relaysecurity-dev 0.1.0__tar.gz → 0.2.0__tar.gz

{relaysecurity_dev-0.1.0 → relaysecurity_dev-0.2.0}/PKG-INFO

@@ -1,11 +1,11 @@
 Metadata-Version: 2.4
 Name: relaysecurity-dev
-Version: 0.1.0
+Version: 0.2.0
 Summary: Python SDK for checking AI agent tool calls with Relay.
 Project-URL: Homepage, https://relay-security-lemon.vercel.app
 Project-URL: Repository, https://github.com/aniiketvarshney/Relay-Security
 Author: Relay Security
-License-Expression: MIT
+License: Apache-2.0
 Keywords: agents,ai,guardrails,relay,security
 Requires-Python: >=3.9
 Requires-Dist: requests>=2.31.0

{relaysecurity_dev-0.1.0 → relaysecurity_dev-0.2.0}/pyproject.toml

@@ -4,11 +4,11 @@ build-backend = "hatchling.build"
 
 [project]
 name = "relaysecurity-dev"
-version = "0.1.0"
+version = "0.2.0"
 description = "Python SDK for checking AI agent tool calls with Relay."
 readme = "README.md"
 requires-python = ">=3.9"
-license = "MIT"
+license = { text = "Apache-2.0" }
 authors = [
   { name = "Relay Security" }
 ]

relaysecurity_dev-0.2.0/src/relaysecurity_dev/__init__.py

@@ -0,0 +1,4 @@
+from .client import Relay, RelayPolicyError
+from .sandbox import DockerSandbox, DockerSandboxResult
+
+__all__ = ["Relay", "RelayPolicyError", "DockerSandbox", "DockerSandboxResult"]

