@det-acp/core 0.2.0 → 0.3.0
- package/README.md +332 -213
- package/dist/engine/action-registry.d.ts.map +1 -1
- package/dist/engine/action-registry.js +20 -0
- package/dist/engine/action-registry.js.map +1 -1
- package/dist/index.d.ts +11 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +11 -1
- package/dist/index.js.map +1 -1
- package/dist/tools/archive-extract.d.ts +45 -0
- package/dist/tools/archive-extract.d.ts.map +1 -0
- package/dist/tools/archive-extract.js +246 -0
- package/dist/tools/archive-extract.js.map +1 -0
- package/dist/tools/directory-create.d.ts +33 -0
- package/dist/tools/directory-create.d.ts.map +1 -0
- package/dist/tools/directory-create.js +145 -0
- package/dist/tools/directory-create.js.map +1 -0
- package/dist/tools/directory-list.d.ts +32 -0
- package/dist/tools/directory-list.d.ts.map +1 -0
- package/dist/tools/directory-list.js +114 -0
- package/dist/tools/directory-list.js.map +1 -0
- package/dist/tools/env-read.d.ts +31 -0
- package/dist/tools/env-read.d.ts.map +1 -0
- package/dist/tools/env-read.js +108 -0
- package/dist/tools/env-read.js.map +1 -0
- package/dist/tools/file-copy.d.ts +30 -0
- package/dist/tools/file-copy.d.ts.map +1 -0
- package/dist/tools/file-copy.js +170 -0
- package/dist/tools/file-copy.js.map +1 -0
- package/dist/tools/file-delete.d.ts +27 -0
- package/dist/tools/file-delete.d.ts.map +1 -0
- package/dist/tools/file-delete.js +143 -0
- package/dist/tools/file-delete.js.map +1 -0
- package/dist/tools/file-move.d.ts +30 -0
- package/dist/tools/file-move.d.ts.map +1 -0
- package/dist/tools/file-move.js +167 -0
- package/dist/tools/file-move.js.map +1 -0
- package/dist/tools/git-commit.d.ts +33 -0
- package/dist/tools/git-commit.d.ts.map +1 -0
- package/dist/tools/git-commit.js +176 -0
- package/dist/tools/git-commit.js.map +1 -0
- package/dist/tools/git-status.d.ts +29 -0
- package/dist/tools/git-status.d.ts.map +1 -0
- package/dist/tools/git-status.js +159 -0
- package/dist/tools/git-status.js.map +1 -0
- package/dist/tools/network-dns.d.ts +50 -0
- package/dist/tools/network-dns.d.ts.map +1 -0
- package/dist/tools/network-dns.js +122 -0
- package/dist/tools/network-dns.js.map +1 -0
- package/dist/types.d.ts +1 -1
- package/dist/types.d.ts.map +1 -1
- package/examples/coding-agent.policy.yaml +44 -0
- package/examples/data-analyst.policy.yaml +160 -0
- package/examples/devops-deploy.policy.yaml +68 -0
- package/examples/infrastructure-manager.policy.yaml +209 -0
- package/examples/security-audit.policy.yaml +152 -0
- package/examples/video-upscaler.policy.yaml +45 -0
- package/package.json +4 -4
|
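--- a/package/dist/tools/git-status.js
+++ b/package/dist/tools/git-status.js
@@ -0,0 +1,159 @@
+/**
+* git:status — Read-only git status tool adapter.
+*
+* Reports the working tree status of a git repository.
+* Read-only operation — no rollback needed.
+*/
+import { execSync } from 'node:child_process';
+import { z } from 'zod';
+import { ToolAdapter } from './base.js';
+import { evaluateAction } from '../policy/evaluator.js';
+export const GitStatusInputSchema = z.object({
+repo: z.string().min(1, 'Repository path is required'),
+/** Show short format output */
+short: z.boolean().default(false),
+/** Show branch tracking info */
+branch: z.boolean().default(true),
+});
+export class GitStatusAdapter extends ToolAdapter {
+name = 'git:status';
+description = 'Get git working tree status for a repository';
+inputSchema = GitStatusInputSchema;
+validate(input, policy) {
+const parsed = GitStatusInputSchema.safeParse(input);
+if (!parsed.success) {
+return {
+verdict: 'deny',
+tool: this.name,
+reasons: parsed.error.issues.map((i) => `${i.path.join('.')}: ${i.message}`),
+};
+}
+return evaluateAction({ tool: this.name, input: parsed.data }, policy);
+}
+async dryRun(input, _ctx) {
+const { repo } = input;
+return {
+tool: this.name,
+wouldDo: `Get git status of ${repo}`,
+estimatedChanges: [],
+warnings: [],
+};
+}
+async execute(input, _ctx) {
+const start = Date.now();
+const { repo, short, branch } = input;
+try {
+// Get porcelain status for parsing
+const porcelainOutput = execSync('git status --porcelain=v1', {
+cwd: repo,
+encoding: 'utf-8',
+timeout: 10000,
+});
+// Parse porcelain output into structured entries
+const entries = [];
+for (const line of porcelainOutput.split('\n').filter(Boolean)) {
+const indexStatus = line[0];
+const workingStatus = line[1];
+const filePath = line.slice(3);
+let status = 'unknown';
+const staged = indexStatus !== ' ' && indexStatus !== '?';
+if (indexStatus === '?' && workingStatus === '?') {
+status = 'untracked';
+}
+else if (indexStatus === 'A') {
+status = 'added';
+}
+else if (indexStatus === 'M' || workingStatus === 'M') {
+status = 'modified';
+}
+else if (indexStatus === 'D' || workingStatus === 'D') {
+status = 'deleted';
+}
+else if (indexStatus === 'R') {
+status = 'renamed';
+}
+else if (indexStatus === 'C') {
+status = 'copied';
+}
+entries.push({ path: filePath, status, staged });
+}
+// Get branch info
+let branchInfo = {};
+if (branch) {
+try {
+const branchOutput = execSync('git branch --show-current', {
+cwd: repo,
+encoding: 'utf-8',
+timeout: 5000,
+}).trim();
+branchInfo = { currentBranch: branchOutput || '(detached HEAD)' };
+// Get upstream tracking info
+try {
+const upstream = execSync('git rev-parse --abbrev-ref @{upstream}', {
+cwd: repo,
+encoding: 'utf-8',
+timeout: 5000,
+}).trim();
+branchInfo.upstream = upstream;
+const aheadBehind = execSync('git rev-list --left-right --count HEAD...@{upstream}', {
+cwd: repo,
+encoding: 'utf-8',
+timeout: 5000,
+}).trim();
+const [ahead, behind] = aheadBehind.split('\t');
+branchInfo.ahead = ahead;
+branchInfo.behind = behind;
+}
+catch {
+// No upstream configured
+}
+}
+catch {
+branchInfo = { currentBranch: '(unknown)' };
+}
+}
+// Get readable output too
+let readableOutput = '';
+if (short) {
+readableOutput = porcelainOutput;
+}
+else {
+readableOutput = execSync('git status', {
+cwd: repo,
+encoding: 'utf-8',
+timeout: 10000,
+});
+}
+return this.success({
+repo,
+branch: branchInfo,
+entries,
+clean: entries.length === 0,
+summary: {
+total: entries.length,
+staged: entries.filter((e) => e.staged).length,
+unstaged: entries.filter((e) => !e.staged).length,
+untracked: entries.filter((e) => e.status === 'untracked').length,
+},
+raw: readableOutput.trim(),
+}, Date.now() - start, [
+{
+type: 'log',
+value: readableOutput.trim().slice(0, 4096),
+description: 'Git status output',
+},
+]);
+}
+catch (err) {
+return this.failure(err.message, Date.now() - start);
+}
+}
+async rollback(_input, _ctx) {
+return {
+tool: this.name,
+success: true,
+description: 'No rollback needed for read-only git status',
+};
+}
+}
+//# sourceMappingURL=git-status.js.map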
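Review bot: `execute()` runs every git command through `execSync` with `cwd: repo`, so git loads that repository's own `.git/config` first; settings such as `core.fsmonitor` name a program that `git status` will start, so a repository the agent did not create can run code even though the adapter is described as read-only. The command strings are constant, so nothing is injected through `repo`, but the shell is not needed either: I would call `execFileSync('git', ['-c', 'core.fsmonitor=false', '--no-optional-locks', 'status', '--porcelain=v1'], { cwd: repo, encoding: 'utf-8', timeout: 10000 })` and use the same argument prefix for the `branch`, `rev-parse`, `rev-list` and plain `status` calls. `--no-optional-locks` also keeps `git status` from refreshing the index on disk, which the "no rollback needed" wording otherwise glosses over. Separately, `execute()` destructures the raw `input` rather than the `parsed.data` built in `validate()`, so the schema defaults for `short` and `branch` apply only if the caller passes the parsed object, which is not visible in this file.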
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"git-status.js","sourceRoot":"","sources":["../../src/tools/git-status.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACxC,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAUxD,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,6BAA6B,CAAC;IACtD,+BAA+B;IAC/B,KAAK,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACjC,gCAAgC;IAChC,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;CAClC,CAAC,CAAC;AAUH,MAAM,OAAO,gBAAiB,SAAQ,WAAW;IACtC,IAAI,GAAG,YAAY,CAAC;IACpB,WAAW,GAAG,8CAA8C,CAAC;IAC7D,WAAW,GAAG,oBAAoB,CAAC;IAE5C,QAAQ,CAAC,KAAc,EAAE,MAAc;QACrC,MAAM,MAAM,GAAG,oBAAoB,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QACrD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO;gBACL,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;aAC7E,CAAC;QACJ,CAAC;QAED,OAAO,cAAc,CACnB,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,EAAE,EACvC,MAAM,CACP,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAA8B,EAAE,IAAsB;QACjE,MAAM,EAAE,IAAI,EAAE,GAAG,KAAuB,CAAC;QACzC,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,qBAAqB,IAAI,EAAE;YACpC,gBAAgB,EAAE,EAAE;YACpB,QAAQ,EAAE,EAAE;SACb,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAA8B,EAAE,IAAsB;QAClE,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,KAAuB,CAAC;QAExD,IAAI,CAAC;YACH,mCAAmC;YACnC,MAAM,eAAe,GAAG,QAAQ,CAAC,2BAA2B,EAAE;gBAC5D,GAAG,EAAE,IAAI;gBACT,QAAQ,EAAE,OAAO;gBACjB,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YAEH,iDAAiD;YACjD,MAAM,OAAO,GAAkB,EAAE,CAAC;YAClC,KAAK,MAAM,IAAI,IAAI,eAAe,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC/D,MAAM,WAAW,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;gBAC5B,MAAM,aAAa,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;gBAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;g
BAE/B,IAAI,MAAM,GAAG,SAAS,CAAC;gBACvB,MAAM,MAAM,GAAG,WAAW,KAAK,GAAG,IAAI,WAAW,KAAK,GAAG,CAAC;gBAE1D,IAAI,WAAW,KAAK,GAAG,IAAI,aAAa,KAAK,GAAG,EAAE,CAAC;oBACjD,MAAM,GAAG,WAAW,CAAC;gBACvB,CAAC;qBAAM,IAAI,WAAW,KAAK,GAAG,EAAE,CAAC;oBAC/B,MAAM,GAAG,OAAO,CAAC;gBACnB,CAAC;qBAAM,IAAI,WAAW,KAAK,GAAG,IAAI,aAAa,KAAK,GAAG,EAAE,CAAC;oBACxD,MAAM,GAAG,UAAU,CAAC;gBACtB,CAAC;qBAAM,IAAI,WAAW,KAAK,GAAG,IAAI,aAAa,KAAK,GAAG,EAAE,CAAC;oBACxD,MAAM,GAAG,SAAS,CAAC;gBACrB,CAAC;qBAAM,IAAI,WAAW,KAAK,GAAG,EAAE,CAAC;oBAC/B,MAAM,GAAG,SAAS,CAAC;gBACrB,CAAC;qBAAM,IAAI,WAAW,KAAK,GAAG,EAAE,CAAC;oBAC/B,MAAM,GAAG,QAAQ,CAAC;gBACpB,CAAC;gBAED,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;YACnD,CAAC;YAED,kBAAkB;YAClB,IAAI,UAAU,GAA2B,EAAE,CAAC;YAC5C,IAAI,MAAM,EAAE,CAAC;gBACX,IAAI,CAAC;oBACH,MAAM,YAAY,GAAG,QAAQ,CAAC,2BAA2B,EAAE;wBACzD,GAAG,EAAE,IAAI;wBACT,QAAQ,EAAE,OAAO;wBACjB,OAAO,EAAE,IAAI;qBACd,CAAC,CAAC,IAAI,EAAE,CAAC;oBAEV,UAAU,GAAG,EAAE,aAAa,EAAE,YAAY,IAAI,iBAAiB,EAAE,CAAC;oBAElE,6BAA6B;oBAC7B,IAAI,CAAC;wBACH,MAAM,QAAQ,GAAG,QAAQ,CAAC,wCAAwC,EAAE;4BAClE,GAAG,EAAE,IAAI;4BACT,QAAQ,EAAE,OAAO;4BACjB,OAAO,EAAE,IAAI;yBACd,CAAC,CAAC,IAAI,EAAE,CAAC;wBACV,UAAU,CAAC,QAAQ,GAAG,QAAQ,CAAC;wBAE/B,MAAM,WAAW,GAAG,QAAQ,CAAC,sDAAsD,EAAE;4BACnF,GAAG,EAAE,IAAI;4BACT,QAAQ,EAAE,OAAO;4BACjB,OAAO,EAAE,IAAI;yBACd,CAAC,CAAC,IAAI,EAAE,CAAC;wBACV,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;wBAChD,UAAU,CAAC,KAAK,GAAG,KAAK,CAAC;wBACzB,UAAU,CAAC,MAAM,GAAG,MAAM,CAAC;oBAC7B,CAAC;oBAAC,MAAM,CAAC;wBACP,yBAAyB;oBAC3B,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,UAAU,GAAG,EAAE,aAAa,EAAE,WAAW,EAAE,CAAC;gBAC9C,CAAC;YACH,CAAC;YAED,0BAA0B;YAC1B,IAAI,cAAc,GAAG,EAAE,CAAC;YACxB,IAAI,KAAK,EAAE,CAAC;gBACV,cAAc,GAAG,eAAe,CAAC;YACnC,CAAC;iBAAM,CAAC;gBACN,cAAc,GAAG,QAAQ,CAAC,YAAY,EAAE;oBACtC,GAAG,EAAE,IAAI;oBACT,QAAQ,EAAE,OAAO;oBACjB,OAAO,EAAE,KAAK;iBACf,CAAC,CAAC;YACL,CAAC;YAED,OAAO,IAAI,CAAC,OAAO,CACjB;gBACE,IAAI;gBACJ,MAAM,EAAE,UAAU;gBAClB,OAAO;gBACP,KAAK,EAAE,OAAO,CAAC,MAAM,KAAK,CAAC;gBAC3B,OAAO,EAAE;
oBACP,KAAK,EAAE,OAAO,CAAC,MAAM;oBACrB,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM;oBAC9C,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM;oBACjD,SAAS,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,WAAW,CAAC,CAAC,MAAM;iBAClE;gBACD,GAAG,EAAE,cAAc,CAAC,IAAI,EAAE;aAC3B,EACD,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAClB;gBACE;oBACE,IAAI,EAAE,KAAK;oBACX,KAAK,EAAE,cAAc,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC;oBAC3C,WAAW,EAAE,mBAAmB;iBACjC;aACF,CACF,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,OAAO,CAAE,GAAa,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,MAA+B,EAAE,IAAsB;QACpE,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI;YACb,WAAW,EAAE,6CAA6C;SAC3D,CAAC;IACJ,CAAC;CACF"}
|
|
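--- a/package/dist/tools/network-dns.d.ts
+++ b/package/dist/tools/network-dns.d.ts
@@ -0,0 +1,50 @@
+/**
+* network:dns — DNS lookup tool adapter.
+*
+* Performs DNS resolution for hostnames within allowed domains.
+* Read-only operation — no rollback needed.
+* Domain allow-listing enforced by policy.
+*/
+import { z } from 'zod';
+import { ToolAdapter } from './base.js';
+import type { DryRunResult, ExecutionContext, ExecutionResult, Policy, RollbackResult, ValidationResult } from '../types.js';
+export declare const NetworkDnsInputSchema: z.ZodObject<{
+hostname: z.ZodString;
+type: z.ZodDefault<z.ZodEnum<{
+A: "A";
+AAAA: "AAAA";
+CNAME: "CNAME";
+MX: "MX";
+TXT: "TXT";
+NS: "NS";
+SOA: "SOA";
+SRV: "SRV";
+PTR: "PTR";
+}>>;
+timeout: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+}, z.core.$strip>;
+export type NetworkDnsInput = z.infer<typeof NetworkDnsInputSchema>;
+export declare class NetworkDnsAdapter extends ToolAdapter {
+readonly name = "network:dns";
+readonly description = "Perform DNS lookups for allow-listed domains";
+readonly inputSchema: z.ZodObject<{
+hostname: z.ZodString;
+type: z.ZodDefault<z.ZodEnum<{
+A: "A";
+AAAA: "AAAA";
+CNAME: "CNAME";
+MX: "MX";
+TXT: "TXT";
+NS: "NS";
+SOA: "SOA";
+SRV: "SRV";
+PTR: "PTR";
+}>>;
+timeout: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+}, z.core.$strip>;
+validate(input: unknown, policy: Policy): ValidationResult;
+dryRun(input: Record<string, unknown>, _ctx: ExecutionContext): Promise<DryRunResult>;
+execute(input: Record<string, unknown>, _ctx: ExecutionContext): Promise<ExecutionResult>;
+rollback(_input: Record<string, unknown>, _ctx: ExecutionContext): Promise<RollbackResult>;
+}
+//# sourceMappingURL=network-dns.d.ts.map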
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"network-dns.d.ts","sourceRoot":"","sources":["../../src/tools/network-dns.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAExC,OAAO,KAAK,EACV,YAAY,EACZ,gBAAgB,EAChB,eAAe,EACf,MAAM,EACN,cAAc,EACd,gBAAgB,EACjB,MAAM,aAAa,CAAC;AAErB,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;iBAMhC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE,qBAAa,iBAAkB,SAAQ,WAAW;IAChD,QAAQ,CAAC,IAAI,iBAAiB;IAC9B,QAAQ,CAAC,WAAW,kDAAkD;IACtE,QAAQ,CAAC,WAAW;;;;;;;;;;;;;;sBAAyB;IAE7C,QAAQ,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,GAAG,gBAAgB;IAgBpD,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAWrF,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IA+EzF,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,cAAc,CAAC;CAOjG"}
|
|
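--- a/package/dist/tools/network-dns.js
+++ b/package/dist/tools/network-dns.js
@@ -0,0 +1,122 @@
+/**
+* network:dns — DNS lookup tool adapter.
+*
+* Performs DNS resolution for hostnames within allowed domains.
+* Read-only operation — no rollback needed.
+* Domain allow-listing enforced by policy.
+*/
+import dns from 'node:dns/promises';
+import crypto from 'node:crypto';
+import { z } from 'zod';
+import { ToolAdapter } from './base.js';
+import { evaluateAction } from '../policy/evaluator.js';
+export const NetworkDnsInputSchema = z.object({
+hostname: z.string().min(1, 'Hostname is required'),
+/** DNS record type */
+type: z.enum(['A', 'AAAA', 'CNAME', 'MX', 'TXT', 'NS', 'SOA', 'SRV', 'PTR']).default('A'),
+/** Timeout in milliseconds */
+timeout: z.number().positive().optional().default(10000),
+});
+export class NetworkDnsAdapter extends ToolAdapter {
+name = 'network:dns';
+description = 'Perform DNS lookups for allow-listed domains';
+inputSchema = NetworkDnsInputSchema;
+validate(input, policy) {
+const parsed = NetworkDnsInputSchema.safeParse(input);
+if (!parsed.success) {
+return {
+verdict: 'deny',
+tool: this.name,
+reasons: parsed.error.issues.map((i) => `${i.path.join('.')}: ${i.message}`),
+};
+}
+return evaluateAction({ tool: this.name, input: parsed.data }, policy);
+}
+async dryRun(input, _ctx) {
+const { hostname, type } = input;
+return {
+tool: this.name,
+wouldDo: `DNS ${type} lookup for ${hostname}`,
+estimatedChanges: [],
+warnings: [],
+};
+}
+async execute(input, _ctx) {
+const start = Date.now();
+const { hostname, type, timeout } = input;
+try {
+// Set up timeout
+const controller = new AbortController();
+const timeoutId = setTimeout(() => controller.abort(), timeout);
+let records;
+try {
+const resolver = new dns.Resolver();
+// Apply timeout via AbortController on the resolver
+resolver.setServers(dns.getServers());
+switch (type) {
+case 'A':
+records = await resolver.resolve4(hostname);
+break;
+case 'AAAA':
+records = await resolver.resolve6(hostname);
+break;
+case 'CNAME':
+records = await resolver.resolveCname(hostname);
+break;
+case 'MX':
+records = await resolver.resolveMx(hostname);
+break;
+case 'TXT':
+records = await resolver.resolveTxt(hostname);
+break;
+case 'NS':
+records = await resolver.resolveNs(hostname);
+break;
+case 'SOA':
+records = await resolver.resolveSoa(hostname);
+break;
+case 'SRV':
+records = await resolver.resolveSrv(hostname);
+break;
+case 'PTR':
+records = await resolver.resolvePtr(hostname);
+break;
+default:
+return this.failure(`Unsupported record type: ${type}`, Date.now() - start);
+}
+}
+finally {
+clearTimeout(timeoutId);
+}
+const resultStr = JSON.stringify(records);
+const resultHash = crypto.createHash('sha256').update(resultStr).digest('hex');
+return this.success({
+hostname,
+type,
+records,
+}, Date.now() - start, [
+{
+type: 'log',
+value: `DNS ${type} ${hostname}: ${resultStr.slice(0, 2048)}`,
+description: 'DNS lookup result',
+},
+{
+type: 'checksum',
+value: `sha256:${resultHash}`,
+description: 'DNS result hash',
+},
+]);
+}
+catch (err) {
+return this.failure(err.message, Date.now() - start);
+}
+}
+async rollback(_input, _ctx) {
+return {
+tool: this.name,
+success: true,
+description: 'No rollback needed for read-only DNS lookup',
+};
+}
+}
+//# sourceMappingURL=network-dns.js.map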
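Review bot: The `timeout` input never reaches the lookup in `execute()`: the `AbortController` is created and aborted by the timer, but `controller.signal` is not passed to anything, and the line under the comment "Apply timeout via AbortController on the resolver" only calls `resolver.setServers(dns.getServers())`. A query against an unresponsive server therefore runs for the resolver's default retry schedule whatever value the caller supplied, and `z.number().positive()` also leaves that value without an upper bound. I would drop the controller and give the resolver its own limit, `const resolver = new dns.Resolver({ timeout, tries: 1 });`, or have the timer call `resolver.cancel()`. The hostname is only checked as a non-empty string in this file, so the allow-listing promised in the header rests entirely on `evaluateAction`, which is not shown; a comment on `validate()` should say so, because a wildcard entry would let arbitrary labels under an allowed domain be sent to that domain's name servers.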
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"network-dns.js","sourceRoot":"","sources":["../../src/tools/network-dns.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,GAAG,MAAM,mBAAmB,CAAC;AACpC,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACxC,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAUxD,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,sBAAsB,CAAC;IACnD,sBAAsB;IACtB,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IACzF,8BAA8B;IAC9B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACzD,CAAC,CAAC;AAIH,MAAM,OAAO,iBAAkB,SAAQ,WAAW;IACvC,IAAI,GAAG,aAAa,CAAC;IACrB,WAAW,GAAG,8CAA8C,CAAC;IAC7D,WAAW,GAAG,qBAAqB,CAAC;IAE7C,QAAQ,CAAC,KAAc,EAAE,MAAc;QACrC,MAAM,MAAM,GAAG,qBAAqB,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QACtD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO;gBACL,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;aAC7E,CAAC;QACJ,CAAC;QAED,OAAO,cAAc,CACnB,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,EAAE,EACvC,MAAM,CACP,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAA8B,EAAE,IAAsB;QACjE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,KAAwB,CAAC;QAEpD,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,OAAO,IAAI,eAAe,QAAQ,EAAE;YAC7C,gBAAgB,EAAE,EAAE;YACpB,QAAQ,EAAE,EAAE;SACb,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAA8B,EAAE,IAAsB;QAClE,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,KAAwB,CAAC;QAE7D,IAAI,CAAC;YACH,iBAAiB;YACjB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;YAEhE,IAAI,OAAgB,CAAC;YAErB,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;gBACpC,oDAAoD;gBACpD,Q
AAQ,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;gBAEtC,QAAQ,IAAI,EAAE,CAAC;oBACb,KAAK,GAAG;wBACN,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;wBAC5C,MAAM;oBACR,KAAK,MAAM;wBACT,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;wBAC5C,MAAM;oBACR,KAAK,OAAO;wBACV,OAAO,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;wBAChD,MAAM;oBACR,KAAK,IAAI;wBACP,OAAO,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;wBAC7C,MAAM;oBACR,KAAK,KAAK;wBACR,OAAO,GAAG,MAAM,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;wBAC9C,MAAM;oBACR,KAAK,IAAI;wBACP,OAAO,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;wBAC7C,MAAM;oBACR,KAAK,KAAK;wBACR,OAAO,GAAG,MAAM,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;wBAC9C,MAAM;oBACR,KAAK,KAAK;wBACR,OAAO,GAAG,MAAM,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;wBAC9C,MAAM;oBACR,KAAK,KAAK;wBACR,OAAO,GAAG,MAAM,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;wBAC9C,MAAM;oBACR;wBACE,OAAO,IAAI,CAAC,OAAO,CAAC,4BAA4B,IAAI,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC;gBAChF,CAAC;YACH,CAAC;oBAAS,CAAC;gBACT,YAAY,CAAC,SAAS,CAAC,CAAC;YAC1B,CAAC;YAED,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;YAC1C,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAE/E,OAAO,IAAI,CAAC,OAAO,CACjB;gBACE,QAAQ;gBACR,IAAI;gBACJ,OAAO;aACR,EACD,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAClB;gBACE;oBACE,IAAI,EAAE,KAAK;oBACX,KAAK,EAAE,OAAO,IAAI,IAAI,QAAQ,KAAK,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE;oBAC7D,WAAW,EAAE,mBAAmB;iBACjC;gBACD;oBACE,IAAI,EAAE,UAAU;oBAChB,KAAK,EAAE,UAAU,UAAU,EAAE;oBAC7B,WAAW,EAAE,iBAAiB;iBAC/B;aACF,CACF,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,OAAO,CAAE,GAAa,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,MAA+B,EAAE,IAAsB;QACpE,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI;YACb,WAAW,EAAE,6CAA6C;SAC3D,CAAC;IACJ,CAAC;CACF"}
|
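--- a/package/dist/types.d.ts
+++ b/package/dist/types.d.ts
@@ -4,7 +4,7 @@
 * These types are the shared vocabulary used across the entire framework:
 * policy engine, tool adapters, session manager, ledger, and gateway runtime.
 */
-export type ToolName = 'file:read' | 'file:write' | 'file:delete' | 'command:run' | 'http:request' | 'git:diff' | 'git:apply' | (string & {});
+export type ToolName = 'file:read' | 'file:write' | 'file:delete' | 'file:move' | 'file:copy' | 'directory:list' | 'directory:create' | 'command:run' | 'http:request' | 'git:diff' | 'git:apply' | 'git:commit' | 'git:status' | 'env:read' | 'network:dns' | 'archive:extract' | (string & {});
 export type ApprovalMode = 'auto' | 'human' | 'webhook';
 export type RiskLevel = 'low' | 'medium' | 'high' | 'critical';
 export interface CapabilityScope {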
|
package/dist/types.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,MAAM,MAAM,QAAQ,
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,MAAM,MAAM,QAAQ,GAChB,WAAW,GACX,YAAY,GACZ,aAAa,GACb,WAAW,GACX,WAAW,GACX,gBAAgB,GAChB,kBAAkB,GAClB,aAAa,GACb,cAAc,GACd,UAAU,GACV,WAAW,GACX,YAAY,GACZ,YAAY,GACZ,UAAU,GACV,aAAa,GACb,iBAAiB,GACjB,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAElB,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;AAExD,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAE/D,MAAM,WAAW,eAAe;IAC9B,2CAA2C;IAC3C,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,iDAAiD;IACjD,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,6CAA6C;IAC7C,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,2BAA2B;IAC3B,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,mCAAmC;IACnC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,QAAQ,CAAC;IACf,KAAK,EAAE,eAAe,CAAC;CACxB;AAED,MAAM,WAAW,IAAI;IACnB,MAAM,EAAE,QAAQ,CAAC;IACjB,QAAQ,EAAE,YAAY,CAAC;IACvB,UAAU,CAAC,EAAE,SAAS,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,MAAM;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,eAAe,EAAE,CAAC;IACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAMD,MAAM,WAAW,eAAe;IAC9B,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,cAAc;IAC7B,wCAAwC;IACxC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,sCAAsC;IACtC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,OAAO,EAAE,eAAe,CAAC;CAC1B;AAED,MAAM,WAAW,kBAAkB;IACjC,kCAAkC;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,wCAAwC;IACxC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gCAAgC;IAChC,UAAU,CAAC,EAAE,eAAe,CAAC;IAC7B,2CAA2C;IAC3C,UAAU,CAAC,EAAE,cAAc,EAAE,CAAC;CAC/B;AAMD,MAAM,WAAW,MAAM;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,UAAU,EAAE,CAAC;IAC3B,MAA
M,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,IAAI,EAAE,CAAC;IACd,QAAQ,EAAE,cAAc,CAAC;IACzB,SAAS,EAAE,gBAAgB,EAAE,CAAC;IAC9B,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,sDAAsD;IACtD,OAAO,CAAC,EAAE,kBAAkB,CAAC;CAC9B;AAMD,MAAM,WAAW,aAAa;IAC5B,2CAA2C;IAC3C,IAAI,EAAE,QAAQ,CAAC;IACf,qCAAqC;IACrC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,kDAAkD;IAClD,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,MAAM,iBAAiB,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,CAAC;AAE1D,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,iBAAiB,CAAC;IAC3B,IAAI,EAAE,QAAQ,CAAC;IACf,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,iDAAiD;IACjD,IAAI,CAAC,EAAE,IAAI,CAAC;CACb;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,QAAQ,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,QAAQ,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,iBAAiB,EAAE,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,UAAU,GAAG,WAAW,CAAC;IAC7D,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,QAAQ,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAMD,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,iFAAiF;IACjF,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACtC,8BAA8B;IAC9B,MAAM,EAAE,aAAa,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,kDAAkD;IAClD,gBAAgB,EAAE,MAAM,CAAC;IACzB,+CAA+C;IAC/C,aAAa,EAAE,MAAM,CAAC;CACvB;AAMD,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,QAAQ,GAAG,YAAY,CAAC;AAE9D,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,YAAY,CAAC;IACpB,MAAM,EAAE,aAAa,CAAC;IACtB,OAAO,EAAE,aAAa,EAAE,CAAC;IACzB,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAA
E,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,aAAa,CAAC;IACvB,UAAU,EAAE,gBAAgB,CAAC;IAC7B,wCAAwC;IACxC,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,iBAAiB,EAAE,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAMD,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,aAAa,CAAC;CACvB;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,eAAe,CAAC,EAAE,cAAc,CAAC;IACjC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,YAAY,CAAC;CACtB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,YAAY,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,aAAa,CAAC;IAC1B,OAAO,EAAE,aAAa,EAAE,CAAC;CAC1B;AAMD,MAAM,MAAM,eAAe,GACvB,eAAe,GACf,sBAAsB,GACtB,mBAAmB,GACnB,iBAAiB,GACjB,eAAe,GACf,iBAAiB,GACjB,gBAAgB,GAChB,eAAe,GACf,eAAe,GACf,gBAAgB,GAChB,iBAAiB,GACjB,sBAAsB,CAAC;AAE3B,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,eAAe,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC/B;AAMD,MAAM,MAAM,YAAY,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS,CAAC;AAE/D,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,aAAa,CAAC;IACtB,IAAI,EAAE,IAAI,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,YAAY,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,
WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAMD,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;CAChB"}
|
|
@@ -16,6 +16,30 @@ capabilities:
|
|
|
16
16
|
paths:
|
|
17
17
|
- "./src/**"
|
|
18
18
|
- "./tests/**"
|
|
19
|
+
- tool: "file:delete"
|
|
20
|
+
scope:
|
|
21
|
+
paths:
|
|
22
|
+
- "./src/**"
|
|
23
|
+
- "./tests/**"
|
|
24
|
+
- tool: "file:move"
|
|
25
|
+
scope:
|
|
26
|
+
paths:
|
|
27
|
+
- "./src/**"
|
|
28
|
+
- "./tests/**"
|
|
29
|
+
- tool: "file:copy"
|
|
30
|
+
scope:
|
|
31
|
+
paths:
|
|
32
|
+
- "./src/**"
|
|
33
|
+
- "./tests/**"
|
|
34
|
+
- tool: "directory:list"
|
|
35
|
+
scope:
|
|
36
|
+
paths:
|
|
37
|
+
- "./**"
|
|
38
|
+
- tool: "directory:create"
|
|
39
|
+
scope:
|
|
40
|
+
paths:
|
|
41
|
+
- "./src/**"
|
|
42
|
+
- "./tests/**"
|
|
19
43
|
- tool: "command:run"
|
|
20
44
|
scope:
|
|
21
45
|
binaries:
|
|
@@ -33,6 +57,14 @@ capabilities:
|
|
|
33
57
|
- tool: "git:apply"
|
|
34
58
|
scope:
|
|
35
59
|
repos: ["."]
|
|
60
|
+
- tool: "git:status"
|
|
61
|
+
scope:
|
|
62
|
+
repos: ["."]
|
|
63
|
+
- tool: "git:commit"
|
|
64
|
+
scope:
|
|
65
|
+
repos: ["."]
|
|
66
|
+
- tool: "env:read"
|
|
67
|
+
scope: {}
|
|
36
68
|
|
|
37
69
|
limits:
|
|
38
70
|
max_runtime_ms: 1800000 # 30 minutes
|
|
@@ -41,6 +73,18 @@ limits:
|
|
|
41
73
|
max_cost_usd: 5.0
|
|
42
74
|
|
|
43
75
|
gates:
|
|
76
|
+
- action: "file:delete"
|
|
77
|
+
approval: "human"
|
|
78
|
+
risk_level: "high"
|
|
79
|
+
|
|
80
|
+
- action: "file:move"
|
|
81
|
+
approval: "auto"
|
|
82
|
+
risk_level: "medium"
|
|
83
|
+
|
|
84
|
+
- action: "git:commit"
|
|
85
|
+
approval: "auto"
|
|
86
|
+
risk_level: "medium"
|
|
87
|
+
|
|
44
88
|
- action: "command:run"
|
|
45
89
|
approval: "human"
|
|
46
90
|
risk_level: "high"
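Review bot: The new `env:read` capability is granted with `scope: {}` and has no entry under `gates`, so nothing in this policy narrows which environment variables the agent may read or asks for approval before it does. Process environments commonly hold API tokens and other credentials, and how the engine interprets an empty scope is not visible from this page, so an example policy should not leave that implicit. I would add a gate entry, `- action: "env:read"` with `approval: "human"`, or at least a comment above the capability stating what an empty scope permits. Separately, `file:move` is auto-approved at `risk_level: "medium"` while `file:delete` requires human approval. If a move can overwrite an existing destination, which should be confirmed against the tool, it causes the same data loss without the gate.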
|
|
@@ -0,0 +1,160 @@
|
|
|
1
|
+
# Data Analyst Agent Policy
|
|
2
|
+
# Constrains a data analysis agent operating on datasets, generating reports,
|
|
3
|
+
# and querying external APIs — while preventing data exfiltration and
|
|
4
|
+
# unauthorized modifications to source data.
|
|
5
|
+
|
|
6
|
+
version: "1.0"
|
|
7
|
+
name: "data-analyst"
|
|
8
|
+
description: "Policy for a data analysis agent that reads datasets, runs analysis scripts, generates reports, and queries external data APIs."
|
|
9
|
+
|
|
10
|
+
capabilities:
|
|
11
|
+
- tool: "file:read"
|
|
12
|
+
scope:
|
|
13
|
+
paths:
|
|
14
|
+
- "./data/**"
|
|
15
|
+
- "./config/**"
|
|
16
|
+
- "./scripts/**"
|
|
17
|
+
- "./templates/**"
|
|
18
|
+
|
|
19
|
+
- tool: "file:write"
|
|
20
|
+
scope:
|
|
21
|
+
paths:
|
|
22
|
+
- "./output/**"
|
|
23
|
+
- "./reports/**"
|
|
24
|
+
- "./tmp/**"
|
|
25
|
+
|
|
26
|
+
- tool: "file:copy"
|
|
27
|
+
scope:
|
|
28
|
+
paths:
|
|
29
|
+
- "./data/**"
|
|
30
|
+
- "./output/**"
|
|
31
|
+
|
|
32
|
+
- tool: "file:delete"
|
|
33
|
+
scope:
|
|
34
|
+
paths:
|
|
35
|
+
- "./tmp/**"
|
|
36
|
+
- "./output/**"
|
|
37
|
+
|
|
38
|
+
- tool: "directory:list"
|
|
39
|
+
scope:
|
|
40
|
+
paths:
|
|
41
|
+
- "./data/**"
|
|
42
|
+
- "./output/**"
|
|
43
|
+
- "./reports/**"
|
|
44
|
+
- "./scripts/**"
|
|
45
|
+
|
|
46
|
+
- tool: "directory:create"
|
|
47
|
+
scope:
|
|
48
|
+
paths:
|
|
49
|
+
- "./output/**"
|
|
50
|
+
- "./reports/**"
|
|
51
|
+
- "./tmp/**"
|
|
52
|
+
|
|
53
|
+
- tool: "command:run"
|
|
54
|
+
scope:
|
|
55
|
+
binaries:
|
|
56
|
+
- "python"
|
|
57
|
+
- "python3"
|
|
58
|
+
- "pip"
|
|
59
|
+
- "Rscript"
|
|
60
|
+
- "node"
|
|
61
|
+
- "npx"
|
|
62
|
+
- "cat"
|
|
63
|
+
- "wc"
|
|
64
|
+
- "head"
|
|
65
|
+
- "tail"
|
|
66
|
+
- "sort"
|
|
67
|
+
|
|
68
|
+
- tool: "http:request"
|
|
69
|
+
scope:
|
|
70
|
+
domains:
|
|
71
|
+
- "api.census.gov"
|
|
72
|
+
- "api.worldbank.org"
|
|
73
|
+
- "data.gov"
|
|
74
|
+
- "api.data.yourcompany.com"
|
|
75
|
+
methods:
|
|
76
|
+
- "GET"
|
|
77
|
+
|
|
78
|
+
- tool: "env:read"
|
|
79
|
+
scope: {}
|
|
80
|
+
|
|
81
|
+
- tool: "archive:extract"
|
|
82
|
+
scope:
|
|
83
|
+
paths:
|
|
84
|
+
- "./data/**"
|
|
85
|
+
- "./tmp/**"
|
|
86
|
+
|
|
87
|
+
- tool: "network:dns"
|
|
88
|
+
scope:
|
|
89
|
+
domains:
|
|
90
|
+
- "api.census.gov"
|
|
91
|
+
- "api.worldbank.org"
|
|
92
|
+
- "data.gov"
|
|
93
|
+
|
|
94
|
+
limits:
|
|
95
|
+
max_runtime_ms: 3600000 # 60 minutes (analysis can be long)
|
|
96
|
+
max_output_bytes: 536870912 # 512 MB
|
|
97
|
+
max_files_changed: 100
|
|
98
|
+
max_retries: 3
|
|
99
|
+
max_cost_usd: 10.0
|
|
100
|
+
|
|
101
|
+
gates:
|
|
102
|
+
- action: "file:delete"
|
|
103
|
+
approval: "human"
|
|
104
|
+
risk_level: "medium"
|
|
105
|
+
|
|
106
|
+
- action: "http:request"
|
|
107
|
+
approval: "auto"
|
|
108
|
+
risk_level: "low"
|
|
109
|
+
|
|
110
|
+
- action: "command:run"
|
|
111
|
+
approval: "auto"
|
|
112
|
+
risk_level: "medium"
|
|
113
|
+
condition: "outside_scope"
|
|
114
|
+
|
|
115
|
+
evidence:
|
|
116
|
+
require:
|
|
117
|
+
- "checksums"
|
|
118
|
+
- "diffs"
|
|
119
|
+
- "exit_codes"
|
|
120
|
+
- "logs"
|
|
121
|
+
format: "jsonl"
|
|
122
|
+
|
|
123
|
+
forbidden:
|
|
124
|
+
- pattern: "**/.env"
|
|
125
|
+
- pattern: "**/.env.*"
|
|
126
|
+
- pattern: "**/credentials*"
|
|
127
|
+
- pattern: "**/secrets*"
|
|
128
|
+
- pattern: "**/passwords*"
|
|
129
|
+
- pattern: "curl | sh"
|
|
130
|
+
- pattern: "wget | sh"
|
|
131
|
+
- pattern: "rm -rf /"
|
|
132
|
+
- pattern: "pip install --user"
|
|
133
|
+
- pattern: "POST"
|
|
134
|
+
- pattern: "PUT"
|
|
135
|
+
- pattern: "DELETE"
|
|
136
|
+
|
|
137
|
+
session:
|
|
138
|
+
max_actions: 500
|
|
139
|
+
max_denials: 30
|
|
140
|
+
rate_limit:
|
|
141
|
+
max_per_minute: 60
|
|
142
|
+
escalation:
|
|
143
|
+
- after_actions: 200
|
|
144
|
+
require: human_checkin
|
|
145
|
+
- after_minutes: 30
|
|
146
|
+
require: human_checkin
|
|
147
|
+
|
|
148
|
+
remediation:
|
|
149
|
+
rules:
|
|
150
|
+
- match: "FileNotFoundError"
|
|
151
|
+
action: "retry"
|
|
152
|
+
- match: "MemoryError"
|
|
153
|
+
action: "abort"
|
|
154
|
+
- match: "ECONNREFUSED"
|
|
155
|
+
action: "retry"
|
|
156
|
+
- match: "disk full"
|
|
157
|
+
action: "abort"
|
|
158
|
+
- match: "permission denied"
|
|
159
|
+
action: "abort"
|
|
160
|
+
fallback_chain: ["retry", "skip", "abort"]
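Review bot: The `command:run` scope allows `python`, `python3`, `node`, `npx`, `pip` and `Rscript`, and its gate is `approval: "auto"`, which conflicts with the header comment's stated goal of preventing data exfiltration and unauthorized modification of source data. A script started by any of these interpreters can open its own network connections and touch files directly. Unless the engine sandboxes child processes (not visible here), the `http:request` domain allowlist, the GET-only `methods` list and the `file:*` path scopes do not constrain it. I would set that gate to `approval: "human"` and `risk_level: "high"`, as the policy in the previous file section does for `command:run`, or trim the binaries list to what the analysis needs. The `forbidden` entries `"POST"`, `"PUT"` and `"DELETE"` appear to be bare string patterns, and a comment saying what they are matched against would help, because they would not stop a script from issuing such requests and may match unrelated text. `env:read` with `scope: {}` is also ungated here.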
|