@tankgate/core 0.1.0

package/dist/generators/env.js

@@ -0,0 +1,78 @@
+/**
+ * Environment File Generator
+ *
+ * Generates the .env.example file with all required environment variables.
+ */
+export function generateEnvExample(options) {
+    const { approval } = options;
+    return `# TankGate Environment Configuration
+# Generated by tankgate init
+# Copy this file to .env and fill in your values
+
+# =============================================================================
+# REQUIRED: LLM API Keys
+# =============================================================================
+
+# Your OpenAI API key (or OpenAI-compatible provider)
+OPENAI_API_KEY=sk-xxx
+
+# Your Anthropic API key (required for Claude models)
+# ANTHROPIC_API_KEY=sk-ant-xxx
+
+# =============================================================================
+# OPTIONAL: Custom API Endpoints
+# =============================================================================
+
+# Override OpenAI base URL (for proxies, Azure, or other compatible APIs)
+# OPENAI_BASE_URL=https://api.openai.com/v1
+
+# Override Anthropic base URL
+# ANTHROPIC_BASE_URL=https://api.anthropic.com
+
+# =============================================================================
+# OPTIONAL: Scanner Configuration
+# =============================================================================
+
+# Secret key for HMAC audit chain (generate with: openssl rand -hex 32)
+# TANKGATE_AUDIT_SECRET=your-secret-key-here
+
+# Path to audit database (default: ./audit.db)
+# TANKGATE_AUDIT_DB=./audit.db
+
+# =============================================================================
+# OPTIONAL: Telegram Approval Channel
+# =============================================================================
+
+${approval === 'telegram' ? `# Telegram bot token (get from @BotFather on Telegram)
+TELEGRAM_BOT_TOKEN=your-bot-token-here
+
+# Your Telegram chat ID (get from @userinfobot on Telegram)
+TELEGRAM_CHAT_ID=your-chat-id-here
+` : `# Telegram bot token (uncomment if using telegram approval)
+# TELEGRAM_BOT_TOKEN=your-bot-token-here
+
+# Your Telegram chat ID (uncomment if using telegram approval)
+# TELEGRAM_CHAT_ID=your-chat-id-here
+`}
+# =============================================================================
+# OPTIONAL: Advanced Configuration
+# =============================================================================
+
+# Override policy file path (default: ./.tankgate/policies)
+# TANKGATE_POLICY_PATH=./policies
+
+# Log level: debug, info, warn, error (default: info)
+# TANKGATE_LOG_LEVEL=info
+
+# =============================================================================
+# USAGE
+# =============================================================================
+#
+# 1. Copy this file: cp .env.example .env
+# 2. Fill in your API keys
+# 3. (Optional) Configure Telegram for mobile approval
+# 4. Start TankGate: docker compose -f docker-compose.tankgate.yml up -d
+#
+`;
+}
+//# sourceMappingURL=env.js.map

package/dist/generators/env.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.js","sourceRoot":"","sources":["../../src/generators/env.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,UAAU,kBAAkB,CAAC,OAAoB;IACrD,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAE7B,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAsCP,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC;;;;;CAK3B,CAAC,CAAC,CAAC;;;;;CAKH;;;;;;;;;;;;;;;;;;;;CAoBA,CAAC;AACF,CAAC"}

package/dist/generators/policy.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Policy Generator
+ *
+ * Generates policy YAML files for different AI coding agents.
+ * Each agent has a customized template with appropriate defaults.
+ */
+import type { AgentType } from '../types';
+/**
+ * Generate a policy file for the specified agent
+ */
+export declare function generatePolicy(agent: AgentType): string;
+//# sourceMappingURL=policy.d.ts.map

package/dist/generators/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../src/generators/policy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAE1C;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,SAAS,GAAG,MAAM,CAWvD"}

package/dist/generators/policy.js

@@ -0,0 +1,602 @@
+/**
+ * Policy Generator
+ *
+ * Generates policy YAML files for different AI coding agents.
