agentlock-shared 0.1.0 → 0.2.0

package/src/policy.ts

@@ -21,6 +21,7 @@ export const DEFAULT_POLICY_RULES: PolicyRules = {
     { action_type: 'write', decision: 'REQUIRE_APPROVAL' },
     { action_type: 'financial', decision: 'REQUIRE_APPROVAL' },
     { action_type: 'admin', decision: 'BLOCK' },
+    { tool: 'mcp.list_tools', decision: 'ALLOW' },
   ],
   http: {
     allowedDomains: [],
@@ -28,19 +29,35 @@ export const DEFAULT_POLICY_RULES: PolicyRules = {
     blockList: [],
   },
   limits: {
-    maxActionsPerHour: 100,
+    maxActionsPerHour: 100, // Enforced in gateway via check_rate_limit RPC
   },
 };
 
+// Default HTTP rules when rules.http is not configured
+const DEFAULT_HTTP_RULES = {
+  allowedDomains: [] as string[],
+  allowedMethods: ['GET', 'POST', 'PUT', 'DELETE'],
+  blockList: [] as string[],
+};
+
 export function evaluatePolicy(
   action: AgentActionRequest,
   rules: PolicyRules
 ): PolicyEvaluationResult {
+  // Block unknown action types (defense-in-depth)
+  if (!(action.action_type in RISK_MAP)) {
+    return { decision: 'BLOCK', risk_level: 'critical', reason: `Unknown action type: ${action.action_type}` };
+  }
+
+  // SECURITY: Normalize tool name to lowercase to prevent case-sensitivity
+  // bypasses (e.g., "Http.get" skipping HTTP domain allowlist checks).
+  const normalizedTool = action.tool.toLowerCase();
+
   const risk_level = RISK_MAP[action.action_type] ?? 'medium';
 
   // Browser tools: browser.open always requires approval
-  if (action.tool.startsWith('browser.')) {
-    if (action.tool === 'browser.open') {
+  if (normalizedTool.startsWith('browser.')) {
+    if (normalizedTool === 'browser.open') {
       return {
         decision: 'REQUIRE_APPROVAL',
         risk_level: 'medium',
@@ -57,28 +74,32 @@ export function evaluatePolicy(
     };
   }
 
-  // MCP tools: list_tools is a read (low risk), call_tool defers to action_type rules
-  if (action.tool === 'mcp.list_tools') {
-    return {
-      decision: 'ALLOW',
-      risk_level: 'low',
-      reason: 'MCP tool discovery is read-only',
-    };
-  }
+  // MCP tools: list_tools handled via default rules (can be overridden by custom policies)
 