relaysecurity_dev-0.2.0/src/relaysecurity_dev/policy.py

@@ -0,0 +1,190 @@
+from __future__ import annotations
+
+import os
+import re
+from dataclasses import dataclass
+from urllib.parse import urlparse
+
+API_KEY_PREFIX = "relay_sk_"
+
+TOOL_ALIASES = {
+    "github_delete_repo": [
+        "github_delete_repo",
+        "github.deleteRepo",
+        "github.repos.delete",
+        "github_delete_repository",
+        "delete_repository",
+        "delete_repo",
+    ],
+    "shell_rm_rf": [
+        "shell_rm_rf",
+        "shell.rm_rf",
+        "shell.rm",
+        "terminal_rm_rf",
+        "delete_files_recursive",
+        "shell_command",
+        "terminal_command",
+        "bash_command",
+        "execute_shell",
+    ],
+    "deploy_production": [
+        "deploy_production",
+        "deploy.production",
+        "vercel_promote_production",
+        "production_deploy",
+    ],
+    "database_drop_table": [
+        "database_drop_table",
+        "db_drop_table",
+        "sql_drop_table",
+        "database.dropTable",
+    ],
+}
+
+SHELL_TOOL_HINTS = {
+    "shell_command",
+    "terminal_command",
+    "bash_command",
+    "execute_shell",
+    "shell_rm_rf",
+    "shell.rm_rf",
+    "shell.rm",
+    "terminal_rm_rf",
+}
+
+SHELL_PATTERNS = [
+    re.compile(r"\brm\s+-rf\b", re.IGNORECASE),
+    re.compile(r"\bdel\s+\/s\s+\/q\b", re.IGNORECASE),
+    re.compile(r"\bformat\s+[a-z]:", re.IGNORECASE),
+    re.compile(r"\bmkfs(?:\.\w+)?\b", re.IGNORECASE),
+    re.compile(r"\bdd\s+if=", re.IGNORECASE),
+    re.compile(r"\bchmod\s+-R\b", re.IGNORECASE),
+    re.compile(r"\bchown\s+-R\b", re.IGNORECASE),
+    re.compile(r"\bInvoke-WebRequest\b", re.IGNORECASE),
+    re.compile(r"\biwr\b", re.IGNORECASE),
+    re.compile(r"\bStart-BitsTransfer\b", re.IGNORECASE),
+    re.compile(r"\bcurl\b", re.IGNORECASE),
+    re.compile(r"\bwget\b", re.IGNORECASE),
+    re.compile(r"\bnc\b", re.IGNORECASE),
+    re.compile(r"\bnetcat\b", re.IGNORECASE),
+    re.compile(r"\bscp\b", re.IGNORECASE),
+    re.compile(r"\bsftp\b", re.IGNORECASE),
+    re.compile(r"\brsync\b", re.IGNORECASE),
+    re.compile(r"\bbase64\b", re.IGNORECASE),
+    re.compile(r"\bopenssl\s+enc\b", re.IGNORECASE),
+]
+
+PIPE_TO_SHELL_PATTERN = re.compile(
+    r"\|\s*(bash|sh|zsh|pwsh|powershell)\b",
+    re.IGNORECASE,
+)
+
+
+def parse_allowlist(value: str | None) -> list[str]:
+    if not value:
+        return []
+
+    return [
+        item.strip().lower().removeprefix("www.")
+        for item in re.split(r"[,\s]+", value)
+        if item.strip()
+    ]
+
+
+def normalize_host(host: str) -> str:
+    return host.lower().removeprefix("www.")
+
+
+def extract_urls(text: str) -> list[str]:
+    return re.findall(r"https?://[^\s'\"`<>\\()]+", text, flags=re.IGNORECASE)
+
+
+def is_host_allowed(host: str, allowlist: list[str]) -> bool:
+    normalized_host = normalize_host(host)
+    for allowed in allowlist:
+        normalized_allowed = normalize_host(allowed)
+        if (
+            normalized_host == normalized_allowed
+            or normalized_host.endswith(f".{normalized_allowed}")
+        ):
+            return True
+    return False
+
+
+def expand_tool_aliases(tool: str) -> list[str]:
+    normalized = tool.strip()
+    aliases = {normalized}
+
+    for values in TOOL_ALIASES.values():
+        if normalized in values:
+            aliases.update(values)
+
+    return list(aliases)
+
+
+def is_shell_tool(tool_name: str) -> bool:
+    return tool_name.strip() in SHELL_TOOL_HINTS
+
+
+def extract_shell_command(arguments: dict[str, object] | None) -> str:
+    if not isinstance(arguments, dict):
+        return ""
+
+    for key in ("command", "cmd", "shell", "script", "bash", "powershell", "sh", "args"):
+        value = arguments.get(key)
+        if isinstance(value, str) and value.strip():
+            return value.strip()
+
+    return ""
+
+
+@dataclass
+class ShellInspectionResult:
+    blocked: bool
+    reason: str | None = None
+
+
+def inspect_shell_command(
+    command: str | None,
+    allowlist: list[str] | None = None,
+) -> ShellInspectionResult:
+    normalized = (command or "").strip()
+    if not normalized:
+        return ShellInspectionResult(blocked=False)
+
+    for pattern in SHELL_PATTERNS:
+        if pattern.search(normalized):
+            return ShellInspectionResult(
+                blocked=True,
+                reason="Blocked risky shell command.",
+            )
+
+    if PIPE_TO_SHELL_PATTERN.search(normalized):
+        return ShellInspectionResult(
+            blocked=True,
+            reason="Blocked shell pipeline execution.",
+        )
+
+    allowed_hosts = allowlist or parse_allowlist(
+        os.getenv("RELAY_EGRESS_ALLOWLIST") or os.getenv("EGRESS_ALLOWLIST")
+    )
+
+    for raw_url in extract_urls(normalized):
+        host = urlparse(raw_url).hostname or ""
+        if host and not is_host_allowed(host, allowed_hosts):
+            return ShellInspectionResult(
+                blocked=True,
+                reason=f"Blocked external domain: {host}",
+            )
+
+    if not allowed_hosts and re.search(
+        r"(curl|wget|Invoke-WebRequest|iwr|Start-BitsTransfer)",
+        normalized,
+        flags=re.IGNORECASE,
+    ):
+        return ShellInspectionResult(
+            blocked=True,
+            reason="Blocked shell networking command.",
+        )
+
+    return ShellInspectionResult(blocked=False)

relaysecurity_dev-0.2.0/src/relaysecurity_dev/sandbox.py

@@ -0,0 +1,154 @@
+from __future__ import annotations
+
+import os
+import subprocess
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Any
+
+from .client import Relay, RelayPolicyError
+from .policy import (
+    extract_shell_command,
+    inspect_shell_command,
+    parse_allowlist,
+)
+
+
+@dataclass
+class DockerSandboxResult:
+    stdout: str
+    stderr: str
+    returncode: int
+
+
+def _docker_error_message(details: str) -> str:
+    lower_details = details.lower()
+
+    if "no such file or directory" in lower_details or "file not found" in lower_details:
+        return (
+            "Docker was not found. Install Docker Desktop, open it once, "
+            "then run `docker run --rm hello-world`."
+        )
+
+    if "wsl" in lower_details or "windows subsystem for linux" in lower_details:
+        return (
+            "Docker needs WSL to run Linux containers on Windows. Run "
+            "`wsl --install`, restart your PC, open Docker Desktop, then retry."
+        )
+
+    if (
+        "docker desktop is unable to start" in lower_details
+        or "cannot connect to the docker daemon" in lower_details
+        or "daemon is not running" in lower_details
+        or "error during connect" in lower_details
+        or "//./pipe/docker" in lower_details
+    ):
+        return (
+            "Docker is installed, but the Docker engine is not running. "
+            "Open Docker Desktop and wait until it says 'Engine running', then retry."
+        )
+
+    if (
+        "permission denied" in lower_details and "docker" in lower_details
+    ) or (
+        "access is denied" in lower_details and ".docker" in lower_details
+    ) or "trying to connect to the docker api" in lower_details:
+        return (
+            "Docker is running, but this terminal cannot access Docker. "
+            "Open a normal PowerShell/Terminal as your user, make sure Docker "
+            "Desktop is running, then retry."
+        )
+
+    return details.strip() or "Docker sandbox failed."
+
+
+class DockerSandbox:
+    def __init__(
+        self,
+        relay: Relay | None = None,
+        *,
+        image: str = "ubuntu:24.04",
+        workdir: str | None = None,
+        egress_allowlist: list[str] | str | None = None,
+        tool_name: str = "shell_command",
+    ) -> None:
+        self.relay = relay or Relay()
+        self.image = image
+        self.workdir = workdir or os.getcwd()
+        self.tool_name = tool_name
+        if isinstance(egress_allowlist, str):
+            self.egress_allowlist = parse_allowlist(egress_allowlist)
+        else:
+            self.egress_allowlist = egress_allowlist or parse_allowlist(
+                os.getenv("RELAY_EGRESS_ALLOWLIST") or os.getenv("EGRESS_ALLOWLIST")
+            )
+
+    def run(
+        self,
+        command: str,
+        *,
+        arguments: dict[str, Any] | None = None,
+        env: dict[str, str] | None = None,
+        workdir: str | None = None,
+    ) -> DockerSandboxResult:
+        safe_command = extract_shell_command(arguments) or command.strip()
+        inspection = inspect_shell_command(safe_command, self.egress_allowlist)
+
+        if inspection.blocked:
+            raise RelayPolicyError(
+                inspection.reason or "Blocked by Relay policy",
+                {"status": "blocked", "reason": inspection.reason},
+            )
+
+        self.relay.assert_allowed(
+            self.tool_name,
+            {"command": safe_command, **(arguments or {})},
+        )
+
+        mount_dir = Path(workdir or self.workdir).resolve()
+        docker_args = [
+            "docker",
+            "run",
+            "--rm",
+            "-i",
+            "--network",
+            "none",
+            "-v",
+            f"{mount_dir}:/workspace",
+            "-w",
+            "/workspace",
+        ]
+
+        for key, value in (env or {}).items():
+            docker_args.extend(["-e", f"{key}={value}"])
+
+        if self.egress_allowlist:
+            docker_args.extend(
+                ["-e", f"RELAY_EGRESS_ALLOWLIST={','.join(self.egress_allowlist)}"]
+            )
+
+        docker_args.extend([self.image, "sh", "-lc", safe_command])
+
+        try:
+            completed = subprocess.run(
+                docker_args,
+                capture_output=True,
+                text=True,
+                check=False,
+                env={**os.environ, **(env or {})},
+            )
+        except FileNotFoundError as error:
+            raise RuntimeError(_docker_error_message(str(error))) from error
+        except OSError as error:
+            raise RuntimeError(_docker_error_message(str(error))) from error
+
+        if completed.returncode != 0:
+            raise RuntimeError(
+                _docker_error_message(completed.stderr or completed.stdout)
+            )
+
+        return DockerSandboxResult(
+            stdout=completed.stdout,
+            stderr=completed.stderr,
+            returncode=completed.returncode,
+        )

relaysecurity_dev-0.1.0/src/relaysecurity_dev/__init__.py

@@ -1,3 +0,0 @@
-from .client import Relay, RelayPolicyError
-
-__all__ = ["Relay", "RelayPolicyError"]