@tankgate/cli 0.1.0

package/dist/index.js

@@ -0,0 +1,113 @@
+#!/usr/bin/env node
+/**
+ * TankGate CLI
+ *
+ * Runtime policy and containment layer for AI coding agents.
+ *
+ * Quick Start:
+ *   tankgate init --preset safe    # Initialize with safe preset
+ *   tankgate config                # Interactive configuration
+ *   tankgate audit                 # See what's been blocked
+ */
+import { Command } from 'commander';
+import { init } from './commands/init';
+import { status } from './commands/status';
+import { validate } from './commands/validate';
+import { audit } from './commands/audit';
+import { policyValidate } from './policy/validate';
+import { policyEdit } from './commands/policy-edit';
+import { policyShow } from './commands/policy-show';
+import { policyAddRule } from './commands/policy-add-rule';
+import { preset, applyPreset } from './commands/preset';
+import { config } from './commands/config';
+const program = new Command();
+program
+    .name('tankgate')
+    .description('Runtime policy and containment layer for AI coding agents')
+    .version('0.1.0');
+// Init command
+program
+    .command('init')
+    .description('Initialize TankGate in current project')
+    .option('-p, --path <dir>', 'Project directory', '.')
+    .option('--detect', 'Auto-detect existing agent', false)
+    .option('-f, --force', 'Overwrite existing configuration', false)
+    .option('--agent <type>', 'Agent type (openclaw|aider|claude-code|cline|continue|custom)')
+    .option('--mode <mode>', 'Security mode (contained|convenience)')
+    .option('--preset <preset>', 'Security preset (safe|balanced|permissive|readonly)')
+    .option('--profile <profile>', 'Scanner profile (fast|standard|paranoid)')
+    .option('--approval <channel>', 'Approval channel (telegram|none)')
+    .option('-y, --yes', 'Skip prompts, use defaults', false)
+    .action(init);
+// Config command - EASY configuration
+program
+    .command('config')
+    .description('Interactive configuration - answer questions to set up security')
+    .option('-p, --path <file>', 'Policy file path', '.tankgate/policies/default.yaml')
+    .action(config);
+// Preset command - QUICK preset switching
+program
+    .command('preset [name]')
+    .description('Switch between security presets (safe|balanced|permissive|readonly)')
+    .option('-p, --path <file>', 'Policy file path', '.tankgate/policies/default.yaml')
+    .option('--list', 'List available presets', false)
+    .action(async (name, options) => {
+    if (name) {
+        await applyPreset(name, options.path);
+    }
+    else {
+        await preset(options);
+    }
+});
+// Status command
+program
+    .command('status')
+    .description('Show TankGate status')
+    .option('--json', 'Output as JSON', false)
+    .option('-u, --url <url>', 'TankGate URL', 'http://localhost:8080')
+    .action(status);
+// Validate command
+program
+    .command('validate')
+    .description('Validate TankGate configuration')
+    .option('-p, --path <dir>', 'Config directory', '.tankgate')
+    .action(validate);
+// Audit command - SEE THE VALUE!
+program
+    .command('audit')
+    .description('View audit log - see what TankGate has protected you from')
+    .option('-l, --limit <n>', 'Number of entries to show', '20')
+    .option('-b, --blocked', 'Show only blocked actions', false)
+    .option('--json', 'Output as JSON', false)
+    .option('--db <path>', 'Path to audit database', './.tankgate/audit.db')
+    .action(audit);
+// Policy commands (for advanced users)
+const policy = program.command('policy').description('Policy management (advanced)');
+policy
+    .command('validate <file>')
+    .description('Validate a policy file')
+    .action(policyValidate);
+policy
+    .command('edit')
+    .description('Edit policy file in your editor ($EDITOR)')
+    .option('-p, --path <file>', 'Policy file path', '.tankgate/policies/default.yaml')
+    .action(policyEdit);
+policy
+    .command('show')
+    .description('Display current policy')
+    .option('-p, --path <file>', 'Policy file path', '.tankgate/policies/default.yaml')
+    .option('--json', 'Output as JSON', false)
+    .action(policyShow);
+policy
+    .command('add-rule')
+    .description('Interactively add a new rule to the policy')
+    .option('-p, --path <file>', 'Policy file path', '.tankgate/policies/default.yaml')
+    .option('--tool <tool>', 'Tool name (Bash, Read, Write, etc.)')
