@lowwattlabs/clawsec 2.0.0

package/api/src/server.js

@@ -0,0 +1,58 @@
+/**
+ * ⚡ ClawSec v2 - Cloud API Server
+ * Express-based security verification service
+ */
+
+const express = require('express');
+const path = require('path');
+const os = require('os');
+const fs = require('fs');
+const { v4: uuidv4 } = require('uuid');
+const { RateLimiterMemory } = require('rate-limiter-flexible');
+const routes = require('./routes');
+const middleware = require('./middleware');
+
+const CLAWSEC_DIR = process.env.CLAWSEC_HOME || path.join(os.homedir(), '.clawsec');
+const REPORTS_DIR = process.env.CLAWSEC_REPORTS_DIR || path.join(CLAWSEC_DIR, 'reports');
+const PORT = process.env.CLAWSEC_PORT || 3100;
+
+const app = express();
+
+// Middleware
+app.use(express.json({ limit: '10mb' }));
+app.use(middleware.rateLimiter);
+app.use(middleware.apiKeyAuth);
+app.use(middleware.requestLogger);
+
+// CORS
+app.use(require('cors')({
+    origin: '*',
+    methods: ['GET', 'POST'],
+    allowedHeaders: ['Content-Type', 'Authorization', 'X-API-Key']
+}));
+
+// Static files
+app.use(express.static(path.join(__dirname, '..', 'public')));
+
+// API routes
+app.use('/api/v1', routes);
+
+// Health check
+app.get('/health', (req, res) => {
+    res.json({ status: 'ok', version: '2.0.0', uptime: process.uptime() });
+});
+
+// Error handler
+app.use((err, req, res, next) => {
+    console.error("[ERROR] " + err.message);
+    res.status(err.status || 500).json({
+        error: err.message || 'Internal server error',
+        status: err.status || 500
+    });
+});
+
+// Start
+app.listen(PORT, '0.0.0.0', () => {
+    console.log("⚡ ClawSec API v2.0.0 listening on 0.0.0.0:" + PORT);
+    fs.mkdirSync(REPORTS_DIR, { recursive: true });
+});

package/api/src/verify-wrapper.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# ⚡ ClawSec API verification wrapper
+# Activates venv and runs verify.sh --json
+set -euo pipefail
+
+# Resolve package root: this script is at <pkg>/api/src/verify-wrapper.sh
+PKG_ROOT="$(cd "$(dirname "$0")"/../.. && pwd)"
+
+source "${PKG_ROOT}/lib/common/config.sh"
+
+VENV="${CLAWSEC_HOME}/venv"
+if [[ -d "$VENV" ]]; then
+    source "$VENV/bin/activate"
+fi
+export PATH="$HOME/.local/bin:$PATH"
+exec bash "${PKG_ROOT}/lib/skill-verify/verify.sh" --json "$1"

package/bin/clawsec-api.js

@@ -0,0 +1,19 @@
+#!/usr/bin/env node
+/**
+ * ⚡ ClawSec API Server Entry Point
+ * Starts the Express API server
+ */
+
+const path = require('path');
+
+// Set defaults before requiring server
+const CLAWSEC_HOME = process.env.CLAWSEC_HOME || path.join(require('os').homedir(), '.clawsec');
+const INTEL_DIR = process.env.CLAWSEC_INTEL_DIR || path.join(CLAWSEC_HOME, 'intel');
+const REPORTS_DIR = path.join(CLAWSEC_HOME, 'reports');
+
+process.env.CLAWSEC_HOME = CLAWSEC_HOME;
+process.env.CLAWSEC_INTEL_DIR = INTEL_DIR;
+process.env.CLAWSEC_REPORTS_DIR = REPORTS_DIR;
+
+// Require the server — it reads env vars at module level
+require('../api/src/server');

