npm - @ellistevo/openclaw-secure - Versions diffs - 1.0.0 - Mend

@ellistevo/openclaw-secure 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/bin/cli.js ADDED Viewed

@@ -0,0 +1,399 @@
+#!/usr/bin/env node
+/**
+ * OpenClaw Secure CLI
+ * Command-line tool for managing skill security
+ */
+const { Command } = require('commander');
+const fs = require('fs');
+const path = require('path');
+const yaml = require('yaml');
+const crypto = require('crypto');
+// Import our modules
+const {
+  validateManifest,
+  generateKeyPair,
+  signManifest,
+  verifyManifest,
+  isSigned,
+  calculateTrustScore,
+  formatTrustScore,
+  getKeyFingerprint,
+  defaultPermissions,
+  defaultResources
+} = require('../src');
+const program = new Command();
+// Colors for terminal output (basic ANSI)
+const colors = {
+  reset: '\x1b[0m',
+  red: '\x1b[31m',
+  green: '\x1b[32m',
+  yellow: '\x1b[33m',
+  blue: '\x1b[34m',
+  cyan: '\x1b[36m',
+  gray: '\x1b[90m',
+  bold: '\x1b[1m'
+};
+function colorize(text, color) {
+  return `${colors[color] || ''}${text}${colors.reset}`;
+}
+function success(msg) {
+  console.log(colorize('✓ ' + msg, 'green'));
+}
+function error(msg) {
+  console.error(colorize('✗ ' + msg, 'red'));
+}
+function info(msg) {
+  console.log(colorize('ℹ ' + msg, 'cyan'));
+}
+function warn(msg) {
+  console.log(colorize('⚠ ' + msg, 'yellow'));
+}
+program
+  .name('openclaw-secure')
+  .description('Security toolkit for OpenClaw skills')
+  .version('1.0.0');
+// === INIT COMMAND ===
+program
+  .command('init')
+  .description('Initialize a new skill manifest (skill.yaml)')
+  .option('-n, --name <name>', 'Skill name')
+  .option('-a, --author <author>', 'Author name')
+  .option('-f, --force', 'Overwrite existing manifest')
+  .action((options) => {
+    const manifestPath = path.join(process.cwd(), 'skill.yaml');
+    if (fs.existsSync(manifestPath) && !options.force) {
+      error('skill.yaml already exists. Use --force to overwrite.');
+      process.exit(1);
+    }
+    const skillName = options.name || path.basename(process.cwd());
+    const authorName = options.author || process.env.USER || 'unknown';
+    const manifest = {
+      name: skillName.toLowerCase().replace(/[^a-z0-9-]/g, '-'),
+      version: '1.0.0',
+      display_name: skillName,
+      description: 'A secure OpenClaw skill',
+      author: {
+        name: authorName
+      },
+      license: 'MIT',
+      permissions: {
+        network: {
+          allow: [],
+          deny: []
+        },
+        filesystem: {
+          read: [],
+          write: [],
+          deny: ['~/.ssh', '~/.gnupg', '~/.config/openclaw']
+        },
+        shell: {
+          allowed: false,
+          commands: []
+        },
+        credentials: [],
+        capabilities: {
+          browser: false,
+          messaging: false,
+          cron: false,
+          spawn_agents: false
+        }
+      },
+      resources: {
+        max_memory_mb: 256,
+        max_cpu_percent: 25,
+        max_runtime_seconds: 60,
+        max_network_mb: 10
+      }
+    };
+    const yamlContent = yaml.stringify(manifest);
+    fs.writeFileSync(manifestPath, yamlContent);
+    success(`Created skill.yaml for "${manifest.name}"`);
+    info('Edit the manifest to declare your skill\'s permissions');
+    info('Then run: openclaw-secure sign');
+  });
+// === VALIDATE COMMAND ===
+program
+  .command('validate')
+  .description('Validate a skill manifest')
+  .argument('[path]', 'Path to skill.yaml', 'skill.yaml')
