create-ironclaws 1.0.0

package/template/src/mount-security.ts

@@ -0,0 +1,421 @@
+/**
+ * Mount Security Module for NanoClaw
+ *
+ * Validates additional mounts against an allowlist stored OUTSIDE the project root.
+ * This prevents container agents from modifying security configuration.
+ *
+ * Allowlist location: ~/.config/nanoclaw/mount-allowlist.json
+ */
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import pino from 'pino';
+
+import { MOUNT_ALLOWLIST_PATH } from './config.js';
+import { AdditionalMount, AllowedRoot, MountAllowlist } from './types.js';
+
+const logger = pino({
+  level: process.env.LOG_LEVEL || 'info',
+  transport: { target: 'pino-pretty', options: { colorize: true } },
+});
+
+// Cache the allowlist in memory - only reloads on process restart
+let cachedAllowlist: MountAllowlist | null = null;
+let allowlistLoadError: string | null = null;
+
+/**
+ * Default blocked patterns - paths that should never be mounted
+ */
+const DEFAULT_BLOCKED_PATTERNS = [
+  '.ssh',
+  '.gnupg',
+  '.gpg',
+  '.aws',
+  '.azure',
+  '.gcloud',
+  '.kube',
+  '.docker',
+  'credentials',
+  '.env',
+  '.netrc',
+  '.npmrc',
+  '.pypirc',
+  'id_rsa',
+  'id_ed25519',
+  'private_key',
+  '.secret',
+];
+
+/**
+ * Load the mount allowlist from the external config location.
+ * Returns null if the file doesn't exist or is invalid.
+ * Result is cached in memory for the lifetime of the process.
+ */
+export function loadMountAllowlist(): MountAllowlist | null {
+  if (cachedAllowlist !== null) {
+    return cachedAllowlist;
+  }
+
+  if (allowlistLoadError !== null) {
+    // Already tried and failed, don't spam logs
+    return null;
+  }
+
+  try {
+    if (!fs.existsSync(MOUNT_ALLOWLIST_PATH)) {
+      allowlistLoadError = `Mount allowlist not found at ${MOUNT_ALLOWLIST_PATH}`;
+      logger.warn(
+        { path: MOUNT_ALLOWLIST_PATH },
+        'Mount allowlist not found - additional mounts will be BLOCKED. ' +
+          'Create the file to enable additional mounts.',
+      );
+      return null;
+    }
+
+    const content = fs.readFileSync(MOUNT_ALLOWLIST_PATH, 'utf-8');
+    const allowlist = JSON.parse(content) as MountAllowlist;
+
+    // Validate structure
+    if (!Array.isArray(allowlist.allowedRoots)) {
+      throw new Error('allowedRoots must be an array');
+    }
+
+    if (!Array.isArray(allowlist.blockedPatterns)) {
+      throw new Error('blockedPatterns must be an array');
+    }
+
+    if (typeof allowlist.nonMainReadOnly !== 'boolean') {
+      throw new Error('nonMainReadOnly must be a boolean');
+    }
+
+    // Merge with default blocked patterns
+    const mergedBlockedPatterns = [
+      ...new Set([...DEFAULT_BLOCKED_PATTERNS, ...allowlist.blockedPatterns]),
+    ];
+    allowlist.blockedPatterns = mergedBlockedPatterns;
+
+    cachedAllowlist = allowlist;
+    logger.info(
+      {
+        path: MOUNT_ALLOWLIST_PATH,
+        allowedRoots: allowlist.allowedRoots.length,
+        blockedPatterns: allowlist.blockedPatterns.length,
+      },
+      'Mount allowlist loaded successfully',
+    );
+
+    return cachedAllowlist;
+  } catch (err) {
+    allowlistLoadError = err instanceof Error ? err.message : String(err);
+    logger.error(
+      {
+        path: MOUNT_ALLOWLIST_PATH,
+        error: allowlistLoadError,
+      },
+      'Failed to load mount allowlist - additional mounts will be BLOCKED',
+    );
+    return null;
+  }
+}
+
+/**
+ * Expand ~ to home directory and resolve to absolute path
+ */
+function expandPath(p: string): string {
+  const homeDir = process.env.HOME || os.homedir();
+  if (p.startsWith('~/')) {
+    return path.join(homeDir, p.slice(2));
+  }
+  if (p === '~') {
+    return homeDir;
+  }
+  return path.resolve(p);
+}
+
+/**
+ * Get the real path, resolving symlinks.
+ * Returns null if the path doesn't exist.
