@lobu/worker 6.1.1 → 7.0.0

package/src/openclaw/tool-policy.ts

@@ -0,0 +1,248 @@
+import type { ToolsConfig } from "@lobu/core";
+
+export type BashCommandPolicy = {
+  allowAll: boolean;
+  allowPrefixes: string[];
+  denyPrefixes: string[];
+};
+
+type ToolPolicy = {
+  toolsConfig?: ToolsConfig;
+  allowedPatterns: string[];
+  deniedPatterns: string[];
+  strictMode: boolean;
+  bashPolicy: BashCommandPolicy;
+};
+
+const DEFAULT_PACKAGE_MANAGER_DENY_PREFIXES = [
+  "apt ",
+  "apt-get ",
+  "yum ",
+  "dnf ",
+  "apk ",
+  "pacman ",
+  "zypper ",
+  "brew ",
+  "nix-shell ",
+  "nix-env ",
+  "nix profile ",
+  "sudo apt ",
+  "sudo apt-get ",
+  "sudo yum ",
+  "sudo dnf ",
+  "sudo apk ",
+  "sudo pacman ",
+  "sudo zypper ",
+  "sudo brew ",
+  "sudo nix-shell ",
+  "sudo nix-env ",
+  "sudo nix profile ",
+  "pip install ",
+  "pip3 install ",
+  "uv pip install ",
+  "npm install ",
+  "npm i ",
+  "pnpm install ",
+  "pnpm add ",
+  "yarn install ",
+  "yarn add ",
+  "bun install ",
+  "bun add ",
+  "cargo install ",
+  "go install ",
+  "gem install ",
+  "poetry add ",
+  "composer require ",
+];
+
+const DIRECT_PACKAGE_INSTALL_PATTERNS = [
+  /(^|[\s"'`;|&()])(?:sudo\s+)?(?:apt|apt-get|yum|dnf|apk|pacman|zypper|brew)\s+(?:install|upgrade|add)\b/i,
+  /(^|[\s"'`;|&()])(?:sudo\s+)?(?:nix-shell|nix-env)\b/i,
+  /(^|[\s"'`;|&()])(?:sudo\s+)?nix\s+profile\b/i,
+  /(^|[\s"'`;|&()])(?:pip|pip3)\s+install\b/i,
+  /(^|[\s"'`;|&()])uv\s+pip\s+install\b/i,
+  /(^|[\s"'`;|&()])npm\s+(?:install|i)\b/i,
+  /(^|[\s"'`;|&()])pnpm\s+(?:install|add)\b/i,
+  /(^|[\s"'`;|&()])yarn\s+(?:install|add|global\s+add)\b/i,
+  /(^|[\s"'`;|&()])bun\s+(?:install|add)\b/i,
+  /(^|[\s"'`;|&()])cargo\s+install\b/i,
+  /(^|[\s"'`;|&()])go\s+install\b/i,
+  /(^|[\s"'`;|&()])gem\s+install\b/i,
+  /(^|[\s"'`;|&()])poetry\s+add\b/i,
+  /(^|[\s"'`;|&()])composer\s+require\b/i,
+];
+
+export function isDirectPackageInstallCommand(command: string): boolean {
+  const trimmed = command.trim().toLowerCase();
+  if (!trimmed) {
+    return false;
+  }
+
+  return (
+    DEFAULT_PACKAGE_MANAGER_DENY_PREFIXES.some((prefix) =>
+      trimmed.startsWith(prefix.toLowerCase())
+    ) ||
+    DIRECT_PACKAGE_INSTALL_PATTERNS.some((pattern) => pattern.test(trimmed))
+  );
+}
+
+function normalizePattern(pattern: string): string {
+  return pattern.trim();
+}
+
+function normalizeToolName(name: string): string {
+  return name.trim().toLowerCase();
+}
+
+export function normalizeToolList(value?: string | string[]): string[] {
+  if (!value) {
+    return [];
+  }
+  const rawList = Array.isArray(value) ? value : value.split(/[,\n]/);
+  return rawList
+    .map((entry) =>
+      typeof entry === "string" ? entry.trim() : String(entry).trim()
+    )
+    .filter((entry) => entry.length > 0);
+}
+
+function parseBashFilter(pattern: string): string | null {
+  const match = pattern.match(/^Bash\(([^:]+):\*\)$/i);
+  if (!match) {
+    return null;
+  }
+  const prefix = match[1]?.trim();
+  return prefix ? prefix : null;
+}
+
+function matchesToolPattern(toolName: string, pattern: string): boolean {
+  const normalizedTool = normalizeToolName(toolName);
+  const normalizedPattern = normalizePattern(pattern);
+  const normalizedPatternLower = normalizedPattern.toLowerCase();
+
+  if (normalizedPattern === "*") {
+    return true;
+  }
+
+  if (normalizedPatternLower.endsWith("*")) {
+    const prefix = normalizedPatternLower.slice(0, -1);
+    return normalizedTool.startsWith(prefix);
+  }
+
+  return normalizedTool === normalizedPatternLower;
+}
+
+export function buildToolPolicy(params: {
+  toolsConfig?: ToolsConfig;
+  allowedTools?: string | string[];
+  disallowedTools?: string | string[];
+}): ToolPolicy {
+  const allowedPatterns = normalizeToolList(params.allowedTools);
+  const deniedPatterns = normalizeToolList(params.disallowedTools);
+  const toolsConfig = params.toolsConfig;
+  const strictMode = toolsConfig?.strictMode === true;
+
+  const mergedAllowed = [
+    ...(toolsConfig?.allowedTools ?? []),
+    ...allowedPatterns,
+  ].map(normalizePattern);
+  const mergedDenied = [
+    ...(toolsConfig?.deniedTools ?? []),
+    ...deniedPatterns,
+  ].map(normalizePattern);
+
+  const bashAllowPrefixes = mergedAllowed
+    .map((pattern) => parseBashFilter(pattern))
+    .filter((prefix): prefix is string => Boolean(prefix));
+
+  const bashDenyPrefixes = mergedDenied
+    .map((pattern) => parseBashFilter(pattern))
+    .filter((prefix): prefix is string => Boolean(prefix));
+
+  const bashAllowAll = mergedAllowed.some((pattern) =>
+    matchesToolPattern("bash", pattern)
+  );
+
+  return {
+    toolsConfig,
+    allowedPatterns: mergedAllowed,
+    deniedPatterns: mergedDenied,
+    strictMode,
+    bashPolicy: {
+      allowAll: bashAllowAll,
+      allowPrefixes: bashAllowPrefixes,
+      denyPrefixes: [
+        ...DEFAULT_PACKAGE_MANAGER_DENY_PREFIXES,
+        ...bashDenyPrefixes,
+      ],
+    },
+  };
+}
+
+export function isToolAllowedByPolicy(
+  toolName: string,
+  policy: ToolPolicy
+): boolean {
+  const normalizedName = normalizeToolName(toolName);
+  const { allowedPatterns, deniedPatterns, strictMode } = policy;
+
+  const explicitDenied = deniedPatterns.some(
+    (pattern) =>
+      !parseBashFilter(pattern) && matchesToolPattern(normalizedName, pattern)
+  );
+  if (explicitDenied) {
+    return false;
+  }
+
+  if (normalizedName === "bash") {
+    if (strictMode) {
+      const explicitlyAllowed = allowedPatterns.some((pattern) =>
+        matchesToolPattern(normalizedName, pattern)
+      );
+      const hasCommandAllowlist = policy.bashPolicy.allowPrefixes.length > 0;
+      return explicitlyAllowed || hasCommandAllowlist;
+    }
+    return true;
+  }
+
+  if (!strictMode) {
+    return true;
+  }
+
+  return allowedPatterns.some((pattern) =>
+    matchesToolPattern(normalizedName, pattern)
+  );
+}
+
+export function enforceBashCommandPolicy(
+  command: string,
+  policy: BashCommandPolicy
+): void {
+  const trimmed = command.trim();
+  if (!trimmed) {
+    return;
+  }
+
+  const normalizedCommand = trimmed.toLowerCase();
+  const denyMatchPrefix = policy.denyPrefixes.find((prefix) =>
+    normalizedCommand.startsWith(prefix.toLowerCase())
+  );
+  if (denyMatchPrefix) {
+    throw new Error("Bash command denied by policy");
+  }
+
+  if (policy.allowAll) {
+    return;
+  }
+
+  if (policy.allowPrefixes.length === 0) {
+    return;
+  }
+
+  const allowMatch = policy.allowPrefixes.some((prefix) =>
+    normalizedCommand.startsWith(prefix.toLowerCase())
+  );
+  if (!allowMatch) {
+    throw new Error("Bash command not allowed by policy");
+  }
+}

package/src/openclaw/tools.ts

@@ -0,0 +1,277 @@
+import type { AgentTool } from "@mariozechner/pi-agent-core";
+import {
+  type BashOperations,
+  createBashTool,
+  createEditTool,
+  createFindTool,
+  createGrepTool,
+  createLsTool,
+  createReadTool,
+  createWriteTool,
+} from "@mariozechner/pi-coding-agent";
+import { Type } from "@sinclair/typebox";
+import { stripEnv } from "@lobu/core";
+import { isDirectPackageInstallCommand } from "./tool-policy";
+import { SENSITIVE_WORKER_ENV_KEYS } from "../shared/worker-env-keys";
+
+type RequiredParamGroup = {
+  keys: readonly string[];
+  allowEmpty?: boolean;
+  label?: string;
+};
+
+const CLAUDE_PARAM_GROUPS: Record<
+  "read" | "write" | "edit",
+  RequiredParamGroup[]
+> = {
+  read: [{ keys: ["path", "file_path"], label: "path (path or file_path)" }],
+  write: [{ keys: ["path", "file_path"], label: "path (path or file_path)" }],
+  edit: [
+    { keys: ["path", "file_path"], label: "path (path or file_path)" },