+  .action((manifestPath) => {
+    if (!fs.existsSync(manifestPath)) {
+      error(`File not found: ${manifestPath}`);
+      process.exit(1);
+    }
+    try {
+      const content = fs.readFileSync(manifestPath, 'utf8');
+      const manifest = yaml.parse(content);
+      const result = validateManifest(manifest);
+      if (result.valid) {
+        success('Manifest is valid');
+        // Show trust score
+        const trust = calculateTrustScore(result.manifest, {
+          signed: isSigned(result.manifest),
+          verified: false
+        });
+        console.log(formatTrustScore(trust));
+      } else {
+        error('Manifest validation failed:');
+        result.errors.forEach(err => {
+          console.log(`   - ${err}`);
+        });
+        process.exit(1);
+      }
+    } catch (err) {
+      error(`Failed to parse manifest: ${err.message}`);
+      process.exit(1);
+    }
+  });
+// === KEYGEN COMMAND ===
+program
+  .command('keygen')
+  .description('Generate a new signing keypair')
+  .option('-o, --output <dir>', 'Output directory', path.join(process.env.HOME || process.env.USERPROFILE, '.openclaw-secure'))
+  .option('-n, --name <name>', 'Key name', 'default')
+  .action((options) => {
+    const outputDir = options.output;
+    const keyName = options.name;
+    // Create output directory if needed
+    if (!fs.existsSync(outputDir)) {
+      fs.mkdirSync(outputDir, { recursive: true });
+    }
+    const secretKeyPath = path.join(outputDir, `${keyName}.key`);
+    const publicKeyPath = path.join(outputDir, `${keyName}.pub`);
+    if (fs.existsSync(secretKeyPath)) {
+      error(`Key already exists: ${secretKeyPath}`);
+      error('Use a different --name or delete the existing key');
+      process.exit(1);
+    }
+    // Generate keypair
+    const keyPair = generateKeyPair();
+    // Save keys
+    fs.writeFileSync(secretKeyPath, keyPair.secretKey, { mode: 0o600 });
+    fs.writeFileSync(publicKeyPath, keyPair.publicKey, { mode: 0o644 });
+    const fingerprint = getKeyFingerprint(keyPair.publicKey);
+    success('Generated new signing keypair');
+    info(`Secret key: ${secretKeyPath}`);
+    info(`Public key: ${publicKeyPath}`);
+    info(`Fingerprint: ${fingerprint}`);
+    warn('Keep your secret key safe! Anyone with it can sign skills as you.');
+  });
+// === SIGN COMMAND ===
+program
+  .command('sign')
+  .description('Sign a skill manifest')
+  .argument('[path]', 'Path to skill.yaml', 'skill.yaml')
+  .option('-k, --key <path>', 'Path to secret key')
+  .option('-n, --name <name>', 'Signer name (for signature block)')
+  .action((manifestPath, options) => {
+    if (!fs.existsSync(manifestPath)) {
+      error(`File not found: ${manifestPath}`);
+      process.exit(1);
+    }
+    // Find secret key
+    let secretKeyPath = options.key;
+    if (!secretKeyPath) {
+      const defaultKeyDir = path.join(process.env.HOME || process.env.USERPROFILE, '.openclaw-secure');
+      secretKeyPath = path.join(defaultKeyDir, 'default.key');
+    }
+    if (!fs.existsSync(secretKeyPath)) {
+      error(`Secret key not found: ${secretKeyPath}`);
+      error('Run: openclaw-secure keygen');
+      process.exit(1);
+    }
+    try {
+      // Read manifest
+      const content = fs.readFileSync(manifestPath, 'utf8');
+      const manifest = yaml.parse(content);
+      // Validate first
+      const validation = validateManifest(manifest);
+      if (!validation.valid) {
+        error('Manifest validation failed. Fix errors before signing:');
