palaryn 0.1.0 → 0.3.2

package/dist/tests/unit/websocket-executor.test.js

@@ -0,0 +1,121 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+// Mock the ws module before importing the executor
+const mockClose = jest.fn();
+const mockSend = jest.fn();
+jest.mock('ws', () => {
+    const EventEmitter = require('events');
+    class MockWebSocket extends EventEmitter {
+        constructor() {
+            super();
+            this.readyState = 1;
+            this.close = mockClose;
+            this.send = mockSend;
+            setTimeout(() => this.emit('open'), 0);
+        }
+    }
+    MockWebSocket.OPEN = 1;
+    return { default: MockWebSocket, __esModule: true };
+});
+const websocket_executor_1 = require("../../src/executor/websocket-executor");
+function makeToolCall(overrides = {}) {
+    return {
+        tool_call_id: 'tc_test',
+        task_id: 'task_test',
+        workspace_id: 'ws_test',
+        actor: { type: 'agent', id: 'agent_test' },
+        source: { platform: 'test' },
+        tool: { name: 'ws.connect', capability: 'write' },
+        args: {},
+        ...overrides,
+    };
+}
+const defaultConfig = {
+    enabled: true,
+    allowed_urls: ['wss://allowed.example.com/*', 'ws://test.local/*'],
+    connect_timeout_ms: 5000,
+    max_message_size_bytes: 1024 * 1024,
+};
+describe('WebSocketExecutor', () => {
+    let executor;
+    beforeEach(() => {
+        jest.clearAllMocks();
+        mockSend.mockImplementation((_data, cb) => cb());
+        executor = new websocket_executor_1.WebSocketExecutor(defaultConfig);
+    });
+    describe('connect', () => {
+        test('creates connection with allowed URL', async () => {
+            const tc = makeToolCall({
+                tool: { name: 'ws.connect', capability: 'write' },
+                args: { url: 'wss://allowed.example.com/ws' },
+            });
+            const result = await executor.execute(tc);
+            expect(result.body).toHaveProperty('connected', true);
+            expect(result.body).toHaveProperty('connection_id');
+        });
+        test('rejects connection to disallowed URL', async () => {
+            const tc = makeToolCall({
+                tool: { name: 'ws.connect', capability: 'write' },
+                args: { url: 'wss://evil.example.com/ws' },
+            });
+            await expect(executor.execute(tc)).rejects.toThrow('not in the allowed URLs list');
+        });
+        test('throws on missing url arg', async () => {
+            const tc = makeToolCall({
+                tool: { name: 'ws.connect', capability: 'write' },
+                args: {},
+            });
+            await expect(executor.execute(tc)).rejects.toThrow('Missing or invalid "url"');
+        });
+        test('returns provided connection_id', async () => {
+            const tc = makeToolCall({
+                tool: { name: 'ws.connect', capability: 'write' },
+                args: { url: 'wss://allowed.example.com/ws', connection_id: 'my-conn-1' },
+            });
+            const result = await executor.execute(tc);
+            expect(result.body.connection_id).toBe('my-conn-1');
+        });
+    });
+    describe('send', () => {
+        test('throws for unknown connection_id', async () => {
+            const tc = makeToolCall({
+                tool: { name: 'ws.send', capability: 'write' },
+                args: { connection_id: 'nonexistent', message: 'hello' },
+            });
+            await expect(executor.execute(tc)).rejects.toThrow('No connection found');
+        });
+        test('throws on missing connection_id', async () => {
+            const tc = makeToolCall({
+                tool: { name: 'ws.send', capability: 'write' },
+                args: { message: 'hello' },
+            });
+            await expect(executor.execute(tc)).rejects.toThrow('Missing or invalid "connection_id"');
+        });
+    });
+    describe('close', () => {
+        test('throws for unknown connection_id', async () => {
+            const tc = makeToolCall({
+                tool: { name: 'ws.close', capability: 'write' },
+                args: { connection_id: 'nonexistent' },
+            });
+            await expect(executor.execute(tc)).rejects.toThrow('No connection found');
+        });
+        test('throws on missing connection_id', async () => {
+            const tc = makeToolCall({
+                tool: { name: 'ws.close', capability: 'write' },
+                args: {},
+            });
+            await expect(executor.execute(tc)).rejects.toThrow('Missing or invalid "connection_id"');
+        });
+    });
+    describe('action resolution', () => {
+        test('throws for unsupported action', async () => {
+            const tc = makeToolCall({
+                tool: { name: 'ws.invalid', capability: 'write' },
+                args: {},
+            });
+            await expect(executor.execute(tc)).rejects.toThrow('Unsupported WebSocket action');
+        });
+    });
+});
+//# sourceMappingURL=websocket-executor.test.js.map

