npm - @better_openclaw/betterclaw - Versions diffs - 2.0.3 → 2.1.1 - Mend

@better_openclaw/betterclaw 2.0.3 → 2.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@better_openclaw/betterclaw",
-  "version": "2.0.3",
+  "version": "2.1.1",
   "description": "Intelligent event filtering, context tracking, and proactive triggers for BetterClaw",
   "license": "AGPL-3.0-only",
   "repository": {

package/src/index.ts CHANGED Viewed

@@ -9,6 +9,7 @@ import { ProactiveEngine } from "./triggers.js";
 import { processEvent } from "./pipeline.js";
 import type { PipelineDeps } from "./pipeline.js";
 import { BETTERCLAW_COMMANDS, mergeAllowCommands } from "./cli.js";
+import { storeJwt } from "./jwt.js";
 import { loadTriageProfile, runLearner } from "./learner.js";
 import { ReactionTracker } from "./reactions.js";
 import * as os from "node:os";
@@ -114,12 +115,22 @@ export default {
     })();
     // Ping health check
-    api.registerGatewayMethod("betterclaw.ping", ({ params, respond }) => {
+    api.registerGatewayMethod("betterclaw.ping", async ({ params, respond }) => {
       const validTiers: Array<"free" | "premium" | "premium+"> = ["free", "premium", "premium+"];
       const rawTier = (params as Record<string, unknown>)?.tier as string;
       const tier = validTiers.includes(rawTier as any) ? (rawTier as "free" | "premium" | "premium+") : "free";
       const smartMode = (params as Record<string, unknown>)?.smartMode === true;
+      const jwt = (params as Record<string, unknown>)?.jwt as string | undefined;
+      if (jwt) {
+        const payload = await storeJwt(jwt);
+        if (payload) {
+          api.logger.info(`betterclaw: JWT verified, entitlements=${payload.ent.join(",")}`);
+        } else {
+          api.logger.warn("betterclaw: JWT verification failed");
+        }
+      }
       ctxManager.setRuntimeState({ tier, smartMode });
       const meta = ctxManager.get().meta;

