@better_openclaw/betterclaw 2.0.2 → 2.1.0

package/openclaw.plugin.json

@@ -42,6 +42,16 @@
         "minimum": 0,
         "maximum": 23,
         "description": "Hour (system timezone) for daily analysis run"
+      },
+      "deduplicationCooldowns": {
+        "type": "object",
+        "additionalProperties": { "type": "number" },
+        "description": "Per-subscription dedup cooldowns in seconds (e.g. {\"default.geofence\": 300})"
+      },
+      "defaultCooldown": {
+        "type": "number",
+        "default": 1800,
+        "description": "Default dedup cooldown in seconds for subscriptions not in deduplicationCooldowns"
       }
     },
     "additionalProperties": false

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better_openclaw/betterclaw",
-  "version": "2.0.2",
+  "version": "2.1.0",
   "description": "Intelligent event filtering, context tracking, and proactive triggers for BetterClaw",
   "license": "AGPL-3.0-only",
   "repository": {

package/src/index.ts

@@ -9,6 +9,7 @@ import { ProactiveEngine } from "./triggers.js";
 import { processEvent } from "./pipeline.js";
 import type { PipelineDeps } from "./pipeline.js";
 import { BETTERCLAW_COMMANDS, mergeAllowCommands } from "./cli.js";
+import { storeJwt } from "./jwt.js";
 import { loadTriageProfile, runLearner } from "./learner.js";
 import { ReactionTracker } from "./reactions.js";
 import * as os from "node:os";
@@ -114,12 +115,22 @@ export default {
     })();
 
     // Ping health check
-    api.registerGatewayMethod("betterclaw.ping", ({ params, respond }) => {
+    api.registerGatewayMethod("betterclaw.ping", async ({ params, respond }) => {
       const validTiers: Array<"free" | "premium" | "premium+"> = ["free", "premium", "premium+"];
       const rawTier = (params as Record<string, unknown>)?.tier as string;
       const tier = validTiers.includes(rawTier as any) ? (rawTier as "free" | "premium" | "premium+") : "free";
       const smartMode = (params as Record<string, unknown>)?.smartMode === true;
 
+      const jwt = (params as Record<string, unknown>)?.jwt as string | undefined;
+      if (jwt) {
+        const payload = await storeJwt(jwt);
+        if (payload) {
+          api.logger.info(`betterclaw: JWT verified, entitlements=${payload.ent.join(",")}`);
+        } else {
+          api.logger.warn("betterclaw: JWT verification failed");
+        }
+      }
+
       ctxManager.setRuntimeState({ tier, smartMode });
 
       const meta = ctxManager.get().meta;

