feat: implement platform-specific enforcement feedback and toast notifications

Author: leos565

deploy/dashboard/app.py

@@ -186,11 +186,50 @@ async def update_user_rules(request: Request):
         if "custom_rules" not in body and "custom_rules" in existing:
             body["custom_rules"] = existing["custom_rules"]
         save_user_rules(body)
-        return JSONResponse({"status": "ok", "path": str(USER_RULES_PATH)})
+        _trigger_enforcement()
+        return JSONResponse({
+            "status": "ok", 
+            "path": str(USER_RULES_PATH),
+            "message": _get_enforcement_message()
+        })
     except Exception as exc:
         return JSONResponse({"error": str(exc)}, status_code=400)
 
 
+def _trigger_enforcement():
+    """Trigger background daemon/policy hot reloads when user rules change."""
+    import platform
+    import subprocess
+    import threading
+
+    def _run():
+        if platform.system() == "Darwin":
+            # Re-generate the Seatbelt profile and notify user
+            apply_script = os.path.join(os.path.dirname(__file__), "..", "apply_macos_policy.py")
+            if os.path.exists(apply_script):
+                try:
+                    subprocess.run(["python3", apply_script], check=True, capture_output=True)
+                    logger.info("Triggered macOS policy applicator")
+                except subprocess.CalledProcessError as e:
+                    logger.error("Failed to apply macOS policy: %s", e.stderr.decode() if e.stderr else str(e))
+        else:
+            # On Linux, monitor.py automatically reloads on mtime changes.
+            # Touching the user_rules file ensures the trigger fires immediately if needed.
+            if USER_RULES_PATH.exists():
+                os.utime(USER_RULES_PATH, None)
+            logger.info("Triggered Linux monitor reload")
+
+    threading.Thread(target=_run, daemon=True).start()
+
+
+def _get_enforcement_message():
+    """Return a human-readable message about enforcement latency/actions."""
+    import platform
+    if platform.system() == "Darwin":
+        return "Changes applied. Please restart OpenClaw to enforce new kernel-level rules."
+    return "Changes applied and effective immediately."
+
+
 @app.get("/api/custom-rules")
 async def list_custom_rules():
     """Return all user-defined custom blocking rules."""
@@ -211,7 +250,13 @@ async def create_custom_rule(request: Request):
         rule, err = add_custom_rule(rule_type, value, platform)
         if err:
             return JSONResponse({"error": err}, status_code=400)
-        return JSONResponse({"status": "ok", "rule": rule})
+        
+        _trigger_enforcement()
+        return JSONResponse({
+            "status": "ok", 
+            "rule": rule,
+            "message": _get_enforcement_message()
+        })
     except Exception as exc:
         return JSONResponse({"error": str(exc)}, status_code=400)
 
@@ -228,7 +273,13 @@ async def modify_custom_rule(rule_id: str, request: Request):
         )
         if err:
             return JSONResponse({"error": err}, status_code=400)
-        return JSONResponse({"status": "ok", "rule": rule})
+        
+        _trigger_enforcement()
+        return JSONResponse({
+            "status": "ok", 
+            "rule": rule,
+            "message": _get_enforcement_message()
+        })
     except Exception as exc:
         return JSONResponse({"error": str(exc)}, status_code=400)
 
@@ -239,7 +290,13 @@ async def remove_custom_rule(rule_id: str):
     ok, err = delete_custom_rule(rule_id)
     if not ok:
         return JSONResponse({"error": err}, status_code=404)
-    return JSONResponse({"status": "ok", "deleted": rule_id})
+        
+    _trigger_enforcement()
+    return JSONResponse({
+        "status": "ok", 
+        "deleted": rule_id,
+        "message": _get_enforcement_message()
+    })
 