package/dist/tests/unit/websocket-executor.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"websocket-executor.test.js","sourceRoot":"","sources":["../../../tests/unit/websocket-executor.test.ts"],"names":[],"mappings":";;AAGA,mDAAmD;AACnD,MAAM,SAAS,GAAG,IAAI,CAAC,EAAE,EAAE,CAAC;AAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,EAAE,EAAE,CAAC;AAE3B,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE;IACnB,MAAM,YAAY,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IACvC,MAAM,aAAc,SAAQ,YAAY;QAKtC;YACE,KAAK,EAAE,CAAC;YAJV,eAAU,GAAG,CAAC,CAAC;YACf,UAAK,GAAG,SAAS,CAAC;YAClB,SAAI,GAAG,QAAQ,CAAC;YAGd,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;QACzC,CAAC;;IAPM,kBAAI,GAAG,CAAC,AAAJ,CAAK;IASlB,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;AACtD,CAAC,CAAC,CAAC;AAEH,8EAA0E;AAE1E,SAAS,YAAY,CAAC,YAA+B,EAAE;IACrD,OAAO;QACL,YAAY,EAAE,SAAS;QACvB,OAAO,EAAE,WAAW;QACpB,YAAY,EAAE,SAAS;QACvB,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,YAAY,EAAE;QAC1C,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE;QAC5B,IAAI,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE;QACjD,IAAI,EAAE,EAAE;QACR,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,MAAM,aAAa,GAA4B;IAC7C,OAAO,EAAE,IAAI;IACb,YAAY,EAAE,CAAC,6BAA6B,EAAE,mBAAmB,CAAC;IAClE,kBAAkB,EAAE,IAAI;IACxB,sBAAsB,EAAE,IAAI,GAAG,IAAI;CACpC,CAAC;AAEF,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,IAAI,QAA2B,CAAC;IAEhC,UAAU,CAAC,GAAG,EAAE;QACd,IAAI,CAAC,aAAa,EAAE,CAAC;QACrB,QAAQ,CAAC,kBAAkB,CAAC,CAAC,KAAa,EAAE,EAAyB,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;QAChF,QAAQ,GAAG,IAAI,sCAAiB,CAAC,aAAa,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,SAAS,EAAE,GAAG,EAAE;QACvB,IAAI,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;YACrD,MAAM,EAAE,GAAG,YAAY,CAAC;gBACtB,IAAI,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE;gBACjD,IAAI,EAAE,EAAE,GAAG,EAAE,8BAA8B,EAAE;aAC9C,CAAC,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YAC1C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,cAAc,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;YACtD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;QACtD,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,EAAE,GAAG,YAAY,CAAC;gBACtB,IAAI,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE;gBACjD,IAAI,EAAE,EAAE,GAAG,EAAE,2BAA2B,EAAE;aAC3C,CAAC,CAAC;YACH,MAAM,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,8BAA8B,CAAC,CAAC;QACrF,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,2BAA2B,EAAE,KAAK,IAAI,EAAE;YAC3C,MAAM,EAAE,GAAG,YAAY,CAAC;gBACtB,IAAI,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE;gBACjD,IAAI,EAAE,EAAE;aACT,CAAC,CAAC;YACH,MAAM,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,0BAA0B,CAAC,CAAC;QACjF,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;YAChD,MAAM,EAAE,GAAG,YAAY,CAAC;gBACtB,IAAI,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE;gBACjD,IAAI,EAAE,EAAE,GAAG,EAAE,8BAA8B,EAAE,aAAa,EAAE,WAAW,EAAE;aAC1E,CAAC,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YAC1C,MAAM,CAAE,MAAM,CAAC,IAAY,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,MAAM,EAAE,GAAG,EAAE;QACpB,IAAI,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;YAClD,MAAM,EAAE,GAAG,YAAY,CAAC;gBACtB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,OAAO,EAAE;gBAC9C,IAAI,EAAE,EAAE,aAAa,EAAE,aAAa,EAAE,OAAO,EAAE,OAAO,EAAE;aACzD,CAAC,CAAC;YACH,MAAM,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;QAC5E,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;YACjD,MAAM,EAAE,GAAG,YAAY,CAAC;gBACtB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,OAAO,EAAE;gBAC9C,IAAI,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE;aAC3B,CAAC,CAAC;YACH,MAAM,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,oCAAoC,CAAC,CAAC;QAC3F,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,OAAO,EAAE,GAAG,EAAE;QACrB,IAAI,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;YAClD,MAAM,EAAE,GAAG,YAAY,CAAC;gBACtB,IAAI,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,OAAO,EAAE;gBAC/C,IAAI,EAAE,EAAE,aAAa,EAAE,aAAa,EAAE;aACvC,CAAC,CAAC;YACH,MAAM,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;QAC5E,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;YACjD,MAAM,EAAE,GAAG,YAAY,CAAC;gBACtB,IAAI,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,OAAO,EAAE;gBAC/C,IAAI,EAAE,EAAE;aACT,CAAC,CAAC;YACH,MAAM,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,oCAAoC,CAAC,CAAC;QAC3F,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;QACjC,IAAI,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;YAC/C,MAAM,EAAE,GAAG,YAAY,CAAC;gBACtB,IAAI,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE;gBACjD,IAAI,EAAE,EAAE;aACT,CAAC,CAAC;YACH,MAAM,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,8BAA8B,CAAC,CAAC;QACrF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "palaryn",
-  "version": "0.1.0",
+  "version": "0.3.2",
   "description": "Palaryn - Model-agnostic infrastructure layer for AI agent I/O security, cost control, and observability",
   "main": "dist/src/index.js",
   "types": "dist/src/index.d.ts",
@@ -9,7 +9,10 @@
   },
   "files": [
     "dist/",
+    "src/",
     "policy-packs/",
+    "tsconfig.json",
+    "package-lock.json",
     "README.md",
     "LICENSE"
   ],
@@ -38,6 +41,7 @@
   ],
   "license": "MIT",
   "dependencies": {
+    "@clerk/express": "^1.7.76",
     "@modelcontextprotocol/sdk": "^1.26.0",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/exporter-trace-otlp-http": "^0.211.0",
@@ -62,7 +66,8 @@
     "pg": "^8.18.0",
     "prom-client": "^15.1.3",
     "stripe": "^20.3.1",
-    "winston": "^3.19.0"
+    "winston": "^3.19.0",
+    "ws": "^8.19.0"
   },
   "devDependencies": {
     "@types/cookie-parser": "^1.4.10",
@@ -74,6 +79,7 @@
     "@types/node": "^25.2.1",
     "@types/pg": "^8.16.0",
     "@types/supertest": "^6.0.3",
+    "@types/ws": "^8.18.1",
     "@typescript-eslint/eslint-plugin": "^8.54.0",
     "@typescript-eslint/parser": "^8.54.0",
     "eslint": "^9.39.2",

