@plusplus7/clawclamp 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +94 -0
- package/README.zh-CN.md +94 -0
- package/RELEASE.md +34 -0
- package/assets/app.js +362 -0
- package/assets/index.html +125 -0
- package/assets/styles.css +432 -0
- package/index.ts +45 -0
- package/openclaw.plugin.json +10 -0
- package/package.json +17 -0
- package/src/audit.ts +94 -0
- package/src/cedarling.ts +46 -0
- package/src/config.ts +249 -0
- package/src/grants.ts +183 -0
- package/src/guard.test.ts +69 -0
- package/src/guard.ts +342 -0
- package/src/http.ts +433 -0
- package/src/mode.ts +48 -0
- package/src/policy-store.ts +186 -0
- package/src/policy.ts +74 -0
- package/src/storage.ts +23 -0
- package/src/types.ts +63 -0
package/src/policy.ts
ADDED
|
@@ -0,0 +1,74 @@
|
|
|
1
|
+
const DEFAULT_SCHEMA = `entity User = {
|
|
2
|
+
role: String
|
|
3
|
+
};
|
|
4
|
+
|
|
5
|
+
entity Tool = {
|
|
6
|
+
name: String,
|
|
7
|
+
risk: String
|
|
8
|
+
};
|
|
9
|
+
|
|
10
|
+
action "Invoke" appliesTo {
|
|
11
|
+
principal: [User],
|
|
12
|
+
resource: [Tool],
|
|
13
|
+
context: {
|
|
14
|
+
now: Long,
|
|
15
|
+
tool: String,
|
|
16
|
+
risk: String,
|
|
17
|
+
}
|
|
18
|
+
};
|
|
19
|
+
`;
|
|
20
|
+
|
|
21
|
+
const DEFAULT_POLICIES: string[] = [];
|
|
22
|
+
|
|
23
|
+
const POLICY_STORE_ID = "clawclamp";
|
|
24
|
+
|
|
25
|
+
type EncodedContent = {
|
|
26
|
+
encoding: "none" | "base64";
|
|
27
|
+
content_type: "cedar" | "cedar-json";
|
|
28
|
+
body: string;
|
|
29
|
+
};
|
|
30
|
+
|
|
31
|
+
function toBase64(raw: string): string {
|
|
32
|
+
return Buffer.from(raw, "utf8").toString("base64");
|
|
33
|
+
}
|
|
34
|
+
|
|
35
|
+
function buildSchemaContent(): EncodedContent {
|
|
36
|
+
return {
|
|
37
|
+
encoding: "none",
|
|
38
|
+
content_type: "cedar",
|
|
39
|
+
body: DEFAULT_SCHEMA,
|
|
40
|
+
};
|
|
41
|
+
}
|
|
42
|
+
|
|
43
|
+
export function buildDefaultPolicyStore(): Record<string, unknown> {
|
|
44
|
+
const policies: Record<
|
|
45
|
+
string,
|
|
46
|
+
{
|
|
47
|
+
cedar_version: string;
|
|
48
|
+
name: string;
|
|
49
|
+
description: string;
|
|
50
|
+
policy_content: string;
|
|
51
|
+
}
|
|
52
|
+
> = {};
|
|
53
|
+
DEFAULT_POLICIES.forEach((policy, index) => {
|
|
54
|
+
policies[`openclaw-clawclamp-${index + 1}`] = {
|
|
55
|
+
cedar_version: "v4.0.0",
|
|
56
|
+
name: `Clawclamp Default Policy ${index + 1}`,
|
|
57
|
+
description: "Default grant-based permit policy.",
|
|
58
|
+
policy_content: toBase64(policy),
|
|
59
|
+
};
|
|
60
|
+
});
|
|
61
|
+
|
|
62
|
+
return {
|
|
63
|
+
cedar_version: "v4.0.0",
|
|
64
|
+
policy_stores: {
|
|
65
|
+
[POLICY_STORE_ID]: {
|
|
66
|
+
name: "Clawclamp Policy Store",
|
|
67
|
+
description: "Local Cedar policies for Clawclamp.",
|
|
68
|
+
policies,
|
|
69
|
+
schema: buildSchemaContent(),
|
|
70
|
+
trusted_issuers: {},
|
|
71
|
+
},
|
|
72
|
+
},
|
|
73
|
+
