@obep/enforcement
v0.1.0
Published
OBEP client-side permission engine: default-deny per-action checks, sensitive-surface blocklist, capture policy, playbook linter. Apache-2.0.
Maintainers
Readme
@obep/enforcement
The client-side permission engine of OBEP — the default-deny checks that decide whether a single browser action is allowed to run under a playbook's fence. Apache-2.0.
npm install @obep/enforcementGiven a signed playbook's permissions, it enforces, per action: the domain allowlist,
the allowed action set, the allowed credential-key references, the capture policy
(screenshots / DOM), and the sensitive-surface blocklist. It also ships lintPlaybook,
the authoring-time validator (schema + danger flags) used by @obep/cli.
import { lintPlaybook } from "@obep/enforcement";This is the engine the extension runs locally before every action, so a compromised relay can never widen what executes. Most developers don't import it directly — reach for it when building a conformant runner or your own tooling. See the repo.
