fix: authorizeBasic must match unconstrained policies

clawdreyhepburn · clawdreyhepburn · commit c82b3858c013 · 2026-03-24T07:56:00.000-07:00
A permit(principal, action, resource) policy with no == constraints
should match all requests (Cedar semantics). The string-match fallback
was only matching policies containing the exact resource ID string,
causing permit-all to never match.
diff --git a/openclaw.plugin.json b/openclaw.plugin.json
@@ -2,7 +2,7 @@
   "id": "carapace",
   "name": "Carapace",
   "description": "Cedar policy enforcement for agent tool access via before_tool_call hook. Your agent's exoskeleton.",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "configSchema": {
     "type": "object",
     "additionalProperties": true,
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@clawdreyhepburn/carapace",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "description": "Cedar policy enforcement for agent tool access via OpenClaw's before_tool_call hook.",
   "license": "Apache-2.0",
   "type": "module",
diff --git a/src/cedar-engine-cedarling.ts b/src/cedar-engine-cedarling.ts
@@ -627,10 +627,21 @@ export class CedarlingEngine {
     let hasForbid = false;
     const reasons: string[] = [];
 
+    const principalId = request.principal;
+    const actionId = request.action;
+    const resourceId = request.resource;
+
     for (const [id, policy] of this.policies) {
-      // Simple: check if resource appears in the policy
-      const resourceId = request.resource.replace(/.*::"/g, "").replace(/"$/, "");
-      if (!policy.raw.includes(`"${resourceId}"`)) continue;
+      // Parse constraints from raw policy text
+      const hasPrincipalConstraint = /principal\s*==/.test(policy.raw);
+      const hasActionConstraint = /action\s*==/.test(policy.raw);
+      const hasResourceConstraint = /resource\s*==/.test(policy.raw);
+
+      // Check if this policy matches the request
+      // Unconstrained fields match everything (Cedar semantics)
+      if (hasPrincipalConstraint && !policy.raw.includes(principalId)) continue;
+      if (hasActionConstraint && !policy.raw.includes(actionId)) continue;
+      if (hasResourceConstraint && !policy.raw.includes(resourceId)) continue;
 
       if (policy.effect === "forbid") {
         hasForbid = true;

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@clawdreyhepburn/carapace",`
`3`		`- "version": "1.0.3",`
	`3`	`+ "version": "1.0.4",`
`4`	`4`	`"description": "Cedar policy enforcement for agent tool access via OpenClaw's before_tool_call hook.",`
`5`	`5`	`"license": "Apache-2.0",`
`6`	`6`	`"type": "module",`