synapse-core 0.8.5

A neuro-symbolic semantic engine for OpenClaw, combining graph databases with vector operations.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132

use std::collections::HashMap;
use std::sync::RwLock;

/// Namespace access control
#[derive(Debug, Clone)]
pub struct NamespacePermission {
    pub read: bool,
    pub write: bool,
    pub delete: bool,
    pub reason: bool,
}

impl Default for NamespacePermission {
    fn default() -> Self {
        Self {
            read: true,
            write: true,
            delete: true,
            reason: true,
        }
    }
}

/// Auth layer for namespace-based access control
pub struct NamespaceAuth {
    /// Token -> (namespace patterns, permissions)
    tokens: RwLock<HashMap<String, (Vec<String>, NamespacePermission)>>,
    /// Allow unauthenticated access to "default" namespace
    pub allow_anonymous_default: bool,
}

impl Default for NamespaceAuth {
    fn default() -> Self {
        Self::new()
    }
}

impl NamespaceAuth {
    pub fn new() -> Self {
        Self {
            tokens: RwLock::new(HashMap::new()),
            allow_anonymous_default: true,
        }
    }

    /// Register a token with access to specific namespaces
    pub fn register_token(
        &self,
        token: &str,
        namespaces: Vec<String>,
        permissions: NamespacePermission,
    ) {
        let mut tokens = self.tokens.write().unwrap();
        tokens.insert(token.to_string(), (namespaces, permissions));
    }

    /// Check if token has permission for namespace and operation
    pub fn check(
        &self,
        token: Option<&str>,
        namespace: &str,
        operation: &str,
    ) -> Result<(), String> {
        // Anonymous access to default namespace
        if token.is_none() && namespace == "default" && self.allow_anonymous_default {
            return Ok(());
        }

        let token = token.ok_or("Authentication required")?;
        let tokens = self.tokens.read().unwrap();

        let (patterns, perms) = tokens.get(token).ok_or("Invalid token")?;

        // Check namespace pattern match
        let ns_match = patterns.iter().any(|p| {
            if p == "*" {
                true
            } else if p.ends_with('*') {
                namespace.starts_with(&p[..p.len() - 1])
            } else {
                p == namespace
            }
        });

        if !ns_match {
            return Err(format!("Token not authorized for namespace: {}", namespace));
        }

        // Check operation permission
        match operation {
            "read" if !perms.read => Err("Read permission denied".to_string()),
            "write" if !perms.write => Err("Write permission denied".to_string()),
            "delete" if !perms.delete => Err("Delete permission denied".to_string()),
            "reason" if !perms.reason => Err("Reasoning permission denied".to_string()),
            _ => Ok(()),
        }
    }

    /// Load tokens from environment variable (JSON format)
    pub fn load_from_env(&self) {
        if let Ok(json) = std::env::var("SYNAPSE_AUTH_TOKENS") {
            // Try parsing as complex object first: {"token": {"namespaces": [...], "permissions": {...}}}
            if let Ok(map) = serde_json::from_str::<HashMap<String, serde_json::Value>>(&json) {
                for (token, value) in map {
                    if let Ok(namespaces) = serde_json::from_value::<Vec<String>>(value.clone()) {
                        // Legacy format: value is list of namespaces
                        self.register_token(&token, namespaces, NamespacePermission::default());
                    } else if let Some(obj) = value.as_object() {
                        // Complex format
                        let namespaces = obj
                            .get("namespaces")
                            .and_then(|v| serde_json::from_value::<Vec<String>>(v.clone()).ok())
                            .unwrap_or_default();

                        let permissions = if let Some(p) = obj.get("permissions") {
                            NamespacePermission {
                                read: p.get("read").and_then(|v| v.as_bool()).unwrap_or(true),
                                write: p.get("write").and_then(|v| v.as_bool()).unwrap_or(true),
                                delete: p.get("delete").and_then(|v| v.as_bool()).unwrap_or(true),
                                reason: p.get("reason").and_then(|v| v.as_bool()).unwrap_or(true),
                            }
                        } else {
                            NamespacePermission::default()
                        };

                        self.register_token(&token, namespaces, permissions);
                    }
                }
            }
        }
    }
}