package/src/jwt.ts

@@ -0,0 +1,147 @@
+export interface JwtPayload {
+  sub: string;
+  aud: string;
+  ent: string[];
+  iat: number;
+  exp: number;
+  iss: string;
+}
+
+const EXPECTED_AUD = "betterclaw";
+const EXPECTED_ISS = "api.betterclaw.app";
+
+function base64urlDecode(str: string): Uint8Array {
+  const padded = str + "=".repeat((4 - (str.length % 4)) % 4);
+  const binary = atob(padded.replace(/-/g, "+").replace(/_/g, "/"));
+  return Uint8Array.from(binary, (c) => c.charCodeAt(0));
+}
+
+async function importPublicKey(pem: string): Promise<CryptoKey> {
+  const b64 = pem
+    .replace(/-----BEGIN PUBLIC KEY-----/, "")
+    .replace(/-----END PUBLIC KEY-----/, "")
+    .replace(/\s/g, "");
+  const binary = atob(b64);
+  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
+  return crypto.subtle.importKey(
+    "spki",
+    bytes,
+    { name: "ECDSA", namedCurve: "P-256" },
+    false,
+    ["verify"]
+  );
+}
+
+/**
+ * Verify an ES256 JWT and return the payload, or null if invalid.
+ * Never throws — all failures return null and are logged.
+ */
+export async function verifyJwt(
+  token: string,
+  publicKeyPem: string
+): Promise<JwtPayload | null> {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+
+    const [headerB64, payloadB64, signatureB64] = parts;
+
+    // Verify signature
+    const publicKey = await importPublicKey(publicKeyPem);
+    const signingInput = new TextEncoder().encode(`${headerB64}.${payloadB64}`);
+    const signature = base64urlDecode(signatureB64);
+
+    const valid = await crypto.subtle.verify(
+      { name: "ECDSA", hash: "SHA-256" },
+      publicKey,
+      signature,
+      signingInput
+    );
+    if (!valid) return null;
+
+    // Decode and validate payload
+    const payload: JwtPayload = JSON.parse(
+      new TextDecoder().decode(base64urlDecode(payloadB64))
+    );
+
+    if (payload.aud !== EXPECTED_AUD) return null;
+    if (payload.iss !== EXPECTED_ISS) return null;
+    if (payload.exp < Math.floor(Date.now() / 1000)) return null;
+    if (!Array.isArray(payload.ent)) return null;
+
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check if a verified JWT payload has a specific entitlement.
+ */
+export function hasEntitlement(
+  payload: JwtPayload | null,
+  entitlement: string
+): boolean {
+  return payload !== null && payload.ent.includes(entitlement);
+}
+
+// ES256 public key for JWT verification (from betterclaw-api)
+const JWT_PUBLIC_KEY = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEi2MFBpmWsTPIvJI4dTkrJVmeUE9L
+j9wMeV+kpLoMxVt09srOoI3r2CGUSwktRI0WyHQPkQjV1GC08SZ2Y8mwPw==
+-----END PUBLIC KEY-----`;
+
+// Module-level JWT state — safe because this is per-plugin-instance,
+// not per-request. Updated only from the heartbeat handler.
+let currentJwtToken: string | null = null;
+let currentPayload: JwtPayload | null = null;
+
+/**
+ * Store and verify a JWT received from heartbeat.
+ * Only re-verifies if the token has changed.
+ */
+export async function storeJwt(jwt: string): Promise<JwtPayload | null> {
+  if (jwt === currentJwtToken) return currentPayload;
+  currentJwtToken = jwt;
+  currentPayload = await verifyJwt(jwt, JWT_PUBLIC_KEY);
+  return currentPayload;
+}
+
+/**
+ * Get the current verified payload (may be null).
+ */
+export function getVerifiedPayload(): JwtPayload | null {
+  return currentPayload;
+}
+
+/**
+ * Check if the current JWT grants an entitlement.
+ * Returns null if entitled, or an error message string if not.
+ */
+export function requireEntitlement(entitlement: string): string | null {
+  if (!currentPayload) {
+    return "This feature requires an active Premium subscription. Please open BetterClaw and check your subscription status.";
+  }
+  if (!hasEntitlement(currentPayload, entitlement)) {
+    if (entitlement === "shortcuts") {
+      return "This feature requires the Shortcuts Pack add-on. Please open BetterClaw and check your subscription status.";
+    }
+    return "This feature requires an active Premium subscription. Please open BetterClaw and check your subscription status.";
+  }
+  return null;
+}
+
+/**
+ * Reset JWT state (for testing).
+ */
+export function _resetJwtState(): void {
+  currentJwtToken = null;
+  currentPayload = null;
+}
+
+/**
+ * Inject a payload directly (for testing requireEntitlement without real keys).
+ */
+export function _setPayloadForTesting(payload: JwtPayload | null): void {
+  currentPayload = payload;
+}

package/src/pipeline.ts

@@ -6,6 +6,7 @@ import type { ReactionTracker } from "./reactions.js";
 import type { DeviceEvent, DeviceContext, PluginConfig } from "./types.js";
 import { triageEvent } from "./triage.js";
 import { loadTriageProfile } from "./learner.js";
+import { requireEntitlement } from "./jwt.js";
 
 export interface PipelineDeps {
   api: OpenClawPluginApi;
@@ -20,10 +21,17 @@ export interface PipelineDeps {
 export async function processEvent(deps: PipelineDeps, event: DeviceEvent): Promise<void> {
   const { api, config, context, events, rules } = deps;
 
-  // Always update context
+  // Always update context (even for non-premium users)
   context.updateFromEvent(event);
   await context.save();
 
+  // Gate event forwarding behind premium entitlement
+  const entitlementError = requireEntitlement("premium");
+  if (entitlementError) {
+    api.logger.info(`betterclaw: event blocked (no premium entitlement)`);
+    return;
+  }
+
   // If smartMode is OFF, store only — no filtering or pushing
   if (!context.getRuntimeState().smartMode) {
     await events.append({ event, decision: "stored", reason: "smartMode off", timestamp: Date.now() / 1000 });