package/bin/clawsec.js

@@ -0,0 +1,99 @@
+#!/usr/bin/env node
+/**
+ * ⚡ ClawSec CLI Entry Point
+ * Bootstraps Python venv if needed, then delegates to clawsec.py
+ */
+
+const { spawn, execSync } = require('child_process');
+const path = require('path');
+const fs = require('fs');
+const os = require('os');
+
+const CLAWSEC_HOME = process.env.CLAWSEC_HOME || path.join(os.homedir(), '.clawsec');
+const VENV_DIR = path.join(CLAWSEC_HOME, 'venv');
+const PYTHON = path.join(VENV_DIR, 'bin', 'python3');
+
+// Resolve package root — walk up from __dirname to find cli/clawsec.py
+function findPackageRoot() {
+  let dir = __dirname;
+  // Check if we're running from installed package
+  if (fs.existsSync(path.join(dir, '..', 'cli', 'clawsec.py'))) {
+    return path.resolve(dir, '..');
+  }
+  // Fallback
+  return path.resolve(dir, '..');
+}
+
+const PKG_ROOT = findPackageRoot();
+const CLAWSEC_PY = path.join(PKG_ROOT, 'cli', 'clawsec.py');
+const REQUIREMENTS = path.join(PKG_ROOT, 'requirements.txt');
+
+function log(msg) {
+  // Only show setup messages, not the ⚡ branding (Python handles that)
+  process.stderr.write(msg + '\n');
+}
+
+function setupVenv() {
+  if (fs.existsSync(PYTHON)) {
+    return true;
+  }
+
+  log('⚡ Setting up ClawSec Python environment (first run only)...');
+
+  try {
+    // Create CLAWSEC_HOME
+    fs.mkdirSync(CLAWSEC_HOME, { recursive: true });
+
+    // Create venv
+    log('  Creating Python venv...');
+    execSync(`python3 -m venv "${VENV_DIR}"`, { stdio: 'inherit' });
+
+    // Install requirements
+    if (fs.existsSync(REQUIREMENTS)) {
+      log('  Installing Python dependencies...');
+      execSync(`"${PYTHON}" -m pip install --quiet --upgrade pip`, { stdio: 'inherit' });
+      execSync(`"${PYTHON}" -m pip install --quiet -r "${REQUIREMENTS}"`, { stdio: 'inherit' });
+    }
+
+    log('  ✅ Python environment ready.');
+    return true;
+  } catch (err) {
+    log(`❌ Failed to set up Python environment: ${err.message}`);
+    log('   Try running: clawsec setup');
+    return false;
+  }
+}
+
+function run() {
+  // Ensure venv exists
+  if (!setupVenv()) {
+    process.exit(1);
+  }
+
+  // Build args — pass through all CLI args
+  const args = [CLAWSEC_PY, ...process.argv.slice(2)];
+
+  // Set env vars for Python subprocess
+  const env = {
+    ...process.env,
+    CLAWSEC_HOME: CLAWSEC_HOME,
+    CLAWSEC_INTEL_DIR: process.env.CLAWSEC_INTEL_DIR || path.join(CLAWSEC_HOME, 'intel'),
+    PATH: `${path.join(os.homedir(), '.local', 'bin')}:${process.env.PATH || '/usr/local/bin:/usr/bin:/bin'}`,
+  };
+
+  const child = spawn(PYTHON, args, {
+    env,
+    stdio: 'inherit',
+  });
+
+  child.on('close', (code) => {
+    process.exit(code ?? 1);
+  });
+
+  child.on('error', (err) => {
+    log(`❌ Failed to run clawsec: ${err.message}`);
+    process.exit(1);
+  });
+}
+
+run();

package/bin/setup-venv.js

@@ -0,0 +1,35 @@
+#!/usr/bin/env node
+/**
+ * ClawSec postinstall — sets up Python venv
+ * Called by npm postinstall. Safe to run multiple times.
+ */
+
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const CLAWSEC_HOME = process.env.CLAWSEC_HOME || path.join(os.homedir(), '.clawsec');
+const VENV_DIR = path.join(CLAWSEC_HOME, 'venv');
+const PYTHON = path.join(VENV_DIR, 'bin', 'python3');
+
+// Don't fail install if setup fails — user can run clawsec setup later
+try {
+  if (fs.existsSync(PYTHON)) {
+    process.exit(0); // Already set up
+  }
+
+  fs.mkdirSync(CLAWSEC_HOME, { recursive: true });
+  execSync(`python3 -m venv "${VENV_DIR}"`, { stdio: 'pipe' });
+
+  const PKG_ROOT = path.resolve(__dirname, '..');
+  const REQUIREMENTS = path.join(PKG_ROOT, 'requirements.txt');
+
+  if (fs.existsSync(REQUIREMENTS)) {
+    execSync(`"${PYTHON}" -m pip install --quiet --upgrade pip`, { stdio: 'pipe' });
+    execSync(`"${PYTHON}" -m pip install --quiet -r "${REQUIREMENTS}"`, { stdio: 'pipe' });
+  }
+} catch {
+  // Postinstall is best-effort. The CLI will try again on first run.
+  process.exit(0);
+}

