refactor(exec-approvals): unify system.run binding and generate host env policy

2026-03-12 07:20:45 +00:00 · 2026-02-26 16:57:29 +01:00
parent baf1c8ea13
commit 4894d907fa
18 changed files with 858 additions and 342 deletions
--- a/apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift
+++ b/apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift
@@ -1,37 +1,11 @@
 import Foundation

 enum HostEnvSanitizer {
-    /// Keep in sync with src/infra/host-env-security-policy.json.
+    /// Generated from src/infra/host-env-security-policy.json via scripts/generate-host-env-security-policy-swift.mjs.
    /// Parity is validated by src/infra/host-env-security.policy-parity.test.ts.
-    private static let blockedKeys: Set<String> = [
-        "NODE_OPTIONS",
-        "NODE_PATH",
-        "PYTHONHOME",
-        "PYTHONPATH",
-        "PERL5LIB",
-        "PERL5OPT",
-        "RUBYLIB",
-        "RUBYOPT",
-        "BASH_ENV",
-        "ENV",
-        "GIT_EXTERNAL_DIFF",
-        "SHELL",
-        "SHELLOPTS",
-        "PS4",
-        "GCONV_PATH",
-        "IFS",
-        "SSLKEYLOGFILE",
-    ]
-
-    private static let blockedPrefixes: [String] = [
-        "DYLD_",
-        "LD_",
-        "BASH_FUNC_",
-    ]
-    private static let blockedOverrideKeys: Set<String> = [
-        "HOME",
-        "ZDOTDIR",
-    ]
+    private static let blockedKeys = HostEnvSecurityPolicy.blockedKeys
+    private static let blockedPrefixes = HostEnvSecurityPolicy.blockedPrefixes
+    private static let blockedOverrideKeys = HostEnvSecurityPolicy.blockedOverrideKeys
    private static let shellWrapperAllowedOverrideKeys: Set<String> = [
        "TERM",
        "LANG",
--- a/apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift
+++ b/apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift
@@ -0,0 +1,38 @@
+// Generated file. Do not edit directly.
+// Source: src/infra/host-env-security-policy.json
+// Regenerate: node scripts/generate-host-env-security-policy-swift.mjs
+
+import Foundation
+
+enum HostEnvSecurityPolicy {
+    static let blockedKeys: Set<String> = [
+        "NODE_OPTIONS",
+        "NODE_PATH",
+        "PYTHONHOME",
+        "PYTHONPATH",
+        "PERL5LIB",
+        "PERL5OPT",
+        "RUBYLIB",
+        "RUBYOPT",
+        "BASH_ENV",
+        "ENV",
+        "GIT_EXTERNAL_DIFF",
+        "SHELL",
+        "SHELLOPTS",
+        "PS4",
+        "GCONV_PATH",
+        "IFS",
+        "SSLKEYLOGFILE"
+    ]
+
+    static let blockedOverrideKeys: Set<String> = [
+        "HOME",
+        "ZDOTDIR"
+    ]
+
+    static let blockedPrefixes: [String] = [
+        "DYLD_",
+        "LD_",
+        "BASH_FUNC_"
+    ]
+}