clawclamp 0.1.13 → 0.1.14

package/assets/app.js

@@ -14,6 +14,10 @@ const grantNoteInput = qs("grant-note");
 const grantHint = qs("grant-hint");
 const grantsEl = qs("grants");
 const auditEl = qs("audit");
+const auditPageSizeEl = qs("audit-page-size");
+const auditPrevEl = qs("audit-prev");
+const auditNextEl = qs("audit-next");
+const auditPageInfoEl = qs("audit-page-info");
 const policyListEl = qs("policy-list");
 const policyIdInput = qs("policy-id");
 const policyContentInput = qs("policy-content");
@@ -23,7 +27,9 @@ const policyDeleteBtn = qs("policy-delete");
 const policyStatusEl = qs("policy-status");
 let policyReadOnly = false;
 let policies = [];
-let deniedTools = new Set();
+let auditPage = 1;
+let auditPageSize = Number(auditPageSizeEl?.value || 50);
+let auditTotal = 0;
 
 async function fetchJson(path, opts = {}) {
   const res = await fetch(path, {
@@ -163,6 +169,15 @@ function renderAudit(entries) {
   });
 }
 
+function renderAuditPager(total, page, pageSize) {
+  auditTotal = total || 0;
+  auditPage = page || 1;
+  const totalPages = Math.max(1, Math.ceil(auditTotal / pageSize));
+  auditPageInfoEl.textContent = `第 ${auditPage} / ${totalPages} 页 · 共 ${auditTotal} 条`;
+  auditPrevEl.disabled = auditPage <= 1;
+  auditNextEl.disabled = auditPage >= totalPages;
+}
+
 function renderPolicyList(list) {
   policies = list;
   if (!list.length) {
@@ -200,8 +215,9 @@ async function refreshAll() {
   renderMode(state);
   const grants = await fetchJson(`${API_BASE}/grants`);
   renderGrants(grants.grants || []);
-  const logs = await fetchJson(`${API_BASE}/logs`);
+  const logs = await fetchJson(`${API_BASE}/logs?page=${auditPage}&pageSize=${auditPageSize}`);
   renderAudit(logs.entries || []);
+  renderAuditPager(logs.total || 0, logs.page || auditPage, logs.pageSize || auditPageSize);
   await refreshPolicies();
 }
 
@@ -240,6 +256,25 @@ grantForm.addEventListener("submit", async (event) => {
   await refreshAll();
 });
 
+auditPageSizeEl.addEventListener("change", async () => {
+  auditPageSize = Number(auditPageSizeEl.value || 50);
+  auditPage = 1;
+  await refreshAll();
+});
+
+auditPrevEl.addEventListener("click", async () => {
+  if (auditPage <= 1) return;
+  auditPage -= 1;
+  await refreshAll();
+});
+
+auditNextEl.addEventListener("click", async () => {
+  const totalPages = Math.max(1, Math.ceil(auditTotal / auditPageSize));
+  if (auditPage >= totalPages) return;
+  auditPage += 1;
+  await refreshAll();
+});
+
 refreshAll();
 setInterval(refreshAll, 10_000);
 

package/assets/index.html

@@ -66,6 +66,22 @@
       <section class="card">
         <h2>审计日志</h2>
         <div class="note">最近的工具调用记录（允许、拒绝、灰度放行）。</div>
+        <div class="toolbar">
+          <label class="toolbar-item">
+            每页
+            <select id="audit-page-size">
+              <option value="20">20</option>
+              <option value="50" selected>50</option>
+              <option value="100">100</option>
+              <option value="200">200</option>
+            </select>
+          </label>
+          <div class="toolbar-item pagination">
+            <button id="audit-prev" class="btn">上一页</button>
+            <span id="audit-page-info" class="note">第 1 页</span>
+            <button id="audit-next" class="btn">下一页</button>
+          </div>
+        </div>
         <div class="table" id="audit"></div>
       </section>
 

package/assets/styles.css

@@ -119,6 +119,31 @@ h2 {
   margin-top: 6px;
 }
 
+.toolbar {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 10px;
+  margin-top: 10px;
+  flex-wrap: wrap;
+}
+
+.toolbar-item {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  font-size: 0.82rem;
+  color: var(--muted);
+}
+
+.toolbar-item select {
+  min-width: 76px;
+}
+
+.pagination {
+  margin-left: auto;
+}
+
 .btn {
   padding: 8px 12px;
   border-radius: 8px;
@@ -171,7 +196,8 @@ h2 {
   color: var(--muted);
 }
 
