feat(extensions): add Sondera policy guardrails [AI-assisted] #8448
Closed
joshdevon wants to merge 26 commits into openclaw:main from
Conversation
Author
Greptile Issues Addressed

Fixed in commits ead6622 and 96cb792:
Also replaced regex-based Cedar policy parsing with native APIs to properly handle nested braces and complex expressions.
Adds the Sondera extension which provides deterministic Cedar policy guardrails for OpenClaw agents. Evaluates policies before tool execution (PRE_TOOL) and redacts sensitive output (POST_TOOL).
- 41-rule Sondera base pack (dangerous commands, RCE, sensitive files)
- 24-rule OpenClaw system protection pack
- 38-rule OWASP Agentic pack (opt-in)
- Lockdown mode for block-by-default operation
- Custom rules support via config UI or expert mode file
- Change evaluator to fail-closed: only explicit "allow" permits
- Handle lockdown mode with no policy packs (Cedar default-deny)
- Add debug logging for config initialization
- Fix syntax error in policy-sondera-base.cedar
Replace regex-based policy parsing with Cedar's native policySetTextToParts() and policyToJson() APIs. The regex [^}]* stops at the first } character, breaking policies with } in string patterns (e.g., like "*}*").
- evaluator.ts: Use policySetTextToParts() for robust parsing
- validate-cedar.ts: Use checkParsePolicySet() for validation
- Add error handling for parse failures
Fixes Greptile P0: regex truncation issue
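The commit above replaces a `[^}]*` regex with Cedar's own parser. The following is an added example, not code from the Sondera extension or from Cedar: it reproduces the truncation bug with a regex of that shape and contrasts it with a brace-aware scanner that respects string literals, backslash escapes and `//` comments. The sample policy set and rules are constructed for illustration; the scanner is only a demonstration of why a regex cannot split Cedar text, and a real evaluator should keep using `policySetTextToParts()` / `checkParsePolicySet()` from `@cedar-policy/cedar-wasm`.

```typescript
// Added example (not Sondera's or Cedar's code): regex vs. brace-aware splitting
// of a Cedar policy set. Real parsing belongs to @cedar-policy/cedar-wasm.

interface PolicyPart {
  effect: "permit" | "forbid";
  text: string;
}

// Constructed sample (hypothetical rules, not from a Sondera pack).
// The second forbid carries a "}" inside its string pattern.
const SAMPLE_POLICY_SET = `
// block destructive shell commands
forbid(principal, action == Action::"exec", resource)
when { resource.command like "rm -rf *" };

// a pattern that contains a closing brace
forbid(principal, action == Action::"exec", resource)
when { resource.command like "*}*" };

permit(principal, action == Action::"read", resource);
`;

// The naive approach: [^}]* stops at the first "}", so a "}" inside a string
// literal ends the "when" block early, the trailing ";" is never found, and the
// whole policy is silently skipped.
function splitWithRegex(text: string): PolicyPart[] {
  const re = /\b(permit|forbid)\s*\([^)]*\)\s*(?:when\s*\{[^}]*\})?\s*;/g;
  const parts: PolicyPart[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) {
    parts.push({ effect: m[1] as "permit" | "forbid", text: m[0] });
  }
  return parts;
}

// Brace-aware scan: tracks string literals (with backslash escapes), // comments
// and brace depth, and ends a policy only at a ";" outside all of those.
function splitPolicySet(text: string): PolicyPart[] {
  const parts: PolicyPart[] = [];
  let depth = 0;
  let inString = false;
  let inComment = false;
  let start = -1; // offset of the current policy's first character, -1 between policies

  for (let i = 0; i < text.length; i++) {
    const c = text.charAt(i);
    if (inComment) {
      if (c === "\n") inComment = false;
      continue;
    }
    if (inString) {
      if (c === "\\") i++;               // skip the escaped character
      else if (c === '"') inString = false;
      continue;
    }
    if (c === "/" && text.charAt(i + 1) === "/") {
      inComment = true;
      i++;
      continue;
    }
    if (start < 0) {
      if (/\s/.test(c)) continue;        // whitespace between policies
      start = i;
    }
    if (c === '"') {
      inString = true;
    } else if (c === "{") {
      depth++;
    } else if (c === "}") {
      if (depth === 0) throw new Error(`unbalanced "}" at offset ${i}`);
      depth--;
    } else if (c === ";" && depth === 0) {
      const stmt = text.slice(start, i + 1);
      const effect = stmt.indexOf("permit") === 0 ? "permit"
        : stmt.indexOf("forbid") === 0 ? "forbid" : null;
      if (effect === null) throw new Error(`policy must start with permit/forbid at offset ${start}`);
      parts.push({ effect, text: stmt });
      start = -1;
    }
  }
  if (inString || depth !== 0 || start >= 0) throw new Error("unterminated policy at end of input");
  return parts;
}

// Parse failures must never yield a half-loaded policy set; the caller treats
// { ok: false } as deny-all instead of running with whatever was recognised.
type LoadResult = { ok: true; parts: PolicyPart[] } | { ok: false; error: string };
function loadPolicySet(text: string): LoadResult {
  try {
    return { ok: true, parts: splitPolicySet(text) };
  } catch (err) {
    return { ok: false, error: err instanceof Error ? err.message : String(err) };
  }
}
```

On the sample, `splitWithRegex` returns two policies and drops the `"*}*"` forbid without any error, which is exactly the failure mode the commit describes: a guardrail that is present in the file but absent at evaluation time. `splitPolicySet` returns all three, and `loadPolicySet("")` yields an empty set, which is the deny-everything input lockdown mode relies on.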
- Lockdown mode: use empty policy set (Cedar implicit deny) instead of comment
- Add optional chaining to all logger.debug calls
- Use naming convention to identify redaction policies (sondera-redact-*, owasp-redact-*)
- Guard wrapToolForHooks against tools without execute function
- Remove unused catch parameter `err` in index.ts (3 instances)
- Rename unused `ctx` parameters to `_ctx` in hook callbacks
- Add curly braces to single-line if statement in evaluator.ts
- Use proper TypeScript types instead of `any` in wrapToolForHooks
- Fix template literal with unknown error type
…errors
The previous change to use `unknown` types broke type compatibility with AnyAgentTool and ToolDefinition. Using `any` with explicit oxlint-disable comments is appropriate here since we're wrapping tools with varying signatures.
On Windows, `new URL(import.meta.url).pathname` returns `/C:/path/...` with a leading slash. When used with path.resolve, this creates invalid paths like `C:\C:\...`. Using fileURLToPath from the url module correctly handles cross-platform path conversion.
Add Sondera fork installation instructions with PR openclaw#8448 reference. Matches blog post and Sondera docs for consistent guidance until hooks are merged into mainline OpenClaw.
Resolve merge conflicts in pnpm-lock.yaml and src/agents/pi-embedded-runner/run/attempt.ts
- Remove duplicate hookRunner declaration in attempt.ts
- Cast EvaluationContext to Cedar's Context type in evaluator.ts
- Guard against AgentMessage variants without content in index.ts
The formal_conformance job fails on fork PRs because GitHub restricts the GITHUB_TOKEN to read-only for pull_request events from forks. Add continue-on-error to the comment step so the job succeeds gracefully — the drift artifact is still uploaded regardless.
The inferred return type of getSlackSlashMocks references @vitest/spy internals which are not portable under pnpm strict node_modules. Add an explicit return type annotation to prevent the error.
- exec-approvals: add stripUndefinedFields to send.shared mock
- discord actions: remove stale loadHandleDiscordMessageAction call
- web/media: pass explicit localRoots to avoid os.tmpdir() overlap
# Conflicts:
#	src/discord/monitor/exec-approvals.test.ts
#	src/slack/monitor/slash.test-harness.ts
On CI (Linux), file writes within the same second share the same mtime. The session store cache uses mtime to detect stale entries, so when a previous test caches the empty store and this test writes new data in the same second, loadSessionStore returns stale cached data. Clear the cache in beforeEach to ensure each test reads fresh data.
On Windows, path.resolve("/tmp/...") produces "C:\tmp\..." which doesn't match hardcoded Unix paths. Use path.resolve() in the expected values so the test passes on all platforms.
Please make this as a third-party plugin that you maintain yourself in your own repo. Docs: https://docs.openclaw.ai/plugin. Feel free to open a PR after to add it to our community plugins page: https://docs.openclaw.ai/plugins/community
Summary
Adds Sondera, a Cedar-based policy guardrails extension that enforces deterministic security rules on tool calls before they execute.
(38)
rm -rf, sudo, reverse shells), credential access, and data exfiltration
permit rules allow actions
Built by Sondera, powered by Cedar (AWS's policy language).
Related Work
This extension depends on plugin hooks landing. Complementary to the ongoing security work:
before_tool_call/after_tool_call hooks)

AI Disclosure 🤖
Test Plan
openclaw plugins install @openclaw/sondera
sudo whoami in a session → "Blocked by Sondera policy"

Greptile Overview
Greptile Summary
This PR adds the new extensions/sondera plugin, which evaluates Cedar policies (via @cedar-policy/cedar-wasm) to block risky tool calls pre-execution and redact sensitive tool outputs when persisting results. It also wires tool-call enforcement into the embedded runner by wrapping tool execute() to run before_tool_call hooks and throw a dedicated ToolBlockedError on blocks.

The extension is integrated using the existing plugin hook system (before_tool_call, after_tool_call, tool_result_persist) and exposes configuration (policy packs, lockdown mode, custom rules/path) via openclaw.plugin.json schema/UI hints.

Main issues to address before merge are around Cedar policy parsing robustness (regex-based parsing can skip/truncate real policies), edge cases in lockdown mode policy construction, and a couple of logger calls that can throw when debug isn't present.

Confidence Score: 2/5

when { ... } blocks, and lockdown mode can feed comment-only text as a "policy," both of which can lead to missing rules or inconsistent behavior. There are also a couple of runtime footguns (logger debug calls without optional chaining; tool wrapping assumes execute exists) that can break hooks/session runs. (2/5)
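The fail-closed evaluator change, the lockdown-mode empty policy set, the guard for tools without an execute function and the execute() wrapping that the Greptile summary describes all come down to one wrapper shape. The following is an added example, not code from the extension or from OpenClaw: the rule objects stand in for a Cedar evaluation (hypothetical; the real plugin evaluates Cedar policies through @cedar-policy/cedar-wasm), the AgentTool shape and the redaction patterns are constructed, and execute() is synchronous here for brevity.

```typescript
// Added example (not Sondera's or OpenClaw's code): a PRE_TOOL / POST_TOOL
// wrapper with fail-closed semantics around a stand-in for Cedar evaluation.

interface ToolCall {
  name: string;
  args: Record<string, unknown>;
}

// Hypothetical tool shape; only name and an optional execute() matter here.
interface AgentTool {
  name: string;
  execute?: (args: Record<string, unknown>) => unknown;
}

// Stand-in for a Cedar policy: an effect plus a predicate over the call.
interface Rule {
  effect: "permit" | "forbid";
  matches: (call: ToolCall) => boolean;
}

interface Verdict {
  decision: "allow" | "deny";
  reason: string;
}

class ToolBlockedError extends Error {
  constructor(public readonly tool: string, reason: string) {
    super(`Blocked by Sondera policy: ${tool}: ${reason}`);
    this.name = "ToolBlockedError";
  }
}

// Cedar-style outcome: a matching forbid always wins; otherwise an explicit
// permit is required; no rules at all (lockdown mode) means deny; and an
// exception inside evaluation is a deny, never an allow.
function evaluate(rules: Rule[], call: ToolCall): Verdict {
  try {
    if (rules.some((r) => r.effect === "forbid" && r.matches(call))) {
      return { decision: "deny", reason: "forbid rule matched" };
    }
    if (rules.some((r) => r.effect === "permit" && r.matches(call))) {
      return { decision: "allow", reason: "permit rule matched" };
    }
    return { decision: "deny", reason: "no permit rule matched (default deny)" };
  } catch (err) {
    const msg = err instanceof Error ? err.message : String(err);
    return { decision: "deny", reason: `evaluator error: ${msg}` };
  }
}

// Constructed redaction patterns for the POST_TOOL step (illustrative only).
const REDACTORS: RegExp[] = [
  /AKIA[0-9A-Z]{16}/g,                // AWS access key id shape
  /Bearer\s+[A-Za-z0-9._~+/-]+=*/g,   // bearer tokens
];

function redact(output: unknown): unknown {
  if (typeof output !== "string") return output;
  return REDACTORS.reduce((s, re) => s.replace(re, "[REDACTED]"), output);
}

// Wrap a tool so the policy check runs before execute() and redaction after.
// A tool without an execute function is returned untouched rather than wrapped.
function wrapToolForHooks(tool: AgentTool, rules: Rule[]): AgentTool {
  const original = tool.execute;
  if (typeof original !== "function") return tool;
  return {
    ...tool,
    execute(args: Record<string, unknown>) {
      const verdict = evaluate(rules, { name: tool.name, args });
      if (verdict.decision !== "allow") {
        throw new ToolBlockedError(tool.name, verdict.reason);
      }
      return redact(original(args));
    },
  };
}

// Constructed sample rules in the spirit of the base pack: forbid destructive
// or shell-escaping commands and reads of secret files; permit everything else.
const cmd = (call: ToolCall): string => String(call.args.command ?? "");
const filePath = (call: ToolCall): string => String(call.args.path ?? "");
const BASE_RULES: Rule[] = [
  { effect: "forbid", matches: (c) => c.name === "exec" && /(^|\s)(rm\s+-rf|sudo)(\s|$)/.test(cmd(c)) },
  { effect: "forbid", matches: (c) => c.name === "exec" && /\/dev\/tcp\//.test(cmd(c)) },
  { effect: "forbid", matches: (c) => c.name === "read" && /(^|\/)(\.ssh\/|\.env$)/.test(filePath(c)) },
  { effect: "permit", matches: (c) => c.name === "exec" || c.name === "read" },
];
```

Two properties are worth checking when reviewing the real wrapper: `evaluate([], call)` must deny (an empty policy set is what lockdown mode should produce, not a comment), and a throwing predicate must also deny, since an evaluator that treats its own exception as "not blocked" is fail-open.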