package/policy-packs/demo_fail.yaml

@@ -0,0 +1,41 @@
+name: demo_fail
+version: "1.0.0"
+description: "Demo — shows how Palaryn stops runaway agents"
+
+domain_blocklist:
+  - "169.254.169.254"
+  - "metadata.google.internal"
+
+rules:
+  # Scenario 1: DLP → DENY (secrets in body)
+  - name: "Block requests containing secrets"
+    effect: DENY
+    priority: 1
+    conditions:
+      dlp_detected: true
+      dlp_severity: ["high"]
+
+  # Scenario 2 prerequisite: allow GETs (for rate limit + budget demos)
+  - name: "Allow read operations"
+    effect: ALLOW
+    priority: 10
+    conditions:
+      capabilities: ["read"]
+
+  # Scenario 2: REQUIRE_APPROVAL (writes)
+  - name: "Require approval for writes"
+    effect: REQUIRE_APPROVAL
+    priority: 20
+    conditions:
+      capabilities: ["write"]
+    approval:
+      scope: "admin"
+      ttl_seconds: 300
+      reason: "Write operations require human approval. Go to /admin/approvals to approve."
+
+  # Hard deny for delete/admin
+  - name: "Deny delete and admin"
+    effect: DENY
+    priority: 30
+    conditions:
+      capabilities: ["delete", "admin"]

