tweek 0.1.0__py3-none-any.whl → 0.2.0__py3-none-any.whl

tweek/proxy/__init__.py

@@ -16,6 +16,7 @@ Usage:
 The proxy is DISABLED by default. Enable with:
     tweek proxy enable
 """
+from __future__ import annotations
 
 import shutil
 import socket
@@ -34,7 +35,7 @@ except ImportError:
 
 
 # Default ports
-MOLTBOT_DEFAULT_PORT = 18789
+OPENCLAW_DEFAULT_PORT = 18789
 TWEEK_DEFAULT_PORT = 9877
 
 
@@ -58,8 +59,8 @@ def is_port_in_use(port: int, host: str = "127.0.0.1") -> bool:
         return False
 
 
-def check_moltbot_gateway_running(port: int = MOLTBOT_DEFAULT_PORT) -> bool:
-    """Check if moltbot's gateway is actively listening on its port."""
+def check_openclaw_gateway_running(port: int = OPENCLAW_DEFAULT_PORT) -> bool:
+    """Check if OpenClaw's gateway is actively listening on its port."""
     return is_port_in_use(port)
 
 
@@ -71,19 +72,19 @@ def detect_proxy_conflicts() -> list[ProxyConflict]:
     """
     conflicts = []
 
-    # Check for moltbot
-    moltbot_info = detect_moltbot()
-    if moltbot_info:
-        moltbot_port = moltbot_info.get("gateway_port", MOLTBOT_DEFAULT_PORT)
-        is_running = check_moltbot_gateway_running(moltbot_port)
+    # Check for OpenClaw
+    openclaw_info = detect_openclaw()
+    if openclaw_info:
+        openclaw_port = openclaw_info.get("gateway_port", OPENCLAW_DEFAULT_PORT)
+        is_running = check_openclaw_gateway_running(openclaw_port)
 
-        if moltbot_info.get("process_running") or is_running:
+        if openclaw_info.get("process_running") or is_running:
             conflicts.append(ProxyConflict(
-                tool_name="moltbot",
-                port=moltbot_port,
+                tool_name="openclaw",
+                port=openclaw_port,
                 is_running=is_running,
-                description="Moltbot gateway detected" +
-                           (f" on port {moltbot_port}" if is_running else " (process found)")
+                description="OpenClaw gateway detected" +
+                           (f" on port {openclaw_port}" if is_running else " (process found)")
             ))
 
     # Check if something else is using Tweek's default port
@@ -98,31 +99,31 @@ def detect_proxy_conflicts() -> list[ProxyConflict]:
     return conflicts
 
 
-def get_moltbot_status() -> dict:
+def get_openclaw_status() -> dict:
     """
-    Get detailed moltbot status including whether its gateway is running.
+    Get detailed OpenClaw status including whether its gateway is running.
 
     Returns:
         Dict with keys: installed, running, gateway_active, port, config_path
     """
     from pathlib import Path
 
-    moltbot_info = detect_moltbot()
+    openclaw_info = detect_openclaw()
 
     status = {
-        "installed": moltbot_info is not None,
+        "installed": openclaw_info is not None,
         "running": False,
         "gateway_active": False,
-        "port": MOLTBOT_DEFAULT_PORT,
+        "port": OPENCLAW_DEFAULT_PORT,
         "config_path": None,
     }
 
-    if moltbot_info:
-        status["running"] = moltbot_info.get("process_running", False)
-        status["port"] = moltbot_info.get("gateway_port", MOLTBOT_DEFAULT_PORT)
-        status["gateway_active"] = check_moltbot_gateway_running(status["port"])
+    if openclaw_info:
+        status["running"] = openclaw_info.get("process_running", False)
+        status["port"] = openclaw_info.get("gateway_port", OPENCLAW_DEFAULT_PORT)
+        status["gateway_active"] = check_openclaw_gateway_running(status["port"])
 
-        config_path = Path.home() / ".moltbot"
+        config_path = Path.home() / ".openclaw"
         if config_path.exists():
             status["config_path"] = str(config_path)
 
@@ -130,8 +131,8 @@ def get_moltbot_status() -> dict:
 
