ݗi\;dZddlmZddlZddlZddlZddlmZmZddl m Z ddl m Z m Z ddlmZdd lmZmZGd d eZGd d ZGddeZe GddZehdZehdZGddeZGddeZd#dZGddeZGddeZGddeZGdd eZ Gd!d"eZ!y)$u openclaw_mcp.interceptor — Middleware interceptor chain for MCP tool calls. Every tool call entering or leaving OpenClaw passes through this interceptor chain. Bidirectional: - PRE-interceptors: run before dispatch (auth, rate limit, schema, log) - POST-interceptors: run after result (validation, cache, audit, metrics) Failure Evolution Note (fe_003): The GHL MCP sat compiled but unactivated for weeks because Build != Activate. This interceptor chain ensures every tool call is OBSERVABLE. ) annotationsN)ABCabstractmethod) OrderedDict) dataclassfield)Any) MCPToolCall MCPToolResultc4eZdZdZeddZeddZy) Interceptorz.Abstract base class for OpenClaw interceptors.c Kyw)z3Pre-process. Return None to block, call to proceed.Nselfcalls I/mnt/e/genesis-system/genesis-os/packages/openclaw-mcp/src/interceptor.pypre_callzInterceptor.pre_call"  c Kyw)z/Post-process. Return modified/unchanged result.Nrrrresults r post_callzInterceptor.post_call'rrNrr returnzMCPToolCall | Nonerr rr rr )__name__ __module__ __qualname____doc__rrrrrrrs+8    r#rcBeZdZdZddZd dZed dZd dZd dZ y) InterceptorChaina Ordered chain of interceptors applied to every tool call. Usage: chain = InterceptorChain() chain.register(AuthInterceptor(whitelist=["genesis-orchestrator"])) chain.register(RateLimitInterceptor()) processed_call = await chain.run_pre(call) if processed_call is None: return error_response("Blocked by interceptor chain") result = await dispatch(processed_call) final_result = await chain.run_post(processed_call, result) cg|_yN) _interceptorsrs r__init__zInterceptorChain.__init__As 02r#c:|jj|y)z+Add an interceptor to the end of the chain.N)r(append)r interceptors rregisterzInterceptorChain.registerDs !!+.r#c,t|jSr')listr(r)s r interceptorszInterceptorChain.interceptorsHsD&&''r#crK|}|jD]}|y|j|d{}!|S7w)zz Run all pre-interceptors in registration order. Returns None if any interceptor blocks the call. N)r(r)rrcurrentr-s rrun_prezInterceptorChain.run_preLsI '+-- :K'0099G ::s *75 7clK|}|jD]}|j||d{}|S7w)zn Run all post-interceptors in registration order. Returns (possibly modified) result. N)r(r)rrrr3r-s rrun_postzInterceptorChain.run_postXsD -- AK'11$@@G AAs '42 4NrNone)r-rrr8)rzlist[Interceptor]rr) rr r!r"r*r.propertyr1r4r6rr#rr%r%1s/ 3/(( r#r%c*eZdZdZdddZddZd dZy) AuthInterceptorz Verify agent has permission to invoke the requested tool. Checks agent_id against whitelist. If whitelist is empty, all agents allowed. Nc(|xsg|_||_yr') whitelistsecret)rr=r>s rr*zAuthInterceptor.