package/cli/clawsec.py

@@ -0,0 +1,263 @@
+#!/usr/bin/env python3
+# ⚡ Low Watt Labs — ClawSec
+"""⚡ ClawSec v2 — Skill Security Verification
+
+Usage:
+    clawsec scan <slug|path>   Verify a skill
+    clawsec sync [source...]   Refresh intel cache
+    clawsec status             Show cache status
+    clawsec report <id>        View a saved report
+    clawsec --help             Show help
+    clawsec --version          Show version
+"""
+
+import argparse
+import json
+import os
+import subprocess
+import sys
+import time
+from pathlib import Path
+
+VERSION = "2.0.0"
+CLAWSEC_DIR = os.environ.get("CLAWSEC_HOME", os.path.expanduser("~/.clawsec"))
+INTEL_DIR = os.environ.get("CLAWSEC_INTEL_DIR", os.path.join(CLAWSEC_DIR, "intel"))
+REPORTS_DIR = os.environ.get("CLAWSEC_REPORTS_DIR", os.path.join(CLAWSEC_DIR, "reports"))
+
+# Resolve package root — cli/clawsec.py -> parent = package root
+SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
+PKG_ROOT = os.path.dirname(SCRIPT_DIR)
+
+# ANSI colors
+R = "\033[0;31m"
+G = "\033[0;32m"
+Y = "\033[0;33m"
+B = "\033[0;34m"
+C = "\033[0;36m"
+BOLD = "\033[1m"
+DIM = "\033[2m"
+RESET = "\033[0m"
+
+def banner():
+    print(f"""{BOLD}
+  ╔═════════════════════════════════════════╗
+  ║   ClawSec v{VERSION}                      ║
+  ║   ⚡ Security Verification for ClawHub  ║
+  ╚═════════════════════════════════════════╝{RESET}
+""")
+
+def cmd_scan(args):
+    """Run verification against a skill path."""
+    target = args.target
+    json_mode = args.json
+
+    # If it's a slug (no path separator and doesn't exist locally),
+    # try to download from ClawHub
+    if not os.path.exists(target) and "/" not in target and not target.startswith("."):
+        try:
+            result = subprocess.run(
+                ["clawhub", "install", target, "--dir", "/tmp/clawsec-scan-temp"],
+                capture_output=True, text=True, timeout=60
+            )
+            if result.returncode == 0:
+                for d in Path("/tmp/clawsec-scan-temp").iterdir():
+                    if d.is_dir():
+                        target = str(d)
+                        break
+        except Exception:
+            pass
+
+    if not os.path.exists(target):
+        print(f"{R}Error:{RESET} {target} not found", file=sys.stderr)
+        sys.exit(2)
+
+    # Run verify.sh — resolve relative to package root
+    verify_sh = os.path.join(PKG_ROOT, "lib", "skill-verify", "verify.sh")
+    # Fallback: check CLAWSEC_HOME (for dev/local setups)
+    if not os.path.exists(verify_sh):
+        verify_sh = os.path.join(CLAWSEC_DIR, "lib", "skill-verify", "verify.sh")
+
+    cmd = ["bash", verify_sh]
+    if json_mode:
+        cmd.append("--json")
+    if args.checks:
+        cmd.append(f"--checks={args.checks}")
+    cmd.append(target)
+
+    result = subprocess.run(cmd, capture_output=json_mode, text=True)
+    if json_mode:
+        print(result.stdout)
+    sys.exit(result.returncode)
+
+def cmd_sync(args):
+    """Run intel sync."""
+    sync_sh = os.path.join(PKG_ROOT, "lib", "intel-sync", "sync.sh")
+    if not os.path.exists(sync_sh):
+        sync_sh = os.path.join(CLAWSEC_DIR, "lib", "intel-sync", "sync.sh")
+
+    cmd = ["bash", sync_sh]
+    if args.json:
+        cmd.append("--json")
+    cmd.extend(args.sources)
+    result = subprocess.run(cmd, text=True)
+    sys.exit(result.returncode)
+
+def cmd_status(args):
+    """Show cache status."""
+    manifest_py = os.path.join(PKG_ROOT, "lib", "intel-sync", "manifest.py")
+    if not os.path.exists(manifest_py):
+        manifest_py = os.path.join(CLAWSEC_DIR, "lib", "intel-sync", "manifest.py")
+    manifest_path = os.path.join(INTEL_DIR, "manifest.json")
+
+    if args.json:
+        result = subprocess.run(["python3", manifest_py, "status"], capture_output=True, text=True)
+        print(result.stdout)
+        return
+
+    if not os.path.exists(manifest_path):
+        print(f"  {Y}No intel cache found{RESET}. Run {BOLD}clawsec sync{RESET} first.")
+        return
+
+    with open(manifest_path) as f:
+        manifest = json.load(f)
+
+    print(f"  {BOLD}Intel Cache Status{RESET}")
+    print(f"  {'─' * 50}")
+
+    for src in manifest.get("sources", []):
+        status_icon = G + "✓" + RESET if src["status"] == "success" else Y + "⚠" + RESET if src["status"] == "partial" else R + "✗" + RESET
+        last_sync = src.get("last_sync", "never")
+        if last_sync != "never":
+            try:
+                from datetime import datetime
+                dt = datetime.fromisoformat(last_sync.replace("Z", "+00:00"))
+                last_sync = dt.strftime("%Y-%m-%d %H:%M UTC")
+            except Exception:
+                pass
+        count = src.get("record_count", 0)
+        name = src["name"]
