MCP v2 PR-1: policy engine + audit log + Config/Audit/Policy panel tabs
Foundation for Claude-drives-the-workspace writes. Nothing wired end-to-end yet (App.tsx dispatcher comes next); this lands the machinery + UI. mcp_policy.rs (new) — three-tier allow/ask/deny policy with deny-first precedence and a compiled-in non-overridable hard-deny list (10 patterns covering rm -rf /, fork bombs, mkfs on device, dd to raw disk, /etc/passwd overwrite, curl|sh, chmod -R 777 /, etc.). Shell-operator-aware glob matcher mirroring Claude Code's Bash(*) syntax. Restrictive default — empty policy means every non-hard- denied call falls to Ask. Persisted to mcp-policy.json in app_config_dir. Includes a PolicyClassifier scaffold (no-op) for a future v2.1 LLM-classifier hook. 1152 lines incl. ~100 unit + fuzz tests covering the matchers and lookalike negatives. mcp.rs — TileService now holds AppHandle + Arc<PendingActions> (oneshot registry keyed by uuid). New async dispatch_action helper runs the policy check, emits "mcp://request" for the frontend to handle, awaits a oneshot reply (30s timeout), then emits "mcp:// audit" with the outcome regardless. set_label tool wired through this path as the demo for PR-1b's dispatcher. commands.rs / lib.rs — new Tauri commands mcp_action_reply, mcp_policy_load, mcp_policy_save; PendingActions registered as managed state. McpPanel.tsx — refactored into Config / Audit / Policy tabs. AuditTab listens on mcp://audit, keeps a 200-entry ring with ok/denied/failed chips. PolicyTab edits the allow/ask/deny buckets (stacked vertically — three columns overflowed the panel) and shows the hard-deny rules read-only at the bottom with "Cannot be disabled" badges. Themed scrollbar on mcp-body to match xterm panes. Caveat: set_label calls from Claude will currently time out — the App.tsx side that listens on mcp://request and replies via mcp_action_reply lands in PR-1b. Co-authored by Sonnet (policy engine, backend plumbing, panel UI) and Haiku (hard-deny fuzz test suite); integration + bug fixes here.
This commit is contained in:
parent
b14b450577
commit
464c576b79
11 changed files with 2512 additions and 144 deletions
|
|
@ -32,12 +32,67 @@
|
|||
}
|
||||
.mcp-close:hover { background: #2a2a2a; color: #ddd; }
|
||||
|
||||
/* ---- Tab bar ------------------------------------------------------------ */
|
||||
|
||||
.mcp-tabs {
|
||||
display: flex;
|
||||
gap: 0;
|
||||
border-bottom: 1px solid #2a2a2a;
|
||||
padding: 0 10px;
|
||||
}
|
||||
|
||||
.mcp-tab {
|
||||
position: relative;
|
||||
font: inherit;
|
||||
font-family: inherit;
|
||||
font-size: 11px;
|
||||
font-weight: 500;
|
||||
letter-spacing: 0.04em;
|
||||
background: transparent;
|
||||
color: #777;
|
||||
border: none;
|
||||
border-bottom: 2px solid transparent;
|
||||
padding: 7px 12px 5px;
|
||||
cursor: pointer;
|
||||
transition: color 0.1s, border-color 0.1s;
|
||||
}
|
||||
.mcp-tab:hover { color: #bbb; }
|
||||
.mcp-tab--active {
|
||||
color: #cce6ff;
|
||||
border-bottom-color: #4488cc;
|
||||
}
|
||||
|
||||
/* Unread dot badge on the Audit tab */
|
||||
.mcp-tab-badge {
|
||||
display: inline-block;
|
||||
width: 6px;
|
||||
height: 6px;
|
||||
border-radius: 50%;
|
||||
background: #d8a040;
|
||||
vertical-align: middle;
|
||||
margin-left: 5px;
|
||||
margin-bottom: 1px;
|
||||
}
|
||||
|
||||
/* ---- Body --------------------------------------------------------------- */
|
||||
|
||||
.mcp-body {
|
||||
padding: 14px 18px;
|
||||
overflow-y: auto;
|
||||
font-size: 12px;
|
||||
line-height: 1.45;
|
||||
scrollbar-width: thin;
|
||||
scrollbar-color: #2a2a2a transparent;
|
||||
}
|
||||
.mcp-body::-webkit-scrollbar { width: 8px; height: 8px; }
|
||||
.mcp-body::-webkit-scrollbar-track { background: transparent; }
|
||||
.mcp-body::-webkit-scrollbar-thumb {
|
||||
background: #2a2a2a;
|
||||
border-radius: 4px;
|
||||
border: 1px solid #1a1a1a;
|
||||
}
|
||||
.mcp-body::-webkit-scrollbar-thumb:hover { background: #3a3a3a; }
|
||||
.mcp-body::-webkit-scrollbar-corner { background: transparent; }
|
||||
|
||||
.mcp-blurb {
|
||||
color: #aaa;
|
||||
|
|
@ -189,3 +244,355 @@
|
|||
}
|
||||
.mcp-security strong { color: #d8a040; }
|
||||
.mcp-security em { color: #d88; font-style: normal; }
|
||||
|
||||
/* =========================================================================
|
||||
Audit tab
|
||||
========================================================================= */
|
||||
|
||||
.audit-tab {
|
||||
display: flex;
|
||||
flex-direction: column;
|
||||
gap: 8px;
|
||||
}
|
||||
|
||||
.audit-toolbar {
|
||||
display: flex;
|
||||
align-items: center;
|
||||
justify-content: flex-end;
|
||||
gap: 8px;
|
||||
min-height: 24px;
|
||||
}
|
||||
|
||||
.audit-unread {
|
||||
font-size: 10px;
|
||||
color: #d8a040;
|
||||
margin-right: auto;
|
||||
}
|
||||
|
||||
.audit-clear {
|
||||
font: inherit;
|
||||
font-family: inherit;
|
||||
font-size: 11px;
|
||||
background: #222;
|
||||
color: #aac;
|
||||
border: 1px solid #2a2a3a;
|
||||
border-radius: 3px;
|
||||
padding: 2px 10px;
|
||||
cursor: pointer;
|
||||
}
|
||||
.audit-clear:hover:not(:disabled) { background: #2a2a3a; color: #ccd; }
|
||||
.audit-clear:disabled { opacity: 0.4; cursor: default; }
|
||||
|
||||
.audit-empty {
|
||||
color: #666;
|
||||
font-style: italic;
|
||||
font-size: 11px;
|
||||
margin: 12px 0;
|
||||
}
|
||||
|
||||
.audit-table {
|
||||
width: 100%;
|
||||
border-collapse: collapse;
|
||||
font-size: 11px;
|
||||
}
|
||||
.audit-table th {
|
||||
text-align: left;
|
||||
font-size: 10px;
|
||||
text-transform: uppercase;
|
||||
letter-spacing: 0.07em;
|
||||
color: #666;
|
||||
padding: 0 6px 4px;
|
||||
border-bottom: 1px solid #2a2a2a;
|
||||
}
|
||||
.audit-table td {
|
||||
padding: 2px 6px;
|
||||
vertical-align: top;
|
||||
border-bottom: 1px solid #1c1c1c;
|
||||
}
|
||||
|
||||
/* Row tinting */
|
||||
.audit-row--ok td { background: rgba(80, 200, 80, 0.04); }
|
||||
.audit-row--denied td { background: rgba(220, 60, 60, 0.06); }
|
||||
.audit-row--failed td { background: rgba(220, 140, 30, 0.06); }
|
||||
|
||||
.audit-cell--time {
|
||||
font-size: 10px;
|
||||
color: #666;
|
||||
white-space: nowrap;
|
||||
font-family: inherit;
|
||||
}
|
||||
.audit-cell--tool {
|
||||
color: #cce6ff;
|
||||
white-space: nowrap;
|
||||
}
|
||||
.audit-cell--args {
|
||||
color: #aaa;
|
||||
max-width: 200px;
|
||||
overflow: hidden;
|
||||
text-overflow: ellipsis;
|
||||
white-space: nowrap;
|
||||
}
|
||||
.audit-cell--result {
|
||||
white-space: nowrap;
|
||||
}
|
||||
.audit-errmsg {
|
||||