-  if (action.tool.split('.')[0] === 'http' && rules.http) {
+  // HTTP tool checks: always enforce domain/method restrictions
+  const isHttpTool = normalizedTool.split('.')[0] === 'http';
+  if (isHttpTool) {
+    const httpRules = rules.http ?? DEFAULT_HTTP_RULES;
     const url = action.payload.url as string | undefined;
+    if (!url) {
+      // SECURITY: HTTP actions without a URL must be blocked at the policy level.
+      // The connector would also reject it, but policy should be the first gate.
+      return { decision: 'BLOCK', risk_level: 'critical', reason: 'HTTP actions require a URL in payload' };
+    }
     if (url) {
       try {
-        const domain = new URL(url).hostname;
+        const domain = new URL(url).hostname.replace(/\.$/, '').toLowerCase();
         // Use exact match or proper subdomain match (preceded by a dot)
         // to prevent "not-trusted.com" from matching allowlist entry "trusted.com"
-        const matchesDomain = (d: string, pattern: string) =>
-          d === pattern || d.endsWith('.' + pattern);
-        if (rules.http.blockList.some((b) => matchesDomain(domain, b))) {
+        // Both sides are normalized: lowercase + trailing-dot stripped.
+        const matchesDomain = (d: string, pattern: string) => {
+          const normalizedPattern = pattern.replace(/\.$/, '').toLowerCase();
+          return d === normalizedPattern || d.endsWith('.' + normalizedPattern);
+        };
+        if (httpRules.blockList.some((b) => matchesDomain(domain, b))) {
           return { decision: 'BLOCK', risk_level: 'critical', reason: `Domain ${domain} is in block list` };
         }
-        if (rules.http.allowedDomains.length === 0) {
+        if (httpRules.allowedDomains.length === 0) {
           // No allowlist configured: safe default is REQUIRE_APPROVAL, not ALLOW.
           // This prevents agents from exfiltrating data to arbitrary domains.
           return {
@@ -87,7 +108,7 @@ export function evaluatePolicy(
             reason: 'HTTP allowlist not configured — approval required for all HTTP calls',
           };
         }
-        if (!rules.http.allowedDomains.some((d) => matchesDomain(domain, d))) {
+        if (!httpRules.allowedDomains.some((d) => matchesDomain(domain, d))) {
           return { decision: 'BLOCK', risk_level, reason: `Domain ${domain} not in allowed list` };
         }
       } catch {
@@ -95,7 +116,7 @@ export function evaluatePolicy(
       }
     }
     const method = (action.payload.method as string | undefined)?.toUpperCase();
-    if (method && !rules.http.allowedMethods.includes(method)) {
+    if (method && !httpRules.allowedMethods.includes(method)) {
       return { decision: 'BLOCK', risk_level, reason: `HTTP method ${method} not allowed` };
     }
   }
@@ -112,14 +133,19 @@ export function evaluatePolicy(
     };
   }
 
-  // Most specific: tool-specific rule
-  let matched = rules.rules.find((r) => r.tool === action.tool);
+  // Most specific: tool-specific rule (case-insensitive to prevent bypasses)
+  let matched = rules.rules.find((r) => r.tool !== undefined && r.tool.toLowerCase() === normalizedTool);
   // Then action-type rule
   if (!matched) matched = rules.rules.find((r) => r.action_type === action.action_type);
 
   if (matched) {
+    let finalDecision = matched.decision;
+    // SECURITY: Never auto-allow admin/financial actions even via explicit rules
+    if (finalDecision === 'ALLOW' && ['admin', 'financial'].includes(action.action_type)) {
+      finalDecision = 'REQUIRE_APPROVAL';
+    }
     return {
-      decision: matched.decision,
+      decision: finalDecision,
       risk_level,
       reason: `Matched rule: ${matched.action_type ?? matched.tool}`,
       matched_rule: matched,
@@ -129,6 +155,11 @@ export function evaluatePolicy(
   const defaultDecision: PolicyDecision =
     rules.defaultMode === 'allow' ? 'ALLOW' : rules.defaultMode === 'block' ? 'BLOCK' : 'REQUIRE_APPROVAL';
 
+  // SECURITY: Never auto-allow high-risk actions via permissive default mode
+  if (defaultDecision === 'ALLOW' && ['admin', 'financial'].includes(action.action_type)) {
+    return { decision: 'REQUIRE_APPROVAL', risk_level, reason: 'High-risk action types always require approval even with permissive default policy' };
+  }
+
   return { decision: defaultDecision, risk_level, reason: 'Default policy' };
 }
 
@@ -138,10 +169,11 @@ export function buildActionPreview(action: AgentActionRequest): {
   impact?: string;
   cost_estimate?: number;
 } {
+  const normalizedTool = action.tool.toLowerCase();
   let summary = `${action.action_type.toUpperCase()} via ${action.tool}`;
   let target: string | undefined;
 
-  if (action.tool.split('.')[0] === 'http') {
+  if (normalizedTool.split('.')[0] === 'http') {
     const url = action.payload.url as string | undefined;
     const method = action.payload.method as string | undefined;
     if (url) {
@@ -152,7 +184,7 @@ export function buildActionPreview(action: AgentActionRequest): {
       }
       summary = `${method?.toUpperCase() ?? 'HTTP'} request to ${target}`;
     }
-  } else if (action.tool === 'browser.open') {
+  } else if (normalizedTool === 'browser.open') {
     const url = action.payload.url as string | undefined;
     if (url) {
       try {
@@ -164,17 +196,15 @@ export function buildActionPreview(action: AgentActionRequest): {
     } else {
       summary = 'Open browser session';
     }
-  } else if (action.tool === 'mcp.list_tools') {
+  } else if (normalizedTool === 'mcp.list_tools') {
     const server = action.payload.server as string | undefined;
     target = server;
     summary = `List available tools on MCP server "${server ?? 'unknown'}"`;
-  } else if (action.tool === 'mcp.call_tool') {
+  } else if (normalizedTool === 'mcp.call_tool') {
     const server = action.payload.server as string | undefined;
     const method = action.payload.method as string | undefined;
     target = server;
     summary = `Call "${method ?? 'unknown'}" on MCP server "${server ?? 'unknown'}"`;
-  } else if (action.tool === 'demo') {
-    summary = `Write to demo table: ${JSON.stringify(redact(action.payload)).slice(0, 80)}`;
   }
 
   return {

package/src/redact.ts

@@ -52,7 +52,15 @@ const SECRET_SUBSTRINGS = [
   'connection_string',
   'database_url',
   'access_key',
-  'session_id',
+  'auth_token',
+  'refresh_key',
+  'session_secret',
+  'webhook_secret',
+  'jwt',
+  'oauth',
+  'ssn',
+  'credit_card',
+  'routing_number',
 ];
 
 const REDACTED = '[REDACTED]';
@@ -73,6 +81,13 @@ const SECRET_VALUE_PATTERNS = [
   /^sk-ant-[a-zA-Z0-9_-]{20,}$/,                   // Anthropic API keys
   /^SG\.[a-zA-Z0-9_-]{20,}$/,                      // SendGrid API keys
   /^SK[a-f0-9]{32}$/,                              // Twilio API keys
+  /-----BEGIN\s+(RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,  // PEM private keys
+  /^DefaultEndpointsProtocol=/,                       // Azure connection strings
+  /^[A-Za-z0-9+\/]{43,}={0,2}$/,                     // Base64-encoded symmetric keys (32+ bytes)
+  /^[A-Za-z0-9_-]{43,}={0,2}$/,                      // URL-safe base64 encoded keys
+  /^whsec_[a-zA-Z0-9]{20,}$/,                         // Stripe webhook secrets
+  /^npm_[a-zA-Z0-9]{20,}$/,                           // npm tokens
+  /^vercel_[a-zA-Z0-9]{20,}$/,                        // Vercel tokens
 ];
 
 function isSecretField(key: string): boolean {
@@ -86,7 +101,9 @@ function isSecretValue(value: string): boolean {
 }
 
 export function redact(obj: unknown, depth = 0): unknown {
-  if (depth > 10) return obj;
+  // SECURITY: At max depth, redact entirely rather than passing data through.
+  // Prevents secrets in deeply nested objects from bypassing redaction.
+  if (depth > 20) return REDACTED;
   if (obj === null || obj === undefined) return obj;
   if (typeof obj === 'string') return isSecretValue(obj) ? REDACTED : obj;
   if (typeof obj !== 'object') return obj;
@@ -102,7 +119,7 @@ export function redact(obj: unknown, depth = 0): unknown {
 export function redactHeaders(headers: Record<string, string>): Record<string, string> {
   const result: Record<string, string> = {};
   for (const [key, value] of Object.entries(headers)) {
-    result[key] = isSecretField(key) ? REDACTED : value;
+    result[key] = (isSecretField(key) || isSecretValue(value)) ? REDACTED : value;
   }
   return result;
 }