+ * Each agent has a customized template with appropriate defaults.
+ */
+/**
+ * Generate a policy file for the specified agent
+ */
+export function generatePolicy(agent) {
+    const generators = {
+        openclaw: getOpenClawTemplate,
+        aider: getAiderTemplate,
+        'claude-code': getClaudeCodeTemplate,
+        cline: getClineTemplate,
+        continue: getContinueTemplate,
+        custom: getGenericTemplate,
+    };
+    return generators[agent]();
+}
+/**
+ * OpenClaw policy template
+ */
+function getOpenClawTemplate() {
+    return `# TankGate OpenClaw Agent Policy
+# Custom policy for OpenClaw AI coding agent
+
+apiVersion: tankgate.dev/v1
+kind: AgentPolicy
+metadata:
+  name: openclaw
+  version: "1.0.0"
+  description: Policy for OpenClaw AI coding agent
+  agent: openclaw
+
+# Extend base policy for immutable security rules
+extends:
+  - base
+
+tools:
+  filesystem:
+    read:
+      default: level_1
+      rules:
+        # Allow reading project files silently
+        - when:
+            path: "^/(home|Users|workspace)/"
+          then: level_0
+          reason: "Project directory read access"
+
+        # Block sensitive files
+        - when:
+            path: "\\\\.(env|pem|key|p12)$"
+          then: level_4
+          reason: "BLOCKED: Sensitive file access"
+
+    write:
+      default: level_2
+      rules:
+        # Allow writing to project directories
+        - when:
+            path: "^/(home|Users|workspace)/"
+          then: level_1
+          reason: "Project directory write"
+
+        # Require approval for configuration files
+        - when:
+            path: "\\\\.(json|yaml|yml|toml|ini|conf)$"
+          then: level_2
+          reason: "Configuration file modification"
+
+    delete:
+      default: level_3
+      rules:
+        # Allow deleting in project directories with notification
+        - when:
+            path: "^/(home|Users|workspace)/"
+          then: level_2
+          reason: "Project file deletion"
+
+    list:
+      default: level_0
+      rules: []
+
+    search:
+      default: level_0
+      rules: []
+
+  shell:
+    execute:
+      default: level_2
+      rules:
+        # Allow common development commands
+        - when:
+            command: "^(npm|yarn|pnpm|bun)\\\\s+(install|run|test|build|dev)"
+          then: level_1
+          reason: "Package manager command"
+
+        # Allow git read commands
+        - when:
+            command: "^git\\\\s+(status|diff|log|branch|show)"
+          then: level_1
+          reason: "Git read command"
+
+        # Allow git write commands
+        - when:
+            command: "^git\\\\s+(commit|push|pull|add)"
+          then: level_2
+          reason: "Git write command"
+
+        # Require approval for sudo
+        - when:
+            command: "^sudo\\\\s"
+          then: level_3
+          reason: "Sudo requires approval"
+
+  network:
+    request:
+      default: level_2
+      rules:
+        # Allow common development APIs
+        - when:
+            url: "https://(api\\\\.)?(npmjs|github|gitlab|bitbucket)\\\\.com"
+          then: level_1
+          reason: "Development API access"
+
+  vcs:
+    commit:
+      default: level_1
+      rules: []
+
+    push:
+      default: level_2
+      rules:
+        # Require approval for pushing to main/master
+        - when:
+            branch: "(main|master)"
+          then: level_3
+          reason: "Push to main/master requires approval"
+
+    pull:
+      default: level_1
+      rules: []
+`;
+}
+/**
+ * Aider policy template
+ */
+function getAiderTemplate() {
+    return `# TankGate Aider Agent Policy
+# Policy for Aider AI pair programming tool
+
+apiVersion: tankgate.dev/v1
+kind: AgentPolicy
+metadata:
+  name: aider
+  version: "1.0.0"
+  description: Policy for Aider AI pair programming tool
+  agent: aider
+
+extends:
+  - base
+
+tools:
+  filesystem:
+    read:
+      default: level_0
+      rules:
+        # Block sensitive files
+        - when:
+            path: "\\\\.(env|pem|key|p12)$"
+          then: level_4
+          reason: "BLOCKED: Sensitive file access"
+
+    write:
+      default: level_1
+      rules:
+        # Require approval for configuration files
+        - when:
+            path: "\\\\.(json|yaml|yml|toml|ini|conf)$"
+          then: level_2
+          reason: "Configuration file modification"
+
+    delete:
+      default: level_2
+      rules: []
+
+    list:
+      default: level_0
+      rules: []
+
+    search:
+      default: level_0
+      rules: []
+
+  shell:
+    execute:
+      default: level_2
+      rules:
+        # Allow aider commands
+        - when:
+            command: "^aider\\\\s"
+          then: level_1
+          reason: "Aider command"
+
+        # Allow common development commands
+        - when:
+            command: "^(npm|yarn|pnpm|bun|python|pip)\\\\s+"
+          then: level_1
+          reason: "Development command"
+
+        # Allow git commands
+        - when:
+            command: "^git\\\\s+"
+          then: level_1
+          reason: "Git command"
+
+  network:
+    request:
+      default: level_2
+      rules:
+        # Allow LLM APIs
+        - when:
+            url: "https://(api\\\\.)?(openai|anthropic)\\\\.com"
+          then: level_1
+          reason: "LLM API access"
+`;
+}
+/**
+ * Claude Code policy template
+ */
+function getClaudeCodeTemplate() {
+    return `# TankGate Claude Code Agent Policy
+# Policy for Claude Code (Anthropic's official CLI)
+
+apiVersion: tankgate.dev/v1
+kind: AgentPolicy
+metadata:
+  name: claude-code
+  version: "1.0.0"
+  description: Policy for Claude Code CLI agent
+  agent: claude-code
+
+extends:
+  - base
+
+tools:
+  filesystem:
+    read:
+      default: level_0
+      rules:
+        # Block sensitive files
+        - when:
+            path: "\\\\.(env|pem|key|p12)$"
+          then: level_4
+          reason: "BLOCKED: Sensitive file access"
+
+        # Notify on credential-like files
+        - when:
+            path: "(credentials|secrets|password)"
+          then: level_2
+          reason: "Credential file access"
+
+    write:
+      default: level_1
+      rules:
+        # Require approval for configuration files
+        - when:
+            path: "\\\\.(json|yaml|yml|toml|ini|conf)$"
+          then: level_2
+          reason: "Configuration file modification"
+
+        # Block write to system directories
+        - when:
+            path: "^/(etc|bin|usr|var)/"
+          then: level_4
+          reason: "BLOCKED: System directory write"
+
+    delete:
+      default: level_2
+      rules:
+        # Block delete of important files
+        - when:
+            path: "\\\\.(git|env|lock)$"
+          then: level_4
+          reason: "BLOCKED: Critical file deletion"
+
+    list:
+      default: level_0
+      rules: []
+
+    search:
+      default: level_0
+      rules: []
+
+  shell:
+    execute:
+      default: level_2
+      rules:
+        # Allow package managers
+        - when:
+            command: "^(npm|yarn|pnpm|bun)\\\\s+(install|run|test|build|dev|add|remove)"
+          then: level_1
+          reason: "Package manager command"
+
+        # Allow git read commands silently
+        - when:
+            command: "^git\\\\s+(status|diff|log|branch|show|ls-files)"
+          then: level_0
+          reason: "Git read command"
+
+        # Allow git write commands
+        - when:
+            command: "^git\\\\s+(commit|push|pull|add|checkout|merge|rebase)"
+          then: level_1
+          reason: "Git write command"
+
+        # Require approval for git force push
+        - when:
+            command: "git\\\\s+.*--force"
+          then: level_3
+          reason: "Force push requires approval"
+
+        # Block dangerous commands
+        - when:
+            command: "^rm\\\\s+(-[rf]+\\\\s+)*(/\\\\s*|/\\\\*)"
+          then: level_4
+          reason: "BLOCKED: Recursive root delete"
+
+  network:
+    request:
+      default: level_2
+      rules:
+        # Allow common development APIs
+        - when:
+            url: "https://(api\\\\.)?(github|gitlab|npmjs|pypi)\\\\.com"
+          then: level_1
+          reason: "Development API access"
+
+        # Allow LLM APIs
+        - when:
+            url: "https://(api\\\\.)?(openai|anthropic)\\\\.com"
+          then: level_1
+          reason: "LLM API access"
+
+  vcs:
+    commit:
+      default: level_1
+      rules: []
+
+    push:
+      default: level_2
+      rules:
+        # Require approval for pushing to main/master
+        - when:
+            branch: "(main|master)"
+          then: level_3
+          reason: "Push to main/master requires approval"
+
+    pull:
+      default: level_1
+      rules: []
+`;
+}
+/**
+ * Cline policy template
+ */
+function getClineTemplate() {
+    return `# TankGate Cline Agent Policy
+# Policy for Cline VSCode extension
+
+apiVersion: tankgate.dev/v1
+kind: AgentPolicy
+metadata:
+  name: cline
+  version: "1.0.0"
+  description: Policy for Cline VSCode extension
+  agent: cline
+
+extends:
+  - base
+
+tools:
+  filesystem:
+    read:
+      default: level_0
+      rules:
+        # Block sensitive files
+        - when:
+            path: "\\\\.(env|pem|key|p12)$"
+          then: level_4
+          reason: "BLOCKED: Sensitive file access"
+
+    write:
+      default: level_1
+      rules:
+        # Require approval for configuration files
+        - when:
+            path: "\\\\.(json|yaml|yml|toml|ini|conf)$"
+          then: level_2
+          reason: "Configuration file modification"
+
+    delete:
+      default: level_2
+      rules: []
+
+    list:
+      default: level_0
+      rules: []
+
+    search:
+      default: level_0
+      rules: []
+
+  shell:
+    execute:
+      default: level_2
+      rules:
+        # Allow common development commands
+        - when:
+            command: "^(npm|yarn|pnpm|bun)\\\\s+"
+          then: level_1
+          reason: "Package manager command"
+
+        # Allow git commands
+        - when:
+            command: "^git\\\\s+"
+          then: level_1
+          reason: "Git command"
+
+  network:
+    request:
+      default: level_2
+      rules:
+        # Allow LLM APIs
+        - when:
+            url: "https://(api\\\\.)?(openai|anthropic)\\\\.com"
+          then: level_1
+          reason: "LLM API access"
+`;
+}
+/**
+ * Continue policy template
+ */
+function getContinueTemplate() {
+    return `# TankGate Continue Agent Policy
+# Policy for Continue.dev VSCode extension
+
+apiVersion: tankgate.dev/v1
+kind: AgentPolicy
+metadata:
+  name: continue
+  version: "1.0.0"
+  description: Policy for Continue.dev VSCode extension
+  agent: continue
+
+extends:
+  - base
+
+tools:
+  filesystem:
+    read:
+      default: level_0
+      rules:
+        # Block sensitive files
+        - when:
+            path: "\\\\.(env|pem|key|p12)$"
+          then: level_4
+          reason: "BLOCKED: Sensitive file access"
+
+    write:
+      default: level_1
+      rules:
+        # Require approval for configuration files
+        - when:
+            path: "\\\\.(json|yaml|yml|toml|ini|conf)$"
+          then: level_2
+          reason: "Configuration file modification"
+
+    delete:
+      default: level_2
+      rules: []
+
+    list:
+      default: level_0
+      rules: []
+
+    search:
+      default: level_0
+      rules: []
+
+  shell:
+    execute:
+      default: level_2
+      rules:
+        # Allow common development commands
+        - when:
+            command: "^(npm|yarn|pnpm|bun)\\\\s+"
+          then: level_1
+          reason: "Package manager command"
+
+        # Allow git commands
+        - when:
+            command: "^git\\\\s+"
+          then: level_1
+          reason: "Git command"
+
+  network:
+    request:
+      default: level_2
+      rules:
+        # Allow Continue servers
+        - when:
+            url: "https://(api\\\\.)?continue\\\\.dev"
+          then: level_1
+          reason: "Continue API access"
+
+        # Allow LLM APIs
+        - when:
+            url: "https://(api\\\\.)?(openai|anthropic)\\\\.com"
+          then: level_1
+          reason: "LLM API access"
+`;
+}
+/**
+ * Generic/custom policy template
+ */
+function getGenericTemplate() {
+    return `# TankGate Generic Agent Policy
+# Customize this policy for your specific agent
+
+apiVersion: tankgate.dev/v1
+kind: AgentPolicy
+metadata:
+  name: custom
+  version: "1.0.0"
+  description: Custom policy for generic AI agent
+  agent: custom
+
+extends:
+  - base
+
+tools:
+  filesystem:
+    read:
+      default: level_1
+      rules:
+        # Block sensitive files
+        - when:
+            path: "\\\\.(env|pem|key|p12)$"
+          then: level_4
+          reason: "BLOCKED: Sensitive file access"
+
+    write:
+      default: level_2
+      rules:
+        # Require approval for configuration files
+        - when:
+            path: "\\\\.(json|yaml|yml|toml|ini|conf)$"
+          then: level_3
+          reason: "Configuration file modification requires approval"
+
+    delete:
+      default: level_3
+      rules: []
+
+    list:
+      default: level_1
+      rules: []
+
+    search:
+      default: level_1
+      rules: []
+
+  shell:
+    execute:
+      default: level_3
+      rules:
+        # Allow common development commands
+        - when:
+            command: "^(npm|yarn|pnpm|bun)\\\\s+"
+          then: level_2
+          reason: "Package manager command"
+
+        # Allow git read commands
+        - when:
+            command: "^git\\\\s+(status|diff|log|branch)"
+          then: level_1
+          reason: "Git read command"
+
+  network:
+    request:
+      default: level_3
+      rules:
+        # Allow LLM APIs
+        - when:
+            url: "https://(api\\\\.)?(openai|anthropic)\\\\.com"
+          then: level_2
+          reason: "LLM API access"
+`;
+}
+//# sourceMappingURL=policy.js.map

package/dist/generators/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../src/generators/policy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAgB;IAC7C,MAAM,UAAU,GAAoC;QAClD,QAAQ,EAAE,mBAAmB;QAC7B,KAAK,EAAE,gBAAgB;QACvB,aAAa,EAAE,qBAAqB;QACpC,KAAK,EAAE,gBAAgB;QACvB,QAAQ,EAAE,mBAAmB;QAC7B,MAAM,EAAE,kBAAkB;KAC3B,CAAC;IAEF,OAAO,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB;IAC1B,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuHR,CAAC;AACF,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB;IACvB,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6ER,CAAC;AACF,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB;IAC5B,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAkIR,CAAC;AACF,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB;IACvB,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuER,CAAC;AACF,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB;IAC1B,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6ER,CAAC;AACF,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB;IACzB,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuER,CAAC;AACF,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,8 @@
+export * from './types';
+export * from './detect';
+export * from './prompts';
+export * from './generators/docker-compose';
+export * from './generators/policy';
+export * from './generators/config';
+export * from './generators/env';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAIA,cAAc,SAAS,CAAC;AAGxB,cAAc,UAAU,CAAC;AAGzB,cAAc,WAAW,CAAC;AAG1B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,qBAAqB,CAAC;AACpC,cAAc,qBAAqB,CAAC;AACpC,cAAc,kBAAkB,CAAC"}