agentlock-shared 0.2.0 → 0.3.0

package/src/policy.ts

@@ -1,216 +0,0 @@
-import type {
-  PolicyRules,
-  AgentActionRequest,
-  PolicyEvaluationResult,
-  RiskLevel,
-  PolicyDecision,
-} from './types.js';
-import { redact } from './redact.js';
-
-const RISK_MAP: Record<string, RiskLevel> = {
-  read: 'low',
-  write: 'medium',
-  financial: 'high',
-  admin: 'critical',
-};
-
-export const DEFAULT_POLICY_RULES: PolicyRules = {
-  defaultMode: 'require_approval',
-  rules: [
-    { action_type: 'read', decision: 'ALLOW' },
-    { action_type: 'write', decision: 'REQUIRE_APPROVAL' },
-    { action_type: 'financial', decision: 'REQUIRE_APPROVAL' },
-    { action_type: 'admin', decision: 'BLOCK' },
-    { tool: 'mcp.list_tools', decision: 'ALLOW' },
-  ],
-  http: {
-    allowedDomains: [],
-    allowedMethods: ['GET', 'POST', 'PUT', 'DELETE'],
-    blockList: [],
-  },
-  limits: {
-    maxActionsPerHour: 100, // Enforced in gateway via check_rate_limit RPC
-  },
-};
-
-// Default HTTP rules when rules.http is not configured
-const DEFAULT_HTTP_RULES = {
-  allowedDomains: [] as string[],
-  allowedMethods: ['GET', 'POST', 'PUT', 'DELETE'],
-  blockList: [] as string[],
-};
-
-export function evaluatePolicy(
-  action: AgentActionRequest,
-  rules: PolicyRules
-): PolicyEvaluationResult {
-  // Block unknown action types (defense-in-depth)
-  if (!(action.action_type in RISK_MAP)) {
-    return { decision: 'BLOCK', risk_level: 'critical', reason: `Unknown action type: ${action.action_type}` };
-  }
-
-  // SECURITY: Normalize tool name to lowercase to prevent case-sensitivity
-  // bypasses (e.g., "Http.get" skipping HTTP domain allowlist checks).
-  const normalizedTool = action.tool.toLowerCase();
-
-  const risk_level = RISK_MAP[action.action_type] ?? 'medium';
-
-  // Browser tools: browser.open always requires approval
-  if (normalizedTool.startsWith('browser.')) {
-    if (normalizedTool === 'browser.open') {
-      return {
-        decision: 'REQUIRE_APPROVAL',
-        risk_level: 'medium',
-        reason: 'Browser sessions always require approval to start',
-      };
-    }
-    // Other browser.* actions with a valid session are handled at the gateway
-    // level (auto-approved). If they reach the policy engine without a session,
-    // they should be blocked.
-    return {
-      decision: 'BLOCK',
-      risk_level: 'medium',
-      reason: 'Browser actions require an active session (use browser.open first)',
-    };
-  }
-
-  // MCP tools: list_tools handled via default rules (can be overridden by custom policies)
-
-  // HTTP tool checks: always enforce domain/method restrictions
-  const isHttpTool = normalizedTool.split('.')[0] === 'http';
-  if (isHttpTool) {
-    const httpRules = rules.http ?? DEFAULT_HTTP_RULES;
-    const url = action.payload.url as string | undefined;
-    if (!url) {
-      // SECURITY: HTTP actions without a URL must be blocked at the policy level.
-      // The connector would also reject it, but policy should be the first gate.
-      return { decision: 'BLOCK', risk_level: 'critical', reason: 'HTTP actions require a URL in payload' };
-    }
-    if (url) {
-      try {
-        const domain = new URL(url).hostname.replace(/\.$/, '').toLowerCase();
-        // Use exact match or proper subdomain match (preceded by a dot)
-        // to prevent "not-trusted.com" from matching allowlist entry "trusted.com"
-        // Both sides are normalized: lowercase + trailing-dot stripped.