 
 # Detection functions for supported tools
-def detect_moltbot() -> Optional[dict]:
-    """Detect if moltbot is installed on the system."""
+def detect_openclaw() -> Optional[dict]:
+    """Detect if OpenClaw is installed on the system."""
     import subprocess
     import json
     from pathlib import Path
@@ -146,22 +147,22 @@ def detect_moltbot() -> Optional[dict]:
     # Check for npm global installation
     try:
         result = subprocess.run(
-            ["npm", "list", "-g", "moltbot", "--json"],
+            ["npm", "list", "-g", "openclaw", "--json"],
             capture_output=True,
             text=True,
             timeout=5
         )
         if result.returncode == 0:
             data = json.loads(result.stdout)
-            if "dependencies" in data and "moltbot" in data.get("dependencies", {}):
+            if "dependencies" in data and "openclaw" in data.get("dependencies", {}):
                 indicators["npm_global"] = True
     except (subprocess.TimeoutExpired, FileNotFoundError, json.JSONDecodeError):
         pass
 
-    # Check for running moltbot process
+    # Check for running openclaw process
     try:
         result = subprocess.run(
-            ["pgrep", "-f", "moltbot"],
+            ["pgrep", "-f", "openclaw"],
             capture_output=True,
             timeout=5
         )
@@ -170,9 +171,9 @@ def detect_moltbot() -> Optional[dict]:
     except (subprocess.TimeoutExpired, FileNotFoundError):
         pass
 
-    # Check for moltbot config directory
-    moltbot_config = Path.home() / ".moltbot"
-    if moltbot_config.exists():
+    # Check for OpenClaw config directory
+    openclaw_config = Path.home() / ".openclaw"
+    if openclaw_config.exists():
         indicators["config_exists"] = True
 
     # Default gateway port
@@ -231,7 +232,7 @@ def detect_continue() -> Optional[dict]:
 def detect_supported_tools() -> dict:
     """Detect all supported LLM tools on the system."""
     return {
-        "moltbot": detect_moltbot(),
+        "openclaw": detect_openclaw(),
         "cursor": detect_cursor(),
         "continue": detect_continue(),
     }
@@ -287,14 +288,14 @@ def get_proxy_status() -> dict:
 __all__ = [
     "PROXY_AVAILABLE",
     "PROXY_MISSING_DEPS",
-    "MOLTBOT_DEFAULT_PORT",
+    "OPENCLAW_DEFAULT_PORT",
     "TWEEK_DEFAULT_PORT",
     "ProxyConflict",
     "is_port_in_use",
-    "check_moltbot_gateway_running",
+    "check_openclaw_gateway_running",
     "detect_proxy_conflicts",
-    "get_moltbot_status",
-    "detect_moltbot",
+    "get_openclaw_status",
+    "detect_openclaw",
     "detect_cursor",
     "detect_continue",
     "detect_supported_tools",

tweek/proxy/addon.py

@@ -95,7 +95,6 @@ class TweekProxyAddon:
             result = self.interceptor.screen_request(flow.request.content, provider)
 
             if result.warnings:
-                # Log warnings but don't block requests
                 logger.warning(
                     f"Prompt injection warning: {result.warnings} "
                     f"(provider={provider.value}, path={flow.request.path})"
@@ -104,6 +103,21 @@ class TweekProxyAddon:
                 # Add header to track warning
                 flow.request.headers["X-Tweek-Warning"] = "prompt-injection-suspected"
 
+                # Block request if screening says it's not allowed
+                if not result.allowed and self.block_mode and not self.log_only:
+                    self.stats["requests_blocked"] += 1
+                    flow.response = http.Response.make(
+                        403,
+                        json.dumps({
+                            "error": {
+                                "type": "security_blocked",
+                                "message": f"Tweek Security: Request blocked — {result.reason}",
+                                "patterns": result.matched_patterns,
+                            }
+                        }),
+                        {"Content-Type": "application/json"},
+                    )
+
     @concurrent
     def response(self, flow: http.HTTPFlow):
         """Handle incoming responses from LLM APIs."""
@@ -112,10 +126,15 @@ class TweekProxyAddon:
         if not self.interceptor.should_intercept(host):
             return
 