+    .option('--action <action>', 'Action name')
+    .option('--level <level>', 'Action level (level_0 to level_4)')
+    .option('--pattern <pattern>', 'Match pattern (regex)')
+    .option('--name <name>', 'Rule name')
+    .action(policyAddRule);
+// Parse arguments
+program.parse();
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;;;;;;;GASG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AACvC,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAC3C,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAC/C,OAAO,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAC3D,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAG3C,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,UAAU,CAAC;KAChB,WAAW,CAAC,2DAA2D,CAAC;KACxE,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,eAAe;AACf,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,wCAAwC,CAAC;KACrD,MAAM,CAAC,kBAAkB,EAAE,mBAAmB,EAAE,GAAG,CAAC;KACpD,MAAM,CAAC,UAAU,EAAE,4BAA4B,EAAE,KAAK,CAAC;KACvD,MAAM,CAAC,aAAa,EAAE,kCAAkC,EAAE,KAAK,CAAC;KAChE,MAAM,CAAC,gBAAgB,EAAE,+DAA+D,CAAC;KACzF,MAAM,CAAC,eAAe,EAAE,uCAAuC,CAAC;KAChE,MAAM,CAAC,mBAAmB,EAAE,qDAAqD,CAAC;KAClF,MAAM,CAAC,qBAAqB,EAAE,0CAA0C,CAAC;KACzE,MAAM,CAAC,sBAAsB,EAAE,kCAAkC,CAAC;KAClE,MAAM,CAAC,WAAW,EAAE,4BAA4B,EAAE,KAAK,CAAC;KACxD,MAAM,CAAC,IAAI,CAAC,CAAC;AAEhB,sCAAsC;AACtC,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,iEAAiE,CAAC;KAC9E,MAAM,CAAC,mBAAmB,EAAE,kBAAkB,EAAE,iCAAiC,CAAC;KAClF,MAAM,CAAC,MAAM,CAAC,CAAC;AAElB,0CAA0C;AAC1C,OAAO;KACJ,OAAO,CAAC,eAAe,CAAC;KACxB,WAAW,CAAC,qEAAqE,CAAC;KAClF,MAAM,CAAC,mBAAmB,EAAE,kBAAkB,EAAE,iCAAiC,CAAC;KAClF,MAAM,CAAC,QAAQ,EAAE,wBAAwB,EAAE,KAAK,CAAC;KACjD,MAAM,CAAC,KAAK,EAAE,IAA4B,EAAE,OAAwC,EAAE,EAAE;IACvF,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,WAAW,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,CAAC,OAAO,CAAC,CAAC;IACxB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,iBAAiB;AACjB,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,sBAAsB,CAAC;KACnC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,EAAE,KAAK,CAAC;KACzC,MAAM,CAAC,iBAAiB,EAAE,cAAc,EAAE,uBAAuB,CAAC;KAClE,MAAM,CAAC,MAAM,CAAC,CAAC;AAElB,mBAAmB;AACnB,OAAO;KACJ,OAAO,CAAC,UAAU,CAAC;KACnB,WAAW,CAAC,iCAAiC,CAAC;KAC9C,MAAM,CAAC,kBAAkB,EAAE,kBAAkB,EAAE,WAAW,CAAC;KAC3D,MAAM,CAAC,QAAQ,CAAC,CAAC;AAEpB,iCAAiC;AACjC,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,2DAA2D,CAAC;KACxE,MAAM,CAAC,iBAAiB,EAAE,2BAA2B,EAAE,IAAI,CAAC;KAC5D,MAAM,CAAC,eAAe,EAAE,2BAA2B,EAAE,KAAK,CAAC;KAC3D,MAAM,CAAC,QAAQ,EAAE,gBAAgB,EAAE,KAAK,CAAC;KACzC,MAAM,CAAC,aAAa,EAAE,wBAAwB,EAAE,sBAAsB,CAAC;KACvE,MAAM,CAAC,KAAK,CAAC,CAAC;AAEjB,uCAAuC;AACvC,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,CAAC,8BAA8B,CAAC,CAAC;AAErF,MAAM;KACH,OAAO,CAAC,iBAAiB,CAAC;KAC1B,WAAW,CAAC,wBAAwB,CAAC;KACrC,MAAM,CAAC,cAAc,CAAC,CAAC;AAE1B,MAAM;KACH,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,2CAA2C,CAAC;KACxD,MAAM,CAAC,mBAAmB,EAAE,kBAAkB,EAAE,iCAAiC,CAAC;KAClF,MAAM,CAAC,UAAU,CAAC,CAAC;AAEtB,MAAM;KACH,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,wBAAwB,CAAC;KACrC,MAAM,CAAC,mBAAmB,EAAE,kBAAkB,EAAE,iCAAiC,CAAC;KAClF,MAAM,CAAC,QAAQ,EAAE,gBAAgB,EAAE,KAAK,CAAC;KACzC,MAAM,CAAC,UAAU,CAAC,CAAC;AAEtB,MAAM;KACH,OAAO,CAAC,UAAU,CAAC;KACnB,WAAW,CAAC,4CAA4C,CAAC;KACzD,MAAM,CAAC,mBAAmB,EAAE,kBAAkB,EAAE,iCAAiC,CAAC;KAClF,MAAM,CAAC,eAAe,EAAE,qCAAqC,CAAC;KAC9D,MAAM,CAAC,mBAAmB,EAAE,aAAa,CAAC;KAC1C,MAAM,CAAC,iBAAiB,EAAE,mCAAmC,CAAC;KAC9D,MAAM,CAAC,qBAAqB,EAAE,uBAAuB,CAAC;KACtD,MAAM,CAAC,eAAe,EAAE,WAAW,CAAC;KACpC,MAAM,CAAC,aAAa,CAAC,CAAC;AAEzB,kBAAkB;AAClB,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/policy/validate.d.ts

@@ -0,0 +1,7 @@
+/**
+ * tankgate policy validate command
+ *
+ * Validates a single policy YAML file.
+ */
+export declare function policyValidate(file: string): Promise<void>;