};
|
|
74
|
+
}
|
package/src/storage.ts
ADDED
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
import path from "node:path";
|
|
2
|
+
import type { FileLockOptions } from "openclaw/plugin-sdk";
|
|
3
|
+
import { withFileLock } from "openclaw/plugin-sdk";
|
|
4
|
+
|
|
5
|
+
export const DEFAULT_LOCK_OPTIONS: FileLockOptions = {
|
|
6
|
+
retries: {
|
|
7
|
+
retries: 8,
|
|
8
|
+
factor: 1.5,
|
|
9
|
+
minTimeout: 50,
|
|
10
|
+
maxTimeout: 500,
|
|
11
|
+
randomize: true,
|
|
12
|
+
},
|
|
13
|
+
stale: 10_000,
|
|
14
|
+
};
|
|
15
|
+
|
|
16
|
+
export async function withStateFileLock<T>(
|
|
17
|
+
stateDir: string,
|
|
18
|
+
name: string,
|
|
19
|
+
fn: () => Promise<T>,
|
|
20
|
+
): Promise<T> {
|
|
21
|
+
const lockPath = path.join(stateDir, "clawclamp", `${name}.lockfile`);
|
|
22
|
+
return withFileLock(lockPath, DEFAULT_LOCK_OPTIONS, fn);
|
|
23
|
+
}
|
package/src/types.ts
ADDED
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
export type RiskLevel = "low" | "medium" | "high";
|
|
2
|
+
|
|
3
|
+
export type ClawClampMode = "enforce" | "gray";
|
|
4
|
+
|
|
5
|
+
export type ClawClampConfig = {
|
|
6
|
+
enabled: boolean;
|
|
7
|
+
mode: ClawClampMode;
|
|
8
|
+
principalId: string;
|
|
9
|
+
policyStoreUri?: string;
|
|
10
|
+
policyStoreLocal?: string;
|
|
11
|
+
uiToken?: string;
|
|
12
|
+
policyFailOpen: boolean;
|
|
13
|
+
risk: {
|
|
14
|
+
default: RiskLevel;
|
|
15
|
+
overrides: Record<string, RiskLevel>;
|
|
16
|
+
};
|
|
17
|
+
grants: {
|
|
18
|
+
defaultTtlSeconds: number;
|
|
19
|
+
maxTtlSeconds: number;
|
|
20
|
+
};
|
|
21
|
+
audit: {
|
|
22
|
+
maxEntries: number;
|
|
23
|
+
includeParams: boolean;
|
|
24
|
+
maxParamLength: number;
|
|
25
|
+
};
|
|
26
|
+
};
|
|
27
|
+
|
|
28
|
+
export type ModeState = {
|
|
29
|
+
modeOverride?: ClawClampMode;
|
|
30
|
+
updatedAt?: string;
|
|
31
|
+
};
|
|
32
|
+
|
|
33
|
+
export type GrantRecord = {
|
|
34
|
+
id: string;
|
|
35
|
+
toolName: string;
|
|
36
|
+
createdAt: string;
|
|
37
|
+
expiresAt: string;
|
|
38
|
+
note?: string;
|
|
39
|
+
};
|
|
40
|
+
|
|
41
|
+
export type AuditDecision = "allow" | "deny" | "allow_grayed" | "error";
|
|
42
|
+
|
|
43
|
+
export type AuditEntry = {
|
|
44
|
+
id: string;
|
|
45
|
+
timestamp: string;
|
|
46
|
+
toolName: string;
|
|
47
|
+
toolCallId?: string;
|
|
48
|
+
runId?: string;
|
|
49
|
+
sessionId?: string;
|
|
50
|
+
sessionKey?: string;
|
|
51
|
+
agentId?: string;
|
|
52
|
+
risk: RiskLevel;
|
|
53
|
+
cedarDecision?: "allow" | "deny" | "error";
|
|
54
|
+
decision: AuditDecision;
|
|
55
|
+
reason?: string;
|
|
56
|
+
params?: Record<string, unknown> | string;
|
|
57
|
+
grantId?: string;
|
|
58
|
+
grantExpiresAt?: string;
|
|
59
|
+
grayMode?: boolean;
|
|
60
|
+
resultStatus?: "ok" | "error" | "pending";
|
|
61
|
+
error?: string;
|
|
62
|
+
durationMs?: number;
|
|
63
|
+
};
|