+        validation.errors.forEach(err => console.log(`   - ${err}`));
+        process.exit(1);
+      }
+      // Read secret key
+      const secretKey = fs.readFileSync(secretKeyPath, 'utf8').trim();
+      // Determine signer name
+      const signerName = options.name || manifest.author?.name || 'unknown';
+      // Sign manifest
+      const signedManifest = signManifest(validation.manifest, secretKey, signerName);
+      // Write back
+      const yamlContent = yaml.stringify(signedManifest);
+      fs.writeFileSync(manifestPath, yamlContent);
+      success(`Signed manifest as "${signerName}"`);
+      info(`Hash: ${signedManifest.signature.content_hash}`);
+      info(`Signed at: ${signedManifest.signature.signed_at}`);
+    } catch (err) {
+      error(`Signing failed: ${err.message}`);
+      process.exit(1);
+    }
+  });
+// === VERIFY COMMAND ===
+program
+  .command('verify')
+  .description('Verify a signed skill manifest')
+  .argument('[path]', 'Path to skill.yaml', 'skill.yaml')
+  .action((manifestPath) => {
+    if (!fs.existsSync(manifestPath)) {
+      error(`File not found: ${manifestPath}`);
+      process.exit(1);
+    }
+    try {
+      const content = fs.readFileSync(manifestPath, 'utf8');
+      const manifest = yaml.parse(content);
+      if (!isSigned(manifest)) {
+        error('Manifest is not signed');
+        process.exit(1);
+      }
+      const result = verifyManifest(manifest);
+      if (result.valid) {
+        success('Signature is valid');
+        info(`Signer: ${result.signer}`);
+        info(`Signed at: ${result.signed_at}`);
+        info(`Public key: ${result.public_key.substring(0, 16)}...`);
+        // Show trust score
+        const trust = calculateTrustScore(manifest, { signed: true, verified: true });
+        console.log(formatTrustScore(trust));
+      } else {
+        error(`Verification failed: ${result.error}`);
+        if (result.expected && result.computed) {
+          info(`Expected hash: ${result.expected}`);
+          info(`Computed hash: ${result.computed}`);
+        }
+        process.exit(1);
+      }
+    } catch (err) {
+      error(`Verification failed: ${err.message}`);
+      process.exit(1);
+    }
+  });
+// === AUDIT COMMAND ===
+program
+  .command('audit')
+  .description('Audit a skill and show trust score')
+  .argument('[path]', 'Path to skill.yaml', 'skill.yaml')
+  .option('-v, --verbose', 'Show detailed breakdown')
+  .action((manifestPath, options) => {
+    if (!fs.existsSync(manifestPath)) {
+      error(`File not found: ${manifestPath}`);
+      process.exit(1);
+    }
+    try {
+      const content = fs.readFileSync(manifestPath, 'utf8');
+      const manifest = yaml.parse(content);
+      // Validate
+      const validation = validateManifest(manifest);
+      if (!validation.valid) {
+        warn('Manifest has validation errors:');
+        validation.errors.forEach(err => console.log(`   - ${err}`));
+      }
+      // Check signature
+      let signed = false;
+      let verified = false;
+      if (isSigned(manifest)) {
+        const verifyResult = verifyManifest(manifest);
+        signed = true;
+        verified = verifyResult.valid;
+        if (verified) {
+          success(`Signed by: ${verifyResult.signer}`);
+        } else {
+          warn(`Signature present but invalid: ${verifyResult.error}`);
+        }
+      } else {
+        warn('Manifest is not signed');
+      }
+      // Calculate trust score
+      const trust = calculateTrustScore(validation.manifest, { signed, verified });