__init__ms"b r#c\K|js|S|j|jvr|Sywr')r=agent_idrs rrzAuthInterceptor.pre_callqs*~~K ==DNN *Ks*,cK|Swr'rrs rrzAuthInterceptor.post_callx  )N)r=zlist[str] | Noner>strrr8rrrr r!r"r*rrrr#rr;r;gs r#r;c@eZdZUdZeeZded<dd dZd dZ y) _RateLimitBucketz)Sliding window counter for rate limiting.)default_factoryz list[float]callsctj}||z }|jDcgc] }||kDs | c}|_t|jScc}wr')timerJlen)rwindow_secondsnowcutoffts rcount_in_windowz _RateLimitBucket.count_in_windowsFiik~%!%:Aq6za: 4::;s AAc^|jjtjyr')rJr,rLr)s rrecordz_RateLimitBucket.records $))+&r#N)gN@)rNfloatrintr7) rr r!r"rr0rJ__annotations__rRrTrr#rrHrHs3t4E;4 'r#rH>db_writegit_push db_delete file_write file_deleteplaywright_clickplaywright_navigate>db_read cache_get file_read health_checkcNeZdZdZ d d dZd dZd dZd dZd dZy)RateLimitInterceptorz Enforce per-agent + per-tool rate limits via sliding window. - Default: 100 calls/minute per agent - Expensive tools (browser, DB writes): 20 calls/minute - Free tools (read-only, cached): 1000 calls/minute c<||_||_||_i|_yr') default_limitexpensive_limit free_limit_buckets)rrfrgrhs rr*zRateLimitInterceptor.__init__s" +.$57 r#cj|tvr |jS|tvr |jS|jSr')EXPENSIVE_TOOLSrg FREE_TOOLSrhrf)r tool_names r _get_limitzRateLimitInterceptor._get_limits4  ''' '  "?? "!!!r#c8|jd|jS)N:)r@rmrs r _bucket_keyz RateLimitInterceptor._bucket_keys--$..!122r#cK|j|}||jvrt|j|<|j|}|j|j}|j |k\ry|j |Swr')rqrirHrnrmrRrT)rrkeybucketlimits rrzRateLimitInterceptor.pre_callsut$ dmm #!1!3DMM# s#/  ! ! #u ,  sBB cK|Swr'rrs rrzRateLimitInterceptor.post_callrBrCN)d)rfrVrgrVrhrVrr8)rmrErrVrr rrErr) rr r!r"r*rnrqrrrr#rrdrdsQ!! 8 8 8 8  8"3 r#rdc2eZdZdZdddZd dZd dZd dZy) SchemaInterceptorzl Validate tool arguments against registered schemas. Schemas are loaded from the tool registry. Nc|xsi|_yr'_schemas)rschemass rr*zSchemaInterceptor.__init__s  2 r#c"||j|<yr'r~)rrmschemas rregister_schemaz!SchemaInterceptor.register_schemas#) i r#cnK|jj|j}||S|jdg}|D]}||jvsy|jdi}|jj D]/\}}||vs ||jd}|s"t ||r/y|Sw)Nrequired propertiestype)rgetrm argumentsitems _check_type)rrrr field_namervalue expected_types rrzSchemaInterceptor.pre_calls""4>>2 >K::j"-" J/  ZZ b1 !%!5!5!7 JZ' *: 6 : :6 B  UM)J   sAB59B5 B5# B50B5cK|Swr'rrs rrzSchemaInterceptor.post_callrBrCr')rzdict[str, dict] | Nonerr8)rmrErdictrr8rr)rr r!r"r*rrrrr#rr|r|s &**r#r|ctttftttt d}|j |}|yt||S)zSimple JSON schema type check.)stringnumberintegerbooleanarrayobjectT)rErVrUboolr0rr isinstance)rexpectedtype_mapexpected_typess rrrsG, H\\(+N e^ ,,r#c:eZdZdZddZeddZd dZd dZy) LogInterceptorz Log every tool call to an audit queue. In production: Redis pub/sub for real-time audit stream. Here: in-memory list for testability. cg|_yr')_logr)s rr*zLogInterceptor.__init__ s " r#c,t|jSr')r0rr)s rlogzLogInterceptor.logsDIIr#cK|jjd|j|j|jt j d|Sw)Npre)phasecall_idrmr@ts)rr,rrmr@rLrs rrzLogInterceptor.pre_callsE || ))+    sAAc K|jjd|j|j|j|j t j d|Sw)Npost)rrrmerror elapsed_msr)rr,rrmrrrLrs rrzLogInterceptor.post_callsN ||\\ ++))+    sAA!Nr7rz list[dict]rr) rr r!r"r*r9rrrrr#rrrs* # r#rc*eZdZdZdddZddZd dZy) ValidationInterceptorz Apply validation on tool output (post-call only). In production: invokes sunaiva-crypto 9-layer validation. Here: checks for error responses and result size limits. c||_yr')_max_result_bytes)rmax_result_bytess rr*zValidationInterceptor.