Four features to complete the open-source governance tier: 1. Policy Presets (presets.ts): Built-in rule sets (permissive, safety, strict, audit-only) users can reference by name. Merge order: preset defaults → top-level overrides → additional rules appended. 2. Rate Limiting (rate-limiter.ts): Sliding window counters per key (tool or category). RateLimiter integrated into PolicyEngine — rate limit rules only match when threshold exceeded within window. Memory-only, resets on session restart. 3. Audit Query (audit.ts filter()): Filter audit records by tool, category, status, target pattern (glob), time range (ISO or relative like "1h"), and limit. CLI: moltbot audit query. 4. Audit Reporter (reporter.ts): Aggregates audit data into tool stats, category breakdown, policy decisions, error summaries, and per-minute timeline. Text and JSON output formats. All wired into index.ts with CLI commands (policy presets, audit query, audit report) and plugin.json schema updated with preset field. 151 tests pass across 9 test files. Co-authored-by: dp-web4 <dp@metalinxx.io> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
103 lines
3.5 KiB
JSON
103 lines
3.5 KiB
JSON
{
|
|
"id": "web4-governance",
|
|
"configSchema": {
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"auditLevel": {
|
|
"type": "string",
|
|
"enum": ["minimal", "standard", "verbose"],
|
|
"default": "standard"
|
|
},
|
|
"showR6Status": {
|
|
"type": "boolean",
|
|
"default": true
|
|
},
|
|
"storagePath": {
|
|
"type": "string",
|
|
"description": "Override default ~/.web4/ storage path"
|
|
},
|
|
"policy": {
|
|
"type": "object",
|
|
"description": "Policy engine configuration for pre-action gating",
|
|
"properties": {
|
|
"preset": {
|
|
"type": "string",
|
|
"enum": ["permissive", "safety", "strict", "audit-only"],
|
|
"description": "Named preset to use as base config. Rules become optional when preset is set."
|
|
},
|
|
"defaultPolicy": {
|
|
"type": "string",
|
|
"enum": ["allow", "deny", "warn"],
|
|
"default": "allow",
|
|
"description": "Default decision when no rule matches"
|
|
},
|
|
"enforce": {
|
|
"type": "boolean",
|
|
"default": true,
|
|
"description": "When false, deny decisions are logged but not enforced (dry-run)"
|
|
},
|
|
"rules": {
|
|
"type": "array",
|
|
"default": [],
|
|
"items": {
|
|
"type": "object",
|
|
"required": ["id", "name", "priority", "decision", "match"],
|
|
"properties": {
|
|
"id": {
|
|
"type": "string",
|
|
"description": "Unique rule identifier"
|
|
},
|
|
"name": {
|
|
"type": "string",
|
|
"description": "Human-readable rule name"
|
|
},
|
|
"priority": {
|
|
"type": "number",
|
|
"description": "Lower = evaluated first. First match wins."
|
|
},
|
|
"decision": {
|
|
"type": "string",
|
|
"enum": ["allow", "deny", "warn"]
|
|
},
|
|
"reason": {
|
|
"type": "string",
|
|
"description": "Human-readable reason for the decision"
|
|
},
|
|
"match": {
|
|
"type": "object",
|
|
"properties": {
|
|
"tools": {
|
|
"type": "array",
|
|
"items": { "type": "string" },
|
|
"description": "Tool names to match (e.g. Bash, Write)"
|
|
},
|
|
"categories": {
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string",
|
|
"enum": ["file_read", "file_write", "command", "network", "delegation", "state", "mcp", "unknown"]
|
|
},
|
|
"description": "Tool categories to match"
|
|
},
|
|
"targetPatterns": {
|
|
"type": "array",
|
|
"items": { "type": "string" },
|
|
"description": "Patterns to match against the tool target (glob by default)"
|
|
},
|
|
"targetPatternsAreRegex": {
|
|
"type": "boolean",
|
|
"default": false,
|
|
"description": "Treat targetPatterns as regex instead of glob"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|