Runtime least-privilege firewall for agent/skill actions. It evaluates a requested action and returns one of:
It also returns a sanitizedAction with secrets redacted, plus a structured audit record.
> This is not a gateway hardening tool. It complements gateway security scanners by enforcing per-action policy at runtime.
~/.ssh, ~/.aws, .env, etc.)rm -rf, curl | sh, etc.)Provide an action object to evaluate:
{
"traceId": "optional-uuid",
"caller": { "skillName": "SomeSkill", "skillVersion": "1.2.0" },
"action": {
"type": "http_request | file_read | file_write | exec",
"method": "GET|POST|PUT|DELETE",
"url": "https://api.github.com/...",
"headers": { "authorization": "Bearer ..." },
"body": "...",
"path": "./reports/out.json",
"command": "rm -rf /"
},
"context": {
"workspaceRoot": "/workspace",
"mode": "strict | balanced | permissive",
"confirmed": false
}
}
{
"decision": "ALLOW | DENY | NEED_CONFIRMATION",
"riskScore": 0.42,
"reasons": [{"ruleId":"...","message":"..."}],
"sanitizedAction": { "...": "..." },
"confirmation": { "required": true, "prompt": "..." },
"audit": { "traceId":"...", "policyVersion":"...", "actionFingerprint":"..." }
}
Authorization, Cookie, X-API-Key, and common token patterns1) Your skill creates an action object.
2) Call this skill to evaluate it.
3) If ALLOW → execute sanitizedAction.
4) If NEED_CONFIRMATION → ask user and re-run with context.confirmed=true.
5) If DENY → stop and show the reasons.
policy.yaml contains the policy (edit for your environment).共 1 个版本