package/src/jwt.ts ADDED Viewed

@@ -0,0 +1,147 @@
+export interface JwtPayload {
+  sub: string;
+  aud: string;
+  ent: string[];
+  iat: number;
+  exp: number;
+  iss: string;
+}
+const EXPECTED_AUD = "betterclaw";
+const EXPECTED_ISS = "api.betterclaw.app";
+function base64urlDecode(str: string): Uint8Array {
+  const padded = str + "=".repeat((4 - (str.length % 4)) % 4);
+  const binary = atob(padded.replace(/-/g, "+").replace(/_/g, "/"));
+  return Uint8Array.from(binary, (c) => c.charCodeAt(0));
+}
+async function importPublicKey(pem: string): Promise<CryptoKey> {
+  const b64 = pem
+    .replace(/-----BEGIN PUBLIC KEY-----/, "")
+    .replace(/-----END PUBLIC KEY-----/, "")
+    .replace(/\s/g, "");
+  const binary = atob(b64);
+  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
+  return crypto.subtle.importKey(
+    "spki",
+    bytes,
+    { name: "ECDSA", namedCurve: "P-256" },
+    false,
+    ["verify"]
+  );
+}
+/**
+ * Verify an ES256 JWT and return the payload, or null if invalid.
+ * Never throws — all failures return null and are logged.
+ */
+export async function verifyJwt(
+  token: string,
+  publicKeyPem: string
+): Promise<JwtPayload | null> {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const [headerB64, payloadB64, signatureB64] = parts;
+    // Verify signature
+    const publicKey = await importPublicKey(publicKeyPem);
+    const signingInput = new TextEncoder().encode(`${headerB64}.${payloadB64}`);
+    const signature = base64urlDecode(signatureB64);
+    const valid = await crypto.subtle.verify(
+      { name: "ECDSA", hash: "SHA-256" },
+      publicKey,
+      signature,
+      signingInput
+    );
+    if (!valid) return null;
+    // Decode and validate payload
+    const payload: JwtPayload = JSON.parse(
+      new TextDecoder().decode(base64urlDecode(payloadB64))
+    );
+    if (payload.aud !== EXPECTED_AUD) return null;
+    if (payload.iss !== EXPECTED_ISS) return null;
+    if (payload.exp < Math.floor(Date.now() / 1000)) return null;
+    if (!Array.isArray(payload.ent)) return null;
+    return payload;
+  } catch {
+    return null;
+  }
+}
+/**
+ * Check if a verified JWT payload has a specific entitlement.
+ */
+export function hasEntitlement(
+  payload: JwtPayload | null,
+  entitlement: string
+): boolean {
+  return payload !== null && payload.ent.includes(entitlement);
+}
+// ES256 public key for JWT verification (from betterclaw-api)
+const JWT_PUBLIC_KEY = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENEZHoGBTF5wHq6p7GTDRl5b24aSS
+Jw9NZAbe/inE4VynwiMvl3IxS+CdJYSm4CKbeCGXxy/5jCBk6Mzod+0ICg==
+-----END PUBLIC KEY-----`;
+// Module-level JWT state — safe because this is per-plugin-instance,
+// not per-request. Updated only from the heartbeat handler.
+let currentJwtToken: string | null = null;
+let currentPayload: JwtPayload | null = null;
+/**
+ * Store and verify a JWT received from heartbeat.
+ * Only re-verifies if the token has changed.
+ */
+export async function storeJwt(jwt: string): Promise<JwtPayload | null> {
+  if (jwt === currentJwtToken) return currentPayload;
+  currentJwtToken = jwt;
+  currentPayload = await verifyJwt(jwt, JWT_PUBLIC_KEY);
+  return currentPayload;
+}
+/**
+ * Get the current verified payload (may be null).
+ */
+export function getVerifiedPayload(): JwtPayload | null {
+  return currentPayload;
+}
+/**
+ * Check if the current JWT grants an entitlement.
+ * Returns null if entitled, or an error message string if not.
+ */
+export function requireEntitlement(entitlement: string): string | null {
+  if (!currentPayload) {
+    return "This feature requires an active Premium subscription. Please open BetterClaw and check your subscription status.";
+  }
+  if (!hasEntitlement(currentPayload, entitlement)) {
+    if (entitlement === "shortcuts") {
+      return "This feature requires the Shortcuts Pack add-on. Please open BetterClaw and check your subscription status.";
+    }
+    return "This feature requires an active Premium subscription. Please open BetterClaw and check your subscription status.";
+  }
+  return null;
+}
+/**
+ * Reset JWT state (for testing).
+ */
+export function _resetJwtState(): void {
+  currentJwtToken = null;
+  currentPayload = null;
+}
+/**
+ * Inject a payload directly (for testing requireEntitlement without real keys).
+ */
+export function _setPayloadForTesting(payload: JwtPayload | null): void {
+  currentPayload = payload;
+}

package/src/pipeline.ts CHANGED Viewed

@@ -6,6 +6,7 @@ import type { ReactionTracker } from "./reactions.js";
 import type { DeviceEvent, DeviceContext, PluginConfig } from "./types.js";
 import { triageEvent } from "./triage.js";
 import { loadTriageProfile } from "./learner.js";
+import { requireEntitlement } from "./jwt.js";
 export interface PipelineDeps {
   api: OpenClawPluginApi;
@@ -20,10 +21,17 @@ export interface PipelineDeps {
 export async function processEvent(deps: PipelineDeps, event: DeviceEvent): Promise<void> {
   const { api, config, context, events, rules } = deps;
-  // Always update context
+  // Always update context (even for non-premium users)
   context.updateFromEvent(event);
   await context.save();
+  // Gate event forwarding behind premium entitlement
+  const entitlementError = requireEntitlement("premium");
+  if (entitlementError) {
+    api.logger.info(`betterclaw: event blocked (no premium entitlement)`);
+    return;
+  }
   // If smartMode is OFF, store only — no filtering or pushing
   if (!context.getRuntimeState().smartMode) {
     await events.append({ event, decision: "stored", reason: "smartMode off", timestamp: Date.now() / 1000 });