+      console.log(formatTrustScore(trust));
+      // Verbose output
+      if (options.verbose) {
+        console.log('\n' + colorize('Permissions Detail:', 'bold'));
+        console.log(yaml.stringify(validation.manifest.permissions));
+      }
+    } catch (err) {
+      error(`Audit failed: ${err.message}`);
+      process.exit(1);
+    }
+  });
+// === SHOW-PUBLIC-KEY COMMAND ===
+program
+  .command('show-key')
+  .description('Show public key for sharing')
+  .option('-n, --name <name>', 'Key name', 'default')
+  .action((options) => {
+    const keyDir = path.join(process.env.HOME || process.env.USERPROFILE, '.openclaw-secure');
+    const publicKeyPath = path.join(keyDir, `${options.name}.pub`);
+    if (!fs.existsSync(publicKeyPath)) {
+      error(`Public key not found: ${publicKeyPath}`);
+      error('Run: openclaw-secure keygen');
+      process.exit(1);
+    }
+    const publicKey = fs.readFileSync(publicKeyPath, 'utf8').trim();
+    const fingerprint = getKeyFingerprint(publicKey);
+    console.log('\n' + colorize('Your Public Key:', 'bold'));
+    console.log(publicKey);
+    console.log('\n' + colorize('Fingerprint:', 'bold'));
+    console.log(fingerprint);
+    console.log('\n' + colorize('Share this key so others can verify your signatures.', 'gray'));
+  });
+program.parse();

package/package.json ADDED Viewed

@@ -0,0 +1,43 @@
+{
+  "name": "@ellistevo/openclaw-secure",
+  "version": "1.0.0",
+  "description": "Security toolkit for OpenClaw skills - signing, manifests, and verification",
+  "main": "src/index.js",
+  "bin": {
+    "openclaw-secure": "./bin/cli.js"
+  },
+  "scripts": {
+    "test": "node --test test/*.test.js",
+    "lint": "eslint src/ bin/",
+    "build": "echo 'No build step needed'",
+    "prepublishOnly": "npm test"
+  },
+  "keywords": [
+    "openclaw",
+    "ai",
+    "agent",
+    "security",
+    "signing",
+    "manifest"
+  ],
+  "author": "Sociable Inc <hello@sociable.social>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/sociable-inc/openclaw-secure"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "yaml": "^2.3.4",
+    "ajv": "^8.12.0",
+    "ajv-formats": "^2.1.1",
+    "commander": "^11.1.0",
+    "tweetnacl": "^1.0.3",
+    "tweetnacl-util": "^0.15.1"
+  },
+  "devDependencies": {
+    "eslint": "^8.56.0"
+  }
+}

package/src/index.js ADDED Viewed

@@ -0,0 +1,57 @@
+/**
+ * OpenClaw Secure
+ * Security toolkit for OpenClaw skills - signing, manifests, and verification
+ *
+ * @author Sociable Inc <hello@sociable.social>
+ * @license MIT
+ */
+const { manifestSchema, defaultPermissions, defaultResources } = require('./schema');
+const { validateManifest, isValidManifest, assertValidManifest, applyDefaults } = require('./validator');
+const {
+  generateKeyPair,
+  computeHash,
+  signManifest,
+  verifyManifest,
+  isSigned,
+  getSignableContent,
+  getKeyFingerprint
+} = require('./signing');
+const {
+  calculateTrustScore,
+  scoreToGrade,
+  gradeColor,
+  gradeEmoji,
+  formatTrustScore,
+  RISK_WEIGHTS
+} = require('./trust');
+module.exports = {
+  // Schema
+  manifestSchema,
+  defaultPermissions,
+  defaultResources,
+  // Validation
+  validateManifest,
+  isValidManifest,
+  assertValidManifest,
+  applyDefaults,
+  // Signing
+  generateKeyPair,
+  computeHash,
+  signManifest,
+  verifyManifest,
+  isSigned,
+  getSignableContent,
+  getKeyFingerprint,
+  // Trust scoring
+  calculateTrustScore,
+  scoreToGrade,
+  gradeColor,
+  gradeEmoji,
+  formatTrustScore,
+  RISK_WEIGHTS
+};