package/src/schemas.ts

@@ -1,53 +1,121 @@
-import { z } from 'zod';
-
-/** Max payload size: 64KB when serialized */
-const MAX_PAYLOAD_SIZE = 65_536;
-
-export const AgentActionRequestSchema = z.object({
-  action_type: z.enum(['read', 'write', 'financial', 'admin']),
-  tool: z.string().min(1).max(100).regex(/^[a-zA-Z0-9._\-:]+$/, 'Tool name must be alphanumeric with dots, dashes, underscores, or colons'),
-  payload: z.record(z.unknown()).refine(
-    (val) => JSON.stringify(val).length <= MAX_PAYLOAD_SIZE,
-    { message: `Payload exceeds maximum size of ${MAX_PAYLOAD_SIZE} bytes` }
-  ),
-  idempotency_key: z.string().max(128).optional(),
-  cost_estimate: z.number().optional(),
-});
-
-export const RegisterAgentSchema = z.object({
-  name: z.string().min(1).max(100),
-  environment: z.enum(['development', 'staging', 'production']).default('production'),
-  public_key: z.string().min(40),
-  allowed_tools: z.array(z.string()).default([]),
-});
-
-export const PolicyRulesSchema = z.object({
-  defaultMode: z.enum(['allow', 'require_approval', 'block']),
-  rules: z.array(
-    z.object({
-      action_type: z.enum(['read', 'write', 'financial', 'admin']).optional(),
-      tool: z.string().optional(),
-      domain: z.string().optional(),
-      decision: z.enum(['ALLOW', 'REQUIRE_APPROVAL', 'BLOCK']),
-      require_two_approvals: z.boolean().optional(),
-    })
-  ),
-  http: z
-    .object({
-      allowedDomains: z.array(z.string()),
-      allowedMethods: z.array(z.string()),
-      blockList: z.array(z.string()),
-    })
-    .optional(),
-  limits: z
-    .object({
-      maxCostPerAction: z.number().optional(),
-      maxActionsPerHour: z.number().optional(),
-    })
-    .optional(),
-});
-
-export const ApproveRequestSchema = z.object({
-  action: z.enum(['approve', 'deny']),
-  reason: z.string().max(1000).optional(),
-});
+import { z } from 'zod';
+
+/** Max payload size: 64KB when serialized */
+const MAX_PAYLOAD_SIZE = 65_536;
+
+/** Maximum length for webhook URLs (standard URL length limit) */
+const MAX_WEBHOOK_URL_LENGTH = 2048;
+
+/**
+ * Reusable Zod schema for webhook URLs.
+ * Enforces: max length 2048, valid URL syntax, HTTPS-only,
+ * and rejects private/internal hostnames at parse time.
+ */
+export const WebhookUrlSchema = z
+  .string()
+  .max(MAX_WEBHOOK_URL_LENGTH, `Webhook URL exceeds maximum length (${MAX_WEBHOOK_URL_LENGTH} characters)`)
+  .refine(
+    (val) => {
+      try {
+        const parsed = new URL(val);
+        return parsed.protocol === 'https:';
+      } catch {
+        return false;
+      }
+    },
+    { message: 'Webhook URL must be a valid HTTPS URL' }
+  )
+  .refine(
+    (val) => {
+      try {
+        const parsed = new URL(val);
+        const hostname = parsed.hostname;
+        const privatePatterns = [
+          /^127\./, /^10\./, /^172\.(1[6-9]|2\d|3[01])\./,
+          /^192\.168\./, /^169\.254\./, /^0\./,
+          /^localhost$/i, /\.local$/i, /\.internal$/i,
+        ];
+        return !privatePatterns.some((p) => p.test(hostname));
+      } catch {
+        return false;
+      }
+    },
+    { message: 'Webhook URL cannot target private or internal addresses' }
+  );
+
+export const AgentActionRequestSchema = z.object({
+  action_type: z.enum(['read', 'write', 'financial', 'admin']),
+  tool: z.string().min(1).max(100).regex(/^[a-zA-Z0-9._\-:]+$/, 'Tool name must be alphanumeric with dots, dashes, underscores, or colons'),