color: #888;
|
||||
font-size: 10px;
|
||||
max-width: 150px;
|
||||
overflow: hidden;
|
||||
text-overflow: ellipsis;
|
||||
white-space: nowrap;
|
||||
display: inline-block;
|
||||
vertical-align: middle;
|
||||
}
|
||||
.audit-cell--dur {
|
||||
color: #777;
|
||||
text-align: right;
|
||||
white-space: nowrap;
|
||||
}
|
||||
|
||||
/* Result chips */
|
||||
.audit-chip {
|
||||
display: inline-block;
|
||||
font-size: 10px;
|
||||
font-weight: 600;
|
||||
padding: 1px 5px;
|
||||
border-radius: 3px;
|
||||
vertical-align: middle;
|
||||
}
|
||||
.audit-chip--ok { background: #1a3a1a; color: #80e080; border: 1px solid #2a5a2a; }
|
||||
.audit-chip--denied { background: #3a1a1a; color: #e06060; border: 1px solid #5a2a2a; }
|
||||
.audit-chip--failed { background: #3a2a10; color: #d8a040; border: 1px solid #5a4a20; }
|
||||
.audit-chip--denied em { font-style: italic; color: #c04040; margin-left: 3px; }
|
||||
|
||||
/* =========================================================================
|
||||
Policy tab
|
||||
========================================================================= */
|
||||
|
||||
.policy-tab {
|
||||
display: flex;
|
||||
flex-direction: column;
|
||||
gap: 14px;
|
||||
}
|
||||
|
||||
.policy-loading {
|
||||
color: #777;
|
||||
font-style: italic;
|
||||
font-size: 11px;
|
||||
}
|
||||
|
||||
.policy-toolbar {
|
||||
display: flex;
|
||||
align-items: flex-start;
|
||||
gap: 10px;
|
||||
}
|
||||
|
||||
.policy-hint {
|
||||
flex: 1 1 auto;
|
||||
color: #888;
|
||||
font-size: 11px;
|
||||
font-style: italic;
|
||||
margin: 0;
|
||||
line-height: 1.45;
|
||||
}
|
||||
|
||||
.policy-save-area {
|
||||
display: flex;
|
||||
align-items: center;
|
||||
gap: 8px;
|
||||
flex-shrink: 0;
|
||||
}
|
||||
|
||||
.policy-save-error {
|
||||
color: #e06060;
|
||||
font-size: 10px;
|
||||
max-width: 150px;
|
||||
}
|
||||
|
||||
.policy-save-btn {
|
||||
font: inherit;
|
||||
font-family: inherit;
|
||||
font-size: 11px;
|
||||
font-weight: 600;
|
||||
background: #1a3a1a;
|
||||
color: #80e080;
|
||||
border: 1px solid #2a6a2a;
|
||||
border-radius: 3px;
|
||||
padding: 4px 14px;
|
||||
cursor: pointer;
|
||||
}
|
||||
.policy-save-btn:hover:not(:disabled) { background: #225a22; }
|
||||
.policy-save-btn:disabled { opacity: 0.4; cursor: default; }
|
||||
|
||||
.policy-buckets {
|
||||
display: flex;
|
||||
flex-direction: column;
|
||||
gap: 10px;
|
||||
}
|
||||
|
||||
.policy-bucket {
|
||||
background: #111;
|
||||
border: 1px solid #2a2a2a;
|
||||
border-radius: 4px;
|
||||
padding: 8px 10px;
|
||||
display: flex;
|
||||
flex-direction: column;
|
||||
gap: 6px;
|
||||
}
|
||||
.policy-bucket--deny { border-color: #3a2020; }
|
||||
.policy-bucket--ask { border-color: #3a3020; }
|
||||
.policy-bucket--allow { border-color: #1a2a1a; }
|
||||
|
||||
.policy-bucket-header {
|
||||
font-size: 10px;
|
||||
text-transform: uppercase;
|
||||
letter-spacing: 0.07em;
|
||||
color: #888;
|
||||
padding-bottom: 4px;
|
||||
border-bottom: 1px solid #2a2a2a;
|
||||
}
|
||||
.policy-bucket--deny .policy-bucket-header { color: #c06060; }
|
||||
.policy-bucket--ask .policy-bucket-header { color: #c09040; }
|
||||
.policy-bucket--allow .policy-bucket-header { color: #60a060; }
|
||||
|
||||
.policy-rule-list {
|
||||
list-style: none;
|
||||
margin: 0;
|
||||
padding: 0;
|
||||
display: flex;
|
||||
flex-direction: column;
|
||||
gap: 3px;
|
||||
min-height: 24px;
|
||||
}
|
||||
|
||||
.policy-rule-empty {
|
||||
color: #555;
|
||||
font-size: 11px;
|
||||
padding: 2px 0;
|
||||
}
|
||||
|
||||
.policy-rule {
|
||||
display: flex;
|
||||
align-items: center;
|
||||
gap: 4px;
|
||||
}
|
||||
|
||||
.policy-rule-text {
|
||||
flex: 1 1 auto;
|
||||
font-family: inherit;
|
||||
font-size: 11px;
|
||||
color: #ccc;
|
||||
overflow: hidden;
|
||||
text-overflow: ellipsis;
|
||||
white-space: nowrap;
|
||||
}
|
||||
|
||||
.policy-rule-remove {
|
||||
background: transparent;
|
||||
border: none;
|
||||
color: #666;
|
||||
font-size: 14px;
|
||||
line-height: 1;
|
||||
padding: 0 3px;
|
||||
cursor: pointer;
|
||||
border-radius: 2px;
|
||||
flex-shrink: 0;
|
||||
}
|
||||
.policy-rule-remove:hover { color: #e06060; background: #2a1a1a; }
|
||||
|
||||
.policy-add-row {
|
||||
display: flex;
|
||||
gap: 4px;
|
||||
margin-top: 2px;
|
||||
}
|
||||
|
||||
.policy-add-input {
|
||||
flex: 1 1 auto;
|
||||
font: inherit;
|
||||
font-family: inherit;
|
||||
font-size: 11px;
|
||||
color: #ddd;
|
||||
background: #0c0c0c;
|
||||
border: 1px solid #2a2a2a;
|
||||
border-radius: 3px;
|
||||
padding: 3px 6px;
|
||||
outline: none;
|
||||
min-width: 0;
|
||||
}
|
||||
.policy-add-input:focus { border-color: #4488cc; }
|
||||
|
||||
.policy-add-btn {
|
||||
font: inherit;
|
||||
font-family: inherit;
|
||||
font-size: 11px;
|
||||
background: #222;
|
||||
color: #aac;
|
||||
border: 1px solid #2a2a3a;
|
||||
border-radius: 3px;
|
||||
padding: 0 8px;
|
||||
cursor: pointer;
|
||||
flex-shrink: 0;
|
||||
}
|
||||
.policy-add-btn:hover:not(:disabled) { background: #2a2a3a; color: #ccd; }
|
||||
.policy-add-btn:disabled { opacity: 0.4; cursor: default; }
|
||||
|
||||
/* Hard-deny section */
|
||||
.policy-hard-deny {
|
||||
background: #0e0e0e;
|
||||
border: 1px solid #222;
|
||||
border-radius: 4px;
|
||||
padding: 10px 12px;
|
||||
}
|
||||
|
||||
.policy-hard-deny-header {
|
||||
font-size: 10px;
|
||||
font-variant: small-caps;
|
||||
letter-spacing: 0.1em;
|
||||
color: #666;
|
||||
margin-bottom: 6px;
|
||||
text-transform: lowercase;
|
||||
}
|
||||
|
||||
.policy-hard-deny-list {
|
||||
list-style: none;
|
||||
margin: 0;
|
||||
padding: 0;
|
||||
display: flex;
|
||||
flex-direction: column;
|
||||
gap: 4px;
|
||||
}
|
||||
|
||||
.policy-hard-deny-rule {
|
||||
display: flex;
|
||||
align-items: center;
|
||||
gap: 8px;
|
||||
font-size: 11px;
|
||||
}
|
||||
.policy-hard-deny-rule code {
|
||||
font-family: inherit;
|
||||
color: #888;
|
||||
background: #0c0c0c;
|
||||
padding: 1px 5px;
|
||||
border-radius: 2px;
|
||||
border: 1px solid #1e1e1e;
|
||||
flex-shrink: 0;
|
||||
}
|
||||
|
||||
.policy-hard-deny-badge {
|
||||
font-size: 9px;
|
||||
text-transform: uppercase;
|
||||
letter-spacing: 0.06em;
|
||||
color: #555;
|
||||
border: 1px solid #2a2a2a;
|
||||
border-radius: 3px;
|
||||
padding: 1px 5px;
|
||||
white-space: nowrap;
|
||||
}
|
||||
|
||||
.policy-hard-deny-footnote {
|
||||
font-size: 10px;
|
||||
font-style: italic;
|
||||
color: #555;
|
||||
margin: 8px 0 0;
|
||||
line-height: 1.4;
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue