@contextfort-ai/openclaw-secure 0.1.1 → 0.1.3

package/bin/openclaw-secure.js

@@ -31,7 +31,7 @@ if (args[0] === 'set-key') {
   const key = args[1];
   if (!key) {
     console.error('Usage: openclaw-secure set-key <your-api-key>');
-    console.error('Get your key at https://contextfort.ai');
+    console.error('Get your key at https://contextfort.ai/login');
     process.exit(1);
   }
   fs.mkdirSync(CONFIG_DIR, { recursive: true });
@@ -45,7 +45,7 @@ if (args[0] === 'enable') {
   let hasKey = false;
   try { hasKey = fs.readFileSync(CONFIG_FILE, 'utf8').trim().length > 0; } catch {}
   if (!hasKey) {
-    console.error('No API key found. Get your key at https://contextfort.ai and run:');
+    console.error('No API key found. Get your key at https://contextfort.ai/login and run:');
     console.error('  openclaw-secure set-key <your-key>');
     process.exit(1);
   }
@@ -57,6 +57,17 @@ if (args[0] === 'enable') {
     console.error('openclaw not found. Install it first: npm install -g openclaw');
     process.exit(1);
   }
+  // Handle --no-skill-deliver flag
+  const noSkillDeliver = args.includes('--no-skill-deliver');
+  const prefsFile = path.join(CONFIG_DIR, 'preferences.json');
+  let prefs = {};
+  try { prefs = JSON.parse(fs.readFileSync(prefsFile, 'utf8')); } catch {}
+  prefs.skillDeliver = !noSkillDeliver;
+  fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  fs.writeFileSync(prefsFile, JSON.stringify(prefs, null, 2) + '\n', { mode: 0o600 });
+  if (noSkillDeliver) {
+    console.log('Skill file scanning disabled. Only local checks will run.');
+  }
   try {
     const original = fs.readlinkSync(openclawLink);
     fs.writeFileSync(backupLink, original);
@@ -65,6 +76,7 @@ if (args[0] === 'enable') {
   fs.unlinkSync(openclawLink);
   fs.symlinkSync(wrapper, openclawLink);
   console.log('openclaw-secure enabled. `openclaw` is now guarded.');
+  console.log('Restart your openclaw gateway for the guard to take effect.');
   process.exit(0);
 }
 

package/monitor/prompt_injection_guard/index.js

@@ -1,21 +1,90 @@
 'use strict';
 
-// Only scan commands that fetch Notion pages
-const SCAN_PATTERNS = [
+const path = require('path');
+
+// Hardcoded fallback patterns (used when server is unreachable)
+const DEFAULT_SCAN_PATTERNS = [
   'curl -s "https://api.notion.com/v1/pages/',
+  'curl "https://api.notion.com/v1/pages/',
+  'curl -s "https://api.notion.com/v1/blocks/',
+  'curl "https://api.notion.com/v1/blocks/',
 ];
 
