refactor(exec-approvals): unify system.run binding and generate host env policy

2026-03-12 07:20:45 +00:00 · 2026-02-26 16:57:29 +01:00
parent baf1c8ea13
commit 4894d907fa
18 changed files with 858 additions and 342 deletions
--- a/scripts/generate-host-env-security-policy-swift.mjs
+++ b/scripts/generate-host-env-security-policy-swift.mjs
@@ -0,0 +1,45 @@
+#!/usr/bin/env node
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+const here = path.dirname(fileURLToPath(import.meta.url));
+const repoRoot = path.resolve(here, "..");
+const policyPath = path.join(repoRoot, "src", "infra", "host-env-security-policy.json");
+const outputPath = path.join(
+  repoRoot,
+  "apps",
+  "macos",
+  "Sources",
+  "OpenClaw",
+  "HostEnvSecurityPolicy.generated.swift",
+);
+
+/** @type {{blockedKeys: string[]; blockedOverrideKeys?: string[]; blockedPrefixes: string[]}} */
+const policy = JSON.parse(fs.readFileSync(policyPath, "utf8"));
+
+const renderSwiftStringArray = (items) => items.map((item) => `        "${item}"`).join(",\n");
+
+const swift = `// Generated file. Do not edit directly.
+// Source: src/infra/host-env-security-policy.json
+// Regenerate: node scripts/generate-host-env-security-policy-swift.mjs
+
+import Foundation
+
+enum HostEnvSecurityPolicy {
+    static let blockedKeys: Set<String> = [
+${renderSwiftStringArray(policy.blockedKeys)}
+    ]
+
+    static let blockedOverrideKeys: Set<String> = [
+${renderSwiftStringArray(policy.blockedOverrideKeys ?? [])}
+    ]
+
+    static let blockedPrefixes: [String] = [
+${renderSwiftStringArray(policy.blockedPrefixes)}
+    ]
+}
+`;
+
+fs.writeFileSync(outputPath, swift);
+console.log(`Wrote ${path.relative(repoRoot, outputPath)}`);