@contextfort-ai/openclaw-secure 0.1.6 → 0.1.8

package/bin/openclaw-secure.js

@@ -81,6 +81,175 @@ if (args[0] === 'enable') {
   process.exit(0);
 }
 
+if (args[0] === 'dashboard') {
+  const portArg = args.find(a => a.startsWith('--port='));
+  const port = portArg ? parseInt(portArg.split('=')[1]) : 9009;
+  const startDashboard = require('../monitor/dashboard/server');
+  const server = startDashboard({ port });
+
+  // Auto-open browser
+  const openUrl = `http://localhost:${port}`;
+  try {
+    const { execSync } = require('child_process');
+    if (process.platform === 'darwin') execSync(`open "${openUrl}"`);
+    else if (process.platform === 'linux') execSync(`xdg-open "${openUrl}" 2>/dev/null`);
+    else if (process.platform === 'win32') execSync(`start "" "${openUrl}"`);
+  } catch {}
+
+  process.on('SIGINT', () => { server.close(); process.exit(0); });
+  // Keep alive — don't fall through
+  return;
+}
+
+if (args[0] === 'scan' || args[0] === 'solve') {
+  const { spawnSync } = require('child_process');
+  const readline = require('readline');
+  const secretsGuard = require('../monitor/secrets_guard')({
+    spawnSync,
+    baseDir: packageDir,
+    analytics: null,
+  });
+
+  if (!secretsGuard.isTrufflehogInstalled()) {
+    console.error('\n  trufflehog is not installed.\n');
+    console.error('  Install it with:  brew install trufflehog');
+    console.error('  Or see: https://github.com/trufflesecurity/trufflehog#installation\n');
+    process.exit(1);
+  }
+
+  const onlyVerified = !args.includes('--all');
+  const cwd = args.find(a => !a.startsWith('-') && a !== 'scan' && a !== 'solve') || process.cwd();
+
+  console.log('\n  Running TruffleHog secret scan...');
+  if (args[0] === 'scan' && onlyVerified) {
+    console.log('  Mode: verified secrets only (use --all to include unverified)\n');
+  } else if (args[0] === 'scan') {
+    console.log('  Mode: all findings (including unverified)\n');
+  } else {
+    console.log('  Mode: solve — scanning for live secrets to replace\n');
+  }
+
+  // For solve, always scan with onlyVerified=true (only replace live secrets)
+  const scanVerified = args[0] === 'solve' ? true : onlyVerified;
+  const result = secretsGuard.scan(cwd, { onlyVerified: scanVerified });
+  console.log(secretsGuard.formatResults(result));
+
+  if (args[0] === 'scan') {
+    process.exit(result.findings.filter(f => f.verified).length > 0 ? 1 : 0);
+  }
+
+  // === SOLVE mode ===
+  const verified = result.findings.filter(f => f.verified && f.rawFull && f.file);
+  if (verified.length === 0) {
+    console.log('  Nothing to solve — no live hardcoded secrets found.\n');
+    process.exit(0);
+  }
+
+  // Group findings by file
+  const fileMap = new Map(); // file → [findings]
+  for (const f of verified) {
+    if (!fileMap.has(f.file)) fileMap.set(f.file, []);
+    fileMap.get(f.file).push(f);
+  }
+  const fileList = [...fileMap.entries()]; // [[file, [findings]], ...]
+
+  console.log(`  OpenClaw can read these ${fileList.length} file(s) containing ${verified.length} live secret(s).`);
+  console.log('  If not replaced, OpenClaw could read and leak them.\n');
+  console.log('  Use \u2191\u2193 to move, SPACE to select, A to toggle all, ENTER to confirm, Q to quit.\n');
+
+  // Build items for checkbox UI
+  const items = fileList.map(([filePath, findings]) => {
+    const types = [...new Set(findings.map(f => f.detectorName))].join(', ');
+    const count = findings.length;
+    return {
+      label: `${filePath.replace(os.homedir(), '~')}  (${count} ${types})`,
+      selected: false,
+    };
+  });
+
+  let cursor = 0;
+
+  function render() {
+    // Move cursor up to overwrite previous render
+    if (items._rendered) {
+      process.stdout.write(`\x1b[${items.length + 1}A`);
+    }
+    for (let i = 0; i < items.length; i++) {
+      const check = items[i].selected ? '\x1b[32m\u25c9\x1b[0m' : '\u25cb';
+      const pointer = i === cursor ? '\x1b[36m\u276f\x1b[0m ' : '  ';
+      const dim = i === cursor ? '' : '\x1b[2m';
+      const reset = i === cursor ? '' : '\x1b[0m';
+      process.stdout.write(`\x1b[2K  ${pointer}${check} ${dim}${items[i].label}${reset}\n`);
+    }
+    const selectedCount = items.filter(it => it.selected).length;
+    process.stdout.write(`\x1b[2K  \x1b[2m${selectedCount}/${items.length} selected\x1b[0m\n`);
+    items._rendered = true;
+  }
+
+  render();
+
+  const stdin = process.stdin;
+  stdin.setRawMode(true);
+  stdin.resume();
+  stdin.setEncoding('utf8');
+
+  stdin.on('data', (key) => {
+    if (key === 'q' || key === '\x03') {
+      // q or Ctrl+C
+      stdin.setRawMode(false);
+      console.log('\n\n  Aborted. No changes made.\n');
+      process.exit(0);
+    }
+    if (key === '\r' || key === '\n') {
+      // Enter — confirm
+      stdin.setRawMode(false);
+      stdin.pause();
+      const selectedFindings = [];
+      for (let i = 0; i < items.length; i++) {
+        if (items[i].selected) {
+          selectedFindings.push(...fileList[i][1]);
+        }
+      }
+      if (selectedFindings.length === 0) {
+        console.log('\n\n  No files selected. Aborted.\n');
+        process.exit(0);
+      }
+      const selectedFiles = items.filter(it => it.selected).length;
+      console.log(`\n\n  Replacing secrets in ${selectedFiles} file(s)...`);
+      const results = secretsGuard.solve(selectedFindings);
+      console.log(secretsGuard.formatSolveResults(results));
+      process.exit(0);
+      return;
+    }
+    if (key === ' ') {
+      // Space — toggle current item
+      items[cursor].selected = !items[cursor].selected;
+      render();
+      return;
+    }
+    if (key === 'a' || key === 'A') {
+      // A — toggle all
+      const allSelected = items.every(it => it.selected);
+      for (const it of items) it.selected = !allSelected;
+      render();
+      return;
+    }
+    if (key === '\x1b[A' || key === 'k') {
+      // Up arrow or k
+      cursor = (cursor - 1 + items.length) % items.length;
+      render();
+      return;
+    }
+    if (key === '\x1b[B' || key === 'j') {
+      // Down arrow or j
+      cursor = (cursor + 1) % items.length;
+      render();
+      return;
+    }
+  });
+  return; // don't fall through — raw mode is async
+}
+
 if (args[0] === 'disable') {
   try {
     const original = fs.readFileSync(backupLink, 'utf8').trim();

package/monitor/analytics.js

@@ -9,7 +9,7 @@ const ANALYTICS_DISABLED = ['1', 'true', 'yes'].includes(
   (process.env.CONTEXTFORT_NO_ANALYTICS || '').toLowerCase()
 );
 
-module.exports = function createAnalytics({ httpsRequest, readFileSync, baseDir }) {
+module.exports = function createAnalytics({ httpsRequest, readFileSync, baseDir, localLogger }) {
   if (ANALYTICS_DISABLED || !httpsRequest) {
     return { track() {} };
   }
@@ -27,7 +27,7 @@ module.exports = function createAnalytics({ httpsRequest, readFileSync, baseDir
 
   function track(event, properties) {
     if (!installId) return;
-    const body = JSON.stringify({
+    const payload = {
       api_key: POSTHOG_API_KEY,
       event,
       properties: {
@@ -35,7 +35,13 @@ module.exports = function createAnalytics({ httpsRequest, readFileSync, baseDir
         ...properties,
       },
       timestamp: new Date().toISOString(),
-    });
+    };
+    const body = JSON.stringify(payload);
+
+    // Log what we're sending to PostHog
+    if (localLogger) {
+      try { localLogger.logServerSend({ destination: 'posthog', event, properties: properties || {} }); } catch {}
+    }
 
     try {
       const req = httpsRequest({