+  payload: z.record(z.unknown()).refine(
+    (val) => JSON.stringify(val).length <= MAX_PAYLOAD_SIZE,
+    { message: `Payload exceeds maximum size of ${MAX_PAYLOAD_SIZE} bytes` }
+  ),
+  idempotency_key: z.string().max(128).optional(),
+  cost_estimate: z.number().nonnegative().optional(),
+});
+
+export const RegisterAgentSchema = z.object({
+  name: z.string().min(1).max(100),
+  environment: z.enum(['development', 'staging', 'production']).default('production'),
+  public_key: z.string().min(40),
+  allowed_tools: z.array(z.string()).default([]),
+});
+
+const DOMAIN_RE = /^(\*\.)?([a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?\.)*[a-zA-Z]{2,}$/;
+
+export const PolicyRulesSchema = z.object({
+  defaultMode: z.enum(['allow', 'require_approval', 'block']),
+  rules: z.array(
+    z.object({
+      action_type: z.enum(['read', 'write', 'financial', 'admin']).optional(),
+      tool: z.string().max(100).regex(/^[a-zA-Z0-9._\-:]+$/, 'Tool name must be alphanumeric with dots, dashes, underscores, or colons').optional(),
+      domain: z.string().regex(DOMAIN_RE, 'Invalid domain format').optional(),
+      decision: z.enum(['ALLOW', 'REQUIRE_APPROVAL', 'BLOCK']),
+      require_two_approvals: z.boolean().optional(),
+      allowed_approvers: z.array(z.string().uuid()).optional(),
+    }).refine(r => r.action_type || r.tool, { message: 'Rule must specify action_type or tool' })
+  ).max(100),
+  http: z
+    .object({
+      allowedDomains: z.array(z.string().min(1).max(253).regex(DOMAIN_RE, 'Invalid domain format')),
+      allowedMethods: z.array(z.enum(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'])),
+      blockList: z.array(z.string().min(1).max(253).regex(DOMAIN_RE, 'Invalid domain format')),
+    })
+    .optional(),
+  limits: z
+    .object({
+      maxCostPerAction: z.number().nonnegative().optional(),
+      maxActionsPerHour: z.number().nonnegative().optional(),
+    })
+    .optional(),
+});
+
+export const ApproveRequestSchema = z.object({
+  action: z.enum(['approve', 'deny']),
+  reason: z.string().max(1000).optional(),
+  reply_message: z.string().max(2000).optional(),
+  /** Server-side biometric challenge token (mobile clients only) */
+  biometric_challenge: z.string().uuid().optional(),
+});
+
+/** Max metadata size: 8KB when serialized (prevents storage exhaustion) */
+const MAX_METADATA_SIZE = 8_192;
+
+export const SendMessageSchema = z.object({
+  content: z.string().min(1).max(4096),
+  thread_id: z.string().uuid().optional(),
+  expires_at: z.string().datetime().optional(),
+  metadata: z.record(z.unknown()).refine(
+    (val) => JSON.stringify(val).length <= MAX_METADATA_SIZE,
+    { message: `Metadata exceeds maximum size of ${MAX_METADATA_SIZE} bytes` }
+  ).optional(),
+});
+
+export const AgentSendMessageSchema = z.object({
+  content: z.string().min(1).max(4096),
+  thread_id: z.string().uuid(),
+  metadata: z.record(z.unknown()).refine(
+    (val) => JSON.stringify(val).length <= MAX_METADATA_SIZE,
+    { message: `Metadata exceeds maximum size of ${MAX_METADATA_SIZE} bytes` }
+  ).optional(),
+});

package/src/types.ts

@@ -84,6 +84,7 @@ export interface PolicyRule {
   domain?: string;
   decision: PolicyDecision;
   require_two_approvals?: boolean;
+  allowed_approvers?: string[];
 }
 
 export interface PolicyEvaluationResult {