+        print(f"  {status_icon}  {name:<18} {count:>8} records  {DIM}{last_sync}{RESET}")
+
+    print(f"  {'─' * 50}")
+    updated = manifest.get("updated_at", "never")
+    try:
+        from datetime import datetime
+        dt = datetime.fromisoformat(updated.replace("Z", "+00:00"))
+        updated = dt.strftime("%Y-%m-%d %H:%M UTC")
+    except Exception:
+        pass
+    print(f"  Last full sync: {updated}")
+
+def cmd_report(args):
+    """View a saved report."""
+    report_id = args.report_id
+    report_path = os.path.join(REPORTS_DIR, f"{report_id}.json")
+
+    if not os.path.exists(report_path):
+        print(f"{R}Error:{RESET} Report {report_id} not found", file=sys.stderr)
+        sys.exit(1)
+
+    with open(report_path) as f:
+        report = json.load(f)
+
+    if args.json:
+        print(json.dumps(report, indent=2))
+        return
+
+    # Pretty-print
+    verdict = report.get("verdict", "unknown")
+    verdict_color = G if verdict == "pass" else Y if verdict == "warn" else R
+    summary = report.get("summary", {})
+
+    print(f"\n  {BOLD}Report: {report_id}{RESET}")
+    print(f"  {'─' * 50}")
+    print(f"  Skill:     {report.get('skill_path', 'unknown')}")
+    print(f"  Verdict:   {verdict_color}{BOLD}{verdict.upper()}{RESET}")
+    print(f"  Findings:  {summary.get('total_findings', 0)} total "
+          f"({R}{summary.get('critical', 0)} critical{RESET}, "
+          f"{Y}{summary.get('high', 0)} high{RESET}, "
+          f"{summary.get('medium', 0)} medium)")
+    print(f"  Time:      {report.get('timestamp', 'unknown')}")
+    print(f"  {'─' * 50}")
+
+    for check in report.get("checks", []):
+        status = check.get("status", "unknown")
+        icon = G + "✓" + RESET if status == "pass" else Y + "⚠" + RESET if status == "warn" else R + "✗" + RESET
+        name = check.get("check", "unknown")
+        findings = check.get("findings", [])
+        errors = check.get("errors", [])
+        count = len(findings) if findings else 0
+
+        print(f"\n  {icon} {name} ({status})")
+        if count > 0:
+            for f in findings[:5]:
+                desc = f.get("description", f.get("message", "No description"))
+                sev = f.get("severity", "unknown")
+                sev_color = R if sev in ("critical", "high") else Y if sev == "medium" else ""
+                print(f"    {sev_color}● {desc}{RESET}")
+            if count > 5:
+                print(f"    {DIM}... and {count - 5} more{RESET}")
+        if errors:
+            for e in errors[:3]:
+                print(f"    {DIM}err: {e}{RESET}")
+
+    print()
+
+def main():
+    parser = argparse.ArgumentParser(
+        prog="clawsec",
+        description="⚡ ClawSec v2 — Security Verification for ClawHub Skills",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="""Examples:
+  clawsec scan ./my-skill          Verify a local skill
+  clawsec scan ./my-skill --json   Machine-readable output
+  clawsec sync                     Refresh all intel sources
+  clawsec sync cisa-kev epss       Sync specific sources
+  clawsec status                   Show cache status
+  clawsec report abc123            View saved report"""
+    )
+    parser.add_argument("--version", action="version", version=f"clawsec v{VERSION}")
+
+    subparsers = parser.add_subparsers(dest="command", help="Available commands")
+
+    # scan
+    scan_parser = subparsers.add_parser("scan", help="Verify a skill")
+    scan_parser.add_argument("target", help="Skill path or ClawHub slug")
+    scan_parser.add_argument("--checks", help="Comma-separated list of checks to run")
+    scan_parser.add_argument("--json", action="store_true", help="JSON output")
+
+    # sync
+    sync_parser = subparsers.add_parser("sync", help="Refresh intel cache")
+    sync_parser.add_argument("sources", nargs="*", help="Specific sources to sync")
+    sync_parser.add_argument("--json", action="store_true", help="JSON output")
+
+    # status
+    status_parser = subparsers.add_parser("status", help="Show cache status")
+    status_parser.add_argument("--json", action="store_true", help="JSON output")
+
+    # report
+    report_parser = subparsers.add_parser("report", help="View saved report")
+    report_parser.add_argument("report_id", help="Report ID")
+    report_parser.add_argument("--json", action="store_true", help="JSON output")
+
+    args = parser.parse_args()
+
+    if args.command is None:
+        banner()
+        parser.print_help()
+        sys.exit(0)
+
+    if args.command == "scan":
+        cmd_scan(args)
+    elif args.command == "sync":
+        cmd_sync(args)
+    elif args.command == "status":
+        cmd_status(args)
+    elif args.command == "report":
+        cmd_report(args)
+    else:
+        parser.print_help()
+        sys.exit(1)
+
+if __name__ == "__main__":
+    main()