-        const matchesDomain = (d: string, pattern: string) => {
-          const normalizedPattern = pattern.replace(/\.$/, '').toLowerCase();
-          return d === normalizedPattern || d.endsWith('.' + normalizedPattern);
-        };
-        if (httpRules.blockList.some((b) => matchesDomain(domain, b))) {
-          return { decision: 'BLOCK', risk_level: 'critical', reason: `Domain ${domain} is in block list` };
-        }
-        if (httpRules.allowedDomains.length === 0) {
-          // No allowlist configured: safe default is REQUIRE_APPROVAL, not ALLOW.
-          // This prevents agents from exfiltrating data to arbitrary domains.
-          return {
-            decision: 'REQUIRE_APPROVAL',
-            risk_level,
-            reason: 'HTTP allowlist not configured — approval required for all HTTP calls',
-          };
-        }
-        if (!httpRules.allowedDomains.some((d) => matchesDomain(domain, d))) {
-          return { decision: 'BLOCK', risk_level, reason: `Domain ${domain} not in allowed list` };
-        }
-      } catch {
-        return { decision: 'BLOCK', risk_level: 'critical', reason: 'Invalid URL' };
-      }
-    }
-    const method = (action.payload.method as string | undefined)?.toUpperCase();
-    if (method && !httpRules.allowedMethods.includes(method)) {
-      return { decision: 'BLOCK', risk_level, reason: `HTTP method ${method} not allowed` };
-    }
-  }
-
-  if (
-    rules.limits?.maxCostPerAction !== undefined &&
-    action.cost_estimate !== undefined &&
-    action.cost_estimate > rules.limits.maxCostPerAction
-  ) {
-    return {
-      decision: 'BLOCK',
-      risk_level: 'high',
-      reason: `Cost estimate ${action.cost_estimate} exceeds limit ${rules.limits.maxCostPerAction}`,
-    };
-  }
-
-  // Most specific: tool-specific rule (case-insensitive to prevent bypasses)
-  let matched = rules.rules.find((r) => r.tool !== undefined && r.tool.toLowerCase() === normalizedTool);
-  // Then action-type rule
-  if (!matched) matched = rules.rules.find((r) => r.action_type === action.action_type);
-
-  if (matched) {
-    let finalDecision = matched.decision;
-    // SECURITY: Never auto-allow admin/financial actions even via explicit rules
-    if (finalDecision === 'ALLOW' && ['admin', 'financial'].includes(action.action_type)) {
-      finalDecision = 'REQUIRE_APPROVAL';
-    }
-    return {
-      decision: finalDecision,
-      risk_level,
-      reason: `Matched rule: ${matched.action_type ?? matched.tool}`,
-      matched_rule: matched,
-    };
-  }
-
-  const defaultDecision: PolicyDecision =
-    rules.defaultMode === 'allow' ? 'ALLOW' : rules.defaultMode === 'block' ? 'BLOCK' : 'REQUIRE_APPROVAL';
-
-  // SECURITY: Never auto-allow high-risk actions via permissive default mode
-  if (defaultDecision === 'ALLOW' && ['admin', 'financial'].includes(action.action_type)) {
-    return { decision: 'REQUIRE_APPROVAL', risk_level, reason: 'High-risk action types always require approval even with permissive default policy' };
-  }
-
-  return { decision: defaultDecision, risk_level, reason: 'Default policy' };
-}
-
-export function buildActionPreview(action: AgentActionRequest): {
-  summary: string;
-  target?: string;
-  impact?: string;