 
 @app.get("/api/status")

deploy/dashboard/templates/index.html

@@ -983,10 +983,69 @@
             font-weight: 600;
             color: var(--text-primary);
         }
+
+        /* Toast */
+        .toast-container {
+            position: fixed;
+            top: 24px;
+            right: 24px;
+            display: flex;
+            flex-direction: column;
+            gap: 12px;
+            z-index: 1000;
+            pointer-events: none;
+        }
+
+        .toast {
+            background: var(--bg-card);
+            border: 1px solid var(--border);
+            border-left: 4px solid var(--accent);
+            padding: 14px 20px;
+            border-radius: var(--radius-sm);
+            box-shadow: 0 10px 30px rgba(0, 0, 0, 0.1);
+            font-size: 13px;
+            color: var(--text-primary);
+            min-width: 280px;
+            max-width: 400px;
+            transform: translateX(120%);
+            transition: transform 0.3s cubic-bezier(0.175, 0.885, 0.32, 1.275);
+            pointer-events: auto;
+            display: flex;
+            align-items: center;
+            justify-content: space-between;
+            gap: 12px;
+        }
+
+        .toast.visible {
+            transform: translateX(0);
+        }
+
+        .toast.success {
+            border-left-color: var(--success);
+        }
+
+        .toast.warning {
+            border-left-color: var(--warning);
+        }
+
+        .toast.danger {
+            border-left-color: var(--danger);
+        }
+
+        .toast-close {
+            background: none;
+            border: none;
+            color: var(--text-muted);
+            cursor: pointer;
+            font-size: 16px;
+            padding: 0;
+            display: flex;
+        }
     </style>
 </head>
 
 <body>
+    <div class="toast-container" id="toastContainer"></div>
     <div class="app-layout">
         <!-- Sidebar -->
         <aside class="sidebar">
@@ -1326,6 +1385,25 @@ <h2 id="modalTitle">Add Custom Rule</h2>
         }
         function shouldShowRule(r) { const p = getEffectivePlatform(); if (!p) return true; return r.platform === 'general' || r.platform === p; }
 
+        // ── Toast ──
+        function showToast(message, type = 'info') {
+            const container = document.getElementById('toastContainer');
+            const toast = document.createElement('div');
+            toast.className = `toast ${type}`;
+            toast.innerHTML = `
+                <span>${esc(message)}</span>
+                <button class="toast-close" onclick="this.parentElement.classList.remove('visible'); setTimeout(() => this.parentElement.remove(), 300)">✕</button>
+            `;
+            container.appendChild(toast);
+            // Force reflow
+            toast.offsetHeight;
+            toast.classList.add('visible');
+            setTimeout(() => {
+                toast.classList.remove('visible');
+                setTimeout(() => toast.remove(), 300);
+            }, 5000);
+        }
+
         // ── API ──
         async function fetchJSON(u) { return (await fetch(u)).json(); }
 
@@ -1498,9 +1576,11 @@ <h2 id="modalTitle">Add Custom Rule</h2>
         async function saveExemptions() {
             if (!pendingExemptions) return;
             try {
-                await fetch('/api/user-rules', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ exempted_rule_ids: Array.from(pendingExemptions) }) });
+                const res = await fetch('/api/user-rules', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ exempted_rule_ids: Array.from(pendingExemptions) }) });
+                const data = await res.json();
                 exemptedIds = new Set(pendingExemptions); pendingExemptions = null;
                 document.getElementById('saveBanner').classList.remove('visible'); renderRules();
+                if (data.message) showToast(data.message, 'success');
             } catch (e) { alert('Failed to save: ' + e.message); }
         }
         function cancelExemptions() { pendingExemptions = null; document.getElementById('saveBanner').classList.remove('visible'); renderRules(); }
@@ -1582,6 +1662,7 @@ <h2 id="modalTitle">Add Custom Rule</h2>
                 if (data.error) { errEl.textContent = data.error; errEl.classList.add('visible'); return; }
                 closeModal();
                 await loadCustomRules();
+                if (data.message) showToast(data.message, 'success');
             } catch (e) { errEl.textContent = 'Request failed: ' + e.message; errEl.classList.add('visible'); }
         }
 