package/lib/common/__init__.py

@@ -0,0 +1,2 @@
+"""ClawSec Common - Configuration package."""
+from .config import CLAWSEC_HOME, INTEL_DIR, REPORTS_DIR

package/lib/common/colors.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+# ClawSec Common - Terminal Colors
+export RED='\033[0;31m'
+export GREEN='\033[0;32m'
+export YELLOW='\033[0;33m'
+export BLUE='\033[0;34m'
+export MAGENTA='\033[0;35m'
+export CYAN='\033[0;36m'
+export BOLD='\033[1m'
+export DIM='\033[2m'
+export RESET='\033[0m'
+
+# Status markers
+export CHECKMARK="${GREEN}✓${RESET}"
+export CROSSMARK="${RED}✗${RESET}"
+export WARNMARK="${YELLOW}⚠${RESET}"
+export INFOMARK="${BLUE}ℹ${RESET}"

package/lib/common/config.py

@@ -0,0 +1,12 @@
+"""ClawSec Common - Configuration
+
+Centralizes INTEL_DIR and CLAWSEC_HOME with env var overrides.
+Usage:
+    from lib.common.config import INTEL_DIR, CLAWSEC_HOME
+"""
+
+import os
+
+CLAWSEC_HOME = os.environ.get("CLAWSEC_HOME", os.path.expanduser("~/.clawsec"))
+INTEL_DIR = os.environ.get("CLAWSEC_INTEL_DIR", os.path.join(CLAWSEC_HOME, "intel"))
+REPORTS_DIR = os.environ.get("CLAWSEC_REPORTS_DIR", os.path.join(CLAWSEC_HOME, "reports"))