-        # Skip streaming responses - we can't buffer them without breaking UX
+        # Log streaming responses - we can't fully buffer SSE without breaking UX
+        # but we flag them as unscreened for visibility
         content_type = flow.response.headers.get("content-type", "")
         if "text/event-stream" in content_type:
-            logger.debug(f"Skipping streaming response from {host}")
+            logger.warning(
+                f"Streaming response from {host} cannot be fully screened. "
+                "Tool calls in streaming responses bypass proxy screening."
+            )
+            self.stats["streaming_unscreened"] = self.stats.get("streaming_unscreened", 0) + 1
             return
 
         self.stats["responses_screened"] += 1

tweek/proxy/interceptor.py

@@ -4,6 +4,7 @@ LLM API Interceptor - Screens requests and responses to LLM APIs.
 This module provides the core interception logic for the Tweek proxy,
 analyzing LLM API traffic for security threats.
 """
+from __future__ import annotations
 
 import json
 import re

tweek/proxy/server.py

@@ -267,8 +267,10 @@ def get_proxy_env_vars(port: int = DEFAULT_PORT) -> dict[str, str]:
         "HTTPS_PROXY": proxy_url,
         "http_proxy": proxy_url,
         "https_proxy": proxy_url,
-        # For Node.js apps that don't respect standard env vars
-        "NODE_TLS_REJECT_UNAUTHORIZED": "0",  # Required for self-signed CA
+        # For Node.js: use CA cert bundle instead of disabling TLS validation
+        # NODE_TLS_REJECT_UNAUTHORIZED=0 would disable ALL TLS checks (insecure)
+        # NODE_EXTRA_CA_CERTS adds our CA to the trust store without disabling validation
+        "NODE_EXTRA_CA_CERTS": str(Path.home() / ".tweek" / "proxy" / "tweek-ca.pem"),
     }
 
 

tweek/sandbox/__init__.py

@@ -64,8 +64,19 @@ __all__ = [
     "SANDBOX_AVAILABLE",
     "SANDBOX_TOOL",
     "get_sandbox_status",
+    # Project sandbox (Layer 2)
+    "IsolationLayer",
+    "ProjectSandbox",
+    "get_project_sandbox",
+    "ProjectRegistry",
+    "get_registry",
 ]
 
+# Project sandbox imports (always available, no platform dependency)
+from .layers import IsolationLayer
+from .project import ProjectSandbox, get_project_sandbox
+from .registry import ProjectRegistry, get_registry
+
 # Add Linux-specific exports if available
 if IS_LINUX:
     __all__.extend(["LinuxSandbox", "prompt_install_firejail", "get_sandbox"])

