matimo 0.1.0-alpha.9 → 0.1.1

package/packages/core/dist/policy/approval-manifest.js

@@ -0,0 +1,197 @@
+/**
+ * Approval Manifest for Matimo.
+ *
+ * Manages HMAC-signed approval records for agent-created tools.
+ * Prevents agent forgery of approvals via cryptographic verification.
+ */
+import { createHmac, randomUUID, createHash } from 'crypto';
+import fs from 'fs';
+import path from 'path';
+import { MatimoError, ErrorCode } from '../errors/matimo-error';
+import { getGlobalMatimoLogger } from '../logging';
+export class ApprovalManifest {
+    /**
+     * @param approvalDir - Directory where `.matimo-approvals.json` lives
+     * @param secret - HMAC secret. If not provided, reads `MATIMO_APPROVAL_SECRET`
+     *   from env. If that's also missing, generates one and logs it.
+     * @param ttlSeconds - Optional TTL in seconds. Approvals older than this are treated as expired.
+     */
+    constructor(approvalDir, secret, ttlSeconds) {
+        this.cache = new Map();
+        this.pendingSet = new Set();
+        this.ttlSeconds = ttlSeconds;
+        this.manifestPath = path.join(approvalDir, '.matimo-approvals.json');
+        if (secret) {
+            this.secret = secret;
+        }
+        else if (process.env.MATIMO_APPROVAL_SECRET) {
+            this.secret = process.env.MATIMO_APPROVAL_SECRET;
+        }
+        else {
+            if (process.env.NODE_ENV === 'production' || process.env.MATIMO_ENV === 'production') {
+                throw new MatimoError('MATIMO_APPROVAL_SECRET is required in production environments. ' +
+                    'Set it to a stable, securely generated value (e.g. from a secrets manager).', ErrorCode.AUTH_FAILED);
+            }
+            this.secret = randomUUID();
+            const logger = getGlobalMatimoLogger();
+            // Create a non-sensitive fingerprint for debugging (first 4 chars only)
+            const fingerprint = this.secret.substring(0, 4);
+            logger.warn('No MATIMO_APPROVAL_SECRET set. An ephemeral secret was auto-generated ' +
+                '(fingerprint: ' +
+                fingerprint +
+                '...) ' +
+                'for this process. Approvals may not persist across restarts. ' +
+                'To persist approvals, set MATIMO_APPROVAL_SECRET to a stable, securely ' +
+                'generated value in the environment.');
+        }
+        this.loadFromDisk();
+    }
+    /**
+     * Compute the HMAC signature for a tool approval.
+     */
+    sign(toolName, yamlHash) {
+        return createHmac('sha256', this.secret).update(`${toolName}:${yamlHash}`).digest('hex');
+    }
+    /**
+     * Compute SHA-256 hash of content.
+     */
+    computeHash(content) {
+        return createHash('sha256').update(content, 'utf8').digest('hex');
+    }
+    /**
+     * Verify that an approval record has a valid HMAC signature and
+     * the stored hash matches the current YAML content hash.
+     */
+    isApproved(toolName, currentYamlHash) {
+        const record = this.cache.get(toolName);
+        if (!record)
+            return false;
+        // Hash mismatch = YAML was modified after approval → revoked
+        if (record.hash !== currentYamlHash)
+            return false;
+        // TTL check — if configured, reject approvals older than ttlSeconds
+        if (this.ttlSeconds !== undefined) {
+            // Fail closed if timestamp is missing or unparsable
+            if (!record.approvedAt)
+                return false;
+            const approvedAt = new Date(record.approvedAt).getTime();
+            if (!Number.isFinite(approvedAt))
+                return false;
+            const ageMs = Date.now() - approvedAt;
+            if (ageMs > this.ttlSeconds * 1000)
+                return false;
+        }
+        // Verify HMAC to detect manifest tampering
+        const expectedSig = this.sign(toolName, record.hash);
+        return record.signature === expectedSig;
+    }
+    /**
+     * Approve a tool. Creates an HMAC-signed record in the manifest.
+     */
+    approve(toolName, yamlHash, approvedBy) {
+        const signature = this.sign(toolName, yamlHash);
+        const record = {
+            name: toolName,
+            hash: yamlHash,
+            signature,
+            approvedAt: new Date().toISOString(),
+            approvedBy,
+        };
+        this.cache.set(toolName, record);
+        this.saveToDisk();
+    }
+    /**
+     * Revoke a tool's approval. Removes from both cache and pendingSet
+     * to ensure consistent state (tool no longer tracked as approved or pending).
+     */
+    revoke(toolName) {
+        const cacheDeleted = this.cache.delete(toolName);
+        const pendingDeleted = this.pendingSet.delete(toolName);
+        if (cacheDeleted || pendingDeleted) {
+            this.saveToDisk();
+        }
+        return cacheDeleted || pendingDeleted;
+    }
+    /**
+     * Get the approval record for a tool.
+     */
+    getApproval(toolName) {
+        return this.cache.get(toolName);
+    }
+    /**
+     * List all approved tool names.
+     */
+    listApproved() {
+        return Array.from(this.cache.keys());
+    }
+    /**
+     * Mark a tool as pending approval. Called by matimo_create_tool after writing to disk.
+     */
+    markPending(toolName) {
+        this.pendingSet.add(toolName);
+        this.saveToDisk();
+    }
+    /**
+     * Return all tool names that have been proposed (written to disk) but not yet approved.
+     */
+    getPendingTools() {
+        return Array.from(this.pendingSet).filter((name) => !this.cache.has(name));
+    }
+    /**
+     * Load the manifest file from disk.
+     */
+    loadFromDisk() {
+        try {
+            if (!fs.existsSync(this.manifestPath))
+                return;
+            const raw = fs.readFileSync(this.manifestPath, 'utf-8');
+            const data = JSON.parse(raw);
+            if (data.version !== '1' || !Array.isArray(data.approvals))
+                return;
+            this.cache.clear();
+            for (const record of data.approvals) {
+                if (record.name && record.hash && record.signature) {
+                    this.cache.set(record.name, record);
+                }
+            }
+            this.pendingSet.clear();
+            if (Array.isArray(data.pending)) {
+                for (const name of data.pending) {
+                    if (typeof name === 'string')
+                        this.pendingSet.add(name);
+                }
+            }
+        }
+        catch {
+            // Corrupted manifest — start fresh
+            const logger = getGlobalMatimoLogger();
+            logger.warn('Failed to load approval manifest, starting fresh', {
+                path: this.manifestPath,
+            });
+            this.cache.clear();
+            this.pendingSet.clear();
+        }
+    }
+    /**
+     * Save current approvals to disk using atomic write pattern.
+     * Writes to a temporary file first, then atomically renames it.
+     * This prevents data corruption if the process crashes mid-write.
+     */
+    saveToDisk() {
+        const data = {
+            version: '1',
+            approvals: Array.from(this.cache.values()),
+            pending: Array.from(this.pendingSet).filter((name) => !this.cache.has(name)),
+        };
+        const dir = path.dirname(this.manifestPath);
+        if (!fs.existsSync(dir)) {
+            fs.mkdirSync(dir, { recursive: true });
+        }
+        // Atomic write: write to temp file, then rename
+        const json = JSON.stringify(data, null, 2);
+        const tempPath = path.join(dir, `${path.basename(this.manifestPath)}.tmp-${process.pid}-${Date.now()}`);
+        fs.writeFileSync(tempPath, json, 'utf-8');
+        fs.renameSync(tempPath, this.manifestPath);
+    }
+}
+//# sourceMappingURL=approval-manifest.js.map

package/packages/core/dist/policy/approval-manifest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval-manifest.js","sourceRoot":"","sources":["../../src/policy/approval-manifest.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC5D,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAChE,OAAO,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAgBnD,MAAM,OAAO,gBAAgB;IAO3B;;;;;OAKG;IACH,YAAY,WAAmB,EAAE,MAAe,EAAE,UAAmB;QAV7D,UAAK,GAAgC,IAAI,GAAG,EAAE,CAAC;QAC/C,eAAU,GAAgB,IAAI,GAAG,EAAE,CAAC;QAU1C,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,wBAAwB,CAAC,CAAC;QAErE,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACvB,CAAC;aAAM,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,EAAE,CAAC;YAC9C,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;QACnD,CAAC;aAAM,CAAC;YACN,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,KAAK,YAAY,EAAE,CAAC;gBACrF,MAAM,IAAI,WAAW,CACnB,iEAAiE;oBAC/D,6EAA6E,EAC/E,SAAS,CAAC,WAAW,CACtB,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,MAAM,GAAG,UAAU,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,qBAAqB,EAAE,CAAC;YACvC,wEAAwE;YACxE,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YAChD,MAAM,CAAC,IAAI,CACT,wEAAwE;gBACtE,gBAAgB;gBAChB,WAAW;gBACX,OAAO;gBACP,+DAA+D;gBAC/D,yEAAyE;gBACzE,qCAAqC,CACxC,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,YAAY,EAAE,CAAC;IACtB,CAAC;IAED;;OAEG;IACK,IAAI,CAAC,QAAgB,EAAE,QAAgB;QAC7C,OAAO,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,GAAG,QAAQ,IAAI,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3F,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,OAAe;QACzB,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACpE,CAAC;IAED;;;OAGG;IACH,UAAU,CAAC,QAAgB,EAAE,eAAuB;QAClD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACxC,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAE1B,6DAA6D;QAC7D,IAAI,MAAM,CAAC,IAAI,KAAK,eAAe;YAAE,OAAO,KAAK,CAAC;QAElD,oEAAoE;QACpE,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YAClC,oDAAoD;YACpD,IAAI,CAAC,MAAM,CAAC,UAAU;gBAAE,OAAO,KAAK,CAAC;YACrC,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,CAAC;YACzD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC;YACtC,IAAI,KAAK,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI;gBAAE,OAAO,KAAK,CAAC;QACnD,CAAC;QAED,2CAA2C;QAC3C,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QACrD,OAAO,MAAM,CAAC,SAAS,KAAK,WAAW,CAAC;IAC1C,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,QAAgB,EAAE,QAAgB,EAAE,UAAmB;QAC7D,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAChD,MAAM,MAAM,GAAmB;YAC7B,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,QAAQ;YACd,SAAS;YACT,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACpC,UAAU;SACX,CAAC;QACF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACjC,IAAI,CAAC,UAAU,EAAE,CAAC;IACpB,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,QAAgB;QACrB,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACjD,MAAM,cAAc,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACxD,IAAI,YAAY,IAAI,cAAc,EAAE,CAAC;YACnC,IAAI,CAAC,UAAU,EAAE,CAAC;QACpB,CAAC;QACD,OAAO,YAAY,IAAI,cAAc,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,QAAgB;QAC1B,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAClC,CAAC;IAED;;OAEG;IACH,YAAY;QACV,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IACvC,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,QAAgB;QAC1B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC9B,IAAI,CAAC,UAAU,EAAE,CAAC;IACpB,CAAC;IAED;;OAEG;IACH,eAAe;QACb,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;IAC7E,CAAC;IAED;;OAEG;IACK,YAAY;QAClB,IAAI,CAAC;YACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC;gBAAE,OAAO;YAC9C,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;YACxD,MAAM,IAAI,GAAiB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC3C,IAAI,IAAI,CAAC,OAAO,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC;gBAAE,OAAO;YAEnE,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACnB,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACpC,IAAI,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;oBACnD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;gBACtC,CAAC;YACH,CAAC;YAED,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YACxB,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAChC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;oBAChC,IAAI,OAAO,IAAI,KAAK,QAAQ;wBAAE,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBAC1D,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,mCAAmC;YACnC,MAAM,MAAM,GAAG,qBAAqB,EAAE,CAAC;YACvC,MAAM,CAAC,IAAI,CAAC,kDAAkD,EAAE;gBAC9D,IAAI,EAAE,IAAI,CAAC,YAAY;aACxB,CAAC,CAAC;YACH,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACnB,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QAC1B,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,UAAU;QAChB,MAAM,IAAI,GAAiB;YACzB,OAAO,EAAE,GAAG;YACZ,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YAC1C,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;SAC7E,CAAC;QACF,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC5C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzC,CAAC;QAED,gDAAgD;QAChD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CACxB,GAAG,EACH,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CACvE,CAAC;QACF,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QAC1C,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;IAC7C,CAAC;CACF"}

package/packages/core/dist/policy/content-validator.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Content Validator for Matimo tools.
+ *
+ * Deterministic structural rules that detect malicious or unsafe patterns
+ * in agent-created tool definitions. No LLM involved.
+ */
+import type { ToolDefinition } from '../core/schema';
+import type { ValidationResult, ValidationContext } from './types';
+/**
+ * Validate a tool definition against content safety rules.
+ * Returns all violations found (does not short-circuit).
+ */
+export declare function validateToolContent(tool: ToolDefinition, context: ValidationContext): ValidationResult;
+/**
+ * Check if a URL targets an internal/metadata network (SSRF protection).
+ * Handles IPv4, IPv6, and common internal hostnames.
+ */
+export declare function isSSRFTarget(url: string): boolean;
+//# sourceMappingURL=content-validator.d.ts.map

package/packages/core/dist/policy/content-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"content-validator.d.ts","sourceRoot":"","sources":["../../src/policy/content-validator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,KAAK,EAAE,gBAAgB,EAAE,iBAAiB,EAAa,MAAM,SAAS,CAAC;AAM9E;;;GAGG;AACH,wBAAgB,mBAAmB,CACjC,IAAI,EAAE,cAAc,EACpB,OAAO,EAAE,iBAAiB,GACzB,gBAAgB,CAqHlB;AAkBD;;;GAGG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CA4CjD"}

package/packages/core/dist/policy/content-validator.js

@@ -0,0 +1,196 @@
+/**
+ * Content Validator for Matimo tools.
+ *
+ * Deterministic structural rules that detect malicious or unsafe patterns
+ * in agent-created tool definitions. No LLM involved.
+ */
+import { extractAuthPlaceholders } from '../mcp/tool-converter';
+const DEFAULT_ALLOWED_HTTP_METHODS = ['GET', 'POST'];
+const DEFAULT_PROTECTED_NAMESPACES = ['matimo_'];
+/**
+ * Validate a tool definition against content safety rules.
+ * Returns all violations found (does not short-circuit).
+ */
+export function validateToolContent(tool, context) {
+    const violations = [];
+    const config = context.policy ?? {};
+    // Only apply restrictive rules to untrusted sources
+    if (context.source !== 'untrusted') {
+        return { valid: true, violations: [] };
+    }
+    // Rule 1: Block execution type: function (arbitrary code)
+    if (tool.execution.type === 'function') {
+        if (!config.allowFunctionTools) {
+            violations.push({
+                rule: 'no-function-execution',
+                severity: 'critical',
+                message: 'Agent-created tools cannot use execution type "function" (arbitrary code execution)',
+            });
+        }
+    }
+    // Rule 2: Block execution type: command (shell injection)
+    if (tool.execution.type === 'command') {
+        if (!config.allowCommandTools) {
+            violations.push({
+                rule: 'no-command-execution',
+                severity: 'critical',
+                message: 'Agent-created tools cannot use execution type "command" (shell injection risk)',
+            });
+        }
+    }
+    // Rule 3: Block SSRF targets in HTTP URLs
+    if (tool.execution.type === 'http') {
+        const url = tool.execution.url;
+        if (isSSRFTarget(url)) {
+            violations.push({
+                rule: 'no-ssrf',
+                severity: 'critical',
+                message: `URL targets internal/metadata network: ${url}`,
+            });
+        }
+    }
+    // Rule 4: Block unauthorized credential references
+    if (config.allowedCredentials && config.allowedCredentials.length > 0) {
+        const referencedVars = extractAuthPlaceholders(tool);
+        for (const envVar of referencedVars) {
+            if (!config.allowedCredentials.includes(envVar)) {
+                violations.push({
+                    rule: 'unauthorized-credential',
+                    severity: 'high',
+                    message: `Tool references credential "${envVar}" not in allowlist`,
+                });
+            }
+        }
+    }
+    // Rule 5: Block reserved namespaces
+    const namespaces = config.protectedNamespaces ?? DEFAULT_PROTECTED_NAMESPACES;
+    for (const ns of namespaces) {
+        if (tool.name.startsWith(ns)) {
+            violations.push({
+                rule: 'reserved-namespace',
+                severity: 'critical',
+                message: `Tool name prefix "${ns}" is reserved for built-in tools`,
+            });
+        }
+    }
+    // Rule 6: Force requires_approval on agent-created tools
+    if (tool.requires_approval === false || tool.requires_approval === undefined) {
+        violations.push({
+            rule: 'forced-approval',
+            severity: 'high',
+            message: 'Agent-created tools must have requires_approval: true',
+        });
+    }
+    // Rule 7: Block disallowed HTTP methods
+    if (tool.execution.type === 'http') {
+        const allowed = config.allowedHttpMethods ?? DEFAULT_ALLOWED_HTTP_METHODS;
+        const method = tool.execution.method.toUpperCase();
+        if (!allowed.map((m) => m.toUpperCase()).includes(method)) {
+            violations.push({
+                rule: 'blocked-http-method',
+                severity: 'high',
+                message: `HTTP method "${method}" is not in the allowed list: ${allowed.join(', ')}`,
+            });
+        }
+    }
+    // Rule 8: Block domains not in allowlist (if configured)
+    if (tool.execution.type === 'http' && config.allowedDomains && config.allowedDomains.length > 0) {
+        const hostname = extractHostname(tool.execution.url);
+        if (hostname &&
+            !config.allowedDomains.some((d) => hostname === d || hostname.endsWith(`.${d}`))) {
+            violations.push({
+                rule: 'blocked-domain',
+                severity: 'high',
+                message: `URL domain "${hostname}" is not in the allowed list`,
+            });
+        }
+    }
+    // Rule 9: Force draft status on agent-created tools
+    if (tool.status !== undefined && tool.status !== 'draft') {
+        violations.push({
+            rule: 'forced-draft-status',
+            severity: 'medium',
+            message: 'Agent-created tools must have status "draft"',
+        });
+    }
+    return { valid: violations.length === 0, violations };
+}
+/**
+ * Replace all {...} placeholder patterns with 'placeholder' string.
+ * Uses safe string operations (indexOf) to avoid ReDoS vulnerabilities.
+ */
+function cleanUrlPlaceholders(url) {
+    let cleaned = url;
+    while (true) {
+        const start = cleaned.indexOf('{');
+        if (start === -1)
+            break;
+        const end = cleaned.indexOf('}', start);
+        if (end === -1)
+            break;
+        cleaned = cleaned.substring(0, start) + 'placeholder' + cleaned.substring(end + 1);
+    }
+    return cleaned;
+}
+/**
+ * Check if a URL targets an internal/metadata network (SSRF protection).
+ * Handles IPv4, IPv6, and common internal hostnames.
+ */
+export function isSSRFTarget(url) {
+    let hostname;
+    try {
+        const cleanUrl = cleanUrlPlaceholders(url);
+        const parsed = new URL(cleanUrl);
+        hostname = parsed.hostname.toLowerCase();
+    }
+    catch {
+        // If URL can't be parsed, it may contain only placeholders — allow it
+        return false;
+    }
+    // Strip IPv6 brackets
+    if (hostname.startsWith('[') && hostname.endsWith(']')) {
+        hostname = hostname.slice(1, -1);
+    }
+    // Exact matches
+    if (hostname === 'localhost' ||
+        hostname === '127.0.0.1' ||
+        hostname === '::1' ||
+        hostname === '0.0.0.0' ||
+        hostname === '0') {
+        return true;
+    }
+    // AWS/cloud metadata endpoint
+    if (hostname === '169.254.169.254') {
+        return true;
+    }
+    // Private IPv4 ranges
+    if (hostname.startsWith('169.254.'))
+        return true;
+    if (hostname.startsWith('10.'))
+        return true;
+    if (hostname.startsWith('192.168.'))
+        return true;
+    if (/^172\.(1[6-9]|2\d|3[01])\./.test(hostname))
+        return true;
+    // Internal/local domain suffixes
+    if (hostname.endsWith('.internal'))
+        return true;
+    if (hostname.endsWith('.local'))
+        return true;
+    if (hostname.endsWith('.localhost'))
+        return true;
+    return false;
+}
+/**
+ * Extract the hostname from a URL string. Returns undefined if unparseable.
+ */
+function extractHostname(url) {
+    try {
+        const cleanUrl = cleanUrlPlaceholders(url);
+        return new URL(cleanUrl).hostname.toLowerCase();
+    }
+    catch {
+        return undefined;
+    }
+}
+//# sourceMappingURL=content-validator.js.map

package/packages/core/dist/policy/content-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"content-validator.js","sourceRoot":"","sources":["../../src/policy/content-validator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AAEhE,MAAM,4BAA4B,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;AACrD,MAAM,4BAA4B,GAAG,CAAC,SAAS,CAAC,CAAC;AAEjD;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CACjC,IAAoB,EACpB,OAA0B;IAE1B,MAAM,UAAU,GAAgB,EAAE,CAAC;IACnC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;IAEpC,oDAAoD;IACpD,IAAI,OAAO,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;QACnC,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IACzC,CAAC;IAED,0DAA0D;IAC1D,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QACvC,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;YAC/B,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,uBAAuB;gBAC7B,QAAQ,EAAE,UAAU;gBACpB,OAAO,EACL,qFAAqF;aACxF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,0DAA0D;IAC1D,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QACtC,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE,CAAC;YAC9B,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,sBAAsB;gBAC5B,QAAQ,EAAE,UAAU;gBACpB,OAAO,EAAE,gFAAgF;aAC1F,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,0CAA0C;IAC1C,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC;QAC/B,IAAI,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;YACtB,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,SAAS;gBACf,QAAQ,EAAE,UAAU;gBACpB,OAAO,EAAE,0CAA0C,GAAG,EAAE;aACzD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,mDAAmD;IACnD,IAAI,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtE,MAAM,cAAc,GAAG,uBAAuB,CAAC,IAAI,CAAC,CAAC;QACrD,KAAK,MAAM,MAAM,IAAI,cAAc,EAAE,CAAC;YACpC,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChD,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,yBAAyB;oBAC/B,QAAQ,EAAE,MAAM;oBAChB,OAAO,EAAE,+BAA+B,MAAM,oBAAoB;iBACnE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,oCAAoC;IACpC,MAAM,UAAU,GAAG,MAAM,CAAC,mBAAmB,IAAI,4BAA4B,CAAC;IAC9E,KAAK,MAAM,EAAE,IAAI,UAAU,EAAE,CAAC;QAC5B,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,EAAE,CAAC;YAC7B,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,oBAAoB;gBAC1B,QAAQ,EAAE,UAAU;gBACpB,OAAO,EAAE,qBAAqB,EAAE,kCAAkC;aACnE,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,yDAAyD;IACzD,IAAI,IAAI,CAAC,iBAAiB,KAAK,KAAK,IAAI,IAAI,CAAC,iBAAiB,KAAK,SAAS,EAAE,CAAC;QAC7E,UAAU,CAAC,IAAI,CAAC;YACd,IAAI,EAAE,iBAAiB;YACvB,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,uDAAuD;SACjE,CAAC,CAAC;IACL,CAAC;IAED,wCAAwC;IACxC,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,MAAM,CAAC,kBAAkB,IAAI,4BAA4B,CAAC;QAC1E,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACnD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1D,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,qBAAqB;gBAC3B,QAAQ,EAAE,MAAM;gBAChB,OAAO,EAAE,gBAAgB,MAAM,iCAAiC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;aACrF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,yDAAyD;IACzD,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,KAAK,MAAM,IAAI,MAAM,CAAC,cAAc,IAAI,MAAM,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChG,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACrD,IACE,QAAQ;YACR,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,KAAK,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,EAChF,CAAC;YACD,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,gBAAgB;gBACtB,QAAQ,EAAE,MAAM;gBAChB,OAAO,EAAE,eAAe,QAAQ,8BAA8B;aAC/D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,oDAAoD;IACpD,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;QACzD,UAAU,CAAC,IAAI,CAAC;YACd,IAAI,EAAE,qBAAqB;YAC3B,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,8CAA8C;SACxD,CAAC,CAAC;IACL,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,UAAU,EAAE,CAAC;AACxD,CAAC;AAED;;;GAGG;AACH,SAAS,oBAAoB,CAAC,GAAW;IACvC,IAAI,OAAO,GAAG,GAAG,CAAC;IAClB,OAAO,IAAI,EAAE,CAAC;QACZ,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,KAAK,KAAK,CAAC,CAAC;YAAE,MAAM;QACxB,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACxC,IAAI,GAAG,KAAK,CAAC,CAAC;YAAE,MAAM;QACtB,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,GAAG,aAAa,GAAG,OAAO,CAAC,SAAS,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;IACrF,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,GAAW;IACtC,IAAI,QAAgB,CAAC;IACrB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAC3C,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;QACjC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,sEAAsE;QACtE,OAAO,KAAK,CAAC;IACf,CAAC;IAED,sBAAsB;IACtB,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvD,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,gBAAgB;IAChB,IACE,QAAQ,KAAK,WAAW;QACxB,QAAQ,KAAK,WAAW;QACxB,QAAQ,KAAK,KAAK;QAClB,QAAQ,KAAK,SAAS;QACtB,QAAQ,KAAK,GAAG,EAChB,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,8BAA8B;IAC9B,IAAI,QAAQ,KAAK,iBAAiB,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sBAAsB;IACtB,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,IAAI,QAAQ,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5C,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,IAAI,4BAA4B,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAE7D,iCAAiC;IACjC,IAAI,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAChD,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7C,IAAI,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC;QAAE,OAAO,IAAI,CAAC;IAEjD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAC3C,OAAO,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC"}

package/packages/core/dist/policy/default-policy.d.ts

@@ -0,0 +1,46 @@
+/**
+ * Default Policy Engine for Matimo.
+ *
+ * Conservative defaults that protect against malicious agent-created tools.
+ * Frozen at boot time — agents cannot modify policy at runtime.
+ */
+import type { ToolDefinition } from '../core/schema';
+import type { PolicyEngine, PolicyContext, PolicyDecision, PolicyConfig, PolicyTier } from './types';
+export declare class DefaultPolicyEngine implements PolicyEngine {
+    private config;
+    constructor(config?: PolicyConfig);
+    /**
+     * Check whether a tool definition may be created/proposed.
+     * First applies the tier gate (fast early-return for TIER 3 blocked tools),
+     * then runs ContentValidator rules.
+     */
+    canCreate(context: PolicyContext, toolDef: ToolDefinition): PolicyDecision;
+    /**
+     * Check whether the caller is allowed to execute a given tool.
+     */
+    canExecute(context: PolicyContext, tool: ToolDefinition): PolicyDecision;
+    /**
+     * Filter tools to only those the caller is allowed to see and use.
+     */
+    filterForAgent(context: PolicyContext, tools: ToolDefinition[]): ToolDefinition[];
+    /** Expose the resolved config (read-only snapshot). */
+    getConfig(): Readonly<Required<Omit<PolicyConfig, 'approvalTtlSeconds'>> & Pick<PolicyConfig, 'approvalTtlSeconds'>>;
+    /**
+     * Hot-reload policy configuration at runtime.
+     * Merges the new config with DEFAULT_CONFIG (preserving conservative defaults
+     * for any unset fields), then replaces the active config atomically.
+     */
+    updateConfig(config: PolicyConfig): void;
+}
+/**
+ * Pure utility: classify an agent-proposed tool into a policy tier.
+ *
+ * - `blocked`: reserved namespace, function/command execution type, SSRF URL
+ * - `approval-required`: any auth credential, non-GET HTTP method, any data write
+ * - `auto`: low-risk read-only HTTP GET with no auth
+ *
+ * This runs BEFORE content validation and is a hard gate — `blocked` tools
+ * are rejected immediately without running the full content-validator.
+ */
+export declare function getTierForTool(tool: ToolDefinition, config?: PolicyConfig): PolicyTier;
+//# sourceMappingURL=default-policy.d.ts.map

package/packages/core/dist/policy/default-policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"default-policy.d.ts","sourceRoot":"","sources":["../../src/policy/default-policy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,KAAK,EACV,YAAY,EACZ,aAAa,EACb,cAAc,EACd,YAAY,EACZ,UAAU,EAEX,MAAM,SAAS,CAAC;AAiBjB,qBAAa,mBAAoB,YAAW,YAAY;IACtD,OAAO,CAAC,MAAM,CAC6B;gBAE/B,MAAM,CAAC,EAAE,YAAY;IAIjC;;;;OAIG;IACH,SAAS,CAAC,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,cAAc,GAAG,cAAc;IAuG1E;;OAEG;IACH,UAAU,CAAC,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,cAAc,GAAG,cAAc;IA8CxE;;OAEG;IACH,cAAc,CAAC,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,cAAc,EAAE,GAAG,cAAc,EAAE;IAOjF,uDAAuD;IACvD,SAAS,IAAI,QAAQ,CACnB,QAAQ,CAAC,IAAI,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC,GAAG,IAAI,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAC9F;IAID;;;;OAIG;IACH,YAAY,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI;CAGzC;AAED;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,cAAc,EAAE,MAAM,CAAC,EAAE,YAAY,GAAG,UAAU,CAsBtF"}