package/lib/common/config.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+# ClawSec Common - Configuration
+# Centralizes INTEL_DIR and CLAWSEC_HOME with env var overrides
+# Usage: source this file from any script
+
+export CLAWSEC_HOME="${CLAWSEC_HOME:-$HOME/.clawsec}"
+export CLAWSEC_INTEL_DIR="${CLAWSEC_INTEL_DIR:-$CLAWSEC_HOME/intel}"
+export CLAWSEC_REPORTS_DIR="${CLAWSEC_REPORTS_DIR:-$CLAWSEC_HOME/reports}"

package/lib/common/log.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+# ⚡ ClawSec Common - Logging
+# Usage: source this file, then use log_info/warn/err/ok
+
+# Source config to get CLAWSEC_INTEL_DIR if not already set
+if [[ -z "${CLAWSEC_HOME:-}" ]]; then
+    SCRIPT_DIR_LOG="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+    source "${SCRIPT_DIR_LOG}/config.sh"
+fi
+
+export CLAWSEC_LOG_FILE="${CLAWSEC_HOME}/clawsec.log"
+
+_log() {
+    local level="$1"; shift
+    local ts
+    ts=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+    local msg="[$ts] [$level] $*"
+    echo "$msg" >> "$CLAWSEC_LOG_FILE" 2>/dev/null || true
+}
+
+log_info()  { _log "INFO" "$@"; }
+log_warn()  { _log "WARN" "$@"; }
+log_error() { _log "ERROR" "$@"; }
+log_debug() { [[ "${CLAWSEC_DEBUG:-0}" == "1" ]] && _log "DEBUG" "$@"; }

package/lib/common/utils.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+# ClawSec Common - Utilities
+
+# Atomic write: write content to tmp file, validate, then mv
+# Usage: atomic_write <target_path> <content_from_stdin>
+atomic_write() {
+    local target="$1"
+    local tmp
+    tmp=$(mktemp "${target}.XXXXXX.new")
+    cat > "$tmp"
+    if [[ -s "$tmp" ]]; then
+        mv -f "$tmp" "$target"
+        return 0
+    else
+        rm -f "$tmp"
+        echo "atomic_write: refused to write empty file to $target" >&2
+        return 1
+    fi
+}
+
+# Validate JSON file
+validate_json() {
+    local f="$1"
+    if jq empty "$f" 2>/dev/null; then
+        return 0
+    else
+        echo "validate_json: $f is not valid JSON" >&2
+        return 1
+    fi
+}
+
+# Safe download: fetch URL, validate, atomic write
+# Usage: safe_download <url> <target_path> [validate_cmd]
+safe_download() {
+    local url="$1"
+    local target="$2"
+    local validate_cmd="${3:-}"
+    local tmp
+    tmp=$(mktemp "${target}.XXXXXX.new")
+
+    if ! curl -fsSL --max-time 120 --retry 3 --retry-delay 5 "$url" -o "$tmp"; then
+        rm -f "$tmp"
+        echo "safe_download: FAILED to fetch $url" >&2
+        return 1
+    fi
+
+    if [[ -n "$validate_cmd" ]]; then
+        if ! eval "$validate_cmd" "$tmp"; then
+            rm -f "$tmp"
+            echo "safe_download: validation failed for $url" >&2
+            return 1
+        fi
+    fi
+
+    mv -f "$tmp" "$target"
+    return 0
+}
+
+# Get script directory
+script_dir() {
+    local src="${BASH_SOURCE[0]}"
+    while [[ -L "$src" ]]; do
+        local dir
+        dir="$(cd -P "$(dirname "$src")" && pwd)"
+        src="$(readlink "$src")"
+        [[ "$src" != /* ]] && src="$dir/$src"
+    done
+    cd -P "$(dirname "$src")" && pwd
+}