@s-gw/s-gw 0.1.0
- package/.codex-plugin/plugin.json +35 -0
- package/.mcp.json +16 -0
- package/LICENSE +201 -0
- package/NOTICE +7 -0
- package/README.md +197 -0
- package/TRADEMARKS.md +9 -0
- package/assets/icons/aws-ec2.png +0 -0
- package/assets/icons/lucide/bot.svg +8 -0
- package/assets/icons/lucide/monitor.svg +5 -0
- package/assets/icons/lucide/server.svg +6 -0
- package/assets/icons/lucide/terminal.svg +4 -0
- package/assets/icons/s-gw-128.png +0 -0
- package/assets/icons/s-gw-16.png +0 -0
- package/assets/icons/s-gw-180.png +0 -0
- package/assets/icons/s-gw-192.png +0 -0
- package/assets/icons/s-gw-32.png +0 -0
- package/assets/icons/s-gw-64.png +0 -0
- package/assets/icons/s-gw-menu-bar-template.png +0 -0
- package/dist/agent-context.d.ts +17 -0
- package/dist/agent-context.js +207 -0
- package/dist/agents.d.ts +64 -0
- package/dist/agents.js +763 -0
- package/dist/cli.d.ts +2 -0
- package/dist/cli.js +1385 -0
- package/dist/command-suggest.d.ts +3 -0
- package/dist/command-suggest.js +131 -0
- package/dist/console-server.d.ts +16 -0
- package/dist/console-server.js +978 -0
- package/dist/console-ui/assets/codex-DYTPdPxi.png +0 -0
- package/dist/console-ui/assets/cursor-CBrUTJD-.png +0 -0
- package/dist/console-ui/assets/geist-cyrillic-ext-wght-normal-DjL33-gN.woff2 +0 -0
- package/dist/console-ui/assets/geist-cyrillic-wght-normal-BEAKL7Jp.woff2 +0 -0
- package/dist/console-ui/assets/geist-latin-ext-wght-normal-DC-KSUi6.woff2 +0 -0
- package/dist/console-ui/assets/geist-latin-wght-normal-BgDaEnEv.woff2 +0 -0
- package/dist/console-ui/assets/geist-vietnamese-wght-normal-6IgcOCM7.woff2 +0 -0
- package/dist/console-ui/assets/hermes-B8hNbJPm.png +0 -0
- package/dist/console-ui/assets/index-BxUf0Sye.js +96 -0
- package/dist/console-ui/assets/index-CmTiBR_w.css +2 -0
- package/dist/console-ui/assets/omnigent-Cxa4p2Mq.png +0 -0
- package/dist/console-ui/assets/openclaw-C5wL4ZVW.png +0 -0
- package/dist/console-ui/assets/opencode-D_wFATSC.png +0 -0
- package/dist/console-ui/assets/openhands-DnrlGgev.svg +9 -0
- package/dist/console-ui/assets/s-gw-64-ByMUGQ3K.png +0 -0
- package/dist/console-ui/assets/vscode-Bdtr9eyf.png +0 -0
- package/dist/console-ui/assets/zeptoclaw-DztQW8Sw.png +0 -0
- package/dist/console-ui/index.html +13 -0
- package/dist/crypto.d.ts +6 -0
- package/dist/crypto.js +53 -0
- package/dist/executor.d.ts +7 -0
- package/dist/executor.js +297 -0
- package/dist/gateway.d.ts +31 -0
- package/dist/gateway.js +114 -0
- package/dist/guard.d.ts +61 -0
- package/dist/guard.js +247 -0
- package/dist/install.d.ts +146 -0
- package/dist/install.js +629 -0
- package/dist/mcp-server.d.ts +2 -0
- package/dist/mcp-server.js +119 -0
- package/dist/native/s-gw-core +0 -0
- package/dist/native/s-gw-keychain-helper +0 -0
- package/dist/onepassword.d.ts +48 -0
- package/dist/onepassword.js +412 -0
- package/dist/paths.d.ts +4 -0
- package/dist/paths.js +22 -0
- package/dist/s-gw Menu Bar.app/Contents/Info.plist +28 -0
- package/dist/s-gw Menu Bar.app/Contents/MacOS/s-gw-menu-bar-helper +0 -0
- package/dist/s-gw Menu Bar.app/Contents/Resources/AppIcon.icns +0 -0
- package/dist/s-gw Menu Bar.app/Contents/Resources/AwsEc2.png +0 -0
- package/dist/s-gw Menu Bar.app/Contents/Resources/Lucide-bot.svg +8 -0
- package/dist/s-gw Menu Bar.app/Contents/Resources/Lucide-monitor.svg +5 -0
- package/dist/s-gw Menu Bar.app/Contents/Resources/Lucide-server.svg +6 -0
- package/dist/s-gw Menu Bar.app/Contents/Resources/Lucide-terminal.svg +4 -0
- package/dist/s-gw Menu Bar.app/Contents/Resources/MenuBarTemplate.png +0 -0
- package/dist/s-gw Menu Bar.app/Contents/_CodeSignature/CodeResources +194 -0
- package/dist/s-gw.app/Contents/Info.plist +28 -0
- package/dist/s-gw.app/Contents/MacOS/s-gw +0 -0
- package/dist/s-gw.app/Contents/Resources/AppIcon.icns +0 -0
- package/dist/s-gw.app/Contents/Resources/MenuBarTemplate.png +0 -0
- package/dist/s-gw.app/Contents/_CodeSignature/CodeResources +139 -0
- package/dist/scanner.d.ts +9 -0
- package/dist/scanner.js +437 -0
- package/dist/ssh.d.ts +31 -0
- package/dist/ssh.js +286 -0
- package/dist/store.d.ts +131 -0
- package/dist/store.js +1611 -0
- package/dist/types.d.ts +196 -0
- package/dist/types.js +2 -0
- package/dist/unlock.d.ts +29 -0
- package/dist/unlock.js +274 -0
- package/dist/windows/VERSION.txt +1 -0
- package/dist/windows/s-gw-client.cmd +4 -0
- package/dist/windows/s-gw-client.ps1 +106 -0
- package/dist/windows/s-gw-credential.cmd +4 -0
- package/dist/windows/s-gw-credential.ps1 +167 -0
- package/dist/windows/s-gw-helper.cmd +4 -0
- package/dist/windows/s-gw-helper.ps1 +180 -0
- package/docs/README.md +23 -0
- package/docs/agents.md +160 -0
- package/docs/architecture.md +72 -0
- package/docs/deployment.md +447 -0
- package/docs/detection.md +44 -0
- package/docs/images/s-gw-overview.png +0 -0
- package/docs/integrations.md +195 -0
- package/docs/keychain.md +39 -0
- package/docs/onepassword.md +84 -0
- package/docs/quickstart.md +104 -0
- package/docs/threat-model.md +100 -0
- package/docs/ui/THIRD_PARTY_NOTICES.md +111 -0
- package/docs/ui/apple-touch-icon.png +0 -0
- package/docs/ui/favicon-32.png +0 -0
- package/docs/ui/local-console.html +4477 -0
- package/docs/ui/vendor/d3-sankey/d3-array.LICENSE.txt +27 -0
- package/docs/ui/vendor/d3-sankey/d3-array.min.js +2 -0
- package/docs/ui/vendor/d3-sankey/d3-path.LICENSE.txt +27 -0
- package/docs/ui/vendor/d3-sankey/d3-path.min.js +2 -0
- package/docs/ui/vendor/d3-sankey/d3-sankey.LICENSE.txt +27 -0
- package/docs/ui/vendor/d3-sankey/d3-sankey.min.js +2 -0
- package/docs/ui/vendor/d3-sankey/d3-shape.LICENSE.txt +27 -0
- package/docs/ui/vendor/d3-sankey/d3-shape.min.js +2 -0
- package/docs/ui/vendor/sankeymatic/LICENSE.txt +17 -0
- package/docs/ui/vendor/sankeymatic/sankey.js +897 -0
- package/package.json +117 -0
- package/skills/s-gw/SKILL.md +19 -0
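--- a/package/docs/keychain.md
+++ b/package/docs/keychain.md
@@ -0,0 +1,39 @@
+# OS Credential Store Backend
+
+s-gw can store credential values in the local OS credential store: macOS Keychain on macOS and Windows Credential Manager on Windows preview builds. Agents still receive only handles such as `s-gw:api-token:...`; the raw value is read from the local store only after s-gw has an approved local request to execute.
+
+## Add A Credential-Store-Backed Handle
+
+```bash
+printf '%s' "$MY_API_TOKEN" | s-gw secret add-keychain \
+--name prod-api-token \
+--type api-token \
+--value-stdin \
+--inject-env API_TOKEN \
+--allow-command "$(command -v node)"
+```
+
+The raw credential is written through the bundled helper on stdin. The encrypted s-gw ledger keeps only handle metadata and an encrypted credential-store pointer:
+
+```json
+{
+"service": "com.s-gw.sgw.secret",
+"account": "s-gw:api-token:..."
+}
+```
+
+Use `--service SERVICE` or `SGW_SECRET_KEYCHAIN_SERVICE` when you want a separate credential-store namespace for testing, work, or isolated profiles.
+
+Automatic capture paths, including guard mode and the local console API, prefer the OS credential store on macOS and Windows. Set `SGW_SECRET_BACKEND=local` only for compatibility testing or environments without the native helper.
+
+## Local Execution Flow
+
+1. An agent sees a tokenized handle, not the credential.
+2. The agent asks s-gw to use the handle for a concrete action.
+3. s-gw applies policy and asks for approval when required.
+4. During approved execution, s-gw reads the credential from the local store and injects it into the local child process.
+5. Command output is sanitized back to handles before it is returned.
+
+## 1Password Migration Later
+
+Do not read or migrate real 1Password values as part of normal setup. The safe migration path should be an explicit user-approved command that reads selected `op://...` references, writes those values into credential-store-backed handles, updates the encrypted ledger pointers, and leaves an audit event for each migrated handle.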
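--- a/package/docs/onepassword.md
+++ b/package/docs/onepassword.md
@@ -0,0 +1,84 @@
+# 1Password Integration
+
+s-gw can use 1Password as an optional local secret backend or migration source. The s-gw ledger stores an encrypted `op://...` reference, not the raw secret value. After the user grants reusable approval, the first approved execution reads the value from the local 1Password CLI, stores an encrypted copy in the s-gw keystore for the approval TTL, and injects that value only into approved local child processes.
+
+Agents still see typed handles such as `s-gw:api-token:...`; they never receive the raw value. One-time approvals read 1Password for that single execution. Timed, login-session, and unlimited approvals reuse the encrypted s-gw keystore copy until the approval expires or is revoked.
+
+## Requirements
+
+- Install and configure the 1Password CLI as `op`.
+- Use a 1Password secret reference:
+
+```text
+op://vault-name/item-name/[section-name/]field-name
+```
+
+The 1Password CLI also supports service-account use through `OP_SERVICE_ACCOUNT_TOKEN`; that is useful for team automation, while desktop users can rely on the normal 1Password app approval flow.
+
+## Add A 1Password-Backed Handle
+
+```bash
+s-gw onepassword status
+
+s-gw secret add-1password \
+--name openai-prod \
+--type api-token \
+--ref 'op://Example/OpenAI/credential' \
+--inject-env OPENAI_API_KEY \
+--allow-command "$(command -v node)"
+```
+
+Use `--verify` when you want s-gw to call `op read` immediately and fail early if the reference is wrong or 1Password is locked:
+
+```bash
+s-gw secret add-1password \
+--name openai-prod \
+--type api-token \
+--ref 'op://Example/OpenAI/credential' \
+--inject-env OPENAI_API_KEY \
+--allow-command "$(command -v node)" \
+--verify
+```
+
+Without `--verify`, s-gw stores the encrypted reference and resolves it later, when the approved command actually runs.
+
+## Capture Text Into 1Password
+
+When a local agent or UI hands s-gw text that contains a credential, capture it through stdin so the value never appears in shell history:
+
+```bash
+s-gw onepassword capture \
+--vault Dev \
+--name "captured ssh credential" \
+--text-stdin \
+--inject-env SGW_SSH_PASSWORD \
+--allow-command "$(command -v ssh)"
+```
+
+The command scans the supplied text, creates a 1Password item in the `Dev` vault for each detected secret, stores only an encrypted `op://...` reference in the s-gw ledger, and returns tokenized text containing `<<SGW_SECRET:...>>` handles.
+
+## Approved Execution
+
+```bash
+HANDLE="s-gw:api-token:..."
+
+s-gw request env-command "$HANDLE" \
+--command "$(command -v node)" \
+--inject-env OPENAI_API_KEY \
+--arg -e \
+--arg 'console.log(process.env.OPENAI_API_KEY)'
+
+s-gw approve req_...
+s-gw execute req_...
+```
+
+If the child process prints the secret, s-gw sanitizes it back to the handle token before returning output to the agent.
+
+## Operational Notes
+
+- The `op://...` reference is encrypted in the local s-gw store.
+- For reusable approvals, the raw value is read from 1Password once, then cached encrypted in the s-gw keystore until the approval TTL, login session, unlimited grant, revoke, clear, or credential deletion ends it.
+- For one-time approvals, s-gw does not keep a cached value after the execution.
+- `SGW_OP_CLI=/path/to/op` can point s-gw at a non-default CLI path.
+- `SGW_ONEPASSWORD_TIMEOUT_MS=60000` can extend the approval/read timeout.
+- For service-account automation, provide `OP_SERVICE_ACCOUNT_TOKEN` to the local environment that runs the s-gw daemon or CLI.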
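--- a/package/docs/quickstart.md
+++ b/package/docs/quickstart.md
@@ -0,0 +1,104 @@
+# Quick Start
+
+This guide builds s-gw from source and exercises its approval boundary with disposable data. It does not require a real credential.
+
+Building from source requires Node.js 20 or newer and the Rust toolchain pinned by `rust-toolchain.toml`.
+
+## Build
+
+```bash
+git clone https://github.com/sgateway/s-gw.git
+cd s-gw
+npm ci
+npm run build
+npm link
+```
+
+For normal use, run `s-gw setup`. The demonstration below instead uses a temporary home and an environment-provided passphrase so it leaves the operating system credential store untouched.
+
+## Run The Trust Loop
+
+Create a disposable store:
+
+```bash
+export SGW_HOME="$(mktemp -d)/home"
+PASS="$(openssl rand -base64 32)"
+printf -v SGW_MASTER_PASSPHRASE '%s' "$PASS"
+export SGW_MASTER_PASSPHRASE
+s-gw init
+```
+
+Enroll a fake value and permit only the local `printenv` executable to receive it:
+
+```bash
+printf '%s' "demo-token-value" | s-gw secret add \
+--name demo-token \
+--type api-token \
+--value-stdin \
+--inject-env DEMO_TOKEN \
+--allow-command "$(command -v printenv)"
+```
+
+Get the generated handle. The list contains metadata, not the credential value:
+
+```bash
+HANDLE=$(s-gw secret list | node -e '
+let data = "";
+process.stdin.on("data", chunk => data += chunk);
+process.stdin.on("end", () => console.log(JSON.parse(data)[0].handle));
+')
+```
+
+Create a request as an agent would:
+
+```bash
+REQUEST=$(s-gw request env-command "$HANDLE" \
+--command "$(command -v printenv)" \
+--arg DEMO_TOKEN \
+--inject-env DEMO_TOKEN \
+--reason "Read the disposable token")
+
+REQUEST_ID=$(printf '%s' "$REQUEST" | node -e '
+let data = "";
+process.stdin.on("data", chunk => data += chunk);
+process.stdin.on("end", () => console.log(JSON.parse(data).id));
+')
+```
+
+Execution is refused while the request is pending:
+
+```bash
+s-gw execute "$REQUEST_ID"
+```
+
+Approve it locally, then execute it:
+
+```bash
+s-gw approve "$REQUEST_ID"
+s-gw execute "$REQUEST_ID"
+```
+
+The child process reads `demo-token-value`, but the returned output contains an s-gw handle:
+
+```json
+{
+"exitCode": 0,
+"stdout": "<<SGW_SECRET:s-gw:api-token:...>>\n",
+"proof": "s-gw-proof:req_...",
+"sanitized": true
+}
+```
+
+Remove the disposable store:
+
+```bash
+rm -rf "$SGW_HOME"
+unset SGW_HOME SGW_MASTER_PASSPHRASE HANDLE REQUEST REQUEST_ID
+```
+
+## Next Steps
+
+- Run `s-gw setup` for a persistent local installation.
+- Use `s-gw agent mcp-snippet <agent>` to configure a supported client.
+- Read the [threat model](threat-model.md) before enrolling sensitive credentials.
+- Open the native app with `s-gw app open` or the fallback console with `s-gw console`.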
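--- a/package/docs/threat-model.md
+++ b/package/docs/threat-model.md
@@ -0,0 +1,100 @@
+# Threat Model
+
+## Purpose
+
+s-gw reduces the chance that raw credentials are exposed to coding agents, model context, chat transcripts, tool results, or routine shell arguments. It keeps credential redemption and approval on the user's machine.
+
+This document describes the intended security boundary for the current preview. It is not a claim of formal verification or independent audit.
+
+## Protected Assets
+
+- raw credential values and local unlock material;
+- credential-store pointers and encrypted ledger contents;
+- approval decisions and reusable-grant scope;
+- command, environment, working-directory, and SSH destination policy;
+- sanitized execution output and audit records.
+
+## Trust Boundaries
+
+```mermaid
+flowchart TB
+subgraph Untrusted["Agent-controlled or externally influenced"]
+A["Agent request"]
+O["Command output"]
+F["Scanned text and files"]
+end
+
+subgraph Local["Trusted local s-gw boundary"]
+V["Manifest and policy validation"]
+P["User approval"]
+S["Encrypted store"]
+B["Credential resolver and approval broker"]
+R["Rust execution core"]
+Z["Bounded output sanitizer"]
+end
+
+A --> V
+F --> V
+V --> P
+P --> B
+S --> B
+B --> R
+R --> O
+O --> Z
+Z --> A
+```
+
+The local operating system account, s-gw broker and Rust core processes, operating system credential store, approved executable, and user approval decision are trusted for an approved action. Agent input, scanned content, command arguments, destinations, and command output are treated as untrusted.
+
+## Intended Guarantees
+
+- Agent-facing interfaces use typed handles and metadata rather than raw values.
+- A secret-backed action must match the handle's allowed command or owned SSH policy.
+- Pending actions do not execute until a policy or local user decision approves them.
+- Reusable approvals are bounded by stored request attributes and expiry or login session.
+- Credential and unlock values entered through supported commands use stdin instead of process arguments.
+- The loopback console requires a per-session token for state-changing operations.
+- Known raw credential values are replaced in captured command output before it is returned to the caller.
+- Approved environment commands run with a cleared child environment and only the allowlisted system variables plus approved credential bindings.
+- The broker verifies that the Rust result contains no known raw credential and that its proof matches the request and sanitized output.
+- Approval, execution, denial, failure, and policy activity is recorded locally.
+
+## Attacker Capabilities Considered
+
+- A coding agent may create arbitrary tool requests and misleading reasons.
+- Repository content may contain prompt injection or request unsafe commands.
+- A local web page may attempt to call the loopback console.
+- A child process may print the injected credential in its output.
+- An attacker may guess handles, request IDs, or local API routes.
+- A request may be interrupted by process exit, sleep, or a hung command.
+
+## Non-Goals And Residual Risk
+
+s-gw does not protect against:
+
+- compromise of the current operating system account, kernel, credential store, or s-gw process;
+- a malicious or compromised executable that the user approves to receive a credential;
+- screen capture, keylogging, debugger access, process-memory inspection, or privileged endpoint monitoring;
+- network exfiltration performed by an approved command;
+- every transformed, encoded, hashed, fragmented, or derived representation of a credential in output;
+- secrets the user pastes directly into chat, source files, terminal commands, or agent configuration;
+- credential access by tools that bypass s-gw entirely;
+- broad prompt, file, terminal, or operating system interception solely through MCP registration;
+- denial of service, destructive approved commands, or incorrect user approval decisions.
+
+Output sanitization is a last line of defense, not a data-loss-prevention guarantee. Keep allowed commands narrow, review destinations and arguments, and use low-privilege credentials with independent provider-side controls.
+
+## Secure Use
+
+- Enroll credentials from a local terminal or supported UI, never from agent chat.
+- Prefer macOS Keychain or Windows Credential Manager over environment-provided unlock material.
+- Use absolute executable paths for command grants where practical.
+- Keep reusable approvals short and scoped to one agent when possible.
+- Treat unlimited approvals and high-severity credentials as exceptional.
+- Review SSH destinations, ports, and remote commands before approval.
+- Keep the operating system, Node.js, s-gw, and credential providers updated.
+- Review the local audit log and revoke stale policies and grants.
+
+## Reporting
+
+Report suspected boundary failures through the private process in [SECURITY.md](../SECURITY.md). Do not test with credentials or systems you do not own or have permission to use.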
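--- a/package/docs/ui/THIRD_PARTY_NOTICES.md
+++ b/package/docs/ui/THIRD_PARTY_NOTICES.md
@@ -0,0 +1,111 @@
+# Third-Party Notices
+
+## Rust Execution Core
+
+The compiled `sgw-core` runner uses crates from crates.io. Exact versions are
+locked in `Cargo.lock`.
+
+- `base64`, `block-buffer`, `cfg-if`, `cpufeatures`, `crypto-common`, `digest`,
+`itoa`, `libc`, `proc-macro2`, `quote`, `serde`, `serde_core`, `serde_derive`,
+`serde_json`, `sha2`, `syn`, `typenum`, and `version_check`: MIT or Apache-2.0
+- `generic-array` and `zmij`: MIT
+- `memchr`: Unlicense or MIT
+- `unicode-ident`: MIT or Apache-2.0, with Unicode-3.0 data terms
+
+Sources and license files are available through each package entry at
+https://crates.io/ and in the corresponding Cargo registry source archive.
+
+## AWS Architecture Icons
+
+The macOS approval helper includes the Amazon EC2 service icon from the official
+AWS Architecture Icons package. This asset is used only to identify Amazon EC2.
+AWS and Amazon EC2 are trademarks of Amazon.com, Inc. or its affiliates.
+
+- Source: https://aws.amazon.com/architecture/icons/
+
+## Lucide Icons
+
+The local console and native macOS menu helper embed selected Lucide SVG icons.
+The helper uses Lucide for generic agent, terminal, server, and local-machine
+concepts while retaining service-specific marks where identity matters.
+
+- Source: https://lucide.dev/
+- Package: `lucide-react@1.23.0`
+- License: ISC
+
+The selected icons are embedded directly in `local-console.html` so the local credential console works offline and does not call a CDN.
+
+## Simple Icons
+
+The credential provider table embeds the GitHub SVG mark from Simple Icons 16.22.0.
+
+- Source: https://simpleicons.org/
+- Package: `simple-icons@16.22.0`
+- License: CC0-1.0
+
+Simple Icons supplies brand SVGs; trademark rights remain with the respective brand owners. AWS and OpenAI remain text marks in the legacy prototype because the package used there did not include matching current SVG marks under those provider names.
+
+The React console also uses the Claude, Google Gemini, GitHub Copilot, and
+Windsurf marks from Simple Icons 16.22.0 to identify known coding agents.
+
+The React Credentials view uses the 1Password mark from Simple Icons 16.24.1
+to make the provider immediately recognizable. The mark is bundled locally;
+1Password remains a trademark of AgileBits, Inc.
+
+## Installed Application Icons
+
+The React console includes scaled application icons for Codex, Cursor, OpenCode,
+and Visual Studio Code so approval and activity views use the product artwork
+users already recognize. These icons are used only for product identification.
+The products and their artwork remain trademarks of their respective owners and
+are not licensed under s-gw's Apache-2.0 license.
+
+- Codex: https://openai.com/codex/
+- Cursor: https://cursor.com/
+- OpenCode: https://github.com/anomalyco/opencode
+- Visual Studio Code: https://github.com/microsoft/vscode
+
+## Agent Project Artwork
+
+The React console uses artwork from the following official project repositories
+to identify configured agents. The artwork is used only for product
+identification; project names and marks remain with their respective owners.
+
+- OpenClaw: https://github.com/openclaw/openclaw (MIT)
+- ZeptoClaw: https://github.com/qhkm/zeptoclaw (Apache-2.0)
+- Hermes Agent: https://github.com/NousResearch/hermes-agent (MIT)
+- OpenHands: https://github.com/OpenHands/OpenHands (MIT outside `enterprise/`)
+- OmniGent: https://github.com/omnigent-ai/omnigent (Apache-2.0)
+
+The Google Antigravity favicon is sourced from the official Antigravity site and
+is used only to identify that product. Google and Antigravity are trademarks of
+Google LLC.
+
+- Source: https://www.antigravity.google/
+
+## d3-sankey and d3 Modules
+
+The Usage Flow panel uses d3-sankey for the local, offline Agent -> Credential -> Action Sankey chart. The browser bundles are vendored so the console does not call a CDN.
+
+- Source: https://github.com/d3/d3-sankey
+- Package: `d3-sankey@0.12.3`
+- File: `docs/ui/vendor/d3-sankey/d3-sankey.min.js`
+- License: BSD-3-Clause
+
+d3-sankey's browser bundle depends on these d3 modules, also vendored locally:
+
+- `d3-array@2.12.1`, BSD-3-Clause, `docs/ui/vendor/d3-sankey/d3-array.min.js`
+- `d3-path@1.0.9`, BSD-3-Clause, `docs/ui/vendor/d3-sankey/d3-path.min.js`
+- `d3-shape@1.3.7`, BSD-3-Clause, `docs/ui/vendor/d3-sankey/d3-shape.min.js`
+
+The upstream BSD license files are included beside the bundles in `docs/ui/vendor/d3-sankey/`.
+
+## SankeyMATIC
+
+A legacy SankeyMATIC layout-core copy remains in the repository from an earlier prototype but is not loaded by the current Usage Flow panel.
+
+- Source: https://github.com/nowthis/sankeymatic
+- File: `docs/ui/vendor/sankeymatic/sankey.js`
+- License: ISC
+
+The upstream ISC license is included at `docs/ui/vendor/sankeymatic/LICENSE.txt`.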
Binary file
|
|
Binary file
|