package/policy-packs/full_tools.yaml

@@ -0,0 +1,136 @@
+name: full_tools
+version: "1.0.0"
+description: "Comprehensive policy pack with rules for all tool types including file, SQL, shell, and provider interception"
+
+domain_allowlist:
+  - "*.github.com"
+  - "*.googleapis.com"
+  - "api.openai.com"
+  - "api.anthropic.com"
+
+rules:
+  # --- HTTP rules ---
+  - name: allow_http_get
+    description: "Allow all HTTP GET requests"
+    effect: ALLOW
+    priority: 10
+    conditions:
+      tool_match: "^http\\."
+      capabilities: [read]
+
+  - name: approve_http_write
+    description: "Require approval for HTTP write operations"
+    effect: REQUIRE_APPROVAL
+    priority: 20
+    conditions:
+      tool_match: "^http\\."
+      capabilities: [write, delete]
+    approval:
+      scope: "http_write"
+      ttl_seconds: 3600
+      reason: "HTTP write operation requires approval"
+
+  # --- Filesystem rules ---
+  - name: block_sensitive_files
+    description: "Block access to sensitive file types"
+    effect: DENY
+    priority: 5
+    conditions:
+      tool_match: "^file\\."
+      file_extensions: [".env", ".key", ".pem", ".p12", ".pfx"]
+
+  - name: block_sensitive_paths
+    description: "Block access to sensitive directories"
+    effect: DENY
+    priority: 5
+    conditions:
+      tool_match: "^file\\."
+      file_paths_blocklist:
+        - "/etc/**"
+        - "**/.ssh/**"
+        - "**/.git/config"
+
+  - name: allow_file_read
+    description: "Allow file read operations"
+    effect: ALLOW
+    priority: 15
+    conditions:
+      tools: [file.read, file.list, file.stat]
+
+  - name: approve_file_write
+    description: "Require approval for file writes and deletes"
+    effect: REQUIRE_APPROVAL
+    priority: 20
+    conditions:
+      tools: [file.write, file.delete]
+    approval:
+      scope: "file_write"
+      ttl_seconds: 1800
+      reason: "File modification requires approval"
+
+  # --- SQL rules ---
+  - name: block_system_tables
+    description: "Block queries to system/sensitive tables"
+    effect: DENY
+    priority: 5
+    conditions:
+      tool_match: "^sql\\."
+      sql_tables_blocklist:
+        - pg_shadow
+        - pg_authid
+        - information_schema
+
+  - name: allow_sql_select
+    description: "Allow SELECT queries"
+    effect: ALLOW
+    priority: 15
+    conditions:
+      tool_match: "^sql\\."
+      sql_statements: [SELECT]
+
+  - name: approve_sql_write
+    description: "Require approval for non-SELECT SQL"
+    effect: REQUIRE_APPROVAL
+    priority: 20
+    conditions:
+      tool_match: "^sql\\."
+      sql_statements: [INSERT, UPDATE, DELETE]
+    approval:
+      scope: "sql_write"
+      ttl_seconds: 1800
+      reason: "SQL write operation requires approval"
+
+  # --- Shell rules ---
+  - name: approve_shell_exec
+    description: "Require approval for all shell commands"
+    effect: REQUIRE_APPROVAL
+    priority: 15
+    conditions:
+      tool_match: "^shell\\."
+    approval:
+      scope: "shell_exec"
+      ttl_seconds: 900
+      reason: "Shell command execution requires approval"
+
+  # --- Provider interception ---
+  - name: scan_provider_computer_use
+    description: "Flag provider computer_use tool calls for review"
+    effect: REQUIRE_APPROVAL
+    priority: 10
+    conditions:
+      provider_tool_types: [computer_use, bash]
+    approval:
+      scope: "provider_dangerous_tool"
+      ttl_seconds: 600
+      reason: "AI provider using dangerous tool type"
+
+  # --- DLP-triggered rules ---
+  - name: block_high_severity_dlp
+    description: "Block requests with high-severity DLP detections"
+    effect: DENY
+    priority: 1
+    conditions:
+      dlp_severity: [high]
+      dlp_detected: true
+
+default_effect: DENY

package/src/admin/index.ts

@@ -0,0 +1 @@
+export { createAdminRouter } from './routes';