nativesoul 0.1.2 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,35 @@
1
+ # ADR-046: Central fail-closed policy gate + path-safety at the write boundary
2
+
3
+ ## Status
4
+ Accepted — 2026-07-04. Unblocks EPIC-025 Story 25.2.
5
+
6
+ ## Context
7
+ Ground-truth audit (2026-07-04) of the MCP/CLI boundary found two enforcement gaps:
8
+
9
+ 1. **Policy gate is ad-hoc.** `evaluatePolicyWithGate` runs **only** inside `life_approval_request` (`packages/mcp-server/src/server.ts`). Sensitive mutations — `life_memory_promote` / `life_memory_forget` / `life_memory_reject`, work-item create/claim/complete, `install --apply`, `policy packs apply` — reach their repository/core functions **without passing a gate**. `life_policy_evaluate` exists but is advisory (returns a decision; blocks nothing).
10
+ 2. **No path-safety.** Writes to managed blocks (`managed-block.ts`), MCP config (`config-writer.ts`), plugin installs (`plugin-install.ts`), and anything under `~/.nativesoul/proposals` happen with `0600`/`0700` modes but **no pre-write validation** — no rejection of path-escape, world-writable parents, unsafe symlinks, or direct writes to protected files.
11
+
12
+ This contradicts the product's pillars ("policy/audit", "reversible install", "never touches what it shouldn't", fail-closed defaults) and the founder's standing order (segurança total em fluxos sensíveis). OpenClaw's pattern is exactly this: a central registry gate + safety gates that reject unsafe candidates *before* running effects — worth adopting, minus the daemon.
13
+
14
+ ## Decision
15
+ Introduce a **single, deterministic, fail-closed enforcement point** applied at the MCP/CLI tool boundary, in two layers:
16
+
17
+ **A) Central policy gate.** A defined allowlist of **sensitive operations** must pass the policy gate (`evaluatePolicyWithGate`) before executing. Ambiguity → **deny** (fail-closed). A denied op emits an **audit event** and a clear error; an op needing approval routes through the existing approval flow. Non-sensitive read/local ops are unaffected.
18
+
19
+ **B) Path-safety gate.** Before any managed-block / MCP-config / plugin / proposal write, validate the resolved target and **refuse** on: `PATH_ESCAPES_ROOT`, `WORLD_WRITABLE_PATH`, `SUSPICIOUS_OWNER`, `SYMLINK_TARGET_UNSAFE`, `PROTECTED_FILE_DIRECT_WRITE`. Deny-by-default on any check it cannot positively clear.
20
+
21
+ **Constraints (binding):** deterministic + local (no network, no daemon), **no new runtime dependency** (`dependencies: {}`), additive (existing *allowed* operations keep working), reversible-install promise preserved, absolute imports. Enforcement lives at the boundary as shared middleware — not re-implemented per call-site — to remove the bypass surface.
22
+
23
+ ## Consequences
24
+ - Closes the accidental-bypass gap: sensitive mutations are gated in one place; unsafe paths are rejected before effects.
25
+ - Small refactor to route the sensitive-op allowlist and the write paths through the shared gate; the existing ~51-test/393-case baseline must stay green, plus new tests for each gate outcome (allow/deny/approval, and each path-safety code).
26
+ - Slightly stricter behavior: a previously-ungated op may now require approval per `POLICY.md`. That is the intended hardening, not a regression.
27
+ - No public marketing claim changes by default; if surfaced later, add a `feature-registry` entry with evidence (No Invention).
28
+
29
+ ## Alternatives considered
30
+ - **Status quo (per-callsite gating).** Rejected — proven bypass-prone (only 1 of many sensitive ops is gated today).
31
+ - **OpenClaw-style plugin runtime hooks (`before_tool_call`, etc.) as a broad plugin system.** Rejected as over-scope — NativeSoul needs a small, fixed middleware for its own MCP/CLI ops, not a general plugin hook bus.
32
+ - **OS sandboxing / seccomp.** Rejected — platform-specific, heavy, contradicts the lean/daemonless pillar.
33
+
34
+ ## References
35
+ Team analysis 2026-07-04 (§4.3, §4.8); EPIC-025; Constitution II (Agent Authority), IV (No Invention), V (Quality First); ADR-045 (paid-only, no telemetry); `feature-registry.yaml` (`badge_no_background_process`).
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nativesoul",
3
- "version": "0.1.2",
3
+ "version": "0.1.3",
4
4
  "description": "Local-first continuity layer for coding agents.",
5
5
  "type": "module",
6
6
  "license": "UNLICENSED",