-input {
+input,
+select {
   border: 1px solid var(--border);
   border-radius: 8px;
   padding: 8px 10px;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clawclamp",
-  "version": "0.1.13",
+  "version": "0.1.14",
   "description": "OpenClaw Cedar authorization guard with audit UI",
   "type": "module",
   "dependencies": {

package/src/audit.ts

@@ -5,11 +5,17 @@ import type { AuditEntry } from "./types.js";
 import { withStateFileLock } from "./storage.js";
 
 const AUDIT_FILE = "audit.jsonl";
+const AUDIT_ROTATE_MAX_LINES = 5000;
+const AUDIT_ROTATE_KEEP_LINES = 2500;
 
 function resolveAuditPath(stateDir: string): string {
   return path.join(stateDir, "clawclamp", AUDIT_FILE);
 }
 
+function resolveAuditArchivePath(stateDir: string, timestamp: string): string {
+  return path.join(stateDir, "clawclamp", `audit-${timestamp}.jsonl`);
+}
+
 export function createAuditEntryId(): string {
   return randomUUID();
 }
@@ -19,10 +25,38 @@ export async function appendAuditEntry(stateDir: string, entry: AuditEntry): Pro
     const filePath = resolveAuditPath(stateDir);
     await fs.mkdir(path.dirname(filePath), { recursive: true });
     await fs.appendFile(filePath, `${JSON.stringify(entry)}\n`, "utf8");
+    await rotateAuditLogIfNeeded(stateDir, filePath);
   });
 }
 
-export async function readAuditEntries(stateDir: string, limit: number): Promise<AuditEntry[]> {
+async function rotateAuditLogIfNeeded(stateDir: string, filePath: string): Promise<void> {
+  let raw: string;
+  try {
+    raw = await fs.readFile(filePath, "utf8");
+  } catch (error) {
+    const code = (error as { code?: string }).code;
+    if (code === "ENOENT") {
+      return;
+    }
+    throw error;
+  }
+  const lines = raw.split("\n").filter(Boolean);
+  if (lines.length <= AUDIT_ROTATE_MAX_LINES) {
+    return;
+  }
+  const cutoff = Math.max(0, lines.length - AUDIT_ROTATE_KEEP_LINES);
+  const archived = lines.slice(0, cutoff);
+  const current = lines.slice(cutoff);
+  const archivePath = resolveAuditArchivePath(stateDir, new Date().toISOString().replace(/[:.]/g, "-"));
+  await fs.writeFile(archivePath, `${archived.join("\n")}\n`, "utf8");
+  await fs.writeFile(filePath, current.length ? `${current.join("\n")}\n` : "", "utf8");
+}
+
+export async function readAuditEntries(
+  stateDir: string,
+  page: number,
+  pageSize: number,
+): Promise<{ entries: AuditEntry[]; total: number; page: number }> {
   return withStateFileLock(stateDir, "audit", async () => {
     const filePath = resolveAuditPath(stateDir);
     let raw: string;
@@ -31,14 +65,19 @@ export async function readAuditEntries(stateDir: string, limit: number): Promise
     } catch (error) {
       const code = (error as { code?: string }).code;
       if (code === "ENOENT") {
-        return [];
+        return { entries: [], total: 0, page: 1 };
       }
       throw error;
     }
 
