ts +1 -1
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +9 -9
- package/dist/config.js.map +1 -1
- package/dist/e2e/openclaw-e2e.js +58 -49
- package/dist/e2e/openclaw-e2e.js.map +1 -1
- package/dist/engine-holder.d.ts +2 -2
- package/dist/engine-holder.js +1 -1
- package/dist/guards/egress.d.ts +2 -2
- package/dist/guards/egress.d.ts.map +1 -1
- package/dist/guards/egress.js +71 -73
- package/dist/guards/egress.js.map +1 -1
- package/dist/guards/forbidden-path.d.ts +2 -2
- package/dist/guards/forbidden-path.d.ts.map +1 -1
- package/dist/guards/forbidden-path.js +41 -43
- package/dist/guards/forbidden-path.js.map +1 -1
- package/dist/guards/index.d.ts +6 -6
- package/dist/guards/index.d.ts.map +1 -1
- package/dist/guards/index.js +5 -5
- package/dist/guards/index.js.map +1 -1
- package/dist/guards/patch-integrity.d.ts +2 -2
- package/dist/guards/patch-integrity.d.ts.map +1 -1
- package/dist/guards/patch-integrity.js +69 -70
- package/dist/guards/patch-integrity.js.map +1 -1
- package/dist/guards/secret-leak.d.ts +2 -2
- package/dist/guards/secret-leak.d.ts.map +1 -1
- package/dist/guards/secret-leak.js +81 -82
- package/dist/guards/secret-leak.js.map +1 -1
- package/dist/guards/types.d.ts +2 -2
- package/dist/guards/types.d.ts.map +1 -1
- package/dist/guards/types.js +4 -4
- package/dist/guards/types.js.map +1 -1
- package/dist/hooks/agent-bootstrap/handler.d.ts +1 -1
- package/dist/hooks/agent-bootstrap/handler.d.ts.map +1 -1
- package/dist/hooks/agent-bootstrap/handler.js +5 -5
- package/dist/hooks/agent-bootstrap/handler.js.map +1 -1
- package/dist/hooks/approval-state.d.ts +1 -1
- package/dist/hooks/approval-state.d.ts.map +1 -1
- package/dist/hooks/approval-state.js +15 -15
- package/dist/hooks/approval-state.js.map +1 -1
- package/dist/hooks/approval-utils.d.ts +1 -1
- package/dist/hooks/approval-utils.d.ts.map +1 -1
- package/dist/hooks/approval-utils.js +41 -20
- package/dist/hooks/approval-utils.js.map +1 -1
- package/dist/hooks/audit-logger/handler.d.ts +1 -1
- package/dist/hooks/audit-logger/handler.d.ts.map +1 -1
- package/dist/hooks/audit-logger/handler.js +9 -9
- package/dist/hooks/audit-logger/handler.js.map +1 -1
- package/dist/hooks/cua-bridge/handler.d.ts +4 -4
- package/dist/hooks/cua-bridge/handler.d.ts.map +1 -1
- package/dist/hooks/cua-bridge/handler.js +85 -70
- package/dist/hooks/cua-bridge/handler.js.map +1 -1
- package/dist/hooks/tool-guard/handler.d.ts +1 -1
- package/dist/hooks/tool-guard/handler.d.ts.map +1 -1
- package/dist/hooks/tool-guard/handler.js +112 -101
- package/dist/hooks/tool-guard/handler.js.map +1 -1
- package/dist/hooks/tool-preflight/handler.d.ts +2 -2
- package/dist/hooks/tool-preflight/handler.d.ts.map +1 -1
- package/dist/hooks/tool-preflight/handler.js +115 -91
- package/dist/hooks/tool-preflight/handler.js.map +1 -1
- package/dist/index.d.ts +16 -16
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +18 -18
- package/dist/index.js.map +1 -1
- package/dist/openclaw-adapter.d.ts +2 -2
- package/dist/openclaw-adapter.d.ts.map +1 -1
- package/dist/openclaw-adapter.js +4 -4
- package/dist/openclaw-adapter.js.map +1 -1
- package/dist/plugin.d.ts.map +1 -1
- package/dist/plugin.js +39 -40
- package/dist/plugin.js.map +1 -1
- package/dist/policy/engine.d.ts +1 -1
- package/dist/policy/engine.d.ts.map +1 -1
- package/dist/policy/engine.js +237 -221
- package/dist/policy/engine.js.map +1 -1
- package/dist/policy/index.d.ts +3 -3
- package/dist/policy/index.d.ts.map +1 -1
- package/dist/policy/index.js +3 -3
- package/dist/policy/index.js.map +1 -1
- package/dist/policy/loader.d.ts +1 -1
- package/dist/policy/loader.d.ts.map +1 -1
- package/dist/policy/loader.js +76 -63
- package/dist/policy/loader.js.map +1 -1
- package/dist/policy/validator.d.ts +1 -1
- package/dist/policy/validator.d.ts.map +1 -1
- package/dist/policy/validator.js +158 -151
- package/dist/policy/validator.js.map +1 -1
- package/dist/receipt/signer.d.ts +2 -2
- package/dist/receipt/signer.d.ts.map +1 -1
- package/dist/receipt/signer.js +12 -12
- package/dist/receipt/signer.js.map +1 -1
- package/dist/receipt/types.d.ts +2 -2
- package/dist/receipt/types.d.ts.map +1 -1
- package/dist/sanitizer/output-sanitizer.d.ts +1 -1
- package/dist/sanitizer/output-sanitizer.d.ts.map +1 -1
- package/dist/sanitizer/output-sanitizer.js +8 -8
- package/dist/sanitizer/output-sanitizer.js.map +1 -1
- package/dist/security-prompt.d.ts +1 -1
- package/dist/security-prompt.d.ts.map +1 -1
- package/dist/security-prompt.js +16 -12
- package/dist/security-prompt.js.map +1 -1
- package/dist/tools/policy-check.d.ts +3 -3
- package/dist/tools/policy-check.d.ts.map +1 -1
- package/dist/tools/policy-check.js +60 -52
- package/dist/tools/policy-check.js.map +1 -1
- package/dist/translator/openclaw-translator.d.ts +1 -1
- package/dist/translator/openclaw-translator.d.ts.map +1 -1
- package/dist/translator/openclaw-translator.js +100 -80
- package/dist/translator/openclaw-translator.js.map +1 -1
- package/dist/types.d.ts +11 -13
- package/dist/types.d.ts.map +1 -1
- package/package.json +9 -4
package/README.md
CHANGED
|
@@ -64,6 +64,17 @@ clawdstrike audit export ./audit-dump.jsonl
|
|
|
64
64
|
clawdstrike why <event-id>
|
|
65
65
|
```
|
|
66
66
|
|
|
67
|
+
## Development Testing
|
|
68
|
+
|
|
69
|
+
When running this package from the monorepo workspace, build local package dependencies first:
|
|
70
|
+
|
|
71
|
+
```bash
|
|
72
|
+
bun --cwd packages/adapters/clawdstrike-openclaw run test:workspace
|
|
73
|
+
bun --cwd packages/adapters/clawdstrike-openclaw run typecheck:workspace
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
These commands build `@clawdstrike/policy` and `@clawdstrike/adapter-core` before running tests/typecheck.
|
|
77
|
+
|
|
67
78
|
## API Overview
|
|
68
79
|
|
|
69
80
|
| Export | Description |
|
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import type { AuditEvent, AuditLogger } from
|
|
2
|
-
import type { AuditStore } from
|
|
1
|
+
import type { AuditEvent, AuditLogger } from "@clawdstrike/adapter-core";
|
|
2
|
+
import type { AuditStore } from "./store.js";
|
|
3
3
|
export interface OpenClawAuditLoggerOptions {
|
|
4
4
|
store?: AuditStore;
|
|
5
5
|
maxEvents?: number;
|
|
@@ -18,7 +18,7 @@ export declare class OpenClawAuditLogger implements AuditLogger {
|
|
|
18
18
|
log(event: AuditEvent): Promise<void>;
|
|
19
19
|
getSessionEvents(sessionId: string): Promise<AuditEvent[]>;
|
|
20
20
|
getContextEvents(contextId: string): Promise<AuditEvent[]>;
|
|
21
|
-
export(format:
|
|
21
|
+
export(format: "json" | "csv" | "jsonl"): Promise<string>;
|
|
22
22
|
prune(olderThan: Date): Promise<number>;
|
|
23
23
|
}
|
|
24
24
|
//# sourceMappingURL=adapter-logger.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"adapter-logger.d.ts","sourceRoot":"","sources":["../../src/audit/adapter-logger.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"adapter-logger.d.ts","sourceRoot":"","sources":["../../src/audit/adapter-logger.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAGzE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,MAAM,WAAW,0BAA0B;IACzC,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;GAMG;AACH,qBAAa,mBAAoB,YAAW,WAAW;IACrD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAsB;IAC7C,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAyB;gBAEnC,OAAO,GAAE,0BAA+B;IAK9C,GAAG,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;IAerC,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAI1D,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAI1D,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,KAAK,GAAG,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;IAIzD,KAAK,CAAC,SAAS,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC;CAG9C"}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { InMemoryAuditLogger } from
|
|
1
|
+
import { InMemoryAuditLogger } from "@clawdstrike/adapter-core";
|
|
2
2
|
/**
|
|
3
3
|
* OpenClawAuditLogger bridges the adapter-core `AuditLogger` interface with
|
|
4
4
|
* openclaw's existing `AuditStore` JSONL persistence layer.
|
|
@@ -18,8 +18,8 @@ export class OpenClawAuditLogger {
|
|
|
18
18
|
if (this.store) {
|
|
19
19
|
this.store.append({
|
|
20
20
|
type: event.type,
|
|
21
|
-
resource: event.toolName ??
|
|
22
|
-
decision: event.decision?.status ===
|
|
21
|
+
resource: event.toolName ?? "",
|
|
22
|
+
decision: event.decision?.status === "deny" ? "denied" : "allowed",
|
|
23
23
|
guard: event.decision?.guard,
|
|
24
24
|
reason: event.decision?.reason ?? event.decision?.message,
|
|
25
25
|
runId: event.sessionId,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"adapter-logger.js","sourceRoot":"","sources":["../../src/audit/adapter-logger.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"adapter-logger.js","sourceRoot":"","sources":["../../src/audit/adapter-logger.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAShE;;;;;;GAMG;AACH,MAAM,OAAO,mBAAmB;IACb,MAAM,CAAsB;IAC5B,KAAK,CAAyB;IAE/C,YAAY,UAAsC,EAAE;QAClD,IAAI,CAAC,MAAM,GAAG,IAAI,mBAAmB,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACzD,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,KAAiB;QACzB,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAE7B,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;gBAChB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,EAAE;gBAC9B,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;gBAClE,KAAK,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK;gBAC5B,MAAM,EAAE,KAAK,CAAC,QAAQ,EAAE,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,OAAO;gBACzD,KAAK,EAAE,KAAK,CAAC,SAAS;aACvB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,SAAiB;QACtC,OAAO,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,SAAiB;QACtC,OAAO,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,MAAgC;QAC3C,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,SAAe;QACzB,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACtC,CAAC;CACF"}
|
package/dist/audit/store.d.ts
CHANGED
|
@@ -3,7 +3,7 @@ export interface AuditEvent {
|
|
|
3
3
|
timestamp: number;
|
|
4
4
|
type: string;
|
|
5
5
|
resource: string;
|
|
6
|
-
decision:
|
|
6
|
+
decision: "allowed" | "denied";
|
|
7
7
|
guard?: string;
|
|
8
8
|
reason?: string;
|
|
9
9
|
runId?: string;
|
|
@@ -13,7 +13,7 @@ export declare class AuditStore {
|
|
|
13
13
|
private events;
|
|
14
14
|
constructor(path?: string);
|
|
15
15
|
private load;
|
|
16
|
-
append(event: Omit<AuditEvent,
|
|
16
|
+
append(event: Omit<AuditEvent, "id" | "timestamp">): AuditEvent;
|
|
17
17
|
query(options?: {
|
|
18
18
|
since?: number;
|
|
19
19
|
guard?: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../src/audit/store.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,SAAS,GAAG,QAAQ,CAAC;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,UAAU;IACrB,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,MAAM,CAAoB;gBAEtB,IAAI,GAAE,MAA4B;IAK9C,OAAO,CAAC,IAAI;IAUZ,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,GAAG,WAAW,CAAC,GAAG,UAAU;IAiB/D,KAAK,
|
|
1
|
+
{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../src/audit/store.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,SAAS,GAAG,QAAQ,CAAC;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,UAAU;IACrB,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,MAAM,CAAoB;gBAEtB,IAAI,GAAE,MAA4B;IAK9C,OAAO,CAAC,IAAI;IAUZ,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,GAAG,WAAW,CAAC,GAAG,UAAU;IAiB/D,KAAK,CACH,OAAO,GAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAO,GACjF,UAAU,EAAE;IAmBf,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS;IAI3C,KAAK,IAAI,IAAI;CAMd"}
|
package/dist/audit/store.js
CHANGED
|
@@ -1,19 +1,19 @@
|
|
|
1
|
-
import {
|
|
2
|
-
import { dirname } from
|
|
1
|
+
import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
|
|
2
|
+
import { dirname } from "path";
|
|
3
3
|
export class AuditStore {
|
|
4
4
|
path;
|
|
5
5
|
events = [];
|
|
6
|
-
constructor(path =
|
|
6
|
+
constructor(path = ".hush/audit.jsonl") {
|
|
7
7
|
this.path = path;
|
|
8
8
|
this.load();
|
|
9
9
|
}
|
|
10
10
|
load() {
|
|
11
11
|
if (existsSync(this.path)) {
|
|
12
|
-
const content = readFileSync(this.path,
|
|
12
|
+
const content = readFileSync(this.path, "utf-8");
|
|
13
13
|
this.events = content
|
|
14
|
-
.split(
|
|
15
|
-
.filter(line => line.trim())
|
|
16
|
-
.map(line => JSON.parse(line));
|
|
14
|
+
.split("\n")
|
|
15
|
+
.filter((line) => line.trim())
|
|
16
|
+
.map((line) => JSON.parse(line));
|
|
17
17
|
}
|
|
18
18
|
}
|
|
19
19
|
append(event) {
|
|
@@ -27,19 +27,19 @@ export class AuditStore {
|
|
|
27
27
|
if (!existsSync(dir)) {
|
|
28
28
|
mkdirSync(dir, { recursive: true });
|
|
29
29
|
}
|
|
30
|
-
writeFileSync(this.path, this.events.map(e => JSON.stringify(e)).join(
|
|
30
|
+
writeFileSync(this.path, this.events.map((e) => JSON.stringify(e)).join("\n") + "\n");
|
|
31
31
|
return fullEvent;
|
|
32
32
|
}
|
|
33
33
|
query(options = {}) {
|
|
34
34
|
let results = [...this.events];
|
|
35
35
|
if (options.since) {
|
|
36
|
-
results = results.filter(e => e.timestamp >= options.since);
|
|
36
|
+
results = results.filter((e) => e.timestamp >= options.since);
|
|
37
37
|
}
|
|
38
38
|
if (options.guard) {
|
|
39
|
-
results = results.filter(e => e.guard === options.guard);
|
|
39
|
+
results = results.filter((e) => e.guard === options.guard);
|
|
40
40
|
}
|
|
41
41
|
if (options.denied) {
|
|
42
|
-
results = results.filter(e => e.decision ===
|
|
42
|
+
results = results.filter((e) => e.decision === "denied");
|
|
43
43
|
}
|
|
44
44
|
if (options.limit) {
|
|
45
45
|
results = results.slice(-options.limit);
|
|
@@ -47,12 +47,12 @@ export class AuditStore {
|
|
|
47
47
|
return results;
|
|
48
48
|
}
|
|
49
49
|
getById(id) {
|
|
50
|
-
return this.events.find(e => e.id === id);
|
|
50
|
+
return this.events.find((e) => e.id === id);
|
|
51
51
|
}
|
|
52
52
|
clear() {
|
|
53
53
|
this.events = [];
|
|
54
54
|
if (existsSync(this.path)) {
|
|
55
|
-
writeFileSync(this.path,
|
|
55
|
+
writeFileSync(this.path, "");
|
|
56
56
|
}
|
|
57
57
|
}
|
|
58
58
|
}
|
package/dist/audit/store.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"store.js","sourceRoot":"","sources":["../../src/audit/store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"store.js","sourceRoot":"","sources":["../../src/audit/store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;AACxE,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAa/B,MAAM,OAAO,UAAU;IACb,IAAI,CAAS;IACb,MAAM,GAAiB,EAAE,CAAC;IAElC,YAAY,OAAe,mBAAmB;QAC5C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAEO,IAAI;QACV,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACjD,IAAI,CAAC,MAAM,GAAG,OAAO;iBAClB,KAAK,CAAC,IAAI,CAAC;iBACX,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;iBAC7B,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAED,MAAM,CAAC,KAA2C;QAChD,MAAM,SAAS,GAAe;YAC5B,GAAG,KAAK;YACR,EAAE,EAAE,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;YACjE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAE5B,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;QACD,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;QAEtF,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,KAAK,CACH,UAAgF,EAAE;QAElF,IAAI,OAAO,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;QAE/B,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,OAAO,CAAC,KAAM,CAAC,CAAC;QACjE,CAAC;QACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,OAAO,CAAC,KAAK,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;QAC3D,CAAC;QACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC1C,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,OAAO,CAAC,EAAU;QAChB,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED,KAAK;QACH,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC;QACjB,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;CACF"}
|
package/dist/classification.d.ts
CHANGED
|
@@ -5,7 +5,7 @@
|
|
|
5
5
|
* and tool-guard hooks. This module is self-contained — it only depends on
|
|
6
6
|
* the EventType type from the package's own types module.
|
|
7
7
|
*/
|
|
8
|
-
import type { EventType } from
|
|
8
|
+
import type { EventType } from "./types.js";
|
|
9
9
|
/** Read-only tokens: if ANY token matches and no destructive token is present, tool is read-only */
|
|
10
10
|
export declare const READ_ONLY_TOKENS: Set<string>;
|
|
11
11
|
/** Destructive tokens: if ANY token matches, tool is destructive */
|
|
@@ -21,7 +21,7 @@ export declare const NETWORK_TOKENS: Set<string>;
|
|
|
21
21
|
* Tokenize a tool name by splitting on common delimiters and camel-case boundaries.
|
|
22
22
|
*/
|
|
23
23
|
export declare function tokenize(toolName: string): string[];
|
|
24
|
-
export type ToolClassification =
|
|
24
|
+
export type ToolClassification = "read_only" | "destructive" | "unknown";
|
|
25
25
|
/**
|
|
26
26
|
* Classify a tool based on its name tokens.
|
|
27
27
|
* - If ANY token is destructive -> destructive
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"classification.d.ts","sourceRoot":"","sources":["../src/classification.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAI5C,oGAAoG;AACpG,eAAO,MAAM,gBAAgB,
|
|
1
|
+
{"version":3,"file":"classification.d.ts","sourceRoot":"","sources":["../src/classification.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAI5C,oGAAoG;AACpG,eAAO,MAAM,gBAAgB,aA0B3B,CAAC;AAEH,oEAAoE;AACpE,eAAO,MAAM,kBAAkB,aAqC7B,CAAC;AAEH,0EAA0E;AAC1E,eAAO,MAAM,qBAAqB,EAAE,aAAa,CAAC;IAAE,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAAC,SAAS,EAAE,SAAS,CAAA;CAAE,CAW9F,CAAC;AAEF,+CAA+C;AAC/C,eAAO,MAAM,cAAc,aAUzB,CAAC;AAIH;;GAEG;AACH,wBAAgB,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CAUnD;AAID,MAAM,MAAM,kBAAkB,GAAG,WAAW,GAAG,aAAa,GAAG,SAAS,CAAC;AAEzE;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,kBAAkB,CAgBjE;AAID;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CA2BzE"}
|
package/dist/classification.js
CHANGED
|
@@ -8,40 +8,108 @@
|
|
|
8
8
|
// ── Token Sets ───────────────────────────────────────────────────────
|
|
9
9
|
/** Read-only tokens: if ANY token matches and no destructive token is present, tool is read-only */
|
|
10
10
|
export const READ_ONLY_TOKENS = new Set([
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
11
|
+
"read",
|
|
12
|
+
"list",
|
|
13
|
+
"get",
|
|
14
|
+
"search",
|
|
15
|
+
"view",
|
|
16
|
+
"show",
|
|
17
|
+
"find",
|
|
18
|
+
"describe",
|
|
19
|
+
"info",
|
|
20
|
+
"status",
|
|
21
|
+
"check",
|
|
22
|
+
"ls",
|
|
23
|
+
"cat",
|
|
24
|
+
"head",
|
|
25
|
+
"tail",
|
|
26
|
+
"which",
|
|
27
|
+
"echo",
|
|
28
|
+
"pwd",
|
|
29
|
+
"env",
|
|
30
|
+
"whoami",
|
|
31
|
+
"hostname",
|
|
32
|
+
"uname",
|
|
33
|
+
"date",
|
|
34
|
+
"glob",
|
|
35
|
+
"grep",
|
|
15
36
|
]);
|
|
16
37
|
/** Destructive tokens: if ANY token matches, tool is destructive */
|
|
17
38
|
export const DESTRUCTIVE_TOKENS = new Set([
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
39
|
+
"write",
|
|
40
|
+
"delete",
|
|
41
|
+
"remove",
|
|
42
|
+
"rm",
|
|
43
|
+
"kill",
|
|
44
|
+
"exec",
|
|
45
|
+
"run",
|
|
46
|
+
"install",
|
|
47
|
+
"uninstall",
|
|
48
|
+
"create",
|
|
49
|
+
"update",
|
|
50
|
+
"modify",
|
|
51
|
+
"patch",
|
|
52
|
+
"put",
|
|
53
|
+
"post",
|
|
54
|
+
"move",
|
|
55
|
+
"mv",
|
|
56
|
+
"rename",
|
|
57
|
+
"chmod",
|
|
58
|
+
"chown",
|
|
59
|
+
"drop",
|
|
60
|
+
"truncate",
|
|
61
|
+
"edit",
|
|
62
|
+
"command",
|
|
63
|
+
"bash",
|
|
64
|
+
"save",
|
|
65
|
+
"overwrite",
|
|
66
|
+
"unlink",
|
|
67
|
+
"terminal",
|
|
68
|
+
"append",
|
|
69
|
+
"replace",
|
|
70
|
+
"deploy",
|
|
71
|
+
"push",
|
|
72
|
+
"send",
|
|
73
|
+
"publish",
|
|
74
|
+
"upload",
|
|
23
75
|
]);
|
|
24
76
|
/** Destructive token-to-event-type mapping for specific policy routing */
|
|
25
77
|
export const DESTRUCTIVE_EVENT_MAP = [
|
|
26
|
-
{
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
78
|
+
{
|
|
79
|
+
tokens: new Set(["write", "edit", "create", "save", "overwrite", "append", "replace"]),
|
|
80
|
+
eventType: "file_write",
|
|
81
|
+
},
|
|
82
|
+
{ tokens: new Set(["delete", "remove", "unlink", "rm"]), eventType: "file_write" },
|
|
83
|
+
{
|
|
84
|
+
tokens: new Set(["shell", "bash", "exec", "command", "terminal", "run"]),
|
|
85
|
+
eventType: "command_exec",
|
|
86
|
+
},
|
|
87
|
+
{ tokens: new Set(["patch", "diff"]), eventType: "patch_apply" },
|
|
30
88
|
];
|
|
31
89
|
/** Network tokens for egress classification */
|
|
32
|
-
export const NETWORK_TOKENS = new Set([
|
|
90
|
+
export const NETWORK_TOKENS = new Set([
|
|
91
|
+
"fetch",
|
|
92
|
+
"http",
|
|
93
|
+
"web",
|
|
94
|
+
"curl",
|
|
95
|
+
"request",
|
|
96
|
+
"api",
|
|
97
|
+
"download",
|
|
98
|
+
"socket",
|
|
99
|
+
"connect",
|
|
100
|
+
]);
|
|
33
101
|
// ── Tokenizer ────────────────────────────────────────────────────────
|
|
34
102
|
/**
|
|
35
103
|
* Tokenize a tool name by splitting on common delimiters and camel-case boundaries.
|
|
36
104
|
*/
|
|
37
105
|
export function tokenize(toolName) {
|
|
38
|
-
return toolName
|
|
106
|
+
return (toolName
|
|
39
107
|
// Split `fooBar` -> `foo Bar`, `HTTPFetch` -> `HTTP Fetch`
|
|
40
|
-
.replace(/([a-z0-9])([A-Z])/g,
|
|
41
|
-
.replace(/([A-Z])([A-Z][a-z])/g,
|
|
108
|
+
.replace(/([a-z0-9])([A-Z])/g, "$1 $2")
|
|
109
|
+
.replace(/([A-Z])([A-Z][a-z])/g, "$1 $2")
|
|
42
110
|
.toLowerCase()
|
|
43
111
|
.split(/[_\-/\s.]+/)
|
|
44
|
-
.filter(Boolean);
|
|
112
|
+
.filter(Boolean));
|
|
45
113
|
}
|
|
46
114
|
/**
|
|
47
115
|
* Classify a tool based on its name tokens.
|
|
@@ -61,10 +129,10 @@ export function classifyTool(tokens) {
|
|
|
61
129
|
}
|
|
62
130
|
}
|
|
63
131
|
if (hasDestructive)
|
|
64
|
-
return
|
|
132
|
+
return "destructive";
|
|
65
133
|
if (hasReadOnly)
|
|
66
|
-
return
|
|
67
|
-
return
|
|
134
|
+
return "read_only";
|
|
135
|
+
return "unknown";
|
|
68
136
|
}
|
|
69
137
|
// ── Event Type Inference (name-only) ─────────────────────────────────
|
|
70
138
|
/**
|
|
@@ -78,22 +146,22 @@ export function classifyTool(tokens) {
|
|
|
78
146
|
export function inferEventTypeFromName(toolName) {
|
|
79
147
|
const tokens = tokenize(toolName);
|
|
80
148
|
const classification = classifyTool(tokens);
|
|
81
|
-
if (classification ===
|
|
149
|
+
if (classification === "read_only") {
|
|
82
150
|
// Read-only tools may still perform network egress (e.g. web_search, http_get).
|
|
83
|
-
if (tokens.some(t => NETWORK_TOKENS.has(t))) {
|
|
84
|
-
return
|
|
151
|
+
if (tokens.some((t) => NETWORK_TOKENS.has(t))) {
|
|
152
|
+
return "network_egress";
|
|
85
153
|
}
|
|
86
|
-
return
|
|
154
|
+
return "file_read";
|
|
87
155
|
}
|
|
88
156
|
// Check specific destructive event types via DESTRUCTIVE_EVENT_MAP.
|
|
89
157
|
for (const { tokens: matchTokens, eventType } of DESTRUCTIVE_EVENT_MAP) {
|
|
90
|
-
if (tokens.some(t => matchTokens.has(t))) {
|
|
158
|
+
if (tokens.some((t) => matchTokens.has(t))) {
|
|
91
159
|
return eventType;
|
|
92
160
|
}
|
|
93
161
|
}
|
|
94
162
|
// Check network tokens.
|
|
95
|
-
if (tokens.some(t => NETWORK_TOKENS.has(t))) {
|
|
96
|
-
return
|
|
163
|
+
if (tokens.some((t) => NETWORK_TOKENS.has(t))) {
|
|
164
|
+
return "network_egress";
|
|
97
165
|
}
|
|
98
166
|
// No confident classification — return null so callers can apply their
|
|
99
167
|
// own fallback logic (e.g. parameter inspection).
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"classification.js","sourceRoot":"","sources":["../src/classification.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,wEAAwE;AAExE,oGAAoG;AACpG,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IACtC,MAAM,
|
|
1
|
+
{"version":3,"file":"classification.js","sourceRoot":"","sources":["../src/classification.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,wEAAwE;AAExE,oGAAoG;AACpG,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IACtC,MAAM;IACN,MAAM;IACN,KAAK;IACL,QAAQ;IACR,MAAM;IACN,MAAM;IACN,MAAM;IACN,UAAU;IACV,MAAM;IACN,QAAQ;IACR,OAAO;IACP,IAAI;IACJ,KAAK;IACL,MAAM;IACN,MAAM;IACN,OAAO;IACP,MAAM;IACN,KAAK;IACL,KAAK;IACL,QAAQ;IACR,UAAU;IACV,OAAO;IACP,MAAM;IACN,MAAM;IACN,MAAM;CACP,CAAC,CAAC;AAEH,oEAAoE;AACpE,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACxC,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,IAAI;IACJ,MAAM;IACN,MAAM;IACN,KAAK;IACL,SAAS;IACT,WAAW;IACX,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,KAAK;IACL,MAAM;IACN,MAAM;IACN,IAAI;IACJ,QAAQ;IACR,OAAO;IACP,OAAO;IACP,MAAM;IACN,UAAU;IACV,MAAM;IACN,SAAS;IACT,MAAM;IACN,MAAM;IACN,WAAW;IACX,QAAQ;IACR,UAAU;IACV,QAAQ;IACR,SAAS;IACT,QAAQ;IACR,MAAM;IACN,MAAM;IACN,SAAS;IACT,QAAQ;CACT,CAAC,CAAC;AAEH,0EAA0E;AAC1E,MAAM,CAAC,MAAM,qBAAqB,GAAiE;IACjG;QACE,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;QACtF,SAAS,EAAE,YAAY;KACxB;IACD,EAAE,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE;IAClF;QACE,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;QACxE,SAAS,EAAE,cAAc;KAC1B;IACD,EAAE,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,EAAE,SAAS,EAAE,aAAa,EAAE;CACjE,CAAC;AAEF,+CAA+C;AAC/C,MAAM,CAAC,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC;IACpC,OAAO;IACP,MAAM;IACN,KAAK;IACL,MAAM;IACN,SAAS;IACT,KAAK;IACL,UAAU;IACV,QAAQ;IACR,SAAS;CACV,CAAC,CAAC;AAEH,wEAAwE;AAExE;;GAEG;AACH,MAAM,UAAU,QAAQ,CAAC,QAAgB;IACvC,OAAO,CACL,QAAQ;QACN,2DAA2D;SAC1D,OAAO,CAAC,oBAAoB,EAAE,OAAO,CAAC;SACtC,OAAO,CAAC,sBAAsB,EAAE,OAAO,CAAC;SACxC,WAAW,EAAE;SACb,KAAK,CAAC,YAAY,CAAC;SACnB,MAAM,CAAC,OAAO,CAAC,CACnB,CAAC;AACJ,CAAC;AAMD;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,MAAgB;IAC3C,IAAI,WAAW,GAAG,KAAK,CAAC;IACxB,IAAI,cAAc,GAAG,KAAK,CAAC;IAE3B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,kBAAkB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAClC,cAAc,GAAG,IAAI,CAAC;QACxB,CAAC;QACD,IAAI,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,WAAW,GAAG,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;IAED,IAAI,cAAc;QAAE,OAAO,aAAa,CAAC;IACzC,IAAI,WAAW;QAAE,OAAO,WAAW,CAAC;IACpC,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,wEAAwE;AAExE;;;;;;;GAOG;AACH,MAAM,UAAU,sBAAsB,CAAC,QAAgB;IACrD,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAClC,MAAM,cAAc,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IAE5C,IAAI,cAAc,KAAK,WAAW,EAAE,CAAC;QACnC,gFAAgF;QAChF,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9C,OAAO,gBAAgB,CAAC;QAC1B,CAAC;QACD,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,oEAAoE;IACpE,KAAK,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,qBAAqB,EAAE,CAAC;QACvE,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3C,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED,wBAAwB;IACxB,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9C,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IAED,uEAAuE;IACvE,kDAAkD;IAClD,OAAO,IAAI,CAAC;AACd,CAAC"}
|
package/dist/cli/bin.js
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/audit.ts"],"names":[],"mappings":"AAGA,UAAU,YAAY;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,cAAc;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,aAAa;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,eAAO,MAAM,aAAa;oBACH,YAAY,GAAQ,OAAO,CAAC,IAAI,CAAC;qBAwC/B,MAAM,YAAW,cAAc,GAAQ,OAAO,CAAC,IAAI,CAAC;
|
|
1
|
+
{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/audit.ts"],"names":[],"mappings":"AAGA,UAAU,YAAY;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,cAAc;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,aAAa;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,eAAO,MAAM,aAAa;oBACH,YAAY,GAAQ,OAAO,CAAC,IAAI,CAAC;qBAwC/B,MAAM,YAAW,cAAc,GAAQ,OAAO,CAAC,IAAI,CAAC;iBA+DxD,MAAM,YAAW,aAAa,GAAQ,OAAO,CAAC,IAAI,CAAC;CAOvE,CAAC"}
|
|
@@ -1,8 +1,8 @@
|
|
|
1
|
-
import { writeFileSync } from
|
|
2
|
-
import { AuditStore } from
|
|
1
|
+
import { writeFileSync } from "fs";
|
|
2
|
+
import { AuditStore } from "../../audit/store.js";
|
|
3
3
|
export const auditCommands = {
|
|
4
4
|
async query(options = {}) {
|
|
5
|
-
const store = new AuditStore(options.auditPath ||
|
|
5
|
+
const store = new AuditStore(options.auditPath || ".hush/audit.jsonl");
|
|
6
6
|
const queryOptions = {
|
|
7
7
|
limit: 50,
|
|
8
8
|
};
|
|
@@ -18,14 +18,14 @@ export const auditCommands = {
|
|
|
18
18
|
}
|
|
19
19
|
const events = store.query(queryOptions);
|
|
20
20
|
if (events.length === 0) {
|
|
21
|
-
console.log(
|
|
21
|
+
console.log("No audit events found");
|
|
22
22
|
return;
|
|
23
23
|
}
|
|
24
|
-
console.log(
|
|
25
|
-
console.log(
|
|
24
|
+
console.log("Audit Events:");
|
|
25
|
+
console.log("=============");
|
|
26
26
|
for (const event of events) {
|
|
27
27
|
const date = new Date(event.timestamp).toISOString();
|
|
28
|
-
const status = event.decision ===
|
|
28
|
+
const status = event.decision === "allowed" ? "ALLOWED" : "DENIED";
|
|
29
29
|
console.log(`\n[${date}] ${event.id}`);
|
|
30
30
|
console.log(` Action: ${event.type}`);
|
|
31
31
|
console.log(` Resource: ${event.resource}`);
|
|
@@ -37,54 +37,54 @@ export const auditCommands = {
|
|
|
37
37
|
}
|
|
38
38
|
},
|
|
39
39
|
async explain(eventId, options = {}) {
|
|
40
|
-
const store = new AuditStore(options.auditPath ||
|
|
40
|
+
const store = new AuditStore(options.auditPath || ".hush/audit.jsonl");
|
|
41
41
|
const event = store.getById(eventId);
|
|
42
42
|
if (!event) {
|
|
43
43
|
console.log(`Event ${eventId} not found`);
|
|
44
44
|
return;
|
|
45
45
|
}
|
|
46
|
-
console.log(
|
|
47
|
-
console.log(
|
|
46
|
+
console.log("Event Details");
|
|
47
|
+
console.log("=============");
|
|
48
48
|
console.log(`\nEvent ID: ${event.id}`);
|
|
49
49
|
console.log(`Timestamp: ${new Date(event.timestamp).toISOString()}`);
|
|
50
50
|
console.log(`Action: ${event.type}`);
|
|
51
51
|
console.log(`Resource: ${event.resource}`);
|
|
52
|
-
console.log(`Decision: ${event.decision ===
|
|
52
|
+
console.log(`Decision: ${event.decision === "allowed" ? "ALLOWED" : "DENIED"}`);
|
|
53
53
|
if (event.guard) {
|
|
54
54
|
console.log(`\nGuard: ${event.guard}`);
|
|
55
55
|
}
|
|
56
56
|
if (event.reason) {
|
|
57
57
|
console.log(`Reason: ${event.reason}`);
|
|
58
58
|
}
|
|
59
|
-
if (event.decision ===
|
|
60
|
-
console.log(
|
|
61
|
-
console.log(
|
|
62
|
-
const guard = (event.guard ||
|
|
63
|
-
if (guard ===
|
|
64
|
-
console.log(
|
|
65
|
-
console.log(
|
|
59
|
+
if (event.decision === "denied") {
|
|
60
|
+
console.log("\nRemediation:");
|
|
61
|
+
console.log("------------");
|
|
62
|
+
const guard = (event.guard || "").trim();
|
|
63
|
+
if (guard === "forbidden_path" || guard === "ForbiddenPathGuard") {
|
|
64
|
+
console.log("This path is protected by the forbidden_path guard.");
|
|
65
|
+
console.log("To allow access, remove it from filesystem.forbidden_paths in your policy.");
|
|
66
66
|
return;
|
|
67
67
|
}
|
|
68
|
-
if (guard ===
|
|
69
|
-
console.log(
|
|
70
|
-
console.log(
|
|
68
|
+
if (guard === "egress" || guard === "EgressAllowlistGuard") {
|
|
69
|
+
console.log("This domain is blocked by the egress policy.");
|
|
70
|
+
console.log("To allow access, add it to egress.allowed_domains (or change egress.mode) in your policy.");
|
|
71
71
|
return;
|
|
72
72
|
}
|
|
73
|
-
if (guard ===
|
|
74
|
-
console.log(
|
|
75
|
-
console.log(
|
|
73
|
+
if (guard === "secret_leak" || guard === "SecretLeakGuard") {
|
|
74
|
+
console.log("Tool output contained a value that looks like a secret.");
|
|
75
|
+
console.log("Remove/redact secrets from tool output or adjust your workflow to avoid printing credentials.");
|
|
76
76
|
return;
|
|
77
77
|
}
|
|
78
|
-
if (guard ===
|
|
79
|
-
console.log(
|
|
80
|
-
console.log(
|
|
78
|
+
if (guard === "patch_integrity" || guard === "PatchIntegrityGuard") {
|
|
79
|
+
console.log("The patch/command matched a dangerous pattern.");
|
|
80
|
+
console.log("Avoid unsafe commands/patterns (e.g., curl|bash, rm -rf /) or update execution.denied_patterns.");
|
|
81
81
|
return;
|
|
82
82
|
}
|
|
83
|
-
console.log(
|
|
83
|
+
console.log("Review your policy configuration to understand why this was blocked.");
|
|
84
84
|
}
|
|
85
85
|
},
|
|
86
86
|
async export(file, options = {}) {
|
|
87
|
-
const store = new AuditStore(options.auditPath ||
|
|
87
|
+
const store = new AuditStore(options.auditPath || ".hush/audit.jsonl");
|
|
88
88
|
const events = store.query({});
|
|
89
89
|
writeFileSync(file, JSON.stringify(events, null, 2));
|
|
90
90
|
console.log(`Exported ${events.length} events to ${file}`);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../../src/cli/commands/audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;AACnC,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAiBlD,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,KAAK,CAAC,KAAK,CAAC,UAAwB,EAAE;QACpC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,SAAS,IAAI,mBAAmB,CAAC,CAAC;QAEvE,MAAM,YAAY,GAAyE;YACzF,KAAK,EAAE,EAAE;SACV,CAAC;QAEF,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC1C,YAAY,CAAC,KAAK,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC;QAC3C,CAAC;QACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,YAAY,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QACrC,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,YAAY,CAAC,MAAM,GAAG,IAAI,CAAC;QAC7B,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAEzC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;YACrC,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAE7B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;YACrD,MAAM,MAAM,GAAG,KAAK,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC;YACnE,OAAO,CAAC,GAAG,CAAC,MAAM,IAAI,KAAK,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;YACvC,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;YACvC,OAAO,CAAC,GAAG,CAAC,eAAe,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC7C,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,EAAE,CAAC,CAAC;YACrC,IAAI,KAAK,CAAC,KAAK;gBAAE,OAAO,CAAC,GAAG,CAAC,YAAY,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YACxD,IAAI,KAAK,CAAC,MAAM;gBAAE,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,OAAe,EAAE,UAA0B,EAAE;QACzD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,SAAS,IAAI,mBAAmB,CAAC,CAAC;QACvE,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAErC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,GAAG,CAAC,SAAS,OAAO,YAAY,CAAC,CAAC;YAC1C,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QACvE,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QAEnF,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAC9C,CAAC;QAED,IAAI,KAAK,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAC5B,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAEzC,IAAI,KAAK,KAAK,gBAAgB,IAAI,KAAK,KAAK,oBAAoB,EAAE,CAAC;gBACjE,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;gBACnE,OAAO,CAAC,GAAG,CAAC,4EAA4E,CAAC,CAAC;gBAC1F,OAAO;YACT,CAAC;YAED,IAAI,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,sBAAsB,EAAE,CAAC;gBAC3D,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;gBAC5D,OAAO,CAAC,GAAG,
|
|
1
|
+
{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../../src/cli/commands/audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;AACnC,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAiBlD,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,KAAK,CAAC,KAAK,CAAC,UAAwB,EAAE;QACpC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,SAAS,IAAI,mBAAmB,CAAC,CAAC;QAEvE,MAAM,YAAY,GAAyE;YACzF,KAAK,EAAE,EAAE;SACV,CAAC;QAEF,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC1C,YAAY,CAAC,KAAK,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC;QAC3C,CAAC;QACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,YAAY,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QACrC,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,YAAY,CAAC,MAAM,GAAG,IAAI,CAAC;QAC7B,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAEzC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;YACrC,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAE7B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;YACrD,MAAM,MAAM,GAAG,KAAK,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC;YACnE,OAAO,CAAC,GAAG,CAAC,MAAM,IAAI,KAAK,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;YACvC,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;YACvC,OAAO,CAAC,GAAG,CAAC,eAAe,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC7C,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,EAAE,CAAC,CAAC;YACrC,IAAI,KAAK,CAAC,KAAK;gBAAE,OAAO,CAAC,GAAG,CAAC,YAAY,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YACxD,IAAI,KAAK,CAAC,MAAM;gBAAE,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,OAAe,EAAE,UAA0B,EAAE;QACzD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,SAAS,IAAI,mBAAmB,CAAC,CAAC;QACvE,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAErC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,GAAG,CAAC,SAAS,OAAO,YAAY,CAAC,CAAC;YAC1C,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QACvE,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QAEnF,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAC9C,CAAC;QAED,IAAI,KAAK,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAC5B,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAEzC,IAAI,KAAK,KAAK,gBAAgB,IAAI,KAAK,KAAK,oBAAoB,EAAE,CAAC;gBACjE,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;gBACnE,OAAO,CAAC,GAAG,CAAC,4EAA4E,CAAC,CAAC;gBAC1F,OAAO;YACT,CAAC;YAED,IAAI,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,sBAAsB,EAAE,CAAC;gBAC3D,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;gBAC5D,OAAO,CAAC,GAAG,CACT,2FAA2F,CAC5F,CAAC;gBACF,OAAO;YACT,CAAC;YAED,IAAI,KAAK,KAAK,aAAa,IAAI,KAAK,KAAK,iBAAiB,EAAE,CAAC;gBAC3D,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC;gBACvE,OAAO,CAAC,GAAG,CACT,+FAA+F,CAChG,CAAC;gBACF,OAAO;YACT,CAAC;YAED,IAAI,KAAK,KAAK,iBAAiB,IAAI,KAAK,KAAK,qBAAqB,EAAE,CAAC;gBACnE,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAC;gBAC9D,OAAO,CAAC,GAAG,CACT,iGAAiG,CAClG,CAAC;gBACF,OAAO;YACT,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,IAAY,EAAE,UAAyB,EAAE;QACpD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,SAAS,IAAI,mBAAmB,CAAC,CAAC;QACvE,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAE/B,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,MAAM,cAAc,IAAI,EAAE,CAAC,CAAC;IAC7D,CAAC;CACF,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/policy.ts"],"names":[],"mappings":"AAMA,eAAO,MAAM,cAAc;eACR,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;
|
|
1
|
+
{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/policy.ts"],"names":[],"mappings":"AAMA,eAAO,MAAM,cAAc;eACR,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;mBA8BnB;QAAE,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GAAQ,OAAO,CAAC,IAAI,CAAC;oBAatC,MAAM,YAAW;QAAE,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GAAQ,OAAO,CAAC,IAAI,CAAC;gBAmB7D,MAAM,SAAS,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAsCxD,CAAC"}
|