+    {
+      keys: ["oldText", "old_string"],
+      label: "oldText (oldText or old_string)",
+    },
+    {
+      keys: ["newText", "new_string"],
+      label: "newText (newText or new_string)",
+    },
+  ],
+};
+
+function normalizeToolParams(
+  params: unknown
+): Record<string, unknown> | undefined {
+  if (!params || typeof params !== "object") {
+    return undefined;
+  }
+  const record = params as Record<string, unknown>;
+  const normalized = { ...record };
+
+  if ("file_path" in normalized && !("path" in normalized)) {
+    normalized.path = normalized.file_path;
+    delete normalized.file_path;
+  }
+  if ("old_string" in normalized && !("oldText" in normalized)) {
+    normalized.oldText = normalized.old_string;
+    delete normalized.old_string;
+  }
+  if ("new_string" in normalized && !("newText" in normalized)) {
+    normalized.newText = normalized.new_string;
+    delete normalized.new_string;
+  }
+  return normalized;
+}
+
+function assertRequiredParams(
+  params: Record<string, unknown>,
+  groups: RequiredParamGroup[]
+): void {
+  for (const group of groups) {
+    const hasValue = group.keys.some((key) => {
+      const value = params[key];
+      if (value === undefined || value === null) {
+        return false;
+      }
+      if (
+        !group.allowEmpty &&
+        typeof value === "string" &&
+        value.trim() === ""
+      ) {
+        return false;
+      }
+      return true;
+    });
+    if (!hasValue) {
+      const label = group.label ?? group.keys.join(" or ");
+      throw new Error(`Missing required parameter: ${label}`);
+    }
+  }
+}
+
+function wrapToolWithNormalization(params: {
+  tool: AgentTool<any>;
+  required: RequiredParamGroup[];
+  schema: unknown;
+}): AgentTool<any> {
+  const { tool, required, schema } = params;
+  return {
+    ...tool,
+    parameters: schema as any,
+    execute: async (toolCallId, rawParams, signal, onUpdate) => {
+      const normalized = normalizeToolParams(rawParams) ?? {};
+      assertRequiredParams(normalized, required);
+      return tool.execute(toolCallId, normalized as any, signal, onUpdate);
+    },
+  };
+}
+
+function buildReadSchema() {
+  return Type.Object({
+    path: Type.Optional(Type.String({ description: "Path to the file" })),
+    file_path: Type.Optional(Type.String({ description: "Path to the file" })),
+    offset: Type.Optional(
+      Type.Number({ description: "Start reading at this byte offset" })
+    ),
+    limit: Type.Optional(Type.Number({ description: "Maximum bytes to read" })),
+  });
+}
+
+function buildWriteSchema() {
+  return Type.Object({
+    path: Type.Optional(Type.String({ description: "Path to the file" })),
+    file_path: Type.Optional(Type.String({ description: "Path to the file" })),
+    content: Type.String({ description: "Content to write" }),
+  });
+}
+
+function buildEditSchema() {
+  return Type.Object({
+    path: Type.Optional(Type.String({ description: "Path to the file" })),
+    file_path: Type.Optional(Type.String({ description: "Path to the file" })),
+    oldText: Type.Optional(Type.String({ description: "Text to replace" })),
+    old_string: Type.Optional(Type.String({ description: "Text to replace" })),
+    newText: Type.Optional(Type.String({ description: "Replacement text" })),
+    new_string: Type.Optional(Type.String({ description: "Replacement text" })),
+  });
+}
+
+export function createOpenClawTools(
+  cwd: string,
+  options?: { bashOperations?: BashOperations }
+): AgentTool<any>[] {
+  const read = wrapToolWithNormalization({
+    tool: createReadTool(cwd),
+    required: CLAUDE_PARAM_GROUPS.read,
+    schema: buildReadSchema(),
+  });
+
+  const write = wrapToolWithNormalization({
+    tool: createWriteTool(cwd),
+    required: CLAUDE_PARAM_GROUPS.write,
+    schema: buildWriteSchema(),
+  });