     const lines = raw.trim().split("\n").filter(Boolean);
-    const start = Math.max(0, lines.length - limit);
-    const recent = lines.slice(start);
+    const total = lines.length;
+    const safePageSize = Math.max(1, pageSize);
+    const totalPages = Math.max(1, Math.ceil(total / safePageSize));
+    const safePage = Math.min(Math.max(1, page), totalPages);
+    const start = Math.max(0, total - safePage * safePageSize);
+    const end = total - (safePage - 1) * safePageSize;
+    const recent = lines.slice(start, end);
     const entries: AuditEntry[] = [];
     for (const line of recent) {
       try {
@@ -50,6 +89,6 @@ export async function readAuditEntries(stateDir: string, limit: number): Promise
         // Ignore malformed lines.
       }
     }
-    return entries;
+    return { entries, total, page: safePage };
   });
 }

package/src/cedarling.ts

@@ -24,6 +24,10 @@ export async function getCedarling(config: CedarlingConfig): Promise<CedarlingIn
   return cedarlingPromise;
 }
 
+export function resetCedarlingInstance(): void {
+  cedarlingPromise = null;
+}
+
 async function ensureWasmInitialized(): Promise<void> {
   if (!wasmInitPromise) {
     wasmInitPromise = (async () => {

package/src/grants.ts

@@ -4,48 +4,134 @@ import { randomUUID } from "node:crypto";
 import { readJsonFileWithFallback, writeJsonFileAtomically } from "openclaw/plugin-sdk";
 import type { ClawClampConfig, GrantRecord } from "./types.js";
 import { withStateFileLock } from "./storage.js";
+import { buildDefaultPolicyStore } from "./policy.js";
 
-const GRANTS_FILE = "grants.json";
+const POLICY_FILE = "policy-store.json";
+const POLICY_STORE_ID = "clawclamp";
+const GRANT_POLICY_PREFIX = "grant:";
 
-type GrantState = {
-  grants: GrantRecord[];
+type PolicyRecord = {
+  cedar_version?: string;
+  name?: string;
+  description?: string;
+  policy_content: string;
 };
 
-const EMPTY_STATE: GrantState = { grants: [] };
+type PolicyStoreBody = {
+  name?: string;
+  description?: string;
+  schema?: unknown;
+  trusted_issuers?: Record<string, unknown>;
+  policies?: Record<string, PolicyRecord>;
+};
+
+type PolicyStoreSnapshot = {
+  cedar_version: string;
+  policy_stores: Record<string, PolicyStoreBody>;
+};
 
-function resolveGrantPath(stateDir: string): string {
-  return path.join(stateDir, "clawclamp", GRANTS_FILE);
+function resolvePolicyPath(stateDir: string): string {
+  return path.join(stateDir, "clawclamp", POLICY_FILE);
 }
 
-async function readGrantState(stateDir: string): Promise<GrantState> {
-  const filePath = resolveGrantPath(stateDir);
-  const { value } = await readJsonFileWithFallback(filePath, EMPTY_STATE);
-  if (!value || typeof value !== "object" || Array.isArray(value)) {
-    return { grants: [] };
-  }
-  const grants = Array.isArray((value as GrantState).grants) ? (value as GrantState).grants : [];
-  return { grants };
+function encodeBase64(value: string): string {
+  return Buffer.from(value, "utf8").toString("base64");
+}
+
+function decodeBase64(value: string): string {
+  return Buffer.from(value, "base64").toString("utf8");
+}
+
+async function readPolicyStore(stateDir: string): Promise<PolicyStoreSnapshot> {
+  const filePath = resolvePolicyPath(stateDir);
+  const { value } = await readJsonFileWithFallback<PolicyStoreSnapshot>(
+    filePath,
+    buildDefaultPolicyStore() as PolicyStoreSnapshot,
+  );
+  return value;
 }
 
-async function writeGrantState(stateDir: string, state: GrantState): Promise<void> {
-  const filePath = resolveGrantPath(stateDir);
+async function writePolicyStore(stateDir: string, store: PolicyStoreSnapshot): Promise<void> {
+  const filePath = resolvePolicyPath(stateDir);
   await fs.mkdir(path.dirname(filePath), { recursive: true });
-  await writeJsonFileAtomically(filePath, state);
+  await writeJsonFileAtomically(filePath, store);
+}
+
+function getWritableStore(store: PolicyStoreSnapshot): PolicyStoreBody {
+  const current = store.policy_stores?.[POLICY_STORE_ID];
+  if (!current) {
+    throw new Error("clawclamp policy store not found");
+  }
+  current.policies ??= {};
+  return current;
+}
+
+function grantPolicyId(createdAtMs: number): string {
+  return `${GRANT_POLICY_PREFIX}${createdAtMs}:${randomUUID()}`;
+}
+
+function buildGrantPolicy(toolName: string, expiresAtMs: number): string {
+  const toolClause =
+    toolName === "*" ? "true" : `resource.name == ${JSON.stringify(toolName)}`;
+  return `permit(principal, action, resource)
+when {
+  action == Action::"Invoke" &&
+  context.now < ${expiresAtMs} &&
+  ${toolClause}
+};`;
 }
 
-function pruneExpired(grants: GrantRecord[], now: Date): GrantRecord[] {
-  return grants.filter((grant) => Date.parse(grant.expiresAt) > now.getTime());
+function parseGrantPolicy(id: string, record: PolicyRecord): GrantRecord | null {
+  if (!id.startsWith(GRANT_POLICY_PREFIX)) {
+    return null;
+  }
+  const content = decodeBase64(record.policy_content ?? "");
+  const createdAtMatch = /^grant:(\d+):/.exec(id);
+  const expiresAtMatch = /context\.now\s*<\s*(\d+)/.exec(content);
+  const toolMatch = /resource\.name\s*==\s*"([^"]+)"/.exec(content);
+  const createdAtMs = createdAtMatch ? Number(createdAtMatch[1]) : Date.now();
+  const expiresAtMs = expiresAtMatch ? Number(expiresAtMatch[1]) : 0;
+  if (!Number.isFinite(expiresAtMs) || expiresAtMs <= 0) {
+    return null;
+  }
+  return {
+    id,
+    toolName: toolMatch?.[1] ?? "*",
+    createdAt: new Date(createdAtMs).toISOString(),
+    expiresAt: new Date(expiresAtMs).toISOString(),
+    note: record.description?.trim() || undefined,
+  };
+}
+
+function sortNewestFirst(left: GrantRecord, right: GrantRecord): number {
+  return Date.parse(right.createdAt) - Date.parse(left.createdAt);
+}
+
+function pruneExpiredPolicies(policies: Record<string, PolicyRecord>, nowMs: number): boolean {
+  let changed = false;
+  for (const [id, record] of Object.entries(policies)) {
+    const grant = parseGrantPolicy(id, record);
+    if (grant && Date.parse(grant.expiresAt) <= nowMs) {
+      delete policies[id];
+      changed = true;
+    }
+  }
+  return changed;
 }
 
 export async function listGrants(stateDir: string): Promise<GrantRecord[]> {
-  return withStateFileLock(stateDir, "grants", async () => {
-    const state = await readGrantState(stateDir);
-    const now = new Date();
-    const pruned = pruneExpired(state.grants, now);
-    if (pruned.length !== state.grants.length) {
-      await writeGrantState(stateDir, { grants: pruned });
+  return withStateFileLock(stateDir, "policy-store", async () => {
+    const store = await readPolicyStore(stateDir);
+    const policyStore = getWritableStore(store);
+    const nowMs = Date.now();
+    const changed = pruneExpiredPolicies(policyStore.policies ?? {}, nowMs);
+    if (changed) {
+      await writePolicyStore(stateDir, store);
     }
-    return pruned;
+    return Object.entries(policyStore.policies ?? {})
+      .map(([id, record]) => parseGrantPolicy(id, record))
+      .filter((grant): grant is GrantRecord => Boolean(grant))
+      .sort(sortNewestFirst);
   });
 }
 
@@ -56,47 +142,42 @@ export async function createGrant(params: {
   ttlSeconds?: number;
   note?: string;
 }): Promise<GrantRecord> {
-  return withStateFileLock(params.stateDir, "grants", async () => {
-    const state = await readGrantState(params.stateDir);
-    const now = new Date();
+  return withStateFileLock(params.stateDir, "policy-store", async () => {
+    const store = await readPolicyStore(params.stateDir);
+    const policyStore = getWritableStore(store);
+    const nowMs = Date.now();
     const ttlSeconds = Math.min(
       Math.max(60, params.ttlSeconds ?? params.config.grants.defaultTtlSeconds),
       params.config.grants.maxTtlSeconds,
     );
-    const expiresAt = new Date(now.getTime() + ttlSeconds * 1000);
-    const grant: GrantRecord = {
-      id: randomUUID(),
+    const expiresAtMs = nowMs + ttlSeconds * 1000;
+    const id = grantPolicyId(nowMs);
+    policyStore.policies![id] = {
+      cedar_version: store.cedar_version,
+      name: `Grant ${params.toolName}`,
+      description: params.note?.trim() || undefined,
+      policy_content: encodeBase64(buildGrantPolicy(params.toolName, expiresAtMs)),
+    };
+    await writePolicyStore(params.stateDir, store);
+    return {
+      id,
       toolName: params.toolName,
-      createdAt: now.toISOString(),
-      expiresAt: expiresAt.toISOString(),
-      note: params.note?.trim() ? params.note.trim() : undefined,
+      createdAt: new Date(nowMs).toISOString(),
+      expiresAt: new Date(expiresAtMs).toISOString(),
+      note: params.note?.trim() || undefined,
     };
-    const pruned = pruneExpired(state.grants, now);
-    pruned.push(grant);
-    await writeGrantState(params.stateDir, { grants: pruned });
-    return grant;
   });
 }
 
 export async function revokeGrant(stateDir: string, grantId: string): Promise<boolean> {
-  return withStateFileLock(stateDir, "grants", async () => {
-    const state = await readGrantState(stateDir);
-    const next = state.grants.filter((grant) => grant.id !== grantId);
-    const changed = next.length !== state.grants.length;
-    if (changed) {
-      await writeGrantState(stateDir, { grants: next });
-    }
-    return changed;
-  });
-}
-
-export function findActiveGrant(grants: GrantRecord[], toolName: string): GrantRecord | undefined {
-  const now = Date.now();
-  return grants.find((grant) => {
-    if (grant.toolName !== "*" && grant.toolName !== toolName) {
+  return withStateFileLock(stateDir, "policy-store", async () => {
+    const store = await readPolicyStore(stateDir);
+    const policyStore = getWritableStore(store);
+    if (!policyStore.policies?.[grantId]) {
       return false;
     }
-    const expiresAt = Date.parse(grant.expiresAt);
-    return Number.isFinite(expiresAt) && expiresAt > now;
+    delete policyStore.policies[grantId];
+    await writePolicyStore(stateDir, store);
+    return true;
   });
 }

package/src/guard.ts

@@ -5,9 +5,8 @@ import type {
   PluginHookToolContext,
 } from "openclaw/plugins/types";
 import type { CedarlingConfig, CedarlingInstance } from "./cedarling.js";
-import { getCedarling } from "./cedarling.js";
+import { getCedarling, resetCedarlingInstance } from "./cedarling.js";
 import { appendAuditEntry, createAuditEntryId } from "./audit.js";
-import { listGrants, findActiveGrant } from "./grants.js";
 import { getModeOverride } from "./mode.js";
 import { buildDefaultPolicyStore } from "./policy.js";
 import { ensurePolicyStore } from "./policy-store.js";
@@ -111,8 +110,6 @@ async function evaluateCedar(params: {
   config: ClawClampConfig;
   toolName: string;
   risk: RiskLevel;
-  grantActive: boolean;
-  grantExpiresAt?: string;
 }): Promise<CedarEvaluation> {
   const now = Date.now();
   const request = {
@@ -134,8 +131,6 @@ async function evaluateCedar(params: {
       now,
       tool: params.toolName,
       risk: params.risk,
-      grant_active: params.grantActive,
-      grant_expires_at: params.grantExpiresAt ? Date.parse(params.grantExpiresAt) : 0,
     },
   };
 