-  cost_estimate?: number;
-} {
-  const normalizedTool = action.tool.toLowerCase();
-  let summary = `${action.action_type.toUpperCase()} via ${action.tool}`;
-  let target: string | undefined;
-
-  if (normalizedTool.split('.')[0] === 'http') {
-    const url = action.payload.url as string | undefined;
-    const method = action.payload.method as string | undefined;
-    if (url) {
-      try {
-        target = new URL(url).hostname;
-      } catch {
-        target = url;
-      }
-      summary = `${method?.toUpperCase() ?? 'HTTP'} request to ${target}`;
-    }
-  } else if (normalizedTool === 'browser.open') {
-    const url = action.payload.url as string | undefined;
-    if (url) {
-      try {
-        target = new URL(url).hostname;
-      } catch {
-        target = url;
-      }
-      summary = `Open browser session to ${target}`;
-    } else {
-      summary = 'Open browser session';
-    }
-  } else if (normalizedTool === 'mcp.list_tools') {
-    const server = action.payload.server as string | undefined;
-    target = server;
-    summary = `List available tools on MCP server "${server ?? 'unknown'}"`;
-  } else if (normalizedTool === 'mcp.call_tool') {
-    const server = action.payload.server as string | undefined;
-    const method = action.payload.method as string | undefined;
-    target = server;
-    summary = `Call "${method ?? 'unknown'}" on MCP server "${server ?? 'unknown'}"`;
-  }
-
-  return {
-    summary,
-    target,
-    impact: action.action_type === 'write' ? 'Data will be modified' : undefined,
-    cost_estimate: action.cost_estimate,
-  };
-}

package/src/redact.ts

@@ -1,131 +0,0 @@
-// Exact-match field names (checked after lowercasing)
-const SECRET_FIELDS = new Set([
-  'authorization',
-  'api_key',
-  'apikey',
-  'api-key',
-  'token',
-  'secret',
-  'password',
-  'passwd',
-  'private_key',
-  'privatekey',
-  'access_token',
-  'refresh_token',
-  'client_secret',
-  'x-api-key',
-  'x-auth-token',
-  'credentials',
-  'bearer',
-  'session_token',
-  'session_key',
-  'cookie',
-  'set-cookie',
-  'aws_secret_access_key',
-  'aws_session_token',
-  'database_url',
-  'connection_string',
-  'private-key',
-  'master_key',
-  'encryption_key',
-  'signing_key',
-  'service_role_key',
-  'supabase_service_role_key',
-]);
-
-// Substring patterns: if the lowercased key contains any of these, redact
-const SECRET_SUBSTRINGS = [
-  'secret',
-  'password',
-  'passwd',
-  'token',
-  'api_key',
-  'apikey',
-  'private_key',
-  'privatekey',
-  'credential',
-  'authorization',
-  'auth_key',
-  'master_key',
-  'encryption_key',
-  'signing_key',
-  'connection_string',
-  'database_url',
-  'access_key',
-  'auth_token',
-  'refresh_key',
-  'session_secret',
-  'webhook_secret',
-  'jwt',
-  'oauth',
-  'ssn',
-  'credit_card',
-  'routing_number',
-];
-
-const REDACTED = '[REDACTED]';
-
-// Value-based patterns to detect secrets regardless of field name
-const SECRET_VALUE_PATTERNS = [
-  /^(sk|pk|rk)_(live|test)_[a-zA-Z0-9]{10,}$/,  // Stripe keys
-  /^r[us]_[a-zA-Z0-9]{20,}$/,                      // Stripe restricted keys
-  /^ghp_[a-zA-Z0-9]{36}$/,                         // GitHub PATs
-  /^github_pat_[a-zA-Z0-9_]{20,}$/,                // GitHub fine-grained PATs
-  /^gho_[a-zA-Z0-9]{36}$/,                         // GitHub OAuth tokens
-  /^AKIA[A-Z0-9]{16}$/,                            // AWS access key IDs
-  /^eyJ[a-zA-Z0-9_-]{20,}\.[a-zA-Z0-9_-]{20,}/,   // JWTs (eyJ prefix)
-  /^xox[bpras]-[a-zA-Z0-9-]{10,}$/,               // Slack tokens
-  /^Bearer\s+[a-zA-Z0-9._\-]{20,}$/,              // Bearer tokens
-  /^AIza[a-zA-Z0-9_-]{35}$/,                       // Google API keys
-  /^sk-[a-zA-Z0-9]{20,}$/,                         // OpenAI API keys
-  /^sk-ant-[a-zA-Z0-9_-]{20,}$/,                   // Anthropic API keys
-  /^SG\.[a-zA-Z0-9_-]{20,}$/,                      // SendGrid API keys
-  /^SK[a-f0-9]{32}$/,                              // Twilio API keys
-  /-----BEGIN\s+(RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,  // PEM private keys
-  /^DefaultEndpointsProtocol=/,                       // Azure connection strings
-  /^[A-Za-z0-9+\/]{43,}={0,2}$/,                     // Base64-encoded symmetric keys (32+ bytes)
-  /^[A-Za-z0-9_-]{43,}={0,2}$/,                      // URL-safe base64 encoded keys
-  /^whsec_[a-zA-Z0-9]{20,}$/,                         // Stripe webhook secrets
-  /^npm_[a-zA-Z0-9]{20,}$/,                           // npm tokens
-  /^vercel_[a-zA-Z0-9]{20,}$/,                        // Vercel tokens
-];
-
-function isSecretField(key: string): boolean {
-  const lower = key.toLowerCase();
-  if (SECRET_FIELDS.has(lower)) return true;
-  return SECRET_SUBSTRINGS.some((sub) => lower.includes(sub));
-}
-
-function isSecretValue(value: string): boolean {
-  return SECRET_VALUE_PATTERNS.some((pattern) => pattern.test(value));
-}
-
-export function redact(obj: unknown, depth = 0): unknown {
-  // SECURITY: At max depth, redact entirely rather than passing data through.
-  // Prevents secrets in deeply nested objects from bypassing redaction.
-  if (depth > 20) return REDACTED;
-  if (obj === null || obj === undefined) return obj;
-  if (typeof obj === 'string') return isSecretValue(obj) ? REDACTED : obj;
-  if (typeof obj !== 'object') return obj;
-  if (Array.isArray(obj)) return obj.map((item) => redact(item, depth + 1));
-
-  const result: Record<string, unknown> = {};
-  for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {
-    result[key] = isSecretField(key) ? REDACTED : redact(value, depth + 1);
-  }
-  return result;
-}
-
-export function redactHeaders(headers: Record<string, string>): Record<string, string> {
-  const result: Record<string, string> = {};
-  for (const [key, value] of Object.entries(headers)) {
-    result[key] = (isSecretField(key) || isSecretValue(value)) ? REDACTED : value;
-  }
-  return result;
-}
-
-export function sanitizeActionRequest(
-  request: Record<string, unknown>
-): Record<string, unknown> {
-  return redact(request) as Record<string, unknown>;
-}

package/src/schemas.ts

@@ -1,121 +0,0 @@
-import { z } from 'zod';
-
-/** Max payload size: 64KB when serialized */
-const MAX_PAYLOAD_SIZE = 65_536;
-
-/** Maximum length for webhook URLs (standard URL length limit) */
-const MAX_WEBHOOK_URL_LENGTH = 2048;
-
-/**
- * Reusable Zod schema for webhook URLs.
- * Enforces: max length 2048, valid URL syntax, HTTPS-only,
- * and rejects private/internal hostnames at parse time.
- */
-export const WebhookUrlSchema = z
-  .string()
-  .max(MAX_WEBHOOK_URL_LENGTH, `Webhook URL exceeds maximum length (${MAX_WEBHOOK_URL_LENGTH} characters)`)
-  .refine(
-    (val) => {
-      try {
-        const parsed = new URL(val);
-        return parsed.protocol === 'https:';
-      } catch {
-        return false;
-      }
-    },
-    { message: 'Webhook URL must be a valid HTTPS URL' }
-  )
-  .refine(
-    (val) => {
-      try {
-        const parsed = new URL(val);
-        const hostname = parsed.hostname;
-        const privatePatterns = [
-          /^127\./, /^10\./, /^172\.(1[6-9]|2\d|3[01])\./,
-          /^192\.168\./, /^169\.254\./, /^0\./,
-          /^localhost$/i, /\.local$/i, /\.internal$/i,
-        ];
-        return !privatePatterns.some((p) => p.test(hostname));
-      } catch {
-        return false;
-      }
-    },
-    { message: 'Webhook URL cannot target private or internal addresses' }
-  );
-
-export const AgentActionRequestSchema = z.object({
-  action_type: z.enum(['read', 'write', 'financial', 'admin']),
-  tool: z.string().min(1).max(100).regex(/^[a-zA-Z0-9._\-:]+$/, 'Tool name must be alphanumeric with dots, dashes, underscores, or colons'),
-  payload: z.record(z.unknown()).refine(
-    (val) => JSON.stringify(val).length <= MAX_PAYLOAD_SIZE,
-    { message: `Payload exceeds maximum size of ${MAX_PAYLOAD_SIZE} bytes` }
-  ),
-  idempotency_key: z.string().max(128).optional(),
-  cost_estimate: z.number().nonnegative().optional(),
-});
-
-export const RegisterAgentSchema = z.object({
-  name: z.string().min(1).max(100),
-  environment: z.enum(['development', 'staging', 'production']).default('production'),
-  public_key: z.string().min(40),
-  allowed_tools: z.array(z.string()).default([]),
-});
-
-const DOMAIN_RE = /^(\*\.)?([a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?\.)*[a-zA-Z]{2,}$/;
-
-export const PolicyRulesSchema = z.object({
-  defaultMode: z.enum(['allow', 'require_approval', 'block']),
-  rules: z.array(
-    z.object({
-      action_type: z.enum(['read', 'write', 'financial', 'admin']).optional(),
-      tool: z.string().max(100).regex(/^[a-zA-Z0-9._\-:]+$/, 'Tool name must be alphanumeric with dots, dashes, underscores, or colons').optional(),
-      domain: z.string().regex(DOMAIN_RE, 'Invalid domain format').optional(),
-      decision: z.enum(['ALLOW', 'REQUIRE_APPROVAL', 'BLOCK']),
-      require_two_approvals: z.boolean().optional(),
-      allowed_approvers: z.array(z.string().uuid()).optional(),
-    }).refine(r => r.action_type || r.tool, { message: 'Rule must specify action_type or tool' })
-  ).max(100),
-  http: z
-    .object({
-      allowedDomains: z.array(z.string().min(1).max(253).regex(DOMAIN_RE, 'Invalid domain format')),
-      allowedMethods: z.array(z.enum(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'])),
-      blockList: z.array(z.string().min(1).max(253).regex(DOMAIN_RE, 'Invalid domain format')),
-    })
-    .optional(),
-  limits: z
-    .object({
-      maxCostPerAction: z.number().nonnegative().optional(),
-      maxActionsPerHour: z.number().nonnegative().optional(),
-    })
-    .optional(),
-});
-
-export const ApproveRequestSchema = z.object({
-  action: z.enum(['approve', 'deny']),
-  reason: z.string().max(1000).optional(),
-  reply_message: z.string().max(2000).optional(),
-  /** Server-side biometric challenge token (mobile clients only) */
-  biometric_challenge: z.string().uuid().optional(),
-});
-
-/** Max metadata size: 8KB when serialized (prevents storage exhaustion) */
-const MAX_METADATA_SIZE = 8_192;
-
-export const SendMessageSchema = z.object({
-  content: z.string().min(1).max(4096),
-  thread_id: z.string().uuid().optional(),
-  expires_at: z.string().datetime().optional(),
-  metadata: z.record(z.unknown()).refine(
-    (val) => JSON.stringify(val).length <= MAX_METADATA_SIZE,
-    { message: `Metadata exceeds maximum size of ${MAX_METADATA_SIZE} bytes` }
-  ).optional(),
-});
-
-export const AgentSendMessageSchema = z.object({
-  content: z.string().min(1).max(4096),
-  thread_id: z.string().uuid(),
-  metadata: z.record(z.unknown()).refine(
-    (val) => JSON.stringify(val).length <= MAX_METADATA_SIZE,
-    { message: `Metadata exceeds maximum size of ${MAX_METADATA_SIZE} bytes` }
-  ).optional(),
-});

package/src/signing.ts

@@ -1,120 +0,0 @@
-import nacl from 'tweetnacl';
-import { encodeBase64, decodeBase64, decodeUTF8 } from 'tweetnacl-util';
-
-export interface SignedHeaders {
-  'x-agent-id': string;
-  'x-timestamp': string;
-  'x-signature': string;
-  'x-nonce'?: string;
-}
-
-export interface KeyPair {
-  publicKey: string;
-  privateKey: string;
-}
-
-export function generateKeypair(): KeyPair {
-  const pair = nacl.sign.keyPair();
-  return {
-    publicKey: encodeBase64(pair.publicKey),
-    privateKey: encodeBase64(pair.secretKey),
-  };
-}
-
-/**
- * Recursively stable-stringify: sorts object keys at every nesting level.