+
+  const edit = wrapToolWithNormalization({
+    tool: createEditTool(cwd),
+    required: CLAUDE_PARAM_GROUPS.edit,
+    schema: buildEditSchema(),
+  });
+
+  const bashToolOpts = {
+    ...(options?.bashOperations ? { operations: options.bashOperations } : {}),
+    spawnHook: (params: {
+      command: string;
+      cwd: string;
+      env: Record<string, string | undefined>;
+    }) => ({
+      command: params.command,
+      cwd: params.cwd,
+      env: stripEnv(params.env, SENSITIVE_WORKER_ENV_KEYS) as NodeJS.ProcessEnv,
+    }),
+  };
+  const bash = wrapBashWithProxyHint(createBashTool(cwd, bashToolOpts));
+
+  return [
+    read,
+    write,
+    edit,
+    bash,
+    createGrepTool(cwd),
+    createFindTool(cwd),
+    createLsTool(cwd),
+  ];
+}
+
+function isDirectGatewayApiAccessCommand(command: string): boolean {
+  const trimmed = command.trim();
+  if (!trimmed) {
+    return false;
+  }
+
+  if (/\$(?:\{)?(?:DISPATCHER_URL|WORKER_TOKEN)\b/.test(trimmed)) {
+    return true;
+  }
+
+  if (!/\b(?:curl|wget|http|httpie|fetch)\b/i.test(trimmed)) {
+    return false;
+  }
+
+  if (!/\/(?:internal|mcp)(?:\/|\b)/i.test(trimmed)) {
+    return false;
+  }
+
+  const gatewayTargets = new Set<string>([
+    "http://gateway",
+    "https://gateway",
+    "gateway:",
+    "http://dispatcher",
+    "https://dispatcher",
+    "dispatcher:",
+    "http://localhost",
+    "https://localhost",
+    "localhost:",
+    "http://127.0.0.1",
+    "https://127.0.0.1",
+    "127.0.0.1:",
+  ]);
+
+  const dispatcherUrl = process.env.DISPATCHER_URL?.trim();
+  if (dispatcherUrl) {
+    gatewayTargets.add(dispatcherUrl);
+    gatewayTargets.add(dispatcherUrl.replace(/\/+$/, ""));
+    try {
+      const parsed = new URL(dispatcherUrl);
+      gatewayTargets.add(`${parsed.protocol}//${parsed.host}`);
+      gatewayTargets.add(parsed.host);
+      gatewayTargets.add(parsed.hostname);
+    } catch {
+      // Ignore invalid dispatcher URLs and rely on static aliases.
+    }
+  }
+
+  const normalized = trimmed.toLowerCase();
+  return [...gatewayTargets].some((target) =>
+    normalized.includes(target.toLowerCase())
+  );
+}
+
+/**
+ * Wrap bash tool to detect proxy CONNECT 403 errors and append a hint.
+ * curl doesn't display the proxy response body for CONNECT failures,
+ * so the model never sees "Domain not allowed" — only exit code 56.
+ */
+function wrapBashWithProxyHint(tool: AgentTool<any>): AgentTool<any> {
+  const PROXY_403_PATTERN = /Received HTTP code 403 from proxy after CONNECT/i;
+
+  return {
+    ...tool,
+    execute: async (toolCallId, params, signal, onUpdate) => {
+      const command =
+        params && typeof params === "object" && "command" in params
+          ? String((params as { command?: unknown }).command ?? "")
+          : "";
+      if (isDirectGatewayApiAccessCommand(command)) {
+        throw new Error(
+          "DIRECT GATEWAY API ACCESS BLOCKED. Use the registered MCP/auth tools instead of calling gateway /mcp or /internal endpoints from Bash."
+        );
+      }
+      if (isDirectPackageInstallCommand(command)) {
+        throw new Error(
+          "DIRECT PACKAGE INSTALL BLOCKED. Install system packages with nixPackages in lobu.toml or agent settings instead of using package managers inside the worker."
+        );
+      }
+      try {
+        return await tool.execute(toolCallId, params, signal, onUpdate);
+      } catch (err: any) {
+        const msg = err?.message ?? String(err);
+        if (PROXY_403_PATTERN.test(msg)) {
+          throw new Error(
+            `DOMAIN BLOCKED BY PROXY. The domain is blocked at the network level. Network access is configured via lobu.toml or the gateway configuration APIs — do NOT retry the request.\n\n${msg}`
+          );
+        }
+        throw err;
+      }
+    },
+  };
+}