@@ -154,6 +149,7 @@ export class ClawClampService {
   private readonly stateDir: string;
   private readonly api: OpenClawPluginApi;
   private cedarlingPromise: Promise<CedarlingInstance> | null = null;
+  private cedarlingPolicyStoreJson: string | null = null;
 
   constructor(params: { api: OpenClawPluginApi; config: ClawClampConfig; stateDir: string }) {
     this.api = params.api;
@@ -170,7 +166,6 @@ export class ClawClampService {
     const paramsSummary = summarizeParams(event.params, this.config);
     const auditId = createAuditEntryId();
     const mode = await this.getEffectiveMode();
-    const grant = await this.resolveGrant(toolName);
 
     let cedarDecision: CedarEvaluation;
     if (this.config.enabled) {
@@ -181,8 +176,6 @@ export class ClawClampService {
           config: this.config,
           toolName,
           risk,
-          grantActive: Boolean(grant),
-          grantExpiresAt: grant?.expiresAt,
         });
       } catch (error) {
         const reason = error instanceof Error ? error.message : String(error);
@@ -229,8 +222,6 @@ export class ClawClampService {
       decision: finalDecision,
       reason,
       params: paramsSummary,
-      grantId: grant?.id,
-      grantExpiresAt: grant?.expiresAt,
       grayMode: mode === "gray",
     };
 
@@ -270,19 +261,19 @@ export class ClawClampService {
     return override ?? this.config.mode;
   }
 
-  async resolveGrant(toolName: string) {
-    const grants = await listGrants(this.stateDir);
-    return findActiveGrant(grants, toolName);
-  }
-
   private async getCedarlingInstance(): Promise<CedarlingInstance> {
-    if (!this.cedarlingPromise) {
-      const policyStore = await ensurePolicyStore({ stateDir: this.stateDir, config: this.config });
+    const policyStore = await ensurePolicyStore({ stateDir: this.stateDir, config: this.config });
+    if (
+      !this.cedarlingPromise ||
+      (!policyStore.readOnly && policyStore.json && policyStore.json !== this.cedarlingPolicyStoreJson)
+    ) {
       const cedarConfig = buildCedarlingConfig({
         config: this.config,
         policyStoreLocal: policyStore.readOnly ? undefined : policyStore.json,
       });
+      resetCedarlingInstance();
       this.cedarlingPromise = getCedarling(cedarConfig);
+      this.cedarlingPolicyStoreJson = policyStore.readOnly ? null : (policyStore.json ?? null);
     }
     try {
       return await this.cedarlingPromise;
@@ -294,6 +285,8 @@ export class ClawClampService {
 
   async resetCedarling(): Promise<void> {
     this.cedarlingPromise = null;
+    this.cedarlingPolicyStoreJson = null;
+    resetCedarlingInstance();
   }
 }
 

package/src/http.ts

@@ -279,13 +279,20 @@ export function createClawClampHttpHandler(params: {
     }
 
     if (apiPath === "logs" && req.method === "GET") {
-      const limitParam = parsed.searchParams.get("limit");
-      const limit = Math.min(
-        Math.max(1, Number(limitParam) || params.config.audit.maxEntries),
+      const pageParam = parsed.searchParams.get("page");
+      const pageSizeParam = parsed.searchParams.get("pageSize");
+      const page = Math.max(1, Number(pageParam) || 1);
+      const pageSize = Math.min(
+        Math.max(1, Number(pageSizeParam) || 50),
         params.config.audit.maxEntries,
       );
-      const entries = await readAuditEntries(params.stateDir, limit);
-      sendJson(res, 200, { entries: entries.reverse() });
+      const result = await readAuditEntries(params.stateDir, page, pageSize);
+      sendJson(res, 200, {
+        entries: result.entries.reverse(),
+        total: result.total,
+        page: result.page,
+        pageSize,
+      });
       return true;
     }
 

package/src/policy.ts

@@ -33,18 +33,11 @@ action "Invoke" appliesTo {
     now: Long,
     tool: String,
     risk: String,
-    grant_active: Bool,
-    grant_expires_at: Long,
   }
 };
 `;
 
-const DEFAULT_POLICIES: string[] = [
-  `permit(principal, action, resource)
-when {
-  action == Action::"Invoke" && context.grant_active == true
-};`,
-];
+const DEFAULT_POLICIES: string[] = [];
 
 const POLICY_STORE_ID = "clawclamp";