+//# sourceMappingURL=validate.d.ts.map

package/dist/policy/validate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../src/policy/validate.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAkBH,wBAAsB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAkFhE"}

package/dist/policy/validate.js

@@ -0,0 +1,89 @@
+/**
+ * tankgate policy validate command
+ *
+ * Validates a single policy YAML file.
+ */
+import chalk from 'chalk';
+import { parse } from 'yaml';
+export async function policyValidate(file) {
+    console.log(chalk.bold(`\n🔍 Validating policy: ${file}\n`));
+    try {
+        const content = await Bun.file(file).text();
+        const policy = parse(content);
+        // Validate structure
+        const errors = [];
+        // Check apiVersion
+        if (!policy.apiVersion) {
+            errors.push('Missing apiVersion');
+        }
+        else if (policy.apiVersion !== 'tankgate.dev/v1') {
+            errors.push(`Invalid apiVersion: ${policy.apiVersion}`);
+        }
+        // Check kind
+        if (!policy.kind) {
+            errors.push('Missing kind');
+        }
+        else if (policy.kind !== 'AgentPolicy') {
+            errors.push(`Invalid kind: ${policy.kind}`);
+        }
+        // Check metadata
+        if (!policy.metadata) {
+            errors.push('Missing metadata');
+        }
+        else {
+            if (!policy.metadata.name) {
+                errors.push('Missing metadata.name');
+            }
+            if (!policy.metadata.version) {
+                errors.push('Missing metadata.version');
+            }
+        }
+        // Check tools
+        if (!policy.tools) {
+            errors.push('Missing tools section');
+        }
+        else {
+            const validTools = ['filesystem', 'shell', 'network', 'vcs'];
+            for (const tool of Object.keys(policy.tools)) {
+                if (!validTools.includes(tool)) {
+                    errors.push(`Unknown tool: ${tool}`);
+                }
+            }
+        }
+        // Count rules
+        let ruleCount = 0;
+        if (policy.tools) {
+            for (const tool of Object.values(policy.tools)) {
+                if (tool && typeof tool === 'object') {
+                    for (const action of Object.values(tool)) {
+                        if (action && typeof action === 'object' && 'rules' in action) {
+                            ruleCount += action.rules?.length ?? 0;
+                        }
+                    }
+                }
+            }
+        }
+        // Print results
+        if (errors.length === 0) {
+            console.log(chalk.green(`✓ Valid policy: ${policy.metadata.name}`));
+            console.log(chalk.gray(`  Version: ${policy.metadata.version}`));
+            console.log(chalk.gray(`  Rules:   ${ruleCount}`));
+            if (policy.extends && policy.extends.length > 0) {
+                console.log(chalk.gray(`  Extends: ${policy.extends.join(', ')}`));
+            }
+        }
+        else {
+            console.log(chalk.red('✗ Invalid policy'));
+            for (const error of errors) {
+                console.log(chalk.red(`  ✗ ${error}`));
+            }
+            process.exit(1);
+        }
+    }
+    catch (e) {
+        console.log(chalk.red(`✗ Failed to read policy file`));
+        console.log(chalk.red(`  ${e instanceof Error ? e.message : 'Unknown error'}`));
+        process.exit(1);
+    }
+}
+//# sourceMappingURL=validate.js.map