tweek/sandbox/docker_bridge.py

@@ -0,0 +1,143 @@
+"""
+Tweek Docker Bridge
+
+Lightweight integration with Docker for container-level isolation.
+Generates docker-compose.yaml and provides simple run/status commands.
+Delegates actual container management to Docker rather than reimplementing.
+"""
+
+import subprocess
+import textwrap
+from pathlib import Path
+from typing import Optional
+
+
+TWEEK_HOME = Path.home() / ".tweek"
+
+
+class DockerBridge:
+    """Lightweight Docker integration for project-level container isolation."""
+
+    def is_docker_available(self) -> bool:
+        """Check if Docker is installed and the daemon is running."""
+        try:
+            result = subprocess.run(
+                ["docker", "info"],
+                capture_output=True,
+                text=True,
+                timeout=5,
+            )
+            return result.returncode == 0
+        except (FileNotFoundError, subprocess.TimeoutExpired):
+            return False
+
+    def get_docker_version(self) -> Optional[str]:
+        """Get Docker version string, or None if unavailable."""
+        try:
+            result = subprocess.run(
+                ["docker", "version", "--format", "{{.Server.Version}}"],
+                capture_output=True,
+                text=True,
+                timeout=5,
+            )
+            if result.returncode == 0:
+                return result.stdout.strip()
+        except (FileNotFoundError, subprocess.TimeoutExpired):
+            pass
+        return None
+
+    def init(self, project_dir: Path) -> Path:
+        """Generate docker-compose.yaml for this project.
+
+        Creates a minimal Docker Compose configuration that:
+        - Mounts the project directory read-write at /workspace
+        - Mounts global Tweek config read-only
+        - Disables network access by default
+        - Sets up environment for Tweek hooks
+
+        Returns the path to the generated compose file.
+        """
+        project_dir = project_dir.resolve()
+        tweek_dir = project_dir / ".tweek"
+        tweek_dir.mkdir(parents=True, exist_ok=True)
+
+        compose_path = tweek_dir / "docker-compose.yaml"
+        tweek_home_str = str(TWEEK_HOME)
+
+        compose_content = textwrap.dedent(f"""\
+            # Tweek Docker Sandbox Configuration
+            # Generated by: tweek sandbox docker init
+            # Docs: https://github.com/your-org/tweek
+            #
+            # This file mounts your project into a container with Tweek hooks active.
+            # Customize as needed for your workflow.
+
+            services:
+              tweek-sandbox:
+                image: python:3.12-slim
+                working_dir: /workspace
+                volumes:
+                  # Project directory (read-write)
+                  - {project_dir}:/workspace:rw
+                  # Global Tweek config (read-only)
+                  - {tweek_home_str}:/home/tweek/.tweek-global:ro
+                network_mode: "none"  # No network by default (security)
+                environment:
+                  - TWEEK_SANDBOX_LAYER=2
+                  - TWEEK_GLOBAL_CONFIG=/home/tweek/.tweek-global
+                  - HOME=/home/tweek
+                # Install tweek and start a shell
+                # Customize this command for your workflow
+                command: >
+                  bash -c "
+                    pip install -q tweek 2>/dev/null;
+                    echo 'Tweek sandbox ready. Project mounted at /workspace';
+                    exec bash
+                  "
+                stdin_open: true
+                tty: true
+        """)
+
+        compose_path.write_text(compose_content)
+        return compose_path
+
+    def run(self, project_dir: Path) -> int:
+        """Launch the project in a Docker container.
+
+        Returns the container's exit code.
+        """
+        project_dir = project_dir.resolve()
+        compose_path = project_dir / ".tweek" / "docker-compose.yaml"
+
+        if not compose_path.exists():
+            # Auto-generate if not present
+            self.init(project_dir)
+
+        result = subprocess.run(
+            ["docker", "compose", "-f", str(compose_path), "run", "--rm", "tweek-sandbox"],
+            cwd=str(project_dir),
+        )
+        return result.returncode
+
+    def stop(self, project_dir: Path) -> None:
+        """Stop any running containers for this project."""
+        compose_path = project_dir.resolve() / ".tweek" / "docker-compose.yaml"
+        if compose_path.exists():
+            subprocess.run(
+                ["docker", "compose", "-f", str(compose_path), "down"],
+                capture_output=True,
+            )
+
+    def suggest_docker(self, project_dir: Path) -> Optional[str]:
+        """Return a suggestion message if Docker is available but not configured."""
+        if not self.is_docker_available():
+            return None
+
+        compose = project_dir / ".tweek" / "docker-compose.yaml"
+        if compose.exists():
+            return None
+
+        return (
+            "Docker detected. For container-level isolation, run:\n"
+            "  tweek sandbox docker init"
+        )

tweek/sandbox/executor.py

@@ -14,6 +14,7 @@ Usage:
 """
 
 import os
+import shlex
 import subprocess
 import tempfile
 import json
@@ -166,10 +167,11 @@ class SandboxExecutor:
             profile_path = self.generator.save(manifest)
 
             # Build the sandboxed command
-            sandboxed_cmd = f'sandbox-exec -f "{profile_path}" /bin/bash -c {self._shell_quote(command)}'
+            sandboxed_cmd = f'sandbox-exec -f {shlex.quote(str(profile_path))} /bin/bash -c {self._shell_quote(command)}'
 
-            # Set up environment
-            run_env = os.environ.copy()
+            # Set up minimal environment (don't inherit all parent secrets)
+            safe_env_keys = {"PATH", "HOME", "USER", "SHELL", "TERM", "LANG", "LC_ALL", "TMPDIR"}
+            run_env = {k: v for k, v in os.environ.items() if k in safe_env_keys}
             if env:
                 run_env.update(env)
 
@@ -327,10 +329,11 @@ class SandboxExecutor:
                 profile_path = self.generator.save(manifest)
 
         # Build sandboxed command
-        sandboxed_cmd = f'sandbox-exec -f "{profile_path}" /bin/bash -c {self._shell_quote(command)}'
+        sandboxed_cmd = f'sandbox-exec -f {shlex.quote(str(profile_path))} /bin/bash -c {self._shell_quote(command)}'
 