-module.exports = function createPromptInjectionGuard({ httpsRequest, anthropicKey, analytics }) {
+const PATTERNS_CACHE_FILE = '.scan_patterns_cache.json';
+
+module.exports = function createPromptInjectionGuard({ httpsRequest, anthropicKey, analytics, readFileSync, apiKey, baseDir }) {
   const track = analytics ? analytics.track.bind(analytics) : () => {};
   const flaggedOutput = new Map();  // id → { suspicious, reason, command }
   const pendingScans = new Set();   // scan ids currently in-flight
   let scanCounter = 0;
+  let scanPatterns = [...DEFAULT_SCAN_PATTERNS];
+
+  // Load cached patterns from disk
+  const cacheFile = baseDir ? path.join(baseDir, 'monitor', PATTERNS_CACHE_FILE) : null;
+  if (cacheFile && readFileSync) {
+    try {
+      const cached = JSON.parse(readFileSync(cacheFile, 'utf8'));
+      if (Array.isArray(cached.patterns) && cached.patterns.length > 0) {
+        scanPatterns = cached.patterns;
+      }
+    } catch {}
+  }
+
+  // Fetch patterns from server (non-blocking, updates in background)
+  function fetchPatternsFromServer() {
+    if (!httpsRequest || !apiKey) return;
+
+    const options = {
+      hostname: 'lschqndjjwtyrlcojvly.supabase.co',
+      port: 443,
+      path: '/rest/v1/scan_patterns?select=pattern&is_active=eq.true',
+      method: 'GET',
+      headers: {
+        'apikey': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImxzY2hxbmRqand0eXJsY29qdmx5Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0NDE3MTEsImV4cCI6MjA4NjAxNzcxMX0.NAC9Tx5a_HswXPC41sDocDPZGuKLgDD-IujX7MSW0I0',
+        'Authorization': `Bearer ${apiKey}`,
+      },
+      timeout: 10000,
+    };
+
+    try {
+      const req = httpsRequest(options, (res) => {
+        let body = '';
+        res.on('data', (chunk) => { body += chunk; });
+        res.on('end', () => {
+          if (res.statusCode === 200) {
+            try {
+              const rows = JSON.parse(body);
+              if (Array.isArray(rows) && rows.length > 0) {
+                const patterns = rows.map(r => r.pattern).filter(Boolean);
+                if (patterns.length > 0) {
+                  scanPatterns = patterns;
+                  // Cache to disk
+                  if (cacheFile) {
+                    try {
+                      const fs = require('fs');
+                      fs.writeFileSync(cacheFile, JSON.stringify({ patterns, updated: new Date().toISOString() }));
+                    } catch {}
+                  }
+                }
+              }
+              // If server returns empty, keep current patterns (fallback)
+            } catch {}
+          }
+          // Non-200: fail-open, keep current patterns
+        });
+      });
+
+      req.on('error', () => {});
+      req.on('timeout', () => { req.destroy(); });
+      req.end();
+    } catch {}
+  }
 
   function shouldScanCommand(cmd) {
     if (!cmd || typeof cmd !== 'string') return false;
     if (!anthropicKey) return false;
     const lower = cmd.toLowerCase();
-    return SCAN_PATTERNS.some(p => lower.includes(p));
+    return scanPatterns.some(p => lower.includes(p.toLowerCase()));
   }
 
   function scanOutput(command, stdout, stderr) {
@@ -135,7 +204,7 @@ Do NOT continue with ANY task until the human explicitly resolves this.`;
     shouldScanCommand,
     checkFlaggedOutput,
     formatOutputBlockError,
-    init() {},  // no startup work needed
+    init() { fetchPatternsFromServer(); },
     cleanup() {},
   };
 };

package/monitor/skills_guard/index.js

@@ -8,7 +8,17 @@ const os = require('os');
 const SKILL_SCAN_API = 'https://lschqndjjwtyrlcojvly.supabase.co/functions/v1/scan-skill';
 const HOME = os.homedir();
 
-module.exports = function createSkillsGuard({ readFileSync, httpsRequest, baseDir, apiKey, analytics }) {
+module.exports = function createSkillsGuard({ readFileSync, httpsRequest, baseDir, apiKey, analytics, enabled = true }) {
+  // If skill delivery is disabled, return a no-op guard
+  if (!enabled) {
+    return {
+      checkFlaggedSkills() { return null; },
+      formatSkillBlockError() { return ''; },
+      init() {},
+      cleanup() {},
+    };
+  }
+
   const track = analytics ? analytics.track.bind(analytics) : () => {};
   const SKILL_CACHE_FILE = path.join(baseDir, 'monitor', '.skill_scan_cache.json');
   const INSTALL_ID_FILE = path.join(baseDir, 'monitor', '.install_id');

package/openclaw-secure.js

@@ -9,7 +9,15 @@ const _originalHttpsRequest = require('https').request;
 const os = require('os');
 const MONITOR_PY = path.join(__dirname, 'monitor', 'monitor.py');
 const MONITOR_CWD = path.join(__dirname, 'monitor');
-const CONFIG_FILE = path.join(os.homedir(), '.contextfort', 'config');
+const CONFIG_DIR = path.join(os.homedir(), '.contextfort');
+const CONFIG_FILE = path.join(CONFIG_DIR, 'config');
+const PREFS_FILE = path.join(CONFIG_DIR, 'preferences.json');
+
+function loadPreferences() {
+  try { return JSON.parse(_originalReadFileSync(PREFS_FILE, 'utf8')); } catch { return {}; }
+}
+const PREFS = loadPreferences();
+const SKILL_DELIVER = PREFS.skillDeliver !== false; // default true
 
