vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-14 02:31:24 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
dfd4e9f8a13d5b4bf2e21cce3667b2c08ea154e3
openclaw/scripts/generate-host-env-security-policy-swift.mjs
Pavan Kumar Gondhi 2d126fc623 fix(infra): expand host env security policy denylist [AI] (#63277) 
* fix: address issue

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: close host env inherited sanitization gap

* fix: enforce host env reported baseline coverage

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* docs: add changelog entry for PR merge
2026-04-10 11:36:39 +05:30

88 lines
2.5 KiB
JavaScript
Raw Blame History

#!/usr/bin/env node
import fs from "node:fs";
import path from "node:path";
import { fileURLToPath } from "node:url";
import { loadHostEnvSecurityPolicy } from "../src/infra/host-env-security-policy.js";
const args = new Set(process.argv.slice(2));
const checkOnly = args.has("--check");
const writeMode = args.has("--write") || !checkOnly;
if (checkOnly && args.has("--write")) {
console.error("Use either --check or --write, not both.");
process.exit(1);
}
const here = path.dirname(fileURLToPath(import.meta.url));
const repoRoot = path.resolve(here, "..");
const policyPath = path.join(repoRoot, "src", "infra", "host-env-security-policy.json");
const outputPath = path.join(
repoRoot,
"apps",
"macos",
"Sources",
"OpenClaw",
"HostEnvSecurityPolicy.generated.swift",
);
const rawPolicy = JSON.parse(fs.readFileSync(policyPath, "utf8"));
const policy = loadHostEnvSecurityPolicy(rawPolicy);
const renderSwiftStringArray = (items) => items.map((item) => ` "${item}"`).join(",\n");
const generated = `// Generated file. Do not edit directly.
// Source: src/infra/host-env-security-policy.json
// Regenerate: node scripts/generate-host-env-security-policy-swift.mjs --write
import Foundation
enum HostEnvSecurityPolicy {
static let blockedInheritedKeys: Set<String> = [
${renderSwiftStringArray(policy.blockedInheritedKeys)}
]
static let blockedInheritedPrefixes: [String] = [
${renderSwiftStringArray(policy.blockedInheritedPrefixes)}
]
static let blockedKeys: Set<String> = [
${renderSwiftStringArray(policy.blockedKeys)}
]
static let blockedOverrideKeys: Set<String> = [
${renderSwiftStringArray(policy.blockedOverrideKeys ?? [])}
]
static let blockedOverridePrefixes: [String] = [
${renderSwiftStringArray(policy.blockedOverridePrefixes ?? [])}
]
static let blockedPrefixes: [String] = [
${renderSwiftStringArray(policy.blockedPrefixes)}
]
}
`;
const current = fs.existsSync(outputPath) ? fs.readFileSync(outputPath, "utf8") : null;
if (checkOnly) {
if (current === generated) {
console.log(`OK ${path.relative(repoRoot, outputPath)}`);
process.exit(0);
}
console.error(
[
`Out of date ${path.relative(repoRoot, outputPath)}.`,
"Run: node scripts/generate-host-env-security-policy-swift.mjs --write",
].join("\n"),
);
process.exit(1);
}
if (writeMode) {
if (current !== generated) {
fs.writeFileSync(outputPath, generated);
}
console.log(`Wrote ${path.relative(repoRoot, outputPath)}`);
}
Reference in New Issue View Git Blame Copy Permalink