@@ -1592,6 +1673,7 @@ <h2 id="modalTitle">Add Custom Rule</h2>
                 const data = await res.json();
                 if (data.error) { alert(data.error); return; }
                 await loadCustomRules();
+                if (data.message) showToast(data.message, 'success');
             } catch (e) { alert('Failed to delete: ' + e.message); }
         }
 

deploy/install.sh

@@ -62,16 +62,16 @@ install_dashboard_deps() {
     #   2. --ignore-installed (skip uninstall of apt-managed packages)
     #   3. --force-reinstall as last resort
     if $PIP install --quiet --break-system-packages --ignore-installed \
-            fastapi uvicorn typing-extensions pydantic 2>/dev/null; then
+            fastapi uvicorn typing-extensions pydantic pyyaml 2>/dev/null; then
         log "Dashboard dependencies installed successfully"
     elif $PIP install --quiet --break-system-packages --force-reinstall \
-            fastapi uvicorn typing-extensions pydantic 2>/dev/null; then
+            fastapi uvicorn typing-extensions pydantic pyyaml 2>/dev/null; then
         log "Dashboard dependencies installed (force-reinstall)"
-    elif $PIP install --quiet fastapi uvicorn typing-extensions pydantic 2>/dev/null; then
+    elif $PIP install --quiet fastapi uvicorn typing-extensions pydantic pyyaml 2>/dev/null; then
         log "Dashboard dependencies installed"
     else
-        log "WARNING: Could not install fastapi/uvicorn via pip."
-        log "  Install manually: pip3 install fastapi uvicorn typing-extensions pydantic"
+        log "WARNING: Could not install dependencies via pip."
+        log "  Install manually: pip3 install fastapi uvicorn typing-extensions pydantic pyyaml"
     fi
 }
 
@@ -197,6 +197,8 @@ install_macos() {
 
     mkdir -p "$CLAWEDR_DIR/shared"
     mkdir -p "$CLAWEDR_DIR/dashboard/templates"
+    mkdir -p "/etc/clawedr"
+    chmod 777 "/etc/clawedr" || true
     cp "$tmpdir/clawedr.sb"              "$CLAWEDR_DIR/"
     cp "$tmpdir/log_tailer.py"           "$CLAWEDR_DIR/"
     cp "$tmpdir/apply_macos_policy.py"   "$CLAWEDR_DIR/"
@@ -253,6 +255,8 @@ install_linux() {
 
     mkdir -p "$CLAWEDR_DIR/shared"
     mkdir -p "$CLAWEDR_DIR/dashboard/templates"
+    mkdir -p "/etc/clawedr"
+    chmod 777 "/etc/clawedr" || true
     cp "$tmpdir/compiled_policy.json" "$CLAWEDR_DIR/"
     cp "$tmpdir/bpf_hooks.c"         "$CLAWEDR_DIR/"
     cp "$tmpdir/monitor.py"          "$CLAWEDR_DIR/"

deploy/linux/monitor.py

@@ -43,7 +43,7 @@
 
 # Add parent directory to path so we can import shared modules
 sys.path.insert(0, os.path.join(os.path.dirname(__file__), ".."))
-from shared.user_rules import get_exempted_rule_ids, get_custom_rules
+from shared.user_rules import get_exempted_rule_ids, get_custom_rules, USER_RULES_PATH
 from shared.alert_dispatcher import dispatch_alert_async
 
 logger = logging.getLogger("clawedr.monitor")
@@ -640,17 +640,22 @@ def _stop(signum, frame):
     while running:
         now = time.monotonic()
         if now >= next_policy_check:
-            try:
-                mtime = os.path.getmtime(path)
+            mtimes = []
+            for check_path in (path, USER_RULES_PATH):
+                try:
+                    mtimes.append(os.path.getmtime(check_path))
+                except FileNotFoundError:
+                    pass
+            
+            if mtimes:
+                mtime = max(mtimes)
                 if mtime != last_mtime:
-                    logger.info("Policy file changed (mtime %.0f → %.0f), reloading", last_mtime, mtime)
+                    logger.info("Policy or user rules changed (mtime %.0f → %.0f), reloading", last_mtime, mtime)
                     policy = load_policy(path)
                     apply_policy(policy)
                     last_mtime = mtime
-            except FileNotFoundError:
-                logger.warning("Policy file not found at %s — waiting", path)
-            except json.JSONDecodeError as exc:
-                logger.error("Corrupt policy JSON: %s", exc)
+            
+            # (Exception handling merged appropriately above)
             next_policy_check = now + interval
 
         if _bpf_instance is not None:

deploy/macos/log_tailer.py

@@ -24,6 +24,7 @@
 # Add parent directory to path so we can import shared modules
 sys.path.insert(0, os.path.join(os.path.dirname(__file__), ".."))
 from shared.alert_dispatcher import dispatch_alert_async
+from shared.user_rules import get_custom_rules, USER_RULES_PATH
 
 logger = logging.getLogger("clawedr.log_tailer")
 
@@ -47,14 +48,36 @@ def _load_policy_rule_index() -> dict:
     """Load compiled_policy.json to allow cross-referencing sandbox violations."""
     try:
         with open(POLICY_PATH) as f:
-            return json.load(f)
+            policy = json.load(f)
+            
+        # Merge in custom user rules to the runtime mapping payload
+        custom_rules = get_custom_rules()
+        for rule in custom_rules:
+            rid = rule.get("id", "")
+            rtype = rule.get("type", "")
+            val = rule.get("value", "")
+            plat = rule.get("platform", "both")
+            if plat not in ("both", "macos") or not rid:
+                continue
+                
+            if rtype == "executable":
+                policy.setdefault("blocked_executables", {})[rid] = val
+            elif rtype == "domain":
+                policy.setdefault("blocked_domains", {})[rid] = val
+            elif rtype == "path":
+                policy.setdefault("blocked_paths", {}).setdefault("macos", {})[rid] = val
+            elif rtype == "argument":
+                policy.setdefault("deny_rules", {}).setdefault("macos", {})[rid] = val
+                
+        return policy
     except (FileNotFoundError, json.JSONDecodeError) as exc:
         logger.warning("Could not load policy for rule index: %s", exc)
         return {}
 
 
 def tail_sandbox_log():
     """Poll macOS sandbox violation events from the Unified Log."""
+    last_mtime = 0.0
     rule_index = _load_policy_rule_index()
     seen_events = set()
     logger.info("Starting log show polling for sandbox reporting...")
@@ -64,6 +87,12 @@ def tail_sandbox_log():
 
     while True:
         try:
+            # Refresh rule index if policy or user rules changed
+            changed, last_mtime = check_for_policy_update(last_mtime)
+            if changed:
+                logger.info("Policy or user rules updated, reloading rule index...")
+                rule_index = _load_policy_rule_index()
+
             # Check the last 15 seconds to overlap and avoid missing events
             start_time_str = (datetime.now() - timedelta(seconds=15)).strftime("%Y-%m-%d %H:%M:%S")
             cmd = [
@@ -135,12 +164,24 @@ def tail_sandbox_log():
 
 
 def check_for_policy_update(last_mtime: float) -> tuple[bool, float]:
-    """Check if the policy file has been updated since last_mtime."""
-    try:
-        mtime = os.path.getmtime(POLICY_PATH)
-        return (mtime != last_mtime, mtime)
-    except FileNotFoundError:
+    """Check if the system policy or user rules have been updated since last_mtime."""
+    mtimes = []
+    
+    for path in (POLICY_PATH, USER_RULES_PATH):
+        try:
+            mtimes.append(os.path.getmtime(path))
+        except FileNotFoundError:
+            pass
+            
+    if not mtimes:
         return (False, last_mtime)
+        
+    current_max_mtime = max(mtimes)
+    
+    if current_max_mtime != last_mtime:
+        return (True, current_max_mtime)
+        
+    return (False, last_mtime)
 
 
 def notify_user(message: str) -> None: