npm - @clawos-dev/clawd - Versions diffs - 0.2.71-beta.129.3d783e6 → 0.2.71-beta.130.ea9dc82 - Mend

@clawos-dev/clawd 0.2.71-beta.129.3d783e6 → 0.2.71-beta.130.ea9dc82

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/cli.cjs +127 -59
package/package.json +1 -1

package/dist/cli.cjs CHANGED Viewed

@@ -27956,10 +27956,62 @@ function forkSession(input) {
   return { forkedToolSessionId, forkedFilePath };
 }
+// src/permission/capability.ts
+function matchResource(grant, target) {
+  if (grant.type === "*") return true;
+  if (grant.type !== target.type) return false;
+  return grant.id === target.id;
+}
+function assertGrant(grants, resource, action) {
+  for (const g2 of grants) {
+    if (!matchResource(g2.resource, resource)) continue;
+    if (g2.actions.includes(action)) return true;
+    if (g2.actions.includes("admin")) return true;
+  }
+  return false;
+}
+// src/permission/session-access.ts
+function canAccessSession(ctx, sessionId, action, deps) {
+  if (ctx.principal.kind === "owner") return true;
+  const file = deps.readSession(sessionId);
+  if (!file) return true;
+  return canAccessPersona(ctx.grants, file.ownerPersonaId, action);
+}
+function canAccessPersona(grants, personaId, action) {
+  if (!personaId) return false;
+  const resource = { type: "persona", id: personaId };
+  return assertGrant(grants, resource, action);
+}
 // src/handlers/session.ts
+init_protocol();
 function buildSessionHandlers(deps) {
-  const { manager, observer, getAdapter: getAdapter2 } = deps;
-  const create = async (frame) => {
+  const { manager, observer, getAdapter: getAdapter2, store } = deps;
+  const ensureSessionAccess = (ctx, sessionId, action) => {
+    if (!ctx) return;
+    const ok = canAccessSession(ctx, sessionId, action, {
+      readSession: (sid) => store.read(sid)
+    });
+    if (!ok) {
+      throw new ClawdError(
+        ERROR_CODES.UNAUTHORIZED,
+        `principal ${ctx.principal.kind}:${ctx.principal.id} cannot ${action} session ${sessionId}`
+      );
+    }
+  };
+  const ensurePersonaAccess = (ctx, personaId, action) => {
+    if (!ctx) return;
+    if (ctx.principal.kind === "owner") return;
+    const ok = canAccessPersona(ctx.grants, personaId, action);
+    if (!ok) {
+      throw new ClawdError(
+        ERROR_CODES.UNAUTHORIZED,
+        `principal ${ctx.principal.kind}:${ctx.principal.id} cannot ${action} on persona:${personaId ?? "<none>"}`
+      );
+    }
+  };
+  const create = async (frame, _client, ctx) => {
     const args = SessionCreateArgs.parse(frame);
     if (args.ownerPersonaId) {
       const persona = deps.personaRegistry.get(args.ownerPersonaId);
@@ -27967,58 +28019,75 @@ function buildSessionHandlers(deps) {
         throw new Error(`persona not found: ${args.ownerPersonaId}`);
       }
     }
+    ensurePersonaAccess(ctx, args.ownerPersonaId, "send");
     const { response, broadcast } = manager.create(args);
     return { response: { type: "session:info", ...response }, broadcast };
   };
-  const list = async () => {
+  const list = async (_frame, _client, ctx) => {
     const { response } = manager.list();
+    if (ctx && ctx.principal.kind === "guest") {
+      const sessions = response.sessions ?? [];
+      const filtered = sessions.filter(
+        (s) => canAccessPersona(ctx.grants, s.ownerPersonaId, "read")
+      );
+      return { response: { type: "session:list", sessions: filtered } };
+    }
     return { response: { type: "session:list", ...response } };
   };
-  const get = async (frame) => {
+  const get = async (frame, _client, ctx) => {
     const args = SessionIdArgs.parse(frame);
+    ensureSessionAccess(ctx, args.sessionId, "read");
     const { response } = manager.get(args);
     return { response: { type: "session:info", ...response } };
   };
-  const update = async (frame) => {
+  const update = async (frame, _client, ctx) => {
     const args = SessionUpdateArgs.parse(frame);
+    ensureSessionAccess(ctx, args.sessionId, "send");
     const { response, broadcast } = manager.update(args);
     return { response: { type: "session:info", ...response }, broadcast };
   };
-  const del = async (frame) => {
+  const del = async (frame, _client, ctx) => {
     const args = SessionIdArgs.parse(frame);
+    ensureSessionAccess(ctx, args.sessionId, "send");
     const { broadcast } = manager.delete(args);
     return {
       response: { type: "session:deleted", sessionId: args.sessionId },
       broadcast
     };
   };
-  const send = async (frame) => {
+  const send = async (frame, _client, ctx) => {
     const args = SessionSendArgs.parse(frame);
+    ensureSessionAccess(ctx, args.sessionId, "send");
     const { broadcast } = manager.send(args);
     return { response: { type: "session:send", ok: true }, broadcast };
   };
-  const stop = async (frame) => {
+  const stop = async (frame, _client, ctx) => {
     const args = SessionIdArgs.parse(frame);
+    ensureSessionAccess(ctx, args.sessionId, "send");
     const { broadcast } = await manager.stop(args);
     return { response: { type: "session:stop", ok: true }, broadcast };
   };
-  const interrupt = async (frame) => {
+  const interrupt = async (frame, _client, ctx) => {
     const args = SessionIdArgs.parse(frame);
+    ensureSessionAccess(ctx, args.sessionId, "send");
     const { broadcast } = await manager.interrupt(args);
     return { response: { type: "session:interrupt", ok: true }, broadcast };
   };
-  const rewind = async (frame) => {
+  const rewind = async (frame, _client, ctx) => {
     const args = SessionRewindArgs.parse(frame);
+    ensureSessionAccess(ctx, args.sessionId, "send");
     const { response, broadcast } = await manager.rewind(args);
     return { response: { type: "session:rewind", ...response }, broadcast };
   };
-  const rewindDiff = async (frame) => {
+  const rewindDiff = async (frame, _client, ctx) => {
     const args = SessionRewindDiffArgs.parse(frame);
+    ensureSessionAccess(ctx, args.sessionId, "read");
     const { response } = await manager.rewindDiff(args);
     return { response: { type: "session:rewind-diff", ...response } };
   };
-  const rewindableMessageIds = async (frame) => {
+  const rewindableMessageIds = async (frame, _client, ctx) => {
     const args = SessionRewindableMessageIdsArgs.parse(frame);
+    ensureSessionAccess(ctx, args.sessionId, "read");
     const { response } = manager.rewindableMessageIds(args);
     return {
       response: { type: "session:rewindable-message-ids", ...response }
@@ -28029,19 +28098,22 @@ function buildSessionHandlers(deps) {
     const result = forkSession(args);
     return { response: { type: "session:fork", ...result } };
   };
-  const newSession = async (frame) => {
+  const newSession = async (frame, _client, ctx) => {
     const args = SessionIdArgs.parse(frame);
+    ensureSessionAccess(ctx, args.sessionId, "send");
     observer.stop(args.sessionId);
     const { response, broadcast } = manager.newSession(args);
     return { response: { type: "session:info", ...response }, broadcast };
   };
-  const resume = async (frame) => {
+  const resume = async (frame, _client, ctx) => {
     const args = SessionResumeArgs.parse(frame);
+    ensureSessionAccess(ctx, args.sessionId, "send");
     const { response, broadcast } = manager.resume(args);
     return { response: { type: "session:info", ...response }, broadcast };
   };
-  const observe = async (frame) => {
+  const observe = async (frame, _client, ctx) => {
     const args = SessionObserveArgs.parse(frame);
+    ensureSessionAccess(ctx, args.sessionId, "read");
     const { response: file } = manager.get({ sessionId: args.sessionId });
     const sessionFile = file;
     manager.ensureSession(sessionFile);
@@ -28055,14 +28127,17 @@ function buildSessionHandlers(deps) {
     });
     return { response: { type: "session:observe", ok: true } };
   };
-  const events = async (frame) => {
+  const events = async (frame, _client, ctx) => {
     const args = SessionEventsArgs.parse(frame);
+    ensureSessionAccess(ctx, args.sessionId, "read");
     const { response } = manager.getEvents(args);
     return { response: { type: "session:events", ...response } };
   };
-  const subscribe = async (frame, client) => {
-    if (typeof frame.sessionId === "string")
+  const subscribe = async (frame, client, ctx) => {
+    if (typeof frame.sessionId === "string") {
+      ensureSessionAccess(ctx, frame.sessionId, "read");
       addSubscription(client, frame.sessionId);
+    }
     return {
       response: { type: "subscribed", sessionId: frame.sessionId }
     };
@@ -28074,8 +28149,9 @@ function buildSessionHandlers(deps) {
       response: { type: "unsubscribed", sessionId: frame.sessionId }
     };
   };
-  const pin = async (frame) => {
+  const pin = async (frame, _client, ctx) => {
     const args = SessionPinArgs.parse(frame);
+    ensureSessionAccess(ctx, args.sessionId, "send");
     const { response, broadcast } = manager.pin(args);
     return { response: { type: "session:info", ...response }, broadcast };
   };
@@ -28084,13 +28160,15 @@ function buildSessionHandlers(deps) {
     const { response, broadcast } = manager.reorderPins(args);
     return { response: { type: "session:reorderPins", ...response }, broadcast };
   };
-  const answerQuestion = async (frame) => {
+  const answerQuestion = async (frame, _client, ctx) => {
     const args = AnswerQuestionArgs.parse(frame);
+    ensureSessionAccess(ctx, args.sessionId, "send");
     const { response, broadcast } = manager.answerQuestion(args);
     return { response: { type: "session:answerQuestion", ...response }, broadcast };
   };
-  const cancelQuestion = async (frame) => {
+  const cancelQuestion = async (frame, _client, ctx) => {
     const args = CancelQuestionArgs.parse(frame);
+    ensureSessionAccess(ctx, args.sessionId, "send");
     const { response, broadcast } = await manager.cancelQuestion(args);
     return { response: { type: "session:cancelQuestion", ...response }, broadcast };
   };
@@ -28878,6 +28956,7 @@ var ADMIN_ANY = {
   resource: { type: "*" },
   action: "admin"
 };
+var CAPABILITY_SCOPED = { kind: "capability-scoped" };
 var METHOD_GRANT_MAP = {
   // ---- public（meta-only，guest 也能调） ----
   "info": { kind: "public" },
@@ -28900,30 +28979,33 @@ var METHOD_GRANT_MAP = {
   "remote-persona:add": ADMIN_ANY,
   "remote-persona:list": ADMIN_ANY,
   "remote-persona:remove": ADMIN_ANY,