- * This is critical for signature verification — every language SDK must produce
- * the exact same canonical string for the same payload.
- *
- * Bug fixed: JSON.stringify(obj, replacerArray) only serializes keys named in the
- * replacer at every nesting level, so nested objects would be serialized as {}.
- */
-function stableStringify(val: unknown): string | undefined {
-  if (val === undefined) return undefined;
-  if (val === null) return 'null';
-  if (typeof val === 'number') {
-    // NaN, Infinity, -Infinity serialize to null per JSON spec
-    if (!Number.isFinite(val)) return 'null';
-    return JSON.stringify(val);
-  }
-  if (typeof val === 'boolean' || typeof val === 'string') return JSON.stringify(val);
-  if (Array.isArray(val)) {
-    return `[${val.map((v) => stableStringify(v) ?? 'null').join(',')}]`;
-  }
-  if (typeof val === 'object') {
-    const sorted = Object.keys(val as object).sort();
-    const pairs: string[] = [];
-    for (const k of sorted) {
-      const v = stableStringify((val as Record<string, unknown>)[k]);
-      if (v !== undefined) {
-        pairs.push(`${JSON.stringify(k)}:${v}`);
-      }
-    }
-    return `{${pairs.join(',')}}`;
-  }
-  return JSON.stringify(val);
-}
-
-export function canonicalStringify(obj: Record<string, unknown>): string {
-  return stableStringify(obj) ?? '{}';
-}
-
-export function signRequest(
-  body: Record<string, unknown>,
-  agentId: string,
-  privateKeyBase64: string
-): SignedHeaders {
-  const timestamp = Date.now().toString();
-  const nonce = encodeBase64(nacl.randomBytes(16));
-  const canonical = canonicalStringify(body);
-  const message = decodeUTF8(`${canonical}:${timestamp}:${nonce}`);
-
-  const privateKey = decodeBase64(privateKeyBase64);
-  const signature = nacl.sign.detached(message, privateKey);
-
-  return {
-    'x-agent-id': agentId,
-    'x-timestamp': timestamp,
-    'x-signature': encodeBase64(signature),
-    'x-nonce': nonce,
-  };
-}
-
-export function verifyRequest(
-  body: Record<string, unknown>,
-  headers: {
-    'x-agent-id'?: string;
-    'x-timestamp'?: string;
-    'x-signature'?: string;
-    'x-nonce'?: string;
-  },
-  publicKeyBase64: string,
-  maxSkewMs = 5 * 60 * 1000
-): { agentId: string; nonce: string } {
-  const agentId = headers['x-agent-id'];
-  const timestamp = headers['x-timestamp'];
-  const signatureB64 = headers['x-signature'];
-  const nonce = headers['x-nonce'];
-
-  if (!agentId || !timestamp || !signatureB64 || !nonce) {
-    throw new Error('Missing required signature headers');
-  }
-
-  const ts = parseInt(timestamp, 10);
-  const now = Date.now();
-  if (Math.abs(now - ts) > maxSkewMs) {
-    throw new Error(`Timestamp skew too large: ${Math.abs(now - ts)}ms`);
-  }
-
-  const canonical = canonicalStringify(body);
-  const message = decodeUTF8(`${canonical}:${timestamp}:${nonce}`);
-  const signature = decodeBase64(signatureB64);
-  const publicKey = decodeBase64(publicKeyBase64);
-
-  const valid = nacl.sign.detached.verify(message, signature, publicKey);
-  if (!valid) {
-    throw new Error('Invalid signature');
-  }
-
-  return { agentId, nonce };
-}