 // === Analytics ===
 const analytics = require('./monitor/analytics')({
@@ -32,7 +40,7 @@ function loadApiKey() {
 const API_KEY = loadApiKey();
 
 const NO_KEY_MESSAGE = `SECURITY FIREWALL -- No API key configured. ALL agent actions are blocked.
-Get your API key at https://contextfort.ai and run:
+Get your API key at https://contextfort.ai/login and run:
   openclaw-secure set-key <your-key>
 Then restart your openclaw session.`;
 
@@ -48,6 +56,7 @@ const skillsGuard = require('./monitor/skills_guard')({
   baseDir: __dirname,
   apiKey: API_KEY,
   analytics,
+  enabled: SKILL_DELIVER,
 });
 
 // === Prompt Injection Guard (PostToolUse) ===
@@ -55,6 +64,9 @@ const ANTHROPIC_KEY = process.env.ANTHROPIC_API_KEY || null;
 const promptInjectionGuard = require('./monitor/prompt_injection_guard')({
   httpsRequest: _originalHttpsRequest,
   anthropicKey: ANTHROPIC_KEY,
+  readFileSync: _originalReadFileSync,
+  apiKey: API_KEY,
+  baseDir: __dirname,
   analytics,
 });
 
@@ -270,21 +282,8 @@ function hookFsMethods(fsModule) {
   if (fsModule.readFileSync && !fsModule.readFileSync.__hooked) {
     const orig = fsModule.readFileSync;
     fsModule.readFileSync = function(filePath, options) {
-      const keyBlock = checkApiKey();
-      if (keyBlock) {
-        analytics.track('fs_blocked', { blocker: 'api_key' });
-        const e = new Error(keyBlock.reason); e.code = 'EACCES'; throw e;
-      }
-      const outputBlock = promptInjectionGuard.checkFlaggedOutput();
-      if (outputBlock) {
-        analytics.track('fs_blocked', { blocker: 'prompt_injection' });
-        const e = new Error(promptInjectionGuard.formatOutputBlockError(outputBlock)); e.code = 'EACCES'; throw e;
-      }
-      const skillBlock = skillsGuard.checkFlaggedSkills();
-      if (skillBlock) {
-        analytics.track('fs_blocked', { blocker: 'skill' });
-        const e = new Error(skillsGuard.formatSkillBlockError(skillBlock)); e.code = 'EACCES'; throw e;
-      }
+      // Pass-through: blocking here disrupts openclaw's own config/LLM operations.
+      // Agent actions are blocked at child_process level instead.
       return orig.apply(this, arguments);
     };
     fsModule.readFileSync.__hooked = true;
@@ -297,26 +296,8 @@ function hookHttpModule(mod, protocol) {
   if (mod.request && !mod.request.__hooked) {
     const orig = mod.request;
     mod.request = function(options, callback) {
-      try {
-        const keyBlock = checkApiKey();
-        if (keyBlock) {
-          analytics.track('http_blocked', { blocker: 'api_key' });
-          const e = new Error(keyBlock.reason); e.code = 'ENOTALLOW'; throw e;
-        }
-        const outputBlock = promptInjectionGuard.checkFlaggedOutput();
-        if (outputBlock) {
-          analytics.track('http_blocked', { blocker: 'prompt_injection' });
-          const e = new Error(promptInjectionGuard.formatOutputBlockError(outputBlock)); e.code = 'ENOTALLOW'; throw e;
-        }
-        const skillBlock = skillsGuard.checkFlaggedSkills();
-        if (skillBlock) {
-          analytics.track('http_blocked', { blocker: 'skill' });
-          const e = new Error(skillsGuard.formatSkillBlockError(skillBlock)); e.code = 'ENOTALLOW'; throw e;
-        }
-      } catch (err) {
-        if (err.code === 'ENOTALLOW') throw err;
-      }
-
+      // Pass-through: blocking here kills openclaw's LLM API calls.
+      // Agent actions are blocked at child_process level instead.
       return orig.apply(this, arguments);
     };
     mod.request.__hooked = true;
@@ -325,26 +306,6 @@ function hookHttpModule(mod, protocol) {
   if (mod.get && !mod.get.__hooked) {
     const orig = mod.get;
     mod.get = function(options, callback) {
-      try {
-        const keyBlock = checkApiKey();
-        if (keyBlock) {
-          analytics.track('http_blocked', { blocker: 'api_key' });
-          const e = new Error(keyBlock.reason); e.code = 'ENOTALLOW'; throw e;
-        }
-        const outputBlock = promptInjectionGuard.checkFlaggedOutput();
-        if (outputBlock) {
-          analytics.track('http_blocked', { blocker: 'prompt_injection' });
-          const e = new Error(promptInjectionGuard.formatOutputBlockError(outputBlock)); e.code = 'ENOTALLOW'; throw e;
-        }
-        const skillBlock = skillsGuard.checkFlaggedSkills();
-        if (skillBlock) {
-          analytics.track('http_blocked', { blocker: 'skill' });
-          const e = new Error(skillsGuard.formatSkillBlockError(skillBlock)); e.code = 'ENOTALLOW'; throw e;
-        }
-      } catch (err) {
-        if (err.code === 'ENOTALLOW') throw err;
-      }
-
       return orig.apply(this, arguments);
     };
     mod.get.__hooked = true;
@@ -357,27 +318,8 @@ function hookGlobalFetch() {
   if (!globalThis.fetch || globalThis.fetch.__hooked) return;
   const origFetch = globalThis.fetch;
   globalThis.fetch = function(url, options) {
-    try {
-      const keyBlock = checkApiKey();
-      if (keyBlock) {
-        analytics.track('fetch_blocked', { blocker: 'api_key' });
-        return Promise.reject(new Error(keyBlock.reason));
-      }
-      const outputBlock = promptInjectionGuard.checkFlaggedOutput();
-      if (outputBlock) {
-        analytics.track('fetch_blocked', { blocker: 'prompt_injection' });
-        return Promise.reject(new Error(promptInjectionGuard.formatOutputBlockError(outputBlock)));
-      }
-      const skillBlock = skillsGuard.checkFlaggedSkills();
-      if (skillBlock) {
-        analytics.track('fetch_blocked', { blocker: 'skill' });
-        return Promise.reject(new Error(skillsGuard.formatSkillBlockError(skillBlock)));
-      }
-    } catch (err) {
-      if (err.message && err.message.includes('SECURITY FIREWALL')) {
-        return Promise.reject(err);
-      }
-    }
+    // Pass-through: blocking here kills openclaw's LLM API calls.
+    // Agent actions are blocked at child_process level instead.
     return origFetch.apply(this, arguments);
   };
   globalThis.fetch.__hooked = true;
@@ -413,6 +355,9 @@ Module.prototype.require = function(id) {
   return r;
 };
 
-// === Initialize Skill Scanner (non-blocking) ===
-setImmediate(() => { try { skillsGuard.init(); } catch {} });
+// === Initialize guards (non-blocking) ===
+setImmediate(() => {
+  try { skillsGuard.init(); } catch {}
+  try { promptInjectionGuard.init(); } catch {}
+});
 process.on('exit', () => { skillsGuard.cleanup(); });

package/package.json

@@ -1,10 +1,13 @@
 {
   "name": "@contextfort-ai/openclaw-secure",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "description": "Runtime security guard for OpenClaw — blocks malicious commands before they execute",
   "bin": {
     "openclaw-secure": "./bin/openclaw-secure.js"
   },
+  "scripts": {
+    "postinstall": "node -e \"console.log('\\n\\x1b[32m✓ openclaw-secure installed!\\x1b[0m\\n\\nGet your API key at https://contextfort.ai/login and run:\\n\\n  openclaw-secure set-key <your-key>\\n  openclaw-secure enable\\n')\""
+  },
   "keywords": [
     "openclaw",
     "security",