predicate-claw 0.1.0

package/examples/policy/approved-hosts.yaml

@@ -0,0 +1,137 @@
+# Approved Hosts Policy
+# Allowlist for outbound HTTP requests.
+#
+# Customize this list for your environment:
+#   - Internal APIs
+#   - Known SaaS endpoints
+#   - Package registries
+
+version: 1
+
+defaults:
+  effect: deny
+
+rules:
+  # ============================================
+  # LOCALHOST - Always allowed
+  # ============================================
+
+  - id: allow_localhost
+    effect: allow
+    action: net.http
+    resource:
+      - "http://localhost:*"
+      - "http://127.0.0.1:*"
+      - "https://localhost:*"
+      - "https://127.0.0.1:*"
+
+  # ============================================
+  # PACKAGE REGISTRIES
+  # ============================================
+
+  - id: allow_npm_registry
+    effect: allow
+    action: net.http
+    resource:
+      - "https://registry.npmjs.org/*"
+      - "https://registry.yarnpkg.com/*"
+
+  - id: allow_pypi
+    effect: allow
+    action: net.http
+    resource:
+      - "https://pypi.org/*"
+      - "https://files.pythonhosted.org/*"
+
+  - id: allow_crates_io
+    effect: allow
+    action: net.http
+    resource:
+      - "https://crates.io/*"
+      - "https://static.crates.io/*"
+
+  - id: allow_go_proxy
+    effect: allow
+    action: net.http
+    resource:
+      - "https://proxy.golang.org/*"
+      - "https://sum.golang.org/*"
+
+  # ============================================
+  # GITHUB / SOURCE CONTROL
+  # ============================================
+
+  - id: allow_github_api
+    effect: allow
+    action: net.http
+    resource:
+      - "https://api.github.com/*"
+      - "https://raw.githubusercontent.com/*"
+
+  - id: allow_gitlab_api
+    effect: allow
+    action: net.http
+    resource:
+      - "https://gitlab.com/api/*"
+
+  # ============================================
+  # DOCUMENTATION SITES
+  # ============================================
+
+  - id: allow_docs_sites
+    effect: allow
+    action: net.http
+    resource:
+      - "https://docs.*.com/*"
+      - "https://*.readthedocs.io/*"
+      - "https://developer.mozilla.org/*"
+
+  # ============================================
+  # INTERNAL APIS (customize for your org)
+  # ============================================
+
+  # Example: internal API gateway
+  # - id: allow_internal_api
+  #   effect: allow
+  #   action: net.http
+  #   resource:
+  #     - "https://api.internal.example.com/*"
+
+  # Example: internal services
+  # - id: allow_internal_services
+  #   effect: allow
+  #   action: net.http
+  #   resource:
+  #     - "https://*.internal.example.com/*"
+
+  # ============================================
+  # KNOWN SAAS (customize for your tools)
+  # ============================================
+
+  # Example: Slack webhooks
+  # - id: allow_slack_webhooks
+  #   effect: allow
+  #   action: net.http
+  #   resource:
+  #     - "https://hooks.slack.com/*"
+
+  # Example: Sentry error reporting
+  # - id: allow_sentry
+  #   effect: allow
+  #   action: net.http
+  #   resource:
+  #     - "https://*.ingest.sentry.io/*"
+
+  # ============================================
+  # CATCH-ALL DENY
+  # ============================================
+
+  - id: deny_unknown_hosts
+    effect: deny
+    action: net.http
+    resource: "**"
+
+metadata:
+  name: Approved Hosts
+  description: Allowlist for outbound HTTP requests
+  version: 1.0.0

package/examples/policy/dev-workflow.yaml

@@ -0,0 +1,206 @@
+# Development Workflow Policy
+# Balanced policy for development agents.
+#
+# Allows common development tools while blocking:
+#   - Destructive commands
+#   - Production endpoints
+#   - Sensitive paths
+
+version: 1
+
+defaults:
+  effect: deny
+
+rules:
+  # ============================================
+  # SAFE SHELL COMMANDS
+  # Common development tools
+  # ============================================
+
+  - id: allow_git
+    effect: allow
+    action: shell.execute
+    resource:
+      - "git *"
+
+  - id: allow_npm_yarn
+    effect: allow
+    action: shell.execute
+    resource:
+      - "npm *"
+      - "npx *"
+      - "yarn *"
+      - "pnpm *"
+
+  - id: allow_cargo
+    effect: allow
+    action: shell.execute
+    resource:
+      - "cargo *"
+      - "rustc *"
+      - "rustfmt *"
+
+  - id: allow_go
+    effect: allow
+    action: shell.execute
+    resource:
+      - "go *"
+      - "gofmt *"
+
+  - id: allow_python
+    effect: allow
+    action: shell.execute
+    resource:
+      - "python *"
+      - "python3 *"
+      - "pip *"
+      - "pip3 *"
+      - "poetry *"
+      - "pytest *"
+
+  - id: allow_node
+    effect: allow
+    action: shell.execute
+    resource:
+      - "node *"
+      - "ts-node *"
+      - "tsx *"
+
+  - id: allow_build_tools
+    effect: allow
+    action: shell.execute
+    resource:
+      - "make *"
+      - "cmake *"
+      - "tsc *"
+      - "esbuild *"
+      - "vite *"
+      - "webpack *"
+
+  - id: allow_linters
+    effect: allow
+    action: shell.execute
+    resource:
+      - "eslint *"
+      - "prettier *"
+      - "black *"
+      - "ruff *"
+      - "clippy *"
+
+  - id: allow_file_ops
+    effect: allow
+    action: shell.execute
+    resource:
+      - "ls *"
+      - "cat *"
+      - "head *"
+      - "tail *"
+      - "grep *"
+      - "find *"
+      - "wc *"
+      - "diff *"
+
+  - id: allow_mkdir
+    effect: allow
+    action: shell.execute
+    resource:
+      - "mkdir *"
+      - "touch *"
+
+  # ============================================
+  # DANGEROUS COMMANDS - DENY
+  # ============================================
+
+  - id: deny_rm_rf
+    effect: deny
+    action: shell.execute
+    resource:
+      - "rm -rf *"
+      - "rm -fr *"
+
+  - id: deny_sudo
+    effect: deny
+    action: shell.execute
+    resource:
+      - "sudo *"
+
+  - id: deny_chmod_sensitive
+    effect: deny
+    action: shell.execute
+    resource:
+      - "chmod 777 *"
+      - "chmod -R *"
+
+  - id: deny_curl_bash
+    effect: deny
+    action: shell.execute
+    resource:
+      - "curl * | bash*"
+      - "curl * | sh*"
+      - "wget * | bash*"
+
+  - id: deny_env_export
+    effect: deny
+    action: shell.execute
+    resource:
+      - "export *KEY*"
+      - "export *SECRET*"
+      - "export *TOKEN*"
+      - "export *PASSWORD*"
+
+  # ============================================
+  # FILE SYSTEM
+  # ============================================
+
+  - id: allow_workspace_fs
+    effect: allow
+    action: fs.*
+    resource:
+      - ./workspace/**
+      - ./**/*.ts
+      - ./**/*.js
+      - ./**/*.json
+      - ./**/*.md
+      - ./**/*.yaml
+      - ./**/*.yml
+
+  # ============================================
+  # HTTP - Development only
+  # ============================================
+
+  - id: allow_localhost_http
+    effect: allow
+    action: net.http
+    resource:
+      - "http://localhost:*"
+      - "http://127.0.0.1:*"
+      - "https://localhost:*"
+
+  - id: allow_package_registries
+    effect: allow
+    action: net.http
+    resource:
+      - "https://registry.npmjs.org/*"
+      - "https://pypi.org/*"
+      - "https://crates.io/*"
+
+  - id: allow_github
+    effect: allow
+    action: net.http
+    resource:
+      - "https://api.github.com/*"
+      - "https://github.com/*"
+
+  # Block production endpoints
+  - id: deny_prod_endpoints
+    effect: deny
+    action: net.http
+    resource:
+      - "https://api.production.*"
+      - "https://prod.*"
+      - "https://*.prod.*"
+
+metadata:
+  name: Development Workflow
+  description: Balanced policy for development agents
+  version: 1.0.0

package/examples/policy/policy.example.yaml

@@ -0,0 +1,17 @@
+version: 1
+rules:
+  - id: allow_workspace_reads
+    effect: allow
+    action: fs.read
+    resource: ./workspace/*
+  - id: deny_sensitive_paths
+    effect: deny
+    action: fs.read
+    resource:
+      - ~/.ssh/*
+      - /etc/*
+  - id: deny_untrusted_shell
+    effect: deny
+    action: shell.execute
+    when:
+      source: untrusted_dm

package/examples/policy/production-strict.yaml

@@ -0,0 +1,97 @@
+# Production Strict Policy
+# Maximum security for production agents.
+#
+# Characteristics:
+#   - Explicit allowlist only
+#   - No shell execution
+#   - Audit all decisions
+#   - Minimal attack surface
+
+version: 1
+
+defaults:
+  effect: deny
+  audit: true  # Log all decisions
+
+rules:
+  # ============================================
+  # SHELL - COMPLETELY DISABLED
+  # No shell execution in production
+  # ============================================
+
+  - id: deny_all_shell
+    effect: deny
+    action: shell.execute
+    resource: "**"
+
+  # ============================================
+  # FILE SYSTEM - READ ONLY, EXPLICIT PATHS
+  # ============================================
+
+  # Only allow reading specific config files
+  - id: allow_read_config
+    effect: allow
+    action: fs.read
+    resource:
+      - ./config/**
+      - ./public/**
+
+  # Deny all writes
+  - id: deny_all_writes
+    effect: deny
+    action: fs.write
+    resource: "**"
+
+  # ============================================
+  # HTTP - EXPLICIT ALLOWLIST ONLY
+  # ============================================
+
+  # Internal health checks only
+  - id: allow_health_checks
+    effect: allow
+    action: net.http
+    resource:
+      - "http://localhost:*/health"
+      - "http://127.0.0.1:*/health"
+
+  # Specific internal APIs (customize)
+  # - id: allow_internal_api
+  #   effect: allow
+  #   action: net.http
+  #   resource:
+  #     - "https://api.internal.example.com/v1/*"
+
+  # Deny everything else
+  - id: deny_external_http
+    effect: deny
+    action: net.http
+    resource: "**"
+
+  # ============================================
+  # EXPLICIT DENY FOR HIGH-RISK PATTERNS
+  # Defense in depth
+  # ============================================
+
+  - id: deny_sensitive_paths
+    effect: deny
+    action: fs.*
+    resource:
+      - ~/.ssh/**
+      - ~/.aws/**
+      - /etc/**
+      - "**/.env*"
+
+  - id: deny_credential_exfil
+    effect: deny
+    action: net.http
+    resource:
+      - "*://*.pastebin.com/*"
+      - "*://webhook.site/*"
+      - "*://*.ngrok.io/*"
+      - "*://*.requestbin.com/*"
+
+metadata:
+  name: Production Strict
+  description: Maximum security policy for production agents
+  version: 1.0.0
+  audit_all: true

package/examples/policy/sensitive-paths.yaml

@@ -0,0 +1,114 @@
+# Sensitive Path Blocking Policy
+# Blocks access to common sensitive paths regardless of source.
+#
+# These paths contain credentials, keys, or system configuration
+# that should never be accessible to AI agents.
+
+version: 1
+
+rules:
+  # SSH keys and configuration
+  - id: deny_ssh_keys
+    effect: deny
+    action: fs.*
+    resource:
+      - ~/.ssh/*
+      - ~/.ssh/**
+
+  # Cloud provider credentials
+  - id: deny_aws_credentials
+    effect: deny
+    action: fs.*
+    resource:
+      - ~/.aws/*
+      - ~/.aws/**
+
+  - id: deny_gcloud_credentials
+    effect: deny
+    action: fs.*
+    resource:
+      - ~/.config/gcloud/*
+      - ~/.config/gcloud/**
+
+  - id: deny_azure_credentials
+    effect: deny
+    action: fs.*
+    resource:
+      - ~/.azure/*
+      - ~/.azure/**
+
+  # Kubernetes configs
+  - id: deny_kube_config
+    effect: deny
+    action: fs.*
+    resource:
+      - ~/.kube/*
+      - ~/.kube/**
+
+  # Docker credentials
+  - id: deny_docker_config
+    effect: deny
+    action: fs.*
+    resource:
+      - ~/.docker/config.json
+      - ~/.docker/**
+
+  # Environment files (may contain secrets)
+  - id: deny_env_files
+    effect: deny
+    action: fs.*
+    resource:
+      - "**/.env"
+      - "**/.env.*"
+      - "**/.envrc"
+
+  # System paths
+  - id: deny_etc
+    effect: deny
+    action: fs.*
+    resource:
+      - /etc/*
+      - /etc/**
+
+  - id: deny_var_secrets
+    effect: deny
+    action: fs.*
+    resource:
+      - /var/run/secrets/**
+
+  # macOS keychain
+  - id: deny_keychain
+    effect: deny
+    action: fs.*
+    resource:
+      - ~/Library/Keychains/*
+      - ~/Library/Keychains/**
+
+  # GPG keys
+  - id: deny_gpg
+    effect: deny
+    action: fs.*
+    resource:
+      - ~/.gnupg/*
+      - ~/.gnupg/**
+
+  # Git credentials
+  - id: deny_git_credentials
+    effect: deny
+    action: fs.*
+    resource:
+      - ~/.git-credentials
+      - ~/.gitconfig
+
+  # npm/yarn tokens
+  - id: deny_npm_tokens
+    effect: deny
+    action: fs.*
+    resource:
+      - ~/.npmrc
+      - ~/.yarnrc
+
+metadata:
+  name: Sensitive Path Blocking
+  description: Block access to credential and key material paths
+  version: 1.0.0

package/examples/policy/source-trust.yaml

@@ -0,0 +1,129 @@
+# Source-Based Trust Policy
+# Different permission levels based on where the request originated.
+#
+# Source labels:
+#   trusted_ui     - Direct user input from trusted interface
+#   trusted_api    - Authenticated API request
+#   untrusted_dm   - External message (DM, email, etc.)
+#   web_content    - Content scraped from web pages
+#   system         - Internal system calls
+
+version: 1
+
+defaults:
+  effect: deny
+
+rules:
+  # ============================================
+  # TRUSTED UI - Direct user interaction
+  # Most permissive, but still blocks credentials
+  # ============================================
+
+  - id: trusted_ui_shell
+    effect: allow
+    action: shell.execute
+    when:
+      source: trusted_ui
+
+  - id: trusted_ui_fs_read
+    effect: allow
+    action: fs.read
+    when:
+      source: trusted_ui
+
+  - id: trusted_ui_fs_write
+    effect: allow
+    action: fs.write
+    resource: ./workspace/**
+    when:
+      source: trusted_ui
+
+  - id: trusted_ui_http
+    effect: allow
+    action: net.http
+    when:
+      source: trusted_ui
+
+  # ============================================
+  # TRUSTED API - Authenticated programmatic access
+  # Similar to trusted_ui but may have tighter resource bounds
+  # ============================================
+
+  - id: trusted_api_shell_safe
+    effect: allow
+    action: shell.execute
+    resource:
+      - "git *"
+      - "npm *"
+      - "cargo *"
+      - "go *"
+      - "python *"
+    when:
+      source: trusted_api
+
+  - id: trusted_api_fs_read
+    effect: allow
+    action: fs.read
+    resource: ./workspace/**
+    when:
+      source: trusted_api
+
+  - id: trusted_api_http_internal
+    effect: allow
+    action: net.http
+    resource:
+      - "http://localhost:*"
+      - "http://127.0.0.1:*"
+    when:
+      source: trusted_api
+
+  # ============================================
+  # UNTRUSTED DM - External messages
+  # Very restrictive - likely prompt injection vector
+  # ============================================
+
+  - id: untrusted_dm_shell_deny
+    effect: deny
+    action: shell.execute
+    when:
+      source: untrusted_dm
+
+  - id: untrusted_dm_fs_read_workspace_only
+    effect: allow
+    action: fs.read
+    resource: ./workspace/public/**
+    when:
+      source: untrusted_dm
+
+  - id: untrusted_dm_http_deny
+    effect: deny
+    action: net.http
+    when:
+      source: untrusted_dm
+
+  # ============================================
+  # WEB CONTENT - Scraped from web pages
+  # Maximum restriction - high injection risk
+  # ============================================
+
+  - id: web_content_deny_all
+    effect: deny
+    action: "*"
+    when:
+      source: web_content
+
+  # ============================================
+  # SYSTEM - Internal system calls
+  # Trusted but audited
+  # ============================================
+
+  - id: system_allow_all
+    effect: allow
+    action: "*"
+    when:
+      source: system
+
+metadata:
+  name: Source-Based Trust
+  description: Different permission levels based on request source
+  version: 1.0.0