Merge pull request #141 from backbay-labs/clawdstrike-go

feat(sdk): complete cross-SDK parity, conformance, and Go daemon/SIEM improvements

Author: bb-connor

.github/workflows/ci.yml

@@ -130,6 +130,35 @@ jobs:
       - name: Test
         run: cargo test --all --exclude sdr-integration-tests
 
+  sdk-conformance:
+    name: SDK Conformance Vectors
+    runs-on: ubuntu-latest
+    needs: check
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: packages/sdk/hush-go/go.mod
+          cache: true
+          cache-dependency-path: packages/sdk/hush-go/go.sum
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '24'
+          cache: 'npm'
+          cache-dependency-path: packages/sdk/hush-ts/package-lock.json
+
+      - name: Setup Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+
+      - name: Run SDK conformance runner
+        run: bash scripts/run-sdk-conformance.sh
+
   tauri-rust-check:
     name: Tauri Rust Crates
     runs-on: ubuntu-latest
@@ -404,6 +433,7 @@ jobs:
           # Rust sources that do not emit stable LCOV entries in this job.
           grep -v '^apps/agent/src-tauri/' changed_rust_files.txt \
             | grep -v '^apps/desktop/src-tauri/' \
+            | grep -v '^crates/bridges/hush-go-native/' \
             | grep -v '^packages/sdk/hush-py/hush-native/' \
             | grep -Ev '(^|/)tests/|_test\.rs$|_tests\.rs$|integration_tests\.rs$' \
             | grep -Ev '^crates/libs/hunt-(correlate|query|scan)/src/(lib|error)\.rs$' \

README.md

@@ -390,6 +390,61 @@ if alerts:
     print(report.merkle_root)
 ```
 
+### Go
+
+```bash
+go get github.com/backbay-labs/clawdstrike-go
+```
+
+```go
+package main
+
+import (
+	"fmt"
+
+	clawdstrike "github.com/backbay-labs/clawdstrike-go"
+)
+
+func main() {
+	cs, err := clawdstrike.WithDefaults("strict")
+	if err != nil {
+		panic(err)
+	}
+
+	decision := cs.CheckFileAccess("/home/user/.ssh/id_rsa")
+	fmt.Println(decision.Status)  // deny
+	fmt.Println(decision.Message) // Access to forbidden path: ...
+}
+```
+
+#### Daemon-backed Enforcement
+
+```go
+package main
+
+import (
+	"fmt"
+	"time"
+
+	clawdstrike "github.com/backbay-labs/clawdstrike-go"
+)
+
+func main() {
+	cs, err := clawdstrike.FromDaemonWithConfig("http://127.0.0.1:9876", clawdstrike.DaemonConfig{
+		APIKey:        "dev-token",
+		Timeout:       5 * time.Second,
+		RetryAttempts: 3,
+		RetryBackoff:  200 * time.Millisecond,
+	})
+	if err != nil {
+		panic(err)
+	}
+
+	decision := cs.CheckEgress("api.openai.com", 443)
+	fmt.Println(decision.Status) // allow / warn / deny
+}
+```
+
 ### OpenClaw Plugin
 
 Clawdstrike ships as a first-class [OpenClaw](https://openclaw.com) plugin that enforces policy at the tool boundary — every tool call your agent makes is checked against your policy before execution.

apps/desktop/src/features/forensics/policy-workbench/state.test.ts

@@ -153,4 +153,113 @@ describe("policyWorkbenchReducer", () => {
     });
     expect(preserved.loadedVersion).toBe("1.4.0");
   });
+
+  it("preserves newer draft when save completes against an older snapshot", () => {
+    const loaded = policyWorkbenchReducer(initialPolicyWorkbenchState, {
+      type: "load_success",
+      yaml: "version: \"1.2.0\"\nname: loaded",
+      hash: "h1",
+      version: "1.2.0",
+    });
+    const edited = policyWorkbenchReducer(loaded, {
+      type: "edit",
+      yaml: "version: \"1.2.0\"\nname: newer",
+    });
+    const saving = policyWorkbenchReducer(edited, { type: "save_start" });
+
+    const saved = policyWorkbenchReducer(saving, {
+      type: "save_success_preserve_draft",
+      loadedYaml: "version: \"1.2.0\"\nname: loaded",
+      hash: "h2",
+    });
+
+    expect(saved.isSaving).toBe(false);
+    expect(saved.loadedHash).toBe("h2");
+    expect(saved.loadedYaml).toContain("name: loaded");
+    expect(saved.draftYaml).toContain("name: newer");
+  });
+
+  it("clears stale loadError on save success", () => {
+    const errored = policyWorkbenchReducer(initialPolicyWorkbenchState, {
+      type: "load_error",
+      message: "Failed to load policy",
+    });
+    expect(errored.loadError).toBe("Failed to load policy");
+
+    const saved = policyWorkbenchReducer(errored, {
+      type: "save_success",
+      yaml: "version: \"1.2.0\"\nname: saved",
+      hash: "h3",
+    });
+    expect(saved.loadError).toBeUndefined();
+
+    const preserved = policyWorkbenchReducer(errored, {
+      type: "save_success_preserve_draft",
+      loadedYaml: "version: \"1.2.0\"\nname: saved",
+      hash: "h3",
+    });
+    expect(preserved.loadError).toBeUndefined();
+  });
+
+  it("preserves loadError while a new load is in-flight", () => {
+    const errored = policyWorkbenchReducer(initialPolicyWorkbenchState, {
+      type: "load_error",
+      message: "Failed to load policy",
+    });
+
+    const loading = policyWorkbenchReducer(errored, { type: "load_start" });
+    expect(loading.loadError).toBe("Failed to load policy");
+  });
+
+  it("clears stale saveError on save success paths", () => {
+    const failed = policyWorkbenchReducer(initialPolicyWorkbenchState, {
+      type: "save_error",
+      message: "previous save failed",
+    });
+    expect(failed.saveError).toBe("previous save failed");
+
+    const saved = policyWorkbenchReducer(failed, {
+      type: "save_success",
+      yaml: "version: \"1.2.0\"\nname: saved",
+      hash: "h3",
+    });
+    expect(saved.saveError).toBeUndefined();
+
+    const preserved = policyWorkbenchReducer(failed, {
+      type: "save_success_preserve_draft",
+      loadedYaml: "version: \"1.2.0\"\nname: saved",
+      hash: "h3",
+    });
+    expect(preserved.saveError).toBeUndefined();
+  });
+
+  it("refreshes loadedVersion on save success paths", () => {
+    const loaded = policyWorkbenchReducer(initialPolicyWorkbenchState, {
+      type: "load_success",
+      yaml: 'version: "1.2.0"\nname: demo',
+      hash: "h1",
+      version: "1.2.0",
+    });
+
+    const saved = policyWorkbenchReducer(loaded, {
+      type: "save_success",
+      yaml: 'version: "1.3.0"\nname: demo',
+      hash: "h2",
+      version: "1.3.0",
+    });
+    expect(saved.loadedVersion).toBe("1.3.0");
+
+    const edited = policyWorkbenchReducer(saved, {
+      type: "edit",
+      yaml: 'version: "1.4.0"\nname: demo',
+    });
+    const saving = policyWorkbenchReducer(edited, { type: "save_start" });
+    const preserved = policyWorkbenchReducer(saving, {
+      type: "save_success_preserve_draft",
+      loadedYaml: 'version: "1.4.0"\nname: demo',
+      hash: "h3",
+      version: "1.4.0",
+    });
+    expect(preserved.loadedVersion).toBe("1.4.0");
+  });
 });

crates/bridges/hush-go-native/Cargo.toml

@@ -0,0 +1,24 @@
+[package]
+name = "hush-go-native"
+version = "0.1.0"
+edition = "2021"
+description = "C FFI bridge for the Go SDK"
+license = "Apache-2.0"
+
+[lib]
+crate-type = ["staticlib", "cdylib"]
+
+[dependencies]
+hush-core = { workspace = true }
+clawdstrike = { workspace = true }
+libc = "0.2"
+serde_json = { workspace = true }
+hex = { workspace = true }
+tokio = { workspace = true }
+base64 = { workspace = true }
+
+[build-dependencies]
+cbindgen = "0.28"
+
+[lints]
+workspace = true

crates/bridges/hush-go-native/build.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -euo pipefail
+cd "$(dirname "$0")"
+
+REPO_ROOT="$(cd ../../.. && pwd)"
+DEST_INCLUDE_DIR="$REPO_ROOT/packages/sdk/hush-go/native/include"
+DEST_LIB_DIR="$REPO_ROOT/packages/sdk/hush-go/native/lib"
+
+mkdir -p "$DEST_INCLUDE_DIR" "$DEST_LIB_DIR"
+
+# Build static library
+cargo build --release -p hush-go-native
+
+# Generate C header
+cbindgen --config cbindgen.toml --crate hush-go-native --output "$DEST_INCLUDE_DIR/hush_go_native.h"
+
+# Copy static library (platform-dependent name)
+if [[ "$(uname)" == "Darwin" ]]; then
+    cp "$REPO_ROOT/target/release/libhush_go_native.a" "$DEST_LIB_DIR/"
+    cp "$REPO_ROOT/target/release/libhush_go_native.dylib" "$DEST_LIB_DIR/" 2>/dev/null || true
+else
+    cp "$REPO_ROOT/target/release/libhush_go_native.a" "$DEST_LIB_DIR/"
+    cp "$REPO_ROOT/target/release/libhush_go_native.so" "$DEST_LIB_DIR/" 2>/dev/null || true
+fi
+
+echo "Build complete. Static library and header copied to packages/sdk/hush-go/native/"

crates/bridges/hush-go-native/cbindgen.toml

@@ -0,0 +1,7 @@
+language = "C"
+include_guard = "HUSH_GO_NATIVE_H"
+autogen_warning = "/* Auto-generated by cbindgen. Do not edit. */"
+
+[export]
+include = []
+exclude = []