clawclamp 0.1.3 → 0.1.4

package/index.js

@@ -0,0 +1,224 @@
+import { createRequire } from "node:module";
+import { join } from "path";
+import { existsSync, mkdirSync, readFileSync } from "fs";
+import { Hono } from "hono";
+import { html } from "hono/html";
+//#region \0rolldown/runtime.js
+var __require = /* @__PURE__ */ createRequire(import.meta.url);
+//#endregion
+//#region src/cedar-engine.ts
+var CedarEngine = class {
+	constructor(config) {
+		this.mode = "monitor";
+		this.mode = config.mode || "monitor";
+		console.log(`[CedarEngine] Initialized in ${this.mode} mode`);
+	}
+	setMode(mode) {
+		this.mode = mode;
+		console.log(`[CedarEngine] Switched to ${this.mode} mode`);
+	}
+	getMode() {
+		return this.mode;
+	}
+	async authorize(params) {
+		console.log(`[CedarEngine] Evaluating: ${params.principal} -> ${params.action} on ${params.resource}`);
+		let decision = "Allow";
+		const diagnostics = [];
+		if (params.action.includes("exec") && params.resource.includes("rm")) {
+			if (params.principal !== "User::\"admin\"") {
+				decision = "Deny";
+				diagnostics.push("Dangerous command 'rm' is restricted to admin.");
+			}
+		}
+		return {
+			decision,
+			diagnostics
+		};
+	}
+};
+//#endregion
+//#region src/audit-store.ts
+var AuditStore = class {
+	constructor(workspaceDir) {
+		this.entries = [];
+		const auditDir = join(workspaceDir, ".openclaw", "audit");
+		if (!existsSync(auditDir)) mkdirSync(auditDir, { recursive: true });
+		this.logFile = join(auditDir, "cedar-audit.jsonl");
+		this.load();
+	}
+	load() {
+		if (existsSync(this.logFile)) try {
+			this.entries = readFileSync(this.logFile, "utf-8").split("\n").filter((line) => line.trim()).map((line) => JSON.parse(line));
+		} catch (e) {
+			console.error("Failed to load audit logs:", e);
+		}
+	}
+	append(entry) {
+		this.entries.push(entry);
+		try {
+			const line = JSON.stringify(entry) + "\n";
+			__require("fs").appendFileSync(this.logFile, line);
+		} catch (e) {
+			console.error("Failed to write audit log:", e);
+		}
+	}
+	getAll() {
+		return this.entries;
+	}
+	getRecent(limit = 50) {
+		return this.entries.slice(-limit);
+	}
+};
+//#endregion
+//#region src/server.ts
+const createServer = (engine, store) => {
+	const app = new Hono();
+	app.get("/", (c) => {
+		const logs = store.getRecent(50);
+		const mode = engine.getMode();
+		return c.html(html`
+      <!DOCTYPE html>
+      <html>
+        <head>
+          <title>OpenClaw ClawClamp Audit</title>
+          <style>
+            body { font-family: sans-serif; padding: 20px; }
+            table { width: 100%; border-collapse: collapse; margin-top: 20px; }
+            th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
+            th { background-color: #f2f2f2; }
+            .allow { color: green; }
+            .deny { color: red; }
+            .blocked { font-weight: bold; color: darkred; }
+            .monitored { color: orange; }
+          </style>
+        </head>
+        <body>
+          <h1>ClawClamp Policy Audit</h1>
+          <p>Current Mode: <strong>${mode.toUpperCase()}</strong></p>
+          <form action="/mode" method="post">
+            <select name="mode">
+              <option value="monitor" ${mode === "monitor" ? "selected" : ""}>Monitor (Log Only)</option>
+              <option value="enforce" ${mode === "enforce" ? "selected" : ""}>Enforce (Block)</option>
+            </select>
+            <button type="submit">Update Mode</button>
+          </form>
+
+          <h2>Recent Tool Executions</h2>
+          <table>
+            <thead>
+              <tr>
+                <th>Time</th>
+                <th>Run ID</th>
+                <th>Principal</th>
+                <th>Action</th>
+                <th>Resource</th>
+                <th>Decision</th>
+                <th>Result</th>
+              </tr>
+            </thead>
+            <tbody>
+              ${logs.map((log) => html`
+                <tr>
+                  <td>${new Date(log.timestamp).toLocaleTimeString()}</td>
+                  <td>${log.runId || "-"}</td>
+                  <td>${log.principal}</td>
+                  <td>${log.action}</td>
+                  <td>${log.resource}</td>
+                  <td class="${log.decision.toLowerCase()}">${log.decision}</td>
+                  <td class="${log.blocked ? "blocked" : "monitored"}">
+                    ${log.blocked ? "BLOCKED" : "ALLOWED"}
+                  </td>
+                </tr>
+              `)}
+            </tbody>
+          </table>
+        </body>
+      </html>
+    `);
+	});
+	app.post("/mode", async (c) => {
+		const mode = (await c.req.parseBody())["mode"];
+		if (mode === "monitor" || mode === "enforce") engine.setMode(mode);
+		return c.redirect("/");
+	});
+	app.get("/api/logs", (c) => {
+		return c.json(store.getAll());
+	});
+	return app;
+};
+//#endregion
+//#region index.ts
+const plugin = {
+	id: "clawclamp",
+	name: "ClawClamp Policy Audit",
+	description: "Cedarling-based permission control with audit logging and dry-run mode.",
+	register(api) {
+		const engine = new CedarEngine({
+			mode: api.pluginConfig?.mode || "monitor",
+			policyStoreUrl: api.pluginConfig?.policyStoreUrl
+		});
+		const auditStore = new AuditStore(api.config.workspaceDir || process.cwd());
+		api.on("before_tool_call", async (event, ctx) => {
+			const { toolName, params, runId } = event;
+			const { agentId, sessionId } = ctx;
+			const principal = `User::"${agentId || "unknown"}"`;
+			const action = `Action::"tool:${toolName}"`;
+			const resource = `Resource::"global"`;
+			const result = await engine.authorize({
+				principal,
+				action,
+				resource,
+				context: {
+					sessionId,
+					runId,
+					params,
+					timestamp: Date.now()
+				}
+			});
+			const shouldBlock = result.decision === "Deny" && engine.getMode() === "enforce";
+			auditStore.append({
+				timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+				runId,
+				principal,
+				action,
+				resource,
+				decision: result.decision,
+				mode: engine.getMode(),
+				diagnostics: result.diagnostics,
+				blocked: shouldBlock
+			});
+			if (shouldBlock) return {
+				block: true,
+				blockReason: `Cedar Policy Denied: ${result.diagnostics.join("; ")}`
+			};
+		});
+		api.registerHttpRoute({
+			path: "/",
+			auth: "plugin",
+			match: "prefix",
+			handler: async (req, res) => {
+				if (req.method === "GET" && (req.url === "/" || req.url === "")) {
+					const html = await (await createServer(engine, auditStore).request("/")).text();
+					res.writeHead(200, { "Content-Type": "text/html" });
+					res.end(html);
+					return true;
+				}
+				if (req.method === "POST" && req.url === "/mode") {
+					let body = "";
+					req.on("data", (chunk) => body += chunk);
+					req.on("end", () => {
+						const mode = new URLSearchParams(body).get("mode");
+						if (mode === "enforce" || mode === "monitor") engine.setMode(mode);
+						res.writeHead(302, { "Location": "./" });
+						res.end();
+					});
+					return true;
+				}
+				return false;
+			}
+		});
+		api.logger.info("Cedar Audit Plugin Activated");
+	}
+};
+//#endregion
+export { plugin as default, plugin };

package/package.json

@@ -2,13 +2,13 @@
   "id": "clawclamp",
   "name": "clawclamp",
   "description": "Cedarling-based permission control with audit logging and dry-run mode.",
-  "version": "0.1.3",
+  "version": "0.1.4",
   "type": "module",
-  "main": "dist/index.js",
-  "types": "dist/index.d.ts",
+  "main": "index.js",
+  "types": "index.d.ts",
   "license": "MIT",
   "scripts": {
-    "build": "tsdown && mv dist/index.mjs dist/index.js",
+    "build": "tsdown && mv index.mjs index.js",
     "dev": "tsdown --watch",
     "typecheck": "tsc --noEmit"
   },
@@ -21,6 +21,6 @@
     "@types/node": "^22.10.2"
   },
   "openclaw": {
-    "extensions": ["dist/index.js"]
+    "extensions": ["index.js"]
   }
 }

package/tsdown.config.ts

@@ -5,6 +5,7 @@ export default defineConfig({
   entry: ["./index.ts"],
   format: "esm",
   target: "node18",
-  clean: true,
+  clean: false,
+  outDir: ".",
   dts: false,
 });