__init__4s !1r#cK|Swr'rrs rrzValidationInterceptor.pre_call7  rCcK|jtj|jnd}t|j |j kDr/t |j|jdd|jdS|Sw)NrDz!Result exceeds maximum size limit)rrmrrrsunaiva_signature) rjsondumpsrMencoderr rrmr)rrr result_strs rrzValidationInterceptor.post_call:sv28--2KTZZ .QS z  " #d&<&< <  **9!,,"&   sBBN)i@B)rrVrr8rrrFrr#rrr-s 2 r#rc2eZdZdZdddZd dZd dZd dZy) CacheInterceptorzd Cache deterministic tool results. Cache key: SHA256(tool_name + sorted_arguments_json) Ncdt|_||_|xs t|_d|_y)Nry)r_cache _default_ttlset_cacheable_tools _max_entries)r default_ttlcacheable_toolss rr*zCacheInterceptor.__init__Ss*;F= ' / 835 r#c|jdtj|jd}t j |j jS)NrpT) sort_keys)rmrrrhashlibsha256r hexdigest)rrpayloads r _cache_keyzCacheInterceptor._cache_keyYsF^^$Adjj4&P%QR~~gnn./99;;r#c(K|j|jvr|S|j|}||jvrT|j|\}}t j|z |j kr||j d<|S|j|=|Sw)N__cached_result)rmrrrrLrr)rrrs cached_result cached_ats rrzCacheInterceptor.pre_call]s >>!6!6 6Kood# $++ '+{{3'7 $M9yy{Y&):)::5B01  C  sBBcRK|j|jvr|S|j||j|}t |j |j k\r|j jd|jtjf|j |<|Sw)NF)last) rmrrrrMrrpopitemrrL)rrrrss rrzCacheInterceptor.post_callos >>!6!6 6M << //$'C4;;4#4#44 ###/ & tyy{;DKK  sB%B')<N)rrVrzset[str] | Nonerr8rzrr)rr r!r"r*rrrrr#rrrMs ! <$ r#rc:eZdZdZddZeddZd dZd dZy) AuditInterceptorz Write final audit entry for completed tool calls. In production: PostgreSQL write. Here: in-memory for testability. cg|_yr')_entriesr)s rr*zAuditInterceptor.__init__s $& r#c,t|jSr')r0rr)s rentrieszAuditInterceptor.entriessDMM""r#cK|Swr'rrs rrzAuditInterceptor.pre_callrrCc K|jj|j|j|j|j |j du|j|jdu|jd|Sw)N)rrmr@ session_idsuccessrsigned completed_at) rr,rrmr@rrrrrrs rrzAuditInterceptor.post_callsl || //||t+ ++..d:"//   sA;A=Nr7rrr) rr r!r"r*r9rrrrr#rrrs* '## r#rcBeZdZdZddZed dZd dZd dZd dZ y) MetricsInterceptorz Update counters for tool call metrics. In production: Prometheus labels (tool_name, agent_id, status). Here: in-memory counters for testability. ci|_yr') _countersr)s rr*zMetricsInterceptor.__init__s )+r#c,t|jSr')rrr)s rcounterszMetricsInterceptor.counterssDNN##r#c\|jj|ddz|j|<y)Nrr )rr)rrss r_inczMetricsInterceptor._incs&"nn00a81<sr#cK|jd|j|jd|j|Sw)Nz calls_total:zcalls_by_agent:)rrmr@rs rrzMetricsInterceptor.pre_calls: L 012 ODMM?34 s?AcK|jr |jd|j|S|jd|j|Sw)Nz errors_total:zsuccess_total:)rrrmrs rrzMetricsInterceptor.post_callsK << II dnn%56 7  IIt~~&67 8 sA ANr7)rzdict[str, int])rsrErr8rr) rr r!r"r*r9rrrrrr#rrrs/ ,$$= r#r)rr rrErr)"r" __future__rrrrLabcrr collectionsr dataclassesrrtypingr serverr r rr%r;rH frozensetrkrlrdr|rrrrrrrr#rrs # ##(.  #  $//lk2  ' '  ' ,;,f" "J -(![!PK@,{,f{Fr#