+ */
+function getRealPath(p: string): string | null {
+  try {
+    return fs.realpathSync(p);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check if a path matches any blocked pattern
+ */
+function matchesBlockedPattern(
+  realPath: string,
+  blockedPatterns: string[],
+): string | null {
+  const pathParts = realPath.split(path.sep);
+
+  for (const pattern of blockedPatterns) {
+    // Check if any path component matches the pattern
+    for (const part of pathParts) {
+      if (part === pattern || part.includes(pattern)) {
+        return pattern;
+      }
+    }
+
+    // Also check if the full path contains the pattern
+    if (realPath.includes(pattern)) {
+      return pattern;
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Check if a real path is under an allowed root
+ */
+function findAllowedRoot(
+  realPath: string,
+  allowedRoots: AllowedRoot[],
+): AllowedRoot | null {
+  for (const root of allowedRoots) {
+    const expandedRoot = expandPath(root.path);
+    const realRoot = getRealPath(expandedRoot);
+
+    if (realRoot === null) {
+      // Allowed root doesn't exist, skip it
+      continue;
+    }
+
+    // Check if realPath is under realRoot
+    const relative = path.relative(realRoot, realPath);
+    if (!relative.startsWith('..') && !path.isAbsolute(relative)) {
+      return root;
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Validate the container path to prevent escaping /workspace/extra/
+ */
+function isValidContainerPath(containerPath: string): boolean {
+  // Must not contain .. to prevent path traversal
+  if (containerPath.includes('..')) {
+    return false;
+  }
+
+  // Must not be absolute (it will be prefixed with /workspace/extra/)
+  if (containerPath.startsWith('/')) {
+    return false;
+  }
+
+  // Must not be empty
+  if (!containerPath || containerPath.trim() === '') {
+    return false;
+  }
+
+  return true;
+}
+
+export interface MountValidationResult {
+  allowed: boolean;
+  reason: string;
+  realHostPath?: string;
+  resolvedContainerPath?: string;
+  effectiveReadonly?: boolean;
+}
+
+/**
+ * Validate a single additional mount against the allowlist.
+ * Returns validation result with reason.
+ */
+export function validateMount(
+  mount: AdditionalMount,
+  isMain: boolean,
+): MountValidationResult {
+  const allowlist = loadMountAllowlist();
+
+  // If no allowlist, block all additional mounts
+  if (allowlist === null) {
+    return {
+      allowed: false,
+      reason: `No mount allowlist configured at ${MOUNT_ALLOWLIST_PATH}`,
+    };
+  }
+
+  // Derive containerPath from hostPath basename if not specified
+  const containerPath = mount.containerPath || path.basename(mount.hostPath);
+
+  // Validate container path (cheap check)
+  if (!isValidContainerPath(containerPath)) {
+    return {
+      allowed: false,
+      reason: `Invalid container path: "${containerPath}" - must be relative, non-empty, and not contain ".."`,
+    };
+  }
+
+  // Expand and resolve the host path
+  const expandedPath = expandPath(mount.hostPath);
+  const realPath = getRealPath(expandedPath);
+
+  if (realPath === null) {
+    return {
+      allowed: false,
+      reason: `Host path does not exist: "${mount.hostPath}" (expanded: "${expandedPath}")`,
+    };
+  }
+
+  // Check against blocked patterns
+  const blockedMatch = matchesBlockedPattern(
+    realPath,
+    allowlist.blockedPatterns,
+  );
+  if (blockedMatch !== null) {
+    return {
+      allowed: false,
+      reason: `Path matches blocked pattern "${blockedMatch}": "${realPath}"`,
+    };
+  }
+
+  // Check if under an allowed root
+  const allowedRoot = findAllowedRoot(realPath, allowlist.allowedRoots);
+  if (allowedRoot === null) {
+    return {
+      allowed: false,
+      reason: `Path "${realPath}" is not under any allowed root. Allowed roots: ${allowlist.allowedRoots
+        .map((r) => expandPath(r.path))
+        .join(', ')}`,
+    };
+  }
+
+  // Determine effective readonly status
+  const requestedReadWrite = mount.readonly === false;
+  let effectiveReadonly = true; // Default to readonly
+
+  if (requestedReadWrite) {
+    if (!isMain && allowlist.nonMainReadOnly) {
+      // Non-main groups forced to read-only
+      effectiveReadonly = true;
+      logger.info(
+        {
+          mount: mount.hostPath,
+        },
+        'Mount forced to read-only for non-main group',
+      );
+    } else if (!allowedRoot.allowReadWrite) {
+      // Root doesn't allow read-write
+      effectiveReadonly = true;
+      logger.info(
+        {
+          mount: mount.hostPath,
+          root: allowedRoot.path,
+        },
+        'Mount forced to read-only - root does not allow read-write',
+      );
+    } else {
+      // Read-write allowed
+      effectiveReadonly = false;
+    }
+  }
+
+  return {
+    allowed: true,
+    reason: `Allowed under root "${allowedRoot.path}"${allowedRoot.description ? ` (${allowedRoot.description})` : ''}`,
+    realHostPath: realPath,
+    resolvedContainerPath: containerPath,
+    effectiveReadonly,
+  };
+}
+
+/**
+ * Validate all additional mounts for a group.
+ * Returns array of validated mounts (only those that passed validation).
+ * Logs warnings for rejected mounts.
+ */
+export interface ValidatedMount {
+  hostPath: string;
+  containerPath: string;
+  readonly: boolean;
+  worktree?: boolean; // Passed through so container-runner can resolve worktrees
+  originalHostPath?: string; // Original repo path (before worktree resolution)
+}
+
+export function validateAdditionalMounts(
+  mounts: AdditionalMount[],
+  groupName: string,
+  isMain: boolean,
+): ValidatedMount[] {
+  const validatedMounts: ValidatedMount[] = [];
+
+  for (const mount of mounts) {
+    const result = validateMount(mount, isMain);
+
+    if (result.allowed) {
+      validatedMounts.push({
+        hostPath: result.realHostPath!,
+        containerPath: `/workspace/extra/${result.resolvedContainerPath}`,
+        readonly: result.effectiveReadonly!,
+        worktree: mount.worktree,
+        originalHostPath: mount.worktree ? result.realHostPath! : undefined,
+      });
+
+      logger.debug(
+        {
+          group: groupName,
+          hostPath: result.realHostPath,
+          containerPath: result.resolvedContainerPath,
+          readonly: result.effectiveReadonly,
+          reason: result.reason,
+        },
+        'Mount validated successfully',
+      );
+    } else {
+      logger.warn(
+        {
+          group: groupName,
+          requestedPath: mount.hostPath,
+          containerPath: mount.containerPath,
+          reason: result.reason,
+        },
+        'Additional mount REJECTED',
+      );
+    }
+  }
+
+  return validatedMounts;
+}
+
+/**
+ * Generate a template allowlist file for users to customize
+ */
+export function generateAllowlistTemplate(): string {
+  const template: MountAllowlist = {
+    allowedRoots: [
+      {
+        path: '~/projects',
+        allowReadWrite: true,
+        description: 'Development projects',
+      },
+      {
+        path: '~/repos',
+        allowReadWrite: true,
+        description: 'Git repositories',
+      },
+      {
+        path: '~/Documents/work',
+        allowReadWrite: false,
+        description: 'Work documents (read-only)',
+      },
+    ],
+    blockedPatterns: [
+      // Additional patterns beyond defaults
+      'password',
+      'secret',
+      'token',
+    ],
+    nonMainReadOnly: true,
+  };
+
+  return JSON.stringify(template, null, 2);
+}

package/template/src/network-policy.ts

@@ -0,0 +1,119 @@
+/**
+ * Network policy enforcement for NanoClaw containers.
+ *
+ * Enforces per-container outbound rules via iptables in the DOCKER-USER chain:
+ *   - ACCEPT DNS (port 53 UDP/TCP)
+ *   - ACCEPT connections to OneCLI proxy (port 10255, post-DNAT)
+ *   - REJECT everything else outbound (icmp-port-unreachable, works for all protocols)
+ *
+ * Rules are tagged with the container name for precise per-container cleanup.
+ */
+import { execSync } from 'child_process';
+import os from 'os';
+import { logger } from './logger.js';
+
+// iptables enforcement is Linux-only. On macOS/Windows (local dev), containers
+// run without network enforcement — acceptable for development, not for production.
+const IPTABLES_SUPPORTED = os.platform() === 'linux';
+
+/**
+ * Resolve the OneCLI proxy container IP dynamically.
+ * The proxy runs as a Docker container — its IP changes if it restarts.
+ * We look it up from the DNAT rule so we can ACCEPT post-DNAT traffic.
+ *
+ * Throws if the IP cannot be resolved — callers must not proceed without it.
+ */
+function getOneCLIProxyIp(): string {
+  try {
+    // Read the NAT DNAT rule for port 10255 — the target IP is the OneCLI container
+    const natOutput = execSync(
+      `sudo iptables -t nat -L DOCKER -n 2>/dev/null | grep 'dpt:10255'`,
+      { encoding: 'utf-8', timeout: 5000 },
+    ).trim();
+    const match = natOutput.match(/to:(\d+\.\d+\.\d+\.\d+):/);
+    if (match) return match[1];
+  } catch { /* fall through to next method */ }
+
+  // Fallback: inspect the onecli container directly
+  try {
+    const ip = execSync(
+      `docker inspect onecli --format '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' 2>/dev/null`,
+      { encoding: 'utf-8', timeout: 5000 },
+    ).trim();
+    // Returns space-separated IPs if multiple networks — take the last non-empty one
+    const ips = ip.split(/\s+/).filter(Boolean);
+    if (ips.length > 0) return ips[ips.length - 1];
+  } catch { /* fall through */ }
+
+  throw new Error('Cannot resolve OneCLI proxy IP — is the onecli container running?');
+}
+
+/**
+ * Get the container IP (post-spawn, with retry).
+ * Returns null if the container doesn't have an IP after 10 retries (~3s).
+ */
+export function getContainerIp(containerName: string): string | null {
+  for (let i = 0; i < 10; i++) {
+    try {
+      const ip = execSync(
+        `docker inspect ${containerName} --format '{{(index .NetworkSettings.Networks "bridge").IPAddress}}' 2>/dev/null`,
+        { encoding: 'utf-8', timeout: 5000 },
+      ).trim();
+      if (ip && ip !== '<no value>') return ip;
+    } catch { /* not ready yet */ }
+    try { execSync('sleep 0.3', { stdio: 'pipe' }); } catch { /* ok */ }
+  }
+  return null;
+}
+
+/**
+ * Apply per-container iptables rules.
+ *
+ * Must be called synchronously before writing to the container's stdin.
+ * Throws on any failure — the caller must kill the container if this throws.
+ */
+export function applyContainerIptables(containerName: string, containerIp: string): void {
+  if (!IPTABLES_SUPPORTED) {
+    logger.warn({ containerName }, 'iptables not supported on this platform — network enforcement skipped (dev mode only)');
+    return;
+  }
+  const onecliIp = getOneCLIProxyIp(); // throws if not resolvable
+
+  const tag = containerName;
+  // DNS (UDP + TCP)
+  execSync(`sudo iptables -I DOCKER-USER 1 -s ${containerIp} -p udp --dport 53 -j ACCEPT -m comment --comment "${tag}"`, { stdio: 'pipe', timeout: 5000 });
+  execSync(`sudo iptables -I DOCKER-USER 1 -s ${containerIp} -p tcp --dport 53 -j ACCEPT -m comment --comment "${tag}"`, { stdio: 'pipe', timeout: 5000 });
+  // OneCLI proxy (post-DNAT destination)
+  execSync(`sudo iptables -I DOCKER-USER 1 -s ${containerIp} -d ${onecliIp} -p tcp --dport 10255 -j ACCEPT -m comment --comment "${tag}"`, { stdio: 'pipe', timeout: 5000 });
+  // Reject everything else outbound — REJECT (not DROP) so connections fail
+  // immediately rather than hanging until TCP timeout.
+  // icmp-port-unreachable works for all protocols (tcp-reset is TCP-only).
+  execSync(`sudo iptables -A DOCKER-USER -s ${containerIp} -j REJECT --reject-with icmp-port-unreachable -m comment --comment "${tag}"`, { stdio: 'pipe', timeout: 5000 });
+
+  logger.info({ containerName, containerIp, onecliIp }, 'iptables rules applied');
+}
+
+/**
+ * Remove all iptables rules tagged with this container name.
+ * Called when the container exits. Safe to call multiple times.
+ */
+export function cleanupContainerIptables(containerName: string): void {
+  if (!IPTABLES_SUPPORTED) return;
+  try {
+    const rules = execSync(
+      `sudo iptables -S DOCKER-USER 2>/dev/null | grep '${containerName}'`,
+      { encoding: 'utf-8', timeout: 5000 },
+    ).trim();
+
+    if (!rules) return;
+
+    for (const rule of rules.split('\n')) {
+      const deleteCmd = rule.replace(/^-[AI]\s+DOCKER-USER\s+/, '-D DOCKER-USER ');
+      try {
+        execSync(`sudo iptables ${deleteCmd}`, { stdio: 'pipe', timeout: 5000 });
+      } catch { /* rule may already be gone */ }
+    }
+
+    logger.info({ containerName }, 'iptables rules cleaned up');
+  } catch { /* no rules to clean up */ }
+}