package/dist/policy/validate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../src/policy/validate.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,KAAK,EAAE,MAAM,MAAM,CAAC;AAe7B,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,IAAY;IAC/C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,2BAA2B,IAAI,IAAI,CAAC,CAAC,CAAC;IAE7D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;QAC5C,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAe,CAAC;QAE5C,qBAAqB;QACrB,MAAM,MAAM,GAAa,EAAE,CAAC;QAE5B,mBAAmB;QACnB,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;YACvB,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACpC,CAAC;aAAM,IAAI,MAAM,CAAC,UAAU,KAAK,iBAAiB,EAAE,CAAC;YACnD,MAAM,CAAC,IAAI,CAAC,uBAAuB,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,aAAa;QACb,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACjB,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAC9B,CAAC;aAAM,IAAI,MAAM,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;YACzC,MAAM,CAAC,IAAI,CAAC,iBAAiB,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QAC9C,CAAC;QAED,iBAAiB;QACjB,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;gBAC1B,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;YACvC,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;gBAC7B,MAAM,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;QAED,cAAc;QACd,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,UAAU,GAAG,CAAC,YAAY,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;YAC7D,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC7C,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC/B,MAAM,CAAC,IAAI,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAC;gBACvC,CAAC;YACH,CAAC;QACH,CAAC;QAED,cAAc;QACd,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC/C,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACrC,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;wBACzC,IAAI,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;4BAC9D,SAAS,IAAK,MAAgC,CAAC,KAAK,EAAE,MAAM,IAAI,CAAC,CAAC;wBACpE,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,gBAAgB;QAChB,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,mBAAmB,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;YACpE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,cAAc,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YACjE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,cAAc,SAAS,EAAE,CAAC,CAAC,CAAC;YACnD,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAChD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,cAAc,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YACrE,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC;YAC3C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC;YACzC,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC,CAAC;QACvD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC;QAChF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/presets/index.d.ts

@@ -0,0 +1,57 @@
+/**
+ * TankGate Policy Presets
+ *
+ * Pre-built configurations for common use cases.
+ * Users don't need to understand the DSL - just pick a preset.
+ */
+export type PresetName = 'safe' | 'balanced' | 'permissive' | 'readonly';
+export interface PolicyPreset {
+    name: string;
+    description: string;
+    level: string;
+    rules: any[];
+    commands?: {
+        allowed?: string[];
+        blocked?: string[];
+    };
+    paths?: {
+        allowed?: string[];
+        blocked?: string[];
+    };
+}
+/**
+ * SAFE PRESET
+ * Maximum security - blocks anything potentially dangerous
+ * Use for: Production systems, sensitive codebases
+ */
+export declare const SAFE_PRESET: PolicyPreset;
+/**
+ * BALANCED PRESET
+ * Good balance of security and convenience
+ * Use for: Most development work
+ */
+export declare const BALANCED_PRESET: PolicyPreset;
+/**
+ * PERMISSIVE PRESET
+ * Minimal restrictions - just logs
+ * Use for: Trusted environments, experimentation
+ */
+export declare const PERMISSIVE_PRESET: PolicyPreset;
+/**
+ * READ-ONLY PRESET
+ * OpenClaw can only read, never modify
+ * Use for: Code review, analysis, learning
+ */
+export declare const READONLY_PRESET: PolicyPreset;
+/**
+ * SERVICE ALLOWLIST
+ * Pre-defined service configurations
+ */
+export declare const SERVICE_PRESETS: Record<string, string[]>;
+export declare const PRESETS: Record<PresetName, PolicyPreset>;
+export declare function getPreset(name: PresetName): PolicyPreset;
+export declare function listPresets(): {
+    name: string;
+    description: string;
+}[];
+//# sourceMappingURL=index.d.ts.map

package/dist/presets/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/presets/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,MAAM,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG,YAAY,GAAG,UAAU,CAAC;AAEzE,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,GAAG,EAAE,CAAC;IACb,QAAQ,CAAC,EAAE;QACT,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;QACnB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;KACpB,CAAC;IACF,KAAK,CAAC,EAAE;QACN,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;QACnB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;KACpB,CAAC;CACH;AAED;;;;GAIG;AACH,eAAO,MAAM,WAAW,EAAE,YA6DzB,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,eAAe,EAAE,YA4C7B,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,iBAAiB,EAAE,YAoB/B,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,eAAe,EAAE,YAgD7B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAOpD,CAAC;AAEF,eAAO,MAAM,OAAO,EAAE,MAAM,CAAC,UAAU,EAAE,YAAY,CAKpD,CAAC;AAEF,wBAAgB,SAAS,CAAC,IAAI,EAAE,UAAU,GAAG,YAAY,CAExD;AAED,wBAAgB,WAAW,IAAI;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,EAAE,CAKrE"}

package/dist/presets/index.js

@@ -0,0 +1,231 @@
+/**
+ * TankGate Policy Presets
+ *
+ * Pre-built configurations for common use cases.
+ * Users don't need to understand the DSL - just pick a preset.
+ */
+/**
+ * SAFE PRESET
+ * Maximum security - blocks anything potentially dangerous
+ * Use for: Production systems, sensitive codebases
+ */
+export const SAFE_PRESET = {
+    name: 'Safe Mode',
+    description: 'Maximum security. Blocks dangerous operations. Requires approval for most changes.',
+    level: 'level_3', // Default to approval required
+    rules: [
+        // Block dangerous shell commands
+        {
+            name: 'Block destructive commands',
+            level: 'level_4',
+            match: { tool: 'Bash', pattern: 'rm\\s+-rf|sudo|chmod\\s+777|dd\\s+if=' },
+            message: 'Destructive commands are blocked in Safe mode'
+        },
+        // Block production/secret paths
+        {
+            name: 'Block sensitive files',
+            level: 'level_4',
+            match: { tool: '*', pattern: '\\.env|secrets|credentials|\\.pem|\\.key|password' },
+            message: 'Access to sensitive files is blocked'
+        },
+        // Block network operations
+        {
+            name: 'Block network tools',
+            level: 'level_4',
+            match: { tool: 'Bash', pattern: 'curl|wget|nc|netcat|ssh|scp|rsync' },
+            message: 'Network operations are blocked in Safe mode'
+        },
+        // Block package publishing
+        {
+            name: 'Block publishing',
+            level: 'level_4',
+            match: { tool: 'Bash', pattern: 'npm publish|docker push|git push' },
+            message: 'Publishing is blocked in Safe mode'
+        },
+        // Require approval for file writes
+        {
+            name: 'Approve file changes',
+            level: 'level_3',
+            match: { tool: 'Write' },
+            message: 'File changes require approval in Safe mode'
+        },
+        // Require approval for file edits
+        {
+            name: 'Approve file edits',
+            level: 'level_3',
+            match: { tool: 'Edit' },
+            message: 'File edits require approval in Safe mode'
+        },
+        // Log all bash commands
+        {
+            name: 'Log commands',
+            level: 'level_1',
+            match: { tool: 'Bash' },
+            message: null
+        }
+    ],
+    commands: {
+        blocked: ['rm', 'sudo', 'chmod', 'chown', 'curl', 'wget', 'nc', 'ssh', 'scp']
+    },
+    paths: {
+        blocked: ['.env', 'secrets/', 'credentials/', '*.pem', '*.key']
+    }
+};
+/**
+ * BALANCED PRESET
+ * Good balance of security and convenience
+ * Use for: Most development work
+ */
+export const BALANCED_PRESET = {
+    name: 'Balanced Mode',
+    description: 'Good balance of security and convenience. Blocks dangerous ops, logs others.',
+    level: 'level_1', // Default to logging
+    rules: [
+        // Block destructive commands
+        {
+            name: 'Block destructive commands',
+            level: 'level_4',
+            match: { tool: 'Bash', pattern: 'rm\\s+-rf|sudo|chmod\\s+777' },
+            message: 'Destructive commands are blocked'
+        },
+        // Block sensitive files
+        {
+            name: 'Block sensitive files',
+            level: 'level_4',
+            match: { tool: '*', pattern: '\\.env\\.prod|secrets/|credentials/|\\.pem|\\.key' },
+            message: 'Access to production secrets is blocked'
+        },
+        // Block publishing (require approval)
+        {
+            name: 'Approve publishing',
+            level: 'level_3',
+            match: { tool: 'Bash', pattern: 'npm publish|docker push' },
+            message: 'Publishing requires approval'
+        },
+        // Notify on sensitive file access
+        {
+            name: 'Notify on config access',
+            level: 'level_2',
+            match: { tool: '*', pattern: '\\.env|config/' },
+            message: 'Config file accessed'
+        },
+        // Log all commands
+        {
+            name: 'Log all commands',
+            level: 'level_1',
+            match: { tool: 'Bash' },
+            message: null
+        }
+    ],
+    commands: {
+        blocked: ['rm -rf', 'sudo']
+    }
+};
+/**
+ * PERMISSIVE PRESET
+ * Minimal restrictions - just logs
+ * Use for: Trusted environments, experimentation
+ */
+export const PERMISSIVE_PRESET = {
+    name: 'Permissive Mode',
+    description: 'Minimal restrictions. Logs everything but rarely blocks.',
+    level: 'level_0', // Default to silent allow
+    rules: [
+        // Only block truly dangerous operations
+        {
+            name: 'Block system destruction',
+            level: 'level_4',
+            match: { tool: 'Bash', pattern: 'rm\\s+-rf\\s+/' },
+            message: 'System destruction is always blocked'
+        },
+        // Log everything
+        {
+            name: 'Log all actions',
+            level: 'level_1',
+            match: { tool: '*' },
+            message: null
+        }
+    ]
+};
+/**
+ * READ-ONLY PRESET
+ * OpenClaw can only read, never modify
+ * Use for: Code review, analysis, learning
+ */
+export const READONLY_PRESET = {
+    name: 'Read-Only Mode',
+    description: 'OpenClaw can only read files. No modifications allowed.',
+    level: 'level_4', // Block by default
+    rules: [
+        // Allow reads
+        {
+            name: 'Allow reading',
+            level: 'level_0',
+            match: { tool: 'Read' },
+            message: null
+        },
+        // Allow safe bash (ls, cat, grep, etc.)
+        {
+            name: 'Allow safe commands',
+            level: 'level_0',
+            match: { tool: 'Bash', pattern: '^(ls|cat|grep|find|head|tail|wc|sort|uniq|git status|git log|git diff|git branch)' },
+            message: null
+        },
+        // Block all writes
+        {
+            name: 'Block writes',
+            level: 'level_4',
+            match: { tool: 'Write' },
+            message: 'Write operations are blocked in Read-Only mode'
+        },
+        // Block all edits
+        {
+            name: 'Block edits',
+            level: 'level_4',
+            match: { tool: 'Edit' },
+            message: 'Edit operations are blocked in Read-Only mode'
+        },
+        // Block dangerous bash
+        {
+            name: 'Block modifying commands',
+            level: 'level_4',
+            match: { tool: 'Bash', pattern: 'rm|mv|cp|mkdir|rmdir|touch|chmod|chown|sudo' },
+            message: 'Modifying commands are blocked in Read-Only mode'
+        },
+        // Block web search (optional - remove if you want to allow)
+        {
+            name: 'Log web searches',
+            level: 'level_1',
+            match: { tool: 'WebSearch' },
+            message: null
+        }
+    ]
+};
+/**
+ * SERVICE ALLOWLIST
+ * Pre-defined service configurations
+ */
+export const SERVICE_PRESETS = {
+    git: ['git status', 'git log', 'git diff', 'git branch', 'git add', 'git commit', 'git push', 'git pull'],
+    npm: ['npm install', 'npm run', 'npm test', 'npm build'],
+    docker: ['docker ps', 'docker logs', 'docker compose up', 'docker compose down'],
+    python: ['python', 'pip install', 'pytest'],
+    bun: ['bun install', 'bun run', 'bun test'],
+    all: ['*'] // Allow all
+};
+export const PRESETS = {
+    safe: SAFE_PRESET,
+    balanced: BALANCED_PRESET,
+    permissive: PERMISSIVE_PRESET,
+    readonly: READONLY_PRESET
+};
+export function getPreset(name) {
+    return PRESETS[name];
+}
+export function listPresets() {
+    return Object.entries(PRESETS).map(([key, preset]) => ({
+        name: key,
+        description: preset.description
+    }));
+}
+//# sourceMappingURL=index.js.map

package/dist/presets/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/presets/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAmBH;;;;GAIG;AACH,MAAM,CAAC,MAAM,WAAW,GAAiB;IACvC,IAAI,EAAE,WAAW;IACjB,WAAW,EAAE,oFAAoF;IACjG,KAAK,EAAE,SAAS,EAAE,+BAA+B;IACjD,KAAK,EAAE;QACL,iCAAiC;QACjC;YACE,IAAI,EAAE,4BAA4B;YAClC,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,uCAAuC,EAAE;YACzE,OAAO,EAAE,+CAA+C;SACzD;QACD,gCAAgC;QAChC;YACE,IAAI,EAAE,uBAAuB;YAC7B,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,mDAAmD,EAAE;YAClF,OAAO,EAAE,sCAAsC;SAChD;QACD,2BAA2B;QAC3B;YACE,IAAI,EAAE,qBAAqB;YAC3B,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,mCAAmC,EAAE;YACrE,OAAO,EAAE,6CAA6C;SACvD;QACD,2BAA2B;QAC3B;YACE,IAAI,EAAE,kBAAkB;YACxB,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,kCAAkC,EAAE;YACpE,OAAO,EAAE,oCAAoC;SAC9C;QACD,mCAAmC;QACnC;YACE,IAAI,EAAE,sBAAsB;YAC5B,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE;YACxB,OAAO,EAAE,4CAA4C;SACtD;QACD,kCAAkC;QAClC;YACE,IAAI,EAAE,oBAAoB;YAC1B,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE;YACvB,OAAO,EAAE,0CAA0C;SACpD;QACD,wBAAwB;QACxB;YACE,IAAI,EAAE,cAAc;YACpB,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE;YACvB,OAAO,EAAE,IAAI;SACd;KACF;IACD,QAAQ,EAAE;QACR,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC;KAC9E;IACD,KAAK,EAAE;QACL,OAAO,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO,CAAC;KAChE;CACF,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,eAAe,GAAiB;IAC3C,IAAI,EAAE,eAAe;IACrB,WAAW,EAAE,8EAA8E;IAC3F,KAAK,EAAE,SAAS,EAAE,qBAAqB;IACvC,KAAK,EAAE;QACL,6BAA6B;QAC7B;YACE,IAAI,EAAE,4BAA4B;YAClC,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,6BAA6B,EAAE;YAC/D,OAAO,EAAE,kCAAkC;SAC5C;QACD,wBAAwB;QACxB;YACE,IAAI,EAAE,uBAAuB;YAC7B,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,mDAAmD,EAAE;YAClF,OAAO,EAAE,yCAAyC;SACnD;QACD,sCAAsC;QACtC;YACE,IAAI,EAAE,oBAAoB;YAC1B,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,yBAAyB,EAAE;YAC3D,OAAO,EAAE,8BAA8B;SACxC;QACD,kCAAkC;QAClC;YACE,IAAI,EAAE,yBAAyB;YAC/B,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,gBAAgB,EAAE;YAC/C,OAAO,EAAE,sBAAsB;SAChC;QACD,mBAAmB;QACnB;YACE,IAAI,EAAE,kBAAkB;YACxB,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE;YACvB,OAAO,EAAE,IAAI;SACd;KACF;IACD,QAAQ,EAAE;QACR,OAAO,EAAE,CAAC,QAAQ,EAAE,MAAM,CAAC;KAC5B;CACF,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAiB;IAC7C,IAAI,EAAE,iBAAiB;IACvB,WAAW,EAAE,0DAA0D;IACvE,KAAK,EAAE,SAAS,EAAE,0BAA0B;IAC5C,KAAK,EAAE;QACL,wCAAwC;QACxC;YACE,IAAI,EAAE,0BAA0B;YAChC,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE;YAClD,OAAO,EAAE,sCAAsC;SAChD;QACD,iBAAiB;QACjB;YACE,IAAI,EAAE,iBAAiB;YACvB,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE;YACpB,OAAO,EAAE,IAAI;SACd;KACF;CACF,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,eAAe,GAAiB;IAC3C,IAAI,EAAE,gBAAgB;IACtB,WAAW,EAAE,yDAAyD;IACtE,KAAK,EAAE,SAAS,EAAE,mBAAmB;IACrC,KAAK,EAAE;QACL,cAAc;QACd;YACE,IAAI,EAAE,eAAe;YACrB,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE;YACvB,OAAO,EAAE,IAAI;SACd;QACD,wCAAwC;QACxC;YACE,IAAI,EAAE,qBAAqB;YAC3B,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,mFAAmF,EAAE;YACrH,OAAO,EAAE,IAAI;SACd;QACD,mBAAmB;QACnB;YACE,IAAI,EAAE,cAAc;YACpB,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE;YACxB,OAAO,EAAE,gDAAgD;SAC1D;QACD,kBAAkB;QAClB;YACE,IAAI,EAAE,aAAa;YACnB,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE;YACvB,OAAO,EAAE,+CAA+C;SACzD;QACD,uBAAuB;QACvB;YACE,IAAI,EAAE,0BAA0B;YAChC,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,6CAA6C,EAAE;YAC/E,OAAO,EAAE,kDAAkD;SAC5D;QACD,4DAA4D;QAC5D;YACE,IAAI,EAAE,kBAAkB;YACxB,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE;YAC5B,OAAO,EAAE,IAAI;SACd;KACF;CACF,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAA6B;IACvD,GAAG,EAAE,CAAC,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE,UAAU,EAAE,UAAU,CAAC;IACzG,GAAG,EAAE,CAAC,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,CAAC;IACxD,MAAM,EAAE,CAAC,WAAW,EAAE,aAAa,EAAE,mBAAmB,EAAE,qBAAqB,CAAC;IAChF,MAAM,EAAE,CAAC,QAAQ,EAAE,aAAa,EAAE,QAAQ,CAAC;IAC3C,GAAG,EAAE,CAAC,aAAa,EAAE,SAAS,EAAE,UAAU,CAAC;IAC3C,GAAG,EAAE,CAAC,GAAG,CAAC,CAAE,YAAY;CACzB,CAAC;AAEF,MAAM,CAAC,MAAM,OAAO,GAAqC;IACvD,IAAI,EAAE,WAAW;IACjB,QAAQ,EAAE,eAAe;IACzB,UAAU,EAAE,iBAAiB;IAC7B,QAAQ,EAAE,eAAe;CAC1B,CAAC;AAEF,MAAM,UAAU,SAAS,CAAC,IAAgB;IACxC,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC;AACvB,CAAC;AAED,MAAM,UAAU,WAAW;IACzB,OAAO,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC;QACrD,IAAI,EAAE,GAAG;QACT,WAAW,EAAE,MAAM,CAAC,WAAW;KAChC,CAAC,CAAC,CAAC;AACN,CAAC"}

package/package.json

@@ -0,0 +1,65 @@
+{
+  "name": "@tankgate/cli",
+  "version": "0.1.0",
+  "description": "Runtime policy and containment layer for AI coding agents",
+  "author": "TankPkg",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/tankpkg/tankgate.git",
+    "directory": "packages/cli"
+  },
+  "homepage": "https://github.com/tankpkg/tankgate#readme",
+  "bugs": "https://github.com/tankpkg/tankgate/issues",
+  "keywords": [
+    "ai",
+    "agent",
+    "security",
+    "policy",
+    "openclaw",
+    "aider",
+    "claude-code",
+    "containment"
+  ],
+  "type": "module",
+  "bin": {
+    "tankgate": "./dist/index.js"
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist/",
+    "README.md"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "prepublishOnly": "bun run build"
+  },
+  "dependencies": {
+    "@tankgate/core": "workspace:*",
+    "@inquirer/prompts": "^7.0.0",
+    "chalk": "^5.3.0",
+    "commander": "^12.0.0",
+    "ora": "^8.0.0",
+    "yaml": "^2.8.2",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@types/bun": "latest",
+    "typescript": "^5"
+  },
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/"
+  },
+  "engines": {
+    "node": ">=18"
+  }
+}