-        # Set up environment
-        run_env = os.environ.copy()
+        # Set up minimal environment (don't inherit all parent secrets)
+        safe_env_keys = {"PATH", "HOME", "USER", "SHELL", "TERM", "LANG", "LC_ALL", "TMPDIR"}
+        run_env = {k: v for k, v in os.environ.items() if k in safe_env_keys}
         if env:
             run_env.update(env)
 

tweek/sandbox/layers.py

@@ -0,0 +1,97 @@
+"""
+Tweek Sandbox Layers
+
+Defines the isolation layer hierarchy and capability matrix.
+
+Layer 0: Bypass        - No isolation, global state only (opt-in escape hatch)
+Layer 1: Skills Only   - Skill Isolation Chamber (already built)
+Layer 2: Project State - Per-project security DB, overrides, fingerprints, patterns (DEFAULT)
+Layer 3+: Deferred     - Filesystem/container isolation via Docker bridge
+"""
+
+from enum import IntEnum
+from typing import Dict, Set
+
+
+class IsolationLayer(IntEnum):
+    """Isolation layers ordered by increasing security."""
+
+    BYPASS = 0       # No isolation, global state only
+    SKILLS = 1       # Skill Isolation Chamber only
+    PROJECT = 2      # Per-project security state (default)
+
+    @classmethod
+    def from_value(cls, value: int) -> "IsolationLayer":
+        """Convert int to IsolationLayer, clamping to valid range."""
+        try:
+            return cls(value)
+        except ValueError:
+            if value < 0:
+                return cls.BYPASS
+            return cls.PROJECT
+
+
+# Capability matrix: what each layer provides
+LAYER_CAPABILITIES: Dict[IsolationLayer, Set[str]] = {
+    IsolationLayer.BYPASS: set(),
+    IsolationLayer.SKILLS: {
+        "skill_scanning",
+        "skill_fingerprints",
+        "skill_guard",
+    },
+    IsolationLayer.PROJECT: {
+        "skill_scanning",
+        "skill_fingerprints",
+        "skill_guard",
+        "project_security_db",
+        "project_overrides",
+        "project_fingerprints",
+        "project_config",
+    },
+}
+
+
+def layer_has_capability(layer: IsolationLayer, capability: str) -> bool:
+    """Check if a layer provides a specific capability."""
+    return capability in LAYER_CAPABILITIES.get(layer, set())
+
+
+def get_layer_description(layer: IsolationLayer) -> str:
+    """Human-readable description of what a layer provides."""
+    descriptions = {
+        IsolationLayer.BYPASS: (
+            "No isolation. All security state uses global ~/.tweek/. "
+            "Skills are not scanned. Use only for trusted projects."
+        ),
+        IsolationLayer.SKILLS: (
+            "Skill Isolation Chamber active. Skills are scanned before install. "
+            "Security state uses global ~/.tweek/."
+        ),
+        IsolationLayer.PROJECT: (
+            "Full project isolation. Security events, overrides, skill fingerprints, "
+            "and configuration are scoped to this project's .tweek/ directory. "
+            "Project overrides are additive-only (cannot weaken global security)."
+        ),
+    }
+    return descriptions.get(layer, "Unknown layer")
+
+
+# Severity ranking for additive-only merge
+SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
+
+
+def stricter_severity(a: str, b: str) -> str:
+    """Return the stricter (lower threshold) of two severity levels.
+
+    Severity thresholds define the MINIMUM severity to report:
+    - "low" = report low+medium+high+critical (screens the most, strictest)
+    - "critical" = report only critical (screens the least, most permissive)
+
+    Higher rank number = screens more things = stricter.
+    """
+    rank_a = SEVERITY_ORDER.get(a, 3)
+    rank_b = SEVERITY_ORDER.get(b, 3)
+    # Higher rank = stricter = screens more things
+    if rank_a >= rank_b:
+        return a
+    return b

tweek/sandbox/linux.py

@@ -7,6 +7,7 @@ seccomp-bpf, and capabilities to restrict process execution.
 If firejail is not available, falls back to bubblewrap (bwrap)
 which is often installed with Flatpak.
 """
+from __future__ import annotations
 
 import shutil
 import subprocess