-  // ---- 业务方法：Phase 1 全 admin-only（owner 自动通过；guest 无法调用） ----
-  "session:create": ADMIN_ANY,
-  "session:list": ADMIN_ANY,
-  "session:get": ADMIN_ANY,
-  "session:update": ADMIN_ANY,
-  "session:delete": ADMIN_ANY,
-  "session:send": ADMIN_ANY,
-  "session:stop": ADMIN_ANY,
-  "session:interrupt": ADMIN_ANY,
-  "session:rewind": ADMIN_ANY,
-  "session:rewind-diff": ADMIN_ANY,
-  "session:rewindable-message-ids": ADMIN_ANY,
-  "session:fork": ADMIN_ANY,
-  "session:new": ADMIN_ANY,
-  "session:resume": ADMIN_ANY,
-  "session:observe": ADMIN_ANY,
-  "session:events": ADMIN_ANY,
-  "session:subscribe": ADMIN_ANY,
-  "session:unsubscribe": ADMIN_ANY,
-  "session:pin": ADMIN_ANY,
+  // ---- session:* / chat:* 业务方法（v2 Phase 8 两层模型）----
+  // dispatcher 不验资源，handler 内按 ctx + frame.args 反查 ownerPersonaId 调 assertGrant。
+  // owner 自动通过（ctx 自带 '*':'admin' grant 一切 match）；guest 在被授权 persona 内可调。
+  "session:create": CAPABILITY_SCOPED,
+  "session:list": CAPABILITY_SCOPED,
+  "session:get": CAPABILITY_SCOPED,
+  "session:update": CAPABILITY_SCOPED,
+  "session:delete": CAPABILITY_SCOPED,
+  "session:send": CAPABILITY_SCOPED,
+  "session:stop": CAPABILITY_SCOPED,
+  "session:interrupt": CAPABILITY_SCOPED,
+  "session:rewind": CAPABILITY_SCOPED,
+  "session:rewind-diff": CAPABILITY_SCOPED,
+  "session:rewindable-message-ids": CAPABILITY_SCOPED,
+  "session:fork": CAPABILITY_SCOPED,
+  "session:new": CAPABILITY_SCOPED,
+  "session:resume": CAPABILITY_SCOPED,
+  "session:observe": CAPABILITY_SCOPED,
+  "session:events": CAPABILITY_SCOPED,
+  "session:subscribe": CAPABILITY_SCOPED,
+  "session:unsubscribe": CAPABILITY_SCOPED,
+  "session:pin": CAPABILITY_SCOPED,
   "session:reorderPins": ADMIN_ANY,
-  "permission:respond": ADMIN_ANY,
-  "session:answerQuestion": ADMIN_ANY,
-  "session:cancelQuestion": ADMIN_ANY,
+  // owner 全局操作，无 personaId 维度
+  "permission:respond": CAPABILITY_SCOPED,
+  "session:answerQuestion": CAPABILITY_SCOPED,
+  "session:cancelQuestion": CAPABILITY_SCOPED,
   "history:projects": ADMIN_ANY,
   "history:list": ADMIN_ANY,
   "history:read": ADMIN_ANY,
@@ -28959,6 +29041,7 @@ function computeGrantForFrame(method, frame) {
   const rule = METHOD_GRANT_MAP[method];
   if (!rule) return { kind: "public" };
   if (rule.kind === "public") return { kind: "public" };
+  if (rule.kind === "capability-scoped") return { kind: "public" };
   if (rule.kind === "fixed") {
     return { kind: "check", resource: rule.resource, action: rule.action };
   }
@@ -28967,21 +29050,6 @@ function computeGrantForFrame(method, frame) {
   return { kind: "check", resource: picked.resource, action: picked.action };
 }
-// src/permission/capability.ts
-function matchResource(grant, target) {
-  if (grant.type === "*") return true;
-  if (grant.type !== target.type) return false;
-  return grant.id === target.id;
-}
-function assertGrant(grants, resource, action) {
-  for (const g2 of grants) {
-    if (!matchResource(g2.resource, resource)) continue;
-    if (g2.actions.includes(action)) return true;
-    if (g2.actions.includes("admin")) return true;
-  }
-  return false;
-}
 // src/index.ts
 async function startDaemon(config) {
   const logger = createLogger({

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@clawos-dev/clawd",
-  "version": "0.2.71-beta.129.3d783e6",
+  "version": "0.2.71-beta.130.ea9dc82",
   "description": "Standalone clawd daemon — Claude Code (and future Codex) session server over WebSocket",
   "type": "module",
   "license": "MIT",